STATEMENT ON STANDARD AUDITING PRACTICES (SAP) 6

(REVISED) ON RISK ASSESSMENTS AND INTERNAL

CONTROL
The following is the text of the of the Revised Statement on Standard Auditing
Practices (SAP) 6, on "Risk Assessments and Internal Control" issued by the Auditing
Practices Committee of the Institute of Chartered Accountants of India. This Statement
should be read in conjunction with the "Preface to the Statements on Standard Auditing
Practices", issued by the Institute.
Introduction
1. The purpose of this Statement on Standard Auditing Practices (SAP) is to establish
standards on the procedures to be followed to obtain an understanding of the
accounting and internal control systems and on audit risk and its components:
inherent risk, control risk and detection risk. The principles laid down in the other
SAPs, issued by the Institute of Chartered Accountants of India, would be
applicable, to the extent practicable, to this SAP also. In this Statement, the term
'financial information' encompasses 'financial statements'. In some circumstances,
specific legislations and regulations may require the auditor to undertake
procedures additional to those set out in this SAP.
2. The auditor should obtain an understanding of the accounting and internal
control systems sufficient to plan the audit and develop an effective audit
approach. The auditor should use professional judgement to assess audit
risk and to design audit procedures to ensure that it is reduced to an
acceptably low level.
3. "Audit risk" means the risk that the auditor gives an inappropriate audit opinion
when the financial statements are materially misstated. Audit risk has three
components: inherent risk, control risk and detection risk.
4. "Inherent risk" is the susceptibility of an account balance or class of transactions to
misstatement that could be material, either individually or when aggregated with
misstatements in other balances or classes, assuming that there were no related
internal controls.
5. "Control risk" is the risk that a misstatement, that could occur in an account
balance or class of transactions and that could be material, either individually or
when aggregated with misstatements in other balances or classes, will not be
prevented or detected and corrected on a timely basis by the accounting and
internal control systems.
1. The original Statement on Standard Auditing Practices (SAP) 6 "Study and Evaluation of the Accounting System
and Related Internal Controls in Connection with an Audit" issued in May, 1988 would continue to be operative for all
audits relating to accounting periods ending on or before March 31, 2002.

2. With the formation of the Auditing Practices Committee in 1982, the Council of the Institute has been issuing a
series of Statements on Standard Auditing Practices (SAPs). Statements on Standard Auditing Practices lay down
the principles governing an audit. These principles apply whenever an independent audit is carried out. Statements
on Standard Auditing Practices become mandatory on the dates specified in the respective SAPs. Their mandatory
status implies that, while discharging their attest function, it will be the duty of the members of the Institute to ensure
that the SAPs are followed in the audit of financial information covered by their audit reports. If, for any reason, a
member has not been able to perform an audit in accordance with the SAPs, his report should draw attention to the
material departures therefrom.
6. "Detection risk" is the risk that an auditor's substantive procedures will not detect a
misstatement that exists in an account balance or class of transactions that could
be material, either individually or when aggregated with misstatements in other
balances or classes.
7. "Accounting System" means the series of tasks and records of an entity by which
transactions are processed as a means of maintaining financial records. Such
systems identify, assemble, analyse, calculate, classify, record, summarise and
report transactions and other events.
8. "Internal Control System" means all the policies and procedures (internal controls)
adopted by the management of an entity to assist in achieving management's
objective of ensuring, as far as practicable, the orderly and efficient conduct of its
business, including adherence to management policies, the safeguarding of
assets, the prevention and detection of fraud and error, the accuracy and
completeness of the accounting records, and the timely preparation of reliable
 financial information. The internal audit function constitutes a separate component
of internal control with the objective of determining whether other internal controls
are well designed and properly operated.
9. The system of internal control must be under continuing supervision by
management to determine that it is functioning as prescribed and is modified, as
appropriate, for changes in conditions. The internal control system extends beyond
those matters which relate directly to the functions of the accounting system and
comprises:

a. "the control environment" which means the overall attitude, awareness

and actions of directors and management regarding the internal control
system and its importance in the entity. The control environment has an
effect on the effectiveness of the specific control procedures and provides
the background against which other controls are operated. A strong control
environment, for example, one with tight budgetary controls and an
effective internal audit function, can significantly complement specific
control procedures. However, a strong control environment does not, by
itself, ensure the effectiveness of the internal control system. Factors
reflected in the control environment include:

o The entity's organisational structure and methods of assigning

authority and responsibility (including segregation of duties and
supervisory functions).

