Control Risk
Control risk is the risk that a material misstatement would not be prevented, detected or corrected by the accounting and internal control systems.
Control risk has been defined under International Standards on Auditing (ISA) as following:
“The risk that a misstatement that could occur in an assertion about a class of transaction, account balance or disclosure and that could be material, either individually or when aggregated with other misstatements, will not be prevented, or detected and corrected, on a timely basis by the entity’s internal control.”
In simple-swords control risk is the probability that a material misstatement exists in an assertion because that misstatement was not either prevented from entering entity’s financial information or it was not detected and corrected by the internal control system of the entity.
Assessment of control risk is a measure of the auditor’s expectation that internal controls will neither prevent material misstatements from occurring nor detect and correct them if they have occurred; control risk is assessed for each transaction-related audit objective in a cycle or class of transactions.
After obtaining an understanding of internal control, the auditor makes an initial assessment of control risk.
Assessment of control risk is the process of evaluating the effectiveness of the design and operation of an entity’s internal control structure policies and procedures in preventing or detecting material misstatements in the financial statements.
Control risk assessments are made for individual financial statements assertions of the internal control structure as a whole.
Following are the steps are taken by the auditor for assessing control risk:
The auditor performs procedures to obtain, an understanding of relevant internal control structure policies and procedures for significant financial statements assertions. He/she documents the understanding in the form of completed internal control questionnaires, flowcharts, and narrative memoranda.
For policies and procedures relevant to particular assertions, the auditor carefully considers the Yes, No, and N/A responses and written comments in the questionnaires and the strengths and weaknesses noted in the flowcharts and narrative memoranda.
Analysis of this documentation is the starting point for assessing control risk.
Most audit firms have developed checklists that enumerate the types of potential misstatements that could occur in specific assertions. And some audit firms use computer software for this purpose.
Using either the checklists or the computer software aid and his/her understanding of the entity’s internal control structure, the auditor identifies the potential misstatements applicable to specific assertions given the entity’s circumstances.
Potential misstatements may be identified for assertions about each major class of transactions and assertions about each significant account balance.
Whether by using computer software that processes internal control questionnaire responses or manually by using checklists, auditors can identify necessary controls that could likely prevent or detect specific potential misstatements.
In some cases, several controls may pertain to a given potential misstatement. In other cases, a single control may apply.
Also, a single control may pertain to more than one type of potential misstatement. Specifying necessary controls also requires consideration of circumstances and judgment.
Thus, .the auditor must assimilate information about a wide variety of possible control policies and procedures related to any of the ICS components in considering the risk of potential misstatements in particular assertions.
In determining the tests to be performed, the auditor considers the types of evidence that will be provided and the cost of performing the test.
The tests include selecting a sample and inspecting related documents, inquiring of client personnel, observing client personnel performing control procedures, and the auditor’s re-performance of certain controls.
The results of each-test of controls should provide evidence about the effectiveness of the design and/or operation of the related necessary control.
Once the tests to be performed have teen selected, it is customary for the auditor to prepare a formal written audit program for the planned tests of controls.
The final assessment of control risk for a financial statement assertion is based on evaluating the evidence gained from
1. procedures to obtain an understanding of relevant, internal control structure policies and procedures, and
2. related tests of controls.
Based on the nature of the procedures performed, the information obtained might be in the form of any combination of documentary, electronic, mathematical, oral, or physical evidence.
When different types of evidence support the same conclusion about the effectiveness of control, the degree of assurance increases.
Conversely, when they support different conclusions, the degree of assurance decreases.