ADVANCED AUDITING

TOPIC:
Explain how the following risk factors affect the course of internal control system-

(i) Changes in operating environment

(ii) New personnel
(iii) New or revamped information systems
(iv) Rapid growth
(v) New technology
(vi) New business models, products or activities
(vii) Corporate restructuring
(viii) Expanded foreign operations
(ix) New accounting pronouncements
INTRODUCTION:
Internal control system is vital for any kind of organisation to establish certain set of standards
and to ensure whether these standards, laws and regulations are being efficiently met or not. If a
company doesn’t have any proper system to control the internal activities, the chances of frauds
can increase to a great extent.

For example, in any organisation say a private sector bank, the branch manager has been
assigned the responsibility of buying the assets for the office and he is the only person who deals
with the seller/dealer, negotiates the price, gets it delivered, payments, and also recording the
transactions. This will increase the chance of the manager to get a personal benefit through this.
So to prevent this, the bank assigns different persons for different roles like for example, the
accounts person will look over the accounting transactions of the asset, the clerk would be
responsible for delivery, the manager would negotiate the price and get it approved from its
senior( say divisional manager).

What we want to convey is that the internal control system implies that no activity, task or
responsibility is assigned to a single person, rather it is assigned to different persons so that work
done by one person can be checked by the another person.

Therefore, a formal definition of internal control is the process designed to ensure reliable
financial reporting, effective and efficient operations, and compliance with applicable laws and
regulations. Safeguarding assets against theft and unauthorized use, acquisition, or disposal is
also part of internal control.

Internal control is vital in any organisation to ensure:

1. Effectiveness and efficiency of operations

2. Reliability of financial reporting
3. Compliance with applicable laws and regulations.

OBJECTIVES OF INTERNAL CONTROL

Internal control is of fundamental importance to both- the company as well as the auditor,
because the management has to ensure that the activities in the organisation are being carried out
in a fair manner, and to the auditor because before he can plan the tests he intends to carry out in
his audit programme, he must decide the extent to which he intends to rely on the system of
internal control. But before depending upon the internal control system of the organisation, the
auditor should ensure that the following objectives of internal control as per SA- 400 are
achieved by the organisation:

Proper Authorization
Transactions are executed with management’s general and specific authorization.

Prompt Recording of Transactions

All the transactions are promptly recorded in the correct amount in the appropriate accounts and
in the accounting period in which executed so as to permit preparation of financial information
within a framework of recognized accounting policies and to maintain accountability of assets.

Restricted Access to Assets

Access to assets is permitted only in accordance with management’s authorization.

Actions against Deviations

The recorded accountability for assets is compared with the existing assets at reasonable intervals
and appropriate action is taken with regard to any differences.

COMPONENTS OF INTERNAL CONTROL SYSTEM

I. CONTROL ENVIRONMENT:

The control environment consists of the governance and management functions and the
attitudes, awareness and actions of the management about the internal control. Auditors may
obtain an understanding of the control environments through the following elements.
1. Communication and enforcement of integrity and ethical values
It is important for the management to create and maintain honest, legal and ethical
culture, and to communicate the entity’s ethical and behavioral standards to its employees
through policy statements and codes of conduct, etc.

2. Commitment to competence
It is important that the management recruits competent staff who possess the required
knowledge and skills at competent level to accomplish tasks.         

3. Participation by those charged with governance

An entity’s control consciousness is influenced significantly by those charged with
governance; therefore, their independence from management, experience and stature,
extent of their involvement, as well as the appropriateness of their actions are extremely
important.

4. Management’s philosophy and operating style

Management’s philosophy and operating style consists of a broad range of characteristics,
such as management’s attitude to response to business risks, financial reporting,
information processing, and accounting functions and personnel, etc. For example, does
the management apply aggressive approach where alternative accounting principles or
estimates are available?  These management’s philosophy and operating style provide a
picture to auditors about the management’s attitude about the internal control.

5. Organisational structure
The organizational structure provides the framework on how the entity’s activities are
planned, implemented, controlled and reviewed.

6. Assignment of authority and responsibility

With the established organizational structure or framework, key areas of authority and
reporting lines should then be defined. The assignment of authority and responsibility
include the personnel that make appropriate policies and assign resources to staff to carry
out the duties. Auditors may perceive the implementation of internal controls through the
understanding of the organizational structure and the reporting relationships.

7. Human resources policies and practices

Human resources policies and practices generally refer to recruitment, orientation,
training, evaluation, counseling, promotion, compensation and remedial actions. For
example, an entity should establish policies to recruit individuals based on their
educational background, previous work experience, and other relevant attributes. Next,
classroom and on-the-job training should be provided to the newly recruited staff.
Appropriate training is also available to existing staff to keep themselves updated. 
Performance evaluation should be conducted periodically to review the staff performance
 and provide comments and feedback to staff on how to improve themselves and further
develop their potential and promote to the next level by accepting more responsibilities
and, in turn, receiving competitive compensation and benefits.

II. ENTITY’S RISK ASSESSMENT PROCESS

Auditors should assess whether the entity has a process to identify the business risks
relevant to financial reporting objectives, estimate the significance of them, assess the
likelihood of the risks occurrence, and decide actions to address the risks. If auditors
have identified such risks, then auditors should evaluate the reasons why the risk
assessment process failed to identify the risks, determine whether there is significant
deficiency in internal controls in identifying the risks, and discuss with the
management.

 CAUSES OF RISK (Main Topic)

The following risk factors can affect the course of internal control system:

1. CHANGES IN OPERATING ENVIRONMENT

If there is any change in the business environment of the business, that may be
social, political change, economical change etc., this may have an adverse impact
on the business. Let us take an example of the current situation due to Covid-19,
many businesses were immediately shut, without even getting much time to make
arrangements for their business activities. Now those in charge of internal control,
would have gone through a difficult time to access the financial reports as some
businesses still depend on paper work on some level and it was almost impossible
to access the documents during lockdown.

2. NEW PERSONNEL
The human resource department must ensure that the employees hired are
competent enough and they must be provided with adequate training so that their
chances of omission and errors are reduced to a certain extent. It is quite seen that
the new personnel tends to make mistakes in their initial days and the internal
auditors or the employees in charge of internal control find it difficult to look for
those.

3. NEW OR REVAMPED INFORMATION SYSTEM

When a company deploys a new information system, it has to provide adequate
training to its staff so that they become experts on that and make fewer mistakes.
Without training, the chances of risk become much higher. For example, at an
insurance company, a new system cisco was enforced without providing much
 training to its staff. The staff members, who earlier could make 8-10 policies in an
hour could make only 1-2 in an hour in their initial days, which increased the
workload, stress, chances of errors and many more difficulties for them. So the
point is, when a new information system is developed in an organisation, it is the
duty of that organization to provide adequate training to its staff members, so that
chances of missing any relevant transactions are decreased.

4. RAPID GROWTH
A company going through a rapidly growing phase has an increased chance of not
having an efficient control system. For example, the pharmaceutical companies,
the sanitizer or masks producers during the corona period, they have an immense
sale of their products. It becomes quite difficult for them to maintain records of
each and every transaction, where they cannot even have adequate staff during
social distancing, how will they keep their financial information up to date.

5. NEW TECHNOLOGY
Similar to adaptation of new information system, when a company adopts new
technology, it becomes quite difficult for some employees, especially those aged
to learn new technology at their age which increases the chances for wrong
information or omission of important information in the books of accounts.

6. NEW BUSINESS MODELS, PRODUCTS OR ACTIVITIES

When a company launches a new product or service, there comes a lot of work it
has to manage along with. The added finance, selling expenses, marketing etc
makes difficult to incorporate internal control in the business and increases the
chances of risk.

7. CORPORATE RESTRUCTURING
A company going through complete restructuring, increases the chances of risk for
errors in financial statements, as the company has a lot of work going on. The
entire structure of the company changes, and it need an adequate amount of time
to gain back its controls.

8. EXPANDING FOREIGN OPERATIONS

The companies dealing in foreign operations are more difficult to handle for the
purpose of internal control for a simple reason that they have to operate with
different foreign currencies, different taxation policies by different governments
etc.

9. NEW ACCOUNTING PRONOUNCEMENTS

 Whenever a new accounting policy comes up, it takes a little time for the
businesses to adapt that. For example, when Goods and Service Tax (GST) came
up on July 1st, 2017, many businesses were not even aware of what it actually was.
So the chances of risk of errors in taxation accounting were much more than ever
before.

III. CONTROL ACTIVITIES

Auditors should obtain a sufficient understanding of control activities relevant to the audit in
order to assess the risks of material misstatement at the assertion level, and to design further
audit procedures to respond to those risks. Control activities, such as proper authorisation of
transactions and activities, performance reviews, information processing, physical control
over assets and records, and segregation of duties, are policies and procedures that address the
risks to achieve the management directives are carried out.

IV. INFORMATION SYSTEM AND COMMUNICATION

Auditors should also obtain an understanding of the information system, including the
related business processes, relevant to financial reporting, including the following
areas:

 The classes of transactions in the entity’s operations that are significant to the
financial statements. The procedures that transactions are initiated, recorded,
processed, corrected as necessary, transferred to the general ledger and reported in the
financial statements.

 How the information system captures events and conditions that are significant to
the financial statements.

 The financial reporting process used to prepare the entity’s financial statements.

 Controls surrounding journal entries.

 Understand how the entity communicates financial reporting roles, responsibilities

and significant matters to those charged with governance and external – regulatory
authorities.

V. MONITORING OF CONTROLS
In addition, auditors should obtain an understanding of major types of activities that
the entity uses to monitor internal controls relevant to financial reporting and how the
entity initiates corrective actions to its controls. For instance, auditors should obtain
an understanding of the sources and reliability of the information that the entity used
 in monitoring the activities. Sources of information include internal auditor report,
and report from regulators.

ADVANTAGES & DISADVANTAGES OF INTERNAL CONTROL

CHARACTERISICS OF AN EFFECTIVE INTERNAL CONTROL SYSTEM

A good internal control system is the one where the plan of organisation, the organizational
structure is properly defined and each employee is fully aware if his/her responsibilities an to
whom he has to report. It ensures that that no task is performed by the one outside of his/her
capacity.

When there is proper record of transactions made by a company, it becomes really difficult for an
employee or anyone in the organisation to omit or show false records, as the transaction made by
one is checked by another peson.

Internal control puts a sense of fear in the minds of employees that their activities and the
transactions made by them will be checked by some other person, may be from the same
department or from different department, which ensures sound practices.

Internal control is done by the person(s) possessing good educational qualification. A company
may appoint an internal auditor who can be Chartered Accountant or a Cost Accountant.
e
r
u
d
o
ti
h
A
g
O
f
p
&
S
n
s
P
y
t
i
l
a
Q
c
REFERENCES:
1. Fundamentals of Auditing, S.K. Basu
2. Principles and techniques of auditing, S. K. Basu
3. ISA 315 (Revised), Identifying and Assessing the
Risks of Material Misstatement Through
Understanding the Entity and Its Environment