
Chapter 3

Chapter 3 discusses audit risk, which is the risk of an inappropriate audit opinion due to materially misstated financial statements. It outlines the risks of material misstatement at both overall financial statement and assertion levels, along with components like inherent risk, control risk, and detection risk. The chapter emphasizes the importance of understanding the entity and its environment, internal controls, and the concept of materiality in the audit process.

Uploaded by

nihalpatel2124

CHAPTER 3 - RISK ASSESSMENT AND INTERNAL CONTROL


AUDIT RISK
Audit risk means the risk that the auditor gives an inappropriate audit opinion when the financial
statements are materially misstated.
SA-200 states that the auditor shall obtain sufficient appropriate audit evidence to reduce
audit risk to an acceptably low level and thereby enable the auditor to draw reasonable
conclusions on which to base the auditor’s opinion.

Risks of material misstatement


The risks of material misstatement may exist at two levels: -

(i) The overall financial statement level
(ii) The assertion level for classes of transactions, account balances, and disclosures.

Risks of material misstatement at the overall financial statement level refer to risks of
material misstatement that relate pervasively to the financial statements as a whole and
potentially affect many assertions.

Risks of material misstatement at the assertion level are assessed in order to determine the
nature, timing, and extent of further audit procedures necessary to obtain sufficient appropriate
audit evidence. This evidence enables the auditor to express an opinion on the financial
statements at an acceptably low level of audit risk.

Components of risk of material misstatement

The risk of material misstatement at the assertion level comprises two components, i.e.,
inherent risk and control risk.

Inherent risk
Inherent risk is the susceptibility of an assertion about a class of transaction, account
balance or disclosure to a misstatement that could be material, either individually or when
aggregated with other misstatements, before consideration of any related controls.

External circumstances giving rise to business risks may also influence inherent risk. For example,
technological changes may make mobile phone stock obsolete.

Control risk
Control risk is the risk that a misstatement that could occur in an assertion about a class of
transaction, account balance or disclosure and that could be material, either individually or
when aggregated with other misstatements, will not be prevented, or detected and
corrected, on a timely basis by the entity’s internal control.

Detection risk

SA 200 defines detection risk as the risk that the procedures performed by the auditor to
reduce audit risk to an acceptably low level will not detect a misstatement that exists and
that could be material, either individually or when aggregated with other misstatements.

Detection risk may be reduced by increasing the area of checking, testing larger samples
and by including competent and experienced persons in the engagement team.

The assessment of risks is a matter of professional judgment, rather than a matter capable of
precise measurement.

Audit risk-What is not included?


Audit risk is a technical term related to the process of auditing; it does not refer to the auditor’s
business risks.

Audit risk does not include the risk that the auditor might express an opinion that the financial
statements are materially misstated when they are not.

Identifying and assessing the risk of material misstatement


As per SA 315 “Identifying and Assessing the Risks of Material Misstatement through
Understanding the Entity and its Environment”, the objective of the auditor is to identify
and assess the risks of material misstatement, whether due to fraud or error, at the financial
statement and assertion levels, through understanding the entity and its environment,
including the entity’s internal control.

For the purpose of identifying and assessing the risks of material misstatement, the auditor
shall: -

(i) Identify risks throughout the process of obtaining an understanding of the entity and its
environment
(ii) Assess the identified risks, and evaluate whether they relate more pervasively to the
financial statements
(iii) Relate the identified risks to what can go wrong at the assertion level
(iv) Consider the likelihood and magnitude of misstatement
Risk Assessment Procedures

The audit procedures performed to obtain an understanding of the entity and its
environment, including the entity’s internal control, to identify and assess the risks
of material misstatement, whether due to fraud or error, at the financial statement and
assertion level are defined as risk assessment procedures.
What is included in risk assessment procedures?

The risk assessment procedures shall include the following:


(a) Inquiries of management and of others within the entity who in the auditor’s
judgment may have information that is likely to assist in identifying risks of material
misstatement due to fraud or error.

Example-

• Inquiries directed toward internal audit personnel relating to the design and
effectiveness of the entity’s internal control

• Inquiries directed toward in-house legal counsel may provide information about
such matters as litigation, compliance with laws and regulations

• Inquiries directed to information systems personnel may provide information
about system changes, system or control failures
(b) Analytical procedures.
Analytical procedures performed as risk assessment procedures may identify aspects of
the entity of which the auditor was unaware. Analytical procedures may help identify the
existence of unusual transactions or events, and amounts, ratios, and trends that might
indicate matters that have audit implications. Unusual or unexpected relationships that
are identified may assist the auditor in identifying risks of material misstatement, especially
risks of material misstatement due to fraud.

(c) Observation and inspection.

Observation and inspection may support inquiries of management and others, and may
also provide information about the entity and its environment.

MATERIALITY
What is meant by materiality?

SA 320 “Materiality in Planning and Performing an Audit” states that misstatements,
including omissions, are considered to be material if they, individually or in the aggregate,
could reasonably be expected to influence the economic decisions of users taken on the basis
of the financial statements.

Materiality is not always a matter of relative size. For example, a small amount lost by
fraudulent practices of certain employees can indicate a serious flaw in the enterprise’s internal
control system requiring immediate attention to avoid greater losses in future.

Materiality in Planning and performing an audit


Determination of materiality- a matter of professional judgment

The auditor’s determination of materiality is a matter of professional judgment, and is affected
by the auditor’s perception of the financial information needs of users of the financial
statements. In this context, it is reasonable for the auditor to assume that users:
(a) Have a reasonable knowledge of business and economic activities
(b) Understand that financial statements are prepared, presented and audited to levels of
materiality;
(c) Recognize the uncertainties inherent in the measurement of amounts based on the use
of estimates, judgment and the consideration of future events; and
(d) Make reasonable economic decisions on the basis of the information in the financial
statements.

Materiality Level or Levels for Particular Classes of Transactions, Account Balances or
Disclosures

Factors that may indicate the existence of one or more particular classes of transactions, account
balances or disclosures for which misstatements of lesser amounts than materiality for the
financial statements as a whole could reasonably be expected to influence the economic
decisions of users taken on the basis of the financial statements include the following:
1. Whether law, regulations or the applicable financial reporting framework affect users’
expectations regarding the measurement or disclosure of certain items like in case of
related party transactions, and the remuneration of management and those charged with
governance.
2. The key disclosures in relation to the industry in which the entity operates. For
example, research and development costs for a pharmaceutical company.
3. Whether attention is focused on a particular aspect of the entity’s business that is
separately disclosed in the financial statements like in case of newly acquired business.
Performance Materiality

Performance materiality means the amount or amounts set by the auditor at less than
materiality for the financial statements as a whole to reduce to an appropriately low level the
probability that the aggregate of uncorrected and undetected misstatements exceeds
materiality for the financial statements as a whole. If applicable, performance materiality also
refers to the amount or amounts set by the auditor at less than the materiality level or levels
for particular classes of transactions, account balances or disclosures.

Use of Benchmarks in Determining Materiality for the Financial Statements as a Whole


Determining materiality involves the exercise of professional judgment. A percentage is often
applied to a chosen benchmark as a starting point in determining materiality for the financial
statements as a whole. Factors that may affect the identification of an appropriate benchmark
include the following:
• The elements of the financial statements like assets, liabilities, equity, revenue, expenses
• Items on which users are focused.
• The nature of the entity, the industry and economic environment in which the entity operates, the
entity’s ownership structure and the way it is financed.
• The relative volatility of the benchmark.

Chosen Benchmark – Relevant financial data

In relation to the chosen benchmark, relevant financial data ordinarily includes: -

✓ Prior periods’ financial results and financial positions,
✓ The period-to-date financial results and financial position, and budget or
forecasts for the current period,
✓ Adjusted for significant changes in the circumstances of the entity (for
example, a significant business acquisition) and relevant changes of
conditions in the industry or economic environment in which the entity
operates.
Documenting the Materiality

The audit documentation shall include the following amounts and the factors considered in
their determination:
(a) Materiality for the financial statements as a whole
(b) If applicable, the materiality level or levels for particular classes of transactions, account
balances or disclosures
(c) Performance materiality and
(d) Any revision of (a)-(c) as the audit progressed

Materiality and Audit Risk


There is an inverse relationship between materiality and Audit risk. Higher the materiality,
higher is the chance of misstatement being detected leading to low audit risk. Lower the
materiality, less are the chances of it being selected for auditing leading to high audit risk.

Materiality and Audit Risk are considered throughout the audit, in particular, when:
(a) Identifying and assessing the risks of material misstatement;

(b) Determining the nature, timing and extent of further audit procedures; and
(c) Evaluating the effect of uncorrected misstatements, if any, on the financial
statements and in forming the opinion in the auditor’s report.

UNDERSTANDING THE ENTITY AND ITS ENVIRONMENT


A. Relevant industry, regulatory, and other external factors including the applicable
financial reporting framework
Relevant industry factors include industry conditions such as the competitive
environment, supplier and customer relationships, and technological developments.

B. The nature of the entity, including: -

(i) its operations;
(ii) its ownership and governance structures;
(iii) the types of investments that the entity is making and plans to make, including
investments in special-purpose entities; and
(iv) the way that the entity is structured and how it is financed; to enable the auditor to
understand the classes of transactions, account balances, and disclosures to be expected
in the financial statements.
C. The entity’s selection and application of accounting policies, including
the reasons for changes thereto

The auditor shall evaluate whether the entity’s accounting policies are appropriate for its
business and consistent with the applicable financial reporting framework and
accounting policies used in the relevant industry.

D. The entity’s objectives and strategies, and those related business risks that
may result in risks of material misstatement. An understanding of the business risks
facing the entity increases the likelihood of identifying risks of material misstatement,
since most business risks will eventually have financial consequences and, therefore, an
effect on the financial statements.
E. The measurement and review of the entity’s financial performance
An understanding of the entity’s performance measures assists the auditor in
considering whether pressures to achieve performance targets may result in
management actions that increase the risks of material misstatement, including
those due to fraud.

Understanding the entity-a continuous process


Understanding of the entity is a continuous, dynamic process of gathering, updating and
analysing information throughout the audit. This understanding can be used in:

• Assessing risks of material misstatement of the financial statements

• Determining materiality in accordance with SA 320

• Considering the appropriateness of the selection and application of accounting policies

• Identifying areas where special audit consideration may be necessary,

• Developing expectations for use when performing analytical procedures

• Evaluating the sufficiency and appropriateness of audit evidence obtained

INTERNAL CONTROL
Meaning of Internal Control

As per SA-315, “Identifying and Assessing the Risk of Material Misstatement Through
Understanding the Entity and its Environment”, the internal control may be defined as
“the process designed, implemented and maintained by those charged with governance,
management and other personnel to provide reasonable assurance about the achievement
of an entity’s objectives with regard to reliability of financial reporting, effectiveness and
efficiency of operations, safeguarding of assets, and compliance with applicable laws and
regulations.”

Limitations of Internal Control

(i) Internal control can provide only reasonable assurance


(ii) Human judgment in decision-making
Realities that human judgment in decision-making can be faulty and that breakdowns in
internal control can occur because of human error.

(iii) Lack of understanding the purpose

Equally, the operation of a control may not be effective because the individual responsible for
reviewing the information does not understand its purpose or fails to take appropriate action.
(iv) Collusion among People
Additionally, controls can be circumvented by the collusion of two or more people or
inappropriate management override of internal control.

(v) Judgements by Management

Management may make judgments on the nature and extent of the controls it chooses to
implement, and the nature and extent of the risks it chooses to assume.

(vi) Limitations in case of Small Entities


Smaller entities often have fewer employees due to which segregation of duties is not
practicable. However, in a small owner-managed entity there is more effective oversight than in
a larger entity.

Components of Internal Control


(CRICket-Match)

A. Control Environment
What is included in Control Environment?

The control environment includes:

(i) the governance and management functions and


(ii) the attitudes, awareness, and actions of those charged with governance and
management.
(iii) the control environment sets the tone of an organization, influencing the control
consciousness of its people.
Elements of the Control Environment
a) Communication and enforcement of integrity and ethical values
Integrity and ethical behaviour are the product of the entity’s ethical and behavioural
standards, how they are communicated, and how they are reinforced in practice

b) Commitment to competence

Matters such as management’s consideration of the competence levels for particular jobs and
how those levels translate into requisite skills and knowledge.

c) Participation by those charged with governance

It includes attributes of those charged with governance such as their independence from
management, their experience and stature, the extent of their involvement and the information
they receive and the scrutiny of activities.
d) Management’s philosophy and operating style
Management’s philosophy and operating style encompass a broad range of characteristics.
For example, management’s attitudes and actions towards financial reporting

e) Organisational structure
The framework within which an entity’s activities for achieving its objectives are planned,
executed, controlled, and reviewed.

f) Assignment of authority and responsibility


Matters such as how authority and responsibility for operating activities are assigned and how
reporting relationships and authorization hierarchies are established.
g) Human resource policies and practices
Policies and practices that relate to, for example, recruitment, orientation, training, evaluation,
counselling, promotion, compensation, and remedial actions.

B. The Entity’s Risk Assessment Process


The auditor shall obtain an understanding of whether the entity has a process for:

(a) Identifying business risks relevant to financial reporting objectives


(b) Estimating the significance of the risks
(c) Assessing the likelihood of their occurrence
(d) Deciding about actions to address those risks

C. The information system, relevant to financial reporting and communication
The auditor shall obtain an understanding of the information system, including the related
business processes, relevant to financial reporting, including the following areas: -

• Significant class of transactions
• The procedures by which those transactions are initiated, recorded, processed,
corrected as necessary, transferred to the general ledger and reported in the financial
statements
• The related accounting records, supporting information
• How the information system captures events and conditions that are significant to the
financial statements
• The financial reporting process used to prepare the entity’s financial
statements
• Controls surrounding journal entries.
D. Control Activities
An audit requires an understanding of only those control activities related to significant class
of transactions, account balance, and disclosure in the financial statements and the assertions
which the auditor finds relevant in his risk assessment process.

Control activities relevant to audit generally include policies and procedures relating to

• performance reviews
• information processing
• physical controls and
• segregation of duties

E. Monitoring of Controls
Monitoring of controls is a process to assess the effectiveness of internal control performance
over time. It helps in assessing the effectiveness of controls on a timely basis.

Management accomplishes monitoring of controls through ongoing activities, separate
evaluations, or a combination of the two. Ongoing monitoring activities are often built into
the normal recurring activities of an entity and include regular management and supervisory
activities.

Are all Controls Relevant to the audit?


The entity’s objectives, and therefore controls, relate to financial reporting, operations and
compliance.

Factors relevant to the auditor’s judgment about whether a control, individually or in
combination with others, is relevant to the audit may include such matters as the following:

• Materiality.
• The significance of the related risk.
• The size of the entity.
• The diversity and complexity of the entity’s operations.
• The nature of the entity’s business, including its organization and ownership
characteristics.
• Applicable legal and regulatory requirements.

Nature and Extent of the Understanding of Relevant Controls

Evaluating the design of a control involves considering whether the control, individually or in
combination with other controls, is capable of effectively preventing, or detecting and
correcting, material misstatements. Implementation of a control means that the control exists
and that the entity is using it.
An improperly designed control may represent a significant deficiency in internal control. Risk
assessment procedures to obtain audit evidence about the design and implementation of
relevant controls may include-
• Inquiring of entity personnel.
• Observing the application of specific controls.
• Inspecting documents and reports.
• Tracing transactions through the information system relevant to financial reporting.
Inquiry alone, however, is not sufficient for such purposes.

RISKS THAT REQUIRE SPECIAL AUDIT CONSIDERATION


Significant Risk-

Significant risks are inherent risks with both a higher likelihood of occurrence and a
higher magnitude of potential misstatement.

In exercising judgment as to which risks are significant risks, the auditor shall consider at least
the following:
✓ Whether the risk is a risk of fraud
✓ Whether the risk is related to recent significant economic, accounting, or other
developments like changes in regulatory environment, etc., and, therefore, requires
specific attention
✓ The complexity of transactions
✓ Whether the risk involves significant transactions with related parties
✓ The degree of subjectivity in the measurement of financial information
✓ Whether the risk involves significant transactions that are outside the normal course of
business for the entity, or that otherwise appear to be unusual.
Non-Routine Transactions:

Risks of material misstatement may be greater for significant non-routine transactions arising
from matters such as the following

✓ Greater management intervention to specify the accounting treatment.

✓ Greater manual intervention for data collection and processing.


✓ Complex calculations or accounting principles.
✓ The nature of non-routine transactions, which may make it difficult for the entity
to implement effective controls over the risks.
Judgmental Matters:

Risks of material misstatement may be greater for significant judgmental matters that require
the development of accounting estimates.

EVALUATION OF INTERNAL CONTROL SYSTEM


Benefits of Evaluation of Internal Control to the Auditor

The review of internal controls will enable the auditor to know:

(i) whether errors and frauds are likely to be located in the ordinary course of operations
of the business
(ii) whether an adequate internal control system is in use and operating as planned by the
management
(iii) whether an effective internal auditing department is operating
(iv) whether the controls adequately safeguard the assets
(v) how far and how adequately the management is discharging its function in so far as
correct recording of transactions is concerned
(vi) how reliable the reports, records and the certificates to the management can be

Formulate Audit Program after understanding Internal Control


The auditor can formulate his entire audit programme only after he has had a satisfactory
understanding of the internal control systems and their actual operation. If he does not care
to study this aspect, it is very likely that his audit programme may become unwieldy and
unnecessarily heavy and the object of the audit may be altogether lost in the mass of entries
and vouchers. It is also important for him to know whether the system is actually in
operation.

Evaluation of Internal Control– Methods


(A) Narrative record

(B) Check List


(C) Internal Control questionnaire and
(D) Flow chart

The Narrative Record


This is a complete and exhaustive description of the system as found in operation by the
auditor. Actual testing and observation are necessary before such a record can be developed.
Check List
This is a series of instructions and/or questions which a member of the auditing staff must
follow and/or answer. When he completes an instruction, he initials the space against the
instruction. Answers to the check list instructions are usually Yes, No or Not Applicable.

Internal Control Questionnaire


This is a comprehensive series of questions concerning internal control. This is the most widely
used form for collecting information about the existence, operation and efficiency of internal
control in an organisation.

In the questionnaire, generally questions are so framed that a ‘Yes’ answer denotes
satisfactory position and a ‘No’ answer suggests weakness.

If, on a perusal of the answers, inconsistencies are noticed, the matter is further discussed by
the auditor’s staff with the client’s employees.

Flow Chart

It is a graphic presentation of each part of the company’s system of internal control. A flow
chart is considered to be the most concise way of recording the auditor’s review of the system.
It minimizes the amount of narrative explanation and thereby achieves a consideration or
presentation not possible in any other form.
It gives a bird’s eye view of the system and the flow of transactions and integration and in
documentation, can be easily spotted and improvements can be suggested.

TESTING OF INTERNAL CONTROL


After assimilating the internal control system, the auditor needs to examine whether and how
far the same is actually in operation. For this, he resorts to actual testing of the system in
operation. This he does on a selective basis: he can plan this testing in such a manner that
all the important areas are covered in a period of, say, three years.

Tests of controls are performed to obtain audit evidence about the effectiveness of the: -
1. Design of the accounting and internal control system
2. Operation of the internal control throughout the period

Tests of controls may include:

i. Inspection of documents supporting transactions and other events
ii. Inquiries about, and observation of, internal controls which leave no audit trail
iii. Re-performance, which involves the auditor’s independent execution of procedures or controls
that were originally performed as part of the entity’s internal control
iv. Testing of internal control operating on specific computerised applications
WHAT IS AN AUTOMATED ENVIRONMENT?
An automated environment basically refers to a business environment where the processes,
operations, accounting and even decisions are carried out by using computer systems – also
known as Information Systems (IS) or Information Technology (IT) systems.

Key features of an automated environment

• Enables faster business operation
• Accuracy in data processing and computation
• Ability to process large volume of transactions
• Integration amongst business operations
• Better security and controls
• Less prone to human errors
• Provides latest information
• Connectivity and networking capability

Understanding and documenting automated environment


In an audit of financial statements, an auditor is required to understand the entity and its
business, including IT. Understanding the entity and its automated environment involves
understanding how the IT department is organised, IT activities, the IT dependencies, relevant
risks and controls.

The auditor would obtain an understanding of:

➢ Information systems being used (one or more application systems and what they are)
➢ Their purpose (financial and non-financial)
➢ Location of IT systems - local vs global
➢ Architecture (desktop based, client-server, web application, cloud based)
➢ Version (functions and risks could vary in different versions of the same application).
➢ Interfaces within systems (in case multiple systems exist).
➢ In-house vs Packaged.
➢ Outsourced activities (IT maintenance and support).
➢ Key persons (CIO, CISO, Administrators).

Risks arising from use of IT Systems

• Inaccurate processing of data, processing inaccurate data, or both.
• Unauthorized access to data.
• Lack of adequate segregation of duties.
• Unauthorized changes to systems or programs.
• Failure to make necessary changes to systems or programs.
• Loss of data.
Impact of IT related risks

The above risks have to be mitigated. If not mitigated, such risks could have an impact on the audit
in different ways, discussed as under: -
Impact on substantive checking

All information, data, and reports would have to be tested thoroughly for their completeness
and accuracy. It could lead to increased substantive checking i.e., detailed checking.
Impact on controls

Non-reliance on automated controls, system calculations and accounting procedures built into
applications.
Impact on reporting

May lead to modification of auditor’s report in some instances.

Types of Controls in an automated environment


Controls in an automated environment can be categorized as under: -

(A) General IT controls

(B) Application controls

(C) IT-dependent controls

General IT controls

General IT controls are policies and procedures that relate to many applications and support
the effective functioning of application controls. General IT controls that maintain the
integrity of information and security of data commonly include controls over the following:

(a) Controls over Data centre and network operations


The objective of controls over Data centre and network operations is to ensure that
production systems are processed to meet financial reporting objectives.

(b) Program Change


The objective of program change controls is to ensure that modified systems continue
to meet financial reporting objectives.

(c) Access Security


The objective of controls over access security is to ensure that access to programs and
data is authenticated and authorized to meet financial reporting objectives.
(d) Application system acquisition, development, and maintenance
The objective of such controls is to ensure that systems are developed, configured and
implemented to meet financial reporting objectives.

Application Controls
Application controls include both automated and manual controls that operate at a business
process level. Automated Application controls are embedded into IT applications viz., ERPs
and help in ensuring the completeness, accuracy and integrity of data in those systems.

IT dependent Controls
IT dependent controls are basically manual controls that make use of some form of data or
information or report produced from IT systems and applications.

Testing methods in an automated environment


When testing in an automated environment, some of the more common methods are as
follows:
• Obtain an understanding of how an automated transaction is processed by doing a
walkthrough of one end-to-end transaction using a combination of inquiry,
observation and inspection.
• Observe how a user processes transactions under different scenarios.
• Inspect the configuration defined in an application.

CHARACTERISTICS OF MANUAL AND AUTOMATED ELEMENTS OF
INTERNAL CONTROL RELEVANT TO THE AUDITOR’S RISK
ASSESSMENT
Controls in a manual system may include such procedures as approvals and reviews of
transactions, and reconciliations and follow-up of reconciling items. Alternatively, an entity
may use automated procedures to initiate, record, process, and report transactions, in which
case records in electronic format replace paper documents.

Manual elements vs automated elements in entity’s internal control

Manual elements in internal control may be more suitable where judgment and discretion are
required, such as in the following circumstances:
• Large, unusual or non-recurring transactions.
• Circumstances where errors are difficult to define, anticipate or predict.
• In changing circumstances that require a control response outside the scope of an existing
automated control.
• In monitoring the effectiveness of automated controls.

Manual elements in internal control may be less reliable than automated elements because
they can be more easily bypassed, ignored, or overridden.

DATA ANALYTICS FOR AUDIT


The combination of processes, tools and techniques that are used to tap vast amounts of
electronic data to obtain meaningful information is called data analytics.
The tools and techniques that auditors use in applying the principles of data analytics are
known as Computer Assisted Auditing Techniques or CAATs in short.

INTERNAL FINANCIAL CONTROLS AS PER REGULATORY
REQUIREMENTS

The term Internal Financial Controls (IFC) basically refers to the policies and procedures put
in place by companies for ensuring:

✓ Reliability of financial reporting

✓ Effectiveness and efficiency of operations

✓ Compliance with applicable laws and regulations

✓ Safeguarding of assets

✓ Prevention and detection of frauds

DOCUMENTING THE RISKS

The auditor shall document:

• The discussion among the engagement team and the significant decisions reached

• Key elements of the understanding obtained

• The identified and assessed risks of material misstatement

• Related controls

ASSESS AND REPORT AUDIT FINDINGS


At the conclusion of each audit, it is possible that there will be certain findings or exceptions in
the IT environment and IT controls of the company that need to be assessed and reported to
relevant stakeholders, including management and those charged with governance.
Some points to consider are as follows:

✓ Are there any weaknesses in IT controls?


✓ What is the impact of these weaknesses on overall audit?
✓ Report deficiencies to management – Internal controls memo or
Management letter.
✓ Communicate in writing any significant deficiencies to those charged with
governance.

THE AUDITOR’S RESPONSES TO ASSESSED RISKS


SA 330 - The auditor’s responses to assessed risks deals with the auditor’s responsibility to design
and implement responses to the risks of material misstatement identified and assessed by the auditor
in accordance with SA 315.

The auditor shall design and perform tests of controls to obtain sufficient appropriate audit evidence
as to the operating effectiveness of relevant controls when:

(a) the auditor intends to rely on the operating effectiveness of controls or


(b) Substantive procedures alone cannot provide sufficient appropriate audit evidence at the
assertion level.

Nature and Extent of Test of Controls

In designing and performing test of controls, the auditor shall:

(a) Perform other audit procedures in combination with inquiry to obtain audit evidence about
the operating effectiveness of the controls, including:
(i) How the controls were applied at relevant times during the period under audit.
(ii) The consistency with which they were applied.
(iii) By whom or by what means they were applied.

Inquiry alone is not sufficient to test the operating effectiveness of controls.

The nature of the particular control influences the type of procedure required to obtain audit evidence
about whether the control was operating effectively.

Matters the auditor may consider in determining the extent of test of controls include the
following:

✓ The frequency of the performance of the control by the entity during the period.
✓ The length of time during the audit period that the auditor is relying on the operating effectiveness
of the control.
✓ The expected rate of deviation from a control.
✓ The relevance and reliability of the audit evidence to be obtained regarding the operating
effectiveness of the control at the assertion level.
✓ The extent to which audit evidence is obtained from tests of other controls related to the assertion.
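
As an added illustration (not part of the original notes), the sketch below shows how a CAAT-style test could examine a program change control over the whole audit period instead of relying on inquiry: it checks when each change was approved, by whom, and how consistently, and returns the deviation rate. The records, field names and the self-approval check are constructed assumptions.

```python
from datetime import date

# Constructed sample: production deployments during the audit period.
DEPLOYMENTS = [
    {"id": "D1", "ticket": "CHG-101", "deployed": date(2024, 4, 10), "by": "dev_a"},
    {"id": "D2", "ticket": "CHG-102", "deployed": date(2024, 7, 2), "by": "dev_b"},
    {"id": "D3", "ticket": None, "deployed": date(2024, 9, 15), "by": "dev_a"},
    {"id": "D4", "ticket": "CHG-104", "deployed": date(2024, 12, 1), "by": "dev_c"},
    {"id": "D5", "ticket": "CHG-105", "deployed": date(2025, 2, 20), "by": "dev_b"},
]

# Constructed sample: approved change tickets from the change register.
TICKETS = {
    "CHG-101": {"approved": date(2024, 4, 8), "approver": "mgr_x"},
    "CHG-102": {"approved": date(2024, 7, 1), "approver": "mgr_x"},
    "CHG-104": {"approved": date(2024, 12, 3), "approver": "mgr_y"},
    "CHG-105": {"approved": date(2025, 2, 19), "approver": "dev_b"},
}


def find_deviations(deployments, tickets):
    """Return (deployment id, month, reason) for every control deviation."""
    deviations = []
    for d in deployments:
        ticket = tickets.get(d["ticket"])
        if ticket is None:
            reason = "no approved change ticket"
        elif ticket["approved"] > d["deployed"]:
            # "How the control was applied at relevant times"
            reason = "approved after deployment"
        elif ticket["approver"] == d["by"]:
            # "By whom it was applied" (assumed rule: no self-approval)
            reason = "approved by the person who deployed"
        else:
            continue
        deviations.append((d["id"], d["deployed"].strftime("%Y-%m"), reason))
    return deviations


def deviation_rate(deployments, deviations):
    """Observed rate of deviation, to compare with the expected rate."""
    return len(deviations) / len(deployments) if deployments else 0.0


if __name__ == "__main__":
    found = find_deviations(DEPLOYMENTS, TICKETS)
    for dep_id, month, reason in found:
        print(dep_id, month, reason)
    print("deviation rate:", deviation_rate(DEPLOYMENTS, found))
```
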

Using Audit Evidence Obtained in Previous Audits


The auditor shall consider the following:

(a) The effectiveness of other elements of internal control, including the control environment, the
entity’s monitoring of controls, and the entity’s risk assessment process

(b) The risks arising from the characteristics of the control, including whether it is manual or
automated

(c) The effectiveness of general IT-controls

(d) The effectiveness of the control and its application by the entity

(e) Whether the lack of a change in a particular control poses a risk due to changing circumstances
and

(f) The risks of material misstatement and the extent of reliance on the control

Specific inquiries by auditor when deviations from controls are detected


When deviations from controls upon which the auditor intends to rely are detected, the auditor shall
make specific inquiries to understand these matters and their potential consequences, and shall
determine whether:

(a) The tests of controls that have been performed provide an appropriate basis for reliance on the
controls

(b) Additional tests of controls are necessary or

(c) The potential risks of misstatement need to be addressed using substantive procedures.

Irrespective of the assessed risks of material misstatement, the auditor shall design and perform
substantive procedures for each material class of transactions, account balance, and disclosure.

This requirement reflects the facts that:

(i) the auditor’s assessment of risk is judgmental and so may not identify all risks
of material misstatement and

(ii) there are inherent limitations to internal control, including management override.
