Sikkim Manipal University

- MBA -

MF 0013 Internal Audit and Control

=========================================================== Semester: 3 - Assignment Set: 2 =======================================================

Question-01: Why Internal check in necessary? Choose an organization of your choice and find out how internal checks are put in place.? Answer: In accounting and auditing, internal control is defined as a process effected by an organization's structure, work and authority flows, people and management information systems, designed to help the organization accomplish specific goals or objectives.[1] It is a means by which an organization's resources are directed, monitored, and measured. It plays an important role in preventing and detecting fraud and protecting the organization's resources, both physical (e.g., machinery and property) and intangible (e.g., reputation or intellectual property such as trademarks). At the organizational level, internal control objectives relate to the reliability of financial reporting, timely feedback on the achievement of operational or strategic goals, and compliance with laws and regulations. At the specific transaction level, internal control refers to the actions taken to achieve a specific objective (e.g., how to ensure the organization's payments to third parties are for valid services rendered.) Internal control procedures reduce process variation, leading to more predictable outcomes. Internal control is a key element of the Foreign Corrupt Practices Act (FCPA) of 1977 and the SarbanesOxley Act of 2002, which required improvements in internal control in United States public corporations. Internal controls within business entities are also referred to as operational controls. Internal controls have existed from ancient times. In Hellenistic Egypt there was a dual administration, with one set of bureaucrats charged with collecting taxes and another with supervising them.[2] In the Republic of China, the Control one of the five branches of government, is an investigatory agency that monitors the other branches of government. Definitions There are many definitions of internal control, as it affects the various constituencies (stakeholders) of an organization in various ways and at different levels of aggregation. Under the COSO Internal Control-Integrated Framework, a widely-used framework in the United States, internal control is broadly defined as a process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories: a) Effectiveness and efficiency of operations; b) Reliability of financial reporting; and c) Compliance with laws and regulations. COSO defines internal control as having five components:

=========================================================== PANKAJ CHOUREY Reg. No. 521036344 Page 1 of 17

Sikkim Manipal University

- MBA -

MF 0013 Internal Audit and Control

=========================================================== Semester: 3 - Assignment Set: 2 =======================================================

1. Control Environment-sets the tone for the organization, influencing the control consciousness of its people. It is the foundation for all other components of internal control. 2. Risk Assessment-the identification and analysis of relevant risks to the achievement of objectives, forming a basis for how the risks should be managed 3. Information and Communication-systems or processes that support the identification, capture, and exchange of information in a form and time frame that enable people to carry out their responsibilities 4. Control Activities-the policies and procedures that help ensure management directives are carried out. 5. Monitoring-processes used to assess the quality of internal control performance over time. The COSO definition relates to the aggregate control system of the organization, which is composed of many individual control procedures. Discrete control procedures, or controls are defined by the SEC as: "...a specific set of policies, procedures, and activities designed to meet an objective. A control may exist within a designated function or activity in a process. A controls impact...may be entitywide or specific to an account balance, class of transactions or application. Controls have unique characteristics for example, they can be: automated or manual; reconciliations; segregation of duties; review and approval authorizations; safeguarding and accountability of assets; preventing or detecting error or fraud. Controls within a process may consist of financial reporting controls and operational controls (that is, those designed to achieve operational objectives)."[3] Context More generally, setting objectives, budgets, plans and other expectations establish criteria for control. Control itself exists to keep performance or a state of affairs within what is expected, allowed or accepted. Control built within a process is internal in nature. It takes place with a combination of interrelated components - such as social environment effecting behavior of employees, information necessary in control, and policies and procedures. Internal control structure is a plan determining how internal control consists of these elements.[4] The concepts of corporate governance also heavily rely on the necessity of internal controls. Internal controls help ensure that processes operate as designed and that risk responses (risk treatments) in risk management are carried out. In addition, there needs to be in place circumstances ensuring that the aforementioned procedures will be performed as intended: right attitudes, integrity and competence, and monitoring by managers.

