Risk-based approach to auditingKey feature of modern auditing is the ‘risk-based’ approachthat is taken in most audits. At the planning stage, as required by BSA 315, the auditor will identify and assess the main risks associated with the business to be audited.
Audit RiskAudit risk is the risk (chance) that the auditor reaches an inappropriate (wrong) conclusion on the area under audit. For example, if the audit risk is 5%, this means that the auditor accepts that there will be a 5% risk that the audited item will be misstated in the financial statements, and only a 95% probability that it is materially correct.
Audit Risk Model
IR (Inherent Risk)Inherent risk is the risk that items may be misstated as a result of their inherent characteristics. Inherent risk may result from either:•the nature of the items themselves. For example, estimated items are inherently risky because their measurement depends on an estimate rather than a precise measure; or
IR•the nature of the entity and the industry in which it operates.For example, a company in the construction industry operates in a volatile and high-risk environment, and items in its financial statements are more likelyto be misstated than items in the financial statements of companies in a more low-risk environment, such as a manufacturer of food and drinks.
IRWhen inherent risk is high, this means that there is a high risk of misstatement of an item in the financial statements.
CR (Control Risk)Control risk is the risk that a misstatement would not be prevented or detected by the internal control systems that the client has in operation.In preparing an audit plan, the auditor needs to make an assessment of control risk for different areas of the audit. Evidence about control risk can be obtained through ‘tests of control’.
DR (Detection risk)Detection risk is the risk that the audit testing procedureswill fail to detect a misstatementin a transaction or in an account balance. For example, if detection risk is 10%, this means that there is a 10% probability that the audit tests will fail to detect a material misstatement.Detection risk can be lowered by carrying out more tests in the audit. For example, to reduce the detection risk from 10% to 5%, the auditor should carry out more tests.
Audit RiskThe detection risk can be managed by the auditor in order to control the overall audit risk through increasing audit work. Inherent risk cannotbe controlled. Control risk can be reduced by improving the quality of internal controls.