Risk Assessment and Internal Control – CA Inter Audit Notes

Risk Assessment and Internal Control – CA Inter Audit Notes is designed strictly as per the latest syllabus and exam pattern.

Risk Assessment and Internal Control – CA Inter Auditing Notes

Question 1.
The assessment of risks is a matter of professional judgment. Explain stating clearly what is not included in Audit Risk? [MTP-Aug. 18]
Answer:
Assessment of Audit Risk:

Audit Risk is the risk that the auditor gives an inappropriate audit opinion when the financial statements are materially misstated. Thus, it is the risk that the auditor may fail to express an appropriate opinion in an audit assignment.
SA 315 “Identifying and Assessing Risk of Material Misstatements through understanding the Entity and its Environment” provides guidance on identifying and assessing the risks of material misstatements at the financial statement level and assertion levels.

Risks not forming part of Audit Risk:

Audit risk does not include the risk that the auditor might express an opinion that the financial statements are materially misstated when they are not. This risk is ordinarily insignificant.
Audit risk is a technical term related to the process of auditing; it does not refer to the auditor’s business risks such as loss from litigation, adverse publicity, or other events arising in connection with the audit of financial statements.

Question 2.
“Risk of material misstatement consists of two components” Explain clearly defining risk of material misstatement.
Answer:
Components of risk of material misstatements:
Audit Risk may be defined as the risk that the auditor gives an inappropriate audit opinion when the financial statements are materially misstated, Thus, it is the risk that the auditor may fail to express an appropriate opinion in an audit assignment. Audit Risk has three components: Inherent Risk, Control Risk and Detection Risk. Inherent Risk and Control Risk are collectively known as Risk of Material Misstatement.

SA 315 “Identifying and Assessing Risk of Material Misstatements through understanding the Entity and its Environment” provides guidance on identifying and assessing the risks of material misstatements at the financial statement level and assertion levels.

Inherent Risk:

Inherent Risk is the susceptibility of an account balance or class of transaction to a material misstatement, assuming that there were no internal controls.
To assess inherent risk, the auditor should evaluate numerous factors, having regard to his experience of the entity from previous audit engagements of the entity, controls established by management to compensate for a high level of inherent risk, and his knowledge of any significant changes which might have taken place since his last assessment.

Control Risk:

The risk that a misstatement that could occur in an assertion about a class of transaction, account balance or disclosure and that could be material, either individually or when aggregated with other misstatements, will not be prevented, or detected and corrected, on a timely basis by the entity’s internal control.
Control Risk is the risk that material misstatement will not be prevented or detected and corrected on a timely basis by the internal control system.

Question 3.
“The SAs do not ordinarily refer to inherent risk and control risk separately, but rather to a combined assessment of the “risks of material misstatement”. Explain. [RTP-Nov. 19]
Answer:
Risk of material misstatement:
Audit Risk may be defined as the risk that the auditor gives an inappropriate audit opinion when the financial statements are materially misstated, Thus, it is the risk that the auditor may fail to express an appropriate opinion in an audit assignment. Audit Risk has three components: Inherent Risk, Control Risk and Detection Risk. Inherent Risk and Control Risk are collectively known as Risk of Material Misstatement.

Question 4.
When auditor identifies deficiencies and report on internal controls, he determines the significant financial statement assertions that are affected by the ineffective controls in order to evaluate the effect on control risk assessments and strategy for the audit of the financial statements. Explain. [RTP-May 20]
Answer:
Control risk assessment when control deficiencies are identified:

When auditor identifies deficiencies and report on internal controls, he determines the significant financial statement assertions that are affected by the ineffective controls in order to evaluate the effect on control risk assessments and strategy for the audit of the financial statements.
When control deficiencies are identified and auditor identifies and tests more than one control for each relevant assertion, auditor evaluates control risk considering all of the controls, auditor has tested. If auditor determines that they support a ‘rely on controls’ risk assessment, or if compensating controls are identified, tested and evaluated to be effective, he may conclude that the ‘rely on controls’ is still appropriate. Otherwise we change our control risk assessment to ‘not rely on controls.’
When a deficiency relates to an ineffective control that is the only control identified for an assertion, he revises risk assessment to ‘not rely on controls’ for associated assertions, as no other controls have been identified that mitigate the risk related to the assertion. If the deficiency relates to one WCGW (what can go wrong] out of several WCGW’s, he can ‘rely on controls’ but performs additional substantive procedures to adequately address the risks related to the deficiency.

Question 5.
Discuss in brief the types of audit risk and inter relationship of components of audit risk. [Nov. 14 (4 Marks)]
Answer:
Types of Audit Risk:
Risk that the auditor may express an inappropriate audit opinion when the financial statements are materially misstated, is known as audit risk. It is a function of the risks of material misstatement and detection risk.
(i) Riskof Material Misstatements: The riskthat the financial statements are materially misstated prior to audit. This consists of two components: Inherent Risk and Control Risk.
(a) Inherent risk: The susceptibility of an assertion about a class of transaction, account balance or disclosure to a misstatement that could be material, either individually or when aggregated with other misstatements, before consideration of any related controls.
(b) Control risk: The risk that a misstatement that could occur in an assertion about a class of transaction, account balance or disclosure and that could be material, either individually or when aggregated with other misstatements, will not be prevented, or detected and corrected, on a timely basis by the entity’s internal control.

(ii) Detection Risk: The risk that the procedures performed by the auditor to reduce audit risk to an acceptably low level will not detect a misstatement that exists and that could be material, either individually or when aggregated with other misstatements.
Relationship between Components of Audit Risk:
(a) Inherent Risk and Control Risk:
Management often reacts to inherent risk situations by designing accounting and internal control systems to prevent or detect and correct misstatements and therefore, in many cases, inherent risk and control risk are highly interrelated. In such situations, if the auditor attempts to assess inherent and control risks separately, there is a possibility of inappropriate risk assessment. As a result, audit risk may be more appropriately determined in such situations by making a combined assessment of Inherent and Control Risk as Risk of Material Misstatement (RMM).

(b) Relationship between RMM and Detection Risk:
There is an inverse relationship between detection risk and the combined level of inherent and control risks. When inherent and control risks are high, acceptable detection risk needs to be low to reduce audit risk to an acceptably low level. When inherent and control risks are low, an auditor can accept a higher detection risk and still reduce audit risk to an acceptably low level.

Question 6.
Explain the inherent risk with reference to the relevant standard on auditing.
Or
Write short note on: Inherent Risk. [Nov. 12 (4 Marks)]
Answer:
Inherent risk:
SA 200 “Overall Objectives of Independent Auditor and Conduct of audit in accordance with Standards on Auditing” defines inherent risk as the susceptibility of an assertion about a class of transaction, account balance or disclosure to a misstatement that could be material, either individually or when aggregated with other misstatements, before consideration of any related controls.
Standards on Auditing do not ordinarily refer to inherent risk separately, but rather to a combined assessment of inherent risk and control risk as “Risks of Material Misstatement”.

As per SA 315 “Identifying and Assessing the Risk of Material Misstatement Through Understanding the Entity and its Environment”, auditor is required to assess the risk of material misstatement be performing the following procedure:

Identify risks throughout the process of obtaining an understanding of the entity and its environment.
Assess the identified risks, and evaluate whether they relate more pervasively to the financial statements as a whole and potentially affect many assertions.
Relate the identified risks to what can go wrong at the assertion level, and
Consider the likelihood of misstatement.

As per SA 330 “The Auditor’s Responses to Assessed Risks”, while designing the further audit procedures to be performed, the auditor shall consider the reasons for the assessment given to the risk of material misstatement at the assertion level for the likelihood of material misstatement due to the particular characteristics of the relevant class of transactions, account balance, or disclosure (i.e., the inherent risk] and obtain more persuasive audit evidence the higher the auditor’s assessment of risk.

Question 7.
Doing a statutory audit is full of risk. Narrate the factors which causes the risk.
Answer:
Factors causes the Audit Risk:
The risk that the auditor expresses an inappropriate audit opinion when the financial statements are materially misstated. Audit risk is a function of the risks of material misstatement (RMM] and detection risk. RMM comprises of Inherent Risk and Control risk.

