ICAI Notes: Risk Assessment and Internal Control | Auditing and Ethics for CA Intermediate PDF Download

 Page 1


.. 
LEARNING OUTCOMES 
    
 
CHAPTER
3 
 RISK ASSESSMENT  
AND INTERNAL  
CONTROL 
 
After studying this chapter, you would be able to understand- 
? Meaning of audit risk and variables affecting it. 
? Risk assessment procedures. 
? Concept of materiality in planning and performing an audit. 
? Importance of understanding the entity and its environment. 
? Meaning, objectives, benefits and limitations of internal control. 
? Components of internal control. 
? Whether all the controls are relevant to an audit. 
? Nature and Extent of the Understanding of Relevant Controls. 
? Risks that require special audit consideration. 
? Evaluation of Internal control system-Benefits and methods. 
? Testing of internal control. 
? Automated environments-its key features. 
? Risks arising from use of IT Systems. 
? Types of Controls in an automated environment. 
? Importance of data analytics for audit. 
? Internal financial controls as per regulatory requirements. 
? Auditor’s responses to assessed risks. 
? Practicality of above concepts by studying through examples and case studies. 
© The Institute of Chartered Accountants of India
Page 2


.. 
LEARNING OUTCOMES 
    
 
CHAPTER
3 
 RISK ASSESSMENT  
AND INTERNAL  
CONTROL 
 
After studying this chapter, you would be able to understand- 
? Meaning of audit risk and variables affecting it. 
? Risk assessment procedures. 
? Concept of materiality in planning and performing an audit. 
? Importance of understanding the entity and its environment. 
? Meaning, objectives, benefits and limitations of internal control. 
? Components of internal control. 
? Whether all the controls are relevant to an audit. 
? Nature and Extent of the Understanding of Relevant Controls. 
? Risks that require special audit consideration. 
? Evaluation of Internal control system-Benefits and methods. 
? Testing of internal control. 
? Automated environments-its key features. 
? Risks arising from use of IT Systems. 
? Types of Controls in an automated environment. 
? Importance of data analytics for audit. 
? Internal financial controls as per regulatory requirements. 
? Auditor’s responses to assessed risks. 
? Practicality of above concepts by studying through examples and case studies. 
© The Institute of Chartered Accountants of India
 
AUDITING AND ETHICS  
 
3.2 
?  
 
 
 
 
 
 
 
 
 
 
  
DIGITAL 
AUDIT
Automated 
Environment
IT Related 
Risks
Controls & 
Types of IT 
Controls
Impact on 
Controls
Internal 
Financial 
Controls
Testing 
Methods
Data 
Analytics
SA - 315, SA 
320 & 
SA 330
Audit Risk 
Risk Assessment  
& 
Internal Control
Understanding the 
Entity and its 
Environment 
Identify & Assess 
Risk of Material 
Misstatement 
Risk Assessment 
Procedures 
CHAPTER OVERVIEW 
 
© The Institute of Chartered Accountants of India
Page 3


.. 
LEARNING OUTCOMES 
    
 
CHAPTER
3 
 RISK ASSESSMENT  
AND INTERNAL  
CONTROL 
 
After studying this chapter, you would be able to understand- 
? Meaning of audit risk and variables affecting it. 
? Risk assessment procedures. 
? Concept of materiality in planning and performing an audit. 
? Importance of understanding the entity and its environment. 
? Meaning, objectives, benefits and limitations of internal control. 
? Components of internal control. 
? Whether all the controls are relevant to an audit. 
? Nature and Extent of the Understanding of Relevant Controls. 
? Risks that require special audit consideration. 
? Evaluation of Internal control system-Benefits and methods. 
? Testing of internal control. 
? Automated environments-its key features. 
? Risks arising from use of IT Systems. 
? Types of Controls in an automated environment. 
? Importance of data analytics for audit. 
? Internal financial controls as per regulatory requirements. 
? Auditor’s responses to assessed risks. 
? Practicality of above concepts by studying through examples and case studies. 
© The Institute of Chartered Accountants of India
 
AUDITING AND ETHICS  
 
3.2 
?  
 
 
 
 
 
 
 
 
 
 
  
DIGITAL 
AUDIT
Automated 
Environment
IT Related 
Risks
Controls & 
Types of IT 
Controls
Impact on 
Controls
Internal 
Financial 
Controls
Testing 
Methods
Data 
Analytics
SA - 315, SA 
320 & 
SA 330
Audit Risk 
Risk Assessment  
& 
Internal Control
Understanding the 
Entity and its 
Environment 
Identify & Assess 
Risk of Material 
Misstatement 
Risk Assessment 
Procedures 
CHAPTER OVERVIEW 
 
© The Institute of Chartered Accountants of India
RISK ASSESSMENT AND INTERNAL CONTROL 
 
 
3.3 
Sameer had now subscribed to online subscription of a pink newspaper using his 
android phone. He was getting regular news updates pertaining to financial matters 
of companies. While going through such updates, he stumbled upon one report 
relating to audited accounts of a listed company. Scrolling the same, he gathered 
that SEBI had referred the matter to regulator for further action. 
He was flummoxed. He had learnt that audit is carried out after proper planning 
and performing audit procedures. However, the news report was hinting at 
possibility of inappropriate opinion expressed by the auditor. Was it a single odd 
case? Or is there a chance of inappropriate opinion being expressed by an auditor 
when there are significant wrong doings in financial statements in every audit? 
What is this risk known as?  What causes presence of this risk? Can’t it be eliminated 
completely?  How this risk can be addressed?  He needed answers to such 
questions. 
It was clear to him that a meaningful and effective audit is possible only after 
gaining knowledge about client’s business. What are the specifics about it? It 
cannot be limited merely to understanding about nature of client’s business. Apart 
from this, it must include a study and evaluation of client’s systems and controls. 
What system has been devised and put into operation by the client to carry out its 
business efficiently and effectively? How the client is ensuring reliability of financial 
reporting? All these questions should be important to an auditor. 
Whether gaining knowledge of client’s systems and controls is enough? Shouldn’t 
it be followed up with actual testing of client’s controls? It is only when controls 
are actually tested, these can be relied upon. A thought was gaining in his mind 
how auditor responds to the risks. Is testing of controls enough or something more 
to be done? 
He already knew how actively business entities are using technology to develop 
their systems with minimal human intervention. Shouldn’t use of technology ease 
up the things? Can use of technology also involve risks which may be relevant to 
an auditor so that he doesn’t give an inappropriate opinion? To satiate his mind, 
he turned to Chapter 3. 
© The Institute of Chartered Accountants of India
Page 4


.. 
LEARNING OUTCOMES 
    
 
CHAPTER
3 
 RISK ASSESSMENT  
AND INTERNAL  
CONTROL 
 
After studying this chapter, you would be able to understand- 
? Meaning of audit risk and variables affecting it. 
? Risk assessment procedures. 
? Concept of materiality in planning and performing an audit. 
? Importance of understanding the entity and its environment. 
? Meaning, objectives, benefits and limitations of internal control. 
? Components of internal control. 
? Whether all the controls are relevant to an audit. 
? Nature and Extent of the Understanding of Relevant Controls. 
? Risks that require special audit consideration. 
? Evaluation of Internal control system-Benefits and methods. 
? Testing of internal control. 
? Automated environments-its key features. 
? Risks arising from use of IT Systems. 
? Types of Controls in an automated environment. 
? Importance of data analytics for audit. 
? Internal financial controls as per regulatory requirements. 
? Auditor’s responses to assessed risks. 
? Practicality of above concepts by studying through examples and case studies. 
© The Institute of Chartered Accountants of India
 
AUDITING AND ETHICS  
 
3.2 
?  
 
 
 
 
 
 
 
 
 
 
  
DIGITAL 
AUDIT
Automated 
Environment
IT Related 
Risks
Controls & 
Types of IT 
Controls
Impact on 
Controls
Internal 
Financial 
Controls
Testing 
Methods
Data 
Analytics
SA - 315, SA 
320 & 
SA 330
Audit Risk 
Risk Assessment  
& 
Internal Control
Understanding the 
Entity and its 
Environment 
Identify & Assess 
Risk of Material 
Misstatement 
Risk Assessment 
Procedures 
CHAPTER OVERVIEW 
 
© The Institute of Chartered Accountants of India
RISK ASSESSMENT AND INTERNAL CONTROL 
 
 
3.3 
Sameer had now subscribed to online subscription of a pink newspaper using his 
android phone. He was getting regular news updates pertaining to financial matters 
of companies. While going through such updates, he stumbled upon one report 
relating to audited accounts of a listed company. Scrolling the same, he gathered 
that SEBI had referred the matter to regulator for further action. 
He was flummoxed. He had learnt that audit is carried out after proper planning 
and performing audit procedures. However, the news report was hinting at 
possibility of inappropriate opinion expressed by the auditor. Was it a single odd 
case? Or is there a chance of inappropriate opinion being expressed by an auditor 
when there are significant wrong doings in financial statements in every audit? 
What is this risk known as?  What causes presence of this risk? Can’t it be eliminated 
completely?  How this risk can be addressed?  He needed answers to such 
questions. 
It was clear to him that a meaningful and effective audit is possible only after 
gaining knowledge about client’s business. What are the specifics about it? It 
cannot be limited merely to understanding about nature of client’s business. Apart 
from this, it must include a study and evaluation of client’s systems and controls. 
What system has been devised and put into operation by the client to carry out its 
business efficiently and effectively? How the client is ensuring reliability of financial 
reporting? All these questions should be important to an auditor. 
Whether gaining knowledge of client’s systems and controls is enough? Shouldn’t 
it be followed up with actual testing of client’s controls? It is only when controls 
are actually tested, these can be relied upon. A thought was gaining in his mind 
how auditor responds to the risks. Is testing of controls enough or something more 
to be done? 
He already knew how actively business entities are using technology to develop 
their systems with minimal human intervention. Shouldn’t use of technology ease 
up the things? Can use of technology also involve risks which may be relevant to 
an auditor so that he doesn’t give an inappropriate opinion? To satiate his mind, 
he turned to Chapter 3. 
© The Institute of Chartered Accountants of India
 
