
Chapter 3 - Framework of IC (UEH)

COSO’S INTEGRATED FRAMEWORK OF INTERNAL CONTROLS
Chapter 3
Auditing Dept. – School of Accounting – COB - UEH

COSO Overview – Internal Control Publications
1992, 2006, 2009, 2013

Contents
- Integrated Control Framework (COSO Report 2013)
- Evaluation of Effectiveness of a system of internal control
- Inherent limits of internal controls

Project deliverable #1 – Internal Control-Integrated Framework (2013 Edition)
- Consists of three volumes:
  - Executive Summary
  - Framework and Appendices
  - Illustrative Tools for Assessing Effectiveness of a System of Internal Control
- Sets out:
  - Definition of internal control
  - Categories of objectives
  - Components and principles of internal control
  - Requirements for effectiveness

A. CONTROL ENVIRONMENT
The control environment is the set of standards, processes, and structures that provide the basis for carrying out internal control across the organization.
- The board of directors and senior management establish the tone at the top regarding the importance of internal control and expected standards of conduct.

FIVE COMPONENTS – 17 PRINCIPLES
Control Environment
  1. Demonstrates commitment to integrity and ethical values
  2. Exercises oversight responsibility
  3. Establishes structure, authority and responsibility
  4. Demonstrates commitment to competence
  5. Enforces accountability
Risk Assessment
  6. Specifies suitable objectives
  7. Identifies and analyzes risk
  8. Assesses fraud risk
  9. Identifies and analyzes significant change
Control Activities [Note: specific cycle]
  10. Selects and develops control activities
  11. Selects and develops general controls over technology
  12. Deploys through policies and procedures
Information & Communication
  13. Uses relevant information
  14. Communicates internally
  15. Communicates externally
Monitoring Activities
  16. Conducts ongoing and/or separate evaluations
  17. Evaluates and communicates deficiencies

Control Environment [Note: for the group as a whole]
1. The organization demonstrates a commitment to integrity and ethical values.
2. The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.
3. Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.
4. The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.
5. The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives.

1. INTEGRITY AND ETHICAL VALUES
Integrity is an important ethical and moral principle.
Morality helps people distinguish between right and wrong; it enables them to see the consequences of their actions, and it motivates and directs them to do what is right.
- People that want to be respected should behave ethically.
Enterprises that want to create and maintain a good reputation as well as develop sustainably should adhere to ethical principles, in which integrity is the most important.

(1) Sets the tone at the Top
BODs and management at all levels demonstrate through their directives, actions, and behaviors the importance of integrity and ethical values.
Top management:
- Develops and communicates the expectations of integrity and ethical values through the entity’s mission and values statements, code of conduct, policies and practices, directives and guidelines, actions and decisions of management of all levels and of BODs.
- Leads by example and applies this consistently [Note: set an example]
Tone is impacted by the operating style and personal conduct of management and BODs.

1. DEMONSTRATES A COMMITMENT TO INTEGRITY AND ETHICAL VALUES.
Point of focus:
(1) Sets the tone at the Top [Note: show statements of CEO, top M.]
(2) Establishes Standards of Conduct [Note: show the content of code of conduct and core value]
(3) Evaluates adherence to Standards of Conduct
(4) Addresses deviations in a timely manner

(2) Establishes Standards of Conduct
Standards of Conduct:
- Establishes what is right and wrong
- Provides guidance for navigating what lies in between
- Reflects legal and regulatory requirements; moral, social, environmental principles of responsible conduct; and various stakeholders’ expectations.
Top management establishes Standards of Conduct and mechanisms for the entity to understand and adhere to them.
Integrity and ethical values are core messages in the entity’s communications and training.

(3) & (4) Adherence and Deviations
Processes are in place to evaluate the performance of individuals and teams against the entity’s expected standards of conduct.
- Define set of indicators
- Establish continual and periodic compliance procedures
- Identify, analyze and report business conduct issues to senior management and BODs (direct reporting lines, HR functions, and hotlines).
Deviations are identified and remedied in a timely and consistent manner.

(1) Authorities and responsibilities
- BODs often maintains the oversight responsibility
- The board has the authority to hire as well as terminate, and establish succession planning for CEO or President.
- The board is responsible for providing oversight and constructive challenge to management.
- While BODs retains oversight responsibility, CEO and senior management bear direct responsibility for developing and implementing the IC system.

[Note: board of directors independent of the executive management -> percentage of independence (number of independent members) -> may recommend increasing independence]
[Note: -> female percentage -> fraud ??]

