[section separator="true"]
[section-item 9]
[row]
[column 12]
[toc-this]
Definition
Control risk is the risk that the internal control arrangements will fail to prevent material deviations, or to detect and correct them on a timely basis.
Instructions
Control risk is assessed by the auditor, based on his/her evaluation of the entity's internal control arrangements.
Compensating controls
The preliminary assessment of control risk requires the auditor to consider the [link title="five%20components%20of%20internal%20control%20" link="%2Faware%2FDocuments%2FInternal-control-components-list.docx" icon="file-word-o" /]. However, the auditor's primary consideration is whether, and how, a specific control prevents, or detects and corrects, deviations, rather than its classification as a particular component. If an expected control does not exist, auditors should enquire about any [a-glossary term="compensating%20controls"]compensating controls[/a-glossary] that may be in place that would have the same effect.
Assessment of control risk
The auditor's assessment of control risk may be Low, Medium or High, as follows:
| Status of internal control | Control risk | Description |
|---|---|---|
| Excellent | Low | In circumstances where information is available from recent audits in the same area that indicates that internal control is excellent in its design and implementation. |
| Good | Medium | Internal control appears to be in place and properly designed, and is likely to operate effectively and continuously throughout the period under review. |
| Poor | High | Internal control is non-existent, poorly designed or appears to be poorly implemented. |
In addition to evaluating the control risk for all significant risks (including [link title="fraud%20risks" link="%2faware%2FGAP%2FPages%2FRed-flags.aspx" /]), the auditor should also evaluate the entity's controls over those risks for which, in the auditor's judgement, it is not possible or practicable to reduce risks to an acceptable level using only substantive procedures. This is the case, for instance, if an entity's information system permits highly automated processing with minimal manual intervention; only evaluation and testing of controls as to the accuracy and completeness of information will provide sufficient appropriate audit evidence.
The overall assessment of control risk should be no better than the assessment of the control environment, as even 'excellent' control procedures can be undermined by a poor control environment.
System design and tests of controls
On the basis of his/her evaluation of the relevant key high-level controls, the auditor can reach overall conclusions about the system design.
Auditors should perform tests of controls in order to confirm their operation where:
The auditor does not need to test controls which are poorly designed because (s)he will not be able to rely on them.
[/toc-this]
[/column]
[/row]
[/section-item]
[section-item 3]
[row]
[column 12]
[panel panel-style="boxed" title="Related%20documents" icon="book" class="ref-panel"]
[standards]
[link new-window title="ISA%20315" link="https%3a%2f%2fwww.ifac.org%2fsystem%2ffiles%2fpublications%2ffiles%2fIAASB-2020-Handbook-Volume-1.pdf%23INTERNATIONAL%2520STANDARD%2520ON%2520AUDITING%2520315%2520(REVISED%25202019)" /]
[/standards]
[/panel]
[/column]
[/row]
[row]
[column 12][/column]
[/row]
[row]
[column 12]
[toc fixed="true" selectors="h2%2Ch3" class="basic-toc" /]
[/column]
[/row]
[/section-item]
[/section]