
Internal Controls (UEH) - Chapter 1

Chapter 1
OVERVIEW OF INTERNAL CONTROL
Auditing Department - SOA-UEH
2023

CONTENTS
1. Definition of internal controls
2. Developmental process
3. COSO report drafting process
4. COSO Report 1992 & 2013
5. The effectiveness of internal controls
6. Internal control and management process
7. Responsibilities for internal controls

1. DEFINITION

Control
It is a means of reducing the factors that adversely affect the operation of an object.

Internal
The existence or location within or in relation to the structure of an organization.


1. DEFINITION
Internal control is a process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance.
(COSO Report)

[Diagram labels, with Internal Control at the centre: PROCESS; HUMAN (Board of Directors, Managers, Employees); OBJECTIVES (Operations, Reporting, Compliance); REASONABLE ASSURANCE]


OBJECTIVES
Operations Objectives – related to the effectiveness and efficiency of the entity's operations, including operational and financial performance goals, and safeguarding assets against loss.
Reporting Objectives – related to internal and external financial and non-financial reporting to stakeholders, which would encompass reliability, timeliness, transparency, or other terms as established by regulators, standard setters, or the entity's policies.
Compliance Objectives – related to adhering to laws and regulations that the entity must follow.

2. HISTORY AND DEVELOPMENTAL PROCESS
1. Early stage
2. Formation stage
3. Development stage
4. Modern stage


EARLY STAGE - FORMATION STAGE - DEVELOPMENT STAGE
[Timeline diagram. Dates shown: 1900, 1929, 1936, 1949, 1992. Labels: Protect moneys (1900); Protect assets; Internal control over accounting; AICPA defined internal control system: guarantee the accuracy of accounting data, efficiency of operations, encourage compliance with the policy of managers; Auditing; Internal control over management; COSO Report (1992)]

ORGANIZATION STRUCTURE OF COSO
COSO: The Committee of Sponsoring Organizations of the Treadway Commission
Treadway Commission: The National Commission on Fraudulent Financial Reporting
Sponsoring organizations:
• AICPA - American Institute of CPA
• AAA - American Accounting Association
• IIA - Institute of Internal Auditors
• FEI - Financial Executives Institute
• IMA - Institute of Management Accountants


COSO REPORT ON INTERNAL CONTROL
• In 1992, the COSO Report was issued. Components of internal control include control environment, risk assessment, control activities, information and communication, and monitoring.
• The outstanding feature of the COSO report is a broad, governance-oriented vision, in which internal control is no longer just an issue related to financial statements but is extended to other areas of operation and compliance.

2.4 MODERN STAGE
[Diagram of documents issued in the modern stage:]
• ERM: Enterprise Risk Management Framework (The Committee of Sponsoring Organizations of the Treadway Commission)
• Internal control for smaller publicly traded companies
• Framework for Internal Control System in Banking Organizations (Basel Committee on Banking Supervision)
• CoBIT®: Control Objectives for Information and Related Technology (ISACA, Information System Audit and Control Association)


2.4 MODERN STAGE
Governance development
In 2001, the Enterprise Risk Management Framework (ERM) was formed on the basis of the 1992 COSO Report. This report was issued in 2004.
ERM (2017) replaced ERM (2004).
[Cover image: Enterprise Risk Management Framework, The Committee of Sponsoring Organizations of the Treadway Commission]

ERM AND INTERNAL CONTROLS
[Diagram labels: Strategy; ERM; Broader goals, towards the development strategy of the unit; ERM system; INTERNAL CONTROL SYSTEM]

2.4 MODERN STAGE
Small business development
How to apply internal control in smaller publicly traded companies was issued in 2006.

2.4 MODERN STAGE
Development in the direction of information technology
In 1996, CoBIT was issued by ISACA.
CoBIT emphasizes control in the computer information system (CIS), which includes the areas of planning and organization, acquisition and deployment, distribution and support, and monitoring.


2.4 MODERN STAGE
Development towards independent audit
SAS 78 (1995): Review of internal control in the audit of financial statements (adapted to SAS 55). The definitions and factors of internal control in the COSO report (1992) have been included in this standard.
SAS 94 (2001): The influence of information technology on the consideration of internal control in the audit of financial statements.

2.4 MODERN STAGE
ISA 315 - Understanding the business, operating environment, and risk assessment of material misstatement
- Definition of internal control based on COSO 1992 definition.
- Elements of internal control based on the 1992 COSO Report.
ISA 265 - Reporting of internal control deficiencies: identifies the auditor's concern with, and reporting of, the detected internal control deficiencies.


2.4 MODERN STAGE
Developing in the direction of internal audit
The Association of Internal Auditors (IIA) defines the objectives of internal control to include:
- Reliability and truthfulness of information.
- Comply with policies, plans, procedures, laws and regulations.
- Property protection.
- Effective and economical use of resources.
- Complete goals and objectives for activities or programs.

2.4 MODERN STAGE
Develop in the direction of specializing in specific professions
Basel Committee (1998) report on banking supervision, elements of internal control:
- Managerial oversight and control culture,
- Risk recognition and assessment,
- Control activities,
- Division of responsibility,
- Information and communication,
- Monitor and correct errors.
[Cover image: Basle Report, Framework for Internal Control System in Banking Organisations, Basle Committee on Banking Supervision]


2.4 MODERN STAGE
Guidance on monitoring the internal control system
COSO issued Guidelines on Monitoring Internal Control Systems (2009), based on the 1992 COSO framework, to help organizations self-monitor the quality of their internal control systems.

