CPE for Government Auditors

Steps of an audit #7: control risk assessment

We are still working through how to perform an audit, step by step.  We are on step 7 – the control risk assessment.  To see previous posts on the steps of performing an audit, please see Steps 1-3 and Steps 4-6.

The 14 Steps of Performing an Audit

    1. Receive vague audit assignment
    2. Gather information about audit subject
    3. Determine audit criteria
    4. Break the universe into pieces
    5. Identify inherent risks
    6. Refine audit objective and sub-objectives
    7. Identify controls and assess control risk
    8. Choose methodologies
    9. Budget each methodology
    10. Formalize the audit program
    11. Perform & document audit methodologies
    12. Conclude
    13. Draft findings
    14. Finalize report

Step 7: Identify controls and assess control risk

After we have broken the universe into small pieces and we have chosen which pieces are inherently risky, we now need to ask if the auditee has controls in place to make sure those inherent risks don’t occur.  This stage is often called the control risk assessment.

What is control risk?

AICPA’s AU-C 200 defines control risk:

.A43     Control risk is a function of the effectiveness of the design, implementation, and maintenance of internal control by management to address identified risks that threaten the achievement of the entity’s objectives relevant to preparation and fair presentation of the entity’s financial statements. However, internal control, no matter how well designed and operated, can only reduce, but not eliminate, risks of material misstatement in the financial statements, because of the inherent limitations of internal control. These include, for example, the possibility of human errors or mistakes, or of controls being circumvented by collusion or inappropriate management override. Accordingly, some control risk will always exist. GAAS provide the conditions under which the auditor is required to, or may choose to, test the operating effectiveness of controls in determining the nature, timing, and extent of substantive procedures to be performed.

The COSO model describes internal control nirvana.

The AICPA points out that an entity can minimize, but not get rid of, control risk by using controls.

In order to do the topic of internal controls justice, we should study the Committee of Sponsoring Organizations of the Treadway Commission (COSO) model.

Yes, I know, I know. You had to memorize it in order to get your certification and you are tired of looking at it. And if you are like me, you just flat out don’t like it! It isn’t intuitive and confuses and intimidates more people than it helps.  Instead of delving into detail here, I am going to refer you to another blog post on the topic.

And if you want to learn it, top to bottom, may I recommend the self-study course on the COSO model/Green Book available here.

The combination of the inherent and control risk assessment tell you what to do next

Now that we have covered the definition of inherent risk and control risk, it is time to bring them together to make a choice about where we are going to spend our precious audit time.

The inherent risk and control risk matrix

                          Low CONTROL risk                          High CONTROL risk
    High INHERENT risk    No issues                                 *** Where auditors need to be! ***
    Low INHERENT risk     Super boring/possibly over-controlled     Who cares?

High inherent risk means that the inherent risk we identified is both of high magnitude and high likelihood.

High control risk means that controls are weak or non-existent and cannot be trusted to reduce the inherent risk as they are meant to.

The combination of significant inherent risk and poor, weak, or nonexistent controls (weak controls or high control risk) is where we auditors need to spend our time. Why? Because it is likely something undesirable could happen there.

If your objective is to make sure that the financial statements are presented in accordance with GAAP, it is possible when inherent risk is high and controls are weak, that some of the key figures on the financial statements are misstated.

In more simple terms, if you decide that cash collections at a casino are inherently risky (cash is usually inherently risky because it is hard to track and very desirable to thieves and teenagers alike) and you decide that the casino has poor controls (for instance, they leave the cash cage open during most of the day and they don’t count cash ahead of the evening deposit), the cash revenues that the casino is reporting are probably wrong. And your opinion (conclusion) on that audit will be that the financial statements are not presented in accordance with GAAP (GAAP requires that the numbers on the financial statement are accurate and complete!).

Or let’s go back to the school lunch example. Let’s say that you hope to eventually conclude that the school is serving free lunches to low-income kids. If you find out that the lunch room employees of the school you are auditing are prejudiced against low-income children because they do not fit the race profile of the other children at the school (high inherent risk) and the school does not screen for eligibility for the program or track how many lunches are provided to low-income children (high control risk), then it is possible that some, if not all, of the low-income children are not being fed.

Your audit conclusion – that the children are not being fed – will be a very hard pill for the school district to swallow. You and the team will need to gather strong evidence to convince the leadership that your conclusion is valid.  The star is where the work is!

The Auditor’s Response – also known as Detection Risk

Detection risk is a fancy term for “auditor response.” It is the only part of the risk assessment process over which the auditor has control. The inherent risk and the control risk are in the auditee’s hands, and once the auditor knows what the client is up to, the auditor has to decide how to respond to what the client is doing.

