What Is Detection Risk?
Detection risk is the chance that an auditor will fail to find material misstatements that exist in an entity's financial statements. These misstatements may be due to either fraud or error. Auditors make use of audit procedures to detect these misstatements.
However, because of the nature of audit procedures, some detection risk will always exist. For example, auditors often sample a certain type of company transaction because examining every transaction is impractical. Increasing the sample size can reduce detection risk, but some risk will always remain.
- Detection risk occurs when an auditor fails to identify a material misstatement in a company's financial statements.
- There are three types of audit risk: detection risk, inherent risk, and control risk.
- Auditors must implement correct audit procedures to limit detection risk.
- A certain amount of detection risk will always exist, but the auditor's goal is to lower the detection risk sufficiently for overall audit risk to maintain an acceptable level.
Understanding Detection Risk
Detection risk can reach unacceptable levels when an auditor fails to implement the correct audit procedures, implements the right procedures incorrectly, or fails to judge the results correctly. It’s important for auditors to assess both control and inherent risk first, then assign detection risk in order to bring the total audit risk to an acceptable level. However, it’s unlikely that an auditor can eliminate detection risk entirely, simply because most auditors will never be able to examine every single transaction that makes up a financial statement. Instead, auditors should aim to keep detection risk at an acceptable level.
These are the three main components of detection risk.
- Applying an audit procedure incorrectly. For example, when an auditor applies the wrong acceptable ratio when using ratios to evaluate the face value accuracy of an account balance.
- Incorrect audit testing method. Choosing an audit testing method that isn’t right for the type of financial account being audited, for example, testing for accuracy of the invoice rather than the occurrence of a particular sale.
- Misinterpreting the results of the audit, or just evaluating the results wrongly.
A common mistake that auditors make is to conclude that a detected misstatement is trivial. Sometimes a misstatement that is trivial in one unit of a company may become material when aggregated over multiple business units, making a significant impact on the company's financial statements. Detection risk may be higher in regions where regulatory bodies are relatively ineffective. Detection risk is also higher when the relationship between auditors and audited entities' employees becomes cozy. Cultural differences also can increase or decrease this risk among countries and regions around the world.
There are a number of audit procedures that auditors use to minimize detection risk, including classification testing, completeness testing, valuation testing, and occurrence testing.
Classification testing is used to determine whether transactions were classified correctly. For example, a cost to the company could be classified as either an expense or an asset depending on its total cost and the length of its useful life. An auditor may apply certain audit procedures to determine whether a large expenditure classifies as an asset or an expense.
Completeness testing is used to examine if any transactions are missing from the accounting records. For example, an auditor may review a client's bank statements in order to determine if payments to suppliers that exist in the bank statement were also recorded in the accounting system.
Valuation testing is used to test whether the value of the assets and liabilities on the company's books are accurate. This test could require an auditor to obtain an external valuation judgement on the asset or liability in question.
Occurrence testing is used to determine whether recorded transactions have actually occurred. This test could involve examining specific invoices listed on the sales ledger and tracing them back to the original customer order and shipping documentation.
Detection Risk vs. Control Risk vs. Inherent Risk
Inherent risk is always present and is specific to the company based on its given industry and business environment. Inherent risk is the likelihood that a material misstatement exists in the company's financial statements based on these given factors. Control risk is the risk that the company's own internal controls will be unable to prevent, detect, or correct material misstatements or errors that are present in the financial statements. If the auditors know the company being audited has poor internal control processes, this risk will be assessed higher.
Both inherent risk and control risk increase the level of audit procedures required in order to reduce the detection risk to an acceptable level. Because audit risk is comprised of all three elements, if both control risk and inherent risk are high, detection risk will need to be minimized through increased audit procedures. If inherent risk and control risk are both low, the level of audit procedures required will be lower.
|Acceptable Audit Risk||Inherent Risk||Control Risk||Planned Detection Risk||Audit Procedures / Evidence Required|
Example of Detection Risk
Smith and Co. Certified Public Accounting (CPA) firm is hired to perform an audit of ABC Corp.'s financial statements. Accountants from Smith and Co. have worked with ABC Corp. in the past, and they have previously expressed concerns to management around ABC's lack of internal controls around the company's payroll process. Going into this year's audit, Smith and Co. will assess the control risk as high for this particular area. ABC Corp.'s payroll system is also highly complex, and it involves a large degree of manual input by the payroll clerk. This would increase the inherent risk as well.
Because both the inherent risk and control risk are high, detection risk–the risk of the auditor's missing material issues–needs to be minimized sufficiently by an increase in audit procedures and required evidence. Normally, Smith and Co. would review the supporting documentation for three payroll cycles. However, due to the riskiness of this particular area, Smith and Co. has requested documentation and backup reports for six payroll cycles.
The auditors may trace the payroll expense recorded for specific individuals in the ledger back to their time cards, to confirm hours worked, and to their human resources (HR) file, to confirm pay rate. The auditors may also ensure the employee's supervisor has signed off on all time cards and the HR Manager has reviewed and signed off on all payroll checks. By increasing the amount of testing done around the payroll process, the auditors have effectively decreased the detection risk associated with these transactions.