
Materiality and Risk Assessment in Auditing

Chapter 4 discusses materiality, risk assessment, and internal control in auditing, emphasizing the importance of materiality in planning and evaluating audits. It outlines audit risk components, including inherent risk, control risk, and detection risk, and describes a risk-based audit approach that allocates resources to high-risk areas. The chapter also defines internal control systems and their objectives, highlighting their role in ensuring the accuracy and reliability of financial reporting.

Uploaded by

chaudharijay0404

Chapter 4 - Materiality, Risk Assessment & Internal Control

Ch. 4 Materiality, Risk Assessment and Internal Control

CA Rishabh Jain

I - Materiality & Risk Assessment


1) As per SA 320, the concept of materiality is applied by the auditor both in planning and
performing the audit, and in evaluating the effect of identified misstatements on the audit and of
uncorrected misstatements, if any, on the financial statements and in forming the opinion in the
auditor's report.
2) Materiality and audit risk are considered throughout the audit, in particular,
a) When identifying and assessing the risks of material misstatement,
b) Determining the nature, timing and extent of further audit procedures; and
c) Evaluating the effect of uncorrected misstatements, if any, on the financial statements and in
forming the opinion in the auditor's report.
3) Risk assessment assesses the level of risk in the various business processes. Risk assessment
focuses on the business environment, regulatory environment, organisation structure,
organizational and business environmental changes and specific concerns of management and the
audit committee to determine the areas of greatest risk.

AUDIT RISK
1) Audit risk means the risk that the auditor gives an inappropriate audit opinion when the financial
statements are materially misstated. Thus, it is the risk that the auditor may fail to express an
appropriate opinion in an audit assignment.
2) Audit risk is a function of the risks of material misstatement and detection risk.

AUDIT RISK COMPONENTS


INHERENT RISK
1) Susceptibility of an assertion to a misstatement that could be material, individually or when
aggregated with other misstatements, assuming that there are no related controls. Inherent
risk is addressed at both the financial statement level and at the assertion level.
2) Risks of particular concern to the auditor might include:
a) Complex calculations which could be misstated;
b) High value inventory;
c) Accounting estimates that are subject to significant measurement uncertainty
d) Lack of sufficient working capital to continue operations;
e) A declining or volatile industry with many business failures; and
f) Technological developments that might make a particular product obsolete.

CONTROL RISK
1) Risk that the entity’s internal control system will not prevent, or detect and correct on a timely
basis, a misstatement that could be material, individually or when aggregated with other
misstatements.
2) Some control risk will always exist because of inherent limitations of any internal control system.
3) The auditor is required to understand the entity's internal control and perform procedures to
assess the risks of material misstatement at the assertion level.

DETECTION RISK
1) This is the risk that the auditor will not detect a misstatement that exists in an assertion that
could be material, either individually or when aggregated with other misstatements.
2) The acceptable level of detection risk for a given level of audit risk bears an inverse relationship
to the risks of material misstatement at the assertion level.
3) In designing and evaluating the results of performing procedures, the auditor should consider the
possibility of:
a) Selecting an inappropriate audit procedure;
b) Misapplying an appropriate audit procedure; or
c) Misinterpreting the results from an audit procedure.

Audit Risk = Risk of Material Misstatement x Detection Risk ------ (1)

Risk of Material Misstatement = Inherent Risk x Control Risk ------ (2)


From (1) and (2), we arrive at-

Audit Risk = Inherent Risk x Control Risk x Detection Risk

It should be noted that the combined level of Inherent Risk and Control Risk is
inversely related with Detection Risk, and Audit Materiality is also inversely
related with Audit Risk.

ASSERTION
OBJECTIVE OF AUDIT
SA 315, “Identifying and Assessing the Risks of Material Misstatement Through Understanding
the Entity and Its Environment” categorises the types of assertions used by the auditor to consider
the different types of potential misstatements that may occur.

ASSERTIONS ABOUT CLASSES OF TRANSACTIONS AND EVENTS FOR THE PERIOD UNDER AUDIT
a) Occurrence: Transactions and events that have been recorded have occurred and pertain to the
entity.
b) Completeness: All transactions and events that should have been recorded have been recorded.
c) Accuracy: Amounts and other data relating to recorded transactions and events have been
recorded appropriately.


d) Cut-off: Transactions and events have been recorded in the correct accounting period.
e) Classification: Transactions and events have been recorded in the proper accounts.

ASSERTIONS ABOUT ACCOUNT BALANCES AT THE PERIOD END


a) Existence: Assets, liabilities, and equity interests exist.
b) Rights and obligations: The entity holds or controls the rights to assets, and liabilities are the
obligations of the entity.
c) Completeness: All assets, liabilities and equity interests that should have been.
d) Valuation and allocation: Assets, liabilities, and equity interests are included in the FS at
appropriate amounts and any resulting valuation or allocation adjustments are appropriately
recorded.

