Summary #1

The Audit Risk Model

The interdependence of component risks.

BY RICHARD DUSENBURY, JANE REIMERS
AND STEPHEN WHEELER

re the risks assessed for the audit risk model judged independently or are they conditional on values of the other risks?

Auditing standards indicate that inherent, control and analytical procedures risks may be combined to determine the extent of substantive, detailed testing. The standards depict each component risk individually; however, the audit risk model will not produce proper results unless the components are considered in relation to each other. That is, knowledge about one component of the risk model must be weighed in order to properly assess the risks associated with another (this relationship is known as being “conditionally dependent”).

For example, imagine that firm A and firm B have identical control structures with respect to an audit objective or account, but that firm A is inherently riskier than firm B. If auditors consider only features of the internal controls as the basis to assess control risk, then they will assess A and B control risk as the same. However, to use the risk model properly, the assessed control risk of firm A should be higher than the control risk of firm B. To oversimplify, if there is inherently a higher probability of more material misstatements in firm A than in firm B, then the same control structure has a higher risk of failing to detect/correct misstatements in firm A than in firm B. Assessing these component risks interdependently calls for subtle, highly skilled judgment.

In a series of cases, we looked at inherent, control and analytical-procedures risks from auditors in firms where each of these risks was separately assessed. Our research showed that a client factor or behavior could affect the assessed level of more than one component risk (for example, the aggressiveness of the client firm’s management could influence both the inherent and control risks). Next, we found that auditors did base subsequent risk assessments on the prior risk assessment level, as is necessary for proper use of the audit risk model. The implication is that inherent risk need not automatically be set at a maximum (to offset a possibility that risk components will be assessed independently). Instead, auditors appear to be capable of making combined assessments of the component risks to appropriately plan the extent of substantive testing.

For the full text of the research paper, see Auditing: A Journal of Practice & Theory, Fall 2000, vol. 19, no. 2, “Inherent Risk and Control Assessments: Evidence on the Effect of Pervasive and Specific Risk Factors.”

RICHARD DUSENBURY, PhD, is associate professor of accounting at Florida State University. His e-mail address is rdusenb@cob.fsu.edu. JANE REIMERS, PhD, is the KPMG professor of accounting at Florida State University. Her e-mail address is jreimer@cob.fsu.edu. STEPHEN WHEELER is professor of accounting at the University of the Pacific. His e-mail address is swheeler@uop.edu.

Summary #2

Inherent Risk and
Control Risk
Assessments

Pervasive and specific risk factors share the floor.

BY WILLIAM F. MESSIER, JR. AND LIZABETH A. AUSTEN

he AICPA’s audit risk model serves as the major framework for conducting audits of financial statements. Researchers and practitioners are critical of the model because its multiplicative form suggests the components of inherent risk, control risk, and detection risk are independent. Many argue the components are, in reality, dependent, which if ignored can result in a biased estimate of audit risk. Specifically, the model does not take into account the preventative aspect of control risk and, as a result, does not formally capture this dependence between inherent risk and control risk.

We argue that auditors recognize this dependency and make judgments accordingly. To examine this issue, 124 senior auditors and managers were asked to make inherent risk and control risk assessments on eight cases which varied four inherent risk factors and the results of control testing. The findings showed that pervasive and specific inherent and control risk factors significantly affected both auditors’ inherent risk and control risk assessments. We also found a significant positive correlation between auditors’ inherent risk and control risk assessments, indicating that the two judgments were dependent. The first result shows that the factors affected the auditors’ judgments. The second result shows that the auditors’ judgments were correlated—dependent. These results were consistent with our expectations that auditors are aware of this dependency and reflect it in their inherent risk and control risk assessments.

For the full text of the published work, see Auditing: A Journal of Practice & Theory, Fall 2000, vol. 19, no. 2, “The Audit Risk Model: An Empirical Test for Conditional Dependencies Among Assessed Component Risks.”

WILLIAM F. MESSIER, Jr., is the Deloitte & Touche LLP professor at Georgia State University. His e-mail address is bmessier@gsu.edu. LIZABETH A. AUSTEN is an assistant professor at the University of Arkansas. Her e-mail address is austen@walton.uark.edu.