Risk Assessments and Internal Control

Risk assessment procedures are performed to obtain an understanding of the entity and
its environment, including the entity’s internal control, to identify and assess the risks of
material misstatement, whether due to fraud or error, at the financial statement and
assertion levels.

The auditor’s risk assessment procedures shall include:

1. Inquiries of management and of others within the entity who in the auditor’s
judgment may have information that is likely to 

assist in identifying risks of material misstatement due to fraud or error. 


2. Analytical procedures 


3. Observation and inspection. 


Substantive test procedures are audit procedures designed to detect material

misstatements at the assertion level. Tests of controls are audit procedures designed to
evaluate the effectiveness of controls in preventing, or detecting and correcting, material
misstatements at the assertion level.

As defined in PSA 315, business risk is “a risk resulting from significant conditions,
events, circumstances, actions or inactions that could adversely affect an entity’s ability
to achieve its objectives and execute its strategies, or from the setting of inappropriate
objectives and strategies.”

The auditor does not have a responsibility to identify or assess all business risks facing
the entity because not all business risks give rise to risks of material misstatement.

The three components of audit risk are:

1. “Inherent risk” is the susceptibility of an account balance or class of transactions

to misstatement that could be material, 

individually or when aggregated with misstatements in other balances or classes,
assuming that there were no related internal 

controls. 


2. “Control risk” is the risk that a misstatement that could occur in an account
balance or class of transactions that could be 

material, individually or when aggregated with other misstatements in other
balances or classes, will not be prevented, or 

 detected and corrected, on a timely basis, by the accounting and internal control
systems. 


3. “Detection risk” is the risk that an auditor’s substantive procedures will not detect
a misstatement that exists in an account 

balance or class of transactions that could be material, individually or when
aggregated with misstatements in other balances or classes. 


The acceptable level of detection risk is a function of the desired level of overall audit
risk and the assessed levels of inherent risk and control risk. Hence, detection risk can
be changed at the discretion of the auditor. However, it should be emphasized that the
auditor’s preliminary assessments of inherent risk and control risk may change as the
audit work continues.

Audit risk and its components may be assessed in quantitative or non-quantitative

terms.

An audit conducted in accordance with PSAs provides only reasonable, not absolute,
assurance that the financial statements are free of material misstatement, whether
caused by error or fraud.

Inherent risk, which is the susceptibility of an assertion to material misstatement in the

absence of related controls, exists independently of the audit. Some assertions and
related account balances and classes of transactions have greater level of inherent risk
than others. For example, account balances resulting from complex calculations such
as those for retirement benefits and finance leases have a higher risk of misstatement.

An auditor assesses control risk by considering internal control. There exists an inverse
relationship between control risk and detection risk – that is, the greater (lower) the
assessed level of control risk, the lower (greater) the acceptable level of detection risk.
The acceptable level of detection risk, in turn, affects substantive testing. As the
acceptable level of detection risk decreases, the auditor changes the nature, timing, and
extent of substantive tests to increase the assurance they provide. Therefore, there is
an inverse relationship between the acceptable level of detection risk and substantive
testing.

According to the standard, the auditor should consider the assessed levels of inherent
and control risks in determining the nature, timing, and extent of substantive procedures
required to reduce audit risk to an acceptable level.

The opinion paragraph of the auditor’s report explicitly refers to materiality. By stating
that the financial statements are presented fairly, in all material respects, in conformity
with an applicable financial reporting framework, the auditor is of the opinion that the
financial statements are not materially misstated.
The standard states that regardless of the assessed levels of inherent and control risks,
the auditor should perform some substantive procedures for material account balances
and classes of transactions.

PSA 315 states that internal control is designed and implemented to achieve the entity’s
objectives with regard to:

Reliability of financial reporting; 


Effectiveness and efficiency of operations; and 


Compliance with applicable laws and regulations 


The five components of internal control are:

The control environment 


The entity’s risk assessment process 


The information system, including the related business processes relevant to

financial reporting, and communication. 


