What is Audit Risk and How to Mitigate It?

Audit risk refers to the risk that an auditor may issue an incorrect opinion on the financial statements of an organization. It is important to understand that audit risk does not imply that the auditor will always make a mistake, but rather that there is a possibility of error or misstatement in the financial statements.


To better understand audit risk, let's consider an analogy. Imagine someone visits a doctor for a comprehensive health check-up. After running multiple diagnostics, the doctor concludes that the person is healthy and strong, like a horse. However, when they return home, they start experiencing severe pain and rush to the emergency room. The doctors there diagnose them with a blood clot in their lungs. In this scenario, the initial assessment by the doctor was incorrect, highlighting the possibility of a misdiagnosis.


Audit risk is divided into two components: the risk of material misstatements and detection risk.


Risk of Material Misstatements


The risk of material misstatements can occur at the financial statement level or at the assertion level. The risk of material misstatements at the financial statement level refers to the possibility of errors or fraud that could significantly impact the overall accuracy and reliability of the financial statements as a whole. The risk of material misstatements at the assertion level impacts specific assertions within the account balances, classes of transactions, or disclosures.


Let's consider an example to illustrate the risk of material misstatements at the financial statement level. Suppose a company records the purchase of property, plant, and equipment of $7 million as an expense in the income statement instead of capitalizing it. This misclassification understates the company's profit by $6 million ($7 million purchase cost minus $1 million depreciation expense, calculated by dividing the $7 million by the 7-year useful life), the tax liability by $2.2 million (based on a corporate tax rate of 37%), the carrying value of fixed assets in the balance sheet by $6 million, and the cash flows from operations and cash outflow from investing activities by $7 million.


The risk of material misstatements at the assertion level has two components: inherent risk and control risk.


Inherent Risk

Inherent risk refers to the susceptibility of an assertion about a class of transactions, account balance, or disclosure to contain material misstatements even before considering any controls. Think of inherent risk as the risk that account balances or classes of transactions would carry if the company did not institute controls. For example, cash is more likely to get stolen if the company fails to institute physical controls to protect it. Meanwhile, plants and machinery are less likely to get stolen if the company fails to protect them.


We normally perform walkthroughs on various cycles (revenue cycle, treasury cycle, etc.) to understand the processes and identify possible inherent risks and control gaps. When assessing inherent risks, we normally look at indicators of high inherent risk, summarized as MR HICCS (Management Integrity and Competence, Regulation and Legal Compliance, Historical Performance and Financial Stability, Industry-Specific Risks, Complexity of Transactions, Changes in the Business Environment, and Susceptibility to Fraud).


Control Risk

Control risk is the risk that a misstatement could occur in an assertion about a class of transactions, account balance, or disclosure, and that it will not be prevented, detected, and corrected in a timely manner by the company's system of internal controls. This may happen due to management overriding controls, collusion, poorly implemented controls, ineffective controls, or human errors.


For instance, let's say a company has controls in place that require the accounts payable team to match the invoice, purchase order, and goods received note before approving an invoice. However, the CEO or CFO decides to override this control for an invoice from a specific vendor (brother/sister or spouse), which is missing the necessary supporting documents. This control failure could result in the approval of an incorrect invoice. We normally assess control risk by reviewing the prior-year audit file to identify any history of control failures. We also select specific transactions from our walkthroughs and trace them through critical paths (Initiation, Recording, and Reporting) to identify instances of MIIL (Management Override of Controls, Inadequate Monitoring and Review, Ineffective IT Controls, Lack of Segregation of Duties) and confirm our understanding.


Detection Risk


Detection risk refers to the risk that the auditor fails to detect material misstatements in the financial statements during the audit. Detection risk is under the auditor's control. It is the risk that the auditor's procedures and tests do not detect existing misstatements. This normally happens when the auditor fails to look in the right direction. It is like going to the doctor with a headache and having the doctor run diagnostics on the fingernails. An athlete can run very fast, but if they run off track, they will likely lose the race. Detection risk is influenced by the effectiveness of the auditor's procedures and the sample size selected for testing. If the auditor wants to accept only a low detection risk, they would increase the sample sizes and perform more work. The auditor's testing procedures should target the risk the auditor is trying to address.

For example, if the auditor's intention is to address the risk relating to the existence of accounts receivable, they would send confirmations to customers or perform alternative procedures such as vouching invoices to subsequent payments received. Therefore, the completeness assertion is not a relevant assertion in this case. As such, tests or audit procedures should focus on addressing the risk that affects the assertion. That's why some people over-audit but still fail to address the risk.

Detection risk can be significantly reduced using automated audit techniques such as Robotic Process Automation (RPA) bots, Computer-Assisted Audit Tools, Natural Language Generation (NLG), and Data Analytics Tools.





In summary, audit risk is the risk that an auditor may issue an incorrect opinion on the financial statements. It is divided into the risk of material misstatements and detection risk. The risk of material misstatements can occur at the financial statement level or at the assertion level. Detection risk refers to the risk that the auditor fails to detect existing misstatements during the audit.


It is crucial for auditors to assess and address these risks effectively to ensure they arrive at the correct conclusion and issue the correct opinion. Auditors should consider risk assessments as the GPS that directs the overall audit procedures.


