UNIT – III

UNIT III: RISK ASSESSMENT AND INTERNAL CONTROL

Risk Assessment and Internal Control: Evaluation of internal control procedures -
Components of internal controls-Risk based audit risk analysis, general steps-Internal audit -
Management and Operational Audit - Internal Check.

Risk Assessment and Internal Control

Risk Assessment:
1. Definition:

1
 • Risk assessment is the process of identifying, analyzing, and evaluating
potential risks that may affect the achievement of organizational objectives.
2. Purpose:
• Identify Risks: Identify and understand the risks inherent in business operations,
processes, and activities.
• Prioritize Risks: Assess the significance and potential impact of risks to
prioritize them for mitigation.
• Mitigate Risks: Develop strategies and controls to mitigate, manage, or transfer
identified risks effectively.
• Enhance Decision Making: Provide management with valuable insights and
information to make informed decisions and allocate resources efficiently.
3. Steps in Risk Assessment:
a. Identification: Identify internal and external risks relevant to the organization. b.
Analysis: Analyze the likelihood and potential impact of identified risks on
organizational objectives.
c. Evaluation: Evaluate the significance and materiality of risks to prioritize them for
further action.
d. Treatment: Develop risk response strategies, controls, and mitigation plans to address
identified risks.
e. Monitoring: Continuously monitor and review the effectiveness of risk management
processes and controls.

Internal Control:
1. Definition:
• Internal control refers to the policies, procedures, and mechanisms implemented
by management to safeguard assets, ensure compliance with laws and
regulations, and achieve organizational objectives effectively and efficiently.

2. Components of Internal Control:

a. Control Environment: The tone set by management regarding the importance of
internal control and ethical behavior.
b. Risk Assessment: The process of identifying, analyzing, and managing risks to
achieve organizational objectives.
c. Control Activities: Policies, procedures, and mechanisms implemented to mitigate
risks and achieve control objectives.

2
 d. Information and Communication: The flow of information and communication
channels to ensure timely and relevant information is communicated throughout the
organization.
e. Monitoring: Ongoing monitoring and review of internal control processes to assess
their effectiveness and make necessary improvements.

3. Objectives of Internal Control:

a. Safeguard Assets: Protect organizational assets from loss, theft, misuse, or damage.
b. Ensure Compliance: Ensure compliance with laws, regulations, policies, and
procedures governing organizational activities.
c. Enhance Operational Efficiency: Improve operational efficiency and effectiveness by
streamlining processes, reducing errors, and optimizing resource utilization.
d. Ensure Reliability of Financial Reporting: Ensure the accuracy, reliability, and
integrity of financial reporting by maintaining proper accounting records and internal
controls.
e. Promote Accountability: Hold individuals and departments accountable for their
actions and responsibilities within the organization.

Implementation Challenges:
1. Resource Constraints: Limited resources, including financial, human, and
technological resources, may pose challenges in implementing robust risk assessment
and internal control processes.
2. Complexity of Operations: Complex business operations, multiple stakeholders, and
global supply chains may increase the complexity of risk assessment and internal
control implementation.
3. Regulatory Compliance: Compliance with evolving laws, regulations, and industry
standards requires continuous monitoring and updates to internal control processes.
4. Technological Risks: Rapid advancements in technology introduce new risks, such as
cybersecurity threats, data breaches, and IT system failures, which require proactive
measures to address.
5. Cultural and Organizational Challenges: Resistance to change, lack of awareness,
and cultural barriers may hinder the adoption and effectiveness of risk assessment and
internal control measures.

3
Best Practices:
1. Top Management Commitment: Demonstrate leadership commitment and support
for risk management and internal control initiatives.
2. Risk Awareness and Training: Provide regular training and awareness programs to
employees to enhance their understanding of risks and internal control processes.
3. Segregation of Duties: Implement segregation of duties to prevent fraud, errors, and
conflicts of interest by ensuring that critical tasks are divided among different
individuals.
4. Continuous Monitoring: Establish mechanisms for continuous monitoring, review,
and assessment of internal control processes to identify weaknesses and areas for
improvement.
5. Adoption of Technology: Leverage technology, such as automated controls, data
analytics, and risk management software, to enhance the efficiency and effectiveness
of risk assessment and internal control activities.

