Risk is the probability or threat of damage, injury, loss, liability or any other negative occurrence that is caused by external or internal vulnerabilities, and that may be avoided through preemptive action.
Audit risk is the chance that the auditor reaches an inappropriate conclusion in the area under audit. The audit process is designed to give a high level of assurance about the information that is subject to audit. However, it does not give absolute assurance that the information is 100% correct. The implication is that the auditor will seek to reduce audit risk to an acceptably low level but will not attempt to eliminate it entirely. Audit risk is made up of three components, namely inherent risk, control risk, and detection risk. Auditors use the following audit risk model when determining the audit risk.
Audit risk = Inherent risk × Control risk × Detection risk
Inherent risk is the susceptibility of an assertion about a class of transaction, account balance or disclosure to a misstatement that could be material, either individually or when aggregated with other misstatements, before the consideration of any related controls. Inherent risk may result from either:
- The nature of the items themselves. For example, estimated items are inherently risky because their measurement depends on management judgment rather than precise measures; or
- The nature of the entity or the industry in which it operates. For example, a company in the construction industry operates in a volatile and high-risk environment, so the items in its financial statements are more likely to be misstated than those of companies such as manufacturers of food and drinks, which operate in a more stable environment.
The auditor's assessment of inherent risk will be based mainly on:
- The knowledge gained from the previous audit
- An assessment of the current environment within which the industry operates
It is normal practice to assess inherent risk at the financial statement level and at the account balance and transaction level. Inherent risk is outside the control of both the auditor and client management.
Control risk is the probability that a material misstatement exists in an assertion because that misstatement was neither prevented from entering the entity's financial information nor detected and corrected by the entity's control system. Evidence about control risk can be obtained through a test of control for each major transaction cycle. It is unlikely that control risk will be zero because of the inherent limitations of any internal control system. Control risk can be reduced by introducing new or better controls.
Detection risk is the risk that the audit testing procedures will fail to detect a misstatement in a class of transaction, account balance or disclosure in the financial statements. An auditor must apply audit procedures to detect material misstatement in the financial statements, whether due to fraud or error. Misapplication or omission of critical audit procedures may result in a material misstatement remaining undetected by the auditor. Some detection risk is always present due to the inherent limitations of an audit, such as the use of samples. Detection risk can be lowered by performing more substantive tests in the audit. Detection risk is under the control of the auditor.