Audit risk is the objective probability of assuming possible inaccuracies and deviations from real data arising during the audit of the company
General audit risk is the probability of an incorrect opinion and, as a result, a false conclusion that there are no significant errors during the audit.
Thus, the overall audit risk consists of the internal risk of the client 's activity (business), the risk of control, and the risk of non-discovery.
Overall audit risk at an acceptable level is a subjective level of risk that an auditor is willing to assume that the client 's financial statements will reveal errors after the audit is completed and a positive audit opinion is provided without reservations.
The risk cannot be completely eliminated, so the audit practice has established an acceptable level of risk - 5%, hence the level of trust is 95% and this ratio is sometimes called the "magic figure of audit risk."
Internal risk is a collection of possible risks associated with the operation of the enterprise and describes the level of all potential errors resulting from the enterprise 's activities prior to internal control review.
The risk of such errors is related to the influence of both objective and subjective factors.
Objective factors of internal risk - inflation processes, competition, change of credit conditions, taxation, reduction of the market of products, etc.
Subjective factors of internal risk - essence and content of the client 's business; Degree of complexity of the organizational structure of the enterprise; Management and management policies, including accounting and economic policies; Staff incentive system; Unusual and rare business transactions; Degree of security of property; Scope of activities.
Based on an assessment of the impact of these internal risk factors, the auditor must determine which business transactions as audit objects will be affected. At the same time, maximum attention should be paid to those points that may affect the quality of financial reporting, and therefore those risks of the client that are not related to the preparation of financial reporting are cut off.
Even if the factors listed are positive, the internal risk will not be less than 50%, and if they are negative, it may approach 100%.
Control risk is an assessment of the effectiveness of a customer 's internal control system in terms of its ability to prevent or detect errors.
The internal control system of the enterprise is formed by the internal control and internal audit subsystems. In turn, in the subsystem of internal control, the functions of which are implemented by all structural subdivisions of the management apparatus, it is necessary to emphasize internal control implemented by specialists of the financial service.
Therefore, when determining the control risk, it is necessary to assess the reliability and efficiency of the internal control and internal audit subsystems.
In order to assess the level of control risk, it is necessary to:
- ensure availability and familiarity with the customer 's internal control system (availability and quality of organizational regulations:
Regulations on internal control and consolidation of control functions in personnel job descriptions (especially accountants);
Internal Audit Regulations and Internal Auditors Job Instructions);
- Ensure that internal audit plans and programmes are specific and detailed;
- determine the degree of completeness and compliance with the inspection programs of working documents and reports of internal auditors;
- Ensure the validity of the applied internal audit techniques for individual objects;
- on the basis of available internal control information (lists of control of individual objects, control calculations, reports of surveys, conclusions of internal auditors) Assess the quality of the internal control system as a whole;
- Determine the effectiveness of corrective actions taken as a result of the internal audit;
- Test control points confirming the quality of the internal control system (visually assess the accuracy, correctness and timeliness of the maintenance of accounting registers, compliance of balances for order journals (machine programs) and general ledger accounts, correctness of account correspondence, etc.);
- Determine the quality control status of internal auditors by the head of internal audit;
- familiarize yourself with the personnel policy for internal auditors (personal files, qualifications, training programmes).
Audit practice shows that the level of control risk increases in the computer version of accounting with the application of unapproved accounting programs.
In addition, the fact that the previous audit has detected errors and inaccuracies in the customer 's accounting system is a factor in increasing the risk of control.
There is a direct relationship between the control risk and the audit information base. If the internal control system is considered sufficiently reliable, the volume of objects selected for testing can be reduced.
Risk of non-discovery means a measure of an auditor 's willingness to acknowledge that its audit procedures for specific objects will not detect errors that exceed the limit (if any).
The determination of the non-detection risk is closely related to the internal and control risk. The higher the risk of the latter, which implies a low degree of trust of the auditor in accounting systems and internal control, the less the risk of non-detection needs to be established for a particular audit.
Internal and control risks are independent of the auditor, and cannot be affected because they are the result of the contracting entity 's activities regardless of the audit.
Unlike these elements, the risk of non-discovery is a consequence of the work performed by the auditor, for which he is fully responsible.
Thus, the main task of the auditor is to minimize the risk of non-detection, which is achieved by a sufficient volume of audit procedures based on the application of well-designed methods of auditing, testing of risk zones.