Audit Risk
Domain 1 — Information Systems Auditing Process
Definition
Audit risk is the risk that the auditor may issue an incorrect opinion or conclusion. It is composed of inherent risk (the susceptibility of a process to material misstatement), control risk (the risk that controls will not prevent or detect errors), and detection risk (the risk that audit procedures will not find errors). IS auditors manage audit risk by adjusting the nature, timing, and extent of audit procedures based on assessed risk levels.
Real-World Audit Scenario
Early in my career, I accepted a client's assertion that their access controls were "very mature" and reduced my testing scope accordingly. I later discovered that they had never actually conducted a user access review — the IT manager had simply assumed that because the system enforced password complexity, access controls were fine. I had underestimated control risk and my detection risk increased as a result. I now always conduct a walkthrough of at least one control before relying on management assertions about control maturity.
Common Exam Trap
Audit risk = inherent risk × control risk × detection risk. The exam tests the relationship between the components: if inherent risk and control risk are assessed as high, the auditor must drive detection risk down by performing more testing. You cannot accept a high detection risk when the other risks are already elevated.