“Year of the Consolidation of the Grau Sea”

Peruvian University of Los Andes

FACULTY OF ADMINISTRATIVE AND ACCOUNTING

SCIENCES

ACADEMIC PROFESSIONAL SCHOOL OF ACCOUNTING AND FINANCE

RISK ASSESSMENT AND INTERNAL CONTROL

AUTHORS:

CONDOR HUARANGA ROCIO PILAR

LLIHUA SALDAÑA KELI ROCIO

LUIS PABLO NELIDA SOLEDAD

RIOS PALOMINO MARIELA EDITH

2016
 SUMMARY

In this monograph, the description of the risk assessment and internal

control is carried out, showing the different risks that the auditor must
evaluate and develop in the audit program.

The objective of this monograph is to show the risks that are presented
according to International Auditing Standard 6 and to inform all interested
parties about the content of said standard, which is risk assessment and
internal control.

The method used for the development of this monographic work, Chapter
I, is descriptive, because it describes the general aspects of risk
assessment and internal control such as definition, components, and
relationship of risks.

Yo
We dedicate this work to our parents, for
their unconditional support, and to the
teachers of the accounting faculty, for their
teaching, patience and perseverance
during our academic training.

II
 INTRODUCTION

This monograph presents the topic of Risk Assessment and Internal

Control, which is a standard that helps the auditor evaluate and develop
the audit program.

The objective of this monograph is to understand the different evaluation

risks that different companies may incur.

The monographic work was prepared using the descriptive method, for
chapter I.

Hoping that this monograph will provide information on risk assessment

and internal control.

The problems that could be solved in this monographic work are, first of
all, to have a clearer idea of how to detect and know what type of risk it is,
whether it is inherent, control or detection, in order to be able to take the
necessary measures to cover them and reduce their degree of risk.

In this regard, the content of the monographic work on risk assessment

and internal control is detailed below, the structure of which is as follows:

Chapter I, includes the theoretical framework of risk assessment and

internal control, as well as the definition of the different types of risks,
components, relationship, importance, and structure.

Finally, it concludes with conclusions and bibliography. Thus providing

greater consistency and support to the present monographic work.

III

INDEX

SUMMARY
Yo
DEDICATION II
INTRODUCTION III

Page

CHAPTER I
THEORETICAL FRAMEWORK
RISK ASSESSMENT AND INTERNAL CONTROL

1.1 CONCEPT…………………………………………………………………..7
1.2 INHERENT RISK………………………………………..………….…7
1.2.1 CONCEPT…………………………………………………………..7
1.2.2 RISK ASSESSMENT …….………………………………….8
1.2.2.1 At the financial statement
level…………………………….8
1.2.2.2 Account balance level and type of transactions…...9

1.3 ACCOUNTING AND INTERNAL CONTROL SYSTEMS

IMPORTANCE………………………………………………..……...……10
1.3.1 ACCOUNTING SYSTEM…………………………………...10
1.3.1.1 Definition………………………………………………...10
1.3.1.2 Operations to Identify……………………………….10
1.3.2 DEFINITION – INTERNAL CONTROL SYSTEM…………...11
1.3.2.1 Components…………………………………………....11
1.3.3 OBJECTIVES OF INTERNAL CONTROLS RELATED TO
ACCOUNTING SYSTEMS...13
1.3.4 INHERENT LIMITATION OF INTERNAL CONTROLS14
1.3.5 UNDERSTANDING ACCOUNTING AND INTERNAL CONTROL
SYSTEMS………………………………………………15
1.3.5.1 Evaluation Criteria…………………………………15
1.3.5.2 Understanding Systems Supplements……….16

1.4 CONTROL RISK………………………………………………….….17

1.4.1 DEFINITION………………………………………………………...17
 1.4.2 PRELIMINARY EVALUATION…………………………………..
….17
1.4.3 DOCUMENTATION OF UNDERSTANDING AND
EVALUATION18
1.4.4 CONTROL
TESTS………………………………………………………....19
1.4.4.1 Evaluation Factors……………………………….…21
1.4.5 QUALITY AND TIMELINESS OF AUDIT
EVIDENCE……………………………………………………………
……..22
14.5.1 Factors to consider…………………………………….23
1.4.6 FINAL EVALUATION……………………………………………..24

1.5 RELATIONSHIP BETWEEN INHERENT RISK AND CONTROL

ASSESSMENTS…………..……………………………………………….24

1.6 DETECTION RISK…….……..…………………………………...24

1.6.1 Definition…………………………………………………………..24
1.6.2 Risk Level…………………………………………..
……………………..25
1.6.3 Substantive Procedures………………………..……………25
1.6.4 Relationship between types of
risk……………………………….26

1.7 AUDIT RISK IN SMALL BUSINESS…………..…27

1.8 COMMUNICATION OF
WEAKNESSES………………………………...28

ANNEX…………………………………………………………………….29

CONCLUSIONS…………………………………………………………………
……...…....30

BIBLIOGRAPHIC REFERENCES…………………………….……….…..31
 8

CHAPTER I
THEORETICAL FRAMEWORK
RISK ASSESSMENT AND INTERNAL CONTROL

1.1 CONCEPT.-

The auditor should obtain an understanding of the accounting and

internal control systems sufficient to plan the audit and develop an
effective audit approach. The auditor should use professional
judgment to assess audit risk and design audit procedures to ensure
that risk is reduced to an acceptably low level.

“Audit risk” means the risk that the auditor will give an inappropriate
audit opinion when the financial statements are materially misstated.
Audit risk has three components: inherent risk, control risk and
detection risk.

1.2 INHERENT RISK

1.2.1 CONCEPT
It is the susceptibility of the balance of an account or class of
transactions to a misstatement that could be material,
individually or when aggregated with misstatements in other
accounts or classes, assuming that there were no related
internal controls.

1.2.2 RISK ASSESSMENT

 9

In developing the overall audit plan, the auditor should assess

the inherent risk at the financial statement level. In developing
the audit program, the auditor should relate such assessment at
the assertion level to material account balances and classes of
transactions, or assume that the inherent risk is high for the
assertion.

In assessing inherent risk, the auditor uses professional

judgment to evaluate, examples of which are:

1.2.2.1 AT THE FINANCIAL STATEMENT LEVEL

 The integrity of the administration.

 The experience and knowledge of management

and changes in management during the period, for
example, inexperience of management, may affect
the preparation of the entity's financial statements.

 Unusual pressures on management, for example,

circumstances that might predispose management
to misrepresent the financial statements, such as
an industry experiencing a large number of
business failures or an entity lacking sufficient
capital to continue operations.

 The nature of the entity's business, for example,

the potential for technological obsolescence of its
products and services, the complexity of its capital
structure, the importance of related parties, and the
number of locations and geographic spread of its
production facilities.

 Factors affecting the industry in which the entity

operates, for example, economic and competitive
conditions as identified by financial trends and
ratios, and changes in technology, consumer
 10

demand, and accounting practices common to the

industry.

1.2.2.2 AT ACCOUNT BALANCE LEVEL AND

TRANSACTION TYPE

 Accounts in the financial statements that are likely

to be susceptible to misstatement, for example,
accounts that required adjustment in the prior
period or that involve a high degree of estimation.

 The complexity of underlying transactions and

other events that might require the use of an
expert's work.

 The degree of judgment involved in determining

account balances.

 Susceptibility of assets to loss or misappropriation,

for example, assets that are highly desirable and
mobile such as cash.

 The completion of unusual and complex

transactions, particularly at or near the end of the
period.

 Transactions not subject to ordinary processing.

1.3 ACCOUNTING AND INTERNAL CONTROL SYSTEMS

1.3.1 ACCOUNTING SYSTEM.-

1.3.1.1 DEFINITION
It means the series of tasks and records of an entity
through which transactions are processed as a means
 11

of maintaining financial records. Such systems

identify, collect, analyze, calculate, classify, record,
summarize, and report transactions and other events.
1.3.1.2 OPERATIONS TO BE IDENTIFIED
The auditor should obtain an understanding of the
accounting system sufficient to identify and
understand:
 The main classes of transactions in the entity's
operations;
 How such transactions are initiated;
 Important accounting records, supporting
documents and accounts in the financial
statements; and
 The accounting and financial reporting process,
from the initiation of major transactions and
other events to their inclusion in the financial
statements.

