Factors affecting the assessment of internal control in the audit of financial statement at small companies in viet nam

Currently, in the process of auditing financial statements, the evaluation of the internal control system still faces many difficulties and is affected by many factors inside and outside

VIETNAM NATIONAL UNIVIVERSITY, HA NOI

SUPERVISOR: MA, Doctor of Business Administration, Ngo Tri Trung

STUDENT: Bui Dinh Son

STUDENT ID: 15071521

COHORT: Bui Dinh Son

MAJOR: Accounting, Auditing and Analyzing

Hanoi -2019

ABSTRACT

Currently, the annual audit of financial statements becomes more and more common for businesses But the identification of factors affecting the audit process has not been widely exploited, especially at small companies Therefore, in this study, I have sought to identify the factors affecting the assessment of internal control in auditing financial statements at small companies, in order to contribute a different perspective to the audit work

In this thesis, I apply the qualitative research method and use questionnaire related to internal control evaluation in the auditing of financial statements to explore and describe the outstanding influence factors Besides, the random sample selection among auditors helps to make the answers more objective and diverse With the survey results obtained from the auditor's responses, the assessment of internal control in small companies is influenced by many factors, mainly in internal factors and the process conduct audits

The identified influencing factors will contribute to some practical experience in the audit work as well as novice auditors Thereby, understanding these factors will limit the inadequacies and increase the quality of the audit of financial statements when auditing small companies Finally, this topic has contributed a part of the view to research topics related to internal control audits and has become a material that can be useful to other researchers

Keywords: Internal control assessment, small companies, internal factors, the process conduct audits

ACKNOWLEDGEMENT

The essential of the topic

According to Vietnam General Statistics Office 2017, our country has more than 518 thousand operating enterprises, of which small and medium enterprises account for about 98.1% In which, small businesses are 114.1, accounts for 22% [1] This shows that the small and medium enterprises plays important role and is an indispensable part of the national economy, contributing to the successful implementation of the country's industrialization and modernization process This growth in numbers of small companies has led to increased demand for an effective risk management as well as sophisticated corporate governance Every business organization is subject to some kind of risks depending upon several factors such as the products and services it sell, the market in which

it functions, the sources through which it is financed, and the way it utilizes its resources Hence, it is important to coordinate every aspect of a business organization in an effective way, especially the internal control system in the business In other words, a good corporate internal control has now become an integral segment of risk management framework about

operation and misstatements

Similar to audits, internal control is a key determinant of the audited financial statements of companies Currently, in the process of auditing financial statements, the evaluation of the internal control system still faces many difficulties and is affected by many factors inside and outside the enterpriseIn particular, understanding Internal Control and Assessing Control Risk is a decisive factor for planning the audit and building effective audit approaches In addition, the assessment of internal control is also affected by other factors both inside and outside the enterprise Besides, internal control is becoming more and more complex when relying on the information system and the personnel operating it or the industry specific characteristics of companies also hinder the assessment of control internal These issues are even more evident in small businesses, where the internal control system has many design and implementation issues

Being aware of the importance and urgency of this issue, I chose the topic "Studying the factors affecting the assessment of internal control in auditing financial statements at small companies" for my thesis

Object and scope of the study

- Object: Factors arising and affecting the assessment of the internal control system in auditing financial statement (non- financial institutions)

- Scope: The entire audit process and procedures relate to the internal control assessment

for auditing of financial statements at small companies

Research purposes and objectives of the study

- Research purpose: Explore, analyze and evaluate the factors affecting the assessment of

internal control in the audit of financial statements at small companies The research focuses

on the following issues:

+ Learn and assess the status of internal control system in auditing financial statements at small companies

+ Proposing solutions to avoid or overcome the factors that adversely affect the process of assessment the internal control system in financial statement audits

The structure of the topic

In addition to the abstract, preface, abbreviations, list of table, references and appendices in the thesis include the following chapters:

Chapter1: Introduction

Chapter2: Literature review

Chapter3: Data and method

Chapter4: Findings

Chapter5: Solution

TABLE OF CONTENT

LETTER OF DECLARATION 2

ABSTRACT 3

ACKNOWLEDGEMENT 4

TABLE OF CONTENT 6

TABLE OF NOTATIONS AND ABBREVIATIONS 8

LIST OF TABLE 9

LIST OF CHARTS AND FIGURE 10

CHAPTER 1: INTRODUCTION 11

OVERVIEW OF RESEARCH TOPIC 11

1 Studies on internal control systems in Vietnam 11

1.1 The audit curriculum in Economics University 11

1.2 Related scientific topics and the relevant thesis 11

CHAPTER 2: LITERATURE REVIEW 13

GENERAL THEORY OF INTERNAL CONTROL 13

2.1 Concept of internal control 13

2.1.1 Definition of internal control 13

2.1.2 Nature of the internal control system 13

2.3 Internal control system according to COSO 2013 14

2.2 Internal control in the small organizations 17

2.2.1 Concept of a small company 17

2.2.2 The inherent limitations of the internal control system are most evident in small and medium-sized companies 19

2.3 Concept of auditing financial statements 22

2.3.1 Auditing financial statements 22

2.3.2 The internal control assessment in the audit of financial statements 24

2.3.3 The process of assessment internal controls in the audit of financial statements according to Vietnam standard on auditing 27

CHAPTER 3: DATA & METHOD 36

3.1 Research method 36

CHAPTER 4: FINDINGS 40

4.1 The influencing factors come from the characteristics of small companies 40

4.2 According to COSO framework 45

4.3 The audit process 46

4.3.1 The process of acquiring an understanding of the auditor's internal control system at a small-scale firm 47

4.3.2 The process of assessing control risks and designing control trials 49

4.3.3 The process of performing control testing 51

4.3.4 Reassess control risks and design substantive test 54

CHAPTER 5: SOLUTIONS 55

5.1 Solutions for internal control assessment in auditing financial statements 55

5.2 Solutions for thesis 55

REFFERENCE 57

APPENDIX 59

TABLE OF NOTATIONS AND ABBREVIATIONS

Organizations of the Treadway Commission'

LIST OF TABLE

Table 4.1: Internal and External factors……… 37 Table 4.2: Influence level of industry factors……… 38 Table 4.3: The impact level of misstatement in the previous year……… 38 Table 4.4: The importance of evaluating internal control at small companies compared to large companies ……… 39 Table 4.5: The existence of internal control and COSO (unit: 10%)……… 40 Table 4.6: The level of dependence of internal control on the information system……….40 Table 4.7: Influence level of changes and updates of information systems on the assessment

of internal control ……… 41 Table 4.8: The frequency of updates or changes information systems related to internal control systems……… 41 Table: 4.9: Influence factors from COSO ……… 43 Table 4.10: Frequency of applying the methods when understanding the internal control system of the auditor at small companies ……… 45 Table 4.11: The subjectivity and judgment of the auditor in assessing the control risks of frauds and errors based on the design of the internal control system……… 47

Table 4.12: Number of material misstatements of the items relevant to the critical business

cycle……… 47 Table 4.13: The level of control risk is often found in small companies ……….48 Table 4.14: Level of effectiveness on the design side (detecting and preventing correcting discovered errors)……… 49

Table 4.15: Level of effectiveness in terms of implementation (effective in the period)….49

Table 4.16: The effectiveness of methods in control testing at small companies……… 50 Table 4.17: Frequency of using “walk through test”………50

LIST OF CHARTS AND FIGURE

Diagram 2.1: Process of auditing financial statements………23 Diagram 2.2: Process of assessment internal control system……….26 Figure 4.1: The importance of evaluating internal control at small companies compared to large companies………39 Figure 4.2: The frequency of updates or changes information systems related to internal control systems……….42 Figure4.3: Set of question 1……….44 Figure 4.4: Set of question 2 ……… 46

CHAPTER 1: INTRODUCTION

OVERVIEW OF RESEARCH TOPIC

1 Studies on internal control systems in Vietnam

1.1 The audit curriculum in Economics University

In Vietnam, the theory of examination and evaluation of internal control system in the auditing of financial statements is firstly presented in the textbook of audit theory, financial audit curriculum of Universities of Economics In the auditing curriculum that the internal control system is approached as a part of the work of auditors, it is necessary to learn and evaluate to make an appropriate and effective overall audit plan and audit program Internal control systems and control risks can be presented in a separate chapter or presented with other basic concepts in auditing The textbook "Auditing and Assurance Services" of international school edited by (Arens, Elder, & Beasley) presented the process of evaluating the internal control system in auditing financial statements Basically, the content and process of internal control evaluation researched and presented in the audit curriculum of universities of economic sectors are relatively consistent with each other

1.2 Related scientific topics and the relevant thesis

Scientific project "Improving the quality of research and evaluation of the internal control system of State economic groups in the audit process conducted by the State Audit", by Prof Dr Ngo The Chi and Dr Pham Tien Hung co-chaired the implementation in 2013 The thesis generalized theoretical issues on the characteristics of the State economic group and the internal control system of the State Economic Group as a basis for the public research and evaluation of internal control system implemented by the State Audit The thesis approaches the internal control system from the perspective of evaluating internal control systems to serve audit activities when conducting the audit process at State Economic Groups Internal control system is only content in the topic The main content of the topic is to focus on research, identify objectives, subjects, content, criteria for research and evaluation of internal control systems of State Economic Groups as well as building research processes and evaluate the internal control system of State economic groups Therefore, the internal control system presented in the topic is not very comprehensive in terms of setting up and operating to deal with the risks of businesses [2]

Through surveys and researches at major universities (National Economics University, Finance Academy, Banking Academy, Commercial University, etc.) and the dissertation publications Students on websites at the National Library and University Libraries, so far

there have been many research dissertations on the internal control system towards the approach of auditing process in an enterprise or an industry In particular, the internal control evaluation stage is a part of it In general, in terms of the research on internal control evaluation process from the perspective of an audit of financial statements, most dissertation topics have not clarified the factors that need to be focused on, have images directly and indirectly influence the assessment of internal control In practical terms, the access and evaluation of the internal control system in auditing financial statements in small companies or industries is still limited and has not received much attention

From the previous related topics and received the above comments, the author found that the approach and research of the topic "factors affecting the assessment of internal control

in the audit of financial statements at small companies "is completely new and necessary

CHAPTER 2: LITERATURE REVIEW

GENERAL THEORY OF INTERNAL CONTROL

2.1 Concept of internal control

2.1.1 Definition of internal control

Internal control, as defined by accounting and auditing, is a process for assuring of an organization's objectives in operational effectiveness and efficiency, reliable financial reporting, and compliance with laws, regulations and policies A broad concept, internal control involves everything that controls risks to an organization

It is a means by which an organization's resources are directed, monitored, and measured It plays an important role in detecting and preventing fraud and protecting the organization's resources, both physical (e.g., machinery and property) and intangible (e.g., reputation or intellectual property such as trademarks)

At the organizational level, internal control objectives relate to the reliability of financial reporting, timely feedback on the achievement of operational or strategic goals, and compliance with laws and regulations At the specific transaction level, internal controls refers to the actions taken to achieve a specific objective (e.g., how to ensure the organization's payments to third parties are for valid services rendered.) Internal control procedures reduce process variation, leading to more predictable outcomes Internal control

is a key element of the Foreign Corrupt Practices Act (FCPA) of 1977 and the Sarbanes–Oxley Act of 2002, which required improvements in internal control in United States public corporations Internal controls within business entities are also referred to as operational controls [3]

