Master of Business Administration MBA Semester 3 MF0013 Internal Audit and Control 4 Credits (Book ID: B1211) Assignment

ent Set 1 (60 Marks) Q. 1 Critically evaluate the qualities of an Auditor in the wake of recent scams. Ans: - Qualities of an Auditor:An auditor renders a professional service to his client. He should not only possess the prescribed statutory qualifications but also certain personal qualities. Some of those personal qualities are mentioned below: 1. Common sense: According to Spicer and Pegler, the auditor should have a full share of that most valuable commodity-commonsense. This is necessary to distinguish between important and not so important information. 2. Independence: Expression of opinion is a prime duty of an auditor. An influenced and biased person cannot form an independent opinion. Hence, independence in true sense is an utmost quality of an auditor. 3. Honesty and Integrity: Like any other professional viz. Doctors, Lawyers etc. auditor should possess a high moral character. In a way, he is a public servant. He must not knowingly, misinterpret any fact or sign any document under undue pressure. 4. Objectivity: Independence of an auditor depends on his ability to act with objectivity. For example, the auditor of XYZ Company believes that closing stock has not been properly valued but accepts a certificate from the management as to its valuation. In this case, the auditors judgment lacks objectivity. 5. Communication: He should be able to communicate effectively, both orally and in writing. Particularly in the matter of report writing, he should be able to convey his message clearly and unambiguously. 6. Tactfulness: He should be firm, yet diplomatic with his client and staff. He should be tactful enough to obtain necessary written as well as oral evidence from his client, so that he can form a reasonable opinion. 7. Awareness of latest developments: An auditor should keep his knowledge up to date related to his audit work likes changes in laws, changes in professional standards, latest development in technical guidelines etc.

Q.2 What is social audit? Is social audit taken seriously by the corporate world? Give examples of corporate undertaking social audit. Ans:- Social Audit:The social audit is also called social responsibility audit. A business organization exists in society. Hence, it owes certain responsibilities toward society at large. As Lord Denning has observed: The directors of a great company should owe a duty to those who are employed by the company to see that their conditions of service are proper. They should owe a duty to the customers, to the people to whom the goods are supplied, a public duty perhaps, not to expect excessive prices. They should owe a duty also to the community in which they live, not to make the place of production hideous or a nuisance to those who live around. Social audit is mainly concerned with social accounting. It may be noted that social accounting is still in early stage and so social audit also. Importance of the Social Policy. The phenomenal growth of Socially Responsible Funds (now 20% of funds invested in the US), the growing difficulty to attract qualified employees, and the rise of nongovernmental organizations able to sue or boycott unethical businesses, demonstrate the vital importance for any business of a well designed Social Policy. The Ethics Policies will attract long-term investors, increase market shares for the ethical product, strengthen partnerships, and make the employees proud. The Labor Policies will attract and keep a qualified workforce, and increase productivity, while opening new markets (ethnic minority customers are sensitive to the anti-discrimination policies in the work place). The Environmental Policies will attract customers interested in the protection of the environment, and investors who fear the risks linked to bad environmental practices, while sometimes reducing the costs with cost-effective modifications of production processes. As for most other components of the Social Policy, serious Environmental Policies will attract Socially Responsible Funds and a qualified workforce (nobody likes polluters!). The Human Rights Policies, also, will attract Socially Responsible Funds and a qualified workforce. Its most important role, however, is defensive: to prevent boycotts or campaigns of protest that could seriously tarnish the reputation of the company accused of practicing (or being an accomplice of) human rights abuses, and the resulting falling stock prices, loss of market shares, and low-moral work force. The Community Policies will not only create roots in a local base for the company, it will also increase the productivity of the work force involved in the projects (by developing their leadership and customer service skills, building pride and loyalty with the feeling of being useful).

The Society (or Extra-Community) Policies boost not only the products linked with the policy but also the image of the company. Cause Related Marketing is extremely appreciated by customers because it makes them feel good (allowing them to support charities without spending their time or money), as long as the charities are well chosen and the percentage is not too small (or the ceiling too low). The Compliance Policies are part of the Social Policy for two reasons. First, by complying with the law, the co. demonstrates it is socially responsible. More importantly, Compliances Policies often go beyond the legal requirements, in order to show concerns for social matters (health, labor, environment, etc.). In many cases, companies build their social image by doing only slightly more than what is required by the law. Creation of a Social Policy. Most companies (if not all) already have elements of Social Policy. Often, these are independent pieces of regulation and practices. Most of the time, they are not part of a unique strategy, they are not managed by powerful senior executives, they are not reviewed before any business decisions are made, and they are not used in ways that would produce their full benefits. The first step is to have an Independent Social Audit, either Defensive (to prevent lawsuits and boycotts), or Productive (to increase productivity, market shares and long term investment). The audit will identify the stakeholders; clarify the components of a Social Policy that would address the concerns of these stakeholders at either the Defensive or Productive level, or make recommendations on the necessary measures to build the Social Policy. The company must be totally involved in the Audit. The Independent Social Audit is neither an inspection (for which the company would dissimulate important pieces) nor is it a situation where the Auditor brings his "one size fits all" solutions. The Auditor is only the coach of a team, composed of senior executives of the company who are working at gathering the information and finding solutions. The Auditor provides the directions, merges the information to create a whole picture of the social situation, and gives advice on the method used by the company to build its Social Policy and on its different aspects. Ultimately, it is the leadership of a company who builds its Social Policy, and then decides on the best way to run the policy (for instance, nomination of a person or creation of a department dedicated to Social Policy issues). Scope of a Social Audit The identification of the stakeholders is generally the first task of an audit. However, a Social Auditor does not study each group of stakeholders separately. Stakeholders have to be considered as a whole, because their concerns are not limited to the defense of their immediate interest. As a result, the Social Auditor will work on the components of a company's Social Policy (Ethics, Labor, Environmental,

Community, Human Rights, etc.), and for each subject, the Social Auditor will analyze the expectations of all stakeholders. The scope of the audit generally includes the following policies: Ethics: values the company vows to respect. Policies include the pledge not to participate in (nor engage in business with people involved in) a series of activities that are deemed offensive. This list of unacceptable activities often includes exploitation of children, unethical treatment of animals, damage to the environment, and dealings with undemocratic regimes or with "bad guy" industries (fur, tobacco, guns, etc.). Labor: creation of a working environment allowing all employees to develop their potential. Policies include training, career planning, remunerations and advantages, rewards linked to merit, balance between work and family life, as well as mechanisms that ensure non-discrimination and non-harassment. Environment: monitoring and reduction of the damage caused to the environment. For instance, policies of reduction of emissions and waste. Human Rights: making sure the company does not violate human rights nor appears as supporting human rights violators. Community: investment in its local community. Policies include partnerships with voluntary local organizations, with financial donations, donations in kind (computers for education, food and clothes for the poor), and employees involvement. The company may initiate or participate to a major project such as the regeneration of a poor neighborhood plagued with unemployment, poverty, low education and racial tensions. Society: investment or partnership beyond the community. For instance, Cause Related Marketing (partnership with a charity to market a product while giving a small percentage of the sales to the charity). Compliance: Identification of all legal obligations and of the means to comply. Policies must deal with changing rules related to its work force (Labor), its products (Health, Environment, Intellectual property, specific regulations), its administration (Business, Tax), its dealings (supplier and customer liability, Criminal actions).

