What is Inherent Risk?
Inherent risk refers to the natural risk level in a process that has not been controlled or mitigated in risk management. In accounting, inherent risk indicates the probability of any material misstatements in financial reporting caused by factors other than an internal control failure.
- In risk management, inherent risk is the natural risk level without using controls or mitigations to reduce its impact or severity.
- Risk control procedures can lower the impact and likelihood of inherent risk, and the remaining risk is known as residual risk.
- In accounting, inherent risk is one of the audit risks that measures the possibility of a material financial misstatement caused by factors beyond internal control.
Inherent Risk in Risk Management
Inherent risk comes with diverse meanings in different areas. In risk management, it represents the risk level that exists without controls or mitigations in place. It can be measured by two factors – impact and likelihood. Inherent impact measures the impact of an event on a company or organization when it occurs as there are no mitigation actions. Inherent likelihood measures the possibility for an event to take place in the absence of risk control.
Inherent Risk vs. Residual Risk
Risk management or risk control approaches are supposed to reduce both the impact and likelihood of inherent risk. Typically, risks cannot be eliminated completely, and the level of risk that remains after undertaking all controls and treatments is known as residual risk.
Compared with inherent risk, residual risk is lower in both the impact of an event on the organization and the likelihood for the event to take place. Residual risk should be controlled within the range of a company’s risk appetite as the inherent risk is often beyond acceptable. If the inherent risk level’s already been able to meet the risk appetite, treatment and control will not be required.
Inherent Risk in Accounting
In accounting, the concept of inherent risk is often used in financial audits. It refers to the risk that a material mistake, such as an omission or error, appears in a company’s financial statements due to non-internal-control reasons. Inherent risk is one of the risks that auditors must evaluate while conducting the examination.
Inherent risk is embedded in a business and its transactions regardless of the mitigation through internal control. The more complex a company’s business model and transactions are, the higher the inherent risk is. Companies in highly regulated industries also face greater inherent risk.
Inherent risk is particularly high in certain sectors, and the financial services sector is a prominent example. Financial institutions such as banks are highly regulated, and the regulations are complex and always changing. The wide span of networks between financial institutions and client companies, as well as a large variety of financial derivatives, further increases the complexity of the operation and transactions. All the said reasons lead to the notably higher inherent risk in financial services than in other sectors.
Other Audit Risks
The other two components of audit risk are control risk and detection risk. Control risk measures the possibility of material financial misstatements because of internal control failure. Companies implement internal controls to prevent fraud and ensure accounting integrity. However, the internal control procedures may not be sufficient or effective to eliminate these misstatements. Some procedures might be missing or malfunctioning. Control risk and inherent risk together are known as the risk of material misstatement (RMM).
Detection risk refers to the risk when an auditor fails to identify a material financial misstatement. Since companies usually engage in tons of transactions every year, it is impractical for auditors to go through every one of them. Auditors often sample certain types of transaction records for examination. Given the nature of the audit procedure, detection risk always exists, but different from the other two risks, it can be lowered by improving the audit procedure.
Targeted audit selections and increasing sample sizes are some of the approaches. When the risk of material misstatements (inherent risk and control risk) is high, an auditor can try to control the overall audit risk at a reasonable level by lowering the detection risk.
Thank you for reading CFI’s guide to Inherent Risk. To keep learning and advance your career, the following resources will be helpful: