The audit risk model determines the total amount of risk associated with an audit, and describes how this risk can be managed. The calculation is:
Audit risk = Control risk x Detection risk x Inherent risk
These elements of the audit risk model are:
- Control risk. This risk is caused by the failure of existing controls or the absence of controls, leading to incorrect financial statements.
- Detection risk. This risk is caused by the failure of the auditor to discover a material misstatement in the financial statements.
- Inherent risk. This risk is caused by an error or omission arising from factors other than control failures. This risk is most common when accounting transactions are quite complex, there is a high degree of judgment involved in accounting for transactions, or the training level of the accounting staff is low.
When planning an audit engagement, the audit must review each of the subsidiary levels of risk to determine the total amount of audit risk. If the risk level is too high, the auditor conducts additional procedures to reduce the risk to an acceptable level. When the level of control risk and inherent risk is high, the auditor can increase the sample size for audit testing, thereby reducing detection risk. Conversely, when control risk and inherent risk are considered to be low, it is safe for the auditor to reduce the sample size for auditing testing, which increases detection risk.