o The function of the board of directors and its committees in the

case of a company or the corresponding governing body in case
of any other entity.

o Management's philosophy and operating style.

o Management's control system including the internal audit function,

personnel policies and procedures.
b. "control procedures" which means those policies and procedures in
addition to the control environment which management has established to
achieve the entity's specific objectives. Specific control procedures
include:

o Reporting and reviewing reconciliations.

o Checking the arithmetical accuracy of the records.Controlling

applications and environment of computer information
environment systems, for example, by establishing controls over:

 changes to computer programs

 access to data files.

o Maintaining and reviewing control accounts and related subsidiary

ledgers.

o Approving and controlling of documents.

o Comparing internal data with external sources of information.

o Comparing the results of physical verification of cash, fixed

assets, investments and inventory with corresponding accounting
records.

o Restricting direct access to assets, records and information.

 o Comparing and analysing the financial results with corresponding
budgeted figures.
10. In the audit of financial statements, the auditor is concerned only with those
policies and procedures within the accounting and internal control systems that are
relevant to the assertions made in the financial statements. The understanding of
relevant aspects of the accounting and internal control systems, together with the
inherent and control risk assessments and other considerations, will enable the
auditor to:

a. assess the adequacy of the accounting system as a basis for preparing

the financial statements;

b. identify the types of potential material misstatements that could occur in

the financial statements;

c. consider factors that affect the risk of material misstatements; and

d. develop an appropriate audit plan and determine the nature, timing and
extent of his audit procedures.
11. When developing the audit approach, the auditor considers the preliminary
assessment of control risk (in conjunction with the assessment of inherent risk) to
determine the appropriate detection risk that may be accepted by the auditor for
the assertions made in the financial statements and to determine the nature, timing
and extent of substantive procedures for such assertions.
Inherent Risk
12. In developing the overall audit plan, the auditor should assess inherent risk
at the level of financial statements. In developing the audit programme, the
auditor should relate such assessment to material account balances and
classes of transactions at the level of assertions made in the financial
statements, or assume that inherent risk is high for the assertion, taking into
account factors relevant both to the financial statements as a whole and to
the specific assertions. When the auditor makes an assessment that the
inherent risk is not high, he should document the reasons for such
assessment.
13. To assess inherent risk, the auditor would use professional judgement to evaluate
numerous factors, having regard to his experience of the entity from previous audit
engagements of the entity, any controls established by management to
compensate for a high level of inherent risk, and his knowledge of any significant
changes which might have taken place since his last assessment. Examples of
such factors are:

At the Level of Financial Statements

• The integrity of the management.

• Management's experience and knowledge and changes in management

during the period, for example, the inexperience of management may
affect the preparation of the financial statements of the entity.

• Unusual pressures on management, for example, circumstances that

might predispose management to misstate the financial statements, such
as the industry experiencing a large number of business failures or an
entity that lacks sufficient capital to continue operations.

• The nature of the entity's business, for example, the potential for
technological obsolescence of its products and services, the complexity of
its capital structure, the significance of related parties and the number of
 locations and geographical spread of its production facilities.

• Factors affecting the industry in which the entity operates, for example,
economic and competitive conditions as indicated by financial trends and
ratios, and changes in technology, consumer demand and accounting
practices common to the industry.

At the Level of Account Balance and Class of Transactions

• Quality of the accounting system.

• Financial statements are likely to be susceptible to misstatement, for

example, accounts which required adjustment in the prior period or which
involve a high degree of estimation.

• The complexity of underlying transactions and other events which might

require using the work of an expert.

• The degree of judgement involved in determining account balances.

• Susceptibility of assets to loss or misappropriation, for example, assets

which are highly desirable and movable such as cash.

• The completion of unusual and complex transactions, particularly, at or

near period end.

• Transactions not subjected to ordinary processing.

Accounting and Internal Control Systems

14. Internal controls relating to the accounting system are concerned with achieving
the following objectives :

• Transactions are executed in accordance with management's general or

specific authorisation.

• All transactions and other events are promptly recorded in the correct
amount, in the appropriate accounts and in the proper accounting period
so as to permit preparation of financial statements in accordance with the
applicable accounting standards, other recognised accounting policies and
practices and relevant statutory requirements, if any, and to maintain
accountability for assets. .

