What is control risk?

Inspection findings repeatedly flag the same gap: the file describes a three-way match or a monthly reconciliation, then designs substantive procedures that quietly assume the control works. Nobody tested it. The risk assessment narrative becomes a tick-box exercise rather than evidence supporting reduced substantive work, and the file collapses on review.

Control risk, defined in ISA 200.13(n)(ii), is the risk that a misstatement could occur in an assertion and not be prevented, or detected and corrected, on a timely basis by the entity's internal controls. In practice, the auditor faces a binary decision per ISA 330.8: either test the operating effectiveness of controls and assess control risk below maximum, or skip the testing and assess at maximum. There is no middle ground.

When control risk sits at maximum, substantive procedures must reduce audit risk to an acceptably low level on their own, without any reliance on internal controls. When control risk is assessed below maximum (because controls have been tested), the auditor can reduce the nature, timing, or extent of substantive procedures accordingly.

Key Points

  • Binary decision. Either test controls and assess control risk below maximum, or assess at maximum and design substantive procedures accordingly. Describing controls without testing them creates a documentation gap.
  • No test = no reliance. ISA 330.8 is explicit: the auditor cannot reduce the assessed control risk below maximum without testing operating effectiveness. A walkthrough alone is not a test of operating effectiveness.
  • Testing reduces substantive work. When controls are tested and found effective, the auditor can reduce sample sizes, use less experienced staff for certain procedures, or shift testing to an interim date.
  • Rotation requirement. ISA 330.14 requires relied-upon controls to be tested at least once every three audits, with some evidence about changes obtained in the intervening periods.

Why it matters in practice

The decision to test controls is a cost-benefit analysis. Testing takes time (selecting a sample, inspecting evidence of the control operating, and evaluating any deviations). If the controls work, the payoff is meaningful: substantive sample sizes can be materially reduced, and certain procedures can shift to interim rather than year-end.

For recurring audits of entities with stable control environments, the efficiency gain from a controls-reliance strategy often outweighs the cost of testing. For first-year audits or entities with weak control environments, a fully substantive approach (assessing control risk at maximum for all assertions) is usually more efficient. That trade-off is a real one, and getting it wrong on a recurring file feels like running uphill year after year for no reason.

The documentation requirement is strict. ISA 330.28 requires the auditor to document the basis for conclusions about the operating effectiveness of controls. This means recording what was tested, how many items were examined, what deviations (if any) were found, and the conclusion on whether the control can be relied upon. A simple "controls tested, effective" note will not survive inspection.

Key standard references

  • ISA 200.13(n)(ii): Definition of control risk as the risk that a misstatement will not be prevented or detected and corrected by the entity's internal controls.
  • ISA 315.26: Requirement to identify controls relevant to the audit, including understanding their design and determining whether they have been implemented.
  • ISA 315.A172–A178: Application guidance on evaluating the design of controls and determining implementation.
  • ISA 330.8: Requirement to design and perform tests of operating effectiveness when the auditor intends to rely on controls or when substantive procedures alone are not sufficient.
  • ISA 330.14: Rotation requirement (controls relied upon must be tested at least once in every three-year period).

Frequently asked questions

When should you assess control risk below maximum?

Only when you have both identified a specific control relevant to the assertion and tested its operating effectiveness under ISA 330.8(a). If the control test finds no deviations, control risk can be assessed below maximum, which reduces the extent of substantive testing needed. Without testing, control risk stays at maximum regardless of how well-designed the control appears.

What happens if you describe controls but don't test them?

This is one of the most common inspection findings. If the risk assessment narrative describes controls but operating effectiveness is never tested, and the substantive procedures implicitly assume those controls work, the file has a gap. ISA 330.8 is clear: no test means no reliance. The substantive procedures must then be designed to address the full risk of material misstatement without any control reduction.

How often do controls need to be tested?

ISA 330.14 requires controls to be tested at least once every third audit if the auditor plans to rely on them. This is a rotation requirement, not a three-year holiday. Some controls must be tested each period, and all relied-upon controls must be tested at least once in a three-year cycle.
