STATISTICS OF THE CHAPTER  -  Tentative Weightage of Chapter: 10 to 20 Marks 
IMPORTANCE OF THE CHAPTER  -  The Chapter helps in understanding the environment in which an auditor has to work i.e. the way in which an entity works.
SAs COVERED  -   SA 315, SA 610
   (1) Internal Control
   (2) Internal Check
   (3) Internal Audit
   (4) Computerised Information System Environment

(38) What do you understand by the term ‘internal control’?
► MEANING: As per SA 315 “Identifying and assessing the risk of material misstatement through understanding the entity and its environment”, internal control refers to:
   ⦁ the process designed, implemented and maintained
   ⦁ by those charged with governance, management and other personnel
   ⦁ to provide reasonable assurance about achievement of objectives with regard to
      ⦁ reliability of financial reporting,
      ⦁ effectiveness and efficiency of operations,
      ⦁ safeguarding of assets and
      ⦁ compliance with applicable laws and regulations.

(39) Explain internal control environment.
► MEANING: As per SA 315, the control environment includes:
   ⦁ the attitudes, awareness and actions of those charged with governance and management
   ⦁ concerning the entity’s internal control and
   ⦁ its importance in the entity.
   Management and employees should establish and maintain an environment throughout the organization that sets a positive and supportive attitude toward internal control.
1. Integrity & ethical values communicated and enforced: The effectiveness of controls is influenced by:
   ⦁ the integrity and ethical values of management and staff, and
   ⦁ the way entity’s policies are communicated and reinforced in practice.
2. Commitment to competence: All personnel need to possess and maintain a level of competence to accomplish their assigned duties. Management needs to identify appropriate knowledge and skills needed for various jobs and provide needed training.
3. Participation by those charged with governance: An entity’s controls are influenced significantly by those charged with governance. Some attributes of those charged with governance which may affect controls include:
   ⦁ Their independence from management.
   ⦁ Their experience & extent of their involvement.
   ⦁ Their interaction with internal and external auditors.
4.  Management’s philosophy and operating style: The attitude and philosophy of management toward information systems, accounting functions, managing business risks, personnel functions and monitoring audits can have a profound effect on internal control.
5. Organizational structure: A good internal control environment requires that the agency’s organizational structure clearly define key areas of authority and responsibility and establish appropriate lines of reporting.
6. Delegation of authority and responsibility: The delegation of authority and responsibility should be done so as to ensure that all personnel understand the entity’s objectives and know how their individual actions interrelate and contribute to those objectives.
7. Human resource policies and practices: Human resource policies and practices also affect the control environment. This includes establishing appropriate practices for recruiting, training, counseling, promoting, compensating and disciplining personnel. It also includes providing a proper amount of supervision. Promotions based on periodic performance appraisals demonstrate entity’s commitment to advancement of qualified personnel to higher levels.

(40) What are the inherent limitations of internal control?
Internal control can provide only reasonable, not absolute, assurance that its objectives are achieved. This is because there are some inherent limitations of internal control, such as:
1. Cost Effectiveness: management’s consideration that a control be cost-effective.
2. Unusual transactions: most controls are not directed at transactions of unusual nature.
3. Human error: the potential for human error.
4. Collusion: the possibility of circumvention of controls through collusion with parties outside the entity or with employees of entity.
5. Override: the possibility that a person responsible for exercising control could abuse that authority, for example, a member of management overriding a control.

(41) What are the methods to review the internal control?
The auditor can use one of the following methods to review internal control system:

Audit Method to review internal Control

1. Narrative Records: A complete and exhaustive description of the system as found in operation by the auditor. Actual testing and observation are necessary before such a record can be developed.
   ⦁ Useful where no formal control system is in operation
   ⦁ Suitable for small business
   ⦁ It is difficult to understand the system in operation
   ⦁ It is difficult to identify weaknesses or gaps in the system
   ⦁ It requires constant updation due to reshuffling of manpower, etc.

2. Check List: A series of instructions and/or questions which a member of the auditing staff must follow and/or answer. On completion, he initials the space against the instruction. Answers to the instructions are usually Yes, No or Not Applicable. The complete check list is studied by the Principal/Manager/Senior to ascertain existence of internal control and evaluate its implementation and efficiency.
A few examples of check list instructions are given here under:
Are tenders called before placing orders?
Are the purchases made on the basis of a written order?
Is the purchase order form standardised?
Are purchase order forms pre-numbered?
   ⦁ Easy to fix responsibility for observations in the course of audit
   ⦁ Simple to use
   ⦁ Evaluation by the principal helps in locating weaknesses
   ⦁ Time consuming
   ⦁ Requires skill to prepare proper checklist

3. Questionnaire: A comprehensive series of questions concerning internal control. Generally questions are so framed that a ‘Yes’ answer denotes satisfactory position and a ‘No’ answer suggests weakness with a provision for an explanation of ‘No’ answers. The questionnaire is usually issued to the client and the client is requested to get it filled by the concerned executives and employees.

   ⦁ Chances of oversight/omission are minimised
   ⦁ Can be reviewed on interim basis
   ⦁ More systematic approach
   ⦁ Easy to locate weaknesses
   ⦁ Time consuming
   ⦁ Total dependency on response of client

4. Flowchart: A graphic presentation of each part of the company’s system of internal control. It is the most concise way of recording the auditor’s review of the system. It minimises the amount of narrative explanation and gives bird’s eye view of the system.
   ⦁ Most concise way of review
   ⦁ Gives bird’s eye view of the system
   ⦁ Difficult to prepare flowchart with details of every aspect of the system
   ⦁ Detailed study may also be required in various aspects/areas

(42) What do you understand by internal check?
► MEANING: Internal check refers to:
   ⦁ existence of checks on the day-to-day transaction,
   ⦁ which operate continuously as a part of the routine system.
   ⦁ whereby the work of one person is proved independently or is complementary to the work of another.
   ⦁ the object being the prevention or early detection of errors or fraud.
► It is a part of the overall internal control system. It implies involvement of more than one person for completion of a job or transaction i.e. breaking of the line of responsibility.

(43) What factors should be considered while framing a system of internal check?
General considerations in framing a system of internal check are:
1. No independent control: No single person should have an independent control over any important aspect of the business.
2. Job Rotation: Duties of the staff members should be changed from time to time without any previous notice.
3. Leave policy: Staff members should be encouraged to go on leave at least once in a year.
4. Separation of custodial responsibilities: Persons having physical custody of assets must not be permitted to have access to the books of account.
5. Control over assets: Accounting control should exist for each important class of assets; in addition, these should be periodically inspected so as to establish their physical condition.
6. Mechanical devices: To prevent loss or misappropriation of cash, mechanical devices, such as the automatic cash register, should be employed.
7. Budgetary controls: Budgetary controls should be devised and major variances should be observed and reconciled.
8. Stock taking: For stock-taking, at the close of the year, trading activities should, if possible, be suspended. The task of stock-taking and evaluation should be done by staff belonging to several sections of the organisation and not only by stock section staff.
9. Division of powers: The financial and administrative powers should be distributed very judiciously among different officers and be reviewed periodically.
10. Periodic review: There should be periodical verification and testing of different sections of accounting records to ensure that they are accurate. Accounting procedures should be reviewed periodically even if they are well-designed and carefully installed.

(44) What do you understand by internal audit? Explain its objectives.
► MEANING: Internal Audit is
   ⦁ an independent management function,
   ⦁ which involves a continuous and critical appraisal of the functioning of an entity
   ⦁ with a view to:
      ⦁ suggest improvements thereto and
      ⦁ improve the overall governance mechanism of the entity,
      ⦁ including the entity’s risk management and internal control system.
► OBJECTIVES: The objects of internal audit can be stated as follows:
1. Verification: Verify accuracy & authenticity of accounting & statistical records presented to the management.
2. Authorisation: Ascertain that proper authority exists for every acquisition, retirement and disposal of assets.
3. Liabilities: Confirm that liabilities have been incurred only for the legitimate activities of the organisation.
4. Frauds: Facilitate the prevention and detection of frauds.
5. Assets Safety: Examine the protection afforded to assets and the uses to which they are put.
6. Special investigation: Make special investigations for management.
7. Ideas: Provide a channel whereby new ideas can be brought to the attention of management.
8. Internal control review: Review operation of internal control system and bring material weaknesses to management’s notice.

(45) Differentiate internal audit and internal check.
| Internal Audit | Internal Check |
|---|---|
| Internal Audit is an independent management function, which involves a continuous and critical appraisal of the functioning of an entity with a view to suggest improvements thereto and improve the overall governance mechanism of the entity, including the entity’s risk management and internal control system. | Internal check refers to existence of checks on the day-to-day transaction which operate continuously as a part of the routine system, whereby the work of one person is proved independently or is complementary to the work of another, the object being the prevention or early detection of errors or fraud. |
| Suggest improvements. | Minimise misstatements. |
| Specialised staff is assigned such function. | It is performed by the ordinary staff. |
| It is a separate function & separate department is ensured its responsibility. | It is a part of internal control system & operates as a built-in device. |
| It is not so essential to have a separate internal audit function. | It is essential to have internal check over the transactions. |

(46) What is the relationship between statutory & internal auditor? (SA 610)
Internal audit being an integral part of the system of internal control, it is obligatory for a statutory auditor to examine the scope and effectiveness of work carried out by internal auditor.

