Chapter 3 Risk Assement & Internal Control

3
RISK ASSESSMENT AND

INTERNAL CONTROL
LEARNING OUTCOMES
After studying this chapter, you will be able to:

 Know the Internal Control System-Nature, Scope, Objective and
Structure.
 Identify the components of Internal Control.
 Learn to review of the systems of Internal Control.
 Understand the concept of Risk Based Audit, Internal Control and Risk
Assessment.
 Gain knowledge of reporting to clients on Internal Control weaknesses.
 Know the framework of Reporting of Internal Control
© The Institute of Chartered Accountants of India

3.2 ADVANCED AUDITING AND PROFESSIONAL ETHICS
CHAPTER OVERVIEW
Internal
Control
System -
Nature,
Scope,
Reporting to Objective and
clients on Structure Components
Internal of Internal
Control Control
Weaknesses
RISK
ASSESSMEN
T AND
Framework on INTERNAL Review of the
Reporting of CONTROL System of
Internal Internal
Controls Controls
Internal
Control and Methods of
Risk Recording
Assessment
1. INTRODUCTION
It is the risk that the auditor may fail to express an appropriate
opinion in an audit assignment. An auditor may consider audit
risk both at overall level as well as at the level of individual
account balances or classes of transactions. This means that at
overall level the auditor applies their professional judgement to
determine the extent of risk which he considers to be an
acceptable level. At account balance level, audit risk refers to
the risk that error in monetary terms exists beyond a tolerable
error limit in the account balances or class of transaction which
the auditor fails to defect. Fig.: Internal Control and Risk Assessment ∗
∗
Source : SlideShare

RISK ASSESSMENT AND INTERNAL CONTROL 3.3
AUDIT RISK means the risk that the auditor gives an inappropriate
audit opinion when the financial statement are materially misstated.
SA 315 establishes requirements and provides guidance on
identifying and assessing the risks of material misstatement at the
financial statement and assertion levels.
Audit risk is a function of the Risk of material misstatement may be defined as the
risks of material misstatement risk that the financial statements are materially
and detection risk misstated prior to audit. This consists of two
components, described as follows at the assertion level:
(A) Inherent risk—The susceptibility of an assertion
Audit Risk = Risk of Material about a class of transaction, account balance or
Misstatement x Detection disclosure to a misstatement that could be material,
Risk------(1) either individually or when aggregated with other
misstatements, before consideration of any related
Risk of Material controls.
Misstatement= Inherent Risk x (B) Control risk—The risk that a misstatement that
Control Risk------(2) could occur in an assertion about a class of transaction,
From (1) and (2), we arrive at- account balance or disclosure and that could be
material, either individually or when aggregated with
Audit Risk = Inherent Risk x other misstatements, will not be prevented, or detected
Control Risk x Detection Risk and corrected, on a timely basis by the entity’s internal
control.
(C) Detection Risk: The risk that the procedures
performed by the auditor to reduce audit risk to an
acceptably low level will not detect a misstatement that
exists and that could be material, either individually or
when aggregated with other misstatements.
Assessment of Risks - Matter of Professional Judgement
The Internal Control structure in an organization is referred to as the policies and procedures
established by the entity to provide reasonable
assurance that the objectives are achieved. The control
structure in an organization basically has the following
components:
1. Control Environment - Control environment Control Control
Procedure Environment
covers the effect of various factors like
management attitude, awareness and actions for
establishing, enhancing or mitigating the
effectiveness of specific policies and procedures.
Accounting System
2. Accounting System - Accounting system means
the series of task and records of an entity by

which transactions are processed for maintaining financial records. Such system identifies,
assemble, analyze, calculate, classify, record, summarize and report transactions and other
events.
3. Control Procedure - Policies and procedures means those policies and procedures in
addition to the control environment and accounting systems which the management has
established to achieve the entity’s specific objectives.
In this regard, the management is responsible for maintaining an adequate accounting
system incorporating various internal controls to the extent that they are appropriate to the
size and nature of the business. There should be reasonable assurance for the auditor that
the accounting system is adequate and that all the accounting information required to be
recorded has in fact been recorded.
Internal controls normally contribute to such assurance. The auditor should gain an
understanding of the accounting system and related internal controls and should study and
evaluate the operation of those internal controls upon which he wishes to rely in
determining the nature, timing and extent of other audit procedures. Where the auditor
concludes that he can rely on certain internal controls, he could reduce his substantive
procedures which otherwise may be required and may also differ as to the nature and
timing.
Specific Requirement under SA 315 - “Identifying and Assessing the Risks of Material
Misstatement through Understanding the Entity and its Environment” deals with the
auditor’s responsibility to identify and assess the risks of material misstatement in the
financial statements, through understanding the entity and its environment, including the
entity’s internal control.
SA 315 defines the system of internal control as the process designed, implemented
and maintained by those charged with governance, management and other personnel
to provide reasonable assurance about the achievement of an entity’s objectives with
regard to reliability of financial reporting, effectiveness and efficiency of operations,
safeguarding of assets, and compliance with applicable laws and regulations.
SA 315 further states that the auditor should identify and assess the risks of material
misstatement, whether due to fraud or error, at the financial statement and assertion levels,
through understanding the entity and its environment, including the entity’s internal control,
thereby providing a basis for designing and implementing responses to the assessed risks
of material misstatement. This will help the auditor to reduce the risk of material
misstatement to an acceptably low level.

2. INTERNAL CONTROL SYSTEM - NATURE, SCOPE,

OBJECTIVES AND STRUCTURE
Internal controls are a system consisting of specific policies and procedures designed to provide
management with reasonable assurance that the goals and objectives
it believes important to the entity will be met.
"Internal Control System" means all the policies and procedures
(internal controls) adopted by the management of an entity to assist in
achieving management's objective of ensuring, as far as practicable,
the orderly and efficient conduct of its business, including adherence
to management policies, the safeguarding of assets, the prevention and detection of fraud and
error, the accuracy and completeness of the accounting records, and the timely preparation of
reliable financial information.
To state whether a set of financial statements presents a true and fair view, it is essential to
benchmark and check the financial statements for compliance with the framework. The Accounting
Standards specified under the Companies Act, 1956 (which are deemed to be applicable as per
Section 133 of the 2013 Act, read with Rule 7 of Companies (Accounts) Rules, 2014) is one of the
criteria constituting the financial reporting framework on which companies prepare and present
their financial statements under the Act and against which the auditors evaluate if the financial
statements present a true and fair view of the state of affairs and the results of operations of the
company in an audit of the financial statements carried out under the Act.
The following are the Nature, Scope, Objectives and Structure of an Internal Control Audit:
2.1 Nature of Internal Control
A set of internally generated policies and procedures adopted by the management of an
enterprise is a prerequisite for an organisations efficient and effective performance. It is thus, a
primary responsibility of every management to create and maintain an adequate system of
internal control appropriate to the size and nature of the business entity.
SA 315 defines the system of internal control as the process designed, implemented and
maintained by those charged with governance, management and other personnel to provide
reasonable assurance about the achievement of an entity’s objectives with regard to reliability of
financial reporting, effectiveness and efficiency of operations, safeguarding of assets, and
compliance with applicable laws and regulations.
Internal control is a process/set of processes designed to facilitate and support the
achievement of business objectives. Any system of internal control is based on a consideration
of significant risks in operations, compliance and financial reporting. Objectives such as
improving business effectiveness are included, as are compliance and reporting objectives.

2.2 Scope of Internal Controls

The scope of internal controls extends beyond mere accounting controls and includes all
administrative controls concerned with the decision - making process leading to managements
authorization of transaction, such controls include, production method, time and motion study,
pricing policies, quality control, work standard, budgetary control, policy appraisal, quantitative
controls etc. In an independent financial audit, the auditor is primarily concerned with those
policies and procedures having a bearing on the assertions underlying the financial statements.
These comprise primarily controls relating to safeguarding of assets, prevention and detection of
fraud and error, accuracy and completeness of accounting records and timely preparation of
reliable financial information. Administrative controls, on the other hand, have only a remote
relationship with financial records and the auditor may evaluate only those administrative
controls which have a bearing on the reliability of the financial records.
The fundamental therefore is that effective internal control is a process effected by people that
supports the organization in several ways, enabling it to provide reasonable assurance regarding
risk and to assist in the achievement of objectives.
Fundamental to a system of internal control is that it is integral to the activities of the company,
and not something practiced in isolation.
Facilitates the effectiveness and

efficiency of operations.
INTERNAL CONTROL SYSTEM:
Helps ensure the reliability of internal

and external financial reporting.
Assists compliance with laws and

regulations.
Helps safeguarding the assets of the

entity.
2.3 Objectives of Internal Control System

The objectives of internal control systems are determined by the management, after considering
the nature of business, scale operations, the extent of professionalism of the management etc.

The objectives of internal controls relating to the accounting system are:

(i) Transactions are executed through general or specific management authorization.
(ii) All transactions are promptly recorded in an appropriate manner to permit the
preparation of financial information and to maintain accountability of assets.
(iii) Assets and records are safeguarded from unauthorized access, use or
disposition.
(iv) Assets are verified at reasonable intervals and appropriate action is taken with
regard to the discrepancies.
Precisely, the control objectives ensure that the transactions processed are complete, valid and
accurate. The basic accounting control objectives which are sought to be achieved by any
accounting control system are:
Ensure all transactions are
Properly
Recorded Properly Recorded Properly Classified Properly
Real
Valued Timely Posted and Summarized.
Disclosed
If the response to all the above answer is positive, the auditor would be justified in limiting his
account balance tests considerably.
In case of excellent companies it may also be possible to rely on account balance with minimum
of external tests, such as direct confirmation, management representation etc. Where in a
system a particular control is found to be deficient, audit attention can be focused on the areas
where basic accounting control objectives are not being adhered to.
In case, if it found that sales transactions are not being properly valued in
accordance with the price list determined by the management, the auditor would have
to perform extensive searching tests on sales invoices to assure himself that the
recoverable amounts are correctly posted. He may also want to expand his
confirmation request at the year end to cover a large majority of trade receivables.
2.3.1 Limitations of Internal Control - Internal control, no matter how effective, can provide an
entity with only reasonable assurance and not absolute assurance about achieving the entity’s
operational, financial reporting and compliance objectives.

Internal control systems are subject to certain inherent limitations, such as:
Management's consideration that the cost of an internal control does not exceed the
expected benefits to be derived.
The fact that most internal controls do not tend to be directed at transactions of unusual
nature. The potential for human error, such as, due to carelessness, distraction, mistakes
of judgement and misunderstanding of instructions.
The possibility of circumvention of internal controls through collusion with employees or
with parties outside the entity.
The possibility that a person responsible for exercising an internal control could abuse
that responsibility, for example, a member of management overriding an internal control.
Manipulations by management with respect to transactions or estimates and judgements
required in the preparation of financial statements.
2.4 Structure of Internal Control

