PART 1 LESSON 10

INTERNAL CONTROL & ETHICS

LESSON 10 INTERNAL CONTROL

CONTENT
1. Meaning
2. Objectives
3. Evaluation
4. Components
5. Types
6. Limitations
7. Procedure
8. Structure
9. Legal Aspects of Internal Control
10. Internal Audit
11. Ethical Guidelines for Management Accountants

RukshiCA 1
PART 1 LESSON 10
INTERNAL CONTROL & ETHICS

Internal Control
It provides a reasonable assurance to achieve the objectives of the organization.
Increases efficiency and ensures polices are implemented. It is the integration of
organization policies and attitudes. Assurance is provided to meet the entity’s objectives.
It includes:
 Effectiveness and efficiency in organizations operations
 Compliance with laws and regulations
 Reliability, complete and accurate financial information
 Safeguard of assets
Internal control helps in detecting fraud and organization resources. Resources are
directed monitored and measured. Internal control if it is assigned towards business entity
it is called as business controls.

Objectives of Internal Control

1. Internal control is ensured to meet the organization goal sand objectives.
2. Maintenance of documents adheres to the laws and regulations.
3. Use of resources is effective and also enhances the safety of assets,
4. Proper documentation enables reliable information to the auditors.

Evaluation of Internal Control

 It helps to certain the controls and procedures of the objectives.
 Decides the nature of audit procedure which to be expanded and which to be
curtailed.
 Identifies management assertion to check whether the transaction is complete
 Recommend the ways to improve internal control
 Helps in detection of error and other material misstatements
Components of Internal Control
Internal control consists of five components such as
 Control environment.
 Risk assessment.

RukshiCA 2
 PART 1 LESSON 10
INTERNAL CONTROL & ETHICS
 Information and communication.
 Control activities.
 Monitoring.
1. Control environment
Influence the control consciousness of people. It is the foundation of all the other
elements of internal control. Includes
 Ethical values,
 Leadership philosophy,
 Operating style,
 Polices and Procedures.
Assigns authority and responsibility to organize and develop its people.
2. Risk assessment
Identification and management of risk in achieving the objectives. Changing
economic and operating scenarios enables the organization to identify risk. Risk
assessment should be done at all levels in the organization for an effective internal
control system. Associate the risk pertaining to the financial statements in compliance
with the GAAP.
3. Information and communication
Proper information should be identified and organized for the organization
responsibilities. Clear and unambiguous message about the responsibilities should
flow from the top to bottom level management. Information should be clear stating
the nature of activity that is to be performed. It contains both operational and
financial information.
4. Control activities
Activities like polices and procedures that are caused out by the management. It
ensures about the action taken to achieve the risky objectives. It includes various
activities such as verification, reconciliations, and reviews of operating performance
and safeguarding of assets. They include establishing a policy and taking necessary
procedures to implement the policy. Activities should be implemented consciously
and thoughtfully.

RukshiCA 3
 PART 1 LESSON 10
INTERNAL CONTROL & ETHICS

5. Monitoring
Internal control polices and procedures should be monitored. Supervisory
activities are to be taken for the ongoing performance of the internal control system.
Monitoring of the policies should be done over time. It should be monitored in
reference to the changing environment scenario. Result in identifying the internal
control which is relevant and adhere to the objective.

Types of internal controls

Internal Controls are of two types they are
1. Internal Accounting Controls
2. Administrative Accounting Controls
1. Internal accounting controls
They are Guidelines and procedures relating to fair presentation of the books of
records and accounts. It gives a reasonable assurance that
• Transactions are transacted based on the accounting principles and standards.
• Liabilities have been identified and properly accounted.
• Accounting transaction meets all the legislative and legal requirements.

2. Administrative accounting controls

The accounting transactions are processed in accordance with the management’s
responsibilities and authorization. It ensures for effective segregation of duties.
• Proper maintenance of assets
• Safeguard of assets.
• Transactions to be authorized properly.
• Data inputs in conformity with the internal control procedures.

