
Course: Auditing (481)
Semester: Spring, 2011
Level: B.A/B.com
ASSIGNMENT No. 1

Q.1 Define auditing; discuss its importance and different kinds of auditing techniques.

The general definition of an audit is an evaluation of a person, organization, system, process, enterprise, project or product. The term most commonly refers to audits in accounting, but similar concepts also exist in project management, quality management, and energy conservation.

Audits in accounting

Audits are performed to ascertain the validity and reliability of information; also to provide an assessment of a system's internal control. The goal of an audit is to express an opinion on the person / organization / system (etc.) in question, under evaluation based on work done on a test basis. Due to practical constraints, an audit seeks to provide only reasonable assurance that the statements are free from material error. Hence, statistical sampling is often adopted in audits. In the case of financial audits, a set of financial statements are said to be true and fair when they are free of material misstatements - a concept influenced by both quantitative (numerical) and qualitative factors.

Auditing is a vital part of accounting. Traditionally, audits were mainly associated with gaining information about financial systems and the financial records of a company or a business (see financial audit). However, recent auditing has begun to include non-financial subject areas, such as safety, security, information systems performance, and environmental concerns. With nonprofit organizations and government agencies, there has been an increasing need for performance audits, examining their success in satisfying mission objectives. As a result, there are now audit professionals who specialize in security audits, information systems audits, and environmental audits.

In cost accounting, it is a process for verifying the cost of manufacturing or producing of any article, on the basis of accounts measuring the use of material, labour or other items of cost.
In simple words the term, cost audit, means a systematic and accurate verification of the cost accounts and records, and checking for adherence to the cost accounting objectives. According to the Institute of Cost and Management Accountants of Pakistan, a cost audit is "an examination of cost accounting records and verification of facts to ascertain that the cost of the product has been arrived at, in accordance with principles of cost accounting."

An audit must adhere to generally accepted standards established by governing bodies. These standards assure third parties or external users that they can rely upon the auditor's opinion on the fairness of financial statements, or other subjects on which the auditor expresses an opinion.

The Definition for Auditing and Assurance Standard (AAS) 1 by ICAI - "Auditing is the independent examination of financial information of any entity, whether profit oriented or not, and irrespective of its size or legal form, when such an examination is conducted with a view to expressing an opinion thereon."

Auditing technique

Auditing technique is defined as any technique used by auditors to determine deviations from actual accounting and controls established by a business or organization as well as uncovering problems in established processes and controls. Auditing techniques can be used to aid organizations by uncovering errors in business practices and providing a means of correction. Some businesses have used irregular accounting methods to hide certain monetary transactions and non-compliant behavior which has been uncovered by the use of varied auditing techniques. Other businesses have found new ways to save money and streamline business practices through various auditing techniques which have found waste in certain processes. Auditing techniques can be used to uncover these issues in order to ensure ethical business practices and to minimize waste or possible oversights within an organization.
The applied techniques can determine if any income is hidden or improperly categorized or reported; transactions are being completed between the organization and regulated or prohibited persons, groups, or countries; uncovering of environmental waste discrepancies; finding of data inconsistencies; or any other business practice that can be considered as a process error, oversight, or violation of ethics, regulations, and laws.

Audit procedures

1. Ascertaining the arithmetical accuracy of the books of account by checking posting, casting, cross casting, carry forwards, opening and closing balances etc.
2. Examining the documentary evidences and the authority in support of the transaction
3. Checking the validity of transaction with reference to
   a. Rules and regulations governing the constitution and management of the organization.
   b. Well recognized accounting principles and practices e.g., distinction between capital and revenue, accrual system of accounting, valuation principles etc.


4. Ensuring that information disclosure is adequate in annual financial statements and that it conveys the real picture about the asset, liabilities and operation results.
5. Verification of existence, ownership and title and value of the assets and determination of the extent and nature of liabilities.
6. Determination of significant accounting ratios and evaluating the accounts to locate areas showing departure from the expected state of affairs.

Q.2 Define internal control system; highlight its objectives. Also explain how internal control system differs from internal check.

In accounting and auditing, internal control is defined as a process effected by an organization's structure, work and authority flows, people and management information systems, designed to help the organization accomplish specific goals or objectives.[1] It is a means by which an organization's resources are directed, monitored, and measured. It plays an important role in preventing and detecting fraud and protecting the organization's resources, both physical (e.g., machinery and property) and intangible (e.g., reputation or intellectual property such as trademarks).