2.1.2 Nature of the internal control system

According to the standards of Vietnam Audit, from the perspective of auditors (Auditing Standard No 315): Internal control is the process established by the Board of Directors, the Board of Directors and other individuals in the unit design, implement and maintain to create a reasonable assurance about the entity's ability to achieve its objectives in ensuring the reliability of financial statements, ensuring efficiency, performance, and compliance Relevant laws and regulations

According to COSO (Committee of Sponsoring Organization) “Internal control is a process governed by the manager, the board and the employees of the unit, it is set up to provide a reasonable assurance to achieve the goals”

Internal control system is understood as a system of control processes, policies and procedures together with technical means designed to control internal activities of the enterprise, ensuring that the enterprise strictly complies with objectives, ensure the reliability of financial statements, comply with the law

Effective internal control system is the basis to ensure the success of the unit in general and businesses in particular The design and operation of adequate and appropriate control procedures is a mechanism to ensure the realization of the objectives: safeguarding the assets of the enterprise, ensuring the reliability of information, ensuring compliance, legal regimes, ensuring operational efficiency and management performance With the development in the awareness of internal control in accordance with the requirements set out in practice, the role of the internal control system is not only limited to ensuring the traditional goals, but also has an impact use organizational support and create added value for the unit, even helping businesses move towards non-material values, such as integrity and ethical values However, when the system does not exist or has weaknesses, the performance and results of the business will be seriously affected Therefore, it is important

to be aware and identify the possible limitations within the system itself These limitations depend on factors: the effectiveness of the types of internal control, the internal control cannot guarantee that mistakes are prevented, corrected and detected promptly, outdated control procedures, out of control; lack of manager attention

In accordance with International Standard on Auditing (ISA) No 400, there are 3 factors that need to be considered:

- Firstly, internal control system is a set of processes, policies and procedures to control all activities of the unit such as controlling investment activities, controlling fixed assets, controlling sales cycle

- Secondly, internal control system includes technical facilities for control such as information systems, data processing software

- Finally, internal control system is designed and operated by humans to ensure that enterprises meet the objectives [4]

2.3 Internal control system according to COSO 2013

2.3.1 Components

According to COSO 2013, the components of internal control systems was kept unchanged compared to the 1992 report, including 5 components: Control environment, risk assessment, Control activity, Information & Communication (communication and

information system) and Monitoring (monitoring of controls) These components are similar

to those specified in the Vietnam Standard on Auditing No 315

The control environment represents the culture of internal controls at the organization For

example, this objective seeks to determine if the organization has a culture of discipline and compliance or a culture of lax policies and procedures This culture often begins with the actions of executive management, so a control related to the Board reviewing CEO performance would add to the control environment

The risk assessment is an activity whereby all of the activities and associated risks in an

organization are looked at and each considered on a spectrum of either low risk or high risk Likelihood of occurrence is also considered to determine which risks faced by an organization should be addressed first A risk assessment may identify cash handling or billing as risks that need to be audited

Control activities are those procedures and internal controls put in place to mitigate risks,

particularly those that management considered too risky during the risk assessment These are activities that management, their staff, and internal auditors test to ensure compliance For example, if the risk identified in the risk assessment is cash handling, a control activity might be having two people involved in cash payments

Information and communication is how management communicates the culture of

compliance and the specific policies individuals need to follow Information and communication are central parts of a strong culture of discipline An example of this would

be requiring that new or amended policies be sent out to everyone in the company so they are aware of the change

Finally, monitoring activities are activities managers use to monitor processes or internal

controls within the organization For example, if a purchasing manager gets a weekly report

of all purchases that were greater than $5,000, they would be performing a monitoring activity [5]

The control environment represents the culture of internal controls at the organization For example, this objective seeks to determine if the organization has a culture of discipline and compliance or a culture of lax policies and procedures This culture often begins with the actions of executive management, so a control related to the Board reviewing CEO performance would add to the control environment

The risk assessment is an activity whereby all of the activities and associated risks in an organization are looked at and each considered on a spectrum of either low risk or high risk

Likelihood of occurrence is also considered to determine which risks faced by an organization should be addressed first A risk assessment may identify cash handling or billing as risks that need to be audited

Control activities are those procedures and internal controls put in place to mitigate risks, particularly those that management considered too risky during the risk assessment These are activities that management, their staff, and internal auditors test to ensure compliance For example, if the risk identified in the risk assessment is cash handling, a control activity might be having two people involved in cash payments

Information and communication is how management communicates the culture of compliance and the specific policies individuals need to follow Information and communication are central parts of a strong culture of discipline An example of this would

be requiring that new or amended policies be sent out to everyone in the company so they are aware of the change

Finally, monitoring activities are activities managers use to monitor processes or internal controls within the organization For example, if a purchasing manager gets a weekly report

of all purchases that were greater than $5,000, they would be performing a monitoring activity [6]

2.3.2 The role of internal control in financial reporting

- The goal of Internal Control 2013 is maintained by COSO compared to the 1992 report:

+ Objective of effectiveness and efficiency of activities

+ Objectives of the reliability of financial statements

+ Objectives of legal compliance [4]