Various factors which causes different types of risks are given below:
1. Inherent Risk: Inherent risk arises on account of nature of financial reporting & auditing. Entire process of auditing is based on the assessment of judgments made by the management of the entity as well as evaluation of internal controls.

2. Control Risk: Control Risk arises on account of Inherent limitations of internal control. Internal control can provide only reasonable, but not absolute, assurance on account of several inherent limitations such as potential for human error, possibility of circumstances of control through collusion, etc.

3. Detection Risk: Detection risk arises on account of judgment on part of auditor, test nature of audit and nature of audit evidences collected. The auditor’s work involves exercise of judgment in many areas like deciding the extent of audit procedures and assessing the reasonableness of the judgments and estimates made by management in preparing the financial statements. The auditor normally relies upon persuasive evidence rather than conclusive evidence. Even in circumstances where conclusive evidence is available, the cost of obtaining such an evidence may far exceed the benefits.

Question 8.
Discuss the following: Weaknesses in the design of the internal control system and non-compliance with identified control procedures amongst other conditions or events which increase the risk of fraud or error.
Or
Mention briefly the conditions or events, which increase the risk of fraud or error leading to material misstatements in financial statements.
Answer:
Conditions or events which increase the risk of fraud or error:
While planning and performing an audit, the auditor should consider the risk of material misstatements that may be caused due to fraud or error.

Various conditions and events that may increase risk of fraud or error are:

Weaknesses in the design of internal control system and non-compliance with the laid down control procedures.
Doubts about the integrity or competence of the management.
Unusual pressures within the entity.
Unusual transactions such as transactions with related parties, excessive payment for certain services to lawyers, etc.
Problems in obtaining sufficient and appropriate audit evidence, e.g., inadequate documentation, significant differences between the figures as per the accounting records and confirmation received from third parties, etc.

Question 9.
What factors are to be considered by an auditor while making control risk assessments? [Nov. 20 (3 Marks)]
Answer:
Factors to be considered while making control risk assessments:
While making control risk assessments, auditor shall consider the followings:

The control environment’s influence over internal control. A control environment that supports the prevention, and detection and correction, of material misstatements allows greater confidence in the reliability of internal control and audit evidence generated within the entity. However, it does not guarantee the effectiveness of specific controls.
Evaluations of the related IT processes that support application and IT-dependent manual controls.
Testing approach over significant class of transactions and disclosure processes.
Expectation of the operating effectiveness of controls based on the understanding of entity’s processes.

Question 10.
“Risk of material misstatement at the assertion level for classes of transactions, account balances and disclosures need to be considered”. Explain stating the different categories of assertions used by the auditor.
Answer:
Assertions used by auditor about account balances at the period end:

SA 315 “Identifying and Assessing Risk of Material Misstatements through understanding the Entity and its Environment” requires the auditor to identify and assess the risks of material misstatement, whether due to fraud or error, at the financial statement and assertion levels.
Risks of material misstatement at the assertion level for classes of transactions, account balances, and disclosures need to be considered because such consideration directly assists in determining the nature, timing, and extent of further audit procedures at the assertion level necessary to obtain sufficient appropriate audit evidence.

Assertions used by auditor with respect to transactions occurred during the year are:

Occurrence – transactions that have been recorded have occurred during the year.
Completeness – transactions have been recorded completely.
Accuracy – transactions have been recorded accurately.
Cut-off – transactions have been recorded in correct accounting period.
Classification – transactions have been properly classified into capital and revenue.

Assertions used by auditor with respect to account balances at the period end are:

Existence – assets and liabilities shown in the balance sheet exists.
Rights and obligations – rights of the entity have been shown as assets and the obligations have been shown as liabilities.
Completeness – assets and liabilities have been recorded completely.
Valuation and allocation – assets and liabilities are included in the financial statements at appropriate amounts and any allocation adjustments are appropriately recorded.

Assertions used by auditor with respect to Presentation and Disclosure are:

Occurrence and Rights and obligations – disclosed transactions have occurred and belong to the entity.
Completeness – disclosures in the financial statements are complete.
Classification and understandability – financial information is appropriately presented and disclosures are clearly expressed.
Accuracy and Valuation – financial and other information are disclosed fairly and at appropriate amounts.

Question 11.
Write short note on: Assertion about balance at the end of the reporting period. [May 13 (4 Marks)]
Or
Discuss the following: The assertions used by auditor to consider potential misstatements about account balances at the period end. [Nov. 15 [5 Marks)]
Answer:
Assertions used by auditor about account balances at the period end:

SA 315 “Identifying and Assessing Risk of Material Misstatements through understanding the Entity and its Environment” requires the auditor to identify and assess the risks of material misstatement, whether due to fraud or error, at the financial statement and assertion levels.
Risks of material misstatement atthe assertion level for classes of transactions, account balances, and disclosures need to be considered because such consideration directly assists in determining the nature, timing, and extent of further audit procedures at the assertion level necessary to obtain sufficient appropriate audit evidence.

Assertions used by auditor with respect to account balances at the period end are:

Existence – assets and liabilities shown in the balance sheet exists.
Rights and obligations – rights of the entity have been shown as assets and the obligations have been shown as liabilities.
Completeness – assets and liabilities have been recorded completely.
Valuation and allocation – assets and liabilities are included in the financial statements at appropriate amounts and any allocation adjustments are appropriately recorded.

Question 12.
In the context of SA 315, state the assertions used by auditor to consider the different types of potential mis-statements that may occur w.r.t. classes of transactions and events for period under audit. [Nov. 17 (4 Marks)]
Answer:
Assertions used by auditor to consider the potential misstatement:

Occurrence – transactions that have been recorded have occurred during the year.
Completeness – transactions have been recorded completely.
Accuracy – transactions have been recorded accurately.
Cut-off – transactions have been recorded in correct accounting period.
Classification – transactions have been properly classified into capital and revenue.

Question 13.
Write short note on: Assertions used by auditor to consider potential misstatements about presentation and disclosure at the period end.
Answer:
Assertions used by auditor to consider the potential misstatement about presentation and disclosure:

Occurrence and Rights and obligations – disclosed transactions have occurred and belong to the entity.
Completeness – disclosures in the financial statements are complete.
Classification and understandability – financial information is appropriately presented and disclosures are clearly expressed.
Accuracy and Valuation – financial and other information are disclosed fairly and at appropriate amounts.

Question 14.
The auditor shall identify and assess the risks of material misstatement at both levels to provide a basis for designing and performing further audit procedures. For the purpose of Identifying and assessing the risks of material misstatement the auditor shall Identify risks, assess the identified risks, relate the identified risks and consider the likelihood of misstatement.
Explain the above in detail. [MTP-Oct. 18]
Or
For the purpose of Identifying and assessing the risks of material misstatement, the auditor shall identify risks throughout the process of obtaining an understanding of the entity and its environment. Explain in detail along with other relevant points. [RTP-Nov. 20]
Answer:
Identifying and assessing the risks of material misstatement:
The auditor shall identify and assess the risks of material misstatement at:
(A) the financial statement level
(B) the assertion level for classes of transactions, account balances, and disclosures to provide a basis for designing and performing further audit procedures

For the purpose of Identifying and assessing the risks of material misstatement, the auditor shall:
(a) Identify risks throughout the process of obtaining an understanding of the entity and its environment, including relevant controls that relate to the risks, and by considering the classes of transactions, account balances, and disclosures in the financial statements;
(b) Assess the identified risks, and evaluate whether they relate more pervasively to the financial statements as a whole and potentially affect many assertions;
(c) Relate the identified risks to what can go wrong at the assertion level, taking account of relevant controls that the auditor intends to test; and
(d) Consider the likelihood of misstatement, including the possibility of multiple misstatements, and whether the potential misstatement is of a magnitude that could result in a material misstatement.

