Chapter 4 “Risk Assessment and internal Control” ©www.altclasses.

in

Compiled by: Pankaj Garg

Page 1
Chapter 4 “Risk Assessment and internal Control” ©www.altclasses.in
Chapter 4
Risk Assessment and Internal Control

"Marks Distribution of Past Exams (New Syllabus)"

20
18
16
14
12
Marks

10
8
6
4
2
0
May-18 Nov-18 May-19 Nov-19 May-20 Nov-20 May-21 -
Series1 19 5 6 7

4.1 – Audit Risk (SA 315)

Q.1 The assessment of risks is a matter of professional judgment. Explain

stating clearly what is not included in Audit Risk? [MTP-Aug. 18]

Answer: Assessment of Audit Risk:

• Audit Risk is the risk that the auditor gives an inappropriate audit

opinion when the financial statements are materially misstated.

Thus, it is the risk that the auditor may fail to express an

appropriate opinion in an audit assignment.

Compiled by: Pankaj Garg

Page 2
Chapter 4 “Risk Assessment and internal Control” ©www.altclasses.in

• SA 315 “Identifying and Assessing Risk of Material Misstatements

through understanding the Entity and its Environment” provides

guidance on identifying and assessing the risks of material

misstatements at the financial statement level and assertion levels.

Risks not forming part of Audit Risk:

• Audit risk does not include the risk that the auditor might express

an opinion that the financial statements are materially misstated

when they are not. This risk is ordinarily insignificant.

• Audit risk is a technical term related to the process of auditing; it

does not refer to the auditor’s business risks such as loss from

litigation, adverse publicity, or other events arising in connection

with the audit of financial statements.

Q.2 “Risk of material misstatement consists of two components” Explain

clearly defining risk of material misstatement.

Answer: Components of Risk of Material Misstatements:

Audit Risk may be defined as the risk that the auditor gives an
inappropriate audit opinion when the financial statements are
materially misstated. Thus, it is the risk that the auditor may fail to
express an appropriate opinion in an audit assignment. Audit Risk
has three components: Inherent Risk, Control Risk and Detection
Risk. Inherent Risk and Control Risk are collectively known as Risk
of Material Misstatement.

Compiled by: Pankaj Garg

Page 3
Chapter 4 “Risk Assessment and internal Control” ©www.altclasses.in

SA 315 “Identifying and Assessing Risk of Material Misstatements

through understanding the Entity and its Environment” provides
guidance on identifying and assessing the risks of material
misstatements at the financial statement level and assertion levels.

Inherent Risk:

• Inherent Risk is the susceptibility of an account balance or class of

transaction to a material misstatement, assuming that there were
no internal controls.

• To assess inherent risk, the auditor should evaluate numerous

factors, having regard to his experience of the entity from
previous audit engagements of the entity, controls established by
management to compensate for a high level of inherent risk, and
his knowledge of any significant changes which might have taken
place since his last assessment.

Control Risk:

• The risk that a misstatement that could occur in an assertion

about a class of transaction, account balance or disclosure and
that could be material, either individually or when aggregated
with other misstatements, will not be prevented, or detected and
corrected, on a timely basis by the entity’s internal control.

• Control Risk is the risk that material misstatement will not be

prevented or detected and corrected on a timely basis by the
internal control system.

Compiled by: Pankaj Garg

Page 4
Chapter 4 “Risk Assessment and internal Control” ©www.altclasses.in

Q.3 “The SAs do not ordinarily refer to inherent risk and control risk
separately, but rather to a combined assessment of the “risks of material
misstatement”. Explain. [RTP-Oct. 19]

Answer: Risk of Material Misstatement:

Refer Answer of Q. No. 2

Q. 3A When auditor identifies deficiencies and report on internal controls, he

determines the significant financial statement assertions that are
affected by the ineffective controls in order to evaluate the effect on
control risk assessments and strategy for the audit of the financial
statements. Explain. [RTP-May 20]

Answer: Control risk assessment when control deficiencies are

identified:

• When auditor identifies deficiencies and report on internal

controls, he determines the significant financial statement
assertions that are affected by the ineffective controls in order
to evaluate the effect on control risk assessments and strategy
for the audit of the financial statements.

• When control deficiencies are identified and auditor identifies

and tests more than one control for each relevant assertion,
auditor evaluates control risk considering all of the controls,
auditor has tested. If auditor determines that they support a
‘rely on controls’ risk assessment, or if compensating controls
are identified, tested and evaluated to be effective, he may
conclude that the ‘rely on controls’ is still appropriate. Otherwise
we change our control risk assessment to ‘not rely on controls.’

Compiled by: Pankaj Garg

Page 5
Chapter 4 “Risk Assessment and internal Control” ©www.altclasses.in

• When a deficiency relates to an ineffective control that is the

only control identified for an assertion, he revises risk
assessment to ‘not rely on controls’ for associated assertions, as
no other controls have been identified that mitigate the risk
related to the assertion. If the deficiency relates to one WCGW
(what can go wrong) out of several WCGW’s, he can ‘rely on
controls’ but performs additional substantive procedures to
adequately address the risks related to the deficiency.

Q.4 Discuss in brief the types of audit risk and inter relationship of
components of audit risk. [Nov. 14 (4 Marks)]

Answer: Types of Audit Risk:

Risk that the auditor may express an inappropriate audit opinion

when the financial statements are materially misstated, is known as
audit risk. It is a function of the risks of material misstatement and
detection risk.

(i) Risk of Material Misstatements: The risk that the financial

statements are materially misstated prior to audit. This consists
of two components: Inherent Risk and Control Risk.

(a) Inherent risk: The susceptibility of an assertion about a

class of transaction, account balance or disclosure to a
misstatement that could be material, either individually or
when aggregated with other misstatements, before
consideration of any related controls.

Compiled by: Pankaj Garg

Page 6
Chapter 4 “Risk Assessment and internal Control” ©www.altclasses.in

(b) Control risk: The risk that a misstatement that could occur

in an assertion about a class of transaction, account balance

or disclosure and that could be material, either individually

or when aggregated with other misstatements, will not be

prevented, or detected and corrected, on a timely basis by

the entity’s internal control.

(ii) Detection Risk: The risk that the procedures performed by the

auditor to reduce audit risk to an acceptably low level will not

detect a misstatement that exists and that could be material,

either individually or when aggregated with other

misstatements.

Relationship between Components of Audit Risk:

(a) Inherent Risk and Control Risk:

Management often reacts to inherent risk situations by

designing accounting and internal control systems to prevent or

detect and correct misstatements and therefore, in many cases,

inherent risk and control risk are highly interrelated. In such

situations, if the auditor attempts to assess inherent and control

risks separately, there is a possibility of inappropriate risk

assessment. As a result, audit risk may be more appropriately

determined in such situations by making a combined

assessment of Inherent and Control Risk as Risk of Material

Misstatement (RMM).

Compiled by: Pankaj Garg

Page 7
Chapter 4 “Risk Assessment and internal Control” ©www.altclasses.in

(b) Relationship between RMM and Detection Risk:

There is an inverse relationship between detection risk and the

combined level of inherent and control risks. When inherent

and control risks are high, acceptable detection risk needs to be

low to reduce audit risk to an acceptably low level. When

inherent and control risks are low, an auditor can accept a

higher detection risk and still reduce audit risk to an acceptably

low level.

Q.5 Explain the inherent risk with reference to the relevant standard on

auditing.

Or

Write short note on: Inherent Risk. [Nov. 12 (4 Marks)]

Answer: Inherent Risk:

SA 200 “Overall Objectives of Independent Auditor and Conduct

of audit in accordance with Standards on Auditing” defines

inherent risk as the susceptibility of an assertion about a class of

transaction, account balance or disclosure to a misstatement that

could be material, either individually or when aggregated with other

misstatements, before consideration of any related controls.

Standards on Auditing do not ordinarily refer to inherent risk

separately, but rather to a combined assessment of inherent risk and

control risk as “Risks of Material Misstatement”.

Compiled by: Pankaj Garg

Page 8
Chapter 4 “Risk Assessment and internal Control” ©www.altclasses.in

As per SA 315 “Identifying and Assessing the Risk of Material

Misstatement Through Understanding the Entity and its

Environment”, auditor is required to assess the risk of material

misstatement be performing the following procedure:

(i) Identify risks throughout the process of obtaining an

understanding of the entity and its environment.

(ii) Assess the identified risks, and evaluate whether they relate

more pervasively to the financial statements as a whole and

potentially affect many assertions;

(iii)Relate the identified risks to what can go wrong at the assertion

level; and

(iv) Consider the likelihood of misstatement.

As per SA 330 "The Auditor’s Responses to Assessed Risks" ,

while designing the further audit procedures to be performed, the

auditor shall consider the reasons for the assessment given to the

risk of material misstatement at the assertion level for the likelihood

of material misstatement due to the particular characteristics of the

relevant class of transactions, account balance, or disclosure (i.e., the

inherent risk) and obtain more persuasive audit evidence the higher

the auditor’s assessment of risk.

Compiled by: Pankaj Garg

Page 9
Chapter 4 “Risk Assessment and internal Control” ©www.altclasses.in

Q.6 Doing a statutory audit is full of risk. Narrate the factors which causes
the risk.

Answer: Factors causes the Audit Risk:

The risk that the auditor expresses an inappropriate audit opinion

when the financial statements are materially misstated. Audit risk is
a function of the risks of material misstatement (RMM) and detection
risk. RMM comprises of Inherent Risk and Control risk. Various
factors which causes different types of risks are given below:

1. Inherent Risk: Inherent risk arises on account of nature of

financial reporting & auditing. Entire process of auditing is
based on the assessment of judgements made by the management
of the entity as well as evaluation of internal controls.

2. Control Risk: Control Risk arises on account of Inherent

limitations of internal control. Internal control can provide
only reasonable, but not absolute, assurance on account of
several inherent limitations such as potential for human error,
possibility of circumstances of control through collusion, etc.

3. Detection Risk: Detection risk arises on account of judgement

on part of auditor, test nature of audit and nature of audit
evidences collected. The auditor’s work involves exercise of
judgement in many areas like deciding the extent of audit
procedures and assessing the reasonableness of the judgements
and estimates made by management in preparing the financial
statements. The auditor normally relies upon persuasive
evidence rather than conclusive evidence. Even in circumstances
where conclusive evidence is available, the cost of obtaining such
an evidence may far exceed the benefits.

Compiled by: Pankaj Garg

Page 10
Chapter 4 “Risk Assessment and internal Control” ©www.altclasses.in

Q.7 Discuss the following: Weaknesses in the design of the internal control
system and non-compliance with identified control procedures amongst
other conditions or events which increase the risk of fraud or error.

Or

Mention briefly the conditions or events, which increase the risk of

fraud or error leading to material misstatements in financial
statements.

Answer: Conditions or Events which increase the risk of fraud or error:

While planning and performing an audit, the auditor should consider

the risk of material misstatements that may be caused due to fraud
or error. Various conditions and events that may increase risk of
fraud or error are:

1. Weaknesses in the design of internal control system and non-

compliance with the laid down control procedures.

2. Doubts about the integrity or competence of the management.

3. Unusual pressures within the entity.

4. Unusual transactions such as transactions with related parties,

excessive payment for certain services to lawyers, etc.

5. Problems in obtaining sufficient and appropriate audit evidence,

e.g., inadequate documentation, significant differences between
the figures as per the accounting records and confirmation
received from third parties, etc.

Compiled by: Pankaj Garg

Page 11
Chapter 4 “Risk Assessment and internal Control” ©www.altclasses.in

4.2 – Identifying and Assessing Risk of Material Misstatement (SA 315)

Q.8 “Risk of material misstatement at the assertion level for classes of

transactions, account balances and disclosures need to be considered”.
Explain stating the different categories of assertions used by the
auditor.

Answer: Assertions used by auditor about account balances at the

period end:

• SA 315 “Identifying and Assessing Risk of Material

Misstatements through understanding the Entity and its
Environment” requires the auditor to identify and assess the
risks of material misstatement, whether due to fraud or error, at
the financial statement and assertion levels.

• Risks of material misstatement at the assertion level for classes

of transactions, account balances, and disclosures need to be
considered because such consideration directly assists in
determining the nature, timing, and extent of further audit
procedures at the assertion level necessary to obtain sufficient
appropriate audit evidence.

• Assertions used by auditor with respect to transactions

occurred during the year are:

1. Occurrence – transactions that have been recorded have

occurred during the year.

2. Completeness – transactions have been recorded

completely.

3. Accuracy – transactions have been recorded accurately.

Compiled by: Pankaj Garg

Page 12
Chapter 4 “Risk Assessment and internal Control” ©www.altclasses.in

4. Cut-off – transactions have been recorded in correct

accounting period.

5. Classification – transactions have been properly classified

into capital and revenue.

• Assertions used by auditor with respect to account balances at

the period end are:

1. Existence – assets and liabilities shown in the balance sheet exists.

2. Rights and obligations – rights of the entity have been
shown as assets and the obligations have been shown as
liabilities.

3. Completeness – assets and liabilities have been recorded

completely.

4. Valuation and allocation – assets and liabilities are

included in the financial statements at appropriate amounts
and any allocation adjustments are appropriately recorded.

• Assertions used by auditor with respect to Presentation and

Disclosure are:

1. Occurrence and Rights and obligations – disclosed

transactions have occurred and belong to the entity.

2. Completeness – disclosures in the financial statements are

complete.

3. Classification and understandability – financial

information is appropriately presented and disclosures are
clearly expressed.

4. Accuracy and Valuation – financial and other information

are disclosed fairly and at appropriate amounts.

Compiled by: Pankaj Garg

Page 13
Chapter 4 “Risk Assessment and internal Control” ©www.altclasses.in

Q.9 Write short note on: Assertion about balance at the end of the
reporting period. [May 13 (4 marks)]

Or

Discuss the following: The assertions used by auditor to consider

potential misstatements about account balances at the period end.

[Nov. 15 (5 Marks)]

Answer: Assertions used by auditor about account balances at the

period end:

• SA 315 “Identifying and Assessing Risk of Material

Misstatements through understanding the Entity and its
Environment” requires the auditor to identify and assess the
risks of material misstatement, whether due to fraud or error, at
the financial statement and assertion levels.

• Risks of material misstatement at the assertion level for classes

of transactions, account balances, and disclosures need to be
considered because such consideration directly assists in
determining the nature, timing, and extent of further audit
procedures at the assertion level necessary to obtain sufficient
appropriate audit evidence.

• Assertions used by auditor with respect to account balances at

the period end are:

1. Existence – assets and liabilities shown in the balance sheet

exists.

Compiled by: Pankaj Garg

Page 14
Chapter 4 “Risk Assessment and internal Control” ©www.altclasses.in

2. Rights and obligations – rights of the entity have been

shown as assets and the obligations have been shown as
liabilities.

3. Completeness – assets and liabilities have been recorded

completely.

4. Valuation and allocation – assets and liabilities are

included in the financial statements at appropriate amounts
and any allocation adjustments are appropriately recorded.

Q.10 In the context of SA 315, state the assertions used by auditor to

consider the different types of potential mis-statements that may occur

w.r.t. classes of transactions and events for period under audit.

[Nov. 17 (4 Marks)]

Answer: Assertions used by auditor to consider the potential

misstatement w.r.t. transactions and events:

Refer Answer of Q. No. 8

Q.11 Write short note on: Assertions used by auditor to consider potential

misstatements about presentation and disclosure at the period end.

Answer: Assertions used by auditor to consider the potential

misstatement about presentation and disclosure:

Refer Answer of Q. No. 8

Compiled by: Pankaj Garg

Page 15
Chapter 4 “Risk Assessment and internal Control” ©www.altclasses.in

Q.12 The auditor shall identify and assess the risks of material misstatement

at both levels to provide a basis for designing and performing further

audit procedures. For the purpose of Identifying and assessing the

risks of material misstatement the auditor shall Identify risks, assess

the identified risks, relate the identified risks and consider the

likelihood of misstatement.

Explain the above in detail. [MTP-Oct. 18]

Answer: Identifying and assessing the risks of material misstatement:

• The auditor shall identify and assess the risks of material

misstatement at:

(A) the financial statement level -

(B) the assertion level for classes of transactions, account

balances, and disclosures to provide a basis for designing and

performing further audit procedures

• For the purpose of Identifying and assessing the risks of material

misstatement, the auditor shall:

(a) Identify risks throughout the process of obtaining an

understanding of the entity and its environment, including

relevant controls that relate to the risks, and by considering

the classes of transactions, account balances, and disclosures

in the financial statements;

Compiled by: Pankaj Garg

Page 16
Chapter 4 “Risk Assessment and internal Control” ©www.altclasses.in

(b) Assess the identified risks, and evaluate whether they relate

more pervasively to the financial statements as a whole and

potentially affect many assertions;

(c) Relate the identified risks to what can go wrong at the

assertion level, taking account of relevant controls that the

auditor intends to test; and

(d) Consider the likelihood of misstatement, including the

possibility of multiple misstatements, and whether the

potential misstatement is of a magnitude that could result in a

material misstatement.

Q.13 Discuss what is included in risk assessment procedures to obtain audit

evidence about the design and implementation of relevant controls.

[RTP-May 18]

Answer: Risk Assessment procedure:

SA 315 “Identifying and Assessing Risk of Material Misstatements

through understanding the Entity and its Environment” defines the
term Risk Assessment procedure as audit procedures performed to
obtain an understanding of the entity and its environment,
including the entity’s internal control, to identify and assess the
risks of material misstatement, whether due to fraud or error, at the
financial statement and assertion levels.

Risk Assessment Procure includes the following:

Compiled by: Pankaj Garg

Page 17
Chapter 4 “Risk Assessment and internal Control” ©www.altclasses.in

(a) Inquiries of management, and of others within the entity:

Much of the information is obtained by the auditor’s through
inquiry from management and others. However, the auditor
may also obtain information, or a different perspective in
identifying risks of material misstatement, through inquiries of
others within the entity and other employees with different
levels of authority.

(b) Analytical procedures: Analytical procedures may help

identify the existence of unusual transactions or events, and
amounts, ratios, and trends that might indicate matters that
have audit implications.

(c) Observation and inspection: Observation and inspection may

support inquiries of management and others, and may also
provide information about the entity and its environment.

Q. 13A Obtaining an understanding of the entity and its environment,

including the entity’s internal control, is a continuous, dynamic process
of gathering, updating and analysing information throughout the audit.
Analyse and explain giving examples. [RTP-May 20]

Answer: Understanding of the Entity - a continuous process:

Obtaining an understanding of the entity and its environment,

including the entity’s internal control, is a continuous, dynamic
process of gathering, updating and analysing information
throughout the audit. The understanding establishes a frame of
reference within which the auditor plans the audit and exercises
professional judgment throughout the audit, for example, when:

Compiled by: Pankaj Garg

Page 18
Chapter 4 “Risk Assessment and internal Control” ©www.altclasses.in

1. Assessing risks of material misstatement of the financial

statements;

2. Determining materiality in accordance with SA 320;

3. Considering the appropriateness of the selection and

application of accounting policies;

4. Identifying areas where special audit consideration may be

necessary, for example, related party transactions, the
appropriateness of management’s use of the going concern
assumption, or considering the business purpose of
transactions;

5. Developing expectations for use when performing analytical

procedures;

6. Evaluating the sufficiency and appropriateness of audit

evidence obtained, such as the appropriateness of assumptions
and of management’s oral and written representations.

Q.14 The auditor may exercise his judgement to identify which risks are
significant risks. Explain the above in the context of SA 315.

[May 15 (6 Marks)]

Or

As part of the risk assessment, the auditor shall determine whether any
of the risks identified are, in the auditor’s judgment, a significant risk.

In exercising judgment as to which risks are significant risks, state the

factors which shall be considered by the auditor.

Explain the above in context of SA-315. [RTP-May 18]

Compiled by: Pankaj Garg

Page 19
Chapter 4 “Risk Assessment and internal Control” ©www.altclasses.in

Answer: Identification of Significant Risks:

As per SA 315 “Identifying and Assessing Risk of Material

Misstatements through understanding the Entity and its
Environment” the auditor shall determine whether any of the risks
identified are, in the auditor’s judgment, a significant risk. In
exercising this judgment, the auditor shall exclude the effects of
identified controls related to the risk. In exercising judgment as to
which risks are significant risks, the auditor shall consider the
following:

1. Whether the risk is a risk of fraud;

2. Whether the risk is related to recent significant economic,

accounting, or other developments;

3. The complexity of transactions;

4. Whether the risk involves significant transactions with related parties;

5. The degree of subjectivity in the measurement of financial

information; and

6. Whether the risk involves significant unusual transactions.

Q.15 Name the assertions for the following audit procedures:

1. Year-end inventory verification.

2. Depreciation has been properly charged on all assets.

3. The title deeds of the lands disclosed in the balance sheet are held
in the name of the company.

4. All liabilities are properly recorded in the financial statements.

5. Related party transactions are shown properly. [May 18 (5 Marks)]

Compiled by: Pankaj Garg

Page 20
Chapter 4 “Risk Assessment and internal Control” ©www.altclasses.in

Answer: Name of Assertions of Different Audit procedure:

1. Existence and Condition

2. Allocation & Valuation

3. Ownership and Rights and Obligations

4. Completeness

5. Presentation and Disclosure

Q.16 State assertions that are implied in the extract of financial statement

given below:

(Rs.) (Rs.)

Plant & Machinery (at Cost) 4,00,000

Less: Depreciation:

Up to Previous year 1,40,000

For the year 26,000 1,66,000

2,34,000

(i) Indicate assertions in respect of transactions and events for the

period relating to Fixed Assets.

(ii) State specific assertions relating to the above extract of financial

statement. [MTP-April 19]

Compiled by: Pankaj Garg

Page 21
Chapter 4 “Risk Assessment and internal Control” ©www.altclasses.in

Answer: (i) Assertions in respect of transactions and events for the

period: Refer Answer of Q. No. 8

(ii) Specific assertions:

(1) the firm owns the plant and machinery;

(2) the historical cost of plant and machinery is Rs. 4 lacs;

(3) the plant and machinery physically exist;

(4) the asset is being utilised in the business of the company

productively;

(5) total charge of depreciation on this asset is Rs. 1,66,000 to

date on which Rs. 26,000 relates to the year in respect of
which the accounts are drawn up; and

(6) the amount of depreciation has been calculated on

recognised basis and the calculation is correct

4.3 – Internal Control

Q. 17 Explain the concept of Internal Control. Also state the objectives of

Internal Control.

Answer: Internal Control:

SA 315 “Identifying and Assessing the Risk of Material

Misstatement through Understanding the Entity and its
environment” defines internal control as the process designed,
implemented and maintained by TCWG, management and other
personnel to provide reasonable assurance about the achievement
of an entity’s objectives with regard to

Compiled by: Pankaj Garg

Page 22
Chapter 4 “Risk Assessment and internal Control” ©www.altclasses.in

1. reliability of financial reporting,

2. effectiveness and efficiency of operations,

3. safeguarding of assets, and

4. compliance with applicable laws and regulations.

Objectives of Internal Control:

(a) Transactions are executed in accordance with managements

general or specific authorization;

(b) All transactions are promptly recorded in the correct amount in

the appropriate accounts and in the accounting period in which
executed so as to permit preparation of financial information
within a framework of recognized accounting policies and
practices and relevant statutory requirements, if any, and to
maintain accountability for assets;

(c) Assets are safeguarded from unauthorised access, use or

disposition; and

(d) The recorded assets are compared with the existing assets at
reasonable intervals and appropriate action is taken with
regard to any differences.

Q. 17A Internal control over safeguarding of assets against unauthorised

acquisition, use, or disposition may include controls relating to both
financial reporting and operations objectives. Explain stating clearly
the objectives of Internal Control. [RTP-May 20]

Compiled by: Pankaj Garg

Page 23
Chapter 4 “Risk Assessment and internal Control” ©www.altclasses.in

Answer: Internal Control over safeguarding of assets:

Internal control over safeguarding of assets against unauthorised

acquisition, use, or disposition may include controls relating to both
financial reporting and operations objectives. The auditor’s
consideration of such controls is generally limited to those relevant
to the reliability of financial reporting. For example, use of access
controls, such as passwords, that limit access to the data and
programs that process cash disbursements may be relevant to a
financial statement audit. Conversely, safeguarding controls
relating to operations objectives, such as controls to prevent the
excessive use of materials in production, generally are not relevant
to a financial statement audit.

Objectives of Internal Control: Refer answer of Q. No. 17

Q.18 Explain inherent limitations of Internal control system.

[Nov. 13 (8 Marks), May 15 (5 Marks)]

Or

Internal Control System can provide only reasonable but not absolute
assurance that its objective relating to prevention and detection of
errors/frauds, safeguarding of assets etc., are achieved. Briefly explain
the inherent limitations that the system suffers.

