1. The purpose of this Auditing and Assurance Standard (AAS) is to establish standards on the procedures to be followed to obtain an understanding of the accounting and internal control systems and on audit risk and its components: inherent risk, control risk and detection risk. The principles laid down in the other AASs, issued by the Institute of Chartered Accountants of India, would be applicable, to the extent practicable, to this AAS also. In this Standard, the term 'financial information' encompasses 'financial statements'. In some circumstances, specific legislations and regulations may require the auditor to undertake procedures additional to those set out in this AAS.
2. The auditor should obtain an understanding of the accounting and internal control systems sufficient to plan the audit and develop an effective audit approach. The auditor should use professional judgement to assess audit risk and to design audit procedures to ensure that it is
reduced to an acceptably low level.
3. "Audit risk" means the risk that the auditor gives an inappropriate audit opinion when the financial
statements are materially misstated. Audit risk has three components: inherent risk, control risk and
4. "Inherent risk" is the susceptibility of an account balance or class of transactions to misstatement
that could be material, either individually or when aggregated with misstatements in other balances or classes, assuming that there were no related internal controls.
5. "Control risk" is the risk that a misstatement, that could occur in an account balance or class of
transactions and that could be material, either individually or when aggregated with misstatements in
other balances or classes, will not be prevented or detected and corrected on a timely basis by the
accounting and internal control systems.
6. "Detection risk" is the risk that an auditor's substantive procedures will not detect a misstatement
that exists in an account balance or class of transactions that could be material, either individually or
when aggregated with misstatements in other balances or classes.
7. "Accounting System" means the series of tasks and records of an entity by which transactions are
processed as a means of maintaining financial records. Such systems identify, assemble, analyse,
calculate, classify, record, summarise and report transactions and other events.
8. "Internal Control System" means all the policies and procedures (internal controls) adopted by the
management of an entity to assist in achieving management's objective of ensuring, as far as practicable, the orderly and efficient conduct of its business, including adherence to management policies, the safeguarding of assets, the prevention and detection of fraud and error, the accuracy and completeness of the accounting records, and the timely preparation of reliable financial information. The internal audit function constitutes a separate component of internal control with the objective of determining whether other internal controls are well designed and properly operated.
9. The system of internal control must be under continuing supervision by management to determine
that it is functioning as prescribed and is modified, as appropriate, for changes in conditions. The internal control system extends beyond those matters which relate directly to the functions of the accounting system and comprises:
(a) "the control environment" which means the overall attitude, awareness and actions of directors and management regarding the internal control system and its importance in the entity. The control
environment has an effect on the effectiveness of the specific control procedures and provides the
background against which other controls are operated. A strong control environment, for example,
one with tight budgetary controls and an effective internal audit function, can significantly complement specific control procedures. However, a strong control environment does not, by itself,
ensure the effectiveness of the internal control system. Factors reflected in the control environment
♦ The entity's organisational structure and methods of assigning authority and responsibility
(including segregation of duties and supervisory functions).
♦ The function of the board of directors and its committees in the case of a company or the
corresponding governing body in case of any other entity.
♦ Management's philosophy and operating style.
♦ Management's control system including the internal audit function, personnel policies and
(b) "control procedures" which means those policies and procedures in addition to the control
environment which management has established to achieve the entity's specific objectives. Specific
control procedures include:
♦ Reporting and reviewing reconciliations.
♦ Checking the arithmetical accuracy of the records.
♦ Controlling applications and environment of computer information systems, for example, by
establishing controls over:
• changes to computer programs
• access to data files.
♦ Maintaining and reviewing control accounts and related subsidiary ledgers.
♦ Approving and controlling of documents.
♦ Comparing internal data with external sources of information.
♦ Comparing the results of physical verification of cash, fixed assets, investments and inventory with corresponding accounting records.
♦ Restricting direct access to assets, records and information.
♦ Comparing and analysing the financial results with corresponding budgeted figures.
10. In the audit of financial statements, the auditor is concerned only with those policies and
procedures within the accounting and internal control systems that are relevant to the assertions made in the financial statements. The understanding of relevant aspects of the accounting and internal control systems, together with the inherent and control risk assessments and other considerations, will enable the auditor to:
(a) assess the adequacy of the accounting system as a basis for preparing the financial statements;
(b) identify the types of potential material misstatements that could occur in the financial statements;
(c) consider factors that affect the risk of material misstatements; and
(d) develop an appropriate audit plan and determine the nature, timing and extent of his audit procedures.
11. When developing the audit approach, the auditor considers the preliminary assessment of control
risk (in conjunction with the assessment of inherent risk) to determine the appropriate detection risk that may be accepted by the auditor for the assertions made in the financial statements and to determine the nature, timing and extent of substantive procedures for such assertions.