=========================================================== PANKAJ CHOUREY Reg. No. 521036344 Page 2 of 17

Sikkim Manipal University

- MBA -

MF 0013 Internal Audit and Control

=========================================================== Semester: 3 - Assignment Set: 2 =======================================================

Roles and responsibilities in internal control According to the COSO Framework, everyone in an organization has responsibility for internal control to some extent. Virtually all employees produce information used in the internal control system or take other actions needed to affect control. Also, all personnel should be responsible for communicating upward problems in operations, noncompliance with the code of conduct, or other policy violations or illegal actions. Each major entity in corporate governance has a particular role to play: Management: The Chief Executive Officer (the top manager) of the organization has overall responsibility for designing and implementing effective internal control. More than any other individual, the chief executive sets the "tone at the top" that affects integrity and ethics and other factors of a positive control environment. In a large company, the chief executive fulfills this duty by providing leadership and direction to senior managers and reviewing the way they're controlling the business. Senior managers, in turn, assign responsibility for establishment of more specific internal control policies and procedures to personnel responsible for the unit's functions. In a smaller entity, the influence of the chief executive, often an owner-manager, is usually more direct. In any event, in a cascading responsibility, a manager is effectively a chief executive of his or her sphere of responsibility. Of particular significance are financial officers and their staffs, whose control activities cut across, as well as up and down, the operating and other units of an enterprise. Board of Directors: Management is accountable to the board of directors, which provides governance, guidance and oversight. Effective board members are objective, capable and inquisitive. They also have a knowledge of the entity's activities and environment, and commit the time necessary to fulfill their board responsibilities. Management may be in a position to override controls and ignore or stifle communications from subordinates, enabling a dishonest management which intentionally misrepresents results to cover its tracks. A strong, active board, particularly when coupled with effective upward communications channels and capable financial, legal and internal audit functions, is often best able to identify and correct such a problem. Auditors: The internal auditors and external auditors of the organization also measure the effectiveness of internal control through their efforts. They assess whether the controls are properly designed, implemented and working effectively, and make recommendations on how to improve internal control. They may also review Information technology controls, which relate to the IT systems of the organization. There are laws and regulations on internal control related to financial reporting in a number of jurisdictions. In the U.S. these regulations are specifically established by Sections 404 and 302 of the Sarbanes-Oxley Act. Guidance on auditing these controls is specified in PCAOB Auditing Standard No. 5 and SEC guidance, further discussed in
=========================================================== PANKAJ CHOUREY Reg. No. 521036344 Page 3 of 17

Sikkim Manipal University

- MBA -

MF 0013 Internal Audit and Control

=========================================================== Semester: 3 - Assignment Set: 2 =======================================================

SOX 404 top-down risk assessment. To provide reasonable assurance that internal controls involved in the financial reporting process are effective, they are tested by the external auditor (the organization's public accountants), who are required to opine on the internal controls of the company and the reliability of its financial reporting. Limitations Internal control can provide reasonable, not absolute, assurance that the objectives of an organization will be met. The concept of reasonable assurance implies a high degree of assurance, constrained by the costs and benefits of establishing incremental control procedures. Effective internal control implies the organization generates reliable financial reporting and substantially complies with the laws and regulations that apply to it. However, whether an organization achieves operational and strategic objectives may depend on factors outside the enterprise, such as competition or technological innovation. These factors are outside the scope of internal control; therefore, effective internal control provides only timely information or feedback on progress towards the achievement of operational and strategic objectives, but cannot guarantee their achievement. Describing Internal Controls Internal controls may be described in terms of: a) the objective they pertain to; and b) the nature of the control activity itself. Objective categorization Internal control activities are designed to provide reasonable assurance that particular objectives are achieved, or related progress understood. The specific target used to determine whether a control is operating effectively is called the control objective. Control objectives fall under several detailed categories; in financial auditing, they relate to particular financial statement assertions,[5] but broader frameworks are helpful to also capture operational and compliance aspects: 1. Existence (Validity): Only valid or authorized transactions are processed (i.e., no invalid transactions) 2. Occurrence (Cutoff): Transactions occurred during the correct period or were processed timely. 3. Completeness: All transactions are processed that should be (i.e., no omissions) 4. Valuation: Transactions are calculated using an appropriate methodology or are computationally accurate.

=========================================================== PANKAJ CHOUREY Reg. No. 521036344 Page 4 of 17

Sikkim Manipal University

- MBA -

MF 0013 Internal Audit and Control

=========================================================== Semester: 3 - Assignment Set: 2 =======================================================

5. Rights & Obligations: Assets represent the rights of the company, and liabilities its obligations, as of a given date. 6. Presentation & Disclosure (Classification): Components of financial statements (or other reporting) are properly classified (by type or account) and described. 7. Reasonableness-transactions or results appears reasonable relative to other data or trends. For example, a control objective for the accounts payable function may be stated as: "Payments are made only for authorized products and services received." This is a validity objective. A typical control procedure designed to achieve this objective is: "The accounts payable system compares the purchase order, receiving record, and vendor invoice prior to authorizing payment." Multiple controls may be applicable to achieve a given control objective with a reasonable level of assurance. Management is responsible for implementing appropriate controls that apply to transactions in their areas of responsibility. Internal auditors perform their audits to evaluate whether the controls are designed and implemented effectively to address the relevant objectives. Activity categorization Control activities may also be explained by the type or nature of activity. These include (but are not limited to): Segregation of duties - separating authorization, custody, and record keeping roles of fraud or error by one person. Authorization of transactions - review of particular transactions by an appropriate person. Retention of records - maintaining documentation to substantiate transactions. Supervision or monitoring of operations - observation or review of ongoing operational activity. Physical safeguards - usage of cameras, locks, physical barriers, etc. to protect property, such as merchandise inventory. Top-level reviews-analysis of actual results versus organizational goals or plans, periodic and regular operational reviews, metrics, and other key performance indicators (KPIs). IT Security - usage of passwords, access logs, etc. to ensure access restricted to authorized personnel. Top level reviews-Management review of reports comparing actual performance versus plans, goals, and established objectives. Controls over information processing-A variety of control activities are used in information processing. Examples include edit checks of data entered, accounting

=========================================================== PANKAJ CHOUREY Reg. No. 521036344 Page 5 of 17

Sikkim Manipal University

- MBA -

MF 0013 Internal Audit and Control

=========================================================== Semester: 3 - Assignment Set: 2 =======================================================

for transactions in numerical sequences, comparing file totals with control accounts, and controlling access to data, files and programs. Control precision Control precision describes the alignment or correlation between a particular control procedure and a given control objective or risk. A control with direct impact on the achievement of an objective (or mitigation of a risk) is said to be more precise than one with indirect impact on the objective or risk. Precision is distinct from sufficiency; that is, multiple controls with varying degrees of precision may be involved in achieving a control objective or mitigating a risk. Precision is an important factor in performing a SOX 404 top-down risk assessment. After identifying specific financial reporting material misstatement risks, management and the external auditors are required to identify and test controls that mitigate the risks. This involves making judgments regarding both precision and sufficiency of controls required to mitigate the risks. Risks and controls may be entity-level or assertion-level under the PCAOB guidance. Entity-level controls are identified to address entity-level risks. However, a combination of entity-level and assertion-level controls are typically identified to address assertion-level risks. The PCAOB set forth a three-level hierarchy for considering the precision of entity-level controls.[6] Later guidance by the PCAOB regarding small public firms provided several factors to consider in assessing precision.[7] Fraud and internal control Internal control plays an important role in the prevention and detection of fraud.[8] Under the Sarbanes-Oxley Act, companies are required to perform a fraud risk assessment and assess related controls.[9] This typically involves identifying scenarios in which theft or loss could occur and determining if existing control procedures effectively manage the risk to an acceptable level.[10] The risk that senior management might override important financial controls to manipulate financial reporting is also a key area of focus in fraud risk assessment.[11] The AICPA, IIA, and ACFE also sponsored a guide published during 2008 that includes a framework for helping organizations manage their fraud risk.[12]

