Luận văn factors affecting the assessment of internal control in the audit of financial statement at small companies in viet nam

Currently, in the process of auditing financial statements, the evaluation of the internal control system still faces many difficultics and is affected by many factors inside and outsid

SUPERVISOR: MA, Doctor of Business Administration, Ngo Tri Trung

SYUDLNT: Bui Dinh Son

STUDENT ID: 15071521

COHORT: Bui Dinh Son

MAJOR: Accounting, Auditing and Analyzing

Hanoi -2019

LETTER OF DECLARATION

I hereby declare that the Graduation Project entitled “Factors affecting the assessment of internal control in the audit of financial statements at small companies in Vietnam” is the results of my own research and has never been published in any work of others During the implementation process of this project, have seriously taken research ethics; all findings

of this project are results of my own research and surveys: all references in this project are clearly cited according to regulations

I take full responsibility for the fidelity of the number and data and other contents of my

ABSTRACT

Currently, the annual audit of financial statements becomes more and more common for businesses Bul the identification of Caclors affecting the audil process has not becn widely exploited, especially at smal] companies Iherefore, in this study, | have sought to identify the factors affecting the assessment of intemal control in auditing financial statements at small companies, in order tp contribute a differen, perspective lo the audil work

In this thesis, I apply the qualitative research method and use questionnaire related to

internal control evalualsow tn the auditing of financial statements ta explore and describe the

outstanding influence factors Besides, the random sample selection among auditors helps to

make the answers more objective and diverse With the survey results obtained from the

audilor’s responses, {he assessment of internal control in small companics is influenced by many factors, mainly in internal factors and the process conduct audits

The ideniified influencing factors will contribute lo some praclical experience in the audit

work as well as novice auditors Thercby, understanding these factors will lumit the

inadequacies and increase the quality of the audit of financial statements when auditing

small companies Finally, ts topic has coutribuled a part of ihe view lo research lopics

related to internal control audits and has become a material that can be useful to other researchers

Keywords: Imtemal control assessment, small companies, intemal factors, the process conduct audits

ACKNOWLEDGEMENT

The essential of the topic

According to Vietnam General Statistics Office 2017, our country has more than 518 thousand operating enterprises, of which small and medium enerprises account for about

98.1% In which, small businesses are 114.1, accounts for 22% [1] This shows that the

small and medium enterprises plays important role and is an indispensable part of the

nalional economy, conlribuling to the suc

industrialization and modernization process ‘his growth in numbers of small companies

has led to increased demand for an effective risk management as well as sophisticated

corporale governance Every business orgariyalion is subject to some kind of risks

depending upon several factors such as the products and services it sell, the market in which

it functions, the sources through which it is financed, and the way it utilizes its resources

Hence, 1 is important to coordinale every aspect of a business organization in an effective

way, especially the internal control system in the business In other words, a good corporate internal control has now become an integral segment of risk management framework about

operation and misstatements

ful implementation of the country's

Similar to audits, internal control is a key determinant of the audited financial statements of

comparnes Currently, in the process of auditing financial statements, the evaluation of the

internal control system still faces many difficultics and is affected by many factors inside and outside the enterpriseln particular, understanding Internal Control and Assessing

Control Risk is a decisive factor for planning the audit and building effective audit

approaches In addition, the assessment of internal control is also affected by other factors

both inside and outside the enterprise Besides, internal control is becoming more and more

complex when relying on the information system and the personnel operating it or the

indusiry speuific characteristics of companies also binder (he assessinent of control internal

‘These issues are even more evident in small businesses, where the intemal control system

has many design and implementation issues

Being aware of the importance and urgency of this issue, | chose the topic "Studying the factors affecting the assessment of internal control in auditing financial statements at small companies" for tuy thesis

Object and scope of the study

- Object: actors arising and affecting the assessment of the intemal control system in auditing financial statement (non- financial institutions)

- Scope: The entire audit process and procedures relate to the infernal control assessment for auditing of financial stalemuonis al small companies

Research purposes and objectives of the study

- Research purpose: Lxplore, analyze and evaluate the factors affecting the assessment of internal control in the audit of financial statements at small companies The research focuses

on the following ixsues

— Leam and assess the status of imtemal control system in auditing financial statements at small companies

Proposing, solutions to avoid or overcome the factors that adversely affect the process of ass

The thesis uses qualitative research methods, includes surveys, in-depth interviews with

audilors, collecting data, and analysis of the factors affecting the evaluation of the ifernal

control system in the audit of financial statements

The structure af the topic

In addition to the abstract, preface, abbreviations, list of table, references and appendices in the thesis inehude the following chaplors

Chapter]: Introduction

Chapter2: Literature review

Chapter3: Data and method

Chapter4: Findings

Chapter5: Solution

CHAPTIER 1: INTRODUCTION .- "— -

1.2 Related scientific topics and the relevant thesis

GENERAL THEORY OF [NEERNAL, CONTROL "—

2.1.1 Definition of internal conttrol chinh nreeuưen

2.3 Internal control system according to COSO 2013 - - 14

2.2.2 The mherent limitations of the internat control system are most evident 1 stoall

2.3 Concept of anditing financial statements

2.3.2 The internal control assessment in the audit of financial statements 24 2.3.3 The process of assessment intemal controls in the audit of financial statements

6

CHAPTER 3: DATA & METHOD - - - 36 3.1 Research method

4.1 The influcncing factors come from the characteristics of small companies

4.3.2 The process of assessing control risks and designing control trials 49

43.4 Reassess control isks and đesign substantive †est 54

5.1 Solutions for internal control assessment in auditing financial statements 58

5.2 Solutions for thesis

TABLE OF NOTATIONS AND ABBREVIATIONS

CORO The ‘Committee of Sponsoring

Organizations of the Treadway

Commission’

VAS ‘Vietnam accounting standards

LIST OF TABLE

'Table 4.3: 'The impact level of misstatement in the previous year viet teen en BS Table 4.4: The importance of evaluating internal control at small companies compared to