Question 15.
Discuss what is included in risk assessment procedures to obtain audit evidence about the design and implementation of relevant controls. [RTP-May 18]
Answer:
Risk Assessment procedure:
SA 315 “Identifying and Assessing Risk of Material Misstatements through understanding the Entity and its Environment” defines the term Risk Assessment procedure as audit procedures performed to obtain an understanding of the entity and its environment, including the entity’s internal control, to identify and assess the risks of material misstatement, whether due to fraud or error, at the financial statement and assertion levels.

Risk Assessment Procedure includes the following:
(a) Inquiries of management, and of others within the entity: Much of the information is obtained by the auditor’s through inquiry from management and others. However, the auditor may also obtain information, or a differentperspective in identifying risks of material misstatement, through inquiries of others within the entity and other employees with different levels of authority.
(b) Analytical procedures: Analytical procedures may help identify the existence of unusual transactions or events, and amounts, ratios, and trends that might indicate matters that have audit implications.
(c) Observation and inspection: Observation and inspection may support inquiries of management and others, and may also provide information about the entity and its environment.

Question 16.
Obtaining an understanding of the entity and its environment, including the entity’s internal control, is a continuous, dynamic process of gathering, updating and analysing information throughout the audit. Analyse and explain giving examples. [RTP-May 20]
Answer:
Understanding of the Entity – a continuous process:
Obtaining an understanding of the entity and its environment, including the entity’s internal control, is a continuous, dynamic process of gathering, updating and analysing information throughout the audit. The understanding establishes a frame of reference within which the auditor plans the audit and exercises professional judgment throughout the audit, for example, when:

Assessing risks of material misstatement of the financial statements;
Determining materiality in accordance with SA 320;
Considering the appropriateness of the selection and application of accounting policies;
Identifying areas where special audit consideration may be necessary, for example, related party transactions, the appropriateness of management’s use of the going concern assumption, or considering the business purpose of transactions;
Developing expectations for use when performing analytical procedures;
Evaluating the sufficiency and appropriateness of audit evidence obtained, such as the appropriateness of assumptions and of management’s oral and written representations.

Question 17.
The auditor may exercise his judgment to identify which risks are significant risks. Explain the above in the context of SA 315. [May 15 (6 Marks)]
Or
As part of the risk assessment, the auditor shall determine whether any of the risks identified are, in the auditor’s judgment, a significant risk.
In exercising judgment as to which risks are significant risks, state the factors which shall be considered by the auditor.
Explain the above in context of SA-315. [RTP-May 18]
Answer:
Identification of significant risks:
As per SA 315 “Identifying and Assessing Risk of Material Misstatements through understanding the Entity and its Environment” the auditor shall determine whether any of the risks identified are, in the auditor’s judgment, a significant risk. In exercising this judgment, the auditor shall exclude the effects of identified controls related to the risk.

In exercising judgment as to which risks are significant risks, the auditor shall consider the following:

Whether the risk is a risk of fraud;
Whether the risk is related to recent significant economic, accounting, or other developments;
The complexity of transactions;
Whether the risk involves significant transactions with related parties;
The degree of subjectivity in the measurement of financial information; and
Whether the risk involves significant unusual transactions.

Question 18.
Name the assertions for the following audit procedures:
1. Year-end inventory verification.
2. Depreciation has been properly charged on all assets.
3. The title deeds of the lands disclosed in the balance sheet are held in the name of the company.
4. All liabilities are properly recorded in the financial statements.
5. Related party transactions are shown properly. [May 18 (5 Marks)]
Answer:
Name of Assertions for different audit procedures:
1. Existence and Condition
2. Allocation and Valuation
3. Ownership and Rights and obligations
4. Completeness
5. Presentation and Disclosure

Question 19.
State assertions that are implied in the extract of financial statement given below:

	(₹)	(₹)
Plant & Machinery (at Cost)		4,00,000
Less: Depreciation:
Up to Previous year	1,40,000
For the year	26,000	1,66,000
		2,34,000

(i) Indicate assertions in respect of transactions and events for the period relating to Fixed Assets.
(ii) State specific assertions relating to the above extract of financial statement. [MTP-April 19]
Answer:
(i) Assertions in respect of transactions and events for the period:
While making control risk assessments, auditor shall consider the followings:

The control environment’s influence over internal control. A control environment that supports the prevention, and detection and correction, of material misstatements allows greater confidence in the reliability of internal control and audit evidence generated within the entity. However, it does not guarantee the effectiveness of specific controls.
Evaluations of the related IT processes that support application and IT-dependent manual controls.
Testing approach over significant class of transactions and disclosure processes.
Expectation of the operating effectiveness of controls based on the understanding of entity’s processes.

(ii) Specific assertions:

the firm owns the plant and machinery;
the historical cost of plant and machinery is ₹ 4 lacs;
the plant and machinery physically exist;
the asset is being utilised in the business of the company productively;
total charge of depreciation on this asset is ₹ 1,66,000 to date on which ₹ 26,000 relates to the year in respect of which the accounts are drawn up; and
the amount of depreciation has been calculated on recognised basis and the calculation is correct.

Question 20.
The risks of material misstatement may exist at the financial statement level and assertion level. Explain the two levels. [RTP-Nov. 20]
Answer:
Risk of Material Misstatement:
The risks of material misstatement may exist at two levels:
(i) The overall financial statement level: Risks of material misstatement at the overall financial statement level refer to risks of material misstatement that relate pervasively to the financial statements as a whole and potentially affect many assertions.
(ii) The assertion level for classes of transactions, account balances, and disclosures: Risks of material misstatement at the assertion level are assessed in order to determine the nature, timing, and extent of further audit procedures necessary to obtain sufficient appropriate audit evidence. This evidence enables the auditor to express an opinion on the financial statements at an acceptably low level of audit risk.

Question 21.
Much of the information obtained by the auditor’s inquiries is obtained from management and those responsible for financial reporting. However, the auditor may also obtain information, or a different perspective in identifying risks of material misstatement, through inquiries of others within the entity and other employees with different levels of authority.
Explain with the help of examples. [RTP-Nov. 20]
Answer:
Inquiries of management, and of others within the entity:
Much of the information is obtained by the auditor’s through inquiry from management and others. However, the auditor may also obtain information, or a different perspective in identifying risks of material misstatement, through inquiries of others within the entity and other employees with different levels of authority.

For example:
1. Inquiries directed towards TCWG may help the auditor understand the environment in which the financial statements are prepared.
2. Inquiries directed toward internal audit personnel may provide information about internal audit procedures performed during the year relating to the design and effectiveness of the entity’s internal control and whether management has satisfactorily responded to findings from those procedures.
3. Inquiries of employees involved in initiating, processing or recording complex or unusual transactions may help the auditor to evaluate the appropriateness of the selection and application of certain accounting policies.
4. Inquiries directed toward in-house legal counsel may provide information about such matters as litigation, compliance with laws and regulations, knowledge of fraud or suspected fraud affecting the entity.
5. Inquiries directed towards marketing or sales personnel may provide information about changes in the entity’s marketing strategies, sales trends, or contractual arrangements with its customers.

Question 22.
Analytical procedures performed as risk assessment procedures may identify aspects of the entity of which the auditor was unaware and may assist in assessing the risks of material misstatement in order to provide a basis for designing and implementing responses to the assessed risks. Explain in detail. [RTP-Nov. 20]
Answer:
Use of Analytical Procedures as Risk Assessment Procedures:

Analytical procedures performed as risk assessment procedures may identify aspects of the entity of which the auditor was unaware and may assist in assessing the risks of material misstatement in order to provide a basis for designing and implementing responses to the assessed risks. Analytical procedures performed as risk assessment procedures may include both financial and non-financial information, for example, the relationship between sales and square footage of selling space or volume of goods sold.
Analytical procedures may help identify the existence of unusual transactions or events, and amounts, ratios, and trends that might indicate matters that have audit implications.
Unusual or unexpected relationships that are identified may assist the auditor in identifying risks of material misstatement, especially risks of material misstatement due to fraud.
However, when such analytical procedures use data aggregated at a high level, the results of those analytical procedures only provide a broad initial indication about whether a material misstatement may exist. Accordingly, in such cases, consideration of other information that has been gathered when identifying the risks of material misstatement together with the results of such analytical procedures may assist the auditor in understanding and evaluating the results of the analytical procedures.

Question 23.
Explain the concept of Internal Control. Also state the objectives of internal Control.
Answer:
Internal Control:
SA 315 “Identifying and Assessing the Risk of Material Misstatement through Understanding the Entity and its environment” defines internal control as the process designed, implemented and maintained by TCWG, management and other personnel to provide reasonable assurance about the achievement of an entity’s objectives with regard to

reliability of financial reporting,
effectiveness and efficiency of operations,
safeguarding of assets, and
compliance with applicable laws and regulations.

Objectives of Internal Control:
(a) Transactions are executed in accordance with managements general or specific authorization;
(b) All transactions are promptly recorded in the correct amount in the appropriate accounts and in the accounting period in which executed so as to permit preparation of financial information within a framework of recognized accounting policies and practices and relevant statutory requirements, if any, and to maintain accountability for assets;
(c) Assets are safeguarded from unauthorised access, use or disposition; and
(d) The recorded assets are compared with the existing assets at reasonable intervals and appropriate action is taken with regard to any differences.

Question 24.
Internal control over safeguarding of assets against unauthorised acquisition, use, or disposition may include controls relating to both financial reporting and operations objectives. Explain stating clearly the objectives of Internal Control. [RTP-May 20]
Answer:
Internal Control over safeguarding of assets:
Internal control over safeguarding of assets against unauthorised acquisition, use, or disposition may include controls relating to both financial reporting and operations objectives. The auditor’s consideration of such controls is generally limited to those relevant to the reliability of financial j reporting. For example, use of access controls, such as passwords, that limit access to the data and programs that process cash disbursements maybe relevant to a financial statement audit. Conversely safeguarding controls relating to operations objectives, such as controls to prevent the excessive use of materials in production, generally are not relevant to a financial statement audit.

Question 25.
Explain inherent limitations of Internal control system. [Nov. 13 (8 Marks), May 15 (5 Marks)]
Or
Internal Control System can provide only reasonable but not absolute assurance that its objective relating to prevention and detection of errors/frauds, safeguarding of assets etc., are achieved. Briefly explain the inherent limitations that the system suffers.
Or
Briefly discuss the limitations of internal control. [May 18 (6 Marks), MTP-April 19]
Answer:
Inherent Limitations of Internal Control:
(a) Management’s consideration that a control should be cost-effective.
(b) The fact that the most controls do not tend to be directed at transactions of unusual nature,
(c) Potential for human error.
(d) Possibility of circumvention of controls through collusion with parties outside the entity or with employees of entity.
(e) Possibility that a person responsible for exercising control could abuse that authority.
(f) Possibility that procedures may become inadequate due to changes in conditions and compliance with procedures may deteriorate.
(g) Manipulations by management with respect to transactions or estimates and judgments required in the preparation of financial statements.

Question 26.
What is Internal Control. Explain various components of internal control.
Or
The division of internal control into five components provides a useful framework for auditors to consider how different aspects of an entity’s internal control may affect the audit. Mention those components of internal control. [MTP-Oct. 20]
Answer:
Meaning of internal control:
Internal Control may be defined as the process designed, implemented and maintained by TCWG, management and other personnel to provide reasonable assurance about the achievement of an entity’s objectives with regard to:

reliability of financial reporting,
effectiveness and efficiency of operations,
safeguarding of assets, and
compliance with applicable laws and regulations.

Components of internal control: It includes the followings:
(a) Control Environment: The control environment includes the governance and management functions and the attitudes, awareness, and actions of those charged with governance and management concerning the entity’s internal control and its importance in the entity. The control environment sets the tone of an organization, influencing the control consciousness of its people.

(b) Risk Assessment Process: The entity’s risk assessment process forms the basis for how management determines the risks to be managed. If that process is appropriate to the circumstances, including the nature, size and complexity of the entity, it assists the auditor in identifying risks of material misstatement. Whether the entity’s risk assessment process is appropriate to the circumstances is a matter of judgment.

(c) Information System: The information system relevant to financial reporting objectives, which includes the accounting system, consists ofthe procedures and records designed and established to:

Initiate, record, process, and report entity transactions;
Resolve incorrect processing of transactions;
Process and account for system overrides or bypasses to controls;
Transfer information from transaction processing systems to the general ledger;
Capture information relevant to financial reporting for events and conditions other than transactions, such as the depreciation and amortisation of assets; and
Ensure information required to be disclosed by the applicable FRF is accumulated, recorded, processed, summarized and appropriately reported in the F.S.

(d) Control Activities relevant to Audit: Control activities are the policies and procedures that help ensure that management directives are carried out. Control activities, whether within IT or manual systems, have various objectives and are applied at various organisational and functional levels.

(e) Monitoring of Controls: Monitoring of controls is a process to assess the effectiveness of internal control performance over time. It involves assessing the effectiveness of controls on a timely basis and taking necessary corrective actions.

Question 27.
“The auditor shall obtain an understanding of the control environment” Explain stating what is included in control environment.
Or
The auditor of XYZ Ltd, engaged in FMCG (Fast Moving Consumable Goods) obtains an understanding of the control environment. As part of obtaining this understanding, the auditor evaluates whether:
(i) Management has created and maintained a culture of honesty and ethical behaviour; and
(ii) The strengths in the control environment elements collectively provide an appropriate foundation for the other components of internal control.
Advise what is included in control environment. Also explain the elements of control environment. [MTP-March 18, RTP-May 18, MTP-Aug. 18, March 19, May 20 JITP – Nov. 19]
Answer:
Elements of Control Environment:
The control environment includes

the governance and management functions and
the attitudes, awareness, and actions of those charged with governance and management concerning the entity’s internal control and its importance in the entity.

The control environment sets the tone of an organization, influencing the control consciousness of its people.
Control environment includes the following elements:
(1) Communication and enforcement of integrity and ethical values: These are essential elements that influence the effectiveness of the design, administration and monitoring of controls.

(2) Commitment to competence: Matters such as management’s consideration of the competence levels for particular jobs and how those levels translate into requisite skills and knowledge.

(3) Participation by those charged with governance: Attributes ofthose charged with governance such as:

Their independence from management.
Their experience and stature.
The extent of their involvement and the information they receive, and the scrutiny of activities.
The appropriateness of their actions, including the degree to which difficult questions are raised and pursued with management, and their interaction with internal and external auditors.

(4) Management’s philosophy and operating style: Characteristics such as management’s:

Approach to taking and managing business risks.
Attitudes and actions toward financial reporting.
Attitudes toward information processing and accounting functions and personnel.

(5) Organisational structure: The framework within which an entity’s activities for achieving its objectives are planned, executed, controlled, and reviewed.

(6) Assignment of authority and responsibility: Matters such as how authority and responsibility for operating activities are assigned and how reporting relationships and authorisation hierarchies are established.

(7) Human resource policies and practices: Policies and practices that relate to, for example, recruitment, orientation, training, evaluation, counselling, promotion, compensation, and remedial actions.

Question 28.
“The auditor shall obtain an understanding of the major activities that the entity uses to monitor internal control over financial reporting” Explain.
Or
The auditor shall obtain an understanding of major activities that the entity uses to monitor internal control over financial reporting.
Discuss “Monitoring of control” as a component of Internal control. [Nov. 20 (4 Marks)]
Answer:
Monitoring of controls:
Auditor shall obtain an understanding of the major activities that the entity uses to monitor internal
control over financial reporting. Following point merit consideration in this regard:
(a) Monitoring of controls is a process to assess the effectiveness of internal control performance over time.
(b) It involves assessing the effectiveness of controls on a timely basis and taking necessary corrective actions.
(c) Management accomplishes monitoring of controls through ongoing activities, separate evaluations, or a combination of the two. Ongoing monitoring activities are often built into the normal recurring activities of an entity and include regular management and supervisory activities.
(d) Management’s monitoring activities may also include using information from communications from external parties such as customer complaints and regulator comments that may indicate problems or highlight areas in need of improvement.
(e) Management’s monitoring of control is often accomplished by management’s or the owner-manager’s close involvement in operations.