Limitations of Internal Control

1. Unusual transactions are ignored.
2. Change in the degree of risk is not adaptable by the internal control.

RukshiCA 4
PART 1 LESSON 10
INTERNAL CONTROL & ETHICS
3. Management override of internal activities weakens the system.
4. Internal control system provides only reasonable assurance and not absolute
assurance.
5. If the staffs are inefficient then there is no chance of effective internal control.
6. Internal control provides only timely information of the objective, achievement
of the objective is not granted.
7. Human action is necessary in internal control. This leads to many errors in
processing
8. If the system adopted for effective control is inflexible then it may lead to
ineffective internal control evaluation.
9.
Internal Control Procedures
It is a procedure derived by the management giving the assurance that the
accounting objective of the organization is achieved. It helps to identify the risk of
material misstatement in the financial report. Accounting information may be different
for various organization but they do have a common objective of producing reliable
information at times. Accounting control system procedures provides complete, reliable
and valid information. Internal control whether it is general a specific control auditor first
gather effective and reliable evidence on the operating effectiveness of the control
procedure. Internal control procedures are of two types.
1. General control procedures.
2. Specific control procedures.
General control procedures
It provides assurance as to the overall completeness, validity and reliability of the
accounting objective. It also provides assurance about one or more application of internal
control that is best suited for a particular environment to operate effectively. Therefore it
is also called as environment controls.

Specific control procedures

RukshiCA 5
PART 1 LESSON 10
INTERNAL CONTROL & ETHICS
Designed to achieve specific accounting objectives of the organization. It checks
for accurate valid and reliability of the accounting information provided. They provide
assurance in respect to:
1. Data processing
Information related to input processing and output stages.
2. Accounting information system
Cash receipts, disbursements etc.
3. Control objective
To check for complete, valid and accurate information.
Operationally effective internal control procedure gives assurance that the accounting
information for specific procedure is achieved with completeness accuracy and
validity.

Categories of internal control procedures are

 Organizational independence
It exists when no one in an organization is in position to perform the duty
of detecting material misstatements or any fraud apart from his normal work of
duties. If organizational independence does not exist chance of fraud will be more.
Segregation of duty is an important function to be adopted. Segregation of the
following function such as accounting, authorization and operational function enables
the organization to achieve its goal. Person assigned the duties with the particular
function should perform only the one pertinent to him and not responsible for any
other function. Rotation of various functions and jobs is possible only with adequate
training and knowledge in all fields. If the organizational independence is ineffective
the auditor will have no control on the procedures performed by the organization.
 Supervision
Persons assigned with the responsible to perform any activity should be
supervised. The functions performed by him should be reviewed, corrected and
checked before submission. If the procedures carried out are not supervised then the
auditor will not have control over work done.
 Competence of Personnel

RukshiCA 6
 PART 1 LESSON 10
INTERNAL CONTROL & ETHICS
Persons assigned with the responsibility should be competent in performing the
accounting, operational and financial procedures.

 Authorization
Set limit to authority. They should have certain limit in authorization of
transactions and other documents.
 Restricted access to resources
Persons who have access to resources only should be allowed to authorize
transactions. Unauthorized persons should not be allowed to use it.
 Information system development
Assurance on new and existing application software indicating that it is
functioning in an effective manner. Controls over system do include change,
maintenance and listing controls.

Internal control structure

Organization internal control structure minimizes the threat of risks in order to
meet its objective. It can only minimize the risk, it cannot structure minimizes the risks; it
cannot remove the risk completely. However the control structure minimizes the risk by
giving only reasonable assurance and not absolute assurance.
Components of internal control structure
1. Control environment.
2. Accounting system.
3. Control procedures.
1. Control environment
It is the control consciousness of the people. Foundation of all other internal
controls and structure.
Control environment factors of internal control structure do include.
 Management’s philosophy and operating style
Some organization takes risk in their new business whereas others may be
cautious or conservative. Their philosophy and operating style has a considerable
influence over the control activities.
RukshiCA 7
 PART 1 LESSON 10
INTERNAL CONTROL & ETHICS
 New employees to the organization should be aware of their values and rules.
 Evaluation and promotion should be done effectively and with utmost
confidentiality
 Disciplinary actions should be maintained consistently.
 Information regarding the changes in tax and other accounting system should
be communicated properly as they influence the control environment.
 Integrity and ethical values
Organization should have collective integrity and ethical values. They should
develop a strong code of conduct and measure that it is followed by all shareholders.
Any code of conduct is out of date or the management does not take steps to
communicate it proper action is to be taken to correct the deficiency. Strong internal
audit function is one of the major components of control environment to impose
integrity and ethical value in the organization.
 Audit committee
Committee should be active and independent for a safe control environment. Polices,
procedures have to be set by the board which constitute the top level management for
an effective control environment.
 Commitment to Competence
Required competence levels are to be identified for various tasks. Employees
should have adequate abilities and skills to carry out the task. Assessment of their
ability should be done as and when needed.
 Human resources polices and procedures
It is an important element considered by the internal control system during
performance reviews of the people, polices and procedures

2. Accounting system
Internal control structure takes care of accounting. It identifies and evaluates
all the accounting transactions of the organization. Should check for the validity
completeness and accuracy of the accounting information. Internal control evaluates
for:

RukshiCA 8
 PART 1 LESSON 10
INTERNAL CONTROL & ETHICS
 Monetary value – whether it is properly entered.
 To identify if there is any abnormal account balances.
 Verifies the submission of all financial transactions and books of accounts.

3. Control procedures
It reduces the error in the system. Categories of control procedure.
 Segregation of duties
Each individual assigned the duty to carry out the required tasks.
 Documentation of Records
Internal control enables the control procedure to have a proper
documentation of the records for a reasonable assurance of the control
system objectives.
 Safeguard of assets
Safety of fixed assets is ensured. They take care of both fixed and floating
assets by having a fixed responsibility on both.
 Performance verification of the documents
It is done by internal auditors. Performance is maintained based on the
comparison of the accounts with books of assets.
 Authority
Authorization to individual to certify transaction. Necessary
documentation is necessary to avoid any material misstatements.

LEGAL ASPECTS OF INTERNAL CONTROL:

Foreign Corrupt Practices Act (FCPA)
It is an U.S. act formulated in 1977 and revised in the year 1988. It prohibits
bribery of foreign government officials for the purpose of obtaining or retaining business.
FCPA also formulate transparency in the accounting requirements. It makes a necessity
for companies to desire and maintain accounting system to have a tight control in the
position and disposal of assets. They also prohibit illegal payments. Any organization
found for violating the accounting transactions may be penalized for monetary fines.

RukshiCA 9
PART 1 LESSON 10
INTERNAL CONTROL & ETHICS

Foreign corrupt practices act do include Persons such as

o Issuers: U.S. or foreign that is listed under the Securities and Exchange
Commission.
o Domestic concerns: Any individual an organization entity having their principle
business at duties states.
o Persons covering both individual and organization.
Corrupt payments can be avoided by
• Due Diligence
• Precautionary care to ensure that they have for a commercial relationship.
FCPA makes it illegal towards any corrupt payments to foreign parties. Payment
through intermediary is considered illegal. Foreign companies should maintain a written
code of conduct and ethics towards their foreign polices. They should abandon selling
goods directly to foreign companies.
• Proper accounting system is to be maintained as per the standards and principles
of GAAP.
• Books of account should reflect the requirement and it should be transparent.
• Any individual involved in corrupt practices is subject to a fine of $10,000 or
imprisonment of 5years or both.
There are some exceptional cases involved in anti bribery prohibition such as.
• Water supply, phone and power.
• Protecting perishable products.
• Loading cargo and unloading.
• Cross country transit of goods.
• Police protection

Penalties offered for violating FCPA are

 For Company’s → fine up to $2,000,000
Individual’s → fine up to $1, 00,000

RukshiCA 10
PART 1 LESSON 10
INTERNAL CONTROL & ETHICS
 SEC suspends the individual or organization from the security industry
for any violation of FCPA.
 Individuals or organization will be considered ineligible for export
licenses.
 They may be excluded from the business with the federal government.
FCPA overlooks the organization or any individual for any violations of the policy. Any
awareness of the people or employees towards the violation of act should promptly
report it to the regional management and legal department.

Sox:
 The Sarbanes Oxley act of 2002, a response to numerous financial
reporting scandals involving large public companies, contains provisions that
impose new responsibilities on public companies and their auditors. The act
applies to issuers of publicity traded securities subject to federal securities laws.

(a) The act requires that each member of the audit committee, including at least one
who is a financial expert, be an independent member of the issuer’s board of
compensation (other than for service on the board) from, the issuer.
 The audit committee must be directly responsible for appointing,
compensating, and overseeing the work of the public accounting firm
employed by the issuer. In addition, this audit firm must report directly to
the audit committee, not to management.
 Another function of the audit committee is to implement for the receipt,
retention, and treatment of complaints about accounting and auditing
matters.
 The audit committee also must be appropriately funded by the issuer and
may hire independent counsel or other advisors.
(b) Internal control report. Section 404 of the act requires management to establish
and document internal control procedures and to include in the annual report a
report on the company’s internal control over financial reporting.

RukshiCA 11
 PART 1 LESSON 10
INTERNAL CONTROL & ETHICS
1) This report is to include
(a) A statement of management’s responsibility for internal control;
(b) Management’s assessment of the effectiveness of internal control
as of the end of the most recent fiscal year;
(c) Identification of the frame work used to evaluate the effectiveness
of internal control (such as the report of the committee of
sponsoring organizations);
(d) A statement about whether significant changes in control were
made after their evolution, including any corrective actions; and
(e) A statement that the external auditor has issued an attestation report
on management’s assessment.
o Because of this requirement, two audit opinions are
expressed: one on internal control and one on the financial
statements.

