## **Learning Outcomes**

After reading this article, you will be able to define audit risk and explain its key components: inherent risk, control risk, and detection risk. You will understand how these risks interact during the audit process and how auditors assess and manage them to minimize the chance of an inappropriate audit opinion.

## **ACCA Foundations in Audit (FAU) Syllabus**

For ACCA Foundations in Audit (FAU), you are required to understand the meaning and significance of audit risk and its components. Specific syllabus points addressed in this article include:

- The definition and elements of audit risk
- The relationship between inherent risk, control risk, and detection risk
- The impact of audit risk on audit planning and procedures
- How auditors assess and respond to audit risk during the engagement

## **Test Your Knowledge**

_Attempt these questions before reading this article. If you find some difficult or cannot remember the answers, remember to look more closely at that area during your revision._

1. Which of the following best describes audit risk?
   a) The risk of fraud at an audited company  
   b) The risk of the auditor failing to detect all errors  
   c) The risk of expressing an incorrect audit opinion on materially misstated financial statements  
   d) The risk that material misstatements exist despite a qualified opinion

2. What does inherent risk refer to?
   a) The risk that audit procedures will not detect an error  
   b) The risk arising from the nature of the business and its transactions, before internal controls are considered  
   c) The risk that controls fail to prevent errors  
   d) The auditor’s sampling risk

3. True or false? Control risk is the risk that an error will not be prevented or detected by the entity’s internal controls.

4. Briefly explain the relationship between detection risk and the level of audit work performed.

## **Introduction**

Audit risk is at the centre of every audit engagement. It determines the nature, timing, and extent of audit work required. The aim is to keep audit risk at an acceptably low level, ensuring that the auditor expresses the correct opinion on the financial statements.

Audit risk is not a single concept, but the combination of three distinct types of risk: inherent risk, control risk, and detection risk. Understanding these components is critical for effective audit planning and execution.

> **Key Term: audit risk**
> The risk that the auditor expresses an inappropriate audit opinion when the financial statements are materially misstated.

## **THE COMPONENTS OF AUDIT RISK**

Audit risk is a function of three separate risks that are assessed and considered throughout the audit:

### Inherent Risk (IR)

Inherent risk is the chance that an assertion in the financial statements could be misstated before any controls are applied. It reflects the nature of the entity, its environment, and the specific items reported.

> **Key Term: inherent risk**
> The susceptibility of an assertion about a class of transaction, account balance, or disclosure to material misstatement, before considering any related controls.

### Control Risk (CR)

Control risk is the risk that the entity’s own internal controls will not prevent or detect and correct a material misstatement in a timely manner. Even effective controls have some limitations, and poor controls increase this risk.

> **Key Term: control risk**
> The risk that a misstatement that could occur in an assertion and that could be material will not be prevented, or detected and corrected, on a timely basis by the entity’s internal controls.

### Detection Risk (DR)

Detection risk is the chance that the audit procedures performed will not identify a misstatement that exists and is material, either individually or in aggregate.

> **Key Term: detection risk**
> The risk that audit procedures will not detect a misstatement that exists and that could be material, either individually or in aggregate.

## **THE RELATIONSHIP BETWEEN INHERENT, CONTROL AND DETECTION RISK**

Audit risk (AR) is the combined effect of its three components. It can be expressed as:

$$
\text{Audit risk} = \text{Inherent risk} \times \text{Control risk} \times \text{Detection risk}
$$

- Inherent risk and control risk together are called the risk of material misstatement (ROMM).
- Detection risk is influenced by the auditor’s assessment of the first two risks.

The auditor cannot directly control inherent risk or control risk, but can assess them and plan appropriate procedures. Detection risk is managed by adjusting the nature, timing, and extent of audit work.

If inherent and/or control risk are assessed as high, the auditor reduces detection risk by performing more detailed or additional testing.

### **Worked Example 1.1**

**ABC Ltd operates in a rapidly changing technology sector and has frequent complex transactions. The company recently changed its accounting system, which is still unfamiliar to staff. As the external auditor, you are planning the audit. How would you assess audit risk and decide on your procedures?**

> **Answer:**
>
> - Inherent risk is high due to complex transactions and rapid change, increasing the chance of errors before controls are applied.
> - Control risk is also high, since the accounting system is new and staff are not yet experienced.
> - The auditor must keep overall audit risk low. Therefore, detection risk must be reduced by designing extensive and targeted audit procedures, such as larger sample sizes, more substantive tests, and increased supervision.

### **Worked Example 1.2**

**You assess an entity’s inherent risk as low, but identify weak segregation of duties in their sales system (high control risk). How does this influence detection risk and audit work?**

> **Answer:**
>
> - Even with low inherent risk, high control risk increases the risk of material misstatement.
> - Detection risk must be set lower—auditor should not rely on the system and should carry out more substantive procedures.
> - Audit work focuses less on confirming the effectiveness of controls and more on directly checking balances and transactions.

### **Exam Warning**

> A common mistake is to assume that the auditor can reduce audit risk to zero. This is not possible. Inherent limitations of an audit mean that some risk always remains, even when procedures are extensive.

### **Revision Tip**

> When assessing audit risk, always consider the type of financial statement assertion involved. High inherent risk areas, such as estimates or complex transactions, almost always require increased audit work.

## **Summary**

Audit risk is the chance that the auditor gives an incorrect opinion on materially misstated financial statements. It is made up of inherent risk (the nature of the business and its transactions), control risk (the effectiveness of the company’s controls), and detection risk (effectiveness of audit procedures). Only detection risk is controlled directly by the auditor, who responds by altering the amount and type of audit work. The audit risk model supports effective planning and helps ensure audit quality.

## **Key Point Checklist**

_This article has covered the following key knowledge points:_

- Define audit risk as the likelihood of an incorrect audit opinion on materially misstated financial statements
- Distinguish between inherent risk, control risk, and detection risk
- Recognize that overall audit risk is the product of these three risks
- Understand that detection risk is managed through planned audit procedures
- Identify how risk assessment shapes the nature, timing, and extent of audit work
- Explain why audit risk can never be entirely eliminated

## **Key Terms and Concepts**

- audit risk
- inherent risk
- control risk
- detection risk

Audit risk - Definition including inherent, control and detection risk