The Audit Risk Model (Au 312) Dr. Donald K. McConnell Jr. 2/24/2019

Why Was the Audit Risk Model Developed? Competitive bidding restrictions were eliminated by AICPA for legal reasons What was effect on fees when audits could be competitively bid? How does auditor respond to fees lowered by price competition? Two courses of action exist: Cut corners? No way! Audit more efficiently: Audit testing should be concentrated in areas of greatest perceived risk Some tests “traditionally” done perhaps weren’t necessary! 2/24/2019

The Audit Risk Model: A structured way to identify the areas of greatest risk in the audit Used in the planning phases of the audit AAR = IR x CR x P[A]DR, where: AAR = audit risk, which is driven by IR = inherent risk CR = control risk P[A]DR = planned [acceptable] detection risk A conceptual, not a mathematical model 2/24/2019

Audit Risk Defined The risk that the auditor might fail to modify his/her report when the financial statements do not present fairly (Au 312.02) Audit risk is set for the entire audit IR and CR are evaluated by individual transaction cycles 2/24/2019

Audit Risk Is a Beta Risk Concept Our concern is with Type II error ARO (The Risk of Assessing Control Risk too Low): the risk of concluding that controls tested are effective when they are not ARIA (Risk of Incorrect Acceptance): concluding that an account balance is materially correct when it is not 2/24/2019

What Would Constitute Alpha Risk (Type I Error)? The risk of concluding controls are ineffective when they are actually effective The risk of concluding an account balance is materially misstated when it is not 2/24/2019

Why Are We Not As Concerned with Alpha Risk (Type One Error)? The auditor would ordinarily reconsider or extend auditing procedures This would ordinarily lead the auditor to the correct conclusion (Au 312: fn 3) An effective, but less efficient audit 2/24/2019

What Level of Audit Risk Is Typical for an Audit Engagement? Intuitively, about 5% That is, a 1 in 20 chance that after the audit testing we might have failed to detect a material misstatement! Why not audit more conclusively: seeking 1% or 2% audit risk? 2/24/2019

Would We Ever Want to Achieve Audit Risk Lower Than 5%? ABSOLUTELY! Examples: A 1933 Act filing (IPO) An acquisition target audit A publicly held company with deteriorating financial position and/or much debt 2/24/2019

AAR = IR x CR x P[A]DR [A]: Acceptable 2/24/2019

What Is Inherent Risk (IR)? [AU 312.27 (a)] The risk that a material misstatement might occur in a transaction cycle, ignoring the effects of internal controls A function of client and industry characteristics Most auditors set IR at 50% (medium) to 100% (high): For reasons of conservatism To avoid under-auditing 2/24/2019

What Is Control Risk (CR)? [AU 312.27 (b)] The risk [in a transaction cycle] that a material misstatement which does occur will not be prevented or detected by the client’s system of internal controls Evaluated through assessing internal controls documentation: Flowcharts of systems Internal Control Questionnaires Narrative memos Commonly set at 100% in audits of small companies! 2/24/2019

What Is Planned Acceptable Detection Risk (PADR)? [Au 312.27 (c)] The risk [in a transaction cycle] that a material misstatement which eludes internal controls will not be detected by the auditor’s tests The only risk component (of the three) the auditor can control The auditor’s substantive tests are based on what he/she thinks might get past internal controls Internal controls are always the first line of defense! 2/24/2019

More Audit Risk Issues Even with controls and audit testing, it is possible for misstatements to go undetected Those possibilities represent the level of audit risk accepted by the auditor Audit risk must be at a low level, but it would take an unreasonable amount of work to eliminate it entirely! 2/24/2019

Why are Control Risk and Inherent Risk Evaluated By Transaction Cycles? CR could be high in one cycle, and low in another: Controls could be weak in acquisition and payment cycle But strong in the payroll cycle IR could be high in one cycle, and low in another: Risk of material misstatement would typically be great in sales and collection cycle Risk of material misstatement would typically be low in payroll cycle 2/24/2019

How Do We Evaluate Effects of CR and IR on P[A]DR? We can only control detection risk, in response to inherent risk and control risk assessments Inherent risk and control risk are what they are at the time! Hence, we rearrange the audit risk equation as follows: P[A]DR = AAR / (IR x CR) 2/24/2019

Detection Risk Bears an Inverse Relationship to Inherent and Control Risk The lower the inherent and control risk, the greater the detection risk the auditor can accept The greater the inherent and control risk, the lower the detection risk the auditor can accept 2/24/2019

Examples of This Concept, Assuming 5% Acceptable Audit Risk Sales and collection cycle IR= 50% CR= 50% What is PADR? PADR= 20% Audit of Payroll cycle IR= 25% CR= 25% What is PADR? PADR= 80% 2/24/2019

What Would We Conclude from These Examples? Acceptable detection risk (PADR= 20%) is lower in the sales cycle, requiring more extensive, conclusive audit testing Acceptable detection risk (PADR= 80%) is higher in the payroll cycle, allowing less rigorous audit testing Perhaps just analytical review, and Required minimal substantive testing, as per SAS’s 2/24/2019

What Should the Auditor Do Where IR and/or CR are High? [AU 319.82] Look at larger sample sizes Consider auditing 100% versus sampling Apply more effective tests: e.g., confirmation of A/R vs. vouching to internal documents Apply audit tests closer to balance sheet date Use more experienced audit personnel 2/24/2019

How Does the Auditor Assess Inherent Risk? IR is a function of transaction cycle, industry, and client characteristics, e.g.: Nature of client industry Makeup of the population Extent of errors in previous audits New audit engagements are always risky Non-routine transactions raise IR New accounts are risky Accounts requiring subjective judgments Related party transactions increase IR 2/24/2019

Acceptable Audit Risk (AAR) Is Not the Same As Inherent Risk (IR)! How much exposure to liability does the auditor have? The greater that exposure, the lower the AAR What chance are you willing to accept that after the audit testing there is still material misstatement? IR is the probability of material misstatement in a transaction cycle There could be a 50% chance of misstatement in a cycle (IR), but we wouldn’t want a 50% chance we would not detect it (AAR)! 2/24/2019

Most Auditors Evaluate IR and CR Qualitatively! Practicing auditors tend to look at IR, CR, etc. as being high, low, or medium vs. assessing percentage probabilities Why? The audit risk model is a conceptual model, not strictly speaking a mathematical model The determinations are subjective, not precise 2/24/2019

How Do We Evaluate IR and CR Qualitatively? What’s the process? As a first approximation, look at interaction of IR and CR, which is inverse to P[A]DR P[A]DR might need to be adjusted in light of AAR, to avoid underauditing! Example: Assume AAR needed is low, IR is low, and CR is high in a cycle Implies P[A]DR “medium” as a 1st approx. However, if we need to achieve low levels of AAR in the audit, intuitively P[A]DR should be adjusted to low Hence, evidence needed would be high, not medium 2/24/2019