PROF. CA TEJAS SHAH PDLC
CHAPTER 3 RISK ASSESSMENT AND INTERNAL CONTROL
CHAPTER OVERVIEW
1. AUDIT RISK
INTRODUCTION
Audit risk means the risk that the auditor gives an inappropriate audit opinion when the
financial statements are materially misstated. Thus, it is the risk that the auditor may fail to
express an appropriate opinion in an audit assignment.
It means that an auditor expresses an unmodified opinion when financial statements are
materially misstated. In such a case, not only reputation of auditor would be damaged, but
he could also invite regulatory action from professional body and could face probable legal
action by intended users.
Audit risk is a function of the risks of material misstatement and detection risk.
1.1 Risks of material misstatement
Misstatement refers to a difference between the amount, classification, presentation, or
disclosure of a reported financial statement item and the amount, classification, presentation,
or disclosure that is required for the item to be in accordance with the applicable financial
reporting framework. Misstatements can arise from error or fraud.
Risks of Material Misstatement at Two levels
The risks of material misstatement may exist at two levels:
(i) The overall financial statement level- Risks of material misstatement at the overall
financial statement level refer to risks of material misstatement that relate pervasively to the
financial statements as a whole and potentially affect many assertions.
(ii) The assertion level for classes of transactions, account balances, and disclosures-
Risks of material misstatement at the assertion level are assessed in order to determine the
nature, timing, and extent of further audit procedures necessary to obtain sufficient
appropriate audit evidence. This evidence enables the auditor to express an opinion on the
financial statements at an acceptably low level of audit risk.
1.2 Risk of material misstatement may be defined as the risk that the financial statements are
materially misstated prior to audit. This consists of two components, described as follows at the
assertion level:
(a) Inherent risk—
• The susceptibility of an assertion about a class of transaction, account balance or
disclosure to a misstatement that could be material, either individually or when
aggregated with other misstatements, before consideration of any related controls.
(SA 200)
• Inherent risk factors are considered while designing tests of controls and substantive
procedures.
• External circumstances giving rise to business risks may also influence inherent
risk. For example, technological developments might make a particular product
obsolete.
(b) Control risk—
• The risk that a misstatement that could occur in an assertion about a class of
transaction, account balance or disclosure and that could be material, either
individually or when aggregated with other misstatements, will not be prevented, or
detected and corrected, on a timely basis by the entity’s internal control. (SA-200)
• Control risk is a risk that internal control existing and operating in an entity would not
be efficient enough to stop from happening, or find and then rectify in an appropriate
time, any material misstatement relating to a transaction, balance of an account or
disclosure required to be made in the financial statements of that entity.
• Therefore, in a way, it can be said that there exists an inverse relation between control
risk and efficiency of internal control of an entity. When efficiency of internal control
of an entity is high, the control risk is low and when efficiency of internal control of
that entity is low, the control risk is high.
1.3 Detection risk –
• The risk that the procedures performed by the auditor to reduce audit risk to an
acceptably low level will not detect a misstatement that exists and that could be
material, either individually or when aggregated with other misstatements. (SA 200)
• Detection risk comprises sampling and non-sampling risk.
Detection risk
▪ Sampling risk is the risk that the auditor’s conclusion based on a sample may be
different from the conclusion if the entire population were subjected to the same audit
procedure. It simply means that the sample was not representative of the population
from which it was chosen.
▪ Non-sampling risk is the risk that the auditor reaches an erroneous conclusion for any
reason not related to sampling risk. For example, an auditor may reach an erroneous
conclusion due to application of some inappropriate audit procedure.
▪ The auditor can only influence detection risk. Inherent risk and control risk
belong to the entity and are influenced by the entity. Therefore, auditor must
reduce detection risk in order to keep audit risk at low level. Detection risk
may be reduced by increasing area of checking, testing larger samples and by
including competent and experienced persons in the engagement team.
1.4 What is not included in Audit Risk?
● Audit risk does not include the risk that the auditor might express an opinion that the financial
statements are materially misstated when they are not. This risk is ordinarily insignificant.
● Further, audit risk is a technical term related to the process of auditing; it does not refer to the
auditor’s business risks such as loss from litigation, adverse publicity, or other events arising
in connection with the audit of financial statements.
1.5 Assessment of Risks - Matter of Professional Judgement
The assessment of risks is based on audit procedures to obtain information necessary for that purpose
and evidence obtained throughout the audit. The assessment of risks is a matter of professional
judgment, rather than a matter capable of precise measurement.
1.5.1 Combined Assessment of the Risk of Material Misstatement
The SAs do not ordinarily refer to inherent risk and control risk separately, but rather to a combined
assessment of the “risks of material misstatement”. However, the auditor may make separate or
combined assessments of inherent and control risk depending on preferred audit techniques or
methodologies and practical considerations.
Risk of Material Misstatement = Inherent Risk x Control Risk - (2)
From (1) and (2), we arrive at
Audit Risk = Inherent Risk x Control Risk x Detection Risk
1.6 IDENTIFYING AND ASSESSING THE RISKS OF MATERIAL MISSTATEMENT
✓ Meaning:
As per SA 315 - “Identifying and Assessing the Risks of Material Misstatement through
Understanding the Entity and its Environment”, the objective of the auditor is to identify and assess
the risks of material misstatement, whether due to fraud or error, at the financial statement and
assertion levels, through understanding the entity and its environment, including the entity’s internal
control, thereby providing a basis for designing and implementing responses to the assessed risks
of material misstatement. This will help the auditor to reduce the risk of material misstatement to an
acceptably low level.
✓ Objective of Auditor as per SA 315
(i) The auditor shall identify and assess the risks of material misstatement at:
(a) the financial statement level; and
(b) the assertion level for classes of transactions, account balances, and disclosures
to provide a basis for designing and performing further audit procedures.
(ii) For the purpose of Identifying and assessing the risks of material misstatement, the auditor
shall:
(a) Identify risks throughout the process of obtaining an understanding of the entity and its
environment, including relevant controls that relate to the risks, and by considering the
classes of transactions, account balances, and disclosures in the financial statements;
(b) Assess the identified risks, and evaluate whether they relate more pervasively to the
financial statements as a whole and potentially affect many assertions;
(c) Relate the identified risks to what can go wrong at the assertion level, taking account
of relevant controls that the auditor intends to test; and
(d) Consider the likelihood of misstatement, including the possibility of multiple
misstatements, and whether the potential misstatement is of a magnitude that could result
in a material misstatement.
1.7 Risk Assessment Procedures
Definition: The audit procedures performed to obtain an understanding of the entity and its
environment, including the entity’s internal control, to identify and assess the risks of material
misstatement, whether due to fraud or error, at the financial statement and assertion levels.
✓ Risk assessment procedure is a basis for the identification and assessment of risks of material
misstatement at the financial statement and assertion levels.
✓ The risks to be assessed include both those due to error and those due to fraud
1.8 Information obtained by performing risk assessment procedures - Used as audit evidence
✓ Information obtained by performing risk assessment procedures and related activities may be
used by the auditor as audit evidence to support assessments of the risks of material
misstatement.
✓ In addition, the auditor may obtain audit evidence about classes of transactions, account
balances, or disclosures and related assertions and about the operating effectiveness of
controls, even though such procedures were not specifically planned as substantive
procedures or as tests of controls.
✓ The auditor also may choose to perform substantive procedures or tests of controls
concurrently with risk assessment procedures because it is efficient to do so.
2. MATERIALITY
2.1 Introduction
✓ SA 320 Materiality in Planning and Performing an Audit states that misstatements, including
omissions, are considered to be material if they, individually or in the aggregate, could
reasonably be expected to influence the economic decisions of users taken on the basis of the
financial statements.
✓ The objective of an independent auditor is to obtain reasonable assurance about whether the
financial statements as a whole are free from material misstatement, whether due to fraud or
error, thereby enabling the auditor to express an opinion on whether the financial statements
are prepared, in all material respects, in accordance with an applicable financial reporting
framework. Herein, lies the significance of materiality.
✓ The auditor has to obtain reasonable assurance that financial statements as a whole are free
from material misstatement whether due to fraud or error. As a result, an audit strives to
identify significant risks of material misstatement and audit procedures are geared towards it.
Materiality is not always a matter of relative size.
✓ For example, a small amount lost by fraudulent practices of certain employees can indicate a
serious flaw in the enterprise’s internal control system requiring immediate attention to avoid
greater losses in future.
2.2 Materiality in Planning and performing an audit - Auditor’s responsibility
✓ The concept of materiality is applied by the auditor both in planning and performing the audit,
and in evaluating the effect of identified misstatements on the audit and of uncorrected
misstatements, if any, on the financial statements and in forming the opinion in the auditor’s
report.
✓ Although financial reporting frameworks may discuss materiality in different terms, they
generally explain that:
• Misstatements, including omissions, are considered to be material if they, individually or
in the aggregate, could reasonably be expected to influence the economic decisions of
users taken on the basis of the financial statements.
• Judgments about materiality are made in the light of surrounding circumstances, and are
affected by the size or nature of a misstatement, or a combination of both; and
• Judgments about matters that are material to users of the financial statements are based
on a consideration of the common financial information needs of users as a group. The
possible effect of misstatements on specific individual users, whose needs may vary
widely, is not considered.
✓ Such a discussion, if present in the applicable financial reporting
framework, provides a frame of reference to the auditor in determining
materiality for the audit.
✓ If the applicable financial reporting framework does not include a
discussion of the concept of materiality, the characteristics referred to
above provide the auditor with such a frame of reference.
✓ In planning the audit, the auditor makes judgments about the size of misstatements that will
be considered material. These judgments provide a basis for:
• Determining the nature, timing and extent of risk assessment procedures;
• Identifying and assessing the risks of material misstatement; and
• Determining the nature, timing and extent of further audit procedures.
✓ The auditor has to apply his professional judgement in determining materiality, choosing
appropriate benchmark and determining level of benchmark. Materiality forms the basis for
determination of audit scope and the levels of testing the transactions.
✓ While judging materiality, the significance of an item has to be viewed from different
perspectives. Materiality of an item may be judged by considering the impact on the profit
and loss, or on the balance sheet, or in the total of the category of expenditure or income to
which it pertains, and on its comparison with the corresponding figure for the previous year.
✓ Materiality is not always a matter of relative size. In certain cases quantitative limits of
materiality are specified. A few of such cases are given below:
✓ A company should disclose by way of notes additional information regarding any item of
income or expenditure which exceeds 1% of the revenue from operations or ₹1,00,000
whichever is higher (Refer general Instructions for preparation of Statement of Profit and
Loss in Schedule III to the Companies Act, 2013).
✓ A company should disclose in Notes to Accounts, shares in the company held by each
shareholder holding more than 5 per cent shares specifying the number of shares held.
2.3 Determination of materiality- a matter of professional judgment
In this context, it is reasonable for the auditor to assume that users:
• Have a reasonable knowledge of business and economic activities and accounting and a
willingness to study the information in the financial statements with reasonable diligence;
• Understand that financial statements are prepared, presented and audited to levels of
materiality;
• Recognize the uncertainties inherent in the measurement of amounts based on the use of
estimates, judgment and the consideration of future events; and
• Make reasonable economic decisions on the basis of the information in the financial
statements.
2.4 Performance Materiality
✓ Practically, it is difficult for auditors to design tests to identify individual misstatements. It is
likely that misstatements are material in aggregate. It takes us to the concept of “performance
materiality.”
✓ Performance materiality means the amount or amounts set by the auditor at less than
materiality for the financial statements as a whole to reduce to an appropriately low level the
probability that the aggregate of uncorrected and undetected misstatements exceeds
materiality for the financial statements as a whole. If applicable, performance materiality also
refers to the amount or amounts set by the auditor at less than the materiality level or levels
for particular classes of transactions, account balances or disclosures.
✓ Performance materiality is set at a value lower than overall materiality. It lowers the risk that
auditor will not be able to identify misstatements that are material when added together.
[Figure: 10 Lacs (TM), tolerance; 7 Lacs (PM), uncorrected misstatements; 3 Lacs (haircut), undetected misstatements]
2.5 Determining Materiality and Performance Materiality when Planning the Audit
✓ When establishing the overall audit strategy, the auditor shall determine materiality for the
financial statements as a whole.
✓ If, in the specific circumstances of the entity, there is one or more particular classes of
transactions, account balances or disclosures for which misstatements of lesser amounts than
the materiality for the financial statements as a whole could reasonably be expected to
influence the economic decisions of users taken on the basis of the financial statements, the
auditor shall also determine the materiality level or levels to be applied to those particular
classes of transactions, account balances or disclosures.
2.6 Use of Benchmarks in Determining Materiality for the Financial Statements as a Whole
✓ Determining materiality involves the exercise of professional judgment. A percentage is
often applied to a chosen benchmark as a starting point in determining materiality for the
financial statements as a whole.
✓ Factors that may affect the identification of an appropriate benchmark include the following:
• The elements of the financial statements like assets, liabilities, equity, revenue, expenses.
• Whether there are items on which the attention of the users of the particular entity’s
financial statements tends to be focused.
• The nature of the entity, where the entity is at in its life cycle, and the industry and
economic environment in which the entity operates, the entity’s ownership structure and
the way it is financed.
• The relative volatility of the benchmark.
2.6.1 Chosen Benchmark – Relevant financial data
In relation to the chosen benchmark, relevant financial data ordinarily includes:
• Prior periods’ financial results and financial positions
• The period to-date financial results and financial position
• Budgets or forecasts for the current period
• Adjusted for significant changes in the circumstances of the entity
2.6.2 Determining a percentage to be applied to a chosen benchmark involves the exercise of
professional judgment.
There is a relationship between the percentage and the chosen benchmark, such that a percentage
applied to profit before tax from continuing operations will normally be higher than a percentage
applied to total revenue.
2.7 Materiality Level or Levels for Particular Classes of Transactions, Account Balances or
Disclosures
Factors that may indicate the existence of one or more particular classes of transactions, account
balances or disclosures for which misstatements of lesser amounts than materiality for the financial
statements as a whole could reasonably be expected to influence the economic decisions of users
taken on the basis of the financial statements include the following:
✓ Whether law, regulations or the applicable financial reporting framework affect users’
expectations regarding the measurement or disclosure of certain items like in case of related
party transactions, and the remuneration of management and those charged with governance.
✓ The key disclosures in relation to the industry in which the entity operates. For example,
research and development costs for a pharmaceutical company.
✓ Whether attention is focused on a particular aspect of the entity’s business that is separately
disclosed in the financial statements like in case of newly acquired business.
2.8 Revision in Materiality level as the Audit Progresses
✓ Materiality for the financial statements as a whole may need to be revised as a result of a
change in circumstances that occurred during the audit.
✓ If during the audit it appears as though actual financial results are likely to be substantially
different from the anticipated period end financial results that were used initially to determine
materiality for the financial statements as a whole, the auditor revises that materiality.
2.9 Documenting the Materiality
The audit documentation shall include the following amounts and the factors considered in their
determination:
(a) Materiality for the financial statements as a whole
(b) If applicable, the materiality level or levels for particular classes of transactions, account balances
or disclosures
(c) Performance materiality and
(d) Any revision of (a)-(c) as the audit progressed
2.10 Materiality and Audit Risk
Materiality and Audit Risk are considered throughout the audit, in particular, when:
(a) Identifying and assessing the risks of material misstatement;
(b) Determining the nature, timing and extent of further audit procedures; and
(c) Evaluating the effect of uncorrected misstatements, if any, on the financial statements and in
forming the opinion in the auditor’s report.
3. UNDERSTANDING THE ENTITY AND ITS ENVIRONMENT
3.2 UNDERSTANDING OF THE ENTITY- A CONTINUOUS PROCESS
The understanding establishes a frame of reference within which the auditor plans the audit and
exercises professional judgment throughout the audit, for example, when:
• Assessing risks of material misstatement of the financial statements;
• Determining materiality in accordance with SA 320;
• Considering the appropriateness of the selection and application of accounting policies;
• Identifying areas where special audit consideration may be necessary, for example, related
party transactions, the appropriateness of management’s use of the going concern assumption,
or considering the business purpose of transactions;
• Developing expectations for use when performing analytical procedures;
• Evaluating the sufficiency and appropriateness of audit evidence obtained, such as the
appropriateness of assumptions and of management’s oral and written representations.
QUES 1:
Prince Blankets is engaged in business of blankets. Its major portion of sales is taking place through
internet. Advise the auditor how he would proceed in this regard as to understanding the entity and
its environment.
SOLUTION:
While understanding the entity and its environment, internet sales would be perceived as a risky
area by the auditor, who would therefore spend substantial time and perform extensive audit
procedures on this particular area.
QUES 2:
While auditing the books of accounts of Heavy Material Limited for the financial year 2022-23, a
team member of the auditor of Heavy Material Limited showed no inclination towards understanding
the business and the business environment of the above mentioned company. Is the approach of team
member of the auditor of Heavy Material Limited correct or incorrect? Also give reason for your
answer.
SOLUTION:
The approach of team member of the auditor of Heavy Material Limited is incorrect because
understanding the business and the business environment of company whose audit is to be conducted
is very important, as it helps in planning the audit and identifying areas requiring special attention
during the course of audit of that company.
QUES 3:
The auditor of ABC Textiles Ltd chalks out an audit plan without understanding the entity’s business.
Since he has carried out many audits of textile companies, there is no need to understand the nature
of business of ABC Ltd. Advise the auditor how he should proceed.
SOLUTION
Obtaining an understanding of the entity and its environment, including the entity’s internal control
(referred to hereafter as an “understanding of the entity”), is a continuous, dynamic process of
gathering, updating and analysing information throughout the audit. The auditor should proceed
accordingly.
4. INTERNAL CONTROL
4.1 Meaning of Internal Control
As per SA-315, “Identifying and Assessing the Risk of Material Misstatement Through
Understanding the Entity and its Environment”, the internal control may be defined as “the process
designed, implemented and maintained by those charged with governance, management and other
personnel to provide reasonable assurance about the achievement of an entity’s objectives with regard
to reliability of financial reporting, effectiveness and efficiency of operations, safeguarding of assets,
and compliance with applicable laws and regulations. The term “controls” refers to any aspects of
one or more of the components of internal control.”
4.2 As derived from above definition, the purpose of Internal Control is as under
Purpose of Internal Control: Internal control is designed, implemented and maintained to address
identified business risks that threaten the achievement of any of the entity’s objectives that concern:
• The reliability of the entity’s financial reporting;
• The effectiveness and efficiency of its operations;
• Its compliance with applicable laws and regulations; and
• Safeguarding of assets.
The way in which internal control is designed, implemented and maintained varies with an entity’s
size and complexity.
Objectives of Internal Control (NOT GIVEN IN THE MODULE BUT STILL ASKED IN ICAI
EXAMS)
(i) transactions are executed in accordance with management’s general or specific authorization;
(ii) all transactions are promptly recorded in the correct amount in the appropriate accounts and
in the accounting period in which executed so as to permit preparation of financial information
within a framework of recognized accounting policies and practices and relevant statutory
requirements, if any, and to maintain accountability for assets;
(iii) assets are safeguarded from unauthorised access, use or disposition; and
(iv) the recorded assets are compared with the existing assets at reasonable intervals and
appropriate action is taken with regard to any differences.
4.3 Benefits of Understanding of Internal Control
An understanding of internal control assists the auditor in :
(i) identifying types of potential misstatements;
(ii) identifying factors that affect the risks of material misstatement, and
(iii) designing the nature, timing, and extent of further audit procedures.
QUESTION:
Auditor GR and Associates, appointed for audit of PNG Ltd, a manufacturing company engaged in
manufacturing of various food items. While planning an audit, the auditor does not think that it would
be necessary to understand internal controls. Advise the auditor in this regard.
SOLUTION
The auditor shall obtain an understanding of internal control relevant to the audit. Although most
controls relevant to the audit are likely to relate to financial reporting, not all controls that relate to
financial reporting are relevant to the audit. It is a matter of the auditor’s professional judgment
whether a control, individually or in combination with others, is relevant to the audit.
4.4 Limitations of Internal Control
(IV) Components of Internal Control
(A) Control Environment
Component of Internal Control– The auditor shall obtain an understanding of the control
environment. As part of obtaining this understanding, the auditor shall evaluate whether:
(i) Management has created and maintained a culture of honesty and ethical behavior; and
(ii) The strengths in the control environment elements collectively provide an appropriate
foundation for the other components of internal control.
What is included in Control Environment ?
The control environment includes:
(i) the governance and management functions and
(ii) the attitudes, awareness, and actions of those charged with governance and
management.
(iii) the control environment sets the tone of an organization, influencing the control
consciousness of its people.
Satisfactory Control Environment – not an absolute deterrent to fraud:
• The existence of a satisfactory control environment can be a positive factor when the auditor
assesses the risks of material misstatement.
• However, although it may help reduce the risk of fraud, a satisfactory control environment is not
an absolute deterrent to fraud.
• Conversely, deficiencies in the control environment may undermine the effectiveness of controls, in
particular in relation to fraud.
• For example, management’s failure to commit sufficient resources to address IT security risks may
adversely affect internal control by allowing improper changes to be made to computer programs or
to data, or unauthorized transactions to be processed.
• As explained in SA 330, the control environment also influences the nature, timing, and extent of
the auditor’s further procedures.
(B) The Entity’s Risk Assessment Process
The auditor shall obtain an understanding of whether the entity has a process for:
(a) Identifying business risks relevant to financial reporting objectives;
(b) Estimating the significance of the risks;
(c) Assessing the likelihood of their occurrence; and
(d) Deciding about actions to address those risks
(C) The information system, including the related business processes, relevant to financial
reporting and communication
The auditor shall obtain an understanding of the information system, including the related
business processes, relevant to financial reporting, including the following areas:
(a) The classes of transactions in the entity’s operations that are significant to the financial
statements;
(b) The procedures by which those transactions are initiated, recorded, processed, corrected
as necessary, transferred to the general ledger and reported in the financial statements;
(c) The related accounting records, supporting information and specific accounts in the
financial statements that are used to initiate, record, process and report transactions;
(d) How the information system captures events and conditions that are significant to the
financial statements;
(e) The financial reporting process used to prepare the entity’s financial statements;
(f) Controls surrounding journal entries.
Communicating Financial Roles and Responsibilities– Obtaining an Understanding by the
Auditor: The auditor shall obtain an understanding of how the entity communicates
financial reporting roles and responsibilities including:
(a) Communications between management and those charged with governance; and
(b) External communications, such as those with regulatory authorities.
(D) Control Activities
The auditor shall obtain an understanding of control activities relevant to the audit, which the
auditor considers necessary to assess the risks of material misstatement.
• An audit requires an understanding of only those control activities related to significant class
of transactions, account balance, and disclosure in the financial statements and the assertions
which the auditor finds relevant in his risk assessment process.
• Control activities are the policies and procedures that help ensure that management directives
are carried out. Control activities, whether within IT or manual systems, have various
objectives and are applied at various organisational and functional levels.
• Control activities relevant to audit generally include policies and procedures relating to
performance reviews (reviews of actual performance with budgets), information processing
(for example, controls over checking arithmetical accuracy of records, program change
controls etc.), physical controls (like controls over physical security of assets) and segregation
of duties (controls over ensuring that different people are assigned the responsibilities of
authorising transactions, recording transactions and maintaining custody of assets).
(E) Monitoring of Controls
The auditor shall obtain an understanding of the major activities that the entity uses to monitor
internal control over financial reporting.
(i) Monitoring of controls is a process to assess the effectiveness of internal control
performance over time.
(ii) It involves assessing the effectiveness of controls on a timely basis and taking necessary
remedial actions.
(iii) Management accomplishes monitoring of controls through ongoing activities, separate
evaluations, or a combination of the two. Ongoing monitoring activities are often built
into the normal recurring activities of an entity and include regular management and
supervisory activities.
(iv) Management’s monitoring activities may include using information from
communications from external parties such as customer complaints and regulator
comments that may indicate problems or highlight areas in need of improvement.
4.6 Are all Controls Relevant to the audit?
There is a direct relationship between an entity’s objectives and the controls it implements to provide
reasonable assurance about their achievement. The entity’s objectives, and therefore controls, relate
to financial reporting, operations and compliance; however, not all of these objectives and controls
are relevant to the auditor’s risk assessment.
Factors relevant to the auditor’s judgment about whether a control, individually or in
combination with others, is relevant to the audit may include such matters as the following:
Materiality.
The significance of the related risk.
The size of the entity.
The nature of the entity’s business, including its organization and ownership characteristics.
The diversity and complexity of the entity’s operations.
Applicable legal and regulatory requirements.
4.7 Controls over the completeness and accuracy of information
Controls over the completeness and accuracy of information produced by the entity may be
relevant to the audit if the auditor intends to make use of the information in designing and
performing further procedures.
For example, in auditing revenue by applying standard prices to records of sales volume, the
auditor considers the accuracy of the price information and the completeness and accuracy of
the sales volume data.
Controls relating to operations and compliance objectives may also be relevant to an audit if
they relate to data the auditor evaluates or uses in applying audit procedures.
4.8 Internal control over safeguarding of assets
Internal control over safeguarding of assets against unauthorised acquisition, use, or disposition
may include controls relating to both financial reporting and operations objectives.
The auditor’s consideration of such controls is generally limited to those relevant to the
reliability of financial reporting. For example, use of access controls, such as passwords, that
limit access to the data and programs that process cash disbursements may be relevant to a
financial statement audit.
Conversely, safeguarding controls relating to operations objectives, such as controls to prevent
the excessive use of materials in production, generally are not relevant to a financial statement
audit.
4.9 Controls relating to objectives that are not relevant to an audit
• An entity generally has controls relating to objectives that are not relevant to an audit and
therefore need not be considered.
• For example, an entity may rely on a sophisticated system of automated controls to provide
efficient and effective operations (such as an airline’s system of automated controls to
maintain flight schedules), but these controls ordinarily would not be relevant to the audit.
• Further, although internal control applies to the entire entity or to any of its operating units or
business processes, an understanding of internal control relating to each of the entity’s
operating units and business processes may not be relevant to the audit.
• In certain circumstances, the statute or the regulation governing the entity may require the
auditor to report on compliance with certain specific aspects of internal controls. As a result,
the auditor’s review of internal control may be broader and more detailed.
4.10 Nature and Extent of the Understanding of Relevant Controls.
(i) Evaluating the design of a control involves considering whether the control, individually
or in combination with other controls, is capable of effectively preventing, or detecting
and correcting, material misstatements. Implementation of a control means that the
control exists and that the entity is using it. There is little point in assessing the
implementation of a control that is not effective, and so the design of a control is
considered first. An improperly designed control may represent a significant deficiency
in internal control.
(ii) Risk assessment procedures to obtain audit evidence about the design and
implementation of relevant controls may include-
Inquiring of entity personnel.
Observing the application of specific controls.
Inspecting documents and reports.
Tracing transactions through the information system relevant to financial reporting.
Inquiry alone, however, is not sufficient for such purposes.
(iii) Obtaining an understanding of an entity’s controls is not sufficient to test their operating
effectiveness, unless there is some automation that provides for the consistent operation of the
controls.
5. RISKS THAT REQUIRE SPECIAL AUDIT CONSIDERATION
In exercising judgment as to which risks are significant risks, the auditor shall consider at least
the following:
(a) Whether the risk is a risk of fraud;
(b) Whether the risk is related to recent significant economic, accounting, or other developments
like changes in regulatory environment, etc., and, therefore, requires specific attention;
(c) The complexity of transactions;
(d) Whether the risk involves significant transactions with related parties;
(e) The degree of subjectivity in the measurement of financial information related to the risk,
especially those measurements involving a wide range of measurement uncertainty; and
(f) Whether the risk involves significant transactions that are outside the normal course of business
for the entity, or that otherwise appear to be unusual.
5.1 Identifying Significant Risks:
Significant risks often relate to significant non-routine transactions or judgmental matters.
Non-routine transactions are transactions that are unusual, due to either size or nature, and that
therefore occur infrequently. Eg. Greater management intervention to specify the accounting
treatment.
Judgmental matters may include the development of accounting estimates for which there is
significant measurement uncertainty. Eg. Accounting principles for accounting estimates or
revenue recognition may be subject to differing interpretation.
6. EVALUATION OF INTERNAL CONTROL BY THE AUDITOR
6.1 Benefits of Evaluation of Internal Control to the Auditor
The review of internal controls will enable the auditor to know:
(i) whether errors and frauds are likely to be located in the ordinary course of operations of the
business;
(ii) whether an adequate internal control system is in use and operating as planned by the
management;
(iii) whether an effective internal auditing department is operating;
(iv) whether any administrative control has a bearing on his work;
(v) whether the controls adequately safeguard the assets; how far and how adequately the
management is discharging its function in so far as correct recording of transactions is
concerned;
(vi) how reliable the reports, records and the certificates to the management can be;
(vii) the extent and the depth of the examination that he needs to carry out in the different areas of
accounting;
(viii) what would be appropriate audit technique and the audit procedure in the given circumstances;
(ix) what are the areas where control is weak and where it is excessive; and
(x) whether some worthwhile suggestions can be given to improve the control system.
6.2 Evaluation of Internal Control– Methods
(a) The Narrative Record
This is a complete and exhaustive description of the system as found in operation by the
auditor. Actual testing and observation are necessary before such a record can be developed.
It may be recommended in cases where no formal control system is in operation and would be
more suited to small business.
The basic disadvantages of narrative records are that it is quite difficult:
(i) To comprehend the system in operation.
(ii) To identify weaknesses or gaps in the system.
(iii) To incorporate changes arising on account of reshuffling of manpower, etc.
(b) Check List
This is a series of instructions and/or questions which a member of the auditing staff must
follow and/or answer. When he completes an instruction, he initials the space against the
instruction. Answers to the check list instructions are usually Yes, No or Not Applicable. This
is again an on-the-job requirement and instructions are framed having regard to the desirable
elements of control.
Example
A few examples of check list instructions are given hereunder:
1. Are tenders called before placing orders?
2. Are the purchases made on the basis of a written order?
3. Is the purchase order form standardized?
(c) Internal Control Questionnaire
This is a comprehensive series of questions concerning internal control. This is the most
widely used form for collecting information about the existence, operation and efficiency
of internal control in an organisation.
An important advantage of the questionnaire approach is that oversight or omission of
significant internal control review procedures is less likely to occur with this method.
With a proper questionnaire, all internal control evaluation can be completed at one time
or in sections.
The review can more easily be made on an interim basis.
The questionnaire form also provides an orderly means of disclosing control defects. It
is the general practice to review the internal control system annually and record the
review in detail.
In the questionnaire, generally questions are so framed that a ‘Yes’ answer denotes
satisfactory position and a ‘No’ answer suggests weakness. Provision is made for an
explanation or further details of ‘No’ answers. In respect of questions not relevant to the
business, ‘Not Applicable’ reply is given.
The questionnaire is usually issued to the client and the client is requested to get it
filled by the concerned executives and employees.
(d) Flow Chart
It is a graphic presentation of each part of the company’s system of internal control.
A flow chart is considered to be the most concise way of recording the auditor’s
review of the system.
It minimises the amount of narrative explanation and thereby achieves a consideration or
presentation not possible in any other form.
It gives bird’s eye view of the system and the flow of transactions and integration and in
documentation, can be easily spotted and improvements can be suggested.
It is also necessary for the auditor to study the significant features of the business carried
on by the concern; the nature of its activities and various channels of goods and materials
as well as cash, both inward and outward; and also a comprehensive study of the entire
process of manufacturing, trading and administration. This will help him to understand
and evaluate the internal controls in the correct perspective.
7. TESTING OF INTERNAL CONTROL
✓ Tests of controls are performed to obtain audit evidence about the effectiveness of the:-
(i) Design of the accounting and internal control system
(ii) Operation of the internal control throughout the period
✓ Tests of controls include tests of elements of the control environment where strengths in the
control environment are used by auditors to reduce control risk.
✓ Some of the procedures performed to obtain the understanding of the accounting and internal
control systems may not have been specifically planned as tests of control but may provide
audit evidence about the effectiveness of the design and operation of internal controls relevant
to certain assertions and, consequently, serve as tests of control.
✓ While obtaining audit evidence about the effective operation of internal controls, the auditor
considers how they were applied, the consistency with which they were applied during the
period and by whom they were applied.
✓ Based on the results of the tests of control, the auditor should evaluate whether the internal
controls are designed and operating as contemplated in the preliminary assessment of control
risk. The evaluation of deviations may result in the auditor concluding that the assessed level
of control risk needs to be revised.
✓ In such cases, the auditor would modify the nature, timing and extent of planned substantive
procedures.
✓ Before the conclusion of the audit, based on the results of substantive procedures and other
audit evidence obtained by the auditor, the auditor should consider whether the assessment of
control risk is confirmed.
✓ In case of deviations from the prescribed accounting and internal control systems, the auditor
would make specific inquiries to consider their implications.
✓ It has been suggested that actual operation of the internal control should be tested by the
application of procedural tests and examination in depth.
✓ Procedural tests simply mean testing of the compliance with the procedures laid down by the
management in respect of initiation, authorization, recording and documentation of
transaction at each stage through which it flows.
✓ An auditor testing the internal controls on sales should invariably test whether any of the
aforesaid procedures have been omitted.
8. WHAT IS AN AUTOMATED ENVIRONMENT?
8.1 Key features of an automated environment
8.2 Understanding and documenting automated environment
8.3 Risks arising from use of IT Systems
8.4 Impact of IT related risks
Impact on substantive checking:
• Inability to address above discussed risks may lead to non-reliance of data obtained from
systems.
• In such a case, all information, data, and reports would have to be tested thoroughly for
their completeness and accuracy.
• It could lead to increased substantive checking i.e., detailed checking.
Impact on controls:
• It can lead to non-reliance on automated controls, system calculations and accounting
procedures built into applications.
• It may result in additional audit work.
Impact on reporting:
• Due to regulatory requirements in respect of internal financial controls (discussed in
subsequent paras) in case of companies, it may lead to modification of auditor’s report in
some instances.
8.5 Types of Controls in an automated environment
(A) General IT controls
1) Data Center and Network Operations
Objective: To ensure that production systems are processed to meet financial reporting objectives.
Activities:
• Overall Management of Computer Operations Activities
• Batch jobs–preparing, scheduling and executing
• Backups–monitoring, storage & retention
• Performance Monitoring– operating system, database and networks
• Recovery from Failures–BCP, DRP
2) Program Change
Objective: To ensure that modified systems continue to meet financial reporting objectives.
Activities:
• Change Management Process–definition, roles & responsibilities
• Change Requests –record, manage, track
• Making Changes–analyze, design, develop
3) Access Security
Objective: To ensure that access to programs and data is authenticated and authorized to meet
financial reporting objectives.
Activities:
• Security Organization & Management
• Security Policies & Procedures
• Application Security
• Data Security
• Operating System Security
• Network Security – internal network, perimeter network
• Physical Security – access controls, environment controls
4) Application system acquisition, development, and maintenance
Objective: To ensure that systems are developed, configured and implemented to meet financial
reporting objectives.
Activities:
• Overall Mgmt. of Development Activities
• Project Initiation
• Analysis & Design
• Construction
• Testing & Quality Assurance
• Data Conversion
(B) Application Controls
• Application controls include both automated or manual controls that operate at a business
process level.
• Automated Application controls are embedded into IT applications viz., ERPs and help in
ensuring the completeness, accuracy and integrity of data in those systems.
• Examples of automated applications include edit checks and validation of input data,
sequence number checks, mandatory data fields.
(C) IT dependent Controls
• IT dependent controls are basically manual controls that make use of some form of data or
information or report produced from IT systems and applications. In this case, even though
the control is performed manually, the design and effectiveness of such controls depends on
the reliability of source data.
• Due to the inherent dependency on IT, the effectiveness and reliability of Automated
application controls and IT dependent controls require the General IT Controls to be effective.
8.6 General IT Controls vs. Application Controls
8.7 Testing methods in an automated environment
Inquiry is the most efficient audit test but it also gives the least audit evidence.
Hence, inquiry should always be used in combination with any one of the other audit testing methods.
Inquiry alone is not sufficient.
Reperformance is most effective as an audit test and gives the best audit evidence.
However, testing by reperformance could be very time consuming and least efficient most of the
time.
Generally, applying inquiry in combination with inspection gives the most effective and efficient
audit evidence.
However, which audit test to use, when and in what combination is a matter of professional
judgement and will vary depending on several factors including risk assessment, control
environment, desired level of evidence required, history of errors/misstatements, complexity of
business, assertions being addressed etc.
The auditor should document the nature of test (or combination of tests) applied along with the
judgements in the audit file.
When testing in an automated environment, some of the more common methods are as follows :
✓ Obtain an understanding of how an automated transaction is processed by doing a
walkthrough of one end-to-end transaction using a combination of inquiry, observation and
inspection.
✓ Observe how a user processes transactions under different scenarios.
✓ Inspect the configuration defined in an application
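The following added example is not part of the original notes. It reperforms, over a constructed transaction extract, the automated application controls named in 8.5(B) (sequence number checks, mandatory data fields) and the segregation of duties described under control activities, which is the reperformance method of 8.7. The column names, user ids and sample rows are assumptions made for the illustration.

```python
import csv
import io

# Constructed purchase-invoice extract for illustration (not real data).
# Column names and user ids are assumptions made for this example.
SAMPLE_EXTRACT = """doc_no,vendor,amount,created_by,approved_by
1001,V-01,2500.00,asha,ravi
1002,V-02,1200.00,asha,ravi
1004,V-03,980.50,meena,meena
1005,,430.00,asha,ravi
1005,V-04,430.00,asha,ravi
1006,V-05,,meena,
"""

MANDATORY_FIELDS = ("doc_no", "vendor", "amount", "created_by", "approved_by")


def load_rows(text):
    """Parse the extract into a list of dicts with whitespace stripped."""
    reader = csv.DictReader(io.StringIO(text))
    return [{k: (v or "").strip() for k, v in row.items()} for row in reader]


def sequence_exceptions(rows):
    """Sequence number check: return (missing numbers, duplicated numbers)."""
    seen, duplicates = set(), set()
    for row in rows:
        if not row["doc_no"].isdigit():
            continue  # blank or non-numeric numbers are outside this check
        number = int(row["doc_no"])
        if number in seen:
            duplicates.add(number)
        seen.add(number)
    if not seen:
        return [], []
    # Any number between the lowest and highest that never appears is a gap.
    gaps = sorted(set(range(min(seen), max(seen) + 1)) - seen)
    return gaps, sorted(duplicates)


def missing_mandatory(rows):
    """Mandatory data fields: return (doc_no, [blank fields]) per failing row."""
    findings = []
    for row in rows:
        blank = [f for f in MANDATORY_FIELDS if not row.get(f)]
        if blank:
            findings.append((row.get("doc_no", ""), blank))
    return findings


def sod_conflicts(rows):
    """Segregation of duties: documents created and approved by the same user."""
    return [
        row["doc_no"]
        for row in rows
        if row["created_by"]
        and row["created_by"].lower() == row["approved_by"].lower()
    ]


def reperform(text):
    """Run all three checks and return the exceptions for the audit file."""
    rows = load_rows(text)
    gaps, duplicates = sequence_exceptions(rows)
    return {
        "rows_tested": len(rows),
        "sequence_gaps": gaps,
        "duplicate_numbers": duplicates,
        "missing_mandatory": missing_mandatory(rows),
        "sod_conflicts": sod_conflicts(rows),
    }


if __name__ == "__main__":
    for name, value in reperform(SAMPLE_EXTRACT).items():
        print(f"{name}: {value}")
```

Each exception listed is a deviation that the auditor would follow up by inquiry and inspection before concluding on the operating effectiveness of the control.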
9. CHARACTERISTICS OF MANUAL AND AUTOMATED ELEMENTS OF INTERNAL
CONTROL RELEVANT TO THE AUDITOR’S RISK ASSESSMENT
Controls in Manual and IT System: The use of manual or automated elements in internal control
affects the manner in which transactions are initiated, recorded, processed, and reported:
(1) Controls in a manual system may include such procedures as approvals and reviews of
transactions, and reconciliations and follow-up of reconciling items. Alternatively, an
entity may use automated procedures to initiate, record, process, and report transactions,
in which case records in electronic format replace paper documents.
(2) Controls in IT systems consist of a combination of automated controls (for example,
controls embedded in computer programs) and manual controls. Further, manual controls
may be independent of IT, may use information produced by IT, or may be limited to
monitoring the effective functioning of IT and of automated controls, and to handling
exceptions.
9.1 Suitability: Manual elements in internal control may be more suitable where judgment and
discretion are required, e.g. for large, unusual or non-recurring transactions.
9.2 Reliability: Manual elements in internal control may be less reliable than automated elements
because they can be more easily bypassed, ignored, or overridden and they are also more prone
to simple errors and mistakes. Consistency of application of a manual control element cannot
therefore be assumed. Manual elements may be less suitable for, e.g., high volume or recurring
transactions, or situations where errors that can be anticipated or predicted can be prevented,
or detected and corrected, by control parameters that are automated.
Nature of Entity’s Information System: The extent and nature of the risks to internal control vary
depending on the nature and characteristics of the entity’s information system. The entity
responds to the risks arising from the use of IT or from use of manual elements in internal
control by establishing effective controls in light of the characteristics of the entity’s
information system.
10. AUDIT APPROACH IN AN AUTOMATED ENVIRONMENT
11. DATA ANALYTICS FOR AUDIT
✓ In today’s digital age, when companies rely more and more on IT systems and networks
to operate business, the amount of data and information that exists in these systems is
enormous. The combination of processes, tools and techniques that are used to tap vast
amounts of electronic data to obtain meaningful information is called ‘DATA
ANALYTICS’.
✓ While it is true that companies can benefit immensely from the use of data analytics in terms
of increased profitability, better customer service, gaining competitive advantage, more
efficient operations, etc., even auditors can make use of similar tools and techniques in the
audit process and obtain good results.
✓ The tools and techniques that auditors use in applying the principles of data analytics are
known as Computer Assisted Auditing Techniques or CAATs in short.
✓ Data analytics can be used in testing of electronic records and data residing in IT systems
using spreadsheets and specialised audit tools viz., IDEA and ACL to perform the following:
12. DIGITAL AUDIT
✓ Entities are embracing digitization as part of their operations to keep pace with changing
times. New technologies are helping companies revamp their operations and rethink the way
business is conducted.
✓ Companies are restructuring their business models driven by technology. Automation is key
to digitization.
✓ In such a business environment, use of digital technology is being made by auditors right
from planning to expression of final opinion.
✓ Auditors are making use of artificial intelligence, data analytics and other latest technologies
to help understand business processes in a better way.
✓ By using such tools, auditors can conduct audit in a better way and devote more attention to
areas requiring greater focus.
✓ Digital audit is helping auditors to better identify risks making use of technology.
13. INTERNAL FINANCIAL CONTROLS AS PER REGULATORY
REQUIREMENTS
The term Internal Financial Controls (IFC) basically refers to the policies
and procedures put in place by companies for ensuring:
• Reliability of financial reporting
• Effectiveness and efficiency of operations
• Compliance with applicable laws and regulations
• Safeguarding of assets
• Prevention and detection of frauds
The Companies Act, 2013 has placed a greater emphasis on the effective implementation and
reporting on the internal controls for a company. The term “internal financial controls” is used at
some places in Companies Act, 2013 casting responsibilities as under: -
Reference | Who is responsible | Applicability
Sec 134(5)(e) | Board of Directors | In case of Listed Companies, the Directors’ responsibility statement shall state that the Directors had laid down Internal Financial Controls to be followed by the company and that such Internal Financial Controls are adequate and were operating effectively.
Sec 149(8) and Schedule IV | Independent Directors | All companies having Independent Directors
Sec 177(4)(vii) | Audit Committee | Every Audit Committee shall act in accordance with the terms of reference specified in writing by the Board which shall, inter alia, include - evaluation of internal financial controls and risk management systems
Sec 143(3)(i) | Statutory Auditors | All Companies
14. DOCUMENTING THE RISK
The auditor shall document:
(a) The discussion among the engagement team and the significant decisions reached;
(b) Key elements of the understanding obtained regarding each of the aspects of the entity and its
environment and of each of the internal control components, the sources of information from
which the understanding was obtained; and the risk assessment procedures performed;
(c) The identified and assessed risks of material misstatement at the financial statement level and
at the assertion level; and
(d) The risks identified, and related controls about which the auditor has obtained an
understanding.
15. ASSESS AND REPORT AUDIT FINDINGS
At the conclusion of each audit, it is possible that there will be certain findings or exceptions in the IT
environment and IT controls of the company that need to be assessed and reported to relevant
stakeholders including management and those charged with governance viz., Board of directors,
Audit committee.
Some points to consider are as follows:
✓ The auditor needs to assess each finding or exception to determine impact on the audit and
evaluate if the exception results in a deficiency in internal control.
✓ A deficiency in internal control exists if a control is designed, implemented or operated in
such a way that it is unable to prevent, or detect and correct, misstatements in the financial
statements on a timely basis; or the control is missing.
✓ Evaluation and assessment of audit findings and control deficiencies involves applying
professional judgement that includes considerations for quantitative and qualitative
measures.
✓ Each finding should be looked at individually and in the aggregate by combining with other
findings/deficiencies.
16. THE AUDITOR’S RESPONSES TO ASSESSED RISKS
SA 330- The auditor’s responses to assessed risks deals with the auditor’s responsibility to design
and implement responses to the risks of material misstatement identified and assessed by the
auditor in accordance with SA 315, “Identifying and Assessing Risks of Material Misstatement
Through Understanding the Entity and Its Environment” in a financial statement audit.
The objective of the auditor is to obtain sufficient appropriate audit evidence about the assessed
risks of material misstatement, through designing and implementing appropriate responses to those
risks.
SA 330 states that: -
(a) The auditor shall design and implement overall responses to address the assessed risks of
material misstatement at the financial statement level.
(b) The auditor shall design and perform further audit procedures whose nature, timing and extent
are based on and are responsive to the assessed risks of material misstatement at the assertion level.
In designing the further audit procedures to be performed, the auditor shall:
(a) Consider the reasons for the assessment given to the risk of material misstatement at the
assertion level for each class of transactions, account balance, and disclosure, including:
(i) The likelihood of material misstatement due to the particular characteristics of the
relevant class of transactions, account balance, or disclosure (i.e., the inherent risk); and
(ii) Whether the risk assessment takes into account the relevant controls (i.e., the control
risk), thereby requiring the auditor to obtain audit evidence to determine whether the
controls are operating effectively (i.e., the auditor intends to rely on the operating
effectiveness of controls in determining the nature, timing and extent of substantive
procedures); and
(b) Obtain more persuasive audit evidence the higher the auditor’s assessment of risk.
The auditor shall design and perform tests of controls to obtain sufficient appropriate
audit evidence as to the operating effectiveness of relevant controls when:
(a) The auditor’s assessment of risks of material misstatement at the assertion level
includes an expectation that the controls are operating effectively (i.e., the auditor intends
to rely on the operating effectiveness of controls in determining the nature, timing and
extent of substantive procedures); or
(b) Substantive procedures alone cannot provide sufficient appropriate audit evidence at
the assertion level.
16.1 Nature and Extent of Test of Controls
✓ In designing and performing test of controls, the auditor shall:
✓ Perform other audit procedures in combination with inquiry to obtain audit evidence about
the operating effectiveness of the controls, including:
o How the controls were applied at relevant times during the period under audit.
o The consistency with which they were applied.
o By whom or by what means they were applied.
✓ Determine whether the controls to be tested depend upon other controls (indirect controls),
and if so, whether it is necessary to obtain audit evidence supporting the effective operation
of those indirect controls.
✓ Inquiry alone is not sufficient to test the operating effectiveness of controls. Accordingly,
other audit procedures are performed in combination with inquiry. In this regard, inquiry
combined with inspection or reperformance may provide more assurance than inquiry and
observation, since an observation is pertinent only at the point in time at which it is made.
✓ The nature of the particular control influences the type of procedure required to obtain audit
evidence about whether the control was operating effectively.
Matters the auditor may consider in determining the extent of test of controls include the
following:
✓ The frequency of the performance of the control by the entity during the period.
✓ The length of time during the audit period that the auditor is relying on the operating
effectiveness of the control.
✓ The expected rate of deviation from a control.
✓ The relevance and reliability of the audit evidence to be obtained regarding the operating
effectiveness of the control at the assertion level.
✓ The extent to which audit evidence is obtained from tests of other controls related to the
assertion.
16.2 Timing of Test of Controls
✓ The auditor shall test controls for the particular time, or throughout the period, for which the
auditor intends to rely on those controls in order to provide an appropriate basis for the
auditor’s intended reliance.
✓ Audit evidence pertaining only to a point in time may be sufficient for the auditor’s
purpose, for example, when testing controls over the entity’s physical inventory counting at
the period end.
✓ If, on the other hand, the auditor intends to rely on a control over a period, tests that are
capable of providing audit evidence that the control operated effectively at relevant times
during that period are appropriate.
✓ Such tests may include tests of the entity’s monitoring of controls.
16.3 Using Audit Evidence Obtained in Previous Audits
(a) The effectiveness of other elements of internal control, including the control environment, the
entity’s monitoring of controls, and the entity’s risk assessment process
(b) The risks arising from the characteristics of the control, including whether it is manual or
automated
(c) The effectiveness of general IT-controls
(d) The effectiveness of the control and its application by the entity, including the nature and extent
of deviations in the application of the control noted in previous audits, and whether there have been
personnel changes that significantly affect the application of the control
(e) Whether the lack of a change in a particular control poses a risk due to changing circumstances
and
(f) The risks of material misstatement and the extent of reliance on the control
16.4 Evaluating the Operating Effectiveness of Controls
✓ When evaluating the operating effectiveness of relevant controls, the auditor shall evaluate
whether misstatements that have been detected by substantive procedures indicate that
controls are not operating effectively.
✓ The absence of misstatements detected by substantive procedures, however, does not
provide audit evidence that controls related to the assertion being tested are effective.
✓ A material misstatement detected by the auditor’s procedures is a strong indicator of the
existence of a significant deficiency in internal control.
16.5 Specific inquiries by auditor when deviations from controls are detected
When deviations from controls upon which the auditor intends to rely are detected, the auditor shall
make specific inquiries to understand these matters and their potential consequences, and shall
determine whether:
(a) The tests of controls that have been performed provide an appropriate basis for reliance
on the controls
(b) Additional tests of controls are necessary or
(c) The potential risks of misstatement need to be addressed using substantive procedures.
Irrespective of the assessed risks of material misstatement, the auditor shall design and
perform substantive procedures for each material class of transactions, account balance, and
disclosure.
This requirement reflects the facts that:
(I) the auditor’s assessment of risk is judgmental and so may not identify all risks of
material misstatement and
(II) there are inherent limitations to internal control, including management override.
Substantive procedures are audit procedures designed to detect material misstatements at the
assertion level. Substantive procedures comprise:
(i) Tests of details (of classes of transactions, account balances, and disclosures), and
(ii) Substantive analytical procedures.
16.6 Tests of Details
• Tests of details are further classified into tests of transactions i.e., vouching and tests of
balances i.e., verification.
• Tests of balances consist of verification of assets as well as liabilities. Verification of an
item of fixed asset.
• This may be obtained by reviewing entity’s plan for performing physical verification of
fixed assets and obtaining evidence for performance of physical verification of fixed assets
by management.
16.7 Substantive analytical procedures (SA 520)
• Substantive analytical procedures refer to analytical procedures used as substantive
procedures by auditor.
• The term “analytical procedures” means evaluations of financial information through
analysis of plausible relationships among both financial and non-financial data.
• Analytical procedures also encompass such investigation as is necessary of identified
fluctuations or relationships that are inconsistent with other relevant information or that
differ from expected values by a significant amount.
• The use of widely recognised ratios (such as profit margins for different types of retail
entities) can often be used effectively in substantive analytical procedures to provide
evidence to support the reasonableness of recorded amounts.
• Analytical procedures involving, for example, the prediction of total rental income on a
building divided into apartments, taking the rental rates, the number of apartments and
vacancy rates into consideration, can provide persuasive evidence and may eliminate the
need for further verification by means of tests of details.
• Substantive analytical procedures are generally more applicable to large volumes of
transactions that tend to be predictable over time.
16.7.1 Nature and extent of Substantive procedure
Depending on the circumstances, the auditor may determine that:
• Performing only substantive analytical procedures will be sufficient to reduce audit risk to
an acceptably low level. For example, where the auditor’s assessment of risk is supported
by audit evidence from tests of controls.
• Only tests of details are appropriate.
• A combination of substantive analytical procedures and tests of details is most responsive
to the assessed risks.
“You have daily income 86400
seconds, spend it wisely”