RISK ASSESMENT AND INTERNAL CONTROL SA 400

Objective
Para 7.1 The objective of this SA is to prescribed on the procedures to be followed to
obtain an understanding of accounting and internal control system and on audit risk. The
auditor should design audit procedure to ensure that it is reduce to an acceptable low
level.

What is audit risk?

7.2 Audit risk means the risk that the auditor gives an inappropriate opinion when the
financial statements are materially mis-stated.

Types of Audit Risk

7.3 Total audit risk can be divided into three risks:
• Inherent Risk
• Control risk
• Detection risk
7.3-1 Inherent risk - The risk is that there will be material error in accounting process
when there are no related controls. For example, closely held companies may present
more inherent risk with respect to understatement of income due to tax minimization
incentive and publicly held companies may pose more inherent risk with respect to
overstatement of income due to incentive plan based on income to top management.

7.3.2 Control Risk – Risk assessment that internal control structure will fail to detect
error equal to the tolerable error.
Example- Whenever an employee goes on tour the traveling advance given to him
and amount is debited / classified as staff advance. When the employee comes
back from tour, he submits the traveling expenses bill and advance is adjusted. All
advances given to staff other than traveling advance to staff advance like car
advance, festival advance etc. In this system of internal control of traveling
advance there is possibility expense if employee does not submit/forgets to submit
the traveling bill and, therefore, there is risk that traveling expense of a particular
period may be understand materially. It is kind of control risk because internal
control system may fail to detect the understatement of traveling expense.

7.3.3 Detection risk – Detection risk is the risk that substantive test of details will fail to
detect error equal to adequate limit.

Developing audit program for inherent risk

7.4 The following points should be considered for assessing the inherent risk and
developing audit plan for inherent risk :
• Inherent risk should be assessed at financial statement level and not at the
transaction level or for a period less than financial statement period. For example
– Rs. 2 lakhs was wrongly debited to Mr. A (Debtor) instead of Mr. B (Debtor).
Such error may be material
• Previous experience of the auditor of the entity from previous audit engagement.
 • Any control established by the management to compensate for a high level
inherent risk.
• Any significant change as compared to previous year affecting degree of inherent
risk.
• The integrity of the management.
• Management experience and knowledge.
• Unusual pressure on management.
• Nature of entity business.
• Factors affecting the industry to which entity belongs.

7.4-1 Audit objective – Audit objective in this situation ensure accuracy of the securities,
pricing, completeness and validity. Audit procedure for inherent risk volatility of price
suggests a year-end pricing test, low activity expectation and excellent record keeping
procedures justify observing the control of securities at a time prior to year-end review
activity and consider the need for year-end count, keep abreast of development in general
business environment and environment within which the client operates.

7.4.2 Documentations of inherent risk- When the auditor makes an assessment that
inherent risk is not high, he should document the reasons for such assessments.

Preliminary assessment of control risk

7.5 Preliminary assessment of control risk is the process of evaluating the likely
effectiveness of an entity’s accounting system and internal control system in
preventing and detection and correcting material misstatement.
7.5-1 Accounting system- Auditor should understand the entity’s accounting system in
force. Like:
• Major class of transaction
• How the transaction are initiated
• Accounting record maintained
• Accounting and financial reporting process.

7.5-2 Internal control- It is a plan of orgnisation and procedure and records concerned
with safeguarding the assets against loss from unintentional. Or international errors
irregularities and ensuring the reliability of financial records for external reporting
purpose. Internal control:
• General controls
• Specific Controls
• Preventive control
• Detective control

7.5-3 Understanding of control environment- The auditor should obtain an understanding

of control environments. Such understanding will help the auditor to make
preliminary assessment of adequacy of accounting and internal control system as a
basis of preparation of financial statement level.
7.5-4 Test of control – It is the process of obtaining the evidence that accounting and
internal control system designed by the management is working effectively through out
the year and the auditor performs test of control by-
• Inspection of document
• Inquiries
• Reconciliation
• Access or program change control in computrised accounting.

7.5.5 Control risk, accounting system and internal control – The auditor ordinarily
assesses control risk at high level if entity’s accounting system and internal
control re not operating effectively.

7.5.6 Documentation of control risk – The auditor should document in the audit
working papers. If assessment based on substantive of control risk is less than
high, the auditor should also document the basis of such conclusion.

7.5.7 Final assessment of control risk – Before the conclusion of audit, The auditor
should make final assessment based on substantive test that control risk earlier by
preliminary assessment is confirmed, if not, the control risk needs to be revised
and therefore the auditor should modify the nature, timing and extent of his
planned substantive procedure.

Relationship between Inherent risk and control risk

7.6 Generally, the management tries to restrict the inherent risk by designing
appropriate accounting system and internal control. Therefore, in many cases
inherent risk and control risk re highly interrelated because both are linked to
accounting and internal control. Therefore, the auditor should determine audit risk
more appropriately by making combined assessment.

Detection risk
7.7 There is a positive relationship between detection risk and substantive procedure.
Some detection risk would always be present even if an auditor examines 100 %
transaction, because most audit evidence are persuasive and not conclusive.

7.7-1 Audit procedure and detection risk – While developing audit program for detection
risk, an auditor should consider like following :
• Assessed level of inherent risk
• Nature, and timing of substantive procedure
• Extent of substantive procedure

7.7.2 Relationship between detection risk and combined inherent and control risk –
There is a inverse relationship between detection risk and combined level of
inherent and control risk. E.g. If inherent and control risk high, acceptable
detection risk needs to be low to reduce the control audit risk to acceptable low
level.
 However, the sufficiently low level of assessed inherent risk and control risk
cannot eliminate the need for the auditor to perform any substantive procedure. In
other words, regardless of the assessed level of inherent and control risk, the
auditor should perform some substantive procedures. The higher the assessment
of inherent and control risk the more audit evidence the auditor should obtain by
performance of substantive procedure.

7.7.3 Detection risk and auditor’s report – When the auditor determines that detection
risk regarding financial assertion for material account balance or transaction
cannot be reduced to acceptable level, the auditor should express a qualified
opinion or a disclaimer of opinion as appropriate.

Audit risk in small business

7.8 In small business, the accounting procedures are performed by few persons who may
be also performing operating and custodial responsibilities. There may not be clear cut
division of duties and responsibilities, in such a situation control risk is at very high level
and not to reduce the audit risk and an auditors has to perform extensive substantive
procedure to get audit evidence and assurance that financial statements are fairly
presented.

Communication of weakness in internal control

7.9 The auditor should make management aware at appropriate level of responsibility of
material weakness in the design or operation of accounting and internal control system,
which has come to his attention.