Ask Joey ™ a Question

What happens if control risk is set too high or too low?

Audit risk is comprised of inherent risk, control risk, and detection risk. Depending on how the audit team assesses control risk, they would set detection risk, which determines the level of substantive testing that should be performed. To assess control risk, the audit team would use attribute sampling to determine if the controls were operating effectively.

Attribute Sampling – Controls Testing

As mentioned above, when an audit team is testing controls, they would perform attribute sampling to understand if the control works or doesn’t work.

The whole point of performing controls testing is to assess control risk. If control risk is high, then the audit team team would conclude that controls are not operating effectively and they will not rely the company’s internal controls. If control risk is low, then the audit team would conclude that controls are operating effectively.

Now there is a risk that the audit team incorrectly assesses the company’s internal controls. They can either deem control risk to be too high or control risk to be too low.

Control risk too high = Inefficient audit: This means that the audit team felt that controls were not designed and operating effectively, so they won’t rely on the internal controls. As a result, the audit team would have to lower detection risk and perform more substantive testing procedures (which costs more time and money). However, since control risk could have been set lower, then the team performed more substantive testing procedures than necessary, which means they essentially over audited.

Control risk too low = Ineffective audit: This means that the audit team felt that controls were designed and operating effectively, so they would rely on the internal controls. As a result, the audit team would increase detection risk and perform fewer substantive testing procedures (which saves time and money). However, since control risk should have been set higher, then that means that more substantive testing should have been performed. Since more performed fewer substantive procedures than they should have, there is a chance that the team won’t identify a misstatement and the audit won’t be effective.


You might also be interested in...

  • Does the audit team assess the efficiency of internal controls?

    The audit team will obviously assess internal controls, but do they care about whether the internal controls help the business run efficiently? For purposes of the audit, the answer is likely “No”. However, the external audit team could provide some value to the company and offer suggestions on how they could add some efficiency to […]

  • Why is a noncompete agreement an intangible asset?

    A noncompete agreement is a type of clause that restricts one party from starting or competing in a business that is similar to another party. For example, if Maria sells Bob her Jet Ski business, Bob may force Maria to sign a noncompete agreement that would prevent Maria from starting a Jet Ski business for […]

  • Is Tracing Always The Default Test for Management’s Completeness Assertion?

    When I say completeness you say what?!  Trac… Oof! We actually wouldn’t ideally be tracing when testing for management’s completeness assertion for account payable balances. Tracing is a better test applied when testing for management’s overstatement of something in their financial statements (e.g., revenue, cash etc.)  When testing for completeness on accounts payable, while technically […]