CA Final Audit RISK ASSESSMENT AND INTERNAL CONTROL Notes
Audit risk is the risk that the auditor may give an inappropriate opinion when the financial
statements are materially misstated. Thus, it is the risk that the auditor may fail to express an
appropriate opinion in an audit assignment.
SA 315 "Identifying and Assessing Risk of Material Misstatements through understanding the
Entity and its Environment" provides guidance on identifying and assessing the risks of material
misstatements at the financial statement level and assertion levels.
1.1 CONSIDERATION
The SAs do not ordinarily refer to inherent risk and control risk separately, but rather to a
combined assessment of the "risks of material misstatement".
1. The risks of material misstatement may exist at two levels:
(a) The overall financial statement level; and
(b) The assertion level for classes of transactions, account balances, and disclosures.
2. Risks of material misstatement at the overall financial statement level refer to risks of
material misstatement that relate pervasively to the financial statements as a whole and
potentially affect many assertions.
3. Risks of material misstatement at the assertion level are assessed in order to determine
the nature, timing and extent (NTE) of further audit procedures necessary to obtain
sufficient appropriate audit evidence.
4. The risks of material misstatement at the assertion level consist of two components:
inherent risk and control risk.
A. INHERENT RISK
Inherent Risk is the susceptibility of an account balance or class of transaction to a
material misstatement, assuming that there were no internal controls.
To assess inherent risk, the auditor should evaluate numerous factors, having regard to
his experience of the entity from previous audit engagements of the entity, controls
established by management to compensate for a high level of inherent risk, and his
knowledge of any significant changes which might have taken place since his last
assessment.
Factors Affecting Inherent Risk
B. CONTROL RISK
1. It refers to evaluating the likely effectiveness of an entity’s internal control
system in preventing or detecting and correcting material misstatements.
2. The auditor should obtain an understanding of internal controls to make a
preliminary assessment of the control risk.
3. Thus, the auditor should assess the control risk as high unless the auditor:
(a) Is able to identify internal controls which are likely to prevent or detect and
correct a material misstatement; and
(b) Plans to perform test of controls.
Auditor performs Test of control to obtain audit evidence about the following-
(a) Whether the accounting and internal control systems are suitably designed to
prevent or detect and correct material misstatements; &
(b) Operation of internal controls throughout the period.
On the basis of the results of the test of controls, the auditor should evaluate whether
the preliminary assessment of control risk was correct or needs to be revised. He should
accordingly determine any modification in the NTE of audit procedures.
C. DETECTION RISK
It is the risk that the substantive procedures performed by the auditor fail to detect a
material misstatement.
The auditor’s control risk assessment, together with the inherent risk assessment,
influences the nature, timing and extent of substantive procedures to be performed to
reduce detection risk, and therefore audit risk, to an acceptably low level.
Some detection risk would always be present even if an auditor was to examine 100 per
cent of the account balances or class of transactions.
If detection risk cannot be reduced to an acceptably low level, the auditor should express a
qualified opinion or a disclaimer of opinion.
CONDITIONS WHICH INCREASE RISK OF FRAUD AND ERROR
While planning and performing an audit, the auditor should consider the risk of material
misstatements that may be caused due to fraud or error. Various conditions and events that
may increase risk of fraud or error are:
1. Weaknesses in the design of internal control system and non-compliance with the laid
down control procedures.
2. Doubts about the integrity or competence of the management.
3. Unusual pressures within the entity.
4. Unusual transactions such as transactions with related parties, excessive payment for
certain services to lawyers, etc.
5. Problems in obtaining sufficient and appropriate audit evidence, e.g., inadequate
documentation, significant differences between the figures as per the accounting records and
confirmation received from third parties, etc.
2. RISK-BASED AUDIT
Audit should be risk-based or focused on areas of greatest risk to the achievement of the audited
entity’s objectives. Risk-based audit (RBA) is an approach to audit that analyzes audit risks,
sets materiality thresholds based on audit risk analysis and develops audit programmes that
allocate a larger portion of audit resources to high-risk areas.
The auditor does not normally need to perform specific audit procedures on all areas of audit.
He only needs to design audit programmes and procedures on areas earlier identified as major
risks that could result in the financial statements being materially misstated. RBA is an
essential element of financial audit, both in the attest audit of the financial statements and in
the audit of financial systems and transactions including evaluation of internal controls. It
focuses primarily on the identification and assessment of the financial statement misstatement
risks and provides a framework to reduce the impact to the financial statement of these
identified risks to an acceptable level before rendering an opinion on the financial statements.