Ôn eee ene tisvee ees corcietns ter eeventtotaieinsuininan anes ed® Table 4.5: The exislence of internal control and COSO (unit: 10%) - 40 Table 4.6: The level of dependence of internal control on the information system 40

Table 4.7: Influence level of changes and updates of information systems on the assessment

‘Table 4.8: ‘I'he frequency of updates or changes information systems related to internal

Table: 4.9: Influence factors rom COSO dees " „8

Table 4.10: Frequency of applying the methods when understanding the internal control

system of the auditor at small compaies con cà cà sec cea.48 'Table 4.11: The subjectivity and judsment of the auditor in assessing the control risks of frauds and errors based on the design of the intemal control system AT

LIST OF CHARTS AND FIGURE

Diagram 2.1: Process of auditing financial statements 23 Diagram 2.2: Process of assossment internal conroÌ systet c.c 26

Figure 4.1: ‘The importance of evaluating internal control at small companies compared to

CHAPTER 1: INTRODUCTION

OVERVIEW OF RESEARCH TOPIC

1 Studies on internal control systems in Vietnam

1.1 The audit curriculum in Economics University

Tn Vietnam, the theory of examination and evaluation of intemal control system im the

auditing of financial statements is firstly presented in the textbook of audit theory, financial

audit curriculum of Universities of Economics In the auditing curriculum that the internal

control system is approached as a part of the work of auditors, it is necessary to learn and

evaluale lo make ant appropriate and effective overal? audil plan and audit program Internal

control systems and control risks can be presented in a separate chapter or presented with

other basic concepts in audiling The texthook "Auditing and Assurance Services" of

international school edited by (Arens, Elder, & Beasley) presented the process of evaluating the intemal control system in auditing financial statements Basically, the content and

process of internal control evaluation researched and presented in the audit curriculum of

universilios of ceonomis scotors arc relalively consistent with cach other

1.2 Related scientific topics and the relevant thesis

Scientific project “Improving the quality of research and evaluation of the internal control

system of Stale economic groups in the audif process conducted by the State Audit", by

Prof Dr Ngo The Chi and Dr Pham Tien Ilimg co-chaired the implementation in 2013

The thesis generahzed theoretical issues on the characteristics of (he Stale economic group

and the internal control system of the State Economic Group as a basis for the public research and evaluation of internal contro! system implemented by the State Audit ‘The

thesis approaches the intemal control system from the perspective of evaluating intemal control systems to serve audit activities when conducting the audit process at State

Lconomic Groups Internal control system is only content in the topic The main content of

the topic is ta focus on research, identify objectives, subjects, content, criteria for research

and evaluation of internal control sysloms of State Economie Groups as well as building

research processes and evaluate the internal control system of State economic groups Therefore, the internal control system presented in the topic is not very comprehensive in texms of setting up and operating to deal with the risks of businesses |2]

Through surveys and researches at major universities (National Economics University, Finance Academy, Banking Academy, Commercial University, cle.) and the dissertation publications Students on websites at the National Library and University Libraries, so far

H

there have been many research dissertations on the internal control system towards the

approach of auditing process im an erferprise or an industry Tn particular, the internal control evaluation stage is a part of it In general, in terms of the research on internal control evaluation process from the perspective of an audit of financial statements, most dissertation Lopies have nol clarified the factors thal need to be focused on, have images directly and indirectly influence the assessment of internal control In practical terms, the access and evaluation of the internal control system in auditing financial statements in small

companies or industries is still limited and has not received much attention

From the previous related topics and received the above comments, the author found that the approach and resvarch of the topic "factors affecting the assessment of intemal control

in the audit of financial statements at small companies "is completely new and necessary

CHAPTER 2: LITERATURE REVIEW

GENERAL THEORY OF INTERNAL CONTROL

2.1 Concept of internal control

2.1.1 Definition of internal control

Internal control, as defined by accounting and auditing, is a provers for assuring of ant

organization's objectives in operational effectiveness and efficiency, reliable financial reporting, and compliance with laws, regulations and policies A broad concept, intemal

control involves everything that controls risks to an organization

It is a means by which an organization's resources are directed, monitored, and measured It

plays an imporlanl role in detecting and preventing Faud and protecting lhe organization's

resources, both physical (e.g., machinery and property) and intangible (e.g., reputation or intellectual property such as trademarks)

Al the organizational level, internal control objcolives relate to the rebability of financial reporting, timely feedback on the achievement of operational or strategic goals, and

compliance with laws and regulations At the specific transaclion level, internal controls

refers to the actions taken to achieve a specific objective (eg., how to onsure the organization's payments to third parties are for valid services rendered.) Internal control procedures reduce process variation, leading to more predictable outcomes Intemal control

is a key clement of the Forcign Corrupt Practices Act (FCPA) of 1977 and the Sarbanes—

Oxley Act of 2002, which required improvements in internal control in United States public

corporations Internal controls within business entities are also referred to as operational

controls [3]

z Nature of the internal control system

According to the standards of Vietnam Audit, from the perspective of auditors (Auditing

Standard No 315): Internal control 1s the process established by the Board of Dirceters, the Board of Directors and other individuals in the unit design, implement and maintain to

create a reasonable assurance about the entity's ability to achieve its objectives in ensuring the reliability of financial statements, ensuring efficiency, performance, and compliance Relevant laws and regulations

According to COSO (Commitlce of Sponsoring Organization) “Iuternal control is a process governed by the manager, the board and the employees of the unit, it is set up to provide a reasonable assurance to achieve the goals”

13

Intemal control system is understood as a system of control processes, policies and procedures logether with technical means designed 10 control internal activities of the enterprise, ensuring that the enterprise strictly complies with objectives, ensure the reliability of financial statements, comply with the law

