Auditing Standard No.

8
Audit Risk
Effective Date: For audits of fiscal years beginning on or
after Dec. 15, 2010

Final Rule: PCAOB Release No. 2010-004

Summary Table of Contents +

Introduction
1. This standard discusses the auditor's consideration of audit risk
in an audit of financial statements as part of an integrated audit1/ or an
audit of financial statements only.

Objective
2. The objective of the auditor is to conduct the audit of financial
statements in a manner that reduces audit risk to an appropriately low
level.

Audit Risk
3. To form an appropriate basis for expressing an opinion on the
financial statements, the auditor must plan and perform the audit to
obtain reasonable assurance about whether the financial statements
are free of material misstatement2/ due to error or fraud. Reasonable
assurance3/ is obtained by reducing audit risk to an appropriately low
level through applying due professional care, including obtaining
sufficient appropriate audit evidence.
4. In an audit of financial statements, audit risk is the risk that the
auditor expresses an inappropriate audit opinion when the financial
statements are materially misstated, i.e., the financial statements are
not presented fairly in conformity with the applicable financial
reporting framework. Audit risk is a function of the risk of material
misstatement and detection risk.

Note: The auditor should look to the requirements of the Securities

and Exchange Commission for the company under audit with respect
to the accounting principles applicable to that company.

Risk of Material Misstatement

5. The risk of material misstatement refers to the risk that the
financial statements are materially misstated. Auditing Standard No.
12, Identifying and Assessing Risks of Material Misstatement, indicates that
the auditor should assess the risks of material misstatement at two
levels: (1) at the financial statement level and (2) at the
assertion4/level.5/

6. Risks of material misstatement at the financial statement level

relate pervasively to the financial statements as a whole and
potentially affect many assertions. Risks of material misstatement at
the financial statement level may be especially relevant to the
auditor's consideration of the risk of material misstatement due to
fraud. For example, an ineffective control environment, a lack of
sufficient capital to continue operations, and declining conditions
affecting the company's industry might create pressures or
opportunities for management to manipulate the financial statements,
leading to higher risk of material misstatement.

7. Risk of material misstatement at the assertion level consists of

the following components:
 a. Inherent risk, which refers to the susceptibility of an assertion to a
misstatement, due to error or fraud, that could be material,
individually or in combination with other misstatements, before
consideration of any related controls.
b. Control risk, which is the risk that a misstatement due to error or
fraud that could occur in an assertion and that could be material,
individually or in combination with other misstatements, will not
be prevented or detected on a timely basis by the company's
internal control. Control risk is a function of the effectiveness of
the design and operation of internal control.

8. Inherent risk and control risk are related to the company, its
environment, and its internal control, and the auditor assesses those
risks based on evidence he or she obtains. The auditor assesses
inherent risk using information obtained from performing risk
assessment procedures and considering the characteristics of the
accounts and disclosures in the financial statements.6/ The auditor
assesses control risk using evidence obtained from tests of controls (if
the auditor plans to rely on those controls to assess control risk at
less than maximum) and from other sources.7/

Detection Risk
9. In an audit of financial statements, detection risk is the risk that
the procedures performed by the auditor will not detect a
misstatement that exists and that could be material, individually or in
combination with other misstatements. Detection risk is affected by
(1) the effectiveness of the substantive procedures and (2) their
application by the auditor, i.e., whether the procedures were performed
with due professional care.

10. The auditor uses the assessed risk of material misstatement to

determine the appropriate level of detection risk for a financial
statement assertion. The higher the risk of material misstatement, the
lower the level of detection risk needs to be in order to reduce audit
risk to an appropriately low level.

11. The auditor reduces the level of detection risk through the
nature, timing, and extent of the substantive procedures performed. As
the appropriate level of detection risk decreases, the evidence from
substantive procedures that the auditor should obtain increases.8/

1/
When the auditor is performing an integrated audit of financial statements
and internal control over financial reporting, the requirements in Auditing
Standard No. 5, An Audit of Internal Control Over Financial Reporting That Is
Integrated with An Audit of Financial Statements, also apply. However, the risks
of material misstatement of the financial statements are the same for both
the audit of financial statements and the audit of internal control over
financial reporting.

2/
Misstatement is defined in Appendix A of Auditing Standard No.
14, Evaluating Audit Results.

3/
See AU sec. 110, Responsibilities and Functions of the Independent Auditor, and
paragraph .10 of AU sec. 230, Due Professional Care in the Performance of
Work, for a further discussion of reasonable assurance.

