
Accounting Horizons, Vol. 24, No. 1, 2010, pp. 65–78
American Accounting Association, DOI: 10.2308/acch.2010.24.1.65

COMMENTARY

A Risk Model to Opine on Internal Control


Abraham D. Akresh
SYNOPSIS: In recent years, auditors have reported on the effectiveness of internal control, usually as part of integrated audits. The audit risk model currently in auditing standards was designed for financial statement audits, not internal control audits, a key part of integrated audits. Because the audit of processes (internal control) is conceptually different from the audit of outputs (financial statements), the auditor needs a different risk model to provide a conceptual framework for internal control audits. The model I propose¹ provides the auditor a method to determine the appropriate nature, timing, and extent of testing in an integrated audit. My model is focused on the risk of material weakness, rather than the risk of material misstatement. I also show how the auditor would use two different models in an integrated audit.

Keywords: audit risk model; inherent risk; integrated audit; internal control; opinion; risk of material misstatement; risk of material weakness.

Abraham D. Akresh is a CPA and consultant, who recently retired from the U.S. Government Accountability Office.

I thank Mark Beasley, Bob Dacey, Bill Felix, Jeanette Franzel, Jonas Gaudernack, Steven Glover, Bill Kinney, Meg Mills, Doug Prawitt, Corinne Robertson, Iris Stuart, Mark Taylor, participants at the American Accounting Association Auditing Section 2009 Midyear Conference, the two anonymous reviewers, and the editor for their comments on earlier drafts.

This paper contains my views, which are not necessarily the views of the U.S. Government Accountability Office (GAO).

Submitted: December 2008. Accepted: September 2009. Published Online: March 2010.
Corresponding author: Abraham D. Akresh. Email: akresha@gao.gov

INTRODUCTION

The audit risk model has provided a conceptual framework for audits of financial statements for more than 40 years. Despite practical difficulties in implementation and criticisms of its theoretical foundation, the model has been fairly effective in helping auditors analyze risks and use that analysis to determine the nature, timing, and extent of audit procedures (especially substantive procedures) in audits of financial statements. The audit risk model provides a conceptual framework for the risk assessment standards (Statements on Auditing Standards [SAS] Nos. 104–111).

In recent years, some auditors have tried to apply the audit risk model to audits of internal control, usually performed as parts of integrated audits. An integrated audit is an engagement where the auditor provides an opinion on the financial statements and an opinion on the effectiveness of internal control over financial reporting. It is integrated in the sense that the auditor tries to use some of the same procedures to meet both objectives.

While the audit risk model was designed for audits of financial statements, it was not designed for audits of internal control. Audits of internal control are audits of processes rather than audits of outputs (financial statements). In addition, opinions on internal control do not rely on analytical procedures or on substantive tests of details. Because of this conceptual difference, the audit risk model, as originally formulated, does not work as a coherent conceptual framework for audits of internal control. As I discuss later, the auditor needs a different model for audits of internal control. The auditor needs to apply two different models in an integrated audit (the original model for the opinion on the financial statements and a different model for the opinion on internal controls). The need for a different risk model for internal control audits is not currently recognized in the auditing standards or in the auditing literature.

Background

In recent years, auditors have been asked to opine not only on financial statements, but also on the effectiveness of internal control over financial reporting (internal control), usually as part of an integrated audit. The two key laws requiring opinions on internal control are the Federal Deposit Insurance Corporation Improvement Act (FDICIA) of 1991 and the Sarbanes-Oxley Act of 2002. The U.S. Government Accountability Office (GAO) prefers that its financial audits include opinions on internal control (see GAO/PCIE 2008). To help auditors whose clients request opinions on internal control, the American Institute of Certified Public Accountants (AICPA) issued AT 501, which had been used for entities subject to the FDICIA, as well as for opinions on internal control issued by the GAO and others.
To provide guidance for auditors performing integrated audits under the Sarbanes-Oxley Act of 2002, the Public Company Accounting Oversight Board (PCAOB 2007) issued Auditing Standard No. 5 (hereafter, AS No. 5). The AICPA issued SSAE No. 15 in 2008, which revised AT 501 to substantially conform with AS No. 5. AT 501 is included in AICPA (2009a). The PCAOB (2008) issued an exposure draft of a proposed revision of its risk assessment standards. In late 2009, PCAOB (2009c) issued a revised exposure draft of its risk assessment standards. Although that revision provides definitions of and guidance on the components of audit risk, it does not directly contain the audit risk model. Thus, most of my discussion refers to the current AICPA standards. The AICPA recently issued an exposure draft (AICPA 2009b) to clarify the risk assessment standards and converge them with International Auditing Standards (ISAs). The ISAs and the AICPA exposure draft do not explicitly contain the audit risk model, although the concepts are there. The model is in the audit guides for audit sampling (AICPA 2008) and for assessing and responding to audit risk (AICPA 2006).