1.3.2 DEFINITION – INTERNAL CONTROL SYSTEM.-

means all policies and procedures (internal controls) adapted

by the management of an entity to help achieve management's
objective of ensuring, as far as practicable, the orderly and
efficient conduct of its business, including adherence to
management policies, the safeguarding of assets, the
prevention and detection of fraud and error, the accuracy and
completeness of accounting records, and the timely preparation
of reliable financial information.

1.3.2.1 COMPONENTS

The internal control system goes beyond those

matters that are directly related to the functions of the
accounting system and includes:
 12

A. The control environment.-

It is the global attitude, awareness and actions of
directors and management regarding the internal
control system and its importance in the entity.
The control environment has an effect on the
effectiveness of specific control procedures. A
strong control environment, for example, one with
strict budgetary controls and an effective internal
audit function, can greatly complement specific
control procedures. However, a strong
environment does not, by itself, ensure the
effectiveness of the internal control system.
The auditor should obtain sufficient understanding
of the control environment to assess the attitudes,
awareness and actions of directors and
management regarding internal controls and their
importance to the entity.

Factors reflected in the control environment

include:

 The role of the board of directors and its

committees.

 Philosophy and operating style of

administration.

 Organizational structure of the entity and

methods of assigning authority and
responsibility.

 Management control system including the

internal audit function, personnel policies, and
segregation of duties procedures.

B. Control procedures.-
 13

These are the policies and procedures in addition to the

control environment that management has established to
achieve the entity's specific objectives.

The auditor should obtain sufficient understanding of the

control procedures to develop the audit plan. In obtaining
this understanding the auditor would consider the
knowledge about the presence or absence of control
procedures obtained from the understanding of the
control environment and the accounting system to
determine whether any additional understanding of
control procedures is necessary. Since control
procedures are integrated with the control environment
and the accounting system, as the auditor gains an
understanding of the control environment and the
accounting system, he or she is likely to gain some
knowledge of control procedures as well; for example, by
gaining an understanding of the cash accounting system,
the auditor typically becomes aware of whether bank
accounts are reconciled. Ordinarily, the development of
the overall audit plan does not require an understanding
of control procedures for each financial statement
assertion in each account and class of transaction.

Specific control procedures include:

 Report, review and approve reconciliations

 Check the arithmetic accuracy of the records

 Control the applications and environment of

computer information systems, for example, by
establishing controls over:

- changes to computer programs

- access to data files

 14

 Maintain and review control accounts and trial

balances.

 Approve and control documents.

 Compare internal data with external sources of

information.

 Compare the results of cash, securities and

inventory accounts with the accounting records.

 Limit direct physical access to assets and records

 Compare and analyze financial results with

budgeted amounts.

1.3.3 OBJECTIVES OF INTERNAL CONTROLS RELATED TO

ACCOUNTING SYSTEMS.-

Transactions are executed in accordance with general or

specific authorization from the administration.

All transactions and other events are promptly recorded at

the right time, in the appropriate accounts and in the
appropriate accounting period, so as to enable the
preparation of financial statements in accordance with an
identified financial reporting framework.

Access to assets and records is permitted only in

accordance with management authorization.

Recorded assets are compared with existing assets at

reasonable intervals and appropriate action is taken
regarding any differences.

1.3.4 INHERENT LIMITATIONS OF INTERNAL CONTROLS.-

Accounting and internal control systems cannot provide

management with conclusive evidence that objectives have
been achieved because of inherent limitations. Such limitations
include:
 15

 The usual management requirement that the cost of

internal control does not exceed the benefits expected to
be derived.

 Most internal controls tend to be directed at non-routine

transactions.