It also provides indicators of risks as a basis of opportunity for improvement of auditee risk
management and control processes. This affords an opportunity to the auditee to improve its
operations from recommendations on risks that do not have a current impact on the financial
statements but impact the audited entity’s operational strategies and performance over the
longer term.
In the context of performance audit, it is the risk to delivery of an activity or scheme or
programme of the entity with economy, efficiency and effectiveness. Awareness of areas that
put the programme or resources at risk from the point of view of economy, efficiency and
effectiveness helps focus audit attention on them. The risk analysis provides a framework for
assurance in performance auditing.
Audit Risk Analysis: The auditor should perform an analysis of the audit risks that impact on
the auditee before undertaking specific audit procedures. Risk assessment is a subjective
process. It is part of the professional judgment of the auditor and of the particular
circumstances. Audit risk is the risk that the auditor may unknowingly fail to appropriately
modify his opinion on financial statements that are materially misstated.
Audit risks are brought about by error and fraud:
Error is an unintentional mistake resulting from omission, as when legitimate
transactions and/or balances are excluded from the financial statements; or by
commission, as when erroneous transactions and/or balances are included in the
financial statements.
Fraud is an intentional misstatement in the accounting records or supporting documents
from which the financial statements are prepared. It is intended to deceive financial
statement users or to conceal misappropriations.
The auditor has the responsibility to plan and perform the audit to obtain reasonable assurance
about whether the financial statements are free of material misstatements, whether caused by
error or fraud.
An error risk may arise from an error in principle, estimate, critical information processing,
financial reporting process or disclosure.
Fraud risk involves manipulation, falsification of accounting records, or misrepresentation in
the financial statements of events, transactions or other significant information, or
misapplication of accounting principles or misappropriation of funds.
1.1 GENERAL STEPS IN THE CONDUCT OF RBA:
RBA consists of four main phases: the identification and prioritization of risks, the
determination of residual risk, the reduction of residual risk to an acceptable level, and the
reporting of audit results to the auditee. These are achieved through the following:
(a) Identify risks throughout the process of obtaining an understanding of the entity and its
environment including the entity’s internal control;
(b) Assess the identified risks and evaluate whether they relate more pervasively to the
financial statements as a whole;
(c) Relate the identified risks to what can go wrong at the assertion level; and
(d) Consider the likelihood of misstatement, including the possibility of multiple
misstatements.
Analytical procedures
Analytical procedures may help identify the existence of unusual transactions or
events, and amounts, ratios, and trends that might indicate matters that have audit
implications.
Unusual or unexpected relationships that are identified may assist the auditor in
identifying risks of material misstatement, especially risks of material misstatement
due to fraud.
(a) Relevant industry, regulatory, and other external factors including applicable financial
reporting framework.
(b) The nature of the entity, including:
i. its operations;
ii. its ownership and governance structures;
iii. the types of investments that the entity is making and plans to make; &
iv. the way that the entity is structured and how it is financed;
(c) The entity’s selection and application of accounting policies, including the reasons for
changes thereto.
(d) The entity’s objectives and strategies, and those related business risks that may result
in risks of material misstatement.
(e) The measurement and review of the entity’s financial performance.
3.6 ASSESSMENT OF RISK OF MATERIAL MISSTATEMENT AT F.S AND AT ASSERTION LEVEL
1. At F.S. Level
It refers to risks of material misstatement that relate pervasively to the financial
statements as a whole and potentially affect many assertions.
Risks at the financial statement level may derive in particular from deficient control
environment (although these risks may also relate to other factors, such as declining
economic conditions). For example, deficiencies such as management’s lack of
competence may have a more pervasive effect on the F.S. and may require an overall
response by the auditor.
2. At Assertion Level
Risks of material misstatement at the assertion level for classes of transactions, account
balances, and disclosures need to be considered because such consideration directly assists in
determining the nature, timing, and extent of further audit procedures at the assertion level
necessary to obtain sufficient appropriate audit evidence.
3. Assertions Evaluated
Transaction occurred during the year
Occurrence - transactions that have been recorded have occurred during the year.
Completeness - transactions have been recorded completely.
Accuracy - transactions have been recorded accurately.
Cut-off - transactions have been recorded in correct accounting period.
Classification - transactions have been properly classified into capital and revenue.
Account Balances at period end
The term "controls" refers to any aspects of one or more of the components of internal control.
4.2 NATURE OF INTERNAL CONTROL
REASON - EXPLANATION
Cost effectiveness - Cost of implementation of control may be more than its benefits. Thus,
management usually doesn’t implement best controls.
