MF0013 Internal Audit and Control

Q1. Discuss in brief the advantages and limitations of auditing.

Ans.

Advantages of Financial Audit 1. Statutory financial audit gives the owners of a company and other stakeholders the
assurance that annual financial reports give true and rational view about the companys

financial performance.
2. Tax audit viz., the audit of financials of the company based on which taxable income

is determined and tax paid is mandatory. Tax auditors report has to be filed with the tax return. 3. Internal financial audit assists the CEO and his team of operating managers regularly and much more frequently in understanding the financial performance of the company and taking corrective actions necessary. 4. Financial audit is an invaluable tool for prevention and early detection of fraud and errors. 5. Audited financial report together with the auditors report is necessary for a company in sourcing funds from banks and other financial institutions. 6. The audited balance sheet of a company read with the auditors report is often the base document for valuation of companies in case mergers, acquisitions or outright sales. Limitations of Financial Audit As per SA 200A issued by The Institute of Chartered Accountants of India, the objective of an audit is to express an opinion as to the true and fair view of the financial statements. The audit gives no assurance on the future viability of the enterprise or the efficiency or effectiveness with which the management has conducted the affairs of the enterprise. It should also be understood that audit of accounts does not guarantee the detection of all the errors. These conceptual restrictions arise due to following inherent limitations of auditing: 1. It is a post-mortem: The annual statutory audit is not a concurrent activity, but starts only after the year is over. Naturally, the auditor has to rely on explanations given to him by the accountant for activities that happened quite a while ago. The essential truth behind some of the figures may therefore stil remain undiscovered.

1|P a ge

MF0013 Internal Audit and Control

2. It is a test check: The auditor cannot examine all the transactions given the time and cost constraints. He applies test checks using statistical sampling techniques. The inherent weaknesses of such methods carry an element of uncertainty or risk. Thus, auditing only reduces and does not eliminate the possibilities of erroror fraud. 3. Inherent limitations of internal control system: An auditor largely relies on the internal controls of the enterprise as he cannot check everything. Internal controls are the inbuilt checks and balances in the companys accounting and administration. But these internal controls themselves are subject to some limitations: (a) Certain levels of management may override control and make exceptions to procedures. (b) Persons operating the internal control and employees or outside parties may collude and render the controls ineffective. (c) There is also human error that may escape the controls.

Q2. Discuss the scope and objectives of internal audit.

Ans. Management Audit as a Subset of Internal Audit Internal audit is audit with clear management and operations focus. It is therefore increasingly believed that internal audit should not only verify financial records, calculations and clerical operations but also appraise operations and management functions for their efficacy and efficiency. Rather than go for a separate management audit or operations audit, it is seen that better results can be achieved with re-orientation of internal auditing to include management audit. To quote Shekhar and Shekhar in Auditing (pp. 105): ________ that under contemporary practices, a wide range of activities is being done by the internal audit department. These activities may broadly be classified as financial and operational audits. Under financial audit the following activities may be included: 1. A continuous review of internal accounting control; 2. The scrutiny of reports and statements, financial or operating, as prepared for management purposes; 3. The ascertainment of the extent to which the assets of the organization are accounted for and safeguarded from losses or damages;
2|P a ge

MF0013 Internal Audit and Control

4. The examination of balance sheet items, tests of balances and transactions as to their authenticity through appropriate tests; etc. Under operational audit following activities may be included: 1. The study and assessment of operating practices to promote increased efficiency and economy; 2. The carrying out of audits to determine whether operating objectives, targets and associated control procedures are properly instituted and the degree to which the desired results are achieved; 3. The examination and the ascertainment of the extent to which established policies, plans and procedures are complied with; 4. The assessment of budgetary standard setting; 5. The assessment of the level of performance in successfully discharging duties and responsibilities assigned. Objectives Historical y, internal audit was conceived as a precursor to the annual statutory audit, and comprised of document-level checking of accounting records to give comfort to external auditors who did not have time for baselevel vouching. Over the years, the function has become far more versatile, going beyond accounting accuracy and venturing into areas of management audit. The key objectives of a good internal audit system are: 1. Evaluation of accounting controls: Ensuring that the checks and balances in the accounting processes are effective and provide the required accounting controls. 2. Compliance with policies and procedures: Verifying compliance with the policies and procedures laid down for key activities and reporting acts of omission and commission. For example, if a purchase order for capital equipment of any value requires the Purchase department to get at least 3 quotes, internal audit have to check if this rule has been followed in all cases, and report exceptions. 3. Protection and optimal utilisation of business assets: Ensuring physical availability and usefulness of fixed assets as per companys records, and checking utilisation of major assets vis--vis plan. For example, a piece of equipment purchased has not been

3|P a ge

MF0013 Internal Audit and Control

installed within a reasonable period of time. The auditor wil check and report on the justification for the asset not having been put to use. 4. Testing the reliability of Management Information Systems (MIS): Reviewing the management reporting structure and the utility of reports flowing out of the system. Internal audit is often considered a part of the finance function of the enterprise since the technical expertise required to do the audit function is available only with the Finance & Accounts professionals. While this is natural, it may be a short-sighted approach. The internal auditor should be free to review and if necessary investigate all management areas, and by making him report to finance this freedom might be compromised. The following extract from the internal audit manual of a public undertaking gives a good idea of the role envisaged for the function and the scope of its activity. Internal audit has to ensure that the accounts are maintained correctly by the accounts department and that the rules, regulations and orders having financial bearing and issued by the competent authorities are observed by al departments. For this purpose, internal audit scrutinizes the accounts with reference to the related documents like purchase orders, receipt vouchers, issue vouchers, cash vouchers, payrolls, adjustment memos, sale invoices, journal entries etc. Internal audit has to review all transactions from the angle of financial propriety and suggest methods of executive action for effecting economy and for safeguarding against fraud, misappropriation or other losses. The emphasis is upon prevention; but where irregularities are detected internal audit should promptly report them to the higher authorities and ensure action is taken promptly. Internal audit has the responsibility of appraising the efficiency of accounting procedures as well as the actual performance of the accounts staff. Internal audit has to undertake special investigations and reviews as may be required from time to time and on the instructions of the Chief Finance Officer. Internal audit is entrusted with the responsibility of conducting physical verification of stores, raw materials, finished products and movable assets.

4|P a ge

MF0013 Internal Audit and Control

Internal audit should check the accuracy of monthly journal entries prepared by various sections before these are passed on to the central accounts section for incorporation in the main and sub-ledgers. Internal audit also has the duty of constantly examining and improving the system of internal checks and controls.

Q3. Explain the role of internal auditor as an integral part of management.

Ans. Role of Internal Auditor in the Companys Management The internal auditor can play a significant role in enhancing the effectiveness of managerial processes in a company, as shown in Figure 4.2.

5|P a ge

MF0013 Internal Audit and Control

Role of Internal Auditor : The specific contributions that an internal auditor can make include: 1. Review of internal control systems: The internal auditor should review the internal control systems of the organisation. He should determine whether the existing control systems are appropriate and commensurate with the objectives, size, etc. of the organisation. For example a small company cannot afford a separate credit control department and so it wil need strong controls in the sales accounting process to minimize customer payment default. 2. Review of safeguards for assets: The auditor should regularly review the adequacy of insurance covers for fixed assets and complete accounting of all transactions relating to fixed assets, etc. 3. Review of compliance with policies, plans, procedures and regulations: The internal auditor should include a regular checklist of compliances by different functions of laid down procedural requirements. When a non-observance is spotted, he should inquire and ascertain the reason for the deviation, and report the event together with the Proposed solution. 4. Review of organisation structure: A well-designed organization structure is the basic requirement for the smooth functioning of any organisation. Organisation structure defines the authorities and responsibilities of executives. The internal auditor should evaluate the organisation structure from the following dimensions: a. Simplicity and lack of ambiguity. b. Clear definition of authority and responsibility at each level. c. Balance of power, to ensure there is no undue dominance of any function. d. Balance of responsibility, to ensure proper unity of command and span of control. e. Effective communication of the organisation chart to all concerned. 5. Review of deployment of resources: The internal auditor reviews utilisation of resources deployed for the business men, machines, money, materials and management to identify deviations both by way of excessive use of resources and resources that are under-utilised. He would be able to do this vis--vis the planned

6|P a ge

MF0013 Internal Audit and Control

capacities and resources, and should include in his report significant trends and happenings. 6. Review of reliability of information: The Management Reporting and Information System (MRIS) of the company is an important aspect to be reviewed by the internal auditor. The content, format, frequency and timeliness of key management reports should be evaluated by discussions with the functional mangers receiving the reports as well aswith the finance manager who is usually the provider of the reports. The objective of this review is to see to what extent the information flow has helped in taking good decisions. 7. Review of achievement of company objectives: While the reviews in the foregoing paragraphs are centred on the management processes, the managers are essential y hired to deliver results and achieve the targets set for them. The internal auditor therefore reviews the final results achieved vis--vis planned results. As they say, the proof of the pudding is in the eating, and if for instance the company has underperformed, audit can make it clear whether the failure to achieve was for internal reasons or external factors beyond managements control.

Q4. Explain the steps in internal audit planning.

Ans. Stages in Internal Audit Planning The three steps through which planning of internal audit takes place are: 1. Understanding of the organisation, its business and its systems. 2. Developing the overall plan. 3. Preparing the audit programme.

