You are on page 1of 24

Master of Business Administration - MBA Semester 3 Subject Code – MF0013 Subject Name – Internal Audit and Control 4 Credits

(Book ID: B1211) Assignment Set- 1

Q.1 Critically evaluate the qualities of an Auditor in the wake of recent scams Answer: An auditor renders a professional service to his client. He should not only possess the prescribed statutory qualifications but also certain personal qualities. Some of those personal qualities are mentioned below: 1.Common sense: According to Spicer and Pegler, ”the auditor should have a full share of that most valuable commodity-commonsense.” This is necessary to distinguish between important and not so important information. 2.Independence: Expression of opinion is a prime duty of an auditor. An influenced and biased person cannot form an independent opinion. Hence, independence in true sense is an utmost quality of an auditor. 3.Honesty and Integrity: Like any other professional viz. Doctors, Lawyers etc. auditor should possess a high moral character. In a way, he is a public servant. He must not knowingly, misinterpret any fact or sign any document under undue pressure. 4.Objectivity: Independence of an auditor depends on his ability to act with objectivity. For example, the auditor of XYZ Company believes that closing stock has not been properly valued but accepts a certificate from the management as to its valuation. In this case, the auditors “judgment lacks objectivity. 5.Communication: He should be able to communicate effectively, both orally and in writing. Particularly in the matter of report writing, he should be able to convey his message clearly and unambiguously. 6.Tactfulness: He should be firm, yet diplomatic with his client and staff. He should be tactful enough to obtain necessary written as well as oral evidence from his client, so that he can form a reasonable opinion. 7.Awareness of latest developments: An auditor should keep his knowledge up to date related to his audit work likes changes in laws, changes in professional standards, latest development in technical guidelines etc.

Q.2 What is social audit? Is social audit taken seriously by the corporate world? Give examples of corporates undertaking social audit. Answer: Social audit

The social audit is also called social responsibility audit. A business organization exists in society. Hence, it owes certain responsibilities toward society at large. As Lord Denning has observed: The directors of a great company should owe a duty to those who are employed by the company to see that their conditions of service are proper. They should owe a duty to the customers, to the people to whom the goods are supplied, a public duty perhaps, not to expect excessive prices. They should owe a duty also to the community in which they live, not to make the place of production hideous or a nuisance to those who live around. Social audit is mainly concerned with social accounting. It may be noted that social accounting is still in early stage and so social audit also. Social audit also called Social Responsibility Audit is mainly concerned with social accounting. A continuous audit is basically a perpetual audit, where auditors and his staff constantly engaged in checking the accounts throughout the year. Annual audit is done at the end of the financial year when finalization of accounts has been completed and books of accounts closed. A Balance Sheet audit is mainly concerned with the verifications of items appearing in the Balance Sheet such as share capital, reserve and surplus, current liabilities, fixed assets, current assets, investments etc in detail. Q.3 Explain the Code of Ethics for Internal Auditor. Explain them in context with blacklisting Price Waterhouse Coopers in Satyam Scam. Answer: Code of Ethics for Internal Auditor In his book “Practical Guide for Internal Audit” R.S. Adukia has scholarly explained about the code of ethics for internal auditor which is as follows: “This code of ethics sets the minimum requirements for the performance and conduct of internal auditors. This code applies to all internal auditors but does not supersede or replace the requirement on individual to comply with ethical codes issued by professional institutes of which they are members or student members and any organizational codes of ethics or conduct.” There are four main principles: 1. Integrity: The internal auditor should demonstrate integrity in all aspects of their work. Their integrity establishes an environment of trust, which provides the basis for reliance on all activities carried out by the internal auditors. 2. Objectivity: Objectivity is a state of mind that has regard to all considerations relevant to the activity or process being examined without being unduly influenced by personal interest or the views of others. Internal auditors should display professional objectivity when providing opinions, assessments and recommendations. 3. Confidentiality: Internal auditors must safeguard the information they receive in carrying out their duties. There must not be any unauthorized disclosure of information unless there is a legal or professional requirement to do so.

4. Competency: The internal auditor should make use of his/her knowledge, skills and practical experience necessary for auditor‟s activity performance. They should not accept or perform work that they are not competent to undertake, unless they have received adequate training and support to carry out the work to an appropriate standard. Achieving compliance with code of ethics i) Security integrity: The internal auditor should: a) Perform his/her job honestly, diligently and with responsibility. b) Perform his/her profession in harmony with the acts and other generally binding regulations. c) Avoid any illegal activity and performing any activity discrediting the internal auditor‟s profession. d) Respect the legal and ethical objectives of the organizations. e) Take care that his/her integrity should not be compromised. ii) Objectivity: The internal auditor should: a) Avoid taking part in activities or relations which may damage, or might be understood as damaging his/her unbiased assessment including activities or relations which may be in conflict with public interests. b) Avoid accepting anything that may damage or might be understood as damaging his/her objective professional assessment. c) Protect his/her objectivity against political influence. d) Disclose all substantial facts known to him/her that being undisclosed might misrepresent the conclusions on activities or events assessed. iii) Observing Confidentiality: The internal auditor should: a) Be careful when using and protecting information he/she gathered when auditing. b) Avoid disclosing and making use of the information obtained during the auditor‟s activities performance in order to damage the interests of other person or organization. c) Avoid making use of the information obtained during the auditor‟s activities for personal enrichment or in a way which would be in conflict with the law or which would damage legitimate and ethical interests of the organization. iv) Demonstrating Competence: a) It is a pre-requisite that all internal audit staff is aware of and understands: 1. The organization‟s aims objectives, risks and governance arrangements. 2. The purpose, risks and issues affecting the service area to be audited. 3. The terms of reference for the audit assignment so that there is a proper appreciation of the parameters within which the review be conducted.

4. The relevant legislation and other regulatory arrangement that relate to the service area to be audited. b) The internal auditor should keep educating himself constantly in order to have a good command of internal audit techniques and auditor standards necessary for obtaining, examining and evaluating the information. v) Maintaining Audit Independence: Internal auditors should be independent of the activities they audit. Internal auditors are considered independent when they can carry out their work freely and objectively. Independence permits internal auditors to render the impartial and unbiased judgments essential to the proper conduct of audits. This is achieved through organizational status and objectivity. Independence stands for an internal auditor being able to take a stand and report on materiality issues, uninfluenced by any favour coercions or undue influence.

Q.4 As a senior audit assistant of M/s. Asutosh Associates, you are in charge of internal audit team of M/s Rajesh Technologies involved in the manufacture of plastic tubes. From the information you obtained you find the company is facing liquidity problem for the last two years. You are required to prepare working paper indicating the internal audit problems you would expect to face and how you plan to overcome them. Answer: As a senior audit assistant of M/s. Asutosh Associates, I need to prepare working paper indicating the internal audit problems are as follows: Summary of problem area Planning Points

i) Company is facing liquidity problem due ( i) Detailed study of inventory management to poor working capital management especially in the area of inventory recording, especially in inventory management area. inventory movement, inventory valuation method, internal control system of inventory etc. ( ii) Meerut plant produces all spare parts, (ii) Both the plant i.e. Meerut as well as whereas Dehradun plan produce less Dehradun should be visited by audit team. Internal control system should be reviewed by audit team. (iii) Level of inventory should be verified at both the plants (iv) Various ratio analysis particularly related to inventory should be conducted as compared on month to month basis. Some of the important ratios to be considered are inventory turnover ratio, inventory holding period, raw material inventory turnover ratio, work in progress (WIP) turnover ratio etc. ( v) Whether the company is following ABC analysis technique to inventory control. In ACB analysis, inventory is categorized according to relative importance for the purpose of monitoring and control

(vi) Some of the general problem areas should be specifically checked like:(a) The purchase department in order to benefit from the economics of scale, indulges in bulk buying, which may cause an overstocking of raw materials.(b) The production department‟s focus is on output maximization through improved operational efficiency for which un-interrupted production is pre-requisite. Therefore, the production department would always want sufficient inventory of WIP so that interruption at some stage in the production line does not affect its output i.e. finished goods.(c) The marketing department with its objectives to maximize sales, would focus on maximizing investment in the finished goods inventory, as it enables the firm to exploit any sudden increasing demand. These individual goals of different departments should be analyze carefully and problem areas should be identified (vii) After completion of internal audit arrange a discussion with management regarding problem areas and suggests them suitable means

Q.5 Explain the use of Sampling technique in Internal audit [SA500]. Answer: Use of Sampling Techniques in Internal Audit SA 500:„Audit Evidence‟ issued by the Institutes of Chartered Accountant of India says:“ The audit evidence should, in total, enable the auditor to form an opinion on the financial information. In forming such an opinion, the auditor does not normally examine all the information that is available to him because he can reach a conclusion about an account balance, class of transactions or a control by way of judgmental or statistical sampling procedures.” Statistical sampling technique is a well-accepted audit technique now-a day. Statistical sampling in auditing means forming an opinion about a group of items on the basis of examination of a few of the items. Statistical sampling techniques add scientific flavour to old, generally accepted by auditing professional, of „test checking‟. Statistical sampling techniques are based on the probability theory. The Institute of Chartered Accountants of India has issued SA 530: “Audit sampling “which is mandatory in nature and applicable to all kinds of audit.” The following is the text of SA 530 modified as per our requirement:

Introduction 1. The purpose of this standard is to establish standards on the design and selection of an audit sample and the evaluation of the sample results. This standard applies to statistical and non-statistical sampling methods. Either method, when properly, applied can provide sufficient appropriate evidence. 2. When using either statistical or non statistical sampling methods, the auditor should design and select an audit sample. Perform audit procedures thereon, and evaluate sample results so as to provide sufficient appropriate audit evidence. 3. Auditing sampling means the application of audit procedure to less than 100% of an item within an account balance or class of transactions to enable the auditor to obtain and evaluate audit evidence about some characteristics of the items selected in order to form or assist in forming a conclusion concerning the population. 4. It is important to recognize that certain testing procedures do not come within the definition of sampling. Tests performed on 100% of the items within a population do not involve sampling, likewise, applying audit procedures to all items within a population which have a particular characteristics (for example all items over a certain amount)does not qualify as audit sampling with respect to the portion of the population examined, nor with regard to the population as a whole, since the items were not selected from the total population on a basis that was expected to be representative. Design of the sample 5. When designing an audit sample, the auditor should consider the specific audit objectives, the population from which the auditor wishes to sample, and the sample size. Audit objectives 6. The auditor would first consider the specific audit objectives to be achieved and the audit procedures which are likely to best achieve those objectives. Consideration of the nature of the audit evidence sought and possible error conditions or other characteristics relating to that audit evidence will assist the auditor in defining what constitutes an error and what population to use for sampling. For example, when performing tests of control over an entity‟s purchasing procedures, the auditor will be concerned with matters such as whether an invoice was clerically checked and properly approved on the other hand, when performing substantive procedures on invoice processed during the period, the auditor will be concerned with matters such as the proper reflection of the monetary amounts of such invoices in the financial statements. Population 7. The population is the entire set of data from which the auditor wishes to sample in order to reach a conclusion. The auditor will need to determine that the population from which the sample is drawn is appropriate to the specific objective. For example, if the auditors objective were to test for overstatement of accounts receivable, the population could be defined as the accounts receivable listing, on the other hand, when testing for understatement of accounts payable, the population would not be accounts payable listing, but rather subsequent disbursements, unpaid invoices, suppliers statements, unmatched receiving reports or other populations that would provide audit evidence of understatement of accounts payable. 8. The individual items that make up the population are known as sampling units. The population can be provided into sampling units in a variety of ways, for example, if the auditor‟s objectives were to test the validity of accounts receivable, the Sampling unit could be defined as customer balance or individual customer invoices. The auditor defines the

sampling unit in order to obtain an efficient and effective sample to achieve the particular audit objectives.

Stratification 9. To assist in the efficient and effective design of the sample stratification may be appropriate. Stratification is the process of dividing a population into sub population, each of which is a group of sampling units, which have similar characteristics (often monetary value). The strata need to be explicitly defined so that each sampling unit can belong to only one stratum. This process reduces the variability of the items within each stratum. Stratification therefore, enables the auditor to direct audit efforts towards the items which for example, contain the greatest potential monetary error. For example, the auditor may direct attention to larger value items for accounts receivable to detect overstated material misstatements. In addition, stratification may result in a smaller sample size. Sample size 10. When determining the sample size, the auditor should consider sampling risk, the tolerable error, and the expected error. Examples of some factors affecting sample size are contained in Table. Sampling risk 11. Sampling risk arises from the possibility that the auditor‟s conclusion, based on as ample, may be different from the conclusion that would be reached if the entire population were subjected to the same audit procedure. 12. The auditor is faced with sampling risk in both tests of control and substantive procedures as follows: (a) Tests of Control: i) Risk of Under Reliance: The risk that, although the sample result does not supports the auditor‟s assessment of control risk, the actual compliance rate would support such an assessment. ii) Risk of Over Reliance: The risk that, although the sample result supports the auditor‟s assessment to control risk, the actual compliance rate would not support such an assessment. (b) Substantive Procedures: i) Risk of Incorrect Rejection: The risk that, although the sample result supports the conclusion that a recorded account balance or class of transactions is materially mis-stated, in fact it is not materially mis-stated. ii) Risk of Incorrect Acceptance: The risk that, although the sample result supports the conclusion that a recorded account balance or class of transactions is not materially isstated, in fact it is materially mis-stated. 13. The risk of under reliance and the risk of incorrect rejection affect audit efficiency as they would ordinarily lead to additional work being performed by the auditor, or the entity, which would establish that the initial conclusions were incorrect. The risk of over reliance and the risk of incorrect acceptance affect audit effectiveness and are more likely to lead to an erroneous opinion on the financial statements that either the risk of under reliance or the risk of incorrect rejection.

14. Sample size is affected by the level of sampling risk the auditor is willing to accept from the results of the sample. The lower the risk the auditor is willing to accept, the greater the sample size will need to be. Tolerable error 15. Tolerable error is the maximum error in the population that the auditor would be willing to accept and still concludes that the result from the sample has achieved audit objective. Tolerable error is considered during the planning stage and, for substantive procedures, is related to the auditor‟s judgment about materiality. The smaller the tolerable error, the greater the sample size will need to be. 16. In tests of control, the tolerable error is the maximum rate of deviation from a prescribed control procedure that the auditor would be willing to accept, based on the preliminary assessment of control risk, in substantive procedures, the tolerable error is the maximum monetary error in an account balance or class of transactions that the auditor would be willing to accept so that when the results of all audit procedures are considered, the auditor is able to conclude, with reasonable assurance, that the financial statements are not materially mis-stated. Expected error 17. If the auditor expects error to be present in the population, a larger sample than when no error is expected ordinarily needs to be examined to conclude that the actual error in the population is not greater than the planned tolerable error. Smaller sample sizes are justified when the population is expected to be error free. In determining the expected error in a population, the auditor would consider such matters as error levels identified in previous audits, changes in the entity‟s procedures, and evidence available from other procedures. Selection of the sample 18. The auditor should select sample items in such a way that the sample can be expected to be representative of the population. This requires that all items in the population have an opportunity of being selected. 19. While there are number selection methods, three methods commonly used are: (a) Random selection which ensures that all items in the population have an equal chance of selection, for example by use of random number tables. (b) Systematic selection, which involves selecting items using a constant interval between selections, the first interval having a random start. The interval might be based on certain number of items (for example, every 20th voucher number) or on monetary totals (for example, every Rs. 1000 increase in the cumulative value of the population).When using systematic selection, the auditor would need to determine that the population is not structured in such a manner that the sampling interval corresponds with a particular patter in the population. For example, if in a population of branch sales, a particular branch‟s sales occur only as every 100th item and the sampling interval selected is 50, the result would be that the auditor would have selected all, or none, of the sales of that particular branch. (c) Haphazard selection, which may be an acceptable alternative to random selection, provided that auditor attempts to draw a representative sample from the entire population with no intention to either include or exclude specific units. When the auditor uses this method, care needs to be taken to guard against making a selection that is biased, for example, towards items which are easily located, as they may not be representative. Evaluation of sample results

20. Having carried out, on each sample item, those audit procedures that are appropriate to the particular audit objective, the auditor should: (a) Analyze any errors detected in the sample. (b) Project the errors found in the sample. (c) Reassess the sampling risk. Analyze of errors in the sample 21. In analyzing the errors detected in the sample, the auditor will first need to determine that an item in question is in fact an error. In designing that sample, the auditor will have defined those conditions that constitute an error by reference to the audit objectives. For example, in a substantive procedure relating to the recording of accounts receivable, a mis posting between customer accounts does not affect the total accounts receivable. Therefore, it may be inappropriate to consider this an error is evaluating the sample results of this particular procedure, even though it may have an effect on other areas of the audit such as the assessment of doubtful accounts. 22. When the expected audit evidence regarding a specific sample item cannot be obtained, the auditor may be able to obtain sufficient appropriate audit evidence through performing alternative procedures. For example, if a positive account receivable confirmation has been requested and no reply was received, the auditor may be able to obtain sufficient appropriate audit evidence that eh receivables is valid by reviewing subsequent payments from the customer. If the auditor does not, or is unable to perform satisfactory alternative procedures, or if the procedures performed do not enable the auditor to obtain sufficient appropriate audit evidence the item would be treated as an error. 23. The auditor would also consider the qualitative aspects of the errors. These include the nature and cause of the error and the possible effect of the error on other phase of the audit. 24. In analyzing the errors discovered, the auditor may observe that many have a common feature, for example, type for transaction, location, product line, or period of time. In such circumstances, the auditor may decide to identify all items in the population which possess the common feature, thereby producing a sub-population, and extent audit procedures in this area. The auditor would than perform a separate analysis based on the items examined for each sub population. Projection of errors 25. The auditor projects the error results of the sample to the population from which the sample was selected. There are several acceptable methods of projecting error results. However, in all the cases, the method of projection will need to be consistent with the method used to select the sampling unit. When projecting error results, the auditor needs to keep in mind the qualitative aspects of the errors found. When the population has been divided into sub-population, the projection of errors is done separately for each subpopulation and the results are combined. Reassessing sampling risk 26. The auditor needs to consider whether errors in the population might exceed the tolerable error. To accomplish this, the auditor compares the projected population error to the tolerable error taking into account the results of other audit procedures relevant to the specific control or financial statement assertion. The projected population error used for this comparison in the case of substantive procedures is net of adjustments made by the entity. When the projected error exceeds tolerable error, the auditor reassesses the sampling risk

