Back to Basics: Audit Risk
Have you got to grips with the Principles of Audit and Reporting (PAR)? Anna Cameron takes us back to basics on audit risks to make sure you’re on PAR for success!
What is risk?
Risk is a fundamental concept when performing an audit. It forms the basis for how the auditor will complete the audit engagement and drives the amount and type of work that will be performed.
‘Audit risk’ is defined as the risk that the auditor gives the wrong opinion on the financial statements; ultimately, this is what the auditor is trying to avoid.
To support this, audit risk should be reduced to an acceptably low level. To help achieve this in practice when completing an audit, we split audit risk into three components, as shown below:
Audit Risk = Inherent Risk x Control Risk x Detection Risk
Helpfully, this audit risk model ties in with the stages of the audit process. Understanding the audit risk model helps to explain why the audit process is structured as it is.
Inherent risk is the susceptibility of a financial statement account to a material misstatement, irrespective of related internal controls. Therefore, this risk is assessed by understanding the entity and is the driver behind much of the work performed at the acceptance and planning stages of the audit.
To effectively complete an audit, the auditor must thoroughly understand the entity that they are to give an opinion on. This understanding will allow for the inherent risks to be identified, which means the auditor can focus their attention towards areas more likely to contain errors.
Control risk is the risk that the entity’s controls will not prevent, or detect and correct, a material misstatement in the financial statements on a timely basis.
In order to assess this risk, the auditor must understand the key business processes in place at the client and whether the controls over these processes are designed effectively, as well as assessing the overall control systems at the entity.
The auditor can then test the controls to assess whether they have operated effectively during the year and will therefore reduce the likelihood of a misstatement occurring in the financial statements.
This work will be completed after the planning work, as part of the systems and controls analysis stage of the audit.
Detection risk is the risk that the auditor’s procedures will not detect a material misstatement that exists in the financial statements. It is the only risk that can be controlled by the auditor as it will depend on the level of procedures performed by the auditor.
The level of detection risk will depend on the inherent risk and control risk that the auditor has already assessed, and it will drive the amount of work that is performed at the substantive testing stage of the audit.
At the end of the day, audit risk is the basis for completing an audit and the concept of risk is mentioned throughout the International Standards on Auditing (UK).
Understanding the drivers behind each of these different elements of the audit risk model helps to explain why an audit is structured as it is, and why each of the separate stages of the audit is necessary.