Understanding the Audit Risk Model: A Comprehensive Guide
That being said, detection risk is present even if an auditor is very thorough in their audit process. Detection risk is also an important component of the audit risk model. Detection risk is the risk that the auditors will unintentionally not discover major problems and create a report which paints a good picture of the company. We cannot guarantee that an audit has found all the major problems within the organization. External auditors can often miss major red flags, because they may not even realize how big the problem was or that something wrong was being done.
- Further, there is a risk that even once the proper controls are applied, the auditor did not perform sufficient control testing to determine the adequacy of the design and operating effectiveness of controls (detection risk).
- Control risk is the risk that the client’s internal control cannot prevent or detect a material misstatement that occurs on financial statements.
- The client is said to demonstrate a high control risk of the controls if a specific assertion does not operate effectively or if the auditor deems that testing the internal controls would be an inefficient use of audit resources.
- Also, auditors cannot change or influence inherent risk; hence, the only way to deal with inherent risk is to tick it as high, moderate or low and perform more audit procedures to reduce the level of audit risk.
- The main area where candidates continue to lose marks is that they do not actually understand what audit risk relates to.
In this guide, we’ll break down the audit risk model formula, describe its elements, and give an example of how it works. In conclusion, given the level of the audit risk that the auditor is willing to accept, detection risk is determined by the auditor after taking into consideration of the inherent and control risks. Though this model seems simple enough, the problem is how to derive the inputs to the model. It is not possible to quantify any of the inputs to the planned level of detection risk – which means that the 9% planned level of detection risk noted in the preceding example could have been half that amount or double it simply by changing an estimate. Another concern is that, since every input to the equation is subjective, how can we realistically expect to multiply and divide them? In essence, we are attempting to apply mathematical concepts to opinions.
Risk of Material Misstatement
Inherent risk is generally considered to be higher where a high degree of judgment and estimation is involved or where transactions of the entity are highly complex. Before continuing, we need to understand the various risks included in the model. This document is unique and important because it provides up-to-date information to stakeholders. Similarly, business owners can address areas for improvement since the income statement brings attention to them.
Therefore, we’ll set detection risk as low and spend more time performing audit procedures to determine that the inventory stated on the balance sheet actually exists. Audit risk is the risk that auditors will issue the wrong opinion on the financial statements. For example, this would occur if an auditor issues an unqualified opinion (saying audit risk model the financial statements are materially correct) when the financial statements are materially misstated. Although the formula is written like a mathematical equation, it’s not able to be objectively assessed. Instead, auditors use their professional judgement, experience and research to determine the levels of each type of risk.
The Human Element in Audits
In addition, candidates’ must ensure that they do not provide impractical responses. A common example of this is to request directly from the company’s bank as to whether the bank will provide a loan or renew a bank overdraft. The bank is not going to provide this type of information to the auditor, especially if they have not yet informed the company, and therefore this response will not generate any marks. These three risks are multiplied together to calculate overall audit risk, or the risk of an auditor drawing inaccurate conclusions. The three types of audit risk included in the equation are expanded upon below. Inherent risk is based on factors that ultimately affect many accounts or are peculiar to a specific assertion.
For example, if the level of inherent and control risk is low, auditors can make an appropriate judgment that the level of audit risk can be still acceptably low even though the detection risk can be a bit high. This means auditors can reduce their substantive works and the risk is still acceptably low. On the other hand, if auditors believe that the client’s internal control is week and ineffective, they will tick the control risk as high.
Audit risk and business risk
Inherent risk is also more likely when the transactions in which a client engages are highly complex, and so are more likely to be completed or recorded incorrectly. Finally, this risk is present when a client engages in non-routine transactions for which it has no procedures or controls, thereby making it easier for employees to complete them incorrectly. Inherent risk is the auditor’s assessment of the susceptibility to material misstatement of an assertion about a transaction class, an account balance, or an attached disclosure, quoted individually or an aggregation.