3. COSO REPORT DEVELOPMENT PROCESS
[Process diagram with the labels: Collect documents; Interview; Send questionnaire; Seminars; Draft report; Testing in reality; Complete draft]


4. COSO REPORT

STRUCTURE OF COSO REPORT (1992)
Part 1: Executive Summary
Part 2: Framework of internal control
Part 3: Reporting to external users
Part 4: Internal control system assessment tool


STRUCTURE OF COSO REPORT (2013)
• Internal Control – Integrated Framework Executive Summary
• Internal Control – Integrated Framework and Appendices
• Internal Control – Integrated Framework Internal Control over External Financial Reporting: A Compendium of Approaches and Examples
• Internal Control – Integrated Framework Illustrative Tools for Assessing Effectiveness of a System of Internal Control

FRAMEWORK COSO REPORT 1992 & 2013
Components of the internal control
• Control environment
• Risk assessment
• Control Activities
• Information and communication
• Monitoring Activities

The COSO 2013 Framework


The 2013 Framework focuses on five integrated components of internal control:
control environment, risk assessment, control activities, information and
communication, and monitoring activities. The updated 2013 Framework:
• Clarifies the application of the 2013 Framework in today's environment with the various business models, technology, and related risks.
• Codifies criteria that can be used in developing and evaluating the effectiveness of systems of internal control – making explicit 17 principles, each with points of focus.
• Expands reporting objectives to support internal, financial and nonfinancial reporting, and operational and compliance objectives.
• Emphasizes the need for judgment in evaluating whether a company achieves effective internal control.
• Focuses on accountability for internal control throughout the organization starting at the board level and senior management.
• Explicitly considers IT controls and identifies the need for fraud risk consideration not limited to financial statements but also within compliance and operations.

RELATIONSHIP BETWEEN OBJECTIVES AND PARTS OF INTERNAL CONTROL SYSTEM
- Vertical relationship
- Horizontal relationship
- Internal control related to each department, each activity of the organization and the whole organization in general.

The COSO “cube”
[Figure: the COSO cube, annotated "At all levels of the organization" and "5 integrated components"]


5. THE EFFECTIVENESS OF INTERNAL CONTROL SYSTEM
To conclude that your system of internal control is effective:
• The five components of internal control and all 17 relevant principles must be:
- Present and functioning
- Operating together in an integrated manner

6. INTERNAL CONTROLS AND MANAGEMENT PROCESS
Manager's activities | Internal control
Set goals on a unit-wide level |
Strategic planning |
Building elements of the control environment | ✓
Set goals at the departmental level |
Risk identification and analysis | ✓
Risk management |
Carrying out control activities | ✓
Information collection and communication | ✓
Monitor | ✓
Corrective actions (correction of errors) |

7. RESPONSIBILITIES FOR INTERNAL CONTROLS
1. Board of Directors
2. Board of Supervisors/Audit Committee
3. Management
4. Internal auditors
5. Staff
6. Outside parties

BOARD OF DIRECTORS
• Approve and monitor:
- Policies regarding the mission, vision and strategy of the organization
- Risk management strategy (developed by management)
- Development and effective functioning of an internal control system
• Play an important role in defining expectations of honesty and ethical values, transparency and accountability


(source: Annual Report of FPT 2021)

BOARD OF DIRECTORS
Requirements for members of the Board of Directors:
• Independent, competent and questioning
• Understanding the operations and operating environment of the entity and dedicating enough time to carry out its administrative responsibilities
• Use resources as necessary to investigate issues that arise and have open, unlimited communication with employees, internal auditors, independent auditors, legal consultants, etc.


Board of Supervisors
• Supervise the Board of Directors, and CEO in the management and 
administration of the company

• Review, test and evaluate the effectiveness and efficiency of the company's 
internal control, risk management and early warning systems

(source: Annual Report of FPT 2021)


AUDIT COMMITTEE
• As a committee under the Board of Directors, with members (at least 2) selected by the Board of Directors
• The Chairman of the Audit Committee must be an independent member of the Board of Directors.
• Committee members must be non-executive Board members
• Review of internal control and risk management systems

(Source: Annual Report of VNM 2021)


AUDIT COMMITTEE
• Check annual financial statements
• Select an independent auditing company; work and discuss directly with the independent auditors about issues arising in the audit including weaknesses of the internal control system.
• Detect and take appropriate actions in case the Board of Directors goes beyond the internal control system

MANAGEMENT
• Responsible for the development and function of an effective internal control
• Being the decisive factor, building a solid foundation for the control environment and other parts of the internal control


MANAGERS
• Participate in setting goals and strategies
• Define integrity expectations, competence, key policies and information requirements
• Identify and deal with risks (internal and external) as well as develop mechanisms to identify and select countermeasures

(source: Annual Report of FPT 2021)


Section 404 of the Sarbanes-Oxley Act
Section 404 of the Sarbanes-Oxley Act requires public companies' annual reports to include the company's own assessment of internal control over financial reporting, and an auditor's attestation.

(a) Rules Required. Each annual report shall contain an internal control report, which shall
(1) state the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and
(2) contain an assessment, as of the end of the most recent fiscal year of the issuer, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting.

(b) Internal Control Evaluation and Reporting. With respect to the internal control assessment required by subsection (a), each registered public accounting firm that prepares or issues the audit report for the issuer shall attest to, and report on, the assessment made by the management of the issuer.

INTERNAL AUDITOR
• Evaluate the effectiveness of the internal control
• Suggest measures to increase the effectiveness of the internal control


EMPLOYEE
• Internal control concerns the responsibilities of every member of an entity through its day-to-day operations
• Employees contribute to the risk assessment or monitoring process.
• The main employee is the person who operates the internal control system at the unit.

(Source: Annual Report of VNM 2021)


OTHERS
• External auditors (such as independent auditors, public auditors)
• Legislators or Regulators
• Customers and suppliers can also provide useful information through their dealings with the organization.
• Others outside the organization such as financial analysts, the media, etc.