Relevant Literature

Two streams of literature are relevant. The first stream relates to the costs of integrated audits (and of implementing Sarbanes-Oxley). Research shows that integrated audits cost more than audits that provide opinions only on financial statements. For example, Raghunandan and Rama (2006) and Ettredge et al. (2006) found that Sarbanes-Oxley Section 404 requirements have significantly increased audit fees. Hoitash et al. (2009) also noted that audit fees increased during the period when Section 404 was implemented. Coates (2007) noted the higher implementation costs, but indicated costs have fallen substantially since the initial years under Section 404. Bierstaker et al. (2009) stated that there is little doubt that a desire to reduce compliance costs was the primary motive for the new standard (AS No. 5).
The research is unclear as to whether the higher costs under Sarbanes-Oxley are a result of auditors doing more work or because of changes in the market for audit services; most likely, they are a combination of both (see Huang et al. 2009).

The PCAOB has been trying to help reduce the costs of integrated audits. For example, the PCAOB's (2007) issuance of AS No. 5 and its staff guidance papers were in part a reaction to the high costs of Auditing Standard No. 2 (hereafter, AS No. 2) (PCAOB 2004); for example, see PCAOB (2009a, 2009b; 2005a, 2005b, 2005c, 2005d). Yet it is not clear why integrated audits should cost much more than financial statement audits. The requirements under FDICIA are similar to those under Sarbanes-Oxley. But the costs of FDICIA caused little outcry, and academics did little research concerning FDICIA. With Section 404 soon to become applicable to smaller issuers, it is important to control the costs of integrated audits. Perhaps the lack of a conceptual framework contributes to the higher costs of integrated audits. Thus, auditors would find useful a model that provides a conceptual framework to determine the extent of control testing.

The second stream of literature relates to the audit risk model. See Allen et al. (2006) for a discussion of the papers on audit risk assessment, including the audit risk model. Many of these papers help the auditor recognize the limitations of the model, including recognizing that the model is a framework, not a formula. For example, several early papers discuss issues with the multiplicative form of the model, including that, in certain situations, the model may understate the audit risk (see, for example, Kinney 1983; Jiambalvo and Waller 1984; Cushing and Loebbecke 1983). Smieliauskas (2007) asserted that the audit risk model does not incorporate accounting risks and does not integrate the new business risk approaches to auditing into a conceptual framework. Allen et al. (2006) stated:
Other studies have asserted that the audit risk model (ARM) has shortcomings, including: inherent risk and control risk get blurred or mixed (e.g., Haskins and Dirsmith 1995; Messier and Austen 2000); the ARM does not consider the quality of audit evidence (Dusenbury and Reimers 1996); the ARM does not consider the risk of incorrect rejection (e.g., Kinney 1989; Sennetti 1990; Boritz and Zhang 1999); and the ARM is inconsistent with actual auditors' judgments (Daniel 1988; Strawser 1990).

However, most of the papers were based on research done before the PCAOB developed the concept of integrated audits. Thus, none of the papers cited by Allen et al. (2006) discussed using the audit risk model for integrated audits. Allen et al. (2006) believed the following:
The emergence of the integrated audit of internal controls and financial statements offers research opportunities including:
(1) How does risk assessment for the financial statement audit relate to risk assessment for the internal control audit and vice versa?
(2) Are risks strongly linked to audit effort in internal control audits?
(3) What should be the nature of an audit risk model for the integrated audit of internal controls and financial statements?

In this paper, I propose responses to the first and the third research questions. In the next section, I provide an overview of the current audit risk model. After that, I explain why a different model is needed for an audit of internal controls. Then I present an overview of a proposed risk model to opine on internal control as a part of an integrated audit. I then discuss how to use the two models in an integrated audit and present thoughts for standard setters and academics.


