CHAPTER 3: INTERNAL - Through physical safeguards and

access controls, internal controls help

CONTROL SYSTEM secure assets such as inventory, equipment,
ME LURVE AUDIT (≧ᗜ≦) and intellectual property.
Learning outcomes: - Safeguarding assets is crucial for the
1. Fundamental concept of company's financial health and its ability to
internal control operate effectively.
2. Importance of internal control 3. **Detect and Deter Fraud and Error:
3. Documentation of internal control **
4. Strength and weakness of internal - Internal controls include
control mechanisms for detecting irregularities,
5. Management letter unauthorized activities, and potential fraud.
Fundamental concept of internal control - By promoting a culture of ethical
1. definition of internal control behaviour and implementing monitoring
2. importance processes, internal controls deter individuals
3. types of internal control from engaging in fraudulent or erroneous
4. management responsibilities activities.
- This detection capability is essential
for maintaining the financial integrity of the
DEFINITION OF INTERNAL organization.
CONTROL
A process comprising an interconnected
web of policies, procedures, attitudes, and 4. **Timely Preparation of Financial
actions that work together to provide Information: **
reasonable assurance concerning the - Internal controls streamline financial
achievement of set objectives such as the processes, ensuring that information is
production of reliable financial reports, prepared in a timely manner.
reliability of information and efficiency and - Well-designed controls facilitate the
effectiveness of operations. efficient flow of financial data, contributing
IMPORTANCE OF INTERNAL to timely reporting cycles and regulatory
CONTROL TO COMPANY compliance.
1. **Ensure the Integrity, Relevance,
and Reliability of Information: ** - Timely financial information is
- Internal controls establish checks critical for decision-making, both internally
and balances to verify the accuracy and and externally.
reliability of information used for decision-
making.
- By ensuring the integrity of data, 5. **Accuracy and Completeness
internal controls contribute to the of Accounting Records: **
trustworthiness and relevance of - Internal controls establish
information within the organization. procedures to verify the accuracy and
completeness of accounting records.
- This is vital for making informed - Through reconciliations, reviews,
strategic decisions, complying with and validation processes, internal controls
reporting requirements, and maintaining the help eliminate errors and ensure that
confidence of stakeholders. financial records are complete and reliable.
2. **Safeguard the Entity's Assets: ** - Accurate accounting records are
- Internal controls implement fundamental for producing reliable financial
measures to protect the company's assets statements and meeting regulatory
from misappropriation, theft, or misuse. requirements.
 - Definition: a set of standards,
process, procedures, and structures that
6. **Maintain Efficient and Effective provide the basis to carry out internal
Use of Resources: ** control across the company.
- Internal controls contribute to - Main idea: Reflects the overall
operational efficiency by establishing attitudes of top management, directors, and
guidelines and procedures for resource owners of a company
utilization. about internal control and its importance of
- Through performance monitoring the company.
and optimization measures, internal controls - Importance: management
help ensure that resources are used reinforces expectations at the various level
effectively to achieve organizational goals. of the organization
- This efficiency is crucial for cost - Its sets the tone of a company.
management, productivity, and overall - Influencing the control
organizational sustainability. consciousness of its people.
- 4 Basic areas:

In summary, internal controls are integral to i) The integrity and ethical values;
the overall governance and success of a essential elements of the control
company by addressing various aspects environment, affecting the design,
such as information integrity, asset administration, and
protection, fraud prevention, timely monitoring of the components.
reporting, accurate record-keeping, and ii) Commitment to competence;
efficient resource utilization. management must specify the competence
TYPES OF INTERNAL CONTROL level for a particular job and translate it into
the required level of knowledge and skills.
1. Preventive control (proactive Competence refers to the necessary
control) knowledge and skills to accomplish a
- Build to avoid errors or specific task according to job description.
any irregularities from happening. iii) Participation of board directors and
- Example: audit committee; their participation
- Segregation of duties significantly influence the control
Duties and responsibilities are segregated to consciousness of the company.
reduce risks and errors for certain events. iv) The organizational structure and
- Safeguarding of assets assignment of authority; defines how
Different departments may have different authority and responsibility are delegated
security levels to access certain parts of the and monitored.
building in the organization, or different
level of staff have different levels of access
into the company’s information system. 2. Risk assessment
2. Detective control - Define: the possibility that and event
- Find and allocate errors after they will occur and adversely affect the
have occurred. achievement of objectives
- Example: management analyses on - Risk assessment for financial
identifying unexpected results/losses on reporting is the company’s identification of
productions or reconciliations on actual and analysis of risks relevant to the
outcome and forecasted result. preparations of
5 ELEMENTS OF INTERNAL financial statements in conformity with
CONTROL applicable accounting standards.
1. Control environment
- Risk assessment forms the basis for - Regulators set at least an annual
determining how the risks will be review of effectiveness of the organisation’s
managed. internal control system.

