CH 4 - Risk Assessment


Chapter 4 - RISK ASSESSMENT AND INTERNAL CONTROL

CHAPTER 4 TOPICS SHORT NOTES

1 AUDIT RISK
2 IDENTIFYING AND ASSESSING RISK OF MATERIAL MISSTATEMENT (SA 315)
3 INTERNAL CONTROL
4 REVIEW OF IC. BY AUDITOR/ EVALUATION OF INTERNAL CONTROL BY THE AUDIT
5 INTERNAL CONTROL AND IT ENVIRONMENT
6 ICQ AND ICE
7 EXAMINATION IN DEPTH/WT
8 INTERNAL CHECK
9 SA 315- IDENTIFYING AND ASSESSING THE RISK OF MATERIAL MISSTATEMENT THROUGH
  UNDERSTANDING THE ENTITY AND ITS ENVIRONMENT AND RELATED INTERNAL CONTROLS
10 SA 320- MATERIALITY IN PLANNING AND PERFORMING AN AUDIT
11 SA 330- THE AUDITOR'S RESPONSES TO ASSESSED RISKS
12 SA 265- COMMUNICATING DEFICIENCIES IN INTERNAL CONTROL TO THOSE CHARGED WITH
   GOVERNANCE AND MANAGEMENT
13 INTERNAL AUDIT
14 LEGAL REQUIREMENT OF INTERNAL AUDIT
15 SA 610- USING THE WORK OF INTERNAL AUDITORS
16 INTERNAL FINANCIAL CONTROL (IFC) AND INTERNAL CONTROL OVER FINANCIAL REPORTING

1- AUDIT RISK AND ITS COMPONENTS

Audit risk is the risk that the auditor may give an inappropriate opinion when the financial
statements are materially misstated. Thus, it is the risk that the auditor may fail to express an
appropriate opinion in an audit assignment.

SA 315 "Identifying and Assessing Risk of Material Misstatements through understanding the
Entity and its Environment" provides guidance on identifying and assessing the risks of
material misstatements at the financial statement level and assertion levels.

Consideration
1. The SAs do not ordinarily refer to inherent risk and control risk separately, but rather
to a combined assessment of the "risks of material misstatement".
2. The risks of material misstatement may exist at two levels:
• The overall financial statement level; and
• The assertion level for classes of transactions, account balances, and
disclosures.
3. Risks of material misstatement at the overall financial statement level refer to risks of
material misstatement that relate pervasively to the financial statements as a whole
and potentially affect many assertions.
4. Risks of material misstatement at the assertion level are assessed in order to determine
the nature, timing and extent (NTE) of further audit procedures necessary to obtain
sufficient appropriate audit evidence.
5. The risks of material misstatement at the assertion level consist of two components:
inherent risk and control risk.

1.1- COMPONENTS OF AUDIT RISK/FACTORS CAUSING AUDIT RISK
Audit Risk has three components: Inherent Risk, Control Risk and Detection Risk. Inherent
Risk and Control Risk are collectively known as Risk of Material Misstatement.
Inherent Risk

• Inherent Risk is the susceptibility of an account balance or class of transaction to a
material misstatement, assuming that there were no internal controls.
• To assess inherent risk, the auditor should evaluate numerous factors, having regard
to his experience of the entity from previous audit engagements of the entity, controls
established by management to compensate for a high level of inherent risk, and his
knowledge of any significant changes which might have taken place since his last
assessment.

FACTORS AFFECTING INHERENT RISK

At level of Financial Statement:
• Integrity of management.
• Management experience and knowledge.
• Unusual pressure on management.
• Nature of entity's business.
• Factors affecting Industry.

At level of Account Balance & Transaction:
• Quality of Accounting System.
• Accounts prone to misstatement.
• Complex transaction.
• Judgement involved in determining balances.
• Assets prone to misappropriation.
• Unusual transaction at or near period end.
• Transaction not subjected to ordinary processing.

Control Risk

• The risk that a misstatement that could occur in an assertion about a class of
transaction, account balance or disclosure and that could be material, either
individually or when aggregated with other misstatements, will not be prevented, or
detected and corrected, on a timely basis by the entity's internal control.
• Control Risk is the risk that material misstatement will not be prevented or detected
and corrected on a timely basis by the internal control system.

ASSESSMENT OF CONTROL RISK

Preliminary Assessment of Control Risk
1. It refers to evaluating the likely effectiveness of an entity's internal control system in
preventing or detecting and correcting material misstatements.
2. The auditor should obtain an understanding of internal controls to make a preliminary
assessment of the control risk.
3. Thus, the auditor should assess the control risk as high unless the auditor:
(a) Is able to identify internal controls which are likely to prevent or detect and correct a
material misstatement; and
(b) Plans to perform test of controls.

Test of Controls
Auditor performs Test of control to obtain audit evidence about the following:
(a) Whether the accounting and internal control systems are suitably designed to prevent or
detect and correct material misstatements; &
(b) Operation of internal controls throughout the period.

Final assessment of control risk
On the basis of the results of the test of controls, the auditor should evaluate whether the
preliminary assessment of control risk was correct or needs to be revised. He should
accordingly determine any modification in the NTE of audit procedures.

The SAs do not ordinarily refer to inherent risk and control risk separately, but rather to
a combined assessment of the "risks of material misstatement".

Detection Risk

• It is the risk that the substantive procedures performed by the auditor fail to detect
material misstatement.
• The auditor's control risk assessment, together with the inherent risk assessment,
influences the nature, timing and extent of substantive procedures to be performed to
reduce detection risk, and therefore audit risk, to an acceptably low level.
• Some detection risk would always be present even if an auditor was to examine 100 per
cent of the account balances or class of transactions.

Summary For Quick Revision

| Inherent Risk (I.R.) | Control Risk (C.R.) | Detection Risk (D.R.) |
|---|---|---|
| Risk that Material Misstatements may occur. | Risk that I.C. fail to operate as desired. | Risk that auditor's substantive procedures will not detect a Material Misstatement. |
| Arises at level of management. | Arises at level of management. | Arises at auditor's level. |
| Auditor can only assess this risk. | Auditor can only assess this risk. | Auditor can frame this risk. |
| Risk of System of management. | Risk of I.C. System of management. | Risk of Substantive procedure adopted by auditor. |
| This is generally high. However certain factors may be present due to which it can be less than high. | This is evaluated in stages (See chart below). | D.R. should be inversely proportionate to combined assessment of I.R. & C.R.: D.R. ∝ 1/(I.R. + C.R.). If I.R. & C.R. are high, D.R. should be kept at low level. |

1.2- RELATIONSHIP BETWEEN COMPONENTS OF AUDIT RISK


Relationship between IR and CR
1. Management often reacts to inherent risk situations by designing accounting and
internal control systems to prevent or detect and correct misstatements and therefore,
in many cases, inherent risk and control risk are highly interrelated.
2. In such situations, if the auditor attempts to assess inherent and control risks
separately, there is a possibility of inappropriate risk assessment.

As a result, audit risk may be more appropriately determined in such situations by making a
combined assessment of Inherent and Control Risk. This combined assessment is considered to
be the Risk of Material Misstatement (RMM, also written ROMM).

Relationship between RMM and Detection Risk
1. There is an inverse relationship between detection risks and the combined level of
inherent and control risks.
2. When inherent and control risks are high, acceptable detection risk needs to be low to
reduce audit risk to an acceptably low level. When inherent and control risks are low,
an auditor can accept a higher detection risk and still reduce audit risk to an
acceptably low level.
3. When both inherent and control risks are assessed as high, the auditor needs to
consider whether substantive procedures can provide sufficient appropriate audit
evidence to reduce detection risk, and therefore audit risk, to an acceptably low level.
Mathematically, Audit Risk (AR) can be expressed as a product of Inherent Risk (IR), Control
Risk (CR) and Detection Risk (DR), i.e. AR = IR × CR × DR.
If detection risk can't be reduced to an acceptably low level, the auditor should express a
qualified opinion or a disclaimer of opinion.

1.3- CONDITIONS WHICH INCREASE RISK OF FRAUD AND ERROR/RISK THAT
REQUIRE SPECIAL AUDIT CONSIDERATION
While planning and performing an audit, the auditor should consider the risk of material
misstatements that may be caused due to fraud or error. Various conditions and events that
may increase risk of fraud or error are:

1. Weaknesses in the design of internal control system and non-compliance with the laid
down control procedures.
2. Doubts about the integrity or competence of the management.
3. Unusual pressures within the entity.
4. Unusual transactions such as transactions with related parties, excessive payment for
certain services to lawyers, etc.
5. Problems in obtaining sufficient and appropriate audit evidence, e.g., inadequate
documentation, significant differences between the figures as per the accounting records and
confirmation received from third parties, etc.

2- IDENTIFYING AND ASSESSING RISK OF MATERIAL MISSTATEMENT (SA 315)


2.1- Risk Assessment Process

(a) Identify risks throughout the process of obtaining an understanding of the entity and its
environment including the entity's internal control;
(b) Assess the identified risks and evaluate whether they relate more pervasively to the
financial statements as a whole;
(c) Relate the identified risks to what can go wrong at the assertion level; and
(d) Consider the likelihood of misstatement, including the possibility of multiple
misstatements.

2.2- Objective of Auditor

As per SA 315 "Identifying and Assessing the Risk of Material Misstatement through
Understanding the Entity and its Environment" the objective of the auditor is:

• to identify and assess the risks of material misstatement, whether due to fraud or error,
• at the financial statement and assertion levels,
• through understanding the entity and its environment, including the entity's internal
control,
• thereby providing a basis for designing and implementing responses to the assessed
risks of material misstatement.

This will help the auditor to reduce the risk of material misstatement to an acceptably low
level.

2.3- Understanding required of entity and its environment

(a) Relevant industry, regulatory, and other external factors including applicable financial
reporting framework.
(b) The nature of the entity, including:
i. its operations;
ii. its ownership and governance structures;
iii. the types of investments that the entity is making and plans to make; &
iv. the way that the entity is structured and how it is financed;
(c) The entity's selection and application of accounting policies, including the reasons for
changes thereto.
(d) The entity's objectives and strategies, and those related business risks that may result
in risks of material misstatement.
(e) The measurement and review of the entity's financial performance.

2.4- Assessment of Risk of Material Misstatement at F.S and at Assertion Level

1. At F.S. Level
• It refers to risks of material misstatement that relate pervasively to the financial
statements as a whole and potentially affect many assertions.
• Risks at the financial statement level may derive in particular from deficient control
environment (although these risks may also relate to other factors, such as declining
economic conditions). For example, deficiencies such as management's lack of
competence may have a more pervasive effect on the F.S. and may require an overall
response by the auditor.
• The auditor's understanding of internal control may raise doubts about the auditability
of an entity's financial statements. For example:
i. Concerns about the integrity of the entity's management may be so serious as to
cause the auditor to conclude that the risk of management misrepresentation in
the financial statements is such that an audit cannot be conducted.
ii. Concerns about the condition and reliability of an entity's records may cause the
auditor to conclude that it is unlikely that sufficient appropriate audit evidence (SAAE)
will be available to support an unqualified opinion on the F.S.

2. At Assertion Level
Risks of material misstatement at the assertion level for classes of transactions, account
balances, and disclosures need to be considered because such consideration directly assists in
determining the nature, timing, and extent of further audit procedures at the assertion level
necessary to obtain sufficient appropriate audit evidence.
Assertions Evaluated

Transaction occurred during the year

• Occurrence - transactions that have been recorded have occurred during the year.
• Completeness - transactions have been recorded completely.
• Accuracy - transactions have been recorded accurately.
• Cut-off - transactions have been recorded in correct accounting period.
• Classification - transactions have been properly classified into capital and revenue.

Account Balances at period end

• Existence - assets and liabilities shown in the balance sheet exist.
• Rights and obligations - rights of the entity have been shown as assets and the
obligations have been shown as liabilities.
• Completeness - assets and liabilities have been recorded completely.
• Valuation and allocation - assets and liabilities are included in the financial
statements at appropriate amounts and any allocation adjustments are
appropriately recorded.

Presentation and Disclosure

• Occurrence and Rights and obligations - disclosed transactions have occurred and
belong to the entity.
• Completeness - disclosures in the financial statements are complete.
• Classification and understandability - financial information is appropriately
presented and disclosures are clearly expressed.
• Accuracy and Valuation - financial and other information are disclosed fairly and at
appropriate amounts.

2.5- RISK ASSESSMENT PROCEDURES/COMPONENT OF RISK ASSESSMENT PROCEDURE

[Chart: components shown are Inquiry, Analytical procedures, Observation]

INQUIRY: Inquiries of management, and of others within the entity.
Much of the information is obtained by the auditor through inquiry from management and
others. However, the auditor may also obtain information, or a different perspective in
identifying risks of material misstatement, through inquiries of others within the entity and
other employees with different levels of authority.
For example:
1. Inquiries directed towards TCWG may help the auditor understand the environment in which
the financial statements are prepared.

3- INTERNAL CONTROL
3.1 DEFINITION (as per SA 315)

The process designed, implemented and maintained by TCWG, management and other
personnel to provide reasonable assurance about the achievement of an entity's objectives with
regard to:
• reliability of financial reporting,
• effectiveness and efficiency of operations,
• safeguarding of assets, and
• compliance with applicable laws and regulations.

The term "controls" refers to any aspects of one or more of the components of internal control.
3.2 OBJECTIVES/PURPOSE OF INTERNAL CONTROL

Internal control is designed, implemented and maintained to address identified business risks
that threaten the achievement of any of the entity's objectives that concern:

(a) Transactions are executed in accordance with management's general or specific
authorization;
(b) All transactions are promptly recorded in the correct amount in the appropriate
accounts and in the accounting period in which executed so as to permit preparation of
financial information within a framework of recognized accounting policies and
practices and relevant statutory requirements, if any, and to maintain accountability for
assets;
(c) Assets are safeguarded from unauthorised access, use or disposition; and
(d) The recorded assets are compared with the existing assets at reasonable intervals and
appropriate action is taken with regard to any differences. (PHYSICAL VERIFICATION)

The way in which internal control is designed, implemented and maintained varies with an
entity's size and complexity.

3.3 LIMITATIONS OF I.C SYSTEM / WHAT ARE THE INHERENT LIMITATIONS
OF INTERNAL CONTROL SYSTEM

| REASON | EXPLANATION |
|---|---|
| Cost effectiveness | Cost of implementation of control may be more than its benefits. Thus, management usually doesn't implement best controls. |
| Human error | Human Error, which may occur while carrying out I.C. system. It may be due to misunderstanding on part of personnel. |
| Collusion among employees | Employees may commit fraud through collusion. It may be among themselves or with outsiders. |
| Abuse of authority | The person responsible for exercising control can himself override it. Example: Person responsible for issuance of stationery to various departments only for authorised use, can himself misappropriate stationery for his personal use. |
| Manipulation by management | Manipulation by high level management may not be detected by control system. Example: Manipulation in estimates appearing in financial statements. |
| Unusual transaction | Any unusual transaction may not be controlled, because control procedures are generally made for usual transactions. |
| Change in conditions | Established control procedures may become inadequate in a fast changing environment. |

3.4 COMPONENTS OF INTERNAL CONTROL

[Chart: COMPONENTS OF I.C, showing Control Environment; Risk Assessment Process;
Information System – Areas to be examined]

Control Environment
The control environment includes the governance and management functions and the attitudes,
awareness, and actions of those charged with governance and management concerning the
entity's internal control and its importance in the entity. The control environment sets the
tone of an organization, influencing the control consciousness of its people.

Control environment includes the following elements:
1. Communication and enforcement of integrity and Ethical values.
2. Commitment to competence.
3. Participation by TCWG.
4. Management philosophy and operating style.
5. Organisational Structure.
6. Assignment of Authority and Responsibility.
7. Human resources Policies and Practices.

Risk Assessment Process
The entity's risk assessment process forms the basis for how management determines the
risks to be managed. If that process is appropriate to the circumstances, including the
nature, size and complexity of the entity, it assists the auditor in identifying RMM. Risk can
arise or change due to below mentioned circumstances:

1. Changes in Regulatory or Operating environment.
2. Recruitment of New personnel.
3. New or revamped information systems.
4. Significant and rapid expansion of operations.
5. Incorporating new technologies into production processes.
6. Entering into business areas or transactions with which an entity has little experience.
7. Corporate restructurings.
8. Expansion or acquisition of foreign operations.
9. Adoption of new accounting principles or changing accounting principles.

Information System – Areas to be examined
The information system relevant to financial reporting objectives, which includes the
accounting system, consists of the procedures and records designed and established to:

1. Initiate, record, process, and report entity transactions;
2. Resolve incorrect processing of transactions;
3. Process and account for system overrides or bypasses to controls;
4. Transfer information from transaction processing systems to the general ledger;
5. Capture information relevant to financial reporting for events and conditions other than
transactions, such as the depreciation and amortisation of assets; and
6. Ensure information required to be disclosed by the applicable FRF is accumulated,
recorded, processed, summarized and appropriately reported in the F.S.

4- REVIEW OF IC. BY AUDITOR/ EVALUATION OF INTERNAL CONTROL BY THE AUDIT

4.1 Review of I.C. – Meaning

Review of I.C. refers to examination and evaluation of the internal control system of the
client.

Information required for review
The auditor should acquaint himself with the following:

• important features of the business carried on by the concern,
• the nature of the activities,
• system followed in the entire process of manufacturing, trading and administration,
• basis on which the control and procedures are laid down by the management.

This knowledge he can always obtain by having discussion with the various managers of the
organisation.

Auditor should also look at the company's procedures, manuals, organisation flow charts to
ascertain the character, scope and efficacy of the control system. Sometimes, manuals and
charts are not available or very little information is available. In that case, the auditor should
contact the right officers and employees to get the desired information.

4.2 Need for review/Control activities relevant to Audit

To assure that I.C. system is adequate. Control activities are the policies and procedures that
help ensure that management directives are carried out and may pertain to following:
1. Performance Reviews.
2. Information processing.
3. Physical controls.
4. Segregation of Duties.

4.3 Role/Advantages of Review of I.C/ Accounting & financial controls help in

It enables the auditor to ascertain whether
(i) Internal control system is adequate & operating effectively.
(ii) I.C. is able to prevent, detect & correct material misstatement.
(iii) I.C. properly safeguards the assets.
(iv) I.C. ensures correct recording of transaction.
(v) Reports & Certificate provided by management are reliable.
(vi) I.C. are weak / excessive in a particular area.
(vii) Effective internal audit department is in operation.
(viii) Suggestions can be given to management to improve the I.C. system.
(ix) Extensive Substantive procedures are required.
(x) Audit procedures or techniques need to be changed from planned ones.

Financial Control specially help in:
• Preparation of periodical reports on timely basis.
• Ensuring adequate and timely financial reporting.
• Segregation of accounting & custodial functions.
• Establishing procedures in such a way that a single person can't have complete control over
a transaction from starting to end.
• Providing for internal check, by which work of one person is reviewed by another.
• Formulating cut-off procedures to separate transactions of two consecutive years.
• Having proper documentation/ manual at every stage.

4.4 Methods/Tools to Review the IC system

1- Narrative Record
This is a complete and exhaustive description of the system as found in operation by the
auditor. Actual testing and observation are necessary before such a record can be developed.
It may be recommended in cases where no formal control system is in operation and would
be more suited to small business.
Example
For stock control evaluation, it contains documents prepared, employees discharging various
duties, various stages of stock movements etc.
Advantages
• To comprehend the system in operation is quite difficult.
• To identify weaknesses or gaps in the system.
• To incorporate changes arising on account of reshuffling of manpower, etc.
Limitations
• Detailed observation is needed (time consuming).
• It doesn't readily identify weakness in system.
• Constant updating is needed if circumstances are changed.

2- Check list
This is a series of instructions and/or questions which a member of the auditing staff must
follow and/or answer. When he completes an instruction, he initials the space against the
instruction. Answers to the check list instructions are usually Yes, No or Not Applicable. This is
again an on the job requirement and instructions are framed having regard to the desirable
elements of control.

Example
• Are tenders called before placing orders?
• Are the purchases made on the basis of a written order?
• Is the purchase order form standardised?
• Are purchase order forms pre-numbered?
Advantage
• On the job requirement, thus motivating.
• Completed checklist is studied by the senior audit staff, thus weaknesses can't be
overlooked.
• Easy location of weakness.

Limitations
• Requires intelligence to prepare proper checklist.
• Time consuming.
• Client can manipulate when responding to questions raised by audit staff.

3- I.C. questionnaire
This is a comprehensive series of questions concerning internal control. This is the most widely
used form for collecting information about the existence, operation and efficiency of internal
control in an organisation.
The questionnaire is usually issued to the client and the client is requested to get it filled by
the concerned executives and employees. If on a perusal of the answers, inconsistencies or
apparent incongruities are noticed, the matter is further discussed by auditor's staff with the
client's employees for a clear picture. The concerned auditor then prepares a report of
deficiencies and recommendations for improvement.
Example
"Do you keep invoice pre-numbered?" Now client answers as "Yes", "No" or "Not Applicable".
Usually questions are framed in such a way that "No" shows weakness.
Advantage
• Detailed questionnaire, thus no important aspect is overlooked.
• Weaknesses are easily located.
• Evaluating I.C. system becomes systematic & easy.
• Recommendations can be readily provided by auditor.

Limitation
• Time consuming.
• Client may answer it in a hasty way.
• Client may manipulate the answers.

4- Flowchart
It is a graphic presentation of each part of the company's system of internal control. A flow
chart is considered to be the most concise way of recording the auditor's review of the system.
It minimises the amount of narrative explanation and thereby achieves a consideration or
presentation not possible in any other form. It gives bird's eye view of the system and the flow
of transactions and integration and in documentation, can be easily spotted and improvements
can be suggested.
It is also necessary for the auditor to study the significant features of the business carried on
by the concern; the nature of its activities and various channels of goods and materials as well
as cash, both inward and outward; and also a comprehensive study of the entire process of
manufacturing, trading and administration. This will help him to understand and evaluate the
internal controls in the correct perspective.
Advantage
• Concise presentation.
• Easily understandable.
• Gives "bird's eye view" of complete system.

Limitation
• Time consuming to prepare such a flowchart which is concise yet showing every
important aspect of I.C.
• Weakness can't be readily located.
4.5 WHICH CONTROLS RELEVANT TO AUDIT


There is a direct relationship between an entity's objectives and the controls it implements to
provide reasonable assurance about their achievement. The entity's objectives, and therefore
controls, relate to financial reporting, operations and compliance; however, not all of these
objectives and controls are relevant to the auditor's risk assessment.

Factors relevant to the auditor's judgment about whether a control, individually or in
combination with others, is relevant to the audit may include such matters as the following:

(a) Materiality.
(b) The significance of the related risk.
(c) The size of the entity.
(d) The nature of the entity's business, including its organisation and ownership
characteristics.
(e) The diversity and complexity of the entity's operations.
(f) Applicable legal and regulatory requirements.
(g) The circumstances and the applicable component of internal control.
(h) The nature and complexity of the systems that are part of the entity's internal control,
including the use of service organisations.
(i) Whether, and how, a specific control, individually or in combination with others,
prevents, or detects and corrects, material misstatement.

Nature and Extent of the Understanding of Relevant Controls

• Evaluating the design of a control involves considering whether the control, individually
or in combination with other controls, is capable of effectively preventing, or detecting
and correcting, material misstatements.
• Implementation of a control means that the control exists and that the entity is using
it. There is little point in assessing the implementation of a control that is not effective,
and so the design of a control is considered first. An improperly designed control may
represent a material weakness in the entity's internal control.
• Risk assessment procedures to obtain audit evidence about the design and
implementation of relevant controls may include:
(a) Inquiring of entity personnel.
(b) Observing the application of specific controls.
(c) Inspecting documents and reports.
(d) Tracing transactions through the information system relevant to financial
reporting.

4.6 Testing of Internal Control System


After assimilating internal control system, the auditor needs to examine whether and how far
the same is actually in operation. Tests of control may include:
(a) Inspection of documents supporting transactions and other events to gain audit
evidence that internal controls have operated properly.
(b) Inquiries about and observation of internal controls which leave no audit trail.
(c) Re-performance of internal controls.
(d) Testing of internal controls operating on specific computerised applications.
Based on the results of the tests of control, the auditor should evaluate whether the internal
controls are designed and operating as contemplated in the preliminary assessment of control
risk.

It has been suggested that actual operation of the internal control should be tested by the
application of procedural tests and examination in depth.

4.7 Impact of satisfactory control environment

• The existence of a satisfactory control environment works as a positive factor when the
auditor assesses the RMM.
• But at the same time, it is to be kept in mind that a satisfactory control environment is
not an absolute deterrent to fraud. Deficiencies in the control environment may
undermine the effectiveness of controls, in particular in relation to fraud.
• As per SA 330, the control environment also influences the nature, timing, and extent of
the auditor's further procedures.
• The control environment in itself does not prevent, or detect and correct, a material
misstatement. It may, however, influence the auditor's evaluation of the effectiveness of
other controls (for example, the monitoring of controls and the operation of specific
control activities) and thereby, the auditor's assessment of the risks of material
misstatement.

5- INTERNAL CONTROL AND IT ENVIRONMENT


5.1 Controls in Manual and IT System
As per SA 315, an entity's system of internal control contains manual elements and often
contains automated elements. The characteristics of manual or automated elements are
relevant to the auditor's risk assessment and further audit procedures based thereon.

The use of manual or automated elements in internal control also affects the manner in which
transactions are initiated, recorded, processed, and reported:

• Controls in a manual system may include such procedures as approvals and reviews of
transactions, and reconciliations and follow-up of reconciling items. Alternatively, an
entity may use automated procedures to initiate, record, process, and report
transactions, in which case records in electronic format replace paper documents.
• Controls in IT systems consist of a combination of automated controls (for example,
controls embedded in computer programs) and manual controls.

An entity's mix of manual and automated elements in internal control varies with the nature
and complexity of the entity's use of IT.

5.2 Benefits of IT to an entity’s Internal Control
As per SA 315, IT benefits an entity’s internal control by enabling an entity to:

(a) Consistently apply predefined business rules and perform complex calculations in
processing large volumes of transactions or data;
(b) Enhance the timeliness, availability, and accuracy of information;
(c) Facilitate the additional analysis of information;
(d) Enhance the ability to monitor the performance of the entity’s activities and its policies
and procedures;
(e) Reduce the risk that controls will be circumvented; and
(f) Enhance the ability to achieve effective segregation of duties by implementing security
controls in applications, databases, and operating systems.

5.3 Risk to internal control imposed by IT

As per SA 315, IT also poses specific risks to an entity’s internal control, including, for
example:

(a) Reliance on systems or programs that are inaccurately processing data, processing
inaccurate data, or both.
(b) Unauthorised access to data that may result in destruction of data or improper changes
to data, including the recording of unauthorized or non-existent transactions, or
inaccurate recording of transactions. Particular risk may arise when multiple users
access a common database.
(c) The possibility of IT personnel gaining access beyond those necessary to perform their
assigned duties thereby breaking down segregation of duties.
(d) Unauthorised changes to data in Master files.
(e) Unauthorised changes to systems or programs.
(f) Failure to make necessary changes to systems or programs.
(g) Inappropriate manual intervention.
(h) Potential loss of data or inability to access data as required.
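
A check that a control owner or IT auditor could run over an access listing and a master-file change log to surface risks (b) to (d) above. It is an added example, not part of the original notes: the role names, users, tables and log rows are constructed, and the conflicting-role pairs and the roles assumed necessary for IT staff are assumptions made for illustration.

```python
"""Flag segregation-of-duties and master-file risks listed in section 5.3.

All role names, users, tables and log rows below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Optional

# Assumed pairs of duties that one person should not hold together
# (custody vs. records, initiating vs. approving, IT vs. business posting).
CONFLICTING_ROLES = [
    ("cash_custody", "ledger_posting"),
    ("vendor_master_edit", "payment_approval"),
    ("payment_initiate", "payment_approval"),
    ("db_admin", "ledger_posting"),
]

# Constructed access listing: user -> (department, roles granted)
ACCESS = {
    "asha":   ("finance", {"ledger_posting", "payment_initiate"}),
    "bikram": ("finance", {"payment_initiate", "payment_approval"}),
    "chitra": ("it",      {"db_admin", "ledger_posting"}),
    "dev":    ("stores",  {"cash_custody"}),
    "esha":   ("finance", {"vendor_master_edit"}),
}

# Assumed mapping of master tables to the role allowed to edit them
TABLE_EDIT_ROLE = {
    "vendor_master": "vendor_master_edit",
    "price_master": "price_master_edit",
}


@dataclass(frozen=True)
class MasterChange:
    change_id: str
    table: str
    changed_by: str
    approved_by: Optional[str]  # None means no approval was recorded


# Constructed master-file change log
CHANGES = [
    MasterChange("MC-001", "vendor_master", "esha", "asha"),
    MasterChange("MC-002", "vendor_master", "esha", "esha"),
    MasterChange("MC-003", "price_master", "chitra", None),
    MasterChange("MC-004", "vendor_master", "bikram", "asha"),
]


def sod_conflicts(access):
    """Return sorted (user, role_a, role_b) for every conflicting pair held."""
    findings = []
    for user, (_dept, roles) in access.items():
        for role_a, role_b in CONFLICTING_ROLES:
            if role_a in roles and role_b in roles:
                findings.append((user, role_a, role_b))
    return sorted(findings)


def it_excess_access(access, it_allowed=frozenset({"db_admin"})):
    """Risk (c): IT personnel holding roles beyond those assumed necessary."""
    return {
        user: sorted(roles - it_allowed)
        for user, (dept, roles) in access.items()
        if dept == "it" and roles - it_allowed
    }


def master_change_exceptions(changes, access):
    """Risk (d): master-file changes without an authorised editor or an
    independent approver. Returns {change_id: [reasons]}."""
    exceptions = {}
    for change in changes:
        reasons = []
        editor_roles = access.get(change.changed_by, ("", set()))[1]
        if TABLE_EDIT_ROLE.get(change.table) not in editor_roles:
            reasons.append("editor lacks edit role")
        if change.approved_by is None:
            reasons.append("no approval recorded")
        elif change.approved_by == change.changed_by:
            reasons.append("self-approved")
        elif change.approved_by not in access:
            reasons.append("approver unknown")
        if reasons:
            exceptions[change.change_id] = reasons
    return exceptions


if __name__ == "__main__":
    for row in sod_conflicts(ACCESS):
        print("SoD conflict:", row)
    print("IT excess access:", it_excess_access(ACCESS))
    for change_id, why in master_change_exceptions(CHANGES, ACCESS).items():
        print(change_id, "->", ", ".join(why))
```

Each finding is a starting point for inquiry, not a conclusion: a flagged role pair may be covered by a compensating manual control such as an independent review.
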
6- INTERNAL CONTROL QUESTIONNAIRE (ICQ) AND INTERNAL CONTROL
EVALUATION (ICE)

An Internal Control Questionnaire (ICQ) contains a series of questions on various aspects of
the internal control system adopted by the client. It is prepared by the auditor and generally filled
in by the client's staff. The questions are framed in such a way that a ‘No’ answer represents a
weakness in the client’s system. It does not, however, give any idea about the importance of those
weaknesses, i.e. how significantly a particular weakness can affect a material transaction,
account balance or disclosure requirement in the financial statements.
Internal Control Evaluation (ICE), on the other hand, attempts to identify the significance of
those weaknesses which have been listed in the ICQ. It emphasizes whether and to what extent a
weakness may be material as far as accounting is concerned. It is thus more detailed and
provides the auditor with a real insight into the significance of weaknesses in the client's internal
control system and their potential effect.

7- EXAMINATION IN DEPTH / WALK THROUGH TEST

A walk-through test is a procedure used during an audit of an entity's accounting system to
gauge its reliability. A walk-through test traces a transaction step-by-step through the
accounting system from its inception to the final disposition, that is, IR PR. It enables the
auditor to study the recording of a transaction at various stages, and the auditor examines records &
authorities at each stage. Thus, he is able to understand overall internal control over a specific
item in an effective way.
It involves checking a few transactions, from beginning to end, through the entire flow of the transaction.
Example
If “receipt from debtor” regarding sale is to be checked in depth, following should be checked:
(i) The order received from customer;
(ii) The copy of sales invoice given to him by appropriate authority;
(iii) The entry in stock register showing dispatch of goods;
(iv) The statement of account given to him;
(v) Duplicate copy of receipt issued to him; and
(vi) Corresponding entry in his account as well as in cash Book.

8- INTERNAL CHECK

Internal check is a check on day-to-day transactions, operating continuously as part of the routine
system, whereby work carried out by one person is automatically checked by another to prevent
fraud or error and to detect fraud and error early.
Relation with I.C. System
Internal Check is part of the overall Internal Control System & operates as a built-in device.
MONITORING OF CONTROLS
The auditor shall obtain an understanding of the major activities that the entity uses to monitor
internal control over financial reporting. The following points merit consideration in this regard:
(a) Monitoring of controls is a process to assess the effectiveness of internal control
performance over time.
(b) It involves assessing the effectiveness of controls on a timely basis and taking necessary
corrective actions.
(c) Management accomplishes monitoring of controls through ongoing activities, separate
evaluations, or a combination of the two. Ongoing monitoring activities are often built
into the normal recurring activities of an entity and include regular management and
supervisory activities.
(d) Management’s monitoring activities may also include using information from
communications from external parties such as customer complaints and regulator
comments that may indicate problems or highlight areas in need of improvement.
(e) Management's monitoring of controls is often accomplished by management’s or the
owner-manager’s close involvement in operations.
General considerations in framing a system of internal check

Distribution of powers: Administrative & financial powers (e.g. ordering product, issuing cheques, etc.) should be distributed among different personnel.

No independent control: A single person should not have independent control over any important aspect of business.

Custody-Records distribution: Persons having physical custody of assets should not have access to accounts or records.

Check by another: All acts of one person should come under the review of another.

Job rotation: Duties of staff should be changed from time to time without previous notice.

Leave: Every personnel should be encouraged to go on leave at least once in a year. Fraud done by employee can be detected easily when he is absent.

Budgetary control: Budgets should be prepared for important activities. If difference between budgeted & actual figure is significant, it should be enquired into.

Accounting control: For each important asset, accounting control should also be periodically examined.

Stock control: During stock taking at end of accounting period, trading activities should be suspended, if possible.

Cash control: To prevent misappropriation of cash, mechanical devices (e.g. automatic cash register) can be employed.

Updation of procedure: Timely review of procedures enables the management to change them, if need arises.

9- SA 315 - IDENTIFYING AND ASSESSING THE RISK OF MATERIAL MISSTATEMENT
THROUGH UNDERSTANDING THE ENTITY AND ITS ENVIRONMENT AND RELATED
INTERNAL CONTROLS

Objective
The auditor should identify and assess the risks of material misstatement,
whether due to fraud or error, at the financial statement and assertion
levels.
The auditor should understand the entity and its environment, including the
entity’s internal control.
Thus, he can design and implement responses to the assessed risks of
material misstatement.
This will help the auditor to reduce the risk of material misstatement to an
acceptably low level.

Definitions
Assertions
Representations by management, explicit or otherwise, embodied in the
financial statements.
Business risk
A risk resulting from significant conditions, events, circumstances, actions
or inactions that could adversely affect an entity’s ability to achieve its
objectives.
Internal control
The process designed, implemented and maintained by those charged with
governance, management and other personnel to provide reasonable
assurance about the achievement of an entity’s objectives with regard to
reliability of financial reporting, effectiveness and efficiency of operations,
safeguarding of assets, and compliance with applicable laws and
regulations.
Risk assessment procedures
The audit procedures performed to obtain an understanding of the entity
and its environment, including the entity’s internal control, to identify and
assess the risks of material misstatement at the financial statement and
assertion levels.
Significant Risk
An identified and assessed risk of material misstatement that requires
special audit consideration.
Material Weakness
A weakness in internal control that could have a material effect on the
financial statements.

Risk assessment procedures and related activities
Risk assessment procedures by themselves, however, do not provide
sufficient appropriate audit evidence on which to base the audit opinion.
The risk assessment procedures shall include the following:
(a) Inquiries of management, and of others within the entity.
(b) Analytical procedures.
(c) Observation and inspection.
The auditor shall consider whether information obtained from the
auditor’s client acceptance or continuance process is relevant to
identifying risks of material misstatement.
Where the engagement partner has performed other engagements for the
entity, consider whether information obtained is relevant to identifying
risks of material misstatement.
If the auditor uses his previous experience, consider if changes have occurred
since the previous audit.
The engagement partner and other key engagement team members shall
discuss the susceptibility of the entity’s financial statements to material
misstatement.

Understanding of the entity and its environment, including the entity’s internal control
The entity and its environment
The auditor shall obtain an understanding of the following:
1. Relevant industry, regulatory, and other external factors.
2. The nature of the entity, including:
• its operations;
• its ownership and governance structures;
• the types of investments; and
• the way that the entity is structured and how it is financed.
3. The entity’s selection and application of accounting policies,
including the reasons for changes thereto.
4. The entity’s objectives and strategies, and those related business
risks that may result in risks of material misstatement.
5. The measurement and review of the entity’s financial performance.
The entity’s internal control
The auditor shall obtain an understanding of internal control relevant to
the audit. Although most controls relevant to the audit are likely to relate
to financial reporting, not all controls that relate to financial reporting are
relevant to the audit.
Nature and extent of the understanding of relevant controls
Auditor will evaluate the design of controls and determine whether they
have been implemented.
Control environment
The auditor shall evaluate whether:
(a) Management, with those charged with governance, has created and
maintained a culture of honesty and ethical behaviour; and
(b) The strengths in the control environment provide an appropriate
foundation for the other components of internal control.
The entity’s risk assessment process
• Consider if entity has a process for:
(a) Identifying business risks relevant to financial reporting objectives;
(b) Estimating the significance of the risks;
(c) Assessing the likelihood of their occurrence; and
(d) Deciding about actions to address those risks.
If the entity has established a risk assessment process, the auditor
shall obtain an understanding of it, and the results thereof.
If the entity has not established such a process or has an ad hoc process,
the auditor shall discuss with management whether business risks
relevant to financial reporting objectives have been identified and how they
have been addressed.
The information system, including the related business processes,
relevant to financial reporting, and communication
The auditor shall obtain an understanding of the following areas:
a. The classes of transactions;
b. The procedures, within both information technology (IT) and
manual systems, by which those transactions are initiated,
recorded, processed and reported in the financial statements;
c. The related accounting records;
d. How the information system captures events and conditions, other
than transactions, that are significant to the financial statements;
e. The financial reporting process;
f. Controls surrounding journal entries.
The auditor shall obtain an understanding of:
• Communications between management and those charged with
governance; and
• External communications, such as those with regulatory
authorities.
Control activities relevant to the audit
• The auditor shall obtain an understanding of control to assess the
risks of material misstatement at the assertion level and design
further audit procedures.
• In understanding the entity’s control activities, the auditor shall
obtain an understanding of how the entity has responded to risks
arising from IT.
Monitoring of controls
Obtain an understanding of the:
(a) Activities that the entity uses to monitor internal control over financial
reporting, and
(b) Sources of the information used in the entity’s monitoring activities and
their reliability.

Identifying and assessing the risks of material misstatement
The auditor shall identify and assess the risks of material
misstatement at:
(a) The financial statement level; and
(b) The assertion level for classes of transactions, account balances, and
disclosures;
to provide a basis for designing and performing further audit
procedures.
For this purpose, the auditor shall:
(a) Identify risks,
(b) Assess and evaluate the identified risks,
(c) Relate the identified risks to what can go wrong at the assertion level,
(d) Consider the likelihood of misstatement.
Risks that require special audit consideration
In exercising judgment as to which risks are significant risks, the auditor
shall consider the following:
(a) Whether the risk is a risk of fraud;
(b) Whether the risk is related to recent significant economic, accounting,
or other developments;
(c) The complexity of transactions;
(d) Whether the risk involves significant transactions with related parties;
(e) The degree of subjectivity in the measurement of financial information;
and
(f) Whether the risk involves significant unusual transactions.
Risks for which substantive procedures alone do not provide
sufficient appropriate audit evidence
Such risks may relate to the inaccurate or incomplete recording of routine
and significant classes of transactions or account balances, the
characteristics of which often permit highly automated processing with
little or no manual intervention. In such cases, the entity’s controls over
such risks are relevant to the audit and the auditor shall obtain an
understanding of them.
Revision of risk assessment
The auditor’s assessment of the risks of material misstatement at the
assertion level may change during the course of the audit as additional
audit evidence is obtained. The auditor shall revise the assessment and
modify the further planned audit procedures accordingly.

Material weakness in internal control
The auditor shall evaluate whether he identified a material weakness in
the design, implementation or maintenance of internal control.
The auditor shall communicate material weaknesses in internal control
identified during the audit on a timely basis to management at an
appropriate level of responsibility, and, as required by SA 260

Documentation
The auditor shall document:
1. The discussion among the engagement team;
2. Key elements of the understanding obtained regarding each of the
aspects of the entity and its environment;
3. The identified and assessed risks of material misstatement at the
financial statement level and at the assertion level; and
4. The risks identified, and related controls.

10- SA 320 (REVISED) MATERIALITY IN PLANNING AND PERFORMING AN AUDIT

Scope of this SA
This Standard on Auditing (SA) deals with the auditor’s responsibility to
apply the concept of materiality in planning and performing an audit of
financial statements. SA 450 explains how materiality is applied in
evaluating the effect of identified misstatements on the audit and of
uncorrected misstatements, if any, on the financial statements.

Materiality in the context of an audit
1. Financial reporting frameworks often discuss the concept of
materiality in the context of the preparation and presentation of
financial statements.
Although financial reporting frameworks may discuss materiality in
different terms, they generally explain that:
■ Misstatements, including omissions, are material if they,
individually or in the aggregate, influence the economic
decisions of users taken on the basis of the financial
statements;
■ Judgments about materiality are made in the light of
surrounding circumstances, and are affected by the size or
nature of a misstatement; and
■ Judgments about matters that are material to users of the
financial statements are based on a consideration of the
common financial information needs of users as a group.
2. If the applicable financial reporting framework does not include a
discussion of the concept of materiality, the characteristics referred
to in the above paragraph provide the auditor with such a frame of
reference.
3. The auditor’s determination of materiality is a matter of professional
judgment, and is affected by the auditor’s perception of the financial
information needs of users of the financial statements. In this
context, it is reasonable for the auditor to assume that users:
(a) Have a reasonable knowledge of business and economic
activities and accounting and a willingness to study the
information in the financial statements with reasonable
diligence;
(b) Understand that financial statements are prepared, presented
and audited to levels of materiality;
(c) Recognize the uncertainties inherent in the measurement of
amounts based on the use of estimates, judgment and the
consideration of future events; and
(d) Make reasonable economic decisions on the basis of the
information in the financial statements.

4. The concept of materiality is applied by the auditor both in planning
and performing the audit, and in evaluating the effect of identified
misstatements on the audit and of uncorrected misstatements, if
any, on the financial statements and in forming the opinion in the
auditor’s report.
5. In planning the audit, the auditor makes judgments about the size of
misstatements that will be considered material. These judgments
provide a basis for:
(a) Determining the nature, timing and extent of risk assessment
procedures;
(b) Identifying and assessing the risks of material misstatement;
and
(c) Determining the nature, timing and extent of further audit
procedures.
6. The auditor considers not only the size but also the nature of
uncorrected misstatements, when evaluating their effect on the financial
statements.

Effective date
This SA is effective for audits of financial statements for periods
beginning on or after April 1, 2010.

Objective
The objective of the auditor is to apply the concept of materiality
appropriately in planning and performing the audit.

Definition
For purposes of the SAs, performance materiality means the amount or
amounts set by the auditor at less than materiality for the financial
statements as a whole to reduce to an appropriately low level the
probability that the aggregate of uncorrected and undetected
misstatements exceeds materiality for the financial statements as a
whole. If applicable, performance materiality also refers to the amount or
amounts set by the auditor at less than the materiality level or levels for
particular classes of transactions, account balances or disclosures.

Determining materiality and performance materiality when planning the audit
1. When establishing the overall audit strategy, the auditor shall
determine materiality for the financial statements as a whole. If
there are one or more particular items for which misstatements of
lesser amounts than the materiality for the financial statements as
a whole could reasonably be expected to influence the economic
decisions of users taken on the basis of the financial statements,
the auditor shall also determine the materiality level or levels to be
applied to those particular items.
2. The auditor shall determine performance materiality for purposes of
assessing the risks of material misstatement and determining the
nature, timing and extent of further audit procedures.
Use of Benchmarks in determining Materiality for the Financial
Statements as a whole:
Determining materiality involves the exercise of professional judgment. A
percentage is often applied to a chosen benchmark as a starting point in
determining materiality for the financial statements as a whole. Factors
that may affect the identification of an appropriate benchmark include
the following:
• The elements of the financial statements (for example, assets,
liabilities, equity, revenue, expenses);
• Whether there are items on which the attention of the users of the
particular entity’s financial statements tends to be focused (for
example, for the purpose of evaluating financial performance users
may tend to focus on profit, revenue or net assets);
• The nature of the entity, where the entity is at in its life cycle, and
the industry and economic environment in which the entity
operates;
• The entity’s ownership structure and the way it is financed (for
example, if an entity is financed solely by debt rather than equity,
users may put more emphasis on assets, and claims on them, than
on the entity’s earnings); and
• The relative volatility of the benchmark.
Examples of benchmarks that may be appropriate, depending on the
circumstances of the entity, include categories of reported income such
as profit before tax, total revenue, gross profit and total expenses, total
equity or net asset value.
Profit before tax from continuing operations is often used for profit-
oriented entities. When profit before tax from continuing operations is
volatile, other benchmarks may be more appropriate, such as gross
profit or total revenues.
Determining a percentage to be applied to a chosen benchmark involves
the exercise of professional judgment. There is a relationship between
the percentage and the chosen benchmark, such that a percentage
applied to profit before tax from continuing operations will normally be
higher than a percentage applied to total revenue. For example, the
auditor may consider five percent of profit before tax from continuing
operations to be appropriate for a profit-oriented entity in a
manufacturing industry, while the auditor may consider one percent of
total revenue or total expenses to be appropriate for a not-for-profit
entity. Higher or lower percentages, however, may be deemed
appropriate in different circumstances.

Revision as the audit progresses
1. The auditor shall revise materiality for the financial statements as a
whole (and, if applicable, the materiality level or levels for particular
classes of transactions, account balances or disclosures) in the
event of becoming aware of information during the audit that would
have caused the auditor to have determined a different amount (or
amounts) initially.
2. If the auditor concludes that a lower materiality for the financial
statements as a whole (and, if applicable, materiality level or levels
for particular classes of transactions, account balances or
disclosures) than that initially determined is appropriate, the
auditor shall determine whether it is necessary to revise
performance materiality, and whether the nature, timing and extent
of the further audit procedures remain appropriate.

Documentation
The audit documentation shall include the following amounts and the
factors considered in their determination:
(a) Materiality for the financial statements as a whole;
(b) If applicable, the materiality level or levels for particular classes of
transactions, account balances or disclosures;
(c) Performance materiality; and
(d) Any revision of (a)-(c) as the audit progressed.

11- SA 330- THE AUDITOR’S RESPONSES TO ASSESSED RISKS

Definitions
(a) Substantive procedure - An audit procedure designed to detect
material misstatements at the assertion level. Substantive procedures
comprise:
(i) Tests of details (of classes of transactions, account balances, and
disclosures), and
(ii) Substantive analytical procedures.
(b) Test of controls - An audit procedure designed to evaluate the
operating effectiveness of controls in preventing, or detecting and
correcting, material misstatements at the assertion level.

Overall Responses
The auditor shall design and implement overall responses to address the
assessed risks of material misstatement at the financial statement level.

Audit procedures responsive to the assessed risks of material misstatement at the assertion level
■ The auditor shall design and perform further audit procedures whose
nature, timing and extent are based on and are responsive to the assessed
risks of material misstatement at the assertion level.
■ In designing the further audit procedures to be performed, the auditor
shall:
a) Consider the likelihood of material misstatement due to the
particular characteristics of the relevant class of transactions,
account balance, or disclosure (i.e., the inherent risk); and whether
the risk assessment takes into account the relevant controls (i.e.,
the control risk)
b) Obtain more persuasive audit evidence the higher the auditor’s
assessment of risk.
Study Step 1 to 3

STEP 1

Tests of Controls
The auditor shall design and perform tests of controls when:
(a) He expects that the controls are operating effectively; or
(b) Substantive procedures alone cannot provide sufficient appropriate
audit evidence at the assertion level.

Timing of Tests of Controls
The auditor shall test controls for the particular time, or throughout the
period.

Using audit evidence obtained during an interim period
When the auditor obtains audit evidence about the operating effectiveness
of controls during an interim period, the auditor shall:
(a) Consider significant changes to those controls; and
(b) Determine the additional audit evidence to be obtained for the
remaining period.

Using audit evidence obtained in previous audits
He shall establish the continuing relevance of that evidence by obtaining
audit evidence about whether significant changes in those controls have
occurred subsequent to the previous audit.
(a) If there have been changes, the auditor shall test the controls in the
current audit.
(b) If there have not been such changes, the auditor shall test the controls
at least once in every third audit, and shall test some controls each
audit.

Controls over significant risks
When the auditor plans to rely on controls over a significant risk, the
auditor shall test those controls in the current period.

Evaluating the operating effectiveness of controls
The auditor should consider whether misstatements that have been detected
indicate that controls are not operating effectively.
Even if there are no identified misstatements, controls may not be
effective.
The auditor shall communicate material weaknesses in internal control
identified during the audit on a timely basis to management at an
appropriate level and TCWG according to SA 265.

STEP 2

Substantive procedures
Irrespective of the assessed risks of material misstatement, the auditor
shall design and perform substantive procedures for each material class of
transactions, account balance, and disclosure.

Substantive Procedures Related to the Financial Statement Closing Process
The auditor’s substantive procedures shall include:
(a) Agreeing or reconciling the financial statements with the
underlying accounting records; and
(b) Examining material journal entries and other adjustments made
during the course of preparing the financial statements.

Substantive Procedures Responsive to Significant Risks
When the auditor has determined a significant risk, the auditor shall
perform substantive procedures that are specifically responsive to that
risk.
Timing of Substantive Procedures
When substantive procedures are performed at an interim date, the
auditor shall cover the remaining period.

Adequacy of presentation and disclosure
The auditor shall perform audit procedures to evaluate whether the overall
presentation of the financial statements, including the related disclosures,
is in accordance with the applicable financial reporting framework.

Evaluating the sufficiency and appropriateness of audit evidence
The auditor shall conclude whether sufficient appropriate audit evidence
has been obtained. In forming an opinion, the auditor shall consider all
relevant audit evidence.
If the auditor has not obtained sufficient appropriate audit evidence as to
a material financial statement assertion, the auditor shall try to obtain further audit
evidence. If the auditor is unable to obtain sufficient appropriate audit
evidence, the auditor shall express a qualified opinion or a disclaimer of
opinion.

STEP 3

Documentation
The auditor shall document:
(a) The overall responses to address the assessed risks of material
misstatement at the financial statement level;
(b) The linkage of those procedures with the assessed risks at the
assertion level; and
(c) The results of the audit procedures.
If he uses audit evidence about the operating effectiveness of controls
obtained in previous audits, the auditor shall document the conclusions
reached about relying on such controls that were tested in a previous
audit.
The auditor’s documentation shall demonstrate that the financial
statements agree or reconcile with the underlying accounting records.

12- SA 265 COMMUNICATING DEFICIENCIES IN INTERNAL CONTROL TO THOSE
CHARGED WITH GOVERNANCE AND MANAGEMENT

Scope of this SA
1. This Standard on Auditing (SA) deals with the auditor’s
responsibility to communicate appropriately to those charged with
governance and management deficiencies in internal control that
the auditor has identified in an audit of financial statements.
2. The auditor is required to obtain an understanding of internal
control relevant to the audit when identifying and assessing the
risks of material misstatement. In making those risk assessments,
the auditor considers internal control in order to design audit
procedures that are appropriate in the circumstances, but not for
the purpose of expressing an opinion on the effectiveness of internal
control. The auditor may identify deficiencies in internal control not
only during this risk assessment process but also at any other stage
of the audit. This SA specifies which identified deficiencies the
auditor is required to communicate to those charged with
governance and management.
3. Nothing in this SA precludes the auditor from communicating to
those charged with governance and management other internal
control matters that the auditor has identified during the audit.

Definitions
I. Deficiency in internal control - This exists when:
• A control is designed, implemented or operated in such a way that it
is unable to prevent, or detect and correct, misstatements in the
financial statements on a timely basis; or
• A control necessary to prevent, or detect and correct, misstatements
in the financial statements on a timely basis is missing.
II. Significant deficiency in internal control - A deficiency or
combination of deficiencies in internal control that, in the auditor’s
professional judgment, is of sufficient importance to merit the
attention of those charged with governance.

Requirements
1. The auditor shall determine whether, on the basis of the audit work
performed, the auditor has identified one or more deficiencies in internal
control.
2. If the auditor has identified one or more deficiencies in internal
control, the auditor shall determine whether they constitute significant
deficiencies.
3. The auditor shall communicate in writing significant deficiencies in
internal control identified during the audit to those charged with
governance on a timely basis. The auditor shall also communicate to
management at an appropriate level of responsibility on a timely basis:
(a) In writing, significant deficiencies in internal control that the
auditor has communicated or intends to communicate to those charged
with governance.
(b) Other deficiencies in internal control identified during the audit
that have not been communicated to management by other parties and
that, in the auditor‟s professional judgment, are of sufficient importance to
merit management‟s attention.
4. The auditor shall include in the written communication of significant
deficiencies in internal control:
(a) A description of the deficiencies and an explanation of their potential
effects: and
(b) Sufficient information to enable those charged with governance and
management to understand the context of the communication. In
particular, the auditor shall explain that:
(i) The purpose of the audit was for the auditor to express an opinion on
the financial statements;
(ii) The audit included consideration of internal control relevant to the
preparation of the financial statements in order to design audit procedures
that are appropriate in the circumstances, but not for the purpose of
expressing an opinion on the effectiveness of internal control; and
(iii) The matters being reported are limited to those deficiencies that the
auditor has identified during the audit and that the auditor has concluded
are of sufficient importance.

13- INTERNAL AUDIT

Internal audit is an independent appraisal activity within an organisation for the review of
activities and for providing suggestions for improvement thereof.
• The scope of internal audit is not restricted to financial transactions, but also extends to the
task of reviewing all operations of the enterprise so as to evaluate the effectiveness of
management.

Objectives and Scope of Internal Audit Function/ Functions/ Activities of Internal Auditor
The objectives and scope of internal audit functions typically include
assurance and consulting activities designed to evaluate and improve the
effectiveness of the entity's governance processes, risk management and
internal control.

Activities Relating to Governance
Internal audit function may assess the governance process in its
accomplishment of objectives on ethics and values, accountability and
communicating risk to appropriate areas of the organization.

Activities Relating to Risk Management
Internal audit function may assist the entity by identifying and evaluating
significant exposures to risk and contributing to the improvement of risk
management and internal control (including effectiveness of the financial
reporting process).

Activities Relating to Internal Control
1. Evaluation of internal control
Internal audit function may be assigned specific responsibility for
reviewing controls, evaluating their operation and recommending
improvements thereto.
2. Examination of financial and operating information
Internal audit function may be assigned to review the means used to
identify, recognize, measure, classify and report financial and operating
information, and to make specific inquiry into individual items, including
detailed testing of transactions, balances and procedures.
3. Review of operating activities
The internal audit function may be assigned to review the economy,
efficiency and effectiveness of operating activities, including non-financial
activities of an entity.
4. Review of compliance with laws and regulations
Internal audit function may be assigned to review compliance with laws,
regulations and other external requirements, and with management
policies and directives and other internal requirements.

| Internal Auditor/Audit | Statutory Auditor/Audit |
|---|---|
| Examines activities/operations | Examines financial statements |
| Reporting on operational effectiveness | Opinion on financial statements (true and fair) |
| Appointment by management | Appointment is generally made by members |
| Report to management | Report to members |
| In case of companies, applicable only for prescribed classes of companies | In case of companies, every company is required to get its accounts audited for every financial year. |
| By CA or Cost Accountant or other Professional (u/s 138) | By CA (u/s 141) |
| Less independent | More independent |
| Follows Standards on Internal Auditing (SIA) | Follows Standards on Auditing (SA) |
| Part of Internal Control system | Reviews Internal Control system [SA 610] |

List of Standards on Internal Audit (SIA) issued by ICAI
i) Standard on Internal Audit (SIA) 1, Planning an Internal Audit
ii) Standard on Internal Audit (SIA) 2, Basic Principles Governing Internal
Audit
iii) Standard on Internal Audit (SIA) 3, Documentation
iv) Standard on Internal Audit (SIA) 4, Reporting
v) Standard on Internal Audit (SIA) 5, Sampling
vi) Standard on Internal Audit (SIA) 6, Analytical Procedures
vii) Standard on Internal Audit (SIA) 7, Quality Assurance in Internal Audit
viii) Standard on Internal Audit (SIA) 8, Terms of Internal Audit
Engagement
ix) Standard on Internal Audit (SIA) 9, Communication with Management
x) Standard on Internal Audit (SIA) 10, Internal Audit Evidence
xi) Standard on Internal Audit (SIA) 11, Consideration of Fraud in an
Internal Audit
xii) Standard on Internal Audit (SIA) 12, Internal Control Evaluation
xiii) Standard on Internal Audit (SIA) 13, Enterprise Risk Management
xiv) Standard on Internal Audit (SIA) 14, Internal Audit in an Information
Technology Environment
xv) Standard on Internal Audit (SIA) 15, Knowledge of the Entity and its
Environment
xvi) Standard on Internal Audit (SIA) 16, Using the Work of an Expert
xvii) Standard on Internal Audit (SIA) 17, Consideration of Laws and
Regulations in an Internal Audit
xviii) Standard on Internal Audit (SIA) 18, Related Parties

14- REQUIREMENT FOR INTERNAL AUDIT (Sec. 138 of the Companies Act, 2013)

Applicability of Sec. 138
Sec. 138 shall apply only to such class or classes of companies as may be
prescribed. As per Rule 13 of the Companies (Accounts) Rules, 2014,
following class of companies shall be covered u/s 138:
(a) Every listed company.
(b) Every unlisted public company having -
(i) paid up share capital of Rs. 50 crore or more during the preceding
financial year; or
(ii) turnover of Rs. 200 crore or more during the preceding financial year;
or
(iii) outstanding loans or borrowings from banks or public financial
institutions exceeding Rs. 100 crore or more at any point of time during
the preceding financial year; or
(iv) outstanding deposits of Rs. 25 crore or more at any point of time
during the preceding financial year.
(c) Every private company having -
(i) turnover of Rs. 200 crore or more during the preceding financial year; or
(ii) outstanding loans or borrowings from banks or public financial
institutions exceeding Rs. 100 crore or more at any point of time during
the preceding financial year.

Legal requirements u/s 138
(a) Every company to which Sec. 138 is applicable shall appoint an
internal auditor.
(b) The internal auditor shall conduct the internal audit of the functions
and activities of the company.

Who can be Internal Auditor - Sec. 138
(c) The internal auditor shall be
(i) a chartered accountant; or
(ii) a cost accountant; or
(iii) such other professional as may be decided by the Board.
(d) The internal auditor may or may not be an employee of the company.
(e) A 'Chartered Accountant' or a 'Cost Accountant' may be appointed as
an internal auditor whether or not he is engaged in practice.

Manner and interval of internal audit
(a) CG may, by rules, prescribe the manner and the intervals in which the
internal audit shall be conducted and reported to the Board.
(b) The Audit Committee of the company or the Board shall, in
consultation with the Internal Auditor, formulate the scope, functioning,
periodicity and methodology for conducting the internal audit.

Legal requirements for existing companies
If an existing company satisfies any of the criteria laid down under Rule 13
(i.e. it falls under the prescribed class(es) of companies for the purpose of
Sec. 138), it shall, within 6 months of commencement of Sec. 138 (viz. 1st
April, 2014), comply with the requirements of Sec. 138 and Rule 13.

15- SA 610 "USING THE WORK OF INTERNAL AUDITORS"

Scope of this SA
1. This Standard on Auditing (SA) deals with the external auditor's
responsibilities if using the work of internal auditors. This includes
(a) using the work of the internal audit function in obtaining audit
evidence and (b) using internal auditors to provide direct assistance
under the direction, supervision and review of the external auditor.
2. This SA does not apply if the entity does not have an internal audit
function.
3. If the entity has an internal audit function, the requirements in this
SA relating to using the work of that function do not apply if:
A. The responsibilities and activities of the function are not relevant to
the audit; or
B. Based on the auditor's preliminary understanding of the function
obtained as a result of procedures performed under SA 315, the
external auditor does not expect to use the work of the function in
obtaining audit evidence.
Nothing in this SA requires the external auditor to use the work of
the internal audit function to modify the nature or timing, or reduce
the extent, of audit procedures to be performed directly by the
external auditor; it remains a decision of the external auditor in
establishing the overall audit strategy.
4. Furthermore, the requirements in this SA relating to direct
assistance do not apply if the external auditor does not plan to use
internal auditors to provide direct assistance.
5. In some cases, the external auditor may be prohibited, or restricted
to some extent, by law or regulation from using the work of the
internal audit function or using internal auditors to provide direct
assistance. The SAs do not override laws or regulations that govern
an audit of financial statements. Such prohibitions or restrictions
will therefore not prevent the external auditor from complying with
the SAs.

Relationship between SA 315 and SA 610 (Revised)
1. Many entities establish internal audit functions as part of their
internal control and governance structures.
2. The objectives and scope of an internal audit function, the nature of
its responsibilities and its organizational status, depend on the size
and structure of the entity and the requirements of management
and, where applicable, those charged with governance.
3. This SA addresses the external auditor's responsibilities when,
based on the external auditor's preliminary understanding of the
internal audit function obtained as a result of procedures performed
under SA 315, the external auditor expects to use the work of the
internal audit function as part of the audit evidence obtained.
4. Such use of that work modifies the nature or timing, or reduces the
extent, of audit procedures to be performed directly by the external
auditor.
5. In addition, this SA also addresses the external auditor's
responsibilities if considering using internal auditors to provide
direct assistance under the direction, supervision and review of the
external auditor.

The external auditor's responsibility for the audit
1. The external auditor has sole responsibility for the audit opinion
expressed.
2. Responsibility is not reduced by the external auditor's use of the
work of the internal audit function or internal auditors to provide
direct assistance on the engagement.
3. Internal auditors are not independent of the entity as is required of
the external auditor in an audit of financial statements in
accordance with SA 200.

Objectives
1. The objectives of the external auditor, where the entity has an internal
audit function and the external auditor expects to use the work of the
function to modify the nature or timing, or reduce the extent, of audit
procedures to be performed directly by the external auditor, or to use
internal auditors to provide direct assistance, are:
a. To determine whether the work of the internal audit function or
direct assistance from internal auditors can be used, and if so, in
which areas and to what extent; and having made that
determination:
b. If using the work of the internal audit function, to determine
whether that work is adequate for purposes of the audit; and
c. If using internal auditors to provide direct assistance, to
appropriately direct, supervise and review their work.

Definitions
For purposes of the SAs, the following terms have the meanings attributed
below:
(a) Internal audit function - A function of an entity that performs
assurance and consulting activities designed to evaluate and
improve the effectiveness of the entity's governance, risk
management and internal control processes.
(b) Direct assistance - The use of internal auditors to perform audit
procedures under the direction, supervision and review of the
external auditor.

Determining Whether, in Which Areas, and to What Extent the Work of the Internal Audit
Function Can Be Used

Evaluating the internal audit function
The external auditor shall determine whether the work of the internal
audit function can be used for purposes of the audit by evaluating the
following:
(a) The extent to which the internal audit function's organizational status
and relevant policies and procedures support the objectivity of the
internal auditors;
(b) The level of competence of the internal audit function; and
(c) Whether the internal audit function applies a systematic and
disciplined approach, including quality control.

Determining the nature and extent of work of the internal audit function that can be used
1. The external auditor shall consider the nature and scope of the work
that has been performed, or is planned to be performed, by the
internal audit function and its relevance to the external auditor's
overall audit strategy and audit plan.
2. The external auditor shall make all significant judgments in the audit
engagement and, to prevent undue use of the work of the internal
audit function, shall plan to use less of the work of the function and
perform more of the work directly.
3. The external auditor shall also evaluate whether using the work of
the internal audit function to the extent planned would still result in
the external auditor being sufficiently involved in the audit.
4. The external auditor shall, in accordance with SA 260, communicate
how the external auditor has planned to use the work of the internal
audit function.

Using the work of the internal audit function
1. If the external auditor plans to use the work of the internal audit
function, the external auditor shall discuss the planned use of its
work with the function as a basis for coordinating their respective
activities.
2. The external auditor shall read the reports of the internal audit
function to obtain an understanding of the nature and extent of audit
procedures it performed and the related findings.
3. The external auditor shall perform sufficient audit procedures on the
body of work of the internal audit function as a whole that the external
auditor plans to use to determine its adequacy for purposes of the
audit, including evaluating whether:
(a) The work of the function had been properly planned, performed,
supervised, reviewed and documented;
(b) Sufficient appropriate evidence had been obtained to enable the
function to draw reasonable conclusions; and
(c) Conclusions reached are appropriate in the circumstances and the
reports prepared by the function are consistent with the results of
the work performed.
4. The nature and extent of the external auditor's audit procedures shall
be responsive to the external auditor's evaluation of:
• The amount of judgment involved;
• The assessed risk of material misstatement;
• The extent to which the internal audit function's organizational
status and relevant policies and procedures support the
objectivity of the internal auditors; and
• The level of competence of the function;
and shall include re-performance of some of the work.

Determining whether, in which areas, and to what extent internal auditors can be used
to provide direct assistance

Determining whether internal auditors can be used to provide direct assistance for purposes of the audit
1. If using internal auditors to provide direct assistance is not prohibited
by law or regulation, and the external auditor plans to use internal
auditors to provide direct assistance on the audit, the external auditor
shall evaluate the existence and significance of threats to objectivity
and the level of competence of the internal auditors.
2. The external auditor shall not use an internal auditor to provide direct
assistance if:
(a) There are significant threats to the objectivity of the internal
auditor; or
(b) The internal auditor lacks sufficient competence to perform the
proposed work.

Determining the nature and extent of work that can be assigned to internal auditors providing direct assistance
1. In determining the nature and extent of work that may be assigned to
internal auditors and the nature, timing and extent of direction,
supervision and review that is appropriate in the circumstances, the
external auditor shall consider:
(a) The amount of judgment involved in:
(i) Planning and performing relevant audit procedures; and
(ii) Evaluating the audit evidence gathered;
(b) The assessed risk of material misstatement; and
(c) The external auditor's evaluation of the existence and significance
of threats to the objectivity and level of competence of the internal
auditors who will be providing such assistance.
2. Having appropriately evaluated whether and, if so, to what extent
internal auditors can be used to provide direct assistance on the audit,
the external auditor shall, in accordance with SA 260, communicate
the nature and extent of the planned use of internal auditors to
provide direct assistance so as to reach a mutual understanding that
such use is not excessive in the circumstances of the engagement.
3. The external auditor shall evaluate whether using internal auditors to
provide direct assistance to the extent planned, together with the
planned use of the work of the internal audit function, would still
result in the external auditor being sufficiently involved in the audit.

Using internal auditors to provide direct assistance
1. Prior to using internal auditors to provide direct assistance for
purposes of the audit, the external auditor shall:
(a) Obtain written agreement from an authorized representative of the
entity that the internal auditors will be allowed to follow the
external auditor's instructions, and that the entity will not
intervene in the work the internal auditor performs for the external
auditor; and
(b) Obtain written agreement from the internal auditors that they will
keep confidential specific matters as instructed by the external
auditor and inform the external auditor of any threat to their
objectivity.
2. The external auditor shall direct, supervise and review the work
performed by internal auditors on the engagement in accordance with
SA 220.
3. The direction, supervision and review by the external auditor of the
work performed by the internal auditors shall be sufficient in order for
the external auditor to be satisfied that the internal auditors have
obtained sufficient appropriate audit evidence to support the
conclusions based on that work.

Documentation
1. If the external auditor uses the work of the internal audit function, the
external auditor shall include in the audit documentation:
(a) The evaluation of:
(i) Whether the function's organizational status and relevant
policies and procedures adequately support the objectivity of
the internal auditors;
(ii) The level of competence of the function; and
(iii) Whether the function applies a systematic and disciplined
approach, including quality control;
(b) The nature and extent of the work used and the basis for that
decision; and
(c) The audit procedures performed by the external auditor to evaluate
the adequacy of the work used.
2. If the external auditor uses internal auditors to provide direct
assistance on the audit, the external auditor shall include in the audit
documentation:
(a) The evaluation of the existence and significance of threats to the
objectivity of the internal auditors, and the level of competence of
the internal auditors used to provide direct assistance;
(b) The basis for the decision regarding the nature and extent of the
work performed by the internal auditors;
(c) Who reviewed the work performed and the date and extent of that
review in accordance with SA 230;
(d) The written agreements obtained from an authorized representative
of the entity and the internal auditors.
(e) The working papers prepared by the internal auditors who provided
direct assistance on the audit engagement.

16- INTERNAL FINANCIAL CONTROL (IFC) AND INTERNAL CONTROL OVER FINANCIAL REPORTING

Meaning of IFC
Sec. 134(5)(e) of Companies Act, 2013 defines the term Internal Financial Control as the
policies and procedures adopted by the company for ensuring the orderly and efficient
conduct of its business, including
• adherence to company's policies,
• the safeguarding of its assets,
• the prevention and detection of frauds and errors,
• the accuracy and completeness of the accounting records, and
• the timely preparation of reliable financial information.
Rule 8(5)(viii) of the Companies (Accounts) Rules, 2014 requires that the director's report
should contain details in respect of adequacy of internal financial controls with reference to the
financial reporting.

Points to remember
Internal controls over financial reporting (ICFR): ICFR differs from IFC in as much as
ICFR is required where auditors are required to express an opinion on the effectiveness of an
entity's internal controls over financial reporting; such opinion is in addition to and distinct
from the opinion expressed by the auditor on the financial statements.
Auditor's responsibility for reporting on IFC
Clause (i) of Sec. 143(3) of Companies Act, 2013 requires the company auditor to report
whether the company has adequate internal financial controls with reference to financial
statements in place and the operating effectiveness of such controls.

Exemption applicable to private companies
Clause (i) of Sec. 143(3) shall not apply to a private company:
i. which is a one-person company or a small company; or
ii. which has turnover less than Rs. 50 crores as per latest audited financial statement and
iii. which has aggregate borrowings from banks or financial institutions or any body
corporate at any point of time during the financial year less than 25 Cr.
Objective of Auditor

To express an opinion on the effectiveness of the company's internal financial controls over
financial reporting. It is carried out along with an audit of the financial statements.
