Control risk is defined under the International Standards on Auditing (ISAs) as follows:
The risk that a misstatement that could occur in an assertion about a class of transaction, account balance or disclosure and that could be material, either individually or when aggregated with other misstatements, will not be prevented, or detected and corrected, on a timely basis by the entity’s internal control.
In simple words, control risk is the probability that a material misstatement exists in an assertion because that misstatement was either not prevented from entering the entity’s financial information or was not detected and corrected by the entity’s internal control system.
It is the responsibility of management and those charged with governance to implement an internal control system and maintain it appropriately, which includes managing control risk.
Control risk is one of the components of the risk of material misstatement; the other component is inherent risk. It is the responsibility of management to minimize inherent risk, which is done by implementing an internal control system. But if the internal control system is not preventing, detecting and correcting misstatements on a timely basis, then inherent problems will creep into the entity’s system and thus the risk of material misstatement will increase.
The auditor is not responsible for managing the internal control system, and under ISAs he is not under a duty to assess and report on, i.e. give his opinion on, the internal control system of the entity unless he is required to do so under other applicable rules and regulations. But, as said above, if control risk is high, which in other words means the internal control system is not working effectively, then the risk of material misstatement will increase, which ultimately increases the chances that the auditor may end up giving an inappropriate opinion, which is termed audit risk. In response to increased audit risk, he is required to detect material misstatements by designing appropriate audit procedures.
One important point to note about control risk is that it too is assessed in relation to assertions, i.e. at the assertion level and not just at the financial statement level.
There can be many reasons why control risk arises and why it cannot be eliminated absolutely. Some of them are as follows:
- Cost-benefit constraints
- Circumvention of controls
- Inappropriate design of controls
- Inappropriate application of controls
- Lack of control environment and accountability
- Novel situations
- Outdated controls
- Inappropriate segregation of duties