What is audit risk?
The probability that an auditor will issue an inappropriate audit opinion on financial statements that are materially misstated.
What’s the goal of the auditor regarding audit risk?
To reduce audit risk to an appropriately low level through adequate planning and testing.
Why does audit risk always exist?
Because audits rely on sampling, judgment, and limited evidence—there’s always a chance of missing misstatements.
What is the Audit Risk Model formula?
Audit Risk (AR) = Inherent Risk (IR) × Control Risk (CR) × Detection Risk (DR)
What does this model help auditors do?
Assess and plan procedures to keep overall audit risk (AR) at a low or acceptable level.
Key Terms
Term | Definition | Example |
|---|---|---|
Significant Account or Disclosure | An item likely to contain a material misstatement (with or without internal controls). | Revenue, inventory, goodwill |
Relevant Assertion | A management claim (e.g., existence, completeness) that could be misstated and thus requires audit testing. | “All sales recorded actually occurred” |
Risk of Material Misstatement (RMM) | The combined risk that misstatements will occur (IR) and not be prevented or detected by controls (CR). | RMM = IR × CR |
Inherent Risk (IR)
The likelihood that material misstatements will occur without considering internal controls.
Driven by the nature of the business, transaction complexity, and management integrity.
Example: Complex revenue recognition → high inherent risk.
Susceptibility of the account to error/fraud is key.
Control Risk (CR)
The likelihood that internal controls will fail to prevent or detect misstatements.
Evaluated by understanding and testing the client’s internal controls.
Auditors cannot control CR—they can only assess it.
Detection Risk (DR)
The likelihood that audit procedures will fail to detect an existing misstatement.
The only component auditors can directly influence through their testing.
Inverse Relationship?
When IR and CR are high → auditors must set DR low (do more effective testing).
When IR and CR are low → DR can be higher (less testing).
The Audit Risk Model in Practice (Exhibit 4.3–4.4)
Step | Action | Example / Effect |
|---|---|---|
1. Set desired AR | Decide acceptable overall audit risk (low or very low). | High-risk client → AR = very low |
2. Assess IR | Evaluate susceptibility to misstatement. | IR = high (complex inventory) |
3. Assess CR | Evaluate internal controls. | CR = high (weak inventory tracking) |
4. Solve for DR | Determine how much testing is needed. | DR = very low → perform extensive testing |
Risk of Material Misstatement (RMM)
RMM = IR × CR
Represents the risk of misstatements before the auditor performs testing.
High RMM → lower DR → more substantive testing needed.
Exhibit 4.5 – Relationship Between Detection Risk & Audit Testing
Lower Detection Risk Allowed | Higher Detection Risk Allowed |
|---|---|
More effective tests | Less effective tests |
Testing at year-end | Testing can be done at interim |
More tests (larger sample size) | Fewer tests (smaller sample size) |
Exhibit 4.6 – Matrix Approach to Detection Risk (DR)
Inherent Risk (IR) | Control Risk (CR) | Detection Risk (DR) |
|---|---|---|
Low | Low | High |
Low | Moderate | Moderate to High |
Low | High | Moderate |
Moderate | Low | Moderate to High |
Moderate | Moderate | Moderate |
Moderate | High | Low to Moderate |
High | Low | Moderate |
High | Moderate | Low to Moderate |
High | High | Low |
The higher the combined RMM, the lower detection risk must be (more extensive testing).
What is fraud?
Fraud is the intentional act of knowingly making a false representation to induce someone to believe it and act on it, causing loss or damage.
How does fraud differ from an error?
Fraud involves intent to deceive; errors are unintentional mistakes or omissions.
What is the auditor’s responsibility for fraud risk?
Auditors must consider fraud risk on every audit engagement and design procedures to detect material misstatements caused by fraud.
Is fraud a part of the audit risk model?
Not explicitly — but it affects the risk of material misstatement (RMM) and must be evaluated for every significant account and assertion.
Two Broad Types of Fraud in Auditing
Type | Description | Typical Perpetrator(s) | Example |
|---|---|---|---|
Fraudulent Financial Reporting | Intentional misstatement of amounts or disclosures to deceive financial statement users. Also called management fraud. | Management or executives | Overstating revenues or assets to meet targets |
Misappropriation of Assets | Theft of an entity’s assets by employees or others; also called employee fraud or defalcation. | Employees or low-level personnel | Stealing cash, embezzling funds, creating false vendors |
Key Sub-Types of Employee Fraud
Embezzlement: Theft of cash or property entrusted to the employee.
Larceny: Simple theft of employer property.
Defalcation: Misuse of funds or assets by employees or officers.