Q. 3 Explain the Code of Ethics for Internal Auditor. Explain them in context with blacklisting Price Waterhouse Coopers in Satyam Scam. Ans:- Code of Ethics for Internal Auditor In his book Practical Guide for Internal Audit R.S. Adukia has scholarly explained about the code of ethics for internal auditor which is as follows:

This code of ethics sets the minimum requirements for the performance and conduct of internal auditors. This code applies to all internal auditors but does not supersede or replace the requirement on individual to comply with ethical codes issued by professional institutes of which they are members or student members and any organizational codes of ethics or conduct. There are four main principles: 1. Integrity: The internal auditor should demonstrate integrity in all aspects of their work. Their integrity establishes an environment of trust, which provides the basis for reliance on all activities carried out by the internal auditors. 2. Objectivity: Objectivity is a state of mind that has regard to all considerations relevant to the activity or process being examined without being unduly influenced by personal interest or the views of others. Internal auditors should display professional objectivity when providing opinions, assessments and recommendations. 3. Confidentiality: Internal auditors must safeguard the information they receive in carrying out their duties. There must not be any unauthorized disclosure of information unless there is a legal or professional requirement to do so. 4. Competency: The internal auditor should make use of his/her knowledge, skills and practical experience necessary for auditors activity performance. They should not accept or perform work that they are not competent to undertake, unless they have received adequate training and support to carry out the work to an appropriate standard. Achieving compliance with code of ethics i) Security integrity: The internal auditor should: a) Perform his/her job honestly, diligently and with responsibility. b) Perform his/her profession in harmony with the acts and other generally binding regulations. c) Avoid any illegal activity and performing any activity discrediting the internal auditors profession. d) Respect the legal and ethical objectives of the organizations. e) Take care that his/her integrity should not be compromised. ii) Objectivity: The internal auditor should:

a) Avoid taking part in activities or relations which may damage, or might be understood as damaging his/her unbiased assessment including activities or relations which may be in conflict with public interests. b) Avoid accepting anything that may damage or might be understood as damaging his/her objective professional assessment. c) Protect his/her objectivity against political influence. d) Disclose all substantial facts known to him/her that being undisclosed might misrepresent the conclusions on activities or events assessed. iii) Observing Confidentiality: The internal auditor should: a) Be careful when using and protecting information he/she gathered when auditing. b) Avoid disclosing and making use of the information obtained during the auditors activities performance in order to damage the interests of other person or organization. c) Avoid making use of the information obtained during the auditors activities for personal enrichment or in a way which would be in conflict with the law or which would damage legitimate and ethical interests of the organization. iv) Demonstrating Competence: a) It is a pre-requisite that all internal audit staff is aware of and understand: 1. The organizations aims objectives, risks and governance arrangements. 2. The purpose, risks and issues affecting the service area to be audited. 3. The terms of reference for the audit assignment so that there is a proper appreciation of the parameters within which the review be conducted. 4. The relevant legislation and other regulatory arrangement that relate to the service area to be audited. b) The internal auditor should keep educating himself constantly in order to have a good command of internal audit techniques and auditor standards necessary for obtaining, examining and evaluating the information. v) Maintaining Audit Independence: Internal auditors should be independent of the activities they audit. Internal auditors are considered independent when they can carry out their work freely and objectively. Independence permits internal auditors to render the impartial and unbiased judgments essential to the proper conduct of audits. This is achieved through organizational status and objectivity. Independence stands for an internal auditor being able to take a stand and report on materiality issues, uninfluenced by any favors coercion or undue influence.

Satyams auditors:So what were the auditors, PricewaterhouseCoopers, doing? There was no cash within the company's banks and yet the auditors went ahead and signed on the balance sheets saying that the money was there. Not just the cash, even they even signed off on the non-existent interest that accrued on the non-existent bank balance! Auditors do bank reconciliation to check whether the money has indeed come or not. They check bank statements and certificates. So was this a total lapse in supervision or were the bank statements forged? No one knows yet. The cops have already raided the PwC office in Hyderabad, but details of what they have found are yet to emerge. The company officials said they relied on data from the reputed auditors. But PricewaterhouseCoopers, stung by this insinuation hit back at Satyam. In a statement to the media, the firm said: The audits were conducted by Price Waterhouse in accordance with applicable auditing standards and were supported by appropriate audit evidence. Given our obligations for client confidentiality, it is not possible for us to comment upon the alleged irregularities. Price Waterhouse will fully meet its obligations to cooperate with the regulators and others. (Extracted from Rediffmail.com). Q.4 As a senior audit assistant of M/s. Asutosh Associates, you are in charge of internal audit team of M/s Rajesh Technologies involved in the manufacture of plastic tubes. From the information you obtained you find the company is facing liquidity problem for the last two years. You are required to prepare working paper indicating the internal audit problems you would expect to face and how you plan to overcome them. Ans:- There have been many accounting scandals over the years which resulted in more traders showing interest in learning how to analyze a company's financial statements. When companies do declare bankruptcy, it is usually because they cannot pay their debts. So lets take a look at the importance of corporate debt and go over how an investor can analyze a companys liquidity. Economic theory says that the mix of debt and equity in a companys capital structure is irrelevant, that the value of a firm should be independent of its debt ratio. In the real world, companies and investors have to worry about things like taxes and the risk of default, so a company's capital structure can be relevant to its long-term survival. Long -term creditors can also put restrictions on the company such as preventing it from taking on additional debt or paying higher dividends. Most public companies have at least some debt, and the biggest reason to take on debt is to leverage the

equity (much like buying stock on margin). Return on equity is very important to investors. But the greater the proportion of debt to equity on the balance sheet, the higher the business risk. Since a lot of corporate debt tends to be short-term, there can be a real risk to the company if investors lose confidence in it. It is not unlike a run on a bank, where liabilities (loans) have a longer duration than their assets (deposits). If everyone suddenly wants their money now, the bank will not be able to meet the demand and be forced to close. That is why it is important to look at a companys debt and liquidity. Liquidity in the option markets refers to the volume of contracts changing hands in a day. There is lots of liquidity in the options of companies such as IBM and Microsoft, since there are many buyers and sellers. However, liquidity means something very different at the company level. Here we are referring to whether or not the company has, or can generate, enough cash to keep operating if they had to pay off short-term debt quickly. Banks use liquidity analysis to assess the risk of a company not being able to repay them in the short term. Agencies rate a companys debt according to the perceived threat of default. Still, crises periodically seem to emerge from almost nowhere to cause the sudden collapse of companies that seemed solid only weeks before. Once investors lose confidence, as companies such as Enron, Qwest and WorldCom learned, liquidity can mean the difference between survival and death. That is why investors should always take a little time to check debt and liquidity ratios before entering any trading position. Most investors are familiar with the corporate bond market. When a ratings agency such as Moodys or Standard and Poors downgrades a companys debt, this certainly causes the companys bond holders some distress, as the value of the bonds will drop. Still, since corporate bonds are primarily long-term debt, this is not usually the source of liquidity problems (unless a large amount just happens to be nearing expiration). No, it is usually a companys short-term debt that gets them in trouble. When a company runs into financial problems, their debt rating is usually quickly downgraded. Investors demand a higher premium to lend to the company. If they lose confidence altogether they will simply refuse to lend at any price. If the company does not have liquid assets available, even temporary cash flow problems can quickly become life threatening. Of course, the banks most companies up in the short term. Before investors will buy commercial paper, they usually require a commercial paper back-up facility with a bank. This gives them a bit more security that they will be paid. However, this facility is not meant to be used, and drawing on it is an admission the company

is having severe liquidity problems. This is what happened to Qwest about two years ago. When Qwest had trouble borrowing in the commercial paper markets, they had to draw down their $4 billion credit line with banks. It was a stop-gap measure that put off a financial reckoning for a few months, but credit agencies responded by cutting the rating on its outstanding bonds to near junk status. $4 billion is a lot of money to come up with in short time. By comparison, their market capitalization was $16.4 billion at the time, they had annual revenue of about $20 billion, and a loss of $4 billion the previous year. So one of the first ratios an investor should look at is the companys debt to its total capital. Total capital is all their debt plus equity. This ratio should be compared with what is normal in their industry and not simply against all other businesses. The next thing to look at is a company's ability to meet its debt payments. This is measured by a ratio called times interest earned. Times interest earned is a companys earnings divided by their total interest cost. For the earnings number you could choose to use EBIT (earnings before interest and taxes), or the more aggressive EBITDA (which adds back the non-cash costs of depreciation and amortization). Even if you are not looking at looking at a companys financials, other investors certainly are. Below is a table I put together that have some of these key numbers and compares Qwest at that time of their financial problems with the other baby bells of the time: SBC Communications (Whose symbol was SBC, and is now AT&T), Verizon (Symbol: VZ), and Bell South (Symbol: BLS). Numbers are in billions of dollars. Company Q SBC VZ BLS Total Debt 24.8 26.1 63.9 20.1 Equity 6.1 32.3 31.6 18.6 Earnings -4.0 7.2 0.6 2.5 Times Interest Earned -0.67 5.51 1.98 3.15

