5.1. Internal Control


CHAPTER 5 – PART 1: INTERNAL CONTROL AND TESTS OF CONTROLS
Chapter 5: Introduction to internal control
Topic list

5.1. What is internal control?

5.2. Components of internal control

5.3. Information about controls


5.1. INTRODUCTION TO INTERNAL CONTROL
5.1.1. What is internal control?

Definition (note: maintain and develop)

The process designed, implemented and maintained by those charged with governance, management, and other personnel to provide reasonable assurance about the achievement of an entity's objectives with regard to reliability of financial reporting, effectiveness and efficiency of operations and compliance with applicable laws and regulations.
5.1.2. Reasons for internal controls

They include:

• minimising the company's business risks
• ensuring the continuing effective functioning of the company
• ensuring the company complies with relevant laws and regulations
Worked example: Fairfood Co
Fairfood Co is a food manufacturer. It is subject to a great number of health and safety regulations and therefore must have significant internal controls surrounding the food preparation areas. If these controls were seriously breached, Fairfood Co would be forced to cease operations. The primary objective of each internal control might focus on a particular operation, for example, that all personnel must wear protective clothing when operating machinery; however, the ultimate objective is to ensure that the operation of the company continues. If the protective clothing wasn't worn and hair or other items, such as jewellery from staff, fell into the food, the company might be forced to stop operating.
5.1.3. Limitations of internal controls

Human
• Makes a mistake, so the control might be ineffective.
• Does not understand the importance of the control, so is less inclined to adhere to it.
• Number of employees.

Collusion
• Override or avoid controls in order to defraud the company.

Unusual transactions
• Internal control is designed to deal with what routinely happens in a business.
• Standard controls may not be relevant to the unusual transaction.
Worked example: Large Co and Small Co
Large Co is a large company with sophisticated control systems. In respect of purchase ordering, an order is raised by a member of the purchase team (who all have pre-set limits of the price they are allowed to order up to) on the basis of a requisition note from the relevant department, signed by the department manager. Before the order is dispatched to the approved supplier, the purchase manager approves the order. If the order is in excess of £30 million, the purchasing director approves the order.

Small Co is a small company with limited control systems. When the stores manager needs the stores replacing, he rings the approved supplier and orders the goods. The annual cost of purchases is £7 million.
Management and auditor responsibilities for internal control
Management’s Responsibilities for Establishing Internal Control—
Management must establish and maintain the entity’s internal controls.
Internal control systems are designed with two concepts in mind:
– Reasonable Assurance—Management designs a system that provides
reasonable assurance considering the costs involved.
– Inherent Limitations—
• No system of internal controls can be completely effective
• Effectiveness depends on the competency and dependability of the employees
• Collusion is still possible

Copyright © 2017 Pearson Education, Inc. 11-8


Management’s Section 404 Reporting Responsibilities—

Section 404 of Sarbanes-Oxley requires management of all public companies to issue an internal control report that includes the following:
– Statement of responsibility
– An assessment of the effectiveness of internal control over financial reporting as of the end of the fiscal year

Management must also identify the framework used for the evaluation.
– Often COSO's 2013 Internal Control-Integrated Framework.
Management’s assessment of internal control over financial reporting consists of two key aspects:
– Management must evaluate the design of internal control.
– Management must test the operating effectiveness of the controls.

The SEC requires management to include its report on internal control in its annual Form 10-K report filed with the SEC. An example of management’s report on internal control that complies with Section 404 requirements is shown in the following Figure.
Auditor Responsibilities for Understanding Internal Control
• Must obtain an understanding of internal control relevant to the audit.
• Auditors are primarily concerned about:
– Controls over the reliability of financial reporting
– Controls over classes of transactions

Auditor Responsibilities for Reporting on Internal Control—
Section 404(b) of Sarbanes-Oxley requires that the auditor report on the effectiveness of internal control over financial reporting.

5.2. COMPONENTS OF INTERNAL CONTROL

COSO’s Internal Control—Integrated Framework

Developed in 1992 and updated in 2013.

The COSO Framework describes five components of internal control:

1. Control environment (note: the most important component; the BOD plays the most important role and sets the rules. Integrity and ethical values ensure that the enterprise's control environment operates effectively. The internal audit department and Risk Management are important within this component.)
2. Risk assessment (note: the BOD performs risk assessment in the same way as the auditor)
3. Control activities
4. Information and communication
5. Monitoring
5.2. COMPONENTS OF INTERNAL CONTROL

The updated COSO framework includes a total of 17 broad principles that provide guidance to support all three internal control objectives:
• reporting,
• operations, and
• compliance.

As illustrated in the figure below, COSO represents the direct relationship between the three internal control objectives, the five components of internal control, and the organizational structure in the form of a cube.

Internal control objectives:

1. Reliability of reporting. This objective relates to internal and external financial reporting as well as nonfinancial reporting; however, we focus our discussion on the reliability of external financial reporting.
2. Efficiency and effectiveness of operations. Controls within a company encourage efficient and effective use of its resources to optimize the company’s goals.
3. Compliance with laws and regulations. Nonpublic and not-for-profit organizations are required to follow many laws and regulations. Some relate to accounting only indirectly, such as environmental protection and civil rights laws. Others are closely related to accounting, such as income tax regulations and antifraud legal provisions.
• Each particular control activity may also prevent an error occurring (preventative control), or may identify that an error has occurred and correct it (detective control). Being able to identify what each specific control actually does is an important part of understanding internal controls.
• The auditor will not waste time looking at company controls that are not relevant to whether the financial statements are true and fair, however important those controls might be to the overall operation of the business; for example, control processes over asset utilisation.
• The extent of reliance on internal control in an assurance engagement will depend on the nature of the engagement and the assurance provider's expectation of the effectiveness of controls.
5.2. COSO INTERNAL CONTROL – COMPONENTS
5.2.1. Control Environment

The Control Environment consists of the actions, policies, and procedures that reflect the overall attitudes of top management, directors, and owners of an entity about internal control and its importance to the entity.

The Control Environment sets the tone of an organization, influencing the control consciousness of its people.
The control environment has five underlying principles:
• Demonstrating a commitment to integrity and ethical values
• Maintaining the independence of the board of directors from management and their oversight of the entity’s internal control
• Establishing organizational structure, reporting lines, authority, and responsibilities to pursue business objectives
• Demonstrating a commitment to attract, develop, and maintain competent people
• Maintaining accountability for the execution of internal control responsibilities

Festival Ltd, a diversified manufacturer, has three divisions that operate throughout Australia. Festival has always allowed its divisions to operate autonomously, with head office intervention occurring only when planned results were not obtained. Head office management has high integrity, but the board of directors and audit committee are not very active. Festival has a policy of hiring very competent people and has an ethical code of conduct, but there is little monitoring of compliance by employees. Management is relatively conservative in terms of accounting principles and practices, but employee compensation packages depend largely on performance.

REQUIRED
• Evaluate the strengths and weaknesses of Festival’s control
environment.
Audit committees
• To review the integrity of the financial statements and formal announcements relating to the company's performance
• To review the company's internal financial controls and the company's risk management systems
• To monitor and review the effectiveness of the company's internal audit function
• To make recommendations to the board in relation to the external auditor
• To monitor the independence of the external auditor
• To implement policy on the provision of non-audit services by the external auditor.
5.2.2. Risk assessment

Definitions
• Entity's risk assessment process: A component of internal control that is the entity's process for identifying business risks relevant to financial reporting objectives and deciding about actions to address those risks, and the results thereof.
• Business risk: A risk resulting from significant conditions, events, circumstances, actions or inactions that could adversely affect an entity's ability to achieve its objectives and execute its strategies, or from the setting of inappropriate objectives and strategies.
Every entity faces a variety of risks from external and internal sources. Risk is defined as the possibility that an event will occur and adversely affect the achievement of objectives.
The risk assessment process:

Identify relevant business risks → Estimate the significance of the risks → Assess the likelihood of occurrence → Decide upon actions
5.2.3. Control activities

• Control activities are the policies and procedures that help ensure that management directives are carried out.
• Control activities may be manual or computer-specific control activities.

Control activities are the actions taken by management, the board, and other parties to mitigate risk and increase the likelihood that established objectives and goals will be achieved.
Authorisation
• Approval of transactions/documents (note: produces valid output)

Performance reviews
• Review and analysis of actual performance versus budgets, forecasts and prior period performance
• Relating different sets of data (operating or financial) to one another
• Comparing internal data with external sources of information
• Review of functional or activity performance

Information processing
• Controls to check the accuracy, completeness and authorisation of transactions

Physical controls
• Physical security of assets
• Authorisation for access to computer programs and data files
• Periodic counting and comparison with amount shown on control accounts

Segregation of duties
• Assigning different individuals the responsibilities of authorising transactions, recording transactions and maintaining custody of assets
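As an added example (not from these slides or any textbook), the Large Co purchase-ordering chain from 5.1.3 and the authorisation, information-processing and segregation-of-duties activities above, expressed as the checks a purchase-order system could apply before dispatch. The £30 million director threshold is the page's figure; the buyer names, buyer limits and the approved supplier list are assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed parameters modelled on the Large Co description. The £30 million
# director threshold is the page's figure; the buyer limits and the approved
# supplier list are assumptions made for this example.
DIRECTOR_THRESHOLD = 30_000_000
BUYER_LIMITS = {"buyer_a": 1_000_000, "buyer_b": 50_000_000}
APPROVED_SUPPLIERS = {"SUP-001", "SUP-002"}


@dataclass
class PurchaseOrder:
    requisitioner: str        # raised the requisition note
    dept_manager: str         # signed the requisition note
    buyer: str                # purchase team member who raised the order
    purchase_manager: str     # approved the order before dispatch
    director: Optional[str]   # approves only above DIRECTOR_THRESHOLD
    supplier: str
    amount: float


def check_order(po: PurchaseOrder) -> List[str]:
    """Return the control exceptions for an order; an empty list means it passes."""
    findings = []
    # Application input controls: completeness and accuracy of the order data
    if not (po.supplier and po.requisitioner and po.dept_manager):
        findings.append("completeness: supplier, requisitioner and department manager are required")
    if po.amount <= 0:
        findings.append("accuracy: amount must be positive")
    # Authorisation: only an approved supplier may receive the order
    if po.supplier not in APPROVED_SUPPLIERS:
        findings.append(f"authorisation: supplier {po.supplier!r} is not approved")
    # Authorisation: each buyer has a pre-set limit on the price they may order up to
    limit = BUYER_LIMITS.get(po.buyer)
    if limit is None:
        findings.append(f"authorisation: {po.buyer!r} is not a member of the purchase team")
    elif po.amount > limit:
        findings.append(f"authorisation: amount exceeds {po.buyer!r}'s limit of {limit}")
    # Authorisation: purchase manager always, purchasing director above the threshold
    if not po.purchase_manager:
        findings.append("authorisation: purchase manager approval is missing")
    if po.amount > DIRECTOR_THRESHOLD and not po.director:
        findings.append("authorisation: director approval is required above the threshold")
    # Segregation of duties: no one person may hold more than one role in the chain
    holders = [h for h in (po.requisitioner, po.dept_manager, po.buyer,
                           po.purchase_manager, po.director) if h]
    if len(set(holders)) != len(holders):
        findings.append("segregation of duties: one person holds more than one role")
    return findings


if __name__ == "__main__":
    # Small Co: the stores manager raises, approves and places the order alone
    small_co = PurchaseOrder("stores_mgr", "stores_mgr", "stores_mgr", "stores_mgr", None, "SUP-001", 7_000_000)
    print(check_order(small_co))
```

Running it against the Small Co pattern reports both the missing purchase-team limit and the segregation-of-duties failure, which is the point of the Large Co / Small Co comparison.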
Information processing controls

• General controls: Policies and procedures that relate to many applications and support the effective function of application controls by helping to ensure the continued proper operation of information systems.
• Application controls: Manual or automated procedures that typically operate at a business process level. Application controls can be preventative or detective in nature and are designed to ensure the integrity of the accounting records. Accordingly, application controls relate to procedures used to initiate, record, process and report transactions or other financial data.
Information processing controls - General controls
General controls:
• Development of computer applications
• Prevention or detection of unauthorised changes to programs
• Testing and documentation of program changes
• Controls to prevent wrong programs or files being used
• Controls to prevent unauthorised amendments to data files
• Controls to ensure continuity of operations
Information processing controls - Application controls
Application controls:
• Controls over input: completeness, accuracy, authorisation
• Controls over processing
• Controls over master files and standing data
Cyber security risks
• Communication is a key barrier to common understanding and discussion.
• Organisational structures need to define responsibility and accountability for cyber security.
• Board-level accountability for cyber risks needs to be determined.
• Non-executive directors and audit committees also need to play a part.
5.2.4. Information and Communication

Definitions
• Information system relevant to financial reporting: A
component of internal control that includes the financial
reporting system, and consists of the procedures and records
established to initiate, record, process and report entity
transactions (as well as events and conditions) and to maintain
accountability for the related assets, liabilities and equity.

The information system relevant to financial reporting

The auditors will be interested in:
• the classes of transactions that are significant to the entity's financial statements
• the procedures by which transactions are initiated, recorded, processed, corrected and reported
• the related accounting records and supporting information
• how the information system captures events other than transactions that are significant to the financial statements
• the process of preparing the financial statements
5.2.5. Monitoring Activities

Involves ongoing or periodic assessment of the quality of internal control by management. In larger companies, the internal audit department is essential for this function.
5.3. INFORMATION ABOUT INTERNAL CONTROL

• Manuals of control activities
• Copies of internal control policies
• Minutes of meetings of the risk assessment group
• Talking to the people involved with internal control at all stages
• Observation
Recording of controls

• narrative notes
• questionnaires/checklists; and
• diagrams.

Walk-through procedure: A procedure that involves tracing a few transactions through the financial reporting system.

Walk-through procedures aim to test the auditor's understanding, and are not tests of controls.