CHAP 5: INTRODUCTION TO INTERNAL CONTROL Flashcards
Definition of internal control
The process designed, implemented and maintained by those charged with governance, management and other personnel, to provide reasonable assurance about the achievement of an entity’s objectives with regard to reliability of financial reporting, effectiveness and efficiency of operations, and compliance with applicable laws and regulations (ISA (UK) 315).
What is the difference between governance and management?
governance: responsible for strategic oversight
management: responsible for conducting the entity's operations
These two roles are usually held by the same people, the company directors.
Why is internal control needed?
- Minimising the company’s business risks
- Ensuring the continuing effective functioning of the company
- Ensuring the company complies with relevant laws and regulations
3 limitations of internal control
- Human element: a human being makes a mistake implementing a control, including the intentions of the people using them => the control might be ineffective.
- Collusion: Staff members may want to override or avoid controls in order to defraud, colluding in fraud (two or more people working together in secret).
- Unusual transactions: Internal controls are generally designed to deal with what normally or routinely happens in a business => standard controls may not be relevant to the unusual transaction.
Why do small companies tend to have more internal control problems than large companies?
Small companies may have particular problems in implementing effective internal control systems because they have fewer employees than larger companies.
5 components of internal control
1, control environment
2, entity risk assessment process
3, entity process to monitor the system of internal control
4, information system and communication
5, control activities
Does the auditor care about internal controls that are not related to the FS?
No
Definition of control environment
Includes the governance and management functions and the attitudes, awareness and actions of those charged with governance and management concerning the entity’s internal control and its importance in the entity.
What does the board of directors consist of?
1, executive directors (members involved in running the company: CEO, CFO)
2, non-executive directors (members not involved in running the company)
What is a strong control environment?
- Directors set the tone by taking controls seriously and rigorously applying them; then other staff members will be encouraged to do the same.
- Individuals have the competence to perform their roles.
- Authority and responsibility will be assigned to appropriate levels and staff will be made aware of their specific responsibilities and how these affect the organisation as a whole.
- Policies will be in place to promote best practice in recruitment, training, promotion and compensation so that employees feel valued.
Definition of audit committee
A subcommittee (a part) of the board of directors responsible for overseeing (supervising) an entity’s internal control structure, financial reporting and compliance with relevant laws and regulations. The audit committee is made up of non-executive directors (it does not include executive directors).
Duties of the audit committee in UK listed companies under the UK governance code
- to review the integrity of the FSs of the company and formal announcements
- to review the company’s internal financial controls and the company’s risk management systems (unless there is a separate risk management committee)
- to monitor and review the effectiveness of the company’s internal audit function (if relevant)
- to make recommendations to the board in relation to the external auditor
- to monitor the independence of the external auditor
- to implement policy on the provision of non-audit services by the external auditor
Who identifies business risk?
The management in charge of each department identifies the risks of that department.
Definition of business risk
A risk resulting from significant conditions, events,
circumstances, actions or inactions that could adversely affect an entity’s
ability to achieve its objectives and execute its strategies, or from the setting
of inappropriate objectives and strategies.
What is the entity’s risk assessment process?
Entity’s risk assessment process: is an iterative process for identifying and
analysing risks to achieving the entity’s objectives, and forms the basis for
how management or those charged with governance determine the risks to be
managed
How to minimise business risk
Internal controls are implemented to minimise risk, which includes not only
risks relating to financial reporting but also the entity’s operational and
compliance risks.
Why do assurance providers need to be interested in business risk?
- Assurance providers are interested in business risk because issues which pose threats to the business may in some cases also be a risk of the financial statements being misstated.
- Not all business risks have a direct impact on the financial statements.
- Identifying the business risks that management have identified will assist auditors in identifying audit risks.
Causes of business risk
- changes in operating environment – regulatory, economic or operating changes
- new personnel – may have a different focus / understanding of internal control
- new or revamped information system
- rapid growth can strain controls and increase the risk of control breakdown
- new technology
- new business models, products, or activities
- corporate restructurings may be accompanied by staff reductions and changes in supervision and segregation of duties, which may increase risk
- expanded foreign operations may carry new risks, eg, from foreign currency transactions
- new accounting pronouncements
- use of IT (example in the textbook)
Entity risk assessment process
1, Identify relevant business risks
2, Estimate the significance of the risk
3, Assess the likelihood of occurrence (frequency of the risk)
4, Decide upon action (internal control, insurance, change in operation)
Note: Step 1: the management in charge of each department identifies the business risks in that department.
