CHAP 5: INTRODUCTION TO INTERNAL CONTROL Flashcards

1
Q

Define internal control

A

The process designed, implemented and maintained by those charged with governance, management and other personnel, to provide reasonable assurance about the achievement of an entity's objectives with regard to reliability of financial reporting, effectiveness and efficiency of operations, and compliance with applicable laws and regulations (ISA (UK) 315).

2
Q

What is the difference between governance and management?

A

governance: responsible for strategic oversight
management: responsible for conducting the entity's operations
These two roles are usually carried out by the same people, the company directors.

3
Q

Why is internal control needed?

A
  • Minimising the company's business risks
  • Ensuring the continuing effective functioning of the company
  • Ensuring the company complies with relevant laws and regulations
4
Q

3 limitations of internal control

A
  • Human element: a human being makes a mistake implementing a control, including the intentions of the people using them => the control might be ineffective.
  • Collusion: staff members may want to override or avoid controls in order to defraud, colluding in fraud (two or more people working together in secret).
  • Unusual transactions: internal controls are generally designed to deal with what normally or routinely happens in a business => standard controls may not be relevant to the unusual transaction.
5
Q

Why do small companies tend to have more internal control problems than large companies?

A

Small companies may have particular problems in implementing effective internal control systems because they have fewer employees than larger companies.

6
Q

5 components of internal control

A

1. control environment
2. entity risk assessment process
3. entity process to monitor the system of internal control
4. information system and communication
5. control activities

7
Q

Is the auditor concerned with internal controls that are not related to the FS?

A

No

8
Q

Define control environment

A

Includes the governance and management functions and the attitudes, awareness and actions of those charged with governance and management concerning the entity's internal control and its importance in the entity.

9
Q

What does the board of directors consist of?

A

1. executive directors (members who take part in running the company: CEO, CFO)
2. non-executive directors (members who do not take part in running the company)

10
Q

What is a strong control environment?

A
  • Directors set the tone by taking controls seriously and rigorously applying them; other staff members will then be encouraged to do the same.
  • Individuals have the competence to perform their roles
  • Authority and responsibility will be assigned to appropriate levels and staff
    will be made aware of their specific responsibilities and how these affect the
    organisation as a whole.
  • Policies will be in place to promote best practice in recruitment, training,
    promotion and compensation so that employees feel valued.
11
Q

Define audit committee

A

A subcommittee (a part) of the board of directors responsible for overseeing (supervising) an entity's internal control structure, financial reporting and compliance with relevant laws and regulations. The audit committee is comprised of non-executive directors (it does not include executive directors).

12
Q

Duties of the audit committee in UK listed companies under the UK governance code

A
  • to review the integrity of the FSs of the company and formal announcements
  • to review the company's internal financial controls and the company's risk management systems (unless there is a separate risk management committee)
  • to monitor and review the effectiveness of the company's internal audit function (if relevant)
  • to make recommendations to the board in relation to the external auditor
  • to monitor the independence of the external auditor
  • to implement policy on the provision of non-audit services by the external auditor
13
Q

Who identifies business risk?

A

The management in charge of a department identifies the risks of that department.

14
Q

Define business risk

A

A risk resulting from significant conditions, events,
circumstances, actions or inactions that could adversely affect an entity’s
ability to achieve its objectives and execute its strategies, or from the setting
of inappropriate objectives and strategies.

15
Q

What is the entity's risk assessment process?

A

Entity’s risk assessment process: is an iterative process for identifying and
analysing risks to achieving the entity’s objectives, and forms the basis for
how management or those charged with governance determine the risks to be
managed

16
Q

How to minimise business risk

A

Internal controls are implemented to minimise risk, which includes not only
risks relating to financial reporting but also the entity’s operational and
compliance risks.

17
Q

Why do assurance providers need to be interested in business risk?

A
  • Assurance providers are interested in business risk because issues which pose
    threats to the business may in some cases also be a risk of the financial
    statements being misstated.
  • Not all business risks have a direct impact on the financial statements
  • Identifying business risks that management have identified will assist auditors in
    identifying audit risks
18
Q

Causes of business risk

A
  • changes in operating environment – regulatory, economic or operating changes
  • new personnel – may have a different focus / understanding of internal control
  • new or revamped information system
  • rapid growth can strain controls and increase the risk of control breakdown
  • new technology
  • new business models, products, or activities
  • corporate restructurings may be accompanied by staff reductions and changes in supervision
    and segregation of duties, which may increase risk
  • expanded foreign operations may carry new risks, eg, from foreign currency transactions
  • new accounting pronouncements
  • use of IT (example in the textbook)
19
Q

Entity risk assessment process

A

1. Identify relevant business risks
2. Estimate the significance of the risk
3. Assess the likelihood of occurrence (frequency of the risk)
4. Decide upon action (internal control, insurance, change in operations)
Note: Step 1: the management in charge of a department identifies the business risks in that department.
Step 3: if the likelihood of the risk is high, proceed to step 4.
If the risks are significant but infrequent, companies usually buy insurance to cover them; for general risks that occur frequently, decide on the actions to take; risks that are not large are ignored.

