Which explanation best describes how inherent risk relates to internal controls?

The following auditing standard is not the current version and does not reflect any amendments effective on or after December 31, 2016. The current version of the auditing standards can be found  here.

Audit Risk

Effective Date: For audits of fiscal years beginning on or after Dec. 15, 2010

Final Rule: PCAOB Release No. 2010-004

Summary Table of Contents

• (1) Introduction
• (2) Objective
• (3 - 11) Audit Risk

Introduction

1.     This standard discusses the auditor's consideration of audit risk in an audit of financial statements as part of an integrated audit 1/ or an audit of financial statements only.

Objective

2.     The objective of the auditor is to conduct the audit of financial statements in a manner that reduces audit risk to an appropriately low level.

Audit Risk

3.     To form an appropriate basis for expressing an opinion on the financial statements, the auditor must plan and perform the audit to obtain reasonable assurance about whether the financial statements are free of material misstatement 2/ due to error or fraud. Reasonable assurance 3/ is obtained by reducing audit risk to an appropriately low level through applying due professional care, including obtaining sufficient appropriate audit evidence.

4.     In an audit of financial statements, audit risk is the risk that the auditor expresses an inappropriate audit opinion when the financial statements are materially misstated, i.e., the financial statements are not presented fairly in conformity with the applicable financial reporting framework. Audit risk is a function of the risk of material misstatement and detection risk.

Note:   The auditor should look to the requirements of the Securities and Exchange Commission for the company under audit with respect to the accounting principles applicable to that company.

Risk of Material Misstatement

5.     The risk of material misstatement refers to the risk that the financial statements are materially misstated. Auditing Standard No. 12, Identifying and Assessing Risks of Material Misstatement, indicates that the auditor should assess the risks of material misstatement at two levels: (1) at the financial statement level and (2) at the assertion 4/ level. 5/

6.     Risks of material misstatement at the financial statement level relate pervasively to the financial statements as a whole and potentially affect many assertions. Risks of material misstatement at the financial statement level may be especially relevant to the auditor's consideration of the risk of material misstatement due to fraud. For example, an ineffective control environment, a lack of sufficient capital to continue operations, and declining conditions affecting the company's industry might create pressures or opportunities for management to manipulate the financial statements, leading to higher risk of material misstatement.

7.     Risk of material misstatement at the assertion level consists of the following components:

1. Inherent risk, which refers to the susceptibility of an assertion to a misstatement, due to error or fraud, that could be material, individually or in combination with other misstatements, before consideration of any related controls.
2. Control risk, which is the risk that a misstatement due to error or fraud that could occur in an assertion and that could be material, individually or in combination with other misstatements, will not be prevented or detected on a timely basis by the company's internal control. Control risk is a function of the effectiveness of the design and operation of internal control.

8.     Inherent risk and control risk are related to the company, its environment, and its internal control, and the auditor assesses those risks based on evidence he or she obtains. The auditor assesses inherent risk using information obtained from performing risk assessment procedures and considering the characteristics of the accounts and disclosures in the financial statements. 6/ The auditor assesses control risk using evidence obtained from tests of controls (if the auditor plans to rely on those controls to assess control risk at less than maximum) and from other sources. 7/

Detection Risk

9.     In an audit of financial statements,detection risk is the risk that the procedures performed by the auditor will not detect a misstatement that exists and that could be material, individually or in combination with other misstatements. Detection risk is affected by (1) the effectiveness of the substantive procedures and (2) their application by the auditor, i.e., whether the procedures were performed with due professional care.

10.     The auditor uses the assessed risk of material misstatement to determine the appropriate level of detection risk for a financial statement assertion. The higher the risk of material misstatement, the lower the level of detection risk needs to be in order to reduce audit risk to an appropriately low level.

11.     The auditor reduces the level of detection risk through the nature, timing, and extent of the substantive procedures performed. As the appropriate level of detection risk decreases, the evidence from substantive procedures that the auditor should obtain increases. 8/