Standard on Auditing 400 (SA 400), "Risk Assessments and Internal Control"
Auditing and Assurance Standard (AAS) 06, "Risk Assessments and Internal Control"
The following is the text of the Auditing and Assurance Standard (AAS) 06*, "Risk Assessments and Internal Control", issued by the Council of the Institute of Chartered Accountants of India. This Standard should be read in conjunction with the "Preface to the Statements on Standard Auditing Practices", issued by the Institute.
Introduction
1. The purpose of this Auditing and Assurance Standard (AAS) is to establish standards on the procedures to be followed to obtain an understanding of the accounting and internal control systems and on audit risk and its components: inherent risk, control risk and detection risk. The principles laid down in the other AASs, issued by the Institute of Chartered Accountants of India, would be applicable, to the extent practicable, to this AAS also. In this Standard, the term 'financial information' encompasses 'financial statements'. In some circumstances, specific legislations and regulations may require the auditor to undertake procedures additional to those set out in this AAS.
2. The auditor should obtain an understanding of the accounting and internal control systems sufficient to plan the audit and develop an effective audit approach. The auditor should use professional judgement to assess audit risk and to design audit procedures to ensure that it is reduced to an acceptably low level.
3. "Audit risk" means the risk that the auditor gives an inappropriate audit opinion when the financial statements are materially misstated. Audit risk has three components: inherent risk, control risk and detection risk.
4. "Inherent risk" is the susceptibility of an account balance or class of transactions to misstatement that could be material, either individually or when aggregated with misstatements in other balances or classes, assuming that there were no related internal controls.
5. "Control risk" is the risk that a misstatement, that could occur in an account balance or class of transactions and that could be material, either individually or when aggregated with misstatements in other balances or classes, will not be prevented or detected and corrected on a timely basis by the accounting and internal control systems.
6. "Detection risk" is the risk that an auditor's substantive procedures will not detect a misstatement that exists in an account balance or class of transactions that could be material, either individually or when aggregated with misstatements in other balances or classes.
7. "Accounting System" means the series of tasks and records of an entity by which transactions are processed as a means of maintaining financial records. Such systems identify, assemble, analyse, calculate, classify, record, summarise and report transactions and other events.
8. "Internal Control System" means all the policies and procedures (internal controls) adopted by the management of an entity to assist in achieving management's objective of ensuring, as far as practicable, the orderly and efficient conduct of its business, including adherence to management policies, the safeguarding of assets, the prevention and detection of fraud and error, the accuracy and completeness of the accounting records, and the timely preparation of reliable financial information. The internal audit function constitutes a separate component of internal control with the objective of determining whether other internal controls are well designed and properly operated.
9. The system of internal control must be under continuing supervision by management to determine that it is functioning as prescribed and is modified, as appropriate, for changes in conditions. The internal control system extends beyond those matters which relate directly to the functions of the accounting system and comprises:
(a) "the control environment" which means the overall attitude, awareness and actions of directors and management regarding the internal control system and its importance in the entity. The control environment has an effect on the effectiveness of the specific control procedures and provides the background against which other controls are operated. A strong control environment, for example, one with tight budgetary controls and an effective internal audit function, can significantly complement specific control procedures. However, a strong control environment does not, by itself, ensure the effectiveness of the internal control system. Factors reflected in the control environment include:
♦ The entity's organisational structure and methods of assigning authority and responsibility (including segregation of duties and supervisory functions).
♦ The function of the board of directors and its committees in the case of a company or the corresponding governing body in case of any other entity.
♦ Management's philosophy and operating style.
♦ Management's control system including the internal audit function, personnel policies and
(b) "control procedures" which means those policies and procedures in addition to the control environment which management has established to achieve the entity's specific objectives. Specific control procedures include:
♦ Reporting and reviewing reconciliations.
♦ Checking the arithmetical accuracy of the records.
♦ Controlling applications and environment of computer information systems, for example, by establishing controls over:
• changes to computer programs
• access to data files.
