Internal control ka objective kya hai?

Internal control ka objective ye hai ki it provides control in order for the business to achieve its object
IC is more than preventing something wrong happening in the company
It is about the controls that are in place to help the business achieve its objectives

Corporate Governance
Benefit
Lower external audit cost
Better internal business decision making as I have reliable information
Better control and information on company's assets
CG spells out the rules and procedures to be followed in making decisions for the corporation in order

Corporate governance is basic to internal control

CG provides the direction and control of the business
CG is the rules, law, policies, procedures and customs throuch which a business operates

Reponsibility of CG
BoD as well as management

Influence on CG
Primary direct stakeholder influencing corporate governance - BOD
The board makes the important decisions, like electing corporate officers, establishing executive com
regarding integrity, ethical values, and the accountability of the organization
Good corporate governance involves creating a set of transparent rules and controls so that the ince
aligned - goal congruence
The board of directors needs to make sure that the company’s CG policies incorporate not only the co
but also accountability, transparency, and ethical business practices.

Who are company's stakeholders?

All those who are affected by its actions: its board of directors, its shareholders, its management, its e
community, and the government

CG is a byproduct of VSPP
Values - TO WHICH AN ORG ADHERES
Strategies - TO ACHIEVE OBJECTIVES (SECTION B)
Policies - to establish BOUNDARIES OF BEHAVIOUR
Procedures - in conducting OPERATIONS

GOOD CG - YE THODA SA KAISE HAI NAI PATA?

That assures transparency and accountability between the different stakehokders of the company

Reason for having a good CG

Good governance is not just a good idea for a company—it is an absolute must
CG koi aise alag orgnaiztion me alag sa department nahi hai
CG exisits interconnected with internal control and risk management
What is agency problem
Agency issues arise from the fact that the owners of the corporation and the managers of the corpora
So, there concerns and priorities are different
Managers concerns include receiving inceased salary, bonuses and recognition
While, the shareholders’ wants the value of their investments in the corporation increase.
Thus, there is a conflict of the priorities of management and stakeholders

What is done to resolve the agency problem?

CG specifies the distribution of rights and responsibilities among the various parties with conflicting p
the agency problem and to bring about goal congruence

Two important things to remember here is

Incentives
given to the managers in order to achieve a high performance of the business - thus benefitting the sh
Monitoring Mechanism
Us acitivities ko control karne ko jo managers kar skate hai in order to benefits themselves and hamp
Corporate Governance is interrelated with risk assessment, risk management and internal

It is like business strategies --> risk assessment ---> risk management ---> internal control
1. The BoD and management must work towards setting of business strategies
2. In order to achieve those business strategies the managemebt and BoD needs to consider risk - yah
company me to risk hai hi
3. When the risk is assessed and identified the company must have the steps in place for risk identific
4. In order to have an effective risk management process, the company must have an effective intern
control system is necessary in order to communicate and manage risk.

Therefore, governance, risk management and internal control all rely on each other.

Internal Auditing and Governance

Internal audit is the “eyes and ears” of management - and thus has an important role in the governan
Internal audit is responsible for the following objectives; (financial koi objective nahi hai iska - like ye
statements)
Ethics and values
Organizational performance, management and accountability
Coordinating and communicating information between board, external and internal auditors, and
Communicating risk and control information to appropriate areas of the organization

Internal audit makes reccomendations so as to improve the governance

Principles of good
governance
Board Purpose

Board Responsibilities

Interaction

BoD should be independent

Expertise and Integrity

Leadership

Committees - COMPOSED
OF INDEPENDENT
DIRECTORS only

Meetings

Internal Audit

Compensation

Evaluation

Disclosure

Proxy Access
Kyuki governance majorly influence hota hai BoD se to jyadatar board ka hi kaam hai isme

Board ka kaam hai ki wo company ke stakeholders ke interest ke baare me soche - along woth interna
Major areas of responsibility should be:
- Monitoring the CEO and other senior executives
- Overseeing the corporation’s strategy and processes for managing the enterprise (ye to pata hi tha l
- Monitoring risks and internal controls (ye to pata hi tha last tab se)

In order to have a sound governance, there should be an effective interaction among the board, mana

An “independent” director has no current or prior "professional or personal ties" to the corpor
matlab no
Independent directors must be able and willing to be free from bias in their judgments
The vast majority of the directors should be independent in both fact and appearance.
Expertise - The directors should possess relevant business, industry, company, and governance exper
directors should receive detailed orientation and continuing education to assure they achieve and ma

Integrity - Have an unblemished records of integrity

BoD ka chair and CEO alag alag hone chahiye
If the roles are not separate, then the independent directors should appoint an independent lead direc
The lead director chairs should provide leadership for agenda setting, meetings, and executive sessio

The audit, compensation and governance committees

Ke paas charters or guidelines honi chahiye given by BOD
about their duties and responsibilities, and how they need to report to the Board
Each of these committees should be composed of independent directors only,