You can see that Qwest at the time had a substantially higher amount of debt relative to their equity. Their times interest earned number looks particularly bad. Investors clearly recognized that Qwest was a substantially more risky investment with a worse financial outlook compared to its peers. Below is a price chart that compares the financial performance of these four companies for the period March 2001- March 2002:

Investors should also take a look at a company's current ratio and the quick ratio. The current ratio is a measurement of cash resources relative to the shortterm level of obligations. It is calculated by dividing all current assets by all current liabilities. Current assets include cash and equivalents, marketable securities, accounts receivables, inventory, and prepaid expenses. Current liabilities include all debt due within a year. This ratio gives you a sense of a company's ability to meet all short-term liabilities with liquid assets, should it need to. A ratio of 1 implies adequate current assets to cover current liabilities, and the higher above 1, the better (Qwest had a current ratio of 0.6). The quick ratio is a little more conservative measure of liquidity than the current ratio, since it subtracts inventory from current assets. A healthy company should have a quick ratio of at least 1.0 (Qwest had a quick ratio of 0.5). An even more conservative ratio would be the cash ratio, which is the sum of cash and marketable securities divided by current liabilities, but I would rarely loof at this myself. It requires more work to dig out and calculate, while the other ratios are easily found on any decent financial website. As you can see, both ratios for Qwest were well under 1. Does this mean you should look for this in other companies and immediately enter short positions (like buying puts) on them? Not Necessarily. All the Baby Bells (Bell South, SBC Communications, and Verizon) had similar current and quick ratios of between 0.4 and 0.7. The key in this industry is investor confidence, and these companies could go on like this indefinitely as long as investors retain their confidence in them. What does this mean over the long-term investors? First, you would have made more money over the past five years choosing one of the other baby bells. The chart below compares the growth of $10,000 during the prior time period for the four companies:

The other thing you will notice is that Quest has exhibited much more price volatility than its peers, and obviously got caught up in the tech and telecom bubble more than any of its peers. If you got out at the height of the bubble you obviously would have made more. But if, like most investors, you continued to hold on through the collapse of that bubble you would have lost about two-thirds of your original investment. Just as no option strategy works in every market and situation, there is no one financial number or ratio that can give you all the information you need. Hopefully this article has convinced you the importance of at least looking a companys debt and liquidity situation before you consider entering any position.

Q.5 Explain the use of Sampling technique in Internal audit [SA500]. Ans:- Use of Sampling Techniques in Internal Audit SA500:Audit Evidence issued by the Institutes of Chartered Accountant of India says: The audit evidence should, in total, enable the auditor to form an opinion on the financial information. In forming such an opinion, the auditor does not normally examine all the information that is available to him because he can reach a conclusion about an account balance, class of transactions or a control by way of judgmental or statistical sampling procedures. Statistical sampling technique is a well accepted audit techniques now-a-days. Statistical sampling in auditing means forming an opinion about a group of items on the basis of examination of a few of the items. Statistical sampling technique add scientific flavor to old, generally accepted by auditing professional, of test checking. Statistical sampling techniques are based on the probability theory. The Institute of Chartered Accountants of India has issued SA 530: Audit sampling which is mandatory in nature and applicable to all kinds of audit. The following is the text of SA 530 modified as per our requirement:

Introduction 1. The purpose of this standard is to establish standards on the design and selection of an audit sample and the evaluation of the sample results. This standard applies to statistical and non-statistical sampling methods. Either method, when properly, applied can provide sufficient appropriate evidence. 2. When using either statistical or non statistical sampling methods, the auditor should design and select an audit sample. Perform audit procedures thereon, and evaluate sample results so as to provide sufficient appropriate audit evidence. 3. Auditing sampling means the application of audit procedure to less than 100% of an item within an account balance or class of transactions to enable the auditor to obtain and evaluate audit evidence about some characteristics of the items selected in order to form or assist in forming a conclusion concerning the population. 4. It is important to recognize that certain testing procedures do not come within the definition of sampling. Tests performed on 100% of the items within a population do not involve sampling, likewise, applying audit procedures to all items within a population which have a particular characteristics (for example all items over a certain amount) does not qualify as audit sampling with respect to the portion of the population examined, nor with regard to the population as a whole, since the items were not selected from the total population on a basis that was expected to be representative. Design of the sample 5. When designing an audit sample, the auditor should consider the specific audit objectives, the population from which the auditor wishes to sample, and the sample size. Audit objectives 6. The auditor would first consider the specific audit objectives to be achieved and the audit procedures which are likely to best achieve those objectives. Consideration of the nature of the audit evidence sought and possible error conditions or other characteristics relating to that audit evidence will assist the auditor in defining what constitutes an error and what population to use for sampling. For example, when performing tests of control over an entitys purchasing procedures, the auditor will be concerned with matters such as whether an invoice was clerically checked and properly approved on the other hand, when performing substantive procedures on invoice processed during the period, the auditor will be concerned with matters such as the proper reflection of the monetary amounts of such invoices in the financial statements. Population

7. The population is the entire set of data from which the auditor wishes to sample in order to reach a conclusion. The auditor will need to determine that the population from which the sample is drawn is appropriate to the specific objective. For example, if the auditors objective were to test for overstatement of accounts receivable, the population could be defined as the accounts receivable listing, on the other hand, when testing for understatement of accounts payable, the population would not be accounts payable listing, but rather subsequent disbursements, unpaid invoices, suppliers statements, unmatched receiving reports or other populations that would provide audit evidence of understatement of accounts payable. 8. The individual items that make up the population are known as sampling units. The population can be provided into sampling units in a variety of ways, for example, if the auditors objectives were to test the validity of accounts receivable, the Sampling unit could be defined as customer balance or individual customer invoices. The auditor defines the sampling unit in order to obtain an efficient and effective sample to achieve the particular audit objectives. Stratification 9. To assist in the efficient and effective design of the sample stratification may be appropriate. Stratification is the process of dividing a population into sub population, each of which is a group of sampling units, which have similar characteristics (often monetary value). The strata need to be explicitly defined so that each sampling unit can belong to only one stratum. This process reduces the variability of the items within each stratum. Stratification therefore, enables the auditor to direct audit efforts towards the items which for example, contain the greatest potential monetary error. For example, the auditor may direct attention to larger value items for accounts receivable to detect overstated material misstatements. In addition, stratification may result in a smaller sample size. Sample size 10. When determining the sample size, the auditor should consider sampling risk, the tolerable error, and the expected error. Examples of some factors affecting sample size are contained. Sampling risk 11. Sampling risk arises from the possibility that the auditors conclusion, based on a sample, may be different from the conclusion that would be reached if the entire population were subjected to the same audit procedure. 12. The auditor is faced with sampling risk in both tests of control and substantive procedures as follows: (a) Tests of Control:

