Risk Assessment and Internal Control – CA Final Audit Question Bank

Risk Assessment and Internal Control – CA Final Audit Question Bank is designed strictly as per the latest syllabus and exam pattern.


Audit Risk

Question 1.
Write short note on: Audit Risk
Answer:
Audit Risk:
As per SA 200 “Overall Objectives of the Independent Auditor and the Conduct of an Audit in Accordance with Standards on Auditing”, audit risk is a function of the risks of material misstatement and detection risk.

Audit risk may be defined as the risk that the auditor gives an inappropriate audit opinion when the financial statements are materially misstated. Thus, it is the risk that the auditor may fail to express an appropriate opinion in an audit assignment.

An auditor may consider audit risk both at the overall level and at the level of individual account balances or classes of transactions. At the overall level, the auditor applies his professional judgment to determine the extent of risk which he considers to be an acceptable level. At the account balance level, audit risk refers to the risk that an error in monetary terms exists beyond a tolerable error limit in the account balances or class of transactions which the auditor fails to detect.

Audit Risk has three components: Inherent Risk, Control Risk and Detection Risk. Inherent Risk and Control Risk are collectively known as Risk of Material Misstatement.

Inherent Risk is the susceptibility of an account balance or class of transaction to a material misstatement, assuming that there were no internal controls.

Control Risk is the risk that material misstatement will not be prevented or detected and corrected on a timely basis by the internal control system.

Detection Risk is the risk that the substantive procedures performed by the auditor fail to detect material misstatement.

Question 2.
In the audit planning process of X Ltd., you would like to consider audit risk at the financial statement level. What are the factors that can influence your decision? [May 10 (3 Marks)]
Or
Write Short note on: Evaluation of Inherent Risk at the Level of Financial Statements. [May 14 (4 Marks)]
Or
Explain the concept of Audit Risk at the Level of Financial Statements.
Answer:
Factors to be evaluated to assess inherent risk at the level of financial statements:

  1. Integrity of management
  2. Management’s experience and knowledge and changes in management during the period.
  3. Unusual pressures on management.
  4. The nature of the entity’s business.
  5. Factors affecting the industry in which the entity operates.


Question 3.
As the auditor of a large multi locational company, in the planning process, you are requested to identify the inherent audit risk at the account balance and class of transaction level. [May 13 (4 Marks)]
Or
Describe how you would identify the inherent risk at the account balance and class of transaction level in the planning process of the audit of a large multi-locational company. [Nov. 14 (4 Marks)]
Answer:
Identifying inherent risk at the account balance and class of transaction level:
To evaluate the inherent risk at the account balance and transaction level, auditor should evaluate the following factors:

  1. Quality of the accounting system.
  2. Susceptibility of Financial statements to misstatement.
  3. The complexity of underlying transactions and other events which might require using the work of an expert.
  4. The degree of judgment involved in determining account balances.
  5. Susceptibility of assets to loss or misappropriation.
  6. The completion of unusual and complex transactions, particularly at or near period end.
  7. Transactions not subjected to ordinary processing.

“ICAI Examiner Comments”
Question not clearly understood by majority of candidates and answered in general manner. In fact, most of the candidates showed lack of understanding of the topic on inherent risk and discussed control risk and detection risk which was not required in the question.

Question 4.
Write short note on: Factors relevant in evaluation of inherent risk.
Answer:
Factors to be evaluated to assess inherent risk at the level of financial statements:

  1. Integrity of management
  2. Management’s experience and knowledge and changes in management during the period.
  3. Unusual pressures on management.
  4. The nature of the entity’s business.
  5. Factors affecting the industry in which the entity operates.

