The audit risk model: Your first step in risk assessment

3 years ago · 3 min read · AICPA Insights Blog

This blog post is the third in a series on risk assessment, a significant audit quality issue. View the first blog post here and the second here.

RMM Model

The audit risk model is the foundation of any audit. This might seem like CPA 101, but are you correctly applying it to your engagements?

In doing so, your first consideration is your client’s risk of material misstatement (RMM), which is made up of inherent risk and control risk. As a reminder, inherent risk is the risk of material misstatement assuming no related controls, while control risk is the risk that your client’s controls won’t prevent or detect and correct a material misstatement. So how do you apply this to your audit?

Understand your client and its environment

Because RMM drives your audit planning and procedures, your first step in applying the audit risk model is to obtain an understanding of your client and its environment. You should consider the nature of your client’s business, external factors that impact it, and how the organization measures and reviews its financial performance. This includes:

  • Nature of the client – Make sure to think about business operations, investment and financing activities, and financial reporting.

  • External factors – Consider industry conditions, the regulatory environment, and government policies. How competitive is your client’s industry? How easy is it to enter? What are its revenue characteristics? How quickly do products change?

  • Organization strategies – How does your client address these external factors?

  • Financial performance – Consider your client’s financial performance, including key ratios and operating statistics; key performance indicators; employee performance measures and incentive compensation policies; trends, forecasts, budgets, variance analysis, and competitor analysis; and period-on-period financial performance (revenue growth, profitability, and leverage).

With each of these areas, make sure to document the steps you took to gain an understanding, any changes to your understanding of the client from previous years, the risks identified, and whether they are significant.

Understand your client’s internal control

Your next step in applying the audit risk model is to obtain an understanding of your client’s internal control. You’ll want to know what controls (either individually or in combination) are in place, if they are designed properly to meet their objective, and if they have been implemented. Make sure to consider the following:

  • Control environment: What are management’s attitudes and actions related to internal control? How much emphasis do they put on achieving reliable financial reporting?

  • Control activities: For all material classes of transactions, account balances, and disclosures, you’ll need to identify the relevant assertion(s), control objective, key controls, whether the control’s design is effective or ineffective, and whether the control is properly implemented.

  • Your client’s risk assessment, information and communication, and monitoring: While smaller entities may not have well-documented controls or procedures in these areas, they likely still have some controls in place. For example, does the owner review financial results on a monthly basis?

Again, you’ll want to document your understanding of your client’s internal control, including the control environment. Then document the steps you took to understand it, any changes over the previous period, and all identified risks.

Use RMM to drive detection risk

Based upon your assessment of RMM, you’ll determine the nature, timing, and extent of your audit procedures. For example, if you determine that your client has low inherent and control risks at the assertion level, you might accept detection risk at high and thus use less rigorous substantive tests (i.e., analytical procedures or tests of details). On the other hand, if your client’s inherent and control risks are moderate to high, you would plan more rigorous substantive tests in order to obtain more persuasive audit evidence about the assertion as part of your audit.

The key to using RMM to drive detection risk is to remember that the nature, timing, and extent of the further audit procedures you plan need to be responsive to the RMM identified.

The audit risk model is the basis for any audit. For a step-by-step guide to help you apply it to your engagements, download our free Audit Risk Assessment Tool, listen to the latest podcast episode from the Small Firm Philosophies series on risk assessment, and check out other resources on the AICPA risk assessment resources page.

Bob Dohrer, CPA, CGMA

Bob Dohrer is the Chief Auditor at the American Institute of Certified Public Accountants.

Bob serves as an expert on US and international auditing and attestation standards and leads Professional Standards teams in the delivery of high-quality, innovative audit, attest, quality control, review, compilation and preparation standards. Bob provides strategic direction to the Auditing Standards Board (ASB) and the Accounting and Review Services Committee (ARS), in partnership with their Chairs. He works with the ASB in identifying and developing new, innovative and transformational auditing standards that encourage the use of technology in the financial statement audit and in visioning how the audit might change as technology advances. Bob represents the AICPA and participates in leadership and activities of the Committee of Sponsoring Organizations (COSO), The International Auditing and Assurance Standards Board (IAASB) and The U.S. Standard-Setting Coordinating Committee (AICPA-PCAOB-GAO), with the ASB chair, promoting collaboration and uniformity.

Prior to joining the AICPA in October 2018, Bob was RSM International Limited’s Global Leader - Quality & Risk, based primarily in RSM’s Executive Office in London. Bob had overall responsibility for the global network’s audit and other attest services policies, procedures and guidance. Prior to joining the RSM Executive Office in March 2012, Bob served as the RSM US LLP’s (formerly McGladrey) Director of Assurance Services and International Assurance Services Practice Leader and served a broad range of clients. Bob has twenty-nine years of experience in public accounting, all with RSM and McGladrey.

Bob is the immediate past chair of the AICPA’s Assurance Services Executive Committee (ASEC) and in that role led the AICPA through recent efforts related to SOC, cybersecurity, sustainability and use of emerging technologies. Bob also served two terms on the ASB. Internationally, Bob is a member of the IAASB, where he serves as Chair of the Data Analytics Working Group, Co-Chairs the Group Audits Task Force and is a member of the Quality Control Task Force. Prior to being appointed to the IAASB, Bob served two terms as Chair of the Forum of Firms.

Bob graduated from the University of South Dakota with a Master of Professional Accountancy degree and from Black Hills State University with a Bachelor of Science degree in accounting.
