
Master of Business Administration - MBA Semester 3
MF0013 – Internal Audit and Control - 4 Credits
(Book ID: B1733) (60 Marks)

Name: BHOLA KUMAR GUPTA
Course: MBA 3RD SEM
Roll No: 511221484
LC Name: ZITE
LC code: 01904

Q1. Discuss in brief the advantages and limitations of auditing.

Answer: Auditing is as old as accounting. The word ‘audit’ has been derived from the Latin word ‘audire’ meaning ‘to hear’, ‘listen’ or ‘give credence to’. In ancient times the person authorized to check the accounts of an estate did the job by hearing the business records from the record-keepers. There is historical evidence that household accounts of early rulers were kept by at least two persons, independently of one another, to keep a check on mistakes and misappropriations. In the Mauryan, Greek and Roman empires, there was a foolproof system of control over public revenue and expenditure.

The International Auditing Practices Committee defines auditing as “the independent examination of financial information of any entity, whether profit-oriented or not and irrespective of its size, or legal form, when such an examination is conducted with a view to expressing an opinion thereon.”

Advantages of Financial Audit:
1. Statutory financial audit gives the owners of a company and other stakeholders the assurance that annual financial reports give true and rational view about the company’s financial performance.
2. Tax audit viz., the audit of financials of the company based on which taxable income is determined and tax paid is mandatory. Tax auditor’s report has to be filed with the tax return.
3. Internal financial audit assists the CEO and his team of operating managers regularly and much more frequently in understanding the financial performance of the company and taking corrective actions necessary.
4. Financial audit is an invaluable tool for prevention and early detection of fraud and errors.
5. Audited financial report together with the auditors’ report is necessary for a company in sourcing funds from banks and other financial institutions.

6. The audited balance sheet of a company read with the auditor’s report is often the base document for valuation of companies in case of mergers, acquisitions or outright sales.

Limitations of Financial Audit: As per SA 200A issued by The Institute of Chartered Accountants of India, the objective of an audit is to express an opinion as to the true and fair view of financial statements. The audit gives no assurance on the future viability of enterprise or the efficiency or effectiveness with which the management has conducted the affairs of the enterprise. These conceptual restrictions arise due to following inherent limitations of auditing:
1. It is a test check: The auditor cannot examine all the transactions given the time and cost constraints. He applies test checks using statistical sampling techniques. The inherent weaknesses of such methods carry an element of uncertainty or risk.
2. It is a post-mortem: The annual statutory audit is not a concurrent activity, but starts only after the year is over. Naturally, the auditor has to rely on explanations given to him by the accountant for activities that happened quite a while ago. The essential truth behind some of the figures may therefore still remain undiscovered.
3. Inherent limitations of internal control system: An auditor largely relies on the internal controls of the enterprise as he cannot check everything. Internal controls are the inbuilt checks and balances in the company’s accounting and administration. But these internal controls themselves are subject to some limitations:
(a) Certain levels of management may override control and make exceptions to procedures.
(b) Persons operating the internal control and employees or outside parties may collude and render the controls ineffective.
(c) There is also human error that may escape the controls.

It should also be understood that audit of accounts does not guarantee the detection of all the errors. Thus, auditing only reduces and does not eliminate the possibilities of error or fraud.

Q2. Discuss the scope and objectives of internal audit.

Answer: Internal audit: Internal audit is another type of general audit. The preface to the standards and guidance notes on internal audit issued by the ICAI defines it as “an independent management function which involves a continuous and critical appraisal of the function of the entity. The objective of internal audit is to suggest improvements to the function of the entity and add value to and strengthen the overall governance mechanism of the entity including its strategic risk management and internal control system.”

The scope and objects of internal audit may be summarised as follows:
1. To review and report on the internal control systems installed.
2. To study and evaluate the coverage and effectiveness of accounting, financial and operating controls.
3. To ascertain the degree of compliance with policies, procedures and standing orders.
4. To verify whether company’s assets are accounted for and adequately guarded against losses.
5. To ascertain the reliability of accounting and other operational data.
6. To provide the management with objective analysis, comments and recommendations in the form of periodic internal audit reports.

Internal audit should not stop with checking the financial records and statements but perform a critical evaluation of the activities that produce the financial results.

Q3. Explain the role of internal auditor as an integral part of management.

Answer: Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.[1] Internal auditing is a catalyst for improving an organization's governance, risk management and management controls by providing insight and recommendations based on analyses and assessments of data and business processes. With commitment to integrity and accountability, internal auditing provides value to governing bodies and senior management as an objective source of independent advice. Professionals called internal auditors are employed by organizations to perform the internal auditing activity.

The Role Of Internal Auditor As An Integral Part Of Management: Internal auditing activity is primarily directed at evaluating internal control. Under the COSO Framework, internal control is broadly defined as a process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of the following core objectives for which all businesses strive:

• Effectiveness and efficiency of operations.
• Reliability of financial and management reporting.
• Compliance with laws and regulations.
• Safeguarding of Assets

Management is responsible for internal control, which comprises five critical components: the control environment, risk assessment, risk focused control activities, information and communication, and monitoring activities. Managers establish policies, processes, and practices in these five components of management control to help the organization achieve the four specific objectives listed above. Internal auditors perform audits to evaluate whether the five components of management control are present and operating effectively, and if not, provide recommendations for improvement.

Role in risk management: Internal auditing professional standards require the function to evaluate the effectiveness of the organization's Risk management activities. Risk management is the process by which an organization identifies, analyzes, responds, gathers information about, and monitors strategic risks that could actually or potentially impact the organization's ability to achieve its mission and objectives. Under the COSO enterprise risk management (ERM) Framework, an organization's strategy, operations, reporting, and compliance objectives all have associated strategic business risks - the negative outcomes resulting from internal and external events that inhibit the organization's ability to achieve its objectives. Management assesses risk as part of the ordinary course of business activities such as strategic planning, marketing planning, capital planning, budgeting, hedging, incentive payout structure, credit/lending practices, mergers and acquisitions, strategic partnerships, legislative changes, conducting business abroad, etc. Sarbanes-Oxley regulations require extensive risk assessment of financial reporting processes.

Role in corporate governance: Internal auditing activity as it relates to corporate governance has in the past been generally informal, accomplished primarily through participation in meetings and discussions with members of the Board of Directors. According to COSO's ERM framework, governance is the policies, processes and structures used by the organization’s leadership to direct activities, achieve objectives, and protect the interests of diverse stakeholder groups in a manner consistent with ethical standards. The internal auditor is often considered one of the "four pillars" of corporate governance, the other pillars being the Board of Directors, management, and the external auditor.

Q4. Explain the steps in internal audit planning.

Answer: Stages in Internal Audit Planning
The three steps through which planning of internal audit takes place are:

Step 1: Understanding of the organisation, its business and its systems

The internal auditor should first acquire in-depth knowledge of the business and the organisation, to help him understand the events, transactions and practices that have a significant impact on the performance of the company. SA 300 issued by ICAI has very clearly narrated the different sources from where the auditor can obtain knowledge of business. The text mentioned below is based on SA 300 and suitably modified to suit our requirement. Some of the key sources of valuable information about the company are:
• The company’s annual reports to shareholders.
• Minutes of meetings of important committees, shareholders and Board of directors.
• Reports of internal financial management for the current year and previous years including budgets.
• The previous year’s audit report, management letter* issued by statutory auditors, working papers and other relevant accounts closing files.
• Visits to different plants and branch offices of the organisation and discussions with key divisional and functional heads.
• The organisation’s policy and procedures manual – Large and professionally run companies usually have a ‘Finance and Accounting Procedures Manual’ (FAPM) and a ‘Delegation of Authority Manual’ (DOA) which set out the organisation’s policies and procedures.
• Publications from the Institute of Chartered Accountants of India and other professional bodies about accounting, reporting and disclosure needs specific to the industry.
• Industry publications, trade journals, magazines, newspaper reports and textbooks.
• Reports on the state of the economy and its effect on the organization’s business.

*Management letter is a document given by statutory auditors on conclusion of the annual audit to the company’s Board on aspects of the financial reporting, internal controls and other governance issues that need to be addressed by the management satisfactorily in the current year. These are not serious matters that need to be included by the auditors in the report or to qualify the audit report, but nevertheless deserve attention of the management.

The internal auditor should provide enough to questions raised about the previous year’s statutory audit report and management letter. He should also respond to matters that require attention which have been pointed out by the external auditor. These matters will definitely merit inclusion in the audit programme.

Discussion with divisional and functional heads might include the following subjects with regard to the concerned function/division:
• Organisational structure and activities.
• Major internal and external developments over the last 12 months.
• Key financial and accounting issues including accounting and reporting standards.
• Statutory rules and regulations.
• Business facilities started and/or closed during the year.
• Activities in which directors or substantial owners of the entity are interested and value of such activities.

• Aspects of technology, product mix, lines of business, sales and distribution methods, etc.

Apart from helping to establish the overall audit plan, knowledge of the auditee’s business is important to help the auditor in identifying areas that need special consideration, assessing the rationality of accounting estimates and management representations, and evaluating the correctness of accounting policies and internal control systems.

Step 2: Development of an overall internal audit plan
In this stage the internal auditor develops the top-level audit plan, which is only a broad summary of the scope and objectives of the audit and does not get into details. The overall plan should consider the following matters:
• Is there a statutory requirement for internal audit? If yes, what are the specific needs of the relevant statute?
• What are the terms of engagement and management’s charter for the internal audit?
• What should be the content, format, timing and frequency of audit reports and other communication required by operational management, the Board and the statutory auditors?
• What are the cost/time limitations on the internal audit activity imposed by management?
• From the inferences gained in step 1, are there areas that need in-depth examination, in the nature of an investigation?
• How should the auditor set materiality levels for reporting alerts?
• How should the internal audit function’s cost/benefit quantification and reporting be planned and executed?
• What are the sensitive areas that need to be handled delicately and in strict confidence? (Some areas are managerial remuneration in private companies, activities in which director is interested, matters of ethics, human relations or gender bias, etc.)
• What is the extent of reliance that can be placed on accounting controls and internal control?
• The overall audit plan should be documented by the internal auditor. The method and extent of the documentation varies depending on the audit’s size and complication.

Stage 3: Preparing the audit programme
1. After having completed the overall plan in stage 2 and getting it prima facie approved, the internal auditor proceeds to fill out the details and convert it into a full-fledged audit programme.
2. The overall plan, as seen in 5.3.4, covers two dimensions of internal audit work viz., functions to be audited and the number of days allotted. We now have to give two more dimensions – the audit team should take charge of each functional audit, and the precise dates.
3. As explained earlier, teams are chosen for audits depending upon the skillsets needed for the particular job, and magnitude of work involved. Dates are concluded in consultation with the concerned functional heads. An effective planning tool is the time schedule which budgets the weeks for the various audit areas.
4. It is vital for the internal auditor to get the dates accepted by the concerned managers in the function. It is not sufficient to get dates approved at the top management level. The programme should be seen as beneficial as much to the auditee as to the company. So if he finds that dates are difficult to get from a functional head or manager he may have to seek general manager-level authority to insist on getting their time and completing the audit.
5. The programme should have adequate provisions for unexpected activities or events that might upset the schedule. For instance, if a functional audit brings up serious issues that need to be investigated it may throw all subsequent audits out of gear unless resource and time buffers are built into the programme.
6. It is also important for the auditor to complete the schedule of audits as programmed and not allow omissions or delays.

Q5. Explain internal control system in banks.

Answer: Internal control system in banks
Different factors influence the internal control structure of any organisation: size, complexity and risk profile of its operations. In this regard an effective internal control system for a bank should consider the following aspects:

1. Control environment: Control environment is the foundation of an internal control system. It includes and reflects the factors that influence the control consciousness of its people. As per Auditing and Assurance Standard 6 issued by ICAI (AAS6), control environment is the overall attitude, awareness and actions of directors and management about the internal control system and its importance in the entity. Factors reflected in the control environment include:
a) Organisational structure of the entity and means of assigning authority and responsibility (including segregation of duties and supervisory functions)
b) The function performed by the board of directors and its committees in any company or any similar governing body in any other entity.
c) The philosophy of management.
d) Systems of management control that includes internal audit, personnel policies, etc.

2. Risk recognition and assessment: To be effective, an internal control system should recognise and continually assess all material risks – internal and external, controllable and uncontrollable – that could affect the achievement of the bank’s objectives. The bank faces various risks at different levels – credit risk, country and transfer risk, market risk, interest rate risk, liquidity risk, operational risk, legal risk, etc. The management must identify, measure and analyse these risks.

3. Control activities: Control activities are management actions to ensure that the personnel are following the bank’s established policies and procedures. Specific control procedures include:
e) Reporting and reviewing reconciliations.
f) Checking arithmetical accuracy of the records.
g) Controlling applications and environment of computer information systems.
h) Maintaining and reviewing control accounts and related subsidiary ledgers.
i) Ensuring approval and control of documents.

j) Comparing internal data with relevant external information.
k) Comparing the results of physical verification of cash, fixed assets, investments and inventory with corresponding accounting records.
l) Restricting access to assets, records and information.
m) Comparing and analysing results with corresponding budgets

4. Segregation and rotation of duties: Authorities and responsibilities of every department should be clearly defined based on the policies of the management, preferably in writing. There should not be any scope of duplication of jobs, duties and assignments. The entity must have a system of rotation of duties among employees.

5. Authorization of transactions: Banks usually prescribe well-set systems of approval and authorization, both generally applicable and specific to some transactions. As public money is often involved, it is vital that authority levels are not breached. For example an industrial advance sanction may require zonal office clearance, while renewal of the advance may be within the authority of a branch head.

6. Accountability for assets: To ensure accountability and safeguarding of assets, it is important that complete records are maintained and access is limited to the authorised personnel only. Every access and every user should be documented. Periodic checking of actual assets with records and identifying discrepancies must be mandated.

7. Accounting, information and communication systems: A comprehensive system of accounting, financial reporting (both management and statutory) and non-financial analysis and reporting with clear content, format and frequency should be in place. Banks usually adopt the following procedures to meet this need:
a) All records are maintained as prescribed with transaction-level details.
b) A unique code number is assigned to each branch and that number should be mentioned in all important documents.
c) All inter office transactions are reconciled methodically during accounts closing.
d) Accounts are closed and financials reported as per strictly laid down schedules

8. Monitoring activities: A full-fledged monitoring system should be in place to assess the effectiveness of internal controls continually. Monitoring is done internally as well as externally.

Q6. Explain Computer Assisted Audit Techniques (CAATs)

Answer: Computer Assisted Audit Techniques (CAATs)
An auditor uses CAATs to carry out audit procedures while auditing through the computer. Some of these techniques are:

1. Test Data Approach
• Under this approach transaction data (test data) prepared by auditor is processed by the client’s processing system under the control of auditor.
• The auditor plants certain errors in data along with correct transactions.
• The results of the processing are compared with the predetermined output by him.

• If errors are detected by the computer for follow-up and corrections, this indicates that all the application and general controls are functioning properly.
• The major disadvantage of this approach is the difficulty in designing test data. The auditor must be technically proficient in designing erroneous data. He should assure himself that the programmes being tested are actually the same as the ones used by the client. Well-laid frauds may be difficult to detect.

2. Integrated Test Data Approach
• Under integrated test data approach, the auditor creates a fictitious entity (e.g. fictitious customer and vendor accounts) within the client’s actual data.
• Hypothetical data for fictitious transactions are integrated with actual client data and processed. These are subsequently removed from records of the client by manually reversing journal entries or through programme commands and then the financial reports are compiled.
• Advantages: This provides assurance that the programs being tested by the auditor have actually been used by the client. It can also be precisely targeted for specific procedures within the programmes.
• Disadvantages: There is the risk that fictitious transactions impact actual results. This approach has a high initial cost.

3. Generalised Audit Software (GAS): In the above approaches the auditor is required to prepare input data or create programs. In case of generalised audit software, audit programmes are designed by computer manufacturers, software professionals and large firms of auditors. The functions which can be performed through GAS are as follows:
(a) Examination and review of records based on auditor’s criteria: The computer can scan the records and point out the exceptions to the criteria established by auditor. For example, software can be designed to scan accounts receivable balances for amounts exceeding the credit limit.
(b) Selecting and printing audit samples: The computer can be used to select and print audit samples using statistical or judgmental sampling techniques. For example receivable accounts may be selected for confirmation using random sampling tables and the computer might be used to print the confirmation letters.
(c) Testing calculations and making computations: GAS helps the auditor to test the accuracy of computations in client’s data files with greater speed as compared to a manual system. For example, the auditor can calculate the doubtful debts to sales ratio for the present year and compare it with the past years to ensure reasonableness of doubtful debts provision for the year under audit.
(d) Comparing data on separate files: An auditor can compare data on separate files to determine whether compatible information is in agreement. Differences, if any, should be reconciled and investigated. Examples include comparing paid vouchers to cash disbursement through cheques and purchases of inventory as per stock records to creditors file.
(e) Summarising data and performing analysis: The auditor summarises and reorganises client data for his purposes. This can be done faster with the help of GAS. For example, he may want to determine the chances of recovery of debtors by looking at the ageing schedule or summarise inventory turnover statistics to determine slow-moving items.

(f) Comparing audit data with client’s records: Audited data must be converted to machine-readable form and compared with the information in client records. For example, comments made by the auditor of inventory on hand may be compared with the quantity shown in the perpetual inventory records or stock verification sheets of the client.

Use of generalised audit software can greatly assist the auditor in performing compliance and substantive tests. Its effectiveness depends upon availability of client data, auditor’s ingenuity and the strength of client’s internal controls.
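
The following is an added example, not part of the original answer and not taken from any audit software package. It sketches three of the GAS functions described above: (a) the credit-limit exception scan, (d) the comparison of paid vouchers with cheque disbursements, and (e) the ageing schedule. All records, customer codes, voucher numbers and function names are constructed for illustration.

```python
from collections import defaultdict
from datetime import date

# Constructed sample data (assumption: not from any real client file).
RECEIVABLES = [  # (customer, invoice, amount, invoice date)
    ("C001", "INV-101", 40000, date(2024, 1, 10)),
    ("C001", "INV-117", 35000, date(2024, 3, 2)),
    ("C002", "INV-102", 12000, date(2023, 11, 20)),
    ("C003", "INV-120", 8000, date(2024, 3, 25)),
]
CREDIT_LIMITS = {"C001": 60000, "C002": 25000, "C003": 10000}
PAID_VOUCHERS = {"V-501": 15000, "V-502": 7200, "V-503": 4300}
CHEQUE_DISBURSEMENTS = {"V-501": 15000, "V-502": 7500, "V-504": 900}
AS_OF = date(2024, 3, 31)  # audit cut-off date used for ageing


def over_credit_limit(receivables, limits):
    """(a) Exception scan: customers whose total balance exceeds the limit."""
    balances = defaultdict(int)
    for customer, _invoice, amount, _inv_date in receivables:
        balances[customer] += amount
    # A customer with no limit on file is treated as limit 0, so any
    # balance for that customer is reported as an exception.
    return {
        customer: (balance, limits.get(customer, 0))
        for customer, balance in sorted(balances.items())
        if balance > limits.get(customer, 0)
    }


def compare_files(vouchers, cheques):
    """(d) File comparison: report differences to reconcile and investigate."""
    differences = []
    for ref in sorted(vouchers.keys() | cheques.keys()):
        paid, drawn = vouchers.get(ref), cheques.get(ref)
        if paid is None:
            differences.append((ref, "cheque without voucher", drawn))
        elif drawn is None:
            differences.append((ref, "voucher without cheque", paid))
        elif paid != drawn:
            differences.append((ref, "amount mismatch", drawn - paid))
    return differences


def ageing_schedule(receivables, as_of, buckets=(30, 60, 90)):
    """(e) Summarise receivable amounts by age in days at the cut-off date."""
    labels = [f"0-{buckets[0]}"]
    labels += [f"{lo + 1}-{hi}" for lo, hi in zip(buckets, buckets[1:])]
    labels.append(f">{buckets[-1]}")
    totals = dict.fromkeys(labels, 0)
    for _customer, _invoice, amount, inv_date in receivables:
        age = (as_of - inv_date).days
        # Index of the bucket = number of upper bounds the age exceeds.
        totals[labels[sum(age > bound for bound in buckets)]] += amount
    return totals


if __name__ == "__main__":
    print("Over credit limit:", over_credit_limit(RECEIVABLES, CREDIT_LIMITS))
    for row in compare_files(PAID_VOUCHERS, CHEQUE_DISBURSEMENTS):
        print("File difference:", row)
    print("Ageing:", ageing_schedule(RECEIVABLES, AS_OF))
```

Each function returns the exceptions rather than correcting anything, which matches the auditor's role described above: the differences are handed back for reconciliation and investigation.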