The auditor chooses what overall level of audit risk they are willing to accept. A higher level of audit risk means that the auditor is willing to accept more audit failures. 1% audit risk means that you are willing to accept that 1 out of 100 issued audit opinions will be incorrect. 5% audit risk means that you are willing to accept that 5 out of 100 issued audit opinions will be incorrect. So, the higher the audit risk you are willing to accept, the less audit work you have to perform.
Audit risk and audit work are inversely related.
Inherent Risk (IR) is the susceptibility of a particular transaction to be recorded in error. For example, revenue recognition related to software transactions is more inherently risky that revenue recognized at a point of sale transaction at a grocery store. In this example (all else constant), you would assign your software company client revenue accounts higher inherent risk than your grocery store client, due to the inherent difficulty in software revenue recognition.
Higher inherent risk, all else constant, leads to more audit work.
Inherent risk and audit work are directly related. Stated more specifically, if the inherent riskiness of one set of accounts is higher than another set of accounts, the auditor must increase the amount of testing done to achieve the given level of audit risk. Control risk (CR) is the risk that the company’s internal control system will fail to prevent or detect errors. A well established fortune 500 manufacturing company is likely to have better internal controls than a small biotech startup with one person playing the roles of accountant, chief financial officer and CEO.
In this example (again, all else constant) you would assign your manufacturing client a lower control risk than your biotech client (for whom, in all likelihood, you decide not to rely on controls at all, and assign a value of 1 to control risk). Higher control risk, all else constant, leads to more audit work. Control risk and audit work are directly related, stated more specifically, if the risk that controls will not catch accounting errors increases, you must do more testing to achieve a given level of audit risk.
Second: Let’s think about the equation, and the relation of each type of risk to each other s the risk that our audit procedures over a specific account or group of accounts will fail to detect a material misstatement. We know that we set the level of M. Shepardson audit risk, we assess the levels of inherent risk and control risk, and from that, we calculate the level of detection risk. Rewriting equation (1), we have the following: