8. RISK ASSESSMENT AND INTERNAL CONTROL DEFINITON OF AUDIT RISK & ITS COMPONENTS A. MEANING OF AUDIT RISK: 1. Includes: a. The risk of expressing an inappropriate opinion when the financial statements are materially misstated is termed as audit risk. b. In other words, expression of unmodified opinion in a situation where modified opinion would be suitable. Further the assessment of risk is a matter of professional judgment. 2. Excludes: It does not include a. Risk of expressing a modified opinion when financial statements are not materially misstated. Further, audit risk is a technical term related to the process of auditing and it does not refer Business risk faced by auditor. c B. COMPONENTS OF AUDIT RISK: Audit risk is a function of the risks of material misstatement and detection risk. Au k of Mat Misstatement x Detection 1. RISK OF MMS: The risk that the financial statements are materially misstated prior to audit. This consists of 2 components namely inherent risk and control risk. Further the Risk of MMS is an entity’s risk and will exist irrespective of audit of financial statements. a. INHERENT RISK: i. Inherent risk and control risk are the entity’s risks and they exist independently (Irrespective) of the audit of the financial statements. (They cannot be controlled by auditor.) ii. The risk of that a transaction or balance could be materially misstated before considering the related internal control system. Absence of related control is also termed as inherent risk. . Inherent risk is generally unavoidable and inherent in the system. CHARACTERISTICS OF INHERENT RISK: i. Inherent risk is higher for some assertions and related classes of transactions, account balances, and disclosures than for CA INTER - AUDITING — P6 - SMART NOTES ~ EDITION 2022 ~ BY CA RAM HARSHAothers. For example, it may be higher for complex calculations. ii. External circumstances giving rise to business risks may also influence inherent risk. For example, technological developments might make a particular product obsolete. iii. Factors in the entity and its environment may also influence the inherent risk related to a specific assertion. iv. Inherent risk factors are considered while designing tests of controls and substantive procedures. Category of auditor's assessment, lower or higher, each category covers a range of degrees of inherent risk. v. Auditor may assess the inherent risk of two different assertions as lower while recognizing that one assertion has less inherent risk than the other, although both have been assessed as lower. vi. It is important to consider the reason for each identified inherent risk even if the risk is lower, when the auditor designs tests of controls and substantive procedures. b. CONTROL RISK: i. The risk that the internal control system, fails to prevent, detect or correct a misstatement on a timely basis. ii. This risk is also termed as control weakness or control deficiency. CHARACTERISTICS OF CONTROL RISK: Control risk is a function of the effectiveness of the design, implementation and maintenance of internal control by management. However, internal control can only reduce but not eliminate risks of material misstatement in the financial statements. This is because of the inherent limitations of internal control. c. COMBINED ASSESSMENT: The SAs do not ordinarily refer to inherent risk and control risk separately, but rather to a combined assessment of the “risks of material misstatement”. The auditor may make separate or combined assessments of inherent and control risk depending on preferred audit techniques or methodologies and practical considerations. The assessment of the risks of material misstatement may be expressed in quantitative terms, such as in percentages, or in non-quantitative terms. CA INTER - AUDITING — P6 - SMART NOTES ~ EDITION 2022 ~ BY CA RAM HARSHA eae2. DETECTION RISK: The risk that the audit procedures performed will not detect a material misstatement that exist. C. INTERRELATIONSHIP BETWEEN COMPONENTS: There exists an INVERSE RELATIONSHIP between Risk of MMS and Detection risk. For Example: If the Risk of MMS is high, the auditor will conduct an in- depth audit, resultantly he can detect MMS. FACTORS TO BE CONSIDERED TO EVALUATE CONTROL RISK When making control risk assessment, the auditor shall consider: 1. THE CONTROL ENVIRONMENT’S INFLUENCE OVER INTERNAL CONTROL: a. A control environment that supports the prevention, and detection and correction, of material misstatements allows greater confidence in the reliability of internal control and audit evidence generated within the entity. b. It does not guarantee the effectiveness of specific controls. c. We therefore, test the operating effectiveness of controls over significant class of transactions (SCOTs) when we plan to take a controls reliance strategy. d. The control environment may undermine the effectiveness of specific controls and is a key factor in our control risk assessments. 2. Evaluations of the related IT processes that support application and IT- dependent manual controls. 3. Our testing approach over SCOTs and disclosure processes (i.e., controls reliance or substantive only strategy). 4, The expectation of the operating effectiveness of controls based on the understanding of entity's processes. CONTROL RISK ASSESSMENT WHEN CONTROL DEFICIENCIES ARE IDENTIFIED 1. When auditor identifies deficiencies in internal controls, he evaluates the financial statement items that are affected by ineffective controls in order to evaluate the strategy for the audit of the financial statements. 