Control activities 


Monitoring of controls

The use of IT allows an entity to:

Consistently apply predefined business rules and perform complex

calculations in processing large volumes of transactions 

and data 


Enhance the timeliness, availability, and accuracy of information 


Facilitate the additional analysis of information 


 Enhance the ability to monitor the performance of the entity’s activities and its
policies and procedures; 


Reduce the risk that control will be circumvented; and 


Enhance the ability to achieve effective segregation of duties by

implementing security controls in applications, databases and 

operating systems. 

PSA 315 states that when obtaining an understanding of controls that are
relevant to the audit, the auditor shall evaluate the design of those controls and
determine whether they have been implemented. 

Evaluating the design of a control involves considering whether the control,
individually or in combination with other controls, is capable of effectively
preventing, or detecting and correcting, material misstatements. Implementation of
a control means that the control exists and the entity is using it. 

Risk assessment procedures to obtain an understanding of controls relevant to
the audit include the following: 


Inquiry of entity personnel 


Observing the application of specific controls 


Inspecting documents and reports 


Tracing transactions through the information system to financial reporting


As defined in the standard, tests of controls are audit procedures designed to
evaluate the operating effectiveness of controls in 

preventing, or detecting and correcting, material misstatemetns at the assertion
level. 

PSA 315 states that the control environment includes the governance and
management functions and attitudes, awareness, and actions of those charged
with governance and management concerning the entity’s internal control and its
importance in the entity. The control environment sets the tone of the
organization, influencing the control consciousness of its people. 


The control environment component of internal control encompasses the following

elements:
 a. Communication and enforcement of integrity and ethical values. 


b. Commitment to competence 


c. Participation by those charged with governance 


d. Management’s philosophy and operating style 


e. Organizational structure 


f. Assignment of authority and responsibility 


g. Human resource policies and practices 


An important element of the control environment component of internal control is human

resource policies and practices. This is
relativetorecruitment,orientation,training,evaluating,counseling,promoting,compensating,
andremedialactions. Theobjectivesof internal control cannot be achieved without
sufficient competent personnel who will operate the system.

Controls that are relevant to a financial statement audit pertain to the entity’s objective
of preparing financial statements for external purposes and the management of risk that
may give rise to a material misstatement in those financial statements.

PSA 315 states that the entity’s risk assessment process forms the basis for how
management determines the risks to be managed.

It is important to note that for financial reporting purposes, an entity’s risk assessment
process includes how management identifies risks relevant to the preparation of
financial statements, estimates their significance, asseses the likelihood of their
occurence, and decides upon actions to manage them.

General IT controls are policies and procedures that relate to many applications and
support the effective functioning of application controls. General IT controls commonly
include controls over the following:

a. Data center and network operations 


 b. Access security 


c. Program change 


Process

Applicationcontrolsrelatetoproceduresusedtoinitiate,record,processandreporttransaction
sorotherfinancialdata. Manualfollow- up of exception reports is an example of application
controls.

According to the standard, ongoing monitoring activities are built into the normal recurring
activities of an entity and include regular management supervisory activities, such as
reviewing the purchasing function.

Conrol activities are the policies and procedures that help ensure management
directives are carried out. They are intended to ensure that necessary actions are taken
to address risks that threaten the achievements of the entity’s objectives. Control
activities have various objectives and are applied at various organizational and
functional levels. Specific control activities include those that relate to:

Authorization 


Performance reviews 


Information processing 


Physical controls 


Segregation of duties 

An internal audit function is part of the monitoring component of internal control. 

According to PSA 315, “Internal control is the process designed, implemented
and maintained by those charged with governance, management and other
personnel to provide reasonable assurance about the achievement of the entity’s
objectives with regard to realiability of financial reporting, effectiveness and
efficiency of operations, and compliance with applicable laws and regulations. 

