SYNOPSIS: In recent years, auditors have reported on the effectiveness of internal control, usually as part of integrated audits. The audit risk model currently in auditing standards was designed for financial statement audits, not internal control audits—a key part of integrated audits. Because the audit of processes (internal control) is conceptually different from the audit of outputs (financial statements), the auditor needs a different risk model to provide a conceptual framework for internal control audits. The model I propose1 provides the auditor a method to determine the appropriate nature, timing, and extent of testing in an integrated audit. My model is focused on the risk of material weakness, rather than the risk of material misstatement. I also show how the auditor would use two different models in an integrated audit.