Effective internal contro! system is the basis to ensure the success of the unit in general and businesses in particular The design and operation of adequate and appropriate control

procedures is a mechanism Lo ensure the realizalion of the objectives: safeguarding the

assets of the onterprise, onsuring the reliability of information, onsuring compliance, legal regimes, ensuring operational efficiency and management performance With the development in the awarcness of ilernal control in accordance with the requirements sel out in practice, the role of the internal control system is not only Limited to ensuring the traditional goals, but also has an impact use organizational support and create added value

for the unit, even helping businesses move towards non-material values, such as integrity

and cthical values However, when the system does not exist or has weaknesses, the

performance and results of the business will be seriously affected Therefore, it is important

to be aware and identify the possible fimitations within the system ilself These limilations

depend on factors: the ctfectiveness of the types of internal control, the internal contiol

cannot guarantee that mistakes are prevented, corrected and detected promptly, outdated

control procedures, out of control, lack of manager attention

In accordance with Intemational Standard on Auditing (ISA) No 400, there are 3 factors that need to be considered:

- Virstly, internal control system is a set of processes, policies and procedures to control all activities of the mit such as controlling investment activities, controlling fixed assets, controlling sales oyele

- Secondly, internal control system inchides technical facilities for control such as information aysloms, data processing software

- Finally, internal control system is designed and operated by humans Lo ensure that

enterprises meet the objectives [4[

2.3 Internal control system according to COSO 2013

2.3.1 Components

According to COSO 2013, the components of intemal control systems was kept unchanged

compared to the 1992 reporl, including $ components: Control environment, risk

assessment, Control activity, Information & Communication (communication and

14

information system) and Monitoring (monitoring of controls) These components are similar

to Those specified in the Vietnam Slandard on Audit No 315

The control environment represents the culture of internal controls at the organization For

example, his objective socks to determine if the organization has a cullure of discipline and compliance or a culture of fax policies and procedures ‘This culture often begins with the

actions of executive management sa a control related to the Board reviewing CLO

performance would add to the control environment

The risk assessment is an activity whereby all of the activities and associated risks in an organization are looked al and cach considered ona spectrum of either low risk or high risk Likelihood of occurrence is also considered to determine which risks faced by an organization should be addressed first A risk assessment may identify cash handling or billing as risks that need to be audited

Control activities are those procedures and internal controls put in place to mitigate risks, particularly those thal mamagement considered loo risky during the risk assessment These

are aclivities that management, their staff, and internal auditors test to ensure compliance

For example, if the risk identified in the risk assessment is cash handling, a control activity might be having two people involved in cash payments

Information and communication is how management communicates the culture of compliance and the specific policies individuals need to follow Information and communication are contral parts of a strong culture of discipline An cxaiple of this would

be requiring that new or amended policies be sent out to everyone in the company so they are aware of the change

Finally, monitoring, activities are activities managers use ta monitor processes or internal

controls within the organization For example, if a purchasing manager gels a weekly report

of all purchases that were greater than $5,000, they would be performing a monitoring activity [ST

‘rhe control environment represents the culture of internal controls at the organization For example, this objective seeks to determine if the organization has a culture of discipline and compliance or a culture of lax policies and procedures This culture often begins with the actions of executive management, so a control related to the Board reviewing CEO performance would add to the control environment

The risk assessment is an activity whereby all of the activities and associated risks in an organization are looked at and each considered on a spectrum of either low risk or high risk,

15

Likelihood of occurrence is also considered to determine which risks faced by an orgenization should be addressed first A risk assessment may idontily cash handling or

billing as risks that need to be audited

Control activitics are those procedures and internal controls put in place to mitigate risks, particularly those that management considered too risky during the risk assessment ‘These are activities that management, their staff, and internal auditors test to ensure compliance For example, if the risk identified in the risk assessment is cash handliryg, 2 control activity might be having two poople involved in cash payments

Tafonnalion and communication is how management communicates the culture of

compliance and the specific policies individuals need to follow Information and communication are central parts of a strong culture of discipline An example of this would

be requiring that new or amended policies be sent out to everyone in the company so they

are aware of the change

Finally, morrtoring activities are activities managers use lo monitor processes or infernal

controls within the organization For example, if a purchasing manager gets a weekly report

of all purchases that were greater than $5,000, they would be performing a monitoring

activity [6]

2.3.7 The role of internal control in financial reporting

~The goal of Internal Control 2013 is maintained by COSO compared to the 1992 report:

Objective of effectiveness and efficiency of activities

Objectives of the reliability of financial statements

— Objectives of legal compliance [4]

- Tnlernal control of financial statements is an important interval management mrechamsrn to

provide internal inspection and limit personal profit Jensen 1993, Bushman and Smith 2001; Acharya et al, 2011) Therefore, the internal control system is considered the first

line of defense im prolecting the qualily of accounting imformation al the uit (Wang and

Huang, 2013) Internal control of financial statements is ineffective, creating favorable

conditions for making false accounting data, thereby reducing the accuracy and quality of

Financial statements (Gao & Tia, 2015) The enlily's reporting system carmot be useful, if iL

is based on unreliable and maccurate transaction records (Hlmaleh, 2012) In other words,

the lack of appropriate internal control procedures makes the financial management of an

organization encounter risks, including inaccurate financial statements / loss of assets of the

16

entity, The loss and mismanagement of the organization's essential dacuments due to abuse

of omployce rights, Financial books contain many errors and unreliability, which lose the integrity of the organization; Do not implement accounting policies in accordance with the requirements of financial statements presentation (Amaka, 2012) The effective operation of the internal control system will provide a guarantos for the waragement of Ihe reliability of the accounting data used, in creating information to support the decision making of the head

of the application (Amaka, 2012:Sader and Cluié, 2013) Therefore, the effective internal

control system is a decisive factor for the preparation of quality financial statements

because of the ability to prevent procedural orrors, measure, distort income, as well as limit

potential risks in operation (Doyle et al, 2007; Brown et al, 2008)

2.2 Internal control in the small organizations

2.2.1 Concept of a small company

A small or small enterprise / individual is also referred to as a subsidiary or subsidiary

