iEduNote.com

Audit Risk: Components of Audit Risk

Audit Risk: Components of Audit Risk

The audit risk can be defined as the risk that the auditor will not discern errors or intentional miscalculations while reviewing the financial statements of a company or an individual.

What is Audit Risk?

Audit Risk is the risk that the auditor expresses an inappropriate audit opinion when the financial statements are materially misstated.

Audit risk is when an auditor issues an incorrect opinion of financial statements.

The audit risk is the risk that the auditor will not discern errors or intentional miscalculations while reviewing the company’s financial statements.

Examples of inappropriate audit opinions include the following:

  • Issuing an unqualified audit report where a qualification is reasonably justified;
  • Issuing a qualified audit opinion where no qualification is necessary;
  • Failing to emphasize a significant matter in the audit report;
  • Providing an opinion on financial statements where no such opinion may be reasonably given due to a significant limitation of scope in the performance of the audit.

Components of Audit Risk

Audit risk may be considered as the product of the various risks encountered in the performance of the audit.

To keep the overall audit risk of engagements below an acceptable limit, the auditor must assess each component of the audit risk level.

1. Inherent Risk

Inherent risk is the risk of a material misstatement in the financial statements arising due to error or omission due to factors other than the failure of controls (factors that may cause a misstatement due to absence or lapse of controls are considered separately in the assessment of control risk).

Inherent risk is generally considered higher where a high degree of judgment and estimation is involved, or entity transactions are highly complex.

For example, the inherent risk in auditing a newly formed financial institution with significant trade and exposure to complex derivative instruments may be significantly higher compared to a well-established manufacturing concern operating in a relatively stable competitive environment.

2. Control Risk

Control Risk is the risk of a material misstatement in the financial statements arising due to the absence or failure in the operation of relevant controls of the entity.

Organizations must have adequate internal controls in place to prevent and detect instances of fraud and error.

Control risk is considered to be high when the audited entity does not have adequate internal controls to prevent and detect instances of fraud and error in the financial statements.

Assessment of control risk may be higher, for example, in the case of a small-sized entity in which segregation of duties is not well defined, and the financial statements are prepared by individuals who do not have the necessary technical knowledge of accounting and finance.

Read our article on the definition of control risk and the steps for assessing control risk.

3. Detection Risk

Detection Risk is the risk that the auditors fail to detect a material misstatement in the financial statements. An auditor must apply audit procedures to detect material misstatements in the financial statements, whether due to fraud or error.

Misapplication or omission of critical audit procedures may result in an undetected material misstatement by the auditor.

Some detection risk is always present due to the inherent limitations of the audit, such as the use of sampling for the selection of transactions.

Auditors can reduce detection risk by increasing the number of sampled transactions for detailed testing. Check out our article on detection risk, how to determine detection risk, and the formula for detection risk.

Relationships Among the Audit Risk Components

For a specified level of audit risk, there is an inverse relationship between the assessed levels of inherent and control risks for an assertion and the level of detection risk that the auditor can accept for that assertion.

Thus, the lower the assessments of inherent and control risks, the higher the acceptable level of detection risk. Inherent and control risks relate to the client’s circumstances, whereas detection risk is controllable by the auditor.

Accordingly, the auditor controls audit risk by adjusting detection risk according to the assessed levels of inherent and control risks.

In relating the components of audit risk, the auditor may express each component in quantitative terms, such as percentages, or-non-quantitative terms such as very low, low, moderate, high, and maximum.

In either case, understanding the relationship expressed in the audit risk model is essential in determining the acceptable level of detection risk.

Assessing the Audit Risk

The auditors use the audit risk model to manage the overall risk of an audit engagement.

Auditors proceed by examining the inherent and control risks of an audit engagement while gaining an understanding of the entity and its environment.

Detection risk forms the residual risk after considering the inherent and control risks of the audit engagement and the overall audit risk that the auditor is willing to accept.

Where the auditor’s assessment of inherent and control risk is high, the detection risk is set at a lower level to keep the audit risk at an acceptable level.

Lower detection risk may be achieved by increasing the sample size for audit testing.

Conversely, where the auditor believes the inherent and control risks of engagement to below, detection risk is allowed to be set at a relatively higher level.

Audit Risk Model for Planning

The audit risk model expresses the relationship between the audit risk components as follows:

AR = IR x CR x DR

The symbols represent audit, inherent, control, and detection risk. The model can be used to determine the planned detection risk for an assertion.

To illustrate the use of the model, let’s assume that the auditor has made the following risk assessments for a particular assertion, such as the valuation or allocation assertion for inventories;

IR = 50%; CR = 50%

Further, let’s assume the auditor has specified an overall AR of 5%. Detection risk can be determined by solving the model for DR as follows:

DR = AR 4- (IR x CR) = 5% (50% x 50%) = 20%

In practice, many auditors do not attempt to quantify each risk component, making it impossible to mathematically solve the risk model.

However, even when not solved mathematically, familiarity with the model makes the following relationship clear to hold audit risk to a specified level. The higher the assessed levels of inherent and control risks, the lower the acceptable level of detection risk will be.

Significance of Audit Risk

Low audit risk is significant as auditors can’t verify every transaction.

The auditors generally focus on main risk areas, for example, understated costs or overstated revenues, where errors may lead to material misstatements on the financial statements.

Moreover, auditing standards necessitate the auditors to plan and perform audits with professional skepticism as there is always a possibility for the financial statements being materially misstatement.

Audit Risk at the Financial Statement and Account Balance Levels

The auditor specifies an overall audit risk level for the financial statements taken as a whole.

Generally, that same level applies to each account balance and all related assertions.

Currently, if an auditor used different audit risk levels for different accounts and assertions, there would be no generally accepted way of combining the results to determine the overall audit risk level for the financial statements.

In contrast, the assessed levels of inherent and control risk and the acceptable level of detection risk can vary for each account and assertion.

The auditor does not control the levels of inherent and control risk and intentionally varies the acceptable level of detection risk inversely with the assessed levels of the other risk components to hold audit risk constant.

Thus, expressions of the levels of inherent, control, and detection risk pertain to individual assertions at the accounts balance level, not to the financial statements taken as a whole.

Interrelationships among Materiality, Audit Risk, and Audit Evidence

There is an inverse relationship between materiality and audit evidence and an inverse relationship between audit risk and audit evidence.

Interrelationships among Materiality, Audit Risk and Audit Evidence

The above figure illustrates these relationships and the interrelationships among all three concepts.

For example, if we hold audit risk constant and reduce the materiality level in the figure, audit evidence must increase to complete the circle.

Similarly, if we hold the materiality level constant and reduce audit evidence, the audit risk must increase to complete the circle.

Or, if we wish to reduce audit risk, we can do any of the following;

  1. increase the materiality level while holding audit evidence constant,
  2. increase audit evidence while holding the materiality level constant, or
  3. make a smaller increase in the amount of audit evidence and the materiality level.

Audit Risk Alerts

Audit risk alerts are intended to provide auditors with an overview of recent economic, professional, and regulatory developments that may affect audits for clients in many industries.

Periodically, the AICPA staff, in consultation with the Auditing Standards Board, issues audit risk alerts. In addition to the general audit risk alerts, updates are issued covering developments related to specific industries.

Related Posts