Assignment of MF0004 Internal Audit & Control 1


Upload: sandeep-singh3008

Post on 16-Nov-2014


MBA –III SEMESTER

MF0004 – INTERNAL AUDIT AND CONTROL- 2 CREDITS

(BOOK ID 0770)

ASSIGNMENT SET -1 (30 MARKS)

Note: Answer all the questions. Each question carries 10 marks.

1. Explain the principles of Internal Control.

Principles of Internal Control

If internal controls are built without regard for the business processes involved, they hinder those processes rather than help in preventing, detecting or correcting unlawful events.

The Information Systems Audit and Control Association (ISACA) of the USA has evolved a set of principles to be followed in designing internal controls, particularly when the controls are implemented through Information Technology. Nonetheless, these principles are equally applicable to manual internal control processes.

These principles are:

a) EFFECTIVENESS

Controls should help in providing information that is relevant and pertinent to the business process and is delivered in a timely, correct, consistent and usable manner.

For example, a report of customers' cheques deposited by us but dishonoured and returned by customers should reach the Finance Manager and the Marketing Manager immediately, so that recovery action is taken quickly and further sales are stopped. If this kind of information is received after a long delay, no effective steps can be taken to avoid the losses.

E.g. while studying for this Course, if you do not get the required text books and study materials in time, or they lack the proper contents, you may not be able to complete the Course even if that is your goal.

b) EFFICIENCY

Controls should achieve the optimal (most productive and economical) use of resources.

E.g. think of a rule where three executives have to sign a payment cheque in a company. It consumes a lot of extra executive time and administration time and results in avoidable losses. It does not make much difference if, instead, two executives are designated to sign cheques.

E.g. when you are studying for this Course, you read the study material loudly and learn it by heart even if it does not make sense to you. Though to an outsider it looks as if you were studying hard, your method is an inefficient way of studying. Instead, you can read the material, note down the important points and then ruminate on them to understand the subject.

c) CONFIDENTIALITY

Internal controls should result in the protection of sensitive information from unauthorized disclosure. As one of the objectives of internal controls is to safeguard the assets, it is important that persons not authorized to receive any information or exercise an authority are not permitted to do so.

E.g. if the controls set up by you do not prohibit outsiders from entering your company's premises without your permission, there is every possibility that the unwanted outsiders may later create problems for you.

E.g. if in your company the printouts of various sales reports are later sold as scrap paper instead of being shredded, your competitors might get valuable information out of them.

d) INTEGRITY

Internal controls should achieve the accuracy and completeness of information as well as its validity in accordance with business values and expectations.

E.g. the reports generated by your system should provide you with all the information needed to make decisions. A sales report might not disclose the person who is in charge of a particular territory or product. You will not be able to make decisions immediately based on the report. You might require information about the Executive who heads that particular territory or product.

E.g. in your case, if you studied only a few units of the Course and appear for exams, you might not pass, as the information possessed by you is incomplete. The same thing happens if you do not have accurate information about various important aspects of your Course.

e) AVAILABILITY

Internal controls should process the information, which should be made available when required by the business process now and in the future. Thus the safeguarding of necessary resources and associated capabilities becomes important.

E.g. you may have to save data on CDs or floppies for future use. Back-ups may have to be taken.

E.g. in your case, if you have studied hard for the exams, just before the exams you should be able to recall important points in the subject. It means you should have made a check-list of important points. If you have not done so, and if you are not able to recall them either, then it becomes very difficult for you to answer the questions in the exams.

f) COMPLIANCE

We have already studied that internal controls should achieve compliance with those laws, regulations and contractual arrangements to which the business process is subject. Compliance should also be achieved with reference to various policies of the management.

E.g. if remuneration is being paid by your company, the internal controls set up by the company should also include rules as to the various deductions to be made from salary, like Provident Fund and Income Tax. If no attention is paid by your company in this regard, there would be non-compliance with the rules of the Acts pertaining to Provident Fund or Income Tax. Such non-compliance would ultimately result in penalties and in additional time and resources wasted by your company, leading to losses.

E.g. in your case, even if you studied methodically and understood everything, if you have not complied with the rules of the University as to appearing for exams, like applying within the due date, paying the prescribed fees in the prescribed mode etc., you might not be able to appear for exams.

g) RELIABILITY

Internal controls should aim at the provision of appropriate information for management to operate the entity and to exercise its financial and compliance reporting responsibilities.

For example, the data provided as to sales should contain information as to the correct rate of Excise duty or VAT. If the controls set up by you do not detect a wrong rate of Excise duty or VAT being applied, your company will later have to face problems.

E.g. when you are studying for exams, the text books you study should be those that are prescribed by the University. If you rely on 'notes' or 'guides' prepared by others, you may later repent that none of the questions from these appeared in the exam!

Thus any set of rules, procedures or policies has to be evolved by an organization keeping all the above principles in mind, so that they do not become redundant later.

2. What is a flow chart? Explain the different types of flow charts

Flow Chart

A flow chart is a graphic presentation of each area of a company's internal control system. It uses standardized flow chart symbols. Some of these symbols are listed below (more symbols are available in MS Word (WinWord) under the menu 'Auto-shapes'):

- Process
- Decision
- Data
- Document
- Manual Operation

Flow charts can be of different types, as follows:

- Control flow charts
- Data flow diagrams
- Process flow charts
- Linear Responsibility Charts

3. Describe access control and Physical and logical assets control.

Access Controls

As we have discussed earlier, in a computerized system authorization or segregation cannot be done orally or in writing, as it can in a manual system. It has to be done through the machine. Thus the persons accessing the computers in a company are given access to the computers so that they can open the computer and get the information. However, the extent of information that they can access and use is to be decided by the System Administrator, i.e. the person who controls the computers and the information system. Therefore the following internal control measures are invariably used in computers:

- Identification of the users of the computers by the computers, through user IDs which are to be assigned by the system.
- Authentication of the users to allow them access to the computers, through techniques such as passwords, PINs (Personal Identification Numbers), smart cards and biometric devices (fingerprints, retina scans etc.).
- The extent of access to information should be decided by the Administrator through Access Control Policies. For example, information can be classified as Top Secret, Secret, Classified or Unclassified.

Physical and logical assets control:

The access to physical assets assumes a different proportion in a computerized environment. Imagine a company having a huge database of its customers' information at a particular data center. If a hacker attacks such a data center, the possible loss is huge because of the loss of information. The entire business may come to a standstill. Thus the control over physical assets in a computerized environment includes safeguarding information and logical assets like software, programmes etc. Some control features in this regard are:

- Use of firewalls and intrusion detection systems. Firewalls do not permit access to outsiders who are not authorized. Similarly, they do not allow insiders to send information to outsiders. Both these features save a company from attempts to attack the computer through viruses, hacking etc., and from misuse of valuable information by insiders. Intrusion detection systems warn the controllers of the computers that another person or system is trying to attack the system, so that the controllers can take preventive action.
- Use of anti-virus programs and applications. Viruses, worms, Trojans, spyware, logic bombs etc. are threats to an information system. They try to delete, modify or misuse information as well as the system, which results in huge loss to a business firm. For example, due to a virus attack the computers in a company may not work for a specified duration. This results in loss of business and reputation and in waste of human resources (employees sitting idle). The solution to this problem is installing anti-virus software and updating it frequently. Such programs detect viruses, worms, Trojans etc. and prevent them from attacking the system.
- Physical access controls as to persons entering the premises where computers are kept have to be established. Smart cards, biometric devices, guards at the entrance etc. can be used. For example, in some software companies fingerprints have to be identified by the system before the employee or any other person can enter the data center. This feature prevents unauthorized persons from entering the data center and destroying or altering the information.
- Computers are prone to threats like variations in electric supply, influence of magnetic fields etc. For example, if you take a powerful magnet near a computer, the data inside the hard disk may be destroyed or altered. Hence it is important that adequate control is exercised to see that those events do not happen. Energy variation should be prevented by installing Uninterrupted Power Supply (UPS) units. The maintenance of the UPS also becomes important, because if the UPS fails the system fails.
- Data or information are usually communicated through various communication channels like telecommunication, satellites etc. The possibility of theft of information or modification of data during such transmission exists. Steps are to be taken to prevent, or at least detect, such attempts to attack.

MBA –III SEMESTER

MF0004 – INTERNAL AUDIT AND CONTROL- 2 CREDITS

(BOOK ID 0770)

ASSIGNMENT SET -2 (30 MARKS)

Note: Answer all the questions. Each question carries 10 marks.

1. Explain the objectives and key sections of SOX

Objectives of SOX:

- Provides confidence and trust to investors and the public in the post-Enron era.
- Requires management accountability, with a focus on rapid identification and correction of internal control weaknesses along with additional financial disclosure requirements.
- Holds external auditors to higher attestation standards.

Key Sections of SOX:

- Section 302 requires the CEO (Chief Executive Officer) and CFO (Chief Financial Officer) of a company to sign, on a quarterly basis, the financial statements of that quarter, attesting fairness and internal control effectiveness. They must also report any significant changes in internal controls since their last evaluation.
- Section 404 requires a separate management report on internal control effectiveness and an audit by the organization's external financial statement auditor.
- Section 906 is related to Sections 302 and 404, and requires that CEOs and CFOs ensure all financial reporting (including annual and periodic reports) fairly presents, in all material respects, the financial condition and results of operations of the issuer. It also provides for significant criminal penalties for non-compliance.
- Section 201 prohibits a registered public accounting firm from performing both audit and non-audit services.
- Section 301 requires an audit committee to establish "whistleblower" procedures to allow the confidential and anonymous submission of concerns regarding questionable accounting or auditing matters.
- Section 409 requires disclosure to the public, on a rapid and current basis, of additional information concerning material changes in the financial condition or operations of the issuer.

2a. Bring out the importance of financial audit to companies.

Importance of Financial Audit

Legal necessity of financial audit

In many countries, auditors are now established as a separate profession, requiring government licensing.

In the United States, private audits are usually performed by Certified Public Accountants; auditing of the Federal Government's accounts is conducted by Congress' Government Accountability Office (GAO).

The Internal Revenue Service periodically audits individual and corporate tax returns. The Public Company Accounting Oversight Board (established 2002) registers and regulates accountants and accounting firms that act as auditors.

In India the Companies Act requires that every company get its financial statements audited and approved by its shareholders every year.

Only members of ICAI, i.e. Chartered Accountants, are qualified to undertake such company audits.

The Income Tax Act 1961 stipulates that a tax audit is to be undertaken by Chartered Accountants under certain circumstances for every kind of business, whether corporate or non-corporate.

Thus financial audit has become mandatory for many institutions.

Importance of financial audit to companies:

Financial audit is required and important in many ways:

a) To meet the needs of diverse stakeholders

Financial statements are ordinarily prepared and presented annually and are directed toward the common information needs of a wide range of users. Some such users are:

1. Shareholders
2. Investors/Stock Exchanges
3. Financial institutions
4. Government
5. General Public

Many of these users rely on the financial statements as their major source of information because they do not have the power to obtain additional information to meet their specific information needs.

The objective of an audit of financial statements is to enable the auditor to express an opinion on whether the financial statements are prepared in accordance with an identified financial reporting framework (like Accounting Standards).

Thus the auditor's opinion enhances the credibility of financial statements by providing a high, but not absolute, level of assurance.

b) Goal conflict in companies

We have already studied in earlier Units how goal conflict might result in weakness in internal controls. Managers may try to cash in on immediate opportunities by neglecting the long-term health of the Company.

In these situations audit is a guard or control that tries to prevent such a tendency of the directors/managers of the business to neglect the long-term goals of the Company.

c) Prevention of frauds and errors

The audit is generally aimed at preventing frauds or errors. An organization where audit is regularly conducted is less prone to fraud.

Though audit does not guarantee fraud-free or error-free financial statements, it at least minimizes the chance of future frauds, because if the accounts are audited every year, the person who intends to commit fraud may become apprehensive of committing such fraud lest he be caught by the auditors.

Further, as we shall see later, in internal audit the job of the auditor is mainly to prevent or detect frauds or errors. Thus audit helps in strengthening internal controls and thereby reduces frauds and errors.

d) Helps in effective decision-making

Because audit is based on Standards, there will be uniformity and quality in the financial statements over the long run. Thus a comparison between two sets of audited financial statements is more meaningful than one between two non-audited financial statements.

This ultimately helps in effective decision-making by the managers of these businesses as well as by any other stakeholders.

b. How does audit help in preventing frauds and errors?

Responsibility of auditors

Internal auditors are also responsible for frauds and errors, in that they have to check for their existence and suggest better internal controls.

External auditors, though not primarily responsible for detecting frauds and errors, are still responsible for taking care to verify the strength of internal control in preventing and detecting frauds and the existence of symptoms of fraud. Hence, indirectly, they are also responsible for controlling frauds.

Thus it is important to note here that internal controls are very important in detecting frauds and errors of any kind. Those who are establishing internal controls should have sufficient knowledge of the different types of frauds, or symptoms of fraud, that might occur in a particular business.

3. What are the mandatory standards of ICAI?

Types of Standards issued by ICAI

Auditing and Assurance Standards issued by the ICAI include the following Standards:

- Auditing and Assurance Standards (AAS)
- Statements on Auditing
- General Clarifications on AAS
- Guidance Notes
- Technical Guides

Each of them has a different scope and authority attached to it.

Authority Attached to Standards

Authority attached to AAS, Statements on Auditing and General Clarifications on AAS

Auditing and Assurance Standards, Statements on Auditing and General Clarifications on AAS are mandatory in nature.

AAS codify the existing best practices in the area of auditing. AASs are critical for the proper discharge of functions as auditor. Statements on Auditing are issued for compliance by Members. General Clarifications on AAS are also issued in matters where doubts exist.

Accordingly, while discharging their attest function, it will be the duty of the members of the ICAI to ensure that these are followed in the audit of financial information covered by their audit reports.

The nature of these Standards requires members to exercise professional judgment in applying them; for example, a member may judge it necessary to depart from an essential procedure laid down in these Standards to achieve more effectively the objective of the engagement.

If, for any reason, a member has not been able to perform an audit in accordance with such Standards, his report should draw attention to the material departures therefrom.

Authority Attached to Guidance Notes

Guidance Notes are designed primarily to provide guidance to members on matters which may arise in the course of their professional work and on which they may desire assistance in resolving issues which may pose difficulty.

Guidance Notes are recommendatory in nature. A member should ordinarily follow recommendations in a Guidance Note except where he is satisfied that, in the circumstances of the case, it may not be necessary to do so.

If the recommendations in a Guidance Note have not been followed, the member should consider whether, keeping in view the circumstances of the case, a disclosure in his report is necessary.

Technical Guides, Studies and Other Papers Published by ASB

AASB may also publish Technical Guides, Studies and Other Papers.

Technical Guides are ordinarily aimed at imparting broad knowledge about a particular aspect or an industry to the members.

Studies and other papers are aimed at promoting discussion or debate, or creating awareness, on issues relating to quality control, auditing, assurance and related services affecting the profession.

They do not establish any basic principles or essential procedures to be followed in audit, assurance or related services engagements.