i) Risk of Under Reliance: The risk that, although the sample result does not supports the auditors assessment of control risk, the actual compliance rate would support such an assessment. ii) Risk of Over Reliance: The risk that, although the sample result supports the auditors assessment to control risk, the actual compliance rate would not support such an assessment. (b) Substantive Procedures: i) Risk of Incorrect Rejection: The risk that, although the sample result supports the conclusion that a recorded account balance or class of transactions is materially mis-stated, in fact it is not materially mis-stated. ii) Risk of Incorrect Acceptance: The risk that, although the sample result supports the conclusion that a recorded account balance or class of transactions is not materially mis-stated, in fact it is materially mis-stated. 13. The risk of under reliance and the risk of incorrect rejection affect audit efficiency as they would ordinarily lead to additional work being performed by the auditor, or the entity, which would establish that the initial conclusions were incorrect. The risk of over reliance and the risk of incorrect acceptance affect audit effectiveness and are more likely to lead to an erroneous opinion on the financial statements that either the risk of under reliance or the risk of incorrect rejection. 14. Sample size is affected by the level of sampling risk the auditor is willing to accept from the results of the sample. The lower the risk the auditor is willing to accept, the greater the sample size will need to be. Tolerable error 15. Tolerable error is the maximum error in the population that the auditor would be willing to accept and still concludes that the result from the sample has achieved audit objective. Tolerable error is considered during the planning stage and, for substantive procedures, is related to the auditors judgment about materiality. The smaller the tolerable error, the greater the sample size will need to be. 16. In tests of control, the tolerable error is the maximum rate of deviation from a prescribed control procedure that the auditor would be willing to accept, based on the preliminary assessment of control risk, in substantive procedures, the tolerable error is the maximum monetary error in an account balance or class of transactions that the auditor would be willing to accept so that when the results of all audit procedures are considered, the auditor is able to conclude, with reasonable assurance, that the financial statements are not materially mis-stated. Expected error

17. If the auditor expects error to be present in the population, a larger sample than when no error is expected ordinarily needs to be examined to conclude that the actual error in the population is not greater than the planned tolerable error. Smaller sample sizes are justified when the population is expected to be error free. In determining the expected error in a population, the auditor would consider such matters as error levels identified in previous audits, changes in the entitys procedures, and evidence available from other procedures.

Selection of the sample 18. The auditor should select sample items in such a way that the sample can be expected to be representative of the population. This requires that all items in the population have an opportunity of being selected. 19. While there are a number selection methods, three methods commonly used are: (a) Random selection which ensures that all items in the population have an equal chance of selection, for example by use of random number tables. (b) Systematic selection, which involves selecting items using a constant interval between selections, the first interval having a random start. The interval might be based on certain number of items (for example, every 20th voucher number) or on monetary totals (for example, every Rs. 1000 increase in the cumulative value of the population). When using systematic selection, the auditor would need to determine that the population is not structured in such a manner that the sampling interval corresponds with a particular patter in the population. For example, if in a population of branch sales, a particular branchs sales occur only as every 100th item and the sampling interval selected is 50, the result would be that the auditor would have selected all, or none, of the sales of that particular branch. (c) Haphazard selection, which may be an acceptable alternative to random selection, provided that auditor attempts to draw a representative sample from the entire population with no intention to either include or exclude specific units. When the auditor uses this method, care needs to be taken to guard against making a selection that is biased, for example, towards items which are easily located, as they may not be representative. Evaluation of sample results 20. Having carried out, on each sample item, those audit procedures that are appropriate to the particular audit objective, the auditor should:

(a) Analyze any errors detected in the sample. (b) Project the errors found in the sample. (c) Reassess the sampling risk. Analyze of errors in the sample 21. In analyzing the errors detected in the sample, the auditor will first need to determine that an item in question is in fact an error. In designing that sample, the auditor will have defined those conditions that constitute an error by reference to the audit objectives. For example, in a substantive procedure relating to the recording of accounts receivable, a misposting between customer accounts does not affect the total accounts receivable. Therefore, it may be inappropriate to consider this an error is evaluating the sample results of this particular procedure, even though it may have an effect on other areas of the audit such as the assessment of doubtful accounts. 22. When the expected audit evidence regarding a specific sample item cannot be obtained, the auditor may be able to obtain sufficient appropriate audit evidence through performing alternative procedures. For example, if a positive account receivable confirmation has been requested and no reply was received, the auditor may be able to obtain sufficient appropriate audit evidence that eh receivables is valid by reviewing subsequent payments from the customer. If the auditor does not, or is unable to perform satisfactory alternative procedures, or if the procedures performed do not enable the auditor to obtain sufficient appropriate audit evidence the item would be treated as an error. 23. The auditor would also consider the qualitative aspects of the errors. These include the nature and cause of the error and the possible effect of the error on other phase of the audit. 24. In analyzing the errors discovered, the auditor may observe that many have a common feature, for example, type for transaction, location, product line, or period of time. In such circumstances, the auditor may decide to identify all items in the population which possess the common feature, thereby producing a sub-population, and extent audit procedures in this area. The auditor would than perform a separate analysis based on the items examine for each sub population. Projection of errors 25. The auditor projects the error results of the sample to the population from which the sample was selected. There are several acceptable methods of projecting error results. However, in all the cases, the method of projection will need to be consistent with the method used to select the sampling unit. When projecting error results, the auditor needs to keep in mind the qualitative aspects of the errors

found. When the population has been divided into sub-population, the projection of errors is done separately for each sub-population and the results are combined. Reassessing sampling risk 26. The auditor needs to consider whether errors in the population might exceed the tolerable error. To accomplish this, the auditor compares the projected population error to the tolerable error taking into account the results of other audit procedures relevant to the specific control or financial statement assertion. The projected population error used for this comparison in the case of substantive procedures is net of adjustments made by the entity. When the projected error exceeds tolerable error, the auditor reassesses the sampling risk and if that risk is unacceptable, would consider extending the audit procedure or performing alternative audit procedures. Effective date 27. This statement on Standard Auditing Practices becomes operative for all audits relating to accounting periods beginning on or after April 1, 1998.

Q.6 What factors influence the internal control environment? Give examples for each factors. Ans:- Introduction This paper on Business Environment and Internal Control Factors (BEICFs) is one in a series of industry position papers by the AMA Group1 on business practices affecting the implementation of AMA in the United States. It is intended to help initiate a dialogue between the industry and the regulatory community on this aspect of the implementation of the AMA. Background BEICFs are risk measures used in the management and measurement of operational risks. They are one of four elements identified in Basel II, Pillar 1 that AMA institutions must consider in estimating their minimum capital requirement operational risk. The other three are internal loss data, external loss data and scenario analysis. The U.S. Rule for Risk Based Capital Standards: Advanced Capital Adequacy Framework, published in the Federal Register on December 7, 2007, suggests that they are forward-looking indicators of the risk profile. The Basel Framework goes a bit further and discusses them as a way of achieving the alignment of risk management to capital, and of providing some immediacy in

capital estimates. Beyond that however, there appears to be no precise generally accepted regulatory definition of BEICFs yet. Industry Practices A recent RMA survey of AMAG members indicates that most use BEICFs for risk management purposes and that almost all of them consider BEICFs as at most an indirect input into their models for capital estimation purposes. Many firms, including about two thirds of the core firms surveyed, use BEICFs to make ex-post adjustments to their capital estimation calculations. Whether they are positive or negative, these adjustments are typically kept within percentage limits, because of the uncertainty that exists about the relationship between future losses and BEICF values. About half of core and a number of opt-in firms use BEICFs to allocate capital among business units. For 1 The Advanced Measurement Approaches Group (AMAG) was formed in 2005 by the RMA at the suggestion of the U.S. Inter-Agency Working Group on Operational Risk. The RMA the Risk Management Association -is a member-driven professional association whose purpose is to advance the use of sound risk management principles in the financial services industry. The purpose of the AMAG is to share industry views on aspects of AMA implementation with the U.S. financial services federal regulatory agencies. The Group consists of senior operational risk management professionals working at financial service organizations throughout the United States. The AMAG is open to any financial institution regulated in the United States that is either mandated, opting in, or considering opting in to Basel II. A senior officer responsible for operational risk management represents each member institution on the AMAG. Of the twenty or so US financial service institutions that are currently viewed as mandatory or opt-in Basel II institutions, sixteen were members of the AMAG at the time of this Survey, and there were thirteen members as of the time of this writing. The names of AMAG members that agree with this Industry Position Paper are shown in Attachment 2. Their institutions are listed for identification purposes. This paper does not necessarily represent the views of RMAs institutional membership at large, nor the views of the individual financial service firms whose staff have participated in the AMAG.Support for the AMAG is provided by RMA and Operational Risk Advisors LLC. capital estimation purposes, Risk Control Self Assessment (RCSA) results are the most commonly applied BEICFs,followed by audit scores, statistics on regulatory exam issues and other key risk indicators, in that order. Industry Positions Position 1: BEICFs are defined as measures that track changes in the operational risk in the business environment and changes in the effectiveness of a firms controls. The environment is defined to include both the internal and external circumstances of the firms businesses, and controls are defined as processes that the firm has in place to reduce or eliminate its operational risks.

