3 Types of Audit Risk
Audit risk is the risk that auditors give a clean opinion on financial statements that contain material misstatement. There are three types of audit risk that lead to auditors providing an inappropriate opinion.
These three types of audit risk include:
- Inherent risk
- Control risk
- Detection risk
Inherent and control risk are the risks of material misstatement arising in the financial statements. These types of audit risk are dependent on the business, transactions and internal control system that the client has in place.
On the other hand, detection risk is the risk that is dependent entirely on the auditors. It is the type of audit risk that occurs due to the auditors fail to detect material misstatements in the financial statements.
Inherent risk is the risk that financial statements contain material misstatement before consideration of any related controls. This is the first type of audit risk as it occurs before putting any internal control in place and already exist before any audit work performed.
Inherent risk is the susceptibility of transaction or account balance to misstatement. It comes with the business’s transactions and its environment.
Among the three types of audit risk, inherent risk comes directly from the business nature itself. For example, if the business is in a high-risk area, the level of inherent risk is also high.
It is related to the complexity and dynamic of the business and transactions. So, the more complex and dynamic the business is, the higher the inherent risk will be. If a transaction is so complex and difficult for calculation, there is a higher chance of misstatement in calculation than a transaction that is simple.
For example, the company in the financial service sector that provides derivative products is inherently riskier than the trading company that does not provide such products. This is due to the derivative is the type of financial instrument that is generally considered complex in the accounting field.
The inherent risk cannot be reduced as it is related to the nature of the business and transaction itself. Hence, auditors can only assess whether it is high, moderate, or low and plan the audit procedures accordingly so that overall audit risk can be minimized.
Control risk is the risk that the internal control fails to prevent or detect material misstatements in the financial statements. Among the three types of audit risk, control risk is in the middle as the control is usually put in place to reduce the chance of error or fraud that inherits from the business and its environment.
In this case, once auditors have assessed that the inherent risk is high, the level of risk of material misstatement can only be reduced if the control risk is low. On the other hand, if both inherent and control risks are high, auditors can only lower detection risk to have an acceptable audit risk.
For example, if a restaurant allows its cashier to perform both receiving cash from customers and recording it into the accounting system, there is a risk that the cashier forgets to record the transactions into the system or record the incorrect amount into the system which leads to misstatement. This means that the control risk is high.
Auditors need to perform control risk assessment when obtaining an understanding of the client’s internal controls. In this case, they need to assess whether the controls can prevent or detect material misstatements related to relevant assertion for each significant account and disclosure.
If auditors believe that the internal controls are effective in preventing or detecting material misstatement, they will perform the test of controls to obtain evidence in supporting the effectiveness of controls before relying on the internal controls.
If the internal controls are strong and the auditors can rely upon, the audit work can be reduced by lowering the amount of substantive tests. However, if the internal controls are weak, the auditors will have to perform more substantive tests so that the overall audit risk can be minimized.
Detection risk is the risk that auditors fail to detect the material misstatement that exists in the financial statements. This type of audit risk occurs when audit procedures performed by the audit team could not locate the existed material misstatement.
Detection risk could occur due to many factors such as:
- Not proper audit planning
- Not appropriated audit procedures
- Not proper allocate of staff based on their skills and experiences
- Not proper monitoring and supervision of work
- Not proper documenting and dealing with problem arose
- Not performing regular review neither hot review nor cold review
- Staff’s not competent enough to perform the tasks etc.
- Lack of professional skepticism when performing the audit work
Unlike inherent risk and control risk, auditors can influence the level of detection risk. For example, if the risk of material misstatement is high, auditors can reduce the level of detection risk by performing more substantive tests or increasing the sample size in the tests of details.
In this case, auditors need to make sure that the level of audit risk is acceptably low. This is so that auditors can minimize the risk of providing a wrong opinion on financial statements.
In summary, the three types of audit risk that include inherent risk, control risk, and detection risk are closely related to each other. Even though inherent risk and control risk are not in the control of auditors, they need to make sure that the level of detection risk is suitable in responding to these types of audit risk so that the overall level of audit risk is acceptably low.