SAMMY FUNG
HK1210

MATTHEW LEE

INTERNAL CONTROL REVIEW: THE PRACTICAL APPROACH

A series of corporate accounting scandals in the 2000s enlightened organizations on the
importance of an effective internal control system.[1] A sound internal control system did not
only help organizations satisfy their legal and compliance obligations. It also provided
assurance that an organization could achieve its objectives and reduce financial losses through
timely response to internal and external risks, failures and weaknesses.

As organizations varied in their origins, structures, and processes, there was no
one-size-fits-all model or framework that consultants could adopt when evaluating the
effectiveness of internal controls. The role of a consultant was to apply models and frameworks
with flexibility and exercise independent judgment.

P Consulting was a global internal control consulting firm.[2] It helped clients conduct internal
control assessments, from understanding their needs and setting project objectives, confirming
the scope of the assessment, evaluating the design and operating effectiveness of internal
controls, and keeping track of deficiencies, to reporting the results. Throughout the cycle, P
Consulting adopted a wide variety of methodologies, including interviewing management and
employees, reviewing internal documentation, and sampling.

You were a consultant at P Consulting, and your supervisor, Daniel, had assigned you to
“Project TM.” You needed to advise your client Toy Maniac (TM), a toy seller, on the design and
effectiveness of its internal controls.

[1] The corporate accounting scandals included the Enron scandal in 2001, where there were instances of fraud by its executives and
employees and inflation of earnings reports by keeping huge debts off balance sheets, and the WorldCom scandal in or around
2002, where assets and revenues were inflated and line costs were underreported.
[2] The author of this case would like to thank Protiviti Hong Kong Co. Limited (Protiviti HK), a member of Protiviti Inc. (Protiviti),
for sharing its experience in performing internal control reviews. Protiviti HK is a consulting firm that offers business solutions
in technology, business process, risk, compliance and internal audit. Its mission is to team with clients to protect and enhance
enterprise values by identifying, anticipating and solving critical business issues. As of December 2018, Protiviti had more than
70 offices in over 20 countries. It had more than 3,600 professionals worldwide and served over 60% of the Fortune 1000®
companies and 35% of the Fortune Global 500® companies.

Matthew Lee prepared this case under the supervision of Dr. Sammy Fung for class discussion. This case is not intended to show
effective or ineffective handling of decision or business processes. The discussion, opinions and facts in this case are fictional.
Cases are written in the past tense; this is not meant to imply that all practices, organizations, people, places or facts mentioned in
the case no longer occur, exist or apply.

© 2019 by The Asia Case Research Centre, The University of Hong Kong. No part of this publication may be digitized, photocopied
or otherwise reproduced, posted or transmitted in any form or by any means without the permission of The University of Hong
Kong.
Ref. 19/641C

Last edited: 16 September 2019

This document is authorized for educator review use only by ROSE MAE LANGOT, HE OTHER until Apr 2021. Copying or posting is an infringement of copyright.
Permissions@hbsp.harvard.edu or 617.783.7860

Purpose of Internal Controls

Internal controls, being practices, policies or procedures established within an organization to
create value or minimize risks, were critical to the operation and succession of an organization
irrespective of its size, legal and ownership form and industry.

An effective internal control system could help organizations increase accountability and
prevent incidents which might ruin their financial performance, such as shoddy financial
reporting, unethical business practice, theft and fraud.

Further, some organizations were mandated under legal and regulatory requirements to satisfy
certain internal control standards. US companies had to follow the requirements on internal
controls over financial reporting stipulated in the Sarbanes-Oxley Act (SOX) of 2002.[3] In Hong
Kong,[4] directors of listed companies were required to (1) oversee the issuer’s risk management
and internal control systems on an ongoing basis; (2) ensure that a review of the effectiveness
of the issuer’s and its subsidiaries’ risk management and internal control systems has been
conducted at least annually; and (3) report to shareholders that it has done so in its corporate
governance report.[5]

Review Process
On the first day of your assignment, your supervisor, Daniel, introduced you to the process of
internal control review, which consisted of six main stages [see Exhibit 1].

Stage 1: Understanding Client’s Needs and Setting Project Objectives
Before accepting an engagement, consultants should first confirm the needs and objectives of
potential clients. They should be cautious that clients’ objectives might differ across clients’
countries, nature of businesses and cost constraints. Clients’ objectives could range from
supporting listing applications, satisfying legal or regulatory requirements, building sound
internal control systems to tackling specific problems. Western corporations usually viewed
internal controls as essential to long-term business success because they helped monitor
performances and mitigate risks, whereas the majority of East Asian companies, in particular,
traditional family businesses and small- to medium-sized enterprises, implemented internal
controls to satisfy their compliance requirements.

Stage 2: Confirming the Scope of Assessment


Before the commencement of substantive review work, consultants should prepare an
engagement letter to set the scope of the review.

P Consulting recognized that an effective internal control system should comprise both
well-designed and functioning entity-level controls and process-level controls. Entity-level
controls were those implemented across an organization. For instance, an organization should
have in place a policy for conflicts of interests. On the other hand, process-level controls were
controls for a specific division, operating unit, function or process. For instance, an
organization’s public relations department should have guidelines on external communication.

[3] The SOX was passed by the US Congress following the corporate accounting scandals. See note 1 above.
[4] Listed companies in Hong Kong were required to act in accordance with the Corporate Governance Code (Code) published by
the Stock Exchange of Hong Kong Limited in Appendix 14 of the Main Board Listing Rules and Appendix 15 of the Growth
Enterprise Market Listing Rules.
[5] See Principle C.2.1 of the Code.