4/
See Auditing Standard No. 15, Audit Evidence, for a description of financial
statement assertions.

5/
Paragraph 59 of Auditing Standard No. 12.

6/
Paragraph 59.a. of Auditing Standard No. 12.

7/
Paragraphs 32-34 of Auditing Standard No. 13, The Auditor's Responses to the
Risks of Material Misstatement.

8/
Paragraph 37 of Auditing Standard No. 13.
[Effective pursuant to SEC Release No. 34-63606, File No. PCAOB-2010-01
(December 23, 2010)]

Control risk has been defined under International Standards of Auditing (ISAs)
as following:

The risk that a misstatement that could occur in an assertion about a

class of transaction, account balance or disclosure and that could be
material, either individually or when aggregated with other
misstatements, will not be prevented, or detected and corrected, on a
timely basis by the entity’s internal control.

In simple words control risk is the probability that a material misstatement

exists in an assertion because that misstatement was not either prevented from
entering entity’s financial information or it was not detected and corrected by
the internal control system of the entity.

It is the responsibility of the management and those charged with governance

to implement internal control system and maintain it appropriately which
includes managing control risk.

Control risk is one of the components of Risk of material

misstatement while the other component is inherent risk. It is the
responsibility of the management to minimize inherent risk which is done by
implementing internal control system. But if internal control system is not
preventing, detecting and correcting misstatements on timely basis then
inherent problems will creep in the entity’s system and thus risk of material
misstatement will increase.

Remember
It is the responsibility of the management or where applicable those charged
with governance to manage inherent and control risks. It is NOT the duty of the
auditor. That is why they are also called “client side risks”
Auditor is not responsible for managing internal control system and also under
ISAs he is not under the duty to assess and report i.e. give his opinion on
internal control system of the entity unless he is required under other applicable
rules and regulations. But as said above if control risk is high which in other
words mean internal control system is not working effectively then risk of
material misstatement will increase which ultimately increases the chances that
auditor may end giving inappropriate opinion which is termed as audit risk. In
response to increased audit risk he is required detect material misstatements
through by designing appropriate audit procedures.

One important point to note about control risk is that this also is
assessed in relation to assertions i.e. at assertion level and not just at
financial statement level.

There can be many reasons for control risk to arise and why it cannot be
eliminated absolutely. But some of them are as follows:

 Cost-benefit constraints

 Circumvention of controls

 Inappropriate design of controls

 Inappropriate application of controls

 Lack of control environment and accountability

 Novel situations

 Outdated controls

 Inappropriate segregation of duties

Definition
Audit Risk is the risk that an auditor expresses an inappropriate opinion on the financial statements.
Explanation
Audit risk is the risk that an auditor issues an incorrect opinion on the financial statements. Examples of
inappropriate audit opinions include the following:
 Issuing an unqualified audit report where a qualification is reasonably justified;
 Issuing a qualified audit opinion where no qualification is necessary;
 Failing to emphasize a significant matter in the audit report;
 Providing an opinion on financial statements where no such opinion may be reasonably given due
to a significant limitation of scope in the performance of the audit.

Model
Audit Risk = Inherent Risk x Control Risk x Detection Risk

Audit risk may be considered as the product of the various risks which may be encountered in the
performance of the audit. In order to keep the overall audit risk of engagements below acceptable limit,
the auditor must assess the level of risk pertaining to each component of audit risk.

Components
Explanation of the 3 elements of audit risk is as follows:

Inherent Risk
Inherent Risk is the risk of a material misstatement in the financial statements arising due to error or
omission as a result of factors other than the failure of controls (factors that may cause a misstatement
due to absence or lapse of controls are considered separately in the assessment of control risk).

Inherent risk is generally considered to be higher where a high degree of judgment and estimation is
involved or where transactions of the entity are highly complex.

For example, the inherent risk in the audit of a newly formed financial institution which has a significant
trade and exposure in complex derivative instruments may be considered to be significantly higher as
compared to the audit of a well established manufacturing concern operating in a relatively stable
competitive environment.

Control Risk
Control Risk is the risk of a material misstatement in the financial statements arising due to absence or
failure in the operation of relevant controls of the entity.
Organizations must have adequate internal controls in place to prevent and detect instances of fraud and
error. Control risk is considered to be high where the audit entity does not have adequate internal controls
to prevent and detect instances of fraud and error in the financial statements.

Assessment of control risk may be higher for example in case of a small sized entity in which segregation
of duties is not well defined and the financial statements are prepared by individuals who do not have the
necessary technical knowledge of accounting and finance.

