Control risk is the risk that a material misstatement that could occur in an assertion will not be prevented, or detected and corrected, on a timely basis by the entity's internal control. By its very definition, this risk is a direct function of the effectiveness of an organization's internal control structure. If internal controls are well-designed and operating effectively, control risk is assessed as low. Conversely, if controls are weak or non-existent, control risk is assessed as high. The auditor's assessment of control risk directly influences the nature, timing, and extent of further audit procedures.

A. inherent risk: This is the susceptibility of an assertion to a material misstatement, assuming there are no related controls. It exists independently of the audit or internal controls.

C. detection risk: This is the risk that the auditor's own procedures will fail to detect a material misstatement. It is controlled by the auditor, not the organization's internal controls.

D. audit risk: This is the overall risk of issuing an incorrect audit opinion. While influenced by control risk, it is a composite of inherent, control, and detection risks.

1. AICPA. (2021). AU-C Section 200: Overall Objectives of the Independent Auditor and the Conduct of an Audit in Accordance with Generally Accepted Auditing Standards. In Professional Standards. Paragraph .14 defines control risk as "The risk that a misstatement that could occur in an assertion about a class of transaction, account balance, or disclosure and that could be material, either individually or when aggregated with other misstatements, will not be prevented, or detected and corrected, on a timely basis by the entity’s internal control."

2. U.S. Government Accountability Office (GAO). (2018). Government Auditing Standards (GAGAS). GAO-18-568G. Chapter 7, Paragraph 7.23, discusses the components of audit risk, stating that the risk of material misstatement is the combination of inherent risk and control risk at the assertion level.

3. MIT OpenCourseWare. (2002). 15.973: Leader to Leader. Session 7: Auditing and Corporate Governance. The lecture notes explain the audit risk model (AR = IR x CR x DR) and define Control Risk (CR) as the risk that the client's internal controls will fail to prevent or detect a material error. This directly links control risk to the internal control system's effectiveness.