What is control risk in an audit?

Audit risk is the risk that auditors give a clean opinion on financial statements that contain material misstatement. There are three types of audit risk that lead to auditors providing an inappropriate opinion.

These three types of audit risk include:

  • Inherent risk
  • Control risk
  • Detection risk

Inherent and control risk are the risks of material misstatement arising in the financial statements. These types of audit risk are dependent on the business, transactions and internal control system that the client has in place.

On the other hand, detection risk is the risk that is dependent entirely on the auditors. It is the type of audit risk that occurs when the auditors fail to detect material misstatements in the financial statements.

Inherent Risk

Inherent risk is the risk that financial statements contain material misstatement before consideration of any related controls. This is the first type of audit risk, as it occurs before any internal control is put in place and already exists before any audit work is performed.

Inherent risk is the susceptibility of a transaction or account balance to misstatement. It comes with the business’s transactions and its environment.

Among the three types of audit risk, inherent risk comes directly from the nature of the business itself. For example, if the business is in a high-risk area, the level of inherent risk is also high.

It is related to the complexity and dynamics of the business and its transactions. So, the more complex and dynamic the business is, the higher the inherent risk will be. If a transaction is so complex that it is difficult to calculate, there is a higher chance of misstatement in the calculation than for a transaction that is simple.

For example, a company in the financial service sector that provides derivative products is inherently riskier than a trading company that does not provide such products. This is because a derivative is a type of financial instrument that is generally considered complex in the accounting field.

The inherent risk cannot be reduced as it is related to the nature of the business and transaction itself. Hence, auditors can only assess whether it is high, moderate, or low and plan the audit procedures accordingly so that overall audit risk can be minimized.

Control Risk

Control risk is the risk that the internal control fails to prevent or detect material misstatements in the financial statements. Among the three types of audit risk, control risk is in the middle, as the control is usually put in place to reduce the chance of error or fraud that is inherent in the business and its environment.

In this case, once auditors have assessed that the inherent risk is high, the level of risk of material misstatement can only be reduced if the control risk is low. On the other hand, if both inherent and control risks are high, auditors can only lower detection risk to have an acceptable audit risk.

For example, if a restaurant allows its cashier both to receive cash from customers and to record it in the accounting system, there is a risk that the cashier forgets to record the transactions in the system or records an incorrect amount, which leads to misstatement. This means that the control risk is high.

Auditors need to perform a control risk assessment when obtaining an understanding of the client’s internal controls. In this case, they need to assess whether the controls can prevent or detect material misstatements related to the relevant assertions for each significant account and disclosure.

If auditors believe that the internal controls are effective in preventing or detecting material misstatement, they will perform the test of controls to obtain evidence in supporting the effectiveness of controls before relying on the internal controls.

If the internal controls are strong and the auditors can rely upon them, the audit work can be reduced by lowering the amount of substantive tests. However, if the internal controls are weak, the auditors will have to perform more substantive tests so that the overall audit risk can be minimized.

Detection Risk

Detection risk is the risk that auditors fail to detect a material misstatement that exists in the financial statements. This type of audit risk occurs when the audit procedures performed by the audit team fail to locate an existing material misstatement.

Detection risk could occur due to many factors such as:

  • Improper audit planning
  • Inappropriate audit procedures
  • Improper allocation of staff based on their skills and experience
  • Improper monitoring and supervision of work
  • Improper documentation and handling of problems that arise
  • Not performing regular reviews, neither hot reviews nor cold reviews
  • Staff not competent enough to perform the tasks
  • Lack of professional skepticism when performing the audit work

Unlike inherent risk and control risk, auditors can influence the level of detection risk. For example, if the risk of material misstatement is high, auditors can reduce the level of detection risk by performing more substantive tests or increasing the sample size in the tests of details.

In this case, auditors need to make sure that the level of audit risk is acceptably low. This is so that auditors can minimize the risk of providing a wrong opinion on financial statements.

