(BOOK ID 0770)


Note: Answer all the questions. Each question carries 10 marks.

1. Explain the principles of Internal Control.

Principles of Internal Control

If internal controls are built without considering the business processes involved, they hinder those processes rather than aid them in preventing, detecting or correcting unlawful events.

The Information Systems Audit and Control Association (ISACA) of the USA has evolved a set of principles to be followed in designing internal controls, particularly when the controls are implemented through the use of Information Technology. Nonetheless, these principles are equally applicable to manual internal controls.

These principles are:

Controls should help in providing information that is relevant and pertinent to the business process and that is delivered in a timely, correct, consistent and usable manner.
For example, a report of customers' cheques deposited by us but dishonoured and returned should reach the Finance Manager as well as the Marketing Manager immediately, so that recovery action and stoppage of further sales happen fast. If such information is received after a long delay, no effective steps can be taken to avoid the losses.
E.g. While studying for this Course, if you do not get the required text books and study materials in time, or they do not have proper contents, you may not be able to complete the Course even if that is your goal.

Controls should achieve the optimal (most productive and economical) use of resources. E.g. Think of a rule where three executives have to sign a payment cheque in a company. It consumes a lot of extra executive time and administration time and results in avoidable losses; designating two executives to sign cheques instead makes no material difference to the control. E.g. When you are studying for this Course, you read the study material loudly and learn it by heart even if it does not make sense to you. Though to an outsider it looks as if you were studying hard, your method of studying is inefficient. Instead, you can read the material, note down the important points and then ruminate on them to understand the subject.

Internal controls should result in the protection of sensitive information from unauthorized disclosure. As one of the objectives of internal controls is to safeguard assets, it is important that persons not authorized to receive information or to exercise an authority are not permitted to do so.
E.g. If the controls set up by you do not prohibit outsiders from entering your company's premises without your permission, there is every possibility that unwanted outsiders may later create problems for you.
E.g. If in your company the printouts of various sales reports are later sold as scrap paper instead of being shredded, your competitors might get valuable information out of them.

Internal controls should achieve the accuracy and completeness of information as well as its validity in accordance with business values and
E.g. The reports generated by your system should provide you all the information needed to make decisions. A sales report might not disclose to you the person who is in charge of a particular territory or product; you will then not be able to make decisions immediately based on the report, because you might require information about the executive who heads that territory or product.
E.g. In your case, if you studied only a few units of the Course and appeared for the exams, you might not pass, as the information possessed by you is incomplete. The same thing happens if you do not have accurate information about the various important aspects of your Course.

Internal controls should process information so that it is available when required by the business process, now and in the future. Thus safeguarding the necessary resources and associated capabilities becomes important. E.g. You may have to save data on CDs or floppies for future use. Back-ups may have to be taken.
E.g. In your case, if you have studied hard for the exams, just before the exams you should be able to recall the important points in the subject. This means you should have made a check-list of important points. If you have not done so and you are also unable to recall them, it becomes very difficult for you to answer the questions in the exams.

We have already studied that internal controls should achieve compliance with those laws, regulations and contractual arrangements to which the business process is subject. Compliance should also be achieved with reference to the various policies of the management.
E.g. If remuneration is being paid by your company, the internal controls set up by the company should also include rules as to the various deductions to be made from salary, like Provident Fund and Income Tax. If your company pays no attention in this regard, there would be non-compliance with the Provident Fund or Income Tax Acts, and such non-compliance would ultimately result in penalties and in additional time and resources wasted by your company, leading to losses.
E.g. In your case, even if you studied methodically and understood everything, if you have not complied with the rules of the University as to appearing for exams, like applying within the due date and paying the prescribed fees in the prescribed mode, you might not be able to appear for the exams.

Internal controls should aim at the provision of appropriate information for management to operate the entity and to exercise its financial and compliance reporting responsibilities.
For example, the data provided as to sales should contain information as to the correct rate of Excise duty or VAT. If the controls set up by you do not prevent the wrong rate of Excise duty or VAT being applied, your company will later have to face problems.
E.g. When you are studying for exams, the text books you study should be those prescribed by the University. If you rely on 'notes' or 'guides' prepared by others, you may later repent that none of the questions from these appeared in the exam!
Thus any set of rules, procedures or policies has to be evolved by an organization keeping all the above principles in mind, so that they do not become redundant later.

2. What is a flow chart? Explain the different types of flow charts

Flow Chart
A flow chart is a graphic presentation of each area of a company's internal control system. It uses standardized flow chart symbols. Some symbols are listed below (more symbols are available in MS Word (WinWord) under the menu 'Auto-shapes'); the symbol graphics themselves are not reproduced here, only their meanings:

Process (the standard symbol is a rectangle)
Decision (a diamond)
Data (a parallelogram)
Document (a rectangle with a wavy bottom edge)
Manual Operation (a trapezoid)

Flow charts can be of different types, as follows:
Control flow charts
Data flow diagrams
Process flow charts
Linear Responsibility Charts

3. Describe access control and Physical and logical assets control.

Access Controls
As we have discussed earlier, in a computerized system authorization or segregation cannot be done orally or in writing as in a manual system; it has to be done through the machine. Thus the persons accessing the computers in a company are given access to the computers so that they can open the computer and get the information. However, the extent of information that they can access and use is decided by the System Administrator, i.e. the person who controls the computers and the information system. Therefore the following internal control measures are invariably used in computers:
Identification of the users of the computers by the computers, through user IDs which are assigned by the System.
Authentication of the users before allowing them access to the computers, through various techniques like passwords, PINs (Personal Identification Numbers), smart cards, and biometric devices like fingerprint or retina scanners.
The extent of access to information should be decided by the Administrator by having Access Control Policies. For example, information can be classified as Top Secret, Secret, Classified or Unclassified.
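The three measures above (identification by user ID, authentication by a secret, and an access-control policy driven by the classification levels named in the text) can be seen working together in a small model. The following is an added example, not code from the original assignment answer: every user, password and document in it is constructed sample data, the salted PBKDF2 password hashing is this example's own choice, and the "clearance must be at least the classification" rule is one simple way to express the policy the text describes.

```python
"""Added illustration: identification, authentication and a classification-based
access-control policy, with an audit trail of every decision."""
import hashlib
import hmac
import os

# Classification levels named in the text, lowest to highest sensitivity.
LEVELS = {"Unclassified": 0, "Classified": 1, "Secret": 2, "Top Secret": 3}


def _derive(password: str, salt: bytes) -> bytes:
    """Salted, deliberately slow password hash (PBKDF2-HMAC-SHA256), so a copied
    user table does not directly yield reusable passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class AccessControlSystem:
    """Holds user credentials with clearances, documents with classifications,
    and an audit log recording each identification and authorization decision."""

    def __init__(self) -> None:
        self._users = {}      # user_id -> (salt, password_hash, clearance)
        self._documents = {}  # document name -> classification
        self.audit_log = []   # one line per decision, for the administrator to review

    def register_user(self, user_id: str, password: str, clearance: str) -> None:
        if clearance not in LEVELS:
            raise ValueError(f"unknown clearance level: {clearance}")
        salt = os.urandom(16)
        self._users[user_id] = (salt, _derive(password, salt), clearance)

    def add_document(self, name: str, classification: str) -> None:
        if classification not in LEVELS:
            raise ValueError(f"unknown classification: {classification}")
        self._documents[name] = classification

    def authenticate(self, user_id: str, password: str) -> bool:
        """Identification (is the user ID known?) followed by authentication
        (does the presented secret match the stored one?)."""
        record = self._users.get(user_id)
        if record is None:
            self.audit_log.append(f"DENY login: unknown user id {user_id!r}")
            return False
        salt, stored_hash, _ = record
        # compare_digest keeps the comparison time independent of where the hashes differ
        ok = hmac.compare_digest(stored_hash, _derive(password, salt))
        self.audit_log.append(f"{'ALLOW' if ok else 'DENY'} login: {user_id}")
        return ok

    def can_read(self, user_id: str, password: str, document: str) -> bool:
        """Access-control policy: an authenticated user may read a document only if
        the user's clearance is at least the document's classification. Unknown
        documents are denied rather than raising an error."""
        if not self.authenticate(user_id, password):
            return False
        clearance = self._users[user_id][2]
        classification = self._documents.get(document)
        if classification is None:
            self.audit_log.append(f"DENY read: {user_id} -> unknown document {document!r}")
            return False
        allowed = LEVELS[clearance] >= LEVELS[classification]
        self.audit_log.append(
            f"{'ALLOW' if allowed else 'DENY'} read: {user_id} ({clearance}) "
            f"-> {document} ({classification})"
        )
        return allowed


def build_sample_system() -> AccessControlSystem:
    """Constructed sample: one analyst cleared to Secret and two documents."""
    acs = AccessControlSystem()
    acs.register_user("analyst01", "correct-horse-battery", "Secret")
    acs.add_document("price_list", "Classified")
    acs.add_document("board_minutes", "Top Secret")
    return acs


if __name__ == "__main__":
    acs = build_sample_system()
    print(acs.can_read("analyst01", "correct-horse-battery", "price_list"))     # True
    print(acs.can_read("analyst01", "correct-horse-battery", "board_minutes"))  # False
    print(acs.can_read("analyst01", "wrong-password", "price_list"))            # False
    print("\n".join(acs.audit_log))
```

The audit log is the part an auditor would ask for: every denied login and every denied read is recorded with the user, the clearance and the classification involved, so the administrator can later verify that the policy was applied as designed.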
Physical and logical assets control:
Access to physical assets assumes a different proportion in a computerized environment. Imagine a company having a huge database of its customers' information at a particular data center. If a hacker attacks such a data center, the possibility of loss is huge due to loss of information; the entire business may come to a standstill. Thus control over physical assets in a computerized environment includes safeguarding information and logical assets like software, programmes etc. Some control features in this regard are:
Use of firewalls and Intrusion Detection Systems
Firewalls do not permit access to outsiders who are not authorized to have it. Similarly, they do not allow insiders to send information to outsiders. Both these features save a company from attempts to attack the computer through viruses, hacking etc. and from misuse of valuable information by insiders.
Intrusion Detection Systems warn the controllers of the computers that another person or system is trying to attack the system, so that the controllers can take preventive action.
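The two roles described above, a firewall that blocks unauthorized traffic in both directions and an intrusion detection system that warns the controllers when someone keeps trying, can be shown with a toy rule set run over a constructed connection log. This is an added example, not code from the original assignment answer: the company network (10.0.0.0/8), the rule set, the partner network and every address and event are constructed sample data using documentation address ranges, and the "repeated denials" alert is one simple detection rule chosen for illustration.

```python
"""Added illustration: a default-deny perimeter firewall and an IDS-style check
that reads the firewall's decisions and names sources that keep being refused."""
import ipaddress
from collections import defaultdict

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # constructed company network
ANY = ipaddress.ip_network("0.0.0.0/0")

# Rule tuples: (direction, source network, destination port or None for any, action).
# The first matching rule wins; anything unmatched falls through to the default deny.
RULES = [
    ("inbound", ANY, 443, "allow"),                                    # public web service
    ("inbound", ipaddress.ip_network("203.0.113.0/24"), 22, "allow"),  # support partner (constructed)
    ("outbound", INTERNAL_NET, 443, "allow"),                          # staff web access
    ("outbound", INTERNAL_NET, 25, "deny"),                            # insiders may not mail data out directly
]


def direction_of(src, dst) -> str:
    """Classify a connection relative to the perimeter."""
    if src in INTERNAL_NET and dst not in INTERNAL_NET:
        return "outbound"
    if src not in INTERNAL_NET and dst in INTERNAL_NET:
        return "inbound"
    return "internal"  # never crosses the perimeter


def evaluate(event: dict) -> str:
    """Return 'allow' or 'deny' for one connection attempt {src, dst, dport}."""
    src = ipaddress.ip_address(event["src"])
    dst = ipaddress.ip_address(event["dst"])
    direction = direction_of(src, dst)
    if direction == "internal":
        return "allow"  # in this model the firewall polices only the perimeter
    for rule_direction, network, port, action in RULES:
        if rule_direction == direction and src in network and port in (None, event["dport"]):
            return action
    return "deny"  # default deny: unlisted traffic is refused in both directions


def detect_repeated_denials(events: list, threshold: int = 5) -> list:
    """IDS-style check. The firewall stops each attempt on its own; this tells the
    controllers which outside source keeps trying, so they can act before the
    attacker finds an opening. Returns sources denied `threshold` or more times."""
    denied = defaultdict(int)
    for event in events:
        src = ipaddress.ip_address(event["src"])
        if src not in INTERNAL_NET and evaluate(event) == "deny":
            denied[event["src"]] += 1
    return sorted(src for src, count in denied.items() if count >= threshold)


# Constructed connection log: one outsider probing several ports, a partner
# logging in over SSH, and an insider trying to send mail straight to the internet.
EVENTS = [
    {"src": "198.51.100.7", "dst": "10.0.0.5", "dport": 443},
    {"src": "198.51.100.7", "dst": "10.0.0.5", "dport": 22},
    {"src": "198.51.100.7", "dst": "10.0.0.5", "dport": 21},
    {"src": "198.51.100.7", "dst": "10.0.0.5", "dport": 23},
    {"src": "198.51.100.7", "dst": "10.0.0.5", "dport": 3389},
    {"src": "198.51.100.7", "dst": "10.0.0.5", "dport": 8080},
    {"src": "203.0.113.10", "dst": "10.0.0.5", "dport": 22},
    {"src": "10.0.0.20", "dst": "192.0.2.50", "dport": 443},
    {"src": "10.0.0.20", "dst": "192.0.2.50", "dport": 25},
]

if __name__ == "__main__":
    for event in EVENTS:
        print(f"{event['src']:>14} -> {event['dst']}:{event['dport']:<5} {evaluate(event)}")
    print("IDS alert for:", detect_repeated_denials(EVENTS))  # ['198.51.100.7']
```

Two details carry the point of the text: the explicit outbound deny on port 25 is the "insiders cannot send information to outsiders" feature, and the default deny at the end of evaluate() is what makes the outsider's probes fail even for ports no rule mentions. The detection step then turns those individual refusals into a single warning to the controllers.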
Use of anti-virus programs and applications
Viruses, worms, Trojans, spyware, logic bombs etc. are threats to the information system. They try to delete, modify or misuse information as well as the system, which results in huge losses to a business firm. For example, due to a virus attack the computers may not work for some time in a company. This results in loss of business and reputation and waste of human resources (employees sitting idle). The solution to this problem is installing anti-virus software and updating it frequently. Such programs detect viruses, worms, Trojans etc. and prevent them from attacking the system.
Physical access controls over persons entering the premises where computers are kept have to be established. Smart cards, biometric devices, guards at the entrance etc. can be used. For example, in some software companies fingerprints have to be verified by the system before an employee or any other person can enter the data center. This feature prevents unauthorized persons from entering the data center and destroying or altering the information.
Computers are prone to threats like variations in the electric supply, the influence of magnetic fields etc. For example, if you take a powerful magnet near a computer, the data on the hard disk may be destroyed or altered. Hence it is important that adequate control is exercised to see that such events do not happen. Energy variation should be prevented by installing Uninterruptible Power Supply (UPS) units. Maintenance of the UPS also becomes important, because if the UPS fails the system fails. Data or information are usually communicated through various communication channels like telecommunication, satellites etc. The possibility of theft of information or modification of data during such transmission exists. Steps are to be taken to prevent, or at least detect, such attempts to attack.



(BOOK ID 0770)


1. Explain the objectives and key sections of SOX

Objectives of SOX:
Provides confidence and trust to investors and the public in the post-Enron era.
Requires management accountability, with a focus on rapid identification and correction of internal control weaknesses, along with additional financial disclosure requirements.
Holds external auditors to higher attestation standards.
Key Sections of SOX:
Section 302 requires the CEO (Chief Executive Officer) and CFO (Chief Financial Officer) of a company to sign, on a quarterly basis, the financial statements of that quarter, attesting to their fairness and to internal control effectiveness. They must also report any significant changes in internal controls since their last evaluation.
Section 404 requires a separate management report on internal control effectiveness and an audit of it by the organization's external financial statement auditor.
Section 906 is related to Sections 302 and 404, and requires that CEOs and CFOs ensure all financial reporting (including annual and periodic reports) fairly presents, in all material respects, the financial condition and results of operations of the issuer. It also provides for significant criminal penalties for non-compliance.
Section 201 prohibits a registered public accounting firm from performing both audit and non-audit services.
Section 301 requires an audit committee to establish "whistleblower" procedures to allow the confidential and anonymous submission of concerns regarding questionable accounting or auditing matters.
Section 409 requires disclosure to the public, on a rapid and current basis, of additional information concerning material changes in the financial condition or operations of the issuer.

2a. Bring out the importance of financial audit to companies.

Importance of Financial Audit

Legal necessity of financial audit
In many countries, auditors are now established as a separate profession requiring government licensing.
In the United States, private audits are usually performed by Certified Public Accountants; auditing of the Federal Government's accounts is conducted by Congress' Government Accountability Office (GAO). The Internal Revenue Service periodically audits individual and corporate tax returns. The Public Company Accounting Oversight Board (established 2002) registers and regulates accountants and accounting firms that act as auditors.
In India the Companies Act requires that every company get its financial statements audited and approved by its shareholders every year. Only members of the ICAI, i.e. Chartered Accountants, are qualified to undertake such company audits. The Income Tax Act 1961 stipulates that a tax audit is to be undertaken by Chartered Accountants, under certain circumstances, for every kind of business, whether corporate or non-corporate.
Thus financial audit has become mandatory for many institutions.
Importance of financial audit to companies:
Financial audit is required and important in many ways:
a) To meet the needs of diverse stakeholders
Financial statements are ordinarily prepared and presented annually and are directed toward the common information needs of a wide range of users. Some such users are:
1. Shareholders
2. Investors/Stock Exchanges
3. Financial institutions
4. Government
5. General Public
Many of these users rely on the financial statements as their major source of information because they do not have the power to obtain additional information to meet their specific needs.
The objective of an audit of financial statements is to enable the auditor to express an opinion on whether the financial statements are prepared in accordance with an identified financial reporting framework (like Accounting Standards). Thus the auditor's opinion enhances the credibility of financial statements by providing a high, but not absolute, level of assurance.
b) Goal conflict in companies
We have already studied in earlier Units how goal conflict might result in weak internal controls. Managers may try to cash in on immediate opportunities by neglecting the long-term health of the company. In these situations audit is a guard or control that tries to prevent this tendency of the directors/managers of the business to neglect the long-term goals of the company.
c) Prevention of frauds and errors
Audit is generally aimed at preventing frauds or errors. An organization where audit is regularly conducted is less prone to fraud. Though audit does not guarantee fraud-free or error-free financial statements, it at least minimizes the chance of future frauds, because, if the accounts are audited every year, a person who intends to commit fraud may become apprehensive of doing so lest he be caught by the auditors.
Further, as we shall see later, in internal audit the job of the auditor is mainly to prevent or detect frauds or errors. Thus audit helps in strengthening internal controls and thereby reduces frauds and errors.
d) Helps in effective decision-making
Because audit is based on Standards, there will be uniformity and quality in the financial statements over the long run. Thus a comparison between two sets of audited financial statements is more meaningful than between two sets of non-audited financial statements. This ultimately helps in effective decision-making by the managers of these businesses as well as by any other stakeholders.

b. How does audit help in preventing frauds and errors?

Responsibility of auditors
Internal auditors are also responsible for frauds and errors, in that they have to check for their existence and suggest better internal controls. External auditors, though not primarily responsible for detecting frauds and errors, are still responsible for taking care to verify the strength of the internal controls that prevent and detect frauds, and for checking for the existence of symptoms of fraud. Hence indirectly they too are responsible for controlling frauds.
Thus it is important to note here that internal controls are very important in detecting frauds and errors of any kind. Those who establish internal controls should have sufficient knowledge of the different types of frauds, or symptoms of frauds, that might occur in a particular business.

3. What are the mandatory standards of ICAI?

Types of Standards issued by ICAI

The Auditing and Assurance Standards issued by the ICAI include the following:
Auditing and Assurance Standards (AAS)
Statements on Auditing
General Clarifications on AAS
Guidance Notes
Technical Guides
Each of them has a different scope and authority attached to it.
Authority Attached to Standards
Authority attached to AAS, Statements on Auditing and General Clarifications on AAS
Auditing and Assurance Standards, Statements on Auditing and General Clarifications on AAS are mandatory in nature.
AAS codify the existing best practices in the area of auditing. AAS are critical for the proper discharge of the functions of an auditor. Statements on Auditing are issued for compliance by members. General Clarifications on AAS are issued in matters where doubts exist.
Accordingly, while discharging their attest function, it is the duty of the members of the ICAI to ensure that these are followed in the audit of financial information covered by their audit reports.
The nature of these Standards requires members to exercise professional judgment in applying them; for example, a member may judge it necessary to depart from an essential procedure laid down in these Standards to achieve the objective of the engagement more effectively.
If, for any reason, a member has not been able to perform an audit in accordance with such Standards, his report should draw attention to the material departures therefrom.
Authority Attached to Guidance Notes
Guidance Notes are designed primarily to provide guidance to members on matters which may arise in the course of their professional work and on which they may desire assistance in resolving issues which may pose difficulty. Guidance Notes are recommendatory in nature. A member should ordinarily follow the recommendations in a Guidance Note except where he is satisfied that, in the circumstances of the case, it may not be necessary to do so.
If the recommendations in a Guidance Note have not been followed, the member should consider whether, keeping in view the circumstances of the case, a disclosure in his report is necessary.
Technical Guides, Studies and Other Papers Published by the AASB
The AASB (Auditing and Assurance Standards Board) may also publish Technical Guides, Studies and Other Papers. Technical Guides are ordinarily aimed at imparting broad knowledge about a particular aspect or an industry to the members. Studies and other papers are aimed at promoting discussion or debate, or creating awareness, on issues relating to quality control, auditing, assurance and related services affecting the profession.
They do not establish any basic principles or essential procedures to be followed in audit, assurance or related services engagements.