Assess Control Risk

In the Internal Control Assess Control Risk form, document your control risk assessments for each COSO component, audit area, and related assertions.
For those areas in which controls were tested, indicate your control risk assessment, considering the displayed test results. If sampling was applied using CX-10.2 - Tests of Controls Sampling Planning and Evaluation Form, ensure that your risk assessments are appropriate given the sample size and number of deviations noted.

Public Company Audit of Internal Control

When performing a public company integrated audit of internal control and the financial statements, you should test controls to simultaneously accomplish the objectives of both audits. In performing the audit of internal control, you should obtain evidence that internal control has operated effectively for a sufficient period of time, which may be less than the financial statement period (ordinarily a year).
To assess control risk for specific assertions at less than the maximum for the financial statement audit, you are required to obtain evidence that the relevant controls operated effectively during the entire period upon which you plan to place reliance on those controls. (However, you are not required to assess control risk at less than the maximum for all relevant assertions and may choose not to do so.)
At this point, you will have completed your control testing and will assess control risk for each assertion for purposes of your financial statement audit. You will also be able to reach a tentative conclusion regarding control effectiveness at CX-15 for purposes of your audit of internal control. (Your final conclusion regarding internal control effectiveness will be reached once you complete your substantive audit procedures.)
You should ensure that your control risk assessments (High, Moderate, Low) for your financial statement audit are consistent with your internal control audit conclusions, keeping in mind that your control risk assessments are for the entire period under audit and your internal control effectiveness conclusion at CX-15 is as of a point in time. Ordinarily, effective internal control equates to a Low control risk assessment (assuming that controls were tested for a sufficient period), and ineffective internal control equates to a High control risk assessment.
The control risk assessments that you enter in the Assess Control Risk section carry forward to the applicable area in Step 2 - Assess the Effects of Risks.