Risk Assessment and Internal Control PDF

Summary

This chapter introduces the concept of risk assessment and internal control in accounting. It highlights the importance of understanding the entity's business processes, the system of internal controls, and the nature of audit risk.

Full Transcript

CHAPTER 3
RISK ASSESSMENT AND INTERNAL CONTROL

LEARNING OUTCOMES

After studying this chapter, you would be able to understand:
♦ Meaning of audit risk and variables affecting it.
♦ Risk assessment procedures.
♦ Concept of materiality in planning and performing an audit.
♦ Importance of understanding the entity and its environment.
♦ Meaning, objectives, benefits and limitations of internal control.
♦ Components of internal control.
♦ Whether all the controls are relevant to an audit.
♦ Nature and Extent of the Understanding of Relevant Controls.
♦ Risks that require special audit consideration.
♦ Evaluation of Internal control system - Benefits and methods.
♦ Testing of internal control.
♦ Automated environments - its key features.
♦ Risks arising from use of IT Systems.
♦ Types of Controls in an automated environment.
♦ Importance of data analytics for audit.
♦ Internal financial controls as per regulatory requirements.
♦ Auditor’s responses to assessed risks.
♦ Practicality of above concepts by studying through examples and case studies.

© The Institute of Chartered Accountants of India, AUDITING AND ETHICS

CHAPTER OVERVIEW

[Chapter overview diagram. Labels: Audit Risk; Risk Assessment & Internal Control; Understanding the Entity and its Environment; Identify & Assess Risk of Material Misstatement; Risk Assessment Procedures; SA 315, SA 320 & SA 330; Automated Environment; IT Related Risks; Controls & Types of IT Controls; Testing Methods; Impact on Controls; Data Analytics; Digital Audit; Internal Financial Controls.]

Sameer had now subscribed to online subscription of a pink newspaper using his Android phone. He was getting regular news updates pertaining to financial matters of companies. While going through such updates, he stumbled upon one report relating to audited accounts of a listed company. Scrolling the same, he gathered that SEBI had referred the matter to regulator for further action. He was flummoxed.
He had learnt that an audit is carried out after proper planning and performing audit procedures. However, the news report was hinting at the possibility of an inappropriate opinion expressed by the auditor. Was it a single odd case? Or is there a chance of an inappropriate opinion being expressed by an auditor when there are significant wrongdoings in financial statements in every audit? What is this risk known as? What causes the presence of this risk? Can’t it be eliminated completely? How can this risk be addressed? He needed answers to such questions.

It was clear to him that a meaningful and effective audit is possible only after gaining knowledge about the client’s business. What are the specifics about it? It cannot be limited merely to understanding the nature of the client’s business. Apart from this, it must include a study and evaluation of the client’s systems and controls. What system has been devised and put into operation by the client to carry out its business efficiently and effectively? How is the client ensuring reliability of financial reporting? All these questions should be important to an auditor.

Is gaining knowledge of the client’s systems and controls enough? Shouldn’t it be followed up with actual testing of the client’s controls? It is only when controls are actually tested that these can be relied upon. A thought was gaining ground in his mind about how the auditor responds to the risks. Is testing of controls enough, or is something more to be done?

He already knew how actively business entities are using technology to develop their systems with minimal human intervention. Shouldn’t use of technology ease things up? Can use of technology also involve risks which may be relevant to an auditor so that he doesn’t give an inappropriate opinion? To satiate his mind, he turned to Chapter 3.

1. AUDIT RISK

Audit risk means the risk that the auditor gives an inappropriate audit opinion when the financial statements are materially misstated. It means that an auditor expresses an unmodified opinion when financial statements are materially misstated. In such a case, not only would the reputation of the auditor be damaged, but he could also invite regulatory action from the professional body and could face probable legal action by intended users. To avoid such unpleasant consequences, the auditor will plan and perform the audit in such a way that audit risk is reduced to an acceptably low level.

SA-200 states that the auditor shall obtain sufficient appropriate audit evidence to reduce audit risk to an acceptably low level and thereby enable the auditor to draw reasonable conclusions on which to base the auditor’s opinion.

Consider, for example, that profits of a company have been increased artificially by showing fake revenues of sizeable amounts in its financial statements. In such a case, financial statements are materially misstated. The probability that the auditor, in such a case, expresses an inappropriate audit opinion is referred to as audit risk. It is the possibility that the auditor expresses an unmodified opinion even when financial statements are materially misstated.

Audit risk is a function of the risks of material misstatement and detection risk.

1.1 Risks of material misstatement

SA 200 states that risk of material misstatement is the risk that the financial statements are materially misstated prior to audit. It simply means that there is a probability of frauds or errors in financial statements before audit.

What is meant by misstatement? Misstatement refers to a difference between the amount, classification, presentation, or disclosure of a reported financial statement item and the amount, classification, presentation, or disclosure that is required for the item to be in accordance with the applicable financial reporting framework.
Misstatements can arise from error or fraud.

A few examples of misstatements could be:
• Charging of an item of capital expenditure to revenue or vice-versa
• Difference in disclosure of a financial statement item vis-à-vis its requirement in applicable financial reporting framework
• Selection or application of inappropriate accounting policies
• Difference in accounting estimate of a financial statement item vis-à-vis its appropriateness in applicable financial reporting framework
• Intentional booking of fake expenses in statement of profit and loss
• Overstating of receivables in financial statements by not writing off irrecoverable debts
• Overstating or understating inventories

The risks of material misstatement may exist at two levels:
(i) The overall financial statement level
(ii) The assertion level for classes of transactions, account balances, and disclosures.

Risks of material misstatement at the overall financial statement level refer to risks of material misstatement that relate pervasively to the financial statements as a whole and potentially affect many assertions.

Risks of material misstatement at the assertion level are assessed in order to determine the nature, timing, and extent of further audit procedures necessary to obtain sufficient appropriate audit evidence. This evidence enables the auditor to express an opinion on the financial statements at an acceptably low level of audit risk.

1.2 Components of risk of material misstatement

The risk of material misstatement at assertion level comprises two components, i.e., inherent risk and control risk. Both inherent risk and control risk are the entity’s risks and they exist independently of the audit of financial statements. Inherent risk and control risk are influenced by the client. These are the entity’s risks and are not influenced by the auditor.
1.2A Inherent risk

Inherent risk is the susceptibility of an assertion about a class of transaction, account balance or disclosure to a misstatement that could be material, either individually or when aggregated with other misstatements, before consideration of any related controls, as described in SA-200.

There is always a risk that, before considering the existence of any internal control in an entity, a particular transaction, balance of an account or a disclosure required to be made in the financial statements of an entity has a chance of being misstated, and such misstatement can be material. This risk is known as inherent risk.

Inherent risk is higher for some assertions and related classes of transactions, account balances, and disclosures than for others. For example, it may be higher for complex calculations.

Inherent risk factors are considered while designing tests of controls and substantive procedures. Whichever category the auditor assigns in his assessment, lower or higher, each category covers a range of degrees of inherent risk. The auditor may assess the inherent risk of two different assertions as lower while recognizing that one assertion has less inherent risk than the other, although both have been assessed as lower. It is important to consider the reason for each identified inherent risk, even if the risk is lower, when the auditor designs tests of controls and substantive procedures.

External circumstances giving rise to business risks may also influence inherent risk. For example, technological developments might make a particular product obsolete. Factors in the entity and its environment may also influence the inherent risk related to a specific assertion.

A few examples of inherent risks could include:
• An accounting standard provides guidance on some complex issue which might not be understood by the management. Therefore, recording of this issue in financial statements carries inherent risk of being misstated.
• There are a large number of business failures in an industry. Therefore, assertions in financial statements of an entity operating in such an industry carry an inherent risk of being misstated.

1.2B Control risk

In accordance with SA-200, control risk is the risk that a misstatement that could occur in an assertion about a class of transaction, account balance or disclosure and that could be material, either individually or when aggregated with other misstatements, will not be prevented, or detected and corrected, on a timely basis by the entity’s internal control.

