Spring / February 2012

Master of Business Administration MBA Semester 3 MF0013 Internal Audit and Control - 4 Credits (Book ID: B1211) Assignment Set- 1 Note: Each Question carries 10 marks. Answer all the questions.

Q1. Explain the use of sampling technique in Internal Audit Ans: Now a day auditing is going to be tough as huge and bulky transactions are carried out by clients so the auditors have to be careful because there is a time limit for completing the audit assignments as well as they have to take care about quality also and prove their professional efficiency. In today's auditing environment, the auditor seldom performs audit tests on all items in an account balance or class of transactions for the purpose of evaluating some characteristic of the population. Consequently, the evidential matter obtained for an account balance or class of transaction is based upon the reasoning that the characteristics found in a representative sample of a population are reasonably accurate reflections of the characteristics to be found in the whole of that population. Determining whether or not a test of an account balance or class of transactions should include audit sampling depends on the objective to be achieved by the procedure. If the objective of testing the recorded amount of several items included in an inventory balance is to project the results of the test to the entire inventory balance, the auditor should use audit sampling. On the other hand, if the objective were to test for misstatement in only those few items without evaluating the characteristics of the inventory as a whole, the procedure would not involve sampling. The best way to prove efficiency as an auditor is only to perform the audit through sampling base. Not 100% audit. Considering the time constraints and other practical obstructions the auditors have to carry audit work on Sample Basis only. While selecting sample transaction auditors have to consider mainly the following things, which will be helpful in completing the audit assignment with quality and within the time frame. o o o Volume and value of the transactions carried out by the client. Internal Control in the company on its day to day transactions. Procedures adopted by client to complete the day to day transactions.

1

o o

Time lag in completion of work by each and every department involving other department help also. Determining the basic limits of transaction by its nature and value.

The best way in collection of sample data for audit purpose from client business is done through some techniques which are called Auditing techniques through sampling. There are five primary tasks that auditors undertake when performing audit sampling and testing procedures: 1. Preparation of Audit Testing Plan:The preparation of the audit testing plan includes the identification of the population to be tested, the definition of what comprises an exception, and the determination of the sample size. 2. Selection of the items to be tested:Consideration of one of the following methods of selection will determine which items in the population are to be selected for examination: A. Survey A survey is a technique for gathering specific information, through a questionnaire, from a group of transactions, representative of the larger transactions from client side. The responses to the questionnaire generated for transactions are analyzed and projected to the whole transaction trail. Surveys can be used both at the planning (for identifying issues or key concerns in an issue) as well as execution phases of performance audit (for providing necessary evidence). Surveys can collect quantitative information in order to estimate output (performance indicators) or evaluate processes in a project, e.g., assess how well a project is being monitored. Surveys often seek opinion, which is of use in assessing the beneficiary satisfaction/ quality of service provided in the project. Surveys provide a framework for gathering evidence when information required for addressing the audit objective cannot be gained from files and administrative records. Success of a survey depends both on skills and the environment in which the survey is done. If the sample is chosen incorrectly or there are a large number of non-responses or wrong responses, the results projected for the transactions may be erroneous. B. Sampling methods There are different ways in which a statistical sample can be selected. The most frequently used method is random selection where each item in the transactions has a equal chance of selection. Simple random sampling ensures that every transaction has an equal chance of selection. Though simple to administer, the underlying assumption is that the transaction is of same characteristics. In cases where the transaction is of not the same

Spring / February 2012 characteristics, a stratified sampling would be a better option. Here the transactions are sub-divided into same characteristics groups and then a random sampling is done on the groups, ensuring a better representative sample. Each sampling method has its practical use and limitation. The auditor uses his judgment in determining which kind of sampling is best suited to his audit job. It is advisable to take expert advice in judging the most suitable method. Some random sampling methods that are commonly used are Simple random sampling where each transaction has an equal chance of selection. This is useful when the nature of transactions is uniform. Stratified random sampling where the transactions are divided into strata and random sample is drawn from each stratum. Systematic sampling is done through getting sample transactions at equal intervals. Often it might be easier to draw systematic sample than random sample. Cluster sampling where the transactions are divided into clusters and transactions form each cluster are selected randomly. This is useful when the transactions can be easily divided into clusters. Probability proportional to size sampling which is a special case of cluster sampling where clusters are of different sizes; larger clusters have a higher chance of selection. Multi-stage sampling, which is sampling through a series of stages. This may combine the various single-stage sampling methods, e.g., simple, stratified, systematic, cluster sampling, at different stages. With volume of large transactions it is often useful to carry out sampling in two or more stages. At each stage of sampling a suitable method of selecting the sample could be used. Once the method of sampling is decided, it is essential to design the actual sample. 3. Performance of the audit procedures:Following selection of the items, the auditor performs the relevant audit procedure (s) on those items. Any exceptions (which, in the case of tests of control are control deviations and in the case of substantive procedures are misstatements) are noted for subsequent evaluation. 4. Evaluation of exceptions:The auditor evaluates the nature and extent of exceptions found in both the key items and other items selected for the purpose of estimating the actual level of exceptions that exist in the total population. This requires firstly: Qualitative evaluation of exceptions. Quantitative evaluation of exceptions.

3

5. Comparison of tolerable level with estimated actual level:The formation of a conclusion on the work performed requires a comparison of the tolerable level of exceptions with the actual level of exceptions estimated by the auditor as part of the quantitative analysis of exceptions.

Q2. Discuss, in brief, the advantages and limitations of auditing. Ans: Advantages of Auditing A. General 1. Unbiased professional opinion 2. Acts as a moral check on employees 3. Highlighting of weakness in the internal control system 4. Enables timely tax assessments and quick disposal of tax returns. 5. Financial assistance made easier. 6. Solutions to trade disputes and labour disputes 7. Enables sanctioning of license by Govt. 8. Enables early settlement of Insurance claims B. From the point of view of partnership Firms 1. Mutual settlement of Accounts among the partners 2. Protects the interest of minors and non-resident partners 3. Determination of goodwill at the time of admission, retirement and death. 4. Determination of purchase consideration at the time of Amalgamation, Limitation of Audit 1) Excessive dependence in ICS which suffers from inherent weakness 2) Application of test check makes it less reliable 3) It only enables formation of overall opinion about state of health of entity and does not give assurance about the future viability of entity or the effectiveness of management by owners. 4) Audit evidence is more persuasive in nature rather than conclusive in nature Q3. Discuss the main scope and objects of internal audit? Ans: Audit Objectives and Scope The objective of this audit was to conduct a thorough program audit on all aspects related to the Western Diversification Program life cycle. As such, the auditors examined key internal processes and controls as well as

Spring / February 2012 compliance to the Financial Administration Act, WDP Conditions, and Treasury Board Policies with respect to: Terms and

Program Design- Review program Terms and Conditions, financial and performance reporting at the program level, review and document approval authorities, as well as controls and processes. Program Operations - Review controls required to ensure due diligence; review and approve applications in a complete and appropriate manner and provide persuasive assessments based on relevant documentation to support decisions to approve assistance. Review controls required to ensure responsible fund management, and to ensure that resources are used efficiently and that payments and repayments occur in a timely manner. Review and Evaluation - Review findings of past audit and evaluation reports and assess the status of actions taken as a result of past studies. The scope of the audit included an examination of all activities related to WDP and its sub-components, including the management control framework in place at departmental headquarters and at the four regional offices. The Liaison Office in Ottawa was excluded from the scope of this audit as it is not involved in the direct delivery of the WDP. Audit Methodology and Approach In accordance with the audit objectives and the Government of Canada Internal Audit Standards, the audit was carried out in three phases: the planning phase, the conduct phase, and the reporting phase. During the planning phase, the auditors proceeded with a thorough review of documents provided by the department, and of the Treasury Board Secretariat of Canada policies to gain an understanding of the overall legislative and policy framework, as well as the processes relevant to the audit scope. Preliminary interviews were conducted with departmental corporate and regional personnel to gain greater knowledge of management controls and processes in place for the WDP, and to identify key risks associated with the delivery of the program. The purpose of the planning phase was to develop a Risk-Based Audit Program that provides a basis for the orderly, efficient, and cost effective conduct of the audit as well as a criteria base for assessment. During the conduct phase, the audit team visited, as per the scope of the audit, headquarters in Edmonton, and the four regional offices. From these visits, the audit team selected documents; conducted interviews, performed project file reviews, and debriefed management on preliminary findings. Findings for each line of enquiry were summarized and referenced on fact sheets. Facts sheets were prepared for each region and for headquarters and then grouped to reflect audit findings at the program level. Key Audit Risks The audit program was designed to test management's controls that have been developed to mitigate the following key risks associated with the

5

Western Diversification Program: o o o o o o The WDP authorities are not renewed on time and expire; Inadequate due diligence is conducted on projects; There is a lack of clarity over eligibility criteria and assessment against the criteria; Ineligible expenses are funded; Non-compliance to Treasury Board policies or the Financial Administration Act; and Non-compliance with the Treasury Board authorities for the WDP.

Q4. As a senior audit assistant of M/s. Asutosh Associates, you are in charge of internal audit team of M/s Rajesh Technologies involved in the manufacture of plastic tubes. From the information you obtained you find the company is facing liquidity problem for the last two years. You are required to prepare working paper indicating the internal audit problems you would expect to face and how you plan to overcome them. Ans: Get management support by ensuring you all know why internal audits are required and Eliminate: Lack of support from Senior Management Not enough time for internal audit preparation Difficult auditees Time taken to write up the audit results Lets deal with each of these. Management Support It is the Audit Managers job to ensure that senior management understand the importance of internal auditing and compliance requirements. The following tips might help. Communicate the cost of audit observations and the greater cost of not responding to them. Explain the regulatory effect of the nonconforming process. Have a member of management shadow an audit. Communicate savings (in time and money). Ensure management know that internal audits lower business risks and help improve systems and processes to find, reduce waste and save money Preparation.

When the audit is scheduled follow this tried and tested process: As soon as the audit date is agreed, schedule time in your calendar (& the auditees calendar.) Make time in your work schedule for preparation. Prepare an audit plan: how long in each department, who needs to be there. Read the procedures and write up checklists dont rely on your

Spring / February 2012 memory. Read the previous audit report and note the nonconformities that were raised. DONT let other tasks interfere so close your office door or all your best intensions go out the window. Remember auditees will spot a lack of preparation especially if you read their procedures during interviews or ask irrelevant questions. PREPARATION and TIME MANGEMENT are they key pre audit steps. Difficult Auditees Be positive, be prepared, ask open questions, and be appreciative of their time. Communication skills are paramount and where auditees give yes/no answers then frame your questions to start with: How do you .. Tell me .. What does this . Where can I find .. Can you show me .. Never be frightened to stop an internal audit if an auditee is being negative or overly aggressive report back immediately to your Audit Manager but NEVER RAISE YOUR VOICE OR GET INTO AN ARGUMENT WITH AN AUDITEE! Request training: Communications and Internal Auditing, Understand cultural differences. Explain to the auditee the benefits to the company. Ask open-ended questions. Always stop an internal audit during difficult situations with auditees. Dont pretend you know something when you dont. Be realistic in the time you are auditing no auditee wants their whole day take up! Audit Reports. Well done, the audit preparation is complete and a successful audit has now taken place .now to write it all up. This is one of the least-liked tasks, so try these techniques: Complete the internal audit report with 5 days of the audit (ideally within 24 hours if you can!) Schedule time in your calendar for report writing Use a standard internal audit report format Link it to the checklist but remember the checklist is a stand-alone quality record Write clear, audit nonconformities ensuring the auditee can understand them too! Thank the auditee for their time and courtesy Identify any improvements and associated cost savings Ensure Management have a copy of the audit report

Remember the key to a successful audit is everyone knowing that the internal audit process is designed to help the business find issues before they become a major issue or a client complaint.

