http://en.wikipedia.org/wiki/Audit_risk
Audit risk (also referred to as residual risk) refers to the risk that an auditor may issue unmodified report due to auditor's failure to detect material misstatement either due to error or fraud. This risk is composed of inherent risk (IR), control risk (CR) and detection risk (DR), and can be calculated thus:
where... IR is inherent risk, CR is control risk and DR detection risk. IR refers to the risk involved in the nature of business or transaction. Example, where transactions involving exchange of cash may have higher IR than transactions involving settlement by cheques. CR refers to the risk that a misstatement could occur but may not be detected and corrected or prevented by entity's internal control mechanism. DR is the probability that the audit procedures may fail to detect existence of a material error or fraud. While CR depends on the strength or weakness of the internal control procedures, DR is either due to sampling error or human factors.
Solving for DR
Detection risk has to be restricted and occurs when the correct audit procedure is used or the audit procedure is used incorrectly. The auditor assesses the inherent risk and control risk and then solves the audit risk by assigning detection risk to reduce the audit risk to an acceptable amount. The major elements of detection risk are misapplying an audit procedure, misinterpreting audit results, and selecting the wrong audit test method. To solve for the detection risk:
DR = AR/ (IR x CR) or DR = AR/RMM
From the result of solving this equation, it is understood that if the detection risk is low, the auditor must collect additional appropriate evidence and the detection risk is high, the less evidence is needed. Since detection risk is a function of the effectiveness of the audit procedures performed, detection risk is the only risk that is completely a function of sufficiency of the procedures performed by the auditors. The audit evidence that the auditor collects must be sufficient and appropriate. Sufficiency is the measure of quantity of audit evidence that must be obtained and appropriateness is the measure of quality of audit evidence obtained. The audit evidence has to be both reliable and relevant in order for it to affect the detection risk.
Implementing the model
The reason for using the audit risk model is to help prevent the risk of fraud and misstatements. When an auditor audits a company, their main objective is to provide the best assurance possible that the financial statements do not contain material mistakes. This will help the future decisions made by the company and its current and future investors. The audit risk model is used to help the auditor determine which auditing procedures for accounts or transactions shown on the financial statements are used to help decrease the audit risk to an appropriate level. The financial statements consist of the income statements, balance sheet, and statement of cash flows. The income statements show the company’s operating performance, from the accounts of revenues, expenses, and net income. The balance sheet shows a company’s assets, liabilities, and owner’s equity and the statement of cash flows shows the company’s cash and cash payments. These are important to look over this information because it is not always trusted. These financial statements may be inaccurate and auditors may need to find additional information to make sure that the information provided by these financial statements is reliable. Auditors might have a situation where the client impeded the ability for the auditor to assess the financial statement. This situation will increase audit risk and the auditor responses in two ways, that is; the auditor issues an adverse opinion when it is not warranted or an unqualified opinion when it is not warranted.
Risk of Material Misstatement
RMM = IR x CR
Risks of material misstatement at the financial statement level relate pervasively to the financial statements as a whole and potentially affect many assertions. Risks of material misstatement at the financial statement level may be especially relevant to the auditor's consideration of the risk of material misstatement due to fraud. For example, an ineffective control environment, a lack of sufficient capital to continue operations, and declining conditions affecting the company's industry might create pressures or opportunities for management to manipulate the financial statements, leading to higher risk of material misstatement. Risks of material misstatement at the assertion level are consisted of two components, that is; inherent risk and control risk. Inherent risk refers to the susceptibility of an assertion to a misstatement due to error or fraud that could be material, individually or in combination with other misstatements, before consideration of any related controls. Control risk is the risk that a misstatement due to error or fraud that could occur in an assertion and that could be material, individually or in combination with other misstatements, will not be prevented or detected on a timely basis by the company's internal control. Control risk is a function of the effectiveness of the design and operation of internal control. Inherent risk and control risk are related to the company, its environment, and its internal control, and the auditor assesses those risks based on evidence he or she obtains. The auditor assesses inherent risk using information obtained from performing risk assessment procedures and considering the characteristics of the accounts and disclosures in the financial statements. The auditor assesses control risk using evidence obtained from tests of controls and from other sources. There is an inverse relationship between RMM and detection risk which is the risk that auditors will not detect a misstatement. If RMM increases, this means that the auditor will do more substantive testing and this leads to a decrease of the detection risk. If RMM decreases, this means the auditor will not do as much testing and the detection risk will increase because limited testing will increase the chances of the auditor missing something.
