Abstract

Auditing is best known as the activity of evaluation financial statements whether those
statements are recorded with the correct amount or not. This activity also evaluates the internal
control of a company as to make sure the organization works accordingly to the standards set
by their management. The reports on the financial statements done by the auditor is really
important to an organization as the users of financial statements such as investor, lender,
supplier and so forth will consider the reports as well in order to have any business-relation
with the company. A good report will have a good impression from the users. This research is
focused on the responsibility of external auditors and management in a financial statement
audit, and the internal control and its implication to the audit. The results of our findings will
be explained later in this written report.
 1) INTRODUCTION

As we know, auditor is responsible to audit the financial statements of an organization.

They just can provide reasonable assurance to conclude the reports on financial statements
instead of absolute assurance due to the nature being of a human; vulnerable to make mistake.
Thus, to reduce any misstatement occurred, the management and auditors are
responsible to do their work accordingly. Management as an example, need to ensure the
internal control of the organization is well-function correspondingly with the guidelines. The
auditor also need to evaluate the internal control based on the Standard Operating Procedures
(SOP) set up by the management.
So what is internal control? Internal control are the mechanisms, rules and procedures
implemented by a company to ensure the integrity of financial and accounting information,
promote accountability and prevent fraud. Before doing audit, the auditor need to test a
company’s internal control to determine the substantive test that they need to do further. The
stronger the internal control, the lesser the substantive test that they need to make as the auditor
can rely on the information given by the client. So the workload would be a bit light and lesser.
We can see here the importance to have good internal control systems in order to help
auditor do their job efficiently and effectively.

Motivations and aims for the research

This research was conducted to enhance the knowledge about what is actually auditors
are doing by interviewing the respondents among the real auditors. Instead of learning the
subject, Principles of Auditing theoretically in the class, we can have a clear view about the
audit industry from the respondents and also can make some preparations in order to involve
in the industry.

Research Questions

1. What is the responsibility of external auditors and management in financial statement

audit?
2. Why the internal control is essential for the external auditors?
3. How internal control gives implication to audit?
Research Method

This research was conducted by using the qualitative method instead of quantitative
method. The technique used was interview. Each person in the team members need to interview
a respondent among auditors from any big companies in Malaysia (if possible). As we are in
the team of five members, we need to interview five auditors regarding to this research.

The first respondent is from KPMG and he already have experience in audit industry
for five (5) years. He currently works as a finance manager at ZB Security Services Sdn. Bhd.
This interview was conducted at ZB Security Service Office. The second respondent is from
Faridah & Co. and she currently works as the auditor for the company since five (5) years ago.
This interview was conducted at Faridah & Co. Office.

The third respondent is from HML & Co. which already experiencing in audit industry
for one (1) year yet still being an auditor until now. The interview was conducted at Bandar
Utama Restaurant. Next, the fourth respondent is from PwC. She is a Certified Public
Accountant and started to be an auditor since last year, Year 2017. The interview was
conducted at San Francisco Coffee Café. The fifth respondent yet our last respondent is from
BDO and already have experience in audit industry for two (2) years. The interview was
conducted at WP Hotel Café.

Significance of Research

This research was conducted to expose the readers and students conducting it of how
internal control really plays out in the auditing field and to know the depth of reliance by an
auditor on the internal control of an organization in auditing a company.

Structure of research

This research was conducted first by analysing a few articles that falls under the themes
being researched. Then interview sessions were conducted to source information from auditors.
Then the information was cross analysed between the auditors and also under different themes.
A conclusion of what we were able to learn from the research findings and discussion were
made at the end of the research.
 2) LITERATURE REVIEW

Article 1: Understanding the Relation between Financial Reporting Quality and Audit
Quality

