 Hello and welcome to this session in which we will discuss the audit risk model before we discuss the model We need to know what is audit risk well when we perform an audit We are accepting a certain degree of risk or uncertainty This risk that we could be wrong is called the audit risk So when we all at the company, there's a likelihood There's a chance that we might issue a report. That's Unqualified or unmodified unqualified or unmodified means a clean a clean report But in reality the financial statements are not fairly stated So we issued a report that we said everything is good in a sense of fairly presented But indeed there were errors or fraud or other things that we missed in that audit things that are material Now, why do we take this risk? Why do we take this risk? We always take this risk because when we perform an audit we sample we don't audit everything 100% That's one reason why we are always taking a risk because when you sample you don't catch everything The other reason is you might Performed or you might make an error even if you audit everything 100% Well, you could have misapplied a procedure or procedures So you did not perform the procedure correct or if you perform the procedure correct You could always misinterpret the results come up with the wrong results So for those reasons you're always taking the risk of issuing unqualified or unmodified opinion When the financial statements are not clean. So that's the risk that you are taking So I'm gonna give you another analogy. It's gonna be a little bit extreme But hopefully it will make the point. You're giving someone a clean bill of health While you while you have cancer or the opposite. So you are you are giving somebody you wanted a doctor and the doctor said You're in good shape. You don't have to worry about anything. This headache is not really a big deal They give you a clean bill of health in reality You have a brain cancer or the opposite now if they told you you have a clean clean bill of health But but you have cancer. That's a problem for the doctor because you're gonna come back and so the doctor later because they didn't tell you The problem Well, there's always the risk. They can tell you you have cancer, but indeed you have clean bill of health What do you do then you're gonna do more exams and say, okay? I'm good now I have a peace of mind So the risk the real risk is giving that clean bill of health while in reality the patient is really sick What would happen if that's the case you could be sued The auditor could be sued by the shareholders by the client by the government by regulators So that's the risk that the auditor is taking Giving a clean bill of health. Well in reality, that's not the case Now the audit risk model will help us measure this audit risk because We have to measure this audit risk. How much risk are we going to be taking and this is what we're going to be discussing Next before we proceed any further. I have a public announcement about my company farhat lectures dot com Farhat accounting lectures is a supplemental educational tool That's going to help you with your cpa exam preparation as well as your accounting courses My cpa material is aligned with your cpa review course such as becker, roger, wiley, gleam, miles My accounting courses are aligned with your accounting courses broken down by chapter and topics My resources consist of Lectures multiple choice questions true false questions as well as exercises Go ahead start your free trial today. No obligation. No credit card required Let's discuss the audit risk model The audit risk model is audit risk equal to inherent risk times control risk times detection risk Every time you have a formula, it's very important to break the formula into its separate component Understand each component separately Then study how these components relate to each other. What's the relationship between each other? So i'm going to start by defining and working with audit risk What is audit risk? Well audit risk is set by the partner So the auditor set the audit risk and the objective is to set the audit risk low. What does that mean? It means if I want to be sure if I want to be sure if I don't want to take any chances I want to set my audit risk low Why because that's going to reduce My chances being sued by the client so if I set the audit risk at 5% just just to give you a number What does 5% mean? It means I want to be 95 confident If I set the audit risk at 10% It means I want to be only 90 confident Confident that I am correct. So notice when I go from 5 to 10 notice 10 percent I am I I'm comfortable with 90 percent If I set the audit risk at 15 percent. Well, I only want to be 85 confident Notice if I set my risk at 0 percent It means I want to be 100 confident. It means I want to audit everything Now this is an extreme case But when do I when do I want to set the audit risk at 0 percent? Which is it doesn't happen, but just to kind of illustrate the point. What does 0 percent mean? 0 percent means I am dealing with a very risky customer and because they are risky I want to be 100 confident when I issue my report Maybe it's a very important extremely important company and there's billions and billions of dollars on the line There's a lot of risk involved. Well, if that's the case, I will set my audit risk as 0 and audit everything again That's not realistic because it's not realistic from a practical perspective Therefore the auditor might set the risk might set audit risk at 5 10 15. Whatever they are comfortable with How do they come up with this conclusion? They study the company. They study the industry That's how they come up with this but this number is said by the auditor Now let's discuss the detection risk or planned detection risk This refers to the risk that the auditor will fail to detect the chance that they will fail to detect the material misstatement that That exists in the financial statement And the detection risk it's going to be influenced by the nature Timing and extent of the auditing procedures. How much work you are willing to take now If you could be you could be accepting a 5 chance You could you could be accepting or willing to accept a 5 chance It means you're only accepting 5 chance that you could you want to be wrong Or you could be accepting a 20 chance that you could be wrong now the higher the Acceptable level of risk The less work you have to do why because if i'm willing to accept 40 chance. I am going to be wrong. I'm accepting this It means I am comfortable because that's why I'm accepting the risk because I don't want to accept this detection risk I want this detection risk I don't I want to be 100 confident if I can but I can't But the closer I get to 100 the more comfortable I am The closer I go down to zero if I accept zero Zero detection risk. I mean zero chance. I could be wrong. Well I have to think about it Do I want to take the audit because I can't accept risk because this company is too risky But that's so I accept 5% risk Well, 5% it means I have to do more work relative to 40% because if I can accept a higher level of risk I am more comfortable. Okay, so if the auditor's Procedures are sufficient or not properly executed the detection risk is higher You could be missing the mistake. Why because you want to set all the thing procedures. That's what's going to determine it That's what that's what is going to determine your level of comfort is The nature timing and extent you want to execute those procedures in a way That's going to catch the mistake if you're comfortable with this you are willing to accept more risk And again, we're going to go back and talk to detection risk later because we're going to have to compute This is the number that we have to compute and you're going to see how and why later So we cover the audit risk. We cover the detection risk. Let's discuss the control risk I always like to show this picture when discussing control risk Control risk is the risk that the material statement basically an error or a fraud or some sort of a mistake Will not be prevented or detected by the entity's internal control system Well, let me show you what do we mean by this? Let's assume your accounting information system your ais is residing inside this castle And the castle itself is what preventing preventing errors fraud from occurring So the castle is the internal control system now We're going to discuss much much more about internal control It's kind of we're going to have one maybe one or two hour session all what you need to do for now is If your control risk is high if if the control risk is considered high It means you don't have good controls. It means those walls. They can be easily easily penetrated Errors and fraud could could could could get into your accounting information system If we say control risk is high It means your system is not working properly your policies and procedures are not working properly to prevent those errors If we say your control risk is low, it means you have a good I see internal control It means the policies and procedures that you are implementing for your Accounting information system for your companies are working properly to prevent those errors or fraud So this is what you need to know and we'll discuss this topic much much more Errulator session now control risk is company specific. What does that mean? It means each company will have a different control risk and within each their accounts They will have a different control risk for each account and again, we'll discuss this later Again, this risk referred to the material misstatement will not be prevented or deducted Internal control include policies and procedures We're going to be talking about those a lot later on and other measures designed to ensure that the financial reporting is accurate and Reliable if the internal control are weak or ineffective the control risk is higher Remember if we set control risk high it sounds good, but it's not good. It means it's not good So we discuss control risk again control risk could be high control risk could be medium control risk Could be low as well. It it's assessed and we're going to see what assessed mean in a moment Let's move to inherent risk. What is inherent risk again inherent risk is company specific And account specific certain accounts are more inherently risky than other This refer to the risk that a material misstatement exists due to the factors such as complexity Estimate or judgment simply put inherent risk is the account By itself is risky. Why? because It requires a high level of judgment It requires estimate once the account is not clear cut. It's not black and white. It's something in the middle Then what you have to do is you have to be more careful. We say the account is inherently risky So inherent account that's an account could be risky a company could be risky the industry could be risky So when we say inherent risk, it doesn't only refer to an account It could also refer to the entities itself the industry now a larger company the more maybe inherent risk risk there is The more complicated the operation the more inherent risk there is As well as accounting policies and procedures used if they are if they are using Accounting accounting policies and procedures that are not conservative Well, guess what then there's more inherent risk if they always if they always take their chances When they have to choose between an asset and expense they would always choose an asset Well, that's risky because conservatism said if you have to choose between an asset and expense be conservative and choose the expense So inherent risk and control is beyond the control of the auditor and cannot be eliminated because it's company specific So depending on the company depending on the type of accounting they are using Depending on the size of the operation depending on its complexity Now both inherent risk and control risk and this is very important to understand they are assessed Which is basically pass a judgment on them assessed by the auditor the auditor don't control them The auditor can set audit risk But they cannot set inherent risk and control risk. They assess them and Inherent risk times control risk We need to know equal to something we called risk of material misstatement or r mm. So if you