Audit Risk Model: AR = IR x CR x DR

Q: When must the auditor test controls instead of performing substantive procedures only?

ISA 330.8(b) requires the auditor to test operating effectiveness of controls when substantive procedures alone cannot provide sufficient appropriate audit evidence at the assertion level. This typically arises when the entity processes a high volume of routine transactions through an automated system. For example, if an entity's revenue consists of 500,000 automated invoices per year, the auditor cannot sample enough individual invoices without some reliance on automated controls.

A senior on a retail audit set detection risk at 5% across every balance. Inventory, receivables, cash, provisions: all the same detection risk. The partner asked one question: if inherent risk on inventory is high (physical count complexity, multiple warehouses, slow-moving stock, seasonal markdowns) and the client has weak inventory controls, why would detection risk for inventory be the same as for cash, where inherent risk is low and bank reconciliations are performed daily? The model answered the question. The senior hadn’t used it.

The audit risk model (AR = IR x CR x DR) under ISA 200 .A37 breaks audit risk into inherent risk, control risk, and detection risk, requiring the auditor to set substantive procedures based on the assessed combination of IR and CR at each assertion level.

Key takeaways

What each component of the audit risk model means, with the ISA 200 and ISA 315 (Revised 2019) paragraph references
How ISA 315 (Revised 2019) changed the assessment of inherent risk with the spectrum of inherent risk ( ISA 315 .A10-A14)
How to use the model to determine the nature and extent of substantive procedures at the assertion level
Why the model matters for your file even if you never write out the formula

The model in one paragraph

ISA 200 .A37-A44 presents the audit risk model. Audit risk (AR) is the risk that the auditor issues an inappropriate opinion on materially misstated financial statements. It is a function of the risk of material misstatement (RMM) and detection risk (DR). RMM itself has two components: inherent risk (IR) and control risk (CR). The full model is AR = IR x CR x DR. The auditor cannot control IR or CR (those are properties of the entity), but can control DR by adjusting the nature and extent of audit procedures, including their timing. The lower the acceptable AR, the more work the auditor must do. The higher the combined IR and CR, the lower DR must be, which means more persuasive evidence is needed.

Inherent risk: what ISA 315 (Revised 2019) actually requires

IR is the susceptibility of an assertion about a class of transactions, account balance, or disclosure to a misstatement that could be material, before consideration of any related controls ( ISA 200 .A40). It is assessed at the assertion level, not the account level. The distinction matters: revenue as an account balance might have low IR for existence but high IR for completeness (if the entity has incentives to understate revenue for tax purposes) or for cut-off (if revenue spans reporting periods).

ISA 315 (Revised 2019) introduced the spectrum of inherent risk ( ISA 315 .A10-A14). Under the previous version, IR was assessed as high, medium, or low. Under the revised standard, the auditor assesses IR on a range from lower to higher, based on the likelihood of misstatement and its magnitude. This is not just a semantic change. The spectrum requires the auditor to consider how likely a misstatement is and how large it could be, and to position the risk assessment accordingly. A risk with high likelihood but low potential magnitude sits at a different point on the spectrum than a risk with low likelihood but catastrophic potential magnitude.

ISA 315 (Revised 2019) also identifies inherent risk factors ( ISA 315 .A222-A230) that drive the assessment. These include complexity, subjectivity, change, uncertainty, susceptibility to misstatement due to management bias, and susceptibility to misstatement due to other fraud risk factors. For each significant class of transactions, account balance, or disclosure, the auditor must assess which factors apply and how they affect IR at the assertion level.

In practice, this means your ISA 315 risk assessment working paper (WP) must show the assertion-level IR assessment for every material balance, not a single “inherent risk: medium” per account.

Control risk: when to test controls and when to skip them

Control risk is the risk that a misstatement that could occur in an assertion and that could be material will not be prevented, or detected and corrected, on a timely basis by the entity’s internal control ( ISA 200 .A40). CR is a property of the entity’s control environment. The auditor assesses it; the auditor does not determine it.