 The potential for human error due to carelessness,

distraction, errors in judgment, and failure to understand
instructions.

 The possibility of circumventing internal controls through

collusion by a member of management or an employee
with parties outside or within the entity.

 The possibility that a person responsible for exercising

internal control could abuse that responsibility, for
example, a member of management overriding an
internal control.

 The possibility that procedures may become inadequate

due to changes in conditions, and that compliance with
procedures may deteriorate.

1.3.5 UNDERSTANDING ACCOUNTING AND INTERNAL

CONTROL SYSTEMS.-

By obtaining an understanding of the accounting and internal

control systems to plan the audit, the auditor gains an
understanding of the design of the accounting and internal
control systems and their operation. For example, an auditor
may perform a “trace” test, that is, follow a few transactions
through the accounting system. When the transactions selected
are typical of transactions passing through the system, this
procedure may be treated as part of testing of controls. The
nature and extent of the trace tests performed by the auditor
are such that they alone would not provide sufficient
 16

appropriate audit evidence to support an assessment of control

risk that is less than high.

1.3.5.1 EVALUATION CRITERIA

The nature, timing and extent of the procedures
performed by the auditor to obtain an understanding of
the accounting and internal control systems will vary
depending on, among other things:

 The size and complexity of the entity and its

computing system.
 Considerations on relative importance.
 The type of internal controls involved.
 The nature of the entity's documentation of specific
internal controls.
 Auditor's assessment of inherent risk.

1.3.5.2 SUPPLEMENTS FOR UNDERSTANDING SYSTEMS

Ordinarily, the auditor's understanding of accounting
and internal control systems that is relevant to the
audit is obtained through prior experience with the
entity and is supplemented by:

 Inquiries with management, supervisory personnel,

and other appropriate personnel at various
organizational levels within the entity, along with
reference to documentation such as procedure
manuals, job descriptions, and flow charts.

 Inspection of documents and records produced by

accounting and internal control systems.

 Observation of the entity's activities and

operations, including observation of the
 17

organization of computer operations, management

personnel, and the nature of transaction
processing.

1.4 CONTROL RISK

1.4.1 DEFINITION
It is the risk that an erroneous statement that could occur in the
account balance or class of transactions and that could be of
relative importance individually or when aggregated with
erroneous statements in other balances or classes, is not
prevented or detected and corrected in a timely manner by the
accounting and internal control systems.

1.4.2 PRELIMINARY EVALUATION

It is the process of evaluating the effectiveness of an entity's
accounting and internal control systems in preventing or
detecting and correcting material misstatements. There will
always be some control risk due to the inherent limitations of
any accounting and internal control system.

After obtaining an understanding of the accounting and internal

control systems, the auditor should make a preliminary
assessment of control risk, at the assertion level, for each
material account balance or class of transactions.

The auditor ordinarily assesses control risk at a high level for

some or all assertions when:

 The entity's accounting and internal control systems are

not effective.
 18

 Evaluating the effectiveness of the entity's accounting

and internal control systems would not be efficient.

The preliminary assessment of control risk for a financial

statement assertion should be high unless the auditor:

 can identify internal controls relevant to the assertion that

are likely to prevent or detect and correct a material
misstatement; and
 plan to perform control tests to support the evaluation.

1.4.3 DOCUMENTATION OF UNDERSTANDING AND

EVALUATION

The auditor should document in the audit working papers:

The understanding gained from the entity's accounting

and internal control systems.

Control risk assessment. When control risk is assessed

as less than high, the auditor should also document the
basis for the conclusions.

Different techniques can be used to document information

relating to accounting and internal control systems. The
selection of a particular technique is a matter of judgment on the
part of the auditor. Common techniques, used alone or in
combination, include narrative descriptions, questionnaires,
checklists, and flowcharts. The form and extent of this
documentation is influenced by the size and complexity of the
entity and the nature of the entity's accounting and internal
control systems. Generally, the more complex the entity's
accounting and internal control systems and the more extensive
 19

the auditor's procedures, the more extensive the auditor's

documentation will need to be.

