CHAP 5: INTRODUCTION TO INTERNAL CONTROL Flashcards
Định nghĩa internal control
The process designed, implemented and maintained bythose charged with governance, management and other personnel, toprovide reasonable assurance about the achievement of an entity’sobjectives with regard to reliability of financial reporting, effectivenessand efficiency of operations, and compliance with applicable laws andregulations (ISA (UK) 315).
Sự khác nhau giữ governance và management?
governance: responsible for strategic oversight
management: responsible for conduct entity operations
người làm 2 nvu này thường thì là cùng 1 người, là company director
Tại sao phải làm internal control
- Minimising the company’s business risks
- Ensuring the continuing effective functioning of the company
- Ensuring the company complies with relevant laws and
regulations
3 limitation của internal control
- Human element: a human being makes a mistake implementing a control
including intention of the people using them => control might be ineffective. * * * * Collusion: Staff members may want to override or avoid controls in order to
defraud, colluding in fraud (two or more people working together in secret) * * - Unusual transactions: Internal control are generally designed to deal with
what normally or routinely happens in a business => standard controls may not
be relevant to the unusual transaction
Tại sao small company thường gặp vấn đề về internal control hơn large company
Small companies may have particular problems in implementing effective
internal control systems because have fewer employees than larger companies
5 component of internal control
1, control environment
2,entity risk assessment process
3,entity process to monitor system of internal control
4,information system and communication
5,control activity
auditor có quan tâm đến các internal control k lqian đến FS k?
Không
Định nghĩa control environment
: includes the governance and management functionsand the attitudes, awareness and actions of those charged with governanceand management concerning the entity’s internal control and its importancein the entity.v
board of director gồm những bộ phận nào?
1, executive director ( tvien tham gia điều hành: CEO,CFO)
2, non-executive director( tvien k tham gia điều hành)
Như thế nào là 1 strong control environment ?
- Directors set the tone by taking controls seriously and rigorously applyingthem then other staff members will be encouraged to do the same.
- Individuals have the competence to perform their roles
- Authority and responsibility will be assigned to appropriate levels and staff
will be made aware of their specific responsibilities and how these affect the
organisation as a whole. - Policies will be in place to promote best practice in recruitment, training,
promotion and compensation so that employees feel valued.
Định nghĩa audit committee
A subcommittee( 1 phần) of the board of directors responsible for overseeing ( giám sát) an entity’s internal control structure, financial reporting and compliance with relevant
laws and regulations. Audit committee is comprised of non-executive directors ( k gồm executive directors)
Nhiệm vụ của audit committee ở các UK listed company under UK governance code
- to review the integrity of the FSs of the company and formal announcements
- to review the company’s internal financial controls and the company’s risk
management systems (unless there is a separate risk management committee) - to monitor and review the effectiveness of the company’s internal audit function (if
relevant) - to make recommendations to the board in relation to the external auditor * to monitor the independence of the external auditor
- to implement policy on the provision of non-audit services by the external auditor
Ai là người identify business risk
management thuộc bộ phận nào identify risk bộ phận đó
định nghĩa business risk
A risk resulting from significant conditions, events,
circumstances, actions or inactions that could adversely affect an entity’s
ability to achieve its objectives and execute its strategies, or from the setting
of inappropriate objectives and strategies.
Entity’s risk assessment process là j
Entity’s risk assessment process: is an iterative process for identifying and
analysing risks to achieving the entity’s objectives, and forms the basis for
how management or those charged with governance determine the risks to be
managed
How to minimise business risk
Internal controls are implemented to minimise risk, which includes not only
risks relating to financial reporting but also the entity’s operational and
compliance risks.
Why assurance provider need to interest in business risk
- Assurance providers are interested in business risk because issues which pose
threats to the business may in some cases also be a risk of the financial
statements being misstated. - Not all business risks have a direct impact on the financial statements
- Identifying business risks that management have identified will assist auditors in
identifying audit risks
Nguyên nhân gây business risk
- changes in operating environment – regulatory, economic or operating changes
- new personnel – may have a different focus / understanding of internal control
- new or revamped information system
- rapid growth can strain controls and increase the risk of control breakdown
- new technology
- new business models, products, or activities
- corporate restructurings may be accompanied by staff reductions and changes in supervision
and segregation of duties, which may increase risk - expanded foreign operations may carry new risks, eg, from foreign currency transactions
- new accounting pronouncements
- use of IT (vd trong sách)
Entity risk assessment process
1, Identify relevant business risk
2,Estimate the significant of the risk
3,Assess the likelihood of occurence(tần suất risk)
4,Decide upon action( internal control,insurance, change in operation)
Lưu ý:B1: management phụ trách bộ phận nào identify business risk ở bộ phận ý
B3: Nếu tần suất risk lớn thì sẽ đến bước 4
nếu các risk là significant, tần suất bé thường các cty sẽ mua ensuarance để bản đảm, risk chung chung tần suất nhiều thì decide các action, còn cái risk k to thì bỏ qua
5 type of control activities
- Authorisation and approvals: Approval of transactions/documents.
