As the combined assessments of inherent and control risk decreases

Do you know how to assess inherent risk? Knowing when this risk is low is a key to efficient audits. In this article, I tell you how to assess inherent risk--and how lower risk assessments (potentially) decrease the amount of work you perform. I also provide inherent risk examples, and I define inherent risk.  

While audit standards don't require a separate assessment on inherent risk (IR) and control risk (CR), it's wise to do so. Why? So you know what drives the risk of material misstatement (RMM). 

Many auditors assess control risk at high (after performing their risk assessment procedures). Why? So they don't have to test controls. 

If control risk is high, then inherent risk is the only factor that can lower your risk of material misstatement. For example, a high control risk and a low inherent risk result in a moderate risk of material misstatement. Why is this important? Lower RMMs provide the basis for less substantive work.

The Audit Risk Model

Before we delve deeper into inherent risk assessment, let's do a quick review of the audit risk model. Auditing standards (AU-C 200.14) define audit risk as “The risk that the auditor expresses an inappropriate audit opinion when the financial statements are materially misstated. Audit risk is a function of the risks of material misstatement and detection risk.”

Audit risk is defined as follows:

Audit Risk = IR X CR X Detection Risk

Inherent risk and control risk live within the entity to be audited.

Detection risk lies with the auditor.

A material misstatement may develop within the company because the transaction is risky or complex. Then, controls may not be sufficient to detect and correct the misstatement. 

If the auditor fails to detect the material misstatement, audit failure occurs. The auditor issues an unmodified opinion when a material misstatement is present.

Risk of Material Misstatement

As we plan an audit, we assess the risk of material misstatement. It is defined as follows:

RMM = IR X CR

Auditors assess the risk of material misstatement at the assertion level so they can determine the level of substantive work. Substantive work is the response to risk.

If the RMM is high, more substantive work is needed. Why? To reduce detection risk. 

But if the RMM is low to moderate, less substantive work is needed. 

Inherent Risk Definition

Let’s define inherent risk. It is the susceptibility of an assertion about a class of transaction, account balance, or disclosure to a misstatement that could be material, either individually or when aggregated with other misstatements, before consideration of any related controls.

The following inherent risk video is from my YouTube playlist: Audit Risk Assessment Made Easy. (The videos correspond to each chapter in my risk assessment book by the same name, available on Amazon.)

Inherent Risk Examples

The risk for cash is greater than that of a building. Cash is easily stolen. Buildings are not.  

The risk of a hedge transaction is greater than that of a trade receivable. Hedges can be complicated to compute. Trade receivables are not. 

Post-retirement liabilities are inherently risky. Why? It's a complex accounting area. The numbers usually come from an actuary. There are estimates in the form of assumptions.

Inherent Risk Factors 

Consider factors such as the following in assessing risk:

  • Susceptibility to theft or fraudulent reporting
  • Complex accounting or calculations
  • Accounting personnel’s knowledge and experience
  • Need for judgment
  • Difficulty in creating disclosures
  • Size and volume of account balances or transactions
  • Susceptibility to obsolescence
  • Prior year period adjustments

Inherent risk is not an average of the above factors. Just one risk factor can make an account balance or transaction cycle or disclosure high risk.

Inherent Risk at Less Than High

When inherent risk is less than high, you can perform fewer or less rigorous substantive procedures.

An example of a low inherent risk is the existence assertion for payables. If experienced payables personnel accrue payables, then the existence assertion might be assessed at low. (The directional risk of payables is an understatement, not an overstatement.) The lower risk assessment for existence allows the auditor to perform few, if any, procedures in relation to this assertion.

Conversely, the completeness assertion for accounts payable is commonly a high inherent risk. Businesses can inflate their profits by accruing fewer payables. Fraudulent reporting of period-end payables is possible. Therefore, the risk of completeness for payables is often high. That's why auditors perform a search for unrecorded liabilities.

Base your risk assessment on factors such as those listed above. If inherent risk is legitimately low, then great. You can perform less substantive work. But if the assertion is high risk, then it should be assessed accordingly--even if that means more work. (The AICPA has included questions in peer review checklists regarding the basis for lower risk assessments. Their concern (I think) is that auditors might manipulate this risk in order to perform less work. I've heard no one from the AICPA say this. But I can see how they might be concerned about this possibility.)

Control Risk

So, what is the relationship between inherent risk and control risk?

Companies develop internal controls to manage areas that are inherently risky.

A business might create internal controls to lessen the risk that payables are understated. Examples of such controls include:

  • The CFO reviews the payables detail at period-end, inquiring about the completeness of the list
  • A payables supervisor reviews all invoices entered into the payables system
  • The payables supervisor inquires of all payables clerks about any unprocessed invoices at period-end
  • A budget to actual report is provided to department heads for review

Inherent risk exists independent of internal controls.

Control risk exists when the design or operation of a control does not remove the risk of misstatement. 

Audit Risk Assessment Update - SAS 145

SAS 145 will be effective for years ending December 31, 2023. This standard provides new inherent risk guidance, particularly in regard to inherent risk factors. See my SAS 145 article for details. 

Audit Risk Assessment Book

My new book, Audit Risk Assessment Made Easy, is now available on Amazon. If you struggle with internal control walkthroughs, preliminary analytics, understanding the entity and its environment, risk assessment and linkage, then this book is for you.

Is inherent risk affected by the control risk assessment?

The inherent risk stems from the nature of the business transaction or operation without the implementation of internal controls to mitigate the risk. Control risk arises because an organization doesn't have adequate internal controls in place to prevent and detect fraud and error.

What happens to detection risk when inherent risk goes up?

Detection risk has an inverse relationship with the assessed risk of material misstatements (Inherent risk X control risk). Therefore, if risk of material misstatement is high, then detection risk would be set to high.

Can inherent risk be high and control risk low?

Many auditors assess control risk at high so they don't have to test controls. If control risk is high, then inherent risk is the only factor that can lower your risk of material misstatement. For example, a high control risk and a low inherent risk result in a moderate risk of material misstatement.

What causes inherent risk to increase?

Factors that can increase inherent risk include subjective estimates, non-routine transactions, and the use of complex financial instruments. Generally, the more complicated a company's business model and transactions are, the higher the inherent risk is.

How can inherent risk be reduced?

Implementing or increasing internal controls is one of the best ways that companies have to lower the level of inherent risk they may experience.

How do inherent risk and control risk differ from detection risk?

Inherent risk and control risk differ from detection risk in that they exist independently of the audit of financial statements, whereas detection risk relates to the auditor's procedures and can be changed at his or her discretion. Detection risk should bear an inverse relationship to inherent and control risk.