THE AUDIT RISK MODEL FOR FINANCIAL STATEMENT AUDITS

Even though audit risk may be viewed as applying to the financial statements taken as a whole, AU 314 requires the auditor to evaluate audit risk at the relevant assertion level. Figure 1 presents a graphical depiction of the audit risk model applied at the relevant assertion level for financial statement audits. Audit risk is a function of the risk of material misstatement and of detection risk.² In symbols:

$$AR = f(RMM, DR) \tag{1}$$

where:

AR = audit risk (either desired or achieved),³ the risk that the auditor may unknowingly fail to appropriately modify his or her opinion on financial statements that are materially misstated (AU 312.02);⁴

RMM = risk of material misstatement, the auditor's combined assessment of inherent risk and control risk (AU 312.22). In other words, RMM is the auditor's assessment prior to the performance of substantive testing of the risk that the financial statements or an assertion are materially misstated; RMM includes risks of material misstatement because of both error and fraud; and

DR = detection risk, the risk that the auditor will not detect a misstatement that exists in a relevant assertion that could be material, either individually or when aggregated with other misstatements (AU 312.24). In other words, detection risk is the risk that all the tests of details and substantive analytical procedures performed concerning an assertion would fail to detect aggregate material misstatements⁵ that have occurred and were not detected and corrected⁶ by the entity's internal controls.

RMM may be further defined as follows:

$$RMM = f(IR, CR) \tag{2}$$

where:

IR = inherent risk, the auditor's assessment of the susceptibility of a relevant assertion to a misstatement that could be material, either individually or when aggregated with other misstatements, assuming there were no related controls (AU 312.21). IR includes the risks of both error and fraud; and

CR = control risk, the auditor's assessment of the risk that a misstatement that could occur in a relevant assertion and that could be material, either individually or when aggregated with other misstatements, will not be prevented or detected and corrected on a timely basis by the entity's internal control (AU 312.21). CR includes the risk that controls will fail to prevent and detect and correct both error and fraud.

The auditor also needs to determine and use the components of DR. DR may be divided into its components, as follows:

$$DR = f(TD, AP) \tag{3}$$

where:

DR = detection risk, as defined above;

TD = test of detail risk, the risk that the primary substantive test being designed will not detect aggregate material misstatements; auditors may use 1 minus TD as the level of assurance provided by the test;⁷ and

AP = analytical procedures and other substantive testing risk, the risk that analytical procedures and other substantive testing directed toward the same assertion will not detect aggregate material misstatements.

FIGURE 1 The Audit Risk Model for Financial Statement Audits, Applied at the Relevant Assertion Level

Objective: Low risk that, after all testing, relevant assertions in financial statements are materially misstated.

I use the function symbol because it is not clear what the form of the model should be. AU 312.26 uses a multiplicative model, even though the terms might not be independent and thus might cause the multiplicative model to understate the audit risk. The audit risk model does not consider the risk that the auditor will incorrectly determine that the financial statements are materially misstated when they are not. In those situations, management and those charged with governance will challenge the auditor's conclusion, and the auditor will do more work to determine the correct conclusion. If the auditor eventually modifies the report, the risk is still that the auditor failed to detect other matters that should have been added to the auditor's report, not that the modification is incorrect. Thus, this is an efficiency issue. This model also does not consider the risk that the auditor will make improper judgments about what constitutes a material misstatement. Rather, the firm's system of quality control usually helps the firm reach the appropriate decision.

⁵ "Aggregate material misstatements" means that the individual misstatements need not be material, but the total effect of misstatements for the period could be material.

⁶ The term "and corrected" is not in the current AU 312, but is included in the International Statements on Auditing (ISAs) and in other SASs.

⁷ Auditors using statistical sampling usually determine the risk of incorrect acceptance as TD; or they define the confidence level for primary substantive tests as 1 minus TD.


AN INTERNAL CONTROL RISK MODEL

Need for Model

An audit of internal control is different from an audit of financial statements. An audit of internal control involves the evaluation of processes. An audit of financial statements involves an evaluation of outputs. To audit internal control (if the audit were not an integrated audit), the auditor would not be required to perform substantive tests of account balances or classes of transactions.⁸ Even in an integrated audit, substantive tests are designed primarily to test financial statement assertions, not internal control effectiveness (although substantive tests might ultimately lead the auditor to detect internal control deficiencies). Tests of controls are the primary tests the auditor performs in an internal control audit.⁹

Because the audit risk model is designed to help the auditor determine the extent of control and substantive testing, including determining the desired level of assurance for substantive tests, the audit risk model in AU 312.26 is not directly applicable to an audit of internal control (whether integrated or not). Just as the audit risk model in AU 312.26 provides a conceptual framework to help auditors determine the extent of testing in financial statement audits, an appropriate model would provide a framework to help auditors determine the extent of testing in audits of internal control. This model would improve consistency in practice by allowing auditors to focus on the key elements in determining the extent of testing in internal control audits.

