Inherent Risk vs. Control Risk: What’s the Difference?

Published February 27, 2020 | 5 min read

Inherent risk and control risk are two of the three parts of the audit risk model, which auditors use to determine the overall risk of an audit.

Inherent risk is the risk of a material misstatement in a company’s financial statements without considering internal controls.

Control risk is the chance of a material misstatement in a company’s financial statements because there aren’t any relevant internal controls to mitigate a particular risk or the internal controls in place malfunctioned. 

There is a distinct difference between inherent risk and control risk. The inherent risk stems from the nature of the business transaction or operation without the implementation of internal controls to mitigate the risk. Control risk arises because an organization doesn’t have adequate internal controls in place to prevent and detect fraud and error. 

Every business transaction has either a high, medium or low risk that companies should mitigate via internal controls. However, just implementing an internal control system isn’t good enough. 

An organization must also establish periodic reviews to ensure the continued success of the system to effectively identify and mitigate risks. An organization has to review its internal control system annually and update the internal controls.

The third component of the audit risk model is detection risk, which is the risk that the auditors won’t detect a material misstatement in an organization’s financial statements. 

Audit risk is the risk that a company’s financial statements are materially incorrect, even though the auditors state that the financial statements don’t contain any material misstatements. 

The following are examples of auditors’ opinions that are inappropriate:

  • Providing an unqualified audit report although the qualification is reasonably justified
  • Issuing a qualified audit opinion although the qualification isn’t necessary
  • Not calling attention to a significant issue in the audit report

Audit risk is usually considered as the product of the various risks that auditors may find when they conduct audits. That is, audit risk = inherent risk × control risk × detection risk.

The purpose of an audit is to cut the audit risk to an acceptable level. During an audit, the auditors examine the inherent and control risks pertaining to that audit while also gaining an understanding of the company and its environment.

Consequently, auditors have to do a risk assessment of each component of audit risk and ensure the accuracy of the information in the financial statements. Since investors, creditors, and others depend on the financial statements, audit risk may carry legal liability for a CPA firm that conducts the audits.

Explaining the three elements of audit risk

Inherent risk

Inherent risk is looked at as untreated risk, i.e., the natural level of risk that’s inherent in a business process or activity before the company implements any processes to reduce the risk. This is the amount of risk before a company applies any internal controls. 

One of the key factors that bring about inherent risk is the way a company conducts its day-to-day operations. A company that can’t cope with a rapidly changing business environment, and shows that it’s not able to adapt, raises its level of inherent risk.

Another issue that could increase the level of inherent risk is the way a company records complex transactions and activities. A company collecting data from several subsidiaries with the intention of combining that information later is considered to be engaging in complex work, which could contain material misstatements and give rise to inherent risk.

In addition, inherent risk can be increased because of the lack of integrity of a company’s management. For example, leadership that engages in unethical business practices could negatively affect the company’s reputation, leading to a loss of business and increasing the level of inherent risk.  

Another situation that could give rise to inherent risk involves audits performed by previous auditors. Audits that were weak or biased, or audits in which auditors intentionally ignored material misstatements, could increase the level of inherent risk.

Transactions between related entities could also increase the level of inherent risk. That’s because there’s a chance that the value of the asset involved in any financial deal between the related parties might be overstated or understated.

A company can mitigate inherent risk by implementing internal controls. 

Control Risk

Control risk is the chance that financial statements are materially misstated because of failures in a company’s system of internal controls.

If there is a major control failure, an organization will probably suffer undocumented asset losses, i.e., its financial statements might report a profit although there’s really a loss.

An organization’s leadership is responsible for designing, implementing, and maintaining a system of internal controls that can adequately prevent the loss of assets. However, it’s not easy for a company to maintain a solid system of internal controls. To maintain a solid system of internal controls, management has to alter the system periodically to fit ongoing changes in the business.

Control risks happen because of the limitations of a company’s internal control system. If the internal control system isn’t reviewed periodically, it will likely lose its effectiveness over time. Management should review the internal control system annually and update the internal controls.

The following elements increase control risk:

  • There’s no segregation of duties.
  • Documents are approved without management review.
  • Transactions aren’t verified.
  • The supplier selection process isn’t transparent.

Companies should decide what type of internal controls to implement for each risk based on the likelihood that the risk will occur and the amount of financial loss if the risk does occur.

The likelihood and the impact of a risk can be high, medium, or low. A company that thinks it’s highly likely that a certain risk will occur and cause significant financial loss should implement highly effective internal controls. 

Companies develop internal controls to manage areas that are inherently risky. An organization might implement internal controls to decrease the risk that payables are understated. 

Examples of such internal controls include:

  • The chief financial officer reviews the payables details at the end of each period and determines if the list is complete.
  • The payables manager reviews all the invoices that are entered into the payables system.
  • The payables manager asks all payables clerks about any invoices that are unprocessed at the end of the period.
  • Department heads review the budget-to-actual report.

Inherent risk exists independent of internal controls. Control risk exists when the design or operation of a control doesn’t eliminate the risk of a material misstatement. 

But even after a company implements the required internal controls, there’s no guarantee that the risk can be removed entirely. As such, part of the risk might remain. This type of risk is known as residual risk, as it is the risk that remains after the company implements the internal controls.

Detection Risk

Detection risk is the risk that the auditors’ procedures are unable to detect any material misstatements in a company’s financial statements.

An auditor uses the audit risk model to understand the relationship between the detection risk and the other audit risks, i.e., inherent risk, control risk, and the overall audit risk, enabling the auditor to determine an acceptable level of detection risk.
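As an added worked equation (not part of the original article; the numeric values are assumed for illustration), the model is rearranged to solve for the detection risk the auditor can accept:

$$\text{AR} = \text{IR} \times \text{CR} \times \text{DR} \quad\Rightarrow\quad \text{DR} = \frac{\text{AR}}{\text{IR} \times \text{CR}}$$

Assume the firm sets a target audit risk of $\text{AR} = 0.05$ and assesses $\text{IR} = 0.80$ and $\text{CR} = 0.50$:

$$\text{DR} = \frac{0.05}{0.80 \times 0.50} = 0.125$$

If controls are instead assessed as weak, say $\text{CR} = 0.80$, the acceptable detection risk falls:

$$\text{DR} = \frac{0.05}{0.80 \times 0.80} \approx 0.078$$

A lower acceptable detection risk means the auditor must rely more on substantive procedures (larger samples, more externally generated evidence) to keep overall audit risk at the target.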

Although detection risk can’t be eliminated totally, the auditor can manage it by modifying certain factors, including:

  • The makeup of the engagement team, e.g., the competence and skill of the auditors and the size of the engagement team
  • The types of audit procedures, e.g., the degree of substantive procedures compared to the tests of internal controls, the evidence collection procedures, including if the evidence is internally or externally generated
  • The rigorousness of the audit procedures, e.g., the sample sizes and the length of the audit engagement
  • Quality control, e.g., the CPA firm’s system of quality control and reviews by qualified personnel outside the audit engagement team

Inherent risk and control risk are important concepts in risk management. By nature, business actions are subject to various risks that can diminish the positive effects that they can bring to a company. 

The key difference between inherent risk and control risk is that inherent risk is the raw or untreated risk, i.e., the natural level of risk that’s inherent in a business activity or process without implementing any internal controls to reduce the risk. Control risk, on the other hand, is the likelihood of loss stemming from the malfunction of the relevant internal controls a company implements to mitigate risks or the absence of those relevant internal controls altogether.
