This page covers audit risk model including assessing inherent risk, setting detection risk and assessing control risk.
Audit Risk Model
Assessment of Inherent Risk in the Audit Risk Model
Relationship of Risk to Audit Evidence
Engagement Risk Assessing Acceptable Audit Risk
Relationship of Risk and Materialty to Audit Evidence
Example: Detection Risk
Example: Components of Audit Risk Model
The risk assessment process
Before risk can be assessed, the auditor must perform procedures to obtain an under- standing of accounting and internal control systems (see Chapter 7 ‘Internal Control and Control Risk’). Audit procedures to obtain an understanding are referred to as ‘risk assessment procedures’17 because some of the results may be used by the auditor as audit evidence to support the assessments of the risks of material misstatement of the financial statements. The audit evidence obtained might also apply to transactions, account balances, disclosures, and the operating effectiveness of controls.
The auditor examines the risks of material misstatement at the financial statement level and at the financial statement assertion level for classes of transactions, account balances and disclosures. Risks that exist at the financial statement level are pervasive, i.e. they have a potential impact on a large number of items in the financial statements. An example is the risk that a company is unable to continue as a going concern. This risk would not just have an impact on one item of the financial statements, but would be of importance on the recognition and valuation of many items. Other risks are confined to one or only a few assertions in the financial statements, e.g. the risk of theft from a specific warehouse A could have an impact on the existence of the items recorded on account balance ‘Inventory warehouse A’. ‘Inventory’ is the financial statement element and the related class of transaction would be ‘Goods in’ or ‘Goods out’.
assessment tasks To assess the risks of misstatement of the financial statements, the auditor performs four tasks:
- Identify risks by developing an understanding of the entity and its environment, including relevant controls that relate to the risks. Analyse the strategic risks and the significant classes of transactions.
- Relate the identified risks to what could go wrong in management’s assertions about completeness, existence, valuation, occurrence, and measurement of transactions or assertions about rights, obligations, presentation, and disclosure.
- Determine whether the risks are of a magnitude that could result in a material misstatement of the financial statements.
- Consider the likelihood that the risks will result in a material misstatement of the financial statements and their impact on classes of transactions, account balances and disclosures.
Business risk, audit risk and its Components
As discussed before, business risks result from significant conditions, events, circum- stances, or actions that could adversely affect the entity’s ability to achieve its objectives and execute its strategies. Even though such risks are likely to eventually have an impact on an entity’s financial statements, not every business risk will translate directly in a risk of a material misstatement in the financial statements, which is often referred to as audit risk. For example, the fact that an engineering company has difficulty finding sufficient engineers is clearly a business risk, without there being an obvious direct link to an audit risk.
Audit risk is the risk that the auditor gives an inappropriate audit opinion when the financial statements are materially misstated. Audit risk is a measure the reliability of theinformation used by the accounting system is, i.e. how much reliance can be put on it. The higher the audit risk, the more evidence must be gathered in order for the auditor to obtain sufficient assurance as a basis for expressing an opinion on the financial statements.
Audit risk has three components: inherent risk, control risk and detection risk.18 Even though the new ISAs make only scarce reference to these components, we believe that they are illustrative in understanding how the risk assessment process works.
The three components are traditionally defined as follows:
- Inherentriskisthesusceptibilityofanaccountbalanceorclassoftransactionstomis- statements that could be material, individually or when aggregated with misstatements in other balances or classes, assuming that there were no related internal controls. The assessment of inherent risk is discussed in more detail later in this chapter.
- Control risk is the risk that a misstatement that could occur in an account balance or class of transactions and that could be material – individually or when aggregated with misstatements in other balances or classes – will not be prevented or detected and corrected on a timely basis by accounting and internal control systems.
- Detection risk is the risk that an auditor’s substantive procedures will not detect a misstatement that exists in an account balance or class of transactions that could be material, individually or when aggregated with misstatements in other balances or classes.
When inherent and control risks are high, acceptable detection risk needs to be low to reduce audit risk to an acceptably low level. For example, if the internal control structure is effective in preventing and/or detecting errors (i.e. control risk is low), the auditor is able to perform less effective substantive tests (detection risk is high). Alternatively, if the account balance is more susceptible to misstatement (inherent risk is higher), the auditor must apply more effective substantive testing procedures (detec- tion risk is lower). In short, the higher the assessment of inherent and control risk, the more audit evidence the auditor should obtain from the performance of substantive procedures.