What is audit risk?
Most audit files document a 5% audit risk target with no risk decomposition behind it. The figure is written into the planning memo, never revisited, and never linked to the response. In our experience, this is the single most common finding on inspected files: a number that looks defensible on its own but cannot be traced to the procedures that produced it.
Audit risk, defined in ISA 200.13(c), is the risk that the auditor issues an inappropriate opinion when the financial statements (FS) are materially misstated. The audit risk model decomposes this into two components: risk of material misstatement (RoMM) and detection risk (DR). RoMM is the client's risk, covering how likely the FS are to contain a material error before the auditor does any work. DR is the auditor's risk, covering the chance that procedures fail to catch a misstatement that exists.
The relationship is inverse. When RoMM is high, the auditor must reduce DR by performing more extensive and more effective procedures. Most firms set acceptable audit risk at 5%, meaning they design the audit to achieve 95% confidence that the opinion is correct. The percentage is fine. The problem is almost always the missing decomposition that sits behind it.
Key Points
- Audit risk = RoMM × DR. RoMM further decomposes into inherent risk (IR) and control risk (CR). The auditor controls only DR, through the nature, timing, and extent of procedures.
- Most firms target 5% audit risk. This means the audit is designed to provide 95% confidence that material misstatements are detected. The percentage itself must be supported by the risk decomposition and linked to the audit response.
- The relationship is inverse. Higher assessed RoMM requires lower DR, which drives larger samples, more persuasive evidence, and more experienced staff on the harder assertions.
- Reassessment is required at completion. ISA 330.25 requires the auditor to conclude whether the assessment of risks at the assertion level remains appropriate in light of the audit evidence obtained.
Why it matters in practice
A documented audit risk percentage without the underlying risk decomposition and a linked audit response will not survive regulatory inspection. Inspectors look for the thread: assessed IR, assessed CR (or a decision to assess it at maximum), the combined RoMM, and the specific procedures designed to bring DR down to the level needed to achieve the target audit risk. At firms like ours, the file usually has the first three and fails on the fourth.
The model is not a one-time exercise at planning. ISA 330.25 requires the auditor to reassess audit risk at the conclusion stage. If evidence obtained during the audit reveals risks that were not identified or assessed during planning, the auditor must consider whether additional procedures are needed before signing the opinion. This is the reassessment that generates the most review notes, because the planning RoMM often gets copied forward without anyone asking whether the fieldwork evidence still supports it.
In practice, the most common failure is treating the audit risk model as a tick-box exercise rather than a decision-making tool. When the model is applied properly, it drives real differences in the audit approach. Different assertions get different levels of testing, and the file clearly explains why.
Key standard references
- ISA 200.13(c): Definition of audit risk as the risk of expressing an inappropriate audit opinion on materially misstated financial statements.
- ISA 200.A34–A38: Explanatory guidance on the components of audit risk and their interrelationships.
- ISA 200.A42–A44: Inherent limitations of an audit, including why audit risk cannot be reduced to zero.
- ISA 330.25: Requirement to evaluate whether the assessment of the risks of material misstatement at the assertion level remains appropriate at the conclusion of the audit.
Jurisdiction notes
The audit risk model is adopted consistently across jurisdictions, but regulators emphasise different aspects. In the United Kingdom, ISA (UK) 315 (Revised July 2020) and ISA (UK) 330 require auditors to link risk assessments to the nature, timing, and extent of audit procedures. FRC inspection reports have identified insufficient linkage between assessed risks and audit responses as a common deficiency. In the Netherlands, NV COS 315 and NV COS 330 mirror the IAASB base text; the AFM expects auditors to demonstrate how risk assessments at the assertion level drive specific audit procedures. In Australia, ASA 200.A1 uses “financial report” terminology and ASIC inspections focus on whether the risk assessment process is sufficiently granular to identify risks at the assertion level for material account balances.
In the United States, the audit risk model is governed by AU-C 200 (non-public) and PCAOB AS 1101, Audit Risk (SEC registrants). PCAOB AS 2110, Identifying and Assessing Risks of Material Misstatement, and AS 2301, The Auditor’s Responses to the Risks of Material Misstatement, establish the risk assessment and response framework for public company audits. For integrated audits, AS 2201 requires the auditor to integrate the audit of internal control over financial reporting with the financial statement audit, creating an additional layer of risk assessment not present under the ISA framework. PCAOB inspection findings have consistently cited deficiencies in linking identified risks to specific audit procedures and in evaluating the sufficiency of audit evidence obtained (AS 2810).
Frequently asked questions
What is the audit risk formula?
Audit risk equals the risk of material misstatement multiplied by detection risk (AR = RoMM × DR). Risk of material misstatement itself breaks down into inherent risk and control risk (RoMM = IR × CR). Most firms set acceptable audit risk at 5%, meaning they target 95% confidence that the opinion is correct.
Can audit risk be eliminated entirely?
No. ISA 200.A44 acknowledges inherent limitations in every audit: sampling risk, the possibility that management conceals fraud, and the fact that audit evidence is persuasive rather than conclusive. The standard requires reducing audit risk to an acceptably low level, not eliminating it. This is why auditors provide reasonable assurance, not absolute assurance.
What is the difference between audit risk and engagement risk?
Audit risk is the technical risk of signing the wrong opinion on materially misstated financial statements (ISA 200.13(c)). Engagement risk is the broader business risk the firm faces from the client relationship, including litigation, reputational damage, and fee recoverability. A client can have high engagement risk but low audit risk if the financial statements are straightforward.