What happens if control risk is set too high or too low?
Audit risk is comprised of inherent risk, control risk, and detection risk. Depending on how the audit team assesses control risk, they would set detection risk, which determines the level of substantive testing that should be performed. To assess control risk, the audit team would use attribute sampling to determine if the controls were operating effectively.
Attribute Sampling – Controls Testing
As mentioned above, when an audit team is testing controls, they would perform attribute sampling to understand if the control works or doesn’t work.
The whole point of performing controls testing is to assess control risk. If control risk is high, then the audit team team would conclude that controls are not operating effectively and they will not rely the company’s internal controls. If control risk is low, then the audit team would conclude that controls are operating effectively.
Now there is a risk that the audit team incorrectly assesses the company’s internal controls. They can either deem control risk to be too high or control risk to be too low.
Control risk too high = Inefficient audit: This means that the audit team felt that controls were not designed and operating effectively, so they won’t rely on the internal controls. As a result, the audit team would have to lower detection risk and perform more substantive testing procedures (which costs more time and money). However, since control risk could have been set lower, then the team performed more substantive testing procedures than necessary, which means they essentially over audited.
Control risk too low = Ineffective audit: This means that the audit team felt that controls were designed and operating effectively, so they would rely on the internal controls. As a result, the audit team would increase detection risk and perform fewer substantive testing procedures (which saves time and money). However, since control risk should have been set higher, then that means that more substantive testing should have been performed. Since more performed fewer substantive procedures than they should have, there is a chance that the team won’t identify a misstatement and the audit won’t be effective.
Back To All Questions