CHAPTER 5
RISK ASSESSMENTS AND INTERNAL CONTROL
INTERNAL CONTROL
• A framework designed to ensure that the organization's objectives are met effectively and efficiently.
"The process designed, implemented, and maintained by those charged with governance, management and other personnel to provide reasonable assurance about the achievement of the entity's objectives with regard to reliability of financial reporting, effectiveness and efficiency of operations, and compliance with applicable laws and regulations." - COSO
COSO FRAMEWORK
Components of Internal Control
• Control Environment
• Risk Assessment
• Control Activities
• Information and Communication
• Monitoring Activities
CONTROL ENVIRONMENT
• Sets the tone of the organization, influencing the control consciousness of its people.
• It encompasses the integrity, ethical values, and competence of the entity's personnel.
1. Business shows a commitment to integrity and ethical values.
2. Board of Directors shows independence from management and
exercises oversight of the development and performance of internal
controls.
3. Management sets up, with board oversight, structures, reporting lines,
and authorities and responsibilities in the pursuit of objectives.
4. Business shows a commitment to attract, develop, and retain
competent employees in alignment with objectives.
5. Business holds individuals accountable for their internal control
responsibilities in the pursuit of objectives.
RISK ASSESSMENT
• Organizations must identify and analyze relevant risks to achieving their objectives.
• This process helps in understanding the potential events that could impact the organization's ability to achieve its goals.
1. BUSINESS SPECIFIES OBJECTIVES WITH ENOUGH CLARITY TO
ENABLE THE IDENTIFICATION AND ASSESSMENT OF RISKS
RELATING TO OBJECTIVES.
2. BUSINESS IDENTIFIES RISKS TO THE ACHIEVEMENT OF ITS
OBJECTIVES ACROSS THE ENTITY AND ANALYZES RISK AS A
BASIS FOR DETERMINING HOW THE RISKS ARE TO BE
MANAGED.
3. BUSINESS CONSIDERS THE POTENTIAL FOR FRAUD IN ASSESSING
RISKS TO THE ACHIEVEMENT OF OBJECTIVES.
4. BUSINESS IDENTIFIES AND ASSESSES CHANGES THAT COULD
SIGNIFICANTLY IMPACT THE SYSTEM OF INTERNAL CONTROLS.
CONTROL ACTIVITIES
• Specific policies and procedures that organizations implement to mitigate risks and ensure that objectives are achieved.
1. BUSINESS SELECTS AND DEVELOPS CONTROL ACTIVITIES THAT
CONTRIBUTE TO THE MITIGATION OF RISKS TO ACCEPTABLE
LEVELS.
* PERFORMANCE REVIEW
* PHYSICAL CONTROLS
* SEGREGATION OF DUTIES
* INFORMATION PROCESSING CONTROLS
2. BUSINESS SELECTS AND DEVELOPS GENERAL CONTROL
ACTIVITIES OVER TECHNOLOGY TO SUPPORT THE ACHIEVEMENT
OF OBJECTIVES.
3. BUSINESS SETS UP CONTROL ACTIVITIES THROUGH POLICIES
THAT ESTABLISH WHAT IS EXPECTED AND PROCEDURES THAT PUT
POLICIES INTO PLAY.
INFORMATION AND COMMUNICATION
• Ensure that relevant information flows throughout the organization and that stakeholders are informed about their roles and responsibilities in maintaining internal controls.
1. BUSINESS OBTAINS OR GENERATES AND USES RELEVANT, QUALITY INFORMATION TO SUPPORT THE FUNCTIONING OF INTERNAL CONTROLS.
- IDENTIFY & RECORD VALID TRANSACTIONS
- CLASSIFY TRANSACTIONS CORRECTLY
- MEASURE THE VALUE OF TRANSACTIONS CORRECTLY
- RECORD TRANSACTIONS IN THE CORRECT PERIOD
- CORRECTLY PRESENT TRANSACTIONS & DISCLOSURES.
2. BUSINESS COMMUNICATES INFORMATION INTERNALLY.
COMMUNICATION INCLUDES OBJECTIVES AND RESPONSIBILITIES FOR
INTERNAL CONTROL, NEEDED TO SUPPORT THE FUNCTIONING OF
INTERNAL CONTROLS.
3. BUSINESS COMMUNICATES WITH EXTERNAL PARTIES REGARDING
ISSUES AFFECTING THE FUNCTIONING OF INTERNAL CONTROLS.
MONITORING ACTIVITIES
• Essential for ensuring that an organization's internal control system remains effective and responsive to changing conditions.
• These activities involve ongoing assessments and evaluations of the internal control components to ensure they are functioning as intended.
1. BUSINESS SELECTS, DEVELOPS, & PERFORMS ONGOING AND/OR SEPARATE EVALUATIONS TO DETERMINE WHETHER THE COMPONENTS OF INTERNAL CONTROLS ARE INSTALLED AND FUNCTIONING.
2. BUSINESS EVALUATES AND COMMUNICATES INTERNAL CONTROL PROBLEMS IN A TIMELY MANNER TO PARTIES RESPONSIBLE FOR TAKING CORRECTIVE ACTION. PARTIES INCLUDE SENIOR MANAGEMENT AND THE BOARD OF DIRECTORS AS APPROPRIATE.
AUDIT RISK
Audit risk is the risk that an auditor issues an incorrect opinion on the financial statements. Examples of inappropriate audit opinions include the following:
• Issuing an unqualified audit report where a qualification is reasonably justified;
• Issuing a qualified audit opinion where no qualification is necessary;
• Failing to emphasize a significant matter in the audit report.
AUDIT RISK MODEL
AAR = IR x CR x PDR
where AAR = Acceptable Audit Risk, IR = Inherent Risk, CR = Control Risk, PDR = Planned Detection Risk.
TYPES OF AUDIT RISK
Inherent Risk:
The risk involved in the nature of the business / transaction.
For example, transactions involving the exchange of cash may have a higher IR than transactions involving settlement by cheques.
Control Risk:
The risk that a misstatement could occur but may not be prevented, or detected and corrected, by the entity's internal control mechanism.
For example, the control risk assessment may be higher in an entity where separation of duties is not well defined.
Planned Detection Risk:
The probability that the audit procedures may fail to detect the existence of a material error or fraud.
INHERENT RISK
The risk involved because of the:
• Nature of business / transaction (e.g. transactions involving the exchange of cash may have a higher IR than transactions involving settlement by cheques)
• Rapid technological advancement (e.g. inventories)
• Complex calculations, estimates
CONTROL RISK
• The risk that the entity's / client's internal control will not detect a misstatement.
• CR depends on the strength or weakness of the internal control procedures.
DETECTION RISK
• The risk that an auditor will not detect a misstatement.
• DR is either due to sampling error or human factors.
TYPES OF AUDIT RISK
AAR = IR x CR x DR
• IR and CR: company-specific risk, assessed by the auditor; no control by the auditor.
• DR: controlled by the auditor.
• IR x CR = RMM (risk of material misstatement); RMM can be high or low.
SOLVE FOR DETECTION RISK:
AR = IR x CR x DR
DR = AR / (IR x CR)
ANALYTICAL PROCEDURES
• A type of audit procedure that involves evaluating financial information through analysis of plausible relationships among both financial and non-financial data.
• These procedures are used to identify any unusual transactions or trends that may indicate potential misstatements in the financial statements.
PURPOSE OF ANALYTICAL PROCEDURES
• They help auditors gain a better understanding of the client's business and the significant transactions and events that have occurred since the prior audit.
• They are also used to identify areas that may represent specific risks relevant to the audit, including unusual transactions or relationships that warrant further investigation.
TYPES OF ANALYTICAL PROCEDURES
Comparative Analysis
Comparing current financial data with prior periods (e.g., year-over-
year comparisons) or with industry benchmarks to identify trends or
anomalies.
Ratio Analysis
Calculating financial ratios (e.g., gross margin, current ratio) to
assess the financial health and performance of the company.
Ratios can help identify unusual fluctuations or relationships.
STEPS IN PERFORMING ANALYTICAL PROCEDURES
1. Develop Expectations
Based on the auditor's understanding of the business, develop expectations for
account balances or ratios.
2. Compare Expectations to Recorded Amounts
Compare the expectations to the actual recorded amounts in the financial
statements.
3. Investigate Differences
If significant differences arise, investigate the reasons behind these
discrepancies. This may involve discussions with management or further detailed
testing.
4. Document Findings
Document the analytical procedures performed, the expectations developed, and
the conclusions drawn from the analysis.
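The four steps above, carried out in code, as an added example that is not part of the slides: expectations are developed from the prior-year ratios (comparative analysis) and from an industry benchmark (ratio analysis), compared with the recorded current-year ratios, flagged for investigation when the relative difference exceeds a tolerance the auditor sets, and documented as findings. All company figures, the benchmark values and the 10% tolerance are constructed for illustration.

```python
# Added example (not part of the slides): the four analytical-procedure steps
# applied to constructed figures. Every company figure, benchmark and
# tolerance here is made up for illustration.
from dataclasses import dataclass


@dataclass
class Financials:
    """Summary balances for one period (constructed sample data)."""
    revenue: float
    cost_of_sales: float
    current_assets: float
    current_liabilities: float

    def gross_margin(self) -> float:
        # (revenue - cost of sales) / revenue; guard against a zero denominator
        return (self.revenue - self.cost_of_sales) / self.revenue if self.revenue else 0.0

    def current_ratio(self) -> float:
        # current assets / current liabilities; guard against a zero denominator
        return self.current_assets / self.current_liabilities if self.current_liabilities else 0.0


@dataclass
class Finding:
    """Step 4: the documented result for one ratio against one expectation basis."""
    ratio: str
    basis: str
    expected: float
    recorded: float
    relative_difference: float
    investigate: bool
    note: str


RATIOS = ("gross_margin", "current_ratio")

# Constructed sample input: prior year, current year and an industry benchmark.
PRIOR_YEAR = Financials(revenue=1_000_000, cost_of_sales=600_000,
                        current_assets=400_000, current_liabilities=200_000)
CURRENT_YEAR = Financials(revenue=1_100_000, cost_of_sales=560_000,
                          current_assets=420_000, current_liabilities=210_000)
INDUSTRY_BENCHMARK = {"gross_margin": 0.45, "current_ratio": 1.5}


def develop_expectations(prior: Financials, benchmark: dict) -> dict:
    """Step 1: one expectation per ratio and basis.
    Comparative analysis uses the prior-year ratio; ratio analysis uses the benchmark."""
    expectations = {}
    for name in RATIOS:
        expectations[(name, "prior year")] = getattr(prior, name)()
        expectations[(name, "industry benchmark")] = benchmark[name]
    return expectations


def run_analytical_procedures(prior: Financials, current: Financials,
                              benchmark: dict, tolerance: float = 0.10) -> list:
    """Steps 2-4: compare each expectation with the recorded ratio, flag differences
    larger than `tolerance` (a relative threshold the auditor sets) and document them."""
    findings = []
    for (name, basis), expected in develop_expectations(prior, benchmark).items():
        recorded = getattr(current, name)()                      # Step 2
        diff = recorded - expected
        # Relative difference; if nothing was expected, any non-zero recorded value counts as 100%
        relative = abs(diff) / abs(expected) if expected else (1.0 if diff else 0.0)
        investigate = relative > tolerance                        # Step 3
        action = ("exceeds tolerance: obtain an explanation from management and consider detailed testing"
                  if investigate else "within tolerance: no further work")
        note = (f"{name} vs {basis}: expected {expected:.3f}, recorded {recorded:.3f}, "
                f"difference {relative:.1%}; {action}")
        findings.append(Finding(name, basis, expected, recorded, relative, investigate, note))  # Step 4
    return findings


def items_to_investigate(findings: list) -> list:
    """Convenience view: (ratio, basis) pairs that step 3 flagged for follow-up."""
    return [(f.ratio, f.basis) for f in findings if f.investigate]


if __name__ == "__main__":
    for finding in run_analytical_procedures(PRIOR_YEAR, CURRENT_YEAR, INDUSTRY_BENCHMARK):
        print(finding.note)
```

With the constructed figures the gross margin moves from 0.400 to 0.491, which is flagged against the prior year but not against the 0.45 benchmark, while the current ratio is unchanged at 2.0 against the prior year but flagged against the 1.5 benchmark. The point is that the basis of the expectation decides what gets investigated, which is why step 4 records the basis alongside the difference.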
WHEN TO USE ANALYTICAL PROCEDURES
Planning Stage
During the planning phase of the audit to help identify areas of
higher risk and to design an effective audit strategy.
Final Review
At the conclusion of the audit to assess whether the financial
statements are consistent with the auditor's understanding of the
entity.