Chapter 3 Risk Assessment & Internal Control
CHAPTER OVERVIEW
RISK ASSESSMENT AND INTERNAL CONTROL
Internal Control System - Nature, Scope, Objective and Structure
Components of Internal Control
Review of the System of Internal Controls
Methods of Recording
Internal Control and Risk Assessment
Framework on Reporting of Internal Controls
Reporting to clients on Internal Control Weaknesses
1. INTRODUCTION
Audit risk is the risk that the auditor may fail to express an appropriate
opinion in an audit assignment. An auditor may consider audit
risk both at overall level as well as at the level of individual
account balances or classes of transactions. This means that at
overall level the auditor applies his professional judgement to
determine the extent of risk which he considers to be an
acceptable level. At account balance level, audit risk refers to
the risk that error in monetary terms exists beyond a tolerable
error limit in the account balances or class of transactions which
the auditor fails to detect.
Fig.: Internal Control and Risk Assessment (Source: SlideShare)
AUDIT RISK means the risk that the auditor gives an inappropriate
audit opinion when the financial statements are materially misstated.
SA 315 establishes requirements and provides guidance on
identifying and assessing the risks of material misstatement at the
financial statement and assertion levels.
Audit risk is a function of the risks of material misstatement
and detection risk.
Audit Risk = Risk of Material Misstatement x Detection Risk ------(1)
Risk of Material Misstatement = Inherent Risk x Control Risk ------(2)
From (1) and (2), we arrive at-
Audit Risk = Inherent Risk x Control Risk x Detection Risk
Risk of material misstatement may be defined as the risk that the financial statements are
materially misstated prior to audit. This consists of two components, described as follows at
the assertion level:
(A) Inherent risk—The susceptibility of an assertion about a class of transaction, account
balance or disclosure to a misstatement that could be material, either individually or when
aggregated with other misstatements, before consideration of any related controls.
(B) Control risk—The risk that a misstatement that could occur in an assertion about a class
of transaction, account balance or disclosure and that could be material, either individually or
when aggregated with other misstatements, will not be prevented, or detected and corrected,
on a timely basis by the entity’s internal control.
(C) Detection Risk: The risk that the procedures performed by the auditor to reduce audit risk
to an acceptably low level will not detect a misstatement that exists and that could be
material, either individually or when aggregated with other misstatements.
Assessment of Risks - Matter of Professional Judgement
The Internal Control structure in an organization is referred to as the policies and procedures
established by the entity to provide reasonable
assurance that the objectives are achieved. The control
structure in an organization basically has the following
components:
1. Control Environment - Control environment covers the effect of various factors like
management attitude, awareness and actions for establishing, enhancing or mitigating the
effectiveness of specific policies and procedures.
2. Accounting System - Accounting system means the series of tasks and records of an entity
by which transactions are processed for maintaining financial records. Such a system identifies,
assembles, analyzes, calculates, classifies, records, summarizes and reports transactions and
other events.
3. Control Procedure - Control procedures are those policies and procedures, in
addition to the control environment and accounting system, which the management has
established to achieve the entity’s specific objectives.
In this regard, the management is responsible for maintaining an adequate accounting
system incorporating various internal controls to the extent that they are appropriate to the
size and nature of the business. There should be reasonable assurance for the auditor that
the accounting system is adequate and that all the accounting information required to be
recorded has in fact been recorded.
Internal controls normally contribute to such assurance. The auditor should gain an
understanding of the accounting system and related internal controls and should study and
evaluate the operation of those internal controls upon which he wishes to rely in
determining the nature, timing and extent of other audit procedures. Where the auditor
concludes that he can rely on certain internal controls, he could reduce his substantive
procedures which otherwise may be required and may also differ as to the nature and
timing.
Specific Requirement under SA 315 - “Identifying and Assessing the Risks of Material
Misstatement through Understanding the Entity and its Environment” deals with the
auditor’s responsibility to identify and assess the risks of material misstatement in the
financial statements, through understanding the entity and its environment, including the
entity’s internal control.
SA 315 defines the system of internal control as the process designed, implemented
and maintained by those charged with governance, management and other personnel
to provide reasonable assurance about the achievement of an entity’s objectives with
regard to reliability of financial reporting, effectiveness and efficiency of operations,
safeguarding of assets, and compliance with applicable laws and regulations.
SA 315 further states that the auditor should identify and assess the risks of material
misstatement, whether due to fraud or error, at the financial statement and assertion levels,
through understanding the entity and its environment, including the entity’s internal control,
thereby providing a basis for designing and implementing responses to the assessed risks
of material misstatement. This will help the auditor to reduce the risk of material
misstatement to an acceptably low level.
(ii) All transactions are promptly recorded in an appropriate manner to permit the
preparation of financial information and to maintain accountability of assets.
(iii) Assets and records are safeguarded from unauthorized access, use or
disposition.
(iv) Assets are verified at reasonable intervals and appropriate action is taken with
regard to the discrepancies.
Precisely, the control objectives ensure that the transactions processed are complete, valid and
accurate. The basic accounting control objectives which are sought to be achieved by any
accounting control system are:
[Figure: basic accounting control objectives. Transactions should be properly recorded, real,
properly valued, timely, properly posted, properly classified, disclosed and summarized.]
If the answer to all of the above is positive, the auditor would be justified in limiting his
account balance tests considerably.
In case of excellent companies it may also be possible to rely on account balance with minimum
of external tests, such as direct confirmation, management representation etc. Where in a
system a particular control is found to be deficient, audit attention can be focused on the areas
where basic accounting control objectives are not being adhered to.
If it is found that sales transactions are not being properly valued in
accordance with the price list determined by the management, the auditor would have
to perform extensive searching tests on sales invoices to assure himself that the
recoverable amounts are correctly posted. He may also want to expand his
confirmation requests at the year end to cover a large majority of trade receivables.
2.3.1 Limitations of Internal Control - Internal control, no matter how effective, can provide an
entity with only reasonable assurance and not absolute assurance about achieving the entity’s
operational, financial reporting and compliance objectives.
Internal control systems are subject to certain inherent limitations, such as:
Management's consideration that the cost of an internal control does not exceed the expected benefits to be derived.
The fact that most internal controls do not tend to be directed at transactions of unusual nature.
The potential for human error, such as, due to carelessness, distraction, mistakes of judgement and misunderstanding of instructions.
The possibility of circumvention of internal controls through collusion with employees or with parties outside the entity.
The possibility that a person responsible for exercising an internal control could abuse that responsibility, for example, a member of management overriding an internal control.
Manipulations by management with respect to transactions or estimates and judgements required in the preparation of financial statements.
in accordance with prescribed conditions. Authorization may be general or it may be specific with
reference to a single transaction. It is necessary to establish procedures which provide assurance
that authorizations are issued by persons acting within the scope of their authority, and that the
transactions conform to the terms of the authorizations. This objective can be achieved by making
independent comparison of transaction document with general or specific authorizations, as the
case may be.
2.4.3 Adequacy of Records and Documents - Accounting controls should ensure that -
(i) Transactions are executed in accordance with management’s general or specific
authorization.
(ii) Transactions and other events are promptly recorded at correct amounts.
(iii) Transactions should be classified in appropriate accounts and in the appropriate period
to which it relates.
(iv) Transaction should be recorded in a manner so as to facilitate preparation of financial
statements in accordance with applicable accounting standards, other accounting
policies and practices and relevant statutory requirements.
(v) Recording of transaction should facilitate maintaining accountability for assets.
(vi) Assets and records are required to be protected from unauthorized access, use or
disposition.
(vii) Records of assets, such as a sufficient description of the assets (to facilitate identification)
and their location, should also be maintained so that the assets could be physically verified
periodically.
For prompt, accurate, complete and appropriate recording of accounting transaction, several
procedures are often established by the management. The assurance that transactions have been
properly recorded can also be obtained through a comparison of records with an independent
source of information which provides an indication of the execution of the relevant transactions.
2.4.4 Accountability and Safeguarding of Assets - The process of accountability of assets
commences from the acquisition of assets and continues through their use and final disposal.
Safeguarding of assets requires appropriate maintenance of records and their periodic
reconciliation with the related assets. Assets like cash, inventories and investment scrips
require frequent physical verification with book records.
The frequency of reconciliation would differ for different assets depending upon their nature and
amount. Assets which are considered sensitive or susceptible to error need to be reconciled more
frequently than others. For proper safeguarding of assets, only authorized personnel should be
given access to such assets. This not only means physical access but also exercising control
over processing of documents relating to authorization for use and disposal of assets. It is
essential to have effective controls over physical custody of cash, inventories, investments and
other fixed assets. In some cases, as per requirement, special procedures regarding physical
custody of assets may have to be designed by the management.
2.4.5 Independent Checks - Independent verification of the control systems, designed and
implemented by the management, involves periodic or regular review by independent persons to
ascertain whether the control procedures are operating effectively or not. Such process may be
carried out by specially assigned staff under the banner of external audit.
Components of
Internal Control
results thereof. For example, the entity’s risk assessment process may address how the entity
considers the possibility of unrecorded transactions or identifies and analyses significant estimates
recorded in the financial statements.
Risks relevant to reliable financial reporting include external and internal events, transactions or
circumstances that may occur and adversely affect an entity’s ability to initiate, record, process,
and report financial data consistent with the assertions of management in the financial statements.
Management may initiate plans, programs, or actions to address specific risks or it may decide to
accept a risk because of cost or other considerations.
(b) New personnel. New personnel may have a different focus on or understanding of
internal control.
(c) New or revamped information systems. Significant and rapid changes in information
systems can change the risk relating to internal control.
(d) Rapid growth. Significant and rapid expansion of operations can strain controls and
increase the risk of a breakdown in controls.
(f) New business models, products, or activities. Entering into business areas or
transactions with which an entity has little experience may introduce new risks
associated with internal control.
those charged with governance; alternatively, non-routine transactions such as, major
acquisitions or divestments may require specific high level approval, including in some
cases that of shareholders.
3.4 Information System, Including the Related Business Processes,
Relevant to Financial Reporting, and Communication
An information system consists of infrastructure (physical and hardware components), software,
people, procedures, and data. Many information systems make extensive use of information
technology (IT).
The information system relevant to financial reporting objectives, which includes the
financial reporting system, encompasses methods and records that:
(a) Identify and record all valid transactions.
(b) Describe on a timely basis the transactions in sufficient detail to permit proper
classification of transactions for financial reporting.
(c) Measure the value of transactions in a manner that permits recording their proper
monetary value in the financial statements.
(d) Determine the time period in which transactions occurred to permit recording of
transactions in the proper accounting period.
(e) Present properly the transactions and related disclosures in the financial statements.
that controls continue to operate effectively over time. For example, if the timeliness and accuracy
of bank reconciliations are not monitored, personnel are likely to stop preparing them.
Internal auditors or personnel performing similar functions may contribute to the monitoring of an
entity’s controls through separate evaluations. Ordinarily, they regularly provide information about
the functioning of internal control, focusing considerable attention on evaluating the effectiveness
of internal control, and communicate information about strengths and deficiencies in internal
control and recommendations for improving internal control.
Monitoring activities may include using information from communications from external parties that
may indicate problems or highlight areas in need of improvement. Customers implicitly corroborate
billing data by paying their invoices or complaining about their charges. In addition, regulators may
communicate with the entity concerning matters that affect the functioning of internal control, for
example, communications concerning examinations by bank regulatory agencies. Also,
management may consider communications relating to internal control from external auditors in
performing monitoring activities.
The overall system of internal control comprises Administrative Controls and
Accounting Controls. Internal Checks and Internal Audit are important constituents of
Accounting Controls.
1. Internal Check System - Internal check system implies organization of the overall system
of book-keeping and arrangement of Staff duties in such a way that no one person can carry
through a transaction and record every aspect thereof. It is a part of overall control system and
operates basically as a built-in-device as far as organization and job-allocation aspects of the
controls are concerned.
The system provides for the existence of checks on the day to day transactions which operate
continuously as part of the routine system whereby the work of each person is either proved
independently or is made complementary to the work of another.
The scope of statutory audit is limited by both time and cost. Therefore, it is increasingly being
recognized that for an audit to be effective, especially in the case of a large organization, the
existence of a system of internal check is essential.
2. Internal Audit - Internal audit may be defined as, an independent appraisal function
established within an organization to examine and evaluate its activities as a service to the
organization. The scope of the internal audit is determined by the management. Internal auditing
includes a series of processes and techniques through which an organization's own employees
ascertain for the management, by means of on-the-job observation, whether established
management controls are adequate, and are effectively maintained; records and reports financial,
accounting and otherwise reflect actual operation and results accurately and properly; each
division, department or other units are carrying out the plans, policies and procedures for which
they are responsible.
Note: For a detailed discussion on internal audit refer to Chapter 15.
(a) Any change in the system of internal control from that recorded in the appropriate section of
the internal control questionnaire.
(b) Any further weakness noted in the internal control.
(c) Any instance where the prescribed system or procedure has not been followed.
These should be considered in deciding whether any further modification in the audit programme is
called for. Also, these should be communicated to the client and confirmation should be sought as
regards changes in the system.
The review of internal control consists mainly of enquiries of personnel at various organisational
levels within the enterprise together with reference to documentation such as procedures,
manuals, job description and flow-charts, to gain knowledge about the controls which the auditor
has identified as significant to his audit. The auditor may trace a few transactions through the
accounting system to assist in understanding that system and its related internal controls. The
auditor’s preliminary evaluation of internal controls should be made on the assumption that the
controls operate generally as described and that they function effectively throughout the period of
intended reliance. The purpose of the preliminary evaluation is to identify the particular controls
on which the auditor still intends to rely and to test through compliance procedures. Different
techniques are used to record information relating to an internal control system. Selection of a
particular technique is a matter for the auditor’s judgement.
5. METHODS OF RECORDING
The following are the methods of recording:
5.1 Questionnaire
Because of the widespread experience that auditors possess about the business operations in
general and the knowledge about the appropriate control, most of the auditing firms have
developed their own standardised internal control questionnaire on a generally applicable basis. In
developing the standard questionnaire, endeavour is made to make it as wide as possible so that
all situations, generally found, are included therein but all of these may not be applicable in a
particular case. A questionnaire is a set of questions framed in an organised manner, about each
functional area, which has as purpose the evaluation of the effectiveness of control and detection
of its weakness if any. A questionnaire usually consists of several separate sections devoted to
areas such as purchases, sales, trade receivables, trade payables, wages, etc. The questionnaire
is intended to be filled by the company executives who are in charge of the various areas.
However, this poses some practical difficulties. The questionnaire is to travel from executives and,
therefore, it may take a pretty long time to be filled; also the questions may not be readily
intelligible to busy executives and there is a possibility of the questionnaire being misplaced while
travelling from one table to another. Having regard to these difficulties, it is now almost an
accepted practice that the auditor (or his representative) arranges meetings with the executives
concerned and gets the answers filled by each executive. Sometimes, the auditor himself may be
required to fill the answers. In such a case, he should ensure that the concerned executive has
initialled the answers as a token of his agreement therewith.
Questions are so framed as generally to dispense with the requirement of a detailed answer to
each question. For this purpose, often one general question is broken down into a number of
questions and sub-questions to enable the executive to provide a just ‘Yes’, ‘No’ or ‘Not applicable’
form of reply. Questions are also framed in such a manner that generally a “No” answer will reflect
weakness in the control system. This requires giving a positive power to the question, keeping in
view what the proper control should be. Consider the question ‘Are all receipts recorded promptly
and deposited in bank daily?’ If the answer to this is ‘Yes’, it fits with the plan of good internal
control. But if it is ‘No’ it indicates weakness in the system in as much as the moneys received may
not be recorded and may be defalcated because the cashier has continued control over the
amount for an uncertain period. However, this should not be taken as an unbreakable rule.
Questions may be framed also when a ‘Yes’ answer would indicate weakness. The only thing that
should be borne in mind is that the scheme of questions should be consistent, sequential, logical,
and if possible corroborative. Wherever it is necessary, slightly detailed answers also may be
asked for to bring clarity to the matter.
The basic distinctions between the internal control questionnaire (ICQ) and the check list are as under:
1. The ICQ incorporates a large number of detailed questions but the check list generally
contains questions relating to the main control objective with the area under review.
2. In the ICQ, the weaknesses are highlighted by the ‘Yes’ while in the check list, it is indicated by
‘No’.
3. The significance of ‘No’ in an ICQ does indicate a weakness but the significance of that
weakness is not revealed automatically. However, in the check list, a specific statement
is required where an apparent weakness may prove to be material in relation to the
accounts as a whole.
Generally, a questionnaire is also enclosed with a flow chart, incorporating questions, the answers
to which are to be looked into from the flow chart. This is an evaluation of the control system
through the process of flow charting. The internal control questionnaire contains questions;
answers are available in the flow chart and they will reveal weakness, if any, in the system. In
fact, the questionnaire is a guide for the study of a control system through flow charts.
We may examine the flow charting techniques for evaluation of internal controls on the sales and
trade receivables function. Let us assume that these are -
1. Order receiving function.
2. Dispatch function.
3. Billing function.
4. Accounting in the trade receivables’ ledger.
5. Main accounting functions.
6. Inventory recording function.
All these functions are carried out in distinct sections. As regards the Order Receiving Section, let
us further assume that the section receives orders:
(i) through mail;
(ii) by telephone; and
(iii) through the company’s salesmen.
On the basis of the orders received from customers, the section raises internal “Sales advices”. These
sales advices are consecutively numbered (by reference to the last number on the order book) and
entered in the order book with the consecutive number, date, the party and other relevant details.
The orders received from customers are temporarily filed in the alphabetical order. The sales
advices are prepared in sets of four with a noting for the customer’s sales-tax status. All the four
copies are sent to the dispatch section. The dispatch section, after dispatch of the goods, sends
back to the Order receiving Section the last copy of the sales advice after entering thereon the
date of dispatch and the quantity despatched. Upon receipt of the last copy, the Order receiving
Section enters the date of dispatch and the quantity despatched in the order book. If the quantity
despatched is fulfillment of the quantity ordered, the last copy of the sales invoices is annexed to
customer’s order and filed in the customer’s file. If, however, the order is only partly executed, the
copy of the sales advice is kept in a temporary file in numerical order. Periodically this file is
checked to determine the unfulfilled orders and, if inventory is then available, the Section again
initiates fresh sales advices in respect of the unfulfilled part and all the processes, as in the case
of original, are repeated. The last copy of the original set is annexed to the customer’s order and
kept in the customer’s file.
The salesmen use the same advice form as is being used by the order receiving section.
For the purpose of drawing a flow chart to incorporate the above narration it is useful to know -
1. the point for originating the flow of transaction.
2. the documents, internal and external, and the flow of the transaction, number of copies,
distribution flow and the details.
3. the books, if any, maintained and the details recorded there in and the source or sources for
the details.
4. that there exists an alternative possibility.
The flow chart for the above may be as under -
CHART 1
We can extend the activity flow now to the dispatch section which is the logical second stage of
operation. The work and procedure content of the dispatch section is assumed to be as follows:
After the receipt of the sales advices in sets of four, the dispatch section arranges dispatch of
materials and puts the date of dispatch and the quantities despatched; the head of the Section
initials the advices. The last copy of the advice is sent back to the Order Receiving Section. The
first copy is sent as a packing slip with the goods, the second copy goes to the Billing Department
and the third copy accompanies the goods when delivered to the buyer and, obtaining the buyer’s
acknowledgement of the receipt of the goods therein, is received back and filed date-wise. In case
of goods not directly delivered to the buyers, i.e., when the goods are sent either by rail, road or
water transport, the copy constitutes the basis for raising the relevant forwarding note on the basis
of which R.R. etc., can be prepared.
CHART 2
This flow is taken to the Billing Section. The Section generally accumulates the second copy of the
Sales Advice for two or three days and prepares sales invoices in sets of four. The pricing of the
sales invoice is done by reference to the company’s current price list or the catalogue. The number
of the sales advice is entered on the corresponding invoice which is pre-numbered, also, the
number of the invoice is recorded on the copy of the sales advice which is then filed alphabetically.
The first copy of the invoice is sent to the customer while the second, third and fourth copies are
respectively sent to the trade receivables ledger clerk, the Inventory Section and the Accounts
Section. The Billing Section also is responsible for raising credit notes on the basis of documents
received. Credit notes are also prepared in sets of four and are distributed in exactly the same way
as invoices. The inventories of invoice and the credit note forms remain in the Billing Section.
Now, in the order of the flow of activities, more sectional flow charts can be prepared to cover the
activities in the Accounts Section and the Inventory Section and they together, when sequentially
assembled, will constitute the complete flow chart for the sales transactions and trade receivables
recordings.
(These flow charts have been prepared on the basis of the approach and the symbols used in the
book “Analytical Auditing” by Skinner and Anderson. Students who desire to study the subject of
preparation of flow charts further may refer to Chapter 4 of that book.)
It is now left for us to see how these flow charts reveal the state of internal control. A close look
into flow charts will show the following:
(i) The advices are sent by salesmen; though prepared on the same sales advice form as is
prepared in the section, there is no check that all the advices sent by salesmen have been
received. This may entail loss of business because of non-receipt of sales advice. (Refer to
the flow chart for the Order Receiving Section).
(ii) The raising of sales advices on the basis of telephonic orders, irrespective of the party’s
standing and record of performance is risky from the business point of view. (Refer to the
flow chart for the Order Receiving Section).
(iii) There is no system of prior credit sanction to the parties; in consequence, there may be
dispatch of goods to bad credit risks. (Refer to the flow chart for the Dispatch Section).
(iv) There is no check that all the second copies of the sales advices sent by the Dispatch
Section have been received by the Billing Section. The possibility of dispatch not being
billed exists. (Refer to the flow charts for the Dispatch as well as the Billing Section).
(v) There is no check in respect of pricing, extension and addition on the invoice or the credit
notes. This may result in loss of revenue for wrong pricing or wrong calculation. (Refer to
the flow chart for Billing Section).
(vi) It is not clear whether the supporting documents are adequate for authorising the issue of
credit notes where there is a need for a greater caution. (Refer to the flow chart for Billing
Section).
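The checks whose absence is noted in weaknesses (iv) and (v), together with the pre-numbering control over invoices, can be expressed as tests over the documents themselves. The following Python sketch is an added example, not part of the original text; the record layouts, item names, prices and document numbers are constructed for illustration.

```python
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class SalesAdvice:
    number: int           # consecutive number taken from the order book
    item: str
    qty_dispatched: int   # entered by the Dispatch Section; 0 = not yet dispatched


@dataclass(frozen=True)
class Invoice:
    number: int           # pre-numbered invoice form
    advice_number: int    # sales advice number entered on the invoice
    item: str
    qty: int
    unit_price: Decimal
    total: Decimal


def sequence_gaps(numbers):
    """Numbers missing from a consecutive, pre-numbered series."""
    present = set(numbers)
    if not present:
        return []
    return [n for n in range(min(present), max(present) + 1) if n not in present]


def unbilled_dispatches(advices, invoices):
    """Weakness (iv): advices with goods dispatched but no invoice quoting them."""
    billed = {inv.advice_number for inv in invoices}
    return sorted(a.number for a in advices
                  if a.qty_dispatched > 0 and a.number not in billed)


def pricing_exceptions(invoices, advices, price_list):
    """Weakness (v): re-perform pricing and extension on every invoice."""
    by_number = {a.number: a for a in advices}
    exceptions = []
    for inv in invoices:
        reasons = []
        listed = price_list.get(inv.item)
        if listed is None:
            reasons.append("item not on price list")
        elif inv.unit_price != listed:
            reasons.append("price differs from list")
        if inv.unit_price * inv.qty != inv.total:
            reasons.append("extension error")
        advice = by_number.get(inv.advice_number)
        if advice is None:
            reasons.append("no matching sales advice")
        elif advice.qty_dispatched != inv.qty:
            reasons.append("quantity differs from dispatch")
        if reasons:
            exceptions.append((inv.number, reasons))
    return exceptions


# Constructed sample data (not taken from the text).
PRICE_LIST = {"WIDGET": Decimal("12.50"), "GASKET": Decimal("3.20")}
ADVICES = [
    SalesAdvice(101, "WIDGET", 10),
    SalesAdvice(102, "GASKET", 40),   # dispatched, never billed
    SalesAdvice(103, "WIDGET", 5),
    SalesAdvice(104, "GASKET", 0),    # order booked, goods not yet dispatched
    SalesAdvice(105, "GASKET", 20),
]
INVOICES = [
    Invoice(5001, 101, "WIDGET", 10, Decimal("12.50"), Decimal("125.00")),
    Invoice(5002, 103, "WIDGET", 5, Decimal("11.00"), Decimal("55.00")),   # off-list price
    Invoice(5004, 105, "GASKET", 20, Decimal("3.20"), Decimal("46.00")),   # wrong extension
]

if __name__ == "__main__":
    print("Missing invoice numbers:", sequence_gaps(i.number for i in INVOICES))
    print("Dispatched but unbilled advices:", unbilled_dispatches(ADVICES, INVOICES))
    for number, reasons in pricing_exceptions(INVOICES, ADVICES, PRICE_LIST):
        print(f"Invoice {number}: {', '.join(reasons)}")
```

Each exception is a lead for follow-up rather than a conclusion: a missing invoice number may be a spoiled form, and an unbilled dispatch may still be within the Billing Section's two or three day accumulation period.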
So far we have seen the points of weaknesses that are evident from these flow charts. For a
clearer understanding of the flow chart as a medium for evaluating internal controls, the following
further points may be useful:
(a) There exists proper numerical control over orders booked (except the case for the
salesmen’s orders).
(b) There is a permanent and continuous record of the orders booked in the form of order book.
(c) There is a definite basis for raising sales advices.
(d) The order book record is always kept complete by entering the information about the
execution of the order and this keeps the information about the pending orders ready at any
moment.
(e) Partly executed orders are reviewed from time to time so that as soon as goods are
available, the same may be despatched to customers.
(f) The customer’s purchase order and the related sales advice are matched and kept together
in the customer’s file.
(g) The sales advices are initialed by the Dispatch Section head as token of his having satisfied
himself about the correctness of the entries as regards the quantity despatched and the
date of dispatch.
(h) Record of actual direct delivery is maintained through the copy of the sales advice bearing
the customer’s acknowledgement of his having received the goods. Similarly, the record of
out station deliveries is kept in the copy of the forwarding note annexed to the sales advice
copy.
(i) Documents have as many copies as are necessary for ensuring proper flow and proper
control. There is neither wastage through unnecessary copies nor any hold up because of
inadequacy of copies.
(j) There are supporting documents for raising invoices and credit notes.
(k) The distribution of invoices and credit notes is such as would enable the recording of billing
at the relevant centres independent of each other.
(l) There is control over the number of invoices and credit notes by pre-numbering.
Thus, by flow charting, an auditor can very clearly see the inter-relationships of the activities and
flows and how they are integrated from stage to stage. However, the auditor has to be careful
about the readability and intelligibility of the chart. Identification of all individual functions in a
section is also highly relevant for preparation of the flow chart. The smaller the segment, the better
is the possibility of quick comprehension. Naturally, the auditor should try to see each section as
the natural assembly of distinct and identified components.
Ordinarily, development of the overall audit plan does not require an understanding of control
procedures for every financial statement assertion in each account balance and transaction class.
∗ Source: cjess1 audit class pln - WordPress.com
The SAs do not ordinarily refer to inherent risk and control risk separately, but rather to a
combined assessment of the “risks of material misstatement”. However, the auditor may
make separate or combined assessments of inherent and control risk depending on
preferred audit techniques or methodologies and practical considerations.
(iii) Detection Risk: It is the risk that the procedures performed by the auditor to reduce audit
risk to an acceptably low level will not detect a misstatement that exists and that could be
material, either individually or when aggregated with other misstatements. Detection risk
relates to the nature, timing, and extent of the auditor’s procedures that are determined by
the auditor to reduce audit risk to an acceptably low level. It is therefore a function of the
effectiveness of an audit procedure and of its application by the auditor.
The preliminary assessment of control risk is the process of evaluating the likely effectiveness of
an entity's accounting and internal control systems in preventing or detecting and correcting
material misstatements. The preliminary assessment of control risk is based on the assumption
that the controls operate generally as described and that they operate effectively throughout the
period of intended reliance. There will always be some control risk because of the inherent
limitations of any accounting and internal control system.
The auditor ordinarily assesses control risk at a high level for some or all assertions
when:
(a) the entity's accounting and internal control systems are not effective; or
(b) evaluating the effectiveness of the entity's accounting and internal control systems
would not be efficient.
In the above circumstances, the auditor would obtain sufficient appropriate audit evidence from
substantive procedures and from any audit work carried out in the preparation of financial
statements.
The preliminary assessment of control risk for a financial statement assertion should be
high unless the auditor:
(a) is able to identify internal controls relevant to the assertion which are likely to prevent
or detect and correct a material misstatement; and
(b) plans to perform tests of control to support the assessment.
Documentation of Understanding and Assessment of Control Risk - The auditor should
document in the audit working papers:
(a) the understanding obtained of the entity's accounting and internal control systems; and
(b) the assessment of control risk.
When control risk is assessed at less than high, the auditor would also document the basis for the
conclusions.
Different techniques may be used to document information relating to accounting and internal
control systems. Selection of a particular technique is a matter for the auditor's judgement.
Tests of Control - Tests of control are performed to obtain audit evidence about the
effectiveness of the:
(a) design of the accounting and internal control systems, that is, whether they are suitably
designed to prevent or detect and correct material misstatements; and
(b) operation of the internal controls throughout the period.
Tests of control include tests of elements of the control environment where strengths in the control
environment are used by auditors to reduce control risk.
Some of the procedures performed to obtain the understanding of the accounting and internal
control systems may not have been specifically planned as tests of control but may provide audit
evidence about the effectiveness of the design and operation of internal controls relevant to certain
assertions and, consequently, serve as tests of control. For example, in obtaining the
understanding of the accounting and internal control systems pertaining to cash, the auditor may
have obtained audit evidence about the effectiveness of the bank reconciliation process through
inquiry and observation.
When the auditor concludes that procedures performed to obtain the understanding of the
accounting and internal control systems also provide audit evidence about the suitability of design
and operating effectiveness of policies and procedures relevant to a particular financial statement
assertion, the auditor may use that audit evidence, provided it is sufficient to support a control risk
assessment at less than a high level.
The auditor should obtain audit evidence through tests of control to support any assessment of
control risk which is less than high. The lower the assessment of control risk, the more evidence
the auditor should obtain that accounting and internal control systems are suitably designed and
operating effectively.
When obtaining audit evidence about the effective operation of internal controls, the auditor
considers :
The concept of effective operation recognises that some deviations may have occurred.
Deviations from prescribed controls may be caused by such factors as changes in key personnel,
significant seasonal fluctuations in volume of transactions and human error. When deviations are
detected the auditor makes specific inquiries regarding these matters, particularly, the timing of
staff changes in key internal control functions. The auditor then ensures that the tests of control
appropriately cover such a period of change or fluctuation.
Based on the results of the tests of control, the auditor should evaluate whether the internal
controls are designed and operating as contemplated in the preliminary assessment of control risk.
The evaluation of deviations may result in the auditor concluding that the assessed level of control
risk needs to be revised. In such cases, the auditor would modify the nature, timing and extent of
planned substantive procedures.
Quality and Timeliness of Audit Evidence
Certain types of audit evidence obtained by the auditor are more reliable than others. Ordinarily,
the auditor's observation provides more reliable audit evidence than merely making inquiries. For
example, the auditor might obtain audit evidence about the proper segregation of duties by
observing the individual who applies a control procedure or by making inquiries of appropriate
personnel. However, audit evidence obtained by some tests of control, such as observation,
pertains only to the point in time at which the procedure was applied. The auditor may decide,
therefore, to supplement these procedures with other tests of control capable of providing audit
evidence about other periods of time.
In determining the appropriate audit evidence to support a conclusion about control risk, the
auditor may consider the audit evidence obtained in prior audits. In a continuing engagement, the
auditor will be aware of the accounting and internal control systems through work carried out
previously but will need to update the knowledge gained and consider the need to obtain further
audit evidence of any changes in control. Before relying on procedures performed in prior audits,
the auditor should obtain audit evidence which supports this reliance. The auditor would obtain
audit evidence as to the nature, timing and extent of any changes in the entity's accounting and
internal control systems since such procedures were performed and assess their impact on the
auditor's intended reliance. The longer the time elapsed since the performance of such
procedures, the less assurance that may result.
The auditor should consider whether the internal controls were in use throughout the period. If
substantially different controls were used at different times during the period, the auditor would
consider each separately. A breakdown in internal controls for a specific portion of the period
requires separate consideration of the nature, timing and extent of the audit procedures to be
applied to the transactions and other events of that period.
The auditor may decide to perform some tests of control during an interim visit in advance of the
period end. However, the auditor cannot rely on the results of such tests without considering the
need to obtain further audit evidence relating to the remainder of the period.
Some detection risk would always be present even if an auditor were to examine 100 percent of the
account balances or class of transactions because, for example, most audit evidence is persuasive
rather than conclusive.
The auditor should consider the assessed levels of inherent and control risks in determining the
nature, timing and extent of substantive procedures required to reduce audit risk to an acceptably
low level. In this regard the auditor would consider:
(a) the nature of substantive procedures, for example, using tests directed toward
independent parties outside the entity rather than tests directed toward parties or
documentation within the entity, or using tests of details for a particular audit
objective in addition to analytical procedures;
(b) the timing of substantive procedures, for example, performing them at period end
rather than at an earlier date; and
(c) the extent of substantive procedures, for example, using a larger sample size.
There is an inverse relationship between detection risk and the combined level of inherent
and control risks. For example, when inherent and control risks are high, acceptable
detection risk needs to be low to reduce audit risk to an acceptably low level. On the other
hand, when inherent and control risks are low, an auditor can accept a higher detection risk
and still reduce audit risk to an acceptably low level.
While tests of control and substantive procedures are distinguishable as to their purpose, the
results of either type of procedure may contribute to the purpose of the other. Misstatements
discovered in conducting substantive procedures may cause the auditor to modify the previous
assessment of control risk.
The assessed levels of inherent and control risks cannot be sufficiently low to eliminate the need
for the auditor to perform any substantive procedures. Regardless of the assessed levels of
inherent and control risks, the auditor should perform some substantive procedures for material
account balances and classes of transactions.
The auditor's assessment of the components of audit risk may change during the course of an
audit. For example, information may come to the auditor's attention when performing substantive
procedures that differs significantly from the information on which the auditor originally assessed
inherent and control risks. In such cases, the auditor would modify the planned substantive
procedures based on a revision of the assessed levels of inherent and control risks.
The higher the assessment of inherent and control risks, the more audit evidence the auditor
should obtain from the performance of substantive procedures. When both inherent and control
risks are assessed as high, the auditor needs to consider whether substantive procedures can
provide sufficient appropriate audit evidence to reduce detection risk, and therefore audit risk, to
an acceptably low level. When the auditor determines that detection risk regarding a financial
statement assertion for a material account balance or class of transactions cannot be reduced to
an acceptable level, the auditor should express a qualified opinion or a disclaimer of opinion as
may be appropriate.
Mathematically, Audit Risk (AR) can be expressed as a product of Inherent Risk (IR), Control Risk
(CR) and Detection Risk (DR), i.e. AR = IR x CR x DR.
It should be noted that:
1. The combined level of Inherent Risk and Control Risk is inversely related with Detection
Risk, and
2. Audit Materiality is also inversely related with audit risk.
The relationship between different components of audit risks is given in the following table:
                                      Auditors’ assessment of control risk
                                      High        Medium      Low
Auditors’ assessment    High          Lowest      Lower       Medium
of inherent risk        Medium        Lower       Medium      Higher
                        Low           Medium      Higher      Highest
(iv) Daily banking: Each day’s collection should be deposited in the bank on the next working day
of the bank. Till that time, the cash should be in the custody of a properly authorized person,
preferably in joint custody, for which the daily cash in hand report should be signed by the
authorized persons.
(v) Entrance ticket: Entrance tickets should be cancelled at the entrance gate when the public
enters the centre.
(vi) Advance booking: If advance booking of facility is made available, the system should
ensure that all advance booked tickets are paid for.
(vii) Discounts and free pass: The discount policy of the Y Co. Ltd. should be such that the
concessional rates, say, for group booking should be properly authorized and signed forms
for such authorization should be preserved.
(viii) Surprise checks: Internal audit system should carry out periodic surprise checks for cash
counts, daily banking, reconciliation and stock of unsold tickets etc.
(c) This letter serves as a valuable reference document for management for the purpose of
revising the system and insisting on its strict implementation.
(d) The letter may also serve to minimize legal liability in the event of a major defalcation or
other loss resulting from a weakness in internal control.
It should be appreciated that by writing a letter to the management about the weaknesses in the
system, the auditor is not absolved from his duty to report the shortcomings in the accounts by way
of qualification where the defects have not been corrected to the auditor’s satisfaction weighing the
materiality of weaknesses and their impact, if considered necessary.
The practice of the issue of letter of weaknesses has a great merit in relieving the auditor from
liability in case serious frauds or losses have occurred, which probably would not have taken place
had the client taken due note of the auditor’s points in the letter of weakness. In the case Re S.P.
Catterson & Ltd. (1937, 81, Act L.R. 62), the auditor was acquitted of the charge of negligence for
employee’s fraud in view of the fact that he had already informed the client about the
unsatisfactory state in the specific areas of accounts and had suggested improvements which were
not acted upon by the management.
The Council of ICAI has issued SA 265 on “Communicating Deficiencies in Internal Control to
Those Charged with Governance and Management” in this regard. This Standard on Auditing (SA)
deals with the auditor’s responsibility to communicate appropriately to those charged with
governance and management deficiencies in internal control that the auditor has identified in an
audit of financial statements. This SA does not impose additional responsibilities on the auditor
regarding obtaining an understanding of internal control and designing and performing tests of
controls over and above the requirements of SA 315 and SA 330.
The objective of the auditor is to communicate appropriately to those charged with governance and
management deficiencies in internal control that the auditor has identified during the audit and
that, in the auditor’s professional judgment, are of sufficient importance to merit their respective
attentions.
The auditor shall determine whether, on the basis of the audit work performed, the auditor has
identified one or more deficiencies in internal control.
If the auditor has identified one or more deficiencies in internal control, the auditor shall determine,
on the basis of the audit work performed, whether, individually or in combination, they constitute
significant deficiencies.
The auditor shall communicate in writing significant deficiencies in internal control identified during
the audit to those charged with governance on a timely basis.
The auditor shall include in the written communication of significant deficiencies in internal control:
(a) A description of the deficiencies and an explanation of their potential effects; and
(b) Sufficient information to enable those charged with governance and management to
understand the context of the communication. In particular, the auditor shall explain
that:
(i) The purpose of the audit was for the auditor to express an opinion on the
financial statements;
(ii) The audit included consideration of internal control relevant to the preparation
of the financial statements in order to design audit procedures that are
appropriate in the circumstances, but not for the purpose of expressing an
opinion on the effectiveness of internal control; and
(iii) The matters being reported are limited to those deficiencies that the auditor
has identified during the audit and that the auditor has concluded are of
sufficient importance to merit being reported to those charged with
governance.
9. RISK-BASED AUDIT
Audit should be risk-based or focused on areas of greatest risk to the achievement of the audited
entity’s objectives. Risk-based audit (RBA) is an approach to audit that analyzes audit risks, sets
materiality thresholds based on audit risk analysis and develops audit programmes that allocate a
larger portion of audit resources to high-risk areas.
The auditor does not normally need to perform specific audit procedures on all areas of audit. He
only needs to design audit programmes and procedures on areas earlier identified as major risks
that could result in the financial statements being materially misstated. RBA is an essential
element of financial audit, both in the attest audit of the financial statements and in the audit of
financial systems and transactions including evaluation of internal controls. It focuses primarily on
the identification and assessment of the financial statement misstatement risks and provides a
framework to reduce the impact to the financial statement of these identified risks to an acceptable
level before rendering an opinion on the financial statements. It also provides indicators of risks as
a basis of opportunity for improvement of auditee risk management and control processes. This
affords an opportunity to the auditee to improve its operations from recommendations on risks that
do not have a current impact on the financial statements but impact the audited entity’s operational
strategies and performance over the longer term.
In the context of performance audit, it is the risk to delivery of an activity or scheme or programme
of the entity with economy, efficiency and effectiveness. Awareness of areas that put the
programme or resources at risk from the point of view of economy, efficiency and effectiveness
helps focus audit attention on them. The risk analysis provides a framework for assurance in
performance auditing.
9.1 Audit Risk Analysis
The auditor should perform an analysis of the audit risks that impact on the auditee before
undertaking specific audit procedures. Risk assessment is a subjective process. It is part of the
professional judgment of the auditor and of the particular circumstances. It is the risk that the
auditor may unknowingly fail to appropriately modify his opinion on financial statements that are
materially misstated.
[Flow chart: Understand auditee operations to identify and prioritize risks → Assess auditee management strategies and controls to determine residual audit risk → Manage residual risk to reduce it to acceptable level → Inform auditee of audit results through appropriate report]
Step 1 Understand auditee operations to identify and prioritize risks: Understanding auditee
operations involves processes for reviewing and understanding the audited organization’s risk
management processes for its strategies, framework of operations, operational performance and
information process framework, in order to identify and prioritize the error and fraud risks that
impact the audit of financial statements. The environment in which the auditee operates, the
information required to monitor changes in the environment, and the process or activities integral
to the audited entity’s success in meeting its objectives are the key factors to an understanding of
agency risks. Likewise, a performance review of the audited entity’s delivery of service by
comparing expectations against actual results may also aid in understanding agency operations.
Step 2 Assess auditee management strategies and controls to determine residual audit risk:
Assessment of management risk strategies and controls is the determination as to how controls
within the auditee are designed. The role of internal audit in promoting a sound accounting system
and internal control is recognized, thus the SAI should evaluate the effectiveness of internal audit
to determine the extent to which reliance can be placed upon it in the conduct of substantive tests.
Step 3 Manage residual risk to reduce it to acceptable level: Management of residual risk
requires the design and execution of a risk reduction approach that is efficient and effective to
bring down residual audit risk to an acceptable level. This includes the design and execution of
necessary audit procedures and substantive testing to obtain evidence in support of transactions
and balances. More resources should be allocated to areas of high audit risks, which were earlier
known through the analytical procedures undertaken.
Step 4 Inform auditee of audit results through appropriate report: The results of audit shall be
communicated by the auditor to the audited entity. The auditor must immediately communicate to
the auditee reportable conditions that have been observed even before completion of the audit,
such as weaknesses in the internal control system, deficiencies in the design and operation of
internal controls that affect the organization’s ability to record, process, summarize and report
financial data.
Similarly, a benchmark internal control system, based on suitable criteria, is essential to enable
the management and auditors to assess and state adequacy of and compliance with the system of
internal control. In the Indian context, students are advised to refer to Appendix 1, “Internal Control
Components”, of SA 315, “Identifying and Assessing the Risks of Material Misstatement Through
Understanding the Entity and its Environment”, which provides the necessary criteria for internal financial
controls over financial reporting for companies.
10.1 International Internal Control Frameworks
An overview of the different internal control frameworks followed internationally is given below:
A. Internal Control - Integrated Framework issued by Committee of the Sponsoring
Organisations of the Treadway Commission (COSO Framework).
COSO’s Internal Control – Integrated Framework was introduced in 1992 as guidance on how to
establish better controls so companies can achieve their objectives. COSO categorizes entity-level
objectives into operations, financial reporting, and compliance. The framework includes more than
20 basic principles representing the fundamental concepts associated with its five components:
control environment, risk assessment, control activities, information and communication, and
monitoring. Some of the principles include key elements for compliance, such as integrity and
ethical values, authorities and responsibilities, policies and procedures, and reporting deficiencies.
However, the Framework clarifies the requirements for effective internal control. This was largely
done through the articulation of the 17 principles, which are relevant to every entity and must be
present and functioning in order to have an effective system of internal control. Here are the titles
of the 17 internal control principles by internal control component as presented in COSO’s
framework:
The COSO Framework is designed to be used by organizations to assess the effectiveness of the
system of internal control to achieve objectives as determined by management. The Framework
lists three categories of objectives as below:
• Operations Objectives – related to the effectiveness and efficiency of the entity’s operations,
including operational and financial performance goals, and safeguarding assets against loss.
• Reporting Objectives – related to internal and external financial and non-financial reporting to
stakeholders, which would encompass reliability, timeliness, transparency, or other terms as
established by regulators, standard setters, or the entity’s policies.
• Compliance objectives – In the Framework, the compliance objective was described as “relating
to the entity’s compliance with applicable laws and regulations.” The Framework considers the
increased demands and complexities in laws, regulations, and accounting standards.
Limitations of Internal Control: The Framework acknowledges that there are limitations related
to a system of internal control. For example, certain events or conditions are beyond an
organization’s control, and no system of internal control will always do what it was designed to do.
Controls are performed by people and are subject to human error, uncertainties inherent in
judgment, management override, and their circumvention due to collusion. An effective system of
internal control recognizes their inherent limitations and addresses ways to minimize these risks by
the design, implementation, and conduct of the system of internal control. However, an effective
system will not eliminate these risks. An effective system of internal control provides reasonable
assurance, not absolute assurance, that the entity will achieve its defined operating, reporting, and
compliance objectives.
B. Guidance on Assessing Control published by the Canadian Institute of Chartered
Accountants (CoCo)
CoCo was introduced in 1992 with the objective of improving organizational performance and
decision-making with better controls, risk management, and corporate governance.
The Criteria of Control (CoCo) framework was developed by the Canadian Institute of Chartered
Accountants with the objective of improving organisational performance and decision making with
better controls, risk management, and corporate governance. In 1995, Guidance on Control was
produced, which described the CoCo framework and defined controls. The framework includes 20
criteria for effective control in four areas of an organization: purpose (direction), commitment
(identity and values), capability (competence), and monitoring and learning (evolution).
The framework emphasizes that control involves the entire organization but begins on an individual
level, with the employee.
The CoCo framework outlines criteria for effective control in the following four areas:
• Purpose
• Commitment
• Capability
• Monitoring and Learning
In order to assess whether controls exist and are operating effectively, each criterion would be
examined to identify the controls that are in place to address them.
C. Control Objectives for Information and Related Technology (COBIT)
COBIT stands for Control Objectives for Information and Related Technology. It is a framework
created by the ISACA (Information Systems Audit and Control Association) for IT governance and
management. COBIT has 34 high-level processes that cover 210 control objectives categorized in
four domains: planning and organization, acquisition and implementation, delivery and support,
and monitoring and evaluation. It is designed as a supportive tool for managers and allows
bridging the crucial gap between technical issues, business risks and control requirements.
Business managers are equipped with a model to deliver value to the organization and to practise better
risk management associated with the IT processes. It is a control model that guarantees the
integrity of the information system. Today, COBIT is used globally by all managers who are responsible
for the IT business processes. It is a thoroughly recognized guideline that can be applied to any
organization across industries. Overall, COBIT ensures quality, control and reliability of information
systems in an organization, which is also the most important aspect of every modern business.
This framework guides an organization on how to use IT resources (i.e., applications, information,
infrastructure, and people) to manage IT domains, processes, and activities to respond to business
requirements, which include compliance, effectiveness, efficiency, confidentiality, integrity,
availability, and reliability. Well-governed IT practices can assist businesses in complying with
laws, regulations, and contractual arrangements.
D. Internal Control: Guidance for Directors on the Combined Code, published by the
Institute of Chartered Accountants in England & Wales (known as the Turnbull Report)
When the Combined Code of the Committee on Corporate Governance (the Code) was published,
the Institute of Chartered Accountants in England & Wales agreed with the London Stock
Exchange that it would provide guidance to assist listed companies to implement the requirements
in the Code relating to internal control. The key principles of the Code are enunciated as below:
• The board should maintain a sound system of internal control to safeguard shareholders’
investment and the company’s assets.
• The directors should, at least annually, conduct a review of the effectiveness of the group’s
system of internal control and should report to shareholders that they have done so. The review
should cover all controls, including financial, operational and compliance controls and risk
management.
• Companies which do not have an internal audit function should from time to time review the
need for one.
The guidance requires directors to exercise judgement in reviewing how the company has
implemented the requirements of the Code relating to internal control and reporting to
shareholders thereon. The guidance is based on the adoption by a company’s board of a risk-
based approach to establishing a sound system of internal control and reviewing its effectiveness.
This should be incorporated by the company within its normal management and governance
processes. It should not be treated as a separate exercise undertaken to meet regulatory
requirements.
E. Sarbanes-Oxley Section 404
SOX Section 404 (Sarbanes-Oxley Act Section 404) mandates that all publicly-traded companies
must establish internal controls and procedures for financial reporting and must document, test
and maintain those controls and procedures to ensure their effectiveness. The purpose of SOX is
to reduce the possibilities of corporate fraud by increasing the stringency of procedures and
requirements for financial reporting. The Sarbanes Oxley Act, signed into law in 2002, has
revamped federal regulations pertaining to publicly traded companies’ corporate governance and
reporting obligations. The PCAOB followed with AS 2, which was approved by the SEC in June
2004. AS 2 was replaced in May 2007 by AS 5.
The SEC rules and PCAOB standard require that:
• Management perform a formal assessment of its controls over financial reporting including
tests that confirm the design and operating effectiveness of the controls.
• Management include in its annual report an assessment of ICFR.
• The external auditors provide two opinions as part of a single integrated audit of the
company:
- An independent opinion on the effectiveness of the system of ICFR.
- The traditional opinion on the financial statements.
There are a number of different definitions of the term internal control. For the purposes of Section
404, the great majority of companies and all the CPA firms use the definition in COSO’s Internal
Control — Integrated Framework. The COSO framework has made it easier for management to
see what’s covered and where gaps may exist in their SOX 404 compliance program.
Management needs to determine whether the system of internal control in effect as of the date of
the assessment provides reasonable assurance that material errors, in either interim or annual
financial statements, will be prevented or detected.
The rules issued by Securities and Exchange Commission require a company’s annual report to
include an internal control report of management that contains:
- A statement of management’s responsibility for establishing and maintaining adequate
internal control over financial reporting for the company.
During the course of risk assessment by the auditors, it was discussed that the company is
operating in an industry where the operations are not very complicated and mostly the
processes are known to all. Considering the same they decided that assessment of inherent
risk should not be done for this company as that would be inefficient. However, the auditors
will take due care of the control risks. The same assessment was deliberated upon and
after a lot of discussions it was finalized like this.
In the given situation, please advise which one of the following would be correct.
(a) The assessment of audit team is correct.
(b) The assessment of audit team is wrong considering the fact that this is a private
company wherein such assessment is not possible.
(c) The assessment of audit team is wrong for this company.
(d) The assessment of audit team is correct considering the fact that this has been
thoroughly discussed.
2. Kshitij Private Ltd is a company based out of Noida having operations in India and Dubai.
The company’s operations in Dubai have increased over the last 2 years and the
management is earning very good profits.
Because of the profits, the management also planned that they should now focus on
strengthening of internal controls of the company and for that purpose they have discussed
with the statutory auditors to carry out the audit for the financial year ended 31 March 2019
very rigorously.
The report on internal financial controls is also applicable to the company and hence the
auditors during the course of their work asked for Risk-control matrices from the company.
During the year ended 31 March 2018, Risk-control matrix was not available with the
company and was prepared in a draft manner and the same was shared with the audit team
during that year and the auditors completed their work on the basis of that.
However, for the year ended 31 March 2019, the auditors would like to have robust
documentation and are not ready to accept the same Risk-control matrices.
In the given situation, please suggest what should be the course of action.
(a) The request of audit team is correct and the management should provide that.
(b) The requirement of audit team is not justified considering the fact that last year same
documentation was used by them.
(c) The requirement of audit team is not justified considering the fact that it’s a private
company and auditor anyways is required to perform rigorous audit procedures.
(d) In case of a private company on which internal financial controls report is required,
the auditor is not allowed to take any Risk-control matrix from the management.
Seems to be an ethical issue.
3. SK Private Limited is a medium-sized company having operations in Jharkhand. The
company manufactures some parts and sells them to various dealers on ex-works basis. The
financial statements of the company are prepared as per Ind AS and internal financial
controls report is also applicable on the same.
During the course of audit of the financial statements for the year ended 31 March 2019, the
management of the company had a detailed discussion with the auditors for audit planning.
Further it was also decided that any observations of the auditors should also be discussed
with the management before conclusion by the audit team which was not done in the past
years.
Considering this, the auditors started the risk assessment and requested the management
to share their documentation for the same on which the management said that they don’t
have any risks and if the auditors come across any such thing they can discuss that with the
management.
But the auditors were not convinced with the view of the management and the same thing
has happened in the past years as well.
You are required to provide your inputs to resolve this matter.
(a) The requirement of the audit team is not correct.
(b) The view of the management is correct because of the applicability of Ind AS.
(c) The view of the management is correct because of the applicability of internal
financial controls reporting.
(d) The view of the management is not correct.
4. AJ Private Ltd is in the business of telecom and has significant operations across India
predominantly in Northern India.
The statutory auditors of the company have been continuing for the last 3 years and have
been issuing a clean report.
For the financial year ended 31 March 2019, the statutory auditors commenced their work in
March 2019 as per discussions with the management and with a plan to complete the audit
by first week of May 2019.
The audit team concluded the work as per the agreed timelines and the financial statements
and audit report were signed on 5 May 2019 along with the engagement letter for the
financial year ended 31 March 2019.
In the given situation, please advise which of the following would be correct.
(a) The engagement letter should have been signed before commencing the audit work.
(b) The engagement letter should have been signed at least a day before signing the
audit report.
(c) The engagement letter should have been signed at least a day before signing the
financial statements.
(d) The engagement letter is optional in case of a private company and hence can be
signed anytime.
5. RIM Private Ltd is engaged in the business of manufacturing of water bottles and is
experiencing significant increase in turnover year on year. It is a subsidiary of RIM Gmbh,
based out of Germany.
During the financial year ended 31 March 2019, the company carried out a detailed physical
verification of its inventory and property, plant and equipment.
During the year, various other activities were carried out to increase efficiency in operations
and reductions of costs.
The statutory auditors of the company started their audit work from April 2019 and
requested for a documentation on changes in processes and activities during the year as
well as any resultant impact of the same on management controls.
The management of the company told the auditors that all such documentation is
maintained by the parent company as this is a closely held private company and even
though internal financial controls reporting is applicable on this company, the parent
company is taking due care of each and every process.
The auditors did not agree with the views of the management. Please advise both the
management and the auditors.
(a) The auditors should look for documentation as per Sarbanes Oxley in this case.
(b) The auditors are correct in this case and the management should provide the
required documentation.
(c) The auditors are correct in this case and the management should provide the
required documentation. However, in case the parent company is covered by
Sarbanes Oxley then it can be ignored by the auditors.
(d) The management is correct.
(2) It should clearly indicate that it discusses only weaknesses which have come to the
attention of the auditor as a result of his audit and that his examination has not been
designed to determine the adequacy of internal control for management.
(3) This letter serves as a valuable reference document for management for the purpose
of revising the system and insisting on its strict implementation.
(4) The letter may also serve to minimize legal liability in the event of a major defalcation
or other loss resulting from a weakness in internal control.
4. Refer Para 5.3.
5. Refer Para 9.2.
Answers to Multiple Choice Questions
1. (c) 2. (a) 3. (d) 4. (a) 5. (b)