CHAPTER 11A RISK-BASED AUDIT APPROACH – PART II
1.Use the model AR = IR x CR x DR to solve for different values of Audit Risk (AR) when internal control risk (CR) is given different values. In all cases IR =0.90 and DR = 0.10, therefore, AR = 0.90 x CR x 0.10
When CR isAR is
0.100.009 or 0.9 percent0.500.045 or 4.5 percent0.700.063 or 6.3 percent0.900.081 or 8.1 percent1.000.090 or 9.0 percent2.a.
Risk of Assessing Control Risk Too Low
is a matter of judgment about the importance (“key”) characteristic of a particular clientcontrol procedure. An auditor can take more risk of assessing control risk too low on unimportant controls than on important (“key”) ones.Alternatively, the risk of assessing control risk too low can be considered aconstant (say, 0.05) and the importance of a control can be measured interms of a smaller or larger tolerable rate. (The authors prefer the latter approach.) b.
Risk of Assessing Control Risk Too High
is a matter of judgment about the efficiency of an audit engagement. The risk can bequite high when the audit team is willing to do extensive substantive work anyway. If the work budget is tight, auditors need to find objective ways(e.g., larger test of controls audit samples) to mitigate the risk.c.
Tolerable Deviation Rate
is a judgment about
control deviationscan exist in the population, yet the control can still be considered effective.Auditors need to be careful about brushing aside findings of deviations.d.
Expected Deviation Rate in the Population
is an estimate, usually based onassumptions or sketchy information, of the imbedded incidence of controldeviations. The only use of this estimate in classical attribute sampling is tofigure a sample size in advance. The statistical evaluation (CULcalculation) does not use it.