Control risk continues to create confusion in audits. Some auditors assess control risk at less than high when they shouldn't. Others assess control risk at high when it would be better if they did not. The misunderstandings about this risk can result in faulty audits and problems in peer review. In this article, I explain what control risk is and how you can best leverage it to perform quality audits in less time.
Control Risk Defined
What is control risk? It’s the chance that an entity’s internal controls will not prevent or detect material misstatements in a timely manner.
Companies develop internal controls to manage inherent risk. The greater the inherent risk, the greater the need for controls.
Audit Risk Model
As we begin this article, think about control risk in the context of the audit risk model:
Audit risk = Inherent risk × Control risk × Detection risk
Recall the client’s risk is made up of inherent risk and control risk. And the remainder, detection risk, is what the auditor controls. Auditors gain an understanding of inherent risk and control risk. Why? To develop their audit plan and lower their detection risk (the risk that the audit will not detect material misstatements). Put more simply, the auditor understands the client’s risk in order to lower her own.
Further Audit Procedures
After the auditor gains an understanding of the entity and its environment, including internal controls, control risk is often assessed at high. Why? Two reasons: one has to do with efficiency and the other with weak internal controls.
Assessing Control Risk at High
Consider the first reason for high control risk assessments: efficiency.
Control risk can be assessed at high, even if—during your walkthroughs—you see that controls are properly designed and in use. But why would you assess this risk at high when controls are okay?
Let me answer that question with a billing and collection example.
Risk At High: Efficiency Decision
You can test billing and collection internal controls for effectiveness (assuming your walkthrough reveals appropriate controls). But if this test takes eight hours and a substantive approach takes five hours, which is more efficient? Obviously, the substantive approach. And if you use a fully substantive approach, you must assess control risk at high for all relevant assertions.
At this point, you may still be thinking, “But, Charles, if controls are appropriately designed and implemented, why is control risk high?” Because a test of controls is required for control risk assessments below high: the auditor needs a basis (evidence) for the lower assessment. And a walkthrough is not (in most cases) considered a test of controls for effectiveness: it does not provide a sufficient basis for the lower risk assessment. A walkthrough provides an initial impression about controls, but that impression can be wrong. That’s why a test of controls is necessary when control risk is below high, to prove the effectiveness of the control.
In our example above, a substantive approach is more efficient than testing controls. So we plan a substantive approach and assess control risk at high for all relevant assertions.
Risk at High: Weak Controls
Now, let’s look at the second reason for high control risk assessments: weak internal controls. Here again, allow me to explain by way of example.
If the billing and collection cycle walkthrough reveals weak internal controls, then control risk is high. Why? Because the controls are not designed appropriately or they are not in use. In other words, they would not prevent or detect a material misstatement. You could test those controls for effectiveness. But why would you? They are ineffective. Consequently, risk has to be high. Why? Again, because there is no basis for the lower risk assessment. (Even if you tested controls, the result would not support a lower risk assessment: the controls are not working.)
If, on the other hand, controls are appropriate, then you might test them (though you are not required to).
Assessing Control Risk at Less than High
What if, based on your walkthrough, controls are okay, and you believe the test of controls will take four hours while a substantive approach will take eight hours? Then you can test controls for effectiveness. And if the controls are effective, you can assess the risk at less than high. Now you have support for the lower risk assessment.
But what if you test controls for effectiveness and the controls are not working? Then a substantive approach is your only choice.
Many auditors don’t test controls for this reason: they are afraid the test of controls will prove the controls are ineffective. For example, if you test sixty transactions for the issuance of a purchase order, and seven transactions are without purchase orders, the sample does not support effectiveness. The result: the test of controls is a waste of time.
Some auditors mistakenly believe they don’t need an understanding of controls because they plan to use a fully substantive audit approach. But is this true?
Fully Substantive Audit Approach
Weak internal controls can result in more substantive procedures, even if you normally use a substantive approach.
Suppose you assess control risk at high for all billing and collection cycle assertions and plan to use a fully substantive approach. Now, consider two scenarios, one where the entity has weak controls, and another where controls are strong.
Billing and Collection Cycle - Weak Controls
Think about a business that has a cash receipt process with few internal controls. Suppose the following is true:
- Two employees receipt cash
- They both work from one cash drawer
- The two employees provide receipts to customers, but only if requested
- They apply the payments to the customer’s accounts, but they also have the ability to adjust (reduce or write off) customer balances
- At the end of the day, one of the two employees creates a deposit slip and deposits the money at a local bank (though this is not always done in a timely manner)
- These same employees also create and send bills to customers
- Additionally, they reconcile the related bank account
Obviously, a segregation of duties problem exists and theft could occur. For example, the clerks could steal money and write off the related receivables. Child’s play.
Billing and Collection Cycle - Strong Controls
But suppose the owner detects theft and fires the two employees. He does background checks on the replacements. Now the following is true:
- A separate cash drawer is assigned to each clerk
- The controller is required to review customer account adjustments on a daily basis (the controller can’t adjust receivable accounts)
- The cash receipt clerks reconcile their daily activity to a customer receipts report, and the money along with the report is provided to the controller
- The controller counts the daily funds received and reconciles the money to the cash receipts report
- Then the controller creates a deposit slip and provides the funds and deposit slip to a courier
- Once the deposit is made, the courier gives the bank deposit receipt to the controller
- A fourth person (who does not handle cash) reconciles the bank statement in a timely manner
- The monthly customer bills are created and mailed by someone not involved in the receipting process
- Moreover, the owner reviews a monthly cash receipts report
Now, let me ask you: would you use the same substantive audit procedures for each of the above scenarios? Hopefully not. The first situation begs for a fraud test. For example, we might test the adjustments to receivables on a sample basis. Why? To ensure the clerks are not writing off customer balances and stealing cash.
Audit Procedures: Basic and Extended
Basic audit procedures for the billing and collection cycle might include:
- Test the period-end bank reconciliation
- Create substantive analytics for receivable balances and revenues
- Confirm receivable accounts and examine subsequent receipts
We perform these basic procedures whether controls are good or weak. But we would add—when controls are weak and might allow theft—extended substantive procedures such as testing accounts receivable adjustments.
Do you see how the understanding of controls impacts planning (even when control risk is assessed at high)? If we were unaware of the control weaknesses, we would not plan the needed fraud detection procedures.
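The two cash receipts scenarios and the basic/extended procedure discussion above amount to a segregation-of-duties review. The Python below is an added example, not code from the article or its author: it records who holds which duty in each scenario, flags incompatible duty pairs held by one person (and a cash drawer shared by two clerks), and turns the weaknesses found into the extended substantive procedures to add to the basic ones. The duty names, the conflict table and the roster are constructed; of the extended procedures, testing receivable adjustments is the article's own example and the others are constructed illustrations.

```python
"""Added example (not from the article): segregation-of-duties check over the
weak and strong billing and collection scenarios. Names and rules constructed."""
from itertools import combinations
from typing import Dict, List, Set, Tuple

# Duties appearing in the two scenarios (constructed identifiers)
RECEIPT_CASH = "receipt_cash"
ADJUST_RECEIVABLES = "adjust_receivables"
PREPARE_DEPOSIT = "prepare_deposit"
BILL_CUSTOMERS = "bill_customers"
RECONCILE_BANK = "reconcile_bank"
REVIEW_ADJUSTMENTS = "review_adjustments"
COUNT_RECEIPTS = "count_and_reconcile_receipts"

# Duty pairs one person should not hold, each mapped to the extended substantive
# procedure the weakness calls for. The receivable-adjustments test is the
# article's example; the other procedures are constructed for illustration.
INCOMPATIBLE: Dict[frozenset, str] = {
    frozenset({RECEIPT_CASH, ADJUST_RECEIVABLES}):
        "test accounts receivable adjustments (write-offs could conceal stolen receipts)",
    frozenset({ADJUST_RECEIVABLES, REVIEW_ADJUSTMENTS}):
        "test accounts receivable adjustments (write-offs could conceal stolen receipts)",
    frozenset({RECEIPT_CASH, RECONCILE_BANK}):
        "reperform the bank reconciliation and trace receipts to deposits",
    frozenset({PREPARE_DEPOSIT, RECONCILE_BANK}):
        "reperform the bank reconciliation and trace receipts to deposits",
    frozenset({RECEIPT_CASH, BILL_CUSTOMERS}):
        "trace a sample of customer bills to the ledger and to receipts",
}

# Basic procedures from the article, performed whether controls are good or weak
BASIC_PROCEDURES = [
    "test the period-end bank reconciliation",
    "substantive analytics for receivable balances and revenues",
    "confirm receivable accounts and examine subsequent receipts",
]

Conflict = Tuple[str, frozenset, str]  # (employee, duty pair, extended procedure)


def find_conflicts(duties: Dict[str, Set[str]]) -> List[Conflict]:
    """Return every incompatible duty pair held by a single employee."""
    found: List[Conflict] = []
    for person, held in sorted(duties.items()):
        for a, b in combinations(sorted(held), 2):
            pair = frozenset({a, b})
            if pair in INCOMPATIBLE:
                found.append((person, pair, INCOMPATIBLE[pair]))
    return found


def shared_drawers(drawers: Dict[str, str]) -> List[str]:
    """Drawers used by more than one clerk: no individual accountability for shortages."""
    users: Dict[str, Set[str]] = {}
    for person, drawer in drawers.items():
        users.setdefault(drawer, set()).add(person)
    return sorted(d for d, people in users.items() if len(people) > 1)


def plan_procedures(duties: Dict[str, Set[str]], drawers: Dict[str, str]) -> List[str]:
    """Basic procedures always; extended ones only for the weaknesses actually found."""
    extended = {proc for _, _, proc in find_conflicts(duties)}
    if shared_drawers(drawers):
        extended.add("surprise cash count reconciled to the receipts report")  # constructed
    return BASIC_PROCEDURES + sorted(extended)


# Scenario 1: two clerks, one drawer, every duty shared between them
WEAK_DUTIES = {
    "clerk_a": {RECEIPT_CASH, ADJUST_RECEIVABLES, PREPARE_DEPOSIT, BILL_CUSTOMERS, RECONCILE_BANK},
    "clerk_b": {RECEIPT_CASH, ADJUST_RECEIVABLES, PREPARE_DEPOSIT, BILL_CUSTOMERS, RECONCILE_BANK},
}
WEAK_DRAWERS = {"clerk_a": "drawer_1", "clerk_b": "drawer_1"}

# Scenario 2: duties split across clerks, controller, courier, a fourth person
# and a billing clerk outside the receipting process
STRONG_DUTIES = {
    "clerk_a": {RECEIPT_CASH},
    "clerk_b": {RECEIPT_CASH},
    "controller": {COUNT_RECEIPTS, REVIEW_ADJUSTMENTS, PREPARE_DEPOSIT},
    "courier": {"carry_deposit_to_bank"},
    "fourth_person": {RECONCILE_BANK},
    "billing_clerk": {BILL_CUSTOMERS},
}
STRONG_DRAWERS = {"clerk_a": "drawer_1", "clerk_b": "drawer_2"}

if __name__ == "__main__":
    for label, duties, drawers in (("weak", WEAK_DUTIES, WEAK_DRAWERS),
                                   ("strong", STRONG_DUTIES, STRONG_DRAWERS)):
        print(label, "conflicts:", len(find_conflicts(duties)),
              "shared drawers:", shared_drawers(drawers))
        print("  procedures:", plan_procedures(duties, drawers))
```

Run stand-alone, the weak scenario reports four conflicts per clerk and a shared drawer, so the plan grows from the three basic procedures to seven; the strong scenario reports no conflicts and keeps only the basic procedures, which is the article's point that the understanding of controls shapes the substantive work even when control risk is assessed at high for both.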
In summary, we need to understand controls even if we plan to use a fully substantive approach, and even if risks are assessed at high for all assertions. More risk means more audit work.
A Simple Summary
- Control risk is the probability that an entity’s internal controls will not prevent or detect material misstatements in a timely manner
- Internal control weaknesses may require a control risk assessment of high
- Control risk can only be assessed below high when a test of control proves the control to be effective (the test of control provides the basis for the lower risk assessment)
- If walkthroughs show controls to be appropriately designed and implemented, the auditor can (1) assess control risk at high and use a fully substantive approach, or (2) assess control risk below high and test controls for effectiveness, whichever is most efficient
- Even if an auditor intends to use a fully substantive approach, walkthroughs are necessary to determine if additional substantive tests are needed; additional substantive procedures may be necessary when material fraud is possible due to internal control weaknesses
See my inherent risk article here.
For additional information about risk assessment, see the AICPA's SAS 145, Understanding the Entity and Its Environment and Assessing the Risk of Material Misstatement. The guidance was issued in October 2021.