
Principles of Auditing

Course title: Principles of Auditing
Topic 3 – Part 1
Review on Internal Control

Lecturer: Mai Đức Nghĩa
School of Accounting, UEH

Definition of internal control

“Internal control is a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance”

Contents

• Review on internal control
  - Definition
  - Components
• Limitations of internal control

Definition of internal control

• Geared to the achievement of objectives (Operations, Reporting and Compliance)
• A process consisting of ongoing tasks and activities—it is a means to an end, not an end in itself
• Effected by people—it is not merely about policy and procedure manuals, systems, and forms, but about people and the actions they take at every level of an organization to effect internal control
• Able to provide reasonable assurance, not absolute assurance, to an entity’s senior management and board of directors
• Adaptable to the entity structure—flexible in application

How?

Process, People, Reasonable assurance, Objectives



Geared to the achievement of objectives

• Operations Objectives—These pertain to effectiveness and efficiency of the entity’s operations, including operational and financial performance goals, and safeguarding assets against loss.
• Reporting Objectives—These pertain to internal and external financial and non-financial reporting and may encompass reliability, timeliness, transparency, or other terms as set forth by regulators, standard setters, or the entity’s policies.
• Compliance Objectives—These pertain to adherence to laws and regulations to which the entity is subject.

Internal control (COSO)

A process

• Internal control is not one event or circumstance, but a dynamic and iterative process.
• Internal control consists of policies and procedures. These policies reflect management or board statements of what should be done.
• Internal control is integrated with business processes

5 components and 17 principles of internal control

Control Environment
1. Demonstrates commitment to integrity and ethical values
2. Exercises oversight responsibility
3. Establishes structure, authority and responsibility
4. Demonstrates commitment to competence
5. Enforces accountability

Risk Assessment
6. Specifies suitable objectives
7. Identifies and analyzes risk
8. Assesses fraud risk
9. Identifies and analyzes significant change

Control Activities
10. Selects and develops control activities
11. Selects and develops general controls over technology
12. Deploys through policies and procedures

Information & Communication
13. Uses relevant information
14. Communicates internally
15. Communicates externally

Monitoring Activities
16. Conducts ongoing and/or separate evaluations
17. Evaluates and communicates deficiencies



Summary

(Figure with the labels 03, 01, 05 and 17)

Control Environment

The control environment is the set of standards, processes, and structures that provide the basis for carrying out internal control across the organization. The board of directors and senior management establish the tone at the top regarding the importance of internal control and expected standards of conduct.

There are five principles relating to Control Environment:
1. Demonstrates commitment to integrity and ethical values
2. Exercises oversight responsibility
3. Establishes structure, authority and responsibility
4. Demonstrates commitment to competence
5. Enforces accountability



Board of Directors

US: Fine of 2.3 billion VND if a company has no women on its board of directors

Under a recently enacted law now in effect in the state of California, USA, public companies operating in the state will have to change the composition of their boards of directors. Specifically, from now until before the end of 2019, the board of directors must have at least one female member; otherwise, the company will be fined USD 100,000, and repeat violations will be fined USD 300,000 each time.

The law also requires that by the end of 2021, this number must rise to two female members for companies with five board members and three female members for companies with six or more board members.

California is one of the first US states to apply a law bringing women into corporate management, while this kind of regulation has already been fairly common in Europe.

Source: http://cafebiz.vn/my-phat-23-ty-dong-neu-doanh-nghiep-khong-co-nu-gioi-trong-hoi-dong-quan-tri-20181008144255968.chn

Philosophy and style of management



Risk Assessment

• Risk assessment involves a dynamic and iterative process for identifying and analyzing risks to achieving the entity’s objectives, forming a basis for determining how risks should be managed.
• There are four principles relating to Risk Assessment:
6. The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.
7. The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.
8. The organization considers the potential for fraud in assessing risks to the achievement of objectives.
9. The organization identifies and assesses changes that could significantly impact the system of internal control.

How to manage risks

• Avoid: Get out of situation
• Reduce: Institute controls
• Share: Partner with others
• Accept: Monitor

How to assess risks

Risk analysis:
• Likelihood (probability) of the risk occurring
• Degree of the risk's impact on the achievement of objectives

Control Activities

Control activities are the actions established by policies and procedures to help ensure that management directives to mitigate risks to the achievement of objectives are carried out.

Control activities are performed at all levels of the entity and at various stages within business processes, and over the technology environment.



Control Activities

There are three principles relating to Control Activities:
10. The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.
11. The organization selects and develops general control activities over technology to support the achievement of objectives.
12. The organization deploys control activities through policies that establish what is expected and procedures that put policies into action.

Information and Communication

• Information is necessary for the entity to carry out internal control responsibilities in support of achievement of its objectives.
• Communication occurs both internally and externally and provides the organization with the information needed to carry out day-to-day internal control activities. Communication enables personnel to understand internal control responsibilities and their importance to the achievement of objectives.
• There are three principles relating to Information and Communication:
13. The organization obtains or generates and uses relevant, quality information to support the functioning of other components of internal control.
14. The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of other components of internal control.
15. The organization communicates with external parties regarding matters affecting the functioning of other components of internal control.

Control Activities

Main control activities:
• Segregation of duties
• Approval (review/authorization)
• General control over technology
• Reconciliation
• Physical controls
• Management review (analysis and review)

INTERNAL COMMUNICATION



EXTERNAL COMMUNICATION

1. Customers
2. Suppliers
3. Tax offices
4. Investigators
5. Journals
6. Partners
7. External auditors

Monitoring Activities at VIETCOMBANK

Monitoring Activities

• Ongoing evaluations, separate evaluations, or some combination of the two are used to ascertain whether each of the five components of internal control, including controls to effect the principles within each component, are present and functioning. Findings are evaluated and deficiencies are communicated in a timely manner, with serious matters reported to senior management and to the board.
• There are two principles relating to Monitoring Activities:
16. The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.
17. The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.

Limitations of Internal Control

• Limitations of internal control do exist and may result from the:
  • Suitability of objectives established as a precondition to internal control
  • Reality that human judgment in decision making can be faulty
  • Breakdowns that can occur because of human failures such as errors
  • Ability of management to override internal control
  • Ability of management, other personnel, and/or third parties to circumvent controls through collusion
• These limitations are the reasons that internal control provides reasonable but not absolute assurance.
