Page 1 of 8
MF0013 – Internal Audit and Control
Q1. Discuss, in brief, the advantages and limitations of auditing.
Ans. Advantages of Financial Audit
1. Statutory financial audit gives the owners of a company and other stakeholders the
assurance that the annual financial reports give a true and fair view of the company’s
2. Tax audit, i.e. the audit of the company’s financial statements on the basis of which taxable income
is determined and tax paid, is mandatory. The tax auditor’s report has to be filed with the tax
3. Internal financial audit assists the CEO and his team of operating managers regularly,
and much more frequently than the statutory audit, in understanding the financial performance of the company
and in taking the necessary corrective actions.
4. Financial audit is an invaluable tool for prevention and early detection of fraud and
5. Audited financial report together with the auditors’ report is necessary for a company
in sourcing funds from banks and other financial institutions.
6. The audited balance sheet of a company read with the auditor’s report is often the
base document for valuation of companies in case of mergers, acquisitions or outright
Limitations of Financial Audit
1. It is a post-mortem: The annual statutory audit is not a concurrent activity, but starts
only after the year is over. Naturally, the auditor has to rely on explanations given to
him by the accountant for activities that happened quite a while ago. The essential truth
behind some of the figures may therefore still remain undiscovered.
2. It is a test check: The auditor cannot examine all the transactions given the time and
cost constraints. He applies test checks using statistical sampling techniques. The
inherent weaknesses of such methods carry an element of uncertainty or risk. Thus,
auditing only reduces and does not eliminate the possibility of error or fraud.
3. Inherent limitations of internal control system: An auditor largely relies on the
internal controls of the enterprise as he cannot check everything. Internal controls are
the inbuilt checks and balances in the company’s accounting and administration.
(a) Certain levels of management may override control and make exceptions to
(b) Persons operating the internal control and employees or outside parties may collude
and render the controls ineffective.
Q2. Explain the key objectives of a good internal audit system.
Write down the essentials for effective internal auditing.
Ans. The key objectives of a good internal audit system are:
1. Evaluation of accounting controls: Ensuring that the checks and balances in the
accounting processes are effective and provide the required accounting controls.
2. Compliance with policies and procedures: Verifying compliance with the policies
and procedures laid down for key activities and reporting acts of omission and
For example, if a purchase order for capital equipment of any value requires the
Purchase department to get at least 3 quotes, internal audit has to check whether this rule has
been followed in all cases, and report exceptions.
3. Protection and optimal utilisation of business assets: Ensuring physical
availability and usefulness of fixed assets as per company’s records, and checking
utilisation of major assets vis-à-vis plan.
For example, if a piece of equipment purchased has not been installed within a reasonable
period of time, the auditor will check and report on the justification for the asset not
having been put to use.
4. Testing the reliability of Management Information Systems (MIS): Reviewing
the management reporting structure and the utility of reports flowing out of the system.
Essentials for Effective Internal Auditing
Appropriate organisational status: The internal auditor should ideally report
to the CEO and the Board of the company, and should not be brought under a
Functional Head like the CFO.
Independence: Internal auditors must have independence at work. This
facilitates them to offer impartial and unbiased opinion and advice.
Technical competence: The internal audit team should be professionally
qualified, well-experienced and adequately trained.
Professional approach: The internal auditor should exercise due professional
care in fulfilling his responsibilities. His professionalism should be evidenced
by the existence of audit manuals, clear audit programs and neatly filed working
papers for each job.
Reporting and follow-up: Audit findings must first be reported to the auditee
and together with the auditee’s response the findings should be reported to top
management, preferably with a recommended solution. Action agreed by the
auditee should be followed up and its closure duly.
Q3. List the required qualifications of an internal auditor. Describe the role of
internal auditor in the company’s management.
Ans. Qualifications of Internal Auditor
When appointing an internal auditor, the management of a company looks for the
a. Necessary expertise to evaluate business control systems, especially financial and
accounting controls: This is the crux of the internal audit function as the focus is
always on financial performance and viability of the enterprise.
b. Basic knowledge of the technology and commercial practices adopted by the
business, since he is expected to evaluate the operational performance of the
c. Thorough knowledge of management theories and best-in-class practices.
d. Excellent interpersonal skills: The auditors may at times have to comment
adversely on the work of their own colleagues. They should be able to do this in an
acceptable manner and yet produce the intended result.
e. Unbiased reporting and strong professional approach.
f. Unimpeachable integrity and the highest ethical standards.
Role of Internal Auditor in the Company’s Management
1. Review of internal control systems: The internal auditor should review the
internal control systems of the organisation. He should determine whether the existing
control systems are appropriate and commensurate with the objectives, size, etc. of
the organisation. For example, a small company cannot afford a separate credit control
department and so it will need strong controls in the sales accounting process to
minimise customer payment default.
2. Review of safeguards for assets: The auditor should regularly review the
adequacy of insurance covers for fixed assets and complete accounting of all
transactions relating to fixed assets, etc.
3. Review of compliance with policies, plans, procedures and regulations: The
internal auditor should maintain a regular checklist of each function’s compliance with
the laid-down procedural requirements. When a non-observance is spotted,
he should inquire and ascertain the reason for the deviation, and report the event
together with the proposed solution.
4. Review of organisation structure: A well-designed organisation structure is the
basic requirement for the smooth functioning of any organisation. Organisation
structure defines the authorities and responsibilities of executives. The internal
auditor should evaluate the organisation structure from the following dimensions:
a. Simplicity and lack of ambiguity.
b. Clear definition of authority and responsibility at each level.
c. Balance of power, to ensure there is no undue dominance of any function.
d. Balance of responsibility, to ensure proper unity of command and span of control.
e. Effective communication of the organisation chart to all concerned.
5. Review of deployment of resources: The internal auditor reviews utilisation of
resources deployed for the business – men, machines, money, materials and
management – to identify deviations both by way of excessive use of resources and
resources that are under-utilised. He would be able to do this vis-à-vis the planned
capacities and resources, and should include in his report significant trends and
6. Review of reliability of information: The Management Reporting and
Information System (MRIS) of the company is an important aspect to be reviewed by
the internal auditor. The content, format, frequency and timeliness of key
management reports should be evaluated by discussions with the functional managers
receiving the reports as well as with the finance manager who is usually the provider
of the reports. The objective of this review is to see to what extent the information
flow has helped in taking good decisions.
7. Review of achievement of company objectives: While the reviews in the
foregoing paragraphs are centred on the management processes, the managers are
essentially hired to deliver results and achieve the targets set for them. The internal
auditor therefore reviews the final results achieved vis-à-vis planned results. As they
say, the proof of the pudding is in the eating, and if for instance the company has
under-performed, audit can make it clear whether the failure to achieve was for
internal reasons or external factors beyond management’s control.
Q4. Explain the basic principles governing internal control.
Ans. Basic Principles Governing Internal Control
The basic principles governing internal control are as follows:
1. A proper system, preferably in writing, must be implemented so that origination,
recording and accounting of business transactions take place in a standardised way.
2. The authority and responsibility of every official should be fixed.
3. Accounting entries should not be allowed without a supporting document.
4. No person should handle a transaction end to end: the work of a person should
be checked automatically by another person in the same or another department.
5. Responsibility for the custody and control of assets should be segregated from
the responsibility of accounting for the assets.
6. As far as possible controls should be built into the functions themselves. For
example the objective of reducing credit risk and minimising collection period can
be met through controls in the accounting and sales system instead of having a
separate credit control function.
7. Every internal control should be established after a cost-benefit analysis.
8. Books of accounts should be maintained up to date.
9. The entity must have a system of rotation of duties among employees.
Employees should be encouraged to take leave as per their roster, especially
employees handling cash.
10. The system should have an inbuilt system of verification from independent records.
For example verification of bank balances from bank statement, comparison of
purchase ledger account with supplier statement, etc.
11. The system should facilitate cross-functional physical verification of assets: for
example cash verification by Purchase official or inventory test-check by Accounts
12. A reliable and accurate Management Information System (MIS) should be in
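Principle 10 above (verification from independent records) is the one that most naturally turns into a procedure: the entity’s own cash book is compared with a record it does not control, the bank statement, and every difference is classified before it is explained. The script below is an added example written for this page, not part of the course material; the entries, references and amounts are constructed sample data, and the exception categories (outstanding items, unrecorded items, amount mismatches, duplicate postings) are the ones a reconciliation working paper would normally carry.

```python
"""Verification against an independent record (added example; not part of the
course text). The cash book is matched against the bank statement by reference
and every exception is classified. All entries below are constructed sample data."""
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Entry:
    ref: str         # cheque / transfer reference as shown on that side
    amount: Decimal  # signed: receipts positive, payments negative


def _index(entries):
    """Map ref -> entry, collecting any second posting of the same ref."""
    by_ref, duplicates = {}, []
    for e in entries:
        if e.ref in by_ref:
            duplicates.append(e)
        else:
            by_ref[e.ref] = e
    return by_ref, duplicates


def reconcile(book, statement):
    """Compare the cash book with the bank statement and return the exceptions.

    only_in_book      : recorded by the entity but not yet on the statement
                        (outstanding cheques, deposits in transit)
    only_in_statement : on the statement but never recorded by the entity
                        (bank charges, unrecorded receipts, unauthorised debits)
    amount_mismatch   : same reference, different amount (transposition or alteration)
    duplicate_postings: the same reference posted twice on one side
    """
    book_by_ref, book_dups = _index(book)
    stmt_by_ref, stmt_dups = _index(statement)
    common = book_by_ref.keys() & stmt_by_ref.keys()
    return {
        "only_in_book": sorted(book_by_ref.keys() - stmt_by_ref.keys()),
        "only_in_statement": sorted(stmt_by_ref.keys() - book_by_ref.keys()),
        "amount_mismatch": sorted(
            (ref, str(book_by_ref[ref].amount), str(stmt_by_ref[ref].amount))
            for ref in common
            if book_by_ref[ref].amount != stmt_by_ref[ref].amount
        ),
        "duplicate_postings": sorted(
            ("book", e.ref, str(e.amount)) for e in book_dups
        ) + sorted(("statement", e.ref, str(e.amount)) for e in stmt_dups),
    }


def is_clean(findings):
    """True only when every exception list is empty."""
    return not any(findings.values())


# Constructed sample: the entity's cash book and the bank's statement for one month.
SAMPLE_BOOK = [
    Entry("CHQ1001", Decimal("-1250.00")),
    Entry("CHQ1002", Decimal("-480.00")),    # issued, not yet presented
    Entry("CHQ1003", Decimal("-975.00")),    # bank cleared a different amount
    Entry("DEP2001", Decimal("5000.00")),
    Entry("DEP2001", Decimal("5000.00")),    # posted twice by the accountant
    Entry("DEP2002", Decimal("2300.00")),    # banked on the last day, not yet credited
]
SAMPLE_STATEMENT = [
    Entry("CHQ1001", Decimal("-1250.00")),
    Entry("CHQ1003", Decimal("-795.00")),
    Entry("DEP2001", Decimal("5000.00")),
    Entry("BANKCHG", Decimal("-25.00")),     # charges never recorded in the book
    Entry("TRF9001", Decimal("-3000.00")),   # debit the entity has no record of
]


def run_sample():
    """Reconcile the constructed sample and return the classified exceptions."""
    return reconcile(SAMPLE_BOOK, SAMPLE_STATEMENT)


if __name__ == "__main__":
    for kind, items in run_sample().items():
        print(f"{kind}: {items}")
```

Matching on the reference rather than on the amount is deliberate: an item that clears for a different amount than the one recorded (CHQ1003 in the sample) is the case most worth a second look, and matching on amount would hide it as two unrelated exceptions. The same structure applies to any control of this kind, such as the purchase ledger against supplier statements or physical counts against the asset register.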
Q5. Discuss the specific problems of Electronic Data Processing (EDP)
relating to internal control.
Ans. The implementation of internal control in an EDP system gives rise to the
(a) Separation of duties: In a manual system the responsibility for initiating
transactions, recording transactions and custody of assets lies with separate
individuals. This is a basic control necessity for any organisation. In a computer
system, however, a single program may perform two or all three of these functions, so
the separation has to be re-established through controls over access to the program
and to its data.
(b) Delegation of authority and responsibility: An essential characteristic of
internal control is a clear line of authority and responsibility. However, in a
computer system the delegation of authority and responsibility in a clear way may
be difficult because multiple users may share some resources.
(c) Competent and trustworthy personnel: Data processing technology is much
more complex today as compared to the days of manual systems. Personnel who
are highly skilled are required to develop, modify, operate and maintain computer
(d) System of authorisations: Management issues two types of authorisation to execute
transactions. General authorisations establish the policies that the organisation
follows; specific authorisations apply to individual transactions.
In a manual system, auditors evaluate the adequacy of procedures for
authorisation by examining the work of employees. However, in a computer
system, a particular program may often have authorisation procedures embedded
within. For example, the order entry module in a sales system may determine the
price to be charged to a customer.
(e) Adequate documents and records: A manual system requires adequate
documents and records if it is to provide an audit trail of activities within the
system. On the other hand, in computer systems, documents may not be used to
support the initiation, execution and recording of certain transactions.
(f) Physical control over assets and records: It is critical for internal control to
have physical control over assets and access to records. Computer systems differ
from manual systems in the way they concentrate the data processing assets and
records at one location. For example, in a manual system records are kept at their
locations of origin, but in an EDP system they may all be maintained at the data
processing installation, so a person with access to that installation does not have
to coordinate across different locations to execute a fraud.
(g) Adequate management supervision: Management supervision of employee
activities is relatively straightforward in a manual system. This is because
employees and managers are often at the same physical location.
(h) Comparing recorded accountability with assets: To assess if shortages in
the assets have occurred or inaccuracies or incompleteness exist, a periodical
comparison between assets and the data that is a record of those assets must be
Q6. Explain the factors for having the effective internal control system for a
Ans. Internal control system in banks
Different factors influence the internal control structure of any organisation: size,
complexity and risk profile of its operations. In this regard an effective internal
control system for a bank should consider the following aspects:
1. Control environment: Control environment is the foundation of an internal
control system. It includes and reflects the factors that influence the control
consciousness of its people. As per Auditing and Assurance Standard 6 issued by
ICAI (AAS6), control environment is the overall attitude, awareness and actions
of directors and management about the internal control system and its
importance in the entity. Factors reflected in the control environment include:
a) Organisational structure of the entity and means of assigning authority and
responsibility (including segregation of duties and supervisory functions)
b) The function performed by the board of directors and its committees in any
company or any similar governing body in any other entity.
c) The philosophy of management.
d) Systems of management control that includes internal audit, personnel
2. Risk recognition and assessment: To be effective, an internal control system
should recognise and continually assess all material risks, internal and external,
controllable and uncontrollable, that could affect the achievement of the bank’s
objectives. The bank faces various risks at different levels – credit risk, country
and transfer risk, market risk, interest rate risk, liquidity risk, operational risk,
legal risk, etc. The management must identify, measure and analyse these risks.
3. Control activities: Control activities are management actions to ensure that
the personnel are following the bank’s established policies and procedures.
Specific control procedures include:
a) Reporting and reviewing reconciliations.
b) Checking arithmetical accuracy of the records.
c) Controlling applications and environment of computer information
d) Maintaining and reviewing control accounts and related subsidiary ledgers.
e) Ensuring approval and control of documents.
f) Comparing internal data with relevant external information.
g) Comparing the results of physical verification of cash, fixed assets,
investments and inventory with corresponding accounting records.
h) Restricting access to assets, records and information.
i) Comparing and analysing results with corresponding budgets
4. Segregation and rotation of duties: Authorities and responsibilities of every
department should be clearly defined based on the policies of the management,
preferably in writing. There should not be any scope for
duplication of jobs, duties and assignments. The entity must have a system of
rotation of duties among employees.
5. Authorisation of transactions: Banks usually prescribe well-set systems of
approval and authorisation, both generally applicable and specific to some
transactions. As public money is often involved, it is vital that authority levels
are not breached. For example an industrial advance sanction may require zonal
office clearance, while renewal of the advance may be within the authority of a
6. Accountability for assets: To ensure accountability and safeguarding of
assets, it is important that complete records are maintained and access is limited
to the authorised personnel only. Every access and every user should be
documented. Periodic checking of actual assets with records and identifying
discrepancies must be mandated.
7. Accounting, information and communication systems: A comprehensive
system of accounting, financial reporting (both management and statutory) and
non-financial analysis and reporting with clear content, format and frequency
should be in place. Banks usually adopt the following procedures to meet this
a) All records are maintained as prescribed with transaction-level details.
b) A unique code number is assigned to each branch and that number should be
mentioned in all important documents.
c) All inter office transactions are reconciled methodically during accounts
8. Monitoring activities: A full-fledged monitoring system should be in place to
assess the effectiveness of internal controls continually. Monitoring is done
internally as well as externally. For internal monitoring or self-assessment the
review functions are delegated to the staff at different levels. Monitoring
activities are integrated to the daily activities as well as undertaken as specified
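Two of the controls discussed on this page, Q4 principle 4 (no one person handles a transaction end to end) and Q6 item 5 (sanctioning authority levels must not be breached), are the ones a bank’s application software has to enforce on every transaction rather than leave to supervision. The script below is an added example written for this page, not code from the course or from any bank’s system. The roles, sanction limits, user IDs and transactions are constructed for illustration; the two rules themselves are the ones the text states: the approver must be someone other than the person who entered the transaction, and the approver’s role must carry a limit that covers the amount. Every attempt, accepted or rejected, is written to a log so that the auditor can see breaches that were attempted and not only those that succeeded.

```python
"""Segregation of duties and authority limits enforced in code (added example;
not part of the course text). Roles, limits and transactions are constructed."""
from dataclasses import dataclass
from decimal import Decimal
from typing import Optional

# Hypothetical sanctioning limits per role (same currency as the transaction amounts).
SANCTION_LIMITS = {
    "branch_manager": Decimal("500000"),
    "zonal_office": Decimal("5000000"),
}


class ControlViolation(Exception):
    """Raised when an approval would breach a control; the attempt is still logged."""


@dataclass(frozen=True)
class User:
    uid: str
    role: str


@dataclass
class Transaction:
    tid: str
    amount: Decimal
    maker: str                       # uid of the person who entered it
    checker: Optional[str] = None    # uid of the approver, once approved


def required_role(amount):
    """Lowest role whose sanction limit covers the amount, or None if no role can."""
    for role, limit in sorted(SANCTION_LIMITS.items(), key=lambda kv: kv[1]):
        if amount <= limit:
            return role
    return None


def approve(txn, checker, audit_log):
    """Apply the maker-checker and authority-limit controls to one approval attempt."""
    if txn.checker is not None:
        audit_log.append(f"REJECT {txn.tid}: already approved by {txn.checker}")
        raise ControlViolation("transaction already approved")
    if checker.uid == txn.maker:
        audit_log.append(f"REJECT {txn.tid}: {checker.uid} is both maker and checker")
        raise ControlViolation("maker cannot approve own transaction")
    limit = SANCTION_LIMITS.get(checker.role, Decimal("0"))   # unknown role: no authority
    if txn.amount > limit:
        audit_log.append(
            f"REJECT {txn.tid}: amount {txn.amount} exceeds {checker.role} limit {limit}; "
            f"needs {required_role(txn.amount)}")
        raise ControlViolation("amount exceeds checker's sanction limit")
    txn.checker = checker.uid
    audit_log.append(
        f"APPROVE {txn.tid}: amount {txn.amount} by {checker.uid} ({checker.role})")
    return txn


def run_sample():
    """Constructed scenario: four approval attempts, two of which breach a control.

    Returns (outcomes, audit_log) so both can be inspected."""
    log = []
    clerk = User("u101", "clerk")
    manager = User("u202", "branch_manager")
    zonal = User("u303", "zonal_office")

    small = Transaction("T1", Decimal("120000"), maker=clerk.uid)
    large = Transaction("T2", Decimal("2500000"), maker=clerk.uid)

    outcomes = []
    attempts = [(small, clerk), (small, manager), (large, manager), (large, zonal)]
    for txn, checker in attempts:
        try:
            approve(txn, checker, log)
            outcomes.append((txn.tid, checker.uid, "approved"))
        except ControlViolation as exc:
            outcomes.append((txn.tid, checker.uid, str(exc)))
    return outcomes, log


if __name__ == "__main__":
    _, audit_log = run_sample()
    print("\n".join(audit_log))
```

The log is the part an internal auditor actually uses: the two REJECT lines record a self-approval attempt and an attempt to sanction an advance above the branch manager’s limit, which is exactly the kind of event the compliance checklist in Q3 item 3 asks the auditor to inquire into. The limit table is kept as data rather than code so that a change of authority levels is itself a documented, authorised change.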