What is audit risk?
Audit risk, as defined in ISA 200.13(c), is the risk that the auditor issues an inappropriate opinion when the financial statements are materially misstated. It is the central concept that determines how much work the auditor needs to do and where to focus that work.
The audit risk model decomposes this into two components: risk of material misstatement (RoMM) and detection risk (DR). Risk of material misstatement is the client's risk — how likely the financial statements are to contain a material error before the auditor does any work. Detection risk is the auditor's risk — the chance that the auditor's procedures will fail to catch a misstatement that exists.
The relationship is inverse: when the risk of material misstatement is high, the auditor must reduce detection risk by performing more extensive and more effective procedures. Most firms set acceptable audit risk at 5%, meaning they design the audit to achieve 95% confidence that the opinion is correct.
Key Points
- Audit risk = RoMM × DR. Risk of material misstatement further decomposes into inherent risk and control risk. The auditor controls only detection risk through the nature, timing, and extent of procedures.
- Most firms target 5% audit risk. This means the audit is designed to provide 95% confidence that material misstatements are detected. The percentage itself must be supported by the risk decomposition and linked to the audit response.
- The relationship is inverse. Higher assessed risk of material misstatement requires lower detection risk, which means more persuasive evidence, larger samples, and more experienced staff.
- Reassessment is required at completion. ISA 330.25 requires the auditor to conclude whether the assessment of risks at the assertion level remains appropriate in light of the audit evidence obtained.
Why it matters in practice
A documented audit risk percentage without the underlying risk decomposition and a linked audit response will not survive regulatory inspection. Inspectors look for the thread: the assessed inherent risk, the assessed control risk (or a decision to assess it at maximum), the combined risk of material misstatement, and the specific procedures designed to bring detection risk down to the level needed to achieve the target audit risk.
The model is not a one-time exercise at planning. ISA 330.25 requires the auditor to reassess audit risk at the conclusion stage. If evidence obtained during the audit reveals risks that were not identified or assessed during planning, the auditor must consider whether additional procedures are needed before signing the opinion.
In practice, the most common failure is treating the audit risk model as a form-filling exercise rather than a decision-making tool. When the model is applied properly, it drives real differences in the audit approach — different assertions get different levels of testing, and the file clearly explains why.
Key standard references
- ISA 200.13(c): Definition of audit risk as the risk of expressing an inappropriate audit opinion on materially misstated financial statements.
- ISA 200.A34–A38: Explanatory guidance on the components of audit risk and their interrelationships.
- ISA 200.A42–A44: Inherent limitations of an audit, including why audit risk cannot be reduced to zero.
- ISA 330.25: Requirement to evaluate whether the assessment of the risks of material misstatement at the assertion level remains appropriate at the conclusion of the audit.
Frequently asked questions
What is the audit risk formula?
Audit risk equals the risk of material misstatement multiplied by detection risk (AR = RoMM × DR). Risk of material misstatement itself breaks down into inherent risk and control risk (RoMM = IR × CR). Most firms set acceptable audit risk at 5%, meaning they target 95% confidence that the opinion is correct.
Can audit risk be eliminated entirely?
No. ISA 200.A44 acknowledges inherent limitations in every audit: sampling risk, the possibility that management conceals fraud, and the fact that audit evidence is persuasive rather than conclusive. The standard requires reducing audit risk to an acceptably low level, not eliminating it. This is why auditors provide reasonable assurance, not absolute assurance.
What is the difference between audit risk and engagement risk?
Audit risk is the technical risk of signing the wrong opinion on materially misstated financial statements (ISA 200.13(c)). Engagement risk is the broader business risk the firm faces from the client relationship, including litigation, reputational damage, and fee recoverability. A client can have high engagement risk but low audit risk if the financial statements are straightforward.