Speaker 1: In this video, we're going to discuss the audit risk model. So here's the model. Audit risk is seen as a function of three different things, inherent risk, control risk, and detection risk. Detection risk is the only thing over which the auditor has any control. Inherent risk and control risk together are called the risk of material misstatement or client risk. The auditor has nothing to do with it. It has little control over the risk of material misstatement, but the auditor does have control over the amount of tests that they do, which affects detection risk. But let's go through each of these in more detail. So audit risk is the risk that the auditor would issue a clean audit opinion and say, hey, these financial statements are free of material misstatement when, in fact, a material misstatement exists. So for example, let's say the auditor that issued the final audit on Enron's financial statements, which was Arthur Anderson. They were the auditor, and they issued a clean audit opinion for Enron's financial statements when, in fact, Enron's financial statements had material misstatements. So that is audit risk, the risk that you as the auditor would issue an incorrect opinion. Now audit risk, when we break it out into these three different types of risks that affect audit risk, inherent risk is the susceptibility of an assertion to material misstatement before any internal controls are applied. So what is that saying? That is saying, is there anything unique to the client's business? So for example, is there anything about the client's business or the nature of the transactions that is inherently risky or would be prone to material misstatement? Or are there any issues with the integrity of management? For example, if the prior year there were some issues with integrity, or maybe management was making some journal entries that they shouldn't have been doing or something, there's somehow some reason to question the integrity of management. If that's the case, we would say that there's a high level of inherent risk. Now, just because there's inherent risk doesn't mean there's going to be a material misstatement. Because remember, the client presumably has some internal controls to try and prevent material misstatements from getting their way into the financial statements. But some clients will have very strong internal controls, and some would have weak internal controls. So this is the risk that, assuming that we've got a material misstatement, that it would not be caught by the client's control. So if control risk is very high, what that means is that if there's some kind of material misstatement, it's probably going to get into the financial statements. So we've got inherent risk is, OK, for the client's business, the transactions, integrity, is there a high risk of material misstatement? And control risk is saying, OK, if there is a material misstatement, are the controls going to catch it? So again, the auditor has no control over the risk of material misstatement. These have to do with the client. What the auditor does control is detection risk. So this is when the auditor says, OK, the more tests we run, the higher the likelihood that we would catch any type of material misstatement. So this is the likelihood that if detection risk is really high, that means that there's not a good chance that the auditor would detect or catch any material misstatement that got past the internal controls. So the auditor has some effect or has some ability to influence the detection risk, because the more tests that the auditor does, they're going to bring down the detection risk. You can never get detection risk to zero. And the reason is that the auditor does not examine 100% of the client's transactions. They can't. Imagine the auditor of Walmart. They can't go through 100% of the transactions, so they're going to engage in sampling. So they're never going to be able to see all the transactions. You can't get detection risk to zero. However, the more tests that the auditor runs, the more sampling that they engage in, maybe they take a bigger sample. Because they say, oh, there's a high risk of material misstatement at this particular company, so we're going to get a much bigger sample of accounts receivable that we're going to do for our confirmations and so forth. So the auditor can control detection risk. And there's an inverse relationship between these. So the higher the risk of material misstatement, if there's a really high risk of material misstatement, to keep audit risk low, which, of course, the auditor wants. The auditor doesn't want to issue an incorrect opinion when there's a material misstatement. To keep audit risk low when the risk of material misstatement is high, then the auditor is going to want to lower detection risk by conducting more substantive testing. Now, so I've gone over risk of material misstatement as inherent risk and control risk. But there's a couple I want to basically hit you with an example and go through it in a little more detail. So let's say, sometimes you'll see numbers put to this. So you'll say, OK, if the auditor wants the audit risk to be no higher than 0.02, and what does that mean? That means that, assuming that there's a material misstatement, there's a 2% chance that the auditor would issue an incorrect opinion if there was a material misstatement. So if we're talking about an Enron, there's only a 2% chance that the auditor would fail to catch that and say, oh, OK, the financial statements are fine when, in fact, they're not. So that's a 2% chance that the auditor is comfortable with for that. And we have inherent risk of 0.8. And then control risk of 0.5. Then the question is, what should the auditor set detection risk to? And the auditor should set detection risk no higher than 0.05. It should be 0.05 or lower. So this is basically the level at which the auditor would be comfortable. So they're going to have to go and do enough testing to bring the detection risk down to 0.05 or lower in order to have an overall audit risk of 2%. Now, sometimes the auditor doesn't want to use numbers, because what does this really mean? To say, OK, there's a 5% chance of detection risk, of the 5% chance of the auditor catching something that wasn't caught by the internal controls. That's a little bit subjective to just put this number 0.05. So sometimes some audit firms prefer a qualitative assessment, where they'll say things like high or low. So for example, one way of putting is to say, OK, you always want the audit risk to be low. So you don't want to issue a clean opinion when the company has material misstatements. But if the company has a high level of inherent risk and a high level of control risk, then you say, OK, how do we set the detection risk? We're going to want to set it very low. We're going to want to set it really low, because the risk of material misstatement for this company is high. So if the risk of material misstatement is high, then we're going to want to do, as the auditor, we're going to want to increase the number of tests that we do. We want to sample more accounts so that we can bring down the detection risk and get it lower to counterbalance the high risk and material misstatement. Conversely, if you had a situation where the inherent risk was really low and the control risk was really low, maybe the company has excellent internal controls. And so we have a low inherent risk and a low control risk, then you could afford to have a higher detection risk. Because in that scenario, the auditor wouldn't be required to do as much testing, because the client's internal controls are strong and there's not as much inherent risk.