Assessing Control Risk

September 11, 2020

How To Quantify The Risk Of Material Misstatement – With Examples

Inherent in every audit is the risk that not all misstatements will be detected. Auditors plan the audit with an objective of identifying material misstatements, which are those misstatements that would make a difference in the decisions made by financial statement users. When planning the audit, CPAs must quantify the risk of material misstatement to determine the types of tests and procedures needed in the audit.

The Audit Risk Formula

Audit Risk is composed of the Risk that a Material Misstatement (RMM) exists compounded by Detection Risk (DR), which is the possibility that the auditor will not discover the misstatement. RMM is further broken into its components of Inherent Risk (IR) multiplied by Control Risk (CR); Audit risk is therefore calculated as AR = IR x CR x DR

Inherent Risk Example

An Example of Inherent Risk In An Audit

Inherent risk is the risk innate to a type of asset. For example, cash has a greater risk of being lost or stolen than does a building, and businesses on the Gulf Coast have a higher risk of damage due to hurricanes and floods than do those that are further inland. 

Control Risk Definition & Meaning

Control risk is the possibility that a material misstatement will not be detected by the internal controls of the company, and an auditor must evaluate whether the company under audit has appropriate control measures in place, and whether the internal control procedures are practiced at every level within the business. If the internal controls are designed and operating effectively, the auditor can rely on them, thus reducing the number of substantive tests, those designed to look for errors in the financial statements and related documents, that must be done during an audit.

Applications associated with control risk are illustrated in the sample questions below:

Inspecting and Counting Inventory

Which of the following procedures would an auditor use to assess control risk?

  1. Inspect financial ratios comparing current and past balance sheet accounts.
  2. Observe employees processing invoices.
  3. Physically count inventory.


Observing the employees processing invoices is a method to determine whether internal control procedures are in place and are being used. Inspecting ratios and counting inventory are substantive tests that are designed to look for errors.

What impact does the assessment of control risk have on the type and extent of substantive testing needed in an audit?

  1. Control risk is unrelated to substantive testing, so it has no impact on the tests.
  2. If assessed control risk is higher than expected, the type and extent of substantive testing must be increased.
  3. If assessed control risk is lower than expected, substantive tests must be increased to make up the difference.


If assessed control risk is higher than expected, a greater risk exists that material misstatements will go undetected by the auditor. The increased detection risk can be reduced by increasing substantive tests, which are designed to identify errors.

Are you looking for more practice with Control Risk and other CPA exam topics?