AUDIT RISK – (ISA 400)

DEFINITION

According to International Standard on Auditing (ISA 400), ‘audit risk’ means the risk that the
auditor expresses an inappropriate audit opinion when the financial statements are materially
misstated. Information is said to be material if its omission or misstatement could influence the
economic decisions of users taken on the basis of the financial statements.

The above definition of audit risk has made tremendous changes in the approach used by audit
firms, especially those in charge of publicly listed companies. The audit risk-based approach,
which emerged in the 1990s as the dominant audit model, was the response of the audit
profession to an increasing demand for more effective and efficient auditing. This approach
requires auditors to pay considerable attention to the risks that they face at the time of the
audit.

Audit risk is a combination of three risks namely:

(1) A material misstatement (error or fraud) occurring in the financial statements.

(Inherent risk)
(2) The internal control system failing to detect and correct a misstatement. (Control
risk)
(3) The auditor failing to detect the misstatement. (detection risk)

Given the above definitions, audit risk can be expressed as:

Audit risk = Probability of material misstatement

X Probability of internal control failure

X Probability of auditor failure

I.e. AR = IRxCRxDR

Auditors plan the audit engagement based upon the level of audit risk they hope to achieve.
Audit risk is considered as part of the overall audit process.

A premise of the audit process is that audit tests of financial statement assertions will be
conditional on the strategic and process risks that an organization faces. Accordingly, a full
understanding of an organization’s strategic position, plans, risks, controls and processes is
critical for the performance of an effective audit.

Page 1 of 2
There is an inverse relationship between audit risk and error detection. That is, as audit risk is
set lower, more audit work will be performed and, presumably, more errors will be detected. It
also follows that the more errors detected, the greater the likelihood that detected error rates
will approximate actual error rates in the population, particularly with regard to material error.

In planning an audit, independent auditors are concerned that adequate internal controls are in
place and functioning properly (control risk), and that the audit procedures will detect any
misstatements (detection risk). The auditors are also concerned about inherent risk – i.e.,
factors that affect the financial welfare of the organization and that are difficult to manage and
control. The risk of material misstatement at the assertion level consists of two components,
inherent risk and control risk.

Page 2 of 2