What is the audit risk model?
The audit risk model is the conceptual framework that auditors use to plan and execute an audit engagement. It expresses audit risk — the risk that the auditor issues an inappropriate opinion on materially misstated financial statements — as a function of three components:
Audit Risk = Inherent Risk x Control Risk x Detection Risk
Inherent risk (IR) is the susceptibility of an assertion to a material misstatement, assuming no related controls exist. It is driven by the nature of the account, the complexity of underlying transactions, the degree of judgement or estimation involved, and external factors such as industry volatility or regulatory change.
Control risk (CR) is the risk that a material misstatement would not be prevented or detected on a timely basis by the entity's internal controls. It reflects the design and operating effectiveness of the entity's control environment as it relates to a specific assertion.
Detection risk (DR) is the risk that the auditor's own procedures will fail to detect a material misstatement that exists. Detection risk is the only component the auditor directly controls — by adjusting the nature, timing, and extent of substantive procedures.
Key Points
- The model drives all audit planning. The assessed levels of inherent risk and control risk determine how much substantive work the auditor must perform. Higher assessed risk of material misstatement means the auditor must reduce detection risk through more extensive procedures.
- Detection risk is the auditor's lever. Inherent risk and control risk exist independently of the audit. The auditor can only influence detection risk — by choosing more persuasive procedures, larger samples, or testing closer to the period-end date.
- ISA 315 (Revised 2019) introduced spectrum assessment. Rather than assessing inherent risk as simply "high," "medium," or "low," auditors now assess it on a spectrum, considering both the likelihood and magnitude of potential misstatement. This applies at the assertion level for each significant class of transactions, account balance, and disclosure.
- The model is conceptual, not mathematical. While the formula AR = IR x CR x DR suggests a precise calculation, in practice auditors exercise professional judgement at each step. The model provides a framework for structured reasoning, not a mechanical computation.
Why it matters in practice
Worked example: Janssen Pharma BV
Dekker Accountancy audits Janssen Pharma BV, a mid-size pharmaceutical company. The audit team applies the audit risk model to plan procedures for revenue recognition, specifically the assertion of occurrence for product sales.
Step 1 — Assess inherent risk
The audit team considers the inherent risk factors specified in ISA 315 (Revised 2019):
- Complexity: Moderate. Revenue arrangements include standard product sales, rebates, and milestone-based licensing income. The licensing component involves estimation.
- Subjectivity: Moderate to high. Variable consideration under IFRS 15 requires management to estimate rebate accruals and milestone probability.
- Change: High. Janssen launched two new products in Q3, creating new revenue streams with no historical baseline for estimation.
- Susceptibility to management bias: Moderate. Revenue targets are linked to management bonuses, creating an incentive for overstatement.
Based on the spectrum assessment, the team assesses inherent risk for the occurrence assertion as higher on the spectrum (not the maximum, but above the midpoint) — driven by the new product launches and variable consideration estimates.
Step 2 — Assess control risk
The team evaluates the relevant controls over revenue recognition:
- Automated three-way match (purchase order, delivery note, invoice) for standard product sales — well-designed and consistently operating. Control risk: lower.
- Manual review and approval of rebate accrual calculations by the finance director — the review is performed but the team notes the finance director does not document the basis for challenging management's estimates. Control risk: moderate.
- No specific control over milestone revenue recognition — the CFO makes the determination without a formalized review process. Control risk: higher.
Combining the inherent and control risk assessments for the occurrence of revenue, the team concludes that the licensing/milestone component carries a significant risk of material misstatement, while standard product sales carry a moderate risk.
Step 3 — Set detection risk and plan procedures
Because the risk of material misstatement is assessed as significant for licensing revenue, the auditor must reduce detection risk to a very low level. The planned response includes:
- Nature: External confirmation of milestone achievement with the licensing counterparty, rather than relying solely on management's assessment. Inspection of underlying contracts for each new product launched in Q3.
- Timing: Substantive procedures performed at year-end (not interim), with additional cutoff testing in the first two weeks of January.
- Extent: 100% testing of licensing revenue transactions (a small population). For standard product sales, a larger monetary unit sampling (MUS) sample than in the prior year, reflecting the new product launches.
For standard product sales (moderate risk), the auditor accepts a higher detection risk and performs a standard-sized sample with analytical procedures as a secondary source of evidence.
What reviewers catch
- No linkage between risk assessment and procedures. The most common finding. Auditors assessed risk as "significant" but designed the same procedures they would for a moderate-risk area. The audit risk model requires a documented, logical connection between assessed risk and the auditor's response.
- Categorical (high/medium/low) risk assessment after ISA 315 (Revised). Regulators now expect spectrum-based inherent risk assessments. Audit files that still use "high/medium/low" without considering the inherent risk factors (complexity, subjectivity, change, uncertainty, susceptibility to bias) are flagged as non-compliant.
- Detection risk not adjusted for control deficiencies. When controls are found to be ineffective during testing, the auditor must reassess control risk and increase the extent of substantive procedures. Reviewers flag cases where control exceptions were noted but the substantive audit plan was not updated.
Audit risk vs business risk
- Whose risk. Audit risk is the auditor's risk of issuing an inappropriate opinion; business risk is the entity's risk of failing to achieve its objectives.
- Components. Audit risk has three formal components (IR, CR, DR); business risk is broader and includes strategic, operational, financial, and compliance risks.
- Relationship. Business risks can create risks of material misstatement (the combination of inherent and control risk), but not all business risks are relevant to the audit. The auditor considers business risk to the extent it could result in material misstatement of the financial statements.
- Control. The auditor controls detection risk; the entity controls business risk through its strategy and internal controls.
Key standard references
- ISA 200.13(c): Definition of audit risk — the risk that the auditor expresses an inappropriate audit opinion when the financial statements are materially misstated.
- ISA 200.A37-A40: The relationship between the components of audit risk (inherent risk, control risk, detection risk).
- ISA 315.12-14: Identifying and assessing risks of material misstatement at the assertion level, using the spectrum approach for inherent risk.
- ISA 315.A3-A4: Inherent risk factors — complexity, subjectivity, change, uncertainty, and susceptibility to misstatement due to management bias or fraud.
- ISA 330.7: The auditor's response to assessed risks — designing further audit procedures whose nature, timing, and extent are responsive to the assessed risks of material misstatement.
Frequently asked questions
What are the three components of the audit risk model?
The three components are: (1) Inherent risk — the susceptibility of an assertion to misstatement before considering controls. It depends on the nature of the account, the complexity of transactions, and the degree of estimation involved. (2) Control risk — the risk that a misstatement would not be prevented or detected by the entity's internal controls. It depends on the design and operating effectiveness of relevant controls. (3) Detection risk — the risk that the auditor's procedures fail to detect a misstatement that exists. Detection risk is the only component the auditor directly controls by adjusting the nature, timing, and extent of audit procedures.
How does the revised ISA 315 (2019) change risk assessment?
The revised ISA 315 replaces the categorical high/medium/low approach with a spectrum assessment of inherent risk. Auditors now assess inherent risk on a scale, considering both the likelihood and magnitude of misstatement. The standard also introduces explicit inherent risk factors (complexity, subjectivity, change, uncertainty, susceptibility to misstatement due to management bias or fraud) and requires a more granular assessment at the assertion level rather than the financial statement level.
What is the relationship between audit risk and the extent of procedures?
There is an inverse relationship between the assessed risk of material misstatement (IR x CR) and the acceptable level of detection risk. When inherent risk and control risk are assessed as higher, the auditor must reduce detection risk by performing more extensive procedures — larger samples, more persuasive evidence, testing at or near period-end rather than at an interim date. Conversely, when inherent and control risks are lower, the auditor can accept a higher detection risk and perform less extensive procedures.