Audit risk (also referred to as residual risk) refers to the risk that an auditor may issue an unqualified report due to the auditor's failure to detect material misstatement either due to error or fraud. This risk is composed of inherent risk (IR), control risk (CR) and detection risk (DR), and can be calculated thus:
AR = IR × CR × DRIR refers to the risk involved in the nature of business or transaction. Example, transactions involving exchange of cash may have higher IR than transactions involving settlement by cheques.
CR refers to the risk that a misstatement could occur but may not be detected and corrected or prevented by the entity's internal control mechanism. Example,control risk assessment may be higher in an entity where separation of duties is not well defined.
DR is the probability that the audit procedures may fail to detect existence of a material error or fraud. While CR depends on the strength or weakness of the internal control procedures, DR is either due to sampling error or human factors.