Audit Risk (AR): risk that auditor will opine (render an opinion) with an unqualified opinion when unknown to auditor, FS are materially misstated (ultimate risk)


Inherent Risk (IR): risk that errors (or misstatements or deviations) will occur," client‑controlled


Control Risk (CR): risk that client's internal control system will fail to prevent/ detect/correct errors ... client‑controlled


Detection Risk (DRI_ risk that auditor's procedures will fail to detect errors ... auditor‑controlled




Audit risk = inherent risk * control risk * detection risk


Audit risk: always set priority at a low level (.0 1, 05, 10)


Inherent risk: controlled by client ... function of type of business, degree of liquidity, complexity


Control risk: controlled by client ... relates to effectiveness of client's control system in preventing, detecting, and correcting errors.


Detection risk: controlled by auditor ... function of nature, timing, and extent of audit procedures applied ... allowable or acceptable


Solution Set:

          (1)      Detection risk = audit risk / (inherent risk * control risk)

(2)     Detection risk low ... the more evidence you have to collect

(3)     Detection risk high ... the less evidence you have to collect


Audit Risk: risk that auditor issues unqualified opinion when statements are materially misstated, audit risk and detection risk exactly related.  IR/CR and detection risk inversely related.


Mgmt Assertions:

(1)      existence or occurrence

(2)     completeness

(3)     rights and obligations

(4)     valuation

(5)     presentation and disclosure

*auditor's judgment about risks are based on assertions

*assertions translated to account balances, then create audit objectives and procedures


Inherent Risk Factors:

(1)      nature of activities (complexity)

(2)     regulatory nature

(3)     degree of estimates

(4)     competency and training of those reporting the financial statements

(5)     previous history with entity

(6)     preliminary analysis testing ( req'd by SAS in planning)…indicates areas where misstatements occur


Control Risk: SAS 78 requires auditor to document control risk assessment ... if controls are not working, control risk is assessed at maximum


Detection Risk: test of details and analytical procedures (ratios)... 1‑DR = confidence level... The detection risk cannot be lower than the audit risk (the highest of CR or IR):

(1)      If CR is moderate or low, test must be designed to prove it

(2)     IR - no implied tests, more efficient, doesn't require tests, simply document assessment


Inherent Risk Assessment:


(1)      IR for cash @ maximum level (not fraud, theft or misappropriations)… deal with error

(2)     What is the likelihood that client has goofed up enough transactions to materially misstate an account?

(3)           SAS 99 - must consider fraud or misappropriations in IR




Inherent Risk Assessment


Control Risk Assessment

Auditor must document


below maximum At maximum

auditor must document and test


SAS 78 – internal controls

SAS  – Audit Risk