ASSERTIONS ABOUT PRESENTATION AND DISCLOSURE


a) Occurrence and rights and obligations: Disclosed events, transactions, and other matters have
occurred and pertain to the entity.
b) Completeness: All disclosures that should have been included in the financial statements have
been included.
c) Classification and understandability: Financial information is appropriately presented and
described, and disclosures are clearly expressed.
d) Accuracy and valuation: Financial and other information are disclosed fairly and at appropriate
amounts.
NOTES:
1) Auditors are required to assess the risks of material misstatement at two levels. The first is at
the overall financial statement level, which refers to risks of material misstatement that relate
pervasively to the financial statements as a whole and potentially affect many assertions.
2) The second relates to risks identifiable with specific assertions at the class of transactions,
account balance, or disclosure level. This means that for each account balance, class of
transactions and disclosure, an assessment of risk (such as high, moderate, or low) should be made
for each individual assertion being addressed.

STEPS FOR RISK IDENTIFICATION


1) Assess the significance of the assessed risk and the impact of its occurrence.
2) Determine the likelihood for assessed risk to occur and its impact on our auditing procedures.
3) Document the assertions that are affected.
4) Consider the impact of the risk on each of the assertions relevant to the account balance, class of
transactions, or disclosure.
5) Identify the degree of significant risks that would require separate attention and response by
the auditor.
6) Enquire and document the management's response.


7) Consider the nature of the internal control system in place and its possible effectiveness in
mitigating the risks involved. Identify whether the controls are:
a) Routine in nature (occur daily) or periodic such as monthly.
b) Designed to prevent or detect and correct errors.
c) Manual or automated.
8) Consider any unique characteristics of the risk.

POSSIBLE POTENTIAL MISSTATEMENTS - INDICATIONS


COMPLETENESS
a) Transactions not identified
b) Source documents not prepared
c) Source documents not captured
d) Rejected source documents not represented

EXISTENCE
a) Fictitious or unauthorised transactions entered on source documents
b) Source documents overstated.
c) Transactions duplicated on source documents
d) Capture of source documents duplicated
e) Invalid source documents captured on subsidiary ledgers

RECORDING
a) Source documents captured inaccurately
b) Processing of transactions is inaccurate
c) Inaccurate adjustments made in subsidiary ledgers

CUT-OFF PROCEDURES
Transactions that occur in one period are recorded in another period.

II- Risk-based Audit Approach


1) Risk-based audit (RBA) is an approach to audit that analyzes audit risks, sets materiality
thresholds based on audit risk analysis and develops audit programmes that allocate a larger
portion of audit resources to high-risk areas.
2) RBA is an essential element of financial audit- both in the attest audit of the financial statements
and in the audit of financial systems and transactions including evaluation of internal controls.
3) It focuses primarily on the identification and assessment of the financial statement
misstatement risks and provides a framework to reduce the impact to the financial statement of
these identified risks to an acceptable level before rendering an opinion on the financial
statements.


4) It also provides indicators of risks as a basis of opportunity for improvement of auditee risk
management and control processes.
5) In the context of performance audit, it is the risk to delivery of an activity or scheme or
programme of the entity with economy, efficiency and effectiveness.

GENERAL STEPS IN THE CONDUCT OF RBA


This involves the following three key steps:
a) Risk assessment: Assessing the risks of material misstatement in the financial statements
b) Risk response: Designing and performing further audit procedures that respond to assessed risks
and reduce the risks of material misstatements in the financial statements to an acceptably low
level; and
c) Reporting: Issuing an appropriate audit report based on the audit findings.

A) RISK ASSESSMENT
The risk assessment phase of the audit involves the following steps:
1) Performing client acceptance or continuance procedures;
2) Planning the overall engagement;
3) Performing risk assessment procedures to understand the business and identify inherent and
control risks;
4) Identifying relevant internal control procedures and assessing their design and implementation
5) Assessing the risks of material misstatement in the financial statements;
6) Identifying the significant risks that require special audit consideration
7) Communicating any material weaknesses in the design and implementation of internal control to
management and TCWG and
8) Making an informed assessment of the risks of material misstatement at the financial statement
level.

B) RISK RESPONSE
1) This phase of the audit is to design and perform further audit procedures that respond to the
assessed risks of material misstatement.
2) Matters the auditor should consider when planning the audit procedures include:
a) Assertions that cannot be addressed by substantive procedures alone.
b) Existence of internal control that, if tested, could reduce the need/scope for other
substantive procedures.
c) The potential for substantive analytical procedures.
d) The need to incorporate an element of unpredictability in procedures performed.
3) Audit procedures designed to address the assessed risks could include a mixture of:
a) Tests of the operational effectiveness of internal control; and
b) Substantive procedures such as tests of details and analytical procedures.


C) REPORTING
1) The final phase of the audit is to assess the audit evidence obtained and determine whether it is
sufficient and appropriate to reduce the risks of material misstatement in the financial statements
to an acceptably low level.
2) It is important at this stage to determine:
a) If there had been a change in the assessed level of risk;
b) Whether conclusions drawn from work performed are appropriate; and
c) If any suspicious circumstances have been encountered.
3) Any additional risks should be appropriately assessed, and further audit procedures performed as
required.
4) When all procedures have been performed and conclusions reached:
a) Audit findings should be reported to management and those charged with governance; and
b) An audit opinion should be formed, and a decision made on the appropriate wording for the
auditor's report.

AUDIT RISK ANALYSIS


1) The auditor should perform an analysis of the audit risks that impact on the auditee before
undertaking specific audit procedures.
2) It is the risk that the auditor may unknowingly fail to appropriately modify his opinion on financial
statements that are materially misstated.

