What is Audit Risk?
Audit risk is the risk that the auditor will express an inappropriate audit opinion on financial statements that contain material misstatements. From audit risk stems a concept called “acceptable level of audit risk.” The acceptable level of audit risk is what the auditor determines is acceptable for the specific company being audited. The key point is that the auditor, not the entity being audited, chooses what is an acceptable level of risk. The lower the level of acceptable audit risk, the higher the desired level of assurance/certainty, and vice versa.
The Audit Risk Formula
There is a mathematical formula for determining the level of risk associated with a given audit:
DR = Detection Risk
AR = Audit Risk
IR = Inherent Risk
CR = Control Risk
Looking at the denominator first, inherent risk (IR) is the risk of an assertion being a material misstatement, without considering internal controls.
Control risk (CR) is the risk that the client’s system of internal controls (i.e., policies and procedures put in place by management to enhance the reliability of the financial statements) will fail to prevent or detect a material misstatement.
Finally, detection risk is the risk that the auditor will not detect a material misstatement that exists in an assertion.
Audit risk and detection risk are related to the auditor, while inherent and control risk are independent of the auditor (they exist within the client, regardless of an audit). According to the audit/detection risk that the auditor decides, the audit procedures are designed accordingly. For example, if there is a higher level of detection risk (more risk of an error not begin detected), then the auditor will require more persuasive evidence to be reassured that there are no material misstatements.
Using the Audit Risk Model to Determine the Audit Evidence Required
|Audit Risk||Inherent Risk||Control Risk||Planned Detection Risk||Amount of Evidence Required|
|Sales and collections||Low (1%)||High (95%)||High (90%)||Low||HIGH|
|Acquisitions and payments||High (5%)||Low (50%)||Low (20%)||High||LOW|
|Inventory||High (5%)||Low (50%)||Moderate||Moderate||MODERATE|
Remember that IR and CR are independent of the auditor. Depending on the acceptable level of audit risk, the amount of evidence required will vary.
A Closer Look at Acceptable Audit Risk
The acceptable level of audit risk often depends on the type of client. For example, auditors will choose a lower level for public companies over private companies because more users depend on the financial statements of publicly-listed companies. However, there are other factors that also affect how an auditor sets audit risk for an engagement:
- Reliance by external users: The more external users are likely to rely on the audit information, the lower the acceptable level of audit risk
- Likelihood of financial failure: The higher the risk of the company experiencing financial failure, the lower the acceptable level of audit risk
- Integrity of management: The more questionable the integrity/honesty of management, the lower the acceptable level of audit risk
A Closer Look at Inherent Risk
Remember that inherent risk exists independent of the auditor. To gain a better understanding of inherent risk, it is critical to understand the entity being audited and its environment. The following factors are important in making this determination:
- Nature of the client’s business, including its products and services
- For example, a business in the high-tech or jewelry industries is more prone to risk as a result of inventory obsolescence
- The client’s information technology environment
- A company with more complex and decentralized processing systems are more prone to higher inherent risk
- Integrity of management
- Client motivations or client objectives (i.e., risks associated with incentives such as bonuses based on net income or profit margin)
- Related parties – the greater the number of parties involved in determining the company’s financial health, the greater the risk of accounting measurement issues
- Non-routine transactions (since auditors use sampling, as opposed to examining every individual transaction, there is a greater likelihood of accounting error when a company has a higher number of non-routine transactions)
- Judgment/estimation involved in accounting issues
ABC Company produces cutting-edge environmentally friendly machines. ABC Company recently commercialized its newly developed product and is amortizing it over 50 years. The company financed its new manufacturing facility by issuing convertible debentures, and expects to complete an IPO in the future. The financial controller recently obtained his CPA. All management personnel are given stock options, as well as bonuses based on the company’s bottom line net income.
Some factors to consider:
- New convertible debentures and potential future IPO means more external users. Therefore, the acceptable level of audit risk should be lowered.
- Cutting-edge technology that is unproven may suggest a potential financial failure issue.
- The financial controller is newly-trained and likely inexperienced, which makes for a higher level of inherent risk.
- Stock option accounting can be difficult to perform adequately when the stock experiences high volatility.
- The nature of the business seems to be risky because of the high-tech products the company deals in – there may be potential for inventory valuation issues.
- The amortization period is subjectively chosen. Therefore, it may or may not accurately reflect the useful life of the asset.
- Public companies are subject to more regulatory requirements than private companies are, which also poses a higher level of inherent risk.
CFI is the official provider of the Financial Modeling & Valuation Analyst designation for financial analysts. To continue learning and advancing your career, these additional CFI resources will be helpful: