UNIT - 3

AUDIT RISK AND

INTERNAL CONTROL
TOPICS TO BE COVERED
 AUDIT RISK – Concept and Types, Relationship with audit materiality.
 PROFESSIONAL SKEPTICISM.
 INTERNAL CONTROL-Definition, Objectives, Evaluation, Internal Control Check List,
Internal Control Questionnaire and COSO’s Internal Control Framework.
 INTERNAL CHECK- Definition, Objectives and General Principles on Internal Check for
selected transactions
 INTERNAL AUDIT - Definition, Objectives, Regulatory Requirement, Use of Internal
Auditor’s Work by Statutory Auditor
 AUDIT RISK
AUDIT RISK 
‘The Risk That The Auditor Expresses An Inappropriate Audit Opinion When The Financial
Statements Are Materially Misstated. Audit Risk Is A Function Of Material Misstatement And
Detection Risk.’

Stated Another Way, This Is The Risk That There Is A Material Misstatement In The Financial
Statements, But The Auditor Misses It And Says That They Present A True And Fair View.

Audit risk (AR) = Inherent risk (IR) × Control risk (CR) × Detection risk (DR)
COMPONENTS OF AUDIT RISK
AUDIT RISK

RISK OF DETECTION
MATERIAL MIS RISK
STATEMENT

INHERENT CONTROL
RISK RISK
 RISK OF MATERIAL MISSTATEMENT:
 The risk of material misstatement is the risk that the financial statement of an organization have
been misstated to a material degree.

 INHERENT RISK-
 Inherent audit risks are the risks that the material misstatements could possibly happen
in financial statements due to other reasons rather than the failure of internal control over
financial reporting as well as detection risks. 
 Examples :
• A cash-based business
CONTROL RISK

CONTROL RISK is the risk of a material misstatement in the financial statements arising due to
absence or failure in the operation of relevant controls of the entity.
organizations must have adequate internal controls in place to prevent and detect instances of fraud and
error. 
control risk is high where the audit entity does not have adequate internal controls to prevent and detect
instances of fraud and error in the financial statements.
INHERENT LIMITATIONS OF INTERNAL CONTROL
•POTENTIAL OF HUMAN ERROR
•ABUSE OF CONTROL BY THE PERSON WHO IS HIMSELF RESPONSIBLE FOR EXERCISING
IT
•MANIPULATIONS BY MANAGEMENT
•TRANSACTIONS OF UNUSUAL NATURE MAY BE MISSED BY MOST CONTROLS
Assessment of control risk
1. Preliminary assessment of Control Risk-
i. It refers to evaluating the likely effectiveness of an entity’s internal control system in
preventing or detecting and correcting material misstatements.
ii. The auditor should obtain an understanding of internal controls to make a preliminary
assessment of the control risk.
iii. The control risk is assessed as High unless the auditor:
a. Can verify internal controls which are likely to prevent or detect and correct a material
misstatement and
b. Plans to perform test of controls.
2. Test of Controls-
The auditor performs Test of Control to obtain audit evidence about the following:
a. Whether the accounting and the internal control systems are suitably designed to prevent or
detect and correct material misstatements and
b. Operation of internal controls throughout the period.

3. Final assessment of Control risk-

Based on the results of the test of controls, the auditor should evaluate whether the preliminary
assessment of control risk was correct or needs to be revised. He should accordingly determine
any modification in the NTE of the auditor procedures.
DETECTION RISK
DETECTION RISK is the risk that the auditors fail to detect a material misstatement in the financial
statements.

An auditor must apply audit procedures to detect material misstatements in the financial statements
whether due to fraud or error. misapplication or omission of critical audit procedures may result in a
material misstatement remaining undetected by the auditor. 

RMM + DR = AUDIT RISK

IR+CR + DR = AUDIT RISK
Relationship between Materiality and Audit Risk
There Is An Inverse Relationship Between Materiality And Audit Risk.
IN TERMS OF SA 320, PARAGRAPH A1, A RELATIONSHIP EXISTS BETWEEN AUDIT RISK AND
MATERIALITY. THIS RELATIONSHIP IS INVERSE. THE HIGHER THE AUDIT RISK, THE LOWER THE
MATERIALITY WILL BE SET. THE LOWER THE AUDIT RISK, THE HIGHER THE MATERIALITY WILL BE SET.
As Audit Risk Increases, The Auditor Will Compensate For This Risk By Lowering Materiality. This Has The Effect Of
Increasing The Amount Of Substantive Testing The Auditor Must Perform (As Increasingly Smaller Amounts Are Included
In The Scope Of Testing) In Order To Obtain Sufficient Evidence.
As Risk Decreases However, The Auditor Is Core Comfortable With The Effectiveness Of Controls In Which Case He Will
Raise Materiality In Order To Scope Out Small Amounts And Have To Perform Less Substantive Testing To Obtain
Sufficient Evidence.
In Short:
Audit Risk Rises, Materiality Decreases, Testing Increases.
Audit Risk Decreases, Materiality Increases, Testing Decreases.
PROFESSIONAL SKEPTICISM

 “an attitude that includes a questioning mind, being alert to conditions that may
indicate possible misstatement due to fraud or error, and a critical assessment of
audit evidence.” as per SA 200.

 Professional skepticism includes being alert to, for example:

• Audit evidence that contradicts other audit evidence obtained.
• Information that brings into question the reliability of documents and responses to
inquiries to be used as audit evidence.
• Conditions that may indicate possible fraud.
INTERNAL CONTROL
INTERNAL CONTROL REFERS TO THE VARIOUS METHODS AND PROCEDURES ADOPTED
FOR THE CONTROL OF PRODUCTION, DISTRIBUTION AND THE WHOLE SYSTEM
(FINANCIAL AND NON-FINANCIAL) OF THE ENTERPRISE.

DEFINITION: INTERNAL CONTROL CAN BE DEFINED AS A SYSTEM DESIGNED,

INTRODUCED AND MAINTAINED BY THE COMPANY’S MANAGEMENT AND TOP-LEVEL
EXECUTIVES, TO PROVIDE A SUBSTANTIAL DEGREE OF ASSURANCE IN ACHIEVING
BUSINESS OBJECTIVE, WHILE COMPLYING WITH THE POLICIES AND LAWS,
SAFEGUARDING THE ASSETS, MAINTAINING EFFICIENCY AND EFFECTIVENESS IN
REGULAR OPERATIONS AND RELIABILITY OF FINANCIAL STATEMENTS.
OBJECTIVES OF INTERNAL CONTROL

• PROPER AUTHORISATION -  transactions are executed with management’s general and specific authorisation.

• PROMPT RECORDING OF TRANSACTIONS   all the transactions are promptly recorded in the correct amount in the
appropriate accounts and in the accounting period in which they are executed to permit preparation of financial
information within a framework of recognized accounting policies and to maintain accountability of assets .

• RESTRICTED ACCESS TO ASSETS   access to assets is permitted only in accordance with management’s

authorisation.

• ACTIONS AGAINST DEVIATIONS   the recorded accountability for assets is compared with the existing assets at
reasonable intervals and appropriate action is taken with regard to any differences.
 Objectives in detail:
• To ensure that the business transactions take place as per the general and specific
authorisation of the management.
• To make sure that there is a sequential and systematic recording of every transaction, with
the accurate amount in their respective account and in the accounting period in which they
take place. It confirms that the financial statement fulfils the relevant statutory requirements.
• To provide security to the company’s assets from unauthorised use. For this purpose,
physical security systems are used to provide protection such as security guards, anti-theft
devices, surveillance cameras, etc.
• To compare the assets in the record with that of the existing ones at regular intervals and
report to the those charged with governance (TCWG), in case any difference is found.
• To evaluate the system of accounting for complete authorisation of the transactions.
• To review the working of the organization and the loopholes in the operations and take
necessary steps for its correction.
• To ensure there is the optimum utilization of the firm’s resources, i.e. men, material,
machine and money.
• To find out whether the financial statements are in alignment with the accounting
concepts and principles.
1.PREVENTIVE CONTROLS: THESE CONTROLS ARE INTRODUCED IN THE
FIRM TO STOP ERRORS AND IRREGULARITIES FROM TAKING PLACE.

2.DETECTIVE CONTROLS: THESE CONTROLS ARE IMPLEMENTED TO

REVEAL ERRORS AND IRREGULARITIES, ONCE THEY TAKE PLACE.

3.CORRECTIVE CONTROLS: THESE CONTROLS ARE DESIGNED TO TAKE

CORRECTIVE ACTION FOR REMOVING ERRORS AND IRREGULARITIES
AFTER THEY ARE DETECTED.
Auditor’s Duty in Evaluating the System of Internal Control

 1. Understand the System: The auditor should understand the control system by discussing with
personnel at various levels in the organization. He should also refer to organization charts and manuals
for this purpose.

 2. Determining the Reliability: The management installs and maintains an adequate internal control
system considering the nature and size of the business. It is the duty of an auditor to establish a basis or
degree of reliance on the system of control.

 3. Determining the Adequacy: The auditor should apply various compliance tests in order to determine
the adequacy of internal control system.

 4. Review and Evaluation: Auditor should critically review and evaluate the internal control system to
determine the efficiency of its operations. If there is a good system of internal control the work of an
auditor becomes easy.
 Methods of Evaluating Internal Control System.
 1. Narrative Record or Memorandum Approach: It is a complete and exhaustive description of the system. It is
appropriate in circumstances where a formal control system is lacking, like in case of small businesses. Gaps in the
control system are difficult to identify using a narrative record.

 2. Check List: It is a series of instructions that a member of the audit staff is required to follow. They must be signed
initialed by the audit assistant as proof for having followed the instructions given. A specific statement is required for
every weakness area.

 3. Flow Chart: It is a pictorial representation of the internal control system depicting its various elements such as
operations, processes and controls, which help in giving a concise and comprehensive view of the organization’s
working to the auditor. A complete flow chart would depict the process of raising documents, personnel involved in
doing so, the flow of documents through various departments, maintenance of records, flow of goods and
consideration, and dealing with results. The internal control evaluation process becomes easier through a flow chart as
a broad picture of all the controls involved can be gauged in a glimpse.

 4. Internal Control Questionnaire: This is the most widely used method for collecting information regarding the
internal control system and involves asking questions to various people at different levels in the organization. The
questionnaire is in a pre-designed format to ensure collection of complete and all relevant information. The questions
are formed in a manner that would facilitate obtaining full information through answers in “Yes” or “No’’.
ADVANTAGES OF INTERNAL CONTROL
1. DETECTION OF ERRORS AND FRAUDS: internal control
systems are structured in such a way that work done by one employee
in a process is checked by another without knowledge of the former. in
such an environment, any fraud committed is brought to light unless
there is collusion among fraudsters.

2. 2. TIME SAVING: auditor can test check or sample check the

transactions to ensure reliability, and accuracy of entries in the books.
hence, he can complete his audit work and prepare financial
statements within the prescribed time
3. MINIMUM SCOPE FOR ERRORS AND FRAUDS: each employee does only a limited work assigned to him,
moreover, consciousness of his work being independently checked by another keeps him to be always alert at work. in
such a context, chances for commission of error or fraud are lesser.

4. OPERATIONAL EFFICIENCY:it facilitates fixation of accountability, error – free work performance,

accuracy reliability and authenticity of entries and eradicate inefficiency, fraud, theft, etc. moreover, this
system enables the management to assess the performance of employees. all these collectively contribute
to enhance the operational efficiency of organization.
DISADVANTAGES OF INTERNAL CONTROL
1. ORGANIZATIONAL STRUCTURE: deficiencies in organizational structure make internal control ineffective.

2. SIZE OF THE ORGANIZATION: small organizations have very low levels of internal control, which are almost negligible due to more
interference by owners and management.

3. UNUSUAL TRANSACTIONS: the internal control procedures normally fail to keep a check on unusual transactions.

4. COSTLY: the implementation of internal control procedures and processes involves incurring costs in terms of time, effort and resources.

5. ABUSE OF POWER: members at the top-level management may override or interfere with control.

6. COLLUSION OF TWO OR MORE PEOPLE: it may lead to internal controls being over- ridden.

7. OBSOLESCENCE: control system may become redundant with passage of time if not updated with change in the size and nature of
business.

8. HUMAN ERROR: internal control fails as there are posibility of human errors.

9. FREQUENT FOLLOW-UP MEASURES: follow-up procedures need to be frequent to ensure its effectiveness, which is extremely time-
consuming.
 INTERNAL CONTROL QUESTIONNAIRE
An internal control questionnaire is basically a comprehensive list of questions, covering every aspect
of the client’s system, the answers to which will enable the auditor to assess the internal controls in
operation. To facilitate the assessment, the questions are asked in a form whereby the answer ‘yes’ is
satisfactory, whereas the answer ‘no’ appears to indicate a weakness.

 Basic characteristics of internal control questionnaire

 The internal control questionnaires will be drafted as far as possible in a form whereby the
questions can be answered simply with a “yes/no/not applicable”.
Evaluation of Internal Control
An evaluation of internal control involves an examination of the effectiveness of an organization's
system of internal controls. By engaging in this evaluation, an auditor can determine the extent of
other tests that must be performed in order to arrive at an opinion regarding the fairness of the entity's
financial statements. A robust system of internal controls reduces the risk of fraudulent activity, which
moderates the need for additional audit procedures.
 Tools to review the I.C system
1. Narrative record-
Meaning- It is a complete and exhaustive detail of system as found in operation by the auditor.
Advantages- i. When properly framed formal IC system is not found, complete description is needed.
ii. Suitable for small business.
Limitations- i. Detailed observation is needed(time consuming)
ii. It doesn’t readily identify weakness in system
iii. Constant updating is needed if circumstances are changed
2. I.C Check list-
Meaning- It contains series of questions to be answered by the audit staff.
Advantages- i. On the job requirement, thus motivating
ii. Completed checklist is studied by the senior audit staff, thus weaknesses can’t be overlooked
iii. Easy location of weakness
Limitations- i. Requires intelligence to prepare proper checklist
ii. Time consuming
iii. Client can manipulate when responding to questions raised by audit staff
3. I.C Questionnaire-
Meaning- It is a comprehensive series of questions on each aspect of I.C., prepared by auditor and filled by the client’s
employees.
Advantages- i. Detailed questionnaire, thus no important aspect is overlooked
ii. Weaknesses are easily located
iii. Evaluating I.C. system becomes systematic and easy
iv. Recommendations can be easily provided by auditor
Limitations- i. Time consuming
ii. Client may answer in a hasty way
iii. Client may manipulate the answers.
4. Flowchart-
Meaning- It is a graphic presentation of each part of entity’s internal control system.
Advantage- i. Concise presentation
ii. Easily understandable
iii. Gives “birds eye view” of complete system
Limitations- i. Time consuming to prepare such a flowchart which is concise yet showing every
important aspect of I.C.
ii. Weakness can’t be readily located.
DIFFERENCES BETWEEN INTERNAL CHECK AND INTERNAL CONTROL
COSO’s Internal Control Framework
 What does COSO stand for?
In 1992, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) developed
a model for evaluating internal controls. This model has been adopted as the generally accepted
framework for internal control and is widely recognized as the definitive standard against which
organizations measure the effectiveness of their systems of internal control. 
 What is the COSO framework?
The COSO model defines internal control as “a process effected by an entity’s board of directors,
management and other personnel designed to provide reasonable assurance of the achievement of
objectives in the following categories:
a. Operational Effectiveness and Efficiency
b. Financial Reporting Reliability
c. Applicable Laws and Regulations Compliance
In an effective internal control system, the following five components work to support the achievement of an
entity’s mission, strategies and related business objectives:
1. Control Environment
 Exercise integrity and ethical values.
 Make a commitment to competence.
 Use the board of directors and audit committee.
 Facilitate management’s philosophy and operating style.
 Create organizational structure.
 Issue assignment of authority and responsibility.
 Utilize human resources policies and procedures.
2. Risk Assessment
 Create companywide objectives.
 Incorporate process-level objectives.
 Perform risk identification and analysis.
 Manage change.
3. Control Activities
 Follow policies and procedures.
 Improve security (application and network).
 Conduct application change management.
 Plan business continuity/backups.
 Perform outsourcing.
4. Information and Communication
 Measure quality of information.
 Measure effectiveness of communication.
5. Monitoring
 Perform ongoing monitoring.
 Conduct separate evaluations.
 Report deficiencies
INTERNAL AUDIT
 “Internal auditing consists of a continuous critical review of financial and operating activities by
a staff of auditor’s function as full-time salaried employees”

 According to The Institute of Internal Auditor’s, USA, “Internal auditing is an independent

appraisal function established within an organization to examine and evaluate its activities as a
service to the organization. It is a type of control which functions by measuring and evaluating
the effectiveness of other types of control”
Objectives of Internal Audit
1. VERIFY THE ACCURACY OF ACCOUNTS: THE PRIMARY AIM OF INTERNAL AUDIT IS TO VERIFY THE CORRECTNESS AND
ACCURACY OF THE FINANCIAL RECORDS AND ACCOUNTS THAT ARE BEING PRESENTED TO THE MANAGEMENT.

2. DETECTION OF ERRORS AND FRAUDS: INTERNAL AUDITOR HAS TO ADOPT SUITABLE TECHNIQUES AND MEASURES TO
DETECT ERRORS AND FRAUDS, WHICH ARE LIKELY TO BE COMMITTED IN THE ORGANIZATION.

3. REVIEW THE INTERNAL CHECK AND CONTROL SYSTEM: THE AUDITOR HAS TO REVIEW AND COMMENT ON THE
EFFECTIVE FUNCTION OF THE INTERNAL CHECK AND INTERNAL CONTROL SYSTEM WITHIN THE ORGANIZATION. ANY
DEVIATION IN THE FUNCTION OF THE SYSTEM SHOULD BE REPORTED TO THE MANAGEMENT AND THE AUDITOR SHOULD
INITIATE SUITABLE RECOMMENDATIONS.

4. VERIFY THE ASSETS OF THE COMPANY: INTERNAL AUDITOR SHOULD VERIFY THE EXISTENCE OF THE ASSETS IN THE
COMPANY AND SHOULD VERIFY THAT PROPER MEASURES ARE TAKEN TO PROTECT OR MAINTAIN THE ASSETS. HE SHOULD
ALSO VERIFY THAT ASSETS ARE PURCHASED OR SOLD OR REPLACED ONLY WITH THE APPROVAL OF AN AUTHORIZED
PERSON.

5. VERIFY THE LIABILITIES: THE INTERNAL AUDITOR HAS TO VERIFY THAT THE LIABILITIES INCURRED BY THE
ORGANIZATION ARE LEGITIMATE AND THEY ARE LIKELY TO BE INCURRED FOR THE ORGANIZATIONAL ACTIVITIES.

6. ADHERENCE TO ACCOUNTING STANDARDS: INTERNAL AUDITOR HAS TO ENSURE THAT THE ACCOUNTING STANDARD
PRACTICES FOLLOWED BY THE ORGANIZATION ARE STRICTLY ADHERED.

7. REVIEW THE MANAGERIAL FUNCTIONS: INTERNAL AUDITOR HAS TO REVIEW THE MANAGERIAL FUNCTIONS OF AN
ORGANIZATION AND HAS TO REPORT ON THEM TO THE MANAGEMENT.
Functions of Internal Auditor
1. EVALUATING OF ACCOUNTING AND ADMINISTRATIVE CONTROL: INTERNAL AUDITING
ENSURES EFFECTIVE AND EFFICIENT SYSTEM OF ACCOUNTING CONTROL, STANDARD
COSTING, BUDGETARY CONTROL AND ALL OTHER ADMINISTRATIVE CONTROLS.

2. PROTECTION OF ASSETS: INTERNAL AUDITING BESIDES ENSURING PROPER ACCOUNTING

AND CUSTODY OF COMPANIES ASSET’S IT IS CONCERNED WITH THE PROTECTION OF THE
ASSETS. IT REPORTS TO THE MANAGEMENT ABOUT THE UTILIZATION OF THE ASSET AND THE
ADEQUACY OF RETURN FROM THE INVESTMENT.

3. COMPLIANCE WITH ESTABLISHED POLICIES AND PROCEDURES: INTERNAL AUDITING IS

CONCERNED WITH REPORTING TO THE MANAGEMENT ABOUT THE COMPLIANCE OF THE
PREDETERMINED POLICIES, PROCEDURES AND STANDARDS OF PERFORMANCE.

4. RELIABILITY AND VALIDITY OF REPORTS: INTERNAL AUDITING ASCERTAINS THE

RELIABILITY OF FINANCIAL AND OPERATING REPORTS PREPARED THROUGHOUT THE
ENTERPRISE. IT ALSO PROVIDES ASSURANCE TO THE MANAGEMENT OF THE VALIDITY OF
THE REPORTS AND RECORDS. INTERNAL AUDITING BRINGS TO LIGHT THE INADEQUACIES IN
THE CHECK AND CONTROL SYSTEM IN OPERATION TO THE MANAGEMENT. FURTHER, IT
PROVIDES ADVISORY SERVICES TO THE MANAGEMENT FOR THE IMPROVEMENT OF THE
SYSTEM.
 Regulatory requirements for Internal Audit

 Applicability of Sec. 138

Section 138 shall apply only to such class or classes of companies as may be prescribed. As per Rule 13 of the Companies
Act, 2014, following class of companies shall be covered u/s 138:
a. Every listed company
b. Every unlisted public company having-
i. Paid up share capital of Rs. 50 crore or more during the preceding financial year; or
ii. Turnover of Rs. 200 crore of more during the preceding financial year; or
iii. Outstanding loans or borrowings from banks or public financial institutions exceeding Rs. 100 crore or more at any
point of time during the preceding financial year; or
iv. Outstanding deposits of Rs. 25 crore or more at any point of time during the preceding financial year
c. Every private company having-
v. Turnover of Rs. 200 crore or more during the preceding financial year or
vi. Outstanding loans or borrowings from banks or public financial institutions exceeding Rs. 100 crore or more at any
point of time during the preceding financial year
Legal requirements u/s 138

a. Every company to which Sec 138 is applicable shall appoint an internal auditor.
b. The internal auditor shall conduct the internal audit of the functions and activities
of the company.
c. The internal auditor shall be-
i. A Chartered Accountant or
ii. A Cost Accountant or
iii. Such other professional as may be decided by the Board.
Definitions

a)  Internal audit function – An appraisal activity established or provided as a service to the

entity. Its functions include, amongst other things, examining, evaluating and monitoring the
adequacy and effectiveness of internal control. The Preface to the Standards on Internal Audit,
issued by the Institute of Chartered Accountants of India, issued in November 2004 describes
internal audit as “an independent management function, which involves a continuous and
critical appraisal of the functioning of an entity with a view to suggest improvements thereto
and add value to and strengthen the overall governance mechanism of the entity, including the
entity’s strategic risk management and internal control system. Internal audit, therefore,
provides assurance that there is transparency in reporting, as a part of good governance.”

(b)  Internal auditors – Those individuals who perform the activities of the internal audit
function. Internal auditors may belong to an internal audit department or equivalent function.
Requirements

Determining Whether and to What Extent to Use the Work of the Internal Auditors
 The external auditor shall determine:
a. Whether the work of the internal auditors is likely to be adequate for purposes of the audit; and
b. If so, the planned effect of the work of the internal auditors on the nature, timing or extent of the external
auditor’s procedures.
 In determining whether the work of the internal auditors is likely to be adequate for purposes of the audit, the
external auditor shall evaluate:
a. The objectivity of the internal audit function;
b. The technical competence of the internal auditors;
c. Whether the work of the internal auditors is likely to be carried out with due professional care; and
d. Whether there is likely to be effective communication between the internal auditors and the external auditor.
COMPARISON BETWEEN INTERNAL AUDIT AND EXTERNAL AUDIT

INTERNAL AUDIT
• Audit Conducted Internally I.E., By The Management To Ensure That The Company Complies With The Policies,
Procedures And Principles.
• The Person Who Conducts Internal Audit Is Called As Internal Auditor, Who Is Appointed By The Management.
The Scope Of Work, Powers And Duties Of Internal Auditor Are Determined By The Management.
• Internal Auditor Need Not Be A Qualified Chartered Accountant And Is Remunerated In The Form Of Salary As
He Is An Employee Of The Company.
• Internal Auditor Has To Submit An Internal Audit Report To The MANAGEMENT.

EXTERNAL AUDIT
• Audit Conducted Externally I.E., By The Shareholders To Examine The Accuracy Of The Books Of Accounts,
Records And Financial Statements.
• The Person Who Conducts External Audit Is Called As Statutory Or External Auditor Who Is Appointed By The
Shareholders Of The Company. The Scope Of Work, Powers And Duties Of Statutory Auditor Are Determined By
The Companies Act.
• Statutory Auditor Should Be A Qualified Chartered Accountant And Is Remunerated In The Form Of Audit Fees As
He Is An Independent Person.
• Statutory Auditor Submits Statutory Audit Report To The Shareholders Of The Company
SA 610 - USING THE WORK OF INTERNAL AUDITORS
OBJECTIVE
IF AN ENTITY HAS AN INTERNAL AUDIT FUNCTION AND ITS RELEVANCE TO
THE EXTERNAL AUDITOR’S WORK, THEN THE EXTERNAL AUDITOR SHOULD
DETERMINE:
A. IF THE SPECIFIC WORK OF THE INTERNAL AUDITOR CAN BE USED AND IF
SO, TO WHAT EXTENT.
B. SUCH WORK IS ADEQUATE FOR THE AUDIT PURPOSE.
SA 610 USING THE WORK OF INTERNAL AUDITORS IS EFFECTIVE FOR AN
AUDIT OF FINANCIAL STATEMENTS FOR PERIODS BEGINNING ON OR
AFTER 1ST APRIL 2010
 THIS (SA) DEALS WITH THE EXTERNAL AUDITOR'S
RESPONSIBILITIES IF USING THE WORK OF INTERNAL AUDITORS.
IT INCLUDES
(a) USING THE WORK OF THE INTERNAL AUDIT FUNCTION IN
OBTAINING AUDIT EVIDENCE AND
(b) (B) USING INTERNAL AUDITORS TO PROVIDE DIRECT
ASSISTANCE UNDER THE DIRECTION, SUPERVISION AND REVIEW
OF THE EXTERNAL AUDITOR.
THIS SA DOES NOT APPLY IF THE ENTITY DOES NOT HAVE AN
INTERNAL AUDIT FUNCTION.
RELATIONSHIP BETWEEN SA 315 AND SA 610
OBJECTIVES AND SCOPE OF AN INTERNAL AUDIT FUNCTION, THE NATURE OF ITS
RESPONSIBILITIES AND ITS ORGANIZATIONAL STATUS, DEPEND ON THE SIZE AND
STRUCTURE OF THE ENTITY AND THE REQUIREMENTS OF MANAGEMENT AND,
WHERE APPLICABLE, THOSE CHARGED WITH GOVERNANCE.
THIS SA ADDRESSES THE EXTERNAL AUDITOR'S RESPONSIBILITIES WHEN, BASED
ON THE EXTERNAL AUDITOR'S PRELIMINARY UNDERSTANDING OF THE INTERNAL
AUDIT FUNCTION OBTAINED AS A RESULT OF PROCEDURES PERFORMED UNDER SA
315, THE EXTERNAL AUDITOR EXPECTS TO USE THE WORK OF THE INTERNAL AUDIT
FUNCTION AS PART OF THE AUDIT EVIDENCE OBTAINED.
4. SUCH USE OF THAT WORK MODIFIES THE NATURE OR TIMING, OR REDUCES THE
EXTENT, OF AUDIT PROCEDURES TO BE PERFORMED DIRECTLY BY THE EXTERNAL
AUDITOR.
5. IN ADDITION, THIS SA ALSO ADDRESSES THE EXTERNAL AUDITOR'S
RESPONSIBILITIES IF CONSIDERING USING INTERNAL AUDITORS TO PROVIDE
DIRECT ASSISTANCE UNDER THE DIRECTION, SUPERVISION AND REVIEW OF THE-
EXTERNAL AUDITOR .
 THE RELATIONSHIP BETWEEN INTERNAL AUDITOR AND EXTERNAL AUDITOR
Particulars Internal Audit Function/
Internal Auditor
Role and Scope Determined by the
management
Objective/ Functions Set by the management and
different from the external
auditor
Independence& Responsibility Not independent of the entity
irrespective of the degree of
autonomy and objectivity
External Auditor
Statutory and defined by the
applicable law and regulation
Different objectives but some
functions performed  to
achieve objective may be
similar
Sole responsibility for the
audit opinion expressed and
not reduced by the use of
internal auditor’s work
THE OBJECTIVES OF THE EXTERNAL AUDITOR, WHERE THE ENTITY HAS AN
INTERNAL AUDIT FUNCTION ARE:
(a) TO DETERMINE WHETHER THE WORK OF THE INTERNAL AUDIT
FUNCTION OR DIRECT ASSISTANCE FROM INTERNAL AUDITORS CAN BE
USED, AND IF SO, IN WHICH AREAS AND TO WHAT EXTENT; OBJECTIVES
AND HAVING MADE THAT DETERMINATION:
(b) IF USING THE WORK OF THE INTERNAL AUDIT FUNCTION, TO
DETERMINE WHETHER THAT WORK IS ADEQUATE FOR PURPOSES OF
THE AUDIT; AND
(c) IF USING INTERNAL AUDITORS TO PROVIDE DIRECT ASSISTANCE, TO
APPROPRIATELY DIRECT, SUPERVISE AND REVIEW THEIR WORK
DETERMINING WHETHER, IN WHICH AREAS, AND TO WHAT EXTENT THE
WORK OF THE INTERNAL AUDIT FUNCTION CAN BE USED

