Risk Assessment and Internal Control

1. Audit risk
2. Identifying and assessing the risks of material misstatement
3. Internal control
4. Evaluation of internal control by the auditor
5. Testing of internal control
6. Internal control and IT evironment
7. Materiality and audit risk
8. Documenting the risk
9. Internal audit
10. Basics of standard on internal audit issued by ICAI
11. Basics of internal financial control and reporting requirements
12. Difference between internal financial control and integral control over financial reporting
    
    

 

Audit risk means the risk that the auditor gives an inappropriate audit opinion  when the financial statement are materially misstated. Thus, it is the risk that the auditor may fail to express an appropriate opinion in an audit assignment.

Audit Risk could be simply understood as follows:

During the audit of a company if the financial statements of that company are misstated and those misstatements are material in nature, then there will be a risk that audit opinion given by the auditor regarding audit of that company would be incorrect. Then that risk will be known as Audit Risk.

Strength limited purchased a Plant and Machinery for Rs. 2 Crores in the financial year 2020-2021. The accountant of strength limited debited Rs 2 crores in the Repair and Maintenance account in the statement of Profit and loss instead of taking it to the balance sheet as PPE and claim depreciation on it. While auditing the accounts of this company the auditor did not notice this and consequently did not report anything regarding the plant and machinery. Therefore, opinion given by the auditor would be inappropriate resulting in audit risk.

Audit risk is a function of the risks of material misstatement and detection risk.

From the above, it is clear that –

Audit Risk = Risk of Material Misstatement x Detection Risk (1)

Note 1: Risk of material misstatement may be defined as the risk that the financial statements are materially misstated prior to audit. This consists of two components, described as follows at the assertion level:

1. Inherent risk—The susceptibility of an assertion about a class of transaction, account balance or disclosure to a misstatement that could be material, either individually or when aggregated with other misstatements, before consideration of any related controls. There is always a risk that before considering any existence of internal control in an entity, a particular transaction, balance of an account or a  disclosure required to  be  made in  the financial statements of an entity have a chance of being misstated and such misstatement can be material. This risk is known as Inherent Risk.
2. Control risk—The risk that a misstatement that could occur in an assertion about a class of transaction, account balance  or  disclosure and  that  could be material, either individually or when aggregated with other misstatements, will not be prevented, or detected and corrected, on a timely basis by the entity’s internal control. Control Risk is a risk  that  internal control existing and operating in an entity would not be efficient enough to stop from happening, or find and then rectify in an appropriate time, any material misstatement relating to a transaction, balance of an account or disclosure required to be made in the financial statements of that entity. So  in a way it can be said that there exists an inverse relation between Control Risk and Efficiency of Internal Control of an Entity. When efficiency of internal control of an entity is high the control risk is low and  when  efficiency of internal control of that entity is low the control risk is high.

During the financial year 2020-21, certain accounting transactions regarding purchases of material and some disclosures required to be made in the financial statements of Appreciation Limited were misstated and those misstatements were material in nature. There was a risk that internal control operating in Appreciation Limited would not be able to find and then rectify those misstatements in proper time. This risk is called as Control Risk.

Note 2: Misstatement refers to a difference between the amount, classification, presentation, or disclosure of a reported financial statement item and the amount, classification, presentation, or disclosure that is required for the item to be in accordance with the applicable financial reporting framework. Misstatements can arise from error or fraud.

The assessment of risks is based on audit procedures to obtain information necessary for that purpose and evidence obtained throughout the audit. The assessment of risks is a matter of professional judgment, rather than a matter capable of precise measurement.

1. Audit risk does not include the risk that the auditor might express an opinion that the financial statements are materially misstated when they are not. This risk is ordinarily insignificant.
2. Further, audit risk is a technical term related to the process of auditing; it does not refer to the auditor’s business risks such as loss from litigation, adverse publicity, or other events arising in connection with the audit of financial statements.

Risks of Material Misstatement at Two levels

The risks of material misstatement may exist at two levels:

1. The overall financial statement level- Risks of material misstatement the overall financial statement level refer to risks of material misstatement that relate pervasively to the financial statements as a whole and potentially affect many assertions.
2. The assertion level for classes of transactions, account balances, and disclosures-Risks of material misstatement at the assertion level are assessed in order to determine the nature, timing, and extent of further audit procedures necessary to obtain sufficient appropriate audit evidence. This evidence enables the auditor to express an opinion on the financial statements at an acceptably low level of audit risk.

The risks of material misstatement at the assertion level consist of two components:

1. Inherent risk and
2. control risk.

Inherent risk and control risk are the entity’s risks; they exist independently of the

audit of the financial statements.

Inherent risk is higher for some assertions and related classes of transactions, account balances, and disclosures than for others. For example, it may be higher for complex calculations. External circumstances giving rise to business risks may also influence inherent risk. For example, technological developments might make a particular product obsolete. Factors in the entity and its environment may also influence the inherent risk related to a specific assertion.

Inherent risk factors are considered while designing tests of controls and substantive procedures. Category of auditor’s assessment lower or higher, each category covers a  range of degrees of inherent  risk. Auditor may assess the inherent risk of two different assertions as lower while recognizing that one assertion has less inherent risk than the other, although both have been  assessed as lower. It is important to consider the reason for each identified inherent risk even if the risk is lower, when auditor designs tests of controls and substantive procedures.

 

A lack of sufficient working capital to continue operations or a declining industry characterised by a large number of business failures.

 

Control risk is a function of the effectiveness of the design, implementation and maintenance of internal control by management. However, internal control can only reduce but not eliminate risks of material misstatement in the financial statements. This is because of the inherent limitations of internal control.

The possibility of human errors or mistakes, or of controls being circumvented by collusion. Accordingly, some control risk will always exist.