3) Audit risks are brought about by error and fraud:
a) Error is an unintentional mistake resulting from omission, as when legitimate transactions
and/or balances are excluded from the financial statements; or by commission, as when erroneous
transactions and/or balances are included in the financial statements.
b) Fraud is an intentional misstatement in the accounting records or supporting documents from
which the financial statements are prepared. It is intended to deceive financial statement users
or to conceal misappropriations.

4) Fraud risk involves:


a) Manipulation, falsification of accounting records, or
b) Misrepresentation in the financial statements of events, transactions or other significant
information, or
c) Misapplication of accounting principles or
d) Misappropriation of funds.


III- Internal Control System

WHAT IS INTERNAL CONTROL SYSTEM


1) "Internal Control System" means all the policies and procedures (internal controls) adopted by
the management of an entity to assist in achieving management's objective of ensuring, as far as
practicable,
a) The orderly and efficient conduct of its business,
b) Including adherence to management policies,
c) The safeguarding of assets,
d) The prevention and detection of fraud and error,
e) The accuracy and completeness of the accounting records, and
f) The timely preparation of reliable financial information.
2) SA 315 defines the system of internal control as the process designed, implemented and
maintained by those charged with governance, management and other personnel to provide
reasonable assurance about the achievement of an entity's objectives with regard to
a) Reliability of financial reporting,
b) Effectiveness and efficiency of operations,
c) Safeguarding of assets, and
d) Compliance with applicable laws and regulations

SCOPE OF INTERNAL CONTROLS


1) The scope of internal controls extends beyond mere accounting controls and includes all
administrative controls concerned with the decision-making process leading to management's
authorization of transactions.
2) In an independent financial audit, the auditor is primarily concerned with those policies and
procedures having a bearing on the assertions underlying the financial statements.
3) These comprise primarily controls relating to
a) Safeguarding of assets,
b) Prevention and detection of fraud and error,
c) Accuracy and
d) Completeness of accounting records and
e) Timely preparation of reliable financial information.
4) Fundamental to a system of internal control is that it is integral to the activities of the company,
and not something practiced in isolation.


Internal Control System:
a) Facilitates the effectiveness and efficiency of operations
b) Helps ensure the reliability of internal and external financial reporting
c) Assists compliance with laws and regulations
d) Helps safeguarding the assets of the entity

OBJECTIVES OF INTERNAL CONTROL SYSTEM


1) The objectives of internal controls relating to the accounting system are:
a) Transactions are executed through general or specific management authorization.
b) All transactions are promptly recorded in an appropriate manner.
c) Assets and records are safeguarded from unauthorized access, use or disposition.
d) Assets are verified at reasonable intervals and appropriate action is taken with regard to the
discrepancies.
2) Precisely, the control objectives ensure that the transactions processed are complete, valid and
accurate.
3) The basic accounting control objectives which are sought to be achieved by any accounting control
system are to ensure that all transactions are:
a) Recorded
b) Real
c) Properly valued
d) Recorded timely
e) Properly posted
f) Properly classified & disclosed
g) Properly summarized

LIMITATIONS OF INTERNAL CONTROL


1) Internal control, no matter how effective, can provide an entity with only reasonable assurance
and not absolute assurance about achieving the entity's operational, financial reporting and
compliance objectives.
2) Internal control systems are subject to certain inherent limitations, such as:
a) Management's consideration that the cost of an internal control does not exceed the
expected benefits to be derived.
b) The fact that most internal controls do not tend to be directed at transactions of unusual
nature.
c) The potential for human error.
d) Collusion with employees or with parties outside the entity.
e) The possibility that a person responsible for exercising an internal control could abuse that
responsibility.
f) Manipulations by management with respect to transactions or estimates.


STRUCTURE OF INTERNAL CONTROL


SEGREGATION OF DUTIES
1) Transaction processing is allocated to different persons in such a manner that no one person can
carry through the completion of a transaction from start to finish, or the work of one person is
made complementary to the work of another person.
2) The purpose is to minimize the occurrence of fraud and errors and to detect them on a timely basis,
when they take place.
3) The following functions are segregated –
a) Authorization of transactions;
b) Execution of transactions;
c) Physical custody of related assets; and
d) Maintenance of records and documents, while allocating duties.

AUTHORIZATION OF TRANSACTION
1) Management is required to establish delegation of authority to different levels and to particular
persons for controlling the execution of transactions in accordance with prescribed
conditions.
2) Authorization may be general or it may be specific with reference to a single transaction.

ADEQUACY OF RECORDS AND DOCUMENTS


Accounting controls should ensure that –
a) Transactions are executed in accordance with management's general or specific authorization.
b) Transactions and other events are promptly recorded at correct amounts.
c) Transactions should be classified in appropriate accounts and in the appropriate period to which
they relate.
d) Transactions should be recorded in a manner so as to facilitate preparation of financial statements
in accordance with applicable accounting standards, other accounting policies and practices and
relevant statutory requirements.
e) Recording of transactions should facilitate maintaining accountability for assets.

