Audit risk - Risk-based approach to audit

Learning Outcomes

After reading this article, you will be able to define audit risk and explain its key components—inherent, control, and detection risk. You will understand the risk-based approach to auditing, including how auditors assess and respond to risk, and recognise why materiality and risk assessment are central to efficient audit planning and execution.

ACCA Foundations in Audit (FAU) Syllabus

For ACCA Foundations in Audit (FAU), you are required to understand the concepts of audit risk and the risk-based approach for effective audit planning. This article addresses the following syllabus points relevant for your revision:

  • Define audit risk, including inherent, control, and detection risk
  • Explain the risk-based approach to an audit assignment
  • Understand the role and calculation of materiality in planning and performing an audit
  • Identify how auditors obtain knowledge of the entity and its environment to assess risk
  • Describe the process of assessing and responding to risks of material misstatement
  • Recognise the link between audit risk and audit evidence requirements

Test Your Knowledge

Attempt these questions before reading this article. If you find some difficult or cannot remember the answers, remember to look more closely at that area during your revision.

  1. Which of the following best describes audit risk?
    1. The risk that the client's financial statements show a loss
    2. The risk that the auditor issues an inappropriate opinion when the financial statements are materially misstated
    3. The risk that the accountant makes an error when preparing the accounts
    4. The risk of fraud occurring in the company
  2. What is 'inherent risk' in the context of audit risk?
    1. The risk that controls fail to detect a misstatement
    2. The risk due to auditor error
    3. The susceptibility to misstatement before considering controls
    4. The risk arising from audit sampling
  3. True or false? Detection risk can be reduced by increasing the quality and quantity of audit procedures.

  4. List the three components of audit risk and provide one practical example of each.

  5. Briefly explain the main objective of a risk-based approach to audit planning.

Introduction

Before an auditor begins detailed audit testing, it is essential to plan the audit to ensure resources are allocated efficiently and risks are managed. The risk-based audit approach means identifying and focusing audit work on the areas most likely to result in material misstatements within the financial statements. This concept is central to modern auditing standards and enables the auditor to achieve a high level of assurance while remaining effective and efficient.

Understanding audit risk and its components helps auditors to plan work that addresses the highest risks, avoid unnecessary procedures, and support a well-founded opinion on the truth and fairness of the financial statements.

Key Term: audit risk
The risk that the auditor expresses an inappropriate audit opinion when the financial statements are materially misstated.

The Three Components of Audit Risk

Audit risk is commonly seen as made up of three interconnected components: inherent risk, control risk, and detection risk.

  • Inherent risk refers to the chance of a material misstatement occurring due to the nature of the business or transaction, before considering any internal controls.
  • Control risk is the risk that a material misstatement will not be prevented or detected and corrected by the entity’s internal controls.
  • Detection risk is the chance that the auditor’s procedures fail to detect a material misstatement that exists.

Key Term: inherent risk
The susceptibility of a financial statement assertion to material misstatement, before considering any related controls.

Key Term: control risk
The risk that a material misstatement will not be prevented or detected and corrected on a timely basis by the entity’s internal controls.

Key Term: detection risk
The risk that the procedures performed by the auditor will not detect a misstatement that exists and that could be material, individually or in aggregate.

Audit risk is often expressed as:

$$\text{Audit risk} = \text{Inherent risk} \times \text{Control risk} \times \text{Detection risk}$$

The auditor aims to reduce audit risk to an acceptably low level by properly assessing risks and planning sufficient audit procedures.

Risk-Based Approach to an Audit

The risk-based approach, as required by International Standards on Auditing (ISA 315 and 330), directs audit effort toward areas of higher assessed risk of material misstatement. The auditor undertakes the following steps:

  • Obtains an understanding of the entity, its environment, and its internal control system
  • Identifies and assesses the risks of material misstatement at both the financial statement and assertion level
  • Designs audit procedures that directly address the most significant risks

This allows auditors to focus resources on the areas most likely to contain errors or fraud, improving audit effectiveness and efficiency.

Key Term: risk-based approach
An audit strategy involving the identification, assessment, and targeted response to areas with increased risk of material misstatement.