2) The external auditor must attest to and report on management’s assessment.

a. The auditor must evaluate whether the structure and procedures
i. Include records accurately and fairly reflecting the firm’
transactions.
ii. Provide reasonable assurance that transactions are recorded so as
to permit statements to be prepared in accordance with GAAP.
b. The auditor’s report also must describe any material weaknesses in
internal controls.
[Link] evolution is not to be the subject of an engagement but be in
conjunction with the audit of the financial statements.

 Sarbanes – Oxley section 302, Corporate responsibility for financial

reports
 REGULATIONS REQUIRED – the SEC shall require, for each company filling
periodic reports under the securities exchange act of 1934, that the principal

RukshiCA 12
PART 1 LESSON 10
INTERNAL CONTROL & ETHICS
executive officer or officers and the principal financial officer or officers, or
persons performing similar functions, certify in each annual or quarterly report
filed or submitted under act that—
1) The singing officer has reviewed the report;
2) Based on the officer’s knowledge, the rep[ort does not contain any untrue
statement of a material fact or omit to state a material fact necessary in
order to make the statements made, in light of the circumstances under
which such statements were made not misdealing;
3) Based on such officer’s knowledge the financial statements and other
financial information included in the report, fairly present in all material
respects the financial condition and results of operations of the issuer as of
and for, the periods presented in the report;
4) The singing officers—
A. Are responsible for establishing and maintain internal controls;
B. Have designed such internal controls to ensure that material
information relating to the issuer and its consolidated subsidiaries
is made known to such officers by others within those entities,
particularly during the period in which the periodic reports are being
prepared;
C. Have evaluated the effectiveness of the issuer’s internal controls as
of a date within 90 days prior to the report; and
D. Have represented in the report their conclusions about the effectives of
their internal controls based on their evaluation as of hat date;

5) The singing officers have disclosed to the issuer’s auditors and the audit
committee of the board of directors (or persons fulfilling the equivalent
function)—
a. All significant deficiencies in the design or operation of internal
controls which could adversely affect the issuer’s ability to record,
process, summarize and report financial data and have identified

RukshiCA 13
PART 1 LESSON 10
INTERNAL CONTROL & ETHICS
for the issuer’s auditors any material weaknesses in internal
control; and
b. Any fraud, whether or not material , that involves management or
other employees who have a significant role in the issuer’s internal
controls; and
6) The signing officers have indicated In the report whether or not were
significant changes in internal controls or in other factors that could
significantly affect internal controls subsequent to the date of their evolution,
including any corrective actions with regard to significant deficiencies and material
weaknesses.
 Foreign rein corporations have no effect- nothing in this section 302 shall be
interpreted or applied in any way to allow any issuer to lessen the legal force of
the statement required under this section 302, by an issuer having reincorporated
or having engaged in any other transaction that resulted in the transfer of the
corporate domicile or officers of the issuer from inside the united states to outside
of the united states.

 PCAOB was vested with the authority to promulgate standards for the practice
of auditing. PCAOB auditing standards 2 (issued in 2004) required that an audit
of internal control be integrated with the audit of the financial statements.
Although auditors are allowed to issue separate reports on the audits of financial
statements and internal controls, in practice they superseded by PCAOB
auditing standards5, which had similar requirements.

 STANDARD NO.5 IS PRINCIPLES – based. It is designed to increase

the likelihood that material weaknesses in internal control will be found before
they result in material misstatement of a company’s financial statements and, at
the same3 time. Eliminate procedures that are unnecessary.
[Link] final standard also focuses the auditor on the procedures necessary to
perform a high quality audit tailored to the company’s facts and circumstances.

RukshiCA 14
 PART 1 LESSON 10
INTERNAL CONTROL & ETHICS
The new standard is more risk – based and scalable, which will better meet the
needs of investors, public companies and auditors alike.
b. The new auditing standard, by focusing the auditor’s attention on those
matters that are most important to effective internal control, presents
another significant opportunity to strengthen the financial reporting process.

 THE BOARD’S NEW STANDARD IS DESIGNED TO

ACHIEVE FOUR OBJECTIVES;
a. Focus the internal control audit on the most important matters.

1. The new standard focuses auditors on those areas that present the greatest
risk that a company’s internal control will fall to prevent or direct a material misstatement
in the financial statements. It dose so by incorporating certain best practices designed to
focus the scope of the audit on identifying material weaknesses in internal control ,
before they result in material misstatements of financial statements, such as using a
top – down (risk – based) approach to plan the audit. It also emphasizes the importance of
auditing higher risk areas, such as the financial statement closing process and controls
designed to prevent fraud by management.

