
Master of Business Administration – MBA Semester – 3

Internal Audit & Control Set - I

Q No. 1 :- Explain the feature of Internal controls in a computerized environment

Answer: Internal control comprises all the policies, procedures, rules and systems laid
down by the Management to achieve the goals of the business. The Institute of Chartered
Accountants of India defines internal control as follows:

“Internal control is the plan of the organization, all the methods and procedures adopted
by the management of an entity, to assist in achieving management’s objective of
ensuring, as far as practicable, the orderly and efficient conduct of its business.”

Features of Internal Controls in a Computerized Environment

Businesses are now conducted through the use of Information Technology, and most of the
processes or functions of management are carried out on computers. Measures of internal
control can be implemented for the various functions of management, but these measures
are suitable mostly when the operations are manual. The extent and nature of internal
controls for each of these functions change substantially with the adoption of
Information Technology.

Since the internal control system in a computerized environment is substantially different
from that in a manual system, the Management, or an evaluator of such internal control
such as the internal auditor, has to study and understand the features of such internal
controls.

Some of the problem areas associated with a computerized information system are:

1. Consistency in operations:

The computer programs are known to be accurate and consistent in their performance.
This feature of computers is regarded by most of us as a useful feature. But this feature
has a negative side also. If a program has been written wrongly the computer will go on
executing that program even though it is wrong. Imagine a program written in your
company that calculates worker’s salary wrongly. If nobody notices the mistake the
computer will go on repeating the mistake month after month when the salaries are
calculated.

2. Lack of transaction trails:

Some computer information systems are so designed that a complete transaction trail
(how a transaction has been processed) might exist for only a short period of time or only
in computer readable form. Where a complex application system performs a large
number of processing steps, there may not be a complete trail of how the particular
transaction has been processed. Accordingly, errors embedded in an application’s
program logic may be difficult to detect on a timely basis by manual (user) procedures.
• For example, in a bank the details of individual customers’ transactions might be
destroyed after a period of say, one year, thus denying the Management the
evidence of such transaction.

3. Lack of segregation of functions:

It is understood that segregation of duties is an important feature of internal control. This
feature enables the organization to prevent or detect frauds or errors. But in a
computerized environment it becomes difficult to segregate duties at times. Thus
employees become empowered and may misuse their powers.

• For example, in a computerized system the Bank Teller may enter the payment
details in the customer-ledger in the computer and make the payment to the customer
on the latter’s presentation of a cheque. Thus he has more power in such an environment
than in a manual system, and this power can be misused by him.

5. Potential for errors and irregularities:

The potential for human error in the development, maintenance and execution of
computer information systems may be greater than in manual systems. This is because
individuals have more knowledge of and access to computerized information. Sitting in a
remote corner of the world, a person can gain unauthorized access to another person’s
information, say bank accounts or credit cards, and may even alter or destroy the data.

• For example, a bank clerk might guess his supervisor’s password and transfer
huge amounts to different accounts within seconds, which he could not have done
in a manual system.

In addition, decreased human involvement in handling transactions processed by
computers can reduce the potential for observing errors and irregularities.

• For example, in a bank the officials usually do not re-check or become skeptical
about the interest amount calculated by a computer. Hence when the interest rate
is wrongly fed into the computers it goes undetected for months together.
• Similarly, errors or irregularities occurring during the design or modification of
application programs or systems software can remain undetected for long periods
of time.

6. System generated transactions:

Computer information systems may include the capability to initiate or cause the
execution of certain types of transactions, automatically. The authorization of these
transactions or procedures may not be documented in the same way as that in a manual
system, and management’s authorisation of these transactions may be implicit in its
acceptance of the software.

• For example, in a bank the credit of interest to individual accounts of customers
may be system-generated, so that at the end of the month the computer
automatically calculates the interest and credits it to individual accounts.

7. Potential for increased management supervision:

Computer information systems can offer management a variety of analytical tools that
may be used to review and supervise the operations of the entity. The availability of these
analytical tools, if used, may serve to enhance the entire internal control structure.

• For example, the inter-branch transactions of a company get reconciled within
days these days due to reports being generated by the computers and fast
management action on such reports. In the manual system such reconciliation
used to take months together.