20
Q

5 types of control activities

A
  • Authorisation and approvals: Approval of transactions/documents.
  • Reconciliations: Compare two or more data elements.
  • Verifications: Comparing an item with a policy.
  • Physical or logical controls:
    o Physical security of assets;
    o Authorisation for access, to computer programs, and data files;
    o Periodic counting and comparison with amount shown on accounts.
  • Segregation of duties: Assigning different individuals the responsibilities of authorising transactions, recording transactions and maintaining custody of assets.
21
Q

Distinguish general IT controls from information processing controls

A
  • General IT controls: controls over the entity's IT processes that support the continued proper operation of the IT environment, including the continued effective functioning of information processing controls and the integrity of information in the entity's information system.
  • Information processing controls: controls relating to the processing of information in IT applications or manual information processes in the entity's information system that directly address risks to the integrity of information (ie, the completeness, accuracy and validity of transactions and other information).
22
Q

Examples of general IT controls

A

Development of computer applications:
* Standards over systems design, programming and documentation
* Full testing procedures using test data (see Chapter 11)
* Approval by computer users and management
* Segregation of duties so that those responsible for design are not responsible for testing
* Installation procedures so that data is not corrupted in transition
* Training of staff in new procedures and availability of adequate documentation

Prevention or detection of unauthorised changes to programs:
* Segregation of duties
* Full records of program changes
* Password protection of programs so that access is limited to computer operations staff
* Restricted access to central computer by locked doors, keypads
* Maintenance of program logs
* Virus checks on software: use of anti-virus software and policy prohibiting use of non-authorised programs or files
* Back-up copies of programs being taken and stored in other locations
* Control copies of programs being preserved and regularly compared with actual programs
* Stricter controls over certain programs (utility programs) by use of read-only memory

Testing and documentation of program changes:
* Complete testing procedures
* Documentation standards
* Approval of changes by computer users and management
* Training of staff using programs

Controls to prevent wrong programs or files being used:
* Operation controls over programs
* Libraries of programs
* Proper job scheduling

Controls to prevent unauthorised amendments to data files:
* Such as passwords to prevent unauthorised entry, built-in controls to permit changes

Controls to ensure continuity of operations:
* Storing extra copies of programs and data files off-site
* Protection of equipment against fire and other hazards
* Back-up power sources
* Emergency procedures
* Disaster recovery procedures eg, availability of back-up computer facilities
* Maintenance agreements and insurance

23
Q

Examples of information processing controls in a computer application

A

Controls over input: completeness
* Manual or programmed agreement of control totals
* Document counts
* One-for-one checking of processed output to source documents
* Programmed matching of input to an expected input control file
* Procedures over resubmission of rejected

Controls over input: accuracy
* Programs to check data fields (for example value, reference number, date) on input transactions for plausibility:
- digit verification (eg, reference numbers are as expected)
- reasonableness test (eg, VAT to total value)
- existence checks (eg, customer name)
- character checks (no unexpected characters used in reference)
- necessary information (no transaction passed with missing information)
- permitted range (no transaction processed over a certain value)
* Manual scrutiny of output and reconciliation to source
* Agreement of control totals (manual/programmed)

Controls over input: authorisation
Manual checks to ensure information input was:
* authorised
* input by authorised personnel

Controls over processing
* Similar controls to input must be completed when input is completed, for example, batch reconciliations
* Screen warnings can prevent people logging out before processing is complete

Controls over master files and standing data
* One-to-one checking of master files to source documents (such as payroll master files to individual employee personal files)
* Cyclical reviews of all master files and standing data
* Record counts (number of documents processed) and hash totals (for example, the total of all the payroll numbers) used when master files are used to ensure no deletions
* Controls over the deletion of accounts that have no current balance

24
Q

How to test information processing controls

A

Manual controls exercised by the user
* The auditors may decide to limit tests of control to these manual controls.

Controls over system output
* Such controls may be tested by examining the system's output using either manual procedures or computer assisted audit techniques (CAATs).

Programmed control procedures
* The auditor may consider performing tests of control by using CAATs.