- Internal control of financial statements is an important internal management mechanism to provide internal inspection and limit personal profit (Jensen 1993; Bushman and Smith 2001; Acharya et al., 2011) Therefore, the internal control system is considered the first line of defense in protecting the quality of accounting information at the unit (Wang and Huang, 2013) Internal control of financial statements is ineffective, creating favorable conditions for making false accounting data, thereby reducing the accuracy and quality of financial statements (Gao & Jia, 2015) The entity's reporting system cannot be useful, if it

is based on unreliable and inaccurate transaction records (Elmaleh, 2012) In other words, the lack of appropriate internal control procedures makes the financial management of an organization encounter risks, including inaccurate financial statements / loss of assets of the

entity; The loss and mismanagement of the organization's essential documents due to abuse

of employee rights; Financial books contain many errors and unreliability, which lose the integrity of the organization; Do not implement accounting policies in accordance with the requirements of financial statements presentation (Amaka, 2012) The effective operation of the internal control system will provide a guarantee for the management of the reliability of the accounting data used, in creating information to support the decision making of the head

of the application (Amaka, 2012;Saôer and Oluió, 2013) Therefore, the effective internal control system is a decisive factor for the preparation of quality financial statements because of the ability to prevent procedural errors, measure, distort income, as well as limit potential risks in operation (Doyle et al., 2007; Brown et al., 2008)

2.2 Internal control in the small organizations

2.2.1 Concept of a small company

A small or small enterprise / individual is also referred to as a subsidiary or subsidiary (parent-child relationship) as an enterprise, usually a private enterprise with a number of operations, small staff and relatively low volume in sales Some of the small businesses are usually owned by corporations, partnerships, or private businesses

 In Vietnam

On March 11, 2018, the Government issued Decree 39/2018 / Government Decree, guiding the Law on Supporting Small and Medium Enterprises to replace Decree 56/2009 / Government Decree on June 30, 2009

Accordingly, the criteria for identifying small and medium-sized enterprises under Decree 39/2018 / ND-CP are as follows:

According to Article 6, criteria for identifying small and medium-sized enterprises

Small and medium-sized enterprises are classified according to size, including microenterprises, microenterprises

1 Micro enterprises in the fields of agriculture, forestry, fisheries and industry and construction have an average number of employees participating in social insurance, with

an annual number of not more than 10 and an annual turnover of no more than VND 3 billion or the total capital of not more than VND 3 billion Micro enterprises in the field of commerce and services have an average number of employees participating in social insurance of no more than 10 people per year and total annual revenue of not more than 10 billion dong or total capital of not more than 3 billion dong

2 Small enterprises in the fields of agriculture, forestry, fishery and industry and construction have an average number of employees participating in social insurance, not exceeding 100 people and the total annual revenue does not exceed 50 billion dong or the total capital source does not exceed 20 billion dong, but it is not a micro enterprise as prescribed in Clause 1 of this Article Small businesses in the field of commerce and services have an average number of employees participating in social insurance of no more than 50 people and total annual revenue of no more than VND 100 billion or total capital of

no more than VND 50 billion, but is not a micro enterprise as stipulated in clause 1 of this Article

3 Medium-sized enterprises in the fields of agriculture, forestry, fishery and industry and construction, with an annual average number of laborers participating in social insurance of

no more than 200 and a total annual turnover of not more than 200 billion dong or the total capital source does not exceed 100 billion dong, but it is not a small enterprise, a micro enterprise as prescribed in Clauses 1 and 2 of this Article Medium-sized enterprises in the field of commerce and services have an annual average number of employees participating

in social insurance of no more than 100 and total annual revenue of not more than VND 300 billion or total capital of not more than VND 100 billion, but is not a micro-enterprise or a small enterprise as prescribed in Clause 1 and Clause 2 of this Article

According to Article 7, the areas of operation of small and medium-sized enterprises are

determined

The operation areas of small and medium-sized enterprises are determined based on the provisions of the law on the system of economic sectors and the provisions of specialized laws In the case of activities in many fields, small and medium-sized enterprises are determined based on the field with the highest revenue The highest revenue field is not available, small and medium-sized enterprises are determined based on the areas with the highest labor use

According to Article 8, the average number of employees participating in social insurance

of small and medium-sized enterprises is determined annually

1 The number of employees participating in social insurance is the total number of employees managed, used and paid by the enterprise for participation in social insurance under the law on social insurance

2 The average number of employees participating in social insurance is calculated by the total number of employees participating in social insurance of the year divided by the

number of months in the year and determined on the voucher of payment of social insurance

of the previous year adjoining enterprises to social insurance agencies

In case an enterprise operates less than 01 year, the average number of employees participating in social insurance is calculated by the total number of employees participating

in social insurance of the operating months divided by the number of operating months

According to Article 9, the total capital of small and medium-sized enterprises is

determined

The total capital source is determined in the balance sheet shown in the financial statements

of the preceding year that the enterprise submits to the tax administration agency If an enterprise operates for less than 01 year, the total capital shall be determined in the enterprise's balance sheet at the end of the quarter preceding the time when the enterprise registered to receive support contents

According to Article 10, the total revenue of small and medium-sized enterprises is

determined

Total revenue of the year is the total turnover of goods sale and service provision of enterprises and is determined on the financial statements of the preceding year that enterprises submit to tax administration agencies In case an enterprise has operated for less than 1 year or more than 1 year but has not generated any revenue, it shall base on the criteria of the total capital source specified in Article 9 of this Decree to identify small and medium-sized enterprises

 The role of small enterprises in the current economy

Small and medium enterprises are a common economic type in the economies of most countries, always accounting for a high proportion, a major part of creating the gross national product, contributing to the liberation and development of health production, contributing to socio-economic development, economic growth and participating in effective settlement of social issues such as job creation, hunger eradication and poverty reduction Thanks to the small organization Compact and flexible operation, diverse, rich, dynamic present in most business lines [7]

2.2.2 The inherent limitations of the internal control system are most evident in small and medium-sized companies

An effective internal control system can only minimize violations but cannot guarantee risks, frauds and errors do not occur The inherent limitations of internal control stem from

the following reasons:

- Internal control system implemented by people: The relationship between benefits and costs

- Internal control system does not cover unforeseen risks

- In summary, internal control provides a reasonable assurance, not an absolute guarantee of the objectives to be achieved Internal control can only prevent and detect errors and frauds but cannot guarantee that they will not occur Therefore, an effective internal control system also exist certain risks The problem is that the manager has identified, assessed and limited them to an acceptable level