At the organizational level, internal control objectives relate to the reliability of financial reporting, timely feedback on the achievement of operational or strategic goals, and compliance with laws and regulations. At the specific transaction level, internal control refers to the actions taken to achieve a specific objective (e.g., how to ensure the organization's payments to third parties are for valid services rendered.) Internal control procedures reduce process variation, leading to more predictable outcomes. Internal control is a key element of the Foreign Corrupt Practices Act (FCPA) of 1977 and the Sarbanes-Oxley Act of 2002, which required improvements in internal control in United States public corporations. Internal controls within business entities are also referred to as operational controls.
Internal controls have existed from ancient times. In Hellenistic Egypt there was a dual administration, with one set of bureaucrats charged with collecting taxes and another with supervising them.[3] In the Republic of China, the Control Yuan (Jiānchá Yuàn), one of the five branches of government, is an investigatory agency that monitors the other branches of government.

Definitions

There are many definitions of internal control, as it affects the various constituencies (stakeholders) of an organization in various ways and at different levels of aggregation. Under the COSO Internal Control-Integrated Framework, a widely-used framework in the United States, internal control is broadly defined as a process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
a) Effectiveness and efficiency of operations;
b) Reliability of financial reporting; and
c) Compliance with laws and regulations.

COSO defines internal control as having five components:
1. Control Environment - sets the tone for the organization, influencing the control consciousness of its people. It is the foundation for all other components of internal control.
2. Risk Assessment - the identification and analysis of relevant risks to the achievement of objectives, forming a basis for how the risks should be managed
3. Information and Communication - systems or processes that support the identification, capture, and exchange of information in a form and time frame that enable people to carry out their responsibilities
4. Control Activities - the policies and procedures that help ensure management directives are carried out.
5. Monitoring - processes used to assess the quality of internal control performance over time.

The COSO definition relates to the aggregate control system of the organization, which is composed of many individual control procedures.
Discrete control procedures, or controls are defined by the SEC as: "...a specific set of policies, procedures, and activities designed to meet an objective. A control may exist within a designated function or activity in a process. A control's impact...may be entity-wide or specific to an account balance, class of transactions or application. Controls have unique characteristics - for example, they can be: automated or manual; reconciliations; segregation of duties; review and approval authorizations; safeguarding and accountability of assets; preventing or detecting error or fraud. Controls within a process may consist of financial reporting controls and operational controls (that is, those designed to achieve operational objectives)."

Context

More generally, setting objectives, budgets, plans and other expectations establish criteria for control. Control itself exists to keep performance or a state of affairs within what is expected, allowed or accepted. Control built within a process is internal in nature. It takes place with a combination of interrelated components - such as social environment affecting behavior of employees, information necessary in


control, and policies and procedures. Internal control structure is a plan determining how internal control consists of these elements. The concepts of corporate governance also heavily rely on the necessity of internal controls. Internal controls help ensure that processes operate as designed and that risk responses (risk treatments) in risk management are carried out. In addition, there needs to be in place circumstances ensuring that the aforementioned procedures will be performed as intended: right attitudes, integrity and competence, and monitoring by managers.

Roles and responsibilities in internal control

According to the COSO Framework, everyone in an organization has responsibility for internal control to some extent. Virtually all employees produce information used in the internal control system or take other actions needed to affect control. Also, all personnel should be responsible for communicating upward problems in operations, noncompliance with the code of conduct, or other policy violations or illegal actions. Each major entity in corporate governance has a particular role to play:

Management: The Chief Executive Officer (the top manager) of the organization has overall responsibility for designing and implementing effective internal control. More than any other individual, the chief executive sets the "tone at the top" that affects integrity and ethics and other factors of a positive control environment. In a large company, the chief executive fulfills this duty by providing leadership and direction to senior managers and reviewing the way they're controlling the business. Senior managers, in turn, assign responsibility for establishment of more specific internal control policies and procedures to personnel responsible for the unit's functions. In a smaller entity, the influence of the chief executive, often an owner-manager, is usually more direct.
In any event, in a cascading responsibility, a manager is effectively a chief executive of his or her sphere of responsibility. Of particular significance are financial officers and their staffs, whose control activities cut across, as well as up and down, the operating and other units of an enterprise.

Board of Directors: Management is accountable to the board of directors, which provides governance, guidance and oversight. Effective board members are objective, capable and inquisitive. They also have a knowledge of the entity's activities and environment, and commit the time necessary to fulfill their board responsibilities. Management may be in a position to override controls and ignore or stifle communications from subordinates, enabling a dishonest management which intentionally misrepresents results to cover its tracks. A strong, active board, particularly when coupled with effective upward communications channels and capable financial, legal and internal audit functions, is often best able to identify and correct such a problem.

Auditors: The internal auditors and external auditors of the organization also measure the effectiveness of internal control through their efforts. They assess whether the controls are properly designed, implemented and working effectively, and make recommendations on how to improve internal control. They may also review Information technology controls, which relate to the IT systems of the organization. There are laws and regulations on internal control related to financial reporting in a number of jurisdictions. In the U.S. these regulations are specifically established by Sections 404 and 302 of the Sarbanes-Oxley Act. Guidance on auditing these controls is specified in PCAOB Auditing Standard No. 5 and SEC guidance, further discussed in SOX 404 top-down risk assessment.
To provide reasonable assurance that internal controls involved in the financial reporting process are effective, they are tested by the external auditor (the organization's public accountants), who are required to opine on the internal controls of the company and the reliability of its financial reporting.

Limitations

Internal control can provide reasonable, not absolute, assurance that the objectives of an organization will be met. The concept of reasonable assurance implies a high degree of assurance, constrained by the costs and benefits of establishing incremental control procedures. Effective internal control implies the organization generates reliable financial reporting and substantially complies with the laws and regulations that apply to it. However, whether an organization achieves operational and strategic objectives may depend on factors outside the enterprise, such as competition or technological innovation. These factors are outside the scope of internal control; therefore, effective internal control provides only timely information or feedback on progress towards the achievement of operational and strategic objectives, but cannot guarantee their achievement.

Describing Internal Controls

Internal controls may be described in terms of: a) the objective they pertain to; and b) the nature of the control activity itself.

Objective categorization

Internal control activities are designed to provide reasonable assurance that particular objectives are achieved, or related progress understood. The specific target used to determine whether a control is operating effectively is called the control objective. Control objectives fall under several detailed categories;

in financial auditing, they relate to particular financial statement assertions but broader frameworks are helpful to also capture operational and compliance aspects:
1. Existence (Validity): Only valid or authorized transactions are processed (i.e., no invalid transactions)
2. Occurrence (Cutoff): Transactions occurred during the correct period or were processed timely.
3. Completeness: All transactions are processed that should be (i.e., no omissions)
4. Valuation: Transactions are calculated using an appropriate methodology or are computationally accurate.
5. Rights & Obligations: Assets represent the rights of the company, and liabilities its obligations, as of a given date.
6. Presentation & Disclosure (Classification): Components of financial statements (or other reporting) are properly classified (by type or account) and described.
7. Reasonableness: transactions or results appear reasonable relative to other data or trends.

For example, a control objective for the accounts payable function may be stated as: "Payments are made only for authorized products and services received." This is a validity objective. A typical control procedure designed to achieve this objective is: "The accounts payable system compares the purchase order, receiving record, and vendor invoice prior to authorizing payment." Multiple controls may be applicable to achieve a given control objective with a reasonable level of assurance. Management is responsible for implementing appropriate controls that apply to transactions in their areas of responsibility. Internal auditors perform their audits to evaluate whether the controls are designed and implemented effectively to address the relevant objectives.

Activity categorization

Control activities may also be explained by the type or nature of activity. These include (but are not limited to):
Segregation of duties - separating authorization, custody, and record keeping roles to limit the risk of fraud or error by one person.
Authorization of transactions - review of particular transactions by an appropriate person.
Retention of records - maintaining documentation to substantiate transactions.
Supervision or monitoring of operations - observation or review of ongoing operational activity.
Physical safeguards - usage of cameras, locks, physical barriers, etc. to protect property, such as merchandise inventory.
Top-level reviews - analysis of actual results versus organizational goals or plans, periodic and regular operational reviews, metrics, and other key performance indicators (KPIs).
IT Security - usage of passwords, access logs, etc. to ensure access is restricted to authorized personnel.
Top level reviews - Management review of reports comparing actual performance versus plans, goals, and established objectives.
Controls over information processing - A variety of control activities are used in information processing. Examples include edit checks of data entered, accounting for transactions in numerical sequences, comparing file totals with control accounts, and controlling access to data, files and programs.

