RIS K ASSESSMENT &

INTERNAL CONTROLS
BY C A , I S A , M A ( E C O ) , B . C O M
MRUGESH MADL ANI
AUDIT RISK

• It is a risk that Auditor gives inappropriate opinion when the

financial statements are materially misstated

• It is risk that auditor may fail to express an appropriate opinion in

an audit assignment
• It does not include risk that auditor might express an opinion that
financial statements are materially misstated when they are not
RISK OF MATERIAL MISSTATEMENT
CONSISTS OF 2 COMPONENTS :
• Inherent Risk – Possibility of an assertion about class of
transaction , account balance or disclosures to a material
misstatement either individually or when aggregated with other
misstatement , before consideration of any related controls

• Control Risk – Risk that there could be material misstatement in

class of transaction , account balance or disclosures either
individually or when aggregated with other misstatement
because failure of controls to prevent or detect & correct risk of
material misstatement
DETECTION RISK

• It is a risk that audit procedures performed by the auditor will not

detect a misstatement that could be material either individually or
when aggregated with other misstatements
RISK OF MATERIAL MISSTATEMENT AT
2 LEVELS -
• Overall Financial Statement Level – That relate pervasively to
financial statements as a whole & potentially affect many
assertions

• Assertion Level for class of transactions , account balances &

disclosures - These risks are assessed to determine nature ,
timing & extent of further audit procedures necessary to
obtain sufficient appropriate audit evidence which enables
auditor to express an opinion on financial statements at an
AUDITOR ASSESSES CONTROL RISK AS
TO RELY OR NOT RELY ON CONTROLS
• Control environment’s influence over Internal Control . A favourable
Environment allows greater reliability in internal controls , However it
does not guarantee effectiveness of specific controls
• We therefore test operating effectiveness of controls over Significant
Class of Transactions (SCOT’s) , when we plan a controls reliance
strategy
• Evaluation of related IT processes that support application & IT
dependent manual controls
• Out testing approach over SCOT’s & disclosure processes (controls
reliance or substantive only strategy)
• Expectation of operating effectiveness of controls based on
CONTROL RISK ASSESSMENT WHEN
CONTROL DEFICIENCIES ARE IDENTIFIED
• When auditor identified deficiencies in Internal controls , he
determines significant financial statement assertions that are affected
by ineffective controls to decide audit strategy for audit of financial
statements
• When there are control deficiencies , auditor identifies & tests more
than one control for each relevant assertion
• If auditor determines they support “rely on controls” or if
compensating controls are effective , still “rely on controls” is effective.
If not we change our control assessment to “not reply on controls”
• When there is only one control for that assertions , he revises risk
assessment to “not reply on controls” as no other controls are there to
mitigate risk related to that assertion
IDENTIFY & ASSESS RISK OF
MATERIAL MISSTATEMENTS
• Auditor shall identify & assess risk of material misstatements at –

• Financial Statement Level

• Assertion Level for classes of transactions , account balances &
disclosures to provide basis for designing & performing further audit
procedures
IDENTIFYING & ASSESSING RISK OF
MATERIAL MISSTATEMENT AUDITOR
SHALL
• Obtain Understanding of entity , its environment including relevant
controls that relate to risk
• Assess the identified risk & evaluate whether they related pervasively
to financial statements as a whole & affect many assertions
• Relate to identified risks to what can go wrong at assertion level ,
taking account of relevant controls that auditor intends to test
• Evaluate the probability & impact of risk and whether it can be material
misstatement
INFORMATION OBTAINED BY
PERFORMING RISK ASSESSMENT
PROCEDURES –USED AS AUDIT EVIDENCE
• It may be used as audit evidence to support assessments of risk of
material misstatement
• In addition auditor may obtain audit evidence about class of
transactions , account balances or disclosures & related assertions &
about operating effectiveness of controls , even thou such procedures
were not specifically planned as substantive procedures or as test of
controls
• Auditor may also perform substantive procedures or test of controls
along with risk assessment procedures if they feel to do so
WHAT IS INCLUDED IN RISK
ASSESSMENT PROEDURES TO GET AUDIT
EVIDENCE- (AIO)
• Inquiries with management & other within Entity – Much Information is
obtained from management and those responsible for financial reporting .
However , auditor may obtain information or different perspective from
inquiry of others within the entity and other employees with different levels of
authority

