Елисиченко О.А.

Донецкий национальный университет экономики и торговли имени Михаила Туган-Барановского

Audit risk

 

     Audit risk is a term that is commonly used in relation to the audit of the financial statements of an entity. The primary objective of such an audit is to provide an opinion as to whether or not the financial statements under audit present fairly the financial position, profit/loss and cash flows of the entity. Audit risk is the risk of the auditor providing an inappropriate opinion on the financial statements, particularly when those financial statements contain a material misstatement. Of less concern is the situation where the auditor states that the financial statements do not meet the standard of fair presentation, when in fact they do.

     Audit risk is assessed during the planning phase of the audit, and is a very important activity, as the testing to be performed during the next phase of the audit is determined in response to the risk assessment. Note that, at this stage, the auditor has not yet done any testing, so his assessment of risk is essentially a provisional one. During the testing phase, after testing the entity's control system, the auditor has to consider if the control system is better or worse than expected during the planning phase, and adjust his testing accordingly.

     Having said the above, there are indications that the large auditing firms are shifting elements of the risk assessment into the preliminary engagement phase of the audit (formerly referred to as the pre-engagement phase), which refers to the phase where work is done prior to entering into a contract with the then still prospective audit client. Firms are doing this to avoid involvement with clients that may cause them reputation damage.

     Risk is supposed to be assessed at two levels, being the financial statement level and the assertion level. Risk at financial statement level refers to a risk factor that can produce a misstatement in any one of a number of assertions, like the management of the entity being dishonest or incompetent. Risk at assertion level refers to a risk factor that makes a misstatement of a specific assertion more likely.

     A contentious matter in this regard is the interplay between the determination of materiality and risk assessment during the planning phase. Some sources state that risk should be assessed before the determination of materiality, but the argument that materiality should be determined before the risk assessment makes more sense; for the simple reason that the definition of audit risk includes a reference to material misstatement. Hence, if the auditor has not yet determined materiality, he will not be able to do a meaningful risk assessment.

 

     The audit risk formula

     Audit Risk = Inherent Risk x Control Risk x Detection Risk

     The purpose of this equation is to calculate detection risk, which then indicates to the auditor how much substantive testing he has to do to arrive at the acceptable audit risk. This is explained below in more detail.

     Inherent risk represents the auditor's assessment that there may be a material misstatement relating to an assertion in the financial statements under audit, without taking the effectiveness of the related internal controls into account. If the auditor concludes that there is a high likelihood of such a misstatement, ignoring internal controls, he would assess the inherent risk as being high. An example of inherent risk: the valuation of inventory is inherently more risky when the type of inventory is difficult to value due to its nature, so the valuation of diamonds are inherently much more risky than, say, tennis balls. Internal controls are ignored during the assessment of inherent risk because they are considered when assessing another component of audit risk, namely control risk. The assessment of inherent risk (and also control risk) is an exercise that requires professional judgement on the part of the auditor. Hence, two auditors assessing the same company may assess the inherent and control risks differently, but it is to be expected that their assessments should be in the same vicinity. Auditors express their risk assessment in one of two ways (and this goes for all the components of the risk formula): as a percentage, or described as low, medium or high.

     Control risk represents the auditor's assessment of the likelihood that a material misstatement relating to an assertion in the financial statements will not be detected and corrected, on a timely basis, by the client's internal control system. To return to the example of an entity having an inventory of diamonds, which is inherently risky in terms of valuation: if the entity has competent, experienced valuers valuing its inventory, the control risk will be lower as compared to a situation where incompetent people are tasked with performing that function. The product of inherent risk and control risk is referred to as the Risk of Material Misstatement, and represents the risk that the auditor adequately has to respond to when doing substantive testing. It is permissible to do a combined assessment of inherent and control risk, instead of formally separating the two components as done above.

     Detection risk is defined as the likelihood that a material misstatement relating to an assertion will be not detected by the auditor's substantive testing. It is important to note that the detection risk indicates the detection risk that the auditor is willing to "live with", given the acceptable audit risk and his assessment of inherent and control risk. This means that if the detection risk is high, the auditor is willing to accept a high detection risk, and will do less substantive testing as compared to a situation where the detection risk is lower.