Internal Control

Chapter 1: Overview of Internal Control
1. Definition of Internal Control
- Reason for an internal control system: to meet the following requirements:

+ Its assets are protected from improper and inefficient use
+ The transactions are approved intra vires and fully recorded as the basis for making and
presenting truthful and reasonable financial statements
→ Internal control is a process, effected by an entity’s board of directors, management, and other personnel
designed to provide reasonable assurance regarding the achievement of objectives relating to operations,
reporting, and compliance.
- Objectives of Internal Control:

+ Operations objectives → effectiveness and efficiency of the entity’s operations (including operational and
financial performance goals, and sasfeguarding assets against loss)
+ Reporting objectives → internal and external financial and non-financial reporting (reliability, timeliness,
transparency, or other terms as set forth by regulators, recognized standard setters, or the entity’ policies)
+ Compliance objectives → adherence to laws and regulations to which the entity is subjected.
2. Limitation of Internal Control

- Cost should not exceed benefits
- Breakdowns because of human failures (simple errors)
- Ability of management to override internal control
- Ability of management, other personnel, and/or third parties to circumvent controls through
collusion (phá vỡ các biện pháp kiểm soát thông qua thông đồng)
- External events beyond the organisation’s control
- Design to deal with what normally or routinely happens in a business
3. COSO Framework
- Executive summary
+ Internal control helps entities achieve important objectives and sustain and improve performance.
+ COSO Framework enables organisations to effectively and efficiently develop systems of internal
control that adapt to changing business and operating environments, mitigate risks to acceptable levels,
and support sound decision making and governance of the organisation.
+ The Framcework assists management, BOD, external stakeholders, and others iterating with the
entity in their respective duties regarding internal control without being overly prescriptive.
- COSO framework and Implementation Guide

+ COSO Framwork: Definition, Effectiveness, Components, and Principles
→ instruct management and BOD at all levels of the organization to: design, implement, and evaluate the
effectiveness of internal control.
+ Implementation Guide: Glossary, Note for small business, and Summary of changes of the
COSO 2013 Report compared to the COSO 1992
- Effectiveness of Internal Control

+ Each of five components and relevant principles is present and functioning
Present → the determination that the components and relevant principles exist in the design and
implementation of the system of internal control to achieve specified objectives.
Functioning → the determination that the components anf relevant principles continue to exist in the
operations and conduct of the system of internal control to achieve specified objectives.
+ The five components operate together in an integrated manner.
- Internal control over financial reporting for external stakeholders:

+ Greater confidence in the BOD’s oversight of internal control systems
+ Greater confidence regarding to the achievement of entity objectives
+ Greater confidence in the organisation’ ability to identify, analyze, and respond to risk and
changes in the business and operating environments
+ Greater understanding of the requirement of an effective system of internal control
+ Greater understanding that through the use of judgement, management may be able to eliminate
ineffective, redundant, or inefficient controls.
4. Role of interested parties for Internal Control
4.1. The Board of Directors

- discuss with senior management the state of the entity’s system of internal control and provide
oversight as needed
- establish its policies and expectations of how members should provide oversight of the entity’s
internal control
- be apprised of the risks to the achievement of the entity’s objectives, the assessments of internal
control deficiencies, the management actions deployed to mitigate such risks and deficiencies, and
how management assesses the effectiveness of the entity’s system of internal control.
- challenge management and ask the tough questions, as necessary, and seek input and support
from internal auditors, external auditors, and others.
- Subcommittees of the board can often assist the board by addressing some of these oversight
activities.
4.2. Audit Committee

- strengthening the internal control structure and helping to ensure the maintenance of appropriate
accounting records
- facilitating appropriate communication channels between management, the board, external
auditors and internal auditors
- improving the quality of financial disclosures and the effectiveness of the audit function by
providing an independent review of these functions
- keeping the board fully informed about relevant accounting and auditing issues
- highlighting relevant important matters that require the board’s attention
- ensuring that an effective whistleblower system is in place within the corporation
4.3. Cotrol Board

- Support the Board of Directors in periodically evaluating internal control activities
- Identify and appropriately handle the risks of the enterprise
- Evaluate operation plan prepared by the Internal Controller and receive reports from the members
of Control Board
- Recommend to the Board of Directors or the General Meeting of Shareholders measures to
amend and improve the organizational structure of management and business activities of the
enterprise.
4.4. Internal Auditor

- review their internal audit plans
- perform on-going and periodic assessments about the design and operation of Internal Control and
any report on the entity’s system of internal control to Audit Committee
4.5. Senior Management

- responsible for designing and operating the entity’s internal controls
- assess the entity’s system of internal control in relation to the Framework, focusing on how the
organisation applies 17 principles in support of the components of internal control
- management performs an ongoing evaluation of the overall effectiveness of the entity’s system of
internal control
4.6. Other Management and Personnel

- consider how thay are conducting their responsibilities for performing internal control and discuss
with more senior personnel ideas for strengthening internal control.
- consider how existing controls affect the effectiveness of internal control.
4.7. Independent Auditor

- engaged to audit or xamine the effectiveness of the client’s internal control over financial reporting
in addition to auditing the entity’s financial statements.
- assess the entity’s system of internal control in relation to the Framework, focusing on how the
organisation has selected, developed, and deployed controls that affect the principles within the
components of internal control.
Chapter 2: Components of Internal Control
1. Overview of internal control framework
The control environment provides an atmosphere in which

people conduct their activities and carry out their control
responsibilities. It serves as the foundation for the other
components. Within this environment, management
assesses risks to the achievement of specified objectives.
Control activities are implemented to help ensure that
management directives to address the risks are carried out.
Meanwhile, relevant information is captured and
communicated throughout the organization. The entire
process is monitored and modified as conditions warrant.
- COSO defines 17 supporting principle representing the fundamental concepts associated with each
component of internal control
Control environment
Principle 1: The organisation demonstrates a commitment to integrity and ethical value.
Principle 2: The BODs demonstrates independence from management and exercises oversight of the
development and performance of internal control.
Principle 3: Management establishes, with board oversight, structures, reporting lines, and
appropriate authorities and responsibilities in the pursuit of objectives.
Principle 4: The organisation demonstrates a commitment to attract, develop, and retain competent
individuals in alignment with objectives.
Principle 5: The organisation holds individuals accountable for their internal control responsibilities in
the pursuit of objectives.
Risk assessment
Principle 6: The organisation specifies objectives with sufficient clarity to enable the identification and
assessment ò risks relating to objectives.
Principle 7: The organisation identifies risks to the achievement of its objectives across the entity and
anlyzes risks as a basis for determining how the risks should be managed.
Principle 8: The organisation considers the potential for fraud in assessing risks to the achievement
of objectives
Principle 9: The organisation identifies and assesses changes that could significantly impact the
system of internal control.
Control Activities
Principle 10: The organisation selects and develops control activities that contribute to the mitigation of
risks to the achievement of objectives to acceptable levels.
Principle 11: The organisation selects and develops general control activities over technology to
support the achievement of objectives.
Principle 12: The organisation deploys control activities through policies that establish what is
expected and procedures that put policies into action.
Information and Communication
Principle 13: The organization obtains or generates and uses relevant, quality information to support
the functioning of internal control.
Principle 14: The organization internally communicates information, including objectives and
responsibilities for internal control, necessary to support the functioning of internal control.
Principle 15: The organization communicates with external parties regarding matters affecting the
functioning of internal control.
Monitoring Activities
Principle 16: The organisation selects, develops, and performs ongoing and/or separate evaluations to
ascertain whether the components of internal control are present and functioning.
Principle 17: The organisation evaluates and communicates internal control deficiencies in a timely
manner to those parties responsible for taking corrective action, including senior
management and the BOD, as appropriate.
2. Describe 5 components of Internal Control
a. Control Environment:
- The control environment consists of the actions, policies,and procedures that reflect the overall attitudes
of top management, director, and owners of an entity about internal control and its important to the entity.
- The control environment has 5 underlying principles:
+ Integrity and ethical value
+ Borad of director or audit committee participation
+ Organisation structure
+ Commitment to competence
+ Accountability
- The control environment sets the tone of an organisation, influencing the control consciousness of its
people.
5 UNDERLYING PRINCIPLES
INTEGRITY AND ETHICAL VALUES

- The product of the entity’s ethical and behavioral standards, as well as how they are communicated
and reinforced in practice.
+ management’s actions to remove or reduce incentives and temptations that might prompt
personnel to engage in dishonest, illegal, or unethical acts.
+ the communication of entity values and behavioral standards to personnel through policy
statements, codes of conduct
BOARD OF DIRECTOR OR AUDIT COMMITTEE PARTICIPATION

- The board of directors has responsibility to make sure management implements proper internal control.
+ An effective board of directors is independent of management, and its members stay involved in
and scrutinize management’s activities.
+ Although the board delegates responsibility for internal control to management, the board must
+ exercise oversight of the design and performance of controls.
+ An active and objective board can reduce the likelihood that management overrides existing
controls.
- The audit committee has responsibilities for:
+ oversight responsibility for financial reporting.
+ maintaining ongoing communication with both external and internal auditors.
ORGANISATION STRUCTURE
- The entity’s organizational structure defines the existing lines of responsibility and authority.
- The organisational structure can consist of the entity level, divisions, operating units, and functions
within those units, and controls operate at each of these levels
COMMITMENT TO COMPETENCE
→ management’s consideration of the competence levels for specific jobs and how those levels translate into
requisite skills and knowledge.
- If employees are competent and trustworthy, other controls can be absent, and reliable financial
statement will still result.
- Incompetent or dishonest people can reduce the system to a shambles
- Efficient people are able to perform at a high level even when there are few other controls to support
them. However, even competent and trustworthy people can have shortcomings.
ACCOUNTABILITY
- Management and the BODs are responsible for communicating expectations and holding individuals
accountable for internal control duties.
- The effectiveness of this process depends on the other subcomponents.
b. Risk Assessment
- Definition: A process for identifying and analyzing that may prevent the organisation from achieving its
objectives.
Step 1: Identify relevant business risks
Step 2: Estimate the significance of the risks
Step 3: Assess the likelihood of occurrence
Step 4: Decide upon (internal control, insurances, changes in operations) to address them
[RISK ASSESSMENT PROCESS]

- Objective Setting → in line with the mission and vision of an organisation.
+ 4 categories of objectives: strategic objective, operations objectives, reporting objectives,
compliance objective
+ For certain objectives these categories can overlap and different officers may be responsible for
their realization.
- Event Identification:
+ Risks can be defined as the probability that a critical event occurs and negatively affects the achievement
of objectives → identify critical events
+ Caused by external factors or by internal factors
- Risk Assessment involves estimation of the likelihood of a critical event occurring and the impact of the
occurrence of that event.
[INHERENT RISK, CONTROLLABLE RISK, AND RESIDUAL RISK]

- Controls: risk responses management takes to reduce the impact and/or likelihood of threats to
objective achievement.
- Risk appetite: the types and amount of risk, on a board level, an organisation is willing to accept in
pursuit of value.
- Acceptable variation in performance: the boundaries of acceptable outcomes related to achieving in a
business objective.
- Controllable risk:that portion of inherent risk that management can directly influence and reduce
through day-to-day business activities.
- Residual risk: the portion of inherent risk that remains after mitigating all controllable risks.
[RISK RESPONSE]
- Acceptance: No action is taken to decrease risk impact or likelihood
- Avoidance: A decision is made to exist or divest of the activities giving rise to the risk.
Example: Existing a product line →decide not to expand to a new geographical market or selling a division
- Pursuit: Exploit the risk if taking such a risk is advantageous tot he organisation or is necessary to
achieve a particular business objective.
- Reduction: Action is taken to reduce the risk impact, likelihood, or both. This involves a myriad of
everyday business decisions, such as implementing controls.
- Sharing: The risk impact or likelihood is reduced by transferring or otherwise sharing a portion of the risk.
Common technique include purchasing insurance products, engaging in hedging transactions, or
outsourcing an activity.
c. Control Activities:
- The policies and procedures that help ensure that necessary actions are taken to address the risks to the
achievement of the entity’s objectives.
TYPES OF CONTROL
Entity – level Controls: A control that operates across an entire entity and, as such, is not bound by, or
associated with, individual processes.
Process – level Controls: A control that operates across an entire entity and, as such, is not bound by,
or associated with, individual processes.
Transaction – level Controls: An activity that reduces risk relative to a group or variety of operational-
level tasks or transactions within an organisation
Key control: An activity designed to reduce risk associated with a critical business objective
Secondary control: An activity designed to either reduce risk associated with business objectives that
are not critical to the organization’s survival or success or serve as a backup to a key control.
Compensating control: An activity that, if key controls do not fully operate effectively, may help to
reduce the related risk. A compensating control will not, by itself, reduce risk to an acceptable level.
Preventive control is designed to deter unintended events from occurring in the first place.
Detective control is designed to discover undesirable events that have already occurred. A detective
control must occur timely (before the undesirable event has had an unacceptably negative impact on the
organisation) to be considered effective.
TYPE OF CONTROL ACTIVITY
ADEQUATE SEPARATION OF DUTIES

There are four general guidelines for adequate separation of duties to prevent both fraud and errors:
+ Separation of the custody of assets from accounting
+ Separation of the authorization of transactions from the custody of related assets
+ Separation of operational responsibility from record-keeping responsibility
+ Separation of IT duties from the user departments
PROPER AUTHORIZATION OF TRANSACTIONS AND ACTIVITIES (establishment of

responsibilities)
-General authorization, management establishes policies and subordinates are instructed to implement
these general authorizations by approving all transactions within the limits set by the policy. (include the
issuance of fixed price lists for the sale of products, credit limits for customers, and fixed reorder points
for making acquisitions.)
- Specific authorization applies to individual transactions. For certain transactions, management
prefers to authorize each transaction
ADEQUATE DOCUMENTS AND RECORDS

- Prenumbered consecutively
- Prepared at the time a transaction takes place
- Designed for multiple use
- Constructed to encourage correct preparation
PHYSICAL CONTROL OVER ASSETSS AND RECORDS

- Television monitors and garment sensors to deter theft
- Safers, vaults, and safety deposit boxes for cash and business papers
- Time clocks for recording time worked
- Alarms to prevent break-ins
- Computer facilitities with pass key access or firgering or eyeball scans
- Locked warehouses and storage cabinets for inventories and records
INDEPENDENT CHECKS ON PERFORMANCE (independent internal verification)

- Records periodically verified by an employee who is independent
- Discrepancies reported to management
d. Information & Communication

- This relates to recording transactions, matching internal with external documents, confirmations from/to
third paries, communication of procedures and tasks, accountability and formal management reports.
- Information should meet certain quality criteria to facilitate proper control.
- Relevant, accurate, and timely information must be available to individuals at all levels of an organisation
to run business effectively.
- Information must be provides to specific personnel as appropriate to support achievement of their
operating, reporting, and compliance responsibilities
- Purpose of an entity’s accounting information and communications system: To initiate, record, process,
and report the entity’s transactions and to maintain accountability for related assets.
→ the important of using relevant, quality information that is communicated both internally and externally to support
the proper functioning of internal controls.
- Communication with external parties are also important and can provide critical information on the
functioning of controls.
- There are many ways to communicate:
+ hardcopy forms of communication: manuals, memoranda, bulletin boards
+ face-to-face meetings or electronically throught emails, video conferencing, electronic bulletin
boards
e. Monitoring
- As COSO indicates:
+ Monitoring activities consist of ongoing evaluations built into business processes at different
levels of the entity [that] provide timely information. Separate evaluations, conducted periodically, will vary
in scope and frequency depending on assessment of risks, effectiveness of ongoing evaluations, and
other management considerations.
+ Findings are evaluated against criteria established by regulators, standard-setting bodies or
management and the BODs, and deficiencies are communicated to management and the BODs as
appropriate.
- Monitoring activities are performed concurrently with those operations on an ongoing basis. With
effective ongoing monitoring activities, couples with accurate and dependable risk assessments, the
frequency of separate evaluations may be reduced
[EFFECTIVENESS OF MONITORING]
The first layer: The everyday activities performed by management of a given area as described above
The second layer: A separate (nonindependent) evaluation of the area’s internal controls performed by
management on a regular basis to ensure that any deficiencies that exist are indentified and resolved
timely.
The third layer: An independent assessment by an outside area or function, frequently the internal audit
function, performed to validate the results ( accuracy and reliability) of management’s self-assessment of
the effectiveness of controls in their area. This layered approach provides the organisation with a higher
level of confidence that the system of internal controls remains effective and helps ensure internal
control deficiencies are identified and addressed timely.
- There are 2 different methods for monitoring:

+ Embedding monitoring activities into processes performed during day-to-day business operations
allows monitoring activities to occur regularly, catching problems before they become unmanageable.
+ Separate evaluations lack this advantage due to the timing of their performance, which is later in
the process, and because they are performed less frequently.
+ Separate evaluations provide for a supplement look at the system of internal controls, catch
problems that might have been missed during ongoing monitoring activities, and evaluate the
effectiveness of the ongoing monitoring activities embedded in the day-to-day activities of the area.
→ both are needed for a robust monitoring process to exist.
- Management has primary responsibility for the effectiveness of the organisation’s system of internal
controls, including monitoring activities.
- Monitoring activities performed by subordinates in an organisation are much less effective than those
performed by superiors. In case that carry the risk of management override, board-level monitoring might
be necessary.
- The BODs is responsible for overseeing whether management has implemented an effective system of
internal controls. (understanding of the risks to the organization and understanding how management
mitigates those risks to an acceptable level)
[DEFICIENCY OF INTERNAL CONTROL]

- “a shortcoming in a component and relevant principle that reduces the likelihood that the entity can
achieve its objectives”
- Identified during the performances of eiter ongoing monitoring activities or separate evaluations.
- Deficiencies identified as a result of ongoing monnitoring activities and separated evaluations must be
reported timely to the appropriate parties within the organisation.
- Depending on the impact, a specific deficiency has on the potential effectiveness of the business’s
system, it should be reported to business unit management, senior management, and/ or the BODs.
3. Evaluating the system of Internal Control
- Management: putting in place adequately designed and effectively operating entity-level and activity-
level contros to mitigate risks associated with the achievement of business objective.
- Internal control: verifying that management has met its responsibility.
+ Management performs the primary assessment of internal controls using a formalized process
developed for that purpose.
+ The internal audit function then independently validates management’s results.
- A report is typically submitted to the audit committee by either senior management or the CAE outlining
the results of management’s assessment redarding the design adequacy and operating effectiveness of
the organisation’s system of the internal control.
Chapter 3: Internal Control over Purchasing and Payment cycle
1. Features of purchasing and payment sycle
[Placing orders for goods & services]

- At the begining of this cycle
- Order should be approved by authorized people to ensure that goos & services are purchased for the
right purpose, avoiding over-buying/ under-buying or buying unnecessary items
- Companies normally set inventory levels to ensure business operations
- Once the order is approved → send the order to the supplier ⇒ a ligitimate document, an official offer of purchase.
[Receiving goods & service]

- The decisive stage of the purchase and payment cycle.
- Receiving the goods → check the condition, quantity, specifications and time.
- The Receiving Department of the company will make a Receiving Report when they receive goods &
services. Besides, the Inventory accountant will prepare Good Receipt Note and record in the accounting
books.
[Payment to supplier]
- The payment accountant will check the correctness of purchases and recording them in the journal,
details book of account 331 (comparing the purchase order and receiving report)
- Payment accountants will make payments to suppliers and record in accounting books.
2. Internal Control of purchasing and payment cycle
How to set up internal control for business cycle?
Define Objective of the cycle → Define Risks of the cycle → Design Internal Control procedures
for the cycle
[Placing orders for goods & services]
Control objectives Risks
Buy the right product to use Goods purchases in excess, not serving needs
Buy the right type and specification Goods that are not of the right type and specification
Optimal purchase quantity - Insufficient purchase

- Overbuying
Good quality Poor quality goods
Reasonable price - Unreasonable price

- Loss of discount
Purchasing transaction is true Purchasing transaction is fake
Internal Control Procedures

Separation of duties
a. Is it necessary to organize the purchasing department independent of the request department? Why?
b. Does the person in charge of purchasing need to be separate from the person approving the
purchase? Why?
c. Why do you need to review your purchase order? What risks can be controlled?
Checking documents
- Making purchase request form

a. What is the purpose of the purchase request? What are the elements of this document?
b. When is a purchase request not required?
+ Small purchase value
+ When the inventory is below the minimum, make a purchase without writing a purchasing request.
- Making “Purchase order”

a. What is the purpose of the purchase order?
Buy the right type, quantity, good quality; Reasonable price
b. What are the element of this document?
Date, supplier nam, product name, specification, code, quantity, unit price, deliver method, payment
method
Optimal purchase quantity
a. How to buy goods at the optimal price?

- Get quotes from at least 3 independent suppliers
- Choose the right time to buy to enjoy the discount
- Choose a reasonable purchase quantity to enjoy the discount
- Choose the payment time to enjoy the discount
b. How to optimize the quantity of goods purchased and stocked?

- Use the EOQ model to determine the optimal number of orders and the number of orders to place
each time
EOQ=√ ❑
a = Transaction costs incurred for each order
D = Demand for the period (year)
c = Cost holding inventory
- Use JIT system
Selecting suppliers
Risks: wrong suppliers; supplier has a relationship wit the purchasing staff to receive the commission
Control procedures:
- List the criteria for a good supplier
- Create a supplier profile
- Prepare and maintain supplier lists
- Evaluate suppliers regularly
- Signing long-term commitments
Ratio Analysis
- Compare actual - estimate, this period - previous period

- Gross profit ratio (Gross profit/ Rev)
- Product price
- Inventory turnover (COGS/ Avr Inv)
[Receiving goods & service]

Control Objectives Risks
Receive goods of the right type and specification Receive goods of the wrong type and specification
Receive goods in the right quantity Receive goods in the wrong quantity
Safe delivery Goods lost
Complete recording of import transactions Good in stock are not recorded
The receiving is real The import business is not real
- Separation of duties
- Authorization and approval
- Checking documents
- Custody of inventory
+ witnessed by the receiving department and the storekeeper
+ Goods must be stocked in a timely manner
+ Safe storage
+ Timely recording of receiving transactions
+ Periodic inventory and reconciliation with accounting books
[Payment to supplier]
Control Objectives Risks
Exact amount Wrong amount
Payables are real Payables are fake
Liabilities are fully recognized Liabilities are omitted
Record liabilities in the correct suppliers Record liabilities in the wrong suppliers
Keep track of debts that are due Payment are not made in the due date
Separation of duties
The account payable department should be organized independently from the purchasing, receiving,
and warehousing departments
Authorisation and approval

All payments must be approved by an authorized person of the accounting department
Control accountign books and documents

- Payment can only made when there are full original documents attached to the payment slip or
check
- Original documents must be checked for accuracy, validity and reasonableness before accepting
payment
- Completed payment vouchers must be fully archived.
Control accounting books and documents

- Open a detail supplier tracking book
- From the vendor list, build the vendor code. Cehck supplier number before recording accounts
payable
- Prepare a repor on the debt situation at the end of the period with analysis according to the
repayment term
Compare and deal with differences

- Periodically reconcile between purchasing, receiving and account payable departments to record
date differences.
- Compare between general ledger and detailed book of AP
- Reconciliation between Supplier statement with detailed tracking data
- Correct discrepancies with the appropriate forn
BASIC ACCOUNTS PAYABLE CONTROLS
a. Manually review for duplicate invoices

- A manual accounting system has no way to automatically verify a supplier’s invoice number
against the invoice number of invoices previously paid.
- The payable staff must compare each newly received supplier invoice against invoices in 2 files:
both those in the unpaid invoices file and those in the paid invoices file.
b. Conduct three-way match

The payable staff must compare the pricing and quantities listed on the supplier invoice to the
quantities actually received, as per receiving documents, and the price originally agreed to, as noted in the
company’s purchase order.
c. Store payable due date

- The company must pay its bills on time, which calls for proper filing of unpaid supplier invoices by
payment due date.
- Supplier can give the company a lower credit score or charge late fees.
⇒ unpaid invoices will be stored based on the dates when the company can take early-payment discounts
d. Check stock from locket cabinet

- Unused check stock should always be kept in a locked storage cabinet
- The range of check numbers used should be stored in a separate location and cross-checked gainst the check
numbers on the stored checks → verify that no checks have been removed from the locked locations.
e. Check signer compares voucher package to check

The check signer must compare the backup information attached to each check to check itself,
verifying the payee name, amount to be paid, and the due date.
→ spot unauthorized purchases, payments to the wrong parties, or payments being made either too early or
too late
→ a major control point for companies not using purchase orders, since the check signer represents the only
supervisory-level review of purchases.
f. Prenumber receiving reports

- Ensure that the items being paid for have actually been received, and in the correct quantities.
- Ensure that all receiving reports are being transferred to the account payable department y
prenumbering the receiving reports and tracking down any reports whose numbers are missing
g. Lock up blank receiving reports

If someone stole a blank receiving report, they could take the goods and still submit a completed
receiving report, resulting in undetected theft.
h. Prenumber purchase orders

- Purchase order provides the central authorization to pay
- If the purchasing system is paper-based, it makes sense to keep track of the stock of purchase
orders by prenumbering them
i. Lock up blank purchase orders

- Purchase order → a company’s official authorization to qcquire goods and services.
- Obtain blank purchase orders + fraudulently affix a company officier’ signature to it
→ obligate the company to a variety of purchases with relative impunity.
- Purchase orders are printed in advance → store in a locked cabinet
k. Maintain a register of unappropved supplier invoices

- A company issues new supplier invoices to those empowered to authorize the invoices
→ a significant chance that some invoices will be lost outside of the accounting department and will not be
paid
- Update a register of unapproved supplier invoices on a daily basis, adding invoices to the register
as they are sent out for approval and crossing them off the list upon their return.
- Any items remaining on the list after a predetermined time limit must be located.
Chapter 4: Internal Control over Sale and Collection cycle
1. Features of Sale and Cash Collection Cycle
- The final cycle of the business process, it not only evaluates the effectiveness of the previous
cycles but also evaluates the efficiency of the entire business process.
- An efficiency of sales and collection cycle means that capital is properly mobilized to set the stage
for production and for other cycles to be properly executed.
2. Controls over Billing

- The billing clerk verifies that a credit approval stamp has been placed on the sales order. If not, the clerk
notifies the credit department of the credit problem of customers.
- If the stamp exists, the clerk uses a three-part prenumbered invoice form to prepare an invoice and has a
second person review the invoice for errors.
+ One copy of the invoice is used to post the transaction to the accounts receivable ledger
+ Second copy is used to post the transaction to the sales journal.
+ The remaining copy of the invoice is mailed in an envelope marked “Address Correction
Requested,” so the billing staff will know if the customer’s address has changed.
[Review sales order for credit approval stamp]

- Reviewed by the credit department and received an approval stamp prior to being forwarded to the billing
department. → Spot few missing credit approval stamps
- Any such instance represent a control breach → the credit department should be notified of the problem at once
⇒ a detection control, since the billing clerk receives no paperwork until after a shipment is made
[Prenumber and account for sale invoices]

Invoices should always be created using prenumbered forms, so the billing staff can track the
sequence of invoices more easily and will not issue the same invoice number to multiple customers.
[Proofread invoices]
- Problem: Complex invoices → difficult to create error-free invoice
- Solution: Assign a sencond person to be the invoice proofreader. This person has not created the invoice
and so has an independent view of the situation and can provide a more objective view of invoice
accuracy.
(may not necessary for small-dollar or simplified invoices)
[Segregation of duties for billing and collections]

More difficult for a collection person to fraudulently access incoming customer payments and alter
in voices and credit memos to hide the missing funds
[Verifying contract terms prior to invoicing]

This approach ensures that invoiced amount match the terms set forth in the agreement of contracts
[Monitor customer complaints anouut improper invoices]

- There are continuing problems with the accuracy of issued invoices → solution: To include an accounting
manager’s phone number on the standard invoice form and encourage customers to call if they have problems
- Call the person creating the invoice → likely to ignore or cover up the complaint.
[Identify all address changes of customers to the billing staff]

- Problem: The changes of customer’s address lead to obstacles in the cash collection process
- To prevent this, the company’s mailroom staff should identify all returned invoices directly to the
accounting staff, which should assign a high priority to contact with customer to send the correct address,
updating the customer address file, and reissuing the invoice.
[Reconcile goods shipped to goods billed]

There should be a continual comparison of billings to the shipping documents.
→ reduces the likelihood that a shipment is made without a corresponding invoice being issued.
3. Controls for Collections
- The most common type of control: a supervisory review to take the next collection steps
- It is necessary to assign account ownership to specific collections and sale staff, and to prevent these
people from having any cash recordation function
- If there are negotiated payment settlements with customers, then a supervisor should review and
approve them.
- If an account must be sent to a collection agency, then not only should this transfer require supervisory
approval, but the company should ensure that the agency is properly bonded.
- If all else fails, the company may attempt to sue the customer, but should first dete if the customer has
sufficient assets to pay any debts.
- If the company can not collect cash from customers, there should be supervisory approval of each write-
off, documentation of the approval, and restricted access to the credit-writing function in the
accounting software.
- It is useful to conduct a review of the reasons why each major account write-off occurred, with the intent
of altering the system to reduce the risk of similar write-offs occurring in the future.
[Assign account ownership]

- Clearly define responsibility for who collects every customer account. → prevent delayed payments.
- Account ownership can be limited to a specific collections person, but should also include the salesperson who
originally made the sale → doubling the potential amount of collection effort.
[Periodically reassign account responsibility]

- Collections personnel can become too familiar with a long-standing set of customers, resulting in:
+ high degree of identification with customer problems that they allow more slack in making
payments.
+ Increase the risk of collusion between customers and the collections staff.
- To avoid these problems, periodically reassign account responsibility to different collections personnel.
This does not have to be a bulk reassignment at one time (which might seriously affect collection
efficiencies); instead, consider a rolling reassignment on a continual basis
[Segregate the cash recording and write-off functions]

If the same person is able to record cash receipts and write off receivable balances, then it is
possible to misappropriation of cash and then write off the related receivable.
[Require approval of special payment plans]

- It is possible that the collections staff may allow overdue customers to use alternative payment plans,
such as extended payments or the return of merchandise => a supervisor should authorize these plans.
- To keep excessive authorization from unduly restricting collection, give the collection staff some
preauthorized, such as automatically allowing an extra two months for payments
[Require approval to send to collection agency]

- Collection agencies are usually paid in the vicinity of one third of all collected amounts, so the cost of
referring accounts to them is considerable.
- To keep an excessive proportion of receivables from being sent to collection, have a supervisor approve
them in advance.
[Verify collection agency]

- A collection agency usually requires a customer to send payment to the agency, which then extracts its
fee from the payment and forwards the remaining funds to the company.
- This arrangement puts the company at risk of not being paid by the collection agency.
→ verify each year that the collection agency is fully confirmed to collected amount.
[Prescreen customers before initiating legal action]

- Initiating legal action against a customer is an enormously expensive and prolonged undertaking. In
addition, even if the court awards a substantial settlement, there may not be enough assets to collect.
→ always prescreen a customer’s financial circumstances before initiating a legal action. This can include a review
of all judgments and tax liens already filed against it, as well as outstanding debt. A frequent result is the decision to
avoid legal action.
[Require approval to write off balances]

A lazy collections person could write off a large amount of receivables, rather than attempt to collect them.
→ require a supervisor to sign off on all proposed write-offs.
( allow small-balance write-offs without supervisory approval.)
[Maintain ledger of a write-off account]

- The collections staff could make a fictitious supervisor’s signature on write-off approval forms.
→ the authorizing supervisor should maintain a ledger and documents of all write-offs account approved and keep it
in a secure location.
- There should also be a monthly or quarterly review process that compares the contents of the log to
actual recorded credits.
[Restrict access to receivable credits]

Employees could record unauthorized credits in the accounts receivable subledger, thereby
eliminating open receivables.
→ lock down access to the screen in the accounts receivable subledger that allows access to the creation of
credits.
[Conduct bad-debt analysis]

- It is possible that large receivable write-offs could have been prevented through an adjustment of the
underlying credit-granting policies and procedures.
- It is useful to conduct a formal postmortem analysis on larger write-offs, to discuss what systemic
changes or new controls can be implemented to reduce the likelihood of their reoccurrence.
4. Other Internal Control approach
[Internal control of receiving orders and approving sales]
Control Risks Control Procedures

Objectives
Enough stock/ Not enough stock/ - Reviewing customer orders before accepting.
goods for goods for delivery - Checking if the goods are still available for sale.
delivery - Update with warehouse and production department to
confirm availability of products.
Ensure the Legal disputes - Review customer orders before accepting

legality of the - Confirm phone orders
transaction - Confirm and notify customers whose orders have been
accepted.
Sell to Customers are fake - All sales transactions must make a Sales Order.
customers who Fail to collect from - Sales orders (on credit) must be reviewed by an
can repay the customers independent credit department;
debt Late payment from - Make a profile of the customer's financial ability (credit limit
customers approval)
- Assessing customer's reputation: analyzing debt age
- Sale provisions to new customers
- Have a clear credit policy.
Selling at the Selling at the wrong - Reconcile customer orders with company’s price list
right price price - Approve sale prices, including shipping fees, discounts,
rebates and payment terms.
- Update new prices timely
- Independent control over the execution of sales at the
specified price.
[Internal control of goods delivery]
Control Risks Control procedures

objective
Delivery with the Delivery with the - Organize the delivery department independent from the
right quantity wrong quantity and warehouse department, the sales department.
and type type - Make a Good Dispatched Note/Issuing Note
- Make Delivery Note
- Delivery note must be made on the basis of Approved Sales
Orders
- Delivery note must be approved.
- The customer signs on the delivery note when receiving the
goods
Timely delivery Late delivery or - Check inventory before accepting orders

according to delivery to the - Track orders not yet delivered
order wrong address
requirements
* Control vouchers, documents:

- Requires “Good dispatched note” (issues by sale department)
→ GDN must be get of 5 signatures:
+ Maker
+ Head of the department: sign to check that the sale is correct, sold in full, sold on time, for the
right amount.
+ Director: sign to approve the sale
+ Storekeeper: confirm the release of warehouse
+ Customer: sign to confirm receipt of correct and complete goods
- Stock release note: 4 copies
+ 1 original copy is kept at the Sales Department to track revenue and receivables
+ 1 copy of the Storekeeper to keep as evidence of goods released
+ 1 copy for Accounting Department to track revenue, liabilities, inventory
+ 1 copy to Customer keeps as a basis for reconciliation at customer's warehouse
[Internal control of issuing invoice]

objectives
Invoice for Omit issuing invoice - Periodic reconciliation between shipping department and
delivered cases for delivered cases invoicing department.
- Make a report on the cases of disparity between the two
parties.
- Send monthly debt status notices to customers.
Invoicing Invoicing incorrectly - Control procedures: - Invoices made on the basis of Delivery
correctly Notes, Sales Orders and Purchase Orders;
- Use the Approved Price List;
- Independently check the calculation of the invoice before
sending;
- Send notice of debt situation to customers.
[Internal control Accounts Receivable]

objectives
Full tracking of Unable to - Accounting for Accounts receivable is organized

AR understand the independently from the collection department;
situation of - Organize a detailed accounting books systems and make a
receivables summary table at the end of the period;
- Compare the accountant's report with the credit department's
report;
- Periodically, compare debts amount with customers.
Detailed tracking Fail to tracking of - Periodic reports on the situation of receivables;

of each each customer for - Analysis of the average number of days of debt collection;
customer details - Analysis of overdue debt ratio.
- Issue specific policies for early payment;
Collect A/R on Fail to collect A/R

time on time
Making Not making

adequate and adequate and
appropriate appropriate
provision for bad provision for bad
debt debts
[Internal control collecting cash]

objectives
Full recovery of Collected amount - Cashier must be independent from accountants;

AR are - Day-end reconciliation between cashier and accountant;
misappropriated - Receipts must be recorded immediately
- The proceeds must be deposited in the bank
- Enough customers to pay by bank transfer
- Send monthly debt situation notices to customers
- Investigate the feedbacks
Collect the right Collect the wrong

people amount of AR
Timely collection Overdue AR
[Internal control sale returns and allowance]
Control objectives Risks Control procedures

Item returned is correct Item returned is incorrect - Use separate documents for
goods return operations;
Correctly record returned goods Wrongly record AR - Regulations for reviewers to
so as not to falsify debts return goods and implementation
procedures
[Internal control making provision for bad debt and write off bad debts]
Control objectives Risk Control procedures
Ensuring that Provisions and write-offs of - Make a debt age analysis table
provisions and write- uncollectible receivables are - There are clear regulations on the method of
offs of uncollectible hishonest and unreasonable making provision for bad debts;
receivables are honest - There are clear regulations on procedures
and reasonable for reviewing and writing off uncollectible
receivables.
5. Frauds and procedures to deal with
Frauds Control procedures
Sales review (selling at low prices, giving incorrect - Developing sales and credit policies;
trade discounts, selling to customers who cannot - Separation of sellers and reviewers / price
pay) changes, discounts
Embezzled sales proceeds - Surveillance staff / camera

- Log in/out on the vending machine;
- Hotline
Lapping technique - Reconcile debts regularly;

- Accounts receivable accountants are not entitled
to write off receivables.
Chapter 5: Internal Control over personnel and payroll cycle
1. Overview of payroll cycle
- A considerable source of fraudulent activity, especially in regard to the creation of ghost employees
whose pay is siphoned into the bank accounts of the perpetrators, overstated reported hour worked.
- An area requiring such a large volume of data collection nd conversion that there is a high risk of errors
being made inadvertently.
[BASIC PROCESS FLOW OF PAYROLL CYCLE]

- Control are used to ensure that submitted timecards are complete, accurate, and authorized
→ payroll payment and tax remittance calculations have been made properly.
- A key control is for the payroll staff to verify against the current employee list that timecards have been
received from all employees, which can rectify an exceedingly common problem.
- Next, The payroll staff obtains supervisory approval that the hours submitted on the timecards are correct
and authorized, which uncovers inappropriate overtime claims. Once the timecards are compiled, the
payroll staff next uses submitted employee change forms and a variety of pay and deduction requests to
calculate the total amount to be paid.
- Following the initial pay calculation, a second person should verify calculations, after which paychecks
are cut and payroll taxes deposited.
- An additional control is to hand paychecks directly to employees, verifying the identity of the recipients.
- Finally, the accounting staff should match the manually generated payroll register to all supporting
documents prior to creating a payroll entry in the general ledger.
⇒ ensures that all employees are paid the correct amount and that pay is issued to valid employees.
[FUNCTIONS OF DEPARTMENTS]
Department/ Factory Payroll accountant

- Timekeeping, tracking working time - Calculating salary, bonus
- Confirm working time, service completed - Making salary payment table,
- Approve sick leave, maternity leave, bonus and other payable
accidents labor, stop working - Record in accounting book
HR Department
→ - Payment salary, bonus and related
payments
- Recruiting, hiring employees
- Prepare reports on personnel situation
- Make a personnel book
- Make a personnel profile
- Issuing salary calculation policies
[Control activities] - Issue series of documents for recording salary

- For workers: use the job tracking sheet to determine the amount of work one in each day/ week
- For office staff: it is necessary to make a salary estimate for each month per job. Make periodic reports
on the work done.
- Prepare a salary slip for each individual on the basis of an updated personnel file and transfer it to a
competent person for approval.
- Prepare a summary table of salary transferred to the accounting department for recording
- Besides, some additional documents according to Circular No.200: Working time table, Individual
timesheets, Payroll table, Payroll slip, Payment slip, Payment order via bank,...
2. Internal control objectives
a. Ensure that all transactions are recorded.

- All valid employee payments should be recorded from attendance documents, sign-on registers, ID card
and sensing equipment.
- Wages payments are reconciled to the wages control account at regular intervals.
- Transactions not recorded could be detected by employees advising pay staff accordingly.
b. Record only transactions that are valid.

- All hours spent on jobs are recorded by the supervisor.
- The Internal controls on employee hiring and the supervision of staff working should detect and protect
against the initiation off invalid labour charge.
c. Authorise only valid transactions.

- Production activities are approved by managers.
- Factory supervisors should not accept production orders without the correct authority.
- All overtime is approved with overtime authorizations signed by the head of department.
d. Calculation correctly and protect records from incorrect calculations and errors recording.
- Normal procedure for each pay period includes making regular wage rate checks on each department in
the payroll.
- This is achieved by checking wage rates and charge-out rates used in payroll calculations with the
calculations for previous payrolls.
e. Classify entries correctly in accordance with the various charts of accounts of categorizing
requirements.
- This is verified by comparing job costs charged against each job with estimates, or by comparing
budgeted charges for indirect and overhead categories with the accounting manual.
→ ensures that labour times and charges of each employee are allocated to the correct labour work in process or
indirect overhead control accounts.
f. Record transactions in a timely manner so as to minimize errrors caused by a delay between the
transaction and its recording.
This ensures that labour dissections are as accurate as possible and that labour resources are
effectively and efficiently used.
g. Include all transactions in the relevant subsidiary ledger and correctly post them to the relevant
ledger account.
The normal levels of labour activities can be confirmed against payroll and clearing accounts in the
cost ledgers (all charges for labour hours to production in the work in process, finished goods and relevant
factory overhead control accounts)
3. Risks in payroll cycle

- Salary policy hinders operations
- The recruitment, salary payment, reward… are not in accordance with the policy of the unit and the law
- The salaries and bonuses are “understatement”
- Error in calculating salary and bonus
- Not update HR data
- Insufficient number of existing employees in the salary period;
- Incorrect title, position, rank, department, etc.
- Failure to promptly update personnel changes (retired employees, new employees, transferred
employees, employees with salary increase/reduction, etc.)
- Time attendance risks (time attendance is incomplete, inaccurate, late)
- Payroll risk (incomplete, inaccurate, late calculation)
- Employee's salary and bonus are misappropriated
- Financial statements and reports on personnel, salaries are not honest and reasonable.
4. Control activities
- Policy/ Procedure ⇒ Purpose: to compile time sheets, process pay changes, manually calculate wages and tax
due, create paychecks, deposit taxes, and create journal entries.
- Obtain Time sheets (Payroll Clerk)

+ Check off the receipts against the current employee list, and contact the factory manager of each
location from which no time sheets have been received or for missing individual timesheets
+ Verify that all timesheets contains a supervisor’s approval signature. Supervisors must circle and
initial all OT hours to indicate their authorization. If all approval has not occurred, return the time sheets to
the supervisors for their immediate review and approval.
- Review Time Sheets (Payroll Clerk)

+ Add up the time on all time sheets, circling those time punches that have no clock-ins or clock-
outs.
+ Review the time sheets for special work codes. If any time has been charged to family leave, jury
duty, personal holiday, sick leave, unpaid leave, or vacation, circle those items.
+ Create a master review list of all employee names whose time sheets contain circled items.
+ Distribute all time sheets with circled items to supervisors, who must complete missing
information and initial next to each circled item to indicate their approval.
+ Upon receipt of the reviewed time sheets from the supervisors, verify that all circled items have
been addressed, and then check off the time sheets on the master review list.
- Review Employee Change Requests (Payroll Clerk)

+ Assemble all employee change forms and deduction authorization forms received since the last
payroll was processed.
+ Verify that all change requests have been authorized correctly
- Calculate Wages and Taxes Due (Payroll Clerk and Payroll Clerk #2)
+ Calculate gross pay based on the most recent authorized pay rate for each employee.
+ Calculate pretax deductions, such as 401(k) and flexible spending account deductions. Verify
that deduction goals have not been exceeded.
+ Using the appropriate IRS tax table, calculate all taxes for employees.
+ Calculate after-tax deductions based on authorized documents. Verify that deduction goals have
not been exceeded
- Review Wage and Tax Calculations (Payroll Clerk #2)

+ Review all pay calculations made by the first payroll clerk, focusing on the following items:
• Employee deductions are correct.
• Deductions do not exceed deduction goals.
• Pay rates are accurate.
• The correct start dates are used for changes in pay rates.
• Taxes are based on the correct number of employee deductions.
+ Review all possible errors with the first payroll clerk.
+ Once all errors are corrected, sign off on the calculations and return all payroll documents to the
first payroll clerk
- Create Payroll Register (Payroll Clerk)

+ Itemize in the payroll register who was paid, their gross pay, tax deductions, and net pay.
+ Have the payroll manager compare the checks to the payroll register to ensure that all
information was transferred correctly.
+ Initial and date all payroll change and deduction authorization forms to indicate that they were
used in the payroll calculations, and file them in the employee payroll files
- Create Paychecks (Payroll Clerk #2)

+ Remove a sufficient number of blank payroll checks from the locked storage cabinet for all
employees to be paid. Note the check numbers removed on a tracking sheet, which is stored in a separate
locked cabinet.
+ Transfer gross pay, deductions, and net pay information from the payroll register to the checks,
and copy the same information onto the remittance advices attached to each check.
+ Record in the payroll register, next to the pay information for each employee, the check number
of the check used to pay him or her.
+ Take the payroll register and completed checks to an authorized check signer, who compares the
payroll register entries to the checks and signs the checks.
+ Store the signed checks in the company safe until pay day.
- Deposit Withheld Taxes (Payroll Clerk #2)

+ Remove a blank Form 8109 from the IRS-supplied booklet.
+ On the form, enter the month in which the corporate tax year ends, the dollar amount being
remitted (source is the tax total on the payroll register), and contact information, and darken the square
next to the type of tax being paid.
+ Create a check for the amount of the remittance.
+ Take the completed Form 8109 and check payment to the local bank and obtain a receipt for the
payment.
+ File the tax payment receipt by date.
+ Send the payroll register to the general ledger accountant
- Create and Post Journal Entries (General Ledger Clerk and Controller)
+ The general ledger accountant summarizes the payroll register into a journal entry on the
corporate journal entry form.
+ The controller reviews the journal entry form and initials it to indicate approval.
+ The general ledger accountant records the journal entry in the general ledger.
+ The general ledger accountant staples the journal entry form to the payroll register and files it by
date.
- Issue Checks (Paymaster)

+ Divide the paychecks into groups by department.
+ Go to each department and hand out paychecks to all employees showing a proper form of
picture identification.
+ Upon receipt of a paycheck, each employee signs for it next to his or her name on the employee
register.
+ If employees are not available, highlight their names on the employee register, and store both the
register and unissued checks in the company safe.
[Some additional degree of control over the process]
- Continually review all outstanding advances.

+ Employees who require advances are sometimes in a precarious financial position and must be
issued constant reminders to ensure that the funds are paid back in a timely manner.
+ A simple control point is to have a policy that requires the company to automatically deduct all
advances from the next employee paycheck, thereby greatly reducing the work of tracking advances.
- Require approval of all advance payments to employees.

+ When employees request an advance for any reason → require formal signed approval from their
immediate supervisors. The reason is that an advance is essentially a small short-term loan, which would also require
management approval.
+ The accounts payable supervisor or staff should be allowed to authorize advances only when
they are in very small amounts.
- Limit access to payroll change authorization forms.

When the payroll clerk receives a signed payroll change authorization, he or she should store it in a
locked cabinet until used to calculate payroll. By doing so, no one (except the payroll clerk) has an
opportunity to modify the authorization document.
- Payroll manager verifies payroll register entry.

The payroll clerk can both calculate paychecks and record this information in the payroll register,
as long as the payroll manager verifies that all information was transferred correctly to the payroll register.
- Require approval of all negative deductions.

A negative deduction from a paycheck is essentially a cash payment to an employee. Though
this type of deduction is needed to offset prior deductions that may have been too high, it can be abused
to increase a person’s pay artificially.
→ all negative deductions should be reviewed by a manager.
- Audit pay deductions.

+ It is useful to audit the deductions taken from employee paychecks, since these can be altered
downward to effectively yield an increased rate of pay.
+ This audit should include a review of the amount and timing of garnishment payments, to ensure
that these deductions are being made as required by court orders.
- Look for paychecks having no tax or other deductions.

+ A paycheck that has no tax deductions or personal deductions is more likely to be a check issued
for a ghost employee, where the perpetrator wants to receive the maximum amount of cash.
+ The easiest way to spot these checks is to create a custom report that runs automatically with
each payroll and that itemizes only checks of this nature.
- Issue lists of paychecks issued to department supervisors.

+ It is quite useful to give supervisors a list of paychecks issued to everyone in their departments
from time to time ( to spot payments being made to employees who are no longer working there)
+ It is also a good control over any payroll clerk who may be trying to defraud the company by
delaying termination paperwork and then pocketing the paychecks produced in the interim.
- Compare the addresses on employee paychecks.

If payroll staff members are creating additional ghost employees and having the resulting
paychecks mailed to their home addresses, then a simple comparison of addresses for all check recipients
will reveal duplicate addresses.
- Compare pay records to employee files.

+ A good detective control is to see if an employee human resources file exists for each check
payment, on the grounds that these files typically are maintained by someone other than the payroll clerk
and so represent a good independent verification of the existence of an employee.
+ If there is no employee file, payments probably are being made to a ghost employee.
- Prohibit payment of wages in cash

Additional opportunities for the funds to be stolen when pay in cash
→ better not to allow cash payment
- Have employees sign for paychecks received

This is not as necessary as would be case if payments were in cash.
- Review paychecks for double endorsements

If a payroll clerk has continued to issue checks to a terminated employee and is pocketing the
checks, the cashed checks should contain a forged signature for the departed employee as well as a
second signature for the account name into which the check is deposited.
- Review uncashed payroll checks

If checks have not been cashed, it is possible that they were created through some flaw in the
payroll system that sent a check to a nonexistent employee.
→ An attempt should be made to contact these employees to see if there is a problem.
- Independently verify tax remittances

Given the large penalties associated with late or incorrect tax remittances, some companies protect
themselves by having an additional person calculate the amount of taxes remitted, and the timing and
manner of remittances, to be doubly sure that remittances are handled correctly.
- Reconcile the payroll bank account

+ The payroll bank account always should be promptly reconciled → discrepancies between payments made
and the totals listed in the payroll register will be noted, indicating the presence of fraud.
+ An earlier control that described how to match the payroll register to authorizing documents could
be negated by false entries in the payroll register. The bank reconciliation will highlight any such false
entries. This reconciliation should be conducted by someone not otherwise involved in the payroll process.
- Compare the payroll salary budget to actual expenditures.

+ A very high-level control over the reasonableness of the payroll expense is to compare it to the
budgeted expense, department by department.
+ As long as the budget was designed roughly to mirror actual operations (as opposed to a stretch
budget that is designed to be quite difficult to attain), this can be a reasonable indicator of problems with
the payroll calculations. It is especially good for indicating the presence of ghost employees, since they will
not be listed in the budget.
- Outsource payroll processing.

A supplier of payroll processing services is responsible for remitting payroll taxes, which removes a
considerable responsibility from the company → outsourcing payroll is in itself a control point.
Chapter 6: Internal Control over tangible fixed assets
1. Overview of fixed assets
- Physical or tangible iterms that a company owns and uses in its business operations to provide services
and goods to its customers and help drive income
- These assets provide the owner long-term financial benefits. It is expected that a business will keep and
use fixed assets for a minimum of one year
- The value of fixed assets decline as they are used and age (except for land), so they can be depreciated.
At the end of their lifecycle, fixed assets are often converted into cash.
- Depreciation is found on the balance sheet, cash flow statement, and income statement.
- It is common for a business to lease fixed assets. While the business does not own that asset, leased
assets act as fixed assets.
- Fixed assets life cycle:
Procurements → Registering assets → Adjusting assets → Transfering assets → Depreciation → Disposal
2. Control objectives with fixed assets
[Operation] [Report] [Compliance]

- Achieve business and growth goals - Reliable reporting Compliance with the law
- The relationship between costs and - The items in the financial and rules and regulations
statements are presented
income from the property brings
honestly and resonably
3. Control procedures with fixed assets
* Documents and forms:

- The department wishing to buy fixed assets will make a request to buy assets and this form must be
signed and approved by the head of the division.
- Proposals should be based on a plan developed at the beginning of the year and only authorized
persons in each department can approve the procurement.
- This procedure is to deal with a fairly common mistake of offering to buy property when the need is not
really necessary.
- For fixed assets of great value, it is necessary to include an estimate and explanation, including
calculation of investment efficiency, time to recover capital, etc.
[GENERAL CONTROL PROCEDURES]

- Develop an investment plan for tangible fixed assets
- Separation of responsibility
- Prepare documents and forms
- Control the process
- Independent testing of the implementation
- Physical control
- Ratio analysis
+ Ratio: Sales/ FA; Sales/ TA → efficientcy
+ Subject to misinterpretation based on age and NBV of assets in comparisons to other companies
⇒ If ratio is lower than industry or falling over several periods, it can indicate:
+ Presence of non-operating assets
+ Idle assets (unproductive)
+ Fraudulent overstatement of fixed assets (WorldCom)
+ Falling demand, failed products
* FIXED ASSET FRAUD
- Red flags of fixed asset frauds
+ Adding to assets while competitors are reducing capital tied up in assets
+ Increasing fixed assets that do not result in increased sales, capacity, or efficiencies
+ Abandoned or unused fixed assets included in the fixed-asset accounts
+ Assets acquired from a related party
+ Basis for allocation of fixed assets in a merger is not supported through proper documentation
and/or valuations
- Forensic Accounting Investigativve Techniques (Kĩ thuật kế toán điều tra)
+ Recording inventory manufacturing costs, research and development costs, maintenance
expenses, interest expenses, start-up costs, or other operating expenses as property and equipment
+ Buying personal assets for the ownermanager or an executive to own and then recording them
as company assets
+ Understating depreciation
+ Not removing disposed assets from the books
+ Failing to write down impaired assets
[CONTROL PROCEDURES IN EACH STAGE]

a. Approval to buy fixed assets
- The Chief Accountant/Financial Director needs to review if the Fixed Asset Request Form is consistent
with the approved plan and budget.
- If the Request Form differs from the plan, requires an explanation from the department.
- If there is an objective and legitimate reason, the project should be re-evaluated and this change must be
reviewed by the Board of Directors
- If due to subjective reasons, it can be refused.
b. Supplier selection process

- Based on the approved fixed asset purchase proposal form and on the supplier selection policy, the
purchasing department will consult the prices at many suppliers or bidding organizations.
- The selection of a supplier usually needs to simultaneously satisfy the following criteria:
+ There is no beneficial relationship between the purchasing department and the selected supplier.
+ The selected price criterion must be the most reasonable price compared to other suppliers.
+ For assets of great value, capital construction investment projects, it is recommended to choose
the form of public bidding to select the supplier with the best price and highest quality.
c. Place an order
- Based on the Fixed Asset Request Form and the selected supplier, the asset purchasing department
will make a Purchase Order.
- Purchase orders must be pre-numbered and must include all important information such as: date of
order, quantity, property specifications, price, supplier and payment terms.
- Each purchase order should be made in four copies, one to the supplier, one to the purchasing
department and one to the relevant department such as the receiving department and one save.
d. Receiving fixed assets

- When receiving the property, based on the purchase order, the purchasing department and the
department requiring the purchase of fixed assets jointly check the specifications, quantity, and technical
requirements to see if they are correct as ordered in order to receive the assets. product and accept the
supplier's invoice for payment.
- After receiving the property, the asset purchasing department makes a record of fixed asset delivery.
- The minutes of the delivery and receipt of fixed assets are made in three copies
+ one copy is kept by the asset purchasing department
+one copy is kept by the property receiving party
+ one copy is attached to the copy of the Fixed Asset Request Form.
- Then these two documents together with the copy of the Purchase Order and the original invoice are
transferred to the accounting department.
e. Recognition of fixed assets

- After completing the purchase and transferring the assets to the required department, the accountant
records the asset purchase and keeps track of the usage.
- Risks that may arise during this period are misrecording of fixed assets, misclassification of assets, and
miscalculation of depreciation; does not manage assets by location of use and falsifies performance
evaluation results.
- To minimize the above errors, the accounting department needs to fully and accurately keep information
about fixed assets in detailed books and fixed asset cards.
+ The making of fixed assets books and cards at this stage is to avoid errors in not timely recording fixed
assets, leading to uncontrollable amount of actual assets and depreciation of used assets, distorting costs →
profit/loss that is not true to reality.
- The information that needs to be recorded on the detail book and fixed asset card includes asset name,
type, used part, historical cost, code number, location, date of purchase/liquidation, supplier or
manufacturer, value added or changed, accumulated depreciation, data in the detailed book must be
periodically reconciled with the general ledger.
- If it is an asset that is difficult to distinguish, in addition to recording it in the books, it is necessary to label
these assets. Labels need to be made of durable materials.
- The copy of the fixed asset card should be sent to the administrative department and the asset use
department to monitor and preserve the assets.
- To avoid misrecording, an employee should be arranged to independently check information such as
name, code, original price, place of use...
- Records of fixed assets are the basis for the management, calculation and allocation of depreciation.
+ If unauthorized access to this document is obtained, it may result in a modification of the
depreciation rate (to change the segment's operating results), or a change in the location of assets to
conceal the property theft
→ must set up a password to limit access to files containing information about assets
f. Assign responsibility for asset management

- It is necessary to assign responsibility to the head of the relevant department for the management and
use of the property.
- It is best to include asset management as an indicator to assess the ability and performance of the
manager.
- For internally moved assets, documentation is required to reflect the transfer of the assets and needs to
be approved by the responsible person.
- To manage assets well, it is necessary to use a combination of other measures such as:
+ Limited access to assets & have security guards to avoid illegal movement of assets out of the
unit or to another place
+ Install a camera system or alarm system to monitor and detect property theft
g. Physical count of assets

- When taking inventory, it is necessary to compare the actual quantity with the list of fixed assets to detect
lost assets.
- Inventory can detect assets that are no longer usable, damaged assets.
- If there is an internal audit department, there should be a plan to examine the assets, compare the actual
assets with the books on the books, and review the efficiency and effectiveness of the asset's use.
- If the number of assets is large, the internal audit can select a sample to test, the ideal way to sample is
to test 20% of assets representing 80% of the total cost of assets.
h. Calculate and record depreciation of fixed assets

- Accountants should make sure that the depreciation method and depreciation period are selected in
accordance with the situation of using fixed assets. The usual control procedures are:
+ Check for correct type recognition
+ Check the fixed asset registration data on the software and accounting books to see if the assets
are listed correctly according to the asset classification.
+ Calculate proper depreciation
- Determine the number of years used to depreciate fixed assets based on the provisions of the law and
policy on fixed assets of the unit. .
+ Set when to start depreciation for the asset.
+ Select a depreciation method that should be used consistently throughout its useful life, and
should only be changed when this method is no longer suitable.
+ Store depreciation information
→ This information is kept in the records of each relevant fixed asset
i. Repair and upgrade fixed assets

- Repair of fixed assets is divided into two types: regular repair (also called minor repair) and major repair.
+ Regular repair of fixed assets in order to maintain production capacity and normal use of assets.
+ Major repair of fixed assets is the repair of assets with heavy damage, so the repair time is long,
the repair techniques are complicated, and the property has to stop working. Due to the large costs
incurred, an appropriate cost allocation method must be used to avoid price fluctuations.
- When there is a request for major repair or property maintenance, the property management department
makes a property repair and maintenance note signed by the head of the department and sends it to the
technical maintenance department of the unit.
- The maintenance department checks and confirms the assets to be repaired, maintained, tools, tools,
spare parts needed for the repair, estimated costs incurred. Then, this form is sent to the Chief
Accountant/Financial Director for approval.
- After the correction, the relevant documents are transferred to the accountant. Based on the asset repair
and maintenance note, the minutes of delivery and receipt of the completed major repair fixed assets and
other documents (if any), the accountants record the expenses in the accounting books.
k. Disposal
- The risk in this stage is that employees sell assets below market value, liquidate assets that are still
usable, or documents and records related to liquidated assets are not transferred to the accountant.
⇒ accountants continue to depreciate the liquidated assets and do not record any decrease in assets.
- To avoid this situation, it is necessary to have regulations on procedures for asset liquidation. The usual
procedures are:
+ Periodic reviews → Periodic asset use reviews the actual useful lives of assets can vary, and differ from
initial estimates. This review should be conducted at least once a year. The review board should have representatives
from the accounting department, the purchasing department, and the asset use department.
+ An asset usability matrix (this is quite simple forvassets used in production) and should be
specified as one of the contents ofvthe periodic report of the user. Management is a report on the use of
assets.
⇒ help managers decide to dispose of assets that are no longer usable or are no longer useful.
- In addition, if the asset has expired or is damaged too badly, the cost of upgrading is too large, the unit
should liquidate the asset.
*Issuing procedures for liquidation of fixed assets

- The department that needs to liquidate assets needs to make a written request for asset liquidation.
- The unit should issue a policy on liquidation of fixed assets, clearly specifying the reviewer and
liquidation conditions.
- The method of determining the recoverable value to prevent the above-mentioned violations.
- When liquidating, it is necessary to set up a review board for the above-mentioned contents. The
establishment of a liquidation council helps to avoid that an individual can collude with outsiders to sell
fixed assets at low prices, or misjudge the value of assets.
[The procedure for liquidation of fixed assets]

- Step 1: Summarize information on liquidation of fixed assets
The sales department prepares a fixed asset transfer note (attached to the minutes of fixed asset
liquidation) which clearly states the liquidation value of the property, information about the buyer, and the
form of payment.
- Step 2: Issue the invoice and deliver the property to the buyer
+ The salesperson makes an invoice fot the sale of fixed assets based on the information on the
Fixed Asset Relocation slip. Invoice attached to the Chief Accountant/ Financial Director and the Director
for signature. Then, this document will be forwarded to the accounting department.
+ The invoicing officer sends the invoice to the sales department to deliver the property and invoice
to the buyer, ask the buyer to sign for it, and forward it to the accounts payable accountant.
+ The accounting records a decrease in fixed
assets, income from sale of assets as well as
receivables.
- Step 3: Update fixed asset records
The general accountant shall, based on the
fixed asset transfer note and the fixed asset liquidation
record, check the fixed asset data recorded on the
fixed asset card, the ledger, and then save it in the file
of that fixed asset.
*The common schemes are as follows:

+ Fictitious fixed assets
+ Misunderstanding fixed assets costs
+ Understating assets
+ Captitalizing unrelated cost of assets
[Other approach in internal control for fixed asset]

- Obtain funding approval through the annual budgeting process
- Require a signed capital investment approval form prior to purchase
- Use prenumbered acquisition and disposal forms
- Assign responsibility for assets
- Conduct regular asset disposition reviews
- Segregate responsibilities related to fixed assets
+ Fixed asset acquisition
+ Fixed asset transaction recording
+ Custody of the fixed asset
+ Fixed asset disposal
+ Reconciliation of physical assets to accounting records
- Restrict access to the fixed asset master file
- Restrict facility access
- Install an alarm system to detect RFID-tagged assets (Radio Frequency Identification)
- Reconciliation fixed asset additions with capital expenditure authorizations
- Conduct a periodic fixed asset audit
- Test for asset impairment
[CONTROL PROCEDURES FOR FRAUDS (if any)]
4. Frauds and common mistakes with fixed assets
Stage Fraud and common errors
Investment decision on - Improper investment leads to waste or financial imbalance

fixed assets - Purchased for individuals but charged to the asseets of the unit
- Buy fixed assets at a price higher than the market price
Use of fixed asset - Improper purposes, wasteful use reduces efficiency.

- Incorrect capacity.
- Personal purposes (abuse)
- Stealing fixed assets.
Record information about - Inaccurate and timely recording of fixed assets:

fixed assets + Recording assets that do not meet the conditions to become fixed
assets.
+ Misrecording information about cost, useful time.
- Fixed assets have been put into use but have not been updated in the
books.
- Choosing an inappropriate depreciation method, estimating the useful life
of fixed assets incorrectly.
- Failure to timely record maintenance and repair costs leads to incorrect
accounting of costs.
- Do not estimate risks, do not buy insurance for fixed assets of great value.
- Loss of fixed assets due to no periodic inventory.
Disposal - Do not write off liquidated fixed assets.

- Selling at low price.
- Appropriating money for liquidation of fixed assets.
Chapter 7: Internal Control over Cash
1. Definition and features of cash
a. Definition:
- Cash consists of coins, currency (paper money), checks, money orders, and money on hand or on
deposit in a bank or similar depository.
- Companies report cash in two different statements: the balance sheet and the statement of cash flows.
+ The balance sheet reports the amount of cash available at a given point in time.
+ The statement of cash flows shows the sources and uses of cash during a period of time.
b. Features:
- Cash is the one asset that is readily convertible into other type of asset.
+ It is easily concealed and transported, and highly desired
⇒ Cash is the asset most susceptible to fraudulent activates
- Because of the large volume of cash transactions, numerous errors may occur in executing and
recording them
2. Apply internal control principles to cash
[Cash receipt control]

- Establishment of responsibility: Only designated personnel are authorized to handle cash receipts
(cashiers)
- Documentation procedures: Use remittance advice (mail receipts), cash register tapes or computer
records, and deposit slips
- Segregation of duties: Different individuals receive cash, record cash receipts, and hold cash
- Human resource controls: Bond personnel who handle cash; require employees to take vacations;
conduct background checks
- Physical controls: Store cash in safe and bank vaults; limit access to storage areas; use cash registers
- Independent internal verification: Supervisors count cash receipts daily; assistant treasurer compares
total receipts to bank deposits daily
* Important internal control principle - Segregation of record-keeping from physical custody
MAIL RECEIPTS
- Mail receipts should be opened by two mail clerks, a list prepared, and each check endorsed “For
Deposit Only.”
- Each mail clerk signs the list to establish responsibility for the data.
- Original copy of the list, along with the checks, is sent to the cashier’s department.
- Copy of the list is sent to the accounting department for recording. Clerks also keep a copy.
[Cash disbursement controls]

- Generally, internal control over cash disbursements is more effective when companies pay by check or
electronic funds transfer (EFT) rather than by cash.
- One exception is payments for incidental amounts that are paid out of petty cash.
+ Establishment of responsibility: Only designated personnel are authorized to sign checks
(treasurer) and approve vendors
+ Documentation procedures: Use prenumbered checks and account for them in sequence; each
check must have an approve invoice; required employees to use corporate credi cards for reimbursable
expenses; stamp invoice “paid”
+ Segregation of duties: Different individuals approve and make payments; check signers do not
record disbursements
+ Human resource controls: Bond personnel who handle cash; require employees to take
vacations; conduct background checks
+ Physical controls: Store blank checks in safe with limit access; print check amounts by machine
in indelible ink
+ Independent internal verification: compare checks to invoices; reconcile bank statement monthly
VOUCHER SYSTEM CONTROLS
- A network of approvals by authorized individuals, acting independently, to ensure all disbursements by
check are proper.
- A voucher is an authorization form prepared for each expenditure in a voucher system.
PETTY CASH FUND
Petty Cash Fund - Used to pay small amounts. Ethic notes:

Involes: Internal control over a pretty cash fund is
- establishing the fund, strengthened by:
- making payments from the fund, and - having a supervisor make surprise counts of the
- replenishing the fund. fund to confirm whether the paid petty casg
receipts and fund cash equal the imprest amount
- canceling or mutilating the paid petty cash
receipts so they cannot be submitted for
reimbursement
How employees steal

Occupational fraud is using your own occupation for personal gain through the misuse or misapplication
of the company’s resources or assets. This type of fraud is one of three types:
1. Asset misappropriation (such as theft of cash on hand, fraudulent disbursements, false refunds,
ghost employees, personal purchases, and fictitious employees).
→ This fraud is the most common but the least costly.
2. Corruption, such as bribery, illegal gratuities, and economic extortion.
→ This fraud generally falls in the middle between asset misappropriation and financial statement fraud as regards
frequency and cost.
3. Financial statement fraud, such as fictitious revenues, concealed liabilities and expenses, improper
disclosures, and improper asset values.
→ This fraud occurs less frequently than other types of fraud but it is the most costly.
3. Identify the control features of bank account

- The use of a bank contributes significantly to good internal control over cash.
+ Minimizes the amount of currency on hand.
+ Creates a double record of bank transactions.
+ Bank reconciliation.
- Making bank deposits: Authorized employee should make deposit
- Writing checks: Written order signed by depositor directing bank to pay a specified sum of money to a
designated recipient.
- Bank statements:
+ DEBIT MEMORANDUM: Bank service charge & NSF (not sufficient funds).
+ CREDIT MEMORANDUM Collect notes receivable & Interest earned.
- Reconciling the Bank Account: Reconcile balance per books and balance per bank to their “correct” or
“true” balance.
- Electronic Funds Transfer (EFT) System
+ Disbursement systems that uses wire, telephone, or computers to transfer cash balances
between locations.
+ EFT transfers normally result in better internal control since no cash or checks are handled by
company employees.

Internal Control

Uploaded by

Copyright:

Available Formats

Internal Control

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Internal Control

Uploaded by

Copyright:

Available Formats

Chapter 1: Overview of Internal Control

1. Definition of Internal Control

- Reason for an internal control system: to meet the following requirements:

- Objectives of Internal Control:

2. Limitation of Internal Control

- COSO framework and Implementation Guide

- Effectiveness of Internal Control

- Internal control over financial reporting for external stakeholders:

4. Role of interested parties for Internal Control

4.1. The Board of Directors

4.2. Audit Committee

4.3. Cotrol Board

4.4. Internal Auditor

4.5. Senior Management

4.6. Other Management and Personnel

4.7. Independent Auditor

The control environment provides an atmosphere in which

Principle 1: The organisation demonstrates a commitment to integrity and ethical value.

2. Describe 5 components of Internal Control

INTEGRITY AND ETHICAL VALUES

BOARD OF DIRECTOR OR AUDIT COMMITTEE PARTICIPATION

[RISK ASSESSMENT PROCESS]

[INHERENT RISK, CONTROLLABLE RISK, AND RESIDUAL RISK]

TYPE OF CONTROL ACTIVITY

ADEQUATE SEPARATION OF DUTIES

PROPER AUTHORIZATION OF TRANSACTIONS AND ACTIVITIES (establishment of

ADEQUATE DOCUMENTS AND RECORDS

PHYSICAL CONTROL OVER ASSETSS AND RECORDS

INDEPENDENT CHECKS ON PERFORMANCE (independent internal verification)

d. Information & Communication

- There are 2 different methods for monitoring:

[DEFICIENCY OF INTERNAL CONTROL]

3. Evaluating the system of Internal Control

[Placing orders for goods & services]

[Receiving goods & service]

2. Internal Control of purchasing and payment cycle

How to set up internal control for business cycle?

[Placing orders for goods & services]

Control objectives Risks

Optimal purchase quantity - Insufficient purchase

Good quality Poor quality goods

Reasonable price - Unreasonable price

Purchasing transaction is true Purchasing transaction is fake

Internal Control Procedures

- Making purchase request form

- Making “Purchase order”

Optimal purchase quantity

a. How to buy goods at the optimal price?

b. How to optimize the quantity of goods purchased and stocked?

- Compare actual - estimate, this period - previous period

[Receiving goods & service]

Safe delivery Goods lost

Complete recording of import transactions Good in stock are not recorded

The receiving is real The import business is not real

Internal Control Procedures

- Authorization and approval

Control Objectives Risks

Exact amount Wrong amount

Payables are real Payables are fake

Liabilities are fully recognized Liabilities are omitted