(parent-clild relaliouship) as an enterprise, usually a private enterprise with a number of

Operations, small staff and relatively low volume in sales Some of the smail businesses are

usually owned by corporations, partnerships, or private busiuesses

> In Vietnam

On March 11, 2018, the Government issued Deere 39/2018 / Goversmuent Decree, guiding the Law on Supporting Small and Medium Enterprises to replace Decree 56/2009 / Government Decree on ume 30, 2009

Accordingly, the criteria for identifying small and medium-sized enterprises under Decree

39/2018 / ND-CP are as follows:

According to Article 6, criteria for identifying small and medium-sized enterprises

Small and medium-sized enterprises are classified according to size, including microenterprises, microenterprises,

1 Micro enterprises in the fields of agricullure, forestry, fisheries and industry and construction have an average number of employees participating in social insurance, with

an annual number of not more than 10 and an annual iumover of no more than VND 3 billion or the total capital of not more than VND 3 billion Micro enterprises in the field of commerce and services have an average number of employees participating in social insurance of no mare than 10 people per year and total annual revenue of not more than 10 billion dong or total capital of not more than 3 billion dong

17

2 Small enterprises in the fields of agriculture, forestry fishery and industry and construction have an average umber of employees participating in social insurance, not exceeding 100 people and the total annual revenue does not exceed 50 billion dong or the total capital source does not exceed 20 billion dong, but it is not a micro enterprise as

prescribed in Clause 1 of thos Article Stall businesses in the field of commerce and

services have an average number of employees participating in social insurance of no more than 50 people and total annual revenue of no more than VND 100 billion or total capital of

no more than VND 50 billion, but is not a micro enterprise as stipulated in clause 1 of this

Anticle

3 Medium-sized enterprises in (he Ïields of agriculire, [oresry, lshery and industry nnd construction, with an annual average number of laborers participating in social insurance of

no more than 200 and a total annual turnover of not more than 200 billion dong or the total

capital source does not exceed 100 billion dong, but it is not a small enterprise, a micro

enlorprise as prescribed in Clauses } and 2 of this Article Medium-sized enterprises in (he field of commerce and services have an annual average number of employees participating

in social insurance of ne more than 100 and tolal annual revenue of not more than VNT2 300

billion or total capital of not more than VND 100 billion, but is not a micro-cnterprise or a

small enterprise as prescribed in Clause ] and Clause 2 of this Article

According to Article 7, the areas of operation of small and medium-sized enterprises are determined

The operation arcas of small and medium-sized enterprises are determined based on the provisions of the law on the system of economic sectors and the provisions of specialized laws In the case of activities in many fields, small and medium-sized enterprises are determined based on the field with the highest revenue The highest revenue field is not available, small and medium-sized enterprises are determined based on the areas with the highest labor use

According to Article 8, the average number of employees participating in social insurance

of small and medium-sized enterprises is determined armually

1 The mumber of employees participating in social insurance is the total number of employees managed, used and paid by the enterprise for participation in social insurance

umder the law on social insurance

2 The average number of employees participating in social insurance is calculated by the total number of cmployces participating in social insurance of the year divided by the

18

number of months in the year and determined on the voucher of payment of social insurance

of the previous year adjoining enlorprises to social insurance agencies

In case an enterprise operates less than Ol year, the average mumber of employees participating mm social insurance is calculated by the total nunber of eimployces participaling

in social insurance of the operating months divided by the munber of operating months

According to Articte 9, the tolal capital of small and medium-sized enterprises is determined

The total capilal source is delermined in the balance sheel shown in the finanwial siaterers,

of the preceding year that the enterprise submits to the tax administration agency Lf an enterprise operates for less than 01 year, the total capital shall be determined in the

enterprise's balance sheel at the end of the quarter preceding the lime when the enterprise

rogistered to reecive support contents,

Accoriling to Article 10, lhe total revenue of small and medium-sized enterprises is determined

Total revenue of the year is the lotal tumover of goods sale and service provision of

enterprises and is determined on the financial statements of the precoding ycar that enterprises submit to tax administration agencies In case an enterprise has operated for less than 1 year or more than 1 ycar but has nol generated any revenue, it shall base on the criteria of the total capital source specified in Article 9 of this Decree to identify small and

medium-sized enterprises

> ‘The role of small enterprises in the cent economy

Small and medium enterprises are a common economic type in he ceonmmics of most countries, always accounting for a high proportion, a major part of creating the gross national product, contributing to the liberation and development of health production,

contributing to socio-economic development, economic growth and participating in

effective settlement of social issues such as job creation, hunger eradication aud poverty reduction Thanks to the small organization Compact and flexible operation, diverse, rich, dynamic present in most business lines [7]

2.2.2 The inherent limitations of the internal control system are most cvident in small and medium-sized companies

An effective internal control system can only minimize violations but cannot guarantee

risks, frauds and exrors do not occur ‘he inherent limitations of internal control stem from

the following reasons

19

- Internal control system implemented by people: The relationship between benefits and

cols,

- Intemal contro! system does not cover unforeseen risks

- In summary, intemal control provides a reasonable assurance, not an absolute guarantee of the objectives to be achieved Internal control can only prevent and detect errors and frauds

but carmol guz

also exist certain risks The problem is that the manager has identified, assessed and limited them to an acceptable level

antee thal they will nol accur, Therefore, an efleclive internal control system

> The li

tions DETC in small companies according to COSO framework

For most small businesses, when they mention COSO or the titermal control system, they

often find it difficult to visualize the theory from the practical application to each type of

their business, from which leading to problems in their management and control systems

Control environment

The realities of small businesses today are part-time work, employees who do many things

in an isregular manner, the job descriptions of employees are unclear and constantly changing, businesses are mostly operate and "operate" based on personal feelings and experience, bul nirely follow the rules and principles of right and wrong

Managers cannot immediately set up a complete and complete management system, they camol force their employees to follow a specific set of principles because basically, themselves ‘They are not able to build a system of principles, complete and effective processes Meanwhile, a series of issues that come with preat risks that the board of direolors and management levels must always consider business clhics, employee performance, frauds in the process of doing business, job

- | office worker selling and managing the warehouse at the same time?

