Hey, welcome back audit learners. I want to walk you through the nuts and bolts of the traditional audit risk model. Let's dive right in. So, going to PCAOB audit standard number 8, the risk of material misstatement, is a risk that is fundamentally beyond the control of the auditor. It's a risk that the auditor primarily assesses, and it's a risk that is comprised itself of 2 categories of risk. Inherent risk, and control risk. Okay? Now let's break those down and turn. Inherent risk is the risk that material misstatement could occur, before consideration of any internal controls that management has put in place over its financial reporting, okay? So the idea here is that doing businesses in some industries, it's just more susceptible to misstatement. So let's think of an industry that might have a high inherent degree of risk. Well, think of industries that have very complex estimates in their financial statements, okay? A gold mining company whose primary assets are the gold reserves. That could have a high inherent risk. Maybe a company whose product lines are rapidly changing and there's a huge amount of patent litigation, technological obsolescence, it's a high, inherent risk. If it's a company, by contrast, let's say like a public utility that is highly regulated, and they have a lot of people looking over their shoulders, and the price that they can even charge for their product doesn't have a lot of wiggle room, and their cost structure is pretty much well known, now they're going to have lower inherent risk. Now the first person that gets a shot at addressing these inherent risks is not the auditor, it's management. So what the auditor next does is figure out, well how carefully is management actively trying to mitigate these inherent risks of material misstatement in the financial statements. So control risk, is the risk that controls present, will not prevent or detect and correct, in a timely manner, a material misstatement. So if you're thinking of a leaky faucet being the inherent risk. You have a faucet and you can imagine if you have an old house, I have one of these, and if I don't turn that knob really really down hard it's going to drip. Imagine that water coming out of the faucet being misstatements and if it's more than just a leak, a little drip, if it's a stream, they can be high risk of being material. It can make your water bill go up. Well, what would be a control? A control might be either recapturing that water as it comes and filtering it back into the tank. Or just a control might be hey, simple as this, maybe 3 times during the day have the kids or you, yourself go check the faucets and turn it down. That could be your control, right? And, the point is if you're in a brand new home with great faucets and great seals, do you have to go in and check the faucets for drips 3 times a day or even once a day? The answer is no. So if you're a control conscious company, you will proactively do what it takes to mitigate inherent risks of material misstatement. On the other hand, if you have a very lackadaisical approach to inherent risks, the auditor needs to realize if you're not very serious about your controls at your organization, that when inherent risk goes up, the auditor him or herself needs to do more work. So what you have here is two risks, inherent and control, that the auditor primarily assesses and does not control directly. The way the auditor assesses inherent risk, is by being an expert in that industry and understanding the particulars of the business processes used by client. And there's a lot of different business processes right? There is a sale and collections business process. There is a marketing business process. There's probably, and for many companies today, an alliance management process, where you co-brand with companies, where you...there's a customer acquisition and retention process. All these processes have key business steps involved, some of those may increase the risk of a material misstatement in the financial statements. Okay? Now, when it comes to control risk it's not just about being an expert. As we will see later in the course, when the auditor believes that management is designing controls in a wise fashion, the auditor then will also design tests of those controls to get assurance that the controls over financial reporting are working, okay? So the auditor can assess inherent risk and actually the way these are often assessed by the way is in is in buckets of low, medium, or high, or sometimes just low and high. You do that based on professional judgment, and you don't necessarily need to go ahead and do a lot of testing to make that assessment, low, medium, or high. You have a narrative. When it comes to assessing control risk however, you actually have to go out, not only look at how well-designed management's controls are, you will also conduct some tests of these internal controls. And these tests could be, well let's look at the control that management should be doing and let's reperform the control ourself. And if, when you re-perform the control, you seem to fix something that was not fixed before, you've learned that management has not been doing a good job in controlling things, right? Or it could be looking at evidence that management has implemented the control in a faithful way. Let's go back to the rather silly, admittedly, faucet example. Suppose that not only when you turn the faucet more tightly you should also say, and maybe you even notice this when you go into restaurants restrooms, you'll see this little chart sometimes about when the restroom was checked. Presumably that's given you a sense of this restaurant cares about the customer experience. Well you could say, I'm just gonna go in here and see is the logbook signed when someone was coming in and cleaning the restroom, or checking the faucet for being a leaky faucet. Of course this could apply to much more serious things like in a nuclear power plant, is someone coming in and checking emissions levels? So the auditor going can contest whether there's evidence that the control was operating as designed. And if it is operating as designed, that can warrant you assessing control risk to be below maximum. Okay? So the auditor assesses inherent risk and control risk only, doesn't directly control them, but you need more proof, if you will, more evidence collection to get your assessment of control risk correct.