The audit risk model creates a direct link between CR and DR. If the auditor assesses CR as low (strong controls exist and are operating effectively), DR can be higher, which means less substantive testing is needed. If the auditor assesses CR as high (controls are weak, absent, or untested), DR must be lower, which means more substantive testing.

ISA 330.8 gives the auditor a choice: test controls (and rely on a lower CR assessment to reduce substantive procedures) or accept CR at maximum and perform substantive procedures only. On mid-tier engagements with smaller entities, the second option is the practical default. Testing controls takes time, and if the entity’s controls are informal or undocumented, the cost of testing often exceeds the time saved on substantive procedures.

There is one case where the auditor must test controls: ISA 330.8 (b) requires the auditor to test operating effectiveness of controls when substantive procedures alone cannot provide sufficient appropriate audit evidence at the assertion level. In practice, this almost always means the entity processes a high volume of routine transactions through an automated system. If the entity’s revenue consists of 500,000 automated invoices per year, the auditor cannot sample enough individual invoices to get comfortable without some reliance on the automated controls that process them.

The decision to test or not test controls should be documented in the planning memorandum and linked to the risk assessment. A file that assesses CR as low for a balance but contains no tests of controls for that balance has an internal inconsistency that reviewers will flag.

Detection risk: the variable you control

DR is the risk that the procedures performed by the auditor to reduce AR to an acceptably low level will not detect a misstatement that exists and that could be material ( ISA 200 .A43). It is the only component of the model that the auditor directly controls.

DR is managed through four levers. The nature of procedures: substantive analytical procedures provide different levels of assurance than tests of detail. Tests of detail using external confirmations provide different assurance than tests using internal documents. The timing of procedures: procedures performed at an interim date provide less assurance about the year-end balance than procedures performed at or near year-end ( ISA 330 .A24-A25 requires additional procedures to cover the roll-forward period). The extent of procedures: larger sample sizes reduce DR. Dual-purpose tests that combine tests of controls with substantive procedures can reduce DR efficiently when controls are strong. The unpredictability of procedures: ISA 240.30 requires the auditor to incorporate an element of unpredictability in the procedures performed, which also reduces DR for fraud.

The model makes the relationship mechanical. If the auditor accepts AR at 5%, and IR is assessed at 90% and CR at 80% (controls not tested, assessed at maximum), DR must be set at: DR = AR / (IR x CR) = 0.05 / (0.90 x 0.80) = 0.069, or approximately 7%. That 7% DR drives the sample size, the nature of procedures, and the extent of analytical procedures for that assertion.

In practice, few mid-tier firms calculate DR numerically. Most use a qualitative assessment: if combined IR and CR is high, DR is set to low, which triggers more extensive procedures. The qualitative approach produces the same outcome as the formula but is easier to document.

How the components interact on a real engagement

The model is not applied at the financial statement (FS) level. It is applied at the assertion level for each material class of transactions, account balance, and disclosure. Different assertions on the same balance can have different risk profiles.

Take trade receivables. For the existence assertion, IR may be moderate (the entity has a stable customer base) and CR may be low (the entity sends monthly statements and follows up discrepancies). DR can therefore be higher, and the auditor might rely on a smaller sample of external confirmations supplemented by subsequent receipts testing.

For the valuation assertion on the same receivables balance, IR may be high (the entity has recently expanded into a new market with untested customers, and management must estimate the expected credit loss under IFRS 9 ). CR may also be high (the entity’s provision model is new and has not been validated). DR must therefore be very low, requiring the auditor to perform detailed testing of the ECL model inputs, challenge management’s assumptions, and potentially engage a specialist.

On too many files, the risk assessment is a tick box exercise: the same IR, the same CR, the same DR copied across every balance. The model exists to prevent exactly that. Without the differentiation it forces, the auditor applies the same procedures to every assertion on every balance, which is either insufficient (for high-risk assertions) or excessive (for low-risk assertions).

Worked example: Van Leeuwen Retail B.V.