Identifying inherent risk at the account balance and class of transaction level:
To evaluate the inherent risk at the account balance and transaction level, auditor should evaluate the following factors:

  1. Quality of the accounting system.
  2. Susceptibility of Financial statements to misstatement.
  3. The complexity of underlying transactions and other events which might require using the work of an expert.
  4. The degree of judgment involved in determining account balances.
  5. Susceptibility of assets to loss or misappropriation.
  6. The completion of unusual and complex transactions, particularly at or near period end.
  7. Transactions not subjected to ordinary processing.


Question 5.
While commencing the statutory audit of B Company Limited, the auditor undertook the risk assessment and found that the detection risk relating to certain class of transactions cannot be reduced to acceptance level. Explain.   [May 17 (5 Marks)]
Answer:
Assessment of Risk and Acceptable Level:
SA 315 “Identifying and Assessing the Risk of Material Misstatement Through Understanding the Entity and its Environment” and SA 330 “The Auditor’s Responses to Assessed Risks” establish standards on the procedures to be followed to obtain an understanding of the accounting and internal control systems and on audit risk and its components.

SA 315 and SA 330 require that the auditor should use professional judgment to assess risk of material misstatement and to design audit procedures to ensure that it is reduced to an acceptably low level.

Risk of Material Misstatement comprises Inherent Risk and Control Risk. “Detection risk” is the risk that an auditor’s substantive procedures will not detect a misstatement that exists in an account balance or class of transactions that could be material.

The higher the risk of material misstatement, the more audit evidence the auditor should obtain from the performance of substantive procedures. When both inherent and control risks are assessed as high, the auditor needs to consider whether substantive procedures can provide sufficient appropriate audit evidence to reduce detection risk, and therefore audit risk, to an acceptably low level.

The auditor should use his professional judgment to assess audit risk and to design audit procedures to ensure that it is reduced to an acceptably low level. If it cannot be reduced to an acceptable level, the auditor should express a qualified opinion or a disclaimer of opinion as may be appropriate.


Question 6.
Compute the overall Audit Risk if looking to the nature of business there are chances that 40% bills of services provided would be defalcated, inquiring on the same matter management has assured that internal control can prevent such defalcation to 75%. At his part the Auditor assesses that the procedure he could apply in the remaining time to complete Audit gives him satisfaction level of detection of frauds & error to an extent of 60%. Analyse the Risk of Material Misstatement and find out the overall Audit Risk. [MTP-April 19, Oct. 20]
Answer:
Determination of Audit Risk:
As per SA 200, “Overall Objectives of the Independent Auditor and the Conduct of an Audit in Accordance with Standards on Auditing”, Audit Risk is the risk that the auditor will issue an inappropriate opinion when the financial statements are materially misstated.

Audit Risk is a function of two components: Risk of Material Misstatement and Detection Risk, i.e. Audit Risk = Risk of Material Misstatement × Detection Risk

Risk of Material Misstatement is the anticipated risk that a material misstatement may exist in the financial statements before the start of the audit. It has two components: Inherent Risk and Control Risk. The relationship can be defined as Risk of Material Misstatement = Inherent Risk × Control Risk

Inherent Risk is the susceptibility of an assertion about an account balance, class of transaction or disclosure to a misstatement that could be material, either individually or when aggregated with other misstatements, before consideration of any related internal control. Inherent Risk in the given case is 40%.

Control Risk is the risk that material misstatement will not be prevented or detected and corrected on a timely basis by the internal control system. Control risk in the given case is 25% (100% – 75%).

Risk of Material Misstatement = 40% × 25% = 10%

Detection Risk is the risk that the substantive procedures performed by the auditor fail to detect material misstatement. Detection Risk in the given case is 100% – 60% = 40%

Overall Audit Risk = Risk of Material Misstatement × Detection Risk = 10% × 40% = 4%

