How to Utilize an Audit Risk Model
An audit risk model is an integral part of compliance management because it preempts and mitigates the risks associated with human error. Accounting for audit risks helps businesses ensure that they are prepared when such errors occur.
This model classifies the risks that can arise during an audit, especially when an external auditor is used. Every business activity carries a certain amount of risk, and every audit involves several risks that need to be managed.
What is the Audit Risk Model?
Businesses survive and thrive by making smart and informed decisions. Understanding the risks behind an activity is the smartest way to ensure that all risks are accounted for and that the activity is carried out using best practices. The audit risk model divides the risks that must be managed in an audit into three basic parts:
- Control Risk
- Detection Risk
- Inherent Risk
The audit risk model has been designed to help businesses identify the problems that can occur during audits. There are a few examples of major accounting-related scandals that highlight these problems and how they can be mitigated.
The Enron auditing scandal is perhaps the most well-known auditing scandal, and an example of where all three of the above risks show up. Enron was regularly audited by what was perhaps the most respected auditing organization in the world, but it still misreported figures and lost money for hundreds of thousands of people.
Three Basic Components of Audit Risk Model
Let’s look at the three components in detail to better understand how they are interconnected.

Control Risk
If a company hires an auditing company, the auditor from the external company will use the facts and figures provided by the company. There are many companies that have poor internal controls when it comes to data.
People may misreport data or outright hide evidence of misdeeds from auditors because there were no internal controls to stop them. The auditor may accept the data, assuming it came from a source of truth. The audit is then based on the wrong numbers, which means it will be wrong as well.
Control risk played a major part in the Enron scandal. The people providing the misleading numbers were widely respected and some of the most senior people in the organization. The operational audits were thus being carried out on the wrong numbers, and no one knew until it was too late to do anything about it.
Detection Risk
Detection risk is also an important component of the audit risk model. Detection risk is the risk that the auditors will unintentionally fail to discover major problems and will produce a report that paints a good picture of the company.
Every audit report carries a detection risk. We cannot guarantee that an audit has found all the major problems within the organization. External auditors can often miss major red flags because they may not realize how big the problem is or that something wrong is being done.
Going back to Enron, we can easily see how detection risks work. The people at the accounting firm who failed to detect the many problems in Enron’s books were not paid off or bribed in any way – they genuinely failed to discover any major problems in Enron.
The major reason that this happened is likely that there were historically no problems with Enron. The government was happy, the stockholders were happy, and Enron itself was happy with the audits being carried out, thus the auditing company had no reason to rethink their approach towards Enron.
Inherent Risk
Inherent risk is perhaps the hardest component of the audit risk model to mitigate. Sometimes, even with the best intentions and the right controls, the audit ends up missing vital information and does not uncover problems.
There is an inherent risk of inaccuracy in audits due to the complex nature of businesses and the business environment. Sometimes the audit may make the right recommendations for the time when the audit was being performed, but those recommendations may no longer be viable once the audit report is published.
Mitigating Audit Risk
The three risk components above work together in a formula to quantify risk and determine what the appropriate level of testing for each would be. The audit planning process also takes a predetermined percentage of acceptable risk into account.
A few of the common mistakes made by teams in setting up this process include:
- Treating risks as independent when they interact and relate to one another.
- Using overly precise decimal values, such as 0.53 instead of 0.50.
- Setting acceptable audit risk without stakeholder input. The audit risk level should reflect organizational tolerance for risk and regulatory requirements.
- Failing to reassess risks as evidence arises during the audit.
However, there is a better way of managing audits. Organizations are now using GRC technology with built-in functionality, like that offered by Predict360’s audit management software. Learn how your organization can do audits at a better pace with fewer resources.