- Reconciliations: Compare two or more data elements.
- Verifications: Comparing an item with a policy.
- Physical or logical controls:
o Physical security of assets;
o Authorisation for access, to computer programs, and data files;
o Periodic counting and comparison with amount shown on accounts. - Segregation of duties: Assigning different individuals the responsibilities of authorising transactions, recording transactions and maintaining custody of assets.
Phân biệt general IT control vs information processing control
- general IT control :Controls over the entity’s IT processes
that support the continued proper operation of the IT environment, including the continued effective functioning of information processing controls and the integrity of information in the entity’s information system. - information processing control : Controls relating to the processing of information in IT applications or manual information processes in the entity’s information system that directly address risks to the integrity of information (ie, the completeness, accuracy and validity of transactions and other information)
Example of General IT control
Development of computer applications
* Standards over systems design, programming and documentation
* Full testing procedures using test data (see Chapter 11)
* Approval by computer users and management
* Segregation of duties so that those responsible for design are not responsible
for testing
* Installation procedures so that data is not corrupted in transition
* Training of staff in new procedures and availability of adequate documentation22Examples of General IT Controls (cont.)
Prevention or detection of unauthorised changes to programs
* Segregation of duties
* Full records of program changes
* Password protection of programs so that access is limited to computer operations staff
* Restricted access to central computer by locked doors, keypads
* Maintenance of program logs
* Virus checks on software: use of anti-virus software and policy prohibiting use of nonauthorised programs or files
* Back-up copies of programs being taken and stored in other locations
* Control copies of programs being preserved and regularly compared with actual
programs
* Stricter controls over certain programs (utility programs) by use of read only memory
Testing and documentation of program changes
* Complete testing procedures
* Documentation standards
* Approval of changes by computer users and management
* Training of staff using programs
Controls to prevent wrong programs or files being used
* Operation controls over programs
* Libraries of programs
* Proper job scheduling
Controls to prevent unauthorized amendments to data files
* Such as passwords to prevent unauthorised entry, built in controls to permit changes Controls to ensure continuity of operations
* Storing extra copies of programs and data files off-site
* Protection of equipment against fire and other hazards
* Back-up power sources
* Emergency procedures
* Disaster recovery procedures eg, availability of back-up computer facilities
* Maintenance agreements and insurance
Example of f Information processing controls in a Computer application
Controls over input: completeness
* Manual or programmed agreement of control totals
* Document counts
* One-for-one checking of processed output to source documents
* Programmed matching of input to an expected input control file
* Procedures over resubmission of rejected
Controls over input: accuracy
* Programs to check data fields (for example value, reference number, date) on
input transactions for plausibility:
- digit verification (eg, reference numbers are as expected)
- reasonableness test (eg, VAT to total value)
- existence checks (eg, customer name)
- character checks (no unexpected characters used in reference)
- necessary information (no transaction passed with missing information)
- permitted range (no transaction processed over a certain value)
* Manual scrutiny of output and reconciliation to source
* Agreement of control totals (manual/programmed)
Controls over input: authorisation
Manual checks to ensure information input was:
* authorised
* input by authorised personnel
Controls over processing
* Similar controls to input must be completed when input is completed, for example, batch reconciliations
* Screen warnings can prevent people logging out before processing is complete
Controls over master files and standing data
* One to one checking of master files to source documents (such as payroll master files
to individual employee personal files)
* Cyclical reviews of all master files and standing data
* Record counts (number of documents processed) and hash totals (for example, the total of all the payroll numbers) used when master files are used to ensure no deletions
* Controls over the deletion of accounts that have no current balance
How to testing information processing control
Manual controls exercised by the user
* The auditors may decide to limit tests of control to these manual controls.
Controls over system output
* Such controls may be tested by examining the system’s output using either manual
procedures or computer assisted audit techniques ( CAATs)
Programmed control procedures
* The auditor may consider performing tests of control by using CAATs
6 loại cyber security risks
- Human threats: Hackers may be able to get into the organisation’s internal network,
either to steal data or to damage the system. Political terrorism is a major risk in the era of
cyber-terrorism. - Fraud: The theft of funds by dishonest use of a computer system.