Audit Objective for Internal Control Audits

Before discussing the proposed model, it is important to describe the auditor's objective in an internal control audit. The objective of an internal control audit is not to detect material misstatements. AS No. 5 and SSAE No. 15 indicate:
The auditor's objective in an examination of internal control is to form an opinion on the effectiveness of the entity's internal control. Because an entity's internal control cannot be considered effective if one or more material weaknesses exist, to form a basis for expressing an opinion, the auditor should plan and perform the examination to obtain sufficient appropriate evidence to obtain reasonable assurance about whether material weaknesses exist as of the date specified in management's assertion. A material weakness in internal control may exist even when financial statements are not materially misstated. (SSAE No. 15, paragraph 9; AS No. 5, paragraph 3 contains similar wording)

Thus, the auditor's objective in an internal control audit is to obtain a high level of assurance that there are no undetected material weaknesses in the design, implementation, or operating effectiveness of controls.

Risk in an Internal Control Audit

In an audit of internal control, an initial definition of risk might be the risk of issuing an improper opinion on the effectiveness of internal control. As stated earlier, the auditor's objective is to obtain a high level of assurance about whether the entity's internal control system has a material weakness. The auditor should not give an unqualified opinion on internal control if the auditor believes that the risk of an undetected material weakness has not been reduced to a sufficiently low level. Thus, an operational definition of risk for an internal control audit is the risk that the entity has a material weakness that the auditor has not detected.
⁸ SSAE No. 15 and AS No. 5 apply only to integrated audits; AT 101 now applies to examinations of internal control that are not part of integrated audits.

⁹ Some tests could be dual purpose, having a control and a substantive aspect. The auditor evaluates each aspect separately.


If that is the definition of risk, what is the purpose of a conceptual framework for an audit of internal control? The purpose is to help the auditor determine how much testing is needed to reduce the risk of an undetected material weakness to a sufficiently low level. Material weaknesses can occur in two ways:

• a material weakness in the design or implementation of internal controls; and
• for adequately designed and implemented controls, a material weakness in the operating effectiveness of controls.

The auditor attempts to find material weaknesses in design or implementation by adequately evaluating the design of controls (including identifying missing controls), and by adequately testing whether the controls have been implemented. Typical procedures to do this include inquiry (often based on questionnaires or other practice aids), analyzing flowcharts, reading documentation, observation, walk-throughs, and some document examination. These risk assessment procedures are sometimes tests of controls.

The auditor attempts to find material weaknesses in the operating effectiveness of controls by performing an adequate test of the operating effectiveness of controls.¹⁰ An adequate test of controls is one with a low risk of failing to detect lack of effectiveness. An appropriate risk model for internal control audits would help the auditor determine an appropriate extent of testing of operating effectiveness.

Some might argue that auditors already are required to test controls under the risk assessment standards. For a financial statement audit, AU 314.40 requires that the auditor obtain a sufficient understanding of the five COSO components of internal control to evaluate the design of controls and to determine whether they have been implemented. Implementation is not the same as operating effectiveness. Only if the auditor decides to rely on controls to modify the nature, timing, or extent of substantive tests does the auditor need to test operating effectiveness of controls in a financial statement audit. In an integrated audit, the auditor is required to test controls to render an unqualified opinion.

Developing a Model

The model I propose recognizes that a material weakness can occur only in the following situations: (1) internal controls are not adequately designed for the inherent risk; (2) internal controls are not adequately implemented; or (3) adequately designed and implemented internal controls are not operating effectively. To avoid confusion between audit risk from the original model and risk in an internal control audit, I create a new term, incorrect control opinion risk, or ICOR.

I do not present a multiplicative form of the model because the presence of any one of the three conditions leads to a material weakness. To issue an unqualified opinion on internal control, the auditor needs to be satisfied that none of the three conditions exist. In certain circumstances, a multiplicative model would indicate that control tests are not needed. The multiplicative model understates the risk of an undetected material weakness because it allows the auditor to offset weak effectiveness with strong design or vice versa and therefore could cause the auditor to perform inadequate testing. For example, if the auditor assessed the design and implementation as excellent and assessed control design and implementation risk (defined later as CDIR) as low (say 5 percent), a multiplicative model would indicate that control tests are not needed. This is incorrect because the auditor needs to assess the design risk separately from the operating effectiveness risk and perform sufficient testing to conclude that each risk is low.
¹⁰ Some of the tests of implementation may also provide evidence about operating effectiveness.


