1. Auditing and Assurance Standard (AAS) 6, “Risk Assessments and Internal Control” establishes standards on the procedures to be followed to obtain an understanding of the accounting and internal control systems and on audit risk and its components: inherent risk, control risk and detection risk. As per this Standard, the auditor should obtain an understanding of the accounting and internal control
systems sufficient to plan the audit and develop an effective audit approach. The auditor should use professional judgement to assess audit risk and to design audit procedures to ensure that it is reduced to an acceptably low level. “Audit risk” means the risk that the auditor gives an inappropriate audit opinion when the financial statements are materially misstated. Audit risk has three components: inherent risk, control risk and detection risk. “Inherent risk” is the susceptibility of an account balance or class of transactions to misstatement that could be material, either individually or when aggregated with misstatements in other balances or classes, assuming that there were no related internal controls. To assess To assess inherent risk, the auditor would use professional judgement to evaluate numerous factors, having regard to his experience of the entity from previous audit engagements of the entity, any controls established by
management to compensate for a high level of inherent risk, and his knowledge of any significant changes which might have taken place since his last assessment. Examples of such factors are:
At the Level of Financial Statements
- The integrity of the management.
- Management’s experience and knowledge and changes in management during the period, for example, the inexperience of management may affect the preparation of the financial statements of the entity.
- Unusual pressures on management, for example, circumstances that might predispose management to misstate the financial statements, such as the industry experiencing a large number of business failures or an entity that lacks sufficient capital to continue operations.
- The nature of the entity’s business, for example, the potential for technological obsolescence of its products and services, the complexity of its capital structure, the significance of related parties and the number of locations and geographical spread of its production facilities.
- Factors affecting the industry in which the entity operates, for example, economic and competitive conditions as indicated by financial trends and ratios, and changes in technology, consumer demand and accounting practices common to the industry.
At the Level of Account Balance and Class of Transactions
- Quality of the accounting system.
- Financial statements are likely to be susceptible to misstatement, for example, accounts which required adjustment in the prior period or which involve a high degree of estimation.
- The complexity of underlying transactions and other events which might require using the work of an expert.
- The degree of judgement involved in determining account balances.
- Susceptibility of assets to loss or misappropriation, for example, assets which are highly desirable and movable such as cash.
- The completion of unusual and complex transactions, particularly, at or near period end.
- Transactions not subjected to ordinary processing.
5. “Control Risk” is the risk that a misstatement, that could occur in an account balance or class of transactions and that could be material, either individually or when aggregated with misstatements in other balances or classes, will not be prevented or detected and corrected on a timely basis by the accounting and internal control systems.
After obtaining an understanding of the accounting system and internal control system, the auditor should make a preliminary assessment of control risk, at the assertion level, for each material account balance or class of transactions.
Preliminary Assessment of Control Risk
The preliminary assessment of control risk is the process of evaluating the likely effectiveness of an entity’s accounting and internal control systems in preventing or detecting and correcting material misstatements. The preliminary assessment of control risk is based on the assumption that the controls operate generally as described and that they operate effectively throughout the period of intended
reliance. There will always be some control risk because of the inherent limitations of any accounting and internal control system.
The auditor ordinarily assesses control risk at a high level for some or all assertions when:
- the entity’s accounting and internal control systems are not effective; or
- evaluating the effectiveness of the entity’s accounting and internal control systems would not be efficient.
In the above circumstances, the auditor would obtain sufficient appropriate audit evidence from substantive procedures and from any audit work carried out in the preparation of financial statements.
The preliminary assessment of control risk for a financial statement assertion should be high unless the auditor:
- is able to identify internal controls relevant to the assertion which are likely to prevent or detect and correct a material misstatement; and
- plans to perform tests of control to support the assessment.