Auditor responses can range from dropping an issue completely to auditing the heck out of it by running several different in-depth tests.

The AICPA’s AU-Cs are the only standards that define the term ‘detection risk’ and identify ways that financial auditors can improve the effectiveness, selection, and application of appropriate audit procedures and the interpretation of the audit results.

.A46     For a given level of audit risk, the acceptable level of detection risk bears an inverse relationship to the assessed risks… For example, the greater the risks of material misstatement the auditor believes exists, the less the detection risk that can be accepted and, accordingly, the more persuasive the audit evidence required by the auditor.

.A47     Detection risk relates to the nature, timing, and extent of the auditor’s procedures that are determined by the auditor to reduce audit risk to an acceptably low level. It is therefore a function of the effectiveness of an audit procedure and of its application by the auditor.

The Effect of the inherent risk and control risk assessments on detection risk

Here is yet another matrix (auditors really have a ‘thing’ for matrixes) that will allow us to discuss what you do in response to inherent and control risk combinations. Remember, the AICPA calls the auditor response “detection risk.”

Here is a menu of choices:

If inherent risk is…

    Risky
    Sort of risky
    Not risky

And controls are…

    No controls
    Weak controls
    Decent controls
    Strong controls

The auditor can respond by…

    Hitting it hard
    Spending a little time on it
    Skimming it
    Blowing it off
    Writing a finding
    Recommending fewer controls

The matrix will tell you that if the area is “risky” and your control risk assessment tells you that controls are “weak,” then you will have to “hit it hard” and “write a finding.” If the area is “sort of risky” and the client has “weak” controls, you can either “skim it” or “spend some time on it,” but I don’t think “hit it hard” is appropriate.

Here are most of the possible combinations of inherent risk and control risk and the resulting auditor response:

Inherent risk: risky
Control risk: no controls
Response (detection risk): hit it hard; write a finding
Notes: You have to make sure that nothing bad is going on here. So you need to gather plenty of convincing evidence.

Inherent risk: risky
Control risk: weak controls
Response (detection risk): hit it hard; write a finding
Notes: Weak controls aren’t much better than no controls – so you probably have to hit this one hard, too.

Inherent risk: risky
Control risk: decent controls
Response (detection risk): hit it hard, or spend some time on it
Notes: Your choice of how to respond depends on your personality and how much time you have to work on it given the other risks you are tackling.

Inherent risk: risky
Control risk: strong controls
Response (detection risk): spend some time on it, or skim it
Notes: Your choice of how to respond depends on your personality and how much time you have to work on it given the other risks you are tackling.

Inherent risk: sort of risky
Control risk: no controls or weak controls
Response (detection risk): skim it or spend some time on it; write a finding
Notes: Your choice of how to respond depends on your personality and how much time you have to work on it given the other risks you are tackling.

Inherent risk: sort of risky
Control risk: decent controls
Response (detection risk): skim it, or blow it off
Notes: Your choice of how to respond depends on your personality and how much time you have to work on it given the other risks you are tackling.

Inherent risk: sort of risky
Control risk: strong controls
Response (detection risk): skim it, or blow it off if no time is left in the budget
Notes: Your choice of how to respond depends on your personality and how much time you have to work on it given the other risks you are tackling.

Inherent risk: not risky
Control risk: no controls
Response (detection risk): blow it off
Notes: You don’t care and the client doesn’t care enough to control this risk. The client’s response is appropriate, and if you pursue this issue you will end up with a stupid finding asking them to put controls over something silly. Walk away. Now!

Inherent risk: not risky
Control risk: weak controls
Response (detection risk): blow it off
Notes: Bravo to the client who puts no or minimal controls over low-risk things. Extra bravo to the auditor who spends his or her time auditing something else (not this!) that matters!

Inherent risk: not risky
Control risk: strong controls
Response (detection risk): blow it off and warn the client
Notes: The client is spending unnecessary resources controlling something silly. This is also known as an unwieldy bureaucracy. Let the client know that they should shift their resources to mitigate a more significant risk.

Do you get the picture that audit approach has a lot to do with personality, experience, and time pressure? Good. That is what I wanted you to see! This is one aspect of what the standards call “professional judgment,” and professionals differ!

I recommend that you take the matrix above to your supervisor and sit down with them and run through all of the options. It is good to know whether your supervisor is more conservative in their approach and wants you to touch on everything, or whether they want you to conserve audit budget and blow off stuff that isn’t interesting.

Your supervisor, manager, and director can all have different takes on the same exact issue. No, this isn’t an exact science!

Next time, audit methodologies!
