What is Audit Risk?
Audit risk is the risk that the auditor will express an inappropriate audit opinion on financial statements that contain material misstatements. From audit risk stems a concept called “acceptable level of audit risk.” The acceptable level of audit risk is what the auditor determines is acceptable for the specific company being audited. The key point is that the auditor, not the entity being audited, chooses what is an acceptable level of risk. The lower the level of acceptable audit risk, the higher the desired level of assurance/certainty, and vice versa.
The Audit Risk Formula
The audit risk model is best understood through a mathematical formula:
DR = Detection Risk
AR = Audit Risk
IR = Inherent Risk
CR = Control Risk
Looking at the denominator first, inherent risk (IR) is the risk/susceptibility of an assertion to a material misstatement without considering internal controls. It means that there is an error in the first place.
Control risk (CR) is the risk that the client’s system of internal controls (i.e. policies and procedures put in place by management to enhance the reliability of the financial statements) will fail to prevent or detect a material misstatement. And finally, detection risk is the risk that the auditor will not detect a material misstatement that exists in an assertion.
Therefore, audit risk and detection risk are related to the auditor, while inherent risk and control risk are independent of the auditor; they exist within the client regardless of an audit. The types of audit procedures are designed according to the audit/detection risk that the auditor decides on. A lower detection risk will require more persuasive evidence than a higher detection risk.
Using the Audit Risk Model to Determine the Audit Evidence Required
| | Audit Risk | Inherent Risk | Control Risk | Planned Detection Risk | Amount of Evidence Required |
|---|---|---|---|---|---|
| Sales and collections | Low (1%) | High (95%) | High (90%) | Low | HIGH |
| Acquisitions and payments | High (5%) | Low (50%) | Low (20%) | High | LOW |
| Inventory | High (5%) | Low (50%) | Moderate | Moderate | MODERATE |
Remember that IR and CR are independent of the auditor; the amount of evidence required will vary depending on the acceptable level of audit risk.
A Closer Look at Acceptable Audit Risk
In general, the acceptable level of audit risk depends on the type of client. For example, auditors will choose a lower level for public companies than for private companies because more users will depend on the financial statements of publicly listed companies. However, there are other factors that also affect how an auditor sets audit risk for an engagement:
- Reliance by external users: The more external users there are, the lower the acceptable level of audit risk
- Likelihood of financial failure: The higher the risk of financial failure, the lower the acceptable level of audit risk
- Integrity of management: The more questionable the integrity/honesty of management, the lower the acceptable level of audit risk.
A Closer Look at Inherent Risk
Remember that inherent risk exists independent of the auditor. To gain a better understanding of inherent risk, it is critical to understand the entity and its environment by considering the following factors:
- Nature of the client’s business including its products and services
  - A business in a high tech or jewelry industry is more prone to risk/inventory obsolescence
- The client’s information technology environment
  - A company with more complex and decentralized processing systems is more prone to higher inherent risk
- Integrity of management
- Client motivations or client objectives (i.e. bonuses based on net income, stock options)
- Related parties (i.e. greater risk of accounting measurement issues)
- Non-routine transactions (i.e. greater likelihood of accounting error due to unorthodox transactions)
- Judgment/estimation involved in accounting issues
ABC Company produces cutting-edge environmentally friendly machines. ABC Company recently commercialized its newly developed product and is amortizing it over 50 years. The company financed its new manufacturing facility by issuing convertible debentures and expects to complete an IPO in the future. The financial controller recently obtained his CPA. All management personnel are given stock options, as well as a bonus based on net income.
Some factors to consider:
- New convertible debentures and a potential future IPO mean more external users, hence the acceptable level of audit risk should be lowered.
- Cutting-edge technology that is unproven may suggest a potential financial failure issue.
- The financial controller is new and may be inexperienced, meaning a higher chance of inherent risk.
- Stock option accounting can be difficult due to the volatility of the stock.
- The nature of the business seems to be risky because of the high-tech products; there may be potential for inventory valuation issues.
- The amortization period is judgmental.
- Public companies are subject to more regulatory requirements than private companies, which also poses a higher chance of inherent risk.