Professional Documents
Culture Documents
Stated Another Way, This Is The Risk That There Is A Material Misstatement In The Financial
Statements, But The Auditor Misses It And Says That They Present A True And Fair View.
Audit risk (AR) = Inherent risk (IR) × Control risk (CR) × Detection risk (DR)
COMPONENTS OF AUDIT RISK
AUDIT RISK
RISK OF DETECTION
MATERIAL MIS RISK
STATEMENT
INHERENT CONTROL
RISK RISK
RISK OF MATERIAL MISSTATEMENT:
The risk of material misstatement is the risk that the financial statement of an organization have
been misstated to a material degree.
INHERENT RISK-
Inherent audit risks are the risks that the material misstatements could possibly happen
in financial statements due to other reasons rather than the failure of internal control over
financial reporting as well as detection risks.
Examples :
• A cash-based business
CONTROL RISK
CONTROL RISK is the risk of a material misstatement in the financial statements arising due to
absence or failure in the operation of relevant controls of the entity.
organizations must have adequate internal controls in place to prevent and detect instances of fraud and
error.
control risk is high where the audit entity does not have adequate internal controls to prevent and detect
instances of fraud and error in the financial statements.
INHERENT LIMITATIONS OF INTERNAL CONTROL
•POTENTIAL OF HUMAN ERROR
•ABUSE OF CONTROL BY THE PERSON WHO IS HIMSELF RESPONSIBLE FOR EXERCISING
IT
•MANIPULATIONS BY MANAGEMENT
•TRANSACTIONS OF UNUSUAL NATURE MAY BE MISSED BY MOST CONTROLS
Assessment of control risk
1. Preliminary assessment of Control Risk-
i. It refers to evaluating the likely effectiveness of an entity’s internal control system in
preventing or detecting and correcting material misstatements.
ii. The auditor should obtain an understanding of internal controls to make a preliminary
assessment of the control risk.
iii. The control risk is assessed as High unless the auditor:
a. Can verify internal controls which are likely to prevent or detect and correct a material
misstatement and
b. Plans to perform test of controls.
2. Test of Controls-
The auditor performs Test of Control to obtain audit evidence about the following:
a. Whether the accounting and the internal control systems are suitably designed to prevent or
detect and correct material misstatements and
b. Operation of internal controls throughout the period.
An auditor must apply audit procedures to detect material misstatements in the financial statements
whether due to fraud or error. misapplication or omission of critical audit procedures may result in a
material misstatement remaining undetected by the auditor.
“an attitude that includes a questioning mind, being alert to conditions that may
indicate possible misstatement due to fraud or error, and a critical assessment of
audit evidence.” as per SA 200.
• PROPER AUTHORISATION - transactions are executed with management’s general and specific authorisation.
• PROMPT RECORDING OF TRANSACTIONS all the transactions are promptly recorded in the correct amount in the
appropriate accounts and in the accounting period in which they are executed to permit preparation of financial
information within a framework of recognized accounting policies and to maintain accountability of assets .
• ACTIONS AGAINST DEVIATIONS the recorded accountability for assets is compared with the existing assets at
reasonable intervals and appropriate action is taken with regard to any differences.
Objectives in detail:
• To ensure that the business transactions take place as per the general and specific
authorisation of the management.
• To make sure that there is a sequential and systematic recording of every transaction, with
the accurate amount in their respective account and in the accounting period in which they
take place. It confirms that the financial statement fulfils the relevant statutory requirements.
• To provide security to the company’s assets from unauthorised use. For this purpose,
physical security systems are used to provide protection such as security guards, anti-theft
devices, surveillance cameras, etc.
• To compare the assets in the record with that of the existing ones at regular intervals and
report to the those charged with governance (TCWG), in case any difference is found.
• To evaluate the system of accounting for complete authorisation of the transactions.
• To review the working of the organization and the loopholes in the operations and take
necessary steps for its correction.
• To ensure there is the optimum utilization of the firm’s resources, i.e. men, material,
machine and money.
• To find out whether the financial statements are in alignment with the accounting
concepts and principles.
1.PREVENTIVE CONTROLS: THESE CONTROLS ARE INTRODUCED IN THE
FIRM TO STOP ERRORS AND IRREGULARITIES FROM TAKING PLACE.
1. Understand the System: The auditor should understand the control system by discussing with
personnel at various levels in the organization. He should also refer to organization charts and manuals
for this purpose.
2. Determining the Reliability: The management installs and maintains an adequate internal control
system considering the nature and size of the business. It is the duty of an auditor to establish a basis or
degree of reliance on the system of control.
3. Determining the Adequacy: The auditor should apply various compliance tests in order to determine
the adequacy of internal control system.
4. Review and Evaluation: Auditor should critically review and evaluate the internal control system to
determine the efficiency of its operations. If there is a good system of internal control the work of an
auditor becomes easy.
Methods of Evaluating Internal Control System.
1. Narrative Record or Memorandum Approach: It is a complete and exhaustive description of the system. It is
appropriate in circumstances where a formal control system is lacking, like in case of small businesses. Gaps in the
control system are difficult to identify using a narrative record.
2. Check List: It is a series of instructions that a member of the audit staff is required to follow. They must be signed
initialed by the audit assistant as proof for having followed the instructions given. A specific statement is required for
every weakness area.
3. Flow Chart: It is a pictorial representation of the internal control system depicting its various elements such as
operations, processes and controls, which help in giving a concise and comprehensive view of the organization’s
working to the auditor. A complete flow chart would depict the process of raising documents, personnel involved in
doing so, the flow of documents through various departments, maintenance of records, flow of goods and
consideration, and dealing with results. The internal control evaluation process becomes easier through a flow chart as
a broad picture of all the controls involved can be gauged in a glimpse.
4. Internal Control Questionnaire: This is the most widely used method for collecting information regarding the
internal control system and involves asking questions to various people at different levels in the organization. The
questionnaire is in a pre-designed format to ensure collection of complete and all relevant information. The questions
are formed in a manner that would facilitate obtaining full information through answers in “Yes” or “No’’.
ADVANTAGES OF INTERNAL CONTROL
1. DETECTION OF ERRORS AND FRAUDS: internal control
systems are structured in such a way that work done by one employee
in a process is checked by another without knowledge of the former. in
such an environment, any fraud committed is brought to light unless
there is collusion among fraudsters.
2. SIZE OF THE ORGANIZATION: small organizations have very low levels of internal control, which are almost negligible due to more
interference by owners and management.
3. UNUSUAL TRANSACTIONS: the internal control procedures normally fail to keep a check on unusual transactions.
4. COSTLY: the implementation of internal control procedures and processes involves incurring costs in terms of time, effort and resources.
5. ABUSE OF POWER: members at the top-level management may override or interfere with control.
6. COLLUSION OF TWO OR MORE PEOPLE: it may lead to internal controls being over- ridden.
7. OBSOLESCENCE: control system may become redundant with passage of time if not updated with change in the size and nature of
business.
8. HUMAN ERROR: internal control fails as there are posibility of human errors.
9. FREQUENT FOLLOW-UP MEASURES: follow-up procedures need to be frequent to ensure its effectiveness, which is extremely time-
consuming.
INTERNAL CONTROL QUESTIONNAIRE
An internal control questionnaire is basically a comprehensive list of questions, covering every aspect
of the client’s system, the answers to which will enable the auditor to assess the internal controls in
operation. To facilitate the assessment, the questions are asked in a form whereby the answer ‘yes’ is
satisfactory, whereas the answer ‘no’ appears to indicate a weakness.
2. DETECTION OF ERRORS AND FRAUDS: INTERNAL AUDITOR HAS TO ADOPT SUITABLE TECHNIQUES AND MEASURES TO
DETECT ERRORS AND FRAUDS, WHICH ARE LIKELY TO BE COMMITTED IN THE ORGANIZATION.
3. REVIEW THE INTERNAL CHECK AND CONTROL SYSTEM: THE AUDITOR HAS TO REVIEW AND COMMENT ON THE
EFFECTIVE FUNCTION OF THE INTERNAL CHECK AND INTERNAL CONTROL SYSTEM WITHIN THE ORGANIZATION. ANY
DEVIATION IN THE FUNCTION OF THE SYSTEM SHOULD BE REPORTED TO THE MANAGEMENT AND THE AUDITOR SHOULD
INITIATE SUITABLE RECOMMENDATIONS.