Or

Briefly discuss the limitations of internal control.

[May 18 (6 Marks), MTP-April 19]

Compiled by: Pankaj Garg

Page 24
Chapter 4 “Risk Assessment and internal Control” ©www.altclasses.in

Answer: Inherent Limitations of Internal Control:

(a) Management’s consideration that a control should be cost-

effective.

(b) The fact that the most controls do not tend to be directed at
transactions of unusual nature.

(c) Potential for human error.

(d) Possibility of circumvention of controls through collusion with

parties outside the entity or with employees of entity.

(e) Possibility that a person responsible for exercising control

could abuse that authority.

(f) Possibility that procedures may become inadequate due to

changes in conditions and compliance with procedures may
deteriorate.

(g) Manipulations by management with respect to transactions or

estimates and judgments required in the preparation of
financial statements.

Q.19 What is Internal Control. Explain various components of Internal

Control.

Answer: Meaning of Internal Control:

Internal Control may be defined as the process designed,

implemented and maintained by TCWG, management and other
personnel to provide reasonable assurance about the achievement
of an entity’s objectives with regard to

Compiled by: Pankaj Garg

Page 25
Chapter 4 “Risk Assessment and internal Control” ©www.altclasses.in

• reliability of financial reporting,

• effectiveness and efficiency of operations,

• safeguarding of assets, and

• compliance with applicable laws and regulations.

Components of Internal Control: It includes the followings:

(a) Control Environment: The control environment includes the

governance and management functions and the attitudes,
awareness, and actions of those charged with governance and
management concerning the entity’s internal control and its
importance in the entity. The control environment sets the tone
of an organization, influencing the control consciousness of its
people.

(b) Risk Assessment Process: The entity’s risk assessment

process forms the basis for how management determines the
risks to be managed. If that process is appropriate to the
circumstances, including the nature, size and complexity of the
entity, it assists the auditor in identifying risks of material
misstatement. Whether the entity’s risk assessment process is
appropriate to the circumstances is a matter of judgment.

(c) Information System: The information system relevant to

financial reporting objectives, which includes the accounting
system, consists of the procedures and records designed and
established to:

Compiled by: Pankaj Garg

Page 26
Chapter 4 “Risk Assessment and internal Control” ©www.altclasses.in

• Initiate, record, process, and report entity transactions;

• Resolve incorrect processing of transactions;

• Process and account for system overrides or bypasses to

controls;

• Transfer information from transaction processing systems

to the general ledger;

• Capture information relevant to financial reporting for

events and conditions other than transactions, such as the

depreciation and amortisation of assets; and

• Ensure information required to be disclosed by the

applicable FRF is accumulated, recorded, processed,

summarized and appropriately reported in the F.S.

(d) Control Activities relevant to Audit: Control activities are the

policies and procedures that help ensure that management

directives are carried out. Control activities, whether within IT

or manual systems, have various objectives and are applied at

various organisational and functional levels.

(e) Monitoring of Controls: Monitoring of controls is a process to

assess the effectiveness of internal control performance over

time. It involves assessing the effectiveness of controls on a

timely basis and taking necessary corrective actions.

Compiled by: Pankaj Garg

Page 27
Chapter 4 “Risk Assessment and internal Control” ©www.altclasses.in

Q.20 “The auditor shall obtain an understanding of the control

environment” Explain stating what is included in control environment.

Or

The auditor of XYZ Ltd, engaged in FMCG (Fast Moving Consumable

Goods) obtains an understanding of the control environment. As part of
obtaining this understanding, the auditor evaluates whether:

(i) Management has created and maintained a culture of honesty and

ethical behavior; and

(ii) The strengths in the control environment elements collectively

provide an appropriate foundation for the other components of
internal control.

Advise what is included in control environment. Also explain the

elements of control environment.

[MTP-March 18, RTP-May 18, MTP-Aug.18, March 19, RTP-Nov. 19]

Answer: Elements of Control Environment:

The control environment includes the governance and management

functions and the attitudes, awareness, and actions of those charged
with governance and management concerning the entity’s internal
control and its importance in the entity. The control environment
sets the tone of an organization, influencing the control
consciousness of its people.

Control environment includes the following elements:

1. Communication and enforcement of integrity and Ethical values.

2. Commitment to competence.

Compiled by: Pankaj Garg

Page 28
Chapter 4 “Risk Assessment and internal Control” ©www.altclasses.in

3. Participation by TCWG.

4. Management philosophy and operating style.

5. Organisational Structure.

6. Assignment of Authority and Responsibility.

7. Human resources Policies and Practices.

Q.21 “The auditor shall obtain an understanding of the major activities that

the entity uses to monitor internal control over financial reporting”

Explain.

Answer: Monitoring of Controls:

Auditor shall obtain an understanding of the major activities that

the entity uses to monitor internal control over financial reporting.

Following point merit consideration in this regard:

(a) Monitoring of controls is a process to assess the effectiveness of

internal control performance over time.

(b) It involves assessing the effectiveness of controls on a timely

basis and taking necessary corrective actions.

(c) Management accomplishes monitoring of controls through

ongoing activities, separate evaluations, or a combination of the

two. Ongoing monitoring activities are often built into the

normal recurring activities of an entity and include regular

management and supervisory activities.

Compiled by: Pankaj Garg

Page 29
Chapter 4 “Risk Assessment and internal Control” ©www.altclasses.in

(d) Management’s monitoring activities may also include using

information from communications from external parties such as

customer complaints and regulator comments that may indicate

problems or highlight areas in need of improvement.

(e) Management’s monitoring of control is often accomplished by

management’s or the owner-manager’s close involvement in

operations.

4.4 –Evaluation of Internal Control by the Auditor

Q. 22 Write a short note on: Narrative record. [Nov. 17 (4 Marks)]

Answer: Narrative record:

It is a complete and exhaustive description of the system as found

in operation by the auditor. Actual testing and observation are
necessary before such a record can be developed.

It may be recommended in cases where no formal control system

in operation and would be more suited to small business.
Disadvantages of narrative records are:

(i) To comprehend the system in operation is quite difficult.

(ii) To identify weaknesses or gaps in the system

(iii)To incorporate changes arising on account of reshuffling of

manpower, etc.

Compiled by: Pankaj Garg

Page 30
Chapter 4 “Risk Assessment and internal Control” ©www.altclasses.in

Q.23 What is check list? Give few examples of check list instruction.

Answer: Check List:

Check List is a series of instructions and/or questions which a

member of the auditing staff must follow and/or answer. This is an
on the job requirement and instructions are framed having regard
to the desirable elements of control.

A few examples of check list instructions are:

• Are tenders invited before placing orders?

• Is the purchase order from standardized?

• Are purchase orders forms pre-numbered?

• Are inventory control accounts maintained by appropriate

persons?

Q.24 Explain briefly technique of "Internal Control Questionnaire" to

facilitate the accumulation of information necessary for proper
evaluation of internal control. [Nov. 10 (4 Marks)]

Or

Write short note on: Internal Control Questionnaire.

[May 13 (4 Marks)]

Answer: Internal Control Questionnaire:

It is a set of questions designed to provide a thorough view of the

state of internal control in an organisation.

The questions are generally prepared in sections of distinct control

areas like: purchase and creditors, sales & debtors, inventories,
cash &bank, etc.

Compiled by: Pankaj Garg

Page 31
Chapter 4 “Risk Assessment and internal Control” ©www.altclasses.in

Evaluation through internal control questionnaire now forms an

important part of any properly organised audit with the following
purposes:

• Identification of weaknesses in the internal control system

• Determination of extent of substantive checking

• Selection of samples in rational manner.

• Suitable modifications in audit programmes.

Q.25 Write short note on: Use of Flow Charts in evaluation of internal

Control. [Nov. 13, May 16 (4 Marks)]

Or

A Flow Chart is a graphic presentation of each part of the company’s

system of internal control. Explain elaborating each and every aspect

about flow chart. [RTP-Nov. 18]

Answer: Uses of Flow Charts in Evaluation of Internal Control:

Flowchart is a graphic presentation of internal controls in the

organisation and is normally drawn up to show the controls in

each section or sub-section. It provides the most concise and

comprehensive way for reviewing the internal controls and the

evaluator’s findings.

A flow chart is a diagram full with lines and symbols and if

judicious use of them can be made, it is probably an effective way

of presenting the state of internal controls in the client’s

Compiled by: Pankaj Garg

Page 32
Chapter 4 “Risk Assessment and internal Control” ©www.altclasses.in

organisation. A properly drawn up flow chart can provide a neat

visual picture of the whole activities of the section or department

involving flow of documents and activities. More specifically it can

show –

1. at what point a document is raised internally or received from

external sources;

2. the number of copies in which a document is raised or received;

3. the intermediate stages set sequentially through which the

document and the activity pass;

4. distribution of the documents to various sections, department

or operations;

5. checking authorisation and matching at relevant stages;

6. filing of the documents; and

7. final disposal by sending out or destruction.

Q. 26 Why tests of controls are performed? Also explain what does they
include. [Nov. 15 (4 Marks)]

Answer: Tests of Controls:

After assimilating internal control system, the auditor needs to

examine whether and how far the same is actually in operation.
For this purpose, auditor may perform tests of control. Tests of
control are performed to obtain audit evidence about the
effectiveness of the:

Compiled by: Pankaj Garg

Page 33
Chapter 4 “Risk Assessment and internal Control” ©www.altclasses.in

(i) design of the accounting and internal control systems, that is,

whether they are suitably designed to prevent or detect and

correct material misstatements; and

(ii) operation of the internal controls throughout the period.

Based on the results of the tests of control, the auditor should

evaluate whether the internal controls are designed and operating

as contemplated in the preliminary assessment of control risk.

Tests of control may include:

(a) Inspection of documents supporting transactions and other

events to gain audit evidence that internal controls have

operated properly.

(b) Inquiries about and observation of internal controls which

leave no audit trail.

(c) Re-performance of internal controls.

(d) Testing of internal controls operating on specific computerised

applications.

Q. 26A It has been suggested that actual operation of the internal control

should be tested by the application of procedural tests and

examination in depth. Explain with the help of example in respect of

the procedure for sales. [RTP-May 20]

Compiled by: Pankaj Garg

Page 34
Chapter 4 “Risk Assessment and internal Control” ©www.altclasses.in

Answer: Testing of Internal Control System:

It has been suggested that actual operation of the internal control

should be tested by the application of procedural tests and

examination in depth. Procedural tests simply mean testing of the

compliance with the procedures laid down by the management in

respect of initiation, authorisation, recording and documentation

of transaction at each stage through which it flows. For example,

the procedure for sales requires the following:

1. Before acceptance of any order the position of inventory of the

relevant article should be known to ascertain whether the order

can be executed in time.

2. An advice under the authorisation of the sales manager should

be sent to the party placing the order, internal reference

number, and the acceptance of the order. This advice should be

prepared on a standardised form and copy thereof should be

forwarded to inventory section to enable it to prepare for the

execution of the order in time.

3. The credit period allowed to the party should be the normal

credit period. For any special credit period a special

authorisation of the sales manager would be necessary.

4. The rate at which the order has been accepted and other terms

about transport, insurance, etc., should be clearly specified.

Compiled by: Pankaj Garg

Page 35
Chapter 4 “Risk Assessment and internal Control” ©www.altclasses.in

5. Before deciding upon the credit period, a reference should be

made to the credit department to know the creditworthiness of

the party and particularly whether the party has honoured its

commitments in the past.

Q. 27 “A satisfactory control environment may help reduce the risk of fraud

but is not an absolute deterrent for fraud”. Explain.

[May 17 (5 Marks), RTP-May 18]

Or

The existence of a satisfactory control environment can be a positive

factor when the auditor assesses the risks of material misstatement.

Analyse and explain. [RTP-May 19]

Answer: Impact of Satisfactory Control Environment:

• The existence of a satisfactory control environment work as a

positive factor when the auditor assesses the RMM.

• But at the same time, it is to be kept in mind that a satisfactory

control environment is not an absolute deterrent to fraud.

Deficiencies in the control environment may undermine the

effectiveness of controls, in particular in relation to fraud.

• As per SA 330, the control environment also influences the

nature, timing, and extent of the auditor’s further procedures.

Compiled by: Pankaj Garg

Page 36
Chapter 4 “Risk Assessment and internal Control” ©www.altclasses.in

• The control environment in itself does not prevent, or detect

and correct, a material misstatement. It may, however,

influence the auditor’s evaluation of the effectiveness of other

controls (for example, the monitoring of controls and the

operation of specific control activities) and thereby, the

auditor’s assessment of the risks of material misstatement.

Q.28 So far as the auditor is concerned, the examination and evaluation of

the internal control system is an indispensable part of the overall

audit programme. The auditor needs reasonable assurance that the

accounting system is adequate and that all the accounting information

which should be recorded has in fact been recorded. Internal control

normally contributes to such assurance. Explain stating clearly the

benefits of evaluation of internal control to the auditor. [RTP-May 19]

Answer: Benefits of Evaluation of Internal Control to Auditor:

The review of internal controls will enable the auditor to know:

1. whether errors and frauds are likely to be located in the

ordinary course of operations of the business;

2. whether an adequate internal control system is in use and

operating as planned by the management;

3. whether an effective internal auditing department is operating;

Compiled by: Pankaj Garg

Page 37
Chapter 4 “Risk Assessment and internal Control” ©www.altclasses.in

4. whether any administrative control has a bearing on his work

(for example, if the control over worker recruitment and
enrolment is weak, there is a likelihood of dummy names being
included in the wages sheet and this is relevant for the
auditor);

5. whether the controls adequately safeguard the assets;

6. how far and how adequately the management is discharging its

function in so far as correct recording of transactions is
concerned;

7. how reliable the reports, records and the certificates to the

management can be;

8. the extent and the depth of the examination that he needs to

carry out in the different areas of accounting;

9. what would be appropriate audit technique and the audit

procedure in the given circumstances;

10. what are the areas where control is weak and where it is
excessive; and

11. whether some worthwhile suggestions can be given to improve

the control system.

Q.29 While obtaining audit evidence about the effective operation of

internal controls, the auditor considers how they were applied, the
consistency with which they were applied during the period and by
whom they were applied. The concept of effective operation
recognises that some deviations may have occurred. Analyse and
Explain. [RTP-Nov. 18]

Compiled by: Pankaj Garg

Page 38
Chapter 4 “Risk Assessment and internal Control” ©www.altclasses.in

Or

Based on the results of the tests of control, the auditor should evaluate
whether the internal controls are designed and operating as
contemplated in the preliminary assessment of control risk. Analyse
and Explain. [RTP-Nov. 19]

Answer: Deviations from internal controls:

• As per SA 330 “Responses to Assessed Risks”, while obtaining

audit evidence about the effective operation of internal controls,
the auditor considers how they were applied, the consistency
with which they were applied during the period and by whom
they were applied. The concept of effective operation
recognises that some deviations may have occurred.

• Deviations from prescribed controls may be caused by such

factors as

 changes in key personnel,

 significant seasonal fluctuations in volume of transactions

and

 human error.

• When deviations are detected the auditor makes specific

inquiries regarding these matters, particularly, the timing of
staff changes in key internal control functions. The auditor then
ensures that the tests of control appropriately cover such a
period of change or fluctuation.

Compiled by: Pankaj Garg

Page 39
Chapter 4 “Risk Assessment and internal Control” ©www.altclasses.in

• Based on the results of the tests of control, the auditor should

evaluate whether the internal controls are designed and

operating as contemplated in the preliminary assessment of

control risk.

• The evaluation of deviations may result in the auditor

concluding that the assessed level of control risk needs to be

revised. In such cases, the auditor would modify the nature,

timing and extent of planned substantive procedures.

• Before the conclusion of the audit, based on the results of

substantive procedures and other audit evidence obtained by

the auditor, the auditor should consider whether the

assessment of control risk is confirmed.

• It has been suggested that actual operation of the internal

control should be tested by the application of procedural tests

and examination in depth. Procedural tests simply mean testing

of the compliance with the procedures laid down by the

management in respect of initiation, authorisation, recording

and documentation of transaction at each stage through which

it flows.

Q.30 The auditor can formulate his entire audit programme only after he
has had a satisfactory understanding of the internal control systems
and their actual operation. Analyse and explain. [RTP-Nov. 18]

Compiled by: Pankaj Garg

Page 40
Chapter 4 “Risk Assessment and internal Control” ©www.altclasses.in

Or

The extent and the nature of the audit programme is substantially

influenced by the internal control system in operation. Analyse and
explain. [RTP-Nov. 19]

Answer: Requirement of Understanding of Internal Control to

formulate entire audit programme:

• The auditor can formulate his entire audit programme only

after he has had a satisfactory understanding of the internal
control systems and their actual operation. If he does not care
to study this aspect, it is very likely that his audit programme
may become unwieldy and unnecessarily heavy and the object
of the audit may be altogether lost in the mass of entries and
vouchers.

