Audit risk is the risk that auditors issue an incorrect audit opinion on the audited financial statements. For example, auditors issue an unqualified opinion on the audited financial statements even though the financial statements are materially misstated. In other words, the auditors fail to identify or detect the material misstatements in the financial statements.
Or a qualified opinion is issued as the result of an immaterial misstatement found in the financial statements, when the correct opinion should be unqualified since the fact is that the financial statements are materially misstated. Audit risks come from two main sources: clients and auditors themselves. The risks are classified into three different types: inherent risks, control risks, and detection risks.
We will discuss this in detail below.
The auditor is required to assess the risks of material misstatement in the financial statements, as required by ISA 315, Identifying and Assessing the Risks of Material Misstatement Through Understanding the Entity and Its Environment.
The procedures auditors use to perform risk assessment are inquiry, inspection, observation, and analytical procedures. The auditor assesses the risks at the entity control level and deep dives into the risks at the activity control level that could significantly affect the quality of financial information.
They also study the trend of balances or transactions of accounting items in the financial statements over a period of time to see whether the change is normal and whether there are any risks of misstatement related to the change.
Audit Risks Model and Calculation:
The audit risk model presents audit risk as the combination of inherent risks, control risks, and detection risks. As mentioned above, inherent risks and control risks come from clients, whereas detection risks are controlled by auditors. All three of these risks are discussed below:
Here is the formula:
Audit Risks = Inherent risks * Control risks * Detection risks
Let me clarify the formula here. Just because the model uses multiplication, it does not mean that the risks need to be multiplied to get audit risk. Detection risk alone could also make audit risk high.
Inherent risk refers to the risk that could not be protected against or detected by the entity’s internal control. This risk could arise from the complexity of the client’s business or transactions.
Sometimes, the nature of the business is linked to complex financial transactions that require a high degree of judgment. The risk is normally high if the transaction or event involves a high degree of human judgment, for example, exposure to complex derivative instruments.
This kind of risk could also be affected by the external environment, such as climate change, political problems, or other PESTEL effects. Auditors are required to assess those kinds of risks and set up audit procedures to address inherent risks properly.
For example, the auditor needs to set up a proper audit plan, audit approach, and audit strategy. All relevant inherent risks that might affect the financial statements are identified and rectified on time.
Those include sufficient time for the audit team to work on the significant areas, or having a team member who has a deep understanding of the business and the accounting transactions behind the financial statements being audited.
If the auditor is aware that the potential client has high exposure to inherent risks, and the auditor also knows that the current resources are not capable of handling such a client, the auditor should not accept the engagement.
This procedure could help the auditor to minimize audit risks that come from inherent risks.
Control risk, or internal control risk, is the risk that the current internal control cannot detect or fails to protect against significant errors or misstatements in the financial statements.
Basically, management is required to set up and assess the effectiveness and efficiency of internal control over financial reporting to make sure that financial statements are free from material misstatements.
Why does weak internal control bring risk to the auditor?
Basically, if the control is weak, there is a high chance that the financial statements are materially misstated, and there is subsequently a high chance that auditors cannot detect all of those misstatements.
That means control risk could lead to audit risk. Don’t confuse it with detection risk.
The auditor needs to understand and assess the client’s internal control over financial reporting to conclude whether those controls can be relied on or not.
If the client’s internal control seems to be strong, the auditor needs to confirm that the control works by testing internal control. There are certain ways that auditors can minimize the control risks that result from poor internal control. For example, auditors should perform a proper risk assessment at the planning stage.
This risk assessment requires auditors to understand the nature of the business and the internal control activities that link to financial reporting.
The COSO framework is the popular framework used by most international audit firms to document and assess internal controls.
Once the internal control over financial statements and the risks are properly assessed and the audit programs are properly tailored, control risks are minimized.
Detection risk is the risk that the auditor fails to detect a material misstatement in the financial statements and then issues an incorrect opinion on the audited financial statements.
The common causes of detection risk are improper audit planning, poor engagement management, wrong audit methodology, low competency, and lack of understanding of audit clients.
Detection risk occurs because of the auditor's part rather than the client's part.
As mentioned, detection risk could be the result of poor audit planning. For example, if audit planning is poor, not all kinds of risks are defined, and the audit program used to detect those risks is deployed incorrectly. The result is that the material misstatements are not detected.
Certain guidelines could help auditors minimize detection risks so that the audit risks are also subsequently minimized.
At the time of planning, auditors should set the right audit strategy, employ the right audit approach, and have a strong strategic audit plan.
These include having a good understanding of the nature of the business, the complexity of the business operation, the complexity of the client’s financial statements, and a deep understanding of the client’s internal control over financial reporting.
A clear understanding of audit objectives and audit scope could help auditors set audit approaches and tailor the right audit program.
Having a strong audit team could also help auditors to minimize detection risks.
For example, this means having enough team members who have good experience and knowledge related to the clients’ business and financial statements.
Why do auditors need to perform a risk assessment?
Auditors must perform risk assessments to ensure that all possible risks of misstatements that might happen to the financial statements are identified.
This is normally performed during and after the audit plan. If certain risks are identified during the course of the audit, the auditor should perform additional assessments to figure out the real size of the risks.
The auditor should assess audit risks before accepting the audit engagement by understanding the nature of the client’s business and the complexity of financial reporting in that sector.
This might help them understand more about the audit risks and detect them. Different industries might face different challenges in financial reporting.
For example, the merchandising company’s financial reporting might be easier to audit than financial reporting in agriculture or oil.
The auditor should also assess audit risks at the time they prepare the audit plan. Normally, this is done by using a control framework like COSO to assess all angles of the business process.
At this stage, the auditor might understand the nature of the client's business, the major internal controls over financial reporting, the financial reporting system, and many more.
The auditor will also assess the leadership of the management team as well as the entity’s culture.
How to calculate audit risks?
Above, we have mentioned the audit risk model, and by that, you might think of casting audit risk. Before we say whether or not audit risk is calculable, let's see the model first.
The audit risks model is:
Audit Risks = Inherent Risk X Control Risk X Detection Risk
This formula seems to tell us that audit risks are quantifiable, yet it does not.
This formula is just the concept. The thing is, if any one of them is high, the likelihood that the auditor issues an incorrect opinion is also high.
Audit Risks Vs Fraud Risks:
What is the difference between audit risks and fraud risk?
Let's assume you already have a better understanding of audit risks; check above if you are still not sure.
Now, let's talk about fraud risks. Fraud risk is the risk that financial statements have a material misstatement without detection by both auditor and management.
Management has the primary role and responsibility to design the control that could prevent and detect fraud. They also have the primary responsibility to investigate fraud.
The auditor is not responsible for fraud, but they are responsible for providing reasonable assurance to the users of financial statements.
Based on the audit standard, the auditor needs to assess the risks of fraud that might happen and the materiality.
The following is one of the best audit materials that could help you better understand audit in more depth and detail.
The book covers many areas in audit and focuses deeply on performing a risk-based audit approach.
This book is authored by well-known authors in audit, accounting, and finance areas, Karla M. Johnstone, Ph.D., C.P.A. The author holds a Ph.D. in accounting and information systems.
He is currently the professor and Accounting Department Chair at Colorado State University.
Audit risk is the risk that the audit opinion is incorrectly issued, and it comes from a lack of internal control over financial reporting, poor audit quality, and inherent risks.
Written by Sinra