CA Kamal Garg
In very broad terms, audit risk is the risk of a material misstatement of a financial statement item that is or should be included in the audited financial statements of an entity. In this regard, a financial statement item includes any related notes to the financial statements.
In theory, audit risk ranges anywhere from zero (0.0), where there is complete certainty of no material misstatement, to one (1.0), where there is complete certainty of a material misstatement. In practice, however, audit risk is always greater than zero. There is always some risk of material misstatement as it is not possible, (except for the audit of the simplest of financial statements), due to the limitations inherent in both accounting and auditing, to be absolutely certain a material misstatement will not exist. The present article discussed the Audit Risk Model along with the guidance on the same issued by the Institute of Chartered Accountants of India (ICAI) in the form of Engagement and Quality Control Standards on Risk Assessment and Internal Control.
COMPONENTS OF AUDIT RISK
Audit risk [AR] may be initially decomposed into two components:
Thus, if there was a 50% risk of a material misstatement in a financial statement item in the unaudited financial statements and a probability of 80% that the misstatement would be detected by the auditor, audit risk, or the risk of a material misstatement in the audited financial statements would be equal to 10%. i.e.
AR = RMM x (1 – Pr(Da)) = 0.5 x ( 1 – 0.8) = 0.10
The risk of material misstatement in the unaudited financial statement [RMM] may be decomposed as follows:
Thus, substituting the two components of RMM, audit risk can be mathematically defined as follows:
AR = RMMi x (1 – Pr(De)) x (1 – Pr(Da))
Thus, if there was:
audit risk, or the risk of a material misstatement in the audited financial statements would be equal to 33.6%. i.e.
AR = RMMi x (1 – Pr(De)) x (1 – Pr(Da))= 0.8 x ( 1 – 0.3) x (1 – 0.4) = 0.336
Audit risk model
The three components of audit risk (RMMi, 1 – Pr(De), and 1 – Pr(Da)), are referred to respectively as inherent risk [IR], control risk [CR] and detection risk [DR]. This gives rise to the audit risk model of:
AR = IR x CR x DR, where
In practice, however, auditors evaluate risk components using terms such as LOW, MODERATE or HIGH rather than using precise probabilities.
Concepts of audit risk
Before evaluating audit risk or its components, auditors first determine what they consider to be a material misstatement. Obviously, the likelihood of a material misstatement appearing in the audited financial statements of an entity depends on the value of a material misstatement: the lower the value, the greater the likelihood. It is only after determining the value of reporting materiality that an auditor is able to evaluate whether audit risk is, for example, LOW, MODERATE or HIGH. This is referred to in more detail below.
There are two distinct concepts of audit risk – the acceptable level of audit risk and the achievable level of audit risk. The acceptable level of audit risk [AR*] is the risk of a material financial statement misstatement that is acceptable to the auditor. The achievable level of audit risk [AR] is the risk the audited financial statements will contain a material misstatement. (AR is an ex ante concept and thus it is referred to as the achievable level of risk rather than an ex post concept of an achieved level of risk).
The acceptable level of audit risk [AR*] is estimated by reference to the expected reliance on the audited financial statements. The greater the expected reliance, the lower is the acceptable level of audit risk. The achievable level of audit risk [AR] is estimated by reference to the ex ante value of the components of the audit risk model. That is, the estimated values of inherent, control and (the achievable level of) detection risks. The aim of an auditor is to achieve an acceptable level of audit risk; to achieve a level of audit risk that is acceptable to the auditor.
There are similarly two concepts of detection risk – the allowable level of detection risk and the achievable level of detection risk. The allowable level of detection risk [DR*] is the maximum level of detection risk an auditor can allow to occur. On the other hand, the achievable level of detection risk [DR] is, broadly, the risk that a material misstatement in the unaudited information will not be detected by the auditor, (Again, DR is an ex ante concept and thus it is referred to as the achievable level of risk rather than an ex post concept of an achieved level of risk).
The allowable level of detection risk [DR*] is estimated by reference to specified levels of audit risk, inherent risk and control risk. The greater the acceptable level of audit risk, and the lower the inherent and control risk, then the greater is the allowable level of detection risk. The achievable level of detection risk [DR] is based on such factors as the auditor’s independence and ability. The lesser the independence and ability of the auditor, the greater is the level of detection risk that can be achieved (i.e. the greater is the risk that the auditor will not detect a material misstatement).