7

Q5. Detail the specific problems of electronic data process relating to internal control. Ans: Electronic data processing is the function of planning, recording, managing and reporting business transactions by the use of computers and related peripherals. In EDP data is first taken from source documents such as invoices, revenue receipts, payment vouchers, written checks etc. There after data inputs to the computer where it is entered via the keyboard or other data entry peripherals. The entered data is then processed according to the accounting package in use; since there are different structures of modules used in sundry accounting application software, processing of the same data may differ from one package to another. As I said earlier that reporting is one of processing features, then it is apparent or undoubted that types of reports produced by different packages may vary from one system or package to another. For example some system may provide almost all basic financial reports such as The trial balance, The statement of financial position commonly known as the balance sheet, The statement of financial performance which is commonly known as the statement of income and expenditure or the profit and loss account, The statement of cash flows, The statement of changes in equity

These types of packages offering almost all financial reports may be said to be compatible to all types of financial processing needs and are really expensive and used in many business and non-business entities. Turning to other packages that don't offer all statements we can see that they have specific and limited applications that range from business to nonbusiness, some give only the trial balance leaving the rest of the report to be prepared by the accountant. Others give all other statement except the cash flows statement. These problem calls for the need to have the so called system analyst in organizations. These professionals have the responsibility of studying the need of the organization as refers to electronic processing data issues. They do this by doing a so called feasibility study which will be facilitated by communication with top financial executives of the organization. Electronic data processing has merits and demerits to the society and the professionals. The following are some of the advantages and disadvantages that may be observed in everyday life of our businesses. Advantages Fast and instant services in financial institution or banks as compared to manual data processing, as formally it used to be harder to get even your saving or current statement from the bank. Records of Retired civil servants were not easily and readily available in the past and caused much disturbances to old people who had served in the government for many years; whereas in modern electronic data processing such services are performed very fast and the retiree are free from the former troubles. Performance in manufacturing industries and related works have improved due

Spring / February 2012 to inventory automated systems which controls purchases and stocks so that there is no idle cash tied into unnecessary stock pile ups. Disadvantages The electronic data processing systems have decreased vacancies for accountants as one person can perform the tasks that could have been done by five people. For example by entering a transaction where purchases have been bought by cash or on credit, stock will automatically be adjusted, total purchases also will be adjusted bank account if it is by cash also will be adjusted, Creditors total amount will be adjusted if the purchase was on credit and finally the financial statements i.e. financial position statement and financial performance statement and cash flows if purchase was by cash will automatically be adjusted. These are just few of activities that will be done after a simple entry of the transaction in the system by one accountant. Electronic data processing requires more expertise and therefore a lot of money is required to be invested in IT so that the organization can run smoothly. It is not possible to use electronic data processing without computers and where there is no steady supply of power.

Q6. Explain the principal considerations in internal control on: a. Purchases and creditors b. Fixed assets Ans: a. Purchases and creditors Basic considerations for having an effective internal control system for Purchase and creditors are as follows: The procedure for issuing purchase requisitions should be specified. Where ten d e rs are in v i ted , the procedure f o r opening and acceptance thereof should be laid down. The preparation and authorization of purchase orders should be under a senior manager. Predetermine guidelines should exist for inspection of goods received, especially with regard to quantity and quality. Documents showing the receipt and acceptance of goods should also be send to the accounts department. The goods receipt documents should be cross checked with final purchase order. An authorize official from the accounts department should be made responsible for checking suppliers invoices, documents regarding purchase returns, purchase records, payments to suppliers, maintenance of ledger accounts and reconciliation of statements sent by suppliers. Before payments are made to suppliers, payment documents duly authorized by a senior official, showing that the goods have been received as specified in the Purchase order should be verified by the accounts department. Adequate procedures should be established with regard to

9

purchase returns, discounts on account of inferior quality of goods, and other similar adjustments. Lawful policies and procedures should be implemented with regard to purchases from the companies under the same group and from the employees. The accounts of various suppliers should be confirmed periodically from statements received from them.

b. Fixed assets Basic considerations for having an effective internal control system for Fixed Assets are as follows: Payments for fixed assets should be made only after authorization of the top management. Capital expenditure budget should be prepared regularly. Fixed assets registers should be maintained showing brief particulars of all items. Fixed assets should be physically verified periodically. Serial numbers should be allotted to each item for easy identification. Proper accounting records should be maintained for expenditure during the construction period distinguishing carefully between capital and revenue Expenditure. Sale, scrapping, or write off of fixed assets should be allowed only under proper authorization of the top management. The receipts from such disposals should be properly accounted for. Depreciation rates should be properly authorized. Master of Business Administration- MBA Semester 3 MF0013 Internal Audit and Control - 4 Credits (Book ID: B1211) Assignment Set- 2) Note: Each Question carries 10 marks. Answer all the questions.

Q1. Lehman Brothers Holding filed for Chapter 11 bankruptcy protection following the massive exodus of most of its clients, drastic losses in its stock and devaluation of its assets. In context with this case, examine internal control and risk assessment system. Ans: The nature and extent of the procedures performed by the auditor to obtain an understanding of the accounting and internal control systems generally depend on: o o Nature of policies or kind of procedures, Changes in operating environment,

Spring / February 2012 o o o Size and complexity of the business, Way of documentation of business operations, Auditors assessment of inherent risk.

