
INTERNAL AUDIT AND CONTROL

MF0013
1. Distinguish between secretarial audit and cost audit. Write the
advantages and disadvantages of continuous and periodical audit.
Secretarial audit:
1. Secretarial audit may also be called legal audit.
2. A company registered under the Companies Act, 1956 has to comply with
various provisions of the Act. A company secretary ensures that the
workings of the company are in accordance with the provisions of the Act
and other applicable law.
3. The Companies Act has made Secretarial audit mandatory for companies
having paid up share capital of rupees two crores or more by a whole time
secretary. He should be a member of the Institute of Company Secretaries
of India.
4. In terms of section 233A of the Companies Act, the Central Government is
empowered to order a special audit of the accounts of a company for a
specified period where it is of the opinion that: the affairs of the company
are not being managed in accordance with sound business principles or
prudent commercial principles; or any company is being managed in a
manner likely to cause serious injury or damage to the interests of the
trade, industry or business to which it pertains; or the financial
position of any company is such as to endanger its solvency.
5. Special audit under the Act is conducted by professionally qualified
Accountants in the same manner as any company audit with the main
difference that the special auditor submits his report to the central
Government instead of shareholders as in the case of a company auditor
in the normal course.
Cost audit:
1. Cost audit is the verification of the correctness of cost accounts based on
cost accounting principles.
2. Cost accounts are related to the cost of goods produced or service provided
by the enterprises. As per the Companies Act, Cost audit is compulsory
only for some specified companies.
3. According to amended section 233B of the Companies Act, the Central
Government may, if it feels necessary, by an order direct that an audit of
the cost records kept by a company under section 209(1)(d) shall be
conducted by a cost auditor within the meaning of the Cost and Works
Accountants Act, 1959 in such manner as may be specified in the order.
4. Cost audit being in the nature of efficiency audit is very beneficial to
society at large.

Advantages and disadvantages of continuous and periodical audit:
1. A continuous audit is basically a perpetual audit, where the auditor and his
staff are constantly engaged in checking the accounts throughout the year.
[a] An advantage of continuous audit is that errors are rectified at the point they
are committed, not days or months later. Done in a single session.
[b] Quality control is higher.
[c] But it comes at an overhead of cost and time.
[d] Resources need to be assigned for continuous audit.
[e] Sometimes it is obtrusive to normal work.
2. Periodical or Annual audit is done at the end of the financial year (or a
particular time) when finalization of accounts has been completed and
books of accounts closed. A Balance Sheet audit is mainly concerned with
the verification of items appearing in the Balance Sheet such as share
capital, reserve and surplus, current liabilities, fixed assets, current assets,
investments etc in detail.
[a] It happens only after a particular duration.
[b] It is cost effective.
[c] It is used for business reporting, annual reports and balance sheets.
[d] Assets, share capital, book value, investments and liabilities are audited.
[e] It cannot be used for short-term quality control.
[f] Checking is test check only, because one cannot go through all transactions
over a period of time.
[g] Suitable for large organizations.

2. Write the characteristics of internal check system. Explain the
essentials of effective internal auditing.
According to the Guidance note on terms used in Financial Statements issued
by The Institute of Chartered Accountants of India, Internal Check means: A
system of allocation of responsibility, division of work and method of recording
transactions, whereby the work of an employee or group of employees is checked
continuously by correlating it with the work of others. An essential feature is that
no one employee or group of employees has exclusive control over any
transaction or group of transactions.
Internal check is an important process of the internal control system. Under the
system of internal check, it is ensured that the job performed by one employee
gets checked automatically by another employee. No employee alone is allowed
to handle a transaction from beginning to end.
Example: Consider a visit to a bank branch to encash a cheque. First, you present
the cheque at the counter, where the official concerned issues a token and enters
the token number on the back of the cheque and in the token book. The cheque
is then sent to the ledger clerk, who verifies the balance in your account and
makes a debit entry therein. The cheque is then sent to an officer, who verifies your
signature on the cheque against bank records and, if it tallies, sends the
cheque to the cashier to make payment. The cashier makes the payment against
the token handed over to you and records it in his cash register. This is an
excellent example of internal check. Here the arrangement is such that the job of
one employee is automatically checked by another.
We can summarize some characteristics of internal check as below:
1. Proper segregation of duties: roles are defined as on a hardware
assembly line to speed up production; a person with limited knowledge can also
carry out the task fairly simply because responsibility is limited.
2. Automatic checking of job: quality checks are provided at the level of the
atomic task itself.
3. Multiple recording of same transactions: each endpoint records the
transaction.