Client profile

Van Leeuwen Retail B.V. is a Dutch fashion retailer with 14 stores and an e-commerce channel. Revenue: €24M. Reporting framework: Dutch GAAP. Inventory: €3.8M (the single largest balance sheet item). Year-end: 31 December 2025.

The group engagement team applies the audit risk model to inventory at the assertion level.

Existence assertion (does the inventory physically exist?)

IR: moderate. The entity sells standard clothing items, not bespoke products. Physical counts are performed annually. The risk of ghost inventory is low, but with 14 locations, there is a risk that inventory transfers between stores are double-counted. CR: moderate. The entity uses an ERP system to track inter-store transfers, but the process relies on manual scans at the receiving store, and the prior-year audit found two instances of unrecorded transfers. DR: set to low. The auditor plans to attend physical counts at four of the 14 stores (selected based on inventory value and the inter-store transfer volume), perform roll-forward procedures from the count date to year-end, and test a sample of inter-store transfers for proper recording at both ends.

Documentation note: Record the assertion (existence), the IR assessment (moderate, citing the inter-store transfer risk), the CR assessment (moderate, citing the prior-year finding), and the DR response (low, with four store counts and transfer testing). Cross-reference to the ISA 315 risk assessment and the ISA 501 physical count plan.

Valuation assertion (is inventory stated at the lower of cost and net realisable value?)

IR: high. Fashion retail has rapid product cycles. End-of-season stock loses value quickly. The entity’s markdown policy requires management judgment about which items will sell at full price and which will be discounted. The prior-year audit identified €180,000 of slow-moving stock that management had not written down. CR: high. The entity has no formal slow-moving stock policy. Markdown decisions are made by the merchandising team without a documented framework. No automated ageing report exists. DR: must be very low. The auditor plans to obtain the full inventory ageing report, independently calculate the aged stock at risk using sell-through rates from the ERP, compare the result to management’s provision, and test a sample of 30 specific items against post-year-end sales prices to verify net realisable value.

Documentation note: Record the higher DR response: larger sample (30 items versus the standard 15 for a balance of this size), independent recalculation of the ageing, and post-year-end NRV testing. State that the higher extent of testing is a direct response to the combined high IR and high CR on the valuation assertion. Reference ISA 330.7 (b) for the linkage between assessed risk and the audit response.

Completeness assertion (is all inventory recorded?)

IR: low. The entity has no incentive to understate inventory (no loan covenants tied to inventory levels, no tax benefit from lower inventory). Goods received are processed through the ERP on arrival. CR: low. The ERP creates a goods received note automatically when the purchase order is matched. Unmatched receipts generate an exception report reviewed weekly. DR: set to moderate. The auditor plans to perform a proof-in-total analytical procedure comparing the relationship between purchases and closing inventory to prior year, incorporating sales volume data, and to test a small sample of December goods received notes to confirm recording.

Documentation note: Record the lower extent of testing (analytical procedure plus small sample). State that the moderate DR is appropriate because both IR and CR are assessed as low. The model saves time here: the same balance (inventory) gets less work on the completeness assertion than on the valuation assertion, because the risk profile is different.

The total planned inventory hours for Van Leeuwen Retail: 68 hours. Without the model, a SALY approach (same as last year, same procedures on every assertion) would have required approximately 90 hours. The model directed 22 hours of effort away from low-risk assertions and toward the valuation assertion where the risk was concentrated.

Van Leeuwen Retail inventory hours

68 vs 90

Hours planned with the audit risk model versus a SALY approach — 22 hours redirected from low-risk assertions to the valuation risk.

Practical checklist for applying the model

Assess IR at the assertion level

Assess IR at the assertion level, not the account level. Each material balance should have an IR assessment for every relevant assertion (existence, completeness, valuation, rights and obligations, presentation and disclosure). Use the ISA 315 (Revised 2019) inherent risk factors to support each assessment.

