Assessing Audit Control Risk at High

By Charles Hall | Auditing

Apr 11

At times, auditors errantly assess control risk at less than high. Why? Because the (lower) assessment is not supported by a test of controls.


So can you assess control risk at high without testing controls? Yes–and you may want to. Below you’ll see why.

We have been told that “you can’t default to maximum risk.” While we can’t default to maximum (the old pre-risk-assessment standards term), we can–and in many audits should–assess control risk at high (the present risk assessment term).

Assessing Control Risk at High

First, the auditor should determine the existence and location of risks–the purpose of risk assessment procedures. Once risk assessment procedures (walkthroughs, inquiries, analytics, etc.) are performed, we know more about what the risks are and where they are. Then—if controls are appropriately designed and working—we can assess control risk (CR) at whatever level we desire. If CR is assessed at below high, then controls must be tested to support the lower risk assessment.

The Efficiency Decision

At this point, our assessment of control risk becomes a question of efficiency. We can:

  1. Assess control risk at high and not perform additional tests of controls, or
  2. Assess control risk at low to moderate and test the operating effectiveness of controls

The salient question is, “Which option is most efficient?”

Here’s a video that will help you understand when it’s best to use a test of details or test controls for effectiveness.

Risk Assessment Procedures

Risk assessment procedures, such as walkthroughs, generally are not sufficient to support a low to moderate control risk assessment. A walkthrough (often a test of one transaction) allows us to see if appropriate controls are in place. It doesn’t, however, tell us if the controls are consistently working.

Testing Controls

AU-C Section 330.08 states: The auditor should design and perform tests of controls to obtain sufficient appropriate audit evidence about the operating effectiveness of relevant controls if the auditor’s assessment of risks of material misstatement…includes an expectation that the controls are operating effectively (that is, the auditor intends to rely on the operating effectiveness of controls in determining…substantive procedures).

A test of one transaction–often performed in walkthroughs–generally is not considered “sufficient appropriate audit evidence” to assess control risk at less than high.

Back to the Efficiency Issue

Now, let’s look at audit planning decisions.


To test and rely on controls, the auditor should examine more transactions. We might, for example, test forty disbursements for proper purchase orders. If the control is working, then we can assess control risk at low to moderate and decrease our substantive work. We could, for example, test fewer additions to plant, property and equipment.

If it takes longer to test controls (e.g., the forty purchase orders) than to perform substantive tests (e.g., vouching invoice support for additions to plant, property and equipment), then it makes more sense to assess control risk at high and perform substantive procedures. And we should do just that–if we desire to make a higher profit on the engagement (and I’m betting you do).

For example, if it takes six hours to test forty transactions for appropriate purchase orders, and it takes four hours to vouch all additions to plant, property, and equipment, then we should assess control risk at high and not perform the test of controls. We should perform the substantive procedure of vouching all significant additions to plant, property, and equipment.

Reducing Substantive Tests (Without Testing Controls)

Can we assess the risk of material misstatement (RMM) at low to moderate without testing controls?


If the inherent risk (IR) is low to moderate, then our combined risk of material misstatement can easily be low to moderate. (Let me encourage you to assess risk at the assertion level and not at the transaction level.)

For example, a low inherent risk and a high control risk can yield a low to moderate RMM. In an equation it looks like this:

IR       CR        RMM         Audit Approach
Low   X  High   =  Moderate    Basic

This approach produces a moderate RMM without testing controls. A moderate RMM supports a basic approach, and a basic approach means we are performing fewer substantive tests (a high RMM means the auditor will perform more substantive tests).

In short, many times inherent risk is low to moderate. If you combine a low to moderate inherent risk with a high control risk, you can assess RMM at low to moderate. This low to moderate RMM comports with a basic audit approach. Continuing with our plant, property and equipment example from above, you can–with the low to moderate RMM–test fewer asset purchases. And no test of controls is necessary.

