3.1.

Management Responsibility for Internal Control

Course tittle: Principles of Auditing
v Objectives: Internal control is designed and implemented to address business
risks that threaten any of entity’s objectives (compliance, operation, and reporting)
(ISA 315).

Topic 3 – Part 2 v Management roles:

o to initially achieve a satisfactory internal control,

o to maintain control over operations and accounting data,
Internal Control o to adopt, maintain and supervise an appropriate internal control system.

v Level of assurance: Reasonable assurance (đảm bảo hợp lý)

Lecturer: Nguyễn Hoàng Tố Loan

Auditing Department, School of Accounting, UEH 3

Why does the system of IC only provide a Reasonable Assurance?

3. The Understanding and Assessing Internal Control by Auditors
Inherent limitations of internal control
Contents
v Internal control cannot assure a reliable financial report because it has inherent
limitations.

3.1. Management responsibility for internal control v Inherent limitations arise because of:

3.2. Audit strategy and internal control o Control breakdowns as a result of the actions of careless, fatigued
(tiredness) or deviant (abnormal) staff.
3.3. Steps of Internal Control Evaluation by Auditors o The possibility of management override.
o Collusion: secret or illegal cooperation of employees.
o Faulty judgment in decision making.
o The existence of non-routine transactions for which internal controls were
not devised (designed).
2 o Cost-benefit analysis. 4
Review: Why Reasonable Assurance? 3.2. Audit strategy and internal control
Inherent limitations … v Auditor: The risk of material misstatement at the financial report level is
affected by auditor’s understanding of the control environment (ISA 315).
Breakdowns à errors vs mistakes

People Collusion è Auditor’s requirements:

Management override
o to obtain an understanding of internal control relevant to the audit.
Faulty judgment o to assess risk of material misstatement is affected by their understanding of the
control environment
o Assertion level: Auditor needs to consider control risk in their assessment of risk of
material misstatement
Non-routine transactions

Cost-benefit analysis 5 7

3.2. Audit strategy and internal control

What is Control risk?
It’s the basis of our preliminary
assessment of control risk;
v Control risk (Rủi ro kiểm soát): is the risk that a material misstatement could
And, it is our evaluations of the extent to
Why do you need to obtain which controls may be replied on to
occur in an assertion and not be prevented or detected on a timely basis by the
an understanding of our entity’s internal control.
assure the accuracy and reliability of
company’s internal accounting records.
control? v If control risk is assessed at less than high, tests of control (TOC) need to be
performed to gain evidence that specific control activities have been effectively
and consistently applied throughout the period under audit.

v Tests of control will be discussed in 3.3.

6 8
 3.3. Considering internal Step 1: Obtain the understandings of internal control (IC)
control in a financial report
audit
v For every audit è An auditor must What? How to understand?
obtain sufficient understanding of
internal control to plan the audit and v Understandings of all 5 v An auditor gains an understanding of the control
determine tests to be performed. components of IC environment by:
v Consider internal control for each
business process o Making inquiries of key management personnel
è Steps of Internal Control Evaluation by Auditors (phỏng vấn)
(Figure 1) How to o Inspecting documented policies and
document? procedures (thu thập và nghiên cứu tài liệu)
o Observing activities and operations (quan sát)
1. Obtain the o IC questionnaires and checklists. o Considering past experience with the client
understandings of o Narrative memoranda — written (kinh nghiệm kiểm toán trước đây)
internal control (IC) description of IC policies & procedures.
9 o Flowcharts. 11

2. Make Documenting the understanding of internal control

preliminary
assessment
Narratives Questionnaires Flowcharts
of control risk or checklists
(Baûng töôøng thuaät) (Löu ñoà)
(Baûng caâu hoûi)

3. Performing
Tests of
controls

4. Performing
Substantive
procedures

(Figure 1 (cont.)
Walk-through
10 12
Example:
Typical (1) Assessment of control risk as HIGH
credit sales
flowchart
HIGH control risk
v The auditor may assess control risk as high because the
entity’s internal control policies and procedures in the area:

Ø Are poor and do not support less than a high assessment

Ø May be effective, but the audit tests would be more time-consuming

than performing direct substantive tests. (No cost-effective)

Ø Do not pertain to the particular assertion.

The auditor will not undertake test of controls (TOCs)

à Perform additional substantive audit procedures (Sub-tests)

15
(refer to Figure 1)
13

Step 2: Assessing control risk (2) Assessment of control risk

After obtaining an understanding of the five components of internal control (step 1),
à the auditor assesses control risk for the assertions (Cơ sở dẫn liệu) in the
related account balances, transaction classes and disclosures.
Then, the auditor must decide whether to assess
control risk for a particular assertion as
HIGH or as LESS THAN HIGH
as LESS THAN HIGH
Less than HIGH control risk
The auditor may decide to assess control risk as
less than high when:
o it improves audit efficiency (cost-effective)
o substantive audit procedures alone cannot provide sufficient evidence
at the assertion level (thử nghiệm cơ bản không đủ chứng minh
Eg.: routine recording of significant classes of transactions, such as revenue or
purchases. (These systems are often highly automated with little or no manual controls)

Auditor performs tests of controls (TOC)

to evaluate the effectiveness of these control activities
14 16
(refer to Figure 1)
Step 3: Performing Tests of controls (TOCs) Example of linking objectives to control policies and tests
of controls for sales

When?
o CR is assessed “at less
than a high”
o Substantive procedures
alone is not sufficient
How to perform TOCs? Special control Common control Tests of controls
objectives policies and
procedures
è Method used by auditor is dependent on whether a
documentary audit trail (dấu vết) exists. • Occurrence — all • Policy of authorisation • Select sample of sales
sales recorded are of credit and terms transactions from
If audit trail does exist: bona fide (actual) sales journal (daily
• Evidence of quantities
transactions for shipped reconciled to activity report), check
o Inspect documentation (kiểm tra tài liệu) associated
merchandise actually quantities invoiced for authorisation and
with the transaction for evidence of the control.
shipped trace to shipping
• Monthly statements
Where no audit trail exists: to customers. document file
mailed to customers
and queries followed • Inspect reconciliation
o Observation (quan sát)
up of shipments to
o Inquiry of the control (phỏng vấn)
o Re-performance (thực hiện lại) 17
invoices 19

Relationship between TOCs and assertions

Eg. 2: Control objectives for cash receipt system
v Auditor is required to assess risk of material misstatement at the
assertion level for classes of transactions, account balances and
disclosures. è Controls are in place to ensure that:

Eg. 1: Control objectives for sales system – Occurrence — recorded cash receipts are for collection of receivables
è Controls are in place to ensure that: resulting from sales to customers of the entity.
– Occurrence — all sales recorded are bona fide transactions for merchandise – Completeness — all cash receipts are recorded and deposited.
actually shipped to customers. – Accuracy — cash receipts have been recorded correctly as to amount.
– Completeness — all sales shipped are invoiced – Cut-off — cash receipts have been recorded in correct period.
and recorded in accounting records.
– Classification — cash receipts are classified in accordance with
– Accuracy — invoices have been recorded correctly company policy.
as to amount and summarised correctly.
– Cut-off — invoices have been recorded in correct period.
– Classification — sales classified in accordance with written policies.
18 20
Example of linking control objectives Group discussions:
to control policies to tests of controls: cash receipts

Special control Common control Test of controls

objectives policies and 1. Please differentiate Tests of controls and Control activities.
procedures Give examples.

• Occurrence — recorded • Cash receipts matched • Select a sample of 2. Please differentiate Tests of controls and Substantive Tests
cash receipts are for to specific sales entries in cash receipts Give examples.
collection of receivables invoices in posting to journal and review
resulting from sales to accounts receivable evidence that they were
customers of the entity. master file. matched to specific
sales invoices.

21 23

Step 4: Performing Substantive Tests (sub-tests) Group discussions:

v Substantive tests (substantive procedures) are used to provide

reasonable assurance of validity and propriety (appropriateness) of
financial report or identify of monetary errors/misstatements.

v There are 2 types of substantive tests:

o Analytical procedures (thủ tục phân tích)
o Tests of details of balances and transactions

22 24