Master of Business Administration- MBA Semester 3 MF0013 Internal Audit and Control- 4 Credits (Book ID: B1733) (60

Marks) Name Course Roll No LC Name LC code : : : : : BHOLA KUMAR GUPTA MBA 3RD SEM

511221484 ZITE 01904

Q1. Discuss in brief the advantages and limitations of auditing. Answer: Auditing is as old as accounting. The word audit has been derived from the Latin word audire meaning to hear, listen or give credence to. In ancient times the person authorized to check the accounts of an estate did the job by hearing the business records from the record-keepers. There is historical evidence that household accounts of early rulers were kept by at least two persons, independently of one another, to keep a check on mistakes and misappropriations. In the Mauryan, Greek and Roman empires, there was a foolproof system of control over public revenue and expenditure. The International Auditing Practices Committee defines auditing as the independent examination of financial information of any entity, whether profit-oriented or not and irrespective of its size, or legal form, when such an examination is conducted with a view to expressing an opinion thereon. Advantages of Financial Audit: 1. Statutory financial audit gives the owners of a company and other stakeholders the assurance that annual financial reports give true and rational view about the companys financial performance. 2. Tax audit viz., the audit of financials of the company based on which taxable income is determined and tax paid is mandatory. Tax auditors report has to be filed with the tax return. 3. Internal financial audit assists the CEO and his team of operating managers regularly and much more frequently in understanding the financial performance of the company and taking corrective actions necessary. 4. Financial audit is an invaluable tool for prevention and early detection of fraud and errors. 5. Audited financial report together with the auditors report is necessary for a company in sourcing funds from banks and other financial institutions.

6. The audited balance sheet of a company read with the auditors report is often the base document for valuation of companies in case mergers, acquisitions or outright sales. Limitations of Financial Audit: As per SA 200A issued by The Institute of Chartered Accountants of India, objective of an audit is to express an opinion as to the true and fair view of financial statements. The audit gives no assurance on the future viability of enterprise or the efficiency or effectiveness with which the management conducted the affairs of the enterprise. the the the has

It should also be understood that audit of accounts does not guarantee the detection of all the errors. These conceptual restrictions arise due to following inherent limitations of auditing: 1. It is a post-mortem: The annual statutory audit is not a concurrent activity, but starts only after the year is over. Naturally, the auditor has to rely on explanations given to him by the accountant for activities that happened quite a while ago. The essential truth behind some of the figures may therefore still remain undiscovered. 2. It is a test check: The auditor cannot examine all the transactions given the time and cost constraints. He applies test checks using statistical sampling techniques. The inherent weaknesses of such methods carry an element of uncertainty or risk. Thus, auditing only reduces and does not eliminate the possibilities of erroror fraud. 3. Inherent limitations of internal control system: An auditor largely relies on the internal controls of the enterprise as he cannot check everything. Internal controls are the inbuilt checks and balances in the companys accounting and administration. But these internal controls themselves are subject to some limitations: (a) Certain levels of management may override control and make exceptions to procedures. (b) Persons operating the internal control and employees or outside parties may collude and render the controls ineffective. (c) There is also human error that may escape the controls Q2. Discuss the scope and objectives of internal audit. Answer: Internal audit: Internal audit is another type of general audit. The preface to the standards and guidance notes on internal audit issued by the ICAI defines it as an independent management function which involves a continuous and critical appraisal of the

function of the entity. The objective of internal audit is to suggest improvements to the function of the entity and add value to and strengthen the overall governance mechanism of the entity including its strategic risk management and internal control system. The scope and objects of internal audit may be summarised as follows: 1. To study and evaluate the coverage and effectiveness of accounting, financial and operating controls. 2. To ascertain the degree of compliance with policies, procedures and standing orders. 3. To verify whether companys assets are accounted for and adequately guarded against losses. 4. To ascertain the reliability of accounting and other operational data. 5. To review and report on the internal control systems installed. 6. To provide the management with objective analysis, recommendations in the form of periodic internal audit reports. comments and

Internal audit should not stop with checking the financial records and statements but perform a critical evaluation of the activities that produce the financial results. Q3. Explain the management. role of internal auditor as an integral part of