• Review of the internal control system will provide the auditor

enough time to assimilate the controls and implications and
will enable him to be more objective in the framing of the audit
programme.

• Auditor will also be in a position to bring to the notice of the

management the weaknesses of the system and to suggest
measures for improvement.

• A proper understanding of the internal control system in its

content and working also enables an auditor to decide upon
the appropriate audit procedure to be applied in different
areas to be covered in the audit programme.

Compiled by: Pankaj Garg

Page 41
Chapter 4 “Risk Assessment and internal Control” ©www.altclasses.in

• In a situation where the internal controls are considered weak

in some areas, the auditor might choose an auditing procedure

or test that otherwise might not be required; he might extend

certain tests to cover a large number of transactions or other

items than he otherwise would examine and at times he may

perform additional tests to bring him the necessary

satisfaction.

4.5 –Internal Control and IT Environment

Q.31 What are the specific risks related to internal controls in an IT

Environment? [May 16 (5 Marks)]

Or

The auditor should understand and consider the risks that may arise
from the use of information technology (IT) Systems.

[May 18 (4 Marks)]

Or

IT poses specific risks to an entity’s internal control. Explain.

[RTP-May 19]

Or

Which are specific risks to the company’s internal control having IT

environment? [May 19 (4 Marks)]

Compiled by: Pankaj Garg

Page 42
Chapter 4 “Risk Assessment and internal Control” ©www.altclasses.in

Answer: Risk to internal control imposed by IT:

As per SA 315, “Identifying and Assessing Risk of Material

Misstatement through understanding the Entity and its

Environment” IT also poses specific risks to an entity’s internal

control, including, for example:

(a) Reliance on systems or programs that are inaccurately

processing data, processing inaccurate data or both

(b) Unauthorised access to data that may result in destruction of

data or improper changes to data, including the recording of

unauthorized or non-existent transactions, or inaccurate

recording of transactions. Particular risk may arise when

multiple users access a common database.

(c) The possibility of IT personnel gaining access beyond those

necessary to perform their assigned duties thereby breaking

down segregation of duties.

(d) Unauthorised changes to data in Master files.

(e) Unauthorised changes to systems or programs.

(f) Failure to make necessary changes to systems or programs.

(g) Inappropriate manual intervention

(h) Potential loss of data or inability to access data as required.

Compiled by: Pankaj Garg

Page 43
Chapter 4 “Risk Assessment and internal Control” ©www.altclasses.in

4.6 –Internal Audit

Q.32 Write short note on: Provisions for applicability of internal audit as per

Companies Act, 2013. [May 16 (4 Marks)]

Answer: Provisions for applicability of internal audit:

As per Section 138 of Companies, Act, 2013 such class or classes of

companies as may be prescribed shall be required to appoint an

internal auditor.

As per Rule 13 of Companies (Accounts) Rules, 2014, following

companies must appoint Internal Auditor:

(1) Every listed company;

(2) Every unlisted public company having-

• paid up share capital of 50 crore rupees or more during the

preceding financial year; or

• turnover of 200 crore rupees or more during the preceding

financial year; or

• outstanding loans or borrowings from banks or public

financial institutions exceeding 100 crore rupees or more at

any point of time during the preceding financial year; or

• outstanding deposits of 25 crore rupees or more at any

point of time during the preceding financial year; and

Compiled by: Pankaj Garg

Page 44
Chapter 4 “Risk Assessment and internal Control” ©www.altclasses.in

(3) Every private company having-

• turnover of 200 crore rupees or more during the preceding

financial year; or

• outstanding loans or borrowings from banks or public

financial institutions exceeding 100 crore rupees or more at

any point of time during the preceding financial year.

Q.33 JKT (P) Ltd. having Rs. 40 lacs paid up capital, Rs. 9.50 crores reserves
and turnover of last three consecutive financial years, immediately
preceding the financial year under audit, being Rs. 49 crores, Rs. 145
crores and Rs. 260 crores, but does not have any internal audit system.
In view of the management, internal audit system is not mandatory.
Comment.

Answer: Applicability of Provisions of Internal Audit:

As per section 138 of the Companies Act, 2013, read with rule 13 of
Companies (Accounts) Rules, 2014 every private company shall be
required to appoint an internal auditor or a firm of internal
auditors, having-

(i) turnover of two hundred crore rupees or more during the

preceding financial year; or

(ii) outstanding loans or borrowings from banks or public financial

institutions exceeding one hundred crore rupees or more at any
point of time during the preceding financial year:

Compiled by: Pankaj Garg

Page 45
Chapter 4 “Risk Assessment and internal Control” ©www.altclasses.in

In the instant case, JKT (P) Ltd. is having turnover of Rs. 260 crores
during the preceding financial year which is more than two
hundred crore rupees. Hence, the Company has the statutory
liability to appoint an Internal Auditor and mandatorily conduct
internal audit.

Q.34 “MMJ Ltd., an unlisted public company, did not appoint any internal
auditor for the financial year ending on 31st March, 2019. The company
had paid up capital of Rs. 20 crores and reserves of Rs. 25 crores. Its
turnover for the preceding 3 years were Rs. 75 crores for the year
ended 31st March, 2018, Rs. 150 crores for March, 2017 and Rs. 190
crores for March, 2016. The company had availed term loan from the
bank of Rs. 130 crores. The outstanding balance of the term loan as on
31st March, 2018 is Rs. 90 crores.”

As an auditor of the company, how would you deal with the above?

[Nov. 18 (5 Marks)]

Answer: Applicability of Provisions of Internal Audit:

As per section 138 of the Companies Act, 2013, read with rule 13 of
Companies (Accounts) Rules, 2014 every unlisted public company
having-

(i) paid up share capital of 50 crore rupees or more during the

preceding financial year; or

(ii) turnover of 200 crore rupees or more during the preceding

financial year; or

Compiled by: Pankaj Garg

Page 46
Chapter 4 “Risk Assessment and internal Control” ©www.altclasses.in

(iii) outstanding loans or borrowings from banks or public financial

institutions exceeding 100 crore rupees or more at any point of

time during the preceding financial year; or

(iv) outstanding deposits of 25 crore rupees or more at any point of

time during the preceding financial year

shall be required to appoint an internal auditor or a firm of internal

auditors,

In the instant case, company is an unlisted public company. Paid up

capital of the company is less than ₹50 crores. Turnover for the

immediate preceding financial year was ₹75 crores, which is lower

than ₹200 Crores. The company had availed term loan from the

bank of ₹130 crores. The outstanding balance of the term loan as on

31st March, 2018 is ₹90 crores.

Conclusion: As the company is having outstanding loan exceeding

₹100 crore at the time when loan was availed during the immediate

preceding year, company has the statutory liability to appoint an

Internal Auditor and mandatorily conduct internal audit. Statutory

Auditor need to state the fact in his report as to noncompliance of

Sec. 138.

Compiled by: Pankaj Garg

Page 47
Chapter 4 “Risk Assessment and internal Control” ©www.altclasses.in

Q.35 Explain the meaning, objectives and scope of internal audit functions as
per SA 610. Also discuss who can be appointed as Internal Auditor?

[RTP-May 19]

Answer: Meaning of Internal Audit Function:

SA 610 “Using the Work of Internal Auditor” internal audit function

is a function of an entity that performs assurance & consulting
activities designed to evaluate and improve the effectiveness of the
entity’s governance, risk management and internal control
processes.

Objective and Scope of Internal Audit Function as per SA 610:

The objectives and scope of internal audit functions typically

include assurance and consulting activities designed to evaluate
and improve the effectiveness of the entity’s governance processes,
risk management and internal control.

1. Activities Relating to Governance: Internal audit function may

assess the governance process in its accomplishment of
objectives on ethics and values, accountability and
communicating risk to appropriate areas of the organization.

2. Activities Relating to Risk Management: Internal audit

function may assist the entity by identifying and evaluating
significant exposures to risk and contributing to the
improvement of risk management and internal control (including
effectiveness of the financial reporting process).