In summary, the three types of audit risk (inherent risk, control risk, and detection risk) are closely related to each other. Even though inherent risk and control risk are not in the control of auditors, they need to make sure that the level of detection risk is suitable in responding to these types of audit risk so that the overall level of audit risk is acceptably low.


Control risk continues to create confusion in audits. Some auditors assess control risk at less than high when they shouldn't. Others assess control risk at high when it would be better if they did not. The misunderstandings about this risk can result in faulty audits and problems in peer review. In this article, I explain what control risk is and how you can best leverage it to perform quality audits in less time. 

What is control risk? It’s the chance that an entity’s internal controls will not prevent or detect material misstatements in a timely manner. 

Companies develop internal controls to manage inherent risk. The greater the inherent risk, the greater the need for controls.

Audit Risk Model

As we begin this article, think about control risk in the context of the audit risk model:

Audit risk = Inherent risk × Control risk × Detection risk

Recall the client’s risk is made up of inherent risk and control risk. And the remainder, detection risk, is what the auditor controls. Auditors gain an understanding of inherent risk and control risk. Why? To develop their audit plan and lower their detection risk (the risk that the audit will not detect material misstatements). Put more simply, the auditor understands the client’s risk in order to lower her own.

Further Audit Procedures

And how does the auditor reduce detection risk? With further audit procedures. Those include test of controls and substantive procedures (test of details or substantive analytics). 

After the auditor gains an understanding of the entity and its environment, including internal controls, control risk is often assessed at high. Why? Two reasons: one has to do with efficiency and the other with weak internal controls.

Assessing Control Risk at High

Consider the first reason for high control risk assessments: efficiency.

Control risk can be assessed at high, even if—during your walkthroughs— you see that controls are properly designed and in use. But why would you assess this risk at high when controls are okay? 

Let me answer that question with a billing and collection example. 

Risk At High: Efficiency Decision

You can test billing and collection internal controls for effectiveness (assuming your walkthrough reveals appropriate controls). But if this test takes eight hours and a substantive approach takes five hours, which is more efficient? Obviously, the substantive approach. And if you use a fully substantive approach, you must assess control risk at high for all relevant assertions. 

At this point, you may still be thinking, But, Charles, if controls are appropriately designed and implemented, why is control risk high? Because a test of controls is required for control risk assessments below high: the auditor needs a basis (evidence) for the lower assessment. And a walkthrough is not (in most cases) considered a test of controls for effectiveness: it does not provide a sufficient basis for the lower risk assessment. A walkthrough provides an initial impression about controls, but that impression can be wrong. That’s why a test of controls is necessary when control risk is below high, to prove the effectiveness of the control.

In our example above, a substantive approach is more efficient than testing controls. So we plan a substantive approach and assess control risk at high for all relevant assertions. 

Risk at High: Weak Controls

Now, let’s look at the second reason for high control risk assessments: weak internal controls. Here again, allow me to explain by way of example. 

If the billing and collection cycle walkthrough reveals weak internal controls, then control risk is high. Why? Because the controls are not designed appropriately or they are not in use. In other words, they would not prevent or detect a material misstatement. You could test those controls for effectiveness. But why would you? They are ineffective. Consequently, risk has to be high. Why? Again, because there is no basis for the lower risk assessment. (Even if you tested controls, the result would not support a lower risk assessment: the controls are not working.)

If, on the other hand, controls are appropriate, then you might test them (though you are not required to). 

Assessing Control Risk at Less than High

What if, based on your walkthrough, controls are okay, and you believe the test of controls will take four hours while a substantive approach will take eight hours? Then you can test controls for effectiveness. And if the controls are effective, you can assess the risk at less than high. Now you have support for the lower risk assessment.

But what if you test controls for effectiveness and the controls are not working? Then a substantive approach is your only choice. 

Many auditors don’t test controls for this reason: they are afraid the test of controls will prove the controls are ineffective. For example, if you test sixty transactions for the issuance of a purchase order, and seven transactions are without purchase orders, the sample does not support effectiveness. The result: the test of controls is a waste of time. 