Question 29.
Write a short note on: Narrative record. [Nov. 17 (4 Marks)]
Answer:
Narrative record:
It is a complete and exhaustive description of the system as found in operation by the auditor. Actual testing and observation are necessary before such a record can be developed.
It may be recommended in cases where no formal control system in operation and would be more suited to small business.

Disadvantages of narrative records are:

To comprehend the system in operation is quite difficult.
To identify weaknesses or gaps in the system
To incorporate changes arising on account of reshuffling of manpower, etc.

Question 30.
What is check list? Give few examples of check list instruction.
Answer:
Check List:
Check List is a series of instructions and/or questions which a member of the auditing staff must follow and/or answer. This is an on the job requirement and instructions are framed having regard to the desirable elements of control.
A few examples of check list instructions are:

Are tenders invited before placing orders?
Is the purchase order from standardized?
Are purchase order forms pre-numbered?
Are inventory control accounts maintained by appropriate persons?

Question 31.
Explain briefly technique of “Internal Control Questionnaire” to facilitate the accumulation of information necessary for proper evaluation of internal control. [Nov. 10 (4 Marks)]
Or
Write short note on: Internal Control Questionnaire. [May 13 (4 Marks)]
Answer:
Internal Control Questionnaire:
It is a set of questions designed to provide a thorough view of the state of internal control in an organisation.
The questions are generally prepared in sections of distinct control areas like: purchase and creditors, sales & debtors, inventories, cash & bank, etc.

Evaluation through internal control questionnaire now forms an important part of any properly organised audit with the following purposes:

Identification of weaknesses in the internal control system
Selection of samples in rational manner.
Suitable modifications in audit programmes.

Question 32.
Write short note on: Use of Flow Charts in evaluation of internal Control. [Nov. 13, May 16 (4 Marks)]
Or
A Flow Chart is a graphic presentation of each part of the company’s system of internal control. Explain elaborating each and every aspect about flow chart. [RTP-Nov. 18]
Answer:
Uses of flow charts in evaluation of internal control:
Flowchart is a graphic presentation of internal controls in the organisation and is normally drawn up to show the controls in each section or sub-section. It provides the most concise and comprehensive way for reviewing the internal controls and the evaluator’s findings.

A flow chart is a diagram full with lines and symbols and if judicious use of them can be made, it is probably an effective way of presenting the state of internal controls in the client’s organisation. A properly drawn up flow chart can provide a neat visual picture of the whole activities of the section or department involving flow of documents and activities.

More specifically it can show –

at what point a document is raised internally or received from external sources;
the number of copies in which a document is raised or received;
the intermediate stages set sequentially through which the document and the activity pass;
distribution of the documents to various sections, department or operations;
checking authorisation and matching at relevant stages;
filing of the documents; and
final disposal by sending out or destruction.

Question 33.
Why tests of controls are performed? Also explain what does they include. [Nov. 15 (4 Marks)]
Answer:
Tests of controls:
After assimilating internal control system, the auditor needs to examine whether and how far the same is actually in operation. For this purpose, auditor may perform tests of control. Tests of control are performed to obtain audit evidence about the effectiveness of the:

design of the accounting and internal control systems, that is, whether they are suitably designed to prevent or detect and correct material misstatements; and
operation of the internal controls throughout the period.
Based on the results of the tests of control, the auditor should evaluate whether the internal controls are designed and operating as contemplated in the preliminary assessment of control risk.

Tests of control may include:
(a) Inspection of documents supporting transactions and other events to gain audit evidence that internal controls have operated properly.
(b) Inquiries about and observation of internal controls which leave no audit trail.
(c) Re-performance of internal controls.
(d) Testing of internal controls operating on specific computerized applications.

Question 34.
It has been suggested thatactual operation of the internal control should be tested by the application of procedural tests and examination in depth. Explain with the help of example in respect of the procedure for sales. [RTP-May 20J
Answer:
Testing of Internal Control System:
It has been suggested that actual operation of the internal control should be tested by the application of procedural tests and examination in depth. Procedural tests simply mean testing of the compliance with the procedures laid down by the management in respect of initiation, authorisation, recording and documentation of transaction at each stage through which it flows.

For example, the procedure for sales requires the following:
1. Before acceptance of any order the position of inventory of the relevant article should be known to ascertain whether the order can be executed in time.
2. An advice under the authorisation of the sales manager should be sent to the party placing the order, internal reference number, and the acceptance of the order. This advice should be prepared on a standardised form and copy thereof should be forwarded to inventory section to enable it to prepare for the execution of the order in time.
3. The credit period allowed to the party should be the normal credit period. For any special credit period a special authorisation of the sales manager would be necessary.
4. The rate at which the order has been accepted and other terms about transport, insurance, etc., should be clearly specified.
5. Before deciding upon the credit period, a reference should be made to the credit department to know the creditworthiness of the party and particularly whether the party has honoured its commitments in the past.

Question 35.
“A satisfactory control environment may help reduce the risk of fraud but is not an absolute deterrent for fraud”. Explain. [May 17 (5 Marks), RTP-May 18]
Or
The existence of a satisfactory control environment can be a positive factor when the auditor assesses the risks of material misstatement. Analyse and explain. [RTP-May 19]
Answer:
Impact of satisfactory control environment:

The existence of a satisfactory control environment work as a positive factor when the auditor assesses the RMM.
But at the same time, it is to be kept in mind that a satisfactory control environment is not an absolute deterrent to fraud. Deficiencies in the control environment may undermine the effectiveness of controls, in particular in relation to fraud.
As per SA 330, the control environment also influences the nature, timing, and extent of the auditor’s further procedures.
The control environment initself does notprevent, or detectand correct, a material misstatement. It may, however, influence the auditor’s evaluation of the effectiveness of other controls (for example, the monitoring of controls and the operation of specific control activities) and thereby, the auditor’s assessment of the risks of material misstatement.

Question 36.
So far as the auditor is concerned, the examination and evaluation of the internal control system is an indispensable part of the overall audit programme. The auditor needs reasonable assurance that the accounting system is adequate and that all the accounting information which should be recorded has in fact been recorded. Internal control normally contributes to such assurance. Explain stating clearly the benefits of evaluation of internal control to the auditor. [RTP-May 19]
Answer:
Benefits of Evaluation of Internal Control to Auditor:
The review of internal controls will enable the auditor to know:

whether errors and frauds are likely to be located in the ordinary course of operations of the business;
whether an adequate internal control system is in use and operating as planned by the management;
whether an effective internal auditing department is operating;
whether any administrative control has a bearing on his work (for example, if the control over worker recruitment and enrolment is weak, there is a likelihood of dummy names being included in the wages sheet and this is relevant for the auditor];
whether the controls adequately safeguard the assets;
how far and how adequately the management is discharging its function in so far as correct recording of transactions is concerned;
how reliable the reports, records and the certificates to the management can be;
the extent and the depth of the examination that he needs to carry out in the different areas of accounting;
what would be appropriate audit technique and the audit procedure in the given circumstances;
what are the areas where control is weak and where it is excessive; and
whether some worthwhile suggestions can be given to improve the control system.

Question 37.
While obtaining audit evidence about the effective operation of internal controls, the auditor considers how they were applied, the consistency with which they were applied during the period and by whom they were applied. The concept of effective operation recognises that some deviations may have occurred. Analyse and Explain. [RTP-Nov. 18]
Or
Based on the results of the tests of control, the auditor should evaluate whether the internal controls are designed and operating as contemplated in the preliminary assessment of control risk. Analyse and Explain. [RTP-Nov. 19]
Answer:
Deviations from internal controls:
As per SA 330 “Responses to Assessed Risks”, while obtaining audit evidence about the effective operation of internal controls, the auditor considers how they were applied, the consistency with which they were applied during the period and by whom they were applied. The concept of effective operation recognises that some deviations may have occurred.

Deviations from prescribed controls may be caused by such factors as

changes in key personnel,
significant seasonal fluctuations in volume of transactions and
human error.

