Auditing 101 | Part 2: Risk Assessment

How an Audit Works from Start to Finish (Part 2 of 4)

Audit Risk, Materiality, Management Assertions, and Types of Audit Procedures

AUD 101 Series • Last updated: March 2026 • Reviewed by Kyle Lee Ashcraft, CPA

In Part 1, we covered everything that happens before the audit begins: client acceptance, the engagement letter, documentation, and planning. Now in Part 2, we move into the concepts that drive every audit decision from this point forward.

This is the most conceptual part of AUD, and it is where students lose the most points. The audit risk formula, materiality, management assertions, and the distinction between tests of controls and substantive procedures are not just standalone topics. They are the decision-making framework the auditor uses for the rest of the engagement. Once you understand how these concepts connect, the procedural topics in Parts 3 and 4 become far more intuitive.

Who this guide is for:

  • AUD students who need the audit risk formula and materiality explained in plain language
  • Students struggling with assertions who want a practical framework instead of a memorized list
  • Anyone confused about the difference between tests of controls and substantive procedures
  • Retakers who lost points on risk assessment and want a clearer mental model

Want the full AUD study system?

My Free CPA 101 course includes a complete study roadmap for AUD, including how to tackle conceptual questions about audit risk and materiality.

Why Risk Assessment Matters

Auditors do not have unlimited time, staff, or budget. They cannot test every single transaction in every single account. Risk assessment is the process of figuring out which areas of the company are most likely to contain misstatements, so the auditors know where to focus their limited resources.

Think of it like a surgeon.

Imagine a surgeon who skips the consultation entirely and walks into the operating room planning to replace the patient's legs, arms, and organs all at once. Without an assessment, the surgeon has no idea where the actual problem is. Risk assessment is the auditor's version of the diagnostic phase. It tells you where to operate.

Kyle's 90+ Score Insight: Almost every AUD question about "how should the auditor respond" traces back to risk assessment. If you understand why certain areas are riskier, the correct procedural response becomes obvious. Risk assessment is the foundation that makes everything else in the audit logical.

The Audit Risk Formula (High-Yield)

Audit risk is the risk that the financial statements contain a material misstatement and nobody detects it. Not the company. Not the auditors. The misstatement makes it onto the final financial statements that users rely on.

The Audit Risk Formula:

Audit Risk = Inherent Risk × Control Risk × Detection Risk

Inherent Risk (IR)

The risk that a misstatement exists based on the nature of the account itself, before considering any internal controls. Some accounts are naturally riskier than others. Cash has high inherent risk because it can be stolen or misreported. Prepaid expenses have low inherent risk because there is little incentive to manipulate them and not much that can go wrong.

Control Risk (CR)

The risk that the company's internal controls fail to detect a misstatement. Strong controls lower control risk. Weak controls or no controls raise it. The company controls this, not the auditor.

Detection Risk (DR)

The risk that the auditors perform their test work and still do not find a misstatement. This is the only component the auditor can directly control, by adjusting the nature, extent, and timing of audit procedures.

Risk of Material Misstatement vs. Detection Risk

The first two components combine into one concept:

Risk of Material Misstatement (RMM) = Inherent Risk × Control Risk

RMM represents the risk that a misstatement exists and the company's own controls do not catch it. This is the company's side of the equation. The auditor cannot change inherent risk or control risk. They are what they are.

Detection risk is the auditor's side. The critical relationship is this:

As RMM increases, detection risk must decrease (and vice versa).
They operate inversely.

When the risk of material misstatement is high, the auditor needs to work harder to compensate. That means lowering detection risk by changing the nature, increasing the extent, or adjusting the timing of audit procedures. When RMM is low, the auditor can accept a higher detection risk and perform less intensive testing.

The Restaurant Analogy

Think of a restaurant kitchen. Inherent risk is the difficulty of the dish: a medium-well steak has high inherent risk of being prepared incorrectly, while french fries have low inherent risk. Control risk is whether the head chef checks the orders before they leave the kitchen. If the head chef catches mistakes, control risk is low. If the head chef does not check, control risk is high. Detection risk is the delivery driver checking the order one more time before handing it to the customer. If the kitchen is making risky dishes and the chef is not checking, the delivery driver (the external auditor) needs to check more carefully to prevent an error from reaching the customer.

Common Trap: Students often stop at saying that the auditor "sets" audit risk at a target level, as if that were the whole answer. Audit risk is the overall acceptable level of risk for the engagement. The auditor sets that target and then adjusts detection risk to achieve it, because the auditor does not control inherent risk or control risk.

Study Tip: When an AUD question asks "how should the auditor respond to increased risk of material misstatement," the answer is always: decrease detection risk by doing more work (change the nature, increase the extent, or adjust the timing of procedures).

Two Levels of Risk Assessment

The auditor assesses risk of material misstatement at two levels: a high level and a detailed level. The CPA exam tests both and expects you to know the difference.

Financial Statement Level (High Level)

Risks that affect the financial statements as a whole, not just one specific account. These are pervasive risks that cut across the entire entity.

Examples: The company changes its CFO mid-year. The company is facing a going concern issue. There are significant related party transactions.

Response: The auditor adjusts the overall audit strategy, such as assigning more experienced staff, increasing professional skepticism, or adding unpredictability to the audit procedures.

Relevant Assertion Level (Detailed Level)

Risks tied to specific transactions, account balances, or disclosures. This is where the auditor evaluates risk for individual accounts like cash, accounts receivable, inventory, and revenue.

Categories:

  • Transactions = income statement items
  • Balances = balance sheet items
  • Disclosures = footnote disclosures

Response: The auditor designs specific audit procedures tailored to the identified risks for each account or assertion.

Kyle's 90+ Score Insight: Most of the audit work happens at the relevant assertion level because that is where the auditor designs the specific tests for each account. But do not forget the financial statement level. If a question describes a pervasive risk like a CFO change and asks for the response, the answer is about the overall audit strategy, not a specific account procedure.

Tests of Controls vs. Substantive Procedures (High-Yield)

There are two major categories of audit procedures: tests of controls and substantive procedures. Understanding the difference and when each is used is critical for AUD.

Tests of Controls

These test whether the company's internal controls are operating effectively. Remember from Part 1: the auditor is always required to understand the design and implementation of controls, but testing operating effectiveness is optional.

Why test them? If the controls are working effectively, the auditor can reduce control risk below its maximum level. That lowers the risk of material misstatement, which means the auditor can accept a higher detection risk and perform less substantive testing.

If the auditor does not test controls: Control risk stays at its maximum level, and the auditor must rely entirely on substantive procedures.

Substantive Procedures

These are any procedures that are not tests of controls. Their purpose is to detect material misstatements directly in the account balances, transactions, and disclosures.

Substantive procedures include two sub-categories:

  • Tests of details: Testing specific transactions and balances (confirmations, inspection, recalculation, etc.)
  • Substantive analytical procedures: High-level analysis comparing expectations to recorded amounts

The Full List of Substantive Procedures

Each procedure below is listed with what the auditor does and its category:

  • Confirmation: sends a request directly to a third party (e.g., a bank or customer) to verify a balance. Category: test of details.
  • Observation: watches a process being performed (e.g., observing a physical inventory count). Category: test of details.
  • Reperformance: independently re-executes a procedure or control that the client performed. Category: test of details.
  • Recalculation: checks the mathematical accuracy of the client's calculations. Category: test of details.
  • Inspecting assets: physically examines a tangible asset to verify it exists. Category: test of details.
  • Inspecting documents: examines source documents like invoices, contracts, or bank statements. Category: test of details.
  • Substantive analytical procedures: develops an expectation and compares it to the recorded amount to identify unusual differences. Category: analytical (not a test of details).

Common Trap: Students sometimes classify substantive analytical procedures as a "test of details." They are not. The first six procedures in the table are tests of details because you are directly examining individual transactions or balances. Substantive analytical procedures are a separate category where you analyze at a higher level. The exam tests this distinction.

How Tests of Controls Connect to the Audit Risk Formula

Test controls → Controls are effective → Reduce control risk → Lower RMM → Accept higher detection risk → Less substantive testing needed
Do not test controls → Control risk stays at maximum → Higher RMM → Must lower detection risk → More substantive testing needed

Study Tip: This flow chart is the single most important logical chain in all of AUD. If you can trace any audit decision back to this chain, you will get the question right.

Assertions and materiality are where AUD gets the most conceptual.

My Free CPA 101 Course includes the exact strategies I used to handle conceptual AUD questions, including how to approach assertion-based MCQs without memorizing every possible combination. Start it here for free.

Management Assertions (High-Yield)

Assertions are the claims management makes about the financial statements when they hand them to the auditors. The auditor's job is to test whether those claims are true.

When management presents financial statements, they are implicitly saying: "These numbers exist. They are complete. They are in the right accounts. They are recorded in the right period. They are recorded for the right amounts. We have the rights to the assets and obligations for the liabilities. And the disclosures are clear and properly presented."

Each of those claims is a separate assertion. The auditor uses assertions as a framework to design specific procedures. Instead of vaguely "testing accounts receivable," the auditor tests whether AR exists, whether it is complete, whether it is valued correctly, and so on.

Think of assertions like a rubric.

When a professor grades your essay, they do not just say "good" or "bad." They break it into categories: spelling, grammar, structure, argument quality. Assertions do the same thing for financial statements. They break the audit into specific, testable claims so the auditor has a structured way to evaluate each account.

Each assertion below is listed with the question it asks and an example:

  • Existence / Occurrence. What it asks: Do the assets actually exist? Did the transactions actually occur? Are these items legitimate? Example: Does the inventory sitting in the warehouse actually exist? Did the recorded sale actually happen?
  • Completeness. What it asks: Did the company leave anything out of the financial statements? Example: Management omitted a note payable from the balance sheet. The financials are incomplete.
  • Classification. What it asks: Is each item recorded in the correct account? Example: A repair cost was capitalized to fixed assets instead of being expensed to repairs and maintenance.
  • Cutoff. What it asks: Is the item recorded in the correct accounting period? Example: Revenue earned in January of next year was recorded in December of the current year.
  • Valuation / Allocation / Accuracy. What it asks: Is the item recorded for the correct dollar amount? Example: Accounts receivable is recorded in the right account and the right period, but the balance is overstated by $50,000.
  • Rights and Obligations. What it asks: Does the company have the legal right to the assets? Does it have the obligation for the liabilities? Example: Inventory held on consignment does not belong to the company and should not be on its balance sheet.
  • Presentation and Disclosure. What it asks: Are the footnote disclosures clear, complete, and properly presented? Example: The company failed to disclose a material contingent liability in the footnotes.

Which Assertions Matter Most for Which Accounts?

On the CPA exam, certain assertions are more critical for certain types of accounts. This is because management's incentives create predictable risks:

Each account type below is listed with its most critical assertion and the reason:

  • Assets (cash, AR, inventory): Existence. Management has an incentive to overstate assets. The primary risk is that recorded assets do not actually exist.
  • Liabilities (AP, debt): Completeness. Management has an incentive to understate liabilities. The primary risk is that liabilities have been left off the books.
  • Revenue: Existence / Occurrence. Management has an incentive to overstate revenue. The primary risk is that recorded revenue did not actually occur.
  • Expenses: Completeness. Management has an incentive to understate expenses to boost net income. The primary risk is that expenses were omitted.

Common Trap: Students memorize assertions as an isolated list without connecting them to specific accounts. On the exam, you will be given a scenario and asked which assertion a particular procedure addresses. Practice connecting procedures to assertions in context, not just listing them.

Kyle's 90+ Score Insight: The logic is simple once you see it. For assets and revenue, management wants the numbers to look bigger, so the main risk is that things are overstated or fabricated (existence). For liabilities and expenses, management wants the numbers to look smaller, so the main risk is that things are missing (completeness). That one insight will help you answer dozens of assertion questions correctly.

Materiality (High-Yield)

Not every error matters enough to change the audit opinion. Materiality is the threshold that separates misstatements that affect the decision-making of financial statement users from those that do not.

When you first start auditing, it is natural to find a $3 variance and feel like the entire financial statement is wrong. In reality, a $3 error on a company with $500 million in revenue is completely immaterial. It would not change a single decision that any investor or creditor makes.

Materiality gives the auditor a structured way to answer: "How big does an error have to be before it actually matters?"

Definition
A misstatement is material if it would affect the decision-making of the users of the financial statements.

How the Auditor Sets Materiality

The auditor sets materiality during the planning phase, typically using a percentage of a financial statement benchmark. The two most common benchmarks are:

Percentage of Total Revenue

Example: 2% of total revenue. If revenue is $10 million, materiality would be $200,000.

Percentage of Total Assets

Example: 1% of total assets. If total assets are $50 million, materiality would be $500,000.

The auditor may also use a combination of benchmarks or choose a different base entirely depending on the nature of the entity. The key point is that materiality is based on the size of the company, not an arbitrary number.

Materiality Can Change

Materiality is set during planning, but it is not locked in for the entire engagement. As the auditor performs testing and learns more about the company, they may revise materiality upward or downward. For example, if the auditor discovers that total revenue was significantly different from what was initially expected, the materiality threshold would be adjusted accordingly.

Common Trap: Students sometimes think that if the auditor finds misstatements below the materiality threshold, those misstatements can be ignored entirely. They cannot. The auditor accumulates all identified misstatements and evaluates their combined effect. A group of individually immaterial misstatements can become material in aggregate.

Study Tip: Remember that the engagement letter does not disclose materiality to management. If management knew the threshold, they could manipulate the financials to stay just below it. This is why materiality is the auditor's professional judgment, kept confidential from the client.

Materiality vs. Performance Materiality vs. Tolerable Misstatement

You may see these related terms on the CPA exam:

Each term below is listed with its meaning and how it relates to the others:

  • Materiality: the overall threshold for the financial statements as a whole. Set first; the largest amount.
  • Performance materiality: a lower amount set to reduce the risk that the total of uncorrected and undetected misstatements exceeds overall materiality. Set below overall materiality.
  • Tolerable misstatement: the maximum misstatement the auditor will accept in a specific account or class of transactions. Applied at the individual account level.
  • Trivial (clearly trivial): misstatements so small they do not need to be accumulated or communicated. Well below materiality.

Kyle's 90+ Score Insight: Think of it as a funnel. Overall materiality is the widest threshold for the statements as a whole. Performance materiality is a tighter threshold used during testing to create a buffer. Tolerable misstatement is even more specific, applied account by account. And trivial is the floor below which errors are too small to worry about.

Putting It All Together

Everything in Part 2 connects to the same decision chain:

1. Set materiality to determine what size of misstatement matters.

2. Assess inherent risk for each account based on its nature.

3. Decide whether to test controls. If the auditor tests them and they are effective, control risk decreases and less substantive testing is needed.

4. Design substantive procedures targeted at the specific assertions that are most at risk for each account.

5. Execute the procedures and evaluate whether identified misstatements exceed materiality.
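As an added example that is not part of the original article, the five steps above can be written as a small model: it sets materiality from the article's benchmarks, shows how an effective test of controls changes the detection risk the auditor can accept, and evaluates accumulated misstatements so that individually immaterial items can still be material in aggregate. The dollar amounts, risk levels and the clearly-trivial threshold (5% of materiality) are constructed assumptions.

```python
"""Added worked example (not from the original article): a small model of the
Part 2 decision chain (materiality -> RMM -> detection risk -> evaluation of
accumulated misstatements). Benchmark percentages (2% of revenue, 1% of total
assets) are the article's; all other values are constructed assumptions."""

BENCHMARK_PERCENT = {"revenue": 0.02, "total_assets": 0.01}  # from the article
CLEARLY_TRIVIAL_FRACTION = 0.05  # assumption: 5% of overall materiality


def overall_materiality(benchmark: str, amount: float) -> float:
    """Step 1: overall materiality as a percentage of a financial statement benchmark."""
    return BENCHMARK_PERCENT[benchmark] * amount


def assessed_control_risk(tested: bool, effective: bool, reduced_level: float) -> float:
    """Step 3: control risk stays at its maximum (1.0) unless controls are both
    tested and found effective; only then may it be reduced below maximum."""
    return reduced_level if (tested and effective) else 1.0


def required_detection_risk(target_audit_risk: float, inherent_risk: float,
                            control_risk: float) -> float:
    """Steps 2-3: rearrange AR = IR x CR x DR. RMM = IR x CR is the company's
    side; DR is the one factor the auditor adjusts to reach the target AR.
    A higher result means less substantive testing is needed."""
    rmm = inherent_risk * control_risk
    return target_audit_risk / rmm


def evaluate_misstatements(misstatements: list[float], materiality: float) -> dict:
    """Step 5: drop clearly trivial items, accumulate the rest, and compare the
    aggregate (absolute net effect, a simplification) to overall materiality."""
    trivial_cutoff = materiality * CLEARLY_TRIVIAL_FRACTION
    accumulated = [m for m in misstatements if abs(m) >= trivial_cutoff]
    aggregate = abs(sum(accumulated))
    return {
        "trivial_cutoff": trivial_cutoff,
        "accumulated": accumulated,
        "aggregate": aggregate,
        "material_in_aggregate": aggregate >= materiality,
        "any_individually_material": any(abs(m) >= materiality for m in accumulated),
    }


if __name__ == "__main__":
    m = overall_materiality("revenue", 10_000_000)  # $200,000, as in the article
    # Same inherent risk (0.8) and 5% target audit risk, with and without effective controls.
    dr_untested = required_detection_risk(0.05, 0.8, assessed_control_risk(False, False, 0.5))
    dr_tested = required_detection_risk(0.05, 0.8, assessed_control_risk(True, True, 0.5))
    print(f"materiality={m:,.0f}  DR(controls untested)={dr_untested:.4f}  "
          f"DR(controls tested, effective)={dr_tested:.4f}")
    # Constructed misstatements: each is below materiality, but together they cross it.
    print(evaluate_misstatements([60_000, 55_000, 50_000, 45_000, 2_000], m))
```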

In Part 3, we will move into the actual substantive testing phase: how auditors test cash, accounts receivable, and revenue. Every procedure in Part 3 traces back to the risk assessment and assertion framework we covered here.

FAQ

What is the audit risk formula?

Audit Risk = Inherent Risk × Control Risk × Detection Risk. Inherent risk and control risk together form the risk of material misstatement (RMM), which represents the company's side. Detection risk is the auditor's side and is the only component the auditor can directly control.

What is the relationship between risk of material misstatement and detection risk?

They operate inversely. When the risk of material misstatement increases, the auditor must decrease detection risk by performing more work (changing the nature, increasing the extent, or adjusting the timing of procedures). When RMM is low, the auditor can accept a higher detection risk.

What are management assertions?

Assertions are the implicit claims management makes about the financial statements. They include existence/occurrence, completeness, classification, cutoff, valuation/allocation/accuracy, rights and obligations, and presentation and disclosure. The auditor uses these assertions as a framework to design specific audit procedures for each account.

Which assertion is most important for assets vs. liabilities?

For assets, the most critical assertion is generally existence (management has an incentive to overstate assets). For liabilities, the most critical assertion is generally completeness (management has an incentive to understate or omit liabilities).

What is the difference between tests of controls and substantive procedures?

Tests of controls evaluate whether the company's internal controls are operating effectively. Substantive procedures test for material misstatements directly in the account balances, transactions, and disclosures. Substantive procedures include both tests of details (confirmations, inspection, recalculation, etc.) and substantive analytical procedures.

How is materiality determined?

The auditor sets materiality during the planning phase using a percentage of a financial statement benchmark, most commonly total revenue or total assets. Materiality can be revised during the engagement as the auditor gains more information about the company.

What is the difference between materiality and performance materiality?

Materiality is the overall threshold for the financial statements as a whole. Performance materiality is a lower amount set to create a buffer, reducing the risk that the total of all uncorrected and undetected misstatements exceeds overall materiality. Performance materiality is always set below overall materiality.

Ready to see how these concepts play out in real audit testing?

In Part 3, we will cover substantive testing for cash, accounts receivable, and revenue, showing how the risk assessment and assertion framework from this article drives every procedure the auditor performs. My Free CPA 101 Course gives you the complete study system for AUD and every other CPA exam section.

Kyle Ashcraft is a CPA who scored a 90+ on all four CPA exams. Kyle founded Maxwell CPA Review, which is an exam-prep company that offers a comprehensive CPA exam review course and private tutoring.
