What Is An Audit Risk Model? (With Definition And Example)

By Indeed Editorial Team

Published 13 July 2022

The Indeed Editorial Team comprises a diverse and talented team of writers, researchers and subject matter experts equipped with Indeed's data and insights to deliver useful tips to help guide your career journey.

Audit risk models are conceptual tools used by auditors to evaluate and manage the various risks associated with an audit. This tool helps an auditor determine the type and the amount of evidence required for each assertion. If you work in a finance or accounting firm, understanding this model can enhance your work performance. In this article, we learn what an audit risk model is, find out the risks it classifies, examine the steps to implement it and review an example to help you understand the concept better.

What Is An Audit Risk Model?

Before learning about audit risk models, it is essential to understand the concept of audit risks. Audit risk is a financial risk that arises when an auditor cannot identify errors or fraud that exist in a client's financial statements. Auditors can reduce audit risk by increasing the number of audit procedures. Maintaining a modest level of audit risk is an important component of auditing, since investors rely on auditor assurances when interpreting financial statements.

These professionals use various models to control audit risk to evaluate and manage the overall risk involved in conducting an audit. Using this model, the auditing team determines which procedures to use for the transactions and accounts in the financial statements of a company. These models are most effective when applied at the planning stage, but may not prove useful in evaluating audit activities.

Related: 10 Types Of Risks In Finance And Tips For Mitigating Impact

Risks Included In An Audit Risk Model

This model considers the following risks in each audit cycle:

Inherent risk

A company's inherent risk (IR) refers to the possibility of a material misstatement in its financial statements caused by errors or omissions other than the failure of internal controls. Inherent risk is higher with the involvement of judgment and estimation or when an entity's transactions are highly complex.

For example, auditing a newly formed financial institution entails inherent risks associated with significant trade and exposure to complex financial instruments. The exposure is higher than that associated with auditing a well-established manufacturing company that operates in a relatively stable environment.

Related: What Does An Internal Auditor Do? (Skills And Duties)

Control risk

Control risk (CR) is the risk of material misstatement of financial statements arising from ineffective or non-operating controls of an entity. Internal controls are necessary for preventing and detecting fraud and errors within organisations. A high level of control risk occurs when the audited entity does not maintain adequate internal controls for preventing and detecting instances of fraud and error in financial statements.

Control risk assessment can be higher for small companies that operate without a clear division of duties and prepare their financial reports by non-financial professionals.

Related: Governance, Risk And Compliance Tools (With Benefits)

Detection risk

Detection risk (DR) refers to the risk of the auditors failing to detect a material misstatement in the financial statements. Auditors use audit procedures to inspect the financial statements about material misstatements. It is possible to overlook a material misstatement if auditors cannot follow critical audit procedures.

Because of inherent limitations of the audit, such as the sampling process used to select transactions, there is always a possibility of detection risk. By increasing the number of sampled transactions for detailed testing, auditors can reduce this type of risk.

Related: What Does An Assistant Audit Officer Do? A Complete Guide

Elements Of Applying An Audit Risk Model

When applying the model, it is necessary for an auditor to perform the following actions:

Analyse the client's environment

Understanding the client's business and its environment is the first step in applying the model. There are several external factors that can affect how an organisation measures its financial performance, such as:

  • Nature of the client: This describes how the client conducts business, makes investments and files financial reports.

  • External factors: These include factors influencing client activity that are not within their control. For example, regulation of the industry, government policies and the specific characteristics of the industry, such as how fast products or services change or the difficulty to enter a new market.

  • Management strategies: This includes assessing how the company's management approaches external factors.

  • Financial performance indicators: This includes evaluating indicators regarding the financial performance of the client organisation, including key performance indicators, performance standards, incentive policies, key operating data and financial performance. Competitor information, current trends and forecasts are also a part of this assessment.

Related: What Is Financial Modelling? (With Benefits And Types)

Analyse the client's internal controls

The next phase involves assessing the company's internal controls, their design and implementation after analysing its business environment. Some of them include:

  • Control environment: This involves analysing the management's general attitude towards internal control practices.

  • Control activities: This includes analysing the effectiveness of the company's control systems.

  • Approach to risk assessment: This step involves reviewing the organisation's risk assessment, communication and monitoring policies and procedures

Related: What Is Risk Management? (Crucial Steps And Strategies)

Assess risk based on gathered data

By analysing both internal and external factors that may impact the accuracy of the financial statements of the client, an auditor can determine various aspects of an audit, such as timing, nature and scope. It is usually a good idea to identify the aspects that pose moderate to high risks and plan to test more rigorously based on those findings.

Related: What Does A Risk Manager Do? (How To Become One And Skills)

Evaluation Of Audit Risk

It is standard procedure to evaluate control risk and inherent risk first and use that information to determine the level of detection risk. After this, auditor programmes provide relevant audit evidence to demonstrate the intended level of detection risk. The following audit risk equation is used to determine the level of detection risk:

Audit risk = inherent risk x control risk x detection risk

Detection risk = (control risk x inherent risk) / audit risk

Related: 16 Types Of Audits (And Why Companies Conduct Them)

Example f An Audit Risk Modell

Consider this example of calculating the detection risk:

XYZ Global hired ABC Financial to audit its financial statements. During the audit planning, the auditors find the following factors that might influence risk assessment:

  • There are many branches, franchisees and subsidiaries within the company.

  • XYZ Global is a stock market-listed financial institution that is not a bank.

  • The company does not have an internal audit department, despite corporate governance guidelines.

  • The aim of audit firms is to keep audit risk under 5%.

Darling Global operates in a sector with many complex regulations. This results in a high level of inherent risk because of numerous related entities that could cause misinterpretation of its financial statements. Because the company lacks a competent internal audit department, control risk is also high. The audit team performs an initial assessment of XYZ Global and determines that control risk is 50% and inherent risk is 90%. Using the auditor risk model formula, they can assume an appropriate detection risk and keep the audit risk below 5%:

  • Audit risk: 0.05

  • Control risk: 0.5

  • Inherent risk: 0.9

0.05 = 0.9 (inherent risk) x 0.5 (control risk) x detection risk

Detection risk = 0.05 / (0.9 x 0.5) = 0.11 = 11/100 = 11%

Ways To Reduce Audit Risk

Professionals tasked with auditing require performing risk assessment at the planning stage of an audit. Since auditors cannot control inherent risk or control risk, they focus on reducing the detection risk. Here are some ways in which they can reduce audit risk:

  • Design audit procedures that are appropriate for the assessed risk

  • Ensure proper audit planning before beginning the audit process

  • Monitor audit tasks

  • Delegate audit tasks to other team members based on their skills and experience

  • Document the problems encountered during the audit procedure and the steps taken to resolve them

  • Review the audit work, including hot review and cold review, which includes a detailed verification of audit accounts and rectifying any issues

  • Perform extensive research and collaborate with other team members to ensure that the tasks are on schedule


Explore more articles