This blog is written by Mr. Maaz Khan, Associate Audit and Assurance Services. Please read this blog and provide your valued comments.


Audit risk model

Audit risk is the risk (chance) that the auditor reaches an inappropriate (wrong) conclusion on

the area under audit. The audit risk is derived from errors  which are not prevented/detected by entity’s internal controls and are not detected by further audit procedures.

A standard audit risk model is available to help auditors identify and quantify the main elements making up overall audit risk.

1) Inherent risk (IR)

Inherent risk is the risk that items may be misstated because of its inherent characteristics.

Inherent risk may result from either:

The nature of the items themselves. For example, estimated items (Provisions etc) are inherently risky because their measurement depends on an estimate rather than a precise measure.

The nature of the entity and the industry in which it operates. For example, a company in the construction industry operates in a volatile and high-risk environment, and items in its financial statements are more likely to be misstated than items in the financial statements of companies in a more low-risk environment, such as a manufacturer of food and drinks.

Key points regarding inherent risk

When inherent risk is high, this means that there is a high risk of misstatement of an item in the financial statements.

Inherent risk operates independently of controls. It cannot be controlled. The auditor must accept that the risk exists and will not ‘go away’.

 2) Control risk (CR)

Control risk is the risk that a misstatement would not be prevented or detected by the internal control systems that the client has in operation.

Key points regarding control risk

In preparing an audit plan, the auditor needs to make an assessment of control risk for different areas of the audit. Evidence about control risk can be obtained through ‘tests of control’. The initial assumption should be that control risk is very high, and that existing internal controls are insufficient to prevent the risk of material misstatement. However, tests of control may provide sufficient evidence to justify a reduction in the estimated control risk, for the purpose of audit planning.

How to reduce control risk

Control risk can be reduced by improving the quality of internal controls of the entity. However, recommendations to the client about improvements in its internal controls can only affect control risk in the future, not control risk for the financial period that is subject to audit.

3) Detection risk (DR)[The most important one for auditors]

Detection risk is the risk that the audit testing procedures will fail to detect a misstatement in a transaction or in an account balance. For example, if detection risk is 10%, this means that there is a 10% probability that the audit tests will fail to detect a material misstatement.

Key points regarding detection risk

Detection risk can be managed by the auditor in order to control the overall audit risk.

How to reduce detection risk

Detection risk can be lowered by carrying out more tests in the audit. For example, to reduce the detection risk from 10% to 5%, the auditor should carry out more tests.

 Auditor’s Responsibility and audit risk model

In preparing an audit plan, the auditor will usually:

set an overall level of audit risk(AR) which he judges to be acceptable for the particular audit,

assess the levels of inherent risk(IR) and control risk(CR), and then

adjust the level of detection risk in order to achieve the overall required level of risk in the Audit.

Maaz Khan