The study of entity’s risk assessment process comprises the risk assessment relating to reliability of financial statements.

(a) What risks have been identified by the management?
(b) Significance of each risk
(c) Likelihood of occurrence
(d) Actions to manage the risks
(e) What risks have not been identified? For example, if the management has not identified the risk that suppliers may be paid for goods not supplied, the auditor should extend substantive procedures in this area.

Examples of circumstances when risks may arise are:

(i) New personnel may not understand operations of internal control (if there is change in staff).
(ii) Repaid growth may result in breakdown of controls.
(iii) New accounting pronouncement may not be applied effectively in initial stages.
(iv) New technology may affect operations of controls.

The understanding of information system involves

(a) Classes of transactions
(b) Procedures by which the transactions are:

– initiated
– recorded
– processed
– reported in financial statements

(c) Related books of accounts and records
(d) Events and conditions other than transactions
(e) Non-standard journal entries for example, consolidation adjustments, sale of scrap, assets disposal, allowance for obsolescence and bad debts.
(f) Accountability of assets, liabilities and records.
(g) Resolve incorrect processing of transactions.
(h) System override and by pass controls
(i) Checklist for presentation and disclosures in accordance with IFRS
G) Measure the value of transactions in accordance with IFRS
(k) Accounting system manuals.


Only those control activities are to be considered that are significant. Also when multiple control activities attain the same objective, the auditor need not consider each of such activities. Example of control activities include:

(a) Authorization
(b) Performance reviews
(c) Information processing
(d) Physical controls

(a) Authorization

All transactions should be approved in accordance with management’s authorization

(b) Performance reviews

– Comparison of actual data with budget
– Comparison of current period with last period
– Comparison of entity’s data with companies in the same industry
– Comparison of financial data with non financ data

(c) Information processing

Control activities relating to information processing include:

– Checking arithmetical accuracy of documents and records
– Control accounts and trial balances
– Comparison of internal data with external data
– Review of reconciliations
– IT controls (refer to paragraph 4.1 of text)

(d) Physical controls

– Comparison of results of cash, inventories and investments with physical records
– Restricting physical access to assets and records.

(e) Segregation of duties

No one person should be involved in all the stages of a transaction.

Following duties should be segregated:
– approval
– recording
– custody of assets


Management is not only responsible for designing and implementing a system of control. It has also a responsibility for maintaining internal control system and monitor on an ongoing basis. Monitoring involves obtaining reasonable assurance that the controls are operating as intended.

Internal audit function is important for regular monitoring of controls.

Discuss the concept of risk assessment at financial statement leveI.
Financial statement assertions.

(a) Risk assessment at financial statement level
Risk assessment at financial statement level has a pervasive effect on financial statements as a whole. Such risks arise from:

(a) Weak control environment
(b) Concerns about the integrity of management
(c) Incompetent management particularly the finance department
(d) Declining business trends
(e) Inability to obtain sufficient and appropriate audit evidences where the accounts are not auditable.

(b) Financial statement assertions
Assertions used by the auditor are:

(a) Assertions about classes of transactions and events for the period under audit:
(i) Occurrence – validity and authorization
(ii) Completeness – all transactions have been recorded
(iii) Accuracy – transactions have been recorded correctly a to amounts
(iv) Cut off – transactions have been recorded correctly as to period.
(v) Classification – transactions have been recorded correctly as to account.

(b) Assertions about account balances at end of period:
(i) Existence – assets, liabilities and equity exist
(ii) Right and obligations – the entity holds or controls right to assets, and liabilities are the obligations of entity.
(iii) Completeness – there are no unrecorded assets, liabilities arid equity.
(iv) Valuation and disclosure – assets,.liabilities and equities are stated at appropriate amounts and any valuation of allocation are appropriately recorded

(c) Assertions about presentation and disclosure:
(i) Occurrence and rights and obligations – disclosed transactions and events have occurred pertain to entity.
(ii) Completeness – all required disclosures have been made.
(iii) Classification and understandability – Financial and other information is appropriately presented and clearly expressed.
(iv) Accuracy and valuation – financial and other information are disclosed fairly at appropriate amounts.

What could be possible risks for completeness assertion of cash sales.

Possible risks that may affect completion assertion of cash sales are:
(a) Cash sales invoices may not be prepared
(b) The data is lost or transferred inaccurately to computer system.
(c) Cash sales are not recorded in cash book and cash is stolen.
(d) Cash sales invoices prepared but cash is not received.

