Important
Notice

Updated arrangement for library facilities

In light of further sign of stabilization of the local coronavirus situation, the Hong Kong Institute of Certified Public Accountants announced the reopening of the library facilities with effect from 18 February 2021 (Thursday).

close
spacer
search icon cross white
spacer bookmark cross
search icon
Search Tags

  Total: Bookmarks

 Bookmark(s) Click icon to add bookmark(s) to my profile

  •  Local Bookmark is Empty

 User Profile Bookmark(s)

  •  Profile is Empty
MENU
spacer
bookmark cross white
A
search icon cross white
search icon
Search Tags

  Total: Bookmarks

Click icon to add bookmark(s) to my profile

 Bookmark(s)

 User Profile Bookmark(s)

close

Forgot password / username Re-send activiation email Register an account Help with web login

Audit Risk Model

07 October 2020

Audit Risk Model

 

According to Hong Kong Standard on Auditing 200 Overall Objectives of the Independent Auditor and the Conduct of an Audit in Accordance with Hong Kong Standards on Auditing (HKSA 200), one of the overall objectives of the auditor in conducting an audit of financial statements is to obtain sufficient and appropriate audit evidence to reduce audit risk to an acceptably low level.

Audit risk is a function of the risks of material misstatement and detection risk. HKSA 200 explains the risks of material misstatement may exist at two levels: the overall financial statement level; and the assertion level for classes of transactions, account balances and disclosures. The risks of material misstatement consist of inherent risks and control risks. The risks of material misstatement are assessed at the assertion level in order to determine the nature, timing and extent of further audit procedures necessary to obtain sufficient appropriate audit evidence. For the identified risks of material misstatement at the assertion level, a separate assessment of inherent risk and control risk is required by this HKSA.

In the following discussion, the audit risk model will be introduced by illustrating a daily life example relating to risks of material misstatement existing at the assertion level for a class of transactions, sales revenue.

The audit risk model shows the total amount of audit risk associated with an audit can be managed by adjusting detection risk. The equation of audit risk model is:

Audit risk = Inherent risk x Control risk x Detection risk

The definition of each component of the audit risk model is as follows:

Audit risk - The risk that the auditor expresses an inappropriate audit opinion when the financial statements are materially misstated. Audit risk is a function of the risks of material misstatement, a combination of inherent risk and control risk, and detection risk.

Inherent risk - The susceptibility of an assertion about a class of transaction, account balance or disclosure to a misstatement that could be material, either individually or when aggregated with other misstatements, before consideration of any related controls.

Control risk - The risk that a misstatement that could occur in an assertion about a class of transaction, account balance or disclosure and that could be material, either individually or when aggregated with other misstatements, will not be prevented, or detected and corrected, on a timely basis by the entity's internal control.

Detection risk - The risk that the procedures performed by the auditor to reduce audit risk to an acceptably low level will not detect a misstatement that exists and that could be material, either individually or when aggregated with other misstatements.

When planning an audit engagement, the auditor should assess the risks of material misstatement at the assertion level to determine the nature, timing and extent of further audit procedures necessary to obtain sufficient appropriate audit evidence for adjusting the detection risk to an acceptably low level.

When the level of combined risk of inherent risk and control risk is high, the auditor should perform more appropriate types of substantive procedures and increase the sample size for audit testing to reduce detection risk. Conversely, when the combined risk of inherent and control risk is considered to be low, it is safe for the auditor to rely more on the client’s internal control system and perform more tests of control procedures. Therefore, the auditor can reduce the types of substantive procedures and the sample size for auditing testing, which increase detection risk.

Example: Completeness of sales revenue of fast food stores

Let’s take the audit of sales revenue of fast food stores as an example. For purely cash sales business, there is a higher chance of misappropriation of cash by employees. In case of cash misappropriation, the sales transactions may not be recorded. There is therefore an understatement of the sales revenue amount; the record of sales revenue is not complete. The business risk of cash sales business leads to the higher inherent risk of incompletely recording the sales transactions. However, technology can reduce the chance of misappropriation of cash by employees. Nowadays, electronic payments are more common than cash payments. The inherent risk of incompletely recording the sales transaction is greatly reduced if a large portion of the sales revenue is settled by electronic payments instead of cash.  When assessing inherent risk, we need to look at the environment where the company operates in and its operation. We should not take internal control into consideration when assessing inherent risk.  

The business risk of cash misappropriation is not completely removed since there is still settlement by cash. As auditors, we will try to see whether the business has a good internal control system to cope with such business risk. Nowadays, most fast food chain stores have point of sales systems and good segregation of duties. The cashier who receives cash from the customers is not the person who provides food to the customers. Transactions are recorded by the cashier when receiving money from the customers for the generation of food tickets or receipts, which are redeemed for food. The information system, which is part of the internal control of the business, and segregation of duties reduce the possibility of misappropriation of cash and omission of sale transactions recording.

If the auditor considers that the internal control system is effective to prevent misappropriation of cash and the omission of recording sale transactions, the auditor may assess the combined risks of material misstatement, including inherent risk and control risk, as low. For determining further audit procedures, the auditor may adopt a combined approach by conducting more tests of control procedures and reduce the extent of substantive audit procedures by performing analytical procedures instead of testing a large sample of individual transactions.

This example shows that the inherent risk of incompletely recording of sales revenue may arise from employee fraud. The level of inherent risk is affected by the environment, such as payment habits of customers, and the operation of the business, e.g. acceptance of electronic payments from customers. The control risk is affected by the effectiveness of the information system and control activities.  The audit will finally determine the detection risk as well as the nature, timing and extent of further audit procedures to reduce audit risk to an acceptably low level.  

Conclusion

In conclusion, given the level of the audit risk that the auditor is willing to accept, detection risk is determined by the auditor after taking into consideration of the inherent and control risks.


About the author

Dr. Josephine Wong, Teaching Fellow, School of Accounting and Finance of the Hong Kong Polytechnic University

gotop