Ye important lag ra hai - Each committee should have access to independent outside advis
Board and its committees ko jarur milna chaiye extended period of time ke liye aur regular basis pe m
Saare resources, unrestricted access to the information and personnel milne chaiye unko apne duties
In all public companies, there should be an internal audit committee to maintain full time internal aud
This comittee should report to Chief Audit Executive
INTERNAL AUDIT REPORT SHOULD BE PROVIDED TO THE EXTERNAL STAKEHOLDERS to describe the in
The compensation committee and full board should decide the compensation amount and mix (e.g
directors. Committee ko bohot ache se evaluate karna chahiye short term incentive plan, agar attract
to compnay fuss ho jaegi
Board ke paas koi to process hona chaiye taaki wo CEO ka executives ka other directors ko evaluate k
Ye evaluation jo hai wo shareholder ke hit me hi hai - The evaluation process should be a catalyst for

Board aur company ki activities must be shown and communicated with the shareholders in a teimley
shareholders should be communicated about M&A, financial performace, compensation, insider tradin
The board should have a process for shareholders to nominate director candidates, including access
ownership stakes.
Just Read this - nothing hard
Just remember State Statute here
U.S. corporations are formed under authority of state statutes. Application for a charter must be ma
where it intends to transact business but it may be formed in one state, while at the same time have
to have its principal place of business located in a different state from its incorporation files with the o
corporation in that state. The corporation will owe state income tax, state franchise tax, state sales ta
every state where it is licensed as a foreign corporation.

Har state ki requirment different hoti hai but mostly har state ko "Article of Incorporation" hume d
The components of article of incorporation consists of:
The name of the corporation - cannot be the same as, or deceptively similar to, the name of any other
The length of the corporation’s life, which is usually perpetual (meaning forever).
Its purpose and the nature of its business.
The authorized number of shares of capital stock that can be issued with a description of the vario
Provision for amending the articles of incorporation.
Whether or not existing shareholders have the first right to buy new shares.
The names and addresses of the incorporators, whose powers terminate upon filing.
The names and addresses of the members of the initial board of directors, whose powers c
The name and address of the corporation’s registered agent for receiving service of proce
YE jo hai AOI - ye basic cheeze hai - operations se related nahi hai - Basic cheeze for a company
Incorporators
The persons who sign the articles of incorporation are called the incorporators
Incorporators’ services end with the filing of the articles of incorporation, and the initial board of direc
Incorporators need to be above 18 and citizens of the US

A corporation is usually recognized as a legal entity as soon as the articles of incorporatio

After the article of incorporation is signed and established, the following steps needed to be taken up
Directors are appointed
Incorporatos resign
Completion of organizational structure
Adopt bylaws, a legal document setting forth key rules and regulations governing the corporat
requirements for annual meetings of shareholders
Specifications regarding what constitutes a quorum at a shareholders’ meeting
what constitutes a majority vote on the part of shareholders
Methods of calling special shareholders’ meetings
How directors are to be elected by the shareholders and the number of directors and the length o
How officers are to be elected by the board of directors
How the shares of the corporation shall be represented
Specifications for payments of dividends
How the bylaws can be amended
Elect officers.
Authorize establishment of the corporate bank account, designate the bank, and designate by name t
Consider for ratification any contracts entered into before incorporation.
Approve the form of certificate that will represent shares of the company’s stock.
IT IS VERY IMPORTANT TO NOTE THAT - Corporate bylaws cover details concerning a corpo
board meetings. Articles of incorporation contain basic information , such as the
important legal and tax documents on behalf of the corporation.
AOI AND BYLAWS ALAG CHEEZE HAI - DO NOT CONFUSE AND MAKE THEM ONE

Amending AOI
Most state corporation laws permit amendment of the articles of incorporation
Any amendment to the articles of incorporation must be something that could have been included in t
The board of directors usually adopts a resolution containing the proposed amendment, and then the
After shareholder approval, the articles of amendment are filed with the state authorities. The amend
BUT, if the board wants to change the registered agent - changing the registere
approval
BOD = protection of the shareholders or owners of the company
BOD ensures that the company is operated in the best interest of the shareholder
The board’s responsibility is to provide governance, guidance and oversight to the management of th

Responsibilities
Selecting and overseeing management. The board of directors elects the officers of the company
Because it elects the company’s management, the board determines what it expects from manageme
Top-level strategic objective-setting and strategic planning.
Because of its oversight responsibility, the board is closely involved with the company’s internal
Board members need to be familiar with the company’s activities and environment
they need to commit the time required to fulfill their board responsibilities, even though they may be
Board members should investigate any issues they consider important - They must be willing to ask
They must have access to the necessary resources to do investigations and must have unrestricted co
and its legal counsel
Independent - as BOD is responsible for questioning and scrutinizing management’s activities, it is im

Most boards of directors carry out their duties through committees. Committees of the board of direct
oversight responsibilities. One of the committees whose membership is prescribed by SEC regulations
All of the committees of the board of directors are important parts of the company’s internal contro
The responsibilities of the audit committee are particularly critical.
The requirements for serving on an audit committee of a publicly-held company have been formalized

Really interesting
Good read - According to the NYSE, the audit committee of the board of directors of a corporation “sta
The audit committee of the BOD is made up of members of the BOD who are charged with overseeing
their responsibilities as members of the larger board.

