Do auditors assess inherent risk as if there are no controls?

Abstract

PurposeThe purpose of this paper is to examine whether auditors interpret the risk of material misstatement (RMM) in accordance with current standards' definition of inherent risk (IR). It is argued that controls should not be presumed when assessing inherent risk and that inherent risk should be considered separate from and prior to control risk when it is practical to do so. Because auditing standards explicitly require auditors to assess IR without consideration of internal controls (i.e. control risk (CR)), RMM should not be adjusted upward for control deficiencies.Design/methodology/approachThe authors survey and interview practicing auditors to gain an understanding of current risk assessment practice. They then evaluate whether their understanding of risk assessment is in line with current standards.FindingsContrary to auditing standards' definition of inherent risk, it appears that auditors presume some level of expected control effectiveness when assessing IR and they may increase RMM in response to internal control deficiencies. Such a presumption is inconsistent with the definition of inherent risk from the Auditing Standards Board (SAS No. 107), Public Company Accounting Oversight Board (AS 8), and International Auditing and Assurance Standards Board (ISA 200). Such misinterpretation may be an inadvertent result of guidance provided by standard setters in the form of SAS No. 109 from the ASB, AS 12 from the PCAOB and ISA 315 from the IAASB, which suggest combining IR and CR into RMM.Research limitations/implicationsThe research is limited both by the small sample size and the small number of risk factors investigated.Practical implicationsIf auditors presume a level of controls in assessing inherent risk, they may reduce audit effectiveness by estimating a lower RMM than is appropriate.Originality/valueThis study presents insights on the interpretation and assessment of audit risk in audit environments where inherent risk is no longer automatically set to be at the maximum. Namely that due to the definition of inherent risk, control information should have a unidirectional downward effect on the risk of material misstatement.