Human error - Human Error, which may occur while carrying out I.C. system. It may
be due to misunderstanding on part of personnel.
Collusion among employees - Employees may commit fraud through collusion. It may be among
themselves or with outsiders.
Abuse of authority - The person responsible for exercising control can himself override it.
Example, Person responsible for issuance of stationery to various
departments only for authorised use, can himself misappropriate
stationery for his personal use.
1. Control Environment
The control environment includes the governance and management functions and the
attitudes, awareness, and actions of those charged with governance and management
concerning the entity’s internal control and its importance in the entity. The control
environment sets the tone of an organization, influencing the control consciousness of its
people.
Control environment includes the following elements:
1. Communication and enforcement of integrity and Ethical values.
2. Commitment to competence.
3. Participation by TCWG.
4. Management philosophy and operating style.
5. Organisational Structure.
6. Assignment of Authority and Responsibility.
7. Human resources Policies and Practices.
2. Risk Assessment Process
The entity’s risk assessment process forms the basis for how management determines the
risks to be managed. If that process is appropriate to the circumstances, including the
nature, size and complexity of the entity, it assists the auditor in identifying RMM. Risk
can arise or change due to below mentioned circumstances:
3. Control Activities
Generally, control activities that may be relevant to an audit may be categorised as policies
and procedures that pertain to the following:
a. Performance reviews - These control activities include reviews and analyses of actual
performance versus budgets, forecasts, and prior period performance.
4.8 The overall system of internal control comprises Administrative Controls and
Accounting Controls. Internal Checks and Internal Audit are important constituents of
Accounting Controls.
Internal Check System
Internal check system implies organization of the overall system of book-keeping and
arrangement of Staff duties in such a way that no one person can carry through a transaction
and record every aspect thereof. It is a part of overall control system and operates basically as
a built-in-device as far as organization and job-allocation aspects of the controls are concerned.
The following are the objectives of the internal check system:
(i) To detect error and frauds with ease.
(ii) To avoid and minimize the possibility of commission of errors and fraud by any staff.
(iii) To increase the efficiency of the staff working within the organization.
(iv) To locate the responsibility area or the stages where actual fraud and error occur.
(v) To protect the integrity of the business by ensuring that accounts are always subject to proper
scrutiny and check.
(vi) To prevent and avoid the misappropriation or embezzlement of cash and falsification of
accounts.
The effectiveness of an efficient system of internal check depends on the following
considerations-
Clarity of Responsibility - The responsibility of different persons engaged in various
operations of business transactions should be properly identified. A well-integrated
organizational chart depicting the names of responsible persons associated with specific
functions may help to fix up responsibility.
Division of Work - The segregation of work should be made in such a manner that the
free flow of work is not interrupted and also helps to determine that the work of one
person is complementary to the other. Then, it is suggested that rotation of different
employees through various components of job should be effectively implemented.
Appraisal - Periodic review should be made of the chain of operations and work flow.
Such process may be carried out by preparing an audit flow chart.
Internal Audit
Internal audit may be defined as an independent appraisal function established within an
organization to examine and evaluate its activities as a service to the organization. The scope of
the internal audit is determined by the management. Internal auditing includes a series of
processes and techniques through which an organization's own employees ascertain for the
management, by means of on-the-job observation, whether established management controls
are adequate and are effectively maintained; whether records and reports (financial, accounting
and otherwise) reflect actual operation and results accurately and properly; and whether each
division, department or other unit is carrying out the plans, policies and procedures for which
it is responsible.
Review of I.C. - Meaning: Review of I.C. refers to the examination and evaluation of the
internal control system of the client.
Information required for review
The auditor should acquaint himself with the following:
important features of the business carried on by the concern,
the nature of the activities
system followed in the entire process of manufacturing, trading
and administration,
basis on which the control and procedures are laid down by
the management.
This knowledge he can always obtain by having discussion with the
various managers of the organisation.
Auditor should also look at the company’s procedures, manuals,
organisation flow charts to ascertain the character, scope and efficacy
of the control system. Sometimes, manuals and charts are not
available or very little information is available. In that case, the
auditor should contact the right officers and employees to get the
desired information.
Methods of Recording
1. NARRATIVE RECORD
Complete & exhaustive detail of the system, as found in operation by the
auditor.
Example: For stock control evaluation, it contains documents
prepared, employees discharging various duties, various stages of
stock movements etc.
Advantages
When properly framed formal I.C. system is not found, complete
description is needed and suitable for small business.
Limitations
Detailed observation is needed (time consuming).
It doesn’t readily identify weakness in system.
Constant updating is needed if circumstances are changed.
