Audit Risk


What is Audit Risk?

Audit risk (also referred to as residual risk) refers to the risk that an auditor may issue an unqualified report due to the auditor’s failure to detect material misstatement either due to error or fraud.

Audit risk is the risk that an auditor will not detect errors or fraud while examining the financial statements of a client. Auditors can increase the number of audit procedures in order to reduce the level of audit risk. Reducing audit risk to a modest level is a key part of the audit function, since the users of financial statements are relying upon the assurances of auditors when they read the financial statements of an organization.

What Does Audit Risk Mean?

Audit risk is the risk that financial statements are materially incorrect, even though the audit opinion states that the financial reports are free of any material misstatements. The purpose of an audit is to reduce the audit risk to an appropriately low level through adequate testing and sufficient evidence. Because creditors, investors, and other stakeholders rely on the financial statements, audit risk may carry legal liability for a CPA firm performing audit work.

Over the course of an audit, an auditor makes inquiries and performs tests on the general ledger and supporting documentation. If any errors are caught during the testing, the auditor requests that management propose correcting journal entries. At the conclusion of an audit, after any corrections are posted, an auditor provides a written opinion as to whether the financial statements are free of material misstatement. Auditing firms carry malpractice insurance to manage audit risk and the potential legal liability.

Significance of Audit Risk

Low audit risk is significant as auditors can’t verify every transaction.

The auditors generally focus on main risk areas, for example, understated costs or overstated revenues, where errors may lead to material misstatements on the financial statements.

Moreover, auditing standards require auditors to plan and perform audits with professional skepticism, as there is always a possibility of the financial statements being materially misstated.

Audit Risk at the Financial Statement and Account Balance Levels

The auditor specifies an overall audit risk level to be achieved for the financial statements taken as a whole.

Generally, that same level applies to each account balance and all related assertions.

Currently, if an auditor were to use different audit risk levels for different accounts and assertions there would be no generally accepted way of combining the results to determine the achieved overall audit risk level for the financial statements as a whole.

In contrast, the assessed levels of inherent and control risk, and the acceptable level of detection risk can vary for each account and assertion.

The auditor does not control the levels of inherent and control risk and intentionally varies the acceptable level of detection risk inversely with the assessed levels of the other risk components to hold audit risk constant.

Thus, expressions of the levels of inherent, control and detection risk pertain to individual assertions at the account balance level, not to the financial statements taken as a whole.

Types of Audit Risk

This risk is composed of:

  • Inherent risk (IR), the risk involved in the nature of business or transaction. For example, transactions involving exchange of cash may have higher IR than transactions involving settlement by cheques. The term inherent risk may have other definitions in other contexts;
  • Control risk (CR), the risk that a misstatement may not be prevented or detected and corrected due to weakness in the entity’s internal control mechanism. For example, control risk assessment may be higher in an entity where separation of duties is not well defined; and
  • Detection risk (DR), the probability that the auditing procedures may fail to detect existence of a material error or fraud. Detection risk may be due to sampling error or non-sampling error.

Audit risk can be calculated as:

AR = IR × CR × DR

Inherent Risk

Inherent Risk is the risk of a material misstatement in the financial statements arising due to error or omission as a result of factors other than the failure of controls (factors that may cause a misstatement due to absence or lapse of controls are considered separately in the assessment of control risk).

Inherent risk is generally considered to be higher where a high degree of judgment and estimation is involved or where transactions of the entity are highly complex.

For example, the inherent risk in the audit of a newly formed financial institution which has a significant trade and exposure in complex derivative instruments may be considered to be significantly higher as compared to the audit of a well established manufacturing concern operating in a relatively stable competitive environment.

Control Risk

Control Risk is the risk of a material misstatement in the financial statements arising due to absence or failure in the operation of relevant controls of the entity.

Organizations must have adequate internal controls in place to prevent and detect instances of fraud and error. Control risk is considered to be high where the audit entity does not have adequate internal controls to prevent and detect instances of fraud and error in the financial statements.

Assessment of control risk may be higher for example in case of a small sized entity in which segregation of duties is not well defined and the financial statements are prepared by individuals who do not have the necessary technical knowledge of accounting and finance.

Detection Risk

Detection Risk is the risk that the auditors fail to detect a material misstatement in the financial statements.

An auditor must apply audit procedures to detect material misstatements in the financial statements whether due to fraud or error. Misapplication or omission of critical audit procedures may result in a material misstatement remaining undetected by the auditor. Some detection risk is always present due to the inherent limitations of the audit such as the use of sampling for the selection of transactions.

Detection risk can be reduced by auditors by increasing the number of sampled transactions for detailed testing.

