AUDIT LECTURES SLIDES AUDIT RISK

1. Atta-ur-Rahman Arif

2. Audit Risk Model
• AR = IR x CR x DR
• AR = Audit risk
– Also referred to as Residual Risk
– The risk that the auditor will incorrectly issue an
unqualified opinion
• IR = Inherent risk
– The risk of material misstatements absent any
internal controls or testing

3. Audit Risk Model
• CR = Control risk
– The risk that internal controls will fail to prevent
or detect material misstatement
• DR = Detection risk
– The risk that audit tests will fail to detect material
misstatement
• Therefore, audit risk is a function of inherent
risk, unchecked by controls and not detected
by the auditor

4. Risk Components
• Inherent risk
– Higher in complex transactions
– Higher where items are more naturally prone to
fraud
– Based in part on prior experience
– Industry and management pressures
• Inherent risk cannot be changed by the
auditor

5. Control Risk
• Part of Audit Risk Model
• Depends on the design and execution of controls
• Audit Risk = risk that internal controls will FAIL to prevent or
detect misstatement
– High CR means high risk controls will fail
– Low CR means low risk controls will fail
• If CR is high, auditor will not rely much on controls
• If CR is low, auditor can rely on ICS and reduce other types of
testing

6. Is Risk Quantifiable?
• Yes and No
• Often assessed in percentage terms
• Requires judgment because no number is out
there to be measured
• Detection risk needs to be quantified for
statistical testing

7. Interrelationship of Risks
• IF IR and CR are high,
then
• If IR is high and CR is
low
• If IR is low and CR is low
• If IR is low but CR is
high
• DR should be low (lots
of testing)
• DR can be higher,
because controls offset
high IR
• DR can be high
• Somewhat indicative of
fraud. DR should be
very low

8. What is Acceptable Audit Risk?
Risk the auditor is willing to take of being wrong
Generally considered in terms of unqualified
where there are misstatements, but not in
reverse
Depends on engagement risk
› Financial stability
› Industry factors
› Management integrity
Degree of reliance on audited statements

9. Keep Things Open
• Control risk assessment must be backed up by
control testing results
• If tests show weaker controls, CR is higher,
thus DR needs to be lower

10. Internal Control Objectives
• Reliability of financial statements
• Efficiency and effectiveness of operations
• Compliance with laws and regulations
• Safeguarding of assets

11. Underlying Limitations
• Reasonable assurance
• Cost-benefit
• Inherent limitations
– collusion

12. Design of ICS
• Preventing material misstatements
• Detecting material misstatements
• Preventing misappropriation
• Detecting misappropriation
• SarbOx: Management must assess and report
on design
– How are transaction initiated, authorized,
recorded, processed, and reported?
– Are there any weaknesses?

13. Management’s Report on ICS
• Must describe design
• Must make assertions about effectiveness
• Must report material weaknesses
• A single weakness prevents claim that ICS is
operating effectively
• Must be able to document basis for report
• Auditor will provide an opinion on the report
• Any weaknesses mean that auditor’s report will
be adverse.

14. Risk Assessment
• Management’s identification of risks
– Economic
– Industry
– Regulatory
– Operating risks
• Analysis and management of risks
• Examples
– Oil companies in the Gulf of Mexico
– Smith Corona

15. Control Activities
• Policies and procedures to address risks
• Pertains to all four other areas
• Separation of duties
• Proper authorization
• Adequate documents and records
• Physical control over assets and records
• Independent checks

16. Information and
Communication
• Initiates, records, processes, and reports
• Transaction cycles
• Subsidiaries and controls
• Think of PERCV

17. Monitoring
• Need to ensure controls are working
• Monitoring now more pressing because of
SarbOx
• Control needs change
• Personnel change
• Organizational structure changes