Some auditors mistakenly believe they don’t need an understanding of controls because they plan to use a fully substantive audit approach. But is this true?

Fully Substantive Audit Approach

Weak internal controls can result in more substantive procedures, even if you normally use a substantive approach.

Suppose you assess control risk at high for all billing and collection cycle assertions and plan to use a fully substantive approach. Now, consider two scenarios, one where the entity has weak controls, and another where controls are strong.

Billing and Collection Cycle - Weak Controls

Think about a business that has a cash receipt process with few internal controls. Suppose the following is true:

  • Two employees receipt cash  
  • They both work from one cash drawer 
  • The two employees provide receipts to customers, but only if requested
  • They apply the payments to the customer’s accounts, but they also have the ability to adjust (reduce or write off) customer balances 
  • At the end of the day, one of the two employees creates a deposit slip and deposits the money at a local bank (though this is not always done in a timely manner)
  • These same employees also create and send bills to customers 
  • Additionally, they reconcile the related bank account 

Obviously, a segregation of duties problem exists and theft could occur. For example, the clerks could steal money and write off the related receivables. Child’s play. 

Billing and Collection Cycle - Strong Controls

But suppose the owner detects theft and fires the two employees. He does background checks on the replacements. Now the following is true:

  • A separate cash drawer is assigned to each clerk
  • The controller is required to review customer account adjustments on a daily basis (the controller can’t adjust receivable accounts)
  • The cash receipt clerks reconcile their daily activity to a customer receipts report, and the money along with the report is provided to the controller 
  • The controller counts the daily funds received and reconciles the money to the cash receipts report
  • Then the controller creates a deposit slip and provides the funds and deposit slip to a courier
  • Once the deposit is made, the courier gives the bank deposit receipt to the controller
  • A fourth person (that does not handle cash) reconciles the bank statement in a timely manner
  • The monthly customer bills are created and mailed by someone not involved in the receipting process
  • Moreover, the owner reviews a monthly cash receipts report 

Now, let me ask you: would you use the same substantive audit procedures for each of the above scenarios? Hopefully not. The first situation begs for a fraud test. For example, we might test the adjustments to receivables on a sample basis. Why? To ensure the clerks are not writing off customer balances and stealing cash. 

Audit Procedures: Basic and Extended

Basic audit procedures for the billing and collection cycle might include:

  • Test the period-end bank reconciliation
  • Create substantive analytics for receivable balances and revenues
  • Confirm receivable accounts and examine subsequent receipts

We perform these basic procedures whether controls are good or weak. But we would add—when controls are weak and might allow theft—extended substantive procedures such as testing accounts receivable adjustments. 

Do you see how the understanding of controls impacts planning (even when control risk is assessed at high)? If we were unaware of the control weaknesses, we would not plan the needed fraud detection procedures. 

In summary, we need to understand controls even if we plan to use a fully substantive approach, and even if risks are assessed at high for all assertions. More risk means more audit work. 

A Simple Summary

  • Control risk is the probability that an entity’s internal controls will not prevent or detect material misstatements in a timely manner
  • Internal control weaknesses may require a control risk assessment of high
  • Control risk can only be assessed below high when a test of control proves the control to be effective (the test of control provides the basis for the lower risk assessment)
  • If walkthroughs show controls to be appropriately designed and implemented, the auditor can (1) assess control risk at high and use a fully substantive approach, or (2) assess control risk below high and test controls for effectiveness, whichever is most efficient
  • Even if an auditor intends to use a fully substantive approach, walkthroughs are necessary to determine if additional substantive tests are needed; additional substantive procedures may be necessary when material fraud is possible due to internal control weaknesses

See my inherent risk article here

For additional information about risk assessment, see the AICPA's SAS 145, Understanding the Entity and Its Environment and Assessing the Risk of Material Misstatement.  The guidance was issued in October 2021. 
