
CHAP 5: INTRODUCTION TO INTERNAL CONTROL & INFORMATION FLOWS

1. What is internal control?


 System of internal control: The system designed, implemented and maintained
by those charged with governance (the directors/BOD, responsible for strategic
oversight), management (responsible for the conduct of the entity's operations) and other
personnel, to provide reasonable assurance about the achievement of an entity's objectives:
compliance with laws & regulations, reliability of financial reporting, and efficiency/
effectiveness of operations.
Company objectives:
 to ensure it reports its financial position correctly to shareholders
 to ensure that it operates effectively and efficiently
 to ensure that it complies with relevant laws and regulations
=> The management will take the following steps:
 Step 1: Identify risks to these objectives not being fulfilled
 Step 2: Implement internal controls to mitigate this risk
Reasons for IC:
 minimising the company's business risks
 ensuring the continuing effective functioning of the company
 ensuring the company complies with relevant laws and regulations
=> working towards the ultimate goal that the company continues to operate. (For example,
if the company failed to comply with relevant laws and regulations, it might be forced to
stop operations)
 Limitations of IC: human element, collusion (to override or avoid controls),
unusual transactions
2. Components of a system of IC: it comprises 5 components.
 The control environment: includes the governance and management functions and sets the
tone (culture), attitudes, awareness… of an organisation, influencing the control
consciousness of its people.
+ COSO: Sub-elements for the auditor to consider: (Principles of CE)
 Integrity and ethical values
 Commitment to competence
 Participation of the board of directors or audit committee
 Management’s philosophy and operating style
 Organizational structure
 Assignment of authority and responsibility
 Internal audit & HR
+ Principles of CE
| Contents | Details |
|---|---|
| Attitude and viewpoint of BODs | Directors set the tone by taking controls seriously and applying them => other staff will be encouraged to do the same. |
| Human resource policies | Promote best practice in recruitment, training, promotion and compensation => employees feel valued and are able to perform their roles. |
| Authority and responsibility | Will be assigned to appropriate levels, and staff will be made aware of their specific responsibilities. |
| Role of CE | Important to the auditors in their risk assessment process. (If the CE is strong, auditors will rely more on the controls system in the entity than if it is weak.) CE is only one component of the overall system of IC. |
+ Audit committees: an important aspect of the CE => a sub-committee of the BOD
responsible for overseeing an entity's IC structure, financial reporting and compliance with relevant
laws and regulations.
 It is comprised of non-executive directors. The audit committee roles:
o to review the integrity of the FSs and formal announcements relating to the
company's performance
o to review the company's internal financial controls and risk management systems
o to monitor and review the effectiveness of the company's internal audit function
o to make recommendations to the board in relation to the external auditor
o to monitor the independence of the external auditor
o to implement policy on the provision of non-audit services by the external auditor
=> The key issue for the audit committee is the financial statements; it also has
responsibilities for supervising risks and monitoring controls
 The entity's risk assessment process is an iterative process for identifying and
analysing risks to achieving the entity's objectives.
+ Principles of RE:
 Specifies suitable objectives
 Identify, analyze and respond to risk
 Assesses fraud risk
 Identifies and analyzes significant change
+ Risk can arise or change due to:
| Potential changes | Example |
|---|---|
| Changes in operating environment | regulatory, economic or operating changes |
| New personnel | new staff who lack experience |
| New or revamped information system | a new or improved information system |
| Rapid growth | increases the risk of control breakdown |
| New tech | changes the risk associated with IC |
| New business models, products, or activities | new risks: the entity has little experience of the new area |
| Corporate restructurings | staff reductions and changes in supervision and segregation of duties => increased risk |
| Expanded foreign operations | may carry new risks, eg, from foreign currency transactions |
| New accounting pronouncements | new accounting regulations and guidance |
| Use of IT | maintaining the integrity of data; risks to the business strategy if IT does not effectively support it; changes / interruptions in the IT environment |
+ RE process: identify relevant business risks => estimate the significance of the risks =>
assess the likelihood of occurrence => decide upon actions (IC, insurance,
changes in operations) to address them.
 Control activities are the heart of the system of IC, comprising policies and procedures
which may prevent or detect and correct errors (the auditor will concentrate on understanding
them, eg, whether a control is preventive, detective or corrective)
+ Types of controls: manual control or automatic/computerized control (IC = both)
+ Auditor's approach: the auditor's approach depends on the degree of automation of IC.
 Smaller or less complex entities rely more on manual control systems.
 Manual control more appropriate where judgement is required eg, for large or unusual
transactions.
 Large number of similar transactions => well-designed and implemented IT systems
are likely to be more effective.
 IT controls come with both benefits and drawbacks. For instance:
o benefits: ability to consistently (nhất quán) process large volumes of data;
o drawback: incorrect processing of data => errors
 Type of control activity
o Authorisation and approvals: approval of transactions
o Reconciliations: compare 2 or more data elements
o Verifications: compare an item with a policy
o Physical or logical controls: physical security, authorisation for access to
programs/data, periodic counting and comparison with amount shown on
accounts
o Segregation of duties: assigning different individuals the responsibilities of
authorising, recording, custody
+ The ICs in a computerised environment include both manual procedures and computer
procedures => comprise two types of control:
o information processing controls: relating to the processing of information in IT
applications or manual information processes that directly address risks to the
integrity of information (ie, the completeness, accuracy and validity)
o general IT controls: Controls over the entity's IT processes that support the continued
proper operation of the IT environment, including the continued effective functioning
and the integrity of information
+ Examples of general IT controls:
 The information system & communication: financial reporting system, procedures and
records established to initiate, record, process and report entity transactions and to maintain
accountability.
+ The auditors will be interested in:
• the classes of transactions that are significant
• the procedures by which transactions are initiated, recorded, processed, corrected and
reported;
• the related accounting records and supporting information;
• how the information system captures events other than transactions that are significant to
the FSs; and
• the process of preparing the FSs.
=> involve the financial controller and/or director and the use of journals
=> The auditors will be interested in how this process links in with other internal controls and
whether those controls are overridden or ignored
 All control systems should be monitored.
+ entity review overall control system => it still meets its objectives, still operates effectively
and efficiently, and corrections are made on a timely basis.
+ smaller companies do not have internal audit => use of auditor feedback to ensure that
controls continue to operate efficiently.
3. Documenting the IC system:
 Narrative notes: simple IC systems, typed and explained each stage in detail
 Diagrams (flowcharts, organisation charts, family trees – record relationships and
reporting lines, records of related parties): excellent and comprehensive way of recording
systems but time consuming and difficult
 Questionnaires and checklists: a series of questions to help the auditor assess the strength of
the system of controls
CHAP 6: REVENUE SYSTEMS

