
Master of Business Administration - Semester 3
MF 0013: INTERNAL AUDIT AND CONTROL (4 credits) (Book ID: B1211)
Assignment Set-2 (60 Marks)

Q1. Write a note on the following: a. Internal audit b. Statutory audit

Ans. (a) Internal audit: Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes. Internal auditing is a catalyst for improving an organization's effectiveness and efficiency by providing insight and recommendations based on analyses and assessments of data and business processes. With commitment to integrity and accountability, internal auditing provides value to governing bodies and senior management as an objective source of independent advice. Professionals called internal auditors are employed by organizations to perform the internal auditing activity. The scope of internal auditing within an organization is broad and may involve topics such as the efficacy of operations, the reliability of financial reporting, deterring and investigating fraud, safeguarding assets, and compliance with laws and regulations. Internal auditing frequently involves measuring compliance with the entity's policies and procedures. However, internal auditors are not responsible for the execution of company activities; they advise management and the Board of Directors (or similar oversight body) regarding how to better execute their responsibilities. As a result of their broad scope of involvement, internal auditors may have a variety of higher educational and professional backgrounds.

(b) Statutory audit: Statutory audit is the audit of books of accounts according to the requirements of any statute, to ensure a true and fair view of the accounts as well as compliance with any special requirements of the statute under which the audit is undertaken. In simple terms, statutory audit in India is equated with audit under the Companies Act. Every company incorporated under the Companies Act is required to get its accounts audited by a Chartered Accountant in Practice to ensure a true and fair view of the accounts. Further, the auditor has to ensure compliance with various provisions of the Companies Act. Statutory audit ensures the reliability of the annual accounts of the company for various consumers of the accounts of the company, such as government, shareholders, debtors, creditors, bankers etc.

YASHDEEP GUPTA

581112528

Q2. Differentiate internal audit and internal check.

Ans. The main points of distinction between internal audit and internal check are as follows:

a) Definition: Internal audit is a specific appraisal activity of operations, financial or otherwise, and related records thereof. Internal check is an arrangement of jobs in such a manner that the work of each employee is checked by another and no employee is in charge of any work completely from beginning to end.
b) Purpose: The main purpose of internal audit is to find errors and frauds. The main purpose of internal check is the prevention of errors and frauds.
c) Personnel: As internal check is an inbuilt process of internal control, no separate personnel are required for the job. For internal audit, however, separate staff are required to conduct the job.
d) Timing: Internal check is a continuous process. It begins the moment a transaction starts and finishes after all aspects are recorded. Internal audit is a post mortem appraisal system and starts after the completion of recording of transactions.

Q3. Describe internal audit tests.

Ans. Audit tests are extensively used by auditors during audit work of any kind, such as statutory audit, internal audit, government audit etc. Audit is basically an opinion forming exercise. The auditor is supposed to form an opinion about the financial statements, books of accounts and internal control systems of the organization. For this he has to collect audit evidence through detailed audit programmes and procedures. Before determining audit procedures, the auditor needs to satisfy himself that the internal control system as it exists in the enterprise is actually working effectively. For this he does a number of tests, which are called audit tests. With the help of audit tests, the auditor saves his time and cost for the enterprise. Some of the important audit tests, viz. compliance tests, depth tests and rotational tests, are discussed below:

Compliance tests

Compliance tests are tests applied to check that the internal control procedures as laid down are actually followed in practice. For example, through enquiry, the internal auditor comes to know that the Bank Reconciliation Statement is prepared by an official who is independent of the cash and bank department. This is important evidence of an internal control procedure, but before forming an opinion, the internal auditor should satisfy himself through a compliance test that it is actually followed in practice. In a nutshell, compliance tests are tests which the auditor carries out to establish the actual compliance of the internal control system.

Depth tests

A depth test implies a detailed and thorough examination of transactions from their origin to the conclusion. This test includes the thorough examination of the various documents and records created at each stage for a particular transaction to check the existence and implementation of a specific internal control procedure.


For example, verification of cash receipts (including from debtors) can be done in depth by checking the following documents and records:

a) Prelist of cash receipts
b) Statement of remittance advice
c) Ledger of customer account
d) Sales ledger
e) Bank statements
f) Bank deposit slips
g) The invoices issued to the customers etc.

It is not necessary that the above procedure be followed in the sequence suggested above. The important point is that every aspect of the transaction should be checked. It is worth mentioning here that depth testing is a widely accepted practice in contemporary auditing.

Rotational tests

Rotational tests usually relate to either various areas of audit or various units of the enterprise. The auditor, keeping in view his time constraint, conducts his audit on a rotation basis. Suppose, for example, the organization has 40 branches all over India. In this situation, it will be practically difficult for the auditor to visit all the 40 branches of the business organization. It is normal for the auditor to arrange his visits in such a way that within 4 years (i.e. 10 branches every year) he can visit all the branches. This is called rotational testing. However, in choosing 10 branches for visits the auditor should follow a random basis.

Q4. Develop an internal control scheme for Banks.

Ans. The internal control structure of any organization depends upon the size, complexity and risk profile of its operation. However, the basic principle underlying any internal control process is the same: that it is efficient and effective and helps in achieving its desired objectives. The basic components of an effective internal control system of a bank are discussed below:

I) Control Environment: This is the underlying foundation for the success of all the other elements of internal control. As per Auditing and Assurance Standard 6 issued by ICAI (AAS 6), the control environment means the overall attitude, awareness and actions of directors and management regarding the internal control system and its importance in the entity. The control environment has an effect on the effectiveness of the specific control procedures and provides the background against which other controls are operated. Factors reflected in the control environment include:

a) The entity's organizational structure and methods of assigning authority and responsibility (including segregation of duties and supervisory functions).
b) The function of the board of directors and its committees in the case of a company, or the corresponding governing body in the case of any other entity.
c) Management's philosophy and operating style.
d) Management's control system including the internal audit function, personnel policies and procedures.


II) Risk Recognition and Assessment: An effective internal control system requires that all material risks, internal and external, controllable and uncontrollable, that could affect the achievement of the bank's objectives, are recognized and continually assessed. Management must identify, measure and analyze the various kinds of risks faced by the bank at all levels, including credit risk, country and transfer risk, market risk, interest rate risk, liquidity risk, operational risk, legal risk, reputation risk etc. This risk assessment process helps the management to be aware of the risks faced by the bank and determine the internal controls required to manage these risks. Risks are not a static phenomenon and keep on changing with time and circumstances. In order to ensure that the system of internal controls that addresses the risks faced by the bank is effective, the management needs to continuously evaluate its risk profile.

III) Control Activities: Control activities are the policies and procedures that ensure that bank personnel are following the management directives for achieving the bank's objectives. Control activities are the basic tools through which management ensures that its internal control objectives are realized by controlling the risks assessed as above. As per AAS 6, an internal control system includes control procedures, which are the policies and procedures, in addition to the control environment, which management has established to achieve the entity's specific objectives. Specific control procedures include:

a) Reporting and reviewing reconciliations.
b) Checking the arithmetical accuracy of the records.
c) Controlling applications and environment of computer information systems.
d) Maintaining and reviewing control accounts and related subsidiary ledgers.
e) Approving and controlling of documents.
f) Comparing internal data with external sources of information.
g) Comparing the results of physical verification of cash, fixed assets, investments and inventory with corresponding accounting records.
h) Restricting direct access to assets, records and information.
i) Comparing and analyzing the financial results with corresponding budgeted figures.

IV) Segregation and Rotation of Duties: This is the primary control activity to ensure that frauds and errors are prevented or detected, as the case may be, in a timely manner. Segregation and rotation of duties reduce a person's opportunity to commit fraud and ensure detection of errors and mistakes.

V) Authorization of Transactions: Banks usually follow a system of approvals and authorization to execute specified kinds of transactions in accordance with prescribed conditions. Authorization may be general and applicable to all transactions, or specified for a single transaction. Thus it is necessary to ensure that the authorizations are made by persons acting within their scope of authority.

VI) Accountability for and Safeguarding of Assets: Accountability for and safeguarding of assets can be ensured by maintaining adequate records and limiting access. Access to assets should be limited to authorized personnel and there should be documentation for any access or use. Access is not limited to physical access but also includes indirect access by way of preparing documents for their acquisition or disposal. Periodic checking of actual assets against records also helps to ensure that there has been no fraud, violation etc.