If a client asked for an entity-wide review, the consulting project covered a review of both
entity-level and selected process-level controls. The selection of processes for review depended
on the significance and degree of risk of such processes, considered in light of the industry,
location, and size of the client. P Consulting was frequently asked to review processes including
revenue and receivables, service delivery and cost management, financial reporting, fixed assets,
treasury management, human resources and payroll management.

Alternatively, clients might limit the scope of the review to the controls of a specific division,
operating unit, function or process.

Stage 3: Evaluating the Design of Internal Controls


In evaluating the design and effectiveness of internal controls, P Consulting recommended
that consultants adopt the integrated framework developed by the Committee of Sponsoring
Organizations of the Treadway Commission (COSO Framework) as the starting point. The
COSO Framework helped organizations design and implement internal control, broaden the
application of internal control in addressing operation and reporting objectives, and clarify the
requirements for determining what constituted effective internal control.

The COSO Framework comprised five components (components), namely (1) control
environment, (2) risk assessment, (3) control activities, (4) information and communication,
and (5) monitoring activities. The components were collectively supported by 17 principles
(principles). Each of the principles was further supported by points of focus that represented
important characteristics associated with the principles (points of focus). The principles and the
points of focus were guidelines on whether each of the components, operating individually or
in an integrated manner, was effectively designed and implemented [see Exhibit 2].

Consultants should adopt the most suitable methodologies in collecting information from
clients. For example, it was common practice to arrange interviews with clients’ management
to identify clients’ entity-level controls. Before the interviews, consultants should prepare an
interview plan [see Exhibit 3]. Common questions included (1) whether there were any
mechanisms in place to regularly communicate to management and employees the importance
of internal controls and to raise their level of understanding of controls, and (2) whether the risk
identification process was comprehensive and included all significant interactions internal to
the clients’ organizations and between the clients’ organizations and their relevant business
partners and outsourced service providers.

For process-level controls, P Consulting recommended that consultants understand clients’
business activities in each business process by interviewing the process owners and reviewing
existing documentation, including flow charts obtained from process owners or prepared based
on discussions with the stakeholders involved. The flow charts should be supplemented by
narratives that described the processes. Based on the flow charts and narratives, the risks of
each process could be identified. Consultants should then prepare a plan to test whether the
designs of the controls were suitable and adequate to address the risks they identified.

Stage 4: Evaluating the Operating Effectiveness of Internal Controls


After testing the design and sufficiency of internal controls, consultants had to further test
whether the internal controls were operating as intended, alone or in an integrated manner.

P Consulting recognized that sampling was critical in testing the effectiveness of internal
controls because it was impossible to review all the entity’s records. It had a sampling guide to
assist consultants in determining the quantity and quality of samples to collect. In deciding on
a sample size, consultants should consider whether a control was primary or secondary, simple
or complex and other relevant factors. In general, the size of a sample increased when the
relative importance of the control and its complexity increased.

Throughout the testing process, consultants needed to properly manage the document trail and
record the results, including the test results and any exceptions noted.

Stage 5: Keeping Track of Deficiencies


Internal control deficiencies were shortcomings in components and principles that might reduce
the likelihood that an entity would achieve its control objectives.

P Consulting followed the COSO Framework in categorizing internal control deficiencies.


“Major deficiencies” existed when components and relevant principles were absent or
non-functioning, or were not operating together, such that the likelihood of an entity
achieving its objectives was severely reduced. Major deficiencies in one component could not
be mitigated to an acceptable level by the presence and functioning of another component.
Similarly, major deficiencies in a relevant principle could not be mitigated to an acceptable
level by the presence and functioning of another principle.

Consultants had to (1) exercise independent judgment in assessing and categorizing the severity
of the deficiencies, (2) prepare a log to help clients keep track of the deficiencies, and (3) advise
clients on possible remediation plans.

Stage 6: Reporting the Review Results


In this last stage, consultants needed to present their findings during a final meeting with clients
and publish the deliverables as agreed under the engagement, for example, an internal control
review report.

Project TM

You scheduled a preliminary meeting with Andy, who was in charge of TM’s compliance.
Before the meeting, your supervisor gave you a brief introduction to the background of TM and
its subsidiary, Gadgets Collect (GC, together with TM, the Group).

TM was a limited company incorporated in Hong Kong in 1998 and had been listed on the
Hong Kong stock exchange since 2018. Its mission was to deliver high-quality, safe,
and innovative toys. TM had a strong reputation among toy-selling companies in Hong Kong.
While it was ranked only 15th in revenue generation, TM was famous for the novel design of
its toys. This was not surprising, because 20 of its 50 employees were research and development
(R&D) staff. Its “Super Hero Toy Gun” series was very popular among teenagers and young
adults. Rather than using rubber bullets, the toy guns emitted laser beams. Players had to shoot
targets on their computer screens and upon accumulating certain scores, they could redeem
them for upgraded accessories.

During the first 10 years of its operation, TM did all the design, manufacturing, marketing and
distribution of its products. In 2004, TM acquired 80% of the shares of GC, a Hong
Kong-incorporated company that owned and operated several manufacturing plants in
mainland China (PRC) because of the rising costs of operating its own factory. GC was by then
the seventh-largest toy manufacturing company in Hong Kong and had over 20 toy companies
as its customers. After the share acquisition, GC terminated most of these contracts and became
the exclusive manufacturer for TM.


In addition, with a view that the conventional way of distribution through physical stores had
become too costly and unpopular, TM started selling its toys through its own and third-party
distributors’ websites last year.