The auditor should make a study of internal control relevant for his audit. Although most controls related to audit are relevant for financial reporting but all controls relevant for financial reporting may not be relevant for audit. It is the judgment of auditor to decide whether a control individually or in combination with other is relevant for audit or not. Auditor normally classified audit risk for assessment into control risk and inherent risk. Control risk signifies that a material misstatement could occur but would not be prevented or detected by internal control system. Inherent risk signifies the chances that recording of transactions have been done either erroneously or under the influence of management fraudulent activity. Assessment of control risk Assessing control risk is the process of evaluating the effectiveness of an entitys accounting an internal control systems in preventing or detecting material mis-statements in the financial statements. After having a basic idea of the accounting and internal control system, the auditor should make an initial assessment of control risk for the appropriate assertions in the financial statements.When planning the audit approach, the auditor should consider the initial assessment of control risk to determine the appropriate detection risk to accept for the financial statement assertions. Some of the procedures performed to obtain understanding of the accounting and internal control systems may not have been specifically planned as tests of control but they may provide evidence about the effectiveness of both the design and operation of policies and procedures relevant to certain assertions and, consequently, serve as tests of control e.g. in obtaining understanding of the system pertaining to cash, the auditor may have obtained evidence about the effectiveness of bank reconciliation process through inquiry and observation. Relationship between the assessments of inherent and control risks: In many cases, inherent risk and control risk are highly interrelated. Also management often reacts to inherent risk situations by designing accounting and internal control systems to prevent and detect misstatements in such situations, if the auditor attempts separately to assess inherent and control risk when they are highly interrelated, there is a possibility of inappropriate risk assessment. As a result, audit risk may be more appropriately determined in such situation by making a combined assessment.

11

The auditor, in forming his opinion on financial information, needs reasonable assurance that transactions are properly recorded in the accounting records and that transactions have not been omitted. Internal controls, even if fairly simple and unsophisticated, may contribute to the reasonable assurance the auditor seeks. The auditors control risk assessments, together with the inherent risk assessment, influences the nature, timing and extent to substantive procedures to be performed to reduce detection risk to an acceptable level. The assessed levels of inherent and control risks cannot be sufficiently low to eliminate the need for the auditor to perform any substantive procedure for significant account balance and transaction classes. Consequently, regardless of the assessed levels of inherent and control risks the auditor should perform some substantive procedures. The higher the assessment of inherent and control risk, the more assurance the auditor must obtain from the performance of substantive procedures. When both inherent and control risks are assessed at a high level, the auditor should also consider whether substantive procedures will provided sufficient assurance to reduce detection risk to an acceptable level. When the auditor determines that detection risk cannot be reduced to an acceptable level, he should either qualify or disclaim the opinion or, if this if not practicable, withdraw from the engagement. Q2. Describe internal audit tests. Ans: Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes. Internal auditing is a catalyst for improving an organization's effectiveness and efficiency by providing insight and recommendations based on analyses and assessments of data and business processes. With commitment to integrity and accountability, internal auditing provides value to governing bodies and senior management as an objective source of independent advice. Professionals called internal auditors are employed by organizations to perform the internal auditing activity. The scope of internal auditing within an organization is broad and may involve topics such as the efficiency of operations, the reliability of financial reporting, deterring and investigating fraud, safeguarding assets, and compliance with laws and regulations. Internal auditing frequently involves measuring compliance with the entity's policies and procedures. However, internal auditors are not responsible for the execution of company activities; they advise management and the Board of Directors (or similar oversight body) regarding how to better execute their responsibilities. As a result of their broad scope of involvement, internal auditors may have a variety of higher educational and professional backgrounds. Identify control procedures used to ensure each key risk and transaction type is

Spring / February 2012 properly controlled and monitored. Develop and execute a risk-based sampling and testing approach to determine whether the most important controls are operating as intended. Report problems identified and negotiate action plans with management to address the problems. Follow-up on reported findings at appropriate intervals. Internal audit departments maintain a follow-up database for this purpose. Audit assignment length varies based on the complexity of the activity being audited and Internal Audit resources available. Many of the above steps are iterative and may not all occur in the sequence indicated. By analysing and recommending business improvements in critical areas, auditors help the organization meet its objectives. In addition to assessing business processes, specialists called Information Technology (IT) Auditors review information technology controls. Internal audit reports Internal auditors typically issue reports at the end of each audit that summarize their findings, recommendations, and any responses or action plans from management. An audit report may have an executive summary; a body that includes the specific issues or findings identified and related recommendations or action plans; and appendix information such as detailed graphs and charts or process information. Each audit finding within the body of the report may contain five elements, sometimes called the "5 C's": Condition: What is the particular problem identified? Criteria: What is the standard that was not met? The standard may be a company policy or other benchmark. Cause: Why did the problem occur? Consequence: What is the risk/negative outcome (or opportunity foregone) because of the finding? Corrective action: What should management do about the finding? What have they agreed to do and by when? The recommendations in an internal audit report are designed to help the organization achieve its goals, which may relate to operations, financial reporting or legal/regulatory compliance. They may relate to effectiveness (i.e., whether goals were met or compliance with standards was achieved) or efficiency (i.e., whether the outputs were generated with minimum inputs). Audit findings and recommendations also relate to particular assertions about transactions, such as whether the transactions audited were valid or authorized, completely processed, accurately valued, processed in the correct time period, and properly disclosed in financial or operational reporting, among other elements. Measuring the internal audit function The measurement of the internal audit function can involve a balanced scorecard approach. Internal audit functions are primarily evaluated based on the quality of counsel and information provided to the Audit Committee and top management. However, this is primarily qualitative and therefore difficult