1. Ordering:
 It is vital that all orders are accurately recorded and detailed, to provide users with the
information required to process valid transactions.
 Key risks: accepting customers who are a poor credit risk => not fulfilling orders
 Key controls: authorising credit terms, ensuring orders are matched with production &
delivery
 Risk and control objectives:
 Orders may be taken from customers who are not able to pay => goods are only supplied to
customers with good credit ratings
 Orders may be taken from customers who are unlikely to pay for a long time => customers
are encouraged to pay immediately
 Orders are not recorded properly, not fulfilled, or lost => orders are recorded correctly and fulfilled
 Controls:

 Tests of control: depend on the exact nature of the control and the business
2. Despatch and invoicing
 Goods despatched must have invoices, invoices must be complete, accurate
 Key risks: despatching goods but not invoicing them
 Control to mitigate that risk => matching (reconciling) despatch records to invoices

3. Recording:
 Accuracy and completeness are important in ensuring that the financial records reflect the
financial activities of the business
 Key risks: failing to record sales => payment is not remembered
 Controls: various methods of prompting payment
4. Cash collection:
 A risk is that cash is misappropriated before recording and/or banking.
 Segregation of duties is very important
 The risks relating to cash and the controls that have been implemented to mitigate these risks
must be tested as part of the audit.
 Most businesses will settle amounts owed to suppliers by bank transfer or BACS payments.
 Retail organisations and small businesses may still have significant amounts of cash on site
CHAP 7: PURCHASE SYSTEM
1. Purchase ordering:
 Monitor purchases carefully => maintain the required amount of INV, ensure that the best
price is achieved; buying a large amount of items => higher discounts => has a bad effect
on cash flow
 Key risks: purchases for personal use/ not made on the most advantageous terms
 Authorisation is therefore an important control

2. Goods received and recording invoices


 All orders must be checked and verified for quantity and quality => prevent delays
 Goods received record = Goods received note
 Risks: accept goods not ordered or invoices for poor quality goods
 Controls include matching goods received with orders
3. Payment
 Payments need to be verified for accuracy, to confirm the business is paying valid purchase invoices
 Invoices should be checked back to the original orders and goods received, any shortfalls in
items received must be reflected in the invoice
 Payments might be made to the wrong person and should be authorised
CHAP 8: EMPLOYEE COSTS
1. Calculating wages and salaries
 Valid employees should be paid for the work that they have performed
 Directors ensure that salaries are calculated accurately
 Key risk: paying employees too much
 Key control: authorisation (time records or of changes to the payroll)

2. Recording of wages and salaries and deductions


 Risk: not recording wages => incorrect payments
 The payroll should be prepared, checked and authorised
3. Payment of wages and salaries
 Risk: payments are made incorrectly => authorisation should prevent this