In order to achieve the objectives of internal controls, it is necessary to establish adequate control
policies and procedures. Most of these policies and procedures cover:
2.4.1 Segregation of duties - Transaction processing are allocated to different persons in such a
manner that no one person can carry through the completion of a transaction from start to finish
or the work of one person is made complimentary to the work of another person. The purpose is
to minimize the occurrence of fraud and errors and to detect them on a timely basis, when they
take place. The following functions are segregated -
(a) authorization of transactions;
(b) execution of transactions;
(c) physical custody of related assets; and
(d) maintenance of records and documents, while allocating duties, the considerations of cost
and efficacy should be kept in mind as there is a tendency to stretch the allocation of tasks
involved in a job to more persons than what is required resulting in cumbersome
procedures, over elaboration of records and unduly high cost of administration.
Apart from segregation of duties, periodic rotation of duties of personnel is also desirable. The
rotation of duties seeks to ensure that if a fraud and error is committed by a person, it does not
remain undetected for long. It also ensures that a person cannot develop vested interest by
holding a position for to long. Rotation of duties also ensures that each employee keeps his work
up to date. This also makes an employee to be careful because he is aware that his performed
tasks will be reviewed by others when duties are rotated.
2.4.2 Authorization of Transaction - Delegation of authority to different levels and to particular
persons are required to establish by the management for controlling the execution of transaction

in accordance with prescribed conditions. Authorization may be general or it may be specific with
reference to a single transaction. It is necessary to establish procedures which provide assurance
that authorizations are issued by persons acting within the scope of their authority, and that the
transactions conform to the terms of the authorizations. This objective can be achieved by making
independent comparison of transaction document with general or specific authorizations, as the
case may be.
2.4.3 Adequacy of Records and Documents - Accounting controls should ensure that -
(i) Transactions are executed in accordance with management’s general or specific
authorization.
(ii) Transactions and other events are promptly recorded at correct amounts.
(iii) Transactions should be classified in appropriate accounts and in the appropriate period
to which it relates.
(iv) Transaction should be recorded in a manner so as to facilitate preparation of financial
statements in accordance with applicable accounting standards, other accounting
policies and practices and relevant statutory requirements.
(v) Recording of transaction should facilitate maintaining accountability for assets.
(vi) Assets and records are required to be protected from unauthorized access, use or
disposition.
(vii) Records of assets such as sufficient description of the assets (to facilitate identification)
its location should also be maintained so that the assets could be physically verified
periodically.
For prompt, accurate, complete and appropriate recording of accounting transaction, several
procedures are often established by the management. The assurance that transactions have been
properly recorded can also be obtained through a comparison of records with an independent
source of information which provides an indication of the execution of the relevant transactions.
2.4.4 Accountability and Safeguarding of Assets - The process of accountability of assets
commences from acquisitions of assets its use and final disposal. Safeguarding of assets requires
appropriate maintenance of records, their periodic reconciliation with the related assets. Assets
like cash, inventories, investment scrips require frequent physical verification with book records.
The frequency of reconciliation would differ for different assets depending upon their nature and
amount. Assets which are considered sensitive or susceptible to error need to be reconcile more
frequently than others. For proper safeguarding of assets, only authorized personnel should be
given access to such asset. This not only means physical access but also exercising control
over processing of documents relating to authorization for use and disposal of assets. It is
essential to have effective controls over physical custody of cash, inventories, investments and
other fixed assets. In some cases, as per requirement, special procedures regarding physical
custody of assets may have to be designed by the management.

2.4.5 Independent Checks - Independent verification of the control systems, designed and
implemented by the management, involves periodic or regular review by independent persons to
ascertain whether the control procedures are operating effectively or not. Such process may be
carried out by specially assigned staff under the banner of external audit.
3. COMPONENTS OF INTERNAL CONTROLS

In general, a system of internal control to be considered adequate should include the following five
components:
(i) Control environment;
(ii) Entity’s Risk assessment Process;
(iii) Control activities;
(iv) Information system and communication;
(v) Monitoring of Controls
Components of
Internal Control
Entity’s risk Information

Control Control Monitoring of
assessment system and
environment activities controls
process communication
3.1 Control Environment

The control environment encompasses the following elements:
(a) Communication and enforcement of integrity and ethical values: The effectiveness of
controls cannot rise above the integrity and ethical values of the people who create,
administer, and monitor them. Integrity and ethical behavior are the product of the entity’s
ethical and behavioral standards, how they are communicated, and how they are reinforced
in practice. The enforcement of integrity and ethical values includes, for example,
management actions to eliminate or mitigate incentives or temptations that might prompt
personnel to engage in dishonest, illegal, or unethical acts. The communication of entity
policies on integrity and ethical values may include the communication of behavioral
standards to personnel through policy statements and codes of conduct and by example.
(b) Commitment to competence: Competence is the knowledge and skills necessary to
accomplish tasks that define the individual’s job.

(c) Participation by those charged with governance: An entity’s control consciousness is

influenced significantly by those charged with governance. The importance of the
responsibilities of those charged with governance is recognised in codes of practice and
other laws and regulations or guidance produced for the benefit of those charged with
governance. Other responsibilities of those charged with governance include oversight of
the design and effective operation of whistle blower procedures and the process for
reviewing the effectiveness of the entity’s internal control.
(d) Management’s philosophy and operating style: Management’s philosophy and operating
style encompass a broad range of characteristics. For example, management’s attitudes
and actions toward financial reporting may manifest themselves through conservative or
aggressive selection from available alternative accounting principles, or conscientiousness
and conservatism with which accounting estimates are developed.
(e) Organisational structure: Establishing a relevant organizational structure includes
considering key areas of authority and responsibility and appropriate lines of reporting. The
appropriateness of an entity’s organisational structure depends, in part, on its size and the
nature of its activities.
(f) Assignment of authority and responsibility: The assignment of authority and
responsibility may include policies relating to appropriate business practices, knowledge
and experience of key personnel, and resources provided for carrying out duties. In
addition, it may include policies and communications directed at ensuring that all personnel
understand the entity’s objectives, know how their individual actions interrelate and
contribute to those objectives, and recognize how and for what they will be held
accountable.
(g) Human resource policies and practices: Human resource policies and practices often
demonstrate important matters in relation to the control consciousness of an entity. For
example, standards for recruiting the most qualified individuals – with emphasis on
educational background, prior work experience, past accomplishments, and evidence of
integrity and ethical behaviour – demonstrate an entity’s commitment to competent and
trustworthy people. Training policies that communicate prospective roles and
responsibilities and include practices such as training schools and seminars illustrate
expected levels of performance and behaviour. Promotions driven by periodic performance
appraisals demonstrate the entity’s commitment to the advancement of qualified personnel
to higher levels of responsibility.
3.2 Entity’s Risk Assessment Process
For financial reporting purposes, the entity’s risk assessment process includes how management
identifies business risks relevant to the preparation of financial statements in accordance with the
entity’s applicable financial reporting framework, estimates their significance, assesses the
likelihood of their occurrence, and decides upon actions to respond to and manage them and the

results thereof. For example, the entity’s risk assessment process may address how the entity
considers the possibility of unrecorded transactions or identifies and analyses significant estimates
recorded in the financial statements.
Risks relevant to reliable financial reporting include external and internal events, transactions or
circumstances that may occur and adversely affect an entity’s ability to initiate, record, process,
and report financial data consistent with the assertions of management in the financial statements.
Management may initiate plans, programs, or actions to address specific risks or it may decide to
accept a risk because of cost or other considerations.
Risks can arise or change due to circumstances such as the following:

(a) Changes in operating environment. Changes in the regulatory or operating
environment can result in changes in competitive pressures and significantly different
risks.
(b) New personnel. New personnel may have a different focus on or understanding of
internal control.
(c) New or revamped information systems. Significant and rapid changes in information
systems can change the risk relating to internal control.
(d) Rapid growth. Significant and rapid expansion of operations can strain controls and
increase the risk of a breakdown in controls.
(e) New technology. Incorporating new technologies into production processes or

information systems may change the risk associated with internal control.
(f) New business models, products, or activities. Entering into business areas or
transactions with which an entity has little experience may introduce new risks
associated with internal control.
(g) Corporate restructurings. Restructurings may be accompanied by staff reductions and

changes in supervision and segregation of duties that may change the risk associated
with internal control.
(h) Expanded foreign operations. The expansion or acquisition of foreign operations

carries new and often unique risks that may affect internal control, for example,
additional or changed risks from foreign currency transactions.
(i) New accounting pronouncements. Adoption of new accounting principles or changing

accounting principles may affect risks in preparing financial statements.

3.3 Control Activities

Generally, control activities that may be relevant to an audit may be categorised as policies and
procedures that pertain to the following:
(a) Performance reviews: These control activities include reviews and analyses of actual
performance versus budgets, forecasts, and prior period performance; relating different sets
of data – operating or financial – to one another, together with analyses of the relationships
and investigative and corrective actions; comparing internal data with external sources of
information; and review of functional or activity performance.
(b) Information processing: The two broad groupings of information systems control activities
are application controls, which apply to the processing of individual applications, and
general IT-controls, which are policies and procedures that relate to many applications and
support the effective functioning of application controls by helping to ensure the continued
proper operation of information systems. Examples of application controls include checking
the arithmetical accuracy of records, maintaining and reviewing accounts and trial balances,
automated controls such as edit checks of input data and numerical sequence checks, and
manual follow-up of exception reports. Examples of general IT-controls are program change
controls, controls that restrict access to programs or data, controls over the implementation
of new releases of packaged software applications, and controls over system software that
restrict access to or monitor the use of system utilities that could change financial data or
records without leaving an audit trail.
(c) Physical controls: Controls that encompass:
 The physical security of assets, including adequate safeguards such as secured facilities
over access to assets and records.
 The authorisation for access to computer programs and data files.
 The periodic counting and comparison with amounts shown on control records (for
example, comparing the results of cash, security and inventory counts with accounting
records). The extent to which physical controls intended to prevent theft of assets are
relevant to the reliability of financial statement preparation, and therefore the audit,
depends on circumstances such as when assets are highly susceptible to
misappropriation.
(d) Segregation of duties: Assigning different people the responsibilities of authorising
transactions, recording transactions, and maintaining custody of assets. Segregation of
duties is intended to reduce the opportunities to allow any person to be in a position to both
perpetrate and conceal errors or fraud in the normal course of the person’s duties.
Certain control activities may depend on the existence of appropriate higher level policies
established by management or those charged with governance. For example, authorisation
controls may be delegated under established guidelines, such as, investment criteria set by

those charged with governance; alternatively, non-routine transactions such as, major
acquisitions or divestments may require specific high level approval, including in some
cases that of shareholders.
3.4 Information System, Including the Related Business Processes,
Relevant to Financial Reporting, and Communication
An information system consists of infrastructure (physical and hardware components), software,
people, procedures, and data. Many information systems make extensive use of information
technology (IT).
The information system relevant to financial reporting objectives, which includes the
financial reporting system, encompasses methods and records that:
(a) Identify and record all valid transactions.
(b) Describe on a timely basis the transactions in sufficient detail to permit proper
classification of transactions for financial reporting.
(c) Measure the value of transactions in a manner that permits recording their proper
monetary value in the financial statements.
(d) Determine the time period in which transactions occurred to permit recording of
transactions in the proper accounting period.
(e) Present properly the transactions and related disclosures in the financial statements.
The quality of system-generated information affects management’s ability to make appropriate

decisions in managing and controlling the entity’s activities and to prepare reliable financial
reports.
Communication, which involves providing an understanding of individual roles and responsibilities
pertaining to internal control over financial reporting, may take such forms as policy manuals,
accounting and financial reporting manuals, and memoranda. Communication also can be made
electronically, orally, and through the actions of management.
3.5 Monitoring of Controls
An important management responsibility is to establish and maintain internal control on an ongoing
basis. Management’s monitoring of controls includes considering whether they are operating as
intended and that they are modified as appropriate for changes in conditions. Monitoring of
controls may include activities such as, management’s review of whether bank reconciliations are
being prepared on a timely basis, internal auditors’ evaluation of sales personnel’s compliance
with the entity’s policies on terms of sales contracts, and a legal department’s oversight of
compliance with the entity’s ethical or business practice policies. Monitoring is done also to ensure

that controls continue to operate effectively over time. For example, if the timeliness and accuracy
of bank reconciliations are not monitored, personnel are likely to stop preparing them.
Internal auditors or personnel performing similar functions may contribute to the monitoring of an
entity’s controls through separate evaluations. Ordinarily, they regularly provide information about
the functioning of internal control, focusing considerable attention on evaluating the effectiveness
of internal control, and communicate information about strengths and deficiencies in internal
control and recommendations for improving internal control.
Monitoring activities may include using information from communications from external parties that
may indicate problems or highlight areas in need of improvement. Customers implicitly corroborate
billing data by paying their invoices or complaining about their charges. In addition, regulators may
communicate with the entity concerning matters that affect the functioning of internal control, for
example, communications concerning examinations by bank regulatory agencies. Also,
management may consider communications relating to internal control from external auditors in
performing monitoring activities.
The overall systems of internal control comprises of Administrative Control and
Accounting Controls, Internal Checks and Internal Audit are important constituents of
Accounting Controls.
1. Internal Check System - Internal check system implies organization of the overall system
of book-keeping and arrangement of Staff duties in such a way that no one person can carry
through a transaction and record every aspect thereof. It is a part of overall control system and
operates basically as a built-in-device as far as organization and job-allocation aspects of the
controls are concerned.
The system provides existence of checks on the day to day transactions which operate
continuously as part of the routine system whereby the work of each person is either proved
independently or is made complimentary to the work of another.
The following are the objectives of the internal check system:

(i) To detect error and frauds with ease.
(ii) To avoid and minimize the possibility of commission of errors and fraud by any staff.
(iii) To increase the efficiency of the staff working within the organization.
(iv) To locate the responsibility area or the stages where actual fraud and error occurs.
(v) To protect the integrity of the business by ensuring that accounts are always subject to
proper scrutiny and check.
(vi) To prevent and avoid the misappropriation or embezzlement of cash and falsification of
accounts.

