
Audit Risk — Inherent Risk, Control Risk, Detection Risk (SA 200)

## Audit Risk

### Definition

Audit risk is the risk that the auditor expresses an inappropriate audit opinion when the financial statements are materially misstated — specifically, issuing an unmodified (clean) opinion on materially misstated statements.

$$\text{Audit Risk} = \text{Risk of Material Misstatement (RMM)} \times \text{Detection Risk (DR)}$$

---

### Risk of Material Misstatement (RMM)

RMM is the risk that financial statements are materially misstated prior to audit (i.e., due to fraud or error before the auditor begins work).

RMM operates at two levels:

| Level | Meaning |
| --- | --- |
| Financial statement level | Pervasive risks affecting the statements as a whole; potentially impact many assertions |
| Assertion level | Risks for specific classes of transactions, account balances, or disclosures — drives nature, timing, and extent of further audit procedures |

#### Components of RMM at Assertion Level

Inherent Risk (IR)

> The susceptibility of an assertion to a material misstatement before consideration of any related controls.

Driven by the nature of the business, the complexity of the transaction, and management judgment.

Control Risk (CR)

> The risk that a material misstatement in an assertion will not be prevented, or detected and corrected on a timely basis, by the entity's internal control.

---

### Detection Risk (DR)

The risk that the auditor's own procedures will not detect a material misstatement that exists.

| Sub-component | Meaning |
| --- | --- |
| Sampling risk | Sample chosen is not representative — conclusion from the sample differs from testing the whole population |
| Non-sampling risk | Erroneous conclusion for reasons unrelated to sampling — e.g., applying an inappropriate procedure or incorrect execution |

---

### Critical Principle: Only Detection Risk Is in the Auditor's Control

| Risk | Controlled by |
| --- | --- |
| Inherent Risk | The entity (nature of transactions, business environment) |
| Control Risk | The entity (quality of internal controls) |
| Detection Risk | The auditor |

The auditor reduces detection risk by:

  • Increasing the area of checking
  • Testing larger samples
  • Deploying competent and experienced engagement team members

---

### What Audit Risk Does NOT Include

Audit risk is a technical, process-specific concept. It does not include business risks such as:

  • Loss from litigation
  • Adverse publicity
  • Other events arising in connection with the audit

### Assessment of Risks

Risk assessment is a matter of professional judgment — it is not capable of precise measurement.

Worked example

### Example 1

High IR + High CR → Must drastically reduce DR: A company deals in complex financial derivatives (high inherent risk for fair value). Its internal controls over derivative valuation are poorly designed (high control risk). To keep overall audit risk acceptably low, the auditor must significantly reduce detection risk — e.g., engaging a valuation expert, expanding sample sizes, and deploying the most experienced team members.

### Example 2

Sampling risk illustration: An auditor tests 20 sales invoices out of 500, and the 20 chosen happen to exclude the 5 fraudulent invoices clustered in a specific customer account. The sample conclusion (no misstatement) differs from what testing all 500 would show. This is sampling risk — mitigated by using statistical/random sampling or increasing sample size.

### Example 3

Non-sampling risk illustration: An auditor applies analytical procedures to verify payroll by comparing total wages to headcount, but inadvertently uses last year's headcount data instead of the current year. The conclusion is wrong — not because of the sample, but because of an incorrect application of the procedure. This is non-sampling risk.

⚠️ Common exam mistakes

  • Thinking the auditor can directly reduce inherent risk or control risk — these belong to the entity; the auditor can only influence detection risk.
  • Including business risks (lawsuits, reputational damage from the audit) within the definition of audit risk — audit risk relates solely to the risk of issuing an inappropriate opinion.
  • Treating risk assessment as a mathematical formula yielding a precise percentage — it is professional judgment, not precise measurement.
  • Confusing inherent risk with control risk: IR is about the susceptibility of the assertion before any controls; CR is about whether controls actually prevent or catch the error.
  • Forgetting that detection risk has two sub-components — sampling risk (unrepresentative sample) and non-sampling risk (wrong procedure or wrong execution).

Bare-Act text: Definitions — Inherent Risk, Control Risk, Detection Risk · SA 200 — Overall Objectives of the Independent Auditor and the Conduct of an Audit in Accordance with Standards on Auditing

Inherent risk is the susceptibility of an assertion about a class of transaction, account balance or disclosure to a misstatement that could be material, either individually or when aggregated with other misstatements, before consideration of any related controls.

Control risk is the risk that a misstatement that could occur in an assertion about a class of transaction, account balance or disclosure and that could be material, either individually or when aggregated with other misstatements, will not be prevented, or detected and corrected, on a timely basis by the entity's internal control.

Detection risk is the risk that the procedures performed by the auditor to reduce audit risk to an acceptably low level will not detect a misstatement that exists and that could be material, either individually or when aggregated with other misstatements.