Audit risk (also referred to as residual risk) refers to the risk that an auditor may issue an unqualified report due to the auditor's failure to detect material misstatement, whether due to error or fraud. This risk is composed of:
- Inherent risk (IR), the risk involved in the nature of business or transaction. For example, transactions involving exchange of cash may have higher IR than transactions involving settlement by cheques. The term inherent risk may have other definitions in other contexts;
- Control risk (CR), the risk that a misstatement may not be prevented or detected and corrected due to weakness in the entity's internal control mechanism. For example, control risk assessment may be higher in an entity where separation of duties is not well defined; and
- Detection risk (DR), the probability that the auditing procedures may fail to detect the existence of a material error or fraud. Detection risk may be due to sampling error or non-sampling error.
Audit risk can be calculated as:
- AR = IR × CR × DR