Professional Documents
Culture Documents
Inherent Risk: Inherent Risk is the risk of a material misstatement in the financial statements
arising due to error or omission as a result of factors other than the failure of controls (factors that
may cause a misstatement due to absence or lapse of controls are considered separately in the
assessment of control risk). Inherent risk is generally considered to be higher where a high degree
of judgment and estimation is involved or where transactions of the entity are highly complex.
Control Risk; Control Risk is the risk of a material misstatement in the financial statements
arising due to absence or failure in the operation of relevant controls of the entity.
Risk of material misstatement is defined as ‘the risk that the financial statements
are materially misstated prior to audit.
It is the risk that a misstatement that could occur in an assertion about a class of transaction,
account balance or disclosure and that could be material, either individually or when aggregated
Organizations must have adequate internal controls in place to prevent and detect instances of
fraud and error. Control risk is considered to be high where the audit entity does not have
adequate internal controls to prevent and detect instances of fraud and error in the financial
statements. Assessment of control risk may be higher for example in case of a small sized entity
in which segregation of duties is not well defined and the financial statements are prepared by
individuals who do not have the necessary technical knowledge of accounting and finance.
Detection Risk: Detection Risk is the risk that the auditors fail to detect a material misstatement
in the financial statements. It is the risk that the procedures performed by the auditor to reduce
audit risk to an acceptably low level will not detect a misstatement that exists and that could be
material, either individually or when aggregated with other misstatements.
An auditor must apply audit procedures to detect material misstatements in the financial
statements whether due to fraud or error. Misapplication or omission of critical audit procedures
may result in a material misstatement remaining undetected by the auditor. Some detection risk is
always present due to the inherent limitations of the audit such as the use of sampling for the
selection of transactions.
Detection risk can be reduced by auditors by increasing the number of sampled transactions for
detailed testing.
Where the auditor's assessment of inherent and control risk is high, the detection risk is set at a
lower level to keep the audit risk at an acceptable level. Lower detection risk may be achieved by
increasing the sample size for audit testing. Conversely, where the auditor believes the inherent
and control risks of an engagement to be low, detection risk is allowed to be set at a relatively
higher level
Risk Matrix
3. Audit prioritization:
Audit prioritization of risk areas based on the level and direction of risk. The direction of risk
is assessed by comparing the risk matrix of two different periods and reviewing their
movement from one cell to another.
4. Conducting detailed information systems audit of selected areas: The information systems
auditor will conduct substantive testing for all high-risk areas. The auditor should note the
details of the findings in each area of audit and maintain working papers describing the tests
conducted and results observed.
5. Reporting: The risk-based information systems audit report will generally contain auditor’s
findings and observations regarding deviations from standard guidelines. The highlight of the
report of risk-based information systems audit will be an assessment of the impact of the audit
findings on risk exposure of the auditee. The auditor, in addition to bringing to the fore the
errors and deviations observed, will comment on the impact of those findings on the risk
matrix.
Sampling risk is the risk that the sample chosen does not appropriately reflect the population as a
whole, ie risk that the auditors’ conclusions based on a sample may be different from the
conclusion they would reach if they examined every item in the population
Audit Sampling risk” arises from the possibility that the auditor’s conclusion, based on a sample
may be different from the conclusion reached if the entire population were subjected to the same
audit procedure. There are two types of Audit sampling risk:
1) The risk the auditor will conclude, in the case of a test of controls, that controls are more
effective than they actually are, or in the case of a test of details, that a material error does not
exist when in fact it does. This type of risk affects audit effectiveness and is more likely to
lead to an inappropriate audit opinion; and
2) The risk the auditor will conclude, in the case of a test of controls, that controls are less
effective than they actually are, or in the case of a test of details, that a material error exists
when in fact it does not. This type of risk affects audit efficiency as it would usually lead to
additional work to establish that initial conclusions were incorrect.
Non-sampling risk
risk pertaining to non-sampling errors
Can be reduced to low levels through effective planning and supervisions of audit
engagements