Chapter 6 –Assessing Risks and Internal Control
Audit Risk:An EssentialAudit Planning Decision
The higher the assurance, the lower the audit risk.
• Audit risk is the probability that an auditor will FAILTO EXPRESS a reservation of opinion on
financial statements that are materially misstated.
Audit risk is greater if there is poor planning or poor execution of the audit.
Audit risk is inversely proportionate to risk of getting sued.
Audit risk is dependent on user reliance.
Audit risk is also applied to individual account balances and disclosures.
• Auditors strive to lower audit risk by performing audit work that gives a high level of assurance
that statements are correct.
• Auditors need to assess risk in audit related terms; inherent risk, control risk and detection risk.
TheAudit Risk Model
Audit Risk (AR) = Inherent Risk (IR) X Control Risk (CR) X Detection Risk (DR)
Audit Risk = The probability that the audit fails. Keep it less than 5%.
How much risk is the audit willing to take before giving a bad opinion? Low, medium or high risk?
Not doing well = audit risk is low - we are not willing to take allot of risk
Business is great = high audit risk - we can take on more risk
Impacts the audit risk:
likelihood of financial failure
users of the financial statement
• Inherent Risk – The probability that material misstatements could have occurred.
Amaterial misstatement has been made in the transactions or balances.
Care should be greater when inherent risk is greater.
First time audit = high risk vs. Repeated - low
Estimates are subjective - many estimates = higher risk
Management Bias - incentives = higher risk
• Control Risk – The risk that the client’s internal controls will not prevent or detect a material
Assessment is based on study and evaluation of the company’s control system.
Risk can never be zero because management can override it (collusion, human error etc...)
Start with anchoring (preconceived knowledge of last year’s conclusions on control risk
Can be a pitfall if conditions worsen from last year.
• Detection Risk – The risk that the auditor’s procedures will fail to find a material misstatement that
exists in the accounts.
Audit procedures also fail to detect the misstatement.
Auditors want this risk LOW (opposite of other two)
Test using substantive procedures:
1. Tests the details of random transactions, balances, and disclosures.
2. Analytical procedures.
How are Materiality and Audit Risk Related? Materiality refers to the magnitude of a misstatement; audit risk refers to the level of assurance that
material misstatement does not exist.
• The auditor will make these assessments independently.
• Both deal with sufficiency of evidence and extent of audit evidence that will be collected.
Business Risk-BasedApproach toAuditing
Requires the auditor to understand the company’s business risks/strategy and its related internal control.
There are 2 parts of business risk analysis:
1. Strategic analysis
2. Business Process analysis
At the end of the business risk analysis, the auditor should be able to answer: