In risk-based audit engagements, understanding the different kinds of risk becomes extremely important. A proper understanding will not only help you differentiate between the kinds of risk but also help you recognize the duties of management and the auditor in a given context and the nature of their responsibilities. Another reason for having a clear understanding of these risks is that they are connected to each other.
Business risk, in simple words, is the risk that the entity might not be able to achieve its objectives and strategic targets. One of the easiest objectives to understand is maximizing profits, but it is not the only objective the entity has to meet. Another important objective is reporting correct information regarding the financial performance, financial position and cash flows of the entity to the users of financial statements. The entity's inability to achieve its objectives may arise due to factors external or internal to the entity. According to International Auditing Standards (ISAs), business risk has been defined as:
A risk resulting from significant conditions, events, circumstances, actions or inactions that could adversely affect an entity’s ability to achieve its objectives and execute its strategies, or from the setting of inappropriate objectives and strategies.
So we understand that business risk may arise due to two reasons:
- Significant conditions that seriously limit the entity's ability to achieve its objectives
- Setting inappropriate objectives
Inherent risk, in simple words, is the risk that problems “inherited” due to conditions adversely affecting the entity could cause material misstatement if they are not controlled. ISAs define inherent risk as:
The susceptibility of an assertion about a class of transaction, account balance or disclosure to a misstatement that could be material, either individually or when aggregated with other misstatements, before consideration of any related controls
The point to note here is that the definition of business risk is of a more general nature, whereas inherent risk is defined in the context of the financial information underlying the financial statements, i.e. inherent risk is connected with financial statements whereas business risk is not. But it is very important to understand that it is business risk that causes inherent risk, which in turn causes the risk of material misstatement if these risks are left uncontrolled.
One important point, mentioned several times now, deserves emphasis: inherent risk may cause material misstatements if no controls are considered, i.e. inherent risks are addressed by implementing an internal control system, and it is the responsibility of management to implement that system. Although the internal control system is implemented to control inherent risks arising out of business risks, even internal controls have limitations, and controls may not be able to counter inherent risks, which may ultimately result in material misstatement. In simple words, the risk that material misstatements due to the inherent problems of the situation (inherent risk) might go unnoticed or not be rectified by the internal control system is called control risk.
Control risk has been defined by ISAs as follows:
The risk that a misstatement that could occur in an assertion about a class of transaction, account balance or disclosure and that could be material, either individually or when aggregated with other misstatements, will not be prevented, or detected and corrected, on a timely basis by the entity’s internal control.
Two things must be remembered regarding control risk:
- Control risk arises due to the inability of the internal control system to counter inherent risk
- The risk is that the internal control system might NOT prevent misstatements (i.e. keep them from affecting financial information), or detect and correct them (any misstatement that exists in the financial information), on a timely basis.
An important point to remember is that the risk of material misstatement arises not only due to inherent risks (arising out of business risk) but also due to the inability of the control system to address such inherent risk, i.e. control risk. In short, the risk of material misstatement is the product of inherent risk and control risk because both of these risks contribute towards the risk of material misstatement.
Therefore, the risk of material misstatement is the product of inherent risk and control risk. If inherent risk and control risk are high, then the risk of material misstatement will be high as well.
But who is responsible for mitigating the risk of material misstatement, including inherent risk and control risk? The answer is simple: the one who is responsible for controlling business risk must also be responsible for managing the risk of material misstatement. It is management that has the responsibility to look after the risk of material misstatement.
Management manages business risk and inherent risk by maintaining the internal control system, where maintenance means making improvements as and when they are necessary so that it operates effectively.
In the midst of all this, the auditor's responsibility is to express an opinion on the financial statements and nothing more than that. The auditor is not responsible for doing anything to reduce any of these risks. But the question arises: if he only has to express an opinion, then why does he assess the risk of material misstatement, and what are risk assessment procedures for?
The auditor gets involved in all this because if the risk of material misstatement is high, then there is a high probability that the auditor will end up expressing an inappropriate opinion.
The risk that the auditor might express an inappropriate audit opinion is called audit risk. An audit opinion is said to be inappropriate when the financial statements were materially misstated but, in the auditor's opinion, the financial statements were giving a true and fair view of the business.
With increased risk of material misstatement, audit risk also increases. In other words, if inherent risk and control risk are high, then audit risk will be high also.
The objective of an audit engagement is to provide reasonable assurance, and this is only possible if audit risk is reduced to an acceptably low level. Because audit risk is connected with the risk of material misstatement, for this reason and this reason only, the auditor assesses the risk of material misstatement. Students must be very clear that the auditor performs risk assessment procedures to conduct an effective audit engagement rather than to provide a service to management.
One important point that must be emphasized here again is that audit risk increases because of increased risk of material misstatement (i.e. increased inherent risk and control risk), but the auditor does not have the authority to reduce inherent risk and control risk in order to reduce audit risk. Therefore, to reduce audit risk he has to use a different channel.
To reduce audit risk, the auditor performs different kinds of audit procedures, which basically serve two purposes:
- Confirm the assessed risk as a result of risk assessment procedures
- Detect material misstatements, if any, in the financial information underlying financial statements by applying substantive procedures
In short, if the risk of material misstatement is expected to be high, the auditor will perform procedures that detect material misstatements, and if a material misstatement is detected, it will confirm the initial assessment. But if the initial assessment was otherwise and later detective procedures find a misstatement, then the auditor will extend his procedures, as a result of which the auditor may revise the level of assessed risk and the resultant procedures.
Although the auditor wishes to apply appropriate substantive procedures to detect misstatements that may amount to the materiality level, there is no absolute assurance that all material misstatements will be detected by the auditor's substantive procedures. This happens because of the inherent limitations of an audit. Because of such limitations, material misstatements may go undetected, and this gives rise to yet another kind of risk, named detection risk. Even if the auditor does his best, he cannot completely eliminate detection risk. ISAs define detection risk as:
The risk that the procedures performed by the auditor to reduce audit risk to an acceptably low level will not detect a misstatement that exists and that could be material, either individually or when aggregated with other misstatements.
Having a clear understanding of each of the risks, how each is connected to the others and, even more importantly, who is responsible for managing which risk, why and to what extent, we can now understand the last important point in this discussion related to the auditor's work.
Simply put, if inherent risk and control risk are high (i.e. the risk of material misstatement is high), then to keep audit risk at an appropriate level, detection risk must be reduced, because only detection risk is controllable by the auditor, and not inherent risk and control risk.