Control precision

Control precision describes the alignment or correlation between a particular control procedure and a given control objective or risk. A control with direct impact on the achievement of an objective (or mitigation of a risk) is said to be more precise than one with indirect impact on the objective or risk. Precision is distinct from sufficiency; that is, multiple controls with varying degrees of precision may be involved in achieving a control objective or mitigating a risk. Precision is an important factor in performing a SOX 404 top-down risk assessment. After identifying specific financial reporting material misstatement risks, management and the external auditors are required to identify and test controls that mitigate the risks. This involves making judgments regarding both precision and sufficiency of controls required to mitigate the risks.
Risks and controls may be entity-level or assertion-level under the PCAOB guidance. Entity-level controls are identified to address entity-level risks. However, a combination of entity-level and assertion-level controls are typically identified to address assertion-level risks. The PCAOB set forth a three-level hierarchy for considering the precision of entity-level controls. Later guidance by the PCAOB regarding small public firms provided several factors to consider in assessing precision.

Fraud and internal control

Internal control plays an important role in the prevention and detection of fraud. Under the Sarbanes-Oxley Act, companies are required to perform a fraud risk assessment and assess related controls. This typically involves identifying scenarios in which theft or loss could occur and determining if existing control

procedures effectively manage the risk to an acceptable level. The risk that senior management might override important financial controls to manipulate financial reporting is also a key area of focus in fraud risk assessment. The AICPA, IIA, and ACFE also sponsored a guide published during 2008 that includes a framework for helping organizations manage their fraud risk.

Internal Controls and Improvement

If the internal control system is implemented only to prevent fraud and comply with laws and regulations, then an important opportunity is missed. The same internal controls can also be used to systematically improve businesses, particularly in regard to effectiveness and efficiency.

Continuous Controls Monitoring

Advances in technology and data analysis have led to the development of numerous tools which can automatically evaluate the effectiveness of internal controls. Used in conjunction with continuous auditing, continuous controls monitoring provides assurance on financial information flowing through the business processes.

Q.3 Explain internal audit. Also discuss major functions and responsibilities of internal auditor.

Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes. Internal auditing is a catalyst for improving an organization's effectiveness and efficiency by providing insight and recommendations based on analyses and assessments of data and business processes. With commitment to integrity and accountability, internal auditing provides value to governing bodies and senior management as an objective source of independent advice. Professionals called internal auditors are employed by organizations to perform the internal auditing activity.
The scope of internal auditing within an organization is broad and may involve topics such as the efficacy of operations, the reliability of financial reporting, deterring and investigating fraud, safeguarding assets, and compliance with laws and regulations. Internal auditing frequently involves measuring compliance with the entity's policies and procedures. However, internal auditors are not responsible for the execution of company activities; they advise management and the Board of Directors (or similar oversight body) regarding how to better execute their responsibilities. As a result of their broad scope of involvement, internal auditors may have a variety of higher educational and professional backgrounds.

Publicly-traded corporations typically have an internal auditing department, led by a Chief Audit Executive ("CAE") who generally reports to the Audit Committee of the Board of Directors, with administrative reporting to the Chief Executive Officer. The profession is unregulated, though there are a number of international standard setting bodies (IIA, IAASB, ISACA... Cf. paragraph standard setting below).

Other definitions

The definition above (first sentence of this page) is in essence the IIA's definition. A similar definition has been developed by the accounting profession and adopted by the government auditors: the ISA 610 and the INTOSAI's standard ("ISSAI") 1003 define the Internal audit function as "An appraisal activity established or provided as a service to the entity. Its functions include, amongst other things, examining, evaluating and monitoring the adequacy and effectiveness of internal control."

History of internal auditing

The Internal Auditing profession evolved steadily with the progress of management science after World War II. It is conceptually similar in many ways to financial auditing by public accounting firms, quality assurance and banking compliance activities.
Much of the theory underlying internal auditing is derived from management consulting and public accounting professions. With the implementation in the United States of the Sarbanes-Oxley Act of 2002, the profession's growth accelerated, as many internal auditors possess the skills required to help companies meet the requirements of the law.

Standard setting bodies and/or auditors' associations

The profession is unregulated, though there are a number of international and national standard setting bodies. And in addition to institutes/boards that work on internal auditing in the large sense, there are specialized bodies which target a particular type of internal auditing.

International standard setting bodies and/or auditors' associations

The Institute of Internal Auditors ("IIA") has established Standards for the Professional Practice of Internal Auditing[3] and has over 150,000 members representing 165 countries, including approximately 65,000 Certified Internal Auditors.
The IFAC's IAASB is the independent standard setting body which issues external auditing, review, other assurance related services and quality control standards to be applied by the global external


auditing profession. Some standards target the internal auditing practices, cf. the International Standards on Auditing 40X and 610.
The IRCA International Register of Certificated Auditors, formed in 1984, is a division of the Chartered Quality Institute. Based in the UK it claims 14,750 members in 150 countries.

