AUDIT RISK

Chapter 9, part 2
 WHAT IS RISK?
◦ is a measure of uncertainty
◦ Zero risk is a certainty

◦ a 100 percent risk is complete uncertainty. Complete assurance (zero risk) of the accuracy of the financial
statements is not economically practical.

◦ the auditor cannot guarantee the complete absence of material misstatements.

◦ Often, auditors refer to the term audit assurance (also called overall assurance or level of assurance)
instead of acceptable audit risk
 ❑ Auditing
AUDIT RISK MODEL
standards
require the auditor to
understand the entity
and its environment,
including its internal
controls, to assess the
risk of material
misstatements in the
client’s financial
statements.
❑ Auditing standards
require the auditor to
assess the risk of
material misstatements
at the overall financial
statement level as well
as the relevant
assertion level for
classes of transactions,
account balances, and
disclosures.
 AUDIT RISK MODEL
◦ The audit risk model helps auditors decide how much and what types of evidence to accumulate for each
relevant audit objective.

𝐴𝐴𝑅
𝑃𝐷𝑅 =
𝐼𝑅 × 𝐶𝑅
Where:
• PDR = Planned Detection Risk
• AAR = Acceptable Audit Risk
• IR = Inherent Risk
• CR = Control Risk
 Planned Detection Risk 𝑃𝐷𝑅 =
𝐴𝐴𝑅
𝐼𝑅 × 𝐶𝑅

Planned detection risk is the risk that audit evidence for an audit objective will fail to detect misstatements
exceeding performance materiality.

There are two key points to know about planned detection risk.
❑ Planned detection risk is dependent on the other three factors in the model.
➢ It will change only if the auditor changes one of the other risk model factors.

❑ Planned detection risk determines the amount of substantive evidence that the auditor plans to accumulate, inversely
with the size of planned detection risk.
➢ If the planned detection risk is reduced, the auditor needs to accumulate more evidence to achieve the reduced
planned risk.
 Inherent Risk 𝑃𝐷𝑅 =
𝐴𝐴𝑅
𝐼𝑅 × 𝐶𝑅

❑Inherent risk measures the auditor’s assessment of the susceptibility of an assertion to material
misstatement before considering the effectiveness of related internal controls.

❑If the auditor concludes that a high likelihood of misstatement exists, the auditor will conclude that
inherent risk is high

❑Internal controls are ignored in setting inherent risk because they are considered separately in the audit
risk model as control risk.

❑Inherent risk is inversely related to planned detection risk and directly related to evidence.
 Control Risk 𝑃𝐷𝑅 =
𝐴𝐴𝑅
𝐼𝑅 × 𝐶𝑅

❑Control risk measures the auditor’s assessment of the risk that a material misstatement could occur in an assertion and
not be prevented or detected on a timely basis by the client’s internal controls.

❑The combination of inherent risk and control risk is referred to in auditing standards as the risk of material
misstatements.

❑The auditor may make a combined assessment of the risk of material misstatements or the auditor can separately assess
inherent risk and control risk. (Remember, inherent risk is the expectation of misstatements before considering the
effect of internal control.)

❑As with inherent risk, the relationship between control risk and planned detection risk is inverse, whereas the
relationship between control risk and substantive evidence is direct.
Acceptable audit 𝐴𝐴𝑅

risk
𝑃𝐷𝑅 =
𝐼𝑅 × 𝐶𝑅

❑Acceptable audit risk is a measure of how willing the auditor is to accept that
the financial statements may be materially misstated after the audit is
completed and an unqualified opinion has been issued.

❑When auditors decide on a lower acceptable audit risk, they want to be more
certain that the financial statements are not materially misstated.
 Impact of Engagement
Risk on Acceptable
Audit Risk
❑Auditors must decide the appropriate acceptable audit risk for an audit, preferably during audit planning.

First, auditors decide on engagement risk and then use engagement risk to modify acceptable audit risk.

◦ Engagement risk is the risk that the auditor or audit firm will suffer harm after the audit is finished, even

though the audit report was correct.

◦ For example, if a client declares bankruptcy after an audit is completed, the likelihood of a lawsuit

against the CPA firm is reasonably high, even if the quality of the audit is high.
 Factors Affecting
Acceptable Audit Risk
❑The Degree to Which External Users Rely on the Statements

❑The Likelihood That a Client Will Have Financial Difficulties

After the Audit Report Is Issued

❑The Auditor’s Evaluation of Management’s Integrity

 The Degree to Which
External Users Rely on the
Statements
❑When external users place heavy reliance on the financial statements, it is appropriate to decrease
acceptable audit risk.

❑Several factors are good indicators of the degree to which statements are relied on by external users:
◦ Client’s size. measured by total assets or total revenues, will have an effect on acceptable audit risk.
◦ Distribution of ownership. The statements of publicly held corporations are normally relied on by
many more users than those of closely held corporations. For these companies, the interested parties
include the SEC, financial analysts, and the general public.
◦ Nature and amount of liabilities. When statements include a large amount of liabilities, they are
more likely to be used extensively by actual and potential creditors than when there are few liabilities.
 The Likelihood That a Client Will Have
Financial Difficulties After the Audit
Report Is Issued
❑It is difficult for an auditor to predict financial failure before it occurs, but
❑ certain factors are good indicators of its increased probability:
❖Liquidity position. If a client is constantly short of cash and working capital, it indicates a future problem in paying bills.

❖Profits (losses) in previous years. When a company has rapidly declining profits or increasing losses for several years, the
auditor should recognize the future solvency problems that the client is likely to encounter. It is also important to consider the
changing profits relative to the balance remaining in retained earnings.

❖Method of financing growth. The more a client relies on debt as a means of financing, the greater the risk of financial difficulty
if the client’s operating success declines.

❖Nature of the client’s operations. Certain types of businesses are inherently riskier than others. For example, a start-up
technology company dependent on one product is much more likely to go bankrupt than a diversified food manufacturer.

❖Competence of management. Competent management is constantly alert to potential financial difficulties and modifies its
operating methods to minimize the effects of short-run problems.
 Assessing Inherent
Risk
❑The auditor must assess the factors that make up the risk and modify audit evidence to consider them.

❑The auditor should consider several major factors when assessing inherent risk:
◦ Nature of the client’s business

◦ Results of previous audits

◦ Initial versus repeat engagement

◦ Related parties

◦ Complex or nonroutine transactions

◦ Judgment required to correctly record account balances and transactions

◦ Makeup of the population

◦ Factors related to fraudulent financial reporting

◦ Factors related to misappropriation of assets

Relationships of Risk
to Evidence𝑃𝐷𝑅 =
𝐴𝐴𝑅
𝐼𝑅 × 𝐶𝑅