Audit risk assessment is the cornerstone of a risk-based audit approach. It determines where auditors focus their attention and how much testing is required.
The Audit Risk Model
Audit risk is the risk that the auditor expresses an inappropriate opinion. It's composed of:
Audit Risk = Inherent Risk × Control Risk × Detection Risk
Inherent Risk
- Risk of misstatement before considering controls
- Influenced by: complexity, estimation, management bias
- Higher for: unusual transactions, complex calculations, subjective judgments
Control Risk
- Risk that internal controls fail to prevent or detect misstatement
- Assessed through understanding and testing of controls
- Higher when: controls are weak, informal, or untested
Detection Risk
- Risk that audit procedures fail to detect a misstatement
- The only component auditors directly control
- Managed through: nature, timing, and extent of procedures
Risk Assessment Process
1. Understanding the Entity
- Industry and regulatory environment
- Nature of the entity and its operations
- Accounting policies and financial reporting
- Internal control system
2. Identifying Risks
- Significant accounts and disclosures
- Fraud risk factors (pressure, opportunity, rationalization)
- Related party transactions
- Going concern indicators
3. Evaluating Risks
- Assess likelihood and magnitude
- Classify as significant or not
- Determine if risks require special audit consideration
- Document risk assessment conclusions
4. Responding to Risks
- Design audit procedures responsive to identified risks
- Determine appropriate staffing and supervision
- Apply professional skepticism throughout
- Adjust scope as new information emerges
Fraud Risk Assessment
Auditors must specifically assess fraud risk:
- Revenue recognition: Presumed fraud risk in most audits
- Management override of controls: Always a significant risk
- Asset misappropriation: Theft and embezzlement risks
- Financial reporting fraud: Intentional misstatement
Documentation Requirements
Risk assessment must be documented in:
- Planning memorandum
- Risk assessment workpapers
- Linkage to audit program procedures
- Summary of identified significant risks