Principles of Auditing (UEH)

3.1. Management Responsibility for Internal Control

Course tittle: Principles of Auditing
 Objectives: Internal control is designed and implemented to address business risks that
threaten any of entity’s objectives (compliance, operation, and reporting) (ISA 315).

Topic 3 – Part 2  Management roles:

o to develop a satisfactory internal control system,

o to maintain control over operations and accounting data,
Evaluation of Internal Control by Auditors o to adopt and supervise an appropriate internal control system.

 Level of assurance: Reasonable assurance (đảm bảo hợp lý)

Lecturer: Mai Đức Nghĩa

School of Accounting, UEH 3

Why does the system of IC only provide a Reasonable Assurance?

Topic 3. The Understanding and Assessing Internal Control by Auditors (Part 2)
Inherent limitations of internal control
Contents
 Internal control cannot assure a reliable financial report because it has inherent limitations.

 Inherent limitations arise because of:

3.1. Management responsibility for internal control
o Control breakdowns as a result of the actions of careless, fatigued (tiredness) or
3.2. Auditor responsibility to internal control deviant (abnormal) staff.
o The possibility of management override.
3.3. Evaluation of Internal Control by Auditors o Collusion: secret or illegal cooperation of employees.
o Faulty judgment in decision making.
o The existence of non-routine transactions for which internal controls were not
devised (designed).
o Cost-benefit analysis.
2 4
Principles of Auditing (UEH)

Review: Why Reasonable Assurance? 3.2. Auditor responsibility to internal control

Inherent limitations …  Auditor: The risk of material misstatement at the financial report level is affected by
auditor’s understanding of the control environment (ISA 315).
Breakdowns  errors vs mistakes

People Collusion  Auditor’s requirements:

Management override
o to obtain an understanding of internal control relevant to the audit.
Faulty judgment o to assess risk of material misstatement is affected by their understanding of the control
environment
o Assertion level: Auditor needs to consider control risk in their assessment of risk of material
misstatement
Non-routine transactions

Cost-benefit analysis 5 7

3.2. Auditor responsibility to internal control

What is Control risk?
It’s the basis of our preliminary
assessment of control risk;
 Control risk (Rủi ro kiểm soát): is the risk that a material misstatement could occur in an
And, it is our evaluations of the extent to
Why do you need to obtain assertion and not be prevented or detected on a timely basis by the entity’s internal
which controls may be replied on to
an understanding of our control.
assure the reliability of accounting
company’s internal records.
control?  If control risk is assessed at less than high, tests of control (TOC) need to be performed
to gain evidence that specific control activities have been effectively and consistently
applied throughout the period under audit.

 Tests of control will be discussed in 3.3.

6 8
Principles of Auditing (UEH)

3.3. Considering internal control in a Step 1: Obtain the understandings of internal control (IC)
financial report audit

 For every audit  An auditor must obtain What? How to understand?

sufficient understanding of internal control to
plan the audit and determine tests to be
performed.
 Steps of Internal Control Evaluation by Auditors
(Figure 1)
1. Obtain the understandings of
internal control (IC)
9 o Flowcharts.
 Understandings of all 5
components of IC
 Consider internal control for each business
cycle (sales, purchases, production…)
How to
document?
o IC questionnaires and checklists.
o Narrative memoranda — written
description of IC policies & procedures.
 An auditor gains an understanding of the control
environment by:
o Making inquiries of key management personnel (phỏng
vấn)
o Inspecting documented policies and procedures (thu
thập và nghiên cứu tài liệu)
o Observing activities and operations (quan sát)
o Considering past experience with the client
(kinh nghiệm kiểm toán trước đây)
11

2. Make preliminary Documenting the understanding of internal control

assessment
of control risk
Narratives Questionnaires Flowcharts
(Baûng töôøng thuaät) or checklists (Löu ñoà)
(Baûng caâu hoûi)

3. Performing
Tests of controls

4. Performing
Substantive
procedures

(Figure 1 (cont.)
Walk-through test
10 12
Principles of Auditing (UEH)

2. Make preliminary
assessment
Walk-through test of control risk

Walk-through test – involves tracing a few transactions through financial

3. Performing
reporting system Tests of controls

(Kỹ thuật kiểm tra từng bước của quy trình (Walk-through test): bao gồm kiểm tra
một vài giao dịch thông qua hệ thống lập báo cáo tài chính).
4. Performing
Substantive
procedures
13
(Figure 1 (cont.)
15

Example:
Typical
credit sales
flowchart

Preliminary assessment of control risk (Đánh giá ban đầu về rủi ro kiểm
soát): has been done based on the current understanding of internal control
and before conducting the test of control

