
Internal Control

Chapter 1
OVERVIEW OF
INTERNAL CONTROL SYSTEM
Auditing Department - SOA-UEH
2023

CONTENTS
1. Definition of internal controls
2. The evolution of internal controls
3. COSO report drafting process
4. COSO Report 1992 & 2013
5. The effectiveness of the internal control system
6. Internal control and management process
7. Responsibility for internal controls

Pham Thi Ngoc Bich – SOA – UEH 1



1. WHAT IS INTERNAL CONTROL?

1. DEFINITION
Control
A measure, procedure, policy or way to mitigate (decrease) and manage risks.

Internal
Within or in relation to the structure of an organization.


1. DEFINITION
(COSO Report)

Internal control is a process, effected by an entity’s board of directors, management, and other personnel (staff), designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
• Operations: effectiveness and efficiency (profitability, market, customers, reputation)
• Reporting: reliability/fairness (MISSTATED due to ERROR/FRAUD)
• Compliance with (obey) laws and relevant regulations

CONTROL: prevent; reduce; detect and correct in time.

EFFECTIVE: achievement of the expected objective --> AUDITOR

EFFICIENCY: relationship between input and output / achievement of the expected objective with very reasonable (cheap) inputs --> MANAGER

1. DEFINITION
[Diagram: PEOPLE (Board of Directors, Managers, Employees) - PROCESS (internal control system) - OBJECTIVES (Operations, Reporting, Compliance), with REASONABLE ASSURANCE]


2. THE EVOLUTION (history) OF INTERNAL CONTROLS

1. Early stage
2. Formation stage
3. Development stage
4. Modern stage

EARLY STAGE - FORMATION STAGE - DEVELOPMENT STAGE
[Figure: timeline. Labels: protect money (1900); protect assets (1929); guarantee the accuracy of accounting data (1936); efficiency of operations (1949); encourage compliance with the policy of the manager (1949); AICPA defined the internal control system (internal control about accounting, internal control about management); auditing; COSO Report (1992).]


ORGANIZATION STRUCTURE OF COSO
COSO: The Committee of Sponsoring Organizations of the Treadway Commission
Treadway Commission: The National Commission on Fraudulent Financial Reporting

Sponsoring organizations:
• AICPA: American Institute of CPA
• AAA: American Accounting Association
• IIA: Institute of Internal Auditors
• FEI: Financial Executives Institute
• IMA: Institute of Management Accountants

COSO REPORT ON
INTERNAL CONTROL
• In 1992, the COSO Report was issued. Components of
internal control include: control environment, risk
assessment, control activities, information and
communication, and monitoring.

• The outstanding feature of the COSO report is a broad
and governance vision, in which internal control is no
longer just an issue related to financial statements but
is extended to other areas of operation and compliance.


2.4 MODERN PHASE

• ERM: Enterprise Risk Management Framework (The Committee of Sponsoring Organizations of the Treadway Commission)
• Internal control for smaller publicly traded companies
• Basel Committee on Banking Supervision: Framework for Internal Control System in Banking Organizations
• CoBIT®: Control Objectives for Information and Related Technology, ISACA (Information System Audit and Control Association)

2.4 MODERN PHASE

Governance development
In 2001, the Enterprise Risk Management Framework
(ERM) was formed on the basis of the 1992 COSO
Report. This report was issued in 2004.
ERM consists of 8 elements: internal environment, goal
setting, event identification, risk assessment, risk
response, control activities, communication and
monitoring.

ERM AND INTERNAL CONTROLS
[Diagram labels: CORPORATE GOVERNANCE; ERM; INTERNAL CONTROL SYSTEM]
Strategy: broader goals, towards the development strategy of the unit.
ERM is a part of CORPORATE GOVERNANCE.

OBJECTIVES OF ERM
Unit objectives can be divided into four categories:
• Strategy
• Operation
• Reporting
• Compliance


ERM LEVEL
ERM looks at the entity's activities on all levels:
• Entity
• Division
• Business Unit
• Subsidiary

COMPONENTS OF ERM
8 components:
1. Internal environment
2. Goal Setting
3. Identify events
4. Risk assessment
5. Dealing with risks
6. Control activities
7. Information and communication
8. Monitor


2.4 MODERN PHASE


Small business development
How to apply internal control in smaller publicly traded
companies was issued in 2006.