13

to measure. "Customer surveys" sent to key managers after each audit engagement or report can be used to measure performance, with an annual survey to the Audit Committee. Scoring on dimensions such as professionalism, quality of counsel, timeliness of work product, utility of meetings, and quality of status updates are typical with such surveys. Understanding the expectations of senior management and the audit committee represent important steps in developing a performance measurement process, as well as how such measures help align the audit function with organizational priorities. Reporting of critical findings The Chief Audit Executive (CAE) typically reports the most critical issues to the Audit Committee quarterly, along with management's progress towards resolving them. Critical issues typically have a reasonable likelihood of causing substantial financial or reputational damage to the company. For particularly complex issues, the responsible manager may participate in the discussion. Such reporting is critical to ensure the function is respected, that the proper "tone at the top" exists in the organization, and to expedite resolution of such issues. It is a matter of considerable judgment to select appropriate issues for the Audit Committee's attention and to describe them in the proper context. Q3. Explain the basic principles governing internal control. Ans: In accounting and auditing, internal control is defined as a process effected by an organization's structure, work and authority flows, people and management information systems, designed to help the organization accomplish specific goals or objectives.[1] It is a means by which an organization's resources are directed, monitored, and measured. It plays an important role in preventing and detecting fraud and protecting the organizations resources, both physical (e.g., machinery and property) and intangible (e.g., reputation or intellectual property such as trademarks). At the organizational level, internal control objectives relate to the reliability of financial reporting, timely feedback on the achievement of operational or strategic goals, and compliance with laws and regulations. At the specific transaction level, internal control refers to the actions taken to achieve a specific objective (e.g., how to ensure the organization's payments to third parties are for valid services rendered.) Internal control procedures reduce process variation, leading to more predictable outcomes. Internal control is a key element of the Foreign Corrupt Practices Act (FCPA) of 1977 and the SarbanesOxley Act of 2002, which required improvements in internal control in United States public corporations. Internal controls within business entities are also referred to as operational controls. Internal controls have existed from ancient times. In Hellenistic Egypt there was a dual administration, with one set of bureaucrats charged with collecting taxes and another with supervising them. In the Republic of China, the Control one of the five branches of government is an investigatory agency that monitors the other branches of government.

Spring / February 2012 Definitions There are many definitions of internal control, as it affects the various constituencies (Stakeholders) of an organization in various ways and at different levels of aggregation. Under the COSO Internal Control-Integrated Framework, a widely-used framework in the United States, internal control is broadly defined as a process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories: a) Effectiveness and efficiency of operations; b) Reliability of financial reporting; and c) Compliance with laws and regulations. COSO defines internal control as having five components: 1. Control Environment-sets the tone for the organization, influencing the control consciousness of its people. It is the foundation for all other components of internal control. 2. Risk Assessment-the identification and analysis of relevant risks to the Achievement of objectives, forming a basis for how the risks should be managed 3. Information a n d Communication-systems o r processes that support the identification, capture, and exchange of information in a form and time frame that enable people to carry out their responsibilities 4. Control Activities-the policies and procedures that help ensure management directives are carried out. 5. Monitoring-processes used to assess the quality of internal control performance over time. The COSO definition relates to the aggregate control system of the organization, which is composed of many individual control procedures. Discrete control procedures, or controls are defined by the SEC as: "...a specific set of policies, procedures, and activities designed to meet an objective. A control may exist within a designated function or activity in a process. A controls impact...may be entity- wide or specific to an account balance, class of transactions or application. Controls have unique characteristics for example, they can be: automated or manual; reconciliations; segregation of duties; review and approval authorizations; safeguarding and accountability of assets; preventing or detecting error or fraud. Controls within a process may consist of financial reporting controls and operational controls (that is, those designed to achieve operational objectives)." Context More generally, setting objectives, budgets, plans and other expectations establish criteria for control. Control itself exists to keep performance or a state of affairs within what is expected, allowed or accepted. Control built within a process is

15

internal in nature. It takes place with a combination of interrelated components such as social environment effecting behaviour of employees, information necessary in control, and policies and procedures. Internal control structure is a plan determining how internal control consists of these elements. The concepts of corporate governance also heavily rely on the necessity of internal controls. Internal controls help ensure that processes operate as designed and that risk responses (risk treatments) in risk management are carried out. In addition, there needs to be in place circumstances ensuring that the aforementioned procedures will be performed as intended: right attitudes, integrity and competence, and monitoring by managers. Roles and responsibilities internal control in

According to the COSO Framework, everyone in an organization has responsibility for internal control to some extent. Virtually all employees produce information used in the internal control system or take other actions needed to affect control. Also, all personnel should be responsible for communicating upward problems in operations, noncompliance with the code of conduct, or other policy violations or illegal actions. Each major entity in corporate governance has a particular role to play: Management: The Chief Executive Officer (the top manager) of the organization has overall responsibility for designing and implementing effective internal control. More than any other individual, the chief executive sets the "tone at the top" that affects integrity and ethics and other factors of a positive control environment. In a large company, the chief executive fulfills this duty by providing leadership and direction to senior managers and reviewing the way they're controlling the business. Senior managers, in turn, assign responsibility for establishment of more specific internal control policies and procedures to personnel responsible for the unit's functions. In a smaller entity, the influence of the chief executive, often an owner-manager, is usually more direct. In any event, in a cascading responsibility, a manager is effectively a chief executive of his or her sphere of responsibility. Of particular significance are financial officers and their staffs, whose control activities cut across, as well as up and down, the operating and other units of an enterprise. Board of Directors: Management is accountable to the board of directors, which provides governance, guidance and oversight. Effective board members are objective, capable and inquisitive. They also have a knowledge of the entity's activities and environment, and commit the time necessary to fulfil their board responsibilities. Management may be in a position to override controls and ignore or stifle communications from subordinates, enabling a dishonest management which intentionally misrepresents results to cover its tracks. A strong, active board, particularly when coupled with effective upward communications channels and capable financial, legal and internal audit functions, is often best able to identify and correct such a problem. Auditors: The internal auditors and external auditors of the organization also measure the effectiveness of internal control through their efforts. They assess whether the controls are properly designed, implemented and