• Analytical Procedures – To identify aspects of entity auditor was unaware that

may assist to identify risk of material misstatements . It helps to identify
unusual transactions or events and amounts , ratios & trends that have
implications on entity

• Observation & Inspection – May support inquiries and others and may
provide information about entity and its environment
THE AUDITOR SHALL OBTAIN AN
UNDERSTANDING OF THE FOLLOWING
1. Relevant industry, regulatory, and other external factors including the applicable financial
reporting framework.
2. The nature of the entity, including:
• its operations;
• its ownership and governance structures;
• the types of investments that the entity is making and plans to make, including investments in
special-purpose entities; and
• the way that the entity is structured and how it is financed; to enable the auditor to
understand the classes of transactions, account balances, and disclosures to be expected in the
financial statements.
1. The entity’s selection and application of accounting policies, including the reasons for
changes thereto. The auditor shall evaluate whether the entity’s accounting policies are
appropriate for its business and consistent with the applicable financial reporting framework
and accounting policies used in the relevant industry.
2. The entity’s objectives and strategies, and those related business risks that may result in risks
NICE REVIEW
1. The nature of the entity, including:
• its operations;
• its ownership and governance structures;
• the types of investments that the entity is making and plans to make, including
investments in special-purpose entities; and
• the way that the entity is structured and how it is financed; to enable the auditor to
understand the classes of transactions, account balances, and disclosures to be expected
in the financial statements.
2. Relevant industry, regulatory, and other external factors including the applicable
financial reporting framework
3. The entity’s selection and application of accounting policies, including the reasons for
changes thereto
4. The entity’s objectives and strategies, and those related business risks that may result in
risks of material misstatement.
5. The measurement and review of the entity’s financial performance
INTERNAL CONTROLS

• As per SA 315 Internal Control can be defined as “Process

designed , implemented & maintained by those charged with
governance , management & other personnel to provide
reasonable assurance about achievement of entity’s objectives
with regards to (CARE)
• Compliance with applicable laws & regulations
• Safeguarding of Assets
• Reliability of Financial reporting
• Effectiveness & efficiency of operations
OBJECTIVES OF INTERNAL CONTROL

• Transactions are executed in accordance with management’s

general or specific authorization
• All transactions are promptly recorded in the correct amount
in the appropriate accounts & in the accounting period
• Assets are safeguarded from unauthorized access , use or
disposition &
• Recorded assets are compared with existing assets at
reasonable intervals & appropriate action is taken with
regard to differences
CONTROL RELEVANT TO AUDIT
• Auditor should obtain understanding of internal controls relevant to
audit. Although most controls relevant to audit are likely to relate to
financial reporting
• But not all controls relating to financial reporting , will relate to audit

• Benefits of Understanding of Internal Controls

• Identifying types of potential misstatements
• Identifying factors that affect risk of material misstatements
• Determining Nature , Timing & Extent of further audit procedures
STUDY OF VARIOUS ASPECTS OF
INTERNAL CONTROL
• General Nature & Characteristics of Internal Control
• Controls Relevant to Audit
• Nature & Extent of Understanding of Relevant Controls
(Relevant to Audit)
• Components of Internal Control
GENERAL NATURE & CHARACTERISTICS
OF INTERNAL CONTROL
• Purpose of Internal Control
• Internal controls are designed , implemented & maintained to achieve
entity’s objective that relates to (CARE) :
• Compliance with laws & regulations
• Safeguarding of Assets
• Reliability of Financial Reporting
• Effectiveness & Efficiency of operations
LIMITATIONS OF INTERNAL CONTROL
(JUDGEMENT IN LIC)
• Human Judgement in decision making
• Judgements by management
• Lack of Understanding the purpose of control
• Limitations in case of Small Entities
• Internal Control can only provide reasonable assurance
• Collusion among people
CONTROLS RELEVANT TO AUDIT –
FACTORS TO BE KEPT IN MIND FOR
FINDING CONTROLS RELEVANT TO AUDIT
• Size of the entity
• Nature of entity’s business including its organisation & ownership
characteristics
• Nature & Complexity of system
• Diversity & Complexity of entity operations
• Applicable legal & regulatory requirements
• Circumstance & applicable component of internal control
• Materiality
• Significance of related risk
• Whether control individually or in combination with other prevents ,
CONTROLS OVER COMPLETENESS &
ACCURACY OF INFORMATION
• Controls over Completeness & Accuracy of Information – It is relevant to
audit if auditor intends to make use of information in designing & performing
further audit procedures
• Controls relating to Operations & Compliance Objectives – It is relevant to
audit if they relate to data auditor evaluates or uses in applying audit
procedures