- 1 sales admin officer cum treasurer position’?

20

- | HR manager has recruited and paid?

Hach risk has different levels of the influence ‘The level you want to control in the present time depends on the level of risk that businesses rated themselves as high or low Ilowever, not only small and medium cuterprises, but also larger enterprises must always be in the state of anticipating and dealmg with many different types of risks such as irrecoverable debts, inventories, management, messy arrangement, can lead to theft or embezzlement, many personnel bul the efficiency level of the job is not high

Control acti

ies

Control activities usually refer to the Company's processes, such as sales processes,

purchasing processes, inventory management processes, etc

Each business can offer many processes, and in the process will need many basic control paints (key controls) Small and medium-sized businesses usually need to focus on basic

contol pomis to be able to handle current risks and avoid custentl losses

In the case of an organizational chart being a warehouse controlled by the sales department, where the sales clerk is also the store keeper, the control may be applied through control activitics such as: adding cross-checking procedures for warchousing and ex-warchousing, Can perform regular inventory / unscheduled inventory with the participation of an independent party (can oulxouree also be an employee of another departinent)

Contral activities will also depend on the personnel that the business has, as well as the

capabilities of the human resources that SME has the most effective way Fach business

will consider and make the best plan for its business, based on the available resources and the desire to control of each business owner

Information and communication

Most of the reports that small businesses need are simple and the thinking process should be

simple Businesses are stereotyped and rigidly based on available report templates, the information will be fragmented and hard to Link, especially when the enterprise software

system is very simple, even unavailable Start with the nece

and casy to do, the simple indicators, casy to sec and analyze from the department

Wy Teports, easy to understand

A simple oxample of a management report for a business with 4-5 colffce shops is

— Report the results of production and business of each store and the total number of the whole company

Balance sheet of the Company

— Analyze the cost structure of each store and corporation

— Compare costs of adjacent months

Analyze the sales of each store and company, analyze the top 5/10 best-selling items

Monitoring

Small businesses, the monitoring supervision must also be extremely simple, do not think a lot about outsourcing the audit, or making internal control rooms, recruiting internal control personnel First of all internal monitoring, The mutual supervision of the departments should be strictly applied, and the sole of the supervisor / manager is also very important, Tn addition, control personnel will assist with ad hoc inspections, for example, performing the following procedures:

— Management for mexpected fund checking

— Managing for unscheduled inventory, checking a lew unexpected items (or cant aulhorize inspection personnel to check)

— Independent inspootion department (for example, taking a technical party to participate in inventory at the same warehouse)

— Hire aulitors lo participatc int stocklaking atthe end of the year

Therefore, small companies need a way to save money bul still be effective, meeting the

requirements that businesses desire When the business grows to a certain extent, the owner will consider recruiting and developing the internal control, auditing and control

departments such as COSO [8]

2.3 Concept of auditing financial statements

2.3.1 Auditing financial statements

A financial statement audit is dhe examimation of an entity's financial slalements and

accompanying disclosures by an independent auditor ‘he result of this examination is a report by the auditor, attesting to the faimess of presentation of the financial statements and

telaled disclosures The auchtor's reporl must accompany the financial slalements when they

are issued to the intended recipients

The purpose of a financial slatement audil is to add credibility to the reporied financial position and performance of a business ‘The Securities and Exchange Commission requires

2

that all entities that are publicly held must file annual reports with it that are audited Similarly, lenders typically require an audit of the [nancial slalements of any entily lo which they lend funds Suppliers may also require audited financial statements before they will be willing to extend trade credit (though usually only when the amount of requested credit is substantial)

Audits have become increasingly common as the complexity of the two primary accounting frameworks, Generally Accepled Accounting Principles and Tuternational Financial Reporting Standards, have increased, and because there have been an ongoing scries of disclosures of fraudulent reporting by major companies The purpose of a financial statement audil is lo add credibility to the reported financial position and performance of a business

‘the Securities and Kxchange Commission requires that all entities that are publicly held must file annual reports with it that are audited Similarly, lenders typically require an audit

of the financial statements of any entity to which they lend funds Suppliers may also roquire audited financial statements before they will be willing to extend trade credit (though usually only when the amount of requested credit is substantial)

Audits have become inereasingly common as the complexity of the two primary accounting frameworks, Generally Accepted Accounting Principles and Intemational linancial Reporting Standards, have increased, and because there have been an ongoing series of disclosure of fraudulent reporting by major companies [91]

> The effect of the internal control system on the audit work

In every enterprise, the inspection and control fimetion always occupies an important

position and is implemented by managers through internal control systems Managers

design and operate the internal control system to run every employee, every activity, and

internal contro! is not limited to financial and accounting functions but also covers other

functions such as administration, manufacturing Therefore, before performing audits for

clicnit companies, auditors always perform resvarch and evaluate the internal contral system

of customers In accordance with Auditing Standard No 400, the auditer must have

sufficienl knowledge of the accounting system and the imertal control system of the

customer to make an appropriate and cffective overall audit plan and audit program The auditor shall use his or her professional judgment to assess the audit risk and identify accounting procedures to reduce the risk of accounting losses ta an acceptable level

Control risk is the possibility of a material error on the financial statements that the internal

control system cannot prevent and detect The more effective intemal control system, the

lower the risk of control is Based on the determination of the level of risk, the auditor will determine appropriate audit, methods

If the internal control system operates effectively, the risk of control is low The auditor will apply the compliance audit mothod On the coulrary, if the internal control system is weak, the risk of control is high ‘he auditor will apply the basic audit method ‘The evaluation of the intemal control system also helps with proper audit planning If the

inlernal conlrol system is effective, the risk of control will be low The amount of audit

evidence collected will be less, thereby ostablishing appropriate audit time and cost At the

same time, through the research and evaluation of the intemal control system, the auditor

ear identily the strengths and weaknesses of (he imlermal audil and delormime the center [or the audit [10]

