Academic journal article Auditing: A Journal of Practice & Theory

The Audit Risk Model: An Empirical Test for Conditional Dependencies among Assessed Component Risks

Academic journal article Auditing: A Journal of Practice & Theory

The Audit Risk Model: An Empirical Test for Conditional Dependencies among Assessed Component Risks

Article excerpt


Professional standards and prior theoretical research indicate that assessed audit risk components should be conditionally dependent, in an experiment, experienced auditors made the risk assessments that are, in practice, inputs for using the audit risk model for planning the extent of detailed testing. Conditional dependencies were tested using a sequential linear modeling process that added the previously assessed risk components to the model (e.g., inherent risk assessments added to predict subsequent control risk assessments) as the last independent variable. Results showed that the previously assessed risk substantially increased the explanatory power of the models in accounting for variation in the subsequently assessed components. The results support the notion that audit risk components are assessed conditionally. Thus, they provide a defense for practitioners' claims that they are appropriately using the model and give guidance to future research on the audit risk model.

Key Words: Audit risk, Control risk, Analytical procedures risk, inherent risk, Component risk.

Data Availability: Contact the authors.


The consideration of audit risk is a major focus for balancing the trade-offs between efficiency and effectiveness in audits. The model described in SAS No. 47 (AICPA 1984) constitutes a decision aid that decomposes a global risk assessment into component risks that are used as inputs to the model (Jiambalvo and Waller 1984). On the one hand, the standards define the components to be conditionally dependent. For instance, the analytical procedures risk component is described in AU [section] 350.48 (AICPA 1998) as "the risk that analytical procedures ... would fail to detect misstatements ... given that such misstatements occur and are not detected by the internal control structure." Likewise, control risk is defined in AU [section] 312.20 (AICPA 1998) as "the risk that a material misstatement that could occur ... will not be prevented or detected ... by the entity's internal control structure" (emphasis added). Thus, the wording of the standard indicates that the component risk assessments should not be made independently.

On the other hand, the multiplicative combination rule provided in SAS No. 47 (AICPA 1984) treats the risk components as independent factors, as shown in the example in the standards. This possibility prompted research of the implications of assessing the components independently. The results of this research are consistent in concluding that proper use of the model requires that the component risks be specified as conditionally dependent risks (e.g., Morton and Felix 1991). Otherwise, using the combination rules as illustrated in the professional standards may result in conducting insufficient detailed testing to achieve the auditor's planned overall audit risk (Kinney 1989, 1992; Cushing and Loebbecke 1983).

The purpose of this study is to assess empirically whether component audit risks are assessed independently or are assessed interdependently and conditionally (i.e., configurally). (1) If auditors do assess the component risks independently of each other, they may unknowingly increase the chance of an undetected material misstatement. However, a finding that auditors assess the component risks conditionally would lend support to auditors' claims that they do not assess component risks in a manner that regularly results in under-auditing (Smith 1984; Aldersley 1989). The results could also provide a useful guide for future research on the audit risk model.

We used an experimental approach in which experienced auditors assessed the three components of the audit risk model that they regularly use as inputs to their sampling plans in practice (i.e., firm equivalents for inherent risk, control risk, and analytical procedures risk). (2) Each participant made an initial assessment of the component risks before being given results of the tests of controls and then made a second set of component risk assessments after being given the results of the tests of controls. …

Search by... Author
Show... All Results Primary Sources Peer-reviewed


An unknown error has occurred. Please click the button below to reload the page. If the problem persists, please try again in a little while.