
Understanding Audit Risk in Planning an Audit Engagement

Audit risk is the risk of financial statements being materially misstated and the risk that the auditor expresses an inappropriate audit opinion on the misstated financial statements.


No matter how well auditors plan and perform their audit work, audit risk always exists.


Audit risk can be reduced if the audit is carefully planned and performed. Auditors follow a risk-based approach in which they analyze and assess the risks that could lead to misstatements in the financial statements.



Are audit risk and business risk the same?


No, audit risk and business risk are different.


The difference between audit risk and business risk is that business risks are those factors that could hinder the achievement of organizational goals and contribute towards business failure, whereas audit risks are those factors that cause material misstatement in the financial statements.


Audit risks and business risks are different in nature because audit risk relates to an auditor and business risk relates to an organization and its stakeholders.


Audit Risk Model


The audit risk model can be explained by the following formula:


Audit Risk = Inherent Risk x Control Risk x Detection Risk


In which:


Inherent risk is ‘the susceptibility of an assertion about a class of transaction, account balance or disclosure to a misstatement that could be material, either individually or when aggregated with other misstatements, before consideration of any related controls.’


Control risk is ‘the risk that a misstatement that could occur in an assertion about a class of transaction, account balance or disclosure and that could be material, either individually or when aggregated with other misstatements, will not be prevented, or detected and corrected, on a timely basis by the entity’s internal control.’


Inherent risk and control risk are the components of the Risk of Material Misstatement (RoMM), which is defined as the risk that the financial statements are materially misstated prior to audit.


In addition to these two risks, there is one more variable in the audit risk formula: detection risk. It is defined as:

Detection risk is the risk that the procedures performed by the auditor to reduce audit risk to an acceptably low level will not detect a misstatement that exists and that could be material, either individually or when aggregated with other misstatements.


In the ACCA exam, the audit risk model can also be written as: Audit Risk = RoMM x Detection Risk


In other words, audit risk is the risk of a material misstatement of the financial statements not being detected.


The auditor should assess the level of risk in order to keep the overall audit risk to an acceptable limit.


ISA 200 – Overall Objectives of The Independent Auditor and the Conduct of an Audit in Accordance with International Standards on Auditing


The overall objective of an independent audit is to conduct an audit in accordance with International Standards on Auditing. The International Auditing and Assurance Standards Board (IAASB) makes it apparent that the understanding of ISA 200 is important for auditors as the ISA contains basic objectives and requirements that should be followed in the audit.


The ISA enables an independent auditor to meet these objectives, which increases the level of confidence of users of financial statements. It requires the auditor to obtain reasonable assurance, which is not absolute assurance, on the financial statements.


The main objectives of ISA 200 are to obtain reasonable assurance so that the auditor can express an opinion on whether the financial statements are free from material misstatement, and to report on the financial statements and communicate in accordance with the audit findings.


  • The auditor should comply with relevant ethical requirements that include quality control measures.

  • It is essential to maintain an attitude of professional skepticism throughout the audit and the auditor should plan and perform the audit with professional skepticism.

  • Auditors should exercise professional judgment in planning and performing the audit.

  • Auditors should obtain sufficient appropriate audit evidence in order to reduce audit risk to an acceptably low level.

  • Auditors should conduct an audit in accordance with the objectives and requirements of the ISAs relevant to the audit.


Importance of Audit Risk in Audit Planning


Audit planning is not a simple activity, as it involves consideration of the client's industry, regulatory factors, client operations, engagement timing and other considerable issues.


Audit risk is essential in audit planning because auditors cannot check all transactions. Risk assessment involves gaining an understanding of the client and its environment to create a complete view of the regulatory and other factors that may influence the audit. Identifying the risky areas will allow for additional testing that will reduce the possibility of error.


Auditors should use a risk-based approach to ensure the audit work is carried out effectively. In addition, auditors should consider the key risks while planning an audit to minimize the chance of giving an inappropriate audit opinion.


Risk Assessment Procedures – ISA 315 (Revised)


Next, we move to the procedures for assessing risk. They are governed by ISA 315 (Revised), Identifying and Assessing the Risks of Material Misstatement.


ISA 315 (Revised) considers the auditor’s responsibility to identify and assess the risks of material misstatement in the financial statements. The standard sets out requirements and application materials to support the auditor’s risk assessment process.


The risk assessment procedures include the following:

  1. The auditor should inquire of management and others within the entity who may have information that can assist in identifying risks of material misstatement. They should consider whether information obtained from the auditor’s client is relevant to identifying risks of material misstatement. They should obtain an understanding of the nature of the entity, its operations, its ownership and other regulatory affairs.

  2. The auditor should evaluate the entity’s accounting policies and the reasons for changes to them, and understand the classes of transactions and disclosures in the financial statements.

  3. The auditor should obtain an understanding of internal control relevant to the audit, evaluate the design of those controls and determine whether they have been implemented or not. They should obtain an understanding of the control environment, the entity’s risk assessment procedure, the information system, control activities and monitoring of controls.

  4. The auditor should obtain an understanding of control activities relevant to the audit and the major activities the entity uses to monitor internal control over financial reporting and the sources of information used in the monitoring activities.

  5. The auditor should identify and assess the risks of material misstatement at the financial statement level and assertion level. The risk assessment procedure includes inquiries of management, analytical procedures, observation and enquiry. When the identified risks are significant in the auditor’s judgment, they require special audit consideration.

  6. The auditor should maintain proper documentation, including the discussion among the engagement team, key elements of the understanding of internal control components, the risks identified and the risk assessment procedures performed.

  7. The auditor should perform analytical procedures to identify the existence of unusual transactions, events and trends. Unusual transactions may help the auditor to identify risks of material misstatement due to fraud or error. Analytical procedures include both financial and non-financial information and the results of those analytical procedures may provide an indication that a material misstatement may exist.

  8. Auditors should observe and inspect the entity’s operations, documents and reports prepared by management. They should review the information obtained from prior period audits and determine whether the information remains relevant for the purpose of the current period audit.

  9. It is necessary for the auditors to revise the original risk assessment and modify the audit procedures in response to new risks identified.


ISA 315 (Revised) stresses that external auditors should pay attention to internal control in order to make effective and efficient enquiries. We expect the working relationship between internal audit functions and external auditors to increase in future as a result of this new requirement.





