
AR = IR x CR x DR

AR = Audit risk: the risk that the auditor will incorrectly issue an unqualified opinion
IR = Inherent risk: the risk of material misstatements absent any internal controls or testing
CR = Control risk: the risk that internal controls will fail to prevent or detect material misstatement
DR = Detection risk: the risk that audit tests will fail to detect material misstatement

Therefore, audit risk is a function of inherent risk, unchecked by controls and not detected by the auditor

Inherent risk

Higher in complex transactions
Higher where items are more naturally prone to fraud
Based in part on prior experience
Industry and management pressures

Inherent risk cannot be changed by the auditor; it just is

Part of Audit Risk Model
Depends on the design and execution of controls
Audit Risk = risk that internal controls will FAIL to prevent or detect misstatement

High CR means high risk controls will fail
Low CR means low risk controls will fail

If CR is high, auditor will not rely much on controls
If CR is low, auditor can rely on ICS and reduce other types of testing

More Control risk


Depends on all 5 COSO categories
Observed by the auditor but cannot be changed retroactively

Detection risk
A function of the types of tests the auditor does
Remember nature, timing, and extent
This is the only risk element that can be controlled by the auditor

Yes and No
Often assessed in percentage terms
Requires judgment because no number is out there to be measured
Detection risk needs to be quantified for statistical testing

If IR and CR are high, then DR should be low (lots of testing)
If IR is high and CR is low, DR can be higher, because controls offset high IR
If IR is low and CR is low, DR can be high
If IR is low but CR is high: somewhat indicative of fraud. DR should be very low

Risk the auditor is willing to take of being wrong
Generally considered in terms of unqualified where there are misstatements, but not in reverse

Depends on engagement risk


Financial stability
Industry factors
Management integrity

Degree of reliance on audited statements

Control risk assessment must be backed up by control testing results
If tests show weaker controls, CR is higher, thus DR needs to be lower

Reliability of financial statements
Efficiency and effectiveness of operations
Compliance with laws and regulations
Safeguarding of assets

Reasonable assurance
Cost-benefit
Inherent limitations

collusion

Preventing material misstatements
Detecting material misstatements
Preventing misappropriation
Detecting misappropriation

Management must assess and report on design


How are transactions initiated, authorized, recorded, processed, and reported?
Are there any weaknesses?

Is the control operating as designed?
Is the person operating the control qualified to do so effectively?
Does the person have the necessary authority?
How should management assess this?

Must describe design
Must make assertions about effectiveness
Must report material weaknesses
A single weakness prevents claim that ICS is operating effectively

Must be able to document basis for report
Auditor will provide an opinion on the report
Any weaknesses mean that the auditor's report will be adverse.

Control environment
Risk assessment
Control activities
Information and communication
Monitoring

Reflects management's overall attitude toward controls
Integrity and ethical values
Commitment to competence
Audit committee / Board of Directors

Philosophy and operating style
Organizational structure
HR practices
Environment sets the stage for all the rest!

Management's identification of risks


Economic
Industry
Regulatory
Operating risks

Analysis and management of risks

Policies and procedures to address risks
Pertains to all four other areas
Separation of duties
Proper authorization
Adequate documents and records
Physical control over assets and records
Independent checks

Initiates, records, processes, and reports
Transaction cycles
Subsidiaries and controls

Need to ensure controls are working
Control needs change
Personnel change
Organizational structure changes

Narratives
Flowcharts

Pictures tell a thousand words!

Questionnaires
All "no" answers are weaknesses
Look for mitigating controls elsewhere
Be sure connections are made
Insufficient by itself

Top left to bottom right
Try to keep one department or operator in one column
Decision points give alternate paths
Connectors are usually necessary

[Flowchart symbol legend: data enters system; process; stored data file; disk storage; decision point (Yes / No); document; multiple copies; file; connector (A)]