Compiled by: Pankaj Garg

Page 48
Chapter 4 “Risk Assessment and internal Control” ©www.altclasses.in

3. Activities Relating to Internal Control:

(a) Evaluation of internal control: Internal audit function may

be assigned specific responsibility for reviewing controls,
evaluating their operation and recommending improvements
thereto.

(b) Examination of financial and operating information:

Internal audit function may be assigned to review the means
used to identify, recognize, measure, classify and report
financial and operating information, and to make specific
inquiry into individual items, including detailed testing of
transactions, balances and procedures.

(c) Review of operating activities: The internal audit function

may be assigned to review the economy, efficiency and
effectiveness of operating activities, including non-financial
activities of an entity.

(d) Review of compliance with laws and regulations: Internal

audit function may be assigned to review compliance with
laws, regulations and other external requirements, and with
management policies and directives and other internal
requirements.

Persons who can be appointed as internal auditor:

As per Sec. 138 of Companies Act, 2013 read with Rule 13 of

Companies (Accounts) rules, 2014, internal auditor shall either
be a chartered accountant (Whether in Practice or not) or a cost

Compiled by: Pankaj Garg

Page 49
Chapter 4 “Risk Assessment and internal Control” ©www.altclasses.in

accountant, or such other professional as may be decided by the

Board to conduct internal audit of the functions and activities of
the company. Internal Auditor may or may not be an employee of
the company.

Q.36 Board of Directors of MN Ltd. wants to appoint CA B, a practicing

Chartered Accountant, as an internal auditor of the company as they
believe that they could not appoint any other person as an internal
auditor other than practicing chartered accountant.

Examine the correctness of the statement of Board of Directors of MN

Ltd. with respect to provision of Companies Act, 2013.

[Nov. 19 (3 Marks)]

Answer: Eligibility to be appointed as internal auditor:

• As per Sec. 138 of the Companies Act, 2013, internal auditor shall
either be a chartered accountant (Whether in Practice or not) or a
cost accountant, or such other professional as may be decided by
the Board to conduct internal audit of the functions and activities
of the company.

• Internal Auditor may or may not be an employee of the company.

• Hence, the statements that Board of Directors of MN Ltd. wants to

appoint CA B, a practicing Chartered Accountant, as an internal
auditor of the company as they believe that they could not
appoint any other person as an internal auditor other than
practicing chartered accountant, is not correct.

Compiled by: Pankaj Garg

Page 50
Chapter 4 “Risk Assessment and internal Control” ©www.altclasses.in

4.7 – Internal Financial Control (IFC) and Internal Control over Financial

Reporting (ICFR)

Q.37 Write a short note on: Meaning of Internal Financial Control and

Auditor’s responsibilities thereon.

Answer: Meaning of Internal Financial Control:

Sec. 134(5)(e) of Companies Act, 2013 defines the term Internal

Financial Control as the policies and procedures adopted by the

company for ensuring the orderly and efficient conduct of its

business, including

• adherence to company’s policies,

• the safeguarding of its assets,

• the prevention and detection of frauds and errors,

Q.38 Auditor’s reporting on internal financial controls is a requirement
• the accuracy and completeness of the accounting records, and
specified in the Act and, therefore, will apply only in case of reporting
• the timely preparation of reliable financial information.
on financial statements prepared under the Act and reported under
Rule 8(5)(viii) of the Companies (Accounts) Rules, 2014 requires that
Section 143. Explain stating clearly the auditor’s responsibility for
the director’s report should contain details in respect of adequacy of
reporting on internal financial controls over financial reporting.
internal financial controls with reference to the financial reporting.
[RTP-Nov. 18]
Auditor’s Responsibilities w.r.t. Internal Financial Control:

Compiled
Clause (i) of Sec. 143(3) of Companies by: Pankaj
Act, 2013 requires Garg
the
Page 51
company auditor to report whether the company has adequate
Chapter 4 “Risk Assessment and internal Control” ©www.altclasses.in

Answer: Auditors’ Responsibility for Reporting on Internal Financial

Controls over Financial Reporting in India

• Sec. 143(3)(i) of the Companies Act, 2013 requires the

auditors’ report to state whether the company has adequate

internal financial controls with reference to financial

statements in place and the operating effectiveness of such

controls.

• It may be noted that auditor’s reporting on internal financial

controls is a requirement specified in the Act and, therefore,

will apply only in case of reporting on financial statements

prepared under the Act and reported under Section 143.

Accordingly, reporting on internal financial controls will not

be applicable with respect to interim financial statements,

such as quarterly or half-yearly financial statements, unless

such reporting is required under any other law or regulation.

Objectives of an auditor in an audit of internal financial

controls over financial reporting: The auditor's objective in an

audit of internal financial controls over financial reporting is, “to

express an opinion on the effectiveness of the company's internal

financial controls over financial reporting.” It is carried out along

with an audit of the financial statements.

Compiled by: Pankaj Garg

Page 52
Chapter 4 “Risk Assessment and internal Control” ©www.altclasses.in

Objective Type Questions (True/False, Correct/Incorrect)

1 SA 315 has a purpose to establish standards to form procedures to be

followed to have an understanding of the entity and its environment.

Answer: Statement is True. SA 315 “Identifying and Assessing the Risk of

Material Misstatements through Understanding the Entity and its

Environment” deals with the auditor’s responsibility to identify and

assess the risks of material misstatement in the financial statements,

through understanding the entity and its environment, including the

entity’s internal control.

2 The scope of work of an internal auditor may extend even beyond the

financial accounting. [MTP-Oct. 19]

Answer: Statement is Correct.

As per SA 610 “Using the Work of Internal Auditor” the scope of

internal audit function may include:

• Monitoring of internal control

• Examination of financial & operating information

• Review of operating activities

• Review of compliance with laws & regulations

• Risk management

• Governance

Compiled by: Pankaj Garg

Page 53
Chapter 4 “Risk Assessment and internal Control” ©www.altclasses.in

3 Risk of material misstatement may be defined as the risk that the

financial statements are materially misstated subsequent to audit.

Answer: Statement is Incorrect.

• Risk of material misstatements is the risk that the financial

statements may be materially misstated prior to audit.

• It consists of two components – Inherent Risk and Control Risk.

4 Internal control can provide absolute assurance.

Answer: Statement is incorrect.

• Internal control can provide only reasonable but not absolute

assurance that its objective relating to prevention and detection of
errors/frauds, safeguarding of assets etc., are achieved. This is
because it suffers from some inherent limitations.

5 Inherent and Control Risk, and detection risk have same meaning.

[Nov. 13 (2 Marks)]

Answer: Statement is Incorrect.

• Inherent and Control risk constitutes Risk of Material

Misstatements which occurs when related internal controls do not
exists or when exists, are ineffective.

• Detection Risk occurs due to nature of test checking procedures

followed by the auditor while carrying out the audit.

Compiled by: Pankaj Garg

Page 54
Chapter 4 “Risk Assessment and internal Control” ©www.altclasses.in

6 “Maintenance of internal Control system is responsibility of Auditor.

[May 14 (2 Marks)]

Answer: Statement is Incorrect.

• Maintenance of Internal control system is the responsibility of the

Management.

• Auditor evaluates the internal control system for the purpose of

determining Nature, Timing & Extent of Audit procedures.

7 As per section 138 of the Companies Act, 2013 private companies are not

required to appoint internal auditors. [May 15 (2 Marks)]

Answer: Statement is Incorrect.

As per Rule 13 of Companies (Accounts) Rules, 2014, every private

company having turnover of Rs. 200 Cr. or more during the preceding

financial year; or outstanding loans or borrowings from banks or

public financial institutions exceeding Rs. 100 Cr. or more at any point

of time during the preceding financial year must appoint Internal

Auditor.

8 Internal control questionnaires are a good source of identifying

weakness in internal control system. [May 16 (2 Marks)]

Compiled by: Pankaj Garg

Page 55
Chapter 4 “Risk Assessment and internal Control” ©www.altclasses.in

Answer: Statement is correct.

• Internal Control Questionnaire is a set of questions designed to

provide a thorough view of the state of internal control in an

organisation.

• Evaluation through internal control questionnaire now forms an

important part of any properly organised audit with the purpose of

identification of weaknesses in the internal control system.

9 The use of computer facilities by a small enterprise may increase the

control risk.

Answer: Statement is correct.

The use of computer facilities by a small entity may have the effect of

increasing control risk. For example, it is common for users to be able

to perform two or more of the following functions in the accounting

system:

• Initiating and authorizing source documents.

• Entering data into the system.