The effectiveness of an efficient system of internal check depends on the following

considerations-
(i) Clarity of Responsibility - The responsibility of different persons engaged in various
operations of business transactions should be properly identified. A well integrated
organizational chart depicting the names of responsible persons associated with specific
functions may help to fix up responsibility.
(ii) Division of Work - The segregation of work should be made in such a manner that the
free flow of work is not interrupted and also helps to determine that the work of one person
is complementary to the other. Then, it is suggested that rotation of different employees
through various components of job should be effectively implemented.
(iii) Standardization - The entire process of accounting should be standardized by creating
suitable policies commensurate with the nature of the business, so as to strengthen the
system of internal check.
(iv) Appraisal - Periodic review should be made of the chain of operations and work flow.
Such process may be carried out by preparing an audit flow chart.
The general condition pertaining to the internal check system may be summarized as
under:
(i) no single person should have complete control over any important aspect of the
business operation. Every employee’s action should come under the review of another
person.
(ii) Staff duties should be rotated from time to time so that members do not perform the
same function for a considerable length of time.
(iii) Every member of the staff should be encouraged to go on leave at least once a year.
(iv) Persons having physical custody of assets must not be permitted to have access to the
books of accounts.
(v) There should exist an accounting control in respect of each class of assets, in addition,
there should be periodical inspection so as to establish their physical condition.
(vi) Mechanical devices should be used, where ever practicable to prevent loss or
misappropriation of cash.
(vii) Budgetary control should be exercised and wide deviations observed should be
reconciled.
(viii) For inventory taking, at the close of the year, trading activities should, if possible be
suspended, and it should be done by staff belonging to several sections of the
organization.
(ix) The financial and administrative powers should be distributed very judiciously among
different officers and the manner in which those are actually exercised should be
reviewed periodically.
(x) Procedures should be laid down for periodical verification and testing of different
sections of accounting records to ensure that they are accurate.

The scope of statutory audit is limited by both time and cost. Therefore, it is increasingly being
recognized that for an audit to be effective especially in case of large organization, the existence
of a system of internal check is essential.
2. Internal Audit - Internal audit may be defined as, an independent appraisal function
established within an organization to examine and evaluate its activities as a service to the
organization. The scope of the internal audit is determined by the management. Internal auditing
includes a series of processes and techniques through which an organizations own employees
ascertain for the management, by means of on-the-job observation, whether established
management controls are adequate, and are effectively maintained; records and reports financial,
accounting and otherwise reflect actual operation and results accurately and properly; each
division, department or other units are carrying out the plans, policies and procedures for which
they are responsible.
Note: For a detailed discussion on internal audit refer to Chapter 15.
4. REVIEW OF THE SYSTEM OF INTERNAL CONTROLS

The control environment sets the tone of an organization, influencing the control consciousness of
its people. The control environment includes the governance and management functions and the
attitudes, awareness, and actions of those charged with governance and management concerning
the entity’s internal control and its importance in the entity.
Evaluating the design of a control involves considering whether the control, individually or in
combination with other controls, is capable of effectively preventing, or detecting and correcting,
material misstatements. Implementation of a control means that the control exists and that the
entity is using it. There is little point in assessing the implementation of a control that is not
effective, and so the design of a control is considered first. An improperly designed control may
represent a material weakness or significant deficiency in the entity’s internal control.
An entity’s system of internal control contains manual elements and often contains automated
elements. The use of manual or automated elements in internal control also affects the manner in
which transactions are initiated, recorded, processed, and reported. An entity’s mix of manual and
automated elements in internal control varies with the nature and complexity of the entity’s use of
information technology.
Manual elements in internal control may be more suitable where judgment and discretion are
required such as for the following circumstances:
Large, unusual or non-recurring transactions.
Circumstances where errors are difficult to define, anticipate or predict.
In changing circumstances that require a control response outside the scope of an existing
automated control.

In monitoring the effectiveness of automated controls.

The extent and nature of the risks to internal control vary depending on the nature and
characteristics of the entity’s information system. The entity responds to the risks arising from the
use of IT or from use of manual elements in internal control by establishing effective controls in
light of the characteristics of the entity’s information system.
The review of the internal control system enables the auditor -
(i) to formulate his opinion as to the reliance he may place on the system itself i.e. whether the
system is such as would enable the management to produce a true and fair set of financial
statements; and
(ii) to locate the areas of weakness in the system so that the audit programme and the nature,
timing and extent of substantive and compliance audit procedures can be adjusted to meet
the situation. For example, if the auditor is not satisfied with the control system as regards
trade receivable, he may decide to have a wider coverage for confirmation of trade
receivables’ balances. Normally, investments and cash are physically verified at the end of the
period and this routine is known to the client and his employees. In case the auditor comes
across a weakness in the control either he may provide in the programme for a surprise cash
count or investment verification on a day preceding or succeeding the routine verification. In
such a case, a surprise check will be more useful if it is undertaken after the routine
verification is over. Similarly, if he is of the view that because of weak controls the possibility
of wrong billing to customers exists, be may extend the programme for comparison of the
invoices with the forwarding notes and for checking of the extensions and castings of the
invoices.
Deciding the point of time appropriate for undertaking the review of the internal controls is a matter
for individual judgement of the auditor. This decision can be taken on a consideration of the size
and complexity of the client’s operations. If the auditor, because of his continuing relationship with
his client, is already aware of the features and efficacy of internal controls, he may just review the
changes that have taken place in the intervening period because of changes in the operations of
the client. However, a comprehensive review in such cases must be made at an interval of, say, 3
years. Ordinarily, the review of internal controls should be undertaken as a distinct phase of audit
before finalisation of the audit programme. However, if the size of operations is rather small, the
review can be undertaken in conjunction with other audit procedures and the programmes can be
adjusted for any extension or elimination of checking.
When the auditor finds inadequacies or weaknesses in the internal control system, he should
advise his client about such inadequacies and weaknesses and the consequences that may follow.
It should be the duty of the auditor to see, in the course of his audit, how far the inadequacies and
weaknesses have been removed. He will take this into account in preparing his audit report. It is a
useful practice to note the following after each function, set out in the audit programme -

(a) Any change in the system of internal control from that record in the appropriate section of
the internal control questionnaire.
(b) Any further weakness noted in the internal control.
(c) Any instance where the prescribed system or procedure has not been followed.
These should be considered in deciding whether any further modification in the audit programme is
called for. Also, these should be communicated to the client and confirmation should be sought as
regards changes in the system.
The review of internal control consists mainly of enquiries of personnel at various organisational
levels within the enterprise together with reference to documentation such as procedures,
manuals, job description and flow-charts, to gain knowledge about the controls which the auditor
has identified as significant to his audit. The auditor may trace a few transactions through the
accounting system to assist in understanding that system and it is related to internal controls. The
auditor’s preliminary evaluation of internal controls should be made on the assumption that the
controls operate generally as described and that they function effectively throughout the period of
intended reliance. The purpose of the preliminary evaluation is to identify the particular controls
on which the auditor still intends to rely and to test through compliance procedures. Different
techniques are used to record information relating to an internal control system. Selection of a
particular technique is a matter for the auditor’s judgement.
5. METHODS OF RECORDING
The following are the methods of recording:
5.1 Questionnaire
Because of the widespread experience that auditors possess about the business operations in
general and the knowledge about the appropriate control, most of the auditing firms have
developed their own standardised internal control questionnaire on a generally applicable basis. In
developing the standard questionnaire, endeavour is made to make it as wide as possible so that
all situations, generally found, are included therein but all of these may not be applicable in a
particular case. A questionnaire is a set of questions framed in an organised manner, about each
functional area, which has as purpose the evaluation of the effectiveness of control and detection
of its weakness if any. A questionnaire usually consists of several separate sections devoted to
areas such as purchases, sales, trade receivables, trade payables, wages, etc. The questionnaire
is intended to be filled by the company executives who are in charge of the various areas.
However, this poses some practical difficulties. The questionnaire is to travel from executives and,
therefore, it may take a pretty long time to be filled; also the questions may not be readily
intelligible to busy executives and there is a possibility of the questionnaire being misplaced while
travelling from one table to another. Having regard to these difficulties, it is now almost an
accepted practice that the auditor (or his representative) arranges meetings with the executives

concerned and gets the answers filled by each executive. Sometimes, the auditor himself may be
required to fill the answers. In such a case, he should ensure that the concerned executive has
initiated the answers as a token of his agreement therewith.
Questions are so framed as generally to dispense with the requirement of a detailed answer to
each question. For this purpose, often one general question is broken down into a number of
questions and sub-questions to enable the executive to provide a just ‘Yes’, ‘No’ or ‘Not applicable’
form of reply. Questions are also framed in such a manner that generally a “No” answer will effect
weakness in the control system. This requires giving a positive power to the question, keeping in
view what the proper control should be. Consider the question ‘Are all receipts recorded promptly
and deposited in bank daily? If the answer to this is ‘Yes’, it fits with the plan of good internal
control. But if it is ‘No’ it indicates weakness in the system in as much as the moneys received may
not be recorded and may be defalcated because the cashier has continued control over the
amount for an uncertain period. However, this should not be taken as an unbreakable rule.
Questions may be framed also when a ‘Yes’ answer would indicate weakness. The only thing that
should be borne in mind is that the scheme of questions should be consistent, sequential, logical,
and if possible corroborative. Wherever it is necessary, slightly detailed answers also may be
asked for to bring clarity to the matter.
In the use of standardized internal control questionnaire, certain basic assumptions

about elements of good control are taken into account. These are -
(i) Certain procedures in general used by most business concerns are essential in
achieving reliable internal control. This is a time-tested assumption. Deposit into bank
of the entire receipts of a day or daily balancing of the cash book and ledgers or
periodic reconciliation with the control accounts are examples of widely used practices
which are considered good internal control practices. Besides, basic operations giving
rise to these practices exist in all businesses irrespective of their nature.
(ii) Organisations are such that permit an extensive division of duties and
responsibilities. The larger the organisation, the greater is the scope of such division.
(iii) Employees concerned with accounting function are not assigned any custodial
function.
(iv) No single person is thrust with the responsibility of completing a transaction all by
himself.
(v) There should always be evidence to identify the person who has done the work
whether involving authorisation, implementation or checking.
(vi) The work performed by each one is expected to come under review of another in the
usual course of routine.
(vii) There is proper documentation and recording of the transactions.
The questionnaire serves the purpose of a record so far as the auditor is concerned about the
state of internal control as given to him officially. A question naturally arises as to whether it is
necessary to issue questionnaire for every year of the auditor’s engagement.

For the first year of engagements issue of questionnaire is necessary.

