2. AUD390 AUDITING DIA
INTERNAL CONTROL SYSTEM (ICS)
• Fundamental Concepts
• Documenting the Understanding of IC & Control Risk
• Importance of Internal Control (IC)
• Communication of IC Related Matters
• Components of ICS
3. • A system of internal controls consists of policies & procedures to provide management with reasonable assurance that the company achieves its objectives & goals.
• These policies & procedures are called controls, and they are normally considered as the entity's internal control.
4. • Policies are a set of principles, rules, and guidelines formulated or adopted by an organization to reach its long-term goals and typically published in a booklet or other form that is widely accessible.
• Procedures are the specific methods employed to express policies in action in day-to-day operations of the organization. Together, policies and procedures ensure that a point of view held by the governing body of an organization is translated into steps that result in an outcome compatible with that view.
5. • Three objectives in designing internal control systems:
  - Reliability of financial reporting
  - Effectiveness & efficiency of operations
  - Compliance with laws & regulations
6. • Limitations of IC
  - Human error
  - Management override of IC
  - Cost constraints
    - Cost of the entity's ICS should not exceed the benefits that are expected to be derived
  - Lack of personal quality among employees
    - Collusion: "an act of 2 or more employees to steal assets or misstate records"
7. • AI400 Risk Assessment & Internal Control
• The Cadbury Report
• The Sarbanes Oxley 2002 Report
• The COSO Report
8. CONTROL ENVIRONMENT
RISK ASSESSMENT
CONTROL ACTIVITIES
INFORMATION & COMMUNICATION
MONITORING
9. • Definition: Actions, policies & procedures that reflect the overall attitudes of top management, directors, & owners of an entity about its IC & its importance
• Subcomponents:
  - Integrity & ethical values
  - Commitment to competence
  - BOD or AC participation
  - Management's philosophy & operating style
  - Organizational structure
  - Assignment of authority & responsibility
  - HR policies & practices
10. • Definition: Management's identification & analysis of risks relevant to the preparation of financial statements in accordance with accounting standards, i.e. FRS
• Risk assessment process
  - Identify factors affecting risks
  - Assess significance of risks & likelihood of occurrence
  - Determine actions necessary to manage risks
11. • Definition: Policies & procedures that management has established to meet its objectives for financial reporting
• Types of specific control activities:
  - Adequate separation of duties
  - Proper authorization of transactions & activities
  - Adequate documents & records
  - Physical control over assets & records
  - Independent checks on performance
12. • Definition: Methods used to initiate, record, process & report an entity's transactions & to maintain accountability for related assets
13. • Definition: Management's ongoing & periodic assessment of the quality of IC performance to determine whether controls are operating as intended and are modified when necessary
• Monitoring mechanism:
  - Studies of existing IC
  - Internal Audit Reports
14. - Exception reporting on control activities
  - Reports from regulators such as BNM, SC, Bursa Malaysia
  - Feedback from operating personnel
  - Complaints from customers
15. Phase 1: Obtain & document understanding of IC; Design & Operation
Phase 2: Assess control risk
Phase 3: Design, perform & evaluate tests of controls
Phase 4: Decide planned detection risk & substantive tests
16. • Purpose:
  - To obtain an understanding of the entity's IC through
    - Gathering evidence about the design of IC
    - Observing whether the IC has been placed in operation
• Methods in gathering evidence:
  i. Narratives
  ii. Flowcharts
  iii. Internal Control Questionnaire
17. • Methods to evaluate whether the designed controls are actually placed in operation:
  i. Update & evaluate the auditor's previous experience with the entity
  ii. Make inquiries of client personnel
  iii. Examine documents & records
  iv. Observe entity activities & operations
  v. Perform a walkthrough of the accounting system
18. • Definition ~ A written description of a client's IC
• A proper narrative of any ICS includes 4 characteristics:
  i. The origin of every document & record in the system
  ii. All processing that takes place
  iii. The disposition of every document and record in the system
  iv. An indication of the controls relevant to the assessment of control risk
19. • Definition ~ A diagram of the client's documents and their sequential flow in the organization
• Advantages:
  - It provides a concise overview of the client's system
  - It helps in identifying inadequacies in the system
