CHAPTER 9: Audit Risk, Including the Risk of Fraud

QUESTIONS

True/False
REQUIRED: For each of the following items, indicate whether it is (T) True or (F) False. For
those marked “False,” identify the error(s) and indicate the change or changes that are needed
to make the statement true.

1. The concept of audit risk is the inverse of the concept of reasonable assurance.

2. The more certain the auditor wants to be of expressing the correct opinion, the lower will
be the acceptable audit risk.

3. The revised control risk is used in finalizing the design of substantive tests of
transactions or tests of balances.

4. The actual level of control risk, but not inherent risk, is directly controllable by the
auditor.

5. Auditors are required to perform risk assessment procedures in every audit to assess the
risk of fraud due to both misappropriation and fraudulent financial reporting.

6. If inherent risk is assessed at the maximum, control risk as moderate and analytical
procedures risk at moderate, the acceptable level of detection risk for tests of details is
low.

7. Detection risk is a function of the effectiveness of the controls put into place and their
application by client personnel.

8. In practice, many auditors do not attempt to quantify each of the components in the
audit risk model.

9. Inherent risk cannot be greater for some assertions than for others.

10. There is an inverse relationship between audit risk and the amount of evidence needed.

11. A primarily substantive approach would usually be chosen when the auditor concludes
that the costs of performing additional procedures to obtain a more extensive
understanding of internal controls and tests of controls to support a lower assessed level
of control risk would exceed the cost of performing more extensive substantive tests.

12. The auditor might choose a primarily substantive approach when auditing assertions
that are affected by a high degree of subjectivity or involve highly complex transactions.

13. The auditor might choose an approach that places emphasis on inherent risk and
analytical procedures when inherent risk is below the maximum and he or she can
develop reliable expectations regarding the account balance.

14. The auditor might choose a response to lower inherent risk for audit assertions where
the auditor has developed an analytical model by examining the relationship between
nonfinancial measures of the volume of business activity such as gross payroll or accrued
payroll taxes, and these items are consistent with expectations.
1
15. When the preliminary audit strategy calls for the primarily substantive approach, the
planned acceptable level of detection risk should be set at moderate or high.

Answers to True/False
1. T.
2. T.
3. F: Control should be detection.
4. F: The should be neither; but not should be nor.
5. T.
6. T.
7. F: Controls put in place should be audit procedures; client personnel should be the
auditor. (Alternately, can change detection to control.)
8. T.
9. F: Cannot should be may.
10. T.
11. T.
12. T.
13. T.
14. T.
15. F: Moderate or high should be low or very low.

Multiple Choice
REQUIRED: Indicate the best answer choice for each of the following.

1. The susceptibility of an assertion to a material misstatement, assuming that there are no

controls, is:
a. audit risk.
b. control risk.
c. analytical procedures risk.
d. inherent risk.
e. tests of details risk.

2. The risk that the auditor may unknowingly fail to appropriately modify his or her
opinion on financial statements that are materially misstated is:
a. analytical procedures risk.
b. control risk.
c. tests of details risk.
d. inherent risk.
e. audit risk.

3. The risk that a material misstatement that could occur in an assertion will not be
prevented or detected on a timely basis by the entity’s internal controls is:
a. control risk.
b. audit risk.
c. inherent risk.
d. rejection risk.
e. detection risk.

2
4. The risk that the auditor will not detect a material misstatement that exists in an
assertion is:
a. control risk.
b. audit risk.
c. inherent risk.
d. rejection risk.
e. detection risk.

5. The assessment of inherent risk requires consideration of matters that have a pervasive
effect on assertions for all or many accounts and matters that may pertain only to
assertions for specific accounts. Which of the following is an example of a “specific
account” matter?
a. going concern problems such as lack of sufficient working capital.
b. profitability of the entity relative to the industry.
c. sensitivity of operating results to economic factors.
d. complexity of calculations.
e. management turnover, reputation, and accounting skills.

6. The assessment of inherent risk requires consideration of matters that have a pervasive
effect on assertions for all or many accounts and matters that may pertain only to
assertions for specific accounts. Which of the following is an example of a “pervasive
effects” matter?
a. complexity of calculations.
b. management turnover, reputation, and accounting skills.
c. susceptibility to misappropriation.
d. sensitivity of operating results to economic factors.
e. difficult-to-audit accounts or transactions.

7. The auditor has some control over:

a. the assessed level of inherent risk.
b. the actual level of inherent risk.
c. both the actual level and the assessed levels of inherent risk.
d. neither the actual level nor the assessed level of inherent risk.
e. the projected level of inherent risk.

8. An inaccurate version of the audit risk model would imply that:

a. detection risk is inversely related to inherent risk.
b. detection risk can be determined from audit risk, inherent risk and control risk.
c. detection risk is inversely related to audit risk.
d. audit risk is related to all other risks in the model.
e. increases in the acceptable level of control risk will cause decreases in detection
risk.

