Audit risk is the risk that an auditor may give an inappropriate opinion on financial information that is materially mis-stated. For example, an auditor may give an unqualified opinion on financial statements without knowing that they are materially mis-stated. Such risk may exist at overall level or while verifying various transactions and balance-sheet items.
1. Audit risk at the financial statement level : Audit risk is considered at the financial statement level during the audit planning process. At this time, the auditor should undertake an overall audit risk assessment based on his knowledge of the client’s business, industry, management, control environment and operations. Such an assessment provides preliminary information about the general
approach to the engagement, the auditor’s staffing needs and the framework within which materiality and audit risk assessments can be made at the individual account balance or class of transactions level. As part of this overall risk assessment, the auditor should consider whether there is potential for pervasive problems, for example, liquidity or going concern problems.
2. Audit risk at the account balance and class of transactions level: The majority of audit procedures are directed to, and carried out at the account balance and class of transactions level. Accordingly, audit risk should be considered by the auditor at this level taking into account the results of the overall audit risk assessment made at the financial statement level. To assess inherent risk, the auditor uses professional judgement to evaluate numerous factors, examples of which are:
At the financial statement level :
- the integrity of management;
- management experience, knowledge and changes during the period (e.g. the in experience of management may affect the preparation of the financial statements of the entity);
- unusual pressures on management (e.g. circumstances that might predispose management to misstate the financial statements, such as an entity in an industry experiencing a large number of business failures or an entity that lacks sufficient capital to continue operations);
- the nature of the entity’s business (e.g. its technological obsolescence of products and services, complex capital structure, significance of related parties, and the number of locations and geographical spread of its production facilities); factors affecting the industry in which the entity operates (e.g. economic and competitive conditions, and changes in technology, accounting
practices common to the industry and, if available, financial trends and ratios); At the Account balance and class of transaction level: - financial statement of accounts likely to be susceptible to misstatement (e.g. a financial statement of account which required adjustment in the previous period);
- the complexity of underlying transactions which might require the use of the work of an expert;
- the amount of judgement involved in determining account balances;
- susceptibility of assets to loss or misappropriation;
- the completion of unusual and complex transactions, particularly at or near year end; Assessment of audit risk by reference to its components : Audit risk has been discussed at length in AAS-6. As per AAS-6 three components of audit risk are:
- inherent risk (risk that material errors will occur);
- control risk (risk that the client’s system of internal control will not prevent or correct such errors); and
- detection risk (risk that any remaining material errors will not be detected by the auditor).
The nature of each of these types of risk and their interrelationship is discussed below:
Inherent risk is the susceptibility of an account balance or class of transactions to misstatement that could be material, individually or when aggregated with mis-statements in other balances or classes, assuming that there were no related internal controls. It is a function of the entity’s business and its environment and the nature of the account balance or class of transactions. For example, accounts
involving a high degree of management judgement, or that are difficult to compute, such as a complex accounting estimate, or that involve highly desirable and movable assets, such as jewellery, or that are particularly susceptible to changes in consumer demand or technology that could affect their value, will involve more inherent risk than other accounts.
Control risk is the risk that misstatement that could occur in an account balance or class of transactions and that could be material, individually or when aggregated with mis-statements in other balances or classes, will not be prevented or detected on a timely basis by the system of internal control. There will always be some control risk because of the intrinsic limitation of any system of internal control. To assess control risk, the auditor should consider the adequacy of control design, as well as test adherence to control procedures. In the absence of such an assessment, the auditor should assume that control risk is high. Detection risk is the risk that an auditor’s procedures will not detect a misstatement that exists in an account balance or class of transactions that could be material, individually or when aggregated with misstatements in other balances or classes. The level of detection risk relates directly to the auditor’s
procedures. Some detection risk would always be present even if an auditor were to examine 100 percent of the account balance or class of transaction because, for example, the auditor may select an inappropriate audit procedure, misapply an appropriate audit procedure or misinterpret the audit results.
Interrelationship of the components of audit risk : Inherent and control risks differ from detection risk in that they exist independently of an audit of financial information. Inherent and control risks are functions of the entity’s business and its environment and the nature of the account balances or classes of transactions, regardless of whether an audit is conducted. Even though inherent and control risks cannot be controlled by the auditor, the auditor can assess them and design his substantive procedures to produce an acceptable level of detection risk, thereby reducing audit risk to an acceptably low level.