Audit risk (also referred to as residual risk) refers to the risk that an auditor may issue an unqualified report due to the auditor’s failure to detect material misstatement either due to error or fraud. This risk is composed of inherent risk (IR), control risk (CR) and detection risk (DR), and can be calculated thus:
AR = IR × CR × DR
IR refers to the risk involved in the nature of business or transaction. Example, transactions involving exchange of cash may have higher IR than transactions involving settlement by cheques. CR refers to the risk that a misstatement could occur but may not be detected and corrected or prevented by the entity’s internal control mechanism. Example, control risk assessment may be higher in an entity where separation of duties is not well defined.
DR is the probability that the audit procedures may fail to detect existence of a material error or fraud. While CR depends on the strength or weakness of the internal control procedures, DR is either due to sampling error or human factors. There are three components of an audit risk from the viewpoint of the auditor — inherent risk, control risk and detection risk.
Inherent risk lies inherent in the audit. This springs from the reason that the systems, as designed by the management, may not be implemented in true letter and spirit. Control risk emanates from the inadequacy or inefficiency of the internal control systems in place. Especially in small entities, the internal control systems may not exist at all, or even if the systems exist, they may not be followed by the managements. Detection risk is that component of the audit risk resulting from the failure on the part of the
auditor to notice a misstatement. This could be due to want of experience, negligence, sacrificing integrity, or frauds being skillfully woven into the financial statements.