Figure 2 presents a graphical description of my risk model for internal control audits. It is a simplification of the model in Figure 3, discussed in the Appendix. The model is:

$$ICOR = f(CDIR/\text{given } IR;\ COER/\text{if } CDIR \text{ effective}) \tag{4}$$

where:

ICOR = risk of an incorrect internal control opinion, the risk of the auditor reaching a conclusion that the entity's internal control has no material weaknesses when material weaknesses really exist but the auditor has not detected them;¹¹,¹²

IR = inherent risk, the auditor's assessment of the susceptibility of a relevant assertion to a misstatement that could be material, either individually or when aggregated with other misstatements, assuming there were no related controls (AU 312.21); see discussion below;

CDIR = control design and implementation risk, the auditor's assessment of the risk that the internal control system is not designed or implemented adequately, in light of the inherent risk, to prevent or detect and correct aggregate material misstatements; and

COER = control operating effectiveness risk, the auditor's assessment of the risk that an adequately designed and implemented internal control system is not being followed sufficiently to prevent or detect and correct aggregate material misstatements; see discussion below.

The auditor may assess CDIR and COER in planning and reassess them at the end of the audit to consider the achieved levels of those risks.

Inherent Risk

Inherent risk is the risk of material misstatement if there were no controls. Inherent risk includes both the overall risk factors that apply to the financial statements as a whole and the inherent risks that apply to specific assertions in individual account balances. If inherent risk is low, no matter how ineffective the controls, there is low risk of material weakness. This occurs because an integral part of determining whether a deficiency constitutes a material weakness is to assess both the magnitude and likelihood of a material misstatement that the internal controls would not prevent or detect and correct as a result of the deficiency. With low inherent risk, a material misstatement is unlikely.

¹¹ This model does not consider the risk that the auditor may identify what the auditor believes are material weaknesses that are in reality not material weaknesses. Similar to the treatment of the risk of incorrect rejection in financial statement audits, management and those charged with governance will challenge the auditor's conclusion and the auditor will do more work to eventually reach the correct conclusion. If the auditor ultimately issues an adverse opinion identifying material weaknesses, the auditor's risk is still additional undetected material weaknesses (not the risk of issuing an incorrect opinion). Thus, this is primarily an efficiency issue.

¹² This model also does not consider the risk that the auditor will improperly judge material weakness (as opposed to a significant deficiency or other internal control deficiency). Bedard and Graham (2009) discussed factors auditors consider in this decision. The model also assumes that the auditor correctly assesses design and implementation risks. The firm's system of quality control usually helps the firm reach the appropriate decision on these issues.


FIGURE 2 Risk Model, Applied at the Relevant Assertion Level, for Internal Control Audits

Objective: Low risk that, after all testing, there is an undetected material weakness.

However, inherent risk is usually not low, except perhaps for the existence assertion for accounts that are not material. In analyzing inherent risk, auditors often assume the competence of employees, or adequate supervision, or an adequate control environment. Because these are controls, the auditor needs to include them in the control risk analysis, not as the reasons for low inherent risk.

In the analysis of design and implementation, the auditor needs to determine whether the design and implementation of the controls are adequate given the nature and amount of inherent risk. That is, the auditor determines adequacy of internal controls in light of what could go wrong if there were no internal controls. If inherent risk is high, the entity needs stronger controls to prevent or detect and correct misstatements. As inherent risk decreases, the need for controls lessens. For example, one entity might have low transaction volume and simple transactions (low inherent risk); that entity can have relatively simple internal controls. Another entity might have a large volume of transactions, some of which are complex (high inherent risk). That entity might need sophisticated computer edits, exception reports, documented review, and follow-up of those reports to have effectively designed controls. Thus, inherent risk is not a separate term in the model; rather, I define the CDIR term as: CDIR/given IR.

The definition of inherent risk focuses on material misstatements, not material weaknesses. No separate term exists in the model for risk of material weakness. Rather, the auditor evaluates design by considering whether the design is adequate to sufficiently reduce (control) the risk caused by the inherent risk.

Control Operating Effectiveness Risk (COER)

The auditor uses COER to determine the extent of control testing. Thus, it is similar to detection risk for financial statement audits. The auditor would use 1 minus COER to determine the assurance level needed for control tests.¹³ The model highlights that the auditor tests controls only when they are adequately designed and implemented. If the auditor determines that the controls are not adequately designed or implemented, the auditor already has determined that there is a control deficiency and evaluates whether the deficiency is a material weakness. Therefore, the COER term is conditional.

