Inherent Risk

Updated July 25, 2023

Definition of Inherent Risk

Inherent risk is the variant of enterprise-level risk wherein the probability of loss is derived from the organization’s type and complexity without any potential modifications to the prevalent environment. It is one of the major components of audit risk. The audit risk comprises inherent risk, detection risk, and control risk.

Components of Inherent Risk

The components of Inherent Risk are as follows:

1. Business Type

The organization’s day-to-day business operations are a key factor that gives rise to inherent risk (IR). If it cannot cope with the dynamic environment and shows susceptibility to adaption, it increases the level of inherent risk.

2. Execution of Data Processing

Data processing is the business’s ability to employ technology and computers to transform raw data into meaningful information. The business employing poor IT infrastructure to drive and perform data processing can increase the organization’s inherent risk.

3. Complexity Level

This attribute focuses on how the business record complex transactions and activities. We assume that businesses driving highly complex work to execution and completion have a higher probability of completing them incorrectly, thus increasing the level of inherent risk. Collecting information from several subsidiaries intending to collate is a highly complex task that can result in material misstatements and create inherent risk.

4. Ignorant Management

Management that is fairly ignorant towards their subordinates and daily activities can give rise to levels of inherent risk. If not proactive, the management can always miss out on material misstatements arising in the general nature of the business, which in turn gives rise to IR.

5. Integrity of Management

A very strong and critical driver in raising the organization’s inherent risk is the low and decreased integrity of the management. A management driving unethical business could always lead to deterioration in the organization’s reputation, further leading to a loss in business and raising the level of IR.

6. Previous Results on Audits

If the audits performed by previous auditors were weak, biased, or intentionally ignored material misstatements, such scenarios can give rise to inherent risk. These events or occurrences have tendencies to reappear and repeat themselves.

7. Transactions Among Related Parties

The transactions that happen between related parties also give rise to inherent risk. There is an equal likelihood that the asset’s value in the financial deal between related entities may over or understate.

8. Misappropriation

The organization may deal with financial assets whose values are always misappropriated, with the transaction happening on biased terms. Again, this gives rise to inherent risk because of a rise in fraud.

9. Acquiring New Engagements

Whenever a firm acquires new activities, deliverables, or tasks, there is always a probability that the tasks submitted to the client may be inaccurate or wrong. This again gives rise to the level of inherent risk.

Inherent Risk Formula

An investigation performed by the auditor can only determine the level of inherent risk. The auditor can have discussions with management. He may further look into prior results on the audits performed by earlier auditors. The basis on the level of discussions and data gathering, the auditor can develop an inherent level risk matrix model.

The calculation of inherent risk can bifurcate under various broad qualitative parameters. Another method to determine the IR may involve bifurcating the activities in the organization into low risk, moderate and high risk, with each risk having some threshold number, and then multiplying the risk levels together to arrive at the IR score. The IR is always inversely proportional to the detection risk. Hence methods should develop that compute detection risk.

The IR can derive and computed using the audit risk model formula as displayed below: –

The inherent risk can also deduce by using the ratio of the risk of material misstatements and control. This can illustrate as displayed below: –

Control risk is defined as the risk which tends to surface when the internal controls in place have failed and the financial statements have missed highlighting the failures of internal controls. The audit risk corresponds to the risk that arises when material misstatements exist on the financial statements, whereas audit opinions present a fair picture. The detection risk corresponds to the risk where the auditor cannot catch material misstatements.

The risk of material misstatements corresponds to the risks borne by the unaudited financial statements. To curb material misstatements, audits of the financials become critical.

Examples of Inherent Risk

Examples of IR are given below

Example #1

A very broad example of inherent risk can be illustrated by highlighting the nature of the technology business. The technology business operates in a dynamic and ever-changing environment. The lifecycles of products developed by them always remain short.

The IR rises if the technology business does not adapt to a dynamic environment and innovate on new products. Hence, each technology business has its own research and development wing, developing new products and curbing IR.

Example #2

The Financial service business has released unaudited financial statements. Such financial statements may be composed of forward-looking numbers yet to be materialized. These forward-looking numbers may be based on bias, judgments, and estimates of the management. It may hide substantial information impacting users of the financial statements, resulting in inherent risk.

To reduce inherent risk, the management should release a broad advisory that these numbers are just approximations and should be utilized to clarify among internal stakeholders.

Example #3 – Practical Application

In the recent US financial crisis of 2007-2008, collateralized debt obligations were used. Each tranche of CDO had variable quality and was repetitively repackaged to the investors. The financial transactions were so complex that they were difficult for financial experts and analysts to comprehend. The complexity of transactions gave rise to the IR.

Important Points

1. The inherent risk is directly related to the volume and the complexity of business transactions.
2. If the volume and complexity are adverse and high, they can give rise to high inherent risk.
3. They are additionally prone to subjective estimates with zero groundwork.
4. It also rises with the quick changes in accounting policies within a short span of time.

Conclusion

The audit risk model comprises three broad risks: inherent risk, control risk, and detection risk. The auditor is responsible for assessing past audited results, conducting investigations, and engaging in comprehensive discussions with the management at all levels of the organization to comprehend the nature of the business and the results achieved by the organization. However, this process is susceptible to inherent risk. The IR could only be reduced if there is timely detection of material misstatements by the auditor.

Recommended Articles

This is a guide to Inherent Risk. Here we discuss the Introduction and Examples of IR and Components of Inherent Risk. You can also go through our other suggested articles to learn more –

1. Risk Assessment Example
2. Risk Management in Banks – Introducing Awesome Theory
3. Risk Management Process
4. Equity Ratio