Risk is the defining concept of an audit. Auditors examine businesses primarily to identify operational and financial risks. Both of these risk categories factor into a broader risk category, engagement risk. The 1995 Audit Risk Alert introduced the term engagement risk. It consists of three interrelated components: entity business risk, auditor business risk and audit risk.
A company's business risk is the risk associated with its ongoing operation. This may include outside business and industry factors, macroeconomic variables or failed speculative ventures. The decisions of a company and its management factor heavily into this risk assessment.
Audit risk is the risk that an auditor will provide an unqualified or clean opinion on financial statements that have been materially misstated or are otherwise inaccurate. Statement of Accounting Standards Number 47 defines an auditor’s business risk as the risk that the auditor “may be exposed to injury or loss … from litigation, adverse publicity, or other events arising in connection with financial statements that he has examined and reported on.”
Entity business risk, auditor business risk and audit risk threaten the reputation and effectiveness of the audit firm and contribute to overall engagement risk, which is the risk that an audit faces from association with a particular client. This includes the risk of material misstatement, the risk to one's reputation from being associated with a particular client, the inability of the client to pay the firm, or potential financial losses.
When choosing whether to accept or continue serving a client, the audit firm should consider engagement risk and its three components. If a client is accepted, the audit must be planned so that the component risks are held to an acceptable level. Management integrity is a key factor in acceptable engagement risk. Reviewing prior-year audits, talking with previous auditors, and consulting independent sources such as industry and trade publications allow the auditor to assess management competence. Auditors should also consider the independence and composition of the board of directors. Auditors must evaluate risk processes and controls and regulatory reporting requirements. By reviewing this information alongside past financial reports, the auditor should begin to understand the financial health and integrity of the organization. If engagement risk is thought to be too high, the auditor should not serve the client. If an engagement is accepted, the auditor should continue to monitor engagement risk and react accordingly.