4. Rotation of jobs: in order to remove dependency and concentration of
expertise, jobs are rotated.
5. Prevention of errors and frauds: quality measures and proper transaction
logging are applied at the endpoints.
6. Separation of custodial and recording functions.
3. The audit firm follows certain policies and procedures. Explain the
quality control policies adopted by an audit firm.
The quality control policies and procedures applicable to a firm's accounting and
auditing practice should encompass the following elements:
[a] Independence: Policies and procedures should be established to provide the
firm with reasonable assurance that personnel maintain independence (in fact
and in appearance) in all required circumstances.
[b] Integrity: The audit firm or any of its partners must not be subject to bribes,
intimidation or other gains. They must keep work ethics, honesty and client
confidentiality on top of everything.
[c] Objectivity: Objectivity is a lucid state of mind, true grit and clarity of thought,
which adds value to the services rendered.
[d] Personnel Management: A firm's quality control system depends heavily on
the proficiency of its personnel. In making assignments, the nature and extent of
supervision to be provided should be considered. Generally, the more able and
experienced the personnel assigned to a particular engagement, the less direct
supervision is needed. The quality of a firm's work ultimately depends on the
integrity, objectivity, intelligence, competence, experience, and motivation of
personnel who perform, supervise, and review the work. Thus, a firm's personnel
management policies and procedures factor into maintaining such quality.
[e] Acceptance and Continuance of Clients and Engagements: Policies and
procedures should be established for deciding whether to accept or continue a
client relationship and whether to perform a specific engagement for that client.
Such policies and procedures should provide the firm with reasonable assurance
that the likelihood of association with a client whose management lacks integrity
is minimized. Establishing such policies and procedures does not imply that a
firm vouches for the integrity or reliability of a client, nor does it imply that a firm
has a duty to any person or entity but itself with respect to the acceptance,
rejection, or retention of clients. However, prudence suggests that a firm be
selective in determining its client relationships and the professional services it
will provide.
[f] Engagement Performance: Policies and procedures should be established to
provide the firm with reasonable assurance that the work performed by
engagement personnel meets applicable professional standards, regulatory
requirements, and the firm's standards of quality.
[g] Monitoring: Policies and procedures should be established to provide the
firm with reasonable assurance and monitoring. Monitoring involves an ongoing
consideration and evaluation of the:
[a] Relevance and adequacy of the firm's policies and procedures.
[b] Appropriateness of the firm's guidance materials and any practice aids.
[c] Effectiveness of professional development activities.
[d] Compliance with the firm's policies and procedures.
When monitoring, the effects of the firm's management philosophy and the
environment in which the firm practices and its clients operate should be considered.
4. Explain the basic principles of governing internal control?
In accounting and auditing, internal control is defined as a process
effected by an organization's structure, work and authority flows,
people and management information systems, designed to help the
organization accomplish specific goals or objectives.[1] It is a means
by which an organization's resources are directed, monitored, and
measured.
COSO defines internal control as having five components:
1. Control Environment - sets the tone for the organization, influencing the
control consciousness of its people. It is the foundation for all other
components of internal control.
2. Risk Assessment - the identification and analysis of relevant risks to the
achievement of objectives, forming a basis for how the risks should be
managed.
3. Information and Communication - systems or processes that support
the identification, capture, and exchange of information in a form and
time frame that enable people to carry out their responsibilities.
4. Control Activities - the policies and procedures that help ensure
management directives are carried out.
5. Monitoring - processes used to assess the quality of internal control
performance over time.
Context
More generally, setting objectives, budgets, plans and other expectations establishes
criteria for control. Control itself exists to keep performance or a state of affairs
within what is expected, allowed or accepted. Control built within a process is
internal in nature. It takes place through a combination of interrelated components,
such as the social environment affecting the behaviour of employees, the information
necessary for control, and policies and procedures. The internal control structure is a
plan determining how internal control consists of these elements.
The concepts of corporate governance also heavily rely on the necessity of internal
controls. Internal controls help ensure that processes operate as designed and that
risk responses (risk treatments) in risk management are carried out. In
addition, there needs to be in place circumstances ensuring that the
aforementioned procedures will be performed as intended: right attitudes,
integrity and competence, and monitoring by managers.
Roles and responsibilities in internal control
According to the COSO Framework, everyone in an organization has
responsibility for internal control to some extent. Virtually all employees
produce information used in the internal control system or take other actions
needed to affect control. Also, all personnel should be responsible for
communicating upward problems in operations, noncompliance with the
code of conduct, or other policy violations or illegal actions. Each major
entity in corporate governance has a particular role to play:
Management: The Chief Executive Officer (the top manager) of the
organization has overall responsibility for designing and implementing
effective internal control. More than any other individual, the chief executive
sets the "tone at the top" that affects integrity and ethics and other factors of
a positive control environment. In a large company, the chief executive fulfills
this duty by providing leadership and direction to senior managers and
reviewing the way they're controlling the business. Senior managers, in turn,
assign responsibility for establishment of more specific internal control
policies and procedures to personnel responsible for the unit's functions. In a
smaller entity, the influence of the chief executive, often an owner-manager,
is usually more direct. In any event, in a cascading responsibility, a manager
is effectively a chief executive of his or her sphere of responsibility. Of
particular significance are financial officers and their staffs, whose control
activities cut across, as well as up and down, the operating and other units of
an enterprise.

Board of Directors: Management is accountable to the board of
directors, which provides governance, guidance and oversight. Effective
board members are objective, capable and inquisitive. They also have a
knowledge of the entity's activities and environment, and commit the
time necessary to fulfil their board responsibilities. Management may be in
a position to override controls and ignore or stifle communications from
subordinates, enabling a dishonest management which intentionally
misrepresents results to cover its tracks. A strong, active board, particularly
when coupled with effective upward communications channels and capable
financial, legal and internal audit functions, is often best able to identify and
correct such a problem.
Auditors: The internal auditors and external auditors of the organization
also measure the effectiveness of internal control through their efforts. They
assess whether the controls are properly designed, implemented and
working effectively, and make recommendations on how to improve
internal control. They may also review Information technology controls,
which relate to the IT systems of the organization. There are laws and
regulations on internal control related to financial reporting in a number of
jurisdictions. In the U.S. these regulations are specifically established by
Sections 404 and 302 of the Sarbanes-Oxley Act. Guidance on auditing these
controls is specified in PCAOB Auditing Standard No. 5 and SEC guidance,
further discussed in SOX 404 top-down risk assessment. To provide reasonable assurance that
internal controls involved in the financial reporting process are effective, they
are tested by the external auditor (the organization's public accountants),
who are required to opine on the internal controls of the company and the
reliability of its financial reporting.
Limitations: Internal control can provide reasonable, not absolute,
assurance that the objectives of an organization will be met. The concept of
reasonable assurance implies a high degree of assurance, constrained by the
costs and benefits of establishing incremental control procedures.
Effective internal control implies the organization generates reliable
financial reporting and substantially complies with the laws and regulations
that apply to it. However, whether an organization achieves operational and
strategic objectives may depend on factors outside the enterprise, such
as competition or technological innovation. These factors are outside the
scope of internal control; therefore, effective internal control provides only
timely information or feedback on progress towards the achievement of
operational and strategic objectives, but cannot guarantee their
achievement.
Describing Internal Controls
Internal controls may be described in terms of: a) the objective they pertain
to; and b) the nature of the control activity itself.
Objective categorization
Internal control activities are designed to provide reasonable assurance that
particular objectives are achieved, or related progress understood. The specific
target used to determine whether a control is operating effectively is called the
control objective. Control objectives fall under several detailed categories; in
financial auditing, they relate to particular financial statement assertions, but
broader frameworks are helpful to also capture operational and compliance
aspects:
1. Existence (Validity): Only valid or authorized transactions are processed
(i.e., no invalid transactions).
2. Occurrence (Cut-off): Transactions occurred during the correct period or
were processed timely.
3. Completeness: All transactions are processed that should be (i.e., no
omissions).
4. Valuation: Transactions are calculated using an appropriate
methodology or are computationally accurate.
5. Rights & Obligations: Assets represent the rights of the company, and
liabilities its obligations, as of a given date.
6. Presentation & Disclosure (Classification): Components of financial
statements (or other reporting) are properly classified (by type or
account) and described.
7. Reasonableness: Transactions or results appear reasonable relative to
other data or trends.
For example, a control objective for the accounts payable function may be
stated as: "Payments are made only for authorized products and services
received." This is a validity objective. A typical control procedure designed
to achieve this objective is: "The accounts payable system compares the
purchase order, receiving record, and vendor invoice prior to authorizing
payment." Multiple controls may be applicable to achieve a given control
objective with a reasonable level of assurance.
Management is responsible for implementing appropriate controls that apply
to transactions in their areas of responsibility. Internal auditors perform their
audits to evaluate whether the controls are designed and implemented
effectively to address the relevant objectives.
Activity categorization
Control activities may also be explained by the type or nature of activity. These
include (but are not limited to):
Segregation of duties - separating authorization, custody, and record
keeping roles to prevent fraud or error by one person.