The business environment is the internal and external circumstances of a firms businesses that can materially affect its operational risk profile. This includes: the quality and availability of the firms people, vendors, and other resources; the complexity and riskiness of the businesses, the products they deliver and the processes they use to deliver them; the degree of automation of the product process and the firms capacity for automation; the legal and regulatory environment for the businesses; and the evolution of the firms markets, including the diversity and sophistication of its customers and counterparties, the liquidity of capital markets it trades in and the reliability of the infrastructure that supports those markets.

Internal controls are the detective and preventive processes the firm has in place to reduce the frequency or the severity of operational risk losses or to eliminate altogether the chance of operational risk events. Controls operate by reducing the exposures created by the business environment, by detecting causes, by preventing specific individual risks from arising and by mitigating their effects when they do arise. They can be specific like the confirmation process after a trade or the due diligence before a new hire, or general like a risk and control self assessment process used to detect and assess risks. They can be manual, like the supervisory end-of-day review of a traders tickets, partially automatic, like the sign-off often required at certain steps in loan processing by software before the process can proceed, or fully automatic, like many software and building access controls. Controls, however, do not include such things as: insurance an asset with contingent worth; risk indicators, which may be used in a control but, are not themselves processes; or business processes which contribute directly to the delivery of services to customers. Many risk management processes that support trade-offs of risk and return are not controls. An example might be the use of a screening system that enhances transaction risk management. The system does not enforce a particular behavior so much as enable improved decision making about risk. Factors are leading measures or indicators of change in the environment or in control effectiveness. Although past losses are an indicator of future losses, loss data are excluded from factors in the context of capital estimation to avoid doublecounting, because those data are always taken into account in the other three elements. Otherwise many kinds of objective and subjective measures can be used as factors, including such things as:

measures of business expansion, such as numbers of new products and increases in gross and net revenues; the number of customer complaints; the number of audit points and other measures tracking regulatory and policy compliance and progress in closing any gaps in existing practices; outputs from risk and control self assessments, including indicators reflecting the emergence of new risks, the effectiveness of existing controls, control gaps, and progress in closing them; and other risk indicators, including general indicators like staff turnover and specific ones like peak capacity utilization in a trading system.

Position 2: BEICFs are more useful for risk management than measurement. The Basel Framework and U.S. Rule (see Attachment 1) leave the impression that BEICFs are primarily of value in the context of capital estimation. All AMAG member firms believe that the main value of BEICFs is as tools for managing operational risk. Some firms include BEICFs in risk reporting on changing conditions and control effectiveness; use them to set thresholds determined by policy; to benchmark one units performance against anothers; to define triggers for escalation; and in balanced scorecards for performance evaluation. Firms use BEICFs to characterize and report on the dynamics of the business environment and on the state of their internal controls. BEICFs add value in risk management by providing definition and specificity to policy on risk appetite and tolerance, and by prompting line manager responses to signals of critical changes in the business environment and internal control effectiveness. Investment in the development of additional BEICFs should usually be driven by where they are likely to make the largest impact on management, as opposed to capital estimation. Position 3: Firms need flexibility to tailor their choice of BEICFs, depending on availability, applicability, usefulness, purpose and integration. Availability and applicability of BEICFs will depend on such things as the business profile, process architecture, degree of automation and the rate of change in external circumstances in other words, the business environment. The usefulness of individual measures will depend on: the level in the organization of the manager who is using them; the risk appetite and tolerance of the organization; the management style; and the relevance of available measures to understanding the business environment and controls. In reporting, the usefulness will also depend on

the extent to which measures are supplemented by descriptive information and analysis on, for example, causality. A firm's choice of BEICFs will also depend on the purpose for which they are being used and the manner in which they are integrated into the AMA framework. This includes how they are included in the management reporting process, and whether they are used as a direct or indirect input (the latter, typically through scenario analysis) into the capital model. Other important considerations include providing information that is useful for line of business risk management, appropriately balancing effectiveness with efficiency, and leveraging existing sources of information. Position 4: BEICFs should play a secondary role in capital estimation. If it is ever possible to establish significant statistical relationships with future loss distributions, BEICFs may become more useful in capital estimation. Until then, their use should remain secondary to internal and external loss data and scenario analysis. For capital estimation, they should be an input into scenario analysis or into a global adjustment to a calculated capital estimate reflecting considerations not otherwise taken into account. In the latter case, it may well make sense to continue the current practice of the majority of AMAG firms and limit their overall effect to an increase or a decrease of some specified amount such as 5%, 10%, 20% or 30%.

Master of Business Administration MBA Semester 3 MF0013 Internal Audit and Control 4 Credits (Book ID: B1211) Assignment Set 2 (60 Marks) Q. 1 Why Internal check is necessary? Choose an organization of your choice and find out how internal checks are put in place.

Ans:Internal check:Internal check is an important process of internal control system. Under the system of internal check, it is ensure that the job performed by one employee gets checked, automatically by another employee. No employee, alone, allowed handling transactions from beginning to end. Example: Please recall what happens when you visited a bank branch to encash a cheque. First, you produce the cheque to a counter, where the official concerned issued you a token and enters the token numbers on the back of the cheque and in the token book. The cheque is then send to the ledger clerk, who verify the balance in your account and makes debit entry therein. The cheque then sent to an officer, who verify your signature on the cheque with bank records, and if it tallies then he sends the cheque to the cashier to make payment. The cashier makes the payment against the token handed over to you and records it in his cash register. This is an excellent example of internal check. Here arrangement is such that the job of one employee is automatically checked by other. From the above discussion, we can summarize some characteristics of internal check: 1. Proper segregation of duties 2. Automatic checking of job 3. Multiple recording of same transactions 4. Rotation of jobs 5. Prevention of errors and frauds 6. Separation of custodial and recording functions. Let us understand the concept of internal check with a practical example of a medium sized manufacturing company regarding its purchases. Purchases should be supervised by and organized by a separate department called purchase department or procurement department. The department should be headed by a qualified and trained senior officer. The department should maintain a list of approved suppliers with whom orders for making purchases are regularly placed. The purchase process should invariably be start with the placing of a requisition duly authorized by a senior official to the purchase department.

Each department of the company should have a book of requisition slips bearing serial numbers. The purchase department should maintain a register of books of requisition slips issued to different departments. The purchase department should keep a separate record of requisition forms received from different departments.

Upon receipt of a requisition, the purchase department should send inquiry letter to the listed suppliers for quotation of the price, fright and delivery terms. After examination of the terms quoted by suppliers, the purchase department should place an order with the supplier selected by it. It should also send copies of the order to the Accounts Department, stores department and the department which has made the requisition. In case an order has been placed with a supplier other than the one who had quoted the lowest price, the reason for the same should be recorded. The procedure relating to receipt, inspection, acceptance and transfer of the goods to concerned departments, should be clearly laid down. Receipt of goods should be recorded in the Goods Received (or Inward) Register. The person in charge of receiving the goods should prepare a Goods Received Note (or Materials Received Report) and send a copy thereof to the Accounts department and to the department upon whose requisition the good have been ordered. Goods received should be inspected to see that they are exactly as ordered. This should be dome with the assistance of the inspection department and the department which has requisitions the goods. The final inspection report should send to Accounts department. Wherever possible, goods received note and goods inspection note may be combined. Upon receipt of the suppliers invoice, the purchase (or the Accounts) department should check it with the order and the goods received/ inspection note to ensure that the rate, discount, quality and quantity of the goods are exactly as earlier agreed. After due checking, necessary particulars of the purchase should be recorded in the purchase register and the number of the purchase order should be marked on the invoice.