1.4.4 Control tests

Control tests are performed to obtain audit evidence about the

effectiveness of:

The design of the accounting and internal control

systems, that is, whether they are adequately designed to
prevent or detect and correct material misstatements;
and
The operation of internal controls throughout the period.

Some of the procedures to obtain an understanding of the

accounting and internal control systems may not have been
specifically planned as tests of control but may provide audit
evidence about the effectiveness of the design and operation of
internal controls relevant to certain assertions and,
consequently, serve as tests of control. For example, in gaining
an understanding of the accounting and internal control systems
relating to cash, the auditor may have obtained audit evidence
about the effectiveness of the bank reconciliation process
through inquiry and observation.

When the auditor concludes that the procedures performed to

obtain an understanding of the accounting and internal control
systems also provide audit evidence about the adequacy of
design and operating effectiveness of the policies and
procedures relevant to a particular financial statement assertion,
the auditor may use that audit evidence, provided it is sufficient,
to support an assessment of control risk at a level less than
high.
 20

The auditor should obtain audit evidence through tests of

controls to support any assessment of control risk that is less
than high. The lower the control risk assessment, the more
support the auditor should obtain that the accounting and
internal control systems are adequately designed and operating
effectively. When obtaining audit evidence about the effective
operation of internal controls, the auditor considers how they
were applied, the consistency with which they were applied
during the period, and by whom they were applied. The effective
operating concept recognizes that some deviations may have
occurred. Deviations from established controls may be caused
by factors such as changes in key personnel, significant
seasonal fluctuations in transaction volume, and human error.
When deviations are detected, the auditor makes specific
inquiries regarding these matters, particularly the scheduling of
personnel changes in key internal control functions. The auditor
then ensures that the tests of control appropriately cover that
period of fluctuation change.
In a computer information systems environment, the objectives
of control testing do not change from those in a manual
environment; however, some audit procedures may change.
The auditor may find it necessary, or may prefer, to use
computer-assisted audit techniques. The use of such
techniques, for example, file interrogation tools or audit test
data, may be appropriate when accounting and internal control
systems do not provide visible evidence documenting the
performance of internal controls that are programmed into a
computerized accounting system. Based on the results of the
tests of control, the auditor should evaluate whether internal
controls are designed and operating as contemplated in the
preliminary assessment of control risk; the assessment of
deviations may result in the auditor concluding that the
assessed level of control risk needs to be revised. In such cases
 21

the auditor would modify the nature, timing and extent of the
planned substantive procedures.

1.4.4.1 EVALUATION FACTORS

Control tests may include:

 Inspecting documents that support transactions

and other events to gain audit evidence that
internal controls have operated appropriately, for
example, verifying that a transaction has been
authorized.
 Investigations into, and observation of, internal
controls that leave no audit trail, for example,
determining who actually performs each function,
not merely who is supposed to perform it.
 Reconstruction of the performance of internal
controls, for example, the reconciliation of bank
accounts, to ensure that they were correctly
performed by the entity.

1.4.5 QUALITY AND TIMELINESS OF AUDIT EVIDENCE

Certain types of audit evidence obtained by the auditor are more

reliable than others. Ordinarily, the auditor's observation
provides more reliable audit evidence than merely making
inquiries; for example, the auditor might obtain audit evidence
about the appropriate segregation of duties by observing the
individual performing a control procedure or by making inquiries
of appropriate personnel. However, audit evidence obtained by
some control tests, such as observation, pertains only to the
point in time when the procedure was applied. The auditor may
therefore decide to supplement these procedures with other
 22

control tests capable of providing audit evidence over other time

periods.
In determining the appropriate audit evidence to support a
conclusion about control risk, the auditor may consider audit
evidence obtained in previous audits. In a continuing
engagement, the auditor will be aware of the accounting and
internal control systems through work previously performed but
will need to update the knowledge acquired and consider the
need to obtain additional audit evidence of any changes in
control. Before relying on procedures performed in previous
audits, the auditor should obtain audit evidence that supports
this reliance. The auditor should have evidence about the
nature, timing and extent of any changes in the entity's
accounting and internal control systems as such procedures
were performed and should assess their impact on the reliance
the auditor intends to place on them. The longer the time since
such procedures were performed, the less security they may
result from.
The auditor should consider whether internal controls were in
use throughout the period. If substantially different controls were
used at different times during the period, the auditor should
consider each separately. A failure of internal controls for a
specific portion of the period requires separate consideration of
the nature, timing and extent of audit procedures to be applied
to transactions and other events in that period.

