Answer: Internal control consists of all the policies, procedures, rules and systems laid
down by the Management to achieve the goals of the business. The Institute of Chartered
Accountants of India defines internal control as follows:
“Internal control is the plan of the organization, all the methods and procedures adopted
by the management of an entity, to assist in achieving management’s objective of
ensuring, as far as practicable, the orderly and efficient conduct of its business.”
Businesses are now conducted through the use of Information Technology, and most of
the processes or functions of management are carried out on computers. Measures of
internal control can be implemented for the various functions of management, but they
are suitable mostly when the operations are manual. The extent and nature of internal
controls for each of these functions change substantially with the adoption of
Information Technology.
Some of the problem areas associated with a computerized information system are:
1. Consistency in operations:
The computer programs are known to be accurate and consistent in their performance.
This feature of computers is regarded by most of us as a useful feature. But this feature
has a negative side also. If a program has been written wrongly the computer will go on
executing that program even though it is wrong. Imagine a program written in your
company that calculates worker’s salary wrongly. If nobody notices the mistake the
computer will go on repeating the mistake month after month when the salaries are
calculated.
Some computer information systems are so designed that a complete transaction trail
(how a transaction has been processed) might exist for only a short period of time or only
in computer readable form. Where a complex application system performs a large
number of processing steps, there may not be a complete trail of how the particular
transaction has been processed. Accordingly, errors embedded in an application’s
program logic may be difficult to detect on a timely basis by manual (user) procedures.
• For example, in a bank the details of individual customers’ transactions might be
destroyed after a period of say, one year, thus denying the Management the
evidence of such transaction.
• For example, in a computerized system the Bank Teller may enter the payment
details in the customer ledger in the computer and make the payment to the
customer on the latter’s presentation of a cheque. He thus has more power in such
an environment than in a manual system, and that power can be misused.
The potential for human error in the development, maintenance and execution of
computer information systems may be greater than in manual systems. This is because
individuals have more knowledge of, and access to, computerized information. Sitting in
a remote corner of the world, you can reach the information and get unauthorized access
to another person’s bank accounts or credit cards, for example. You may even alter or
destroy the data.
• For example, a bank clerk might guess his supervisor’s password and transfer
huge amounts to different accounts within seconds, which he could not have done
in a manual system.
• For example, in a bank the officials usually do not re-check or become skeptical
about the interest amount calculated by a computer. Hence when the interest rate
is wrongly fed into the computers it goes undetected for months together.
• Similarly, errors or irregularities occurring during the design or modification of
application programs or systems software can remain undetected for long periods
of time.
Computer information systems may include the capability to initiate or cause the
execution of certain types of transactions, automatically. The authorization of these
transactions or procedures may not be documented in the same way as that in a manual
system, and management’s authorisation of these transactions may be implicit in its
acceptance of the software.
Computer information systems can offer management a variety of analytical tools that
may be used to review and supervise the operations of the entity. The availability of these
analytical tools, if used, may serve to enhance the entire internal control structure.
8. Vulnerabilities
Computerized systems are prone to different types of vulnerabilities (threats) which can
create havoc if not controlled properly.
• For example, vulnerabilities such as viruses and hacking cause a lot of harm to
information systems, and the business might lose substantially. Those who use
computers for business should know about the possibility of such attacks and take
preventive steps.
Thus we can see that though these features of internal control in a computerized
environment provide advantages to any business, sometimes they also give scope to
many risks.
Access Controls
• Identification of the users of the computers by the computers through User Ids
which are to be assigned by the System.
• Authentication of the users to allow them Access to the computers through
various techniques like Passwords, PIN (Personal Identification Number), Smart
Cards, Biometric devices like finger prints, retina scan etc.
• The extent of access to information should be decided by the Administrator by
having Access Control Policies. For example, information can be classified as
Top Secret, Secret, Classified or Unclassified.
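The three controls listed above (identification by User ID, authentication by password, and access decided by classification policy) can be combined into one check, shown here as an added example that is not part of the original notes. The class and function names are hypothetical, and the ordering of the four labels from lowest to highest is an assumption.

```python
import hashlib
import hmac
import os
from enum import IntEnum


class Level(IntEnum):
    # Assumed ordering of the four labels named above, lowest to highest.
    UNCLASSIFIED = 0
    CLASSIFIED = 1
    SECRET = 2
    TOP_SECRET = 3


def hash_password(password: str, salt: bytes) -> bytes:
    # Salted, deliberately slow hash: the system never stores the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AccessController:
    def __init__(self):
        self._users = {}     # user_id -> (salt, password_hash, clearance)
        self.audit_log = []  # (user_id, resource, decision): the access trail

    def enroll(self, user_id: str, password: str, clearance: Level) -> None:
        salt = os.urandom(16)
        self._users[user_id] = (salt, hash_password(password, salt), clearance)

    def authenticate(self, user_id: str, password: str) -> bool:
        # Unknown IDs go through the same hashing work and then fail the compare.
        salt, stored, _ = self._users.get(user_id, (b"\0" * 16, b"", None))
        return hmac.compare_digest(stored, hash_password(password, salt))

    def read(self, user_id: str, password: str, resource: str, label: Level) -> bool:
        # Identify and authenticate first, then apply the policy: the user's
        # clearance must be at least the label on the information requested.
        if not self.authenticate(user_id, password):
            decision = "DENY_AUTH"
        elif self._users[user_id][2] < label:
            decision = "DENY_CLEARANCE"
        else:
            decision = "ALLOW"
        self.audit_log.append((user_id, resource, decision))
        return decision == "ALLOW"
```

Every decision, including refusals, is appended to `audit_log`, so a reviewer can later see who tried to reach which information.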
Physical and logical assets control:
****
Q. No. 2: Explain the meaning of fraud. What are the components of fraud?
Oxford Advanced Learner’s Dictionary defines fraud as “an act of deceiving illegally in
order to make money or obtain goods”.
Fraud is an economic offence. General economic offenses also include criminal acts other
than fraud like money laundering, financing of criminal or anti-national activities,
corruption, bribery, kickbacks, and so on. We are not discussing these types of offences
when we are talking of fraud in this unit.
Luckily, fraud falls into typical types that share common characteristics, means,
and methods. Just as a house theft can occur anywhere, a fraud often consists of many
instances or incidents involving repeated transgressions using the same method.
Fraud instances can be similar in content and appearance but usually aren’t identical. A
fraud need not meet all of these characteristics.
Thus the term “fraud” refers to an intentional act by one or more individuals among
management, those charged with governance, employees, or third parties, involving the
use of deception to obtain an unjust or illegal advantage.
Although fraud is a broad legal concept, we are more concerned with fraudulent acts that
cause a material misstatement in the financial statements. However misstatement of the
financial statements may not be the objective of some frauds.
To understand what actually happens when a fraud occurs, we have to study the
components of a fraud.
Components of fraud:
Ans.
Symptoms of Frauds
The fact that fraud is usually concealed can make it very difficult to detect. Nevertheless,
the Management may identify events or conditions that provide an opportunity, a motive
or a means to commit fraud, or indicate that fraud may already have occurred. Such
events or conditions are referred to as “fraud risk factors” or symptoms of fraud.
For each of these three categories, examples of fraud risk factors are provided here.
a) These fraud risk factors pertain to management’s abilities, pressures, style, and
attitude relating to internal control and the financial reporting process. For example:
• Management does not effectively communicate and support the entity’s values or
ethics, or management communicates inappropriate values or ethics.
• Management is dominated by a single person or a small group of persons.
• Management does not monitor significant internal controls adequately.
• Management fails to correct known weaknesses in internal control on a timely
basis.
• Management sets unduly aggressive financial targets and expectations for
executives.
• Management displays a significant disregard for regulatory authorities.
• Management continues to employ ineffective accounting, information technology
or internal auditing staff.
• Non-financial managers participate excessively in, or are preoccupied with, the
selection of accounting principles or the determination of significant estimates.
• There is a high turnover of management, consultants or board members.
• There is a strained relationship between management and the current or
predecessor auditor. Specific indicators might include the following:
• There is a history of securities law violations, or claims against the entity or its
management alleging fraud or violations of securities laws.
• The corporate governance structure is weak or ineffective, which may be
evidenced by, for example:
- Little attention being paid to financial reporting matters and to the accounting
and internal control systems by those charged with governance.
These fraud risk factors involve the economic and regulatory environment in which the
entity operates.
These fraud risk factors pertain to the nature and complexity of the entity and its
transactions, the entity’s financial condition, and its profitability.
• Inability to generate cash flows from operations while reporting earnings and
earnings growth.
• Significant pressure to obtain additional capital necessary to stay competitive,
considering the financial position of the entity (including a need for funds to
finance major research and development or capital expenditures).
• Assets, liabilities, revenues or expenses based on significant estimates that
involve unusually subjective judgments or uncertainties, or that are subject to
potential significant change in the near term in a manner that may have a
financially disruptive effect on the entity (for example, the ultimate recoverability
of account-receivables).
• Significant related-party transactions which are not in the ordinary course of
business. For example, huge advances to a sister-concern without any reason.
• Significant, unusual or highly complex transactions (especially those close to
year-end) that pose difficult questions concerning substance over form.
• Significant bank accounts or subsidiary or branch operations in tax-haven
jurisdictions for which there appears to be no clear business justification.
• An overly complex organizational structure involving numerous or unusual legal
entities, managerial lines of authority or contractual arrangements without
apparent business purpose.
• Difficulty in determining the organization or person (or persons) controlling the
entity.
• Unusually rapid growth or profitability, especially compared with that of other
companies in the same industry.
• Especially high vulnerability to changes in interest rates.
• Unusually high dependence on debt, a marginal ability to meet debt repayment
requirements, or debt covenants that are difficult to maintain.
• Unrealistically aggressive sales or profitability incentive programs.
• A threat of imminent bankruptcy, foreclosure or hostile takeover.
• Adverse consequences on significant pending transactions (such as a business
combination or contract award) if poor financial results are reported.
• A poor or deteriorating financial position when management has personally
guaranteed significant debts of the entity.
1. A company has shown ‘cash in hand’ of Rs. 50000 in its Balance Sheet. The
assertions by management are:
2. A company shows VAT payment of Rs. 25000 in its Profit & Loss Account. The
assertions are:
The auditor gathers evidence to find out whether the Assertions made
are true or fair.
--x--