Control risk

Where control risk is likely to be high, the auditor should mostly obtain the required assurance from substantive testing, as reliance cannot be placed on internal controls.
Compliance audit Financial audit
Planning
Ref: 14.150

Definition

Control risk is the risk that the internal control arrangements will fail to prevent material deviations, or to detect and correct them on a timely basis.

Instructions

Control risk is assessed by the auditor, based on his/her evaluation of the entity's internal control arrangements.

Compensating controls

The preliminary assessment of control risk requires the auditor to consider the five components of internal control. However, the auditor's primary consideration is whether, and how, a specific control prevents, or detects and corrects, deviations, rather than its classification as a particular component. If an expected control does not exist, auditors should enquire about any compensating controls that may be in place that would have the same effect.

Assessment of control risk

The auditor's assessment of control risk may be Low, Medium or High, as follows:

| Status of internal control | Control risk | Description |
|---|---|---|
| Excellent | Low | In circumstances where information is available from recent audits in the same area that indicates that internal control is excellent in its design and implementation. |
| Good | Medium | Internal control appears to be in place and properly designed, and is likely to operate effectively and continuously throughout the period under review. |
| Poor | High | Internal control is non-existent, poorly designed or appears to be poorly implemented. |

In addition to evaluating the control risk for all significant risks (including fraud risks), the auditor should also evaluate the entity's controls over those risks for which, in the auditor's judgement, it is not possible or practicable to reduce risks to an acceptable level using only substantive procedures. This is the case, for instance, if an entity's information system permits highly automated processing with minimal manual intervention: in such cases, only evaluation and testing of controls over the accuracy and completeness of information will provide sufficient appropriate audit evidence.

The overall assessment of control risk should be no better than the assessment of the control environment, as even 'excellent' control procedures can be undermined by a poor control environment.

System design and tests of controls

On the basis of his/her evaluation of the relevant key high-level controls, the auditor can reach overall conclusions about the system design. Auditors should perform tests of controls in order to confirm their operation where:
  • the auditor assesses that internal control is designed properly, expects that it has operated continuously and effectively throughout the period under review, and intends to rely on it (that is, the auditor intends to rely on the operating effectiveness of controls when determining the nature, timing and extent of substantive procedures); or
  • substantive procedures alone cannot provide sufficient appropriate audit evidence at the assertions level.

The auditor does not need to test controls which are poorly designed because (s)he will not be able to rely on them.

Last Modified: 25/03/2021 15:58