Audit risk structure. Audit risk: concept, types and assessment. Conducting an audit in practice

Auditor risk (audit risk) means the likelihood that the financial statements of an economic entity contain undetected material errors and/or distortions after their accuracy has been confirmed, or the likelihood of concluding that they contain material misstatements when in fact there are no such distortions in the financial statements.

Audit risk consists of three components:

  1. inherent (intra-business) risk;
  2. control risk;
  3. risk of non-detection.

To analyze the components, let’s present audit risk in the form of a simplified preliminary model:

where:

  • PAR is the acceptable audit risk (relative value). It expresses the extent to which the auditor is willing to accept that the financial statements may contain significant errors after the audit has been completed and a positive audit opinion has been given;
  • VR is the inherent (intra-business) risk (relative value). It expresses the probability that an error exceeding the permissible value exists before the internal control system is checked;
  • RK is the control risk (relative value). It expresses the probability that an existing error exceeding the permissible value will be neither prevented nor detected by the internal control system;
  • RN is the risk of non-detection (relative value). It expresses the likelihood that the audit procedures used and the evidence to be collected will not detect errors exceeding the acceptable value.

When applying an audit risk model when planning an audit, the auditor can use the following methods.

The first method will help in assessing the plan in terms of the auditor's skill level.

For example, the auditor believes that inherent risk is 80%, control risk is 50% and detection risk is 10%. After simple calculations we get an audit risk value of 4%.

If the auditor has concluded that the acceptable level of audit risk in this case should not exceed 4%, then he may consider the plan acceptable. Such a plan may help the auditor obtain an acceptable level of audit risk, but it is ineffective.

To create a more effective plan, a second way to calculate risk is to determine the risk of non-detection and the corresponding amount of evidence to be collected. For these purposes, the audit risk model is transformed as follows:

Returning to the previous example, suppose that the auditor had established an acceptable audit risk of 5%, so that the audit plan could be modified to accommodate the need to match the amount of evidence to be selected with a detection risk of 10% because

With this form of risk model, the key factor is the risk of non-detection, since it predetermines the amount of evidence required. The amount of evidence required is inversely proportional to the level of detection risk: the lower the level of detection risk, the more evidence is required.

Based on the audit risk model, we can conclude that there is a direct relationship between acceptable audit risk and detection risk, as well as an inverse relationship between acceptable audit risk and the planned amount of evidence to be collected. For example, if the auditor decides to reduce the level of acceptable audit risk, he thereby reduces detection risk and increases the amount of evidence to be collected.

The third (more general) way of using an audit risk model is intended only to remind the auditor of the relationship between various risks and the relationship of risks to evidence. Understanding these relationships is important for organizing the collection of the required amount of evidence. To understand these connections, let's take a closer look at each component of the audit risk model.

Acceptable audit risk is a subjectively determined level of risk that the auditor is willing to take on. If the auditor determines for himself a lower level of audit risk, this will mean that he is seeking greater confidence that the financial statements do not contain material errors.

The amount of acceptable audit risk can be expressed by the ratio:

Zero risk means the auditor has complete confidence that the financial statements do not contain material errors.

The auditor cannot guarantee the complete absence of significant errors. Most auditors believe that the amount of acceptable audit risk should not exceed 5%.

The following main factors may influence the amount of acceptable audit risk:

  • level of auditor competence;
  • financial condition of the auditor;
  • the degree of confidence of external users in financial statements;
  • scale of the client's business;
  • organizational and legal form of the client;
  • form of ownership and its distribution in the client’s authorized capital;
  • the nature and amount of the client’s obligations;
  • the level of internal control of the client;
  • probability of bankruptcy for the client, etc.

The auditor must conduct an examination of the client and assess the significance of each factor influencing the level of risk. Based on the examination and assessment of factors, the auditor will be able to subjectively determine the level of risk, asserting that the financial statements may contain significant errors even after the end of the audit. During the audit process, the auditor receives additional information about the client and can change his assessment of the acceptable level of audit risk. In cases where the auditor believes that the likelihood of bankruptcy of the client is high and, in connection with this, the auditor's business risk increases, it is necessary to reduce the level of acceptable audit risk.

Any business activity carries certain risks. Auditing is no exception. Audit risk is the risk that the auditor will make erroneous conclusions in his report. Let's consider the types of audit risk and ways to assess it.

Types of audit risk

Audit risk consists of components, which include:

  1. Intra-business (inherent) risk. This is the likelihood of distortions in accounting or reporting due to the characteristics of the audited entity as a whole. This risk depends on the characteristics of the industry and a particular enterprise, the qualifications of personnel, as well as the possibility of external pressure on management and performers.
  2. Control risk is the likelihood that the enterprise’s existing accounting and internal control system is not reliable enough and does not guarantee the correct reflection of all transactions in the accounts.
  3. The risk of non-detection, unlike the two previous types, is associated not with the subject being audited, but with the work methods of the auditor himself. It represents the likelihood that the auditor's control procedures will not detect misstatements in accounting or reporting.

Methods for assessing audit risk and ways to reduce it

Audit risk is assessed using two main methods:

Estimative or intuitive method. In this case, the risk is assessed by the auditor expertly, based on his professional experience and available information about the subject being audited. Based on the results of the expert assessment, a conclusion is given on the level of risk. For this, as a rule, a rating scale is used, consisting of three levels - high, medium and low.

Quantitative method. In this case, audit risk is calculated using a formula that takes into account the influence of all its components. In the standard calculation method, all indicators that make up the audit risk are multiplied by each other. The formula in this case will look like this:

  • AR = Rv. x Rk. x Rn.,
  • where Rv., Rk. and Rn. are, respectively, the inherent (intra-business), control and non-detection risks.

Since only the risk of non-detection depends on the auditor himself, another model is often used when the emphasis is shifted to calculating this particular type of risk:

  • Rn. = AR / (Rv. x Rk.)

Standard values of audit risk are not established by law in the Russian Federation. Most experts in this field believe that it should be 5% or less; in this case the formula takes the following form:

  • Rn. = 5% / (Rv. x Rk.)

Thus, when planning an audit, the auditor must first of all assess those risks that he cannot influence, i.e. inherent and control risk. Then, based on the target (acceptable) value of the overall audit risk, he determines the acceptable level of detection risk.

If it turns out that the level of this risk is too high, measures must be taken to reduce it. To do this, auditors use the following methods:

  • increasing the intensity of audit procedures performed, both by increasing the number and by modifying them;
  • increasing the duration of the inspection;
  • growth in the volume of audit samples.

Conclusion

The concept of audit risk is the risk that the auditor will give an erroneous conclusion without noticing significant misstatements in accounting or reporting. In order to determine how to calculate audit risk, it is necessary to evaluate all its components related to both the characteristics of the entity being audited and the audit methodology used. If the calculated audit risk exceeds the acceptable value, then intensification of control procedures is used to reduce it.

The types and procedure for determining audit risk are reflected both in the International Standard on Auditing ISA 400 and in the Russian Federal Standard No. 8 “Risk Assessment and Internal Control Performed by the Audited Entity.”

Auditor risk (audit risk) means the likelihood of the presence in the financial statements of an economic entity of undetected significant errors and (or) distortions after confirming its accuracy or the likelihood of recognizing significant misstatements in it, while in fact there are no such distortions.

The auditor should use his or her professional judgment to assess audit risk and design the audit procedures necessary to reduce that risk to an acceptably low level.

Audit risk refers to the risk of expressing an inappropriate audit opinion when the financial statements contain material misstatements.

Audit risk is the business risk of the auditor (audit firm), which is an assessment of the risk of ineffectiveness of the audit. Audit risk is based on an assessment of the risk of ineffectiveness of the client's accounting system, the risk of ineffectiveness of the client's internal control system, and the risk of auditors not identifying the client's errors.

Audit risk has three components: inherent risk; control risk; risk of non-detection.

The auditor is required to study these risks during the course of work, evaluate them and document the results of the assessment.

Auditing organizations may decide to use a greater number of gradations in their activities when assessing risks or to use quantitative indicators (percentages or fractions of a unit) to assess risks.

When conducting an audit, the auditor must take the necessary steps to reduce audit risk to a reasonable minimum level.

Inherent risk reflects the susceptibility of an account balance or group of similar transactions to misstatements that could be material, individually or when aggregated with misstatements in other account balances or groups of similar transactions, assuming that adequate internal controls are not in place.

Inherent risk characterizes the degree of exposure to significant violations of an accounting account, balance sheet item, a similar group of business transactions and reporting in general for the economic entity being audited.

When developing the overall audit plan, the auditor should evaluate the inherent risk at the accounting level. In developing the audit program, the auditor should relate the assessment to significant account balances and groups of similar transactions at the assertion level or assume that the inherent risk in relation to a given assertion is high.

To assess inherent risk, the auditor relies on his or her professional judgment to take into account numerous factors, such as:

at the level of financial statements:

  • experience and knowledge of management, as well as changes in its composition over a certain period, for example, inexperience of management may affect the preparation of the financial statements of the audited entity;
  • unusual pressure on management, for example, circumstances due to which management may be inclined to distort financial statements, such as a large number of bankruptcies of enterprises in a given industry or a lack of capital necessary for the further activities of the entity;
  • the nature of the entity’s business, for example, the potential for technical obsolescence of its products and services, the complexity of the capital structure, the importance of related parties, as well as the number of production facilities and their geographical distribution;
  • factors affecting the industry to which the entity belongs, for example, the state of the economy and competitive conditions, reflected in financial trends and indicators, as well as changes in technology, consumer demand and accounting policies specific to this industry;

at the level of account balance and group of similar transactions:

  • accounting accounts that may be subject to distortion, for example, items that required adjustments in previous periods or associated with a large role of subjective assessment;
  • the complexity of the underlying transactions and other events that may require the involvement of experts;
  • the role of subjective judgment required to determine account balances;
  • exposure of assets to loss or misappropriation, for example, the most attractive and mobile assets, such as cash;
  • completion of unusual and complex transactions, especially at or near the end of the reporting period;
  • operations that are not subject to normal processing.

When assessing inherent risk, the auditor may use audit data from previous years, but must ensure that it is also valid for the year being audited.

Control risk means the risk that a misstatement that may occur in an account balance(s) or group of similar transactions, which may be material individually or when aggregated with misstatements in other account balances or groups of similar transactions, will not be prevented in a timely manner or detected and corrected through accounting and internal control systems. Control risk characterizes the degree of reliability of the accounting system and internal control system of an economic entity.

Reliability of controls and risk of controls are complementary categories: high reliability corresponds to low risk, low reliability corresponds to high risk. Preliminary assessment of control risk is the process of determining the effectiveness of the entity's accounting and internal control systems in terms of preventing or detecting and correcting significant distortions. Some control risk always exists due to the limitations inherent in any accounting and internal control system.

After the auditor understands the accounting and internal control systems, it is necessary to conduct a preliminary assessment of control risk at the assertion level for each significant account balance or group of similar transactions.

Based on some or all of the assumptions, control risk is generally assessed by the auditor as high when the entity's accounting and internal control systems are not effective and an assessment of the effectiveness of the entity's accounting and internal control systems is not appropriate.

The preliminary assessment of control risk in relation to an accounting assertion should be high unless the auditor can identify specific internal controls relevant to that assertion that are likely to prevent or detect and correct material misstatements and plans to perform tests of controls to confirm the assessment.

Audit working papers reflect the understanding and assessment of control risk. The auditor is required to set out his or her understanding of the entity's accounting and internal control systems and assessment of control risk. If the control risk assessment is less than high, the rationale for this conclusion should also be reflected in the working documents.

There are various methods for documenting information related to accounting and internal control systems. The choice of a particular method is a matter of auditor judgment. Common methods, used alone or in combination, include narrative (text) description, questionnaires, checklists and flow charts. The size and complexity of an entity's structure, as well as the nature of its accounting and internal control systems, influence the form and extent of documentation. As a general rule, the more complex an entity's accounting and internal control systems and the more extensive the audit procedures, the greater the auditor's documentation volume.

Tests of controls are performed to obtain audit evidence regarding the effectiveness of the design of the accounting and internal control systems, i.e. how well they are designed to prevent or detect and correct material misstatements, and the effectiveness of internal controls during the period under review.

Some procedures performed to obtain an understanding of accounting and internal control systems may not be specifically designed as tests of controls, but may provide audit evidence regarding the effectiveness of the design and operation of internal controls. Thus, such procedures can serve as tests of controls. For example, in obtaining an understanding of the accounting and internal control systems for cash, the auditor can obtain evidence regarding the effectiveness of the bank reconciliation process through inquiries and observation.

If the auditor concludes that the procedures performed to understand the accounting and internal control systems provide audit evidence, the auditor may use that audit evidence if it is sufficient to support the assessment of control risk at a level less than high.

Tests of controls include:

  • reviewing documents supporting transactions and other events to obtain audit evidence regarding the proper application of internal controls in practice, for example, the existence of authorization to carry out a transaction;
  • sending inquiries and monitoring the use of internal controls that do not leave documentary evidence for audit, for example, determining the actual performer of a function, and not who is supposed to perform it;
  • re-application of internal controls, such as bank reconciliations, to ensure that these actions were performed correctly by the entity.

The auditor needs to obtain audit evidence by performing tests of controls to support any assessment of control risk that is less than high. The lower the control risk assessment, the more evidence the auditor needs to obtain regarding the proper design and effective operation of the accounting and internal control systems.

Detection risk refers to the risk that the substantive audit procedures will not detect a misstatement in an account balance or group of transactions that could be material, individually or when aggregated with misstatements in other account balances or groups of transactions.

The risk of non-detection is an indicator of the effectiveness and quality of the auditor’s work and depends on the procedure for conducting a specific audit, as well as on the qualifications of the auditors and the degree of their previous familiarity with the activities of the economic entity being audited.

The auditor is obliged, based on an assessment of intra-business risk and the risk of control means, to determine the risk of non-detection that is acceptable in his work and, taking into account minimization of the risk of non-detection, to plan appropriate audit procedures.

The level of detection risk is directly related to the audit's substantive procedures. The assessment of control risk, along with the assessment of inherent risk, influences the nature, timing and extent of substantive audit procedures performed to reduce detection risk and, therefore, reduce audit risk to an acceptably low level. But even if the auditor were to examine all account balances or transactions of the same type in a given group, a certain detection risk will always be present, in particular because the majority of audit evidence only provides evidence in support of a certain conclusion and is not exhaustive.

The auditor should consider the assessed levels of inherent and control risk in determining the nature, timing and extent of substantive procedures necessary to reduce audit risk to an acceptably low level. In this regard, the auditor considers:

  • the nature of the substantive procedures, for example, conducting tests that focus on independent parties outside the entity rather than on employees or documentation within the entity, or conducting detailed tests in addition to analytical procedures to address a specific audit objective;
  • the time frame for performing substantive verification procedures, for example, carrying out these procedures at the end of the reporting period, and not at an earlier date;
  • the scope of substantive testing procedures, for example the use of a larger sample size.

There is an inverse relationship between detection risk, on the one hand, and the combined level of inherent and control risk, on the other hand. For example, if inherent and control risk are high, then acceptable detection risk should be low to reduce audit risk to an acceptably low level. If, on the other hand, inherent and control risk are low, the auditor can accept higher detection risk and still reduce audit risk to an acceptably low level.

Table 1 shows how the acceptable level of detection risk can vary depending on assessments of inherent and control risk.

Table 1 - Analysis of non-detection risk level factors

Although tests of controls and verification procedures differ in their substantive objectives, the results of some procedures may contribute to the achievement of the objectives of others. Misstatements discovered during substantive procedures may cause the auditor to change his previous assessment of control risk.

The old rule (standard) (“Materiality and Audit Risk 1998”) provides the following definition of audit risk.

Auditor risk (audit risk) means the likelihood that the financial statements of an economic entity may contain undetected material errors and (or) distortions after confirming their accuracy, or the likelihood of recognizing that they contain material misstatements when in fact there are no such distortions in the financial statements.

Audit risk refers to the risk of expressing an inappropriate audit opinion when the financial statements contain material misstatements.

Audit risk is the risk that the auditor will express an inappropriate audit opinion when there are material misstatements in the financial (accounting) statements.

Depending on the sources, all risks can be divided into external and internal.

External risks include:

    legislative, caused by the tightening of existing provisions of regulations (laws, Government resolutions, etc.) in the field of finance, taxes, ecology, customs law, etc.;

    political - for example, military actions, previously unforeseen export restrictions;

    macroeconomic, related to the development of economic processes in the world and the country. These are inflationary, currency, interest, etc. risks. For example, a sharp increase in the exchange rate of a foreign currency against the national currency can lead to losses for the company if it enters into a contract with a foreign supplier of materials;

    natural – possible natural disasters (fires, earthquakes, etc.) and environmental pollution;

    regional, related to the state of individual regions, local legislation, etc.;

    sectoral, depending on industry development trends, including public opinion. For example, there may be a refusal to consume products produced by the organization that contain high levels of cholesterol.

The internal risks include the following:

    investment risks that pose a potential threat of failure to achieve the planned result. For example, incorrectly formulated goals and objectives encountered when developing strategic as well as short-term plans of the company can cause the planned profit not to be received;

    commercial risks caused by changes in the market situation. For example, competitors pose a constant threat of reduced sales and overall loss of business; buyers and customers pose a threat of late payment for shipped and sold products, and may also fail to fulfill other conditions of concluded contracts, etc.;

    production risks associated with the peculiarities of production organization at a particular enterprise. The sources of this type of risk can be employees (it is human nature to make mistakes, periodically suffer from illnesses, organize strikes, commit disciplinary offenses, including dishonesty in the performance of their official duties; dishonest employees can commit forgery, theft, and other economic crimes), machines and equipment (if production capacity is overloaded, they may fail), suppliers and contractors (they may not deliver the required amount of inventory or demand an unreasonably high price under the contract), etc.

Based on the presented classification, all risks of an organization can be divided into four main types:

1) risks with relatively small negative consequences and a low degree of probability of their occurrence;

2) risks that can cause significant negative consequences for the organization, but have a low probability of adverse events occurring;

3) risks with relatively small negative consequences, but with a high probability of their occurrence;

4) the most dangerous risks are those for which the likelihood of adverse events occurring is high and the consequences are significant.

There are two main methods for assessing audit risk:

1) evaluative (intuitive);

2) quantitative.

The assessment (intuitive) method, most widely used by Russian audit firms, is that auditors, based on their own experience and knowledge of the client, determine audit risk based on reporting as a whole or individual groups of transactions as high, probable and unlikely and use this assessment in audit planning.

The quantitative method involves the quantitative calculation of numerous audit risk models.

In accordance with Federal Rule (Standard) No. 8 “Understanding the activities of the audited entity, the environment in which it is carried out, and assessing the risks of material misstatement of the audited financial (accounting) statements”, two components of audit risk are distinguished using the quantitative method:

    risk of material misstatement;

    risk of non-detection.

AR = RSI x RN,

where RSI is the risk of material misstatement,

RN - risk of non-detection.

The risk of material misstatement can be defined as the ratio of audit risk to detection risk or as the product of intracompany risk (inherent) and control risk.

Audit risk is the risk that the auditor will express an inappropriate audit opinion when there is a material misstatement in the financial statements.

This is standard No. 8. It complies with the international standard ISA 330 and ISA 315.

Audit risk depends on 2 components:

1. The risk of material misstatement is the risk that the financial statements have already been misstated before the audit begins.

2. Non-detection risk is the risk that the auditor will not detect such misstatements in the financial statements.

Audit risk consists of 3 parts:

1. Inherent risk.

2. Control risk.

3. Risk of non-detection.

Inherent risk (intrabusiness risk) is the exposure of the balance of funds in the accounting accounts or some group of similar transactions to distortion, which can be significant (individually or together), in the absence of the necessary internal controls.

Internal control risk (see printout).

Risk of non-detection:

1. Risk of analytical procedures - inspection, study of records, documents, inspection of tangible assets, observation (study of the actions of other persons), inquiry, analytical procedures (study of financial and economic indicators of the company’s activities, comparison of these indicators).

2. Risk of detailed tests of transactions and account balances.

3. Risk of sampling method.

The appendix to Standard 8 (Appendix 3 to Standard 8) sets out conditions and events that may indicate a risk of material misstatement exists.

Internal control system is a set of organizational measures, methods and procedures adopted by the management of an organization for the orderly and efficient conduct of business activities, which also includes supervision and verification of:

1. Compliance with laws.

2. Accuracy and completeness of accounting.

3. Asset safety

4. Execution of orders and instructions, etc.

It includes:

1. Accounting system.

2. Control environment. This concept characterizes the general attitudes, awareness and practical actions of the management of the audited organization aimed at developing internal control. It includes:

a. Basic principles of organization management.

b. Organizational structure of the organization.

c. Personnel policy and practice.

d. Distribution of responsibilities and powers, etc.

3. Separate controls.

Examples of internal controls:

1. Inventory.

2. Registration of documents in special journals.

3. Counter mutual checks of accounting records.

4. Continuous numbering of created documents, etc.

Unlike the risk of material misstatement, detection risk characterizes the effectiveness and quality of the auditor’s work and depends on the procedure for conducting a particular audit and the level of the auditor.



Methods for assessing audit risk:

1. Evaluative (intuitive) – auditors, based on their own professional experience and understanding of the activities of the audited entity and the environment in which it is carried out, determine the audit risk based on the financial statements as a whole as high, medium or low and use this when planning the audit.

2. Quantitative – a more widely applied method of calculating audit risk assessments. Audit risk = VR * RK * RN = internal risk (inherent) * risk of internal controls * risk of non-detection.

Audit risk is a certain characteristic that is acceptable from the point of view. A value often mentioned is 5%, i.e. in 5 cases out of 100, the audit organization gives an erroneous audit opinion.

If the audit risk has a specified value, then the risk of non-detection (DR) and the risk of internal controls (IC) must be assessed by the auditor at the stage of preparing the audit and its planning. The lower the auditor's assessment of these components, the higher the detection risk he can anticipate.

In practice, the audit risk model is used in several ways:

1. Establish the values of the components of audit risk.

2. The emphasis is shifted to calculating the value of detection risk and the corresponding amount of required audit evidence - this is a more effective way.

Detection risk = Audit risk / (intra-business risk (inherent) * internal control risk).

When assessing risks, the auditor identifies those that require special audit consideration; these are defined as significant risks. When determining significant risks, the auditor considers a number of issues:

1. The risk of dishonest actions in the organization.

2. Complexity of business operations.

3. Subjectivity when calculating some estimated values contained in financial statements, etc.

Example 5:

Auditors in the pre-planning process rated inherent risk as very high (80%), control risk as medium (50%) and detection risk as 20%. Assess the overall audit risk.

Audit risk is calculated using our first formula: 0.8 * 0.5 * 0.2 * 100 = 8%, i.e. in 8 cases out of a hundred it can give an incorrect conclusion.

Example 6:

During the planning of the audit, the auditor rated the inherent risk as high (80%) and the risk of internal controls as medium (50%). Estimate what the detection risk should be to ensure an audit risk of 5%.

RN = 0.05/(0.8*0.5) * 100 = 12.5%
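
The two uses of the model worked in Examples 5 and 6, applied to several audit areas at once, as an added Python example (not part of the original page). The cap of detection risk at 100%, the comparison tolerance and the sample areas are assumptions of this example.

```python
"""Audit risk model from the page: AR = VR x RK x RN (all relative values)."""
from dataclasses import dataclass

TOLERANCE = 1e-12  # absorbs floating-point noise when comparing with the target


def _check(name, value):
    # Every component is a probability; zero would make the division undefined.
    if not 0.0 < value <= 1.0:
        raise ValueError(f"{name} must be in (0, 1], got {value!r}")


def audit_risk(inherent, control, detection):
    """First use of the model: overall audit risk of a given plan."""
    _check("inherent", inherent)
    _check("control", control)
    _check("detection", detection)
    return inherent * control * detection


def allowable_detection_risk(acceptable_ar, inherent, control):
    """Second use of the model: RN = AR / (VR x RK), capped at 1.0.

    Assumption of this example: when VR x RK is already below the acceptable
    audit risk, the raw ratio exceeds 1 and is not a probability, so 1.0 is
    returned and the model puts no further limit on detection risk.
    """
    _check("acceptable_ar", acceptable_ar)
    _check("inherent", inherent)
    _check("control", control)
    return min(1.0, acceptable_ar / (inherent * control))


@dataclass(frozen=True)
class Area:
    """One audited area with the auditor's assessments (hypothetical type)."""
    name: str
    inherent: float
    control: float
    planned_detection: float


def review_plan(acceptable_ar, areas):
    """Compare the planned detection risk of each area with what the model allows."""
    rows = []
    for area in areas:
        achieved = audit_risk(area.inherent, area.control, area.planned_detection)
        limit = allowable_detection_risk(acceptable_ar, area.inherent, area.control)
        rows.append({
            "area": area.name,
            "audit_risk": achieved,
            "allowable_detection": limit,
            "acceptable": achieved <= acceptable_ar + TOLERANCE,
        })
    return rows


# Constructed sample plan: the first two rows reuse percentages quoted on the
# page, the third is invented to exercise the cap.
SAMPLE_PLAN = [
    Area("figures of Example 5", 0.8, 0.5, 0.2),
    Area("figures of the first method", 0.8, 0.5, 0.1),
    Area("constructed low-risk area", 0.2, 0.2, 0.5),
]

if __name__ == "__main__":
    for row in review_plan(0.05, SAMPLE_PLAN):
        verdict = "acceptable" if row["acceptable"] else "collect more evidence"
        print(f'{row["area"]}: AR = {row["audit_risk"]:.1%}, '
              f'allowable RN = {row["allowable_detection"]:.1%} -> {verdict}')
```
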