Risk Assessment Procedures
Risk assessment is the engine that drives the modern audit. Rather than testing every transaction, auditors concentrate their efforts on the areas most likely to contain material misstatements. This risk-based approach requires the auditor to identify, assess, and respond to risks at both the financial statement level and the assertion level.
This section covers the three types of misstatements, the audit risk model (AR = RMM × DR), the components of the risk of material misstatement, the concept of detection risk, factors that increase inherent risk, and how the auditor adjusts substantive procedures to achieve the desired level of assurance.
Risk assessment procedures are addressed in AU-C 315 (AICPA) for nonissuers and AS 2110 (PCAOB) for issuers. The auditor performs risk assessment procedures to obtain an understanding of the entity and its environment, including its internal control, and to identify and assess the risks of material misstatement.
Three Types of Misstatements
Not all misstatements are the same. Auditing standards recognize three distinct types, each arising from a different source:
| Type | Description | Example |
|---|---|---|
| Factual misstatement | A misstatement about which there is no doubt; the amount is clearly wrong | Gies Co. records a $50,000 invoice twice, resulting in a definite overstatement of expenses |
| Judgmental misstatement | A misstatement arising from management's judgments about accounting estimates or the selection/application of accounting policies that the auditor considers unreasonable | MAS Inc. estimates its warranty liability at $100,000, but the auditor's analysis suggests $300,000 is more appropriate given historical claim rates |
| Projected misstatement | The auditor's best estimate of misstatement in a population, extrapolated from misstatements identified in an audit sample | The auditor tests a sample of Kingfisher Industries' inventory items and finds errors totaling $15,000. Extrapolating to the full population, the projected misstatement is $120,000 |
The CPA exam may ask you to distinguish these types. Remember: factual = certain and definite, judgmental = stems from estimates or accounting policy disagreements, projected = extrapolated from a sample to the population.
The Audit Risk Model
Audit risk is the risk that the auditor expresses an inappropriate opinion when the financial statements are materially misstated. In other words, it is the risk of issuing a clean opinion on financial statements that contain a material misstatement.
The audit risk model expresses this relationship mathematically:
AR = RMM × DR
Where:
- AR = Audit Risk (the overall risk the auditor accepts)
- RMM = Risk of Material Misstatement (the risk that the financial statements contain a material misstatement before the audit)
- DR = Detection Risk (the risk that the auditor's procedures will fail to detect a material misstatement that exists)
Expanding the Model
The risk of material misstatement can be further decomposed:
RMM = IR × CR
Where:
- IR = Inherent Risk
- CR = Control Risk
So the full model becomes:
AR = IR × CR × DR
The auditor does not control inherent risk or control risk—these are characteristics of the entity. The only component the auditor can directly influence is detection risk, by adjusting the nature, timing, and extent of audit procedures.
Risk of Material Misstatement (RMM)
The risk of material misstatement represents the likelihood that the financial statements contain a material misstatement before the audit is conducted. It has two components:
Inherent Risk (IR)
Inherent risk is the susceptibility of an assertion to a misstatement that could be material, before considering any related controls. It reflects the inherent characteristics of the account, transaction, or disclosure.
Factors that increase inherent risk include:
- Complexity of transactions or calculations (e.g., complex financial instruments, derivatives)
- Degree of subjectivity in measurements (e.g., fair value estimates, allowances for doubtful accounts)
- Susceptibility to theft or misappropriation (e.g., cash, inventory, marketable securities)
- Volume of transactions processed near the end of the reporting period
- Non-routine or unusual transactions (e.g., related-party transactions, one-time restructurings)
- Degree of management judgment required in applying accounting principles
- Industry conditions (e.g., rapidly changing technology, heavy regulation)
- Economic environment (e.g., recession, market downturns)
Example: Illini Entertainment produces feature films and must estimate the ultimate revenue and amortization of film costs—a highly subjective process involving significant management judgment. The inherent risk for the film cost asset is high due to the complexity and uncertainty of the estimates.
Control Risk (CR)
Control risk is the risk that a misstatement that could be material will not be prevented or detected on a timely basis by the entity's internal controls.
