Audit Principles and Practices – DFA 3103

UNIT 5 AUDIT RISK

Unit Structure

5.0 Overview
5.1 Learning Outcomes
5.2 Audit Risk
5.2.1 Damages to Audit Firms
5.3 Relevant Audit Standards
5.4 Components of Total Audit Risk
5.4.1 Inherent Risk
5.4.2 Control Risk
5.4.3 Detection Risk
5.5 The Audit Risk Model
5.6 Limitations of the Audit Risk Model
5.7 Summary
5.8 Activity

5.0 OVERVIEW

Prior to the 1980s, auditors did not have a systematic way that could justify a reduction in
audit testing (test of controls and substantive test) on financial statements even if the
client company had a good internal control system. Auditors had to use their professional
judgement, which could be difficult to justify in a court of law. However, in the mid
1980s, the concept of audit risk was introduced. Audit risk is particularly important in
determining the nature, timing and extent of audit procedures.

Unit 5 1
 Audit Principles and Practices – DFA 3103

5.1 LEARNING OUTCOMES

By the end of this Unit, you should be able to do the following:

1. Define the concept of audit risk.

2. Explain the key terms of audit risk.
3. Define the three components of total audit risk.
4. Describe the main auditing standards affecting the assessment of risk.
5. Describe the significance of the audit risk model.
6. Explain the limitations of the audit risk model.

5.2 AUDIT RISK

According to APB, audit risk is the risk that the auditor gives an inappropriate opinion on
the financial statements of the client company. The term ‘inappropriate opinion’ means
that the auditors state that the financial statements present fairly the financial position of
an entity, when in fact they do not. This may happen when the audit procedures fail to
detect material misstatements in the financial statements of the entity. Audit risk,
therefore, is related to materiality, as it the risk that the auditor comes to an invalid
conclusion, in particular, that either

(a) the audit report is unqualified but subsequently material errors are found
in the financial statements; or
(b) The audit report is qualified but subsequently no material errors are found
in the financial statements.

The audit risk describes in (a) is more likely to occur than in (b) and there is a greater risk
that the auditor being sued for negligence.

Unit 5 2
 Audit Principles and Practices – DFA 3103

5.2.1 Damages to Audit firm

It is in the interest of audit firms to minimise audit risk otherwise they may suffer
damages for giving an audit opinion that is incorrect in some particular.

Damages may be in the form of:

 Monetary damages paid to client as compensation for loss caused due to the
incorrect opinion of the auditor.
 Loss of reputation with the client or business community.

5.3 RELEVANT AUDIT STANDARDS

There are three main audit standards which auditors should consider when dealing with
audit risk, namely,

 IAS 315 Understanding the Entity and its Environment and Assessing
the Risks of Material Misstatement

The standard states that the auditor ‘should obtain an understanding of the entity and its
environment, including its internal control, sufficient to identify and assess the risks of
material misstatement of the financial statements whether due to fraud or error, and
sufficient to design and perform further audit procedures’.

This standard implies that the auditor can never be absolutely sure of any conclusion.
There will be always a risk that the conclusion is incorrect and this is known as audit risk.
The auditor would normally express the audit risk in terms of percentage, say 2 %. The
auditor aims to ensure that there is no more than 2% risk that their opinion on the
financial statements is incorrect. In other words, the auditor is ensuring that he/she is 98%
certain that their opinion on the financial statements is correct.

Unit 5 3
 Audit Principles and Practices – DFA 3103

 ISA 330 The Auditor’s Procedures in Response to Assessed Risk

The standard requires that the auditor ‘perform tests of controls to obtain sufficient
appropriate audit evidence that the controls were operating effectively at relevant times
during the period under audit’. In other words, the auditor should ensure that decisions
and judgement on audit risk are well documented, as the process of risk assessment is a
highly subjective process.

 ISA 500 Audit Evidence

The standard requires that auditors ‘obtain sufficient, appropriate evidence to support the
assessed level of control risk’. This implies that the auditor should gather adequate
reliable and relevant evidence to justify the assessed level of control risk. This will assist
the auditor in designing the appropriate audit programme and thus draw reasonable
conclusions on which to base the audit opinion. The assessment of risk affects the amount
of evidence required.

5.4 COMPONENTS OF TOTAL AUDIT RISK

Total audit risk is the risk of giving an inappropriate opinion when financial statements
are materially misstated. It is composed of three main components, namely:

 Inherent risk
 Control risk
 Detection risk

Unit 5 4
 Audit Principles and Practices – DFA 3103

5.4.1 Inherent Risk (IR)

Inherent risk is the susceptibility of an account balance or class of transaction to material

misstatement, either individually or aggregated, irrespective of related internal controls.
Inherent risk arises from the nature of the entity and its environment and is largely a
matter of observation and measurement.

IR can be assessed on the following:

 Complexity of transactions (stock can be manipulated easily than bank balances).

 The extent the entity is influenced by internal and external factors such as market
forces, cash problems, management attitudes, volatility of the business.

5.4.2 Control Risk

Control risk is the risk that a material misstatement occurs in an account balance or class
of transactions, either individually or aggregated. Control risk is estimated from audit
tests on internal controls in accounting systems. Internal controls are controls which the
company implements to deter and detect fraud and error. The auditor will test a sample of
transactions to determine the control risk. If internal controls are very weak, or non-
existent, the auditor may decide not to test internal controls.