♦ Maintaining and reviewing control accounts and related subsidiary ledgers.
♦ Approving and controlling of documents.
♦ Comparing internal data with external sources of information.
♦ Comparing the results of physical verification of cash, fixed assets, investments and inventory with corresponding accounting records.
♦ Restricting direct access to assets, records and information.
♦ Comparing and analysing the financial results with corresponding budgeted figures.
10. In the audit of financial statements, the auditor is concerned only with those policies and procedures within the accounting and internal control systems that are relevant to the assertions made in the financial statements. The understanding of relevant aspects of the accounting and internal control systems, together with the inherent and control risk assessments and other considerations, will enable the auditor to:
(a) assess the adequacy of the accounting system as a basis for preparing the financial statements;
(b) identify the types of potential material misstatements that could occur in the financial statements;
(c) consider factors that affect the risk of material misstatements; and
(d) develop an appropriate audit plan and determine the nature, timing and extent of his audit procedures.
11. When developing the audit approach, the auditor considers the preliminary assessment of control risk (in conjunction with the assessment of inherent risk) to determine the appropriate detection risk that may be accepted by the auditor for the assertions made in the financial statements and to determine the nature, timing and extent of substantive procedures for such assertions.
Inherent Risk
12. In developing the overall audit plan, the auditor should assess inherent risk at the level of financial statements. In developing the audit programme, the auditor should relate such assessment to material account balances and classes of transactions at the level of assertions made in the financial statements, or assume that inherent risk is high for the assertion, taking into account factors relevant both to the financial statements as a whole and to the specific assertions. When the auditor makes an assessment that the inherent risk is not high, he should document the reasons for such assessment.
13. To assess inherent risk, the auditor would use professional judgement to evaluate numerous factors, having regard to his experience of the entity from previous audit engagements of the entity, any controls established by management to compensate for a high level of inherent risk, and his knowledge of any significant changes which might have taken place since his last assessment. Examples of such factors are:
At the Level of Financial Statements
♦ The integrity of the management.
♦ Management's experience and knowledge and changes in management during the period, for example, the inexperience of management may affect the preparation of the financial statements of
♦ Unusual pressures on management, for example, circumstances that might predispose management to misstate the financial statements, such as the industry experiencing a large number of business failures or an entity that lacks sufficient capital to continue operations.
♦ The nature of the entity's business, for example, the potential for technological obsolescence of its products and services, the complexity of its capital structure, the significance of related parties and the number of locations and geographical spread of its production facilities.
♦ Factors affecting the industry in which the entity operates, for example, economic and competitive conditions as indicated by financial trends and ratios, and changes in technology, consumer demand and accounting practices common to the industry.
At the Level of Account Balance and Class of Transactions
♦ Quality of the accounting system.
♦ Financial statements are likely to be susceptible to misstatement, for example, accounts which required adjustment in the prior period or which involve a high degree of estimation.
♦ The complexity of underlying transactions and other events which might require using the work of an expert.
♦ The degree of judgement involved in determining account balances.
♦ Susceptibility of assets to loss or misappropriation, for example, assets which are highly desirable and movable such as cash.
♦ The completion of unusual and complex transactions, particularly, at or near period end.
♦ Transactions not subjected to ordinary processing.
Accounting and Internal Control Systems
14. Internal controls relating to the accounting system are concerned with achieving the following objectives:
♦ Transactions are executed in accordance with management's general or specific authorisation.
♦ All transactions and other events are promptly recorded in the correct amount, in the appropriate accounts and in the proper accounting period so as to permit preparation of financial statements in accordance with the applicable accounting standards, other recognised accounting policies and practices and relevant statutory requirements, if any, and to maintain accountability for assets.
♦ Assets and records are safeguarded from unauthorised access, use or disposition.
♦ Recorded assets are compared with the existing assets at reasonable intervals and appropriate action is taken with regard to any differences.