Decide whether to test controls before setting DR

If you plan to rely on controls (assess CR below maximum), you must test operating effectiveness under ISA 330.8 . If you accept CR at maximum, document that decision and plan substantive-only procedures.

Set DR inversely to combined IR and CR

High combined risk means low DR, which means more persuasive, more extensive procedures. Low combined risk means higher DR, which means less extensive procedures.

Document the linkage

For every significant assertion, the file should show: IR assessment with reasons, CR assessment with reasons (including whether controls were tested), DR level, and the specific procedures that respond to that DR level. ISA 330.28 requires documentation of the overall responses to assessed risks and the linkage of procedures to assessed risks at the assertion level.

Review the model at completion

ISA 330.25 -26 requires the auditor to conclude whether sufficient appropriate audit evidence has been obtained. If misstatements were found that were not anticipated at planning, reassess whether the original risk assessments and DR levels were appropriate.

Common mistakes reviewers flag

Quality reviewers flag files where DR is implicitly set at the same level for every assertion on every balance. This is sometimes called “flat-risk” auditing. ISA 200 .A38 makes clear that the components of AR vary at the assertion level. A file where every balance receives the same sample size and the same procedures suggests the auditor did not apply the model. Most auditors know the theory. The honest truth is that under time pressure, the risk assessment gets filled in after the testing is already done, reverse-engineering the IR and CR to justify procedures that were decided by budget, not by risk. It feels wrong when you’re doing it, and it should, because the file no longer tells you what actually happened.

Risk assessment glossary entry: Covers the ISA 315 (Revised 2019) risk assessment process, including the spectrum of IR and the inherent risk factors.
ISA 530 sampling calculator: The ciferi sampling calculator links sample size to the assessed DR level, so changes in the risk assessment flow through automatically to the planned extent of testing.
ISA 315 : risk assessment complete guide: The full ciferi ISA 315 (Revised 2019) guide, covering the identification and assessment of RMM at both the FS and assertion levels.

Related guides:

Put audit concepts into practice with these free tools:

Frequently asked questions

What is the audit risk model formula?

The audit risk model states that audit risk equals inherent risk multiplied by control risk multiplied by detection risk (AR = IR x CR x DR). ISA 200 .A37 defines audit risk as the risk that the auditor expresses an inappropriate opinion when the financial statements are materially misstated. The auditor cannot control inherent risk or control risk (those are properties of the entity), but can control detection risk by adjusting the nature, timing, and extent of audit procedures.

What changed about inherent risk under ISA 315 (Revised 2019)?

ISA 315 (Revised 2019) introduced the spectrum of inherent risk ( ISA 315 .A10–A14). Under the previous version, inherent risk was assessed as high, medium, or low. Under the revised standard, the auditor assesses inherent risk on a range from lower to higher, based on both the likelihood of misstatement and its magnitude. The standard also identifies specific inherent risk factors: complexity, subjectivity, change, uncertainty, susceptibility to management bias, and susceptibility to other fraud risk factors.

When must the auditor test controls instead of performing substantive procedures only?

ISA 330.8 (b) requires the auditor to test operating effectiveness of controls when substantive procedures alone cannot provide sufficient appropriate audit evidence at the assertion level. This typically arises when the entity processes a high volume of routine transactions through an automated system. For example, if an entity's revenue consists of 500,000 automated invoices per year, the auditor cannot sample enough individual invoices without some reliance on automated controls.

Is the audit risk model applied at the financial statement level or assertion level?

The model is applied at the assertion level for each material class of transactions, account balance, and disclosure. Different assertions on the same balance can have different risk profiles. For example, trade receivables might have moderate inherent risk for existence but high inherent risk for valuation. ISA 200 .A38 makes clear that the components of audit risk vary at the assertion level.

Do auditors need to calculate detection risk numerically?

No. In practice, few mid-tier firms calculate detection risk numerically. Most use a qualitative assessment: if combined inherent and control risk is high, detection risk is set to low, which triggers more extensive procedures. The qualitative approach produces the same outcome as the formula but is easier to document. Either approach is acceptable under the standards.