Internal Control – CS Professional Study Material

Chapter 13 Internal Control – CS Professional Governance, Risk Management, Compliances and Ethics Notes is designed strictly as per the latest syllabus and exam pattern.

Internal Control – Governance, Risk Management, Compliances and Ethics Study Material

Question 1.
Write short note on the following.
(i) COSO’s internal control framework (3 marks)
Answer:
COSOs Internal Control Framework:
Internal control consist of five interrelated components. These are derived’ from the way management runs a business, and are integrated with the management process.
The components are:

1. Control environment
2. Risk assessment
3. Control activities
4. Information and communication
5. Monitoring.

Question 2.
Write short note on the following:
(i) Internal control (Dec 2013, 3 marks)
Answer:
Internal Control: Methods put in place by a company to ensure the integrity of financial and accounting information, meet operational and profitability targets and transmit management policies throughout the organization. Internal controls works best when they are applied to multiple divisions and deal with the interaction between the various business departments.

Question 3.
Write short note on the following:
COSO’s internal control framework (Dec 2014, 3 marks)

Question 4.
Prepare a Board note on ‘internal control’ highlighting the elements of sound internal control system for a company. (June 2012, 5 marks)
Answer:
Board of Directors
ABC Limited
Sub: Note on internal control.
A system of internal control is a proactive approach that balance the risk and control in the company which helps in exploiting business opportunities fully.
Internal control is defined as a process, effected by an organizations people and information technology (IT) systems, designed to help the organization accomplish specific goals or objectives.

It is a mean by which an organisations resources are directed, monitored and measured. It plays an important role in preventing and detecting fraud and protecting the organizations resources, both physical (i.e. machinery and property) and intangible(i.e. reputation or intellectual property such as trademarks)
An internal control system encompasses the policies, processes tasks, behaviours and other aspects of the company that taken together.

• Facilitates its effective and efficient operation by enabling it to respond appropriately to significant business operational, financial, compliance and other risks to achieve the company’s objectives. This includes the safeguarding of assets from inappropriate use or from loss and fraud and insuring that liabilities are identified and managed.
• Helps to ensure the quality of external and internal reporting. This requires the maintenance of proper records and processes that generate a flow of timely, relevant and reliable information from within and outside the organization.
• Helps to ensure compliance with applicable laws and regulations, and also internal policies with respect to conducting business.
  Sd.
  Company Secretary

Question 5.
Discuss in brief the following:
Internal control. [Old Syllabus] (June 2014, 3 marks)
Answer:
Internal Control: Methods put in place by a company to ensure the integrity of financial and accounting information, meet operational and profitability targets and transmit management policies throughout the organization. Internal controls work best when they are applied to multiple divisions and deal with the interaction between the various business departments.

Question 6.
Internal control is a way for management to run a business and is integrated within the management process. Comment. (Dec 2014, 3 marks)
Answer:
An internal control system encompasses the policies, processes, tasks, behaviours and other aspects of the Company that taken together.

• Facilitates its effective and efficient operation by enabling it to respond appropriately to significant business, operational, financial, compliance and other risks to achieve the Company’s objective. This included the safeguarding of assets from inappropriate use or from loss and fraud and ensuring that liabilities are identified and managed;
• Helps to ensure the quality of internal and external reporting. This requires the maintenance of proper records and processes that generate a flow of timely, relevant and reliable information from within and outside the organization;
• Helps ensure compliance with applicable laws and regulations and also internal policies with respect to conducting business.
  Therefore, we say internal control is a way for management to run a business and is integrated within the management process.

Question 7.
Elucidate the following:
Internal control. (June 2015, 5 marks)
Answer:
Internal Control System: Internal Control is defined as a process, effected by an organisation’s people and information technology (IT) systems, designed to help the organisations to accomplish specific goals or objectives. It is a mean by which an organisation’s resources are directed, monitored and measured. It plays an important role in preventing and detecting fraud and protecting the organisation’s resources, both physical (i.e. machinery and property) and intangible (i.e. reputation or intellectual property such as trademarks).