The SAs provide the conditions under which the auditor is required to test the operating effectiveness of controls in determining the nature, timing and extent of substantive procedures to be performed.

Auditor assesses control risk as Rely or Not rely on Controls. When making control risk assessments, consider:

• The control environment’s influence over internal control. A control environment that supports the prevention, and detection and correction, of material misstatements allows greater confidence in the reliability of internal control and audit evidence generated within the entity. However it does not guarantee the effectiveness of specific controls. We therefore, test the operating effectiveness of controls over significant class of transactions (SCOTs) when we plan to take a controls reliance strategy. Conversely, the control environment may undermine the effectiveness of specific controls and is a key factor in our control risk assessments.
• Evaluations of the related IT processes that support application and IT- dependent manual controls.
• Our testing approach over SCOTs and disclosure processes (i.e., controls reliance or substantive only strategy).
• The expectation of the operating effectiveness of controls based on the understanding of entity’s processes.

Identify a control that a shipping report is prepared only for goods that have been shipped. To determine that only sales that have occurred are recorded, identify a further control that sales cannot be recorded unless a shipping report is produced. In this example, several controls operate collectively in order to address the occurrence assertion for sales.

In another example, a regular reconciliation of quantities shipped to quantities billed is a specific control that may be effective enough by itself to address the WCGW (What Could Go Wrong) regarding the completeness assertion in a sales process.

Whether several controls are required to operate collectively (i.e., a suite of controls) to achieve a financial reporting objective. If so, the auditor should assess whether all controls operate effectively in order to rely on controls.

Control risk assessment when control deficiencies are identified :  When auditor identifies deficiencies and report on internal controls, he determines the significant financial statement assertions that are affected by the ineffective controls in order to evaluate the effect on control risk assessments and strategy for the audit of the financial statements.

When control deficiencies are identified and auditor identifies and tests more than one control for each relevant assertion, he evaluates control risk considering all of the controls he has tested. If auditor determines that they support a ‘rely on controls’ risk assessment, or if compensating controls are identified, tested and evaluated to be effective, he may conclude that the ‘rely on controls’ is still appropriate. Otherwise we

change our control risk assessment to ‘not rely on controls.’

When a deficiency relates to an ineffective control that is the only control identified for an assertion, he revises risk assessment to ‘not rely on controls’ for associated assertions, as no other controls have been identified that mitigate the risk related to the assertion. If the deficiency relates to one WCGW (what can go wrong) out of several WCGW’s, he can ‘rely on controls’ but performs additional substantive procedures to adequately address the risks related to the deficiency.

The SAs do not ordinarily refer to inherent risk and control risk separately, but rather to a combined assessment of the “risks of material misstatement”. However, the auditor may make separate or combined assessments of inherent and control risk depending on preferred audit techniques or methodologies and practical considerations. The assessment of the risks of material misstatement may be expressed in quantitative terms, such as in percentages, or in non-quantitative terms. In any case, the need  for the auditor to make appropriate risk assessments is more important than the different approaches by which they may be made.

It can be concluded from the above that-

Risk of Material Misstatement= Inherent Risk x Control Risk (2)

From (1) and (2), we arrive at-

Audit Risk = Inherent Risk x Control Risk x Detection Risk

SA 315 establishes requirements and provides guidance on identifying and assessing the risks of material misstatement at the financial statement and assertion levels.

Detection risk: The risk that the procedures performed by the auditor to reduce audit risk to an acceptably low level will not detect a misstatement that exists and that could be material, either individually or when aggregated with other misstatements.

Suppose auditor of a company uses certain audit procedures for the purpose of obtaining audit evidence and reducing audit risk, but still there will remain a risk that audit procedures used by the auditor may not be able to detect a misstatement  which by nature is material, then that risk is known as Detection Risk.

While auditing the books of accounts of Grateful Limited for the financial year 2020- 21, the auditor of the above mentioned company used various audit procedures, for example-observation, inspection, reperformance, recalculation etc for obtaining audit evidence regarding stock, Debtors, sales, purchases etc., and consequently reducing the audit risk. However, there will always remain a risk that various audit procedures as used by auditor of Grateful Limited will not be able to detect misstatements which are material in nature. This risk is known as Detection Risk.

Objective of Auditor as per SA 315: As per SA 315 - “Identifying and Assessing the  Risks of Material Misstatement through Understanding the Entity and its Environment”, the objective of the auditor is to identify and assess the risks of material misstatement, whether due to fraud or error, at the financial statement and assertion  levels, through understanding the entity and its environment, including the entity’s internal control, thereby providing a basis for designing and implementing responses to the assessed risks of material misstatement. This will help the auditor to reduce the risk of material misstatement to an acceptably low level.

Let us understand the objective of the auditor as stated in SA 315 in detail.

(i) The auditor shall identify and assess the risks of material misstatement at:

1. the financial statement level
2. the assertion level for classes of transactions, account balances, and disclosures

to provide a basis for designing and performing further audit procedures

(ii) For the purpose of Identifying and assessing the risks of material misstatement, the auditor shall:

1. Identify risks throughout the process of obtaining an understanding of the entity and its environment, including relevant controls that relate  to the risks, and by considering the classes of transactions, account balances, and disclosures in the financial statements;
2. Assess the identified risks, and evaluate whether they relate more pervasively to the financial statements as a whole and potentially affect many assertions;
3. Relate the identified risks to what can go wrong at the assertion level, taking account of relevant controls that the auditor intends to test; and
4. Consider the likelihood of misstatement, including the possibility of multiple misstatements, and whether the potential misstatement is  of  a magnitude that could result in a material misstatement.

Definition: The audit procedures performed to obtain an understanding of  the entity and its environment, including the entity’s internal control, to identify and assess the risks of material misstatement, whether due to fraud or error, at the financial statement and assertion levels.

