Master of Business Administration- MBA Semester 3 MF0013 Internal Audit and Control Q1.

. Discuss, in brief, the advantages and limitations of auditing. Ans: Advantages of Financial Audit 1. Statutory financial audit gives the owners of a company and other stakeholders the assurance that annual financial reports give true and rational view about the companys financial performance. 2. Tax audit viz., the audit of financials of the company based on which taxable income is determined and tax paid is mandatory. Tax auditors report has to be filed with the tax return. 3. Internal financial audit assists the CEO and his team of operating managers regularly and much more frequently in understanding the financial performance of the company and taking corrective actions necessary. 4. Financial audit is an invaluable tool for prevention and early detection of fraud and errors. 5. Audited financial report together with the auditors report is necessary for a company in sourcing funds from banks and other financial institutions. 6. The audited balance sheet of a company read with the auditors report is often the base document for valuation of companies in case mergers, acquisitions or outright sales. Limitations of Financial Audit 1. It is a post-mortem: The annual statutory audit is not a concurrent activity, but starts only after the year is over. Naturally, the auditor has to rely on explanations given to him by the accountant for activities that happened quite a while ago. The essential truth behind some of the figures may therefore still remain undiscovered. 2. It is a test check: The auditor cannot examine all the transactions given the time and cost constraints. He applies test checks using statistical sampling techniques. The inherent weaknesses of such methods carry an element of uncertainty or risk. Thus, auditing only reduces and does not eliminate the possibilities of error or fraud. 3. Inherent limitations of internal control system: An auditor largely relies on the internal controls of the enterprise as he cannot check everything. Internal controls are the inbuilt checks and balances in the companys accounting and administration. But these internal controls themselves are subject to some limitations: (a) Certain levels of management may override control and make exceptions to procedures. (b) Persons operating the internal control and employees or outside parties may collude and render the controls ineffective. (c) There is also human error that may escape the controls.

Q2. Explain the key objectives of a good internal audit system. Write down the essentials for effective internal auditing. Ans: The objectives of a good internal audit system: 1. Evaluation of accounting controls: Ensuring that the checks and balances in the accounting processes are effective and provide the required accounting controls. 2. Compliance with policies and procedures: Verifying compliance with the policies and procedures laid down for key activities and reporting acts of omission and commission. internal audit have to check if this rule has been followed in all cases, and report exceptions. 3. Protection and optimal utilization of business assets: Ensuring physical availability and usefulness of fixed assets as per companys records, and checking utilization of major assets vis--vis plan. For ex: a piece of equipment purchased has not been installed within a reasonable period of time. The auditor will check and report on the justification for the asset not having been put to use. 4. Testing the reliability of Management Information Systems: Reviewing the management reporting structure and the utility of reports flowing out of the system. Internal audit is often considered a part of the finance function of the enterprise since the technical expertise required to do the audit function is available only with the Finance & Accounts professionals. While this is natural, it may be a short-sighted approach. Essentials for Effective Internal Auditing: 1. Appropriate organizational status: The internal auditor should ideally report to the CEO and the Board of the company, and should not be brought under a Functional Head like the CFO. This is regardless of whether internal audit is entrusted to an outside audit firm or done by a department of the company. The internal auditor should also be able to directly communicate with the external auditor. 2. Independence: Internal auditors must have independence at work. This facilitates them to offer impartial and unbiased opinion and advice. 3. Technical competence: The internal audit team should be professionally qualified, wellexperienced and adequately trained. 4. Professional approach: The internal auditor should exercise due professional care in fulfilling his responsibilities. His professionalism should be evidenced by the existence of audit manuals, clear audit programs and neatly filed working papers for each job. 5. Reporting and follow-up: Audit findings must first be reported to the auditee and together with the auditees response the findings should be reported to top management, preferably with a recommended solution. Action agreed by the auditee should be followed up and its closure duly reported.

Q3. List the required qualifications of an internal auditor. Describe the role of internal auditor in the companys management. Ans: When appointing an internal auditor, the management of a company looks for the following attributes: a. Necessary expertise to evaluate business control systems, especially financial and accounting controls: This is the crux of the internal audit function as the focus is always on financial performance and viability of the enterprise. b. Basic knowledge of the technology and commercial practices adopted by the business, since he is expected to evaluate the operational performance of the enterprise. c. Thorough knowledge of management theories and best-in-class practices. d. Excellent interpersonal skills: The auditors may at times have to comment adversely on the work of their own colleagues. They should be able to do this in an acceptable manner and yet produce the intended result. e. Unbiased reporting and strong professional approach. f. Unimpeachable integrity and the highest ethical standards. The internal auditor can play a significant role in enhancing the effectiveness of managerial processes in a company, the specific contributions that an internal auditor can make include: 1. Review of internal control systems: The internal auditor should review the internal control systems of the organization. He should determine whether the existing control systems are appropriate and commensurate with the objectives, size, etc. of the organization. For example a small company cannot afford a separate credit control department and so it will need strong controls in the sales accounting process to minimize customer payment default. 2. Review of safeguards for assets: The auditor should regularly review the adequacy of insurance covers for fixed assets and complete accounting of all transactions relating to fixed assets, etc. 3. Review of compliance with policies, plans, procedures and regulations: The internal auditor should include a regular checklist of compliances by different functions of laid down procedural requirements. When a non-observance is spotted, he should inquire and ascertain the reason for the deviation. 4. Review of organization structure: A well-designed organization structure is the basic requirement for the smooth functioning of any organization. Organization structure defines the authorities and responsibilities of executives. The internal auditor should evaluate the organization structure from the following dimensions: a. Simplicity and lack of ambiguity. b. Clear definition of authority and responsibility at each level. c. Balance of power, to ensure there is no undue dominance of any function. 5. Review of deployment of resources: The internal auditor reviews utilization of resources deployed for the business men, machines, money, materials and management to identify deviations both by way of excessive use of resources and resources that are under-utilized.

Q4.Explain the basic principles of governing internal control Ans: The basic principles governing internal control are as follows: 1. A proper system, preferably in writing, must be implemented so that origination, recording and accounting of business transactions take place in a standardized way. 2. The authority and responsibility of every official should be fixed. 3. Accounting entries should not be allowed without a supporting document. 4. No person should handle a transaction end to end: the work of a person should be checked automatically by another person in the same or another department. 5. Responsibility for the custody and control of assets should be segregated from the responsibility of accounting for the assets. 6. As far as possible controls should be built into the functions themselves. For example the objective of reducing credit risk and minimizing collection period can be met through controls in the accounting and sales system instead of having a separate credit control function. 7. Every internal control should be established after a cost-benefit analysis. 8. Books of accounts should be maintained up to date. 9. The entity must have a system of rotation of duties among employees. Employees should be encouraged to take leave as per their roster, especially employees handling cash. 10. The system should have inbuilt verification system from independent records. For example verification of bank balances from bank statement, comparison of purchase ledger account with supplier statement, etc. 11. The system should facilitate cross-functional physical verification of assets: for example cash verification by Purchase official or inventory test-check by Accounts staff. 12. A reliable and accurate Management Information System (MIS) should be in place. Important: The attitude of top management plays a key role in establishment of effective internal control. The auditors will find deficiencies in the system but it is the management who has to take corrective action, and if they do not, the controls would not have served their purpose.