Authorization of transactions - review of particular transactions by an
appropriate person.
Retention of records - maintaining documentation to substantiate
transactions.
Supervision or monitoring of operations - observation or review of
on-going operational activity.
Physical safeguards - usage of cameras, locks, physical barriers, etc.
to protect property, such as merchandise inventory.
Top-level reviews - analysis of actual results versus organizational goals
or plans, periodic and regular operational reviews, metrics, and other
key performance indicators (KPIs).
IT Security - usage of passwords, access logs, etc. to ensure access is
restricted to authorized personnel.
Top-level reviews - management review of reports comparing actual
performance versus plans, goals, and established objectives.
Controls over information processing - a variety of control activities are used
in information processing. Examples include edit checks of data entered,
accounting for transactions in numerical sequences, comparing file
totals with control accounts, and controlling access to data, files and
programs.
Control precision
Control precision describes the alignment or correlation between a
particular control procedure and a given control objective or risk. A control
with direct impact on the achievement of an objective (or mitigation of a
risk) is said to be more precise than one with indirect impact on the
objective or risk. Precision is distinct from sufficiency; that is, multiple
controls with varying degrees of precision may be involved in achieving a
control objective or mitigating a risk.
Precision is an important factor in performing a SOX 404 top-down risk
assessment. After identifying specific financial reporting material
misstatement risks, management and the external auditors are required to
identify and test controls that mitigate the risks. This involves making
judgments regarding both precision and sufficiency of controls required to
mitigate the risks.
Risks and controls may be entity-level or assertion-level under the PCAOB
guidance. Entity-level controls are identified to address entity-level
risks. However, a combination of entity-level and assertion-level controls
are typically identified to address assertion-level risks. The PCAOB set forth
a three-level hierarchy for considering the precision of entity-level controls.
Later guidance by the PCAOB regarding small public firms provided
several factors to consider in assessing precision.
Fraud and internal control
Internal control plays an important role in the prevention and detection
of fraud. Under the Sarbanes-Oxley Act, companies are required to
perform a fraud risk assessment and assess related controls. This typically
involves identifying scenarios in which theft or loss could occur and
determining if existing control procedures effectively manage the risk to an
acceptable level. The risk that senior management might override
important financial controls to manipulate financial reporting is also a key
area of focus in fraud risk assessment.
The AICPA, IIA, and ACFE also sponsored a guide published during
2008 that includes a framework for helping organizations manage their
fraud risk.
Internal Controls and Improvement
If the internal control system is implemented only to prevent fraud and
comply with laws and regulations, then an important opportunity is missed.
The same internal controls can also be used to systematically improve
businesses, particularly in regard to effectiveness and efficiency.
Continuous Controls Monitoring
Advances in technology and data analysis have led to the development
of numerous tools which can automatically evaluate the effectiveness of
internal controls. Used in conjunction with continuous auditing,
continuous controls monitoring provides assurance on financial
information flowing through the business processes.

5. Discuss the specific problems of Electronic Data Processing (EDP)
relating to internal control.
Electronic data processing is the function of planning, recording, managing and
reporting business transactions by the use of computers and related peripherals.
In EDP, data is first taken from source documents such as invoices, revenue
receipts, payment vouchers, written checks etc. Thereafter the data is input to the
computer, where it is entered via the keyboard or other data entry peripherals.
The entered data is then processed according to the accounting package in use;
since there are different structures of modules used in sundry accounting
application software, processing of the same data may differ from one package
to another. Reporting is one of the processing features, so it is apparent that the
types of reports produced may vary from one system or package to another.
For example, some systems may provide almost all basic financial reports, such as:
The trial balance,
The statement of financial position commonly known as the balance sheet,
The statement of financial performance which is commonly known as the
statement of income and expenditure or the profit and loss account,
The statement of cash flows,
The statement of changes in equity
Packages of this type, which offer almost all financial reports, may be said to be
compatible with all types of financial processing needs; they are really expensive
and are used in many business and non-business entities.
Turning to other packages that don't offer all statements, we can see that they
have specific and limited applications that range from business to non-business;
some give only the trial balance, leaving the rest of the reports to be prepared by
the accountant. Others give all other statements except the cash flow statement.
This problem calls for the need to have a system analyst in organizations. These
professionals have the responsibility of studying the needs of the organization
with regard to electronic data processing issues. They do this through a
feasibility study, which is facilitated by communication with the top financial
executives of the organization.
Advantages
Fast and instant services in financial institutions or banks as compared to
manual data processing; formerly it used to be harder to get even your
savings or current statement from the bank.
