Lecture 3
Internal Control System
Learning Outcomes
• Describe objectives of effective internal control
• Describe the importance of internal control
• State the definition of internal control
• Identify and describe the components of internal control
• Identify and adopt the tools for documenting the understanding of internal control
• Describe the purpose and details of management letter
Internal Control (ISA 315)
The process designed, implemented and maintained by those charged with governance, management and other personnel to provide reasonable assurance about the achievement of an entity’s objectives with regard to:
• Reliability of financial reporting
• Effectiveness and efficiency of operations
• Compliance with applicable laws and regulations
• Prevention and detection of fraud and error
Internal Control - Objectives
Internal Control relevant to audit
Internal Control Framework
COSO
5 components
ERIPM or CRIME
1. Control Environment (E)
2. Entity’s Risk Assessment Process (R)
3. Information and Communication System (I)
4. Control Procedures (P)
5. Monitoring (M)
Five Components of Internal Control
[Diagram labels: Risk assessment; Control activities; Information and communication; Monitoring]
The Control Environment
Components of the control environment
(a) Communication and enforcement of integrity and ethical values –
These are essential elements that influence the effectiveness of the
design, administration and monitoring of controls.
(b) Commitment to competence – Competence is the knowledge and skills necessary to accomplish a task. This includes matters such as management’s consideration of the competence levels for particular jobs and how those levels translate into requisite skills and knowledge.
(c) Participation by those charged with governance – Attributes that affect the effectiveness of those charged with governance, such as:
• Their independence from management.
• Their experience and stature.
• The extent of their involvement and the information they receive, and the scrutiny of activities.
• The appropriateness of their actions.
• The degree to which difficult questions are raised and pursued with management.
• Their interaction with internal and external auditors.
(d) Management’s philosophy and operating style – Characteristics that affect the quality of internal control, such as management’s:
• Approach to taking and managing business risks.
• Attitudes and actions toward financial reporting.
• Attitudes toward information processing and accounting functions and personnel.
(e) Organizational structure – The framework within which an entity’s
activities for achieving its objectives are planned, executed, controlled,
and reviewed.
(f) Assignment of authority and responsibility – Matters such as how authority and responsibility for operating activities are assigned and how reporting relationships and authorization hierarchies are established.
(g) Human resource policies and practices – Policies and practices that relate to, for example, recruitment, orientation, training, evaluation, counseling, promotion, compensation, and remedial actions.
Risk Assessment
• The entity’s risk assessment process includes how management identifies business risks relevant to the preparation of financial statements in accordance with the entity’s applicable financial reporting framework, estimates their significance, assesses the likelihood of their occurrence, and decides upon actions to respond to and manage them.
• Risks relevant to reliable financial reporting include external and internal events, transactions or circumstances that may occur and adversely affect an entity’s ability to initiate, record, process, and report financial data consistent with the assertions of management in the financial statements.
Risks can arise or change due to circumstances such as the following (not an exhaustive list):
• Changes in operating environment. Changes in the regulatory or operating environment can result in changes in competitive pressures and significantly different risks.
• New personnel. New personnel may have a different focus on or understanding of internal control.
• New or revamped information systems. Significant and rapid changes in information systems can change the risk relating to internal control.
• Rapid growth. Significant and rapid expansion of operations can strain controls and increase the risk of a breakdown in controls.
Information System and Communication
An information system consists of infrastructure (physical and
hardware components), software, people, procedures, and data. Many
information systems make extensive use of information technology
(IT).
The information system relevant to financial reporting objectives, which
includes the financial reporting system, encompasses methods and
records that:
• Identify and record all valid transactions.
• Describe on a timely basis the transactions in sufficient detail to permit
proper classification of transactions for financial reporting.
• Measure the value of transactions in a manner that permits recording
their proper monetary value in the financial statements.
• Determine the time period in which transactions occurred to permit
recording of transactions in the proper accounting period.
• Present properly the transactions and related disclosures in the financial statements.
Communication, which involves providing an understanding of individual roles and responsibilities pertaining to internal control over financial reporting, may take such forms as policy manuals, accounting and financial reporting manuals, and memoranda.
Control Procedures/Activities
Control procedures are policies and procedures that help ensure that management’s directives are carried out.
Generally, control activities that may be relevant to an audit may be categorized as policies and procedures that pertain to the following:
Performance reviews. These control activities include reviews and analyses of actual performance versus budgets, forecasts, and prior period performance; relating different sets of data (operating or financial) to one another.
Information processing control. A variety of controls are used to check accuracy, completeness and authorization in the processing of transactions.
Physical control. Controls that encompass:
• The physical security of assets, including adequate safeguards such as secured facilities over access to assets and records.
• The authorization for access to computer programs and data files.
• The periodic counting and comparison with amounts shown on control records (for example, comparing the results of cash, security and inventory counts with accounting records).
Segregation of duties. Assigning different people the responsibilities of authorizing transactions, recording transactions, and maintaining custody of assets.
Segregation of duties is intended to reduce the opportunities to allow any person to be in a position to both perpetrate and conceal errors or fraud in the normal course of the person’s duties.
Example of Information Processing Control (Sales)
• Sales recorded only with approved customer order and shipping documents
• Accounting for numerical sequences of sales invoices
• Monthly customer statements
• Complaints handled independently
• Shipping documents matched to sales invoices
• Sales invoices reconciled to daily sales report
• Daily billing of goods shipped
• Proper procedures for authorizing credit and shipment of goods
• Authorized price list and specified terms of trade and customer order
• Sales invoices agreed to shipping document for product type and quantity
Examples of Segregation of Duty
• Separate the custody of assets from the recording associated with the assets (custody: cash collection; and recording: cash book).
• Separate the authorizing of transactions from the custody of assets related to the authorization function (authorizing: authorized signatory for cheque; and custody: keeping of cheque book).
• Separate the authorizing of transactions from the recording associated with the authorization functions (authorizing: cheque payment; and recording: bank book).
Monitoring
The Effect of Entity Size on Internal Controls
Medium or small entities may not have the resources to adopt adequate control systems.
Hence, there tends to be limited internal controls, with the potential for owner/management to override control procedures.
However, a medium or small entity may use alternative approaches that may not adversely affect its internal control.
Large entities compared with medium/small entities:
• Large entities: Written code of conduct. Medium/small entities: Verbal code of conduct; alternatively, emphasis on integrity and ethical behavior.
• Large entities: Formal risk assessment, control procedures, and information and communication components. Medium/small entities: Informal risk assessment, control procedures, and information and communication components; alternatively, the owner-manager’s involvement in day-to-day operations can provide a highly effective control and communication.
• Large entities: Segregation of duties. Medium/small entities: Low segregation of duties; alternatively, this can be offset by strong owner-manager supervisory controls and direct personal knowledge.
Inherent Limitation of Internal Control
• Human error: carelessness, distraction, mistakes of judgment and misunderstanding of instructions
• Collusion: collaboration between employees to commit fraud
• Management override: management may override internal control (abuse of power)
Audit Risk Model
Internal Control - The Auditor’s Perspective (ISA 315)
Assessing control risk is the process of evaluating the effectiveness of internal control.
In order to assess control risk, the auditor is required to perform the following:
• Preliminary review, gathering information, understanding and preliminary evaluation of internal control
• Identify specific controls to be relied upon
• Perform tests of control
• Conclude on the achieved level of control risk
Evaluating the design of a control involves
considering whether the control, individually or in
combination with other controls, is capable of
effectively preventing, or detecting and
correcting, material misstatements.
Operation of a control means that the control
exists and that the entity is using the control.
Procedures to obtain audit evidence about the design and operation of relevant controls may include:
• Inquiring of entity personnel
• Observing the application of specific controls
• Inspecting documents and reports
The auditor can set control risk at maximum (substantive strategy) or at a lower level (reliance strategy).
If the auditor decides to use the reliance strategy, the auditor should perform the following 3 steps:
1. Identify specific controls that will be relied upon
The auditor should consider the controls that have a pervasive effect on all assertions.
2. Test of control
The procedures to evaluate the operating effectiveness of controls in support of a reduced assessed control risk.
• Tracing transactions through the information system relevant to financial reporting
3. Conclude on the achieved level of control risk
The conclusion resulting from this step is referred to as the achieved level of control risk.
The auditor uses the achieved level of control risk and the assessed level of inherent risk to determine the detection risk.
The level of detection risk is used to assess the nature, extent and timing of audit procedures.
Methods Used in Documenting the Internal Control System
• Narrative
• Flowchart
• Internal control questionnaire
• Procedures manual and organization chart
Narrative - The understanding of internal control may be documented in a memorandum; appropriate if the entity has simple internal control.
Flowchart - Provides a diagrammatic representation or ‘picture’ of the entity’s accounting system.
ICQ - Contains questions about the important factors or characteristics of the five internal control components.
Procedure manuals and organization chart - Procedure manual to document the entity’s policies and procedures.
Interim Audit
Interim Test of Control
• The auditor might test internal control at an interim period because the assertion being tested is not significant, controls have been effective in prior years, or it may be efficient to conduct the test at that time. For instance, staff may be less busy, and it minimizes the overtime needed at year end.
• If controls are found not to be operating effectively, the auditor will have sufficient time to reassess the control risk and modify the audit plan.
• It also gives sufficient time for the auditor to inform management of the likely misstatement.
If the auditor obtains audit evidence about the operating
effectiveness of controls during an interim period, the
auditor shall:
(a) Obtain audit evidence about significant changes to
those controls subsequent to the interim period; and
(b) Determine the additional audit evidence to be obtained
for the remaining period.
In determining the additional audit procedures required to be performed in the remaining period, factors such as the significance of the assessed risk at the assertion level, significant changes after the testing, the length of the remaining period, and the extent of the auditor’s reliance on the control should be considered.
ISA 265: Communicating deficiencies in internal control to those charged with governance and management / Management letter
The auditor shall determine whether, on the basis of the audit work performed, the auditor has identified one or more deficiencies in internal control.
If the auditor has identified one or more deficiencies in internal control, the auditor shall determine, on the basis of the audit work performed, whether, individually or in combination, they constitute significant deficiencies.
The auditor shall communicate in writing significant deficiencies in internal control identified during the audit to those charged with governance on a timely basis (Management Letter).
Significant deficiency
Examples of matters that the auditor may consider in
determining whether a deficiency or combination of
deficiencies in internal control constitutes a significant
deficiency include:
• The likelihood of the deficiencies leading to material
misstatements in the financial statements in the future.
• The susceptibility to loss or fraud of the related asset or
liability.
• The subjectivity and complexity of determining
estimated amounts, such as fair value accounting
estimates.
• The financial statement amounts exposed to the
deficiencies.
• The volume of activity that has occurred or could occur in
the account balance or class of transactions exposed to the
deficiency or deficiencies.
Management letter
The auditor shall include in the written communication of significant deficiencies in internal control (management letter):
(a) A description of the deficiencies and an explanation of their
potential effects; and
(b) Sufficient information to enable those charged with
governance and management to understand the context of the
communication. In particular, the auditor shall explain that
(i) The purpose of the audit was for the auditor to express an
opinion on the financial statements;
(ii) The audit included consideration of internal control relevant
to the preparation of the financial statements in order to design
audit procedures that are appropriate in the circumstances,
but not for the purpose of expressing an opinion on the
effectiveness of internal control; and
(iii) The matters being reported are limited to those
deficiencies that the auditor has identified during the audit and
that the auditor has concluded are of sufficient importance to
merit being reported to those charged with governance.
Directors’ Statement on Internal Control
As part of the CG disclosure, the directors of public listed entities in Malaysia are required under the Listing Requirements of Bursa Malaysia to include a Statement on Internal Control in their annual reports to the shareholders.
The listing requirements also stipulate that the company’s external auditors must review the Statement on IC and report to the BOD.
The auditor is not to form an opinion on the effectiveness of the company’s risk and control procedures but to assess whether the statement reflects the process the directors adopted in reviewing the adequacy and integrity of the company’s internal control.
End of Lecture