Inherent Limitations of Internal Controls
15. Accounting and internal control systems can provide only reasonable, but not absolute, assurance that the objectives stated above are achieved. This is because the internal control systems are subject to some inherent limitations, such as:
♦ Management's consideration that the cost of an internal control does not exceed the expected benefits to be derived.
♦ The fact that most internal controls do not tend to be directed at transactions of unusual nature.
♦ The potential for human error, such as, due to carelessness, distraction, mistakes of judgement and the misunderstanding of instructions.
♦ The possibility of circumvention of internal controls through the collusion with employees or with parties outside the entity.
♦ The possibility that a person responsible for exercising an internal control could abuse that responsibility, for example, a member of management overriding an internal control.
♦ The possibility that procedures may become inadequate due to changes in conditions and compliance with procedures may deteriorate.
♦ Manipulations by management with respect to transactions or estimates and judgements required in the preparation of financial statements.
Understanding the Accounting and Internal Control Systems
16. When obtaining an understanding of the accounting and internal control systems to plan the audit, the auditor obtains a knowledge of the design of the accounting and internal control systems, and their operation. For example, an auditor may perform a "walk-through" test, that is, tracing a few transactions through the accounting system. When the transactions selected are typical of those transactions that pass through the system, this procedure may be treated as part of the tests of control. The nature and extent of walk-through tests performed by the auditor are such that they alone would not provide sufficient appropriate audit evidence to support a control risk assessment which is less than high.
17. The nature, timing and extent of the procedures performed by the auditor to obtain an understanding of the accounting and internal control systems will vary with, among other things:
♦ The size and complexity of the entity and of its information system.
♦ Materiality considerations.
♦ The type of internal controls involved.
♦ The nature of the entity's documentation of specific internal controls.
♦ The auditor's assessment of inherent risk.
18. Ordinarily, the auditor's understanding of the accounting and internal control systems significant to the audit is obtained through previous experience with the entity and is supplemented by:
(a) inquiries of appropriate management, supervisory and other personnel at various organisational levels within the entity, together with reference to documentation, such as procedures manuals, job descriptions, systems descriptions and flow charts;
(b) inspection of documents and records produced by the accounting and internal control systems; and
(c) observation of the entity's activities and operations, including observation of the organisation of computer operations, personnel performing control procedures and the nature of transaction processing.
19. The auditor should obtain an understanding of the accounting system sufficient to identify and understand:
(a) major classes of transactions in the entity's operations;
(b) how such transactions are initiated;
(c) significant accounting records, supporting documents and specific accounts in the financial statements; and
(d) the accounting and financial reporting process, from the initiation of significant transactions and other events to their inclusion in the financial statements.
20. The auditor should obtain an understanding of the control environment sufficient to assess management's attitudes, awareness and actions regarding internal controls and their importance in the entity. Such an understanding would also help the auditor to make a preliminary assessment of the adequacy of the accounting and internal control systems as a basis for the preparation of the financial statements, and of the likely nature, timing and extent of audit procedures.
21. The auditor should obtain an understanding of the control procedures sufficient to develop the audit plan. In obtaining this understanding, the auditor would consider knowledge about the presence or absence of control procedures obtained from the understanding of the control environment and accounting system in determining whether any additional understanding of control procedures is necessary. Because control procedures are integrated with the control environment and the accounting system, as the auditor obtains an understanding of the control environment and the accounting system, some knowledge about control procedures is also likely to be obtained, for example, in obtaining an understanding of the accounting system pertaining to cash, the auditor ordinarily becomes aware of whether bank accounts are reconciled regularly. Ordinarily, development of the overall audit plan does not require an understanding of control procedures for every financial statement assertion in each account balance and transaction class.
Control Risk
22. After obtaining an understanding of the accounting system and internal control system, the auditor should make a preliminary assessment of control risk, at the assertion level, for each material account balance or class of transactions.
Preliminary Assessment of Control Risk
23. The preliminary assessment of control risk is the process of evaluating the likely effectiveness of an entity's accounting and internal control systems in preventing or detecting and correcting material misstatements. The preliminary assessment of control risk is based on the assumption that the controls operate generally as described and that they operate effectively throughout the period of intended reliance. There will always be some control risk because of the inherent limitations of any accounting and internal control system.
24. The auditor ordinarily assesses control risk at a high level for some or all assertions when:
(a) the entity's accounting and internal control systems are not effective; or
(b) evaluating the effectiveness of the entity's accounting and internal control systems would not be
In the above circumstances, the auditor would obtain sufficient appropriate audit evidence from substantive procedures and from any audit work carried out in the preparation of financial statements.
25. The preliminary assessment of control risk for a financial statement assertion should be high unless the auditor:
(a) is able to identify internal controls relevant to the assertion which are likely to prevent or detect and correct a material misstatement; and
(b) plans to perform tests of control to support the assessment.
Documentation of Understanding and Assessment of Control Risk
26. The auditor should document in the audit working papers:
(a) the understanding obtained of the entity's accounting and internal control systems; and
(b) the assessment of control risk.
When control risk is assessed at less than high, the auditor would also document the basis for the
27. Different techniques may be used to document information relating to accounting and internal control systems. Selection of a particular technique is a matter for the auditor's judgement. Common techniques, used alone or in combination, are narrative descriptions, questionnaires, check lists and flow charts. The form and extent of this documentation is influenced by the size and complexity of the entity and the nature of the entity's accounting and internal control systems. Generally, the more complex the entity's accounting and internal control systems and the more extensive the auditor's procedures, the more extensive the auditor's documentation will need to be.
Tests of Control
28. Tests of control are performed to obtain audit evidence about the effectiveness of the:
(a) design of the accounting and internal control systems, that is, whether they are suitably designed to prevent or detect and correct material misstatements; and
(b) operation of the internal controls throughout the period.
Tests of control include tests of elements of the control environment where strengths in the control environment are used by auditors to reduce control risk.
29. Some of the procedures performed to obtain the understanding of the accounting and internal control systems may not have been specifically planned as tests of control but may provide audit evidence about the effectiveness of the design and operation of internal controls relevant to certain assertions and, consequently, serve as tests of control. For example, in obtaining the understanding of the accounting and internal control systems pertaining to cash, the auditor may have obtained audit evidence about the effectiveness of the bank reconciliation process through inquiry and observation.
30. When the auditor concludes that procedures performed to obtain the understanding of the accounting and internal control systems also provide audit evidence about the suitability of design and operating effectiveness of policies and procedures relevant to a particular financial statement assertion, the auditor may use that audit evidence, provided it is sufficient to support a control risk assessment at less than a high level.
31. Tests of control may include:
♦ Inspection of documents supporting transactions and other events to gain audit evidence that internal controls have operated properly, for example, verifying that a transaction has been authorised.
♦ Inquiries about, and observation of, internal controls which leave no audit trail, for example, determining who actually performs each function and not merely who is supposed to perform it.
♦ Re-performance of internal controls, for example, reconciliation of bank accounts, to ensure they were correctly performed by the entity.
♦ Testing of internal control operating on specific computerised applications or over the overall information technology function, for example, access or program change controls.
32. The auditor should obtain audit evidence through tests of control to support any assessment of control risk which is less than high. The lower the assessment of control risk, the more evidence the auditor should obtain that accounting and internal control systems are suitably designed and operating effectively.
33. When obtaining audit evidence about the effective operation of internal controls, the auditor considers how they were applied, the consistency with which they were applied during the period and by whom they were applied. The concept of effective operation recognises that some deviations may have occurred. Deviations from prescribed controls may be caused by such factors as changes in key personnel, significant seasonal fluctuations in volume of transactions and human error. When deviations are detected the auditor makes specific inquiries regarding these matters, particularly, the timing of staff changes in key internal control functions. The auditor then ensures that the tests of control appropriately cover such a period of change or fluctuation.