Control risk is a risk that internal control existing and operating in an entity would not be efficient enough to stop from happening, or find and then rectify in an appropriate time, any material misstatement relating to a transaction, balance of an account or disclosure required to be made in the financial statements of that entity.

Therefore, in a way, it can be said that there exists an inverse relation between control risk and efficiency of internal control of an entity. When efficiency of internal control of an entity is high, the control risk is low, and when efficiency of internal control of that entity is low, the control risk is high.

Examples of control risk could include:
• A company has devised a control that cash and cheque books should be kept in a locked safe and access is granted to authorized personnel only. There is a risk that the control is not being followed.
• An entity has devised a control that fire extinguishers and smoke detectors are in place and are in working condition at all times to reduce the risk of damage to inventories caused by fire. There is a risk that fire extinguishers in place are expired and are not being refilled. Similarly, there is a possibility that smoke detectors are not working.
• A company has devised a control relating to petty cash that items of expenditure of only less than ₹ 10000 should be routed through the imprest system of petty cash. There is a risk that the control is not being followed.

1.3 Detection risk

SA 200 defines detection risk as the risk that the procedures performed by the auditor to reduce audit risk to an acceptably low level will not detect a misstatement that exists and that could be material, either individually or when aggregated with other misstatements.

For example, the auditor of a company uses certain audit procedures for the purpose of obtaining audit evidence and reducing audit risk, but there will still remain a risk that the audit procedures used by the auditor may not be able to detect a misstatement which by nature is material. That risk is known as detection risk.

Detection risk comprises sampling and non-sampling risk.
• Sampling risk is the risk that the auditor’s conclusion based on a sample may be different from the conclusion if the entire population were subjected to the same audit procedure. It simply means that the sample was not representative of the population from which it was chosen.
• Non-sampling risk is the risk that the auditor reaches an erroneous conclusion for any reason not related to sampling risk. For example, an auditor may reach an erroneous conclusion due to the application of some inappropriate audit procedure.

Examples of detection risk could include:
• Sizeable work-in-progress inventories are expected in financial statements of a company. However, the auditor of the company does not devote time to attending the inventory count. Instead, he chooses to rely upon alternative audit procedures.
• The auditor of a company has audited revenue of a company by taking a sample. However, there is a risk that the sample of revenue is not representative of overall revenue.
The auditor can only influence detection risk. Inherent risk and control risk belong to the entity and are influenced by the entity. Therefore, the auditor must reduce detection risk in order to keep audit risk at a low level. Detection risk may be reduced by increasing the area of checking, testing larger samples and by including competent and experienced persons in the engagement team.

1.4 Audit risk - What is not included?

Audit risk is a technical term related to the process of auditing; it does not refer to the auditor’s business risks such as loss from litigation, adverse publicity, or other events arising in connection with the audit of financial statements.

For purposes of the SAs, audit risk does not include the risk that the auditor might express an opinion that the financial statements are materially misstated when they are not. This risk is ordinarily insignificant.

1.5 Assessment of risks - A matter of professional judgment

As discussed at the outset, audit risk is a function of the risks of material misstatement and detection risk. The assessment of risks is based on audit procedures to obtain information necessary for that purpose and evidence obtained throughout the audit. The assessment of risks is a matter of professional judgment, rather than a matter capable of precise measurement.

The distinguishing feature of the professional judgment expected of an auditor is that it is exercised by an auditor whose training, knowledge and experience have assisted in developing the necessary competencies to achieve reasonable judgments.

An Overview of Audit Risk

Audit risk - What is included?
✓ Audit risk is the risk that the auditor gives an inappropriate audit opinion when the financial statements are materially misstated.
✓ A function of risks of material misstatement and detection risk.
✗ Auditor’s business risks such as loss from litigation, adverse publicity, or other events arising in connection with the audit of financial statements.
✗ Risk that the auditor might express an opinion that the financial statements are materially misstated when they are not.

[Figure: Audit risk divides into risks of material misstatement (inherent risk and control risk) and detection risk (sampling risk and non-sampling risk).]

1.5.1 Combined Assessment of the Risk of Material Misstatement

Standards on auditing do not ordinarily refer to inherent risk and control risk separately, but rather to a combined assessment of the “risks of material misstatement”. However, the auditor may make separate or combined assessments of inherent and control risk depending on preferred audit techniques or methodologies and practical considerations. The assessment of the risks of material misstatement may be expressed in quantitative terms, such as in percentages, or in non-quantitative terms. In any case, the need for the auditor to make appropriate risk assessments is more important than the different approaches by which they may be made.

It can be concluded from the above that:

Audit risk = Risks of material misstatement × Detection risk

Since risks of material misstatement is a function of inherent risk and control risk, it can also be shown as:

Audit risk = Inherent risk × Control risk × Detection risk

ILLUSTRATION 1

XYZ Ltd is engaged in business and runs several stores dealing in a variety of items such as ready-made garments for all seasons, shoes, gift items, watches etc. There are security tags on each and every item. Moreover, inventory records are physically verified on a monthly basis. Discuss the types of inherent, control and detection risks as perceived by the auditor.

SOLUTION

Inherent Risk: Because items may have been misappropriated by employees, the risk to the auditor is that inventory records would be inaccurate.
Control Risk: There is a security tag on each item displayed. Moreover, inventory records are physically verified on a monthly basis. Despite various controls being implemented at the stores, collusion among employees may still be there, and the risk to the auditor would again be that inventory records would be inaccurate.

Detection Risk: The auditor checks the efficiency and effectiveness of various control systems in place. He would do that by making observation, inspection, enquiry, etc. In addition to these, the auditor would also employ sampling techniques to check a few sales transactions from beginning to end. However, despite all these procedures, the auditor may not detect the items which have been stolen or misappropriated.

ILLUSTRATION 2

A Partnership Firm of Chartered Accountants, HT and Associates, was appointed to audit the books of accounts of Wind and Ice Limited for the financial year 2020-21. There was a risk that HT and Associates would give an inappropriate audit opinion if the financial statements of Wind and Ice Limited are materially misstated. State the risk mentioned in the question.

SOLUTION

The risk mentioned in the question is known as Audit Risk, because the risk that the auditor of a company will give an inappropriate audit opinion if the financial statements of that company are materially misstated is known as Audit Risk.

Test Your Understanding 1

Wear & Tear Private Limited is a “start-up” engaged in providing holistic solutions to the problem of paddy stubble burning, mainly catering to the needs of farmers of North western India. Due to the importance given by governments to this issue, companies have entered the market in the past few years. Many of these companies have not been successful and have gone bust. As an auditor of the company, can you spot the component of risks of material misstatement involved in the above?
Test Your Understanding 2

A company has devised a control that its inventory of perishable goods is stored in appropriate conditions, in a controlled environment, to prevent any damages to inventory. Responsibility is fixed on two persons to monitor environment using sensors and to report on deviations. Identify the component of risks of material misstatement involved as an auditor of the company.

Test Your Understanding 3

Shree Foods Private Limited is engaged in manufacturing of garlic bread. The auditors of company have planned audit procedures in respect of recognition of revenues of the company. Despite that, there is a possibility that misstatements in revenue recognition are not identified by planned audit procedures. Which risk is being alluded to?

1.6 Identifying and assessing the risk of material misstatement

As per SA 315 “Identifying and Assessing the Risks of Material Misstatement through Understanding the Entity and its Environment”, the objective of the auditor is to identify and assess the risks of material misstatement, whether due to fraud or error, at the financial statement and assertion levels, through understanding the entity and its environment, including the entity’s internal control, thereby providing a basis for designing and implementing responses to the assessed risks of material misstatement. This will help the auditor to reduce the risk of material misstatement to an acceptably low level.

The objective of the auditor as stated in SA 315 is to identify and assess the risks of material misstatement.
(i) The auditor shall identify and assess the risks of material misstatement at:
    (a) the financial statement level
    (b) the assertion level for classes of transactions, account balances, and disclosures
to provide a basis for designing and performing further audit procedures.