are If you are if you see this term r mm Or if it's referred to as r mm r mm risk of material misstatement equal to inherent risk times the control risk Both assessed by the auditor a little bit more about inherent risk when assessing inherent risk All what the auditor trying to do is predict is anticipate where the where the potential statement is occurring So we want to know on the financial statements, which account are more susceptible to material misstatement Which account are more or less probable to have mistakes This is all what we're trying to do in inherent risk Why because assessing an account as Probably incorrect if we assess it it's probably incorrect It's going to affect the level of evidence the quantity of evidence we need to collect If the account is susceptible to errors and fraud then we have to collect more evidence So the auditor must evaluate the factors that contribute to that risk and adjust the audit procedures Accordingly to consider them So we have to basically look at factors different factors that contribute to that risk Again complexity judgment estimate those are factors that could make the account more inherently risky And when do we do this evaluation? We will do this evaluation before we start the audit during the planning phase We want to know ahead of time. What are we dealing with? What snake are we dealing with so we can react accordingly? And sometimes what could happen is we could assess inherent risk at low And it can then we could review it later and move it to high or medium Or we we thought it's high then we could move it to low and medium In other words, it's a periodically reviewed based on the different evidence in our experience in the audit. Okay, remember High volume transaction complex calculation high level of judgment estimates derivatives declining industry condition Rapid technological changes all of those they could increase inherent risk Use your common sense, but those some of the factors you would see on the exam The more riskier is the account the more riskier is the industry the more riskier is the audit The higher is the inherent risk. I'm sorry. Not the audit the higher riskier is the company itself The higher is the inherent risk Remember, how does that affect our work if we have a high inherent risk? We're gonna have to collect more samples. We're gonna have to do more work samples mere more work It means we have to collect more evidence So connect those high inherent risk more samples more work more evidence and remember also Remember high control risk if we have a high Control risk we have to do more work because we cannot rely Under under internal control therefore we have to do more work more evidence So now just to just to review remember What we did is we set the auditors audit risk and we assessed control risk and inherent risk What do we do with detection risk? We solve for detection risk Okay, so this is how we solve for detection risk. So how are we gonna solve for detection risk? We're gonna divide both sides of the equation by the control risk times inherent risk And that's going to give us audit risk divided by control risk or inherent risk equal to detection risk Therefore the formula for detection risk is audit risk divided by You know rmm control risk versus inherent risk. So this is how we solve for detection risk So what does this formula shows us right from the formula itself from the mathematical perspective? There's an inverse relationship between detection risk And audit risk the formula shows that detection risk is inversely proportioned to the audit risk If the audit risk is high, what is the audit risk? If we are if we are willing to take more risk audit risk means how much risk are we willing to take? We're willing to take 20 percent audit risk Detection risk must be low To reduce the overall audit risk to an acceptable level. So if I'm taking an audit a high audit risk Well, guess what? I have to do more more more work detection risk must be low to reduce the overall Audit to an acceptable level. I want if I'm taking more risk. I want to be able to accept this risk Also, if the audit risk is low Okay, so I'm only taking a five percent chance Detection risk must be higher Provided that control and risk inherent Control risk and inherent risk are also low. Now the best way to kind of illustrate this concept is to actually Use some some figures some numbers some percentages to say how they all relate to each other I mean right from the formula basic mathematics It shows you this but I would rather off show you this using figures So let's go to the excel sheet on this excel sheet. I'm starting with a scenario where I am I'm setting my audit risk at five percent. It means I want to be 95 confident That's that's what I'm doing audit risk five percent means I want to be 95 confident I am setting my inherent risk at 100 percent. I'm setting my control risk at 100 percent. What does that mean? It means the company's account are inherently risky 100 percent Control risk is high. I cannot rely on the controls How do I come up with my detection risk? Well, I will take audit risk divided by Inherent risk times control risk and I come up with 5% Well, what does 5% mean? It's I'm willing to accept a 5% chance that I am wrong, which is a low percentage I'm not willing to take more than 5% chance. Now. Why am I only willing to take 5% chance? Well, I'm setting my audit risk low and inherent risk and control risk are no good So I cannot take a lot of chances because this looks like a risky company Now what could happen is this? Let's assume I am also setting my audit risk at 5% The company that I am dealing with is not inherently risky the accounts or the account or the company when I say inherent risk It could apply to a specific account or to a specific cycle or that apply to a company. It doesn't really matter Inherent risk is 50% which is lower than the prior scenario and my control risk I can rely a little bit more on the control of this company They're not perfect, but they are better than the first scenario if we're gonna call this company a Coa we're gonna call this company b company b Now if I