Understanding the Audit Risk Model: AR, IR, CR, and DR

Posted on Feb 23, 2025 in Business Administration and Innovation Management

The Audit Risk Model

The audit risk model is represented by the following formula:

AR = IR x CR x DR

Where:

  • AR: Audit Risk: The risk of the auditor issuing an unqualified opinion on financial statements that are materially misstated. It’s the level of risk the auditor is willing to accept. (AR is typically set low, e.g., 0.1 – 10%)
  • IR: Inherent Risk: The susceptibility of the financial statements to material misstatement, *before* considering the effects of internal controls. It’s the probability of errors occurring in the accounting information.

Inherent risk is only assessable. Characteristics to evaluate include:

  • Account or Transaction Level:
    • Assets susceptible to theft.
    • Balances resulting from accounting estimates.
    • Transactions not canceled.
    • Unusual or complex transactions.
    • Accruals.
  • Management Level:
    • Decisions made by a small group or one person.
    • High turnover of management.
    • Emphasis on projecting benefits.
    • Aggressive attitude of the manager.
    • Poor reputation of the manager.
    • Evasiveness to auditor questions.
    • Frequent disputes with auditors.
    • Limits on the scope of auditors’ work.
    • Compensation agreements based on accounting information.
  • Operations and Industry Level:
    • Operating results sensitive to economic factors.
    • Low profitability relative to the sector.
    • Rapid rate of change in the sector (activities or product lines).
    • The sector is in decline with high bankruptcy rates.
    • Concerns about business continuity.
    • Decentralized organization without adequate control.
  • Business Environment Level:
    • Controversial issues.
    • Difficult-to-audit transactions.
    • Important and unusual relationships with other companies.
    • Errors detected in prior periods.
    • The client is new without a prior audit history, or prior auditor information is insufficient.
    • Inexperience or lack of cooperation from accounting staff.
  • CR: Control Risk: The risk that internal controls will *fail* to prevent or detect material misstatements in the financial statements. It depends on the company’s internal control system. The auditor assesses this risk but does not control it.

Control risk is only assessable. Stages for assessment:

  1. Understanding the internal control system.
  2. Assessment of control risk: Two approaches:
  • 1. Directly assign the maximum value (100%) and proceed directly to designing substantive tests. This occurs when:
    • The auditor does not rely on internal control policies.
    • The auditor estimates that substantive tests are less expensive than compliance tests.
  • 2. Assign a value less than the maximum. This involves:
    • Designing controls for specific items to address potential errors.
    • Performing tests of controls to evaluate the effectiveness of the system (compliance testing).
  • DR: Detection Risk: The risk that the auditor’s procedures will *fail* to detect material misstatements that exist and were not prevented or detected by internal controls. This risk *is* controllable by the auditor.

Detection risk has two components:

  • Substantive Testing Risk: The risk that substantive tests fail to detect errors in the financial statements.
  • Sampling Risk: The risk that the sample obtained is not representative of the population (since the auditor typically does not examine 100% of the transactions).

Using the Audit Risk Model

The audit risk model can be rearranged to solve for Detection Risk:

DR = AR / (IR x CR)

The lower the DR, the greater the professional effort required by the auditor.

  • The auditor *sets* the Audit Risk (AR).
  • The auditor *assesses* Inherent Risk (IR) and Control Risk (CR).
  • Detection risk (DR) is determined by solving the equation, considering both quantitative and qualitative factors.