National/Local internal audit bodies

The associations/institutes below are affiliated with the IIA (non exhaustive list):
European Confederation of Institutes of Internal Auditing (ECIIA)
UK and Ireland: the internal audit profession is represented by the Chartered Institute of Internal Auditors[6].
France: IFACI
Germany: DIIR

Specialized audit associations and other institutions

IS auditing: ISACA
Anti-fraud auditing: ACFE
Environmental auditing: INTOSAI's Working Group on Environmental Auditing (WGEA); Environmental Auditors Registration Association, Regional Institute of Environmental Technology (According to their website, EARA is the leading UK membership organisation dedicated to the promotion of the goal of sustainable development.); The Institute of Environmental Management And Assessment in UK, now maintains the Environmental Auditors Register of the erstwhile EARA... etc.

Associations and institutions related to some aspects of internal auditing:
Risk Management: Federation of European Risk Management Associations (FERMA), etc.
Quality auditing: Cf. International Organization for Standardization and its related national standards organizations.

Internal Audit qualifications

IIA: Certified Internal Auditor (CIA); Certification in Control Self-Assessment (CCSA); Certified Government Auditing Professional (CGAP) for Government performance auditing and Government Auditors; Certified Financial Services Auditor (CFSA).
ISACA: Certified Information Systems Auditor (CISA); Certified in the Governance of Enterprise IT (CGEIT); Certified in Risk and Information Systems Control.
CIIA Chartered Institute of Internal Auditors: IACert, PIIA, CMIIA...
Organizational independence

To perform their role effectively, internal auditors require organizational independence from management, to enable unrestricted evaluation of management activities and personnel. Although internal auditors are part of company management and paid by the company, the primary customer of internal audit activity is the entity charged with oversight of management's activities. This is typically the Audit Committee, a subcommittee of the Board of Directors. To provide independence, most Chief Audit Executives report to the Chairperson of the Audit Committee and can only be replaced with the concurrence of that individual.

According to the Institute of Internal Auditors, the Internal Auditor's obligation of Independence refers to:

1) The reporting line or status of the CAE. The Chief Audit Executive must report to a level within the organization that allows the internal audit activity to fulfill its responsibilities. The chief audit executive must confirm to the board, at least annually, the organizational independence of the internal audit activity (IIA standard 1110). Organizational independence is effectively achieved when the chief audit executive reports functionally to the board (IIA practice advisory 1110A1). The board is a governing body, such as the board of directors, supervisory board, head of an agency or legislative body, board of governors or trustees of a nonprofit organization, or any other designated body of the organization, including the audit committee to whom the chief audit executive may functionally report (IIA Glossary).

2) Attitude of auditors, procedures of the internal audit department. The internal audit activity must be free from interference in determining the scope of internal auditing, performing work, and communicating results (IIA practice advisory 1110A1).

3) Communication right. The chief audit executive must communicate and interact directly with the Board of Directors (IIA standard 1111).
According to Mautz R.K. & Sharaf H.A, American Accounting Association,[8] there are three main ways in which the auditor's independence can manifest itself: Programming independence, Investigative independence, reporting independence. For more detail, see the wikipage Auditor independence which deals with the independence of the external auditors.

The European Union is strongly in favor of "Audit committees and an effective internal control system" (8th EU Company Law Directive on Statutory Audit). This 8th Directive states that "Each public-interest entity shall have an audit committee" which inter alia shall "monitor the effectiveness of the company's

internal control, internal audit where applicable, and risk management systems". The European Confederation of Institutes of Internal Auditing (ECIIA) and Federation of European Risk Management Associations (FERMA) also support the independence of Internal Auditing. Their guidance on the 8th EU Company Law Directive states The head of internal audit reports periodically to the board or the audit committee and to senior management on the internal audit activity's purpose, authority, responsibility and performance relative to its plan. The main reporting line is to the audit committee.

Regarding public institutions, the same principle of independence of internal audit applies; cf. INTOSAI's standard GOV9140 "Internal auditor independence in the public sector" endorsed in 2010, article 9.32. "The CAE should report ... to those charged with governance for strategic direction, reinforcement, and accountability. Those charged with governance (e.g. the audit committee) should safeguard the independence by approving the internal audit charter and (where applicable) the mandate."

