What is Audit Risk?

In forming an opinion on the financial statements, an auditor faces various audit-related risks and risk components. Two types of audit-related risk can be distinguished: audit risk and business risk. Audit risk can generally be defined as the probability of incorrectly reporting on the financial statements, and is a function of a number of auditor- and auditee-related risk components. Business risk relates to the adverse consequences to the audit firm arising from any litigation or criticism concerning the auditor’s work or the client’s audited financial statements. Some major elements of business risk are: litigation, sanctions imposed by public or private regulatory bodies, and impaired professional reputation.


This post provides a short overview of audit risk from the point of view of the literature. Enjoy!


Two distinct approaches have evolved in the literature:

  • the risk analysis approach; and
  • the audit modeling approach.

The former approach focuses only on risk related to audit tasks, thereby ignoring business risk. Audit risk analysis has been the result of a movement toward the idea of basing audit scope and timing decisions on a more explicit analysis of audit risk. The major purpose of audit risk models is to help the auditor to obtain a given degree of confidence that the financial statements do not contain a material error. Economic considerations are not explicitly taken into account, and the focus is rather on effective audit risk control. In the second approach, audit decision models are more comprehensive in nature than audit risk models: a broader set of factors is taken into account (such as audit risk, audit costs, etc.). This type of model may serve as an aid for auditors in identifying an efficient and cost-effective way by which a suitable (i.e., cost-minimizing) level of confidence can be achieved.

The most general definition of audit risk is the risk or probability of incorrectly reporting on the financial statements. This embodies both the risk of incorrect rejection or α-risk [also type I error risk] and the risk of incorrect acceptance or β-risk [also type II error risk]. The distinction between “α” and “β” risk types is used both in the context of a single reported book value and at the aggregated level of the financial statements as a whole. The difference between α and β risk is clarified in the article by Elliott & Rogers (1972). It stems from the application of the statistical hypothesis testing approach to the audit setting, which permits the auditor to measure and control both types of risk.

Along another dimension that is directly related to the use of statistical sampling methods in audit testing, audit risk can also be viewed to entail two other types of risk: “sampling risk” and “non-sampling risk”.

Roberts (1978) defined sampling risk as:

the portion of audit risk of not detecting a material error that exists because the auditor examined a sample of the account balances or transactions instead of every one.


Non-sampling risk then is:

the portion of audit risk of not detecting a material error that exists because of inherent limitations of the procedures used, the timing of the procedures, the system being examined, and the skill and care of the auditor.


Although both types of risk are defined here in the light of β-risk, a distinction between sampling and non-sampling risk equally applies to α-risk. Roberts further defines another concept, the d-risk, as the sampling risk of unwarranted reliance in statistical compliance tests.

Finally, there exist three distinct forms of (total) audit risk:

  • There is the planned level of acceptable audit risk (or, desired audit risk), specified before the substantive audit procedures are performed.
  • There is the true ex post level of audit risk (a synonym for ex post audit risk is achieved audit risk), which is unknown to the auditor.
  • There is the estimate of ex post audit risk as made by the auditor.  


Multiplicative Audit Risk Model  

The use of an audit risk model for financial statement auditing has been established in various auditing standards. General statements about risk consideration have evolved into detailed guidance on quantitative risk assessment. An understanding of the importance of risk evaluation was already shown in professional standards in the USA as early as 1963 (see AU Section 150.05 of The American Institute of Certified Public Accountants (AICPA) professional standards):

The degree of risk involved also has an important bearing on the nature of the examination. . . . The effect of internal control on the scope of the examination is an outstanding example of the influence on auditing procedures of a greater or lesser degree of risk of error; i.e., the stronger the internal control, the less the degree of risk.


The first explicit incorporation of a formula in the standards occurred only in 1972, when the AICPA published Statement of Auditing Procedure No. 54 [which was later incorporated as Section 320 of the Codification of Statements of Auditing Standards (SAS 1)]. At that stage of development, the problem was modeled as one of setting the reliability level of substantive test of details (S) so that its combination with the subjective reliance on internal accounting control and other relevant factors (C) would provide a combined reliability level (R) sufficient to meet the auditor’s overall objectives for the audit. Or:

S = 1 – [(1-R)/(1-C)]


The relationship with risk was described as follows:  

The combined reliability is the complement of the combined risk that none of the procedures would accomplish the particular audit purpose, and the combined risk is the product of such risks for the respective individual procedures . . . [SAS 1 section 320B.31].

The audit risk model was given further authoritative support by the publication of Statement of Auditing Standard (SAS) 39 (1981) and SAS 47 (1983).