2.3.2 The internal control assessment in the audit of financial statements

The work of assessmeut the inlernal control system is carried oul in 2 slages: planing audit

and conduct audits

Audit planning stage:

The finding and preliminary evaluation of internal controt systems must be carried out in all

Tinaneial slalemenls auchis The objective of the rescarch work at this stage is to provide the auditor and the auditor with a general view of the operation and operation of the internal control system of the customer, from which Preliminary prices on internal contral systems

and control risks This is also the basis for selecting the method of conducting the audi

Audit phase: The auditor will only perform an audit of the internal control system during

the poriod of performance If during the period of plarming the audiling risk is assessed il is

not high or the auditor hopes to reduce the control risk

The objective of evaluating the internal control system in (his paragraph is to re-evaluate

whether the control risk is truly as the auditor's initial judgment is and is therefore the basis for strengthening or reducing the basic test [10]

> Diagram 2.1: Process af auditing financial statements

- Selecting an andit team

- Making audit contracts

contracts

Slrategic auuit planning (for large scale customers, complex nalue, lage

geographical areas or multi-year financial statements andits)

Planning - Coliccling basic information, informulion on legal the overall | obligations of customers

Resnit evaluation

Audit conclusion and financial statements:

- Making a summary of audit revulls

- Collect explanatory letters from the company board of directors

- Reviewing events after the release of financial statements

- Complete the audit records

Evaluating the results and quality of the audit

Activities after anditing:

~ Evaluating lhe results and qualily of Une audi

25

According to Victnam Standard on Auditing No 300

- Strategic planning: Auditor learns preliminary information about customers through the mass media, through audit records, through their predecessors In this step, the technician performs the following tasks:

Assessment of control and risk handling, of the audit: The evaluation of the internal contrel system to verily the existence of (he internal control system and the basis for determining the scope of performing basic tests on the balanve and business of clients This

is done through the following steps: Gathering knowledge about the internal control system

of the customer; Tritial assessment of control risk; Perform control tests and make evaluation tables of internal control systems

Questions to assess the accounting syslem, taxes, applicable accounLing policies, cycles

Making discussion and signing the audit contract: after accepting customers, the two

parties discuss and sign the audit, contract

— Selection of auditing staff: The selected auditing staff is experienced and highly qualified

Vvilies, accounhing process

Procedures for analyzing material and risky assessments and assessments: The auditor provides preliminary analysis on malcrialily and auditing visks Evahmle and highlight material and risks for eavh part of operation, items to prepare for the audit program [11]

According lo Vietnan Standard, auditing 400, tisk assessinent and intemal control: “Audit

risk (AR) is the risk that auditors and the Auditing Company make inappropriate comments

when the financial statements have been audited with material errors ” Risk assessment Audi through three-part evaluation: Poteraal Risk (TR), Controt Risk (CR) and Detection

Risk (DR) based on the relationship retlected in the tissue The following image:

- Auditing program: Based on the overall plan, the auditor builds a specific audit program

for each audil part During the courss of the audil, auditors will be subject to the audit

process and may only change it under special circumstances

26

- Identify and allocate material items: The determination of material importance of the Company is based on two dimensions: the

After identifying significant items, the auditors shall make material allocation to each item

as a basis for the audit,

ive and imporlanee of firmmeial information

Conduct audits

The audit phase is the main state comsisting of 2 steps

+ Internal controls testing

Participate in evaluating the effectiveness of the control apparatus in the company, concentrating on such areas as proper authorization, the safeguarding of assets, and the segregation of duties This can involve an array of tests conducted on a sampling of transactions to determine the degree of control effectiveness, A high level of effectiveness allows the auditors to scale back some of their later audit procedures If the controls are inelfeetive (ic, there is a high risk of malerial misstatement), then the auditors must use other procedures to examine the financial statements, ‘here are a variety of risk assessment questionnaires available that can assist with internal controls testing,

+ Substantive test

The next siợp is to perform procedures lo analyze and check details of the balances as well

as perform additional detailed tests Analytical procedures used to check the general

reasonableness of transactions and balances Detailed checking of balances is the specific

procedure that needs to be done to check for monetary errors in financial statements

End of audit stage

After performing the test of control and substantive test, obtaining sufficient audit evidence,

having sufficient grounds to make comments on the audited financial statements of the

audited umit, the auditor will gather the working documents and audit evidence into the

audit records and the stage of the completed audit

Refore preparing the auditor's report, the auditor should perform 1

reviewing contingent liabilities, examining events ocowring after the balance sheet date, reviewing operation assumptions continuous and overall review of the audit result

ary (asks such as:

the audit of financial

2.3.3 The process of assessment internal controls i

statcments according to Victnam standard on auditing

tà bị)

> Diagram 2.2 Process of assessment internal control system

Understand the entity's internal control system for audit

planning

Control risk assessment and design of control tests

Perform control tests

Reassess risks and design substantive test

2.3.3.1 Learn about the unit's internal control system

In this stage, the auditor learns about the entity's internal control on two main aspects: the design of internal control including the design of control regulations and the design of the control apparatus; Continuous and effective operation of internal audit

Understanding of internal control is performed during the audit planning stage, in which the

technician must lea about the design and operation of the internal control system by each

component to:

+ Evaluating whether there are audited financial statements

The technician must collect information about the integrity of the Board of Directors with the nature and scope of accounting records to be satisfied that the evidence is sufficiently appropriate and available to prove the balances on the financial statements

* To identify and assess potential violations

* To decide on the appropriate level of control risk that affects the identified risk, thereby influencing the decision on the amount of audit evidence to collect