Compensating control—a control else -where in the system that offsets the
absence of a necessary control

(Figure 1 (cont.)
14 16
Principles of Auditing (UEH)

Step 2: Assessing control risk

After obtaining an understanding of the five components of internal control (step 1),
Assertions
 the auditor assesses control risk for the assertions (Cơ sở dẫn liệu) in the related
account balances, transaction classes and disclosures. *Assertions—Representations by management, explicit or otherwise, that are
embodied in the financial statements, as used by the auditor to consider the different
types of potential misstatements that may occur.
Then, the auditor must decide whether to assess
control risk for a particular assertion as Assertions Các cơ sở dẫn liệu
Existence Sự hiện hữu
Occurrence Sự phát sinh
HIGH or as LESS THAN HIGH Completeness Sự đầy đủ
Accuracy Sự chính xác
Cut-off Sự đúng kỳ
Classification Sự phân loại
Presentation Sự trình bày
Valuation and allocation Sự đánh giá và phân bổ
17 Rights and obligations Quyền và nghĩa vụ 19

(1) Assessment of control risk as HIGH

Assertions (Cơ sở dẫn liệu)
*Assertions—Representations by management, explicit or otherwise, that are
embodied in the financial statements, as used by the auditor to consider the different
types of potential misstatements that may occur.
Cơ sở dẫn liệu: Là các khẳng định của Ban Giám đốc đơn vị được kiểm toán một cách trực tiếp hoặc dưới
hình thức khác về các khoản mục và thông tin trình bày trong báo cáo tài chính và được kiểm toán viên sử
dụng để xem xét các loại sai sót có thể xảy ra.
HIGH control risk
 The auditor may assess control risk as high because the
entity’s internal control policies and procedures in the area:
 Are poor and do not support less than a high assessment
 May be effective, but the audit tests would be more time-consuming than
performing direct substantive tests. (No cost-effective)

 Do not pertain to the particular assertion.

The auditor will not undertake test of controls (TOCs)

 Perform additional substantive audit procedures (Sub-tests)

20
18 (refer to Figure 1)
Principles of Auditing (UEH)

(2) Assessment of control risk Step 3: Performing Tests of controls (TOCs)

as LESS THAN HIGH
The auditor may decide to assess control risk as Less than HIGH control risk
When? How to perform TOCs?
less than high when:
o it improves audit efficiency (cost-effective)
o CR is assessed “at less than a  Method used by auditor is dependent on whether a
o substantive audit procedures alone cannot provide sufficient evidence at the
high” documentary audit trail (dấu vết) exists.
assertion level (thử nghiệm cơ bản không đủ chứng minh o Substantive procedures alone is
not sufficient If audit trail does exist:
Eg.: routine recording of significant classes of transactions, such as revenue or purchases. (These
systems are often highly automated with little or no manual controls) o Inspect documentation (kiểm tra tài liệu) associated
with the transaction for evidence of the control.

Where no audit trail exists:

Auditor performs tests of controls (TOC) o Observation (quan sát)
to evaluate the effectiveness of these control activities o Inquiry of the control (phỏng vấn)
21 o Re-performance (thực hiện lại) 23
(refer to Figure 1)

Relationship between TOCs and assertions

TEST OF CONTROL  Auditor is required to assess risk of material misstatement at the
assertion level for classes of transactions, account balances and
disclosures.

Test of control – An audit procedure designed to evaluate the operating effectiveness of Eg. 1: Control objectives for sales system
controls in preventing, or detecting and correcting material misstatement at assertion
level  Controls are in place to ensure that:
– Occurrence — all sales recorded are bona fide transactions for merchandise
Thử nghiệm kiểm soát: Là thủ tục kiểm toán được thiết kế nhằm đánh giá tính hữu actually shipped to customers.
hiệu của hoạt động kiểm soát trong việc ngăn ngừa, hoặc phát hiện và sửa chữa các – Completeness — all sales shipped are invoiced
sai sót trọng yếu ở cấp độ cơ sở dẫn liệu. and recorded in accounting records.
– Accuracy — invoices have been recorded correctly
as to amount and summarised correctly.
– Cut-off — invoices have been recorded in correct period.
– Classification — sales classified in accordance with written policies.
24
22
Principles of Auditing (UEH)

