What is control risk?

Control risk, defined in ISA 200.13(n)(ii), is the risk that a misstatement could occur in an assertion and not be prevented, or detected and corrected, on a timely basis by the entity's internal controls.

In practice, the auditor faces a binary decision per ISA 330.8: either test the operating effectiveness of controls and assess control risk below maximum, or skip the testing and assess control risk at maximum. There is no middle ground. The danger lies in describing controls in the risk assessment narrative — acknowledging they exist, documenting how they work — but never actually testing whether they operate effectively, and then designing substantive procedures that implicitly assume those controls are working.

When control risk is assessed at maximum, the auditor must design substantive procedures that are sufficient on their own to reduce audit risk to an acceptably low level, without any reliance on internal controls. When control risk is assessed below maximum (because controls have been tested), the auditor can reduce the nature, timing, or extent of substantive procedures accordingly.

Key Points

  • Binary decision. Either test controls and assess control risk below maximum, or assess at maximum and design substantive procedures accordingly. Describing controls without testing them creates a documentation gap.
  • No test = no reliance. ISA 330.8 is explicit: the auditor cannot reduce the assessed control risk below maximum without testing operating effectiveness. A walkthrough alone is not a test of operating effectiveness.
  • Testing reduces substantive work. When controls are tested and found effective, the auditor can change the nature, timing, or extent of substantive procedures: reduce sample sizes (extent), move some testing to an interim date (timing), or place more weight on substantive analytical procedures rather than tests of details (nature). These are real efficiency gains, but only once the testing has been done.
  • Rotation requirement. ISA 330.14 allows evidence from a previous audit to be used for unchanged controls, but relied-upon controls must be retested at least once in every third audit, some controls must be tested in every audit, and in the intervening periods the auditor must confirm (by inquiry combined with observation or inspection) that the controls have not changed. A control that has changed must be retested in the current audit.

Why it matters in practice

The decision to test controls is fundamentally a cost-benefit analysis. Testing controls takes time — the auditor must select a sample of transactions, inspect evidence of the control operating, and evaluate any deviations. But if the controls work, the payoff is significant: substantive sample sizes can be materially reduced, and certain procedures can be performed at interim rather than year-end.

For recurring audits of entities with stable control environments, the efficiency gain from a controls-reliance strategy often outweighs the cost of testing. For first-year audits or entities with weak control environments, a fully substantive approach, assessing control risk at maximum for all assertions, is usually more efficient. The one exception is ISA 330.8(b): where substantive procedures alone cannot provide sufficient appropriate evidence for an assertion (typically highly automated processing with little or no documentation outside the IT system), tests of controls are required regardless of the cost-benefit calculation.

The documentation requirement is strict. ISA 330.28 requires the auditor to document the basis for conclusions about the operating effectiveness of controls. This means recording what was tested, how many items were examined, what deviations (if any) were found, and the conclusion on whether the control can be relied upon. A simple "controls tested — effective" note will not survive inspection.

Key standard references

  • ISA 200.13(n)(ii): Definition of control risk as the risk that a misstatement will not be prevented or detected and corrected by the entity's internal controls.
  • ISA 315.26: Requirement to identify controls relevant to the audit, including understanding their design and determining whether they have been implemented.
  • ISA 315.A172–A178: Application guidance on evaluating the design of controls and determining implementation.
  • ISA 330.8: Requirement to design and perform tests of operating effectiveness when the auditor intends to rely on controls or when substantive procedures alone are not sufficient.
  • ISA 330.14: Rotation requirement. Controls relied upon must be tested at least once in every third audit, some controls must be tested every audit, and controls that have changed since they were last tested must be retested in the current audit.

Frequently asked questions

When should you assess control risk below maximum?

Only when you have both identified a specific control relevant to the assertion and tested its operating effectiveness under ISA 330.8(a). If the test supports a conclusion that the control operated effectively throughout the period of intended reliance (any deviations found having been investigated and judged not to undermine reliance), control risk can be assessed below maximum, which reduces the extent of substantive testing needed. Without testing, control risk stays at maximum regardless of how well-designed the control appears.

What happens if you describe controls but don't test them?

This is one of the most common inspection findings. If the risk assessment narrative describes controls but operating effectiveness is never tested, and the substantive procedures implicitly assume those controls work, the file has a gap. ISA 330.8 is clear: no test means no reliance. The substantive procedures must then be designed to address the full risk of material misstatement without any control reduction.

How often do controls need to be tested?

ISA 330.14 requires controls the auditor plans to rely on to be tested at least once in every third audit. This is a rotation requirement, not a three-year holiday. Some controls must be tested each period, all relied-upon controls must be tested at least once in a three-audit cycle, and in any period where a control is not retested the auditor must still confirm, by inquiry combined with observation or inspection, that it has not changed since it was last tested. If it has changed, it must be retested in the current audit.