CHAPTER - 3
Risk Assessment and Internal Control
Audit Risk and Its Components
Inherent Risk
Inherent Risk is susceptibility of assertion about class of transaction, account balance and disclosure (CAD) towards misstatements.
These are risks that arise from entity’s objectives, nature of operations & industry, regulatory environment and its size and complexity.
Control Risk
It is the risk that entity’s internal control system will not prevent, detect and correct material misstatement on a timely basis or such control will be missing.
Some control risk will always exist because there are inherent limitations of any internal control system.
Risk of Material Misstatement
It is anticipated risk that material misstatement may exist in FS prior to audit.
It simply means there is a probability of frauds or errors in FS before audit.
It has two components: Inherent Risk and Control Risk.
ROMM = Inherent Risk x Control Risk
It is influenced by the entity.
It exists at two levels:
The overall financial statement level: ROMM that relate pervasively to FS as a whole and potentially affect many assertions
Assertion level for classes of transactions, account balances, and disclosures: assessed in order to determine NTE of further audit procedures necessary to obtain sufficient appropriate audit evidence
Detection Risk
It is the risk that auditor will not be able to detect a material misstatement that exists in an assertion.
ROMM is inversely related with Detection Risk. (i.e., if ROMM is high, auditor will do more checking, that results in low detection risk)
Detection risk comprises sampling and non-sampling risk.
Auditor can influence detection risk.
It may be reduced by increasing area of checking, testing larger samples and by including competent and experienced persons in engagement team.
Sampling Risk
It is the risk that auditor’s conclusion based on sample may be different from conclusion if entire population were subjected to same audit procedure.
Non-Sampling Risk
It is the risk that auditor reaches an erroneous (wrong) conclusion for any reason not related to sampling risk.
Example: Application of inappropriate audit procedure
Audit Risk
It is a risk that auditor will issue inappropriate opinion while FS are materially misstated. It has two components: ROMM and Detection Risk.
Audit Risk = ROMM x Detection Risk
Objective of auditor is to reduce audit risk to an acceptably low level.
It does not include:
Risks such as loss from litigation, adverse publicity, or other events arising in
connection with audit.
Risk that auditor might express an opinion that FS are materially misstated when
they are not. This risk is ordinarily insignificant.
Misstatement
Misstatement refers to a difference between the amount, classification, presentation, or disclosure of a
reported FS item and the amount, classification, presentation, or disclosure that is required for the item
to be in accordance with applicable FRF.
Misstatements can arise from error or fraud
Examples:
Charging of an item of capital expenditure to revenue or vice-versa
Difference in disclosure of FS item vis-à-vis its requirement in applicable FRF
Selection or application of inappropriate accounting policies
Difference in accounting estimate of FS item vis-à-vis its appropriateness in applicable FRF
Intentional booking of fake expenses in statement of profit and loss
Overstating or understating inventories
Risk Assessment Procedures
Audit procedures performed to obtain understanding of entity & its environment, including internal
control, to identify & assess ROMM, whether due to fraud or error, at financial statement & assertion level.
Information obtained by performing RAP may be used by auditor as audit evidence to support
assessments of ROMM.
RAP includes
The risk assessment procedures shall include following:
1. Inquiries of management and of others within entity who in auditor’s judgment may have information that is likely to assist in identifying ROMM due to fraud or error
2. Analytical procedures
3. Observation and inspection
1. Inquiries of management and of others within entity
Auditor obtains information by inquiries from management and other employees with different levels of authority:
Internal audit personnel: Information about internal audit procedures relating to design and effectiveness of entity’s internal control & whether management has satisfactorily responded to findings from those procedures
Employees involved in initiating, processing or recording complex or unusual transactions: May help auditor to evaluate appropriateness of selection and application of accounting policies
In-house legal counsel: Information about litigation, compliance with laws and regulations, knowledge of fraud or suspected fraud affecting entity, warranties, post-sales obligations etc.
Marketing/sales personnel: Information about changes in entity’s marketing strategies, sale trends, contractual arrangements with its customers.
Risk management function: Information about operational and regulatory risks that may affect financial reporting.
Information systems personnel: Information about system changes, system failures, or system-related risks
2. Analytical Procedures
Analytical procedures help in identifying unusual transactions or events, and amounts, ratios & trends that indicate matters having audit implications.
Identifies aspects of entity of which auditor was unaware; unusual relationships may assist in assessing ROMM, especially from fraud, to provide basis for designing responses to assessed risks.
Includes both financial & non-financial information.
3. Observation and Inspection
Observation & inspection may support inquiries of management & others, and may also provide information about entity & its environment.
Examples involve observation or inspection of following:
Entity’s operations.
Documents, records, and internal control manuals.
Reports prepared by management (such as quarterly management reports & interim financial statements) & TCWG (such as minutes of BOD meetings)
Entity’s premises & plant facilities
Understanding of Entity & its Environment including Entity's Internal Control
SA 315 Identifying and Assessing the Risks of Material Misstatement Through Understanding the Entity
and its Environment states that auditor shall obtain understanding of following:
(a) Relevant industry, regulatory, and other external factors including the applicable FRF
Relevant industry factors include:
industry conditions such as competitive environment,
supplier and customer relationships, and
technological developments
Relevant regulatory environment includes:
applicable FRF
legal & political environment
Other external factors include:
general economic conditions,
interest rates,
availability of financing,
inflation
(b) The nature of entity
The nature of entity, including:
its operations;
its ownership & governance structures;
types of investments that entity is making and plans to make, including investments in special-purpose entities; and
way that entity is structured & how it is financed;
to enable auditor to understand classes of transactions, account balances, and disclosures to be expected in FS
Examples of matters that auditor may consider while obtaining
understanding of nature of entity include:
Business operations such as nature of revenue sources, products or
services, conduct of operations, location, customers & suppliers of goods
& services
Investment activities such as capital investment activities and
acquisitions
Financing activities such as major subsidiaries, debt structure etc.
Financial reporting such as accounting principles & revenue recognition
practices
(c) Entity’s selection & application of accounting policies, reasons for changes
Auditor shall evaluate whether entity’s accounting policies are appropriate for its business & consistent with applicable FRF and accounting policies used in relevant industry
(d) Entity’s objectives & strategies, & business risks that may result in ROMM
To respond to industry, regulatory & other internal and external factors, entity’s management defines objectives, which are overall plans for entity.
Strategies are approaches by which management intends to achieve its objectives. Entity’s objectives and strategies may change over time.
Business risk is broader than ROMM of FS. Business risk may arise from change or complexity.
Auditor does not have responsibility to identify or assess all business risks
because not all business risks give rise to ROMM.
Examples of matters auditor may consider when obtaining an
understanding of the entity’s objectives, strategies & related business risks
that may result in ROMM of FS include:
Industry developments (Example, entity does not have personnel or
expertise to deal with changes in industry).
New products and services (Example, increased product liability).
Expansion of business (Example, demand not accurately estimated).
(e) Measurement and review of entity’s financial performance
Performance measures, external or internal, create pressures on entity. These pressures may motivate management to take action to improve business performance or to misstate FS.
Assists auditor in considering whether pressures to achieve performance targets result in management actions that increase ROMM.
Examples for measuring & reviewing financial performance:
Key performance indicators (financial & non-financial) and key ratios,
trends and operating statistics.
Period-on-period financial performance analyses.
Budgets, forecasts, variance analyses & departmental or other level
performance reports.
Credit rating agency reports
Understanding entity and environment helps auditor in:
planning audit
identifying areas requiring special attention
developing overall audit plan
For conducting audit properly.
Understanding the entity - a continuous process
It is a continuous, dynamic process of gathering, updating and analysing information throughout audit.
Understanding establishes a frame of reference within which auditor plans audit and exercises
professional judgment throughout audit, for example, when:
Assessing ROMM of FS
Determining materiality in accordance with SA 320
Considering appropriateness of selection & application of accounting policies
Identifying areas where special audit consideration may be necessary, for example, related party
transactions, the appropriateness of management’s use of the going concern assumption, or
considering the business purpose of transactions
Developing expectations for use when performing analytical procedures
Evaluating sufficiency and appropriateness of audit evidence obtained. Example: appropriateness of
assumptions and of management’s oral and written representations.