All organizations in all industries face a certain amount of inherent risk. Inherent risk is the amount of risk that exists when some threat goes untreated or unaddressed. This also means that the less an organization tries to manage risk, the more inherent risk it has.

Auditors analyze inherent risk as part of their effort to assess the risk of material misstatement in financial reporting or the risk of non-compliance with regulatory obligations. They also analyze control risk, which is the risk that a control you put in place to reduce inherent risk won’t work. An understanding of inherent risk is crucial for organizations as they build systems of internal control to keep the organization’s risks at acceptable levels.

What Are the Components of Inherent Risk?

Inherent risk is an assessed level of raw or untreated risk. It is the natural level of risk inherent in a process before applying controls to prevent and mitigate the risk. Inherent risk should not be confused with residual risk. Residual risk is the level of risk that remains after implementing a set of controls to reduce the inherent risk.

Inherent risk has several components that auditors can use to identify potential risks, the probability of occurrence, and the potential impacts. These are:

Business Type

How the company conducts its day-to-day business operations is a primary factor for inherent risk. The amount of inherent risk increases if the organization displays an inability to adapt to external factors and cannot cope with a dynamic environment.

Execution of Data Processing

Data processing refers to a company’s capacity to use technology and computers to convert raw data into usable information. When a company uses weak IT infrastructure to drive and analyze data, that increases its inherent risk.

Complexity Level

This characteristic focuses on how a company records complicated transactions and operations. A company that performs highly complex work will usually also have a higher chance of completing the work improperly, increasing the amount of inherent risk.

For example, gathering information from multiple subsidiaries to report them at a single, globally level is a highly complicated task that may contain significant misstatements. That can drive up inherent risk.

Poor Management

Management that is oblivious to the everyday actions of employees can increase the levels of inherent risk. If leadership is not engaged, significant errors emerging from general operation of the business may be missed, giving rise to inherent risk.

Integrity of Management

Poor integrity of management is a decisive factor resulting in inherent risk. A senior management team pushing unethical business practices will continually degrade the organization’s reputation and its ability to meet regulatory compliance obligations, leading to a loss of business and raising the inherent risk.

Previous Results on Audits

If past audits were inadequate, discriminatory, or purposefully disregarded serious misstatements, such events might introduce inherent risk. These incidents or events tend to recur.

Transactions Among Related Parties

Transactions among related parties are likewise fraught with inherent risk because of the potential for conflicts of interest. Checks and balances are diminished, and there is an increased risk of misstatement in financial transactions or the risk of other regulatory compliance violations (say, corruption).

What Is Inherent Risk in Auditing?

Inherent risk in auditing is the risk of a material misstatement in financial statements because of something other than the failure of internal and related controls.

In addition, inherent risk is widespread in accounts with complex financial instruments or when leadership makes many approximate calculations or value judgments. As such, auditors will likely need to interview a company’s leaders about the estimation techniques to reduce errors.

When reviewing financial statements, an auditor uses inherent risk, control risk, and detection risk to assess the risk of material misstatement.

Audit Risk = Inherent Risk * Control Risk * Detection Risk

From this formula, it is also possible to identify the inherent risk formula as follows:

Inherent risk = Audit Risk / (Control Risk * Detection Risk)

The inherent risk can also be calculated by dividing the risk of a material misstatement by the control risk:

Inherent Risk = Risk of Material Misstatements / Control Risk

Accounting firms use this material misstatement risk assessment to develop audit procedures for the associated accounts.

The audit risk model determines the total risk associated with an audit and then describes the appropriate risk management strategies. Audit risk is the risk of error as auditors conduct an audit and develop their audit opinion.

Auditors use the audit risk model to manage the overall risk of an audit. An auditor first looks at the inherent risk and the control risk that is related to performing the audit, while at the same time learning about the organization and its culture.

If the auditor’s risk assessment determines that the inherent and control risks are high, then the auditor can set the detection risk to a lower level. A lower detection risk level will keep the audit’s overall risk reasonable.

For example, the auditor can increase the audit’s testing sample size to decrease the detection risk. On the other hand, if the auditor determines that inherent risk and control risk are low, he or she can set the detection risk higher.

Control Risk

This risk is due to the lack of internal controls or the failure of existing internal controls, resulting in material financial misstatements. The main difference between control and inherent risk lies in how the risk is assessed.

Control risks assess the risk after the risk controls have been applied. Here, auditors focus on the chance that the controls will fail or be insufficient to prevent the risk, rather than the likelihood of the initial risk occurring after it has been mitigated.

For example, there is a control risk of fraudulent behaviors if duties have not been sufficiently segregated. On the other hand, residual risk remains even if segregation of duties is implemented to a reasonable extent; a group of employees might collude to override internal controls. This is a tricky differentiation, so having experienced and objective auditors is valuable.

Detection Risk

This is the risk that the auditor won’t discover a material misstatement in the financial statements. An organization may desire to lower detection risks for sensitive financial figures and processes prone to errors. Detection risks can be reduced by increasing the audit frequency and sample sizes.

For example, an organization’s financial statements are audited by a Certified Public Accounting (CPA) firm. The firm’s accountants have previously worked with the company and highlighted concerns to top management about a lack of internal controls over the financial information within the payroll process.

The accounting firm will rate the control risk in this area as high going into this year’s audit. In addition, the company payroll system might be manual and complicated, requiring a significant amount of human input from the payroll clerk. These factors also raise the inherent risk.

Because both the inherent and the control risks are high, the detection risk – the chance of the auditor overlooking major issues – must be reduced substantially by increasing audit sampling and the rigor of auditing standards.

Examples of Inherent Risk

The volatile and ever-changing environment of the technology industry exhibits a broad example of inherent risk. Inherent risk will grow for a company that does not adapt to evolving market needs and develops new goods. As a result, technology companies have their own research and development departments to create new products and control inherent risk.

Another example can be found in the financial service industry if a company released an unaudited financial statement with forward-looking figures yet to be achieved. Management’s biases and judgment influence these forward-looking data. To limit the inherent risk, management must clearly warn stakeholders that these figures are only estimates.

Inherent risks also exist within the retail industry. With the rise of social media, organizations no longer have complete control over their messaging. A single unfavorable post online could be disastrous for your business. Given the vast number of client touchpoints, the inherent risk that your brand’s reputation (and revenue) could be harmed is rather significant.

Manage Inherent Risk with ZenRisk

As your business grows, you’ll find that your risk tolerance varies. After all, running a business is your job, and you may be bolder in certain areas now than you were a year ago. Still, keeping track of your inherent, control, detection, and residual risks may be too tricky for spreadsheets or traditional approaches.

That’s where Reciprocity ZenRisk can help you. ZenRisk can assist you in establishing, managing, and tracking your risk management framework and corrective tasks. The risk assessment modules in ZenRisk give significant insight into where your measures are lacking, enabling you to take immediate action.

Workflow management features offer easy tracking, automated reminders, and audit trails. The ZenConnect feature enables integration with popular tools, such as Jira, ServiceNow, and Slack, ensuring seamless adoption within your enterprise.

The platform provides an intuitive user experience mixed with extensive automation and analytics to further simplify the majority of the process.

Schedule a demo and get started on the path to worry-free risk management.

How to Approach Inherent
Residual Risk