Sarbanes-Oxley Act of 2002:

increased the qualifications required for members of audit committees
It increased the authority of audit committees

The exchanges added to the SABRANES OXLEY that:

Audit committee will oversee the accounting and financial reporting processes of the issuer and audit
If no such committee exists with respect to an issuer, the entire board of directors of the issuer is the

Below are the requirements and responsibilities of the audit comittee - and these are highly regulated

Requirements
the New York Stock Exchange and other stock exchanges states that for listing requirement the comp
Sabranes oxley has no minimum threshold but if the corporation does not form an audit committee, th
All members of the audit committee must be independent - This requirement means that the mem
members and on any committee of the board.
The NYSE requires a five-year “cooling-off” period for former employees of the listed company or o
NYSE states that one member must be a financial expert.
There is no such requirement in the sabranes oxley - but it states that if there is no financial expert in
The members of the AC must be financial literate. If they are not financial literate then they must be fi

Responsibility
The audit committee is responsible for selecting and nominating the external auditor, approving audit
Discussing with the auditors matters required under GAAP auditing standards, and reviewing the audi
The NYSE requires the audit committee to assist board oversight of
the integrity of the listed company's financial statements
the listed company's compliance with legal and regulatory requirements
the independent auditor's qualifications and independence
prepare an audit committee report as required by the SEC to be included in the listed company's
Shall make the rules pertaining to:
Complaints: received by the issuer re- garding accounting, internal accounting controls, or auditin
Agar koi insider complaint karta hia about questionable accounting methods
NYSE requires:
To review the annual and quarterly financial statements and the MD&A
To meet periodically and separately with management and with internal auditors and independen
Review with the independent auditor any audit problems and any significant disagreements with
The audit committee is to set clear hiring policies for employees or former employees of t
subconsciously when seeking a job with a company they audit.
Monitor the internal control fucntions of the company
Authority of the Audit Committee
Can investigate any matter
To engage independent counsel and other advisers, as it determines necessary to carry out its duties

Funding of the Audit Committee

PDF se padh le pata nhai kya likha hai

Responsibility of CEO
By the BOD
Can be extensive or can be limited - depends on the BOD
Shud not chair BOD - The board’s responsibilities include monitoring the CEO, and if the CEO were to

Election of Directors (padh le normal hai)

The shareholders elect the members of the board of directors. Usually, each share of stock is allowed
The length of the directors’ term of office is set in the corporate bylaws. The term is usually one year,
each annual shareholders’ meeting. Holding staggered elections provides for continuity on the board
Who cares about Internal Controls?
Investors
To help them understand management's performace
Financial reliability of the company

Regulatory Bodies
The companies have a potential to make illegal payments to the others in order to get their transactio
Internal control helps in curbing such activities of the company

External Auditor
If the company has a strong internal control the external audito can perform their dutoes efficiently

Customers
the customers are interested ina strong internal control because a strong internal control can help in c

Limit and direct employees’ authority and discretion

So, there has been a huge increase in the number of large orgzanitions.
With a strong internal controls, the company limits/ reduces the dicreti

Internal control define

As you know a strong internal control helps the company in achievinng its objectives
What objective? - operations, reporting, and compliance

Operations
This relates to the efficiency and effectivness of the operations of the company
this decides the resources used by the company efficienctly and effectively
Include operational and financial performance goals and safeguarding of assets against loss
Risk tolerance - the company in the operation objective setting must specify the risk tolerance of the
The risk tolerance will answer the variance of the planned objective with what is achieved

Financial Reporting
Internal and external financial and non financial reporting
Reproting kya honi chahiye - time pe, transparent, expalanatory,
External reporting objectives are driven by rules set by regulators and standard-setters external to th
Internal reporting objectives are driven by reporting requirements established by management and th

Compliance
It is the minimum expected behavior or boundaries the company must follow
It is the laws and rules, etc that the company must follow
If the company is public, then financial reporting is also a part of compliance - falls under financial reo
Company compliance karti hai rules and legislations se - wo uska ek status in minds of customers and
 V V V V V V V V V V IMP
The three categories address different needs and they may be the direct responsibilities of different m
possibly more than one of the three categories.

The three categories of objectives are distinct, but they do overlap. Therefore, a specific control o
of ensuring reliable external financial reporting in accordance with accounting standards also concern
held corporations, complying with the SEC’s reporting requirements in accordance with that body’s re
Fundamentals
Purpose
The purpose of internal control is the achievement of company's O, C and R objectives
The focus is on achieving objectives.

On going process
Internal control is an ongoing process
It is not something that can be done once and be completed. It is a journey, not a destination. It consi

People
Internal control is effected (accomplished) by people.
It is something that must be put into effect by people—it is not policies and procedures. People are loc
staff.
Simply writing policy manuals that call for internal control procedures is not enough. To be effective, p

Flexible
Adaptable and flexible
Adapted by the whole organization or just the subsidiary

Reasonable assurance only (NOT A GUARRANTEE OR ABSOLUTE ASSURANCE)

Internal control procedures can provide reasonable assurance only—not absolute assurance and not a
will be achieved in the three named areas.
V V V V V V Imp next two points - This statement reflects the fundamental concepts that
(1) the cost of an internal control system should not exceed the expected benefi
(2) the overall impact of a control procedure should not hinder operating efficien

Importance of objectives

Kyuki IC ka kaam hai to provide reasonable assurance that the company will be able to meet the O C
Setting objectives is a part of the strategy process by the BOD and Management
IC cannot set objectives

Who is responsible for IC?