An effective internal control system reduces the need for management to spend
time reviewing exception reports on a day-to-day basis. An entity’s internal
control system, if working effectively, should prevent as well as detect and correct
exceptions. 

Controls that are relevant to an audit pertain to the entity’s objective of preparing
financial statements for external purposes that are fairly presented in accordance
 with an applicable financial reporting framework. 

Because of inherent limitations of any system of internal control, even the most
effective internal control cannot guarantee the elimination of employee fraud. 

Internal controls should be designed to prevent, or detect and correct, material
errors or fraud within a timely period by employees in the normal course of their
assigned duties. 

The cost-benefit relationship is a primary criterion in designing internal control –
that is, the cost of a control should not exceed its benefits. Because it is
impossible to precisely measure the costs and benefits of internal control, both
quantitative and qualitative estimates and judgments are used by management to
evaluate the relationship. 

A proper segregation of duties requires that one person should not be
responsible for all phases of a transaction: authorization, recording, and
custodianship of the related assets. Separate individuals should perform these
incompatible duties to reduce the opportunity for any person to be in a position to
both perpetrate and conceal errors or fraud in the normal course of his/her
duties. 

The performance of incompatible functions is not an inherent limitation of internal
control but a failure to segregate functional responsibilities properly. 


The auditor should obtain an understanding of the information system relevant to

financial reporting to understand:

a. The classes of transactions which are significant to the financial statements 


b. The procedures – within both IT (Information Technology) and manual systems –

by which those transactions are initiated, 

recorded, processed, and reported in the financial statements 


c. The accounting records and supporting documents for those transactions 


d. How the information system captures events and conditions, other than classes
of transactions, that are significant to the 

financial statements 


e. The financial reporting process used to prepare the entity’s financial statements,
including significant accounting estimates and 

disclosures. 


Understanding the entity’s internal control system is a matter that should be considered
by an auditor in developing the overall audit strategy.
PSA 315 states that the auditor’s understanding of internal control may raise doubts
about the auditability of an entity’s financial statements.

Concerns about the integrity of the entity’s management may be so serious as to cause
the auditor to conclude that the risk of management representation in the financial
statements is such that an audit cannot be conducted.

Also, concerns about the condition and reliability of an entity’s records may cause the
auditor to conclude that it is unlikely that sufficient appropriate audit evidence will be
available to support an unqualified opinion on the financial statements. In such
circumstances, the auditor considers a qualification or disclaimer of opinion, but in some
cases, the auditor’s only recourse may be to withdraw from the engagement.

The auditor should obtain a sufficient understanding of internal control to assess the
risks of material misstatement. The understanding includes knowledge about the design
of relevant controls and whether they have been implemented, i.e., whether they have
been placed in operation. Though the auditor may become aware of material
weaknesses in internal control, he/she is not required to search for such internal control
weakness or deficiencies. A financial statement audit is not designed to determine the
adequacy of internal control for management purposes.

Under PSA 330 (The Auditor’s Responses to Assessed Risks), the auditor should
perform tests of controls when his/her assessment of risks of material misstatement at
the assertion level includes an expectation that controls are operating effectively or
when substantive procedures alone do not provide sufficient appropriate evidence to
reduce the risks of material misstatement at the assertion level.

The auditor performs tests of controls to obtain assurance about the operating
effectiveness of controls. Testing the operating effectiveness of controls includes
obtaining audit evidence about:

1. How controls were applied at relevant times during the period under audit, 


2. The consistency with which they were applied, and 


3. By whom or by what means they were applied. 


Determining why controls were applied relates more to obtaining an understanding of

internal control than testing the effectiveness of controls.

The auditor is required to document in the audit working papers the understanding
obtained of the entity’s internal control and the assessment of control risk. When control
risk is assessed at less than maximum, the auditor should also document the basis for
the conclusion.
“If you want something you’ve never had before, then you’ve got to do
something you’ve never done before.”