For subsequent years, the auditor, instead of issuing a questionnaire again, may request the client
to confirm whether any change in the nature and scope of business has taken place that
necessitated a corresponding change in the control system, or whether, even without a change in
the nature and scope of business, the control system has undergone a change.
If there has been a change, the auditor should take note of its and enter appropriate comments on
the relevant part of the questionnaire. However, it would be a good practice in the case of
continuing engagements to issue a questionnaire irrespective of any change, say, every third year.
This will obviate unnecessary trouble of filling the answers every time and to that extent the client’s
and the auditor’s own time will be saved. The rationale for issuance of a questionnaire every three
years, in the case of even no change, lies in altering the client as regards unnoticed and
unspectacular changes that might have taken place during the intervening period; also this will
make the client more control-conscious. Questionnaires can be prepared for various aspects of
the internal control system.
5.2 Check List
It is a series of instructions or questions on internal control which the auditor must follow or
answer. When a particular instruction is carried out, the auditor initials the space opposite the
instruction. If it is in the form of a question, the answer generally ‘Yes’, ‘No’ or ‘Not Applicable’ is
entered opposite the question. A check list is more in the nature of a reminder to the auditor about
the matters to be checked for testing the internal control system. While a questionnaire is basically
a set of questions put to the client, a check list which may be in a form of instructions, questions or
just points to be checked may be meant for the auditor’s own staff it is a set of instructions or
points; it may be meant for the client if it is in the form of questions. The question form of check list
may even be meant for the auditor’s own staff.
Questions in the check list may be formed in the following manner (this is an
illustrative set of questions to be answered by the audit staff).
Have you checked that the cashier -
(i) is not responsible for opening the incoming mails;
(ii) does not authorise any of the ledgers;
(iii) does not authorise any expenditure or receipt;
(iv) does not sign cheques;
(v) takes his annual leave regularly;
(vi) inks and balances the cash book everyday;
(vii) verifies physical cash balance with the book figure daily at the end of the day;
(viii) prepares monthly bank reconciliation statement;

(ix) holds no other funds or investment;

(x) holds no unnecessary balance in hand;
(xi) does not pay money without looking into compliance with proper procedure and due
authorisation; and
(xii) has tendered proper security or has executed a fidelity bond?
When the check list is in question form, it is hardly different from a questionnaire. However,
generally questionnaire is a popular medium for the evaluation of the internal control system.
The basic distinction between internal control questionnaire and check list are as under:
1. The ICQ incorporates a large number of detailed questions but the check list generally
contains questions relating to the main control objective with the area under review.
2. ICQ, the weaknesses are highlighted by the ‘Yes’ while in the check list, it is indicated by
‘No’.
3. The significance of ‘No’ in an ICQ does indicate a weakness but the significance of that
weakness is not revealed automatically. However, in the check list, a specific statement
is required where an apparent weakness may prove to be material in relation to the
accounts as a whole.
5.3 Flow chart

The flow charting technique can also be resorted to for evaluation of the internal control system. It is a
graphic presentation of internal controls in the organisation and is normally drawn up to show the
controls in each section or sub-section. As distinct from a narrative form, it provides the most concise
and comprehensive way for reviewing the internal controls and the evaluator’s findings. In a flow chart,
narratives, though cannot perhaps be totally banished are reduced to the minimum and by that process,
it can successfully bring the whole control structure, specially the essential parts thereof, in a
condensed but wholly meaningful manner. It gives a bird’s eye view of the system and is drawn up as a
result of the auditor’s review thereof. It should, however, not be understood that details are not
reflected in a flow chart. Every detail relevant from the control point of view and the details about how
an operation is performed can be included in the flow chart. Essentially a flow chart is a diagram full
with lines and symbols and, if judicious use of them can be made, it is probably the most effective way
of presenting the state of internal controls in the client’s organisation.
A properly drawn up flow chart can provide a neat visual picture of the whole activities of the
section or department involving flow of documents and activities. More specifically it can show -
(i) at what point a document is raised internally or received from external sources;
(ii) the number of copies in which a document is raised or received;
(iii) the intermediate stages set sequentially through which the document and the activity pass;

(iv) distribution of the documents to various sections, department or operations;

(v) checking authorisation and matching at relevant stages;
(vi) filing of the documents; and
(vii) final disposal by sending out or destruction.
As a matter of fact a very sound knowledge of internal control requirements is imperative for,
adopting flow-charting technique for evaluation of internal controls; also it demands a highly
analytical mind to be able to see clearly the inter division of a job and the appropriate control at
relevant points.
It has been stated earlier that flow charts should be made section-wise or department-wise. The
suggestion has been made to ensure readability and intelligibility of the flow charts.
Drawing of a flow chart - A flow chart is normally a horizontal one in which documents and
activities are shown to flow horizontally from section to section and the concerned sections are
shown as the vertical column heads; in appropriate cases an individual also may be shown as the
vertical column head. Care should be taken to see that the first column head is devoted to the
section or the individual wherefrom a transaction originates and the placements of other column
heads should be in the order of the actual flow of the transaction.
It has been started earlier that a flow chart is a symbolic representation the flow of activity and
related documents through the section from origin to conclusion. These can be sales, purchases,
wages, production, etc. Each one of the main functions is to be linked with related functions for
making a complete course. Purchase is to be linked with trade payables and payments; sales with
trade receivables and collections. By this process, a flow chart will become self contained,
complete and meaningful for evaluation of internal controls.

Generally, a questionnaire is also enclosed with a flow chart, incorporating questions, the answers
to which are to be looked into from the flow chart. This is an evaluation of the control system
through the process of flow charting. The internal control questionnaire contains questions;
answers are available in the flow chart and they will reveal weakness, if any, in the system. In
fact, the questionnaire is a guide for the study of a control system through flow charts.
We may examine the flow charting techniques for evaluation of internal controls on the sales and
trade receivables function. Let us assume that these are -
1. Order receiving function.
2. Dispatch function.
3. Billing function.
4. Accounting in the trade receivables’ ledger.
5. Main accounting functions.
6. Inventory recording function.
All these functions are carried out in distinct sections. As regards the Order Receiving Section, let
us further assume that the section receives orders:
(i) through mail;
(ii) by telephone; and
(iii) through the company’s salesmen.
Basing the receipts of orders of customers, the section raises internal “Sales advices”. These
sales advices are consecutively numbered (by reference to the last number on the order book) and
entered in the order book with the consecutive number, date, the party and other relevant details.
The orders received from customers are temporarily filed in the alphabetical order. The sales
advices are prepared in sets of four with a noting for the customer’s sales-tax status. All the four
copies are sent to the dispatch section. The dispatch section, after dispatch of the goods, sends
back to the Order receiving Section the last copy of the sales advice after entering thereon the
date of dispatch and the quantity despatched. Upon receipt of the last copy, the Order receiving
Section enters the date of dispatch and the quantity despatched in the order book. If the quantity
despatched is fulfillment of the quantity ordered, the last copy of the sales invoices is annexed to
customer’s order and filed in the customer’s file. If, however, the order is only partly executed, the
copy of the sales advice is kept in a temporary file in numerical order. Periodically this file is
checked to determine the unfulfilled orders and, if inventory is then available, the Section again
initiates fresh sales advices in respect of the unfulfilled part and all the processes, as in the case
of original, are repeated. The last copy of the original set is annexed to the customer’s order and
kept in the customer’s file.
The salesmen use the same advice form as is being used by the order receiving section.

For the purpose of drawing a flow chart to incorporate the above narration it is useful to know -
1. the point for originating the flow of transaction.
2. the documents, internal and external, and the flow of the transaction, number of copies,
distribution flow and the details.
3. the books, if any, maintained and the details recorded there in and the source or sources for
the details.
4. that there exists an alternative possibility.
The flow chart for the above may be as under -
CHART 1
We can extend the activity flow now to the dispatch section which is the logical second stage of
operation. The work and procedure content of the dispatch section is assumed to be as follows:
After the receipt of the sales advices in sets of four, the dispatch section arranges dispatch of
materials and put the date of dispatch and the quantities despatched; the head of the Section
initials the advices. The last copy of the advice is sent back to the Order Receiving Section. The
first copy is sent as a packing slip with the goods, the second copy goes to the Billing Department
and the third copy accompanies the goods when delivered to the buyer and, obtaining the buyer’s
acknowledgement of the receipt of the goods therein, is received back and filed date-wise. In case
of goods not directly delivered to the buyers, i.e., when the goods are sent either by rail, road or
water transport, the copy constitutes the basis for raising the relevant forwarding note on the basis
of which R.R. etc., can be prepared.

The flow chart for the dispatch section may be as follows -
CHART 2
This flow is taken to the Billing Section. The Section generally accumulates the second copy of the
Sales Advice for two or three days and prepares sales invoices in sets of four. The pricing of the
sales invoice is done by reference to the company’s current price list or the catalogue. The number
of the sales advice is entered on the corresponding invoice which is pre-numbered, also, the
number of the invoice is recorded on the copy of the sales advice which is then filed alphabetically.
The first copy of the invoice is sent to the customer while the second, third and fourth copies are
respectively sent to the trade receivables ledger clerk, the Inventory Section and the Accounts
Section. The Billing Section also is responsible for raising credit notes on the basis of documents
received. Credit notes are also prepared in sets of four and are distributed in exactly the same way
as invoices. The inventories of invoice and the credit note forms remain in the Billing Section.

The Flow Chart for this Section is given below -

CHART 3
Now, in the order of the flow of activities, more sectional flow charts can be prepared to cover the
activities in the Accounts Section and the Inventory Section and they together, when sequentially
assembled, will constitute the complete flow chart for the sales transactions and trade receivables
recordings.
(These flow charts have been prepared on the basis of the approach and the symbols used in the
book “Analytical Auditing” by Skinner and Anderson. Students who desire to study the subject of
preparation of flow charts further may refer to Chapter 4 of that book.)

It is now left for us to see how these flow charts reveal the state of internal control. A close look
into flow charts will show the following:
(i) The advices are sent by salesmen; though prepared on the same sales advice form as is
prepared in the section, there is no check that all the advices sent by salesmen have been
received. This may entail loss of business because of non-receipt of sales advice. (Refer to
the flow chart for the Order Receiving Section).
(ii) The raising of sales advises on the basis of telephonic orders, irrespective of the party’s
standing and record of performance is risky from the business point of view. (Refer to the
flow chart for the Order Receiving Section).
(iii) There is no system of prior credit sanction to the parties; in consequence, there may be
dispatch of goods to bad credit risks. (Refer to the flow chart for the Dispatch Section).
(iv) There is no check that all the second copies of the sales advices sent by the Dispatch
Section have been received by the Billing Section. The possibility of dispatch not being,
billed exists, (Refer to the flow chart for the Dispatch as well as the Billing Section.
(v) There is no check in respect of pricing, extension and addition on the invoice or the credit
notes. This may result in loss of revenue for wrong pricing or wrong calculation. (Refer to
the flow chart for Billing Section).
(vi) It is not clear whether the supporting documents are adequate for authorising the issue of
credit notes where there is a need for a greater caution. (Refer to the flow chart for Billing
Section).
So far we have seen the points of weaknesses that are evident from these flow charts. For a
clearer understanding of the flow chart as a medium for evaluating internal controls, the following
further points may be useful:
(a) There exists proper numerical control over orders booked (except the case for the
salesmen’s orders).
(b) There is a permanent and continuous record of the orders booked in the form of order book.
(c) There is a definite basis for raising sales advices.
(d) The order book record is always kept complete by entering the information about the
execution of the order and this keeps the information about the pending orders ready at any
moment.
(e) Partly executed orders are reviewed from time to time so that as soon as goods are
available, the same may be despatched to customers.
(f) The customer’s purchase order and the related sales advice are matched and kept together
in the customer’s file.

