For CA Inter Audit 2026, Risk Assessment and Internal Control is an important topic because ICAI frequently asks theory, MCQ, and case-based questions from audit risk concepts. This chapter helps students understand how auditors identify risks and form audit opinions on financial statements, making it highly relevant for both exams and practical auditing.
Audit risk arises when financial statements contain material misstatements. It is divided into inherent risk, control risk, and detection risk. While auditors cannot control inherent or control risk, they can reduce detection risk through proper audit planning, strong internal controls, and effective audit procedures.
Risk Assessment and Internal Control form the backbone of the audit process in CA Inter Audit. This chapter explains how auditors identify, evaluate, and respond to risks that may lead to material misstatements in financial statements.
It primarily focuses on Audit Risk and its components—Risk of Material Misstatement (RoMM) and Detection Risk—along with the role of internal controls in reducing business and reporting risks.
Audit Risk is the risk that the auditor expresses an inappropriate opinion when the financial statements are materially misstated. It is crucial for auditors to manage this risk effectively.
However, it is not Audit Risk if the financial statements are not materially misstated, but the auditor incorrectly concludes they are. This risk is a matter of professional judgment and requires the auditor's training, knowledge, and experience for assessment.
Audit Risk is a product of two primary components:
Audit Risk = RoMM × Detection Risk
The auditor can control Detection Risk by adjusting audit procedures, but cannot control Inherent Risk or Control Risk as these exist within the entity.
RoMM is the susceptibility of financial statements to material misstatement that could exist before considering any internal controls or audit procedures. It represents the risk that a material misstatement exists even before the audit begins.
RoMM itself comprises two components:
RoMM = Inherent Risk × Control Risk
RoMM can exist at two distinct levels within an entity's financial statements:
| Level | Description |
|---|---|
| Financial Statement Level | Pervasive risks affecting multiple accounts and assertions (e.g., integrity of management). |
| Assertion Level | Risks specific to a particular assertion within a Class of Transaction, Account Balance, or Disclosure (Memory Tip: Remember ACPD for Amount, Classification, Presentation, Disclosure). |
Inherent Risk is the susceptibility of an assertion to a material misstatement, assuming no related internal controls. This risk arises from the nature of the transaction or account itself.
Examples of Inherent Risk include:
- Complex calculations or accounting issues.
- Rapid technology development leading to inventory obsolescence.
- Industry-specific business failures.
- Complex accounting standards that are difficult to apply.
Control Risk is the risk that a material misstatement will not be prevented, detected, or corrected (Memory Tip: Think PDC - Prevent, Detect, Correct) by the entity's internal controls on a timely basis. This implies that internal controls exist but are ineffective.
There is an inverse relationship between the effectiveness of internal controls and Control Risk: effective controls reduce Control Risk, while ineffective controls increase it.
| Feature | Inherent Risk | Control Risk |
|---|---|---|
| Nature | Susceptibility to misstatement without controls. | Failure of internal controls to prevent/detect misstatement. |
| Origin | Nature of business, transaction, or account itself. | Effectiveness of entity's internal control system. |
| Auditor's Control | Not controllable by the auditor. | Not controllable by the auditor. |
Detection Risk is the risk that the auditor's procedures will not detect a misstatement that exists and that could be material, either individually or in aggregate. This risk is directly within the auditor's control.
Detection Risk is categorized into two types:
Sampling Risk is the risk that the auditor's conclusion, based on a sample, may differ from the conclusion if the entire population were subjected to the same audit procedure. This occurs when the selected sample is not representative of the population.
Non-Sampling Risk is any aspect of Detection Risk that is not due to sampling. It includes risks arising from human error, misinterpretation of audit evidence, or the application of inappropriate audit procedures.
| Feature | Sampling Risk | Non-Sampling Risk |
|---|---|---|
| Origin | Due to the use of sampling (sample not representative). | Due to factors unrelated to sampling (e.g., human error, wrong procedures). |
| Mitigation | Increase sample size or refine sampling methodology. | Improve auditor training, supervision, and procedure design. |
An inverse relationship exists between RoMM and Detection Risk.
If RoMM is assessed as high (meaning a high chance of misstatements existing), the auditor needs to keep Detection Risk low by performing more extensive and rigorous audit procedures.
Conversely, if RoMM is low, a higher Detection Risk may be acceptable, allowing for less extensive procedures.
A Misstatement is a difference between the Amount, Classification, Presentation, or Disclosure of a reported financial statement item and the amount, classification, presentation, or disclosure required for the item to be in accordance with the applicable Financial Reporting Framework (FRF). Misstatements can arise from either error or fraud.
Misstatements can occur across various financial statement elements:
- P&L Related:
  - Treating a capital expenditure as a revenue expenditure.
  - Booking fictitious expenses.
  - An abnormal increase in Gross Profit (GP) margin due to overstated sales/closing stock or understated direct expenses.
- Balance Sheet Related:
  - Not writing off irrecoverable debtors.
  - Overstating or understating inventory valuation.
- Disclosure Related:
  - Inadequate or incorrect disclosures as required by the FRF (e.g., Schedule III for "Other Income" requiring separate disclosure of interest income, dividend income, and gains/losses on investment sales).
- Applying inappropriate accounting policies or estimates.
- Recognising dividend income net of TDS (e.g., ₹1.8 lakh instead of ₹2 lakh total) is a misstatement, as income should generally be recognised gross of TDS.