7|P a ge

MF0013 Internal Audit and Control

Steps in Internal Audit Planning Step 1: Understanding of the organisation, its business and its systems The internal auditor should first acquire in-depth knowledge of the business and the organisation, to help him understand the events, transactions and practices that have a significant impact on the performance of the company. SA 300 issued by ICAI has very clearly narrated the different sources from where the auditor can obtain knowledge of business. The text mentioned below is based on SA 300 and suitably modified to suit our requirement. Some of the key sources of valuable information about the company are: The companys annual reports to shareholders. Minutes of meetings of important committees, shareholders and Board of directors. Reports of internal financial management for the current year and previous years including budgets. The previous years audit report, management letter* issued by statutory auditors, working papers and other relevant accounts closing files. The organisations policy and procedures manual Large and professionally run companies usually have a Finance and Accounting Procedures Manual (FAPM) and a Delegation of Authority Manual (DOA) which set out the organisations policies and procedures. Publications from the Institute of Chartered Accountants of India and other professional bodies about accounting, reporting and disclosure needs specific to the industry.
8|P a ge

MF0013 Internal Audit and Control

Industry publications, trade journals, magazines, newspaper reports and textbooks. Reports on the state of the economy and its effect on the organizations business. Visits to different plants and branch offices of the organisation and discussions with key divisional and functional heads. The internal auditor should provide enough to questions raised about the previous years statutory audit report and management letter. He should also respond to matters that require attention which have been pointed out by the external auditor. These matters wil definitely merit inclusion in the audit programme. *Management letter is a document given by statutory auditors on Conclusion of the annual audit to the companys Board on aspects of the financial reporting, internal controls and other governance issues that need to be addressed by the management satisfactorily in the current year. These are not serious matters that need to be included by the auditors in the report or to qualify the audit report, but nevertheless deserve attention of the management .Discussion with divisional and functional heads might include the following subjects with regard to the concerned function/division: Organisational structure and activities. Statutory rules and regulations. Major internal and external developments over the last 12 months. Key financial and accounting issues including accounting and reporting standards. Activities in which directors or substantial owners of the entity are interested and value of such activities. Business facilities started and/or closed during the year. Aspects of technology, lines of business, product mix, sales and distribution methods, etc. Apart from helping to establish the overall audit plan, knowledge of the auditees business is important to help the auditor in identifying areas that need special consideration, assessing the rationality of accounting estimates and management representations, and evaluating the correctness of accounting policies and internal control systems.

9|P a ge

MF0013 Internal Audit and Control

Q5.Explain internal control system in banks

Ans. 1 Internal control system in banks Different factors influence the internal control structure of any organisation: size, complexity and risk profile of its operations. In this regard an effective internal control system for a bank should consider the following aspects: 1. Control environment: Control environment is the foundation of an internal control system. It includes and reflects the factors that influence the control consciousness of its people. As per Auditing and Assurance Standard 6 issued by ICAI (AAS6), control environment is the overall attitude, awareness and actions of directors and management about the internal control system and its importance in the entity. Factors reflected in the control environment include: a) Organisational structure of the entity and means of assigning authority and responsibility (including segregation of duties and supervisory functions) b) The function performed by the board of directors and its committees in any company or any similar governing body in any other entity. c) The philosophy of management. d) Systems of management control that includes internal audit, personnel policies, etc. 2. Risk recognition and assessment: To be effective, an internal control system should recognise and continually assess all material risks internal and external, controllable and uncontrol ablethat could affect the achievement of the banks objectives. The bank faces various risks at different levels credit risk, country and transfer risk, market risk, interest rate risk, liquidity risk, operational risk, legal risk, etc. The management must identify, measure and analyse these risks. This risk assessment process will help in making the management aware of the risks faced by the bank and determine the internal controls required to manage these risks. It must also be noted that risks are not static phenomena and so management should continuously evaluate and update its risk profile. 3. Control activities: Control activities are management actions to ensure that the personnel are following the banks established policies and procedures. Specific control procedures include:
10 | P a g e

MF0013 Internal Audit and Control

e) Reporting and reviewing reconciliations. f) Checking arithmetical accuracy of the records. g) Controlling applications and environment of computer information environment systems. h) Maintaining and reviewing control accounts and related subsidiary ledgers. i) Ensuring approval and control of documents. j) Comparing internal data with relevant external information. k) Comparing the results of physical verification of cash, fixed assets, investments and inventory with corresponding accounting records. l) Restricting access to assets, records and information. m) Comparing and analysing results with corresponding budgets 4. Segregation and rotation of duties: Authorities and responsibilities of every department should be clearly defined based on the policies of the management, preferably in writing. There should not be any scope of duplication of jobs, duties and assignments. The entity must have a system of rotation of duties among employees. 5. Authorisation of transactions: Banks usual y prescribe well-set systems of approval and authorisation, both generally applicable and specific to some transactions. As public money is often involved, it is vital that authority levels are not breached. For example an industrial advance sanction may require zonal office clearance, while renewal of the advance may be within the authority of a branch head. 6. Accountability for assets: To ensure accountability and safeguarding of assets, it is important that complete records are maintained and access is limited to the authorised personnel only. Every access and every user should be documented. Periodic checking of actual assets with records and identifying discrepancies must be mandated. 7. Accounting, information and communication systems: A comprehensive system of accounting, financial reporting (both management and statutory) and non-financial analysis and reporting with clear content, format and frequency should be in place. Banks usually adopt the following procedures to meet this need: a) Al records are maintained as prescribed with transaction-level details. b) A unique code number is assigned to each branch and that number should be mentioned in all important documents.
11 | P a g e