Spring / February 2012 working effectively, and make recommendations on how to improve internal control. They may also review Information technology controls, which relate to the IT systems of the organization. There are laws and regulations on internal control related to financial reporting in a number of jurisdictions. In the U.S. these regulations are specifically established by Sections 404 and 302 of the Sarbanes-Oxley Act. Guidance on auditing these controls is specified in PCAOB Auditing Standard No. 5 and SEC guidance, further discussed in SOX 404 top-down risk assessment. To provide reasonable assurance that internal controls involved in the financial reporting process are effective, they are tested by the external auditor (the organization's public accountants), who are required to opine on the internal controls of the company and the reliability of its financial reporting. Limitations Internal control can provide reasonable, not absolute, assurance that the objectives of an organization will be met. The concept of reasonable assurance implies a high degree of assurance, constrained by the costs and benefits of establishing incremental control procedures. Effective internal control implies the organization generates reliable financial reporting and substantially complies with the laws and regulations that apply to it. However, whether an organization achieves operational and strategic objectives may depend on factors outside the enterprise, such as competition or technological innovation. These factors are outside the scope of internal control; therefore, effective internal control provides only timely information or feedback on progress towards the achievement of operational and strategic objectives, but cannot guarantee their achievement. Describing Internal Controls Internal controls may be described in terms of: a) the objective they pertain to; and b) the nature of the control activity itself. Objective categorization Internal control activities are designed to provide reasonable assurance that particular objectives are achieved, or related progress understood. The specific target used to determine whether a control is operating effectively is called the control objective. Control objectives fall under several detailed categories; in financial auditing, they relate to particular financial statement assertions, but broader frameworks are helpful to also capture operational and compliance aspects: 1. Existence (Validity): Only valid or authorized transactions are processed (i.e., no invalid transactions) 2. Occurrence ( Cut off): Transactions occurred during the correct period or were processed timely.

17

3. Completeness: All transactions are processed that should be (i.e., no omissions) 4. Valuation: Transactions are calculated using an appropriate methodology or are computationally accurate. 5. Rights & Obligations: Assets represent the rights of the company, and liabilities its obligations, as of a given date. 6. Presentation & Disclosure (Classification): Components of financial statements (or other reporting) are properly classified (by type or account) and described. 7. Reasonableness-transactions or result appears reasonable relative to other data or trends. For example, a control objective for the accounts payable function may be stated as: "Payments are made only for authorized products and services received." This is a validity objective. A typical control procedure designed to achieve this objective is: "The accounts payable system compares the purchase order, receiving record, and vendor invoice prior to authorizing payment." Multiple controls may be applicable to achieve a given control objective with a reasonable level of assurance. Management is responsible for implementing appropriate controls that apply to transactions in their areas of responsibility. Internal auditors perform their audits to evaluate whether the controls are designed and implemented effectively to address the relevant objectives. Activity categorization Control activities may also be explained by the type or nature of activity. These include (but are not limited to): Segregation of duties - separating authorization, custody, and record keeping roles of fraud or error by one person. Authorization of transactions - review of particular transactions by an appropriate person. Retention of records - maintaining documentation to substantiate transactions. Supervision or monitoring of operations - observation or review of on-going operational activity. Physical safeguards - usage of cameras, locks, physical barriers, etc. to protect property, such as merchandise inventory. Top-level reviews-analysis of actual results versus organizational goals or plans, periodic and regular operational reviews, metrics, and other key performance indicators (KPIs). IT Security - usage of passwords, access logs, etc. to ensure access restricted to authorized personnel. Top level reviews-Management review of reports comparing actual performance versus plans, goals, and established objectives. Controls over information processing-A variety of control activities are used in information processing. Examples include edit checks of data entered, accounting for transactions in numerical sequences, comparing file totals with control accounts, and controlling access to data, files and

Spring / February 2012 programs. Control precision Control precision describes the alignment or correlation between a particular control procedure and a given control objective or risk. A control with direct impact on the achievement of an objective (or mitigation of a risk) is said to be more precise than one with indirect impact on the objective or risk. Precision is distinct from sufficiency; that is, multiple controls with varying degrees of precision may be involved in achieving a control objective or mitigating a risk. Precision is an important factor in performing a SOX 404 top-down risk assessment. After identifying specific financial reporting material misstatement risks, management and the external auditors are required to identify and test controls that mitigate the risks. This involves making judgments regarding both precision and sufficiency of controls required to mitigate the risks. Risks and controls may be entity-level or assertion-level under the PCAOB guidance. Entity-level controls are identified to address entity-level risks. However, a combination of entity-level and assertion-level controls are typically identified to address assertion-level risks. The PCAOB set forth a three-level hierarchy for considering the precision of entity-level controls. Later guidance by the PCAOB regarding small public firms provided several factors to consider in assessing precision. Fraud and internal control Internal control plays an important role in the prevention and detection of fraud. Under the Sarbanes-Oxley Act, companies are required to perform a fraud risk assessment and assess related controls. This typically involves identifying scenarios in which theft or loss could occur and determining if existing control procedures effectively manage the risk to an acceptable level. The risk that senior management might override important financial controls to manipulate financial reporting is also a key area of focus in fraud risk assessment. The AICPA, IIA, and ACFE also sponsored a guide published during 2008 that includes a framework for helping organizations manage their fraud risk. Internal Controls and Improvement If the internal control system is implemented only to prevent fraud and comply with laws and regulations, then an important opportunity is missed. The same internal controls can also be used to systematically improve businesses, particularly in regard to effectiveness and efficiency. Continuous Controls Monitoring Advances in technology and data analysis have led to the development of numerous tools which can automatically evaluate the effectiveness of internal controls. Used in conjunction with continuous auditing,

19

continuous controls monitoring provides assurance on financial information flowing through the business processes. Q4. Discuss the advantages and disadvantages of internal check. Ans: Internal check is an organization of the system of account under which the work of one person is automatically checked by another, with a view to prevent and detect the errors and frauds. Under such a system, it is not possible to commit errors & frauds without the collusion between to or more people. OBJECTIVE OF INTERNAL CHECK: To minimize the possibility of error, fraud and irregularity. To prevent the misappropriation of cash and goods To allocate duties and responsibility to every clerk in the organization so that, he may be held responsibility for their particular fraud & errors. To ensure an accurate recording of all business transaction. To enhance the efficiency of the clerk in the organization. To exercise moral influence over the staff member. To prepare final account with an ease and efficiency.

