First: Let’s think about each of the components of the audit risk model. The auditor selects the overall audit risk they are will to accept, assesses inherent and control risk at the account (or account group) level, and calculates planned detection risk at the account
(or account group) level.
Audit Risk (AR) is the probability that the auditor issues a clean opinion when the financial statements are materially misstated. Note that acceptable level of audit risk is the same across all accounts or account groups. The auditor chooses what overall level of audit risk they are willing to accept. A higher level of audit risk means that the auditor is willing to accept more audit failures. 1% audit risk means that you are willing to accept that 1 out of 100 issued audit opinions will be incorrect. 5% audit risk means that you are willing to accept that 5 out of 100 issued audit opinions will be incorrect. So, the higher the audit risk you are willing to accept, the less audit work you have to perform. Audit risk and audit work are inversely related.
Inherent Risk (IR) is the susceptibility of a particular transaction to be recorded in error.
For example, revenue recognition related to software transactions is more inherently risky that revenue recognized at a point of sale transaction at a grocery store. In this example
(all else constant), you would assign your software company client revenue accounts higher inherent risk than your grocery store client, due to the inherent difficulty in software revenue recognition. Higher inherent risk, all else constant, leads to more audit work. Inherent risk and audit work are directly related. Stated more specifically, if the inherent riskiness of one set of accounts is higher than another set of accounts, the auditor must increase the amount of testing done to achieve the given level of audit risk.
Control risk (CR) is the risk that the company’s internal control system will fail to