In theory, audit risk ranges anywhere from zero (0.0), where there is complete certainty of no material misstatement, to one (1.0), where there is complete certainty of a material misstatement. In practice, however, audit risk is always greater than zero. There is always some risk of material misstatement as it is not possible, (except for the audit of the simplest of financial statements), due to the limitations inherent in both accounting and auditing, to be absolutely certain a material misstatement will not exist.
Thus, if there was a 50% risk of a material misstatement in a financial statement item in the unaudited financial statements and a probability of 80% that the misstatement would be detected by the auditor, audit risk, or the risk of a material misstatement in the audited financial statements would be equal to 10%. i.e.
AR = RMM x (1 - Pr(Da))
= 0.5 x ( 1 - 0.8) = 0.10
The risk of material misstatement in the unaudited financial statement [RMM] may be decomposed as follows:
Thus, substituting the two components of RMM, audit risk can be mathematically defined as follows:
AR = RMMi x (1 - Pr(De)) x (1 - Pr(Da))
Thus, if there was:
audit risk, or the risk of a material misstatement in the audited financial statements would be equal to 33.6%. i.e.
AR = RMMi x (1 - Pr(De)) x (1 - Pr(Da))
= 0.8 x ( 1 - 0.3) x (1 - 0.4) = 0.336
AR = IR x CR x DR, where
The product of inherent and control risk (i.e. IR x CR) is referred to as the risk of material misstatement and in the above example is equal to 56%. In practice, however, auditors evaluate risk components using terms such as LOW, MODERATE or HIGH rather than using precise probabilities.
Note there are a number of significant limitations [fn] to this model which need to be borne in mind when the model is applied in practical situations.
Before evaluating audit risk or its components, auditors first determine what they consider to be a material misstatement. Obviously, the likelihood of a material misstatement appearing in the audited financial statements of an entity depends on the value of a material misstatement: the lower the value, the greater the likelihood. It is only after determining the value of reporting materiality that an auditor is able to evaluate whether audit risk is, for example, LOW, MODERATE or HIGH. This is referred to in more detail below.
There are two distinct concepts of audit risk - the acceptable level of audit risk and the achievable level of audit risk. The acceptable level of audit risk [AR*] is the risk of a material financial statement misstatement that is acceptable to the auditor. The achievable level of audit risk [AR] is the risk the audited financial statements will contain a material misstatement. (AR is an ex ante concept and thus it is referred to as the achievable level of risk rather than an ex post concept of an achieved level of risk).
The acceptable audit risk [AR*] is estimated by reference to the expected reliance on the audited financial statements. The greater the expected reliance, the lower is the acceptable level of audit risk. The achievable audit risk [AR] is estimated by reference to the ex ante value of the components of the audit risk model. That is, the estimated achievable values of inherent, control and detection risks. The aim of an auditor is to achieve an acceptable level of audit risk; to achieve a level of audit risk that is acceptable to the auditor.
There are similarly two concepts of detection risk - the acceptable level of detection risk and the achievable level of detection risk. The acceptable level of detection risk [DR*] is the maximum level of detection risk an auditor can allow to occur. On the other hand, the achievable level of detection risk [DR] is, broadly, the risk that a material misstatement in the unaudited information will not be detected by the auditor, (Again, DR is an ex ante concept and thus it is referred to as the achievable level of risk rather than an ex post concept of an achieved level of risk).
The acceptable level of detection risk [DR*] is estimated by reference to specified levels of audit risk, inherent risk and control risk. The greater the acceptable level of audit risk, and the lower the inherent and control risk, then the greater is the acceptable level of detection risk. The achievable level of detection risk [DR] is based on such factors as the auditor's independence and ability. The lesser the independence and ability of the auditor, the greater is the level of detection risk that can be achieved (i.e. the greater is the risk that the auditor will not detect a material misstatement).
Given the values of any three of the four variables in the audit risk model (AR, IR, CR, DR), a value for the unknown variable can be determined from a knowm equilibbrium position.
All the components of acceptable and achievable audit risk may be evaluated at different levels of aggregation. For example, in the client acceptance and opinion formulation stages, audit risk components are evaluated at the financial statement level, whereas in the other audit stages, the components are evaluated at the account balance level, or in some cases, the class of transaction level.
Copyright, Australian Educational Research Pty Ltd. Any person accessing this site agrees to the Terms of Use.