Expanding the Model

The above model is a starting point in developing a conceptual approach for internal control audits. The auditor may expand the model to separately include the control environment. SSAE No. 15 and AS No. 5 state:
Because of its importance to effective internal control, the auditor should (must in AS No. 5) evaluate the control environment at the entity. When evaluating the control environment, the auditor should apply paragraphs 0.67–0.75 of AU section 314. As part of evaluating the control environment, the auditor should assess:

• whether management's philosophy and operating style promote effective internal control;
• whether sound integrity and ethical values, particularly of top management, are developed and understood; and
• whether those charged with governance understand and exercise oversight responsibility over financial reporting and internal control.

(SSAE No. 15, paragraph 40; AS No. 5, paragraph 25).

This requires a separate evaluation of the design, implementation, and operating effectiveness of the control environment. In the Appendix, I expand the model to include the control environment.

If the auditor finds material weaknesses in the control environment, the auditor is likely to find other material weaknesses. The auditor might wish to stop and issue an opinion indicating that because material weaknesses exist in the control environment, the auditor concludes that the controls are not effective. However, because other undetected material weaknesses might exist, SSAE No. 15 and AS No. 5 do not permit the auditor to issue an adverse opinion if there is a scope limitation. Thus, I do not develop a model that allows the auditor to discontinue testing of internal control after analyzing only the design, implementation, and operating effectiveness of the control environment.

The auditor could further expand the model by dividing internal control into its five components. Under the COSO framework, internal control is composed of the control environment, the entity's risk assessment process, information and communication, control activities, and monitoring. AU 314 requires a separate understanding of the design and implementation of each of these five elements. Expansion of the model to include a separate understanding of the design and implementation of each of the five components is beyond the scope of this paper.

USING TWO MODELS IN AN INTEGRATED AUDIT

For an integrated audit, the auditor would use the two models sequentially. First, the auditor would use the internal control risk model as a framework to determine the extent of control tests. Then the auditor would use the financial statement audit risk model as a framework to determine the extent of substantive testing.
¹³ The auditor using statistical sampling would use COER for the risk of assessing control risk too low or 1 minus COER as the confidence level for control tests.


The auditor may perform the internal control audit and, after all testing, conclude that the risk of an undetected material weakness is low. If so, the risk of material misstatement is also low. This is because the effective controls will overcome the inherent risks and thus prevent or detect and correct material misstatements. If the auditor is planning an integrated audit and expects to be able to provide an opinion that controls are effective (low risk of undetected material weaknesses), the auditor would usually plan substantive testing assuming low risk of material misstatement. If, based on the understanding of control design and implementation, the auditor performing an integrated audit believes that the risk of material misstatement is other than low, it usually is because the auditor expects to find that the controls are not effective to overcome the inherent risk. In this situation, the auditor would expect to find material weaknesses. Thus, the models are related.

In some financial statement audits, the auditor is required to test the operating effectiveness of internal controls whenever the auditor concludes the design and implementation are effective (the preliminary assessment is that control risk is low).14 In those situations, the auditor cannot avoid tests of controls. If, after sufficient testing, the auditor concludes that control risk is low, the auditor usually is satisfied that the risk of undetected material weakness is low. In that situation, the auditor usually has done enough to issue the opinion that internal control is effective.

THOUGHTS FOR STANDARD SETTERS

I believe standard setters should sponsor research on an appropriate risk model for audits of internal control (see next section for some research topics).
Even before the research is completed, the standards could be enhanced in the following ways: indicate that the original audit risk model is intended for use only in financial statement audits, not internal control audits; write standards that consistently use risk terminology and are clear as to which risk they are discussing (e.g., risk of material misstatement versus risk of material weakness); and provide guidance on the use of models in integrated audits.

THOUGHTS FOR ACADEMIA

Because the auditing profession has issued opinions on internal control as part of integrated audits for only a short time, research is needed on the fundamental concepts underlying those audits. I believe this paper is the first to raise issues about the use of the audit risk model for integrated audits and to provide a new model for those audits. Future research could determine a more specific model based on how auditors perform these audits. Some research questions include, for example: What models and approaches are currently used in practice? How does current practice compare with the model proposed and other models? Are models useful in providing a conceptual framework for integrated audits? What are the current practices for the auditor's evaluation of inherent risk? How do those practices compare with risk models? How do auditors assess design and implementation of internal controls in light of inherent risk without considering operating effectiveness?
14 For example, in some government audits, such as those subject to the Office of Management and Budget's (OMB) audit guidance for Chief Financial Officer (CFO) Act agencies, the auditor is required to test internal controls whenever the auditor assesses control design and implementation as adequate.


What are the current practices for the auditor's evaluation of design, implementation, and operating effectiveness of the control environment? Are those practices adequate to effectively use in a risk model? How should conditional probabilities be considered in the model? Is expansion of the model useful? How would a revised model be used in an integrated audit? What changes to the audit risk model for financial statement audits are needed to make that model more effective?