(ii) For the purpose of identifying and assessing the risks of material misstatement, the auditor shall:
    (a) Identify risks throughout the process of obtaining an understanding of the entity and its environment, including relevant controls that relate to the risks, and by considering the classes of transactions, account balances, and disclosures in the financial statements
    (b) Assess the identified risks, and evaluate whether they relate more pervasively to the financial statements as a whole and potentially affect many assertions
    (c) Relate the identified risks to what can go wrong at the assertion level, taking account of relevant controls that the auditor intends to test and
    (d) Consider the likelihood of misstatement, including the possibility of multiple misstatements, and whether the potential misstatement is of a magnitude that could result in a material misstatement.

1.7 Risk Assessment Procedures

You have already gained a little knowledge about risk assessment procedures in Chapter 2. The audit procedures performed to obtain an understanding of the entity and its environment, including the entity’s internal control, to identify and assess the risks of material misstatement, whether due to fraud or error, at the financial statement and assertion level are defined as risk assessment procedures.
Risk assessment procedures are a basis for the identification and assessment of risks of material misstatement at the financial statement and assertion levels

The auditor shall perform risk assessment procedures to provide a basis for the identification and assessment of risks of material misstatement at the financial statement and assertion levels. Risk assessment procedures by themselves, however, do not provide sufficient appropriate audit evidence on which to base the audit opinion. The risks to be assessed include both those due to error and those due to fraud.

What is included in risk assessment procedures?

The risk assessment procedures shall include the following:
(a) Inquiries of management and of others within the entity who in the auditor’s judgment may have information that is likely to assist in identifying risks of material misstatement due to fraud or error.
(b) Analytical procedures.
(c) Observation and inspection.

(a) Inquiries of Management and Others Within the Entity:

Much of the information obtained by the auditor’s inquiries is obtained from management and those responsible for financial reporting. However, the auditor may also obtain information, or a different perspective in identifying risks of material misstatement, through inquiries of others within the entity and other employees with different levels of authority.
• Inquiries directed toward internal audit personnel may provide information about internal audit procedures performed during the year relating to the design and effectiveness of the entity’s internal control and whether management has satisfactorily responded to findings from those procedures.
• Inquiries of employees involved in initiating, processing or recording complex or unusual transactions may help the auditor to evaluate the appropriateness of the selection and application of certain accounting policies.
• Inquiries directed toward in-house legal counsel may provide information about such matters as litigation, compliance with laws and regulations, knowledge of fraud or suspected fraud affecting the entity, warranties, post-sales obligations, arrangements (such as joint ventures) with business partners and the meaning of contract
• Inquiries directed towards marketing or sales personnel may provide information about changes in the entity’s marketing strategies, sales trends, or contractual arrangements with its customers.
• Inquiries directed to the risk management function (or those performing such roles) may provide information about operational and regulatory risks that may affect financial reporting.
• Inquiries directed to information systems personnel may provide information about system changes, system or control failures, or other information system-related risks.

(b) Analytical Procedures:

Analytical procedures performed as risk assessment procedures may identify aspects of the entity of which the auditor was unaware and may assist in assessing the risks of material misstatement in order to provide a basis for designing and implementing responses to the assessed risks. Analytical procedures performed as risk assessment procedures may include both financial and non-financial information, for example, relationship between sales and square footage of selling space or volume of goods sold.

Analytical procedures may help identify the existence of unusual transactions or events, and amounts, ratios, and trends that might indicate matters that have audit implications. Unusual or unexpected relationships that are identified may assist the auditor in identifying risks of material misstatement, especially risks of material misstatement due to fraud.
However, when such analytical procedures use data aggregated at a high level (which may be the situation with analytical procedures performed as risk assessment procedures), the results of those analytical procedures only provide a broad initial indication about whether a material misstatement may exist. Accordingly, in such cases, consideration of other information that has been gathered when identifying the risks of material misstatement together with the results of such analytical procedures may assist the auditor in understanding and evaluating the results of the analytical procedures.

(c) Observation and Inspection:

Observation and inspection may support inquiries of management and others, and may also provide information about the entity and its environment. Examples of such audit procedures include observation or inspection of the following:
• The entity’s operations.
• Documents (such as business plans and strategies), records, and internal control manuals.
• Reports prepared by management (such as quarterly management reports and interim financial statements) and those charged with governance (such as minutes of board of director’s meetings)
• The entity’s premises and plant facilities.

1.8 Information obtained by performing risk assessment procedures - Used as audit evidence

Information obtained by performing risk assessment procedures and related activities may be used by the auditor as audit evidence to support assessments of the risks of material misstatement. In addition, the auditor may obtain audit evidence about classes of transactions, account balances, or disclosures and related assertions and about the operating effectiveness of controls, even though such procedures were not specifically planned as substantive procedures or as tests of controls.
The auditor also may choose to perform substantive procedures or tests of controls concurrently with risk assessment procedures because it is efficient to do so.

Test Your Understanding 4

Jo Jo Limited is planning to list on Bombay Stock Exchange next year. As an auditor of Jo Jo Limited, identify any one reason for increased audit risk due to the listing of the company next year.

Test Your Understanding 5

On perusing financial statements of Jo Jo Limited put up for audit, it is observed by the auditor that the current ratio has improved from 1.20:1 (in preceding year) to 1.75:1 (in current year). Identify what kind of risk assessment procedures are being performed by the auditor. Does it have any relation with the listing of the company next year on Bombay Stock Exchange?

2. MATERIALITY

2.1 What is meant by materiality?

SA 320 “Materiality in Planning and Performing an Audit” states that misstatements, including omissions, are considered to be material if they, individually or in the aggregate, could reasonably be expected to influence the economic decisions of users taken on the basis of the financial statements.

The objective of an independent auditor is to obtain reasonable assurance about whether the financial statements as a whole are free from material misstatement, whether due to fraud or error, thereby enabling the auditor to express an opinion on whether the financial statements are prepared, in all material respects, in accordance with an applicable financial reporting framework.

Herein lies the significance of materiality. The auditor has to obtain reasonable assurance that financial statements as a whole are free from material misstatement, whether due to fraud or error. As a result, an audit strives to identify significant risks of material misstatement and audit procedures are geared towards it.

Materiality is not always a matter of relative size.
For example, a small amount lost by fraudulent practices of certain employees can indicate a serious flaw in the enterprise’s internal control system requiring immediate attention to avoid greater losses in future.

2.2 Materiality in Planning and performing an audit - Auditor’s responsibility

The concept of materiality is applied by the auditor both in planning and performing the audit, and in evaluating the effect of identified misstatements on the audit and of uncorrected misstatements, if any, on the financial statements and in forming the opinion in the auditor’s report. SA 320 deals with auditor’s responsibility to apply the concept of materiality in planning and performing an audit of financial statements.

Financial reporting frameworks often discuss the concept of materiality in the context of the preparation and presentation of financial statements. Although financial reporting frameworks may discuss materiality in different terms, they generally explain that:
• Misstatements, including omissions, are considered to be material if they, individually or in the aggregate, could reasonably be expected to influence the economic decisions of users taken on the basis of the financial statements;
• Judgments about materiality are made in the light of surrounding circumstances, and are affected by the size or nature of a misstatement, or a combination of both; and
• Judgments about matters that are material to users of the financial statements are based on a consideration of the common financial information needs of users as a group. The possible effect of misstatements on specific individual users, whose needs may vary widely, is not considered.

Such a discussion, if present in the applicable financial reporting framework, provides a frame of reference to the auditor in determining materiality for the audit.
If the applicable financial reporting framework does not include a discussion of the concept of materiality, the characteristics referred to above provide the auditor with such a frame of reference.

In planning the audit, the auditor makes judgments about the size of misstatements that will be considered material. These judgments provide a basis for:
(a) Determining the nature, timing and extent of risk assessment procedures;
(b) Identifying and assessing the risks of material misstatement; and
(c) Determining the nature, timing and extent of further audit procedures.

The materiality determined when planning the audit does not necessarily establish an amount below which uncorrected misstatements, individually or in aggregate, will always be evaluated as immaterial. The circumstances related to some misstatements may cause the auditor to evaluate them as material even if they are below materiality. Although it is not practicable to design audit procedures to detect misstatements that could be material solely because of their nature, the auditor considers not only the size but also the nature of uncorrected misstatements, and the particular circumstances of their occurrence, when evaluating their effect on the financial statements.

The auditor has to apply his professional judgement in determining materiality, choosing appropriate benchmark and determining level of benchmark. Materiality forms the basis for determination of audit scope and the levels of testing the transactions.

While judging materiality, the significance of an item has to be viewed from different perspectives. Materiality of an item may be judged by considering the impact on the profit and loss, or on the balance sheet, or in the total of the category of expenditure or income to which it pertains, and on its comparison with the corresponding figure for the previous year.
If there is any statutory requirement of disclosure, it is to be considered material irrespective of the value of amount. Examples are given below:
• As per Division I of Schedule III of Companies Act, 2013, any item of income or expenditure which exceeds one percent of the revenue from operations or ₹ 1,00,000, whichever is higher, needs to be disclosed separately.
• A company should disclose in notes to accounts, shares in the company held by each shareholder holding more than 5 per cent shares specifying the number of shares held as per requirements of Division I of Schedule III of Companies Act, 2013.

2.3 Determination of materiality- a matter of professional judgment
The auditor’s determination of materiality is a matter of professional judgment, and is affected by the auditor’s perception of the financial information needs of users of the financial statements. In this context, it is reasonable for the auditor to assume that users:
(a) Have a reasonable knowledge of business and economic activities and accounting and a willingness to study the information in the financial statements with reasonable diligence;
(b) Understand that financial statements are prepared, presented and audited to levels of materiality;
(c) Recognize the uncertainties inherent in the measurement of amounts based on the use of estimates, judgment and the consideration of future events; and
(d) Make reasonable economic decisions on the basis of the information in the financial statements.

2.4 Performance Materiality
Practically, it is difficult for auditors to design tests to identify individual material misstatements. It is likely that misstatements are material in aggregate.
It takes us to the concept of “performance materiality.”

Performance materiality means the amount or amounts set by the auditor at less than materiality for the financial statements as a whole to reduce to an appropriately low level the probability that the aggregate of uncorrected and undetected misstatements exceeds materiality for the financial statements as a whole. If applicable, performance materiality also refers to the amount or amounts set by the auditor at less than the materiality level or levels for particular classes of transactions, account balances or disclosures.

Performance materiality is set at a value lower than overall materiality. It lowers the risk that auditor will not be able to identify misstatements that are material when added together.

2.5 Determining Materiality and Performance Materiality when Planning the Audit
When establishing the overall audit strategy, the auditor shall determine materiality for the financial statements as a whole. If, in the specific circumstances of the entity, there is one or more particular classes of transactions, account balances or disclosures for which misstatements of lesser amounts than the materiality for the financial statements as a whole could reasonably be expected to influence the economic decisions of users taken on the basis of the financial statements, the auditor shall also determine the materiality level or levels to be applied to those particular classes of transactions, account balances or disclosures.

2.6 Use of Benchmarks in Determining Materiality for the Financial Statements as a Whole
Determining materiality involves the exercise of professional judgment. A percentage is often applied to a chosen benchmark as a starting point in determining materiality for the financial statements as a whole.
Factors that may affect the identification of an appropriate benchmark include the following:
• The elements of the financial statements like assets, liabilities, equity, revenue, expenses
• Whether there are items on which the attention of the users of the particular entity’s financial statements tends to be focused. For example, for the purpose of evaluating financial performance users may tend to focus on profit, revenue or net assets.
• The nature of the entity, where the entity is at in its life cycle, and the industry and economic environment in which the entity operates, the entity’s ownership structure and the way it is financed. For example, if an entity is financed solely by debt rather than equity, users may put more emphasis on assets, and claims on them, than on the entity’s earnings;
• The relative volatility of the benchmark.

Examples of benchmarks that may be appropriate, depending on the circumstances of the entity, include categories of reported income such as profit before tax, total revenue, gross profit and total expenses, total equity or net asset value.

Profit before tax from continuing operations is often used for profit-oriented entities. When profit before tax from continuing operations is volatile, other benchmarks may be more appropriate, such as gross profit or total revenues.

2.6.1 Chosen Benchmark – Relevant financial data
In relation to the chosen benchmark, relevant financial data ordinarily includes:
• Prior periods’ financial results and financial positions,
• The period to-date financial results and financial position, and
• Budgets or forecasts for the current period,
• Adjusted for significant changes in the circumstances of the entity (for example, a significant business acquisition) and relevant changes of conditions in the industry or economic environment in which the entity operates.

Consider, for example, when, as a starting point, the materiality for the financial statements as a whole is determined for a particular entity based on a percentage of profit before tax from continuing operations, circumstances that give rise to an exceptional decrease or increase in such profit may lead the auditor to conclude that the materiality for the financial statements as a whole is more appropriately determined using a normalized profit before tax from continuing operations figure based on past results.

2.6.2 Determining a percentage to be applied to a chosen benchmark involves the exercise of professional judgment. There is a relationship between the percentage and the chosen benchmark, such that a percentage applied to profit before tax from continuing operations will normally be higher than a percentage applied to total revenue.

Consider, for example, that the auditor may consider 5% of profit before tax from continuing operations to be appropriate for a profit-oriented entity in a manufacturing industry, while the auditor may consider 1% of total revenue or total expenses to be appropriate for a not-for-profit entity. Higher or lower percentages, however, may be deemed appropriate in different circumstances.

2.7 Materiality Level or Levels for Particular Classes of Transactions, Account Balances or Disclosures
Factors that may indicate the existence of one or more particular classes of transactions, account balances or disclosures for which misstatements of lesser amounts than materiality for the financial statements as a whole could reasonably be expected to influence the economic decisions of users taken on the basis of the financial statements include the following:
1. Whether law, regulations or the applicable financial reporting framework affect users’ expectations regarding the measurement or disclosure of certain items like in case of related party transactions, and the remuneration of management and those charged with governance.
2. The key disclosures in relation to the industry in which the entity operates. For example, research and development costs for a pharmaceutical company.
3. Whether attention is focused on a particular aspect of the entity’s business that is separately disclosed in the financial statements like in case of newly acquired business.

2.8 Revision in Materiality level as the Audit Progresses
Materiality for the financial statements as a whole (and, if applicable, the materiality level or levels for particular classes of transactions, account balances or disclosures) may need to be revised as a result of a change in circumstances that occurred during the audit (for example, a decision to dispose of a major part of the entity’s business), new information, or a change in the auditor’s understanding of the entity and its operations as a result of performing further audit procedures.

If during the audit it appears as though actual financial results are likely to be substantially different from the anticipated period end financial results that were used initially to determine materiality for the financial statements as a whole, the auditor revises that materiality.

If the auditor concludes that a lower materiality for the financial statements as a whole (and, if applicable, materiality level or levels for particular classes of transactions, account balances or disclosures) than that initially determined is appropriate, the auditor shall determine whether it is necessary to revise performance materiality, and whether the nature, timing and extent of the further audit procedures remain appropriate.
2.9 Documenting the Materiality
The audit documentation shall include the following amounts and the factors considered in their determination:
(a) Materiality for the financial statements as a whole
(b) If applicable, the materiality level or levels for particular classes of transactions, account balances or disclosures
(c) Performance materiality and
(d) Any revision of (a)-(c) as the audit progressed

2.10 Materiality and Audit Risk
The concept of materiality is applied by the auditor both in planning and performing the audit, and in evaluating the effect of identified misstatements on the audit and of uncorrected misstatements, if any, on the financial statements and in forming the opinion in the auditor’s report.

In conducting an audit of financial statements, the overall objectives of the auditor are to obtain reasonable assurance about whether the financial statements as a whole are free from material misstatement, whether due to fraud or error, thereby enabling the auditor to express an opinion on whether the financial statements are prepared, in all material respects, in accordance with an applicable financial reporting framework; and to report on the financial statements, and communicate as required by the SAs, in accordance with the auditor’s findings.

