MF0004 Internal Audit Control 1
If internal controls are built without regard to the business processes involved, they hinder those processes rather than aid them in preventing, detecting or correcting unlawful events.
b) EFFICIENCY
Controls should achieve the optimal (most productive and economical) use of resources. E.g. Think of a rule under which three executives have to sign every payment cheque in a company. It consumes a lot of extra executive time and administration time and results in avoidable losses; it makes little difference to the control if two executives are designated to sign cheques instead. E.g. When you are studying for this Course, you read the study material aloud and learn it by heart even if it does not make sense to you. Though to an outsider it looks as if you were studying hard, your method of studying is an inefficient way to study. Instead, you can read the material, note down the important points and then ruminate on them to understand the subject.
c) CONFIDENTIALITY
Internal controls should result in the protection of sensitive information from unauthorized disclosure. As one of the objectives of internal controls is to safeguard the assets, it is important that persons not authorized to receive any information or to exercise an authority are not permitted to do so.
E.g. If the controls set up by you do not prohibit outsiders from entering your company’s premises without your permission, there is every possibility that unwanted outsiders may later create problems for you.
E.g. If in your company the printouts of various sales reports are later sold as scrap paper instead of being shredded, your competitors might get valuable information out of them.
d) INTEGRITY
Internal controls should achieve the accuracy and completeness of information as well as its validity in accordance with business values and expectations.
E.g. The reports generated by your system should provide you all the information needed to make decisions. A sales report might not disclose to you the person who is in charge of a particular territory or product. You will not be able to make decisions immediately based on that report, since you might require information about the executive who heads that particular territory or product.
E.g. In your case, if you studied only a few units of the Course and appeared for the exams, you might not pass, as the information possessed by you is incomplete. The same thing happens if you do not have accurate information about various important aspects of your Course.
e) AVAILABILITY
Internal controls should ensure that the information processed is made available when required by the business process, now and in the future. Thus the safeguarding of necessary resources and associated capabilities becomes important. E.g. You may have to save data on CDs or floppies for future use. Back-ups may have to be taken.
E.g. In your case, if you have studied hard for the exams, just before the exams you should be able to recall the important points in the subject. It means you should have made a check-list of important points. If you have not done so and you are also not able to recall them, then it becomes very difficult for you to answer the questions in the exams.
f) COMPLIANCE
We have already studied that internal controls should achieve compliance with those laws, regulations and contractual arrangements to which the business process is subject. Compliance should also be achieved with reference to the various policies of the management.
E.g. If remuneration is being paid by your company, the internal controls set up by the company should also include rules as to the various deductions to be made from salary, like Provident Fund and Income Tax. If no attention is paid by your company in this regard, there would be non-compliance with the rules of the Acts pertaining to Provident Fund or Income Tax, and such non-compliance would ultimately result in penalties and in additional time and resources wasted by your company, leading to losses.
E.g. In your case, even if you studied methodically and understood everything, if you have not complied with the rules of the University as to appearing for exams, like applying within the due date, paying the prescribed fees in the prescribed mode etc., you might not be able to appear for the exams.
g) RELIABILITY
Internal controls should aim at the provision of appropriate information for management to operate the entity and to exercise its financial and compliance reporting responsibilities.
For example, the data provided as to sales should contain information as to the correct rate of Excise duty or VAT. If the controls set up by you do not detect a wrong rate of Excise duty or VAT being applied, your company will later have to face problems.
E.g. When you are studying for exams, the text books you study should be those prescribed by the University. If you rely on ‘notes’ or ‘guides’ prepared by others, later you may repent that none of the questions from these appeared in the exam!
Thus any set of rules, procedures or policies has to be evolved by an organization keeping all the above principles in mind, so that they do not become redundant later.
Flow Chart
A flow chart is a graphic presentation of each area of a company’s internal control system. Standardized flow chart symbols are used. Some symbols are listed below (more symbols are available in MS Word (WinWord) under the menu ‘Auto-shapes’):
(symbol image) = Process
(symbol image) = Decision
(symbol image) = Data
(symbol image) = Document
(symbol image) = Manual Operation
Flow charts can be of different types, as follows:
Control flow charts
Data flow diagrams
Process flow charts
Linear Responsibility Charts
Access Controls
As we have discussed earlier, in a computerized system authorization or segregation cannot be done orally or in writing as in a manual system; it has to be done through the machine. Thus the persons accessing the computers in a company are given access to the computers so that they can open the computer and get the information. However, the extent of information that they can access and use is decided by the System Administrator, i.e. the person who controls the computers and the information system. Therefore the following internal control measures are used invariably in computers:
Identification of the users of the computers by the computers, through User IDs which are assigned by the System.
Authentication of the users, to allow them access to the computers, through various techniques like Passwords, PIN (Personal Identification Number), Smart Cards, and biometric devices like fingerprint or retina scanners.
The extent of access to information should be decided by the Administrator by having Access Control Policies. For example, information can be classified as Top Secret, Secret, Classified or Unclassified.
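The three measures above (identification by user id, authentication by password, and an access control policy based on information classification) can be shown working together in a small program. The following is an added example written for this page, not code from the course material; the user ids, passwords and the rule that a user may read information at or below their own clearance are assumptions made for the illustration. Every decision is written to an audit log so that an internal auditor can later verify that the controls operated.

```python
import hashlib
import hmac
import os

# Classification levels from the text, ordered from least to most sensitive.
# Assumption: a user may read information classified at or below their clearance.
LEVELS = {"Unclassified": 0, "Classified": 1, "Secret": 2, "Top Secret": 3}


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive a salted password hash with PBKDF2-HMAC-SHA256; plaintext is never stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AccessControlSystem:
    """Identification (user id), authentication (password), authorization (clearance)."""

    def __init__(self):
        self._users = {}      # user_id -> (salt, password_hash, clearance)
        self._sessions = {}   # session token -> user_id
        self.audit_log = []   # every decision, for the internal auditor to review

    def register_user(self, user_id, password, clearance):
        if clearance not in LEVELS:
            raise ValueError(f"unknown clearance {clearance!r}")
        salt = os.urandom(16)
        self._users[user_id] = (salt, hash_password(password, salt), clearance)

    def authenticate(self, user_id, password):
        """Return a session token if user id and password match, otherwise None."""
        record = self._users.get(user_id)
        if record is None:
            self.audit_log.append(("AUTH_FAIL", user_id, "unknown user"))
            return None
        salt, stored_hash, _ = record
        # Constant-time comparison so the check leaks nothing through timing.
        if not hmac.compare_digest(stored_hash, hash_password(password, salt)):
            self.audit_log.append(("AUTH_FAIL", user_id, "bad password"))
            return None
        token = os.urandom(16).hex()
        self._sessions[token] = user_id
        self.audit_log.append(("AUTH_OK", user_id, ""))
        return token

    def can_read(self, token, document_label):
        """Authorization: allow only if the user's clearance covers the document's label."""
        user_id = self._sessions.get(token)
        if user_id is None:
            self.audit_log.append(("DENY", None, "no valid session"))
            return False
        clearance = self._users[user_id][2]
        allowed = LEVELS[clearance] >= LEVELS[document_label]
        self.audit_log.append(("ALLOW" if allowed else "DENY", user_id, document_label))
        return allowed


def demo():
    """Constructed walk-through (hypothetical users); returns the decisions for checking."""
    acs = AccessControlSystem()
    acs.register_user("clerk01", "correct horse battery", "Classified")
    acs.register_user("cfo", "staple", "Top Secret")

    clerk = acs.authenticate("clerk01", "correct horse battery")
    wrong = acs.authenticate("clerk01", "guess")
    cfo = acs.authenticate("cfo", "staple")
    return {
        "wrong_password_rejected": wrong is None,
        "clerk_reads_unclassified": acs.can_read(clerk, "Unclassified"),
        "clerk_reads_secret": acs.can_read(clerk, "Secret"),
        "cfo_reads_secret": acs.can_read(cfo, "Secret"),
        "no_session": acs.can_read("bogus-token", "Unclassified"),
        "auth_failures_logged": sum(1 for e in acs.audit_log if e[0] == "AUTH_FAIL"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The clerk, cleared only to Classified, can read an Unclassified document but is refused a Secret one, while a request carrying no valid session is refused before any clearance is looked up; the audit log records the failed password attempt as well as each allow and deny decision.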
Physical and logical assets control:
Access to physical assets assumes different proportions in a computerized environment. Imagine a company having a huge database of its customers’ information at a particular data center. If a hacker attacks such a data center, the possibility of loss is huge due to the loss of information; the entire business may come to a standstill. Thus control over physical assets in a computerized environment includes safeguarding information and logical assets like software, programmes etc. Some control features in this regard are:
Use of firewalls and Intrusion Detection Systems
Firewalls do not permit access to outsiders who are not authorized to have it. Similarly, they do not allow insiders to send information to outsiders. Both these features save a company from attempts to attack the computer through viruses, hacking etc. and from misuse of valuable information by insiders.
Intrusion Detection Systems warn the controllers of the computers that another person or system is trying to attack the system, so that the controllers can take preventive action.
Use of anti-virus programs and applications
Viruses, worms, Trojans, spyware, logic bombs etc. are threats to the information system. These try to delete, modify or misuse information as well as the system, which results in huge loss to a business firm. For example, due to a virus attack the computers in a company may not work for a certain duration. This results in loss of business and reputation and in waste of human resources (employees sitting idle). The solution to this problem is installing anti-virus software and updating it frequently. Such programs detect viruses, worms, Trojans etc. and prevent them from attacking the system.
Physical access controls as to persons entering the premises where computers are kept have to be established. Smart cards, biometric devices, guards at the entrance etc. can be used. For example, in some software companies fingerprints have to be identified by the system before an employee or any other person can enter the data center. This feature prevents unauthorized persons from entering the data center and destroying or altering the information.
Computers are prone to threats like variations in the electric supply, the influence of magnetic fields etc. For example, if you take a powerful magnet near a computer, the data on the hard disk may be destroyed or altered. Hence it is important that adequate control is taken to see that those events do not happen. Energy variation should be prevented by installing Uninterrupted Power Supply (UPS) units. The maintenance of the UPS also becomes important, because if the UPS fails the system fails. Data or information are usually communicated through various communication channels like telecommunication, satellites etc. The possibility of theft of information or modification of data during such transmission exists. Steps are to be taken to prevent, or at least detect, such attempts at attack.
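The firewall and intrusion detection features described above can be made concrete with a small simulation. The following is an added example written for this page, not part of the course material: a packet filter with a default-deny policy that admits outsiders only to a public web service and refuses to let the host holding the customer database send anything outside, followed by a detector that raises an alert when one outside source keeps being refused. The network addresses, hosts, ports and events are constructed for the illustration.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed network for the example: an internal range, a public web server
# and the host that holds the customer database. None of these are real.
INTERNAL = ip_network("10.0.0.0/8")
WEB_SERVER = ip_address("10.0.1.10")
DB_SERVER = ip_address("10.0.5.20")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    direction: str   # "in" (from outside) or "out" (to outside)


def firewall_decision(pkt: Packet) -> tuple:
    """Return (verdict, reason). Anything not explicitly allowed is denied."""
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    if pkt.direction == "in":
        # Outsiders may reach only the public web service.
        if dst == WEB_SERVER and pkt.dport == 443:
            return "ALLOW", "public web service"
        return "DENY", "unsolicited inbound connection"
    if pkt.direction == "out":
        # Insiders may browse the web, but the database host may not talk to
        # the outside at all: this is the control against information leaving.
        if src == DB_SERVER:
            return "DENY", "database server may not send to outsiders"
        if src in INTERNAL and pkt.dport in (80, 443):
            return "ALLOW", "outbound web browsing"
        return "DENY", "outbound port not in policy"
    return "DENY", "unknown direction"


class IntrusionDetector:
    """Alerts when one source is denied `threshold` times within `window` seconds."""

    def __init__(self, threshold=5, window=60):
        self.threshold, self.window = threshold, window
        self._denials = defaultdict(deque)   # src -> timestamps of recent denials
        self.alerts = []                     # (src, timestamp) for the controllers

    def observe(self, timestamp, pkt, verdict):
        if verdict != "DENY":
            return
        recent = self._denials[pkt.src]
        recent.append(timestamp)
        while recent and timestamp - recent[0] > self.window:
            recent.popleft()                 # forget denials outside the window
        if len(recent) >= self.threshold:
            self.alerts.append((pkt.src, timestamp))
            recent.clear()                   # one alert per burst, then count afresh


def run(events, threshold=3, window=60):
    """Pass each (timestamp, Packet) through the firewall, then the detector."""
    ids = IntrusionDetector(threshold, window)
    log = []
    for ts, pkt in events:
        verdict, reason = firewall_decision(pkt)
        ids.observe(ts, pkt, verdict)
        log.append((ts, pkt.src, pkt.dst, pkt.dport, verdict, reason))
    return log, ids.alerts


# Constructed traffic: a customer, a staff member browsing, the database host
# trying to send outside, and one outsider probing internal hosts repeatedly.
SAMPLE_EVENTS = [
    (0, Packet("203.0.113.7", "10.0.1.10", 443, "in")),
    (1, Packet("10.0.3.15", "198.51.100.4", 443, "out")),
    (2, Packet("10.0.5.20", "198.51.100.9", 443, "out")),
    (10, Packet("198.51.100.50", "10.0.5.20", 3306, "in")),
    (12, Packet("198.51.100.50", "10.0.5.20", 22, "in")),
    (15, Packet("198.51.100.50", "10.0.1.10", 22, "in")),
]

if __name__ == "__main__":
    log, alerts = run(SAMPLE_EVENTS)
    for entry in log:
        print(*entry)
    print("alerts:", alerts)
```

The customer's request and the staff member's browsing pass, the database host's outbound packet is refused by the egress rule, and the outsider's three refused probes within the window produce a single alert naming the source address, which is the warning the text says an intrusion detection system gives the controllers so they can act.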
Objectives of SOX:
Provides confidence and trust to investors and the public in the post-Enron era.
Requires management accountability, with a focus on rapid identification and correction of internal control weaknesses, along with additional financial disclosure requirements.
Holds external auditors to higher attestation standards.
Key Sections of SOX:
Section 302 requires the CEO (Chief Executive Officer) and CFO (Chief Financial Officer) of a company to sign, on a quarterly basis, the financial statements of that quarter, attesting to their fairness and to internal control effectiveness. They also must report any significant changes in internal controls since their last evaluation.
Section 404 requires a separate management report on internal control
effectiveness and audit by the organization’s external financial statement
auditor.
Section 906 is related to Sections 302 and 404, and requires that CEOs
and CFOs ensure all financial reporting (including annual and periodic
reports) fairly presents, in all material respects, the financial condition
and results of operations of the issuer. It also provides for significant
criminal penalties for non-compliance.
Section 201 prohibits a registered public accounting firm from
performing both audit and non-audit services.
Section 301 requires an audit committee to establish “whistleblower”
procedures to allow the confidential and anonymous submission of
concerns regarding questionable accounting or auditing matters.
Section 409 requires disclosure to the public, on a rapid and current basis, of additional information concerning material changes in the financial condition or operations of the issuer.
Responsibility of auditors
Internal auditors are also responsible for frauds and errors, in that they have to check for their existence and suggest better internal controls.
External auditors, though not primarily responsible for detecting frauds and errors, are still responsible for taking care to verify the strength of the internal controls that prevent and detect frauds, and to look for the existence of symptoms of fraud. Hence indirectly they too are responsible for controlling frauds.
Thus it is important to note here that internal controls are very important in detecting frauds and errors of any kind. Those who establish internal controls should have sufficient knowledge of the different types of frauds, or symptoms of fraud, that might occur in a particular business.