Definition

Audit Risk is the risk that an auditor expresses an inappropriate opinion on the financial statements.

Explanation
Audit risk is the risk that an auditor issues an incorrect opinion on the financial statements. Examples of inappropriate
audit opinions include the following:

Issuing an unqualified audit report where a qualification is reasonably justified;

Issuing a qualified audit opinion where no qualification is necessary;

Failing to emphasize a significant matter in the audit report;

Providing an opinion on financial statements where no such opinion may be reasonably given due to a significant
limitation of scope in the performance of the audit.

Model
Audit Risk = Inherent Risk x Control Risk x Detection Risk
Audit risk may be considered as the product of the various risks which may be encountered in the performance of the
audit. In order to keep the overall audit risk of engagements below acceptable limit, the auditor must assess the level of
risk pertaining to each component of audit risk.

Components
Explanation of the 3 elements of audit risk is as follows:

Inherent Risk
Inherent Risk is the risk of a material misstatement in the financial statements arising due to error or omission as a result
of factors other than the failure of controls (factors that may cause a misstatement due to absence or lapse of controls are
considered separately in the assessment of control risk).
Inherent risk is generally considered to be higher where a high degree of judgment and estimation is involved or where
transactions of the entity are highly complex.
For example, the inherent risk in the audit of a newly formed financial institution which has a significant trade and
exposure in complex derivative instruments may be considered to be significantly higher as compared to the audit of a
well established manufacturing concern operating in a relatively stable competitive environment.

Control Risk
Control Risk is the risk of a material misstatement in the financial statements arising due to absence or failure in the
operation of relevant controls of the entity.
Organizations must have adequate internal controls in place to prevent and detect instances of fraud and error. Control
risk is considered to be high where the audit entity does not have adequate internal controls to prevent and detect
instances of fraud and error in the financial statements.
Assessment of control risk may be higher for example in case of a small sized entity in which segregation of duties is not
well defined and the financial statements are prepared by individuals who do not have the necessary technical knowledge
of accounting and finance.

Detection Risk
Detection Risk is the risk that the auditors fail to detect a material misstatement in the financial statements.
An auditor must apply audit procedures to detect material misstatements in the financial statements whether due to fraud
or error. Misapplication or omission of critical audit procedures may result in a material misstatement remaining
undetected by the auditor. Some detection risk is always present due to the inherent limitations of the audit such as the
use of sampling for the selection of transactions.
Detection risk can be reduced by auditors by increasing the number of sampled transactions for detailed testing.

Application
Audit risk model is used by the auditors to manage the overall risk of an audit engagement.
Auditors proceed by examining the inherent and control risks pertaining to an audit engagement while gaining an
understanding of the entity and its environment.
Detection risk forms the residual risk after taking into consideration the inherent and control risks pertaining to the audit
engagement and the overall audit risk that the auditor is willing to accept.

Where the auditor's assessment of inherent and control risk is high, the detection risk is set at a lower level to keep the
audit risk at an acceptable level. Lower detection risk may be achieved by increasing the sample size for audit testing.
Conversely, where the auditor believes the inherent and control risks of an engagement to be low, detection risk is allowed
to be set at a relatively higher level.

Example
ABC is an audit and assurance firm which has recently accepted the audit of XYZ. During the planning of the audit,
engagement manager has noted the following information regarding XYZ for consideration in the risk assessment of the
assignment:

XYZ is a listed company operating in the financial services sector

XYZ has a large network of subsidiaries, associates and foreign branches

The company does not have an internal audit department and its audit committee does not include any members
with a background in finance as suggested in the corporate governance guidelines

It is the firm's policy to keep the overall audit risk below 10%

Inherent risk in the audit of XYZ's financial statements is particularly high because the entity is operating in a highly
regularized sector and has a complex network of related entities which could be misrepresented in the financial
statements in the absence of relevant financial controls. The first audit assignment is also inherently risky as the firm has
relatively less understanding of the entity and its environment at this stage. The inherent risk for the audit may therefore
be considered as high.
Control risk involved in the audit also appears to be high since the company does not have proper oversight by a
competent audit committee of financial aspects of the organization. The company also lacks an internal audit department
which is a key control especially in a highly regulated environment. The control risk for the audit may therefore be
considered as high.
If inherent risk and control risk are assumed to be 60% each, detection risk has to be set at 27.8% in order to prevent the
overall audit risk from exceeding 10%.
Working
Audit Risk = Inherent Risk x Control Risk x Detection Risk
0.10 = 0.60 x 0.60 x Detection Risk
0.10 = Detection Risk = 0.278 = 27.8%
0.36

Business Risk - Definition

Business risks are the factors that could prevent or hinder the achievement of organizational goals and objectives.

Difference between Audit Risk and Business Risk

Business risks facing an organization can be wide-ranging and diverse. The ultimate business risk any organization faces
is the risk that it seizes to be a going concern. Business risks therefore comprise any factors that may contribute towards
business failure.
Examples of business risks include:

Loss of customers

Increase in production costs

Cash flow problems

Decline in product demand

Litigations and claims

Technological obsolescence

Increase in market competition

Decrease in profitability

Political and economic instability

Over trading

Inadequate financing

High financial risk

Risk of fraud and theft

Audit risk is the risk that the auditor expresses an inappropriate audit opinion on the financial statements. Audit risk
therefore includes any factors that may cause a material misstatement or omission in the financial statements.
Whereas business risks relate to the organization and its stakeholders, audit risk relates specifically to an auditor.
Although audit risks and business risks are dissimilar in nature, it is often the case that identification of significant
business risks lead to the detection of audit risks as we shall see in the following example.

Example
AM is the audit manager of Energy PLC, a company operating in the energy exploration and production sector. As part of
the risk assessment procedures during the planning for audit of Energy PLC, AM identified the following significant
matters while examining the minutes of a meeting of the Company's Board of Directors held at the start of the year.
Matter

Business Risks

The CFO apprised the Board of the

initiation of legal proceedings against
Energy PLC regarding damage caused to
a customer's pipelines as a result of the
supply of low quality gas by the Company.

The litigation may result in a significant Liabilities of Energy PLC might be

outflow of economic resources in the understated as a result of non
future.
recognition of the provision in respect of
the litigation.
Significant management time will also
need to be expended over the course Alternatively, the disclosure regarding
of the litigation.
contingencies may not adequately
disclose the effects of the pending
litigation.

The Board accepted the proposal of the

Finance Director to sell off a low
performing subsidiary of the Company
after two year.

The full worth of the subsidiary may notFinancial results of the subsidiary might
be realized by Energy PLC through the be manipulated to influence the market
sale transaction.
value of its shares prior to the sale
transaction.

The Finance Director remarked that the

current market price of the subsidiary's
shares is too low.

Related party transactions with the

subsidiary may be misrepresented in
order to improve the market perception
of financial performance of the
subsidiary.

CFO informed the Board about the

progress towards the finalization of the gas
sales agreement in respect of a gas field
which commenced production in the
preceding year.
CFO explained the basis of the provisional
price being charged to the customer at the
moment and that any price differential
arising on the determination of the final
price will be subsequently settled with the

The finalization of the gas sales

agreement may result in a significant
cash outflow in the form of a price
differential adjustment if the final price
determined is lower than the price
currently charged to the customer.

Audit Risks

Sales revenue is currently being

recognized on an estimate basis in
respect of the mentioned gas field. The
estimate may be biased and not based
on realistic assumptions regarding the
sales price.
The effect of provisional pricing and any
future revisions in price may not be
adequately disclosed in the financial

customer upon the finalization the gas

sales agreement.

statement.

The managing director apprised the Board The cost to be incurred on drilling of
Exploration and evaluation assets of the
regarding plans to drill a second
the second exploratory well may not be company may be overstated as a result
exploratory well in an area.
recoverable if a similar rock formation of the unsuccessful exploratory well
to the first well is discovered.
whose cost must be immediately
The drilling of the first exploratory well in
expensed in the income statement.
the same area in the previous period could
not be successful due to unsuitable rock
The cost incurred in the current period,
formation.
if any, on the second well may also not
be recoverable in which case the assets
of Energy PLC may be overstated.

Importance of considering business risks in audit planning

In view of the high profile accounting scandals in recent times, the role and responsibilities of auditors has been
questioned. In the particular instance of Enron, the company auditors, Arthur Anderson, were alleged to have lacked
sufficient understanding of the business, risks and exposures of the Company which ultimately caused them to overlook
the effects of Enron's aggressive accounting practices.
It is in view of such scandals that the adoption of a top down approach in auditing has been emphasized where the
auditor proceeds by gaining an understanding of the entity, its environment, significant business risks and how these risks
might translate into audit risks.
ISA 315 requires auditors to obtain an understanding of the entity and its environment in order to assess the risks of
material misstatement of financial statements. This reinforces the importance of obtaining a bird's eye view of the entity's
business and significant business risks by the auditor at the audit planning stage.