Chapter 1 Overview of Internal Control - 2023


INTERNAL CONTROL

Assoc. Prof. Nguyen Thanh Hieu


School of Accounting & Auditing
Chapter 1
Overview of Internal Control

1.1 Definition of Internal Control

1.2 Evolution of Internal Control

1.3 Limitation of Internal Control

1.4 Content of COSO Framework

1.5 Role of interested parties for internal control

Internal controls are meant to:
• Protect assets
• Ensure records are accurate
• Promote operational efficiency
• Encourage adherence to policies, rules, regulations, and laws.

Think about what YOU do

• You lock your home and your vehicle.
• You keep your ATM/debit card PIN number separate from your card.
• You review bills and credit card statements before paying them.
• You don’t leave blank checks or cash just lying around.
• You expect your children to ask permission before they can do certain things.

Internal controls are usually PREVENTIVE or DETECTIVE

• Preventive - let’s stop an unwanted outcome before it happens.
• Detective - let’s find the problem before it grows.

Examples of Preventive Controls

• Reading and understanding applicable University Policy to learn the right way to do something.
• The review and approval process for purchase orders or requisitions to make sure they’re appropriate before the purchase.
• The use of computer passwords to stop unauthorized access.

Examples of Detective Controls

• Cash counts and bank reconciliations
• Reviewing payroll reports or, on a personal level, your paycheck or advice
• Comparing transactions on monthly management reports to departmental source documents
• Monitoring expenditures against budgeted amounts

INTERNAL CONTROL DEFINITION

1.1. Definition (Cont.)

“Internal Control is the system designed, implemented and maintained by those charged with governance, management and other personnel, to provide reasonable assurance about the achievement of an entity’s objectives with regard to reliability of financial reporting, effectiveness and efficiency of operations, and compliance with applicable laws and regulations”
(ISA 315)

1.1. Definition (Cont.)

“A system of internal control consists of policies and procedures designed to provide management with reasonable assurance that the company achieves its objectives and goals”.
(Alvin et al., 2020)

1.1. Definition (Cont.)


Internal control means establishment and implementation
of internal mechanism, policies, procedures, and
regulations conformable with law meant to prevent,
discover, and deal with the risks and meet the set
requirements.
(Accounting Law No. 88/2015/QH13/ Article 39)


Each accounting unit must establish an internal control system to meet the following requirements:
a) Its assets are protected from improper and inefficient use;
b) The transactions are approved intra vires and fully recorded as the basis for making and presenting truthful and reasonable financial statements.

1.1. Definition (Cont.)

• Internal control is defined by COSO 2013 as follows:

Internal control is a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance.
(COSO 2013 - Framework)

1.1. Definition (Cont.)


This definition reflects certain fundamental concepts. Internal control is:
• Geared to the achievement of objectives in one or more categories—operations, reporting, and compliance
• A process consisting of ongoing tasks and activities—a means to an end, not an end in itself
• Effected by people—not merely about policy and procedure manuals, systems, and forms, but about people and the actions they take at every level of an organization to affect internal control
• Able to provide reasonable assurance—but not absolute assurance, to an entity’s senior management and board of directors
• Adaptable to the entity structure—flexible in application for the entire entity or for a particular subsidiary, division, operating unit, or business process

1.1. Definition (Cont.)


Objectives of Internal Control:
• Operations Objectives—These pertain to effectiveness and efficiency of the entity’s operations, including operational and financial performance goals, and safeguarding assets against loss.
• Reporting Objectives—These pertain to internal and external financial and non-financial reporting and may encompass reliability, timeliness, transparency, or other terms as set forth by regulators, recognized standard setters, or the entity’s policies.
• Compliance Objectives—These pertain to adherence to laws and regulations to which the entity is subject.