Limitations of the Audit Risk Model
Standard setters developed the audit risk model as a planning tool. However, the model has a number of limitations that must be considered by auditors and their firms when the model is used to revise an audit plan or to evaluate audit results. In those instances, the actual or achieved level of audit risk may be smaller or greater than the audit risk indicated by the formula. This can occur because the auditor assesses the risk of material misstatement and such an assessment may be higher or lower than the actual risk of material misstatement that exists for the client. Inaccurate assessments are likely to result in a flawed determination of detection risk. Thus, the desired level of audit risk may not actually be achieved. In addition, the audit risk model also does not specifically consider non sampling risk. The audit risk model has some limitations that make its actual implementation difficult. CPA firms in determining their approach to implementing the model have considered the following limitations: • Inherent risk is difficult to formally assess. Some transactions are more susceptible to error, but it is difficult to assess that level of risk independent of the client’s accounting system. • Audit risk is judgmentally determined. Many auditors set audit risk at a nominal level, such as 5%. However, no firm could survive if 5% of its audits were in error. Audit risk on most engagements is much lower than 5% because of conservative assumptions that take place when inherent risk is assessed at the maximum. Setting inherent risk at 100% implies that every transaction is initially recorded in error. It is very rare that every transaction would be in error. Because such a conservative assessment leads to more audit work, the real level of audit risk will be significantly less than 5%. • The model treats each risk component as separate and independent when in fact the components are not independent. It is difficult to separate an organization’s internal controls and inherent risk. • Audit technology is not so precisely developed that each component of the model can be accurately assessed. Auditing is based on testing; precise estimates of the model’s components are not possible. Auditors can, however, make subjective assessments and use the audit risk model as a guide. • The model is not particularly useful for helping auditors determine the necessary control testing for issuing an opinion on the effectiveness of internal controls as is be required in an integrated audit. While the audit risk model has limitations, it serves as an important tool that auditors can use for planning an audit engagement.
Historical Perspective of the Model in GAAS
The audit risk model is codified in GAAS in SAS No. 47. The ASB issued SAS No. 47 in 1983, and it was amended in 1997 by SAS No.82, Consideration of Fraud in a Financial Statement Audit. Prior to SAS No. 47, many auditors employed some of the model’s concepts in practice, albeit they were not explicitly codified and embedded in GAAS. There is, however, no clear record of exactly what practice was in this area prior to SAS No. 47. Generally, it is believed that, while auditors’ judgments entered into the audit process, many auditors employed “procedural” approaches that were not fully supported by strict conceptual underpinnings. In other words, audits tended to be conducted using a variety of substantive testing approaches with less reliance on judgments about risk. Testing of internal control, primarily by testing individual transactions, was common and sometimes extensive. Since 1984, auditors have been required to follow SAS No. 47; in other words, they have been required to employ the audit risk model. Notwithstanding this requirement, anecdotal and other evidence indicates that many (but by no means all) audits continue to be performed using substantive testing approaches with little or no attention paid to the results of the risk assessments called for by the model. This phenomenon perhaps is facilitated by the fact that the model permits “defaulting” to an assumption that risks are at a maximum level. Based on the auditor’s assessment of various risks and any tests of controls, the auditor makes judgments about the kinds of evidence (from sources that are internal or external to the client’s organization) needed to achieve “reasonable assurance.” On the one hand, GAAS set forth numerous requirements or matters that auditors should consider when exercising audit judgment.
IAASB
The IAASB believes the Audit Risk Standards will increase audit quality as a result of better risk assessments through a more detailed understanding of the entity and its environment, including its internal control, and improved design and performance of audit procedures to respond to assessed risks of material misstatements. The improved linkage of audit procedures and assessed risks is expected to result in a greater concentration of audit effort on areas where there is a greater risk of material misstatement. The approved Standards are: • ISA 500 (Revised), Audit Evidence • ISA 315, Understanding the Entity and its Environment and Assessing the Risks of Material Misstatement • ISA 330, The Auditor's Procedures in Response to Assessed Risks • An addition to ISA 200, Objective and General Principles Governing an Audit of Financial Statements
The approved Standards replace the following existing ISAs: • ISA 310, Knowledge of the Business • ISA 400, Risk Assessments and Internal Control • ISA 401, Auditing in a Computer Information Systems Environment The scope of each of the Audit Risk Standards is reflected in the introduction to the Standard. • Addition to ISA 200 - Explains the basic audit risk model. • ISA 500 (Revised) - Standards and guidance on what constitutes audit evidence, the sufficiency and appropriateness of audit evidence obtained the auditor's use of assertions, and the auditor's procedures for obtaining audit evidence. • ISA 315 - Standards and guidance on obtaining an understanding of the entity and its environment, including its internal control, and on assessing risks of material misstatement. • ISA 330 - Standards and guidance on determining overall responses to assessed risks at the financial statement level and on designing and performing further audit procedures to respond to assessed risks of material misstatements at the assertions level.