When deviations are detected the auditor makes specific inquiries regarding these matters, particularly, the timing of staff changes in key internal control functions. The auditor then ensures that the tests of control appropriately cover such a period of change or fluctuation.

Based on the results of the tests of control, the auditor should evaluate whether the internal controls are designed and operating as contemplated in the preliminary assessment of control risk.
The evaluation of deviations may result in the auditor concluding that the assessed level of control risk needs to be revised. In such cases, the auditor would modify the nature, timing and extent of planned substantive procedures.
Before the conclusion of the audit, based on the results of substantive procedures and other audit evidence obtained by the auditor, the auditor should consider whether the assessment of control risk is confirmed.
It has been suggested that actual operation of the internal control should be tested by the application of procedural tests and examination in depth. Procedural tests simply mean testing of the compliance with the procedures laid down by the management in respect of initiation, authorisation, recording and documentation of transaction at each stage through which it flows.

Question 38.
The auditor can formulate his entire audit programme only after he has had a satisfactory understanding of the internal control systems and their actual operation. Analyse and explain. [RTP-Nov. 18]
Or
The extent and the nature of the audit programme is substantially influenced by the internal control system in operation. Analyse and explain. [RTP-Nov. 19]
Answer:
Requirement of Understanding of Internal Control to formulate entire audit programme:

The auditor can formulate his entire audit programme only after he has had a satisfactory understanding of the internal control systems and their actual operation. If he does not care to study this aspect, it is very likely that his audit programme may become unwieldy and unnecessarily heavy and the object of the audit may be altogether lost in the mass of entries and vouchers.
Review of the internal control system will provide the auditor enough time to assimilate the controls and implications and will enable him to be more objective in the framing of the audit programme.
Auditor will also be in a position to bring to the notice of the management the weaknesses of the system and to suggest measures for improvement.
A proper understanding of the internal control system in its content and working also enables an auditor to decide upon the appropriate audit procedure to be applied in different areas to be covered in the audit programme.
In a situation where the internal controls are considered weak in some areas, the auditor might choose an auditing procedure or test that otherwise might not be required; he might extend certain tests to cover a large number of transactions or other items than he otherwise would examine and at times he may perform additional tests to bring him the necessary satisfaction.

Question 39.
What are the specific risks related to internal controls in an IT Environment? [May 16 (5 Marks)]
Or
The auditor should understand and consider the risks that may arise from the use of information technology (IT) Systems. [May 18 (4 Marks)]
IT poses specific risks to an entity’s internal control. Explain. [RTP-May 19]
Or
Which are specific risks to the company’s internal control having IT environment? [May 19 (4 Marks)]
Answer:
Risk to internal control imposed by IT:
As per SA 315, “Identifying and Assessing Risk of Material Misstatement through understanding the Entity and its Environment” IT also poses specific risks to an entity’s internal control, including, for example:
(a) Reliance on systems or programs that are inaccurately processing data, processing inaccurate data or both
(b) Unauthorised access to data that may result in destruction of data or improper changes to data, including the recording of unauthorized or non-existent transactions, or inaccurate recording of transactions. Particular risk may arise when multiple users access a common database.
(c) The possibility of IT personnel gaining access beyond those necessary to perform their assigned duties thereby breaking down segregation of duties.
(d) Unauthorised changes to data in Master files.
(e) Unauthorised changes to systems or programs.
(f) Failure to make necessary changes to systems or programs.
(g) In appropriate manual intervention
(h) Potential loss of data or inability to access data as required.

Question 40.
Write short note on: Provisions for applicability of internal audit as per Companies Act, 2013. [May 16 (4 Marks)]
Answer:
Provisions for applicability of internal audit:
As per section 138 of Companies Act, 2013 such class or classes of companies as maybe prescribed shall be required to appoint an internal auditor.
As per Rule 13 of Companies [Accounts) Rules, 2014, following companies must appoint Internal Auditor:
(1) Every listed company;

(2) Every unlisted public company having-

paid up share capital of 50 crore rupees or more during the preceding financial year; or
turnover of 200 crore rupees or more during the preceding financial year; or
outstanding loans or borrowings from banks or public financial institutions exceeding 100 crore rupees or more at any point of time during the preceding financial year; or
outstanding deposits of 25 crore rupees or more at any point of time during the preceding financial year; and

(3) Every private company having-

turnover of 200 crore rupees or more during the preceding financial year; or
outstanding loans or borrowings from banks or public financial institutions exceeding 100 crore rupees or more at any point of time during the preceding financial year.

Question 41.
JKT (P) Ltd. having ₹ 40 lacs paid up capital, ₹ 9.50 crores reserves and turnover of last three consecutive financial years, immediately preceding the financial year under audit, being ₹ 49 crores, ₹ 145 crores and ₹ 260 crores, hut does not have any internal audit system. In view of the management, internal audit system is not mandatory. Comment.
Answer:
Applicability of provisions of internal audit:
As per section 138 of the Companies Act, 2013, read with rule 13 of Companies (Accounts) Rules, 2014 every private company shall be required to appoint an internal auditor or a firm of internal auditors, having

turnover of two hundred crore rupees or more during the preceding financial year; or
outstanding loans or borrowings from banks or public financial institutions exceeding one hundred crore rupees or more at any point of time during the preceding financial year:

In the instant case, JKT (P) Ltd. is having turnover of ₹ 260 crores during the preceding financial year which is more than two hundred crore rupees. Hence, the Company has the statutory liability to appoint an Internal Auditor and mandatorily conduct internal audit.

Question 42.
“MMJ Ltd., an unlisted public company, did not appoint any internal auditor for the financial year ending on 31st March, 2021. The company had paid up capital of ₹ 20 crores and reserves of ₹ 25 crores. Its turnover for the preceding 3 years were ₹ 75 crores for the year ended 31st March, 2020, ₹ 150 crores for March, 2019 and ₹ 190 crores for March, 2018. The company had availed term loan from the bank of ₹ 130 crores. The outstanding balance of the term loan as on 31st March, 2020 is ₹ 90 crores.”
As an auditor of the company, how would you deal with the above? [Nov. 18 (5 Marks)]
Answer:
Applicability of Provisions of Internal Audit:
As per section 138 of the Companies Act, 2013, read with rule 13 of Companies (Accounts) Rules, 2014 every unlisted public company having-

paid up share capital of 50 crore rupees or more during the preceding financial year; or
turnover of 200 crore rupees or more during the preceding financial year; or
outstanding loans or borrowings from banks or public financial institutions exceeding 100 crore rupees or more at any point of time during the preceding financial year; or
outstanding deposits of 25 crore rupees or more at any point of time during the preceding financial year shall be required to appoint an internal auditor or a firm of internal auditors, In the instant case, company is an unlisted public company. Paid up capital of the company is less than ₹ 50 crores. Turnover for the immediate preceding financial year was ₹ 75 crores, which is lower than ₹ 200 Crores. The company had availed term loan from the bank of ₹ 130 crores. The outstanding balance of the term loan as on 31st March, 2020 is ₹ 90 crores.

Conclusion: As the company is having outstanding loan exceeding ? 100 crore at the time when loan was availed during the immediate preceding year, company has the statutory liability to appoint an Internal Auditor and mandatorily conduct internal audit. Statutory Auditor need to state the fact in his report as to non-compliance of Sec. 138

Question 43.
Explain the meaning, objectives and scope of internal audit functions as per SA 610. Also discuss who can be appointed as Internal Auditor? [RTP-May 19]
Answer:
Meaning of Internal Audit Function:
SA 610 “Using the Work of Internal Auditor” internal audit function is a function of an entity that performs assurance & consulting activities designed to evaluate and improve the effectiveness of the entity’s governance, risk management and internal control processes.
Objective and Scope of Internal Audit Function as per SA 610:
The objectives and scope of internal audit functions typically include assurance and consulting activities designed to evaluate and improve the effectiveness of the entity’s governance processes, risk management and internal control.
1. Activities Relating to Governance: Internal audit function may assess the governance process in its accomplishment of objectives on ethics and values, accountability and communicating risk to appropriate areas of the organization.