The auditor shall perform risk assessment procedures to provide a basis for the identification and assessment of risks of material misstatement at the financial statement and assertion levels. Risk assessment procedures by themselves, however, do not provide suffcient appropriate audit evidence on which to base the audit opinion.

Information obtained by performing risk assessment procedures and related activities may be used by the auditor as audit evidence to support assessments of the risks of material misstatement. In addition, the auditor may obtain audit evidence about classes of transactions, account balances, or disclosures and related assertions and about the operating effectiveness of controls, even though such procedures were not specifically planned as substantive procedures or as tests of controls. The auditor also may choose to perform substantive procedures or tests of controls concurrently with risk assessment procedures because it is efficient to do so.

The risks to be assessed include both those due to error and those due to fraud, and both are covered by this SA. However, the significance of fraud is such that further requirements and guidance are included in SA 240, “The Auditor’s Responsibilities Relating to Fraud in an Audit of Financial Statements”, in  relation to risk assessment procedures and related activities to obtain information that is used to identify the risks of material misstatement due to fraud.

 

The risk assessment procedures shall include the following:

 

(a) Inquiries of Management and Others Within the Entity: Much of the information obtained by the auditor’s inquiries is  obtained  from management and those responsible for financial reporting. However, the auditor may also obtain information, or a different perspective in identifying risks of material misstatement, through inquiries of others within the entity and other employees with different levels of authority.

 

• Inquiries directed towards those charged with governance may help the auditor understand the environment in which the financial statements are prepared.
• Inquiries directed toward internal audit personnel may provide information about internal audit procedures performed during the year relating to the design and effectiveness of the entity’s internal control and whether management has satisfactorily responded to findings from those procedures.
• Inquiries of employees involved in initiating, processing  or  recording complex or unusual transactions may help the auditor to evaluate the appropriateness of the selection and application of certain accounting policies.
• Inquiries directed toward in-house legal counsel may provide information about such matters as litigation, compliance with laws and regulations, knowledge of fraud or suspected fraud affecting the entity, warranties, post-sales obligations, arrangements (such as joint ventures) with business partners and the meaning of contract
• Inquiries directed towards marketing or sales personnel may provide information about changes in the entity’s marketing strategies, sales trends, or contractual arrangements with its customers.
• Inquiries directed to the risk management function (or those performing such roles) may provide information about operational and regulatory risks that may affect financial reporting.
• Inquiries directed to information systems personnel may provide information about system changes, system or control failures, or other information system- related risks.

(b) Analytical Procedures: Analytical procedures performed as risk assessment procedures may identify aspects of the entity of which the auditor was unaware and may assist in assessing the risks of material misstatement in order to provide a basis for designing and implementing responses to the assessed risks. Analytical procedures performed as risk assessment procedures may include both financial and non-financial information, for example, the relationship between sales and square footage of selling space or volume of goods sold.

Analytical procedures may help identify the existence of unusual  transactions or events, and amounts, ratios, and trends that might indicate matters that have audit implications. Unusual or unexpected relationships that are identified may assist the auditor in identifying risks of material misstatement, especially risks of material misstatement due to fraud.

However, when such analytical procedures use data aggregated at a high level (which may be the situation with analytical procedures performed as risk assessment procedures), the results of those analytical procedures only provide a broad initial indication about whether a  material  misstatement may exist. Accordingly, in such cases, consideration of  other  information that has been gathered when identifying the risks of material misstatement together with the results of such analytical procedures may assist the auditor in understanding and evaluating the results of the analytical procedures.

(c) Observation and Inspection: Observation and inspection may support inquiries of management and others, and may also provide  information  about the entity and its environment.

Examples of such audit procedures include observation or inspection of the following:

The entity’s operations.

Documents (such as business plans and strategies), records,  and internal  control manuals.

Reports prepared by management (such as quarterly management reports and interim financial statements) and those charged with governance (such as minutes of board of director’s meetings)

The entity’s premises and plant facilities.

Obtaining an understanding of the entity and its environment, including the entity’s internal control (referred to hereafter as an “understanding of the entity”), is a continuous, dynamic process of gathering, updating and analysing information throughout the audit. The understanding establishes a frame of reference within which the auditor plans the audit and exercises professional judgment throughout theaudit, for example, when:

• Assessing risks of material misstatement of the financial statements;
• Determining materiality in accordance with SA 320;
• Considering the appropriateness of the selection and application of accounting policies;
• Identifying areas where special audit consideration may be necessary, for example, related party transactions, the appropriateness of management’s use of the going concern assumption, or  considering the  business purpose  of transactions;
• Developing expectations for use when performing analytical procedures;
• Evaluating the sufficiency and appropriateness of audit evidence obtained, such as the appropriateness of assumptions and of management’s oral and written representations.

The auditor shall obtain an understanding of the following:

(a) Relevant industry, regulatory, and other external factors including the applicable financial reporting framework.

(b) The nature of the entity, including:

1. its operations;
2. its ownership and governance structures;
3. the types of investments that the entity is making and plans to make, including investments in special-purpose entities; and
4. the way that the entity is structured and how it is financed;

to enable the auditor to understand the classes of transactions, account balances, and disclosures to be expected in the financial statements.

(c) The entity’s selection and application of accounting policies, including the reasons for changes thereto. The auditor shall evaluate whether the entity’s accounting policies are appropriate for its business and consistent with the applicable financial reporting framework and accounting policies used in the relevant industry.

(d) The entity’s objectives and strategies, and those related business risks that may result in risks of material misstatement.

(e) The measurement and review of the entity’s financial performance.