ACCOUNTABILITY AND SAFEGUARDING OF ASSETS


1) The process of accountability of assets commences from the acquisition of assets and continues
through their use and final disposal. Safeguarding of assets requires appropriate maintenance of
records and their periodic reconciliation with the related assets.
2) Assets like cash, inventories, investment scrips require frequent physical verification with book
records.
3) The frequency of reconciliation would differ for different assets depending upon their nature and
amount.
4) Assets which are considered sensitive or susceptible to error need to be reconciled more
frequently than others.


5) For proper safeguarding of assets, only authorized personnel should be given access to such assets.
This means not only physical access but also exercising control over the processing of documents
relating to authorization for use and disposal of assets.

INDEPENDENT CHECKS
Independent verification of the control systems, designed and implemented by the management,
involves periodic or regular review by independent persons to ascertain whether the control
procedures are operating effectively or not.

WHEN OBTAINING AUDIT EVIDENCE ABOUT THE EFFECTIVE OPERATION OF INTERNAL CONTROLS, THE AUDITOR CONSIDERS:
a) How they were applied,
b) The consistency with which they were applied during the period and
c) By whom they were applied.

EVALUATION OF DEVIATIONS
1) The concept of effective operation recognises that some deviations may have occurred.
Deviations from prescribed controls may be caused by such factors as
a) Changes in key personnel,
b) Significant seasonal fluctuations in volume of transactions and
c) Human error.
2) When deviations are detected the auditor makes specific inquiries regarding these matters,
particularly, the timing of staff changes in key internal control functions. The auditor then ensures
that the tests of control appropriately cover such a period of change or fluctuation.
3) Based on the results of the tests of control, the auditor should evaluate whether the internal
controls are designed and operating as contemplated in the preliminary assessment of control
risk.
4) The evaluation of deviations may result in the auditor concluding that the assessed level of
control risk needs to be revised.
5) The auditor should consider whether the internal controls were in use throughout the period.

IV - Components Of Internal Controls

Internal Control System:
a) Control Environment
b) Entity’s Risk Assessment Process
c) Control activities
d) Information system and communication
e) Monitoring of Controls


CONTROL ENVIRONMENT
The control environment encompasses the following elements:
a) Communication and enforcement of integrity and ethical values: The effectiveness of controls
cannot rise above the integrity and ethical values of the people who create, administer, and monitor
them.
b) Commitment to competence: Competence is the knowledge and skills necessary to accomplish
tasks that define the individual's job.
c) Participation by those charged with governance: An entity's control consciousness is influenced
significantly by TCWG. The importance of the responsibilities of TCWG is recognised in codes of
practice and other laws and regulations or guidance produced for the benefit of TCWG.
d) Management's philosophy and operating style: Management's philosophy and operating style
encompass a broad range of characteristics.
e) Organisational structure: Establishing a relevant organizational structure includes considering
key areas of authority and responsibility and appropriate lines of reporting.
f) Assignment of authority and responsibility: The assignment of authority and responsibility may
include policies relating to appropriate business practices, knowledge and experience of key
personnel, and resources provided for carrying out duties.
g) Human resource policies and practices: Human resource policies and practices often demonstrate
important matters in relation to the control consciousness of an entity.

ENTITY'S RISK ASSESSMENT PROCESS


1) The entity's risk assessment process includes how management identifies business risks relevant
to the preparation of financial statements in accordance with the entity's applicable FRF,
estimates their significance, assesses the likelihood of their occurrence, and decides upon actions
to respond to and manage them and the results thereof.
2) Risks can arise or change due to circumstances such as the following:
a) Changes in operating environment.
b) New personnel.
c) New or revamped information systems.
d) Rapid growth.
e) New technology.
f) New business models, products, or activities.
g) Corporate restructurings.
h) Expanded foreign operations.
i) New accounting pronouncements.

CONTROL ACTIVITIES
Generally, control activities that may be relevant to an audit may be categorised as policies and
procedures that pertain to the following:
1) Performance reviews: These control activities include reviews and analyses of actual performance
versus budgets, forecasts, and prior period performance; relating different sets of data.
2) Information processing: The two broad groupings of information systems control activities are
application controls, which apply to the processing of individual applications, and general
IT-controls.
3) Physical controls: Controls that encompass:
a) The physical security of assets, including adequate safeguards such as secured facilities over
access to assets and records.
b) The authorisation for access to computer programs and data files.
c) The periodic counting and comparison with amounts shown on control records
4) Segregation of duties: Assigning different people the responsibilities of authorising
transactions, recording transactions, and maintaining custody of assets. Segregation of duties is
intended to reduce the opportunities to allow any person to be in a position to both perpetrate and
conceal errors or fraud in the normal course of the person's duties.

INFORMATION SYSTEM, INCLUDING THE RELATED BUSINESS PROCESSES, RELEVANT TO FINANCIAL REPORTING, AND COMMUNICATION
1) An information system consists of infrastructure (physical and hardware components), software,
people, procedures, and data. Many information systems make extensive use of information
technology (IT).
2) The information system relevant to financial reporting objectives, which includes the financial
reporting system, encompasses methods and records that:
a) Identify and record all valid transactions.
b) Describe on a timely basis the transactions in sufficient detail to permit proper classification
of transactions for financial reporting.
c) Measure the value of transactions in a manner that permits recording their proper monetary
value in the financial statements.
d) Determine the time period in which transactions occurred to permit recording of transactions
in the proper accounting period.
e) Present properly the transactions and related disclosures in the financial statements.

