AUDITING AND ASSURANCE SERVICES IN MALAYSIA

TOPIC 4: INTERNAL CONTROL SYSTEMS

References: Chapter 10AUDITING AND ASSURANCE SERVICES IN MALAYSIA

LEARNING OUTCOMESAUD390 2014DEFINITION OF INTERNAL CONTROL OBJECTIVES, COMPONENTS AND LIMITATIONSIMPORTANCE OF INTERNAL CONTROL TO AUDITORS RELATIONSHIP OF INTERNAL CONTROL AND AUDIT EVIDENCE REVIEW AND DOCUMENTATION OF INTERNAL CONTROLTESTS OF CONTROLS FOR CLASSES OF TRANSACTIONSSTRENGTHS AND DEFICIENCIES OF INTERNAL CONTROL MANAGEMENT LETTER

2

OVERVIEWAUD390 2014A system of internal controls consists of policies & procedures to provide management with reasonable assurance that the company achieves its objectives & goals.These policies & procedures are called controls, and they normally considered as entitys internal control

ContAUD390 2014A set of policies are principles, rules, and guidelines formulated or adopted by an organization to reach its long-term goals and typically published in a booklet or other form that is widely accessible.Procedures are the specific methods employed to express policies in action in day-to-day operations of the organization. Together, policies and procedures ensure that a point of view held by the governing body of an organization is translated into steps that result in an outcome compatible with that view.

AUD390 2014Three objectives in designing internal control systems:reliability of financial reportingeffectiveness & efficiency of operationscompliance with laws & regulationsCont

AUD390 2014Limitations of ICHuman errorManagement override of ICCost contraintsCost of entitys ICS should note exceed that are expected to derivedLack of personal quality among employeeCollusion an act of 2 or more employees to steel assets or mistake recordsCont

COMPONENTS OF ICSAUD390 2014

CONTROL ENVIRONMENTRISK ASSESSMENTCONTROL ACTIVITIESINFORMATION & COMMUNICATIONMONITORING

Control EnvironmentAUD390 2014Definition:Includes governance and managements overall attitude, awareness and actions regarding IC and its importance in the entity Auditors should consider: communication and enforcement of integrity and ethical valuescommitment to competenceparticipation by those charged with governancemanagements philosophy and operating styleorganisational structureassignment of authority and responsibilityhuman resource policies and practices.

Risk AssessmentAUD390 2014Definition:Managements identification & analysis of risks relevant to the preparation of fin stat in accordance with accounting standard i.e. FRSRisk assessment processIdentify factors affecting risksAssess significance of risks & likelihood of occurrenceDetermine actions necessary to manage risks

Control ActivitiesAUD390 2014Definition:Policies & procedures established by management in order to ensure that its directives are carried out Types of specific control activities:-Segregation (Separation) of dutiesAuthorisation of transactions and proceduresAdequate documented transactions and recordsPhysical controls over assets and recordsIndependent checks on performance

Information & CommunicationAUD390 2014Definition: Method used to initiate, records, process & report an entitys transactions & to maintain accountability for related assetsAn effective information system establishes the records and the methods that:Identify and record all valid transactions.Resolve incorrect processing of transactions.Process and account for system overrides.Transfer information from transaction processing systems to the general ledger.Capture information relevant to financial reporting for events and conditions other than transactions.Present the transactions and related disclosures properly in the financial report.

MonitoringAUD390 2014Definition:Managements ongoing & periodic assessment of the quality of IC performance to determine whether controls are operating as intended and are modified when necessaryMonitoring mechanism:Studies of existing ICInternal Audit ReportsReports from Regulatory such as BNM, SC, Bursa MalaysiaFeedback from operating personnelComplaints from customers

Obtain & Document Understanding of Internal ControlAUD390 2014Purpose:To obtains an understanding of the entitys IC throughGathering evidence about the design of ICObserved whether the IC have been placed in operationsMethods in gathering evidence:NarrativesFlowchartsInternal Control Questionnaire

NarrativesAUD390 2014Definition ~ A written description of a clients ICA proper narrative of any ICS include 4 characteristicsThe origin of every documents & records in the systemAll processing that takes placeThe disposition of every document and records in the systemAn indication of the controls relevant to the assessment of control risk

AUD390 2014

FlowchartsAUD390 2014Definition ~ A diagram of the clients documents and their sequential flow in the organizationAdvantages:It provides a concise overview of the clients systemIt helps in identifying inadequacies in the systemEasier to readEasier to update

AUD390 2014

Internal Control Questionnaire AUD390 2014Definition ~ A series of questions about the controls in each audit areas as a means of uncovering aspects of internal control that may be inadequateIt require a yes or no response, where NO indicating potential internal control deficiencies

Tests of ControlsAUD390 2014Definition ~ Audit procedures to test the operating effectiveness of controls in support of reduced assessed control risk4 types of procedures involved:Make inquiries of appropriate client personnelExamine documents, records & reportsObserve control-related activitiesRe-perform client procedures

COMMUNICATION OF INTERNAL CONTROL RELATED MATTERSAUD390 2014Auditing Standards (ISA315 & ISA260) require the auditor to communicate to those charged with governance, as soon as practicable, material weaknesses in the design or operation of the accounting & internal control systems, which have come to the auditors attention

Management Letter (ML)An optional letter written by the auditor to a clients management containing the auditors recommendations for improving any aspects of the clients business

ContAUD390 2014Items should be included in the ML:A statement that the purpose of the audit was to report on the fin stats & not to provide assurance on ICA statement that the letter only discusses weaknesses in IC which have come to the auditors attention as a result of the auditA statement of restriction on the distribution of the report

Cont AUD390 2014Directors Statement on Internal ControlUnder the Listing Requirements of Bursa Malaysia Securities Berhad (Listing Requirements) Listed Companies to include a Statement on Internal Control in the annual reportsCompanys external auditors must review the Statement on Internal Control & report the result to the BOD

ContAUD390 2014The Directors Statement on Internal Control should incorporate the following aspectsThe Board should maintain a sound system of IC to safeguard shareholders investment & the companys assetsThe Board should (inter alia)Identify the principal risks & ensure the implementation of appropriate systems to manage the risks;Review the adequacy & integrity of the companys ICS & Management information system, including systems for compliance with applicable laws, regulations rules, directives & guidelines

Tutorial QuestionsAUD390 2014Explain what is control environment and state 2 factors affecting this component.Identify a key internal control and possible substantive test of transactions that could perform for each of the following audit objectivesSales made to existing customer (Existence)Existing sales transaction are recorded (Completeness)Recorded sales are for amount of goods shipped and are correctly billed and recorded (Accuracy)State the audit objective (s) for the following tests performed.You decided to issue a Management LetterDefine Management LetterBriefly explain 2 purposes of Management Letter