What analytical procedures can be performed to verify completeness of
cash sales.

Multiple number of units sold with unit sales price.
Compare cash sales of current year with last year (after adjustment for price increase).
Compare cash sales with budgeted cash sales.

Explain how the auditor should update his understanding obtained last year relating to internal control system.

1. Review last year’s working paper me.
2. Ascertain the system from client’s system manual.
3. Inquire from client’s staff any changes since previous year.
4. Record changes since previous year.
5. Perform walk-through test selecting a few transactions relating to each class of transactions, till final reporting in financial statements. The ‘objective is to confirm the understanding obtained from inquiry and study of system’s manual.

Why the auditor should obtain understanding of the entity’s business and its environment?

Understanding of the entity’s business and its environment assists the auditor in assessing inherent risk at assertion level and at the level of financial statements as whole.

The assessment of inherent risk along with control risk is useful to determine timing, nature and extent of substantive procedures.

Design a suitable system of internal controls for fixed assets in case of medium size manufacturing company.

1. A long term budget for fixed assets should be prepared in accordance with corporate objectives.
2. The budget should be reviewed for feasibility.
3. Assumptions for computation of internal rate of return, payback period and return on investments should be reviewed.
4. The budget should be approved by Board of Directors.
5. Goods received notes should be raised for acquisition of fixed assets.
6. The non current assets register should be updated.
7. Supplier’s invoice should be approved.
8. Arithmetical accuracy of suppliers’ invoice should be checked.
9. The budget should be updated.
10. The equipment should be tested for proper operation.
11. Physical assets should be regularly compared with records.
12. . Disposals of fixed assets should be checked for authorization.

Why the auditor should obtain understanding of the entity and its environment?

Some of the reasons for obtaining understanding of the entity and its environment are:

a) Assessment of inherent risk
b) Adequate planning is not possible without obtaining understanding of the business.
c) Design and implement audit strategy
d) Knowledge of business will be useful to assess validity of going concern, particularly knowledge of following aspects is useful:

(i) Severe competition
(ii) Heavy dependence on a few customers
(iii) Inadequate working capital
(iv) Frequent industry failures
(v) Overtrading

(e) Approaching the audit from view point of businessmen will be appreciated by the client if the auditor is concerned about the client’s problems. Such approach needs in depth knowledge of the client’s business and the industry in which client is engaged. For example, useful information about latest developments in industry may be provided to client. Also the knowledge of the business is used to assist the client in achieving its objectives of efficient and effective operations.

(f) Knowledge about related parties.
(g) Risk assessment if the company trades through e-commerce.
(h) Unusual fluctuations in trend and ratios may be indicative of material misstatement.
(i) Knowledge of business will enhance understanding of the transactions and their business rationale.

The auditor need not study all internal controls of an entity. Give examples of internal controls relevant to auditor.

Internal control objectives include reliability of financial statement effective and efficient operations and controls over compliance with laws and regulations. The external auditor is concerned only with those controls that aff reliability of financial statements. Moreover, only key controls need studied.

Examples of controls relevant to audit include:

(a) Controls over completeness and accuracy of data
(b) Authorization of transaction
(c) Only valid transactions are recorded
(d) Transactions are recorded correctly as to account, amount period
(e) Safeguarding of assets
(f) Reconciliations
(g) IT controls
(h) Segregation of duties

One of the characteristics of control environment is management philosophy and operating style.

Explain your understanding of “management philosophy and operating style”.

Management philosophy and operating style implies:

– Importance given by management to policies and procedures
– Awareness of management as regards reliability of financial statements
– Management’s approach to business risks.

How the monitoring of internal controls is performed by the client?

1. Internal audit
2. Monthly financial statements
3. Monthly operations reports
4. Management letter issued by external auditors

Explain with example, difference between internal control questionnaire (ICQ) and internal controls evaluation questionnaire (ICEQ).

Innternal control questionnaire is simply a list of question in order to ascertain what controls exist.

Internal control evaluatior questionnaire assists in evaluating whether the systern can prevent, correct and detect material misstatements.


ICO – purchases and payables
Are purchase order issued for all purchases?
ICEO – purchases and payables
Can unauthorized purchases be made?

Discuss internal controls with reference to small entities.

1. Lack of segregation of duties
2. Active involvement of owner / manager
3. Some controls are not established because of cost vs benefit relationship.

Posted on November 3, 2015 in Identifying and Assessing the Risks of Material Misstatement through Understanding the Entity and Its Environment

Share the Story

Back to Top