• Internal Controls over Safeguarding of Assets

• Financial Reporting –Auditor’s consideration of such controls is limited to
those relevant to reliability of financial reporting
• Operating Objectives – Safeguarding controls related to operating objectives
are not relevant to financial statement audit
CONTROLS RELATING TO OBJECTIVES
THAT ARE NOT RELEVANT TO AUDIT
• Controls relating to objectives that are not relevant to audit need not to be
considered

• Statute May Require Auditor to report on Compliance with Certain Controls –

• If Statute tells Auditor to report on certain controls , the auditor’s review of

internal control may be broader and more detailed and such controls are
relevant to audit
 NATURE & EXTENT OF UNDERSTANDING
OF RELEVANT CONTROLS (AUDIT)
• Evaluating the Design – Involves considering whether control individually or in
combination can effectively prevent or detect & correct material misstatements
• Implementation – Means controls exists & entity is using it. First we see design
& only them implementation
• Risk Assessment Procedures – Procedures performed to obtain audit evidence
about Design & Implementation of relevant Controls include –
1. Inquiring with entity personnel
2. Observing application of specific controls
3. Inspecting documents & reports
4. Tracing Transactions through system relevant to financial reporting
• Obtaining understanding of entity’s control is not sufficient to test operating
effectiveness of such controls , unless they are automated controls
COMPONENTS OF INTERNAL
CONTROLS
• Internal Controls are divided into 5 components , which
provides auditor useful framework to consider How different
aspects on an entity’s internal controls may affect the audit
1. Control Environment
2. Risk Assessment
3. Information System including Related Business Process
4. Control Activity
5. Monitoring
CONTROL ENVIRONMENT
• Control Environment sets the tone of the organisation ,
influencing the control consciousness of its people
• Elements of Control Environment – Which helps us in
understanding the Control Environment are :
• Organisational Structure – Framework within which activities are
planned , executed , controlled & reviewed for achieving
objectivities
• Communication & Enforcement of Integrity & Ethical Values – Will
Influence design , administration & monitoring of controls
• Assignment of Authority & Responsibility – How operating
activities are assigned , reporting relationships & authorization
• Management Philosophy & Operating Style – Management’s approach
to taking & managing business risk , actions towards financial reporting
, information processing & accounting functions & personnel
• Participation by those Charged with Governance – Their Independence
from management , experience & stature , extent of their involvement
& information they receive & appropriateness of their actions
• Human Resource Policies & Practices – Policies regarding recruitment ,
orientation , training , evaluation , counselling , promotion ,
compensation & remedial actions
• Commitment to Competence – Management’s consideration of
competence levels for particular jobs and how those levels translate
into requisite skills & knowledge
ELEMENTS OF CONTROL
ENVIRONMENT (PC-COMA)
• Participation by those Charged with Governance
• Human Resource Policies & Practices
• Communication & Enforcement of Integrity & Ethical Values
• Commitment to Competence
• Organisational Structure
• Management Philosophy & Operating Style
• Assignment of Authority & Responsibility
ENTITY’S RISK ASSESSMENT
PROCESS
• Auditor Shall obtain an understanding of whether entity has
process for –