1.4.5.1 FACTORS TO CONSIDER

The auditor may decide to perform some tests of control

during an interim visit before the end of the period.
However, the auditor cannot rely on the results of such
tests without considering the need to obtain additional
 23

audit evidence relating to the remainder of the period.

Factors you will need to consider include:

The results of the provisional tests.

The extension of the remaining period
If changes have occurred in the accounting and
internal control systems during a remaining
period.
The nature and amount of transactions and other
events and the balances involved.
The control environment, especially supervisory
controls.
The substantive procedures that the auditor plans
to perform.

1.4.6 FINAL EVALUATION

Prior to concluding the audit, based on the results of substantive

procedures and other audit evidence obtained by the auditor,
the auditor should consider whether the assessment of control
risk is confirmed.

1.5 RELATIONSHIP BETWEEN INHERENT RISK AND CONTROL

ASSESSMENTS.

Management often reacts to inherent risk situations by designing

accounting and internal control systems to prevent or detect and
correct misstatements and therefore, in many cases, inherent risk and
control risk are highly interrelated. In these situations, if the auditor
decides to assess inherent and control risks separately, there is a
possibility of an inappropriate risk assessment. As a result, audit risk
may be more appropriately determined in such situations by making a
combined assessment.
 24

1.6 DETECTION RISK.-

1.6.1 DEFINITION.-
It is the risk that an auditor's substantive procedures will not
detect a misstatement that exists in an account balance or class
of transactions that could be material, individually or when
aggregated with misstatements in other balances or classes.

1.6.2 RISK LEVEL.-

The level of detection risk is directly related to the auditor's
substantive procedures. The auditor's assessment of control
risk, together with the assessment of inherent risk, influences
the nature, timing and extent of substantive procedures that
should be performed to reduce detection risk, and therefore
audit risk, to an acceptably low level. Some detection risk would
always be present even if an auditor examined 100 percent of
an account balance or class of transactions because, for
example, most audit evidence is persuasive rather than
conclusive.

1.6.3 SUBSTANTIVE PROCEDURES.-

The auditor should consider the assessed levels of inherent and
control risks when determining the nature, timing and extent of
substantive procedures required to reduce audit risk to an
acceptable level. In this regard, the auditor would consider:
The nature of the substantive procedures, for example,
using tests directed at independent parties outside the
entity rather than tests directed at parties or
documentation within the entity, or using tests of details
for a particular audit objective in addition to analytical
procedures.
 25

The opportunity for substantive proceedings, for example,

by performing them at the end of the period rather than at
an earlier date.
The scope of substantive procedures, for example, using
a larger sample size.
1.6.4 RELATIONSHIP BETWEEN TYPES OF RISK.-

There is an inverse relationship between detection risk and the

combined level of inherent and control risks. For example, when
inherent and control risks are high, acceptable detection risk
needs to be low to reduce audit risk to an acceptably low level.
On the other hand, when inherent and control risks are low, an
auditor may accept a higher detection risk and still reduce audit
risk to an acceptably low level.

