Audit risk is the risk that the auditor gives an inappropriate opinion of the financial statements.
Audit risk = Inherent risk × Control risk × Detection risk
Audit risk consists of 3 components: inherent risk, control risk and detection risk
1. Inherent risk — the susceptibility of an assertion about a class of transaction, account balance or disclosure to a misstatement that could be material before consideration of any related controls.
Inherent risk can be considered at two levels: (1) entity level; (2) account balance level.
At entity level
The auditor needs to consider that there are certain aspects of the company that make it likely that misstatements will occur in the financial statements. This will include factors largely outside the control of the company and factors within the control of the company.
At balance level
Risk factors will include the complexity involved in accounting for an item in financial statements.
2.Control risk — the risk that could occur in an account balance or class of transactions which would not be prevented or detected and corrected on a timely basis by the accounting and internal control systems.
Control risk could be considered at two levels: general level and specific level.
General level: control environment
It refers to management’s awareness, attitude and action towards risk, the company’s organizational structure, the existence of a budgetary system and the existence of an internal audit department would also be factors the a consideration of the control environment.
Specific level: control procedures
The auditor will also consider the control procedures which are specific procedures established in the internal control system to prevent and detect errors and misstatements in the financial statements.
3. Detection risk — the risk that substantive procedures do not detect a misstatement that exists in an account balance or class of transactions.
As a matter of course, the auditor will carry out substantive tests in the form of analytical review or detailed tests of transactions and balances. In order to decide how much of this type of testing to carry out, the auditor needs to determine how much detection risk he is willing to live and ultimately to reduced audit risk to an acceptable level.