• Assets and records are safeguarded from unauthorised access, use or

disposition.

• Recorded assets are compared with the existing assets at reasonable

intervals and appropriate action is taken with regard to any differences.
Inherent Limitations of Internal Controls
15. Accounting and internal control systems can provide only reasonable, but not
absolute, assurance that the objectives stated above are achieved. This is
because the internal control systems are subject to some inherent limitations, such
as:

• Management's consideration that the cost of an internal control does not

 exceed the expected benefits to be derived.

• The fact that most internal controls do not tend to be directed at

transactions of unusual nature.

• The potential for human error, such as, due to carelessness, distraction,
mistakes of judgement and the misunderstanding of instructions.

• The possibility of circumvention of internal controls through the collusion

with employees or with parties outside the entity.

• The possibility that a person responsible for exercising an internal control

could abuse that responsibility, for example, a member of management
overriding an internal control.

• The possibility that procedures may become inadequate due to changes in

conditions and compliance with procedures may deteriorate.

• Manipulations by management with respect to transactions or estimates

and judgements required in the preparation of financial statements.

Understanding the Accounting and Internal Control Systems

16. When obtaining an understanding of the accounting and internal control systems
to plan the audit, the auditor obtains a knowledge of the design of the accounting
and internal control systems, and their operation. For example, an auditor may
perform a "walk-through" test, that is, tracing a few transactions through the
accounting system. When the transactions selected are typical of those
transactions that pass through the system, this procedure may be treated as part
of the tests of control. The nature and extent of walk-through tests performed by
the auditor are such that they alone would not provide sufficient appropriate audit
evidence to support a control risk assessment which is less than high.
17. The nature, timing and extent of the procedures performed by the auditor to obtain
an understanding of the accounting and internal control systems will vary with,
among other things:
The size and complexity of the entity and of its information system.

Materiality considerations.

The type of internal controls involved.

The nature of the entity's documentation of specific internal controls.

The auditor's assessment of inherent risk.

18. Ordinarily, the auditor's understanding of the accounting and internal control
systems significant to the audit is obtained through previous experience with the
entity and is supplemented by:

a. inquiries of appropriate management, supervisory and other personnel at

various organisational levels within the entity, together with reference to
documentation, such as procedures manuals, job descriptions, systems
descriptions and flow charts;

b. inspection of documents and records produced by the accounting and

internal control systems; and

c. observation of the entity's activities and operations, including observation

of the organisation of computer operations, personnel performing control
procedures and the nature of transaction processing.
Accounting System
19. The auditor should obtain an understanding of the accounting system
sufficient to identify and understand:

a. major classes of transactions in the entity's operations;

b. how such transactions are initiated;

c. significant accounting records, supporting documents and specific

accounts in the financial statements; and

d. the accounting and financial reporting process, from the initiation of

significant transactions and other events to their inclusion in the
financial statements.
Control Environment
20. The auditor should obtain an understanding of the control environment
sufficient to assess management's attitudes, awareness and actions
regarding internal controls and their importance in the entity. Such an
understanding would also help the auditor to make a preliminary assessment of
the adequacy of the accounting and internal control systems as a basis for the
preparation of the financial statements, and of the likely nature, timing and extent
of audit procedures.
21. The auditor should obtain an understanding of the control procedures
sufficient to develop the audit plan. In obtaining this understanding, the auditor
would consider knowledge about the presence or absence of control procedures
obtained from the understanding of the control environment and accounting
system in determining whether any additional understanding of control procedures
is necessary. Because control procedures are integrated with the control
environment and the accounting system, as the auditor obtains an understanding
of the control environment and the accounting system, some knowledge about
control procedures is also likely to be obtained, for example, in obtaining an
understanding of the accounting system pertaining to cash, the auditor ordinarily
becomes aware of whether bank accounts are reconciled regularly. Ordinarily,
development of the overall audit plan does not require an understanding of control
procedures for every financial statement assertion in each account balance and
transaction class.
Control Risk
22. After obtaining an understanding of the accounting system and internal
control system, the auditor should make a preliminary assessment of control
risk, at the assertion level, for each material account balance or class of
transactions.
Preliminary Assessment of Control Risk
23. The preliminary assessment of control risk is the process of evaluating the likely
effectiveness of an entity's accounting and internal control systems in preventing
or detecting and correcting material misstatements. The preliminary assessment of
control risk is based on the assumption that the controls operate generally as
described and that they operate effectively throughout the period of intended
reliance. There will always be some control risk because of the inherent limitations
of any accounting and internal control system.
24. The auditor ordinarily assesses control risk at a high level for some or all
assertions when:

a. the entity's accounting and internal control systems are not effective; or

b. evaluating the effectiveness of the entity's accounting and internal control

systems would not be efficient.