While tests of control and substantive procedures are

distinguishable as to their purpose, the results of either type of
procedure may contribute to the purpose of the other.
Misstatements discovered while performing substantive
procedures may cause the auditor to modify the previous
assessment of control risk.
The assessed levels of inherent and control risks cannot be
sufficiently low to eliminate the need for the auditor to perform
any substantive procedures. Regardless of the assessed levels
of inherent and control risks, the auditor should perform some
substantive procedures for material account balances and
classes of transactions.
The auditor's assessment of the components of audit risk may
change during the course of an audit, for example, information
may come to the auditor's attention when performing
substantive procedures that differs significantly from the
information on which the auditor originally assessed inherent
and control risks. In such cases, the auditor would modify the
 26

planned substantive procedures based on a review of the

assessed levels of inherent and control risks.
The higher the assessment of inherent and control risks, the
more audit evidence the auditor should obtain of substantive
procedure performance. When both inherent risk and control
risk are assessed as high, the auditor needs to consider
whether substantive procedures can appropriately provide
sufficient audit evidence to reduce detection risk, and therefore
audit risk, to an acceptably low level. When the auditor
determines that detection risk with respect to a financial
statement assertion for a material account balance or class of
transactions cannot be reduced to an acceptably low level, the
auditor should express a qualified opinion or a disclaimer of
opinion.

1.7 AUDIT RISK IN SMALL BUSINESS

The auditor needs to obtain the same level of assurance in expressing

an unqualified opinion on the financial statements of both small and
large entities. However, many internal controls that would be relevant
to large entities are not practical in small business. For example, in
small businesses, accounting procedures may be developed by a few
individuals who may have both operating and custodial
responsibilities, and therefore segregation of duties would be lacking
or severely limited. Inadequate segregation of duties can, in some
cases, be overridden by a strong management control system in which
there are supervisory controls by the owner/manager because of
direct personal knowledge of the entity and involvement in its
transactions. In circumstances where segregation of duties is limited
and audit evidence of supervisory controls is lacking, the audit
evidence necessary to support the auditor's opinion on the financial
statements may have to be obtained entirely through the performance
of substantive procedures.
 27

1.8 COMMUNICATION OF WEAKNESSES

As a result of gaining an understanding of the accounting and internal

control systems and testing of controls, the auditor may become aware
of weaknesses in the systems.

The auditor should bring to the attention of management, as soon as

practicable and at an appropriate level of responsibility, material
weaknesses in the design or operation of the accounting and internal
control systems that have come to the auditor's attention.
Communication of material weaknesses to management would
ordinarily be in writing. However, if the auditor judges that oral
communication is appropriate, such communication would be
documented in the audit working papers. It is important to indicate in
the communication that only weaknesses that have come to the
auditor's attention as a result of the audit have been reported and that
the examination has not been designed to determine the adequacy of
internal control for management purposes.

EXHIBIT
 28

ILLUSTRATION OF THE INTERRELATIONSHIP OF AUDIT RISK

COMPONENTS

The following table shows how the acceptable level of detection risk can
vary, based on assessments of inherent and control risks.

The auditor's assessment of risk is:

High Average Low
The auditor's High The lowest Lower Average
assessment of Average Lower Average Higher
inherent risk Low Higher Higher The lowest

The shaded areas in this table refer to the risk of detection.

There is an inverse relationship between detection risk and the combined

level of inherent and control risks. For example, when inherent and control
risks are high, acceptable levels of detection risk need to be low to reduce
audit risk to an acceptably low level. On the other hand, when inherent
and control risks are low, an auditor may accept a higher detection risk
and still reduce audit risk to an acceptably low level.

CONCLUSIONS

The auditor should obtain an understanding of the accounting and internal

control systems sufficient to plan the audit and develop an effective audit
 29

approach. The auditor should use professional judgment to assess audit

risk and design audit procedures to ensure that risk is reduced to an
acceptably low level.

The risk that the auditor will give an inappropriate audit opinion when the
financial statements are materially misstated.

The auditor should assess risk at the financial statement level. In

developing the audit program, the auditor should relate such assessment at
the assertion level to material account balances and classes of
transactions.

In developing the audit approach, the auditor considers the preliminary

assessment of control risk to determine the appropriate detection risk to
accept for the financial statement assertions and to determine the nature,
timing, and extent of substantive procedures for those assertions.

BIBLIOGRAPHIC REFERENCES

VIRTUAL STANDARD

 International Standard on Auditing (ISA) 6 - Edi-Ábaco Cía.

Corporation Ltda.
30