Risk Based Audit

Question 7.
What are the General Steps in the conduct of Risk Based Audit?  [May 16 (4 Marks), RTP – Nov. 20]
Or
What are the main phases in the conduct of risk-based audit.   [May 17 (4 Marks)]
Or
ST Ltd. is a growing company and currently engaged in the business of manufacturing of tiles. The company is planning to expand and diversify its operations. The management has increased the focus on the internal controls to ensure better governance. The management had a discussion with the statutory auditors to ensure the steps required to be taken so that the statutory audit is risk based and focused on areas of greatest risk to the achievement of the company’s objectives. Please advise the management and the auditor on the steps that should be taken for the same. [MTP-March 19, RTP-May 19]
Answer:
Steps to be followed while conducting Risk Based Audit:
Risk Based audit is an audit approach that analyzes audit risks, sets materiality thresholds based on audit risk analysis, and develops audit programmes that allocate a larger portion of audit resources to high-risk areas.


Stages in Risk Based Audit:

  1. Understanding the auditee operations: Auditor should understand the auditee operations in order to identify and prioritize the risks that impact audit of financial statements. Auditor should obtain understanding of the following:
    • Environment in which entity operates.
    • Framework of operations;
    • Operational performances;
    • Information process framework etc.
  2. Determination of Residual Risk: Auditor should assess entity management strategies and controls so as to determine how the controls are designed within the entity.
  3. Manage Residual Risk: It requires design and execution of a risk reduction approach so as to bring the residual audit risk to an acceptable level. More resources should be allocated to areas of high audit risks.
  4. Reporting to Auditee: The auditor should communicate to the auditee immediately his significant observation w.r.t. following:
    • weaknesses in the internal control system,
    • deficiencies in the design and operation of internal controls that affect the organization’s ability to record, process, summarize and report financial data.

“ICAI Examiner Comments”
Candidates lacked conceptual knowledge of the topic and instead of explaining the steps in conducting Risk based audit, mentioned and explained types of risk.


Internal Control

Question 8.
Pasta Ltd., a manufacturing concern, wants to develop an internal control system. You are an expert in developing the internal control system, hereby called to brief about the same. In view of above, you are required to brief about internal control system and inherent limitations of the internal control.
Answer:
Internal Control System and its Inherent Limitations:
SA 315 “Identifying and Assessing the Risk of Material Misstatement Through Understanding the Entity and its Environment” defines internal control as the process designed, implemented and maintained by TCWG, management and other personnel to provide reasonable assurance about the achievement of an entity’s objectives with regard to

(a) reliability of financial reporting;
(b) effectiveness and efficiency of operations;
(c) safeguarding of assets; and
(d) compliance with applicable laws and regulations.

Inherent Limitations of Internal Control System:
(a) Management’s consideration that a control should be cost-effective.
(b) The fact that most controls do not tend to be directed at transactions of unusual nature.
(c) Potential for human error.
(d) Possibility of circumvention of controls through collusion with parties outside the entity or with employees of entity.
(e) Possibility that a person responsible for exercising control could abuse that authority.
(f) Possibility that procedures may become inadequate due to changes in conditions and compliance with procedures may deteriorate.
(g) Manipulations by management with respect to transactions or estimates and judgments required in the preparation of financial statements.


Question 9.
XYZ Hospital Private Ltd. is engaged in running a hospital of 200 Beds since last 20 years. Revenue Track of the hospital for last 3 years is as under:
2017-18 : ₹ 20 Crores
2018-19 : ₹ 25 Crores
2019-20 : ₹ 35 Crores
Hospital has its own Pharmacy, Laboratory, Blood Bank, Radiology & General Stores. Its management suspects that leakages/theft is happening in Pharmacy, Radiology, Laboratory and General Stores departments. It seeks advice of RST & Co., Internal Auditors of the Company, as to how it can Institute/Improve its Internal Control. In this context, Management wants to understand the concept of components of Internal Control Structure in detail. Advise. [MTP-Aug. 18]
Answer:
Key components of Internal Control Structure:
Internal Control structure in an organization is referred to as the policies and procedures established by the entity to provide reasonable assurance that the objectives are achieved.

