Lessons 5 & 6a

Chapter 6: Internal Control in a Financial Statement Audit: Management Responsibility for the Internal Control System

Learning Outcomes

At the end of this lesson, students should be able to:
• Define the internal control system
• Describe the role of internal control to prevent and detect material misstatements
• Describe the five components of the COSO Framework
• Describe management responsibility for the system of internal control

© McGraw-Hill Education 2014

Sections

Section  Title
1        Introduction and Overview
2        The Effect of IT on Internal Control
3        Management Responsibility: The COSO Framework
4        Compensating Controls

The Audit Process

Planning Phase
• Consider the preconditions for an audit
• Understand the entity and its environment
• Develop an audit strategy and an audit plan

Testing Phase
• Decide whether to test internal controls or not
• Perform tests of controls
• Perform substantive tests of transactions and balances
• Assess the likelihood of material misstatement

Decision Phase
• Review the presentation and disclosure assertions
• Determine whether the financial statements are prepared in accordance with the applicable financial reporting framework
• Issue audit report
• Communicate with the audit committee

Section 1: Introduction and Overview

Internal Control

• Management is responsible for designing and maintaining a system of internal control that provides reasonable assurance that:
– assets and records are safeguarded; and
– the entity’s information system generates reliable information for decision-making.
• Management is responsible for the entity’s system of internal control
• Management develops internal control to prevent and detect misstatements in the financial statements

Internal Control (Cont’d)

• Management is responsible for preparing financial statements in accordance with the applicable financial reporting framework
• Management uses the internal control function as one of the principal methods to fulfil this responsibility

Internal Control (Cont’d)

• Management designs the processes to provide reasonable assurance that the financial statements are prepared in accordance with the applicable financial reporting framework and develops controls related to:
– Segregation of duties;
– Procedures to authorise transactions;
– Requirements for documentation;
– Physical controls over assets; and
– Independent reconciliations / independent checks on performance

Internal Control (Cont’d)

• The auditor needs assurance about:
– how well the assets and records of the entity are safeguarded, and
– the reliability of the data generated by the information system.

Internal Control (Cont’d)

• The auditor uses to obtain an understanding of the entity’s internal control. These procedures help the auditors to:
– identify key controls;
– recognise the types of potential misstatements that are likely to arise; and
– design tests of controls and substantive procedures
• The auditor’s understanding of the internal control is a major factor in determining the overall audit strategy. The auditor has a responsibility to:
(1) obtain an understanding of internal control and
(2) assess control risk.

Definition of the System of Internal Control

• A system of internal control is designed and carried out by those charged with governance in the entity, management and other personnel to provide reasonable assurance about the achievement of the entity’s objectives in the following:
– Reliability, timeliness and transparency of internal and external, non-financial and financial reporting;
– Effectiveness and efficiency of operations, including safeguarding of assets; and
– Compliance with applicable laws and regulations

Definition of the System of Internal Control (ISA 315)

• Internal control is the process designed, implemented and maintained by those charged with governance, management and other personnel to provide reasonable assurance about the achievement of an entity’s objectives with regard to reliability of financial reporting, effectiveness and efficiency of operations, and compliance with applicable laws and regulations. The term “controls” refers to any aspects of one or more of the components of internal control (ISA 315 (Revised) para 4(c) – Identifying and Assessing the Risks of Material Misstatement through Understanding the Entity and its Environment)

Management’s Legal Responsibility

• Sec 246, CA 2016 requires directors of a public company or a subsidiary of a public company to have in place a system of internal control that will provide a reasonable assurance that:
– The company’s assets are safeguarded against loss from unauthorised use or disposition and to give a proper account of the assets; and
– All transactions are properly authorised and that they are recorded to enable the preparation of true and fair view of the financial statements of the company
• Penalty: 3 years imprisonment or RM1 million fine or both

Malaysian Code of Corporate Governance 2017

• Amongst the responsibilities of the board of directors is ensuring that a sound framework for internal controls and risk management exists in a company
• Internal controls are important for risk management
• Read slides of Lecture 2 (reproduced in the next 4 slides)

MCCG 2017 Principle B: Effective Audit and Risk Management

II. Risk Management and Internal Control Framework

• Proper risk management and internal controls are important aspects of a company’s governance, management and operations.
• Risk management focuses on identifying threats and opportunities
• Internal controls help counter threats and take advantage of opportunities
• Proper risk management and internal control assist companies in making informed decisions about the level of risk that they want to take and implement the necessary controls to effectively pursue their objectives.
• Successful companies integrate effective governance structures and processes with performance-focused risk management and internal control at every level of the company and across all operations

MCCG 2017 Principle B: Effective Audit and Risk Management (Cont’d)

II. Risk Management and Internal Control Framework (Cont’d)

• The board of directors is responsible for the company’s risk management and internal control systems. It should set appropriate policies on internal control and seek assurance that the systems are functioning effectively.
• The board must also ensure that the system of internal control manages risks and forms part of its corporate culture.

Intended Outcome
9.0 Companies make informed decisions about the level of risk they want to take and implement necessary controls to pursue their objectives.
The board is provided with reasonable assurance that adverse impact arising from a foreseeable future or situation on the company’s objectives is mitigated and managed.

