
CA Final Audit RISK ASSESSMENT AND INTERNAL CONTROL Notes


Chapter 3 - RISK ASSESSMENT AND INTERNAL CONTROL

CHAPTER 3 TOPICS SHORT NOTES

1 AUDIT RISK AND ITS COMPONENTS
2 RISK-BASED AUDIT
3 IDENTIFYING AND ASSESSING RISK OF MATERIAL MISSTATEMENT (SA 315)
4 INTERNAL CONTROL
5 REVIEW OF I.C. BY AUDITOR / EVALUATION OF INTERNAL CONTROL BY THE AUDITOR
6 INTERNAL CONTROL ASSESSMENT & EVALUATION
7 FRAMEWORKS OF INTERNAL CONTROL
1. AUDIT RISK AND ITS COMPONENTS

Audit risk is the risk that the auditor may give an inappropriate opinion when the financial
statements are materially misstated. Thus, it is the risk that the auditor may fail to express an
appropriate opinion in an audit assignment.
SA 315 "Identifying and Assessing Risk of Material Misstatements through understanding the
Entity and its Environment” provides guidance on identifying and assessing the risks of material
misstatements at the financial statement level and assertion levels.

1.1 CONSIDERATION
The SAs do not ordinarily refer to inherent risk and control risk separately, but rather to a
combined assessment of the "risks of material misstatement".
1. The risks of material misstatement may exist at two levels:
 The overall financial statement level; and
 The assertion level for classes of transactions, account balances, and disclosures.

2. Risks of material misstatement at the overall financial statement level refer to risks of
material misstatement that relate pervasively to the financial statements as a whole and
potentially affect many assertions.
3. Risks of material misstatement at the assertion level are assessed in order to determine
the NTE (nature, timing and extent) of further audit procedures necessary to obtain sufficient
appropriate audit evidence.
4. The risks of material misstatement at the assertion level consist of two components:
inherent risk and control risk.

1.2 COMPONENTS OF AUDIT RISK/FACTORS CAUSING AUDIT RISK


Audit Risk has three components: Inherent Risk, Control Risk and Detection Risk. Inherent
Risk and Control Risk are collectively known as Risk of Material Misstatement.

A. INHERENT RISK
 Inherent Risk is the susceptibility of an account balance or class of transaction to a
material misstatement, assuming that there were no internal controls.
 To assess inherent risk, the auditor should evaluate numerous factors, having regard to
his experience of the entity from previous audit engagements of the entity, controls
established by management to compensate for a high level of inherent risk, and his
knowledge of any significant changes which might have taken place since his last
assessment.
Factors Affecting Inherent Risk

At the level of the financial statements:
 Integrity of management.
 Management experience and knowledge.
 Unusual pressure on management.
 Nature of the entity's business.
 Factors affecting the industry.

At the level of account balances and classes of transactions:
 Quality of the accounting system.
 Accounts prone to misstatement.
 Complex transactions.
 Judgement involved in determining balances.
 Assets prone to misappropriation.
 Unusual transactions at or near period end.
 Transactions not subjected to ordinary processing.
B. CONTROL RISK
 Control risk is the risk that a misstatement that could occur in an assertion about a class of
transactions, account balance or disclosure, and that could be material either individually or
when aggregated with other misstatements, will not be prevented, or detected and corrected, on
a timely basis by the entity's internal control.
 In short, it is the risk that the entity's internal control system fails to prevent, or to detect
and correct, a material misstatement in time.
Reasons for failure of I.C. / inherent limitations of internal controls
 Cost effectiveness;
 Transactions of unusual nature may be missed by most controls;
 Potential of human error;
 Circumvention of controls through collusion;
 Abuse of control by the person who is himself responsible for exercising it;
 Inadequacy of procedures due to changes in conditions; and
 Manipulations by management
Assessment of Control Risk

Preliminary assessment of control risk
1. It refers to evaluating the likely effectiveness of an entity's internal control system in
preventing or detecting and correcting material misstatements.
2. The auditor should obtain an understanding of internal controls to make a preliminary
assessment of the control risk.
3. Thus, the auditor should assess the control risk as high unless the auditor:
(a) Is able to identify internal controls which are likely to prevent or detect and correct a
material misstatement; and
(b) Plans to perform tests of controls.

Tests of controls
The auditor performs tests of controls to obtain audit evidence about the following:
(a) Whether the accounting and internal control systems are suitably designed to prevent or
detect and correct material misstatements; and
(b) Operation of internal controls throughout the period.

Final assessment of control risk
On the basis of the results of the tests of controls, the auditor should evaluate whether the
preliminary assessment of control risk was correct or needs to be revised. He should accordingly
determine any modification in the NTE (nature, timing and extent) of audit procedures.
C. DETECTION RISK

It is the risk that the substantive procedures performed by the auditor fail to detect a material
misstatement.

 The auditor’s control risk assessment, together with the inherent risk assessment,
influences the nature, timing and extent of substantive procedures to be performed to
reduce detection risk, and therefore audit risk, to an acceptably low level.
 Some detection risk would always be present even if an auditor was to examine 100 per
cent of the account balances or class of transactions.

Relationship between components of Audit Risk


a) Relationship between IR and CR
1. Management often reacts to inherent risk situations by designing accounting and
internal control systems to prevent or detect and correct misstatements and therefore,
in many cases, inherent risk and control risk are highly interrelated.
2. In such situations, if the auditor attempts to assess inherent and control risks
separately, there is a possibility of inappropriate risk assessment.
As a result, audit risk may be more appropriately determined in such situations by making a
combined assessment of inherent and control risk. This combined assessment is the Risk of
Material Misstatement (RMM, also written ROMM).
b) Relationship between RMM and Detection Risk
1. There is an inverse relationship between detection risks and the combined level of
inherent and control risks.
2. When inherent and control risks are high, acceptable detection risk needs to be low to
reduce audit risk to an acceptably low level. When inherent and control risks are low, an
auditor can accept a higher detection risk and still reduce audit risk to an acceptably
low level.
3. When both inherent and control risks are assessed as high, the auditor needs to consider
whether substantive procedures can provide sufficient appropriate audit evidence to
reduce detection risk, and therefore audit risk, to an acceptably low level.
Mathematically, audit risk (AR) is often expressed as the product of inherent risk (IR), control
risk (CR) and detection risk (DR), i.e. AR = IR x CR x DR. Rearranged, DR = AR / (IR x CR): for a
given acceptable level of audit risk, the higher the assessed RMM, the lower the detection risk
the auditor can accept, and the more persuasive the substantive evidence required. The product
form is a planning model, not a measurement; the SAs treat the assessment of risk as a matter of
professional judgement rather than of precise calculation.

If detection risk cannot be reduced to an acceptably low level, the auditor should express a
qualified opinion or a disclaimer of opinion.
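The following is an added worked example of the audit risk model described above; it is not part of the original notes, the SAs or any ICAI material. The numeric proxies for "high", "medium" and "low" (0.8, 0.5, 0.2), the 5% target audit risk, the 0.5 cut-off between a "reduced" and an "extensive" substantive response, and the floor on achievable detection risk are all assumed values chosen for illustration. The example solves AR = IR x CR x DR for DR, works the high/low relationship through every IR and CR combination, and handles the failure case in which detection risk cannot be brought low enough (the qualified opinion / disclaimer branch).

```python
"""Audit risk model AR = IR x CR x DR, worked as a planning aid.

Illustrative code written for these notes; not from any auditing standard.
All numeric levels below are assumed proxies for qualitative judgements.
"""
from typing import Dict, Tuple

# Assumed numeric proxies for the qualitative levels used in the notes.
LEVELS: Dict[str, float] = {"high": 0.8, "medium": 0.5, "low": 0.2}


def _as_probability(name: str, value: float) -> float:
    """Risk components are treated as probabilities in (0, 1]."""
    if not 0.0 < value <= 1.0:
        raise ValueError(f"{name} must be in (0, 1], got {value}")
    return value


def risk_of_material_misstatement(inherent_risk: float, control_risk: float) -> float:
    """Combined assessment of IR and CR (RMM), as the SAs ordinarily treat them."""
    return _as_probability("IR", inherent_risk) * _as_probability("CR", control_risk)


def acceptable_detection_risk(target_audit_risk: float,
                              inherent_risk: float,
                              control_risk: float) -> float:
    """Rearrange AR = IR x CR x DR to DR = AR / (IR x CR).

    The result is capped at 1.0: when RMM is already below the target AR the
    model says substantive procedures need not reduce risk any further.
    """
    target = _as_probability("AR", target_audit_risk)
    dr = target / risk_of_material_misstatement(inherent_risk, control_risk)
    return min(dr, 1.0)


def plan_response(target_audit_risk: float,
                  inherent_risk: float,
                  control_risk: float,
                  achievable_floor: float = 0.05) -> Tuple[float, str]:
    """Classify the substantive response implied by the acceptable DR.

    achievable_floor is the assumed lowest detection risk that substantive
    procedures can deliver (the notes say some DR remains even at 100%
    examination). If the required DR falls below it, the auditor cannot reach
    the target audit risk and must consider modifying the opinion.
    """
    dr = acceptable_detection_risk(target_audit_risk, inherent_risk, control_risk)
    if dr < achievable_floor:
        return dr, "modify opinion"           # qualified opinion or disclaimer
    if dr >= 0.5:                             # assumed cut-off for illustration
        return dr, "reduced substantive testing"
    return dr, "extensive substantive testing"


def response_matrix(target_audit_risk: float = 0.05) -> Dict[Tuple[str, str], Tuple[float, str]]:
    """The notes' high/low relationship worked through every IR x CR combination."""
    return {
        (ir, cr): plan_response(target_audit_risk, LEVELS[ir], LEVELS[cr])
        for ir in LEVELS
        for cr in LEVELS
    }


if __name__ == "__main__":
    for (ir, cr), (dr, response) in response_matrix().items():
        print(f"IR={ir:6s} CR={cr:6s} -> acceptable DR={dr:.3f}  {response}")
```

Running the block prints the inverse relationship directly: with IR and CR both high the acceptable DR is about 0.078 and extensive substantive work is needed, while with both low the model's cap of 1.0 is reached and a reduced substantive response suffices.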
CONDITIONS WHICH INCREASES RISK OF FRAUD AND ERROR
While planning and performing an audit, the auditor should consider the risk of material
misstatements that may be caused due to fraud or error. Various conditions and events that
may increase risk of fraud or error are:

1. Weaknesses in the design of internal control system and non-compliance with the laid
down control procedures.
2. Doubts about the integrity or competence of the management.
3. Unusual pressures within the entity.
4. Unusual transactions such as transactions with related parties, excessive payment for
certain services to lawyers, etc.
5. Problems in obtaining sufficient and appropriate audit evidence, e.g., inadequate
documentation, significant differences between the figures as per the accounting records and
confirmations received from third parties, etc.

2. RISK-BASED AUDIT

Audit should be risk-based or focused on areas of greatest risk to the achievement of the audited
entity’s objectives. Risk-based audit (RBA) is an approach to audit that analyzes audit risks,
sets materiality thresholds based on audit risk analysis and develops audit programmes that
allocate a larger portion of audit resources to high-risk areas
The auditor does not normally need to perform specific audit procedures on all areas of audit.
He only needs to design audit programmes and procedures on areas earlier identified as major
risks that could result in the financial statements being materially misstated. RBA is an
essential element of financial audit- both in the attest audit of the financial statements and in
the audit of financial systems and transactions including evaluation of internal controls. It
focuses primarily on the identification and assessment of the financial statement misstatement
risks and provides a framework to reduce the impact to the financial statement of these
identified risks to an acceptable level before rendering an opinion on the financial statements.
It also provides indicators of risks as a basis of opportunity for improvement of auditee risk
management and control processes. This affords an opportunity to the auditee to improve its
operations from recommendations on risks that do not have a current impact on the financial
statements but impact the audited entity’s operational strategies and performance over the
longer term.
In the context of performance audit, it is the risk to delivery of an activity or scheme or
programme of the entity with economy, efficiency and effectiveness. Awareness of areas that
puts the programme or resources at risk from the point of view of economy, efficiency and
effectiveness helps focus audit attention on them. The risk analysis provides a framework for
assurance in performance auditing.

Audit Risk Analysis: The auditor should perform an analysis of the audit risks that impact on
the auditee before undertaking specific audit procedures. Risk assessment is a subjective
process; it is part of the professional judgement of the auditor and depends on the particular
circumstances. Audit risk itself is the risk that the auditor may unknowingly fail to
appropriately modify his opinion on financial statements that are materially misstated.
Audit risks are brought about by error and fraud:
 Error is an unintentional mistake resulting from omission, as when legitimate
transactions and/or balances are excluded from the financial statements; or by
commission, as when erroneous transactions and/or balances are included in the
financial statements.
 Fraud is an intentional misstatement in the accounting records or supporting documents
from which the financial statements are prepared. It is intended to deceive financial
statement users or to conceal misappropriations.
The auditor has the responsibility to plan and perform the audit to obtain reasonable assurance
about whether the financial statements are free of material misstatements, whether caused by
error or fraud.
An error risk may arise from an error in principle, estimate, critical information processing,
financial reporting process or disclosure.
Fraud risk involves manipulation, falsification of accounting records, or misrepresentation in
the financial statements of events, transactions or other significant information, or
misapplication of accounting principles or misappropriation of funds.
2.1 GENERAL STEPS IN THE CONDUCT OF RBA:
RBA consists of four main phases starting with the identification and prioritization of risks, to
the determination of residual risk, reduction of residual risk to acceptable level and the reporting
to auditee of audit results. These are achieved through the following:

Step 1 Understand auditee operations to identify and prioritize risks:


Understanding auditee operations involves processes for reviewing and understanding the
audited organization's risk management processes for its strategies, framework of operations,
operational performance and information process framework, in order to identify and
prioritize the error and fraud risks that impact the audit of financial statements. The
environment in which the auditee operates, the information required to monitor changes in
the environment, and the process or activities integral to the audited entity’s success in
meeting its objectives are the key factors to an understanding of agency risks. Likewise, a
performance review of the audited entity’s delivery of service by comparing expectations
against actual results may also aid in understanding agency operations.
Step 2 Assess auditee management strategies and controls to determine residual audit
risk:
Assessment of management risk strategies and controls is the determination of how
controls within the auditee are designed. The role of internal audit in promoting a sound
accounting system and internal control is recognised, so the SAI (Supreme Audit Institution,
the government auditor from whose guidance these steps are drawn) should evaluate the
effectiveness of internal audit to determine the extent to which reliance can be placed upon it
in the conduct of substantive tests.
Step 3 Manage residual risk to reduce it to acceptable level:
Management of residual risk requires the design and execution of a risk reduction approach
that is efficient and effective to bring down residual audit risk to an acceptable level. This
includes the design and execution of necessary audit procedures and substantive testing to
obtain evidence in support of transactions and balances. More resources should be allocated
to areas of high audit risks, which were earlier known through the analytical procedures
undertaken.

Step 4 Inform auditee of audit results through appropriate report:


The results of audit shall be communicated by the auditor to the audited entity. The auditor
must immediately communicate to the auditee reportable conditions that have been observed
even before completion of the audit, such as weaknesses in the internal control system,
deficiencies in the design and operation of internal controls that affect the organization’s
ability to record, process, summarize and report financial data.
3. IDENTIFYING AND ASSESSING RISK OF MATERIAL MISSTATEMENT (SA 315)
3.1 RISK ASSESSMENT PROCESS

(a) Identify risks throughout the process of obtaining an understanding of the entity and its
environment including the entity’s internal control;
(b) Assess the identified risks and evaluate whether they relate more pervasively to the
financial statements as a whole;
(c) Relate the identified risks to what can go wrong at the assertion level; and
(d) Consider the likelihood of misstatement, including the possibility of multiple
misstatements.

3.2 COMPONENT OF RISK ASSESSMENT PROCEDURE


Inquiries of management and of others within the entity
Much of the information is obtained by the auditor through inquiry of management and of
others within the entity. The auditor may also obtain information, or a different perspective in
identifying risks of material misstatement, through inquiries of others within the entity and
of employees with different levels of authority.
For example:
1. Inquiries directed towards TCWG may help the auditor understand the environment in
which the financial statements are prepared.
2. Inquiries directed toward internal audit personnel may provide information about
internal audit procedures performed during the year relating to the design and
effectiveness of the entity’s internal control and whether management has
satisfactorily responded to findings from those procedures.

Analytical procedures
 Analytical procedures may help identify the existence of unusual transactions or
events, and amounts, ratios, and trends that might indicate matters that have audit
implications.
 Unusual or unexpected relationships that are identified may assist the auditor in
identifying risks of material misstatement, especially risks of material misstatement
due to fraud.

Observation and inspection


Observation and inspection may support inquiries of management and others, and may also
provide information about the entity and its environment.
Examples of such audit procedures include observation or inspection of the following:

 The entity’s operations.


 Documents (such as business plans and strategies), records, and internal control
manuals.
 Reports prepared by management (such as quarterly management reports and interim
financial statements) and TCWG (such as minutes of board of directors’ meetings).
 The entity’s premises and plant facilities.
3.3 RISKS that REQUIRE SPECIAL AUDIT CONSIDERATIONS
In exercising judgment as to which risks are significant risks, the auditor shall consider the
following:

(a) Whether the risk is a risk of fraud;


(b) Whether the risk is related to recent significant economic, accounting, or other
developments;
(c) The complexity of transactions;
(d) Whether the risk involves significant transactions with related parties;
(e) The degree of subjectivity in the measurement of financial information; and
(f) Whether the risk involves significant unusual transactions.
3.4 OBJECTIVE OF AUDITOR
As per SA 315 "Identifying and Assessing the Risk of Material Misstatement through
Understanding the Entity and its Environment” the objective of the auditor is:
 to identify and assess the risks of material misstatement, whether due to fraud or
error,
 at the financial statement and assertion levels,
 through understanding the entity and its environment, including the entity’s internal
control,
 Thereby providing a basis for designing and implementing responses to the assessed
risks of material misstatement.
This will help the auditor to reduce the risk of material misstatement to an acceptably low
level.
3.5 UNDERSTANDING REQUIRED OF ENTITY AND ITS ENVIRONMENT

(a) Relevant industry, regulatory, and other external factors including applicable financial
reporting framework.
(b) The nature of the entity, including:
i. its operations;
ii. its ownership and governance structures;
iii. the types of investments that the entity is making and plans to make; and
iv. the way that the entity is structured and how it is financed;
(c) The entity’s selection and application of accounting policies, including the reasons for
changes thereto.
(d) The entity’s objectives and strategies, and those related business risks that may result
in risks of material misstatement.
(e) The measurement and review of the entity’s financial performance.
3.6 ASSESSMENT OF RISK OF MATERIAL MISSTATEMENT AT F.S AND AT ASSERTION
LEVEL

1. At F.S. Level
 It refers to risks of material misstatement that relate pervasively to the financial
statements as a whole and potentially affect many assertions.
 Risks at the financial statement level may derive in particular from deficient control
environment (although these risks may also relate to other factors, such as declining
economic conditions). For example, deficiencies such as management’s lack of
competence may have a more pervasive effect on the F.S. and may require an overall
response by the auditor.
2. At Assertion Level
Risks of material misstatement at the assertion level for classes of transactions, account
balances, and disclosures need to be considered because such consideration directly assists in
determining the nature, timing, and extent of further audit procedures at the assertion level
necessary to obtain sufficient appropriate audit evidence
3. Assertions evaluated
Transactions and events for the period under audit

 Occurrence - transactions that have been recorded have occurred during the year.
 Completeness-transactions have been recorded completely.
 Accuracy - transactions have been recorded accurately.
 Cut-off - transactions have been recorded in correct accounting period.
 Classification - transactions have been properly classified into capital and revenue.
Account Balances at period end

 Existence - assets and liabilities shown in the balance sheet exists.


 Rights and obligations - rights of the entity have been shown as assets and the
obligations have been shown as liabilities.
 Completeness - assets and liabilities have been recorded completely.
 Valuation and allocation - assets and liabilities are included in the financial
statements at appropriate amounts and any allocation adjustments are
appropriately recorded.

Presentation and Disclosure

 Occurrence and Rights and obligations - disclosed transactions have occurred


and belong to the entity.
 Completeness - disclosures in the financial statements are complete.
 Classification and understandability - financial information is appropriately
presented and disclosures are clearly expressed.
 Accuracy and Valuation - financial and other information are disclosed fairly and
at appropriate amounts.
4. INTERNAL CONTROL
4.1 DEFINITION(as per SA 315)
The process designed, implemented and maintained by TCWG, management and other
personnel to provide reasonable assurance about the achievement of an entity's objectives
with regard to,

 reliability of financial reporting,


 effectiveness and efficiency of operations,
 safeguarding of assets, and
 Compliance with applicable laws and regulations.

The term "controls" refers to any aspect of one or more of the components of internal control.
4.2 NATURE OF INTERNAL CONTROL

A set of internally generated policies and procedures adopted by the management of an


enterprise is a prerequisite for an organisation's efficient and effective performance. It is thus,
a primary responsibility of every management to create and maintain an adequate system of
internal control appropriate to the size and nature of the business entity.

4.3 SCOPE OF INTERNAL CONTROLS

The scope of internal controls extends beyond mere accounting controls and includes
administrative controls concerned with the decision-making process leading to management's
authorisation of transactions. Accounting controls comprise primarily controls relating to
safeguarding of assets, prevention and detection of fraud and error, accuracy and
completeness of accounting records and timely preparation of reliable financial information.
4.4 OBJECTIVES/PURPOSE OF INTERNAL CONTROL
Internal control is designed, implemented and maintained to address identified business
risks that threaten the achievement of any of the entity’s objectives that concern:

(a) Transactions are executed in accordance with management's general or specific
authorization;
(b) All transactions are promptly recorded in the correct amount in the appropriate
accounts and in the accounting period in which executed so as to permit preparation of
financial information within a framework of recognized accounting policies and
practices and relevant statutory requirements, if any, and to maintain accountability
for assets;
(c) Assets are safeguarded from unauthorised access, use or disposition; and
(d) The recorded assets are compared with the existing assets at reasonable intervals and
appropriate action is taken with regard to any differences.
The way in which internal control is designed, implemented and maintained varies with an
entity’s size and complexity.

4.5 LIMITATIONS OF I.C. SYSTEM / INHERENT LIMITATIONS OF AN INTERNAL CONTROL SYSTEM

REASON - EXPLANATION

Cost effectiveness - The cost of implementing a control may be more than its benefits. Thus,
management usually does not implement the best possible controls.

Human error - Human error may occur while carrying out the I.C. system. It may be due to
misunderstanding on the part of personnel.

Collusion among employees - Employees may commit fraud through collusion, either among
themselves or with outsiders.

Abuse of authority - The person responsible for exercising a control can himself override it.
Example: the person responsible for issuing stationery to departments only for authorised use
can himself misappropriate stationery for personal use.

Manipulation by management - Manipulation by high-level management may not be detected by the
control system. Example: manipulation of estimates appearing in the financial statements.

Unusual transactions - An unusual transaction may not be controlled, because control procedures
are generally designed for usual transactions.

Change in conditions - Established control procedures may become inadequate in a fast-changing
environment.

4.6 STRUCTURE OF INTERNAL CONTROL


In order to achieve the objectives of internal controls, it is necessary to establish adequate
control policies and procedures. Most of these policies and procedures cover:
1- Segregation of duties
Transaction processing is allocated to different persons in such a manner that no one person
can carry a transaction through from start to finish, or the work of one person is made
complementary to the work of another. The purpose is to minimise the occurrence of fraud and
errors and to detect them on a timely basis when they do take place.
2- Authorization of transactions
Management must establish delegation of authority to different levels and to particular persons
so that transactions are executed only in accordance with prescribed conditions.
3- Adequacy of Records and Documents
Accounting controls should ensure that –
- Transactions are executed in accordance with management’s general or specific
authorization.
- Transactions and other events are promptly recorded at correct amounts.
- Transactions should be classified in appropriate accounts and in the appropriate
period to which it relates.
4- Accountability and Safeguarding of Assets
The process of accountability of assets commences from acquisitions of assets its use and
final disposal. Safeguarding of assets requires appropriate maintenance of records, their
periodic reconciliation with the related assets.
5- Independent Checks
Independent verification of the control systems, designed and implemented by the
management, involves periodic or regular review by independent persons to ascertain
whether the control procedures are operating effectively or not. Such process may be
carried out by specially assigned staff under the banner of external audit.
4.7 COMPONENTS OF INTERNAL CONTROL
In general, a system of internal control to be considered adequate should include the following
five components:
i. Control environment;
ii. Entity’s Risk assessment Process;
iii. Control activities;
iv. Information system and communication;
v. Monitoring of Controls

1. Control Environment
The control environment includes the governance and management functions and the
attitudes, awareness, and actions of those charged with governance and management
concerning the entity’s internal control and its importance in the entity. The control
environment sets the tone of an organization, influencing the control consciousness of its
people.
Control environment includes the following elements:
1. Communication and enforcement of integrity and Ethical values.
2. Commitment to competence.
3. Participation by TCWG.
4. Management philosophy and operating style.
5. Organisational Structure.
6. Assignment of Authority and Responsibility.
7. Human resources Policies and Practices.
2. Risk Assessment Process
The entity’s risk assessment process forms the basis for how management determines the
risks to be managed. If that process is appropriate to the circumstances, including the
nature, size and complexity of the entity, it assists the auditor in identifying RMM. Risk
can arise or change due to below mentioned circumstances:

1. Changes in Regulatory or Operating environment.


2. Recruitment of New personnel.
3. New or revamped information systems
4. Significant and rapid expansion of operations
5. Incorporating new technologies into production processes.
6. Entering into business areas or transactions with which an entity has little experience.
7. Corporate restructurings.
8. Expansion or acquisition of foreign operations.
9. Adoption of new accounting principles or changing accounting principles.

3. Control Activities
Generally, control activities that may be relevant to an audit may be categorised as policies
and procedures that pertain to the following:
a. Performance reviews - These control activities include reviews and analyses of actual
performance versus budgets, forecasts, and prior period performance.

b. Information processing- The two broad groupings of information systems control


activities are application controls, which apply to the processing of individual
applications, and general IT-controls, which are policies and procedures that relate to
many applications and support the effective functioning of application controls by
helping to ensure the continued proper operation of information systems.
c. Physical controls- Controls that encompass:
 The physical security of assets, including adequate safeguards such as secured
facilities over access to assets and records.
 The authorisation for access to computer programs and data files.

d. Segregation of duties- Assigning different people the responsibilities of authorising


transactions, recording transactions, and maintaining custody of assets.
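The following is an added worked example of the segregation-of-duties principle described in 4.6 (item 1) and in item d above; it is not part of the original notes or of any ICAI material. The people, processes and duty assignments are constructed sample data, and the rule that the person who records a transaction should not also reconcile it is an assumed extension of the three classical incompatible duties (authorising, recording, custody). The check does two things a reviewer of internal control would want: it finds every person holding two incompatible duties within the same transaction cycle, and it reports cycles in which a required duty is held by nobody, since an independent check that no one performs is also a control weakness.

```python
"""Segregation-of-duties check over a role assignment list.

Illustrative code written for these notes; the assignments and the
record/reconcile rule are constructed for the example.
"""
from itertools import combinations
from typing import Dict, List, Set, Tuple

# Duties that must not sit with one person in the same transaction cycle.
# The first three follow the notes; record/reconcile is an assumed extension.
INCOMPATIBLE = {
    frozenset({"authorise", "record"}),
    frozenset({"authorise", "custody"}),
    frozenset({"record", "custody"}),
    frozenset({"record", "reconcile"}),
}

# Every cycle should have each of these duties held by someone.
REQUIRED = ("authorise", "record", "custody", "reconcile")

# Constructed sample: (person, process, duty).
ASSIGNMENTS: List[Tuple[str, str, str]] = [
    ("asha", "purchases", "authorise"),
    ("asha", "purchases", "record"),    # approves the invoice and books it
    ("ravi", "purchases", "custody"),
    ("john", "purchases", "reconcile"),
    ("meena", "payroll", "authorise"),
    ("ravi", "payroll", "record"),
    ("meena", "payroll", "custody"),    # approves the pay run and holds the cheque book
]


def duties_by_person(assignments) -> Dict[Tuple[str, str], Set[str]]:
    """Group duties per (person, process).

    Conflicts are assessed within one cycle: holding custody in purchases and
    recording in payroll is not by itself a segregation failure.
    """
    grouped: Dict[Tuple[str, str], Set[str]] = {}
    for person, process, duty in assignments:
        grouped.setdefault((person, process), set()).add(duty)
    return grouped


def find_conflicts(assignments) -> List[Tuple[str, str, str, str]]:
    """Every (person, process, duty_a, duty_b) where one person holds an incompatible pair."""
    conflicts = []
    for (person, process), duties in duties_by_person(assignments).items():
        for a, b in combinations(sorted(duties), 2):
            if frozenset({a, b}) in INCOMPATIBLE:
                conflicts.append((person, process, a, b))
    return sorted(conflicts)


def coverage_gaps(assignments, required=REQUIRED) -> Dict[str, List[str]]:
    """Processes in which a required duty is held by nobody (missing independent check)."""
    held: Dict[str, Set[str]] = {}
    for _, process, duty in assignments:
        held.setdefault(process, set()).add(duty)
    return {
        process: sorted(set(required) - duties)
        for process, duties in sorted(held.items())
        if set(required) - duties
    }


if __name__ == "__main__":
    for person, process, a, b in find_conflicts(ASSIGNMENTS):
        print(f"CONFLICT  {process:10s} {person:6s} holds both '{a}' and '{b}'")
    for process, missing in coverage_gaps(ASSIGNMENTS).items():
        print(f"GAP       {process:10s} nobody holds: {', '.join(missing)}")
```

On the sample data the check reports two conflicts (asha authorises and records purchases; meena authorises payroll and has custody of the payment instrument) and one gap (nobody reconciles payroll). Remember the limitation the notes give for internal control generally: a clean result only shows that duties are separated on paper, and collusion between two of the people holding complementary duties defeats it.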
4. Information System, Including the Related Business Processes, Relevant to Financial
Reporting, and Communication
An information system consists of infrastructure (physical and hardware components),
software, people, procedures, and data. Many information systems make extensive use of
information technology (IT).
The information system relevant to financial reporting objectives, which includes the financial
reporting system, encompasses methods and records that:
(a) Identify and record all valid transactions.
(b) Describe on a timely basis the transactions in sufficient detail to permit proper classification
of transactions for financial reporting.
(c) Measure the value of transactions in a manner that permits recording their proper monetary
value in the financial statements.
(d) Determine the time period in which transactions occurred to permit recording of
transactions in the proper accounting period.
(e) Present properly the transactions and related disclosures in the financial statements.
5. Monitoring of Controls
An important management responsibility is to establish and maintain internal control on an
ongoing basis. Management’s monitoring of controls includes considering whether they are
operating as intended and that they are modified as appropriate for changes in conditions.
Monitoring of controls may include activities such as, management’s review of whether bank
reconciliations are being prepared on a timely basis, internal auditors’ evaluation of sales
personnel’s compliance with the entity’s policies on terms of sales contracts, and a legal
department’s oversight of compliance with the entity’s ethical or business practice policies.
Monitoring is done also to ensure that controls continue to operate effectively over time. For
example, if the timeliness and accuracy of bank reconciliations are not monitored, personnel
are likely to stop preparing them.

4.8 The overall system of internal control comprises administrative controls and accounting
controls. Internal check and internal audit are important constituents of accounting controls.
Internal Check System
Internal check system implies organization of the overall system of book-keeping and
arrangement of staff duties in such a way that no one person can carry through a transaction
and record every aspect thereof. It is a part of the overall control system and operates basically
as a built-in device as far as organization and job-allocation aspects of the controls are concerned.
The following are the objectives of the internal check system:
(i) To detect errors and frauds with ease.
(ii) To avoid and minimize the possibility of commission of errors and fraud by any staff.
(iii) To increase the efficiency of the staff working within the organization.
(iv) To locate the responsibility area or the stages where actual fraud and error occur.
(v) To protect the integrity of the business by ensuring that accounts are always subject to proper
scrutiny and check.
(vi) To prevent and avoid the misappropriation or embezzlement of cash and falsification of
accounts.
The effectiveness of an efficient system of internal check depends on the following
considerations:
Clarity of Responsibility: The responsibility of different persons engaged in various operations of
business transactions should be properly identified. A well-integrated organizational chart
depicting the names of responsible persons associated with specific functions may help to fix up
responsibility.

Division of Work: The segregation of work should be made in such a manner that the free flow of
work is not interrupted and also helps to determine that the work of one person is complementary
to the other. Then, it is suggested that rotation of different employees through various
components of the job should be effectively implemented.

Standardization: The entire process of accounting should be standardized by creating suitable
policies commensurate with the nature of the business, so as to strengthen the system of internal
check.

Appraisal: Periodic review should be made of the chain of operations and work flow. Such a
process may be carried out by preparing an audit flow chart.
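The defining property of an internal check system, that no one person can carry a transaction through and record every aspect of it, can be tested mechanically against a duty roster. The following Python is an added example, not part of the notes: it takes a mapping of transaction stages to the staff allowed to perform them, reports every person holding two duties that the policy treats as incompatible, lists anyone who could run a transaction end to end alone, and lists stages with nobody assigned. The purchase-cycle stages, the incompatible pairs and the staff names are constructed sample data, not a prescribed policy.

```python
"""Segregation-of-duties check for an internal check system.

Added illustration (not from the notes): models the principle that no one
person should be able to carry a transaction through every stage and record
every aspect of it. Stage names, the incompatible-pair policy and the staff
roster are constructed sample data for a purchase-to-pay cycle.
"""
from itertools import combinations

# Stages a purchase transaction passes through (constructed example).
STAGES = ("raise_requisition", "approve_order", "receive_goods",
          "record_invoice", "authorise_payment", "reconcile_bank")

# Pairs of stages one person must not hold together (constructed policy):
# each pair would let one person both commit the business and conceal it in the books.
INCOMPATIBLE_PAIRS = {
    frozenset({"approve_order", "record_invoice"}),
    frozenset({"authorise_payment", "reconcile_bank"}),
    frozenset({"receive_goods", "record_invoice"}),
}


def duties_by_person(assignments):
    """Invert a {stage: set_of_staff} mapping into {person: set_of_stages}."""
    duties = {}
    for stage, staff in assignments.items():
        for person in staff:
            duties.setdefault(person, set()).add(stage)
    return duties


def find_sod_violations(assignments, incompatible=INCOMPATIBLE_PAIRS):
    """Return sorted (person, stage_a, stage_b) tuples for every incompatible
    pair of stages that a single person is allowed to perform."""
    violations = []
    for person, stages in duties_by_person(assignments).items():
        for a, b in combinations(sorted(stages), 2):
            if frozenset({a, b}) in incompatible:
                violations.append((person, a, b))
    return sorted(violations)


def end_to_end_actors(assignments, stages=STAGES):
    """People who alone can carry a transaction through every stage: exactly
    the situation an internal check system exists to make impossible."""
    duties = duties_by_person(assignments)
    return sorted(p for p, s in duties.items() if set(stages) <= s)


def unstaffed_stages(assignments, stages=STAGES):
    """Stages with nobody assigned: a gap rather than a conflict, but a
    weakness to be raised all the same (the control cannot operate)."""
    return [s for s in stages if not assignments.get(s)]


# Constructed sample roster: Priya both approves orders and records invoices,
# and nobody is assigned to reconcile the bank account.
SAMPLE_ASSIGNMENTS = {
    "raise_requisition": {"Arun", "Priya"},
    "approve_order": {"Priya"},
    "receive_goods": {"Meera"},
    "record_invoice": {"Priya"},
    "authorise_payment": {"Ravi"},
    "reconcile_bank": set(),
}

if __name__ == "__main__":
    for person, a, b in find_sod_violations(SAMPLE_ASSIGNMENTS):
        print("SoD conflict: %s performs both %s and %s" % (person, a, b))
    print("unstaffed stages:", unstaffed_stages(SAMPLE_ASSIGNMENTS))
    print("end-to-end actors:", end_to_end_actors(SAMPLE_ASSIGNMENTS))
```

The same three functions apply to any cycle (sales, payroll, fixed assets) once its stages and incompatible pairs are written down; the incompatible-pair list is the part that encodes the entity's own policy and has to be agreed with management rather than assumed.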
Internal Audit
Internal audit may be defined as an independent appraisal function established within an
organization to examine and evaluate its activities as a service to the organization. The scope of
the internal audit is determined by the management. Internal auditing includes a series of
processes and techniques through which an organization’s own employees ascertain for the
management, by means of on-the-job observation, whether established management controls
are adequate and are effectively maintained; whether records and reports, financial, accounting
and otherwise, reflect actual operations and results accurately and properly; and whether each
division, department or other unit is carrying out the plans, policies and procedures for which
it is responsible.

5. REVIEW OF I.C. BY AUDITOR / EVALUATION OF INTERNAL CONTROL BY THE AUDITOR

Review of I.C. - Meaning: Review of I.C. refers to examination and evaluation of the internal
control system of the client.

Information required for review: The auditor should acquaint himself with the following:
 important features of the business carried on by the concern,
 the nature of the activities,
 system followed in the entire process of manufacturing, trading and administration,
 basis on which the control and procedures are laid down by the management.
This knowledge he can always obtain by having discussions with the various managers of the
organisation. The auditor should also look at the company’s procedures, manuals and
organisation flow charts to ascertain the character, scope and efficacy of the control system.
Sometimes, manuals and charts are not available or very little information is available. In that
case, the auditor should contact the right officers and employees to get the desired information.

Need for review: To assure that the I.C. system is adequate.

Role/Advantages of Review: It enables the auditor to ascertain whether
(i) the internal control system is adequate & operating effectively;
(ii) I.C. is able to prevent, detect & correct material misstatements;
(iii) I.C. properly safeguards the assets;
(iv) I.C. ensures correct recording of transactions;
(v) reports & certificates provided by management are reliable;
(vi) I.C. is weak / excessive in a particular area;
(vii) an effective internal audit department is in operation;
(viii) suggestions can be given to management to improve the I.C. system;
(ix) extensive substantive procedures are required;
(x) audit procedures or techniques need to be changed from the planned ones.

Methods/Tools to Review the I.C. system (Methods of Recording):

1. NARRATIVE RECORD
Complete & exhaustive detail of the system, as found in operation by the auditor.
Example: For stock control evaluation, it contains documents prepared, employees discharging
various duties, various stages of stock movements etc.
Advantages
 Where no properly framed formal I.C. system is found, a complete description is needed; it
is suitable for small businesses.
Limitations
 Detailed observation is needed (time consuming).
 It doesn’t readily identify weaknesses in the system.
 Constant updating is needed if circumstances change.

2. CHECK LIST
It contains a series of questions, to be answered by the audit staff.
Example: “Are tenders invited before placing orders?” A member of the audit staff checks the
same & answers it (“Yes”, “No” or “Not Applicable”). After answering, he puts his initials.
Advantages
 On-the-job requirement, thus motivating.
 The completed checklist is studied by the senior audit staff, thus weaknesses can’t be
overlooked.
 Easy location of weaknesses.
Limitations
 Requires intelligence to prepare a proper checklist.
 Time consuming.
 Client can manipulate when responding to questions raised by audit staff.

3. I.C. QUESTIONNAIRE
A comprehensive series of questions, on each aspect of I.C., prepared by the auditor & filled in
by the client’s employees. Example: “Do you keep invoices pre-numbered?” The client answers
“Yes”, “No” or “Not Applicable”. Usually questions are framed in such a way that “No” shows a
weakness.
Advantages
 Detailed questionnaire, thus no important aspect is overlooked.
 Weaknesses are easily located.
 Evaluating the I.C. system becomes systematic & easy.
 Recommendations can be readily provided by the auditor.
Limitations
 Time consuming.
 Client may answer it in a hasty way.
 Client may manipulate the answers.

4. FLOWCHART
Graphic presentation of each part of the entity’s internal control system. A stock control
procedure, for instance, can be depicted in the form of a diagram. The auditor prepares it after
proper study of the I.C. system of the client.
Advantages
 Concise presentation.
 Easily understandable.
 Gives a “bird’s eye view” of the complete system.
Limitations
 Time consuming to prepare a flowchart which is concise yet shows every important aspect
of I.C.
 Weaknesses can’t be readily located.

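An I.C. questionnaire, once completed, still has to be evaluated, and the two limitations listed for it (hasty answers and manipulated answers) are the reason audit staff corroborate the client's replies. The following Python is an added example, not from the notes: it scores a completed questionnaire in which, as the notes describe, a "No" answer indicates a weakness, sets aside "Not Applicable" items, flags unanswered and malformed replies, treats a "Yes" without a recorded working-paper reference as unsupported, and identifies areas where the proportion of weaknesses is high enough to call for extended substantive procedures. The questions, answers, working-paper references and the 50% threshold are all constructed sample data.

```python
"""Evaluate a completed Internal Control Questionnaire (ICQ).

Added illustration (not from the notes). Questions are framed so that a "No"
answer indicates a weakness. Because the client fills in the ICQ, a "Yes" is
only treated as a control that is in place when the audit staff have recorded
corroborating evidence against it. Questions, answers, evidence references and
the threshold below are constructed sample data.
"""
from collections import defaultdict

# Constructed questionnaire: (id, area, question text)
ICQ = [
    ("P1", "Purchases", "Are tenders invited before placing orders?"),
    ("P2", "Purchases", "Are purchase orders pre-numbered?"),
    ("P3", "Purchases", "Are imports cleared through an approved customs agent?"),
    ("S1", "Sales", "Are invoices pre-numbered?"),
    ("S2", "Sales", "Is credit approved before goods are dispatched?"),
    ("C1", "Cash", "Are bank reconciliations prepared monthly?"),
    ("C2", "Cash", "Is petty cash kept on an imprest system?"),
]

VALID_ANSWERS = {"yes", "no", "n/a"}


def evaluate_icq(questions, responses):
    """responses: {question_id: (answer, evidence)} where evidence is the
    working-paper reference recorded by audit staff, or "" if none.

    Returns a summary with the weaknesses ("No" answers), unsupported "Yes"
    answers, unanswered and invalid items, N/A items, and per-area counts."""
    summary = {"weaknesses": [], "unsupported_yes": [], "unanswered": [],
               "not_applicable": [], "invalid": [], "by_area": {}}
    per_area = defaultdict(lambda: {"asked": 0, "weak": 0})
    for qid, area, text in questions:
        if qid not in responses:
            summary["unanswered"].append(qid)
            continue
        answer, evidence = responses[qid]
        answer = answer.strip().lower()          # tolerate "yes" / "Yes" / " YES "
        if answer not in VALID_ANSWERS:
            summary["invalid"].append(qid)       # a reply that is not yes/no/N/A
            continue
        if answer == "n/a":
            summary["not_applicable"].append(qid)
            continue
        per_area[area]["asked"] += 1
        if answer == "no":
            summary["weaknesses"].append((qid, area, text))
            per_area[area]["weak"] += 1
        elif not evidence.strip():
            summary["unsupported_yes"].append(qid)   # client says yes, nothing seen
    summary["by_area"] = dict(per_area)
    return summary


def areas_needing_extended_procedures(summary, threshold=0.5):
    """Areas where at least `threshold` of the applicable questions showed a
    weakness: a cue that substantive procedures there should be extended."""
    return sorted(area for area, c in summary["by_area"].items()
                  if c["asked"] and c["weak"] / c["asked"] >= threshold)


# Constructed sample of client replies with audit-staff evidence references.
SAMPLE_RESPONSES = {
    "P1": ("No", ""),
    "P2": ("Yes", "WP-12"),
    "P3": ("N/A", ""),
    "S1": ("Yes", ""),            # claimed, but no evidence recorded
    "S2": ("No", ""),
    "C1": ("yes", "WP-30"),
    # C2 left unanswered by the client
}

if __name__ == "__main__":
    result = evaluate_icq(ICQ, SAMPLE_RESPONSES)
    for qid, area, text in result["weaknesses"]:
        print("weakness %s (%s): %s" % (qid, area, text))
    print("unsupported yes:", result["unsupported_yes"])
    print("unanswered:", result["unanswered"])
    print("extend procedures in:", areas_needing_extended_procedures(result))
```

Whether an unsupported "Yes" should be counted as a weakness outright or merely followed up is a judgement for the engagement; the code keeps it in a separate list so that either policy can be applied.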
6. INTERNAL CONTROL ASSESSMENT & EVALUATION

The quality & effectiveness of internal controls is directly dependent on the organisational
environment. The tone at the top (the Board & Executive Management) & the credibility of the
message on internal controls from the top play an important role in establishing a strong control
environment. Following are some of the key components to assess & evaluate the control
environment:
Standard Operating Procedures (SOPs): A well-defined set of SOPs helps define roles,
responsibilities, processes & controls & thus helps clearly communicate the operating controls
to all touch points of a process. The controls are likely to be clearly understood & consistently
applied even during employee turnover.
 Enterprise Risk Management
 Segregation of Job Responsibilities
 Job Rotation in Sensitive Areas
 Delegation of Financial Powers Document
 Information Technology based Controls
TESTING OF INTERNAL CONTROL SYSTEM
After assimilating the internal control system, the auditor needs to examine whether and how
far the same is actually in operation. Tests of control may include:
(a) Inspection of documents supporting transactions and other events to gain audit
evidence that internal controls have operated properly.
(b) Inquiries about and observation of internal controls which leave no audit trail.
(c) Re-performance of internal controls.
(d) Testing of internal controls operating on specific computerised applications.
Based on the results of the tests of control, the auditor should evaluate whether the internal
controls are designed and operating as contemplated in the preliminary assessment of
control risk.
It has been suggested that actual operation of the internal control should be tested by the
application of procedural tests and examination in depth.
IMPACT OF SATISFACTORY CONTROL ENVIRONMENT
 The existence of a satisfactory control environment works as a positive factor when the
auditor assesses the RMM.
 But at the same time, it is to be kept in mind that a satisfactory control environment is
not an absolute deterrent to fraud. Deficiencies in the control environment may
undermine the effectiveness of controls, in particular in relation to fraud.
 As per SA 330, the control environment also influences the nature, timing, and extent
of the auditor’s further procedures.
 The control environment in itself does not prevent, or detect and correct, a material
misstatement. It may, however, influence the auditor’s evaluation of the effectiveness of
other controls (for example, the monitoring of controls and the operation of specific
control activities) and thereby, the auditor’s assessment of the risks of material
misstatement.

REPORTING TO CLIENTS ON INTERNAL CONTROL WEAKNESSES (Refer SA 265)

7. FRAMEWORKS OF INTERNAL CONTROL

Corporate internal controls are part of governance mechanisms of every organisation and,
whether a company adopts a global internal control framework or develops its own, management
should always be guided by the need to safeguard business value. There are a number of global
internal control frameworks that provide guidance to entities for developing and establishing
their internal control systems.
OBJECTIVE: Internal control is fundamental to the successful operation and day-to-day running
of a business and it assists the company in achieving its business objectives. It is wider in scope
and encompasses all controls incorporated into the strategic, governance and management
process, covering the company's entire range of activities and operations, and not limited to
those directly related to financial operations and reporting. There are many internal control
frameworks.
The objective of this chapter is to give an overview of the common international frameworks.

A. GUIDANCE NOTE ON AUDIT OF INTERNAL FINANCIAL CONTROLS OVER FINANCIAL REPORTING:
ICAI has issued a Guidance Note on Audit of Internal Financial Controls Over Financial
Reporting which covers aspects such as scope of reporting on internal financial controls
under the Companies Act 2013, essential components of internal controls, technical guidance on
audit of Internal Financial Controls, and implementation guidance on audit of Internal Financial
Controls. The Guidance Note states as below:
“To state whether a set of financial statements presents a true and fair view, it is essential to
benchmark and check the financial statements for compliance with the financial reporting
framework.”
International Internal Control Frameworks

A. Internal Control - Integrated Framework issued by the Committee of Sponsoring Organisations
of the Treadway Commission (COSO Framework)
COSO’s Internal Control - Integrated Framework was introduced in 1992 as guidance on how to
establish better controls so companies can achieve their objectives. COSO categorizes entity-level
objectives into operations, financial reporting, and compliance. The framework includes more
than 20 basic principles representing the fundamental concepts associated with its five
components: control environment, risk assessment, control activities, information and
communication, and monitoring. Some of the principles include key elements for compliance,
such as integrity and ethical values, authorities and responsibilities, policies and procedures,
and reporting deficiencies.
Operations Objectives - related to the effectiveness and efficiency of the entity's operations,
including operational and financial performance goals, and safeguarding assets against loss.
Reporting Objectives - related to internal and external financial and non-financial reporting to
stakeholders, which would encompass reliability, timeliness, transparency, or other terms as
established by regulators, standard setters, or the entity’s policies.
Compliance Objectives - In the Framework, the compliance objective was described as “relating
to the entity’s compliance with applicable laws and regulations.” The Framework considers the
increased demands and complexities in laws, regulations, and accounting standards.

The Framework also clarifies the requirements for effective internal control. This was
largely done through the articulation of the 17 principles, which are relevant to every entity
and must be present and functioning in order to have an effective system of internal control.
Here are the titles of the 17 internal control principles by internal control component as
presented in COSO's framework:

Control Environment
 Demonstrates commitment to integrity and ethical values
 Exercises oversight responsibility
 Establishes structure, authority, and responsibility
 Demonstrates commitment to competence
 Enforces accountability

Risk Assessment
 Specifies suitable objectives
 Identifies and analyses risk
 Assesses fraud risk
 Identifies and analyses significant change

Control Activities
 Selects and develops control activities
 Selects and develops general controls over technology
 Deploys through policies and procedures

Information and Communication
 Uses relevant information
 Communicates internally
 Communicates externally

Monitoring
 Conducts ongoing and/or separate evaluations
 Evaluates and communicates deficiencies

B- Guidance on Assessing Control published by the Canadian Institute of Chartered
Accountants (CoCo)
The Criteria of Control (CoCo) framework was introduced in 1992 and developed by the Canadian
Institute of Chartered Accountants with the objective of improving organisational performance
and decision-making with better controls, risk management, and corporate governance. In 1995,
Guidance on Control was produced, describing the CoCo framework and defining control.
The framework includes 20 criteria for effective control in four areas of an organization:
purpose (direction), commitment (identity and values), capability (competence), and monitoring
and learning (evolution).
The framework emphasizes that control involves the entire organization but begins on an
individual level, with the employee.
The CoCo framework outlines criteria for effective control in the following four areas:
• Purpose
• Commitment
• Capability
• Monitoring and Learning
In order to assess whether controls exist and are operating effectively, each criterion would
be examined to identify the controls that are in place to address them.

C- Control Objectives for Information and Related Technology (COBIT)
COBIT stands for Control Objectives for Information and Related Technology. It is a framework
created by the ISACA (Information Systems Audit and Control Association) for IT governance
and management. COBIT has 34 high-level processes that cover 210 control objectives
categorized in four domains: planning and organization, acquisition and implementation,
delivery and support, and monitoring and evaluation. It is designed as a supportive tool for
managers and allows bridging the crucial gap between technical issues, business risks and
control requirements.
Business managers are equipped with a model to deliver value to the organization and practice
better risk management practices associated with the IT processes. It is a control model that
guarantees the integrity of the information system. Today, COBIT is used globally by all
managers who are responsible for the IT business processes. It is a thoroughly recognized
guideline that can be applied to any organization across industries. Overall, COBIT ensures
quality, control and reliability of information systems in organization, which is also the most
important aspect of every modern business.
This framework guides an organization on how to use IT resources (i.e., applications,
information, infrastructure, and people) to manage IT domains, processes, and activities to
respond to business requirements, which include compliance, effectiveness, efficiency,
confidentiality, integrity, availability, and reliability. Well-governed IT practices can assist
businesses in complying with laws, regulations, and contractual arrangements.
D- Internal Control: Guidance for Directors on the Combined Code, published by the
Institute of Chartered Accountants in England & Wales (known as the Turnbull Report)
When the Combined Code of the Committee on Corporate Governance (the Code) was
published, the Institute of Chartered Accountants in England & Wales agreed with the London
Stock Exchange that it would provide guidance to assist listed companies to implement the
requirements in the Code relating to internal control. The key principles of the Code are
enunciated as below:
The board should maintain a sound system of internal control to safeguard shareholders'
investment and the company’s assets.
The directors should, at least annually, conduct a review of the effectiveness of the group’s
system of internal control and should report to shareholders that they have done so. The review
should cover all controls, including financial, operational and compliance controls and risk
management.
Companies which do not have an internal audit function should from time to time review the
need for one.
The guidance requires directors to exercise judgement in reviewing how the company has
implemented the requirements of the Code relating to internal control and reporting to
shareholders thereon. The guidance is based on the adoption by a company’s board of a risk-
based approach to establishing a sound system of internal control and reviewing its
effectiveness. This should be incorporated by the company within its normal management and
governance processes. It should not be treated as a separate exercise undertaken to meet
regulatory requirements.

E- Sarbanes-Oxley Section 404
SOX Section 404 (Sarbanes-Oxley Act Section 404) mandates that all publicly-traded
companies must establish internal controls and procedures for financial reporting and must
document, test and maintain those controls and procedures to ensure their effectiveness. The
purpose of SOX is to reduce the possibilities of corporate fraud by increasing the stringency of
procedures and requirements for financial reporting. The Sarbanes Oxley Act, signed into law
in 2002, has revamped federal regulations pertaining to publicly traded companies' corporate
governance and reporting obligations. The PCAOB followed with AS 2, which was approved by
the SEC in June 2004. AS 2 was replaced in May 2007 by AS 5.
The SEC rules and PCAOB standard require that:
• Management perform a formal assessment of its controls over financial reporting including
tests that confirm the design and operating effectiveness of the controls.
• Management include in its annual report an assessment of ICFR.
• The external auditors provide two opinions as part of a single integrated audit of the
company:
- An independent opinion on the effectiveness of the system of ICFR.
- The traditional opinion on the financial statements.
There are a number of different definitions of the term internal control. For the purposes of
Section 404, the great majority of companies and all the CPA firms use the definition in COSO’s
Internal Control - Integrated Framework. The COSO framework has made it easier for
management to see what’s covered and where gaps may exist in their SOX 404 compliance
program.
Management needs to determine whether the system of internal control in effect as of the date
of the assessment provides reasonable assurance that material errors, in either interim or
annual financial statements, will be prevented or detected.
The rules issued by Securities and Exchange Commission require a company’s annual report
to include an internal control report of management that contains:
- A statement of management’s responsibility for establishing and maintaining adequate
internal control over financial reporting for the company.
- A statement identifying the framework used by management to conduct the required
evaluation of the effectiveness of the company’s internal control over financial reporting.
- Management’s assessment of the effectiveness of the company's internal control over
financial reporting as of the end of the company’s most recent fiscal year, including a
statement as to whether or not the company's internal control over financial reporting is
effective. The assessment must include disclosure of any “material weaknesses” in the
company’s internal control over financial reporting identified by management.
Management is not permitted to conclude that the company’s internal control over
financial reporting is effective if there are one or more material weaknesses in the
company’s internal control over financial reporting.
- A statement that the registered public accounting firm that audited the financial
statements included in the annual report has issued an attestation report on management’s
assessment of the registrant’s internal control over financial reporting.
The final rules also require a company to file, as part of the company’s annual report, the
attestation report of the registered public accounting firm that audited the company's financial
statements.