Review of the Entity-Level Controls of the Group
At the meeting, you and your team members collected the following information from Andy.

Group Structure and Governance

Andy first presented to you a Group structure chart [see Exhibit 4]. TM had one executive
director, four nonexecutive directors, and no independent nonexecutive director. Richard
Namkong, the executive director and chairman of the board, was also the chief executive officer
(CEO) of TM and a director of GC. TM did not have a nomination committee. The directors
met irregularly, and no proper record of the meeting minutes was kept. It had no company
secretary to facilitate information flow within the board. After reviewing it, you discovered that
the structure chart did not show any indication that it had been approved.

TM did not have an internal audit function to review its material controls. The directors, who
had graduated with engineering degrees, relied on the departments to report internal control
issues when drafting the corporate governance report. They performed random checks and
reviewed internal control deficiencies that the departments reported. They had considered
outsourcing the internal audit function, but did not because of cost constraints. During the last
random check, the directors discovered that their finance department recorded expenses on
receipt of invoices, not when they were incurred.

TM had a knowledge management team that analyzed internal and external data. One
significant data source was retail customers’ feedback. Customers were asked to rate their
satisfaction with the toys on a scale of 1 to 5, with 5 being highly satisfied; 4, very satisfied; 3,
fairly satisfied; 2, satisfied; and 1, unsatisfied. TM was proud that 99% of its customers were
satisfied with its toys. In recognition of their contributions, members of the knowledge
management team received bonuses based on customer satisfaction.

Andy explained that TM did not have the resources to hold regular staff trainings and expected
staff to understand TM’s mission and vision on their own. Its code of conduct and employee
handbook, despite being incorporated into the template employment contracts, were not
accessible through the internet and had last been updated three years earlier.

Human Resources

You then asked Andy to explain TM’s human resource policies and supporting structure.
According to Andy, this part of the business had been relatively unstructured until recently,
when an unexpectedly high turnover of R&D and warehouse staff forced TM to revisit its
human resources function. The first thing TM did was to establish a remuneration committee
to review its remuneration packages.

TM also started reimbursing its warehouse staff for transportation and meal expenses. Its
intranet allowed warehouse staff to submit their claims and would automatically generate an
expense report. TM required the warehouse staff to upload a soft copy of the receipts onto the
system. Andy said that as a demonstration of trust in its employees, they were not required to
submit the original receipts. Depending on the amount claimed, an expense report might require
prior approval by the finance department.


Relationship with GC

Next, you asked Andy for a copy of the signed contract between TM and GC. Andy responded
that as GC was the manufacturer for almost all TM’s toys, TM considered that a supplier code
of conduct or signed contract was unnecessary.

Andy then proudly told you that the stock management systems of TM and GC were integrated.
When toys were delivered from GC to TM, the system automatically recorded a deduction in
GC’s stock and an addition to TM’s stock. Andy nevertheless reluctantly told you that the
system did not record the serial numbers of toys being delivered. Every month, staff from TM’s
sales department took a stock count at its warehouse. If there were any discrepancies between
the stock count and the system record, the staff reported them to the manager of the sales
department, who had the discretion to write off that amount.

Policies
Andy acknowledged that TM did not have a policy to address the risks in relation to its online
platforms and admitted there had been an incident that involved a clerk in TM’s IT department.

The clerk, Buzz, had logged into TM’s account in a distributor’s website and used the platform
to make an unauthorized sale of three toy cars he owned. Buzz provided the payment instruction
that the purchasers should transfer the payment to Buzz’s personal bank account. The incident
was discovered two weeks later, when Rex, hotline staff of TM, received a call enquiring about
the toy cars. TM did not have a whistle-blowing policy, and Rex did not know who he should
report the incident to. He shared it on TM’s public gossip page on a social media website. After
reading the page, Andy contacted the distributor, checked the log-in records, and was able to
trace Buzz’s actions. At that juncture Andy set up a disciplinary board. After a two-week
investigation, the disciplinary board considered the incident a minor one and gave Buzz a verbal
warning.

You looked at the public gossip page Andy mentioned and found anonymous posts saying that
(1) Richard Namkong owned 25% of the shares in TM’s largest distributor, and (2) some toy
samples from GC were lost for no reason. Andy acknowledged that he had read the posts, but
there had been no follow-up action.

You asked Andy for copies of TM’s data privacy policy and anticorruption policy. Andy
acknowledged that no data privacy policy was in place, yet TM was cautious in disclosing
customers’ personal data to marketing firms. Andy confidently told you that TM did not receive
any profit from such disclosure. Andy also said that since employees had agreed to conform to
all applicable laws and regulations in their employment contracts, he considered an
anticorruption policy unnecessary.

Threatened Litigation
Andy mentioned another incident that TM considered “alarming”.

Several months earlier, a former director of TM had purchased a “Super Hero” toy gun from
TM for his five-year-old nephew at a discounted price. His nephew aimed the gun at his
three-year-old sister, and the laser hurt her eyes. The nephew’s mother was enraged and threw
the toy gun at the manager of TM’s quality-control department, who suffered physical injuries.
This incident caused the media to further question why TM could legally sell “offensive
weapons.” The directors of TM did not know how to react but said, “The reason for the accident
was still under investigation.” TM had no risk management policies or procedures for
communicating with the media. As a series of litigations was likely to follow, the accountants
of TM advised the directors to make a provision for litigation expenses. The directors disagreed,
as this would adversely impact TM’s financial performance. However, to assist TM in facing
the crisis, one director agreed to make a loan to TM on terms more favorable than those on the
market. Such a loan was not evidenced by any written agreement.