Relationships among the Audit Risk Components

For a specified level of audit risk, there is an inverse relationship between the assessed levels of inherent and control risks for an assertion and the level of detection risk that the auditor can accept for that assertion.

Thus, the lower the assessments of inherent and control risks, the higher is the acceptable level of detection risk. Inherent and control risks relate to the client’s circumstances, whereas detection risk is controllable by the auditor.

Accordingly, the auditor controls audit risk by adjusting detection risk according to the assessed levels of inherent and control risks.

In relating the components of audit risk, the auditor may express each component in quantitative terms, such as percentages, or non-quantitative terms, such as very low, low, moderate, high, and maximum.

In either case, an understanding of the relationship expressed in the audit risk model is essential in determining the planned acceptable level of detection risk.

How Do Auditors Use the Audit Risk Model?

The auditors' goal is to reduce overall audit risk to an acceptable level. To do that, they first assess the level of each component risk of the model. The risk values are not readily quantifiable, though, and auditors use professional judgement to assess the risks. This means that the above equation is not typically used to calculate risks the way other mathematical equations are normally used. The auditors will nevertheless assess the risk values in some form, often by descriptive means.

The auditors then use the model to establish the relationship between the risks and take action to reduce overall audit risk to an acceptable level.

The risk of material misstatement is under the control of management of the company and the auditor can only directly manipulate detection risk. So, if their assessment of the risk of material misstatement and audit risk is high, they must reduce the detection risk in order to contain overall audit risk within an acceptable level.

Detection risk can be manipulated by various means, some of them being changing the composition of the engagement team, changing the types of procedures and changing the duration of audit work. For example, detection risk and thus audit risk is normally reduced when more skilled personnel are assigned to the engagement team, when larger sample sizes are selected, or when substantive tests of details are performed instead of analytical procedures.

Assessing the Audit Risk

The audit risk model is used by the auditors to manage the overall risk of an audit engagement.

Auditors proceed by examining the inherent and control risks of an audit engagement while gaining an understanding of the entity and its environment.

Detection risk forms the residual risk after taking into consideration the inherent and control risks of the audit engagement and the overall audit risk that the auditor is willing to accept.

Where the auditor’s assessment of inherent and control risk is high, the detection risk is set at a lower level to keep the audit risk at an acceptable level.

Lower detection risk may be achieved by increasing the sample size for audit testing.

Conversely, where the auditor believes the inherent and control risks of the engagement to be low, detection risk is allowed to be set at a relatively higher level.

A Closer Look at Acceptable Audit Risk

The acceptable level of audit risk often depends on the type of client. For example, auditors will choose a lower level for public companies over private companies because more users depend on the financial statements of publicly-listed companies. However, there are other factors that also affect how an auditor sets audit risk for an engagement:

  • Reliance by external users: The more external users are likely to rely on the audit information, the lower the acceptable level of audit risk.
  • Likelihood of financial failure: The higher the risk of the company experiencing financial failure, the lower the acceptable level of audit risk.
  • Integrity of management: The more questionable the integrity/honesty of management, the lower the acceptable level of audit risk.


ABC Company produces cutting-edge environmentally friendly machines. ABC Company recently commercialized its newly developed product and is amortizing it over 50 years. The company financed its new manufacturing facility by issuing convertible debentures, and expects to complete an IPO in the future. The financial controller recently obtained his CPA. All management personnel are given stock options, as well as bonuses based on the company’s bottom line net income.

Some factors to consider:

  • New convertible debentures and a potential future IPO mean more external users. Therefore, the acceptable level of audit risk should be lowered.
  • Cutting-edge technology that is unproven may suggest a potential financial failure issue.
  • The financial controller is newly-trained and likely inexperienced, which makes for a higher level of inherent risk.
  • Stock option accounting can be difficult to perform adequately when the stock experiences high volatility.
  • The nature of the business seems to be risky because of the high-tech products the company deals in – there may be potential for inventory valuation issues.
  • The amortization period is subjectively chosen. Therefore, it may or may not accurately reflect the useful life of the asset.
  • Public companies are subject to more regulatory requirements than private companies are, which also poses a higher level of inherent risk.

How to Minimise Audit Risk?

  • Having a strong Audit team that has sufficient knowledge of the business and transactions involved.
  • Sufficient time is provided to the team to analyze financials.
  • Ensuring strong engagement with the management of the client firm to understand business philosophy and practices.
  • Ensuring proper and adequate sampling techniques.
  • Accurate assessment of the client's internal control systems to know whether the control is strong or weak.
  • Proper audit planning and selection of audit procedures.