PRINCIPLE OF INTERNAL CHECK: It should be allocated among the staff of the business according the duties, responsibility and rights in such a, there is no room for interference. No single person should have an independent control over all important aspect of the business. The duties among the staff of the business should be changed from time to time so that no staff should be engaged in a particular job for a long time. Every member of the staff should be encouraged to go on leave at least once in a year this will help in detecting the concealed fraud. An efficient system of internal check should provide for an automatic checking of the work of an assistant by other. The division of work should not be much expensive. Self-balancing system should be invariably used. The financial and administrative power should be assigned very judiciously to different officer. Person having physically custody of asset must not be permitted to have an access to the books of account.

ADVATAGES OF INTERNAL CHECK: Proper Division of Work. Efficiency and Economy Early Detection of Error and frauds Minimization of Error and Frauds Moral Influence on Staff Early Preparation of Final Account

Spring / February 2012 Increased Profitability Convince to Auditor

DISADVATAGES OF INTERNAL CHECK: Decreased in Quality of Work Complacency among High Officials Costly for the Small Business Create Confusion Chance of Collusions Q5. Explain the appraisal of accounting system and related internal control. Ans: 1. Definition of Internal Control

Internal Control comprises the plan and all the co-ordinate methods and measures adopted within an organisation with the express objectives of: Safeguarding the assets of the organisation , Verifying the accuracy and reliability of its accounting data, Promoting operational efficiency, Fostering and encouraging adherence to the prescribed managerial policies. 2. Objectives and Relevance

In recent years, the relevance and objectives of Internal Accounting Controls, have expanded far beyond the traditional ambit of protection against theft and fraud, well into the areas of effectiveness, accountability and operational efficiency of the organisation Hence the need for evaluation of the system of internal control , while conducting the audit of the accounts of Government organisations, whether the nature of their operations be commercial or civil. 3. Increasing Awareness in The International Context

A system of internal control recognises the basic principle that it should be as difficult as is practical and feasible, for individuals to be dishonest or careless. Such a premise is indeed not based on a cynical view of human nature in general, but rather on the realistic assumption that there could be a few persons who would be dishonest or careless if it is easy for them to be so. Further, apart from the prevention and detection of fraud, internal controls should reflect the strength of the overall accounting environment in an organisation as also the accuracy of its financial and operational records. 4. Two Dimensions of Internal Control

Administrative controls, which include but are not limited to the plan of

21

organization and records that are concerned with the decision processes leading to the Management's authorization of transactions. Accounting controls comprise the plan of organization , procedures and records that are concerned with safeguarding of assets and the reliability of financial records designed to provide reasonable assurance that the transactions are recorded and executed in accordance with the general and /or specific authorization of the Management, recording of transactions to ensure the preparation of financial statements in conformity with the generally accepted accounting principles and any other criteria applicable to such statements, proper maintenance of account of assets, Management's authorization of access to assets and accountability for the physical verification of assets Scope of Review Naturally therefore, the scope and objectives of the Statutory Auditor, would vary and depend upon both the size and structure of the entity as also the requirements of the Management. Normally, however, the Statutory Auditor operates in one or more of the following areas. Review of the Accounting Systems and the related internal controls. Thus while the adequacy of the accounting systems is the responsibility of the Management, the Statutory Auditor is usually assigned the specific responsibility for reviewing the accounting systems and the related internal controls, as also monitoring their operations. Review of financial and operating information including identification, measurement, and classification and reporting such information specifically enquiring into individual items including detailed testing of transactions, procedures and balances. Examination of the economy, efficiency and effectiveness of operations including nonfinancial controls. Thus, before an evaluation is undertaken the auditor should determine:The degree of reliance that can be placed on the various systems and procedures in existence. The nature, extent and timing of substantive audit tests to be applied. In this process due to factors including the limitations of time, the volume of transactions and magnitude of operations the Auditor can conduct:Selective Verification in areas where he finds that internal control is effective. Detailed or comprehensive verification of transactions in areas where the internal control is weak. Internal control investigation and evaluation is most relevant in the context of independent financial audits, special systems study engagements. 5. Advantages of Internal Control Evaluation

Enables an Auditor to restrict his detailed examination in areas where internal controls is satisfactory, and intensifying the scrutiny in areas where the controls are weak. Resultantly, the time available to the auditor is more gainfully employed.