The auditor obtains reasonable assurance by obtaining sufficient appropriate audit evidence to reduce audit risk to an acceptably low level. Audit risk is the risk that the auditor expresses an inappropriate audit opinion when the financial statements are materially misstated. Audit risk is a function of the risks of material misstatement and detection risk.
Materiality and Audit Risk are considered throughout the audit, in particular, when:
(a) Identifying and assessing the risks of material misstatement;
(b) Determining the nature, timing and extent of further audit procedures; and
(c) Evaluating the effect of uncorrected misstatements, if any, on the financial statements and in forming the opinion in the auditor’s report.

ILLUSTRATION 3
One of the team members of auditors of Highly Capable Limited was of the view that Materiality and Audit Risk are only considered at planning stage of an audit. Comment as an auditor.

SOLUTION
The concept of materiality is applied by the auditor both in planning and performing the audit, and in evaluating the effect of identified misstatements on the audit and of uncorrected misstatements, if any, on the financial statements and in forming the opinion in the auditor’s report.

Test Your Understanding 6
CA A. Raja is auditor of Build Well Forgings Private Limited having a revenue of ₹ 25 crore. The company has been sanctioned a term loan of ₹ 50 lacs from a bank. However, as at end of the year, only ₹ 1 lac was availed due to delay in procurement of asset. The financial statements of the company do not disclose nature of security against which loan has been taken. Schedule III of Companies Act, 2013 requires disclosure in this respect. Discuss, whether, non-disclosure of nature of security is material for auditor.

3. UNDERSTANDING THE ENTITY AND ITS ENVIRONMENT
SA 315 Identifying and Assessing the Risks of Material Misstatement Through Understanding the Entity and its Environment states that the auditor shall obtain an understanding of the following:

(a) Relevant industry, regulatory, and other external factors including the applicable financial reporting framework
Relevant industry factors include industry conditions such as the competitive environment, supplier and customer relationships, and technological developments. Examples of matters the auditor may consider include market and competition, whether entity is engaged in seasonal activities, product technology relating to the entity’s products. The industry in which the entity operates may give rise to specific risks of material misstatement arising from the nature of the business or the degree of regulation.

Relevant regulatory factors include the regulatory environment. The regulatory environment includes, among other matters, the applicable financial reporting framework and the legal and political environment. Examples of matters the auditor may consider include accounting principles and industry specific practices, regulatory framework for a regulated industry, legislation and regulation that significantly affect the entity’s operations, including direct supervisory activities, taxation, government policies currently affecting the conduct of the entity’s business, environmental requirements affecting the industry and the entity’s business.

Examples of other external factors affecting the entity that the auditor may consider include the general economic conditions, interest rates and availability of financing, and inflation etc.

(b) The nature of the entity, including:
(i) its operations;
(ii) its ownership and governance structures;
(iii) the types of investments that the entity is making and plans to make, including investments in special-purpose entities; and
(iv) the way that the entity is structured and how it is financed;
to enable the auditor to understand the classes of transactions, account balances, and disclosures to be expected in the financial statements.

An understanding of nature of entity enables the auditor to understand whether entity has a complex structure for example, whether it has subsidiaries. Complex structures often introduce issues that may give rise to risks of material misstatement. It also helps in understanding matters relating to the ownership, and relations between owners and other people or entities. This understanding assists in determining whether related party transactions have been identified and accounted for appropriately.

Examples of matters that the auditor may consider while obtaining understanding of nature of entity include:
• Business operations such as nature of revenue sources, products or services, conduct of operations, location of production facilities, key customers and suppliers of goods and services
• Investment and investment activities such as capital investment activities and planned or recently executed acquisitions
• Financing and financing activities such as major subsidiaries, debt structure etc.
• Financial reporting such as accounting principles and revenue recognition practices

(c) The entity’s selection and application of accounting policies, including the reasons for changes thereto
The auditor shall evaluate whether the entity’s accounting policies are appropriate for its business and consistent with the applicable financial reporting framework and accounting policies used in the relevant industry.

(d) The entity’s objectives and strategies, and those related business risks that may result in risks of material misstatement.
The entity conducts its business in the context of industry, regulatory and other internal and external factors. To respond to these factors, the entity’s management define objectives, which are the overall plans for the entity. Strategies are the approaches by which management intends to achieve its objectives. The entity’s objectives and strategies may change over time.

Business risk is broader than the risk of material misstatement of the financial statements, though it includes the latter. Business risk may arise from change or complexity. An understanding of the business risks facing the entity increases the likelihood of identifying risks of material misstatement, since most business risks will eventually have financial consequences and, therefore, an effect on the financial statements. However, the auditor does not have a responsibility to identify or assess all business risks because not all business risks give rise to risks of material misstatement.

Examples of matters that the auditor may consider when obtaining an understanding of the entity’s objectives, strategies and related business risks that may result in a risk of material misstatement of the financial statements include:
• Industry developments (a potential related business risk might be, for example, that the entity does not have the personnel or expertise to deal with the changes in the industry).
• New products and services (a potential related business risk might be, for example, that there is increased product liability).
• Expansion of the business (a potential related business risk might be, for example, that the demand has not been accurately estimated).

(e) The measurement and review of the entity’s financial performance
Management and others will measure and review those things they regard as important. Performance measures, whether external or internal, create pressures on the entity. These pressures, in turn, may motivate management to take action to improve the business performance or to misstate the financial statements. Accordingly, an understanding of the entity’s performance measures assists the auditor in considering whether pressures to achieve performance targets may result in management actions that increase the risks of material misstatement, including those due to fraud.

Examples for measuring and reviewing financial performance which may be used by an auditor may include:
• Key performance indicators (financial and non-financial) and key ratios, trends and operating statistics.
• Period-on-period financial performance analyses.
• Budgets, forecasts, variance analyses, and departmental or other level performance reports.
• Credit rating agency reports

3.1 Why understanding the entity and its environment is significant?
Understanding the entity and the environment in which it operates is very significant. It helps the auditor in planning the audit and in identifying areas requiring special attention. Gaining knowledge about client’s business is one of the important principles in developing an overall audit plan. In fact, without adequate knowledge of client’s business, a proper audit is not possible.

3.2 Understanding the entity-a continuous process
Obtaining an understanding of the entity and its environment, including the entity’s internal control (referred to hereafter as an “understanding of the entity”), is a continuous, dynamic process of gathering, updating and analysing information throughout the audit.
The understanding establishes a frame of reference within which the auditor plans the audit and exercises professional judgment throughout the audit, for example, when:
• Assessing risks of material misstatement of the financial statements
• Determining materiality in accordance with SA 320
• Considering the appropriateness of the selection and application of accounting policies
• Identifying areas where special audit consideration may be necessary, for example, related party transactions, the appropriateness of management’s use of the going concern assumption, or considering the business purpose of transactions
• Developing expectations for use when performing analytical procedures
• Evaluating the sufficiency and appropriateness of audit evidence obtained such as the appropriateness of assumptions and of management’s oral and written representations.

ILLUSTRATION 4
The auditor of ABC Textiles Ltd chalks out an audit plan without understanding the entity’s business. Since he has carried out many audits of textile companies, there is no need to understand the nature of business of ABC Ltd. Advise the auditor how he should proceed.

SOLUTION
Obtaining an understanding of the entity and its environment, including the entity’s internal control (referred to hereafter as an “understanding of the entity”), is a continuous, dynamic process of gathering, updating and analysing information throughout the audit. The auditor should proceed accordingly.

ILLUSTRATION 5
While auditing the books of accounts of Heavy Material Limited for the financial year 2022-23, a team member of the auditor of Heavy Material Limited showed no inclination towards understanding the business and the business environment of the above mentioned company. Is the approach of team member of the auditor of Heavy Material Limited correct or incorrect? Also give reason for your answer.

SOLUTION
The approach of team member of the auditor of Heavy Material Limited is incorrect because understanding the business and the business environment of company whose audit is to be conducted is very important, as it helps in planning the audit and identifying areas requiring special attention during the course of audit of that company.

