Sign in |  Join | 
ronninviks
Profile | Posts | Photos | Videos | Comments | Friends | Groups
join mymsg.in
RISK IN AUDIT
Thu Jun 23 01:04:32 2011
views: 393 | Comments: 0
 ronninviks image By Ronninviks
Member since:Jun 22, 2010 07:24:42
 


Companies request an audit in order to provide confidence to investors that their financial statements and reporting are accurate. In order to insure against potential litigation arising from missed financial improprieties, such as material misstatements, auditors will typically carry malpractice insurance.


Audit risk is the  risk that an auditor will not discover errors or intentional miscalculations (i.e. fraud) while reviewing a company's or individual’s financial statements. There are two general categories of audit risk – risk regarding assessment of the financial materials and risk regarding the assertions produced by evaluation of the financial materials


Audit risk (also referred to as residual risk) refers to acceptable audit risk, i.e. it indicates the auditor's willingness to accept that the financial statements may be materially misstated after the audit is completed and an unqualified (clean) opinion was issued. If the auditor decides to lower audit risk, it means that he wants to be more certain that the financial statements are not materially misstated.  



 



COMPONENTS OF AUDIT RISK


 


The three components of AUDIT RISK   are referred to respectively as inherent risk [IR], control risk [CR] and detection risk [DR]. This gives rise to the audit risk model of:


AR = IR x CR x DR, where



  • IR, inherent risk, is the perceived level of risk that a material misstatement may occur in the client’s unaudited financial statements, or underlying levels of aggregation, in the absence of internal control procedures.

  • CR, control risk, is the perceived level of risk that a material misstatement in the client’s unaudited financial statements, or underlying levels of aggregation, will not be detected and corrected by the management’s internal control procedures.

  • DR, detection risk, is the perceived level of risk that a material misstatement in the client’s unaudited financial statements, or underlying levels of aggregation, will not be detected by the auditor. DR is split between two components; SR (Sampling Risk) and NSR (Non-Sampling Risk)


- SR is the risk that the sample selected by the auditor does not properly reflect the population of the data being sampled. The conclusion drawn from such a sample will therefore not be applicable to the entire population.


- NSR is the detection risk other than SR that the auditor will not detect a material misstatement. This could be due to a variety of reasons eg. Human error.


CONCEPTS OF AUDIT RISK


Before evaluating audit risk or its components, auditors first determine what they consider to be a material misstatement. Obviously, the likelihood of a material misstatement appearing in the audited financial statements of an entity depends on the value of a material misstatement: the lower the value, the greater the likelihood. It is only after determining the value of reporting materiality that an auditor is able to evaluate whether audit risk is, for example, LOW, MODERATE or HIGH. This is referred to in more detail below.


There are two distinct concepts of audit risk – the acceptable level of audit risk and the achievable level of audit risk.


The acceptable level of audit risk [AR*] is the risk of a material financial statement misstatement that is acceptable to the auditor. The acceptable level of audit risk [AR*] is estimated by reference to the expected reliance on the audited financial statements. The greater the expected reliance, the lower is the acceptable level of audit risk.


The achievable level of audit risk [AR] is the risk the audited financial statements will contain a material misstatement. (AR is an ex ante concept and thus it is referred to as the achievable level of risk rather than an ex post concept of an achieved level of risk).


The achievable level of audit risk [AR] is estimated by reference to the ex ante value of the components of the audit risk model. That is, the estimated values of inherent, control and (the achievable level of) detection risks. The aim of an auditor is to achieve an acceptable level of audit risk; to achieve a level of audit risk that is acceptable to the auditor.


There are similarly two concepts of detection risk – i.e


The allowable level of detection risk and the achievable level of detection risk.


The allowable level of detection risk [DR*] is the maximum level of detection risk an auditor can allow to occur. On the other hand, the achievable level of detection risk [DR] is, broadly, the risk that a material misstatement in the unaudited information will not be detected by the auditor, (Again, DR is an ex ante concept and thus it is referred to as the achievable level of risk rather than an ex post concept of an achieved level of risk).The allowable level of detection risk [DR*] is estimated by reference to specified levels of audit risk, inherent risk and control risk. The greater the acceptable level of audit risk, and the lower the inherent and control risk, then the greater is the allowable level of detection risk.


