RISK ASSESMENT AND INTERNAL CONTROL SA 400 Objective Para 7.1 The objective of this SA is to prescribed on the procedures to be followed to obtain an understanding of accounting and internal control system and on audit risk. The auditor should design audit procedure to ensure that it is reduce to an acceptable low level. What is audit risk? 7.2 Audit risk means the risk that the auditor gives an inappropriate opinion when the financial statements are materially mis-stated. Types of Audit Risk 7.3 Total audit risk can be divided into three risks: • Inherent Risk • Control risk • Detection risk 7.3-1 Inherent risk - The risk is that there will be material error in accounting process when there are no related controls. For example, closely held companies may present more inherent risk with respect to understatement of income due to tax minimization incentive and publicly held companies may pose more inherent risk with respect to overstatement of income due to incentive plan based on income to top management. 7.3.2
Control Risk – Risk assessment that internal control structure will fail to detect error equal to the tolerable error. Example- Whenever an employee goes on tour the traveling advance given to him and amount is debited / classified as staff advance. When the employee comes back from tour, he submits the traveling expenses bill and advance is adjusted. All advances given to staff other than traveling advance to staff advance like car advance, festival advance etc. In this system of internal control of traveling advance there is possibility expense if employee does not submit/forgets to submit the traveling bill and, therefore, there is risk that traveling expense of a particular period may be understand materially. It is kind of control risk because internal control system may fail to detect the understatement of traveling expense.
7.3.3
Detection risk – Detection risk is the risk that substantive test of details will fail to detect error equal to adequate limit.
Developing audit program for inherent risk 7.4 The following points should be considered for assessing the inherent risk and developing audit plan for inherent risk : • Inherent risk should be assessed at financial statement level and not at the transaction level or for a period less than financial statement period. For example – Rs. 2 lakhs was wrongly debited to Mr. A (Debtor) instead of Mr. B (Debtor). Such error may be material • Previous experience of the auditor of the entity from previous audit engagement.
• • • • • • •
Any control established by the management to compensate for a high level inherent risk. Any significant change as compared to previous year affecting degree of inherent risk. The integrity of the management. Management experience and knowledge. Unusual pressure on management. Nature of entity business. Factors affecting the industry to which entity belongs.
7.4-1 Audit objective – Audit objective in this situation ensure accuracy of the securities, pricing, completeness and validity. Audit procedure for inherent risk volatility of price suggests a year-end pricing test, low activity expectation and excellent record keeping procedures justify observing the control of securities at a time prior to year-end review activity and consider the need for year-end count, keep abreast of development in general business environment and environment within which the client operates. 7.4.2
Documentations of inherent risk- When the auditor makes an assessment that inherent risk is not high, he should document the reasons for such assessments.
Preliminary assessment of control risk 7.5 Preliminary assessment of control risk is the process of evaluating the likely effectiveness of an entity’s accounting system and internal control system in preventing and detection and correcting material misstatement. 7.5-1 Accounting system- Auditor should understand the entity’s accounting system in force. Like: • Major class of transaction • How the transaction are initiated • Accounting record maintained • Accounting and financial reporting process. 7.5-2 Internal control- It is a plan of orgnisation and procedure and records concerned with safeguarding the assets against loss from unintentional. Or international errors irregularities and ensuring the reliability of financial records for external reporting purpose. Internal control: • General controls • Specific Controls • Preventive control • Detective control 7.5-3 Understanding of control environment- The auditor should obtain an understanding of control environments. Such understanding will help the auditor to make preliminary assessment of adequacy of accounting and internal control system as a basis of preparation of financial statement level.
7.5-4 Test of control – It is the process of obtaining the evidence that accounting and internal control system designed by the management is working effectively through out the year and the auditor performs test of control by• Inspection of document • Inquiries • Reconciliation • Access or program change control in computrised accounting. 7.5.5
Control risk, accounting system and internal control – The auditor ordinarily assesses control risk at high level if entity’s accounting system and internal control re not operating effectively.
7.5.6
Documentation of control risk – The auditor should document in the audit working papers. If assessment based on substantive of control risk is less than high, the auditor should also document the basis of such conclusion.
7.5.7
Final assessment of control risk – Before the conclusion of audit, The auditor should make final assessment based on substantive test that control risk earlier by preliminary assessment is confirmed, if not, the control risk needs to be revised and therefore the auditor should modify the nature, timing and extent of his planned substantive procedure.
Relationship between Inherent risk and control risk 7.6 Generally, the management tries to restrict the inherent risk by designing appropriate accounting system and internal control. Therefore, in many cases inherent risk and control risk re highly interrelated because both are linked to accounting and internal control. Therefore, the auditor should determine audit risk more appropriately by making combined assessment. Detection risk 7.7 There is a positive relationship between detection risk and substantive procedure. Some detection risk would always be present even if an auditor examines 100 % transaction, because most audit evidence are persuasive and not conclusive. 7.7-1 Audit procedure and detection risk – While developing audit program for detection risk, an auditor should consider like following : • Assessed level of inherent risk • Nature, and timing of substantive procedure • Extent of substantive procedure 7.7.2
Relationship between detection risk and combined inherent and control risk – There is a inverse relationship between detection risk and combined level of inherent and control risk. E.g. If inherent and control risk high, acceptable detection risk needs to be low to reduce the control audit risk to acceptable low level.
However, the sufficiently low level of assessed inherent risk and control risk cannot eliminate the need for the auditor to perform any substantive procedure. In other words, regardless of the assessed level of inherent and control risk, the auditor should perform some substantive procedures. The higher the assessment of inherent and control risk the more audit evidence the auditor should obtain by performance of substantive procedure. 7.7.3
Detection risk and auditor’s report – When the auditor determines that detection risk regarding financial assertion for material account balance or transaction cannot be reduced to acceptable level, the auditor should express a qualified opinion or a disclaimer of opinion as appropriate.
Audit risk in small business 7.8 In small business, the accounting procedures are performed by few persons who may be also performing operating and custodial responsibilities. There may not be clear cut division of duties and responsibilities, in such a situation control risk is at very high level and not to reduce the audit risk and an auditors has to perform extensive substantive procedure to get audit evidence and assurance that financial statements are fairly presented. Communication of weakness in internal control 7.9 The auditor should make management aware at appropriate level of responsibility of material weakness in the design or operation of accounting and internal control system, which has come to his attention.