Question

Assume you have performed control tests for a continuing audit client and decided that control risk must be increased from the prior year due to changes in the type of transactions being processed. Assuming no change in the client’s inherent risk, what is the implication for the substantive procedures you will need to perform? How will this keep audit risk at an acceptable level? Explain and be specific.

Answer 1

Control Risk

Control Risk is the risk of a material misstatement in the financial statements arising due to absence or failure in the operation of relevant controls of the entity.

Organizations must have adequate internal controls in place to prevent and detect instances of fraud and error. Control risk is considered to be high where the audit entity does not have adequate internal controls to prevent and detect instances of fraud and error in the financial statements.

Assessment of control risk may be higher for example in case of a small sized entity in which segregation of duties is not well defined and the financial statements are prepared by individuals who do not have the necessary technical knowledge of accounting and finance.

The auditor should increase the extent of tests of controls the more the auditor relies on the operating effectiveness of controls in the assessment of risk. In addition, as the rate of expected deviation from a control increases, the auditor should increase the extent of testing of the control. However, the auditor should consider whether the rate of expected deviation indicates that obtaining audit evidence from the performance of tests of controls will not be sufficient to reduce the control risk at the relevant assertion level. If the rate of expected deviation is expected to be too high, the auditor may determine that tests of controls for a particular assertion may be inappropriate.