Financial Performance
The Group had had poor financial performance the previous year. At the forefront, the demand
for toys decreased as online games became more popular. TM’s new products duplicated
previous ones, partly due to the departure of some of its key R&D staff.

Moreover, TM’s internal records revealed three incidents that took place during the previous
financial year.

First, one of TM’s junior staff stole three boxes of “Super Hero” sixth-generation toy gun
prototypes and disappeared. The product would have been ready for a market launch in half a
year. Andy said that TM had not reported the theft to the police because it did not want to
become a news headline.

Second, a competitor sued TM for patent infringement. However, according to Andy, without
a legal department, TM had difficulty in responding promptly.

Third, there were rumors that because of increasing land and operation costs in the PRC, as a
cost-saving measure, GC had hired casual workers who were high school students in rural areas
in the PRC. Andy explained that even if this were true, the measure should be temporary, and
workers should have given their consent.

The directors of TM worried that (1) the actual performance of TM deviated significantly from
its operations and financial performance goals; (2) they had not conducted any risk analyses or
made any contingency plans; and (3) their bonuses for the year were correlated to TM’s
performance. They instructed the accounts department not to consolidate GC’s accounts when
preparing the Group’s financial statements.

Your team members documented their observations of TM’s control environment in a table [see
Exhibit 5]. The table, though incomplete, highlighted some of the deficiencies in the design of
the controls in the “Deficiency description” column.

After several rounds of discussion with your team members, you classified the deficiencies as
“major deficiencies” and suggested that TM take immediate remedial actions.

Review of the Process-Level Controls of the Group


After reviewing the entity-level controls, you and your team members reviewed selected
process-level controls of the Group.

One of the processes selected was GC’s acquisition of fixed assets. As GC was a manufacturing
company, with “property, plant and equipment” accounting for a huge portion of its total assets,
any misstatement in the financial statements would pose a high risk.

During an interview, the senior officer of GC described the acquisition process:



(1) GC categorized its fixed assets depending on their nature and use. GC’s operation
manager allocated a portion of the budget for procurement of each category of fixed
assets each year. After receiving a purchase request form, the procurement and logistic
team checked the form to ensure that the requested items were within the approved
budget amount.
(2) If the acquired fixed assets were invoiced, the accounts department checked the
delivery note against the supplier invoice, purchase request form, and purchase order.
(3) The accounts department input the journal entries in the warehouse system (W System).
Such entries were yet to be posted and were called journal vouchers.
(4) The warehouse staff generated two identical barcode labels with a five-digit number,
one being affixed to the fixed assets and the other on the delivery note.
(5) At the end of each month, the senior officer or finance manager checked and approved
the journal vouchers and posted them on the W System.
(6) The procurement and logistic team also checked the fixed assets delivered on the
purchase order log sheet against the delivery note.
(7) Semiannually, GC accountants prepared journal entries to add those fixed assets
delivered but with an invoice not yet received.
(8) The senior officer signed off on the journal voucher and posted the journal entries after
performing a three-way match for details against the delivery notes and the purchase
order log sheets.

After the interview, your team members prepared the process flow chart [see Exhibit 6]. Your
team found the following deficiencies in the effectiveness of the design of the controls:

(i) No signature from a department head was required on the purchase request form; hence,
the procurement might not have been duly authorized.
(ii) The procurement and logistic team was not required to consider whether the fixed
assets were correctly categorized before checking against the budget amount.
(iii) The W System was not password protected. Persons other than the senior officer,
finance manager, or staff of the accounts department could access it. Journal vouchers
could be altered, and no audit trail was kept.
(iv) A fixed assets register was not maintained, leading to increased risk of misstating the
fixed assets balance, depreciation expenses, and profit or loss on disposal in the
financial statements.

Further, your team developed plans to test the operating effectiveness of each control. For
instance, to check whether GC’s senior officer or finance manager did a detailed check against
supporting documents before posting and signing off on the journal vouchers, your team
obtained the journal list for the acquisition of fixed assets generated from the W System for a
certain period. Afterwards, your team selected 25 journal entries from the journal list and
obtained the journal vouchers, delivery notes, purchase orders, purchase requisitions and
approved supplier invoices. The team also checked whether the senior officer or finance
manager signed the journal vouchers and whether the details on the journal vouchers, such as
the description of the fixed assets and the quantity and amount, matched the supporting
documents.

Your team discovered that:

(i) Barcodes for two pieces of machinery were different from their delivery notes.
(ii) Accountants of GC wrongly prepared journal entries to add those fixed assets on a lease
and depreciated such assets.
(iii) Some journal vouchers were not signed by the senior officer or finance manager.


The Way Forward

You were to attend another interview with TM. After reviewing your work, Daniel asked you
to address the following issues before the interview:

(1) Review the observations of your team members on the control environment of the
Group [as documented in Exhibit 5] and state your other observations, if any.

(2) Analyze the (i) risk assessment, (ii) control activities, (iii) information and
communication, and (iv) monitoring activities of the Group (other components). You
were to use the table in Exhibit 2 as the template to analyze the design effectiveness
of each of the other components. You were also to note any questions or additional
information that you needed for your assessment.

(3) Prepare a list of other processes of the Group, controls of which should be tested. For
example, you might wish to test the payment and revenue cycles. You were advised to
consider the significance of such processes and the impact of the failure of such
controls on the Group.

