Control risk is the material misstatement that would not be prevented, detected, or corrected by the accounting and internal control systems.
What is Control Risk?
Control risk is the possible misstatement in an assertion about a transaction, account balance, or disclosure; that could be material, either individually or when aggregated with other misstatements, which the internal control process will not detect, prevent, and correct on time.
International Auditing and Assurance Standards Board (IAASB) and International Standards on Auditing (ISA) define the control risk as;
“The risk that a misstatement that could occur in an assertion about a class of transaction, account balance or disclosure and that could be material, either individually or when aggregated with other misstatements, will not be prevented, or detected and corrected, on a timely basis by the entity’s internal control.”
In simple-swords control, the risk is the probability that a material misstatement exists in an assertion because that misstatement was not either prevented from entering the entity’s financial information or was not detected and corrected by the internal control system of the entity.
Assessment of Control Risk
Assessment of control risk is a measure of the auditor’s expectation that internal controls will neither prevent material misstatements from occurring nor detect and correct them if they have occurred; control risk is assessed for each transaction-related audit objective in a cycle or class of transactions.
After understanding internal control, the auditor makes an initial assessment of control risk.
Assessment of control risk is the process of evaluating the effectiveness of the design and operation of an entity’s internal control structure policies and procedures in preventing or detecting material misstatements in the financial statements.
Control risk assessments are made for individual financial statements assertions of the internal control structure as a whole.
5 Steps of Assessing Control Risk
Step#1: Consider knowledge acquired front procedures to obtain an understanding
The auditor performs procedures to understand relevant internal control structure policies and procedures for significant financial statement assertions.
Auditor documents the understanding in the form of completed internal control questionnaires, flowcharts, and narrative memoranda.
For policies and procedures relevant to particular assertions, the auditor carefully considers the Yes, No, and N/A responses, written comments in the questionnaires, and the strengths and weaknesses noted in the flowcharts and narrative memoranda.
Analysis of this documentation is the starting point for assessing control risk.
Step#2: Identify potential misstatements
Most audit firms have developed checklists that enumerate the types of potential misstatements that could occur in specific assertions. And some audit firms use computer software for this purpose.
Using either the checklists or the computer software aid and their understanding of the entity’s internal control structure, the auditor identifies the potential misstatements applicable to specific assertions given the entity’s circumstances.
Potential misstatements may be identified for assertions about each major class of transactions and assertions about each significant account balance.
Step#3: Identify necessary controls
Whether by using computer software that processes internal control questionnaire responses or manually by using checklists, auditors can identify necessary controls that could likely prevent or detect specific potential misstatements.
In some cases, several controls may pertain to a given potential misstatement. In other cases, a single control may apply.
Also, a single control may pertain to more than one type of potential misstatement. Specifying necessary controls also requires consideration of circumstances and judgment.
Thus, the auditor must assimilate information about a wide variety of possible control policies and procedures related to any of the ICS components in considering the risk of potential misstatements in particular assertions.
Step#4: Perform tests of controls
In determining the tests to be performed, the auditor considers the types of evidence that will be provided and the cost of performing the test.
The tests include selecting a sample and inspecting related documents, inquiring of client personnel, observing client personnel performing control procedures, and the auditor’s re-performance of certain controls.
The results of each test of controls should provide evidence about the effectiveness of the design and/or operation of the necessarily related control.
Once the tests to be performed have been selected, it is customary for the auditor to prepare a formal written audit program for the planned tests of controls.
Step#5: Evaluate evidence and make an assessment
The final assessment of control risk for a financial statement assertion is based on evaluating the evidence gained from
- procedures to obtain an understanding of relevant internal control structure policies and procedures, and
- related tests of controls.
Based on the nature of the procedures performed, the information obtained might be in the form of any combination of documentary, electronic, mathematical, oral, or physical evidence.
When different types of evidence support the same conclusion about the effectiveness of control, the degree of assurance increases.
Conversely, when they support different conclusions, the degree of assurance decreases.
Conclusion: Additional Considerations in Assessing Control Risk
The auditor typically assesses control risk for assertions about transaction classes such as cash receipts and cash disbursements.
These assessments are then used in assessing control risk for significant account balance assertions so that the appropriateness of the planned level of substantive tests for the account balances can be determined and specific substantive tests can be designed.
This process is considered next, first for accounts affected by a single transaction class and then for accounts affected by multiple transaction classes.
1. Accounts Affected by a Single Transaction Class
Assessing control risk for account balance assertions is straightforward for accounts affected by a single transaction class.
For example, sales are increased by credits for sales transactions in the revenue cycle, and debits increase many expenses accounts for purchase transactions in the expenditure cycle.
In these cases, the auditor’s control risk assessment for each account balance assertion is the same as the control risk assessment for the same transaction class assertion.
For example, the control risk assessment for the existence or occurrence assertion for the sales account balance should be the same as the control risk assessment for the existence or occurrence assertion for transactions.
Similarly, the control risk assessment for the valuation or allocation assertion for many expenses should be the same as for the valuation or allocation assertion for purchase transactions.
2. Accounts Affected by Multiple Transaction Classes
Many balance sheet accounts are significantly affected by more than one transaction class.
For example, the cash balance is increased by cash receipts transactions in the revenue cycle and decreased by cash disbursement transactions in the expenditure cycle.
In these cases, assessing control risk for an account balance assertion requires consideration of the relevant control risk assessments for each transaction class that significantly affects the balance.
Thus, the control risk assessment for the valuation or allocation assertion for the cash balance is based on the control risk assessments for the valuation or allocation assertions for both cash receipts and cash disbursement transactions.