3. Control activities
- Define: the action of policies and IMPORTANCE OF INTERNAL
procedures established in addition to those CONTROL TO AUDITOR
included in the four components. - It is impracticable for auditors to
- Main idea: help to ensure necessary perform audits of companies within the
action are taken. economic fee limitations without some
- The management directives are reliance on company’s internal control.
carried out not only to address risks but also - An effective internal control system
in the achievement of the company’s ensures the property and accuracy of
objectives. underlying accounting data; enable auditor
- Example: segregation of duties. to obtain reasonable
assurance.
4. Information and communication RELATIONSHIP BETWEEN
- Are procedures to provided, record, INTERNAL CONTROL AND AUDIT
process and report the company’s EVIDENCE
transactions and to maintain accountability - Audit evidence: information used by
for related assets and the auditor in arriving at the conclusions on
liabilities. which the auditor’s opinion is based.
- Information: are necessary for the - Evidence: financial statements and
company to carry out internal control other information.
responsibilities to support - ISA500 requires auditor to ensure
achievement of company’s objective. that information produced by entity that is
- Communication: continual, used as audit evidence needs to be
interactive process of providing, sufficiently complete and accurate to be
sharing, and obtaining the necessary reliable.
information. - Therefore, internal control system
must be efficient and effective so it can
5. Monitoring supply sufficient complete and accurate
- Define: an ongoing periodical audit evidence,
evaluation process that assesses the quality - A good ICS is when its fully
of internal control performance by complied and adhered by the entire
management organisation.
- Importance: to determine that
controls are present and operating as REVIEW AND
intended and that they are DOCUMENTATION OF INTERNAL
functioning and modified appropriately CONTROL SYSTEM.
according to changes in conditions. 1. Forms of Internal
- Evaluate & communicate any Control Documentation:
deficiency. - Internal control documentation can
take various forms, including flowcharts
MANAGEMENT RESPONSIBILITIES and the organization's policy and procedure
- It is board of director’s manuals.
responsibility to maintain a sound internal 2. Role of System Flowcharts:
control system. - System flowcharts are commonly
used to document and evaluate controls.
They illustrate the flow of information and
documents within an accounting system, policies, and procedures, depending on their
providing a visual representation of specific needs and preferences.
processes and transactions. In summary, internal control documentation
3. Purpose of Flowcharts: plays a crucial role in understanding,
- Flowcharts serve as pictorial evaluating, and improving organizational
representations of transaction flows within processes, with flowcharts serving as a
specific departments or divisions of an valuable tool for both visual representation
organization. They depict the movement of and analysis by auditors.
data, documents, and information related to 1. Requirement from the regulators
various procedures. 1. Regulatory Framework:
4. Examples of Flowcharts: - Malaysian listed companies are mandated
- Flowcharts can be specific to certain to follow the Listing Requirements by
processes, such as purchasing cycles or Bursa Malaysia to be listed in the Malaysian
credit control departments. For instance, a capital market.
purchasing flowchart might illustrate the
steps involved from the company to the 2. Listing Requirement Chapter 15:
supplier, showcasing the transactional
sequence. - Chapter 15 of the listing requirement
5. Supplemental Documentation: specifies the guidelines related to internal
- Flowcharts are often accompanied control. Para 15.26
by additional documentation that provides (b) requires the board of directors (BOD) to
detailed explanations of the processes. issue a statement in the annual report
These supplements offer a comprehensive regarding the state of risk management and
understanding of the procedures being internal control of the listed issuer as a
depicted. group.

