Risk Assessment and Internal Control - E-Notes


CHAPTER 4: Risk Assessment and Internal Control

1. AUDIT RISK
Audit risk means the risk that the auditor gives an inappropriate audit opinion when the financial statements are
materially misstated. Thus, it is the risk that the auditor may fail to express an appropriate opinion in an audit assignment.
Audit Risk could be simply understood as follows:
During the audit of a company if the financial statements of that company are misstated and those misstatements are
material in nature, then there will be a risk that audit opinion given by the auditor regarding audit of that company would
be incorrect. Then that risk will be known as Audit Risk.

[Figure: Audit Risk - Understanding the Entity and its Environment; Identify & Assess Risk of Material Misstatement; Risk Assessment & Internal Control; Risk Assessment Procedures]

Example
Strength Limited purchased Plant and Machinery for Rs 2 crores in the financial year 2020-2021. The accountant of
Strength Limited debited Rs 2 crores to the Repair and Maintenance account in the Statement of Profit and Loss instead of
taking it to the balance sheet as PPE and claiming depreciation on it. While auditing the accounts of this company, the auditor
did not notice this and consequently did not report anything regarding the plant and machinery. Therefore, the opinion given
by the auditor would be inappropriate, resulting in audit risk.
Audit risk is a function of the risks of material misstatement and detection risk.
From the above, it is clear that:

Audit Risk = Risk of Material Misstatement × Detection Risk ... (1)

Note 1: Risk of material misstatement may be defined as the risk that the financial statements are materially misstated
prior to audit. This consists of two components, described as follows at the assertion level:
(a) Inherent risk—The susceptibility of an assertion about a class of transaction, account balance or disclosure to
a misstatement that could be material, either individually or when aggregated with other misstatements, before
consideration of any related controls. In other words, even before considering whether any internal control exists
in an entity, there is always a chance that a particular transaction, account balance or disclosure required to be made in the financial
statements of that entity is misstated, and that such misstatement is material. This risk is known
as Inherent Risk.
(b) Control risk—The risk that a misstatement that could occur in an assertion about a class of transaction, account
balance or disclosure and that could be material, either individually or when aggregated with other misstatements,
will not be prevented, or detected and corrected, on a timely basis by the entity’s internal control. Control Risk is the
risk that the internal control existing and operating in an entity would not be efficient enough to prevent, or to
find and then rectify in an appropriate time, any material misstatement relating to a transaction, account balance
or disclosure required to be made in the financial statements of that entity. So, in a way, it can be said that there exists
an inverse relation between Control Risk and the efficiency of internal control of an entity. When the efficiency of internal
control of an entity is high, the control risk is low, and when the efficiency of internal control of that entity is low, the control
risk is high.
Example
During the financial year 2020-21, certain accounting transactions regarding purchases of material and some disclosures
required to be made in the financial statements of Appreciation Limited were misstated and those misstatements were
material in nature. There was a risk that internal control operating in Appreciation Limited would not be able to find and
then rectify those misstatements in proper time. This risk is called Control Risk.
Note 2: Misstatement refers to a difference between the amount, classification, presentation, or disclosure of a reported
financial statement item and the amount, classification, presentation, or disclosure that is required for the item to be in
accordance with the applicable financial reporting framework. Misstatements can arise from error or fraud.
1.1 Assessment of Risks - Matter of Professional Judgement
The assessment of risks is based on audit procedures to obtain information necessary for that purpose and evidence
obtained throughout the audit. The assessment of risks is a matter of professional judgment, rather than a matter
capable of precise measurement.
1.2 What is not included in Audit Risk?
(i) Audit risk does not include the risk that the auditor might express an opinion that the financial statements are
materially misstated when they are not. This risk is ordinarily insignificant.
(ii) Further, audit risk is a technical term related to the process of auditing; it does not refer to the auditor’s business
risks such as loss from litigation, adverse publicity, or other events arising in connection with the audit of financial
statements.
1.3 Risks of Material Misstatement at Two levels
The risks of material misstatement may exist at two levels:

(i) The overall financial statement level - Risks of material misstatement at the overall financial statement level
refer to risks of material misstatement that relate pervasively to the financial statements as a whole and potentially
affect many assertions.
(ii) The assertion level for classes of transactions, account balances, and disclosures - Risks of material misstatement
at the assertion level are assessed in order to determine the nature, timing, and extent of further audit procedures
necessary to obtain sufficient appropriate audit evidence. This evidence enables the auditor to express an opinion
on the financial statements at an acceptably low level of audit risk.

1.4 Components of Risk of Material Misstatement


The risks of material misstatement at the assertion level consist of two components:
(i) Inherent risk and
(ii) control risk.
Inherent risk and control risk are the entity’s risks; they exist independently of the audit of the financial statements.
Inherent risk is higher for some assertions and related classes of transactions, account balances, and disclosures than for
others. For example, it may be higher for complex calculations. External circumstances giving rise to business risks may
also influence inherent risk. For example, technological developments might make a particular product obsolete. Factors
in the entity and its environment may also influence the inherent risk related to a specific assertion.
Inherent risk factors are considered while designing tests of controls and substantive procedures. Whether the
auditor’s assessment category is lower or higher, each category covers a range of degrees of inherent risk. The auditor may assess the
inherent risk of two different assertions as lower while recognizing that one assertion has less inherent risk than the other,
although both have been assessed as lower. It is important to consider the reason for each identified inherent risk, even if
the risk is lower, when the auditor designs tests of controls and substantive procedures.
Example

A lack of sufficient working capital to continue operations or a declining industry characterised by a large number of
business failures.

Control risk is a function of the effectiveness of the design, implementation and maintenance of internal control
by management. However, internal control can only reduce but not eliminate risks of material misstatement in the
financial statements. This is because of the inherent limitations of internal control.
Example

The possibility of human errors or mistakes, or of controls being circumvented by collusion. Accordingly, some control
risk will always exist.

The SAs provide the conditions under which the auditor is required to test the operating effectiveness of controls in
determining the nature, timing and extent of substantive procedures to be performed.
The auditor assesses control risk as ‘rely’ or ‘not rely’ on controls. When making control risk assessments, consider:
• The control environment’s influence over internal control. A control environment that supports the prevention,
and detection and correction, of material misstatements allows greater confidence in the reliability of internal
control and audit evidence generated within the entity. However, it does not guarantee the effectiveness of specific
controls. We therefore test the operating effectiveness of controls over significant classes of transactions (SCOTs) when
we plan to take a controls reliance strategy. Conversely, the control environment may undermine the effectiveness of
specific controls and is a key factor in our control risk assessments.
• Evaluations of the related IT processes that support application and IT-dependent manual controls.
• Our testing approach over SCOTs and disclosure processes (i.e., controls reliance or substantive only strategy).
• The expectation of the operating effectiveness of controls based on the understanding of the entity’s processes.
Example

Identify a control that a shipping report is prepared only for goods that have been shipped. To determine that only
sales that have occurred are recorded, identify a further control that sales cannot be recorded unless a shipping report
is produced. In this example, several controls operate collectively in order to address the occurrence assertion for
sales.
In another example, a regular reconciliation of quantities shipped to quantities billed is a specific control that may be
effective enough by itself to address the WCGW (What Could Go Wrong) regarding the completeness assertion in a sales process.
Also consider whether several controls are required to operate collectively (i.e., a suite of controls) to achieve a financial reporting
objective. If so, the auditor should assess whether all controls operate effectively in order to rely on controls.

Control risk assessment when control deficiencies are identified: When the auditor identifies deficiencies and reports on
internal controls, he determines the significant financial statement assertions that are affected by the ineffective controls
in order to evaluate the effect on control risk assessments and strategy for the audit of the financial statements.
When control deficiencies are identified and the auditor identifies and tests more than one control for each relevant
assertion, he evaluates control risk considering all of the controls he has tested. If the auditor determines that they support
a ‘rely on controls’ risk assessment, or if compensating controls are identified, tested and evaluated to be effective,
he may conclude that ‘rely on controls’ is still appropriate. Otherwise we change our control risk assessment to ‘not
rely on controls’.
When a deficiency relates to an ineffective control that is the only control identified for an assertion, he revises the risk
assessment to ‘not rely on controls’ for associated assertions, as no other controls have been identified that mitigate
the risk related to the assertion. If the deficiency relates to one WCGW (what can go wrong) out of several WCGWs, he
can ‘rely on controls’ but performs additional substantive procedures to adequately address the risks related to the
deficiency.
1.5 Combined Assessment of the Risk of Material Misstatement
The SAs do not ordinarily refer to inherent risk and control risk separately, but rather to a combined assessment
of the “risks of material misstatement”. However, the auditor may make separate or combined assessments of inherent
and control risk depending on preferred audit techniques or methodologies and practical considerations. The assessment
of the risks of material misstatement may be expressed in quantitative terms, such as in percentages, or in non-
quantitative terms. In any case, the need for the auditor to make appropriate risk assessments is more important than the
different approaches by which they may be made.
It can be concluded from the above that:

Risk of Material Misstatement = Inherent Risk × Control Risk ... (2)

From (1) and (2), we arrive at:

Audit Risk = Inherent Risk × Control Risk × Detection Risk

SA 315 establishes requirements and provides guidance on identifying and assessing the risks of material misstatement
at the financial statement and assertion levels.
1.6 Detection Risk
Detection risk: The risk that the procedures performed by the auditor to reduce audit risk to an acceptably low level
will not detect a misstatement that exists and that could be material, either individually or when aggregated with other
misstatements.
Suppose the auditor of a company uses certain audit procedures to obtain audit evidence and reduce audit
risk. There will still remain a risk that the audit procedures used by the auditor may not detect a misstatement
that is material in nature; that risk is known as Detection Risk.
Example
While auditing the books of accounts of Grateful Limited for the financial year 2020-21, the auditor of the
company used various audit procedures, for example observation, inspection, reperformance, recalculation,
etc., to obtain audit evidence regarding stock, debtors, sales, purchases, etc., and consequently reduce the audit risk.
However, there will always remain a risk that the various audit procedures used by the auditor of Grateful Limited will not be
able to detect misstatements which are material in nature. This risk is known as Detection Risk.
ILLUSTRATION 1
XYZ Ltd is engaged in business and runs several stores dealing in a variety of items such as ready-made garments for
all seasons, shoes, gift items, watches, etc. There are security tags on each and every item. Moreover, inventory records are
physically verified on a monthly basis.
Discuss the types of inherent, control and detection risks as perceived by the auditor.
SOLUTION
Inherent Risk: Because items may have been misappropriated by employees, the risk to the auditor is that
inventory records would be inaccurate.
Control Risk: There is a security tag on each item displayed. Moreover, inventory records are physically verified on
a monthly basis. Despite various controls being implemented at the stores, there may still be collusion among employees,
and the risk to the auditor would again be that inventory records would be inaccurate.
Detection Risk: The auditor checks the efficiency and effectiveness of the various control systems in place. He would do that by
making observation, inspection, enquiry, etc. In addition to these, the auditor would also employ sampling techniques to
check a few sales transactions from beginning to end. However, despite all these procedures, the auditor may not detect the
items which have been stolen or misappropriated.
ILLUSTRATION 2
A partnership firm of Chartered Accountants, HT and Associates, was appointed to audit the books of accounts of Wind
and Ice Limited for the financial year 2020-21. There was a risk that HT and Associates would give an inappropriate audit
opinion if the financial statements of Wind and Ice Limited are materially misstated. State the risk mentioned in the
question.
SOLUTION
The risk mentioned in the question is known as Audit Risk, because the risk that the auditor of a company will give an inappropriate
audit opinion if the financial statements of that company are materially misstated is known as Audit Risk.

2. IDENTIFYING AND ASSESSING THE RISKS OF MATERIAL MISSTATEMENT


Objective of Auditor as per SA 315: As per SA 315 - “Identifying and Assessing the Risks of Material Misstatement
through Understanding the Entity and its Environment”, the objective of the auditor is to identify and assess the risks
of material misstatement, whether due to fraud or error, at the financial statement and assertion levels, through
understanding the entity and its environment, including the entity’s internal control, thereby providing a basis for
designing and implementing responses to the assessed risks of material misstatement. This will help the auditor to
reduce the risk of material misstatement to an acceptably low level.
Let us understand the objective of the auditor as stated in SA 315 in detail.
2.1 Identify and Assess the Risks of Material Misstatement
(i) The auditor shall identify and assess the risks of material misstatement at:
(a) the financial statement level
(b) the assertion level for classes of transactions, account balances, and disclosures
to provide a basis for designing and performing further audit procedures.
(ii) For the purpose of identifying and assessing the risks of material misstatement, the auditor shall:
(a) Identify risks throughout the process of obtaining an understanding of the entity and its environment,
including relevant controls that relate to the risks, and by considering the classes of transactions, account balances,
and disclosures in the financial statements;
(b) Assess the identified risks, and evaluate whether they relate more pervasively to the financial statements as a
whole and potentially affect many assertions;
(c) Relate the identified risks to what can go wrong at the assertion level, taking account of relevant controls that
the auditor intends to test; and
(d) Consider the likelihood of misstatement, including the possibility of multiple misstatements, and whether the
potential misstatement is of a magnitude that could result in a material misstatement.
Definition of risk assessment procedures: The audit procedures performed to obtain an understanding of the entity and its environment, including
the entity’s internal control, to identify and assess the risks of material misstatement, whether due to fraud or error,
at the financial statement and assertion levels.

Risk assessment procedure - a basis for the identification and assessment of risks of material misstatement at the
financial statement and assertion levels
The auditor shall perform risk assessment procedures to provide a basis for the identification and assessment of risks
of material misstatement at the financial statement and assertion levels. Risk assessment procedures by themselves,
however, do not provide sufficient appropriate audit evidence on which to base the audit opinion.
Information obtained by performing risk assessment procedures - Used as audit evidence
Information obtained by performing risk assessment procedures and related activities may be used by the auditor as
audit evidence to support assessments of the risks of material misstatement. In addition, the auditor may obtain audit
evidence about classes of transactions, account balances, or disclosures and related assertions and about the operating
effectiveness of controls, even though such procedures were not specifically planned as substantive procedures or as tests
of controls. The auditor also may choose to perform substantive procedures or tests of controls concurrently with
risk assessment procedures because it is efficient to do so.
The risks to be assessed include both those due to error and those due to fraud
The risks to be assessed include both those due to error and those due to fraud, and both are covered by this SA.
However, the significance of fraud is such that further requirements and guidance are included in SA 240, “The Auditor’s
Responsibilities Relating to Fraud in an Audit of Financial Statements”, in relation to risk assessment procedures and
related activities to obtain information that is used to identify the risks of material misstatement due to fraud. (Fraud risk
is discussed in detail in Chapter 5 Fraud and Responsibilities of an Auditor in this regard).
What is included in Risk Assessment Procedures?
The risk assessment procedures shall include the following:
(a) Inquiries of management and of others within the entity who in the auditor’s judgment may have information
that is likely to assist in identifying risks of material misstatement due to fraud or error.
(b) Analytical procedures.
(c) Observation and inspection.
(a) Inquiries of Management and Others Within the Entity: Much of the information obtained by the auditor’s
inquiries is obtained from management and those responsible for financial reporting. However, the auditor may
also obtain information, or a different perspective in identifying risks of material misstatement, through inquiries of
others within the entity and other employees with different levels of authority.
Example

• Inquiries directed towards those charged with governance may help the auditor understand the
environment in which the financial statements are prepared.
• Inquiries directed toward internal audit personnel may provide information about internal audit procedures
performed during the year relating to the design and effectiveness of the entity’s internal control and whether
management has satisfactorily responded to findings from those procedures.
• Inquiries of employees involved in initiating, processing or recording complex or unusual transactions may help
the auditor to evaluate the appropriateness of the selection and application of certain accounting policies.
• Inquiries directed toward in-house legal counsel may provide information about such matters as litigation,
compliance with laws and regulations, knowledge of fraud or suspected fraud affecting the entity, warranties,
post-sales obligations, arrangements (such as joint ventures) with business partners and the meaning of contract
• Inquiries directed towards marketing or sales personnel may provide information about changes in the entity’s
marketing strategies, sales trends, or contractual arrangements with its customers.
• Inquiries directed to the risk management function (or those performing such roles) may provide information
about operational and regulatory risks that may affect financial reporting.
• Inquiries directed to information systems personnel may provide information about system changes, system or
control failures, or other information system-related risks.

(b) Analytical Procedures: Analytical procedures performed as risk assessment procedures may identify aspects of the
entity of which the auditor was unaware and may assist in assessing the risks of material misstatement in order to
provide a basis for designing and implementing responses to the assessed risks. Analytical procedures performed as
risk assessment procedures may include both financial and non-financial information, for example, the relationship
between sales and square footage of selling space or volume of goods sold.
Analytical procedures may help identify the existence of unusual transactions or events, and amounts, ratios,
and trends that might indicate matters that have audit implications. Unusual or unexpected relationships
that are identified may assist the auditor in identifying risks of material misstatement, especially risks of material
misstatement due to fraud.
However, when such analytical procedures use data aggregated at a high level (which may be the situation with
analytical procedures performed as risk assessment procedures), the results of those analytical procedures only
provide a broad initial indication about whether a material misstatement may exist. Accordingly, in such cases,
consideration of other information that has been gathered when identifying the risks of material misstatement
together with the results of such analytical procedures may assist the auditor in understanding and evaluating the
results of the analytical procedures.
(c) Observation and Inspection: Observation and inspection may support inquiries of management and others, and
may also provide information about the entity and its environment.
Example
Examples of such audit procedures include observation or inspection of the following:
• The entity’s operations.
• Documents (such as business plans and strategies), records, and internal control manuals.
• Reports prepared by management (such as quarterly management reports and interim financial statements) and
those charged with governance (such as minutes of board of directors’ meetings).
• The entity’s premises and plant facilities.

2.2 Understanding Of The Entity- A Continuous Process


Obtaining an understanding of the entity and its environment, including the entity’s internal control (referred to hereafter
as an “understanding of the entity”), is a continuous, dynamic process of gathering, updating and analysing
information throughout the audit. The understanding establishes a frame of reference within which the auditor plans the
audit and exercises professional judgment throughout the audit, for example, when:
• Assessing risks of material misstatement of the financial statements;
• Determining materiality in accordance with SA 320;
• Considering the appropriateness of the selection and application of accounting policies;
• Identifying areas where special audit consideration may be necessary, for example, related party transactions,
the appropriateness of management’s use of the going concern assumption, or considering the business purpose of
transactions;
• Developing expectations for use when performing analytical procedures;
• Evaluating the sufficiency and appropriateness of audit evidence obtained, such as the appropriateness of
assumptions and of management’s oral and written representations.
ILLUSTRATION 3
The auditor of ABC Textiles Ltd chalks out an audit plan without understanding the entity’s business. Since he has carried
out many audits of textile companies, he considers that there is no need to understand the nature of business of ABC Ltd. Advise the auditor
how he should proceed.
SOLUTION
Obtaining an understanding of the entity and its environment, including the entity’s internal control (referred to hereafter
as an “understanding of the entity”), is a continuous, dynamic process of gathering, updating and analysing information
throughout the audit. The auditor should proceed accordingly.
ILLUSTRATION 4
While auditing the books of accounts of Heavy Material Limited for the financial year 2020-21, a team member of the auditor
of Heavy Material Limited showed no inclination towards understanding the business and the business environment of
the above mentioned company. Is the approach of team member of the auditor of Heavy Material Limited correct or
incorrect? Also give reason for your answer.
SOLUTION
The approach of the team member of the auditor of Heavy Material Limited is incorrect because understanding the business
and the business environment of the company whose audit is to be conducted is very important, as it helps in planning the
audit and identifying areas requiring special attention during the course of audit of that company.
2.3 The Required Understanding of the Entity and Its Environment, Including the Entity’s
Internal Control
The auditor shall obtain an understanding of the following:
(a) Relevant industry, regulatory, and other external factors including the applicable financial reporting framework.
(b) The nature of the entity, including:
(i) its operations;
(ii) its ownership and governance structures;
(iii) the types of investments that the entity is making and plans to make, including investments in special-purpose
entities; and
(iv) the way that the entity is structured and how it is financed;
to enable the auditor to understand the classes of transactions, account balances, and disclosures to be expected in
the financial statements.
(c) The entity’s selection and application of accounting policies, including the reasons for changes thereto.
The auditor shall evaluate whether the entity’s accounting policies are appropriate for its business and consistent
with the applicable financial reporting framework and accounting policies used in the relevant industry.
(d) The entity’s objectives and strategies, and those related business risks that may result in risks of material misstatement.
(e) The measurement and review of the entity’s financial performance.
ILLUSTRATION 5
Prince Blankets is engaged in the business of blankets. A major portion of its sales takes place through the internet. Advise the
auditor how he would proceed in this regard as to understanding the entity and its environment.
SOLUTION
While understanding the entity and its environment, the auditor would perceive internet sales as a risky area and would therefore
spend substantial time and extensive audit procedures on this particular area.

3. INTERNAL CONTROL
Meaning of Internal Control

As per SA-315, “Identifying and Assessing the Risk of Material Misstatement Through Understanding the Entity and
its Environment”, the internal control may be defined as “the process designed, implemented and maintained by those
charged with governance, management and other personnel to provide reasonable assurance about the achievement
of an entity’s objectives with regard to reliability of financial reporting, effectiveness and efficiency of operations,
safeguarding of assets, and compliance with applicable laws and regulations. The term “controls” refers to any aspects
of one or more of the components of internal control.”

Objectives of Internal Control


(i) transactions are executed in accordance with management’s general or specific authorization;
(ii) all transactions are promptly recorded in the correct amount in the appropriate accounts and in the accounting period
in which executed so as to permit preparation of financial information within a framework of recognized accounting
policies and practices and relevant statutory requirements, if any, and to maintain accountability for assets;
(iii) assets are safeguarded from unauthorised access, use or disposition; and
(iv) the recorded assets are compared with the existing assets at reasonable intervals and appropriate action is taken with
regard to any differences.
The Entity’s Internal Control
The auditor shall obtain an understanding of internal control relevant to the audit. Although most controls relevant to the
audit are likely to relate to financial reporting, not all controls that relate to financial reporting are relevant to the
audit. It is a matter of the auditor’s professional judgment whether a control, individually or in combination with others,
is relevant to the audit.
Benefits of Understanding of Internal Control
An understanding of internal control assists the auditor in:
(i) identifying types of potential misstatements;
(ii) identifying factors that affect the risks of material misstatement; and
(iii) designing the nature, timing, and extent of further audit procedures.
ILLUSTRATION 6
GR and Associates were appointed as auditors of PNG Ltd, a manufacturing company engaged in manufacturing of various
food items. While planning the audit, the auditor does not think that it would be necessary to understand internal controls.
Advise the auditor in this regard.
SOLUTION
The auditor shall obtain an understanding of internal control relevant to the audit. Although most controls relevant to the
audit are likely to relate to financial reporting, not all controls that relate to financial reporting are relevant to the audit. It
is a matter of the auditor’s professional judgment whether a control, individually or in combination with others, is relevant
to the audit.
ILLUSTRATION 7
The team member of the auditor of Simple and Easy Limited was of the view that understanding the internal control of
the company would not help them in any manner in relation to audit procedures to be applied while conducting the audit.
SOLUTION
The view of the team member of the auditor is incorrect because understanding the internal control of the company would
help the auditor and his team members in designing the nature, timing and extent of audit procedures to be applied while
conducting the audit of the company.
Study of various aspects of internal control is divided into four sections, as follows:

(i) General Nature and Characteristics of Internal Control.
(ii) Controls Relevant to the Audit.
(iii) Nature and Extent of the Understanding of Relevant Controls.
(iv) Components of Internal Control.

I. General Nature and Characteristics of Internal Control


Purpose of Internal Control: Internal control is designed, implemented and maintained to address identified
business risks that threaten the achievement of any of the entity’s objectives that concern:
• The reliability of the entity’s financial reporting;
• The effectiveness and efficiency of its operations;
• Its compliance with applicable laws and regulations; and
• Safeguarding of assets.
The way in which internal control is designed, implemented and maintained varies with an entity’s size and complexity.
Limitations of Internal Control
(i) Internal control can provide only reasonable assurance:
Internal control, no matter how effective, can provide an entity with only reasonable assurance about achieving
the entity’s financial reporting objectives. The likelihood of their achievement is affected by inherent limitations of
internal control.
(ii) Human judgment in decision-making:
These limitations include the realities that human judgment in decision-making can be faulty and that breakdowns in
internal control can occur because of human error.
Example

There may be an error in the design of, or in the change to, a control.

(iii) Lack of understanding of the purpose:

Equally, the operation of a control may not be effective, such as where information produced for the purposes of
internal control (for example, an exception report) is not effectively used because the individual responsible for
reviewing the information does not understand its purpose or fails to take appropriate action.
(iv) Collusion among People:
Additionally, controls can be circumvented by the collusion of two or more people or inappropriate management
override of internal control. For example, management may enter into side agreements with customers that alter the
terms and conditions of the entity’s standard sales contracts, which may result in improper revenue recognition. Also,
edit checks in a software program that are designed to identify and report transactions that exceed specified credit
limits may be overridden or disabled.
(v) Judgements by Management:
Further, in designing and implementing controls, management may make judgments on the nature and extent of the
controls it chooses to implement, and the nature and extent of the risks it chooses to assume.
(vi) Limitations in case of Small Entities:
Smaller entities often have fewer employees due to which segregation of duties is not practicable. However, in a small
owner-managed entity, the owner-manager may be able to exercise more effective oversight than in a larger entity.
This oversight may compensate for the generally more limited opportunities for segregation of duties.
On the other hand, the owner-manager may be more able to override controls because the system of internal control
is less structured. This is taken into account by the auditor when identifying the risks of material misstatement due
to fraud.
II. Controls Relevant to the Audit
There is a direct relationship between an entity’s objectives and the controls it implements to provide reasonable assurance
about their achievement. The entity’s objectives, and therefore controls, relate to financial reporting, operations and
compliance; however, not all of these objectives and controls are relevant to the auditor’s risk assessment.
Factors relevant to the auditor’s judgment about whether a control, individually or in combination with others, is
relevant to the audit may include such matters as the following:
• Materiality.
• The significance of the related risk.
• The size of the entity.
• The nature of the entity’s business, including its organisation and ownership characteristics.
• The diversity and complexity of the entity’s operations.
• Applicable legal and regulatory requirements.
• The circumstances and the applicable component of internal control.
• The nature and complexity of the systems that are part of the entity’s internal control, including the use of service
organisations.
• Whether, and how, a specific control, individually or in combination with others, prevents, or detects and corrects,
material misstatement.
Controls over the completeness and accuracy of information
Controls over the completeness and accuracy of information produced by the entity may be relevant to the audit if the
auditor intends to make use of the information in designing and performing further procedures. For example, in auditing
revenue by applying standard prices to records of sales volume, the auditor considers the accuracy of the price information
and the completeness and accuracy of the sales volume data. Controls relating to operations and compliance objectives
may also be relevant to an audit if they relate to data the auditor evaluates or uses in applying audit procedures.
Internal control over safeguarding of assets
Internal control over safeguarding of assets against unauthorised acquisition, use, or disposition may include controls
relating to both financial reporting and operations objectives. The auditor’s consideration of such controls is generally
limited to those relevant to the reliability of financial reporting. For example, use of access controls, such as passwords,
that limit access to the data and programs that process cash disbursements may be relevant to a financial statement
audit. Conversely, safeguarding controls relating to operations objectives, such as controls to prevent the excessive use of
materials in production, generally are not relevant to a financial statement audit.
Controls relating to objectives that are not relevant to an audit
An entity generally has controls relating to objectives that are not relevant to an audit and therefore need not be
considered. For example, an entity may rely on a sophisticated system of automated controls to provide efficient and
effective operations (such as an airline’s system of automated controls to maintain flight schedules), but these controls
ordinarily would not be relevant to the audit. Further, although internal control applies to the entire entity or to any of its
operating units or business processes, an understanding of internal control relating to each of the entity’s operating units
and business processes may not be relevant to the audit.
The statute may require the auditor to report on compliance with certain internal controls
In certain circumstances, the statute or the regulation governing the entity may require the auditor to report on compliance
with certain specific aspects of internal controls. As a result, the auditor’s review of internal control may be broader and
more detailed.
III. Nature and Extent of the Understanding of Relevant Controls.
(i) Evaluating the design of a control involves considering whether the control, individually or in combination with
other controls, is capable of effectively preventing, or detecting and correcting, material misstatements.
Implementation of a control means that the control exists and that the entity is using it. There is little point in assessing
the implementation of a control that is not effective, and so the design of a control is considered first.
An improperly designed control may represent a significant deficiency in internal control.
(ii) Risk assessment procedures to obtain audit evidence about the design and implementation of relevant controls may
include:
• Inquiring of entity personnel.
• Observing the application of specific controls.
• Inspecting documents and reports.
• Tracing transactions through the information system relevant to financial reporting.
Inquiry alone, however, is not sufficient for such purposes.
(iii) Obtaining an understanding of an entity’s controls is not sufficient to test their operating effectiveness, unless
there is some automation that provides for the consistent operation of the controls.
Example

Obtaining audit evidence about the implementation of a manual control at a point in time does not provide audit
evidence about the operating effectiveness of the control at other times during the period under audit. However,
because of the inherent consistency of IT processing, performing audit procedures to determine whether an automated
control has been implemented may serve as a test of that control’s operating effectiveness, depending on the auditor’s
assessment and testing of controls such as those over program changes.

IV. Components of Internal Control


The division of internal control into the following five components provides a useful framework for auditors to consider
how different aspects of an entity’s internal control may affect the audit:

(a) The control environment;
(b) The entity’s risk assessment process;
(c) The information system, including the related business processes, relevant to financial reporting, and
communication;
(d) Control activities; and
(e) Monitoring of controls.

(A) Control Environment– Component of Internal Control–The auditor shall obtain an understanding of the control
environment. As part of obtaining this understanding, the auditor shall evaluate whether:
(i) Management has created and maintained a culture of honesty and ethical behavior; and
(ii) The strengths in the control environment elements collectively provide an appropriate foundation for the other
components of internal control.
What is included in the Control Environment?

The control environment includes:
(i) the governance and management functions and
(ii) the attitudes, awareness, and actions of those charged with governance and management.
(iii) the control environment sets the tone of an organization, influencing the control consciousness of its people.
Elements of the Control Environment–Elements of the control environment that may be relevant when obtaining
an understanding of the control environment include the following:
(a) Communication and enforcement of integrity and ethical values–These are essential elements that influence
the effectiveness of the design, administration and monitoring of controls.
(b) Commitment to competence–Matters such as management’s consideration of the competence levels for
particular jobs and how those levels translate into requisite skills and knowledge.
(c) Participation by those charged with governance–Attributes of those charged with governance such as:
◦ Their independence from management.
◦ Their experience and stature.
◦ The extent of their involvement and the information they receive, and the scrutiny of activities.
◦ The appropriateness of their actions, including the degree to which difficult questions are raised and pursued
with management, and their interaction with internal and external auditors.
(d) Management’s philosophy and operating style–Characteristics such as management’s:
◦ Approach to taking and managing business risks.
◦ Attitudes and actions toward financial reporting.
◦ Attitudes toward information processing and accounting functions and personnel.
(e) Organisational structure–The framework within which an entity’s activities for achieving its objectives are
planned, executed, controlled, and reviewed.
(f) Assignment of authority and responsibility–Matters such as how authority and responsibility for operating
activities are assigned and how reporting relationships and authorisation hierarchies are established.
(g) Human resource policies and practices–Policies and practices that relate to, for example, recruitment,
orientation, training, evaluation, counselling, promotion, compensation, and remedial actions.
(B) The Entity’s Risk Assessment Process– Component of Internal Control
The auditor shall obtain an understanding of whether the entity has a process for:
(a) Identifying business risks relevant to financial reporting objectives;
(b) Estimating the significance of the risks;
(c) Assessing the likelihood of their occurrence; and
(d) Deciding about actions to address those risks.

The entity’s risk assessment process forms the basis for the risks to be managed. If that process is appropriate,
it assists the auditor in identifying risks of material misstatement. Whether the entity’s risk assessment
process is appropriate to the circumstances is a matter of judgment.
(C) The information system, including the related business processes, relevant to financial reporting and
communication– Component of Internal Control
The auditor shall obtain an understanding of the information system, including the related business processes,
relevant to financial reporting, including the following areas:
(a) The classes of transactions in the entity’s operations that are significant to the financial statements;
(b) The procedures by which those transactions are initiated, recorded, processed, corrected as necessary,
transferred to the general ledger and reported in the financial statements;
(c) The related accounting records, supporting information and specific accounts in the financial statements that are
used to initiate, record, process and report transactions;
(d) How the information system captures events and conditions that are significant to the financial statements;
(e) The financial reporting process used to prepare the entity’s financial statements;
(f) Controls surrounding journal entries.

Communicating Financial Roles and Responsibilities–Obtaining an Understanding by the Auditor: The auditor
shall obtain an understanding of how the entity communicates financial reporting roles and responsibilities, including:
(a) Communications between management and those charged with governance; and
(b) External communications, such as those with regulatory authorities.
The following points need consideration in this regard:
(i) Understanding of Roles and Responsibilities: Communication by the entity of the financial reporting roles and
responsibilities involves providing an understanding of individual roles and responsibilities pertaining to
internal control over financial reporting.
(ii) Understanding regarding Relation of Activities: It includes understanding by employees as to how their activities
relate to the work of others and the means of reporting exceptions to higher level within the entity.
(iii) Policy Manuals and Financial Reporting Manuals: Communication may take such forms as policy manuals and
financial reporting manuals.
(iv) Open Communication Channels: Open communication channels help ensure that exceptions are reported and acted on.
(v) Less structured and easier for Small Entities: Communication may be less structured and easier to achieve in
a small entity than in a larger entity due to fewer levels of responsibility and management’s greater visibility and
availability.
(D) Control Activities– Component of Internal Control
The auditor shall obtain an understanding of control activities relevant to the audit, which the auditor considers necessary
to assess the risks of material misstatement. An audit requires an understanding of only those control activities related
to significant classes of transactions, account balances, and disclosures in the financial statements and the assertions
which the auditor finds relevant in his risk assessment process.
Control activities are the policies and procedures that help ensure that management directives are carried out.
Control activities, whether within IT or manual systems, have various objectives and are applied at various organisational
and functional levels.
Examples of specific control activities include those relating to the following:
• Authorization
• Segregation of Duties
• Performance Reviews
• Physical Controls
• Information Processing
Control activities that are relevant to the audit are:
• Control activities that relate to significant risks and those that relate to risks for which substantive procedures alone
do not provide sufficient appropriate audit evidence; or
• Those that are considered to be relevant in the judgment of the auditor.
As part of the risk assessment, the auditor shall determine whether any of the risks identified are, in the auditor’s
judgment, a significant risk.
In exercising judgment as to which risks are significant risks, the auditor shall consider at least the following:
(a) Whether the risk is a risk of fraud;
(b) Whether the risk is related to recent significant economic, accounting, or other developments like changes in
regulatory environment, etc., and, therefore, requires specific attention;

(c) The complexity of transactions;
(d) Whether the risk involves significant transactions with related parties;
(e) The degree of subjectivity in the measurement of financial information related to the risk, especially those
measurements involving a wide range of measurement uncertainty; and
(f) Whether the risk involves significant transactions that are outside the normal course of business for the entity, or that
otherwise appear to be unusual.
(Note: Students may refer to Chapter 5 for a detailed understanding of Fraud Risk.)
Identifying Significant Risks: Significant risks often relate to significant non-routine transactions or judgmental
matters. Non-routine transactions are transactions that are unusual, due to either size or nature, and that therefore occur
infrequently. Judgmental matters may include the development of accounting estimates for which there is significant
measurement uncertainty.
Example

Significant risks are inherent risks with both a higher likelihood of occurrence and a higher magnitude of potential
misstatement. The auditor assesses assertions affected by a significant risk as higher inherent risk. The following are
always significant risks:
• Risks of material misstatement due to fraud
• Significant transactions with related parties that are outside the normal course of business for the entity

Risks of Material Misstatement– Greater for Significant Non-Routine Transactions


Risks of material misstatement may be greater for significant non-routine transactions arising from matters such as the
following:
• Greater management intervention to specify the accounting treatment.
• Greater manual intervention for data collection and processing.
• Complex calculations or accounting principles.
• The nature of non-routine transactions, which may make it difficult for the entity to implement effective controls
over the risks.
Risks of material misstatement– Greater for Significant Judgmental Matters
Risks of material misstatement may be greater for significant judgmental matters that require the development of
accounting estimates, arising from matters such as the following:
• Accounting principles for accounting estimates or revenue recognition may be subject to differing interpretation.
• Required judgment may be subjective or complex, or require assumptions about the effects of future events, for
example, judgment about fair value.
(E) Monitoring of Controls – Component of Internal Control
The auditor shall obtain an understanding of the major activities that the entity uses to monitor internal control over
financial reporting.
(i) Monitoring of controls Defined: Monitoring of controls is a process to assess the effectiveness of internal control
performance over time.
(ii) Helps in assessing the effectiveness of controls on a timely basis: It involves assessing the effectiveness of controls
on a timely basis and taking necessary remedial actions.
(iii) Management accomplishes through ongoing activities, separate evaluations etc.: Management accomplishes
monitoring of controls through ongoing activities, separate evaluations, or a combination of the two. Ongoing
monitoring activities are often built into the normal recurring activities of an entity and include regular management
and supervisory activities.
(iv) Management’s monitoring activities include: Management’s monitoring activities may include using information
from communications from external parties such as customer complaints and regulator comments that may indicate
problems or highlight areas in need of improvement.
(v) In case of Small Entities: Management’s monitoring of control is often accomplished by management’s or the
owner-manager’s close involvement in operations. This involvement often will identify significant variances from
expectations and inaccuracies in financial data leading to remedial action to the control.
Monitoring of Controls– If the entity has an internal audit function

If the entity has an internal audit function, the auditor shall obtain an understanding of the following:
(a) The internal audit function’s responsibilities and how the internal audit function fits in the entity’s organisational
structure; and
(b) The activities performed, or to be performed, by the internal audit function.

The following points merit consideration in this regard:


(i) Internal Audit Function relevant to the Audit: The entity’s internal audit function is likely to be relevant to the
audit if its activities are related to the entity’s financial reporting. It is also likely to be relevant if the auditor
expects to use the work of the internal auditors to modify the audit procedures to be performed. When the auditor
determines that the internal audit function is likely to be relevant to the audit, SA 610 applies.
(ii) Size and Structure of the Entity: The objectives of an internal audit function vary widely depending on the size
and structure of the entity and the requirements of management.
(iii) Internal audit function may include: The responsibilities of an internal audit function may include, for example,
monitoring of internal control, risk management, and review of compliance with laws and regulations.
On the other hand, the responsibilities of the internal audit function may be limited to the review of the economy,
efficiency and effectiveness of operations, for example, and accordingly, may not relate to the entity’s financial
reporting.
(iv) External auditor’s activities- on the basis of Internal Audit activities: If the internal audit function’s responsibilities
are related to the entity’s financial reporting, the external auditor’s consideration of the activities performed may
include review of the internal audit function’s audit plan for the period.

Satisfactory Control Environment – not an absolute deterrent to fraud:


The existence of a satisfactory control environment can be a positive factor when the auditor assesses the risks of
material misstatement. However, although it may help reduce the risk of fraud, a satisfactory control environment is
not an absolute deterrent to fraud. Conversely, deficiencies in the control environment may undermine the effectiveness
of controls, in particular in relation to fraud. For example, management’s failure to commit sufficient resources to address
IT security risks may adversely affect internal control by allowing improper changes to be made to computer programs
or to data, or unauthorized transactions to be processed. As explained in SA 330, the control environment also influences
the nature, timing, and extent of the auditor’s further procedures.
The control environment in itself does not prevent, or detect and correct, a material misstatement. It may, however,
influence the auditor’s evaluation of the effectiveness of other controls (for example, the monitoring of controls and
the operation of specific control activities) and thereby, the auditor’s assessment of the risks of material misstatement.

4. EVALUATION OF INTERNAL CONTROL BY THE AUDITOR


So far as the auditor is concerned, the examination and evaluation of the internal control system is an indispensable part
of the overall audit programme. The auditor needs reasonable assurance that the accounting system is adequate and that
all the accounting information which should be recorded has in fact been recorded. Internal control normally contributes
to such assurance. The auditor should gain an understanding of the accounting system and related internal controls and
should study and evaluate the operations of these internal controls upon which he wishes to rely in determining the
nature, timing and extent of other audit procedures.
Benefits of Evaluation of Internal Control to the Auditor
The review of internal controls will enable the auditor to know:
(i) whether errors and frauds are likely to be located in the ordinary course of operations of the business;
(ii) whether an adequate internal control system is in use and operating as planned by the management;
(iii) whether an effective internal auditing department is operating;
(iv) whether any administrative control has a bearing on his work (for example, if the control over worker recruitment
and enrolment is weak, there is a likelihood of dummy names being included in the wages sheet and this is relevant
for the auditor);
(v) whether the controls adequately safeguard the assets;
(vi) how far and how adequately the management is discharging its function in so far as correct recording of transactions
is concerned;

(vii) how reliable the reports, records and the certificates to the management can be;
(viii) the extent and the depth of the examination that he needs to carry out in the different areas of accounting;
(ix) what would be appropriate audit technique and the audit procedure in the given circumstances;
(x) what are the areas where control is weak and where it is excessive; and
(xi) whether some worthwhile suggestions can be given to improve the control system.
ILLUSTRATION 8
Mr. Y, one of the team members of the auditors of What and Where Limited, was very keen to know whether the internal
control of the company would safeguard the company’s assets. Advise Mr. Y.
SOLUTION
The review of internal controls will enable the auditors to know whether the controls adequately safeguard the assets.
ILLUSTRATION 9
Mr. H, a team member of the auditor of There and Here Limited, was of the view that evaluation of internal control of the
company would help in identifying the areas where internal control is weak. Advise.
SOLUTION
The review of internal controls will enable the auditor to know what are the areas where control is weak and where it is
excessive.
Formulate Audit Program after understanding Internal Control
The auditor can formulate his entire audit programme only after he has had a satisfactory understanding of
the internal control systems and their actual operation. If he does not care to study this aspect, it is very likely that his
audit programme may become unwieldy and unnecessarily heavy and the object of the audit may be altogether lost in the
mass of entries and vouchers. It is also important for him to know whether the system is actually in operation. Often,
after installation of a system, there is no proper follow-up by the management to ensure compliance. The auditor, in such
circumstances, may be led to believe that a system is in operation which in reality may not be altogether in operation or
may at best operate only partially. This state of affairs is probably the worst that an auditor may come across and he would
be in the midst of confusion, if he does not take care.
It would be better if the auditor can undertake the review of the internal control system of the client. This will give him
enough time to assimilate the controls and implications and will enable him to be more objective in the framing of the audit
programme. He will also be in a position to bring to the notice of the management the weaknesses of the system and
to suggest measures for improvement. At a further interim date or in the course of the audit, he may ascertain how far
the weaknesses have been removed.
From the foregoing, it can be concluded that the extent and the nature of the audit programme is substantially
influenced by the internal control system in operation. In deciding upon a plan of test checking, the existence and
operation of internal control system is of great significance.
A proper understanding of the internal control system in its content and working also enables an auditor to decide upon
the appropriate audit procedure to be applied in different areas to be covered in the audit programme.
In a situation where the internal controls are considered weak in some areas, the auditor might choose an auditing
procedure or test that otherwise might not be required; he might extend certain tests to cover a larger number of
transactions or other items than he otherwise would examine and at times he may perform additional tests to bring him
the necessary satisfaction.
Example

Normally the distribution of wages is not observed by the auditor. But if the internal control over wages is so weak that
there exists a possibility of dummy workers being paid, the auditor might include observation of wages distribution in
his programme in order to find out the workers who do not turn up for receipt of wages.
On the other hand, if he is satisfied with the internal control on sales and trade receivables, the auditor can get trade
receivables’ balances confirmed at almost any time reasonably close to the balance sheet date. But if the control is
weak, he may feel that he should get the confirmation exactly on the date of the year closing so that he may eliminate
the risk of errors and frauds occurring during the intervening period. Also, he may in that situation decide to have
a large coverage of trade receivables by the confirmation procedure.

Evaluation of Internal Control– Methods


A review of the internal control can be done by a process of study, examination and evaluation of the control system
installed by the management.
The first step involves determination of the control and procedures laid down by the management. By reading company
manuals, studying organisation charts and flow charts and by making suitable enquiries from the officers and employees,
the auditor may ascertain the character, scope and efficacy of the control system. To acquaint himself about how all the
accounting information is collected and processed and to learn the nature of controls that makes the information reliable
and protect the company’s assets, calls for considerable skill and knowledge. In many cases, very little of this information
is available in writing; the auditor must ask the right people the right questions if he is to get the information he wants.
It would be better if he makes written notes of the relevant information and procedures contained in the manual or
ascertained on enquiry.
To facilitate the accumulation of the information necessary for the proper review and evaluation of internal controls,
the auditor can use one of the following to help him to know and assimilate the system and evaluate the same:
(i) Narrative record;
(ii) Check List;
(iii) Questionnaire; and
(iv) Flow chart.

[Figure: Evaluation of Internal Control with the help of Narrative Record, Check List, Questionnaire and Flow Chart]

4.1 The Narrative Record


This is a complete and exhaustive description of the system as found in operation by the auditor. Actual testing and
observation are necessary before such a record can be developed. It may be recommended in cases where no formal
control system is in operation and would be more suited to small business.
The basic disadvantages of narrative records are that it is quite difficult:
(i) to comprehend the system in operation;
(ii) to identify weaknesses or gaps in the system; and
(iii) to incorporate changes arising on account of reshuffling of manpower, etc.
4.2 A Check List
This is a series of instructions and/or questions which a member of the auditing staff must follow and/or answer.
When he completes an instruction, he initials the space against the instruction. Answers to the check list instructions are
usually Yes, No or Not Applicable. This is again an on the job requirement and instructions are framed having regard to
the desirable elements of control.
Example
A few examples of check list instructions are given hereunder:
1. Are tenders called before placing orders?
2. Are the purchases made on the basis of a written order?
3. Is the purchase order form standardised?
4. Are purchase order forms pre-numbered?
5. Are the inventory control accounts maintained by persons who have nothing to do with custody of work, receipt of
inventory, inspection of inventory and purchase of inventory?
The complete check list is studied by the Principal/Manager/Senior to ascertain existence of internal control and evaluate
its implementation and efficiency.
4.3 Internal Control Questionnaire
This is a comprehensive series of questions concerning internal control. This is the most widely used form for
collecting information about the existence, operation and efficiency of internal control in an organisation.
An important advantage of the questionnaire approach is that oversight or omission of significant internal control review
procedures is less likely to occur with this method. With a proper questionnaire, all internal control evaluation can be
completed at one time or in sections. The review can more easily be made on an interim basis. The questionnaire form
also provides an orderly means of disclosing control defects. It is the general practice to review the internal control system
annually and record the review in detail. In the questionnaire, generally questions are so framed that a ‘Yes’ answer
denotes satisfactory position and a ‘No’ answer suggests weakness. Provision is made for an explanation or further
details of ‘No’ answers. In respect of questions not relevant to the business, ‘Not Applicable’ reply is given.
The questionnaire is usually issued to the client and the client is requested to get it filled by the concerned executives
and employees. If on a perusal of the answers, inconsistencies or apparent incongruities are noticed, the matter is further
discussed by auditor’s staff with the client’s employees for a clear picture. The concerned auditor then prepares a report
of deficiencies and recommendations for improvement.
4.4 Flow Chart
It is a graphic presentation of each part of the company’s system of internal control. A flow chart is considered to be the
most concise way of recording the auditor’s review of the system. It minimises the amount of narrative explanation and
thereby achieves a consideration or presentation not possible in any other form. It gives a bird’s eye view of the system and
the flow of transactions and integration and in documentation, can be easily spotted and improvements can be suggested.
It is also necessary for the auditor to study the significant features of the business carried on by the concern; the nature of its
activities and various channels of goods and materials as well as cash, both inward and outward; and also a comprehensive
study of the entire process of manufacturing, trading and administration. This will help him to understand and evaluate
the internal controls in the correct perspective.
ILLUSTRATION 10
In order to evaluate the Internal Control of Your and My Limited, a team member of the auditors used a method according
to which, number of questions relating to internal control of the company were required to be answered by the employees
of the company. After obtaining the answers there was a discussion relating to those answers between team member
of the auditor and employees of the company for a clear picture. State the method of evaluation of internal control as
discussed above.
SOLUTION
The method of evaluation of internal control used in the above question is known as Internal Control Questionnaire
because in questionnaire method, a number of questions relating to internal control of a company are required to be
answered by employees of that company and when answers to the questions are obtained, there is a discussion relating
to those answers between team members of the auditors and employees of that company for a clear picture.
ILLUSTRATION 11
Healthy and Useful Limited is into small manufacturing as well as trading business. For the purpose of evaluating the
internal control of Healthy and Useful Limited, a team member of the auditors of the company used a method according
to which the whole description of internal control that was operating in the said company was to be recorded. Identify the
method of evaluation of internal control as mentioned above.
SOLUTION
The method of evaluation of internal control referred above is known as Narrative Record because in Narrative Record
method, a whole description of internal control operating in an entity is recorded. Narrative Record method is also
appropriate for small manufacturing as well as trading business, as is the case in the question above.

5. TESTING OF INTERNAL CONTROL


After assimilating the internal control system, the auditor needs to examine whether and how far the same is actually in
operation. For this, he resorts to actual testing of the system in operation. This he does on a selective basis: he can plan
this testing in such a manner that all the important areas are covered in a period of, say, three years. Selective testing is
done by application of procedural tests and auditing in depth.
Tests of Control:
Tests of control are performed to obtain audit evidence about the effectiveness of the:
(a) design of the accounting and internal control systems, i.e., whether they are suitably designed to prevent or detect and
correct material misstatements; and
(b) operation of the internal controls throughout the period.

Test of controls include tests of elements of the control environment where strengths in the control environment are used
by auditors to reduce control risk.
Some of the procedures performed to obtain the understanding of the accounting and internal control systems may not
have been specifically planned as tests of control but may provide audit evidence about the effectiveness of the design
and operation of internal controls relevant to certain assertions and, consequently, serve as tests of control. For example,
in obtaining the understanding of the accounting and internal control systems pertaining to cash, the auditor may have
obtained audit evidence about the effectiveness of the bank reconciliation process through inquiry and observation.
When the auditor concludes that procedures performed to obtain the understanding of the accounting and internal control
systems also provide audit evidence about the suitability of design and operating effectiveness of policies and procedures
relevant to a particular financial statement assertion, the auditor may use that audit evidence, provided it is sufficient to
support a control risk assessment at less than a high level.
Example

Tests of control may include:
• Inspection of documents supporting transactions and other events to gain audit evidence that internal controls
have operated properly, for example, verifying that a transaction has been authorised.
• Inquiries about, and observation of, internal controls which leave no audit trail, for example, determining who
actually performs each function and not merely who is supposed to perform it.
• Re-performance involves the auditor’s independent execution of procedures or controls that were originally
performed as part of the entity’s internal control, for example, reconciliation of bank accounts, to ensure they
were correctly performed by the entity.
• Testing of internal control operating on specific computerised applications or over the overall information
technology function, for example, access or program change controls.
(Students may note that testing of IT system related controls is discussed in detail in Chapter 6, Audit in an
Automated Environment.)

While obtaining audit evidence about the effective operation of internal controls, the auditor considers how they were
applied, the consistency with which they were applied during the period and by whom they were applied. The concept
of effective operation recognises that some deviations may have occurred. Deviations from prescribed controls may be
caused by such factors as changes in key personnel, significant seasonal fluctuations in volume of transactions and human
error. When deviations are detected the auditor makes specific inquiries regarding these matters, particularly, the timing
of staff changes in key internal control functions. The auditor then ensures that the tests of control appropriately cover
such a period of change or fluctuation.
Based on the results of the tests of control, the auditor should evaluate whether the internal controls are designed and
operating as contemplated in the preliminary assessment of control risk. The evaluation of deviations may result in the
auditor concluding that the assessed level of control risk needs to be revised. In such cases, the auditor would modify the
nature, timing and extent of planned substantive procedures.
Before the conclusion of the audit, based on the results of substantive procedures and other audit evidence obtained
by the auditor, the auditor should consider whether the assessment of control risk is confirmed. In case of deviations
from the prescribed accounting and internal control systems, the auditor would make specific inquiries to consider their
implications. Where, on the basis of such inquiries, the auditor concludes that the deviations are such that the preliminary
assessment of control risk is not supported, he would amend the same unless the audit evidence obtained from other
tests of control supports that assessment. Where the auditor concludes that the assessed level of control risk needs to be
revised, he would modify the nature, timing and extent of his planned substantive procedures.
It has been suggested that actual operation of the internal control should be tested by the application of procedural
tests and examination in depth. Procedural tests simply mean testing of the compliance with the procedures laid down
by the management in respect of initiation, authorisation, recording and documentation of transaction at each stage
through which it flows.
Example

For example, the procedure for sales requires the following:


1. Before acceptance of any order the position of inventory of the relevant article should be known to ascertain
whether the order can be executed in time.
2. An advice under the authorisation of the sales manager should be sent to the party placing the order, internal
reference number, and the acceptance of the order. This advice should be prepared on a standardised form and
copy thereof should be forwarded to inventory section to enable it to prepare for the execution of the order in
time.
3. The credit period allowed to the party should be the normal credit period. For any special credit period a special
authorisation of the sales manager would be necessary.
4. The rate at which the order has been accepted and other terms about transport, insurance, etc., should be clearly
specified.
5. Before deciding upon the credit period, a reference should be made to the credit section to know the creditworthiness
of the party and particularly whether the party has honoured its commitments in the past.

An auditor testing the internal controls on sales should invariably test whether any of the aforesaid procedures have been
omitted. If credit has actually been granted without a reference to the credit section to know the creditworthiness of the
party, it is possible that the amount may prove bad because of the financial crisis or deadlock in the management of the
party, a fact which could have been easily gathered from the credit section. Similarly, if an order is received without a
reference to the inventory section, it is likely that, due to non-availability of the inventory on the stipulated date, execution of
the order may be delayed and the company may have to compensate the buyer for the damages suffered by him.

6. INTERNAL CONTROL AND IT ENVIRONMENT


Characteristics of Manual and Automated Elements of Internal Control Relevant to the Auditor’s Risk Assessment: An
entity’s system of internal control contains manual elements and often contains automated elements. The characteristics
of manual or automated elements relevant to the auditor’s risk assessment and further audit procedures are explained
hereunder-
(i) Controls in Manual and IT System: The use of manual or automated elements in internal control affects the
manner in which transactions are initiated, recorded, processed, and reported:

(1) Controls in a manual system may include such procedures as approvals and reviews of transactions, and
reconciliations and follow-up of reconciling items. Alternatively, an entity may use automated procedures
to initiate, record, process, and report transactions, in which case records in electronic format replace paper
documents.
(2) Controls in IT systems consist of a combination of automated controls (for example, controls embedded
in computer programs) and manual controls. Further, manual controls may be independent of IT, may use
information produced by IT, or may be limited to monitoring the effective functioning of IT and of automated
controls, and to handling exceptions.
(ii) Use of IT: An entity’s mix of manual and automated elements in internal control varies with the nature and complexity
of the entity’s use of IT.
(iii) Generally, IT benefits an entity’s internal control by enabling an entity to:
• Consistently apply predefined business rules and perform complex calculations in processing large volumes
of transactions or data;
• Enhance the timeliness, availability, and accuracy of information;
• Facilitate the additional analysis of information;
• Enhance the ability to monitor the performance of the entity’s activities and its policies and procedures;
• Reduce the risk that controls will be circumvented; and
• Enhance the ability to achieve effective segregation of duties by implementing security controls in applications,
databases, and operating systems.

[Figure: Benefits of IT in an Entity’s Internal Control]


(iv) IT also poses specific risks to an entity’s internal control, including, for example:
• Reliance on systems or programs that are inaccurately processing data, processing inaccurate data, or both.
• Unauthorised access to data that may result in destruction of data or improper changes to data, including the
recording of unauthorised or non-existent transactions, or inaccurate recording of transactions. Particular risks
may arise where multiple users access a common database.
• The possibility of IT personnel gaining access privileges beyond those necessary to perform their assigned
duties thereby breaking down segregation of duties.
• Unauthorised changes to data in master files.
• Unauthorised changes to systems or programs.
• Failure to make necessary changes to systems or programs.
• Inappropriate manual intervention.
• Potential loss of data or inability to access data as required.
(v) Suitability: Manual elements in internal control may be more suitable where judgment and discretion are required.

(vi) Reliability: Manual elements in internal control may be less reliable than automated elements because they can be
more easily bypassed, ignored, or overridden and they are also more prone to simple errors and mistakes. Consistency
of application of a manual control element cannot therefore be assumed.
(vii) Nature of Entity’s Information System: The extent and nature of the risks to internal control vary depending on the
nature and characteristics of the entity’s information system. The entity responds to the risks arising from the use of
IT or from use of manual elements in internal control by establishing effective controls in light of the characteristics
of the entity’s information system.
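An added example, not part of the original study material: one way an auditor might re-perform a test of access controls over system extracts, covering the risks in (iv) of unauthorised recording of transactions and of access privileges that break down segregation of duties. The user names, duty names, conflicting-duty pairs and records below are constructed for illustration.

```python
"""Test of controls over IT access and segregation of duties (illustrative)."""
from collections import defaultdict

# Hypothetical pairs of duties that one person should not hold together.
CONFLICTING_DUTIES = [
    ("create_purchase_order", "approve_purchase_order"),
    ("maintain_vendor_master", "release_payment"),
    ("post_journal", "approve_journal"),
]

# Constructed access listing: (user, duty) rows as exported from an application.
ENTITLEMENTS = [
    ("asha", "create_purchase_order"),
    ("asha", "post_journal"),
    ("bilal", "approve_purchase_order"),
    ("bilal", "approve_journal"),
    ("it_admin", "maintain_vendor_master"),
    ("it_admin", "release_payment"),
    ("chitra", "release_payment"),
    ("dev", "create_purchase_order"),
    ("dev", "approve_purchase_order"),
]

# Constructed purchase order log for the period under test.
TRANSACTIONS = [
    {"id": "PO-1001", "created_by": "asha", "approved_by": "bilal"},
    {"id": "PO-1002", "created_by": "dev", "approved_by": "dev"},
    {"id": "PO-1003", "created_by": "asha", "approved_by": None},
    {"id": "PO-1004", "created_by": "asha", "approved_by": "chitra"},
]


def duties_by_user(entitlements):
    """Group the access listing into user -> set of duties held."""
    held = defaultdict(set)
    for user, duty in entitlements:
        held[user].add(duty)
    return held


def access_conflicts(entitlements, conflicts=CONFLICTING_DUTIES):
    """Design test: users whose privileges combine two incompatible duties."""
    held = duties_by_user(entitlements)
    found = []
    for user in sorted(held):
        for duty_a, duty_b in conflicts:
            if duty_a in held[user] and duty_b in held[user]:
                found.append((user, duty_a, duty_b))
    return found


def operating_deviations(transactions, entitlements,
                         approval_duty="approve_purchase_order"):
    """Operation test: transactions where the authorisation control failed."""
    held = duties_by_user(entitlements)
    deviations = []
    for txn in transactions:
        approver = txn["approved_by"]
        if approver is None:
            deviations.append((txn["id"], "no approval recorded"))
            continue
        if approver == txn["created_by"]:
            deviations.append((txn["id"], "creator approved own transaction"))
        if approval_duty not in held.get(approver, set()):
            deviations.append((txn["id"], "approver lacks approval duty"))
    return deviations


def deviation_rate(transactions, entitlements):
    """Share of tested transactions with at least one deviation."""
    if not transactions:
        return 0.0
    flagged = {txn_id for txn_id, _ in
               operating_deviations(transactions, entitlements)}
    return len(flagged) / len(transactions)


if __name__ == "__main__":
    for user, duty_a, duty_b in access_conflicts(ENTITLEMENTS):
        print(f"Access conflict: {user} holds {duty_a} and {duty_b}")
    for txn_id, reason in operating_deviations(TRANSACTIONS, ENTITLEMENTS):
        print(f"Deviation: {txn_id}: {reason}")
    print(f"Deviation rate: {deviation_rate(TRANSACTIONS, ENTITLEMENTS):.0%}")
```

The access conflicts speak to the design of the control, while the deviations and the deviation rate speak to its operation during the period, which is the distinction drawn under Tests of Control in section 5.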

7. MATERIALITY AND AUDIT RISK


The concept of materiality is applied by the auditor both in planning and
performing the audit, and in evaluating the effect of identified misstatements on
the audit and of uncorrected misstatements, if any, on the financial statements
and in forming the opinion in the auditor’s report.
In conducting an audit of financial statements, the overall objectives of the
auditor are to obtain reasonable assurance about whether the financial
statements as a whole are free from material misstatement, whether due to
fraud or error, thereby enabling the auditor to express an opinion on whether
the financial statements are prepared, in all material respects, in accordance
with an applicable financial reporting framework; and to report on the financial
statements, and communicate as required by the SAs, in accordance with the
auditor’s findings. The auditor obtains reasonable assurance by obtaining
sufficient appropriate audit evidence to reduce audit risk to an acceptably low level.
Audit risk is the risk that the auditor expresses an inappropriate audit opinion when the financial statements are materially
misstated. Audit risk is a function of the risks of material misstatement and detection risk. Materiality and audit risk are
considered throughout the audit, in particular, when:
(a) Identifying and assessing the risks of material misstatement;
(b) Determining the nature, timing and extent of further audit procedures; and
(c) Evaluating the effect of uncorrected misstatements, if any, on the financial statements and in forming the
opinion in the auditor’s report.
ILLUSTRATION 12
One of the team members of auditors of Highly Capable Limited was of the view that Materiality and Audit Risk are only
considered at planning stage of an audit. Comment as an auditor.
SOLUTION
The concept of materiality is applied by the auditor both in planning and performing the audit, and in evaluating the
effect of identified misstatements on the audit and of uncorrected misstatements, if any, on the financial statements and
in forming the opinion in the auditor’s report.

8. DOCUMENTING THE RISK


The auditor shall document:
(a) The discussion among the engagement team and the significant decisions reached;
(b) Key elements of the understanding obtained regarding each of the aspects of the entity and its environment and of
each of the internal control components, the sources of information from which the understanding was obtained; and
the risk assessment procedures performed;
(c) The identified and assessed risks of material misstatement at the financial statement level and at the assertion level;
and
(d) The risks identified, and related controls about which the auditor has obtained an understanding.
ILLUSTRATION 13
Mr. N, one of the team members of the auditors of Reasonably Cheerful Limited was of the view that risks that were
identified during the course of audit were not required to be documented. Explain with a reason whether the viewpoint
of Mr. N is justified.

SOLUTION
The auditor shall document the identified and assessed risks of material misstatement at the financial statement
level and at the assertion level; and the risks identified, and related controls about which the auditor has obtained
an understanding.
Keeping in view the above, the viewpoint of Mr. N is not justified because risks that were identified during the course of
audit of Reasonably Cheerful Limited were required to be documented by the auditors.

9. INTERNAL AUDIT
As defined in scope of the Standards on Internal Audit, Internal Audit means “An independent management function,
which involves a continuous and critical appraisal of the functioning of an entity with a view to suggest improvements
thereto and add value to and strengthen the overall governance mechanism of the entity, including the entity’s
strategic risk management and internal control system”.
9.1 Applicability of Provisions of Internal Audit
As per section 138 of the Companies Act, 2013 the following class of companies (prescribed in rule 13 of Companies
(Accounts) Rules, 2014) shall be required to appoint an internal auditor or a firm of internal auditors, namely-
(a) every listed company;
(b) every unlisted public company having-
(i) paid up share capital of fifty crore rupees or more during the preceding financial year; or
(ii) turnover of two hundred crore rupees or more during the preceding financial year; or
(iii) outstanding loans or borrowings from banks or public financial institutions exceeding one hundred crore
rupees or more at any point of time during the preceding financial year; or
(iv) outstanding deposits of twenty five crore rupees or more at any point of time during the preceding financial
year; and
(c) every private company having-
(i) turnover of two hundred crore rupees or more during the preceding financial year; or
(ii) outstanding loans or borrowings from banks or public financial institutions exceeding one hundred crore rupees
or more at any point of time during the preceding financial year:
It is provided that an existing company covered under any of the above criteria shall comply with the requirements within
six months of commencement of such section.
ILLUSTRATION 14
Windy Limited is an unlisted public limited company. During the financial year 2019-20, the paid up share capital of Windy
Limited was ₹ 60 crore. During the financial year 2020-21, Board of Directors of the company, in order to comply with the
provisions of Companies Act, 2013 appointed an internal auditor. Give the justification of this appointment done by Board
of Directors of Windy Limited according to the provisions of Companies Act, 2013.
SOLUTION
The appointment done by Board of Directors of Windy Limited is justified because according to Section 138 of the
Companies Act, 2013, every unlisted public company having a paid up share capital of ₹ 50 crore or more during the
preceding financial year is required to appoint an internal auditor.
ILLUSTRATION 15
Extremely Fine Limited is an unlisted public limited company. For the financial year 2019-20, the turnover of the above
mentioned company was ₹ 256 crore. In order to comply with provisions of Companies Act, 2013 the Board of Directors
of Extremely Fine Limited during the financial year 2020-21, appointed an internal auditor. Comment on the appointment
of Internal Auditor.
SOLUTION
The appointment done by Board of Directors of Extremely Fine Limited is justified because according to Section 138 of
the Companies Act, 2013 every unlisted public company having a turnover of ₹ 200 crore or more during the preceding
financial year is required to appoint an internal auditor.
In the above mentioned question, Extremely Fine Limited is an unlisted public company having a turnover of ₹ 256 crore
for the financial year 2019-20, which is more than ₹ 200 crore, therefore during the financial year 2020-21, Extremely Fine
Limited is required to appoint an internal auditor.
9.2 Who can be appointed as Internal Auditor?
As per section 138, the internal auditor shall either be a chartered accountant or a cost accountant (whether engaged in
practice or not), or such other professional as may be decided by the Board to conduct internal audit of the functions and
activities of the companies. The internal auditor may or may not be an employee of the company.
9.3 Internal audit function
A function of an entity that performs assurance and consulting activities designed to evaluate and improve the effectiveness
of the entity’s governance, risk management and internal control processes.
9.3.1 The objectives and scope of internal audit functions
As per SA-610, “Using the Work of an Internal Auditor”, the objectives of internal audit functions vary widely and depend
on the size and structure of the entity and the requirements of management and, where applicable, those charged with
governance.
The objectives and scope of internal audit functions typically include assurance and consulting activities designed
to evaluate and improve the effectiveness of the entity’s governance processes, risk management and internal
control such as the following:
1. Activities Relating to Governance: The internal audit function may assess the governance process in its
accomplishment of objectives on ethics and values, performance management and accountability, communicating
risk and control information to appropriate areas of the organization and effectiveness of communication among
those charged with governance, external and internal auditors, and management.
2. Activities Relating to Risk Management: The internal audit function may assist the entity by identifying and
evaluating significant exposures to risk and contributing to the improvement of risk management and internal control
(including effectiveness of the financial reporting process). The internal audit function may perform procedures to
assist the entity in the detection of fraud.
3. Activities Relating to Internal Control:
(i) Evaluation of internal control: The internal audit function may be assigned specific responsibility for reviewing
controls, evaluating their operation and recommending improvements thereto. In doing so, the internal audit
function provides assurance on the control. For example, the internal audit function might plan and perform
tests or other procedures to provide assurance to management and those charged with governance regarding the
design, implementation and operating effectiveness of internal control, including those controls that are relevant
to the audit.
(ii) Examination of financial and operating information: The internal audit function may be assigned to review
the means used to identify, recognize, measure, classify and report financial and operating information, and to
make specific inquiry into individual items, including detailed testing of transactions, balances and procedures.
(iii) Review of operating activities: The internal audit function may be assigned to review the economy, efficiency
and effectiveness of operating activities, including nonfinancial activities of an entity.
(iv) Review of compliance with laws and regulations: The internal audit function may be assigned to review
compliance with laws, regulations and other external requirements, and with management policies and directives
and other internal requirements.
[Figure: Internal Auditor Function: Activities relating to Governance; Activities relating to Risk Management; Activities relating to Internal Control (Evaluation of Internal Control, Examination of Financial and Operating Information, Review of Operating Activities, Review of Compliance with Laws & Regulations)]
ILLUSTRATION 16
One of the directors of Stability Establishment Limited was of the view that Internal Audit has no relation with Internal
Control of a company. Comment.
SOLUTION
The objectives and scope of internal audit functions typically include assurance and consulting activities designed to
evaluate and improve the effectiveness of the entity’s governance processes, risk management and internal control such
as the Activities Relating to Internal Control:
(i) Evaluation of internal control: The internal audit function may be assigned specific responsibility for reviewing
controls, evaluating their operation and recommending improvements thereto. In doing so, the internal audit
function provides assurance on the control. For example, the internal audit function might plan and perform tests
or other procedures to provide assurance to management and those charged with governance regarding the design,
implementation and operating effectiveness of internal control, including those controls that are relevant to the audit.
(ii) Examination of financial and operating information: The internal audit function may be assigned to review the
means used to identify, recognize, measure, classify and report financial and operating information, and to make
specific inquiry into individual items, including detailed testing of transactions, balances and procedures.
(iii) Review of operating activities: The internal audit function may be assigned to review the economy, efficiency and
effectiveness of operating activities, including nonfinancial activities of an entity.
(iv) Review of compliance with laws and regulations: The internal audit function may be assigned to review compliance
with laws, regulations and other external requirements, and with management policies and directives and other
internal requirements.
Keeping in view the above, the viewpoint of the director of Stability Establishment Limited is incorrect because internal
audit has a very strong relation with internal control of a company. Internal Audit analyzes the effectiveness with
which the internal control of a company is operating and also makes suggestions for improvement in that internal
control.

10. BASICS OF STANDARDS ON INTERNAL AUDIT ISSUED BY ICAI


Considering the increasing importance of internal auditing, the Institute of Chartered Accountants of India has constituted
a Committee on Internal Audit (CIA) as a non-standing committee on February 5, 2004. The CIA was constituted with the
object of formulating Standards and Guidance Notes on Internal Audit; it is now known as the Internal Audit Standard Board.
The Board has, till date, issued thirteen new Standards on Internal Audit (SIAs) and the list is given below. The SIAs aim
to codify the best practices in the area of internal audit and also serve to provide a benchmark of the performance of the
internal audit services. While formulating SIAs, the Board takes into consideration the applicable laws, customs, usages
and business environment and generally accepted auditing practices in India.
The following SIAs are recommendatory in nature. The Standards shall become mandatory from such date as
notified by the council:
SIA-110 NATURE OF ASSURANCE
SIA-120 INTERNAL CONTROLS
SIA-210 MANAGING THE INTERNAL AUDIT FUNCTION
SIA-220 CONDUCTING OVERALL INTERNAL AUDIT PLANNING
SIA-230 OBJECTIVES OF INTERNAL AUDIT
SIA-240 USING THE WORK OF AN EXPERT
SIA-310 PLANNING THE INTERNAL AUDIT ASSIGNMENT
SIA-320 INTERNAL AUDIT EVIDENCE
SIA-330 INTERNAL AUDIT DOCUMENTATION
SIA-350 REVIEW AND SUPERVISION OF AUDIT ASSIGNMENTS
SIA-360 COMMUNICATION WITH MANAGEMENT
SIA-370 REPORTING RESULTS
SIA-390 MONITORING AND REPORTING OF PRIOR AUDIT ISSUES
11. BASICS OF INTERNAL FINANCIAL CONTROL AND REPORTING REQUIREMENTS
Clause (e) of Sub-section 5 of Section 134 explains the meaning of internal financial controls as, “the policies and
procedures adopted by the company for ensuring the orderly and efficient conduct of its business, including adherence
to company’s policies, the safeguarding of its assets, the prevention and detection of frauds and errors, the accuracy and
completeness of the accounting records, and the timely preparation of reliable financial information.”
From the above definition, it is clear that internal financial controls are the policies and procedures adopted by the
company for:
1. ensuring the orderly and efficient conduct of its business, including adherence to company’s policies,
2. the safeguarding of its assets,
3. the prevention and detection of frauds and errors,
4. the accuracy and completeness of the accounting records, and
5. the timely preparation of reliable financial information.
ILLUSTRATION 17
Mr. T, one of the directors of Over Careful Limited was of the view that internal financial controls have nothing to do with
accounting records of a company. Comment on the views of Mr T.
SOLUTION
Clause (e) of Sub-section 5 of Section 134 explains the meaning of internal financial controls as, “the policies and
procedures adopted by the company for ensuring the orderly and efficient conduct of its business, including adherence
to company’s policies, the safeguarding of its assets, the prevention and detection of frauds and errors, the accuracy and
completeness of the accounting records, and the timely preparation of reliable financial information.”
In view of above, viewpoint of Mr. T is incorrect.
Auditors’ Responsibility for Reporting on Internal Financial Controls over Financial Reporting in India

Clause (i) of Sub-section 3 of Section 143 of the Act requires the auditors’ report to state whether the company has
adequate internal financial controls system in place and the operating effectiveness of such controls.

It may be noted that auditor’s reporting on internal financial controls is a requirement specified in the Act and, therefore,
will apply only in case of reporting on financial statements prepared under the Act and reported under Section 143.
Accordingly, reporting on internal financial controls will not be applicable with respect to interim financial statements,
such as quarterly or half-yearly financial statements, unless such reporting is required under any other law or
regulation.

Objectives of an auditor in an audit of internal financial controls over financial reporting: The auditor’s objective
in an audit of internal financial controls over financial reporting is, “to express an opinion on the effectiveness of
the company’s internal financial controls over financial reporting.” It is carried out along with an audit of the
financial statements.
Reporting under Section 143(3)(i) is dependent on the underlying criteria for internal financial controls over financial
reporting adopted by the management. However, any system of internal controls provides only a reasonable assurance on
achievement of the objectives for which it has been established. Also, the auditor shall use the concept of materiality in
determining the extent of testing such controls.
Rule 8(5)(viii) of the Companies (Accounts) Rules, 2014 requires the board report of all companies to state the details
in respect of adequacy of internal financial controls with reference to the financial statements.
The inclusion of the matters relating to internal financial controls in the directors’ responsibility statement is in addition
to the requirement of the directors stating that they have taken proper and sufficient care for the maintenance of adequate
accounting records in accordance with the provisions of the 2013 Act for safeguarding the assets of the company and for
preventing and detecting fraud and other irregularities.

12. DIFFERENCE BETWEEN INTERNAL FINANCIAL CONTROL AND INTERNAL CONTROL OVER FINANCIAL REPORTING
Internal Financial Control as per Section 134(5)(e), “the policies and procedures adopted by the company for ensuring
the orderly and efficient conduct of its business, including adherence to company’s policies, the safeguarding of its assets,
the prevention and detection of frauds and errors, the accuracy and completeness of the accounting records, and the
timely preparation of reliable financial information.”
On the other hand, Internal Controls over Financial Reporting is required where auditors are required to express an
opinion on the effectiveness of an entity’s internal controls over financial reporting; such opinion is in addition to and
distinct from the opinion expressed by the auditor on the financial statements.
SUMMARY
Audit risk means the risk that the auditor gives an inappropriate audit opinion when the financial statements are materially
misstated. Audit risk is a function of the risks of material misstatement and detection risk. Risk of material misstatement
may be defined as the risk that the financial statements are materially misstated prior to audit. This consists of two
components: inherent risk and control risk. Inherent risk is the susceptibility of an assertion to a misstatement before
consideration of any related controls. Control risk is the risk that a misstatement that could occur in an assertion will not
be prevented, or detected and corrected, on a timely basis by the entity’s internal control.
Misstatement refers to a difference between the amount, classification, presentation, or disclosure of a reported financial
statement item and the amount, classification, presentation, or disclosure that is required for the item to be in accordance
with the applicable financial reporting framework.
The assessment of risks is a matter of professional judgment.
Detection risk refers to the risk that the procedures performed by the auditor to reduce audit risk to an acceptably low
level will not detect a misstatement that exists and that could be material, either individually or when aggregated with
other misstatements.
Audit Risk = Inherent Risk x Control Risk x Detection Risk
Objective of Auditor as per SA 315: As per SA 315 - “Identifying and Assessing the Risks of Material Misstatement through
Understanding the Entity and its Environment”, the objective of the auditor is to identify and assess the risks of material
misstatement, whether due to fraud or error, at the financial statement and assertion levels, through understanding
the entity and its environment, including the entity’s internal control, thereby providing a basis for designing and
implementing responses to the assessed risks of material misstatement. This will help the auditor to reduce the risk of
material misstatement to an acceptably low level.
As per SA-315, “Identifying and Assessing the Risk of Material Misstatement Through Understanding the Entity and
its Environment”, the internal control may be defined as “the process designed, implemented and maintained by those
charged with governance, management and other personnel to provide reasonable assurance about the achievement of an
entity’s objectives with regard to reliability of financial reporting, effectiveness and efficiency of operations, safeguarding
of assets, and compliance with applicable laws and regulations. The term “controls” refers to any aspects of one or more
of the components of internal control.”
The control environment includes the governance and management functions and the attitudes, awareness, and actions
of those charged with governance and management. The existence of a satisfactory control environment can be a positive
factor when the auditor assesses the risks of material misstatement. However, although it may help reduce the risk of
fraud, a satisfactory control environment is not an absolute deterrent to fraud.
So far as the auditor is concerned, the examination and evaluation of the internal control system is an indispensable part
of the overall audit programme. The auditor needs reasonable assurance that the accounting system is adequate and that
all the accounting information which should be recorded has in fact been recorded. Internal control normally contributes
to such assurance.
The auditor can formulate his entire audit programme only after he has had a satisfactory understanding of the internal
control systems and their actual operation.
After assimilating the internal control system, the auditor needs to examine whether and how far the same is actually in
operation. Selective testing is done by application of procedural tests and auditing in depth.
The concept of materiality is applied by the auditor both in planning and performing the audit, and in evaluating the
effect of identified misstatements on the audit and of uncorrected misstatements, if any, on the financial statements and
in forming the opinion in the auditor’s report.
As defined in scope of the Standards on Internal Audit, Internal Audit means “An independent management function,
which involves a continuous and critical appraisal of the functioning of an entity with a view to suggest improvements
thereto and add value to and strengthen the overall governance mechanism of the entity, including the entity’s strategic
risk management and internal control system”.
Clause (i) of Sub-section 3 of Section 143 of the Act requires the auditors’ report to state whether the company has adequate
internal financial controls system in place and the operating effectiveness of such controls. The auditor’s objective in an
audit of internal financial controls over financial reporting is, “to express an opinion on the effectiveness of the company’s
internal financial controls over financial reporting.” It is carried out along with an audit of the financial statements.
TEST YOUR KNOWLEDGE
Correct/Incorrect
State with reasons (in short) whether the following statements are correct or incorrect:
(i) As per section 138 of the Companies Act, 2013 private companies are not required to appoint internal auditor.
(ii) There is direct relationship between materiality and the degree of audit risk.
(iii) Control risk is the susceptibility of an account balance or class of transactions to misstatement that could be material
either individually or, when aggregated with misstatements in other balances or classes, assuming that there were no
related internal controls.
(iv) Tests of control are performed to obtain audit evidence about the effectiveness of Internal Controls Systems.
(v) Maintenance of Internal Control System is the responsibility of the Statutory Auditor.
(vi) One of the directors of Very Fresh Fruits Limited was of the view that internal auditor to be appointed must be an
employee of Very Fresh Fruits Limited.
(vii) Mr. W, one of the team members of auditor of Different Limited was of the view that understanding the Internal
Control of Different Limited will not help in developing an Audit Programme.
(viii) Information obtained by performing risk assessment procedures shall not be used by the auditor as audit evidence
to support assessments of the risks of material misstatement.
Theoretical Questions
1. “The auditor shall obtain an understanding of the major activities that the entity uses to monitor internal control over
financial reporting” Explain.
2. “Risk of material misstatement consists of two components” Explain, clearly defining risk of material misstatement.
3. “The SAs do not ordinarily refer to inherent risk and control risk separately, but rather to a combined assessment of
the “risks of material misstatement”” Explain
4. “The auditor shall obtain an understanding of the control environment” Explain stating what is included in control
environment.
5. When the auditor identifies deficiencies and reports on internal controls, he determines the significant financial statement
assertions that are affected by the ineffective controls in order to evaluate the effect on control risk assessments and
strategy for the audit of the financial statements. Explain
6. Obtaining an understanding of the entity and its environment, including the entity’s internal control, is a continuous,
dynamic process of gathering, updating and analysing information throughout the audit. Analyse and explain giving
examples.
7. Internal control over safeguarding of assets against unauthorised acquisition, use, or disposition may include controls
relating to both financial reporting and operations objectives. Explain stating clearly the objectives of Internal Control.
8. It has been suggested that actual operation of the internal control should be tested by the application of procedural
tests and examination in depth. Explain with the help of example in respect of the procedure for sales.
9. Sweet Fruits Private Limited had a turnover of ₹ 155 crore for the financial year 2019-20. Explain whether during the
financial year 2020-21, Sweet Fruits Private Limited would be required or not required to appoint an internal auditor,
keeping in view the provisions of Companies Act, 2013.
ANSWERS/SOLUTIONS
Answers to Correct/Incorrect
(i) Incorrect: Section 138 of the Companies Act, 2013 requires every private company having turnover of ₹ 200 crore or
more during the preceding financial year, or outstanding loans or borrowings from banks or public financial
institutions exceeding ₹ 100 crore or more at any point of time during the preceding financial year, to appoint an
internal auditor.
(ii) Incorrect: There is an inverse relationship between materiality and the degree of audit risk. The higher the
materiality level, the lower the audit risk and vice versa. For example, the risk that a particular account balance or
class of transactions could be misstated by an extremely large amount might be very low but the risk that it could be
misstated by an extremely small amount might be very high.
(iii) Incorrect: Inherent risk is the susceptibility of an account balance or class of transactions to misstatement that could
be material either individually or, when aggregated with misstatements in other balances or classes, assuming that
there were no related internal controls.
(iv) Correct: Tests of Control are performed to obtain audit evidence about the effectiveness of:
(a) the design of the accounting and internal control systems that is whether, they are suitably designed to prevent
or detect or correct material misstatements and
(b) the operation of the internal controls throughout the period.
(v) Incorrect: The management is responsible for maintaining an adequate accounting system incorporating various
internal controls to the extent appropriate to the size and nature of the business. Maintenance of Internal Control
System is responsibility of management because the internal control is the process designed, implemented and
maintained by those charged with governance/management to provide reasonable assurance about the achievement
of entity’s objectives.
(vi) Incorrect: As per section 138, the internal auditor shall either be a chartered accountant or a cost accountant (whether
engaged in practice or not), or such other professional as may be decided by the Board to conduct internal audit of the
functions and activities of the companies. The internal auditor may or may not be an employee of the company.
(vii) Incorrect: Understanding the Internal Control of Different Limited will help in developing an Audit Programme
because it will assist the auditor and his team to understand as to how much they can rely on internal control of the
company and what audit procedures would be appropriate to be used during the course of audit.
(viii) Incorrect: Information obtained by performing risk assessment procedures and related activities may be used by the
auditor as audit evidence to support assessments of the risks of material misstatement.
Answers to Theoretical Questions
1. Refer Para 3.
2. Refer Para 1.
3. Refer Para 1.5
4. Refer Para 3.
5. Control risk assessment when control deficiencies are identified: When the auditor identifies deficiencies and reports
on internal controls, he determines the significant financial statement assertions that are affected by the ineffective
controls in order to evaluate the effect on control risk assessments and strategy for the audit of the financial statements.
When control deficiencies are identified and the auditor identifies and tests more than one control for each relevant
assertion, he evaluates control risk considering all of the controls he has tested. If the auditor determines that they support
a ‘rely on controls’ risk assessment, or if compensating controls are identified, tested and evaluated to be effective, he
may conclude that the ‘rely on controls’ is still appropriate. Otherwise, he changes his control risk assessment to ‘not
rely on controls.’
When a deficiency relates to an ineffective control that is the only control identified for an assertion, he revises risk
assessment to ‘not rely on controls’ for associated assertions, as no other controls have been identified that mitigate
the risk related to the assertion. If the deficiency relates to one WCGW (what can go wrong) out of several WCGW’s,
he can ‘rely on controls’ but performs additional substantive procedures to adequately address the risks related to the
deficiency.
6. Obtaining an understanding of the entity and its environment, including the entity’s internal control, is a continuous,
dynamic process of gathering, updating and analysing information throughout the audit. The understanding establishes
a frame of reference within which the auditor plans the audit and exercises professional judgment throughout the
audit, for example, when:
• Assessing risks of material misstatement of the financial statements;
• Determining materiality in accordance with SA 320;
• Considering the appropriateness of the selection and application of accounting policies;
• Identifying areas where special audit consideration may be necessary, for example, related party transactions,
the appropriateness of management’s use of the going concern assumption, or considering the business purpose
of transactions;
• Developing expectations for use when performing analytical procedures;
• Evaluating the sufficiency and appropriateness of audit evidence obtained, such as the appropriateness of
assumptions and of management’s oral and written representations.
7. Objectives of Internal Control
Internal control over safeguarding of assets against unauthorised acquisition, use, or disposition may include controls
relating to both financial reporting and operations objectives. The auditor’s consideration of such controls is generally
limited to those relevant to the reliability of financial reporting. For example, use of access controls, such as passwords,
that limit access to the data and programs that process cash disbursements may be relevant to a financial statement
audit. Conversely, safeguarding controls relating to operations objectives, such as controls to prevent the excessive
use of materials in production, generally are not relevant to a financial statement audit.
Objectives of Internal Control are:
(i) transactions are executed in accordance with management’s general or specific authorization;
(ii) all transactions are promptly recorded in the correct amount in the appropriate accounts and in the accounting
period in which executed so as to permit preparation of financial information within a framework of recognized
accounting policies and practices and relevant statutory requirements, if any, and to maintain accountability for
assets;
(iii) assets are safeguarded from unauthorised access, use or disposition; and
(iv) the recorded assets are compared with the existing assets at reasonable intervals and appropriate action is taken
with regard to any differences.
8. It has been suggested that actual operation of the internal control should be tested by the application of procedural
tests and examination in depth. Procedural tests simply mean testing of the compliance with the procedures laid
down by the management in respect of initiation, authorisation, recording and documentation of transaction at each
stage through which it flows.
For example, the procedure for sales requires the following:
1. Before acceptance of any order the position of inventory of the relevant article should be known to ascertain
whether the order can be executed in time.
2. An advice under the authorisation of the sales manager should be sent to the party placing the order, stating the internal
reference number and the acceptance of the order. This advice should be prepared on a standardised form and
copy thereof should be forwarded to inventory section to enable it to prepare for the execution of the order in
time.
3. The credit period allowed to the party should be the normal credit period. For any special credit period a special
authorisation of the sales manager would be necessary.
4. The rate at which the order has been accepted and other terms about transport, insurance, etc., should be clearly
specified.
5. Before deciding upon the credit period, a reference should be made to the credit section to know the
creditworthiness of the party and particularly whether the party has honoured its commitments in the past.
9. During the financial year 2020-21, Sweet Fruits Private Limited would not be required to appoint an internal auditor
because according to Section 138 of the Companies Act, 2013 every private company having a turnover of more than
or equal to ₹ 200 crore during the preceding financial year is required to appoint an internal auditor.
It is given in the question that Sweet Fruits Private Limited during the financial year 2018-19 had a turnover of ₹ 155
crore which is less than ₹ 200 crore. Therefore, during the financial year 2020-21, Sweet Fruits Private Limited will
not be required to appoint an internal auditor.

QUESTIONS
Correct/Incorrect
State with reasons (in short) whether the following statements are correct or incorrect:
1. As per section 138 of the Companies Act, 2013 private companies are not required to appoint internal auditor.
Topic: Applicability of Provisions of Internal Audit (ICAI Study Material)
Ans. Correct: Section 138 of the Companies Act, 2013 requires every private company to appoint an internal auditor
having turnover of ₹ 200 crore or more during the preceding financial year; or outstanding loans or borrowings
from banks or public financial institutions exceeding ₹ 100 crore or more at any point of time during the preceding
financial year.
2. There is direct relationship between materiality and the degree of audit risk.
Topic: AUDIT RISK (ICAI Study Material)
Ans. Incorrect: There is an inverse relationship between materiality and the degree of audit risk. The higher the
materiality level, the lower the audit risk and vice versa. For example, the risk that a particular account balance or
class of transactions could be misstated by an extremely large amount might be very low but the risk that it could
be misstated by an extremely small amount might be very high.
3. Control risk is the susceptibility of an account balance or class of transactions to misstatement that could be
material either individually or, when aggregated with misstatements in other balances or classes, assuming that
there were no related internal controls.
Topic: AUDIT RISK (ICAI Study Material)
Ans. Incorrect: Inherent risk is the susceptibility of an account balance or class of transactions to misstatement that could
be material either individually or, when aggregated with misstatements in other balances or classes, assuming that
there were no related internal controls.
4. Tests of control are performed to obtain audit evidence about the effectiveness of Internal Controls Systems.
Topic: TESTING OF INTERNAL CONTROL (ICAI Study Material)
Ans. Correct: Tests of Control are performed to obtain audit evidence about the effectiveness of:
(a) the design of the accounting and internal control systems that is whether, they are suitably designed to prevent
or detect or correct material misstatements and
(b) the operation of the internal controls throughout the period.
5. Maintenance of Internal Control System is the responsibility of the Statutory Auditor.
Topic: INTERNAL CONTROL (ICAI Study Material)
Ans. Incorrect: The management is responsible for maintaining an adequate accounting system incorporating various
internal controls to the extent appropriate to the size and nature of the business. Maintenance of Internal Control
System is responsibility of management because the internal control is the process designed, implemented and
maintained by those charged with governance/management to provide reasonable assurance about the achievement
of entity’s objectives.
6. One of the directors of Very Fresh Fruits Limited was of the view that internal auditor to be appointed must be an
employee of Very Fresh Fruits Limited.
Topic: Internal Auditor (ICAI Study Material)
Ans. Incorrect: As per section 138, the internal auditor shall either be a chartered accountant or a cost accountant (whether
engaged in practice or not), or such other professional as may be decided by the Board to conduct internal audit of
the functions and activities of the companies. The internal auditor may or may not be an employee of the company.
7. Mr. W, one of the team members of auditor of Different Limited was of the view that understanding the Internal
Control of Different Limited will not help in developing an Audit Programme.
Topic: INTERNAL CONTROL (ICAI Study Material)
Ans. Incorrect: Understanding the Internal Control of Different Limited will help in developing an Audit Programme
because it will assist the auditor and his team to understand as to how much they can rely on internal control of the
company and what audit procedures would be appropriate to be used during the course of audit.
8. Information obtained by performing risk assessment procedures shall not be used by the auditor as audit evidence
to support assessments of the risks of material misstatement.
Topic: Audit Risk (ICAI Study Material)
Ans. Incorrect: Information obtained by performing risk assessment procedures and related activities may be used by
the auditor as audit evidence to support assessments of the risks of material misstatement.
9. “The auditor shall obtain an understanding of the major activities that the entity uses to monitor internal control
over financial reporting” Explain.
Topic: Internal Control (ICAI Study Material)
Ans. Correct: The information system, including the related business processes, relevant to financial reporting and
communication– Component of Control Environment
The auditor shall obtain an understanding of the information system, including the related business processes,
relevant to financial reporting, including the following areas:
(a) The classes of transactions in the entity’s operations that are significant to the financial statements;
(b) The procedures by which those transactions are initiated, recorded, processed, corrected as necessary,
transferred to the general ledger and reported in the financial statements;
(c) The related accounting records, supporting information and specific accounts in the financial statements that
are used to initiate, record, process and report transactions;
(d) How the information system captures events and conditions that are significant to the financial statements;
(e) The financial reporting process used to prepare the entity’s financial statements;
(f) Controls surrounding journal entries.
10. “Risk of material misstatement consists of two components” Explain, clearly defining risk of material misstatement.
Topic: IDENTIFYING AND ASSESSING THE RISKS OF MATERIAL MISSTATEMENT (ICAI Study Material)
Ans. As per SA 315 - “Identifying and Assessing the Risks of Material Misstatement through Understanding the Entity and
its Environment”, the objective of the auditor is to identify and assess the risks of material misstatement, whether due
to fraud or error, at the financial statement and assertion levels, through understanding the entity and its environment,
including the entity’s internal control, thereby providing a basis for designing and implementing responses to the
assessed risks of material misstatement. This will help the auditor to reduce the risk of material misstatement to an
acceptably low level.
The auditor shall identify and assess the risks of material misstatement at:
(a) the financial statement level
(b) the assertion level for classes of transactions, account balances, and disclosures to provide a basis for
designing and performing further audit procedures
11. “The SAs do not ordinarily refer to inherent risk and control risk separately, but rather to a combined assessment
of the “risks of material misstatement”” Explain
Topic: Combined Assessment of the Risk of Material Misstatement (ICAI Study Material)
Ans. The SAs do not ordinarily refer to inherent risk and control risk separately, but rather to a combined assessment of
the “risks of material misstatement”. However, the auditor may make separate or combined assessments of inherent
and control risk depending on preferred audit techniques or methodologies and practical considerations. The
assessment of the risks of material misstatement may be expressed in quantitative terms, such as in percentages,
or in non-quantitative terms. In any case, the need for the auditor to make appropriate risk assessments is more
important than the different approaches by which they may be made.
It can be concluded from the above that-
Risk of Material Misstatement = Inherent Risk x Control Risk .................(2)

From (1) and (2), we arrive at-
Audit Risk = Inherent Risk x Control Risk x Detection Risk

SA 315 establishes requirements and provides guidance on identifying and assessing the risks of material misstatement
at the financial statement and assertion levels.
12. When the auditor identifies deficiencies and reports on internal controls, he determines the significant financial statement
assertions that are affected by the ineffective controls in order to evaluate the effect on control risk assessments and
strategy for the audit of the financial statements. Explain
Topic: Audit Risk (ICAI Study Material)
Ans. Control risk assessment when control deficiencies are identified: When the auditor identifies deficiencies and reports on
internal controls, he determines the significant financial statement assertions that are affected by the ineffective
controls in order to evaluate the effect on control risk assessments and strategy for the audit of the financial
statements.
When control deficiencies are identified and the auditor identifies and tests more than one control for each relevant
assertion, he evaluates control risk considering all of the controls he has tested. If the auditor determines that they support
a ‘rely on controls’ risk assessment, or if compensating controls are identified, tested and evaluated to be effective,
he may conclude that the ‘rely on controls’ is still appropriate. Otherwise, he changes his control risk assessment to
‘not rely on controls.’
When a deficiency relates to an ineffective control that is the only control identified for an assertion, he revises
risk assessment to ‘not rely on controls’ for associated assertions, as no other controls have been identified that
mitigate the risk related to the assertion. If the deficiency relates to one WCGW (what can go wrong) out of several
WCGW’s, he can ‘rely on controls’ but performs additional substantive procedures to adequately address the risks
related to the deficiency.
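The decision rules in the answer above, written out as an added Python example (not part of the study material) and run over four constructed assertions. The WCGW ids, control names and sample data are hypothetical, and treating an assertion with more than one unmitigated WCGW as ‘not rely on controls’ is an assumption made here.

```python
from dataclasses import dataclass

RELY = "rely on controls"
NOT_RELY = "not rely on controls"


@dataclass(frozen=True)
class Control:
    name: str
    effective: bool             # outcome of the auditor's test of this control
    wcgws: frozenset            # WCGW ids the control is meant to address
    compensating: bool = False  # identified after a deficiency was found


def assess_control_risk(assertion_wcgws, controls):
    """Return (assessment, WCGWs needing additional substantive procedures)."""
    wcgws = frozenset(assertion_wcgws)
    if not controls:
        # Assumption: with no control identified there is nothing to rely on.
        return NOT_RELY, sorted(wcgws)
    deficient = [c for c in controls if not c.effective]
    # The only control identified for the assertion is ineffective:
    # no other control mitigates the risk, so reliance is withdrawn.
    if len(controls) == 1 and deficient:
        return NOT_RELY, sorted(wcgws)
    # Several controls tested: evaluate them together. A WCGW stays covered
    # if any effective control (primary or compensating) addresses it.
    covered = frozenset().union(*(c.wcgws for c in controls if c.effective))
    uncovered = wcgws - covered
    if not uncovered:
        return RELY, []
    # Deficiency confined to one WCGW out of several: keep reliance, but
    # address that WCGW with additional substantive procedures.
    if len(uncovered) == 1 and len(wcgws) > 1:
        return RELY, sorted(uncovered)
    return NOT_RELY, sorted(uncovered)  # assumption, see lead-in


# Constructed sample data for a sales process (hypothetical names and ids).
SAMPLE_ASSERTIONS = {
    "occurrence": (
        {"W1", "W2"},
        [Control("credit approval", True, frozenset({"W1"})),
         Control("order authorisation", False, frozenset({"W2"})),
         Control("monthly sales review", True, frozenset({"W2"}), True)],
    ),
    "cut-off": (
        {"W3"},
        [Control("dispatch-date match", False, frozenset({"W3"}))],
    ),
    "accuracy": (
        {"W4", "W5", "W6"},
        [Control("price master edit check", True, frozenset({"W4", "W5"})),
         Control("credit-limit edit check", False, frozenset({"W6"}))],
    ),
    "completeness": (
        {"W7", "W8"},
        [Control("invoice sequence check", False, frozenset({"W7"})),
         Control("dispatch reconciliation", False, frozenset({"W8"}))],
    ),
}


def assess_all(assertions):
    """Apply the rules to every assertion and return the results by name."""
    return {name: assess_control_risk(w, c) for name, (w, c) in assertions.items()}


if __name__ == "__main__":
    for name, (assessment, extra) in assess_all(SAMPLE_ASSERTIONS).items():
        print(f"{name:13} {assessment:21} additional procedures for: {extra}")
```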
13. Obtaining an understanding of the entity and its environment, including the entity’s internal control, is a continuous,
dynamic process of gathering, updating and analysing information throughout the audit. Analyse and explain giving
examples.
Topic: Internal Control (ICAI Study Material)
Ans. Obtaining an understanding of the entity and its environment, including the entity’s internal control, is a continuous,
dynamic process of gathering, updating and analysing information throughout the audit. The understanding
establishes a frame of reference within which the auditor plans the audit and exercises professional judgment
throughout the audit, for example, when:
• Assessing risks of material misstatement of the financial statements;
• Determining materiality in accordance with SA 320;
• Considering the appropriateness of the selection and application of accounting policies;
• Identifying areas where special audit consideration may be necessary, for example, related party transactions,
the appropriateness of management’s use of the going concern assumption, or considering the business
purpose of transactions;
• Developing expectations for use when performing analytical procedures;
• Evaluating the sufficiency and appropriateness of audit evidence obtained, such as the appropriateness of
assumptions and of management’s oral and written representations.
14. Internal control over safeguarding of assets against unauthorised acquisition, use, or disposition may include
controls relating to both financial reporting and operations objectives. Explain stating clearly the objectives of
Internal Control.
Topic: Objectives of Internal Control (ICAI Study Material)
Ans. Objectives of Internal Control: Internal control over safeguarding of assets against unauthorised acquisition,
use, or disposition may include controls relating to both financial reporting and operations objectives. The
auditor’s consideration of such controls is generally limited to those relevant to the reliability of financial reporting.
For example, use of access controls, such as passwords, that limit access to the data and programs that process cash
disbursements may be relevant to a financial statement audit. Conversely, safeguarding controls relating to operations
objectives, such as controls to prevent the excessive use of materials in production, generally are not relevant to a
financial statement audit.
Objectives of Internal Control are:
(i) transactions are executed in accordance with management’s general or specific authorization;
(ii) all transactions are promptly recorded in the correct amount in the appropriate accounts and in the accounting
period in which executed so as to permit preparation of financial information within a framework of
recognized accounting policies and practices and relevant statutory requirements, if any, and to maintain
accountability for assets;
(iii) assets are safeguarded from unauthorised access, use or disposition; and
(iv) the recorded assets are compared with the existing assets at reasonable intervals and appropriate action
is taken with regard to any differences.
15. It has been suggested that actual operation of the internal control should be tested by the application of procedural
tests and examination in depth. Explain with the help of example in respect of the procedure for sales.
Topic: Internal control (ICAI Study Material)
Ans. It has been suggested that actual operation of the internal control should be tested by the application of procedural
tests and examination in depth. Procedural tests simply mean testing of the compliance with the procedures laid
down by the management in respect of initiation, authorisation, recording and documentation of transaction at
each stage through which it flows.
For example, the procedure for sales requires the following:
(1) Before acceptance of any order the position of inventory of the relevant article should be known to ascertain
whether the order can be executed in time.
(2) An advice under the authorisation of the sales manager should be sent to the party placing the order, internal
reference number, and the acceptance of the order. This advice should be prepared on a standardised form
and copy thereof should be forwarded to inventory section to enable it to prepare for the execution of the order
in time.
(3) The credit period allowed to the party should be the normal credit period. For any special credit period a
special authorisation of the sales manager would be necessary.
(4) The rate at which the order has been accepted and other terms about transport, insurance, etc., should be
clearly specified.
(5) Before deciding upon the credit period, a reference should be made to the credit section to know the
creditworthiness of the party and particularly whether the party has honoured its commitments in the past.
16. Sweet Fruits Private Limited had a turnover of ₹ 155 crore for the financial year 2019-20. Explain whether during
the financial year 2020-21, Sweet Fruits Private Limited would be required or not required to appoint an internal
auditor, keeping in view the provisions of Companies Act, 2013.
Topic:- Internal auditor (ICAI Study Material)
Ans. During the financial year 2020-21, Sweet Fruits Private Limited would not be required to appoint an internal auditor
because according to Section 138 of the Companies Act, 2013 every private company having a turnover of more than
or equal to ₹ 200 crore during the preceding financial year is required to appoint an internal auditor.
It is given in the question that Sweet Fruits Private Limited during the financial year 2019-20 had a turnover of ₹
155 crore, which is less than ₹ 200 crore. Therefore, during the financial year 2020-21, Sweet Fruits Private Limited
will not be required to appoint an internal auditor.
17. It has been suggested that actual operation of the internal control should be tested by the application of procedural
tests and examination in depth. Explain with the help of example in respect of the procedure for sales.
Topic: TESTING OF INTERNAL CONTROL (ICAI Study Material)
Ans. (a) It has been suggested that actual operation of the internal control should be tested by the application of procedural
tests and examination in depth. Procedural tests simply mean testing of the compliance with the procedures laid
down by the management in respect of initiation, authorisation, recording and documentation of transaction
at each stage through which it flows.
For example, the procedure for sales requires the following:
1. Before acceptance of any order the position of inventory of the relevant article should be known to ascertain
whether the order can be executed in time.
2. An advice under the authorisation of the sales manager should be sent to the party placing the order, internal
reference number, and the acceptance of the order. This advice should be prepared on a standardised form and
copy thereof should be forwarded to inventory section to enable it to prepare for the execution of the order in
time.

3. The credit period allowed to the party should be the normal credit period. For any special credit period a
special authorisation of the sales manager would be necessary.
4. The rate at which the order has been accepted and other terms about transport, insurance, etc., should be
clearly specified.
5. Before deciding upon the credit period, a reference should be made to the credit section to know the
creditworthiness of the party and particularly whether the party has honoured its commitments in the past.
17. Briefly discuss the limitations of Internal Control.
Topic: INTERNAL CONTROL (ICAI Study Material)
Ans. (b) Limitations of Internal Control:
(i) Internal control can provide only reasonable assurance: Internal control, no matter how effective, can provide
an entity with only reasonable assurance about achieving the entity’s financial reporting objectives. The
likelihood of their achievement is affected by inherent limitations of internal control.
(ii) Human judgment in decision-making: These limitations include the realities that human judgment in decision-making
can be faulty and that breakdowns in internal control can occur because of human error.
(iii) Lack of understanding the purpose: Equally, the operation of a control may not be effective, such as where
information produced for the purposes of internal control (for example, an exception report) is not effectively
used because the individual responsible for reviewing the information does not understand its purpose or fails
to take appropriate action.
(iv) Collusion among People: Additionally, controls can be circumvented by the collusion of two or more people
or inappropriate management override of internal control. For example, management may enter into side
agreements with customers that alter the terms and conditions of the entity’s standard sales contracts, which
may result in improper revenue recognition. Also, edit checks in a software program that are designed to
identify and report transactions that exceed specified credit limits may be overridden or disabled.
(v) Judgements by Management: Further, in designing and implementing controls, management may make
judgments on the nature and extent of the controls it chooses to implement, and the nature and extent of the
risks it chooses to assume.
(vi) Limitations in case of Small Entities: Smaller entities often have fewer employees due to which segregation
of duties is not practicable. However, in a small owner-managed entity, the owner-manager may be able to
exercise more effective oversight than in a larger entity. This oversight may compensate for the generally more
limited opportunities for segregation of duties. On the other hand, the owner-manager may be more able to
override controls because the system of internal control is less structured. This is taken into account by the
auditor when identifying the risks of material misstatement due to fraud.
18. The division of internal control into five components provides a useful framework for auditors to consider how
different aspects of an entity’s internal control may affect the audit. Mention those components of internal control.
Topic: INTERNAL CONTROL (ICAI Study Material)
Ans. Division of Internal Control into Components: The division of internal control into the following five components
provides a useful framework for auditors to consider how different aspects of an entity’s internal control may affect
the audit:
(i) The control environment;
(ii) The entity’s risk assessment process;
(iii) Monitoring of controls;
(iv) Control activities; and
(v) The information system, including the related business processes, relevant to financial reporting, and
communication.
19. Define Monitoring of Controls and in respect of monitoring of controls, answer the following questions:
(i) How monitoring of controls would be helpful in assessing the effectiveness of controls?
(ii) How can management accomplish monitoring of controls?
(iii) What is included in the Management’s monitoring activities?
Topic: Monitoring of controls (ICAI Study Material)

Ans. Monitoring of controls Defined: Monitoring of controls is a process to assess the effectiveness of internal control
performance over time.
(i) Helps in assessing the effectiveness of controls on a timely basis: It involves assessing the effectiveness of
controls on a timely basis and taking necessary remedial actions.
(ii) Management accomplishes through ongoing activities, separate evaluations etc.: Management accomplishes
monitoring of controls through ongoing activities, separate evaluations, or a combination of the two. Ongoing
monitoring activities are often built into the normal recurring activities of an entity & include regular
management and supervisory activities.
(iii) Management’s monitoring activities include: Management’s monitoring activities may include using information
from communications from external parties such as customer complaints and regulator comments that may
indicate problems or highlight areas in need of improvement.
20. Explain the matters which should be included for factors relevant to the auditors’ judgement about whether a control
is relevant to the audit.
Topic: Internal Control (ICAI Study Material)
Ans. Controls Relevant to the Audit: Factors relevant to the auditor’s judgment about whether a control, individually or
in combination with others, is relevant to the audit may include such matters as the following:
(i) Materiality.
(ii) The significance of the related risk.
(iii) The size of the entity.
(iv) The nature of the entity’s business, including its organisation and ownership characteristics.
(v) The diversity and complexity of the entity’s operations.
(vi) Applicable legal and regulatory requirements.
(vii) The circumstances and the applicable component of internal control.
(viii) The nature and complexity of the systems that are part of the entity’s internal control, including the use of
service organisations.
(ix) Whether, and how, a specific control, individually or in combination with others, prevents, or detects and
corrects, material misstatement.
21. The review of internal controls will enable the auditor to know the areas where control is weak. Explain stating
clearly the benefits of evaluation of internal control to the auditor.
Topic: Evaluation of Internal Control to the Auditor (ICAI Study Material)
Ans. Benefits of Evaluation of Internal Control to the Auditor
The review of internal controls will enable the auditor to know:
(i) whether errors and frauds are likely to be located in the ordinary course of operations of the business;
(ii) whether an adequate internal control system is in use and operating as planned by the management;
(iii) whether an effective internal auditing department is operating;
(iv) whether any administrative control has a bearing on his work (for example, if the control over worker
recruitment and enrolment is weak, there is a likelihood of dummy names being included in the wages sheet
and this is relevant for the auditor);
(v) whether the controls adequately safeguard the assets;
(vi) how far and how adequately the management is discharging its function in so far as correct recording of
transactions is concerned;
(vii) how reliable the reports, records and the certificates to the management can be;
(viii) the extent and the depth of the examination that he needs to carry out in the different areas of accounting;
(ix) what would be appropriate audit technique and the audit procedure in the given circumstances;
(x) what are the areas where control is weak and where it is excessive; and
(xi) whether some worthwhile suggestions can be given to improve the control system.
22. Generally, IT benefits an entity’s internal control by enabling an entity to enhance the timeliness, availability, and
accuracy of information. Discuss explaining the other relevant points in the above context.

Topic: INTERNAL CONTROL AND IT ENVIRONMENT (ICAI Study Material)
Ans. Generally, IT benefits an entity’s internal control by enabling an entity to:
(i) Consistently apply predefined business rules and perform complex calculations in processing large volumes of
transactions or data;
(ii) Enhance the timeliness, availability, and accuracy of information;
(iii) Facilitate the additional analysis of information;
(iv) Enhance the ability to monitor the performance of the entity’s activities and its policies and procedures;
(v) Reduce the risk that controls will be circumvented; and
(vi) Enhance the ability to achieve effective segregation of duties by implementing security controls in applications,
databases, and operating systems.
23. While conducting the audit of Smart TV Ltd, the engagement team of HTR & Co has considered materiality and audit
risk throughout the audit. Discuss, explaining the meaning of audit risk.
Topic: Audit Risk (ICAI Study Material)
Ans. Audit risk is the risk that the auditor expresses an inappropriate audit opinion when the financial statements are
materially misstated. Audit risk is a function of the risks of material misstatement and detection risk. Materiality
and audit risk are considered throughout the audit, in particular, when:
(a) Identifying and assessing the risks of material misstatement;
(b) Determining the nature, timing and extent of further audit procedures; and
(c) Evaluating the effect of uncorrected misstatements, if any, on the financial statements and in forming the
opinion in the auditor’s report.
24. Saburi Textile Ltd is an established player in the textile manufacturing sector. It has developed strong internal controls
in almost every area. It has appointed you as an Internal Audit team head. Internal audit has a very strong relation
with internal control of the company. Internal Audit analyses the effectiveness with which the internal control of the
company is operating and also makes suggestions for improvement in that internal control. Explain stating clearly
activities relating to Internal Control.
Topic: Internal Control (ICAI Study Material)
Ans. The objectives and scope of internal audit functions typically include assurance and consulting activities designed to
evaluate and improve the effectiveness of the entity’s governance processes, risk management and internal control
such as the activities Relating to Internal Control:
(i) Evaluation of internal control: The internal audit function may be assigned specific responsibility for reviewing
controls, evaluating their operation and recommending improvements thereto. In doing so, the internal audit
function provides assurance on the control. For example, the internal audit function might plan and perform
tests or other procedures to provide assurance to management and those charged with governance regarding
the design, implementation and operating effectiveness of internal control, including those controls that are
relevant to the audit.
(ii) Examination of financial and operating information: The internal audit function may be assigned to review
the means used to identify, recognize, measure, classify and report financial and operating information, and to
make specific inquiry into individual items, including detailed testing of transactions, balances and procedures.
(iii) Review of operating activities: The internal audit function may be assigned to review the economy, efficiency
and effectiveness of operating activities, including nonfinancial activities of an entity.
(iv) Review of compliance with laws and regulations: The internal audit function may be assigned to review
compliance with laws, regulations and other external requirements, and with management policies and
directives and other internal requirements.
Internal audit has a very strong relation with internal control of a company. Internal Audit analyzes the
effectiveness with which the internal control of a company is operating and also makes suggestions for
improvement in that internal control.
25. Z Ltd. is a manufacturer of ready-made garments. During the year 2021-22, they have opened two new branches
and there is a substantial increase in their sales. The management has appointed CA R to review the internal control
system of the company as they feel that there are lapses in the control environment of the company. What is included
in the control environment and what will the auditor evaluate in order to obtain an understanding of the control
environment?
Topic: Internal Control (ICAI Study Material)
Ans. Control Environment:
The control environment includes:
[i] the governance and management functions and
[ii] the attitudes, awareness, and actions of those charged with governance and management.
[iii] the control environment sets the tone of an organization, influencing the control consciousness of its people.
The auditor shall obtain an understanding of the control environment. As part of obtaining this understanding,
the auditor shall evaluate whether:
(a) Management has created and maintained a culture of honesty and ethical behavior; and
(b) The strengths in the control environment elements collectively provide an appropriate foundation for the
other components of internal control.
26. ABC Ltd. has many divisions and branches across the country. They have an internal control system which is well
established and maintained by the management on a regular basis. Explain the meaning of internal control as per SA-315
and also state the benefits of understanding the internal controls of a company.
Topic: Internal Control (ICAI Study Material)
Ans. Meaning and benefits of understanding Internal Control:
Meaning of Internal Control: As per SA-315, “Identifying and Assessing the Risk of Material Misstatement Through
Understanding the Entity and its Environment”, the internal control may be defined as “the process designed,
implemented and maintained by those charged with governance, management and other personnel to provide
reasonable assurance about the achievement of an entity’s objectives with regard to reliability of financial reporting,
effectiveness and efficiency of operations, safeguarding of assets, and compliance with applicable laws and
regulations. The term “controls” refers to any aspects of one or more of the components of internal control.”
Benefits of Understanding of Internal Control: An understanding of internal control assists the auditor in:
(i) identifying types of potential misstatements;
(ii) identifying factors that affect the risks of material misstatement, and
(iii) designing the nature, timing, and extent of further audit procedures.
27. Internal audit not only analyses the effectiveness with which the internal control of a company is operating but also
improves the effectiveness of internal control. Elucidate the statement.
Topic:- Internal audit function (ICAI Study Material)
Ans. Improvement in Effectiveness of Internal Control: Internal Audit means “An independent management function, which
involves a continuous and critical appraisal of the functioning of an entity with a view to suggest improvements thereto
and add value to and strengthen the overall governance mechanism of the entity, including the entity’s strategic risk
management and internal control system”.
Activities Relating to Internal Control:
(i) Evaluation of internal control: The internal audit function may be assigned specific responsibility for reviewing
controls, evaluating their operation and recommending improvements thereto. In doing so, the internal audit
function provides assurance on the control. For example, the internal audit function might plan and perform
tests or other procedures to provide assurance to management and those charged with governance regarding
the design, implementation and operating effectiveness of internal control, including those controls that are
relevant to the audit.
(ii) Examination of financial and operating information: The internal audit function may be assigned to review the
means used to identify, recognize, measure, classify and report financial and operating information, and to
make specific inquiry into individual items, including detailed testing of transactions, balances and procedures.
(iii) Review of operating activities: The internal audit function may be assigned to review the economy, efficiency
and effectiveness of operating activities, including non-financial activities of an entity.
(iv) Review of compliance with laws and regulations: The internal audit function may be assigned to review
compliance with laws, regulations and other external requirements, and with management policies and
directives and other internal requirements.
Therefore, one of the important aspects of internal audit is not only to evaluate internal control system of an
organization but also to suggest improvements for adding value and strengthening it.

28. State with reasons whether the following statements are correct or incorrect.
Topic: INTERNAL CONTROL (ICAI Study Material)
Ans. Internal control cannot eliminate risk of material misstatements in the financial statements.
Correct: Control risk is a function of the effectiveness of the design, implementation and maintenance of internal
control by management. However, internal control can only reduce but not eliminate risks of material misstatement
in the financial statements. This is because of the inherent limitations of internal control.
There is possibility of human errors or mistakes, or of controls being circumvented by collusion. Accordingly, some
control risk will always exist.

Audit Risk = Risk that auditor gives an → Inappropriate Audit opinion → When F.S. are MM
Auditor may fail to express an appropriate opinion in an Audit Engagement
Audit Risk = RoMM × Detection Risk
RoMM = Risk that F.S. are MM → prior to Audit
Audit Risk = Inherent Risk (A) × Control Risk (B) × Detection Risk (C), where RoMM = (A) × (B)

(A) Inherent Risk = The susceptibility of an assertion about CoT / A/c. Balance / Disclosure → To a Misstatement → That could be material → Individually / Aggregate

(B) Control Risk = The Risk that a Misstatement could occur → In an assertion → about CoT / A/c. Balance / Disclosure → That could be Material → Individually / with other misstatements → Will not be Prevented (P) / Detected (D) / Corrected (C) on a timely manner
• It is a function of Effectiveness of Design / Implementation of I.C. by Mgt.
• It can Reduce But not eliminate → RoMM → Due to ‘Inherent Limitations of I.C.’

(C) Detection Risk = Risk that procedures performed by Auditor → To Reduce Risk → To an Acceptably low level → Will not detect a Misstatement → CoT Material → Individually / Aggregate

• Assessment of Risk → Matter of Professional Judgement → Based on Audit procedure → To obtain Info. / Evidence

• Audit Risk does not include:
(i) Risk that → Auditor might express an opinion → F.S. are MM → when they are not (Ordinarily insignificant)
(ii) Risk such as → Loss from litigation / Adverse publicity / Other elements

• RoMM at 2 Levels
Overall F.S. Level → Relate pervasively to F.S. as a whole + Potentially affect many assertions
Assertion Level for CoT / A/c. Balance / Disclosure → Assessed to determine N.T.C. of further Audit procedures → Enables the Auditor to Express an opinion → At an Acceptably low Level of Audit Risk

• When making Control Risk Assessment → Consider:
(i) The control Environment’s influence over I.C.
A Control Env. That supports P / D / C of MM → allows greater confidence → In reliability of I.C., A.E. generated within the Entity
• However → It does not guarantee → the effectiveness of specific control
• We test the operating effectiveness of control → over → Significant CoT
• MM → may undermine effectiveness of specific control + is a key factor in over control Risk Assessment
(ii) Evaluation of related IT process → that support → Application / IT dependent Manual control
(iii) Our testing approach over → Significant CoT / Disclosure Process
(iv) The expectation of operating effectiveness of controls → Based on understanding of Entity’s process
Control Risk Assessment → When control Deficiencies are Identified → by Auditor (controls Are ineffective + Report on I.C.)
(i) When control deficiencies are identified → by Auditor → Tests more than one control for each relevant assertion → Auditor Evaluates control Risk considering all of the controls he has tested
(ii) If Auditor determines that they support a → ‘Rely on controls’ Risk Assessment → Compensatory controls are Identified / Tested / Evaluated → Auditor may conclude that ‘Rely on Controls’ is still appropriate → otherwise we change the risk assessment to → ‘Not to rely on controls’
(iii) When deficiencies relate to an Ineffective Control → that is the only control identified for an assertion (i.e. no other controls have been identified that mitigate the risk related to the assertion) → He revises Risk assessment to → ‘Not to Rely on Controls’ → for associated assertion only
If deficiencies relate to → 1 ‘what could go wrong (WCGW)’
• Out of several WCGW → He can ‘Rely on controls’
• But perform Additional Audit procedures → To adequately assess Risk → Related to deficiency

IDENTIFYING AND ASSESSING THE RISKS OF MATERIAL MISSTATEMENT

SA-315 “Identifying & Assessing the RoMM through understanding the Entity & its Environment”
Objective of Auditor
Identifying + Assessing → RoMM → due to F/E → A.E. → F.S. → Assertion → Level (CoT / A/c. Balance / Disclosure) → through → Understanding Entity / Environment / I.C.
• Thereby providing a basis for → Designing → Implementing → Responses (SA 330) → to the assessed RoMM
It will help Auditor to → Reduce RoMM → At acceptably low level
• R.A.P. → The Audit procedure performed → To achieve the objectives of SA-315
• Provide a basis for → Identification → Assessment → of RoMM @ → FS → Assertion → Level
• However → by themselves → Do not provide → Suff + Appro A.E. → To Base the Audit opinion
Info obtained by performing R.A.P. / Related Activities → May be used by Auditor as A.E. → about CoT / A/c. Balance / Disclosure / Related Assertions / Operating Effectiveness of Control → To support assessment of RoMM → Even though R.A.P. were not specifically planned as Substantive procedures

• Inclusions of R.A.P.
(a) Inquiries of → Mgt. → Others → within the Entity → who in Auditor’s Judgement → may have info. That is
likely to assist in → Identifying RoMM → due to F/E
(b) Analytical procedures → May help in Identifying → Unusual transaction / Events / Amounts / Ratios / Trends → That might indicate matters that have audit implications
• Unusual transactions may help in identifying RoMM → due to F/E
(c) Observation + Inspection

UNDERSTANDING OF THE ENTITY- A CONTINUOUS PROCESS

• Understanding the Entity → A continuous + Dynamic Process → By Gathering / Updating / Analysing Information → Through Audit
The required understanding of the Entity / Environment / I.C.

THE REQUIRED UNDERSTANDING OF THE ENTITY AND ITS ENVIRONMENT, INCLUDING THE ENTITY’S INTERNAL CONTROL
• The Auditor shall obtain an understanding of
(i) Relevant Industry / Regulatory / External Factors + app F.R.F.
(ii) Entity’s → Nature / Operations / Ownership & Governance / Types of Investment / Financial structure
(iii) Entity’s → Selection → Application → of A/c. Policies + Reasons for As
(iv) Entity’s → Objectives → Strategies
(v) The → Measurement → Review → of F.S.

INTERNAL CONTROL
Internal Control (I.C.)
As per SA-315 → The process Designed / Implemented / Maintained by Mgt. / TCWG / Other Personnel → To provide R.A. about achievement of Entity’s objectives:
Reliability of financial Reporting / Eff. & Eff. Of operations / Safeguarding of Assets / Compliance with laws & Regulations

The Entity’s Internal Control
The Entity’s I.C. → Auditor shall obtain an understanding
→ It is a matter of Auditor’s professional Judgement → Whether a control → Individual / In combination with others → is effective
Benefit of understanding IC
Identifying types of Potential Misstatements / Identifying factors That affect RoMM / Designing N.E.T. of further Audit procedures
An indispensable part of overall Audit programme
Benefits : Whether
(i) F/E are likely to be located ↓ in the ordinary course of operations
(ii) Adequate I.C. system is in use + operating as planned
(iii) An Effective Internal Auditing Department is operating
(iv) Any administrative control ↓ has a bearing on his work
(v) The controls adequately safeguards the assets etc.
Various aspects of internal control
Various aspects of I.C.
(A) General Nature & Characteristics of I.C.
(i) Purpose of I.C.
I.C. → Designed / Implemented / Maintained → To address Identified Business Risk → That threaten the achievement of any of the Entity’s objectives
(ii) Limitations of I.C.
(i) Only R.A.
(ii) Human Judgement in Decision Making
(iii) Lack of understanding of purpose
(iv) Collusion among people
(v) Judgement by Mgt.
(vi) Limitations in case of small Entities
(B) Controls Relevant to Audit
(i) Materiality
(ii) Significance of Related Risk
(iii) Size of Entity
(iv) Nature of Business
(v) Organisational & Ownership Characteristics
(vi) Diversity & Complexity
(vii) Applicable → Legal / Regulatory → Requirements
(viii) Circumstances & Applicable component of IC
(ix) Nature & complexity of systems
(x) How a specified control
(C) Nature & Extent of the understanding of Relevant controls
(i) Evaluating the design of a control → Involves → Considering whether the controls → Individually → In combinations with other control → is capable of Effective → P / D / C → MM
(ii) R.A.P → to obtain A.E. → about → Design → Implementation → of various control → may include
– Inquiring → Entity’s personnel
– Observing → application of specific control
– Inspecting → Document & Record
– Tracing → transactions → system
(iii) Obtaining an understanding → of Entity’s control → Not sufficient to test their ‘operating Effectiveness’ → Unless
there are some ‘Automation’ that provides for → consistent operation of control
(D) Components of I.C.
(i) The control Environment
– Governance & Management function
– Attitude, Awareness & Actions of Mgt. / TCWG
– Sets the tone of organisation → Influencing control consciousness of people
(ii) Entity’s R.A.P.
– Identifying Business Risk relevant to financial reporting objectives
– Estimating significance of Risk
– Assessing the likelihood of their occurrence
– Deciding about actions to address those risks
(iii) The Info. System → obtain understanding of
– CoT
– Procedures of I.R.P.R.
– Supporting A/c. Info.
– Financial Reporting process
I → Initiated, R → Recorded, P → Processed, R → Reported
(iv) Control Activities → Relevant to → Significant Risk → As per Auditor → Identified by R.A.P.
(v) Monitoring → helps in assessing → effectiveness of control → on timely basis
Understanding I.C.
→ Formulate Audit programme → After

Nature & Extent of Audit programme
↓ Actual operation
Is substantially influenced by I.C. system in operation
EVALUATION OF INTERNAL CONTROL BY THE AUDITOR
Method of Evaluation of I.C.
– Narrative Record → Complete & Exhaustive description of System → As found in operation by Auditor
– Check List → Series of Instruction & / or questions → Auditing staff must follow
– Questionnaire → Comprehensive series of questions → Concerning I.C.
– Flow Chart → A graphic presentation of each part of Co’s System of I.C.

Testing of I.C. → How far I.C. is actually in operation?
On selective basis → done by → Application of procedural test / Auditing in depth
→ ToC are performed → to obtain A.E. → about effectiveness of
– Design of A/c. & I.C. System → i.e. whether they are suitably designed to → P / D / C → MM
– operation of I.C. → through the audit
ToC may include
(1) Inspection → of Document supporting transactions & other events to gain A.E. → that I.C. has operated properly.
(2) Inquiries + observation → about I.C. → which leaves → No Audit trail
(3) Reperformance → involves the Auditor’s Independent execution of → Procedures / Controls → That were originally framed
(4) Testing → of I.C. → operating on specified computerized application OR over the overall Infor. Technology function

INTERNAL CONTROL AND IT ENVIRONMENT


I.C. and I.T. Environment

All entity’s system of I.C. → Contains → Manual → Automated → Elements
Characteristics
(i) Control in manual & IT System
The use of → Manual / Automated → Elements → affect the manner in which transactions are → I R P R
Controls in Manual
• Such procedures are approved + Review of transactions + Reconciliations + Follow up on Reconciling items
• May use Automated procedures to I.R.P.R. transactions → In which case, electronic format replaces paper document
Controls in IT System
• Combination of → Manual → Automated → Controls
• Manual controls may be
– Independent of IT
– Use of Info. Produced by IT
– Be limited to monitoring effective functioning of → IT / Automated
• Handling exceptions
(ii) Combination varies with → Nature → Complexity → of Entity’s use of IT
(iii) Generally IT enables an entity to :
(1) Constantly apply → Pre-defined business rules
(2) Enhance → Timeliness / Availability / Accuracy → Of Info.
(3) Facilitates → Additional analysis of Info.
(4) Enhance → ability to monitor → Performance / Policies / Procedures
(5) Reduce → ability to achieve → Effective segregation of Duties → Through Security Controls
(iv) IT poses specific Risk to Entity’s I.C.
(1) Reliance → Over → Systems / Programs → That are
– Inaccurately processing Data
– Processing Inaccurate Data
– Both
(2) Unauthorized access to data → may result in
– Destruction of Data
– Improper D to Data → Recording of → Unauthorized / Non-Existent → Transactions
– Inaccurately recording of transaction
(3) Possibility of IT person → gaining access privileges beyond requirement


(4) Unauthorized → to data in master file
(5) Unauthorized → to → Systems → Programs
(6) Inappropriate manual intervention
(7) Potential loss of Data
(8) Inability to access data as required
(v) Suitability → Manual Elements more suitable → where → Judgements / Discretion → Are required
(vi) Reliability → Manual less reliable → as they can be easily → By-passed / Ignored / Over-ridden / Prone to simple error / mistake
(vii) Nature of Entity’s Info. System
Manual or IT elements are established → according to Entity’s Info. System
MATERIALITY AND AUDIT RISK
Materiality & Audit Risk → are considered throughout audit → Particularly when
– Identifying & Assessing RoMM (SA.315)
– Determining N.E.T of further audit procedures (SA-330)
– Evaluating the effect of Uncorrected misstatements on → F.S. / Forming opinion in Auditors Report

DOCUMENTING THE RISK


Documenting the Risk
– Discussion among Engagement team & Significant decision Reached
– Key Elements of Understanding of → Entity / Environment / I.C. / Source of Info. / R.A.P
– Identified & Assessed RoMM @ → F.S. / Assertion → Level
– The risk of → Identified → Related Control

INTERNAL AUDIT
As defined by standards on Internal Audit (SIA)

Internal Audit means
An Independent Mgt. Function → which involves → critical →Continuous →Appraisal →of functioning of an entity →
with a view to

Suggest Improvement / Add value to & Strengthen → Overall Mechanism of Entity → Including → Entity’s strategic Risk Mgt. / I.C. System

Applicable provisions of Internal Audit


As per Sec. 138 of the companies Act. 2013
↓ Individual Firm

The following class of companies shall be required to appoint Internal Auditor

Unlisted T/O > ₹ 200 crore


Listed Co. Private Co.
Public Co.

O/S or
Borrowings ≥ ₹ 100
O/S Loans + crore at any time
Paid up share capital Borrowings > ₹ 100 O/s. Deposit > ₹ 25 ↑
T/O. ≥ ₹ 50 crore
≥ ₹ 50 crore Crore at any time → crore at any time
Banks or F.I.
Banks or FI
In the Preceding F.Y.
→ Existing Company → Should comply within 6 months from commencement of such section
→ Eligibility for appointment → CA / CMA / Professional (Decided by BOD) → (Employee / not)

→ Internal Audit Functions → Activities relating to → Risk Management / Governance / Internal Control (IC)
– Evaluation of I.C.
– Examination of financial & operating Info.
– Review of operating Activities
– Review of compliance with → Laws / Regulations

Basics of SIA issued by ICAI
→ Constituted a ‘committee on internal Audit’ (CIA)
→ As a non-standing committee of Feb. 5, 2004
→ Constituted with an object of formulating → Standards & Guidance Notes on Internal Audit
→ Known as → Internal Audit standard Board (IASB)
→ Issued 13 SIA
→ Will become mandatory from such date as notified
Basics of Internal Financial Control (IFC) and Reporting Requirements
→ As per Sec. 134 (5) (e) of the companies Act, 2013

IFC means → The P & P → adopted by the Co. for ensuring → Orderly / Effective → Conduct of Business → Including
– Adherence to Co. Policy
– Safeguarding of Assets
– P & D of F/E
– Accuracy & completeness of Accounting Records
– Timely preparation of Reliable financial Information

→ Sec. 143(3)(i) → Requires Auditor’s Report to state whether Co. had → Adequate IFC in place / The operating effectiveness of such control
→ Reporting on IFC → not applicable to
– Interim F.S. → Quarterly → Half-Yearly → as sec. 143 applies to Final F.S.
+
– Private Co. → Small Co. / OPC / T/o. < ₹ 50 Crore / O/s. Borrowings < ₹ 25 crore

→ Rule 8(5)(viii) of the companies (Accounts) Rules, 2014 → Requires BOD Report of all companies → To State in Detail → Adequacy of IFC with regard to F.S
