
MF0013 INTERNAL AUDIT & CONTROL

Q-1
Define and explain the term auditing. Personal qualities of an auditor are important for the
successful conduct of audit. Comment
Ans.-1
Comprehensive definition of auditing given by the Institute of Chartered Accountants of India is as
follows:
Auditing is a systematic and independent examination of data, statements, records, operations and
performance (financial or otherwise) of an enterprise for a stated purpose. In any auditing situation, the
auditor perceives and recognizes the propositions before him for examination, collects evidence,
evaluates the same and on this basis, formulates their judgment which is communicated through the audit
report.
This definition has described Auditing comprehensively and covers the following essential features:
1. Auditing is a systematic examination of data (financial or otherwise) by an independent expert called
an auditor.
2. The stated objective of the auditor is to express an opinion on the truth and fairness of the financial
statements.
3. Before expressing their opinion, the auditor has to collect necessary evidence on the proposition placed
before him and evaluate it on the basis of his professional knowledge and skill.
4. The auditor expresses their opinion through a report called the auditor's report, primarily addressed to
the owners of the business.
Apart from the professional qualification required of an auditor by law, he must have certain
personal qualities without which he may not be able to perform his duties satisfactorily. These are:
1. Common sense: According to Spicer and Pegler, the auditor should have a full share of that most
valuable asset, common sense. The Satyam case demonstrates this aspect vividly, because application of
common sense would have raised the question: why was the company sitting on such a huge pile of cash
year after year?
2. Independence: An influenced or biased person cannot form an independent opinion. Thus, a direct or
indirect interest in the results of the company under his audit may prevent an auditor from functioning
independently.
3. Honesty and Integrity: An auditor is answerable to owners of a business who have no say in its
management, and so must have unimpeachable integrity. For example, the auditor of XYZ Company
believes that closing stock has not been properly valued but accepts a certificate from the management as
to its valuation. This is plain dishonesty.
4. Objectivity: An auditor should not allow subjective judgment to cloud his opinion, which should as far
as possible be based on facts.
5. Communication: He should be able to communicate effectively, both orally and in writing. Particularly
in the matter of report writing, he should be able to convey his message clearly and unambiguously.

6. Tactfulness: He should be firm, yet diplomatic with his client and staff. Discovering the truth from a
mass of facts and figures requires a great deal of tact.
7. Awareness of latest developments: An auditor should keep up to date with changes in laws, changes in
professional standards, developments in technical guidelines etc.

Q-2
Write the key objectives of a good internal audit system. Narrate the points of dissimilarities
between external audit and internal audit.
Ans.-2
The key objectives of a good internal audit system are:
1. Evaluation of accounting controls: Ensuring that the checks and balances in the accounting processes
are effective and provide the required accounting controls.
2. Compliance with policies and procedures: Verifying compliance with the policies and procedures
laid down for key activities and reporting acts of omission and commission.
For example, if a purchase order for capital equipment of any value requires the Purchase department to
get at least 3 quotes, internal audit has to check if this rule has been followed in all cases, and report
exceptions.
3. Protection and optimal utilisation of business assets: Ensuring physical availability and usefulness
of fixed assets as per the company's records, and checking utilisation of major assets vis-à-vis plan.
For example, a piece of equipment purchased has not been installed within a reasonable period of time.
The auditor will check and report on the justification for the asset not having been put to use.
4. Testing the reliability of Management Information Systems (MIS): Reviewing the management
reporting structure and the utility of reports flowing out of the system.
Internal audit is often considered a part of the finance function of the enterprise since the technical
expertise required to do the audit function is available only with the Finance & Accounts professionals.
While this is natural, it may be a short-sighted approach. The internal auditor should be free to review and
if necessary investigate all management areas, and by making him report to finance this freedom might be
compromised.
Points of dissimilarity:
1. Statutory status: External audit is usually mandated by law. But internal audit is not mandatory except
for companies to which the Companies (Auditor's Report) Order, 2003 applies.
2. Independence: The statutory auditor is independent of the organisation which appoints him. But the
internal auditor is an employee of the organisation reporting to a Divisional or Functional Head (usually
Finance) and so his freedom might be limited. Even if an outside firm or person is appointed as an
internal auditor, independence may not be assured as he is appointed by the management and has no legal
authority.
3. Scope: The scope of an external audit is well-defined by the statute that mandates the audit. A limited
amount of interpretative changes may be possible, but mostly it is the beaten track. The scope of internal
audit is determined by the management and may be expanded or restricted depending upon the
peculiarities of the particular situation being audited.
For example, statutory audit must compulsorily comment on physical verification of inventories being
done once a year, close to the year-end. But internal audit may choose continuous verification as the
appropriate method for the company.
4. Responsibility: The responsibility of the external auditor is mainly towards the shareholders who have
appointed him, and other external stakeholders of the company. The internal auditor is responsible
directly to the internal management and to the board. He is also answerable to the external auditor and
must share his audit findings with him.
5. Powers: The external auditor has statutory powers under the Companies Act and related statutes. The
internal auditor is given his terms of reference and powers by the management. His powers depend upon
the requirements of the management.
6. Submission of reports: The external auditor submits his report to the owners or shareholders. The
internal auditor submits his report to the management.
7. Periodicity: External audit is conducted periodically, usually once a year. Internal audit is done
throughout the year on the basis of a time-bound program.
Q-3
Give the role of internal auditor in the Company's Management. List down the duties of auditor
under Section 581ZG.

