Audit Risk Model

Audit risk model is a tool used by auditors to understand the relationship between various risks arising from an audit engagement enabling them to manage the overall audit risk. Audit risk model suggests that overall audit risk of an engagement is the product of the following three component risks:

  • Inherent Risk
  • Control Risk
  • Detection Risk

This is often represented in equation form as follows:

Audit Risk = Inherent Risk × Control Risk × Detection Risk

Since inherent risk and control risk make up risk of material misstatement, therefore another way to state audit risk model is:

Audit Risk = Risk of Material Misstatement × Detection Risk

The Components

Audit risk is the risk that the auditor gives an inappropriate opinion on an audit engagement. This usually means giving a clean/unqualified opinion when financial statements are in fact materially misstated.

Inherent risk arises due to susceptibility of an item to misstatement due to its nature. For example, there is inherent risk of misstatement in estimates because they involve judgement.

Control risk is the risk that internal controls established by a company, to prevent or detect and correct misstatements, fail and thus the financial statement items become misstated.

Detection risk arises because the auditor’s methods and procedures, to test balances and transactions for misstatements, fail to detect all the misstatements.

How Auditors Use Audit Risk Model?

Auditor’s goal is to reduce overall audit risk to an acceptable level. In order to do that, they will first assess the levels of each component risk of the model. The risk values are not readily quantifiable though and auditors use professional judgement to assess the risks. This means that the above equation is not typically used to calculate risks like other mathematical equations are normally used. The auditors will nevertheless assess the risk values in some form, often by descriptive means.

The auditors then use the model to establish relationship between the risks and take action to reduce overall audit risk to an acceptable level.

The risk of material misstatement is under the control of management of the company and the auditor can only directly manipulate detection risk. So, if their assessment of the risk of material misstatement and audit risk is high, they must reduce the detection risk in order to contain overall audit risk within acceptable level.

Detection risk can be manipulated by various means some of them being: changing the composition of the engagement team, changing the types of procedures and changing the duration of audit work. For example, detection risk and thus audit risk is normally reduced when more skilled personnel are assigned to engagement team or when larger sample sizes are selected or when substantive test of details are performed instead of analytical procedures.

Written by Irfanullah Jan and last modified on