(4) “F/S assertions (financial statement assertions)” referred to claims made by an
organization’s management regarding its financial statements. The assertions formed a
theoretical basis from which external auditors developed a set of audit procedures. A
control risk might challenge the validity of a financial statement assertion. For instance,
if “received fixed assets did not represent fixed assets acquired by the GC,” the
assertions in relation to “existence and occurrence” and “rights and obligations” would
be wrong. To reduce this risk, the senior officer or finance officer would have to review
documents such as the delivery notes, purchase orders and purchase requisition, and
supplier invoice before approving the journal vouchers and posting them.

Consider risks other than “received fixed assets may not represent fixed assets acquired
by the GC” during its fixed assets acquisition process, and how such risks could impact
any financial statement assertions.

In your view, were there major deficiencies in the Group’s entity-level and process-level
controls? How would your team proceed to further test such controls’ reliability? What
mitigating actions would you suggest?
EXHIBIT 1: INTERNAL CONTROL REVIEW PROCESS

Stage 1: Understanding the client’s needs and setting project objectives
Objective: to understand client’s background, objectives and constraints
Approach: discussion with management, research on legal and regulatory requirements, background search (e.g., know your customer, conflicts check)
Output: internal control review proposal, confidentiality agreement

Stage 2: Confirming the scope of assessment
Objective: to confine the scope of the internal control review, to agree on the framework and approach to be adopted and the timeline for the review, to set any assumptions and limitations on the review
Approach: discussion with management, formation of a working team
Output: signed engagement letter, team contact list, project plan

Stage 3: Evaluating the design of internal controls
Objective: to identify key corporate- and process-level controls within the client’s entity, to assess the adequacy and effectiveness of the design of the internal controls
Approach: interviews, documents review (e.g., operation manuals, code of conduct), site visits
Output: flow charts, narratives, test plans, gap analysis

Stage 4: Evaluating the operating effectiveness of internal controls
Objective: to test whether designed internal controls are operating as intended
Approach: inquiry, inspection, observation, and re-performance
Output: test plans, gap analyses, test methodologies, and results databases

Stage 5: Keeping track of deficiencies
Objective: to assist and monitor client’s remediation of internal control deficiencies, to define remediation stages, to test the internal controls after remediation
Approach: formation of remediation plans, management’s confirmation and test of remediated controls
Output: deficiency log, remediation plans, and deficiency remediation status

Stage 6: Reporting the review results
Objective: to communicate assessment results to management and key stakeholders
Approach: presentation to management and key stakeholders
Output: internal controls review report

EXHIBIT 2: PRO FORMA REVIEW TOOL (ADAPTED FROM THE COSO FRAMEWORK)

Control Environment

Columns: Principle | Point of Focus | Description of current controls | Control # | Control Unit or Location | Design effectiveness | Operating effectiveness | Control operating effectiveness | Point of Focus in place / addressed? | Deficiency # | Deficiency description | Deficiency severity | Comments

P1. Demonstrated a commitment to integrity and ethical values
  1 Set the tone at the top
  2 Established standards of conduct
  3 Evaluated adherence to standards of conduct
  4 Addressed deviations in a timely manner
P2. Board exercised oversight responsibility over internal control
  5 Established oversight responsibilities
  6 Applied relevant expertise
  7 Operated independently
  8 Provided oversight of the system of internal control including control environment, risk assessment, control activities, information and communication, and monitoring activities
P3. Management established structures, authorities and responsibilities
  9 Considered all structures of the entity
  10 Established reporting lines
  11 Defined, assigned and limited authorities and responsibilities
P4. Demonstrated commitment to competence
  12 Established policies and practices
  13 Evaluated competence and addressed shortcomings
  14 Attracted, developed and retained individuals
  15 Planned and prepared for succession
P5. Enforced accountability
  16 Enforced accountability through structures and responsibilities
  17 Established performance measures, incentives and rewards
  18 Evaluates performance measures, incentives and rewards for ongoing relevance
  19 Considered excessive pressures
  20 Evaluated performance and rewards or disciplines

Overall Effectiveness of the Component | Comments
Design effectiveness?
Operating effectiveness?

Risk Assessment

Columns: Principle | Point of Focus | Description of current controls | Control # | Control Unit or Location | Design effectiveness | Operating effectiveness | Control operating effectiveness | Point of Focus in place / addressed? | Deficiency # | Deficiency description | Deficiency severity | Comments

P6. Specified suitable objectives
  - Specified suitable objectives
    21a Reflected management’s choices
    22a Considered tolerance for risk
    23 Included operations and financial performance goals
    24 Formed a basis for committing of resources
  - External financing reporting objectives
    21b Complied with applicable accounting standards
    22b Considered materiality
    25 Reflected entity activities
  - External non-financial reporting objectives
    21c Complied with externally established standards and framework
    22c Considered the required level of precision
    25 Reflected entity activities
  - Internal reporting objectives
    21a Reflected management’s choices
    22c Considered the required level of precision
  - Compliance objectives
    21d Reflected external laws and regulations
    22a Considered tolerances for risk
P7. Identified and analyzed risks
  26 Included entity, subsidiary, division, operating unit and functional levels
  27 Analyzed internal and external factors
  28 Involved appropriate level of management
  29 Estimated significance of risks identified
  30 Determined how to respond to risks
P8. Assessed fraud risk
  31 Considered various types of fraud
  32 Assessed incentives and pressures
  33 Assessed opportunities
  34 Assessed attitudes and rationalizations
P9. Identified and analyzed significant change
  35 Assessed changes in the external environment
  36 Assessed changes in the business model
  37 Assessed changes in leadership

Overall Effectiveness of the Component | Comments
Design effectiveness?
Operating effectiveness?