• Identifying Business risks relevant to financial reporting

objectives
• Estimating Significance of the risks
• Assessing likelihood of their occurrence
• Deciding about actions to address those risks
INFORMATION SYSTEM INCLUDING
RELATED BUSINESS PROCESS RELEVANT
TO FINANCIAL REPORTING
• Auditor Shall obtain understanding of IS including related business process
relevant to financial reporting including following areas :
• Classes of transactions in entity’s operations that are significant to financial
statements
• Procedures by which those transactions are initiated , recorded , processed
,corrected as necessary , transferred to general ledger
• Related records , supporting Information & specific accounts in financial
statements that are used to record such transactions
• Controls surrounding journal entries
• Financial reporting process used to prepare financial statements
• How Information System capture events & conditions that are significant to
COMMUNICATING FINANCIAL ROLES
& RESPONSIBILITIES
• Auditor shall obtain understanding about how entity
communicates financial reporting roles & responsibilities
including :
1. Communications between Management & those charged
with Governance &

2. External Communications such as those with regulatory

authorities
POINTS TO BE CONSIDERED BY AUDITOR
REGARDING COMMUNICATION OF
FINANCIAL ROLES & RESPONSIBILITIES
• Understanding of Roles & Responsibility – Communication by entity of roles
& responsibilities pertaining to internal control over financial reporting
• Policy Manuals & Financial Reporting Manuals – Communication may take in
the form of manuals
• Understanding regarding Relation of Activities – Understanding by
employees how their work is related with other & means of reporting
exceptions to higher level
• Open Communication Channels – Help to ensure exceptions are reported &
acted upon
• Less Structured & Easier for Smaller Entities – It is easier and less structured in
small entity due to fewer levels of responsibility & management’s greater
CONTROL ACTIVITIES
• Auditor shall obtain an understanding of control activities
relevant to audit
• Control Activities are policies & procedures that help ensure
that management directives are carried out .
• Whether IT or manual systems have various objectives and
are applied at organisational & functional level
• Control Activities that are relevant to Audit are :
• That relate to significant risks & for which substantive
procedures alone do not provide sufficient appropriate
evidence
• Those that are considered to be relevant in the judgment of
AUDITOR SHOULD CONSIDER FOLLOWING
POINTS IN DECIDING SIGNIFICANT RISKS
• Whether risk is a risk of fraud
• Whether risk involves significant transaction with related party
• Whether risk involves significant transactions that are outside the
normal course of business for the entity or that appear to be unusual
• Complexity of transactions
• Degree of subjectivity in measurement of financial information related
to the risk
• Whether risk is related to significant economic , accounting or other
development like changes in regulatory requirement
IDENTIFYING SIGNIFICANT RISKS
• Following are always Significant Risks –
1. Risk of material misstatement due to fraud
2. Significant transactions with related parties that are outside
normal course of business for entity
3. Risk of Material Misstatement – Greater for significant non-
routine transactions
4. Risk of Material Misstatement – Greater for significant
Judgemental matters
MONITORING OF CONTROLS
• Auditor shall obtain an understanding of major activities entity uses to
monitor internal controls over financial reporting
• Monitoring of Controls Defined – It is process to assess effectiveness of
internal control performance over time
• Helps in Assessing of Controls on Timely Basis – Assessing
effectiveness of controls on timely basis and taking necessary remedial
actions
• Management accomplishes through ongoing activities , separate
evaluation – On going activities are built into normal recurring
activities of an entity and include regular management & supervisory
activities
• Management Monitoring includes – Information from communication
from external parties such as customer complaints that indicate areas
• In Case of Small Entities – Management’s monitoring of
control is often accomplished by management’s or owner-
manger’s close involvement in operations. This will identify
significant variances from expectations , leading to remedial
action to control
MONITORING OF CONTROLS –IF ENTITY
HAS INTERNAL AUDIT FUNCTION
• Auditor shall obtain understanding of the following :
1. Internal audit functions responsibilities & how
internal audit function fits in entity’s organisational
structure
2. Activities performed or to be performed by internal
audit function
FOLLOWING POINTS MERIT
CONSIDERATION IN THIS REGARD
1. Internal Audit Function relevant to Audit - If activities are related to entity’s
financial reporting , when auditor determines that internal audit function is
likely to be relevant to the audit SA 610 applies
2. Size & Structure of Entity – Objectives of an internal audit varies depending
on size & structure of entity & requirements of management
3. Internal Audit Function may include – It includes monitoring of internal
control , risk management & review of compliance with laws & regulations.
On Other hand responsibilities of internal audit function may be limited to
economy , effectiveness & efficiency of operations
4. External Auditor’s Activities on the basis of Internal Audit Activities –
External Auditor’s consideration of activities performed may include review
of internal audit function audit plan for the period
SATISFACTORY CONTROL ENVIRONMENT
– NOT AN ABSOLUTE DETERRENT TO
FRAUD
• Existence of satisfactory control environment can be a positive factor
when auditor assesses the risks of material misstatement
• However it may reduce fraud , a satisfactory control environment is not
an absolute deterrent to fraud
• Control environment in itself does not prevent or detect & correct a
material misstatement
• It may , however influence auditor’s evaluation of effectiveness of other
controls & thereby auditor’s assessment of risks of material
misstatements
EVALUATION OF INTERNAL CONTROL
BY AUDITOR
Benefits of Evaluation of Internal Control to the Auditor
• Whether adequate internal control system is in use & operating as
planned
• Whether effective internal auditing department is operating
• What are areas where control is weak or excessive
• Extent & depth of examination he needs to carry out in different areas
of accounting
• What would be appropriate audit techniques & procedures in given
circumstances
• Whether controls adequately safeguard the assets
• Whether errors & frauds are likely to be located in ordinary in course
• How far management is discharging its function as far as correct
recording of transactions is concerned
• How reliable reports , records & certificates to management can be
• Whether administrative control has a bearing on his work
FORMULATE AUDIT PROGRAM AFTER
UNDERSTANDING OF INTERNAL
CONTROLS
• After understanding controls , we need to review & evaluate
internal controls , auditor can use any of the following to
help him to review & evaluate Internal Controls