An internal control system encompasses the policies, processes, tasks, behaviours and other aspects of the company that taken together.

• Facilitates its effective and efficient operation by enabling it to respond appropriately to significant business, operational, financial, compliance and other risks to achieve the Company’s objectives. This includes the safeguarding of assets from inappropriate use or from loss and fraud and ensuring that liabilities are identified and managed.
• Helps to ensure the quality of external and internal reporting. This requires the maintenance of proper records and processes that generate a flow of timely, relevant and reliable information from within and outside the organization.
• Helps ensure compliance with applicable laws and regulations, and also internal policies with respect to conducting business.

Question 8.
What do you understand by ‘internal control’? What are its components? (June 2016, 5 marks)
Answer:
Internal Control:
According to, the Institute of Chartered Accounts of England and Wales, the internal control is meant not only internal check and internal audit but the whole system of controls, financial and otherwise, established by the management in order to carry on the business of the company in an orderly manner, safeguarding its assets and secure as far as possible the accuracy and reliability of its records.

Components of Internal Control:
(i) Internal Check: Internal check means an arrangement that a transaction is process by two or more persons and each one is independent and starts with when the predecessor has completed the task.

(ii) Internal Audit: Internal audit may be done by the own staff or by engaging any professional person outside of the organisation. The scope of the internal audit is determined by the management. Internal Auditor is required to submit its report to the management (who is appointing authority). The report should inter alia cover the points relating to the, adequacy of the internal check and control systems, adherence to the established management controls, maintenance of the records and reports on the financial accounting etc.

Question 9.
Answer the following in brief:
What are the three categories of objectives provided in COSO International Control Integrated Framework? (June 2017, 2 marks)
Answer:
The COSO Framework sets forth three categories of objectives, which allow organizations to focus on separate aspects of internal control. These are:

• Operations Objectives,
• Reporting and Objectives
• Compliance Objectives.

Question 10.
“Secretarial Audit is a process to check compliance with provisions of all applicable laws and rules/regulations/procedures.” Elaborate and discuss provisions of the Companies Act, 2013 with regard to Secretarial Audit. (Dec 2017, 5 marks)
Answer:
Secretarial Audit is a process to check compliance with the provisions of all applicable laws and rules/regulations/procedures; adherence to good governance practices with regard to the systems and processes of seeking and obtaining approvals of the Board and/or shareholders, as may be necessary, for the business and activities of the company, carrying out activities in a lawful manner and the maintenance of minutes and records relating to such approvals or decisions and implementation. Section 204 of Companies Act 2013 provides for Secretarial audit for bigger companies.

(1) Every listed company and a company belonging to other class of companies as may be prescribed shall annex with its Board’s report made in terms of sub-section (3) of section 134, a secretarial audit report, given by a company secretary in practice, in such form as may be prescribed. Rule 9 of Companies (Appointment and Remuneration of Managing Personnel) Rules, 2014 provides that for the purposes of sub-section (1) of section 204, the other class of companies shall be as under:

• every public company having a paid-up share capital of fifty crore rupees or more; or
• every public company having a turnover of two hundred fifty crore rupees or more.
• every company having outstanding loans or borrowings from banks; or public financial institutions of one hundred crore rupees or more.

(2) It shall be the duty of the company to give all assistance and facilities to the company secretary in practice, for auditing the secretarial and related records of the company.

(3) The Board of Directors, in their report made in terms of sub-section (3) of section 134, shall explain in full any qualification or observation or other remarks made by the company secretary in practice in his report under sub-section (1).

(4) If a company or any officer of the company or the company secretary in practice, contravenes the provisions of this section, the company, every officer of the company or the company secretary in practice, who is in default, Shall be punishable with fine which shall not be less than one lakh rupees but which may extend to five lakh rupees.

