ISA 315 states that the auditor should identify and assess the risks of material misstatement of the financial statement level, and at the assertion level for classes of transactions, account balances, and disclosures.
Audit risk, as it directly affects the specific audit approach to the engagement, is generally considered at the account balance or class of transaction level.
At this level, audit risk consists of :
- The risk (consisting of inherent and control risk) that the account balance or class of transactions contain misstatements that could be material to the financial statements whether individually or when aggregated with misstatements in other balances or classes.
- the risk (detection risk) that the auditor will not detect such misstatements.
Audit Risk Model : AR = IR X CR X DR, where AR = Audit Risk, IR = Inherent Risk, CR = Control Risk, DR = Detection Risk
Inherent risk is the susceptibility of an account balance or class of transactions to material misstatement, individually or when aggregated with misstatements in other balances or classes assuming that there were no related internal controls. The inherent risk of misstatement is greater for some types of transactions or accounts than for others. For example :
- Account balances and transactions subject to complex calculations are more susceptible to error than those based on simple calculations.
- Assets such as cash are more susceptible to theft than assets such as fixed assets.
- Account balances subject to judgment and estimation are more likely to be misstated than account balances based on historical, factual data.
Control risk is the risk that a misstatement, that could occur in an account balance or class of transactions and that could be material individually or when aggregated with misstatements in other balances or classes, will not be prevented or detected and corrected on a timely basis by the accounting and internal control systems.
Control risk will vary inversely with the level of effectiveness of the internal control structure. However, because of the inherent limitations of any internal control structure (e.g. those due to human error), there will always be some level of control risk within internal control structure.
It is often difficult to distinguish between inherent and control risk because of the close relationship between the two.
Assume, for example, the auditor believes there is a 50 percent inherent risk that inventory is misstated by more than tolerable error because of technological changes that have taken place in the client's industry during the past year. The auditor also concludes that internal accounting controls are sufficiently effective to assign a control risk of 30 percent. Using a portion of the audit risk model, AR = IR X CR X DR, the likelihood of an error occurring is 15 percent (IR X CR = 50% X 30%).
Before an auditor can use a control risk of less than 100 percent, he is required to do two things : evaluate how well a client's internal control system functions and test the system for effectiveness.
Detection risk is the risk that auditor's substantive procedures will not detect a misstatement that exist in an account balance or class of transactions that could be material, individually or when aggregated with misstatements in other balances or classes.
Detection risk is a function of the effectiveness of auditor's audit procedures and how well the auditor apply them. Such risk exists partly because auditor typically examine less than 100% of an entity's transactions (sampling risk) and partly because auditor may select inappropriate audit procedures, apply audit procedures incorrectly, or misinterpret the results of audit procedures.
The level of detection risk that auditor can accept varies inversely with the level of inherent and control risk. The higher the inherent and control risk, the less detection risk that auditor can accept to keep the risk of material misstatement at an acceptably low level.
The less detection risk that auditor can accept, the more reliable of substantive procedures must be.
Using the example discussed in the control risk section, assume there was a detection risk of 20 %. The audit risk is therefore 3 % (IR X CR X DR = 0,50 x 0,30 x 0,20). The auditor can conclude there is a 3 percent risk that inventory is misstated by more than tolerable error. This conclusion is based upon the assumption that the auditor can measure the component risks in a precise manner (Hrd) ***