34. In a computer information systems environment, the objectives of tests of control do not change from those in a manual environment; however, some audit procedures may change. The auditor may find it necessary, or may prefer, to use computer-assisted audit techniques. The use of such techniques, for example, file interrogation tools or audit test data, may be appropriate when the accounting and internal control systems provide no visible evidence documenting the performance of internal controls which are programmed into a computerised accounting system.
35. Based on the results of the tests of control, the auditor should evaluate whether the internal controls are designed and operating as contemplated in the preliminary assessment of control risk. The evaluation of deviations may result in the auditor concluding that the assessed level of control risk needs to be revised. In such cases, the auditor would modify the nature, timing and extent of planned substantive procedures.
Quality and Timeliness of Audit Evidence
36. Certain types of audit evidence obtained by the auditor are more reliable than others. Ordinarily, the auditor's observation provides more reliable audit evidence than merely making inquiries, for example, the auditor might obtain audit evidence about the proper segregation of duties by observing the individual who applies a control procedure or by making inquiries of appropriate personnel. However, audit evidence obtained by some tests of control, such as observation, pertains only to the point in time at which the procedure was applied. The auditor may decide, therefore, to supplement these procedures with other tests of control capable of providing audit evidence about other periods of time.
37. In determining the appropriate audit evidence to support a conclusion about control risk, the auditor may consider the audit evidence obtained in prior audits. In a continuing engagement, the auditor will be aware of the accounting and internal control systems through work carried out previously but will need to update the knowledge gained and consider the need to obtain further audit evidence of any changes in control. Before relying on procedures performed in prior audits, the auditor should obtain audit evidence which supports this reliance. The auditor would obtain audit evidence as to the nature, timing and extent of any changes in the entity's accounting and internal control systems since such procedures were performed and assess their impact on the auditor's intended reliance. The longer the time elapsed since the performance of such procedures the less assurance that may result.
38. The auditor should consider whether the internal controls were in use throughout the period. If substantially different controls were used at different times during the period, the auditor would consider each separately. A breakdown in internal controls for a specific portion of the period requires separate consideration of the nature, timing and extent of the audit procedures to be applied to the transactions and other events of that period.
39. The auditor may decide to perform some tests of control during an interim visit in advance of the period end. However, the auditor cannot rely on the results of such tests without considering the need to obtain further audit evidence relating to the remainder of the period. Factors to be considered include:
♦ The results of the interim tests.
♦ The length of the remaining period.
♦ Whether any changes have occurred in the accounting and internal control systems during the remaining period.
♦ The nature and amount of the transactions and other events and the balances involved.
♦ The control environment, especially supervisory controls.
♦ The nature, timing and extent of substantive procedures which the auditor plans to carry out.
Final Assessment of Control Risk
40. Before the conclusion of the audit, based on the results of substantive procedures and other audit evidence obtained by the auditor, the auditor should consider whether the assessment of control risk is confirmed. In case of deviations from the prescribed accounting and internal control systems, the auditor would make specific inquiries to consider their implications. Where, on the basis of such inquiries, the auditor concludes that the deviations are such that the preliminary assessment of control risk is not supported, he would amend the same unless the audit evidence obtained from other tests of control supports that assessment. Where the auditor concludes that the assessed level of control risk needs to be revised, he would modify the nature, timing and extent of his planned substantive procedures.
Relationship Between the Assessments of Inherent and Control Risks
41. Management often reacts to inherent risk situations by designing accounting and internal control systems to prevent or detect and correct misstatements and therefore, in many cases, inherent risk and control risk are highly interrelated. In such situations, if the auditor attempts to assess inherent and control risks separately, there is a possibility of inappropriate risk assessment. As a result, audit risk may be more appropriately determined in such situations by making a combined assessment.