3
9. Which of the following statements about fraud is not true?
a. Fraud is defined in generally accepted auditing standards as any act that results in
a material misstatement in financial statements that are the subject of an audit.
b. Auditors are concerned about two types of misstatements that are relevant to the
auditor’s consideration of fraud.
c. The types of fraud that are the least frequent are also the most expensive.
d. The fraud triangle includes opportunity, incentives, pressures, attitudes and
rationalization.
e. Auditors should conduct discussions about management overrides of internal
controls with employees having varying levels of authority including personnel not
directly involved in the financial reporting process

10. Which of the following is a fraud mitigation procedure recently instituted in many
companies?
a. Demoted compliance personnel.
b. Performance audits.
c. External audit.
d. Management code of conduct.
e. Employee hotline.

11. The auditor has some control over:

a. the actual level of control risk.
b. the assessed level of control risk.
c. both the actual level and the assessed levels of control risk.
d. neither the actual level nor the assessed level of control risk.
e. the projected level of control risk.

12. Which of the following is an example of how an analytical procedure may be helpful in
identifying accounts and assertions that are likely to contain misstatements?
a. An improvement in the current ratio combined with an increase in the quick ratio.
b. An increase in gross sales combined with an increase in earnings per share.
c. Susceptibility of misappropriation.
d. An increase in gross margins combined with an increase in the number of
inventory turn days.
e. Difficult-to-audit accounts or transactions.

13. Which of the following is not an example of a significant inherent risk?

a. Management override of internal controls.
b. The impact of technological developments.
c. Inadequate accounting skills.
d. Management turnover.
e. Contentious accounting issues.

14. Which of the following risk factors is an example of an assertion specific inherent risk
factor?
a. Management override of internal controls.
b. The impact of technological developments.
c. Inadequate accounting skills.
d. Management turnover.
e. Contentious accounting issues.
4
15. Which of the following would be considered the most conservative settings for inherent
risk and control risk?

Inherent Control
Risk Risk
a. 1.0 1.0
b. 1.0 0.0
c. 0.0 0.0
d. 0.0 1.0
e. 0.5 0.5

16. The risk that a material misstatement that could occur in an assertion will not be
prevented or detected on a timely basis by the entity’s internal controls is
a. control risk.
b. analytical procedures risk.
c. tests of details risk.
d. inherent risk.
e. audit risk.

17. A risk components matrix or its equivalent is necessary whenever the auditor uses:
a. quantitative expressions for risk.
b. nonqualitative expressions for risk.
c. the risk model in planning an audit.
d. a lower assessment of control risk or inherent risk.
e. nonquantitative expressions for risk.

18. If inherent risk is assessed as low, control risk is assessed as low and analytical
procedures risk is very low, the acceptable levels of test of details risk would be:
a. Maximum
b. High
c. Moderate
d. Low
e. So low that substantive tests of details may not be necessary.

19. The preliminary audit strategy for each assertion:

a. is a detailed specification of auditing procedures.
b. must be set before risk assessment is completed.
c. represents a tentative audit approach.
d. will be uniform throughout the audit.
e. represents a committed audit approach.

20. The auditor has chosen the preliminary strategy of primarily substantive testing. Which
of the following is not a validly specified component of this strategy?
a. set control risk at a high level
b. plan tests of controls, probably testing computer controls embedded in the client’s
system
c. plan few, if any, tests of controls
d. plan extensive substantive tests
e. plan to obtain a minimum understanding of relevant portions of internal controls.

5
21. The auditor has chosen the preliminary strategy of lower assessed control risk. Which of
the following is not a validly specified component of this strategy?
a. use a planned assessed level of control risk of moderate or low
b. plan tests of controls, probably testing computer controls embedded in the client’s
system
c. plan restrictive substantive tests
d. plan few, if any, tests of controls
e. use a planned assessed level of analytical procedures risk at a high level

22. For which of the following accounts is the primarily substantive testing strategy least
likely?
a. bonds payable
b. trade accounts payable
c. equipment
d. capital stock
e. machinery

Answers to Multiple Choice

1. d 11. b 21. d
2. e 12. d 22. b
3. a 13. a
4. e 14. e
5. d 15. a
6. b 16. a
7. a 17. e
8. c 18. e
9. a 19. c
10. e 20. b

Matching 9-1 (10 minutes)

Following are a number of items that may have an impact on one of the components of audit
risk.

REQUIRED: For each of the following, indicate the risk component that is directly affected.
More than one selection may be correct. Use the following code:

I: Inherent Risk
C: Control Risk
A: Analytical Procedures Risk
D: Tests of Details Risk

1. Fixed assets consist primarily of capitalized leasehold items.

2. Policies and procedures in the cash collection area appear ineffective.

3. Evidence from external sources will be obtained in testing the sales cycle.

4. The CPA firm has a sound system of quality controls.

6
 5. In the prior year, numerous errors were detected in the account in question.

