Audit Risk and Internal Control

Atta-ur-Rahman Arif

Audit Risk and Internal Controls

Audit Risk Model

• AR = IR x CR x DR
• AR = Audit risk
  – Also referred to as Residual Risk
  – The risk that the auditor will incorrectly issue an unqualified opinion
• IR = Inherent risk
  – The risk of material misstatements absent any internal controls or testing
• CR = Control risk
  – The risk that internal controls will fail to prevent or detect material misstatement
• DR = Detection risk
  – The risk that audit tests will fail to detect material misstatement
• Therefore, audit risk is a function of inherent risk, unchecked by controls and not detected by the auditor

Risk Components

• Inherent risk
  – Higher in complex transactions
  – Higher where items are more naturally prone to fraud
  – Based in part on prior experience
  – Industry and management pressures
• Inherent risk cannot be changed by the auditor

Control Risk

• Part of Audit Risk Model
• Depends on the design and execution of controls
• Audit Risk = risk that internal controls will FAIL to prevent or detect misstatement
  – High CR means high risk controls will fail
  – Low CR means low risk controls will fail
• If CR is high, auditor will not rely much on controls
• If CR is low, auditor can rely on ICS and reduce other types of testing

Is Risk Quantifiable?

• Yes and No
• Often assessed in percentage terms
• Requires judgment because no number is out there to be measured
• Detection risk needs to be quantified for statistical testing

Interrelationship of Risks

• If IR and CR are high, then
  – DR should be low (lots of testing)
• If IR is high and CR is low
  – DR can be higher, because controls offset high IR
• If IR is low and CR is low
  – DR can be high
• If IR is low but CR is high
  – Somewhat indicative of fraud. DR should be very low

What is Acceptable Audit Risk?

• Risk the auditor is willing to take of being wrong
• Generally considered in terms of unqualified where there are misstatements, but not in reverse
• Depends on engagement risk
  – Financial stability
  – Industry factors
  – Management integrity
• Degree of reliance on audited statements

Keep Things Open

• Control risk assessment must be backed up by control testing results

• If tests show weaker controls, CR is higher, thus DR needs to be lower

Internal Control Objectives

• Reliability of financial statements
• Efficiency and effectiveness of operations
• Compliance with laws and regulations
• Safeguarding of assets

Underlying Limitations

• Reasonable assurance
• Cost-benefit
• Inherent limitations
  – Collusion

Design of ICS

• Preventing material misstatements
• Detecting material misstatements
• Preventing misappropriation
• Detecting misappropriation
• SarbOx: Management must assess and report on design
  – How are transactions initiated, authorized, recorded, processed, and reported?
  – Are there any weaknesses?

Management’s Report on ICS

• Must describe design
• Must make assertions about effectiveness
• Must report material weaknesses
• A single weakness prevents claim that ICS is operating effectively
• Must be able to document basis for report
• Auditor will provide an opinion on the report
• Any weaknesses mean that auditor’s report will be adverse.

Risk Assessment

• Management’s identification of risks
  – Economic
  – Industry
  – Regulatory
  – Operating risks
• Analysis and management of risks
• Examples
  – Oil companies in the Gulf of Mexico
  – Smith Corona

Control Activities

• Policies and procedures to address risks
• Pertains to all four other areas
• Separation of duties
• Proper authorization
• Adequate documents and records
• Physical control over assets and records
• Independent checks

Information and Communication

• Initiates, records, processes, and reports
• Transaction cycles
• Subsidiaries and controls
• Think of PERCV

Monitoring

• Need to ensure controls are working
• Monitoring now more pressing because of SarbOx
• Control needs change
• Personnel change
• Organizational structure changes