In the above circumstances, the auditor would obtain sufficient appropriate audit
evidence from substantive procedures and from any audit work carried out in the
 preparation of financial statements.
25. The preliminary assessment of control risk for a financial statement
assertion should be high unless the auditor:

a. is able to identify internal controls relevant to the assertion which are

likely to prevent or detect and correct a material misstatement; and

b. plans to perform tests of control to support the assessment.

Documentation of Understanding and Assessment of Control Risk
26. The auditor should document in the audit working papers:

a. the understanding obtained of the entity's accounting and internal

control systems; and

b. the assessment of control risk.

When control risk is assessed at less than high, the auditor would also
document the basis for the conclusions.
27. Different techniques may be used to document information relating to accounting
and internal control systems. Selection of a particular technique is a matter for the
auditor's judgement. Common techniques, used alone or in combination, are
narrative descriptions, questionnaires, check lists and flow charts. The form and
extent of this documentation is influenced by the size and complexity of the entity
and the nature of the entity's accounting and internal control systems. Generally,
the more complex the entity's accounting and internal control systems and the
more extensive the auditor's procedures, the more extensive the auditor's
documentation will need to be.
Tests of Control
28. Tests of control are performed to obtain audit evidence about the effectiveness of
the:

a. design of the accounting and internal control systems, that is, whether
they are suitably designed to prevent or detect and correct material
misstatements; and

b. operation of the internal controls throughout the period.

Tests of control include tests of elements of the control environment where

strengths in the control environment are used by auditors to reduce control risk.
29. Some of the procedures performed to obtain the understanding of the accounting
and internal control systems may not have been specifically planned as tests of
control but may provide audit evidence about the effectiveness of the design and
operation of internal controls relevant to certain assertions and, consequently,
serve as tests of control. For example, in obtaining the understanding of the
accounting and internal control systems pertaining to cash, the auditor may have
obtained audit evidence about the effectiveness of the bank reconciliation process
through inquiry and observation.
30. When the auditor concludes that procedures performed to obtain the
understanding of the accounting and internal control systems also provide audit
evidence about the suitability of design and operating effectiveness of policies and
procedures relevant to a particular financial statement assertion, the auditor may
use that audit evidence, provided it is sufficient to support a control risk
assessment at less than a high level.
31. Tests of control may include:
Inspection of documents supporting transactions and other events to gain
audit evidence that internal controls have operated properly, for example,
verifying that a transaction has been authorised.
 Inquiries about, and observation of, internal controls which leave no audit
trail, for example, determining who actually performs each function and not
merely who is supposed to perform it.

Re-performance of internal controls, for example, reconciliation of bank

accounts, to ensure they were correctly performed by the entity.