Conclusion:
Risk assessment and internal control are essential components of effective governance,
risk management, and compliance (GRC) frameworks within organizations. By proactively
identifying, assessing, and managing risks, and implementing robust internal control measures,
organizations can safeguard their assets, enhance operational efficiency, ensure compliance
with regulations, and achieve their strategic objectives effectively.

EVALUATION OF INTERNAL CONTROL PROCEDURES

Evaluating internal control procedures involves assessing the effectiveness, efficiency,
and reliability of the controls implemented within an organization to achieve its objectives and
mitigate risks. Here's a structured approach to evaluating internal control procedures:

Steps in Evaluating Internal Control Procedures:

1. Review Control Documentation:
• Obtain and review documentation related to internal control procedures,
including policies, procedures manuals, flowcharts, and control matrices.
• Understand the design and implementation of control procedures, including
their objectives, scope, and key responsibilities.

4
2. Identify Key Controls:
• Identify key controls within business processes that are essential for achieving
control objectives and mitigating significant risks.
• Focus on controls that are critical for preventing or detecting material errors,
fraud, or non-compliance with laws and regulations.

3. Assess Control Design:

• Evaluate the design of internal control procedures to determine whether they are
adequately designed to achieve their intended objectives.
• Assess the appropriateness of control activities, segregation of duties,
authorization processes, and documentation requirements.

4. Test Control Effectiveness:

• Perform testing procedures to assess the operating effectiveness of internal
controls in preventing or detecting errors, fraud, or non-compliance.
• Select a sample of transactions or activities and perform control tests to
determine whether controls are functioning as intended.
• Use a combination of inquiry, observation, inspection of documentation, and re-
performance of control activities to test control effectiveness.

5. Evaluate Control Efficiency:

• Evaluate the efficiency of internal control procedures by assessing their cost-
effectiveness, resource utilization, and alignment with organizational
objectives.
• Consider factors such as the time, effort, and resources required to implement
and maintain control procedures relative to the benefits achieved.

6. Assess Control Reliability:

• Assess the reliability and accuracy of information generated by internal control
procedures to support decision-making and compliance requirements.
• Ensure that control activities produce timely, complete, and accurate
information that is relevant for management and external stakeholders.

5
 7. Review Control Monitoring:
• Review mechanisms for monitoring and oversight of internal control
procedures, including management reviews, internal audits, and self-
assessments.
• Evaluate the frequency, scope, and effectiveness of monitoring activities in
identifying control deficiencies, deviations, or weaknesses.

8. Document Findings and Recommendations:

• Document findings from the evaluation of internal control procedures, including
strengths, weaknesses, and areas for improvement.
• Provide recommendations for enhancing control effectiveness, efficiency, and
reliability based on identified deficiencies and best practices.

9. Communicate Results:
• Communicate evaluation results and recommendations to relevant stakeholders,
including management, internal audit, board of directors, and external auditors.
• Ensure transparency, accountability, and follow-up on remediation efforts to
address identified control deficiencies and improve overall control
environment.
10. Continuous Improvement:
• Foster a culture of continuous improvement by incorporating feedback, lessons
learned, and best practices into the design and implementation of internal
control procedures.
• Monitor changes in the business environment, risks, and regulatory
requirements to adapt internal control procedures accordingly and maintain
their relevance and effectiveness over time.
Conclusion:
Evaluating internal control procedures is a critical component of organizational
governance, risk management, and compliance efforts. By systematically assessing the design,
effectiveness, efficiency, and reliability of internal controls, organizations can identify areas
for improvement, strengthen their control environment, and enhance their ability to achieve
objectives and mitigate risks effectively. Continuous monitoring, evaluation, and improvement
of internal control procedures are essential for maintaining a robust control framework and
ensuring the integrity and reliability of financial reporting, operational processes, and
compliance activities within the organization.