Fraud vs Error (Exam Highlight)
Fraud | Error |
|---|---|
Intentional misrepresentation | Unintentional misstatement |
Affects trust in management | Usually clerical or technical |
Difficult to detect — concealed by collusion | Detected by controls or testing |
Auditing Insight — “When Upper Management Goes Bad”
Examples of notorious fraud cases to illustrate management intent and scale:
Bernie Ebbers – WorldCom ($11 billion accounting fraud)
Dennis Kozlowski – Tyco (stole $600 million)
Jeff Skilling – Enron (securities fraud)
Bernie Madoff – Madoff Investment Securities (Ponzi scheme)
Elizabeth Holmes – Theranos (fraudulent claims about technology)
These cases show how intent and management override make fraud especially dangerous and hard to detect.
Fraud Risk Factors (Exhibit 4.7)
Category | Common Examples |
|---|---|
Management’s Characteristics and Influence | Pressure for bonuses or stock options; dominant CEO; aggressive financial reporting attitude; frequent disputes with auditors; high management turnover |
Industry Conditions | Declining industry; tight competition; new regulations impacting profitability; volatile markets |
Operating Characteristics and Financial Stability | Weak internal controls; poor cash flows; complex accounting; large related-party transactions; inexperienced accounting staff |
Types of Fraud Acts and Who They Affect (Exhibit 4.8)
Party Affected | Examples of Fraud |
|---|---|
Stockholders / Creditors | Fraudulent financial statements, securities fraud |
Owners / Managers | Insider trading, related-party transactions |
Competitors | Theft of trade secrets, bribery |
Vendors / Suppliers | Short shipments, double billing, false invoices |
Employees | Expense account falsification, embezzlement, kickbacks, falsified payroll |
Customers | False advertising, price fixing, false refunds, shoplifting |
Government | Tax evasion, contract padding, false benefit claims |
Insurers | False loss claims |
Auditing Insight — Fraud Post-Pandemic (Grant Thornton Study)
COVID-19 increased remote work → higher cyber fraud risk (e.g., phishing, email hacks).
71% of fraud professionals expect fraud to increase after the pandemic.
86% say anti-fraud resources remained the same or increased.
Are auditors responsible for all fraud?
Only for fraud that results in material misstatements in the financial statements.
What must auditors do if they detect immaterial fraud?
Reassess management integrity and increase testing as needed, even if amounts are not material.
What’s the auditor’s goal regarding fraud risk?
To design procedures that provide reasonable assurance that material fraud misstatements are detected.
What is inherent risk?
The likelihood that material errors or fraud could occur in the absence of internal controls.
Why is assessing inherent risk important?
It helps auditors focus on high-risk areas and design audit procedures that properly respond to the potential for misstatement.
What’s the key question auditors ask during inherent risk assessment?
“What could go wrong?” with each account or transaction.
Misstatements by Assertion (Exhibit 4.9)
Misstatement Type | Assertion Violated |
|---|---|
1. Invalid transactions are recorded. | Occurrence |
2. Valid transactions/disclosures omitted. | Completeness |
3. Transactions/disclosures are inaccurate. | Accuracy |
4. Transactions classified incorrectly. | Classification |
5. Transactions aggregated/disaggregated improperly. | Presentation |
6. Transactions recorded in wrong period. | Cutoff |
Tip: Always link the potential misstatement to the relevant assertion (existence, completeness, accuracy, etc.) for exam questions.
Common Factors That Increase Inherent Risk
Factor | Effect on Risk |
|---|---|
Dollar size of account | Larger balances → higher risk of misstatement or fraud |
Liquidity | Easily converted assets (e.g., cash) → higher theft risk |
Volume of transactions | More transactions → more chance for errors |
Complexity | Complex estimates or derivative transactions → higher risk |
Subjectivity | Subjective estimates (e.g., allowance for doubtful accounts) → easier to manipulate |
Understanding the Client’s Business and Environment
Auditors must understand both the entity and its environment to assess inherent risk effectively.
Key elements to understand:
1. Industry, regulatory, and external factors
2. Nature of the company and related parties
3. Effect of client’s computerized processing
4. Selection and application of accounting principles
5. Company objectives and strategies
6. Company performance measures
Why must auditors understand a client’s industry, regulatory, and external environment?
Because these factors shape the company’s risks of material misstatement — they affect business conditions, financial reporting, and compliance obligations.
What are some examples of industry and external factors auditors must consider?
Relevant accounting and reporting standards (GAAP or IFRS).
Industry competition and economic trends.
Government regulations, taxation, and trade restrictions.
Geographic and market influences.
Current events that affect the industry (e.g., supply chain disruption, COVID-19 impacts).
How can industry knowledge help in assessing risk?
It helps auditors identify unusual transactions, complex accounting issues, or unique risks specific to that industry.
What does “nature of the company” mean in auditing?
It refers to understanding how the business is structured, financed, and managed — including operations, ownership, and decision-making.
