1. Business Risk
What it is:
Business risk is the broad risk that an entity will fail to achieve its objectives or that its operations will be significantly impacted by internal or external factors. It encompasses all the uncertainties and threats that could jeopardize the financial viability, strategic goals, profitability, or very existence of a business. It's the risk inherent in operating a business in a dynamic environment.
Whose Risk: This is primarily the entity's (management's) risk.
Examples:
- A technology company's business risk from rapid technological change might be that its core product becomes obsolete overnight.
- A manufacturing company's business risk from supply chain disruptions (e.g., a natural disaster in a key raw material supplier's region).
- A retail chain's business risk from intense competition leading to price wars and reduced market share.
- A company's business risk from changes in government regulations (e.g., new environmental laws) that significantly increase operating costs.
How it's Managed: Business risks are managed by the entity's management through strategic planning, risk management frameworks, internal controls, diversification, contingency planning, and operational adjustments.
Relevant Standard (in the context of auditing): While not explicitly defined as an "audit risk" in the standards, auditors are required to understand the entity's business risks because these risks can directly influence the risks of material misstatement in the financial statements.
- Philippine Standard on Auditing (PSA) 315 (Identifying and Assessing the Risks of Material Misstatement Through Understanding the Entity and Its Environment): Requires the auditor to obtain an understanding of the entity and its environment, including its relevant industry, regulatory, and other external factors, and the nature of the entity's operations and its business risks that may result in a material misstatement of the financial statements.
2. Information Risk
What it is:
Information risk is the risk that the information used by decision-makers (especially external users of financial statements) is materially misstated, misleading, or unreliable, leading to incorrect decisions. It's the risk that financial data does not accurately reflect the economic reality of the business.
Whose Risk: This is primarily the user's risk (e.g., investors, creditors) who rely on the information.
Examples:
- An investor making an investment decision based on fraudulent financial statements where revenues are overstated and expenses are understated.
- A bank lending money to a company based on a balance sheet that significantly undervalues its liabilities due to errors in accounting.
- A business partner relying on a company's outdated sales report to plan production, leading to overproduction.
- A financial report being unreliable because the underlying IT systems lack adequate security controls, making data vulnerable to manipulation.
How it's Managed: Information risk is primarily managed by the entity through strong internal controls over financial reporting, reliable information systems, and adherence to accounting standards. An external audit is specifically performed to reduce information risk for external users.
Relevant Standard:
- PSA 200 (Overall Objectives of the Independent Auditor and the Conduct of an Audit in Accordance with Philippine Standards on Auditing): States that the purpose of an audit is to enhance the degree of confidence of intended users in the financial statements. This is achieved by the expression of an opinion by the auditor on whether the financial statements are prepared, in all material respects, in accordance with an applicable financial reporting framework. By providing this opinion, the audit reduces the information risk for users.
3. Audit Risk
What it is:
Audit risk is the risk that the auditor expresses an inappropriate audit opinion when the financial statements are materially misstated. In simpler terms, it's the risk that the auditor issues a "clean" (unmodified) opinion on financial statements that are, in fact, misleading.
Whose Risk: This is the auditor's risk. The auditor is responsible for managing and reducing audit risk to an acceptably low level.
Components of Audit Risk (as per auditing standards):
- Inherent Risk (IR): The susceptibility of an assertion about a class of transaction, account balance, or disclosure to a misstatement that could be material, individually or when aggregated with other misstatements, before consideration of any related controls. (e.g., complex calculations, transactions involving high-value inventory are inherently riskier).
- Control Risk (CR): The risk that a material misstatement will not be prevented, or detected and corrected, on a timely basis by the entity's internal control. (e.g., if a company has weak internal controls over cash disbursements, there's a higher control risk that unauthorized payments could occur and not be caught).
- Detection Risk (DR): The risk that the procedures performed by the auditor to reduce audit risk to an acceptably low level will not detect a misstatement that exists and that could be material, individually or when aggregated with other misstatements. This is the risk that the auditor fails to find the misstatement. (e.g., due to inadequate sample size, ineffective audit procedures).
- Audit Risk Model: AR = IR x CR x DR. Auditors assess IR and CR, which exist independently of the audit. They then adjust DR by varying the nature, timing, and extent of their audit procedures to achieve an acceptably low overall AR.
Examples:
- An auditor issues an unmodified opinion on a company's financial statements. Later, it's discovered that the company engaged in a massive revenue recognition fraud that the audit procedures failed to detect. This is an audit risk materializing.
- Due to a miscalculation in the audit sample size (affecting Detection Risk), the auditor misses a recurring error in inventory valuation (Inherent Risk high for inventory, Control Risk moderate due to some manual processes), leading to materially misstated inventory figures that get a clean opinion.
Relevant Standard:
- PSA 200 (Overall Objectives of the Independent Auditor and the Conduct of an Audit in Accordance with Philippine Standards on Auditing): Defines audit risk and states that the auditor is responsible for planning and performing the audit to obtain reasonable assurance that the financial statements are free from material misstatement, whether due to fraud or error, thereby reducing audit risk to an acceptably low level.
- PSA 315 (Identifying and Assessing the Risks of Material Misstatement Through Understanding the Entity and Its Environment): Focuses on assessing Inherent and Control Risk.
- PSA 330 (The Auditor's Responses to Assessed Risks): Explains how the auditor designs and performs audit procedures to respond to the assessed risks of material misstatement, thereby controlling Detection Risk.
Key Differences:
| Feature | Business Risk | Information Risk | Audit Risk |
|---|---|---|---|
| Primary Focus | Entity's ability to achieve objectives & survive | Reliability/Truthfulness of information for users | Auditor's opinion being wrong |
| Whose Risk | The Entity/Management | The User of Information (e.g., investor) | The Auditor |
| What it Affects | Overall business strategy, operations, profits | User's decisions based on unreliable data | Credibility of the audit opinion, auditor's reputation |
| Cause | Economic conditions, competition, operations, etc. | Bias, fraud, error, unreliable systems | Failure of audit procedures to detect misstatements |
| Management | Strategic planning, internal controls, risk management | Internal controls, external audit (reduces it) | Audit planning, nature, timing, extent of procedures |
| Relationship | Impacts information risk; assessed by auditor. | What the audit aims to reduce for users. | The risk the auditor accepts in issuing an opinion |
Understanding these distinctions is crucial for students, business professionals, and
auditors alike to effectively manage risks and ensure reliable financial reporting.