Audit Risk
Outline
Audit Risk
 Audit risk definition
 Components of Audit Risk
o Inherent Risk
o Control Risk
o Detection Risk
 The Relationship Between Tests of Controls and Substantive Tests
Audit Risk
Risk-based auditing: business risk and financial reporting risk originate with the audit
client and its environment, and these risks then affect the auditor’s engagement risk and
audit risk.

Business risk refers to a threat to the company’s ability to achieve its financial
goals.

Engagement Risk- risk that auditors encounter by being associated with a
particular client, including loss of reputation, inability of the client to pay the
auditor, or financial loss because management is not honest and inhibits the
audit process.

Financial Reporting Risk - incorrectly reporting information in the financial
statements.
Risk Assessment: A major part of this phase of the audit is the analysis of audit risk.
Audit risk: The probability that the auditor will render an unqualified (clean) opinion on
financial statements that are, in fact, materially misstated.
Unqualified opinion: Free from material misrepresentations and in accordance with
the GAAP.
Material misstatements may be caused by errors or irregularities or both.
o
Errors are unintentional mistakes.
o
Irregularities are intentional misrepresentations associated with the
commission of a fraud

such as the misappropriation of physical assets or the deception of
financial statement users.
Audit Risk Components
Auditor’s objective: To achieve a level of audit risk that is acceptable to the auditor.
Audit risk components: inherent risk, control risk, and detection risk.

Inherent risk depends on the nature and transaction of the industry.

Control risk depends on the company’s accounting system.

Detection risk depends on the auditor.
Audit Risk Model: Financial auditors use the audit risk components in a model to
determine the scope, nature, and timing of substantive tests.

The audit risk model is AR = IR ×CR ×DR

The nature of the tests of controls that will provide appropriate evidence depends
on the nature of the control to be tested.

The timing of tests of controls relates to when the evidence about the operating
effectiveness of the controls is obtained and the period of time to which it
applies.
Inherent Risk
Inherent risk refers to the risk associated with the unique characteristics of the
business or industry of the client.
o
Firms in declining industries have greater inherent risk than firms in stable
or thriving industries.
o
Industries that have a heavy volume of cash transactions have a higher
level of inherent risk than those that do not.
o
Placing a value on inventory when the inventory value is difficult to assess
due to its nature is associated with higher inherent risk than in situations
where inventory values are more objective.

Example: the valuation of diamonds is inherently riskier than
assessing the value of automobile tires.
Auditors cannot reduce the level of inherent risk.
o
Even in a system protected by excellent controls, financial data and,
consequently, financial statements, can be materially misstated.
Control Risk
Control risk is the likelihood that the control structure is flawed because controls are
either absent or inadequate to prevent or detect errors in the accounts.
o
The chance that material misstatements will not be prevented or detected
by internal controls.
How do Auditors assess the level of control risk: by performing tests of internal
controls.
Examples of tests of controls: Enquiry and confirmation, inspection, observation
Detection Risk
Detection risk is the chance that an auditor will fail to find material misstatements that
exist in an entity's financial statements.
o
These misstatements may be due to either fraud or error.
o
Auditors make use of audit procedures to detect these misstatements.
The Relationship Between Tests of
Controls and Substantive Tests
Test of controls phase involves determining whether internal controls are in place and
whether they function properly.
o
Internal controls are policies and procedures put in place by management
to ensure that the assets are safeguarded.
Substantive testing phase involves a detailed investigation of specific account balances
and transactions.
Relationship between tests of controls and substantive tests:
o
The relationship between tests of controls and substantive tests is directly
related the auditor’s risk assessment.
o
The stronger the internal controls, the less substantive testing the auditor
must do.
Auditor’s Risk Assessment: If Low CR, High DR, then Less Substantive Testing:
o
Low control risk means strong internal control structure, high detection risk
thus less substantive testing the auditor must do to reduce total audit risk.
o
High detection risk means high chance that material misstatement will be
detected by the auditors
Auditor’s Risk Assessment: If High CR, Low DR, then More Substantive Testing:
o
High control risk means weak internal control structure, low detection risk
thus more substantive testing the auditor must perform to reduce total audit
risk.
o
Low detection risk means less chance that material misstatement will be
detected by the auditors
Summary
Audit risk: The probability that the auditor will render an unqualified (clean) opinion on
financial statements that are, in fact, materially misstated.
Audit risk components: inherent risk, control risk, and detection risk.
Inherent risk: refers to the risk associated with the unique characteristics of the
business or industry of the client.
depends on the nature and transaction of the industry.
Control risk: the likelihood that the control structure is flawed because controls are
either absent or inadequate to prevent or detect errors in the accounts.
depends on the company’s accounting system.
Detection risk: the chance that material misstatement will not be detected by the
auditors.
depends on the auditor.
The Relationship Between Tests of Controls and Substantive Tests:

Low CR, High DR, Less Substantive Testing

High CR, Low DR, More Substantive Testing