The achievable level of detection risk [DR] is based on such factors as the auditor’s independence and ability. The lesser the independence and ability of the auditor, the greater is the level of detection risk that can be achieved (i.e. the greater is the risk that the auditor will not detect a material misstatement).


INHERENT RISK


Inherent risk is the susceptibility of an account balance or class of transaction to a material misstatement either individually or when aggregated with misstatements of other balances or classes, assuming that there were no internal controls. The auditor should study and evaluate the degree of inherent risk in order to determine the audit plan. He should also consider other factors, which might compensate for an otherwise high degree of inherent risk. Some of these factors are: -


At the level of financial statements



  • The integrity of management;

  • Experience of the management;

  • Changes in the management team;

  • Unusual pressures on management team; and management, for example, circumstances that might predispose management to misstate the financial statements


At the level of account balance and class of transactions



  • Quality of accounting system;

  • Complexity of the transaction and events;

  • Degree of judgment involved in determining account balances;

  • Susceptibility of assets to losses or misappropriations; and

  • Transactions not subject to ordinary processing.


Range of assessment


Inherent risk is typically assessed using a scale, with assessments being either low, medium, or high. Assessments of medium or high risk will require additional audit work to be performed in order to reduce the audit risk.


Inherent risk is a client risk; since it is outside of the auditor's control the auditor's response is to adjust detection riSK


Factors in assessing inherent risk


Considerations which an auditor may include in assessing inherent risk include:



  • complexity of determining the account amount (if it is an estimate or a financial statement disclosure)

  • past history (including any audit differences identified)

  • the circumstances of the entity's business environment

  • management's overall risk awareness


For example, the valuation of accounts receivable would have a higher inherent risk assessment since the amount of allowance is subjective and is an accounting estimate. In contrast, the valuation assertion of cash and cash equivalents would have a lower inherent risk as the amount involves no estimation and is thus less susceptible to manipulation


 


CONTROL RISK


 Control risk is the risk that misstatements could occur in an account balance or class of transaction and that could be material, either individually or when aggregated with other misstatements, will not be prevented or detected and corrected on a timely basis by the accounting and internal control system.


Steps in the Assessment of Risks Control


Preliminary Assessment of Control Risk


In order to make a preliminary assessment of the control risk, the auditor should obtain an understanding of the accounting system and related internal controls. This may be done by supplementing his knowledge gained through previous experience with the entity with



  • Enquiries about the composition of the management;

  • Inspection of the documents and records produced by the accounting and internal control system; and

  • Observations of the entity’s activities and procedures.


Test of Controls


Tests of controls are performed by an auditor to obtain audit evidence about the effectiveness of the following:



  • Whether the accounting and internal control systems are suitably designed to prevent or detect and control material misstatements; and

  • Operation of internal controls throughout the period.


Test of control may include the following procedures:



  • Inspection of the documents and records;

  • Inquiries about and observation of internal controls that leave no audit trail;

  • Redoing on a test basis, activities performed automatically by the system; and

  • Testing of internal controls operating on computerised applications.


Final assessment of control risk


On the basis of the results of the test of control the auditor should evaluate whether the preliminary assessment of control risk was correct or do they need to be revised. He should accordingly determine any modification in the nature; timing and extent of audit procedures.


The Internal Control System comprises of -


The Control Environment It refers to the overall attitude, awareness and actions of the directors and management regarding the internal control system and its importance in the entity. The control environment has an effect on the specific control procedures and provides the background against which other controls are operated. The internal control environment may be affected by the following factors



  • organisational structure and methods of delegation of authority and responsibility;

  • functions of the governing bodies;

  • management’s philosophy operating style;

  • management’s control system including the internal audit function, personnel policies and procedures.


Control Procedures – Control procedures are those policies and procedures in addition to the control environment, established by the management to achieve entity’s specific objectives. These procedures include the following:



  • reporting and reviewing reconciliations;

  • checking the arithmetical accuracy of the records;

  • controlling applications and environment of computer information systems;

  • approving and controlling access to documents, assets, records etc.;

  • comparing and analysing the financial results with the budgets.