6
COMPONENTS OF INTERNAL CONTROLS

Internal controls encompass various components designed to ensure the achievement of

organizational objectives, mitigate risks, safeguard assets, and promote operational efficiency
and effectiveness. Here are the key components of internal controls:

7
1. Control Environment:
• The control environment sets the tone at the top and establishes the foundation
for effective internal control. It encompasses the overall attitude, awareness, and
commitment of management and employees towards internal control and ethical
behavior. Factors influencing the control environment include management's
integrity and ethical values, organizational structure, governance processes, and
the assignment of authority and responsibility.
2. Risk Assessment:
• Risk assessment involves identifying, analyzing, and evaluating risks that may
affect the achievement of organizational objectives. It includes assessing the
likelihood and potential impact of risks on the organization's operations,
financial reporting, and compliance requirements. Risk assessment helps
prioritize risks for mitigation and determines the design and implementation of
appropriate control activities to address identified risks effectively.
3. Control Activities:
• Control activities are policies, procedures, and mechanisms implemented to
mitigate risks and achieve control objectives. They are designed to prevent,
detect, and correct errors, fraud, and non-compliance with laws and regulations.
Control activities include authorization and approval processes, segregation of
duties, physical controls, information processing controls, and reconciliations.
They are applied throughout the organization's processes and operations to
ensure the integrity, reliability, and accuracy of financial reporting and other key
activities.
4. Information and Communication:
• Information and communication are essential components of internal control
that facilitate the flow of relevant, timely, and accurate information throughout
the organization. Effective communication ensures that relevant stakeholders
receive necessary information to fulfill their responsibilities, make informed
decisions, and carry out control activities effectively. Information systems,
reporting mechanisms, and communication channels play a critical role in
supporting internal control by providing management and employees with
access to relevant information and promoting transparency, accountability, and
collaboration.

8
 5. Monitoring:
• Monitoring involves ongoing assessment and review of internal control
processes to ensure their effectiveness, reliability, and compliance with
established policies and procedures. Monitoring activities include management
reviews, internal audits, self-assessments, and compliance testing. They are
designed to identify control deficiencies, deviations, or weaknesses and initiate
corrective actions to address them promptly. Monitoring provides assurance that
internal controls are operating as intended and are responsive to changes in the
business environment, risks, and regulatory requirements.

These components of internal controls work together to establish a comprehensive and

integrated framework for managing risks, achieving organizational objectives, and promoting
good governance practices within the organization. By addressing each component effectively,
organizations can strengthen their control environment, enhance operational efficiency, and
mitigate risks to achieve sustainable business success.

Risk based audit risk analysis, general steps

Risk-based audit risk analysis involves assessing the risks associated with an
organization's operations, processes, and activities to determine the focus and scope of audit
procedures. Here are the general steps involved in conducting a risk-based audit risk analysis:

1. Understand the Organization and its Environment:

• Organizational Structure: Gain an understanding of the organization's structure,
including its business operations, industry, and regulatory environment.
• Strategic Objectives: Identify the organization's strategic objectives, goals, and key
performance indicators (KPIs) to align audit activities with its priorities.
• Business Processes: Map out the organization's key business processes, including
inputs, activities, outputs, and interdependencies.

2. Identify Potential Risks:

• Risk Identification: Identify potential risks that may impact the achievement of
organizational objectives, including operational, financial, compliance, and strategic
risks.

9
 • Sources of Risk: Consider internal and external factors that may contribute to risk,
such as changes in the business environment, regulatory requirements, technological
advancements, and organizational changes.
• Risk Categories: Categorize risks based on their nature, severity, and potential impact
on the organization, stakeholders, and objectives.

3. Assess Risk Severity and Likelihood:

• Risk Assessment: Evaluate the severity and likelihood of identified risks using
qualitative and quantitative methods, such as risk matrices, probability-impact
assessments, and scenario analysis.
• Risk Criteria: Establish criteria for assessing risk severity and likelihood, considering
factors such as financial impact, reputational damage, regulatory non-compliance, and
operational disruptions.
• Risk Rankings: Rank risks based on their assessed severity and likelihood to prioritize
them for further analysis and audit focus.

4. Determine Audit Objectives and Scope:

• Audit Objectives: Define audit objectives and priorities based on the assessed risks,
organizational objectives, and stakeholder expectations.
• Audit Scope: Determine the scope of the audit, including the areas, processes, and
activities to be covered, considering the highest-risk areas and significant control
deficiencies.
• Audit Criteria: Establish criteria and benchmarks against which audit findings will be
evaluated, such as regulatory requirements, industry standards, best practices, and
organizational policies.

5. Develop Audit Plan and Procedures:

• Audit Planning: Develop an audit plan that outlines the approach, methodology,
resources, and timelines for conducting the audit, considering the identified risks and
audit objectives.
• Audit Procedures: Design audit procedures and tests to assess the effectiveness and
adequacy of internal controls, compliance with policies and regulations, and the
accuracy and reliability of financial and operational information.

10
 • Sampling Methodologies: Determine sampling methodologies and sample sizes for
testing audit assertions, considering risk-based sampling approaches and statistical
sampling techniques.

6. Execute Audit Fieldwork:

• Audit Fieldwork: Conduct audit fieldwork in accordance with the established audit
plan and procedures, gathering evidence, performing testing, and documenting
findings.
• Risk-Based Testing: Focus audit efforts on areas of highest risk, allocating resources
and attention to key control areas and processes where significant risks are identified.
• Document Findings: Document audit findings, observations, and recommendations in
a clear, concise, and objective manner, supported by sufficient and relevant evidence.

7. Evaluate Audit Findings and Communicate Results:

• Findings Evaluation: Evaluate audit findings and observations against audit criteria,
assessing the significance, root causes, and implications of identified deficiencies and
weaknesses.
• Management Communication: Communicate audit results, including findings,
recommendations, and management responses, to relevant stakeholders, such as
management, audit committee, and board of directors.
• Follow-up Actions: Collaborate with management to develop corrective action plans
and timelines for addressing identified deficiencies and implementing audit
recommendations.

8. Continuous Improvement:
• Lessons Learned: Reflect on audit experiences and lessons learned to enhance audit
methodologies, processes, and practices for future audits.
• Feedback Mechanisms: Establish feedback mechanisms and channels for receiving
input from stakeholders, management, and audit team members to improve the
effectiveness and efficiency of audit activities.
• Risk Monitoring: Continuously monitor and review organizational risks, control
deficiencies, and audit findings to adapt audit strategies and priorities in response to
changing risk profiles and business environments.

11
 By following these general steps in conducting a risk-based audit risk analysis, auditors can
effectively identify, assess, and prioritize risks, tailor audit procedures to focus on high-risk
areas, and provide valuable insights and recommendations to support organizational decision-
making and risk management efforts.

Internal audit - Management and Operational Audit

12
 Internal audit is an independent, objective assurance and consulting activity designed
to add value and improve an organization's operations. It helps an organization accomplish its
objectives by bringing a systematic, disciplined approach to evaluate and improve the
effectiveness of risk management, control, and governance processes. Internal auditors provide
insights and recommendations to management to enhance operations, mitigate risks, and
achieve organizational goals.
Functions and Responsibilities of Internal Audit:
1. Risk Assessment:
• Identifying and assessing risks that may affect the achievement of
organizational objectives.
• Evaluating the effectiveness of existing risk management processes and
controls.
2. Control Evaluation:
• Reviewing the design and implementation of internal controls to ensure they
mitigate identified risks effectively.
• Testing the operating effectiveness of controls through audit procedures and
tests of control.
3. Compliance Verification:
• Ensuring compliance with laws, regulations, policies, and procedures applicable
to the organization's operations.
• Conducting compliance audits to assess adherence to internal and external
requirements.
4. Financial Auditing:
• Reviewing financial statements, transactions, and accounting records to ensure
accuracy, completeness, and compliance with accounting standards.
• Verifying the reliability of financial reporting processes and controls.
5. Operational Auditing:
• Evaluating the efficiency and effectiveness of operational processes, systems,
and activities.
• Identifying opportunities for process improvements, cost savings, and
performance enhancements.
6. Fraud Detection and Prevention:
• Investigating allegations of fraud, misconduct, or unethical behavior within the
organization.