2. EXERCISES OVERSIGHT RESPONSIBILITY
Point of focus:
(1) Establishes oversight responsibilities
(2) Applies relevant expertise
(3) Operates independently
(4) Provides oversight for IC system

(2) & (3) Independence and relevant expertise
- BODs is independent from management (board independence and size); and
- The board demonstrates relevant skills and expertise in carrying out its oversight responsibilities (board composition). [Note: years of experience, degrees, qualifications -> should be relevant to the industry the company is in]
- The board should be actively engaged at all times and be prepared to question and scrutinize management’s activities, present alternative views, and have the courage to act in the face of obvious or suspected wrongdoings. [Note: full-time engagement: how many members attend each meeting (annual report)]
[Note: -> show list of resolutions (list of resolutions issued by the BOD)]

(4) Oversight for IC system
- BODs retains oversight responsibility for management’s design, implementation, and conduct of IC through each of the five components

4. DEMONSTRATES COMMITMENT TO COMPETENCE
Point of focus:
(1) Establishes policies and practices
(2) Evaluates competence and addresses shortcomings
(3) Attracts, develops, and retains individuals
(4) Plans and prepares for succession
[Note: recruitment, training, promotion/reward/discipline
-> training activities (how many, what are they)
-> promotion (job advertisement for ANY position)
-> career path (where in 5 years)
-> discipline
-> awards that employees/the company have won (best employee of the year)]

3. ESTABLISHES STRUCTURE, AUTHORITY AND RESPONSIBILITY
Point of focus:
(1) Considers all structures of the entity
(2) Establishes reporting lines
(3) Defines, assigns, and limits authorities and responsibilities
[Note: organization and management chart of the company: Directors under CEO (VNmilk does not have BOS)]

5. ENFORCES ACCOUNTABILITY
Point of focus:
(1) Enforces accountability through structures, authorities and responsibilities
(2) Establishes performance measures, incentives and rewards
(3) Evaluates performance measures, incentives and rewards for ongoing relevance
(4) Considers excessive pressures
(5) Evaluates performance and rewards or disciplines individuals
[Note: -> show responsibilities of BOD, audit committee, CEO... (company charter)
-> company introduction video clip]

B. RISK ASSESSMENT
- Risk assessment involves a dynamic and iterative process for identifying and analyzing risks to achieving the entity’s objectives, forming a basis for determining how risks should be managed.
- Management considers possible changes in the external environment and within its own business model that may impede its ability to achieve its objectives.

Risk Assessment - Principles
6. The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives. [Note: break objectives into smaller ones; p102 VIE]
7. The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.
8. The organization considers the potential for fraud in assessing risks to the achievement of objectives. [Note: spends time/resources to deal with frauds]
9. The organization identifies and assesses changes that could significantly impact the system of internal control.

[Diagram: INTERNAL CONTROL, relating Objectives, Risks and Controls]

[Diagram: classifications of Objectives: Entity-wide / Activity-level; Explicit / Implicit; Operations / Compliance / Reporting; Financial / Non-financial]

Entity-wide objectives
Top management has established entity-wide objectives.
- Include broad statements of what an entity desires to achieve and are supported by related strategic plans;
- Communicated to employees and BODs;
- Related to and consistent with the entity’s strategies;
- Entity-wide objectives, strategic plans and current conditions are the basis for developing business plans and budgets.

6. SPECIFIES SUITABLE OBJECTIVES
- Operations objectives
- Reporting objectives
  - External financial reporting
  - External non-financial reporting
  - Internal reporting
- Compliance objectives

Activity-level objectives
- Flow from and are linked with entity-wide objectives
- Consistent with each other
- Frequently stated as goals with specific targets and deadlines for all significant business processes (Operations, Marketing, Sales, Procurement, HR; Inbound, outbound, …)
- Management has identified what activity-level objectives are important (critical success factors) to achieve entity-wide level.

(1) Operations objectives
- Reflects management’s choices (e.g., providing customers with a broad range of products at prices consistently lower than its competitors)
- Considers tolerances for risk
- Includes operations and financial performance goals (e.g., increasing net income by 5% the following year)
- Forms a basis for committing of resources.

(2) Reporting objectives
- Pertain to the preparation of reports that encompass reliability, timeliness, transparency and other terms as set forth by regulators, standard-setting bodies, or by the entity’s policies.
  - External financial reporting complies with applicable accounting standards, considers materiality, and reflects the entity’s activities.
  - External non-financial reporting complies with laws, rules, regulations, standards and frameworks; considers precision, and reflects the entity’s activities.
  - Internal reporting complies with management’s choice, considers precision, and reflects the entity’s activities.