Records of retired civil servants were not easily and readily available in the
past, which caused much disturbance to old people who had served in the
government for many years; whereas with modern electronic data processing
such services are performed very fast and retirees are free from the
former troubles.
Performance in manufacturing industries and related works has improved
due to automated inventory systems which control purchases and stocks so
that there is no idle cash tied up in unnecessary stock pile-ups.
Disadvantages
Electronic data processing systems have decreased vacancies for
accountants, as one person can perform the tasks that could have been done
by five people. For example, on entering a transaction where purchases have
been made by cash or on credit, stock will automatically be adjusted; total
purchases will also be adjusted; the bank account will be adjusted if the
purchase was by cash; the creditors' total amount will be adjusted if the
purchase was on credit; and finally the financial statements, i.e. the financial
position statement and financial performance statement, and the cash flows if
the purchase was by cash, will automatically be adjusted. These are just a few
of the activities that will be done after a simple entry of the transaction in the
system by one accountant.
Electronic data processing requires more expertise, and therefore a lot of
money is required to be invested in IT so that the organization can run
smoothly.
It is not possible to use electronic data processing without computers or
where there is no steady supply of power.
6. Explain the factors for having the effective internal control system
for a bank.
Internal control system in banks
Different factors influence the internal control structure of any organisation (e.g.
Bank): size, complexity and risk profile of its operations. In this regard an
effective internal control system for a bank should consider the following
aspects:
1. Control environment: Control environment is the foundation of an internal
control system. It includes and reflects the factors that influence the control
consciousness of its people. As per Auditing and Assurance Standard 6 issued by
ICAI (AAS6), control environment is the overall attitude, awareness and actions of
directors and management about the internal control system and its importance
in the entity. Factors reflected in the control environment include:
a) Organizational structure of the entity and means of assigning authority and
responsibility (including segregation of duties and supervisory functions)
b) The function performed by the board of directors and its committees in any
company or any similar governing body in any other entity.
c) The philosophy of management.
d) Systems of management control that includes internal audit, personnel
policies, etc.

2. Risk recognition and assessment: To be effective, an internal control
system should recognize and continually assess all material risks (internal
and external, controllable and uncontrollable) that could affect the
achievement of the bank's objectives. The bank faces various risks at
different levels: credit risk, country and transfer risk, market risk, interest
rate risk, liquidity risk, operational risk, legal risk, etc. The management
must identify, measure and analyze these risks.
3. Control activities: Control activities are management actions to ensure that
the personnel are following the bank's established policies and procedures.
Specific control procedures include:
e) Reporting and reviewing reconciliations.
f) Checking arithmetical accuracy of the records.
g) Controlling applications and environment of computer information
systems.
h) Maintaining and reviewing control accounts and related subsidiary ledgers.
i) Ensuring approval and control of documents.
j) Comparing internal data with relevant external information.
k) Comparing the results of physical verification of cash, fixed assets,
investments and inventory with corresponding accounting records.
l) Restricting access to assets, records and information.
m) Comparing and analysing results with corresponding budgets.
4. Segregation and rotation of duties: Authorities and responsibilities of
every department should be clearly defined based on the policies of the
management, preferably in writing. There should not be any scope of
duplication of jobs, duties and assignments. The entity must have a system of
rotation of duties among employees.
5. Authorisation of transactions: Banks usually prescribe well-set systems
of approval and authorisation, both generally applicable and specific to
some transactions. As public money is often involved, it is vital that
authority levels are not breached. For example an industrial advance
sanction may require zonal office clearance, while renewal of the advance
may be within the authority of a branch head.
6. Accountability for assets: To ensure accountability and safeguarding of
assets, it is important that complete records are maintained and access is limited
to the authorised personnel only. Every access and every user should be
documented. Periodic checking of actual assets with records and identifying
discrepancies must be mandated.

7. Accounting, information and communication systems: A comprehensive
system of accounting, financial reporting (both management and statutory) and
non-financial analysis and reporting with clear content, format and frequency
should be in place. Banks usually adopt the following procedures to meet this
need:
a) All records are maintained as prescribed with transaction-level details.
b) A unique code number is assigned to each branch and that number should be
mentioned in all important documents.
c) All inter-office transactions are reconciled methodically during accounts
closing.
8. Monitoring activities: A full-fledged monitoring system should be in place to
assess the effectiveness of internal controls continually. Monitoring is done
internally as well as externally. For internal monitoring or self-assessment, the
review functions are delegated to the staff at different levels. Monitoring
activities are integrated into the daily activities as well as undertaken as specified
periodic evaluations.