As per SA-315, “Identifying and Assessing the Risk of Material Misstatement Through Understanding the Entity and its Environment”, the internal control may be defined as “the process designed, implemented and maintained by those charged with governance, management and other personnel to providereasonable assurance about the achievement of an entity’s objectives with regard to reliability of financial reporting, effectiveness and efficiency of operations, safeguarding of  assets, and compliance with  applicable laws and regulations. The term “controls” refers to any aspects of one or more of the  components of internal control.”

1. transactions are executed in accordance with managements general or specific authorization;
2. all transactions are promptly recorded in the correct amount in the appropriate accounts and in the accounting period in which executed so as to permit preparation of financial information within a framework of recognized accounting policies and practices and relevant statutory requirements, if any, and to maintain accountability for assets;
3. assets are safeguarded from unauthorised access, use or disposition; and
4. the recorded assets are compared with the existing assets at reasonable intervals and appropriate action is taken with regard to any differences.

The auditor shall obtain an understanding of internal control relevant to the audit. Although most controls relevant to the audit are likely to relate to financial reporting, not all controls that relate to financial reporting are relevant to the audit. It is a matter of  the auditor’s professional judgment whether a control, individually or in combination with others, is relevant to the audit.

An understanding of internal control assists the auditor in :

1. identifying types of potential misstatements ;
2. identifying factors that affect the risks of material misstatement, and
3. designing the nature, timing, and extent of further audit  procedures.

Study of various aspects of internal control is divided into four sections, as follows:

Purpose of  Internal Control: Internal control is designed, implemented  and

maintained to address identified business risks that threaten the achievement of any of the entity’s objectives that concern:

• The reliability of the entity’s financial reporting;
• The effectiveness and efficiency of its operations;
• Its compliance with applicable laws and regulations; and
• Safeguarding of assets.

The way in which internal control is designed, implemented and maintained varies with an entity’s size and complexity.

1. Internal control can provide only reasonable assurance:
   Internal control, no matter how effective, can provide an entity with only reasonable assurance about achieving the entity’s financial reporting objectives. The likelihood of their achievement is affected by inherent limitations of internal control.
   
   
2. Human judgment in decision-making:
   Realities that human judgment in decision-making can be faulty and that breakdowns in internal control can occur because of human error.
   Example
   There may be an error in the design of, or in the change to, a control.
   
   
3. Lack of understanding the purpose:
   Equally, the operation of a control may not be effective, such as where information produced for the purposes of internal control (for example, an exception report) is not effectively used because the individual responsible for reviewing the information does not understand its purpose or fails to take appropriate action.
   
   
4. Collusion among People:
   Additionally, controls can be circumvented by the collusion of two or more people or inappropriate management override of internal control. For example, management may enter into side agreements with customers that alter the terms and conditions of the entity’s standard sales contracts, which may result in improper revenue recognition. Also, edit checks in a software program that are designed to identify and report transactions that exceed specified credit limits may be overridden or disabled.
   
   
5. Judgements by Management:
   Further, in designing and implementing controls, management may make judgments on the nature and extent of the controls it chooses to implement, and the nature and extent of the risks it chooses to assume.
   
   
6. Limitations in case of Small Entities:
   Smaller entities often have fewer employees due to which segregation of duties  is  not  practicable. However, in a small owner-managed entity, the owner-manager may be able to exercise more effective oversight than in a larger entity. This oversight may compensate for the generally more limited opportunities for segregation of duties.
   
   On the other hand, the owner-manager may be more able to override controls because the system of internal control is less structured. This is taken into account by the auditor when identifying the risks of material misstatement due to fraud.

There is a direct relationship between an entity’s objectives and the control sit implements to provide reasonable assurance about their achievement. The entity’s objectives, and therefore controls, relate to financial reporting, operations and  compliance; however, not all of these objectives and controls are  relevant to

the auditor’s risk assessment.

• Materiality.
• The significance of the related risk.
• The size of the entity.
• The nature of the entity’s business, including its organisation and ownership characteristics.
• The diversity and complexity of the entity’s operations.
• Applicable legal and regulatory requirements.
• The circumstances and the applicable component of internal control.
• The nature and complexity of the systems that are part of the  entity’s internal control, including the use of service organisations.
• Whether, and how, a specific control, individually or in combination with others, prevents, or detects and corrects, material misstatement.

Controls over the completeness and accuracy of information produced by the entity may be relevant to the audit if the auditor intends to make use of the information in designing and performing further procedures. For example, in auditing revenue by applying standard prices to records of sales volume, the auditor considers the accuracy of the price information and the completeness and accuracy of the sales volume data. Controls relating to operations and compliance objectives may also be relevant to an audit if they relate to data the auditor evaluates or uses in applying audit procedures.

Internal control over safeguarding of assets against unauthorised acquisition, use, or disposition may include controls relating to both financial reporting and operations objectives. The auditor’s consideration of such controls is generally limited to those relevant to the reliability of financial reporting. For example, use of access controls, such as passwords, that limit access to the data and programs that process cash disbursements may be relevant to a financial statement audit. Conversely, safeguarding controls relating to operations objectives, such as controls to prevent the excessive use of materials in production, generally are not relevant to a financial statement audit.

An entity generally has controls relating to objectives that are not relevant to an  audit and therefore need not be considered. For example, an entity may rely on a sophisticated system of automated controls to provide efficient and effective operations (such as an airline’s system of automated controls to maintain flight schedules), but these controls ordinarily would not be relevant to the audit. Further, although internal control applies to the entire entity or to any of its operating units or business processes, an understanding of internal control relating to each of the entity’s operating units and business processes may not be relevant to the audit.

In certain circumstances, the statute or the regulation governing the entity may require the auditor to report on compliance with certain specific aspects of internal controls as a result, the auditor’s review of internal control may be

broader and more detailed.

 

(i) Evaluating the design of a control involves considering whether the control, individually or in combination with other controls, is capable of effectively preventing, or detecting and correcting, material misstatements.