2. At the same time, if provides auditors a range of alternatives for

addressing lower risk areas, such as by more clearly demonstrating how to calibrate the
nature, timing, and extent of testing based on risk, as well as how to incorporate
knowledge accumulated in previous year’s audits into the auditors’ assessment of risk
and use the work performed by companies, own personnel, when appropriate.

b. Eliminate procedures that are unnecessary to achieve the intended benefits.

1. The board examined every area of the internal control audit to determine
whether the previous standard encouraged auditors to perform procedures
that are not necessary to achieve the intended benefits of the audit. As a

RukshiCA 15
 PART 1 LESSON 10
INTERNAL CONTROL & ETHICS
result, the new standard does not include the previous standard’s detailed
requirements to evaluate management’s own evolution process and
clarifies that an internal control audit does not require an opinion on the
adequacy of management’s process
2. As another example, the new standard refocuses the multi – location
direction on risk rather than coverage by removing the requirement that
auditors test a “large portion” of the company’s operations or
financial position.
c. Make the audit clearly scalable to fit the size and the complexity of any
company
In coordination with the board’s ongoing project to develop guidance for
auditors of smaller, less complex companies, standard 5 explains how to
tailor internal control audits to fit the size and complexity of the company
being audited. Standard 5 does so by including notes throughout the
standard on how to apply the principles in the standard to smaller, less
complex companies, and by including a discussion of the relevant attributes
of smaller less complex companies as well as less complex units of larger
companies.
d. Simplify the text of the standard
1. The board’s new standard is shorter and easier to read. This is in part because it
uses simpler terms to describe procedures and definitions. It is also because the
standard has been streamlined and reorganized to begin with the audit itself, to
move definitions and background information to appendices, and to avoid
duplication by cross – referencing existing concepts and requirements that
appear elsewhere in the board’s standards and relevant laws and SEC rules.
2. For example, the new standard eliminates the previous standard’s discussion of
materiality, thus clarifying that the auditor’s evolution of materiality for
purposes of an internal control audit is based on the same longstanding
principles applicable to financial statement audits.
3. Also in order to better coordinate the new final standard and the SEC’s new
rules and management guidance, the standard conforms certain terms to the

RukshiCA 16
 PART 1 LESSON 10
INTERNAL CONTROL & ETHICS
SEC’s rules and guidance, such as the definition of material “weakness” and use
of the term “entity – level controls” instead of “company – level controls”.

 AUDIT APPROACHES
a. Essentially there are four different audit approaches:
1. the substantive procedures approach
2. the balance approach
3. the systems – based approach
4. The risk – based approach.
b. The substantive procedures approach is also referred to as the
vouching approach or the direct verification approach. In this approach, audit
resources are targeted on testing large volumes of transactions and account
balances without particular focus on specified areas of the financial statements.
[Link] the balance sheet approach, substantive procedures are focused on
balance sheet accounts. With only limited procedures being carried out on income
statement/profit and loss account. The justification for this approach is the notion
that if the relevant management assertions for all balance sheet accounts are tested
and verified, then the income figure reported for the accounting period will not be
materially misstated.
d. The systems – based approach requires auditors to assess the
effectiveness of the internal control, and then to direct substantive procedures
primarily to those areas where it is considered that systems objectives will not be
met. Reduced testing is carried out in those areas where it is considered systems
objectives will be met.
[Link] the risk – based approach, audit resources are directed towards those areas
of the financial statements that may contain misstatements (either by error or
omission) as a consequence of the risks faced by the business.

1. Under a risk – based approach, every audit assignment presents a different

challenge to n auditor, with no tow audits being the same. For example, no

RukshiCA 17
PART 1 LESSON 10
INTERNAL CONTROL & ETHICS
two entities are the same in terms of business sector, location, size,
employees, governance issues, ethos, and complexity of operations. There is
no one single approach to auditing that ensures the performance of a perfect
audit. However, it is generally accepted that for most entities, the risk –
based audit approach will minimize the possibility of audit objectives not
being met.
2. Auditors are required to make risk assessments of material misstatements
at the financial statement and assertion levels, based on an appropriate
understanding of the entity and its environment. Including internal controls.
As the auditor is required to focus on the entity and its environment when
making risk assessments this is known as the ‘top down’ approach to
identifying risks. The word ‘top’ refers to the day – to – day operations of
the entity and the environment in which it operates; ‘down’ refers to the
financial statements of the entity.
3. In summary, this approach requires auditors to identify the key day-to-day
risks faced by a business, to consider the impact these risks could have on
the financial statements, and then to plan their audit procedures accordingly.
For this reason, the approach is often referred to as the business risk
approach. When adopting this approach, to facilitate the identification of
risks and the assessment of their effect on the financial statements, risks are
categorized as financial risks, such as cash flow risks, compliance risks,
compliance risks, such as breaching of laws and regulations risk and
operational risks, such as loss of key employee risk and loss of data risk.

Internal Audit
It is an activity to achieve the objective of the organization. Internal audit is
performed by internal auditors for performing internal audit activity in the organization.
Objectives of the organization are achieved through systematic approach in order to
evaluate the effectiveness of the organization with regard to risk management and other
control process.
Internal auditing helps to

RukshiCA 18
PART 1 LESSON 10
INTERNAL CONTROL & ETHICS
• Verify the internal control and financial records.
• Increases the efficiency and effectiveness of the operations.
• Management system designed to ensure that it is in compliance with the rules
and regulations polices and procedures of the organization.
• Reliability and integrity of the financial information is reviewed.
• Enhance a positive relationship with the internal auditor, agency staff and audit
committee.
Objective of internal audit
1. Reasonable assurance to the managerial stating that the financial statements and
records are reliable and accurate.
2. Appraise the economy and efficiency of resource utilization.
3. Assist members for successful performance of the responsibilities by giving them
pertinent information about the activities.
4. Control cost is effective and promoted at a reasonable cost.
5. Detects fraud from the organization.
6. Audit efforts are coordinated through internal audit.
7. Operational procedures of existing internal control are evaluated and also give
necessary guidance for new internal control polices.
8. Ensure safety of assets.

Scope of internal audit

1. Checks for adequacy of the financial operations in relation to business risk.
2. Weaknesses identified should be used by having a constant follow up actions.
3. Company’s corporate governance, risk management should be properly overseen.
4. Any issues relating to internal control can be solved by producing consulting
services.
5. Review of the internal audit to be done by another internal audit function a by an
internal auditors.

Authority and Responsibilities of Internal Auditing

RukshiCA 19
 PART 1 LESSON 10
INTERNAL CONTROL & ETHICS
Internal audit conducts a board and comprehensive program of audits to
accomplish the audit objectives. They review all the financial records of the organization
and checks for compliance with the code of conduct and ethical standards. Information
which is obtained from such control activities is confidential. Various internal activities
are coordinated in order to achieve the audit objectives of the organization. Audit
committee meetings are conducted regularly to present the audit services. Internal audit
staff does not have direct control over the reviewing of activities.
 Independence
Internal auditor should be independent of the control activities they audit. They
should not be under the pressure of any individual or separate department. Independence
in auditing implies in providing impartial and activated judgment of the control activities.

 Management
Internal audit should detect, investigate and prevent any fraud from the
management. Responsibility of the management also relies upon safeguarding of assets.
Objective of the management can be accomplished by
a. Installing effective accounting system
b. Employees are in with the relevant codes of conduct
c. To meet the legal requirements of the organization.
 Compliance
Ensure in compliance with the polices, procedures, laws and regulations
 Safeguarding of assets
Safeguard assets in order to protect it from any theft, loss or any illegal activity.
 Due professional care
It calls for the application of the care and skill of a reasonably prudent and
competent internal auditor in the same or similar circumstances.

Types of internal audit

1. Financial audit

RukshiCA 20
 PART 1 LESSON 10
INTERNAL CONTROL & ETHICS
Review of all financial records to check whether the assets and liabilities
are properly recorded. Information obtained from financial audit is normally used
in decision-making process. It ensures that the funds are properly secured and
maintained. Financial audit do include activities such as.
 Risk assessment.
 Financial analysis of cash flow statement.
 Compliance.
They verify the revenues, sales, bank deposits, loans and advances and
other assets. The financial statements is assessed to find out the accuracy of the
financial statements and operations
2. Operational audit
It is review of department operating procedure and internal controls. It
covers the evaluation of internal control, compliance with the laws and regulation,
reliability and integrity of information, effective and efficient use of resources.
Operational audit information is gathered from past history, operating standards,
operating reports and from senior management.
3. Compliance audit
Programs and other audit measurement comply with the rules, regulations,
polices and procedures. Certain established criteria should be set by the
organization against which the policies and procedures can be measured.
4. Environmental audit
It is the review of the activities operation and regulations to meet the
environmental requirements. Team is engaged to have a comprehensive
examination of the plant or factory to see whether it complies with the
environmental requirements. It also assesses the environmental risk associated
with the operations. Environmental audit programs do have number of
characteristics. They require adequate allocations resources & hire and train
employees.
5. Fraud audit

RukshiCA 21
 PART 1 LESSON 10
INTERNAL CONTROL & ETHICS
It encourages detection and prevention of fraud in the transaction. Person
conducting fraud audit should identify the source of evidence, areas of fraud
opportunity etc. They locate the accounting regulations, code of conduct and other
exceptions. Fraud detection may be reactive and proactive. Reactive auditing
responds complaints, suspension and managements intuition. Proactive auditing
ensures controls through periodic audits and intelligence gathering.
6. Quality audit
It is an independent examination of the quality related activities to comply
with the quality standards. It helps to achieve a quality based corporate culture. It
focuses on system and processes rather than outcomes.
7. Performance audit
It involves in determining the management objectives that lead to
effectiveness and efficiency. Performance audit helps to determine the key
performance indicator to use and control objectives that is to be achieved.
8. Information system audit
Information system audit object is to determine the safety of assets,
integrity of data to achieve organizational goals and objectives. It helps to prevent
and detect fraud.
Information system helps to
 Review the system to ensure security
 Organizational reviews so as to achieve the organizational goals
 Technological reviews to ensure security and controls.
9. Grant audit
They focus mainly on the compliance of the financial system with specific
grant agreements. It helps to review the funds based on grants given and received.
• It receives the reporting requirement and determines if it satisfies the
process that is required for the requirements.
• Amount of grant received and deposited is reviewed
• If any funds are unused it ensures that it is returned to the grant agency.
10. Due diligence

RukshiCA 22
PART 1 LESSON 10
INTERNAL CONTROL & ETHICS
It investigates and evaluates the management philosophy prior to the
commencement of the business. Due diligence is the entire process that covers the
investment analysis and investigation of the investment undertaken. Results that
are obtained from investigation and analysis are developed in a report called as
due diligence report. Risk identified may be asked by the investor to eliminate or
weaken the risk. Investigation of the report done in the basis of
 Media reports
 Legal and regulating issues.

Internal controls on an accounting information system

Computerized information of internal control minimizes the chance of risk
and fraud. Internal control system depends on the integrity compulsory and confidentially
of the control activities for information system.

General control
They cover the entire information system they include planning, management, system
software acquisition and integrity of the information system. It ensures for correct date
file processing, auditing to the personalized standards and back up of files taken for to
present any disaster. If also ensures for physical security and measures to reduce the risk
of vandalism and destruction of networks. General control may be:
 Data center
Control over operating activities and back up and recovery procedure.
 Access security controls
Protect the system from unauthorized access and hackers. Firewall security is
provided to restrict access to assets and other networks.
 System software controls
It includes control over maintenance acquisition and development of the software.
 Application system development
It proceeds with safe development systems and modification of existing systems.

RukshiCA 23
PART 1 LESSON 10
INTERNAL CONTROL & ETHICS
Application controls
They include computer program, access, and other activities for budgets and
processing. They check the accuracy, validity and reliability of the accounting
information.

Application controls are:

 Inputs controls
 Processing controls
 Output controls
It ensures for the accuracy and conceptacles of the data processed. They detect and
prevent any errors or regalities. It checks for the security of the system and ensures that
the process data are in an efficient manner. Electronic data interchange and expert
system are the applications of the control.
Input control
Ensure for complete and accurate recording of transactions only by authorized
users. Examples are fold checks, error listings and sequence checks.
Processing controls
Completeness and accuracy of processing of authorized transactions. Example: run
controls, concurrency controls and audit tracks.
Output controls
Ensures the completeness and accuracy of the results obtained. Example: file
changes and distribution register.

Administrative controls
They ensure the proper organization and processing of data. Administrative controls are
Division of duties
Duties are assigned to different persons. Control is divided to different persons according
their capabilities. This is done in order to eliminate fraud and to make the organization
independent of all activities.

Files control

RukshiCA 24
PART 1 LESSON 10
INTERNAL CONTROL & ETHICS
Fraud and errors can be eliminated using file control. This can be done by.
• Procedure for issuing and return of files.
• Labeling and indexing.
• Back up copies of files.
• Skilled personal to maintain file control.
Operation controls
It determines the nature and procedure of the work system. Therefore they should be
controlled. It can be
• Maintenance of attendance
• Proper record for rotation of shifts
• Computer logs
Proper maintenance of the operation control helps the auditor to detect any fraud or error.
System development controls
Relate to design and implementation of the system. Various system development controls
are.
Standardization
Standards are laid down for the proper operation of the system. It includes complete
documentation. It helps the auditor to spot out any error and also advises any
improvement on the system that it works.
Testing
It tests the system thoroughly before it is operational. It tests the system and validates
for any error or fraud. Bench marks in testing can be compared with that of the
previous benchmark to check for any tampering of data.
Management involvement
Management involved in the system to have a feasibility study n preparation of
budget. They involve finding out whether the system is reliable and cost effective.
Training
Staffs should be properly trained to run the system. Trained staff helps to reduce the
number of errors.
Processing of old and new system

RukshiCA 25
 PART 1 LESSON 10
INTERNAL CONTROL & ETHICS
Comparison of old with the new system helps, to find out any fraud or error with the
new or existing system.

Procedural controls
They are the controls that are set on the day to day running of the system they may be
 Input controls
 Processing controls
 Output controls

Input controls
They are placed in the input data. They may be
 Validating check
 Authorization procedures
They check the data entry for completeness and information.
Processing controls
They check the data duty the processing stage. Processing control may be of two types
Validation tests
File checks
Validation checks for the validation of data. They do include
• Check digit verification
• Check files size and code
File checks check for the integrity of the file data they include Arithmetic validation of
one file with the other record file
 Output controls
Ensure completeness and accuracy over the output file printed. Control procedures are
• Output given only to authorized persons
• Output verified against input data fed in

RukshiCA 26
PART 1 LESSON 10
INTERNAL CONTROL & ETHICS
• Feed back system so as to ensure that any error occurred is
reported

Ethical Guidelines for Management Accountants:

The Institute of Management Accountants prescribes Ethical Guidelines to the
Management Accountants which is reproduced below:

Members of IMA shall behave ethically. A commitment to ethical professional practice

includes overarching principles that express our values, and standards that guide our
conduct.

PRINCIPLES
IMA's overarching ethical principles include: Honesty, Fairness, Objectivity, and
Responsibility. Members shall act in accordance with these principles and shall
encourage others within their organizations to adhere to them.

STANDARDS
A member's failure to comply with the following standards may result in disciplinary
action.

[Link]
Each member has a responsibility to:

1. Maintain an appropriate level of professional expertise by continually developing

knowledge and skills.
2. Perform professional duties in accordance with relevant laws, regulations, and
technical standards.
3. Provide decision support information and recommendations that are accurate,
clear, concise, and timely.
4. Recognize and communicate professional limitations or other constraints that
would preclude responsible judgment or successful performance of an activity.

RukshiCA 27
PART 1 LESSON 10
INTERNAL CONTROL & ETHICS
[Link]
Each member has a responsibility to:

1. Keep information confidential except when disclosure is authorized or legally

required.
2. Inform all relevant parties regarding appropriate use of confidential information.
Monitor subordinates' activities to ensure compliance.
3. Refrain from using confidential information for unethical or illegal advantage.

[Link]
Each member has a responsibility to:

1. Mitigate actual conflicts of interest; regularly communicate with business

associates to avoid apparent conflicts of interest. Advise all parties of any
potential conflicts.
2. Refrain from engaging in any conduct that would prejudice carrying out duties
ethically.
3. Abstain from engaging in or supporting any activity that might discredit the
profession.

[Link]
Each member has a responsibility to:

1. Communicate information fairly and objectively.

2. Disclose all relevant information that could reasonably be expected to influence
an intended user's understanding of the reports, analyses, or recommendations.
3. Disclose delays or deficiencies in information, timeliness, processing, or internal
controls in conformance with organization policy and/or applicable law.

RESOLUTION OF ETHICAL CONFLICT

In applying the Standards of Ethical Professional Practice, you may encounter problems
identifying unethical behavior or resolving an ethical conflict. When faced with ethical

RukshiCA 28
PART 1 LESSON 10
INTERNAL CONTROL & ETHICS
issues, you should follow your organization's established policies on the resolution of
such conflict. If these policies do not resolve the ethical conflict, you should consider the
following courses of action:

1. Discuss the issue with your immediate supervisor except when it appears that the
supervisor is involved. In that case, present the issue to the next level. If you
cannot achieve a satisfactory resolution, submit the issue to the next management
level. If your immediate superior is the chief executive officer or equivalent, the
acceptable reviewing authority may be a group such as the audit committee,
executive committee, board of directors, board of trustees, or owners. Contact
with levels above the immediate superior should be initiated only with your
superior's knowledge, assuming he or she is not involved. Communication of such
problems to authorities or individuals not employed or engaged by the
organization is not considered appropriate, unless you believe there is a clear
violation of the law.
2. Clarify relevant ethical issues by initiating a confidential discussion with an IMA
Ethics Counselor or other impartial advisor to obtain a better understanding of
possible courses of action.
3. Consult your own attorney as to legal obligations and rights concerning the ethical
conflict

RukshiCA 29