Control risk
Show/hide Sharepoint toolbar
Toggle navigation
Menu
Home
General
Currently selected
Compliance
Concepts
Planning
Examination
Reporting
Financial
Concepts
Planning
Examination
Reporting
Performance
Concepts
Planning
Examination
Reporting
More
Review
Opinion
Tools
How To ?
Page index
Resources
Terms
It looks like your browser does not have JavaScript enabled. Please turn on JavaScript and try again.
Control risk
Control risk
Where control risk is likely to be high, the auditor should mostly obtain the required assurance from substantive testing, as reliance cannot be placed on internal controls.
Compliance audit
Financial audit
Planning
Ref: 14.150
Page Content
Definition
Control risk is the risk that the internal control arrangements will fail to prevent material deviations, or to detect and correct them on a timely basis.
Instructions
Control risk is assessed by the auditor, based on his/her evaluation of the entity's
internal control
arrangements.
Compensating controls
The preliminary assessment of control risk requires the auditor to consider the
five components of internal control
. However, the auditor's primary consideration is whether, and how, a specific control prevents, or detects and corrects, deviations, rather than its classification as a particular component. If an expected control does not exist, auditors should enquire about any
compensating controls
that may be in place that would have the same effect.
Assessment of control risk
The auditor's assessment of control risk may be
Low
,
Medium
or
High
, as follows:
Status of internal control
Control risk
Description
Excellent
Low
In circumstances where information is available from recent audits in the same area that indicates that internal control is excellent in its design and implementation.
Good
Medium
Internal control appears to be in place and properly designed, and is likely to operate effectively and continuously throughout the period under review.
Poor
High
Internal control is non-existent, poorly designed or appears to be poorly implemented.
In addition to evaluating the control risk for all significant risks (including
fraud risks
), the auditor should also evaluate the entity's controls over those risks for which, in the auditor's judgement, it is not possible or practicable to reduce risks to an acceptable level using only substantive procedures. This is the case, for instance, if an entity's information system permits highly automated processing with minimal manual intervention; only evaluation and testing of controls as to the accuracy and completeness of information will provide sufficient appropriate audit evidence.
The overall assessment of control risk should be no better than the assessment of the control environment, as even 'excellent' control procedures can be undermined by a poor control environment.
System design and tests of controls
On the basis of his/her evaluation of the relevant key high-level controls, the auditor can reach overall
conclusions about the system design
.
Auditors should perform
tests of controls
in order to
confirm
their
operation
where:
the auditor assesses that internal control is designed properly, expects that it has operated continuously and effectively throughout the period under review, and intends to rely on it (that is, the auditor intends to rely on the operating effectiveness of controls when determining the nature, timing and extent of substantive procedures) or
substantive procedures
alone cannot provide sufficient appropriate audit evidence at the
assertions
level.
The auditor does not need to test controls which are poorly designed because (s)he will not be able to rely on them.
Related documents
Standards
ISA 315
Definition
Instructions
Compensating controls
Assessment of control risk
System design and tests of controls
Last Modified
: 25/03/2021 15:58
Tags
:
‹
›
×