Audit risk model



1999 Semester II


AFM 312
Auditing




Assignment 1


Audit Risk Model








Posting Date: 6 September, 1999
Table of Contents

A) DEFINITION OF RISKS 1
INHERENT RISK 1
CONTROL RISK 1
AUDIT RISK 1
DETECTION RISK 1
B) ARMIDALE PTY LTD – YEAR 1 3
INHERENT & CONTROL RISK LEVELS 3
DETECTION RISK & EVIDENCE ACCUMULATION 3
C) ARMIDALE PTY LTD – YEAR 3 4
SETTING AUDIT RISK HIGH 4
WHAT IS A ‘LOW’ LEVEL OF IR & CR 4
D) THE AUDIT RISK MODEL IN PRACTICE 5

A) Definition of Risks
Inherent Risk
This is defined in AUS 402 as ‘the susceptibility of an account balance … to misstatement that could be material … assuming there were no related internal controls’ (AUS 402.09).
Estimating the inherent risk (IR) for each account balance or class of transactions requires the auditor to take into account such factors as the level of complexity involved in determining the ‘correct’ balance of an account, the complexity of transactions involving the particular account(s) and the ‘portability’ of the assets involved.
The estimation of IR is done as though no internal controls exist – it looks only at the nature of the account being evaluated.
Control Risk
AUS 402 defines this as ‘the risk that misstatements that could occur in an account balance … that could be material … will not be prevented or detected on a timely basis by the internal control structure’ (AUS 402.06).
The evaluation of the level of control risk (CR) requires the auditor to have a thorough understanding of the internal control structure that is in place, and practiced (not necessarily the same thing) within the organisation to be studied. Elements such as the segregation of duties, the existence of ‘management overrides’, and the level of formalised policies and procedures in use are among the factors to be considered.
Audit Risk
Defined in AUS 402 as ‘the risk that the auditor gives an inappropriate audit opinion when the financial report is materially misstated.’ (AUS 402.03)
The level that is set as the acceptable audit risk (AR) reflects the degree of certainty that the auditor and audit subject wish to achieve. An audit opinion can never be a guarantee (AR = 0), even if every transaction during the year was tested, due, at least in part, to the interpretive nature of many of the accounting decisions involved.
Detection Risk
The final part of the risk model outlined in AUS 402 is defined as ‘the risk that an auditor’s substantive procedures will not detect a misstatement…’ (AUS 402.07)
This risk relates to the volume, effectiveness and sufficiency of the audit testing and investigation undertaken.

Both IR and CR are related to the probability that a particular balance will contain an error, either accidental or fraudulent, while detection risk (DR) is the probability that the auditor will not detect the error (Graham, 1985, p.15).
The audit risk model is ‘a joint probability statement of independent events’ (Wade, 1996) which attempts to combine these probabilities and give an overall ‘chance’ of a misstatement existing (IR * CR) and remaining undetected (* DR) – leading to the auditor giving an inappropriate audit opinion (AR).
B) Armidale Pty Ltd – Year 1
Inherent & Control Risk Levels
In the first year of an engagement the auditor will have gained only a limited knowledge of the client and their practices.
Faced with a poor internal control structure the auditor may question the level of management experience and knowledge, which AUS 402.14(b) suggests may be an indicator of high inherent risk. This, combined with the newness of the engagement, would be sufficient cause to set IR at a high level at the financial report level, and for most, if not all, of the assertions below that.
AUS 402.32 & AUS 402.34 mandate the setting of control risk to high ‘unless the auditor is able to identify internal controls … likely to prevent or detect and correct a material misstatement’ (AUS 402.32(a)). Given the conclusion of the auditor that such a control structure does not exist within Armidale Pty Ltd they would have no option but to set CR as high – which is a logical choice given our previous definition of CR.

Detection Risk & Evidence Accumulation
Assuming that the auditor wishes to achieve a low level of Audit Risk, especially given the newness of the engagement and the lack of an effective control structure we can, by restating the audit risk model as DR = AR / (IR x CR) determine what the level of detection risk must be set