 The limitations of IC in small companies according to COSO framework

For most small businesses, when they mention COSO or the internal control system, they often find it difficult to visualize the theory from the practical application to each type of their business, from which leading to problems in their management and control systems

Control environment

The realities of small businesses today are part-time work, employees who do many things

in an irregular manner, the job descriptions of employees are unclear and constantly changing, businesses are mostly operate and "operate" based on personal feelings and experience, but rarely follow the rules and principles of right and wrong

Managers cannot immediately set up a complete and complete management system, they cannot force their employees to follow a specific set of principles because basically, themselves They are not able to build a system of principles, complete and effective processes Meanwhile, a series of issues that come with great risks that the board of directors and management levels must always consider: business ethics, employee performance, frauds in the process of doing business, job…

- 1 office worker selling and managing the warehouse at the same time?

- 1 sales admin officer cum treasurer position?

- 1 HR manager has recruited and paid?

Each risk has different levels of the influence The level you want to control in the present time depends on the level of risk that businesses rated themselves as high or low However, not only small and medium enterprises, but also larger enterprises must always be in the state of anticipating and dealing with many different types of risks such as irrecoverable debts, inventories, management, messy arrangement, can lead to theft or embezzlement, many personnel but the efficiency level of the job is not high

In the case of an organizational chart being a warehouse controlled by the sales department, where the sales clerk is also the store keeper, the control may be applied through control activities such as: adding cross-checking procedures for warehousing and ex-warehousing Can perform regular inventory / unscheduled inventory with the participation of an independent party (can outsource also be an employee of another department)

Control activities will also depend on the personnel that the business has, as well as the capabilities of the human resources that SME has the most effective way Each business will consider and make the best plan for its business, based on the available resources and the desire to control of each business owner

Information and communication

Most of the reports that small businesses need are simple and the thinking process should be simple Businesses are stereotyped and rigidly based on available report templates, the information will be fragmented and hard to link, especially when the enterprise software system is very simple, even unavailable Start with the necessary reports, easy to understand and easy to do, the simple indicators, easy to see and analyze from the department

A simple example of a management report for a business with 4-5 coffee shops is:

+ Report the results of production and business of each store and the total number of the whole company

+ Balance sheet of the Company

+ Analyze the cost structure of each store and corporation

+ Compare costs of adjacent months

+ Analyze the sales of each store and company, analyze the top 5/10 best-selling items

Monitoring

Small businesses, the monitoring supervision must also be extremely simple, do not think a lot about outsourcing the audit, or making internal control rooms, recruiting internal control personnel First of all internal monitoring, The mutual supervision of the departments should be strictly applied, and the role of the supervisor / manager is also very important In addition, control personnel will assist with ad hoc inspections, for example, performing the

following procedures:

+ Management for unexpected fund checking

+ Managing for unscheduled inventory, checking a few unexpected items (or can authorize inspection personnel to check)

+ Independent inspection department (for example, taking a technical party to participate in inventory at the same warehouse)

+ Hire auditors to participate in stocktaking at the end of the year

Therefore, small companies need a way to save money but still be effective, meeting the requirements that businesses desire When the business grows to a certain extent, the owner will consider recruiting and developing the internal control, auditing and control departments such as COSO [8]

2.3 Concept of auditing financial statements

2.3.1 Auditing financial statements

A financial statement audit is the examination of an entity's financial statements and accompanying disclosures by an independent auditor The result of this examination is a report by the auditor, attesting to the fairness of presentation of the financial statements and related disclosures The auditor's report must accompany the financial statements when they are issued to the intended recipients

The purpose of a financial statement audit is to add credibility to the reported financial position and performance of a business The Securities and Exchange Commission requires

that all entities that are publicly held must file annual reports with it that are audited Similarly, lenders typically require an audit of the financial statements of any entity to which they lend funds Suppliers may also require audited financial statements before they will be willing to extend trade credit (though usually only when the amount of requested credit is substantial)

Audits have become increasingly common as the complexity of the two primary accounting frameworks, Generally Accepted Accounting Principles and International Financial Reporting Standards, have increased, and because there have been an ongoing series of disclosures of fraudulent reporting by major companies.The purpose of a financial statement audit is to add credibility to the reported financial position and performance of a business The Securities and Exchange Commission requires that all entities that are publicly held must file annual reports with it that are audited Similarly, lenders typically require an audit

of the financial statements of any entity to which they lend funds Suppliers may also require audited financial statements before they will be willing to extend trade credit (though usually only when the amount of requested credit is substantial)

Audits have become increasingly common as the complexity of the two primary accounting frameworks, Generally Accepted Accounting Principles and International Financial Reporting Standards, have increased, and because there have been an ongoing series of disclosure of fraudulent reporting by major companies [9]

 The effect of the internal control system on the audit work

In every enterprise, the inspection and control function always occupies an important position and is implemented by managers through internal control systems Managers design and operate the internal control system to run every employee, every activity, and internal control is not limited to financial and accounting functions but also covers other functions such as administration, manufacturing Therefore, before performing audits for client companies, auditors always perform research and evaluate the internal control system

of customers In accordance with Auditing Standard No 400, the auditor must have sufficient knowledge of the accounting system and the internal control system of the customer to make an appropriate and effective overall audit plan and audit program The auditor shall use his or her professional judgment to assess the audit risk and identify accounting procedures to reduce the risk of accounting losses to an acceptable level

Control risk is the possibility of a material error on the financial statements that the internal control system cannot prevent and detect The more effective internal control system, the

lower the risk of control is Based on the determination of the level of risk, the auditor will determine appropriate audit methods

