
CHAPTER ONE

Introduction

1.1 INTRODUCTION
Most companies have computer-based accounting systems. The main aim of the
analysis in this report is to ensure a full and complete understanding of the
controls in a computer-based environment, of whether they affect the
assessment of risks, and of the subsequent control procedures. This understanding is
very useful in auditing the computer-based environment. The risk assessment
procedures will involve the use of computer-assisted audit techniques (CAATs).

Within a computer environment there are two main categories of controls:


• General controls;
• Application controls.

The general controls include all policies and procedures that relate to applications and
support the effective functioning of application controls. These apply to mainframe,
mini-frame and end-user environments.
The purposes of the general controls are to:
• Maintain information integrity and data security;
• Control the following:
i. Software acquisition, changing and maintenance;
ii. Network operations;
iii. Access security;
iv. Applications acquisition, development, and maintenance.

Types of general controls:


• Controls over application development: controls over system design and program
writing, good documentation, testing procedures (e.g. use of test data to identify
program code errors, pilot running and parallel running of old and new systems), as
well as segregation of duties so that operators are not involved in program
development;
• Controls over program changes: performed to ensure that there are no unauthorized
amendments and that changes are adequately tested, e.g. password protection of
programs, comparison of production programs to controlled copies and approval of
changes by users;
• Controls over installation and maintenance of system software: many of the
controls mentioned above are relevant, e.g. authorization of changes, good
documentation, access controls and segregation of duties.
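
The "comparison of production programs to controlled copies" control listed above can be automated by hashing both libraries and reporting the differences. The following is an added example, not part of the original report; the directory layout, file names and function names are assumptions made for illustration.

```python
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large program files are not read into memory at once."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root: Path) -> dict[str, str]:
    """Map every file under root (by relative path) to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in root.rglob("*")
        if p.is_file()
    }


def compare_to_controlled(production: Path, controlled: Path) -> dict[str, list[str]]:
    """Compare the production library with the controlled (approved) copies."""
    prod, ctrl = snapshot(production), snapshot(controlled)
    return {
        # Same name, but the content differs from the approved copy.
        "modified": sorted(n for n in prod.keys() & ctrl.keys() if prod[n] != ctrl[n]),
        # Present in production with no approved copy at all.
        "unauthorized": sorted(prod.keys() - ctrl.keys()),
        # Approved program that is absent from production.
        "missing": sorted(ctrl.keys() - prod.keys()),
    }


def demo() -> dict[str, list[str]]:
    """Build two small constructed libraries and compare them."""
    with tempfile.TemporaryDirectory() as tmp:
        controlled, production = Path(tmp, "controlled"), Path(tmp, "production")
        controlled.mkdir()
        production.mkdir()
        # Constructed sample programs (names and contents are illustrative only).
        approved = {
            "payroll.py": "RATE = 1.00\n",
            "ledger.py": "POST = True\n",
            "reports.py": "FORMAT = 'pdf'\n",
        }
        for name, text in approved.items():
            (controlled / name).write_text(text)
        (production / "ledger.py").write_text(approved["ledger.py"])  # unchanged
        (production / "payroll.py").write_text("RATE = 1.50\n")       # amended
        (production / "extract.py").write_text("DUMP = True\n")       # never approved
        return compare_to_controlled(production, controlled)


if __name__ == "__main__":
    for finding, names in demo().items():
        print(f"{finding}: {names}")
```

The comparison is only as trustworthy as the controlled copies, so they should be writable only by staff who cannot change production programs.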

The computer environment is tightly linked to the ‘end-user environment’, which refers to
the situation in which the users of the computer systems are involved in all stages of
system development. In this respect, the end-user environment is related to:

Administrative controls: these are controls over ‘data centre and network
operations’ and ‘access security’. These include controls that:
1. prevent or detect errors during program execution, e.g. procedure manuals,
libraries of programs, job scheduling, training and supervision; all these
prevent errors such as using wrong data files or wrong versions of production
programs;
2. prevent unauthorized amendments to data files, e.g. authorization of jobs prior
to processing, back-up and physical protection of files and access controls
such as passwords;
3. ensure the continuity of operations, e.g. testing of back-up
procedures, protection against fire and floods, virus checks, use of read-only
memory, maintenance of program logs.

System development controls: these types of controls cover the areas of system
software acquisition, development and maintenance, program changes, and
application system acquisition, development and maintenance. The ‘system software’
refers to the operating system, database management systems and other software that
increases the efficiency of processing. Application software refers to particular
applications such as sales or wages. The controls over the development and
maintenance of both types of software are similar and include:
Application controls
The procedures used within the application controls are manual or automated. These
operate at a business process level and apply to the processing of transactions by
individual applications.
The main characteristics of the application controls are:
• preventive or detective in nature;
• designed to ensure the integrity of the accounting records;
• relating to procedures used to initiate, record, process and report transactions
or other financial data;
• helping ensure that transactions that occurred are authorized, complete and
accurately recorded and processed.
The application controls apply generally to data processing tasks such as sales,
purchases and wages procedures. These are divided into the following categories:

Input controls: document counts, batch control totals, manual scrutiny of documents
to ensure they have been authorized. A common example of programmed controls
over the accuracy and completeness of input is edit checks (data validation), where
the software checks the data fields included on transactions. This is done by
performing:
• reasonability check, e.g. alphabetical characters in a sales invoice
number field;
• range check, e.g. no employee’s weekly wage is more than € 1,000;
• check digit, e.g. an extra character added to the account reference field on a
purchase invoice to detect mistakes such as transposition errors during input;
• when data is input via a keyboard, the software will often display a screen
message if any of the above checks reveal an anomaly, e.g. ‘Supplier account
number does not exist’.
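
The edit checks above, together with the document count and batch control total, can be sketched as follows. This is an added example, not part of the original report: the modulus-11 check-digit scheme, the field names, the 1,000 amount limit applied to invoices and the sample batch are all assumptions constructed for illustration.

```python
from __future__ import annotations

from decimal import Decimal

AMOUNT_LIMIT = Decimal("1000")          # assumed range limit for a single invoice
SUPPLIER_MASTER = {"402176", "315087"}  # constructed master file of supplier accounts


def is_numeric(text: str) -> bool:
    """True only for non-empty strings of ASCII digits."""
    return text.isascii() and text.isdigit()


def check_digit(base: str) -> str:
    """Modulus-11 check character: weights 2, 3, 4, ... applied from the right."""
    total = sum(int(d) * w for w, d in enumerate(reversed(base), start=2))
    value = (11 - total % 11) % 11
    return "X" if value == 10 else str(value)


def edit_checks(txn: dict) -> list[str]:
    """Return the screen messages a data-entry program would show for one invoice."""
    errors = []
    if not is_numeric(txn["invoice_no"]):
        errors.append("Invoice number must be numeric")
    account = txn["supplier_account"]
    base, supplied = account[:-1], account[-1:]
    if not is_numeric(base) or check_digit(base) != supplied:
        # Catches keying slips such as two adjacent digits being transposed.
        errors.append("Supplier account number fails check digit")
    elif account not in SUPPLIER_MASTER:
        errors.append("Supplier account number does not exist")
    if not Decimal("0") < txn["amount"] <= AMOUNT_LIMIT:
        errors.append("Amount outside permitted range")
    return errors


def process_batch(header: dict, txns: list[dict]) -> dict:
    """Apply batch-level controls, then the field-level edit checks."""
    rejected = {t["invoice_no"]: errs for t in txns if (errs := edit_checks(t))}
    return {
        "count_ok": header["document_count"] == len(txns),
        "total_ok": header["control_total"] == sum(t["amount"] for t in txns),
        "accepted": [t["invoice_no"] for t in txns if t["invoice_no"] not in rejected],
        "rejected": rejected,
    }


# Constructed batch of purchase invoices with its manually prepared header.
BATCH_HEADER = {"document_count": 5, "control_total": Decimal("2250.50")}
BATCH = [
    {"invoice_no": "10021", "supplier_account": "402176", "amount": Decimal("250.00")},
    {"invoice_no": "1002A", "supplier_account": "315087", "amount": Decimal("120.50")},
    {"invoice_no": "10023", "supplier_account": "420176", "amount": Decimal("300.00")},
    {"invoice_no": "10024", "supplier_account": "315087", "amount": Decimal("1500.00")},
    {"invoice_no": "10025", "supplier_account": "55555X", "amount": Decimal("80.00")},
]

if __name__ == "__main__":
    result = process_batch(BATCH_HEADER, BATCH)
    print("accepted:", result["accepted"])
    for invoice_no, messages in result["rejected"].items():
        print(invoice_no, "->", "; ".join(messages))
```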
Processing controls: e.g. a run-to-run control i.e. the totals from one processing run,
plus the input totals from the second processing, should equal the result from the
second processing run. Example: the beginning balances on the payables ledger plus
the purchases invoices (processing run 1) less the cheques issued (processing run 2)
should equal the closing balances on the purchases ledger.
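
The run-to-run control in the payables example above can be reconciled in code, at ledger level and per account. This is an added example, not part of the original report; the account numbers, amounts and function names are constructed for illustration.

```python
from __future__ import annotations

from collections import defaultdict
from decimal import Decimal

ZERO = Decimal("0")


def control_total(items: list[tuple[str, Decimal]]) -> Decimal:
    """Control total of one processing run: the sum of its transaction amounts."""
    return sum((amount for _, amount in items), ZERO)


def run_to_run_check(opening: dict, invoices: list, cheques: list, closing: dict) -> dict:
    """Opening balances + invoices (run 1) - cheques (run 2) must equal closing balances."""
    expected_total = sum(opening.values(), ZERO) + control_total(invoices) - control_total(cheques)
    actual_total = sum(closing.values(), ZERO)

    # Rebuild the expected balance of every account to locate any difference.
    expected = defaultdict(Decimal, opening)
    for account, amount in invoices:
        expected[account] += amount
    for account, amount in cheques:
        expected[account] -= amount

    out_of_balance = {}
    for account in sorted(set(expected) | set(closing)):
        difference = closing.get(account, ZERO) - expected[account]
        if difference:
            out_of_balance[account] = difference

    return {
        "expected_total": expected_total,
        "actual_total": actual_total,
        "difference": actual_total - expected_total,
        "out_of_balance": out_of_balance,
    }


# Constructed sample data for two supplier accounts.
OPENING = {"402176": Decimal("1000.00"), "315087": Decimal("500.00")}
INVOICES = [("402176", Decimal("250.00")), ("315087", Decimal("120.50"))]
CHEQUES = [("402176", Decimal("600.00")), ("315087", Decimal("200.00"))]

# Case 1: the invoice for 315087 was never posted, so the ledger total is short.
CLOSING_DROPPED = {"402176": Decimal("650.00"), "315087": Decimal("300.00")}
# Case 2: the same invoice was posted to the wrong account; the totals still agree.
CLOSING_MISPOSTED = {"402176": Decimal("770.50"), "315087": Decimal("300.00")}

if __name__ == "__main__":
    for label, closing in (("dropped", CLOSING_DROPPED), ("misposted", CLOSING_MISPOSTED)):
        result = run_to_run_check(OPENING, INVOICES, CHEQUES, closing)
        print(label, result["difference"], result["out_of_balance"])
```

The second case shows why the control total alone is not sufficient: a misposting between accounts leaves the ledger total unchanged and is found only by the per-account comparison.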
Output controls: batch processing matches input to output, therefore this is also a
control over processing and output. Other examples of output controls include the
controlled resubmission of rejected transactions or the review of exception reports
(e.g. the wages exception report showing employees being paid more than € 500).
Master files and standing data controls: for example a one-for-one checking of
changes to master files, e.g. customer price changes are checked to an authorized list.
A regular printout of master files such as the wages master file could be forwarded
monthly to the personnel department to ensure employees listed have personnel
records.

1.2 Objectives of the Study
Broad Objective: The broad objective of the study is the internal control system in a
computerized accounting environment.

Specific Objectives:
• Define an accounting system and describe its implementation.
• Define internal control.
• Identify the principles of internal control.
• Explain the applications of internal control principles to cash receipts.
• Apply computerized accounting to the revenue and collection cycle.
• Journalize and post transactions in a manual accounting system that uses
subsidiary ledgers and special journals.

1.3 Methodology of the Study


Both primary and secondary data have been used in this study for making the
report fruitful. As my related topic is more narrative, I have used the primary source as
the main source of information.
1.3.1 Study Design
A study design provides guidelines and a logical, systematic plan for the detailed study.
It specifies the objectives of the study and the methodology and techniques to be
adopted for achieving those objectives. It constitutes the blueprint for the collection,
measurement and analysis of the data.

1.3.2 Sources of Data


The data used to furnish this report has been collected from the Primary sources &
secondary sources.
1.3.3 Secondary Sources
• Web site
• Textbooks, academic journals and professional journals
• Annual report of the company
1.3.4 Data Collection Instrument
Different types of computer software, such as Microsoft Word and Microsoft Excel, are
used for reporting the information gathered from the analysis. Data are analyzed using
my own judgment.

1.4 Limitations of the Study
1. To collect information I faced difficulty because of the excessive nature of
confidentiality mentioned by the officials of the company.
2. Available data also could not be verified. In most cases, I did not have any
option to furnish data with the verification.
3. The study was limited by the availability of the data.
4. Some of the supplied information was contradictory.
5. To protect the organizational loss in regard of maintaining confidentiality,
some parts of the report are not in depth.

CHAPTER TWO
Literature Review

2.1 Literature Review
An examination of the literature concerned with evaluating the effectiveness of
CAIS control systems reveals the rarity of available studies in this particular area
of research. One reason for this is that this area of research is relatively new. Also,
most of the studies in this field are conducted on a micro level and connected
with consolidated studies from the fields of business management, computer
science, and sometimes engineering; they are usually in the form of reports
or descriptive studies, and rarely empirical ones. Starting with the textbooks,
Romney and Steinbart (1999) listed twelve points of general controls that
should exist in the CS in order to achieve its goals effectively; these twelve
controls are:
1. Developing security plans.
2. Segregation of duties within the system function.
3. Project development controls.
4. Physical access controls.
5. Logical access controls.
6. Data storage controls.
7. Data transmission controls.
8. Documentation standards
9. Minimizing system downtime.
10. Disaster recovery plans.
11. Protection of personal computer and client/server networks.
12. Internal controls.

They provided an empirical justification for each control and specified the
threats that each control procedure could prevent, which gives credibility and
greater chances of finding these controls in practice. Furthermore, Boockholdt
(1999) mentioned four categories of general controls as follows:

- Data center operation controls. These include Data Backup Procedures,
Contingency Plans (DRP) and Segregation of Duties.
- System software acquisition and maintenance controls.
- Access security controls.
- Application system development and maintenance controls. These controls
are: formal review and authorization of each new system, adequate documentation
for manual and programmed procedures, a plan for testing each new system
adequately, and authorization and documentation for changes to existing systems.
Boockholdt (1999) classified the system software acquisition and maintenance
controls into two main sections:

Fixed Responsibilities
A) Network administration. Selecting and updating network communication
software.
B) PC help center. Answering users’ questions on personal computers,
scheduling maintenance.
C) Database Administration. Selecting and updating software, limiting
access to data, maintaining efficiency.

A) Screen applicants. Technical knowledge becomes outdated quickly.


B) Information systems steering committee. Review software acquisition
decisions.
C) Standard PC configurations. Software and hardware the organization
approves to support.
Generally, both Romney and Steinbart (1999) and Boockholdt (1999) have
similar points but with different classifications for the main groups, and
sometimes different naming for the same detailed procedure (e.g. Contingency Plan
instead of Disaster Recovery Plan - DRP). The current study depends mainly on
Romney’s categorization, and formulates a detailed procedure list for each
category.
In the following section we preview the available peer-reviewed studies,
starting with the ones that cover partial areas of CS evaluation and ending with
those that cover this area in more comprehensive views.
Jacob & Weiner (1997) carried out a theoretical study in which they listed
eleven points for building an effective Disaster Recovery Plan (DRP). According to
the Jacob et al. study, these points ensure building a comprehensive DRP, respond
to the worst-case scenario and enable organizations to recover their operations
quickly.
These points are:
1. Define mission critical company functions & establish a hierarchy of
operational importance.
2. List the critical personnel and their job function.
3. List equipment needs of critical persons.
4. Determine a site relocation contingency.
5. Establish a recovery even task list.
6. Document current computer data backup methods and frequencies.
7. Identify those hard copy documents which are vital to the company and
not able to be re-created electronically, and provide solutions to
eliminate susceptibility to loss of such documents.
8. Identify mission critical items vital to company operations which would
be required in the event of disaster emergency.
9. Form an internal emergency response (“crises”) committee with
employees assigned to specific crises functions.
10. Create a crises management “media kit”.
11. Create a systematic schedule for updating the plan.

Warigon (1998) conducted a theoretical study in which he clarified a group of
protective measures that should exist to safeguard data warehouses. These
measures can be illustrated as follows:
- The Human wall: A proper number of computer security staff should
exist.
- User Access Classification: Data warehouses (DW) users should be
classified as General Access Users, Limited Access Users or Unlimited
Access users.
- Access Controls: End-users can access only the data or programs for
which they have legitimate privilege.
- Integrity Controls: These controls include well designed and tested
Disaster recovery plans.

- Data Encryption: This encryption is for the sensitive data in the DW to ensure
that the data is accessed on an authorized basis only.
- Partitioning: A mechanism should be developed to partition sensitive data into
separate tables, so that only authorized users can access these tables according to
their needs.

Buttross and Ackers (1990) conducted a theoretical study in which they
discussed microcomputer security practice. In addition, the Buttross and Ackers
study provided a security controls checklist that could be used to help internal
auditors in evaluating computer security. This helps in identifying security
weaknesses and correcting them. The checklist was designed for small and
medium-sized companies. This checklist included four security control
categories. Each category included several security control elements. These
categories are:
- Organizational controls.
- Hardware controls.
- Software controls.
- Data and data integrity controls.
Dougan (1994) suggested an internal control checklist for computer systems.
This checklist could be used to check the security controls in place and to ensure
that the implemented security procedures are sufficient and effective to prevent
computer data losses. Dougan grouped his checklist into four main categories:
- Computer room site (physical access)
- Documentation.
- Maintenance.
- Protection.
Henry (1997) carried out a survey of 261 companies in the US to determine
the nature of their accounting systems and the security in use. Seven basic security
methods were presented in his study. These methods were encryption,
password access, backup of the data, virus protection, authorization for
system changes, physical system security and periodic audit. The results of Henry’s
study indicated that 80.3% of the companies back up their accounting systems and
74.4% of the companies secure their accounting systems with passwords,
whereas only 42.7% use antivirus in their systems. The results also revealed that
less than 6% of the companies use data encryption. Lastly, 45% of companies
underwent some sort of periodic audit of their accounting information
systems.
Another study, carried out by Qurashi & Siegel (1997), affirmed the
accountant’s responsibility to check the security of the computer system. The
researchers carried out a theoretical study to develop a security checklist. This
list covers the following four security control groups: Client policy,
Software security, Hardware security and Data security.
Cerullo and Michael (1999) conducted a survey using a questionnaire of
twenty potential security and control mechanisms, which was circulated among
the audit directors of two hundred Fortune companies in the US. These mechanisms
were placed by the Cerullo study in four categories, namely Client-based,
Network-based, Server-based and Application-based.
Hardy et al. (2000) examined information system (IS) managers' and
computerized information system (CIS) auditors' judgments of the relative
importance of elements of the internal control structure for EDI systems, using
the analytic hierarchy process (AHP).
The data were collected by a self-administered questionnaire by means of a mail
survey. The target population comprised IS managers and CIS internal auditors
from organizations which were members of Tradegate ECA, and CIS external
auditors from Big Six accounting firms. The survey yielded 54 responses from
159 questionnaires mailed, of which 48 were usable.
The results indicate that there is a lack of consensus between IS managers and
CIS auditors on encryption techniques and operational security controls, and
this requires further investigation. For example, in areas where IS managers
perceive controls to be less important than CIS auditors do, there may be a
weakness in control because the IS manager did not consider it worthwhile or
cost-effective enough to implement what the CIS auditor considers to be
sufficient control. The reverse may also be true, i.e. unnecessary controls
have been implemented. If so, discontinuing the operation of the unnecessary
controls may result in cost savings.
Moscove and Stephan (2001) consider that e-business organizations should
maintain a group of control procedures to protect their systems from any
possible threats. Such procedures include:
1. Physical access control procedures.
2. Password control procedures.
3. Data encryption such as public key encryption.
4. Disaster recovery plan (DRP).
5. Software-based security control, such as firewalls.
6. Intrusion detection software to detect unauthorized entrance into the system.
Abu Musa (2004) performed an empirical study to investigate the adequacy of
the security controls implemented in the Egyptian banking industry (EBI), where
the respondents were restricted to the head of the computer department and the
head of the internal audit department. Abu Musa tried to check whether the
security controls applied in the EBI are adequate to protect against the perceived
security threats through a self-administered checklist.
The CAIS security checklist included eighty security procedures, which were
categorized under the following ten groups:
1. Organizational information security controls.
2. Hardware and physical access security controls.
3. Software and electronic access security controls.
4. Data and data integrity security controls.
5. Off-line programs and data security controls.
6. Utility security Controls.
7. Bypassing of normal access security controls.
8. User programming security controls.
9. Division of duties.
10. Output security controls.

CHAPTER THREE
Internal Control and Accounting System of a Company

3.1 Company Overview
The Zealous Rent a Car Company will be the largest company in India. It will
provide a vast variety of vehicles to individuals, institutions, organizations and
visitors throughout India. It will provide luxurious vehicles to the people of India in all
provinces. Vehicles for special purposes, such as wedding ceremonies and tours,
shall also be provided.
The company will also provide online booking in all the major cities of India to
facilitate its customers. The company has a large number of branches all over India.
The company believes in providing the best quality services to its customers.
The Following Are the Major Strengths of the Company
Green Revolution: Zealous follows international going-green policies in
maintaining its cars. This strategy will be cost-effective for its customers and it will be
environmentally friendly as well.
Quality: The company meets its specifications and provides reliable, durable and
aesthetic vehicles, and quality services.
Customizations: The company provides customized accessories, i.e. music, media and
interior looks, in accordance with the specifications of the customers.
Online Connectivity: The company provides the facility of easy online reservations and
booking in all the major cities of India.
Marketing and Innovations: The company’s aggressive marketing and its
innovative products and services attract customers and fulfill their quality standard
(esteem) needs.

3.2 Vision Statement


Our vision is to become the most popular rent a car company of India.

3.3 Mission Statement


We will provide a vast variety of advanced and comfortable vehicles to middle and
elite class people of India. While working in a highly ethical manner, we will provide
an opportunity of growth to our employees. We will value our shareholders and
investors by using funds in most profitable manner.

3.4 Memorandum Of Association
The name of the company is “ZEALOUS Rent a Car Pvt. Ltd.”.
The registered office of the company will be situated in the province of the Punjab at
Lahore.
The objective of the company is to provide vehicles on rent on a daily, weekly,
monthly, and annual basis, to individuals, organizations, institutions, and
visitors all over India. Second-hand vehicles would also be sold by the
company.
The liability of the shareholders is limited up to the nominal value of the
shares they have purchased, whether paid in full or not.
The share capital of the company is thirty billion (3,000,000,000) rupees,
divided into three hundred million (300,000,000) shares of ten rupees each.

3.5 Article Of Association


Members:
The number of members with which the company is proposed to be registered is
20, but the directors of the company may register other members as the
company requires.
General meetings
The annual general meeting will be held every year after the close of the year. The
auxiliary meeting can be called by the directors. The CEO of the company will
be the chairman of the meeting. The quorum of the meeting will be 18
members, but the directors have the right to appoint any person as chairman
of the meeting.
Procedure at general meetings
Every member will be provided with the initial information about the meeting
12 days prior to the meeting date. The information will consist of the agenda
of the meeting, the time and place of the meeting and other details as may be required
by the directors.
Votes of the members
Every member of the company will hold one voting right. Every member will
have one vote.

Directors
The number of the first directors and the name of the first directors shall be
determined in writing by the subscribers of the memorandum of association,
so, however, that such number shall not in any case be less than as specified in
section 174 of company ordinance 1984.
Power and duties of the directors
The business of the company shall be managed by the directors, who may
exercise all such powers of the company as are not by ordinance required to be
exercised by the company in general meeting.
Chief Executive Officer
The CEO shall be appointed by the directors for such terms, at such
remuneration and upon such conditions as they may think fit.
The Seal
The director shall provide for the safe custody of the seal. It shall be used as
the signature of the company and affixed on all necessary documents of the
company. Mr. Jawad Abbas, the director of the company, will be the custodian
of the seal.

3.6 Departments of the Company


1. The Sales and Marketing Department
2. Human Resource Department
3. Operations Department
4. Finance Department
5. Accounts Department
The Sales and Marketing Department
The head of this department would be the Marketing Manager.
He would be responsible for:
1. Marketing Research: to identify the changing needs of present and
potential customers
2. Developing New Products: as needed by the industry (new vehicles to be
purchased)
3. Advertising: to inform customers about our products and the
new features of old products
4. Setting prices in accordance with the industry needs and requirements
The following persons will work under the marketing manager
Assistant Marketing Manager for Customer Servicing
Assistant Marketing Manager for Disseminator

Finance Department
The CFO would be the head of this department.
He would be responsible for:
Arranging the credit Policy – To what extent the credit is allowed to the
customers
Making contracts for getting loans
Mobilizing the additional funds
Setting the safety Margin on Inventories
Making in time payments to the Creditors
The following persons will work under the CFO
1. Finance manager
2. Manager Taxation
3. Manager of planning and budget
Finance Manager
He would be responsible for:
Approving funds up to Rs.40,000
Keeping the record of payment of funds to each department
Financial Forecasting
One assistant manager and one clerk will help him in his work.
Manager Taxation
He would be responsible for:
Making tax returns
Keeping records of deferred tax
Paying sales tax
Dealing with property tax
Two persons will help him in his work.
Manager of Planning and Budget
He would be responsible for:
Preparing annual budgets of different departments with the involvement of
their representatives
Keeping a record that matches their actual figures with the estimates
Keeping an estimate of the fuel average of each vehicle
Keeping an estimate of the repair and maintenance expense

Two Assistant Managers:
They will assist the manager of planning and budget in his duties in the following ways:
• Getting information from other departments
• On-site investigation to gather data for estimation
• Inspection of inventory for budget preparation.
Accounts Department
The CAO would be the head of this department.
He would be responsible for:
Forming policies about Maintenance of Accounts
Approval of Purchase orders
Communicating with higher management
Motivating subordinates
The following persons will work under the CAO:
Accountant Manager
Financial Reporting Manager
Special Reporting Manager
Accounts Manager
Maintaining books of accounts in accordance with the Company’s Ordinance 1984
Recording the transactions in the general Journal
Keeping proper record of vouchers
Recording adjustment entries
The two assistants will help him in his work.
Financial Reporting Manager
Preparation of financial statements in self decrypted form
Providing the notes along with the financial statements
The two assistants will help him in his work.

Special Reporting Manager


Presenting fair interim reports to top management
Preparing special reports for the decision makers to assist in their
decision-making process, such as the number of products supplied by one vendor and the
vendors providing the same product
Analyzing accounting record

The two assistants will help him in his work.

3.7 Basic Information “QuickBooks Accounts”

Company Name : Zealous Rent a Car Private Limited


Company Head Office Address : 106 A, Model Town, India
Company Organized : Regular Private Company
Fiscal Year Starts : January
Accounting Method : Accrual based
Posting Method : Real Time
We Sell : Services only
Sales Tax : No
Billing Statements : Yes (monthly)
Invoices : Yes
Cheques : Yes
Bank Account : Zealous Rent a Car (1-000-1788)

3.8 Charts of Accounts


ASSETS
Cash and Equivalents
Cash in hand
Cash at Bank
Cash in transit
Cash investments

Receivables
Account Receivables
Lease and rent accounts
Retail vehicles
Allowance for doubtful Receivables
Other receivables
Vehicles
Rental Vehicles
Driver training Vehicles

Prepaid expenses
Prepaid Expenses
Prepaid Rent
Prepaid Insurance on Vehicles
Life and Disability Insurance
Other prepaid

Fixed Assets
Land and Improvements
Building and Improvements
Computers
Laptops
Furniture and fixture
Company Vehicles
Other fixed assets

Accumulated Depreciation
Acc Dep. - Land and Improvements
Acc Dep. – Building and Improvements
Acc Dep. – Computers
Acc Dep. – Laptops
Acc Dep. – Furniture and fixture
Acc Dep. - Company Vehicles
Acc Dep. - Other fixed assets

Other Current Assets


Life & Disability and insurance
Vehicle insurance
Accounts Receivables
Markup Receivable

LIABILITIES
Accounts Payables
Trade Creditors
Customers Deposit
License and Registration Fee
Other Accounts Payables

Accrued Liabilities
Interest Payable
Salaries, Wages and Commission Payable
Insurance payable
Payroll Taxes Payable
Sales Tax Payable
Income Tax Payable
Other Taxes Payable
Employees Bonus Payable
Dividends Payable
Profit Sharing Payable
Other Payables

Other liabilities
Long term Debts
Notes payable of affiliated companies
Mortgage payable
Deferred Income Tax
Other liabilities

STOCKHOLDERS’ EQUITY
Capital Stock
Additional paid in capital
Retained earnings
Dividends
Investments
Profit & Loss Current
3.9 Internal Controls
“Internal Controls are policies and procedures used as internal checks and balances over
an organization’s assets and financial statements”. These controls:
 Reduce the misuse of assets.
 Reduce the risk of misstatement of the financial statements.
 Help to determine fraud and errors.
 Help to provide effective and efficient operations.
 Help the organization maintain a good reputation.

The Five Components of Internal Controls:
• Control environment
• Information and communication
• Risk assessment
• Control activities
• Monitoring
Now, considering the above-mentioned components of internal control, we’ll design the
internal control for our “Zealous” Rent a Car Company.
1. Control Environment
 Ethics based environment shall be provided from the top management to the lower
management.
 Board of directors will provide proper direction.
 Structure of our rental company would be efficient.
 Proper methods shall be used in assigning duties and responsibilities
 All Employees hired by the company shall be accountable for their actions.

2. Information and Communication


It’s simply related to the flow of Information about the internal controls.
 Our board of directors provides Governance and guidance; create policies, rules
and regulations.
 CEO is responsible for controlling all activities; he will provide leadership,
direction to senior management.
 Senior management is responsible for implementing internal control policies and
procedures.

 All lower management and employees are also responsible for implementing
internal controls. Also they will communicate weaknesses in our system to
management.
3. Risk Assessment
It is related to the identification and management of the risks that are faced by our
rental company.
The most common risks relate to protecting our organization’s assets and preventing
misstatement of the organization’s financial statements. These risks occur due to the
following events:
 When our rental business expands or grows to other cities.
 Hiring of new employees (Higher or lower management, especially in leadership).
 Launching new services and activities.
 If we change our internal environment.
4. Control Activities
These are the actions our company will take to deal with the risks we face in running our
business.
This includes:
• Insurance of cars
• GPS system
• We’ll protect our assets (cars) from loss or unauthorized use by implementing
controls to minimize opportunities for the employees or others to misuse them.
• Taking control of the flow of information and the accuracy of transactions. We’ll
record day-to-day transactions at correct amounts, with proper classification, in the
specific accounting periods and financial statements.
• Management would do accurate financial reporting of the organizational activities.
• We shall separate duties by proper allocation of tasks, so that no one
gets the chance to commit errors or fraud and then cover it up.
Especially when it comes to recording transactions, one individual cannot control
all phases of the process (one who records a transaction can’t be directly involved in
actual cash handling). We’ll also rotate jobs from time to time (change guards,
drivers).
• Some (management-related) duties still can’t be completely separated (as we
have low employee strength initially). To solve this, we’ll reconcile the bank
statements from time to time, remove variances, review reports and, most importantly,
compare physical inventory (tires, materials, tools, office equipment
inventory) with the accounting records.

5. Monitoring
Monitoring internal controls is a process that assesses the quality of the organization’s
internal controls over time. Deficiencies are reported and addressed.

3.10 Internal Control and Accounting System Design


Internal control, as defined in accounting and auditing, is a process for assuring
achievement of an organization’s objectives in operational effectiveness and
efficiency, reliable financial reporting, and compliance with laws, regulations and
policies. A broad concept, internal control involves everything that controls risks
to an organization.
It is a means by which an organization’s resources are directed, monitored, and
measured. It plays an important role in detecting and preventing fraud and
protecting the organization’s resources, both physical (e.g., machinery and
property) and intangible (e.g., reputation or intellectual property such as
trademarks).
At the organizational level, internal control objectives relate to the reliability of
financial reporting, timely feedback on the achievement of operational or strategic
goals, and compliance with laws and regulations. At the specific transaction level,
internal control refers to the actions taken to achieve a specific objective (e.g., how
to ensure the organization’s payments to third parties are for valid services
rendered.) Internal control procedures reduce process variation, leading to more
predictable outcomes. Internal control is a key element of the Foreign Corrupt
Practices Act (FCPA) of 1977 and the Sarbanes–Oxley Act of 2002, which required
improvements in internal control in United States public corporations. Internal
controls within business entities are also referred to as operational controls.

Internal control plays an important role in the prevention and detection of
fraud. Under the Sarbanes-Oxley Act, companies are required to perform a fraud
risk assessment and assess related controls. This typically involves identifying
scenarios in which theft or loss could occur and determining if existing control
procedures effectively manage the risk to an acceptable level. The risk that senior
management might override important financial controls to manipulate financial
reporting is also a key area of focus in fraud risk assessment. The AICPA, IIA, and
ACFE also sponsored a guide published during 2008 that includes a framework for
helping organizations manage their fraud risk.

Controls can be evaluated and improved to make a business operation run more
effectively and efficiently. For example, automating controls that are manual in
nature can save costs and improve transaction processing. If the internal control
system is thought of by executives as only a means of preventing fraud and
complying with laws and regulations, an important opportunity may be missed.
Internal controls can also be used to systematically improve businesses,
particularly in regard to effectiveness and efficiency.

3.11 Internal Control Responsibility


Internal control is the general responsibility of all members in an organization.
However, the following three groups have specific responsibilities regarding the
internal control structure.
• Management holds ultimate responsibility for establishing and maintaining
an effective internal control structure. Through leadership and example,
management demonstrates ethical behavior and integrity within the
company.
• The board of directors provides guidance to management. Because board
members have a working knowledge of the functions of the company, they
help shield the company from managers who try to override some control
procedures for dishonest purposes. Often, an efficient board that has access
to the company’s internal auditors can discover such fraud.
• Auditors within the organization evaluate the effectiveness of the internal
control structure and determine whether company policies and procedures
are being followed. All employees are part of a communications network
that enables an internal control structure to work effectively.

3.12 Computer Controls


Computerized financial records require the same internal control principles of
separation of duties and control over access as a manual accounting system. The
exact control steps depend on whether a company is using mainframe computers
and minicomputers or microcomputers.
In a personal computer environment, the following controls can be useful:
• Require computer users to have tight control over storage of programs and
data. Just as one person maintains custody over a certain set of records in a
manual system, in a computer system one person maintains custody over
certain information (such as the accounts receivable subsidiary ledger).
Make backup copies that are retained in a different secured location.
• Require passwords (kept secret) to gain entry into data files maintained on
the hard disk.
• In situations where a local area network (LAN) links the personal
computers into one system, permit only certain computers and persons in
the network to have access to some data files (the accounting records, for
example).
• Computerized accounting systems do not lessen the need for internal
control. In fact, access to a computer by an unauthorized person could result
in significant theft in less time than with a manual system.
3.13 Principles of Internal Control
Measures vary with:
• Size and nature of the business.
• Management’s control philosophy.

ESTABLISHMENT OF RESPONSIBILITY
Control is most effective when only one person is responsible for a given task.
SEGREGATION OF DUTIES
Related duties, including physical custody and record keeping, should be assigned
to different individuals.
DOCUMENTATION PROCEDURES
Companies should use prenumbered documents, and all documents should be
accounted for.

INDEPENDENT INTERNAL VERIFICATION


1. Records periodically verified by an employee who is independent.
2. Discrepancies reported to management.

OTHER CONTROLS
1. Bond employees.
2. Rotate employees’ duties and require vacations.
3. Conduct background checks.

Internal Control over Cash Receipts

CHAPTER FOUR
Basic Accounting System

4.1 Objectives of Internal Control
To provide reasonable assurance that:
• Assets are safeguarded and used for business purposes.
• Business information is accurate.
• Employees comply with laws and regulations.

4.2 Elements of Internal Control


• Control environment
• Risk assessment
• Control procedures
• Monitoring
• Information and communication

Control Procedures
• Competent Personnel
• Rotating Duties
• Mandatory Vacations
• Separating Responsibilities for Related Operations
• Separating Operations, Custody of Assets, and Accounting
• Proofs and Security Measures

Clues to Potential Problems


Warning signs with regard to people:
1. Abrupt changes in lifestyle.
2. Close social relationships with suppliers.
3. Refusing to take a vacation.
4. Frequent borrowing from other employees.
5. Excessive use of alcohol or drugs.

Warning signs from the accounting system:
• Missing documents or gaps in transaction numbers.
• An unusual increase in customer refunds.
• Differences between daily cash receipts and bank deposits.
• Sudden increase in slow payments.
• Backlog in recording transactions.

4.3 MANUAL ACCOUNTING SYSTEMS

Special Journals

CHAPTER FIVE
Accounting in Computerized Environment

5.1 Accounting in Computerized Environment
• Significance of computerized accounting system
• Codification and grouping of accounts
• Maintaining the hierarchy of ledgers
• Prepackaged accounting software

5.2 Definition of Computerized Accounting.


A computer information system environment exists when one or more computers
of any type or size are involved in the processing of financial information,
including quantitative data, of significance to the audit, whether those computers
are operated by the entity or by a third party.

5.3 Business Applications of Computers


• Inventory control
• Production planning
• Budgeting and Variance analysis
• Plant capacity utilization
• Quality control
• Market research
• Purchase accounting
• Sales accounting
• Payroll accounting
• Information management, etc.
A computerized accounting environment will therefore have the following
salient features:
1. Fast, Powerful, Simple and Integrated:
Computerized accounting is designed to automate and integrate all the business
operations, such as sales, finance, purchase, inventory and manufacturing.

2. Complete Visibility & Scalability:
With Computerized accounting the company will have greater visibility into the
day-to-day business operations and access to vital information. Computerized
accounting adapts to the current and future needs of the business, irrespective of its
size or style.
3. Customized:
Computerized accounting allows the company to enter data in a variety of ways,
which makes work a pleasure. Adapting to the specific business needs is possible.
Hence, the software can be tailored to the needs of the business.
4. For quick decision making & improved Business Performance:
Computerized accounting is a highly integrated application that transforms the
business processes with its performance enhancing features which encompass
accounting, inventory, reporting and statutory processes.
Role / Benefits / Advantages
• Speeding up the process
• Automation of ledger posting, trial balance and subsidiary ledger
• Accuracy
• Reduced error
• Eliminating duplication of work
• Immediate availability of information
• Easy access
• Flexibility
• Better quality of work, clean and neat
• Scalable
• Lower operating cost
• Improved efficiency
• Relieves employee monotony
• Facilitates standardization
• Minimization of frauds

5.4 Limitations / Disadvantages
• Security / Integrity / Virus / Hacking
• May lead to unemployment
• High cost of installation
• Requires special skills for operation
• Frequent repairs
• Frequent power failures

Features of Accounting Software


• On-screen input and printouts
• Automatic updating
• Automatic stock adjustments
• Integration of database with the accounting programme
• Automatic calculation of payroll

5.5 Codification and Grouping of Accounts


Coding System
• Codification refers to allotting code numbers to accounts in a hierarchical
structure
• Accounts are first systematically grouped into Major Heads such as:
–Assets
–Liabilities
–Revenue Receipts
–Capital Receipts
–Revenue Expenditure
–Capital Expenditure, etc.
The sub-groups or Minor Heads could be ‘Cash’, ‘Receivables’, ‘Payables’ and so on.
The major heads, sub-heads and detailed heads together constitute a 4-tier structure
• The detailed head is often termed as an object classification for control
purposes. Ex:
–Salaries
–Office Expenses
–Salesman Expenses
–Workshop Overhead, etc.
• The classification system should be approved by the top management and
auditor before coding and computerization

5.6 Maintaining the Hierarchy of Ledgers


• Accounting master files are created with codes and descriptions of accounts
• In a hierarchical coded system reports can be generated based on codes
• General ledger, Debtors ledger and Creditors ledger are automatically
created by any standard software
• At the time of creation, some of the account heads are indicated to the
system as cash, bank, debtors and creditors
• The system then automatically posts sales to debtors a/c and purchases to
creditors a/c

5.7 Prepackaged Accounting Software


• Maintained by using a spreadsheet package
• Pre-Packaged Accounting Software
• Customized Accounting Software
• ERP

Prepackaged Software
• Prepackaged software packages are generic accounting systems purchased from the
market rather than developed in-house (ex: Tally accounting software)
• These packages are easy to use, relatively inexpensive and readily available
• Installation of these packages is very simple
• A network version is generally available which works on client-server
architecture
• User manuals guide the user on how to use the software
• Vendor provides regular updates

CHAPTER 6
Findings, Recommendations and Conclusion

6.1 Findings
Risk assessment procedures using computer techniques
Computer-assisted risk assessment techniques apply control and audit procedures
using the computer as an audit tool. These are known as CAATs and are normally
placed in three main categories:
1. Audit software: computer programs used by the auditor to interrogate a client’s
computer files mainly for substantive testing. These can be further categorized into:
a. Package programs (generalized audit software): these are pre-prepared programs for
which the auditor will specify detailed requirements. They are written to be used on
different types of computer systems, so the auditor will be able to perform data
processing functions which include reading computer files, selecting information and
performing calculations.
b. Purpose-written programs: these perform specific functions based on auditor’s
choices. The auditor may have no option but to have this software developed, since
package programs cannot be adapted to the client’s system (however, this can be
costly).
c. Enquiry programs: these are programs that are part of the client’s system, often used
to sort and print data and can be adapted for audit purposes, e.g. accounting software
which may have search facilities on some modules, or that could be used for audit
purposes such as searching for all customers with credit balances (on the customers’
module) or all inventory items exceeding a specified value (on the inventory module).
Using this audit software, you can scrutinize large volumes of data and present results
that can then be investigated further. The software consists of program logic needed to
perform most of the functions required in case of an audit, such as:
• sample selection;
• reporting exceptional items;
• files comparison;
• analyzing, summarizing and stratifying data.
With this software you choose which of these functions to use and select the
criteria. Example: review and audit of the property, plant and equipment process:
• Select a random sample of additions from the fixed asset master file. This
allows you to trace the sample back to contracts and invoices to confirm
existence.
• Report all additions that cost more than €1,000.
• Compare the fixed assets register from the beginning of the month with the
one from the end of the month in order to trace the disposals during the month.
• Trace the disposals identified back to evidence, such as the sales invoice and
disposal minute.
• Assess the reasonableness of the depreciation expenses.
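The audit-software functions listed above (sample selection, exception reporting, file comparison and a reasonableness test), sketched in Python as an added example that is not part of the original report. The register layout, the asset records and the straight-line depreciation basis are constructed assumptions.

```python
import random

# Constructed sample data, not from the report: asset_id -> (description, cost in EUR,
# useful life in years, depreciation charged for the month). The layout is an assumption.
OPENING = {
    "FA-001": ("Sedan", 18000.0, 5, 300.0),
    "FA-002": ("Van", 24000.0, 5, 400.0),
    "FA-003": ("Tyre changer", 900.0, 3, 25.0),
}
CLOSING = {
    "FA-001": ("Sedan", 18000.0, 5, 300.0),
    "FA-003": ("Tyre changer", 900.0, 3, 25.0),
    "FA-004": ("SUV", 30000.0, 5, 500.0),
    "FA-005": ("GPS unit", 450.0, 3, 12.5),
    "FA-006": ("Office printer", 1200.0, 4, 40.0),
}


def additions(opening, closing):
    """File comparison: assets on the closing register but not on the opening one."""
    return sorted(set(closing) - set(opening))


def disposals(opening, closing):
    """File comparison: assets that left the register during the month."""
    return sorted(set(opening) - set(closing))


def sample_additions(opening, closing, n, seed):
    """Sample selection: seeded so a reviewer can re-perform the same draw."""
    pool = additions(opening, closing)
    return sorted(random.Random(seed).sample(pool, min(n, len(pool))))


def additions_over(opening, closing, threshold=1000.0):
    """Exception report: additions costing more than the threshold."""
    return [a for a in additions(opening, closing) if closing[a][1] > threshold]


def depreciation_exceptions(register, tolerance=0.05):
    """Reasonableness test: compare each charge with straight-line cost / life / 12
    (straight-line is an assumption) and report charges outside the tolerance."""
    out = []
    for asset_id, (_desc, cost, life_years, charged) in sorted(register.items()):
        expected = cost / life_years / 12
        if abs(charged - expected) > tolerance * expected:
            out.append((asset_id, round(expected, 2), charged))
    return out


if __name__ == "__main__":
    print("Sample to trace to invoices:", sample_additions(OPENING, CLOSING, 2, seed=7))
    print("Additions over EUR 1,000:   ", additions_over(OPENING, CLOSING))
    print("Disposals to trace:         ", disposals(OPENING, CLOSING))
    print("Depreciation exceptions:    ", depreciation_exceptions(CLOSING))
```

Each function returns a list of asset ids for follow-up against contracts, invoices and disposal minutes; the code selects items, it does not judge them.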
2. Data testing: consists of techniques for conducting control procedures by entering
data, as a sample of transactions, into an entity’s computer system and comparing the results
obtained with pre-defined results. The prime objective is to test the operation of
application controls. For this purpose it is ideal to arrange for dummy data to be
processed that includes many error conditions. This is done in order to ensure
that the client’s application controls can identify particular problems. Examples of errors
that might occur:
• supplier account codes that do not exist;
• sales invoices that contain addition errors;
• employees earning in excess of a certain limit;
• submitting data with incorrect batch control totals.
Data without errors will also be included to ensure that the ‘correct’ transactions are
properly processed.
The test data can be used ‘live’, during the client’s normal production run, but the main
disadvantage of this choice is the danger of corrupting the client’s
master files. In order to avoid this, it is useful to use an integrated test facility. The
alternative is to perform a special run outside normal processing, using copies of the
client’s master files. In this case, the danger of corrupting the client’s files is avoided;
however, the level of assurance is lower than if the normal production programs had been
used.
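An added sketch of a test-data run (not code from the report): a deck of dummy transactions with pre-defined results is fed to hypothetical application controls held in memory, standing in for a special run on copies of the master files. The control names, limits and supplier codes are constructed; `weak_controls` is a deliberately faulty variant that shows what a failed control looks like in the results.

```python
SUPPLIERS = {"S100", "S200"}   # constructed master file of valid supplier codes
PAY_LIMIT = 5000.0             # constructed pay ceiling enforced by the system


def application_controls(txn):
    """Hypothetical edit checks of the system under test; returns rejection codes."""
    errors = []
    if txn["type"] == "purchase" and txn["supplier"] not in SUPPLIERS:
        errors.append("UNKNOWN_SUPPLIER")
    if txn["type"] == "sale" and round(sum(txn["lines"]), 2) != txn["amount"]:
        errors.append("ADDITION_ERROR")
    if txn["type"] == "payroll" and txn["amount"] > PAY_LIMIT:
        errors.append("PAY_OVER_LIMIT")
    return errors


def weak_controls(txn):
    """Same checks with the pay-limit edit missing, to show a failing run."""
    return [e for e in application_controls(txn) if e != "PAY_OVER_LIMIT"]


def batch_accepted(items, stated_total):
    """Batch control: accept only if the stated total equals the sum of the items."""
    return round(sum(t["amount"] for t in items), 2) == round(stated_total, 2)


# Test deck (constructed): label, dummy transaction, pre-defined result.
DECK = [
    ("valid purchase", {"type": "purchase", "supplier": "S100", "amount": 250.0}, []),
    ("supplier code does not exist",
     {"type": "purchase", "supplier": "S999", "amount": 250.0}, ["UNKNOWN_SUPPLIER"]),
    ("valid sale", {"type": "sale", "lines": [100.0, 50.5], "amount": 150.5}, []),
    ("sales invoice addition error",
     {"type": "sale", "lines": [100.0, 50.5], "amount": 155.5}, ["ADDITION_ERROR"]),
    ("pay exactly at the limit", {"type": "payroll", "amount": 5000.0}, []),
    ("pay in excess of the limit",
     {"type": "payroll", "amount": 5000.01}, ["PAY_OVER_LIMIT"]),
]


def run_test_data(controls, deck=DECK):
    """Process the deck; return each case whose result differs from the expected one."""
    return [(label, expected, controls(txn))
            for label, txn, expected in deck if controls(txn) != expected]


def run_batch_tests():
    """Submit the error-free items with a correct and an incorrect control total."""
    clean = [txn for _label, txn, expected in DECK if not expected]
    correct = sum(t["amount"] for t in clean)
    return batch_accepted(clean, correct), batch_accepted(clean, correct - 0.5)


if __name__ == "__main__":
    print("Controls as designed:  ", run_test_data(application_controls))
    print("Pay-limit edit missing:", run_test_data(weak_controls))
    print("Batch totals (correct, incorrect):", run_batch_tests())
```

An empty result means every dummy transaction was accepted or rejected as predicted; any entry is a control that did not operate as described and needs follow-up.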

3. Other techniques: there is an increasing number of other techniques that can be used.
The main ones are:
Integrated test facility: this technique runs test data live; it involves the establishment of
dummy records, such as departments or customer accounts, against which the dummy data can
be processed. These can then be ignored when the client records are printed out, and
reversed out afterwards.

Embedded audit facilities (embedded audit monitor): these require the auditor’s own program
code to be embedded into the client’s application software. The embedded code is
designed to perform audit functions and can be switched on at selected times or activated
each time the application program is used. Embedded facilities can be used to
gather and store information relating to transactions at the time of processing for
subsequent audit review. The selected transactions are written to audit files, often
called a system control and review file, for subsequent examination.
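An added illustration, not taken from the report, of an integrated test facility and an embedded audit monitor in one toy ledger. The class, the dummy account `C-TEST`, the selection threshold and the choice to keep the dummy account out of the audit file are all assumptions.

```python
from dataclasses import dataclass, field

ITF_CUSTOMER = "C-TEST"     # dummy customer account created for the auditor (constructed)
SCARF_THRESHOLD = 10000.0   # audit selection criterion (assumption)


@dataclass
class Ledger:
    balances: dict = field(default_factory=dict)    # customer -> balance
    scarf_file: list = field(default_factory=list)  # system control and review file
    monitor_on: bool = True                         # monitor can be switched on and off

    def post_sale(self, customer, amount):
        """Normal production posting, followed by the embedded audit hook."""
        self.balances[customer] = round(self.balances.get(customer, 0.0) + amount, 2)
        if self.monitor_on and self._selected(customer, amount):
            self.scarf_file.append((customer, amount))

    @staticmethod
    def _selected(customer, amount):
        # Capture large or negative postings; the auditor's dummy account is left out.
        return customer != ITF_CUSTOMER and (amount >= SCARF_THRESHOLD or amount < 0)

    def client_report(self):
        """Debtors listing as printed for the client: dummy records are ignored."""
        return {c: b for c, b in sorted(self.balances.items()) if c != ITF_CUSTOMER}

    def reverse_itf(self):
        """Reverse the dummy postings out after the test; returns the amount reversed."""
        amount = self.balances.get(ITF_CUSTOMER, 0.0)
        self.post_sale(ITF_CUSTOMER, -amount)
        return amount


def run_live_test():
    """Mix dummy data into a constructed production run and collect the evidence."""
    ledger = Ledger()
    ledger.post_sale("C-001", 1200.0)
    ledger.post_sale("C-002", 15000.0)      # large sale: captured by the monitor
    ledger.post_sale(ITF_CUSTOMER, 500.0)   # auditor's test transaction
    ledger.post_sale("C-001", -300.0)       # credit note: captured by the monitor
    itf_balance = ledger.balances[ITF_CUSTOMER]   # compare with the pre-defined 500.0
    report = ledger.client_report()
    reversed_amount = ledger.reverse_itf()
    return (itf_balance, report, ledger.scarf_file, reversed_amount,
            ledger.balances[ITF_CUSTOMER])


if __name__ == "__main__":
    print(run_live_test())
```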

6.2 Recommendations
Impact of computer-based systems on the general approach
The fact that systems are computer-based does not alter the key stages of the review
process. This explains why references to the computer-based systems have been
subsumed into the following:

(i) Planning: the computer-based system is one of the characteristics of the review and
control process that needs to be considered in developing the overall strategy.

(ii) Risk assessment: the information system is identified as one of
the five components of internal control. An understanding of the information system
must be obtained, including the procedures within both IT and manual systems. In other
words, if s/he relies on internal control in assessing risk at an assertion level, s/he needs to
understand and test the controls, whether these are manual or automated.

(iii) Testing: this stage is very important irrespective of the accounting system (or any other
internal reporting system); it is therefore useful to design compliance and substantive
tests that reflect the strengths and weaknesses of the system. When testing a computer
information system, a mix of manual and computer-assisted review
and monitoring tests is likely to be used. ‘Round the machine’ vs. ‘through the machine’
approaches to testing.

6.3 Conclusion
In recent years, computer-assisted risk assessment techniques
have been developed, especially for large companies in various fields of activity such as
banking, financial companies or retail stores. They are growing in
importance and help in achieving a true and fair view of the financial
results and in mitigating the risks that might occur. The assessment of the key controls
will determine the level of internal testing. If these are programmed controls, you
will need to ‘review through the computer’ and use CAATs to ensure controls are
operating effectively.

