In the IAASB auditing standards, the term audit risk is defined as:
The risk that auditor expresses an inappropriate audit opinion when the financial statements are materially misstated. Audit risk is a function of risk of material misstatement and detection risk.
In simple words, audit risk is the risk that the auditor expresses an opinion that the financial statements give a true and fair view when in fact they do not, because a material misstatement exists.
Audit risk is the primary risk that the auditor faces in an audit engagement, and he has to reduce it to an acceptable level.
The last sentence of the definition explains how audit risk may increase. Audit risk is a function of the risk of material misstatement and detection risk, which can be written in mathematical form as follows:
Audit risk = Risk of material misstatement x Detection Risk
From this equation we can understand that audit risk will increase if either the risk of material misstatement or detection risk increases. To reduce audit risk, one has to reduce either the risk of material misstatement or detection risk. Which risk the auditor can reduce and which he cannot depends on who is responsible for each risk. We will discuss that later, but let’s first have a brief look at each type of risk.
The risk of material misstatement is simply the risk that the financial statements might be misstated, and it can be further divided into two components:
- Inherent risk
- Control risk
Detection risk is the risk that the auditor’s procedures will not detect material misstatements in the financial statements, so that audit risk may not be reduced to an acceptably low level.
Now let’s understand who is responsible for what risk.
It is the duty of the entity’s management to prevent material misstatements from entering the financial information. This is done by installing an internal control system. The purpose of the internal control system is to safeguard the entity against inherent risks. However, even an internal control system can have deficiencies and might be unable to prevent, detect and correct material misstatements. This is control risk. Again, it is the duty of management to maintain the internal control system so that the risk of material misstatement can be reduced.
The auditor expresses his opinion on the financial statements, which are based on the financial information. If the internal control system is not working effectively (control risk), the financial information may contain material misstatements, and if such misstatements are not detected by the auditor during his audit procedures (detection risk), he might end up expressing the wrong opinion (audit risk).
So we have seen that it is management who is responsible for reducing the risk of material misstatement (both inherent and control risks), whereas the auditor is responsible for detection risk and, in the end, audit risk. As the auditor has to reduce audit risk, the best thing he can do is reduce detection risk, which in simple words means that his examination of the financial information will be stricter and more detailed. Simply put, the auditor reduces audit risk by reducing detection risk.
If the auditor expresses an opinion that the financial statements are materially misstated when in fact they are not, it is NOT an audit risk.
Author’s recommended readings:
- What is Inherent risk?
- What is the difference between Inherent Risk and Business Risk and implications of these two in auditing?