MONITORING OF CONTROLS
1) Management's monitoring of controls includes considering whether they are operating as intended
and that they are modified as appropriate for changes in conditions.
2) Monitoring of controls may include activities such as,
a) Management's review of whether bank reconciliations are being prepared on a timely basis,
b) Internal auditors' evaluation of sales personnel's compliance with the entity's policies on
terms of sales contracts, and
c) A legal department's oversight of compliance with the entity's ethical or business practice
policies.
3) Monitoring is done also to ensure that controls continue to operate effectively over time.


4) Internal auditors or personnel performing similar functions may contribute to the monitoring of
an entity's controls through separate evaluations.
5) Monitoring activities may include using information from communications from external parties
that may indicate problems or highlight areas in need of improvement.
6) In addition, regulators may communicate with the entity concerning matters that affect the
functioning of internal control.

INTERNAL CHECK SYSTEM


1) Internal check system implies organization of the overall system of book-keeping and arrangement
of staff duties in such a way that no one person can carry through a transaction and record every
aspect thereof.
2) The following are the objectives of the internal check system:
a) To detect error and frauds with ease.
b) To avoid and minimize the possibility of commission of errors and fraud by any staff.
c) To increase the efficiency of the staff working within the organization.
d) To locate the responsibility area or the stages where actual fraud and error occur.
e) To prevent and avoid the misappropriation or embezzlement of cash and falsification of
accounts.
3) The effectiveness of an efficient system of internal check depends on the following
considerations-
(i) Clarity of Responsibility - The responsibility of different persons engaged in various
operations of business transactions should be properly identified.
(ii) Division of Work - The segregation of work should be made in such a manner that the free flow
of work is not interrupted and also helps to determine that the work of one person is
complementary to the other.
(iii) Standardization - The entire process of accounting should be standardized by creating
suitable policies commensurate with the nature of the business, so as to strengthen the
system of internal check.
(iv) Appraisal - Periodic review should be made of the chain of operations and workflow. Such
process may be carried out by preparing an audit flow chart.
4) The general condition pertaining to the internal check system may be summarized as under:
a) No single person should have complete control over any important aspect of the business
operation. Every employee's action should come under the review of another person.
b) Staff duties should be rotated from time to time so that members do not perform the same
function for a considerable length of time.
c) Every member of the staff should be encouraged to go on leave at least once a year.
d) Persons having physical custody of assets must not be permitted to have access to the books of
accounts.
e) There should exist an accounting control in respect of each class of assets, in addition, there
should be periodical inspection so as to establish their physical condition.

f) Mechanical devices should be used, wherever practicable, to prevent loss or
misappropriation of cash.

INTERNAL AUDIT
1) Internal audit may be defined as, an independent appraisal function established within an
organization to examine and evaluate its activities as a service to the organization.
2) The scope of the internal audit is determined by the management. (Refer Chapter 16 for more
details)

V - Review of the System of Internal Controls


1) The control environment sets the tone of an organization, influencing the control consciousness of
its people.
2) Evaluating the design of a control involves considering whether the control, individually or in
combination with other controls, is capable of effectively preventing, or detecting and correcting,
material misstatements.
3) Implementation of a control means that the control exists and that the entity is using it.
4) An entity's system of internal control contains manual elements and often contains automated
elements.
5) The use of manual or automated elements in internal control also affects the manner in which
transactions are initiated, recorded, processed, and reported.
6) Manual elements in internal control may be more suitable where judgment and discretion are
required such as for the following circumstances:
a) Large, unusual or non-recurring transactions.
b) Circumstances where errors are difficult to define, anticipate or predict.
c) In changing circumstances that require a control response outside the scope of an existing
automated control.
d) In monitoring the effectiveness of automated controls.

THE REVIEW OF THE INTERNAL CONTROL SYSTEM ENABLES THE AUDITOR


1) To formulate his opinion as to the reliance he may place on the system itself i.e. whether the
system is such as would enable the management to produce a true and fair set of financial
statements; and
2) To locate the areas of weakness in the system so that the audit programme and the nature, timing
and extent of substantive and compliance audit procedures can be adjusted to meet the situation.


VI - Internal Control Assessment & Evaluation


Following are some of the key components to assess & evaluate the controls environment:
Standard Operating Procedures (SOPs): A well-defined set of SOPs helps define roles,
responsibilities, processes & controls & thus helps clearly communicate the operating controls to all
touch points of a process. The controls are likely to be clearly understood & consistently applied even
during employee turnover.

1) Enterprise Risk Management - A robust process to identify & mitigate risks across the
enterprise, together with its periodical review, will assist in early identification of gaps
& in taking effective control measures.

2) Segregation of Job Responsibilities - Segregation of duties is an important element of control
such that no two commercial activities should be conducted by the same person.

3) Job Rotation in Sensitive Areas - Any job carried out by the same person over a long period of
time is likely to lead to complacency & possible misuse in sensitive areas. It is therefore
important that in key commercial functions, job rotation is regularly followed to avoid
degeneration of controls.

4) Delegation of Financial Powers Document - A clearly defined document on delegation of powers
allows controls to be clearly operated without being dependent on individuals.

5) Information Technology based Controls - With the advent of computers & enterprise resource
planning (ERP) systems, it is much easier to embed controls through the system instead of being
human dependent. IT embedded controls are likely to have a low failure rate & a better audit
trail, & are thus easier to monitor.

TECHNIQUES OF EVALUATION OF INTERNAL CONTROL


The following are the methods of recording:
QUESTIONNAIRE
1) A questionnaire is a set of questions framed in an organised manner, about each functional area,
whose purpose is to evaluate the effectiveness of control and to detect its weaknesses,
if any.
2) A questionnaire usually consists of several separate sections devoted to areas such as purchases,
sales, trade receivables, trade payables, wages, etc.
3) The questionnaire is intended to be filled by the company executives who are in charge of the
various areas.
4) Questions are generally framed so as to dispense with the requirement of a detailed answer to
each question. For this purpose, one general question is often broken down into a number of
questions and sub-questions to enable the executive to provide just a 'Yes', 'No' or 'Not
applicable' form of reply.


5) Questions are also framed in such a manner that generally a “No” answer will reflect weakness in
the control system.
6) The only thing that should be borne in mind is that the scheme of questions should be consistent,
sequential, logical, and if possible corroborative.
7) For the first year of an engagement, issue of the questionnaire is necessary.
8) For subsequent years, the auditor, instead of issuing a questionnaire again, may request the client
to confirm whether any change in the nature and scope of business has taken place that
necessitated a corresponding change in the control system, or whether, even without a change in
the nature and scope of business, the control system has undergone a change.
9) If there has been a change, the auditor should take note of it and enter appropriate comments
on the relevant part of the questionnaire.

In the use of standardized internal control questionnaire, certain basic assumptions about
elements of good control are taken into account. These are -
a) Certain procedures generally used by most business concerns are essential in achieving reliable
internal control. This is a time-tested assumption.
b) Organisations are such that they permit an extensive division of duties and responsibilities.
c) Employees concerned with the accounting function are not assigned any custodial function.
d) No single person is entrusted with the responsibility of completing a transaction all by himself.
e) The work performed by each one is expected to come under review of another in the usual course
of routine.
CHECK LIST
1) It is a series of instructions or questions on internal control which the auditor must follow or
answer. When a particular instruction is carried out, the auditor initials the space opposite the
instruction.
2) If it is in the form of a question, the answer generally 'Yes', 'No' or 'Not Applicable' is entered
opposite the question.
3) A check list is more in the nature of a reminder to the auditor about the matters to be checked for
testing the internal control system. While a questionnaire is basically a set of questions put to the
client, a check list, which may be in the form of instructions, questions or just points to be checked,
may be meant for the auditor's own staff if it is a set of instructions or points; it may be meant for
the client if it is in the form of questions.

The basic distinctions between the internal control questionnaire (ICQ) and the check list are as under:
1) The ICQ incorporates a large number of detailed questions but the check list generally contains
questions relating to the main control objective with the area under review.
2) In the ICQ, the weaknesses are highlighted by 'Yes' while in the check list, they are indicated by 'No'.
3) A 'No' in an ICQ does indicate a weakness, but the significance of that
weakness is not revealed automatically. However, in the check list, a specific statement is
required where an apparent weakness may prove to be material in relation to the accounts as a
whole.


FLOW CHART
1) It is a graphic presentation of internal controls in the organisation and is normally drawn up to
show the controls in each section or sub-section.
2) As distinct from a narrative form, it provides the most concise and comprehensive way for
reviewing the internal controls and the evaluator's findings.
3) It gives a bird's eye view of the system and is drawn up as a result of the auditor's review
thereof. It should, however, not be understood that details are not reflected in a flow chart.
4) Essentially a flow chart is a diagram full of lines and symbols and, if judicious use of them can
be made, it is probably the most effective way of presenting the state of internal controls in the
client's organisation.

A properly drawn up flow chart can provide a neat visual picture of the whole activities of the
section or department involving flow of documents and activities. More specifically it can show -
(i) At what point a document is raised internally or received from external sources;
(ii) The number of copies in which a document is raised or received;
(iii) The intermediate stages set sequentially through which the document and the activity pass;
(iv) Distribution of the documents to various sections, department or operations;
(v) Checking, authorisation and matching at relevant stages;
(vi) Filing of the documents; and
(vii) Final disposal by sending out or destruction.

VII - Reporting to Clients on Internal Control Weaknesses


1) During the course of audit work, the auditor may notice material weaknesses in the internal control
system. Material weaknesses are defined as absence of adequate controls on flow of transactions
that increases the possibility of errors and frauds in the financial statements of the entity.
Example:
If a monthly age-wise analysis of trade receivables is not performed, it may result in
inadequate provisioning of bad debts for the fiscal year under audit.
2) The auditor should communicate such material weaknesses to the management or the audit
committee, if any, on a timely basis. This communication should be, preferably, in writing through a
letter of weakness or management letter.
3) Important points with regard to such a letter are as follows:

(a) The letter lists down the area of weaknesses in the system and offers suggestions for
improvement.
(b) It should clearly indicate that it discusses only weaknesses which have come to the
attention of the auditor as a result of his audit and that his examination has not been
designed to determine the adequacy of internal control for management.


(c) This letter serves as a valuable reference document for management for the purpose
of revising the system and insisting on its strict implementation.
(d) The letter may also serve to minimize legal liability in the event of a major defalcation
or other loss resulting from a weakness in internal control.

In certain cases, the auditor was acquitted of the charge of negligence for employee's fraud
in view of the fact that he had already informed the client about the unsatisfactory state in
the specific areas of accounts and had suggested improvements which were not acted upon by
the management.

SA 265 ON "COMMUNICATING DEFICIENCIES IN INTERNAL CONTROL TO THOSE CHARGED WITH GOVERNANCE AND MANAGEMENT"
1) This Standard on Auditing (SA) deals with the auditor's responsibility to communicate
appropriately to those charged with governance (TCWG) and management deficiencies in internal control that the auditor has
identified in an audit of financial statements. This SA does not impose additional responsibilities
on the auditor regarding obtaining an understanding of internal control and designing and
performing tests of controls over and above the requirements of SA 315 and SA 330.
2) The objective of the auditor is to communicate appropriately to those charged with governance
and management deficiencies in internal control that the auditor has identified during the audit and
that, in the auditor's professional judgment, are of sufficient importance to merit their respective
attentions.
3) The auditor shall determine whether, on the basis of the audit work performed, the auditor has
identified one or more deficiencies in internal control.
4) If the auditor has identified one or more deficiencies in internal control, the auditor shall
determine, on the basis of the audit work performed, whether, individually or in combination, they
constitute significant deficiencies.
5) The auditor shall communicate in writing significant deficiencies in internal control identified
during the audit to TCWG on a timely basis.
6) The auditor shall also communicate to management at an appropriate level of responsibility on a
timely basis:
(a) In writing, significant deficiencies in internal control that the auditor has communicated or
intends to communicate to those charged with governance, unless it would be inappropriate to
communicate directly to management in the circumstances; and
(b) Other deficiencies in internal control identified during the audit that have not been
communicated to management by other parties and that, in the auditor's professional judgment,
are of sufficient importance to merit management's attention.


7) The auditor shall include in the written communication of significant deficiencies in
internal control:
(a) A description of the deficiencies and an explanation of their potential effects; and
(b) Sufficient information to enable TCWG and management to understand the context of the
communication. In particular, the auditor shall explain that:
i) The purpose of the audit was for the auditor to express an opinion on the financial
statements;
ii) The audit included consideration of internal control relevant to the preparation of the
financial statements in order to design audit procedures that are appropriate in the
circumstances, but not for the purpose of expressing an opinion on the effectiveness of
internal control; and
iii) The matters being reported are limited to those deficiencies that the auditor has
identified during the audit and that the auditor has concluded are of sufficient importance
to merit being reported to those charged with governance.

Based upon Risks of Material Misstatements Identified and Assessed by the Auditor, Auditor Develops Responses to Assessed Risks. [SA 330]

OBJECTIVE OF AUDITOR IN THIS SA


1) The objective of the auditor in accordance with SA 330 is to obtain sufficient appropriate audit
evidence about the assessed risks of material misstatement, through designing and implementing
appropriate responses to those risks.
2) SA 330 states that:
a) The auditor shall design and implement overall responses to address the assessed risks of
material misstatement at the financial statement level.
b) The auditor shall design and perform further audit procedures whose nature, timing and
extent are based on and are responsive to the assessed risks of material misstatement at the
assertion level.

SCOPE OF THIS SA
SA 330, “The Auditor's Responses to Assessed Risks” deals with the auditor's responsibility to
design and implement responses to the risks of material misstatement identified and assessed by the
auditor in accordance with SA 315.

IN DESIGNING THE FURTHER AUDIT PROCEDURES TO BE PERFORMED, THE AUDITOR SHALL


1) Consider the reasons for the assessment given to the risk of material misstatement at the
assertion level for each class of transactions, account balance, and disclosure, including:


a) The likelihood of material misstatement due to the particular characteristics of the relevant
class of transactions, account balance, or disclosure (i.e., the inherent risk); and
b) Whether the risk assessment takes into account the relevant controls (i.e., the control risk),
thereby requiring the auditor to obtain audit evidence to determine whether the controls are
operating effectively (i.e., the auditor intends to rely on the operating effectiveness of
controls in determining the nature, timing and extent of substantive procedures); and
2) Obtain more persuasive audit evidence the higher the auditor's assessment of risk.

THE AUDITOR SHALL DESIGN & PERFORM TESTS OF CONTROLS TO OBTAIN SUFFICIENT
APPROPRIATE AUDIT EVIDENCE AS TO THE OPERATING EFFECTIVENESS OF RELEVANT CONTROLS
WHEN
1) The auditor's assessment of risks of material misstatement at the assertion level includes an
expectation that the controls are operating effectively (i.e., the auditor intends to rely on the
operating effectiveness of controls in determining the nature, timing and extent of substantive
procedures); or
2) Substantive procedures alone cannot provide sufficient appropriate audit evidence at the
assertion level.
3) In designing and performing tests of controls, the auditor shall obtain more persuasive audit
evidence the greater the reliance the auditor places on the effectiveness of a control.
Irrespective of the assessed risks of material misstatement, the auditor shall design and perform
substantive procedures for each material class of transactions, account balance, and disclosure.

VII - INTERNATIONAL INTERNAL CONTROL FRAMEWORKS


An overview of different internal control frameworks followed internationally is given below:
A. Internal Control - Integrated Framework issued by Committee of the Sponsoring
Organisations of the Treadway Commission (COSO Framework).

1) COSO's Internal Control – Integrated Framework was introduced in 1992 as guidance on how
to establish better controls so companies can achieve their objectives.
2) COSO categorizes entity-level objectives into operations, financial reporting, and
compliance.
3) The framework includes more than 17 basic principles representing the fundamental concepts
associated with its five components:
a) Control environment,
b) Risk assessment,
c) Control activities,
d) Information and communication, and
e) Monitoring.

4) Here are the titles of the 17 internal control principles by internal control component as
presented in COSO's framework:


Control Environment
• Demonstrates commitment to integrity and ethical values
• Exercises oversight responsibility
• Establishes structure, authority, and responsibility
• Demonstrates commitment to competence
• Enforces accountability

Risk Assessment
• Specifies suitable objectives
• Identifies and analyses risk
• Assesses fraud risk
• Identifies and analyses significant change

Control Activities
• Selects and develops control activities
• Selects and develops general controls over technology
• Deploys through policies and procedures

Information and Communication
• Uses relevant information
• Communicates internally
• Communicates externally

Monitoring
• Conducts ongoing and/or separate evaluations
• Evaluates & communicates deficiencies

5) The COSO Framework is designed to be used by organizations to assess the effectiveness of
the system of internal control to achieve objectives as determined by management. The
Framework lists three categories of objectives as below:
a) Operations Objectives
b) Reporting Objectives
c) Compliance objectives

B. Guidance on Assessing Control published by the Canadian Institute of Chartered
Accountants (CoCo)

1) CoCo was introduced in 1992 with the objective of improving organizational performance and
decision-making with better controls, risk management, and corporate governance.
2) The Criteria of Control (CoCo) framework was developed by the Canadian Institute of
Chartered Accountants with the objective of improving organisational performance and decision
making with better controls, risk management, and corporate governance.
3) The framework includes 20 criteria for effective control in four areas of an organization:
purpose (direction), commitment (identity and values), capability (competence), and monitoring
and learning (evolution).
4) The CoCo framework outlines criteria for effective control in the following four areas:
a) Purpose
b) Commitment
c) Capability
d) Monitoring and Learning


C. Control Objectives for Information and Related Technology (COBIT)


1) COBIT stands for Control Objectives for Information and Related Technology.
2) It is a framework created by the ISACA (Information Systems Audit and Control Association)
for IT governance and management.
3) COBIT has 34 high-level processes that cover 210 control objectives categorized in four
domains:
a) Planning and organization,
b) Acquisition and implementation,
c) Delivery and support, and
d) Monitoring and evaluation.

4) It is designed as a supportive tool for managers and allows bridging the crucial gap between
technical issues, business risks and control requirements.

5) This framework guides an organization on how to use IT resources (i.e., applications,
information, infrastructure, and people) to manage IT domains, processes, and activities to
respond to business requirements, which include compliance, effectiveness, efficiency,
confidentiality, integrity, availability, and reliability.

D. Internal Control: Guidance for Directors on the Combined Code, published by the
Institute of Chartered Accountants in England & Wales (known as the Turnbull Report)

1) The key principles of the Code are enunciated as below:


a) The board should maintain a sound system of internal control to safeguard shareholders'
investment and the company's assets.
b) The directors should, at least annually, conduct a review of the effectiveness of the group's
system of internal control and should report to shareholders that they have done so. The
review should cover all controls, including financial, operational and compliance controls and
risk management.
c) Companies which do not have an internal audit function should from time to time review
the need for one.
2) The guidance requires directors to exercise judgement in reviewing how the company has
implemented the requirements of the Code relating to internal control and reporting to
shareholders thereon.

E. Sarbanes-Oxley Section 404

1) SOX Section 404 (Sarbanes-Oxley Act Section 404) mandates that all publicly-traded
companies must establish internal controls and procedures for financial reporting and must
document, test and maintain those controls and procedures to ensure their effectiveness.
2) The purpose of SOX is to reduce the possibilities of corporate fraud by increasing the
stringency of procedures and requirements for financial reporting.


3) It regulates the audits of public companies and SEC-registered brokers and dealers in order to
protect investors and further the public interest in the preparation of informative, accurate,
and independent audit reports.
4) The SEC rules and PCAOB standard require that:
a) Management perform a formal assessment of its controls over financial reporting including
tests that confirm the design and operating effectiveness of the controls.
b) Management include in its annual report an assessment of internal control over financial reporting (ICFR).
c) The external auditors provide two opinions as part of a single integrated audit of the
company:
i) An independent opinion on the effectiveness of the system of ICFR.
ii) The traditional opinion on the financial statements.

Guidance Note on Audit of Internal Financial Controls Over Financial Reporting:

ICAI has issued a Guidance Note on Audit of Internal Financial Controls Over Financial Reporting
which covers aspects such as:
• Scope of reporting on internal financial controls under Companies Act 2013,
• Essential components of internal controls,
• Technical guidance on audit of Internal Financial Controls,
• Implementation guidance on audit of Internal Financial Controls.
