THE AUDIT RISK MODEL

Make it your friend

What is it?

In plain English

Affected by

Planned Detection Risk =

Measure of the risk that audit
evidence for a segment will
fail to detect material
misstatements, should they
exist.

Audit Risk /
Measure of how
willing the auditor
is to accept that
the financial
statements may be
materially
Determines amount of
misstated after an
evidence auditor plans to
unqualified
accumulate.
opinion is issued.
Risk that the evidence you
Risk that the
gather wont pick up on a
auditor is willing
significant misstatement. If
to accept of
you are willing to accept a
wrongly giving a
high planned detection risk, it clean opinion.
means that you accept the
risk that a significant
misstatement wont be
detected and hence less
evidence is required.
Changes to any other audit
The number of
risk model factors.
external users
relying on the
F/Ss, and the
extent of their
reliance (eg: how
widely disbursed

(Inherent Risk X
Measure of auditors
assessment of the
likelihood of a material
misstatement occurring,
before considering the
effectiveness of internal
controls.

Control Risk)
Measure of the auditors
assessment of the likelihood
that misstatements
exceeding a tolerable
amount in a segment will
not be prevented or
detected.

Risk of a significant
misstatement just
considering the nature of
the clients business.

Risk of controls failing to

catch a significant
misstatement (ie: the
controls fail)

Nature of the clients

business (remember my
telecom example)

Impacted by the strength of

the control environment,
and the control systems.

The nature and strength of

their information systems
(if weak, this creates a

The effectiveness of the

internal controls (how well
are they working

Relationships

The amount of evidence

required varies inversely with
the acceptable planned
detection risk to the auditor.
If the auditor is willing to
accept a greater risk that
his/her testing will fail to
detect a material
misstatement, then less
evidence is required.
However, if they are not

is the
organizations
ownership; is it
going public?)

greater risk of error).

throughout the fiscal year).

Management integrity (see

a common theme???)

Likelihood the
client will have
financial problems
after the audit
(look at their
liquidity position).

What drives management

(for example are they
compensated on a bonus
scheme driven solely by
profits?)

To what degree does the

auditor plan to rely on
them? Controls may work
very well, but if it is more
efficient to just do
substantive testing and not
rely on them, then control
risk may just be assessed as
high.

Integrity of
management (the
less integrity
management has,
the lower audit
risk the auditor
will be willing to
accept).
As the auditors
desired audit risk
decreases, the
amount of
assurance required
increases, and
more evidence
must be gathered.
Basically the
less the auditor is

Past audit results (have

you noted systematic
errors in the past?)
Complexity of accounting
(how many related parties
do they have, and do they
have complicated
accounting policies?)
Inherent risk impacts the
amount of evidence the
auditor must accumulate
(ie: the higher the inherent
risk, the more evidence is
required and hence the
lower planned detection
risk the auditor can
accept).
It also impacts where the

Generally, the higher your

control risk (the higher the
likelihood of your controls
failing), the greater the
amount of evidence the
auditor must accumulate.
Also, if controls cannot be
relied upon, this evidence
will have to come in the
form of more substantive
testing/ tests of details.

willing to accept such a risk, willing to accept a

they must gather more
wrong opinion,
evidence and do more testing. the more
assurance they
The higher the inherent risk,
need, and the
the lower the acceptable level more evidence
of planned detection risk.
required.

auditor focuses his or her

attention in testing
obviously, more testing
will be performed on areas
of higher risk).

Basically, the greater the

natural chance of a material
error (holding controls
constant), the less the
detection risk that can be
accepted by the auditor (and
hence the more evidence that
must be gathered).

Assessed for

Similarly, if control risk

increases (your controls have
a greater risk of failing) , but
inherent risk doesnt change,
the less planned detection
risk the auditor will be
willing to accept (and hence
more evidence required).
Will vary by transaction
related audit objective, for
each transaction cycle.

The financial
statements as a
whole. Rarely
varies by cycle or
account.

Each transaction cycle,

account, and audit
objective (remember the
telecom example, with
respect to revenues).

Each transaction related

audit objective, for each
transaction cycle.