CHAPTER 11

A RISK-BASED AUDIT APPROACH – PART II

I. Review Questions

1. Use the model AR = IR x CR x DR to solve for different values of Audit Risk

(AR) when internal control risk (CR) is given different values. In all cases IR =
0.90 and DR = 0.10, therefore, AR = 0.90 x CR x 0.10

When CR is AR is
0.10 0.009 or 0.9 percent
0.50 0.045 or 4.5 percent
0.70 0.063 or 6.3 percent
0.90 0.081 or 8.1 percent
1.00 0.090 or 9.0 percent

2. a. Risk of Assessing Control Risk Too Low or Overreliance is a matter of

judgment about the importance (“key”) characteristic of a particular client
control procedure. An auditor can take more risk of assessing control risk
too low on unimportant controls than on important (“key”) ones.
Alternatively, the risk of assessing control risk too low can be considered a
constant (say, 0.05) and the importance of a control can be measured in
terms of a smaller or larger tolerable rate. (The authors prefer the latter
approach.)
b. Risk of Assessing Control Risk Too High or Underreliance is a matter of
judgment about the efficiency of an audit engagement. The risk can be
quite high when the audit team is willing to do extensive substantive work
anyway. If the work budget is tight, auditors need to find objective ways
(e.g., larger test of controls audit samples) to mitigate the risk.
c. Tolerable Deviation Rate is a judgment about how many control deviations
can exist in the population, yet the control can still be considered effective.
Auditors need to be careful about brushing aside findings of deviations.
d. Expected Deviation Rate in the Population is an estimate, usually based on
assumptions or sketchy information, of the imbedded incidence of control
deviations. The only use of this estimate in classical attribute sampling is to
figure a sample size in advance. The statistical evaluation (CUL
calculation) does not use it.
11-2 Solutions Manual - Principles of Auditing and Other Assurance
Services
e. Population Definition might be called a judgment about identification of the
population of control performances that correspond to an audit objective.
For example, an auditor would want to be sure he is sampling from a file of
recorded documents if his objective is to audit the controls over transaction
validity.

3. Assessing the control risk too low causes auditors to assign less control risk
(CR) in planning procedures than proper evaluation would cause them to assign.
The result could be (1) inadvertently conducting less audit work than properly
necessary and taking more audit risk (AR) than originally contemplated, perhaps
to the unpleasant results of failing to detect material misstatements (damaging
the effectiveness of the audit) or (2) discovering in the course of the audit work
that control is not as good as first believed, causing an increase in the audit
work, perhaps at a time when doing so is very costly (damaging the efficiency of
the audit).

4. The important consideration involved in judging an acceptable risk of assessing

control risk too high is the efficiency of the audit. Assessing control risk too
high causes auditors to think they need to perform a level of substantive work
which is greater than a proper evaluation of control would suggest. Assessing
control risk too high leads to overauditing.

Some auditors may be willing to accept high risks of assessing the control risk
too high because they intend to overaudit anyway, and the audit budget can
support the work.

Other auditors want to minimize their work (within acceptable professional

bounds of audit risk) and thus want to minimize the risk (probability) of
overauditing by mistake.

Technically, the risk of assessing control risk too high in relation to an attribute
sample is the probability of finding in the sample (n) one deviation more than
the “acceptable number” for the sampling plan. For example, if the plan called
for a sample of 100 units and a tolerable rate of 3 percent at a 0.10 risk of
assessing control risk too low, the “acceptable number” is zero deviations.

The probability of finding 1 or more deviations when the population rate is

actually 2 percent is:
Probability (x > 0 : n = 100, r = 0.02) = 1 – (1 – r) n
= 1 – (1 – 0.02) 100
= 0.867 or 86.7 percent

5. All the elements of the risk model are products of auditors’ professional
judgments. Auditors must judge:
 A Risk-based Audit Approach – Part II 11-3
Inherent risk – the probability that material errors or irregularities have entered
the accounting system used to develop financial statements.
Internal control risk – the probability that client’s system of internal control
policies and procedures will fail to detect material errors and irregularities,
provided any enter the data accounting system in the first place.
Analytical procedures risk – the probability that auditors’ analytical procedures
will fail to produce evidence of material errors and irregularities, provided
any have entered the accounting system in the first place and have not been
detected and corrected by the client’s internal control procedures.
Audit risk – the probability that auditors will not discover by any means errors
and irregularities that cause an account balance to be materially misstated.

Test of detail risk appears at first glance to be the product of a formula and not a
professional judgment. However, everything in the risk model is a judgment, so
the test of detail derived from the model is no less a judgment.

6. An incorrect acceptance decision directly impairs the effectiveness of an audit.

Auditors wrap up the work and the material misstatement appears in the
financial statements.

An incorrect rejection decision impairs the efficiency of an audit. Further

investigation of the cause and amount of misstatement provides a chance to
reverse the initial decision error.

7. Detection risk is the component of audit risk that is controllable by the auditor.
It may be raised or lowered by reducing or increasing the amount of substantive
audit testing. It is determined by the auditor’s assessment of inherent risk and
control risk.

8. The auditor deals with both inherent risk and control risk during the planning
phase of the audit. Inquiry of client personnel, study of the business and
industry, application of analytical procedures, and documentation of the
auditor’s initial understanding of internal control are all performed during the
planning phase of the audit. Further study of internal control procedures may
occur after the planning phase if the auditor wishes to further reduce the
assessed level of control risk, and considers it economically feasible to do so.