Question 11.
Apart from Statutory Audit, for some class of companies, Internal Audit is also mandatory. Which companies are required to have Internal Audit as per the provisions of the Companies Act, 2013? (June 2019, 5 marks)
Answer:
Section 138 of the Companies Act, 2013 read with Rule 13 of the Companies (Accounts) Rules, 2014 provides for the mandatory appointment of an internal auditor who shall either be a Chartered Accountant or a cost accountant, or such other professional as may be decided by the Board .to conduct internal audit of the functions and activities for classes of company given below:

• every listed company
• every unlisted public company having:
  • paid up share capital of 50 crore rupees or more during the preceding financial year; or
  • turnover of 200 crore rupees or more during the preceding financial year; or
  • outstanding loans or borrowings from banks or public financial institutions exceeding 100 crore rupees or more at any point of time during the preceding financial year; or
  • outstanding deposits of 25 crore rupees or more at any point of time during the preceding financial year: and
• every private company having:
  • turnover of 200 crore rupees or more during the preceding financial year; or
  • outstanding loans or borrowings from banks or public financial institutions exceeding 100 crore rupees or more at any point of time during the preceding financial year.

Question 12.
(i) Internal check and internal control are two frequently used terms in risk management and compliance. Explain the meaning of Internal Check and Internal Control and also mention how these two are different from each other. (5 marks)
(ii) Explain the scope of “Administrative Control”. (June 2019, 5 marks)
Answer:
(i) Internal check may be referred to as a system of instituting checks on the day- to-day transactions which operate continuously as a part of routine system whereby the work of one person is complementary to the work of another, the object being the prevention or early detection of errors or fraud. The objective of such allocation of duties is that no single individual has ah exclusive control over any one transaction or group of transactions.

Internal control, as defined in accounting and auditing, is a process for assuring achievement of an organization’s objectives in operational effectiveness and efficiency, reliable financial reporting, and compliance with laws, regulations and. policies. It is a means by which an organization’s resources are directed, monitored, and measured. It plays an important role in detecting and preventing fraud and protecting the organization’s resources, both physical (e.g., machinery and property) and intangible (e.g., reputation or intellectual property such as trademarks).

Internal check

Internal control

Internal check refers to the way of allocating responsibility, segregation of work, where work of the sub-ordinates is checked by the immediate supervisors to verify that the work is carried out according to the company policies and guidelines. Scope of internal check is narrower compared to internal control. Internal checks are implemented at all organizational levels such as tactical and operational level.

Internal control is the system implemented by a company to ensure the integrity of financial and accounting information and that the company is progressing towards fulfilling its profitability and operational objectives in a successful manner. Internal control is a broader aspect in which internal check play a vital role. Internal controls are designed and documented at the corporate management level.

(ii) A number of controls falling under operational controls can also be administrative controls. Examples of operational controls are: quality control, works standards, periodic reporting, policy appraisal etc.
Administrative controls are very wide in their scope. They inctude all other managerial controls concerned with decision-making process. They are concerned with the authorisation of transactions and include anything from plan of organisation to procedures, record keeping, distribution of authority and the process of decision-making. They include controls such as time and motion studies, quality control through inspection, performance budgeting, responsibility accounting and performance evaluation etc.

Administrative controls have an indirect relationship with financial records and the auditor may evaluate only those administrative controls which have a bearing on the financial records.
Thus, administrative controls are those which help in improving the efficiency, productivity and not necessarily recorded under the accounting systems. Works standards, quality control, methods study and motion study are examples of administrative control.

Question 13.
Elucidate principles on Internal Control enunciated by Committee of Sponsoring Organizations of the Treadway Commission (COSO). (Dec 2019, 5 marks)
Answer:
COSO is the abbreviation of The Committee of Sponsoring Organizations of the Treadway Commission (COSO).
COSO’s (original framework, which identified five components of internal control, became widely adopted for use in assessing the effectiveness of internal controls. Its more recently updated framework identifies 17 principles mapped to the original components. These Principles are as under:
Component 1: Control Environment
1. Demonstrates commitment to integrity and ethical values
2. Exercises oversight responsibility
3. Establishes structure, authority, and responsibility
4. Demonstrates commitment to competence
5. Enforces accountability