8. Vulnerabilities

Computerized systems are prone to different types of vulnerabilities (threats) which can
create havoc if not controlled properly.

• For example, vulnerabilities like viruses and hacking cause a lot of harm to information
systems, and a business might lose substantially. Those who are using computers for
business should know about the possibility of such attacks and take preventive
steps.

Thus we can see that though these features of internal control in a computerized
environment provide advantages to any business, sometimes they also give scope to
many risks.

Scope of internal controls in a computerized environment

Due to the aforesaid features of a computerized environment, internal controls require
additional features such as the following in such an environment.

Access Controls

As discussed earlier, in a computerized system authorization or segregation cannot be
done orally or in writing, unlike in a manual system. It has to be done through the
machine. The persons accessing the computers in a company are therefore given access to
the computers so that they can open the computer and get the information. However, the
extent of information that they can access and use is to be decided by the System
Administrator, i.e. the person who controls the computers and the information system.
Therefore the following internal control measures are invariably used in computers.

• Identification of the users of the computers by the computers through User Ids
which are to be assigned by the System.
• Authentication of the users to allow them access to the computers through
various techniques like Passwords, PIN (Personal Identification Number), Smart
Cards, and Biometric devices like fingerprints, retina scan etc.
• The extent of access to information should be decided by the Administrator by
having Access Control Policies. For example, information can be classified as
Top Secret, Secret, Classified or Unclassified.

Physical and logical assets control:

Access to physical assets assumes a different proportion in a computerized
environment. Imagine a company having a huge database of its customers’ information at a
particular data centre. If a hacker attacks such a data centre, the possibility of loss is
huge due to loss of information. The entire business may come to a standstill. Thus the
control over physical assets in a computerized environment includes safeguarding
information and logical assets like software, programs etc. Some control features in this
regard are as follows:

• Use of firewalls and intrusion detection systems.
• Use of antivirus programs and applications.
• Physical access control: develop a feature that prevents an unauthorized person from
entering the data centre and destroying or altering the information (like password
entry etc. at the main door of the data centre).
• Steps are to be taken to prevent, or at least detect, attempts at theft of data or
information during transmission through various communication channels.
• System development controls.

****
Q. No. 2: Explain the meaning of fraud. What are the components of fraud ?

Ans. Meaning of fraud:

The Oxford Advanced Learner’s Dictionary defines fraud as “an act of deceiving illegally
in order to make money or obtain goods”.

“The practice of deception or artifice with the intention of cheating or injuring
another is fraud” – as defined in Kohler’s Dictionary of Accountants.

A particular difficulty is distinguishing fraud from losses due to incompetence,
procedural lapses, accidents, mismanagement, wrong decisions, or business risks. All
these may not be treated as fraud, as the persons committing these acts usually manage to
escape by proving that they had no intention to defraud. For example, due to
mismanagement by the Board of Directors of a company, the company goes into
bankruptcy. The shareholders lose their money. But it is very difficult for the
shareholders to prove that the Board cheated them; they can only prove that the Board
was negligent. But in reality the Board of Directors might have intentionally mismanaged
the company to serve their ulterior motive.

Fraud is an economic offence. General economic offenses also include criminal acts other
than fraud like money laundering, financing of criminal or anti-national activities,
corruption, bribery, kickbacks, and so on. We are not discussing these types of offences
when we are talking of fraud in this unit.

Fortunately, frauds fall into typical types that share common characteristics, means,
and methods. Just as a house theft can occur anywhere, a fraud often consists of many
instances or incidents involving repeated transgressions using the same method.

Fraud instances can be similar in content and appearance but usually aren’t identical. A
fraud need not meet all of these characteristics.

Thus the term “fraud” refers to an intentional act by one or more individuals among
management, those charged with governance, employees, or third parties, involving the
use of deception to obtain an unjust or illegal advantage.

Although fraud is a broad legal concept, we are more concerned with fraudulent acts that
cause a material misstatement in the financial statements. However, misstatement of the
financial statements may not be the objective of some frauds.