In addition to the research issues, a need also exists for improved textbooks and teaching materials on integrated audits. These materials could include case studies and should focus on the underlying concepts, not just the rules in AS No. 5 and SSAE No. 15.

APPENDIX
EXPANDING THE MODEL FOR CONTROL ENVIRONMENT

As discussed in the section "Expanding the Model," AS No. 5 and SSAE No. 15 require a separate assessment of the control environment. Figure 3 presents a graphical description of an expanded model where control environment design and operating effectiveness are separate factors in the model.

FIGURE 3
Risk Model, Applied at the Relevant Assertion Level, for Internal Control Audits: Expanded for Effect of Control Environment
Objective: Low risk that, after all testing, there is an undetected material weakness.

The model becomes:

ICOR = f(CEDIR, CDIR / both given IR; CEOER / if CEDIR effective; COER / if CDIR effective)    (5)

where:

ICOR = risk of incorrect internal control opinion, as defined in Equation (4);
IR = inherent risk, as defined in Equation (4);


CEDIR = control environment design and implementation risk, the auditor's assessment of the risk that the control environment is not designed or implemented adequately to prevent or detect and correct aggregate material misstatements;
CEOER = control environment operating effectiveness control risk, the auditor's assessment of the risk that an adequately designed control environment is not being followed sufficiently to prevent or detect and correct aggregate material misstatements;
CDIR = control design and implementation risk, the auditor's assessment of the risk that the internal control system (except the control environment) is not designed adequately to prevent or detect and correct aggregate material misstatements; and
COER = control operating effectiveness risk, the auditor's assessment of the risk that an adequately designed internal control system (except the control environment) is not being followed sufficiently to prevent or detect and correct aggregate material misstatements.

REFERENCES
Allen, R. D., D. R. Hermanson, T. M. Kozloski, and R. J. Ramsay. 2006. Audit risk assessment: Insights from the academic literature. Accounting Horizons 20 (2): 157-177.
American Institute of Certified Public Accountants (AICPA). 2006. Assessing and Responding to Audit Risk in a Financial Statement Audit (audit guide). New York, NY: AICPA.
AICPA. 2008. Audit Sampling (audit guide). New York, NY: AICPA.
AICPA. 2009a. Codification of Statements on Auditing Standards (Including Statements on Standards for Attestation Engagements) Numbers 1 to 116. New York, NY: AICPA.
AICPA. 2009b. Proposed Statements on Auditing Standards, Risk Assessment. New York, NY: AICPA.
Bedard, J. C., and L. Graham. 2009. Factors affecting the severity of Sarbanes-Oxley Section 404 internal control deficiencies: Archival evidence. Working paper, Bentley University.
Bierstaker, J. L., J. E. Hunton, and J. C. Thibodeau. 2009. Do client-prepared internal control documentation and business process flowcharts help or hinder an auditor's ability to identify missing controls? Auditing: A Journal of Practice & Theory 28: 79-94.
Boritz, J. E., and P. Zhang. 1999. The auditor's objectivity under negligence liability system. Auditing: A Journal of Practice & Theory 18 (Supplement): 147-165.
Coates, J. C., IV. 2007. The goals and promise of the Sarbanes-Oxley Act. The Journal of Economic Perspectives 21 (1): 91-116.
Cushing, B., and J. K. Loebbecke. 1983. Analytical approaches to audit risk: A survey and analysis. Auditing: A Journal of Practice & Theory 3: 23-48.
Daniel, S. 1988. Some empirical evidence about the assessment of audit risk in practice. Auditing: A Journal of Practice & Theory 7 (2): 174-181.
Dusenbury, R. B., and J. L. Reimers. 1996. An empirical study of belief-based and probability-based specifications of audit risk. Auditing: A Journal of Practice & Theory 15 (2): 12-28.
Ettredge, M., C. Li, and L. Sun. 2006. The impact of internal control quality on audit delay in the SOX era. Auditing: A Journal of Practice & Theory 25: 1-24.
Government Accountability Office/President's Council for Integrity and Efficiency (GAO/PCIE). 2008. Financial Audit Manual. Available at: http://www.gao.gov/special.pubs/gaopcie/.
Haskins, M. E., and M. W. Dirsmith. 1995. Control and inherent risk assessments in client engagements: An examination of their interdependencies. Journal of Accounting and Public Policy 14 (1): 63-83.
Hoitash, R., U. Hoitash, and J. C. Bédard. 2009. Internal controls quality and audit pricing under the Sarbanes-Oxley Act. Auditing: A Journal of Practice & Theory (forthcoming).
Huang, H.-W., K. Raghunandan, and D. Rama. 2009. Audit fees for initial audit engagements before and after SOX. Auditing: A Journal of Practice & Theory 28: 171-190.
Jiambalvo, J., and W. S. Waller. 1984. Decomposition and assessments of audit risk. Auditing: A Journal of Practice & Theory 4: 80-88.


