Auditing Section Research Summaries Space

A Database of Auditing Research - Building Bridges with Practice

research summary

    A Risk Model to Opine on Internal Control.
    research summary posted October 19, 2015 by Jennifer M Mueller-Phillips, tagged 06.0 Risk and Risk Management, Including Fraud Risk, 06.02 Fraud Risk Models, 06.05 Assessing Risk of Material Misstatement, 07.0 Internal Control, 07.02 Assessing Material Weaknesses, 07.03 Reporting Material Weaknesses 
    Title:
    A Risk Model to Opine on Internal Control.
    Practical Implications:

    The auditor needs a different model for audits of internal control. The auditor needs to apply two different models in an integrated audit, the original model for the opinion on the financial statements and a different model for the opinion on internal controls.

    The author believes standard setters should sponsor research on an appropriate risk model for audits of internal control. Even before the research is completed, the standards could be enhanced in the following ways:
    • indicate that the original audit risk model is intended for use only in financial statement audits, not internal control audits;
    • write standards that consistently use risk terminology and are clear as to which risk they are discussing; and
    • provide guidance on the use of models in integrated audits.

    Citation:

    Akresh, A. D. 2010. A Risk Model to Opine on Internal Control. Accounting Horizons 24 (1): 65-78.

    Keywords:
    audit risk model, inherent risk, integrated audit, internal control, opinion, risk of material misstatement, risk of material weakness
    Purpose of the Study:

    The audit risk model has provided a conceptual framework for audits of financial statements for more than 40 years. Despite practical difficulties in implementation and criticisms of its theoretical foundation, the model has been fairly effective in helping auditors analyze risks and use that analysis to determine the nature, timing, and extent of audit procedures in audits of financial statements. In recent years, some auditors have tried to apply the audit risk model to audits of internal control, usually performed as parts of integrated audits. An integrated audit is an engagement where the auditor provides an opinion on the financial statements and an opinion on the effectiveness of internal control over financial reporting. It is integrated in the sense that the auditor tries to use some of the same procedures to meet both objectives.

    While the audit risk model was designed for audits of financial statements, it was not designed for audits of internal control. Audits of internal control are audits of processes rather than audits of outputs (financial statements). In addition, opinions on internal control do not rely on analytical procedures or on substantive tests of details. Because of this conceptual difference, the author asserts that the audit risk model, as originally formulated, does not work as a coherent conceptual framework for audits of internal control. The need for a different risk model for internal control audits is not currently recognized in the auditing standards or in the auditing literature.

    Design/Method/Approach:

    This article is a commentary.

    Findings:

    For an integrated audit, the auditor would use the two models sequentially. The auditor would use the internal control risk model as a framework to determine the extent of control tests. Then the auditor would use the financial statement audit risk model as a framework to determine the extent of substantive testing.

    Future research could determine a more specific model based on how auditors perform these audits. Some research questions include, for example:

    • What models and approaches are currently used in practice? How does current practice compare with the model proposed and other models?
    • Are models useful in providing a conceptual framework for integrated audits?
    • What are the current practices for the auditor’s evaluation of inherent risk? How do those practices compare with risk models?  
    • How do auditors assess design and implementation of internal controls in light of inherent risk without considering operating effectiveness?
    • What are the current practices for the auditor’s evaluation of design, implementation, and operating effectiveness of the control environment? Are those practices adequate to effectively use in a risk model?
    Category:
    Internal Control, Risk & Risk Management - Including Fraud Risk
    Sub-category:
    Assessing Material Weaknesses, Assessing Risk of Material Misstatement, Fraud Risk Models, Reporting Material Weaknesses