2. CHECK LIST
It contains series of questions, to be answered by the audit staff.
Example: “Are tenders invited before placing orders?” Now a member
of audit staff checks the same & answers it (“Yes”, “No” or “Not
Applicable”). After answering, he puts his initials.
Advantage
On the job requirement, thus motivating.
Completed checklist is studied by the senior audit staff, thus
weaknesses can’t be overlooked.
Easy location of weakness.
Limitations
Requires intelligence to prepare proper checklist.
Time consuming.
Client can manipulate when responding to questions raised by
audit staff.
3. I.C. QUESTIONNAIRE
Comprehensive series of questions, on each aspect of I.C., prepared
by auditor & filled by the client’s employees. Example: “Do you keep
invoice pre-numbered?” Now client answers as “Yes”, “No” or “Not
Applicable”. Usually questions are framed in such a way that “no”
shows weakness.
Advantage
Detailed questionnaire, thus no important aspect is overlooked.
Weaknesses are easily located.
Evaluating I.C. system becomes systematic & easy.
Recommendations can be readily provided by auditor.
Limitation
Time consuming.
Client may answer it in a hasty way.
Client may manipulate the answers.
4. Flowchart
Graphic presentation of each part of entity’s internal control
system. Stock control procedure can be depicted in the form of a diagram.
The Auditor prepares it after proper study of I.C. System of client.
Advantage
Concise presentation.
Easily understandable.
Gives “bird’s eye view” of complete system.
Limitation
Time consuming to prepare such a flowchart which is concise
yet showing every important aspect of I.C.
Weakness can’t be readily located.
The quality & effectiveness of internal controls is directly dependent on the Organisational
environment. The tone at the top (the Board & Executive Management) & the credibility of the
message on internal controls from top plays an important role in establishing strong control
environment. Following are some of the key components to assess & evaluate the controls
environment:
Standard Operating Procedures (SOPs): A well defined set of SOPs helps define role,
responsibilities, process & controls & thus helps clearly communicate the operating controls
to all touch points of a process. The controls are likely to be clearly understood & consistently
applied even during employee turnover.
Enterprise Risk Management
Segregation of Job Responsibilities
Job Rotation in Sensitive Areas
Delegation of Financial Powers Document
Information Technology based Controls
TESTING OF INTERNAL CONTROL SYSTEM
After assimilating internal control system, the auditor needs to examine whether and how
far the same is actually in operation. Tests of control may include:
(a) Inspection of documents supporting transactions and other events to gain audit
evidence that internal controls have operated properly.
(b) Inquiries about and observation of internal controls which leave no audit trail.
(c) Re-performance of internal controls.
(d) Testing of internal controls operating on specific computerised applications.
Based on the results of the tests of control, the auditor should evaluate whether the internal
controls are designed and operating as contemplated in the preliminary assessment of
control risk.
It has been suggested that actual operation of the internal control should be tested by the
application of procedural tests and examination in depth.
IMPACT OF SATISFACTORY CONTROL ENVIRONMENT
The existence of a satisfactory control environment works as a positive factor when the
auditor assesses the RMM.
But at the same time, it is to be kept in mind that a satisfactory control environment is
not an absolute deterrent to fraud. Deficiencies in the control environment may
undermine the effectiveness of controls, in particular in relation to fraud.
As per SA 330, the control environment also influences the nature, timing, and extent
of the auditor’s further procedures.
The control environment in itself does not prevent, or detect and correct, a material
misstatement. It may, however, influence the auditor’s evaluation of the effectiveness of
other controls (for example, the monitoring of controls and the operation of specific
control activities) and thereby, the auditor’s assessment of the risks of material
misstatement.
Corporate internal controls are part of governance mechanisms of every organisation and,
whether a company adopts a global internal control framework or develops its own, management
should always be guided by the need to safeguard business value. There are a number of global
internal control frameworks that provide guidance to entities for developing and establishing
their internal control systems.
OBJECTIVE
Internal control is fundamental to the successful operation and day-to-day running
of a business and it assists the company in achieving its business objectives. It is wider in scope
and encompasses all controls incorporated into the strategic, governance and management
process, covering the company's entire range of activities and operations, and not limited to
those directly related to financial operations and reporting. There are many internal control
frameworks.
The objective of this chapter is to give an overview of the common international frameworks.
However, the Framework clarifies the requirements for effective internal control. This was
largely done through the articulation of the 17 principles, which are relevant to every entity
and must be present and functioning in order to have an effective system of internal control.
Here are the titles of the 17 internal control principles by internal control component as
presented in COSO's framework: