In the United States of America, the SEC and the PCAOB have worked together to make the internal control provisions related to SOX section 404 more effective and more cost efficient. The Institute of Chartered Accountants of India has issued Standard on Auditing (SA 315), Identifying and Assessing the Risk of Material Misstatement through understanding the Entity and its Environment which provides guidance on auditor’s responsibility to identify and assess the risk of material misstatement in the financial statement, through understanding the entity & its environment, including the entity’s internal controls.

When performing an engagement in accordance with this auditing standard, the auditor shall perform risk assessment procedures to provide a basis for the identification and assessment of risks of material misstatement at the financial statement and assertion levels. The auditor is expected to obtain an understanding of internal controls relevant to auditing which in most of the cases are likely to relate to the financial reporting. The auditor is also supposed to obtain an understanding on whether the entity has a process for identifying business risks relevant
to financial reporting objectives. Further in understanding the entity’s control activities, the auditor shall obtain an understanding of how the entity has responded to risks arising from its information technology framework and applications.

The auditor shall evaluate the design of financial reporting controls and determine whether they have been implemented, by performing procedures in addition to inquiry of the entity’s personnel. The auditor shall communicate material weaknesses in internal control identified during the audit on a timely basis to management at an appropriate level of responsibility, and, as required by SA 260 (Revised), “Communication with Those Charged with Governance”, with those charged with governance (unless all of those charged with governance are involved in managing the entity).