If the internal control system operates effectively, the risk of control is low The auditor will apply the compliance audit method On the contrary, if the internal control system is weak, the risk of control is high The auditor will apply the basic audit method The evaluation of the internal control system also helps with proper audit planning If the internal control system is effective, the risk of control will be low The amount of audit evidence collected will be less, thereby establishing appropriate audit time and cost At the same time, through the research and evaluation of the internal control system, the auditor can identify the strengths and weaknesses of the internal audit and determine the center for the audit [10]

2.3.2 The internal control assessment in the audit of financial statements

The work of assessment the internal control system is carried out in 2 stages: planning audit and conduct audits

Audit planning stage:

The finding and preliminary evaluation of internal control systems must be carried out in all financial statements audits The objective of the research work at this stage is to provide the auditor and the auditor with a general view of the operation and operation of the internal control system of the customer, from which Preliminary prices on internal control systems and control risks This is also the basis for selecting the method of conducting the audit

Audit phase: The auditor will only perform an audit of the internal control system during

the period of performance If during the period of planning the auditing risk is assessed it is

not high or the auditor hopes to reduce the control risk

The objective of evaluating the internal control system in this paragraph is to re-evaluate whether the control risk is truly as the auditor's initial judgment is and is therefore the basis for strengthening or reducing the basic test [10]

 Diagram 2.1 : Process of auditing financial statements

Audit

Planning

Phase

Assess, control and handle audit risks

- Selecting an audit team

- Making audit contracts

Reach customers and sign audit contracts

Strategic audit planning (for large scale customers, complex nature, large

geographical areas or multi-year financial statements audits)

Planning the overall audit

- Collecting basic information, information on legal obligations of customers

- Research on internal control systems and control risk assessment (*)

Setting up detailed audit program

Audit conclusion and financial statements:

- Making a summary of audit results

- Collect explanatory letters from the company board of directors

- Reviewing events after the release of financial statements

- Complete the audit records

- Evaluating the results and quality of the audit

Activities after auditing:

- Evaluating the results and quality of the audit

- Settlement of events arising after the date of signing the audit

According to Vietnam Standard on Auditing No 300

- Strategic planning: Auditor learns preliminary information about customers through the mass media, through audit records, through their predecessors In this step, the technician performs the following tasks:

+ Assessment of control and risk handling of the audit: The evaluation of the internal control system to verify the existence of the internal control system and the basis for determining the scope of performing basic tests on the balance and business of clients This

is done through the following steps: Gathering knowledge about the internal control system

of the customer; Initial assessment of control risk; Perform control tests and make evaluation tables of internal control systems

Questions to assess the accounting system, taxes, applicable accounting policies, cycles + Making discussion and signing the audit contract: after accepting customers, the two parties discuss and sign the audit contract

+ Selection of auditing staff: The selected auditing staff is experienced and highly qualified auditors

- Overall plan (detailing the risk zoning, specific instructions for accounting work) In the overall audit planning stage, it is divided into the following small steps:

+ Collect customer base information: Including information about management system, industry and business activities, accounting process

+ Procedures for analyzing material and risky assessments and assessments: The auditor provides preliminary analysis on materiality and auditing risks Evaluate and highlight material and risks for each part of operation, items to prepare for the audit program [11] According to Vietnam Standard, auditing 400, risk assessment and internal control: “Audit risk (AR) is the risk that auditors and the Auditing Company make inappropriate comments when the financial statements have been audited with material errors " Risk assessment Audit through three-part evaluation: Potential Risk (IR), Control Risk (CR) and Detection Risk (DR) based on the relationship reflected in the tissue The following image:

DR = AR / IR * CR

- Auditing program: Based on the overall plan, the auditor builds a specific audit program for each audit part During the course of the audit, auditors will be subject to the audit process and may only change it under special circumstances

- Identify and allocate material items: The determination of material importance of the Company is based on two dimensions: the size and importance of financial information After identifying significant items, the auditors shall make material allocation to each item

as a basis for the audit

Conduct audits

The audit phase is the main state consisting of 2 steps:

+ Internal controls testing

Participate in evaluating the effectiveness of the control apparatus in the company, concentrating on such areas as proper authorization, the safeguarding of assets, and the segregation of duties This can involve an array of tests conducted on a sampling of transactions to determine the degree of control effectiveness A high level of effectiveness allows the auditors to scale back some of their later audit procedures If the controls are ineffective (i.e., there is a high risk of material misstatement), then the auditors must use other procedures to examine the financial statements There are a variety of risk assessment questionnaires available that can assist with internal controls testing

+ Substantive test

The next step is to perform procedures to analyze and check details of the balances as well

as perform additional detailed tests Analytical procedures used to check the general reasonableness of transactions and balances Detailed checking of balances is the specific procedure that needs to be done to check for monetary errors in financial statements

End of audit stage

After performing the test of control and substantive test, obtaining sufficient audit evidence, having sufficient grounds to make comments on the audited financial statements of the audited unit, the auditor will gather the working documents and audit evidence into the audit records and the stage of the completed audit

Before preparing the auditor's report, the auditor should perform necessary tasks such as: reviewing contingent liabilities, examining events occurring after the balance sheet date, reviewing operation assumptions continuous and overall review of the audit result

2.3.3 The process of assessment internal controls in the audit of financial

statements according to Vietnam standard on auditing

 Diagram 2.2 Process of assessment internal control system

2.3.3.1 Learn about the unit's internal control system

In this stage, the auditor learns about the entity's internal control on two main aspects: the design of internal control including the design of control regulations and the design of the control apparatus; Continuous and effective operation of internal audit

Understanding of internal control is performed during the audit planning stage, in which the technician must learn about the design and operation of the internal control system by each component to:

• Evaluating whether there are audited financial statements

The technician must collect information about the integrity of the Board of Directors with the nature and scope of accounting records to be satisfied that the evidence is sufficiently appropriate and available to prove the balances on the financial statements

