What is the audit risk model?
Every inspection cycle, regulators flag the same problem: auditors who assessed a risk as significant and then tested it exactly the same way they tested a low-risk area. The audit risk model exists to prevent that disconnect, yet the gap persists because too many firms treat the model as a form-filling exercise rather than a reasoning tool.
At its core, the model expresses audit risk (the risk that the auditor issues an inappropriate opinion on materially misstated financial statements) as a function of three components:
Audit Risk = Inherent Risk x Control Risk x Detection Risk
The product IR x CR is the risk of material misstatement (RMM): the part of the equation the auditor assesses rather than sets.
Inherent risk (IR) is the susceptibility of an assertion to material misstatement, assuming no related controls exist. IR is driven by the nature of the account, complexity of underlying transactions, the degree of judgement or estimation involved, and external factors such as industry volatility or regulatory change.
Control risk (CR) is the risk that a material misstatement would not be prevented or detected on a timely basis by the entity's internal controls. CR reflects the design and operating effectiveness of the control environment as it relates to a specific assertion.
Detection risk (DR) is the risk that the auditor's own procedures will fail to detect a material misstatement that exists. DR is the only component the auditor directly controls (by adjusting the nature, timing, and extent of substantive procedures).
I have reviewed files where the IR and CR assessments on page two of the planning memo bear no visible relationship to the sample sizes on page forty. That is not a documentation gap. It is a thinking gap, and the model is supposed to close it.
Key points
- The model drives all audit planning. The assessed levels of IR and CR determine how much substantive work the auditor must perform. Higher assessed risk of material misstatement (RMM) means the auditor must reduce DR through more extensive procedures.
- DR is the auditor's lever. IR and CR exist independently of the audit. The auditor can only influence DR by choosing more persuasive procedures, larger samples, testing closer to period-end, or some combination of these.
- ISA 315 (Revised 2019) introduced spectrum assessment. Rather than labelling IR simply "high," "medium," or "low," auditors now place it on a spectrum, considering both the likelihood and magnitude of potential misstatement. This applies at the assertion level for each significant class of transactions, account balance and disclosure.
- The model is conceptual, not mechanical. While the formula AR = IR x CR x DR suggests a precise calculation, in practice auditors exercise professional judgement at each step. The model provides a framework for structured reasoning, and the real test is whether your procedures actually change when your risk assessment changes.
Why it matters in practice
The standard says: assess risk, then design a response proportional to that risk (ISA 330.7). What actually happens is that most teams roll forward last year's working papers (WPs) with minor date changes. SALY (same as last year) is not an audit methodology, but it functions as one whenever the model becomes a tick-box exercise instead of a reasoning structure that shapes real decisions about sample sizes and testing timing.
That creates a structural contradiction. Regulators want bespoke risk responses. Firms want standardised efficiency. The audit risk model sits at the collision point between these two pressures, and the auditors caught in the middle often resolve the tension by writing a risk assessment that sounds bespoke while running a programme that is entirely standardised.
Worked example: Janssen Pharma BV
Dekker Accountancy audits Janssen Pharma BV, a mid-size pharmaceutical company. The audit team applies the audit risk model to plan procedures for revenue recognition, specifically the assertion of occurrence for product sales.
Step 1: assess inherent risk
For the IR factors specified in ISA 315 (Revised 2019) that bear on this assertion, the audit team documents its assessment:
- Complexity: moderate. Revenue arrangements include standard product sales, rebates, milestone-based licensing income, and a recently introduced consignment channel. The licensing component and consignment returns both involve estimation.
- Subjectivity: moderate to high. Variable consideration under IFRS 15 requires management to estimate rebate accruals and milestone probability.
- Change: high. Janssen launched two new products in Q3, creating new revenue streams with no historical baseline for estimation.
- Susceptibility to management bias: moderate. Revenue targets are linked to management bonuses, creating an incentive for overstatement.
Based on the spectrum assessment, the team assesses IR for the occurrence assertion as higher on the spectrum (not the maximum, but above the midpoint), driven primarily by the new product launches and variable consideration estimates.
Step 2: assess control risk
Next, relevant controls over revenue recognition are evaluated:
- Automated three-way match (customer purchase order, delivery note, invoice) for standard product sales. Well-designed and consistently operating. CR: lower.
- Manual review and approval of rebate accrual calculations by the finance director. The review is performed, but the team notes the finance director does not document the basis for challenging management's estimates. CR: moderate.
- No specific control over milestone revenue recognition. The CFO makes the determination without a formalised review process. CR: higher.
Combined IR and CR for the occurrence of revenue: significant risk for the licensing/milestone component, moderate risk for standard product sales, with the new consignment channel treated at this stage as covered by the same three-way match.
Step 3: set detection risk and plan procedures
Because RMM is assessed as significant for licensing revenue, the auditor must reduce DR to a very low level. The planned response includes:
- Nature: external confirmation of milestone achievement with the licensing counterparty, rather than relying solely on management's assessment. Inspection of underlying contracts for each new product launched in Q3.
- Timing: substantive procedures performed at year-end (not interim), with additional cutoff testing in the first two weeks of January.
- Extent: 100% testing of licensing revenue transactions (small population). For standard product sales, a larger monetary unit sampling (MUS) sample than the prior year, reflecting the new product launches.
For standard product sales (moderate risk), the auditor accepts a higher DR and performs a standard-sized sample with analytical procedures as a secondary source of evidence.
The complication
During year-end fieldwork, the team discovers that Janssen's Q4 consignment sales included a side letter granting the distributor unconditional return rights for 90 days after shipment. Management had not disclosed this arrangement. The three-way match control passed because the system only checks order, delivery note, invoice, and payment status; it does not flag contingent return clauses embedded in separate agreements.
This is where the model earns its keep. The team must now revisit step 2: the automated control they relied on did not address the relevant assertion (occurrence) for consignment revenue. CR for that revenue stream moves from "lower" to "higher." The cascade is immediate. Higher CR means higher RMM, which means DR must drop, which means the team needs to test 100% of consignment transactions and confirm terms directly with the distributor rather than relying on Janssen's records alone. An undisclosed side letter is also a fraud risk indicator, so step 1 is not untouched either: the management-bias factor for this stream should be reconsidered, and management's other representations about contract terms now carry less evidential weight on their own.
I think this kind of mid-engagement pivot is where the model genuinely proves its value, because it forces you to document why your response changed and by how much, rather than quietly adding a few extra samples and hoping nobody asks.
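The cascade in steps 1 to 3 and in the complication, as an added Python illustration. This is not code from the page and not a calculation the standards prescribe: the page is explicit that the model is conceptual, so the 0-1 spectrum values, the 5% target audit risk, the sample sizes and the stream names are assumed placeholders chosen only to show the direction and size of the change. The one rule it encodes is the page's own: when RMM rises, acceptable DR falls, and the planned extent must visibly move with it.

```python
"""Audit risk model as a planning check. Illustrative; all numbers are assumptions."""
from dataclasses import dataclass, replace

# Overall audit risk the firm accepts. Assumed figure: the page gives no
# number and the ISAs do not prescribe one.
TARGET_AUDIT_RISK = 0.05

# Sentinel for "test 100% of the population" in the extent column.
FULL_POPULATION = -1


@dataclass(frozen=True)
class StreamPlan:
    """Assessment and planned response for one revenue stream / assertion."""
    name: str
    inherent_risk: float   # IR placed on a 0-1 spectrum (assumed numeric mapping)
    control_risk: float    # CR on 0-1; 1.0 means no reliance on controls at all
    sample_extent: int     # planned items to test, or FULL_POPULATION


def risk_of_material_misstatement(plan: StreamPlan) -> float:
    """RMM = IR x CR: the part of the model the auditor assesses but does not set."""
    return plan.inherent_risk * plan.control_risk


def acceptable_detection_risk(plan: StreamPlan,
                              target_ar: float = TARGET_AUDIT_RISK) -> float:
    """Solve AR = IR x CR x DR for DR. Higher RMM -> lower acceptable DR.

    Capped at 1.0: a very low RMM does not license "no substantive work",
    since ISA 330.18 still requires substantive procedures for each material
    class of transactions, balance and disclosure.
    """
    rmm = risk_of_material_misstatement(plan)
    if rmm <= 0.0:
        return 1.0
    return min(1.0, target_ar / rmm)


def extent_increased(old: StreamPlan, new: StreamPlan) -> bool:
    """Did the planned extent actually grow between two versions of the plan?"""
    if new.sample_extent == FULL_POPULATION:
        return old.sample_extent != FULL_POPULATION
    if old.sample_extent == FULL_POPULATION:
        return False
    return new.sample_extent > old.sample_extent


def linkage_findings(before: list, after: list) -> list:
    """The reviewer's check, applied mechanically: for every stream whose
    acceptable DR fell between the two plan versions, the planned extent must
    have increased. Streams are matched by position, so both lists must be in
    the same order. Returns the names of streams that fail the check."""
    findings = []
    for old, new in zip(before, after):
        dr_fell = acceptable_detection_risk(new) < acceptable_detection_risk(old)
        if dr_fell and not extent_increased(old, new):
            findings.append(new.name)
    return findings


def janssen_initial_plan() -> list:
    """Steps 1 to 3 of the worked example, mapped to assumed spectrum values.
    IR is 'higher on the spectrum' for the occurrence assertion across streams;
    CR is 'lower' where the three-way match is relied on and 'higher' where
    no control exists."""
    return [
        StreamPlan("standard product sales", 0.6, 0.3, 60),
        StreamPlan("licensing/milestone", 0.6, 0.9, FULL_POPULATION),
        StreamPlan("consignment", 0.6, 0.3, 60),   # relied on three-way match
    ]


def after_side_letter(plan: list, consignment_extent: int) -> list:
    """The complication: the three-way match does not address occurrence for
    consignment revenue, so CR for that stream moves from lower to higher.
    The caller chooses the revised extent; that choice is what gets checked."""
    return [
        replace(p, control_risk=0.9, sample_extent=consignment_extent)
        if p.name == "consignment" else p
        for p in plan
    ]


if __name__ == "__main__":
    initial = janssen_initial_plan()
    for p in initial:
        print(f"{p.name:24s} RMM={risk_of_material_misstatement(p):.2f} "
              f"acceptable DR={acceptable_detection_risk(p):.3f} extent={p.sample_extent}")
    # "Quietly adding nothing": CR reassessed, extent rolled forward unchanged.
    print("SALY response flags:", linkage_findings(initial, after_side_letter(initial, 60)))
    # The page's response: 100% of consignment transactions.
    print("100% response flags:", linkage_findings(initial, after_side_letter(initial, FULL_POPULATION)))
```

Run as a script it prints the per-stream RMM and acceptable DR for the initial plan, then the linkage check for two versions of the post-discovery plan: the rolled-forward one fails on the consignment stream and the 100% one passes. The point is not the decimals, which are made up, but that the extent column is the only thing in the file the reviewer can use to see whether a reassessment changed anything.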
What reviewers catch
Missing linkage between risk assessment and procedures is the most common inspection finding. Auditors who assessed a risk as "significant" but designed the same response they would use for a moderate-risk area will draw a finding every time. A documented, logical connection between assessed RMM and the auditor's response is not optional.
Regulators also flag categorical risk assessment after ISA 315 (Revised 2019). Audit files that still label inherent risk only as "high/medium/low" without considering the inherent risk factors (complexity, subjectivity, change, uncertainty, susceptibility to bias) are treated as non-compliant with the standard.
A subtler problem is DR not adjusted for control deficiencies discovered during testing. When controls are found to be ineffective, the auditor must reassess CR and increase the extent of substantive procedures. Reviewers consistently flag cases where control exceptions were noted in the testing section but the substantive audit plan on the following page was not updated. The file reads as if two different teams wrote it.
Audit risk vs business risk
Audit risk is the auditor's risk of issuing an inappropriate opinion. Business risk is the entity's risk of failing to achieve its objectives. They overlap but are not the same thing.
Audit risk has three formal components (IR, CR, DR). Business risk is broader and includes strategic, operational, financial, and compliance risks. Business risks can create RMM, but not all business risks are relevant to the audit. The auditor considers business risk only to the extent it could result in material misstatement of the FS.
Why does this distinction matter in practice? Some auditors, particularly on first-year engagements, confuse the entity's biggest commercial threat with the audit's biggest risk. A client facing intense price competition may have a genuine business risk, but if their revenue is straightforward product sales with no estimation, that business risk does not automatically translate into a high IR for revenue occurrence.
Key standard references
- ISA 200.13(c) defines audit risk as the risk that the auditor expresses an inappropriate audit opinion when the FS are materially misstated.
- ISA 200.A37-A40 explains the relationship between the components of audit risk (IR, CR, DR) and how they interact.
- ISA 315.12-14 sets out requirements for identifying and assessing RMM at the assertion level, using the spectrum approach for IR.
- ISA 315.A3-A4 lists the inherent risk factors: complexity, subjectivity, change, uncertainty, and susceptibility to misstatement due to management bias or fraud.
- ISA 330.7 requires the auditor to design further audit procedures whose nature, timing, and extent are responsive to the assessed RMM at the assertion level.
Frequently asked questions
What are the three components of the audit risk model?
Inherent risk (IR) is the susceptibility of an assertion to misstatement before considering controls. It depends on the nature of the account, complexity of transactions, estimation involved, and external pressures. Control risk (CR) is the risk that a misstatement would not be prevented or detected by the entity's internal controls. It depends on the design and operating effectiveness of relevant controls. Detection risk (DR) is the risk that the auditor's procedures fail to detect a misstatement that exists. DR is the only component the auditor directly controls by adjusting the nature, timing, and extent of audit procedures.
How does ISA 315 (Revised 2019) change risk assessment?
ISA 315 (Revised 2019) replaces the simple high/medium/low labelling of inherent risk with a spectrum assessment. Auditors now place IR on a scale, considering both the likelihood and magnitude of misstatement. The standard also introduces explicit inherent risk factors (complexity, subjectivity, change, uncertainty, susceptibility to misstatement due to management bias or fraud) and requires inherent risk and control risk to be assessed separately at the assertion level, rather than as a single combined RMM rating.
What is the relationship between audit risk and the extent of procedures?
There is an inverse relationship between the assessed risk of material misstatement (IR x CR) and the acceptable level of DR. When IR and CR are assessed as higher, the auditor must reduce DR by performing more extensive procedures (larger samples, more persuasive evidence, testing at or near period-end rather than at an interim date). When IR and CR are lower, the auditor can accept a higher DR and perform less extensive procedures.