Summary Table of Contents
.01 This standard discusses the auditor's consideration of audit risk in an audit of financial statements as part of an integrated audit1 or an audit of financial statements only.
.02 The objective of the auditor is to conduct the audit of financial statements in a manner that reduces audit risk to an appropriately low level.
.03 To form an appropriate basis for expressing an opinion on the financial statements, the auditor must plan and perform the audit to obtain reasonable assurance about whether the financial statements are free of material misstatement2 due to error or fraud. Reasonable assurance3 is obtained by reducing audit risk to an appropriately low level through applying due professional care, including obtaining sufficient appropriate audit evidence.
.04 In an audit of financial statements, audit risk is the risk that the auditor expresses an inappropriate audit opinion when the financial statements are materially misstated, i.e., the financial statements are not presented fairly in conformity with the applicable financial reporting framework. Audit risk is a function of the risk of material misstatement and detection risk.
Note: The auditor should look to the requirements of the Securities and Exchange Commission for the company under audit with respect to the accounting principles applicable to that company.
Risk of Material Misstatement
.05 The risk of material misstatement refers to the risk that the financial statements are materially misstated. AS 2110, Identifying and Assessing Risks of Material Misstatement, indicates that the auditor should assess the risks of material misstatement at two levels: (1) at the financial statement level and (2) at the assertion4 level.5
.06 Risks of material misstatement at the financial statement level relate pervasively to the financial statements as a whole and potentially affect many assertions. Risks of material misstatement at the financial statement level may be especially relevant to the auditor's consideration of the risk of material misstatement due to fraud. For example, an ineffective control environment, a lack of sufficient capital to continue operations, and declining conditions affecting the company's industry might create pressures or opportunities for management to manipulate the financial statements, leading to higher risk of material misstatement.
.07 Risk of material misstatement at the assertion level consists of the following components:
- Inherent risk, which refers to the susceptibility of an assertion to a misstatement, due to error or fraud, that could be material, individually or in combination with other misstatements, before consideration of any related controls.
- Control risk, which is the risk that a misstatement due to error or fraud that could occur in an assertion and that could be material, individually or in combination with other misstatements, will not be prevented or detected on a timely basis by the company's internal control. Control risk is a function of the effectiveness of the design and operation of internal control.
.08 Inherent risk and control risk are related to the company, its environment, and its internal control, and the auditor assesses those risks based on evidence he or she obtains. The auditor assesses inherent risk using information obtained from performing risk assessment procedures and considering the characteristics of the accounts and disclosures in the financial statements.6 The auditor assesses control risk using evidence obtained from tests of controls (if the auditor plans to rely on those controls to assess control risk at less than maximum) and from other sources.7
.09 In an audit of financial statements, detection risk is the risk that the procedures performed by the auditor will not detect a misstatement that exists and that could be material, individually or in combination with other misstatements. Detection risk is affected by (1) the effectiveness of the substantive procedures and (2) their application by the auditor, i.e., whether the procedures were performed with due professional care.
.10 The auditor uses the assessed risk of material misstatement to determine the appropriate level of detection risk for a financial statement assertion. The higher the risk of material misstatement, the lower the level of detection risk needs to be in order to reduce audit risk to an appropriately low level.
.11 The auditor reduces the level of detection risk through the nature, timing, and extent of the substantive procedures performed. As the appropriate level of detection risk decreases, the evidence from substantive procedures that the auditor should obtain increases.8
Footnotes (AS 1101 - Audit Risk):
1When the auditor is performing an integrated audit of financial statements and internal control over financial reporting, the requirements in AS 2201, An Audit of Internal Control Over Financial Reporting That Is Integrated with An Audit of Financial Statements, also apply. However, the risks of material misstatement of the financial statements are the same for both the audit of financial statements and the audit of internal control over financial reporting.
2Misstatement is defined in Appendix A of AS 2810, Evaluating Audit Results.
3See AS 1001, Responsibilities and Functions of the Independent Auditor, and paragraph .10 of AS 1015, Due Professional Care in the Performance of Work, for a further discussion of reasonable assurance.
4See AS 1105, Audit Evidence, for a description of financial statement assertions.
7Paragraphs .32-.34 of AS 2301, The Auditor's Responses to the Risks of Material Misstatement.