Audit risk refers to the chance of an error slipping through an audit review and resulting in a flawed report. This term is most common in the business sector, where outside accounting firms provide “financial checkup” services and audit reporting for major corporations, divisions, and sometimes even individual departments. The main concern with this risk is that a financial disclosure form won’t show fraud or other inconsistencies that are present, and that the report will accordingly paint a picture of a financial scene that isn’t complete and in fact looks better than it really is. Fraud and reporting mistakes aren’t always easy to detect, particularly when they’re part of a larger scheme. Most of the time, errors or oversights in audit reports are unintentional, and auditors usually carry malpractice insurance to protect themselves from liability suits from people like investors who relied on their reports.
Why it Matters
Business finances can be very complex. Most executives take steps to make sure that their books are in line to maximize profits, but the desire for success and profitability usually needs to be balanced against the obligation to keep accurate accounting and to only engage in legal and accepted transactions. At the same time, most corporate leaders have what’s known as a fiduciary duty to their shareholders to use all monies invested both wisely and appropriately.
It’s pretty common for companies to employ internal accountants and financial professionals to help set policies and prepare paperwork, but it’s equally common for leaders to hire external accounting firms to perform additional reviews, called audits, that can identify weaknesses or problems. In many countries companies of a certain size or threshold are actually required to undergo regular audits, the results of which usually have to be filed with the government as well as published publicly. Audit risk is basically the risk that these audits are going to miss something, or that the reviewers will overlook a problem that should have been noticed.
The risk is usually represented by the with the formula AR = IR x CR x DR. AR is, of course, audit risk; IR is “inherent risk,” and refers to the susceptibility of misstatement, assuming that there are no internal controls to counter that chance of misstatement. Control risk (CR) expresses the chance that internal controls won't catch a misstatement, and detection risk (DR) refers to the chances that the auditor won't detect the misstatement in his or her audit.
Depending on the percentage that results from the formula, the risk for a particular audit is often characterized as high, medium, or low. What percentage range constitutes a high risk is not absolute — it depends on the particular factors of a given audit. Though this determination provides a definitive starting point in risk assessment, this tool is certainly not dispositive of actual risk in any given scenario.
Materiality is considered to be the amount by which a user of the financial data, who has a reasonable understanding of the business, would have made a different decision had the information omitted or misstated been made available. The higher the perceived risk, the lower the materiality threshold. In most cases this results in an increased scope of testing.
There are a couple of different standards auditors can use. Those outlined in the Generally Accepted Auditing Standards (GAAS) are some of the most common; these assist auditors in structuring their audit procedures to mitigate risk. GAAS are issued by the American Institute of Certified Public Accountants (AICPA) but are used in multiple countries to create a high-level framework to reduce the inherent risk associated with each engagement. Through the auditor's testing of the financial statement assertions, risk must be reduced to a level acceptable to the auditors before a clean audit opinion on the financial statements is provided.
During the planning stages of an audit, auditors typically assess the various factors that can increase or decrease the risk associated with a particular engagement. When performing an initial risk assessment, auditors consider the likelihood of material misstatement both at the individual account balance level and for the financial statements taken as a whole.
Mitigating risk factors, such as the experience of personnel, simplicity of the audited transactions and assertions, and the existing internal control framework, are often used by auditors when assessing risk and developing the scope of the audit. Such considerations are used to define the materiality that will be the benchmark used by auditors when developing the nature, timing, and extent of the audit procedures over the financial information.