Implementation of a control means that the control exists and  that  the  entity is using it. There is little point in assessing the implementation of a control that is not effective, and so the design of a control is considered first An improperly designed control may represent a significant defficiency in internal control.

(ii) Risk assessment procedures to obtain audit evidence about the design and implementation of relevant controls may include-

• Inquiring of entity personnel.
• Observing the application of specific controls.
• Inspecting documents and reports.
• Tracing transactions through the information system relevant to financial reporting.

Inquiry alone, however, is not sufficient for such purposes.

(iii) Obtaining an understanding of an entity’s controls is not sufficient to test their operating effeectiveness, unless there is some automation that provides for the consistent operation of the controls.

Obtaining audit evidence about the implementation of a manual control at a point in time does not provide audit evidence about the operating effeectiveness of the control at other times during the period under audit. However, because of the inherent consistency of IT processing, performing audit procedures to determine whether an automated control has been implemented may serve as a test of that control’s operating effectiveness, depending on the auditor’s assessment and testing of controls such as those over program changes

The division of internal control into the following five components provides a useful framework for auditors to consider how different aspects of an entity’s internal control may affect the audit:

1. The control environment;
2. The entity’s risk assessment process
3. The information system, including the related business processes, relevant to financial reporting, and communication
4. Control activities
5. Monitoring of controls.

(A) Control Environment– Component of Internal Control– The auditor shall obtain an understanding of the control environment. As part of  obtaining  this understanding, the auditor shall evaluate whether:

1. Management has created and maintained a culture of honesty and ethical behavior; and
2. The strengths in the control environment elements collectively provide an appropriate foundation for the other components of internal control.

What is included in Control Environment ?

The control environment includes:

1.  the governance and management functions and
2. the attitudes, awareness, and actions of those charged with governance and management .
3. the control environment sets the tone of an organization, influencing the control consciousness of its people.

Elements of the Control Environment– Elements of the control environment that may be relevant when obtaining an understanding of the control environment include the following:

(a) Communication and enforcement of integrity and ethical values– These are essential elements that influence the effectiveness of the design, administration and monitoring of controls.

(b) Commitment to competence– Matters such as management’s consideration of the competence levels for particular jobs and how those levels translate into requisite skills and knowledge.

 

(c) Participation by those charged with governance– Attributes of those charged with governance such as:

• Their independence from management.
• Their experience and stature.
• The extent of their involvement and the information they  receive, and the scrutiny of activities.
• The appropriateness of their actions, including the degree to which difficult questions are raised and pursued with management, and their interaction with internal and external auditors.

(d) Management’s philosophy and operating style– Characteristics such as management’s:

• Approach to taking and managing business risks.
• Attitudes and actions toward financial reporting.
• Attitudes toward information processing and accounting functions and personnel.

(e) Organisational structure– The framework within which an entity’s activities for achieving its objectives are planned, executed, controlled, and reviewed.

(f) Assignment of authority and responsibility– Matters such as how authority and responsibility for operating activities are assigned and how reporting relationships and authorisation hierarchies are established.

(g) Human resource policies and practices– Policies and practices that relate to, for example, recruitment, orientation, training, evaluation, counselling, promotion, compensation, and remedial actions.

The auditor shall obtain an understanding of whether the entity has a process for:

1. Identifying business risks relevant to financial reporting objectives;
2. Estimating the significance of the risks;
3. Assessing the likelihood of their occurrence; and
4. Deciding about actions to address those risks.

The entity’s risk assessment process forms the basis for the risks to be managed. If that process is appropriate, it would assists the auditor in identifying risks of material misstatement. Whether the entity’s risk assessment process is appropriate to the circumstances is a matter of judgment.

The auditor shall obtain an understanding of the information system, including the related business processes, relevant to financial reporting, including the following are as:

1. The classes of transactions in the entity’s operations that are significant to the financial statements;
2. The procedures by which those transactions are initiated, recorded, processed, corrected as necessary, transferred to the general ledger and reported in the financial statements;
3. The related accounting records, supporting information and specific accounts in the financial statements that are used to initiate, record, process and report transactions;
4. How the information system captures events and conditions that are significant to the financial statements;
5. The financial reporting process used to prepare the entity’s financial statements;
6. Controls surrounding journalentries.

Communicating Financial Roles and Responsibilities– Obtaining an Understanding by the Auditor: The auditor shall obtain an understanding of how the entity communicates financial reporting roles and responsibilities

1. Communications between management and those charged with governance; and
2. External communications, such as those with regulatory authorities.

The following points need consideration in this regard:

1. Understanding of Roles and Responsibilities: Communication by the entity of the financial reporting roles and responsibilities would involves providing an understanding of individual roles and responsibilities pertaining to internal control over financial reporting.
2. Understanding regarding Relation of Activities: It includes understanding by employees as to how their activities relate to  the work  of others and the means of reporting exceptions to higher level within the entity.
3. Policy Manuals and Financial Reporting Manuals: Communication may take such forms as policy manuals and financial reporting manuals.
4. Open Communication Channels: Open communication channels help ensure that exceptions are reported and acted on.
5. Less structured and easier for Small Entities: Communication may be less structured and easier to achieve in a small entity than  in  a  larger entity due to fewer levels of responsibility and management’s greater visibility and availability.

(D) Control Activities– Component of Internal Control
The auditor shall obtain an understanding of control activities relevant to the audit, which the auditor considers necessary to assess the risks of material misstatement. An audit requires an understanding of only those control activities related to significant class of transactions, account balance, and disclosure in the financial statements and the assertions which the auditor finds relevant in his risk assessment process.

Control activities are the policies and procedures that help ensure that management directives are carried out.

Control activities, whether within IT or manual systems, have various objectives and are applied at various organisational and functional levels.