The independence of the Internal Audit is applied by most international institutions: for instance, the European Commission audit is accountable to the Audit Progress Committee; the IBRD Auditor General reports to the president and to the audit committee comprising eight of the 24 executive directors; The IMF's internal audit is overseen by the External Audit Committee (three members, all external and with the accounting and financial expertise required); The OSCE's Office of Internal Oversight reports to the Secretariat General and the Permanent Council...

Role in internal control

Internal auditing activity is primarily directed at improving internal control.
Under the COSO Framework, internal control is broadly defined as a process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following internal control categories:
Effectiveness and efficiency of operations.
Reliability of financial reporting.
Compliance with laws and regulations.

Management is responsible for internal control. Managers establish policies and processes to help the organization achieve specific objectives in each of these categories. Internal auditors perform audits to evaluate whether the policies and processes are designed and operating effectively and provide recommendations for improvement. In the United States, internal auditors may assist management with compliance with the Sarbanes-Oxley Act (SOX).

Role in risk management

Internal auditing professional standards require the function to monitor and evaluate the effectiveness of the organization's Risk management processes. Risk management relates to how an organization sets objectives, then identifies, analyzes, and responds to those risks that could potentially impact its ability to realize its objectives. Under the COSO enterprise risk management (ERM) Framework, risks fall under strategic, operational, financial reporting, and legal/regulatory categories. Management performs risk assessment activities as part of the ordinary course of business in each of these categories. Examples include: strategic planning, marketing planning, capital planning, budgeting, hedging, incentive payout structure, and credit/lending practices. Sarbanes-Oxley regulations also require extensive risk assessment of financial reporting processes. Corporate legal counsel often prepares comprehensive assessments of the current and potential litigation a company faces.
Internal auditors may evaluate each of these activities, or focus on the processes used by management to report and monitor the risks identified. For example, internal auditors can advise management regarding the reporting of forward-looking operating measures to the Board, to help identify emerging risks. In larger organizations, major strategic initiatives are implemented to achieve objectives and drive changes. As a member of senior management, the Chief Audit Executive (CAE) may participate in status updates on these major initiatives. This places the CAE in the position to report on many of the major risks the organization faces to the Audit Committee, or ensure management's reporting is effective for that purpose. Internal auditors may help companies establish and maintain Enterprise Risk Management processes.[13][14] Internal auditors also play an important role in helping companies execute a SOX 404 top-down risk assessment. In these latter two areas, internal auditors typically are part of the risk assessment team in an advisory role.

Role in corporate governance

Internal auditing activity as it relates to corporate governance is generally informal, accomplished primarily through participation in meetings and discussions with members of the Board of Directors. Corporate governance is a combination of processes and organizational structures implemented by the Board of Directors to inform, direct, manage, and monitor the organization's resources, strategies and policies towards the achievement of the organization's objectives. The internal auditor is often considered one of the "four pillars" of corporate governance, the other pillars being the Board of Directors, management, and the external auditor. A primary focus area of internal auditing as it relates to corporate governance is helping the Audit Committee of the Board of Directors (or equivalent) perform its responsibilities effectively. This may include reporting critical internal control problems, informing the Committee privately on the capabilities of key managers, suggesting questions or topics for the Audit Committee's meeting agendas, and coordinating carefully with the external auditor and management to ensure the Committee receives effective information.

Nature of the internal audit activity

Based on a risk assessment of the organization, internal auditors, management and oversight Boards determine where to focus internal auditing efforts (the focus prioritization is part of the annual/multi-year audit planning; usually, the audit plan is proposed by the Chief Internal Audit (sometimes with several options or alternatives) for the approval of the Audit Committee or Board of Directors). Internal auditing activity is generally conducted as one or more discrete assignments. A typical internal audit assignment [17] involves the following steps:

1. Establish and communicate the scope and objectives for the audit to appropriate management.
2. Develop an understanding of the business area under review. This includes objectives, measurements, and key transaction types. This involves review of documents and interviews. Flowcharts and narratives may be created if necessary.
3. Describe the key risks facing the business activities within the scope of the audit.
4. Identify control procedures used to ensure each key risk and transaction type is properly controlled and monitored.
5. Develop and execute a risk-based sampling and testing approach to determine whether the most important controls are operating as intended.
6. Report problems identified and negotiate action plans with management to address the problems.
7. Follow up on reported findings at appropriate intervals. Internal audit departments maintain a follow-up database for this purpose.

