Test of Control and Risk Assessment

Uploaded by mahedi.hasan.fca

Compiled By:

Md. Mahedi Hasan FCA CPFA


Adjunct Faculty
Department of Accounting and Information Systems
Bangladesh University of Professionals (BUP)
Business risk assessment

A business risk approach allows the auditor to:

• Identify threats faced by the organisation.
• Recognise that most business risks will eventually have an effect on the financial statements.
• Increase the chances of identifying risks of material misstatements in the financial reports.
Categories of business risk:


✓ Financial risk
✓ Operational risk
✓ Compliance risk
Risk assessment procedures
Enquiries: Management, staff, internal auditors, company bankers, legal
advisors.
Analytical procedures: Provide a broad indication of the likelihood of
possible errors.
Observations and inspections: Inspection of manuals, visiting business
premises, observing procedures taking place.
Management responsibility

Management must establish and maintain the entity's control structure, which aids management by ensuring:
• irregularities are prevented or detected and corrected;
• assets are safeguarded;
• financial records are accurately reflected;
• adherence to management policies; and
• operational efficiency is promoted and unnecessary duplication of effort is prevented.
Because of its inherent limitations, an internal control structure cannot be regarded as
completely effective, regardless of the care taken in its design and implementation.
Auditor responsibility

ISA 315 para 12 states that:

• The auditor shall obtain an understanding of internal control relevant to the audit.
• The auditor’s understanding of the internal control is then used to plan the audit and to determine the nature, timing and extent of tests to be performed.
• The above has to be done in the context of the internal control structure as defined in ISA 315.
What is Internal Control?

INTERNAL CONTROLS are the integration of the activities, plans, attitudes, policies and efforts of the people of an organization working together to provide reasonable assurance that the organization will achieve its mission.
Objectives – Internal Controls

Operations
• Effectiveness
• Efficiency
• Safeguarding assets

Reporting
• Reliability
• Timeliness
• Transparency

Compliance
• With regulatory environment


Internal Controls are

Continuous
• Built into operations
• Not one single event
• Dynamic

Effected by people
• “Only you can prevent forest fires”

Able to provide reasonable assurance
• Not absolute assurance

Adaptable
• To the entire entity or to a particular division, business process, etc.
It’s Not All About the Cash
• Internal controls are most commonly associated with money and accountability. However, internal controls should be associated with tasks all of us perform every day.

• Following are examples of what can go wrong with everyday tasks, and controls to prevent the problems from developing.
Internal Control and Everyday Tasks

Telephone Calls

What can go wrong:
➢ Unauthorized calls
➢ No one to answer telephones
➢ Wrong information given

Internal Controls:
➢ Utilize voice mail
➢ Provide staff with training, reference materials and updated information
➢ Policy on telephone use
Internal Control and Everyday Tasks
Data Entry

What can go wrong:
➢ Erroneous Entries
➢ Unauthorized entries and overrides
➢ Data not up-to-date

Internal Controls:
➢ Provide staff with data entry training and reference manuals; proof data reports against actual records
➢ Use passwords, change passwords periodically, test access privileges periodically
➢ Ensure all transactions are authorized
Internal Control and Everyday Tasks

Supplies and Equipment

What can go wrong:
➢ Theft or misuse
➢ Running out of supplies
➢ Equipment breakdown

Internal Controls:
➢ Secure storage area; perform periodic inventories for equipment; follow procedures for surplus equipment
➢ Provide training on use of equipment
➢ Follow manufacturers’ recommended maintenance schedules
➢ Periodically check supply levels
Risks of Weak Internal Controls

• Financial misstatements
• Business loss
• Loss of funds or materials
• Incorrect or untimely management information
• Fraud or collusion
• Tarnished reputation with the public
• Program Sustainability compromised
• Missed goals
The Committee of Sponsoring Organizations of the Treadway Commission (COSO)

Formed in 1985 to sponsor a Commission to examine fraudulent financial reporting. A joint initiative of five private sector organizations.

About COSO Sponsors:
• American Accounting Association
• American Institute of Certified Public Accountants
• Financial Executives International
• Institute of Management Accountants
• The Institute of Internal Auditors
The internal control system (Five components)

• Control environment
• Risk assessment processes
• Information system
• Control activities
• Monitoring controls
1. Control Environment

❑ The set of standards, processes, and structures that provide the basis for carrying out internal control
❑ Comprises integrity and ethical values of the organization

➢ The Board and Senior Management - and you!
  • Establish tone at the top
  • Establish expected standards of conduct and reinforce expectations
➢ Parameters enable the Board to carry out its governance oversight responsibilities

The Control Environment should ensure controls are in place, covering areas such as:
• Hiring practices
• Training programs
• Whistleblower policies
• Code of Ethics
• Clear lines of responsibility and authority
• Etc.

As part of our regular business processes, we should continually monitor and update the Control Environment for dynamic changes.
2. Risk Assessment

❑ Involves a dynamic and iterative process for identifying and assessing risks
❑ Risk: the possibility that an event will occur and adversely affect the achievement of objectives.

