Lecture – 19

Chapter – 3
“Risk Assessment and Internal Control”
(i) AUDIT RISK:
(a) Meaning:
Risk that the auditor gives an inappropriate audit opinion when the financial
statements are materially misstated.

(b) Consideration:
Audit Risk need to be considered both at overall F.S. level as well as at the level of
individual account balance or classes of transactions.

(c) Components of Audit Risk: 3 Components – Inherent, Control and Detection

(1) Inherent Risk:
Susceptibility of an account balance or class of transaction to a material
misstatement, assuming that there were no internal controls.
Factors to be evalauted to assess inherent risk:

(i) At the level of F.S. (ii) At the level of Account Balances

and class of transactions

- Integrity of management. - Quality of the accounting system.

- Management’s experience, - Susceptibility of F.S. to
knowledge and changes in misstatement.
management during the period. - Complexity of underlying
- Unusual pressures on mngt. transactions
- Nature of entity’s business. - Degree of judgement involved
- Factors affecting the industry - Susceptibility of assets to loss or
in which the entity operates. misappropriation
- Completion of unusual and complex
transactions, particularly at or
near period end.
- Transactions not subjected to
ordinary processing.

19.1
Risk Assessment and Internal Control Chapter 3

(2) Control Risk:

Risk that material misstatements will not be prevented or detected and
corrected on a timely basis by the internal control system.
Steps in Assessment of Control Risk:
(i) Preliminary assessment of control risk.
(ii) Documentation of understanding & assessment of control risk.
(iii) Performing Tests of Controls
(iv) Final Assessment of Control Risk.

(3) Detection Risk:

- Risk that the substantive procedures performed by auditor fails to
detect material misstatements
- Some detection risk would always be present even if an auditor was to
examine 100% of the account balance or class of transactions.

(d) Relationships between Components of Audit Risk:

(i) Inherent Risk (IR) & Control Risk (CR):

(a) IR and CR are highly interrelated as in many cases management reacts

to IR by designing accounting and internal control systems to prevent

or detect and correct misstatements.

(b) As a result, auditor needs to make a combined assessment of IR & CR

as Risk of Material Misstatement (RMM).

(ii) RMM & Detection Risk (DR):

(a) Inverse relationship between RMM and DR.

(b) When RMM is high, DR needs to be low to reduce audit risk to an

acceptable low level.

(c) When RMM is low, auditor can accept a higher DR.

(d) Mathematically AR = IR X CR X DR

19.2
Chapter 3 Risk Assessment and Internal Control
IR High Medium Low

CR

Highest RMM Higher RMM Medium RMM

High Lowest Lower Medium

DR DR DR

Higher RMM Medium RMM Lower RMM

Medium Lower Medium Higher

DR DR DR

Medium RMM Lower RMM Lowest RMM

Low Medium Higher Highest

DR DR DR

(ii) Risk Based Audit:

(1) Meaning:

An audit Approach that

(a) analyses Audit Risks,

(b) set materiality thresholds based on audit risk analysis and

(c) develop audit programmes that allocates a larger portion of resources to high

risk areas.

(2) Stages in Risk Based Audit:

(a) Understanding the auditee operations: in order to identify and prioritize the

risks that impact audit of financial statements.

(b) Determination of residual Risk: Auditor should assess entity management

strategies and controls so as to determine how the controls are designed

within the entity.

(c) Manage residual Risk: It requires design and execution of a risk reduction

approach so as to bring the residual audit risk to an acceptable level.

(d) Reporting to Auditee: The auditor should communicate to the auditee

- weaknesses in the internal control system,

- deficiencies in the design and operation of internal controls that affect the

organization’s ability to record, process, summarize & report financial data.

19.3
Risk Assessment and Internal Control Chapter 3
(iii) INTERNAL CONTROL:

(1) Definition (as per SA 315):

The process designed, implemented and maintained, by TCWG and Management, to

provide reasonable assurance about the achievement of an entity’s objectives with

regard to

- reliability of financial reporting,

- effectiveness and efficiency of operations,

- safeguarding of assets, and

- compliance with applicable laws and regulations.