Q5. Discuss the specific problems of Electronic Data Processing (EDP) relating to internal control. Ans: implementation of internal control in an EDP system, give rise to the following problems: (a) Separation of duties: The responsibility for initiating transactions, recording transactions and custody of assets, lies with separate individuals in a manual system. This is a basic control necessity for any organization. However, in a computer system the traditional idea of separation of duties is not always applicable. (b) Delegation of authority and responsibility: An essential characteristic of internal control is a clear line of authority and responsibility. However, in a computer system the delegation of authority and responsibility in a clear way may be difficult because multiple users may share some resources. (c) Competent and trustworthy personnel: Data processing technology is much more complex today as compared to the days of manual systems. Personnel who are highly skilled are required to develop, modify, operate and maintain computer systems today. As only a relatively small number of individuals are responsible for the integrity of data, it is crucial for trustworthy and competent personnel to exist. (d) System of authorizations: There are two types of authorizations to execute transactions, issued by management. Policies that an organization follows are established by general authorizations. For example, a fixed price list issued for personnel to use when products are sold is an example for general authorization. Specific authorizations on the other hand, apply to individual transactions such as acquisitions of major capital assets that may have to be approved by the Managing Director. (e) Adequate documents and records: A manual system requires adequate documents and records if it is to provide an audit trail of activities within the system. On the other hand, in computer systems, documents may not be used to support the initiation, execution and recording of certain transactions. An online order entry system is an example. Here, a customers order received over the telephone may be directly entered into the system without any supporting documents. (f) Physical control over assets and records: It is critical for internal control to have physical control over assets and access to records. Computer systems differ from manual systems in the way they concentrate the data processing assets and records at one location. (g) Adequate management supervision: Management supervision of employee activities is relatively straightforward in a manual system. This is because employees and managers are often at the same physical location. In computer systems data communication may be used to enable employees to be closer to the customers they service. Hence employee supervision may have to be done remotely. (h) Comparing recorded accountability with assets: To assess if shortages in the assets have occurred or inaccuracies or incompleteness exist, a periodical comparison between assets and the data that is a record of those assets must be done. While independent staff prepares the basic data used for comparison purposes in a manual system, computer systems use programmes to do the same.

Q6.Explain the factors for having the effective internal control system for a bank. Ans: For Effective internal control system a bank should consider the following aspects: 1. Control environment: Control environment is the foundation of an internal control system. It includes and reflects the factors that influence the control consciousness of its people. As per Auditing and Assurance Standard 6 issued by ICAI (AAS6), control environment is the overall attitude, awareness and actions of directors and management about the internal control system and its importance in the entity. 2. Risk recognition and assessment: To be effective, an internal control system should recognize and continually assess all material risks internal and external, controllable and uncontrollablethat could affect the achievement of the banks objectives. The bank faces various risks at different levels credit risk, country and transfer risk, market risk, interest rate risk, liquidity risk, operational risk, legal risk, etc. 3. Control activities: Control activities are management actions to ensure that the personnel are following the banks established policies and procedures. Specific control procedures include: a) Reporting and reviewing reconciliations. b) Checking arithmetical accuracy of the records. c) Maintaining and reviewing control accounts and related subsidiary ledgers. 4. Segregation and rotation of duties: Authorities and responsibilities of every department should be clearly defined based on the policies of the management, preferably in writing. There should not be any scope of duplication of jobs, duties and assignments. The entity must have a system of rotation of duties among employees. 5. Authorization of transactions: Banks usually prescribe well-set systems of approval and authorization, both generally applicable and specific to some transactions. As public money is often involved, it is vital that authority levels are not breached. 6. Accountability for assets: To ensure accountability and safeguarding of assets, it is important that complete records are maintained and access is limited to the authorized personnel only. Every access and every user should be documented. Periodic checking of actual assets with records and identifying discrepancies must be mandated. 7. Accounting, information and communication systems: A comprehensive system of accounting, financial reporting (both management and statutory) and non-financial analysis and reporting with clear content, format and frequency should be in place. 8. Monitoring activities: A full-fledged monitoring system should be in place to assess the effectiveness of internal controls continually. Monitoring is done internally as well as externally. For internal monitoring or self-assessment the review functions are delegated to the staff at different levels. Monitoring activities are integrated to the daily activities as well as undertaken as specified periodic evaluations.