Chapter 7 - Assessing Risks and Internal Control
o Describe the conceptual audit risk model and its components, and explain its usefulness and limitations
in conducting the audit.
o Explain how auditors assess the auditee’s business risk through strategic analysis and business process
o Outline the relationships among business processes, accounting processes/cycles and management’s
general purpose financial statements.
o Illustrate how business risk analysis is used in a preliminary assessment of the risk that fraud or error has
led to material misstatement at the overall financial statement level.
o Describe the basic components of internal control: control environment, management’s risk assessment
process, information systems and communication, control activities and monitoring.
o Explain how the auditor’s understanding of an organization’s internal control helps to assess the risk
that its financial statements are misstated.
o Apply and integrate the chapter topics to analyze a practical auditing situation / case / scenario.
o Audit Risk Assessment
o Business Risk-Based Approach to Auditing
o Accounting Processes and the Financial Statements
o Business Risk and Risk of Material Misstatement
o Understanding Internal Control
o How Internal Control Relates to the Risk of Material Misstatement
Audit Risk Assessment
o Auditing is fundamentally a risk management process.
Audit risk is related to information risk that financial statements are materially misstated.
Auditors strive to lower audit risk by performing audit work that gives a high level of
assurance that statements are correct.
Auditors need to assess risk in audit-related terms: inherent risk, control risk and
o The probability of material misstatement occurring in transactions entering the accounting system or
being in the account balances is inherent risk.
Auditors do not create or control inherent risk.
Auditors only try to assess its magnitude based on prior experience, management bias,
and nature of the transactions.
The auditor will consider the characteristics of the client’s business, types of
transactions, and effectiveness of accountants.
o The risk that the client’s internal control system will not prevent or detect a material misstatement is
Auditors do not create or control control risk; they simply evaluate or assess probability of
failure to detect material misstatements.
This assessment of effectiveness may be tested by the auditor in the audit.
Assessment is based on study and evaluation of the company’s control system.
o Several control frameworks are available to the auditor in assessing controls.
CICA’s Criteria of Control Committee (COCO)
Includes evaluation criteria.
Committee of Sponsoring Organizations of the Treadway Commission (COSO)
Includes a set of evaluation tools.
Control Objectives for Information and Related Technology (COBIT)
o Control risk assessment provides only an indirect assessment of monetary misstatements in the financial
Control testing or compliance testing are detailed procedures used to assess control risk.
Control risk should not be assessed so low that auditors rely entirely on controls, and do no
Risk of Material Misstatement
o Auditing standards refer to risk of material misstatement rather than to inherent risk and control risk
It is often difficult to separate the two risks.
Some controls are preventative and reduce inherent risk, some controls are only
effective when misstatements occur.
The auditor may make a combined assessment of inherent and control risks.
o The risk that any material misstatement that has not been corrected by the client’s internal control will
not be detected by the auditor is detection risk.
Auditors can control this risk by conducting substantive (balance audit) tests.
Substantive tests include audit of details of transactions and balances, and analytical
procedures applied to dollar amounts in the accounts.
o The probability that an auditor will fail to express a reservation that financial statements are materially
misstated is audit risk.
Audit risk is greater if there is poor planning or poor execution of the audit.
Audit risk is inversely proportionate to risk of getting sued.
Audit risk is dependent on user reliance.
Audit risk is also applied to individual account balances and disclosures.
o AR = IR x CR x DR
o Audit risk will occur when:
a material misstatement has been made in the transactions or balances (inherent risk),
and internal controls fail to detect or correct the misstatement (control risk), and
audit procedures also fail to detect the misstatement (detection risk).
Auditors usually like to limit audit risk to less than 5%.
How Materiality and Audit Risk are Related
o Materiality refers to the magnitude of a misstatement; audit risk refers to the level of assurance that
material misstatement does not exist.
The auditor will make these assessments independently.
Both deal with sufficiency of evidence and extent of audit evidence that will be collected.
Business Risk and extension of the Audit Risk Model
o Business risk is an event or action that will adversely affect an organization’s ability to achieve its
objectives and execute its strategies.
Auditors need to assess the ways that business risk affects the risk of material misstatement in
Business Risk-Based Approach to Auditing
o The business risk-based approach to auditing requires the auditor to understand the auditee’s business
risks, management’s strategy for addressing those risks, and the business processes it uses to implement
Business Risk Analysis
o There are two parts of business analysis:
Strategic analysis, and
Business process analysis.
o At the end of the business analysis, the auditor should be able to determine if there are any weaknesses
in the client’s risk management process that could lead to misstatement on the financial statements.
o Gain an understanding from senior client management about:
key strategies employed to meet those objectives, and
risks that threaten achievement of those objectives.
Business Process Analysis
o Management will minimize risks through well-designed business processes.
Business success depends on how well management can execute the main aspects of strategy.
o Business process analysis deepens the auditor’s understanding of the client’s operations.
It may also highlight risks and possible note disclosures.
Effects of IT and E-Commerce on Business Risk
o Analyzing the effects of IT and e-commerce is also an important component of business risk analysis.
More involvement in e-commerce and more complex information sy