(g) The sales advices are initialed by the Dispatch Section head as token of his having satisfied
himself about the correctness of the entries as regards the quantity despatched and the
date of dispatch.
(h) Record of actual direct delivery is maintained through the copy of the sales advice bearing
the customer’s, acknowledgement of his having received the goods. Similarly, the record of
out station deliveries is kept in the copy of the forwarding note annexed to the sales advice
copy.
(i) Documents have as many copies as are necessary for ensuring proper flow and proper
control. There is neither wastage through unnecessary copies nor any hold up because of
inadequacy of copies.
(j) There are supporting documents for raising invoices and credit notes.
(k) The distribution of invoices and credit notes is such as would enable the recording of billing
at the relevant centres independent of each other.
(l) There is control over the number of invoices and credit notes by pre-numbering.
Thus, by flow charting, an auditor can very clearly see the inter-relationships of the activities and
flows and how they are integrated from stage to stage. However, the auditor has to be careful
about the readability and intelligibility of the chart. Identification of all individual functions in a
section is also highly relevant for preparation of the flow chart. The smaller the segment, the better
is the possibility of quick comprehension. Naturally, the auditor should try to see each section as
the natural assembly of distinct and identified components.
6. INTERNAL CONTROL AND RISK ASSESSMENT

The auditor should obtain an understanding of the control environment sufficient to assess
management's attitudes, awareness and actions regarding internal controls and their importance in
the entity. Such an understanding would also help the auditor to make a preliminary assessment of
the adequacy of the accounting and internal control systems as a basis for the preparation of the
financial statements, and of the likely nature, timing and extent of audit procedures.
The auditor should obtain an understanding of the control procedures sufficient to develop the
audit plan. In obtaining this understanding, the auditor would consider knowledge about the
presence or absence of control procedures obtained from the understanding of the control
environment and accounting system in determining whether any additional understanding of
control procedures is necessary. Because control procedures are integrated with the control
environment and the accounting system, as the auditor obtains an understanding of the control
environment and the accounting system, some knowledge about control procedures is also likely
to be obtained, for example, in obtaining an understanding of the accounting system pertaining to
cash, the auditor ordinarily becomes aware of whether bank accounts are reconciled regularly.

Ordinarily, development of the overall audit plan does not require an understanding of control
procedures for every financial statement assertion in each account balance and transaction class.
Fig.: Risks of Material Mis-statement ∗

An auditor’s judgement as to what is sufficient and appropriate audit evidence is affected by the
degree of risk of mis-statement. Audit risk is the risk that an auditor may give an inappropriate
opinion on financial information which is materially misstated.
As per SA 200 “Overall Objectives of the Independent Auditor and the Conduct of an Audit in
Accordance with Standards on Auditing”, the risks of material misstatement at the assertion level
consist of two components: inherent risk and control risk. Inherent risk and control risk are the
entity’s risks; they exist independently of the audit of the financial statements. The nature of each
of these types of risk and their interrelationship is discussed below:
(i) Inherent risk: It is the susceptibility of an account balance or class of transactions to
misstatement that could be material either individually or, when aggregated with
misstatements in other balances or classes, assuming that there were no related internal
controls. External circumstances giving rise to business risks may also influence inherent
risk. For example, technological developments might make a particular product obsolete,
thereby causing inventory to be more susceptible to overstatement.
(ii) Control Risk: It is the risk that a misstatement that could occur in an assertion about a
class of transaction, account balance or disclosure and that could be material, either
individually or when aggregated with other misstatements, will not be prevented, or
detected and corrected, on a timely basis by the entity’s internal control. It is a function of
the effectiveness of the design, implementation and maintenance of internal control by
management to address identified risks that threaten the achievement of the entity’s
objectives relevant to preparation of the entity’s financial statements.
∗
Source : Source : cjess1 audit class pln - WordPress.com

The SAs do not ordinarily refer to inherent risk and control risk separately, but rather to a
combined assessment of the “risks of material misstatement”. However, the auditor may
make separate or combined assessments of inherent and control risk depending on
preferred audit techniques or methodologies and practical considerations.
(iii) Detection Risk: It is the risk that the procedures performed by the auditor to reduce audit
risk to an acceptably low level will not detect a misstatement that exists and that could be
material, either individually or when aggregated with other misstatements. Detection risk
relates to the nature, timing, and extent of the auditor’s procedures that are determined by
the auditor to reduce audit risk to an acceptably low level. It is therefore a function of the
effectiveness of an audit procedure and of its application by the auditor.
Fig.: Audit Risk ∗

The inherent and control risks are functions of the entity’s business and its environment and the
nature of the account balances or classes of transactions, regardless of whether an audit is
conducted. Even though inherent and control risks cannot be controlled by the auditor, the auditor
can assess them and design his substantive procedures to produce on acceptable level of
detection risk, thereby reducing audit risk to an acceptably low level.
6.1 Preliminary Assessment of Control Risk
After obtaining an understanding of the accounting system and internal control system, the auditor
should make a preliminary assessment of control risk, at the assertion level, for each material
account balance or class of transactions.
∗ Source: cplusglobal - WordPress.com

The preliminary assessment of control risk is the process of evaluating the likely effectiveness of
an entity's accounting and internal control systems in preventing or detecting and correcting
material misstatements. The preliminary assessment of control risk is based on the assumption
that the controls operate generally as described and that they operate effectively throughout the
period of intended reliance. There will always be some control risk because of the inherent
limitations of any accounting and internal control system.
The auditor ordinarily assesses control risk at a high level for some or all assertions
when:
(a) the entity's accounting and internal control systems are not effective; or
(b) evaluating the effectiveness of the entity's accounting and internal control systems
would not be efficient.
In the above circumstances, the auditor would obtain sufficient appropriate audit evidence from
substantive procedures and from any audit work carried out in the preparation of financial
statements.
The preliminary assessment of control risk for a financial statement assertion should be
high unless the auditor:
(a) is able to identify internal controls relevant to the assertion which are likely to prevent
or detect and correct a material misstatement; and
(b) plans to perform tests of control to support the assessment.
Documentation of Understanding and Assessment of Control Risk - The auditor should
document in the audit working papers:
(a) the understanding obtained of the entity's accounting and internal control systems; and
(b) the assessment of control risk.
When control risk is assessed at less than high, the auditor would also document the basis for the
conclusions.
Different techniques may be used to document information relating to accounting and internal
control systems. Selection of a particular technique is a matter for the auditor's judgement.
Tests of Control - Tests of control are performed to obtain audit evidence about the
effectiveness of the:
(a) design of the accounting and internal control systems, that is, whether they are suitably
designed to prevent or detect and correct material misstatements; and
(b) operation of the internal controls throughout the period.

Tests of control include tests of elements of the control environment where strengths in the control
environment are used by auditors to reduce control risk.
Some of the procedures performed to obtain the understanding of the accounting and internal
control systems may not have been specifically planned as tests of control but may provide audit
evidence about the effectiveness of the design and operation of internal controls relevant to certain
assertions and, consequently, serve as tests of control. For example, in obtaining the
understanding of the accounting and internal control systems pertaining to cash, the auditor may
have obtained audit evidence about the effectiveness of the bank reconciliation process through
inquiry and observation.
When the auditor concludes that procedures performed to obtain the understanding of the
accounting and internal control systems also provide audit evidence about the suitability of design
and operating effectiveness of policies and procedures relevant to a particular financial statement
assertion, the auditor may use that audit evidence, provided it is sufficient to support a control risk
assessment at less than a high level.
Tests of control may include:

♦ Inspection of documents supporting transactions and other events to gain audit
evidence that internal controls have operated properly, for example, verifying that a
transaction has been authorised.
♦ Inquiries about, and observation of, internal controls which leave no audit trail, for
example, determining who actually performs each function and not merely who is
supposed to perform it.
♦ Re-performance of internal controls, for example, reconciliation of bank accounts, to
ensure they were correctly performed by the entity.
♦ Testing of internal control operating on specific computerised applications or over the
overall information technology function, for example, access or program change
controls.
The auditor should obtain audit evidence through tests of control to support any assessment of
control risk which is less than high. The lower the assessment of control risk, the more evidence
the auditor should obtain that accounting and internal control systems are suitably designed and
operating effectively.
When obtaining audit evidence about the effective operation of internal controls, the auditor
considers :
how they were the consistency with by whom they were

applied, which they were applied applied.
during the period and

The concept of effective operation recognises that some deviations may have occurred.
Deviations from prescribed controls may be caused by such factors as changes in key personnel,
significant seasonal fluctuations in volume of transactions and human error. When deviations are
detected the auditor makes specific inquiries regarding these matters, particularly, the timing of
staff changes in key internal control functions. The auditor then ensures that the tests of control
appropriately cover such a period of change or fluctuation.
Based on the results of the tests of control, the auditor should evaluate whether the internal
controls are designed and operating as contemplated in the preliminary assessment of control risk.
The evaluation of deviations may result in the auditor concluding that the assessed level of control
risk needs to be revised. In such cases, the auditor would modify the nature, timing and extent of
planned substantive procedures.
Quality and Timeliness of Audit Evidence
Certain types of audit evidence obtained by the auditor are more reliable than others. Ordinarily,
the auditor's observation provides more reliable audit evidence than merely making inquiries, for
example, the auditor might obtain audit evidence about the proper segregation of duties by
observing the individual who applies a control procedure or by making inquiries of appropriate
personnel. However, audit evidence obtained by some tests of control, such as observation,
pertains only to the point in time at which the procedure was applied. The auditor may decide,
therefore, to supplement these procedures with other tests of control capable of providing audit
evidence about other periods of time.
In determining the appropriate audit evidence to support a conclusion about control risk, the
auditor may consider the audit evidence obtained in prior audits. In a continuing engagement, the
auditor will be aware of the accounting and internal control systems through work carried out
previously but will need to update the knowledge gained and consider the need to obtain further
audit evidence of any changes in control. Before relying on procedures performed in prior audits,
the auditor should obtain audit evidence which supports this reliance. The auditor would obtain
audit evidence as to the nature, timing and extent of any changes in the entity's accounting and
internal control systems since such procedures were performed and assess their impact on the
auditor's intended reliance. The longer the time elapsed since the performance of such
procedures the less assurance that may result.
The auditor should consider whether the internal controls were in use throughout the period. If
substantially different controls were used at different times during the period, the auditor would
consider each separately. A breakdown in internal controls for a specific portion of the period
requires separate consideration of the nature, timing and extent of the audit procedures to be
applied to the transactions and other events of that period.
The auditor may decide to perform some tests of control during an interim visit in advance of the
period end. However, the auditor cannot rely on the results of such tests without considering the
need to obtain further audit evidence relating to the remainder of the period.

Factors to be considered include:

♦ The results of the interim tests.
♦ The length of the remaining period.
♦ Whether any changes have occurred in the accounting and internal control systems
during the remaining period.
♦ The nature and amount of the transactions and other events and the balances
involved.
♦ The control environment, especially supervisory controls.
♦ The nature, timing and extent of substantive procedures which the auditor plans to carry
out.
Final Assessment of Control Risk

Before the conclusion of the audit, based on the results of substantive procedures and other audit
evidence obtained by the auditor, the auditor should consider whether the assessment of control
risk is confirmed. In case of deviations from the prescribed accounting and internal control
systems, the auditor would make specific inquiries to consider their implications. Where, on the
basis of such inquiries, the auditor concludes that the deviations are such that the preliminary
assessment of control risk is not supported, he would amend the same unless the audit evidence
obtained from other tests of control supports that assessment. Where the auditor concludes that
the assessed level of control risk needs to be revised, he would modify the nature, timing and
extent of his planned substantive procedures.
6.2 Relationship between the Assessments of Inherent and Control
Risk
Management often reacts to inherent risk situations by designing accounting and internal control
systems to prevent or detect and correct misstatements and therefore, in many cases, inherent
risk and control risk are highly interrelated. In such situations, if the auditor attempts to assess
inherent and control risks separately, there is a possibility of inappropriate risk assessment. As a
result, audit risk may be more appropriately determined in such situations by making a combined
assessment.
6.3 Detection Risk
The level of detection risk relates directly to the auditor's substantive procedures. The auditor's
control risk assessment, together with the inherent risk assessment, influences the nature, timing
and extent of substantive procedures to be performed to reduce detection risk, and therefore audit
risk, to an acceptably low level.

