The components of audit risk

M. V. Kali Prasad | Updated on November 15, 2017

From an auditor's viewpoint, the three components of audit risk are inherent risk, control risk and detection risk.

What is risk? The term risk refers to the probability of not achieving the goal.


The goal of an audit is to form and express an opinion on whether the financial statements give a true and fair view. The term audit risk refers to the probability of the statements not giving a true and fair view after the audit is completed.

As a result, audit risk is the possibility of a material misstatement remaining undetected even after the audit is completed.


Such risk can be perceived from the point of view of the management, as well as that of the auditor.

Management Viewpoint

The management of any entity is saddled with the following responsibilities:

- Safeguarding the assets created out of the resources of the shareholders.
- Preventing, detecting and correcting frauds and errors.
- Maintaining books of account as required by the law in force.
- Preparing and presenting financial statements from the books of account maintained by the company.

Auditor's Point of View

There are three components of an audit risk from the viewpoint of the auditor — inherent risk, control risk and detection risk.

Inherent risk is inherent in the audit itself. It arises because the systems, as designed by the management, may not be implemented in true letter and spirit.

Control risk emanates from the inadequacy or inefficiency of the internal control systems in place. Especially in small entities, the internal control systems may not exist at all, or even if the systems exist, they may not be followed by the management.

Detection risk is that component of the audit risk resulting from the failure on the part of the auditor to notice a misstatement.

This could be due to want of experience, negligence, sacrificing integrity, or frauds being skilfully woven into the financial statements.


The auditor has the following recourse at his disposal to minimise the inherent risk to a limited extent:

- Updating himself with the latest position of law, regulations, etc.
- Thorough knowledge of the business of the client and understanding the critical areas.
- Exercising proper care in selecting his own staff and their training.
- Comprehensive audit strategies, plans, programmes.
- Diligence in selecting outsourcing agencies, such as experts.
- Meticulous planning and scrupulous execution of the procedures.
- Thorough professional approach.


The internal control systems are designed and developed by the management. Hence control risk isn't in the hands of the auditor. Control risk is said to be high if the systems or their functioning isn't up to the mark.

It is advisable that the auditor presumes the control risk to be high at the planning stage of the audit. Evaluation of the internal control systems is crucial for an auditor, since it is critical for the auditor to:

- Determine the extent of test check to be carried out.
- Fix up the materiality levels for the substantive procedures to be carried out by him.
- Decide upon the size of sample to be verified.
- Decide the nature, extent and timing of the audit procedures to be carried out by him, based upon his evaluation of internal control systems.

After careful evaluation of the internal control systems, the auditor may decide the extent of control risk. He may presume the control risk to be less than high. It isn't advisable for the auditor to presume the control risk to be low at any time.


The probability of the auditor's failure to detect any misstatements during the course of his audit is termed detection risk. The auditor has to design his substantive procedures to minimize the audit risk.

The extent of overall risk the auditor is willing to take and the efficiency of the internal control systems decide the nature, extent and timing of the audit procedures to be carried out by him.

The auditor would carry out intensive audit procedures on presuming the control risk to be high. Intensive audit procedures would lower the detection risk.

If the auditor presumes the control risk to be low, he would reduce the intensity of the audit procedures, thereby running a higher detection risk.

(The author is a Hyderabad-based chartered accountant.)

Published on February 19, 2012
