ASSIGNMENT

ON
AUDITING
Submitted to:

MAM. AQSA ALTAF

Submitted by:

M UHAMMAD T ABBASUM

MAF-10-24

M.Sc (A & F)

2nd Semester

DEPARTMENT OF COMMERCE
BAHAUDDIN ZAKARIYA UNIVERSITY
MULTAN
 CONTENTS

Roles and responsibilities in internal control

Limitations

Describing Internal Controls

Objective Categorization

Activity Categorization

Control Precision

Fraud and Internal Control

Internal Controls and Improvement

Continuous Controls Monitoring

 INTERNAL CONTROL SYSTEM
“An accounting procedure or system designed to promote efficiency or assure
the implementation of a policy or safeguard assets or avoid fraud and error
etc”.

 Inventory Control - Supervision of the supply and storage and

accessibility of items in order to insure an adequate supply without
excessive oversupply.
 Control - The activity of managing or exerting control over something;
"the control of the mob by the police was admirable."
 Management Control - An internal control performed by one or more
managers.
 Quality Control - Maintenance of standards of quality of manufactured
goods.
 Accounting - A system that provides quantitative information about
finances.

In accounting and auditing, internal control is defined as a process affected by an

organization's structure, work and authority flows, people and management
information systems, designed to help the organization accomplish specific goals
or objectives. It is a means by which an organization's resources are directed,
monitored, and measured. It plays an important role in preventing and detecting
frauds and protecting the organization's resources, both physical (e.g., machinery
and property) and intangible (e.g., reputation or intellectual property such as
trademarks).

At the organizational level, internal control objectives relate to the reliability of

financial reporting, timely feedback on the achievement of operational or strategic
goals, and compliance with laws and regulations. At the specific transaction level,
internal control refers to the actions taken to achieve a specific objective (e.g., how
to ensure the organization's payments to third parties are for valid services
rendered.) Internal control procedures reduce process variation, leading to more
predictable outcomes. Internal control is a key element of the Foreign Corrupt
Practices Act (FCPA) of 1977 and the Sarbanes-Oxley Act of 2002, which
required improvements in internal control in United States public corporations.
Internal controls within business entities are also referred to as operational
controls.

Internal controls have existed from ancient times. In Hellenistic Egypt there was a
dual administration, with one set of bureaucrats charged with collecting taxes and
another with supervising them. In the Republic of China, the Control Yuan, one
of the five branches of government, is an investigatory agency that monitors the
other branches of government.

ROLES AND RESPONSIBILITIES IN INTERNAL CONTROL

According to the Committee of Sponsoring Organizations of the Treadway
Commission (COSO) Framework, everyone in an organization has responsibility
for internal control to some extent. Virtually all employees produce information
used in the internal control system or take other actions needed to affect control.
Also, all personnel should be responsible for communicating upward problems in
operations, noncompliance with the code of conduct, or other policy violations or
illegal actions. Each major entity in corporate governance has a particular role to
play:

Management: The Chief Executive Officer (the top manager) of the

organization has overall responsibility for designing and implementing effective
internal control. More than any other individual, the chief executive sets the "tone
at the top" that affects integrity and ethics and other factors of a positive control
environment. In a large company, the chief executive fulfills this duty by providing
leadership and direction to senior managers and reviewing the way they're
controlling the business. Senior managers, in turn, assign responsibility for
establishment of more specific internal control policies and procedures to
personnel responsible for the unit's functions. In a smaller entity, the influence of
the chief executive, often an owner-manager is usually more direct. In any event, in
a cascading responsibility, a manager is effectively a chief executive of his or her
sphere of responsibility. Of particular significance are financial officers and their
staffs, whose control activities cut across, as well as up and down, the operating
and other units of an enterprise.

Board of Directors: Management is accountable to the board of directors,

which provides governance, guidance and oversight. Effective board members are
objective, capable and inquisitive. They also have a knowledge of the entity's
activities and environment, and commit the time necessary to fulfill their board
responsibilities. Management may be in a position to override controls and ignore
or stifle communications from subordinates, enabling a dishonest management
which intentionally misrepresents results to cover its tracks. A strong, active board,
particularly when coupled with effective upward communications channels and
capable financial, legal and internal audit functions, is often best able to identify
and correct such a problem.

Auditors: The internal auditor and external auditors of the organization also
measure the effectiveness of internal control through their efforts. They assess
whether the controls are properly designed, implemented and working effectively,
and make recommendations on how to improve internal control. They may also
review Information Technology Controls, which relate to the IT systems of the
organization. There are laws and regulations on internal control related to financial
reporting in a number of jurisdictions. In the U.S. these regulations are specifically
established by Sections 404 and 302 of the Sarbanes-Oxley Act. Guidance on
auditing these controls is specified in PCAOB Auditing Standard No. 5 and SEC
guidance, further discussed in SOX 404 Top Down Risk Assessment. To provide
reasonable assurance that internal controls involved in the financial reporting
process are effective, they are tested by the external auditor (the organization's
public accountants), who are required to opine on the internal controls of the
company and the reliability of its financial reporting.

LIMITATIONS
Internal control can provide reasonable, not absolute, assurance that the objectives
of an organization will be met. The concept of reasonable assurance implies a high
degree of assurance, constrained by the costs and benefits of establishing
incremental control procedures.
Effective internal control implies the organization generates reliable financial
reporting and substantially complies with the laws and regulations that apply to it.
However, whether an organization achieves operational and strategic objectives
may depend on factors outside the enterprise, such as competition or technological
innovation. These factors are outside the scope of internal control; therefore,
effective internal control provides only timely information or feedback on progress
towards the achievement of operational and strategic objectives, but cannot
guarantee their achievement.

DESCRIBING INTERNAL CONTROLS

Internal controls may be described in terms of: a) the objective they pertain to; and
b) the nature of the control activity itself.

Objective Categorization

Internal control activities are designed to provide reasonable assurance that

particular objectives are achieved, or related progress understood. The specific
target used to determine whether a control is operating effectively is called the
control objective. Control objectives fall under several detailed categories; in
financial auditing, they relate to particular financial statement assertions. But
broader frameworks are helpful to also capture operational and compliance aspects:

1. Existence (Validity): Only valid or authorized transactions are processed

(i.e., no invalid transactions)
2. Occurrence (Cutoff): Transactions occurred during the correct period or
were processed timely.
3. Completeness: All transactions are processed that should be (i.e., no
omissions)
4. Valuation: Transactions are calculated using an appropriate methodology or
are computationally accurate.
5. Rights & Obligations: Assets represent the rights of the company, and
liabilities its obligations, as of a given date.
6. Presentation & Disclosure (Classification): Components of financial
statements (or other reporting) are properly classified (by type or account)
and described.
7. Reasonableness-transactions or results appear reasonable relative to other
data or trends.

For example, a control objective for the accounts payable function may be stated
as: "Payments are made only for authorized products and services received." This
is a validity objective. A typical control procedure designed to achieve this
objective is: "The accounts payable system compares the purchase order, receiving
record, and vendor invoice prior to authorizing payment." Multiple controls may be
applicable to achieve a given control objective with a reasonable level of
assurance.

Management is responsible for implementing appropriate controls that apply to

transactions in their areas of responsibility. Internal auditors perform their audits to
evaluate whether the controls are designed and implemented effectively to address
the relevant objectives.

Activity Categorization

Control activities may also be explained by the type or nature of activity. These
include (but are not limited to):

• Segregation of Duties - separating authorization, custody, and record

keeping roles of fraud or error by one person.
• Authorization of transactions - review of particular transactions by an
appropriate person.
• Retention of records - maintaining documentation to substantiate
transactions.
• Supervision or monitoring of operations - observation or review of ongoing
operational activity.
• Physical safeguards - usage of cameras, locks, physical barriers, etc. to
protect property, such as merchandise inventory.
• Top-level reviews-analysis of actual results versus organizational goals or
plans, periodic and regular operational reviews, metrics, and other key
performance indicators (KPIs).
• IT Security - usage of passwords, access logs, etc. to ensure access
restricted to authorized personnel.
• Top level reviews-Management review of reports comparing actual
performance versus plans, goals, and established objectives.
• Controls over information processing-A variety of control activities are
used in information processing. Examples include edit checks of data
entered, accounting for transactions in numerical sequences, comparing file
totals with control accounts, and controlling access to data, files and
programs.

CONTROL PRECISION
Control precision describes the alignment or correlation between a particular
control procedure and a given control objective or risk. A control with direct
impact on the achievement of an objective (or mitigation of a risk) is said to be
more precise than one with indirect impact on the objective or risk. Precision is
distinct from sufficiency; that is, multiple controls with varying degrees of
precision may be involved in achieving a control objective or mitigating a risk.

Precision is an important factor in performing a SOX 404 Top down risk

assessment. After identifying specific financial reporting material misstatement
risks, management and the external auditors are required to identify and test
controls that mitigate the risks. This involves making judgments regarding both
precision and sufficiency of controls required to mitigate the risks.

Risks and controls may be entity-level or assertion-level under the PCAOB

guidance. Entity-level controls are identified to address entity-level risks.
However, a combination of entity-level and assertion-level controls are typically
identified to address assertion-level risks. The PCAOB set forth a three-level
hierarchy for considering the precision of entity-level controls. Later guidance by
the PCAOB regarding small public firms provided several factors to consider in
assessing precision.

FRAUD AND INTERNAL CONTROL

Internal control plays an important role in the prevention and detection of fraud.
Under the Sarbanes-Oxley Act, companies are required to perform a fraud risk
assessment and assess related controls. This typically involves identifying
scenarios in which theft or loss could occur and determining if existing control
procedures effectively manages the risk to an acceptable level. The risk that senior
management might override important financial controls to manipulate financial
reporting is also a key area of focus in fraud risk assessment. The AICPA, IIA, and
ACFE also sponsored a guide published during 2008 that includes a framework for
helping organizations manage their fraud risk.

INTERNAL CONTROLS AND IMPROVEMENT

If the internal control system is implemented only to prevent fraud and comply
with laws and regulations, then an important opportunity is missed. The same
internal controls can also be used to systematically improve businesses, particularly
in regard to effectiveness and efficiency.

CONTINUOUS CONTROLS MONITORING

Advances in technology and data analysis have led to the development of
numerous tools which can automatically evaluate the effectiveness of internal
controls. Used in conjunction with continuous auditing, continuous controls
monitoring provides assurance on financial information flowing through the
business processes.