Some detection risk would always be present even if an auditor was to examine 100 percent of the
account balances or class of transactions because, for example, most audit evidence is persuasive
rather than conclusive.
The auditor should consider the assessed levels of inherent and control risks in determining the
nature, timing and extent of substantive procedures required to reduce audit risk to an acceptably
low level. In this regard the auditor would consider:
(a) the nature of substantive procedures, for example, using tests directed toward
independent parties outside the entity rather than tests directed toward parties or
documentation within the entity, or using tests of details for a particular audit
objective in addition to analytical procedures;
(b) the timing of substantive procedures, for example, performing them at period end
rather than at an earlier date; and
(c) the extent of substantive procedures, for example, using a larger sample size.
There is an inverse relationship between detection risk and the combined level of inherent
and control risks. For example, when inherent and control risks are high, acceptable
detection risk needs to be low to reduce audit risk to an acceptably low level. On the other
hand, when inherent and control risks are low, an auditor can accept a higher detection risk
and still reduce audit risk to an acceptably low level.
While tests of control and substantive procedures are distinguishable as to their purpose, the
results of either type of procedure may contribute to the purpose of the other. Misstatements
discovered in conducting substantive procedures may cause the auditor to modify the previous
assessment of control risk.
The assessed levels of inherent and control risks cannot be sufficiently low to eliminate the need
for the auditor to perform any substantive procedures. Regardless of the assessed levels of
inherent and control risks, the auditor should perform some substantive procedures for material
account balances and classes of transactions.
The auditor's assessment of the components of audit risk may change during the course of an
audit, for example, information may come to the auditor's attention when performing substantive
procedures that differs significantly from the information on which the auditor originally assessed
inherent and control risks. In such cases, the auditor would modify the planned substantive
procedures based on a revision of the assessed levels of inherent and control risks.
The higher the assessment of inherent and control risks, the more audit evidence the auditor
should obtain from the performance of substantive procedures. When both inherent and control
risks are assessed as high, the auditor needs to consider whether substantive procedures can
provide sufficient appropriate audit evidence to reduce detection risk, and therefore audit risk, to
an acceptably low level. When the auditor determines that detection risk regarding a financial
statement assertion for a material account balance or class of transactions cannot be reduced to

an acceptable level, the auditor should express a qualified opinion or a disclaimer of opinion as
may be appropriate.
Mathematically Audit Risk (AR) can be expressed as a product of Inherent Risk (IR), Control Risk
(CR) and Detection Risk (DR), i.e. AR = IR x CR x DR
It should be noted that:
1. The combined level of Inherent Risk and Control Risk is inversely related with Detection
Risk, and
2. Audit Materiality is also inversely related with audit risk.
The relationship between different components of audit risks is given in the following table:
Auditors’ assessment of control risk
High Medium Low
Auditors’ assessment of High Lowest Lower Medium
inherent risk
Medium Lower Medium Higher
Low Medium Higher Highest
The shaded areas in this table relate to detection risk.

Y Co. Ltd. has five entertainment centers to provide recreational facilities for public
especially for children and youngsters at 5 different locations in the peripheral of 200
kilometers. Collections are made in cash. Specify the adequate system towards
collection of money.
Control System over Selling and Collection of Tickets: In order to achieve proper internal
control over the sale of tickets and its collection by the Y Co. Ltd., following system should be
adopted -
(i) Printing of tickets: Serially numbered pre-printed tickets should be used and designed in
such a way that any type of ticket used cannot be duplicated by others in order to avoid
forgery. Serial numbers should not be repeated during a reasonable period, say a month or
year depending on the turnover. The separate series of the serial should be used for such
denomination.
(ii) Ticket sales: The sale of tickets should take place from the Central ticket office at each of
the 5 centres, preferably through machines. There should be proper control over the keys of
the machines.
(iii) Daily cash reconciliation: Cash collection at each office and machine should be
reconciled with the number of tickets sold. Serial number of tickets for each entertainment
activity/denomination will facilitate the reconciliation.

(iv) Daily banking: Each day’s collection should be deposited in the bank on next working day
of the bank. Till that time, the cash should be in the custody of properly authorized person
preferably in joint custody for which the daily cash in hand report should be signed by the
authorized persons.
(v) Entrance ticket: Entrance tickets should be cancelled at the entrance gate when public
enters the centre.
(vi) Advance booking: If advance booking of facility is made available, the system should
ensure that all advance booked tickets are paid for.
(vii) Discounts and free pass: The discount policy of the Y Co. Ltd. should be such that the
concessional rates, say, for group booking should be properly authorized and signed forms
for such authorization should be preserved.
(viii) Surprise checks: Internal audit system should carry out periodic surprise checks for cash
counts, daily banking, reconciliation and stock of unsold tickets etc.
7. INTERNAL CONTROL ASSESSMENT & EVALUATION

The quality & effectiveness of internal controls is directly dependent on the Organisational
environment. The tone at the top (the Board & Executive Management) & the credibility of the
message on internal controls from top plays an
important role in establishing strong control
environment. Following are some of the key
components to assess & evaluate the controls
environment:
Standard Operating Procedures (SOPs): A well
defined set of SOPs helps define role,
responsibilities, process & controls & thus helps
clearly communicate the operating controls to all
touch points of a process. The controls are likely to be clearly understood & consistently applied
even during employee turnover
1. Enterprise Risk Management: An organization which has robust process to identify & mitigate
risks across the enterprise & its periodical review will assist in early identification of gaps &
taking effective control measures. In such organizations, surprises of failures in controls is likely
to be few.
2. Segregation of Job Responsibilities: A key element of control is that multiple activities in a
transaction/decision should not be concentrated with one individual. Segregation of duties is an
important element of control such that no two commercial activities should be conducted by the
same person.

a buyer should not be involved in receiving of materials or passing of bills. Similarly

bank reconciliation should be prepared by a person other than the one who maintains
bank book.
3. Job Rotation in Sensitive Areas: Any job carried out by the same person over a long
period of time is likely to lead to complacency & possible misuse in sensitive areas. It is
therefore important that in key commercial functions, the job rotation is regularly followed to
avoid degeneration of controls. For example if the same buyer continues to conduct
purchase function for long period, it is likely that he gets into comfort zone with existing
vendors & hence does not exercise adequate controls in terms of vendor development,
competitive quotes etc.
4. Delegation of Financial Powers Document: As the organization grows, it needs to
delegate the financial & other powers to their employees. A clearly defined document on
delegation of powers allows controls to be clearly operated without being dependent on
individuals.
5. Information Technology based Controls: With the advent of computers & enterprise
resource planning (ERP) systems, it is much easier to embed controls through the system
instead of being human dependent. The failure rate for IT embedded controls is likely to be
low, is likely to have better audit trail & is thus easier to monitor. For example at the stage
of customer invoicing, application of correct rates in invoices or credit control can all be
exercised directly through IT system improving control environment.
8. REPORTING TO CLIENTS ON INTERNAL CONTROL

WEAKNESSES
During the course of audit work, the audit may notice material weaknesses in the internal control
system. Material weaknesses are defined as absence of adequate controls on flow of transactions
that increases the possibility of errors and frauds in the financial statements of the entity.
In case, if monthly age-wise analysis of trade receivables is not performed then it may
result in inadequate provisioning of bad debts for the fiscal year under audit.
The auditor should communicate such material weaknesses to the management or the audit
committee, if any, on a timely basis. This communication should be, preferably, in writing through a
letter of weakness or management letter. Important points with regard to such a letter are as
follows:
(a) The letter lists down the area of weaknesses in the system and offers suggestions for
improvement.
(b) It should clearly indicate that it discusses only weaknesses which have come to the
attention of the auditor as a result of his audit and that his examination has not been
designed to determine the adequacy of internal control for management.

(c) This letter serves as a valuable reference document for management for the purpose of
revising the system and insisting on its strict implementation.
(d) The letter may also serve to minimize legal liability in the event of a major defalcation or
other loss resulting from a weakness in internal control.
It should be appreciated that by writing a letter to the management about the weaknesses in the
system, the auditor is not absolved from his duty to report the shortcomings in the accounts by way
of qualification where the defects have not been corrected to the auditor’s satisfaction weighing the
materiality of weaknesses and their impact, if considered necessary.
The practice of the issue of letter of weaknesses has a great merit in relieving the auditor from
liability in case serious frauds or losses have occurred, which probably would not have taken place
had the client taken due note of the auditor’s points in the letter of weakness. In the case Re S.P.
Catterson & Ltd. (1937, 81, Act L.R. 62), the auditor was acquitted of the charge of negligence for
employee’s fraud in view of the fact that he had already informed the client about the
unsatisfactory state in the specific areas of accounts and had suggested improvements which were
not acted upon by the management.
The Council of ICAI has issued SA 265 on “Communicating Deficiencies in Internal Control to
Those Charged with Governance and Management” in this regard. This Standard on Auditing (SA)
deals with the auditor’s responsibility to communicate appropriately to those charged with
governance and management deficiencies in internal control that the auditor has identified in an
audit of financial statements. This SA does not impose additional responsibilities on the auditor
regarding obtaining an understanding of internal control and designing and performing tests of
controls over and above the requirements of SA 315 and SA 330.
The objective of the auditor is to communicate appropriately to those charged with governance and
management deficiencies in internal control that the auditor has identified during the audit and
that, in the auditor’s professional judgment, are of sufficient importance to merit their respective
attentions.
The auditor shall determine whether, on the basis of the audit work performed, the auditor has
identified one or more deficiencies in internal control.
If the auditor has identified one or more deficiencies in internal control, the auditor shall determine,
on the basis of the audit work performed, whether, individually or in combination, they constitute
significant deficiencies.

The auditor shall communicate in writing significant deficiencies in internal control identified during
the audit to those charged with governance on a timely basis.
The auditor shall also communicate to management at an appropriate level of

responsibility on a timely basis:
(a) In writing, significant deficiencies in internal control that the auditor has
communicated or intends to communicate to those charged with governance,
unless it would be inappropriate to communicate directly to management in
the circumstances; and
(b) Other deficiencies in internal control identified during the audit that have
not been communicated to management by other parties and that, in the
auditor’s professional judgment, are of sufficient importance to merit
management’s attention.
The auditor shall include in the written communication of significant deficiencies in internal control:
(a) A description of the deficiencies and an explanation of their potential effects; and
(b) Sufficient information to enable those charged with governance and management to
understand the context of the communication. In particular, the auditor shall explain
that:
(i) The purpose of the audit was for the auditor to express an opinion on the
financial statements;
(ii) The audit included consideration of internal control relevant to the preparation
of the financial statements in order to design audit procedures that are
appropriate in the circumstances, but not for the purpose of expressing an
opinion on the effectiveness of internal control; and
(iii) The matters being reported are limited to those deficiencies that the auditor
has identified during the audit and that the auditor has concluded are of
sufficient importance to merit being reported to those charged with
governance.
9. RISK-BASED AUDIT
Audit should be risk-based or focused on areas of greatest risk to the achievement of the audited
entity’s objectives. Risk-based audit (RBA) is an approach to audit that analyzes audit risks, sets
materiality thresholds based on audit risk analysis and develops audit programmes that allocate a
larger portion of audit resources to high-risk areas.

The auditor does not normally need to perform specific audit procedures on all areas of audit. He
only needs to design audit programmes and procedures on areas earlier identified as major risks
that could result in the financial statements being materially misstated. RBA is an essential
element of financial audit- both in the attest audit of the financial statements and in the audit of
financial systems and transactions including evaluation of internal controls. It focuses primarily on
the identification and assessment of the financial statement misstatement risks and provides a
framework to reduce the impact to the financial statement of these identified risks to an acceptable
level before rendering an opinion on the financial statements. It also provides indicators of risks as
a basis of opportunity for improvement of auditee risk management and control processes. This
affords an opportunity to the auditee to improve its operations from recommendations on risks that
do not have a current impact on the financial statements but impact the audited entity’s operational
strategies and performance over the longer term.
In the context of performance audit, it is the risk to delivery of an activity or scheme or programme
of the entity with economy, efficiency and effectiveness. Awareness of areas that puts the
programme or resources at risk from the point of view of economy, efficiency and effectiveness
helps focus audit attention on them. The risk analysis provides a framework for assurance in
performance auditing.
9.1 Audit Risk Analysis
The auditor should perform an analysis of the audit risks that impact on the auditee before
undertaking specific audit procedures. Risk assessment is a subjective process. It is part of the
professional judgment of the auditor and of the particular circumstances. It is the risk that the
auditor may unknowingly fail to appropriately modify his opinion on financial statements that are
materially misstated.
Audit risks are brought about by error and fraud:

♦ Error is an unintentional mistake resulting from omission, as when legitimate
transactions and/or balances are excluded from the financial statements; or by
commission, as when erroneous transactions and/or balances are included in the
financial statements.
♦ Fraud is an intentional misstatement in the accounting records or supporting
documents from which the financial statements are prepared. It is intended to deceive
financial statement users or to conceal misappropriations.
The auditor has the responsibility to plan and perform the audit to obtain reasonable assurance
about whether the financial statements are free of material misstatements, whether caused by
error or fraud.
An error risk may arise from an error in principle, estimate, critical information processing, financial
reporting process or disclosure.

