SET - 1

1. Write a note on the following: a. Internal Audit b. Code of ethics for internal auditor

Answer:

a. Internal Audit

The Governing Body of each agency is responsible for establishing the internal audit function, and the head of internal audit is primarily accountable to the Governing Body. The head of internal audit will report to the Audit Committee on their function, and to the chief executive (or to an officer nominated by the chief executive) for administrative purposes such as authorisation of expenditure and approval of travel and leave.

Guideline: The governing body is responsible for determining the need for and scope of internal audit activity. It may delegate this responsibility to the Audit Committee. The head of internal audit ideally would have no executive or managerial powers, authorities, functions or duties except those relating to the management of the internal audit function. The head of internal audit should be responsible to an individual in the organisation with sufficient authority to promote independence and to ensure broad audit coverage, adequate consideration of engagement communications and appropriate action on engagement recommendations.

Each agency must establish an internal audit function where it is cost effective to do so.

Guideline: An internal audit function should be established, unless the costs of such a function outweigh the benefits to be derived. This may be the case where size, risks, complexity, geographical distribution or materiality do not justify the associated cost. In determining the need for an internal audit function, consider: the size and scale of the organisation; the organisation's complexity / diversity; the organisation's overall risk profile; the history of past issues and incidents; cost benefit; and the existence of alternative mechanisms to provide adequate assurance on compliance and the operation of internal controls.

If an internal audit function is not warranted, the governing body must take alternative steps to obtain an appropriate level of assurance from an equivalent function. Alternative in-house assurance activities and / or compliance functions that are sufficiently robust and rigorous may be regarded as an equivalent function. The need for an internal audit function should be reviewed annually.

b. Code of ethics for internal auditor

In his book Practical Guide for Internal Audit, R.S. Adukia explains the code of ethics for internal auditors as follows:

This code of ethics sets the minimum requirements for the performance and conduct of internal auditors. This code applies to all internal auditors but does not supersede or replace the requirement on individuals to comply with ethical codes issued by professional institutes of which they are members or student members, or with any organizational codes of ethics or conduct.

There are four main principles:

1. Integrity: The integrity of internal auditors establishes trust and thus provides the basis for reliance on their judgment.
2. Objectivity: Internal auditors exhibit the highest level of professional objectivity in gathering, evaluating, and communicating information about the activity or process being examined. Internal auditors make a balanced assessment of all the relevant circumstances and are not unduly influenced by their own interests or by others in forming judgments.
3. Confidentiality: Internal auditors respect the value and ownership of information they receive and do not disclose information without appropriate authority unless there is a legal or professional obligation to do so.
4. Competency: Internal auditors apply the knowledge, skills, and experience needed in the performance of internal audit services.

Achieving compliance with code of ethics

i) Securing integrity: The internal auditor should:
a) Perform his/her job honestly, diligently and with responsibility.
b) Perform his/her profession in harmony with the acts and other generally binding regulations.
c) Avoid any illegal activity and any activity discrediting the internal auditor's profession.
d) Respect the legal and ethical objectives of the organization.
e) Take care that his/her integrity is not compromised.

ii) Objectivity: The internal auditor should:
a) Avoid taking part in activities or relations which may damage, or might be understood as damaging, his/her unbiased assessment, including activities or relations which may be in conflict with public interests.
b) Avoid accepting anything that may damage, or might be understood as damaging, his/her objective professional assessment.
c) Protect his/her objectivity against political influence.
d) Disclose all substantial facts known to him/her that, if left undisclosed, might misrepresent the conclusions on the activities or events assessed.

iii) Observing Confidentiality: The internal auditor should:
a) Be careful when using and protecting information he/she gathered when auditing.
b) Avoid disclosing or making use of the information obtained during the performance of the auditor's activities in order to damage the interests of another person or organization.
c) Avoid making use of the information obtained during the auditor's activities for personal enrichment, or in a way which would be in conflict with the law or which would damage legitimate and ethical interests of the organization.

iv) Demonstrating Competence:
a) It is a pre-requisite that all internal audit staff are aware of and understand:
1. The organization's aims, objectives, risks and governance arrangements.
2. The purpose, risks and issues affecting the service area to be audited.
3. The terms of reference for the audit assignment, so that there is a proper appreciation of the parameters within which the review is to be conducted.
4. The relevant legislation and other regulatory arrangements that relate to the service area to be audited.
b) The internal auditor should keep educating himself constantly in order to have a good command of the internal audit techniques and auditing standards necessary for obtaining, examining and evaluating the information.

v) Maintaining Audit Independence: Internal auditors should be independent of the activities they audit. Internal auditors are considered independent when they can carry out their work freely and objectively. Independence permits internal auditors to render the impartial and unbiased judgments essential to the proper conduct of audits. This is achieved through organizational status and objectivity. Independence stands for an internal auditor being able to take a stand and report on materiality issues, uninfluenced by any favors, coercion or undue influence.

2. Comment on "An auditor is a watch dog and not a blood hound."

Answer:

Auditor is Watchdog, not a Blood Hound

The word Audit is derived from the Latin word Audire, which means to hear. When a person starts a business, various transactions related to cash and bank arise in the business. When the accounts are prepared, an auditor is appointed to check them. It is the auditor's responsibility to establish the true and fair value of the business. In most audits, fraud risk will be one of several risks that are evaluated as part of the business processes under audit. If fraud is suspected, the internal auditor may be asked to perform a forensic audit specifically to detect fraud. Under today's investor confidence legislation, such as Sarbanes-Oxley and Ontario Bill 198, management must have a robust antifraud program to safeguard assets and minimize the risk of fraudulent financial reporting.

Case: Kingston Cotton Mills Company (1986)

An auditor is not bound to be a detective or to work on the suspicion that there is something wrong. He is a watchdog, not a bloodhound. He is justified in believing tried servants of the company and is entitled to rely upon their representations, provided he takes reasonable care.

"Auditor is Watchdog, not a Blood Hound" means that, just as a watchdog always thinks of its owner, an auditor always thinks of the owner of the company. It is the auditor's responsibility to establish the true and fair value of the business and to give all the details (errors and frauds) of the business. But this task is difficult, because the people who commit fraud in the company give wrong information to the company.

The duty of the auditor is not to harm any other person. He is always sincere, systematic, honest, truthful and tactful. An auditor has professional knowledge and is an expert in his own field. In case of any unwanted situation, the remedial action has to come from the owner of the entity. The auditor has to discharge his responsibility by reporting the irregularities found in the audit.

3. List out the factors that influence the control environment prescribed by SA 400: Risk assessment and internal control.

Answer:

42. The level of detection risk relates directly to the auditor's substantive procedures. The auditor's control risk assessment, together with the inherent risk assessment, influences the nature, timing and extent of substantive procedures to be performed to reduce detection risk, and therefore audit risk, to an acceptably low level. Some detection risk would always be present even if auditors were to examine 100 percent of the account balances or class of transactions because, for example, most audit evidence is persuasive rather than conclusive.

43. The auditor should consider the assessed levels of inherent and control risks in determining the nature, timing and extent of substantive procedures required to reduce audit risk to an acceptably low level. In this regard the auditor would consider:
(a) the nature of substantive procedures, for example, using tests directed toward independent parties outside the entity rather than tests directed toward parties or documentation within the entity, or using tests of details for a particular audit objective in addition to analytical procedures;
(b) the timing of substantive procedures, for example, performing them at period end rather than at an earlier date; and
(c) the extent of substantive procedures, for example, using a larger sample size.

44. There is an inverse relationship between detection risk and the combined level of inherent and control risks. For example, when inherent and control risks are high, acceptable detection risk needs to be low to reduce audit risk to an acceptably low level. On the other hand, when inherent and control risks are low, an auditor can accept a higher detection risk and still reduce audit risk to an acceptably low level. Refer to the Appendix to this SAP for an illustration of the interrelationship of the components of audit risk.

45. While tests of control and substantive procedures are distinguishable as to their purpose, the results of either type of procedure may contribute to the purpose of the other. Misstatements discovered in conducting substantive procedures may cause the auditor to modify the previous assessment of control risk. Refer to the Appendix to this SAP for an illustration of the interrelationship of the components of audit risk.

46. The assessed levels of inherent and control risks cannot be sufficiently low to eliminate the need for the auditor to perform any substantive procedures. Regardless of the assessed levels of inherent and control risks, the auditor should perform some substantive procedures for material account balances and classes of transactions.

47. The auditor's assessment of the components of audit risk may change during the course of an audit, for example, information may come to the auditor's attention when performing substantive procedures that differs significantly from the information on which the auditor originally assessed inherent and control risks. In such cases, the auditor would modify the planned substantive procedures based on a revision of the assessed levels of inherent and control risks.

48. The higher the assessment of inherent and control risks, the more audit evidence the auditor should obtain from the performance of substantive procedures. When both inherent and control risks are assessed as high, the auditor needs to consider whether substantive procedures can provide sufficient appropriate audit evidence to reduce detection risk, and therefore audit risk, to an acceptably low level. When the auditor determines that detection risk regarding a financial statement assertion for a material account balance or class of transactions cannot be reduced to an acceptable level, the auditor should express a qualified opinion or a disclaimer of opinion as may be appropriate.

4. If you are an internal auditor of a branch of an insurance company, how do you prepare an internal control scheme?

Answer:

Internal Control Schemes

A professional accountant is often asked to formulate schemes of internal control in various functional areas of an organization. Drafting a scheme of internal control is similar to drafting an internal control questionnaire. Detailed knowledge of the business process is vital in both cases.

However, when a scheme of internal control is drafted, the various statements are given in the form of instructions, whereas in an internal control questionnaire the auditor asks the client specific questions. For example, a scheme of internal control over fixed assets may state the following: "A written approval from the General Manager of the plant must be taken before selling or transferring any fixed assets." A specific question in the internal control questionnaire in this regard may be: "Has a written approval from the General Manager of the plant been taken before selling or transferring any fixed assets?"

In formulating schemes of internal control or drafting an internal control questionnaire, the following important points should be kept in mind:

i. Understanding various stages of a transaction: Understanding the various stages of a transaction is very important for formulating a scheme of internal control or drafting an internal control questionnaire. Each job or transaction passes through various tasks. Detailed knowledge of these tasks and their links with other tasks is crucial.

ii. Distribution of duties: This is vital for formulating a scheme of internal control or drafting an internal control questionnaire. The duties should be divided in such a way that no person alone handles a transaction completely from beginning to end, and the work of every person is, in the ordinary course, checked by another person in the same or another department.

iii. Rotation of duties: There are various advantages of rotating employees on different jobs periodically. Firstly, it ensures that no employee can have a vested interest in his job. If the clerk processing purchase orders is changed every six months, the suppliers will find it difficult to develop permanent contacts. Secondly, each employee will keep his work up to date because he knows that somebody else will check his work. Thirdly, work does not suffer due to the absence of any employee, because another person with the required experience is always available.

iv. Review: An internal control scheme should provide for a periodic review of the system to ensure that the prescribed scheme is being followed as far as practicable. Many organizations entrust internal audit departments with the responsibility for periodic review of the system, including the controls.

5. Explain the appraisal of accounting system and related internal control.

Answer:

Appraisal of Accounting Systems and related Internal Control

Though the scope, objectives and general approach of auditing do not change in a computerized environment, the extent of audit procedures and the nature of the programme are definitely affected. Hence an auditor must have a clear understanding of the client's accounting system and related internal control. An appraisal of the accounting system and an in-depth study of the internal control surrounding it will guide him in forming an opinion about the extent of his audit.

The auditor, before undertaking detailed audit tests, must satisfy himself about the inputs and outputs of the accounting system. He should keep in mind the principle of "Garbage in, Garbage out", which means that wrong input will always give wrong output. Hence, the auditor must satisfy himself that the inputs given to the accounting system are correct, that the accounting system itself is correct, and that the outputs satisfy the needs of the organization.

A review of the accounting system and internal controls may be comprehensive in a first-time audit or in a complex computer system. The review in a recurring audit or of a relatively simple EDP system will normally require less time. Since computer applications can be more easily modified during design and development than after implementation, the auditor should consider commencing the audit review during system development. This will provide an opportunity to identify and design audit procedures, including the Computer Assisted Audit Techniques (CAATs), before the new application is operational.

The auditor should review the accounting system to gain an understanding of the overall control environment and the flow of transactions. Such a review generally includes a survey of the organization, management, personnel and nature of transactions. If the auditor wishes to rely on internal controls in conducting the audit, he should also identify and make a preliminary appraisal of those controls on which it might be effective and efficient to rely.

The auditor should specially focus on the EDP organization structure. He should verify whether the structure is in line with the following guidelines:

Care must be taken to ensure adequate separation of duties within the EDP function. Moreover, EDP should be separate from user departments, and EDP personnel should not initiate transactions. Separation within the EDP function should include at least the following employees:

1. EDP Manager: Is in overall charge of the data processing activity.
2. Systems Analysts: Design new systems and modify existing systems in accordance with the information needs of the users.
3. Programmers: Write and test programs based on the system design and/or modification.
4. Computer Operators: Process transactions through the system in accordance with the operator instructions for the application being updated.
5. Input Preparation Group: Converts input data to a machine-readable form.
6. Librarian: Maintains custody over master files and programs. Permits access only on the basis of proper authority.
7. Data Control Group: Distributes output, monitors reprocessing of errors, and compares input with output on a test basis.

Ensure that the EDP manager reports to a sufficiently high level to ensure the necessary breadth of computer application within the entity. Reporting to only the chief accountant or the sales manager, for example, might restrict computing goals and prevent maximum usage of EDP capabilities.

6. Mention some of the general EDP controls.

Answer:

General Controls

These controls apply to a wide range of exposures that systematically threaten the integrity of all applications processed within the Computer Based Information System (CBIS). The sub-divisions of general controls are as follows.

OPERATING SYSTEM CONTROLS

The operating system (OS) allows users to share and access common computer resources. It is the computer's control program. If the OS's integrity is compromised, controls within individual accounting applications may be neutralized. Since the OS is common to all users, the larger the computer facility, the greater the scale of potential damage.

Tasks performed by OSs:
Translating high level languages into machine level languages
Allocating computer resources to users
Job scheduling and multiprogramming

Control Objectives

To perform the above-mentioned tasks reliably and consistently, the OS should achieve the following control objectives:
1. The OS should protect itself from users and user applications.
2. The OS must protect users from each other (hacking).
3. The OS must protect users from themselves (one module of an application may destroy another module of the same program).
4. The OS should be protected from itself.
5. The OS should be protected from its environment (shutting down the system in the event of power failure or other mishaps so that it can recover later).

Operating System Security (Security Components in OS)

Log on Procedure
The log on procedure is used to restrict access to the system. It is the first line of defense against unauthorized access. When a user initiates a process, he or she is presented with a dialogue box requesting a user ID and password. Access is granted only if a matching user ID and password are submitted.

Access Tokens
If the log on attempt is successful, the OS creates an access token that contains key information about the user, such as user ID, password and user privileges. The information in the access token is used to approve all actions attempted by the user during the session.

Access Control Lists
An access control list contains information that defines the access privileges for all valid users of the resource.

Discretionary Access Control
The system administrator determines who is granted access to a specific resource and maintains the access control list. In distributed systems, resources may be controlled by end users, and in this case they may be granted discretionary access control, which allows them to grant access privileges to other users.

Threats to OS Integrity
OS control objectives are sometimes not achieved due to flaws in the OS that are exploited accidentally or intentionally.

Accidental Threats
These include hardware failures that cause the OS to crash and errors in user applications. Such failures may cause memory to be dumped to disk, which may result in unintentional disclosure of sensitive information.

Intentional Threats
Such threats include attempts to illegally access data or violate user privacy for financial gain. Sources of such threats are:
1. Privileged personnel who abuse their authority.
2. Individuals who browse the OS to identify and exploit security flaws.
3. Users who insert computer viruses or other malware applications.

Controlling Access Privileges
Privileges determine which directories, files, applications and other resources an individual or group may access. Privileges should be carefully administered and closely monitored for compliance with organizational policy and principles of internal control.

Various Methods
Password Control: A password is a secret code entered by the user to gain access to a system, application etc.
Reusable Passwords: The user defines a password to the system once and then uses it to gain future access. The quality of the security provided by a reusable password depends on the quality of the password.
One-time Passwords: Here the user's password changes continuously. To gain access, the user must provide both a secret reusable PIN and the current one-time-only password for that point in time.
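
The one-time password method described above, a secret reusable PIN plus a code valid only for the current point in time, as an added example that is not part of the original notes. It assumes the time-based variant standardised in RFC 6238 (HMAC-SHA1, 30-second steps); the class and function names, the PIN and the shared secret are constructed for illustration.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 30  # lifetime of one code (assumption: the RFC 6238 default)
DIGITS = 6         # length of the displayed code


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """Code for one time-step counter (RFC 4226 dynamic truncation)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = DIGITS) -> str:
    """The one-time password for the given point in time."""
    return hotp(secret, unix_time // STEP_SECONDS, digits)


def hash_pin(pin: str, salt: bytes) -> bytes:
    """The reusable PIN is stored only as a salted, slow hash."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 200_000)


class OtpVerifier:
    """Server-side check for one user: PIN and current code must both match."""

    def __init__(self, secret: bytes, pin_hash: bytes, salt: bytes):
        self.secret = secret
        self.pin_hash = pin_hash
        self.salt = salt
        self.last_counter = -1  # highest time step already accepted

    def verify(self, pin: str, code: str, unix_time: int,
               drift_steps: int = 1) -> bool:
        pin_ok = hmac.compare_digest(hash_pin(pin, self.salt), self.pin_hash)
        current = unix_time // STEP_SECONDS
        matched = None
        # Allow one step of clock drift either side, but never a step that
        # was already used: a code observed once cannot be replayed.
        for counter in range(current - drift_steps, current + drift_steps + 1):
            if counter <= self.last_counter:
                continue
            expected = hotp(self.secret, counter).encode()
            if hmac.compare_digest(expected, code.encode()):
                matched = counter
        if pin_ok and matched is not None:
            self.last_counter = matched
            return True
        return False


if __name__ == "__main__":
    secret = b"12345678901234567890"   # constructed shared secret
    salt = b"constructed-salt"
    verifier = OtpVerifier(secret, hash_pin("4821", salt), salt)
    code = totp(secret, 59)
    print("code at t=59:", code)
    print("wrong PIN   :", verifier.verify("0000", code, 59))
    print("PIN + code  :", verifier.verify("4821", code, 59))
    print("replay      :", verifier.verify("4821", code, 59))
    print("stale code  :", verifier.verify("4821", code, 200))
```
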

Controlling Against Viruses and Other Destructive Programs (Malware)

Virus
A virus is a destructive program that attaches itself to a legitimate program to penetrate the OS. It destroys application programs, data files and the OS. A virus may attack in a variety of ways:
1. Replicating itself over and over within the main memory, thus destroying whatever data / programs are resident in memory.
2. Spreading through the network to other systems.
A virus commonly attaches itself to the following types of files:
1. .exe / .com / .ovl program files
2. Boot sector of a disk
3. A device driver program

Worm
A worm is a program that burrows into the computer's memory and replicates itself into areas of idle memory. The main difference between a virus and a worm is that the replicated worm modules remain in contact with the original worm that controls their growth. The replicated virus modules grow independently of the initial virus.

Logic Bomb
It is a virus / worm that is triggered by some predetermined event, like a particular date. E.g. Michelangelo Virus.

Back Door (Trap Door)
It is a software program that allows unauthorized access to a system without going through the normal (front door) log on procedure. Such back doors are usually created by the programmers.

Trojan Horse
A Trojan horse is a program that captures the user IDs and passwords of unsuspecting users by mimicking the normal log on procedures of the OS. When the user enters his ID and password, the Trojan horse stores a copy of them in a secret file.

Ways to Control Threats From Malware
1. Purchase software only from reputed vendors.
2. Examine all software updates for viruses before installing.
3. Conduct educational programs to raise user awareness.
4. Test all new application software with anti-virus software.
5. Routinely make backup copies of key files.
6. Use anti-virus software which scans the system for possible virus infections.

Controlling Audit Trails
Audit trails are logs that can be designed to record activity at the system, application and user level. They provide an important detective control to help accomplish security policy objectives. An effective audit policy will capture all significant events without cluttering the log with trivial activity.

Audit Trail Objectives / Uses

Detecting Unauthorized Access
Real-time detection:
a. To protect the system from outsiders who are attempting to breach system controls, and
b. To report changes in system performance that may indicate infestation by a virus or worm.
After-the-fact detection: Such trails are used to determine if unauthorized access was accomplished, or attempted and failed.

Facilitating Reconstruction of Events
Audit trails can be used to reconstruct the steps that led to events such as system failures, security violations or application processing errors.

Promoting Personal Accountability
Audit trails can be used to monitor activity at the lowest level of detail. This is a preventive control that can be used to influence behavior.

Implementing an Audit Trail
Audit trails can be used to measure the potential damage and financial loss caused by security violations. They also provide valuable evidence for assessing the adequacy of the controls in place.
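
After-the-fact detection as described under Detecting Unauthorized Access, shown as an added example that is not part of the original notes: a review pass over a log on audit trail that separates access that was attempted and failed from access that was accomplished after repeated failures. The log format, event names, user names and thresholds are assumptions constructed for this example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit trail. Assumed format: timestamp, event, key=value.
SAMPLE_TRAIL = """\
2024-03-01T09:00:02 LOGIN_FAIL user=asharma src=10.0.0.15
2024-03-01T09:00:40 LOGIN_OK user=asharma src=10.0.0.15
2024-03-01T09:10:01 LOGIN_FAIL user=payroll src=10.0.0.77
2024-03-01T09:10:09 LOGIN_FAIL user=payroll src=10.0.0.77
2024-03-01T09:10:15 LOGIN_FAIL user=payroll src=10.0.0.77
2024-03-01T09:10:31 LOGIN_OK user=payroll src=10.0.0.77
corrupted line
2024-03-01T11:00:00 LOGIN_FAIL user=ledger src=10.0.0.91
2024-03-01T11:00:05 LOGIN_FAIL user=ledger src=10.0.0.91
2024-03-01T11:00:09 LOGIN_FAIL user=ledger src=10.0.0.91
2024-03-01T11:00:12 LOGIN_FAIL user=ledger src=10.0.0.91
2024-03-01T14:00:00 LOGIN_FAIL user=asharma src=10.0.0.15
2024-03-01T14:20:00 LOGIN_FAIL user=asharma src=10.0.0.15
2024-03-01T14:40:00 LOGIN_FAIL user=asharma src=10.0.0.15
"""


def parse_line(line):
    """Return a record dict, or None when the line is not a valid entry."""
    parts = line.split()
    if len(parts) < 2:
        return None
    try:
        when = datetime.fromisoformat(parts[0])
    except ValueError:
        return None
    fields = dict(p.split("=", 1) for p in parts[2:] if "=" in p)
    if "user" not in fields:
        return None
    return {"time": when, "event": parts[1], **fields}


def review_trail(text, threshold=3, window=timedelta(minutes=5)):
    """Scan the trail in time order and return (findings, skipped_lines).

    ATTEMPTED    : `threshold` failed log ons for one user inside `window`.
    ACCOMPLISHED : a successful log on that directly follows such a burst.
    Unparseable lines are counted, not silently dropped, because gaps in
    an audit trail are themselves something the reviewer needs to see.
    """
    recent_failures = defaultdict(deque)  # user -> timestamps of failures
    findings, skipped = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            skipped += 1
            continue
        failures = recent_failures[rec["user"]]
        # Forget failures that have aged out of the window.
        while failures and rec["time"] - failures[0] > window:
            failures.popleft()
        finding = {"user": rec["user"], "time": rec["time"],
                   "src": rec.get("src", "?")}
        if rec["event"] == "LOGIN_FAIL":
            failures.append(rec["time"])
            if len(failures) == threshold:  # report once per burst
                findings.append({"kind": "ATTEMPTED", **finding})
        elif rec["event"] == "LOGIN_OK":
            if len(failures) >= threshold:
                findings.append({"kind": "ACCOMPLISHED", **finding})
            failures.clear()
    return findings, skipped


if __name__ == "__main__":
    results, bad = review_trail(SAMPLE_TRAIL)
    for f in results:
        print(f["time"].isoformat(), f["kind"], f["user"], f["src"])
    print("unparseable lines:", bad)
```

A single mistyped password followed by a success, and failures spread over a long period, produce no finding; only bursts inside the window do.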

SET - 2
1. Write a note on the following: a. Internal audit b. Statutory audit

Answer:

a. Internal Audit

The Governing Body of each agency is responsible for establishing the internal audit function, and the head of internal audit is primarily accountable to the Governing Body. The head of internal audit will report to the Audit Committee on their function, and to the chief executive (or to an officer nominated by the chief executive) for administrative purposes such as authorisation of expenditure and approval of travel and leave.

Guideline: The governing body is responsible for determining the need for and scope of internal audit activity. It may delegate this responsibility to the Audit Committee. The head of internal audit ideally would have no executive or managerial powers, authorities, functions or duties except those relating to the management of the internal audit function. The head of internal audit should be responsible to an individual in the organisation with sufficient authority to promote independence and to ensure broad audit coverage, adequate consideration of engagement communications and appropriate action on engagement recommendations.

Each agency must establish an internal audit function where it is cost effective to do so.

Guideline: An internal audit function should be established, unless the costs of such a function outweigh the benefits to be derived. This may be the case where size, risks, complexity, geographical distribution or materiality do not justify the associated cost. In determining the need for an internal audit function, consider: the size and scale of the organisation; the organisation's complexity / diversity; the organisation's overall risk profile; the history of past issues and incidents; cost benefit; and the existence of alternative mechanisms to provide adequate assurance on compliance and the operation of internal controls.

If an internal audit function is not warranted, the governing body must take alternative steps to obtain an appropriate level of assurance from an equivalent function. Alternative in-house assurance activities and / or compliance functions that are sufficiently robust and rigorous may be regarded as an equivalent function. The need for an internal audit function should be reviewed annually.

b. Statutory audit

An audit which is made mandatory under any law is called a Statutory Audit or External Audit. The scope of a statutory audit cannot be restricted. Various details such as the scope of audit, the qualifications of an auditor, and his rights, duties and liabilities are fixed by the concerned law. Some examples are:
1. The Companies Act, 1956, covering audit of limited companies.
2. The Banking Regulation Act, 1949, applicable to audit of banking companies.
3. The Insurance Act, 1938, governing audit of insurance companies.
4. The Electricity (Supply) Act, 1948, governing audit of Electricity Boards/Companies.
5. Cooperative Societies Act and Public and Charitable Trust Act of various states, dealing with audit of these entities.

Features

Certain features of the statutory audit may be noted as follows:
1. As the statutory audit is prescribed by law, the shareholders/owners of the enterprise cannot make it optional.
2. Statutory audit is conducted by a person properly qualified and competent under the law applicable to the enterprise.
3. The rights, duties and liabilities of a statutory auditor cannot be curtailed by the shareholders/owners of the enterprise.
4. The statutory auditor is a representative of the shareholders/owners of the enterprise.

Statutory audit is of great value to the persons and agencies associated with the enterprise. It safeguards the interests of the public against defalcations and scams.

Standards on Auditing (SA) 200A: Objectives and scope of an audit of financial statements (relevant portion only)

You are aware that the Institute of Chartered Accountants of India (ICAI) has issued a number of Standards on Auditing (please refer to Unit-1). Here we are discussing the relevant portion of SA 200A.

Objective of audit of financial statements: The objective of an audit of financial statements is to enable an auditor to express an opinion as to the truthfulness and fairness of financial statements.

Relationship of auditor's opinion with propriety of business conduct: The auditor's opinion helps to establish the reliability of the financial statements. SA 200A has specifically pointed out that:

"The user, however, should not assume that the auditor's opinion is an assurance as to future viability of the enterprise or the efficiency or the effectiveness with which the management has conducted the affairs of the enterprise."

Thus, the auditor does not give an opinion on the propriety of business conduct or its future prospects. However, as per the requirements of SA 570, Going Concern, the auditor should evaluate whether the going concern concept is applicable to the circumstances of the entity and whether it will continue for the foreseeable future, i.e. a period not exceeding one year after the balance sheet date.

Responsibility for the preparation of financial statements: The primary responsibility for the preparation of financial statements is that of the management of the enterprise, and it includes: maintenance of adequate accounting records and internal controls; the selection and application of accounting policies; and the safeguarding of the assets of the enterprise.

Factors affecting the scope of audit: While determining the scope of audit of financial statements, the auditor should consider factors such as terms of engagement, the requirements of relevant legislation and the pronouncements of ICAI. The terms of engagement cannot restrict the scope of an audit that is prescribed by legislation or by the pronouncements of ICAI.

Scope of audit (coverage of all relevant aspects): The auditor's work should cover all material items at individual level or at group level. He should satisfy himself that the information contained in underlying accounting records and source data is reliable and sufficient for preparation of financial statements. The auditor should also decide whether the relevant information is properly disclosed in financial statements. There may be limitations on the scope of audit. Depending upon the materiality and pervasiveness of such a limitation, the auditor should express a qualified opinion or disclaimer of opinion.

Limitations of audit: Absolute certainty in auditing is rarely attainable because (a) the audit work involves judgment, and (b) the nature of evidence is persuasive, which enables the auditor to draw only reasonable conclusions therefrom.

There is always an unavoidable risk that some material misstatement may remain undiscovered in an audit.

Future viability: The auditor's opinion on financial statements is not an assurance on future viability of the business.

2. Differentiate internal audit and internal check.

Answer: Internal audit system is a critical evaluation of the functioning of various departments of the enterprise. Internal audit implies an audit of books of account by the employees of the organization itself. Internal audit is done by a separate department known as the internal audit department. Its staff may or may not have the required professional qualifications. An internal auditor has to see that there is no wastage and the business is carried on efficiently. For example, he checks whether tenders were invited when furniture was purchased, and whether waste material was sold by auction or by inviting tenders, and to the highest bidders.

Difference between internal audit and internal check

Following are the main differences between internal check system and internal audit system:
1. Way of checking: In internal check system work is automatically checked, whereas in internal audit system work is checked specially.
2. Cost involvement: In internal check system checking is done when the work is being done. Mistakes can be checked at an early stage in internal check system.
3. Thrust of system: The thrust of internal check system is to prevent the errors, whereas the thrust of internal audit system is to detect the errors and frauds.
4. Time of checking: In internal check system checking is done when the work is being done, whereas in internal audit system work is checked after it is done. Mistakes can be checked at an early stage in internal check system.

Thus, by combining these two systems, the purpose of prevention and detection of errors and frauds can be achieved.

3. Describe internal audit tests.



Answer: Internal Audit Tests

Audit tests are extensively used by auditors during audit work of any kind, like statutory audit, internal audit, government audit etc. Audit is basically an opinion forming exercise. The auditors are supposed to form an opinion about the financial statements, books of accounts and internal control system of the organization. For this the auditor has to collect audit evidence through detailed audit programmes and procedures (discussed earlier in detail). Before determining audit procedures, the auditor needs to satisfy himself that the internal control system as it exists in the enterprise is actually working effectively. For this he does a number of tests which are called audit tests. With the help of audit tests, the auditor saves his time and cost for the enterprise. Some of the important audit tests, viz. compliance tests, depth tests and rotational tests, are discussed below:

Compliance tests

Compliance tests are tests applied to check that the internal control procedures as laid down are actually followed in practice. For example, through enquiry, the internal auditor comes to know that the Bank Reconciliation Statement is prepared by an official who is independent of the cash and bank department. This is important evidence of an internal control procedure, but before forming an opinion, the internal auditor should satisfy himself through a compliance test that it is actually followed in practice. In a nutshell, compliance tests are tests which the auditor carries out to establish the actual compliance of the internal control system.

Depth tests

A depth test implies a detailed and thorough examination of transactions from their origin to the conclusion. This test includes the thorough examination of the various documents and records created at each stage for a particular transaction to check the existence and implementation of a specific internal control procedure.
For example, verification of cash receipts (including from debtors) can be done in depth by checking the following documents and records:
(a) Prelist of cash receipts
(b) Statement of remittance advice
(c) Ledger of customer account
(d) Sales ledger
(e) Bank statements
(f) Bank deposit slips
(g) The invoices issued to the customers etc.

It is not necessary that the above procedure be followed in the sequence suggested above. The important point is that every aspect of the transaction should be checked. It is worth mentioning here that depth testing is a widely accepted practice in contemporary auditing.

Rotational tests

Rotational tests usually relate to either various areas of audit or various units of the enterprise. The auditor, keeping in view his time constraint, conducts his audit on a rotation basis. Suppose, for example, the organization has 40 branches all over India. In this situation, it will be practically difficult for the auditor to visit all the 40 branches of the business organization. It is normal for the auditor to arrange his visits in such a way that within 4 years (i.e. 10 branches every year) he can visit all the branches. This is called rotational testing. However, in choosing the 10 branches for visits the auditor should follow a random basis.

4. Develop an internal control scheme for Banks.

Answer: Internal control system for banks

The internal control structure of any organization depends upon the size, complexity and risk profile of its operation. However, the basic principle underlying any internal control process is the same: that it is efficient and effective and helps in achieving its desired objectives. The basic components of an effective internal control system of a bank are discussed below:

1. Control Environment: This is the underlying foundation for the success of all the other elements of the internal control. As per Auditing and Assurance Standard 6 issued by ICAI (AAS 6), the control environment means the overall attitude, awareness and actions of directors and management regarding the internal control system and its importance in the entity. The control environment has an effect on the effectiveness of the specific control procedures and provides the background against which other controls are operated. Factors reflected in the control environment include:
(a) The entity's organizational structure and methods of assigning authority and responsibility (including segregation of duties and supervisory functions).
(b) The function of the board of directors and its committees in the case of a company or the corresponding governing body in case of any other entity.
(c) Management's philosophy and operating style.
(d) Management's control system including the internal audit function, personnel policies and procedures.

2. Risk Recognition and Assessment: An effective internal control system requires that all material risks, internal and external, controllable and uncontrollable, that could affect the achievement of the bank's objectives, are recognized and continually assessed. Management must identify, measure and analyze the various kinds of risks faced by the bank at all levels including credit risk, country and transfer risk, market risk, interest rate risk, liquidity risk, operational risk, legal risk, reputation risk etc. This risk assessment process helps the management to be aware of the risks faced by the bank and determine the internal controls required to manage these risks. Risks are not a static phenomenon and keep on changing with time and circumstances. In order to ensure that the system of internal controls that addresses the risks faced by the bank is effective, the management needs to continuously evaluate its risk profile.

3. Control Activities: Control activities are the policies and procedures that ensure that bank personnel are following the management directives for achieving the bank's objectives. Control activities are basic tools through which management ensures that its internal control objectives are realized by controlling the risks assessed as above. As per AAS 6, the internal control system includes control procedures, which are the policies and procedures in addition to the control environment which management has established to achieve the entity's specific objectives. Specific control procedures include:
(a) Reporting and reviewing reconciliations.
(b) Checking the arithmetical accuracy of the records.
(c) Controlling applications and environment of computer information systems.
(d) Maintaining and reviewing control accounts and related subsidiary ledgers.
(e) Approving and controlling of documents.
(f) Comparing internal data with external sources of information.
(g) Comparing the results of physical verification of cash, fixed assets, investments and inventory with corresponding accounting records.
(h) Restricting direct access to assets, records and information.
(i) Comparing and analyzing the financial results with corresponding budgeted figures.

4. Segregation and Rotation of Duties: This is the primary control activity to ensure that frauds and errors are prevented or detected, as the case may be, in a timely manner. Segregation and rotation of duties reduce a person's opportunity to commit fraud and ensure detection of errors and mistakes. For example, the official at the cash counter should not be responsible for maintaining records about cash receipts and payment.

5. Authorization of Transactions: Banks usually follow a system of approvals and authorization to execute specified kinds of transactions in accordance with prescribed conditions. Authorization may be general and applicable to all transactions or specified for a single transaction. Thus it is necessary to ensure that the authorizations are made by persons acting within their scope of authority. For example, management can make a rule that all credit transactions over a specified limit should be passed through and authorized by a higher-level official.

6. Accountability for and Safeguarding of Assets: The accountability and safeguarding of assets can be ensured by maintaining adequate records and limiting access. Access to assets should be limited to authorized personnel and there should be documentation for any access or use. Access is not limited to physical access but also includes indirect access by way of preparing documents for their acquisition or disposal. Periodic checking of actual assets against records also helps to ensure that there has been no fraud, violation etc.

7. Accounting, Information and Communication Systems: An effective internal control system requires that there are adequate and comprehensive internal financial, operational and compliance data, as well as external market information about events and conditions that are relevant to decision making. Information should be reliable, timely, accessible and provided in a consistent format. Banks usually follow the following procedures to achieve these objectives:
(a) All records are maintained in the prescribed books and registers only, which ensures that all requisite particulars of a transaction are adequately recorded.
(b) Each branch is assigned a unique code number which is required to be specified in all the important documents.
(c) All books are balanced periodically and confirmed by an official.
(d) All inter-office transactions are reconciled within a specified time-frame.

8. Monitoring Activities: The overall effectiveness of the bank's internal controls should be monitored on an ongoing basis. Management should ensure that the internal control systems are functioning properly and are suitable in light of changing circumstances. This assessment should be on an ongoing basis to institute preventive and corrective measures in a timely manner. Monitoring can be done both internally and externally. Internal monitoring or self-assessment is done by delegating review functions to the staff at different levels. Monitoring activities are integrated as a part of daily activities as well as undertaken as specified periodic evaluations. For a transparent and fair review of the bank's internal control system, the help of external agencies should be taken. Banks usually have an elaborate, well organized system of internal audit which is carried on by a separate department in the bank or by firms of Chartered Accountants. Banks also have their own vigilance department to investigate matters relating to fraud, misappropriation etc. Additionally, there are also periodic RBI inspections.


5. Discuss the role of internal auditor as a part of management.

Answer: Role of Internal Auditor as a Part of Management

Management is an art and science of conducting the affairs of an organization in such a manner that its goals and objectives are achieved through optimum utilization of available resources. For optimum utilization of available resources, management should quantify its objectives through budget and targets. The role of internal auditors should be to constantly review and monitor the policies, procedures, budget and targets of the organization. Deviations, if any, should be immediately reported to the appropriate authority. The role of internal auditor has been depicted in Figure

Let us discuss the role of internal auditor in the perspective of Figure:

1. Review of Internal Control System: The internal auditor should review the internal control system of the organization. He should determine whether the existing control system is appropriate and adequate keeping in view the objectives of the organization. For example, having a separate credit control department in a smaller size company is not justified if the objective of minimizing customer payment default risk can be achieved through control in-built in the accounting and sales system.

2. Review of Safeguards for Assets: The main concern of management is to establish that all assets of the company are adequately protected against any damage or loss of any kind. Here an internal auditor can play a very important role by reviewing the means used for safeguarding assets against losses, mainly fire, theft, damage due to improper use etc. Proper accounting of all assets should be ensured.

3. Review of Compliance with Policies, Plans, Procedures and Regulations: Every company has its own policies, plans, procedures and regulations for conducting various managerial and non-managerial functions. In this context, the internal auditor should verify that:
a) There is an adequate system by which the policies and plans are communicated to all concerned, and
b) There is proper compliance with policies, plans, procedures and regulations by all.
If he finds any deviation, he should cover it in his report with a suitable recommendation.

4. Review of Organization Structure: A well designed organization structure is the basic requirement for the smooth functioning of any organization. Organization structure defines the authorities and responsibilities of executives. The internal auditor should examine the organization chart to find out whether the structure is simple and economical and that no function enjoys an undue dominance over the others. He should see whether the lines of authority and responsibility are clearly defined and communicated to all the organizational levels. The internal auditor should examine the reasonableness of the span of control of each executive (the number of subordinates that an executive controls). Unity of command is another area which should be examined by internal auditors. Unity of command means each executive should report to only one superior.

5. Review of Utilization of Resources: Optimum utilization of resources is the prime task of the management. For this, management develops operating standards, budgets, and norms to measure and control the use of resources. The internal auditor should compare the standards with actuals, and try to find out the deviations therein. Reasons for deviations should also be established. As a part of evaluating resource utilization, identifying the facilities which are underutilized is an important function of the internal auditor.

6. Review of Reliability of Information: An accurate and reliable management information system is a must for effective managerial decisions. The internal auditor should regularly evaluate the reliability and accuracy of financial and operating information of the organization. He should also check the format and design used for receiving and sending management information. He should talk to users about their opinion of the reliability and accuracy of the information.

7. Review of Achievements of Goals and Objectives: Achievement of goals and objectives is ultimately what managers are paid for. Budgets and targets are quantified objectives of managers of different departments. The internal auditor should review the contribution of every department towards achievement of objectives. The internal auditor serves as the medium through which the top management gets reports of its accomplishment of objectives.


6. Explain the problems encountered in an Electronic Data Processing Environment.

Answer: Problems Encountered in an Electronic Data Processing Environment

Among the problems encountered in an EDP environment, the following are important:
1. The usual controls based on proper segregation of incompatible functions may be absent or may be less effective in an EDP environment. This is because the number of persons involved in the processing of financial information in an EDP environment is comparatively small. Moreover, the need for a centralized data processing function means that certain data processing personnel may be the only ones with a detailed knowledge of the source of the data, how it is used and the distribution and the use of output. This may also mean that they are familiar with the internal controls operating and hence may be in a position to alter the programs or data during processing or while stored. These factors increase the possibilities for manipulation.
2. Poor security for master files: they may be tampered with or lost.
3. Transactions and master file data are often concentrated either in one computer installation located centrally or in a number of installations distributed throughout the enterprise. Computer programs which provide the ability to obtain access to and alter such data are likely to be stored at the same location as the data. This increases the possibilities for unauthorized access to, and alteration of, programs and data.
4. Vulnerability of data and program storage media: magnetic discs or tapes on which large volumes of data are stored while using EDP methods are vulnerable to theft, loss or intentional or accidental destruction.
5. Poor facilities in case of misfortunes, e.g. fire, breakdowns etc.
6. Lack of control over computer service personnel.

The common weaknesses mentioned above relate to the organizational structure of an EDP environment. In addition, system characteristics which result from the nature of EDP processing include the following:
1. There is every possibility for the audit trail to get obscured by the loss of visibility of the accounting records, and the increased amalgamation and summarization of data by computer programs. On the other hand, in a manual system it is possible to follow a transaction through the system by examining source documents, records, files and reports.
2. Data may be entered directly into the computer system without supporting documents.
3. Computerized data may not be retained for as long as manually prepared accounting data.
4. Through the use of remote terminals, it may be possible for unauthorized access to, and alteration of, programs and data by persons inside or outside the enterprise.