2.4 MODERN PHASE


Development in the direction of information technology
In 1996, CoBIT was issued by ISACA.
CoBIT emphasizes control in the computer information
system (CIS), which includes the areas of planning and
organization, acquisition and deployment, distribution
and support, and monitoring.


2.4 MODERN PHASE


Development towards independent audit
SAS 78 (1995): Review of internal control in the audit of
financial statements (adapted to SAS 55). The
definitions and factors of internal control in the COSO
report (1992) have been included in this standard.
SAS 94 (2001): The influence of information technology
on the consideration of internal control in the audit of
financial statements.


2.4 MODERN PHASE


ISA 315 - Understanding the business, operating
environment, and risk assessment of material
misstatement:
- Definition of internal control based on the COSO 1992 definition.
- Elements of internal control based on the 1992 COSO Report.
ISA 265 - Reporting of internal control deficiencies:
identifies the auditor's concern and the reporting of
detected internal control deficiencies.


2.4 MODERN PHASE


Developing in the direction of internal audit
The Association of Internal Auditors (IIA) defines the
objectives of internal control to include:
- Reliability and truthfulness of information.
- Comply with policies, plans, procedures, laws and regulations.
- Property protection.
- Effective and economical use of resources.
- Complete goals and objectives for activities or programs.

2.4 MODERN PHASE


Develop in the direction of specializing in specific
professions
Basel Committee (1998) report on banking supervision
(Framework for Internal Control System in Banking
Organisations, Basle Committee on Banking Supervision),
elements of internal control:
- Managerial oversight and control culture,
- Risk recognition and assessment,
- Control activities,
- Division of responsibility,
- Information and communication,
- Monitor and correct errors.


2.4 MODERN PHASE

Guidance on monitoring the internal control system


COSO issued Guidelines on Monitoring Internal Control
Systems (2009), based on the 1992 COSO framework, to
help organizations self-monitor the quality of their
internal control systems.


3. COSO REPORT DEVELOPMENT PROCESS
[Diagram labels: Collect documents; Interview; Send questionnaire; Seminars; Draft report; Testing in reality; Complete draft]


Project timetable
[Figure: phases along a 2010, 2011, 2012, 2013 timeline: Assess & Survey Stakeholders; Design & Build; Public Exposure, Assess & Refine; Finalize]

4. COSO REPORT


STRUCTURE OF COSO REPORT (1992)
Part 1: Executive Summary
Part 2: Framework
Part 3: Reporting to external parties
Part 4: Evaluation Tools

STRUCTURE OF COSO REPORT (2013)
Part 1: Executive Summary
Part 2: Framework and Appendices
Part 3: Illustrative Tools for Assessing Effectiveness of a system of Internal control


1992 & 2013 COSO FRAMEWORKS

Components of the internal control
• Control environment
• Risk assessment
• Control Activities
• Information and communication
• Monitoring Activities


Why update what works – The Framework has become the most
widely adopted control framework worldwide.

[Diagram]
Original Framework: COSO’s Internal Control–Integrated Framework (1992 Edition)
Refresh Objectives: Reflect changes in business & operating environments; Expand operations and reporting objectives; Articulate principles to facilitate effective internal control
Enhancements: Updates Context; Broadens Application; Clarifies Requirements
Updated Framework: COSO’s Internal Control–Integrated Framework (2013 Edition)

The COSO 2013 Framework

The 2013 Framework focuses on five integrated components of internal control:
control environment, risk assessment, control activities, information and
communication, and monitoring activities. The updated 2013 Framework:
• Clarifies the application of the 2013 Framework in today’s environment with the
various business models, technology, and related risks.
• Codifies criteria that can be used in developing and evaluating the effectiveness of
systems of internal control – making explicit 17 principles, each with points of
focus.
• Expands reporting objectives to support internal, financial and nonfinancial
reporting, and operational and compliance objectives.
• Emphasizes the need for judgment in evaluating whether a company achieves
effective internal control.
• Focuses on accountability for internal control throughout the organization starting
at the board level and senior management.
• Explicitly considers IT controls and identifies the need for fraud risk consideration
not limited to financial statements but also within compliance and operations.