The control structure in an organization basically has the following components:

1. Control Environment – Control environment covers the effect of various factors like management attitude, awareness and actions for establishing, enhancing or mitigating the effectiveness of specific policies and procedures.

2. Accounting System – Accounting system means the process by which transactions are processed for maintaining financial records. The accounting system identifies, assembles, analyzes, calculates, classifies, records, summarizes and reports transactions and other events.

3. Control Procedure – Control procedures mean those policies and procedures, in addition to the control environment and accounting systems, which the management has established to achieve the entity’s specific objectives. Such policies and procedures cover the following:

  • Segregation of duties.
  • Authorisation of Transactions.
  • Adequacy of records and documents.
  • Accountability and safeguarding of assets.
  • Independent checks.


Question 10.
As auditor of Z Ltd., you would like to limit your examination of account balance tests. What are the control objectives you would like the accounting control system to achieve to suit your purpose? [May 10 (4 Marks)]
Answer:
Control Objectives:
The objectives of internal control systems are determined by the management, after considering the nature of business, scale of operations, the extent of professionalism of the management etc. The objectives of internal controls relating to the accounting system are:

  1. Transactions are executed through general or specific management authorization.
  2. All transactions are promptly recorded in an appropriate manner to permit the preparation of financial information and to maintain accountability of assets.
  3. Assets and records are safeguarded from unauthorized access, use or disposition.
  4. Assets are verified at reasonable intervals and appropriate action is taken with regard to the discrepancies.

Precisely, the control objectives ensure that the transactions processed are complete, valid and accurate. The basic accounting control objectives which are sought to be achieved by any accounting control system are:
(a) whether all transactions are recorded;
(b) whether recorded transactions are real;
(c) whether all recorded transactions are properly valued;
(d) whether all transactions are recorded timely;
(e) whether all transactions are properly posted;
(f) whether all transactions are properly classified and disclosed;
(g) whether all transactions are properly summarized.


Question 11.
As an auditor, during your interim visit at Marathon Ltd. you observed that internal controls were not in use throughout the period covered under audit. What are the controls objectives you would like to consider to achieve your purpose? [May 15 (6 Marks)]
Answer:
Control Objectives to be considered for Audit Purpose:
The objectives of internal control systems are determined by the management, after considering the nature of business, scale of operations, the extent of professionalism of the management etc. Auditor’s knowledge about the existence of control activities assists the auditor in determining whether it is necessary to devote additional attention to obtaining an understanding of control activities.

To ensure whether the internal controls were in use throughout the period or not, the auditor may consider the following control objectives:

  1. Existence and effective implementation of policies and procedures so as to ensure orderly and efficient conduct of business.
  2. Safeguarding of assets.
  3. Prevention and detection of frauds and errors.
  4. Accuracy and completeness of the accounting records.
  5. Timely preparation of reliable financial information.
  6. Compliance with applicable laws and regulations.
  7. Verification of assets at reasonable intervals.
  8. Proper authorization of transactions.
  9. Monitoring of accounting/financial controls.
  10. Reviews of performance.
  11. Segregation of duties.

“ICAI Examiner Comments”
Most of the candidates could not describe the control objectives as required in the question.


Question 12.
In the use of standardized Internal Control Questionnaire (ICQ), certain basic assumptions about elements of a good internal control system are taken into account. List down few such assumptions. [Nov. 18-New Syllabus (4 Marks)]
Answer:
Assumptions presumed about elements of good control while using standardized internal control questionnaire:

  1. Certain procedures in general used by most business concerns are essential in achieving reliable internal control. For example, deposits into bank of the entire receipts of a day or daily balancing of the cash book and ledgers or periodic reconciliation with the control accounts.
  2. Extensive division of duties and responsibilities within the organisation.
  3. Separation of accounting function from the custodial function.
  4. No single person is entrusted with the responsibility of completing a transaction all by himself.
  5. There should always be evidence to identify the person who has done the work whether involving authorisation, implementation or checking.
  6. The work performed by each one is expected to come under review of another in the usual course of routine.
  7. There is proper documentation and recording of the transactions.

“ICAI Examiner Comments”
Examinees failed to point out the basic assumptions about elements of good control in case of standardized internal control questionnaire.


Question 13.
Explain briefly the Flow Chart technique for evaluation of the Internal Control system. [Nov. 09 (4 Marks)]
Answer:
Flow Chart Technique for evaluation of Internal Control System:

  1. It is a graphic presentation of internal controls in the organisation and is normally drawn up to show the controls in each section or sub-section.
  2. It provides the most concise and comprehensive way for reviewing the internal controls and the evaluator’s findings.
  3. A flowchart is a diagram full of lines and symbols, and if judicious use of them is made, it is probably an effective way of presenting the state of internal controls in the client’s organisation.
  4. A properly drawn up flow chart can provide a neat visual picture of the whole activities of the section or department involving flow of documents and activities. More specifically it can show:
    • at what point a document is raised internally or received from external sources;
    • the number of copies in which a document is raised or received;
    • the intermediate stages set sequentially through which the document and the activity pass;
    • distribution of the documents to various sections, department or operations;
    • checking authorisation and matching at relevant stages;
    • filing of the documents; and
    • final disposal by sending out or destruction.


Question 14.
Briefly discuss the compliance procedures and their use in evaluation of internal controls.
Answer:
Compliance Procedures:
Compliance procedures are tests designed to obtain reasonable assurance that those internal controls on which audit reliance is to be placed are in effect. Obtaining audit evidence from compliance procedures is intended to reasonably assure the auditor in respect of the following assertions:

  • Existence – that the internal control exists.
  • Effectiveness – that the internal control is operating effectively.
  • Continuity – that the internal control has so operated throughout the period of intended reliance.

Compliance procedures (also known as Tests of control) may include:
(a) Inspection of documents supporting transactions and other events to gain audit evidence that internal controls have operated properly.
(b) Inquiries about and observation of internal controls which leave no audit trail.
(c) Re-performance of internal controls.
(d) Testing of internal controls operating on specific computerised applications.

The auditor’s objective in studying and evaluating internal controls is to establish the reliance he can place thereon in determining the nature, timing and extent of his substantive auditing procedures. Based on the results of his compliance procedures, the auditor evaluates whether the internal controls are adequate for his purpose.

If based on the results of the compliance procedures, the auditor concludes that it is not appropriate to rely on a particular internal control to the degree previously contemplated, he should ascertain whether there is another control which would satisfy his purpose and on which he might rely (after applying appropriate compliance procedures). Alternatively, he may modify the nature, timing or the extent of his substantive audit procedures.


Question 15.
“Surprise Checks” help the auditors to ascertain whether the internal control system is operating effectively in a company or not. Discuss.
Answer:
Importance of Surprise checks in ascertaining operating effectiveness of internal control:
SA 315 “Identifying and Assessing the Risk of Material Misstatement through Understanding the Entity and its Environment” requires the auditor to obtain an understanding of the entity and its environment including internal control. SA 330 “The Auditor’s Responses to Assessed Risks” requires the auditor to design and perform tests of controls to obtain sufficient appropriate audit evidence as to the operating effectiveness of internal controls.

The understanding of the internal control system can be obtained in several ways including inspection of documents and making inquiries of management and TCWG, observation of activities, etc. In this context, surprise checks intend to ascertain whether the system of internal control is operating effectively and whether the accounting and other records are prepared concurrently and kept up-to-date.

Surprise checks are a useful method of determining whether or not errors exist and where they exist, to bring the matter promptly to the attention of the management so that corrective action is taken immediately.

As per the ICAI Recommendations, Surprise checks are a part of the normal audit and the results of such checks are important primarily to the auditor himself in deciding the scope of his audit and submitting his report thereon.

The need for and frequency of surprise checks is a matter to be decided having regard to the circumstances of each audit. It would depend upon the extent to which the auditor considers the internal control system as adequate, the nature of the clients’ transaction, the locations from which he operates and the relative importance of items like cash, investments, stores etc.

However, wherever feasible a surprise check should be made at least once in the course of an audit.

If this surprise check reveals any weaknesses in the system of internal control or any fraud or error or the fact that any book or register has not been properly maintained or kept up-to-date, the auditor should communicate the same to the management and ensure that action is taken on the matters communicated by him. It does not necessarily follow that all or any of the matters communicated to the management should form part of the auditor’s report on the accounts.

Conclusion: “Surprise checks” help the auditors, during the course of their audit, to ascertain whether the internal control is operating effectively in a company or not.

Question 16.
A newly qualified professional has received his first appointment as auditor of a large company and is very much concerned about the effectiveness of internal control and wants to assess and evaluate the control environment as part of his audit program. Towards achieving his objective, he seeks your help in knowing the Standard Operating Procedures (SOPs) of assessment and evaluation of control. [May 19 – New Syllabus (5 Marks)]
Answer:
Standard Operating Procedures (SOPs) of assessment and evaluation of control:
1. Enterprise Risk Management: An organization having robust processes to identify and mitigate risks across the entity, with periodical review of them, will be assisted in early identification of weaknesses in internal control and in taking effective control measures. In such entities, surprise failures in controls are likely to be few.

2. Segregation of Job Responsibilities: Segregation of duties is an important element of control which ensures that no two commercial activities are conducted by the same person.

3. Job Rotation in Sensitive Areas: In key commercial functions, job rotation is regularly followed to avoid degeneration of controls.

4. Documents of delegation of Financial Powers: A document on delegation of powers allows controls to be clearly operated without being dependent on individuals.

5. IT based Controls: In an IT environment, it is much easier to embed controls through the system instead of being human dependent. IT embedded controls are likely to have a low failure rate and a better audit trail, and are thus easier to monitor.

Question 17.
Y Co. Ltd. has five entertainment centers to provide recreational facilities for public especially for children and youngsters at 5 different locations in the peripheral of 200 kilometers. Collections are made in cash. Specify the adequate system towards collection of money. [Nov. 11 (6 Marks), MTP – April 18]
Answer:
System towards collection of money:
(a) Printing of tickets: Tickets should be serially numbered and pre-printed. Serial numbers should not be repeated during a reasonable period, say a month or year depending on the turnover.

(b) Sale of Tickets: Tickets should be sold from the Central ticket office at each of the 5 centers, preferably through machines.

(c) Reconciliation of daily cash: Cash collection at each office should be reconciled with the number of tickets sold.

(d) Banking of daily cash collection: Daily collection should be deposited in the bank on next working day of the bank. Till that time, the cash should be in the custody of properly authorized person.

(e) Cancellation of Entrance ticket: Entrance tickets should be cancelled at the entrance gate when public enters the centre.

(f) Advance booking: If advance booking of facility is made available, the system should ensure that all advance booked tickets are paid for.

(g) Discounts and free pass: The discount policy should be such that the concessional rates should be properly authorized and signed forms for such authorization should be preserved.

(h) Surprise checks: Internal audit system should carry out periodic surprise checks for cash counts, daily banking, reconciliation and stock of unsold tickets etc.


Question 18.
During the course of his audit, the auditor noticed material weaknesses in the internal control system and he wishes to communicate the same to the management. You are required to elucidate the important points the auditor should keep in mind while drafting the letter of weaknesses in internal control system. [Nov. 15 (4 Marks), MTP-Oct. 18, May 20 RTP-Nov. 18, May 20]
Answer:
Points to be considered while drafting letter of weaknesses:
As per SA 265, “Communicating Deficiencies in Internal Control to Those Charged with Governance and Management”, the auditor shall include in the written communication of significant deficiencies in internal control:

(a) A description of the deficiencies and an explanation of their potential effects; and
(b) Sufficient information to enable those charged with governance and management to understand the context of the communication.

This communication should be, preferably, in writing through a letter of weakness. Important points with regard to such a letter are as follows:
(a) It lists down the area of weaknesses in the internal control system and recommends suggestions for improvement.

(b) It should clearly indicate that this letter covers only weaknesses which have come to the attention of the auditor during his evaluation of internal control for the purpose of determining nature, timing and extent of further audit procedures.

(c) Letter should clearly indicate that his examination of internal control has not been designed to determine the adequacy of internal control for management.

(d) This letter serves as a significant means for management and governing body for the purpose of improving the system and its strict implementation.

(e) The letter may also serve to minimize legal liability in the event of a major defalcation or other loss resulting from a weakness in internal control.

“ICAI Examiner Comments”
Examinees failed to point out the important points to be included in letter of weakness.

Question 19.
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) framework includes 17 principles representing the fundamental concepts associated with its five components. List these principles.
Answer:
Principles representing fundamental concepts associated with five components of Internal Control:

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) framework includes 17 principles representing the fundamental concepts associated with its five components. These components and the associated principles are:

| Components | Principles |
|---|---|
| Control Environment | 1. Demonstrates commitment to integrity and ethical values |
| | 2. Exercises oversight responsibility |
| | 3. Establishes structure, authority, and responsibility |
| | 4. Demonstrates commitment to competence |
| | 5. Enforces accountability |
| Risk Assessment | 6. Specifies suitable objectives |
| | 7. Identifies and analyses risk |
| | 8. Assesses fraud risk |
| | 9. Identifies and analyses significant change |
| Control Activities | 10. Selects and develops control activities |
| | 11. Selects and develops general controls over technology |
| | 12. Deploys through policies and procedures |
| Monitoring | 13. Uses relevant information |
| | 14. Communicates internally |
| | 15. Communicates externally |
| Information and Communication | 16. Conducts ongoing and/or separate evaluations |
| | 17. Evaluates and communicates deficiencies |

Question 20.
Write a short note on: Control Objectives for Information and Related Technology (CoBIT) Framework.
Answer:
Control Objectives for Information and Related Technology (CoBIT) Framework:
Control Objectives for Information and Related Technology, commonly known as CoBIT, is a framework created by ISACA (Information Systems Audit and Control Association) for IT governance and management. It is meant to be a supportive tool for managers and allows bridging the crucial gap between technical issues, business risks and control requirements.

Business managers are equipped with a model to deliver value to the organization and to practise better risk management associated with the IT processes.

It is a control model that guarantees the integrity of the information system. Today, CoBIT is used globally by all managers who are responsible for the IT business processes. It is a thoroughly recognized guideline that can be applied to any organization across industries.

Overall, CoBIT ensures quality, control and reliability of information systems in an organization, which is also the most important aspect of every modern business.

Internal Check

Question 21.
Write short note on: Objectives of Internal Check System. [May 14 (4 Marks)]
Answer:
Objectives of Internal Check System:

  1. To detect errors and frauds with ease.
  2. To avoid and minimize the possibility of commission of errors and fraud.
  3. To increase the efficiency of the staff working within the organization.
  4. To locate the responsibility area or the stages where actual fraud and error occur.
  5. To protect the integrity of the business by ensuring that accounts are always subject to proper scrutiny and check.
  6. To prevent and avoid the misappropriation or embezzlement of cash and falsification of accounts.

Question 22.
The Auditor of S Limited has just commenced the statutory audit. What should be the considerations for the effectiveness of a system of internal check? [Nov. 13 (4 Marks)]
Or
State the considerations on which effectiveness of an efficient system of internal check depends. [Nov. 16 (4 Marks)]
Answer:
Considerations for effectiveness of a system of internal check:

  1. No single person should have an independent control over any important aspect of the business.
  2. The duties of members of the staff should be changed from time to time without any previous notice so that the same officer or subordinate does not, without a break, perform the same function for a considerable length of time.
  3. Every member of the staff should be encouraged to go on leave at least once in a year.
  4. Persons having physical custody of assets must not be permitted to have access to the books of account.
  5. To prevent loss or misappropriation of cash, mechanical devices, such as the automatic cash register, should be employed.
  6. Budgetary control would enable the management to review from time to time the progress of trading activities.
  7. The financial and administrative powers should be distributed very judiciously among different officers and the manner in which these are actually exercised should be reviewed periodically.
  8. Procedures should be laid down for periodical verification and testing of different sections of accounting records to ensure that they are accurate.
  9. Accounting procedures should be reviewed periodically, for, even well-designed and carefully installed procedures, in course of time, cease to be effective.

Question 23.
New life Hospital is a multi-specialty hospital which has been facing a lot of pilferage and troubles regarding their inventory maintenance and control. On investigation into the matter it was found that the person in charge of inventory inflow and outflow from the store house is also responsible for purchases and maintaining inventory records. According to you, which basic system control has been violated? Also list down the other general conditions pertaining to such a system which need to be maintained and checked by the management. [Nov. 15 (4 Marks), RTP – May 20]
Answer:
Deficiencies in Internal Control System:
An organisation is required to segregate the responsibilities of its employees in such a manner that no single person should have an independent control over any important aspect of the business. In the present case, the person in charge of inventory is not only responsible for inflow and outflow of inventory from the store house but also responsible for purchases and maintaining inventory records. So in this case, one of the essentials of an internal check system, namely that independent and complete control should not be given to a single person, has been violated.

“ICAI Examiner Comments”
Examinees did not discuss the general conditions pertaining to the internal check system. The answers were general. Many examinees applied internal control instead of internal check. Also, some examinees wrote about stock audit.

Question 24.
BSF Limited is engaged in the business of trading leather goods. You are the internal auditor of the company for the year 2020-21. In order to review internal controls of the Sales Department of the company, you visited the Department and noticed the work division as follows:

  1. An officer was handling the sales ledger and cash receipts.
  2. Another official was handling dispatch of goods and issuance of Delivery challans.
  3. One more officer was there to handle customer/debtor accounts and issue of receipts.

As an internal auditor, you are required to briefly discuss the general condition pertaining to the internal check system prevalent in internal control system. Do you think that there was proper division of work in BSF Limited? If not, why? [MTP-Oct. 19, RTP-Nov. 19]
Answer:
General Conditions pertaining to internal check:

Considerations for effectiveness of a system of internal check:

  1. No single person should have an independent control over any important aspect of the business.
  2. The duties of members of the staff should be changed from time to time without any previous notice so that the same officer or subordinate does not, without a break, perform the same function for a considerable length of time.
  3. Every member of the staff should be encouraged to go on leave at least once in a year.
  4. Persons having physical custody of assets must not be permitted to have access to the books of account.
  5. To prevent loss or misappropriation of cash, mechanical devices, such as the automatic cash register, should be employed.
  6. Budgetary control would enable the management to review from time to time the progress of trading activities.
  7. The financial and administrative powers should be distributed very judiciously among different officers and the manner in which these are actually exercised should be reviewed periodically.
  8. Procedures should be laid down for periodical verification and testing of different sections of accounting records to ensure that they are accurate.
  9. Accounting procedures should be reviewed periodically, for, even well-designed and carefully installed procedures, in course of time, cease to be effective.

In the given scenario, the Company has not done proper division of work, as:

  1. the receipts of cash should not be handled by the official handling sales ledger and
  2. delivery challans should be verified by an authorised official other than the officer handling despatch of goods.
