
TOPIC 8: INTERNAL CONTROL SYSTEM
BKAA2013 Audit and Assurance I
CHE AHMAD ET AL. (2018), CHAPTER 4
Learning Outcomes
After studying this chapter, you should be able to:
■ Explain the meaning of internal control and its importance
■ Identify internal control effectiveness
■ Discuss the disclosure requirement for the internal control system
■ Identify areas of concern in internal control
Introduction
■ An auditor would assess a client’s internal control to ascertain whether the controls are complied with by the management and whether there is any deviation from procedures.
■ This is called test of control.
■ An internal control system embraces the control environment and internal control procedures.
Fundamental Concepts
■ The system of internal control is defined as the actions taken by the board and management to manage risk and increase the likelihood that established goals will be achieved (Statement of Risk Management and Internal Control by Bursa Malaysia, 2012).
■ The Committee of Sponsoring Organizations of the Treadway Commission (COSO) defines internal control as a process, effected by the board of directors, management, and other personnel, designed to provide reasonable assurance regarding the organization’s objectives.
Fundamental Concepts
(cont.)
Importance of Internal Control
■ A system of internal control is an important mechanism for
an organization to remain functional and operational.
■ In a small entity, such as a small enterprise, the employees
and process flow are still manageable by the manager.
■ That is not the case in a large organization where the
number of employees is large, and there is a more complex
organizational structure and business flow.
■ A sound internal control system will actually help the
organization to exert control over their business process to
remain functional and operational.
Fundamental Concepts (cont.)
Among the key benefits to an organization would be:
■ risk management,
■ achieving higher standards in business process among peers,
■ compliance with laws and regulations, such as to Bursa Malaysia or Securities Commission Malaysia, and
■ having better communication with employees.
Fundamental Concepts (cont.)
Types of Internal Control
• There are two types of control:
(1) Preventive controls
(2) Detective controls
Fundamental Concepts (cont.)

■ (a) Preventive controls are built to avoid errors or any irregularities from
happening. These are also known as proactive controls because they help
to ensure the organization’s objectives are achieved. Some examples of
preventive controls are:
– Segregation of duties: Duties and responsibilities are segregated to
reduce risks and errors for certain events.
– Safeguarding assets: Different departments may have different
security levels for access to certain parts of the building in the
organization, or different levels of staff may have different levels of
access to the company’s information system.
Fundamental Concepts (cont.)
■ (b) Detective controls are designed to find or locate errors after they have occurred.
■ Examples are management analyses to identify unexpected results or losses on production, or reconciliations of actual outcomes against forecasted results. All these require corrective action.
Fundamental Concepts (cont.)
Elements of Internal Control
■ Internal control consists of five components, as suggested by the COSO Internal Control, Integrated Framework (2013).
■ Under each control component there are principles that may guide the auditors, as shown in Table 4.1.
■ There are 17 principles under the internal control elements.
Fundamental Concepts (cont.)
Responsibilities
■ It is the board of directors’ (BOD) responsibility to maintain a sound internal control system.
■ Regulators should have at least an annual review of the effectiveness of the organization’s internal control system.
Importance of Internal Control to Auditors (cont.)
■ External auditors (EA) are required to conduct an audit on internal controls over financial reporting for large companies.
■ They would likely request some information from the internal auditor on the internal control of the client.
■ This would be useful when they are preparing for audit planning, to include in their analytical procedures or test of control on the client’s internal control.
■ The EA’s reliance on the work of internal auditors may allow the external auditor to complete their work with less than the amount they would otherwise actually need to perform.
Importance of Internal
Control to Auditors (cont.)
Relationship of Internal Control and Audit
Evidence
■ According to ISA 500 - Audit evidence:
– audit evidence is known as information used
by the auditor in arriving at the conclusions
on which the auditor’s opinion is based.
– Audit evidence includes both information
contained in the accounting records
underlying the financial statements and other
information.
Importance of Internal Control to
Auditors (cont.)
■ Para A49 of ISA 500 mentions that
– Information produced by the entity that is used for
performing audit procedures needs to be sufficiently
complete and accurate in order for the external auditor to
obtain reliable audit evidence.
– Internal control supplements audit evidence by
ensuring that internal controls are fully complied with and
adhered to.

Review and Documentation of Internal Control System
■ A widely used method to document and evaluate control is a system flowchart.
■ Flowcharts are pictorial representations of the flow of the transactions for a specified department or division.
■ This accounting system flowchart shows the flow of information and documents, and provides narration of related procedures.
■ There may be many departments or divisions, and these are usually supplemented by other documentation to describe the processes.
Review and Documentation of Internal Control System (cont.)
■ A flowchart is used to describe the flow of activity through a process together with the identified and relevant documentation related to that process.
■ System flowcharts may assist auditors to better understand business processes, identify risks, controls, deficiencies and inefficiencies, and suggest further recommendations for improvements.
Review and Documentation of
Internal Control System (cont.)
Requirement by Regulators
■ In Malaysia, listed companies are required to follow the Listing
Requirements by the Bursa Malaysia in order for them to be listed in the
Malaysian capital market.
■ One of the requirements related to internal control is stated in Chapter 15
of the Listing Requirements.
– Chapter 15, para 15.26 (b) mentions additional statements by
the Board of Directors to be included in the annual report, which
is to issue a statement about the state of risk management and
internal control of the listed issuer as a group.
Review and Documentation of
Internal Control System (cont.)
■ This is further stated in the Malaysian Code of Corporate Governance
(MCCG) 2012, under Principle 6, Recognize and Manage Risks.
– As stated in Recommendation 6.1, the BOD should establish a sound
framework to manage risks.
– It is expected that the board should establish a sound risk management
framework and internal control system within the organization.
■ In order to further aid good corporate governance, Bursa Malaysia issued the
Statement on Internal Control-Guidance for Directors of Public Listed
Companies. This was first issued in December 2000. These are further
illustrated in Table 4.2.
Review and Documentation of Internal Control System (cont.)
■ The internet has created a modern society and environment, but has also opened up the gates to potential threats.
■ Cyber security is pivotal in large organizations, as attacks can cause massive damage and might involve millions in losses and costs.
■ The implications of these threats or attacks include data losses, disruption of operations and leaked information.
■ Effective cyber security should be considered when assessing risks faced by the organization, as it is part and parcel of the company’s risk management.
Communicating with Those Charged with Governance
■ In an instance when internal control is not met, there exists a deficiency in the internal control system.
■ According to ISA 265, para 6, this situation arises from design or operation, such that they do not allow management or employees to perform their functions and duties effectively, so as to prevent or detect any misstatements on a timely basis.
Communicating with Those Charged with Governance (cont.)
■ A deficiency in the internal control system would suggest that there exists a disruption in the financial reporting process.
■ This deficiency might arise from a deficiency in design or a deficiency in operation, such as:
– the design or operation of a control that does not allow the management or employees to perform their functions and duties effectively, to prevent or detect any misstatements on a timely basis.
Communicating with Those Charged with Governance (cont.)
■ According to PCAOB, a deficiency in design exists when a control necessary to meet the control objective is missing, or an existing control is not properly designed.
■ Even if the control operates as designed, the control objectives would not be met.
■ A deficiency in operation exists when a control does not operate as designed, or when the person performing the control does not possess the necessary authority or competence to perform the control effectively.
Communicating with Those Charged with Governance (cont.)
■ Therefore this deficiency has to be communicated to those charged with governance, i.e. the management and the board of directors. Usually this would take place after the completion of the audit.
■ The external auditors would then prepare a management representation letter, which would be signed by senior management of the company.
■ The letter shall attest to the accuracy of the financial statements that the company or client had submitted to the external auditors for the audit.
Communicating with Those Charged
with Governance (cont.)
■ Among the contents of this letter are:
– the management’s acknowledgement of their responsibility for the
design and implementation of controls to prevent and detect fraud,
– any knowledge of fraud or suspected fraud that would affect the
company involving the management,
– details of employees that have significant roles in internal control, or
– where fraud could have a significant effect on the financial
statements.
