Management often reacts to inherent risk situations by designing accounting and internal control systems to prevent or detect and correct misstatements and therefore, in many cases, inherent risk and control risk are highly interrelated. In such situations, if the auditor attempts to assess inherent and control risks separately, there is a possibility of inappropriate risk assessment. As a result, audit risk
may be more appropriately determined in such situations by making a combined assessment.
The level of detection risk relates directly to the auditor’s substantive procedures. The auditor’s control risk assessment, together with the inherent risk assessment, influences the nature, timing and extent of substantive procedures to be performed to reduce detection risk, and therefore audit risk, to an acceptably low level. Some detection risk would always be present even if an auditor were to examine 100 percent of the account balances or class of transactions because, for example, most audit evidence is persuasive rather than conclusive.
The auditor should consider the assessed levels of inherent and control risks in determining the nature, timing and extent of substantive procedures required to reduce audit risk to an acceptably low level. In this regard the auditor would consider:
- the nature of substantive procedures, for example, using tests directed toward independent parties outside the entity rather than tests directed toward parties or documentation within the entity, or using tests of details for a particular audit objective in addition to analytical procedures;
- the timing of substantive procedures, for example, performing them at period end rather than at an earlier date; and
- the extent of substantive procedures, for example, using a larger sample size.
There is an inverse relationship between detection risk and the combined level of inherent and control risks. For example, when inherent and control risks are high, acceptable detection risk needs to be low to reduce audit risk to an acceptably low level. On the other hand, when inherent and control risks are low, an auditor can accept a higher detection risk and still reduce audit risk to an acceptably low level.
Refer to the Appendix to this SAP for an illustration of the interrelationship of the components of audit risk. While tests of control and substantive procedures are distinguishable as to their purpose, the results of either type of procedure may contribute to the purpose of the other. Misstatements discovered in conducting substantive procedures may cause the auditor to modify the previous assessment of control risk. Refer to the Appendix to this SAP for an illustration of the interrelationship of the components of
The assessed levels of inherent and control risks cannot be sufficiently low to eliminate the need for the auditor to perform any substantive procedures. Regardless of the assessed levels of inherent and control risks, the auditor should perform some substantive procedures for material account balances and classes of transactions. The auditor’s assessment of the components of audit risk may change during the course of an audit, for example, information may come to the auditor’s attention when performing substantive procedures that differs significantly from the information on which the auditor originally assessed inherent and control risks. In such cases, the auditor would modify the planned substantive procedures based on a revision the assessed levels of inherent and control risks.
The higher the assessment of inherent and control risks, the more audit evidence the auditor should obtain from the performance of substantive procedures. When both inherent and control risks are assessed as high, the auditor needs to consider whether substantive procedures can provide sufficient appropriate audit evidence to reduce detection risk, and therefore audit risk, to an acceptably low level.
When the auditor determines that detection risk regarding a financial statement assertion for a material account balance or class of transactions cannot be reduced to an acceptable level, the auditor should express a qualified opinion or a disclaimer of opinion as may be appropriate.