Ans.-3
The specific contributions that an internal auditor can make include:
1. Review of internal control systems: The internal auditor should review the internal control systems of
the organisation. He should determine whether the existing control systems are appropriate and
commensurate with the objectives, size, etc. of the organisation. For example, a small company cannot
afford a separate credit control department and so it will need strong controls in the sales accounting
process to minimise customer payment default.
2. Review of safeguards for assets: The auditor should regularly review the adequacy of insurance
covers for fixed assets and complete accounting of all transactions relating to fixed assets, etc.
3. Review of compliance with policies, plans, procedures and regulations: The internal auditor should
include a regular checklist of compliances by different functions of laid down procedural requirements.
When a non-observance is spotted, he should inquire and ascertain the reason for the deviation, and report
the event together with the proposed solution.

4. Review of organisation structure: A well-designed organisation structure is the basic requirement for
the smooth functioning of any organisation. Organisation structure defines the authorities and
responsibilities of executives.
5. Review of deployment of resources: The internal auditor reviews utilisation of resources deployed for
the business (men, machines, money, materials and management) to identify deviations both by way of
excessive use of resources and resources that are under-utilised. He would be able to do this vis-à-vis the
planned capacities and resources, and should include in his report significant trends and happenings.
6. Review of reliability of information: The Management Reporting and Information System (MRIS) of
the company is an important aspect to be reviewed by the internal auditor. The content, format, frequency
and timeliness of key management reports should be evaluated by discussions with the functional
managers receiving the reports as well as with the finance manager who is usually the provider of the
reports. The objective of this review is to see to what extent the information flow has helped in taking
good decisions.
7. Review of achievement of company objectives: While the reviews in the foregoing paragraphs are
centred on the management processes, the managers are essentially hired to deliver results and achieve
the targets set for them. The internal auditor therefore reviews the final results achieved vis-à-vis planned
results. As they say, the proof of the pudding is in the eating, and if for instance the company has under-performed, audit can make it clear whether the failure to achieve was for internal reasons or external
factors beyond management's control.
Duties of auditor under Sec. 581ZG
Without prejudice to the provisions contained in Section 227, the internal auditor shall report on the
following additional matters relating to the producer company, namely:
1. The amount due along with particulars of bad debts, if any.
2. The verification of cash balance and securities.
3. The details of assets and liabilities.
4. All transactions which appear to be contrary to the provisions of this part.
5. The loans given by the producer company to the directors.
6. The donations or subscription given by the producer company.
7. Any other matter as may be considered necessary by the auditor.
Q-4:
The effectiveness of the internal control system can be ensured if the important aspects of the
company's operations are kept in mind. Explain the characteristics of an effective internal control
system. Write the elements of internal control.
Ans.-4:
Characteristics of an Effective Internal Control System
The effectiveness of the internal control system can be ensured if the following aspects of the company's
operations are kept in mind and done properly:

1. How the organisation structure is planned: For strong internal controls, the organisation structure
should have the following features:
Freedom of operation at every level of the hierarchy, subject to overall company guidelines and
achievement of the company's overall objectives.
Clear demarcation between the performance of the activity and its recording, especially in matters
involving money handling and fixed assets.
Elements of Internal Control
An entity's internal control system is much more than the entity's record-keeping procedure.
1. Control environment: Control environment is the basis of an internal control system. It includes and
reflects the factors that influence the control consciousness of its people. SA400: Risk Assessment and
Internal Control issued by the ICAI mentions the following aspects of the control environment:

Factors and examples:
a. Organisation structure. Example: Segregation of incompatible functions helps in fixing accountability.
b. Board of Directors and their committees. Example: A board which is independent of management or an
effective audit committee indicates strong internal control environment.
c. Management's philosophy and operating style. Example: Management should not adopt policies that
encourage company personnel to manipulate data.
d. Management control system. Example: A competent internal audit department and clear-cut hiring,
training, promoting and compensating policies for employees show strong control environment.

2. Risk assessment: Assessing control risk is the process of evaluating the effectiveness of an entity's
accounting and internal control systems in preventing or detecting material mistakes in financial
statements. After understanding the accounting and internal control system, the auditor makes a
preliminary assessment of control risk for the relevant assertions in the financial statements. An entity's
ability to properly record, process, summarise and report financial data may be affected by the following
risks:

(a) Changes in the operating environment (e.g. increased competition)


(b) New personnel
(c) New Information Systems
(d) Rapid growth
(e) New technology
(f) New lines, products, or activities
(g) Corporate restructuring
(h) Foreign operations.
(i) Changes in accounting methods.
3. Control activities: The following actions can help address the risks listed above:
P Performance reviews (review of actual against plan)
I Information processing (checks of accuracy, completeness,
authorisation)
P Physical control (physical security)
S Segregation of duties
4. Information and communication: The accounting system should record, process, summarise and
report transactions and in order to maintain correctness of related assets and liabilities, it must identify
and record all transactions at proper values and with least delay. It must communicate the disclosures
required by law in respect of the financial report.
5. Monitoring and supervision: Monitoring and supervision involves continuously assessing the quality
of internal control performance over time. Management should ensure that the internal control system, as
planned, functions properly and modifications needed, if any, are done on a timely basis.

Q-5
Describe general EDP controls. Explain the appraisal of accounting system and
related internal control.
Ans-5
General EDP Control
(a) Organisational and operational controls
relate to plan of the organisation and operation of EDP activities;
emphasise segregation of EDP department from source and user departments; and
also lays stress on segregation of functions within the EDP department.
(b) System development and documentation control
are designed to monitor, design, test and document the system and programmes constituting each
application;
include:
(i) Participation by user groups and accounting and internal auditing staff in system design;
(ii) Joint system testing and approval by user department and EDP personnel; and
(iii) Documentation creation and maintenance.
(c) Hardware controls
are built into computer equipment by the manufacturer to detect equipment failure. Some key
hardware controls are echo check, parity check, dual read and read after write.
(d) Access controls
to prevent unauthorised use of data files, programmes and their support documentation and computer
hardware, access must be limited to authorised individuals.
some types of control are use of passwords, locked doors, appointment of librarian etc.
(e) Data and procedural controls
aim at controlling daily computer operations, minimising processing errors and assuring continuity of
operations in the event of physical disaster or computer failure
Appraisal of Accounting Systems and Related Internal Control
Though the scope, objectives and approach to auditing do not change in a computerised environment, the
extent of audit procedures and nature of audit programme definitely get affected. Hence an auditor must
have a clear understanding of the client's accounting system and related internal control. An appraisal of
accounting system and in-depth study of internal control surrounding accounting system will guide him to
form an opinion about the extent of audit.
An example is the practice of posting journals in the system without a supporting document or without a
hard copy of the entry duly authorised. If the company follows this practice and if journal entries for large
values are seen throughout the year in the books with no back papers, the audit will have to be far more
elaborate.

