1.1. Internal Control comprises the plan and all the co-ordinate methods and measures adopted within an organisation with the express objectives of :-
2.1. In recent years, the relevance and objectives of Internal Accounting Controls, have expanded far beyond the traditional ambit of protection against theft and fraud, well into the areas of effectiveness, accountability and operational efficiency of the organisation
2.2. Hence the need for evaluation of the system of internal control , while conducting the audit of the accounts of Government organisations, whether the nature of their operations be commercial or civil.
3.1. Viewed in the Indian context, the Government in consultation with the Institute of Chartered Accountants of India, issued the Manufacturing and Other Companies (Auditors' Report) Order, 1975, (Order) for rationalisation of the requirements for such evaluation. The revised Order considerably enhances the reporting responsibilities of the Auditor while reporting upon the adequacy and reasonableness of the procedures as also the financial health of the Company. It is significant to state in this context that the Order is supplemental to the directions given by the Comptroller and Auditor General of India (CAG) under the Companies Act, in respect of Government Companies with regard to which matters specified in the Order would constitute an integral part of the Auditor's Report submitted , and reply to the questionnaire issued by the CAG would continue to be submitted as hitherto. The Order applies to every Company engaged or proposed to engage in one or more of the following activities :-
3.2 The National Audit Office of the United Kingdom, in collaboration with the Overseas Development Administration, in its Manual entitled " A Guide to Certification Audit" emphasises the evaluation of internal control procedures during Systems Based Audit (SBA). In the United States of America, the introduction of the Foreign Corrupt Practices Act of 1977 (FCPA) requires the corporate management to maintain a system of internal accounting controls, sufficient to provide reasonable assurances for the proper execution of transactions and effecting accountability. Thus, the world over, the need for internal controls has received considerable impetus and there has admittedly been a conscious and significant increase in the necessity for ensuring the existence of effective internal controls.
3.3 A system of internal control recognises the basic principle that it should be as difficult as is practical and feasible, for individuals to be dishonest or careless. Such a premise is indeed not based on a cynicai view of human nature in general, but rather on the realistic assumption that there could be a few persons who would be dishonest or careless if it is easy for them to be so. Further, apart from the prevention and detection of fraud, internal controls should reflect the strength of the overall accounting environment in an organisation as also the accuracy of its financial and operational records.
4.1. The two dimensions of internal controls are
4.2 From the above it is clear that in an audit engagement the distinction between the two types of controls requires considerable dexterity as the two are very often inter-related. Needless to say that the distinction should not be artificially made and administrative controls generally have a nexus with the accounting controls even if the linkage is indirect.
4.3 Scope Of Review
4.3.1. Naturally therefore, the scope and objectives of the Statutory Auditor, would vary and depend upon both the size and structure of the entity as also the requirements of the Management. Normally, however, the Statutory Auditor operates in one or more of the following areas.
4.3.2. Thus, before an evaluation is undertaken the auditor should determine :-
- independent financial audits,
- special systems study engagements.
The Statement on Standard Auditing Practices (SAP) pertaining to the "Study and Evaluation of the Accounting System and Related Internal Controls in connection with an Audit", defines the inter-relationship between the Statutory Auditor and internal control.
6.2 "The System of Internal Control is the plan of organization and all the methods and procedures adopted by the Management of an entity to assist in achieving management's objective of ensuring, as far as practicable, the orderly and efficient conduct of business, including adherence to Management policies, the safeguarding of assets, prevention and detection of fraud and error, the accuracy and completeness of the accounting records and the timely preparation of reliable financial information. The system of internal control extends beyond those matters which relate directly to the functions of the accounting system. The internal audit functions constitute a separate component of internal control established with the objective of determining whether other internal controls are well designed and properly operated".
7.1. It would be necessary at this stage , to make a distinction between the concepts of 'control environment' and 'control procedures'. The control environment refers to the overall attitude, awareness and actions of the Management regarding control and its role and importance in the entity.
7.2. Factors reflected in the control environment include:-
7.2.1. A strong control environment (e.g. one with tight budgetary controls and an effective audit function) can significantly complement specific controls. However, this by itself does not ensure the overall effectiveness of the system of internal control. Hence arises the necessity for 'control procedures'.
7.3. Control Procedures
7.3.1. Control procedures encompass policies and procedures established by the Management, in order to provide for the attainment of certain objectives. These could include the existence of systems for:-
8.1. The challenges faced by the Auditor are considerable in an environment where the use of the computer in data processing operations is on the increase. Thus it is possible that while in a manual system, incompatible functions such as the authority to initiate and execute a transaction and the recording of the transaction , are assigned to different departments or to different individuals within the accounting department, in a computerised environment, these incompatible functions may be consolidated within the EDP department. Therefore the need arises for alternative controls including:-
9.1 Evaluation of internal control systems can be done in a variety of ways. It would be reasonable to expect that the desired degree of documentation would be in proportion with the size and activities of the organisation. The following are the general methods adopted:-
The adoption of any of the above methods, does not preclude the use of one or more methods in connection.
10.1 Evaluation of Internal Controls by the questionnaire methods (used in conjunction with other methods.) is a convenient and efficient medium for documented evidence of such review having actually taken place.
10.2 A standard Internal Control Questionnaire has therefore, been presented by the Research Committee of Chartered Accountants of India. The questions are so framed that most of the answers can be given by "Yes" or "No" or "Not applicable". Affirmative answers generally indicate good internal controls while negative answers indicate weaknesses. In such cases, it would be advisable to add explanatory note. The arrears of coverage by the questionnaire relate to :-
Sample questions on some of the above mentioned areas could include :-
11.1. The Auditors may obtain answers on separate sheets , duly indexed against the questions to which they relate. Inevitably a standard format for a questionnaire may not be feasible for universal applicability as individual variations may be required. The following methods could be adopted:-
12.1. As can be seen from the nature of the above sample questions, the objective of the auditor is to formulate an opinion on the existence, effectiveness and adequacy of internal controls and whether these are designed as far as possible, to ensure the completeness and accuracy of records as also to safeguard the assets. The auditor cannot rely on the controls of the auditee , for the prevention and detection of fraud and errors. Therefore he is bound to obtain some degree of assurance through his own substantive testing . The quantum would depend on the effectiveness of the internal controls for preventing and detecting material errors.
13.1. The Systems Control Evaluation (SCE) based on the questions and answers exercise illustrated above, is thus designed to identify the controls in the system which would satisfy the general audit objectives (prevent or detect the various types of material errors). Having identified the controls, the auditor assesses the adequacy of the process. He would necessarily be required to adopt a critical approach attempting to envisage situations in which they might fail to operate and consequently result in the occurrence of an error or fraud. Further, the auditor should also consider how promptly errors could be identified and the their impact on the financial statements, in the event of their remaining undetected Such evaluation should necessarily cover the entire operation of controls for the entire accounting period. This should be borne in mind while conducting Compliance Testing. Having completed this evaluation, the auditor should then formulate his assessment based upon the suggested guidelines and'categorise the assessment of internal controls.
14.1. It is generally accepted that internal control procedures can provide reasonable and in no case, absolute assurance, that the objectives of such controls relating to accounting systems are achieved. This could be due to the possible existence of certain inherent limitations including :-
However, despite the existence of certain possible inherent weaknesses that would exist in almost every system, howsoever perfect in design, the corrective action taken for rectification by the Management and its periodic assessment through the Systems Control Evaluation method adopted in Systems Based Audit, enables the fulfillment of the principal objectives of establishing and effectively operating Internal Control Procedures.