* To plan the design of appropriate surveys

~ Initial assessment of control risk to plan items on the financial statements

28

- Perform control tests

- Set up evaluation sheet of intemal control system

+ Approach lo the business eycle: According to Uhis method, the auditor considers control policies and procedures to each business cycle (financial investment cycle, spending cycle, and cycle production, revenue cycle)

‘This method allows the technician to divide the transactions and account balances into clear

categories (cycles) and then the auditor can gain an understanding of how control is

performed for the relevarit critsria base to cach business type and account balance in that

cycle

Procedures for gaining writien undersianding of infernal central systems

& The method of application:

Similar to the stage of understanding customers’ business activities, the methods that auditors often apply when understanding the internal audit system:

- Based on the auditor's previous experience with the customer:

Moat audits of a company are porformed armually by ani audit Gir As a result, auditors

usually start the audit with a large amount of information about the client’s internal control

system gathered from previous audits Because control systems often change frequently,

information can be updated and carried aver to the current year

- Interviewing employees of the client company

This work helps the auditor to collect initial information (for new customers) or capture

changes in the internal control system of customers (for annual customers) to update

Update information for the aucht in the current year

- Review manuals on procedures and regimes of client companies:

29

Through research and discussion with customers about this document, the auditor is able to understand the procedures and regimes relaicd to internal control applied in the client

company

- Check completed documents and books:

Through this audit, the auditor can see the application of procedures and regimes on the

chert com

any

- Observe the activities and operational processes of the client company

‘this work reinforces an understanding of the knowledge about the actual use of internal control procedures and regimes at the client company

‘To describe the internal control system, the auditor uses one of three methods or all of the

following three methods depending on the characteristics of the entity being audited and the

sive of the audit: drawing {lowehurls; sel up questionnaires on intertal control, wake @

report on intemal control

- Quoslionnaire on intemal conlrol system This lable prescris questions according to the 7

detailed objectives of the internal control system for the internal control system Questions

are designed as “yes” or "no" answers and "no" answers will show weaknesses of intemal

control

The advantage of this tool is that it is built-in so that the auditor can proceed quickly and do

nol miss imporianl issues But due io the overall design, the questionnaire may not be

suitable for all types of businesses

Tn fact, Ihe auditors are ofien used a combination of these two forms io give auditors the

optimal image of the intemal control system Flowcharts (including horizontal and vertical flow charts) help the auditor to more accurately comment on the control procedures that apply to the activities and easily indicate which additional control procedures are needed

In the meantime, the questionnaire or the internal control narrative provides additional

analysis of controls Lo help dhe auditor 1o beter understand internal control

The combination of questionnaires with flowcharts or narrative tables will help the auditor better understand the mternal control system of clients

2.3.3.2 Control risk assessment

30

Contral risk assessment is part of the process of understanding the assessment of intemal control systems, accounting systems of customers Therefore, in arder to assess the risk of control during the preparation of the financial statements auditmg plan, the auditor must

collect information about the design and operation of the internal control systems of the

enterprise to make the initial assessments on control nsk for the assertion of the underlying economic and account balances

Tn fact, the fevel of control risk is uever vero (0} because the internal control system always

has its inherent disadvantages When evaluating the internal control system, the auditor

must leam and research the internal control system of the customer Control risk assessment

work is usually cvaluated by the auditor through the following slops

First step: Gathering insights on the customer's internal control system

Understanding the internal control system helps the auditors on the one hand assess whether

to accept the financial statements audit; and through the inquiry process will give the

auditor a basis [or making an assessment of the level of control risk To acecss the chent’s

internal control system, the auditor will use two common approaches: the item-based

approach and the business process approach

‘Techniques commonly applied by technicians to understand intemal control systems and assess customer control risks:

— Based on the experience of the auditors and interview information from customers;

Reviewing the manual on procedures and regimes at the unit:

Check the accounting records of the unit, through checking auditors will know

information on how lo apply the policy regime of Uhe unit;

— Closely monitoring the operational situation of the unit in order to strengthen the

understanding of practical knowledge as well as the use of internal control procedures and

regimes at the unit,

Affer secking information about the internal control systern, the auditor proceeds to describe

in detail the information on working papers for control risk assessment

The second step: initial assessment of control risks planning for each item on the

financial statements

Control risk will be audited and evalunted through initial information collected about the accounting system and the internal control system of the customer The auditor will assess

31

the control risk at a low level if the auditor finds that the intemal control system of the cuslomer operates and operates effectively and viee versa “Au initial as

risk is the evaluation of the effectiveness of the entity's imternal control and accounting system in preventing or detecting and correcting material misstatements Control risk is not complelely chminated duc to the potential Innitation of accounting system and internal control system” [4, p 89]

essment of control

Control risk assessments are usually performed sequentially through the following steps

Firstly, identify the specific control objectives under which the control risk assessment

process is applicd: the auditor apphes the objcelives of the trúernal control system to assess

the control risks for each item business section

Secondly, identify specific control processes: the auditor's focus is on analyzing the specific control processes that are oxpected to affect the satisfaction of audit objectives that are highly effective :

— Thirdly, assess the disadvantages of the internal control system: the disadvantages of the internal control system occur when there is “absence" of the internal control system The

ineffective operation of the internal control system will increase the possibility of

significant errors in the financial statements of customers

— Fourthly, assessing control risk: afler completing the name steps, the auditor will assess the client's control risk ‘The auditor may assess the risk of qualitative control (using three levels: Iligh, Low, Medium) or quantitatively (using a percentage) [12]

Third step: Gathering evidence of the existence of control regulations and procedures

to reduce the basis of balances and transactions

According to the Vietnam Standard on Auditing 400, paragraph 37, “Auditors must collect

sufficient appropriate audit evidence to prove that the assessment of control risk is not at a

high level"[4, p.93] Therefore, the auditor will perform audit procedures to reduce the basic

tests that must be performed ‘he auditor uses a test of control to gather sufficient evidence

as a basis to prove the aperation of the internal control system and the accounting system is

effective in two aspects: design (detection, deterrence, prevention) prevent from correcting

dolected cmors); and implementation (effective during the period)