Example of linking objectives to control policies and tests Example of linking control objectives
of controls for sales to control policies to tests of controls: cash receipts
Special control Common control Tests of controls
Special control Common control Test of controls
objectives policies and
objectives policies and
procedures
procedures
• Occurrence — all • Policy of authorisation • Select sample of sales
sales recorded are of credit and terms transactions from
• Occurrence — recorded • Cash receipts matched • Select a sample of
bona fide (actual) • Evidence of quantities sales journal (daily
cash receipts are for to specific sales entries in cash receipts
transactions for shipped reconciled to activity report), check
collection of receivables invoices in posting to journal and review
merchandise actually quantities invoiced for authorisation and
resulting from sales to accounts receivable evidence that they were
shipped • Monthly statements trace to shipping
customers of the entity. master file. matched to specific
to customers. mailed to customers document file
sales invoices.
and queries followed • Inspect reconciliation
up of shipments to
invoices 25 27

Step 4: Performing Substantive Tests (sub-tests)

Eg. 2: Control objectives for cash receipt system
 Substantive procedure (substantive test):
An audit procedure designed to detect material misstatement at
 Controls are in place to ensure that:
assertion level.
– Occurrence — recorded cash receipts are for collection of receivables
resulting from sales to customers of the entity.  There are 2 types of substantive tests:
– Completeness — all cash receipts are recorded and deposited. o Substantive analytical procedures
– Accuracy — cash receipts have been recorded correctly as to amount. o Tests of details (of classes of transactions, account balances and disclosures)
– Cut-off — cash receipts have been recorded in correct period.
– Classification — cash receipts are classified in accordance with  Thử nghiệm cơ bản: Là thủ tục kiểm toán được thiết kế nhằm phát hiện các sai sót trọng yếu ở cấp
company policy. độ cơ sở dẫn liệu.
 Các thử nghiệm cơ bản bao gồm:
- Thủ tục phân tích cơ bản.
- Kiểm tra chi tiết (các nhóm giao dịch, số dư tài khoản và thông tin thuyết minh);
26 28
Principles of Auditing (UEH)

2. Make 2.30. Dưới đây là các thủ tục kiểm soát được thiết lập trong một công ty:
preliminary
assessment
of control risk a. Nhân viên bảo vệ giám sát xem các nhân viên khi ra, vào công ty có
thực hiện đúng quy định về quẹt thẻ trên máy chấm công không
b. Để xét duyệt thanh toán cho nhà cung cấp, hóa đơn phải kèm theo đơn
đặt hàng và báo cáo nhận hàng.
3. Performing c. Trước khi giao hóa đơn cho khách hàng, một nhân viên kiểm tra đơn
Tests of giá, số lượng hàng và số tổng cộng của tất cả các hóa đơn bán hàng có
controls giá trị từ 5 triệu đồng trở lên, sau đó ký nháy vào liên hóa đơn bán hàng
lưu giữ tại công ty.
Yêu cầu:
4. Performing
Substantive Hãy trình bày những thử nghiệm kiểm soát mà kiểm toán viên có thể thực
procedures hiện đối với mỗi thủ tục kiểm soát nêu trên.
31
(Figure 1 (cont.)
29

Group discussions:
2.30 Sách bài tập Kiểm toán
1. Please differentiate Tests of controls and Control activities. Thủ tục kiểm soát (control procedure) Thử nghiệm kiểm soát (TOC)
Give examples. a) Nhân viên bảo vệ giám sát xem các công nhân Kiểm toán viên (KTV) quan sát,
khi ra, vào công ty có thực hiện đúng quy định phỏng vấn nhân viên bảo vệ về việc
về quẹt thẻ trên máy chấm công không giám sát công nhân ra, vào công ty
b) Để xét duyệt thanh toán cho nhà cung cấp, hóa
đơn phải kèm theo đơn đặt hàng và báo cáo
nhận hàng.

c) Trước khi giao hóa đơn cho khách hàng, một

nhân viên kiểm tra đơn giá, số lượng hàng và
số tổng cộng của tất cả các hóa đơn bán hàng
có giá trị từ 5 triệu đồng trở lên, sau đó ký nháy
30 vào liên hóa đơn bán hàng lưu giữ tại công ty. 32
Principles of Auditing (UEH)

Group discussions:

2. Please differentiate Tests of controls and Substantive Tests

Give examples.

33

TOC and Substantive Test for account receivable

 Examine documents related

account receivable to make
TEST OF CONTROL sure it has been approved
/authorized properly or done
within the sale policy

Substantive analytical test  Tính soá voøng quay nôï

phaûi thu hoaëc soá ngaøy
SUBSTANTIVE thu tieàn bình quaân
TEST
(Receivable Turnover Ratio)

Test of detail  Send confirmation letters

 Test the cut-off of sale transaction
 Test of making provision for
doubtful debts