What Is Audit Risk;How Does Its Works

Last time and two times before , I explained that it is important to understand the purpose of auditing and submit materials that match the auditing points set in the account to the auditor so as not to incur unnecessary auditing costs. In addition, I advised that even when a new transaction occurs, it is possible to receive an audit smoothly by making good use of the auditor.
This time, we will continue to explain the knowledge that audit responders need to know in order to reduce audit costs.

table of contents

  • How are audits conducted in the first place?
  • How is the risk approach done?
  • Relationship between specific risk assessment and audit procedures
  • What is inherent risk?
  • What is control risk?
  • Summary

How are audits conducted in the first place?

As explained last time, the auditor sets audit points for the accounts that make up the financial statements and verifies these audit points to ensure that the financial statements are properly prepared. ..
However, it is impossible for the auditor to verify all the transactions that the company has made throughout the year, both in terms of time and human resources.
As a result, audits focus on high-risk matters, that is, matters that are likely to be misrepresented in financial statements. Specifically, it means that measures will be taken such as allocating personnel with appropriate abilities and securing a large amount of audit time.
This method of auditing is called the “risk approach.”

How is the risk approach done?

The risk approach is expressed by the following conceptual formula.

Audit risk = inherent risk x control risk x discovery risk

Audit risk refers to the possibility that an auditor may overlook a material misstatement of financial statements and form a false opinion. In other words, auditors are required to keep this audit risk low.
The above formula shows that when audit risk is decomposed, it consists of inherent risk, control risk, and discovery risk.
Let me explain each risk.
Intrinsic risk is the risk of material misstatement if the company does not have internal controls.
The next control risk is that material misstatements may not be prevented by the company’s internal controls.
And discovery risk is the risk that important misstatements that are not prevented by the company’s internal control will not be discovered even if the auditor conducts an audit.
Auditors are required to keep audit risk low to a reasonable level, but among the components of audit risk, inherent risk is risk specific to the account, and control risk is risk that changes depending on the internal control of the company. Therefore, the auditor cannot raise or lower it.
Therefore, as an auditor, in order to keep the audit risk at a reasonably low level, the degree of discovery risk is determined and the audit procedure is carried out according to the results of evaluating the inherent risk and control risk.


Relationship between specific risk assessment and audit procedures

To explain this risk approach in detail, for example, if it is determined that both inherent risk and control risk are high for a certain matter, the auditor will focus on that matter in order to keep the discovery risk sufficiently low. We will carry out audit procedures.
The priority audit procedure is, for example, to assign personnel with appropriate abilities, secure a large amount of audit time, and carry out audits by combining various procedures.
From the perspective of the company, an increase in audit procedures means an increase in audit costs, so understanding the risk approach in audits and preparing for audits will lead to a reduction in audit costs. ..
Of the audit risks, the discovery risk is increased or decreased by the auditor, so it is impossible for the company to deal with it. Therefore, it is important to understand and respond to inherent risks and control risks in order to reduce audit costs.

What is inherent risk?

For example, suppose an audit point of “existence” is set for the account “cash”.
As I explained last time, reality is the point of auditing “does it really exist?”
Since the inherent risk assessment is a risk assessment in the absence of internal control, assets that are vulnerable to theft or embezzlement, such as cash, inevitably have a higher inherent risk.
On the contrary, for example, the reality of “land” would have a lower inherent risk.
However, even on the same land, if the audit point is “validity of evaluation”, the inherent risk may be high. In principle, land is recorded at acquisition cost, but it may be necessary to reflect the decline in value through impairment accounting.

What is control risk?

Control risk is the possibility that important misstatements cannot be prevented by the company’s internal control, so it can be kept low by properly maintaining and operating the internal control.
However, excessive internal control not only increases operating costs, but may also hinder the flexible management activities of companies, so it is important to develop and operate internal control according to the inherent risks.
For example, regarding the existence of cash, which is highly evaluated for its inherent risk, the person in charge of handling and the person in charge are clarified, and the person in charge reviews the cash account book created by the person in charge at an appropriate time and conducts an internal audit. Control risk can be kept low by establishing and operating strict internal controls, such as the fact that the actual amount is checked irregularly by departments.
This simplifies the audit process because the auditor does not have to overestimate the discovery risk.
On the other hand, if the land is considered to have low inherent risk, it may be possible to tolerate higher control risk and use simpler internal control.
Of course, internal control is not just for auditing, but building appropriate internal control is to achieve management objectives such as operational effectiveness and efficiency, legal compliance and asset conservation. It is also effective for.


As explained in this paper, the auditor evaluates the inherent risk for each audit point of the account and establishes and establishes internal control according to the degree of the inherent risk so that the auditor can raise the discovery risk to a reasonable level. It may be lowered to. As I said last time, the auditor also wants to carry out audits efficiently so as not to burden the company as much as possible.
As the discovery risk decreases, the corresponding audit procedure becomes simpler, and as a result, the cost for audit response can be reduced.
Currently, I think that your company also has internal control, but why not review it once from the perspective of inherent risk and control risk and try to reduce audit costs.


Leave a Comment