+ 3. Malaysian Code of Corporate

Governance (MCCG) 2012:
6. Auditor's Utilization of Flowcharts: - Principle 6 of MCCG 2012
- Auditors utilize system flowcharts to emphasizes the recognition and
gain insights into business processes. By management of risks.
studying these visual representations, Recommendation 6.1 states that the BOD
auditors can identify risks, controls, should establish a robust framework for
deficiencies, and inefficiencies within the managing risks. This includes the
organization's operations. establishment of a sound risk management
7. Identification of Improvements: framework and internal control system.
- System flowcharts not only help
auditors assess the existing controls but also 4. Role of Internal Audit:
enable them to suggest improvements. - The more recent MCCG 2017
Auditors can provide valuable highlights the vital role of the internal audit
recommendations for enhancing the function in assisting the company to achieve
efficiency and effectiveness of the its objectives and enhance the effectiveness
documented processes. of risk management, internal control, and
8. Variability in Control governance processes.
Documentation:
- The nature of the organization 5. Bursa Malaysia's Statement on
influences the form of control Internal Control:
documentation. While some organizations - Bursa Malaysia issued the Statement
rely on flowcharts, others may document on Internal Control, providing guidance for
controls through written guidelines, directors of public listed companies. This
statement serves as a tool to aid good
corporate governance, outlining essential 3. Implications of Cyber Threats:
practices related to internal control within - The implications of cyber threats
these organizations. include data losses, operational

These regulations and guidelines disruptions, and leakage of sensitive

collectively underscore the importance of information.
robust internal control systems, risk - Such attacks pose a serious risk to
management frameworks, and governance the integrity, confidentiality, and availability
of company data and systems.
processes in Malaysian listed companies,
ensuring transparency, accountability, and 4. Relevance to Internal Control:
adherence to best practices in corporate - Effective cybersecurity measures are
governance. crucial components of internal control.
- Protection of company systems,
2. Review of the system networks, and data in cyberspace is
3. Cyber threat to internal control The essential to safeguard against cyber threats.
section highlights the significant cyber - When assessing risks and
threats faced by organizations in the age of formulating risk management procedures,
the Internet. It discusses the real-world organizations must consider cybersecurity
example of a global computer as a critical aspect of their internal control
malware attack that framework.
affected multiple countries
and businesses, The section underscores the imperative for
emphasizing the potential organizations to prioritize cybersecurity
consequences such attacks can have on within their internal control processes,
large organizations. emphasizing the potential financial and
operational consequences of cyber threats
Key Points: and the importance of proactive risk
management strategies.
1. Global Impact of Cyber Threats:
- The internet has created a modern
society but also exposed businesses to COMMUNICATION WITH THOSE
various cyber threats. CHARGED WITH GOVERNANCE
- An example is cited where a This section outlines the process of
computer malware spread across 150 communicating deficiencies in the internal
countries, affecting institutions like the control system to those charged with
National Health Service in the UK, FedEx governance, including management and the
in the US, and companies in Spain. Board of Directors. It provides definitions
of deficiencies in internal control, both in
2. Business Disruptions and Financial design and operation, as per standards set
Losses: by ISA 265 and the Public Company
- Cyberattacks can lead to production Accounting Oversight Board (PCAOB).
and operational stoppages, causing Key Points:
significant disruptions in business activities.
- Financial losses can be substantial, 1. Deficiencies in Internal Control:
potentially involving millions of dollars, - Deficiencies in internal control can
especially in large organizations where arise from design or operation issues,
numerous computer devices are connected preventing effective performance of
to the internet.
functions and duties, leading to potential Strength: Internal controls help mitigate
misstatements in financial reporting. risks associated with financial
2. Deficiency in Design vs. Deficiency misstatements, fraud, and errors. Well-
in Operation: designed controls can prevent or detect
- A deficiency in design occurs when these issues in a timely manner.
a necessary control is missing or not Reliability of Financial Information:
properly designed, even if it operates as Strength: Effective internal controls
intended. contribute to the reliability of financial
- A deficiency in operation happens information. They provide assurance to
when a control doesn't operate as designed auditors that the financial statements are
or when the person performing the control accurate and reflect the true financial
lacks the authority or competence to do so position of the company.
effectively. Compliance with Regulations:
Strength: Internal controls assist in ensuring
compliance with laws and regulations. This
3. Communication to Those Charged is crucial for avoiding legal issues and
with Governance: maintaining the company's reputation.
- Deficiencies in internal control must be Efficiency and Effectiveness:
communicated to those charged with
governance, such as management and the
Board of Directors. This communication Strength: Controls are designed not only for
occurs after the audit is completed. financial reporting but also for operational
4. Management Representation Letter: efficiency. Strong internal controls can
- After identifying deficiencies, enhance the efficiency and effectiveness of
external auditors prepare a management business operations.
representation letter. Management Oversight:
- The letter includes management's Strength: Internal controls promote
acknowledgment of their responsibility for management oversight. They help
control design and implementation to
prevent and detect fraud, disclosure of any management monitor and evaluate the
knowledge or suspicion of fraud affecting performance of various processes, making it
the company, and details of employees with easier to identify areas for improvement.
significant roles in internal control or Decision-Making Support:
fraud's potential impact on financial Strength: Well-implemented controls can
statements. provide reliable and timely information to
In essence, this section highlights the support decision-making processes,
importance of transparent enabling management to make informed
communication between auditors and and strategic decisions.
Weaknesses:
those charged with governance regarding Human Factor:
deficiencies in internal control. The process Weakness: Controls are only as effective as
involves identifying, the people implementing them. If there is a
documenting, and addressing these lack of understanding or adherence to
deficiencies to ensure accurate financial controls by employees, the system becomes
reporting and adherence to regulatory vulnerable.
standards. Costs of Implementation:
STRENGTH AND WEAKNESS OF Weakness: Implementing and maintaining
INTERNAL CONTROL strong internal controls can be costly. Small
Strengths: and medium-sized enterprises may find it
Risk Mitigation:
challenging to allocate resources for robust - **Timing: ** To be effective, it
control systems. should be sent as soon as the audit work is
Complexity: completed.
Weakness: Overly complex control systems 2. **Content and Objectives of the
can be difficult to understand and Management Letter: **
implement. Employees may struggle to - **Content: ** It includes comments on
comply with intricate procedures, leading to accounting records, systems, controls, and
lapses in control effectiveness. constructive suggestions for improvement.