Detection Risk
Detection Risk is the risk that the auditors fail to detect a material misstatement in the financial
statements.
An auditor must apply audit procedures to detect material misstatements in the financial statements
whether due to fraud or error. Misapplication or omission of critical audit procedures may result in a
material misstatement remaining undetected by the auditor. Some detection risk is always present due to
the inherent limitations of the audit such as the use of sampling for the selection of transactions.

Detection risk can be reduced by auditors by increasing the number of sampled transactions for detailed
testing.

Application
Audit risk model is used by the auditors to manage the overall risk of an audit engagement.

Auditors proceed by examining the inherent and control risks pertaining to an audit engagement while
gaining an understanding of the entity and its environment.

Detection risk forms the residual risk after taking into consideration the inherent and control risks
pertaining to the audit engagement and the overall audit risk that the auditor is willing to accept.

Where the auditor's assessment of inherent and control risk is high, the detection risk is set at a lower
level to keep the audit risk at an acceptable level. Lower detection risk may be achieved by increasing the
sample size for audit testing. Conversely, where the auditor believes the inherent and control risks of an
engagement to be low, detection risk is allowed to be set at a relatively higher level.

Example
ABC is an audit and assurance firm which has recently accepted the audit of XYZ. During the planning of
the audit, engagement manager has noted the following information regarding XYZ for consideration in
the risk assessment of the assignment:
 XYZ is a listed company operating in the financial services sector
 XYZ has a large network of subsidiaries, associates and foreign branches
 The company does not have an internal audit department and its audit committee does not
include any members with a background in finance as suggested in the corporate governance
guidelines
  It is the firm's policy to keep the overall audit risk below 10%

Inherent risk in the audit of XYZ's financial statements is particularly high because the entity is operating
in a highly regularized sector and has a complex network of related entities which could be
misrepresented in the financial statements in the absence of relevant financial controls. The first audit
assignment is also inherently risky as the firm has relatively less understanding of the entity and its
environment at this stage. The inherent risk for the audit may therefore be considered as high.

Control risk involved in the audit also appears to be high since the company does not have proper
oversight by a competent audit committee of financial aspects of the organization. The company also
lacks an internal audit department which is a key control especially in a highly regulated environment. The
control risk for the audit may therefore be considered as high.

If inherent risk and control risk are assumed to be 60% each, detection risk has to be set at 27.8% in
order to prevent the overall audit risk from exceeding 10%.

Working

Audit Risk = Inherent Risk x Control Risk x Detection Risk

0.10 = 0.60 x 0.60 x Detection Risk

0.10 = Detection Risk = 0.278 = 27.8%

0.36

HOW TO ASSESS CONTROL

RISK WHEN PERFORMING
AN AUDIT

RELATED BOOK
Auditing For Dummies

By Maire Loughran

During your risk-assessment procedures before you begin an audit,

you interview members of the company and observe how they do their
jobs to make your assessment of control risk. Company management
is ultimately responsible for the financial statements. The internal
controls set in place by the company have the goal of producing
accurate and effective reporting.

Here are some examples of control activities and the specific

procedures that should be in place in an adequate control
environment:

 Segregation of duties: In particular, this applies to

authorization, custody, and recordkeeping. For example, the
person who requests an order of computer components
shouldn’t be the person who authorizes the request. The
physical custody of the computer components after receipt
should be the task of a third employee. The business should also
have yet another employee keeping files of the related purchase
orders and paid invoices.

 Adequate documents and records: The company must

maintain source documents like purchase orders, paid invoices,
and customer invoices in a proper filing system. A classic
documentation control is using prenumbered documents and
saving voided documents. If you spot a missing invoice number
with no void information, you know right off the bat that the
company may have sales that haven’t hit its financial records.

 Physical control of assets and records: This includes

providing safe and secure locations for the assets, tagging
 furniture and equipment, and having backup procedures for
records should they be misplaced or lost in a fire or flood.

Not quite sure what it means to tag a piece of furniture?

Businesses with good internal controls have a unique label on
each piece of furniture and equipment they own and a record of
where each label is placed. Every year, someone goes around to
see if any tagged assets are missing.

IMPORTANT AUDITING
VOCABULARY AND KEY
TERMS

RELATED BOOK
Auditing For Dummies

By Maire Loughran

Part of Auditing For Dummies Cheat Sheet

Every profession has its own lexicon. To communicate with your audit
peers and supervisors, you must know key auditing phrases. Knowing
these buzzwords is also helpful if you’re a business owner, because
auditors sometimes forget to switch from audit-geek talk to regular
language when speaking with you.
 Audit evidence: Facts gathered during the audit procedures that
provide a reasonable basis for forming an opinion regarding the
financial statements under audit.

