It is important to understand how control risk factors into the amount of substantive testing that the audit team must perform. As you can see in the visual below, if control risk is higher (as well as inherent risk), that means that the audit team cannot really rely on internal controls to prevent or detect material misstatement. If control risk is higher, that means that the audit team must set detection risk at low, which means that the level of substantive testing procedures will increase.
What Increases control risk?
Now that we understand control risk, what would cause control risk to be high? Control risk is increased if the audit determines that controls are not operating effectively (i.e. they will not prevent or detect material misstatements). Audit teams will use sampling to determine whether or not controls are operating effectively.
What is tolerable deviation rate?
Based on materiality and the level of importance placed on the control, the audit team will calculate what the tolerable deviation rate is. The tolerable deviation rate is the max allowable difference (e.g. % or $ difference) that is allowed before the audit team determines that the control is not operating effectively.
What is actual deviation rate?
When the audit team actually tests the control, they will identify the actual deviation rate. Again, this would be the % or $ difference identified, which could vary based on the control type.
Tolerable deviation rate vs actual deviation rate?
After testing the control, the audit team will compare the actual deviation rate to the tolerable deviation rate. For example, imagine you are going on a date. You’ll likely compare what the guy/girl looked like in their profile picture on Bumble versus what they look like in real life!
If the tolerable deviation rate exceeds the actual deviation rate, then that means that the audit team can accept the test and rely on the internal control. If the actual deviation rate exceeds the tolerable deviation rate, then the audit team cannot rely on the internal control.
How do control testing results impact control risk?
Earlier we talked about how control risk would be high if the audit team cannot rely on intern controls. So if the audit team rejects the internal control test, then that means that control risk will be high and the audit team will have to perform a higher level of substantive testing. If the audit team accepts the internal control test, then control risk will be lower and the audit team can likely perform a lower amount of substantive testing.
What happens if the audit team incorrectly assesses test results?
If the audit team determines that the actual deviation rate based on their testing is higher than the actual deviation rate in the population, then they may incorrectly reject the test. That means that they will assess control risk at high when they could have assessed it at low and performed a lower level of substantive testing.
If the audit team determines the actual deviation rate based on their testing is lower than the actual deviation rate in the population, then they may incorrectly accept the test. That means that they will assess control risk at low when it should be assessed at high, which means they will perform lower substantive testing and may not identify a misstatement.