Ask Joey ™ a Question

What happens if control risk is set too high or too low?

Audit risk is comprised of inherent risk, control risk, and detection risk. Depending on how the audit team assesses control risk, they would set detection risk, which determines the level of substantive testing that should be performed. To assess control risk, the audit team would use attribute sampling to determine if the controls were operating effectively.

Attribute Sampling – Controls Testing

As mentioned above, when an audit team is testing controls, they would perform attribute sampling to understand if the control works or doesn’t work.

The whole point of performing controls testing is to assess control risk. If control risk is high, then the audit team team would conclude that controls are not operating effectively and they will not rely the company’s internal controls. If control risk is low, then the audit team would conclude that controls are operating effectively.

Now there is a risk that the audit team incorrectly assesses the company’s internal controls. They can either deem control risk to be too high or control risk to be too low.

Control risk too high = Inefficient audit: This means that the audit team felt that controls were not designed and operating effectively, so they won’t rely on the internal controls. As a result, the audit team would have to lower detection risk and perform more substantive testing procedures (which costs more time and money). However, since control risk could have been set lower, then the team performed more substantive testing procedures than necessary, which means they essentially over audited.

Control risk too low = Ineffective audit: This means that the audit team felt that controls were designed and operating effectively, so they would rely on the internal controls. As a result, the audit team would increase detection risk and perform fewer substantive testing procedures (which saves time and money). However, since control risk should have been set higher, then that means that more substantive testing should have been performed. Since more performed fewer substantive procedures than they should have, there is a chance that the team won’t identify a misstatement and the audit won’t be effective.


You might also be interested in...

  • What is the relationship between volume and variable cost per unit?

    If the variable cost per unit remains fixed, then any increase or decrease in unit volume will result in an increase or decrease in total variable costs for a business. For example, if variable cost per unit was steady at $5, then if unit volume were to increase from 100 to 200 units, then total […]

  • How can variable sampling risk impact the efficiency or effectiveness of an audit?

    Audit risk is comprised of inherent risk, control risk, and detection risk. The level of substantive testing that the audit performs is based on detection risk, which is set after the audit team assesses inherent risk and control risk. Variable Sampling – Substantive Testing When the audit team is performing substantive testing, they will use […]

  • What is business intelligence?

    In general, business intelligence is the strategy and technology used by a company to analyze their data. There are a number of difference functions that fall under the business intelligence umbrella. These include analytics, data mining, processing mining, use of dashboards, etc. The biggest problem most companies face is that they have a ton, and […]