Inherent Risk vs. Control Risk: What’s the Difference?

Inherent risk and control risk are two of the three parts of the audit risk model, which auditors use to determine the overall risk of an audit. Inherent risk is the initial risk related to the company’s business activities without considering internal controls and their impact on the overall risk rating of those activities.

Control risk, on the other hand, is the chance of a risk materializing due to a failure in the set of controls placed by the business. For example, material misstatements could appear while preparing a company’s financial statement due to a lack of relevant internal controls to mitigate a particular risk.

There is a distinct difference between inherent risk and control risk. The inherent risk stems from the nature of the business operation without implementing internal controls to mitigate the risk. Control risk arises because an organization lacks adequate internal controls to prevent and detect fraud and error.

Every business transaction has a high, medium, or low risk that companies should mitigate via internal controls. However, just implementing an internal control system isn’t good enough.

Inherent risk and control risk are essential concepts in risk management. By nature, business actions are subject to various risks that can diminish the positive effects they can bring to a company.

The third component of the audit risk model is detection risk, which is the risk that the auditors won’t detect a material misstatement in an organization’s financial statements.

Explaining the three elements of audit risk

Audit risk is the risk that a company’s financial statements are materially incorrect, even though the auditors state that the financial statements don’t contain any material misstatements.

The purpose of an audit is to cut the audit risk to an acceptable level. During an audit, the auditors examine the audit’s inherent and control risks while also understanding the company and its environment.

Consequently, auditors have to do a risk assessment of each component of audit risk and ensure the accuracy of the information in the financial statements. Since investors, creditors, and others depend on the financial statements, audit risk may carry legal liability for a Certified Public Accountant (CPA) firm that conducts the audits.

Audit risk is usually considered the product of the various risks that auditors may find when they conduct audits. That is, audit risk = inherent risk x control risk x detection risk.

Inherent Risk

Inherent risk is looked at as untreated risk, i.e., the natural level of risk inherent in a business process or activity before the company implements any procedures to reduce the risk. This is the amount of risk before a company applies any internal controls.

One key factor that brings about inherent risk is how a company conducts its day-to-day operations. A company that can’t cope with a rapidly changing business environment and indicates that it’s unable to adapt could increase the level of inherent risk.

Another issue that could increase the inherent risk level is how a company records complex transactions and activities. A company collecting data from several subsidiaries to combine that information later is considered engaging in complicated work, which could comprise material misstatements and give rise to inherent risk.

In addition, inherent risk can be increased because of the lack of integrity of a company’s management. A company can mitigate inherent risk by implementing internal controls.

Examples of Inherent Risk

• Lack of Integrity in the Company’s management. Company leadership engaging in unethical business practices could negatively affect the company’s reputation, leading to a loss of business and increasing inherent risk.
• Inadequate Audits. Previous weak, biased audits or in which auditors intentionally ignored misstatements could increase the risk of material misstatement.
• Transactions between related entities. There’s a chance that the asset’s value involved in any financial deal between the associated parties might be overstated or understated.
• Cybersecurity breach due to human error. Employees entering the workplace or accessing papers often utilize tags and key passes. These key passes and tags might be stolen or lost and used to gain unlawful access to the business infrastructure, creating information security risks.

How do you Identify Inherent Risks?

The presence of inherent risk is unavoidable. This means that any company is vulnerable to inherent risk. The odds of inherent risk are minimal when a corporation has a simple corporate structure. However, more sophisticated organizations with convoluted structures have greater inherent risk.

Companies working in highly regulated industries, as with financial institutions, are more likely to have higher inherent risk, notably if the business needs a team of internal auditors or an audit department lacking an oversight group with a financial background.

Auditors can utilize inherent risk to identify prospective threats, the likelihood of an incident, and the potential impact. When looking for the risk profile of your company, take into consideration the following risk factors:

• Business Type

• Execution of Data Processing

• Complexity Level

• Management Style and Reliability

• Previous Audits

Control Risk

Control risk is the likelihood of loss stemming from the malfunction of the relevant internal controls a company implements to mitigate risks or the absence of those appropriate internal controls altogether.

Control risks happen because of the limitations of a company’s internal control system. If the internal control systems aren’t reviewed periodically, they will likely lose effectiveness over time.

In a financial environment, control risk is the chance that financial statements are materially misstated because of failures in a company’s system of internal controls.

If there is a significant control failure, an organization will probably suffer undocumented asset losses, i.e., its financial statements might identify a profit although there’s a loss.

An organization’s leadership is responsible for designing, implementing, and maintaining a system of internal controls that can adequately prevent the loss of assets. However, it’s not easy for a company to maintain a solid system of internal controls.

Management should review the internal control system annually and update the internal controls to fit ongoing changes in the business.

The following elements increase control risk:

• There’s no segregation of duties.
• Documents are approved without management review.
• Transactions aren’t verified.
• The supplier selection process isn’t transparent.

Companies should decide what type of internal controls to implement for each risk based on the likelihood of the risk and the amount of financial loss if the risk does occur.

A risk’s likelihood and impact can be high, medium, or low. A company that thinks it’s highly likely that a particular risk will occur and cause significant financial loss should implement highly effective internal controls.

Companies develop internal controls to manage inherently risky areas. An organization might implement internal controls to decrease the risk that payables are understated.

Examples of such internal controls include:

• The chief financial officer reviews the payables details at the end of each period and determines if the list is complete.
• The payables manager reviews all the invoices entered into the payables system.
• The payables manager asks all payables clerks about unprocessed invoices at the end of the period.
• Department heads review the budget-to-actual report.

Inherent risk exists independent of internal controls. Control risk exists when the design or operation of a control doesn’t eliminate the risk of a material misstatement.

But even after a company implements the required internal controls, there’s no guarantee that the risk can be removed entirely. As such, part of the risk might remain. This type of risk is known as residual risk, as it is the risk that remains after the company implements the internal controls.

Detection Risk

Detection risk is the risk that the auditors’ procedures cannot detect any material misstatements in a company’s financial statements.

An auditor uses the audit risk model to understand the relationship between the detection risk and the other audit risks, i.e., inherent risk, control risk, and the overall audit risk, enabling him to determine an acceptable level of detection risk.

Although detection risk can’t be eliminated totally, the auditor can reduce it by modifying certain factors, including:

• The makeup of the engagement team, e.g., the competence and skill of the auditors and the size of the engagement team
• The types of audit procedures, e.g., the degree of substantive procedures compared to the tests of internal controls, the evidence collection procedures, including if the evidence is internally or externally generated
• The rigorousness of the audit procedures, e.g., the sample sizes and the length of the audit engagement
• Quality control, e.g., the CPA firm’s system of quality control and reviews by qualified personnel outside the audit engagement team

Take Control with RiskOptics ROAR

As your company grows, you may discover that your risk tolerance shifts. After all, it is your job to operate it, and you may be more daring in some fields now than you were before. On the other hand, maintaining a record of your control, detection, inherent and residual risks can prove too strenuous for spreadsheets or traditional methods.

This is where RiskOptics ROAR can assist you. RiskOptics ROAR is a governance, risk, and compliance platform that can help you create, manage, and track your framework for risk management and corrective actions. 

RiskOptics ROAR’s risk assessment modules can provide valuable insight into areas in which your documentation falls short, allowing you to take quick action to collect the necessary evidence.

Schedule a demo and get started on the path to worry-free risk management.