Audit Risk

  • Creator
    Topic
  • #177642
    Tryinghard
    Member

    I had 2 questions about audit risk.

    Audit Risk= Inherent Risk +Control Risk + Detection Risk

    Detection risk has an inverse relationship to Inherent and Control Risk( I think these two risks are called risk of material misstatement). In many problems I have seen, they will for instance say, if the risk of material misstatement increases, what happens to the detection risk? Since they have an inverse relationship detection risk would decrease. That is pretty straightforward, but I had a more specific question. Let’s say there is a question or even a simulation for that matter that asks you to identify the effect on all 3 risks.

    1. When looking at a situation. How would you go about it? I would think it would be easier to figure out the detection risk first. That way you would know that the risk of material risk would have an inverse effect.

    2. If you are able to decide that the detection risk increases, would both inherent and the control risk decrease then? Or would only 1 decrease.

    In a possible situation, I would think that it would be the best strategy if you are unsure of the effect of the inherent/control risk, would be to figure out the detection risk. You then know the inherent and control risk would have to be the opposite. Does this make sense to you guys? Thanks

Viewing 10 replies - 1 through 10 (of 10 total)
  • Author
    Replies
  • #413842

    I don't know if this will help you, but I had my boyfriend(an auditor) explain it to me like this…. think about it as an equation. If AR cannot change and you know DR or CR changes, then the other must also(in their inverse relationship) to keep AR the same. Or if they problem suggest all the other remain(IR, CR, or DR) then assume AR will go up or down depending on the rest of the problem. This has helped me get through those type of MCQ problems.

    CA CPA - All because of the journey listed below
    -----------------------------------------------------------------------
    FAR - 53('10), 8/25/12 79 PASSED!
    REG - 66('11), 69('12), 12/06/12 77 PASSED!!
    BEC - 58('10), 74('12), 01/05/13 77 PASSED!!!
    AUD - 43('11), 66('12), 69('13), 74('13) 7/29/13 85 PASSED!!!!!

    (Combinations of Roger, Yaeger, Wiley Book, Wiley TB, & NINJA Notes)

    Ethics 90%

    #413843
    Anonymous
    Inactive

    I believe it depends on the questions. If there is a chance of high RMM (Inherent risk + Control risk), then auditors need to assess higher control risk and do more test of controls since Inherent risk is inevitable. So, it leads to lower detection risk, which auditors can detect misstatements, meaning doing less works. If questions are asking that auditors are doing more works(sub. tests), which means detection risk less, leading control risk should be assessed high. I think either way from RMM to DR or vice versa, the answer should be the same.

    Correct me if my understanding is different from yours. Thanks

    #413844
    Anonymous
    Inactive

    To @Littlenumberrobot‘s point it's best to think of this from an overall testing perspective.

    First – my take of what's going on may help sink it in:

    AR – is going to be determined by the engagement team. A ‘hey, what are the chances we screw up?' . It will most likely be predetermined and very rarely should be the changing factor — no one is going to say ‘ehh, let's just increase the chances we get this wrong..'

    IR – is just an assessment of the business risks. Depending on the industry or changes to the business it can be more/less risky.

    CR – is the safeguards to prevent and detect material misstatement. If it's “assessed” high – doing controls testing (and you find controls are working effectively) will help give you comfort the control risk isn't as bad as you thought thus can lower your ‘assessment'. If the controls aren't operating effectively – then what's the point of testing? you won't get additional comfort because they'll still be high risk.

    3) DR is just your substantive testing. If the client is risky (IR high), and you didn't test controls (CR high) because a)they don't have any b)they have them but are ineffective c)it won't be any more efficient , well then I'm gonna have to test the crap out of it (DR low) to make sure I can say “with 95% confidence your FS looks clean”.

    Now in regards to question #1:

    Regardless of what the question asks I found it always better to set up the situation (if the details aren't given, just think of a situation that would match the scenario) going from left to right because ultimately that's how you audit 🙂

    Now in regards to question #2:

    If DR increases, you know RMM will inversely decrease — but which one? Well, it's more likely than not in an audit that you'll do controls testing, which will decrease your assessed level of CR (like a ‘hey- looks like these guys might know what they are doing', thus you are more relaxed about your substantive testing) than the IR changing. Remember IR is related to business changes. IR can decrease (divesting a risky business segment that's just naturally prone to have problems), but should be an exception to the rule.

    i.e. AR (same=low) = IR (same=high) x CR (change=lower) x DR (change=higher)

    #413845
    Anonymous
    Inactive

    Use your formula

    AR= IR X CR x DR If either IR ,CR or DR increase then AR must decrease. Ideally only one should increase/decrease. However, they can say AR remain the same and CR in crease so either IR or DR must decrease to make the equation work.