Control Activities

Columns: Principle | Point of Focus | Description of current controls | Control # | Control Unit or Location | Design effectiveness | Operating effectiveness | Control operating effectiveness | Point of Focus in place / addressed? | Deficiency # | Deficiency description | Deficiency severity | Comments

P10. Selected and developed control activities
  38 Integrated with risk assessment
  39 Considered entity-specific factors
  40 Determined relevant business processes
  41 Evaluated a mix of control activity types
  42 Considered at what level activities were applied
  43 Addressed segregation of duties
P11. Selected and developed general controls over technology
  44 Determined dependency between the use of technology in business processes and technology general controls
  45 Established relevant technology infrastructure control activities
  46 Established relevant security management process control activities
  47 Established relevant technology acquisition, development and maintenance process control activities
P12. Management established structures, authorities and responsibilities
  48 Established policies and procedures to support deployment of management’s directives
  49 Established responsibility and accountability for executing policies and procedures
  50 Performed in a timely manner
  51 Took corrective action
  52 Performed using competent personnel
  53 Reassessed policies and procedures

Overall Effectiveness of the Component | Comments
Design effectiveness?
Operating effectiveness?

Information and Communication

Columns: Principle | Point of Focus | Description of current controls | Control # | Control Unit or Location | Design effectiveness | Operating effectiveness | Control operating effectiveness | Point of Focus in place / addressed? | Deficiency # | Deficiency description | Deficiency severity | Comments

P13. Used relevant information
  54 Identified information requirements
  55 Captured internal and external sources of data
  56 Processed relevant data into information
  57 Maintained quality throughout processing
  58 Considered costs and benefits
P14. Communicated internally
  59 Communicated internal control information
  60 Communicated with the board of directors
  61 Provided separate communication lines
  62 Selected relevant method of communication
P15. Communicated externally
  63 Communicated to external parties
  64 Enabled inbound communications
  65 Communicated with the board of directors
  66 Provided separate communication lines
  67 Selected relevant method of communication

Overall Effectiveness of the Component | Comments
Design effectiveness?
Operating effectiveness?

Monitoring Activities

Columns: Principle | Point of Focus | Description of current controls | Control # | Control Unit or Location | Design effectiveness | Operating effectiveness | Control operating effectiveness | Point of Focus in place / addressed? | Deficiency # | Deficiency description | Deficiency severity | Comments

P16. Conducted ongoing and/or separate evaluations
  68 Considered a mix of ongoing and separate evaluations
  69 Considered rate of change
  70 Established baseline understanding
  71 Used knowledgeable personnel
  72 Integrated with business processes
  73 Adjusted scope and frequency
  74 Objectively evaluated
P17. Evaluated and communicated deficiencies
  75 Assessed results
  76 Communicated deficiencies
  77 Monitored corrective actions

Overall Effectiveness of the Component | Comments
Design effectiveness?
Operating effectiveness?

Overall Effectiveness of the Internal Control System | Comments
Are the components operating together in an integrated manner?
Conclusion on overall effectiveness of internal control system?


EXHIBIT 3: PRO FORMA INTERVIEW PLAN (EXTRACT)