- **Objectives: **
Inherent Limitations: - Identify control weaknesses for the
Weakness: No system of internal control purpose of determining substantive tests and
can provide absolute assurance. There will offering constructive suggestions for
always be inherent limitations, and improvements.
sophisticated fraud schemes can sometimes - Communicate matters impacting
bypass even well-designed controls. future audits.
- Highlight areas for potential
Over-Reliance on Automated Systems: efficiency or effectiveness improvements.
Weakness: As businesses increasingly rely
on automated systems, there is a risk of
over-reliance. If these systems fail or are 3. **Communication of Reportable
manipulated, there may be significant Conditions: **
consequences for internal control - **Significant Deficiencies: **
effectiveness. Reportable conditions are significant
Adaptability to Changes: deficiencies in internal control that could
Weakness: Control systems may not be adversely affect the organization's ability to
sufficiently adaptable to changes in the record, process, summarize, and report
business environment, such as technological financial data.
advancements or changes in the regulatory - **Timing: ** Management should
landscape. be made aware of material weaknesses as
It's important for auditors to assess both the soon as practical and at an appropriate level
strengths and weaknesses of internal of responsibility.
controls to provide meaningful assurance
about the reliability of financial statements
and the effectiveness of internal control 4. **Information Included in the
systems. This assessment helps auditors Communication: **
identify areas of risk and tailor their audit - **Description of Deficiencies: **
procedures accordingly. Provide a description of the deficiencies and
MANAGEMENT LETTER explain their potential effects.
1. **Purpose of Management Letter: - **Context Explanation: ** Include
** sufficient information to help those charged
- **Objective: ** The Management with governance and management
Letter serves to communicate deficiencies understand the context of the
in internal control identified during the communication.
audit to those charged with governance and - **Audit Purpose Clarification: **
management. Clarify that the audit's purpose was to
- **Delivery: ** It is delivered to the express an opinion on the financial
board of directors along with the audit statements, and the assessment of internal
report. control was for designing appropriate audit
procedures, not to express an opinion on
internal control effectiveness.

- **Limited Scope: ** Specify that

the reported deficiencies are limited to those
identified during the audit and deemed of
sufficient importance for reporting.
5. **Importance of Auditor-Client
Interaction: **
- **Response from Client: ** It is
crucial for the auditor to obtain a response
from the client on each item in the
Management Letter, including a note of the
actions to be taken.
6. **Value Addition to Audit: **
- **Not Mandatory but Valuable: **
While the Management Letter is not
required, its production is recommended as
it adds value to the audit process.
In summary, the Management Letter is a
crucial communication tool in the audit
process. It serves to highlight deficiencies,
offer constructive suggestions, and facilitate
improvement in internal controls and
operational efficiency. The timing of
delivery contributes in communication, and
client responsiveness contribute to the
effectiveness of the Management Letter in
enhancing the overall audit process.