Testing of internal control operating on specific computerised applications

or over the overall information technology function, for example, access or
program change controls.
32. The auditor should obtain audit evidence through tests of control to support
any assessment of control risk which is less than high. The lower the
assessment of control risk, the more evidence the auditor should obtain that
accounting and internal control systems are suitably designed and operating
effectively.
33. When obtaining audit evidence about the effective operation of internal controls,
the auditor considers how they were applied, the consistency with which they were
applied during the period and by whom they were applied. The concept of effective
operation recognises that some deviations may have occurred. Deviations from
prescribed controls may be caused by such factors as changes in key personnel,
significant seasonal fluctuations in volume of transactions and human error. When
deviations are detected the auditor makes specific inquiries regarding these
matters, particularly, the timing of staff changes in key internal control functions.
The auditor then ensures that the tests of control appropriately cover such a period
of change or fluctuation.
34. In a computer information systems environment, the objectives of tests of control
do not change from those in a manual environment; however, some audit
procedures may change. The auditor may find it necessary, or may prefer, to use
computer-assisted audit techniques. The use of such techniques, for example, file
interrogation tools or audit test data, may be appropriate when the accounting and
internal control systems provide no visible evidence documenting the performance
of internal controls which are programmed into a computerised accounting system.
35. Based on the results of the tests of control, the auditor should evaluate
whether the internal controls are designed and operating as contemplated in
the preliminary assessment of control risk. The evaluation of deviations may
result in the auditor concluding that the assessed level of control risk needs to be
revised. In such cases, the auditor would modify the nature, timing and extent of
planned substantive procedures.
Quality and Timeliness of Audit Evidence
36. Certain types of audit evidence obtained by the auditor are more reliable than
others. Ordinarily, the auditor's observation provides more reliable audit evidence
than merely making inquiries, for example, the auditor might obtain audit evidence
about the proper segregation of duties by observing the individual who applies a
control procedure or by making inquiries of appropriate personnel. However, audit
evidence obtained by some tests of control, such as observation, pertains only to
the point in time at which the procedure was applied. The auditor may decide,
therefore, to supplement these procedures with other tests of control capable of
providing audit evidence about other periods of time.
37. In determining the appropriate audit evidence to support a conclusion about
control risk, the auditor may consider the audit evidence obtained in prior audits. In
a continuing engagement, the auditor will be aware of the accounting and internal
control systems through work carried out previously but will need to update the
knowledge gained and consider the need to obtain further audit evidence of any
changes in control. Before relying on procedures performed in prior audits,
the auditor should obtain audit evidence which supports this reliance. The
auditor would obtain audit evidence as to the nature, timing and extent of any
changes in the entity's accounting and internal control systems since such
procedures were performed and assess their impact on the auditor's intended
reliance. The longer the time elapsed since the performance of such procedures
the less assurance that may result.
38. The auditor should consider whether the internal controls were in use
throughout the period. If substantially different controls were used at different
times during the period, the auditor would consider each separately. A breakdown
in internal controls for a specific portion of the period requires separate
consideration of the nature, timing and extent of the audit procedures to be applied
to the transactions and other events of that period.
39. The auditor may decide to perform some tests of control during an interim visit in
advance of the period end. However, the auditor cannot rely on the results of such
tests without considering the need to obtain further audit evidence relating to the
remainder of the period. Factors to be considered include:

• The results of the interim tests.

• The length of the remaining period.
• Whether any changes have occurred in the accounting and internal control
systems during the remaining period.
• The nature and amount of the transactions and other events and the
balances involved.
• The control environment, especially supervisory controls.

• The nature, timing and extent of substantive procedures which the auditor
plans to carry out.
Final Assessment of Control Risk
40. Before the conclusion of the audit, based on the results of substantive
procedures and other audit evidence obtained by the auditor, the auditor
should consider whether the assessment of control risk is confirmed. In
case of deviations from the prescribed accounting and internal control
systems, the auditor would make specific inquiries to consider their
implications. Where, on the basis of such inquiries, the auditor concludes
that the deviations are such that the preliminary assessment of control risk
is not supported, he would amend the same unless the audit evidence
obtained from other tests of control supports that assessment. Where the
auditor concludes that the assessed level of control risk needs to be revised,
he would modify the nature, timing and extent of his planned substantive
procedures.
Relationship between the Assessments of Inherent and Control Risks
41. Management often reacts to inherent risk situations by designing accounting and
internal control systems to prevent or detect and correct misstatements and
therefore, in many cases, inherent risk and control risk are highly interrelated. In
such situations, if the auditor attempts to assess inherent and control risks
separately, there is a possibility of inappropriate risk assessment. As a result, audit
risk may be more appropriately determined in such situations by making a
combined assessment.
Detection Risk
42. The level of detection risk relates directly to the auditor's substantive procedures.
The auditor's control risk assessment, together with the inherent risk assessment,
influences the nature, timing and extent of substantive procedures to be performed
to reduce detection risk, and therefore audit risk, to an acceptably low level. Some
detection risk would always be present even if an auditor were to examine 100
percent of the account balances or class of transactions because, for example,
most audit evidence is persuasive rather than conclusive.
43. The auditor should consider the assessed levels of inherent and control
risks in determining the nature, timing and extent of substantive procedures
required to reduce audit risk to an acceptably low level. In this regard the
auditor would consider:

a. the nature of substantive procedures, for example, using tests directed

toward independent parties outside the entity rather than tests directed
toward parties or documentation within the entity, or using tests of details
 for a particular audit objective in addition to analytical procedures;

