Audit risk model definition
What is the Audit Risk Model?
The audit risk model determines the total amount of risk associated with an audit, and describes how this risk can be managed. The model incorporates three types of audit risk into the following equation:
Audit risk (AR) = Control risk (CR) × Detection risk (DR) × Inherent risk (IR)
The three types of audit risk included in the equation are expanded upon below.
Control Risk
Control risk is the risk that potential material misstatements would not be detected or prevented by a client’s control systems. When there are significant control failures, a client is more likely to experience undocumented asset losses, which means that its financial statements may reveal a profit when there is actually a loss. In this situation, the auditor cannot rely on the client’s control system when devising an audit plan.
Detection Risk
Detection risk is the risk that the audit procedures used are not capable of detecting a material misstatement. This is especially likely when there are several misstatements that are individually immaterial, but which are material when aggregated. The outcome is that the auditor would conclude that there is no material misstatement of the financial statements when such an error actually exists. Increasing the quantity and especially the quality of audit procedures will reduce detection risk.
Inherent Risk
Inherent risk is the risk that a client’s financial statements are susceptible to material misstatements in the absence of any internal controls to guard against such misstatement. Inherent risk is greater when a high degree of judgment is involved in business transactions, since an inexperienced person is then more likely to make an error. It is also greater when significant estimates must be included in transactions, where an estimation error can be made, and when the transactions in which a client engages are highly complex, and so are more likely to be completed or recorded incorrectly. Finally, this risk is present when a client engages in non-routine transactions for which it has no procedures or controls, thereby making it easier for employees to complete them incorrectly.
Inherent Limitations of an Audit
Of these three risks, only detection risk is largely under the control of the auditor. That being said, there will always be some amount of detection risk, due to the inherent limitations of an audit. These inherent limitations are caused by the following issues:
The nature of the financial reporting. The creation of financial statements usually involves a certain amount of subjective decision-making, where there is a range of possible numerical values that may be considered acceptable. This means that some line items will inherently be subject to a certain amount of variability that cannot be resolved by adding more audit procedures.
The nature of the audit procedures conducted. There are limitations on an auditor’s ability to obtain audit evidence, because the information provided by the client may not be complete, there is always a fraud risk, and the auditor does not have the legal power to conduct a proper investigation into wrongdoing at a client.
The timing and cost restrictions imposed on an audit. The auditor must make sufficient time and resources available to conduct an audit. Nonetheless, it is impracticable to address all information that may exist, or to pursue every matter in exhaustive detail. Consequently, the auditor is expected to focus resources on those areas most likely to contain risks of material misstatement, which means that reduced resources are targeted at other areas of an audit.
How to Evaluate Audit Risk
The standard approach to the evaluation of risk is to first assess control risk and inherent risk, and use this information to decide upon the most appropriate planned level of detection risk. Then, audit programs are designed to obtain the audit evidence that will support the planned level of detection risk. To arrive at the planned level of detection risk, the following modified version of the audit risk equation can be used:
Planned level of detection risk = (Control risk × Inherent risk) ÷ Acceptable audit risk
Example of the Audit Risk Model
An auditor is conducting an initial assessment of a new client, where the acceptable audit risk is 5%. The control risk is initially assessed to be 50%, while the inherent risk is assessed at 90%. By plugging this information into the revised audit risk equation, he arrives at the following outcome:
Planned level of detection risk = (0.50 control risk × 0.90 inherent risk) ÷ 0.05 acceptable audit risk
Planned level of detection risk = 9%
Given these risk levels, the auditor needs to plan his substantive audit tests to reduce the risk of not detecting material misstatements to 9%.
Problems with the Audit Risk Model
Though the audit risk model seems simple enough, there are some issues to be aware of, which are as follows:
Subjectivity in risk assessment. The audit risk model relies on auditors' judgment to estimate inherent risk, control risk, and detection risk. This subjectivity can lead to inconsistent assessments, especially when auditors lack sufficient experience or understanding of the client's industry and internal controls.
Assumption of independence among risks. The model assumes that inherent risk, control risk, and detection risk are independent of each other, which may not always hold true. For example, weak internal controls (high control risk) might influence the likelihood of material misstatements (inherent risk), complicating risk assessment.
Oversimplification of audit risk. The audit risk model simplifies audit risk into a straightforward mathematical equation (Audit Risk = Inherent Risk × Control Risk × Detection Risk). However, audit risk is influenced by many qualitative factors, such as management integrity and organizational complexity, which are not adequately captured by the model.
Challenges in controlling detection risk. Detection risk (the risk that audit procedures fail to detect a material misstatement) is supposed to be manageable through the scope and nature of audit tests. However, limitations in audit evidence, sampling risks, and time constraints can hinder the auditor’s ability to effectively control detection risk.
Limited guidance for complex environments. The model may not adequately address risks in complex or rapidly evolving environments, such as businesses with significant digital assets, extensive use of automation, or complex financial instruments. In such cases, the model’s traditional risk components may not capture all relevant risks.
False sense of precision. Assigning numerical values to different types of risk can create a false sense of precision and security. The actual effectiveness of the model heavily depends on the auditor's ability to make accurate judgments, which are inherently uncertain.
These problems suggest that while the audit risk model provides a useful framework, auditors must apply it cautiously, supplementing it with professional judgment and a deeper analysis of the client's specific risk environment.