 

• Authorization
• Performance Reviews
• Information Processing
• Physical controls
• Segregation of Duties

Control activities that are relevant to the audit are:

• Control activities that relate to significant risks and those that relate to risks for which substantive procedures alone do not provide sufficient appropriate audit evidence; or
• Those that are considered to be relevant in the judgment of  the auditor;
• As part of the risk assessment, the auditor shall determine whether any of the risks identified are, in the auditor’s judgment, a significant risk.

In exercising judgment as to which risks are significant risks, the auditor shall consider at least the following:

1. Whether the risk is a risk of fraud;
2. Whether the risk is related to recent significant economic, accounting, or other developments like changes in regulatory environment, etc., and, therefore, requires specific attention;
3. The complexity of transactions;
4. Whether the risk involves significant transactions with related parties;
5. The degree of subjectivity in the measurement of financial information related to the risk, especially those measurements involving a wide range of measurement uncertainty; and
6. Whether the risk involves significant transactions that are outside the normal course of business for the entity, or that otherwise appear to be unusual.

Identifying Significant Risks: Significant risks often relate to significant non- routine transactions or judgmental matters. Non-routine transactions are transactions that are unusual, due to either size or nature, and that therefore occur infrequently. Judgmental matters may include the development of accounting estimates for which there is signifycant measurement uncertainty.

Significant risks are inherent risks with both a higher likelihood of occurrence and a higher magnitude of potential misstatement. The auditor assess assertions affected by a significant risk as higher inherent risk. The following are always significant risks:

• Risks of material misstatement due to fraud
• Significant transactions with related parties that are outside the normal course of business for the entity

Risks of material misstatement may be greater for significant non-routine transactions arising from matters such as the following:

• Greater management intervention to specify the accounting treatment.
• Greater manual intervention for data collection and processing.
• Complex calculations or accounting principles.
• The nature of non-routine transactions, which may make it diffcult for the entity to implement effective controls over the risks.

Risks of material misstatement may be greater for significant judgmental matters that require the development of accounting estimates, arising from matters such as the following:

• Accounting principles for accounting estimates or revenue recognition may be subject to differing interpretation.
• Required judgment may be subjective or complex, or require assumptions about the effects of future events, for example, judgment about fair value.

The auditor shall obtain an understanding of the major activities that the entity uses to monitor internal control over financial reporting.

1. Monitoring of controls Defined: Monitoring of controls is a process to assess the effectiveness of internal control performance over time.
2. Helps in assessing the effectiveness of controls on a timely basis: It involves assessing the effectiveness of controls on a timely basis and taking necessary remedial actions.
3. Management accomplishes through ongoing activities, separate evaluations etc.: Management accomplishes monitoring of controls through ongoing activities, separate evaluations, or a combination of the two. Ongoing monitoring activities are often built into the normal recurring activities of an entity and include regular management and supervisory activities.
4. Management’s monitoring activities include: Management’s monitoring activities may include using information from communications from external parties such as customer  complaints and regulator comments that may indicate  problems  or  highlight  areas in need of improvement.
5. In case of Small Entities: Management’s monitoring of control is often accomplished by management’s or the owner-manager’s close involvement in operations. This involvement often will identify significant variances from expectations and inaccuracies in financial data leading to remedial action to the control.

If the entity has an internal audit function, the auditor shall obtain an understanding of the following :

1. The internal audit function’s responsibilities and how the internal audit function fits in the entity’s organisational structure; and
2. The activities performed, or to be performed, by the internal audit function.

The following points merit consideration in this regard:

1. Internal Audit Function relevant to the Audit: The entity’s internal audit function is likely to be relevant to the audit if its activities are related to the entity’s financial reporting. Also if the auditor expects to use the work of the internal auditors to modify the audit procedures to be performed. When the auditor determines that the internal audit function is likely to be relevant to the audit, SA 610 applies.
2. Size and Structure of the Entity: The objectives of an internal audit function vary widely depending on the size and structure of the entity and the requirements of management.
3. Internal audit function may include: The responsibilities of an internal audit function may include, for example, monitoring of internal control, risk management, and review of compliance with laws and regulations.
   On the other hand, the responsibilities of the internal audit function may be limited to the review of the economy, efficiency and effectiveness of operations, for example, and accordingly, may not relate to the entity’s financial reporting.
4. External auditor’s activities- on the basis of Internal Audit activities: If the internal audit function’s responsibilities are related to the entity’s financial reporting, the external auditor’s consideration of the activities performed may include review of the internal audit function’s audit plan for the period.

The existence of a satisfactory control environment can be a positive factor when the auditor assesses the risks of material misstatement. However, although it may help reduce the risk of fraud, a satisfactory control environment is not an absolute deterrent to fraud. Conversely, deficiencies in the control environment may undermine the effectiveness of controls, in particular in relation to fraud. For example, management’s failure to commit sufficient resources to address IT security risks may adversely affect internal control by allowing improper changes to be made to computer programs or to data, or unauthorized transactions to be processed. As explained in SA 330, the control environment also influences the nature, timing, and extent of the auditor’s further procedures.

The control environment in itself does not prevent, or detect and correct, a  material misstatement. It may, however, influence the auditor’s evaluation of the effectiveness of other controls (for example, the monitoring of controls and the operation of specific control activities) and thereby, the auditor’s assessment of the risks of material misstatement.

 

So far as the auditor is concerned, the examination and evaluation of the internal control system is an indispensable part of the overall audit  programme. The auditor needs reasonable assurance that the accounting system is adequate and that all the accounting information which should be recorded has in fact been recorded. Internal control normally contributes to such assurance. The auditor should gain an understanding of the accounting system and related internal controls and should study and evaluate the operations of these internal controls upon which he wishes to rely in determining the nature, timing  and  extent  of other audit procedures.