Internal Controls and Improvement

=========================================================== PANKAJ CHOUREY Reg. No. 521036344 Page 6 of 17

Sikkim Manipal University

- MBA -

MF 0013 Internal Audit and Control

=========================================================== Semester: 3 - Assignment Set: 2 =======================================================

If the internal control system is implemented only to prevent fraud and comply with laws and regulations, then an important opportunity is missed. The same internal controls can also be used to systematically improve businesses, particularly in regard to effectiveness and efficiency.[13] Continuous Controls Monitoring Advances in technology and data analysis have led to the development of numerous tools which can automatically evaluate the effectiveness of internal controls. Used in conjunction with continuous auditing, continuous controls monitoring provides assurance on financial information flowing through the business processes.

Question 2: Detail the specific problems of electronic data process relating to Internal control.? Answer: Ans. In an EDP system, the following problems arise in the implementation of internal control : a) Separation of duties : In a manual system, separate individuals are responsible for initiating transactions, recording transactions, and custody of assets. As a basic control, separation of duties prevents of detects errors and irregularities. In a computer system, however, the traditional notion of separation of duties does not always apply. For example, as program may reconcile a vendor invoice against a receiving document and print a cheque for the amount owed to a creditor. Thus, this program is performing functions that in a manual systems would be considered incompatible. In a minicomputer and microcomputer environments, separation of incompatible functions may be even more difficult to achieve. Some minicomputers and microcomputers allow users to change programs and data easily; furthermore, they provide no record of these changes. If the minicomputer or microcomputer does not have an inbuilt capability to provide a secure record of changes. It may be difficult to determine whether incompatible functions have been performed by system users. b) Delegation of authority and responsibility : A clear line of authority and responsibility is an essential control in both manual and computer systems. In a computer system, however, delegating authority and responsibility in an
=========================================================== PANKAJ CHOUREY Reg. No. 521036344 Page 7 of 17

Sikkim Manipal University

- MBA -

MF 0013 Internal Audit and Control

=========================================================== Semester: 3 - Assignment Set: 2 =======================================================

unambiguous way may be difficult because some resources are shared among multiple users. For example, one of the objectives of using a database management system is to provide multiple users with access to the same data, thereby reducing the control problems that arise with maintaining redundant data. When multiples users have access to the same data and integrity of the data is somehow violated, it is not always easy to trace who is responsible for corrupting the data and who is responsible for identifying and correcting the error. Some organizations have attempted to overcome these problems by designating a single user as the owner of data. This user assumes ultimate responsibility for the integrity of the data. c) Competent and trustworthy personnel : The technology of data processing is now exceedingly complex much more complex than in the days of manual systems. Highly skilled personnel are needed to develop, modify. maintain and operate todays computer systems. Thus, the existence of competent and trustworthy personnel becomes even more important when computer systems are used to process an organizations data, since a relatively small number of individuals assume major responsibility for the integrity of the data. Unfortunately, assuring that an organization has competent and trustworthy data processing personnel has been a difficult task. Historically, well trained and experienced data processing personnel have been in short supply. Therefore, organizations sometimes have been forced to compromise in their choice of staff. Moreover, it Is not always easy for an organization to assess the competence and integrity of its EDP staff. High turnover in the data processing industry has been the norm, and the rapid evolution of technology inhibits managements ability to evaluate an employees skills. d) System of authorizations : Management issues two types of authorizations to execute transactions. General authorizations establish policies for the organization to follow. For example, a fixed price list is issued for personnel to use when products are sold. Specific authorizations apply to individual transactions : for example, acquisitions of major capital assets may have to be approved by the board of directors. In a manual system, auditors evaluate the adequacy of procedures for authorization by examining the work of employees. In a computer system, authorization procedures often are embedded within a computer program. For example, the order entry module in a sales system may determine the price to be charged to a customer. Thus, when evaluating the adequacy of authorization procedures, auditors have to examine not only the work of employees but also the veracity of program processing.

