To start a business and assume that it will never face risks is quite a mistake. There is no business that does not take risks. Depending on the line of business, there may be fewer or more of them. To some extent, auditing is also a risk. After completion of the audit, such risks as entrepreneurial and audit risks may arise.
The essence of entrepreneurial risk is that there may be a conflict between the auditor and the client, even if the audit’s conclusion is positive. As a result, there is a risk that the auditor’s work will fail. The entrepreneurial risk of the auditor depends significantly on the following: possible lawsuits against the auditor; the auditor’s competitiveness (professionalism); time of audit; financial condition of the client and his business operations; competence and knowledge of the staff and administration of the company, etc.
Audit risk is an assumed risk that an auditor may draw inaccurate or erroneous conclusions in his own analysis.
Audit risk components include:
Acceptable risk – the risk that the auditor is relatively willing to accept when verifying business transactions in order to collect and systematize data that confirm certain verification actions and procedures and that support (from the auditor’s point of view) the existing level of control risk (that is, when it is not at maximum, but decreased). If an auditor sets a lower level of audit risk for himself, it means that he wants to be more confident that the financial statements are not materially or fundamentally wrong. The level of acceptable audit risk may be influenced by:
- auditor’s competence;
- the financial condition of the company;
- the level of customers’ trust in the financial statements;
- scale of business and institutional-legal form of activity of the client;
- form of business ownership and its distribution in the authorized capital of the client;
- the nature and amount of its obligations;
- internal (own) control of the enterprise;
- bankruptcy probability.
An internal or integral risk is an auditor’s assumption that there may be an inaccuracy in the financial statements and that it may be greater than an acceptable amount for internal control. When determining the level of such an internal economic risk, internal control is not taken into account: as an independent element, it is already part of the audit risk. In assessing this component, the auditor should take into account:
- the direction and features of the client’s business;
- the integrity of the company’s management;
- the motives of the client’s behavior;
- the results of previous audits;
- primary and repeated audit;
- relationships with dependent and subsidiary enterprises;
- non-standard operations;
- professionalism and knowledge of the accounting staff;
- account balances and amounts by reporting line;
- quantity and composition of customer’s operations, etc.
Control risk – the auditor’s assumption that errors or inaccuracies in financial statements that are above the allowed amount will not be corrected or detected during the company’s internal control. The auditor seeks to assess the efficiency of the internal control processes of the company (client) at a level that is below 100% (maximum), treating this as an element of the audit plan.
Non-detection (search) risk – the degree to which the auditor is prepared to accept that the audit information to be collected and analyzed does not reveal errors (if any) that are higher than the allowed amount. This level of risk is determined by the number of certificates the auditor has planned to collect.
According to the audit activity standard «Materiality and audit risk», audit risk includes control risk, internal business risk and non-detection risk.
In practice, two main methods are used to assess audit risk:
- evaluative (intuitive);
- quantitative.
The evaluative (intuitive) method of assessing audit risk. The essence of this method is that, based on their knowledge and practice of working with clients, auditors rate audit risk, for the accounts in general or for individual operations, as high, probable, or unlikely. This assessment is used in future audit planning.
The quantitative method of assessing audit risk. The essence of this method is that it involves quantitative calculation using audit risk models, of which there are many. A model used in practice can be represented by the formula:
Ar = Br * Kr * Pr
where:
- Ar is audit risk;
- Br is inherent risk;
- Kr is control risk;
- Pr is the risk of non-detection.
According to the methodology, the audit risk assessment should begin with a list of identified risks of maladministration, with an assessment of their likelihood and the significance of their consequences. In the next stage, these risks are related to organizational units, existing controls, and positions of the company’s employees. The controls are then evaluated for intended effectiveness, and then the actual effectiveness of the controls is validated by the test results. At the end, the residual risks of significant distortion and the auditor’s response to them are identified.
The method proposed here for assessing the risks of bad faith is not the only one. Different methodologies and approaches can be applied, either completely or at the stage level.
But in any case, three important circumstances need to be taken into account:
- Industry and scale differences, as well as other factors, make it impossible to simplify the evaluation process for all organizations, so auditors constantly need to adjust their approaches depending on the activities and characteristics of the enterprise being audited.
- The more difficult the chosen evaluation method is, the more difficult it will be to apply it in practice.
- An assessment of any risk of maladministration as substantial, combined with a lack of adequate action by the auditor, is considered a clear violation of auditing standards.
The nature of the audit risk is that there is a risk that the auditor will form an erroneous or inaccurate conclusion as a result of not noticing policy distortions in the accounts or the conclusion. But the audit risk can be calculated: to do this, it is necessary to assess all its components, which reflect both the specifics of the audited company’s activity and the method used for testing. To reduce the identified audit risk (if it exceeds an acceptable value), control procedures are intensified.