MCCG 2017 Principle B: Effective Audit and Risk Management (Cont’d)

II. Risk Management and Internal Control Framework (Cont’d)

Practice:
9.1 The board should establish an effective risk management and internal control framework.
9.2 The board should disclose the features of its risk management and internal control framework, and the adequacy and effectiveness of this framework.
9.3 The board establishes a Risk Management Committee, which comprises a majority of independent directors, to oversee the company’s risk management framework and policies.

MCCG 2017 Principle B: Effective Audit and Risk Management (Cont’d)

II. Risk Management and Internal Control Framework (Cont’d)

Guidance:
9.1 The board should determine the company’s level of risk tolerance and actively identify, assess and monitor key business risks to safeguard shareholders’ investments and the company’s assets. Internal controls are important for risk management and the board should be committed to articulating, implementing and reviewing the company’s internal control framework.

MCCG 2017 Principle B: Effective Audit and Risk Management (Cont’d)

II. Risk Management and Internal Control Framework (Cont’d)

Guidance:
9.2 The board should, in its disclosure, include:
• A discussion on how key risk areas such as finance, operations, regulatory compliance, reputation, cyber security and sustainability were evaluated and the controls in place to mitigate or manage those risks.
• In addition, it should state if the risk management framework adopted by the company is based on an internationally recognised risk management framework.
• Whether it has conducted an annual review and periodic testing of the company’s internal control and risk management framework. This includes any insights it has gained from the review and any changes made to its internal control and risk management framework arising from the review.
Where information is commercially sensitive and may give rise to competitive risk, disclosure in general terms is acceptable.

Section 2: The Effect of Information Technology on Internal Control

The Effect of Information Technology on Internal Control

• IT affects the way transactions are initiated, authorised, recorded, processed and reported
• Controls in IT comprise a combination of:
– Independent automated controls; and
– Manual controls
• Manual controls often use information produced by IT, and they are often used to monitor the functioning of, and errors and exceptions identified by, automated controls
• Controls in information systems use a combination of automated controls built into the computer programs and manual controls

The Effect of Information Technology on Internal Control (Cont’d)

• An entity’s mix of manual and automated controls varies with the nature and complexity of the entity’s use of IT.
• The next slide shows the benefits and risks of using IT for an entity’s internal control
• The risks to internal control vary depending on the nature and characteristics of the entity’s information system

The Effect of Information Technology on Internal Control (Cont’d)

Table 6–1 Potential Benefits and Risks to an Entity’s Internal Control from IT

Section 3: Management Responsibility: The COSO Framework

The COSO Framework

• The Committee of Sponsoring Organisations of the Treadway Commission (COSO) developed the most widely used internal control framework
• A system of internal controls should consist of five (5) components

COSO’s Internal Control: Integrated Framework Definition

Objectives of a system of internal control:
• Reliability of Financial Reporting
• Effectiveness and Efficiency of Operations
• Compliance with Laws and Regulations

Purpose of COSO’s Framework

• Purpose of COSO’s framework:
– Help management better control the organisation; and
– To provide those charged with governance with an ability to oversee internal control
• An effective system of internal control allows management to focus on operations and financial performance goals, while maintaining compliance with relevant laws, and minimising surprises

Controls Relevant to the Audit

Controls are relevant to an audit when they help to prevent, or detect and correct, material misstatements in the financial statements.

Objectives:
• Reliability of Financial Reporting
• Effectiveness and Efficiency of Operations
• Compliance with Laws and Regulations

Generally, internal controls pertaining to the preparation of financial statements for external purposes are relevant to an audit.

Controls Relevant to the Audit (Cont’d)

Objectives:
• Reliability of Financial Reporting
• Effectiveness and Efficiency of Operations
• Compliance with Laws and Regulations

Controls relating to operations and compliance objectives may be relevant when they relate to data the auditor uses to apply auditing procedures.

5 Components of Internal Control

• Control Environment
• Entity’s Risk Assessment
• Control Activities
• Information and Communication
• Monitoring Activities

5 Components of Internal Control (Cont’d)

Table 6–2 Components of Internal Control

Components of Internal Control

Figure 6–1 The Relationship of the Objectives of Internal Control to the Five Components of Internal Control
[Figure labels: Objectives (what an entity is striving to achieve); Structure of Entity (the operating units); Components (what the entity needs to do to meet its objectives)]

COSO Framework (Revised 2013)

• Each component includes principles that represent fundamental concepts underlying the effectiveness of each component
• An entity can achieve effective internal control by applying all 17 principles
• The COSO Framework sets forth the requirements for an effective system of internal control
• An effective system provides reasonable assurance that the risk of not achieving an entity objective is reduced to an acceptable level
• For a control system to be considered effective, each of the 5 components and relevant principles must be present and functioning, and the 5 components must operate together in an integrated manner

Components of Internal Control Structure – COSO Framework 2013

Component: 1. Control environment
Description of Component:
The set of standards, processes and structures that provide the basis for carrying out internal control across the organisation. The board of directors and senior management establish the tone at the top regarding the importance of internal control and expected standards of conduct
Component Elements / Underlying Principles:
1) The organisation demonstrates a commitment to integrity and ethical values
2) Those charged with governance demonstrate independence from management and exercise oversight of the development and performance of internal control

