Control risk is a type of risk that reflects the probability that an entity’s financial statements would be experience material misstatement due to flawed internal controls applied by the entity. Failure in internal controls (weak or non-existent controls) may give room for occurrence of error or fraud as to an assertion and that could be material, either on an individual basis or in combination with other misstatements. If such errors or fraud situations are not prevented or detected on a timely basis or pre-emptively by internal controls, a control risk arises. Therefore, control risk is perceived as a function of the effectiveness of the design and operation of internal controls: the more effective these controls, the lesser the control risk, and vice versa.

On the other hand, inherent risk is the risk that arises from an error, omission or misstatement in a financial statement due to an inherent factor (other than a failure of internal control). A financial statement is said to be exposed to inherent risk if it is probable that it would become defective due to error, omission, or misstatement, associated with factors beyond the reach of internal controls. Generally, inherent risk is the natural risk associated with a process that has not been subject to mitigation or control by means of risk management. In accounting, it indicates the probability of any material misstatements in financial reporting instigated by non-intervention factors.

Both control risk and inherent are components of the risk of material misstatement at the assertion level (audit risk). Inherent risk is assessed by auditors and analysts when reviewing financial statements. While control risk arises in the case of a financial misstatement caused by a lack of proper accounting controls in an entity.