=========================================================== PANKAJ CHOUREY Reg. No. 521036344 Page 8 of 17

Sikkim Manipal University

- MBA -

MF 0013 Internal Audit and Control

=========================================================== Semester: 3 - Assignment Set: 2 =======================================================

e) Adequate documents and records : In a manual system, adequate documents and records are necessary to provide an audit trail of activities within the system. In computer systems, documents may not be used to support the initiation, execution and recording of some transactions. For example, in an online order entry system customers orders received by telephone may be entered directly into the system. Similarly, some transactions may be activated automatically by a computer system : for example, an inventory replenishment program may initiate purchase orders when stock levels fall below a set amount. Thus, no visible audit or management trail may be available to trace the transaction. The absence of a visible audit trail is not a problem for the auditor provided that systems have been designed to maintain a record of all events and there is a means of accessing these records. In a well designed computer systems. Audit trails are often more extensive than those maintained in manual systems. Unfortunately, not all computer systems are well designed. Some minicomputer and microcomputer software packages for example, provide inadequate access controls and logging facilities to ensure preservation of an accurate and complete audit trail. When this situation is coupled with a decreased ability to separate incompatible functions, serious control problems can arise. f) Physical control over assets and records : Physical control over access to assets and records is critical in both manual systems and computer systems. Computer systems differ from manual systems, however, in the way they concentrate the data processing assets and records of an organization. For example, in a manual system, a person wishing to perpetrate a fraud may be maintained at a single site the data processing installation. Thus, the perpetrator does not have to go to physically distance locations to execute the fraud. This concentration of data processing assets and records also increases the loss that can arise from computer abuse or a disaster. For example, a fire that destroys a computer room may result in the loss of all major master files in an organization. If the organization does not have suitable backup, it may be unable to continue operations. g) Adequate management supervision : In a manual system, management supervision of employee activities is relatively straight forward because managers and employees are often at the same physical location. In computer systems, however, data communications may be used to enable employees to be closer to the customers they service. Thus, supervision of employees may have to be carried out remotely. Supervisory controls must be built into the computer system to compensate for the controls that usually can be exercised through observation and inquiry.
=========================================================== PANKAJ CHOUREY Reg. No. 521036344 Page 9 of 17

Sikkim Manipal University

- MBA -

MF 0013 Internal Audit and Control

=========================================================== Semester: 3 - Assignment Set: 2 =======================================================

h) Comparing recorded accountability with assets : Periodically, data and the assets that the data purports to represent should be compared to determine whether incompleteness or inaccuracies in the data exist or shortages in the assets have occurred. In a manual system, independent staff prepares the basic data used for comparison purposes. In a computer system, however, programs are used to prepare this data. For example, programs may sort an inventory file by warehouse location and prepare counts by inventory item at different warehouses. If unauthorized modifications occur to the programs or data files that the programs use, an irregularity may not be discovered.

Question 3 Explain the principal considerations in internal control on: a. Purchases and creditors b. Fixed assets Answer: a. Purchases and creditors Basic considerations for having an effective internal control system for Purchase and creditors are as follows : The procedure for issuing purchase requisitions should be specified. Where tenders are invited, the procedure for opening and acceptance thereof should be laid down. The preparation and authorization of purchase orders should be under a senior manager. Predetermine guidelines should exist for inspection of goods received, especially with regard to quantity and quality. Documents showing the receipt and acceptance of goods should also be send to the accounts department. The goods receipt documents should be cross checked with final purchase order. An authorize official from the accounts department should be made responsible for checking suppliers invoices, documents regarding purchase returns, purchase records, payments to suppliers, maintenance of ledger accounts and reconciliation of statements sent by suppliers. Before payments are made to suppliers, payment documents duly authorized by a senior official, showing that the goods have been received as specified in the purchase order should be verified by the accounts department.