VII) Accounting, Information and Communication Systems: An effective internal control system requires that there are adequate and comprehensive internal financial, operational and compliance


data, as well as external market information about events and conditions that are relevant to decision making. Information should be reliable, timely, accessible and provided in a consistent format. Banks usually follow the following procedures to achieve these objectives:

a) All records are maintained in the prescribed books and registers only, which ensures that all requisite particulars of a transaction are adequately recorded.
b) Each branch is assigned a unique code number which is required to be specified in all the important documents.
c) All books are balanced periodically and confirmed by an official.
d) All inter office transactions are reconciled within a specified time-frame.

VIII) Monitoring Activities: The overall effectiveness of the bank's internal controls should be monitored on an ongoing basis. Management should ensure that the internal control systems are functioning properly and are suitable in light of changing circumstances. This assessment should be on an ongoing basis to institute preventive and corrective measures in a timely manner. Monitoring can be done both internally and externally. Internal monitoring or self-assessment is done by delegating review functions to the staff at different levels. Monitoring activities are integrated as a part of daily activities as well as undertaken as specified periodic evaluations. For a transparent and fair review of the bank's internal control system, the help of external agencies should be taken. Banks usually have an elaborate, well organized system of internal audit which is carried on by a separate department in the bank or by firms of Chartered Accountants. Banks also have their own vigilance department to investigate matters relating to fraud, misappropriation etc. Additionally, there are also periodic RBI inspections.

Q5. Discuss the role of internal auditor as a part of management.

Ans.
Management is an art and science of conducting the affairs of an organization in such a manner that its goals and objectives are achieved through optimum utilization of available resources. For optimum utilization of available resources, management should quantify its objectives through budgets and targets. The role of internal auditors should be to constantly review and monitor the policies, procedures, budgets and targets of the organization. Deviations, if any, should be immediately reported to the appropriate authority. The role of internal auditor as a part of management is as follows:

I) Review of Internal Control System: The internal auditor should review the internal control system of the organization. He should determine whether the existing control system is appropriate and adequate keeping in view the objectives of the organization.

II) Review of Safeguards for Assets: The main concern of management is to establish that all assets of the company are adequately protected against any damage or loss of any kind. Here an internal auditor can play a very important role by reviewing the means used for safeguarding assets against losses, mainly fire, theft, damage due to improper use etc. Proper accounting of all assets should be ensured.

III) Review of Compliance with Policies, Plans, Procedures and Regulations: Every company has its own policies, plans, procedures and regulations for conducting various managerial and non managerial functions. In this context, the internal auditor should verify that: (a) there is an adequate system by which the policies and plans are communicated to all concerned, and (b) there is proper compliance with policies, plans, procedures and regulations by all. If he finds any deviation, he should cover this in his report with suitable recommendations.

IV) Review of Organization Structure: The internal auditor should examine the organization chart to find out whether the structure is simple and economical and that no function enjoys an undue dominance over the others. He should see whether the lines of authority and responsibility are clearly defined and communicated to all the organizational levels. The internal auditor should examine the reasonableness of the span of control of each executive (the number of subordinates that an executive controls). Unity of command is another area which should be examined by internal auditors. Unity of command means each executive should report to only one superior.

V) Review of Utilization of Resources: Optimum utilization of resources is the prime task of the management. For this, management develops operating standards, budgets, and norms to measure and control the use of resources. The internal auditor should compare the standards with actuals, and try to find out the deviations therein. Reasons for deviations should also be established. As a part of evaluating resource utilization, identifying the facilities which are underutilized is an important function of the internal auditor.

VI) Review of Reliability of Information: An accurate and reliable management information system is a must for effective managerial decisions. The internal auditor should regularly evaluate the reliability and accuracy of the financial and operating information of the organization. He should also check the format and design used for receiving and sending management information. He should talk to users about their opinion of the reliability and accuracy of the information.

VII) Review of Achievements of Goals and Objectives: Achievement of goals and objectives is the ultimate thing for which managers are paid. Budgets and targets are the quantified objectives of managers of different departments. The internal auditor should review the contribution of every department towards achievement of objectives. The internal auditor serves as a medium through which the top management gets reports of its accomplishment of objectives.

Q6. Explain the problems encountered in an Electronic Data Processing Environment.

Ans. In an EDP system, the following problems arise in the implementation of internal control:

(a) Separation of duties: In a manual system, separate individuals are responsible for initiating transactions, recording transactions, and custody of assets. As a basic control, separation of duties prevents or detects errors and irregularities. In a computer system, however, the


traditional notion of separation of duties does not always apply. For example, a program may reconcile a vendor invoice against a receiving document and print a cheque for the amount owed to a creditor. Thus, this program is performing functions that in a manual system would be considered incompatible. In minicomputer and microcomputer environments, separation of incompatible functions may be even more difficult to achieve. Some minicomputers and microcomputers allow users to change programs and data easily; furthermore, they provide no record of these changes. If the minicomputer or microcomputer does not have an inbuilt capability to provide a secure record of changes, it may be difficult to determine whether incompatible functions have been performed by system users.