To understand what actually happens when a fraud occurs, we have to study the
components of a fraud.

Components of fraud:

Fraud occurs when all of the following elements exist:

• An individual or an organization intentionally makes an untrue
representation about an important fact or event. For example, an employee
claims a traveling expense of Rs.10,000 which in reality he has not spent.
• The untrue representation is believed by the victim (the person or
organization to whom the representation has been made). For example, in the
above case the company (finance manager) believes the claim by the
employee.
• The victim relies upon and acts upon the untrue representation. For
example, in the above case the finance manager sanctions the traveling
expense bill of the employee.
• The victim suffers loss of money and/or property as a result of relying
upon and acting upon the untrue representation. For example, ultimately the
company suffers a loss due to bogus expenditure.

Q. No. 3: In symptoms of fraud what risk factors relate to the economic and regulatory
environment ?

Ans.

Symptoms of Frauds

The fact that fraud is usually concealed can make it very difficult to detect. Nevertheless,
the Management may identify events or conditions that provide an opportunity, a motive
or a means to commit fraud, or indicate that fraud may already have occurred. Such
events or conditions are referred to as “fraud risk factors” or symptoms of fraud.

A. Symptoms Relating to possibility of Fraudulent Financial Reporting by Management

They may be grouped in the following three categories:

1. Management’s Characteristics and Influence over the Control Environment.
2. Industry Conditions.
3. Operating Characteristics and Financial Stability.

For each of these three categories, examples of fraud risk factors are provided here.

1. Fraud Risk Factors Relating to Management’s Characteristics and Influence over
the Control Environment

a) These fraud risk factors pertain to management’s abilities, pressures, style, and
attitude relating to internal control and the financial reporting process. For example:

• A significant portion of management’s remuneration is represented by bonuses,
stock options or other incentives, the value of which is dependent upon the entity
achieving unduly aggressive targets like huge revenue or profits.
• There is excessive interest by management in maintaining or increasing the
entity’s share price or earnings trend through the use of unusually aggressive
accounting practices.
• Management commits to equity-analysts, creditors and other third parties to
achieve what appear to be unduly aggressive or clearly unrealistic forecasts.
• Management has an interest in pursuing inappropriate means to minimize reported
earnings for tax-motivated reasons.

b) There is a failure by management to display and communicate an appropriate attitude
regarding internal control and the financial reporting process. Specific indicators might
include the following:

• Management does not effectively communicate and support the entity’s values or
ethics, or management communicates inappropriate values or ethics.
• Management is dominated by a single person or a small group of persons.
• Management does not monitor significant internal controls adequately.
• Management fails to correct known weaknesses in internal control on a timely
basis.
• Management sets unduly aggressive financial targets and expectations for
executives.
• Management displays a significant disregard for regulatory authorities.
• Management continues to employ ineffective accounting, information technology
or internal auditing staff.
• Non-financial managers participate excessively in, or are preoccupied with, the
selection of accounting principles or the determination of significant estimates.
• There is a high turnover of management, consultants or board members.
• There is a strained relationship between management and the current or
predecessor auditor. Specific indicators might include the following:

- Frequent disputes with the current or a predecessor auditor on accounting,
auditing or reporting matters.

- Unreasonable demands on the auditor, including unreasonable time constraints
regarding the completion of the audit or the issuance of the auditor’s report.

- Formal or informal restrictions on the auditor that inappropriately limit the
auditor’s access to people or information, or limit the auditor’s ability to
communicate effectively with those charged with governance.

- Domineering management behavior in dealing with the auditor, especially
involving attempts to influence the scope of the auditor’s work.

• There is a history of securities law violations, or claims against the entity or its
management alleging fraud or violations of securities laws.
• The corporate governance structure is weak or ineffective, which may be
evidenced by, for example:

- A lack of members who are independent of management.

- Little attention being paid to financial reporting matters and to the accounting
and internal control systems by those charged with governance.

2. Fraud Risk Factors Relating to Industry Conditions

These fraud risk factors involve the economic and regulatory environment in which the
entity operates.

• New accounting, statutory or regulatory requirements that could impair the
financial stability or profitability of the entity.
• A high degree of competition or market saturation, accompanied by declining
margins.
• A declining industry with increasing business failures and significant declines in
customer demand.
• Rapid changes in the industry, such as high vulnerability to rapidly changing
technology or rapid product obsolescence.

3. Fraud Risk Factors Relating to Operating Characteristics and Financial Stability

These fraud risk factors pertain to the nature and complexity of the entity and its
transactions, the entity’s financial condition, and its profitability.

• Inability to generate cash flows from operations while reporting earnings and
earnings growth.
• Significant pressure to obtain additional capital necessary to stay competitive,
considering the financial position of the entity (including a need for funds to
finance major research and development or capital expenditures).
• Assets, liabilities, revenues or expenses based on significant estimates that
involve unusually subjective judgments or uncertainties, or that are subject to
potential significant change in the near term in a manner that may have a
financially disruptive effect on the entity (for example, the ultimate recoverability
of account-receivables).
• Significant related-party transactions which are not in the ordinary course of
business. For example, huge advances to a sister-concern without any reason.
• Significant, unusual or highly complex transactions (especially those close to
year-end) that pose difficult questions concerning substance over form.
• Significant bank accounts or subsidiary or branch operations in Tax-haven
jurisdictions for which there appears to be no clear business justification.
• An overly complex organizational structure involving numerous or unusual legal
entities, managerial lines of authority or contractual arrangements without
apparent business purpose.
• Difficulty in determining the organization or person (or persons) controlling the
entity.
• Unusually rapid growth or profitability, especially compared with that of other
companies in the same industry.
• Especially high vulnerability to changes in interest rates.
• Unusually high dependence on debt, a marginal ability to meet debt repayment
requirements, or debt covenants that are difficult to maintain.
• Unrealistically aggressive sales or profitability incentive programs.
• A threat of imminent bankruptcy, foreclosure or hostile takeover.
• Adverse consequences on significant pending transactions (such as a business
combination or contract award) if poor financial results are reported.
• A poor or deteriorating financial position when management has personally
guaranteed significant debts of the entity.

Completeness: That there are no unrecorded assets, liabilities or transactions.
E.g. There are no other fixed assets or loans other than those stated in
the financial statements.

Valuation: That an asset or liability is recorded at an appropriate carrying value.
E.g. The value of Building or Machinery shown, depreciation
calculated and deducted therefrom is correct.

Measurement: That a transaction is recorded in the proper amount and revenue or
expense is allocated to the proper period.
E.g.: Amount of depreciation charged, commission calculated and
paid are correct.
E.g. Provision made for Taxation is correct.

Presentation and Disclosure: An item is disclosed, classified, and described in
accordance with recognized accounting policies and practices and relevant statutory
requirements, if any.
E.g.: The manner of disclosure of fixed asset by way of Gross Block,
Net Block etc is correct and is as per Companies Act provisions.

Table 9.2: Table Showing the Assertions by Management as to Items in Financial Statements

Some more examples for such assertions are as follows:

1. A company has shown ‘cash in hand’ of Rs. 50000 in its Balance Sheet. The
assertions by management are:

• The amount of cash in hand existed as on Balance Sheet date.
• The Company had the right to use that cash. (No other person had the right to use
it).
• The cash was identified and measured by sorting it out to different
denominations (say 50 numbers of Rs. 1000 currency notes).
• No other cash existed with the Company (completeness assertion).

2. A company shows VAT payment of Rs. 25000 in its Profit & Loss Account. The
assertions are:

• The company has made the transaction of payment of VAT (occurrence).
• The amount paid is correct (valuation).
• The calculation (measurement) of VAT is correct.
• The company had an obligation to make such payment.
• The payment of VAT has been correctly shown as expense in the Profit & Loss
Account (presentation).

(The students are advised to study such assertions in a similar manner for the
various items of assets, liabilities, income and expenditure that are normally
included in a financial statement.)

Thus if the assertions made by management are proved correct, the
job of the auditor is over. Hence the auditor will have to find evidence to
prove or disprove these assertions while doing the audit.

The auditor gathers evidence to find out whether the Assertions made
are true or fair.

--x--