Kinney, W. R., Jr. 1983. A note on compounding probabilities in auditing. Auditing: A Journal of Practice & Theory 2: 13-22.
Kinney, W. R., Jr. 1989. Achieved audit risk and the audit outcome space. Auditing: A Journal of Practice & Theory 8 (Supplement): 67-84.
Messier, W. F., Jr., and L. A. Austen. 2000. Inherent risk and control risk assessments: Evidence on the effect of pervasive and specific risk factors. Auditing: A Journal of Practice & Theory 19 (2): 119-131.
Public Company Accounting Oversight Board (PCAOB). 2004. An Audit of Internal Control over Financial Reporting Performed in Conjunction with an Audit of Financial Statements. Auditing Standard No. 2. Available at: http://www.pcaobus.org/Standards/Standards_and_Related_Rules/Auditing_Standard_No.2.aspx.
PCAOB. 2005a. An Audit of Internal Control over Financial Reporting Performed in Conjunction with an Audit of Financial Statements. Report on the initial implementation of Auditing Standard No. 2. November 30. Available at: http://www.pcaobus.org/Inspections/Other/2005/11-30_Release_2005-023.pdf.
PCAOB. 2005b. An Audit of Internal Control over Financial Reporting Performed in Conjunction with an Audit of Financial Statements. Policy statement regarding implementation of Auditing Standard No. 2. May 16. Available at: http://www.pcaobus.org/Rules/Docket_008/2005-05-16_Release_2005-009.pdf.
PCAOB. 2005c. Staff Questions and Answers: Auditing Internal Control over Financial Reporting. May 16. Available at: http://www.pcaobus.org/Standards/Staff_Questions_and_Answers/2005/05-16.pdf.
PCAOB. 2005d. Staff Questions and Answers: Auditing Internal Control over Financial Reporting. January 21. Available at: https://corporatecompliance.org/Content/NavigationMenu/Resources/IssuesAnswers/AuditingControlReporting05-01-21.pdf.
PCAOB. 2007. An Audit of Internal Control over Financial Reporting that is Integrated with an Audit of Financial Statements. Auditing Standard No. 5. Available at: http://www.pcaobus.org/Rules/Rules_of_the_Board/Auditing_Standard_5.pdf.
PCAOB. 2008. Proposed Auditing Standards Related to the Auditor's Assessment of and Response to Risk. Available at: http://www.pcaobus.org/Rules/Docket_026/2008-10-21_Release_No_2008-006.pdf.
PCAOB. 2009a. An Audit of Internal Control over Financial Reporting that is Integrated with an Audit of Financial Statements: Guidance for Auditors of Smaller Public Companies. Available at: http://www.pcaobus.org/Standards/Standards_and_Related_Rules/AS5/Guidance.pdf.
PCAOB. 2009b. An Audit of Internal Control that is Integrated with an Audit of Financial Statements. Report on the first-year implementation of Auditing Standard No. 5. September 24. Available at: http://www.pcaobus.org/Inspections/Other/2009/09-24_AS5_4010_Report.pdf.
PCAOB. 2009c. Proposed Auditing Standards Related to an Auditor's Assessment of and Response to Risk and Related Amendments to PCAOB Standards. December 17. Available at: http://www.pcaobus.org/Standards/Standards_and_Related_Rules.aspx.
Raghunandan, K., and D. Rama. 2006. SOX Section 404 material weakness disclosures and audit fees. Auditing: A Journal of Practice & Theory 25: 99-114.
Sennetti, J. 1990. Toward a more consistent model for audit risk. Auditing: A Journal of Practice & Theory 9 (2): 103-112.
Smieliauskas, W. 2007. What's wrong with the current audit risk model? Accounting Perspectives 6 (4): 343-368.
Strawser, J. R. 1990. Human information processing and the consistency of the audit risk model. Accounting and Business Research 21 (Winter): 67-75.


Copyright of Accounting Horizons is the property of American Accounting Association and its content may not be copied or emailed to multiple sites or posted to a listserv without the copyright holder's express written permission. However, users may print, download, or email articles for individual use.