    Example AR= IR x CR X DR

    .06 = .02 x.03 X .01 therefore if AR goes up or down then either IR, CR or DR must go in the opposite direction.

    Use some numbers it makes it easier to see.

    Always consider the Nature, extent and Timing.

    #413846
    Anonymous
    Inactive

    Inherent risk never increases or decreases?

    I've screwed this up numerous times where I thought it never changes and always stays the same no matter what.

    #413847
    Anonymous
    Inactive

    @DavidB

    IR will usually stay constant unless there's a change in the business, but it has to be something that makes the business easier / harder to audit.

    If you are auditing a bank maybe it's a low risk to start. Then they start trading OTC derivatives, CDOs, and credit default swaps.. Obviously more complex, more potential for misstatement, more inherent risk. Unless the question says there's a business change IR should stay the same. Some SIMs MAY suggest what factor changes (IR, AR, DR, CR) when XX happens. Should be comfortable with how these are connected.

    #413848
    Almost Done
    Member

    FYI- the formula is: AR = (IR) x (CR) x (DR) NOT AR = (IR) + (CR) + (DR). Multiply don't add

    BEC: Passed
    REG: Passed
    FAR: Passed
    AUD: Passed

    #413849
    Tryinghard
    Member

    Thanks for everyone who got back to me. I just want to point out that Inherent risk is the risk that a misstatement will arise due to there not being any controls in that area. I think calling it essentially a business risk will help me remember that.

    The formula was also helpful. If detection risk goes up, then one of the other risks should only go down as the other risk will stay constant. I guess if you are unsure of which one changes, you can always put both of them as a decrease to try and gain the maximize points. That way you know you will have at least one of the two risks right instead of both possibly wrong.

    One thing i get mixed up id detection risk is when to perform year end and interim testing. When detection risk is high, do you perform the tests at year end?

    #413850
    LoveEventing
    Member

    Ok, I'm going to start at the beginning to try and explain this as it looks like there is a lot of confusion in this area. Here is the basic steps in determining the audit plan based on the internal control system:

    1. Obtain an understanding of whether internal controls are IMPLEMENTED.

    2. Document understanding of internal controls.

    3. Assess the risk of material misstatement (RMM) and plan further audit procedures (including tests of controls AND substantive testing).

    Ok, so you're at step 3 and trying to assess RMM. You were right in that RMM = IR x CR from the audit risk formula (AR = IR x CR x DR). The RMM consisting of inherent risk and control risk cannot be controlled by the auditor. That is NOT to say it can't change based on changes in the BUSINESS. It just means that the auditor can only ASSESS the risk as it stands in the business based on the design of internal controls. Hence, why it is referred to as “business risk.”

    Now, the only risk that the auditor CAN control is detection risk (DR) by either increasing or decreasing the nature, timing and extent of audit procedures. If your RMM is HIGH, you must bring detection risk to a LOW level in order to keep audit risk LOW (plug in numbers to the audit risk formula to see the effect). In order to bring DR to a LOW level, you must INCREASE your testing by changing the nature, timing and extent of audit procedures. You have a few options here. Nature of testing means you may change HOW you test a particular item. Timing means you change WHEN you test (generally, testing closer to year-end provides more assurance). Extent means HOW MUCH testing you actually do (increasing sample size will provide more assurance). So, to your question on when to perform year-end vs. interim testing… if you've decided you can tolerate a HIGH detection risk (because RMM is low), you can perform interim testing and just roll forward at year-end. If you can't tolerate a high detection risk because the controls at the company suck, then you better test at year-end to make sure you have the most accurate testing as of the date of the balance sheet.

    Ok so now you have assessed your audit risk (AR = IR x CR x DR) to a tolerable level. Your initial control risk assessment indicates that controls seem to be pretty good at the company, so we want to rely on them in order to reduce our testing (control risk is LOW, detection risk is HIGH). Now you have to test controls. If the results of your tests of controls say that the controls looked good, but are actually CRAP, then now you have to reassess control risk as HIGH and detection risk at LOW. Meaning, now you have to perform additional substantive tests to keep audit risk at a tolerable level. So, in essence, you've wasted your time and should have never tested controls in the first place.

    Keep in mind that you don't have an option of whether to test controls for an SEC registrant (public company) due to SOX rules.

    Hope this helps!

    BEC - 68, 76
    AUD - 90, 91
    FAR - 63, 83
    REG - 55, 79

    FINALLY DONE!

    #413851
    Almost Done
    Member

    @LoveEventing GREAT explanation. Thank you.

    BEC: Passed
    REG: Passed
    FAR: Passed
    AUD: Passed

Viewing 10 replies - 1 through 10 (of 10 total)
  • The topic ‘Audit Risk’ is closed to new replies.