Audit risk is the risk that the auditor expresses an inappropriate audit opinion when the financial statements are materially misstated. There are two concepts of audit risk: the acceptable level of audit risk, which is based on the expected reliance on the financial statements by users, and the achievable level of audit risk, which is based on evaluations of inherent, control and detection risks. The auditor aims are to achieve an acceptable level of audit risk; to achieve a level of audit risk that is acceptable to the auditor.
Audit risk. In very broad terms, audit risk is the risk of a material misstatement of a financial statement item that is or should be included in the audited financial statements of an entity. In this regard, a financial statement item includes any related notes to the financial statements. (The Glossary to ISAs defines audit risk as "the risk that the auditor expresses an inappropriate audit opinion when the financial statements are materially misstated.")
In theory, audit risk ranges anywhere from zero (0.0), where there is complete certainty of no material misstatement, to one (1.0), where there is complete certainty of a material misstatement. In practice, however, audit risk is always greater than zero. There is always some risk of material misstatement as it is not possible, (except for the audit of the simplest of financial statements), due to the limitations inherent in both accounting and auditing, to be absolutely certain a material misstatement will not exist.
Components of audit risk. Audit risk [AR] may be initially decomposed into two components:
· the risk of a material misstatement of a financial statement item in the unaudited financial statements [RMM] and
· the risk that the misstatement will not be detected by the auditor (equal to one minus the probability of detection by the auditor, (1 - Pr(Da)).
Thus, if there was a 50% risk of a material misstatement in a financial statement item in the unaudited financial statements and a probability of 80% that the misstatement would be detected by the auditor, audit risk, or the risk of a material misstatement in the audited financial statements would be equal to 10%. i.e.
AR = RMM x (1 - Pr(Da))= 0.5 x ( 1 - 0.8) = 0.10
The risk of material misstatement in the unaudited financial statement [RMM] may be decomposed as follows:
· the inherent risk of a material misstatement occurring (RMMi) and
· the risk that it will not be detected by the entity (equal to one minus the probability of the entity detecting the misstatement (1 - Pr(De)).
Thus, substituting the two components of RMM, audit risk can be mathematically defined as follows:
AR = RMMi x (1 - Pr(De)) x (1 - Pr(Da))
Thus, if there was:
· an 80% inherent risk of a material misstatement in a financial statement item,
· a 30% probability of such a misstatement being detected by the entity, and
· a probability of 40% that, if not detected by the entity, the misstatement would be detected by the auditor,
audit risk, or the risk of a material misstatement in the audited financial statements would be equal to 33.6%. i.e.
AR = RMMi x (1 - Pr(De)) x (1 - Pr(Da))= 0.8 x ( 1 - 0.3) x (1 - 0.4) = 0.336