The Audit Risk Model Explained: AR = IR × CR × DR

If there is one model that quietly powers a third of the AUD exam, it's this one. The audit risk model shows up directly in risk-assessment questions, and indirectly in almost every question about evidence, procedures, and timing. Candidates who memorize it as a formula get the easy questions; candidates who understand it as a logic get the hard ones too. This article aims for the second group.

The Model

Audit Risk (AR) = Inherent Risk (IR) × Control Risk (CR) × Detection Risk (DR)

• Audit risk (AR) — the risk that the auditor expresses a clean opinion on financial statements that are materially misstated. The auditor chooses how low this must be (always low), and holds it there.
• Inherent risk (IR) — the susceptibility of an assertion to material misstatement before considering controls. Complex estimates, judgment-heavy balances, and transactions with related parties carry high inherent risk by nature.
• Control risk (CR) — the risk that the client's internal control fails to prevent or detect a material misstatement on a timely basis.
• Detection risk (DR) — the risk that the auditor's own procedures fail to detect a material misstatement that exists.

The One Distinction That Decides Most Questions

IR and CR belong to the client. The auditor assesses them but cannot change them — they exist whether or not an audit ever happens. Together they form the risk of material misstatement (RMM = IR × CR). DR belongs to the auditor — it's the only lever the auditor controls, and it's adjusted by changing the nature, timing, and extent of substantive procedures.

That ownership split produces the inverse relationship the exam loves: AR is fixed at a low level, so when RMM goes up, the auditor must drive DR down to compensate. Lower acceptable detection risk means more audit work: more effective procedures (nature), performed closer to year-end (timing), on larger samples (extent).

A Worked Example

Your client books large revenue accruals based on management estimates (judgment-heavy → high IR). During walkthroughs you find that the review control over those accruals isn't operating (high CR). RMM for the revenue assertion is now high. Since audit risk must stay low, acceptable DR collapses — and your plan responds on all three dials: nature (independent recalculation and external confirmation instead of inquiry and analytics), timing (move testing from interim to year-end), and extent (bigger samples, lower testing thresholds).

Every hard exam question in this area is some rearrangement of that story: they give you a change in IR or CR and ask what happens to DR or to the procedures. Translate the story into the model, and the answer falls out.

Trap Patterns to Watch For

• “The auditor reduces inherent risk by…” — never true. The auditor assesses IR and CR; only the client can change them. Any answer where the auditor “controls” or “reduces” IR or CR is wrong.
• Confusing direction. “Acceptable detection risk decreases” means more work, not less. If you flip this under time pressure, anchor on the phrase: low DR = low tolerance for missing things = dig deeper.
• Audit risk treated as a result. AR isn't computed at the end — it's set low up front, and the equation is solved for DR.
• Sampling crossovers. Lower acceptable DR → larger substantive samples. The exam likes to test the model through sample-size questions without ever naming it.

Where to Practice This

The model is taught in full — with concept cards, key terms, and practice MCQs — in topic A6: Risk Assessment and Materiality of our free AUD study guide. The related evidence-response side lives in A8: Audit Evidence and Documentation. After the lessons, the AUD Trainer's Risk Master boss battle tests exactly this area at the 80%+ level the exam expects.