* Limitation of Internal Control
• Costs should not exceed benefit.
• Breakdowns that can occur because of human failures such as simple errors
• Ability of management to override internal control
• Ability of management, other personnel, and/or third parties to circumvent controls through collusion
• External events beyond the organization’s control
• Designed to deal with what normally or routinely happens in a business

1.2 Evolution of Internal Control


The theoretical foundation for internal control can mainly be found in the financial statement audit. In the 1940s, a first attempt at formalizing an internal control concept was made in the US, where from the beginning this concept focused on getting organizations under control.

1.2. Evolution (Cont.)

• One of the first published definitions of internal control can be found in the 1949 research report of the Committee on Auditing Procedure of the American Institute of Certified Public Accountants (AICPA), followed by many adjustments and refinements.
• Management's role in internal control was explicitly discussed for the first time in the Statement on Auditing Standards No. 1, issued by the AICPA in 1972.
• In 1983, the Institute of Internal Auditors published a very broad definition of internal control.
• In 1985, the Treadway Commission was established to examine the causes of fraudulent financial reporting by leading organizations, some of which went bankrupt entirely unexpectedly, and which auditors had apparently not been able to discover in time.


1.2. Evolution (Cont.)

• In 1992 the cooperation of five US regulatory institutes (AICPA, AAA, FEI, IMA, IIA) resulted in the report of the Committee of Sponsoring Organizations of the Treadway Commission (COSO report).
• This report was prepared based on recommendations of the Treadway Commission to have management report on the effectiveness of its internal controls, to create greater management awareness that the control environment, the audit committee, codes of conduct and the internal audit are important elements in an internal control system, and to arrive at a consensus as to the various internal control concepts and definitions that were in use until that time. The COSO report provided a broad definition of internal control that is currently still authoritative.

1.2. Evolution (Cont.)
Over time and internationally the definition of internal control as provided in the COSO report has gained wide support. This support has only increased with the recent enactment of the Sarbanes-Oxley Act since this Act primarily adopts the COSO definition of internal control.

In 2004, a further report followed, which extensively discusses risk management. Informally this report is known as the COSO II report, but we will refer to this report as the ERM COSO report to indicate that it does not deal with just internal control, but with Enterprise Risk Management (ERM), of which internal control is a part.

ERM - COSO

1.2. Evolution (Cont.)
- Reasons for a new COSO framework (2013)
• Address significant changes to the business environment and associated risks => updated, enhanced and clarified Framework
• Codify criteria to use in the development and assessment of systems of internal control => added principles and points of focus.
• Increase focus on operations, compliance and non-financial reporting objectives => expanded internal and non-financial reporting guidance.
=> COSO updated Internal Control—Integrated Framework (Framework) in 2013

1.2. Evolution (Cont.)
Internal Control in Information Technology Enterprises
• Originally published in 1996, COBIT helped financial auditors better navigate the growth of their IT environments.
• ISACA released a more comprehensive version in 1998. It enveloped areas beyond audit controls. The third and fourth versions, released in the 2000s, added further management guidelines around cyber security.
• The fifth COBIT version came in 2013 and brought along tools, objectives, and best practices universally applicable to all IT operations in enterprises.
• ISACA then updated COBIT 5 to COBIT 2019. It is the latest version. This COBIT version is more comprehensive, flexible, and suitable for all enterprises, irrespective of their immediate goals or size.
• COBIT® 2019 Framework: Introduction and Methodology (the “Work”) is intended primarily as an educational resource for enterprise governance of information and technology (EGIT), assurance, risk and security professionals.

1.2. Evolution (Cont.)
- Internal Control related to Independent Audit

• International standard on auditing 315 (ISA 315) “Identifying and assessing the risks of material misstatement through understanding the entity and its environment” refers to the definition of Internal Control and its relationship with performing an audit engagement.

• International standard on auditing 265 (ISA 265) “Communicating deficiencies in internal control to those charged with governance and management” refers to determination of whether deficiencies in internal control have been identified, significant deficiencies in internal control, and communication of deficiencies in internal control.