5.4.3 Detection Risk

The risk that the auditor’s substantive procedures will not detect material misstatements
in account balances or classes of transactions. The auditor performs substantive
procedures at the final audit to quantify detection risk. The detection risk is largely under
the control of the audit firm and it is counteract in setting adequate procedures or staff
control systems.

Unit 5 5
 Audit Principles and Practices – DFA 3103

5.5 THE AUDIT RISK MODEL

Risk Model is a tool used to determine the risks associated with different areas of an
organisation. It indicates the risk profile of an audit assignment, for example, low or high
risk. Risk model also allows auditors to quantify the effect of internal controls on the
amount of work carried out in verifying the financial statements.

The audit risk model is based on the fact that audit risk is a function of

 Risk of material misstatement in Financial Statements, i.e., prior to the audit

(Inherent risk and control risk).
 Risk that the auditor will not detect such misstatement (Detection risk).

Audit risk can be expressed by the following equation:

AR = IR * CR * DR
Where: AR = Audit risk
IR = Inherent risk
CR = Control risk
DR = Detection risk

Illustration

At the start of the audit assignment, i.e at the planning stage, the auditor will have:

 Set a value for audit risk

 Estimated the value of inherent risk and
 The control risk will have been quantified from tests on controls

Unit 5 6
 Audit Principles and Practices – DFA 3103

From this, detection risk will be calculated from the other components of audit risk to
achieve the desired level of audit risk. For example, say the auditor has already
determined:

AR = 2%

IR = 90%

CR = 30%

The audit risk equation is:

AR = IR * CR * DR

0.02 = 0.9 * 0.3 * DR

Therefore, DR = 0.074 or 7.4%

Thus, substantive procedures should be designed to be sufficient for there to be no more

than a 7.4 % risk of a material error. This level of confidence will determine the sample
size for the substantive procedures. If errors are found, the number of items checked will
be increased.

5.6 LIMITATIONS OF THE AUDIT RISK MODEL

Some problems with the audit risk model include:

 It appears that there is no way of estimating inherent risk other than using
judgement. Thus, attributing a low value to inherent risk could be dangerous as it
could be impossible to justify in a court of law.

Unit 5 7
 Audit Principles and Practices – DFA 3103

 The value of control risk is based on subjective judgement. It may happen that
control risk does not include all factors which determine the figure in the financial
statements.
 It may be difficult to quantify analytical review risk, i.e., detection risk. This is
because calculating ratios can highlight problems when none exist. For example,
an increase in debtors age indicates there may be more bad and doubtful debts,
but adequate provision may have been made for them. On the contrary, analytical
review can indicate no problems when there are materials errors, for example, a
large bad debt in debtors which is only a month old.
 Dividing the audit risk between accounting systems is difficult. The auditor may
decide to set the overall audit risk at 5 %. The audit work is concerned with
testing accounting systems and verifying balance sheet items. If a 5 % audit risk is
allocated to each accounting system, the overall audit risk will be substantially
more than 5 %. For example, let assume that the five accounting systems in which
material errors could occur are fixed assets, stock, sales/debtors,
purchases/creditors and other systems. Then, a 5 % audit risk is allocated to each
system. However, the risk of material error in each system is not the same.
Therefore, higher risk system should be allowed a higher audit risk, say 5 %, and
lower risk systems should be given a lower audit risk, say 2%.

5.7 SUMMARY

It is important to remember the following:

1. According to APB, audit risk is the risk that the auditor gives an inappropriate
opinion on the financial statements of the client company.
2. The term ‘inappropriate opinion’ means that the auditors state that the financial
statements present fairly the financial position of an entity, when in fact they do
not.

Unit 5 8
 Audit Principles and Practices – DFA 3103

3. It is in the interest of audit firms to minimise audit risk otherwise they may suffer
damages for giving an audit opinion that is incorrect in some particular.
4. Total audit risk is the risk of giving an inappropriate opinion when financial
statements are materially misstated. It is composed of three main components,
namely, inherent risk, control risk and detection risk.
5. Inherent risk arises from the nature of the entity and its environment and is largely
a matter of observation and measurement.
6. Control risk is the risk that a material misstatement occurs in an account balance
or class of transactions, either individually or aggregated, will not be prevented or
detected and corrected by the entity’s internal control systems.
7. The risk that the auditor’s substantive procedures will not detect material
misstatements in account balances or classes of transactions.
8. Risk Model is a tool used to determine the risks associated with different areas of
an organisation. It indicates the risk profile of an audit assignment, for example,
low or high risk.

5.8 ACTIVITY

Question 1

Audit risk and statistical sampling

‘The modern approach to ‘risk-based auditing’ is a most welcome development’.

Required:

(a) Explain what you understand by risk-based auditing.

(b) List FOUR factors which could indicate potential high risk areas on a
particular audit. You should give reasons in your answer.

Unit 5 9
 Audit Principles and Practices – DFA 3103

(c) Explain why there has been an increased use of risk-based auditing
approaches in the last few years and what advantages arise for the auditor
from the adoption of such an approach.

(d) Risk-based auditing is often associated with the use of statistical sampling
techniques in auditing. Explain why the two are associated giving an
illustration of the circumstances when statistical sampling techniques are, and
when they are not, appropriate in this context.

(e) State what you understand by ‘confidence level’ in relation to statistical

sampling.

Unit 5 10