From the article, we can define the Financial Reporting Quality and Audit Quality.
Financial Reporting Quality can be defined as those that are more complete, neutral and free
from error and provide more useful predictive or confirmatory information about the
company’s underlying economic position and performance. Meanwhile, Quality Audit is
defined as one that provides a greater level of assurance that the auditors obtain sufficient
appropriate evidence that the financial statements represent the firm’s underlying economics.
Apart from that, we can know that both literatures share same determinants by using
Bonner Framework which are person characteristics, task and environment characteristics.
Last but not least, based on the determinants stated, we can prove that financial
reporting quality and audit quality have impact on each other. Firstly, we can learn that the first
determinant of audit quality which is audit expertise and incentives give impact to the financial
reporting quality. The more expert the auditors, the higher the reporting quality that can be led.
However, incentives such as higher non-audit fees can give lower impact on the report. In
addition, the environment characteristic for instance quality of governance and investor base
also give impact to the quality of financial reporting.
Furthermore, the first determinants of financial reporting quality which is preparer
characteristic such as management’s incentives give impact to the audit quality. Besides, task
characteristic which is financial reporting complexity led to the lower audit quality. Moreover,
quality of financial reporting system such as deficiencies in internal controls and a firm’s use
of information technology give effect to the audit quality. Lastly, environment characteristic,
for instance corporate governance can influence the audit quality. For example, when the
auditors believe that CEO has influence over the audit committee, they are more likely to
overlook the adjustments.

Article 2: Internal Control Weaknesses and Financial Reporting Fraud

The article is about whether and how disclosed internal control weaknesses can be
linked to future revelations of fraud in financial reporting. The analysis and study were done
due to a few reasons. The first reason is due to the contrariness of the idea that strong internal
controls can reduce fraud risk. Some says that internal controls can deter management from
committing fraud. On the other hand, some argue that management can override internal
controls. Secondly, there is no empirical or actual evidence that connects weakness in internal
control with a higher risk of unrevealed accounting fraud. Sarbanes-Oxley Act (SOX) is
supposed to reduce fraud and initiate audit. However, some argue that it does not differentiate
between errors and fraud. They conclude that the link between internal control weaknesses and
accounting fraud is caused by errors, not by intended manipulation. Thirdly, even if robust
internal controls can decrease financial reporting fraud by managers, it is uncertain that
material weaknesses disclosed would be linked with future revelations of fraud by top
management.
From this study, we can know that internal control weaknesses are significantly
associated with future revelations of fraud in financial reporting in both statistically and
economically. The most crucial part in minimising the fraud committed by the management
level is to identify the weakness in internal control. Fraud prediction models should also be
implemented to control the internal control weaknesses. In an audit, the internal control opinion
issued by the auditor indicates a higher probability that managers are committing an unrevealed
fraud. Besides, SOX Section 404(b) is also important to serve as an early warning system for
future fraud revelation. Hence, internal controls especially entity-level controls can reduce the
risk of material misstatement due to fraud.

Article 3: The Effects of the Internal Control Opinion and Use of Audit Data Analytics
on Perceptions of Audit Quality, Assurance, and Auditor Negligence

This article is basically to examine whether the auditors’ methodology and internal
control opinion affect the audit quality. Auditors methodology is regarding data analytics and
internal control financial reporting which is we called it as ICFR.
This study and analysis were studying because of two types of audit quality. Firstly, in
order to increase the quality of financial statements of the audit, most of the standard setters
and practitioner audit suggested to use the ADA techniques. In ADA techniques, it is can test
all of the transaction (full proportion) rather than take a sample. On the other hand, ADA can
be created by any forms and it is can be revolutionize for time, nature and audit testing follow
by the extent. However, ADA is not only give a good side but it is also give a bad side which
is can’t increase the actual level of assurance provided by the audits. Meanwhile, in the other
situation, many of the current auditing standards only requires the auditors that can collect
evidence by using the sampling techniques. That’s why most of the practitioner auditors
encourage and focus in ADA uses. Hence, it is very important to check whether the ADA’s
technique can improve the audit quality and this enhancement can decrease the carelessness of
auditors.
Secondly, it is about audit acknowledge in order to make sure that internal control
financial reporting (ICFR) and presentation of financial statements are operating in effective.
The audit quality can be improved when the auditors provide the assessment regarding the
ICFR to inform whether it is operating effectiveness. Basically it is to know about level of
substantive testing and material misstatement that might be happen in the financial statement.
Other than that, ICFR also can provide the information to the financial statement users
regarding auditors work and the quality of financial statement. If there is an adverse result, it
is shows that there have weaknesses in the company’s system of internal control and material
misstatement in financial statement.
From this study, it can be said that ADA’s technique is better than sampling technique
as most of the practitioner auditors encourage to use it. It is an easy technique for the auditors
since they can use the full proportion of transaction rather than sampling. Next, the assessment
of ICFR are very important in order to know about the company’s system internal control
weaknesses and material misstatement in financial statement.
 3) METHODOLOGY

