Chapter 4

The document discusses audit risk and how it relates to the risk of material misstatement and detection risk. It also covers understanding the entity, identifying and assessing risks of material misstatement, and internal control objectives and benefits.

Uploaded by

Rupesh Singh

CHAPTER-4 RISK ASSESSMENT AND INTERNAL CONTROL

AUDIT RISK
Audit risk means the risk that the auditor gives an inappropriate audit opinion when the financial
statements are materially misstated. Thus, it is the risk that the auditor may fail to express an appropriate
opinion in an audit assignment.

Audit Risk = Risk of Material Misstatement x Detection Risk

Risk of material misstatement may be defined as the risk that the financial statements are materially
misstated prior to audit. This consists of two components, described as follows at the assertion level:

(a) Inherent risk—The susceptibility of an assertion about a class of transaction, account balance or
disclosure to a misstatement that could be material, either individually or when aggregated with other
misstatements, before consideration of any related controls.
(b) Control risk—The risk that a misstatement that could occur in an assertion about a class of transaction,
account balance or disclosure and that could be material, either individually or when aggregated with
other misstatements, will not be prevented, or detected and corrected, on a timely basis by the entity’s
internal control.
Misstatement refers to a difference between the amount, classification, presentation, or disclosure of a
reported financial statement item and the amount, classification, presentation, or disclosure that is required
for the item to be in accordance with the applicable financial reporting framework. Misstatements can arise
from error or fraud.

What is not included in Audit Risk?


(i) Audit risk does not include the risk that the auditor might express an opinion that the financial statements
are materially misstated when they are not. This risk is ordinarily insignificant.
(ii) Further, audit risk is a technical term related to the process of auditing; it does not refer to the auditor’s
business risks such as loss from litigation, adverse publicity, or other events arising in connection with
the audit of financial statements.

Risks of Material Misstatement at Two levels


(i) The overall financial statement level- Risks of material misstatement at the overall financial statement level
refer to risks of material misstatement that relate pervasively to the financial statements as a whole and
potentially affect many assertions.
(ii) The assertion level for classes of transactions, account balances, and disclosures- Risks of material
misstatement at the assertion level are assessed in order to determine the nature, timing, and extent of further
audit procedures necessary to obtain sufficient appropriate audit evidence. This evidence enables the auditor to
express an opinion on the financial statements at an acceptably low level of audit risk.

Detection risk: The risk that the procedures performed by the auditor to reduce audit risk to an acceptably
low level will not detect a misstatement that exists and that could be material, either individually or when
aggregated with other misstatements.

IDENTIFYING AND ASSESSING THE RISKS OF MATERIAL MISSTATEMENT

Identify and assess the risks of material misstatement


(i) The auditor shall identify and assess the risks of material misstatement at:
(a) the financial statement level
(b) the assertion level for classes of transactions, account balances, and disclosures to provide a
basis for designing and performing further audit procedures
(ii) For the purpose of identifying and assessing the risks of material misstatement, the auditor shall:
(a) Identify risks throughout the process of obtaining an understanding of the entity and its
environment, including relevant controls that relate to the risks, and by considering the classes of
transactions, account balances, and disclosures in the financial statements;
(b) Assess the identified risks, and evaluate whether they relate more pervasively to the financial
statements as a whole and potentially affect many assertions;
(c) Relate the identified risks to what can go wrong at the assertion level, taking account of relevant
controls that the auditor intends to test; and
(d) Consider the likelihood of misstatement, including the possibility of multiple misstatements, and
whether the potential misstatement is of a magnitude that could result in a material misstatement.

Risk Assessment Procedures


Definition: The audit procedures performed to obtain an understanding of the entity and its environment,
including the entity’s internal control, to identify and assess the risks of material misstatement, whether due
to fraud or error, at the financial statement and assertion levels.
• Risk assessment procedure - a basis for the identification and assessment of risks of material misstatement
at the financial statement and assertion levels.
• Information obtained by performing risk assessment procedures - Used as audit evidence.
• The risks to be assessed include both those due to error and those due to fraud.
What is included in Risk Assessment Procedures?
The risk assessment procedures shall include the following:
(a) Inquiries of management and of others within the entity who in the auditor’s judgment may have
information that is likely to assist in identifying risks of material misstatement due to fraud or error.
(b) Analytical procedures.
(c) Observation and inspection.
Example of Inquiries

• Inquiries directed towards those charged with governance may help the auditor understand the
environment in which the financial statements are prepared.
• Inquiries directed toward internal audit personnel may provide information about internal audit
procedures performed during the year relating to the design and effectiveness of the entity’s internal
control and whether management has satisfactorily responded to findings from those procedures.
• Inquiries of employees involved in initiating, processing or recording complex or unusual
transactions may help the auditor to evaluate the appropriateness of the selection and application of
certain accounting policies.
• Inquiries directed toward in-house legal counsel may provide information about such matters as
litigation, compliance with laws and regulations, knowledge of fraud or suspected fraud affecting
the entity, warranties, post-sales obligations, arrangements (such as joint ventures) with business
partners and the meaning of contract
• Inquiries directed towards marketing or sales personnel may provide information about changes in
the entity’s marketing strategies, sales trends, or contractual arrangements with its customers.
• Inquiries directed to the risk management function (or those performing such roles) may provide
information about operational and regulatory risks that may affect financial reporting.
• Inquiries directed to information systems personnel may provide information about system changes,
system or control failures, or other information system-related risks.

UNDERSTANDING OF THE ENTITY- A CONTINUOUS PROCESS


Obtaining an understanding of the entity and its environment, including the entity’s internal control (referred
to hereafter as an “understanding of the entity”), is a continuous, dynamic process of gathering, updating
and analysing information throughout the audit. The understanding establishes a frame of reference within
which the auditor plans the audit and exercises professional judgment throughout the audit, for example, when:
• Assessing risks of material misstatement of the financial statements;
• Determining materiality in accordance with SA 320;
• Considering the appropriateness of the selection and application of accounting policies;
• Identifying areas where special audit consideration may be necessary, for example, related party
transactions, the appropriateness of management’s use of the going concern assumption, or
considering the business purpose of transactions;
• Developing expectations for use when performing analytical procedures;
• Evaluating the sufficiency and appropriateness of audit evidence obtained, such as the appropriateness
of assumptions and of management’s oral and written representations.

INTERNAL CONTROL
Meaning of Internal Control
As per SA-315, “Identifying and Assessing the Risk of Material Misstatement Through Understanding the
Entity and its Environment”, the internal control may be defined as “the process designed, implemented
and maintained by those charged with governance, management and other personnel to provide
reasonable assurance about the achievement of an entity’s objectives with regard to reliability of financial
reporting, effectiveness and efficiency of operations, safeguarding of assets, and compliance with applicable
laws and regulations. The term “controls” refers to any aspects of one or more of the components of
internal control.”
Objectives of Internal Control

(i) transactions are executed in accordance with management’s general or specific authorization;
(ii) all transactions are promptly recorded in the correct amount in the appropriate accounts and in the
accounting period in which executed so as to permit preparation of financial information within a
framework of recognized accounting policies and practices and relevant statutory requirements, if any,
and to maintain accountability for assets;
(iii) assets are safeguarded from unauthorised access, use or disposition; and
(iv) the recorded assets are compared with the existing assets at reasonable intervals and appropriate
action is taken with regard to any differences.
Benefits of Understanding of Internal Control
An understanding of internal control assists the auditor in:
(i) identifying types of potential misstatements;
(ii) identifying factors that affect the risks of material misstatement, and
(iii) designing the nature, timing, and extent of further audit procedures.
Study of various aspects of internal control is divided into four sections, as follows:

(I) General Nature and Characteristics of Internal Control


Purpose of Internal Control: Internal control is designed, implemented and maintained to address
identified business risks that threaten the achievement of any of the entity’s objectives that concern:

• The reliability of the entity’s financial reporting;
• The effectiveness and efficiency of its operations;
• Its compliance with applicable laws and regulations; and
• Safeguarding of assets.
The way in which internal control is designed, implemented and maintained varies with an entity’s
size and complexity.
Limitations of Internal Control

(i) Internal control can provide only reasonable assurance: Internal control, no matter how effective,
can provide an entity with only reasonable assurance about achieving the entity’s financial reporting
objectives. The likelihood of their achievement is affected by inherent limitations of IC.
(ii) Human judgment in decision-making: Realities that human judgment in decision-making can be
faulty and that breakdowns in internal control can occur because of human error.
(iii) Lack of understanding the purpose: Equally, the operation of a control may not be effective, such
as where information produced for the purposes of internal control (for example, an exception
report) is not effectively used because the individual responsible for reviewing the information does
not understand its purpose or fails to take appropriate action.
(iv) Collusion among People: Additionally, controls can be circumvented by the collusion of two or more
people or inappropriate management override of internal control.
(v) Judgements by Management: Further, in designing and implementing controls, management may
make judgments on the nature and extent of the controls it chooses to implement, and the nature
and extent of the risks it chooses to assume.
(vi) Limitations in case of Small Entities: Smaller entities often have fewer employees due to which
segregation of duties is not practicable.
On the other hand, the owner-manager may be more able to override controls because the system
of internal control is less structured. This is taken into account by the auditor when identifying the
risks of material misstatement due to fraud.
(II) Controls Relevant to the Audit
There is a direct relationship between an entity’s objectives and the controls it implements to provide
reasonable assurance about their achievement. The entity’s objectives, and therefore controls, relate
to financial reporting, operations and compliance; however, not all of these objectives and controls
are relevant to the auditor’s risk assessment.
Factors relevant to the auditor’s judgment about whether a control, individually or in combination with others, is
relevant to the audit may include such matters as the following:
• Materiality.
• The significance of the related risk.
• The size of the entity.
• The nature of the entity’s business, including its organisation and ownership characteristics.
• The diversity and complexity of the entity’s operations.
• Applicable legal and regulatory requirements.
• The circumstances and the applicable component of internal control.
• The nature and complexity of the systems that are part of the entity’s internal control, including
the use of service organisations.
(III) Nature and Extent of the Understanding of Relevant Controls.
(i) Evaluating the design of a control involves considering whether the control, individually or in
combination with other controls, is capable of effectively preventing, or detecting and correcting,
material misstatements.
Implementation of a control means that the control exists and that the entity is using it. There is
little point in assessing the implementation of a control that is not effective, and so the design of
a control is considered first.
An improperly designed control may represent a significant deficiency in internal control.
(ii) Risk assessment procedures to obtain audit evidence about the design and implementation of
relevant controls may include-
• Inquiring of entity personnel.
• Observing the application of specific controls.
• Inspecting documents and reports.
• Tracing transactions through the information system relevant to financial reporting.
Inquiry alone, however, is not sufficient for such purposes.
(iii) Obtaining an understanding of an entity’s controls is not sufficient to test their operating
effectiveness, unless there is some automation that provides for the consistent operation of the
controls.
(IV) Components of Internal Control
The division of internal control into the following five components provides a useful framework for
auditors to consider how different aspects of an entity’s internal control may affect the audit:
(A) The control environment;
(B) The entity’s risk assessment process
(C) The information system, including the related business processes, relevant to financial
reporting, and communication
(D) Control activities
(E) Monitoring of controls.
(A) Control Environment– Component of Internal Control– The auditor shall obtain an understanding of
the control environment. As part of obtaining this understanding, the auditor shall evaluate whether:
(i) Management has created and maintained a culture of honesty and ethical behavior; and
(ii) The strengths in the control environment elements collectively provide an appropriate foundation
for the other components of internal control.
What is included in Control Environment?
The control environment includes:
(i) the governance and management functions and
(ii) the attitudes, awareness, and actions of those charged with governance and management.
(iii) the control environment sets the tone of an organization, influencing the control consciousness of
its people.
Elements of the Control Environment– Elements of the control environment that may be relevant when obtaining
an understanding of the control environment include the following:

(a) Communication and enforcement of integrity and ethical values– These are essential elements that
influence the effectiveness of the design, administration and monitoring of controls.
(b) Commitment to competence– Matters such as management’s consideration of the competence levels
for particular jobs and how those levels translate into requisite skills and knowledge.
(c) Participation by those charged with governance– Attributes of those charged with governance
such as:
• Their independence from management.
• Their experience and stature.
• The extent of their involvement and the information they receive, and the scrutiny of activities.
• The appropriateness of their actions, including the degree to which difficult questions are raised
and pursued with management, and their interaction with internal and external auditors.
(d) Management’s philosophy and operating style– Characteristics such as management’s:
• Approach to taking and managing business risks.
• Attitudes and actions toward financial reporting.
• Attitudes toward information processing and accounting functions and personnel.
(e) Organisational structure– The framework within which an entity’s activities for achieving its objectives
are planned, executed, controlled, and reviewed.
(f) Assignment of authority and responsibility– Matters such as how authority and responsibility for
operating activities are assigned and how reporting relationships and authorisation hierarchies are
established.
(g) Human resource policies and practices– Policies and practices that relate to, for example, recruitment,
orientation, training, evaluation, counselling, promotion, compensation, and remedial actions.
(B) The Entity’s Risk Assessment Process– Component of Control Environment
The auditor shall obtain an understanding of whether the entity has a process for:
(a) Identifying business risks relevant to financial reporting objectives;
(b) Estimating the significance of the risks;
(c) Assessing the likelihood of their occurrence; and
(d) Deciding about actions to address those risks.
The entity’s risk assessment process forms the basis for the risks to be managed. If that process is
appropriate, it would assist the auditor in identifying risks of material misstatement. Whether the
entity’s risk assessment process is appropriate to the circumstances is a matter of judgment.
(C) The information system, including the related business processes, relevant to financial reporting
and communication– Component of Control Environment
The auditor shall obtain an understanding of the information system, including the related business
processes, relevant to financial reporting, including the following areas:
(a) The classes of transactions in the entity’s operations that are significant to the financial statements;
(b) The procedures by which those transactions are initiated, recorded, processed, corrected as necessary,
transferred to the general ledger and reported in the financial statements;
(c) The related accounting records, supporting information and specific accounts in the financial statements
that are used to initiate, record, process and report transactions;
(d) How the information system captures events and conditions that are significant to the financial statements;
(e) The financial reporting process used to prepare the entity’s financial statements;
(f) Controls surrounding journal entries.
Communicating Financial Roles and Responsibilities– Obtaining an Understanding by the Auditor: The auditor
shall obtain an understanding of how the entity communicates financial reporting roles and responsibilities,
including:
(a) Communications between management and those charged with governance; and
(b) External communications, such as those with regulatory authorities.
The following points need consideration in this regard:

(i) Understanding of Roles and Responsibilities: Communication by the entity of the financial reporting
roles and responsibilities would involve providing an understanding of individual roles and
responsibilities pertaining to internal control over financial reporting.
(ii) Understanding regarding Relation of Activities: It includes understanding by employees as to how their
activities relate to the work of others and the means of reporting exceptions to higher level within the
entity.
(iii) Policy Manuals and Financial Reporting Manuals: Communication may take such forms as policy manuals
and financial reporting manuals.
(iv) Open Communication Channels: Open communication channels help ensure that exceptions are reported
and acted on.
(v) Less structured and easier for Small Entities: Communication may be less structured and easier to
achieve in a small entity than in a larger entity due to fewer levels of responsibility and management’s
greater visibility and availability.
(D) Control Activities– Component of Internal Control
The auditor shall obtain an understanding of control activities relevant to the audit, which the auditor
considers necessary to assess the risks of material misstatement. An audit requires an understanding of
only those control activities related to significant class of transactions, account balance, and disclosure
in the financial statements and the assertions which the auditor finds relevant in his risk assessment
process.

Control activities are the policies and procedures that help ensure that management directives are
carried out.
Control activities, whether within IT or manual systems, have various objectives and are applied at
various organisational and functional levels.
Examples of specific control activities include those relating to the following:

Control activities that are relevant to the audit are:

• Control activities that relate to significant risks and those that relate to risks for which substantive
procedures alone do not provide sufficient appropriate audit evidence; or
• Those that are considered to be relevant in the judgment of the auditor;
• As part of the risk assessment, the auditor shall determine whether any of the risks identified are, in
the auditor’s judgment, a significant risk.
In exercising judgment as to which risks are significant risks, the auditor shall consider at least the following:
(a) Whether the risk is a risk of fraud;
(b) Whether the risk is related to recent significant economic, accounting, or other developments like
changes in regulatory environment, etc., and, therefore, requires specific attention;
(c) The complexity of transactions;
(d) Whether the risk involves significant transactions with related parties;
(e) The degree of subjectivity in the measurement of financial information related to the risk, especially
those measurements involving a wide range of measurement uncertainty; and
(f) Whether the risk involves significant transactions that are outside the normal course of business for the
entity, or that otherwise appear to be unusual.
Identifying Significant Risks: Significant risks often relate to significant non- routine transactions or
judgmental matters. Non-routine transactions are transactions that are unusual, due to either size or
nature, and that therefore occur infrequently. Judgmental matters may include the development of
accounting estimates for which there is significant measurement uncertainty.
Risks of Material Misstatement– Greater for Significant Non-Routine Transactions
Significant risks are inherent risks with both a higher likelihood of occurrence and a higher magnitude
of potential misstatement. The auditor assesses assertions affected by a significant risk as higher inherent
risk. The following are always significant risks:
• Risks of material misstatement due to fraud
• Significant transactions with related parties that are outside the normal course of business for the
entity
Risks of material misstatement may be greater for significant non-routine transactions arising from
matters such as the following:
• Greater management intervention to specify the accounting treatment.
• Greater manual intervention for data collection and processing.
• Complex calculations or accounting principles.
• The nature of non-routine transactions, which may make it difficult for the entity to implement effective
controls over the risks.
Risks of material misstatement– Greater for Significant Judgmental Matters
Risks of material misstatement may be greater for significant judgmental matters that require the
development of accounting estimates, arising from matters such as the following:
• Accounting principles for accounting estimates or revenue recognition may be subject to differing
interpretation.
• Required judgment may be subjective or complex, or require assumptions about the effects of
future events, for example, judgment about fair value.
(E) Monitoring of Controls – Component of Internal Control
The auditor shall obtain an understanding of the major activities that the entity uses to monitor internal
control over financial reporting.
a. Monitoring of controls Defined: Monitoring of controls is a process to assess the effectiveness of
internal control performance over time.
b. Helps in assessing the effectiveness of controls on a timely basis: It involves assessing the
effectiveness of controls on a timely basis and taking necessary remedial actions.
c. Management accomplishes through ongoing activities, separate evaluations etc.: Management
accomplishes monitoring of controls through ongoing activities, separate evaluations, or a
combination of the two. Ongoing monitoring activities are often built into the normal recurring
activities of an entity and include regular management and supervisory activities.
d. Management’s monitoring activities include: Management’s monitoring activities may include using
information from communications from external parties such as customer complaints and regulator
comments that may indicate problems or highlight areas in need of improvement.
e. In case of Small Entities: Management’s monitoring of control is often accomplished by
management’s or the owner-manager’s close involvement in operations. This involvement often will
identify significant variances from expectations and inaccuracies in financial data leading to remedial
action to the control.
Monitoring of Controls– If the entity has an internal audit function
If the entity has an internal audit function, the auditor shall obtain an understanding of the following:
(a) The internal audit function’s responsibilities and how the internal audit function fits in the
entity’s organisational structure; and
(b) The activities performed, or to be performed, by the internal audit function.

The following points merit consideration in this regard:

(i) Internal Audit Function relevant to the Audit: The entity’s internal audit function is likely to be relevant
to the audit if its activities are related to the entity’s financial reporting. It is also likely to be relevant if
the auditor expects to use the work of the internal auditors to modify the audit procedures to be performed.
When the auditor determines that the internal audit function is likely to be relevant to the audit, SA 610 applies.
(ii) Size and Structure of the Entity: The objectives of an internal audit function vary widely depending on
the size and structure of the entity and the requirements of management.
(iii) Internal audit function may include: The responsibilities of an internal audit function may include, for
example, monitoring of internal control, risk management, and review of compliance with laws and
regulations.
(iv) External auditor’s activities- on the basis of Internal Audit activities: If the internal audit function’s
responsibilities are related to the entity’s financial reporting, the external auditor’s consideration of the
activities performed may include review of the internal audit function’s audit plan for the period.
EVALUATION OF INTERNAL CONTROL BY THE AUDITOR
So far as the auditor is concerned, the examination and evaluation of the internal control system is an
indispensable part of the overall audit programme. The auditor needs reasonable assurance that the
accounting system is adequate and that all the accounting information which should be recorded has in fact
been recorded. Internal control normally contributes to such assurance. The auditor should gain an
understanding of the accounting system and related internal controls and should study and evaluate the
operations of these internal controls upon which he wishes to rely in determining the nature, timing and
extent of other audit procedures.
Benefits of Evaluation of Internal Control to the Auditor
The review of internal controls will enable the auditor to know:
(i) whether errors and frauds are likely to be located in the ordinary course of operations of the business;
(ii) whether an adequate internal control system is in use and operating as planned by the management;
(iii) whether an effective internal auditing department is operating;
(iv) whether any administrative control has a bearing on his work (for example, if the control over worker
recruitment and enrolment is weak, there is a likelihood of dummy names being included in the wages
sheet and this is relevant for the auditor);
(v) whether the controls adequately safeguard the assets;
(vi) how far and how adequately the management is discharging its function in so far as correct recording of
transactions is concerned;
(vii) how reliable the reports, records and the certificates to the management can be;
(viii) the extent and the depth of the examination that he needs to carry out in the different areas of
accounting;
(ix) what would be appropriate audit technique and the audit procedure in the given circumstances;
(x) what are the areas where control is weak and where it is excessive.

To facilitate the accumulation of the information necessary for the proper review and evaluation of
internal controls, the auditor can use one of the following to help him to know and assimilate the
system and evaluate the same:

1. The Narrative Record


This is a complete and exhaustive description of the system as found in operation by the auditor.
Actual testing and observation are necessary before such a record can be developed. It may be
recommended in cases where no formal control system is in operation and would be more suited to
small business.
The basic disadvantages of narrative records are that it is quite difficult:
(i) To comprehend the system in operation.
(ii) To identify weaknesses or gaps in the system.
(iii) To incorporate changes arising on account of reshuffling of manpower, etc.
2. A Check List
This is a series of instructions and/or questions which a member of the auditing staff must follow
and/or answer. When he completes an instruction, he initials the space against the instruction. Answers
to the check list instructions are usually Yes, No or Not Applicable. This is again an on-the-job
requirement and instructions are framed having regard to the desirable elements of control.
3. Internal Control Questionnaire
This is a comprehensive series of questions concerning internal control. This is the most widely used
form for collecting information about the existence, operation and efficiency of internal control in
an organisation.
An important advantage of the questionnaire approach is that oversight or omission of significant
internal control review procedures is less likely to occur with this method. With a proper questionnaire,
all internal control evaluation can be completed at one time or in sections. The review can more easily
be made on an interim basis. The questionnaire form also provides an orderly means of disclosing
control defects. It is the general practice to review the internal control system annually and record the
review in detail. In the questionnaire, generally questions are so framed that a ‘Yes’ answer denotes
satisfactory position and a ‘No’ answer suggests weakness. Provision is made for an explanation or
further details of ‘No’ answers. In respect of questions not relevant to the business, ‘Not Applicable’
reply is given.
4. Flow Chart
It is a graphic presentation of each part of the company’s system of internal control. A flow chart is
considered to be the most concise way of recording the auditor’s review of the system. It minimises the
amount of narrative explanation and thereby achieves a condensation or presentation not possible
in any other form. It gives a bird’s eye view of the system and the flow of transactions and integration
and in documentation, can be easily spotted and improvements can be suggested.
It is also necessary for the auditor to study the significant features of the business carried on by the
concern; the nature of its activities and various channels of goods and materials as well as cash, both
inward and outward; and also a comprehensive study of the entire process of manufacturing, trading
and administration. This will help him to understand and evaluate the internal controls in the correct
perspective.
Test of Controls:

Tests of controls are performed to obtain audit evidence about the effectiveness of the:

Tests of control may include:

• Inspection of documents supporting transactions and other events to gain audit evidence that
internal controls have operated properly, for example, verifying that a transaction has been authorised.
• Inquiries about, and observation of, internal controls which leave no audit trail, for example,
determining who actually performs each function and not merely who is supposed to perform it.
• Re-performance involves the auditor’s independent execution of procedures or controls that were
originally performed as part of the entity’s internal control, for example, reconciliation of bank
accounts, to ensure they were correctly performed by the entity.
• Testing of internal control operating on specific computerised applications or over the overall
information technology function, for example, access or program change controls.

INTERNAL CONTROL AND IT ENVIRONMENT


Characteristics of Manual and Automated Elements of Internal Control Relevant to the Auditor’s Risk
Assessment: An entity’s system of internal control contains manual elements and often contains automated
elements.
The characteristics of manual or automated elements relevant to the auditor’s risk assessment and further
audit procedures are explained hereunder-
(i) Controls in Manual and IT System: The use of manual or automated elements in internal control affects
the manner in which transactions are initiated, recorded, processed, and reported:
(1) Controls in a manual system may include such procedures as approvals and reviews of transactions,
and reconciliations and follow-up of reconciling items. Alternatively, an entity may use automated
procedures to initiate, record, process, and report transactions, in which case records in electronic
format replace paper documents.
(2) Controls in IT systems consist of a combination of automated controls (for example, controls
embedded in computer programs) and manual controls. Further, manual controls may be independent
of IT, may use information produced by IT, or may be limited to monitoring the effective functioning
of IT and of automated controls, and to handling exceptions.
(ii) Use of IT: An entity’s mix of manual and automated elements in internal control varies with the nature
and complexity of the entity’s use of IT.
(iii) Generally, IT benefits an entity’s internal control by enabling an entity to:
• Consistently apply predefined business rules and perform complex calculations in processing
large volumes of transactions or data;
• Enhance the timeliness, availability, and accuracy of information;
• Facilitate the additional analysis of information;
• Enhance the ability to monitor the performance of the entity’s activities and its policies and procedures;
• Reduce the risk that controls will be circumvented; and
• Enhance the ability to achieve effective segregation of duties by implementing security controls in
applications, databases, and operating systems.
(iv) IT also poses specific risks to an entity’s internal control, including, for example:
• Reliance on systems or programs that are inaccurately processing data, processing inaccurate data,
or both.
• Unauthorised access to data that may result in destruction of data or improper changes to data, including
the recording of unauthorised or non-existent transactions, or inaccurate recording of transactions.
Particular risks may arise where multiple users access a common database.
• The possibility of IT personnel gaining access privileges beyond those necessary to perform their assigned
duties, thereby breaking down segregation of duties.
• Unauthorised changes to data in master files.
• Unauthorised changes to systems or programs.
• Failure to make necessary changes to systems or programs.
• Inappropriate manual intervention.
• Potential loss of data or inability to access data as required.
(v) Suitability: Manual elements in internal control may be more suitable where judgment and discretion
are required.
(vi) Reliability: Manual elements in internal control may be less reliable than automated elements because
they can be more easily bypassed, ignored, or overridden and they are also more prone to simple errors
and mistakes. Consistency of application of a manual control element cannot therefore be assumed.
(vii) Nature of Entity’s Information System: The extent and nature of the risks to internal control vary
depending on the nature and characteristics of the entity’s information system. The entity responds to
the risks arising from the use of IT or from use of manual elements in internal control by establishing
effective controls in light of the characteristics of the entity’s information system.
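
One way to test access controls for two of the IT risks listed above (access privileges beyond those necessary for assigned duties, and the resulting breakdown of segregation of duties), as an added example that is not part of the original notes. The role baseline, the conflicting-duty pairs, the privilege names and the access listing are all constructed assumptions.

```python
# Added example (not from the original notes): a test of access controls that
# flags excess privileges and segregation-of-duties conflicts. All data below
# is constructed for illustration.

# Assumed baseline: the privileges each job role needs to perform its duties.
ROLE_BASELINE = {
    "ap_clerk": {"invoice.enter"},
    "ap_manager": {"invoice.approve", "payment.release"},
    "dba": {"db.backup", "db.patch"},
}

# Assumed pairs of duties that one user should not hold together.
CONFLICTS = [
    ("invoice.enter", "invoice.approve"),
    ("vendor_master.edit", "payment.release"),
    ("program.change", "program.deploy"),
]

# Constructed access listing: (user, job role, privileges actually granted).
ACCESS_LISTING = [
    ("asha", "ap_clerk", {"invoice.enter"}),
    ("ravi", "ap_manager",
     {"invoice.approve", "payment.release", "vendor_master.edit"}),
    ("meena", "dba",
     {"db.backup", "db.patch", "vendor_master.edit",
      "program.change", "program.deploy"}),
    ("temp01", "contractor", {"invoice.enter", "invoice.approve"}),
]


def review_access(listing, baseline, conflicts):
    """Return (user, finding_type, detail) tuples for every exception found."""
    findings = []
    for user, role, granted in listing:
        if role not in baseline:
            # No approved baseline exists, so every privilege is unsupported.
            findings.append((user, "UNKNOWN_ROLE", role))
        allowed = baseline.get(role, set())
        # Privileges beyond those necessary for the assigned duties.
        for priv in sorted(granted - allowed):
            findings.append((user, "EXCESS_PRIVILEGE", priv))
        # Incompatible duties held by the same user.
        for first, second in conflicts:
            if first in granted and second in granted:
                findings.append((user, "SOD_CONFLICT", f"{first} + {second}"))
    return findings


if __name__ == "__main__":
    for finding in review_access(ACCESS_LISTING, ROLE_BASELINE, CONFLICTS):
        print(*finding, sep=" | ")
```

Each finding is an exception to follow up through inquiry and inspection of the approval for that access; a clean listing is evidence only for the date on which the listing was extracted.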

MATERIALITY AND AUDIT RISK


The concept of materiality is applied by the auditor both in planning and performing the audit, and in
evaluating the effect of identified misstatements on the audit and of uncorrected misstatements, if any, on the
financial statements and in forming the opinion in the auditor’s report.
In conducting an audit of financial statements, the overall objectives of the auditor are to obtain reasonable
assurance about whether the financial statements as a whole are free from material misstatement, whether due to fraud or error, thereby
enabling the auditor to express an opinion on whether the financial statements are prepared, in all material
respects, in accordance with an applicable financial reporting framework; and to report on the financial
statements, and communicate as required by the SAs, in accordance with the auditor’s findings. The auditor
obtains reasonable assurance by obtaining sufficient appropriate audit evidence to reduce audit risk to an
acceptably low level.
Audit risk is the risk that the auditor expresses an inappropriate audit opinion when the financial statements
are materially misstated. Audit risk is a function of the risks of material misstatement and detection risk.
Materiality and audit risk are considered throughout the audit, in particular, when:
(a) Identifying and assessing the risks of material misstatement;
(b) Determining the nature, timing and extent of further audit procedures; and
(c) Evaluating the effect of uncorrected misstatements, if any, on the financial statements and in forming
the opinion in the auditor’s report.

DOCUMENTING THE RISK


The auditor shall document:
(a) The discussion among the engagement team and the significant decisions reached;
(b) Key elements of the understanding obtained regarding each of the aspects of the entity and its
environment and of each of the internal control components, the sources of information from which
the understanding was obtained; and the risk assessment procedures performed;
(c) The identified and assessed risks of material misstatement at the financial statement level and at the
assertion level; and
(d) The risks identified, and related controls about which the auditor has obtained an understanding.

INTERNAL AUDIT
As defined in scope of the Standards on Internal Audit, Internal Audit means “An independent management
function, which involves a continuous and critical appraisal of the functioning of an entity with a view to
suggest improvements thereto and add value to and strengthen the overall governance mechanism of the
entity, including the entity’s strategic risk management and internal control system”.

Applicability of Provisions of Internal Audit


As per section 138 of the Companies Act, 2013 the following class of companies (prescribed in rule 13 of
Companies (Accounts) Rules, 2014) shall be required to appoint an internal auditor or a firm of internal
auditors, namely-
(a) every listed company;
(b) every unlisted public company having-
(i) paid up share capital of fifty crore rupees or more during the preceding financial year; or
(ii) turnover of two hundred crore rupees or more during the preceding financial year; or
(iii) outstanding loans or borrowings from banks or public financial institutions exceeding one hundred
crore rupees or more at any point of time during the preceding financial year; or
(iv) outstanding deposits of twenty five crore rupees or more at any point of time during the preceding
financial year; and
(c) every private company having-
(i) turnover of two hundred crore rupees or more during the preceding financial year; or
(ii) outstanding loans or borrowings from banks or public financial institutions exceeding one hundred
crore rupees or more at any point of time during the preceding financial year:
It is provided that an existing company covered under any of the above criteria shall comply with the
requirements within six months of commencement of such section.

Internal audit function


A function of an entity that performs assurance and consulting activities designed to evaluate and improve
the effectiveness of the entity’s governance, risk management and internal control processes.
The objectives and scope of internal audit functions
As per SA-610, “Using the Work of an Internal Auditor”, the objectives of internal audit functions vary widely
and depend on the size and structure of the entity and the requirements of management and, where
applicable, those charged with governance.
The objectives and scope of internal audit functions typically include assurance and consulting activities
designed to evaluate and improve the effectiveness of the entity’s governance processes, risk management
and internal control such as the following:
1. Activities Relating to Governance: The internal audit function may assess the governance process in
its accomplishment of objectives on ethics and values, performance management and accountability,
communicating risk and control information to appropriate areas of the organization and effectiveness
of communication among those charged with governance, external and internal auditors, and
management.
2. Activities Relating to Risk Management: The internal audit function may assist the entity by
identifying and evaluating significant exposures to risk and contributing to the improvement of risk
management and internal control (including effectiveness of the financial reporting process). The
internal audit function may perform procedures to assist the entity in the detection of fraud.
3. Activities Relating to Internal Control:
(i) Evaluation of internal control: The internal audit function may be assigned specific responsibility
for reviewing controls, evaluating their operation and recommending improvements thereto. In
doing so, the internal audit function provides assurance on the control. For example, the internal
audit function might plan and perform tests or other procedures to provide assurance to
management and those charged with governance regarding the design, implementation and
operating effectiveness of internal control, including those controls that are relevant to the audit.
(ii) Examination of financial and operating information: The internal audit function may be
assigned to review the means used to identify, recognize, measure, classify and report financial and
operating information, and to make specific inquiry into individual items, including detailed
testing of transactions, balances and procedures.
(iii) Review of operating activities: The internal audit function may be assigned to review the
economy, efficiency and effectiveness of operating activities, including nonfinancial activities of
an entity.
(iv) Review of compliance with laws and regulations: The internal audit function may be assigned
to review compliance with laws, regulations and other external requirements, and with
management policies and directives and other internal requirements.

BASICS OF INTERNAL FINANCIAL CONTROL AND REPORTING REQUIREMENTS


As per Clause (e) of Sub-section 5 of Section 134, internal financial controls are the policies and procedures
adopted by the company for:

1. ensuring the orderly and efficient conduct of its business, including adherence to company’s policies,
2. the safeguarding of its assets,
3. the prevention and detection of frauds and errors,
4. the accuracy and completeness of the accounting records, and
5. the timely preparation of reliable financial information.
Auditors’ Responsibility for Reporting on Internal Financial Controls over Financial Reporting in India
It may be noted that auditor’s reporting on internal financial controls is a requirement specified in the Act
and, therefore, will apply only in case of reporting on financial statements prepared under the Act and
reported under Section 143.
Clause (i) of Sub-section 3 of Section 143 of the Act requires the auditors’ report to state whether the
company has adequate internal financial controls system in place and the operating effectiveness of
such controls.

Accordingly, reporting on internal financial controls will not be applicable with respect to interim financial
statements, such as quarterly or half-yearly financial statements, unless such reporting is required under any
other law or regulation.
Objectives of an auditor in an audit of internal financial controls over financial reporting: The auditor’s
objective in an audit of internal financial controls over financial reporting is “to express an opinion on the
effectiveness of the company’s internal financial controls over financial reporting.” It is carried out
along with an audit of the financial statements.
Reporting under Section 143(3)(i) is dependent on the underlying criteria for internal financial controls over
financial reporting adopted by the management. However, any system of internal controls provides only a
reasonable assurance on achievement of the objectives for which it has been established. Also, the auditor
shall use the concept of materiality in determining the extent of testing such controls.
Rule 8(5)(viii) of the Companies (Accounts) Rules, 2014 requires the board report of all companies to
state the details in respect of adequacy of internal financial controls with reference to the financial
statements.
The inclusion of the matters relating to internal financial controls in the directors’ responsibility statement is
in addition to the requirement of the directors stating that they have taken proper and sufficient care for
the maintenance of adequate accounting records in accordance with the provisions of the 2013 Act for
safeguarding the assets of the company and for preventing and detecting fraud and other irregularities.

DIFFERENCE BETWEEN INTERNAL FINANCIAL CONTROL AND INTERNAL CONTROL OVER FINANCIAL REPORTING

Internal Financial Control, as per Section 134(5)(e), means “the policies and procedures adopted by the company
for ensuring the orderly and efficient conduct of its business, including adherence to company’s policies, the
safeguarding of its assets, the prevention and detection of frauds and errors, the accuracy and completeness
of the accounting records, and the timely preparation of reliable financial information.”
On the other hand, internal controls over financial reporting is required where auditors are required to express an
opinion on the effectiveness of an entity’s internal controls over financial reporting; such opinion is in addition to
and distinct from the opinion expressed by the auditor on the financial statements.