Audit assignment length varies based on the complexity of the activity being audited and Internal Audit resources available. Many of the above steps are iterative and may not all occur in the sequence indicated. By analyzing and recommending business improvements in critical areas, auditors help the organization meet its objectives. In addition to assessing business processes, specialists called Information Technology (IT) Auditors review information technology controls.

Internal audit reports

Internal auditors typically issue reports at the end of each audit that summarize their findings, recommendations, and any responses or action plans from management. An audit report may have an executive summary; a body that includes the specific issues or findings identified and related recommendations or action plans; and appendix information such as detailed graphs and charts or process information. Each audit finding within the body of the report may contain five elements, sometimes called the "5 C's":

1. Condition: What is the particular problem identified?
2. Criteria: What is the standard that was not met? The standard may be a company policy or other benchmark.
3. Cause: Why did the problem occur?
4. Consequence: What is the risk/negative outcome (or opportunity foregone) because of the finding?
5. Corrective action: What should management do about the finding? What have they agreed to do and by when?

The recommendations in an internal audit report are designed to help the organization achieve its goals, which may relate to operations, financial reporting or legal/regulatory compliance.
They may relate to effectiveness (i.e., whether goals were met or compliance with standards was achieved) or efficiency (i.e., whether the outputs were generated with minimum inputs). Audit findings and recommendations also relate to particular assertions about transactions, such as whether the transactions audited were valid or authorized, completely processed, accurately valued, processed in the correct time period, and properly disclosed in financial or operational reporting, among other elements.

Developing the plan of engagements

Internal auditing standards require the development of a plan of audit engagements (assignments) based on a risk assessment, updated at least annually. The input of senior management and the Board is typically included in this process. Many departments update their plan of engagements throughout the year as risks or organizational priorities change.


This effort helps ensure the audit activity is aligned with the organization's objectives, by answering two key questions: First, what goals is the organization trying to accomplish in the upcoming period? Second, how can the Internal Audit Department assist the organization in achieving these goals? Internal auditors often conduct a series of interviews of senior management to identify potential engagements. Changes in people, processes, or systems often generate audit project ideas. Various documents are reviewed, such as strategic plans, financial reports, consulting studies, etc. Further, the results of prior audits and resolution of open issues are considered. For example, automated programs such as NEMEA Compliance Center can collect responses, produce and write standardized compliance reports for an organization seeking or issuing compliance rules. Even if a business area is important, prior audit work and the nature and status of open issues may render further audit effort unnecessary. If the organization has a formal enterprise risk management (ERM) program, the risks identified therein help limit the amount of separate risk assessment performed by Internal Audit. The preliminary plan of engagements is documented and prioritized. Audit resources and expertise are then considered and a final plan is presented to senior management and the Audit Committee. The presentations vary based on the needs of the stakeholders and may include the following:

- Summary of key goals, risks and corresponding major audits, to illustrate alignment;
- Analyses of audit effort along a variety of dimensions (e.g., by business segment, COSO objective category, IT, Sarbanes-Oxley, vs. prior year, etc.) along with commentary regarding changes;
- Brief description of critical potential audit engagements identified;
- Audit engagements requested but not planned for execution due to prioritization and resources;
- Required co-sourcing effort, typically where outside expertise is required or during peak periods;
- Coordination with other risk functions, such as legal, compliance or insurance, to ensure coverage of key organizational risks;
- Update on audit staffing levels, experience and certification; and
- Appendix materials, such as planning approach, assumptions (e.g., days per auditor and staffing level) and brief descriptions of all planned audits and related prioritization.

Q.4 What steps an auditor should consider, while auditing subsidiary books of a company.

Major roles and responsibilities of internal audit function are summarized as below:

- Evaluates and provides reasonable assurance that risk management, control, and governance systems are functioning as intended and will enable the organization's objectives and goals to be met
- Reports risk management issues and internal controls deficiencies identified directly to the audit committee and provides recommendations for improving the organization's operations, in terms of both efficient and effective performance
- Evaluates information security and associated risk exposures
- Evaluates regulatory compliance program with consultation from legal counsel
- Evaluates the organization's readiness in case of business interruption
- Maintains open communication with management and the audit committee
- Teams with other internal and external resources as appropriate
- Engages in continuous education and staff development
- Provides support to the company's anti-fraud programs.
Reporting Structure of Internal Audit Function

Existing corporate governance regulations do not address the interaction between the audit committee and the internal audit function, or the responsibilities of the function. In most companies, the internal auditor traditionally reported to either the Chief Financial Officer or the Chief Risk Officer, though others may have existed in some companies. Today, the internal auditor may either report directly to the Audit Committee, or the Audit Committee will have a role in hiring, firing, evaluating and compensating the Chief Audit Officer. The Audit Committee's increasing role with regard to the internal audit is being undertaken to help ensure the internal auditor's "independence" and objectivity. The relationship between the Audit Committee and the internal audit function should be clearly defined and addressed in the Audit Committee's charter.

