ASSIGNMENT 3

AUD589

Name : Annastasia Luyah Anak Henry

Matrix number : 2016263132

Group : AC2204C

Lecturer : Dr Siti Noor Hayati Binti Mohamed Zawawi

Ouestion :

1) Explain the components of internal control. Who is responsible for its implementation
and monitoring?
2) Describe the limitations of internal control.
3) Explain the advantages and disadvantages of each of the method that are used by auditors
to document understanding of internal controls.
4) How are weaknesses of the internal controls are communicate to the management and
discuss in details.
5) Describe the audit program, differentiate between the standard and customized audit
program. Discuss the advantages and disadvantages.
6) Describe the audit procedure related to confirmation.
Question 1
The first component of internal control is control environment. The control environment
is to set of standards, processes and structures that provide the basis for carrying out internal
control across the organization. The board of directors and senior management establish the tone
at the top regarding the importance of internal control and expected standards of conduct. There
are few principle underlying in the control environment where the organization demonstrate a
commitment to integrity and ethical values. This is where the integrity and ethical values are the
product of the entity’s ethical and behavior standards, as well on how the management
communicated and reinforced in practiced. The second principle is commitment and competence
where competence define as the knowledge and skills necessary to accomplish the task. Next are
Board of Director or Audit committee participation as it is the essential effective corporate
governance because of the ultimate power to make sure management implement proper internal
control and also financial reporting processes.

Second component of internal control is risk assessment. Risk assessment involves a

dynamic and iterative process for identifying and analyzing risk to achieve entity’s objectives,
forming a basis for determining how risk should be managed. Therefore, management must
considers possible changes in the external environment and within the business model that can
interrupt its ability to achieve the objectives. Once management identifies a risk, it will estimate
the significance of that risk and develop specific actions that need to be taken to reduce the risk.
Management access risk as part of designing and operating internal control that ill minimize
fraud and errors and auditor will access risk to decide the evidence needed in the audit.

The third component would be control activities where it is the actions established by
policies and procedure that help to ensure that management directive to mitigate risk to the
achievement of objectives that are carried out. Control activities are performed at all level of
entity and at various stage of business processes and over the technology environment.
Generally, control activities will fall into five types which are adequate separation of duties to
prevent fraud and error, proper authorization of transactions and activities where every
transaction must be properly authorized if controls are to be satisfactory. Next types are adequate
documents and records where document and records are been records upon which transaction are
enter and summarized , physical control over assets and records where assets and record must be
protected as it can be stolen.

Next components are information and communication. This relate to information are
necessary for the entity carry out internal control responsibilities in support of achievement of its
objectives. However, communication occurs both internally and externally that will provide
organization with information that they needed to carry out day-to-day internal control activities.
Thus, communication enables personnel to understand the internal control responsibilities and
their importance to achieve its objectives. Transaction-related to audit objectives must satisfied
occurrence, completeness, accuracy, posting and summarization, classification and also timing.

The last component of internal control is monitoring. Monitoring of control may be

ongoing evaluation, separate evaluation or some combination of both to determine that controls
are operating as intended and that they are modified as appropriate for changes in conditions and
that are used to ascertain whether each of the five components of internal control including
controls to effect the principles within each component are present and functioning.
Question 2

An internal control should be design and operated to provide reasonable assurance to an

entity so that their can achieve the objectives. This is where that the cost of an entity’s internal
control system should not exceed the benefits which are expected to be derived. However, the
effectiveness of any internal control system is subject to certain limitations including
management override of internal control, personnel errors or mistakes and collision.

The first limitation is management override of internal control. In some cases, an entity’s
controls may be overridden by management. For instance, a senior-level manager may require a
lower-level employee to record the entries of accounting the records that are not consistent with
the substance of the transaction and that violate the entity’s controls. Thus, the lower-level
employee may record the transaction even though it violates the entity’s controls as the lower-
level employee might afraid of losing their job. Therefore, the auditor is particularly concerned
when senior management is involved in such activities as it raises serious questions about
management’s integrity. Unfortunately, violations in control activities by senior management are
difficult to detect with normal audit procedures.

Second limitation is human errors or mistake. The internal control system is only as
effective as the personnel who implement and perform the controls. Breakdowns in internal
control can occur because of human failures such as simple errors or mistakes. For examples,
error may occurs in maintaining or monitoring automated controls. If IT personnel do not
completely understand how a revenue system should process sale transaction, then they may
make software programming errors in modifying or updating the system.