Answer: Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.[1] Internal auditing is a catalyst for improving an organization's governance, risk management and management controls by providing insight and recommendations based on analyses and assessments of data and business processes. With commitment to integrity and accountability, internal auditing provides value to governing bodies and senior management as an objective source of independent advice. Professionals called internal auditors are employed by organizations to perform the internal auditing activity. The Role Of Internal Auditor As An Integral Part Of Management: Internal auditing activity is primarily directed at evaluating internal control. Under the COSO Framework, internal control is broadly defined as a process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of the following core objectives for which all businesses strive:

Effectiveness and efficiency of operations. Reliability of financial and management reporting. Compliance with laws and regulations. Safeguarding of Assets

Management is responsible for internal control, which comprises five critical components: the control environment; risk assessment; risk focused control activities; information and communication; and monitoring activities. Managers establish policies, processes, and practices in these five components of management control to help the organization achieve the four specific objectives listed above. Internal auditors perform audits to evaluate whether the five components of management control are present and operating effectively, and if not, provide recommendations for improvement. Role in risk management: Internal auditing professional standards require the function to evaluate the effectiveness of the organization's Risk management activities. Risk management is the process by which an organization identifies, analyzes, responds, gathers information about, and monitors strategic risks that could actually or potentially impact the organization's ability to achieve its mission and objectives. Under the COSO enterprise risk management (ERM) Framework, an organization's strategy, operations, reporting, and compliance objectives all have associated strategic business risks - the negative outcomes resulting from internal and external events that inhibit the organization's ability to achieve its objectives. Management assesses risk as part of the ordinary course of business activities such as strategic planning, marketing planning, capital planning, budgeting, hedging, incentive payout structure, credit/lending practices, mergers and acquisitions, strategic partnerships, legislative changes, conducting business abroad, etc. Sarbanes-Oxley regulations require extensive risk assessment of financial reporting processes. Role in corporate governance: Internal auditing activity as it relates to corporate governance has in the past been generally informal, accomplished primarily through participation in meetings and discussions with members of the Board of Directors. According to COSO's ERM framework, governance is the policies, processes and structures used by the organizations leadership to direct activities, achieve objectives, and protect the interests of diverse stakeholder groups in a manner consistent with ethical standards. The internal auditor is often considered one of the "four pillars" of corporate governance, the other pillars being the Board of Directors, management, and the external auditor. Q4. Explain the steps in internal audit planning. Answer: Stages in Internal Audit Planning The three steps through which planning of internal audit takes place are: Step 1: Understanding of the organisation, its business and its systems

The internal auditor should first acquire in-depth knowledge of the business and the organisation, to help him understand the events, transactions and practices that have a significant impact on the performance of the company. SA 300 issued by ICAI has very clearly narrated the different sources from where the auditor can obtain knowledge of business. The text mentioned below is based on SA 300 and suitably modified to suit our requirement. Some of the key sources of valuable information about the company are: The companys annual reports to shareholders. Minutes of meetings of important committees, shareholders and Board of directors. Reports of internal financial management for the current year and previous years including budgets. The previous years audit report, management letter* issued by statutory auditors, working papers and other relevant accounts closing files. The organisations policy and procedures manual Large and professionally run companies usually have a Finance and Accounting Procedures Manual (FAPM) and a Delegation of Authority Manual (DOA) which set out the organisations policies and procedures. Publications from the Institute of Chartered Accountants of India and other professional bodies about accounting, reporting and disclosure needs specific to the industry. Industry publications, trade journals, magazines, newspaper reports and textbooks. Reports on the state of the economy and its effect on the organizations business. Visits to different plants and branch offices of the organisation and discussions with key divisional and functional heads. The internal auditor should provide enough to questions raised about the previous years statutory audit report and management letter. He should also respond to matters that require attention which have been pointed out by the external auditor. These matters will definitely merit inclusion in the audit programme. *Management letter is a document given by statutory auditors on conclusion of the annual audit to the companys Board on aspects of the financial reporting, internal controls and other governance issues that need to be addressed by the management satisfactorily in the current year. These are not serious matters that need to be included by the auditors in the report or to qualify the audit report, but nevertheless deserve attention of the management. Discussion with divisional and functional heads might include the following subjects with regard to the concerned function/division: Organisational structure and activities. Statutory rules and regulations. Major internal and external developments over the last 12 months. Key financial and accounting issues including accounting and reporting standards. Activities in which directors or substantial owners of the entity are interested and value of such activities. Business facilities started and/or closed during the year.

Aspects of technology, lines of business, product mix, sales and distribution methods, etc.

