At times, auditors errantly assess control risk at less than high. Why? Because the (lower) assessment is not supported by a test of controls.
So can you assess control risk at high without testing controls? Yes–and you may want to. Below you’ll see why.
We have been told that “you can’t default to maximum risk.” While we can’t default to maximum (the old pre-risk-assessment standards term), we can–and in many audits should–assess control risk at high (the present risk assessment term).
First, the auditor should determine the existence and location of risks–the purpose of risk assessment procedures. Once risk assessment procedures (walkthroughs, inquiries, analytics, etc.) are performed, we know more about what the risks are and where they are. Then—if controls are appropriately designed and working—we can assess control risk (CR) at whatever level we desire. If CR is assessed at below high, then controls must be tested to support the lower risk assessment.
At this point, our assessment of control risk becomes a question of efficiency. We can:
The salient question is, “Which option is most efficient?”
Here’s a video that will help you understand when it’s best to use a test of details or test controls for effectiveness.
Risk assessment procedures, such as walkthroughs, generally are not sufficient to support a low to moderate control risk assessment. A walkthrough (often a test of one transaction) allows us to see if appropriate controls are in place. It doesn’t, however, tell us if the controls are consistently working.
AU-C Section 330.08 states: The auditor should design and perform tests of controls to obtain sufficient appropriate audit evidence about the operating effectiveness of relevant controls if the auditor’s assessment of risks of material misstatement…includes an expectation that the controls are operating effectively (that is, the auditor intends to rely on the operating effectiveness of controls in determining…substantive procedures).
A test of one transaction–often performed in walkthroughs–generally is not considered “sufficient appropriate audit evidence” to assess control risk at less than high.
Now, let’s look at audit planning decisions.
To test and rely on controls, the auditor should examine more transactions. We might, for example, test forty disbursements for proper purchase orders. If the control is working, then we can assess control risk at low to moderate and decrease our substantive work. We could, for example, test fewer additions to plant, property and equipment.
If it takes longer to test controls (e.g., the forty purchase orders) than to perform substantive tests (e.g., vouching invoice support for additions to plant, property and equipment), then it makes more sense to assess control risk at high and perform substantive procedures. And we should do just that–if we desire to make a higher profit on the engagement (and I’m betting you do).
For example, if it takes six hours to test forty transactions for appropriate purchase orders, and it takes four hours to vouch all additions to plant, property, and equipment, then we should assess control risk at high and not perform the test of controls. We should perform the substantive procedure of vouching all significant additions to plant, property, and equipment.
Can we assess the risk of material misstatement (RMM) at low to moderate without testing controls?
If the inherent risk (IR) is low to moderate, then our combined risk of material misstatement can easily be low to moderate. (Let me encourage you to assess risk at the assertion level and not at the transaction level.)
For example, a low inherent risk and a high control risk can yield a low to moderate RMM. In an equation it looks like this:
This approach produces a moderate RMM without testing controls. A moderate RMM supports a basic approach, and a basic approach means we are performing fewer substantive tests (a high RMM means the auditor will perform more substantive tests).
In short, many times inherent risk is low to moderate. If you combine a low to moderate inherent risk with a high control risk, you can assess RMM at low to moderate. This low to moderate RMM comports with a basic audit approach. Continuing with our plant, property and equipment example from above, you can–with the low to moderate RMM–test fewer asset purchases. And no test of controls is necessary.
This approach–assessing control risk at high after performing risk assessment procedures–often creates greater audit efficiency and is compliant with audit standards. Alternatively, we should assess control risk below high and test controls if this approach takes less time.
I started this post by saying we sometimes errantly assess control risk. By this, I mean we sometimes assess control risk at low to moderate without a sufficient test of controls. If we assess control risk at less than high, then we must test controls.
What are your thoughts about assessing control risk?
See my article about the audit risk model for more information about risks of material misstatement.
Charles Hall is a practicing CPA and Certified Fraud Examiner. For the last thirty years, he has primarily audited governments, nonprofits, and small businesses. He is the author of The Little Book of Local Government Fraud Prevention and Preparation of Financial Statements & Compilation Engagements. He frequently speaks at continuing education events. Charles is the quality control partner for McNair, McLemore, Middlebrooks & Co. where he provides daily audit and accounting assistance to over 65 CPAs. In addition, he consults with other CPA firms, assisting them with auditing and accounting issues.