Types of audit risks

Updated March 23, 2017

A company's senior management is responsible for its financial statements. Under generally accepted auditing standards, or GAAS, auditors are required to obtain reasonable assurance that these statements are free of material misstatements caused by error or fraud. According to the International Auditing and Assurance Standards Board, quoted by the U.S. Public Oversight Board, audit risk is defined as "the risk that the auditor expresses an inappropriate audit opinion when the financial statements are materially misstated." There are three types of audit risks: inherent, control and detection.


The GAAS audit risk model requires auditors to use their judgment in assessing risks. It allows auditors to take various circumstances into account in selecting an audit approach, including the client's business and industry, the systems employed to process transactions, the quality of the personnel involved and the internal controls and risk assessment processes. An auditor should try to limit audit risk, which is the product of inherent risk, control risk and detection risk.

Inherent Risk

Inherent risk is the risk that a financial assertion is susceptible to a material misstatement. The assertion could be about a class of transactions, account balances or disclosures about significant company events. Examples include double counting sales, incorrectly valuing inventory for cost of goods calculations and failing to disclose significant accounting changes.

Control Risk

Control risk is the risk that one or more material misstatements might not be prevented or detected on a timely basis by the organisation's internal control systems. For example, if the revenue is misstated on a company's income statement, control risk is the possibility that the company's internal auditing processes will not catch it before the financial statements are published.

Detection Risk

Detection risk is the risk that an audit might not be able to detect a material misstatement. For example, if there are revenue or cost misstatements on a company's income statement, detection risk refers to the possibility that an audit fails to detect these misstatements and, consequently, expresses an inappropriate favourable opinion.


Auditors are required to assess inherent risk and control risk on three levels: maximum or high risk, moderate or medium risk and low risk. If the inherent and control risks are high, the detection risk must be low in order to have a low overall audit risk. Therefore, the auditor has to carry out more detection procedures to be reasonably assured that the financial statements are free of material misstatements.


A low audit risk is important because it is not possible for auditors to verify all transactions. Auditors tend to focus on key risk areas, such as overstated revenues or understated costs, where it is more likely that errors will lead to material misstatements on the financial statements. Auditing standards require auditors to plan and perform audits with professional scepticism because there is always the possibility that the financial statements are materially misstated. Professional scepticism involves a questioning mind and a critical evaluation of evidence.


About the Author

Based in Ottawa, Canada, Chirantan Basu has been writing since 1995. His work has appeared in various publications and he has performed financial editing at a Wall Street firm. Basu holds a Bachelor of Engineering from Memorial University of Newfoundland, a Master of Business Administration from the University of Ottawa and the Canadian Investment Manager designation from the Canadian Securities Institute.