compute my detection risk now you just using the formula My detection risk is 20% now. What what does that mean? I am accepting 20% risk now It means I have to do less work if I'm accepting 20% risk from work perspective I can do less work because I am willing to accept more risk Now why am I willing to accept more risk? So why did why did this 5% became 20%? The reason it became 20% because RMM Inherent risk and control risk are better. They used to be 100% now. They are at 50% Let's use a third scenario. Let's look at this company Let's see. This is company c Company c is they have even a better inherent risk And a better control risk if that's the case when I compute my detection risk My detection risk is 80% Now what's gonna happen? What can I say? I am taking I am accepting an 80 chance. I am accepting an 80 chance if I'm accepting an 80 chance Obviously, I'll have I can do less work because I am willing to take Better a more chance. Why am I willing to do so? The reason I'm willing to do so Why am I willing to do so? Because their RMM is low inherent risk and control risk They're both lower than what we started with compared to company a now If I am let me just change one more thing here to show you the relationship If I'm if my audit risk is rather than 5% if if I make it 20% Notice if I am if I want to be only 80% confident I can do less work. I can do less work. Why? Because I I I am willing to I only accept 80% confidence. Okay. I only want to be 80% confident Confidence because I'm my audit risk is 20% that I'm willing to take more of a chance Let's look at different scenarios. Let's assume I'm starting with 5% audit risk 50% inherent 50% control 20% 20% detection risk. Now, what if I only Change my control risk. So I only change my control risk. If I lower my control risk I'm willing to take more of a chance. Why? Because I'm willing to rely on the company's record I'm willing to rely on their company records. Why? Because they have a better control risk a better control risk It gives me more comfort. I'm willing to take a 40% chance of my Detection risk. Let's look at a different scenario. Let's assume. I lower it further I lower it from 25 to 20. I even have a better control risk. Notice the better my control risk The more The higher is my detection risk the more comfortable the more chance I'm willing to take the more chance I'm willing to take with this company Let's choose. Let's kind of play with different scenarios Now I'm going to keep my control risk the same and I'm going to reduce my inherent risk as I reduce my inherent risk My detection risk went up as well. I'm more comfortable. Why? Because the accounts are not Inherently risky or the company is not inherently risky. Notice as I reduce my inherent risk My detection risk also went up You have to know this relationship now sometime they they'll tell you inherent risk went up control risk went down Then you really cannot determine unless you are giving numbers to play with the numbers But that's not usually the case. But here's what you need to know the relationship as risk of material misstatement goes down So as rmm As rmm goes down Detection risk goes up. This is what you need to know. Okay Risk down if I'm willing to take More I mean risk down because I'm comfortable with risk. I do less work I'm accepting more of that risk. I will do less work if I'm accepting more risk I I I could do I do less work. I do less work. So it's very important to understand those Relationship. So what's the relationship one more time between rmm and detection risk? I'm going to show you this balance of justice if rmm is here detection risk is Here and the opposite is true if In other words, if I lower my rmm. I can take more of a risk also If my rmm is high My detection risk is low. So notice there the opposite of each other Once again, these applies to a specific site They could apply to a specific cycle or we could set them for the company overall But for each cycle we could have this for example, if we're looking at a sales and collection cycle If we say inherent risk is high What does inherent if we assess inherent risk as high assessment of material misstatement before taking it into account Control risk or simply put the sales cycle has a high inherent risk. It's a risky account We have a lot of estimates a lot of judgment complexity Maybe the contract are not well clear that it's a high. It's a high inherent risk Sales cycle also, let's assume the control risk for this cycle is high If the control risk is high, it means the effectiveness of the internal control are not as good Okay, they don't have a good internal control. So this is rmm is high If rmm is high and I'm willing to accept only a low audit risk I mean, I don't want to take a lot of audit risk obviously because those The reason is rmm is high. Then my detection risk is low. So notice rmm is high detection risk is low now Let's assume a company with a sales and collection cycle where inherent risk is low Transaction are simple Everything is transparent. No need for judgment. No need for estimate inherent risk is low Control risk is low too. The company has an excellent controls They monitor everything. Everything is double checked The system is working as expected. Well, if now rmm We're going to say rmm is low. So rmm is here rmm is low if rmm is low Now I'm more comfortable accepting more risk because you know the company have a good risk rmm then if that's the case I can set detection risk at high or medium So notice detection risk is high or medium. Notice it's the opposite of rmm so as rmm goes down detection risk goes up and vice versa Same thing if you want to we have an analogy if you have a seesaw, you know rmm and Detection and detection risk when one goes up the other goes down, you know So you have to be comfortable with this The audit risk model is an extremely important concept for the cpa exam for your audit course What should you do now go to farhat lectures and look at additional mcqs through false Additional lectures that's going to help you understand this topic this important topic. Good luck invest in yourself The cpa exam is worth it