Relationships among the Audit Risk Components
For a specified level of audit risk, there is an inverse relationship between the assessed levels of inherent and control risks for an assertion and the level of detection risk that the auditor can accept for that assertion.
Thus, the lower the assessments of inherent and control risks, the higher is the acceptable level of detection risk. Inherent and control risks relate to the client’s circumstances, whereas detection risk is controllable by the auditor. Accordingly, the auditor controls audit risk by adjusting detection risk according to the assessed levels of inherent and control risks. In relating the components of audit risk, the auditor may express each component in quantitative terms, such as percentages, or-non-quantitative terms, such as very low, low, moderate, high, and maximum. In either case, an understanding of the relationship expressed in the audit risk model is essential in determining the panned acceptable level of detection risk.
The audit risk model is used by the auditors to manage the overall risk of an audit engagement.
Auditors proceed by examining the inherent and control risks of an audit engagement while gaining an understanding of the entity and its environment.
Detection risk forms the residual risk after taking into consideration the inherent and control risks of the audit engagement and the overall audit risk that the auditor is willing to accept.
Where the auditor’s assessment of inherent and control risk is high, the detection risk is set at a lower level to keep the audit risk at an acceptable level.
Lower detection risk may be achieved by increasing the sample size for audit testing.
Conversely, where the auditor believes the inherent and control risks of engagement to below, detection risk is allowed to be set at a relatively higher level.
The audit risk model expresses the relationship between the audit risk components as follows:
AR = IR x CR x DR
The symbols represent audit, inherent, control, and detection risk, respectively. The model can be used to determine the planned detection risk for an assertion.
To illustrate the use of the model, let’s assume that the auditor has made the following risk assessments for a particular assertion, such as the valuation or allocation assertion for inventories;
IR = 50%; CR = 50%
Further, let’s assume the auditor has specified an overall AR of 5%. Detection risk can be determined by solving the model for DR as follows:
DR = AR 4- (IR x CR) = 5% (50% x 50%) = 20%
In practice, many auditors do not attempt to quantify each of the risk components, making it impossible to solve the risk model mathematically.
However, even when not solved mathematically, familiarity with the model makes the following relationship clear to hold audit risk to a specified level, the higher the assessed levels of inherent and control risks, the lower will be the acceptable level of detection risk.