The relationship of inherent risk to planned detection risk is inverse while the relationship of inherent

risk to pinned evidence is direct.

Step 3. Assess Control Risk

Control risk represents

(I) An assessment of whether a client’s internal controls are effective for preventing and
detecting misstatements, and

(2) the auditor’s intention to make that assessment at a level below the maximum (100%) as part of the
audit plan.

If after the auditor has obtained an understanding of internal control and concludes that internal
controls are completely ineffective, to prevent or detect misstatement, the auditor would assign a high,
perhaps 100% (maximum level) risk factor to control risk.

Before auditors can set control risk less than 100%, they must do these things:

(I) Obtaining an understanding of internal control,

(2) Evaluate how well it should function based on the understanding, and

(3) Test the internal controls for effectiveness.

The first of lhese is the understanding requirement that relates to all audits. The last two are the
assessment Q/ control risk steps that are required when the auditor chooses to assess control risk below
maximum.

Step 4. Determine Allowable Detection Risk

Allowable detection risk or Planned detection risk is the amount of risk the auditor can allow for an
assertion or a measure of the risk that audit evidence for a segment will fail to detect misstatements
exceeding a tolerable amount, should such misstatements exist… There are two key points about
planned detection risk:

(a) It is dependent on the other three factors in the model.

(b) It determines the amount Of substantial evidence that the aud itor plans to accumulate,
inversely with the size of planned detection risk.

PDR can be computed using the equation:

AAR

PDR

Where:

PDR planned detection risk

AAR acceptable audit risk

IR inherent risk

CR — control risk

To illustrate, assume that Kat Morales. An auditor, is willing to accept a 5% risk that existence Of sales
will be materially misstated after she completes the audit of Daffodil Company. Furthermore, based on
her prior experience with Daffodil. Her understanding of current conditions, and her assessment of
control risk, Kat assesses inherent risk to be 600/0 and control risk to be 400/0. Using the audit risk
equation, she can solve for planned detection risk as follows:
 PDR or 0.208 or 2 1 % (rounded)

0.6 x 0.4

Kat should plan auditing procedures so that allowable detection risk does not exceed 2 10/0. In other
words, Kat must gather enough evidence so that the risk of failing to detect a material misstatement is
low; she can manage detection risk by managing the nature, timing, and extent of audit testing.

As an alternative to numeric representations for planned audit risk, inherent risk. And control risk, some
auditors use the terms high. Medium, or low. Most auditors are conservative in making these
assessments. In other words. An auditor assessing inherent risk to be between low and medium sets the
risk at medium which will require him to gather a medium of evidence.

An auditor has planned the acceptable level of audit risk and changes his or her evaluation of’ either
inherent or control risk. The allowable detection risk also changes. For example. Assume that an auditor
has already planned to accept a low level of audit risk and he has made a preliminary assessment of
inherent risk and control risk. If later, as a result of the evaluation of internal control, he assesses control
risk to be higher, he must then reduce the level of planned detection risk. When the auditor plans a low
detection risk, the auditor must gather evidence or the auditor might perform the specific procedures
on a larger sample of transactions or performs additional audit procedures on a sample.

The assessed levels Of inherent and control risk cannot be sufficiently low to eliminate the need for the
auditor to perform any substantive procedures. Regardless e/ the assessed levels of inherent and
control risk, the auditor should perform some substantive procedures for material account balances and
classes Of transactions.

When both inherent and control risks are assessed as high, the auditor needs to consider whether
substantive procedures can provide sufficient appropriate audit evidence to reduce detection risk, and
therefore audit risk to an acceptable low level. When the auditor determines that the detection risk
regarding a financial statement assertion cannot be reduced to an acceptable level, the auditor should
express a qualified opinion or a disclaimer of opinion.

Once the auditor has accumulated evidence regarding an assertion, he or she ean use the audit risk
model to evaluate whether the accumulated evidence is sufficient. The auditor would assess inherent
risk, control risk, and detection risk based on the procedures performed. Then the auditor would use the
audit risk model to compute the achieved audit risk which will be compared with the planned audit risk.
When the achieved audit risk is less than, or equal to, planned audit risk, the auditor has accumulated
sufficient evidence for the assertion.

The audit risk model for evaluating audit results is:

AcAR IR x CR x AcDR

Where:

AcAR =Achieved audit risk. A measure of the risk the auditor has taken that an account in the financial
statements is materially misstated after the auditor has accumulated audit evidence.

IR=Inherent risk. It is the same inherent risk factor discussed in planning unless it has been revised as a
result of new information.

CR Control risk. It is also the same control risk discussed previously unless it has been
revised during the audit.

AcDR Achieved detection risk. A measure of the risk that audit evidence for a segment did not detect
misstatement exceeding a tolerable amount, if such misstatements existed. ‘I •he auditor can -reduce
achieved detection risk only by accumulating substantive evidence.

Although research indicates that it is not appropriate to use the formula to calculate achieved audit risk,
the relationships in the formula are valid and should be used in practice. The formula shows that there
are three ways to reduce achieved audit risk to an acceptable level:

Reduce inherent risk. Because inherent risk is assessed by the auditor based on the client’s
circumstances, this assessment is done during planning and is typically pot changed unless new facts are
uncovered as the audit progresses.
 Reduce control risk. Assessed control risk is affected by the client’s internal controls and the
auditor’s tests of those controls. Auditors can reduce control risk by more extensive tests of controls if
the client has effective controls,

Reduce achieved detection risk by increasing substantive audit tests. Auditors reduce achieved
detection risk by accumulating evidence using analytical procedures, substantive tests of transactions,
and tests of details of balances. Additional audit procedures assuming that they are effective, and larger
sample sim both reduce achieved detection risk.

Combining these three factors subjectively to achieve an acceptably low audit risk requires considerable
professional judgment. Some firms develop sophisticated approaches to help their auditors make those
judgments, while other firms leave those decisions to each audit team.

Audit Risk in the Small Business

The auditor needs to obtain the same level of assurance in order to express an unqualified opinion on
the financial statements of both small and large entities. However, many internal controls which would
be relevant to large entities are not practical in the small business. For example, in small businesses,
accounting procedures may be performed by a few persons who may have both operating and custodial
responsibilities, and therefore segregation of duties may be missing or severely limited. Inadequate
segregation of duties may, in some cases, be offset by a strong management control system in which
owner/manager supervisory controls exist because of direct personal knowledge of the entity and
involvement in transactions. In circumstances where segregation of duties is limited and audit evidence
of supervisory controls is lacking, the audit evidence necessary to support the auditor’s opinion on the
financial statements may have to be obtained entirely through the performance of substantive
procedures