ILLUSTRATION 6
Prince Blankets is engaged in business of blankets. Its major portion of sales is taking place through internet. Advise the auditor how he would proceed in this regard as to understanding the entity and its environment.

SOLUTION
While understanding entity and its environment, internet sales is being perceived as risky area by the auditor and thereby would be spending substantial time and extensive audit procedures on this particular area.

4. INTERNAL CONTROL

4.1 Meaning of Internal Control
As per SA-315, “Identifying and Assessing the Risk of Material Misstatement Through Understanding the Entity and its Environment”, the internal control may be defined as “the process designed, implemented and maintained by those charged with governance, management and other personnel to provide reasonable assurance about the achievement of an entity’s objectives with regard to reliability of financial reporting, effectiveness and efficiency of operations, safeguarding of assets, and compliance with applicable laws and regulations.
The term “controls” refers to any aspects of one or more of the components of internal control.”

4.2 As derived from above definition, the purpose of Internal Control is as under
Internal control is designed, implemented and maintained to address identified business risks that threaten the achievement of any of the entity’s objectives that concern:
• The reliability of the entity’s financial reporting;
• The effectiveness and efficiency of its operations;
• Its compliance with applicable laws and regulations; and
• Safeguarding of assets.

The way in which internal control is designed, implemented and maintained varies with an entity’s size and complexity.

4.3 Benefits of Understanding of Internal Control
An understanding of internal control assists the auditor in:
(i) Identifying types of potential misstatements;
(ii) Identifying factors that affect the risks of material misstatement, and
(iii) Designing the nature, timing, and extent of further audit procedures.

4.4 Limitations of Internal Control

(i) Internal control can provide only reasonable assurance
Internal control, no matter how effective, can provide an entity with only reasonable assurance about achieving the entity’s financial reporting objectives. The likelihood of their achievement is affected by inherent limitations of internal control.

(ii) Human judgment in decision-making
Realities that human judgment in decision-making can be faulty and that breakdowns in internal control can occur because of human error. For example, there may be an error in the design of, or in the change to, a control.

(iii) Lack of understanding the purpose
Equally, the operation of a control may not be effective, such as where information produced for the purposes of internal control (for example, an exception report) is not effectively used because the individual responsible for reviewing the information does not understand its purpose or fails to take appropriate action.

(iv) Collusion among People
Additionally, controls can be circumvented by the collusion of two or more people or inappropriate management override of internal control. For example, management may enter into side agreements with customers that alter the terms and conditions of the entity’s standard sales contracts, which may result in improper revenue recognition. Also, edit checks in a software program that are designed to identify and report transactions that exceed specified credit limits may be overridden or disabled.

(v) Judgements by Management
Further, in designing and implementing controls, management may make judgments on the nature and extent of the controls it chooses to implement, and the nature and extent of the risks it chooses to assume.

(vi) Limitations in case of Small Entities
Smaller entities often have fewer employees due to which segregation of duties is not practicable. However, in a small owner-managed entity, the owner-manager may be able to exercise more effective oversight than in a larger entity. This oversight may compensate for the generally more limited opportunities for segregation of duties. On the other hand, the owner-manager may be more able to override controls because the system of internal control is less structured. This is taken into account by the auditor when identifying the risks of material misstatement due to fraud.

ILLUSTRATION 7
Auditor GR and Associates, appointed for audit of PNG Ltd, a manufacturing company engaged in manufacturing of various food items.
While planning an audit, the auditor does not think that it would be necessary to understand internal controls. Advise the auditor in this regard.

SOLUTION
The auditor shall obtain an understanding of internal control relevant to the audit. Although most controls relevant to the audit are likely to relate to financial reporting, not all controls that relate to financial reporting are relevant to the audit. It is a matter of the auditor’s professional judgment whether a control, individually or in combination with others, is relevant to the audit.

ILLUSTRATION 8
The team member of the auditor of Simple and Easy Limited was of the view that understanding the internal control of the company would not help them in any manner in relation to audit procedures to be applied while conducting the audit.

SOLUTION
The view of the team member of the auditor is incorrect because understanding the internal control of the company would help the auditor and his team members in designing the nature, timing and extent of audit procedures to be applied while conducting the audit of the company.

4.5 Components of Internal Control
The division of internal control into the following five components provides a useful framework for auditors to consider how different aspects of an entity’s internal control may affect the audit:
(A) The control environment
(B) The entity’s risk assessment process
(C) The information system, including the related business processes, relevant to financial reporting, and communication
(D) Control activities
(E) Monitoring of controls

[Figure: Components of Internal control: Control environment; Entity's risk assessment process; Information system and communication; Control activities; Monitoring of controls]

4.5(A) Control Environment
The auditor shall obtain an understanding of the control environment.
As part of obtaining this understanding, the auditor shall evaluate whether:
(i) Management has created and maintained a culture of honesty and ethical behaviour and
(ii) The strengths in the control environment elements collectively provide an appropriate foundation for the other components of internal control.

What is included in Control Environment?
The control environment includes:
(i) the governance and management functions and
(ii) the attitudes, awareness, and actions of those charged with governance and management.
(iii) the control environment sets the tone of an organization, influencing the control consciousness of its people.

Elements of the Control Environment
Elements of the control environment that may be relevant when obtaining an understanding of the control environment include the following:

(a) Communication and enforcement of integrity and ethical values
The effectiveness of controls cannot rise above the integrity and ethical values of the people who create, administer, and monitor them. Integrity and ethical behaviour are the product of the entity’s ethical and behavioural standards, how they are communicated, and how they are reinforced in practice. The enforcement of integrity and ethical values includes, for example, management actions to eliminate or mitigate incentives or temptations that might prompt personnel to engage in dishonest, illegal, or unethical acts. The communication of entity policies on integrity and ethical values may include the communication of behavioural standards to personnel through policy statements and codes of conduct and by example.

(b) Commitment to competence
Matters such as management’s consideration of the competence levels for particular jobs and how those levels translate into requisite skills and knowledge.
(c) Participation by those charged with governance

It includes attributes of those charged with governance such as their independence from management, their experience and stature, the extent of their involvement and the information they receive and the scrutiny of activities.

(d) Management’s philosophy and operating style

Management’s philosophy and operating style encompass a broad range of characteristics. For example, management’s attitudes and actions towards financial reporting: what approach is taken by management in selecting accounting policies, its approach in developing accounting estimates, etc. Matters such as the approach of management to taking and managing business risks, and management’s attitude towards information processing and the accounting function and personnel, reflect upon management’s philosophy and operating style.

(e) Organisational structure

The framework within which an entity’s activities for achieving its objectives are planned, executed, controlled, and reviewed. Establishing a relevant organisational structure includes considering key areas of authority and responsibility and appropriate lines of reporting. The appropriateness of an entity’s organisational structure depends, in part, on its size and the nature of its activities.

(f) Assignment of authority and responsibility

Matters such as how authority and responsibility for operating activities are assigned and how reporting relationships and authorisation hierarchies are established.

(g) Human resource policies and practices

Policies and practices that relate to, for example, recruitment, orientation, training, evaluation, counselling, promotion, compensation, and remedial actions. Human resource policies and practices often demonstrate important matters in relation to the control consciousness of an entity.
For example, standards for recruiting the most qualified individuals – with emphasis on educational background, prior work experience, past accomplishments, and evidence of integrity and ethical behaviour – demonstrate an entity’s commitment to competent and trustworthy people. Training policies that communicate prospective roles and responsibilities and include practices such as training schools and seminars illustrate expected levels of performance and behaviour. Promotions driven by periodic performance appraisals demonstrate the entity’s commitment to the advancement of qualified personnel to higher levels of responsibility.

Existence of a satisfactory control environment: not an absolute deterrent to fraud

The existence of a satisfactory control environment can be a positive factor when the auditor assesses the risks of material misstatement. However, although it may help reduce the risk of fraud, a satisfactory control environment is not an absolute deterrent to fraud. Conversely, deficiencies in the control environment may undermine the effectiveness of controls, in particular in relation to fraud. For example, management’s failure to commit sufficient resources to address IT security risks may adversely affect internal control by allowing improper changes to be made to computer programs or to data, or unauthorized transactions to be processed.