b. the timing of substantive procedures, for example, performing them at

period end rather than at an earlier date; and

c. the extent of substantive procedures, for example, using a larger sample

size.
44. There is an inverse relationship between detection risk and the combined level of
inherent and control risks. For example, when inherent and control risks are high,
acceptable detection risk needs to be low to reduce audit risk to an acceptably low
level. On the other hand, when inherent and control risks are low, an auditor can
accept a higher detection risk and still reduce audit risk to an acceptably low level.
Refer to the Appendix to this SAP for an illustration of the interrelationship of the
components of audit risk.
45. While tests of control and substantive procedures are distinguishable as to their
purpose, the results of either type of procedure may contribute to the purpose of
the other. Misstatements discovered in conducting substantive procedures may
cause the auditor to modify the previous assessment of control risk. Refer to the
Appendix to this SAP for an illustration of the interrelationship of the components
of audit risk.
46. The assessed levels of inherent and control risks cannot be sufficiently low to
eliminate the need for the auditor to perform any substantive procedures.
Regardless of the assessed levels of inherent and control risks, the auditor
should perform some substantive procedures for material account balances
and classes of transactions.
47. The auditor's assessment of the components of audit risk may change during the
course of an audit, for example, information may come to the auditor's attention
when performing substantive procedures that differs significantly from the
information on which the auditor originally assessed inherent and control risks. In
such cases, the auditor would modify the planned substantive procedures based
on a revision of the assessed levels of inherent and control risks.
48. The higher the assessment of inherent and control risks, the more audit
evidence the auditor should obtain from the performance of substantive
procedures. When both inherent and control risks are assessed as high, the
auditor needs to consider whether substantive procedures can provide sufficient
appropriate audit evidence to reduce detection risk, and therefore audit risk, to an
acceptably low level. When the auditor determines that detection risk
regarding a financial statement assertion for a material account balance or
class of transactions cannot be reduced to an acceptable level, the auditor
should express a qualified opinion or a disclaimer of opinion as may be
appropriate.
Audit Risk in the Small Business
49. The auditor needs to obtain the same level of assurance in order to express an
unqualified opinion on the financial statements of both small and large entities.
However, many internal controls which would be relevant to large entities are not
practical in the small business. For example, in small businesses, accounting
procedures may be performed by a few persons who may have both operating and
custodial responsibilities, and therefore segregation of duties may be missing or
severely limited. Inadequate segregation of duties may, in some cases, be offset
by a strong management control system in which owner/manager supervisory
controls exist because of direct personal knowledge of the entity and involvement
in transactions. In circumstances where segregation of duties is limited and audit
evidence of supervisory controls is lacking, the audit evidence necessary to
support the auditor's opinion on the financial statements may have to be obtained
entirely through the performance of substantive procedures.
Communication of Weaknesses
50. As a result of obtaining an understanding of the accounting and internal control
systems and tests of control, the auditor may become aware of weaknesses in the
 systems. The auditor should make management aware, as soon as practical
and at an appropriate level of responsibility, of material weaknesses in the
design or operation of the accounting and internal control systems, which
have come to the auditor's attention. The communication to management of
material weaknesses would ordinarily be in writing. However, if the auditor judges
that oral communication is appropriate, such communication would be
documented in the audit working papers. It is important to indicate in the
communication that only weaknesses which have come to the auditor's attention
as a result of the audit have been reported and that the examination has not been
designed to determine the adequacy of internal control for management purposes.
51. This Statement on Standard Auditing Practices becomes operative for all audits
related to accounting periods beginning on or after 1st April, 2002.
Appendix
Illustration of the Interrelationship of the Components of Audit Risk
The following table shows how the acceptable level of detection risk may vary based on
assessments of inherent and control risks.
Auditor's assessment of control risk is:
High Medium Low
Auditor's assessment of High Lowest Lower Medium
inherent risk Medium Lower Medium Higher
Low Medium Higher Highest
The shaded areas in this table relate to detection risk.

There is an inverse relationship between detection risk and the combined level of
inherent and control risks. For example, when inherent and control risks are high,
acceptable levels of detection risk need to be low to reduce audit risk to an acceptably
low level. On the other hand, when inherent and control risks are low, an auditor can
accept a higher detection risk and still reduce audit risk to an acceptably low level.