2. When control deficiencies are identified the auditor may tests more than one control for each relevant assertion. 3. If the controls tested and other compensating controls are effective, the auditor may conclude ‘rely on controls’ is appropriate under control risk assessment. Otherwise, we change our control risk assessment to ‘not rely, on controls.’ ey CA INTER - AUDITING — P6 - SMART NOTES - EDITION 2022 — BY CA RAM HARSHA4. When a deficiency relates to an ineffective control and is the only control identified for a particular assertion, he revises risk assessment to ‘not rely on controls’ for associated assertions. . If the deficiency relates to one WCGW (what can go wrong) out of several Wwcqw’s, he can ‘rely on controls’ but performs additional substantive procedures to adequately address the risks related to the deficiency. (\.e., if one control is weak out of several controls, still the auditor can rely on controls but has to perform additional work.) IDENTIFYING AND ASSESSING RISK OF MATERIAL MISSTATEMENT UNDER SA 315 w 1. The objective of auditor is: a. To identify the risk of MMS at 2 levels: i. Financial statement level. ii. Assertion level. b. To assess (analyse) the risk of MMS for determining its significance. c. To minimise the audit risk to an acceptably low level by properly planning and performing audit (audit procedures) based on risk assessment process. The risk is identified and analysed by understanding the entity and its environment including entity’s internal controls by considering the classes of transactions, account balances, and disclosures in the financial statements. Evaluate whether the risks identified are impacting financial statements at @ pervasive level and affect many assertions potentially. Consider the likelihood of misstatement, including the possibility of multiple misstatements, and whether the potential misstatement is of a magnitude that could result in a material misstatement. . The assessment of risk is a matter of professional judgment rather than a matter capable of precise measurements. Further risk assessment is based ‘on information obtained through risk audit procedures. RISK ASSESSMENT PROCEDURES 1. DEFINITION: The audit procedures performed to obtain an understanding of the entity and its environment, including the entity’s internal control, to xX - * w 143 CA INTER - AUDITING — P6 - SMART NOTES ~ EDITION 2022 ~ BY CA RAM HARSHAidentify and assess the risks of material misstatement, whether due to fraud or error, at the financial statement and assertion levels. 2. The auditor shall perform risk assessment procedures to provide a basis for the identification and assessment of risks of material misstatement at the financial statement and assertion levels. 3. Risk assessment procedures by themselves, do not provide sufficient appropriate audit evidence on which to base the audit opinion. 4. Information obtained by performing risk assessment procedures - Used as audit evidence: a. Information obtained by performing risk assessment procedures and related activities may be used by the auditor as audit evidence to support assessments of the risks of material misstatement. b. In addition, the auditor may obtain audit evidence about classes of transactions, account balances, or disclosures and related assertions and about the operating effectiveness of controls, even though such procedures were not specifically planned as substantive procedures or as tests of controls. c. The auditor also may choose to perform substantive procedures or tests of controls concurrently with risk assessment procedures because it is efficient to do so. 5. The risks to be assessed include both those due to error and those due to fraud. RISK ASSESSMENT PROCEDURES INCLUDES: 1. INQUIRIES OF MANAGEMENT AND OF OTHERS WITHIN THE ENTITY: Much of the information obtained by the auditor's inquiries is obtained from management and those responsible for financial reporting. The auditor may also obtain information, or a different perspective in identifying risks of material misstatement, through inquiries of others within the entity and other employees with different levels of authority. Examples Inquiries with those charged with governance may enable the auditor to understand the environment in which financial statements are prepared. 2. ANALYTICAL PROCEDURES: a. Analytical procedures performed as risk assessment procedures may include both financial and non-financial information, for example, the relationship between profit and number of employees i.e., profit generated per employee. CA INTER - AUDITING — P6 - SMART NOTES ~ EDITION 2022 ~ BY CA RAM HARSHA erb. Analytical procedures may help identify the existence of unusual transactions or events, and amounts, ratios, and trends that might indicate matters that have audit implications. c. When such analytical procedures use data aggregated at a high level the results of those analytical procedures only provide a broad initial indication about whether a material misstatement may exist. d. Analytical procedures include: i. Ratio Analysis ii. Trend Analysis . Reasonableness test iv. Structural modeling (A Statistical tool. Eg; Regression theorem) 3. OBSERVATION AND INSPECTION: a. Observing Entity’s operations. Eg: Production, Accounting etc., b. Inspecting Documents, records, internal control manuals may provide supporting information in addition to inquiries. Eg: Reading Standard Operating Manuals (SOP) c. Inspecting Reports prepared by management and those charged with governance. Eg: Minutes, MIS reports. d. Observing client’s premises like factory, offices etc., UNDERSTANDING AN ENTITY IS A CONTINUOUS AND DYNAMIC PROCESS. COMMENT Obtaining an understanding of the entity and its environment including the entity’s internal control, is a continuous and dynamic process of gathering, updating and analysing information throughout the audit. The understanding establishes a frame of reference within which the auditor plans the audit and exercises professional judgment throughout the audit, for example, when: 1. Assessing risks of material misstatement of the financial statements; 2. Determining materiality in accordance with SA 320; 3. Considering the appropriateness of the selection and application of accounting policies; 4. Identifying areas where special audit consideration may be necessary, for example, related party transactions, the appropriateness of managements use of the going concern assumptior 5. Evaluating the sufficiency and appropriateness of audit evidence obtained. 6. Developing expectations for use when performing analytical procedures. CA INTER - AUDITING — P6 - SMART NOTES ~ EDITION 2022 ~ BY CA RAM HARSHAMEANING AND OBJECTIVES OF INTERNAL CONTROL A. MEANING OF INTERNAL CONTROL: As per SA-315, The internal control may be defined as the process designed, implemented and maintained by those charged with governance, management and other personnel to provide reasonable assurance about the achievement of an entity’s objectives with regard to 1. Reliability of financial reporting, 2. Effectiveness and efficiency of operations, 3. Safeguarding of assets, and 4. Compliance with applicable laws and regulations. B. OBJECTIVES OF INTERNAL CONTROL: 1. Transactions are executed in accordance with managements general or specific authorization. 2. All transactions are promptly recorded in the correct amount in the appropriate accounts and in the accounting period in which executed so as to permit preparation of financial information within a framework of recognized accounting policies and practices and relevant statutory requirements, and to maintain accountability for assets. Assets are safeguarded from unauthorized access, use or disposition and 4. The recorded assets are compared with the existing assets at reasonable intervals and appropriate action is taken with regard to any differences. » UNDERSTANDINGOF ENTITY’S INTERNAL CONTROLS 1. CONTROLS RELEVANT TO AUDIT: The auditor shall obtain an understanding of internal control relevant to the audit. Although most controls relevant to the audit are likely to relate to financial reporting, not all controls that relate to financial reporting are relevant to the audit 2. PROFESSIONAL JUDGMENT: It is a matter of the auditor’s professional judgment whether a control, individually or in combination with others, is relevant to the audit. 3. FACTORS: Factors relevant to the auditor’s judgment about whether a control, individually or in combination with others, is relevant to the audit may include such matters as the following: a. Materiality. b. The significance of the related risk. c. The size of the entity. CA INTER - AUDITING — P6 - SMART NOTES ~ EDITION 2022 ~ BY CA RAM HARSHAd. The nature of the entity’s business, including its organisation and ownership characteristics. e. The diversity and complexity of the entity’s operations. f. Applicable legal and regulatory requirements. g. The circumstances and the applicable component of internal control. h. The nature and complexity of the systems that are part of the entity’s internal control, including the use of service organisations. i. Whether, and how, a specific control, individually or in combination with others, prevents, or detects and corrects, material misstatement. 4. CONTROLS NOT RELEVANT TO AUDIT: An entity generally has controls relating to objectives that are not relevant to an audit and therefore need not be considered. 5. Further, although internal control applies to the entire entity or to any of its operating units or business processes, an understanding of internal control relating to each of the entity’s operating units and business processes may not be relevant to the audit. 6. Benefits of Understanding of Internal Control: An understanding of internal control assists the auditor in: a. Identifying types of potential misstatements. b. Identifying factors that affect the risks of material misstatement, and c. Designing the nature, timing, and extent of further audit procedures, ws Study of Internal Controls a , a ae Nature and Controls Relevant to Nature and Extent of Components of Characteristics audit understanind Controls SS Se Soot SS INHERENT LIMITATIONS OF INTERNAL CONTROLS Internal control, no matter how effective, can provide an entity with only reasonable assurance about achieving the entity’s financial reporting 147 CA INTER - AUDITING — P6 - SMART NOTES ~ EDITION 2022 ~ BY CA RAM HARSHAobjectives. Due to various inherent limitations the objectives may not be achieved fully. The limitations are as below: A. HUMAN JUDGMENT IN DECISION-MAKING: a. Judgment in decision-making can be faulty and that leads to failure in the internal control because of human error. b. There may be an error in the design of a control. B. LACK OF UNDERSTANDING THE PURPOSE: a. The person responsible to review the control may not understand the basic purpose of such control. b. This leads to ineffective utilisation of exception reports and taking a wrong course of action. C. COLLUSION AMONG PEOPLE: a. Controls can be overridden by the collusion of two or more people or inappropriate management override of internal control. b. For example, management may enter into side agreements with customers that alter the terms and conditions of the entity’s standard sales contracts, which may result in improper revenue recognition D. COST EXCEEDING BENEFITS: a. In Few situations the cost of designing and maintaining the controls may exceed the benefits there from. Resultantly the management may not implement such controls leading to excess cost. E. LIMITATIONS IN CASE OF SMALL ENTITIES: a. Smaller entities often have fewer employees due to which segregation of duties is not practicable. b. The owner-manager may be able to exercise more effective oversight than in a larger entity. c. This oversight may limit opportunities for segregation of duties. d. Further the owner-manager may override controls because the system of internal control is less structured. CONTROLS OVER THE COMPLETENESS AND ACCCURACY OF INFORMATION 1. Controls over the completeness and accuracy of information produced by the entity may be relevant to the audit if the auditor intends to make use of the information in designing and performing further procedures. CA INTER - AUDITING — P6 - SMART NOTES ~ EDITION 2022 ~ BY CA RAM HARSHA2. For example, in auditing revenue by applying standard prices to records of sales volume, the auditor considers the accuracy of the price information and the completeness and accuracy of the sales volume data. 3. Controls relating to operations and compliance objectives may also be relevant to an audit if they relate to data the auditor evaluates or uses in applying audit procedures. NTERNAL CONTROLS OVER SAFEGAURDING OF ASSETS 1. Internal control over safeguarding of assets against unauthorised acquisition, use, or disposition may include controls relating to both financial reporting and operations objectives. 2. FINANCIAL REPORTING OBJECTIVE: The auditor’s consideration of such controls is generally limited to those relevant to the reliability of financial reporting. For example, use of access controls, such as passwords, that limit access to the data and programs that process cash disbursements may be relevant to a financial statement audit. 3. OPERATIONAL OBJECTIVE: Conversely, safeguarding controls relating to operations objectives, such as controls to prevent the excessive use of materials in production, generally are not relevant to a financial statement audit. (E.g., Targets related to input output ratio may not be related to auditor.) NATURE AND EXTENT OF THE UNDERSTANDING OF RELEVANT CONTROLS 1. Evaluating the design of a control involves considering whether the control, individually or in combination with other controls, is capable of effectively preventing, or detecting and correcting, material misstatements. 2. Implementation of a control means that the control exists and that the entity is using it. The design of a control is considered first. An improperly designed control may represent a significant deficiency in internal control. 3. Risk assessment procedures to obtain audit evidence about the design and implementation of relevant controls may include: a. Inquiring of entity personnel. b. Observing the application of specific controls. c. Inspecting documents and reports. d. Tracing transactions through the information system relevant to financial reporting. CA INTER - AUDITING — P6 - SMART NOTES ~ EDITION 2022 ~ BY CA RAM HARSHA4. Obtaining an understanding of an entity’s controls is not sufficient to test their operating effectiveness, unless there is some automation that provides for the consistent operation of the controls. COMPONENTS OF INTERNAL CONTROLS The division of internal control into the following 5 components provides a useful framework for auditors to understand how different aspects of an entity’s internal control may affect the audit. The following are components of control environment: 1. The control Environment (Governance, management structure and Culture of honesty). 2. Entity’s risk assessment process (Identification of risk to design a control to mitigate it). 3. Information system, including related business process, relevant to financial reporting. 4. Control activities (Implement and Review of policies to be implemented). 5. Monitoring of controls (Testing of controls to update them). CONTROL ENVIRONMENT AND ITS ELEMENTS A. CONTROL ENVIRONMENT INCLUDES: The control environment includes: 1. The governance and management functions. 2. The attitudes, awareness, and actions of those charged with governance and management. 3. The control environment sets the tone of an organization, influencing the control consciousness of its people B. ELEMENTS OF CONTROL ENVIRONMENT: Elements of control environment may be relevant to obtain an understanding of control environment which includes the following: 1. Communication and enforcement of integrity and ethical values: These are essential elements that influence the effectiveness of the design, administration and monitoring of controls. 2. Commitment to competence: Matters such as management’s consideration of the competence levels for particular jobs and how those levels translate into requisite skills and knowledge. 3. Participation by those charged with governance: Attributes of those charged with governance such as: CA INTER - AUDITING — P6 - SMART NOTES ~ EDITION 2022 ~ BY CA RAM HARSHAa. Their independence from management. b. Their experience and stature. c. The extent of their involvement and the information they receive, and the scrutiny of activities. d. The appropriateness of their actions, including the degree to which difficult questions are raised and pursued with management, and their interaction with internal and external auditors. 4, Management’s philosophy and operating style: Characteristics such as management's: a. Approach to taking and managing business risks. b. Attitudes and actions toward financial reporting. c. Attitudes toward information processing and accounting functions and personnel. 5. Organisational structure: The framework within which an entity’s activities for achieving its objectives are planned, executed, controlled, and reviewed. 6. Assignment of authority and responsibility: Matters such as how authority and responsibility for operating activities are assigned and how reporting relationships and authorisation hierarchies are established. 7. Human resource policies and practices: Policies and practices that relate to, for example, recruitment, orientation, training, evaluation, counselling, promotion, compensation, and remedial actions. ENTITY’S RISK ASSESSMENT PROCESS WHICH IS A COMPONENT OF CONTROL ENVIROMENT The auditor shall obtain an understanding of whether the entity has a process for: 1. Identifying business risks relevant to financial reporting objectives. (E.g. Doctor Prescription vs Bill) 2. Estimating the significance of the risks. 3. Assessing the likelihood of their occurrence and 4. Deciding about actions to address those risks. The entity’s risk assessment process helps to identify the basis for the risks to be managed. If that process is appropriate, it would assist the auditor in identifying risks of material misstatement. Whether the entity’s risk assessment process is appropriate to the circumstances is a matter of judgment. CA INTER - AUDITING — P6 - SMART NOTES ~ EDITION 2022 ~ BY CA RAM HARSHACONTROL ACTIVITIES AS A COMPONENT OD INTERNAL CONTROL SYSTEM 1. MEANING OF CONTROL ACTIVITIES: The policies and procedures that help ensure that management directives are carried out. E.g., Authorisations, SOD, Physical controls and performance reviews. 2. Control activities, whether within IT or manual systems, have various objectives and are applied at various organisational and functional levels. 3. An audit requires an understanding of only those control activities related to significant class of transactions, account balance, and disclosure in the financial statements which the auditor finds relevant in the risk assessment process. 4. Control activities related to audit are determined as below: a. Control activities that relate to items of financial statements where auditor finds significant risks and where substantive procedures alone do not provide sufficient and appropriate audit evidence or b. These are relevant in the professional judgment of the auditor. SIGNIFICANT RISK Significant risks are inherent risks with both a higher likelihood of occurrence and a higher magnitude of potential misstatement. The auditor assesses assertions affected by a significant risk as higher inherent risk. The following are always significant risks: 1. Risks of material misstatement due to fraud. 2. Significant transactions with related parties that are outside the normal course of business for the entity. In exercising judgment as to whether the risks identified in risk assessment process are significant risk, the auditor shall consider the following factors: 1. Whether the risk is a risk of fraud. 2. Whether the risk is related to recent significant economic, accounting, or other developments like changes in regulatory environment, etc., and, therefore, requires specific attention. The complexity of transactions Whether the risk involves significant transactions with related parties The degree of subjectivity in the measurement of financial information. Whether the risk involves significant transactions that are outside the normal course of business for the entity, or that otherwise appear to be unusual. BS CA INTER - AUDITING — P6 - SMART NOTES ~ EDITION 2022 ~ BY CA RAM HARSHAMONITORING OF CONTROLS AS A FINAL COMPONENT OF INTERNAL CONTROL The auditor shall obtain an understanding of the major activities that the entity uses to monitor internal control over financial reporting: (IFCOFR) 1. Monitoring of controls is a process to assess the effectiveness of internal control performance over time. (E.g., Internal Audit) (E.g., Walk through test). 2. It involves assessing the effectiveness of controls on a timely basis and taking necessary remedial actions. 3. Management accomplishes monitoring of controls through ongoing activities, separate evaluations, or a combination of the two. Ongoing monitoring activities are often built into the normal recurring activities of an entity and include regular management and supervisory activities. 4. Management’s monitoring activities may include using information from communications from external parties. 5. In case of small businesses, Management's monitoring of control is often accomplished by managements or the owner-manager’s close involvement in operations. This involvement often will identify significant variances from expectations and inaccuracies in financial data leading to remedial action to the control. MONITORING OF CONTROLS WHERE THE WNTITY HAS INTERNAL AUDIT FUNCTION If the entity has an internal audit function, the auditor shall obtain an understanding of the following: 1. The internal audit function’s responsibilities and how the internal audit function fits in the entity’s organisational structure and 2. The activities performed, or to be performed, by the internal audit function. 3. The following points merit consideration in this regard: a. Internal Audit Function relevant to the Audit: The entity’s internal audit function is likely to be relevant to the audit (SA 610 APPLIES) if its activities are related to the entity’s financial reporting. Also, if the auditor expects to use the work of the internal auditors to modify the audit procedures to be performed. b. Size and Structure of the Entity: The objectives of an internal audit function vary widely depending on the size and structure of the entity and the requirements of management. CA INTER - AUDITING — P6 - SMART NOTES ~ EDITION 2022 ~ BY CA RAM HARSHAc. Internal audit function may include: The responsibilities of an internal audit function may include, monitoring of internal control, risk management, and review of compliance with laws and regulations. On the other hand, the responsibilities of the internal audit function may be limited to the review of the economy, efficiency and effectiveness of operations, for example, and accordingly, may not relate to the entity’s financial reporting. d. External auditor's activities on the basis of Internal Audit activities: If the internal audit function’s responsibilities are related to the entity’s financial reporting, the external auditor’s consideration of the activities performed may include review of the internal audit function’s audit plan for the period. SATISFACTORY CONTROL ENVIRONMENT NOT AN ABSOLUTE DETERRENT TO FRAUD. EXPLAIN. 1. The existence of a satisfactory control environment can be a positive factor when the auditor assesses the risks of material misstatement. Although it may help reduce the risk of fraud, a satisfactory control environment is not an absolute deterrent to fraud. 2. Conversely, deficiencies in the control environment may undermine the effectiveness of controls, in particular in relation to fraud. 3. For example, management's failure to commit sufficient resources to address IT security risks may adversely affect internal control by allowing improper changes to be made to computer programs or to data, or unauthorized transactions to be processed. 4. As explained in SA 330, the control environment also influences the nature, timing, and extent of the auditor's further procedures 5. The control environment in itself does not prevent, or detect and correct, a material misstatement. It may influence the auditor's evaluation of the effectiveness of other controls and thereby, the auditor’s assessment of the risks of material misstatement. BENEFITS OF INTERNAL CONTROL EVALUATION The examination and evaluation of the internal control system is an indispensable part of the overall audit programme. The auditor needs reasonable assurance that the accounting system is adequate and that all the accounting information which should be recorded has in fact been recorded. Internal control normally contributes to such assurance. The auditor should gain an understanding of the accounting system and related internal controls ra tz CA INTER - AUDITING — P6 - SMART NOTES ~ EDITION 2022 ~ BY CA RAM HARSHAand should study and evaluate the operations of these internal controls upon which he wishes to rely in determining the nature, timing and extent of other audit procedures. BENEFITS OF EVALUATION OF INTERNAL CONTROL TO THE AUDITOR: The review of internal controls will enable the auditor to know: 1. 2: 3 . How management is discharging its function for correct recording of . How reliable the reports, records and the ce! . The extent and the depth of the examination that he needs to carry out in . What are the areas where control is weak; and . Whether any suggestions can be given to improve the control system to Whether an adequate internal control system is in use and operating as planned by the management; Whether an effective internal auditing department is operating; Whether the controls adequately safeguard the assets; transactions; icates to the management can be; the different areas of accounting; What would be appropriate audit technique and the audit procedure in the given circumstances; management by auditor. METHODS FOR EVALUATION OF INTERNAL CONTROLS BY THE AUDITOR . The first step involves determination of the control and procedures laid . To acquaint himself about how all the accounting information is collected . In many cases, very little of this information is available in writing; the . It would be better if he makes written notes of the relevant information . To facilitate the accumulation of the information necessary for the proper down by the management. By reading company manuals, studying organisation charts and flow charts and by making suitable enquiries from the officers and employees, the auditor may ascertain the character, scope and efficacy of the control system. and processed and to learn the nature of controls that makes the information reliable and protect the company’s assets, calls for considerable skill and knowledge. auditor must ask the right people the right questions if he is to get the information he wants. and procedures contained in the manual or ascertained on enquiry. review and evaluation of internal controls, the auditor can use one of the Ea sy CA INTER - AUDITING — P6 - SMART NOTES ~ EDITION 2022 ~ BY CA RAM HARSHAfollowing to help him to know and assimilate the system and evaluate the same: a. NARRATIVE RECORD: This is a complete and exhaustive description of the system as found in operation by the auditor. Actual testing and observation are necessary before such a record can be developed. It may be recommended in cases where no formal control system is in operation It would be more suited to small business. The basic disadvantages of narrative records are: To comprehend the system in operation is quite difficult. . To identify weaknesses or gaps in the system. |. To incorporate changes arising on account of reshuffling of manpower, etc. b. CHECK LIST: This is a series of instructions or questions which a member of the auditing staff must follow or answer. i. The Instructions and Questions are framed according to the desirable elements of control. ii. When he completes instruction, he shall mark the space against the instruction. iii. Answers to the check list instructions are usually Yes, No or Not Applicable. c. INTERNAL CONTROL QUESTIONNAIRE (ICQ): i. This is a comprehensive series of questions concerning internal control. This is the most widely used form for collecting information about the existence, operation and efficiency of internal control in an organisation. ii. An important advantage of the questionnaire approach is that oversight or omission of significant internal control review procedures is less likely to occur with this method. iii. With a proper questionnaire, all internal control evaluation can be completed at one time or in sections. The review can more easily be made on an interim basis. iv. The questionnaire form also provides an orderly means of disclosing control defects. It is the general practice to review the internal control system annually and record the review in detail. v. In the questionnaire, generally questions are so framed that a ‘Yes’ answer denotes satisfactory position and a ‘No’ answer CA INTER - AUDITING — P6 - SMART NOTES ~ EDITION 2022 ~ BY CA RAM HARSHAsuggests weakness. Provision is made for an explanation or further details of ‘No’ answers. In respect of questions not relevant to the business, ‘Not Applicable’ reply is given. vi. The questionnaire is usually issued to the client and the client is requested to get it filled by the concerned executives and employees. vii. If on a review of the answers, inconsistencies or apparent weaknesses are noticed, the matter is further discussed by auditor's staff with the client’s employees for a clear picture. The concerned auditor then prepares a report of deficiencies and recommendations for improvement. d. FLOWCHARTS: i. It is a graphic presentation of each part of the company’s system of internal control such as the nature of its activities and various channels of goods and materials as well as cash, both inward and outward. ii. A flowchart is considered to be the most concise i.e. briefest way of recording the auditor understanding and evaluation of the internal control system in the correct perspective. iii. It minimizes the amount of narrative explanation. iv. It gives bird’s eye view of the entire process of manufacturing, trading and administration. v. The flow of transactions through various stages can be easily spotted and improvements can be suggested. TESTS OF CONTROLS AND ITS PURPOSE 1. PUROPSE: Tests of control are performed to obtain audit evidence about the effectiveness of: a. Design of the accounting and internal control systems, that is, whether they are suitably designed to prevent or detect and correct material misstatements or not; and b. Operation of the internal controls throughout the period. c. The testing is being carried out on selective basis and will cover all important areas that are relevant to financial statements. 2. TESTS OF CONTROL MAY INCLUDE: a. Inspection of documents supporting transactions and other events to gain audit evidence that internal controls have operated properly. For example, verifying that a transaction has been authorized. CA INTER - AUDITING — P6 - SMART NOTES ~ EDITION 2022 ~ BY CA RAM HARSHAb. Inquiries about internal controls and observation of internal controls. For example, determining who actually performs each function and not merely who is supposed to perform it. c. Re-performance of internal controls. For example, reconciliation of bank accounts, to ensure that they were correctly performed by the entity. d. Testing of internal control operating on specific computerised applications or over the overall information technology function. For example, access or program change controls. 3. It has been suggested that actual operation of the internal control should be tested by the application of procedural tests and examination in depth. Procedural tests simply mean testing of the compliance with the procedures laid down by the management in respect of initiation, authorisation, recording and documentation of transaction at each stage through which it flows. INTERNAL CONTROL AND IT ENVIRONMENT An entity’s system of internal control contains manual elements and often contains automated elements. The characteristics of manual or automated elements are explained hereunder: The use of manual or automated elements in internal control affects the manner in which transactions are initiated, recorded, processed, and reported: a. Controls in a manual system may include such procedures as approvals and reviews of transactions, and reconciliations and follow-up of reconciling items. b. An entity may use automated procedures to initiate, record, process, and report transactions, in which case records in electronic format replace paper documents. c. Further, manual controls may be independent of IT, may use information produced by IT, or may be limited to monitoring the effective functioning of IT and of automated controls. d. Generally manual elements in internal control are less reliable than automated elements because they can be more easily bypassed, ignored, or overridden and they are also more prone to simple errors and mistakes. Consistency of application of a manual control element cannot therefore be assumed. MATERIALITY AND AUDIT RISK. CA INTER - AUDITING — P6 - SMART NOTES ~ EDITION 2022 ~ BY CA RAM HARSHA1. MATERIALITY: The concept of materiality is applied by the auditor both in planning and performing the audit, and in evaluating the effect of identified misstatements on the audit and of uncorrected misstatements, on the financial statements and in forming the opinion in the auditor’s report. 2. AUDIT RISK: Audit risk is the risk that the auditor expresses an inappropriate audit opinion when the financial statements are materially misstated. Audit risk is a function of the risks of material misstatement and detection risk. 3. CONSIDERATION OF BOTH: Materiality and audit risk are considered throughout the audit, in particular, when: a. Identifying and assessing the risks of material misstatement. b. Determining the nature, timing and extent of further audit procedures and c. Evaluating the effect of uncorrected misstatements, if any, on the financial statements and in forming the opinion in the auditor’s report. DOCUMENTING THE RISK IDENTIFIED AND ASSESSED BY THE AUDITOR The auditor shall documen 1. The discussion among the engagement team and the significant decisions reached; 2. Key elements of the understanding obtained regarding each of the aspects of the entity and its environment. 3. The identified and assessed risks of material misstatement at the financial statement level and at the assertion level and 4. The risks identified, and related controls about which the auditor has obtained an understanding. CONCEPT OF INTERNAL AUDIT MEANING: An independent management function, which involves a continuous and critical appraisal of the functioning of an entity with a view: 1. To suggest improvements thereto and 2. Add value to and strengthen the overall: a. Governance mechanism of the entity, b. Strategic risk management and c. Internal control system. OBJECTIVE AND SCOPE: The objectives and scope of internal audit functions typically include assurance and consulting a s designed to evaluate and CA INTER - AUDITING — P6 - SMART NOTES — EDITION 2022 — BY CA RAM HARSHAimprove the effectiveness of the entity’s governance processes, risk management and internal control such as the following: 1. ACTIVITIES RELATING TO GOVERNANCE: The internal audit function may assess the governance process in its accomplishment of objectives on ethics and values, performance management and accountability. 2. ACTIVITIES RELATING TO RISK MANAGEMENT: The internal audit function may assist the entity by identifying and evaluating significant exposures to risk and contributing to the improvement of risk management and internal control. 3. ACTIVITIES RELATING TO INTERNAL CONTROL: a. Evaluation of internal control: The internal audit function may be assigned specific responsibility for reviewing controls, evaluating their operation and recommending improvements thereto. b. Examination of financial and operating information: The internal audit function may be assigned to review the means used to identify, recognize, measure, classify and report financial and operating information. c. Review of operating activities: The internal audit function may be assigned to review the economy, efficiency and effectiveness of operating activities, including nonfinancial activities of an entity. d. Review of compliance with laws and regulations: The internal audit function may be assigned to review compliance with laws, regulations and other external requirements, and with management policies and directives and other internal requirements. INTERNAL FINANCIAL CONTROLS WITH REFERENE TO FINANCIAL STATEMENTS AND THEIR REPORTING REQUIREMENTS OBJECTIVE AND PURPOSE OF INTERNAL FINANCIAL CONTROLS: Internal financial controls are the policies and procedures adopted by the company for ensuring the orderly and efficient conduct of its business, including adherence to company’s policies, 1. The safeguarding of its assets. 2. The prevention and detection of frauds and errors. 3. The accuracy and completeness of the accounting records. 4 The timely preparation of reliable financial information. 160 CA INTER - AUDITING — P6 - SMART NOTES ~ EDITION 2022 ~ BY CA RAM HARSHA5. Compliance with applicable laws and regulations. AUDITORS’ RESPONSIBILITY: SEC. 143(3)(I): 1. The auditor shall express an opinion on effectiveness of internal financial controls with reference to financial statements. 2. It may be noted that auditor’s reporting on internal financial controls is a requirement specified in the Act and, therefore, will apply only in case of reporting on financial statements prepared under the Act and reported under Section 143. 3. Further this reporting responsibility is applicable only in respect of Audit of Annual financial statements and not applicable for Interim or Quarterly financial statements. IFC VS IFC WITH REFERENCE TO FINANCIAL STATEMENTS INTERNAL FINANCIAL CONTROL: As per Sec. 134(5)(e) of companies act, 2013, internal financial controls means, the policies and procedures adopted by the company for ensuring the orderly and efficient conduct of its business, including adherence to company’s policies, the safeguarding of its assets, the prevention and detection of frauds and errors, the accuracy and completeness of the accounting records, and the timely preparation of reliable financial information. INTERNAL FINANCIAL CONTROLS WITH REFERENCE TO FINANCIAL STATEMENTS: In this case the auditor has to express opinion on operating effectiveness of internal financial control with reference to financial statements. This opinion is in addition to the opinion expressed on financial statements of the entity. 161 CA INTER - AUDITING — P6 - SMART NOTES ~ EDITION 2022 ~ BY CA RAM HARSHA