
CHAPTER NO 03: RISK ASSESSMENT AND INTERNAL CONTROL

CONCEPT NO

01 AUDIT RISK & ITS COMPONENTS
02 UNDERSTANDING THE ENTITY AND ITS ENVIRONMENT
03 RISKS THAT REQUIRE SPECIAL AUDIT CONSIDERATION
04 INTERNAL CONTROL
05 EVALUATION OF INTERNAL CONTROL BY THE AUDITOR
06 SA 320 MATERIALITY IN PLANNING AND PERFORMING AN AUDIT
07 SA 330 – THE AUDITOR'S RESPONSES TO ASSESSED RISKS
08 SA 265 COMMUNICATING DEFICIENCIES IN INTERNAL CONTROL TO THOSE CHARGED WITH GOVERNANCE AND MANAGEMENT

Chapter 3 RISK ASSESSMENT AND INTERNAL CONTROL

1. AUDIT RISK & ITS COMPONENTS


Audit risk is the risk that the auditor may give an inappropriate opinion when the financial statements are
materially misstated. Thus, it is the risk that the auditor may fail to express an appropriate opinion in an audit
assignment.
SA 315 "Identifying and Assessing Risk of Material Misstatements through understanding the Entity and its
Environment" provides guidance on identifying and assessing the risks of material misstatements at the
financial statement level and assertion levels.
Audit risk is a function of the risks of material misstatement and detection risk.

1.1 MEANING OF MISSTATEMENT


SA 200 states that risk of material misstatement is the risk that the financial statements are materially misstated
prior to audit. It simply means that there is a probability of frauds or errors in financial statements
before audit.
Misstatement refers to a difference between the amount, classification, presentation, or disclosure of a
reported financial statement item and the amount, classification, presentation, or disclosure that is
required for the item to be in accordance with the applicable financial reporting framework. Misstatements
can arise from error or fraud.
A few examples of misstatements could be:
a) Charging of an item of capital expenditure to revenue or vice-versa
b) Difference in disclosure of a financial statement item in comparison to its requirement in applicable
financial reporting framework
c) Selection or application of inappropriate accounting policies
d) Difference in accounting estimate of a financial statement item in comparison to its appropriateness in
applicable financial reporting framework
e) Intentional booking of fake expenses in statement of profit and loss
f) Overstating of receivables in financial statements by not writing off irrecoverable debts
g) Overstating or understating inventories

1.2 THE RISKS OF MATERIAL MISSTATEMENT MAY EXIST AT TWO LEVELS:


a) The overall financial statement level; and
b) The assertion level for classes of transactions, account balances, and disclosures.
1. Risks of material misstatement at the overall financial statement level refer to risks of material
misstatement that relate pervasively to the financial statements as a whole & potentially affect many
assertions.
2. Risks of material misstatement at the assertion level are assessed in order to determine the nature,
timing and extent (NTE) of further audit procedures necessary to obtain sufficient appropriate audit
evidence. This evidence enables the auditor to express an opinion on the financial statements at an
acceptably low level of audit risk.
3. The risks of material misstatement at the assertion level consist of two components: inherent risk and
control risk.

1.3 COMPONENTS OF AUDIT RISK & RISKS OF MATERIAL MISSTATEMENT


Audit Risk has three components: Inherent Risk, Control Risk and Detection Risk. Inherent Risk and Control
Risk are collectively known as Risk of Material Misstatement.
The risk of material misstatement at assertion level comprises of two components i.e., inherent risk
and control risk. Both inherent risk and control risk are the entity's risks and they exist independently of
the audit of financial statements.

CA Kapil Goyal
www.caindia.org

Inherent risk and control risk are influenced by the client. These are entity's risks and are not
influenced by the auditor.
Inherent Risk Nov 12
• Inherent risk is the susceptibility of an assertion about a class of transaction, account balance or
disclosure to a misstatement that could be material, either individually or when aggregated with other
misstatements before consideration of any related controls as described in SA-200.
• There is always a risk that before considering any existence of internal control in an entity, a
particular transaction, balance of an account or a disclosure required to be made in the financial
statements of an entity have a chance of being misstated and such misstatement can be material. This risk
is known as inherent risk.
• Inherent risk is higher for some assertions and related classes of transactions, account balances, and
disclosures than for others. For example, it may be higher for complex calculations.
• Inherent risk factors are considered while designing tests of controls and substantive procedures.
Whether the auditor's assessment category is lower or higher, each category covers a range of degrees of
inherent risk. The auditor may assess the inherent risk of two different assertions as lower while recognizing
that one assertion has less inherent risk than the other, although both have been assessed as lower.
• It is important to consider the reason for each identified inherent risk even if the risk is lower, when
auditor designs tests of controls and substantive procedures.
• External circumstances giving rise to business risks may also influence inherent risk. For example,
technological developments might make a particular product obsolete. Factors in the entity and its
environment may also influence the inherent risk related to a specific assertion.
A few examples of inherent risks could include:
a) An accounting standard provides guidance on some complex issue which might not be understood
by the management. Therefore, recording of this issue in financial statements carries inherent risk of
being misstated.
b) There are a large number of business failures in an industry. Therefore, assertions in financial statements
of an entity operating in such an industry carry an inherent risk of being misstated.
Control Risk
· The risk that a misstatement that could occur in an assertion about a class of transaction, account balance
or disclosure and that could be material, either individually or when aggregated with other
misstatements, will not be prevented, or detected and corrected, on a timely basis by the entity's internal
control.
· Control Risk is the risk that material misstatement will not be prevented or detected and corrected on a
timely basis by the internal control system.
· Therefore, in a way, it can be said that there exists an inverse relation between control risk and
efficiency of internal control of an entity. When efficiency of internal control of an entity is high, the
control risk is low and when efficiency of internal control of that entity is low, the control risk is high.
Examples of control risk could include: -
a) A company has devised control that cash and cheque books should be kept in a locked safe and access is
granted to authorized personnel only. There is risk that control is not being followed.
b) A company has devised a control relating to petty cash that items of expenditure of only less than
Rs.10,000 should be routed through imprest system of petty cash. There is a risk that control is not being
followed.
c) An entity has devised a control that fire extinguishers and smoke detectors are in place and are in
working condition at all times to reduce the risk of damage to inventories caused by fire. There is a risk
that fire extinguishers in place are expired and are not being refilled. Similarly, there is a possibility that
smoke detectors are not working.
Detection Risk
· SA 200 defines detection risk as the risk that the procedures performed by the auditor to reduce audit risk
to an acceptably low level will not detect a misstatement that exists and that could be material, either
individually or when aggregated with other misstatements.
· The auditor's control risk assessment, together with the inherent risk assessment, influences the nature,
timing and extent of substantive procedures to be performed to reduce detection risk, and therefore
audit risk, to an acceptably low level.
· Some detection risk would always be present even if an auditor was to examine 100 per cent of the
account balances or class of transactions.
Detection risk comprises sampling and non-sampling risk.
Sampling risk is the risk that the auditor's conclusion based on a sample may be different from the
conclusion if the entire population were subjected to the same audit procedure. It simply means that the
sample was not representative of the population from which it was chosen.
Non-sampling risk is the risk that the auditor reaches an erroneous conclusion for any reason not related to
sampling risk. For example, an auditor may reach an erroneous conclusion due to the application of some
inappropriate audit procedure.
Examples of detection risk could include: -
a) Sizeable work-in-progress inventories are expected in financial statements of a company. However,
auditor of the company does not devote time to attending inventory count. Instead, he chooses to rely
upon alternative audit procedures.
b) The auditor of a company has audited revenue of a company by taking a sample. However, there is a risk
that sample of revenue is not representative of overall revenue.
Important Note - The auditor can only influence detection risk. Inherent risk and control risk belong to the
entity and are influenced by the entity. Therefore, auditor must reduce detection risk in order to keep audit
risk at low level. Detection risk may be reduced by increasing area of checking, testing larger samples
and by including competent and experienced persons in the engagement team.

ILLUSTRATION
XYZ Ltd is engaged in business, running several stores dealing in a variety of items such as ready-made
garments for all seasons, shoes, gift items, watches etc. There are security tags on each and
every item. Moreover, inventory records are physically verified on a monthly basis.
Discuss the types of inherent, control and detection risks as perceived by the auditor.
SOLUTION
Inherent Risk: Because items may have been misappropriated by employees, the risk to the auditor is
that inventory records would be inaccurate.
Control Risk: There is a security tag on each item displayed. Moreover, inventory records are physically
verified on monthly basis. Despite various controls being implemented at the stores, still collusion among
employees may be there and risk to auditor would again be that inventory records would be inaccurate.
Detection Risk: Auditor checks the efficiency and effectiveness of various control systems in place. He would
do that by making observation, inspection, enquiry, etc. In addition to these, the auditor would also employ
sampling techniques to check few sales transactions from beginning to end. However, despite all these
procedures, the auditor may not detect the items which have been stolen or misappropriated.


ILLUSTRATION
A Partnership Firm of Chartered Accountants HT and Associates was appointed to audit the books of
accounts of Wind and Ice Limited for the financial year 2020-21. There was a risk that HT and
Associates would give an inappropriate audit opinion if the financial statements of Wind and Ice
Limited are materially misstated. State the risk mentioned in the question.
SOLUTION
The risk mentioned in the question is known as Audit Risk, because the risk that the auditor of a company will
give an inappropriate audit opinion if the financial statements of that company are materially misstated is
known as Audit Risk.

Test Your Understanding-I


Wear & Tear Private Limited is a “start-up” engaged in providing holistic solutions to problem of paddy
stubble burning mainly catering to needs of farmers of Northwestern India. Due to importance given by
governments to this issue, companies have entered in the market in past few years. Many of these companies
have not been successful and have gone bust. As an auditor of the company, can you spot the component of
risks of material misstatement involved in above?
Ans
It has been stated that many companies engaged in providing holistic solutions to problem of stubble burning
have not been successful. It shows that line of activity is inherently risky. Therefore, there is a greater
possibility of misstatements. The component of risks of material misstatement involved is “inherent risk.”
Test Your Understanding-II
A company has devised a control that its inventory of perishable goods is stored in appropriate conditions, in
a controlled environment, to prevent any damages to inventory. Responsibility is fixed on two persons to
monitor environment using sensors and to report on deviations. Identify the component of risks of material
misstatement involved as an auditor of the company.
Ans
The company has devised a control that its inventory of perishable goods is stored in appropriate conditions
and responsibility is fixed on two persons to monitor environment using sensors and to report on deviations.
There is a possibility that persons given responsibility do not perform their work and report deviations. The
component of risks of material misstatement is “control risk”.

Test Your Understanding-III


Shree Foods Private Limited is engaged in manufacturing of garlic bread. The auditors of company have
planned audit procedures in respect of recognition of revenues of the company. Despite that, there is a
possibility that misstatements in revenue recognition are not identified by planned audit procedures. Which
risk is being alluded to?
Ans
There is a possibility that planned audit procedures may not achieve desired result and fail to detect
misstatements in revenue recognition. The risk alluded to is “detection risk”.

1.4 WHAT IS NOT INCLUDED IN AUDIT RISK?
i. Audit risk does not include the risk that the auditor might express an opinion that the financial statements
are materially misstated when they are not. This risk is ordinarily insignificant.
ii. Further, audit risk is a technical term related to the process of auditing; it does not refer to the auditor's
business risks such as loss from litigation, adverse publicity, or other events arising in connection
with the audit of financial statements.
The SAs do not ordinarily refer to inherent risk and control risk separately, but rather to a combined
assessment of the "risks of material misstatement".

1.5 ASSESSMENT OF RISKS - MATTER OF PROFESSIONAL JUDGEMENT

Audit risk is a function of the risks of material misstatement and detection risk. The assessment of risks is
based on audit procedures to obtain information necessary for that purpose and evidence obtained
throughout the audit.
The assessment of risks is a matter of professional judgment, rather than a matter capable of precise
measurement.
The distinguishing feature of the professional judgment expected of an auditor is that it is exercised by an
auditor whose training, knowledge and experience have assisted in developing the necessary competencies
to achieve reasonable judgments.

An Overview of Audit Risk

Audit risk: what is included? (✓ = included, ✗ = not included)

✓ Audit risk is the risk that the auditor gives an inappropriate audit opinion when the
financial statements are materially misstated.
✓ A function of risks of material misstatement and detection risk.
✗ Auditor's business risks such as loss from litigation, adverse publicity, or other events
arising in connection with the audit of financial statements.
✗ Risk that the auditor might express an opinion that the financial statements are
materially misstated when they are not.


1.6 RELATIONSHIP BETWEEN COMPONENTS OF AUDIT RISK


Relationship between IR and CR
1. Management often reacts to inherent risk situations by designing accounting and internal control
systems to prevent or detect and correct misstatements and therefore, in many cases, inherent risk and
control risk are highly interrelated.
2. In such situations, if the auditor attempts to assess inherent and control risks separately, there is a
possibility of inappropriate risk assessment.
As a result, audit risk may be more appropriately determined in such situations by making a combined
assessment of inherent and control risk. This combined assessment is considered to be the Risk of
Material Misstatement (ROMM).
However, the auditor may make separate or combined assessments of inherent and control risk
depending on preferred audit techniques or methodologies and practical considerations.
The assessment of the risks of material misstatement may be expressed in quantitative terms, such as in
percentages, or in non-quantitative terms.

Relationship between ROMM and Detection Risk


1. There is an inverse relationship between detection risks and the combined level of inherent and control
risks.
2. When inherent and control risks are high, acceptable detection risk needs to be low to reduce audit risk to
an acceptably low level. When inherent and control risks are low, an auditor can accept a higher detection
risk and still reduce audit risk to an acceptably low level.
3. When both inherent and control risks are assessed as high, the auditor needs to consider whether
substantive procedures can provide sufficient appropriate audit evidence to reduce detection risk, and
therefore audit risk, to an acceptably low level.
Mathematically, Audit Risk (AR) can be expressed as a product of Inherent Risk (IR), Control Risk (CR) and
Detection Risk (DR), i.e. AR = IR × CR × DR.
If detection risk cannot be reduced to an acceptably low level, the auditor should express a qualified
opinion or a disclaimer of opinion.

1.7 SA 315 IDENTIFYING AND ASSESSING THE RISK OF MATERIAL MISSTATEMENT


As per SA 315 "Identifying and Assessing the Risk of Material Misstatement through Understanding
the Entity and its Environment", the objective of the auditor is:
· To identify and assess the risks of material misstatement, whether due to fraud or error,
· At the financial statement and assertion levels,
· Through understanding the entity and its environment, including the entity's internal control,
· Thereby providing a basis for designing and implementing responses to the assessed risks of material
misstatement.
This will help the auditor to reduce the risk of material misstatement to an acceptably low level.

The objective of the auditor as stated in SA 315 is to identify and assess the risks of material
misstatement.
(i) The auditor shall identify and assess the risks of material misstatement at:
(a) the financial statement level
(b) the assertion level for classes of transactions, account balances, and disclosures to provide a basis
for designing and performing further audit procedures

(ii) For the purpose of identifying and assessing the risks of material misstatement, the auditor
shall: -
(a) Identify risks throughout the process of obtaining an understanding of the entity and its
environment, including relevant controls that relate to the risks, and by considering the classes of
transactions, account balances, and disclosures in the financial statements
(b) Assess the identified risks, and evaluate whether they relate more pervasively to the financial
statements as a whole and potentially affect many assertions
(c) Relate the identified risks to what can go wrong at the assertion level, taking account of relevant
controls that the auditor intends to test and
(d) Consider the likelihood of misstatement, including the possibility of multiple misstatements,
and whether the potential misstatement is of a magnitude that could result in a material
misstatement.

1.8 RISK ASSESSMENT PROCEDURES/COMPONENT OF RISK ASSESSMENT PROCEDURE


The audit procedures performed to obtain an understanding of the entity and its environment, including the
entity's internal control, to identify and assess the risks of material misstatement, whether due to fraud or
error, at the financial statement and assertion level are defined as risk assessment procedures.
Risk assessment procedures by themselves, however, do not provide sufficient appropriate audit
evidence on which to base the audit opinion.
The risks to be assessed include both those due to error and those due to fraud.

1.8B WHAT IS INCLUDED IN RISK ASSESSMENT PROCEDURES?

Components: Inquiry; Analytical procedures; Observation and inspection.

1. Inquiries of management, and of others within the entity.

Much of the information is obtained by the auditor through inquiry from
management and others. However, the auditor may also obtain information, or a
different perspective in identifying risks of material misstatement, through
inquiries of others within the entity and other employees with different levels of
authority.
For example:
1. Inquiries directed towards those charged with governance (TCWG) may help the auditor understand the
environment in which the financial statements are prepared.
2. Inquiries directed toward internal audit personnel may provide information about
internal audit procedures performed during the year relating to the design and
effectiveness of the entity's internal control and whether management has satisfactorily responded to
findings from those procedures.
3. Inquiries of employees involved in initiating, processing or recording complex or unusual transactions
may help the auditor to evaluate the appropriateness of the selection & application of certain accounting
policies.
4. Inquiries directed toward in-house legal counsel may provide information about such matters as
litigation, compliance with laws and regulations, knowledge of fraud or suspected fraud affecting the
entity.
5. Inquiries directed towards marketing or sales personnel may provide information about changes in the
entity's marketing strategies, sales trends, or contractual arrangements with its customers.

2. Analytical procedures
· Analytical procedures may help identify the existence of unusual transactions or events, and amounts,
ratios, and trends that might indicate matters that have audit implications.
· Unusual or unexpected relationships that are identified may assist the auditor in identifying risks of
material misstatement, especially risks of material misstatement due to fraud.
3. Observation and inspection
Observation and inspection may support inquiries of management and others, & may also provide
information about the entity and its environment.
Examples of such audit procedures include observation or inspection of the following:
· The entity's operations.
· Documents (such as business plans and strategies), records, and internal control manuals.
· Reports prepared by management (such as quarterly management reports and interim financial
statements) and TCWG (such as minutes of board of directors' meetings).
· The entity's premises and plant facilities.

1.9 INFORMATION OBTAINED BY PERFORMING RISK ASSESSMENT PROCEDURES - USED AS AUDIT EVIDENCE

Information obtained by performing risk assessment procedures and related activities may be used by the
auditor as audit evidence to support assessments of the risks of material misstatement.
In addition, the auditor may obtain audit evidence about classes of transactions, account balances, or
disclosures and related assertions and about the operating effectiveness of controls, even though such
procedures were not specifically planned as substantive procedures or as tests of controls.
The auditor also may choose to perform substantive procedures or tests of controls concurrently with risk
assessment procedures because it is efficient to do so.

1.10 DOCUMENTATION UNDER SA 315/DOCUMENTING THE RISK


The auditor shall document:
a) The discussion among the engagement team and the significant decisions reached;
b) Key elements of the understanding obtained regarding each of the aspects of the entity and its
environment and of each of the internal control components, the sources of information from which the
understanding was obtained; and the risk assessment procedures performed;
c) The identified and assessed risks of material misstatement at the financial statement level and at the
assertion level; and
d) The risks identified, and related controls about which the auditor has obtained an understanding.

Test Your Understanding-IV


Jo Jo Limited is planning to list on Bombay Stock Exchange next year. As an auditor of Jo Jo Limited, identify any one
reason of increased audit risk due to listing of the company next year.
Ans
Jo Jo Limited is planning to list on Bombay Stock Exchange next year. There is a greater chance of misstatements in the
financial statements due to planned listing next year. There could be a possibility of intentional manipulation of financial
statements so that good response is received to proposed issue. Therefore, there is increased audit risk i.e., risk of
expressing inappropriate opinion by the auditor when financial statements are materially misstated.

Test Your Understanding-V
On perusing financial statements of Jo Jo Limited put up for audit, it is observed by the auditor that current ratio has
improved from 1.20:1 (in preceding year) to 1.75:1 (in current year). Identify what kind of risk assessment procedures
are being performed by auditor? Has it any relation with listing of the company next year on Bombay Stock Exchange?
Ans
It is noticed by the auditor that current ratio has improved from 1.20:1 (in preceding year) to 1.75:1 (in current year).
The auditor is using “analytical procedures” as risk assessment procedures. Current ratio has improved from previous
year. There could be a possibility of misstatement in current assets and current liabilities. It is possible that
improvement in current ratio is artificial due to misstatements and has been done to secure good response to the
proposed issue of company next year.

2. UNDERSTANDING THE ENTITY AND ITS ENVIRONMENT

2.1 WHY UNDERSTANDING THE ENTITY AND ITS ENVIRONMENT IS SIGNIFICANT?


Understanding the entity and the environment in which it operates is very significant. It helps the auditor in
planning the audit and in identifying areas requiring special attention. Gaining knowledge about client's
business is one of the important principles in developing an overall audit plan. In fact, without adequate
knowledge of client's business, a proper audit is not possible.

2.2 SA 315 IDENTIFYING AND ASSESSING THE RISKS OF MATERIAL MISSTATEMENT THROUGH
UNDERSTANDING THE ENTITY AND ITS ENVIRONMENT STATES THAT THE AUDITOR SHALL
OBTAIN AN UNDERSTANDING OF THE FOLLOWING: -
(a) Relevant industry, regulatory, and other external factors including the applicable financial
reporting framework
Relevant industry factors include industry conditions such as the competitive environment, supplier
and customer relationships, and technological developments.
Examples of matters the auditor may consider include
- market and competition, whether entity is engaged in seasonal activities, product technology
relating to the entity's products
- The industry in which the entity operates may give rise to specific risks of material misstatement
arising from the nature of the business or the degree of regulation.
Relevant regulatory factors include the regulatory environment. The regulatory environment includes,
among other matters, the applicable financial reporting framework and the legal and political
environment.
Examples of matters the auditor may consider include:
- accounting principles and industry specific practices,
- regulatory framework for a regulated industry,
- legislation and regulation that significantly affect the entity's operations, including direct supervisory
activities,
- taxation, government policies currently affecting the conduct of the entity's business, environmental
requirements affecting the industry and the entity's business.

Examples of other external factors affecting the entity that the auditor may consider include the
general economic conditions, interest rates and availability of financing, and inflation etc.

(b) The nature of the entity, including: -
(i) its operations;
(ii) its ownership and governance structures;
(iii) the types of investments that the entity is making and plans to make, including investments in
special-purpose entities; and
(iv) the way that the entity is structured and how it is financed; to enable the auditor to understand the
classes of transactions, account balances, and disclosures to be expected in the financial
statements.
Examples of matters that the auditor may consider while obtaining understanding of nature of entity
include: -
- Business operations such as nature of revenue sources, products or services, conduct of operations,
location of production facilities, key customers and suppliers of goods and services.
- Investment and investment activities such as capital investment activities and planned or recently
executed acquisitions
- Financing and financing activities such as major subsidiaries, debt structure etc.
- Financial reporting such as accounting principles and revenue recognition practices.

(c) The entity's selection and application of accounting policies, including the reasons for changes.
The auditor shall evaluate whether the entity's accounting policies are appropriate for its business and
consistent with the applicable financial reporting framework and accounting policies used in the relevant
industry.

(d) The entity's objectives and strategies, and those related business risks that may result in risks of
material misstatement.
The entity conducts its business in the context of industry, regulatory and other internal and external factors.
To respond to these factors, the entity's management define objectives, which are the overall plans for the
entity. Business risk is broader than the risk of material misstatement of the financial statements, though it
includes the latter. Business risk may arise from change or complexity. The auditor does not have a
responsibility to identify or assess all business risks because not all business risks give rise to risks of
material misstatement.
Examples of matters that the auditor may consider when obtaining an understanding of the entity's
objectives, strategies and related business risks that may result in a risk of material misstatement of
the financial statements include: -
- Industry developments (a potential related business risk might be, for example, that the entity does
not have the personnel or expertise to deal with the changes in the industry).
- New products and services (a potential related business risk might be, for example, that there is
increased product liability).
- Expansion of the business (a potential related business risk might be, for example, that the demand
has not been accurately estimated).

(e) The measurement and review of the entity's financial performance.


Management and others will measure and review those things they regard as important. Performance
measures, whether external or internal, create pressures on the entity. These pressures, in turn, may motivate
management to take action to improve the business performance or to misstate the financial statements.
Accordingly, an understanding of the entity's performance measures assists the auditor in considering
whether pressures to achieve performance targets may result in management actions that increase the risks
of material misstatement, including those due to fraud.

Examples of information used for measuring and reviewing financial performance that the auditor may
consider include: -
- Key performance indicators (financial and non-financial) and key ratios, trends and operating
statistics.
- Period-on-period financial performance analyses.
- Budgets, forecasts, variance analyses, and departmental or other level performance reports.
- Credit rating agency reports

2.3 UNDERSTANDING OF THE ENTITY- A CONTINUOUS PROCESS


Obtaining an understanding of the entity and its environment, including the entity's internal control
(referred to hereafter as an “understanding of the entity”), is a continuous, dynamic process of gathering,
updating and analysing information throughout the audit. The understanding establishes a frame of
reference within which the auditor plans the audit and exercises professional judgment throughout the audit,
for example, when:
· Assessing risks of material misstatement of the financial statements;
· Determining materiality in accordance with SA 320;
· Considering the appropriateness of the selection and application of accounting policies;
· Identifying areas where special audit consideration may be necessary, for example, related party
transactions, the appropriateness of management's use of the going concern assumption, or
considering the business purpose of transactions;
· Developing expectations for use when performing analytical procedures;
· Evaluating the sufficiency and appropriateness of audit evidence obtained, such as the
appropriateness of assumptions and of management's oral and written representations.

ILLUSTRATION
The auditor of ABC Textiles Ltd chalks out an audit plan without understanding the entity's business. Since he has
carried out many audits of textile companies, he believes there is no need to understand the nature of business of ABC Ltd.
Advise the auditor how he should proceed.
SOLUTION: Obtaining an understanding of the entity and its environment, including the entity's internal control
(referred to hereafter as an “understanding of the entity”), is a continuous, dynamic process of gathering, updating
and analysing information throughout the audit. The auditor should proceed accordingly.
ILLUSTRATION
While auditing the books of accounts of Heavy Material Limited for the financial year 2020-21, a team member of
the auditor of Heavy Material Limited showed no inclination towards understanding the business and the business
environment of the above mentioned company. Is the approach of team member of the auditor of Heavy Material
Limited correct or incorrect? Also give reason for your answer.
SOLUTION : The approach of team member of the auditor of Heavy Material Limited is incorrect because
understanding the business and the business environment of company whose audit is to be conducted is very
important, as it helps in planning the audit and identifying areas requiring special attention during the course of
audit of that company.
ILLUSTRATION
Prince Blankets is engaged in the business of blankets. A major portion of its sales takes place through the internet.
Advise the auditor how he would proceed in this regard as to understanding the entity and its environment.
SOLUTION: While understanding the entity and its environment, the auditor would perceive internet sales as a risky
area and would therefore spend substantial time and perform extensive audit procedures on this particular area.


3. RISKS THAT REQUIRE SPECIAL AUDIT CONSIDERATION

As part of the risk assessment, the auditor shall determine whether any of the risks identified are, in the
auditor's judgment, a significant risk. In exercising judgment as to which risks are significant risks, the
auditor shall consider at least the following:
a. Whether the risk is a risk of fraud;
b. Whether the risk is related to recent significant economic, accounting, or other developments like
changes in regulatory environment, etc., and, therefore, requires specific attention;
c. The complexity of transactions;
d. Whether the risk involves significant transactions with related parties;
e. The degree of subjectivity in the measurement of financial information related to the risk, especially those
measurements involving a wide range of measurement uncertainty; and
f. Whether the risk involves significant transactions that are outside the normal course of business for the
entity, or that otherwise appear to be unusual.

3.1 IDENTIFYING SIGNIFICANT RISKS:


Significant risks often relate to significant non-routine transactions or judgmental matters. Non-routine
transactions are transactions that are unusual, due to either size or nature, and that therefore occur
infrequently. Judgmental matters may include the development of accounting estimates for which there is
significant measurement uncertainty.
Examples:
• Risks of material misstatement due to fraud.
• Significant transactions with related parties that are outside the normal course of business for the entity.

3.2 RISKS OF MATERIAL MISSTATEMENT– GREATER FOR SIGNIFICANT NON-ROUTINE TRANSACTIONS


Risks of material misstatement may be greater for significant non-routine transactions arising from
matters such as the following:
· Greater management intervention to specify the accounting treatment.
· Greater manual intervention for data collection and processing.
· Complex calculations or accounting principles.
· The nature of non-routine transactions, which may make it difficult for the entity to implement effective
controls over the risks.

3.3 RISKS OF MATERIAL MISSTATEMENT– GREATER FOR SIGNIFICANT JUDGMENTAL MATTERS

Risks of material misstatement may be greater for significant judgmental matters that require the
development of accounting estimates, arising from matters such as the following:
· Accounting principles for accounting estimates or revenue recognition may be subject to differing
interpretation.
· Required judgment may be subjective or complex, or require assumptions about the effects of future
events, for example, judgment about fair value.


4. INTERNAL CONTROL

4.1 MEANING OF INTERNAL CONTROL


Internal control is the process designed, implemented and maintained by those charged with governance
(TCWG), management and other personnel to provide reasonable assurance about the achievement of an
entity's objectives with regard to:
· Reliability of financial reporting,
· Effectiveness and efficiency of operations,
· Safeguarding of assets, and
· Compliance with applicable laws and regulations.
The term "controls" refers to any aspects of one or more of the components of internal control.
4.2 OBJECTIVES/PURPOSE OF INTERNAL CONTROL

Internal control is designed, implemented and maintained to address identified business risks that
threaten the achievement of any of the entity's objectives that concern the following:
a. Transactions are executed in accordance with management's general or specific authorization;
b. All transactions are promptly recorded in the correct amount in the appropriate accounts and in the
accounting period in which executed so as to permit preparation of financial information within a
framework of recognized accounting policies and practices and relevant statutory requirements, if any,
and to maintain accountability for assets;
c. Assets are safeguarded from unauthorised access, use or disposition; and
d. The recorded assets are compared with the existing assets at reasonable intervals and appropriate
action is taken with regard to any differences. (PHYSICAL VERIFICATION)
The way in which internal control is designed, implemented and maintained varies with an entity's
size and complexity.

4.3 BENEFITS OF UNDERSTANDING OF INTERNAL CONTROL


An understanding of internal control assists the auditor in: -
(i) Identifying types of potential misstatements;
(ii) Identifying factors that affect the risks of material misstatement, and designing the nature, timing,
and extent of further audit procedures.
"The auditor shall obtain an understanding of internal control relevant to the audit. Although most controls
relevant to the audit are likely to relate to financial reporting, not all controls that relate to financial reporting
are relevant to the audit.
It is a matter of the auditor's professional judgment whether a control, individually or in combination
with others, is relevant to the audit."

4.4 LIMITATIONS OF INTERNAL CONTROL SYSTEM / WHAT ARE THE INHERENT LIMITATIONS OF INTERNAL CONTROL SYSTEM

REASON: EXPLANATION

Internal control can provide only reasonable assurance: Internal control, no matter how effective, can provide
an entity with only reasonable assurance about achieving the entity's financial reporting objectives. The
likelihood of their achievement is affected by inherent limitations of internal control.

Human judgment in decision-making: Realities that human judgment in decision-making can be faulty and that
breakdowns in internal control can occur because of human error.

Lack of understanding the purpose: Equally, the operation of a control may not be effective, such as where
information produced for the purposes of internal control (for example, an exception report) is not
effectively used because the individual responsible for reviewing the information does not understand its
purpose or fails to take appropriate action.

Collusion among People: Additionally, controls can be circumvented by the collusion of two or more people or
inappropriate management override of internal control. For example, management may enter into side
agreements with customers that alter the terms and conditions of the entity's standard sales contracts, which
may result in improper revenue recognition. Also, edit checks in a software program that are designed to
identify and report transactions that exceed specified credit limits may be overridden or disabled.

Judgements by Management: Further, in designing and implementing controls, management may make judgments
on the nature and extent of the controls it chooses to implement, and the nature and extent of the risks it
chooses to assume.

Limitations in case of Small Entities: Smaller entities often have fewer employees due to which segregation of
duties is not practicable. However, in a small owner-managed entity, the owner-manager may be able to
exercise more effective oversight than in a larger entity. This oversight may compensate for the generally
more limited opportunities for segregation of duties. On the other hand, the owner-manager may be more able
to override controls because the system of internal control is less structured. This is taken into account by
the auditor when identifying the risks of material misstatement due to fraud.

4.5 COMPONENTS OF INTERNAL CONTROL

[Figure: Components of I.C: Control Environment; Risk Assessment Process; Information System (Areas to be
examined); Control Activities; Monitoring of Controls]

(1) Control Environment - Component of Internal Control

The auditor shall obtain an understanding of the control environment. As part of obtaining this
understanding, the auditor shall evaluate whether:
i. Management has created and maintained a culture of honesty and ethical behavior; and
ii. The strengths in the control environment elements collectively provide an appropriate foundation for the
other components of internal control.

(A) What is included in Control Environment?

The control environment includes:
i. The governance and management functions and
ii. The attitudes, awareness, and actions of those charged with governance and management.
iii. The control environment sets the tone of an organization, influencing the control consciousness of its
people.

(B) Elements of the Control Environment–
Elements of the control environment that may be relevant when obtaining an understanding of the
control environment include the following:
a. Communication and enforcement of integrity and ethical values– These are essential elements
that influence the effectiveness of the design, administration and monitoring of controls.
b. Commitment to competence– Matters such as management's consideration of the competence levels
for particular jobs and how those levels translate into requisite skills and knowledge.
c. Participation by those charged with governance– Attributes of those charged with governance
such as:
· Their independence from management.
· Their experience and stature.
· The extent of their involvement and the information they receive, and the scrutiny of activities.
· The appropriateness of their actions, including the degree to which difficult questions are raised
and pursued with management, and their interaction with internal and external auditors.
d. Management's philosophy and operating style– Characteristics such as management's:
· Approach to taking and managing business risks.
· Attitudes and actions toward financial reporting.
· Attitudes toward information processing and accounting functions and personnel.
e. Organisational structure– The framework within which an entity's activities for achieving its
objectives are planned, executed, controlled, and reviewed.
f. Assignment of authority and responsibility– Matters such as how authority and responsibility for
operating activities are assigned and how reporting relationships and authorisation hierarchies are
established.
g. Human resource policies and practices– Policies and practices that relate to, for example,
recruitment, orientation, training, evaluation, counselling, promotion, compensation, and remedial
actions.
(C) Satisfactory control environment – Not an absolute deterrent to fraud
· The existence of a satisfactory control environment works as a positive factor when the auditor
assesses the risks of material misstatement (RMM).
· But at the same time, it is to be kept in mind that a satisfactory control environment is not an absolute
deterrent to fraud. Deficiencies in the control environment may undermine the effectiveness of
controls, in particular in relation to fraud.
· As per SA 330, the control environment also influences the nature, timing, and extent of the auditor's
further procedures.
· The control environment in itself does not prevent, or detect and correct, a material misstatement. It
may, however, influence the auditor's evaluation of the effectiveness of other controls (for example,
the monitoring of controls and the operation of specific control activities) and thereby, the auditor's
assessment of the risks of material misstatement.
2. The Entity's Risk Assessment Process– Component of Control Environment

The auditor shall obtain an understanding of whether the entity has a process for:
a. Identifying business risks relevant to financial reporting objectives;
b. Estimating the significance of the risks;
c. Assessing the likelihood of their occurrence; and
d. Deciding about actions to address those risks.

The entity's risk assessment process forms the basis for the risks to be managed. If that process is
appropriate, it would assist the auditor in identifying risks of material misstatement. Whether the entity's
risk assessment process is appropriate to the circumstances is a matter of judgment.

3. The information system, including the related business processes, relevant to financial reporting
and communication– Component of Control Environment
The auditor shall obtain an understanding of the information system, including the related business
processes, relevant to financial reporting, including the following areas:
a. The classes of transactions in the entity's operations that are significant to the financial statements;
b. The procedures by which those transactions are initiated, recorded, processed, corrected as necessary,
transferred to the general ledger and reported in the financial statements;
c. The related accounting records, supporting information and specific accounts in the financial
statements that are used to initiate, record, process and report transactions;
d. How the information system captures events and conditions that are significant to the financial
statements;
e. The financial reporting process used to prepare the entity's financial statements;
f. Controls surrounding journal entries.

4. Control Activities– Component of Internal Control


The auditor shall obtain an understanding of control activities relevant to the audit, which the auditor
considers necessary to assess the risks of material misstatement. An audit requires an understanding of only
those control activities related to significant classes of transactions, account balances, and disclosures in the
financial statements and the assertions which the auditor finds relevant in his risk assessment process.
Control activities are the policies and procedures that help ensure that management directives are carried
out.
Control activities, whether within IT or manual systems, have various objectives and are applied at various
organisational and functional levels.
Examples of specific control activities include those relating to the following:
1. Authorization
2. Performance Reviews
3. Information Processing
4. Physical Controls
5. Segregation of Duties

5. Monitoring of Controls – Component of Internal Control


The auditor shall obtain an understanding of the major activities that the entity uses to monitor
internal control over financial reporting.
i. Monitoring of controls Defined: Monitoring of controls is a process to assess the effectiveness of
internal control performance over time.
ii. Helps in assessing the effectiveness of controls on a timely basis: It involves assessing the effectiveness
of controls on a timely basis and taking necessary remedial actions.
iii. Management accomplishes through ongoing activities, separate evaluations etc.: Management
accomplishes monitoring of controls through ongoing activities, separate evaluations, or a combination
of the two. Ongoing monitoring activities are often built into the normal recurring activities of an entity
and include regular management and supervisory activities.
iv. Management's monitoring activities include: Management's monitoring activities may include using
information from communications from external parties such as customer complaints and regulator
comments that may indicate problems or highlight areas in need of improvement.
v. In case of Small Entities: Management's monitoring of control is often accomplished by management's
or the owner-manager's close involvement in operations. This involvement often will identify
significant variances from expectations and inaccuracies in financial data leading to remedial action to
the control.
Monitoring of Controls– If the entity has an internal audit function
If the entity has an internal audit function, the auditor shall obtain an understanding of the following :
a. The internal audit function's responsibilities and how the internal audit function fits in the entity's
organisational structure; and
b. The activities performed, or to be performed, by the internal audit function.

4.6 WHICH CONTROLS RELEVANT TO AUDIT / ARE ALL CONTROLS RELEVANT TO THE AUDIT
There is a direct relationship between an entity's objectives and the controls it implements to provide
reasonable assurance about their achievement. The entity's objectives, and therefore controls, relate to
financial reporting, operations and compliance; however, not all of these objectives and controls are relevant
to the auditor's risk assessment.
Factors relevant to the auditor's judgment about whether a control, individually or in combination
with others, is relevant to the audit may include such matters as the following:
a. Materiality.
b. The significance of the related risk.
c. The size of the entity.
d. The nature of the entity's business, including its organisation and ownership characteristics.
e. The diversity and complexity of the entity's operations.
f. Applicable legal and regulatory requirements.
g. The circumstances and the applicable component of internal control.
h. The nature and complexity of the systems that are part of the entity's internal control, including the use
of service organisations.
i. Whether, and how, a specific control, individually or in combination with others, prevents, or detects and
corrects, material misstatement.

4.7 CONTROLS OVER THE COMPLETENESS AND ACCURACY OF INFORMATION (IPE TESTING)
Controls over the completeness and accuracy of information produced by the entity may be relevant to the
audit if the auditor intends to make use of the information in designing and performing further procedures.
For example, in auditing revenue by applying standard prices to records of sales volume, the auditor
considers the accuracy of the price information and the completeness and accuracy of the sales volume data.
Controls relating to operations and compliance objectives may also be relevant to an audit if they relate to
data the auditor evaluates or uses in applying audit procedures.

4.8 INTERNAL CONTROL OVER SAFEGUARDING OF ASSETS


Internal control over safeguarding of assets against unauthorised acquisition, use, or disposition may include
controls relating to both financial reporting and operations objectives. The auditor's consideration of such
controls is generally limited to those relevant to the reliability of financial reporting.
For example, use of access controls, such as passwords, that limit access to the data and programs that
process cash disbursements may be relevant to a financial statement audit.
Conversely, safeguarding controls relating to operations objectives, such as controls to prevent the excessive
use of materials in production, generally are not relevant to a financial statement audit.


4.9 CONTROLS RELATING TO OBJECTIVES THAT ARE NOT RELEVANT TO AN AUDIT

An entity generally has controls relating to objectives that are not relevant to an audit and therefore need not
be considered. For example, an entity may rely on a sophisticated system of automated controls to provide
efficient and effective operations (such as an airline’s system of automated controls to maintain flight
schedules), but these controls ordinarily would not be relevant to the audit.

4.10 NATURE AND EXTENT OF THE UNDERSTANDING OF RELEVANT CONTROLS


· Evaluating the design of a control involves considering whether the control, individually or in
combination with other controls, is capable of effectively preventing, or detecting & correcting,
material misstatements.
· Implementation of a control means that the control exists and that the entity is using it. There is little
point in assessing the implementation of a control that is not effective, and so the design of a control is
considered first. An improperly designed control may represent a material weakness in the entity's
internal control.
· Risk assessment procedures to obtain audit evidence about the design and implementation of relevant
controls may include :
a. Inquiring of entity personnel.
b. Observing the application of specific controls.
c. Inspecting documents and reports.
d. Tracing transactions through the information system relevant to financial reporting.

Test Your Understanding


CA Smriti is auditor of a company. As part of audit, she is going through company policies and practices
regarding employee recruitment, training, orientation and related matters. She seems to be very much
interested in finding out whether company hires best candidates from applicant pool. Identify what she is
trying to do? How gaining knowledge about this aspect is useful to her as an auditor?
Ans
The study of company policies and practices regarding employee recruitment, training, orientation and
related matters including hiring of best candidates is part of understanding HR function of the company. It, in
turn, helps in understanding control environment of the company. By gaining such knowledge, she can
better understand internal control of the company.
Test Your Understanding
During the audit of same company, CA Smriti is keen to find out whether there exists a proper system of
segregation of duties in the company. She wants to be sure that a person responsible for recording a
transaction is different from the person authorising it. Discuss what she is trying to do and how its
understanding is significant to her as an auditor.
Ans
She is keen to find out whether there exists a proper system of segregation of duties in the company. She is
gaining an understanding of internal control of the company. In particular, she is understanding “control
activities”. When a person recording a transaction is different from one authorizing it, she gains confidence
that there exists a system for preventing misstatements. It helps her in gaining insight into the internal
control system of the company.


5. EVALUATION OF INTERNAL CONTROL BY THE AUDITOR

5.1 REVIEW OF INTERNAL CONTROL – MEANING


So far as the auditor is concerned, the examination and evaluation of the internal control system is an
indispensable part of the overall audit programme. The auditor needs reasonable assurance that the
accounting system is adequate and that all the accounting information which should be recorded has in fact
been recorded. Internal control normally contributes to such assurance.

5.2 BENEFITS OF EVALUATION OF INTERNAL CONTROL TO THE AUDITOR


The review of internal controls will enable the auditor to know:
• Whether errors and frauds are likely to be located in the ordinary course of operations of the business;
• Whether an adequate internal control system is in use and operating as planned by the management;
• Whether an effective internal auditing department is operating;
• Whether any administrative control has a bearing on his work (for example, if the control over
worker recruitment and enrolment is weak, there is a likelihood of dummy names being included in the
wages sheet and this is relevant for the auditor);
• Whether the controls adequately safeguard the assets;
• How far and how adequately the management is discharging its function in so far as correct
recording of transactions is concerned;
• How reliable the reports, records and the certificates to the management can be;
• The extent & the depth of the examination that he needs to carry out in the different areas of
accounting;
• What would be appropriate audit technique and the audit procedure in the given circumstances;
• What are the areas where control is weak and where it is excessive; and
• Whether some worthwhile suggestions can be given to improve the control system.

5.3 FORMULATE AUDIT PROGRAM AFTER UNDERSTANDING INTERNAL CONTROL

The auditor can formulate his entire audit programme only after he has had a satisfactory understanding of
the internal control systems and their actual operation.
If he does not care to study this aspect, it is very likely that his audit programme may become unwieldy and
unnecessarily heavy and the object of the audit may be altogether lost in the mass of entries and vouchers.
It is also important for him to know whether the system is actually in operation. Often, after installation of a
system, no proper follow up is there by the management to ensure compliance.
The auditor, in such circumstances, may be led to believe that a system is in operation which in reality may not
be altogether in operation or may at best operate only partially. This state of affairs is probably the worst that
an auditor may come across and he would be in the midst of confusion, if he does not take care.

5.4 METHODS/TOOLS TO REVIEW THE INTERNAL CONTROL SYSTEM

Evaluation of Internal Control with the help of:
· Narrative Record
· Check List
· Questionnaire
· Flow Chart

1- Narrative Record
This is a complete and exhaustive description of the system as found in operation by the auditor. Actual
testing and observation are necessary before such a record can be developed. It may be recommended in
cases where no formal control system is in operation and would be more suited to small business.
Advantages
• To comprehend the system in operation is quite difficult.
• To identify weaknesses or gaps in the system.
• To incorporate changes arising on account of reshuffling of manpower, etc.

2- Check list
This is a series of instructions and/or questions which a member of the auditing staff must follow and/or
answer. When he completes an instruction, he initials the space against the instruction. Answers to the check list
instructions are usually Yes, No or Not Applicable. This is again an on-the-job requirement and instructions are
framed having regard to the desirable elements of control.
The complete check list is studied by the Principal/Manager/Senior to ascertain existence of internal control
and evaluate its implementation and efficiency.
Example
• Are tenders called before placing orders?
• Are the purchases made on the basis of a written order?
• Is the purchase order form standardised?
• Are purchase order forms pre-numbered?
• Are the inventory control accounts maintained by persons who have nothing to do with custody of work,
receipt of inventory, inspection of inventory and purchase of inventory?
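
Checklist questions such as these, and the earlier point that the person recording a transaction should differ from the person authorising it, can also be tested against the purchase records themselves. The following Python code is an added example, not part of the original notes; the record layout, function names and sample data are constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Checklist questions taken from the text; the third restates the
# segregation-of-duties point (recorder differs from authoriser).
Q_WRITTEN = "Are the purchases made on the basis of a written order?"
Q_PRENUM = "Are purchase order forms pre-numbered?"
Q_SOD = "Is the person recording a purchase different from the person authorising it?"
QUESTIONS = [Q_WRITTEN, Q_PRENUM, Q_SOD]


@dataclass(frozen=True)
class Purchase:
    """One purchase record (hypothetical layout, assumed for this example)."""
    po_number: Optional[int]  # pre-numbered purchase order; None if no written order
    recorded_by: str          # person who recorded the transaction
    authorised_by: str        # person who authorised the transaction
    amount: float


# Constructed sample data, not taken from any real entity.
SAMPLE = [
    Purchase(1001, "asha", "ravi", 12000.0),
    Purchase(1002, "asha", "ravi", 8500.0),
    Purchase(1004, "meena", "Meena ", 43000.0),  # 1003 missing; same person on both sides
    Purchase(None, "asha", "ravi", 2100.0),      # no written order
    Purchase(1005, "meena", "ravi", 990.0),
    Purchase(1005, "asha", "ravi", 990.0),       # order number used twice
]


def missing_po_numbers(purchases: List[Purchase]) -> List[int]:
    """Numbers absent between the lowest and highest order number seen.

    A gap is an exception to follow up (it may be a cancelled form), and a
    number missing before the first or after the last one cannot be seen
    from the records alone.
    """
    numbers = {p.po_number for p in purchases if p.po_number is not None}
    if not numbers:
        return []
    return sorted(set(range(min(numbers), max(numbers) + 1)) - numbers)


def duplicate_po_numbers(purchases: List[Purchase]) -> List[int]:
    """Order numbers that appear on more than one purchase record."""
    counts = Counter(p.po_number for p in purchases if p.po_number is not None)
    return sorted(n for n, c in counts.items() if c > 1)


def purchases_without_order(purchases: List[Purchase]) -> List[int]:
    """Positions of records that carry no purchase order number."""
    return [i for i, p in enumerate(purchases) if p.po_number is None]


def segregation_exceptions(purchases: List[Purchase]) -> List[int]:
    """Positions of records recorded and authorised by the same person."""
    def norm(name: str) -> str:
        return name.strip().lower()  # ignore case and stray spaces in names
    return [i for i, p in enumerate(purchases)
            if norm(p.recorded_by) == norm(p.authorised_by)]


def checklist_answers(purchases: List[Purchase]) -> Dict[str, str]:
    """Answer each question Yes, No or Not Applicable from the records."""
    if not purchases:
        # No transactions to test: the records support neither Yes nor No.
        return {q: "Not Applicable" for q in QUESTIONS}
    exceptions = {
        Q_WRITTEN: purchases_without_order(purchases),
        Q_PRENUM: missing_po_numbers(purchases) + duplicate_po_numbers(purchases),
        Q_SOD: segregation_exceptions(purchases),
    }
    return {q: ("No" if found else "Yes") for q, found in exceptions.items()}


if __name__ == "__main__":
    for question, answer in checklist_answers(SAMPLE).items():
        print(f"{answer:14} {question}")
```

A "No" here only flags exceptions for follow-up with the client's staff; it does not by itself establish that the control is absent.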

3- Internal Control Questionnaire


This is a comprehensive series of questions concerning internal control. This is the most widely used form for
collecting information about the existence, operation and efficiency of internal control in an organisation.
The questionnaire is usually issued to the client and the client is requested to get it filled by the concerned
executives and employees. If on a perusal of the answers, inconsistencies or apparent incongruities are
noticed, the matter is further discussed by auditor's staff with the client's employees for a clear picture. The
concerned auditor then prepares a report of deficiencies and recommendations for improvement.
Example
“Do you keep invoices pre-numbered?” The client answers “Yes”, “No” or “Not Applicable”. Usually
questions are framed in such a way that “No” shows weakness.

Examples of Extracts of Internal Control Questionnaire in respect of purchases, creditors, inventories and fixed assets

A. Purchases
(1) Are purchases centralised in the Purchase Department?
(2) (a) Are purchases made only from approved suppliers?
    (b) Is a list of approved suppliers maintained for this purpose?
    (c) Does the master list contain more than one source of supply for all important materials?
(3) Are the purchase orders based on valid purchase requisitions duly signed by authorised persons in this behalf?
(4) Are purchases based on competitive quotations from two or more suppliers?
(5) Are purchase orders pre-numbered?
(6) Are purchase orders signed only by employees authorized in this behalf?

B. Creditors
(1) (a) Are suppliers' invoices routed direct to the Accounts Department?
    (b) Are they entered in a Bill register before submitting them to other departments for check and/or approval?
    (c) Are advance and partial payments entered on the invoices before they are submitted to other departments?
(2) Does the system ensure that all invoices are duly processed?
(3) In respect of raw material and supplies, are reconciliations made of quantities and/or values received as shown by purchase invoices with receipt into stock records?
(4) Does the Accounts Department match the invoices of supplies with Goods Received Notes and purchase orders?
(5) Do all invoices bear evidence of being checked for prices, freight, terms etc.?
(6) Are all advance payments duly authorized by persons competent to authorize such payments?

C. Inventories
(1) Are stocks stored in assigned areas?
(2) Are stocks insured comprehensively against different risks? If some risk is not insured, whether it is due to specific decision taken by a senior official?
(3) Is a record maintained for the insurance policies?
(4) Is the record reviewed periodically?
(5) Is there an official who decides on the value for which stocks are to be insured?
(6) Is the adequacy of insurance cover reviewed periodically?

D. Fixed Assets
(1) Are budgets for capital expenditure approved?
(2) Is the authority to incur capital expenditure restricted to specified officials?
(3) Are purchases of capital expenditure subject to same controls as applicable to purchases of raw materials, stores etc.?
(4) Is there proper check to see that amounts expended do not exceed the amount authorized?
(5) Are fixed assets verified periodically?
(6) Is there a written procedure for such verification?

4- Flowchart
It is a graphic presentation of each part of the company's system of internal control. A flow chart is considered
to be the most concise way of recording the auditor's review of the system. It minimises the amount of
narrative explanation and thereby achieves a consideration or presentation not possible in any other form. It
gives a bird's-eye view of the system and the flow of transactions; gaps in integration and in documentation can be
easily spotted and improvements can be suggested.
It is also necessary for the auditor to study the significant features of the business carried on by the concern;
the nature of its activities and various channels of goods and materials as well as cash, both inward and
outward; and also a comprehensive study of the entire process of manufacturing, trading and administration.
This will help him to understand and evaluate the internal controls in the correct perspective.
Advantage
• Concise presentation.
• Easily understandable.
• Gives a “bird's-eye view” of the complete system.
Limitation
• Time consuming to prepare such a flowchart which is concise yet showing every important aspect of I.C.
• Weakness can't be readily located.

5.5 TESTING OF INTERNAL CONTROL SYSTEM

After assimilating the internal control system, the auditor needs to examine whether and how far the same is
actually in operation. Tests of control may include:
(a) Inspection of documents supporting transactions and other events to gain audit evidence that internal
controls have operated properly.
(b) Inquiries about and observation of internal controls which leave no audit trail.
(c) Re-performance of internal controls.
(d) Testing of internal controls operating on specific computerised applications.
Based on the results of the tests of control, the auditor should evaluate whether the internal controls are
designed and operating as contemplated in the preliminary assessment of control risk.
It has been suggested that actual operation of the internal control should be tested by the application of
procedural tests and examination in depth.
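As an added illustration (not part of the original notes), the sketch below re-performs three controls from the questionnaire extracts above over a purchase ledger: pre-numbered orders (A.5), authorised signers (A.6) and the invoice / Goods Received Note / purchase order match (B.4), and reports the rate of deviation found. The record layout, names and amounts are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class PurchaseOrder:
    number: int
    qty: int
    unit_price: int      # whole rupees, to avoid float comparisons
    signed_by: str


@dataclass(frozen=True)
class GoodsReceivedNote:
    po_number: int
    qty_received: int


@dataclass(frozen=True)
class Invoice:
    ref: str
    po_number: int
    qty: int
    unit_price: int


# Constructed sample data: every number, name and amount below is hypothetical.
AUTHORISED_SIGNERS = {"P.MEHTA", "R.IYER"}
ORDERS = [
    PurchaseOrder(1001, 100, 50, "P.MEHTA"),
    PurchaseOrder(1002, 40, 120, "R.IYER"),
    PurchaseOrder(1004, 10, 900, "S.KHAN"),   # signer not on the authorised list
    PurchaseOrder(1005, 25, 200, "P.MEHTA"),  # 1003 is absent from the register
]
GRNS = [
    GoodsReceivedNote(1001, 100),
    GoodsReceivedNote(1002, 30),
    GoodsReceivedNote(1002, 10),              # second part-delivery
    GoodsReceivedNote(1004, 10),
    GoodsReceivedNote(1005, 20),
]
INVOICES = [
    Invoice("INV-1", 1001, 100, 50),
    Invoice("INV-2", 1002, 40, 125),          # price above the order price
    Invoice("INV-3", 1005, 25, 200),          # billed for more than was received
    Invoice("INV-4", 1003, 5, 10),            # cites an order that does not exist
    Invoice("INV-5", 1004, 10, 900),
]


def missing_po_numbers(orders):
    """A(5): pre-numbered orders should form an unbroken sequence."""
    present = {o.number for o in orders}
    if not present:
        return []
    return [n for n in range(min(present), max(present) + 1) if n not in present]


def unauthorised_orders(orders, signers):
    """A(6): every order must be signed by an authorised employee."""
    return [o.number for o in orders if o.signed_by not in signers]


def three_way_match(invoice, po_by_number, received_by_po):
    """B(4): compare one invoice with its purchase order and goods received."""
    po = po_by_number.get(invoice.po_number)
    if po is None:
        return ["no purchase order"]
    problems = []
    if invoice.unit_price != po.unit_price:
        problems.append("price differs from order")
    if invoice.qty > po.qty:
        problems.append("quantity exceeds order")
    if invoice.qty > received_by_po.get(invoice.po_number, 0):
        problems.append("quantity exceeds goods received")
    return problems


def reperform(orders, grns, invoices, signers):
    """Re-perform all three controls and summarise the deviations."""
    po_by_number = {o.number: o for o in orders}
    received = defaultdict(int)
    for grn in grns:                          # part-deliveries are summed per order
        received[grn.po_number] += grn.qty_received
    exceptions = {}
    for inv in invoices:
        problems = three_way_match(inv, po_by_number, received)
        if problems:
            exceptions[inv.ref] = problems
    rate = len(exceptions) / len(invoices) if invoices else 0.0
    return {
        "missing_po_numbers": missing_po_numbers(orders),
        "unauthorised_orders": unauthorised_orders(orders, signers),
        "match_exceptions": exceptions,
        "deviation_rate": rate,
    }


if __name__ == "__main__":
    for key, value in reperform(ORDERS, GRNS, INVOICES, AUTHORISED_SIGNERS).items():
        print(key, "=", value)
```

A gap in the order sequence and an order signed outside the authorised list are deviations in their own right, even when the related invoice (INV-5 here) passes the three-way match.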

EXAMINATION IN DEPTH / WALK THROUGH TEST


A walk-through test is a procedure used during an audit of an entity's accounting system to gauge its reliability. A walk-through test traces a
transaction step-by-step through the accounting system from its inception to the final disposition that is IR PR. It enables the auditor to study
the recording of a transaction at various stages, and the auditor examines records and authorities at each stage. Thus, he is able to understand the overall internal
control over a specific item in an effective way.
It involves checking a few transactions, from the beginning to the end, through the entire flow of the transaction.
AUDIT TRAIL
An audit trail is a documented flow of a transaction. It is used to investigate how a source document was translated into an account entry
and from there inserted into the financial statements. It is used as audit evidence to establish the authentication and integrity of a transaction.
It helps in maintaining a record of system and user activity. For example, in the case of banks, there is an audit trail keeping track of log-on activity,
detailing the record of log-on attempts and the device used.
It helps to enhance internal controls and data security. It can help in fixing responsibility, rebuilding events and in thorough analysis of
problem areas. For example, audit trails can track the activities of users, thus fixing responsibility on users. They can also be used to rebuild
events when a problem occurs. It can also help in ensuring that the system operates as intended.
However, it involves costs. The cost is not only in terms of system expenditure but also in terms of the time involved in analysing data.
Systems having the feature of an audit trail inspire confidence in auditors. It helps auditors in verifying whether controls were operating
effectively. Since audit trails also enhance data security, they can be used by the auditor while performing audit procedures, thus increasing
the reliability of the audit evidence obtained.
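The log-on audit trail described above can be reviewed programmatically. The following added example (not from the original notes) parses a constructed log-on trail, rebuilds one user's timeline and flags two patterns a reviewer would follow up; the line format, user names and device names are assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed log-on trail; the "user= device= result=" layout is hypothetical.
TRAIL = """\
2024-03-01T09:00:05 user=teller01 device=BR12-PC03 result=OK
2024-03-01T09:14:40 user=clerk07 device=BR12-PC09 result=FAIL
2024-03-01T09:14:52 user=clerk07 device=BR12-PC09 result=FAIL
2024-03-01T09:15:03 user=clerk07 device=BR12-PC09 result=FAIL
2024-03-01T09:15:30 user=clerk07 device=BR12-PC09 result=OK
2024-03-01T13:02:11 user=teller01 device=BR12-PC03 result=OK
2024-03-01T13:30 teller01 logged out
2024-03-01T18:47:09 user=teller01 device=HQ-LT44 result=OK
"""

LINE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) device=(?P<device>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_trail(text):
    """Return (events sorted by time, line numbers that could not be parsed)."""
    events, rejected = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        match = LINE.match(line)
        try:
            ts = datetime.fromisoformat(match["ts"]) if match else None
        except ValueError:
            ts = None
        if ts is None:
            rejected.append(lineno)   # unparsed lines are reported, never dropped silently
            continue
        events.append({"ts": ts, "user": match["user"],
                       "device": match["device"], "result": match["result"]})
    events.sort(key=lambda e: e["ts"])
    return events, rejected


def timeline(events, user):
    """Rebuild one user's sequence of log-on attempts (fixing responsibility)."""
    return [(e["ts"], e["device"], e["result"]) for e in events if e["user"] == user]


def review(events, max_failures=3):
    """Flag successes after repeated failures and first use of a new device."""
    findings = []
    failures = defaultdict(int)
    known_devices = defaultdict(set)
    for e in events:
        user = e["user"]
        if e["result"] == "FAIL":
            failures[user] += 1
            continue
        if failures[user] >= max_failures:
            findings.append((user, e["ts"],
                             f"log-on succeeded after {failures[user]} consecutive failures"))
        if known_devices[user] and e["device"] not in known_devices[user]:
            findings.append((user, e["ts"], f"first log-on from device {e['device']}"))
        known_devices[user].add(e["device"])
        failures[user] = 0
    return findings


if __name__ == "__main__":
    parsed, bad_lines = parse_trail(TRAIL)
    print("unparsed lines:", bad_lines)
    for user, ts, reason in review(parsed):
        print(ts.isoformat(), user, reason)
```

Unparsed lines are returned rather than ignored because a trail with gaps or altered records cannot support the integrity the notes rely on it for.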


6. SA 320 MATERIALITY IN PLANNING AND PERFORMING AN AUDIT

Materiality as per Schedule-III
• A company should disclose by way of notes additional information regarding any item of income or expenditure which exceeds 1% of the revenue from operations or ₹ 1,00,000, whichever is higher (refer General Instructions for Preparation of Statement of Profit and Loss in Schedule-III to the Companies Act, 2013).
• A company should disclose in Notes to Accounts, shares in the company held by each shareholder holding more than 5 percent shares specifying the number of shares held.

Scope of this SA
This Standard on Auditing (SA) deals with the auditor's responsibility to apply the concept of materiality in planning and performing an audit of financial statements. SA 450 explains how materiality is applied in evaluating the effect of identified misstatements on the audit and of uncorrected misstatements, if any, on the financial statements.

Materiality in the context of an audit
1. Financial reporting frameworks often discuss the concept of materiality in the context of the preparation and presentation of financial statements. Although financial reporting frameworks may discuss materiality in different terms, they generally explain that:
■ Misstatements, including omissions, are material if they, individually or in the aggregate, influence the economic decisions of users taken on the basis of the financial statements;
■ Judgments about materiality are made in the light of surrounding circumstances, and are affected by the size or nature of a misstatement; and
■ Judgments about matters that are material to users of the financial statements are based on a consideration of the common financial information needs of users as a group. The possible effect of misstatements on specific individual users, whose needs may vary widely, is not considered.
Materiality is not always a matter of relative size. For example, a small amount lost by fraudulent practices of certain employees can indicate a serious flaw in the enterprise's internal control system requiring immediate attention to avoid greater losses in future.

2. If the applicable financial reporting framework does not include a discussion of the concept of materiality, the characteristics referred to in the above paragraph provide the auditor with such a frame of reference.

Materiality in Planning and performing an audit - Auditor's responsibility
1. When establishing the overall audit strategy, the auditor shall determine materiality for the financial statements as a whole. The auditor shall also determine performance materiality for purposes of assessing the risks of material misstatement and determining the nature, timing and extent of further audit procedures.
2. The concept of materiality is applied by the auditor both in planning and performing the audit, and in evaluating the effect of identified misstatements on the audit and of uncorrected misstatements, if any, on the financial statements and in forming the opinion in the auditor's report.
3. In planning the audit, the auditor makes judgments about the size of misstatements that will be considered material. These judgments provide a basis for:
(a) Determining the nature, timing and extent of risk assessment procedures;
(b) Identifying and assessing the risks of material misstatement; and
(c) Determining the nature, timing and extent of further audit procedures.
4. The auditor considers not only the size but also the nature of uncorrected misstatements, when evaluating their effect on the financial statements.

Determination of materiality - a matter of professional judgment
The auditor's determination of materiality is a matter of professional judgment, and is affected by the auditor's perception of the financial information needs of users of the financial statements.
In this context, it is reasonable for the auditor to assume that users:
(a) Have a reasonable knowledge of business and economic activities and accounting and a willingness to study the information in the financial statements with reasonable diligence;
(b) Understand that financial statements are prepared, presented and audited to levels of materiality;
(c) Recognize the uncertainties inherent in the measurement of amounts based on the use of estimates, judgment and the consideration of future events; and
(d) Make reasonable economic decisions on the basis of the information in the financial statements.

Definition: performance materiality
For purposes of the SAs, performance materiality means the amount or amounts set by the auditor at less than materiality for the financial statements as a whole to reduce to an appropriately low level the probability that the aggregate of uncorrected and undetected misstatements exceeds materiality for the financial statements as a whole.
If applicable, performance materiality also refers to the amount or amounts set by the auditor at less than the materiality level or levels for particular classes of transactions, account balances or disclosures.
Performance materiality is set at a value lower than overall materiality. It lowers the risk that the auditor will not be able to identify misstatements that are material when added together.

Use of Benchmarks in determining Materiality for the Financial Statements as a whole (Nov. 20)
Determining materiality involves the exercise of professional judgment. A percentage is often applied to a chosen benchmark as a starting point in determining materiality for the financial statements as a whole.
Factors that may affect the identification of an appropriate benchmark include the following:
• The elements of the financial statements (for example, assets, liabilities, equity, revenue, expenses);
• Whether there are items on which the attention of the users of the particular entity's financial statements tends to be focused (for example, for the purpose of evaluating financial performance users may tend to focus on profit, revenue or net assets);
• The nature of the entity, where the entity is at in its life cycle, and the industry and economic environment in which the entity operates;
• The entity's ownership structure and the way it is financed (for example, if an entity is financed solely by debt rather than equity, users may put more emphasis on assets, and claims on them, than on the entity's earnings); and
• The relative volatility of the benchmark.
Examples of benchmarks that may be appropriate, depending on the circumstances of the entity, include categories of reported income such as profit before tax, total revenue, gross profit and total expenses, total equity or net asset value.
Profit before tax from continuing operations is often used for profit-oriented entities. When profit before tax from continuing operations is volatile, other benchmarks may be more appropriate, such as gross profit or total revenues.

Chosen benchmark, relevant financial data
In relation to the chosen benchmark, relevant financial data ordinarily includes:
a) Prior periods' financial results and financial positions,
b) The period-to-date financial results and financial position, and
c) Budgets or forecasts for the current period,
d) Adjusted for significant changes in the circumstances of the entity (for example, a significant business acquisition) and relevant changes of conditions in the industry or economic environment in which the entity operates.

Determining a percentage to be applied to a chosen benchmark involves the exercise of professional judgment
Determining a percentage to be applied to a chosen benchmark involves the exercise of professional judgment. There is a relationship between the percentage and the chosen benchmark, such that a percentage applied to profit before tax from continuing operations will normally be higher than a percentage applied to total revenue.
For example, the auditor may consider five percent of profit before tax from continuing operations to be appropriate for a profit-oriented entity in a manufacturing industry, while the auditor may consider one percent of total revenue or total expenses to be appropriate for a not-for-profit entity. Higher or lower percentages, however, may be deemed appropriate in different circumstances.

Materiality Level for Particular Classes of Transactions, Account Balances or Disclosures
Factors that may indicate the existence of one or more particular classes of transactions, account balances or disclosures for which misstatements of lesser amounts than materiality for the financial statements as a whole could reasonably be expected to influence the economic decisions of users taken on the basis of the financial statements include the following:
1. Whether law, regulations or the applicable FRF affect users' expectations regarding the measurement or disclosure of certain items, as in the case of related party transactions and remuneration of management and TCWG.
2. The key disclosures in relation to the industry in which the entity operates. For example, research and development costs for a pharmaceutical company.
3. Whether attention is focused on a particular aspect of the entity's business that is separately disclosed in the FS, as in the case of a newly acquired business.

Revision as the audit progresses
1. The auditor shall revise materiality for the financial statements as a whole (and, if applicable, the materiality level or levels for particular classes of transactions, account balances or disclosures) in the event of becoming aware of information during the audit that would have caused the auditor to have determined a different amount (or amounts) initially.
2. If the auditor concludes that a lower materiality for the financial statements as a whole (and, if applicable, materiality level or levels for particular classes of transactions, account balances or disclosures) than that initially determined is appropriate, the auditor shall determine whether it is necessary to revise performance materiality, and whether the nature, timing and extent of the further audit procedures remain appropriate.

Documentation
The audit documentation shall include the following amounts and the factors considered in their determination:
a. Materiality for the financial statements as a whole;
b. If applicable, the materiality level or levels for particular classes of transactions, account balances or disclosures;
c. Performance materiality; and
d. Any revision of (a)-(c) as the audit progressed.

Materiality and Audit Risk
The concept of materiality is applied in planning and performing the audit, and in evaluating the effect of identified misstatements on the audit and in forming the opinion in the auditor's report. The auditor obtains reasonable assurance by obtaining sufficient appropriate audit evidence to reduce audit risk to an acceptably low level.
Audit risk is the risk that the auditor expresses an inappropriate audit opinion when the financial statements are materially misstated. Audit risk is a function of the risks of material misstatement and detection risk.
Materiality and audit risk are considered throughout the audit, in particular, when:
a. Identifying and assessing the risks of material misstatement;
b. Determining the nature, timing and extent of further audit procedures; and
c. Evaluating the effect of uncorrected misstatements, if any, on the financial statements and in forming the opinion in the auditor's report.

Test Your Understanding


CA A. Raja is auditor of Build Well Forgings Private Limited having a revenue of ₹ 25 crore. The company has
been sanctioned a term loan of ₹ 50 lacs from a bank. However, as at the end of the year, only ₹ 1 lac was availed
due to delay in procurement of the asset. The financial statements of the company do not disclose the nature of
security against which the loan has been taken. Schedule III of the Companies Act, 2013 requires disclosure in this
respect. Discuss whether non-disclosure of the nature of security is material for the auditor.
Ans: If there is any statutory requirement of disclosure, it is to be considered material. Schedule III mandates
disclosure of the nature of security in relation to a loan. The amount involved is irrelevant.

ILLUSTRATION
One of the team members of auditors of Highly Capable Limited was of the view that Materiality and Audit Risk
are only considered at the planning stage of an audit. Comment as an auditor.
SOLUTION
The concept of materiality is applied by the auditor both in planning and performing the audit, and in
evaluating the effect of identified misstatements on the audit and of uncorrected misstatements, if any, on
the financial statements and in forming the opinion in the auditor's report.


7. SA 330 – THE AUDITOR'S RESPONSES TO ASSESSED RISKS

Definitions
(a) Substantive procedure - An audit procedure designed to detect material misstatements at the assertion level. Substantive procedures comprise:
(i) Tests of details (of classes of transactions, account balances, and disclosures), and
(ii) Substantive analytical procedures.
(b) Test of controls - An audit procedure designed to evaluate the operating effectiveness of controls in preventing, or detecting and correcting, material misstatements at the assertion level.

Overall Responses
The auditor shall design and implement overall responses to address the assessed risks of material misstatement at the financial statement level.

Audit procedures responsive to the assessed risks of material misstatement at the assertion level
■ The auditor shall design and perform further audit procedures whose nature, timing and extent are based on and are responsive to the assessed risks of material misstatement at the assertion level.
■ In designing the further audit procedures to be performed, the auditor shall:
a) Consider the likelihood of material misstatement due to the particular characteristics of the relevant class of transactions, account balance, or disclosure (i.e., the inherent risk), and whether the risk assessment takes into account the relevant controls (i.e., the control risk).
b) Obtain more persuasive audit evidence the higher the auditor's assessment of risk.

Study Step 1 to 3

STEP 1 Tests of Controls
The auditor shall design and perform tests of controls to obtain sufficient appropriate audit evidence as to the operating effectiveness of relevant controls when:
(a) He expects that the controls are operating effectively, or
(b) Substantive procedures alone cannot provide sufficient appropriate audit evidence at the assertion level.
The auditor shall test controls for the particular time, or throughout the period.

Nature and Extent of Test of Controls
In designing and performing test of controls, the auditor shall:
(a) Perform other audit procedures in combination with inquiry to obtain audit evidence about the operating effectiveness of the controls, including:
(i) How the controls were applied at relevant times during the period under audit.
(ii) The consistency with which they were applied.
(iii) By whom or by what means they were applied.
(b) Determine whether the controls to be tested depend upon other controls (indirect controls), and if so, whether it is necessary to obtain audit evidence supporting the effective operation of those indirect controls.
Inquiry alone is not sufficient to test the operating effectiveness of controls. Accordingly, other audit procedures are performed in combination with inquiry. In this regard, inquiry combined with inspection or reperformance may provide more assurance than inquiry and observation, since an observation is pertinent only at the point in time at which it is made.
Matters the auditor may consider in determining the extent of test of controls include the following:
• The frequency of the performance of the control by the entity during the period.
• The length of time during the audit period that the auditor is relying on the operating effectiveness of the control.
• The expected rate of deviation from a control.
• The relevance and reliability of the audit evidence to be obtained regarding the operating effectiveness of the control at the assertion level.
• The extent to which audit evidence is obtained from tests of other controls related to the assertion.

Timing of Tests of Controls
The auditor shall test controls for the particular time, or throughout the period, for which the auditor intends to rely on those controls in order to provide an appropriate basis for the auditor's intended reliance.
Audit evidence pertaining only to a point in time may be sufficient for the auditor's purpose, for example, when testing controls over the entity's physical inventory counting at the period end. If, on the other hand, the auditor intends to rely on a control over a period, tests that are capable of providing audit evidence that the control operated effectively at relevant times during that period are appropriate. Such tests may include tests of the entity's monitoring of controls.

Using audit evidence obtained during an interim period
When the auditor obtains audit evidence about the operating effectiveness of controls during an interim period, the auditor shall:
(a) Consider significant changes to those controls; and
(b) Determine the additional audit evidence to be obtained for the remaining period.

Using audit evidence obtained in previous audits
In determining whether it is appropriate to use audit evidence about the operating effectiveness of controls obtained in previous audits, and, if so, the length of the time period that may elapse before retesting a control, the auditor shall consider the following:
(a) The effectiveness of other elements of internal control, including the control environment, the entity's monitoring of controls, and the entity's risk assessment process;
(b) The risks arising from the characteristics of the control, including whether it is manual or automated;
(c) The effectiveness of general IT-controls;
(d) The effectiveness of the control and its application by the entity, including the nature and extent of deviations in the application of the control noted in previous audits, and whether there have been personnel changes that significantly affect the application of the control;
(e) Whether the lack of a change in a particular control poses a risk due to changing circumstances; and
(f) The risks of material misstatement and the extent of reliance on the control.
If the auditor plans to use audit evidence from a previous audit about the operating effectiveness of specific controls, the auditor shall establish the continuing relevance of that evidence by obtaining audit evidence about whether significant changes in those controls have occurred subsequent to the previous audit.


Controls over significant risks
When the auditor plans to rely on controls over a significant risk, the auditor shall test those controls in the current period.

Evaluating the operating effectiveness of controls
The auditor should consider whether misstatements that have been detected indicate that controls are not operating effectively.
Even if there are no identified misstatements, controls may not be effective.
The auditor shall communicate material weaknesses in internal control identified during the audit on a timely basis to management at an appropriate level and TCWG according to SA 265.

Specific inquiries by auditor when deviations from controls are detected
When deviations from controls upon which the auditor intends to rely are detected, the auditor shall make specific inquiries to understand these matters and their potential consequences, and shall determine whether:
(a) The tests of controls that have been performed provide an appropriate basis for reliance on the controls;
(b) Additional tests of controls are necessary; or
(c) The potential risks of misstatement need to be addressed using substantive procedures.
Irrespective of the assessed risks of material misstatement, the auditor shall design and perform substantive procedures for each material class of transactions, account balance, and disclosure.
This requirement reflects the facts that:
(i) the auditor's assessment of risk is judgmental and so may not identify all risks of material misstatement; and
(ii) there are inherent limitations to internal control, including management override.

STEP 2 Substantive Audit Procedures / Test of Details

Substantive procedures / Test of Details
Tests of details are further classified into tests of transactions, i.e., vouching, and tests of balances, i.e., verification.
Substantive analytical procedures refer to analytical procedures used as substantive procedures by the auditor.
Nature and extent of Substantive procedures
Depending on the circumstances, the auditor may determine that:
• Performing only substantive analytical procedures will be sufficient to reduce audit risk to an acceptably low level. For example, where the auditor's assessment of risk is supported by audit evidence from tests of controls.
• Only tests of details are appropriate.
• A combination of substantive analytical procedures and tests of details are most responsive to the assessed risks.


STEP 3 Documentation
The auditor shall document:
a. The overall responses to address the assessed risks of material misstatement at
the financial statement level;
b. The linkage of those procedures with the assessed risks at the assertion level; and
c. The results of the audit procedures.
If he uses audit evidence about the operating effectiveness of controls obtained in
previous audits, the auditor shall document the conclusions reached about relying on
such controls that were tested in a previous audit.
The auditors' documentation shall demonstrate that the financial statements agree or
reconcile with the underlying accounting records.

Test Your Understanding


Zomba Products Private Limited is a small company. The control systems in the company are rudimentary.
How would you, as an auditor of the company, proceed to evaluate the internal control of the company?
Ans
In a small company, control systems are basic and not formalized. Therefore, the auditor should proceed to
evaluate internal control using a narrative record.
Test Your Understanding
A Chartered Accountant, during the course of audit of a company, finds that cash is not deposited into the bank
frequently although the concerned staff of the company was required to do so. Further, the official responsible for
ensuring performance of the above function has also not paid any attention to it. Discuss what it represents
from the auditor's perspective.
Ans
Cash is not deposited into the bank frequently, although the concerned staff of the company was required to do so.
Further, the official responsible for ensuring performance of the above function has also not paid any attention to
it. It means that the control is not working as planned. It would not be able to prevent misstatement and the very
purpose of the control is defeated. It represents a “control deficiency”.


8. SA 265 COMMUNICATING DEFICIENCIES IN INTERNAL CONTROL TO THOSE CHARGED WITH GOVERNANCE AND MANAGEMENT

Scope of this SA
1. This Standard on Auditing (SA) deals with the auditor's responsibility to communicate appropriately to those charged with governance and management deficiencies in internal control that the auditor has identified in an audit of financial statements.
2. The auditor is required to obtain an understanding of internal control relevant to the audit when identifying and assessing the risks of material misstatement. In making those risk assessments, the auditor considers internal control in order to design audit procedures that are appropriate in the circumstances, but not for the purpose of expressing an opinion on the effectiveness of internal control. The auditor may identify deficiencies in internal control not only during this risk assessment process but also at any other stage of the audit. This SA specifies which identified deficiencies the auditor is required to communicate to those charged with governance and management.
3. Nothing in this SA precludes the auditor from communicating to those charged with governance and management other internal control matters that the auditor has identified during the audit.

Definitions
I. Deficiency in internal control - This exists when:
• A control is designed, implemented or operated in such a way that it is unable to prevent, or detect and correct, misstatements in the financial statements on a timely basis; or
• A control necessary to prevent, or detect and correct, misstatements in the financial statements on a timely basis is missing.
II. Significant deficiency in internal control - A deficiency or combination of deficiencies in internal control that, in the auditor's professional judgment, is of sufficient importance to merit the attention of those charged with governance.

Examples of matters that the auditor may consider in determining whether a deficiency or combination of deficiencies in internal control constitutes a significant deficiency
• The likelihood of the deficiencies leading to material misstatements in the
financial statements in the future.
• The susceptibility to loss or fraud of the related asset or liability.
• The subjectivity and complexity of determining estimated amounts, such as fair
value accounting estimates.
• The financial statement amounts exposed to the deficiencies.
• The volume of activity that has occurred or could occur in the account balance or
class of transactions exposed to the deficiency or deficiencies.
• The cause and frequency of the exceptions detected as a result of the deficiencies
in the controls.
• The interaction of the deficiency with other deficiencies in internal control.
• The importance of the controls to the financial reporting process, for
example:
§ General monitoring controls (such as oversight of management).
§ Controls over the prevention and detection of fraud.

§ Controls over the selection and application of significant accounting policies.
§ Controls over significant transactions with related parties.
§ Controls over significant transactions outside the entity's normal course of
business.
§ Controls over the period-end financial reporting process (such as controls
over non-recurring journal entries).

Examples of indicators of significant deficiencies in internal control
• Evidence of ineffective aspects of the control environment, such as:
§ Indications that significant transactions in which management is financially
interested are not being appropriately scrutinised by those charged with
governance.
§ Identification of management fraud, whether or not material, that was not
prevented by the entity's internal control.
§ Management's failure to implement appropriate remedial action on significant
deficiencies previously communicated.
• Absence of a risk assessment process within the entity where such a process would
ordinarily be expected to have been established.
• Evidence of an ineffective entity risk assessment process, such as management's
failure to identify a risk of material misstatement that the auditor would expect the
entity's risk assessment process to have identified.
• Evidence of an ineffective response to identified significant risks (e.g., absence of
controls over such a risk).
• Misstatements detected by the auditor's procedures that were not prevented, or
detected and corrected, by the entity's internal control.
• Disclosure of a material misstatement due to error or fraud as prior period items in
the current year's Statement of Profit and Loss.
• Evidence of management's inability to oversee the preparation of the financial
statements.

Determination and Communication of significant deficiencies in internal control to those charged with governance
1. The auditor shall determine whether, on the basis of the audit work performed, the
auditor has identified one or more deficiencies in internal control.
2. If the auditor has identified one or more deficiencies in internal control, the auditor
shall determine whether they constitute significant deficiencies.
3. The auditor shall communicate in writing significant deficiencies in internal
control identified during the audit to those charged with governance on a timely
basis. The auditor shall also communicate to management at an appropriate
level of responsibility on a timely basis:
(a) In writing, significant deficiencies in internal control that the auditor has
communicated or intends to communicate to those charged with governance.
(b) Other deficiencies in internal control identified during the audit that have not
been communicated to management by other parties and that, in the auditor's
professional judgment, are of sufficient importance to merit management's
attention.

4. The auditor shall include in the written communication of significant deficiencies
in internal control:
(a) A description of the deficiencies and an explanation of their potential effects;
and
(b) Sufficient information to enable those charged with governance &
management to understand the context of the communication. In particular,
the auditor shall explain that:
(i) The purpose of the audit was for the auditor to express an opinion on the
financial statements;
(ii) The audit included consideration of internal control relevant to the
preparation of the financial statements in order to design audit
procedures that are appropriate in the circumstances, but not for the
purpose of expressing an opinion on the effectiveness of internal control;
and
(iii) The matters being reported are limited to those deficiencies that the
auditor has identified during the audit and that the auditor has concluded
are of sufficient importance.

Test Your Understanding


On reviewing internal control over inventories as part of the statutory audit of a company, the auditor finds that physical
verification is not being conducted at regular intervals as stipulated by the management. The auditor finds it to be a
significant deficiency in internal control over inventories. He points it out to the management in a one-liner as under:
“Physical verification of inventories is not being conducted at regular intervals as stipulated by management.”
Is the above communication by the auditor proper? Ignore statutory reporting requirements, if any, in this regard.
Ans: When pointing out significant deficiencies in internal control, the auditor must not only communicate the significant
deficiencies with their description, but also explain their potential effects and give those charged with governance and
management sufficient information to understand the context of the communication. Therefore, the above communication is not
proper. Besides communicating the significant deficiency, the auditor should explain to management the potential
effects of not carrying out physical verification of inventories at regular intervals as stipulated by management. The
communication should explain that such a significant deficiency can lead to misstatement of inventories, impacting the
profits of the company. Highlighting the importance of such a control, it should state that responsibility be fixed on the
concerned persons for adhering to such an important control.