BOD
Oversees IC
Oversee me kya kya aata hai?
advice and direction to management
constructively challenging management
approving policies and major transactions
monitoring management’s activities
The board and senior management establish the tone for the organization concerning the importa
CEO
The CEO is ultimately responsible for the internal control system and the “tone at the top.”
The CEO should provide leadership and direction to the senior managers and review the way they are

Senior Managers
Delegate responsibility for establishment of specific internal control policies and procedures to person

Financial Officers
Financial officers and their staffs are central to the exercise of control, as their activities cut acros
However, all management personnel are involved, especially in controlling their own units’ activities.

Internal Auditors - monitoring role

Monitoring role
Monitor karte hai IC set by the departments

Management
The primary responsibility for establishing and maintaining internal control rests with management

All employees
Bottom Up - Virtually all employees are involved in internal control, because all employees produce in
systems into effect
Furthermore, all employees are responsible for letting their managers know if they become aware of p

External parties
External parties provide information that is useful to effective internal control. - However, external pa
1. Control environment
Ethics and integrity
Independence of board from management
Proper talent
Organizational structure, reproting lines and delegation of authority
Accountability of individuals

2. Risk Assessment
Clarity of objectives and objectives must be assessed
Risk analysis and assessment
Possiblity of fraud - director's oversight of IC important
Assessment of chnages that will affect the IC of the organization

3. Control Actions (to minimize risk or bring risk in acceptable levels)

Control activities to minimize/ mitigate risk are thought of here
Control activities for controls over technology are thought of here
Control activities which were thought of in above two steps are deployed through policies
and procedures - RESPONSIBILITY AND ACCOUNTABLITY of the people who are
performing the control activities

4. Information and communication

Relevant and timely information communication to relevant parties - internal external
financial non financial
Timlely internal communication regarding IC - top down and bottom up information
communication
Communication with external parties - shareholders are external parties - regarding the
IC - both incoming and outgoing communication

5. Monitoring Activities
Separate and ongoing evaluations
Evaluate IC deficiencies and taking corrective actions
Effective internal control:

Provides reasonable assurance regarding achievement of an entity’s objectives

BY KEEPING THE RISK IN TOLERANCE or ACCEPTABLE LIMIT
Requires each of the five components to be working and operating together in an
integrated manner

What happens when the effective internal control is there in the organization
1. The senior management and BOD have reasonable assurance that operations
are managed effectively and efficiently
2. Prepares reports in conformity with applicable rules, regulations, and standards
or with the entity’s specified reporting objectives.
3. Complies with all applicable laws and regulations.
Transaction Control Objectives: AACVPPS
Authorization
Completeness - All valid transactions are included in the accounting records.
Accuracy - accurate, are consistent with the originating transaction data, are correctly classified, and
Validity - are lawful, and have been executed in accordance with management’s authorization
Physical safeguards and security. Access to physical assets and information systems are con- trolled a
Error handling. Errors detected at any point in processing are promptly corrected and reported to the
Segregation of duties. Duties are assigned in a manner that ensures that no one person is in a positio

Transaction Control Activities

Authorization and approvals
Authorization confirms that an event is valid and is an economic event
Authorization generally is in the form of an approval by a higher level of management
It can also be about automatic approval - like automatically approving for payment in the tolerance lim

Verifications
Items are compared with one another or an item is compared with a policy, and if the items do not ma

Physical controls
physical access restricted to authorized personnel and are periodically counted and compared with am

Standing data - Information held on file in a computer for long-term use because it does not often cha
Controls over standing data
Standing data, such as in a master file containing prices or inventory items, is often used in the proce
Controls need to be put into place over the process of populating, updating, and maintaining the accu

Reconciliations
Reconciliations compare two or more data elements and, if differences are found, action is taken to m
For example, bank account balance is compared with the balance in the bank account according to in
Invebtory reconcilliations

Supervisory Control
Determine whether other transaction control activities are being performed completely, accurately, an
For example, a supervisor may review a bank reconciliation performed by an accounting clerk to chec
on the statement and whether reconciling items have been followed up and corrected and an appropr
Physical safegurading of assets

Proper control activities should be in pace in order to safeguard the assets from unauthorized acquisition, loss d

NOTE: Loss arising due to ineffeicient allocation, waste, inefficiencies and poor business decisions is not because

Seggregation of duties
Different people must always perform the following four functions of related activities:
Authorizing a transaction
Recoring a transaction
Physical custody of the asset
Reconciliation

Example:
Inventory control and purchase:
Authorization: Purchasing Manager
Recording: Receiving department
Physical Custody: Warehouse department

Reconciliations: Inventory Control personnel perform physical inventory counts and tells it to accounting departm
Accounting Department personnel #1 reconciles physical inventory counts to inventory on hand record
Accounting Department personnel #2 adjusts inventory on hand records to the physical inventory count
Accounting Department personnel #3 prepares the journal entry to adjust inventory in the general ledger to the

Accounts Payable
Authorization: The Accounts Payable Manager approves payments after reviewing the purchase order, receiving
Recording: Accounts Payable personnel record payments
Physical Custody: The Treasurer’s Office has custody of blank check stock and prepares checks for suppliers.
Reconciliations: Accounting Department personnel reconcile vendor accounts payable records to accounts paya

Credit Sales

Authorization:
Sales manager approves sales
Credit Manager approves credit terms and conditions
Accounts Receivable Manager approves invoices, write-offs of delinquent accounts, and sales returns for credit.
Recording: Billing Department personnel invoice customers
Accounts Receivable personnel record receivables and record write-offs of delinquent accounts after approval fr
Physical Custody: Warehouse personnel have custody of inventory until sold. Inventory is released to the Shippi
Reconciliations: Accounting Department personnel reconcile the accounts receivable journal to accounts receiva

Cash collections
Authorization: Accounts recievable manager authorizes the cash collection from customer to their payments acc
Recording: Accounts recievable personnel will record the reciept of the cash from the customer
Physical Custody: of cash will be in custody of the cashier. Two Cashiers’ Department employees should receive
Reconciliations: Ofcorse accounting department (AR department and accounting department are separate)
Payroll processing (VVVVV imp)
Authorization: The Human Resources Department approves new employees to be added to the payroll and their
and notifies the Payroll Department of terminated employees.

Recording:
Record keeping: Payroll Department personnel #1 adds new employees to the payroll and deletes terminated e
Payroll Department personnel #2 makes changes to employee information and deductions, calculates wages pa
deductions to be used in compiling the journal entry to record the payroll and to prepare payroll tax returns

The personnel in the Payroll Department who calculate the wages and those who are able to modify the employ
Custody: Blank check ki custody tresaurer office ke paas hai
Reconciliation:Reconciliation: Accounting Department personnel reconcile the payroll system to the general ledg
statement.
If a person who receives cash also prepares the deposit slip to deposit the cash in the company's account, that p
deposit slip) that will be used to record the transaction

A utility company with a large investment in repair vehicles would most likely implement which internal control
Two options were looking fit for this:

Maintaining the vehicles in a secured location with release and return approved by a custodian is a preventive c
Periodically taking a physical inventory and reconciling the results with the accounting records is an important d
above

Meaning of transposition - the transfer of any term of an equation from one side over to the other side with a co
When a difference can be divided evenly by 9, a transposition error may have occurred during data input where
transactions exactly equal to the amount of the discrepancy or transactions equal to half of the discrepancy. In t
Access to records and documents
Checks should be stored in a locked area and access to them should be limited to personnel who have responsibility
The checks should be pre-numbered
The check numbers should be recorded in a log as they are used
Any checks discovered missing should be promptly reported to supervisory personnel.

Purchase orders should also be pre-numbered, numbers logged as used, and access to them similarly re- stricted.
Corporate credit cards should be kept in a locked cabinet and access to them controlled

Access to assets
When cash must be stored until it can be deposited, it should be kept in a locked, fireproof file cabinet or safe und
personnel who have responsibility for preparing checks, subject to authorization and approvals by other individuals

s to them similarly re- stricted.

, fireproof file cabinet or safe under controlled access.

s by other individuals
External auditors perform audit functions for
Public, private, government and Not for profit orgs.

Services
To provide an opinion as to whether the financial statements of the organization have been prepared correctly,

Two organizations in the US oversees external audit process

American Institute of CPAs - AICPA
PCAOB
There functions are similar, but PCAOB requires additonal quality confirmations from the external auditor of a pu

Opinion of the external auditor (only responsiblties)

1. Financial statements - An opinion on whether the financial statements present fairly the financial position of t
are in conformity with the applicable financial reporting framework. The opinion should also include an iden
2. Internal controls - An opinion on the effectiveness of the company’s internal control over financial reporting

What is NOT their responsibility?

Sirf ye dekhna hai ki financial statements fairly presented hai na accounting standards se; and internal controls
Opinion ye nahi dena ki kaha improvements ho sakti hai
In its capacity as auditor, the independent auditor has no responsibility to make recommendations or suggestion
The independent auditor has no responsibility to follow up any audit findings from the previous year

Four types of Audit Opinions

Unqualified - rsults are clean - yes they are fairly presented

Qualified - meaning that the financial statements do not present a true and fair picture, but this does not means
2. HOWEVER, it does prevent the auditor from issuing an unqualified opinion.
3. Say, 1-2 elements of financial statements were not fairly presented
4. The scope of external audit was restricted due to some restrictions
5. The external auditor states that except of these itesm , the financial statements are fairly presented in all ma
with generally accepted accounting principles.
Adverse - that there are many erors and non compliance with the GAAP satandards and principals that in the au
Adverse opinions are seldom issued because most companies change their accounting upon the instructions of t
present a fair and true picture.
Disclaimer - A disclaimer of opinion is used when the auditor has not been able to gather enough information on

Note: External auditors will never use the term "correct"

Rather, an audit report will say that the "financial statements present fairly, in all material respects, the financia
Fairly presents also does not mean that the statements are 100% accurate - but there are no material errors or

An auditor gives the company a list of accounting adjustments a company need to make, if the company makes
If the company makes all of the adjustments except one or two - then it is a qualified adjustment
If a company does not mke a lot of those adjustments then adverse
So the company is generally told by the auditor that these are the financial statements that the auditor thinks a
Critical Audit Matters
The PCAOB requires the auditor to include a determination of Critical Audit Matters (CAM) in the audit report:
A critical audit matter is any matter arising from the audit of the financial statements that 1. relates to accounts
auditor's judgement

Going concern opinion (easy just read once)

- The auditor must also evaluate whether substantial doubt exists about The company’s ability to continue as a
company will no longer be in existence by The time The auditor does The next annual audit. Some of The factor
financing, and work stoppages. The auditor also considers external issues, like legal proceedings and The loss o
- If The auditor is not satisfied by management’s plans to overcome The problems and remain in business and h
explanatory paragraph to The opinion describing The problem.
- doubt about The company’s ability to stay in business does not prevent The auditor’s opinion from being unqua
operations and cash flows of The company, in conformity with generally accepted accounting principles, and The
- However, If in the auditor’s opinion The company’s disclosures with respect to its ability to continue as a going
accounting principles exists. The departure from generally accepted accounting principles may result in either a

Internal Control Opinion

The audit of internal control over financial reporting should be integrated with the audit of the financial stateme
The internal control framework used by the independent auditor in attesting to and reporting on the effectivene
its assessment of the effectiveness of its ICFR

Reviews and Compilations

Done for are unaudited financial statements or other unaudited financial information used by nonpublic entities

Review
A review report consists of a statement that the accountant has reviewed the financial statements; that a review
of company management; that a review is substantially less in scope than an audit, the objective of whic
not express such an opinion.

Complialtion
A compilation is simply a formatted financial statement presenting the assertions of management without perfo
A compilation is less in scope than a review and significantly less in scope than a full audit, and it provides no as

Audit risk
The risk that the audit opinion is incorrect, When we say that the opinion is correct and it is not. In such situation
have not detected and gave a unqualified opiion

Inherent risk - no internal control - that there is a mistake there

When there are no internal control - just like they are inherent to a particular area - due to the complexity of an
inherent risk due to low complexity.

Control Risk - after internal control

The risk that even after internal control the material misstatement is not detected. This is the client area and th
risk
Detetction Risk -
Now the statements has reached to the auditor, and the auditor missed the material mistatement after the audi
Information systems characteristics
Availability
Confidential - must be confidential and must not be avialble to unauthorized people
Intergrity - reliable and accurate

Threat to Information system

Input Manipulation
Program manipulation - the codes that run behind the websistes
Hardware can be stolen
Virus and trojan Horses can infect a system
Unautjorized persons getting access to the system
Data theft
Data alterations
Facilities where systems are physically present must be safeguarded

General Control
IT Systems means all electronic data processing, information, recordkeeping, communications, teleco
all computer programs, software, databases, firmware, hardware and related documentation) and Inte
Potential for fraud is always present in organizations and is a serious problem
The concentration of data storage creates exposure, as well
The potential for fraud is further increased because of the fact that programs are used for the process
Fraud can potentially be committed within the program itself
To further complicate the situation, audit trails exists only for a short period of time and they are dele

Audit trail
An audit trail is a paper or electronic record that shows a step-by-step documented history of a tran
It enables an auditor or other examiner to trace the transaction from the general ledger back to the so
The existence of an audit trail means that an amount appearing in a general ledger account can be ve
The audit trail must include all of the documentary evidence for each transaction and the control te
properly authorized and properly processed
When an audit trail is absent, the reliability of an accounting information system is questionable

Objectives of Systems Control

It is actually same as of that of Internal control of an organization
1. Operations - efficiency and effectives of operations and use of resporces as inputs in order to achie
2. Financial reporting - accuracy and credibility of accouting data
3. Compliance - Assuring compliance with all laws and regulations and adherence to managerial polici
4. Safeguarding assets.
Effective system controls are the first line of defense against events such as these incidents an
Part 1 of GC - General Controls Segregation of duties and supervision
GC are controls that safeguard the overall integrity of the system
General controls refers to the control environment where transaction processing takes place
GC are designed to make sure that the company's control environment is stable and well managed. A

General controls - organization and operation of the computer facilities and resources
Adminstrative controls - segregation of duties
Accounting jaise authorization, recording, custodian and reconciliation jaisa hai waisa yaha nahi hai
The segregation of duties are:
Separate IT people from people of other departments (IT people and IT users)
IT ke personnel - IT ke users ke and jinko IT department support karta hai us se alag hone chahiye
People who design, program and maintain the system should be different from the users of systems

Separate Responsibilities within the Information Systems Department (within IT departme

Resp of personnel within the IT department bhi segregated honi chahiye
Kisike paas unlimited access hai system ki, data ki, programs ki - he can execute the fraud easily
THEREFORE, effective segregation of duties is through seperating the AUTHORITY and RES

Following are some of the various positions within a computer system, the responsibilities of each, an
Systems analysts - that the current system of the organization is meeting the needs of the compan
software or data files. These people designs systems for application prgrammers using flows charts et
App Programmers: write a code/program for a computer program - These people write test and deb
controls. For example, if a bank programmer were allowed access to actual live data and had borrow
they should work with copies of records only and should not have the authority, opportunity, or ability
change production programs. They should submit changes to the change control unit for p
Computer operators - Who run the programs on a computer. A computer operator is a role in I
REAL WORK OF PROCESSING THE DATA. They should not be able to modify the programs.
Their job responsibilities should be rotated so no one operator is always overseeing the running of the
Most important segregation of duties - programmer and operators

Transaction authorization: ONLY BY USERS - No personnel in the Information Systems group shou
the input has been authorized and that the proper batch control totals have been prepared.

Data control group - come in peridodically and do review and tests of input procedures, monitor the
for correcting errors relating to programs or systems- The data control group receives user input, logs
corrected
The group personnel also maintain registers of computer access codes and coordinate security contro
They must keep the computer accounts and access authorizations current at all times - Jaise mera acc
They should be organizationally independent of computer operations
System control personnel, not computer operators, should be responsible for detecting an
Data conversion operator: Should only convert data and nothing else. They should have no access
Librarians (as name suggests) saare documents, saare data apne paas rakhta hai. Sirf unhi ko acc
The librarian maintains records of all usage, and those records should be reviewed regularly by the da
Only authorized people should be able to call program vendor technical support departments. If vend
for fixing problems only to employees who are authorized to receive such instructions.
The database administrator controls access to various files, making program changes, and making sou
The location of any off-site storage facilities should be known by as few people as possible.
No Information Systems personnel should have access to any assets that are accounted for in the com
2. Part 2 of GC - General Opertating Procesures
Policies and procedures should be established formally
Accountabilities and responsibilities should be clearly specified.
Procedures should be documented and kept up to date for all IT operations
Personnel should be trained in their jobs
Assigned duties should be rotated periodically for key processing functions.
Should provide policies to be followed in system and program development and changes
REMEMBER SYSTEM AND PROGRAM - Har jagah use hua wa hai

3.1 Software controls

Monitor use of S/W
Prevents unauthorized access
System software control - overall control functions for the application programs.
Program control - prevents unauthorized access

3.2. Hardware controls

(PDF - only imo things here)
A defined backup procedure should be in place, and the usability of the backups should be verified reg
Insurance is a last resort

Malfunctioning of computer hardware

Parity check - alteration of bits within bytes due to equipment malfunction
Echo check - data sent is identical to data received

Computer controls under hardware controls

Checkpoint - Checkpoint control procedures are performed several times per hour, and during that tim
Roll back - agar system fail ho gaya to system will revert back to the last saved data
Routing procedures protect against transactions routed to the wrong computer network system addre
Message safeguarding - saves the whole or part of a message from being los

Business continuity planning and disaster recovery are also pa

3.3 Access Controls - Logical and Physical
Logical Controls for s/w - unauthorized access, change, or destruc- tion.
Logical Controls for h/w - theft, unauthorized use and damage
PDF

Data Security control

Subset of logical access
Prevent unauthorized use of data
Data files can be controlled more easily in batch systems than in online input and real-time systems b
Data files that are maintained offline should be secured in locked storage areas with tight controls for
storage device

File and storage security are also part of data securtiy control
read-only file
Labeling the contents of discs
Database Management Systems use lockout procedures to prevent two applications from updating th
The librarian’s function is particularly critical HERE
Logical security also includes Internet security (firewalls) and virus protection procedures.

Physical Security (read pdf)

PDC - App control focuses on preventing, detecting and correcting errors in a transaction - as they flow from IPO - im
Application control is like specific controls in an individual application in a computer system - like app for accnts reci
Objectives
1. Accuracy of data (input)
2. Completeness of data (input)
3. Validity of data (input)
4. proper processing of data (processing)
5. Output is accurate and complete (Output)
6. Now I P O is done, we need report to track progress of data from input to storage to output.
3 Categories
Data Observation - Correct the data before adding the data into the system
Data Transcribing - data is correctly being entered into the system
Edit Checks - check validity of the data after the data has been entered in the system

Input data - (remember these 3 things)

1. Data being enter have MANAGEMENT AUTHORIZATION
2. Are ACCURATE AND COMPLETE
3. Are in machine sensible form
Input stage is the stage where the maxium errors can occur due to maximum human presence here
Input stage also tells us that the data have not been lost, suppressed, added, or changed in any manner - due to

Data Observation - Correct the data before adding the data into the system
Feedback mechanism - sales person customer se hi feedback le ra hai ki jo usne order dia hai wo ek baar wo
Dual observation - two or more employees sees the data to be input
Point of sale devices - automating with no human inteference decreases input error substanitally - like barcod
Preprinted forms such as demand drafts or forms for submissiong where the data is already printed
Batch control - so the Tx are grouped in bacthes and are linked to a proxy total to check that data is not lost d
as total sales revenue in a batch of billings. The application recalculates the batch total and compares it with the
Batch control totals do not work as well with real-time systems, because input is entered at remote
Batch control totals can also be calculated and used for non-financial fields in transactions. For inst
Transaction trails should be created by the system that show the date, terminal ID, and individual responsible

Data Transcription - checking the data while inputting the data

IMP - SOURCE DOCUMENTS should be formatted in a way to assist in the process of input
Format checks - data is being input under the correct format / mode - like date under the date field, text under n
Preformatted form hona chahiye in the format of database terminal - like if an imput required is date and the for

Edit Checks
Completeness - Name and Last Name - if only name then the data is incomplete. Under age, only numericals a
Limit Checks - which ensure that only data within predefined limits will be accepted by the system - age shoul
Validity checks - as in the deisred outcomes me se hi data pick hona chaiye - like yes, no, may be - it will not t
an acceptable set of characteristics
Overflow checks - data entered is not above the capacity fo the field - say only 10 digits for phone number
Check digits - A check digit is a number that is a part of an account or other type of number. The check digit is
be incorrect, and the system will generate an error message and refuse to accept the input. Checks Transpositio
Key verification - If an input is done twice and and comparing the two results. Like enter password and re-ente
Hash total - not the monetary totals but tagging thre proxy total to non monetayr information. This is just for c
Format checks - as stated above
Reasonableness checks - Compare input with other information in existing records and historical information
so it is a candidate of verification
Numerical checks - fields allowing only numerical data
Processing Controls
Gives us the reasonable assurance that the processing of data has been done correctly and no data is lost or ma
Overlaps with general Controls
Can be divided into:
Data Access Controls: Like input controls and helps control the input of data and its accuracy
Data Manipulation Controls: System ne theek se process kia hai na data

Data Acees Controls

Transmital Documents - are used to control movement of data from the source to the processing point or from o
Batch Control - Same as input controls
Hash Control - same as input controls
Record Count - Number of record are checked twice - one at imput one at priocessing

Data Manipulation - That the data is processed properly by the machine

Software and system documentation - that the processing softwares are complete and thorough for the data ma
Erorr testing compilers - to make sure that there are no programming language errors
User acceptance testing - Application processing is meeting the user requirements
Test Data - can be used to test a computer program.
System testing - many computer applications are interrelated, output of one system is used as input of other - S

Read the below once - self explanatory

Batch balancing is comparing the items actually processed against a predetermined control total
Cross-footing compares the sum of the individual components to a total.
A zero-balance check is used when a sum should be zero. All of the numbers are added together and the total is compared
Run-to-run totals are output control totals from one process used as input control totals over subsequent processing.
Computer programs are error tested by using a compiler, which checks for programming language errors.
Output Controls
Activity, or proof, listings that document processing activity provide detailed information about all changes to m
went along with the input and processing functions in order to confirm that all of the transactions were processe
Transaction trails should be available for tracing the contents of any individual transaction record backward or f
Output totals should be reconciled with input and processing totals - ofcorse. And if the differneces have occurre
A suspense account is used as a control total for items awaiting further processing, such as a file of back- ordere

Output control also includes review of the processing and error logs by the control group to determine whether
violated some detective control and need to be inves- tigated, such as a list of all past-due accounts sent to the
Upstream resubmission is the resubmission of corrected error transactions as if they were new transac- tions, so

Printed Output Controls

Forms control: Control over physical forms of things like blank check (form is not the form jo tu soch ri hai - pape
Read only:
Checks should be kept under lock and key, and only authorized persons should be permitted access.

However, another control is needed with checks, because checks are pre-numbered. The preprinted check numb
numbers on the checks are sequential; the system-generated numbers also are sequential. The starting system
physical check number of each check in the check run does not match its check number in the system, an inves
number of the first check printed does not match the preprinted number on the first check in the stack to be pri

Distribution of report: (authorized recievers) Output control also concerns report distribution. For example, a pay
distribution procedures should be documented along with an authorized distribution list specify- ing authorized r
distributed to each person on the list. For a confidential report, it is preferable to have a representative pick the
the reports. The employee’s supervisor should make random checks on the report distribution.
Shredding: Confidential reports should be shredded when they are no longer needed.
Risk Assessment and control initiatives

A company’s reaction to a possible internal control failure should be a function of both the likelihood of a failure

All else being equal, preventive controls are usually preferred because preventing unethical activity is more cos
cost benefit analysis, and if preventive measures are costlier than detective measures then we need to see wha
analysis is recommended
During an audit, an auditor assesses the adequacy of internal controls. An auditor considers what to audit and th
The purpose of separating the functions is PREVENTION and NOT MINIMIZING
Human resource department - The Human Resources Department approves new employees to be added to the
employees’ paychecks, and notifies the Payroll Department of terminated employees.
Collusion is an internal limitation of interanl controls
The Accounts Payable Department prepares a voucher from a vendor’s invoice only after examining supporting
Cashier prepares a deposit slip and deposit the money to bank - this is okay. As it is a custodian function only.
A controller oversees an organization's daily accounting operations, including the accounting, payroll, accounts
Fidelity insurance - A fidelity bond is a form of business insurance that offers an employer protection against los
against monetary or physical losses.
Payroll preparation and payment to employees should be segregated because they are incompatible recordkeep
A lockbox system for collecting cash receipts from a customer is a safeguarding control that limits access to an
Effective internal control reduces the need for reviewing exceptions reports on a day to day basis - An exception
expectations, usually in a negative direction. Also called variances.
Paychecks should not be distributed by supervisors because an unscrupulous person could terminate an employ
An accounting control is concerned with the safeguarding of assets and the reliability of financial records, where

Question types
Question asks for prevention - 3 options talk about detection and one talks about prevention
ARCR - This is a common one
Whenever they ask about limitation of IC - look for collusion options in the question
Things not considered as IC can be general business functions of the company - waste inefficiency and delayed
Treasurer ke paas generally custodian functions hote hai cash ke stocks certificates ke
Likelihood Impact Control Initiatives
High High Adjust the strategy to avoid failures
Implement internal controls to prevent or
High Low
detect the failure
Low High Sharing/ Insurance
Accept the risk of the failure and not do
Low Low
anything