Audit risk is the risk that an auditor may give an inappropriate opinion on financial information that is materially misstated. Audit risk is composed of three components viz. inherent risk, control risk and
detection risk. Control risk is the risk that misstatement that could occur in an account balance or class of transactions and that could be material, individually or when aggregated with misstatements in other balances or classes, will not be prevented or detected on a timely basis by the system of internal control. There will always be some control risk because of the intrinsic limitations of any system of internal control.
For assessing control risk, the auditor should consider the adequacy of control design, as well as test adherence to control procedures. In the absence of such assessment, the auditor should assume that control risk is high. The auditor ordinarily assesses control risk at a high level for some or all assertions where:
The entity`s policies and procedures relating to an assertion are not effective or
Evaluating the effectiveness of the entity`s policies and procedures would be inefficient
The auditor may make a preliminary assessment of control risk at less than a high level only when the auditor:
Is able to identify policies and procedures of the accounting and internal control systems relevant to specific assertions which are likely to prevent or detect material misstatements in the financial statements; and
Plans to perform tests of control or support the assessment.
It may be noted that nature, timing and extent of substantive audit procedures to be performed would depend upon the auditor`s assessment of the inter-relationship between inherent risk, control risk and detection risk.