This approach–assessing control risk at high after performing risk assessment procedures–often creates greater audit efficiency and is compliant with audit standards. Alternatively, we should assess control risk below high and test controls if this approach takes less time.


I started this post by saying we sometimes errantly assess control risk. By this, I mean we sometimes assess control risk at low to moderate without a sufficient test of controls. If we assess control risk at less than high, then we must test controls.

What are your thoughts about assessing control risk?

See my article about the audit risk model for more information about risks of material misstatement.


About the Author

Charles Hall is a practicing CPA and Certified Fraud Examiner. For the last thirty years, he has primarily audited governments, nonprofits, and small businesses. He is the author of The Little Book of Local Government Fraud Prevention and Preparation of Financial Statements & Compilation Engagements. He frequently speaks at continuing education events. Charles is the quality control partner for McNair, McLemore, Middlebrooks & Co. where he provides daily audit and accounting assistance to over 65 CPAs. In addition, he consults with other CPA firms, assisting them with auditing and accounting issues.

  • Charles Hall says:

    Thanks Armando. Yes, Haile’s comment is relevant when Single Audits are performed. Risk assessment and response is quite different for Single Audits–all directed at federal program requirements and not toward traditional accounting systems.

  • Charles Hall says:

    Ching ming, yes, it makes more sense, when the volume of transactions is low — e.g., a few fixed assets are purchased — to just vouch the additions to invoices and not test controls. Thanks.

  • Armando Balbin says:

    We used to do that. The article is excellent. We do A-133 audits. I agree with Haile Girma, CPA, “Charles, a great post. One caveat- you have to test controls if doing an A-133 audit (i.e. you don’t have a choice).”

  • Tom Noce says:

    Hi Charles

    I enjoy your posts and insight into our standards. However, I have to take exception to a couple of items in your recent “Assessing Audit Control Risk at High (and Saving Time).” In the article you do mention that we cannot default to maximum as many auditors felt they could do. You state we “can assess control risk at any level we desire”, I don’t believe that is the case. We are required to gain an understanding of controls that are relevant to the audit. Based on that understanding we are to assess control risk. We establish RMM based on the controls as they exist. Granted once we establish RMM based on audit approach efficiency we can elect not to test controls and apply a completely substantive approach. So your article as written I’m reasonably confident implied that we can just arbitrarily assess control risk at high similar to defaulting to maximum risk.

    In support of this position consider the fact that in our internal control letter we can state that we noted “no material weaknesses”. That statement implies that we looked at the areas where material weaknesses could occur and found internal controls at least sufficient to prevent material misstatements including fraud. As CPAs we could not make that assertion unless we performed procedures. The very reason we cannot comment on the lack of “significant deficiencies” is that our procedures are not inclusive enough. Significant deficiencies are more of a “stumble upon it” issue.

    One other item that I feel it necessary to address is your example relating to establishing RMM. In your example you state IR at Low and CR at H would result in a possible Medium for RMM. By definition this is impossible. IR risk by definition is the risk the transaction or account balance has assuming no internal controls. In the audit risk formula there are two things that reduce that risk, the controls the client has (CR) and our audit steps (DR). Internal controls cannot increase the IR. If the auditor assesses IR at low, regardless of CR RMM is low.

  • Charles Hall says:

    Tom, as unusual, you make some insightful comments. I agree with both of your points.

    Auditors can’t assess risk at less than high without testing controls. And, in all audits, we must gain an understanding of the entity’s controls. That understanding (gained through risk assessment procedures) provides the basis for the control risk assessment. My post should have been clearer about the gaining of the understanding prior to assessing risk.

    Regarding the issue of a low inherent risk and a high control risk yielding a moderate risk of material misstatement, I think you are correct. The lower of the two is usually the RMM. I do see in Thomson Reuters guidance that they show the RMM at moderate when one is high and the other is low.

    Thanks for your comments Tom.

  • Charles Hall says:

    Thanks, Dainis. Glad you found it helpful. I appreciate your kind comment.