=========================================================== PANKAJ CHOUREY Reg. No. 521036344 Page 10 of 17

Sikkim Manipal University

- MBA -

MF 0013 Internal Audit and Control

=========================================================== Semester: 3 - Assignment Set: 2 =======================================================

Adequate procedures should be established with regard to purchase returns, discounts on account of inferior quality of goods, and other similar adjustments. Lawful policies and procedures should be implemented with regard to purchases from the companies under the same group and from the employees. The accounts of various suppliers should be confirmed periodically from statements received from them.

b. Fixed assets Basic considerations for having an effective internal control system for Fixed Assets are as follows : Payments for fixed assets should be made only after authorization of the top management. Capital expenditure budget should be prepared regularly. Fixed assets registers should be maintained showing brief particulars of all items. Fixed assets should be physically verified periodically. Serial numbers should be allotted to each item for easy identification. Proper accounting records should be maintained for expenditure during the construction period distinguishing carefully between capital and revenue expenditure. Sale, scrapping, or write off of fixed assets should be allowed only under proper authorization of the top management. The receipts from such disposals should be properly accounted for. Depreciation rates should be properly authorized.

Question 4: Explain the steps of evaluating internal control system using flow chart. Answer: The different steps undertaken by the auditor for evaluating the system of internal control has been illustrated through Figure: 11.1 (adapted from Contemporary Audit by Kamal Gupta) below:

=========================================================== PANKAJ CHOUREY Reg. No. 521036344 Page 11 of 17

Sikkim Manipal University

- MBA -

MF 0013 Internal Audit and Control

=========================================================== Semester: 3 - Assignment Set: 2 =======================================================

Study and Evaluation of Internal Controls an Illustration Now, let us discuss the steps of evaluating internal control system which are as follows: i) Understanding the system: At first the auditor should understand the internal control system with the purpose to have an idea of the flow of transactions and the various controls procedures. This will help him to pinpoint those internal controls on which he might base in doing his audit. To understand the internal control system, it may be useful to choose a few transactions through the system. The auditor should also ascertain whether the internal controls were effective and efficient throughout the period under audit.

=========================================================== PANKAJ CHOUREY Reg. No. 521036344 Page 12 of 17

Sikkim Manipal University

- MBA -

MF 0013 Internal Audit and Control

=========================================================== Semester: 3 - Assignment Set: 2 =======================================================

Organization charts, procedure manuals, job description, and flow charts etc. are some of the tools to have an idea about internal controls system. The auditor can also discuss with different officials of organization. Sometimes, he may have to rely on direct observations and inquiry only. The auditor should, especially in the case of first audit, maintain a detailed written record of his observations on the internal controls system. ii) Test through compliance procedures: Having reviewed the system, the auditor may select the specific controls on which he intends to rely and which, therefore, need to be tested through compliance procedures. He may decide not to rely on certain internal controls which are defective in design, or reliance on which may not be cost effective. It is important to test the application of internal controls in practice. For example, an auditor may take up a few sales bills at random and examine all the related documents right from the order of the customer to the payment received from the customer. At each stage, the auditor would see whether the transaction has taken place as stipulated in the flow chart or in the procedure manual. Thus, if the flow chart prescribes that the detail terms and condition of each order of customer has to be verified by a particular manager, the auditor should examine whether or not this has been done in practice. The objective of compliance tests is to provide a fair confidence to the auditor that the internal controls procedures are being effective as prescribed. The auditor should carry out such tests in case of all procedures on which audit reliance is intended to be placed. Tests of compliance are concerned primarily with the following questions: - Were the necessary procedures complied with? - How were they complied with? - By whom they were complied with? iii) Evaluating the system: Based on his observation during the tests made by him, the auditor has to make an estimate of how far he can depend on various internal controls. Normally, he should have a reasonable confidence that the system is such that the errors and fraud can be discovered automatically. He has to ascertain whether the control procedures as designed to implement are in practice and competent in preventing or detecting material errors and fraud in the accounting system. This is essentially a question of individual judgment in a particular situation. If he finds certain errors or weaknesses in the system, he should try to evaluate the impact of the same on various transactions. Let us suppose he finds weaknesses in the system of maintaining debtors ledger. Since this is a material item, he should ask for independent confirmations from the debtors. Thus, the auditors evaluation of internal