1.2. Evolution (Cont.)
- Internal Control in Bank Organizations

Basel Committee on Banking Supervision (BCBS) published the Framework for Internal Control System in Banking Organisations. These reports included Basel I (1998), Basel II (2004) and Basel III (2012), which are a set of international banking regulations developed by the Bank for International Settlements in order to promote stability in the international financial system.

1.3. Content of COSO framework (2013)

1.3. COSO framework (2013)

1 Executive summary
2 COSO framework & Implementation Guide
3 Evaluation Effectiveness of Internal Control
4 Internal Control over financial reporting for external stakeholders

1.3.1. Executive Summary

1.3.2. COSO Framework and Implementation Guide
- COSO Framework:
+ Definition of Internal Control
+ Effectiveness of Internal Control
+ Components of Internal Control
+ Principles of Internal Control
=> Instruct management and boards of directors at all levels of the organization to design, implement and evaluate the effectiveness of internal control.

- Implementation Guide:
+ Glossary
+ Note for small businesses
+ Summary of changes of the COSO 2013 Report compared to the COSO 1992

1.3.3. Effective Internal Control


The Framework sets forth the requirements for an effective system of internal control.
• Each of the five components and relevant principles is present and functioning. “Present” refers to the determination that the components and relevant principles exist in the design and implementation of the system of internal control to achieve specified objectives. “Functioning” refers to the determination that the components and relevant principles continue to exist in the operations and conduct of the system of internal control to achieve specified objectives.
• The five components operate together in an integrated manner. “Operating together” refers to the determination that all five components collectively reduce, to an acceptable level, the risk of not achieving an objective. Components should not be considered discretely; instead, they operate together as an integrated system. Components are interdependent with a multitude of interrelationships and linkages among them, particularly the manner in which principles interact within and across components.

1.3.4. Internal Control over External Financial Reporting
For external stakeholders of an entity and others that interact with the entity, application of this Framework provides:
• Greater confidence in the board of directors’ oversight of internal control systems
• Greater confidence regarding the achievement of entity objectives
• Greater confidence in the organization’s ability to identify, analyze, and respond to risk and changes in the business and operating environments
• Greater understanding of the requirement of an effective system of internal control
• Greater understanding that through the use of judgment, management may be able to eliminate ineffective, redundant, or inefficient controls

1.3.5. Important changes in the COSO 2013 report compared to the 1992 COSO report
• A principles-based approach that provides flexibility and allows for judgment in designing, implementing, and conducting internal control—principles that can be applied at the entity, operating, and functional levels
• Requirements for an effective system of internal control by considering how components and principles are present and functioning and how components operate together
• An opportunity to expand the application of internal control beyond financial reporting to other forms of reporting, operations, and compliance objectives
• An effective system of internal control demands more than rigorous adherence to policies and procedures: it requires the use of judgment. Management and boards of directors use judgment to determine how much control is enough. Management and other personnel use judgment every day to select, develop, and deploy controls across the entity.

1.3.6. Components and Principles


Control environment:
Principle 1: The organization demonstrates a commitment to integrity
and ethical values.
Principle 2: The board of directors demonstrates independence from
management and exercises oversight of the development and
performance of internal control.
Principle 3: Management establishes, with board oversight, structures,
reporting lines, and appropriate authorities and responsibilities in the
pursuit of objectives.
Principle 4: The organization demonstrates a commitment to attract,
develop, and retain competent individuals in alignment with objectives.
Principle 5: The organization holds individuals accountable for their
internal control responsibilities in the pursuit of objectives.

1.3.6. Components and Principles
Risk assessment
Principle 6: The organization specifies objectives with sufficient
clarity to enable the identification and assessment of risks relating
to objectives.
Principle 7: The organization identifies risks to the achievement of
its objectives across the entity and analyzes risks as a basis for
determining how the risks should be managed.
Principle 8: The organization considers the potential for fraud in
assessing risks to the achievement of objectives.
Principle 9: The organization identifies and assesses changes that
could significantly impact the system of internal control.