AUDITING AND ETHICS  
 
3.4 
 1. AUDIT RISK 
Audit risk means the risk that the auditor gives an inappropriate audit opinion when 
the financial statements are materially misstated.  
It means that an auditor expresses an unmodified opinion when financial 
statements are materially misstated. In such a case, not only reputation of auditor 
would be damaged, but he could also invite regulatory action from professional 
body and could face probable legal action by intended users. 
To avoid such unpleasant consequences, the auditor will plan and perform the audit 
in such a way that audit risk is reduced to an acceptably low level. SA-200 states 
that the auditor shall obtain sufficient appropriate audit evidence to reduce audit 
risk to an acceptably low level and thereby enable the auditor to draw reasonable 
conclusions on which to base the auditor’s opinion. 
Consider, for example, that profits of a company have been increased artificially by 
showing fake revenues of sizeable amounts in its financial statements. In such a 
case, financial statements are materially misstated. The probability, that auditor in 
such a case, expresses an inappropriate audit opinion is referred to as audit risk.  It 
is the possibility that auditor expresses an unmodified opinion even when 
financial statements are materially misstated. 
Audit risk is a function of the risks of material misstatement and detection risk.  
1.1 Risks of material misstatement 
SA 200 states that risk of material statement is the risk that the financial statements 
are materially misstated prior to audit. It simply means that there is a probability 
of frauds or errors in financial statements before audit.  
What is meant by misstatement? 
Misstatement refers to a difference between the amount, classification, 
presentation, or disclosure of a reported financial statement item and the amount, 
classification, presentation, or disclosure that is required for the item to be in 
accordance with the applicable financial reporting framework. Misstatements can 
arise from error or fraud. 
© The Institute of Chartered Accountants of India
Page 5


.. 
LEARNING OUTCOMES 
    
 
CHAPTER
3 
 RISK ASSESSMENT  
AND INTERNAL  
CONTROL 
 
After studying this chapter, you would be able to understand- 
? Meaning of audit risk and variables affecting it. 
? Risk assessment procedures. 
? Concept of materiality in planning and performing an audit. 
? Importance of understanding the entity and its environment. 
? Meaning, objectives, benefits and limitations of internal control. 
? Components of internal control. 
? Whether all the controls are relevant to an audit. 
? Nature and Extent of the Understanding of Relevant Controls. 
? Risks that require special audit consideration. 
? Evaluation of Internal control system-Benefits and methods. 
? Testing of internal control. 
? Automated environments-its key features. 
? Risks arising from use of IT Systems. 
? Types of Controls in an automated environment. 
? Importance of data analytics for audit. 
? Internal financial controls as per regulatory requirements. 
? Auditor’s responses to assessed risks. 
? Practicality of above concepts by studying through examples and case studies. 
© The Institute of Chartered Accountants of India
 
AUDITING AND ETHICS  
 
3.2 
?  
 
 
 
 
 
 
 
 
 
 
  
DIGITAL 
AUDIT
Automated 
Environment
IT Related 
Risks
Controls & 
Types of IT 
Controls
Impact on 
Controls
Internal 
Financial 
Controls
Testing 
Methods
Data 
Analytics
SA - 315, SA 
320 & 
SA 330
Audit Risk 
Risk Assessment  
& 
Internal Control
Understanding the 
Entity and its 
Environment 
Identify & Assess 
Risk of Material 
Misstatement 
Risk Assessment 
Procedures 
CHAPTER OVERVIEW 
 
© The Institute of Chartered Accountants of India
RISK ASSESSMENT AND INTERNAL CONTROL 
 