Complementary or conflicting objectives
- An operations objective can complement and reinforce a compliance or reporting objective; but
- A compliance objective sometimes prevents an operations objective.

(3) Compliance objectives
- Reflects external laws and regulations
- Considers tolerances for risk

Achievement of objectives
- Operations objectives:
  - Are not based on external requirements.
  - The achievement may change due to changes in the external environment.
- Compliance and Reporting objectives:
  - Based on external requirements.
  - The achievement is largely under the entity’s control.

7. IDENTIFIES AND ANALYZES RISKS
1. Identifies risks
2. Analyzes the risks identified
3. Determines how to respond to risks identified and analyzed
[Note: "significant risks" -> pickup]
[Note: steps in cycles: sale/cash... -> late delivery, wrong delivery -> wrong record when accepting order]

7. IDENTIFIES AND ANALYZES RISKS
2. Analyzes the identified risks:
- Estimates the significance of risks identified; and
- Assesses the likelihood of their occurring.
3. Determines how to respond to risks identified and analyzed
- Considers how the risks should be managed and whether to accept, avoid, reduce or share the risks.
[Note: using 7S, PEST, SWOT, 5 forces (EXTERNAL RISKS) or risk pulled out from annual report (INTERNAL RISKS -> steps)]
[Note: possibility (likelihood_25/50/75) of the risks; potential impacts/effects (minor/moderate/medium)]
[Note: extreme risks group -> set priorities/resources first]

7. IDENTIFIES AND ANALYZES RISKS
1. Identifies risks:
- Identifies risks at the entity, subsidiary, division, operating unit, functional level relevant to the achievement of objectives (entity-wide and activity-level);
- Considers both external and internal factors and their impact on the achievement of objectives
- Puts into place effective risk identification mechanisms that involve appropriate level of management.
[Note: risk assessment program, fraud assessment.]

[Flowchart: Specify objectives -> Identify risks -> Estimate the significance of risks -> The entity’s risk tolerance -> Accept the risks? Yes: No action. No: continue at (1).]

[Flowchart, continued from (1), ONGOING PROCESS: Sharing / Avoidance / Reduction -> Determine actions to respond to the risk, and select and develop associated control activities -> Residual risk exceeding risk tolerance? No: No action. Yes: Revisit and revise the response/actions as well as associated control activities.]

Risk Identification: Entity-level risks
External factors
- PEST Analysis
  + P – Political
  + E – Economic
  + S – Social
  + T – Technological
  And natural environment and foreign operations
- The 5 Forces model - Michael Porter:
  - Bargaining power of suppliers
  - Bargaining power of buyers
  - Rivalry among existing competitors
  - Threat of substitute products or services
  - Threat of new entrants

[Diagram: Risk Identification -> Risk Analysis -> Risk Response]

Risk Identification: Entity-level risks
Internal factors
- Infrastructure
- Management Structure: a change in management responsibilities
- Personnel: the quality of personnel hired
- Access to Assets
- Technology: A disruption of IS processing

Risk Identification: Transaction-level risks
Risks should be identified and analyzed in every business process as follows:
- Purchasing/Procurement
- Sales
- Production/Manufacturing
- Marketing
- Finance
- R&D
- ....

Risk Response
A risk response is management’s action to manage the risk identified and assessed in order to ensure that residual risk does not exceed the level of risk acceptance.
- Acceptance: No action is taken
- Avoidance: get rid of the activities giving rise to risk [Note: deny all objectives]
- Reduction: Action is taken to reduce risk [Note: control activities set up]
- Sharing: reducing risk by transferring or sharing a portion of the risk (e.g., buying insurance, forming joint-ventures, …)

Risk analysis
- Assessment of the likelihood of the risk occurring and estimation of its impact
- Level of management: the entity puts in place effective risk assessment mechanisms that involve appropriate level of management with expertise.
- Significant risk: likelihood of risk occurring and impact, velocity or speed of impact, persistence or duration of time of impact.
- Inherent and Residual risk: Mgt should consider both.