• Narrative Record
• Flow chart
• Check List
• Questionnaire
NARRATIVE RECORD
• It is Complete & Exhaustive description of system as found in operation
by auditor
• Actual Testing & Operation are necessary before such a record can be
developed
• Good in cases when no formal control system is in operation
• More suited to small business
• Disadvantages
• To understand system in operation is difficult
• To identify weakness in system
• To incorporate changes arising on account of reshuffling of manpower
CHECK LIST

• It is series of questions or instructions which member of auditing staff

must follow or answer
• When he completes it he writes answers in Yes No or Not Applicable
• It is on Job Requirement & instruction are framed having regard to
desirable elements of control
• Complete check list is studied by Principal / Manager / Senior to
ascertain existence of internal control & evaluate its implementation &
efficiency
INTERNAL CONTROL QUESTIONNAIRE
• It is comprehensive series of questions concerning internal control
• It is most widely used form for collecting information about existence ,
operation & efficiency of internal control in organisation
• With proper questionnaire all internal control evaluation can be
completed 1 time or in sections
• In this yes denotes positive control and No suggests weakness
• It is issued to client and client gets it filled by executives & employees
• All inconsistencies are discussed by auditor’s staff with client’s
employees to get clear picture
• Auditor then prepares report of deficiencies & recommendations for
improvement
FLOWCHART
• It is graphic presentation of each part of company’s system
of internal control
• It is most concise way of recording auditor’s review of system
• It gives bird’s eye view of system & flow of transactions and
integration & in documentation can be easily spotted and
improvements can be suggested
• It is also necessary for auditor to study the significant
features of business carried on by concern
• It helps him to understand & evaluate internal controls in
correct perspective
TESTING OF INTERNAL CONTROL

• After understanding & reviewing controls , auditor needs to examine

whether and how far same is actually in operation
• For this he will do actual testing of system in operation
• He does this on selective basis , he can plan testing in such a manner
that all important areas are covered in a period of say 3 years
• It is done by application of procedural tests & auditing in depth
TEST OF CONTROLS

• Test of Controls are performed to obtain audit evidence

about effectiveness of the –
• Design of accounting & internal controls systems , i.e
whether they are suitably designed to prevent or detect and
correct material misstatements &
• Operation of Internal control throughout the period
TEST OF CONTROLS INCLUDE

• Inspection – of documents supporting transactions & other events to

gain audit evidence that internal controls have operated properly
• Inquiries – about & observation of internal controls which leave no
audit trail
• Reperformance – involves auditor’s independent execution of
procedures or controls that were originally performed as part of
entity’s internal control
• Testing of internal control operation on specific computerized
applications or over the overall information technology function
• When obtaining audit evidence about effectiveness of controls ,
auditor considers –
• How they were applied
• By whom they were applied
• The consistency with which they were applied during the period

