Audit Risk Considerations
The auditor should plan and perform the audit to obtain reasonable assurance whether the financial statements are free from material misstatement due to error or fraud, in order to provide an appropriate basis for expressing an opinion on the financial statements. Even if the audit opinion states that the financial reports are free of material misstatement, the risk that the financial statements will be materially inaccurate is defined as audit risk.
Material misstatement is one that may affect the economic decision-making of users of financial statements. The main purpose of the financial audit performed by independent auditors is to evaluate whether the financial statements contain any material misstatement that may prevent their fair presentation. Auditors are unlikely to provide an unqualified (or unmodified) audit opinion on the report unless the material misstatement is corrected by the client’s management. As a result, auditors may need to modify their opinion based on the severity of the material misstatement found in the client’s account. In this case, the auditors may give a modified audit opinion such as qualified opinion, adverse opinion or disclaimer of opinion. There are three types of misstatement;
- Factual Misstatement; misstatements about which there is no doubt
- Judgmental Misstatement; differences between the client’s judgment and auditor’s judgment
- Projected Misstatement; the auditor’s best estimate of misstatements in populations, auditors usually make an evaluation of projected misstatements to consider whether further audit testing is appropriate.
Audit Risk Model
An audit risk model is a conceptual tool applied by auditors to evaluate and manage the various risks arising from performing an audit engagement. The tool helps the auditor decide on the types of evidence and how much is needed for each relevant assertion. Audit risk is a function of the risk of material misstatement which exists at the financial statement level and assertion level for all transaction classes, account balances, presentation, and disclosure and detection risk.
Audit Risk = (Inherent Risk x Control Risk)* x Detection Risk
*Risk of Material Misstatement (RMM) = IR x CR
Inherent Risk and Control Risk: Inherent risk and control risk are two of the three parts of the audit risk model, which auditors use to determine the overall risk of an audit. Inherent risks refer to a material misstatement as a result of an omission or an error in the financial statements due to factors other than the failure of control. This is normally higher where a high degree of estimation or judgement is involved. On the other side, Control risk is the chance of a material misstatement in a company’s financial statements because there aren’t any relevant internal controls to mitigate a particular risk or the internal controls in place malfunctioned.
Inherent risk and control risk are related to the company, its environment, and its internal control, and the auditor assesses those risks based on evidence obtained. The auditor assesses inherent risk using information obtained from performing risk assessment procedures and considering the characteristics of the accounts and disclosures in the financial statements. The auditor assesses control risk using evidence obtained from tests of controls and from other sources.
When it comes to difference between inherent risk and control risk, the inherent risk stems from the nature of the business transaction or operation without the implementation of internal controls to mitigate the risk, whereas Control Risk arises because an organization doesn’t have adequate internal controls in place to prevent and detect fraud and error.
Detection Risk: Detection risk is the possibility that an auditor fails to identify material misstatements in the financial statements of a firm and determines that there are no omissions or material errors before the statements are issued even though there are mistakes present.
Audit Risk and Materiality considerations
- Audit risk and materiality should be considered together in designing the nature, extent, and timing of audit procedures and in evaluating the results of those procedures. Consideration of audit risk and materiality are affected by the size and complexity of the entity, as well as the auditor’s experience with and knowledge of the entity, its environment, and its internal control.
- Audit risk and materiality must be considered at both the financial statement level and the account balance, individual transaction class, or disclosure item level.
- There is an inverse relationship between audit risk and materiality. The risk of a very large misstatement may be low, whereas the risk of a small misstatement may be high. Also, the more material a misstatement is, the less likely is that the auditor will not detect it.
- Detection risk can be changed at the auditor’s discretion, whereas control risk and inherent risk exist independently of the financial statement audit, and cannot be changed by the auditor.
Preliminary Audit Strategy
AU-C 300, Planning an Audit, states that the audit strategy; the auditor should establish an overall audit strategy that sets the scope, timing, and direction of the audit and that guides the development of the audit plan. In establishing the overall audit strategy, the auditor should
- identify the characteristics of the engagement
- ascertain the reporting objectives of the engagement
- consider the factors that, in the auditor’s professional judgment
- consider the results of preliminary engagement activities
- ascertain the nature, timing, and extent of resources necessary to perform the engagement
A preliminary strategy is not a detailed description of the audit procedures to be performed during the completion of the audit. Rather, it represents the auditor’s preliminary judgments about an audit approach and is based on specific assumptions about the conduct of the audit.
Inverse relationship of RMM to Detection Risk; if the auditor determines that the risk of material misstatement is high, it means that substantive testing (sample size) will be increasing, thereby reducing detection risk. In the context, with the substantive testing, the risks can be interpreted differently.
The auditor can change the level of detection risk by varying the nature, extent, and timing of audit procedures. When control risk is assessed as at the maximum level, then test of controls is typically not required. But, even when the assessed risk of material misstatement is low, substantive procedures will always be necessary for all relevant assertions.