2. Activities Relating to Risk Management: Internal audit function may assist the entity by identifying and evaluating significant exposures to risk and contributing to the improvement of risk management and internal control (including effectiveness of the financial reporting process).

3. Activities Relating to Internal Control:
(a) Evaluation of internal control: Internal audit function may be assigned specific responsibility for reviewing controls, evaluating their operation and recommending improvements thereto.
(b) Examination of financial and operating information: Internal audit function may be assigned to review the means used to identify, recognize, measure, classify and report financial and operating information, and to make specific inquiry into individual items, including detailed testing of transactions, balances and procedures.
(c) Review of operating activities: The internal audit function may be assigned to review the economy, efficiency and effectiveness of operating activities, including non-financial activities of an entity.
(d) Review of compliance with laws and regulations: Internal audit function may be assigned to review compliance with laws, regulations and other external requirements, and with management policies and directives and other internal requirements.

Persons who can be appointed as internal auditor:
As per Sec. 138 of Companies Act, 2013 read with Rule 13 of Companies (Accounts) Rules, 2014, internal auditor shall either be a chartered accountant (Whether in Practice or not) or a cost accountant, or such other professional as may be decided by the Board to conduct internal audit of the functions and activities of the company. Internal Auditor may or may not be an employee of the company.

Question 44.
Board of Directors of MN Ltd. wants to appoint CA B, a practicing Chartered Accountant, as an internal auditor of the company as they believe that they could not appoint any other person as an internal auditor other than practicing chartered accountant.
Examine the correctness of the statement of Board of Directors of MN Ltd. with respect to provision of Companies Act, 2013. [Nov. 19 (3 Marks)]
Answer:
Eligibility to be appointed as internal auditor:

As per Sec. 138 ofthe Companies Act, 2013, internal auditor shall either be a chartered accountant (Whether in Practice or not) or a cost accountant, or such other professional as may be decided by the Board to conduct internal audit of the functions and activities of the company.
Internal Auditor may or may not be an employee of the company.
Hence, the statements that Board of Directors of MN Ltd. wants to appoint CA B, a practicing Chartered Accountant, as an internal auditor of the company as they believe that they could not appoint any other person as an internal auditor other than practicing chartered accountant, is not correct.

Question 45.
Write a short note on: Meaning of internal financial control and auditor’s responsibilities thereon.
Answer:
Meaning of internal financial control:
Sec. 134(5)(e) of Companies Act, 2013 defines the term Internal Financial Control as the policies and procedures adopted by the company for ensuring the orderly and efficient conduct of its business, including

adherence to company’s policies,
the safeguarding of its assets,
the prevention and detection of frauds and errors,
the accuracy and completeness of the accounting records, and
the timely preparation of reliable financial information.

Rule 8(5)(v/z7) of the Companies (Accounts] Rules, 2014 requires that the director’s report should contain details in respect of adequacy of internal financial controls with reference to the financial reporting.
Auditor’s Responsibilities w.r.t. Internal Financial Control:
Clause (/) of Sec. 143(3) of Companies Act, 2013 requires the company auditor to report whether the company has adequate internal financial controls with reference to financial statements in place and the operating effectiveness of such controls.
Auditor is required to express an opinion on the effectiveness of the company’s internal financial controls over financial reporting. It is carried out along with an audit of the financial statements.

Question 46.
Auditor’s reporting on internal financial controls is a requirement specified in the Act and, therefore, will apply only in case of reporting on financial statements prepared under the Act and reported under section 143. Explain stating clearly the auditor’s responsibility for reporting on internal financial controls over financial reporting. [RTP-Nov. 18]
Answer:
Auditors’ Responsibility for Reporting on Internal Financial Controls over Financial Reporting in India
Sec. 143(3)(z) of the Companies Act, 2013 requires the auditors’ report to state whether the company has adequate internal financial controls with reference to financial statements in place and the operating effectiveness of such controls.

It may be noted that auditor’s reporting on internal financial controls is a requirement specified in the Act and, therefore, will apply only in case of reporting on financial statements prepared under the Act and reported under section 143. Accordingly, reporting on internal financial controls will not be applicable with respect to interim financial statements, such as quarterly or half-yearly financial statements, unless such reporting is required under any other law or regulation.

Objectives of an auditor in an audit of internal financial controls over financial reporting: The auditor’s objective in an audit of internal financial controls over financial reporting is, “to express an opinion on the effectiveness of the company’s internal financial controls over financial reporting.” It is carried out along with an audit of the financial statements.

Objective Type Questions (True/False, Correct/Incorrect)

Question 1.
SA 315 has a purpose to establish standards to form procedures to be followed to have an understanding of the entity and its environment.
Answer:
Statement is True. SA 315 ”Identifying and Assessing the Risk of Material Misstatements through Understanding the Entity and its Environment” deals with the auditor’s responsibility to identify and assess the risks of material misstatement in the financial statements, through understanding the entity and its environment, including the entity’s internal control.

Question 2.
The scope of work of an internal auditor may extend even beyond the financial accounting. [MTP-Oct. 19]
Answer:
Statement is correct.
As per SA 610 “Using the Work of Internal Auditor” the scope of internal audit function may include:

Monitoring of internal control
Examination of financial & operating information
Review of operating activities
Review of compliance with laws & regulations
Risk management
Governance

Question 3.
Risk of material misstatement may be defined as the risk that the financial statements are materially misstated subsequent to audit.
Answer:
Statement is incorrect.

Risk of material misstatements is the risk that the financial statements may be materially misstated prior to audit.
It consists of two components – Inherent risk and control risk.

Question 4.
Internal control can provide absolute assurance.
Answer:
Statement is incorrect.
Internal control can provide only reasonable but not absolute assurance that its objective relating to prevention and detection of errors/frauds, safeguarding of assets etc., are achieved. This is because it suffers from some inherent limitations.

Question 5.
Inherent and control risk, and detection risk have same meaning. [Nov. 13 (2 Marks)]
Answer:
Statement is incorrect.

Inherent and control risk constitutes risk of material misstatements which occurs when related internal controls do not exists or when exists, are ineffective.
Detection risk occurs due to nature of test checking procedures followed by the auditor while carrying out the audit.

Question 6.
“Maintenance of internal control system is responsibility of auditor. [May 14 (2 Marks)]
Answer:
Statement is incorrect.

Maintenance of internal control system is the responsibility of the management.
Auditor evaluates the internal control system for the purpose of determining nature, timing & extent of audit procedures.

Question 7.
As per section 138 of the Companies Act, 2013 private companies are not required to appoint internal auditors. [May 15(2 Marks)]
Answer:
Statement is incorrect.
As per Rule 13 of Companies (Accounts) Rules, 2014, every private company having turnover of ₹ 200 Cr. or more during the preceding financial year; or outstanding loans or borrowings from banks or public financial institutions exceeding ₹ 100 Cr. or more at any point of time during the preceding financial year must appoint internal auditor.

Question 8.
Internal control questionnaires are a good source of identifying weakness in internal control system. [May 16 (2 Marks)]
Answer:
Statement is correct.

Internal control questionnaire is a set of questions designed to provide a thorough view of the state of internal control in an organisation.
Evaluation through internal control questionnaire now forms an important part of any properly organised audit with the purpose of identification of weaknesses in the internal control system.

Question 9.
The use of computer facilities by a small enterprise may increase the control risk.
Answer:
Statement is correct.
The use of computer facilities by a small entity may have the effect of increasing control risk. For example, it is common for users to be able to perform two or more of the following functions in the accounting system:

Initiating and authorizing source documents.
Entering data into the system.
Operating the computer.
Changing programs and data files.
Using or distributing output.
Modifying the operating systems.

Question 10.
There is no relation between inherent risk, control risk and detection risk. [Nov. 17 (2 Marks), MTP-Oct. 19]
Answer:
Statement is incorrect.

Inherent risk and control risk are collectively known as risk of material misstatements.
There is an inverse relationship between detection risk and the combined level of inherent and control risks.

When inherent and control risks are high, acceptable detection risk needs to be low to reduce audit risk to an acceptably low level. When inherent and control risks are low, an auditor can accept a higher detection risk and still reduce audit risk to an acceptably low level.

