WHAT IS RISK?

In auditing, there are two types of risk:

1. Audit risk
2. Engagement risk
AUDIT RISK

•Is the risk that an auditor might issue an unqualified opinion

on materially misstated financial statements.
ENGAGEMENT RISK

• Is the risk that the auditor or audit firm will suffer harm after the audit is finished,
even though the audit report was correct. This may arise when the auditor is sued
by the client or a third party although the auditor has complied with appropriate
auditing standards in the conduct of the audit.
AUDIT RISK
• There are no clear-cut provisions specified in the auditing standards on
how to determine what an acceptable level of audit risk is, it’s for the
professional judgement of the auditor to decide so long as the objective
of reducing audit risk to an acceptable low level is achieved. To do this,
auditors use the AUDIT RISK MODEL.
AUDIT RISK MODEL
•Acts as a guide for auditors to determine the scope of audit work
and the auditing procedures that are to be conducted. Audit risk
model is expressed as:

AUDIT RISK (AR) = INHERENT RISK (IR) X CONTROL RISK (CR) X DETECTION RISK (DR)
INHERENT RISK

•Is the susceptibility of an assertion to material misstatements

assuming that there are no related controls.
INHERENT RISK
• Inherent risk is higher for some items:
Example:
1. Cash VS inventory. Cash has a higher inherent risk when it comes to theft
because by its nature, it is the most liquid of all assets.
2. Complex or non-routine transactions are more likely to be misstated/wrongly
recorded than simple transactions
• INVERSE RELATIONSHIP WITH DR; DIRECT WITH EVIDENCE
CONTROL RISK
• Is the risk that material misstatements that could occur in an assertion will not be
prevented or detected in a timely basis by the client’s internal controls. Internal
controls can never be completely effective, regardless of the care followed in their
design and implementation because its effectiveness depends on the competency
and dependability of the people using it. (Inherent limitation)
• INVERSE RELATIONSHIP WITH DR; DIRECT WITH EVIDENCE
CONTROL RISK
• Main types of controls:
1. Adequate separation of duties
2. Proper authorization of transactions and activities
3. Adequate documents and records
4. Physical control over assets and records
5. Independent checks on performance
DETECTION RISK
• Is the risk that the auditor will not detect a misstatement that exists in an
assertion. It relates to the effectiveness of the audit procedure and its
application. It is also the only component of audit risk that can be
controlled or manipulated by the auditor through the nature, timing and
extent (NTE) of audit procedures to be used in the conduct of an audit.
• INVERSE RELATIONSHIP WITH THE AMOUNT OF EVIDENCE TO BE ACCUMULATED
RELATIONSHIP OF RISK COMPONENTS IN
THE AUDIT RISK MODEL
• INHERENT RISK is directly related to the amount of evidence to be accumulated and
has an inverse relationship with detection risk.
• CONTROL RISK, same with inherent risk, is directly related to the amount of
evidence and has an inverse relationship with detection risk.
• DETECTION RISK has an inverse relationship to the combined elements of inherent
risk and control risk (auditee risk) and also has an inverse relationship with the
amount of evidence to be obtained.
RELATIONSHIP AMONG AUDIT RISK, AUDIT
PROCEDURES AND AUDIT EVIDENCE
• IF THE PRELIMINARY CONTROL RISK IS LOW, THE AUDITOR PERFORMS TEST OF CONTROLS TO SUPPORT
OR ASCERTAIN THE LOW LEVEL OF CONTROL RISK. IF CONTROL RISK IS INDEED LOW:
1. Detection risk is high
2. Internal control is effective and functioning well in the company therefore, the auditor can easily
detect misstatements
3. Make the audit procedures less extensive and conduct the audit less strictly
4. Gather only a few audit evidence
RELATIONSHIP AMONG AUDIT RISK, AUDIT
PROCEDURES AND AUDIT EVIDENCE
• IF CONTROL RISK IS HIGH (NO NEED TO PERFORM TEST OF CONTROLS) OR AFTER PERFORMING TEST OF
CONTROLS, THE CONTROL RISK HAS GONE UP:
1. Detection risk is low
2. Internal control is ineffective and functioning poorly so the auditor will have a hard time
detecting errors and misstatements
3. Therefore, the auditor will use more extensive audit procedures and will conduct the audit more
strictly
4. Obtain more evidence
AUDIT RISK MODEL LIMITATIONS
1. It is only a planning tool so the actual level of audit risk may be greater or lesser than the audit
risk indicated by the formula
2. The assessment of the auditor is based on his professional judgement. Because of this, such
assessments may be higher or lower than the actual inherent and control risk that exist for the
client.
3. It does not consider the possibility of auditor’s error in the assessment.

• BECAUSE OF THIS LIMITATIONS, MANY AUDITORS USE IT ONLY AS A FUNCTIONAL MODEL AND A GUIDE.
SAMPLE COMPUTATION
Acquisition and Payment Payroll and Personnel Inventory and Warehousing
Auditor’s assessment of:
Cycle Cycle Cycle

Expectation of Material
Expect many (High) Expect few (Low) Expect many (High)
Misstatement (Inherent Risk)

Effectiveness of internal controls High effectiveness

High effectiveness (Low) Low effectiveness (High)
(Control Risk) (Low)

Detection Risk Medium High Low

Extent of Evidence to be
Medium Level Low Level High Level
accumulated

AUDIT RISK (AR) = INHERENT RISK (IR) X CONTROL RISK (CR) X DETECTION
RISK (DR)
ACQUISITION AND PAYMENT
AR = HIGH X LOW X MEDIUM = 80% X 20% X 50% = 8%
• To reduce AR, DR should be lower. To do this, auditor must obtain more evidence
and conduct more extensive audit procedures.

LOWERED DR: AR = 80% X 20% X 25% = 4%

PAYROLL AND PERSONNEL

AR = LOW X LOW X HIGH = 20% X 15% X 75% = 2.25%

• AR is low because IR is low and the internal controls are effective.

INVENTORY AND WAREHOUSING
AR = HIGH X HIGH X LOW = 80% X 75% X 15% = 9%
• Even though DR is low, AR is still above the desired range of 2-5% so the auditor must further lower the
DR by conducting a more extensive audit and gather more evidence.

LOWERED DR: AR = 80% X 75% X 8% = 4.8%

NOTE: PERCENTAGES ARE SUBJECTIVE AND BASED ON THE PROFESSIONAL JUDGEMENT OF THE AUDITOR