Audit risk takes many shapes and forms. While audits of small businesses are generally considered to be lower-risk audits than the audits of large, multinational companies, no strict rules relate company size and audit risk. Understanding the components that make up audit risk can help you evaluate whether your company would be considered a high or low audit risk engagement.
Inherent risk is the risk of errors or fraud in the financial statements, without considering whether internal controls are effective. Small businesses may have higher levels of inherent risk if they are involved in difficult or complex accounting transactions or they operate in an industry that is prone to accounting estimates. Small businesses with simple business models and few material accounting estimates may be considered to have low inherent risk.
Control risk is the auditor's judgment of how effective internal controls are at detecting existing misstatements that exceed a threshold amount. While larger companies may be subject to audits of internal control, most small businesses do not conduct internal control audits. Even so, auditors must still assess how likely internal controls are to detect errors as part of the audit planning process. Small businesses with well-established internal control procedures will have lower levels of control risk. Companies with poor internal controls will have higher levels of control risk.
Acceptable audit risk is the only part of the audit risk model that is completely out of the hands of the company. The level of acceptable audit risk is the amount of risk that the auditor is willing to accept that the financial statements might contain any amount of material misstatement. Auditors may have lower levels of acceptable audit risk for small businesses that operate in litigious environments and higher levels of acceptable audit risk for companies that do not. Publicly traded companies are usually deemed to be riskier for an auditor.
Planned detection risk is the overall risk that the audit evidence the auditor accumulates will fail to detect fraud or errors that exceed a tolerable level of misstatement. The planned detection risk is a function of inherent risk, control risk and acceptable audit risk. For small businesses, the amount of planned detection risk is directly related to the extent of audit procedures that the auditor plans to conduct during the audit. This implies that when inherent risk or control risk is relatively higher, and the auditor is unwilling to accept higher audit risk, audit procedures must increase. This will likely cause audit costs to increase for the small-business owner.