Control risk continues to create confusion in audits. Some auditors assess control risk at less than high when they shouldn't. Others assess control risk at high when it would be better if they did not. The misunderstandings about this risk can result in faulty audits and problems in peer review. In this article, I explain what control risk is and how you can best leverage it to perform quality audits in less time.

Control Risk Defined

What is control risk? It’s the chance that an entity’s internal controls will not prevent or detect material misstatements in a timely manner. Companies develop internal controls to manage inherent risk. The greater the inherent risk, the greater the need for controls.

Audit Risk Model

As we begin this article, think about control risk in the context of the audit risk model:

Audit risk = Inherent risk × Control risk × Detection risk

Recall the client’s risk is made up of inherent risk and control risk. And the remainder, detection risk, is what the auditor controls. Auditors gain an understanding of inherent risk and control risk. Why? To develop their audit plan and lower their detection risk (the risk that the audit will not detect material misstatements). Put more simply, the auditor understands the client’s risk in order to lower her own.

Further Audit Procedures

And how does the auditor reduce detection risk? With further audit procedures. Those include test of controls and substantive procedures (test of details or substantive analytics). After the auditor gains an understanding of the entity and its environment, including internal controls, control risk is often assessed at high. Why? Two reasons: one has to do with efficiency and the other with weak internal controls.

Assessing Control Risk at High

Consider the first reason for high control risk assessments: efficiency. Control risk can be assessed at high, even if—during your walkthroughs—you see that controls are properly designed and in use. But why would you assess this risk at high when controls are okay? Let me answer that question with a billing and collection example.

Risk At High: Efficiency Decision

You can test billing and collection internal controls for effectiveness (assuming your walkthrough reveals appropriate controls). But if this test takes eight hours and a substantive approach takes five hours, which is more efficient? Obviously, the substantive approach.
And if you use a fully substantive approach, you must assess control risk at high for all relevant assertions.

At this point, you may still be thinking, But, Charles, if controls are appropriately designed and implemented, why is control risk high? Because a test of controls is required for control risk assessments below high: the auditor needs a basis (evidence) for the lower assessment. And a walkthrough is not (in most cases) considered a test of controls for effectiveness: it does not provide a sufficient basis for the lower risk assessment. A walkthrough provides an initial impression about controls, but that impression can be wrong. That’s why a test of controls is necessary when control risk is below high, to prove the effectiveness of the control.

In our example above, a substantive approach is more efficient than testing controls. So we plan a substantive approach and assess control risk at high for all relevant assertions.

Risk at High: Weak Controls

Now, let’s look at the second reason for high control risk assessments: weak internal controls. Here again, allow me to explain by way of example.

If the billing and collection cycle walkthrough reveals weak internal controls, then control risk is high. Why? Because the controls are not designed appropriately or they are not in use. In other words, they would not prevent or detect a material misstatement. You could test those controls for effectiveness. But why would you? They are ineffective. Consequently, risk has to be high. Why? Again, because there is no basis for the lower risk assessment. (Even if you tested controls, the result would not support a lower risk assessment: the controls are not working.)

If, on the other hand, controls are appropriate, then you might test them (though you are not required to).

Assessing Control Risk at Less than High

What if, based on your walkthrough, controls are okay.
And you believe the test of controls will take four hours while a substantive approach will take eight hours? Then you can test controls for effectiveness. And if the controls are effective, you can assess the risk at less than high. Now you have support for the lower risk assessment.

But what if you test controls for effectiveness and the controls are not working? Then a substantive approach is your only choice. Many auditors don’t test controls for this reason: they are afraid the test of controls will prove the controls are ineffective. For example, if you test sixty transactions for the issuance of a purchase order, and seven transactions are without purchase orders, the sample does not support effectiveness. The result: the test of controls is a waste of time.

Some auditors mistakenly believe they don’t need an understanding of controls because they plan to use a fully substantive audit approach. But is this true?

Fully Substantive Audit Approach

Weak internal controls can result in more substantive procedures, even if you normally use a substantive approach. Suppose you assess control risk at high for all billing and collection cycle assertions and plan to use a fully substantive approach. Now, consider two scenarios, one where the entity has weak controls, and another where controls are strong.

Billing and Collection Cycle - Weak Controls

Think about a business that has a cash receipt process with few internal controls. Suppose the following is true:
Obviously, a segregation of duties problem exists and theft could occur. For example, the clerks could steal money and write off the related receivables. Child’s play.

Billing and Collection Cycle - Strong Controls

But suppose the owner detects theft and fires the two employees. He does background checks on the replacements. Now the following is true:
Now, let me ask you: would you use the same substantive audit procedures for each of the above scenarios? Hopefully not. The first situation begs for a fraud test. For example, we might test the adjustments to receivables on a sample basis. Why? To ensure the clerks are not writing off customer balances and stealing cash.

Audit Procedures: Basic and Extended

Basic audit procedures for the billing and collection cycle might include:
We perform these basic procedures whether controls are good or weak. But we would add—when controls are weak and might allow theft—extended substantive procedures such as testing accounts receivable adjustments.

Do you see how the understanding of controls impacts planning (even when control risk is assessed at high)? If we were unaware of the control weaknesses, we would not plan the needed fraud detection procedures.

In summary, we need to understand controls even if we plan to use a fully substantive approach, and even if risks are assessed at high for all assertions. More risk means more audit work.

A Simple Summary
See my inherent risk article here. For additional information about risk assessment, see the AICPA's SAS 145, Understanding the Entity and Its Environment and Assessing the Risk of Material Misstatement. The guidance was issued in October 2021.

What is required for an auditor to assess control risk at below the maximum level?
Assessing control risk below the maximum level most likely would involve: identifying specific control activities relevant to specific assertions. As the acceptable level of detection risk decreases, an auditor may: postpone the planned timing of substantive tests from interim dates to the year-end.

When is control risk assessed at the maximum level?
Control risk should be assessed at the maximum level for relevant assertions (1) for which controls necessary to sufficiently address the assessed risk of material misstatement in those assertions are missing or ineffective or (2) when the auditor has not obtained sufficient appropriate evidence to support a control ...

When an auditor increases the assessed level of control risk because certain control procedures are determined to be ineffective, the auditor will most likely increase the?
The relationship between control risk and detection risk is ordinarily parallel. When an auditor increases the assessed level of control risk because certain control activities were determined to be ineffective, the auditor would most likely increase the extent of substantive tests.

Which of the following best describes why an auditor is always required to document the auditor's understanding of internal controls?
Monitoring is the means a company uses to make certain its controls are being followed appropriately. Which of the following best describes why an auditor is always required to document the auditor's understanding of internal controls? To avoid performing substantive procedures.