Every business activity carries a certain amount of risk. Whenever there is an audit there are several risks that need to be managed. The audit risk model classifies the risks that can happen, especially when an external auditor is being used.

What is audit risk?

Audit risk is the risk that the audit will have human errors in it and thus may not be able to uncover all the problems in the organization. Audit risk is inherent in all audits and needs to be mitigated through audit reviews and assessments carried out by someone other than the original auditor.

What is an audit risk model?

Businesses survive and thrive by making smart and informed decisions. Understanding the risks behind something is the smartest way to ensure that all risks are accounted for, and the activity is carried out using the best practices. The audit risk model is a model that divides the risks that have to be managed in an audit into three basic parts. The three basic components of an audit risk model are:

  • Control Risk
  • Detection Risk
  • Inherent Risk

The audit risk model has been designed to help businesses identify the problems that can occur in audits. There are many major accounting-related scandals that highlight the importance of these audits. Enron is perhaps the most well-known auditing scandal – and all three of these risks show up in the Enron scandal. Enron was regularly audited by what was perhaps the most respected auditing organization in the world, but it was still able to misreport figures and ended up losing money for hundreds of thousands of people.

The components of audit risk model

Let’s look at the three components in detail.

audit risk model

Control Risk

If a company hires an auditing company, the auditor from the external company will use the facts and figures provided by the company. There are many companies that have poor internal controls when it comes to data. People may misreport data or outright hide evidence of misdeeds from auditors because there were no internal controls to stop them, and the auditor will accept the data, assuming it can from a source of truth. When the audit is completed it will be based on the wrong numbers, which means that the audit itself will be wrong as well.

Control risk played a major part in the Enron scandal – the people providing the misleading numbers were widely respected and some of the most senior people in the organization. The audits were thus being carried out on the wrong numbers and no one knew until it was too late to do anything about it.

Learn about operational audit here: Operational audit

Detection Risk

Detection risk is also an important component of the audit risk model. Detection risk is the risk that the auditors will unintentionally not discover major problems and create a report which paints a good picture of the company. Every audit report carries a detection risk. We cannot guarantee that an audit has found all the major problems within the organization. External auditors can often miss major red flags, because they may not even realize how big the problem was or that something wrong was being done.

Going back to Enron, we can easily see how detection risks work. The people at the accounting firm who failed to detect the many problems in Enron’s books were not paid off or bribed in any way – they genuinely failed to discover any major problems in Enron. There are many reasons this happened – the major one being that no one really had a problem with Enron. The government was happy, the stockholders were happy, and Enron itself was happy with the audits being carried out, thus the auditing company had no reason to rethink their approach towards Enron.

Inherent Risk

Inherent risk is perhaps the hardest component of the audit risk model to mitigate. Sometimes, even with the best intentions and the right controls, the audit ends up missing vital information and does not uncover problems. There is an inherent risk of inaccuracy in audits due to the complex nature of businesses and the business environment. Sometimes the audit may make the right recommendations for the time when the audit was being performed, but those recommendations may no longer be viable once the audit report is published.

Managing all these components of the audit risk model isn’t easy. Want to see a better way of managing audits? Look at the functionality offered by the Predict360 Audit management solution and learn how your organization can do audits at a better pace with fewer resources.