Control Risk: Assessing a Client’s Ability to Detect and Correct Problems

By Kenneth Boyd, Lita Epstein, Mark P. Holtzman, Frimette Kass-Shraibman, Maire Loughran, Vijay S. Sampath, John A. Tracy, Tage C. Tracy, Jill Gilbert Welytok

Control risk is the risk that the company’s internal controls won’t prevent or detect mistakes. Company management is ultimately responsible for the financial statements. The internal controls the company puts in place are meant to produce accurate and effective reporting.

During your risk-assessment procedures, you interview members of the company and observe how they do their jobs to make your assessment of control risk. Here are some examples of control activities and the specific procedures that should be in place in an adequate control environment:

  • Segregation of duties: In particular, this applies to authorization, custody, and recordkeeping. Ideally, three different people should perform these three tasks. For example, the person who keeps the records for computer components in stock shouldn’t be the person who authorizes a request for more components. The physical custody of the computer components after receipt should be the task of a third employee.

  • Adequate documents and records: The company must maintain source documents such as purchase orders, paid invoices, and customer invoices in a proper filing system. A classic documentation control is using pre-numbered documents and saving voided documents. If you spot a missing sales invoice number without the voided invoice, for example, you know right off the bat that the company may have unrecorded sales.

  • Physical control of assets and records: This includes providing safe and secure locations for the assets, tagging all assets with a control number, and having backup procedures for records in case they’re misplaced or lost in a fire or flood.

Not quite sure what it means to tag a particular asset? Businesses with good internal controls have a unique label on each piece of furniture and equipment they own and a record of where each label is placed. Every year, someone goes around to see whether any tagged assets are missing.