4. VERIFY THE ASSETS OF THE COMPANY: INTERNAL AUDITOR SHOULD VERIFY THE EXISTENCE OF THE ASSETS IN THE
COMPANY AND SHOULD VERIFY THAT PROPER MEASURES ARE TAKEN TO PROTECT OR MAINTAIN THE ASSETS. HE SHOULD
ALSO VERIFY THAT ASSETS ARE PURCHASED OR SOLD OR REPLACED ONLY WITH THE APPROVAL OF AN AUTHORIZED
PERSON.
5. VERIFY THE LIABILITIES: THE INTERNAL AUDITOR HAS TO VERIFY THAT THE LIABILITIES INCURRED BY THE
ORGANIZATION ARE LEGITIMATE AND THEY ARE LIKELY TO BE INCURRED FOR THE ORGANIZATIONAL ACTIVITIES.
6. ADHERENCE TO ACCOUNTING STANDARDS: INTERNAL AUDITOR HAS TO ENSURE THAT THE ACCOUNTING STANDARD
PRACTICES FOLLOWED BY THE ORGANIZATION ARE STRICTLY ADHERED.
7. REVIEW THE MANAGERIAL FUNCTIONS: INTERNAL AUDITOR HAS TO REVIEW THE MANAGERIAL FUNCTIONS OF AN
ORGANIZATION AND HAS TO REPORT ON THEM TO THE MANAGEMENT.
Functions of Internal Auditor
1. EVALUATING OF ACCOUNTING AND ADMINISTRATIVE CONTROL: INTERNAL AUDITING
ENSURES EFFECTIVE AND EFFICIENT SYSTEM OF ACCOUNTING CONTROL, STANDARD
COSTING, BUDGETARY CONTROL AND ALL OTHER ADMINISTRATIVE CONTROLS.
a. Every company to which Sec 138 is applicable shall appoint an internal auditor.
b. The internal auditor shall conduct the internal audit of the functions and activities
of the company.
c. The internal auditor shall be-
i. A Chartered Accountant or
ii. A Cost Accountant or
iii. Such other professional as may be decided by the Board.
Definitions
(b) Internal auditors – Those individuals who perform the activities of the internal audit
function. Internal auditors may belong to an internal audit department or equivalent function.
Requirements
Determining Whether and to What Extent to Use the Work of the Internal Auditors
The external auditor shall determine:
a. Whether the work of the internal auditors is likely to be adequate for purposes of the audit; and
b. If so, the planned effect of the work of the internal auditors on the nature, timing or extent of the external
auditor’s procedures.
In determining whether the work of the internal auditors is likely to be adequate for purposes of the audit, the
external auditor shall evaluate:
a. The objectivity of the internal audit function;
b. The technical competence of the internal auditors;
c. Whether the work of the internal auditors is likely to be carried out with due professional care; and
d. Whether there is likely to be effective communication between the internal auditors and the external auditor.
COMPARISON BETWEEN INTERNAL AUDIT AND EXTERNAL AUDIT
INTERNAL AUDIT
• Audit Conducted Internally I.E., By The Management To Ensure That The Company Complies With The Policies,
Procedures And Principles.
• The Person Who Conducts Internal Audit Is Called As Internal Auditor, Who Is Appointed By The Management.
The Scope Of Work, Powers And Duties Of Internal Auditor Are Determined By The Management.
• Internal Auditor Need Not Be A Qualified Chartered Accountant And Is Remunerated In The Form Of Salary As
He Is An Employee Of The Company.
• Internal Auditor Has To Submit An Internal Audit Report To The MANAGEMENT.
EXTERNAL AUDIT
• Audit Conducted Externally I.E., By The Shareholders To Examine The Accuracy Of The Books Of Accounts,
Records And Financial Statements.
• The Person Who Conducts External Audit Is Called As Statutory Or External Auditor Who Is Appointed By The
Shareholders Of The Company. The Scope Of Work, Powers And Duties Of Statutory Auditor Are Determined By
The Companies Act.
• Statutory Auditor Should Be A Qualified Chartered Accountant And Is Remunerated In The Form Of Audit Fees As
He Is An Independent Person.
• Statutory Auditor Submits Statutory Audit Report To The Shareholders Of The Company
SA 610 - USING THE WORK OF INTERNAL AUDITORS
OBJECTIVE
IF AN ENTITY HAS AN INTERNAL AUDIT FUNCTION AND ITS RELEVANCE TO
THE EXTERNAL AUDITOR’S WORK, THEN THE EXTERNAL AUDITOR SHOULD
DETERMINE:
A. IF THE SPECIFIC WORK OF THE INTERNAL AUDITOR CAN BE USED AND IF
SO, TO WHAT EXTENT.
B. SUCH WORK IS ADEQUATE FOR THE AUDIT PURPOSE.
SA 610 USING THE WORK OF INTERNAL AUDITORS IS EFFECTIVE FOR AN
AUDIT OF FINANCIAL STATEMENTS FOR PERIODS BEGINNING ON OR
AFTER 1ST APRIL 2010
THIS (SA) DEALS WITH THE EXTERNAL AUDITOR'S
RESPONSIBILITIES IF USING THE WORK OF INTERNAL AUDITORS.
IT INCLUDES
(a) USING THE WORK OF THE INTERNAL AUDIT FUNCTION IN
OBTAINING AUDIT EVIDENCE AND
(b) (B) USING INTERNAL AUDITORS TO PROVIDE DIRECT
ASSISTANCE UNDER THE DIRECTION, SUPERVISION AND REVIEW
OF THE EXTERNAL AUDITOR.
THIS SA DOES NOT APPLY IF THE ENTITY DOES NOT HAVE AN
INTERNAL AUDIT FUNCTION.
RELATIONSHIP BETWEEN SA 315 AND SA 610
OBJECTIVES AND SCOPE OF AN INTERNAL AUDIT FUNCTION, THE NATURE OF ITS
RESPONSIBILITIES AND ITS ORGANIZATIONAL STATUS, DEPEND ON THE SIZE AND
STRUCTURE OF THE ENTITY AND THE REQUIREMENTS OF MANAGEMENT AND,
WHERE APPLICABLE, THOSE CHARGED WITH GOVERNANCE.
THIS SA ADDRESSES THE EXTERNAL AUDITOR'S RESPONSIBILITIES WHEN, BASED
ON THE EXTERNAL AUDITOR'S PRELIMINARY UNDERSTANDING OF THE INTERNAL
AUDIT FUNCTION OBTAINED AS A RESULT OF PROCEDURES PERFORMED UNDER SA
315, THE EXTERNAL AUDITOR EXPECTS TO USE THE WORK OF THE INTERNAL AUDIT
FUNCTION AS PART OF THE AUDIT EVIDENCE OBTAINED.
4. SUCH USE OF THAT WORK MODIFIES THE NATURE OR TIMING, OR REDUCES THE
EXTENT, OF AUDIT PROCEDURES TO BE PERFORMED DIRECTLY BY THE EXTERNAL
AUDITOR.
5. IN ADDITION, THIS SA ALSO ADDRESSES THE EXTERNAL AUDITOR'S
RESPONSIBILITIES IF CONSIDERING USING INTERNAL AUDITORS TO PROVIDE
DIRECT ASSISTANCE UNDER THE DIRECTION, SUPERVISION AND REVIEW OF THE-
EXTERNAL AUDITOR .