1.3.6. Components and Principles
Control Activities
Principle 10: The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.

Principle 11: The organization selects and develops general control activities over technology to support the achievement of objectives.

Principle 12: The organization deploys control activities through policies that establish what is expected and procedures that put policies into action.

1.3.6. Components and Principles
Information and Communication
Principle 13: The organization obtains or generates and uses relevant, quality information to support the functioning of internal control.

Principle 14: The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.

Principle 15: The organization communicates with external parties regarding matters affecting the functioning of internal control.

1.3.6. Components and Principles


Monitoring Activities
Principle 16: The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.

Principle 17: The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.

Who is Responsible for Internal Control?

EVERYONE

1.5. Roles of the interested parties for Internal Control
• The Board of Directors
• Audit Committee
• Control Board
• Internal Auditor
• Senior Management
• Other Management and Personnel
• Independent Auditor

1.5. Roles of the interested parties for Internal Control (Vinamilk)

The Board of Directors

• The board should discuss with senior management the state of the entity’s internal control and provide oversight as needed.
• The board needs to establish its policies and expectations of how members should provide oversight of the entity’s internal control.
• The board should be apprised of the risks to the achievement of the entity’s objectives, the assessments of internal control deficiencies, the management actions deployed to mitigate such risks and deficiencies, and how management assesses the effectiveness of internal control.
• The board should challenge management and ask the tough questions, as necessary, and seek input and support from internal auditors, external auditors, and others.
• Subcommittees of the board often can assist the board by addressing some of these oversight activities.

Audit Committee
An audit committee undertaking good practice will provide benefits to the board and the entity by:
• strengthening the internal control structure and helping to ensure the maintenance of appropriate accounting records
• facilitating appropriate communication channels between management, the board, external auditors and internal auditors
• improving the quality of financial disclosures and the effectiveness of the audit function by providing an independent review of these functions
• keeping the board fully informed about relevant accounting and auditing issues
• highlighting relevant important matters that require the board’s attention

Internal Auditors

• Internal auditors should review their internal audit plans.
• Internal auditors perform ongoing and periodic assessments of the design and operation of internal control and report on internal control to the Audit Committee.

Senior Management

• Senior management is responsible for designing and operating the entity's internal controls.
• Senior management should assess the internal control in relation to the Framework, focusing on how the organization applies the seventeen principles in support of the components of internal control.
• Management performs an ongoing evaluation of the overall effectiveness of internal control.

Other Management and Personnel

• Conduct their responsibilities for performing internal control and discuss with more senior personnel ideas for strengthening internal control.
• Be aware of how existing controls affect the effectiveness of internal control.

Independent Auditors

• The independent auditor is engaged to audit or examine the effectiveness of the client’s internal control over financial reporting in addition to auditing the entity’s financial statements.
• Auditors can assess the entity’s system of internal control in relation to the Framework, focusing on how the organization has selected, developed, and deployed controls.

EXERCISES AND DISCUSSION

• CASE # 1. Bern Fly Rod Company

Bern Fly Rod Company is a small manufacturer of high-quality graphite fly-fishing rods. It sells its products to fly-fishing shops throughout the United States and Canada. Bern began as a small company with four salespeople, all family members of the owner. Because of the high popularity and recent growth of fly-fishing, Bern now employs a seasonal, nonfamily sales force of 16. The salespeople travel around the country giving fly casting demonstrations of their new models to fly-fishing shops. When the fishing season ends in October, the temporary salespeople are laid off until the following spring.

Once the salesperson takes an order, it is sent directly to the cash disbursement department, where commission is calculated and promptly paid. Sales staff compensation is tied directly to their sales (orders taken) figures. The order is then sent to the billing department, where the sale is recorded, and finally to the shipping department for delivery to the customer. Sales staff are also compensated for travel expenses.