MF0013 Internal Audit and Control

c) Al inter office transactions are reconciled methodically during accounts closing. d) Accounts are closed and financials reported as per strictly laid down schedules 8. Monitoring activities: A full-fledged monitoring system should be in place to assess the effectiveness of internal controls continually. Monitoring is done internal y as well as externally. For internal monitoring or self-assessment the review functions are delegated to the staff at different levels. Monitoring activities are integrated to the daily activities as well as undertaken as specified periodic evaluations. For a transparent and fair review of banks internal control system help of external agencies should be taken. Banks usual y follow a wellplanned and organised system for internal audit which is either carried out by a separate department in the bank or by external professionals. They also have their own vigilance department for investigating matters related to fraud, misappropriation, etc. Moreover, periodic RBI inspections are also conducted.

Q6. Explain Computer Assisted Audit Techniques (CAATs).

Ans. Computer Assisted Audit Techniques (CAATs) An auditor uses CAATs to carry out audit procedures while auditing through the computer. Some of these techniques are: 1. Test Data Approach Under this approach transaction data (test data) prepared by auditor is processed by the clients processing system under the control of auditor. The auditor plants certain errors in data along with correct transactions. The results of the processing are compared with the predetermined output by him. If errors are detected by the computer for follow-up and corrections, this indicates that all the application and general controls are functioning properly. The major disadvantage of this approach is the difficulty in designing test data. The auditor must be technically proficient in designing erroneous data. He should assure himself that the programmes being tested are actual y the same as the ones used by the client. 2. Integrated Test Data Approach Under integrated test data approach, the auditor creates a fictitious entity (e.g. fictitious customer and vendor accounts) within the clients actual data.

12 | P a g e

MF0013 Internal Audit and Control

Hypothetical data for fictitious transactions are integrated with actual client data and processed. These are subsequently removed from records of the client by manual y reversing journal entries or through programme commands and then the financial reports are compiled. Advantages: This provides assurance that the programs being tested by the auditor have actual y been used by the client. Itcan also be precisely targeted for specific procedures within the programmes. Disadvantages: Thereis the risk that fictitious transactions impact actual results. Wel laid frauds may be difficult to detect. This approach has a high initial cost. 3. Generalised Audit Software (GAS): In the above approaches the auditor is required to prepare input data or create programs. In case of generalized audit software, audit programmes are designed by computer manufacturers, software professionals and large firms of auditors. The functions which can be performed through GAS are as follows: (a) Examination and review of records based on auditors criteria: The computer can scan the records and point out the exceptions to the criteria established by auditor. For example, software can be designed to scan accounts receivable balances for amounts exceeding the credit limit. (b) Selecting and printing audit samples: The computer can be used to select and print audit samples using statistical or judgmental sampling techniques. For example receivable accounts may be selected for confirmation using random sampling tables and the computer might be used to print the confirmation letters. (c) Testing calculations and making computations: GAS helps the auditor to test the accuracy of computations in clients data files with greater speed as compared to a manual system. For example, the auditor can calculate the doubtful debts to sales ratio for the present year and compare it with the past years to ensure reasonableness of doubtful debts provision for the year under audit. (d) Comparing data on separate files: An auditor can compare data on separate files to determine whether compatible information is in agreement. Differences, if any, should be reconciled and investigated. Examples include comparing paid vouchers to cash

13 | P a g e

MF0013 Internal Audit and Control

disbursement through cheques and purchases of inventory as per tock records to creditors file. (e) Summarising data and performing analysis: The auditor summarises and reorganises client data for his purposes. This can be done faster with the help of GAS. For example, he may want to determine the chances of recovery of debtors by looking at the ageing schedule or summarise inventory turnover statistics to determine slowmoving items. (f) Comparing audit data with clients records: Audited data must be converted to machine-readable form and compared with the information in client records. For example, comments made by the auditor of inventory on hand may be compared with the quantity shown in the perpetual inventory records or stock verification sheets of the client. Use of generalised audit software can greatly assist the auditor in performing compliance substantive tests. Its effectiveness depends upon availability of client data, auditors ingenuity and the strength of clients internal controls.

14 | P a g e