
Audit Risk and Internal Controls
Atta-ur-Rahman Arif

Audit Risk Model


AR = IR x CR x DR
AR = Audit risk
Also referred to as Residual Risk
The risk that the auditor will incorrectly
issue an unqualified opinion

IR = Inherent risk
The risk of material misstatements
absent any internal controls or testing

Audit Risk Model


CR = Control risk
The risk that internal controls will fail to
prevent or detect material misstatement

DR = Detection risk
The risk that audit tests will fail to detect
material misstatement

Therefore, audit risk is a function of inherent risk, unchecked by controls and not detected by the auditor

Risk Components
Inherent risk
Higher in complex transactions
Higher where items are more naturally
prone to fraud
Based in part on prior experience
Industry and management pressures

Inherent risk cannot be changed by the auditor

Control Risk
Part of Audit Risk Model
Depends on the design and execution of controls
Audit Risk = risk that internal controls will FAIL to
prevent or detect misstatement
High CR means high risk controls will fail
Low CR means low risk controls will fail

If CR is high, auditor will not rely much on controls
If CR is low, auditor can rely on ICS and reduce other types of testing

Is Risk Quantifiable?
Yes and No
Often assessed in percentage terms
Requires judgment because no
number is out there to be measured
Detection risk needs to be quantified
for statistical testing

Interrelationship of Risks
If IR and CR are high, then DR should be low (lots of testing)
If IR is high and CR is low: DR can be higher, because controls offset high IR
If IR is low and CR is low: DR can be high
If IR is low but CR is high: Somewhat indicative of fraud. DR should be very low

What is Acceptable Audit Risk?


Risk the auditor is willing to take of being wrong
Generally considered in terms of unqualified where there are misstatements, but not in reverse
Depends on engagement risk
Financial stability
Industry factors
Management integrity

Degree of reliance on audited statements

Keep Things Open


Control risk assessment must be
backed up by control testing results
If tests show weaker controls, CR is
higher, thus DR needs to be lower

Internal Control
Objectives
Reliability of financial statements
Efficiency and effectiveness of
operations
Compliance with laws and
regulations
Safeguarding of assets

Underlying Limitations
Reasonable assurance
Cost-benefit
Inherent limitations
collusion

Design of ICS

Preventing material misstatements
Detecting material misstatements
Preventing misappropriation
Detecting misappropriation
SarbOx: Management must assess and
report on design
How are transactions initiated, authorized, recorded, processed, and reported?
Are there any weaknesses?

Management's Report on ICS

Must describe design
Must make assertions about effectiveness
Must report material weaknesses
A single weakness prevents claim that ICS is
operating effectively
Must be able to document basis for report
Auditor will provide an opinion on the report
Any weaknesses mean that auditor's report will be adverse.

Risk Assessment
Management's identification of risks
Economic
Industry
Regulatory
Operating risks

Analysis and management of risks


Examples
Oil companies in the Gulf of Mexico
Smith Corona

Control Activities
Policies and procedures to address
risks
Pertains to all four other areas
Separation of duties
Proper authorization
Adequate documents and records
Physical control over assets and
records
Independent checks

Information and
Communication
Initiates, records, processes, and
reports
Transaction cycles
Subsidiaries and controls
Think of PERCV

Monitoring
Need to ensure controls are working
Monitoring now more pressing
because of SarbOx
Control needs change
Personnel change
Organizational structure changes
