Return to home page

(C) 2008-2013 Yigal Rechtman DRAFT FOR DISCUSSION PURPOSES ONLY

What is component risk bleed?

The Generally Accepted Auditing Standards' audit risk model speaks of three components for auditing:

• Inherit risk (IR), assessed by the auditor and controlled by neither the auditor nor organization under audit.
• Control risk, (CR) assessed by the auditor and controlled by the organization.
• Detection risk (DR), controlled by the auditor to manage overall audit risk (AR).

These three components are supposed to be discrete and the auditor is expected to reduce overall audit risk by assessing IR and CR, and managing the overall audit risk through DR.

The "Risk Bleed" symptom is one that is often enabled by the underlying computerized information system (IS). As IS is underlying both CR and DR, there is a movement of risk between CR and DR, that is enabled and even caused by IS. This causes the reliance of audit procedures to manage DR, to be somewhat ineffective. When CR is substantially based on IS, the auditor is in a position that requires deep understanding of IS, and designing of procedures that are also based on the same IS that produces the CR in the first place. This in essence is a bleed of risk from two components that in theory at least, are discrete.