Risk Assessment and Internal Control – Short Notes

1. Risk Assessment Procedures (SA 315)

Meaning

Risk Assessment Procedures are audit procedures performed to understand the entity and identify risks of material misstatement due to fraud or error.

Objectives

Identify risks at:
- Financial Statement Level
- Assertion Level
Provide basis for designing audit procedures.

Components of Risk Assessment Procedures

(a) Inquiry

Information obtained from:

Management
Internal auditors
Legal counsel
Sales and marketing professionals
Risk management personnel
IT personnel

(b) Analytical Procedures

Analysis of:

Ratios
Trends
Relationships between financial and non-financial data

Example: Current Ratio increasing from 1.20:1 to 1.75:1.

(c) Observation and Inspection

Examination of:

Operations
Internal control manuals
Board meeting minutes
Premises and plant facilities

2. Materiality (SA 320)

Meaning

Misstatements are material if they can influence users’ economic decisions.

Importance

Auditor aims to obtain reasonable assurance that financial statements are free from material misstatement.

Materiality Depends Upon

Size of item
Nature of item
Circumstances

Examples

Fraud of even a small amount may be material.
Statutory disclosures are material irrespective of amount.

3. Materiality in Audit Planning

Materiality helps in:

Determining audit scope.
Identifying risk areas.
Deciding nature, timing and extent of audit procedures.

Auditor Considers

Size of misstatement
Nature of misstatement
Circumstances of occurrence

4. Performance Materiality

Meaning

Amount set below overall materiality to reduce risk that aggregate misstatements exceed materiality.

Purpose

Provides safety margin.
Reduces possibility of undetected material misstatements.

Formula Concept:
Performance Materiality < Overall Materiality

5. Determination of Materiality

Appropriate Benchmarks

Profit before tax
Revenue
Gross profit
Total assets
Net assets
Equity

Factors Affecting Benchmark Selection

Nature of business
Industry
Ownership structure
Financing pattern
Volatility of benchmark

Example

Profit-oriented company → Profit before tax.
Not-for-profit entity → Revenue or expenses.

6. Revision of Materiality

Materiality may be revised when:

Business circumstances change.
Actual results differ significantly from estimates.
Auditor obtains new information.

7. Materiality and Audit Risk

Audit Risk

Risk that auditor expresses inappropriate opinion on materially misstated financial statements.

Relationship

Higher Audit Risk → Lower Materiality

Materiality and Audit Risk are considered while:

Assessing risks
Designing audit procedures
Forming audit opinion

8. Understanding the Entity and Its Environment (SA 315)

Auditor should understand:

(a) Industry & External Environment

Competition
Technology
Regulations
Taxation
Economic conditions
Inflation

(b) Nature of Entity

Operations
Ownership structure
Investments
Financing arrangements

(c) Accounting Policies

Selection
Application
Changes

(d) Objectives, Strategies & Business Risks

(e) Measurement of Financial Performance

Examples:

KPIs
Budgets
Variance Analysis
Credit Rating Reports

Importance of Understanding Entity

Helps auditor in:

Planning audit
Identifying high-risk areas
Assessing going concern
Evaluating accounting policies
Identifying related party transactions

Important Point

Understanding the entity is a continuous process throughout the audit.

9. Internal Control

Meaning

Internal Control is a process designed to provide reasonable assurance regarding:

Reliability of financial reporting
Efficiency and effectiveness of operations
Compliance with laws
Safeguarding of assets

Benefits of Understanding Internal Control

Helps auditor:

Identify potential misstatements
Assess risks
Design audit procedures

Limitations of Internal Control

Provides only reasonable assurance.
Human errors.
Lack of understanding by employees.
Collusion among employees.
Management override.
Limited segregation of duties in small entities.

10. Components of Internal Control

1. Control Environment

2. Entity’s Risk Assessment Process

3. Information System & Communication

4. Control Activities

5. Monitoring of Controls

Mnemonic: CRICM
(Control Environment – Risk Assessment – Information System – Control Activities – Monitoring)

11. Control Environment

Meaning

Sets the tone of the organization.

Elements

(a) Integrity and Ethical Values

Code of conduct
Ethical culture

(b) Commitment to Competence

(c) Participation by Those Charged with Governance

(d) Management Philosophy & Operating Style

(e) Organisational Structure

(f) Assignment of Authority & Responsibility

(g) Human Resource Policies

12. Entity’s Risk Assessment Process

Entity should:

Identify risks.
Estimate significance.
Assess likelihood.
Decide responses.

Risks may arise due to:

New technology
New products
Business expansion
Regulatory changes

13. Information System & Communication

Auditor should understand:

Significant transactions
Recording process
Accounting records
Financial reporting process
Journal entry controls

Information System Consists of

Hardware
Software
People
Procedures
Data

14. Control Activities

Policies and procedures ensuring management directives are carried out.

Examples

Performance reviews
IT controls
Physical controls
Segregation of duties

Segregation of Duties

Different persons should:

Authorize transaction
Record transaction
Maintain custody of assets

15. Monitoring of Controls

Meaning

Assessment of effectiveness of controls over time.

Methods

Ongoing monitoring
Separate evaluations

Examples

Customer complaints
Regulatory comments
Internal review reports

16. Significant Risks (Special Audit Consideration)

Factors Indicating Significant Risk

Fraud risk
Regulatory changes
Complex transactions
Related party transactions
High estimation uncertainty
Unusual transactions

Always Significant Risks

Fraud risks
Related party transactions outside normal course of business

17. Evaluation of Internal Control

Why Auditor Evaluates Internal Control?

To know:

Chances of fraud and errors
Effectiveness of controls
Adequacy of asset protection
Reliability of records
Areas of weakness
Appropriate audit procedures

18. Methods of Evaluating Internal Control

(A) Narrative Record

Detailed written description.
Suitable for small businesses.

(B) Check List

Series of questions/instructions answered by auditor.

(C) Internal Control Questionnaire (ICQ)

Most commonly used method.

Responses:

Yes
No
Not Applicable

(D) Flow Chart

Graphical presentation of internal control system.

Mnemonic: NCIF
(Narrative – Checklist – ICQ – Flowchart)

19. Testing of Internal Control

Purpose

To determine whether controls:

Are properly designed.
Operate effectively throughout the period.

Methods

Inquiry
Observation
Inspection
Reperformance

Result

Strong controls → Less substantive testing

Weak controls → More extensive audit procedures

Exam-Oriented Mnemonics

Risk Assessment Procedures

IAO

Inquiry
Analytical Procedures
Observation & Inspection

Components of Internal Control

CRICM

Control Environment
Risk Assessment
Information System
Control Activities
Monitoring

Methods of Evaluating Internal Control

NCIF

Narrative Record
Checklist
Internal Control Questionnaire
Flowchart

Internal Control Objectives

RECS

Reliability of Reporting
Efficiency of Operations
Compliance with Laws
Safeguarding of Assets

These notes cover the most important ICAI exam points from the chapter “Risk Assessment and Internal Control.”