Components of Internal Control Structure – COSO Framework 2013 (Cont’d)

Component: 1. Control environment (cont’d)
Component Elements / Underlying Principles:
3) Management establishes, with those charged with governance oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives
4) The organisation demonstrates a commitment to attract, develop and retain competent individuals in alignment with objectives

Components of Internal Control Structure – COSO Framework 2013 (Cont’d)

Component: 1. Control environment (cont’d)
Component Elements / Underlying Principles:
5) The organisation holds individuals accountable for their internal control responsibilities in the pursuit of objectives

Components of Internal Control Structure – COSO Framework 2013 (Cont’d)

Component: 2. The entity’s risk assessment process
Description of Component:
• Risk assessment involves a dynamic and iterative process for identifying and analysing risks to achieve the entity’s objectives, forming a basis for determining how risks should be managed.
Component Elements / Underlying Principles:
6) The organisation specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives
7) The organisation identifies risks to the achievement of its objectives across the entity and analyses risks as a basis for determining how the risks should be managed

Components of Internal Control Structure – COSO Framework 2013 (Cont’d)

Component: 2. The entity’s risk assessment process (cont’d)
Description of Component:
• Management considers possible changes in the external environment and within its own business model that may impede its ability to achieve its objectives
Component Elements / Underlying Principles:
8) The organisation considers the potential for fraud in assessing risks to the achievement of objectives
9) The organisation identifies and assesses changes that could significantly impact the system of internal control

Components of Internal Control Structure – COSO Framework 2013 (Cont’d)

Component: 3. Control activities
Description of Component:
• These are the actions established by policies and procedures to help ensure that management directives to mitigate risks to the achievement of objectives are carried out.
Component Elements / Underlying Principles:
10) The organisation selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels
11) The organisation selects and develops general control activities over technology to support the achievement of objectives

Components of Internal Control Structure – COSO Framework 2013 (Cont’d)

Component: 3. Control activities (cont’d)
Description of Component:
• Control activities are performed at all levels of the entity and at various stages within business processes, and over the technology environment
• Control activities include:
– adequate segregation of duties,
– proper authorisation of transactions and activities,
Component Elements / Underlying Principles:
12) The organisation deploys control activities through policies that establish what is expected and procedures that put policies into action

Components of Internal Control Structure – COSO Framework 2013 (Cont’d)

Component: 3. Control activities (cont’d)
Description of Component:
– adequate documents and records,
– physical control over assets and records, and
– independent checks on performance

Components of Internal Control Structure – COSO Framework 2013 (Cont’d)

Component: 4. Information and communication
Description of Component:
• Information is necessary for the entity to carry out internal control responsibilities in support of achievement of its objectives.
Component Elements / Underlying Principles:
13) The organisation obtains or generates and uses relevant, quality information to support the functioning of other components of internal control
14) The organisation internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of other components of internal control

Components of Internal Control Structure – COSO Framework 2013 (Cont’d)

Component: 4. Information and communication (Cont’d)
Description of Component:
• Communication occurs both internally and externally and provides the organisation with the information needed to carry out day-to-day internal control activities. Communication enables personnel to understand internal control responsibilities and their importance to the achievement of objectives
Component Elements / Underlying Principles:
15) The organisation communicates with external parties regarding matters affecting the functioning of other components of internal control

Components of Internal Control Structure – COSO Framework 2013 (Cont’d)

Component: 5. Monitoring of controls
Description of Component:
• Ongoing evaluations, separate evaluations or some combination of the two are used to ascertain whether each of the 5 components of internal control, including controls to effect the principles within each component, are present and functioning.
Component Elements / Underlying Principles:
16) The organisation selects, develops and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning
17) The organisation evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and those charged with governance, as appropriate

Components of Internal Control Structure – COSO Framework 2013 (Cont’d)

Component: 5. Monitoring of controls (cont’d)
Description of Component:
• Findings are evaluated and deficiencies are communicated in a timely manner, with serious matters reported to senior management and those charged with governance

Component 2: The Entity’s Risk Assessment Process

The entity’s risk assessment process should consider external and internal events and circumstances that may arise and adversely affect the entity’s ability to initiate, record, process and report financial data consistent with management’s financial statement assertions.

Business risk can arise or change due to the following circumstances:
• Changes in the operating environment
• New or revamped information systems
• New personnel
• Rapid growth
• New technology
• New accounting pronouncements
• Corporate restructuring
• New business models, products or activities
• International growth

Section 4: Management Responsibility: Compensating Controls

Compensating Controls

• Companies may decide that implementing a particular control is not cost effective (e.g. small companies). Companies must then design compensating controls for their systems
• Management uses compensating controls to offset the risk in another procedure

Learning Outcomes

At the end of this lesson, students should be able to:
• Define the internal control system
• Describe the role of internal control to prevent and detect material misstatements
• Describe the five components of the COSO Framework
• Describe management responsibility for the system of internal control