Work step | Work done | Gap
1. Control Environment
1. Inquire management if formalized and comprehensive code of conduct or ethics manual has been developed, communicated and made available to all employees,
including senior management and supporting departments. Obtain the code of conduct or ethics manual. The code should include, but not be limited to, the following:
(a) Communications or message from senior management that set the tone at the top and defined the importance of ethics and compliance for all employees;
(b) Ethical standards;
(c) Responsibilities of employee and management;
(d) Conflict of interest policies and procedures (for example anti-corruption policy);
(e) Directors’ dealings in securities;
(f) Confidential and proprietary information;
(g) Defined list and definition of unacceptable behaviors (for example gifts, kickbacks, gratuities, money laundering and relationship with vendors);
(h) Compliance with relevant laws, rules and regulations;
(i) Independent reporting channels (for example ethics and whistle-blower hotline); and
(j) Investigation and disciplinary policies and procedures.
2. Inquire how management communicated the standard of code of conduct or ethics and conflict of interest policy to all levels of employees (for example employee handbook,
emails, intranet and posters), and whether management required all employees to provide periodic written confirmation of their understanding and compliance with the code.
Obtain evidence that the communication program has been effective and inspect one sample of written confirmation signed by the employee, if any.
3. Inquire management as to whether policies and procedures have been developed with regard to the provisions set out in Appendix 14 of the Listing Rules – Code on
Corporate Governance Practices. Obtain and verify the following areas have been covered:
(a) Directors;
(b) Remuneration of directors and senior management;
(c) Accountability and audit;
(d) Delegation by the board; and
(e) Communication with shareholders.
4. Obtain the Group’s organization chart and assess whether description of each business function or unit and its responsibilities have been properly documented. Evaluate
whether the organization chart was current and has been properly approved by appropriate level of management.
5. Inquire and understand the reporting relationship and the related reporting process with the holding entity in place. Ascertain whether the current reporting process
enabled the holding entity to perform proper assessment on the subsidiaries’ financial positions and prospects timely and adequately.
6. Inquire management if the entity has established policies specifying the obligations and duties of the chairman and directors of the entity (including non-executive directors
and independent non-executive directors). Inquire management if the entity has established the following:
(a) Audit committee (compulsory);
(b) Remuneration Committee (compulsory);
(c) Nomination Committee (compulsory); and
(d) Disclosure Committee (recommended best practice).
7. Obtain documentary support (for example formal meeting minutes) that appropriate meetings have been held between committees and the board as well as audit
committees meetings with external and internal auditors to determine whether issues arising from audit have been discussed and solved.
8. Inquire the procedures in place for the proper declaration of interest of directors. Obtain evidence of such procedures being properly performed.
9. Inquire management whether the entity has established a comprehensive job description manual with detailed description of the job’s roles and responsibilities, authorities
and reporting relationships for senior management. Evaluate whether the manual has been periodically reviewed, updated and approved by management. Job descriptions
should also cover duties relating to internal control matters.
10. Inquire management whether the entity has established appropriate authorization rules (for example payment authorization and contract signing approval matrix) for
important decision making and approval processes. Obtain a copy of such authorization rules and check whether it has covered the following:
(a) Definition/list of critical matters;
(b) Access and use of important information (including financial information and confidential information);
(c) Financial accounting, approval of financial report and authorization of significant transactions; and
(d) Approval policy for expenditures over certain monetary amount(s).
2. Risk Assessment
1. Inquire management whether the entity has developed a risk management framework including the existence of written risk management policies and procedures. Review
any policies, procedures and reports. Evaluate whether the entity has adopted a formal risk management process which covered:
(a) the entity’s business objectives;
(b) risk identification to identify the risk factors that prevent the achievement of business objectives (including financial, operation and compliance risks);
(c) risk assessment to evaluate and prioritize the risk factors; and
(d) actions placed to mitigate the risk factors.
2. Inquire management if there has been any business contingency plan or disaster recovery plan. Obtain a copy of such plan. Review the coverage.
3. Inquire management whether the entity has set up an anti-fraud program for reporting irregularities, wrong doings or frauds (for example whistle-blowing program).
4. Inquire how reported cases have been handled, investigated and resolved. Verify that action plans were developed to prevent future occurrences.
3. Monitoring
1. Inquire management whether there has been an internal audit function. Obtain a copy of the internal audit charter (if any) and check whether it covered the purposes,
authorities, roles and responsibilities and reporting structures of the internal audit function. Check to see if the roles and responsibilities of the internal audit function have
been independent from management functions. Check if the internal audit charter and audit plan have been formally approved by the audit committee.
2. Inquire management if the entity has established procedures to enable reported irregularities, including internal controls issues, to be investigated and followed up timely.
Obtain two samples (if any) of irregularities reported or complaint letters and check if follow-up actions have been made and documented.
3. Inquire if any lawsuit was currently going on or took place in the past. Inquire about the procedures and review necessary documentation in handling the lawsuits. (Pay
attention to the mechanism and disclosure to management and the board about the lawsuit and the adverse impact)
4. Information & Communication
1. Inquire relevant management to understand the entity’s communication mechanism (including policies and procedures) to enable directors, committees and management
to obtain and disseminate sensitive information within the organization.
2. Inquire management the type of channels commonly used to communicate information within the organization (for example training, meetings, memos, emails, intranets
and newsletters). Consider whether these channels have been appropriate for the size and nature of the business.
3. Inquire relevant management to understand whether the entity has set up a formal communication mechanism such as an investor relation program (including policies
and procedures). Communication policies and procedures should at least cover, but not be limited to, the following:
(a) Communication with external parties (for example investors, vendors, customers, competitors, media and professional bodies);
(b) Monitoring and handling of price-sensitive and confidential information;
(c) Distribution of interim and annual reports and publication of results;
(d) Responding to enquiries from regulatory authorities; and
(e) Monitoring and handling of information leakage.

EXHIBIT 4: GROUP STRUCTURE CHART

Toy Maniac (TM)
  Executive Director: Richard Namkong (CEO)
  Non-executive directors: Susan Blakes, Andy Tang, Carmen Chan, Goofy Gin

TM to GC link: 80%

Gadgets Collect (GC)
  Directors: Richard Namkong (CEO), Charles Bond, Clery Smith, Ingrid Lai, Toby Lee

EXHIBIT 5: CONTROL ENVIRONMENT OF TM (EXTRACT)

(Keys: “E” means effective and “I” means ineffective)

Columns: Principle | Point of Focus | Description of current controls | Design effectiveness | Operating effectiveness | Deficiency description

P1. Demonstrated a commitment to integrity and ethical values
  1 Set the tone at the top
    Current controls: TM defined its core values, vision and mission.
    Design: E | Operating: I
    Deficiency: TM failed to communicate to its staff the core values, vision and mission of TM.
  2 Established standards of conduct
    Current controls: Code of conduct and employee handbook were in place.
    Design: I | Operating: I
    Deficiency: Code of conduct and employee handbook were not readily available to staff. Lack of supplier’s code of conduct.
  3 Evaluated adherence to standards of conduct
    Current controls: -
    Design: I | Operating: I
    Deficiency: More evaluation on standards of conduct should be conducted, for example, conduct when using social media platforms.
  4 Addressed deviations in a timely manner
    Current controls: Investigation was promptly conducted.
    Design: I | Operating: I
    Deficiency: Lack of whistle-blowing system or policy.

P2. Board exercised oversight responsibility over internal control
  5 Established oversight responsibilities
    Information to be obtained.
  6 Applied relevant expertise
    Information to be obtained.
  7 Operated independently
    Current controls: -
    Design: I | Operating: I
    Deficiency: Lack of independent non-executive director. Roles of chairman and CEO were not separated. Potential conflict of interest arising out of Richard Namkong’s shareholding in distributor of TM.
  8 Provided oversight of the system of internal control including control environment, risk assessment, control activities, information and communication, and monitoring activities
    Current controls: -
    Design: I | Operating: I
    Deficiency: Lack of risk management policies.