(b) Delegation of authority and responsibility: A clear line of authority and responsibility is an essential control in both manual and computer systems. In a computer system, however, delegating authority and responsibility in an unambiguous way may be difficult because some resources are shared among multiple users. For example, one of the objectives of using a database management system is to provide multiple users with access to the same data, thereby reducing the control problems that arise with maintaining redundant data. When multiple users have access to the same data and the integrity of the data is somehow violated, it is not always easy to trace who is responsible for corrupting the data and who is responsible for identifying and correcting the error. Some organizations have attempted to overcome these problems by designating a single user as the owner of data. This user assumes ultimate responsibility for the integrity of the data.

(c) Competent and trustworthy personnel: The technology of data processing is now exceedingly complex, much more complex than in the days of manual systems. Highly skilled personnel are needed to develop, modify, maintain and operate today's computer systems. Thus, the existence of competent and trustworthy personnel becomes even more important when computer systems are used to process an organization's data, since a relatively small number of individuals assume major responsibility for the integrity of the data. Unfortunately, assuring that an organization has competent and trustworthy data processing personnel has been a difficult task. Historically, well trained and experienced data processing personnel have been in short supply. Therefore, organizations sometimes have been forced to compromise in their choice of staff. Moreover, it is not always easy for an organization to assess the competence and integrity of its EDP staff. High turnover in the data processing industry has been the norm, and the rapid evolution of technology inhibits management's ability to evaluate an employee's skills.

(d) System of authorizations: Management issues two types of authorizations to execute transactions. General authorizations establish policies for the organization to follow. For example, a fixed price list is issued for personnel to use when products are sold. Specific authorizations apply to individual transactions: for example, acquisitions of major capital assets may have to be approved by the board of directors. In a manual system, auditors evaluate the adequacy of procedures for authorization by examining the work of employees. In a computer system, authorization procedures often are


embedded within a computer program. For example, the order entry module in a sales system may determine the price to be charged to a customer. Thus, when evaluating the adequacy of authorization procedures, auditors have to examine not only the work of employees but also the veracity of program processing.

(e) Adequate documents and records: In a manual system, adequate documents and records are necessary to provide an audit trail of activities within the system. In computer systems, documents may not be used to support the initiation, execution and recording of some transactions. The absence of a visible audit trail is not a problem for the auditor, provided that systems have been designed to maintain a record of all events and there is a means of accessing these records. In well-designed computer systems, audit trails are often more extensive than those maintained in manual systems. Unfortunately, not all computer systems are well designed. Some minicomputer and microcomputer software packages, for example, provide inadequate access controls and logging facilities to ensure preservation of an accurate and complete audit trail. When this situation is coupled with a decreased ability to separate incompatible functions, serious control problems can arise.

(f) Physical control over assets and records: Physical control over access to assets and records is critical in both manual systems and computer systems. Computer systems differ from manual systems, however, in the way they concentrate the data processing assets and records of an organization. This concentration of data processing assets and records also increases the loss that can arise from computer abuse or a disaster. For example, a fire that destroys a computer room may result in the loss of all major master files in an organization. If the organization does not have suitable backup, it may be unable to continue operations.

(g) Adequate management supervision: In a manual system, management supervision of employee activities is relatively straightforward because managers and employees are often at the same physical location. In computer systems, however, data communications may be used to enable employees to be closer to the customers they service. Thus, supervision of employees may have to be carried out remotely. Supervisory controls must be built into the computer system to compensate for the controls that usually can be exercised through observation and inquiry.

(h) Comparing recorded accountability with assets: Periodically, data and the assets that the data purports to represent should be compared to determine whether incompleteness or inaccuracies in the data exist or shortages in the assets have occurred. In a manual system, independent staff prepare the basic data used for comparison purposes. In a computer system, however, programs are used to prepare this data. For example, programs may sort an inventory file by warehouse location and prepare a count by inventory item at different warehouses. If unauthorized modifications occur to the programs or data files that the programs use, an irregularity may not be discovered.