DETECTION RISK


Detection risk is the risk that an auditor’s substantive procedures will not detect a misstatement that exists in an account balance or class of transactions that could be material, either individually or when aggregated with misstatements in other balances or classes. The auditor should consider the assessed levels of inherent and control risks in determining the, nature, timing and extent of substantive procedures required to reduce audit risk to an acceptably low level. There is an inverse relationship between detection risks and the combined level of inherent and control risks. Thus when inherent and control risks are high, acceptable detection risk should be low to reduce the audit risk to an acceptably low level.


Any internal weakness in the inherent control noticed by the auditor during the course of his evaluation or audit procedures should be communicated to the management. While communicating it should be made clear that the audit examination had not been designed to determine the adequacy of internal controls.


What Does Detection Risk Mean?


The chance that an auditor will not find material misstatements relating to an assertion in an entity's financial statements through substantive tests and analysis. Detection risk is the risk that the auditor will conclude that no material errors are present when in fact there are. Detection risk is one of the three elements that comprise audit risk, the other two being inherent risk and control risk.


 


Investopedia explains Detection Risk
Exhaustive substantive tests and analysis may reduce the level of detection risk. Detection risk also depends on the quality of the auditors - the lower the quality of the auditor, generally the higher the detection risk. Detection risk may also be higher in regions where regulatory bodies are relatively ineffective.


 


How to Assess Detection Risk in an Audit


Detection risk occurs when you don’t use the right audit procedures or you don’t use them correctly. You assess inherent and control risk and then solve your audit risk equation by assigning detection risk to reduce your audit risk to an acceptable level. Keep in mind that you can never completely eliminate detection risk because you’ll most likely never look at each and every transaction. You’ll always have some risk of a misstatement being missed, but your goal is to keep it to an acceptable minimum.


Here are the three major elements of detection risk:


·                   Misapplying an audit procedure: A good example is when you’re using ratios to determine if a financial account balance is at face value accurate (reasonable), and you use the wrong ratio. I discuss reasonability more in the next section of this chapter.


·                   Misinterpreting audit results: You use the right audit procedure but just flat out make the wrong decision when evaluating your results. Maybe you decide accounts payable is fairly presented when it actually contains a material misstatement.


·                   Selecting the wrong audit testing method: Different financial accounts are best served using specific testing methods. For example, if you want to make sure a particular sale took place, you test for its occurrence — not for whether the invoice is mathematically correct.


Consider an example of detection risk during a common audit procedure. While examining accounts payable, you test to see if the invoices shown in the accounts payable list are indeed not paid. Very good — that’s a correct audit procedure to use for the accounts payable assertion. You correctly implement your audit procedure and make the accurate decision that the accounts payable balance contains no material misstatements.


However, you fail to test for segregation of duties between the employee who processes the payments and the employee who updates the vendor file marking the invoice as paid. This incomplete testing causes you to misinterpret audit results, which increases your detection risk. In other words, you heighten the risk that you’ll fail to recognize or detect errors or fraudulent transactions in the client’s purchasing process.


 


RELATIONSHIP BETWEEN DIFFERENT COMPONENTS


 


The relationship between different components of audit risks is given in the following table:


 


The deep grey region in this table relate to detection risk.


The auditor should make a combined assessment of the inherent and control risks. This is because the management often reacts to inherent risk situations by designing suitable accounting and internal control system to prevent or detect and correct material misstatement. The higher the assessment of inherent and control risks, the more audit evidence the auditor should obtain from the performance of substantive procedures.


There is an inverse relationship between detection risks and the combined level of inherent and control risks. For example, when inherent and control risks are high, acceptable levels of detection risk need to be low to reduce audit risk to an acceptably low level. On the other hand, when inherent and control risks are low, an auditor can accept a higher detection risk and still reduce audit risk to an acceptably low level.









In theory, audit risk ranges anywhere from zero (0.0), where there is complete certainty of no material misstatement, to one (1.0), where there is complete certainty of a material misstatement. In practice, however, audit risk is always greater than zero. There is always some risk of material misstatement as it is not possible, (except for the audit of the simplest of financial statements), due to the limitations inherent in both accounting and auditing, to be absolutely certain a material misstatement will not exist. The Institute of Chartered Accountants of India (ICAI) in the form of AAS-6 on Risk Assessment and Internal Control issued a guidance over the subject matter.

mymsg mymsg Bookmark and Share Email
Join the Conversation
Become a mymsg member to comment. 

 already a member? sign in

mymsg