=========================================================== PANKAJ CHOUREY Reg. No. 521036344 Page 13 of 17

Sikkim Manipal University

- MBA -

MF 0013 Internal Audit and Control

=========================================================== Semester: 3 - Assignment Set: 2 =======================================================

control system will determine the nature, timing and extent of his substantive procedures.

Question 5:- Lehman Brothers Holding filed for Chapter 11 bankruptcy protection following the massive exodus of most of its clients, drastic losses in its stock and devaluation of its assets. In context with this case, examine internal control and risk assessment system. Answer: The nature and extent of the procedures performed by the auditor to obtain an understanding of the accounting and internal control systems generally depend on : Nature of policies or kind of procedures, Changes in operating environment, Size and complexity of the business, Way of documentation of business operations, Auditors assessment of inherent risk.

The auditor should make a study of internal control relevant for his audit. Although most controls related to audit are relevant for financial reporting but all controls relevant for financial reporting may not be relevant for audit. It is the judgment of auditor to decide whether a control individually or in combination with other is relevant for audit or not. Auditor normally classified audit risk for assessment into control risk and inherent risk. Control risk signifies that a material misstatement could occur but would not be prevented or detected by internal control system. Inherent risk signifies the chances that recording of transactions have been done either erroneously or under the influence of management fraudulent activity. Assessment of control risk Assessing control risk is the process of evaluating the effectiveness of an entitys accounting an internal control systems in preventing or detecting material mis-

=========================================================== PANKAJ CHOUREY Reg. No. 521036344 Page 14 of 17

Sikkim Manipal University

- MBA -

MF 0013 Internal Audit and Control

=========================================================== Semester: 3 - Assignment Set: 2 =======================================================

statements in the financial statements. After having a basic idea of the accounting and internal control system, the auditor should make an initial assessment of control risk for the appropriate assertions in the financial statements. When planning the audit approach, the auditor should consider the initial assessment of control risk to determine the appropriate detection risk to accept for the financial statement assertions. Some of the procedures performed to obtain understanding of the accounting and internal control systems may not have been specifically planned as tests of control but they may provide evidence about the effectiveness of both the design and operation of policies and procedures relevant to certain assertions and, consequently, serve as tests of control e.g. in obtaining understanding of the system pertaining to cash, the auditor may have obtained evidence about the effectiveness of bank reconciliation process through inquiry and observation. Relationship between the assessments of inherent and control risks : In many cases, inherent risk and control risk are highly interrelated. Also management often reacts to inherent risk situations by designing accounting and internal control systems to prevent and detect mis-statements in such situations, if the auditor attempts separately to assess inherent and control risk when they are highly interrelated, there is a possibility of inappropriate risk assessment. As a result, audit risk may be more appropriately determined in such situation by making a combined assessment. The auditor, in forming his opinion on financial information, needs reasonable assurance that transactions are properly recorded in the accounting records and that transactions have not been omitted. Internal controls, even if fairly simple and unsophisticated, may contribute to the reasonable assurance the auditor seeks. The auditors control risk assessment, together with the inherent risk assessment, influences the nature, timing and extent to substantive procedures to be performed to reduce detection risk to an acceptable level. The assessed levels of inherent and control risks cannot be sufficiently low to eliminate the need for the auditor to perform any substantive procedure for significant account balance and transaction classes. Consequently, regardless of the assessed levels of inherent and control risks the auditor should perform some substantive procedures. The higher the assessment of inherent and control risk, the more assurance the auditor must obtain from the performance of substantive procedures. When both inherent and control risks are assessed at a high level, the auditor should also consider whether substantive procedures will provided sufficient assurance to reduce detection
=========================================================== PANKAJ CHOUREY Reg. No. 521036344 Page 15 of 17