Apart from helping to establish the overall audit plan, knowledge of the auditees business is important to help the auditor in identifying areas that need special consideration, assessing the rationality of accounting estimates and management representations, and evaluating the correctness of accounting policies and internal control systems. Step 2: Development of an overall internal audit plan In this stage the internal auditor develops the top-level audit plan, which is only a broad summary of the scope and objectives of the audit and does not get into details. The overall plan should consider the following matters: Is there a statutory requirement for internal audit? If yes, what are the specific needs of the relevant statute? What are the terms of engagement and managements charter for the internal audit? What should be the content, format, timing and frequency of audit reports and other communication required by operational management, the Board and the statutory auditors? What are the cost/time limitations on the internal audit activity imposed by management? From the inferences gained in step 1, are there areas that need in-depth examination, in the nature of an investigation? How should the auditor set materiality levels for reporting alerts? How should the internal audit functions cost/benefit quantification and reporting be planned and executed? What are the sensitive areas that need to be handled delicately and in strict confidence? (Some areas are managerial remuneration in private companies, activities in which director is interested, matters of ethics, human relations or gender bias, etc.) What is the extent of reliance that can be placed on accounting controls and internal control? The overall audit plan should be documented by the internal auditor. The method and extent of the documentation varies depending on the audits size and complication. An effective planning tool is the time schedule which budgets the weeks for the various audit areas. Stage 3: Preparing the audit programme 1. After having completed the overall plan in stage 2 and getting it prima facie approved, the internal auditor proceeds to fill out the details and convert it into a full-fledged audit programme. 2. The overall plan, as seen in 5.4.2, covers two dimensions of internal audit work viz., functions to be audited and the number of days allotted. We now have to give two more dimensions the audit team should take charge of each functional audit, and the precise dates. 3. As explained earlier, teams are chosen for audits depending upon the skillsets needed for the particular job, and magnitude of work involved. 4. Dates are concluded in consultation with the concerned functional heads. It is vital for the internal auditor to get the dates accepted by the concerned

managers in the function. It is not sufficient to get dates approved at the top management level. The programme should be seen as beneficial as much to the auditee as to the company. 5. The programme should have adequate provisions for unexpected activities or events that might upset the schedule. For instance, if a functional audit brings up serious issues that need to be investigated it may throw all subsequent audits out of gear unless resource and time buffers are built into the programme. 6. It is also important for the auditor to complete the schedule of audits as programmed and not allow omissions or delays. So if he finds that dates are difficult to get from a functional head or manager he may have to seek general manager-level authority to insist on getting their time and completing the audit. Q5.Explain internal control system in banks. Answer: Internal control system in banks Different factors influence the internal control structure of any organisation: size, complexity and risk profile of its operations. In this regard an effective internal control system for a bank should consider the following aspects: 1. Control environment: Control environment is the foundation of an internal control system. It includes and reflects the factors that influence the control consciousness of its people. As per Auditing and Assurance Standard 6 issued by ICAI (AAS6), control environment is the overall attitude, awareness and actions of directors and management about the internal control system and its importance in the entity. Factors reflected in the control environment include: a) Organisational structure of the entity and means of assigning authority and responsibility (including segregation of duties and supervisory functions) b) The function performed by the board of directors and its committees in any company or any similar governing body in any other entity. c) The philosophy of management. d) Systems of management control that includes internal audit, personnel policies, etc. 2. Risk recognition and assessment: To be effective, an internal control system should recognise and continually assess all material risks internal and external, controllable and uncontrollablethat could affect the achievement of the banks objectives. The bank faces various risks at different levels credit risk, country and transfer risk, market risk, interest rate risk, liquidity risk, operational risk, legal risk, etc. The management must identify, measure and analyse these risks.. 3. Control activities: Control activities are management actions to ensure that the personnel are following the banks established policies and procedures. Specific control procedures include: e) Reporting and reviewing reconciliations. f) Checking arithmetical accuracy of the records. g) Controlling applications and environment of computer information environment systems. h) Maintaining and reviewing control accounts and related subsidiary ledgers. i) Ensuring approval and control of documents.