Controlling tests include: eh

field observation interviews, rechecking the implementation of internal control procedures Control risk assessment during the audit planning, process helps the auditor collect evidence

king docimnents of arising ecouomie operations,

conducting

32

about the existence of the client's internal control system to localize risks and design audit procedures accordingly

- Final step: make a final assessment of control risks and make an evaluation of the

internal control system

Based on the three steps above, the auditor will make a final assessment of control risk and redesign control tests aller the internal control system cvalualion lable is completed The level of control risk will be changed by the auditor if after performing control tests that the auditor is unable to prove the existence or ineffective operation of the intemal control

system Tf the control Lests show the auditor thal the internal control sysiem is existing and

operates as effectively as the initial assessment, the level of control risk will not be revised

by the auditor [12]

2.3.3.3 Perform test of control

The control lest is only performed aller understanding the internal control system and is

considered valid At that tume, control tests were conducted to collect audit evidence about

the design and operation of the intemal control system According to VSA 400 standard

about: "Risk assessment and internal control": “Auditors must collect sufficient appropriate

audit evidence to prove that the assessment of control risk is not at a high level In assessing the low risk of port control, the port auditors must prove that the statistical and auditing

system is approprialely designed and effective ”

- During this period, the test of control is usually conducted by the Audit in accordance with the audit objectives of existence, completeness, rights and obligations, ratification,

accuracy, timeliness, presentation and disclosure

- Control tests may be performed through the following major methods:

~ Interview method: according to this method, the auditor presents questions and receives answers from those who are responsible in the internal control apparatus of the enterprise

‘Thereby, the auditor can grasp the reality of the work they have done as well as the things that they are interested in the contro! process Auditing companies often design standard questions for interviews, which are considered for the collection of information for each specific ubjeclive of the interual contrul system There are (wo commonly used lypes of questions: "closed-ended questions" and "open-ended questions." "Closed questions" are intended to confirm a specific issue the business has implemented "Open-ended questions" are designed to make room for the room user still clearor, more detailed and more flexible than the problems they made during the internal control process

33

Practical observation method: for control procedures that leave "iraces" on accounting documents, the auditor tay apply the observation method to collet evidence

—Re-implementation method: according to this method, the auditor checks on the basis of

repealing the avlivilics of a corlain person i the imternal control apparatus lo show the

extent of the person's performance change to the assigned job ‘This inspection aims to give

an opinion on the effectiveness of the self-contral of a part, a certain stage of work by each

assigned employee In carrying out (his method, the auditor should take care to identify

reasonable bounds of the process by which errors or frauds may arise

—Method of checking documents: The examination of documents can be carried out in lwo:

directions: Checking oil marks from beginning, to end and vice versa,

* Checking (rom begining to end, also known as checking from details to synthesis: this is the inspection according to the rotation ordor of the accounting process for a specific economic operation Accordingly, the test is perform from the original documents to the

notes on ihe detailed

punting books, the account numbers and reflect the combined

figures on the financial statements ‘The purpose of this examination is to assess the extent

to which these economic transactions are fully reflected

* Checking in reverse or tapered is called checking from summary to detail: according to this method, the check is made from the aggregate figures on the financial statements, the ledger of accounts and the original vouchers of economic operations incurred, The purpose

of this check is to determine whether the data reflected in the finanvial statements and the account number is real

In order to carry out control tests effectively, depending on each specific case, technicians can apply appropriate testing methods Ilowever, each method has its inherent

disadvanlages, so Las uecessary fo combine many chfferent measures lo ensure the most

chjcctive audit conclusions

2.3.3.4 Reassess control risks and adjust substantive tests

Lstablish an evaluation of the internal control system, which usually reflects the following

information

- Intemal audit objectives for each item or operational cycle

- Information describing the situation of internal control collected by the auditor

- The nature and importance of the respective risks

34

- Principles of designing and operating control procedures

- Kvaluating internal control for each item or business cycle

On the basis of the results obtained by the controlled tests, the auditor conducted the risk assessment ‘'he level of control risk assessment is divided into 3 levels: low, medium and high On that basis, revising the audit program (substantive tests section)

Extending basie tests mm those areas where the control risk is assessed to be higher than expected, and limiting the substantive testing on parts with lower control risk or control risk

in accordance with the original plan

35

CHAPTER 3: DATA & METHOD

3.1 Research method

Qualitative research is an approach that seeks to describe and analyze the cultural and

behavioral characteristics of people and groups of people from a researcher's perspective

Qualitative research provides comprehensive information on the characteristics of the social

environment where the stucly is conducted Social life is seen as a series of closely linked events that need to be adequately described in order to reflect real life

Qualitative research is based on a flexible and dialectical research strategy ‘his method allows discovering important topics that researchers may not have covered before In qualitative research, some research questions and information collection methods are prepared in advance, but they can be adjusted accordingly as new information appears during the collection process That is one of the basic differences between qualitative and quantitative methods [13]

Qualitative research method of in-depth interviews was applied:

— Structured or systematic interview: A method of interviewing all subjects the same

questions Information obtained by this method may include both numbers and measurable

dala These mothods are considered to be part of the qualilative research because they help

to describe and analyze the cultural and behavioral characteristics of the study subjects

These methods aim to identify and identify cultural categories through the study of "cultural

norms" i an individual's thinking, find oul what they lhink and know about lhe world

around them and how they organize this information

+ Survey quustions can use cither a closed-ended or open-ended formal Lo calles! answers from individuals And we can use them to gather feedback from a host of different audiences, including your customers colleagues, prospects, friends, and family [13]

The topic is approached by inductive method

— Observe the real world

Search for a pattem to chserve

— Generalizing what is happening

In inductive, there is no close relationship between reasons and results In inductive, we draw a conclusion from one or more specific evidences actually support these conclusions

Data were collected by using non-empirical methods

36