➢ The Board and Senior Management (and you!)
  ✓ Establish objectives linked at different levels of the entity
  ✓ Establish risk tolerances
➢ Must take holistic approach – look at the full organization
➢ Apply internal control to achieve multiple objectives
  ▪ Prevent domino effects, e.g., weakness in financial reporting that jeopardizes operations
➢ Increasingly important when resources are constrained


Risk Strategies

• Avoidance: Do not proceed!
• Mitigation: Improve controls to reduce likelihood/impact
• Transfer: Shift responsibility to an external party
• Acceptance: Accept the risk!
• Creation: Seek risk activities strategically to maximize opportunities
3. Control Activities

❑ The actions established through policies and procedures that help ensure management’s directives to mitigate risks are carried out.
❑ Performed at all levels within the entity

Types:
➢ Preventive, detective and corrective
➢ Compensating
➢ Manual and automated

Examples:
✓ Approvals & Authorizations
✓ Embedded verifications
✓ Reconciliations
✓ Independent Reviews
✓ Asset security
✓ Segregation of duties
Preventive Control
Prevents the occurrence of a negative event in a proactive manner

Examples:
• Approval for purchase > BDT 5,000
• Passwords for access to Banner
• Petty cash held in lockbox
• Security and surveillance systems
• Pre-numbered checks

Detective Control
Detect the occurrence of a negative event after the fact in a reactive manner

Examples:
• Supervisor review & approval
• Report run showing user activity
• Reconcile petty cash
• Physical inventory count
• Review missing/voided checks
Compensating Control

Manual Control
Require action to be taken by employees, e.g.,
• Obtain supervisor’s approval for overtime
• Reconcile bank accounts
• Match receiving to POs

Automated Control
Built into network infrastructure and software applications, e.g.,
• Passwords
• Data entry validation checks
• Batch controls
4. Information and Communication

❑ Information is necessary to carry out internal control responsibilities to support achievement of objectives
❑ Communication: the continual, iterative process of providing, sharing, and obtaining necessary information
❑ Internal and external
❑ Information should be timely, accessible, and allow for successful control actions

Key: To communicate the right information to the right people at the right time
Information & Communication

Things to communicate:
• Initiatives
• Goals
• Changes
• Opportunities
• Feedback
• Questions
• Answers
• Policies
• Procedures
• Standards
• Expectations
5. Monitoring Activities

❑ Evaluations used to ascertain whether components of internal control are present and functioning
❑ Ongoing evaluations:
  ✓ Built into business processes
  ✓ Provide timely information
❑ Separate evaluations:
  ✓ Conducted periodically
  ✓ Vary in scope and frequency
    • Dependent on assessment of risks, effectiveness of ongoing evaluations, other management considerations

Findings are evaluated against relevant criteria.
Deficiencies are communicated to the Board and Sr. Management.
Testing Control Processes

• Identify
  • transactions to be tested
  • key controls
  • applicable standards to test the transactions (i.e., criteria to judge compliance effectiveness)
• Determine
  • appropriate type of testing
  • extent of testing
• Create test plan
• Conduct tests for effectiveness
• Document testing and results
• Assess test results
• Communicate findings, recommendations
Limitations of Internal Control
Even an effective system of internal control can experience a failure.
Limitations may result from:
• Suitability to established objectives
• Reality that human judgment in decision making can be faulty and subject to bias
• Breakdowns that can occur because of human failures such as simple errors
• Ability of management to override internal control
• Ability of management, other personnel, and/or third parties to circumvent controls through
collusion
• External events beyond the Company’s control

Again, internal control provides reasonable, not absolute, assurance of achieving objectives.
How can you incorporate internal controls within your current processes?

First, must … Document the process!

Determining Where Controls are Needed

• Pick a method that suits the process: Flowchart/Narrative or Both
• Identify process owner and activity owners
• Identify the key inputs, activities, outputs, and risk points
• Identify policies that impact the process
• Identify standards that may specify mandatory controls
Common Basic Internal Control Principles

Establish Responsibility
• Assign each task to only one person

Segregate Duties
• Don’t make one employee responsible for all parts of a process

Restrict Access
• Don’t provide access to systems, information, assets, etc. unless needed to complete
assigned responsibilities

Document Procedures and Transactions
• Prepare documents to show that activities have occurred

Independently verify
• Check others’ work
Understanding internal control

Issues can include:
• Identifying the types of potential misstatements that may occur
  example: where to look for potential errors and fraud
• Understanding factors that affect the risk of material misstatement
  example: revenue recognition issues in some entities
• Designing further audit procedures
  example: assess adequacy of risk assessment procedures and plan tests of controls.
• Testing general and application controls in computerized systems.
Procedures to obtain an understanding

Procedures can include:
• reviewing previous experience with the entity being audited
• inquiries of management, supervisory and staff personnel
• inspection of documents and records
• observation of the entity’s activities and operations
• transaction walk-through reviews to confirm documented understanding
Documenting the understanding

• Internal Control Questionnaire (ICQ)
  Consists of a series of questions about accounting and control policies and procedures the auditor feels are necessary to prevent material misstatements in the financial statements.

• Flow chart
  Is a schematic diagram that uses standardised symbols, interconnecting flow lines and annotations to portray the steps involved in processing information through the information system.

• Narrative memoranda
  May be used to supplement other forms of documentation by summarising the auditor’s overall understanding of the information system or specific control policies or procedures.
Preliminary assessment of Control Risk

ISA 315 paragraph 25:
• The auditor shall identify and assess the risks of material misstatement at the financial report level, and the assertion level for classes of transactions, account balances and disclosures.

Purpose of preliminary assessment
• Assessment to obtain a reasonable understanding of controls in place and decide on the appropriate audit strategy so as to design a detailed audit program.
Process of assessing control risk

• Use professional judgement to assess the control environment.
• Assess the design effectiveness of control procedures and their ability to prevent or correct misstatements.
• Assess whether controls were effectively applied throughout the period under audit.