Understanding the Entity and Its Environment

Risk assessment begins with gaining an in-depth understanding of:

  • The client’s industry, regulatory environment, and internal controls
  • Past financial performance and management’s objectives
  • How transactions are processed and recorded

Auditors use these observations to identify where inherent risk or control risk may be particularly high. For example, complex estimates, rapid changes in business, or reliance on manual processes may increase the risk of misstatement.

Sources of information for this assessment include:

  • Enquiry of management and staff
  • Analysis of prior financial statements and budgets
  • Review of board minutes and major contracts

Assessing and Responding to Risk

Once risks have been identified and assessed, auditors must tailor their responses:

  • For higher-risk areas, more extensive or detailed audit procedures are needed
  • Detection risk should be reduced in these areas by increasing sample sizes, performing additional tests, or involving more experienced staff
  • Lower-risk areas may require less work

Key Term: significant risk
A risk of material misstatement, identified by the auditor's judgement, requiring special audit consideration.

Materiality must be considered alongside risk: for items that are both high-risk and material in size or nature, rigorous testing is warranted.

Role of Materiality in Risk Assessment

Materiality represents the threshold above which missing or misstated information could influence users’ decisions. The auditor must:

  • Set an overall materiality level for the financial statements
  • Establish a lower 'performance materiality' for audit work, to account for aggregate or undetected misstatements

Materiality affects the design and scope of audit procedures but must always be considered in conjunction with risk assessments.

Key Term: materiality
Information is material if its omission or misstatement could influence the decisions that users make based on the financial statements.

Responding to Assessed Risks: Practical Examples

For significant risks identified during audit planning, auditors may:

  • Assign experienced staff to high-risk audit sections
  • Increase the size and depth of samples for testing
  • Perform more substantive procedures, such as confirmations or recalculations
  • Use external specialists (e.g., for valuations or technical estimates)
  • Increase supervision and review of audit work in these areas

Worked Example 1.1

Scenario:
Pacific Ltd operates internationally and has recently developed new products involving complex accounting estimates for warranty provisions. The auditor identifies this area as high inherent risk due to estimation uncertainty.

Question:
How should the audit team respond to the elevated risk in this area?

Answer:

  • Increase the focus on warranty provisions during the audit
  • Review and test management's estimation methods and calculations
  • Obtain external evidence, such as historical claim data or industry statistics
  • Consider using an expert if needed
  • Lower detection risk through additional substantive procedures (such as recalculation, review of post-year-end claims, and direct enquiries)

Worked Example 1.2

Scenario:
The auditor of Green Thumb Co identifies that revenue recognition processes are largely manual and significant transactions occur near the year-end.

Question:
Explain how the risk-based approach guides the auditor’s work on revenue.

Answer:

  • The manual processes and timing of transactions increase control and cut-off risk
  • The auditor plans extensive substantive testing on year-end revenue
  • Performs detailed cut-off tests, traces transactions from source documents to ledgers, and tests for unrecorded sales
  • Takes a larger sample of transactions to reduce detection risk
  • Allocates more experienced staff to this section of the audit

Exam Warning

It is a common error to focus only on inherent risk or internal controls and overlook detection risk. Remember, detection risk is within the auditor’s control and directly influenced by the nature, timing, and extent of audit procedures. Always tailor your response to the level of risk previously assessed.

Summary

Audit risk is the risk of an incorrect audit opinion due to the presence of a material misstatement. It consists of inherent risk, control risk, and detection risk—each must be considered separately and together. The risk-based audit approach ensures that audit efforts are targeted where errors are most likely or most impactful. This is essential for efficient, compliant, and effective audits.

Key Point Checklist

This article has covered the following key knowledge points:

  • Define audit risk and its three elements: inherent, control, and detection risk
  • Explain the risk-based audit approach and why it is used
  • Recognise the importance of understanding the client’s business in assessing risk
  • Relate materiality to audit risk and its role in audit planning
  • Describe how auditors respond to identified risks with targeted audit procedures
  • Identify the link between assessed risk and detection risk in designing audit work

Key Terms and Concepts

  • audit risk
  • inherent risk
  • control risk
  • detection risk
  • risk-based approach
  • significant risk
  • materiality