Spring / February 2012 Highlights areas of weakness in the operating systems, for suitable remedial action to be taken by the Management. Facilitates acquisition of an in-depth knowledge and understanding of the systems and procedures, actually in operation. Enables the Statutory Auditor in the determination of the degree of effectiveness of Internal Audit in the auditee organization. Enables Government Audit to review the comprehensiveness in specific terms, of the evaluation conducted, both by the Internal Audit Wing as also by the Statutory Auditor of the organization. 6. Inter-Relationship between Audit and Internal Controls

The Statement on Standard Auditing Practices (SAP) pertaining to the "Study and Evaluation of the Accounting System and Related Internal Controls in connection with an Audit", defines the inter-relationship between the Statutory Auditor and internal control. "The System of Internal Control is the plan of organization and all the methods and procedures adopted by the Management of an entity to assist in achieving management's objective of ensuring, as far as practicable, the orderly and efficient conduct of business, including adherence to Management policies, the safeguarding of assets, prevention and detection of fraud and error, the accuracy and completeness of the accounting records and the timely preparation of reliable financial information. The system of internal control extends beyond those matters which relate directly to the functions of the accounting system. The internal audit functions constitute a separate component of internal control established with the objective of determining whether other internal controls are well designed and properly operated". Control procedures encompass policies and procedures established by the Management, in order to provide for the attainment of certain objectives. These could include the existence of systems for: An effective system of reconciliation of Books of Accounts. Check of the arithmetical accuracy of the records. Controls over computer applications and environment. Maintenance of control accounts and Trial Balances. Approval and control of balances. Comparison of results of cash, security and inventory checks with accounting records. Limiting direct physical access to assets and records. Comparison of budgetary estimates with actual estimates Physical verification of assets and a system of safeguarding the assets. Appropriate action taken with regard to any differences and discrepancies. Distribution and proper allocation of functional responsibilities. System of operation of accounting procedures for ascertainment of accurate of accurate and reliable accounting data. Existence of an effective system for the efficient operation of the asset and a well regulated system for safeguarding of assets.

23

System of managerial review of the work allocated to various individuals in the organisation.

Q6. Explain SAP-6 in brief. Ans: SAP 6 through version 4.6c consisted of various applications on top of SAP Basis, SAP's set of middleware programs and tools. When SAP 6 Enterprise was launched in 2002, all applications were built on top of the SAP Web Application Server. Extension sets were used to deliver new features and keep the core as stable as possible. The Web Application Server contained all the capabilities of SAP Basis. As a result of marketing changes and changes in the industry, other versions of SAP have been released that address these changes. The first edition of my SAP ERP was launched in 2003 and bundled previously separate products, including SAP 6 Enterprise, SAP Strategic Enterprise Management (SEM) and extension sets. The SAP Web Application Server was wrapped into Net Weaver, which was also introduced in 2003. A complete architecture change took place with the introduction of my SAP ERP edition 2004. 6 Enterprise was replaced with the introduction of ERP Central Component (SAP ECC). The SAP Business Warehouse, SAP Strategic Enterprise Management and Internet Transaction Server were also merged into SAP ECC, allowing users to run them under one instance. Architectural changes were also made to support enterprise services architecture to transition customers to a services-oriented architecture. SAP HANA which is a combination of In-memory software and hardware can improve data processing at extremely high speeds. Implementation SAP ERP consists of several modules including: utilities for marketing and sales, field service, product design and development, production and inventory control, human resources, finance and accounting. SAP ERP collects and combines data from the separate modules to provide the company or organization with enterprise resource planning. Although there can be major benefits for customers of SAP ERP, the implementation and training costs are expensive. Many companies experience problems when implementing SAP ERP software, such as: failing to specify their operation objectives, absence of a strong commitment or positive approach to change, failing to deal with organizational differences, failing to plan the change to SAP ERP properly, inadequate testing. All these factors can mean the difference between having a successful implementation of SAP ERP or an unsuccessful one. If SAP ERP is implemented correctly an enterprise can go from its old calculations system to a fully integrated software package. Potential benefits include: efficient business process, inventory reduction, and lead time reduction. An article in the IEEE Transaction on Engineering Management journal

Spring / February 2012 reports an industrial case in which the senior management successfully dealt with a troubled SAP 6 implementation in an international fast moving consumer goods (FMCG) company during 2001 and 2002. Deployment and maintenance costs SAP ERP systems effectively implemented can have cost benefits. Integration is the key in this process. "Generally, a company's level of data integration is highest when the company uses one vendor to supply all of its modules." An out-of-box software package has some level of integration but it depends on the expertise of the company to install the system and how the package allows the users to integrate the different modules. It is estimated that "for a Fortune 500 company, software, hardware, and consulting costs can easily exceed $100 million (around $50 million to $500 million). Large companies can also spend $50 million to $100 million on upgrades. Full implementation of all modules can take years," which also adds to the end price. Midsized companies (fewer than 1,000 employees) are more likely to spend around $10 million to $20 million at most, and small companies are not likely to have the need for a fully integrated SAP ERP system unless they have the likelihood of becoming midsized and then the same data applies as would a midsized company. Independent studies have shown that deployment and maintenance costs of a SAP solution can greatly vary depending on the organization. For example, some point out that because of the rigid model imposed by SAP tools, a lot of customization code to adapt to the business process may have to be developed and maintained some others pointed out that a return on investment could only be obtained when there was both a sufficient number of users and sufficient frequency of use. Deploying SAP itself can also involve a lot of time and resources. Security Communications SAP systems - including client systems - communicate with each other using SAP-specific protocols (e.g., RFC and DIAG) and the http and https protocols. These systems do not have encrypted communications out of the box; however, SAP does provide a free toolkit for server-to-server communications. With the recent acquisition of relevant parts of SECUDE, SAP can now provide cryptography libraries with SAP ERP for Secure Network Communications and Secure Socket Layer. ERP advantages and disadvantages Advantages Allows easier global integration (barriers of currency exchange rates, language, and culture can be bridged automatically) Updates only need to be done once to be implemented company-wide Provides real-time information, reducing the possibility of redundancy errors May create a more efficient work environment for employees Vendors have past knowledge and expertise on how to best build and implement a system

25

Disadvantages Locked into relationship by contract and manageability with vendor - a contract can hold a company to the vendor until it expires and it can be unprofitable to switch vendors if switching costs are too high Inflexibility - vendor packages may not fit a company's business model well and customization can be expensive Return on Investment may take too long to be profitable Implementations have a risk of project failure