Key Takeaways

  • The audit risk model states that audit risk equals inherent risk multiplied by control risk multiplied by detection risk (AR = IR x CR x DR). ISA 200.A37–A44 presents the model.
  • Inherent risk is assessed at the assertion level using the spectrum of inherent risk introduced by ISA 315 (Revised 2019), considering likelihood of misstatement and its potential magnitude.
  • Control risk is a property of the entity. The auditor can test controls (and rely on a lower control risk) or accept control risk at maximum and perform substantive procedures only (ISA 330.8).
  • Detection risk is the only component the auditor directly controls, through the nature, timing, extent, and unpredictability of audit procedures.
  • The model is applied at the assertion level, not the account level. Different assertions on the same balance can have different risk profiles and different detection risk responses.

The model in one paragraph

ISA 200.A37–A44 presents the audit risk model. Audit risk (AR) is the risk that the auditor issues an inappropriate opinion on materially misstated financial statements. It is a function of the risk of material misstatement (RoMM) and detection risk (DR). The risk of material misstatement itself has two components: inherent risk (IR) and control risk (CR). The full model is AR = IR x CR x DR. The auditor cannot control inherent risk or control risk (those are properties of the entity), but the auditor can control detection risk by adjusting the nature and extent of audit procedures, including their timing. The lower the acceptable audit risk, the more work the auditor must do. The higher the combined inherent and control risk, the lower detection risk must be, which means more persuasive evidence is needed.

Inherent risk: what ISA 315 (Revised 2019) actually requires

Inherent risk is the susceptibility of an assertion about a class of transactions, account balance, or disclosure to a misstatement that could be material, before consideration of any related controls (ISA 200.A40). It is assessed at the assertion level, not the account level. The distinction matters: revenue as an account balance might have low inherent risk for existence but high inherent risk for completeness (if the entity has incentives to understate revenue for tax purposes) or for cut-off (if revenue spans reporting periods).

ISA 315 (Revised 2019) introduced the spectrum of inherent risk (ISA 315.A10–A14). Under the previous version, inherent risk was assessed as high, medium, or low. Under the revised standard, the auditor assesses inherent risk on a range from lower to higher, based on the likelihood of misstatement and its magnitude. This is not just a semantic change. The spectrum requires the auditor to consider how likely a misstatement is and how large it could be, and to position the risk assessment accordingly. A risk with high likelihood but low potential magnitude sits at a different point on the spectrum than a risk with low likelihood but catastrophic potential magnitude.

ISA 315 (Revised 2019) also identifies inherent risk factors (ISA 315.A222–A230) that drive the assessment. These include complexity, subjectivity, change, uncertainty, susceptibility to misstatement due to management bias, and susceptibility to misstatement due to other fraud risk factors. For each significant class of transactions, account balance, or disclosure, the auditor must assess which factors apply and how they affect the inherent risk at the assertion level.

Assertion-level documentation

In practice, this means your risk assessment working paper must show the assertion-level inherent risk assessment for every material balance, not a single "inherent risk: medium" per account.

Control risk: when to test controls and when to skip them

Control risk is the risk that a misstatement that could occur in an assertion and that could be material will not be prevented, or detected and corrected, on a timely basis by the entity's internal control (ISA 200.A40). Control risk is a property of the entity's control environment. The auditor assesses it; the auditor does not determine it.

The audit risk model creates a direct link between control risk and detection risk. If the auditor assesses control risk as low (strong controls exist and are operating effectively), detection risk can be higher, which means less substantive testing is needed. If the auditor assesses control risk as high (controls are weak, absent, or untested), detection risk must be lower, which means more substantive testing.

ISA 330.8 gives the auditor a choice: test controls (and rely on a lower control risk assessment to reduce substantive procedures) or accept control risk at maximum and perform substantive procedures only. For many non-Big 4 engagements on smaller entities, the second option is the practical default. Testing controls takes time, and if the entity's controls are informal or undocumented, the cost of testing often exceeds the time saved on substantive procedures.

But there is one case where the auditor must test controls: ISA 330.8(b) requires the auditor to test operating effectiveness of controls when substantive procedures alone cannot provide sufficient appropriate audit evidence at the assertion level. This typically arises when the entity processes a high volume of routine transactions through an automated system. If the entity's revenue consists of 500,000 automated invoices per year, the auditor cannot sample enough individual invoices to get comfortable without some reliance on the automated controls that process them.

Internal consistency check

The decision to test or not test controls should be documented in the planning memorandum and linked to the risk assessment. A file that assesses control risk as low for a balance but contains no tests of controls for that balance has an internal inconsistency that reviewers will flag.

Detection risk: the variable you control

Detection risk is the risk that the procedures performed by the auditor to reduce audit risk to an acceptably low level will not detect a misstatement that exists and that could be material (ISA 200.A43). It is the only component of the model that the auditor directly controls.

Detection risk is managed through four levers:

  • The nature of procedures: substantive analytical procedures provide different levels of assurance than tests of detail. Tests of detail using external confirmations provide different assurance than tests using internal documents.
  • The timing of procedures: procedures performed at an interim date provide less assurance about the year-end balance than procedures performed at or near year-end (ISA 330.A24–A25 requires additional procedures to cover the roll-forward period).
  • The extent of procedures: larger sample sizes reduce detection risk. Dual-purpose tests that combine tests of controls with substantive procedures can reduce detection risk efficiently when controls are strong.
  • The unpredictability of procedures: ISA 240.30 requires the auditor to incorporate an element of unpredictability in the procedures performed, which also reduces detection risk for fraud.

The model makes the relationship mechanical. If the auditor accepts audit risk at (say) 5%, and inherent risk is assessed at 90% and control risk at 80% (controls not tested, assessed at maximum), detection risk must be set at: DR = AR / (IR x CR) = 0.05 / (0.90 x 0.80) = 0.069, or approximately 7%. That 7% detection risk drives the sample size, the nature of procedures, and the extent of analytical procedures for that assertion.

In practice, few mid-tier firms calculate detection risk numerically. Most use a qualitative assessment: if combined inherent and control risk is high, detection risk is set to low, which triggers more extensive procedures. The qualitative approach produces the same outcome as the formula but is easier to document. Either approach is acceptable under the standards.

How the components interact on a real engagement

The model is not applied at the financial statement level. It is applied at the assertion level for each material class of transactions, account balance, and disclosure. Different assertions on the same balance can have different risk profiles.

Take trade receivables. For the existence assertion, inherent risk may be moderate (the entity has a stable customer base) and control risk may be low (the entity sends monthly statements and follows up discrepancies). Detection risk can therefore be higher, and the auditor might rely on a smaller sample of external confirmations supplemented by subsequent receipts testing.

For the valuation assertion on the same receivables balance, inherent risk may be high (the entity has recently expanded into a new market with untested customers, and management must estimate the expected credit loss under IFRS 9). Control risk may also be high (the entity's provision model is new and has not been validated). Detection risk must therefore be very low, requiring the auditor to perform detailed testing of the ECL model inputs, challenge management's assumptions, and potentially engage a specialist.

Same balance, same audit. Different assertions, different risk profiles, different detection risk, different procedures. The model forces this differentiation. Without it, the auditor applies the same procedures to every assertion on every balance, which is either insufficient (for high-risk assertions) or excessive (for low-risk assertions).

Worked example: Van Leeuwen Retail B.V.

Client profile: Van Leeuwen Retail B.V., a Dutch fashion retailer with 14 stores and an e-commerce channel. Revenue: €24M. Reporting framework: Dutch GAAP. Inventory: €3.8M (the single largest balance sheet item). Year-end: 31 December 2025.

The engagement team applies the audit risk model to inventory at the assertion level.

Existence assertion (does the inventory physically exist?)

Inherent risk: moderate. The entity sells standard clothing items, not bespoke products. Physical counts are performed annually. The risk of ghost inventory is low, but with 14 locations, there is a risk that inventory transfers between stores are double-counted.

Control risk: moderate. The entity uses an ERP system to track inter-store transfers, but the process relies on manual scans at the receiving store, and the prior-year audit found two instances of unrecorded transfers.

Detection risk: set to low. The auditor plans to attend physical counts at four of the 14 stores (selected based on inventory value and the inter-store transfer volume), perform roll-forward procedures from the count date to year-end, and test a sample of inter-store transfers for proper recording at both ends.

Documentation note

Record the assertion (existence), the inherent risk assessment (moderate, citing the inter-store transfer risk), the control risk assessment (moderate, citing the prior-year finding), and the detection risk response (low, with four store counts and transfer testing). Cross-reference to the ISA 315 risk assessment and the ISA 501 physical count plan.

Valuation assertion (is inventory stated at the lower of cost and net realisable value?)

Inherent risk: high. Fashion retail has rapid product cycles. End-of-season stock loses value quickly. The entity's markdown policy requires management judgment about which items will sell at full price and which will be discounted. The prior-year audit identified €180,000 of slow-moving stock that management had not written down.

Control risk: high. The entity has no formal slow-moving stock policy. Markdown decisions are made by the merchandising team without a documented framework. No automated ageing report exists.

Detection risk: must be very low. The auditor plans to obtain the full inventory ageing report, independently calculate the aged stock at risk using sell-through rates from the ERP, compare the result to management's provision, and test a sample of 30 specific items against post-year-end sales prices to verify net realisable value.

Documentation note

Record the more extensive response that the very low detection risk requires: larger sample (30 items versus the standard 15 for a balance of this size), independent recalculation of the ageing, and post-year-end NRV testing. State that the higher extent of testing is a direct response to the combined high inherent and high control risk on the valuation assertion. Reference ISA 330.7(b) for the linkage between assessed risk and the audit response.

Completeness assertion (is all inventory recorded?)

Inherent risk: low. The entity has no incentive to understate inventory (no loan covenants tied to inventory levels, no tax benefit from lower inventory). Goods received are processed through the ERP on arrival.

Control risk: low. The ERP creates a goods received note automatically when the purchase order is matched. Unmatched receipts generate an exception report reviewed weekly.

Detection risk: set to moderate. The auditor plans to perform a proof-in-total analytical procedure comparing the relationship between purchases and closing inventory to prior year, incorporating sales volume data, and to test a small sample of December goods received notes to confirm recording.

Documentation note

Record the lower extent of testing (analytical procedure plus small sample). State that the moderate detection risk is appropriate because both inherent and control risk are assessed as low. The model saves time here: the same balance (inventory) gets less work on the completeness assertion than on the valuation assertion, because the risk profile is different.

The total planned inventory hours for Van Leeuwen Retail: 68 hours. Without the model, a flat approach (same procedures on every assertion) would have required approximately 90 hours. The model directed 22 hours of effort away from low-risk assertions and toward the valuation assertion where the risk was concentrated.

Practical checklist for applying the model

  1. Assess inherent risk at the assertion level, not the account level. Each material balance should have an inherent risk assessment for every relevant assertion (existence, completeness, valuation, rights and obligations, presentation and disclosure). Use the ISA 315 (Revised 2019) inherent risk factors to support each assessment.
  2. Decide whether to test controls before setting detection risk. If you plan to rely on controls (assess control risk below maximum), you must test operating effectiveness under ISA 330.8. If you accept control risk at maximum, document that decision and plan substantive-only procedures.
  3. Set detection risk inversely to the combined inherent and control risk. High combined risk means low detection risk, which means more persuasive, more extensive procedures. Low combined risk means higher detection risk, which means less extensive procedures.
  4. Document the linkage. For every significant assertion, the file should show: inherent risk assessment with reasons, control risk assessment with reasons (including whether controls were tested), detection risk level, and the specific procedures that respond to that detection risk level. ISA 330.28 requires documentation of the overall responses to assessed risks and the linkage of procedures to assessed risks at the assertion level.
  5. Review the model at completion. ISA 330.25–26 requires the auditor to conclude whether sufficient appropriate audit evidence has been obtained. If misstatements were found that were not anticipated at planning, reassess whether the original risk assessments and detection risk levels were appropriate.

Common mistakes reviewers flag

  • The AFM's inspection findings for non-PIE firms have identified files where the risk assessment and the audit programme are not linked. The planning working paper assesses a risk as "high" but the audit programme applies standard (not enhanced) procedures. The model requires the linkage to be explicit, and ISA 330.28 requires it to be documented.
  • Quality reviewers flag files where detection risk is implicitly set at the same level for every assertion on every balance. This is sometimes called "flat-risk" auditing. ISA 200.A38 makes clear that the components of audit risk vary at the assertion level. A file where every balance receives the same sample size and the same procedures suggests the auditor did not apply the model.
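The linkage checks described above (reliance on controls without tests of controls, a high risk met with standard procedures, and flat-risk files) can be run mechanically over the assertion-level rows of a planning working paper. The sketch below is an added example, not part of the original guide or of any standard. The field names, the "standard"/"enhanced" programme labels, the treatment of "high" control risk as "maximum", and both sample files are assumptions constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class Row:
    assertion: str
    inherent_risk: str     # "low" | "moderate" | "high"
    control_risk: str      # "low" | "moderate" | "high" ("high" = maximum, an assumption)
    controls_tested: bool  # are tests of operating effectiveness on file?
    detection_risk: str    # planned level, e.g. "very low", "low", "moderate"
    programme: str         # "standard" or "enhanced" (labels assumed here)
    sample_size: int


def required_detection_risk(ar: float, ir: float, cr: float) -> float:
    """Solve AR = IR x CR x DR for DR, capped at 1.0 (a risk cannot exceed 100%)."""
    for name, value in (("AR", ar), ("IR", ir), ("CR", cr)):
        if not 0 < value <= 1:
            raise ValueError(f"{name} must be in (0, 1], got {value}")
    return min(1.0, ar / (ir * cr))


def review(rows: list[Row]) -> list[str]:
    """Return the inconsistencies a file reviewer would flag."""
    findings = []
    for r in rows:
        # Control risk assessed below maximum implies reliance, which needs tests of controls.
        if r.control_risk != "high" and not r.controls_tested:
            findings.append(f"{r.assertion}: control risk '{r.control_risk}' but no tests of controls")
        # A risk assessed as high must not be answered with standard procedures.
        if r.inherent_risk == "high" and r.programme == "standard":
            findings.append(f"{r.assertion}: inherent risk high but standard procedures")
    # Flat-risk: every assertion carries the same detection risk and sample size.
    if len(rows) > 1 and len({(r.detection_risk, r.sample_size) for r in rows}) == 1:
        findings.append("flat-risk: identical detection risk and sample size on every assertion")
    return findings


# Constructed rows. Risk levels follow the inventory example; controls_tested,
# programme and the sample size of 5 are invented for this illustration.
DEFECTIVE_FILE = [
    Row("existence", "moderate", "moderate", False, "low", "standard", 15),
    Row("valuation", "high", "high", False, "low", "standard", 15),
    Row("completeness", "low", "low", True, "low", "standard", 15),
]
LINKED_FILE = [
    Row("existence", "moderate", "moderate", True, "low", "standard", 15),
    Row("valuation", "high", "high", False, "very low", "enhanced", 30),
    Row("completeness", "low", "low", True, "moderate", "standard", 5),
]

if __name__ == "__main__":
    # Numeric form of the model with the figures used earlier (5%, 90%, 80%).
    print(f"DR = {required_detection_risk(0.05, 0.90, 0.80):.3f}")
    for finding in review(DEFECTIVE_FILE):
        print("FLAG", finding)
    print("linked file findings:", review(LINKED_FILE))
```
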

Frequently asked questions

What is the audit risk model formula?

The audit risk model states that audit risk equals inherent risk multiplied by control risk multiplied by detection risk (AR = IR x CR x DR). ISA 200.A37 defines audit risk as the risk that the auditor expresses an inappropriate opinion when the financial statements are materially misstated. The auditor cannot control inherent risk or control risk (those are properties of the entity), but can control detection risk by adjusting the nature, timing, and extent of audit procedures.

What changed about inherent risk under ISA 315 (Revised 2019)?

ISA 315 (Revised 2019) introduced the spectrum of inherent risk (ISA 315.A10–A14). Under the previous version, inherent risk was assessed as high, medium, or low. Under the revised standard, the auditor assesses inherent risk on a range from lower to higher, based on both the likelihood of misstatement and its magnitude. The standard also identifies specific inherent risk factors: complexity, subjectivity, change, uncertainty, susceptibility to management bias, and susceptibility to other fraud risk factors.

When must the auditor test controls instead of performing substantive procedures only?

ISA 330.8(b) requires the auditor to test operating effectiveness of controls when substantive procedures alone cannot provide sufficient appropriate audit evidence at the assertion level. This typically arises when the entity processes a high volume of routine transactions through an automated system. For example, if an entity's revenue consists of 500,000 automated invoices per year, the auditor cannot sample enough individual invoices without some reliance on automated controls.

Is the audit risk model applied at the financial statement level or assertion level?

The model is applied at the assertion level for each material class of transactions, account balance, and disclosure. Different assertions on the same balance can have different risk profiles. For example, trade receivables might have moderate inherent risk for existence but high inherent risk for valuation. ISA 200.A38 makes clear that the components of audit risk vary at the assertion level.

Do auditors need to calculate detection risk numerically?

No. In practice, few mid-tier firms calculate detection risk numerically. Most use a qualitative assessment: if combined inherent and control risk is high, detection risk is set to low, which triggers more extensive procedures. The qualitative approach produces the same outcome as the formula but is easier to document. Either approach is acceptable under the standards.

Further reading and source references

  • IAASB Handbook 2024: the authoritative source for ISA 200 (paras. A37–A44 on the audit risk model) and ISA 315 (Revised 2019).
  • ISA 315 (Revised 2019), Identifying and Assessing Risks of Material Misstatement: the standard that governs inherent risk assessment, including the spectrum of inherent risk and inherent risk factors.
  • ISA 330, The Auditor's Responses to Assessed Risks: the standard that translates risk assessments into audit procedures and requires documentation of the linkage.
  • ISA 530, Audit Sampling: detection risk drives sample sizes and the tolerable misstatement used in sampling plans.
  • ISA 240, The Auditor's Responsibilities Relating to Fraud: requires unpredictability in procedures as an additional response to fraud risk.