Abstract Current policy on how auditors should limit uncertainty about misstatements in auditee assertions is based on the audit risk model (AICPA 1992) that decomposes the components of audit risk as inherent risk (IR), control risk (CR), and detection risk (DR). The literature on the audit risk model has focused on a priori analyses of the model's assumptions and implications (see, e.g., Cushing and Loebbecke 1983; Kinney 1983, 1989, 1992; Leslie 1984), and auditors' risk assessments in experimental settings (see, e.g., Colbert 1988; Daniel 1988; Jiambalvo and Waller 1984; Libby et al. 1985). Absent are empirical studies that examine applications of the model in field settings. This article reports empirical evidence on auditors' IR and CR assessments in field settings by analyzing archival data drawn from the audit workpapers of KPMG Peat Marwick. As a part of audit planning, the firm requires its auditors to make and document IR and CR assessments for each assertion of each significant account. The assessments are made with respect to tolerable error, an algorithm-based measure of planning materiality at the assertion level. The data include approximately 5,000 risk assessments at the assertion level for trade accounts receivable, inventory, and trade accounts payable, on a total of 215 audit engagements. The data also indicate, for each assertion, whether a misstatement exceeding tolerable error was detected by the auditor. The data analysis considers four issues, the first of which is whether there is a statistical association between auditors' IR and CR assessments. A priori researchers (e.g., Cushing and Loebbecke 1983) argue that the audit risk model's multiplicative combination of IR and CR suggests independence between risk components, which contradicts auditors' conventional wisdom of dependence. The analysis in this study concludes that the dependence problem arises because (1) its event structure is ill-defined and (2) it fails to recognize that an auditor's assessments are conditional on his or her knowledge. A knowledge-based dependence may produce a statistical association between IR and CR. Contrary to expectation, the empirical evidence supports the conclusion of an insignificant association between IR and CR however, in a predominance of cases, CR is assessed at the maximum probably for reasons of efficiency. The remaining issues pertain to the policy requirement of assertion-level risk assessments. Viewed generally over many audit engagements, current policy depends on the following premises: (1) the rate of misstatements varies over assertions, (2) auditors' risk assessments vary over assertions, and (3) the association between the rate of misstatements and auditors' risk assessments is positive (i.e., the assessments are accurate). The data analysis examines the empirical validity of each premise, and supports the first inasmuch as there are significant differences in the rate of detected misstatements over assertions for each account. However, auditors typically assess IR and CR at the same value for all assertions for an account, which is inconsistent with the second premise. When the data pertaining to all assertions for an account are included in the analysis, the association between IR and the rate of detected misstatements (after controlling for CR and DR) tends to be positive but low, which indicates modest support for the third premise. When the analysis includes only the "most important" assertion for each account, the association is considerably stronger. In general, auditors' risk assessments are consistent with a heuristic that deliberately assesses risk for an account's "most important" assertion but does so mechanically for other assertions. Taken as a whole, the results indicate a need either to reconsider the policy of multiple risk assessments for an account or to enhance auditors' ability to assess assertion-specific risk.
William S. Waller (Fri,) studied this question.