• Operating the computer.

• Changing programs and data files.

• Using or distributing output.

• Modifying the operating systems.

Compiled by: Pankaj Garg

Page 56
Chapter 4 “Risk Assessment and internal Control” ©www.altclasses.in

10 There is no relation between Inherent risk, Control risk and Detection

risk. [Nov. 17 (2 Marks), MTP-Oct. 19]

Answer: Statement is Incorrect.

• Inherent Risk and Control Risk are collectively known as Risk of

Material Misstatements.

• There is an inverse relationship between detection risk and the

combined level of inherent and control risks. When inherent and
control risks are high, acceptable detection risk needs to be low to
reduce audit risk to an acceptably low level. When inherent and
control risks are low, an auditor can accept a higher detection risk
and still reduce audit risk to an acceptably low level.

11 The assessment of risks is a matter capable of precise measurement.

[MTP-March 18, March 19, RTP-Nov. 19]

Answer: Statement is incorrect.

• The assessment of risks is based on audit procedures to obtain

information necessary for that purpose and evidence obtained
throughout the audit.

• It is a matter of professional judgment, rather than a matter capable

of precise measurement.

12 Control risk is the susceptibility of an account balance or class of

transactions to misstatement that could be material either individually
or, when aggregated with misstatements in other balances or classes,
assuming that there were no related internal controls. [RTP-May 18]

Compiled by: Pankaj Garg

Page 57
Chapter 4 “Risk Assessment and internal Control” ©www.altclasses.in

Answer: Statement is incorrect.

• Susceptibility of an account balance or class of transactions to

misstatement that could be material either individually or, when
aggregated with misstatements in other balances or classes,
assuming that there were no related internal controls is known as
Inherent Risk.

13 The term “internal audit” is defined as the “checks on day to day

transactions which operate continuously as part of the routine system
whereby the work of one person is proved independently or is
complementary to the work of another, the object being the prevention
or early detection of errors or fraud”. [RTP-May 18]

Answer: Statement is incorrect.

• Scope of Standards on Internal Audit, defines the term internal

audit as an independent management function, which involves a
continuous and critical appraisal of the functioning of an entity
witha view to suggest improvements thereto and add value to and
strengthen the overall governance mechanism of the entity,
including the entity’s strategic risk management and internal
control system.

• Checks on day to day transactions which operate continuously as

part of the routine system whereby the work of one person is
proved independently or is complementary to the work of another,
the object being the prevention or early detection of errors or fraud
is known as internal check.

Compiled by: Pankaj Garg

Page 58
Chapter 4 “Risk Assessment and internal Control” ©www.altclasses.in

14 Few members of the Board of Directors oppose the appointment of Mr. N,

an employee of the company, as an Internal Auditor, stating that Mr. N, is
not a Chartered Accountant and further he is an employee of the
company. [May 18 (2 Marks), MTP-April 19]

Answer: Statement is incorrect.

• As per Sec. 138 of Companies Act, 2013 read with Rule 13 of

Companies (Accounts) Rules, 2014, Internal Auditor shall either be
a chartered accountant (Whether in Practice or not) or a cost
accountant, or such other professional as may be decided by the
Board to conduct internal audit of the functions and activities of
the company.

• Internal Auditor may or may not be an employee of the company.

15 Inquiry alone is sufficient to test the operating effectiveness of controls.

[May 18 (2 Marks)]

Answer: Statement is incorrect.

Operating effectiveness of internal controls may be tested through the

following:

(a) Inspection of documents supporting transactions and other

events to gain audit evidence that internal controls have operated
properly.

(b) Inquiries about and observation of internal controls which leave

no audit trail.

(c) Re-performance of internal controls.

(d) Testing of internal controls operating on specific computerised

applications.

Compiled by: Pankaj Garg

Page 59
Chapter 4 “Risk Assessment and internal Control” ©www.altclasses.in

16 The assessment of risks is a matter of professional judgement.

Answer: Statement is correct.

• The assessment of risks is a matter of professional judgment, rather

than a matter capable of precise measurement.

• The assessment of risks is based on audit procedures to obtain

information necessary for that purpose and evidence obtained

throughout the audit.

17 When the auditor has determined that an assessed risk of material

misstatement at the assertion level is a significant risk, the auditor shall

not perform substantive procedures that are specifically responsive to

that risk. [RTP-May 19]

Answer: Statement is incorrect.

• When the auditor has determined that an assessed risk of material

misstatement at the assertion level is a significant risk, the auditor

shall perform substantive procedures that are specifically

responsive to that risk.

• When the approach to a significant risk consists only of substantive

procedures, those procedures shall include tests of details.

Compiled by: Pankaj Garg

Page 60
Chapter 4 “Risk Assessment and internal Control” ©www.altclasses.in

18 The SAs ordinarily refer to inherent risk and control risk separately.

[RTP-May 19]

Answer: Statement is incorrect.

• The SAs do not ordinarily refer to inherent risk and control risk

separately, but rather to a combined assessment of the “risks of

material misstatement”.

• However, the auditor may make separate or combined assessments

of inherent and control risk depending on preferred audit

techniques and practical considerations.

19 Satisfactory Control environment is not an absolute deterrent to fraud.

[May 19 (2 Marks)]

Answer: Statement is correct.

• The existence of a satisfactory control environment work as a

positive factor when the auditor assesses the Risk of Material

Misstatements.

• But at the same time, it is to be kept in mind that a satisfactory

control environment is not an absolute deterrent to fraud.

Deficiencies in the control environment may undermine the

effectiveness of controls, in particular in relation to fraud.

Compiled by: Pankaj Garg

Page 61
Chapter 4 “Risk Assessment and internal Control” ©www.altclasses.in

20 The auditor's reporting on internal financial control will be applicable

with respect to interim financial statements. [Nov. 19 (2 Marks)]

Answer: Statement is incorrect.

• Clause (i) of Sec. 143(3) of Companies Act, 2013 requires the

company auditor to report whether the company has adequate
internal financial controls with reference to financial statements in
place and the operating effectiveness of such controls.
• It may be noted that auditor’s reporting on internal financial
controls is a requirement specified in the Act and, therefore, will
apply only in case of reporting on financial statements prepared
under the Act and reported under Section 143.
• Accordingly, reporting on internal financial controls will not be
applicable with respect to interim financial statements, such as
quarterly or half-yearly financial statements, unless such reporting
is required under any other law or regulation.

21 For an auditor, the Risk assessment procedure provides sufficient

appropriate audit evidence to base the audit opinion. [Nov. 19 (2 Marks)]

Answer: Statement is incorrect.

• The auditor shall perform risk assessment procedures to provide a

basis for the identification and assessment of risks of material
misstatement at the financial statement and assertion levels.
• Risk assessment procedures by themselves, however, do not
provide sufficient appropriate audit evidence on which to base the
audit opinion.

Compiled by: Pankaj Garg

Page 62
Chapter 4 “Risk Assessment and internal Control” ©www.altclasses.in

22 Risk assessment procedures are not performed to obtain an

understanding of the entity and its environment. [RTP-May 20]

Answer: Statement is incorrect.

• Risk assessment procedures refer to the audit procedures

performed to obtain an understanding of the entity and its
environment, including the entity’s internal control, to identify and
assess the risks of material misstatement, whether due to fraud or
error, at the financial statement and assertion levels.

------------------------------

Compiled by: Pankaj Garg

Page 63
Chapter 4 “Risk Assessment and internal Control” ©www.altclasses.in

Notes

__________________________________________________________________________________________________
__________________________________________________________________________________________________
__________________________________________________________________________________________________
__________________________________________________________________________________________________
__________________________________________________________________________________________________

__________________________________________________________________________________________________
__________________________________________________________________________________________________
__________________________________________________________________________________________________
__________________________________________________________________________________________________
__________________________________________________________________________________________________
__________________________________________________________________________________________________
__________________________________________________________________________________________________
__________________________________________________________________________________________________
__________________________________________________________________________________________________
__________________________________________________________________________________________________
__________________________________________________________________________________________________
__________________________________________________________________________________________________
__________________________________________________________________________________________________
__________________________________________________________________________________________________
__________________________________________________________________________________________________
__________________________________________________________________________________________________
__________________________________________________________________________________________________
__________________________________________________________________________________________________
__________________________________________________________________________________________________
__________________________________________________________________________________________________
__________________________________________________________________________________________________

-------------------------
Compiled by: Pankaj Garg
Page 64