Step 3: If the frequency of the risk is high, go on to step 4.
If a risk is significant but infrequent, companies usually buy insurance to cover it; for general risks that occur frequently they decide on actions; small risks are ignored.
5 types of control activities
- Authorisation and approvals: Approval of transactions/documents.
- Reconciliations: Compare two or more data elements.
- Verifications: Comparing an item with a policy.
- Physical or logical controls:
o Physical security of assets;
o Authorisation for access to computer programs and data files;
o Periodic counting and comparison with the amount shown in the accounts.
- Segregation of duties: Assigning different individuals the responsibilities of authorising transactions, recording transactions and maintaining custody of assets.
Distinguish general IT controls from information processing controls
- general IT controls: Controls over the entity’s IT processes that support the continued proper operation of the IT environment, including the continued effective functioning of information processing controls and the integrity of information in the entity’s information system.
- information processing controls: Controls relating to the processing of information in IT applications or manual information processes in the entity’s information system that directly address risks to the integrity of information (ie, the completeness, accuracy and validity of transactions and other information).
Examples of general IT controls
Development of computer applications
* Standards over systems design, programming and documentation
* Full testing procedures using test data (see Chapter 11)
* Approval by computer users and management
* Segregation of duties so that those responsible for design are not responsible for testing
* Installation procedures so that data is not corrupted in transition
* Training of staff in new procedures and availability of adequate documentation
Prevention or detection of unauthorised changes to programs
* Segregation of duties
* Full records of program changes
* Password protection of programs so that access is limited to computer operations staff
* Restricted access to central computer by locked doors, keypads
* Maintenance of program logs
* Virus checks on software: use of anti-virus software and a policy prohibiting use of non-authorised programs or files
* Back-up copies of programs being taken and stored in other locations
* Control copies of programs being preserved and regularly compared with actual programs
* Stricter controls over certain programs (utility programs) by use of read only memory
Testing and documentation of program changes
* Complete testing procedures
* Documentation standards
* Approval of changes by computer users and management
* Training of staff using programs
Controls to prevent wrong programs or files being used
* Operation controls over programs
* Libraries of programs
* Proper job scheduling
Controls to prevent unauthorised amendments to data files
* Such as passwords to prevent unauthorised entry, built-in controls to permit changes
Controls to ensure continuity of operations
* Storing extra copies of programs and data files off-site
* Protection of equipment against fire and other hazards
* Back-up power sources
* Emergency procedures
* Disaster recovery procedures eg, availability of back-up computer facilities
* Maintenance agreements and insurance
Examples of information processing controls in a computer application
Controls over input: completeness
* Manual or programmed agreement of control totals
* Document counts
* One-for-one checking of processed output to source documents
* Programmed matching of input to an expected input control file
* Procedures over resubmission of rejected
Controls over input: accuracy
* Programs to check data fields (for example value, reference number, date) on input transactions for plausibility:
- digit verification (eg, reference numbers are as expected)
- reasonableness test (eg, VAT to total value)
- existence checks (eg, customer name)
- character checks (no unexpected characters used in reference)
- necessary information (no transaction passed with missing information)
- permitted range (no transaction processed over a certain value)
* Manual scrutiny of output and reconciliation to source
* Agreement of control totals (manual/programmed)
Controls over input: authorisation
Manual checks to ensure information input was:
* authorised
* input by authorised personnel
Controls over processing
* Similar controls to input must be completed when input is completed, for example, batch reconciliations
* Screen warnings can prevent people logging out before processing is complete
Controls over master files and standing data
* One-to-one checking of master files to source documents (such as payroll master files to individual employee personal files)
* Cyclical reviews of all master files and standing data
* Record counts (number of documents processed) and hash totals (for example, the total of all the payroll numbers) used when master files are used to ensure no deletions
* Controls over the deletion of accounts that have no current balance
How to test information processing controls
Manual controls exercised by the user
* The auditors may decide to limit tests of control to these manual controls.
Controls over system output
* Such controls may be tested by examining the system’s output using either manual procedures or computer assisted audit techniques (CAATs)
Programmed control procedures
* The auditor may consider performing tests of control by using CAATs