8. ASSESSES FRAUD RISK
Point of focus:
(1) Considers various types of fraud
(2) Assess Incentive and Pressures
(3) Assess Opportunities
(4) Assess Attitude and Rationalizations
[Note: show (ANY FRAUDS, can be irrelevant to the assigned cycle)
- frauds already happened,
- anti-corruption program, anti-fraud program]

Types of fraud
- Fraudulent reporting
- Corruption
- Misappropriation of assets
- Management Override
[Note: policy: do not sell to customers who have AR > but CEO makes sales executive accept the order]

(1) Changes in the external environment
- Changing regulatory and economic environment
- Changing physical environment like natural disasters, diseases, …

9. IDENTIFIES AND ANALYZES SIGNIFICANT CHANGE
Point of focus:
(1) Assesses changes in the external environment
(2) Assesses changes in business model
(3) Assesses changes in leadership (changing significant personnel)

(2) Changes in business model
- Entering new business lines
- Significant acquisition or divestitures
- Foreign operations
- Rapid Growth
- New technology

C. CONTROL ACTIVITIES
[Note: the association suggests control activities quarterly]
[Note: 12. control activities are specified into control policies and control procedures
. control policies: set out the objectives of controls
. control procedures: set out the specific measures to achieve the control objectives]

Control Activities - principles
10. The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.
11. The organization selects and develops general control activities over technology to support the achievement of objectives.
12. The organization deploys control activities through policies that establish what is expected and procedures that put policies into place.

C. CONTROL ACTIVITIES
Control activities are the actions established by policies and procedures to help ensure that management directives to mitigate risks to the achievement of objectives are carried out.
Control activities are performed at all levels of the entity and at various stages within business processes, and over the technology environment.
[Note: can present control activities corresponding with risk assessment]
[Note: . receiving sale order . making sale order . delivery of sale order . receiving cash]
[Note: . entity level . department level . activity level (production, marketing,...)]
[Note: wherever there is risk, there are control activities]

Types of Control activities
- Preventive versus detective controls [Note: check student id is a preventive and detective control -> check fingerprint]
- Compensating controls [Note: compensating controls / corrective controls]
- Manual versus automated controls [Note: no human intervention needed]
- Controls with audit trails and without audit trails
- General versus application controls [Note: control for accessing, maintenance system and]



Compensating controls
- Controls are designed to detect and compensate for the lack or deficiency of desired controls.
- E.g., Bank reconciliation

Segregation of duties
Duties should be divided or segregated among different people to reduce the risk of error or inappropriate or fraudulent actions.
Entails generally dividing the responsibility of recording, authorizing and approving transactions, and handling the related assets.
Separation among the following functions:
- Approval and custody of assets [Note: separate the approval function from custody/maintenance (stock in/stock out)]
- Recording/book-keeping and custody of assets
- Approval and recording [Note: -> search for approved document and show them to cashier -> cashier pays out the cash]

Types of transaction control activities
- Segregation of duties
- Authorizations and Approvals
- Verifications
- Physical controls
- Controls over standing data (IT)
- Reconciliations
- Supervisory controls
[Note: there are hundreds of control activities -> different from industries to industries]
[Note: no need to classify them as physical/automated -> write them to match the risks already stated]

Authorizations and Approvals
Authorization is the delegation of authority that may be general or specific.
- General authorization: Giving a department permission to expend funds from an approved budget
- Specific authorization: requiring the signature or electronic approval of a transaction by a person with approval authority
Approval is to affirm that a transaction is valid.

Approval/Authorization
Requirements:
- Written policies and procedures
- Limits to authority
- Supporting documentation
- Question unusual items
- No "rubber stamps"
- No signing of blank forms

Physical controls
Measures to deter or prevent unauthorized access to equipment, inventories, securities, cash and other sensitive assets.

Verifications versus Reconciliations:
Verifications compare 2 or more items with each other or compare an item with a policy, and perform a follow-up action when they do not match.
Reconciliations: compare 2 or more data elements and, if differences are identified, action is taken to bring the data into agreement. E.g., Bank, AR and AP reconciliations with the bank, the clients and the suppliers. [Note: reconciliation]

Physical controls
- Restricted physical access [Note: safes, locks and guards]
- Periodical count [Note: cash count, stock count, ITA/TA count]
- Security Alarms, EAS
- Surveillance Cameras
- Information Security

Controls over standing data [Note: master files]
- Standing data, such as the price master file, is often used to support the processing of transactions within a business process.
- Controls over the processes to populate, update, and maintain the accuracy, completeness, and validity of this data.
- There are:
  - General controls
  - Application controls

General Controls
- Govern the design, security, and use of computer programs and the security of data files in general throughout the entity’s IT infrastructure.
- Apply to all computerized applications and consist of a combination of hardware, software, and manual procedures that create an overall control environment to IT.
- Include software controls, physical hardware controls, computer operations controls, data security controls, controls over the systems implementation process, and administrative controls.