Fraud risk involves manipulation, falsification of accounting records, or misrepresentation in the

financial statements of events, transactions or other significant information, or misapplication of
accounting principles or misappropriation of funds.
9.2 General Steps in the Conduct of RBA
RBA consists of four main phases starting with the identification and prioritization of risks, to the
determination of residual risk, reduction of residual risk to acceptable level and the reporting to
auditee of audit results. These are achieved through the following:
Assess auditee
Understand management Manage Inform auditee
auditee strategies and residual risk to of audit results
operations to controls to reduce it to through
identify and determine acceptable appropriate
prioritize risks residual audit level report
risk
Step 1 Understand auditee operations to identify and prioritize risks: Understanding auditee
operations involves processes for reviewing and understanding the audited organization’s risk
management processes for its strategies, framework of operations, operational performance and
information process framework, in order to identify and prioritize the error and fraud risks that
impact the audit of financial statements. The environment in which the auditee operates, the
information required to monitor changes in the environment, and the process or activities integral
to the audited entity’s success in meeting its objectives are the key factors to an understanding of
agency risks. Likewise, a performance review of the audited entity’s delivery of service by
comparing expectations against actual results may also aid in understanding agency operations.
Step 2 Assess auditee management strategies and controls to determine residual audit risk:
Assessment of management risk strategies and controls is the determination as to how controls
within the auditee are designed. The role of internal audit in promoting a sound accounting system
and internal control is recognized, thus the SAI should evaluate the effectiveness of internal audit
to determine the extent to which reliance can be placed upon it in the conduct of substantive tests.
Step 3 Manage residual risk to reduce it to acceptable level: Management of residual risk
requires the design and execution of a risk reduction approach that is efficient and effective to
bring down residual audit risk to an acceptable level. This includes the design and execution of
necessary audit procedures and substantive testing to obtain evidence in support of transactions
and balances. More resources should be allocated to areas of high audit risks, which were earlier
known through the analytical procedures undertaken.
Step 4 Inform auditee of audit results through appropriate report: The results of audit shall be
communicated by the auditor to the audited entity. The auditor must immediately communicate to

the auditee reportable conditions that have been observed even before completion of the audit,
such as weaknesses in the internal control system, deficiencies in the design and operation of
internal controls that affect the organization’s ability to record, process, summarize and report
financial data.
10. FRAMEWORKS OF INTERNAL CONTROL

Corporate internal controls are part of governance mechanisms of every organisation and, whether
a company adopts a global internal control framework or develops its own, management should
always be guided by the need to safeguard business value. There are a number of global internal
control frameworks that provide guidance to entities for developing and establishing their internal
control systems.
Control should be built and established within the processes through which the company pursues
its objectives. It follows that, rather than developing separate risk reporting systems, it would be
more appropriate to build early warning mechanisms into existing management information
systems. The board of directors or those charged with governance need to consider whether they
have enough timely, relevant and reliable reports on progress against business objectives and
significant risks.
Objective: Internal control is fundamental to the successful operation and day-to-day running of a
business and it assists the company in achieving its business objectives. It is wider in scope and
encompasses all controls incorporated into the strategic, governance and management process,
covering the company’s entire range of activities and operations, and not limited to those directly
related to financial operations and reporting. There are many internal control frameworks. The
objective of this chapter is to give an overview of the common international frameworks.
Guidance Note on Audit of Internal Financial Controls Over Financial Reporting: ICAI has
issued a Guidance Note on Audit of Internal Financial Controls Over Financial Reporting which
covers aspects such as Scope of reporting on internal financial controls under Companies Act
2013, essential components of internal controls, Technical guidance on audit of Internal Financial
Controls, Implementation guidance on audit of Internal Financial Controls. The Guidance Note
states as below:
“To state whether a set of financial statements presents a true and fair view, it is essential to
benchmark and check the financial statements for compliance with the financial reporting framework.
The Accounting Standards specified under the Companies Act, 1956 (which are deemed to be
applicable as per Section 133 of the 2013 Act, read with Rule 7 of Companies (Accounts) Rules,
2014) is one of the criteria constituting the financial reporting framework based on which
companies prepare and present their financial statements and against which the auditors evaluate
if the financial statements present a true and fair view of the state of affairs and operations of the
company in an audit of the financial statements carried out under the Companies Act, 2013.

Similarly, a benchmark internal control system, based on suitable criteria, is essential to enable
the management and auditors to assess and state adequacy of and compliance with the system of
internal control. In the Indian context, students are advised to refer Appendix 1 “Internal Control
Components” of SA 315, “Identifying and Assessing the Risks of Material Misstatement Through
Understanding the Entity and its Environment” provides the necessary criteria for internal financial
controls over financial reporting for companies.
10.1 International Internal Control Frameworks
An overview of different internal control frameworks followed internationally are given below:
A. Internal Control - Integrated Framework issued by Committee of the Sponsoring
Organisations of the Treadway Commission (COSO Framework).
COSO’s Internal Control – Integrated Framework was introduced in 1992 as guidance on how to
establish better controls so companies can achieve their objectives. COSO categorizes entity-level
objectives into operations, financial reporting, and compliance. The framework includes more than
20 basic principles representing the fundamental concepts associated with its five components:
control environment, risk assessment, control activities, information and communication, and
monitoring. Some of the principles include key elements for compliance, such as integrity and
ethical values, authorities and responsibilities, policies and procedures, and reporting deficiencies.
However, the Framework clarifies the requirements for effective internal control. This was largely
done through the articulation of the 17 principles, which are relevant to every entity and must be
present and functioning in order to have an effective system of internal control. Here are the tiles
of the 17 internal control principles by internal control component as presented in COSO’s
framework:
Control Environment Risk Control Information and Monitoring

Assessment Activities Communication
Demonstrates Specifies Selects and Uses relevant Conducts

commitment to suitable develops information ongoing
integrity and ethical objectives control Communicates and/or
values Identifies activities internally separate
Exercises oversight and Selects and evaluations
Communicates
responsibility analyses develops externally Evaluates and
Establishes risk general communicate
structure, authority, Assesses controls deficiencies
and responsibility fraud risk over
technology
Demonstrates Identifies
commitment to and Deploys
competence analyses through
significant policies and
Enforces
change procedures
accountability

The COSO Framework is designed to be used by organizations to assess the effectiveness of the
system of internal control to achieve objectives as determined by management. The Framework
lists three categories of objectives as below:
• Operations Objectives – related to the effectiveness and efficiency of the entity’s operations,
including operational and financial performance goals, and safeguarding assets against loss.
• Reporting Objectives – related to internal and external financial and non-financial reporting to
stakeholders, which would encompass reliability, timeliness, transparency, or other terms as
established by regulators, standard setters, or the entity’s policies.
• Compliance objectives – In the Framework, the compliance objective was described as “relating
to the entity’s compliance with applicable laws and regulations.” The Framework considers the
increased demands and complexities in laws, regulations, and accounting standards.
Limitations of Internal Control: The Framework acknowledges that there are limitations related
to a system of internal control. For example, certain events or conditions are beyond an
organization’s control, and no system of internal control will always do what it was designed to do.
Controls are performed by people and are subject to human error, uncertainties inherent in
judgment, management override, and their circumvention due to collusion. An effective system of
internal control recognizes their inherent limitations and addresses ways to minimize these risks by
the design, implementation, and conduct of the system of internal control. However, an effective
system will not eliminate these risks. An effective system of internal control provides reasonable
assurance, not absolute assurance, that the entity will achieve its defined operating, reporting, and
compliance objectives.
B. Guidance on Assessing Control published by the Canadian Institute of Chartered
Accountants (CoCo)
CoCo was introduced in 1992 with the objective of improving organizational performance and
decision-making with better controls, risk management, and corporate governance.
The Criteria of Control (CoCo) framework was developed by the Canadian Institute of Chartered
Accountants with the objective of improving organisational performance and decision making with
better controls, risk management, and corporate goverance. In 1995, Guidance on Control was
produced and described the CoCo framework and defining controls. The framework includes 20
criteria for effective control in four areas of an organization: purpose (direction), commitment
(identity and values), capability (competence), and monitoring and learning (evolution).
The framework emphasizes that control involves the entire organization but begins on an individual
level, with the employee.
The CoCo framework outlines criteria for effective control in the following four areas:
• Purpose
• Commitment

• Capability
• Monitoring and Learning
In order to assess whether controls exist and are operating effectively, each criterion would be
examined to identify the controls that are in place to address them.
C. Control Objectives for Information and Related Technology (COBIT)
COBIT stands for Control Objectives for Information and Related Technology. It is a framework
created by the ISACA (Information Systems Audit and Control Association) for IT governance and
management. COBIT has 34 high-level processes that cover 210 control objectives categorized in
four domains: planning and organization, acquisition and implementation, delivery and support,
and monitoring and evaluation. It is designed as a supportive tool for managers and allows
bridging the crucial gap between technical issues, business risks and control requirements.
Business managers are equipped with a model to deliver value to the organization and practice better
risk management practices associated with the IT processes. It is a control model that guarantees the
integrity of the information system. Today, COBIT is used globally by all managers who are responsible
for the IT business processes. It is a thoroughly recognized guideline that can be applied to any
organization across industries. Overall, COBIT ensures quality, control and reliability of information
systems in organization, which is also the most important aspect of every modern business.
This framework guides an organization on how to use IT resources (i.e., applications, information,
infrastructure, and people) to manage IT domains, processes, and activities to respond to business
requirements, which include compliance, effectiveness, efficiency, confidentiality, integrity,
availability, and reliability. Well-governed IT practices can assist businesses in complying with
laws, regulations, and contractual arrangements.
D. Internal Control: Guidance for Directors on the Combined Code, published by the
Institute of Chartered Accountants in England & Wales (known as the Turnbull Report)
When the Combined Code of the Committee on Corporate Governance (the Code) was published,
the Institute of Chartered Accountants in England & Wales agreed with the London Stock
Exchange that it would provide guidance to assist listed companies to implement the requirements
in the Code relating to internal control. The key principles of the Code are enunciated as below:
• The board should maintain a sound system of internal control to safeguard shareholders’
investment and the company’s assets.
• The directors should, at least annually, conduct a review of the effectiveness of the group’s
system of internal control and should report to shareholders that they have done so. The review
should cover all controls, including financial, operational and compliance controls and risk
management.
• Companies which do not have an internal audit function should from time to time review the
need for one.

The guidance requires directors to exercise judgement in reviewing how the company has
implemented the requirements of the Code relating to internal control and reporting to
shareholders thereon. The guidance is based on the adoption by a company’s board of a risk-
based approach to establishing a sound system of internal control and reviewing its effectiveness.
This should be incorporated by the company within its normal management and governance
processes. It should not be treated as a separate exercise undertaken to meet regulatory
requirements
E. Sarbanes-Oxley Section 404
SOX Section 404 (Sarbanes-Oxley Act Section 404) mandates that all publicly-traded companies
must establish internal controls and procedures for financial reporting and must document, test
and maintain those controls and procedures to ensure their effectiveness. The purpose of SOX is
to reduce the possibilities of corporate fraud by increasing the stringency of procedures and
requirements for financial reporting. The Sarbanes Oxley Act, signed into law in 2002, has
revamped federal regulations pertaining to publicly traded companies’ corporate governance and
reporting obligations. The PCAOB followed with AS 2, which was approved by the SEC in June
2004. AS 2 was replaced in May 2007 by AS 5.
The SEC rules and PCAOB standard require that:
• Management perform a formal assessment of its controls over financial reporting including
tests that confirm the design and operating effectiveness of the controls.
• Management include in its annual report an assessment of ICFR.
• The external auditors provide two opinions as part of a single integrated audit of the
company:
- An independent opinion on the effectiveness of the system of ICFR.
- The traditional opinion on the financial statements.
There are a number of different definitions of the term internal control. For the purposes of Section
404, the great majority of companies and all the CPA firms use the definition in COSO’s Internal
Control — Integrated Framework. The COSO framework has made it easier for management to
see what’s covered and here gaps may exist in their SOX 404 compliance program.
Management needs to determine whether the system of internal control in effect as of the date of
the assessment provides reasonable assurance that material errors, in either interim or annual
financial statements, will be prevented or detected.
The rules issued by Securities and Exchange Commission require a company’s annual report to
include an internal control report of management that contains:
- A statement of management’s responsibility for establishing and maintaining adequate
internal control over financial reporting for the company.