The Accounts department should not make payment to the supplier unless the invoice has been passed for payment by an authorized person after due verification. In case any advance sum has been paid to the supplier against the order, it should be adjusted from the total amount of the bill and only the net amount should be paid to him. Goods received should also be entered in respective stores ledgers. From there, the relevant entries should be passed in the stock (bin) card. In case any goods are rejected on account of being defective or for any other reason, they should be returned to the supplier and not entered either in the stores ledger or the bin cards. For the goods returned to the suppliers, credit note should be obtained from him (against a debit note prepared in his name) failing which a debit entry should be passed in his individual account. Where only a part of the goods are returned to the supplier as being defective, the items to be entered on the bin cards or stores ledger should be those actually accepted, and the goods received note should be prepared accordingly. In such a case, either the bill is passed only for the value of goods actually accepted, or a fresh bill is demanded from the suppliers. In such a case, as also where the supplier has overcharged in respect of any of the items, a credit note may also be obtained from him. All incoming credit notes should be numbered and stamped the same way as invoices. These should also check with the advice note covering the return of rejected goods to the supplier.

Q.2 Detail the specific problems of electronic data process relating to Internal control. Ans: - Specific Problems of Electronic Data Process relating to Internal Control In an EDP system, the following problems arise in the implementation of internal control: (a) Separation of duties: In a manual system, separate individuals are responsible for initiating transactions, recording transactions, and custody of assets. As a basic control, separation of duties prevents or detects errors and irregularities. In a computer system, however, the traditional notion of separation of duties does not always apply. For example, a program may reconcile a vendor invoice against a receiving document and print a cheque for the amount owed to a creditor. Thus,

this program is performing functions that in a manual systems would be considered incompatible. In a minicomputer and microcomputer environments, separation of incompatible functions may be even more difficult to achieve. Some minicomputers and microcomputers allow users to change programs and data easily; furthermore, they provide no record of these changes. If the minicomputer or micro computer does not have an inbuilt capability to provide a secure record of changes, it may be difficult to determine whether incompatible functions have been performed by system users. (b) Delegation of authority and responsibility: A clear line of authority and responsibility is an essential control in both manual and computer systems. In a computer system, however, delegating authority and responsibility in an unambiguous way may be difficult because some resources are shared among multiple users. For example, one of the objectives of using a database management system is to provide multiple users with access to the same data, thereby reducing the control problems that arise with maintaining redundant data. When multiples users have access to the same data and integrity of the data is somehow violated, it is not always easy to trace who is responsible for corrupting the data and who is responsible for identifying and correcting the error. Some organizations have attempted to overcome these problems by designating a single user as the owner of data. This user assumes ultimate responsibility for the integrity of the data. (c) Competent and trustworthy personnel: The technology of data processing is now exceedingly complex much more complex than in the days of manual systems. Highly skilled personnel are needed to develop, modify, maintain and operate todays computer systems. Thus, the existence of competent and trustworthy personnel becomes even more important when computer systems are used to process an organizations data, since a relatively small number of individuals assume major responsibility for the integrity of the data. Unfortunately, assuring that an organization has competent and trustworthy data processing personnel has been a difficult task. Historically, well trained and experienced data processing personnel have been in short supply. Therefore, organizations sometimes have been forced to compromise in their choice of staff. Moreover, it is not always easy for an organization to assess the competence and integrity of its EDP staff. High turnover in the data processing industry has been the norm, and the rapid evolution of technology inhibits managements ability to evaluate an employees skills. (d) System of authorizations: Management issues two types of authorizations to execute transactions. General authorizations establish policies for the organization to follow. For example, a fixed price list is issued for personnel to use when products are sold. Specific authorizations apply to individual transactions: for example,

acquisitions of major capital assets may have to be approved by the board of directors. In a manual system, auditors evaluate the adequacy of procedures for authorization by examining the work of employees. In a computer system, authorization procedures often are embedded within a computer program. For example, the order entry module in a sales system may determine the price to be charged to a customer. Thus, when evaluating the adequacy of authorization procedures, auditors have to examine not only the work of employees but also the veracity of program processing. (e) Adequate documents and records: In a manual system, adequate documents and records are necessary to provide an audit trail of activities within the system. In computer systems, documents may not be used to support the initiation, execution and recording of some transactions. For example, in an online order entry system customers orders received by telephone may be entered directly into the system. Similarly, some transactions may be activated automatically by a computer system: for example, an inventory replenishment program may initiate purchase orders when stock levels fall below a set amount. Thus, no visible audit or management trail may be available to trace the transaction. The absence of a visible audit trail is not a problem for the auditor provided that systems have been designed to maintain a record of all events and there is a means of accessing these records. In a well designed computer systems. Audit trails are often more extensive than those maintained in manual systems. Unfortunately, not all computer systems are well designed. Some minicomputer and microcomputer software packages for example, provide inadequate access controls and logging facilities to ensure preservation of an accurate and complete audit trail. When this situation is coupled with a decreased ability to separate incompatible functions, serious control problems can arise. (f) Physical control over assets and records: Physical control over access to assets and records is critical in both manual systems and computer systems. Computer systems differ from manual systems, however, in the way they concentrate the data processing assets and records of an organization. For example, in a manual system, a person wishing to perpetrate a fraud may be maintained at a single site the data processing installation. Thus, the perpetrator does not have to go to physically distance locations to execute the fraud. This concentration of data processing assets and records also increases the loss that can arise from computer abuse or a disaster. For example, a fire that destroys a computer room may result in the loss of all major master files in an organization. If the organization does not have suitable backup, it may be unable to continue operations.

(g) Adequate management supervision: In a manual system, management supervision of employee activities is relatively straight forward because managers and employees are often at the same physical location. In computer systems, however, data communications may be used to enable employees to be closer to the customers they service. Thus, supervision of employees may have to be carried out remotely. Supervisory controls must be built into the computer system to compensate for the controls that usually can be exercised through observation and inquiry. (h) Comparing recorded accountability with assets: Periodically, data and the assets that the data purports to represent should be compared to determine whether incompleteness or inaccuracies in the data exist or shortages in the assets have occurred. In a manual system, independent staff prepares the basic data used for comparison purposes. In a computer system, however, programs are used to prepare this data. For example, programs may sort an inventory file by warehouse location and prepare counts by inventory item at different warehouses. If unauthorized modifications occur to the programs or data files that the programs use, an irregularity may not be discovered.

Q.3 Explain the principal considerations in internal control on: a. Purchases and creditors b. Fixed assets Ans:- a. Purchase and Creditors:Basic considerations for having an effective internal control system for Purchase and Creditors are as follows: 1. The procedure for issuing purchase requisitions should be specified. 2. Where tenders are invited, the procedure for opening and acceptance thereof should be laid down. 3. The preparation and authorization of purchase orders should be under a senior manager. 4. Predetermine guidelines should exist for inspection of goods received, especially with regard to quantity and quality. 5. Documents showing the receipt and acceptance of goods should also be send to the accounts department. 6. The goods receipt documents should be cross checked with final purchase orders.

