What is Inherent Risk?

Published January 2, 2020 • 2 min read

Inherent risk in financial and managerial accounting is the risk of a material misstatement in a company’s financial statements because of something other than the failure of internal controls.

Inherent risk is widespread in all industries. This is especially true if an organization doesn’t have an internal audit department or its audit department doesn’t have an oversight committee with a background in finance.

Inherent risk is an assessed level of raw or untreated risk, i.e., the natural level of risk inherent in a process before applying mitigating controls. In contrast, residual risk is the remaining level of risk following the implementation of controls.

In addition, inherent risk is particularly common in accounts with complex financial instruments or leadership makes a lot of approximate calculations or value judgments. As such, auditors will likely have to interview a company’s leaders about the estimation techniques to reduce errors. 

When reviewing financial statements, an auditor uses inherent risk along with control risk and detection risk to assess the risk of material misstatement. 

Audit risk = the inherent risk x the control risk x the detection risk. 

Accounting firms use this material misstatement risk assessment to develop audit procedures that they apply to the associated accounts.

The audit risk model determines the total amount of risk associated with an audit and describes the appropriate risk management strategies. Audit risk is the risk of error while auditors are conducting an audit. 

Audit risk consists of inherent risk as well as control and detection risk:

  • Control risk: This risk is due to the lack of internal controls or the failure of existing internal controls, resulting in financial misstatements.
  • Detection risk: This is the risk that the auditor won’t uncover a material misstatement in the financial statements.

Auditors use the audit risk model to manage the overall risk of an audit. An auditor first looks at the inherent risk and the control risk that are related to performing the audit while at the same time learning about the organization and its culture.

If the auditor’s risk assessment determines that the inherent risk and the control risk are high, then the auditor can set the detection risk to a lower level. This will keep the audit’s overall risk at a reasonable level. To decrease the detection risk, the auditor can increase the audit testing’s sample size. However, if the auditor determines the inherent risk and the control risk are low, he can set the detection risk at a higher level.

Related Content

Learn how we can fit into your business.

Schedule a demo to learn how we can help guide your organization to confidence in infosec risk and compliance.

Help us get to know you.

Get a demo