What kinds of risk are there?
The ISAs identify two levels of risk (ISA 200,A36):
Risk at the assertion level. An assertion is defined generally as: "A confident and forceful statement of fact or belief" (Oxford Dictionary). If the preparers of the financial statements are confidently and forcefully stating that say, inventory is valued at a certain amount, we as auditors are required to assess whether their confidence and force is justified.
So at the assertion level we consider specific accounts and what risks are involved in these accounts (for instance we identify certain specific risks in the inventory account - say the risk that not all costs are correctly allocated to inventory, or the risk that some of the stock was miscounted). ISA 200,13(n) then breaks this down into two components:
- Inherent risk is the susceptibility of an assertion about a class of transaction, account balance or disclosure to a misstatement that could be material, (either individually or when aggregated with other misstatements), before consideration of any related controls.
- Control risk – The risk that a misstatement that could occur in an assertion about a class of transaction, account balance or disclosure and that could be material, either individually or when aggregated with other misstatements, will not be prevented, or detected and corrected, on a timely basis by the entity’s internal control.
Risk at the financial statement level. This type of risk affects the financial statements as a whole and potentially affects many assertions. These risks will probably not affect one account more that another (for instance if the management of the company are involved in fraud say, or if the overall level of competence is such that controls are ineffective). Obviously these kinds of risks impact significantly on whether any reliance at all can be placed on internal controls, or whether the audit can actually proceed. ISA (NZ) 315, A124 states that:
- 'Concerns about the integrity of the entity’s management may be so serious as to cause the auditor to conclude that the risk of misrepresentation in the financial statements is such that an audit cannot be conducted.
- Concerns about the condition and reliability of an entity’s records may cause the auditor to conclude that it is unlikely that sufficient appropriate audit evidence will be available to support an unmodified opinion on the financial statements.'
These terms come up often in the ISAs, and in analysing identified risks within Audit Assistant this distinction must be made: