Chapter 2:

INTERNAL CONTROL

PhD. Nguyen Thi Mai Huong

1
 Learning objectives
CL02
• Explain the benefits and factors affect internal control
• Explain main audit terminologies and audit procedures
CL03
• Understand internal control to assess risks of material
misstatement, audit risk to focus the audit on
significant areas

2
 Learning materials
Textbook
[1] Alvin A. Arens, Mark S Beasley, Randal J Elder. (2020). Auditing
and Assurance services – an integrated approach (17th ed.). Pearson
Education.
Other materials
[2] Bộ môn Kiểm toán – Đại học kinh tế TP.HCM. (2019). Kiểm toán.
NXB Lao Động Xã Hội.
[3] Trần Thị Hải Vân & cộng sự. (2016). Tài liệu câu hỏi và Bài tập
Kiểm toán căn bản. Đại học Ngân hàng TP.HCM (Lưu hành nội bộ).

3
 Requirements

Students are presumed to have read all the necessary

materials, and
Prepare for questions:
1. What is internal control?
2. The components of internal control?
3. E x p l a i n t h e p r o c e s s o f i n t e r n a l c o n t r o l
assessment
 Content
2.1. Internal control (IC)
2.1.1. Definition
2.1.2. The components of an IC system
2.2. Internal control assessment
2.2.1. The need for IC assessment
2.2.2. Methods to obtain an understanding of IC
2.2.3. Test of control
2.3. Communicating deficiencies in internal control

5
 2.1. Internal control (IC)

2.1.1. Definition
2.1.2. The components of an IC system

Khoa KTKT - Bộ môn Kiểm toán 6

 2.1.1. Definition

I nte r n a l co nt ro l i s d ef i n e d i n t h e 2 0 1 3 CO S O
Framework * as “a process, affected by an entity’s
board of directors, management, and other personnel,
designed to provide reasonable assurance regarding
the achievement of objectives relating to operations,
reporting, and compliance.”
*COSO’s Internal Control—Integrated Framework was first developed in 1992 and
has become the most widely accepted internal control framework in the United
States and the world.

7
 2.1.1. Definition
Internal control is defined as a process affected by an entity's
board of directors, management and other personnel,
designed to provide reasonable assurance regarding the
achievement of objectives in the following categories:
1. Effectiveness and efficiency of operations.
2. Reliability of financial reporting.
3. Compliance with applicable laws and regulations.
(ISA 315)

8
 Reasonable assurance

An effective IC can only provide a reasonable assurance

in achieving organization's objectives.

This is due to the limitations of IC :

• The potential for human error
• Collusion between employees
• The possibility of controls being by-passed or
overridden by management
• The costs of control not outweighing their benefits

9
2.1.2. The components of an IC system

Control environment

Risk assessment

Control activities

Information & Communication

Monitoring of controls
10
11
5 components and 17 principles of internal control

12
 a. Control environment

The control environment consists of the actions, policies,

and procedures that reflect the overall attitudes of top
management, directors, and owners of an entity about
internal control and its importance to the entity
The control environment sets the tone of an organization,
influencing the control consciousness of its people.

13
a. Control environment

14
 The elements of IC environment
• Communication and enforcement of integrity and ethical
values
• Commitment to competence
• Participation by those charged with governance
• Management's philosophy and operating style
• Organizational structure
• Assignment of authority and responsibility
• Human resource policies and practices

15
Participation by those charged with governance

• Independence from management and ability to

evaluate management’s performance;
• The understanding of the organization’s business
transactions;
• Evaluation of the appropriateness of financial
statements in accordance with applicable reporting
frameworks

16
 Management's philosophy and operating style

• Approach to taking and managing business risks;

• Attitudes and actions towards financial reporting;
• Attitudes towards information processing and
accounting functions and personnel.

17
 Assignment of authority and responsibility

• How authority and responsibility for operating

activities are assigned;
• How reporting relationships and authorization
hierarchies are established

18
 Human resource policies and practices

… I n c l u d e s re c r u i t m e nt , o r i e ntat i o n , t ra i n i n g ,
evaluating, counseling, promoting, compensation and
remedial actions

Good human resource policies :

ü Can overcome the weakness of control
activities
ü Is an indicator of a good IC environment
ü But cannot replace the control activities
completely
19
 b. Entity's risk assessment process

Risk identification

Estimating the
significance

Assessing the
likelihood

Entity's risk assessment

process will form the basis on Actions
which the management
decide the risks to be
managed
20
Situations where the risks could be high:
§ Changes in business environment
§ New personnel
§ New or amended information system
§ High growth
§ New technology
§ New products or business models
§ Organisational restructuring
§ Expanding overseas
§ Applying new accounting standards

21
c. Control activities
Control activities are the actions established by the policies
and procedures to help ensure that management directives
to mitigate risks to the achievement of objectives are carried
out.
The control activities generally fall into the following five
types:
i. Adequate separation of duties
ii. Proper authorization of transactions and activities
iii. Adequate documents and records
iv. Physical control over assets and records
v. Independent checks on performance

22
 i. Adequate separation of duties
Segregation implies a number of people being involved in the
accounting process.

Impact: Reduce the risk of fraud and errors

Segregation should take place in various ways:
• Segregation of function: segregation of carrying out of a
traction, recording that transaction and maintaining custody
of assets that arise from the transaction.
• Segregation of various steps in carrying out a transaction
• The carrying out of various accounting operations should be
segregated

23
 i. Adequate separation of duties

• Separation of the Custody of Assets from Accounting

• Separation of the Authorization of Transactions from the Custody of
Related Assets
• Separation of Operational Responsibility from Record-Keeping
Responsibility
• Separation of IT Duties from User Departments

24
ii. Proper authorization of transactions and activities
• Tr a n s a c t i o n s s h o u l d b e a p p r o v e d b y a n
appropriate person before being carried out.
• Authorization may be general or specific
• General authorization means approval for general
policies for transactions being carried out.
• Specific authorization relates to individual
transactions.
• An organization should combine these two types of
authorization.

25
iii. Adequate documents and records

26
iv. Independent checks on performance

27
v. Physical control over assets and records

-Physical security
-Limiting access to computer
programme and data files;
-Limiting physical access to
assets and records …

28
 d. Information system

The information system relevant to financial

reporting, includes relevant business process, and
information Exchange

The quality of information generated from the

information system will influence management’s
decisions in relation to management and
controlling business activities and reliable financial
reporting

29
 d. Information system

Information is necessary for the entity to carry out internal

control responsibilities in support of the achievement of its
objectives.
Communication occurs both internally and externally and
provides the organization with the information needed to carry
out day-to-day internal control activities. Communication
enables personnel to understand internal control
responsibilities and their importance to the achievement of
objectives

Khoa KTKT - Bộ môn Kiểm toán 30

 d. Information system

• General IT controls are policies and

procedures that relate to many applications
General and support the effective functioning of
controls
application controls
• Including: controls over data centre, system
software and access security

• Application controls are either manual or

automated and typically operate at the business
Application
process level and apply to the processing of
controls
transactions
• Ensure the security of accounting data

Khoa KTKT - Bộ môn Kiểm toán 31

 e. Monitoring of controls

Monitoring ensures that internal control continues to operate

effectively. This process involves assessment by appropriate
personnel of the design and operation of controls on a suitably
timely basis, and the taking of necessary actions. It applies to all
activities within an organization, and sometimes to outside
contractors as well.

§ Ongoing evaluations are built into the routine operations and are
performed on a real-time basis.
§ A separate evaluation is conducted periodically by objective
management personnel, internal audit, and external parties. The
scope and frequency of separate evaluations is a matter of
management judgment
32
2.2. Internal control assessment

2.2.1. The need for assessment of internal control

2.2.2. Methods to obtain and document an understanding
of internal control
2.2.3. Tests of controls

33
 2.2.1. The need for assessment of IC

ISA 315:
• The auditor should obtain an understanding of the
entity’s IC that is relevant to the audit

• The auditor should also evaluate the design of those

controls and determine whether they have been
implemented

34
 Auditor’s responsibility

The auditor shall obtain an understanding of whether the

entity has a process for:
• Identifying business risks relevant to financial reporting
objectives
• Estimating the significance of the risks
• Assessing the likelihood of their occurrence
• Deciding upon actions to address those risks

35
36
2.2.2. Methods to obtain and document an understanding
of internal control
a. Narrative notes b. Questionnaires c. Flowcharts

Yes
?
No
a. Narrative notes

Is a written document to describe the entity’s IC, includes:

§ The origination of all books and documents in the system
§ The processes
§ The flow of each document
§ Necessary control activities
a. Narrative notes

Advantages:
§ Simple to use, suitable for recording of simple
internal control system.
Disadvantages:
§ Not suitable for entities whose internal control
systems are in a complex structure
b. Flowcharts

A flowchart is a type of diagram that represents a workflow or

process, showing the steps and their order by connecting
them with arrows.

Two types of flow charts:

• Horizontal flow chart: highlights the participation of
people/functions in a process
• Vertical flowchart: highlights the order of steps in a
process
 Example of flowchart
Goods received
and GRN generated
GRN: Goods received note

GRN

Check and update

the store card

Store card Checked GRN

N
b. Flowcharts

Advantages:
Flowcharts are fairly easy to follow and to review and can
help auditors to highlight the salient points of control
and any weaknesses in the system.

Disadvantages:
Time-consuming
c. Questionnaires

Is a list of questions on internal control system to ask

whether controls exist which meet specific control
objectives (ICQs) or to determine whether there are
controls which prevent or detect specified errors or
omissions (ICEQs)

Yes
No?
44
c. Questionnaires

Advantages:
• If drafted thoroughly, they can ensure all controls are
considered
• They are quick to prepare
• They are easy to use and control

Disadvantages:
• They may not include unusual controls, which are
nevertheless effective in particular circumstances.
2.2.3. Tests of Controls
Audit evidence is used as the basis for the auditor to provide
an audit opinion. Audit evidence is obtained through:
• Risk assessment;
• Carrying out further audit procedures which include :
(i) Control test
(ii) Substantive test
2.2.3. Tests of Controls
An audit procedure designed to evaluate the operating
effectiveness of controls in preventing, or detecting and
correcting, material misstatements at the assertion level
The auditor shall also obtain evidence as to:
1. How the controls were applied at relevant times during
the period under audit
2. The consistency with which they were applied; and
3. By whom or by what means they were applied?

47
Internal control evaluation

Understanding of IC system

Control risk assessment

Test of controls

Control risk re-assessment

48
 2.2.3. Tests of Controls

The nature of a test of control can be:

• Inspection
• Observation
• Inquiry
• Re-performance

Khoa KTKT - Bộ môn Kiểm toán 49

 Control test – Inspection

Inspection of documents supporting controls or events to

gain audit evidence that internal controls have operated
properly, e.g. verifying that a transaction has been
authorized.
 Control test – Observation

Auditors will consider the manner in which the control is

being operated.

O b s e r vat i o n p ro v i d e s a u d i t e v i d e n c e a b o u t t h e
performance of a process or procedure but is limited to
the point in time at which the observation takes place and
by the fact that the act of being observed may affect how
the process or procedure is performed.
 Control test – Re-performance

Re-performance is the auditor ’s independent

exe c u t i o n o f c o nt ro l s t h at we re o r i g i n a l l y
performed as part of the entity’s internal control
 Control test - Inquiries

Inquiry consists of seeking information of knowledgeable

persons, both financial and nonfinancial, throughout the
entity or outside the entity.

Inquiry is used extensively throughout the audit and often

is complementary to performing other audit procedures

Inquiries may range from formal written inquiries to

informal oral inquiries. Evaluating responses to inquiries is
an integral part of the inquiry process.
2.3. Communicating deficiencies in internal control

The auditor shall communicate in writing significant

deficiencies in internal control identified during the audit
to those charged with governance on a timely basis.

(ISA 265)

54
55
 2.3. Communicating deficiencies in internal control

A description of the deficiencies and an explanation of their potential

effects
Sufficient information enables those charged with governance and
management to understand the context of the communication. In
particular, the auditor shall explain :
üThe purpose of the audit
üThe extent to which audit procedures are carried out in relation to
the internal control system
üIdentified significant deficiencies

56
 2.3. Communicating deficiencies in internal control

• Deficiency in internal control:

(i) A control is designed, implemented, or operated in such a way that
it is unable to prevent, or detect and correct, misstatements in the
financial statements on a timely basis; or
(ii) A control necessary to prevent, or detect and correct,
misstatements in the financial statements on a timely basis is missing.
• Significant deficiency in internal control – A deficiency or combination
of deficiencies in internal control that, in the auditor’s professional
judgment, is of sufficient importance to merit the attention of those
charged with governance.

57
Indicators of significant deficiencies in internal control

• Ineffective internal control environment

• Absence of a risk assessment process
• Ineffective entity risk assessment process
• Restatement of previously issued financial statements
• Evidence of management’s inability to oversee the
preparation of the financial statements
• Etc..

58
59