The Audit Risk Model: Your First Step in Risk Assessment

The audit risk model is the foundation of any audit. This might seem like CPA 101, but are you correctly applying it to your engagements?



In doing so, your first consideration is your client’s risk of material misstatement (RMM), which is made up of inherent risk and control risk. As a reminder, inherent risk is the risk of material misstatement assuming no related controls, while control risk is the risk that your client’s controls won’t prevent or detect and correct a material misstatement. So how do you apply this to your audit?

Understand your client and its environment

Because RMM drives your audit planning and procedures, your first step in applying the audit risk model is to obtain an understanding of your client and its environment. You should consider the nature of your client’s business, external factors that impact it, and how the organization measures and reviews its financial performance. This includes:

  • Nature of the client – Make sure to think about business operations, investment and financing activities, and financial reporting.
  • External factors – Consider industry conditions, the regulatory environment, and government policies. How competitive is your client’s industry? How easy is it to enter? What are its revenue characteristics? How quickly do products change?
  • Organization strategies – How does your client address these external factors?
  • Financial performance – Consider your client’s financial performance, including key ratios and operating statistics; key performance indicators; employee performance measures and incentive compensation policies; trends, forecasts, budgets, variance analysis, and competitor analysis; and period-on-period financial performance (revenue growth, profitability, and leverage).

With each of these areas, make sure to document the steps you took to gain an understanding, any changes to your understanding of the client from previous years, the risks identified, and whether they are significant.

Understand your client’s internal control

Your next step in applying the audit risk model is to obtain an understanding of your client’s internal control. You’ll want to know what controls (either individually or in combination) are in place, if they are designed properly to meet their objective, and if they have been implemented. Make sure to consider the following:

  • Control environment: What are management’s attitudes and actions related to internal control? How much emphasis do they put on achieving reliable financial reporting?
  • Control activities: For all material classes of transactions, account balances, and disclosures, you’ll need to identify the relevant assertion(s), control objective, key controls, whether the control’s design is effective or ineffective, and whether the control is properly implemented.
  • Your client’s risk assessment, information and communication, and monitoring: While smaller entities may not have well-documented controls or procedures in these areas, they likely still have some controls in place. For example, does the owner review financial results on a monthly basis?

Again, you’ll want to document your understanding of your client’s internal control, including the control environment. Then document the steps you took to understand it, any changes over the previous period, and all identified risks.

Use RMM to drive detection risk

Based upon your assessment of RMM, you’ll determine the nature, timing, and extent of your audit procedures. For example, if you determine that your client has low inherent and control risks at the assertion level, you might accept a high level of detection risk and thus use less rigorous substantive tests (i.e., analytical procedures or tests of details). On the other hand, if your client’s inherent and control risks are moderate to high, you would plan more rigorous substantive tests in order to obtain more persuasive audit evidence about the assertion as part of your audit.

The key to using RMM to drive detection risk is to remember that the nature, timing, and extent of the further audit procedures you plan need to be responsive to the RMM identified.

The audit risk model is the basis for any audit. For a step-by-step guide to help you apply it to your engagements, download our free Audit Risk Assessment Tool, listen to the latest podcast episode from the Small Firm Philosophies series on risk assessment, and check out other resources on the AICPA risk assessment resources page.


This blog post first appeared on the AICPA’s website. It is the third in a series on risk assessment, a significant audit quality issue. View the first blog post here and the second here.

Bob Dohrer, CPA, is Chief Auditor at the AICPA. Bob previously served as the Global Leader – Quality & Risk for RSM between 2012 and 2018, where he had overall responsibility for the network’s audit and other attest services policies, procedures and guidance. He was also responsible for overseeing RSM’s global quality inspection programs in accordance with International Standards on Quality Control.

See inside May 2019