Before undertaking detailed audit, the auditor must satisfy himself about the input and output of the
accounting system. He should remember the acronym GIGO (garbage in, garbage out), meaning wrong
input can give only wrong output. So he must satisfy himself that the inputs given to the accounting system
are correct, the accounting system itself is correct and outputs satisfy the needs of the organisation.
A review of the accounting system and internal controls may be comprehensive in a first-time audit or in
a complex computer system. The review in a recurring audit or for a relatively simple EDP system will
require less time.
Since computer applications can be more easily modified during design and development than after
implementation, the auditor should consider commencing the audit review during system development. This
will provide an opportunity to identify and design audit procedures including the Computer Assisted
Audit Techniques (CAATs), before the new application is operational.
The auditor should review the accounting system to gain understanding of the overall control
environment and the flow of transactions. Such a review generally includes a survey of the organisation,
management, personnel and nature of transactions. If the auditor wishes to rely on internal controls
in conducting the audit, he should identify and make a preliminary appraisal of those controls that can be
depended upon while conducting the audit.

Q-6
Explain the internal control systems in insurance companies. Write down about the reporting
internal control weaknesses.
Ans.-6
Internal control system in insurance companies
Insurance companies pay special attention to internal control procedures with regard to receipts and
payments, acceptance of policy covers, calculation of premiums, granting of loans, buying and selling of
investments, payment of commission to agents, and expenses of management. An effective internal
control system of an insurance company should ensure the following:
a) Cash and cheques received are deposited in the account of the insurance company without delay.
Normally, the internal control procedures provide that each branch maintains two separate bank accounts,
one for collection of premiums and the other for disbursement of expenses.
b) Cash and cheque payments are made under proper authority and are adequately documented.
c) Policy covers are accepted only on the basis of a proper evaluation of the circumstances involved as
per set norms, and exceptions are duly authorised.
d) Premiums are calculated according to the degree of risk and the conditions specified in the policy.
e) Cover notes are issued in respect of all risks assumed and all cover notes are properly accounted for.
All cover notes should have pre-printed running serial numbers for each class of business and there
should be adequate control over the issue of stationery comprising cover notes, policy documents, stamps,
etc.
f) Commissions to agents are calculated as per the norms laid down and proper controls exist over the
accounts of the agents.
g) Proper controls exist on the expenses of management.
h) Adequate procedures exist regarding the acceptance of claims, especially with regard to the assessment
of loss and the insurer's liability thereon.

i) Clear reporting lines are drawn and implemented between the branch and the divisional office.
Reporting Internal Control Weaknesses
The inadequacies and weaknesses in the internal control system are communicated by a letter commonly
referred to as the management letter. Points of inadequacies and weaknesses are noted first on a study of the
control system itself. Then in the course of audit, points of deviation from the prescribed system and non-implementation of procedures are also noted. The management letter is compiled and issued,
incorporating these points.
The management letter is in three sections:
1. executive summary
2. points to be addressed from the current internal control review, and
3. points from previous reviews that have not been attended to.
The format has 4 columns:
1. activity/function
2. point to be addressed
3. response by concerned manager, and
4. action to be taken as agreed
The major points that have serious repercussions are normally presented in the Executive summary and
help top management to focus on the big issues.
It should be appreciated that issuing the management letter does not absolve the auditor from his duty to
mention the shortcomings in the auditor's report by way of qualification where the defects are material
and their impact on the result significant. It should also be clarified by the auditor that the points brought
up in the management letter are only weaknesses, etc. found by the auditor and there could be other
defects too, which were not discovered.