13
 • Implementing measures to prevent and detect fraudulent activities and
irregularities.
7. Consulting and Advisory Services:
• Providing consulting services to management on risk management, internal
controls, and process improvements.
• Offering recommendations and best practices to address identified deficiencies
and enhance organizational performance.
8. Reporting and Communication:
• Communicating audit findings, observations, and recommendations to
management, the audit committee, and other stakeholders.
• Issuing audit reports summarizing the results of audit activities and
management's responses to audit recommendations.
9. Follow-up and Monitoring:
• Monitoring the implementation of audit recommendations and corrective action
plans by management.
• Conducting follow-up audits to assess the effectiveness of remedial actions
taken in response to identified deficiencies.
10. Quality Assurance:
• Establishing and maintaining quality assurance and improvement programs to
ensure the effectiveness and professionalism of internal audit activities.
• Conducting internal assessments and external assessments (e.g., external quality
assessments) to evaluate compliance with internal audit standards and best
practices.
Internal audit functions independently within the organization, reporting functionally
to the audit committee of the board of directors and administratively to executive management.
Its role is critical in providing assurance and insights to stakeholders, enhancing governance
processes, and supporting the achievement of organizational objectives.

Management and operational audits

Management and operational audits are two distinct types of internal audit activities
that focus on different aspects of an organization's management practices and operational
processes. Here's an overview of each:

14
Management Audit:
1. Purpose:
• Management audits evaluate the effectiveness of management practices,
policies, and decision-making processes within an organization.
• The primary purpose is to assess whether management is achieving its
objectives, exercising proper stewardship of resources, and adhering to ethical
standards and corporate governance principles.
2. Scope:
• Management audits may cover a wide range of areas, including strategic
planning, organizational structure, leadership effectiveness, corporate culture,
and performance management systems.
• They may also examine management's adherence to regulatory requirements,
compliance with internal policies and procedures, and alignment with industry
best practices.
3. Key Areas of Focus:
• Strategic Planning: Assess the development, implementation, and alignment of
strategic plans with organizational objectives and market conditions.
• Leadership Effectiveness: Evaluate the competence, integrity, and
accountability of senior management in guiding the organization and fostering
a culture of ethical conduct.
• Governance Practices: Review the effectiveness of governance structures, board
oversight, and management accountability in promoting transparency,
accountability, and risk management.
4. Objectives:
• Assess the efficiency and effectiveness of management practices in achieving
organizational goals and objectives.
• Identify areas for improvement in leadership, decision-making, communication,
and resource allocation to enhance organizational performance and
sustainability.
Operational Audit:
1. Purpose:
• Operational audits focus on evaluating the efficiency and effectiveness of
operational processes, systems, and activities within an organization.

