Audit Risk
Inherent risk (IR)
Inherent risk is the susceptibility of the financial statements, or of any account in the
financial statements, to misstatement.
In simple words, it is the risk that an error or fraud can happen because of the nature of the
business, account, or transaction itself.
Why it happens:
- Some accounts are more complex
- Some transactions are unusual or difficult to measure
- Certain assets are easier to steal or manipulate
Example:
- Cash has high inherent risk because it is easy to steal.
- Inventory may have high inherent risk because it can be damaged, lost, or valued incorrectly.
Inherent risk can be reduced or mitigated, but it cannot be fully eliminated, because it is built into
the nature of the account or transaction.
A) Susceptibility to misstatement at the account balance level
Some account balances have a higher inherent risk because of their nature. This means there is
a greater chance that a material misstatement may occur in those accounts.
This usually happens when the account involves:
1) Estimates
Some accounts depend on accounting estimates, so the exact amount cannot be measured with
complete certainty. Because of this, the balance may be misstated.
Example:
Useful life of non-current assets - management must estimate how long the asset will be
used, and this affects depreciation expense.
2) Judgment
Some accounts require management judgment in applying accounting standards. When
judgment is involved, different people may reach different conclusions, which increases the risk
of misstatement.
Example:
Under IAS 38 - Intangible Assets, development costs may be capitalized only if there
is technical feasibility and other recognition criteria are met. Deciding whether these
conditions exist requires judgment.
3) Complex transactions or balances
Accounts involving complex transactions, unusual items, or difficult measurement are more
likely to contain errors.
Example:
Inventory count of oil wells or livestock can be difficult because of valuation, physical
counting, and industry-specific issues.
B) Susceptibility to misstatement in the financial statements as a whole
This refers to inherent risk at the overall financial statement level. It means that the entire set of
financial statements is likely to contain material misstatements because of general factors
affecting the business.
This may happen because of the following:
1) Inexperienced management
When management lacks enough knowledge, skill, or experience, they may make mistakes in
recording transactions, applying accounting standards, or preparing financial statements. This
increases the risk of material misstatement.
2) Integrity of management
If management lacks honesty or ethical values, there is a higher risk of intentional
misstatement or fraud in the financial statements. Poor integrity makes the auditor more
concerned about the reliability of accounting records and representations.
3) Nature of the entity
The type and condition of the business can also increase inherent risk. For example, a company
with complex operations, many branches, rapid growth, unusual transactions, or operating in a
highly regulated industry may have a greater risk of misstatement in the financial statements as a
whole.
Control Risk (CR)
Control risk is the risk that a material misstatement in the financial statements will not be
prevented, detected, or corrected on time by the entity’s internal control system.
In simple words, it is the risk that the company’s controls fail to work properly.
Why control risk exists
Even if a business has internal controls, those controls may still fail because of:
- human error
- carelessness
- collusion
- management override
- weak design of controls
Because of these inherent limitations of internal control, control risk can be reduced or
mitigated, but it cannot be completely eliminated.
Internal Control
Internal control refers to the policies, procedures, and systems established by an entity to help
achieve its objectives, protect its resources, and ensure that financial information is reliable.
In simple words, internal control is the company’s system of checks and safeguards to make
sure operations are done properly and errors or fraud are reduced.
Internal control is established to ensure that:
1) All transactions are authorized
This means transactions should be approved by the proper person before they are made.
This helps prevent unauthorized or illegal transactions.
2) Completeness and accuracy of data
All accounting data must be recorded fully and correctly.
This helps avoid missing information and recording mistakes.
3) All transactions are accounted for
Every transaction that happens should be properly recorded in the books of accounts.
This supports the completeness assertion.
4) Safeguarding of assets
Assets such as cash, inventory, and equipment should be protected from theft, misuse, or loss.
This can be done through physical controls, proper custody, and monitoring.
5) Prevention and detection of fraud and error
Internal control helps reduce the chance of fraudulent acts and unintentional errors, and also
helps discover them early.
6) Promotion of operating efficiency
Internal control supports the efficient and effective use of company resources.
It helps the entity carry out operations smoothly and avoid waste.
7) Preparation of reliable financial information
Internal control helps ensure that financial statements are accurate, complete, and dependable
for decision-making.
8) Regular comparison of recorded assets with physical assets
The entity should regularly compare the amount of assets shown in the records with the actual
physical assets on hand.
Example:
- comparing the cash book balance with actual cash
- comparing inventory records with physical stock count
This helps identify shortages, errors, or possible fraud.
Types of Internal Controls: Preventive, Detective and Corrective
Preventive controls – designed to stop errors or fraud before they occur
Detective controls – designed to identify errors or fraud after they occur
Corrective controls – designed to correct detected problems and prevent recurrence
Inherent Limitations of Internal Control System
Even if a company has a good internal control system, it is not perfect.
There are always some inherent limitations, which means natural weaknesses that make it
impossible to eliminate control risk completely.
1) Cost of establishing a control may exceed its benefit
A business cannot put a control over every activity because some controls are too expensive.
Management must consider cost-benefit.
Example:
Hiring many employees just to check very small transactions may cost more than the possible
loss.
2) Human errors
Controls may fail because of mistakes, carelessness, misunderstanding, or fatigue on the part of
employees.
Example:
An employee may enter the wrong amount in the accounting records.
3) Management override of controls
Management may ignore or bypass established controls for some reason.
This is dangerous because management usually has authority over the system.
Example:
A manager may approve a payment without following normal procedures.
4) Obsolete or inadequate controls
Controls may become outdated or may not be strong enough when business conditions change.
Example:
A manual control system may no longer be effective when the company starts using
computerized transactions.
5) Controls may not be established for non-routine transactions
Some controls are designed mainly for routine and regular transactions.
They may not work well for unusual, one-time, or complex transactions.
Example:
A merger, sale of a major asset, or foreign exchange transaction may not be covered by normal
controls.
Detection Risk (DR)
Detection risk is the risk that the auditor’s substantive procedures will not detect a material
misstatement because of the test-based nature of auditing. The larger the sample size, the lower
the detection risk.
In simple words, it is the risk that the auditor will fail to detect an important error or fraud
during the audit.
Detection risk may arise because of:
- use of sampling
- inappropriate audit procedures
- poor timing of audit tests
- incorrect application of audit procedures
- misinterpretation of audit evidence
Audit work is based on testing, not on checking every single transaction. Because auditors
examine only a sample, there is a chance that some material misstatements will not be found.
Unlike inherent risk and control risk, detection risk can be influenced by the auditor.
The auditor can reduce detection risk by:
- increasing sample size
- performing more effective substantive procedures
- using better audit techniques
- assigning more experienced audit staff
- performing tests closer to year-end
Easy comparison
Inherent risk = risk that comes from the nature of the account/business
Control risk = risk that comes from failure of internal controls
Detection risk = risk that comes from failure of audit procedures