j) Comparing internal data with relevant external information. k) Comparing the results of physical verification of cash, fixed assets, investments and inventory with corresponding accounting records. l) Restricting access to assets, records and information. m) Comparing and analysing results with corresponding budgets 4. Segregation and rotation of duties: Authorities and responsibilities of every department should be clearly defined based on the policies of the management, preferably in writing. There should not be any scope of duplication of jobs, duties and assignments. The entity must have a system of rotation of duties among employees. 5. Authorization of transactions: Banks usually prescribe well-set systems of approval and authorization, both generally applicable and specific to some transactions. As public money is often involved, it is vital that authority levels are not breached. For example an industrial advance sanction may require zonal office clearance, while renewal of the advance may be within the authority of a branch head. 6. Accountability for assets: To ensure accountability and safeguarding of assets, it is important that complete records are maintained and access is limited to the authorised personnel only. Every access and every user should be documented. Periodic checking of actual assets with records and identifying discrepancies must be mandated. 7. Accounting, information and communication systems: A comprehensive system of accounting, financial reporting (both management and statutory) and non-financial analysis and reporting with clear content, format and frequency should be in place. Banks usually adopt the following procedures to meet this need: a) All records are maintained as prescribed with transaction-level details. b) A unique code number is assigned to each branch and that number should be mentioned in all important documents. c) All inter office transactions are reconciled methodically during accounts closing. d) Accounts are closed and financials reported as per strictly laid down schedules 8. Monitoring activities: A full-fledged monitoring system should be in place to assess the effectiveness of internal controls continually. Monitoring is done internally as well as externally. Q6. Explain Computer Assisted Audit Techniques (CAATs) Answer: Computer Assisted Audit Techniques (CAATs) An auditor uses CAATs to carry out audit procedures while auditing through the computer. Some of these techniques are: 1. Test Data Approach Under this approach transaction data (test data) prepared by auditor is processed by the clients processing system under the control of auditor. The auditor plants certain errors in data along with correct transactions. The results of the processing are compared with the predetermined output by him.

If errors are detected by the computer for follow-up and corrections, this indicates that all the application and general controls are functioning properly. The major disadvantage of this approach is the difficulty in designing test data. The auditor must be technically proficient in designing erroneous data. He should assure himself that the programmes being tested are actually the same as the ones used by the client. 2. Integrated Test Data Approach Under integrated test data approach, the auditor creates a fictitious entity (e.g. fictitious customer and vendor accounts) within the clients actual data. Hypothetical data for fictitious transactions are integrated with actual client data and processed. These are subsequently removed from records of the client by manually reversing journal entries or through programme commands and then the financial reports are compiled. Advantages: Thisprovides assurance that the programs being tested by the auditor have actually been used by the client. Itcan also be precisely targeted for specific procedures within the programmes. Disadvantages: Thereis the risk that fictitious transactions impact actual results. Well-laid frauds may be difficult to detect. This approach has a high initial cost. 3. Generalised Audit Software (GAS): In the above approaches the auditor is required to prepare input data or create programs. In case of generalised audit software, audit programmes are designed by computer manufacturers, software professionals and large firms of auditors. The functions which can be performed through GAS are as follows: (a) Examination and review of records based on auditors criteria: The computer can scan the records and point out the exceptions to the criteria established by auditor. For example, software can be designed to scan accounts receivable balances for amounts exceeding the credit limit. (b) Selecting and printing audit samples: The computer can be used to select and print audit samples using statistical or judgmentalsampling techniques. For example receivable accounts may be selected for confirmation using random sampling tables and the computer might be used to print the confirmation letters. (c) Testing calculations and making computations: GAS helps the auditor to test the accuracy of computations in clients data files with greater speed as compared to a manual system. For example, the auditor can calculate the doubtful debts to sales ratio for the present year and compare it with the past years to ensure reasonableness of doubtful debts provision for the year under audit. (d) Comparing data on separate files: An auditor can compare data on separate files to determine whether compatible information is in agreement. Differences, if any, should be reconciled and investigated. Examples include comparing paid vouchers to cash disbursement through cheques and purchases of inventory as per stock records to creditors file. (e) Summarising data and performing analysis: The auditor summarises and reorganises client data for his purposes. This can be done faster with the help of GAS. For example, he may want to determine the chances of recovery of debtors by looking at the ageing schedule or summarise inventory turnover statistics to determine slow-moving items.

(f) Comparing audit data with clients records: Audited data must be converted to machine-readable form and compared with the information in client records. For example, comments made by the auditor of inventory on hand may be compared with the quantity shown in the perpetual inventory records or stock verification sheets of the client. Use of generalised audit software can greatly assist the auditor in performing compliance substantive tests. Its effectiveness depends upon availability of client data, auditors ingenuity and the strength of clients internal controls.