Benefits of Evaluation of Internal Control to the Auditor

The review of internal controls will enable the auditor to know:

1. whether errors and frauds are likely to be located in the ordinary course of operations of the business;
2. whether an adequate internal control system is in use and operating as planned by the management;
3. whether an effective internal auditing department is operating;
4. whether any administrative control has a  bearing on  his work (for example,  if the control over worker recruitment and enrolment is weak, there is a likelihood of dummy names being included in the wages sheet and this is relevant for the auditor);
5. whether the controls adequately safeguard the assets;
6. how far and how adequately the management is discharging its function in so far as correct recording of transactions is concerned;
7. how reliable the reports, records and the certificates to the management can be;
8. the extent and the depth of the examination that he needs to carry out in the different areas of accounting;
9. what would be appropriate audit technique and the audit procedure in the given circumstances;
10. what are the areas where control is weak and where it is excessive; and
11. whether some worthwhile suggestions can be given to improve the control system.

The auditor can formulate his entire audit programme only after he has had a satisfactory understanding of the internal control systems and their actual operation. If he does not care to study this aspect, it is very likely that his audit programme may become unwieldy and unnecessarily heavy and the object of the audit may be altogether lost in the mass of entries and vouchers. It is also important for him to know whether the system is actually in operation. Often, after installation of a system, no proper follow up is there by the management to ensure compliance. The auditor, in such circumstances, may be led  to  believe that a system is in operation which in reality may not be altogether in operation or may at best operate only partially. This state of affairs is probably the worst that

an auditor may come across and he would be in the midst of confusion, if he does

not take care.

It would be better if the auditor can undertake the review of the internal control system of client. This will give him enough time to assimilate the controls and implications and will enable him to be more objective in the framing of the audit programme. He will also be in a position to bring to the  notice  of  the  management the weaknesses of the system and to suggest measures for improvement. At a further interim date or in the course of the audit, he may ascertain how far the weaknesses have been removed.

From the foregoing, it can be concluded that the extent and the nature of  the audit programme is substantially influenced by the internal control system in operation. In deciding upon a plan of  test checking, the  existence and operation  of internal control system is of great significance.

A proper understanding of the internal control system in its content and working also enables an auditor to decide upon the appropriate audit procedure to be applied in different areas to be covered in the audit programme.

In a situation where the internal controls are considered weak in some areas, the auditor might choose an auditing procedure or test that otherwise might not be required; he might extend certain tests to cover a large number of transactions or other items than he otherwise would examine and at times he may perform additional tests to bring him the necessary satisfaction.

Normally the distribution of wages is not observed by the auditor. But if the internal control over wages is so weak that there exists a possibility of dummy workers being paid, the auditor might include observation of wages distribution in his programme in order to find out the workers who do not turn up for receipt of wages.

On the other hand, if he is satisfied with the internal control on sales and trade receivables, the auditor can get trade receivables’ balances confirmed at almost any time reasonably close to the balance sheet date. But if the control is weak, he may feel that he should get the confirmation exactly on the date of the year closing so that he may eliminate the risk of errors and frauds occurring between the intervening period. Also, he may in that situation, decide to have a large coverage of trade receivables by the confirmation procedure.

A review of the internal control can be done by a process of study, examination  and evaluation of the control system installed by the management.

The first step involves determination of the control and procedures laid down by the management. By reading company manuals, studying organisation charts and flow charts and by making suitable enquiries from the offcers and employees, the auditor may ascertain the character, scope and efficacy of the control system. To acquaint  himself  about how all the accounting information is collected and processed and to learn the nature of controls that makes the information reliable and protect the company’s assets, calls for considerable skill and knowledge. In many cases, very little of this information is available in writing; the auditor must ask the right people the right questions if he is to get the information he wants. It would be better if he makes written notes of the relevant information and procedures contained in the manual or ascertained on enquiry.

1. Narrative record;
2. Check List;
3. Questionnaire; and
4. Flow chart.

This is a complete and exhaustive description of the system as found in operation by the auditor. Actual testing and observation are necessary before such a record can be developed. It may be recommended in cases where no formal  control system is in operation and would be more suited to small business.

The basic disadvantages of narrative records are:

1. To comprehend the system in operation is quite difficult.
2. To identify weaknesses or gaps in the system.
3. To incorporate changes arising on account of reshuffling of manpower, etc.

This is a series of instructions and/or questions which a member of the auditing staff must follow and/or answer. When he completes instruction, he initials the space against the instruction. Answers to the check list instructions are usually Yes, No or Not Applicable. This is again an on the job requirement and instructions are framed having regard to the desirable elements of control.

A few examples of check list instructions are given hereunder:

1. Are tenders called before placing orders?
2. Are the purchases made on the basis of a written order?
3. Is the purchase order form standardised?
4. Are purchase order forms pre-numbered?
5. Are the inventory control accounts maintained by persons who have nothing to do with custody of work, receipt of inventory, inspection of inventory and purchase of inventory?

The complete check list is studied by the Principal/Manager/Senior to ascertain existence of internal control and evaluate its implementation and effciency.

This is a comprehensive series of questions concerning internal control. This is the most widely used form for collecting information about the existence, operation and effciency of internal control in an organisation.

An important advantage of the questionnaire approach is that oversight or  omission of significant internal control review procedures is less likely to occur with this method. With a proper questionnaire, all internal control evaluation can be completed at one time or in sections. The review can more easily be made on an interim basis. The questionnaire form also provides an orderly means  of disclosing control defects. It is the general practice to review the internal control system annually and record the review in detail. In the questionnaire, generally questions are so framed that a ‘Yes’ answer denotes satisfactory position and a ‘No’ answer suggests weakness. Provision is made for an explanation or further details of ‘No’ answers. In respect of questions not relevant to the business, ‘Not Applicable’ reply is given.