P3. Management established structures, authorities and responsibilities
  9 Considered all structures of the entity
    Information to be obtained.
  10 Established reporting lines
    Current controls: -
    Design: I | Operating: I
    Deficiency: Lack of clear reporting lines for incidents. Employees were unclear of reporting processes.
  11 Defined, assigned and limited authorities and responsibilities
    Current controls: -
    Design: I | Operating: I
    Deficiency: Lack of limitations in accessing TM’s accounts.

P4. Demonstrated commitment to competence
  12 Established policies and practices
    Current controls: -
    Design: I | Operating: I
    Deficiency: Lack of policies for business processes. Lack of policies on conflict of interest.
  13 Evaluated competence and addressed shortcomings
    Current controls: Remuneration committee was set up after resignation of R&D talents.
    Design: E | Operating: E
  14 Attracted, developed and retained individuals
    Current controls: -
    Design: I | Operating: I
    Deficiency: Lack of a nomination committee.
  15 Planned and prepared for succession
    Information to be obtained.

P5. Enforced accountability
  16 Enforced accountability through structures and responsibilities
    Current controls: Disciplinary board was in place.
    Design: E | Operating: I
    Deficiency: Verbal warning was inadequate to reflect the severity of the misconduct.
  17 Established performance measures, incentives and rewards
    Information to be obtained.
  18 Evaluates performance measures, incentives and rewards for ongoing relevance
    Current controls: TM established a remuneration committee to review the remuneration package of R&D talents.
    Design: E | Operating: E
    Deficiency: -
  19 Considered excessive pressures
    Information to be obtained.
  20 Evaluated performance and rewards or disciplines
    Current controls: Disciplinary board was in place.
    Design: I | Operating: I
    Deficiency: No consistent disciplinary policies.

Overall Effectiveness of the Component | Comments
Design effectiveness? INEFFECTIVE | MATERIAL DEFICIENCIES WERE FOUND.
Operating effectiveness? INEFFECTIVE | MATERIAL DEFICIENCIES WERE FOUND.

EXHIBIT 6: PROCESS FLOW CHART (FIXED ASSETS ACQUISITION) OF GC

Entity / Location: GC / PRC
Process: 3. Fixed asset
Sub-process: 3.1 Acquiring fixed assets
Process owners: Mr. Zi CHAN, Senior Officer
Date prepared:
Date sign-off:

Columns: Step | Process Flow | Narrative

Start

Step 1
Process flow: Procurement and logistic team staff. Check the purchase request form against budget. Document: Purchase requisition.
Narrative:
- Procurement and logistic team checked the purchase request form to ensure that the requested items were within the approved budget amount.
- Any exceptions of purchase request were not processed, and the forms were returned to the corresponding user department.

Step 2
Process flow: Accounting assistant. Match delivery note with supporting documents. Documents: Purchase requisition, Purchase order, Delivery note, Supplier invoice.
Narrative:
- For invoiced fixed assets acquired, accounting assistant of the accounts department matched the details among the following supporting documents:
  o Obtained from accounts department – procurement and logistics: supplier invoice, purchase requisition form, purchase order
  o Obtained from warehouse: delivery note

Step 3
Process flow: Accounting assistant. Input additions in W System and prepare manual journal vouchers. System / document: W System, Manual journal voucher.
Narrative:
- Accounting assistant input the journal entries of additions in W System (yet to be posted) based on supporting documents, that is:
  o supplier invoice;
  o purchase requisition form;
  o purchase order; and
  o delivery note.

Step 4
Process flow: Warehouse staff. Affix barcode to fixed assets. Document: Delivery note with barcode.
Narrative:
- Warehouse staff generated a set of two identical barcode labels with a sequential five-digit number from the barcode system:
  o One was affixed on the fixed asset;
  o The other was affixed on the delivery note.
- For fixed assets being kept in the warehouse, warehouse staff recorded the fixed assets in and out using the barcode system.

Step 5
Process flow: Senior officer or Finance manager. Check journal voucher and post journal entries. System: W System.
Narrative:
- As at month end closing, senior officer or finance manager posted and signed off the manual journal vouchers after checking and approving the addition details against supporting documents, that is:
  o supplier invoice;
  o purchase requisition form;
  o purchase order; and
  o delivery note.
- Senior officer or finance manager posted the journal vouchers in the W System.

Step 6
Process flow: Assistant of procurement and logistic team. Scrutinize any fixed assets received but not yet processed. Document: Purchase order log sheet.
Narrative:
- For month end closing, assistant of the procurement and logistic team checked the received fixed assets in the purchase order log sheet (that is, items filled in with supplier delivery note number) against the delivery notes received to ensure all fixed assets were included in the purchase order log sheet.

Decision: Interim / Annual closing? (YES / NO). YES leads to Step 7.

Step 7
Process flow: Accounts officer. Prepare manual journal vouchers and input journal entries. System / document: W System, Manual journal voucher.
Narrative:
- For interim/annual financial closing, accounts officer prepared another fixed asset additions journal entries to include those fixed assets delivered (with delivery notes received) but invoice not yet received, if any, according to the delivered items listed in purchase order log sheet.

Step 8
Process flow: Senior officer. Check and post journal entries. System: W System.
Narrative:
- Senior officer signed off the manual journal voucher and posted the journal entries after performing three-way matching for details against supporting documents.

End