Audit risk is the risk that the auditors express an inappropriate audit opinion on financial statements. It is the risk that auditors give an unqualified or clean opinion on the financial statements that contain a material misstatement.
Audit risk always exists regardless of how well auditors planned and performed their audit tasks. However, auditors can reduce the level of risk, e.g. by increasing the number of audit procedures. Additionally, audit risk will be low if the audit is well planned and carefully performed.
When performing the audit work, auditors usually follow a risk-based approach. In this approach, auditors analyze and assess the risks related to the client’s business, transactions and internal control system in place which could lead to misstatements in the financial statements. Then they will direct their focus and testing to the risky areas.
Audit Risk Components
There are three audit risk components which include:
- inherent risk
- control risk
- detection risk
Inherent risk is the risk that the financial statements may contain material misstatement before considering any internal control procedure. It is considered the first one of audit risk components in which the risk is inherited from the client’s business.
Inherent risk comes from the size, nature and complexity of the client’s business transactions. The more complex business transactions are, the higher the inherent risk the client will have.
For example, those businesses that involve more with hedge accounting tend to have higher inherent risk than those of trading companies. This is due to hedge accounting tends to be complicated and require a high level of skill and knowledge in accounting.
Also, auditors cannot change or influence inherent risk; hence, the only way to deal with inherent risk is to tick it as high, moderate or low and perform more audit procedures to reduce the level of audit risk.
Control risk is the risk that the client’s internal control cannot prevent or detect a material misstatement that occurs on financial statements. It is the second one of audit risk components where auditors usually make an assessment by evaluating the internal control system that the client has in place.
If auditors believe that the client’s internal control can reduce the risk of material misstatement, they will assess the control risk as low and perform the test of controls to obtain evidence to support their assessment.
On the other hand, if auditors believe that the client’s internal control is week and ineffective, they will tick the control risk as high. In this case, auditors will not perform the test of controls as they will go directly to substantive audit procedures.
For example, control risk is high when the client does not perform bank reconciliation regularly. In this case, auditors will not perform the test of controls on the bank reconciliation. Likewise, more substantive works will be required in order to reduce audit risk to an acceptable level.
Auditors may also tick the control risk as high when they believe that it is more effective to perform the test of detail rather than reliance on internal control.
Similar to inherent risk, auditors cannot influence control risk; hence, if the control risk is high, auditors may need to perform more substantive works, e.g. test on a bigger sample, to reduce the audit risk.
Detection risk is the risk that auditors fail to detect material misstatements that exist on the financial statements. Detection risk is considered the last one of the three audit risk components.
This is due to without proper assessment of inherent and control risk, auditors would have no basis for assessing the detection risk. And as a result, auditors would not be able to properly plan the nature, timing and extent of the audit procedures.
Detection risk occurs when audit procedures performed by the audit team could not locate the material misstatement that exists on financial statements.
Unlike inherent risk and control risk, auditors can influence the level of detection risk. For example, if the risk of material misstatement is high, auditors need to reduce the level of detection risk.
This is so that the overall audit risk is at an acceptably low level. In this case, auditors can do so by increasing their substantive tests.
Audit Risk Formula
The audit risk formula is formed as the combination of inherent risk, control risk and detection risk as below:
In the formula, the sign “x” doesn’t mean multiplication. It refers to the relationship between the three components of audit risk.
For example, if the level of inherent and control risk is low, auditors can make an appropriate judgment that the level of audit risk can be still acceptably low even though the detection risk can be a bit high. This means auditors can reduce their substantive works and the risk is still acceptably low.
Also, audit risk formula can be in the form of risk of material misstatement and detection risk. This is due to the risk of material misstatement is the combination of inherent risk and control risk.
How can an auditor reduce audit risk?
Auditor has a responsibility to perform risk assessment at the planning stage of the audit. Likewise, the auditor needs to reduce audit risk to acceptable low to make sure that they do not fail to detect any material misstatement that happens to the financial statements.
Since inherent risk and control risk are outside of the control, the auditor can only change the level of detection risk. In this case, the auditor can reduce audit risk by:
- Perform proper audit planning before executing audit procedures
- Design suitable audit procedures that respond to the assessed risk
- Properly allocate staff based on their skills and experiences
- Have proper monitoring and supervision of audit work
- Have proper documenting and dealing with problem arose
- Perform regular review on the work of audit team members, both hot and cold review
- Form audit team that is competent to perform the tasks
- Maintain professional skepticism throughout audit work, etc.
Acceptable Audit Risk
Acceptable audit risk is the concept that auditors need to obtain sufficient appropriate audit evidence to draw reasonable conclusions on which to base the audit opinion.
In this case, auditors need to obtain reasonable assurance about whether the financial statements as a whole are free from material misstatement. Likewise, this can be done when auditors obtain sufficient appropriate audit evidence to reduce audit risk to an acceptable level.
The standards do not specify on what level is considered an acceptable level. They only state that auditors should reduce the audit risk to an acceptably low level. Hence, auditors’ professional judgment which is based on their knowledge and experience is very important here.
Auditors usually make use of the relationship of the three components of audit risk to determine an acceptable level of risk. In this case, as they cannot change the level of inherent and control risk, they need to change the level of detection risk to arrive at an acceptable level of audit risk.