6. Limited procedures to obtain an understanding are planned.

7. The auditor has decided to consult a specialist.

8. An internal audit function exists and answers directly to the president.

9. Physical security over blank documents and accounting records is weak.

10. Extensive tests of details of balances are planned.

11. The client is in the savings and loan industry.

12. Working capital levels have declined over the past year.

13. A highly experienced audit staff has been assigned to the engagement.

14. The auditor is planning extensive compliance testing.

15. Management turnovers have been considerable this year.

Answers — Matching 9-1

1. I 4. A and D 7. D 10. D 13. A and D
2. C 5. I 8. C 11. I 14. C
3. D 6. C 9. C 12. I 15. I

Matching 9-2 (5 minutes)

Following are the three possible audit strategies discussed in the text.

A. A Primarily Substantive Approach

B. A Lower Assessed Level of Control Risk Approach
C. A Response to Lower Inherent Risk Approach

REQUIRED: Using the corresponding letters from the list above, match the audit strategy with
the audit strategy components listed below. (Items may be used more than once.)

1. Plan few, if any, tests of controls.

2. Plan to obtain a minimum understanding of relevant portions of internal

controls.

3. Obtain extensive knowledge of the client’s business processes relevant to the

assertion.

4. Use a planned assessed level of control risk of moderate or low.

Answers — Matching 9-2

1. A 2. A 3. B 4. B and C

7
Short Answer 9-1 (15 minutes)

Complete the risk components matrix below, including the explanation for the asterisk.

Risk that Analytical Procedures

Will Not Detect Material Misstatements
Inherent Risk Control Risk
Assessment Assessment High Moderate Low Very Low
Maximum

High

Moderate

Low

Answers — Short Answer 9-1

Risk that Analytical Procedures
Will Not Detect Material Misstatements
Inherent Risk Control Risk
Assessment Assessment High Moderate Low Very Low
Maximum Maximum Very Low Very Low Very Low Low
High Very Low Very Low Low Moderate
Moderate Very Low Low Moderate *
Low Low Moderate High *
High Maximum Very Low Very Low Low Moderate
High Very Low Low Moderate *
Moderate Low Moderate High *
Low Moderate High * *
Moderate Maximum Very Low Low Moderate High
High Low Moderate High *
Moderate Moderate High * *
Low High * * *
Low Maximum Low Moderate High *
High Moderate High * *
Moderate High * * *
Low * * * *
* Substantive tests may not be necessary.

8
Short Answer 9-2 (10 minutes)

A. Under a lower assessed level of control risk approach, what audit strategy components
does the auditor specify?

B. Under a primarily substantive approach, what audit strategy components does the
auditor specify?

Answers — Short Answer 9-2

A. Under a lower assessed level of control risk approach, the auditor specifies the
components of the audit strategy as follows:

1. Use a planned assessed level of analytical procedures risk at a high level.

2. Plan to obtain an extensive understanding of relevant portions of internal controls,
particularly control activities.
3. Plan tests of controls, probably testing computer controls, embedded in the client’s
system.
4. Plan restricted substantive tests of transactions or balances based on a moderate or
high planned acceptable level of detection risk.

B. Under a primarily substantive approach, the auditor specifies the components of the
audit strategy as follows:

1. Plan extensive substantive tests based on a low planned acceptable level of

detection risk.
2. Use a planned assessed level of control risk at a high level (or at the maximum).
3. Plan to obtain a minimum understanding of relevant portions of internal controls.
4. Plan few, if any, tests of controls.

Analysis 9-1 (6 minutes)

For each one of the following risk factors relating to misstatements arising from fraudulent
reporting, identify the appropriate category.

1. Inability to generate cash flows from operations while reporting earnings and earnings
growth.
2. High degree of competition or market saturation, accompanied by declining margins.
3. High turnover of senior management, counsel, or board members.
4. Difficulty in determining the organization or individual(s) that control(s) the entity.
5. Strained relationship between management and the current or predecessor auditor.
6. Declining industry with increasing business failures and significant declines in customer
demand.

Answers — Analysis 9-1

1. Operating characteristics and financial stability.
2. Industry conditions that involve the economic and regulatory environment in which the
entity operates.
3. Management’s characteristics and influence over the control environment.
9
 4. Operating characteristics and financial stability.
5. Management’s characteristics and influence over the control environment.
6. Industry conditions that involve the economic and regulatory environment in which the
entity operates.

Analysis 9-2
For each one of the following risk factors relating to misstatements arising from the
misappropriation of assets, identify the appropriate category.

1. Lack of appropriate management oversight

2. Large amounts of cash on hand or processed
3. Inventory characteristics, such as small size, high value, or high demand
4. Poor physical safeguards over cash, investments, inventory, or fixed assets
5. Easily convertible assets, such as bearer bonds, diamonds, or computer chips
6. Lack of mandatory vacations for employees performing key control functions

Answers — Analysis 9-2

1. The lack of controls designed to prevent or detect misappropriations of assets.
2. The susceptibility of assets to misappropriation.
3. The susceptibility of assets to misappropriation.
4. The lack of controls designed to prevent or detect misappropriations of assets.
5. The susceptibility of assets to misappropriation.
6. The lack of controls designed to prevent or detect misappropriations of assets.

10