RISK ASSESSMENT AND INTERNAL CONTROL
Accounting system refers to the series of tasks and records of an entity by which transactions are processed as a means of maintaining final records. The auditor should obtain an understanding of the accounting system sufficient to identify and understand major classes of transactions, manner of initiation of transactions, significant accounting records, supporting documents and specific accounts in the financial statements and the accounting and financial reporting process. Internal Control System refers to all the policies and procedures adopted by the management of the entity to assist in achieving management’s objective ensuring the orderly and efficient conducting the business, the accuracy and completeness of accounting records, the timely preparation of financial information, safeguarding of assets of enterprise and defection of fraud and error in a timely manner.
The objectives of internal control can only be reasonably, and not absolutely, achieved due to the following limitations inherent in the system:
(i) Management’s concern about the operating system;
(ii) Transactions of unusual nature may be missed by most controls;
(iii) Potential of human error;
(iv) Circumvention of controls through collusion;
(v) Abuse of control by the person who is himself responsible for exercising it;
(vi) Inadequacy of procedures due to changes in conditions; and
(vii) Manipulations by management.
Inherent Risk – Inherent risk is the susceptibility of an account balance or class of transaction to a material misstatement either individually or when aggregated with misstatements of other balances or classes, assuming that there were no internal controls. The auditor should study and evaluate the degree of inherent risk in order to determine the audit plan. He should also consider other factors, which might compensate for an otherwise high degree of inherent risk. Some of these factors are: –
At the level of financial statements
At the level of account balance and class of transactions
Control Risk – Control risk is the risk that misstatements could occur in an account balance or class of transaction and that could be material, either individually or when aggregated with other misstatements, will not be prevented or detected and corrected on a timely basis by the accounting and internal control system.
Steps in the Assessment of Risks Control
Preliminary Assessment of Control Risk
In order to make a preliminary assessment of the control risk, the auditor should obtain an understanding of the accounting system and related internal controls. This may be done by supplementing his knowledge gained through previous experience with the entity with
Test of Controls
Tests of controls are performed by an auditor to obtain audit evidence about the effectiveness of the following:
Test of control may include the following procedures:
Final assessment of control risk
On the basis of the results of the test of control the auditor should evaluate whether the preliminary assessment of control risk was correct or do they need to be revised. He should accordingly determine any modification in the nature; timing and extent of audit procedures.
Detection Risk – Detection risk is the risk that an auditor’s substantive procedures will not detect a misstatement that exists in an account balance or class of transactions that could be material, either individually or when aggregated with misstatements in other balances or classes. The auditor should consider the assessed levels of inherent and control risks in determining the, nature, timing and extent of substantive procedures required to reduce audit risk to an acceptably low level. There is an inverse relationship between detection risks and the combined level of inherent and control risks. Thus when inherent and control risks are high, acceptable detection risk should be low to reduce the audit risk to an acceptably low level.
Any internal weakness in the inherent control noticed by the auditor during the course of his evaluation or audit procedures should be communicated to the management. While communicating it should be made clear that the audit examination had not been designed to determine the adequacy of internal controls.
The Internal Control System comprises of –
The Control Environment – It refers to the overall attitude, awareness and actions of the directors and management regarding the internal control system and its importance in the entity. The control environment has an effect on the specific control procedures and provides the background against which other controls are operated. The internal control environment may be affected by the following factors
Control Procedures – Control procedures are those policies and procedures in addition to the control environment, established by the management to achieve entity’s specific objectives. These procedures include the following:
The relationship between different components of audit risks is given in the following table:
|Auditors’ assessment of control risk|
|Auditors’ assessment of inherent risk||High||Lowest||Lower||Medium|
The shaded areas in this table relate to detection risk.
The auditor should make a combined assessment of the inherent and control risks. This is because the management often reacts to inherent risk situations by designing suitable accounting and internal control system to prevent or detect and correct material misstatement. The higher the assessment of inherent and control risks, the more audit evidence the auditor should obtain from the performance of substantive procedures.
There is an inverse relationship between detection risks and the combined level of inherent and control risks. For example, when inherent and control risks are high, acceptable levels of detection risk need to be low to reduce audit risk to an acceptably low level. On the other hand, when inherent and control risks are low, an auditor can accept a higher detection risk and still reduce audit risk to an acceptably low level.
Compiled by CA Kamal Garg, a Fellow Member of ICAI. He is engaged in IFRS – Audit and Advisory, FEMA, Valuation and XBRL Services. He can be approached at firstname.lastname@example.org, 9811054015