Audit risk is the risk that the auditor expresses an inappropriate audit opinion when the financial statements are materially misstated. In simple terms, audit risk is the risk that an auditor will issue an unqualified opinion when the financial statements contain material misstatement.
ISA 200 states that auditor should plan and perform the audit to reduce audit risk to an acceptably low level that is consistent with the objective of an audit. (Auditing and Assurance Standard) AAS-6(Revised), “Risk Assessments and Internal Controls”, identifies the three components of audit risk i.e. inherent risk, control risk and detection risk.
Audit Risk Model: AR = IR x CR x DR
- AR= Audit risk (the risk that the auditor may unknowingly fail to appropriately modify his or her opinion on financial statements that are materially misstated)
- IR = Inherent risk (the risk that an assertion is susceptible to a material misstatement, assuming there are no related controls) : Inherent Risk is the auditor’s measure of assessing whether material misstatements exist in the financial statement before considering of internal controls. Ignoring internal controls, if the auditor assesses that the likelihood of material errors is high, the auditor will assume that the Inherent Risk is high. As the Control Risk constitutes a separate component of the Audit Risk Model, it is ignored here.
- CR = Control risk (the risk that a material misstatement that could occur in an assertion will not be prevented or detected on a timely basis by the entity’s internal control) : Control Risk is the auditor’s measure of assessing the likelihood that the client’s internal control system is unable to prevent or detect material misstatements exceeding a tolerable level. In assessing the level of the Control Risk, the auditor will assess the effectiveness of the firm’s internal control system during his audit, e.g. through questionnaires. The lower the effectiveness of internal controls the greater the frequency of error.
- DR = Detection risk (the risk that the auditor will not detect a material misstatement that exists in an assertion) : Detection Risk is the auditor’s measure of assessing the likelihood that the auditor won’t detect material misstatements. Auditors will carry out more audit work to increase the detection rate if Internal Risk and Control Risk are too high in order to meet the Audit Risk target.
The objective in an audit is to limit audit risk to a low level, as judged by the auditor. When conducting an audit, the auditor should consider materiality and its relationship with audit risk. The level of detection risk can be considered only after considering the level of inherent and control risks. While planning an audit, the auditor should keep in mind that the audit risk is to be kept at an acceptably low level. The range, efficiency, efficacy, nature and timing of the procedures performed by the auditor will determine the level (i.e. high or low) of detection risk
The major purpose of audit risk models is to help the auditor to obtain a given degree of confidence that the financial statements do not contain a material error. Economic considerations are not explicitly taken into account, and the focus is rather on effective audit risk control. In the second approach, audit decision models are more comprehensive in nature as compared to audit risk models: a broader set of factors are taken into account (such as, audit risk, audit costs, etc.). This type of model may serve as an aid for auditors to identify an efficient and cost effective way by which a suitable level (i.e., cost minimizing) of confidence can be achieved.
Audit risk is fundamental to the audit process because auditors cannot and do not attempt to check all transactions. It would be impossible to check all of transactions, and no one would be prepared to pay for the auditors to do so, hence the importance’s of the risk based approach toward auditing. Traditionally, auditors have used a risk-based approach in order to minimize the chance of giving an inappropriate audit opinion, and audits conducted in accordance with ISAs must follow the risk based approach, which should also help to ensure that audit work is carried out efficiently, using the most effective tests based on the audit risk assessment. Auditors should direct audit work to the key risks (sometimes also described as significant risks), where it is more likely that error in transactions and balances will lead to a material misstatement in the financial statements. It would be inefficient to address insignificant risks in a high level of detail, and whether a risk is classified as a key risk or not is a matter of judgment for the auditor.
Generally Accepted Auditing Standards (GAAS) establish a “model” for carrying out audits that requires auditors to use their judgment in assessing risks and then in deciding what procedures to carry out. This model often is referred to as the “audit risk model.” The model allows auditors to take a variety of circumstances into account in selecting an audit approach. For example, the model calls for auditors to have an understanding of the client’s business and industry, the systems employed to process transactions, the quality of personnel involved in accounting functions, the client’s policies and procedures related to the preparation of financial statements, and much more. The model requires auditors to gain an understanding of a company’s internal control, and to test the effectiveness of controls if the auditor intends to rely on them when considering the nature, timing and extent of the substantive tests to be carried out. For example, if controls over sales and accounts receivable are strong, the auditor might send a limited number of accounts receivable confirmation requests at an interim date and rely on the controls and certain other tests for updating the accounts to year end. Conversely, if controls are not strong, the auditor might send a larger number of accounts receivable confirmations at year end. The model requires an assessment of the risk of fraud (intentional misstatements of financial statements) in every audit.
Based on the auditor’s assessment of various risks and any tests of controls, the auditor makes judgments about the kinds of evidence (from sources that are internal or external to the client’s organization) needed to achieve “reasonable assurance.” On the one hand, GAAS set forth numerous requirements or matters that auditors should consider; on the other hand, the need to exercise audit judgment is embedded throughout GAAS.