Audit risk is the risk that auditors issued the incorrect audit opinion to the audited financial statements. For example, auditors issued an unqualified opinion to the audited financial statements even though the financial statements are materially misstated. In other words, the material misstatements of financial statements fail to identify or detect by auditors.
Or the qualified opinion is issued as the result of immaterial misstatement found in financial statements which the correct opinion should be unqualified since the fact is financial statements are materially misstated. Audit risks come from two main different sources: Clients and Auditors themselves. The risks are classified into three different types: Inherent risks, Control Risks, and Detection Risks.
We will discuss this in detail below.
The auditor is required to assess the risks of material misstatements in the financial statements as per requirement from ISA 315 Identifying and Assessing the Risks of Material Misstatement Through Understanding the Entity and Its Environment.
The procedures that auditors use to perform risk assessment are inquiry, inspection, observation, and analytical procedures. The auditor assesses the risks at the entity control level deep dive into the risks related to the activities control level that could significantly affect the quality of financial information.
They also study the trend of balance or transactions of accounting items in the financial statements over the period of time to see if the change is normal or not and is there any risks of misstatement related to the change.
Audit Risks Model and Calculation:
Audit risk can be presented by the audit risks model as the combination of inherent risks, control risks, and detection risks. As mention above, inherent risks and control risks have come from clients whereas detection risks are control by auditors. All of these three risks are discussed below:
Here is the formula:
Audit Risks = Inherent risks * Control risks * Detection risks
Let me clarify about the formula here. Just because the model use multiplies here it does not mean that the need to be multiple to get audit risk. Detection Risk alone could also make high audit risk.
Inherent risk refers to the risk that could not be protected or detected by the entity’s internal control. This risk could happen as a result of the complexity of the client’s nature of business or transactions.
Sometimes, that nature of business could link to the complexity of financial transactions and require high involvement with judgment. The risk is normally high if the transaction or even involve highly human judgment. For example, the exposure in the complex derivative instrument.
This kind of risk could also be affected by the external environment; for example, climate change, political problems, or some other PESTEL effect on the business. Auditors required to assess those kinds of risks and set up audit procedures to address inherent risks properly.
For example, the auditor needs to set up a proper audit plan, audit approach, and audit strategy so that all relevance inherent risks that might affect the financial statements are identified and rectified on time.
Those include sufficient time for the audit team to work on the significant areas or having a member that has a deep understanding of the business as well as accounting transactions of the auditing financial statements.
In case auditor being aware that the potential client has high exposure to inherent risks, and auditor also know that the current resources are not capable to handle such client, the audit should not accept the engagement.
This procedure could help the auditor to minimize audit risks that come from inherent risks.
Control risk or internal control risk is the risk that current internal control could not detect or fail to protect significant error or misstatement in the financial statements.
Basically, management is required to set up and assess the effectiveness and efficiency of internal control over financial reporting to make sure that financial statements are free from material misstatements.
Why is the weakness of internal control leads bring risk to the auditor?
Basically, if the control is weak, there is a high chance that financial statements are materially misstated, and there is subsequently a high chance that auditors could not detect all kinds of those misstatements.
That means to control risk could lead to audit risk. Don’t be confused that it is the detection risk.
The auditor needs to understand and assess the client’s internal control over financial reporting conclude whether those control could be relied on or not.
If the client’s internal control seems to be strong, then the audit needs to confirm if the control is worked by testing internal control. There are certain ways that auditors could use to help them to minimize the control risks that result from poor internal control. For example, auditors should have proper risk assessment at the planning stages.
These risks assessment required auditors to understand not only the nature of the business but also internal control activities that link to financial reporting.
Mostly, COSO frameworks are the popular frameworks that use by most of the international audit firms to documents and assess internal controls.
Once the internal over financial statements and risks are properly assessed, the audit programs are properly tailored, then Control Risks are minimized.
Well, detection risk is the risk that auditor fails to detect the material misstatement in the financial statements and then issued an incorrect opinion to the audited financial statements.
The common cause of detection risk is improper audit planning, poor engagement management, wrong audit methodology, low competency and lack of understanding of audit clients.
Detection risk is occurred because of the auditor part rather than the client part.
As mentioned, detection risk could be the result of poor audit planning. For example, if audit planning is poor, not all kinds of risks are defined and the audit program that use to detect those risks is to deploy incorrectly. Then, the result is the material misstates are not detected.
There are certain guidelines that could help auditors to minimize detection risks so that the audit risks are also subsequently minimized.
At the time planning, auditors should set the right audit strategy, employed the right audit approach, and having a strong strategic audit plan.
Those including having a good understanding of the nature of the business, the complexity of the business operation, the complexity of the client’s financial statements, and a deep understanding of the client’s internal control over financial reporting.
A clear understanding of audit objectives and scope of audit could help auditors to set audit approaches and tailors the right audit program.
Having a strong audit team could also help auditors to minimize detection risks.
For example, having enough team members and those team members have good experiences and knowledge related to clients’ business and financial statements.
Why do auditors need to perform a risk assessment?
Auditor requires to perform risk assessments to make sure that all possible risks of misstatements that might happen to the financial statements are identified.
This is normally performed during and after the audit plan. If certain risks are identified during the cause of audit, the auditor should perform additional assessments to figure out the real size of the risks.
The auditor should assess audit risks before accepting the audit engagements by understanding the nature of the business that its client operating in, and the complexity of financial reporting in that sector.
This might help them to understand more about the audit risks and let them ready to detect these risks. The different industry might face different challenging in financial reporting.
For example, the financial reporting of the merchandising company might be easy to audit than financial reporting in agriculture or oil.
The auditor should also assess audit risks at the time they prepare the audit plan. Normally, this is done by using a control framework like COSO to assess all angles of the business process.
At this stage, the auditor might obtain an understanding in detail of the client nature of the business, major internal control over financial reporting, financial reporting system and many more.
Auditor will also assess the leadership of the management team as well as the entity’s culture.
How to calculate audit risks?
The above, we have mentioned the audit risks model and by that, you might think of the way to casting audit risk. Before we say whether or not audit risk is calculable, let see the model first.
The audit risks model is:
Audit Risks = Inherent Risk X Control Risk X Deletion Risk
This formula seems to tell us that the audit risks are quantifiable yet it does not.
This formula is just the concept. The thing is if either one is high the likelihood that auditor issued incorrect opinion is also hight.
Audit Risks Vs Fraud Risks:
What is the difference between audit risks and fraud risk?
Let assume you already have a better understanding of audit risks and let check above if you still not sure.
Now, let talk about fraud risks. Fraud risk is the risk that financial statements have material misstatement without detection by both auditor and management.
Management has the primary role and responsibility to design the control that could prevent and detect fraud. They also have the primary responsibility to investigate fraud.
The auditor is not responsible for fraud but they are responsible for providing reasonable assurance to the users of financial statements.
Based on the audit standard, the auditor needs to assess the risks of fraud that might happen as well as the materiality.
The following is one of the best audit material that could help you gain a better understanding of audit in more deep and detail.
The book covers many areas in audit and focuses deeply on perform a risk-based audit approach.
This book is authored by one of the well-known authors in audit, accounting and finance areas, Karla M. Johnstone, Ph.D., C.P.A. The author holds a Ph.D. in accounting and information systems.
He is currently the professor and Accounting Department Chair at Colorado State University.
Audit risk is the risk that audit opinion is incorrectly issued and it has come from a leak of internal control over financial reporting, poor audit quality, and inherent risks.
Written by Sinra