Each week they submit a hard-copy spreadsheet of expenses incurred to the cash disbursements clerk. The clerk immediately writes a check to the salesperson for the amount indicated in the spreadsheet. Bern’s financial statements for the December year-end reflect an unprecedented jump in sales for the month of October (35 percent higher than the same period in the previous year). On the other hand, the statements show a high rate of product returns in the months of November and December, which virtually offset the jump in sales.

Furthermore, travel expenses for the period ending October 31 were disproportionately high compared with previous months.

• Required
Analyze Bern’s situation and assess any potential internal control issues and exposures. Discuss some preventive measures this firm may wish to implement.

Question # 1
Internal control is a process designed to provide reasonable assurance
regarding the achievement of which objective?
A. Effectiveness and efficiency of operations
B. Reliability of financial reporting
C. Compliance with applicable laws and regulations
D. All of the above

Valdosta State University

Question #2
Who is responsible for internal controls?

A. Upper management
B. Accountants and Auditors
C. Supervisors
D. All employees


Question #3
Control activities can be defined as:
A. A means to an end
B. Authorized procedures
C. The particular category in which a control is placed
D. The actions of people to help ensure that management directives necessary to address risks are carried out

Question #4
Your department has been struggling to implement the monitoring
component of the COSO framework. Which of the following is NOT correct
in how the department can implement the monitoring component?
A. Monitoring can be an ongoing process.
B. Monitoring can be conducted as a separate evaluation.
C. An adequate internal audit staff can reduce external audit costs.
D. The independent auditor can serve as part of the control environment.

MC QUESTIONS

5. The overall attitude and awareness of a firm’s top management and board of directors concerning the importance of internal control is often reflected in its

A. Computer-based controls.
B. System of segregation of duties.
C. Control environment.
D. Safeguards over access to assets.

6. Management can expect various benefits to follow from implementing a system of strong internal control. Which of the following benefits is least likely to occur?
a. reduction of cost of an external audit
b. prevention of employee collusion to commit fraud
c. availability of reliable data for decision-making purposes
d. some assurance of compliance with the Foreign Corrupt Practices Act of 1977
e. some assurance that important documents and records are protected

7. Which of the following situations is NOT a segregation of duties violation?
a. The treasurer has the authority to sign checks but gives the signature block to the assistant treasurer to run the check-signing machine.
b. The warehouse clerk, who has custodial responsibility over inventory in the warehouse, selects the vendor and authorizes purchases when inventories are low.
c. The sales manager has the responsibility to approve credit and the authority to write off accounts.
d. The department time clerk is given the undistributed payroll checks to mail to absent employees.
e. The accounting clerk who shares the recordkeeping responsibility for the accounts receivable subsidiary ledger performs the monthly reconciliation of the subsidiary ledger and the control account.

8. The underlying assumption of reasonable assurance regarding implementation of internal control means that
a. auditor is reasonably assured that fraud has not occurred in the period.
b. auditors are reasonably assured that employee carelessness can weaken an internal control structure.
c. implementation of the control procedure should not have a significant adverse effect on efficiency or profitability.
d. management assertions about control effectiveness should provide auditors with reasonable assurance.
e. a control applies reasonably well to all forms of computer technology.

9. Providing timely information about transactions in sufficient detail to permit proper classification and financial reporting is an example of
a. the control environment.
b. risk assessment.
c. information and communication.
d. monitoring

10. Ensuring that all material transactions processed by the information system are valid and in accordance with management’s objectives is an example of
a. transaction authorization.
b. supervision.
c. accounting records.
d. independent verification

11. The control procedure designed to restrict what portions of an information system an employee can access and what actions he or she can perform is called ________.
a. authentication (Incorrect. Authentication is the process of verifying a user’s identity to decide whether or not to grant that person access.)
▶ b. authorization (Correct. Authorization is the process of controlling what actions—read, write, delete, etc.—a user is permitted to perform.)
c. intrusion prevention (Incorrect. Intrusion prevention systems monitor patterns in network traffic to identify and stop attacks.)
d. intrusion detection (Incorrect. Intrusion detection is a detective control that identifies when an attack has occurred.)