A practitioner (or simply auditor) performing audit engagement is required to reduce audit risk to such level that is suitable to provide reasonable assurance to the intended users.
By audit risk we mean that probability that auditor express an inappropriate audit opinion when the financial statements are materially misstated i.e. auditor stated that financial statements are giving true and fair view of the business but financial statements were materially misstated.
So we understood that reducing audit risk is vital for auditor.
Now if we can understand that:
- why or how audit risk increases; and
- how auditor reduces audit risk
then we not only understand the meaning of lowering detection risk but also other important connected concepts.
As we understood that presence of material misstatements in the financial statements causes audit risk.
Safeguarding financial statements from material misstatements is the duty of management and those charged with governance and this responsibility is fulfilled by implementing internal control system. The purpose of internal control system is to safeguard against the inherent risk of material misstatements. However, internal control systems are not without limitations and thus the risk is always there that a material misstatement is not prevent or identified and corrected on timely basis by the control system we call it control risk.
Putting this in a sequence we get, inherent risk is controlled by implementing control system. But the risk that even internal control system might not catch the misstatement is control risk. And these two risks i.e. inherent risk and control risk together causes risk of material misstatement. Thus higher the inherent and control risks, higher the risk of material misstatement will be.
Remember, monitoring inherent and control risk is the duty of management and not the auditor.
Being an auditor required to express an opinion, if the financial statements are misstated then he might end up expressing inappropriate opinion. But he cannot control risk of material misstatement by reducing inherent and control risk rather the only option available to him is that he applies his own procedures to detect misstatements to confirm that if there is any misstatement then it must be corrected before auditor issues a clean report otherwise auditor express a qualified or adverse opinion.
Greater the risk of material misstatement, greater the number of detective procedures will be because only by applying more procedures auditor will be sure that there is no material misstatement. But if risk of material misstatement is lower then auditor can relax and may apply lesser detective procedures which also means increased detection risk.
That is why audit risk is defined as the function of risk of material misstatement and detection risk and have inverse relationship.
If you are still unsure how and why lower detection is required in case of increased risk of material misstatement OR how higher detection risk is acceptable if risk of material misstatement is low then consider the following set of diagrams:
In figure 1 above we can see that there was an inherent risk that misstatements A and E might enter the accounting system and distort financial statements but internal control system prevented them from entering or identified and corrected them on timely basis. Although control risk is lower then inherent still it is not low enough to prevent majority of misstatements. Therefore, misstatements B, C and D were not prevented or identified and corrected by internal control system. Therefore, understanding the situation, auditor lowered the detection risk and thus misstatements B and D were detected by the auditor and if same are corrected by the management then audit risk is lowered. One more thing to understand here is the fact that detection risk cannot be eliminated completely by the auditor and some detection risk still exists. Although auditor tries to ensure that no misstatements are left undetected that can amount to material misstatement, but we cannot be certain that is why reasonable assurance is offered and not the absolute assurance.
In figure 2 we can see that although inherent and control risk are equally high, but situation was rightly interpreted by the auditor and as appropriate audit procedures are applied by the auditor, almost all of the misstatements were detected and thus audit risk was significantly reduced. But situation would have been different if detection risk was not lowered which is explained in the following figure.
In figure 3 we can understand that risk of material misstatement (inherent and control risk collectively) was higher but auditor failed to apply appropriate audit procedures and thus failing to reduce detection risk caused the misstatements to go undetected and thus audit risk has increased and most likely auditor will express an inappropriate audit opinion. Inappropriate application of audit procedures include:
- misapplication of audit procedures
- misinterpretation of evidence gathered; and
- inappropriate testing methodology
But increased detection risk might not caused increased audit risk if risk of material misstatement is low which is explained as in the following figure.
Figure 4 presents the situation where entity has implemented an effective internal control system that is able to control majority of the misstatements even if inherent risk is high. Under such situations auditor can relax and can rely on entity’s internal control system. Due to this reliance, auditor will apply lesser detective procedures and due to lesser audit procedures detection risk will be high. But as control system, according to auditor’s expectations, is working fine therefore, audit risk is already at sufficiently low level.