  - Easier to read
  - Easier to update
• Refer Appendix Flowcharting Techniques Ch 6 of Messier et al, 2006
• Refer Case Question 10.38 Ch 10
20. • Definition ~ A series of questions about the controls in each audit area as a means of uncovering aspects of internal control that may be inadequate
• It requires a "yes" or "no" response, where NO indicates potential internal control deficiencies
• Refer Figure 10.3 Partial Internal Control Questionnaire for Sales
21. Phase 1: Obtain & document understanding of IC; Design & Operation
Phase 2: Assess control risk
Phase 3: Design, perform & evaluate tests of controls
Phase 4: Decide planned detection risk & substantive tests
22. • Definition: A measure of the auditor's expectation that IC will neither prevent material misstatements from occurring nor detect & correct them if they occurred
• Control Risk Matrix
  Definition: A methodology used to help the auditor assess control risk by matching key internal controls and IC deficiencies with transaction-related audit objectives
• Refer Figure 10.4 Control Risk for Sintok Hardware Sdn Bhd - Sales
23. Phase 1: Obtain & document understanding of IC; Design & Operation
Phase 2: Assess control risk
Phase 3: Design, perform & evaluate tests of controls
Phase 4: Decide planned detection risk & substantive tests
24. • Definition ~ Audit procedures to test the operating effectiveness of controls in support of reduced assessed control risk
• 4 types of procedures involved:
  i. Make inquiries of appropriate client personnel
  ii. Examine documents, records & reports
  iii. Observe control-related activities
  iv. Re-perform client procedures
25. Phase 1: Obtain & document understanding of IC; Design & Operation
Phase 2: Assess control risk
Phase 3: Design, perform & evaluate tests of controls
Phase 4: Decide planned detection risk & substantive tests
26. • The auditor will use the results of the control risk assessment process (Phase 2) and tests of controls (Phase 3) to determine the planned detection risk & related substantive tests for the audit of financial statements.
• What does the process involve?
  - Linking the control risk assessment to the balance-related audit objectives for the accounts affected by the major transaction types
27. - The appropriate level of detection risk for each balance-related audit objective is decided using the audit risk model.
  - All of this is covered and will be discussed in Topic 7 on Audit Planning
28. • Auditing Standards (ISA315 & ISA260) require the auditor to communicate to those charged with governance, as soon as practicable, material weaknesses in the design or operation of the accounting & internal control systems, which have come to the auditor's attention
1. Management Letter (ML)
An optional letter written by the auditor to a client's management containing the auditor's recommendations for improving any aspects of the client's business
29. • Items that should be included in the ML:
  - A statement that the purpose of the audit was to report on the financial statements & not to provide assurance on IC
  - A statement that the letter only discusses weaknesses in IC which have come to the auditor's attention as a result of the audit
  - A statement of restriction on the distribution of the report
30. 2. Director's Statement on IC
• Under the Listing Requirements of Bursa Malaysia Securities Berhad (Listing Requirements):
  - Listed companies are to include a Statement on Internal Control in their annual reports
  - The company's external auditors must review the Statement on Internal Control & report the result to the BOD
31. • The Director's Statement on Internal Control should incorporate the following aspects:
  - The Board should maintain a sound system of IC to safeguard shareholders' investment & the company's assets
  - The Board should (inter alia)
    - Identify the principal risks & ensure the implementation of appropriate systems to manage the risks;
32. - Review the adequacy & integrity of the company's ICS & management information system, including systems for compliance with applicable laws, regulations, rules, directives & guidelines
33. 1. Explain what the control environment is and state 2 factors affecting this component.
2. Identify a key internal control and a possible substantive test of transactions that could be performed for each of the following audit objectives:
  i. Sales made to existing customers (Existence)
  ii. Existing sales transactions are recorded (Completeness)
  iii. Recorded sales are for the amount of goods shipped and are correctly billed and recorded (Accuracy)
3. State the audit objective(s) for the following tests performed.
4. You decided to issue a Management Letter
  i. Define Management Letter
  ii. Briefly explain 2 purposes of a Management Letter