 Audit risk: The risk of forming an inappropriate opinion on the

financial statements under audit.

 Control risk: The risk that a company’s internal controls won’t

detect or prevent mistakes.

 Due professional care: Taking the time to gather reasonable

audit evidence to support the fact that the financial statements
are free of material misstatement.

 Generally accepted accounting principles (GAAP): Standard

U.S. accounting guidelines for reporting financial statement
transactions.

 Generally accepted auditing standards (GAAS): Standard

U.S. auditing guidelines for planning, conducting, and reporting
on audits.

 Going concern: The expectation that a business will remain

operating for at least another 12 months.

 Independence: Having an arm’s-length relationship — meaning

no special or close relationship — with the client under audit.

 Inherent risk: The likelihood of arriving at an inaccurate audit

conclusion based on the nature of the client’s business.

 Internal controls: The operating standards a client uses to

prevent or uncover mistakes.
  Management assertions: Representations the managers of a
company make on the financial statements.

 Materiality: The importance placed on an area of financial

reporting based on its overall significance.

 Objectivity: The ability to evaluate client records with no

preconceived notions or prejudices.

 Professional skepticism: Approaching an audit with a

questioning mind-set.

 Sampling: Selecting a small but pertinent and representative

number of records to represent the entire population of records.

Definition:
Audit risk is the risk that auditors issued the incorrect
audit opinion to the audited financial statements. For
example, auditor issued unqualified opinion to the audited
financial statements even though the financial statements
are materially misstated. Or the qualified opinion is issued
as the result of immateriality found in financial statements
which the correct opinion should be unqualified.
Audit risks come from two main different sources: Clients
and Auditors themselves. The risks are classified into
three different types: Inherent risks, Control Risks and
Detection Risks. We will discuss in detail below.
Auditor is required to assess the risks of material
misstatements in the financial statements as per
requirement from ISA 315 Identifying and Assessing the
Risks of Material Misstatement Through Understanding
the Entity and Its Environment. The procedures that
auditors use to perform risks assessment are inquiry,
inspection, observation, and analytical procedures.
Model and Calculation of Audit Risks:
Audit risk can be presented by the risks model as the
combination of inherent risks, control risks and detection
risks. As mention above, inherent risks and control risks
are control by clients whereas detection risks are control
by auditors. All of these three risks are discuss below:
Here is the formula:

Let me clarify about the formula here. Just because the

model use multiply here it does not mean that the need to
be multiple to get audit risk. Detection Risk alone could
also make high audit risk.
Want to understand more about audit, this article will help
you: What is Audit?
Inherent Risks:
Inherent risk refer to the risk that could not be protected
or detected by entity’s internal control. This risk could
happened as the result of complexity of client nature of
business or transactions. Sometime, that nature of
business could link to complexity of financial transactions
and require high involvement with judgement.
The risk is normally high if the transaction or even involve
highly with human judgement. For example, the exposure
in complex derivative instrument. This kind of risk could
also be effected by external environment; for example,
climate change, political problem, or some other PESTEL
effect to the business.
Auditor required to assess those kind of risks and set up
audit procedures to address inherent risks properly. For
example, auditor need to set up proper audit plan, audit
approach and audit strategy to that all relevance inherent
risks that might affect the financial statements are
identify and rectify on time.

Related article What is the objective of assurance engagement?

Those include the sufficient time for audit team to work on

the significant areas or having a member that have deep
understanding about the business as well as accounting
transactions of the auditing financial statements.
In case auditor being aware that the potential client has
high exposure to inherent risks, and auditor also know that
the current resources are not capable to handle such
client, audit should not accept the engagement.
This procedure could help auditor to minimize audit risks
that come from inherent risks.
Control Risks:
Control risk or internal control risk is the risk that current
internal control could not detect or fail to protect
significant error or misstatement in the financial
statements. Basically, managements are required to set
up and assess the effectiveness and efficiency of internal
control over financial reporting to make sure that financial
statements are free from material misstatements. Why is
weak internal control lead bring risk to auditor?
Basically, if the control is weak, there is a high chance
that financial statements are material misstated, and
there are subsequently high chance that auditors could
not detect all kind of those misstatement. That mean
control risk could lead to audit risk. Don’t be confuse that
it is the detection risk.
Auditor need to understand and assess client’s internal
control over financial reporting conclude that whether
those control could be rely on or not. If the client internal
control seem to be strong, then audit need to confirm if
the control is worked by testing internal control.
There are certain ways that auditors could use to help
them to minimize the control risks that results from poor
internal control. For example, auditors should have proper
risks assessment at the planning stages. These risks
assessment required auditors to understand not only the
nature of business, but also internal control activities that
link to financial reporting.
Mostly, COSO frameworks is the popular frameworks that
use by most of international audit firms to documents and
assess internal controls. Once the internal over financial
statements and risks are properly assess, the audit
programs are properly tailored, then Control Risks are
minimize.
Detection Risk:
Well detection risk is the risk that auditor fail to detect the
material misstatement in the financial statements and
then issued incorrect opinion to the audited financial
statements.