Sikkim Manipal University

- MBA -

MF 0013 Internal Audit and Control

=========================================================== Semester: 3 - Assignment Set: 2 =======================================================

risk to an acceptable level. When the auditor determines that detection risk cannot be reduced to an acceptable level, he should either qualify or disclaim the opinion or, if this if not practicable, withdraw from the engagement.

Question 6: Explain the importance of working papers. Answer: The importance of working papers is due to following reasons : Planning, organization, control and review of audit work : Working papers provide a means of planning, organizing, controlling, administering and review of the work. They are the supporting evidence that the audit was conducted as per the generally accepted, auditing standards and practices. Basis of auditors opinion : Working papers are the basic documents for the report of the auditor. They also provide a proof that generally accepted auditing standards and practices have been duly followed in the conduct of work. If the validity of the auditors opinion, assertion or recommendation as to the financial statements is later questioned, working papers can be produced as an evidence to establish the said opinion or assertion. The auditor should therefore ensure that the working papers are conclusive and complete in every respect, leaving no question raised therein unanswered. Division of labor : Working papers help in appropriate division of work among the audit stag, in the sense that different working papers may be made the responsibility of different audit clerks under the supervision of a senior clerk or the auditor himself. The progress of the work can thus be effectively monitored even where the audit work extends to different offices or branches of monitored. Even where the audit work extends to different offices or branches of the client, the audit programmes may be divided into so many parts, or separate audit programmes may be prepared for each place, and then working papers prepared at each place may be complied at the central office to have an overall view of the work. Use as permanent record : Working papers constitute a permanent record of auditing procedure employed, and the financial records examined. The client can make use of these, in case his own records are lost.

=========================================================== PANKAJ CHOUREY Reg. No. 521036344 Page 16 of 17

Sikkim Manipal University

- MBA -

MF 0013 Internal Audit and Control

=========================================================== Semester: 3 - Assignment Set: 2 =======================================================

Bridge between original transactions and financial statements : Working papers provide an important link between original transactions and the financial statements. This is because an auditors work mostly consists in tracing the business transactions, though on a sample basis, from the original records to the financial statements, and vice versa. Working papers also constitute the basis for making rectification and adjustment entries. Basis for review and revision of internal controls : Internal control questionnaires form part of the working papers. Comments as to the working of the internal control system will also be found in working papers relating to audit tests in respect of each aspect of the enterprise. Thus, working papers facilitate an in-depth review of the internal control system, which forms the basis of recommending suitable changes therein. Basis for evaluation and training of audit staff : Working papers provide a means to test whether the auditor and his staff have done their jobs as per the required standards. They serve as an index to the auditors ability to plan and organize the audit, because at teach stage of audit, he has to take decision as to the nature of evidence to be obtained and the tests to which evidence should be subjected. Review of the past years working papers and reports submitted by senior audit clerks can also be used as a basis to provide the required training to the staff.

Basis for further work : In the course of his examination, the auditor may come across certain situations or conditions in the pattern of management of the clients business which, though not directly connected with his work and, therefore, being outside the purview of his report, may nevertheless be useful in future planning. Thus, the notes and analysis prepared by the auditor as part of his working papers may also prove useful to the client in several other areas E(Rj ) = Required return E(Rj ) = Expected return E(Rm) = Expected return for market index Rf = Risk free return Bj = Beta (normally determines past performance) j = Potential merger partner (target company)

=========================================================== PANKAJ CHOUREY Reg. No. 521036344 Page 17 of 17