The control environment in itself does not prevent, or detect and correct, a material misstatement. It may, however, influence the auditor’s evaluation of the effectiveness of other controls (for example, the monitoring of controls and the operation of specific control activities) and thereby, the auditor’s assessment of the risks of material misstatement.
4.5(B) The Entity’s Risk Assessment Process

The auditor shall obtain an understanding of whether the entity has a process for:

(a) Identifying business risks relevant to financial reporting objectives
(b) Estimating the significance of the risks
(c) Assessing the likelihood of their occurrence
(d) Deciding about actions to address those risks

The entity’s risk assessment process forms the basis for the risks to be managed. If that process is appropriate, it would assist the auditor in identifying risks of material misstatement. Risks can arise or change due to factors such as new technology, new business models, products or activities, changes in operating environment etc. Whether the entity’s risk assessment process is appropriate to the circumstances is a matter of judgment.

4.5(C) The information system, including the related business processes, relevant to financial reporting and communication

The auditor shall obtain an understanding of the information system, including the related business processes, relevant to financial reporting, including the following areas:

(a) The classes of transactions in the entity’s operations that are significant to the financial statements
(b) The procedures by which those transactions are initiated, recorded, processed, corrected as necessary, transferred to the general ledger and reported in the financial statements
(c) The related accounting records, supporting information and specific accounts in the financial statements that are used to initiate, record, process and report transactions
(d) How the information system captures events and conditions that are significant to the financial statements
(e) The financial reporting process used to prepare the entity’s financial statements
(f) Controls surrounding journal entries.
An information system consists of infrastructure (physical and hardware components), software, people, procedures, and data. Many information systems make extensive use of information technology (IT).

An information system should provide qualitative financial information. The quality of system-generated information affects management’s ability to make appropriate decisions in managing and controlling the entity’s activities and to prepare reliable financial reports.

The auditor shall obtain an understanding of how the entity communicates financial reporting roles and responsibilities. It may take such forms as policy manuals, accounting and financial reporting manuals, and memoranda. Communication also can be made electronically, orally, and through the actions of management.

4.5(D) Control Activities

The auditor shall obtain an understanding of control activities relevant to the audit, which the auditor considers necessary to assess the risks of material misstatement. An audit requires an understanding of only those control activities related to significant classes of transactions, account balances, and disclosures in the financial statements and the assertions which the auditor finds relevant in his risk assessment process.

Control activities are the policies and procedures that help ensure that management directives are carried out. Control activities, whether within IT or manual systems, have various objectives and are applied at various organisational and functional levels.
Control activities relevant to audit generally include policies and procedures relating to:

• performance reviews (reviews of actual performance with budgets),
• information processing (for example, controls over checking arithmetical accuracy of records, program change controls, etc.),
• physical controls (like controls over physical security of assets) and
• segregation of duties (controls over ensuring that different people are assigned the responsibilities of authorising transactions, recording transactions and maintaining custody of assets).

4.5(E) Monitoring of Controls

The auditor shall obtain an understanding of the major activities that the entity uses to monitor internal control over financial reporting.

Monitoring of controls is a process to assess the effectiveness of internal control performance over time. It involves assessing the effectiveness of controls on a timely basis and taking necessary remedial actions. It includes considering whether controls are operating as intended and that they are modified as appropriate for change in conditions.

Management accomplishes monitoring of controls through ongoing activities, separate evaluations, or a combination of the two. Ongoing monitoring activities are often built into the normal recurring activities of an entity and include regular management and supervisory activities. Management’s monitoring activities may include using information from communications from external parties such as customer complaints and regulator comments that may indicate problems or highlight areas in need of improvement.

Test Your Understanding 7

CA Smriti is auditor of a company. As part of audit, she is going through company policies and practices regarding employee recruitment, training, orientation and related matters.
She seems to be very much interested in finding out whether the company hires the best candidates from the applicant pool. Identify what she is trying to do. How is gaining knowledge about this aspect useful to her as an auditor?

Test Your Understanding 8

During the audit of the same company, CA Smriti is keen to find out whether there exists a proper system of segregation of duties in the company. She wants to be sure that a person responsible for recording a transaction is different from the person authorising it. Discuss what she is trying to do and how its understanding is significant to her as an auditor.

4.6 Are all Controls Relevant to the audit?

There is a direct relationship between an entity’s objectives and the control it implements to provide reasonable assurance about their achievement. The entity’s objectives, and therefore controls, relate to financial reporting, operations and compliance; however, not all of these objectives and controls are relevant to the auditor’s risk assessment.

Factors relevant to the auditor’s judgment about whether a control, individually or in combination with others, is relevant to the audit may include such matters as the following:

• Materiality.
• The significance of the related risk.
• The size of the entity.
• The nature of the entity’s business, including its organisation and ownership characteristics.
• The diversity and complexity of the entity’s operations.
• Applicable legal and regulatory requirements.
• The circumstances and the applicable component of internal control.
• The nature and complexity of the systems that are part of the entity’s internal control, including the use of service organisations.
• Whether, and how, a specific control, individually or in combination with others, prevents, or detects and corrects, material misstatement.
4.7 Controls over the completeness and accuracy of information

Controls over the completeness and accuracy of information produced by the entity may be relevant to the audit if the auditor intends to make use of the information in designing and performing further procedures. For example, in auditing revenue by applying standard prices to records of sales volume, the auditor considers the accuracy of the price information and the completeness and accuracy of the sales volume data. Controls relating to operations and compliance objectives may also be relevant to an audit if they relate to data the auditor evaluates or uses in applying audit procedures.

4.8 Internal control over safeguarding of assets

Internal control over safeguarding of assets against unauthorised acquisition, use, or disposition may include controls relating to both financial reporting and operations objectives. The auditor’s consideration of such controls is generally limited to those relevant to the reliability of financial reporting. For example, use of access controls, such as passwords, that limit access to the data and programs that process cash disbursements may be relevant to a financial statement audit. Conversely, safeguarding controls relating to operations objectives, such as controls to prevent the excessive use of materials in production, generally are not relevant to a financial statement audit.

4.9 Controls relating to objectives that are not relevant to an audit

An entity generally has controls relating to objectives that are not relevant to an audit and therefore need not be considered. For example, an entity may rely on a sophisticated system of automated controls to provide efficient and effective operations (such as an airline’s system of automated controls to maintain flight schedules), but these controls ordinarily would not be relevant to the audit.
Further, although internal control applies to the entire entity or to any of its operating units or business processes, an understanding of internal control relating to each of the entity’s operating units and business processes may not be relevant to the audit.

In certain circumstances, the statute or the regulation governing the entity may require the auditor to report on compliance with certain specific aspects of internal controls; as a result, the auditor’s review of internal control may be broader and more detailed.

4.10 Nature and Extent of the Understanding of Relevant Controls

Evaluating the design of a control involves considering whether the control, individually or in combination with other controls, is capable of effectively preventing, or detecting and correcting, material misstatements. Implementation of a control means that the control exists and that the entity is using it. There is little point in assessing the implementation of a control that is not effective, and so the design of a control is considered first. An improperly designed control may represent a significant deficiency in internal control.

Risk assessment procedures to obtain audit evidence about the design and implementation of relevant controls may include:

• Inquiring of entity personnel.
• Observing the application of specific controls.
• Inspecting documents and reports.
• Tracing transactions through the information system relevant to financial reporting.

Inquiry alone, however, is not sufficient for such purposes.

Obtaining an understanding of an entity’s controls is not sufficient to test their operating effectiveness, unless there is some automation that provides for the consistent operation of the controls.
For example, obtaining audit evidence about the implementation of a manual control at a point in time does not provide audit evidence about the operating effectiveness of the control at other times during the period under audit. However, because of the inherent consistency of IT processing, performing audit procedures to determine whether an automated control has been implemented may serve as a test of that control’s operating effectiveness, depending on the auditor’s assessment and testing of controls such as those over program changes.

5. RISKS THAT REQUIRE SPECIAL AUDIT CONSIDERATION

As part of the risk assessment, the auditor shall determine whether any of the risks identified are, in the auditor’s judgment, a significant risk. In exercising judgment as to which risks are significant risks, the auditor shall consider at least the following:

(a) Whether the risk is a risk of fraud
(b) Whether the risk is related to recent significant economic, accounting, or other developments like changes in regulatory environment, etc., and, therefore, requires specific attention
(c) The complexity of transactions
(d) Whether the risk involves significant transactions with related parties
(e) The degree of subjectivity in the measurement of financial information related to the risk, especially those measurements involving a wide range of measurement uncertainty and
(f) Whether the risk involves significant transactions that are outside the normal course of business for the entity, or that otherwise appear to be unusual.

5.1 Identifying Significant Risks

Significant risks often relate to significant non-routine transactions or judgmental matters. Non-routine transactions are transactions that are unusual, due to either size or nature, and that therefore occur infrequently. Judgmental matters may include the development of accounting estimates for which there is significant measurement uncertainty.
Significant risks are inherent risks with both a higher likelihood of occurrence and a higher magnitude of potential misstatement. The auditor assesses assertions affected by a significant risk as higher inherent risk.

The following are always significant risks:

• Risks of material misstatement due to fraud
• Significant transactions with related parties that are outside the normal course of business for the entity

5.2 Risks of Material Misstatement – Greater for Significant Non-Routine Transactions

Risks of material misstatement may be greater for significant non-routine transactions arising from matters such as the following:

• Greater management intervention to specify the accounting treatment.
• Greater manual intervention for data collection and processing.
• Complex calculations or accounting principles.
• The nature of non-routine transactions, which may make it difficult for the entity to implement effective controls over the risks.

5.3 Risks of Material Misstatement – Greater for Significant Judgmental Matters

Risks of material misstatement may be greater for significant judgmental matters that require the development of accounting estimates, arising from matters such as the following:

• Accounting principles for accounting estimates or revenue recognition may be subject to differing interpretation.
• Required judgment may be subjective or complex, or require assumptions about the effects of future events, for example, judgment about fair value.

6. EVALUATION OF INTERNAL CONTROL SYSTEM

So far as the auditor is concerned, the examination and evaluation of the internal control system is an indispensable part of the overall audit programme. The auditor needs reasonable assurance that the accounting system is adequate and that all the accounting information which should be recorded has in fact been recorded. Internal control normally contributes to such assurance.
6.1 Benefits of Evaluation of Internal Control to the Auditor

The review of internal controls will enable the auditor to know:

(i) whether errors and frauds are likely to be located in the ordinary course of operations of the business
(ii) whether an adequate internal control system is in use and operating as planned by the management
(iii) whether an effective internal auditing department is operating
(iv) whether any administrative control has a bearing on his work (for example, if the control over worker recruitment and enrolment is weak, there is a likelihood of dummy names being included in the wages sheet and this is relevant for the auditor)
(v) whether the controls adequately safeguard the assets
(vi) how far and how adequately the management is discharging its function in so far as correct recording of transactions is concerned
(vii) how reliable the reports, records and the certificates to the management can be
(viii) the extent and the depth of the examination that he needs to carry out in the different areas of accounting
(ix) what would be appropriate audit technique and the audit procedure in the given circumstances
(x) what are the areas where control is weak and where it is excessive and
(xi) whether some worthwhile suggestions can be given to improve the control system.

ILLUSTRATION 9

Mr. Y, one of the team members of the auditors of What and Where Limited, was very keen on knowing whether the internal control of the company would safeguard the company’s assets. Advise Mr. Y.

SOLUTION

The review of internal controls will enable the auditors to know whether the controls adequately safeguard the assets.

ILLUSTRATION 10

Mr. H, a team member of the auditor of There and Here Limited, was of the view that evaluation of internal control of the company would help in identifying the areas where internal control is weak.
Advise.

SOLUTION

The review of internal controls will enable the auditor to know what are the areas where control is weak and where it is excessive.

Formulate Audit Program after understanding Internal Control

The auditor can formulate his entire audit programme only after he has had a satisfactory understanding of the internal control systems and their actual operation. If he does not care to study this aspect, it is very likely that his audit programme may become unwieldy and unnecessarily heavy and the object of the audit may be altogether lost in the mass of entries and vouchers.

It is also important for him to know whether the system is actually in operation. Often, after installation of a system, there is no proper follow-up by the management to ensure compliance. The auditor, in such circumstances, may be led to believe that a system is in operation which in reality may not be altogether in operation or may at best operate only partially. This state of affairs is probably the worst that an auditor may come across and he would be in the midst of confusion, if he does not take care.

It would be better if the auditor can undertake the review of the internal control system of client. This will give him enough time to assimilate the controls and implications and will enable him to be more objective in the framing of the audit programme. He will also be in a position to bring to the notice of the management the weaknesses of the system and to suggest measures for improvement. At a further interim date or in the course of the audit, he may ascertain how far the weaknesses have been removed.

From the foregoing, it can be concluded that the extent and the nature of the audit programme is substantially influenced by the internal control system in operation. In deciding upon a plan of test checking, the existence and operation of internal control system is of great significance.
A proper understanding of the internal control system in its content and working also enables an auditor to decide upon the appropriate audit procedure to be applied in different areas to be covered in the audit programme.

In a situation where the internal controls are considered weak in some areas, the auditor might choose an auditing procedure or test that otherwise might not be required; he might extend certain tests to cover a large number of transactions or other items than he otherwise would examine and at times he may perform additional tests to bring him the necessary satisfaction.

For example, normally the distribution of wages is not observed by the auditor. But if the internal control over wages is so weak that there exists a possibility of dummy workers being paid, the auditor might include observation of wages distribution in his programme in order to find out the workers who do not turn up for receipt of wages.

On the other hand, if he is satisfied with the internal control on sales and trade receivables, the auditor can get trade receivables’ balances confirmed at almost any time reasonably close to the balance sheet date. But if the control is weak, he may feel that he should get the confirmation exactly on the date of the year closing so that he may eliminate the risk of errors and frauds occurring between the intervening period. Also, he may in that situation, decide to have a large coverage of trade receivables by the confirmation procedure.

6.2 Evaluation of Internal Control – Methods

A review of the internal control can be done by a process of study, examination and evaluation of the control system installed by the management. The first step involves determination of the control and procedures laid down by the management.
By reading company manuals, studying organisation charts and flow charts and by making suitable enquiries from the officers and employees, the auditor may ascertain the character, scope and efficacy of the control system. The auditor must ask the right people the right questions if he is to get the information he wants. It would be better if he makes written notes of the relevant information and procedures contained in the manual or ascertained on enquiry.

To facilitate the accumulation of the information necessary for the proper review and evaluation of internal controls, the auditor can use one of the following to help him to know and assimilate the system and evaluate the same:

(A) Narrative record
(B) Check List
(C) Internal Control questionnaire and
(D) Flow chart

[Figure: Methods of evaluation of internal control: narrative record, check list, internal control questionnaire, flow chart]

6.2(A) The Narrative Record

This is a complete and exhaustive description of the system as found in operation by the auditor. Actual testing and observation are necessary before such a record can be developed. It may be recommended in cases where no formal control system is in operation and would be more suited to small business. The basic disadvantages of narrative records are that it is quite difficult:

(i) To comprehend the system in operation.
(ii) To identify weaknesses or gaps in the system.
(iii) To incorporate changes arising on account of reshuffling of manpower, etc.

6.2(B) Check List

This is a series of instructions and/or questions which a member of the auditing staff must follow and/or answer. When he completes an instruction, he initials the space against the instruction. Answers to the check list instructions are usually Yes, No or Not Applicable. This is again an on-the-job requirement and instructions are framed having regard to the desirable elements of control.
Example

A few examples of check list instructions are given hereunder:

1. Are tenders called before placing orders?
2. Are the purc