Detection Risk
42. The level of detection risk relates directly to the auditor's substantive procedures. The auditor's control risk assessment, together with the inherent risk assessment, influences the nature, timing and extent of substantive procedures to be performed to reduce detection risk, and therefore audit risk, to an acceptably low level. Some detection risk would always be present even if an auditor were to examine 100 percent of the account balances or class of transactions because, for example, most audit evidence is persuasive rather than conclusive.
43. The auditor should consider the assessed levels of inherent and control risks in determining the nature, timing and extent of substantive procedures required to reduce audit risk to an acceptably low level. In this regard the auditor would consider:
(a) the nature of substantive procedures, for example, using tests directed toward independent parties outside the entity rather than tests directed toward parties or documentation within the entity, or using tests of details for a particular audit objective in addition to analytical procedures;
(b) the timing of substantive procedures, for example, performing them at period end rather than at an earlier date; and
(c) the extent of substantive procedures, for example, using a larger sample size.
44. There is an inverse relationship between detection risk and the combined level of inherent and control risks. For example, when inherent and control risks are high, acceptable detection risk needs to be low to reduce audit risk to an acceptably low level. On the other hand, when inherent and control risks are low, an auditor can accept a higher detection risk and still reduce audit risk to an acceptably low level. Refer to the Appendix to this SAP for an illustration of the interrelationship of the components of audit risk.
45. While tests of control and substantive procedures are distinguishable as to their purpose, the results of either type of procedure may contribute to the purpose of the other. Misstatements discovered in conducting substantive procedures may cause the auditor to modify the previous assessment of control risk.
46. The assessed levels of inherent and control risks cannot be sufficiently low to eliminate the need for the auditor to perform any substantive procedures. Regardless of the assessed levels of inherent and control risks, the auditor should perform some substantive procedures for material account balances and classes of transactions.
47. The auditor's assessment of the components of audit risk may change during the course of an audit, for example, information may come to the auditor's attention when performing substantive procedures that differs significantly from the information on which the auditor originally assessed inherent and control risks. In such cases, the auditor would modify the planned substantive procedures based on a revision of the assessed levels of inherent and control risks.
48. The higher the assessment of inherent and control risks, the more audit evidence the auditor should obtain from the performance of substantive procedures. When both inherent and control risks are assessed as high, the auditor needs to consider whether substantive procedures can provide sufficient appropriate audit evidence to reduce detection risk, and therefore audit risk, to an acceptably low level. When the auditor determines that detection risk regarding a financial statement assertion for a material account balance or class of transactions cannot be reduced to an acceptable level, the auditor should express a qualified opinion or a disclaimer of opinion as may
Audit Risk in the Small Business
49. The auditor needs to obtain the same level of assurance in order to express an unqualified opinion on the financial statements of both small and large entities. However, many internal controls which would be relevant to large entities are not practical in the small business. For example, in small businesses, accounting procedures may be performed by a few persons who may have both operating and custodial responsibilities, and therefore segregation of duties may be missing or severely limited. Inadequate segregation of duties may, in some cases, be offset by a strong management control system in which owner/manager supervisory controls exist because of direct personal knowledge of the entity and involvement in transactions. In circumstances where segregation of duties is limited and audit evidence of supervisory controls is lacking, the audit evidence necessary to support the auditor's opinion on the financial statements may have to be obtained entirely through the performance of substantive procedures.
Communication of Weaknesses
50. As a result of obtaining an understanding of the accounting and internal control systems and tests of control, the auditor may become aware of weaknesses in the systems. The auditor should make management aware, as soon as practical and at an appropriate level of responsibility, of material weaknesses in the design or operation of the accounting and internal control systems, which have come to the auditor's attention. The communication to management of material weaknesses would ordinarily be in writing. However, if the auditor judges that oral communication is appropriate, such communication would be documented in the audit working papers. It is important to indicate in the communication that only weaknesses which have come to the auditor's attention as a result of the audit have been reported and that the examination has not been designed to determine the adequacy of internal control for management purposes.
Effective Date
51. This Auditing and Assurance Standard becomes operative for all audits related to accounting periods beginning on or after 1st April, 2002.