Organizational Governance - Guidance for Internal Auditors

By providing assurance on the risk management, control, and governance processes within an organization, internal auditing is one of the key cornerstones of effective organizational governance. The guidance was issued by IIA and it was designed to help internal auditing in its assurance and advisory role with regard to specific aspects of organizational governance. This guidance is available at The Institute of Internal Auditors ("IIA"):

Internal Audit Reporting Relationships Serving Two Masters

This report is based on research developed under the leadership of The IIA Research Foundation and the Research Department of The Institute of Internal Auditors. It reviews the reporting relationships of the chief audit executive as an integral part of the governance process.

Sample Internal Audit Department Charter

The purpose, authority, and responsibility of the internal audit activity should be defined in a charter.

Internal Auditor Duties and Responsibilities


- Works with the University President and Audit Committee in planning and organising the activities of Internal Audit including: preparing an annual audit plan which fulfils the responsibility of Internal Audit, scheduling and assigning work to meet completion dates, and estimating resource needs.
- Confers with Company management and the Audit Committee on policies, programmes, and activities of the Internal Audit Service; makes recommendations regarding specific areas of responsibility.
- Develops and updates audit programmes and checklists; plans and monitors audit work schedules; and develops and recommends implementation of forms, systems, and procedures to carry out responsibilities and accomplish goals of the Internal Audit Service.
- Ensures that accepted accounting and audit principles and policies are followed, and evaluates the adequacy and effectiveness of internal accounting procedures and operating systems and controls.
- Meets with Company management at all levels and the Audit Committee of the Board of Directors, as necessary, to discuss audit plans and results and make recommendations to resolve audit findings requiring corrective action.
- Ensures maintenance of high standards and quality of audit projects by: review and approval of audit programs and time budgets, implementation of policies and establishment of procedures covering the scope of audits, review and evaluation of work papers of completed projects to be certain that adequate documentation has been gathered and that the work papers document and provide an adequate basis for reporting, and review of draft audit reports in connection with work papers to assure full and complete reporting in a professional manner prior to approval by the University President and Audit Committee.
- Coordinates coverage with external auditors.
- Coordinates coverage with other members of the EOLAS group in terms of university compliance and risk management.
- Confers, advises, initiates, and coordinates with other departments about policies and procedures.
- Develops hypotheses and accounting and statistical tests to determine if desired program results and benefits are being achieved.
- Identifies and analyses causes of uneconomic and inefficient practices in assigned areas of responsibility.
- Assesses alternatives, which might yield desired results.
- Assures follow up of audit findings to ensure adequacy and timeliness of correction.
- Presents findings and recommendations concerning activities audited to the University President and Audit Committee.
- Coordinates audit activities with other departments to secure resources needed to evaluate programs and conduct audits.
- Participates in development of Internal Audit's annual budget and monitors subsequent expenditures.
- Develops professional capability through on-the-job training and staff training programs.
- Performs special audit-related projects as assigned.
- Performs other duties as assigned.

Q.5 What is the mechanism, which enables you as an auditor to see that all necessary adjustments carried out at the year end are incorporated in the final trial balance?

Accounting Training: The Accounting Cycle

The final accounting trial balance lists the balance sheet accounts, or real accounts, after the closing entry process is completed. The balances in each account are then carried forward into the next reporting period.

Sunny Sunglasses Shop produced the below trial balance for the month of January.

Sunny Sunglasses Shop Trial Balance January 31, 2010


Accounting Trial Balance

Since each of the income statement accounts was closed, only balance sheet accounts now appear in the above accounting trial balance. These accounts are carried forward into February, the next reporting period. The retained earnings account now shows the balance from net income for January that was transferred to retained earnings as a result of the closing entries in the last section. Since this was the first month of operations, the retained earnings balance equals the net income for January. The retained earnings account continues to accumulate net income (or losses) during the life of the business, less any amount distributed to the owners.

The Purpose of the Final Trial Balance

The final trial balance serves two main purposes:

1. It verifies the equality of the debits and credits after the closing entry process in the accounting cycle.
2. It provides a listing of each account balance that is carried forward into the next reporting period.