• To identify and assess potential violations

• To decide on the appropriate level of control risk that affects the identified risk, thereby influencing the decision on the amount of audit evidence to collect

• To plan the design of appropriate surveys

- Initial assessment of control risk to plan items on the financial statements

Understand the entity's internal control system for audit

planning

Control risk assessment and design of control tests

Perform control tests

Reassess risks and design substantive test

- Perform control tests

- Set up evaluation sheet of internal control system

• Approach to the business cycle: According to this method, the auditor considers control policies and procedures to each business cycle (financial investment cycle, spending cycle, and cycle production, revenue cycle)

This method allows the technician to divide the transactions and account balances into clear categories (cycles) and then the auditor can gain an understanding of how control is performed for the relevant criteria base to each business type and account balance in that cycle

Procedures for gaining written understanding of internal control systems:

 The method of application:

Similar to the stage of understanding customers' business activities, the methods that auditors often apply when understanding the internal audit system:

- Based on the auditor's previous experience with the customer:

Most audits of a company are performed annually by an audit firm As a result, auditors usually start the audit with a large amount of information about the client's internal control system gathered from previous audits Because control systems often change frequently, information can be updated and carried over to the current year

- Interviewing employees of the client company:

This work helps the auditor to collect initial information (for new customers) or capture changes in the internal control system of customers (for annual customers) to update Update information for the audit in the current year

- Review manuals on procedures and regimes of client companies:

Through research and discussion with customers about this document, the auditor is able to understand the procedures and regimes related to internal control applied in the client company

- Check completed documents and books:

Through this audit, the auditor can see the application of procedures and regimes on the client company

- Observe the activities and operational processes of the client company:

This work reinforces an understanding of the knowledge about the actual use of internal control procedures and regimes at the client company

To describe the internal control system, the auditor uses one of three methods or all of the following three methods depending on the characteristics of the entity being audited and the size of the audit: drawing flowcharts; set up questionnaires on internal control; make a report on internal control

- Questionnaire on internal control system: This table presents questions according to the 7 detailed objectives of the internal control system for the internal control system Questions are designed as "yes" or "no" answers and "no" answers will show weaknesses of internal control

The advantage of this tool is that it is built-in so that the auditor can proceed quickly and do not miss important issues But due to the overall design, the questionnaire may not be suitable for all types of businesses

In fact, the auditors are often used a combination of these two forms to give auditors the optimal image of the internal control system Flowcharts (including horizontal and vertical flow charts) help the auditor to more accurately comment on the control procedures that apply to the activities and easily indicate which additional control procedures are needed

In the meantime, the questionnaire or the internal control narrative provides additional analysis of controls to help the auditor to better understand internal control

The combination of questionnaires with flowcharts or narrative tables will help the auditor better understand the internal control system of clients

2.3.3.2 Control risk assessment

Control risk assessment is part of the process of understanding the assessment of internal control systems, accounting systems of customers Therefore, in order to assess the risk of control during the preparation of the financial statements auditing plan, the auditor must collect information about the design and operation of the internal control systems of the enterprise to make the initial assessments on control risk for the assertion of the underlying economic and account balances

In fact, the level of control risk is never zero (0) because the internal control system always has its inherent disadvantages When evaluating the internal control system, the auditor must learn and research the internal control system of the customer Control risk assessment work is usually evaluated by the auditor through the following steps:

First step: Gathering insights on the customer's internal control system

Understanding the internal control system helps the auditors on the one hand assess whether

to accept the financial statements audit; and through the inquiry process will give the

auditor a basis for making an assessment of the level of control risk To access the client's internal control system, the auditor will use two common approaches: the item-based

approach and the business process approach

Techniques commonly applied by technicians to understand internal control systems and assess customer control risks:

+ Based on the experience of the auditors and interview information from customers;

+ Reviewing the manual on procedures and regimes at the unit;

+ Check the accounting records of the unit, through checking auditors will know

information on how to apply the policy regime of the unit;

+ Closely monitoring the operational situation of the unit in order to strengthen the

understanding of practical knowledge as well as the use of internal control procedures and regimes at the unit;

After seeking information about the internal control system, the auditor proceeds to describe

in detail the information on working papers for control risk assessment

The second step: initial assessment of control risks planning for each item on the

financial statements

Control risk will be audited and evaluated through initial information collected about the accounting system and the internal control system of the customer The auditor will assess

the control risk at a low level if the auditor finds that the internal control system of the customer operates and operates effectively and vice versa “An initial assessment of control risk is the evaluation of the effectiveness of the entity's internal control and accounting system in preventing or detecting and correcting material misstatements Control risk is not completely eliminated due to the potential limitation of accounting system and internal control system” [4, p 89]

Control risk assessments are usually performed sequentially through the following steps: + Firstly, identify the specific control objectives under which the control risk assessment process is applied: the auditor applies the objectives of the internal control system to assess the control risks for each item business section

+ Secondly, identify specific control processes: the auditor's focus is on analyzing the specific control processes that are expected to affect the satisfaction of audit objectives that are highly effective ;

+ Thirdly, assess the disadvantages of the internal control system: the disadvantages of the internal control system occur when there is "absence" of the internal control system The ineffective operation of the internal control system will increase the possibility of significant errors in the financial statements of customers

+ Fourthly, assessing control risk: after completing the name steps, the auditor will assess the client's control risk The auditor may assess the risk of qualitative control (using three levels: High, Low, Medium) or quantitatively (using a percentage) [12]

Third step: Gathering evidence of the existence of control regulations and procedures

to reduce the basis of balances and transactions

According to the Vietnam Standard on Auditing 400, paragraph 37, “Auditors must collect sufficient appropriate audit evidence to prove that the assessment of control risk is not at a high level”[4, p.93] Therefore, the auditor will perform audit procedures to reduce the basic tests that must be performed The auditor uses a test of control to gather sufficient evidence

as a basis to prove the operation of the internal control system and the accounting system is effective in two aspects: design (detection, deterrence, prevention) prevent from correcting detected errors); and implementation (effective during the period)

