Audit Risk Model: Quantifying (And Reducing) Your Mistakes

The concept of the audit strikes fear into the hearts of most people. They immediately think of the IRS knocking on their door and taking all of their money. While a variation of that situation may be true sometimes, most of the time it simply means that someone is checking to make sure things within a business are running properly. An audit may take many different forms and occur in all kinds of organizations; most are audited because the law or necessity requires it, or because management requests it.

The type of audit we are discussing today is the financial type, where a firm’s financial statements are scrutinized, and even more specifically, the audit risk model. Audit risk is the chance that an auditor might make an inappropriate assessment of certain financial statements, and the associated model is the quantification of the chances that this risk may occur. If the world of accounting and financial statements is new to you, this course on interpreting financial statements, and this course on the basics of financial accounting will give you a good foundation to start with.

More About the Audit Risk

So why would a business ever want to be audited? If they have something to hide, they probably would rather not get audited. However, an audit of a business’ financial statements is done mainly to determine whether the information provided by these statements is valid and reliable, and also to assess the effectiveness of a firm’s system of internal controls. The goal of these investigations is for the auditor to provide an opinion on the operations of the business, firm, organization, etc. For some reason, the auditor may provide an erroneous opinion about these financial statements, and the chance of that happening is called audit risk, or residual risk. Not only does this subject fall within the worlds of finance and accounting, but also within the realm of risk management. If you’re curious about this career, this course on the basics of risk management, and this article on financial risk management will let you know if this industry is right for you.

The cause of audit risk may be the auditor’s failure to detect an issue, either by error or fraud. Audit risk is such an important issue in the worlds of financial accounting and auditing that there is a set of rules that attempt to prevent such errors from happening. They were put into place by the International Federation of Accountants (IFAC), and the rules are referred to as the International Standards of Auditing; section 315 (ISA 315) specifically deals with audit risk.

Some examples of auditing errors include:

  • Issuing an unqualified audit report when qualification was necessary
  • Issuing a qualified audit report when no qualification was needed
  • Failing to emphasize an important aspect of the report
  • Providing an opinion that was formed as a result of limited scope

The Audit Risk Model

In the process of quantifying the chances that an audit risk can occur, three factors are taken into account: inherent risk, control risk, and detection risk, and the formula is as follows:

Audit Risk = Inherent Risk x Control Risk x Detection Risk

  1. Inherent Risk: This type of risk is more likely to arise when more subjectivity is required in the auditor’s assessment, especially when they’re auditing highly complex activities, and as a result, an error or omission is more likely to occur. An example of inherent risk would be during the auditing of transactions that involve complex calculations that are susceptible to error. If math isn’t one of your strong points, this course on easy advanced math skills should clear that right up. Other major factors in inherent risk are theft and fraud, as well as external factors, such as the state of the economy, inventory obsolescence, and expiring patents, among others.
  2. Control Risk: If a firm’s internal controls, which are the processes used to ensure that effectiveness and efficiency objectives are met, somehow fail, or are otherwise insufficient, then a control risk may occur. If these internal controls are inadequate when detecting fraud and error, then there’s a high chance of control risk. Control risk and inherent risk are closely tied together, and are sometimes difficult to tell apart. An example of when control risk can possibly happen is when the organization is small in size, and people who may not have sufficient qualifications are preparing the financial statements.
  3. Detection Risk: Finally, detection risk occurs when the auditor fails to detect an error in the financial statements. There are proper procedures that the auditor must apply to the statements in order to detect these errors, or misstatements, and if these procedures were applied incorrectly, or not at all, the error may go unnoticed, resulting in a detection risk. There are inherent limitations in the auditing process, like the use of sampling in selecting transactions, but detection risk can be limited by increasing the number of transactions sampled for more detailed testing. The level of detection risk that the auditor can accept is inversely proportional to the inherent and control risks: the higher the inherent and control risks, the lower the detection risk that is acceptable to the auditor in order to keep misstatements at an acceptably low level.

Once these three factors are taken into account, the audit risk model may then be figured out, and the overall risk of the auditing session may then be managed.

Audit Risk Model Example

Jim’s Auditing Firm (JAF) has recently been hired to assess the inner workings of Anne’s Big Company (ABC). While planning the audit, JAF learned a few things about ABC:

  • ABC is in the financial services sector.
  • They have a large and detailed network of subsidiaries, overseas branches, and associates.
  • ABC has no internal auditing department, and those that are part of this auditing department have little to no background in finance, even though this is against corporate guidelines.
  • JAF’s policy is to keep the overall audit risk below 10%.

Because ABC operates in a very complex and highly regulated sector, with a very detailed network of associates, there’s a very good chance that their financial statements could be misinterpreted by JAF’s auditor, and as a result, there is high inherent risk. Also, because ABC lacks a proper internal auditing committee to oversee their financial statements, and theirs is a particularly regulation-heavy sector, the audit’s control risk is also considered to be high.

Control risk and inherent risk are assumed to be 60% each, which means that the detection risk must be set at 27.8% in order for the pre-determined audit risk of 10% to not be exceeded.

Using the formula Audit Risk = Inherent Risk x Control Risk x Detection Risk, we already have the values for the audit risk (10% = .10), and the control and inherent risks (60% = .60), and we need to find the detection risk for this particular audit.

.10 = .60 x .60 x Detection Risk

.10/.36 = Detection Risk

Detection Risk = .278 = 27.8%

Even the stuffy world of auditing and financial accounting can be risky, and now you know how to calculate that risk. While it may not seem like the most exciting job in the world, there are people out there that can think of nothing more riveting than to not only audit a company, but to then calculate and attempt to mitigate the risk of making mistakes. What other career can say that they quantify their rates of messing up, let alone admit to even making them? If auditing seems like something you’d like to do, this course on SAP audit compliance is a thorough overview of this career.