The questionnaire is usually issued to the client and the client is requested to get it filled by the concerned executives and employees. If on a perusal of the answers, inconsistencies or apparent incongruities are noticed, the matter is  further discussed by auditor’s staff with the client’s employees for a clear picture. The concerned auditor then prepares a report of deficiencies and recommendations for improvement.

 

It is a graphic presentation of each part of the company’s system of internal control. A flow chart is considered to be the most concise way of recording the auditor’s review of the  system. It minimises the amount of narrative explanation and thereby achieves a consideration or presentation not possible in any other form. It gives bird’s eye view of the system and the flow of transactions and integration and in documentation, can be easily spotted and improvements can be suggested.

It is also necessary for the auditor to study the significant features of the business

carried on by the concern; the nature of its activities and various channels of goods

and materials as well as cash, both inward and outward; and also a comprehensive study of the entire process of manufacturing, trading and administration. This will help him to understand and evaluate the internal controls in the correct perspective.

After assimilating the internal control system, the auditor needs to examine whether and how far the same is actually in  operation. For this, he resorts to actual testing of the system in operation. This he does on a selective basis: he can plan this testing in such a manner that all the important areas are covered in a period of, say, three years. Selective testing is being done by application of procedural tests and auditing in depth.

Test of controls are performed to obtain audit evidence about the effectiveness of the:

1. design of the accounting and internal control systems i.e., whether they are suitably designed to prevent or detect and correct material misstatements
2. operation of the internal controls throughout the period

Test of controls include tests of elements of the control environment where strengths in the control environment are used by auditors to reduce control risk.

Some of the procedures performed to obtain  the  understanding  of  the accounting and internal control systems may not have been specifically planned as tests of control but may provide audit evidence about the effectiveness of the design and operation of internal controls relevant to certain assertions and, consequently, serve as tests of control. For example, in obtaining  the understanding of  the accounting and internal control systems pertaining to cash, the auditor may have obtained audit evidence about the effectiveness of the bank reconciliation process through inquiry and observation.

When the auditor concludes that procedures performed to obtain the understanding of the accounting and internal control systems also provide audit evidence about the suitability of design and operating effectiveness of policies and procedures relevant to a particular financial statement assertion, the auditor may use that audit evidence, provided it is suffcient to support a control risk assessment at less than a high level.

While obtaining audit evidence about the effective operation of internal controls,

• Inspection of documents supporting transactions and other events to gain audit evidence that internal controls have operated properly, for example, verifying that a transaction has been authorised.
• Inquiries about, and observation of, internal controls which leave  no  audit trail, for example, determining who actually performs each function and not merely who is supposed to perform it.
• Re-performance involves the auditor’s independent execution of procedures or controls that were originally performed as part of the entity’s internal control, for example, reconciliation of bank accounts, to ensure they were correctly performed by the entity.
• Testing of internal control operating on  specific computerised applications  or over the overall information technology function, for example, access or program change controls.

the auditor considers how they were applied, the consistency with which they were

applied during the period and by whom they were applied. The concept of effective operation recognises that some deviations may have occurred. Deviations from prescribed controls may be caused by such factors as changes in key personnel, significant seasonal fluctuations in volume of transactions and human error. When  deviations  are  detected the auditor makes specific inquiries regarding these matters, particularly, the timing of staff changes in key internal control functions. The auditor then ensures that the tests of control appropriately cover such a period of change or fluctuation.

Based on the results of the tests of control, the auditor should evaluate whether the internal controls are designed and operating as contemplated in  the preliminary assessment of control risk. The evaluation of deviations may result in the auditor concluding that the assessed level of control risk needs to be revised. In such cases, the auditor would modify the nature, timing and extent of planned substantive procedures.

 

Before the conclusion of the audit, based on the results of substantive procedures and other audit evidence obtained by the auditor, the auditor should consider whether the assessment of control risk is confirmed. In case of deviations from the prescribed accounting and internal control systems, the auditor would make specific inquiries to consider their implications. Where, on the basis of such inquiries, the auditor concludes that the deviations are such that the preliminary assessment of control risk is not supported, he would amend the same unless the audit evidence obtained from other tests of control supports that assessment. Where the auditor concludes that the assessed level of control risk needs to be revised, he would modify the nature, timing and extent of his planned substantive procedures. It has been suggested that actual operation of the internal control should be tested by the application of procedural tests and examination in depth. Procedural tests simply mean testing of the compliance with the procedures laid down by the management in respect of initiation, authorisation, recording and documentation of transaction at each stage through which it flows.

For example, the procedure for sales requires the following:

1. Before acceptance of any order the position of inventory of the relevant article should be known to ascertain whether the order can be executed in time.
2. An advice under the authorisation of  the sales manager should be  sent to  the party placing the order, internal reference number, and the acceptance of the order. This advice should be prepared on a standardised form and copy thereof should be forwarded to inventory section to enable it to prepare for the execution of the order in time.
3. The credit period allowed to the party should be the normal credit period. For any special credit period a special authorisation of the sales manager would be necessary.
4. The rate at which the order has been accepted and other terms about transport, insurance, etc., should be clearly specified.
5. Before deciding upon the credit period, a reference should be made to the credit section to know the creditworthiness of the party and particularly whether the party has honoured its commitments in the past.

An auditor testing the internal controls on sales should invariably test whether any of the aforesaid procedures have been omitted. If credit has actually been granted without a reference to the credit section to know the creditworthiness of the party, it is possible that the amount may prove bad because of the financial crisis or deadlock in the management of the party, a fact which could have been easily gathered from the credit section. Similarly, if an order is received without a reference to the inventory section, it is likely due to non-availability of the inventory  on  the  stipulated  date;  execution of the order may be delayed and the company may have to compensate the buyer for the damages suffered by him.