Lastly is collision where the effectiveness of segregation of duties lies in individuals

performing only their assigned tasks or in the performance of one person being checked by
another. There is always a risk that collusion between individuals will destroy the effectiveness
of segregation of duties. In other hand, collusion is cited as major reason for fraud within the
companies. For instance, an individual who receives cash receipts from customers can collude
with the one who records those receipts in the customers’ records to steal cash from entity.
 Question 3

Methods Advantages Disadvantages

They are simple to record where when after This methods may be too
discussion with company, the discussion will be cumbersome especially if the system
easily written up as notes. Next, as the notes are is complex. Thus this method can
Narrative simple to record, this may facilitate the make it more difficult to identify
understanding of all members of the teams missing internal controls as the notes
especially to junior members who might think the record the detail but do not identify
alternative methods too complex. control exceptions clearly.
This method is easily and quick to prepare However, it can be easy for the
which mean that they are a cost effective method company to overstate the level of the
for recording system. Besides, questionnaire ensure controls present as they are asked a
that all controls present within the system are being series of questions relating to
consider and record and therefore, missing controls potential controls. Additional,
Questionnaires
or deficiencies are highlighted. Next, questionnaire without careful tailoring of the
are simple to complete and thus any members of questionnaire to make its company
the team can complete it and they are easy to use specific, there is a risk that controls
and understand. may be misunderstood and unusual
control missed.
Flowcharts provide a concise overview of the The flowchart should be drawn
clients system, which help the auditors to identify with a template and ruler or with
control and deficiencies in the client system. It can software otherwise it will become a
enhance auditor’s evaluation and annual updating messy flowchart and hard to read.
of a chart is relatively easy with addition or Sometimes, control weaknesses does
Flow Chart
deletion of symbols and lines. Next, the result of not always stand out.
flowchart is easy to evaluate and very informative
description and flowcharts shows the various duties
performed by one individual or group also provide
graphic evidence of any conflict responsibilities.
Question 4

A weakness in internal control exists when the design or operation of control does not
allow management or employees in the normal course of performing their assigned functions, to
prevent or detect and correct misstatements. A weakness in design exist when a control
necessary to meet the control objective is missing or when an existing control is not properly
designed and therefore even if the control operates as designed, the control objectives would not
be met. In the other hand, a weakness in operation will occur when a properly designed control
does not operates a designed or when the person performing the control does not possess the
necessary authority or competence to perform the control efficiency.

Therefore, any weaknesses should be communicated, in writing to the management. The

written communication is best made by the report release date where it is the date the auditor
grants the entity permission to use the auditor’s report in relation with the financial statement.
For some reason, early communication to the management may be important because of their
relative significance and the urgency for corrective follow-up action. The existence of material
weaknesses may already be known to the management and can be represent a conscious decision
by the management to accept the risk related to the weakness due to cost and other consideration.

This is where the management is responsible to make decision concerning cost to be

incurred and related to the benefits. Addition, auditor’s responsibility is to communicate
significant weaknesses exist regardless to the management’s decision. If other matters are
communicate orally, therefore auditor should document the communication.

Conclusion, management is responsible for the weakness of the internal control to take
action and internal auditor can only suggest it.
Question 5

Audit program is a set of policies and procedure that dictate how an evaluation of a
business is done. This generally involve specific instruction as to what and how much evidence
must be collected and evaluated as well as who will collect and analyze the data and when this
should be done. In relation, audit program is use to guiding audit staff and audit work whereas
provide evidence of proper planning and recording of audit work to be done. Audit programs are
important because they standardize the data collection and evaluation process by setting out list
of steps to be followed and data to be collected. Additionally, having a program can make sure
that any problems are discovered promptly and reported to the correct person.

Standard Audit Program is where some auditors prepare a standard audit program
or make use of what may be called uniform work papers. This type of preprinted audit program
is provided to the audit staff who are expected to conduct the audit strictly according to the
standard instruction. Tailored audit programs are different from standardized audit programs in
that they cater audit procedures to match specific needs of the auditing entity. These audit
programs are "tailored" to reference specific areas such as business procedures, legal documents
and assets.

Meanwhile advantages of audit program is where the auditor can judge the efficiency of
his audit team by holding of an audit program. In this context, he is in a position to know the
progress of the work where he can see at any time that what part of the work has been completed
and what remains to be done. Next, distribution of work where audit program is very useful in
distributing the audit work properly among the members the audit team according to their talent.

However audit program has certain disadvantages. One of the disadvantages is the
auditor’s task becomes mechanical and as a result initiative and efficiency are adversely affected.
Next, there is always a tendency to speed up the work to complete it within the required time
schedule.
Question 6

Audit procedure are the processes the auditors perform to obtain audit evidences which
enable them to make conclusion on the audit objective set and express their opinion. Auditors
normally prepare audit procedures at planning stage when they had identified audit objective,
audit scope and risk. Audit procedure is design so that auditors can detect all kind of risk that
they identified and ensure that the require audit evidence are obtained sufficiently and
appropriately. However, audit procedures might be different from client to client and period to
period due to different client’s financial statement might have different risks.

One of audit procedure is confirmation where it is the process of obtaining and evaluating
a direct communication from a third party in respond to request from information about a
particular item affecting financial statement assertions. Process of confirmation includes
selecting items for which confirmation are to be requested, designing the confirmation request,
obtaining the response from third party and evaluate the information provide by third party about
audit objectives including the reliability of that information.

The auditor uses the audit risk assessment in determine the audit procedures to be applied
include confirmation as confirmation is undertaken to obtain evidence from third parties about
financial statement assertion made by the management where audit evidence is more reliable
when it is obtained from independent sources outside the entity.