15
 • The primary purpose is to assess whether operational activities are conducted in
accordance with established policies, procedures, and performance standards to
achieve desired outcomes.
2. Scope:
• Operational audits typically examine specific functional areas or business
processes, such as production, sales, procurement, inventory management, and
customer service.
• They may also assess cross-functional processes, interdepartmental workflows,
and key performance indicators (KPIs) to identify opportunities for
improvement and cost savings.
3. Key Areas of Focus:
• Process Efficiency: Evaluate the efficiency of operational processes in terms of
resource utilization, cycle times, throughput, and productivity.
• Control Effectiveness: Assess the effectiveness of internal controls, risk
management practices, and compliance with regulatory requirements in
mitigating operational risks.
• Performance Metrics: Review performance metrics, benchmarks, and key
performance indicators (KPIs) to measure performance against targets and
identify areas for performance improvement.
4. Objectives:
• Identify inefficiencies, bottlenecks, and process gaps that may hinder
operational performance and profitability.
• Provide recommendations for process improvements, cost reductions, and
performance enhancements to optimize operational effectiveness and achieve
organizational objectives.
Conclusion:
While management audits focus on assessing the effectiveness of management
practices and governance structures, operational audits concentrate on evaluating the efficiency
and effectiveness of operational processes and activities. Both types of audits play a critical
role in enhancing organizational performance, risk management, and governance practices to
support sustainable growth and value creation.

16
Internal Check

Internal check is a fundamental concept in internal control and accounting. It refers to

the division of duties and responsibilities within an organization in such a way that no single
individual has complete control over a transaction from beginning to end. The objective of
internal check is to reduce the risk of errors, fraud, and irregularities by ensuring that different
individuals are involved in various stages of a transaction process. Here's an overview of
internal check:
Key Components of Internal Check:

1. Segregation of Duties:
• Segregation of duties is a cornerstone of internal check. It involves dividing key
tasks and responsibilities among different individuals to prevent one person
from having complete control over a transaction.
• Common segregation of duties includes separating the functions of
authorization, recording, custody, and reconciliation.
2. Authorization:
• Authorization involves approving transactions or activities before they occur. It
ensures that transactions are initiated only by authorized individuals and are
consistent with organizational policies and procedures.
• For example, approvals may be required for expenditures, purchases, contracts,
and access to sensitive information or systems.
3. Recording:
• Recording involves accurately capturing and documenting transactions in the
organization's records or accounting system. It ensures that transactions are
properly recorded, classified, and summarized in accordance with accounting
principles and standards.

17
 • Different individuals should be responsible for initiating transactions, entering
data, and maintaining accounting records to prevent errors or manipulation.
4. Custody:
• Custody involves safeguarding assets, documents, and resources belonging to
the organization. It ensures that assets are protected from loss, theft, or misuse.
• Custodial responsibilities should be segregated from authorization and
recording functions to prevent conflicts of interest and ensure accountability.
5. Reconciliation:
• Reconciliation involves comparing and reconciling different sets of records,
accounts, or documents to ensure accuracy and consistency.
• Reconciliation activities may include bank reconciliations, inventory counts,
accounts receivable/payable reconciliations, and intercompany reconciliations.

Benefits of Internal Check:

1. Risk Mitigation:
• Internal check helps mitigate the risk of errors, fraud, and irregularities by
creating checks and balances within the organization.
• It reduces the likelihood of unauthorized transactions, misappropriation of
assets, and manipulation of financial information.
2. Accuracy and Reliability:
• Internal check enhances the accuracy and reliability of financial reporting and
operational processes by ensuring that transactions are properly authorized,
recorded, and processed.
• It helps detect and correct errors and discrepancies in a timely manner,
preventing them from escalating into larger issues.
3. Compliance Assurance:
• Internal check helps ensure compliance with laws, regulations, and internal
policies by enforcing controls and accountability mechanisms.
• It provides assurance to stakeholders, regulators, and auditors that the
organization's operations are conducted in a transparent and accountable
manner.
4. Operational Efficiency:
• Internal check promotes operational efficiency by streamlining processes,
reducing duplication of efforts, and optimizing resource allocation.

18
 • It enables tasks to be performed more effectively by leveraging the expertise
and skills of different individuals within the organization.
Conclusion:
Internal check is a fundamental component of internal control systems designed to
safeguard assets, ensure accuracy and reliability, and promote operational efficiency within an
organization. By segregating duties, establishing authorization controls, maintaining proper
records, safeguarding assets, and reconciling accounts, internal check helps mitigate risks and
enhance the integrity and effectiveness of organizational processes and controls.

19