- Deliberate sabotage: For example, commercial espionage, malicious damage or industrial
action. - Viruses and other corruptions: These can spread through the network to all of the
organisation’s computers. - Malware: This term is used for hostile or intrusive software such as worms, trojan horses,
spyware and other malicious programs. - Denial of Service (DoS) attack: A denial of service attack is characterised by an attempt by attackers to prevent legitimate users of a service from using
4 cách phòng ngừa cyber security risks
The ICAEW published an updated Audit Insights: Cyber Security (2014) which makes recommendations to businesses, including:
* Communication – between businesses, using networks to share understanding and ideas
* Organisational structures – entities need to allocate responsibility and accountability for cyber security
* Accountability – ensure that the Board takes cyber risks seriously and are committed to maintaining and improving security across the business
* Continuous improvement – cyber security is an ongoing process, therefore,
organisations need to ensure continuous development within the business and across the industry
Sự khác biệt giữa IT control và manual control
- Smaller or less sophisticated entities likely to reliance on manual control
- IT control is able to consistently process large volumes data but when processing data incorrectly will affect whole population
-Manual control appropriate where judgement is required, for large or unusual transactions but when a large number of similar transactions is process, IT control is more effective
Định nghĩa Information system and communication
Information system and communication: includes the financial reporting system, and consists of the procedures and records established to initiate, record, process and report entity transactions (as well as events and conditions) and to maintain accountability for the related assets, liabilities and equity
The auditors will be interested in cái j ở trong Information system and communication
The auditors will be interested in:
* Classes of transactions that are significant to the entity’s financial statements;
* Procedures by which transactions are initiated, recorded, processed, corrected andreported;
* Related accounting records and supporting information;
* How the information system captures events other than transactions that are significant to the financial statements; and
* Process of preparing the financial statements
Ngoài ra auditor còn quan tâm how this process link with other internal control và liệu control có bị overriden hay ignored k
Monitoring of controls
Monitoring of controls
* An entity should review its overall control system to ensure that it still meets its objectives, still operates effectively and efficiently, and that necessary corrections to the system are made on a timely basis.
* The internal auditors may, as part of their monitoring of controls, have found control weaknesses that the external auditor should be aware of.
*Công việc monitoring này thường là của internal auditor tuy nhiên, In smaller companies that do not have an internal audit function, the company may make use of auditor feedback(management report) to ensure that controls continue to operate efficiently
How auditor obtain information about internal control
The auditor will need to be able to understand and document an entity’s internal controls.
This will be a requirement as part of the assurance process and can be completed in anumber of ways:
- Enquiry of:
* Directors, financial staff, staff operating the systems.
* Internal control questionnaires (ICQs) may be used and provide simple, easy to followquestions.
- Inspection of:
* Board minutes, procedure manuals, previous year’s audit files, narrative notes takenfollowing discussion with key members of the client staff.
Observation of:
* Staff carrying out controls,
- Performing ‘walk through’ tests of processes
What is walk-through procedure? Phân biệt walk-through procedure với test of control
Definition: A procedure that involves tracing a few transactions through the financial reporting system.
* Walk-through procedures would normally be performed near the start of the fieldwork stage of the audit.
* They involve tracing transactions from the very beginning to the very end, in order to confirm that the auditor has correctly understood how the controls are supposed to operate.
* Walk-through procedures aim to test the auditor’s understanding and are not
tests of controls, nó là quá trình đi thực tiễn ở công ty khách hàng xem hoạt động công ty khách hàng có thực sự effective không để chốt xem có nên thực hiện test of control không
3 type of recording control activities, sắp xếp từ mức độ record cho các control đơn giản đến phức tạp
1, Narrative notes:
These are good for things like:
* short notes on simple systems
* background information
They are less good when things get more complex when diagrams tend to take
over.
2,Questionnaires and checklists:
* good as aide memories to ensure you have all the bases covered
but
* can lead to a mechanical approach so that an important extra question is never asked
* tick boxes often get ticked whether the brain is engaged or not
( vì là sẵn có nên tiện nhưng trong nhiều th thì có thể thiếu các extra information cần thiết mà mình k phát hiện được vì mình quá dựa dẫm vào cái sẵn có)
3, Diagrams:
These include:
* flowcharts
* organization charts
* family trees
* records of related parties