7. An authorize official from the accounts department should be made responsible for checking suppliers invoices, documents regarding purchase returns, purchase records, payments to suppliers, maintenance of ledger accounts and reconciliation of statements sent by suppliers. 8. Before payments are made to suppliers, payment documents duly authorized by a senior official, showing that the goods have been received as specified in the purchase order should be verified by the accounts department. 9. Adequate procedures should be established with regard to purchase returns, discounts on account of inferior quality of goods, and other similar adjustments. 10. Lawful policies and procedures should be implemented with regard to purchases from the companies under the same group and from the employees. 11. The accounts of various suppliers should be confirmed periodically from statements received from them. b. Fixed Assets:Basic considerations for having an effective internal control system for Fixed Assets are as follows: 1. Payments for fixed assets should be made only after authorization of the top management. 2. Capital expenditure budget should be prepared regularly. 3. Fixed assets registers should be maintained showing brief particulars of all items. 4. Fixed assets should be physically verified periodically. Serial numbers should be allotted to each item for easy identification. 5. Proper accounting records should be maintained for expenditure during the construction period distinguishing carefully between capital and revenue expenditure. 6. Sale, scrapping, or write off of fixed assets should be allowed only under proper authorization of the top management. The receipts from such disposals should be properly accounted for. 7. Depreciation rates should be properly authorized. Q.4 Explain the steps of evaluating internal control systems using flow chart. Ans:-

Introduction:- The flow charting technique is an important technique for evaluation of the internal control system. It is a graphic presentation of internal controls in the organization and is normally drawn up to show the controls in each section or sub section. As distinct from a narrative form, it provides the most concise and comprehensive way for reviewing the internal controls and the evaluators findings. In a flow chart, narratives, though cannot perhaps be totally banished are reduced to the minimum and by that process, it can successfully bring the whole control structure, especially the essential parts thereof, in a condensed but meaningful manner. It gives a birds eye view of the system and is drawn up as a result of the auditors review thereof. It should, however, not be understood that details are not reflected in a flow chart. Every detail relevant from the control point of view and the details about how an operation is performed can be included in the flow chart. Essentially a flow chart is a diagram full with lines and symbols and, if judicious use of them can be made, it is probably the most effective way of presenting the state of internal controls in the clients organization. A properly drawn up flow chart can provide a neat visual picture of the whole activities of the section or department involving flow of documents and activities. More specifically it can show: a) At what point a document is raised internally or received from external sources. b) The number of copies in which a document is raised or received. c) The intermediate stages set sequentially through which the document and the activity passes. d) Distribution of the document to various section department or operations. e) Checking authorization and matching at relevant stages. f) Filing of the documents g) Final disposal by sending out or destruction. As a matter of fact a very sound knowledge of internal control requirements is imperative for adopting flow charting technique for evaluation of internal controls, also it demands a highly analytical mind to be able to see clearly the inter division of a job and the appropriate control at relevant points. A flow chart is normally a horizontal one in which documents and activities are shown to flow horizontally from section to section and the concerned sections are shown as the vertical column head; in appropriate cases an individual also may be shown as the vertical column head. Care should be taken to see that the first column head is devoted to the section or the individual wherefrom a transaction originates and the placements of other column heads should be in the order of the actual flow of the transaction. It has been stated earlier that a flow chart is a symbolic representation the flow of activity and related documents through the section from origin to conclusion. These can be sales, purchases, wages, production

etc. Each one of the main functions is to be linked with related functions for making a complete course. Purchase is to be linked with sundry creditors and payments; sales with sundry debtors and collection. For actual drawing of the flow chart, the auditor has to formulate his symbols to reflect the flow and the connected details. There should be a direction of movement for the activity and documents, at several stages new documents may be added, documents may be matched, annexed or destroyed; there may be points for checking the documents. This will depend upon the details that the auditor can get from the section head or by a process of verification on the basis of the rough flow chart. Skinner an Anderson in their book Analytical Auditing has suggested the following symbols for the use of auditors: Sometimes, it is necessary to briefly narrate some aspects of flow or control on the flow chart. Those which could be entered on the chart itself, without making it cumbersome, should be recorded in the chart. For example, if the billing section makes the calculation of the sales tax payable by customer, this is a relevant fact and it can be expressed by entering S.T. Calculation alongside the document. It will not make the chart less intelligible. But if the requirement for narration is slightly bigger, to effectively supplement the information on the flow chart, the narration should be given at the bottom of the chart by making the exact position of the chart needing the narration by an asterisk or some other suitable symbol, which in turn should be corresponded at the bottom. For example, on a flow chart on production you may have to narrate how production orders are initiated. This will be slightly bigger narration and it should be provided at the bottom. The keying symbol should be placed by the side of the document and the narration at the bottom. It should, however, be remembered that wherever it is possible to obviate the use of narration, it should be so done and, when it is unavoidable, necessary use of keyed narration should be made. Generally, a questionnaire is also is also enclosed with a flow chart, incorporating questions, the answers to which are to be looked into from the flow chart. In fact, the questionnaire is a guide for the study of a control system through flow charts.

Q.5 Lehman Brothers Holding filed for Chapter 11 bankruptcy protection following the massive exodus of most of its clients, drastic losses in its stock and devaluation of its assets. In context with this case, examine internal control and risk assessment system. Ans:- Introduction:-

Lehman Brothers Holdings Inc. was a global financial services firm which, until declaring bankruptcy in 2008, participated in business in investment banking, equity and fixed-income sales, research and trading, investment management, private equity, and private banking. It was a primary dealer in the U.S. Treasury securities market. Its primary subsidiaries included Lehman Brothers Inc., Neuberger Berman Inc., Aurora Loan Services, Inc., SIB Mortgage Corporation, Lehman Brothers Bank, FSB, Eagle Energy Partners, and the Crossroads Group. The firm's worldwide headquarters were in New York City, with regional headquarters in London and Tokyo, as well as offices located throughout the world. On September 15, 2008, the firm filed for Chapter 11 bankruptcy protection following the massive exodus of most of its clients, drastic losses in its stock, and devaluation of its assets by credit rating agencies. The filing marked the largest bankruptcy in U.S. history. The following day, the British bank Barclays announced its agreement to purchase, subject to regulatory approval, Lehman's North American investment-banking and trading divisions along with its New York headquarters building. On September 20, 2008, a revised version of that agreement was approved by Judge James Peck. During the week of September 22, 2008, Nomura Holdings announced that it would acquire Lehman Brothers' franchise in the Asia Pacific region, including Japan, Hong Kong and Australia. as well as, Lehman Brothers' investment banking and equities businesses in Europe and the Middle East. The deal became effective on 13th October 2008. Lehman Brothers' investment management business, including Neuberger Berman, was sold to its management on December 3, 2008. Creditors of Lehman Brothers Holdings Inc. retain a 49% common equity interest in the firm, now known as Neuberger Berman Group LLC. It is the fourth largest private employee-controlled asset management firm globally, behind Fidelity Investments, The Capital Group Companies and Wellington Management Company. A March 2010 report by the court-appointed examiner indicated that Lehman executives regularly used cosmetic accounting gimmicks at the end of each quarter to make its finances appear less shaky than they really were. This practice was a type of repurchase agreement that temporarily removed securities from the company's balance sheet. However, unlike typical repurchase agreements, these deals were described by Lehman as the outright sale of securities and created "a materially misleading picture of the firms financial condition in late 2007 and 2008." On March 11, 2010, Jenner & Block, a court-appointed examiner, published the results of its year-long investigation into the finances of Lehman Brothers. This report revealed that Lehman Brothers used an accounting procedure termed repo 105 to temporarily exchange $50 billion of assets into cash just before publishing its

financial statements. The action could be seen to implicate both Ernst & Young, the bank's accountancy firm and Richard S. Fuld, Jr, the former CEO. This could potentially lead to Ernst & Young being found guilty of financial malpractice and Fuld facing time in prison. In Unit 11, you have learned how to evaluate internal control system. In this we will discuss about various dimensions of internal control. Risk Assessment is an important dimension of internal control system. SA 315, Identifying and Assessing the Risk of Material Misstatement Trough Understanding the Entity and its Environment, states that: The objectives of the auditor to identify and assess the risks of material misstatement, whether due to fraud and error, at the financial statement and assertion levels, through understanding the entity and its environment, including the entitys internal control, thereby providing a basis for designing and implementing responses to the assessed risks of material misstatement. This will help the auditor to reduce the risk of material misstatement to an acceptably low level. Obviously, you are thinking, what is risk? In simple term risk is the variability of actual happening from the expected happening associated with a given event. In financial world, risk is the variability of the actual return from the expected return associated with a given asset. Auditing is primarily related to forming an opinion on financial statements of an enterprise. For forming an opinion, auditor has to rely on the accuracy and reliability of financial data and the effectiveness of internal control system. Naturally that means he is taking a risk. In this unit, we will discuss how auditors assess those risks. In this unit, we will also discuss the internal control system applied in Bank and Insurance companies. Banking and Insurance companies by nature entails a huge amount of risk and resultantly, internal control systems in context of these organizations have special importance for sound business operations. Internal Control and Risk Assessment:- The nature and extent of the procedures performed by the auditor to obtain an understanding of the accounting and internal control systems generally depend on: Nature of policies or kind of procedures, Changes in operating environment, Size and complexity of the business, Way of documentation of business operations, Auditors assessment of inherent risk.