- A statement identifying the framework used by management to conduct the required

evaluation of the effectiveness of the company’s internal control over financial reporting.
- Management’s assessment of the effectiveness of the company’s internal control over
financial reporting as of the end of the company’s most recent fiscal year, including a
statement as to whether or not the company’s internal control over financial reporting is
effective. The assessment must include disclosure of any “material weaknesses” in the
company’s internal control over financial reporting identified by management. Management
is not permitted to conclude that the company’s internal control over financial reporting is
effective if there are one or more material weaknesses in the company’s internal control
over financial reporting. A statement that the registered public accounting firm that audited
the financial statements included in the annual report has issued an attestation report on
management’s assessment of the registrant’s internal control over financial reporting.
The final rules also require a company to file, as part of the company’s annual report, the
attestation report of the registered public accounting firm that audited the company’s financial
statements.
TEST YOUR KNOWLEDGE

Theoretical Questions
1. Briefly describe the various stages of a Risk Assessment process.
2. What are the components of an internal control framework?
3. During the course of his audit, the auditor noticed material weaknesses in the internal
control system and he wishes to communicate the same to the management. You are
required to elucidate the important points the auditor should keep in the mind while drafting
the letter of weaknesses in internal control system.
4. Explain briefly the Flow Chart technique for evaluation of the Internal Control system.
5. What are the General Steps in the conduct of Risk based audit?
Multiple Choice Questions:
1. Raj Private Limited is engaged in the business of retail and has its retail outlets
concentrated towards Northern India. Currently, the company has 59 outlets and the plan of
the management is to take this to at least 100 over the next 2 years.
The company is audited by Raj & Associates, a firm of Chartered Accountants, who have
been operating for over 20 years, however, they don’t have much experience in the retail
sector. Because of this fact the audit team decided to plan efficiently for the audit of the
financial statements of the company for the year ended 31 March 2019, being their first year
of audit.

During the course of risk assessment by the auditors, it was discussed that the company is
operating in an industry where the operations are not very complicated and mostly the
processes are known to all. Considering the same they decided that assessment of inherent
risk should not be done for this company as that would be inefficient. However, the auditors
will take due care of the control risks. The same assessment was deliberated upon and
after lot of discussions it was finalized like this.
In the given situation, please advise which one of the following would be correct.
(a) The assessment of audit team is correct.
(b) The assessment of audit team is wrong considering the fact that this is a private
company wherein such assessment is not possible.
(c) The assessment of audit team is wrong for this company.
(d) The assessment of audit team is correct considering the fact that this has been
thoroughly discussed.
2. Kshitij Private Ltd is a company based out of Noida having operations in India and Dubai.
The company’s operations in Dubai have increase over the last 2 years and the
management is earning very good profits.
Because of the profits, the management also planned that they should now focus on
strengthening of internal controls of the company and for that purpose they have discussed
with the statutory auditors to carry out the audit for the financial year ended 31 March 2019
very rigorously.
The report on internal financial controls is also applicable to the company and hence the
auditors during the course of their work asked for Risk-control matrices from the company.
During the year ended 31 March 2018, Risk-control matrix was not available with the
company and was prepared in a draft manner and the same was shared with the audit team
during that year and the auditors completed their work on the basis of that.
However, for the year ended 31 March 2019, the auditors would like to have robust
documentation and are not ready to accept the same Risk-control matrices.
In the given situation, please suggest what should be the course of action.
(a) The request of audit team is correct and the management should provide that.
(b) The requirement of audit team is not justified considering the fact that last year same
documentation was used by them.
(c) The requirement of audit team is not justified considering the fact that it’s a private
company and auditor anyways is required to perform rigorous audit procedures.

(d) In case of a private company on which internal financial controls report is required,
the auditor is not allowed to take any Risk-control matrix from the management.
Seems to be an ethical issue.
3. SK Private Limited is a medium-sized company having operations in Jharkhand. The
company manufactures some parts and sells that to various dealers on ex-works basis. The
financial statements of the company are prepared as per Ind AS and internal financial
controls report is also applicable on the same.
During the course of audit of the financial statements for the year ended 31 March 2019, the
management of the company had a detailed discussion with the auditors for audit planning.
Further it was also decided that any observations of the auditors should also be discussed
with the management before conclusion by the audit team which was not done in the past
years.
Considering this, the auditors started the risk assessment and requested the management
to share their documentation for the same on which the management said that they don’t
have any risks and if the auditors come across any such thing they can discuss that with the
management.
But the auditors were not convinced with the view of the management and the same thing
has happened in the past years as well.
You are required to provide your inputs to resolve this matter.
(a) The requirement of the audit team is not correct.
(b) The view of the management is correct because of the applicability of Ind AS.
(c) The view of the management is correct because of the applicability of internal
financial controls reporting.
(d) The view of the management is not correct.
4. AJ Private Ltd is in the business of telecom and have significant operations across India
predominantly in Northern India.
The statutory auditors of the company have been continuing for the last 3 years and have
been issuing clean report.
For the financial year ended 31 March 2019, the statutory auditors commenced their work in
March 2019 as per discussions with the management and with a plan to complete the audit
by first week of May 2019.
The audit team concluded the work as per the agreed timelines and the financial statements
and audit report were signed on 5 May 2019 along with the engagement letter for the
financial year ended 31 March 2019.

In the given situation, please advise which of the following would be correct.
(a) The engagement letter should have been signed before commencing the audit work.
(b) The engagement letter should have been signed at least a day before signing the
audit report.
(c) The engagement letter should have been signed at least a day before signing the
financial statements.
(d) The engagement letter is optional in case of a private company and hence can be
signed anytime.
5. RIM Private Ltd is engaged in the business of manufacturing of water bottles and is
experiencing significant increase in turnover year on year. It is a subsidiary of RIM Gmbh,
based out of Germany.
During the financial year ended 31 March 2019, the company carried out a detailed physical
verification of its inventory and property, plant and equipment.
During the year, various other activities were carried out to increase efficiency in operations
and reductions of costs.
The statutory auditors of the company started their audit work from April 2019 and
requested for a documentation on changes in processes and activities during the year as
well as any resultant impact of the same on management controls.
The management of the company told the auditors that all such documentation is
maintained by the parent company as this is a closely held private company and even
though internal financial controls reporting is applicable on this company, the parent
company is taking due care of each and every process.
The auditors did not agree with the views of the management. Please advise both the
management and the auditors.
(a) The auditors should look for documentation as per Sarbanes Oxley in this case.
(b) The auditors are correct in this case and the management should provide the
required documentation.
(c) The auditors are correct in this case and the management should provide the
required documentation. However, in case the parent company is covered by
Sarbanes Oxley then it can be ignored by the auditors.
(d) The management is correct.

Answers to Theoretical Questions

1. Risk Assessment is one of the most critical components of Enterprise Risk Management.
The risk assessment process involves considerations for qualitative and quantitative
factors, definition of key performance and risk indicators, risk appetite, risk scores, scales
and maps, use of data & metrics and benchmarking. The various stages in a Risk
Assessment process are as follows:
• Define Business Objectives and Goals;
• Identify events that affect achievement of business objectives;
• Assess likelihood and impact;
• Respond and mitigate risks;
• Assess residual risk.
2. There are five components of an internal control framework. They are as follows:
• Control Environment;
• Risk Assessment;
• Information & Communication;
• Monitoring;
• Control Activities.
3. Important Points to be kept in Mind While Drafting Letter of Weakness: As per SA 265,
“Communicating Deficiencies in Internal Control to Those who Charged with Governance
and Management”, the auditor shall include in the written communication of significant
deficiencies in internal control -
(i) A description of the deficiencies and an explanation of their potential effects; and
(ii) Sufficient information to enable those charged with governance and management to
understand the context of the communication.
In other words, the auditor should communicate material weaknesses to the management or
the audit committee, if any, on a timely basis. This communication should be, preferably, in
writing through a letter of weakness or management letter. Important points with regard to
such a letter are as follows-
(1) The letter lists down the area of weaknesses in the system and offers suggestions
for improvement.

(2) It should clearly indicate that it discusses only weaknesses which have come to the
attention of the auditor as a result of his audit and that his examination has not been
designed to determine the adequacy of internal control for management.
(3) This letter serves as a valuable reference document for management for the purpose
of revising the system and insisting on its strict implementation.
(4) The letter may also serve to minimize legal liability in the event of a major defalcation
or other loss resulting from a weakness in internal control.
4. Refer Para 5.3
5. Refer Para 9.2.
Answers to Multiple Choice Questions
1. (c) 2. (a) 3. (d) 4. (a) 5. (b)

Chapter 3 Risk Assement & Internal Control

Uploaded by

Copyright:

Available Formats

Chapter 3 Risk Assement & Internal Control

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Chapter 3 Risk Assement & Internal Control

Uploaded by

Copyright:

Available Formats

3

RISK ASSESSMENT AND

After studying this chapter, you will be able to:

© The Institute of Chartered Accountants of India

© The Institute of Chartered Accountants of India

© The Institute of Chartered Accountants of India

© The Institute of Chartered Accountants of India

2. INTERNAL CONTROL SYSTEM - NATURE, SCOPE,

© The Institute of Chartered Accountants of India

2.2 Scope of Internal Controls

Facilitates the effectiveness and

Helps ensure the reliability of internal

Assists compliance with laws and

Helps safeguarding the assets of the

2.3 Objectives of Internal Control System

© The Institute of Chartered Accountants of India

The objectives of internal controls relating to the accounting system are:

Ensure all transactions are

© The Institute of Chartered Accountants of India

2.4 Structure of Internal Control

© The Institute of Chartered Accountants of India

© The Institute of Chartered Accountants of India

3. COMPONENTS OF INTERNAL CONTROLS

Entity’s risk Information

3.1 Control Environment

© The Institute of Chartered Accountants of India

(c) Participation by those charged with governance: An entity’s control consciousness is

© The Institute of Chartered Accountants of India

Risks can arise or change due to circumstances such as the following:

(e) New technology. Incorporating new technologies into production processes or

(g) Corporate restructurings. Restructurings may be accompanied by staff reductions and

(h) Expanded foreign operations. The expansion or acquisition of foreign operations

(i) New accounting pronouncements. Adoption of new accounting principles or changing

© The Institute of Chartered Accountants of India

3.3 Control Activities

© The Institute of Chartered Accountants of India

The quality of system-generated information affects management’s ability to make appropriate

© The Institute of Chartered Accountants of India

The following are the objectives of the internal check system:

© The Institute of Chartered Accountants of India

The effectiveness of an efficient system of internal check depends on the following

© The Institute of Chartered Accountants of India

4. REVIEW OF THE SYSTEM OF INTERNAL CONTROLS

© The Institute of Chartered Accountants of India

In monitoring the effectiveness of automated controls.

© The Institute of Chartered Accountants of India

© The Institute of Chartered Accountants of India

In the use of standardized internal control questionnaire, certain basic assumptions

© The Institute of Chartered Accountants of India

For the first year of engagements issue of questionnaire is necessary.

© The Institute of Chartered Accountants of India

(ix) holds no other funds or investment;

5.3 Flow chart

© The Institute of Chartered Accountants of India

(iv) distribution of the documents to various sections, department or operations;

© The Institute of Chartered Accountants of India

© The Institute of Chartered Accountants of India

© The Institute of Chartered Accountants of India

The flow chart for the dispatch section may be as follows -