Audit AC RAIC


Risk Assessment & Internal Control

Risk Assessment

Audit risk is risk of expressing inappropriate audit opinion on FS that are materially misstated

Audit Risk has 2 Components
1. ROMM - Risk that MM may exist in FS before start of audit. It has 2 components –
• Inherent Risk - Susceptibility of assertion to misstatement that could be material, individually or when aggregated, assuming that there are no related controls. Risks of particular concern to auditor include -
o Technological developments making product obsolete
o Declining industry with business failures
o Lack of sufficient working capital
o High value inventory
o A/cing estimates having significant measurement uncertainty
o Complex calculation might be misstated
• Control Risk - Risk that ICS will not prevent or detect & correct, misstatement that could be material, individually or when aggregated. Some control risk will always exist due to inherent limitations of ICS
2. Detection Risk - Risk that auditor will not detect misstatement that could be material, individually or when aggregated. Detection risk bears inverse relationship to ROMM

Audit Risk = ROMM X Detection Risk
Audit Risk = Inherent X Control X Detection Risk

Objective of audit is to reduce audit risk to acceptably low level

Materiality & Audit Risk
Materiality is inversely related with Audit Risk
They are considered throughout audit

Steps for Risk Identification
• Assess significance of risk & its impact
• Document assertions affected
• Consider impact of risk on each assertion
• Consider unique characteristics of risk
• Identify significant risks requiring separate attention & response by auditor
• Determine likelihood for risk to occur & its impact on procedures
• Enquire & document Mgt’s response
• Consider nature of ICS in place & its effectiveness in mitigating risks
• Consider existence of particular characteristics (inherent risks) that need to be addressed in designing FAP

Indicators of Possible Potential Misstatements
• Recording – Inaccurate –
o Capturing of Source docs
o Processing of transactions
o Adjustments in subsidiary ledgers
• Existence -
o Fictitious / unauthorised / duplicated transactions entered
o Source docs overstated/duplicated
• Completeness -
o Transactions not identified
o Source docs not prepared/captured
• Cut-Off - Transactions occurring in a period are recorded in another period
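Added illustration, not part of the original notes: a numerical sequence check (one of the application controls the notes list under Control Activities) run over a constructed purchase day-book, so that each of the Existence, Completeness and Cut-Off indicators above produces a line in the exception report the auditor follows up. Txn, sequence_check, exception_report and the sample vouchers are assumptions made for this example.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Txn:
    number: int      # pre-numbered voucher / invoice number
    txn_date: date   # date on which the transaction occurred
    amount: float


# Constructed sample: a Q1 purchase day-book (period Jan-Mar 2024) with three
# deliberate exceptions, one per misstatement indicator
PERIOD_START = date(2024, 1, 1)
PERIOD_END = date(2024, 3, 31)
SAMPLE = [
    Txn(1001, date(2024, 1, 5), 1200.0),
    Txn(1002, date(2024, 1, 9), 450.0),
    Txn(1002, date(2024, 1, 9), 450.0),   # same invoice captured twice -> Existence
    Txn(1004, date(2024, 2, 14), 980.0),  # 1003 never captured -> Completeness
    Txn(1005, date(2024, 4, 2), 300.0),   # April invoice booked in Q1 -> Cut-Off
]


def sequence_check(txns, period_start, period_end):
    """Numerical sequence check mapped to the misstatement indicators:
    duplicates -> Existence, gaps -> Completeness, cut_off -> Cut-Off.
    Empty lists mean there is no exception to follow up."""
    seen = set()
    duplicates = set()
    for t in txns:
        if t.number in seen:
            duplicates.add(t.number)
        seen.add(t.number)
    # A gap is any number between first and last voucher that was never captured
    gaps = [n for n in range(min(seen), max(seen) + 1) if n not in seen] if seen else []
    cut_off = sorted({t.number for t in txns
                      if not (period_start <= t.txn_date <= period_end)})
    return {"duplicates": sorted(duplicates), "gaps": gaps, "cut_off": cut_off}


def exception_report(txns, period_start, period_end):
    """Exception report for auditor follow-up; each line names the indicator."""
    f = sequence_check(txns, period_start, period_end)
    lines = [f"EXISTENCE: voucher {n} entered more than once" for n in f["duplicates"]]
    lines += [f"COMPLETENESS: voucher {n} missing from sequence" for n in f["gaps"]]
    lines += [f"CUT-OFF: voucher {n} dated outside {period_start}..{period_end}"
              for n in f["cut_off"]]
    return lines


def run_sample():
    """Run the check on the constructed day-book above."""
    return sequence_check(SAMPLE, PERIOD_START, PERIOD_END)


if __name__ == "__main__":
    for line in exception_report(SAMPLE, PERIOD_START, PERIOD_END):
        print(line)
```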

Risk-based Audit Approach


This approach analyses audit risks, sets materiality thresholds based on audit risk analysis & develops
audit programmes allocating larger portion of resources to high-risk areas

Steps for Risk Based Audit


• Risk Assessment - Assessing ROMM in FS
• Risk Response - Designing & performing FAP that respond to assessed risks
• Reporting - Issuing appropriate report based on findings

#Hum_CA_Banenge Ankush Chirimar (AIR 5, 6, 32) Page | 1



Risk Assessment Steps
• Performing client acceptance procedures
• Planning overall engagement
• Performing RAP to understand business
• Assessing ROMM in FS
• Making informed assessment of ROMM
• Identifying significant risks that require special audit consideration
• Identifying IC & assessing design & implementation
• Communicating material weaknesses in design & implementation of IC to Mgt & TCWG

Risk response - Matters to consider -
• Need to perform FAP to address Mgt override of controls
• Need to perform specific procedures to address “significant risks”
• Existence of IC that could reduce need for substantive procedures
• Assertions that cannot be addressed by substantive procedures alone
• Need to incorporate element of unpredictability in procedures
• Substantive AP that could reduce need for other procedures

Internal Control System (ICS)

• ICS means all policies & procedures adopted by entity to assist in achieving its objective of ensuring orderly & efficient conduct of its business, including
o Adherence to Mgt policies
o Safeguarding of assets
o Accuracy & completeness of records
o Timely preparation of reliable financial info
o Prevention & detection of fraud & error

Objectives of ICS for A/cing System are
• All transactions are promptly recorded to permit preparation of financial info
• Transactions are executed through Mgt authorization
• Assets are verified at reasonable intervals & appropriate action is taken for discrepancies
• Assets are safeguarded from unauthorized access, use or disposition

When obtaining evidence about effective operation of IC, Auditor considers -
• How they were applied
• Consistency with which they were applied
• By whom they were applied

Basic objectives of a/cing control system are
• Ensure All transactions are – Real, Recorded, Properly Valued, Recorded Timely, Properly Classified & Disclosed, Properly Posted & Properly Summarized
• If reply to all above answer is positive, auditor is justified to limit his a/c balance tests

Limitations of IC - IC can provide entity with only reasonable assurance due to -
• Potential for human error due to carelessness & misunderstanding of instructions
• Possibility of circumvention of IC through collusion with employees or external parties
• Possibility that person responsible for IC could abuse that responsibility
• Fact that most IC are not directed at transactions of unusual nature
• Manipulations by Mgt for transactions & judgements in preparation of FS
• Mgt's consideration that cost of IC does not exceed expected benefits

Structure of IC - Control policies & procedures -
• Authorization of Transaction
• SOD - Transaction processing is allocated to diff persons so that no 1 person can complete transaction from start to finish or work of 1 person is made complementary to work of another person. Following is segregated –
o Execution of transactions
o Authorization of transactions
o Maintenance of records & docs
o Physical custody of assets
o Rotation of duties of personnel is also desirable
• Independent Checks
• Adequacy of Records & Docs – A/cing controls should ensure that –
o Transactions are promptly recorded at correct amounts
o Transactions are executed as per Mgt’s authorization
o Records of assets & its location should be maintained to physically verify them periodically
o Assets should be protected from unauthorized access, use or disposition
o Transactions should be classified in appropriate a/c & period
o Recording of transaction should facilitate maintaining accountability for assets
o Transaction should be recorded to facilitate preparation of FS as per AFRF
• Accountability & Safeguarding of Assets

ICS comprises Administrative Control & A/cing Controls. Internal Checks & Internal Audit are important constituents of A/cing Controls
1. Internal Check System (SOD) – Objectives-
• To protect integrity of business by proper scrutiny & check
• To increase efficiency of staff
• To avoid & minimize errors & fraud
• To prevent & avoid misappropriation of cash & falsification of a/c
• To detect error & frauds with ease
• To locate responsibility area where actual fraud & error occurs

Effectiveness of efficient system of internal check depends on following -
• Division of Work – SODs
• Standardization
• Clarity of Responsibility
• Appraisal

General condition pertaining to internal check -
• No single person should have complete control over important aspect of business
• Every employee’s action should come under review of another person
• Staff duties should be rotated so that they do not perform same function for long time
• Person having physical custody of assets must not be permitted to have access to BOA
• There should exist a/cing control for assets & there should be periodical inspection
• For inventory taking, trading should be suspended & it should be done by staff of diff sections of org
• Mechanical devices should be used to prevent loss of cash
• Every staff should be encouraged to go on leave at least once a year
• Budgetary control should be exercised & wide deviations should be reconciled
• Financial & admin powers should be distributed very judiciously among diff officers & should be reviewed periodically
• Procedures for periodical verification & testing of a/cing records should be there

2. Internal Audit – Refer Chapter on IA

Components of IC

1. Control Environment – Elements –
• Participation by TCWG
• Mgt’s philosophy & operating style
• Communication & enforcement of integrity & ethical values - Effectiveness of controls cannot rise above integrity & ethical values of people who create & monitor them. Integrity & ethical behavior are product of entity’s ethical & behavioral standards, how they are communicated, & how they are reinforced in practice. It includes Mgt actions to eliminate or mitigate incentives prompting personnel to engage in dishonest, illegal, or unethical acts through policy statements & codes of conduct
• Commitment to competence
• Organizational structure
• Assignment of authority & responsibility
• Human resource policies

2. Entity’s RAP – includes – How Mgt -
• Identifies business risks
• Estimates their significance
• Assesses likelihood of their occurrence
• Decides actions to respond to them

Risks can arise or change due to following -
• Rapid growth
• Expanded foreign operations
• New a/cing pronouncements
• Changes in operating environment
• Corporate restructurings
• New business models, products, or activities
• New personnel
• New technology
• New or revamped IS

3. Control Activities
• Performance reviews - Analyses of actual performance v/s budgets, forecasts, & prior period performance
• Info processing - 2 types of IS control activities are –
o Application controls - Apply to processing of individual applications. E.g. checking arithmetical accuracy of records, reviewing a/c balances, edit checks, numerical sequence checks, follow-up of exception reports
o General IT-controls - Policies & procedures that relate to many applications & support effective functioning of application controls. E.g. program change controls, restricting access to data, controls over implementation of new packaged software & system software restricting access to system utilities
• Physical controls – includes –
o Physical security of assets
o Authorization for access to data
o Periodic counting & comparison with amounts in records
• SODs

4. Info System for FR & Communication - includes methods & records that -
• Identify & record all transactions
• Measure value of transactions for recording proper monetary value in FS
• Determine time period in which transactions occurred for recording in proper a/cing period
• Describe transactions in detail to permit proper classification for FR
• Present properly transactions & disclosures in FS

5. Monitoring of Controls - considering whether controls are operating as intended & that they are modified as appropriate for changes in conditions

Review of ICS - Enables Auditor -
• To locate areas of weakness in system so that procedures can be adjusted to meet situation
• To formulate his opinion for reliance to place on system itself
• If auditor is already aware of IC, he may just review changes in intervening period. However, comprehensive review in such cases must be made at interval of 3 years
• Review of IC is to be done before finalisation of audit programme. However, if size of operations is small, review can be done with other audit procedures as well

Revision in Audit Programme is needed when -
• Any change in ICS in IC questionnaire
• Any further weakness noted in IC
• Any instance where system is not followed

IC Assessment & Evaluation - Key components to assess & evaluate control environment / Standard Operating Procedures (SOPs) elements -
• Enterprise Risk Mgt
• Info Technology based Controls
• Segregation of Job Responsibilities – SODs
• Job Rotation in Sensitive Areas
• Delegation of Financial Powers Document

Techniques of evaluation of IC

1. Questionnaire
It is set of ques for evaluation of effectiveness of control & detection of weaknesses. It is to be filled by co. executives who are in charge of various areas. However, it may take long time to be filled & there is possibility of questionnaire being misplaced. Therefore, auditor arranges meetings with executives & gets answers filled by them. They are answered as ‘Yes’, ‘No’ or ‘Not applicable’. “No” answer will reflect weakness

Basic assumptions about elements of good control in IC questionnaire are -
• Orgs permitting extensive division of responsibilities
• Employees of a/cing function are not assigned any custodial function
• No single person has responsibility of completing transaction all by himself
• Work performed by 1 person comes under review of another in routine
• There should always be evidence to identify person who has done work
• Certain procedures used by most businesses are essential in achieving reliable IC. This is time-tested assumption
• There is proper documentation & recording of transactions
• For 1st year of audit, issue of questionnaire is necessary. For subsequent years, auditor may request client to confirm whether there is any change in ICS. However, auditor may issue questionnaire irrespective of any change every 3rd year

2. Check List
It is series of instructions or ques on IC which auditor must follow or answer. When instruction is performed, auditor initials space opposite instruction. If it is ques, answer ‘Yes’, ‘No’ or ‘Not Applicable’ is entered opposite ques

E.g. of Check List - Has Auditor checked that cashier -
• Is not responsible for opening mails
• Does not authorise ledgers
• Does not authorise expenditure or receipt
• Does not sign cheques
• Takes his annual leave regularly
• Balances cash book every day
• Verifies physical cash balance with book figure daily
• Prepares monthly bank reconciliations
• Holds no other funds or investment
• Holds no unnecessary balance in hand
• Does not pay money without looking into compliance with authorization
• Has provided proper security or executed fidelity bond

Diff b/w Questionnaire & Check list
• Questionnaire contains large number of detailed ques but check list contains ques for main control objective under review
• In Questionnaire, ques are answered by co. executives. In check list, same are answered by auditor/auditor staff
• ‘No’ in Questionnaire indicates weakness but not its significance. In check list, specific statement is required if weakness is material

3. Flow chart
It is graphic presentation of IC & is drawn to show controls in each section. It provides most concise & comprehensive way for reviewing IC. It gives bird’s eye view of system. It is most effective way of presenting state of IC

Flow chart can provide neat picture of activities of dept involving flow of docs & activities. It shows -
• At what point document is raised internally or received from external sources
• Number of copies in which document is raised or received
• Intermediate stages through which document passes
• Distribution of docs to various sections
• Checking authorization & matching at stages
• Filing of docs
• Final disposal by sending or destruction

For drawing flow chart to incorporate narration, it is useful to know -
• Point for originating flow of transaction
• Docs & flow of transaction, number of copies, distribution
• Books maintained & details & its sources
• There exists alternative possibility

Reporting to Client on IC Material Weaknesses through letter of weakness or Mgt letter -
• Letter lists down area of weaknesses & offers suggestions for improvement
• This letter serves as valuable reference document for Mgt for purpose of revising system & its strict implementation
• Letter serves to minimize legal liability in case of major loss from weakness in IC
• Indicate that it discusses only weaknesses which have come to attention of auditor & his audit does not determine adequacy of IC
• By writing above letter, auditor is not relieved from reporting weaknesses by qualifications if defects are not corrected to his satisfaction considering materiality of weaknesses

International IC Frameworks

Integrated Framework issued by Committee of Sponsoring Organizations of Treadway Commission (COSO Framework)

• It includes 17 principles with 5 components - control environment, risk assessment, control activities, info & communication, & monitoring
• It lists 3 categories of objectives –
o Reporting Objectives – related to internal & external reporting to stakeholders
o Operations Objectives – related to effectiveness & efficiency of operations & safeguarding assets against loss
o Compliance objectives – relating to compliance with applicable L&R
• Limitations of IC - Framework acknowledges limitations of IC

Sarbanes-Oxley Act - Section 404 (USA)

It mandates that all publicly-traded co. must establish IC & must document, test those controls to ensure their effectiveness. It was followed up with constitution of PCAOB. SEC rules & PCAOB standard require that -
• Mgt perform assessment of IC over FR including testing design & operating effectiveness of controls
• Mgt include in annual report, assessment of IC over FR
• External auditors provide 2 opinions as part of single audit of co. –
o Independent opinion on effectiveness of IC over FR
o Traditional opinion on FS

Guidance on Assessing Control published by Canadian Institute of CAs (CoCo)

Criteria of Control (CoCo) has objective of improving organisational performance & decision making with better controls, risk mgt & corporate governance. It includes 20 criteria for effective control in 4 areas –
• Purpose (direction)
• Commitment (identity & values)
• Capability (competence)
• Monitoring & Learning (evolution)

Guidance for Directors on Combined Code, published by Institute of CAs in England & Wales (known as Turnbull Report)

Key principles are -
• Board should maintain ICS to safeguard shareholders’ investment & co.’s assets
• Directors should, at least annually, conduct review of effectiveness of ICS & report to shareholders that they have done so. Review should cover all controls
• Co. not having IAF should, from time to time, review need for having IAF

Control Objectives for Information and Related Technology (COBIT)


It is created by ISACA (Info Systems Audit & Control Association) for IT governance & Mgt. COBIT has 34 high-level processes covering 210 control objectives categorized in 4 domains - Planning & Organization, Acquisition & Implementation, Delivery & Support, & Monitoring & Evaluation
