Statement On Standard Auditing Practices (Sap) 6 (Revised) On Risk Assessments and Internal Control
Statement On Standard Auditing Practices (Sap) 6 (Revised) On Risk Assessments and Internal Control
Statement On Standard Auditing Practices (Sap) 6 (Revised) On Risk Assessments and Internal Control
2. With the formation of the Auditing Practices Committee in 1982, the Council of the Institute has been issuing a
series of Statements on Standard Auditing Practices (SAPs). Statements on Standard Auditing Practices lay down
the principles governing an audit. These principles apply whenever an independent audit is carried out. Statements
on Standard Auditing Practices become mandatory on the dates specified in the respective SAPs. Their mandatory
status implies that, while discharging their attest function, it will be the duty of the members of the Institute to ensure
that the SAPs are followed in the audit of financial information covered by their audit reports. If, for any reason, a
member has not been able to perform an audit in accordance with the SAPs, his report should draw attention to the
material departures therefrom.
6. "Detection risk" is the risk that an auditor's substantive procedures will not detect a
misstatement that exists in an account balance or class of transactions that could
be material, either individually or when aggregated with misstatements in other
balances or classes.
7. "Accounting System" means the series of tasks and records of an entity by which
transactions are processed as a means of maintaining financial records. Such
systems identify, assemble, analyse, calculate, classify, record, summarise and
report transactions and other events.
8. "Internal Control System" means all the policies and procedures (internal controls)
adopted by the management of an entity to assist in achieving management's
objective of ensuring, as far as practicable, the orderly and efficient conduct of its
business, including adherence to management policies, the safeguarding of
assets, the prevention and detection of fraud and error, the accuracy and
completeness of the accounting records, and the timely preparation of reliable
financial information. The internal audit function constitutes a separate component
of internal control with the objective of determining whether other internal controls
are well designed and properly operated.
9. The system of internal control must be under continuing supervision by
management to determine that it is functioning as prescribed and is modified, as
appropriate, for changes in conditions. The internal control system extends beyond
those matters which relate directly to the functions of the accounting system and
comprises:
d. develop an appropriate audit plan and determine the nature, timing and
extent of his audit procedures.
11. When developing the audit approach, the auditor considers the preliminary
assessment of control risk (in conjunction with the assessment of inherent risk) to
determine the appropriate detection risk that may be accepted by the auditor for
the assertions made in the financial statements and to determine the nature, timing
and extent of substantive procedures for such assertions.
Inherent Risk
12. In developing the overall audit plan, the auditor should assess inherent risk
at the level of financial statements. In developing the audit programme, the
auditor should relate such assessment to material account balances and
classes of transactions at the level of assertions made in the financial
statements, or assume that inherent risk is high for the assertion, taking into
account factors relevant both to the financial statements as a whole and to
the specific assertions. When the auditor makes an assessment that the
inherent risk is not high, he should document the reasons for such
assessment.
13. To assess inherent risk, the auditor would use professional judgement to evaluate
numerous factors, having regard to his experience of the entity from previous audit
engagements of the entity, any controls established by management to
compensate for a high level of inherent risk, and his knowledge of any significant
changes which might have taken place since his last assessment. Examples of
such factors are:
• The nature of the entity's business, for example, the potential for
technological obsolescence of its products and services, the complexity of
its capital structure, the significance of related parties and the number of
locations and geographical spread of its production facilities.
• Factors affecting the industry in which the entity operates, for example,
economic and competitive conditions as indicated by financial trends and
ratios, and changes in technology, consumer demand and accounting
practices common to the industry.
• All transactions and other events are promptly recorded in the correct
amount, in the appropriate accounts and in the proper accounting period
so as to permit preparation of financial statements in accordance with the
applicable accounting standards, other recognised accounting policies and
practices and relevant statutory requirements, if any, and to maintain
accountability for assets. .
• The potential for human error, such as, due to carelessness, distraction,
mistakes of judgement and the misunderstanding of instructions.
Materiality considerations.
a. the entity's accounting and internal control systems are not effective; or
In the above circumstances, the auditor would obtain sufficient appropriate audit
evidence from substantive procedures and from any audit work carried out in the
preparation of financial statements.
25. The preliminary assessment of control risk for a financial statement
assertion should be high unless the auditor:
When control risk is assessed at less than high, the auditor would also
document the basis for the conclusions.
27. Different techniques may be used to document information relating to accounting
and internal control systems. Selection of a particular technique is a matter for the
auditor's judgement. Common techniques, used alone or in combination, are
narrative descriptions, questionnaires, check lists and flow charts. The form and
extent of this documentation is influenced by the size and complexity of the entity
and the nature of the entity's accounting and internal control systems. Generally,
the more complex the entity's accounting and internal control systems and the
more extensive the auditor's procedures, the more extensive the auditor's
documentation will need to be.
Tests of Control
28. Tests of control are performed to obtain audit evidence about the effectiveness of
the:
a. design of the accounting and internal control systems, that is, whether
they are suitably designed to prevent or detect and correct material
misstatements; and
• The nature, timing and extent of substantive procedures which the auditor
plans to carry out.
Final Assessment of Control Risk
40. Before the conclusion of the audit, based on the results of substantive
procedures and other audit evidence obtained by the auditor, the auditor
should consider whether the assessment of control risk is confirmed. In
case of deviations from the prescribed accounting and internal control
systems, the auditor would make specific inquiries to consider their
implications. Where, on the basis of such inquiries, the auditor concludes
that the deviations are such that the preliminary assessment of control risk
is not supported, he would amend the same unless the audit evidence
obtained from other tests of control supports that assessment. Where the
auditor concludes that the assessed level of control risk needs to be revised,
he would modify the nature, timing and extent of his planned substantive
procedures.
Relationship between the Assessments of Inherent and Control Risks
41. Management often reacts to inherent risk situations by designing accounting and
internal control systems to prevent or detect and correct misstatements and
therefore, in many cases, inherent risk and control risk are highly interrelated. In
such situations, if the auditor attempts to assess inherent and control risks
separately, there is a possibility of inappropriate risk assessment. As a result, audit
risk may be more appropriately determined in such situations by making a
combined assessment.
Detection Risk
42. The level of detection risk relates directly to the auditor's substantive procedures.
The auditor's control risk assessment, together with the inherent risk assessment,
influences the nature, timing and extent of substantive procedures to be performed
to reduce detection risk, and therefore audit risk, to an acceptably low level. Some
detection risk would always be present even if an auditor were to examine 100
percent of the account balances or class of transactions because, for example,
most audit evidence is persuasive rather than conclusive.
43. The auditor should consider the assessed levels of inherent and control
risks in determining the nature, timing and extent of substantive procedures
required to reduce audit risk to an acceptably low level. In this regard the
auditor would consider:
There is an inverse relationship between detection risk and the combined level of
inherent and control risks. For example, when inherent and control risks are high,
acceptable levels of detection risk need to be low to reduce audit risk to an acceptably
low level. On the other hand, when inherent and control risks are low, an auditor can
accept a higher detection risk and still reduce audit risk to an acceptably low level.