(2) Internal Control Structure:

- Internal Control structure in an organization is referred to as the policies and

procedures established by the entity to provide reasonable assurance that

the objectives are achieved.

- Control structure in an organization has the following components:

(a) Control Environment

(b) Accounting Systems

(c) Control Procedures

(3) Control Objectives of Accounting Control System:

(a) Whether all transactions are recorded;

(b) Whether recorded transactions are real;

(c) Whether all recorded transactions are properly valued;

(d) Whether all transactions are recorded timely and properly posted;

(e) Whether all transactions are properly classified, summarized & disclosed.

(4) Methods of Collecting info to review I.C.:

(a) Narrative Records:

Complete and exhaustive description of system as found in the operation by

the auditor.

(b) Check List:

Series of instructions and/or questions which a member of auditing staff must

follow.

19.4
Chapter 3 Risk Assessment and Internal Control
(c) IC Questionnaire (ICQ):

- Set of Questions designed to provide a thorough view of state of I.C.

- Questions are generally prepared in sections of distinct control areas

like: purchase and creditors, sales & debtors, inventories, etc.

Assumptions presumed about elements of good control while using

standardized internal control questionnaire:

(i) Certain procedures in general used by most business concerns are

essential in achieving reliable internal control.

(ii) Extensive division of duties and responsibilities within the organisation.

(iii) Separation of accounting function with the custodial function.

(iv) No single person is entrusted with the responsibility of completing a

transaction all by himself.

(v) There should always be evidence to identify the person who has done

the work whether involving authorisation, implementation or checking.

(vi) The work performed by each one is expected to come under review of

another in the usual course of routine.

(vii) There is proper documentation and recording of the transactions.

(d) Flow Chart:

- Graphic presentation of I.C. of various sections in form of a diagram

full with lines & Symbols.

- Provide most concise and comprehensive way to review I.C.

- Provide a neat visual picture of various activities involving flow of

documents through various stages, authorizations required, filing of

documents, final disposal.

(5) Surprise check in Internal Control:

- Useful method to determine whether errors exist and where they exist.
- Bring the matters promptly to the attention of the management so that

corrective action can be taken immediately.

- ICAI Recommendation: Surprise checks are a part of the normal audit and
the results of such checks are important primarily to the auditor himself in

deciding the scope of his audit and submitting his report thereon.
- Surprise check should be made at least once in the course of an audit.

19.5
Risk Assessment and Internal Control Chapter 3
(6) Key components to assess and evaluate the control environment (Standard Operating
Procedures – SOPs):
(a) Enterprise Risk Management: Organization having robust processes to identify
& mitigate risks across the entity, will assist in early identification of
weaknesses in internal control and taking effective control measures.
(b) Segregation of Job Responsibilities: Segregation of duties is an important
element of control which ensures that no two commercial activities should be
conducted by the same person.
(c) Job Rotation in Sensitive Areas: In key commercial functions, job rotation is
regularly followed to avoid degeneration of controls.
(d) Documents of delegation of Financial Powers: It allow controls to be clearly
operated without being dependant on individuals.

(e) IT based Controls: In an IT Environment, it is much easier to embed controls

through the system instead of being human dependant. Failure rate for IT
embedded controls are likely to be low & is likely to have better audit trail.

(7) Letter of weakness

(a) Weaknesses in I.C. identified during the audit should be communicated to
mngt. & TCWG.
(b) Helps TCWG to improve the systems.

This communication should be, preferably, in writing through a letter of weakness.

Important points with regard to such a letter are as follows:
(a) It lists down the area of weaknesses in the internal control system and

recommends suggestions for improvement.

(b) It should clearly indicate that this letter covers only weaknesses which have
come to the attention of the auditor during his evaluation of internal control
for the purpose of determining NTE of further audit procedures.
(c) Letter should clearly indicate that his examination of internal control has not

been designed to determine the adequacy of internal control for management.

(d) This letter serves as a significant means for management and governing body
for the purpose of improving the system and its strict implementation.
(e) The letter may also serve to minimize legal liability in the event of a major
defalcation or other loss resulting from a weakness in internal control.

19.6
Chapter 3 Risk Assessment and Internal Control

19.7
Risk Assessment and Internal Control Chapter 3

19.8