RELATIONSHIP B/W OBJECTIVES AND COMPONENTS

- Vertical relationship
- Horizontal relationship
- Internal control related to each department, each activity
of the organization and the whole organization in
general.

[Figure: The COSO “cube”. Labels: 5 integrated components; at all levels of the organization]


5. THE EFFECTIVENESS OF INTERNAL CONTROL SYSTEM
An internal control system is effective if it meets the
following three criteria:
• Understand to what extent the organization's
operational goals are being achieved,
• The financial statements are being prepared and
presented reliably,
• Laws and regulations are being followed.

5. THE EFFECTIVENESS OF INTERNAL CONTROL SYSTEM
In addition to the above three criteria, further evaluation
is required:
• Do the five components of the system of internal
control and related control principles exist and operate
effectively in practice?
• At the same time, do the 5 parts work synchronously
and rhythmically as a unified whole?


6. INTERNAL CONTROLS AND MANAGEMENT PROCESS

Manager's activities (✓ = internal control)
Set goals on a unit-wide level
Strategic planning
Building elements of the control environment ✓
Set goals at the departmental level
Risk identification and analysis ✓
Risk management
Carrying out control activities ✓
Information collection and communication ✓
Monitor ✓
Corrective actions (correction of errors)

7. RESPONSIBILITIES FOR INTERNAL CONTROLS
1. Board of Directors
2. Audit Committee (Board of Supervisors)
3. Manager
4. Internal auditors
5. Staff
6. Outside parties


BOARD OF DIRECTORS
• Participate in developing, approving and monitoring the
implementation of the mission, vision and strategy of the
unit
• Monitor the performance of managers, including
building and effectively operating an internal control
system
• Play an important role in defining expectations of
honesty and ethical values, transparency and
accountability

BOARD OF DIRECTORS
Requirements for members of the Board of Directors:
• Independent, competent and inquisitive
• Understand the operations and operating
environment of the entity and dedicate enough time to
carry out their administrative responsibilities
• Use resources as necessary to investigate issues that
arise and have open, unlimited communication with
employees, internal auditors, independent auditors, legal
consultants, etc.


AUDIT COMMITTEE
• As a committee under the Board of Directors, the
members are selected by the Board of Directors
• All members of this Committee are not on the Board of
Directors (non-executive members)
• At least one member is a finance or accounting expert.

AUDIT COMMITTEE
• Check annual financial statements
• Select an independent auditing company; work and
discuss directly with the independent auditors about
issues arising in the audit including weaknesses of the
internal control system.
• Detect and take appropriate actions in case the Board of
Directors goes beyond the internal control system


MANAGERS
• Responsible for the design, construction and operation
of an effective internal control system at the unit
• Being the decisive factor, building a solid foundation
for the control environment and other parts of the
internal control system

MANAGERS
• Participate in setting goals and strategies
• Define integrity expectations, competence, key
policies and information requirements
• Identify and deal with risks (internal and external) as
well as develop mechanisms to identify and select
countermeasures
• Design control activities
• Assessment of internal control system deficiencies


INTERNAL AUDITOR
• Through the services provided to the divisions in the
unit, contribute to increasing the effectiveness of the
internal control system
• Evaluate the effectiveness of the internal control
system, under the supervision of the system.

EMPLOYEES
• Internal control concerns the responsibilities of every
member of an entity through its day-to-day operations
• Employees contribute to the risk assessment or
monitoring process.
• Employees are the main people who operate the
internal control system at the unit.


OTHERS
• External auditors (such as independent auditors, public
auditors)
• Legislators or Regulators
• Customers and suppliers can also provide useful
information through their dealings with the organization.
• Others outside the organization such as financial analysts,
the media, etc.
