Updated July 25, 2023
Definition of Inherent Risk
Inherent risk is the variant of enterprise-level risk wherein the probability of loss is derived from the organization’s type and complexity without any potential modifications to the prevalent environment. It is one of the major components of audit risk. The audit risk comprises inherent risk, detection risk, and control risk.
Components of Inherent Risk
The components of Inherent Risk are as follows:
1. Business Type
The organization’s day-to-day business operations are a key factor that gives rise to inherent risk (IR). If the business cannot cope with a dynamic environment and struggles to adapt, the level of inherent risk increases.
2. Execution of Data Processing
Data processing is the business’s ability to employ technology and computers to transform raw data into meaningful information. A business that relies on poor IT infrastructure to drive and perform data processing can increase its inherent risk.
3. Complexity Level
This attribute focuses on how the business records complex transactions and activities. We assume that businesses carrying out highly complex work have a higher probability of completing it incorrectly, which increases the level of inherent risk. Collecting information from several subsidiaries in order to collate it is a highly complex task that can result in material misstatements and create inherent risk.
4. Ignorant Management
Management that pays little attention to its subordinates and daily activities can raise the level of inherent risk. If it is not proactive, management can miss material misstatements arising in the general nature of the business, which in turn gives rise to IR.
5. Integrity of Management
A very strong and critical driver of the organization’s inherent risk is low or declining integrity of the management. Management that runs the business unethically can damage the organization’s reputation, which leads to a loss in business and raises the level of IR.
6. Previous Results on Audits
If the audits performed by previous auditors were weak, biased, or intentionally ignored material misstatements, such scenarios can give rise to inherent risk. These events or occurrences have tendencies to reappear and repeat themselves.
7. Transactions Among Related Parties
Transactions between related parties also give rise to inherent risk. There is an equal likelihood that the asset’s value in a financial deal between related entities may be overstated or understated.
The organization may deal with financial assets whose values are always misappropriated, with the transaction happening on biased terms. Again, this gives rise to inherent risk because of a rise in fraud.
9. Acquiring New Engagements
Whenever a firm acquires new activities, deliverables, or tasks, there is always a probability that the tasks submitted to the client may be inaccurate or wrong. This again gives rise to the level of inherent risk.
Inherent Risk Formula
The level of inherent risk can only be determined through an investigation performed by the auditor. The auditor can have discussions with management and may also look into the results of audits performed by earlier auditors. Based on these discussions and the data gathered, the auditor can develop a matrix model of the inherent risk level.
The calculation of inherent risk can be broken down under various broad qualitative parameters. Another method to determine the IR may involve dividing the activities in the organization into low, moderate, and high risk, with each risk level having some threshold number, and then multiplying the risk levels together to arrive at the IR score. The IR is always inversely proportional to the detection risk. Hence, methods should be developed that compute detection risk.
The IR can be derived and computed using the audit risk model formula, as displayed below:
The inherent risk can also be deduced by using the ratio of the risk of material misstatements to control risk. This can be illustrated as displayed below:
Control risk is defined as the risk that surfaces when the internal controls in place have failed and the financial statements have not highlighted the failures of those controls. The audit risk corresponds to the risk that material misstatements exist in the financial statements while the audit opinion states that they present a fair picture. The detection risk corresponds to the risk that the auditor cannot catch material misstatements.
The risk of material misstatements corresponds to the risks borne by the unaudited financial statements. To curb material misstatements, audits of the financials become critical.
Examples of Inherent Risk
Examples of IR are given below:
A very broad example of inherent risk can be illustrated by highlighting the nature of the technology business. The technology business operates in a dynamic and ever-changing environment. The lifecycles of products developed by them always remain short.
The IR rises if the technology business does not adapt to a dynamic environment and innovate on new products. Hence, each technology business has its own research and development wing, developing new products and curbing IR.
A financial services business has released unaudited financial statements. Such financial statements may be composed of forward-looking numbers that are yet to materialize. These forward-looking numbers may be based on the bias, judgments, and estimates of the management. They may hide substantial information that affects users of the financial statements, resulting in inherent risk.
To reduce inherent risk, the management should release a broad advisory that these numbers are just approximations and should be used for clarification among internal stakeholders.
Example #3 – Practical Application
In the recent US financial crisis of 2007-2008, collateralized debt obligations were used. Each tranche of CDO had variable quality and was repetitively repackaged to the investors. The financial transactions were so complex that they were difficult for financial experts and analysts to comprehend. The complexity of transactions gave rise to the IR.
- The inherent risk is directly related to the volume and the complexity of business transactions.
- If the volume and complexity are adverse and high, they can give rise to high inherent risk.
- They are additionally prone to subjective estimates with zero groundwork.
- It also rises with the quick changes in accounting policies within a short span of time.
The audit risk model comprises three broad risks: inherent risk, control risk, and detection risk. The auditor is responsible for assessing past audited results, conducting investigations, and engaging in comprehensive discussions with the management at all levels of the organization to comprehend the nature of the business and the results achieved by the organization. However, this process is susceptible to inherent risk. The IR could only be reduced if there is timely detection of material misstatements by the auditor.