RUBIATUL ADAWIYAH BINTI MOHD ASHARI (264831)

INTERNAL CONTROL SYSTEM

8.0 Introduction

An auditor would assess a client’s internal control to assert that the controls compiled by the
management are effective and if there is derivative from procedures. This is called a test of control.
An internal control system embraces the control environment and internal control procedures.

8.1 Fundamental Concepts

Purpose of Internal Control (IC) is that it should be able to provide reasonable assurance that the
organization can meet its objectives.

 The system of internal control is defined as the actions taken by the board and management
to manage risk and increase the likelihood that established goals will be achieved (Statement
of Risk Management and Internal Control by Bursa Malaysia, 2012)
 The Committee of Sponsoring Organizations of the Treadway Commission (COSO) defines
internal control as process, effected by the board of directors, management, and other
personnel, designed to provide reasonable assurance regarding the organization’s
objectives.

Importance of Internal Concept System

A system of IC is an important mechanism for an organization to remain functional and operational.

 In small entity such as small enterprise, the employees and process flow are still manageable
by the manager
 Large organization can’t do same like small entity because there is large number of
employees and more complex organizational structure and business flow.
 A sound IC will actually help the organization to exert control over their business process to
remain functional and operational.

Key benefits:

 Risk management
 Achieving higher standard in business process among peers
 Compliance with laws and regulation such as Bursa Malaysia/ Securities Commission
Malaysia
 Have better communication with employees

Preventive
control/Proactive Control:
build to avoid errors or any
irregularities from
happening.
Types of Internal Control
Detective control: find or
allocate errors after they
have occurred.
Segregation of Duties –
duties or segregation are
segregated to reduced risk
and errors for certain event.
Safeguarding Assets –
different department may
have different security
levels to access certain part
of building in organization.
Element of Internal Control

(a) Control Environment  Demonstrates commitments to integrity &

ethical values
 Exercises oversight responsibility
 Establishes structure, authority & responsibility
 Demonstrates commitment to competence
 Enforces accountability

(b) Risk Assessment  Specifies suitable objectivities

 Identify and analyses risk
 Assesses fraud risk
 Identifies and analyses significant change

(c) Control Activities  Selects & develops control activities

 Selects & develops general control over
technology
 Deploys through policies & procedures

(d) Information and  Uses relevant information

Communication  Communication internally
 Communication externally

(e) Monitoring  Conduct ongoing and/or separate evaluation

 Evaluates & communicates deficiencies

Responsibilities

 BOD maintain a sound of IC system.

 Suggest to have a least an annual review of the effectiveness of the organization of the
organization’s IC system (regulators).

8.2 Importance of Internal Control to Auditors

External auditors are required to conduct an audit on IC over financial reporting for large companies.
This would be useful when they are preparing for audit planning to include into their analytical
procedures/test of control on the client’s IC.

Relationship between Internal Control and Audit Evidence

ISA 500 – Audit Evidence is known as information used by the auditor in arriving at the conclusions
on which the auditor’s opinion is based. Audit evidence includes both information contained on
the accounting records underlying the financial statements and other information.

Para A49 of ISA 500 – information produced by the entity that is used for performing audit
procedures needs to be sufficiently complete & accurate in order for the external auditors to
obtain reliable audit evidence.

8.3 Review and Documentation of Internal Control System

IC documentation may exists in various form, from flowchart to organization’s policy & procedure
manuals. A widely used method to document & evaluate control is a system flowchart. The
accounting system flowchart shows the flow of information & documents & provides narration of
related procedures.

Requirement by Regulators

 In Malaysia, listed companies are required to follow the Listing Requirements by the Bursa
Malaysia in order for them to be listed in the Malaysian capital market.

 Among the requirements related to internal control is stated in Chapter 15 of the listing
requirement.

. Chapter 15, para 15.26 (b) it mentions of additional statements by the Board of Directors to be
included in the annual report; which is, to issue a statement about the state of risk management and
internal control of the listed issuer as a group
 This is further stated in the Malaysian Code of Corporate Governance (MCCG) 2012, under
Principle 6, Recognize and Manage Risks.

– As stated in Recommendation 6.1, the BOD should establish a sound framework to

manage risks.

– It is expected that the board should establish a sound risk management

framework and internal control system within the organization.

 In order to further aid good corporate governance, Bursa Malaysia issued the Statement on
Internal Control-Guidance for Directors of Public Listed Companies. This was first issued in
December 2000. These are further illustrated in Table 4.2.

Cyber Threat to Internal Control

 Recent computer malware that spread across 150 countries

 Taking over user’s files & demanding a minimum USD300 (MYR1,300) to restore
 Cyber security is pivotal in large organization as attack can cause massive damage
 Implication is data losses, disruption of operating and leaked information
 Effective cyber security should be considered when assessing risk & formulating risk
management procedures

8.4 Communicating with Those Charged with Governance

A deficiency in the IC system would suggest that there exists a disruption in the financial reporting
process.
ISA 265, para 6 – These deficiency in IC might arise from design/operation, such that they do not
allow management/employees to perform their function & duties effectively, so as to
prevent/detect any misstatement on a timely basis

Public Company Oversight Board (PCAOB) – deficiency in design exists when a control necessary to
meet the control objective is missing/an existing control is not properly designed. Subsequently,
even if the control operates as designated, the control objectives would not meet.
 deficiency in operation exists when
a control does not operate as
this deficiency has to be
designated/when the person
communicated to those charged this wloud usually take place after
performing the control does not
with governance, i.e. the the completion of audit
process the necessary
management & BOD
authority/competence to control
effectively

letter content management

the latter shall attest to the acknowledgements of thier
external audtors would prepare a
accurancy of the financial statement responsibilities for the design &
management represent letter,
that company/client had implementation of control to
which aould sign by senior
submmited to the external auditors prevent fraud involving the
management of company
for an audit management that would affect
company, detail of employees/FS

SUMMARY

Internal Control
System

Importance of Review and Communicating

Fundamental Internal Control to Documentation of with Those
Concept Auditors Internal Control Charged with
System Governance

Relationship
Importance of between Internal Requirement by Cyber Threat to
Types of Internal Element of
Internal Control Responsibilities Control and Audit Regulators Internal Control
Control Internal Control
System Evidence