What specific aspects of a company’s nature should auditors evaluate?
1. Organizational structure (centralized vs. decentralized).
2. Financing and debt arrangements.
3. Major investments, subsidiaries, or acquisitions.
4. Related-party relationships and transactions.
5. The company’s physical location, size, and complexity.
Why do related-party transactions create audit risk?
Because they may lack independence and proper disclosure — they can be used to manipulate earnings or conceal liabilities.
What did research reveal about related-party transactions?
Companies with related-party transactions are more likely to experience restatements or audit problems than those without them.
Why are these risks often underestimated?
Because they appear routine, and auditors may fail to challenge them due to familiarity with management or a lack of documentation.
Why does the client’s IT environment matter to auditors?
Because computerized systems affect how transactions are recorded, processed, and controlled — poor design or decentralized systems can increase misstatement risk.
What’s the difference between centralized and decentralized processing?
Centralized: Easier to test and more uniform controls.
Decentralized: Greater inconsistency across systems and locations, requiring more testing.
What should auditors evaluate about a company’s accounting principles?
Whether they are:
Appropriate for the business.
Consistent with GAAP or IFRS.
Properly disclosed in the financial statements.
Why are accounting estimates a major source of risk?
Because they involve management judgment, subjectivity, and potential bias — making them prone to manipulation.
Give examples of risky accounting estimates.
Valuation of investments, depreciation, impairment, warranty liabilities, and revenue recognition under percentage-of-completion.
What went wrong in Toshiba’s case?
Toshiba overstated $1.9 billion in earnings by manipulating percentage-of-completion estimates for long-term projects.
What lesson does the Toshiba case teach auditors?
To scrutinize management’s subjective estimates and assess whether assumptions are reasonable and unbiased.
Why do auditors need to understand company strategy and objectives?
Because business risks (strategic, operational, financial) often translate into risks of material misstatement in the financial statements.
What are examples of business risks auditors should identify?
Rapid industry changes the company can’t adapt to.
Unsuccessful new product launches.
Overexpansion or poor demand forecasts.
Implementation of new accounting systems or strategies.
Financing or liquidity problems.
What is the auditor’s role regarding business risk?
To link identified business risks to possible misstatements in the financial statements.
Why do auditors review company performance measures?
To identify pressures on management that may lead to earnings manipulation or bias in financial reporting.
What are examples of sensitive performance measures?
Budget variances and profit margins.
Return on assets or equity.
Analyst ratings or share price performance.
Executive compensation metrics tied to profits.
What does sensitivity to performance measures suggest?
Higher likelihood of management bias and thus greater inherent risk.
Why must auditors carefully assess inherent risk for each audit?
To identify accounts and assertions most prone to misstatement, allowing them to tailor audit procedures accordingly.
What does “nature of the company” mean in risk assessment?
The company’s structure, environment, and relationships that influence how risks arise and are managed.
Why review performance measures?
They may reveal where management has incentives to manipulate results.
What’s the main concern with related-party transactions?
They can obscure true financial results or hide fraud because they lack independence.
What is the goal of gathering information during audit planning?
To gain a thorough understanding of the client’s business, industry, and environment so the auditor can identify potential risks of material misstatement.
What are the three main categories of information sources auditors use?
General business sources
Company-specific sources
Information from prior audits and client evaluations
What types of general business information help auditors understand a client’s industry?
Industry magazines and trade journals
SEC filings (like 10-Ks for public companies)
Financial media (Bloomberg, Forbes, Wall Street Journal, Harvard Business Review)
Online databases (e.g., Library of Congress E-Resources)
What should auditors monitor for public companies?
The company’s stock price trends, press releases, and analyst reports for signs of risk or unusual activity.
What company-specific information do auditors review?
Corporate charter, bylaws, or partnership agreements
Contracts, legal proceedings, and meeting minutes
Management compensation and incentive plans
Public communications (e.g., investor materials or press statements)
Why are minutes of meetings important?
They often reveal decisions and transactions that could have financial reporting impacts.
What common topics are found in board or committee meeting minutes?
Declaration of dividends
Election and compensation of officers
Approvals for mergers, contracts, or lawsuits
Financing arrangements and debt pledges
Accounting policy changes
Authorization to sign checks or issue stock
Why do auditors analyze meeting minutes?
To identify potential commitments, contingencies, or approvals that may affect the financial statements.
How can previous audit work help assess risk?
It provides insight into management integrity, control effectiveness, and recurring problem areas.
What’s an example of valuable prior audit information?
Prior adjusting journal entries or significant findings (such as misstatements or control deficiencies).
What are preliminary analytical procedures?
Analytical reviews performed early in the audit to identify potential problem areas or unusual relationships among data.
When are analytical procedures required?
