July 2001
Inherent Risk Reconsidered
By Neal B. Hitzig
In October 1998, the Public Oversight Board (POB) appointed a Panel on Audit Effectiveness to assess the adequacy of independent audits of the financial statements of public companies. Among the Panel’s suggestions were statements and recommendations regarding the audit risk model and one of its component factors, inherent risk. The Panel made sweeping recommendations regarding the audit risk model, extending and embedding the consideration of inherent risk (see the Sidebar) further into the audit. Regarding the audit risk model itself, the Panel said it “is satisfied that the audit risk model is appropriate, but needs updating. It embraces judgment in an organized and logical way.” In arriving at its conclusions and embracing a methodology and structure (i.e., the audit risk model) that has come under increasing criticism in recent years, the Panel may have missed an opportunity to simplify the process.
Location, Location, Location
Auditors assess inherent risk on every engagement. Deceptively simple in concept, it is difficult to put into practice; practitioners therefore often take the conservative approach and set inherent risk to a maximum level. This decision is driven by the audit risk model, which defines audit risk (AR) as the risk that the auditor may unknowingly fail to appropriately modify an opinion on financial statements that are materially misstated. The mathematical form of the model is given in AU 350 of the AICPA’s Codification of Statements on Auditing Standards as follows:
AR = IR x CR x DR.
Audit risk is therefore the product of three factors:
Inherent risk appears in the audit risk model on the right side of the equation as a factor in determining whether some specified overall level of audit risk has been achieved. Thus, the model enables an auditor’s impression of susceptibility to misstatement to form the basis for reasonable assurance, even though no audit procedures have been performed.
The presence of inherent risk on the right side strongly suggests that the risk assessment envisioned is based on factors that rise to the level of evidential matter, as comprehended by the third standard of fieldwork. An auditor obtains such evidential matter by inquiry, observation, inspection, and confirmation. How are the twin criteria of relevance and reliability to be assessed when considering an inherent risk assessment? How does an auditor proceed when considering the impact of the business environment on inherent risk? Is there some rough auditing equivalent to the taking of “judicial notice” that exists in law? If so, what is it: an article in the Wall Street Journal? Congressional testimony by the chair of the Federal Reserve Board? May an auditor rely on newspapers, on sworn testimony, or even on analysts’ and pundits’ prognostications? The authoritative literature is not helpful. Yet, an auditor’s consideration of inherent risk derives in large part from such sources.
The professional literature does not address the auditor’s need to divorce inherent risk from the controls that would mitigate the effects of that risk, which follows from the definition of inherent risk. What it does offer is trivial. Consider the examples of AU 312:
Cash vs. Coal
If one is considering the existence assertion, whether recorded cash or inventory exists, then few would argue that unguarded cash would disappear more readily than an unguarded mound of coal. It appears reasonable to assume that the inherent risk of failure of the existence assertion for cash is greater than for coal (recognizing that no entity would literally leave money on a table, unguarded).
On the other hand, cash can be more readily and precisely measured than a mound of coal. The former can simply by counted, whereas the latter requires an estimate of its volume and average unit cost. In this respect, cash has a lower inherent risk than coal, because the measurement process is routine and factual. What, then, does an auditor consider when contemplating inherent risk—failure of the existence assertion arising from the possibility of theft, or failure of the existence assertion arising from the difficulty of estimating the amount that could be stolen? In this author’s opinion, it should be the latter.
Estimating vs. Counting
The accounting estimate versus routine (counting) data example of AU 312 overlooks the fact that estimates depend on routine data and are frequently derived from them. Thus, the risk of misstatement in the former depends upon the risk of misstatement in the latter. Notwithstanding that the literature has implicitly recognized a complication for which the audit risk model is not properly formulated (it assumes that the factors are independent, an assumption that has been seriously challenged in recent years), tests of estimates differ from tests of routine data. What does the auditor gain from the knowledge that estimates have higher inherent risk? If the answer is that an auditor should always use a higher risk level for tests of estimates than for tests of routine data, then the literature should say so.
Experienced auditors understand that, all other factors being equal, routine data processes are less susceptible to misstatement than estimates, and complex calculations are more susceptible to misstatement than simple calculations. Nevertheless, it is questionable that such considerations are sufficient to require the auditor to measure inherent risk, however primitively, instead of simply requiring a consideration of the nature and timing of relevant audit procedures.
An Alternative View of Inherent Risk
The problems identified above are not easily rectified, even by extensive additional professional guidance. The profession can, however, dispose of these issues by adopting an alternative view of inherent risk that removes it from the audit risk model. Instead of a factor for deciding whether a level of audit risk has been achieved, inherent risk should be a basis for deciding what level of audit risk is appropriate in the first place. This is what many auditors have done for decades, albeit at the financial statement level. Some clients were recognized as higher risk and those engagements were more closely monitored. Frequently, this meant subjecting the engagement to additional and more intensive internal review before signing off. Sometimes, the nature and timing of specific audit procedures would be affected. For the closely monitored engagement, test procedures would be performed closer to year-end, or less reliance would be placed on analytical procedures. This view is consistent with the recommendation by the POB Panel on Audit Effectiveness, which called for inherent risk assessments for high-risk clients to be “reviewed by the concurring partner or an industry expert before the related tests of controls and substantive tests are designed and performed.”
If the inherent risk concept were revised to address the appropriate level of audit risk at the financial statement level, the profession might finally be motivated to formulate a benchmark level of overall audit risk for all audit engagements. The public benefit would be to provide users with a better understanding of “reasonable assurance.”
At the account or assertion level, a revised view of inherent risk would focus on the auditor’s consideration of the nature and timing of audit procedures. An audit’s extent, particularly regarding tests of details (in those instances where they are performed), would be affected by risk level decisions regarding controls and analytical procedures.
Simplify
The present role of inherent risk as a basis for achieving audit assurance is itself inherently risky and undermines the effectiveness of the audit. The POB Panel’s sanctioning of an audit risk model whose validity has been challenged, as well as the Panel’s inclination toward increasing complexity, is unfortunate.
Simplification is in order. A proper role for the inherent risk concept is to help the auditor to decide on 1) an appropriate level of audit risk to be achieved at the financial statement level, and 2) the nature and timing of audit procedures at the account or assertion level. To demand more of inherent risk is to demand too much.
Editor:
Robert H. Colson, PhD, CPA
The CPA Journal
The
CPA Journal is broadly recognized as an outstanding, technical-refereed publication
aimed at public practitioners, management, educators, and other accounting professionals.
It is edited by CPAs for CPAs. Our goal is to provide CPAs and other accounting
professionals with the information and news to enable them to be successful accountants,
managers, and executives in today's practice environments.
©2009 The New York State Society of CPAs. Legal Notices
Visit the new cpajournal.com.