Professional Documents
Culture Documents
8.0 Introduction
An auditor would assess a client’s internal control to assert that the controls compiled by the
management are effective and if there is derivative from procedures. This is called a test of control.
An internal control system embraces the control environment and internal control procedures.
Purpose of Internal Control (IC) is that it should be able to provide reasonable assurance that the
organization can meet its objectives.
The system of internal control is defined as the actions taken by the board and management
to manage risk and increase the likelihood that established goals will be achieved (Statement
of Risk Management and Internal Control by Bursa Malaysia, 2012)
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) defines
internal control as process, effected by the board of directors, management, and other
personnel, designed to provide reasonable assurance regarding the organization’s
objectives.
In small entity such as small enterprise, the employees and process flow are still manageable
by the manager
Large organization can’t do same like small entity because there is large number of
employees and more complex organizational structure and business flow.
A sound IC will actually help the organization to exert control over their business process to
remain functional and operational.
Key benefits:
Risk management
Achieving higher standard in business process among peers
Compliance with laws and regulation such as Bursa Malaysia/ Securities Commission
Malaysia
Have better communication with employees
Segregation of Duties –
duties or segregation are
segregated to reduced risk
Preventive and errors for certain event.
control/Proactive Control:
build to avoid errors or any
irregularities from Safeguarding Assets –
happening. different department may
Types of Internal Control have different security
levels to access certain part
Detective control: find or of building in organization.
allocate errors after they
have occurred.
Element of Internal Control
Responsibilities
External auditors are required to conduct an audit on IC over financial reporting for large companies.
This would be useful when they are preparing for audit planning to include into their analytical
procedures/test of control on the client’s IC.
ISA 500 – Audit Evidence is known as information used by the auditor in arriving at the conclusions
on which the auditor’s opinion is based. Audit evidence includes both information contained on
the accounting records underlying the financial statements and other information.
Para A49 of ISA 500 – information produced by the entity that is used for performing audit
procedures needs to be sufficiently complete & accurate in order for the external auditors to
obtain reliable audit evidence.
Requirement by Regulators
In Malaysia, listed companies are required to follow the Listing Requirements by the Bursa
Malaysia in order for them to be listed in the Malaysian capital market.
Among the requirements related to internal control is stated in Chapter 15 of the listing
requirement.
. Chapter 15, para 15.26 (b) it mentions of additional statements by the Board of Directors to be
included in the annual report; which is, to issue a statement about the state of risk management and
internal control of the listed issuer as a group
This is further stated in the Malaysian Code of Corporate Governance (MCCG) 2012, under
Principle 6, Recognize and Manage Risks.
In order to further aid good corporate governance, Bursa Malaysia issued the Statement on
Internal Control-Guidance for Directors of Public Listed Companies. This was first issued in
December 2000. These are further illustrated in Table 4.2.
A deficiency in the IC system would suggest that there exists a disruption in the financial reporting
process.
ISA 265, para 6 – These deficiency in IC might arise from design/operation, such that they do not
allow management/employees to perform their function & duties effectively, so as to
prevent/detect any misstatement on a timely basis
Public Company Oversight Board (PCAOB) – deficiency in design exists when a control necessary to
meet the control objective is missing/an existing control is not properly designed. Subsequently,
even if the control operates as designated, the control objectives would not meet.
deficiency in operation exists when
a control does not operate as
this deficiency has to be
designated/when the person
communicated to those charged this wloud usually take place after
performing the control does not
with governance, i.e. the the completion of audit
process the necessary
management & BOD
authority/competence to control
effectively
SUMMARY
Internal Control
System
Relationship
Importance of between Internal Requirement by Cyber Threat to
Types of Internal Element of
Internal Control Responsibilities Control and Audit Regulators Internal Control
Control Internal Control
System Evidence