Chapter 6: Internal control and Internal audit 8/1
6.1. Internal control
6.1.1. The concept
- 3 main activities according to ICS
1. design based on risks (ICS: eliminate/mitigate risks)
2. implement => internal implement
3. maintain => efficiency + effectiveness of ICS (improve/add more
policies)
- 3 groups of ppl involved
1. people charged with governance (BOD => design and maintain)
2. management (BOD/CEO) => implement
3. other personnel => follow the given policies (a part of
implement)
===> ICS is a tool that helps companies achieve their stated objectives
- 3 objectives/purpose of ICS
1. reliability of financial information (FSs; announcement related to FP)
2. effectiveness and efficiency (best time/cost) of operations
3. compliance with applicable law and regulation
===> ICS helps the business operate continuously (no bankruptcy)
===> Ultimate objective: The company continues to operate
6.1.2. Components of internal control
6.1.2.1. The control environment
- includes: the attitudes, awareness and actions of the entity's management
concerning internal control and the importance of internal control
- def:
The control envir. includes the governance and management functions
and the attitudes, awareness and actions of those charged with governance
and management concerning the entity and internal control and its importance
in the entity.
- A strong control environment => management will ensure:
1. Individuals have the competence to perform their roles:
* managers ⇒ care about the control environment ⇒ recruit carefully ⇒ hire
the right employees ⇒ employees complete their assigned tasks well
* individuals: employees; staff …; other personnel
* individuals have sufficient ability to perform their roles
2. staff will be made aware of their specific responsibilities and how
these affect the organization as a whole
===> Staff understand their contribution to the entity (they understand their own
contribution to their unit and to the company)
3. Policies will be in place to promote best practice in recruitment,
training, promotion and compensation so that employees feel valued
===> Policies ensure that employees feel valued (managers/policies are set up
so that employees feel valued)
4. Authority and responsibility will be assigned to appropriate levels
===> Authority = Responsibility
- The audit committee ⇒ main purpose: reliability of financial information
6.1.2.2. The entity's risk assessment
- entity’s risk assessment process:
* identify business risks (relevant) to FSs
- business risk: everything
1. risk related to the product: inappropriate design, low quality
2. risk comes from suppliers: low-quality input, high price
3. risk comes from customers: changes in trend
4. risk comes from competitors: price
5. risk comes from the government: changes in policies
6. risk comes from nature
- 4 steps process:
RECALL: 11/1
(1) Control environment?
- attitude
- awareness
- actions
⇒ those charged with the governance and management
(2) Risk assessment
⇒ identify the buz.’s risk ⇒ FSs
⇒ actions to control risks and the results thereof
1. Identify
2. estimate the significance
3. assess the likelihood
4. actions to likelihood
+ in IC ⇒ general (risk)
+ in audit ⇒ auditor (external) ⇒ buz risk to FSs
(3) The infor. system relevant to FSs
- financial reporting system
1. initiate: identify
2. record: enter in the acc. books/write down
3. process
4. report
- maintain the accountability for related assets, liabilities, equity
6.1.2.4. Control activities
- Def: control act. are the policies and procedures that help ensure that
management directives are carried out
- control act. may be manual or, if relevant, where processes are computerised,
there may also be computer-specific control act.
- 5 types of control activities
(1) authorization (and approval)/ proper authorization
⇒ delegate authority
⇒ approve
- authorization has 2 types
+ general authorization ⇒ example: price list
⇒ sell according to the general price list/ company rules
+ specific authorization (individual)
⇒ specific person
⇒ requires acceptance by another person (manager)
+ approval ⇒ signature; belongs to specific authorization
(2) segregation of duties (division of responsibilities)/ adequate segregation of duties
authorization _ recording _ custody of asset
- 4 principles of separation of duties
1. separation of authorization from custody of related assets
(safekeeping of assets):
⇒ if one person has authorization of a transaction and also
custody responsibility for the related assets
⇒ he/she can make/approve the transaction and get the
personal gain (of related asset)
* embezzlement: graft/misappropriation
2. separation of operation from book-keeping function
⇒ recording/accounting
⇒ decrease the fraud of overstating the operational
performance
3. separation of custody of asset from the book-keeping function
4. (new) separation of information technology from the user
department
(3) performance review/independent check/review
- review and analysis of actual performance versus budgets, forecasts,
and prior period performance
- relating different sets of data to one another
….
*budget ⇒ plan
(4) information processing/adequate documents and records
- pre-numbered consecutive documents/records ⇒ ensure the
completeness of the transactions that take place (cut-off)…
- designed for diverse use
….
(5) physical controls (physical asset infor.)
- warehouse/lock/camera/security guards
- authorization for access to computer programs n. data files
- periodic acct and comparison with amt shown on control acc.
….
6.1.2.5. Monitoring of control
⇒ ensure that:
- the CS still meets its objectives
- the CS still operates effectively and efficiently
- necessary corrections to the system are made on a timely basis
RECALL:
⇒ Based on risks assessment
1. segregation/separation of duties
2. authorization
3. performance review/ independent check
4. information processing/ adequate documents n. records
5. physical control
6.1.3. Limitation of internal control
1. Human element ⇒ 2 limitations
⇒ unintentional in nature
- understand >< cannot implement ⇒ mistake
- viewpoint ⇒ less importance ⇒ not carried out
- the ppl who perform the control act. make a mistake in the implementing
process
- ppl do not understand the importance of the control so they do not
implement the control act.
2. Collusion (intentional)
- two/more ppl (working tgt) ⇒ make fraud
- two/more ppl work with each other to make the fraud and then create
documents, records (acct. books) to cover this fraud
3. Unusual transactions
- unusual/ not frequent
- cost/exp
+ internal controls are generally designed to deal with normal and
routine transactions in a buz.
+ the management thinks that the cost of implementing an internal
control system for unusual transactions can outweigh the result of the relevant
risks.
6.2. Internal audit
- An appraisal (assessment/verification) activity established/provided as a service to the
entity ⇒ serves the company internally
- functions (checking and verifying)
⇒ monitoring (internal control systems)
| | Internal audit | External audit |
|---|---|---|
| Reason (purpose) | It helps the entity get an adequate and effective internal control system | It helps the entity get a true and fair view of financial statement |
| Reporting to | BOD n CEO | Mainly for shareholders |
| Related to | Internal control system | Financial statement |
| Relationship with the comp. | Employees/staff of the entity/ auditor ⇒ affects ⇒ independence | Independent auditor |
⇒ the entity can hire an independent auditor to perform internal audit
6.2.2. Internal audit function
⇒ key roles
- monitoring the internal control system when it performs its function
⇒ 2 aspects of this function
- ensure policies are adequate
- ensure policies work effectively
⇒ RISK: the internal audit function has a two-fold role in relation to risk management
- monitoring the company’s overall risk management policy to ensure it
operates effectively
- monitoring the strategies implemented to ensure that they continue to
operate effectively
Chapter 7: Audit …