Key points about control risk:
- Control risk is a function of the effectiveness of the entity's internal controls
- The auditor assesses control risk based on the entity's internal controls, not on the auditor's own procedures
- If the auditor decides not to test controls, control risk is assessed at the maximum (i.e., the auditor assumes controls are ineffective)
- Even when controls are well-designed and operating effectively, control risk can never be reduced to zero due to inherent limitations of internal control
Example: BIF Partners assesses control risk for Illini Security's cash disbursements cycle. Illini Security has strong segregation of duties—one person prepares checks, another signs them, and a third reconciles the bank statement. After testing these controls and finding them operating effectively, BIF Partners assesses control risk as low for the cash disbursements assertions.
Detection Risk (DR)
Detection risk is the risk that the auditor's procedures will fail to detect a misstatement that exists and could be material. Unlike inherent risk and control risk, detection risk is directly controlled by the auditor.
The Inverse Relationship
Detection risk has an inverse relationship with the risk of material misstatement:
| RMM Level | Required DR Level | Auditor's Response |
|---|---|---|
| High | Low | Must perform more extensive, more persuasive substantive procedures |
| Low | High | Can accept a higher detection risk and perform less extensive procedures |
The auditor can never set detection risk at zero. There is always some risk that procedures will not detect a material misstatement—due to the inherent limitations of sampling, the possibility of selecting inappropriate procedures, or human error in performing or evaluating procedures.
How Detection Risk Affects Procedures
When the auditor needs to decrease detection risk (because RMM is high), the auditor adjusts the nature, timing, and extent of substantive procedures:
| Dimension | Lower Detection Risk (More Work) | Higher Detection Risk (Less Work) |
|---|---|---|
| Nature | More reliable procedures (e.g., external confirmations instead of internal inquiries) | Less rigorous procedures may suffice |
| Timing | Testing at or near the balance sheet date rather than at interim | Interim testing may be acceptable |
| Extent | Larger sample sizes, more items tested | Smaller sample sizes |
Example: The auditor determines that inherent risk and control risk for MSA Records' revenue recognition are both high (complex licensing arrangements with variable consideration). The combined RMM is high, so the auditor must set detection risk low. The auditor responds by performing detailed contract-by-contract testing of revenue transactions (nature), concentrating testing at year-end rather than interim (timing), and selecting a larger sample of contracts for testing (extent).
How the Auditor Increases Assurance from Substantive Procedures
When the assessed risk of material misstatement is high, the auditor must obtain more persuasive audit evidence through substantive procedures. The auditor achieves this by:
- Increasing the quantity of evidence — Testing more transactions, examining more documents, confirming more balances
- Improving the quality of evidence — Relying on external rather than internal sources, using original documents rather than copies, obtaining evidence directly rather than through inquiry alone
- Performing procedures closer to year-end — Evidence obtained at or after the balance sheet date is generally more relevant than evidence obtained during interim periods
- Using more experienced personnel — Assigning senior auditors or specialists to high-risk areas
- Increasing the unpredictability of procedures — Varying the procedures performed, the timing, or the locations tested to reduce the risk that management can anticipate and circumvent auditor testing
The CPA exam often tests the inverse relationship between RMM and detection risk. If a question describes a situation where inherent risk is high (e.g., complex estimates, susceptibility to fraud), the correct answer will involve the auditor performing more work—larger samples, more reliable evidence, testing closer to year-end.
Summary
| Concept | Definition | Key Point |
|---|---|---|
| Audit risk | Risk of issuing an inappropriate opinion on materially misstated financials | AR = RMM × DR |
| Inherent risk | Susceptibility to material misstatement before controls | Driven by complexity, subjectivity, volume, and susceptibility to theft |
| Control risk | Risk that controls fail to prevent or detect material misstatement | Assessed based on entity's controls; maximum if controls are not tested |
| Detection risk | Risk that auditor's procedures fail to detect material misstatement | Only component the auditor controls; inversely related to RMM |
| Factual misstatement | Definite, undisputed error | No judgment involved |
| Judgmental misstatement | From unreasonable estimates or policy application | Requires auditor's assessment of reasonableness |
| Projected misstatement | Extrapolated from sample results to the population | Based on sampling |