Component 2: Risk Assessment
6. Specifies suitable objectives
7. Identifies and analyzes risk
8. Assesses fraud risk
9. Identifies and analyzes significant change

Component 3: Control Activities
10. Selects and develops control activities
11. Selects and develops general controls over technology
12. Deploys control activities through policies and procedures

Component 4: Information & Communication
13. Uses relevant information
14. Communicates internally
15. Communicates externally

Component 5: Monitoring Activities
16. Conducts ongoing and/or separate evaluations
17. Evaluates and communicates deficiencies

Question 14.
Why the Information System is the most essential component of Internal Control ? (Dec 2019, 5 marks)
Answer:
An information system consists of infrastructure (physical and hardware components), software, people, procedures, and data. Many information systems make extensive use of information technology (IT).
The information system relevant to financial reporting objectives, which includes the financial reporting system, encompasses methods and records that:

• Identify and record all valid transactions.
• Describe on a timely basis the transactions in sufficient detail to permit proper classification of transactions for financial reporting.
• Measure the value of transactions in a manner that permits recording their proper monetary value in the financial statements.
• Determine the time period in which transactions occurred to permit recording of transactions in the proper accounting period.
• Present properly the transactions and related disclosures in the financial statements.

The quality of system-generated information affects management’s ability to make appropriate decisions in managing and controlling the entity’s activities and to prepare reliable financial reports.

Communication, which involves providing an understanding of individual roles and responsibilities pertaining to internal control over financial reporting, may take such forms as policy manuals, accounting and financial reporting manuals, and memoranda. Communication also can be made electronically, orally, and through the actions of management.

Question 15.
“Internal control can help an entity in achieving its objectives but it is not a panacea.” Discuss. (Dec 2020, 5 marks)
Answer:
In a business entity the internal control should be adequate to cover all the key and sensitive areas of the organization. No one person should be allowed to complete, one set of transactions. The control mechanism once established should be reviewed periodically in order to assess the lacunas ; and to remove the same. The password sharing should be strictly prohibited and stringent action should be taken against the erring staff. The efficacy of the internal control mechanism depends when the employees accepts this philosophy in the true letter and spirit.

A good and efficient Internal control system can assist in the following ways:

• help an entity achieve its performance and profitability targets, and prevent loss of resources.
• help ensure reliable financial reporting.
• help ensure that the enterprise complies with laws and regulations, avoiding damage to its reputation and other consequences.
• In sum, it can help an entity get to where it wants to go, and avoid pitfalls and surprises along the way.

While internal control as such is inherently useful and help organisation in many ways yet it is not a panacea as it also has its limitations such as:

• Internal control cannot change an inherently poor manager into a good one.
• Internal control cannot ensure success, or even survival in case of shifts in government policy or programs, competitors’ actions or economic conditions, since these are beyond the management’s control.
• An internal control system, no matter how well conceived and operated, can provide only reasonable– not absolute-assurance to management and the board regarding achievement of an entity’s objectives.
• The likelihood of achievement is affected by limitations inherent in all internal control systems.
• Controls can be circumvented by the collusion of two or more people, and management has the ability to override the system.
• Another limiting factor is that the design of an internal control system must reflect the fact that there are resource constraints, and the benefits of controls must be considered relative to their costs.

Question 16.
You are the Company Secretary of Super Chef Ltd. Shirley, the newly appointed CEO of Super Chef Ltd. is not clear about the concept of internal control and her role and responsibilities with regard to internal controls of the company. She approaches you to understand the same. Prepare a short note to brief Shirley on Internal control and her role and responsibilities in this regard. (Dec 2020, 5 marks)
Answer:
The Committee of Sponsoring Organizations of the Treadway Commission > (COSO) defines Internal Control as a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance.
According to COSO an organization needs to focus on separate aspects of internal control for achievement of the following objectives:

• Effectiveness and efficiency of the entities operations.
• Reliability, limitations and transparency of financial reporting.
• Compliance with applicable laws and regulations.

The chief executive officer is ultimately responsible and should assume “ownership” of the system. More than any other individual, the chief executive sets the “tone at the top” that affects integrity and ethics and other factors of a positive control environment. In a large company, the chief executive fulfils this duty by providing leadership and direction to senior managers and reviewing the way they’re controlling the business. Senior managers, in turn, assign responsibility for establishment of more specific, internal control policies and procedures to personnel responsible for the unit’s functions. In a smaller entity, the influence of the chief executive, often an owner-manager is usually more direct. In any event, in a cascading responsibility, a manager is effectively a chief executive of his or her sphere of responsibility. Of particular significance are financial officers and their staffs, whose control activities cut across, as well as up and down, the operating and other units of an enterprise. .

Question 17.
“Risk can arise or change due to circumstances.” Comment and point out the circumstances which result into risks for an entity. (Dec 2020, 5 marks)
Answer:
Risks can arise or change due to circumstances such as the following:

• Changes in operating environment
• New personnel
• New or revamped information systems
• Rapid growth
• New technology
• New business models, products, or activities
• Corporate restructurings
• Expanded foreign operations
• New accounting pronouncements

Question 18.
“Internal check refers to allocation of duties in a scientific way so that no one is responsible for all phases of the transactions.” Explain the essential features of Internal check in the light of above statement. (Dec 2020, 5 marks)
Answer:
Essential features of internal check are given hereunder:

1. There should be proper division of work and responsibilities.
2. The duties of each person should be properly defined so as to fix definite responsibilities of each individual.
3. Possibilities of giving absolute control to anybody should not be left out unchecked.
4. Too much confidence on a person should be avoided.
5. The duties of staff should be rotated and one person should not be allowed to occupy a particular area of operation for long.
6. Necessary safeguards should be provided so as to avoid collusion of thoughts which quite often leads to commission of fraud.
7. The person handling cash, stock, securities should be given compulsory leave so as to prevent their having uninterrupted control.
8. Physical inventory of fixed assets and stocks should be taken periodically.
9. Assets should be protected from unauthorised use.
10. To prevent loss or misappropriation of cash, mechanical devices such as the automatic cash register, should be employed.
11. The financial and administrative powers should be distributed very judiciously among different officers and the manner in which these are actually exercised should be reviewed periodically.
12. Accounting procedures should be laid down for periodical verification and testing of different sections of accounting records to ensure that they are accurate.

Question 19.
You are newly appointed as the Company Secretary of ABC Pvt Ltd. Rama, who is the CEO of the Company, is not clear on concept and applicability of internal audit to your company. She approaches you to understand the same. Prepare a short note to brief Rama on concept and applicability of internal audit as per the provisions of Companies Act, 2013 to your company. (Aug 2021, 5 marks)
Answer:
According to Institute of Internal Auditors “Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.”
Applicability of Internal Audit:
As per Section 138 of the Companies Act, 2013 and Companies (Accounts). Rules, 2016, the following class of companies shall be required to appoint an internal auditor:-
(a) every listed company

(b) every unlisted public company having

• paid up share capital of fifty crore rupees or more during the preceding financial year; or
• turnover of two hundred crore rupees or more during the preceding financial year; or
• outstanding loans or borrowings from banks or public financial institutions exceeding one hundred crore rupees or more at any point, of time during the preceding financial year; or
• outstanding deposits of twenty-five crore rupees or more at any point of time during the preceding financial year; and

(c) every private company having

1. turnover of two hundred crore rupees or more during the preceding financial year; or
2. outstanding loans or borrowings from banks or public financial institutions exceeding one hundred crore rupees or more at any point of time during the preceding financial year.

An Internal Auditor may be either an individual or a partnership firm or a body corporate. An internal auditor can be a chartered accountant or a cost accountant, or such other professional as may be decided by the Board to conduct internal audit of the functions and activities of the company. The internal auditor may or may not be an employee of the company. The Audit Committee of the company or the Board shall, in consultation with the Internal Auditor, formulate the scope, functioning, periodicity and methodology for conducting the internal audit.

Question 20.
Administrative Controls have an indirect relationship with financial records. Do you agree with this statement? (Aug 2020, 5 marks)
Answer:
Administrative Controls have an indirect relationship with financial records. Operational controls are those which help in improving the efficiency and productivity of an organisation and not necessarily enter the accounting systems.

A number of controls falling under operational controls can also be. administrative controls. Examples of such controls are quality control, work standards, periodic reporting, policy appraisal etc. The administrative controls are very wide in their scope and they include all other managerial controls concerned with decision making process. They are concerned with the authorization of transactions and include anything from plan of organization to procedures, record keeping, distribution of authority and the process of decision making. They include controls such as time and motion studies, quality control through inspection, performance budgeting, responsibility accounting and performance evaluation. Accounting controls pertain purely to the accounting system which enter finally in the preparation of financial statements and information which are subject to the expression of opinion by the auditors.

Whereas operational controls which can also be termed as administrative controls have an indirect relationship with financial records and the auditor may evaluate only those administrative controls which have a bearing on the financial records.

Question 21.
Explain the meaning of internal control and internal audit.and also mention how these two are different from each other. (Aug 2021, 5 marks)
Answer:
The term internal control is defined as a system or plan of accounting and financial organization within a business comprising all the methods and measures necessary for safeguarding its assets, checking the accuracy of its accounting data or otherwise substantiating its financial statements, and policing previously adopted rules; procedures and policies as to compliance and effectiveness. Internal control is not necessarily a control over finance only. Its scope is wider as it covers the control of the whole management system.

Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes.
The scope of internal auditing is broad. It may involve topics such as an organisation’s governance, risk management and management controls over efficiency of operations, reliability of financial and management reporting and compliance with laws and regulations.

Differences between Internal Control and Internal Audit:

Basis	Internal Control	Internal Audit
Meaning	Internal Control means the process designed, implemented and maintained by those charged with governance, management and other personnel to provide reasonable assurance about the achievement of an entity’s objectives with regard to reliability of financial reporting, effectiveness and efficiency of operations, and compliance with applicable laws and regulations.	Internal auditing means an audit on behalf of management to ensure the adequacy and effectiveness of internal controls, accuracy and timeliness of financial and other records and reports and adherence to the laid down policies and procedures by each unit of the organization.
Verification	It is a self-balancing mechanism implemented by the management, so as to ensure that the entire work process is divisible in parts, so that not a single person may have the access to complete the entire process	The entire work process/system is checked and reviewed by the internal auditor.
Reporting	It is a mechanism introduced by the management.	Internal auditor submit its report to the management.
What it is?	It is a system introduced by the management.	It is an activity done by the internal auditor.
When it is done?	Internal Control is a policy decision by the management and is a continuous process.	Its periodicity may be yearly or half yearly or quarterly, as decided by the management.
Purpose	Formulation and circulation of management principles and policies and effective and speedy execution thereof with the help of internal checking and internal audit activities.	Detecting andTeporting errors and frauds and irregularities regarding assets committed, if any detection and prevention activity.
Scope	Wider in scope than internal audit.	Limited to a continuous internal system of checking financial and non-financial operations and reporting to internal top management.

Question 22.
Define compliance. What is the difference between compliance and conformance? (Dec 2022, 5 marks)
Answer:
OECD defines compliance as the act of adhering to, and the ability to demonstrate adherence to mandated requirements defined by laws and regulations, as well as voluntary requirements resulting from contractual obligations and internal policies.
The International Compliance Association has defined the term compliance as the ability to act according to an order, set of rules or request. Compliance mainly operates at two levels:

• Level 1 – compliance with the external rules that are imposed upon an organisation as a whole
• Level 2 – compliance with internal systems of control that are imposed to achieve compliance with the externally imposed rules.

The difference between compliance and conformances as below:

Compliance	Conformance
Forced adherence to a law, regulation, rule, process or practice.	Voluntary adherence to a standard, rule, specification, requirement, design, process or practice.
Applies to laws and regulations that one has no option but to follow or face penalties. Such regulations may potentially be productive for society but don’t necessarily contribute to an organization’s goals	Applies to strategies and plans that are adopted to be more productive or to improve quality.

Question 23.
Define internal audit. What are the main aspects of internal auditing? (Dec 2021, 5 marks)
Answer:
Internal audit is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.
The main aspects of internal auditing are:

• Review, appraisal and evaluation of the soundness, adequacy and application of financial, accounting and other operating controls.
• Ascertaining the achievement of management objectives and compliance with established plans, policies and procedures.
• Ascertaining the adequacy and reliability of management information and control systems.
• Ensuring proper safeguards for assets – their utilization and accounting thereof.
• Identifying the areas of cost reduction, coupled with increased production, improved productivity and improved systems.
• Ascertaining the integrity of management data in an organisation.
• Detection and prevention of fraud and error. –
• Ascertaining the quality of performance and undertaking ‘value for money’ exercises.
• Undertaking special reviews and assignments directed by management to ensure economical and efficient use of resources.
• Compliance with statutory laws and rules including adherence to the Companies (Auditors’ Report) Order to avoid adverse comments from the statutory auditors.
• To provide for a channel of communicating new ideas to the top management.

Question 24.
“Internal control is a part of the internal check system.” Discuss. (Dec 2021, 5 marks)
Answer:
According to Standard on Auditing (SA) 315, internal control is the process designed, implemented and maintained by those charged with governance, management and other personnel to provide reasonable assurance about the achievement of an entity’s objectives with regard to reliability of financial reporting, effectiveness and efficiency of operations, and compliance with applicable laws and regulations.

Internal check refers to allocation of duties in such a manner that the work of one person is checked by another while that other is performing his own duties in a normal way. In other words, it may be referred to as a system of instituting checks on the day to-day transactions which operate continuously as a part of routine system whereby the work of one person is complementary to the work of another, the object being the prevention or early detection of errors or fraud. The objective of such allocation of duties is that no single individual has an exclusive control over any one transaction or group of transactions.

Thus, internal check is a part of the overall internal control system and a method of division of work with the objective of prevention or early detection of errors or fraud. Hence, it is not correct to say that internal control is part of the internal check system.

Question 25.
State in brief, the components of internal control under the framework of the Committee of Sponsoring Organizations (COSO). (Dec 2021, 5 Marks)
Answer:
A system of internal control has five components under the Committee of Sponsoring Organizations (COSO) framework which are as follows:
1. Control environment:

• Exercise integrity and ethical values.
• Use the board of directors and audit committee.
• Make a commitment to competence.
• Create organizational structure.
• Facilitate management’s philosophy and operating style.
• Utilize human resources policies and procedures.
• Issue assignment of authority and responsibility.

2. Risk assessment:

• Incorporate process-level objectives.
• Create company wide objectives.
• Perform risk identification and analysis.
• Manage change.

3. Control activities:

• Conduct application change management.
• Improve security (application and network).
• Follow policies and procedures.
• Plan business continuity/backups.
• Perform outsourcing.

4. Information and communication:

• Measure quality of information.
• Measure effectiveness of communication.

5. Monitoring:

• Perform ongoing monitoring.
• Conduct separate evaluations.
• Report deficiencies.

Question 26.
(i) “A trusted employee who has easy access to a business’s finances may abuse his authority by stealing company funds.” Considering the statement, narrate any 10 points to be worth noted for a variety of internal control techniques in your organisation. (June 2022, 5 marks)
(ii) As a Company Secretary of the Company, you are asked by the management to provide inputs on Internal Control to be observed by the Audit Committee mandatorily in terms of Regulation 18 of SEBI (Listing Obligations and Disclosure Requirements) Regulations, 2015. State any five information which are to be mandatorily reviewed by the Audit Committee in this regard. (June 2022, 5 marks)
(iii) State any five points/sub-points which are incorporated in the compliance certificate which shall be furnished by CEO and CFO of a company in terms of Regulation 17 of SEBI (Listing Obligations and Disclosure Requirements) Regulations, 2015. (June 2022, 5 marks)

Question 27.
You are a company secretary of a listed company. The company has borrowings from the Banks/FIs worth ₹ 75 crores, which is in the form of Term Loan and Working Capital Finance. You noticed that the company is not having Vigil Mechanism in place. Suggest the suitable strategy to the Board for establishment of Vigil Mechanism in the company quoting the relevant provisions of the Companies Act, 2013 and SEBI (LODR) Regulations, 2015. (June 2019, 5 marks)
Answer:
Section 177 (9) of the Companies Act, 2013 Provides that every listed company or such class or classes of companies, as may be prescribed, shall establish a vigil mechanism/whistle blower policy for directors and employees to report genuine concerns in such manner as may be prescribed. Rule 7 of the Companies (Meetings of Board and its Powers) Rules, 2014 provides that every listed company and the companies belonging to the following class or classes shall establish a vigil mechanism for their directors and employees to report their genuine concerns or grievances:
(a) the Companies which accept deposits from the public
(b) the Companies which have borrowed money from banks and public financial institutions in excess of fifty crore rupees.
Regulation 22 of SEBI (LODR) Regulations, 2015 provides that every listed entity shall establish a vigil mechanism for directors and employees to report concerns about unethical behaviour, actual or suspected fraud or violation of the listed entity code of conduct or ethics policy.

Since the company is a listed company, it should establish vigil mechanism as per both Section 177(9) of the Companies Act, 2013 and SEBI (LODR) Regulations, 2015 with following provisions:

• The audit committee shall oversee the vigil mechanism/whistle blower policy through the committee and if any of the members of the committee have a conflict of interest in a given case, they should remise themselves and the others on the committee would deal with the matter on hand.
• The vigil mechanism shall provide for adequate safeguards against victimisation of employees and directors who avail of the vigil mechanism and also provide for direct access to the Chairperson of the Audit Committee or the director nominated to play the role of Audit Committee, as the case may be, in exceptional cases.
• In case of repeated frivolous complaints being filed by a director or an employee, the audit committee or the director nominated to play the role of audit committee may take suitable action against the concerned director or employee including reprimand.
• The details of establishment of such mechanism shall be disclosed by the listed entity on its website and in the Board’s report.

Internal Control Notes

Steps for Internal Control

• Identify the key areas where the internal control mechanism is to be established.
• Every work flow should be so documented that it is not complete if another person has not checked it out.
• The other person’s role should start when the first person’s role comes to an end.
• Establish the surprise check mechanism where the money matters are involved.
• Reporting of the non-adherence of key compliance areas.
• Review mechanism of the control units.
• Establishment of Vigil Mechanism

COSO:
COSO is the abbreviation of, The Committee of Sponsoring Organizations of the Treadway Commission (COSO). It is a joint initiative of the five private sector organizations (American Accounting Association, American Institute of CPA, Financial Executives International, The Association of Accountants and Financial Professionals in Business and The Institute of Internal Auditors) and is dedicated to providing thought leadership through t the development of frameworks and guidance on enterprise risk management, internal control and fraud deterrence.

Internal control:
Internal control is a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance.
What Internal Control Can Do

• Internal control can help an entity achieve its performance and profitability targets, and prevent loss of resources.
• It can help ensure reliable financial reporting.
• It can help ensure that the enterprise complies with laws and regulations, avoiding damage to its reputation and other consequences.
• In sum, it can help an entity get to where it wants to go, and avoid pitfalls and surprises along the way.

Internal Auditors:
Internal auditors play an important role in evaluating the effectiveness of control systems, and contribute to ongoing effectiveness. Because of organizational position and authority in an entity, an internal audit function often plays a significant monitoring role.

Internal Check:
Internal check is an arrangement of as duties allocated in such a way that the work of one clerk is automatically checked by another while internal audit is an independent review of operations and records undertaken by the staff specially appointed for the purpose.