• OBJECTIVITY
• QUALITY CONTROL
• COMPETENCE
WHETHER AND TO WHAT EXTENT TO USE OF INTERNAL AUDITOR WORK

EXTERNAL AUDITOR SHOULD DETERMINE:

A. IF THE INTERNAL AUDITOR’S WORK IS ADEQUATE FOR AUDIT PURPOSE AND EVALUATE:
I. OBJECTIVITY OF INTERNAL AUDIT FUNCTION
II. INTERNAL AUDITOR’S TECHNICAL COMPETENCE
III. INTERNAL AUDITOR’S WORK IS CARRIED OUT WITH PROFESSIONAL CARE
IV. EFFECTIVE COMMUNICATION BETWEEN THE INTERNAL AUDITOR AND THE EXTERNAL AUDITOR

B. PLANNED EFFECT OF INTERNAL AUDITOR’S WORK ON THE NATURE, TIMING OR EXTENT OF EXTERNAL
AUDITOR’S PROCEDURES AND CONSIDER:
I. NATURE AND SCOPE OF SPECIFIC WORK PERFORMED OR TO BE PERFORMED
II. ASSESSED RISK OF MATERIAL MISSTATEMENT AT THE ASSERTION LEVEL FOR A PARTICULAR CLASS OF
TRANSACTION, ACCOUNT BALANCE AND DISCLOSURE
III. THE DEGREE OF SUBJECTIVITY INVOLVED IN EVALUATING THE AUDIT EVIDENCE TO SUPPORT THE
RELEVANT ASSERTIONS
DOCUMENTATION
THE EVALUATION OF:

(I) WHETHER THE FUNCTION'S ORGANIZATIONAL STATUS AND RELEVANT POLICIES AND PROCEDURES ADEQUATELY SUPPORT THE

OBJECTIVITY OF THE INTERNAL AUDITORS;

II) THE LEVEL OF COMPETENCE OF THE FUNCTION; AND

(III) WHETHER THE FUNCTION APPLIES A SYSTEMATIC AND DISCIPLINED APPROACH, INCLUDING QUALITY CONTROL;

(B) THE NATURE AND EXTENT OF THE WORK USED AND THE BASIS FOR THAT DECISION; AND

(C) THE AUDIT PROCEDURES PERFORMED BY THE EXTERNAL AUDITOR TO EVALUATE THE ADEQUACY OF THE WORK USED.

2. IF THE EXTERNAL AUDITOR USES INTERNAL AUDITORS TO PROVIDE DIRECT ASSISTANCE ON THE AUDIT, THE EXTERNAL AUDITOR

SHALL INCLUDE IN THE AUDIT DOCUMENTATION:

(A)THE EVALUATION OF THE EXISTENCE AND SIGNIFICANCE OF THREATS TO THE OBJECTIVITY OF THE INTERNAL AUDITORS, AND THE

LEVEL OF COMPETENCE OF THE INTERNAL AUDITORS USED TO PROVIDE DIRECT ASSISTANCE,

(B) THE BASIS FOR THE DECISION REGARDING THE NATURE AND EXTENT OF THE WORK PERFORMED BY THE INTERNAL AUDITORS;

(C) WHO REVIEWED THE WORK PERFORMED AND THE DATE AND EXTENT OF THAT REVIEW IN ACCORDANCE WITH SA 230;

(D) THE WRITTEN AGREEMENTS OBTAINED FROM AN AUTHORIZED REPRESENTATIVE OF THE ENTITY AND THE INTERNAL AUDITORS.

(E)THE WORKING PAPERS PREPARED BY THE INTERNAL AUDITORS WHO PROVIDED DIRECT ASSISTANCE ON THE AUDIT ENGAGEMENT.
 Specific work of Internal Auditor & Documentation
 To use the work of the internal auditors, external auditor should evaluate and
perform audit procedures in that work to determine its adequacy if:
 i. Work performed exhibits adequate technical training and proficiency
 ii. Properly supervised, reviewed and documented
 iii. Sufficient audit evidence has been obtained to draw reasonable conclusions
 iv. Conclusions reached are appropriate
 v. Reports are consistent with the working papers
 vi. Exceptions or unusual matters, if any are properly resolved