25
Q

6 types of cyber security risks

A
  • Human threats: Hackers may be able to get into the organisation’s internal network,
    either to steal data or to damage the system. Political terrorism is a major risk in the era of
    cyber-terrorism.
  • Fraud: The theft of funds by dishonest use of a computer system.
  • Deliberate sabotage: For example, commercial espionage, malicious damage or industrial
    action.
  • Viruses and other corruptions: These can spread through the network to all of the
    organisation’s computers.
  • Malware: This term is used for hostile or intrusive software such as worms, trojan horses,
    spyware and other malicious programs.
  • Denial of Service (DoS) attack: A denial of service attack is characterised by an attempt by attackers to prevent legitimate users of a service from using
26
Q

4 ways to mitigate cyber security risks

A

The ICAEW published an updated Audit Insights: Cyber Security (2014) which makes recommendations to businesses, including:
* Communication – between businesses, using networks to share understanding and ideas
* Organisational structures – entities need to allocate responsibility and accountability for cyber security
* Accountability – ensure that the Board takes cyber risks seriously and is committed to maintaining and improving security across the business
* Continuous improvement – cyber security is an ongoing process, therefore,
organisations need to ensure continuous development within the business and across the industry

27
Q

Differences between IT controls and manual controls

A
  • Smaller or less sophisticated entities are likely to rely on manual controls
  • IT controls are able to consistently process large volumes of data, but when data is processed incorrectly the whole population is affected
  • Manual controls are appropriate where judgement is required, for large or unusual transactions, but when a large number of similar transactions is processed, IT controls are more effective
28
Q

Define information system and communication

A

Information system and communication: includes the financial reporting system, and consists of the procedures and records established to initiate, record, process and report entity transactions (as well as events and conditions) and to maintain accountability for the related assets, liabilities and equity

29
Q

What will the auditors be interested in within the information system and communication?

A

The auditors will be interested in:
* Classes of transactions that are significant to the entity's financial statements;
* Procedures by which transactions are initiated, recorded, processed, corrected and reported;
* Related accounting records and supporting information;
* How the information system captures events other than transactions that are significant to the financial statements; and
* Process of preparing the financial statements
In addition, the auditor is also concerned with how this process links with other internal controls and whether controls can be overridden or ignored.

30
Q

Monitoring of controls

A

Monitoring of controls
* An entity should review its overall control system to ensure that it still meets its objectives, still operates effectively and efficiently, and that necessary corrections to the system are made on a timely basis.
* The internal auditors may, as part of their monitoring of controls, have found control weaknesses that the external auditor should be aware of.
* This monitoring work is usually done by the internal auditors; however, in smaller companies that do not have an internal audit function, the company may make use of auditor feedback (management report) to ensure that controls continue to operate efficiently.

31
Q

How does the auditor obtain information about internal control?

A

The auditor will need to be able to understand and document an entity's internal controls. This is a requirement as part of the assurance process and can be completed in a number of ways:
- Enquiry of:
* Directors, financial staff, staff operating the systems.
* Internal control questionnaires (ICQs) may be used and provide simple, easy-to-follow questions.
- Inspection of:
* Board minutes, procedure manuals, previous year's audit files, narrative notes taken following discussion with key members of the client staff.
- Observation of:
* Staff carrying out controls.
- Performing 'walk-through' tests of processes.

32
Q

What is a walk-through procedure? Distinguish a walk-through procedure from a test of controls

A

Definition: A procedure that involves tracing a few transactions through the financial reporting system.
* Walk-through procedures would normally be performed near the start of the fieldwork stage of the audit.
* They involve tracing transactions from the very beginning to the very end, in order to confirm that the auditor has correctly understood how the controls are supposed to operate.
* Walk-through procedures aim to test the auditor's understanding and are not tests of controls; it is the process of going to the client company in practice to see whether the client's operations are really effective, in order to decide whether tests of controls should be performed.

33
Q

3 types of recording of control activities, arranged from the recording of simple controls to complex ones

A

1. Narrative notes:
These are good for things like:
* short notes on simple systems
* background information
They are less good when things get more complex, when diagrams tend to take over.
2. Questionnaires and checklists:
* good as aide-memoires to ensure you have all the bases covered
but
* can lead to a mechanical approach so that an important extra question is never asked
* tick boxes often get ticked whether the brain is engaged or not
(Because they are ready-made they are convenient, but in many cases the extra information needed may be missing and we fail to notice it because we rely too much on what is ready-made.)
3. Diagrams:
These include:
* flowcharts
* organization charts
* family trees
* records of related parties