9. An auditor would assess control risk to be at maximum when (1) effective

controls for the assertion have either not been designed or not put in place, or (2)
when the auditor believes performing substantive tests of the assertion is more
cost effective. When an auditor assesses control risk to be below the maximum,
the auditor should believe that effective controls are present to prevent or detect
misstatements in the financial statement assertions.
11-4 Solutions Manual - Principles of Auditing and Other Assurance
Services
10. When the auditor assesses control risk at a level lower than maximum, the
auditor may generally perform fewer substantive tests.

11. The audit risk model is useful in managing audit risk for assertions. By
determining planned audit risk for an assertion, assessing inherent and control
risks, an auditor can determine the allowable detection risk (the amount of
detection risk an auditor can allow) for an assertion. Allowable detection risk is
used to determine the nature, timing, and extent of audit procedures for the
assertion.

12. Detection risk exists because auditors (1) may use an inappropriate audit
procedure, (2) may misapply an audit procedure, (3) may misinterpret the
findings, or (4) do not examine 100 percent of an account balance or transaction
class.

13. The amount of audit evidence an auditor must gather varies inversely with
allowable detection risk. As allowable detection risk decreases, the amount of
evidence required increases, and vice versa. Chapter 12 introduces audit
procedures and discusses how auditors modify audit procedures to obtain
sufficient competent evidential matter by changing (1) the nature, (2) the timing,
or (3) the extent of procedures.

14. The audit risk model is

Audit risk (AR) = Inherent risk (IR) x Control risk (CR) x Detection risk (DR)

15. Risks identified at the financial statement level may have a substantial impact on
the assessment of inherent risk for specific assertions. For example, concern
about management integrity, identified as a risk at the financial statement level,
would cause an auditor to assess a higher level of inherent risk for existence of
sales.

II. Multiple Choice Questions

1. d 12. d 23. c 34. c

2. d 13. a 24. c 35. d
3. c 14. d 25. d 36. b
4. d 15. d 26. d 37. d
5. a 16. c 27. c 38. d
6. b 17. b 28. b 39. c
7. a 18. a 29. d 40. a
8. a 19. a 30. a 41. c
9. b 20. b 31. a 42. d
10. b 21. d 32. b
11. a 22. a 33. a
 A Risk-based Audit Approach – Part II 11-5

III. Comprehensive Cases

Case 1. Factors that will affect your evaluation of audit risk include
• integrity of management – Jimenez’s reputation and lawsuit.
• trend toward domination of operating and financial decisions by
Jimenez.
• increased management compensation based on performance.
• aggressive attitude toward financial reporting by new personnel.
• profitability inconsistent with the industry.

Case 2. The factors that will affect Josefina’s audit risk and business risk are (a) this
is a special audit, (b) the audit will be used to set the value of certain assets, (c)
the auditor is to evaluate any disputed amount (although this is a common
provision in purchase agreements, one might question whether auditors should
agree to such terms), and (d) the materiality level is set at P50,000, even though
that is considerably below an amount that might be determined using a
percentage of assets and/or income. These factors will increase the risk at the
financial statement level and potentially increase business risk.

Case 3. a. The audit risk model gives the following results:

AR = IR x CR x DR (or) DR x AR / (IR x CR)

(1) 2.5% (4) 3.33%

(2) 0.67% (5) 2.5%
(3) 1

In the third situation, the auditor does not have to accumulate any evidence
because inherent risk and control risk give the appropriate level of planned
audit risk.

b. (1) 3 (tied) (4) 2

(2) 5 (5) 3 (tied)
(3) 1

Case 4. a. (1) Medium (4) Low

(2) Low (5) Low
(3) Low

b. (1) Least (4) 2 (tied)

(2) 2 (tied) (5) 2 (tied)
(3) 2 (tied)
11-6 Solutions Manual - Principles of Auditing and Other Assurance
Services

Case 5. 1. a. This will have an impact on audit risk for valuation of accounts
receivable.
b. Accumulation of additional evidence regarding collectability of
receivables will be necessary.
2. a. This situation may or may not affect overall audit risk, depending on
the impact of the financing needed and whether the company will
become so heavily leveraged that profitability becomes inadequate.
This situation might create increased business risk because of the
potential change in ownership. It would have an impact on audit risk
for valuation of stockholders’ equity.
b. Additional evidence will have to be accumulated relating to
stockholders’ equity, as well as any additional debt incurred.
3. a. The client’s changing of its accounting system will affect control risk in
each cycle, primarily for existence, completeness, and valuation.
b. Additional information will have to be accumulated about the system in
each cycle.
4. a. This will affect risk at the financial statement level, which may also
have an impact on risk for assertions relating to earnings and valuation
of assets. For example, the volatility in the industry may indicate the
potential for inadequate industry earnings or for a client’s earnings
being inconsistent with the industry.
b. Additional evidence will have to be accumulated about the financial
viability of the client and to provide evidence that management fraud
does not exist.
5. a. The increase in inventory will affect existence and valuation of
inventory.
b. Additional evidence will have to be accumulated about the existence
and valuation assertions.

Case 6. 1. a. Sales and collection

b. Primarily affects existence, completeness, and valuation assertions
c. Increase
2. a. Acquisitions and payments
b. Potential impact on all assertions
c. Increase
3. a. Sales and collections
b. Valuation, cutoff, and existence
c. No effect
 A Risk-based Audit Approach – Part II 11-7
4. a. Production and warehousing
b. Valuation
c. Increase