The Audit Risk Model (Au 312) - PowerPoint PPT Presentation

Provided by: wwebUtaEd6
Learn more at: https://www.uta.edu
Transcript and Presenter's Notes

1
The Audit Risk Model (Au 312)
  • Dr. Donald K. McConnell Jr.

2
Why Was the Audit Risk Model Developed?
  • Competitive bidding restrictions were eliminated
    by AICPA for legal reasons
  • What was effect on fees when audits could be
    competitively bid?
  • How does auditor respond to fees lowered by price
    competition?
  • Two courses of action exist
  • Cut corners? No way!
  • Audit more efficiently
  • Audit testing should be concentrated in areas of
    greatest perceived risk
  • Some tests traditionally done perhaps weren't
    necessary!

3
The Audit Risk Model
  • A structured way to identify the areas of
    greatest risk in the audit
  • Used in the planning phases of the audit
  • AAR = IR x CR x PADR, where
  • AAR = audit risk, which is driven by
  • IR = inherent risk
  • CR = control risk
  • PADR = planned acceptable detection risk
  • A conceptual, not a mathematical model

4
Audit Risk Defined
  • The risk that the auditor might fail to modify
    his/her report when the financial statements do
    not present fairly (Au 312.02)
  • Audit risk is set for the entire audit
  • IR and CR are evaluated by individual transaction
    cycles

5
Audit Risk Is a Beta Risk Concept
  • Our concern is with Type II error
  • ARO (The Risk of Assessing Control Risk too Low):
    the risk of concluding that controls tested are
    effective when they are not
  • ARIA (Risk of Incorrect Acceptance): concluding
    that an account balance is materially correct
    when it is not

6
What Would Constitute Alpha Risk (Type I Error)?
  • The risk of concluding controls are ineffective
    when they are actually effective
  • The risk of concluding an account balance is
    materially misstated when it is not

7
Why Are We Not As Concerned with Alpha Risk (Type
One Error)?
  • The auditor would ordinarily reconsider or extend
    auditing procedures
  • This would ordinarily lead the auditor to the
    correct conclusion (Au 312 fn 3)
  • An effective, but less efficient audit

8
What Level of Audit Risk Is Typical for an Audit
Engagement?
  • Intuitively, about 5%
  • That is, a 1 in 20 chance that after the audit
    testing we might have failed to detect a material
    misstatement!
  • Why not audit more conclusively, seeking 1% or 2%
    audit risk?

9
Would We Ever Want to Achieve Audit Risk Lower
Than 5%?
  • ABSOLUTELY! Examples:
  • A 1933 Act filing (IPO)
  • An acquisition target audit
  • A publicly held company with deteriorating
    financial position and/or much debt

10
AAR = IR x CR x PADR
  • A = Acceptable

11
What Is Inherent Risk (IR)? AU 312.27 (a)
  • The risk that a material misstatement might occur
    in a transaction cycle, ignoring the effects of
    internal controls
  • A function of client and industry characteristics
  • Most auditors set IR at 50% (medium) to 100%
    (high)
  • For reasons of conservatism
  • To avoid under-auditing

12
What Is Control Risk (CR)? AU 312.27 (b)
  • The risk in a transaction cycle that a material
    misstatement which does occur will not be
    prevented or detected by the client's system of
    internal controls
  • Evaluated through assessing internal controls
    documentation
  • Flowcharts of systems
  • Internal Control Questionnaires
  • Narrative memos
  • Commonly set at 100% in audits of small
    companies!

13
What Is Planned Acceptable Detection Risk (PADR)?
Au 312.27 (c)
  • The risk in a transaction cycle that a material
    misstatement which eludes internal controls will
    not be detected by the auditor's tests
  • The only risk component (of the three) the
    auditor can control
  • The auditor's substantive tests are based on what
    he/she thinks might get past internal controls
  • Internal controls are always the first line of
    defense!

14
More Audit Risk Issues
  • Even with controls and audit testing, it is
    possible for misstatements to go undetected
  • Those possibilities represent the level of audit
    risk accepted by the auditor
  • Audit risk must be at a low level, but it would
    take an unreasonable amount of work to eliminate
    it entirely!

15
Why are Control Risk and Inherent Risk Evaluated
By Transaction Cycles?
  • CR could be high in one cycle, and low in
    another
  • Controls could be weak in acquisition and payment
    cycle
  • But strong in the payroll cycle
  • IR could be high in one cycle, and low in
    another
  • Risk of material misstatement would typically be
    great in sales and collection cycle
  • Risk of material misstatement would typically be
    low in payroll cycle

16
How Do We Evaluate Effects of CR and IR on PADR?
  • We can only control detection risk, in response
    to inherent risk and control risk assessments
  • Inherent risk and control risk are what they are
    at the time!
  • Hence, we rearrange the audit risk equation as
    follows
  • PADR = AAR / (IR x CR)

17
Detection Risk Bears an Inverse Relationship to
Inherent and Control Risk
  • The lower the inherent and control risk, the
    greater the detection risk the auditor can accept
  • The greater the inherent and control risk, the
    lower the detection risk the auditor can accept

18
Examples of This Concept, Assuming 5% Acceptable
Audit Risk
  • Sales and collection cycle
  • IR = 50%
  • CR = 50%
  • What is PADR?
  • PADR = 20%
  • Audit of Payroll cycle
  • IR = 25%
  • CR = 25%
  • What is PADR?
  • PADR = 80%

19
What Would We Conclude from These Examples?
  • Acceptable detection risk (PADR = 20%) is lower in
    the sales cycle, requiring more extensive,
    conclusive audit testing
  • Acceptable detection risk (PADR = 80%) is higher
    in the payroll cycle, allowing less rigorous
    audit testing
  • Perhaps just analytical review, and
  • Required minimal substantive testing, as per
    SASs

20
What Should the Auditor Do Where IR and/or CR are
High? AU 319.82
  • Look at larger sample sizes
  • Consider auditing 100% versus sampling
  • Apply more effective tests, e.g., confirmation of
    A/R vs. vouching to internal documents
  • Apply audit tests closer to balance sheet date
  • Use more experienced audit personnel

21
How Does the Auditor Assess Inherent Risk?
  • IR is a function of transaction cycle, industry,
    and client characteristics, e.g.
  • Nature of client industry
  • Makeup of the population
  • Extent of errors in previous audits
  • New audit engagements are always risky
  • Non-routine transactions raise IR
  • New accounts are risky
  • Accounts requiring subjective judgments
  • Related party transactions increase IR

22
Acceptable Audit Risk (AAR) Is Not the Same As
Inherent Risk (IR)!
  • How much exposure to liability does the auditor
    have? The greater that exposure, the lower the
    AAR
  • What chance are you willing to accept that after
    the audit testing there is still material
    misstatement?
  • IR is the probability of material misstatement in
    a transaction cycle
  • There could be a 50% chance of misstatement in a
    cycle (IR), but we wouldn't want a 50% chance we
    would not detect it (AAR)!

23
Most Auditors Evaluate IR and CR Qualitatively!
  • Practicing auditors tend to look at IR, CR, etc.
    as being high, low, or medium vs. assessing
    percentage probabilities
  • Why?
  • The audit risk model is a conceptual model, not
    strictly speaking a mathematical model
  • The determinations are subjective, not precise

24
How Do We Evaluate IR and CR Qualitatively?
  • What's the process?
  • As a first approximation, look at interaction of
    IR and CR, which is inverse to PADR
  • PADR might need to be adjusted in light of AAR,
    to avoid underauditing!
  • Example
  • Assume AAR needed is low, IR is low, and CR is
    high in a cycle
  • Implies PADR medium as a 1st approx.
  • However, if we need to achieve low levels of AAR
    in the audit, intuitively PADR should be
    adjusted to low
  • Hence, evidence needed would be high, not medium