General and Application Controls
[Diagram: General controls surrounding Application Controls for Revenue, Expenditure, Inventories, Payrolls]

Application controls
- Are specific controls unique to each computerized application, such as payroll, revenue, expenditure, inventory cycles.
- Include both automated and manual procedures that ensure that only authorized data are completely and accurately processed by that application.
- Can be classified as
  (1) input controls,
  (2) processing controls, and
  (3) output controls

Supervisory controls
- Assess whether other transaction control activities are being performed completely, accurately, and according to the policy and procedures.
- Are typically performed by the manager of a business process or executive team members.
- Some types of supervisory controls:
  - Review and double check over high risk transactions
  - Employee performance reviews
  - Budget vs actual analysis

Information & Communication
13. The organization obtains or generates and uses relevant, quality information to support the functioning of internal control.
14. The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control. [Note: internal communication]
15. The organization communicates with external parties regarding matters affecting the functioning of internal control. [Note: external communication]

D. INFORMATION AND COMMUNICATION
- Information is necessary for the entity to carry out IC responsibilities to support the achievement of its objectives.
- Communication is the continual, iterative process of providing, sharing, and obtaining necessary information.
  - Internal communication: the means by which information is disseminated throughout the entity, flowing up, down, and across the entity.
  - External communication: includes inbound communication of relevant external info and providing info for external parties in response to requirements and expectations.

13. GENERATES AND USES RELEVANT, QUALITY INFORMATION
Points of focus:
- Identify information requirements
- Capture internal and external sources of data
- Process relevant data into information
- Maintain quality throughout processing
- Consider costs and benefits

Information quality
- Accessible: easy to obtain by those who need it
- Correct: accurate and complete
- Current: updated
- Protected: Access to sensitive info is restricted to authorized persons.
- Retained: Available over an extended period of time
- Sufficient: enough info at the right level of detail relevant to info requirement
- Timely: available when needed.
- Valid: Obtained from authorized sources
- Verifiable: Supported by evidence
[Note: No 10. -> show which system(s) is(/are) used -> ERP, MISA, FAST, Oracle...]

15. COMMUNICATES EXTERNALLY
Point of focus
- Communicate to external parties
- Enable inbound communications
- Communicate with BODs
- Provide separate communication lines: whistle-blower hotlines
- Select relevant methods of communication
[Note: -> show tiktok/fb/yt/fanpage accounts
-> show brand ambassador
-> show tv shows/competitions sponsored]

14. COMMUNICATES INTERNALLY
Point of focus
- Communicate IC info
- Communicate with BODs
- Provide separate communication lines: whistle-blower hotlines
- Select relevant methods of communication
[Note: should communicate, sharing information]
[Note: No 14 -> whether company has communication channel (zalo, email, viber, cloud) -> top-down, bottom-up, peer to peer]

E. MONITORING ACTIVITIES
Internal controls are present and performed properly?
- Evaluate the quality of IC over time
- Assess whether each of the 5 components and relevant principles is present and functioning.
- There are: ongoing and separate evaluations.

Monitoring Activities [Note: ongoing evaluation and periodic evaluation]
16. The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.
17. The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.

Separate evaluation [Note: periodic evaluation]
- Monitoring activities are NOT built into business processes and are performed periodically.
- Are usually performed by internal auditors, external auditors to take a fresh look
[Note: . internal audit
. independent audit
. independent evaluation program -> show hiring EY/in contract with boston to evaluate IC
-> whether there is an internal audit department, and how many internal audits that department has carried out]
[Note: if the company does not have any of these yet, rate it as weak and recommend establishing/implementing them]

Ongoing evaluation
- Monitoring activities are built into business processes and performed on a real-time basis, react to changing conditions.
- Are performed by line operating and functional managers
- E.g., monthly or periodical meetings with line operating and functional managers; review of performance reports

HOW TO EVALUATE THE EFFECTIVENESS OF INTERNAL CONTROLS
- Achievement of Objectives
- Relevant principles
- Component operating together

Evaluating tools and methods
[Note: pages 147-150, evaluating the IC system]
Tools: checklist, questionnaire, and flowcharts.
Methods:
- Benchmark with other companies (known for effectiveness of internal controls).
- Service from consulting agencies. [Note: outsourcing]

Inherent limits of internal controls
- Human errors
- Collusion [Note: collide (v): to collude -> maybe embezzling from the cash box]
- Unusual situations [Note: ex: natural disaster, virus is implanted in the purchased acc system, spies from other companies]
- Management override
- The cost-benefit analysis [Note: a rule that splits the work among 3 people in charge -> good, but that means paying 3 people -> assign it to 1 person and accept a higher fraud risk]

Documented evaluations
• Depends on the size and complexity of each business
• Large enterprises always have policy manuals
• Small businesses often pay little attention to documentation

IT’S END – WE MADE IT
