Control Risk is the risk that a material error in an account will not be prevented or detected on a timely basis by the client’s internal control structure.
Assessing control risk is the process of evaluating the effectiveness of an entity’s internal control structure in preventing or detecting material misstatements in the financial statements.
Control risk must ultimately be assessed in terms of financial statement assertions. For example, there should be separate assessments of the existence and completeness assertions for sales.
Control risk may be assessed at the maximum level or below the maximum.
An initial assessment of control risk at the maximum occurs when (1) controls do not pertain to an assertion, (2) controls that pertain are unlikely to be effective, or (3) evaluating the effectiveness of relevant controls would be inefficient. An assessment of control risk below the maximum means that there are effective controls to prevent or detect misstatements in a financial statement assertion. The assessment of control risk below the maximum should be based on evidence of the operating effectiveness of the controls.
Control risk may be expressed qualitatively, such as low, moderate, or high. Alternatively, the risk may be stated quantitatively as a percentage or a numerical probability such as .75 or 1.0. The initial assessment of control risk starts with the auditor’s understanding of the control environment, followed by his knowledge of the accounting system. If management’s attitude toward controls is good, the likelihood of making an initial assessment of control risk below the maximum is enhanced. In some cases, the initial assessment may be based on the effectiveness of the controls in the prior year’s audit, provided that the auditor has determined that such controls are still effective in the current year.
Assessing control risk is a matter of professional judgment. In making the assessment, it is necessary for the auditor to:
- Identify misstatements that could occur in financial statement assertions.
- Identify the controls that could likely prevent or detect the misstatements.
- Obtain evidence from tests of controls as to whether the controls are operating effectively.
The first two steps should be performed for all material financial statement assertions. The third step is required only when the auditor assesses control risk below the maximum (Hrd).