and if that risk is unacceptable, would consider extending the audit procedure or performing alternative audit procedures. Effective date 27. This statement on Standard Auditing Practices becomes operative for all audits relating to accounting periods beginning on or after April 1, 1998.

Q.6 What factors influence the internal control environment? Give examples for each factor. Answer: The environment in which internal control operates has an impact on the effectiveness of the specific control procedures. A strong control environment, for example, one with tight budgetary controls and an effective internal audit function, can significantly complement specific control procedures. However, a strong environment does not, by itself, ensure the effectiveness of the overall system of internal control. The system of internal control must be under continuing supervision by management to determine that it is functioning as prescribed and is modified as appropriate for changes in conditions. The whole internal control environment may change from those in a manual setting. The nature of the audit evidence changes when information is a manual setting. The nature of the audit evidence changes when information is readable only by electronic means. The use of computer assisted audit techniques may result in the performance of audit tests by the computer which were previously done manually. In addition, these techniques may enable the auditor to carry out audit procedures that were hitherto impracticable. As new systems are acquired or developed he can determine whether data can be accumulated and stored in a manner that will facilitate later audit. Through maximum utilization of computer assisted audit techniques, the internal auditor may not only improve the quality of audits, but also sharpen his capabilities to perform special reviews for management thus provide better service. The internal control environment may be affected by: a) Organizational Structures: The organizational structure of an entity serves as a framework for the direction and control of its activities. An effective‟s structure provides for the communication of the delegation of authority and the scope of responsibilities. It should be designed, insofar as practicable, to preclude an individual from overriding the control system and should provide for the segregation of incompatible functions. Functions are incompatible if their combination may permit the

commitment of concealment of fraud or error. Functions that typically are segregated are access to assets, authorization of transactions, execution thereof, and record-keeping. b) Management Supervision: Management is responsible for devising and maintaining the system of internal control. In carrying out its supervisory responsibility, management should review the adequacy of internal control on a regular basis to ensure that all significant controls are operating effectively. When an entity has an internal audit system, management may entrust to it some of its supervisor functions, especially with respect to the review of internal control. c) Personnel: The proper functioning of any system depends on the competence and integrity of those operating it. The qualifications, selection and training as well as the personal characteristics of the personnel involved are important features in establishing and maintaining a system of internal control.


Master of Business Administration - MBA Semester 3 Subject Code – MF0013 Subject Name – Internal Audit and Control 4 Credits (Book ID: B1211) Assignment Set- 2

Q.1 Why Internal check in necessary? Choose an organization of your choice and find out how internal checks are put in place. Answer: In accounting and auditing, internal control is defined as a process affected by an organization‟s structure, work and authority flows, people and management information systems, designed to help the organization accomplish specific goals or objectives. It is a means by which an organization's resources are directed, monitored, and measured. It plays an important role in preventing and detecting fraud and protecting the organization's resources, both physical (e.g., machinery and property) and intangible (e.g., reputation or intellectual property such as trademarks).At the organizational level, internal control objectives relate to the reliability of financial reporting, timely feedback on the achievement of operational or strategic goals, and compliance with laws and regulations. At the specific transaction level, internal control refers to the actions taken to achieve a specific objective (e.g., how to ensure the organization's payments to third parties are for valid services rendered.)Internal control procedures reduce process variation, leading to more predictable outcomes. Internal control is a key element of the Foreign Corrupt Practices Act (FCPA) of 1977 and the Sarbanes–Oxley Act of 2002, which required improvements in internal control in United States public corporations. Internal controls within business entities are also referred to as operational control. Internal controls have existed from ancient times. In Hellenistic Egypt there was a dual administration, with one set of bureaucrats charged with collecting taxes and another with supervising them. In the Republic of China, the Control one of the five branches of government, is an investigatory agency that monitors the other branches of government. Definitions There are many definitions of internal control, as it affects the various constituencies (stakeholders) of an organization in various ways and at different levels of aggregation. Under the COSO Internal Control-Integrated Framework, a widely-used framework in the United States, internal control is broadly defined as a process, effected by an entity‟s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories: a) Effectiveness and efficiency of operations; b) Reliability of financial reporting; and c) Compliance with laws and regulations. COSO defines internal control as having five components: 1. Control Environment-sets the tone for the organization, influencing the control consciousness of its people. It is the foundation for all other components of internal control.

2. Risk Assessment-the identification and analysis of relevant risks to the achievement of objectives, forming a basis for how the risks should be managed 3. Information and Communication-systems or processes that support the identification, capture, and exchange of information in a form and time frame that enables people to carry out their responsibilities 4. Control Activities-the policies and procedures that help ensure management directives are carried out. 5. Monitoring-processes used to assess the quality of internal control performance over time. The COSO definition relates to the aggregate control system of the organization, which is composed of many individual control procedures. Discrete control procedures or controls are defined by the SEC as: "...a specific set of policies, procedures, and activities designed to meet an objective. A control may exist within a designated function or activity in a process. A control‟s impact...may be entity-wide or specific to an account balance, class of transactions or application. Controls have unique characteristics – for example, they can be: automated or manual; reconciliations; segregation of duties; review and approval authorizations; safeguarding and accountability of assets; preventing or detecting error or fraud. Controls within a process may consist of financial reporting controls and operational controls (that is, those designed to achieve operational objectives)." Context More generally, setting objectives, budgets, plans and other expectations establish criteria for control. Control itself exists to keep performance or a state of affairs within what is expected, allowed or accepted. Control built within a process is internal in nature. It takes place with a combination of interrelated components - such as social environment effecting behaviour of employees, information necessary in control, and policies and procedures. Internal control structure is a plan determining how internal control consists of these elements. The concepts of corporate governance also heavily rely on the necessity of internal controls. Internal controls help ensure that processes operate as designed and that risk responses (risk treatments) in risk management are carried out. In addition, there needs to be in place circumstances ensuring that the aforementioned procedures will be performed as intended: right attitudes, integrity and competence, and monitoring by managers. Roles and responsibilities in internal control According to the COSO Framework, everyone in an organization has responsibility for internal control to some extent. Virtually all employees produce information used in the internal control system or take other actions needed to affect control. Also, all personnel should be responsible for communicating upward problems in operations, noncompliance with the code of conduct, or other policy violations or illegal actions. Each major entity in corporate governance has a particular role to play: Management: The Chief Executive Officer (the top manager) of the organization has overall responsibility for designing and implementing effective internal control. More than any other individual, the chief executive sets the "tone at the top" that affects integrity and ethics and other factors of a positive control environment. In a large company, the chief executive fulfills this duty by providing leadership and direction to senior managers and reviewing the way

they're controlling the business. Senior managers, in turn, assign responsibility for establishment of more specific internal control policies and procedures to personnel responsible for the unit's functions. In a smaller entity, the influence of the chief executive, often an owner-manager is usually more direct. In any event, in a cascading responsibility, a manager is effectively a chief executive of his or her sphere of responsibility. Of particular significance are financial officers and their staffs, whose control activities cut across, as well as up and down, the operating and other units of an enterprise. Board of Directors: Management is accountable to the board of directors, which provides governance, guidance and oversight. Effective board members are objective, capable and inquisitive. They also have knowledge of the entity's activities and environment, and commit the time necessary to fulfil their board responsibilities. Management may be in a position to override controls and ignore or stifle communications from subordinates, enabling a dishonest management which intentionally misrepresents results to cover its tracks. A strong, active board, particularly when coupled with effective upward communications channels and capable financial, legal and internal audit functions, is often best able to identify and correct such a problem. Auditors: The internal auditors and external auditors of the organization also measure the effectiveness of internal control through their efforts. They assess whether the controls are properly designed, implemented and working effectively, and make recommendations on how to improve internal control. They may also review Information technology controls, which relate to the IT systems of the organization. There are laws and regulations on internal control related to financial reporting in a number of jurisdictions. In the U.S. these regulations are specifically established by Sections 404 and 302 of the Sarbanes-Oxley Act. Guidance on auditing these controls is specified in PCAOB Auditing Standard No. 5 and SEC guidance, further discussed in SOX 404 top-down risk assessment. To provide reasonable assurance that internal controls involved in the financial reporting process are effective, they are tested by the external auditor (the organization's public accountants), who are required to opine on the internal controls of the company and the reliability of its financial reporting. Limitations Internal control can provide reasonable, not absolute, assurance that the objectives of an organization will be met. The concept of reasonable assurance implies a high degree of assurance, constrained by the costs and benefits of establishing incremental control procedures. Effective internal control implies the organization generates reliable financial reporting and substantially complies with the laws and regulations that apply to it. However, whether an organization achieves operational and strategic objectives may depend on factors outside the enterprise, such as competition or technological innovation. These factors are outside the scope of internal control; therefore, effective internal control provides only timely information or feedback on progress towards the achievement of operational and strategic objectives, but cannot guarantee their achievement. Describing Internal Controls Internal controls may be described in terms of: a) the objective they pertain to; and b)the nature of the control activity itself. Objective categorization Internal control activities are designed to provide reasonable assurance that particular objectives are achieved, or related progress understood. The specific target used to

determine whether a control is operating effectively is called the control objective .Control objectives fall under several detailed categories; in financial auditing, they relate to particular financial statement assertions, but broader frameworks are helpful to also capture operational and compliance aspects: 1. Existence (Validity): Only valid or authorized transactions are processed (i.e., no invalid transactions) 2. Occurrence (Cut-off): Transactions occurred during the correct period or were processed timely. 3. Completeness: All transactions are processed that should be (i.e., no omissions) 4. Valuation: Transactions are calculated using an appropriate methodology or are computationally accurate. 5. Rights & Obligations: Assets represent the rights of the company, and liabilities its obligations, as of a given date. 6. Presentation & Disclosure (Classification): Components of financial statements (or other reporting) are properly classified (by type or account) and described. 7. Reasonableness-transactions or results appear reasonable relative to other data or trends. For example, a control objective for the accounts payable function may be stated as:"Payments are made only for authorized products and services received." This is a validity objective. A typical control procedure designed to achieve this objective is: "The accounts payable system compares the purchase order, receiving record, and vendor invoice prior to authorizing payment." Multiple controls may be applicable to achieve a given control objective with a reasonable level of assurance. Management is responsible for implementing appropriate controls that apply to transactions in their areas of responsibility. Internal auditors perform their audits to evaluate whether the controls are designed and implemented effectively to address the relevant objectives. Activity categorization  Control activities may also be explained by the type or nature of activity. These include(but are not limited to):      Segregation of duties - separating authorization, custody, and record keeping roles of fraud or error by one person. Authorization of transactions - review of particular transactions by an appropriate person. Retention of records - maintaining documentation to substantiate transactions. Supervision or monitoring of operations - observation or review of on-going operational activity. Physical safeguards - usage of cameras, locks, physical barriers, etc. to protect property, such as merchandise inventory.

Top-level reviews-analysis of actual results versus organizational goals or plans, periodic and regular operational reviews, metrics, and other key performance indicators (KPIs). IT Security - usage of passwords, access logs, etc. to ensure access restricted to authorized personnel. Top level reviews-Management review of reports comparing actual performance versus plans, goals, and established objectives. Controls over information processing-A variety of control activities are used in information processing. Examples include edit checks of data entered, accounting for transactions in numerical sequences, comparing file totals with control accounts, and controlling access to data, files and programs.

  

Control precision Control precision describes the alignment or correlation between a particular control procedure and a given control objective or risk. A control with direct impact on the achievement of an objective (or mitigation of a risk) is said to be more precise than one with indirect impact on the objective or risk. Precision is distinct from sufficiency; that is, multiple controls with varying degrees of precision may be involved in achieving a control objective or mitigating a risk. Precision is an important factor in performing a SOX 404 top-down risk assessment. After identifying specific financial reporting material misstatement risks, management and the external auditors are required to identify and test controls that mitigate the risks. This involves making judgments regarding both precision and sufficiency of controls required to mitigate the risks. Risks and controls may be entity-level or assertion-level under the PCAOB guidance. Entitylevel controls are identified to address entity-level risks. However, a combination of entitylevel and assertion-level controls are typically identified to address assertion-level risks. The PCAOB set forth a three-level hierarchy for considering the precision of entity-level controls. Later guidance by the PCAOB regarding small public firms provided several factors to consider in assessing precision. Fraud and internal control Internal control plays an important role in the prevention and detection of fraud. Under the Sarbanes-Oxley Act, companies are required to perform a fraud risk assessment and assess related controls. This typically involves identifying scenarios in which theft or loss could occur and determining if existing control procedures effectively manage the risk to an acceptable level. The risk that senior management might override important financial controls to manipulate financial reporting is also a key area of focus in fraud risk assessment. The AICPA, IIA, and ACFE also sponsored a guide published during 2008 that includes a framework for helping organizations manage their fraud risk. Internal Controls and Improvement If the internal control system is implemented only to prevent fraud and comply with laws and regulations, then an important opportunity is missed. The same internal controls can also be used to systematically improve businesses, particularly in regard to effectiveness and efficiency.

Continuous Controls Monitoring Advances in technology and data analysis have led to the development of numerous tools which can automatically evaluate the effectiveness of internal controls. Used in conjunction with continuous auditing, continuous controls monitoring provides assurance on financial information flowing through the business processes. Q.2 Detail the specific problems of electronic data process relating to Internal control Answer: In an EDP system, the following problems arise in the implementation of internal control : a)Separation of duties :In a manual system, separate individuals are responsible for initiating transactions, recording transactions, and custody of assets. As a basic control, separation of duties prevents of detects errors and irregularities. In a computer system, however, the traditional notion of separation of duties does not always apply. For example, as program may reconcile a vendor invoice against a receiving document and print a cheque for the amount owed to accreditor. Thus, this program is performing functions that in a manual systems would be considered incompatible. In a minicomputer and microcomputer environments, separation of incompatible functions may be even more difficult to achieve. Some minicomputers and microcomputers allow users to change programs and data easily; furthermore, they provide no record of these changes. If the minicomputer or microcomputer does not have an inbuilt capability to provide a secure record of changes. It may be difficult to determine whether incompatible functions have been performed by system users. b)Delegation of authority and responsibility :A clear line of authority and responsibility is an essential control in both manual and computer systems. In a computer system, however, delegating authority and responsibility in an unambiguous way may be difficult because some resources are shared among multiple users. For example, one of the objectives of using a database management system is to provide multiple users with access to the same data, thereby reducing the control problems that arise with maintaining redundant data. When multiples users have access to the same data and integrity of the data is somehow violated, it is not always easy to trace who is responsible for corrupting the data and who is responsible for identifying and correcting the error. Some organizations have attempted to overcome these problems by designating a single user as the owner of data. This user assumes ultimate responsibility for the integrity of the data. c)Competent and trustworthy personnel :The technology of data processing is now exceedingly complex much more complex than in the days of manual systems. Highly skilled personnel are needed to develop, modify. maintain and operate today‟s computer systems. Thus, the existence of competent and trustworthy personnel becomes even more important when computer systems are used to process an organization‟s data, since a relatively small number of individuals assume major responsibility for the integrity of the data. Unfortunately, assuring that an organization has competent and trustworthy data processing personnel has been a difficult task. Historically, well trained and experienced data processing personnel have been in short supply. Therefore, organizations sometimes have been forced to compromise in their choice of staff. Moreover, it Is not always easy for an organization to assess the competence and integrity of its EDP staff. High turnover in the data processing industry has been the norm, and the rapid evolution of technology inhibits management‟s ability to evaluate an employee‟s skills.

d)System of authorizations :Management issues two types of authorizations to execute transactions. General authorizations establish policies for the organization to follow. For example, a fixed price list is issued for personnel to use when products are sold. Specific authorizations apply to individual transactions : for example, acquisitions of major capital assets may have to be approved by the board of directors. In a manual system, auditors evaluate the adequacy of procedures for authorization by examining the work of employees. In a computer system, authorization procedures often are embedded within a computer program. For example, the order entry module in a sales system may determine the price to be charged to a customer. Thus, when evaluating the adequacy of authorization procedures, auditors have to examine not only the work of employees but also the veracity of program processing. e)Adequate documents and records :In a manual system, adequate documents and records are necessary to provide an audit trail of activities within the system. In computer systems, documents may not be used to support the initiation, execution and recording of some transactions. For example, in an online order entry system customer orders received by telephone may be entered directly into the system. Similarly, some transactions may be activated automatically by a computer system: for example, an inventory replenishment program may initiate purchase orders when stock levels fall below a set amount. Thus, no visible audit or management trail may be available to trace the transaction. The absence of a visible audit trail is not a problem for the auditor provided that systems have been designed to maintain a record of all events and there is a means of accessing these records. In a well designed computer systems. Audit trails are often more extensive than those maintained in manual systems. Unfortunately, not all computer systems are well designed. Some minicomputer and microcomputer software packages for example, provide inadequate access controls and logging facilities to ensure preservation of an accurate and complete audit trail. When this situation is coupled with a decreased ability to separate incompatible functions, serious control problems can arise. f)Physical control over assets and records :Physical control over access to assets and records is critical in both manual systems and computer systems. Computer systems differ from manual systems, however, in the way they concentrate the data processing assets and records of an organization. For example, in a manual system, a person wishing to perpetrate a fraud may be maintained at a single site the data processing installation. Thus, the perpetrator does not have to go to physically distance locations to execute the fraud. This concentration of data processing assets and records also increases the loss that can arise from computer abuse or a disaster. For example, a fire that destroys a computer room may result in the loss of all major master files in an organization. If the organization does not have suitable backup, it may be unable to continue operations. g)Adequate management supervision :In a manual system, management supervision of employee activities is relatively straight forward because managers and employees are often at the same physical location. In computer systems, however, data communications may be used to enable employees to be closer to the customers they service. Thus, supervision of employees may have to be carried out remotely. Supervisory controls must be built into the computer system to compensate for the controls that usually can be exercised through observation and inquiry. h)Comparing recorded accountability with assets :Periodically, data and the assets that the data purports to represent should be compared to determinewhether incompleteness or inaccuracies in the data exist or shortages in the assets have occurred. In a manual system,

independent staff prepares the basic data used for comparison purposes. In a computer system, however, programs are used to prepare this data. For example, programs may sort an inventory file by warehouse location and prepare counts by inventory item at different warehouses. If unauthorized modifications occur to the programs or data files that the programs use, an irregularity may not be discovered. Q.3 Explain the principal considerations in internal control on: a. Purchases and creditors b. Fixed assets Answer: a. Purchases and creditors Basic considerations for having an effective internal control system for Purchase and creditors are as follows :        The procedure for issuing purchase requisitions should be specified. Where tenders are invited, the procedure for opening and acceptance thereof should be laid down. The preparation and authorization of purchase orders should be under a senior manager. Predetermine guidelines should exist for inspection of goods received, especially with regard to quantity and quality. Documents showing the receipt and acceptance of goods should also be send to the accounts department. The goods receipt documents should be cross checked with final purchase order. An authorize official from the accounts department should be made responsible for checking suppliers‟ invoices, documents regarding purchase returns, purchase records, payments to suppliers, maintenance of ledger accounts and reconciliation of statements sent by suppliers. Before payments are made to suppliers, payment documents duly authorized by a senior official, showing that the goods have been received as specified in the purchase order should be verified by the accounts department. Adequate procedures should be established with regard to purchase returns, discounts on account of inferior quality of goods, and other similar adjustments. Lawful policies and procedures should be implemented with regard to purchases from the companies under the same group and from the employees. The accounts of various suppliers should be confirmed periodically from statements received from them.

   

b. Fixed assets Basic considerations for having an effective internal control system for Fixed Assets are as follows :      Payments for fixed assets should be made only after authorization of the top management. Capital expenditure budget should be prepared regularly. Fixed assets registers should be maintained showing brief particulars of all items. Fixed assets should be physically verified periodically. Serial numbers should be allotted to each item for easy identification. Proper accounting records should be maintained for expenditure during the construction period distinguishing carefully between capital and revenue expenditure.

 

Sale, scrapping, or write off of fixed assets should be allowed only under proper authorization of the top management. The receipts from such disposals should be properly accounted for. Depreciation rates should be properly authorized.

Q.4 Explain the steps of evaluating internal control system using flow chart Answer: The different steps undertaken by the auditor for evaluating the system of internal control has been illustrated through Figure: 11.1 (adapted from „Contemporary Audit „by Kamal Gupta) below:

Study and Evaluation of Internal Controls an Illustration

Now, let us discuss the steps of evaluating internal control system which are as follows: i) Understanding the system: At first the auditor should understand the internal control system with the purpose to have an idea of the flow of transactions and the various controls procedures. This will help him to pinpoint those internal controls on which he might base in doing his audit. To understand the internal control system, it may be useful to choose a few transactions through the system. The auditor should also ascertain whether the internal controls were effective and efficient throughout the period under audit. Organization charts, procedure manuals, job description, and flow charts etc. are some of the tools to have an idea about internal controls system. The auditor can also discuss with different officials of organization. Sometimes, he may have to rely on direct observations and inquiry only. The auditor should, especially in the case of first audit, maintain a detailed written record of his observations on the internal controls system. ii) Test through compliance procedures: Having reviewed the system, the auditor may select the specific controls on which he intends to rely and which, therefore, need to be tested through compliance procedures. He may decide not to rely on certain internal controls which are defective in design, or reliance on which may not be cost effective. It is important to test the application of internal controls in practice. For example, an auditor may take up a few sales bills at random and examine all the related documents right from the order of the customer to the payment received from the customer. At each stage, the auditor would see whether the transaction has taken place as stipulated in the flow chart or in the procedure manual. Thus, if the flow chart prescribes that the detail terms and condition of each order of customer has to be verified by a particular manager, the auditor should examine whether or not this has been done in practice. The objective of compliance tests is to provide a fair confidence to the auditor that the internal controls procedures are being effective as prescribed. The auditor should carry out such tests in case of all procedures on which audit reliance is intended to be placed. Tests of compliance are concerned primarily with the following questions: - Were the necessary procedures complied with? - How were they complied with? - By whom they were complied with? iii) Evaluating the system: Based on his observation during the tests made by him, the auditor has to make an estimate of how far he can depend on various internal controls. Normally, he should have a reasonable confidence that the system is such that the errors and fraud can be discovered automatically. He has to ascertain whether the control procedures as designed to implement are in practice and competent in preventing or detecting material errors and fraud in the accounting system. This is essentially a question of individual judgment in a particular situation. If he finds certain errors or weaknesses in the system, he should try to evaluate the impact of the same on various transactions. Let us suppose he finds weaknesses in the system of maintaining debtors‟ ledger. Since this is a material item, he should ask for independent confirmations from the debtors. Thus, the auditor‟s evaluation of internal control system will determine the nature, timing and extent of his substantive procedures.

Q.5 Lehman Brothers Holding filed for Chapter 11 bankruptcy protection following the massive exodus of most of its clients, drastic losses in its stock and devaluation of its

assets. In context with this case, examine internal control and risk assessment system. Answer: The nature and extent of the procedures performed by the auditor to obtain an understanding of the accounting and internal control systems generally depend on :      Nature of policies or kind of procedures, Changes in operating environment, Size and complexity of the business, Way of documentation of business operations, Auditor‟s assessment of inherent risk.

The auditor should make a study of internal control relevant for his audit. Although most controls related to audit are relevant for financial reporting but all controls relevant for financial reporting may not be relevant for audit. It is the judgment of auditor to decide whether a control individually or in combination with other is relevant for audit or not. Auditor normally classified audit risk for assessment into control risk and inherent risk. Control risk signifies that a material misstatement could occur but would not be prevented or detected by internal control system. Inherent risk signifies the chances that recording of transactions have been done either erroneously or under the influence of management fraudulent activity. Assessment of control risk Assessing control risk is the process of evaluating the effectiveness of an entity‟s accounting an internal control system in preventing or detecting material mis-statements in the financial statements. After having a basic idea of the accounting and internal control system, the auditor should make an initial assessment of control risk for the appropriate assertions in the financial statements. When planning the audit approach, the auditor should consider the initial assessment of control risk to determine the appropriate detection risk to accept for the financial statement assertions. Some of the procedures performed to obtain understanding of the accounting and internal control systems may not have been specifically planned as tests of control but they may provide evidence about the effectiveness of both the design and operation of policies and procedures relevant to certain assertions and, consequently, serve as tests of control e.g. in obtaining understanding of the system pertaining to cash, the auditor may have obtained evidence about the effectiveness of bank reconciliation process through inquiry and observation.

Relationship between the assessments of inherent and control risks: In many cases, inherent risk and control risk are highly interrelated. Also management often reacts to inherent risk situations by designing accounting and internal control systems to prevent and detect mis-statements in such situations, if the auditor attempts separately to assess inherent and control risk when they are highly interrelated, there is a possibility of inappropriate risk assessment. As a result, audit risk may be more appropriately determined in such situation by making a combined assessment. The auditor, in forming his opinion on financial information, needs reasonable assurance that transactions are properly recorded in the accounting records and that transactions have not been omitted. Internal controls, even if fairly simple and unsophisticated, may contribute to the reasonable assurance the auditor seeks. The auditor‟s control risk assessment, together with the inherent risk assessment, influences the nature, timing and extent to substantive procedures to be performed to reduce detection risk to an acceptable level. The assessed levels of inherent and control risks cannot be sufficiently low to eliminate the need for the auditor to perform any substantive procedure for significant account balance and transaction classes. Consequently, regardless of the assessed levels of inherent and control risks the auditor should perform some substantive procedures. The higher the assessment of inherent and control risk, the more assurance the auditor must obtain from the performance of substantive procedures. When both inherent and control risks are assessed at a high level, the auditor should also consider whether substantive procedures will provided sufficient assurance to reduce detection risk to an acceptable level. When the auditor determines that detection risk cannot be reduced to an acceptable level, he should either qualify or disclaim the opinion or, if this if not practicable, withdraw from the engagement. Q.6 Explain the importance of working papers. Answer: The importance of working papers is due to following reasons :  Planning, organization, control and review of audit work: Working papers provided means of planning, organizing, controlling, administering and review of the work. They are the supporting evidence that the audit was conducted as per the generally accepted, auditing standards and practices. Basis of auditor’s opinion: Working papers are the basic documents for the report of the auditor. They also provide a proof that generally accepted auditing standards and practices have been duly followed in the conduct of work. If the validity of the auditor‟s opinion, assertion or recommendation as to the financial statements is later questioned, working papers can be produced as an evidence to establish the said opinion or assertion. The auditor should therefore ensure that the working papers are conclusive and complete in every respect, leaving no question raised therein unanswered. Division of labour: Working papers help in appropriate division of work among the audit stag, in the sense that different working papers may be made the responsibility of different audit clerks under the supervision of a senior clerk or the auditor himself. The progress of the work can thus be effectively monitored even where the audit work extends to different offices or branches of monitored. Even where the audit work extends to different offices or branches of the client, the audit programmes may

be divided into so many parts, or separate audit programmes may be prepared for each place, and then working papers prepared at each place may be complied at the central office to have an overall view of the work.  Use as permanent record: Working papers constitute a permanent record of auditing procedure employed, and the financial records examined. The client can make use of these, in case his own records are lost. Bridge between original transactions and financial statements: Working papers provide an important link between original transactions and the financial statements. This is because an auditor‟s work mostly consists in tracing the business transactions, though on a sample basis, from the original records to the financial statements, and vice versa. Working papers also constitute the basis for making rectification and adjustment entries. Basis for review and revision of internal controls: Internal control questionnaires form part of the working papers. Comments as to the working of the internal control system will also be found in working papers relating to audit tests in respect of each aspect of the enterprise. Thus, working papers facilitate an in-depth review of the internal control system, which forms the basis of recommending suitable changes therein. Basis for evaluation and training of audit staff: Working papers provide a means to test whether the auditor and his staff have done their jobs as per the required standards. They serve as an index to the auditor‟s ability to plan and organize the audit, because at teach stage of audit, he has to take decision as to the nature of evidence to be obtained and the tests to which evidence should be subjected. Review of the past year‟s working papers and reports submitted by senior audit clerks can also be used as a basis to provide the required training to the staff.

Basis for further work: In the course of his examination, the auditor may come across certain situations or conditions in the pattern of management of the client‟s business which, though not directly connected with his work and, therefore, being outside the purview of his report, may nevertheless be useful in future planning. Thus, the notes and analysis prepared by the auditor as part of his working papers may also prove useful to the client in several other areas E(Rj) = Required return E(Rj) = Expected return E(Rm) = Expected return for market index Rf= Risk free return Bj= Beta (normally determines past performance) j= Potential merger partner (target company)