⦁ If after his examination the statutory auditor is satisfied that the internal audit has been efficient and effective, he may decide to curtail his audit programme by dispensing with some of the detailed checking already carried out by the Internal Audit Department.
⦁ He, at times, also decides to entrust certain items of work to the internal auditor.
⦁ It is desirable that the external auditor be kept informed of any significant matter that comes to the internal auditor's attention and which he believes may affect the work of the external auditor. Similarly, the external auditor should ordinarily inform the internal auditor of any significant matters which may affect his work.
⦁ The report of the external auditor is his sole responsibility, and that responsibility is not by any means reduced because of the reliance he places on the internal auditor’s work.

(47) How should an external auditor evaluate internal audit function?
External auditor’s evaluation of internal audit function will assist him in determining the extent of reliance to be placed upon work of internal auditor. The important aspects to be considered in this context are:
1. Organisational Status: Whether the internal audit function is outsourced or within the entity itself, whether the internal auditor reports to the management, and whether any constraints or restrictions are placed upon his work by management.
2. Scope of Function: Ascertain the nature and depth of coverage of internal audit and the extent of consideration of internal audit recommendations by management.
3. Technical Competence: Review experience & professional qualifications of persons undertaking internal audit, to ascertain if they have adequate technical training & proficiency.
4. Due Professional Care: Ascertain whether internal audit work is properly planned, supervised, reviewed and documented. An example of the exercise of due professional care by the internal auditor is the existence of adequate audit manuals, audit programmes, and working papers.

(48) What are the characteristics of CIS environment?
1) Concentration of functions and knowledge: Certain data processing personnel may be the only ones with a detailed knowledge of data sourcing, processing, distribution and output.
2) Concentration of programs and data: Programs & data are often concentrated in one computer located centrally (common server).
3) Absence of input documents: data may be entered directly into the computer system without supporting documents. (e.g. credit limit approval).
4) Lack of visible transaction trail: certain data may be maintained on computer files only and that too only for a limited period of time.
5) Lack of visible output: certain transactions or results of processing may not be printed and be in form of files readable only by computer.
6) Ease of access to data and computer programs: data and computer programs may be accessed and altered by computers at remote locations.
7) Consistency of performance: Functions are consistently performed in the way they are programmed and are potentially more reliable than manual systems.
8) Programmed control procedures: the internal control procedures may be embedded with the computer programs (e.g. access by use of passwords only).
9) Single transaction update of multiple or data base computer files: single input to the accounting system may automatically update all records associated with the transaction.
10) Systems generated transactions: certain transactions may be initiated by system itself (e.g., TDS may be deducted automatically).
11) Vulnerability of data and program storage media: Large volumes of data and computer programs may be stored on portable media, which are prone to theft, or accidental destruction like virus attack.

(49) Write a note on internal control in CIS environment.
The internal controls over computer processing include both manual procedures and computerized procedures. These may be classified into:
1. General CIS controls: i.e. the overall controls affecting the CIS environment
2. CIS Application controls: i.e. the specific controls over the accounting applications
1. GENERAL CIS CONTROLS: It establishes overall control over the CIS activities and provides reasonable assurance that overall objectives of internal control are achieved. It may include:
1. Organization and management controls
   To establish an organizational framework over CIS activities, including:
   ⦁ Policies and procedures relating to control functions.
   ⦁ Appropriate segregation of incompatible functions.
2. Application systems development and maintenance controls
   To provide reasonable assurance that systems are developed and maintained in an authorized and efficient manner. They also typically are designed to establish control over:
   ⦁ Implementation and documentation of new or revised systems.
   ⦁ Changes to application systems.
   ⦁ Acquisition of application systems from third parties.
3. Computer operation controls
   To control operation of systems & provide reasonable assurance that:
   ⦁ The systems are used for authorized purposes by authorized personnel only.
   ⦁ Only authorized programs are used.
4. Systems software controls
   ⦁ To provide reasonable assurance that system software is acquired or developed in an authorized and efficient manner, including restriction of access to systems software and documentation to authorized personnel.
5. Data entry and program controls
   To provide reasonable assurance that:
   ⦁ Only authorised transactions are entered in system.
   ⦁ Access to data and programs is restricted to authorized personnel.
   ⦁ There is offsite back-up of data and recovery procedures in event of disaster.

2. CIS APPLICATION CONTROLS: It establishes specific control procedures over the accounting applications to provide reasonable assurance that all transactions are authorized, recorded and processed completely, accurately and on a timely basis. CIS application controls include:

1. Controls over input
   To provide reasonable assurance that:
   ⦁ Transactions are properly authorized before being processed.
   ⦁ Transactions are accurately converted into machine readable form.
   ⦁ Incorrect transactions are rejected, corrected and resubmitted on a timely basis.
2. Controls over processing and computer data files
   To provide reasonable assurance that:
   ⦁ All transactions are properly processed by the computer.
   ⦁ Transactions are not lost, added, duplicated or improperly changed.
   ⦁ Processing errors are identified and corrected on a timely basis.
3. Controls over output
   To provide reasonable assurance that:
   ⦁ Results of processing are accurate.
   ⦁ Access to output is restricted to authorized personnel.
   ⦁ Output is provided to appropriate authorized personnel on timely basis.

(50) Write a note on audit trail in CIS environment.
► MEANING: Audit trail refers to tracing the transactions from source document to the summarized total in accounting reports & vice versa. It is the way of relating the original input with the final output on a one-to-one basis. It is the tracing of all the stages through which a particular business transaction passes in the records.
► AUDIT TRAIL IN CIS ENVIRONMENT: In a CIS environment audit trail is generally difficult to maintain, due to following reasons:
   ⦁ Lack of documentary evidence for input data.
   ⦁ Increase in speed & ease by which data is processed.
   ⦁ System generated or automatic transactions with no visible authorization.
   ⦁ Programmed control procedures e.g. checking customer’s credit limit.
   ⦁ Lack of visible output data, due to increased use of on-screen enquiry.
   ⦁ The auditor may use CAATs to overcome loss of audit trail, by testing:
        ⦁ the logic & controls existing within the system
        ⦁ the record produced by the system
        Use of CAAT may enhance the effectiveness of the audit.
   ⦁ Arranging for special printouts containing additional information, as required by auditor
   ⦁ Clerical recreation (manually calculating figures which have been generated by system)

(51) What are the benefits of using CAATs?
Due to certain limitations of the CIS organizational structure the use of CAATs may be required, to improve the effectiveness and efficiency of audit procedures in following ways:
   1. Cost saving: Some transactions may be tested more effectively for a similar level of cost by using the computer to examine all or a greater number of transactions.
   2. Time saving: More data can be checked in lesser time by using CAATs
   3. Examination in depth: CAATs may permit detailed examination of selected transactions
   4. Audit trail: CAATs may effectively help in auditing even in the absence of an audit trail.
   5. Sampling: It helps in selecting appropriate samples by use of audit software.

(52) What are the various approaches to audit in CIS environment?
The auditor must plan whether to use the computer to assist the audit or to audit without using the computer. The two approaches are commonly called:
1) Auditing around the computer and
2) Auditing through the computer
   ⦁ Auditing around the computer involves arriving at an audit opinion by examining controls for computer installation and input & output only for application systems.
   ⦁ The computer is viewed as a black box and is used majorly to take printouts.
   ⦁ This approach is useful in either of the following situations:
      a. The system is simple and batch oriented.
      b. The system uses generalized software that is well-tested and used widely
   ⦁ Advantages of auditing around the computer:
      a. The primary advantage of this approach is simplicity.
      b. Little technical knowledge of computers is required to perform the audit.
   ⦁ Disadvantages of auditing around the computer:
      a. It is not suitable for large organizations with complex operations.
      b. The auditor cannot assess if the system is upgraded or not.
   ⦁ Under the auditing through the computer approach, audit is largely carried on with the assistance of computers.
   ⦁ It can be used in the following circumstances:
      a. Application system processes large volumes of input & produces large volumes of output.
      b. Significant parts of internal control system are embodied in the computer system itself.
      c. The logic of the system is complex.
      d. There is elimination or reduction of printouts.
      e. The system uses online real time file updating.
   ⦁ CAATs may be used for auditing through the computer
   ⦁ Advantages of auditing through the computer:
      a. The auditor has increased power to effectively test a computer system.
      b. The range and capability of tests that can be performed increases
   ⦁ Disadvantages of auditing through the computer:
      a. It involves high costs.
      b. Extensive technical expertise is needed when systems are complex.

Practical Questions - Chapter 4: Internal Control

Question No. 1: A senior assistant of X & Co. chartered accountants drew up his audit programme without evaluating internal controls of T Ltd. When the partner asked him for the reason, he stated that the controls were developed by the General Manager (Finance) of T Ltd. who is a chartered accountant and had written a few books on Internal Control and therefore there was no need to review the said area.

Question No. 2: State whether true or false:
a. Auditor should not communicate the weaknesses in internal control system to the management as he audits only financial statements.
b. The overall objective and scope of an audit does not change in a CIS environment.
c. Statutory auditor should completely rely on work of internal auditor.
d. Performing audit in CIS environment is always simpler since the trial balance always tallies.