SAS 39 proposes the following multiplicative model for audit planning purposes:

AR = IR x CR x AP x TD


  • AR = allowable audit risk level that financial statements are materially misstated;
  • IR = inherent risk of material misstatement; i.e. susceptibility of an assertion to a material misstatement assuming that there are no related internal control structures or procedures;
  • CR = control risk, or the risk of a material misstatement given that it has occurred and has not been detected by the system of internal control;
  • AP = risk that analytical review procedures will fail to detect a material misstatement;
  • TD = risk that substantive tests of detail fail to detect a material misstatement, given that it has occurred and has not been detected by the system of internal control.


The SAS 39 model is specified in terms of risk factors instead of reliance factors, and includes a factor for analytical review procedures and other relevant substantive tests. SAS 39 also raises the issue of inherent risk, but asserts that this risk is potentially costly to quantify and that for this reason it is implicitly and conservatively set at unity. It further suggests that the proposed model might be used in planning a statistical sample by selecting an acceptable ultimate risk (AR), subjectively assessing inherent risk (IR), control risk (CR) and analytical review risk (AP), and then solving for tests of detail risk (TD) as follows:

TD = AR / [IR x CR x AP]


Note: SAS 39 does not contemplate the use of the formula to conditionally revise an audit plan or to evaluate audit results.

SAS 47 updated the concepts and terminology of SAS 39 to provide further guidance in considering audit risk both at the financial statement level and at the level of individual account balances or classes of transactions. The basic approach remains the same although certain terms have been redefined. SAS 47 explicitly incorporates a factor for inherent risk and combines analytical review risk (AP) and test of details risk (TD) in one risk factor, namely, detection risk (DR).

Unlike SAS 39, SAS 47 emphasizes the need for audit risk and materiality “to be considered together in determining the nature, timing, and extent of auditing procedures and in evaluating the results of these procedures”.

The suggestion to use the audit risk model (ARM) for risk evaluation has been heavily criticized in subsequent audit risk literature, as the model is clearly not fit to correctly measure achieved (ex post) audit risk.


An interesting discussion of the assumptions and limitations of ARM has been provided by Cushing & Loebbecke (1983). The major points of their criticism are the following:

  • It is assumed that the individual risk components of the ARM are independent of each other, whilst there exist interdependencies between these factors. Inherent risk, analytical review risk, and substantive test of detail risk all depend on control risk. Failure to consider these interdependencies when internal control is weak tends to understate the risk factor being assessed. As a result the use of the model might expose the auditor to a higher level of ultimate risk than he or she would consider acceptable.
  • The model does not provide any guidance for aggregating the risk assessments made at the disaggregated level of accounts or transactions to the risk for the financial statements as a whole.
  • The model only considers sampling risk (and β-risk) and assumes that the non-sampling risk component is negligible.
  • The ARM is ill-equipped to explicitly consider other economic factors such as the audit cost or the effect of potential misstatement.
  • The ARM should only be used as a planning tool, namely, to determine the appropriate level of sampling risk for substantive tests of details, and not as a risk evaluation model.


Although the audit risk model as defined by SAS 39/47 has been accepted by several auditing firms as a planning aid for their audits, there appear to be wide differences in the way in which audit firms in different countries implement the audit risk model.

This is not surprising in itself, since little guidance is provided in audit standards about the underlying determinants of the risk components in the model [in particular w.r.t. inherent risk and control risk], which might result in differences in their conceptual interpretations. A number of empirical studies have investigated some behavioral aspects related to the use of the ARM in practice. From the evidence there seems to be reason to believe that the audit risk model might not be descriptive of risk judgment in practice.


Bayesian Approaches to Modeling Audit Risk

Given the limitations of the multiplicative audit risk model for evaluation of (ex post) audit risk, several authors have discussed an alternative approach for the combination of risk components into an overall ex post audit risk measure, which is derived from the application of Bayesian theory of conditional dependence to the audit judgment process. The approach is fundamentally different from the US Statement on Auditing Standard (SAS) 39/47 model that is a joint (multiplicative) ad hoc risk model.

From a theoretical perspective the Bayesian approach to risk modeling is superior as it is based on the laws of subjective probability theory.


Several versions of Bayesian audit risk models have been proposed in the literature, based on alternative assumptions about the conditional nature of the various steps in the audit process. Two major categories of models can be distinguished:

  • A first category views inherent risk as the prior probability of material error in the financial statements, but does not recognize the sequential and conditional nature of various audit procedures. The audit risk model introduced in 1980 by the Canadian Institute of Chartered Accountants (CICA, 1980) is an example of such a model.
  • In a second category of models the conditional and sequential nature of various audit procedures is explicitly recognized.