THE RELATIONSHIP BETWEEN INTERNAL AUDITOR AND EXTERNAL AUDITOR
Objective/ Functions Set by the management and Different objectives but some
different from the external functions performed to
auditor achieve objective may be
similar
Independence& Responsibility Not independent of the entity Sole responsibility for the
irrespective of the degree of audit opinion expressed and
autonomy and objectivity not reduced by the use of
internal auditor’s work
THE OBJECTIVES OF THE EXTERNAL AUDITOR, WHERE THE ENTITY HAS AN
INTERNAL AUDIT FUNCTION ARE:
(a) TO DETERMINE WHETHER THE WORK OF THE INTERNAL AUDIT
FUNCTION OR DIRECT ASSISTANCE FROM INTERNAL AUDITORS CAN BE
USED, AND IF SO, IN WHICH AREAS AND TO WHAT EXTENT; OBJECTIVES
AND HAVING MADE THAT DETERMINATION:
(b) IF USING THE WORK OF THE INTERNAL AUDIT FUNCTION, TO
DETERMINE WHETHER THAT WORK IS ADEQUATE FOR PURPOSES OF
THE AUDIT; AND
(c) IF USING INTERNAL AUDITORS TO PROVIDE DIRECT ASSISTANCE, TO
APPROPRIATELY DIRECT, SUPERVISE AND REVIEW THEIR WORK
DETERMINING WHETHER, IN WHICH AREAS, AND TO WHAT EXTENT THE
WORK OF THE INTERNAL AUDIT FUNCTION CAN BE USED
• OBJECTIVITY
• QUALITY CONTROL
• COMPETENCE
WHETHER AND TO WHAT EXTENT TO USE OF INTERNAL AUDITOR WORK
B. PLANNED EFFECT OF INTERNAL AUDITOR’S WORK ON THE NATURE, TIMING OR EXTENT OF EXTERNAL
AUDITOR’S PROCEDURES AND CONSIDER:
I. NATURE AND SCOPE OF SPECIFIC WORK PERFORMED OR TO BE PERFORMED
II. ASSESSED RISK OF MATERIAL MISSTATEMENT AT THE ASSERTION LEVEL FOR A PARTICULAR CLASS OF
TRANSACTION, ACCOUNT BALANCE AND DISCLOSURE
III. THE DEGREE OF SUBJECTIVITY INVOLVED IN EVALUATING THE AUDIT EVIDENCE TO SUPPORT THE
RELEVANT ASSERTIONS
DOCUMENTATION
THE EVALUATION OF:
(I) WHETHER THE FUNCTION'S ORGANIZATIONAL STATUS AND RELEVANT POLICIES AND PROCEDURES ADEQUATELY SUPPORT THE
(III) WHETHER THE FUNCTION APPLIES A SYSTEMATIC AND DISCIPLINED APPROACH, INCLUDING QUALITY CONTROL;
(B) THE NATURE AND EXTENT OF THE WORK USED AND THE BASIS FOR THAT DECISION; AND
(C) THE AUDIT PROCEDURES PERFORMED BY THE EXTERNAL AUDITOR TO EVALUATE THE ADEQUACY OF THE WORK USED.
2. IF THE EXTERNAL AUDITOR USES INTERNAL AUDITORS TO PROVIDE DIRECT ASSISTANCE ON THE AUDIT, THE EXTERNAL AUDITOR
(A)THE EVALUATION OF THE EXISTENCE AND SIGNIFICANCE OF THREATS TO THE OBJECTIVITY OF THE INTERNAL AUDITORS, AND THE
(B) THE BASIS FOR THE DECISION REGARDING THE NATURE AND EXTENT OF THE WORK PERFORMED BY THE INTERNAL AUDITORS;
(C) WHO REVIEWED THE WORK PERFORMED AND THE DATE AND EXTENT OF THAT REVIEW IN ACCORDANCE WITH SA 230;
(D) THE WRITTEN AGREEMENTS OBTAINED FROM AN AUTHORIZED REPRESENTATIVE OF THE ENTITY AND THE INTERNAL AUDITORS.
(E)THE WORKING PAPERS PREPARED BY THE INTERNAL AUDITORS WHO PROVIDED DIRECT ASSISTANCE ON THE AUDIT ENGAGEMENT.
Specific work of Internal Auditor & Documentation
To use the work of the internal auditors, external auditor should evaluate and
perform audit procedures in that work to determine its adequacy if:
i. Work performed exhibits adequate technical training and proficiency
ii. Properly supervised, reviewed and documented
iii. Sufficient audit evidence has been obtained to draw reasonable conclusions
iv. Conclusions reached are appropriate
v. Reports are consistent with the working papers
vi. Exceptions or unusual matters, if any are properly resolved