Related article #10 Checklists of Preliminary Information for the Due

Diligence:

The common cause of detection risk is improper audit

planning, poor engagement management, wrong audit
methodology, low competency and lack of understanding
of audit client. Detection risk is occurred because of
auditor part rather than client part.
As mentioned, detection risk could be result of poor audit
planning. For example, if audit planning is poor, not all kind
of risks are defined and the audit program that use to
detect those risks is deploy incorrectly. Then, the result is
the material misstates are not detected.
There are certain guidance that could help auditors to
minimize detection risks so that the audit risks are also
subsequently minimize. At the time planning, auditors
should setting right audit strategy, employed right audit
approach, and having the strong strategic audit plan.
Those including having good understanding about the
nature of business, complexity of business operation,
complexity of client’s financial statements, and deep
understanding about client’s internal control over financial
reporting. Clear understanding about audit objective, and
scope of audit could help auditors to set audit approach
and tailors the right audit program.
Having the strong audit team could also help auditors to
minimize detection risks. For example, the having enough
team members and those team member have good
experiences and knowledge related to clients’ business
and financial statements.
Why auditor need to perform risks
assessment?
Auditor require to perform risks assessments to make sure
that all possible risks of misstatements that might happen
to the financial statements are identify. This is normally
perform during and after audit plan. If the certain risks are
identified during the cause of audit, auditor should
perform additional assessments to figure out the real size
of the risks.
Auditor should assess audit risks before audit
engagements by understanding the nature of business that
its client operating in, and the complexity of financial
reporting in that sector.
This might help them to understand more about the audit
risks and let them ready for detect this risks. Different
industry might face different challenging in financial
reporting. For example, financial reporting of
merchandising company might be easy than financial
reporting in agriculture or oil.
Auditor should also assess audit risks at the time they
prepare audit plan. Normally, this is done by using control
framework like COSO to assess. At this stage, auditor
might obtain an understanding in detail of client nature of
business, major internal control over financial reporting,
financial reporting system and many more. Auditor will
also assess the assess the leadership of management
team as well as the entity’s culture.

Related article Ultimate Guideline to Prepare Annual Internal Audit Planning

How to calculate audit risks?

The above, we have mention the audit risks model and by
that you might think of the way to casting audit risk.
Before we say whether or not audit risk is calculable, let
see the model first.
The audit risks model is:
Audit Risks = Inherent Risk X Control Risk X Deletion Risk
This formula seem to tell us that the audit risks are
quantifiable yet it does not.
This formula is just the concept. The thing is if either one
is high the likelihood that auditor issued incorrect opinion
is also hight.
Audit Risks Vs Fraud Risks:
What is the different between audit risks and fraud risk?
Let assume you already have better understanding about
audit risks and let check above if you still not sure. Now,
let talk about fraud risks. Fraud risk is the risks that
financial statements have material misstatement without
detection by both auditor and management.
Management have the primary role and responsibility to
design the control that could prevent and detect fraud.
They also have the primary responsibility to investigate
fraud.
Auditor is not responsible for fraud but they are
responsible for providing the reasonable assurance to the
users of financial statements. Based on audit standard,
auditor need to assess the risks of fraud that might
happen as well as the materiality.
Recommended Material:
The following is the one of best audit material that could
help you gain better understanding about audit in more
deep and detail. The book cover many areas in audit and
focus deeply on perform a risks based on audit approach.
This book is authored by one of the well known authors in
audit, accounting and finance areas, Karla M. Johnstone,
Ph.D., C.P.A. The author hold PhD in accounting and
information system. He is currently the rofessor and
Accounting Department Chair at Colorado State University.
Conclusion:
Audit risk is the risk that audit opinion is incorrectly
issued and it is come from leak of internal control over
financial reporting, poor audit quality and inherent risks.