Controlling tests include: checking documents of arising economic operations, conducting field observation interviews, rechecking the implementation of internal control procedures Control risk assessment during the audit planning process helps the auditor collect evidence

about the existence of the client's internal control system to localize risks and design audit procedures accordingly

- Final step: make a final assessment of control risks and make an evaluation of the internal control system

Based on the three steps above, the auditor will make a final assessment of control risk and redesign control tests after the internal control system evaluation table is completed The level of control risk will be changed by the auditor if after performing control tests that the auditor is unable to prove the existence or ineffective operation of the internal control system If the control tests show the auditor that the internal control system is existing and operates as effectively as the initial assessment, the level of control risk will not be revised

by the auditor.[12]

2.3.3.3 Perform test of control

The control test is only performed after understanding the internal control system and is considered valid At that time, control tests were conducted to collect audit evidence about the design and operation of the internal control system According to VSA 400 standard about: "Risk assessment and internal control": "Auditors must collect sufficient appropriate audit evidence to prove that the assessment of control risk is not at a high level In assessing the low risk of port control, the port auditors must prove that the statistical and auditing system is appropriately designed and effective ”

- During this period, the test of control is usually conducted by the Audit in accordance with the audit objectives of existence, completeness, rights and obligations, ratification,

accuracy, timeliness, presentation and disclosure

- Control tests may be performed through the following major methods:

+ Interview method: according to this method, the auditor presents questions and receives

answers from those who are responsible in the internal control apparatus of the enterprise Thereby, the auditor can grasp the reality of the work they have done as well as the things that they are interested in the control process Auditing companies often design standard questions for interviews, which are considered for the collection of information for each specific objective of the internal control system There are two commonly used types of questions: "closed-ended questions" and "open-ended questions." "Closed questions" are intended to confirm a specific issue the business has implemented "Open-ended questions" are designed to make room for the room user still clearer, more detailed and more flexible than the problems they made during the internal control process

+Practical observation method: for control procedures that leave "traces" on accounting

documents, the auditor may apply the observation method to collect evidence

+Re-implementation method: according to this method, the auditor checks on the basis of

repeating the activities of a certain person in the internal control apparatus to show the extent of the person's performance change to the assigned job This inspection aims to give

an opinion on the effectiveness of the self-control of a part, a certain stage of work by each assigned employee In carrying out this method, the auditor should take care to identify reasonable bounds of the process by which errors or frauds may arise

+Method of checking documents: The examination of documents can be carried out in two

directions: Checking oil marks from beginning to end and vice versa

* Checking from beginning to end, also known as checking from details to synthesis: this is the inspection according to the rotation order of the accounting process for a specific economic operation Accordingly, the test is perform from the original documents to the notes on the detailed accounting books, the account numbers and reflect the combined figures on the financial statements The purpose of this examination is to assess the extent

to which these economic transactions are fully reflected

* Checking in reverse or tapered is called checking from summary to detail: according to this method, the check is made from the aggregate figures on the financial statements, the ledger of accounts and the original vouchers of economic operations incurred The purpose

of this check is to determine whether the data reflected in the financial statements and the account number is real

In order to carry out control tests effectively, depending on each specific case, technicians can apply appropriate testing methods However, each method has its inherent disadvantages, so it is necessary to combine many different measures to ensure the most objective audit conclusions

2.3.3.4 Reassess control risks and adjust substantive tests

Establish an evaluation of the internal control system, which usually reflects the following information

- Internal audit objectives for each item or operational cycle

- Information describing the situation of internal control collected by the auditor

- The nature and importance of the respective risks

- Principles of designing and operating control procedures

- Evaluating internal control for each item or business cycle

On the basis of the results obtained by the controlled tests, the auditor conducted the risk assessment The level of control risk assessment is divided into 3 levels: low, medium and high On that basis, revising the audit program (substantive tests section):

Extending basic tests in those areas where the control risk is assessed to be higher than expected, and limiting the substantive testing on parts with lower control risk or control risk

in accordance with the original plan

CHAPTER 3: DATA & METHOD

3.1 Research method

Qualitative research is an approach that seeks to describe and analyze the cultural and

behavioral characteristics of people and groups of people from a researcher's perspective Qualitative research provides comprehensive information on the characteristics of the social environment where the study is conducted Social life is seen as a series of closely linked events that need to be adequately described in order to reflect real life

Qualitative research is based on a flexible and dialectical research strategy This method allows discovering important topics that researchers may not have covered before In qualitative research, some research questions and information collection methods are prepared in advance, but they can be adjusted accordingly as new information appears during the collection process That is one of the basic differences between qualitative and quantitative methods [13]

Qualitative research method of in-depth interviews was applied:

+ Structured or systematic interview: A method of interviewing all subjects the same questions Information obtained by this method may include both numbers and measurable data These methods are considered to be part of the qualitative research because they help

to describe and analyze the cultural and behavioral characteristics of the study subjects These methods aim to identify and identify cultural categories through the study of "cultural norms" in an individual's thinking, find out what they think and know about the world around them and how they organize this information

+ Survey questions can use either a closed-ended or open-ended format to collect answers

from individuals And we can use them to gather feedback from a host of different audiences, including your customers, colleagues, prospects, friends, and family.[13]

The topic is approached by inductive method

+ Observe the real world

+ Search for a pattern to observe

+ Generalizing what is happening

In inductive, there is no close relationship between reasons and results In inductive, we draw a conclusion from one or more specific evidences actually support these conclusions

Data were collected by using non-empirical methods