Maggie has over 15 years of experience in Risk Management and IT Compliance. She spent nearly 10 years in KPMG’s IT Advisory and Attestation practice before joining a financial technology company as the Risk and Compliance Director. She has overseen numerous SOC 1 / SOC 2 audits and other IT Compliance audits and has vast experience implementing risk management and IT compliance solutions.
- The first part of the audit risk model is the risk of material misstatement (RMM).
- This means auditors can reduce their substantive work and the risk is still acceptably low.
- The independent and external audit report is typically published with the company’s annual report.
- Their objective is confirming whether the financial statement assertions have been adhered to, and whether the financial statements are true and fair.
- Control risk is the risk that internal controls established by a company, to prevent or detect and correct misstatements, fail and thus the financial statement items become misstated.
- Inherent risk is perhaps the hardest component of the audit risk model to mitigate.
Control Risk is the risk of a material misstatement in the financial statements arising due to absence or failure in the operation of relevant controls of the entity. The model then uses inherent, detection, and control risks to solve for audit risk. By understanding how the model is limited, auditors and companies can understand how to mitigate these and still provide the proper risk assessments. For example, jewelry stores’ inventory is inherently susceptible to theft.
Detection Risk (DR)
With automation software, businesses can reduce their inherent risk and control risk, making the audit risk model easier to manage when it comes time for an auditor to perform their job. The audit risk formula can also be expressed in terms of the risk of material misstatement and detection risk. This is because the risk of material misstatement is the combination of inherent risk and control risk. If auditors believe that the client’s internal control can reduce the risk of material misstatement, they will assess the control risk as low and perform the test of controls to obtain evidence to support their assessment. The detection risk of audit evidence for an assertion failing to detect material misstatements is 5%. The audit, therefore, provides (1 – .05) assurance that the financial statements are free from material misstatement.
Sometimes, even with the best intentions and the right controls, the audit ends up missing vital information and does not uncover problems. There is an inherent risk of inaccuracy in audits due to the complex nature of businesses and the business environment. Sometimes the audit may make the right recommendations for the time when the audit was being performed, but those recommendations may no longer be viable once the audit report is published. Auditors usually make use of the relationship of the three components of audit risk to determine an acceptable level of risk.
Exploring the Key Components of the Audit Risk Model
Detection risk is the risk that the auditor will not identify a material misstatement. Key risks can be identified at any stage of the audit process, and ISA 315 requires that the engagement partner should also determine which matters are to be communicated to those engagement team members not involved in the discussion. However, there’s some level of detection risk involved with every audit due to its inherent limitations. This includes the fact that financial statements are created with a standard range of acceptable numerical values. The conclusion of the audit risk model is that there’s a planned detection risk of 14%, meaning that the auditor needs to manage risks to ensure the risk of detecting material misstatements falls below this level.
It would not make economic sense to perform extensive tests on the existence assertion for this inventory. The auditor’s efforts would be better utilized on a high risk assertion. The audit risk model states that audit risk is a function of RMM (which is made up of IR and CR) and DR. Inherent risk is higher when there’s estimation or transactions have layers of complexity. To illustrate, the inherent risk of a newly formed startup that operates in a fast-paced and risky market environment is more likely to be higher than that of an established big box retailer that operates in a consistent, predictable environment.
We should not take internal control into consideration when assessing inherent risk. Detection risk is the risk that the audit procedures used are not capable of detecting a material misstatement. This is especially likely when there are several misstatements that are individually immaterial, but which are material when aggregated. The outcome is that the auditor would conclude that there is no material misstatement of the financial statements when such an error actually exists.
- Now let’s say management has not hired security guards or equipped the store with cameras.
- From Question 3b June 2011, in relation to the risk of valuation of receivables, as Donald Co had a number of receivables who were struggling to pay, many candidates suggested that management needed to chase these outstanding customers.
- The audits were thus being carried out on the wrong numbers and no one knew until it was too late to do anything about it.
- Inherent risk comes from the size, nature and complexity of the client’s business transactions.
- For example, there is inherent risk of misstatement in estimates because they involve judgement.
- Detection risk is also an important component of the audit risk model.