 
3.3 
Sameer had now subscribed to online subscription of a pink newspaper using his 
android phone. He was getting regular news updates pertaining to financial matters 
of companies. While going through such updates, he stumbled upon one report 
relating to audited accounts of a listed company. Scrolling the same, he gathered 
that SEBI had referred the matter to regulator for further action. 
He was flummoxed. He had learnt that audit is carried out after proper planning 
and performing audit procedures. However, the news report was hinting at 
possibility of inappropriate opinion expressed by the auditor. Was it a single odd 
case? Or is there a chance of inappropriate opinion being expressed by an auditor 
when there are significant wrong doings in financial statements in every audit? 
What is this risk known as?  What causes presence of this risk? Can’t it be eliminated 
completely?  How this risk can be addressed?  He needed answers to such 
questions. 
It was clear to him that a meaningful and effective audit is possible only after 
gaining knowledge about client’s business. What are the specifics about it? It 
cannot be limited merely to understanding about nature of client’s business. Apart 
from this, it must include a study and evaluation of client’s systems and controls. 
What system has been devised and put into operation by the client to carry out its 
business efficiently and effectively? How the client is ensuring reliability of financial 
reporting? All these questions should be important to an auditor. 
Whether gaining knowledge of client’s systems and controls is enough? Shouldn’t 
it be followed up with actual testing of client’s controls? It is only when controls 
are actually tested, these can be relied upon. A thought was gaining in his mind 
how auditor responds to the risks. Is testing of controls enough or something more 
to be done? 
He already knew how actively business entities are using technology to develop 
their systems with minimal human intervention. Shouldn’t use of technology ease 
up the things? Can use of technology also involve risks which may be relevant to 
an auditor so that he doesn’t give an inappropriate opinion? To satiate his mind, 
he turned to Chapter 3. 
© The Institute of Chartered Accountants of India
 
AUDITING AND ETHICS  
 
3.4 
 1. AUDIT RISK 
Audit risk means the risk that the auditor gives an inappropriate audit opinion when 
the financial statements are materially misstated.  
It means that an auditor expresses an unmodified opinion when financial 
statements are materially misstated. In such a case, not only reputation of auditor 
would be damaged, but he could also invite regulatory action from professional 
body and could face probable legal action by intended users. 
To avoid such unpleasant consequences, the auditor will plan and perform the audit 
in such a way that audit risk is reduced to an acceptably low level. SA-200 states 
that the auditor shall obtain sufficient appropriate audit evidence to reduce audit 
risk to an acceptably low level and thereby enable the auditor to draw reasonable 
conclusions on which to base the auditor’s opinion. 
Consider, for example, that profits of a company have been increased artificially by 
showing fake revenues of sizeable amounts in its financial statements. In such a 
case, financial statements are materially misstated. The probability, that auditor in 
such a case, expresses an inappropriate audit opinion is referred to as audit risk.  It 
is the possibility that auditor expresses an unmodified opinion even when 
financial statements are materially misstated. 
Audit risk is a function of the risks of material misstatement and detection risk.  
1.1 Risks of material misstatement 
SA 200 states that risk of material statement is the risk that the financial statements 
are materially misstated prior to audit. It simply means that there is a probability 
of frauds or errors in financial statements before audit.  
What is meant by misstatement? 
Misstatement refers to a difference between the amount, classification, 
presentation, or disclosure of a reported financial statement item and the amount, 
classification, presentation, or disclosure that is required for the item to be in 
accordance with the applicable financial reporting framework. Misstatements can 
arise from error or fraud. 
© The Institute of Chartered Accountants of India
RISK ASSESSMENT AND INTERNAL CONTROL 
 
 
3.5 
Few examples of misstatements could be: - 
? Charging of an item of capital expenditure to revenue or vice-versa 
? Difference in disclosure of a financial statement item vis-à-vis its requirement in 
applicable financial reporting framework 
? Selection or application of inappropriate accounting policies 
? Difference in accounting estimate of a financial statement item vis-à-vis its 
appropriateness in applicable financial reporting framework 
? Intentional booking of fake expenses in statement of profit and loss 
? Overstating of receivables in financial statements by not writing off irrecoverable 
debts 
? Overstating or understating inventories 
The risks of material misstatement may exist at two levels: -  
(i)  The overall financial statement level  
(ii)  The assertion level for classes of transactions, account balances, and 
disclosures.  
Risks of material misstatement at the overall financial statement level refer to 
risks of material misstatement that relate pervasively to the financial statements as 
a whole and potentially affect many assertions.  
Risks of material misstatement at the assertion level are assessed in order to 
determine the nature, timing, and extent of further audit procedures necessary to 
obtain sufficient appropriate audit evidence. This evidence enables the auditor to 
express an opinion on the financial statements at an acceptably low level of audit 
risk.  
1.2 Components of risk of material misstatement 
The risk of material misstatement at assertion level comprises of two 
components i.e., inherent risk and control risk. Both inherent risk and control 
risk are the entity’s risks and they exist independently of the audit of financial 
statements. Inherent risk and control risk are influenced by the client. These are 
entity’s risks and are not influenced by the auditor. 
© The Institute of Chartered Accountants of India