At the beginning of an audit (risk assessment)
At the end of the audit (final review of overall financial statement reasonableness)
What are the five steps auditors follow for analytical procedures?
1. Develop an expectation — what should the balance or relationship look like?
2. Define a significant difference — decide what % or $ difference would be “unreasonable.”
3. Compare expectation to recorded amount.
4. Investigate significant differences.
5. Document each step and conclusion.
What are sources of expectations auditors might use?
Prior-period balances
Budgets and forecasts
Industry data or third-party sources
Nonfinancial data (e.g., number of stores, employee counts, production stats)
What does defining a significant difference mean?
Setting a threshold to determine when a difference between expected and actual results is worth investigating — before making comparisons to avoid bias.
What are horizontal analyses?
Year-over-year comparisons of account balances and income statement items.
What are vertical analyses?
Expressing financial statement items as percentages of a base (e.g., total sales or total assets).
What are other analytical techniques auditors might use?
Ratio analysis (profitability, liquidity, solvency)
Trend analysis
Time-series and regression analysis
What ratios can auditors use to assess risk?
Liquidity Ratios: Current ratio, working capital/total assets.
Operations Ratios: Receivables turnover, inventory turnover.
Leverage Ratios: Debt/equity, EBIT/total assets.
Profitability Ratios: Gross margin %, return on assets.
Financial Distress Ratios: Retained earnings/total assets, Z-score.
Why are ratios important?
They reveal unusual changes or inconsistent trends that might require additional audit testing.
What was learned from the “Too Much of a Good Thing” study?
When auditors try to create too many explanations for a difference, they can lose focus and become less professionally skeptical.
What’s the takeaway for auditors?
Focus on quality of explanations, not quantity — and remain skeptical about management’s explanations.
What is IDEA, and how is it used in audits?
A software tool that analyzes large data sets to identify unusual transactions, trends, or risk indicators.
What does the Stratification Task in IDEA do?
Groups transactions by size, code, or other criteria to help auditors identify outliers.
Why is IDEA helpful for auditors?
It increases efficiency and allows auditors to analyze entire populations rather than relying only on samples.
Why is brainstorming required in every audit?
To encourage auditors to share ideas about fraud risks, business risks, and ways misstatements could occur.
When should brainstorming occur?
During the planning stage and continue throughout the audit as risks are reassessed.
Who typically leads the brainstorming session?
The engagement partner or forensic specialist (for high-risk engagements).
What are some best practices for effective brainstorming?
Encourage open discussion and idea sharing.
Use forensic specialists or experienced staff to lead.
Emphasize professional skepticism.
Discuss real fraud examples and red flags.
Conduct sessions early and revisit throughout the audit.
What should be documented after brainstorming?
Key identified risks, planned responses, and any changes to the audit plan based on discussion.
Why do auditors conduct inquiries with management and audit committees?
To gather insights about internal control, fraud risks, and unusual transactions — and assess management’s integrity.
Who might auditors interview besides management?
Audit committee members
Internal auditors
Operations and marketing managers
Employees involved in financial reporting
What is the app “Blind,” and why is it relevant to auditors?
Blind allows employees to anonymously post about workplace issues. Auditors might use such platforms to gauge management integrity or detect signs of internal problems.
What is the broader lesson from this example?
Auditors should think creatively about information sources — even unconventional ones like social media or employee forums.
What is the overall goal of the risk assessment process?
To identify and assess the risks of material misstatement that exist at the client, so the auditor can plan and perform audit procedures that respond appropriately to those risks.
How should inherent risk be evaluated?
Independently of internal controls — focusing on the nature of accounts and assertions that could lead to misstatements.
Why must inherent risk assessment be done for each account and assertion?
Because each financial statement account may have different risks of error or fraud, requiring customized audit procedures.
What makes a financial statement assertion “relevant”?
An assertion is relevant if it has a reasonable possibility of containing a misstatement that could make the financial statements materially misstated.
What are the main financial statement assertions auditors assess?
1. Existence/Occurrence
2. Completeness
3. Valuation/Allocation
4. Rights and Obligations
5. Presentation and Disclosure
What is the key question auditors ask for each assertion?
“What could go wrong?” with this account or disclosure.
Exhibit 4.12 — “What Could Go Wrong?” Examples
Significant Account | Relevant Assertion | Possible Misstatement (“What Could Go Wrong?”) |
|---|---|---|
Cash | Existence | Cash balance doesn’t exist in company’s accounts. |
Cash | Valuation | Foreign currency accounts not properly translated. |
Cash | Presentation & Disclosure | Restrictions on cash not properly disclosed. |
Accounts Receivable | Existence | Recorded receivables don’t exist. |
Accounts Receivable | Completeness | Not all receivables recorded. |
Accounts Receivable | Valuation | Receivables not included at proper value; allowances incorrect. |