Audit risk [AR] may be initially decomposed into two components:
· the risk of a material misstatement of a financial statement item in the unaudited financial statements [RMM] and
· the risk that the misstatement will not be detected by the auditor (equal to one minus the probability of detection by the auditor, (1 - Pr(Da)).
Thus, if there was a 50% risk of a material misstatement in a financial statement item in the unaudited financial statements and a probability of 80% that the misstatement would be detected by the auditor, audit risk, or the risk of a material misstatement in the audited financial statements would be equal to 10%. i.e.
AR = RMM x (1 - Pr(Da))= 0.5 x ( 1 - 0.8) = 0.10
The risk of material misstatement in the unaudited financial statement [RMM] may be decomposed as follows:
· the inherent risk of a material misstatement occurring (RMMi) and
· the risk that it will not be detected by the entity (equal to one minus the probability of the entity detecting the misstatement (1 - Pr(De)).
Thus, substituting the two components of RMM, audit risk can be mathematically defined as follows:
AR = RMMi x (1 - Pr(De)) x (1 - Pr(Da))
Thus, if there was:
· an 80% inherent risk of a material misstatement in a financial statement item,
· a 30% probability of such a misstatement being detected by the entity, and
· a probability of 40% that, if not detected by the entity, the misstatement would be detected by the auditor,
audit risk, or the risk of a material misstatement in the audited financial statements would be equal to 33.6%. i.e.
AR = RMMi x (1 - Pr(De)) x (1 - Pr(Da))= 0.8 x ( 1 - 0.3) x (1 - 0.4) = 0.336
The three components of audit risk (RMMi, 1 - Pr(De), and 1 - Pr(Da)), are referred to respectively as inherent risk [IR], control risk [CR] and detection risk [DR]. This gives rise to the audit risk model of:
AR = IR x CR x DR, where
· IR, inherent risk, is the perceived level of risk that a material misstatement may occur in the client's unaudited financial statements, or underlying levels of aggregation, in the absence of internal control procedures. In the last example above, inherent risk was 80%.
· CR, control risk, is the perceived level of risk that a material misstatement in the client's unaudited financial statements, or underlying levels of aggregation, will not be detected and corrected by the management's internal control procedures. In the last example above, control risk was 70%.
· DR, detection risk, is the perceived level of risk that a material misstatement in the client's unaudited financial statements, or underlying levels of aggregation, will not be detected by the auditor. In the last example above, detection risk was 60%.
The product of inherent and control risk (i.e. IR x CR) is referred to as the risk of material misstatement and in the above example is equal to 56%. In practice, however, auditors evaluate risk components using terms such as LOW, MODERATE or HIGH rather than using precise probabilities.
Note: there are a number of significant limitations to this model which needs to be borne in mind when the model is applied in practical situations.
Concepts of audit risk. Before evaluating audit risk or its components, auditors first determine what they consider to be a material misstatement. Obviously, the likelihood of a material misstatement appearing in the audited financial statements of an entity depends on the value of a material misstatement: the lower the value, the greater the likelihood. It is only after determining the value of reporting materiality that an auditor is able to evaluate whether audit risk is, for example, LOW, MODERATE or HIGH. This is referred to in more detail below.
There are two distinct concepts of audit risk - the acceptable level of audit risk and the achievable level of audit risk. The acceptable level of audit risk [AR*] is the risk of a material financial statement misstatement that is acceptable to the auditor. The achievable level of audit risk [AR] is the risk the audited financial statements will contain a material misstatement. (AR is an ex ante concept and thus it is referred to as the achievable level of risk rather than an ex post concept of an achieved level of risk).
The acceptable audit risk [AR*] is estimated by reference to the expected reliance on the audited financial statements. The greater the expected reliance, the lower is the acceptable level of audit risk. The achievable audit risk [AR] is estimated by reference to the ex ante value of the components of the audit risk model. That is, the estimated achievable values of inherent, control and detection risks. The aim of an auditor is to achieve an acceptable level of audit risk; to achieve a level of audit risk that is acceptable to the auditor.