Question 11.
The assessment of risks is a matter capable of precise measurement. [MTP-March 18, March 19, RTP – Nov. 19]
Answer:
Statement is incorrect.

The assessment of risks is based on audit procedures to obtain information necessary for that purpose and evidence obtained throughout the audit.
It is a matter of professional judgment, rather than a matter capable of precise measurement.

Question 12.
Control risk is the susceptibility of an account balance or class of transactions to misstatement that could be material either individually or, when aggregated with misstatements in other balances or classes, assuming that there were no related internal controls. [RTP-May 18]
Answer:
Statement is incorrect.
Susceptibility of an account balance or class of transactions to misstatement that could be material either individually or, when aggregated with misstatements in other balances or classes, assuming that there were no related internal controls is known as Inherent Risk.

Question 13.
The term “internal audit” is defined as the “checks on day to day transactions which operate continuously as part of the routine system whereby the work of one person is proved independently or is complementary to the work of another, the object being the prevention or early detection of errors or fraud”. [RTP-May 18]
Answer:
Statement is incorrect.

Scope of Standards on Internal Audit, defines the term internal audit as an independent management function, which involves a continuous and critical appraisal of the functioning of an entity with a view to suggest improvements thereto and add value to and strengthen the overall governance mechanism of the entity, including the entity’s strategic risk management and internal control system.
Checks on day to day transactions which operate continuously as part of the routine system whereby the work of one person is proved independently or is complementary to the work of another, the object being the prevention or early detection of errors or fraud is known as internal check.

Question 14.
Few members of the Board of Directors oppose the appointment of Mr. N, an employee of the company, as an Internal Auditor, stating that Mr. N, is not a Chartered Accountant and further he is an employee of the company [May 18 (2 Marks), MTP April 19]
Answer:
Statement is incorrect.

As per Sec. 138 of Companies Act, 2013 read with Rule 13 of Companies (Accounts) Rules, 2014, Internal Auditor shall either be a chartered accountant (Whether in Practice or not) or a cost accountant, or such other professional as may be decided by the Board to conduct internal audit of the functions and activities of the company.
Internal Auditor may or may not be an employee of the company.

Question 15.
Inquiry alone is sufficient to test the operating effectiveness of controls. [May 18 (2 Marks)]
Answer:
Statement is incorrect.
Operating effectiveness of internal controls may be tested through the following:
(a) Inspection of documents supporting transactions and other events to gain audit evidence that internal controls have operated properly.
(h) Inquiries about and observation of internal controls which leave no audit trail.
(c) Re-performance of internal controls.
(d) Testing of internal controls operating on specific computerised applications.

Question 16.
The assessment of risks is a matter of professional judgment.
Answer:
Statement is correct.

The assessment of risks is a matter of professional judgment, rather than a matter capable of precise measurement.
The assessment of risks is based on audit procedures to obtain information necessary for that purpose and evidence obtained throughout the audit.

Question 17.
When the auditor has determined that an assessed risk of material misstatement at the assertion level is a significant risk, the auditor shall not perform substantive procedures that are specifically responsive to that risk. [RTP-May 19]
Answer:
Statement is incorrect.

When the auditor has determined that an assessed risk of material misstatement at the assertion level is a significant risk, the auditor shall perform substantive procedures that are specifically responsive to that risk.
When the approach to a significant risk consists only of substantive procedures, those procedures shall include tests of details.

Question 18.
The SAs ordinarily refer to inherent risk and control risk separately. [RTP-May 19]
Answer:
Statement is incorrect.

The SAs do not ordinarily refer to inherent risk and control risk separately, but rather to a combined assessment of the “risks of material misstatement”.
However, the auditor may make separate or combined assessments of inherent and control risk depending on preferred audit techniques and practical considerations.

Question 19.
Satisfactory Control environment is not an absolute deterrent to fraud. [May 19 (2 Marks)]
Answer:
Statement is correct.

The existence of a satisfactory control environment work as a positive factor when the auditor assesses the Risk of Material Misstatements.
But at the same time, it is to be kept in mind that a satisfactory control environment is not an absolute deterrent to fraud. Deficiencies in the control environment may undermine the effectiveness of controls, in particular in relation to fraud.

Question 20.
The auditor’s reporting on internal financial control will be applicable with respect to interim financial statements. [Nov. 19 (2 Marks)]
Answer:
Statement is incorrect.

Clause (1) of Sec. 143(3) of Companies Act, 2013 requires the company auditor to report whether the company has adequate internal financial controls with reference to financial statements in place and the operating effectiveness of such controls.
It may be noted that auditor’s reporting on internal financial controls is a requirement specified in the Act and, therefore, will apply only in case of reporting on financial statements prepared under the Act and reported under Section 143.
Accordingly, reporting on internal financial controls will not be applicable with respect to interim financial statements, such as quarterly or half-yearly financial statements, unless such reporting is required under any other law or regulation.

Question 21.
For an auditor, the Risk assessment procedure provides sufficient appropriate audit evidence to base the audit opinion. [Nov. 19 (2 Marks)]
Answer:
Statement is incorrect.

The auditor shall perform risk assessment procedures to provide a basis for the identification and assessment of risks of material misstatement at the financial statement and assertion levels.
Risk assessment procedures by themselves, however, do not provide sufficient appropriate audit evidence on which to base the audit opinion.

Question 22.
Risk assessment procedures are not performed to obtain an understanding of the entity and its environment. [RTP-May 20]
Answer:
Statement is incorrect.
Risk assessment procedures refer to the audit procedures performed to obtain an understanding of the entity and its environment, including the entity’s internal control, to identify and assess the risks of material misstatement, whether due to fraud or error, at the financial statement and assertion levels.

Question 23.
Assertions refer to the representations by the auditor to consider the different types ofthe potential misstatements that may occur. [MTP-Oct. 20]
Answer:
Statement is incorrect.
Assertions refer to representations by management that are embodied in the financial statements as used by the auditor to consider the different types of the potential misstatements that may occur.

Question 24.
One of the directors of Very Fresh Fruits Limited was of the opinion that internal auditor to be appointed must be an employee of Very Fresh Fruits Limited. [MTP-Oct. 20]
Answer:
Statement is incorrect.

As per Sec. 138, the internal auditor shall either be a Chartered Accountant or a Cost Accountant (whether engaged in practice or not), or such other professional as maybe decided by the Board to conduct internal audit of the functions and activities ofthe companies.
The internal auditor may or may not be an employee of the company.

Question 25.
When we are designing audit procedures to address an inherent risk or “what can go wrong”, we consider the nature of the risk of material misstatement. [RTP-Nov. 20]
Answer:
Statement is correct.

When audit procedures are designed to address an inherent risk or “what can go wrong”, auditor consider the nature of the risk of material misstatement in order to determine if a substantive analytical procedure can be used to obtain audit evidence.
When inherent risk is higher, auditor may design tests of details to address the higher inherent risk. When significant risks have been identified, audit evidence obtained solely from substantive analytical procedures is unlikely to be sufficient.

Question 26.
In considering the qualitative aspects of the entity’s accounting practices, the auditor may not become aware of possible bias in management’s judgments. [RTP-Nov. 20]
Answer:
Statement is incorrect.

In considering the qualitative aspects of the entity’s accounting practices, the auditor may become aware of possible bias in management’s judgments.
The auditor may conclude that lack of neutrality together with uncorrected misstatements causes the financial statements to be materially misstated.

Question 27.
Risks of material misstatement may be greater for significant judgmental matters that require the development of accounting estimates. [Nov. 20 (2 Marks)]
Answer:
Statement is correct.
Risks of material misstatement may be greater for significant judgmental matters that require the development of accounting estimates, arising from matters such as the following:

Accounting principles for accounting estimates or revenue recognition maybe subjectto differing interpretation.
Required judgment may be subjective or complex, or require assumptions about the effects of future events, for example, judgment about fair value.

Risk Assessment and Internal Control – CA Inter Auditing Notes

Leave a Comment Cancel Reply