• When deviations are detected , auditor makes specific inquiries

regarding these matters , & ensure test of controls appropriately cover
such period of change or fluctuation
MATERIALITY & AUDIT RISK
• Materiality & Audit risk are considered through out
the audit in particular when –
1. Identifying and assessing risk of material
misstatements
2. Determining the nature , timing & extent of further
audit procedures
3. Evaluating effect of uncorrected misstatements , if
any on financial statements & in forming opinion in
the auditor’s report
INTERNAL AUDIT

• An Independent management functions which

involves continuous & critical appraisal of functioning
of an entity with a view to suggest improvement
thereto and add value to & strengthen the overall
governance mechanism of the entity including
entity’s strategic risk management & internal control
system
APPLICABILITY OF PROVISIONS OF
INTERNAL AUDIT
• Every Listed Company
• Every Unlisted Public Company having
1. Deposits >= 25cr at any point of time during preceding financial year
or
2. Paid up Share Capital >=50cr during preceding financial year or
3. Borrowings >100 cr at any point of time during preceding financial
year or
4. Turnover >= 200 cr during preceding financial year
• Every Private company having
WHO CAN BE APPOINTED AS
INTERNAL AUDITOR
• As per Section 138 , Internal Auditor shall be
1. A Chartered Accountant or a cost accountant (whether engaged in
practice or not) or
2. Such other Professional as may be decided by board
• Internal Auditor may or may not be an employee of the company
OBJECTIVE & SCOPE OF INTERNAL
AUDIT FUNCTION
• Activities Relating to Governance – May Assist Governance process in
accomplishing of objectives on ethics & values , performance
management & accountability , communication risks & control
information to appropriate areas of organization & effectiveness of
communication among TCWG , external & internal auditors &
management
• Activities Relating to Risk Management – May assist in identifying &
evaluating significant exposures to risk and contributing to
improvement of risk management & internal control
ACTIVITIES RELATING TO INTERNAL
CONTROL
• Evaluation of Internal Control – May be assigned specific responsibility for
reviewing controls , evaluating their operation & recommending
improvements thereto
• Examination of financial & operating information – May be assigned to
review means to identify , recognise , measure , classify & report financial &
operating information & to make specific inquiry into individual items ,
including detailed testing of transactions , balances & procedures
• Review of Operating Activities – May be assigned to review economy ,
effectiveness & efficiency of operating activities including non-financial
activities of an entity
• Review of Compliance with laws & regulations – Assigned to review
compliance with laws , regulations & other external requirements &
management policies & directives
BASICS OF INTERNAL FINANCIAL
CONTROL & REPORTING REQUIREMENTS
• Internal Financial Control – The policies & procedures adopted by the
company for ensuring orderly & efficient conduct by business including
(PASTA)
• Prevention & detection of errors & frauds
• Adherence to company’s policies
• Safeguarding of its assets
• Timely preparation of reliable financial information
• Accuracy & Completeness of the accounting records
IFC – REGULATORY REQUIREMENTS

• Section 143(3)(i) requires Auditor to state that whether company

has adequate internal financial controls in place & operating
effectiveness of such controls. Auditor has to express an opinion
on internal financial controls over financial reporting. It is carried
out along with audit of financial statements
• It is carried along with an audit of financial statements
• Rule 8(5)(vii) of Companies Rules , 2014 requires Board report of
all companies to state details in respect of internal financial
controls with reference to financial statements
DIFFERENCE BETWEEN INTERNAL
FINANCIAL CONTROL & INTERNAL
CONTROL OVER FINANCIAL REPORTING
• Internal Financial Control – The policies & procedures adopted by the company for
ensuring orderly & efficient conduct by business including (PASTA)
• Prevention & detection of errors & frauds
• Adherence to company’s policies
• Safeguarding of its assets
• Timely preparation of reliable financial information
• Accuracy & Completeness of the accounting records

• On Other hand , Internal Controls over financial reporting is required where auditors
are required to express an opinion on internal controls over financial reporting &
such opinion is in addition to and distinct from report on financial statements