The auditor should make a study of internal control relevant for his audit. Although most controls related to audit are relevant for financial reporting but all controls

relevant for financial reporting may not be relevant for audit. It is the judgment of auditor to decide whether a control individually or in combination with other is relevant for audit or not. Auditor normally classified audit risk for assessment into control risk and inherent risk. Control risk signifies that a material misstatement could occur but would not be prevented or detected by internal control system. Inherent risk signifies the chances that recording of transactions have been done either erroneously or under the influence of management fraudulent activity. Assessment of control risk Assessing control risk is the process of evaluating the effectiveness of an entitys accounting and internal control systems in preventing or detecting material misstatements in the financial statements. After having a basic idea of the accounting and internal control system, the auditor should make an initial assessment of control risk for the appropriate assertions in the financial statements. When planning the audit approach, the auditor should consider the initial assessment of control risk (in conjunction with his assessment of inherent risk) to determine the appropriate detection risk to accept for the financial statement assertions. Some of the procedures performed to obtain understanding of the accounting and internal control systems may not have been specifically planned as tests of control but they may provide evidence about the effectiveness of both the design and operation of policies and procedures relevant to certain assertions and, consequently, serve as tests of control (e.g. in obtaining understanding of the system pertaining to cash, the auditor may have obtained evidence about the effectiveness of bank reconciliation process through inquiry and observation). Relationship between the assessments of inherent and control risks: In many cases, inherent risk and control risk are highly interrelated. Also management often reacts to inherent risk situations by designing accounting and internal control systems to prevent and detect mis- statements in such situations, if the auditor attempts separately to assess inherent and control risk when they are highly interrelated, there is a possibility of inappropriate risk assessment. As a result, audit risk may be more appropriately determined in such situation by making a combined assessment. The auditor, in forming his opinion on financial information, needs reasonable assurance that transactions are properly recorded in the accounting records and that transactions have not been omitted. Internal controls, even if fairly simple and unsophisticated, may contribute to the reasonable assurance the auditor seeks. The auditors control risk assessment, together with the inherent risk assessment, influences the nature, timing and extent of substantive procedures to be performed to reduce detection risk to an acceptable level. The assessed levels of inherent and control risks cannot be sufficiently low to eliminate the need for the auditor to perform any substantive procedure for significant account balance and transaction classes. Consequently, regardless of the assessed levels of inherent and control risks the auditor should perform some substantive procedures. The higher the assessment of inherent and control risk, the more assurance the auditor must

obtain from the performance of substantive procedures. When both inherent and control risks are assessed at a high level, the auditor should also consider whether substantive procedures will provided sufficient assurance to reduce detection risk to an acceptable level. When the auditor determines that detection risk cannot be reduced to an acceptable level, he should either qualify or disclaim the opinion or, if this is not practicable, withdraw from the engagement. Q. 6 Explain the importance of working papers. Ans:- Important Working Papers :According to SA 230, Documentation, issued by the Institute of Chartered Accountants of India, audit working papers consists of: (a) Evidence obtained during the audit examination; (b) Details of the methods and procedures followed by the auditor during such examination; and (c) Conclusions reached by him as regards the objects of the audit. Working papers are the documents based on which the auditor expresses his knowledge of accounting principles and procedures as applied in the preparation of reports, statements and analysis of business information. To form his opinion as regards the informations in the financial statements the auditor has to select, analyze and examine adequate evidence which stands the test of logic and veracity. The evidence may be physical or documentary; and in the form of books of account, records, or the system of internal control operated by the enterprise under audit. The working papers serve as the proof of how the relevant evidence was obtained, analyzed, examined and pieced together to reach reasonably logical and verifiable conclusions. The following are various important working papers: Audit programme Schedule of debtors and creditors, fixed assets, investments etc. Certificates of officials with regard to bad debts. Correspondence with debtors, customers, bankers, creditors etc. and confirmations obtained from them. Certificate as regards quantity and value of stock in trade. Certificate from an authorized official with regard to inclusion of all outstanding assets and liabilities in the final accounts.

Adjustments entries in the journal Particulars of investments, depreciation etc. Trial balance Copies or excerpts from the minutes of the meetings of Board of directors, and shareholders. Copies or excerpts of significant contract, leases etc. Draft of audit report and the final copy.

The importance of working papers is due to following reasons: Planning, organization, control and review of audit work: Working papers provide a means of planning, organizing, controlling, administering and review of the work. They are the supporting evidence that the audit was conducted as per the generally accepted, auditing standards and practices. Basis of auditors opinion: Working papers are the basic documents for the report of the auditor. They also provide a proof that generally accepted auditing standards and practices have been duly followed in the conduct of work. If the validity of the auditors opinion, assertion or recommendation as to the financial statements is later questioned, working papers can be produced as an evidence to establish the said opinion or assertion. The auditor should therefore ensure that the working papers are conclusive and complete in every respect, leaving no question raised therein unanswered. Division of labor: Working papers help in appropriate division of work among the audit staff, in the sense that different working papers may be made the responsibility of different audit clerks under the supervision of a senior clerk or the auditor himself. The progress of the work can thus be effectively monitored even where the audit work extends to different offices or branches of monitored. Even where the audit work extends to different offices or branches of the client, the audit programmes may be divided into so many parts, or separate audit programmes may be prepared for each place, and then working papers prepared at each place may be compiled at the central office to have an overall view of the work. Use as permanent record: Working papers constitute a permanent record of auditing procedure employed, and the financial records examined. The client can make use of these, in case his own records are lost. Bridge between original transactions and financial statements: Working papers provide an important link between original transactions and the financial statements. This is because an auditors work mostly consists in tracing the business transactions, though on a sample basis, from the original records to the financial statements, and vice versa. Working papers also constitute the basis for making rectification and adjustment entries.

Basis for review and revision of internal controls: Internal control questionnaires form part of the working papers. Comments as to the working of the internal control system will also be found in working papers relating to audit tests in respect of each aspect of the enterprise. Thus, working papers facilitate an in-depth review of the internal control system, which forms the basis of recommending suitable changes therein. Basis for evaluation and training of audit staff: Working papers provide a means to test whether the auditor and his staff have done their jobs as per the required standards. They serve as an index to the auditors ability to plan and organize the audit, because at each stage of audit, he has to take decision as to the nature of evidence to be obtained and the tests to which evidence should be subjected. Review of the past years working papers and reports submitted by senior audit clerks can also be used as a basis to provide the required training to the staff. Basis for further work: In the course of his examination, the auditor may come across certain situations or conditions in the pattern of management of the clients business which, though not directly connected with his work and, therefore, being outside the purview of his report, may nevertheless be useful in future planning. Thus, the notes and analysis prepared by the auditor as part of his working papers may also prove useful to the client in several other areas.