Examination of auditors' control risk assessments and their effect on planned substantive procedures

Statement on Auditing Standards No. 55 (SAS 55) indicates that control risk assessments should be made at the assertion, account, or class of transaction level, as appropriate, and utilized along with inherent risk assessments to determine the nature, extent and timing of audit procedures. The audit procedures should be designed to bring the detection risk to a level which will allow for an acceptable level of overall audit risk. In order for the audit to be performed effectively and efficiently, the audit program should require testing that adequately addresses the risks present in a given client situation, while calling for performance of only limited testing on assertions, account balances, and transactions for which little risk exists.; There is some evidence in prior studies of auditors' tendencies to make "global" judgments of control risk rather than specific, account- or assertion-level assessments. If actual risk varies across assertions and accounts, then global judgments are inappropriate in those circumstances. If inappropriate global judgments are made, then the planned substantive procedures may not be specifically directed toward high-risk assertions. This could result in either an inefficient audit ("over-auditing") or an ineffective audit ("under-auditing"). The purpose of this study is to determine if auditors are making assertion- or account-specific internal control risk assessments when appropriate, in accordance with SAS 55, and if they are making corresponding risk-directed adjustments to the audit plan.; An experiment was conducted in which experienced auditors from one Big Six accounting firm were asked to assess control risk at the assertion level for accounts in the revenue transaction cycle. They were then asked to choose audit procedures to be performed and indicate the amount of time to be budgeted to each procedure. The results provide evidence that the auditors did identify varying levels of control risk across assertions and accounts. However, varying risk levels did not always correspond to variations in planned substantive procedures.