How is the overall risk assessed?
Once the individual identified items of risk have been analysed (see previous article), the overall audit risk must be determined. As mentioned, Overall Audit Risk (OAR) is the product of the various risks which may be encountered in the performance of the audit: Detection Risk (DR) and the Risk of Material Misstatement (which is broken down into Inherent Risk (IR) and Control Risk (CR)), expressed as:
OAR = IR x CR x DR
In order to keep the overall audit risk of engagements below an acceptable limit, the auditor must assess the level of risk pertaining to each component of audit risk.
Inherent Risk is the risk of a material misstatement in the financial statements arising due to error or omission as a result of factors other than the failure of controls. It is generally considered to be higher where a high degree of judgment and estimation is involved or where the transactions of the entity are highly complex (e.g. the inherent risk in the audit of a newly formed financial institution which has significant trade and exposure in complex derivative instruments may be considered to be significantly higher than in the audit of a well established manufacturing concern operating in a relatively stable competitive environment).
Control risk is the risk that a misstatement that could occur in an assertion about a class of transaction, account balance or disclosure and that could be material, either individually or when aggregated with other misstatements, will not be prevented, or detected and corrected, on a timely basis by the entity’s internal control. Internal control, no matter how well designed and operated, can only reduce, but not eliminate, risks of material misstatement in the financial statements, because of the inherent limitations of internal control (e.g. the possibility of human errors or mistakes, or of controls being circumvented by collusion or inappropriate management override). Accordingly, some control risk will always exist.
Detection risk is the risk that the procedures performed by the auditor to reduce audit risk to an acceptably low level will not detect a misstatement that exists and that could be material, either individually or when aggregated with other misstatements. Detection Risk is set by the auditor depending on the assessment of the other items, in order to reduce the overall risk to an acceptable level.
Inherent risk - Observe and assess
Control risk - Observe and assess
Detection risk - SET
This is a great illustration of why we set detection risk: the cloud represents the accounting system and the rain drops are misstatements. The likelihood of misstatements occurring is inherent risk. The possibility that internal controls (1st umbrella) may not prevent or detect misstatements is control risk. The possibility that audit procedures (2nd umbrella) may not detect material misstatements is detection risk. The possibility that the financial statements may include undetected material misstatements is audit risk. The more rain there is and the smaller the control umbrella, the bigger we have to make our detection risk umbrella to compensate (from an original very good article here).
Note:
ISA 315 (Revised 2019), paragraph 34, says "If we do not plan to test the operating effectiveness of controls, our assessment of control risk shall be such that the assessment of the risk of material misstatement is the same as the assessment of inherent risk." So in a job where we are doing fully substantive testing we must rate CR the same as IR.
For example:
If Inherent risk - Observed and assessed as Medium (say because the organisation is a charity involving a lot of volunteers).
And Control risk - Observed and assessed as High (say because there is a lack of division of duties), and we are testing controls. (If we are not testing controls the CR would be medium - the same as IR.)
Then Detection risk - SET as Low (in order that overall Audit Risk is acceptable).
Setting the detection risk LOW means that we do a lot of work, so that the risk of failing to detect a material misstatement is LOW.
- To be able to do less work we have to have a control risk that is medium or low, so that the auditor may set the detection risk to MEDIUM or HIGH.
- To be able to assess the control risk as anything but HIGH, the auditor has to identify and test the control(s).
So, in other words, the level of detection risk depends on the auditor's assessment of the first two types of risk.
If controls are poor and there is a high inherent risk, then we set detection risk low. This may seem a bit counter-intuitive, setting the detection risk low when the other risks are high, but it makes sense when you realise that it simply means more work is required to achieve that low risk: we have to make the bottom umbrella larger to reduce detection risk.
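The reasoning above, worked through in code as an added example that is not part of the original article: it solves OAR = IR x CR x DR for the detection risk the auditor must set, applies the ISA 315 rule that CR is rated equal to IR when controls are not tested, and reproduces the charity example (IR medium, CR high). The numeric values behind the Low/Medium/High ratings, the 5% target OAR and the DR bands are assumptions chosen for illustration.

```python
# Assumed probabilities for the qualitative ratings used in the article.
LEVELS = {"low": 0.2, "medium": 0.5, "high": 0.8}


def assessed_control_risk(inherent: str, control: str, controls_tested: bool) -> str:
    """ISA 315 (Revised 2019) para 34: if controls are not tested, CR is rated
    the same as IR, so the risk of material misstatement equals inherent risk."""
    return control if controls_tested else inherent


def required_detection_risk(inherent: str, control: str,
                            controls_tested: bool, target_oar: float = 0.05) -> float:
    """Rearrange OAR = IR x CR x DR to DR = OAR / (IR x CR).
    DR is capped at 1.0: you cannot 'set' a risk above certainty."""
    ir = LEVELS[inherent]
    cr = LEVELS[assessed_control_risk(inherent, control, controls_tested)]
    return min(target_oar / (ir * cr), 1.0)


def detection_risk_band(dr: float) -> str:
    """Assumed bands (midpoints between LEVELS). A lower band means more
    substantive work is needed to keep overall audit risk acceptable."""
    if dr < 0.35:
        return "low"
    if dr < 0.65:
        return "medium"
    return "high"


def plan(inherent: str, control: str, controls_tested: bool,
         target_oar: float = 0.05) -> dict:
    """Return the assessed CR, the numeric DR to set, and its qualitative band."""
    dr = required_detection_risk(inherent, control, controls_tested, target_oar)
    return {
        "control_risk": assessed_control_risk(inherent, control, controls_tested),
        "detection_risk": round(dr, 4),
        "band": detection_risk_band(dr),
    }


if __name__ == "__main__":
    # The article's charity example: IR medium, CR high, controls tested -> DR low.
    print(plan("medium", "high", controls_tested=True))
    # Same job, fully substantive: CR is rated medium like IR; DR is still low.
    print(plan("medium", "high", controls_tested=False))
    # Low IR and tested low CR: DR can be set high, i.e. much less work.
    print(plan("low", "low", controls_tested=True))
```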