Data Collection Method

Our group used interview as our data extraction and collection method. We find this
method the most appropriate due to the nature of this research where we are required to
understand the audit topics and theories on how it is practiced in the real world. Since it
comprises and emphasizes on the practical element, the best way to derive the information is
from a stakeholder that have been in the audit environment and has been exposed to all the
related queries we have. Therefore, we have chosen 5 auditors that have experienced the audit
field to be the subject of our study since they fit the criteria where they have been exposed to
all the audit related situation and have been able to provide the best answers for our queries
based on their understanding of the audit field. The auditors were interviewed with a six key
themes to obtain as much insight as possible to help us understand more about the topics we
are set to research on.

Data Analysis Method

The qualitative data collected above was analysed using a thematic approach. The
purpose of using a thematic approach was because this research was conducted to answer two
main topics which are the responsibility of external auditors and management in financial
statement audit and the internal control and its implication to audit. Therefore, it was only
appropriate to analyse the data collected using this method to ensure the data was able to answer
the questions derived from the two topic. The thematic approach was done by classifying the
data obtained from the interview session to six different themes that are related to the two main
topic. This enables us to analyse the data better because we can compare the data derived under
each theme between different auditors and highlight the difference and commonalities in the
opinion of the respective auditors of that particular theme.
 4) RESULTS/FINDINGS AND DISCUSSION

a. The roles of the auditor in evaluating internal control

Based on this theme, all the auditors agreed that the evaluation of the internal control
is an important step prior any auditing activities that will be implemented.
A1 & A5 said, in order to evaluate the internal control, we must understand the
organization. Normally the auditor requires a set of policies and the standard operating
procedure (SOP), which is the guideline that is set by the top management to make sure the
overall organization are going well and under control. If the employees follow the SOP, then
we know that there is a sufficient control. The sufficient the internal control test, the lesser the
substantive test needed. If there is any contradiction between their work and the guidelines,
auditor can give a recommendation on how the top management can improve the system. Both
A2 & A4 said that we need to design audit procedures which are appropriate to clarify our audit
and the balances of transactions are not misstated. A2 also agreed with A1 & A5 which is to
obtain an understanding of the organisation. Based on this understanding we can design the
audit procedures that are appropriate to see what are the ways to audit the account balances.
The understanding of control helps us to understand what is going on in the organisation.
Furthermore, we need to maintain a high level of scepticism towards the management
because the management usually have a high tendency to cover up any fraud or mistakes that
they have done, said A3. Moreover, A4 said that we need to evaluate the internal control to
have the reliance before proceed with audit.

b. Management’s responsibilities in establishing internal control

For this theme, all the auditors that we interviewed share the same opinion which they said
that the management is fully responsible to establish the internal control. A1 and A5 said that
establishing internal control is important in order to get the operations of the organisation to be
effective, efficient and make the financial statement to be reliable and fair view. Moreover, it
is needed to make sure that it complies with certain laws and regulations. Then, A2 stated that
the management has the responsibility to ensure that the internal control is robust in order to
generate information used in preparing financial statement that are free from material
misstatement. As for A3 and A4, they said that management is responsible to establish internal
control because they are the one who needs to ensure that the organisation run smoothly and
what they are doing in daily processes are reliable.
 In addition, A1 and A5 suggest that the management needs to consistently apply the internal
control procedure, so that the objectives set up are being met and they can know about the
internal control effectiveness. Last but not least, A2 and A3 said that the auditor is responsible
to identify and tell the client what is lacking and also recommend any improvement that need
to be made.
From all the information given by the auditors, I can say that the management of the
organisation is fully responsible to establish the internal control as it is one of the most
important element in the organisation.

c. The usage of internal control components

In this part, all of the auditors are followed five COSO framework which are consists with
control environment, risk assessment, information and communication, monitoring and control
activities. As for A4, she said that all of the internal control components are important to
implement in audit work. Each of the company have different ways to implement it. For control
environment, A5 and A1 have the same views which they were focusing more on procedures
and policy in order to get the reflected of the management attitude on the internal control.
Besides, A1 also mentioned that they also can know about the commitment of management
and the organisation based on the policies they are used. Next, for control activities, A3 talked
about software which is they have to ensure that the password is not too generic. For an example
of password like abcd123 is too simple and anyone can enter by using those password, so we
need to ensure that the password is secured.

As for information and communication, A1 said that it is includes the quality of the
information and the effectiveness of the communication. Some information is not useful;
therefore, it will make the report become useless. This concept is called garbage in, garbage
out (GIGO) which is the quality of output is determined by the quality of the input. Then, A2
stated that they will check document and all information and evaluate whether they are
functioning properly or not. The function of this controls actually to evaluate the controls
whether it’s correctly put it in the place and to ensure they have the quality of information. For
monitoring, A1 stated that it is an ongoing monitoring or we called it as continuous process.
During the process, A1 recommended that we need to give evaluation and deficiencies so that
the management knows.

From all of this information, we can say that the usage of internal controls components
is very useful in order to make the audit work going smoothly as we can see from the
information and communication. It is very important to check our first step to make sure that
we provide a quality information so it can prevent our financial statement become useless. Even
though it is depending on how the company implement the internal control components, but
they have to make sure that the framework remains the same.

d. Method to evaluate internal control

Under this theme we have provided the interviewed auditors with three choices namely
flowcharts, narratives and internal control questionnaires(ICQ) to know which method will be
their primary choice in evaluating the internal control of the organisation being audited.
A1 told us that choices vary according to the availability of standard operating
procedure, SOP, in the company because SOP signals good internal control in the company.
Flowcharts are sufficient for the company with SOP while narratives are required for the one
without, to gain a better understanding of how things operate in the organisation. A5 shares the
similar view with A1 where it agrees on the usage of narratives and flowcharts depends on the
situation. A3, however opines that flowcharts are simple and narratives are detailed so it
depends on the need of the auditor on how much information about the internal control they
need and they availability of time because preparation of the narratives consume more time.
A4 suggests that both narratives and flowchart are needed because the narratives are prepared
by observing and inquiring the implementation of the internal control and therefore provide a
comprehensive understanding of the internal control in the company and only then the
flowcharts can be made.
As for the ICQs, A1 prefers it to be answered by the auditors while asking the questions
to the staff to evaluate the staffs interest and commitment in answering it while A3 and A5
regards ICQs is a useless tool because staff will answer it only for the sake of completing it,
making the information from ICQs not reliable. A2 posit to us that ICQs supplement the
preparation of the narratives by providing more data from the respondents.
From these information, I have learnt that flowcharts and narratives are the most
common tool for auditors to evaluate the internal control of a company. Flowcharts are suitable
when the company already have sufficient control and provides a simple overview while
narratives are suited to be used in companies that have less to no internal controls to provide a
more comprehensive understanding for the auditor.
As for the ICQs, even when the auditors concur that it can be used to gain additional
information to help prepare the flowcharts and the narratives, it is agreed to be not reliable
enough to be depended on evaluating the internal control of a company due to the nature of the
method in extracting data-questionnaires.

e. Experiences in evaluating internal control

Generally, the auditors mentioned that they have both good and bad experiences in
evaluating internal control.
For the bad experiences, A1 and A2 shared that they faced difficulties when one
subsidiary company didn’t follow the rules set by its parent company. Some small companies
also do not have a SOP as guideline and sufficient internal control. For A1, he faced problems
as there is lack of Purchase Order and its relevant records in the company. In order to complete
the job, he did the audit according to the checklist and give recommendations to the company.
As for A2, there is no proper documentation that shows that the controls are taking place.
Hence, she couldn’t obtain much information from the client and she need to interview the
clients in depth in order to find out what’s happening in the organisation. A2 also shared that
sometimes the clients are too busy with their own jobs, making it hard for her and her team to
schedule an appointment with the client, which causes the audit progress to be dragged. A4
mentioned that he met cases where what the client perceive in their procedure is not as the same
with what they have implemented. After his investigation, he found out that there is lack of
limit of authorities of the high management. In addition, A3 mentioned that sometimes auditors
will need to work in dangerous environments, such as doing physical stock count in the
warehouse.
As for the good experience, A3, A4 and A5 shared that they gain good cooperation
from the client's’ management side. For example, when A3 and A5 found that there is lack of
certain documents, the client will give cooperate by giving response quickly and providing the
documents needed in the shortest time. A4 also shared that his best experience is when the
clients really implemented the internal controls and they did everything accordingly, which
makes the auditors works smooth.
From all the insights shared by the auditors, I can say that the experience of the auditors
pretty much depends on their relationship with the clients. The biggest cause of the bad
experiences of auditors is due to the client is not giving full cooperation. On the other hand,
they shared that their best experience is also due to the efficiency of the clients in providing
necessary documents and assistance. Hence, it is important to have and maintain a good
relationship with the clients. A good relationship will not only make the client to be more
cooperative, but also make the audit work easier and more efficient.
f. Other lessons

Every auditor has different things that they want us to know more about. In general,
their opinions can be divided into two parts.

Firstly, they shared that auditors need to have strong basic in accounting. A1 shares that
is important to have strong accounting basics as every decision made will be reflected in
financial reports. Besides, learning risk management and controls such as detective control,
preventive control and corrective control are important for as auditor. In addition, A4 and A5
shared about the importance of validation of internal control because it affects the audit
workload. Hence, it is crucial to learn more about internal control audit and its effect to
financial reports. A2 also mentioned that we need to be aware of the accounting policies and
the reasonableness of the accounting estimated used by that company. Financial statements are
supposed to be done by the management of the companies. Sometimes, auditors are also
required to draft the financial statement to some small companies. However, the financial
statements will be reviewed and approved by the management and partners first.

Next, the auditors also mentioned that we need to be equipped with the latest
technologies and know more about current issues. A3 thinks that auditors need to be equipped
with latest technologies used by auditors in Malaysia, for example AXP software. A1 also
mentioned that auditors must be aware of any changes in the latest financial standards and
know about Companies Act 2016 which was just amended two years ago.
In conclusion, besides having strong basics in accounting, auditors also need to keep
themselves updated with latest technologies and current issues. This is because rules and
regulations always change with time. Same goes to technologies. By keeping ourselves
updated, we can do our audit work more efficiently and effectively.
 5) CONCLUSION

To summarize the whole research, it is said that this study answers the objectives of our
research. At the end of this research, we have a wider view about the auditors works and audit
industry. For instance, we learn that in every audit, it is important for the auditors to gain
understanding about the internal control of the organisation. This will lead them to understand
the risk of the material misstatement that might occur in that organisation.
From the research conducted, we know that internal control is one of the most important
part for auditors efficiently do their audit work. It is started with the management responsibility
to establish the internal control in order to make sure that the financial statement of the
company to be reliable and fair view. Next, the auditors need to evaluate the internal control to
help them make a good audit judgement. They can use various type of method such as
flowcharts, narratives and questionnaires. However, most of the auditors agree that flowcharts
and narratives are the most common tools to be used.
In a word, we conclude that an efficient and effective internal control will affect the
company’s financial statement to be reliable and fair view.
REFERENCES

Donelson, D. C., Ege, M. S., & McInnis, J. M. (2017). Internal Control Weaknesses and
Financial Reporting Fraud. A JOURNAL OF PRACTICE & THEORY,36(3), 45-69.
doi:10.2308/ajpt-51608

Gaynor, L. M., Kelton, A. S., Mercer, M., & Yohn, T. L. (2016). Understanding the Relation
between Financial Reporting Quality and Audit Quality. A JOURNAL OF PRACTICE
& THEORY,35(4), 1-22. doi:10.2308/ajpt-51453

PULLIAM, D. B., BROWN LIBURD, H. L., & SANDERSON, K. A. (2017). The Effects of
the Internal Control Opinion and Use of Audit Data Analytics on Perceptions of Audit
Quality, Assurance, and Auditor Negligence. Retrieved August, 2017, from
file:///C:/Users/End User/Downloads/The Effects of the Internal Control Opinion and
Use of Audit (2).pdf.
APPENDICES

i) Thematic analysis:

Themes/Audi A1 A2 A3 A4 A5
tor

a. The roles of Test if SOP is Start with Independent Ensure the Recommend
the auditor in followed and planning check on organization how can
evaluating test the need stage to managemen working improve
internal for evaluate IC. t’s internal efficiently system.
control improvement Design control. follow the Evaluate
of the current audit Maintain procedures management’
practices in procedures high level of that have s internal
the to clarify skepticism. been control to
organisation. the balances implemented. avoid fraud.
of
transactions
. Obtain
understandi
ng of
organisation
.

b. Think about Ensure to Enforce a System for Focus over

Management’ how to have a good daily financial
s safeguard robust internal transactions report and
responsibilitie their asset and internal control and compliance
s in apply to control system by procedures to with laws. Set
establishing internal environmen having make sure up guidelines
internal control. t to produce contact daily to follow by
control Provide one financial supervision processes are organizations.
section in statement such as reliable.
financial free from CCTV
statement that material camera.
 talked about misstateme Invest some
internal nt. amount of
control. money in
software.

c. The usage COSO Practical Ensure the Control Control

of internal framework. plan which classificatio environment environment,
control Control is we know n of are the focus in
components environment what information information, procedures.
is happens in in financial communicati Information
commitment financial statement on and and
of year. Pick done monitoring. communicati
organisation. samples and according All on, provide
Risk run through the components the
assessment, the control. guidelines. implemented information.
identify the and depends
risks. Control how we
activities, apply that.
policies in
management.
Information
and
communicati
on, quality of
information
and
communicati
on.
Monitoring,
give
evaluation.
d. Method to Different Flowchart Flowchart Get a Depending on
evaluate situation and easy to narrative the situation
internal different narratives understand understandin but prefer
control method: related to but general. g from flowchart
Narrative revenue Narratives inquiring and because it’s
when less cycles and detailed but observing on simple and
control, etc. ICQ time how they determines
flowchart helps in consuming. implement whether there
when have making the ICQ their internal is control.
the narratives. answered controls, then Narratives
company’s for the sake document a help when
SOP, ICQ of flowchart there’s little
need to be answering control. ICQ
answered by only, not not helpful,
auditor by effective. not answered
asking the honestly.
staffs

e. Subsidiary Busy clients Stock take Some Experiences

Experiences don’t have disrupt or count in companies dependent on
in evaluating SOP because information dangerous have good the auditor’s
internal it was a sharing conditions. implementati relationship
control family process, on of internal with the
company small control; some management.
before this. organisation didn’t
need to do implement it
interviews even when
since no they state
proper they have it.
controls Question top
management
how they
going to deal
 with the issue
that has
arisen, and
evaluate the
progress next
year.

f. Other Learn risk Draft Software Importance Learn more

lessons management, financial used by of validation about internal
detective statement auditors in of internal control audit
control, for small Malaysia control and its effect
preventive companies such as AXP because it to financial
control and and Solutions affects the reports.
corrective evaluate the software. audit
control going workload.
concern of
the
business.
 ii) Transcript
A1

A1 Assalamualaikum, I am Nur Izzati Binti Muin, student of Bachelor in Accounting from Universiti Malaya. Thank
you for your time in participating in my interview session. Actually, this interview is part of my coursework for
Auditing Principles course. First of all, can you please tell me a little bit about yourself such as your current work
and how many years that you work as an auditor.
Auditor My name is Mohammad Firdaus Bin Abdul Wahid, I graduated from International Islamic University Malaysia in
Bachelor of Accounting in 2008. I have been working as an auditor at KPMG for more than 1 year and I joined an
internal audit for about 4 years. After that I joined the management team and right now I am doing the finance
works as a Finance Manager at ZB Security Services Sdn Bhd for about 3 years.
A1 Can I know why you change from working as an auditor to a finance manager?
Auditor First of all, when you being an auditor, you learnt a lot. You learnt about the risk management, internal control,
how to prepare the financial statement and how to tackle the problem. In external audit, we more focus on the
financial auditing but in internal audit, we focus on internal control and risk management. After accumulating
experiences in those auditing background, I think it is time to change from the audit line to the finance line
because it is my core competencies. The experience from the audit line is actually helping me to change to the
different position.
A1 So your experiences in auditing really help you to do your job as a finance manager?
Auditor Yes, the experiences help me a lot. It is very useful. When you graduated, I advise you to work as an auditor first
to gain experiences. You will learn a lot on how you want to audit the firm, how big the gap in one organisation
with the current standard. This will really help you when you join accounting or finance line.
A1 So I proceed with the main questions. For the first question, can you please explain to me, what are the roles of
the auditor in evaluating internal control of any organisation?
Auditor My point of view in the roles of an auditor is a bit wider. When we talk about financial statement audit, normally
before we do our works, we have to do the internal control check.
A1 Do you mean that we need to understand the organisation?
Auditor Yes, we have to understand the organisation. Before we go for an audit, normally the auditor requires a set of
policies and the standard operating procedure (SPO). This is a guideline that is set by the top management on how
to do their work and what are the policies or standards for the workers. All the external auditors will check
whether the current practices are according to the SPO based on their checklist. If the employees follow the SPO,
then we know that there is a sufficient control. After that, auditor needs to do the substantive testing, but before
proceed we need to do the internal control test. If the internal control test is sufficient, then the sample for
substantive test is less. In other words, if the test is insufficient, auditor needs to select larger sample.
Auditor However, the role of internal audit is actually to determine whether there is a systematic approach and need for
improvement of the current practices in the organisation. With the test of control, we can recommend the
management what they need to improve. We can give consultancy to the management on how to improve on
certain things and also how to safeguard their assets.
A1 You as a person who have experiences in external and internal auditing, can I know whether there is any
difference between the role of internal and external auditor?
Auditor External auditor is focus more on the auditing the financial statement. They only focus on the financial side of the
company. Meanwhile, internal auditor not only covers the financial side, they cover the operating side such as
raw materials, work in process and finished goods. They are a little bit different but both are concern about the
internal control because it is one of the most important aspects in an organisation.
Auditor Before set up an organisation, the management is responsible to establish the internal control because they have
the objectives to get the operation to be effective, efficient and also want their financial statement to be true and
fair view and comply with certain laws and regulations. The management must think about how to safeguard their
assets and not only to gain profits. They need to consistently apply the internal control, so that all the objectives
set up are being met and have to access whether the internal control that being set up is effective.
Auditor Other than that, management of public listed companies are responsible to provide one section in their financial
statement that talked about the internal control which known as the statement of risk management and internal
control.
A1 Next, when you do your audit work, what are the components of internal control that you have been
implemented?
Auditor The best component is actually from the COSO Framework which consists of 5 components. The first component
is control environment which is the commitment of the management and the structure of the organisation and
policies and procedures used.
Auditor Secondly is the risk assessment. The audit work will be tough when the risk is high. This means that higher risk
requires more jobs. On the other hand, if the risk is low, the audit work will be lowered. The auditors need to
identify the risks and understand the report from the risk department before do their audit works.
Auditor The third component is control activities which are the policies, procedures and any change in management. Next
is information and communication which includes the quality of the information and the effectiveness of the
communication. If the information entered is not useful, the report will be useless. This concept is called garbage
in, garbage out (GIGO). It defines that the quality of output is determined by the quality of the input. Last but not
least is monitoring. It is a continuous process or an ongoing monitoring. During this process we need to give
evaluation and deficiencies so that the management knows.
Auditor All the 5 components of COSO Framework are very important and very helpful because it is like a 360 report
which it reports everything.
A1 Are the COSO Framework only applied to The Big 4 Companies?
Auditor The one who uses the COSO Framework is the listed and multinational companies but not the SMEs.
A1 The fourth question is, to evaluate the internal control of an organisation, usually we use narratives, flowcharts
and questionnaires. Which one do you think is the most useful?
Auditor Based on my experiences, there is no most suitable method. For narrative, it is usually being used when there is
no control or insufficient of control in the organisation. This is because we want to know how they do their
works. So, auditor will interview them one by one from the lower level to the top level. Meanwhile, flowchart is
being used when we already have the company’s SOP. It also can determine whether there is a control or not.
Last method is the internal control questionnaires which is the external auditor’s checklist. The questionnaires
need to be answered by the auditor to prevent the auditees from lying while answering them.
Auditor All methods are useful depend on the situation and sometimes the 2 methods complement each other because we
need to make sure that the internal control is sufficient. It is not only about which method is the most useful but
which method can give the correct information that help to assist the management to give fair and true view
report.
A1 Can you share with me your experiences when evaluating the internal control of an organization?
Auditor I have a bad experience in auditing one company which is the subsidiary of the listed company. Supposedly, the
subsidiary needs to follow the set of rule set by the parent company, but it is not because the subsidiary is
previously a family company. During the audit work, I found that the company does not have the SOP. When I
want to audit their sales, there was no purchase order (PO) and records. There was only a simple PO for me to
refer and it was hard to do the audit works. To complete the works, I do the audit according to the checklist and
write my recommendation.
A1 For the last question, is there any other area from internal control and the roles of auditors and management in
financial statement audit that you want me to know or learn?
Auditor There are many things that you can learn. When we talk about internal control, it also has connection with the risk
management because risk management is also one of the important parts before doing an audit work. Other than
that, you need to know the type of the internal control whether preventive control (what are the control that you
have before it happens), detective control (how to detect if something goes wrong) and corrective control (how to
correct if thing goes wrong and what are the ways to rectify the issues).
Auditor In addition, one of the most important things about financial statement audit is the accounting standard. You need
to have a very strong basic in the accounting theory because every decision made will be reflected in the financial
report. Moreover, you need to know the GAAP and the laws and regulation such as the new Companies Act
2016(amendment).
A1 Thank you for making your time in this interview session and the information that you give. The information are
very valuable and help me in understanding auditor’s work more.

A2
A2 Good afternoon Ms Alicia. My name is Keat Yin and I’m a third-year accounting student from UM. We are
required to complete our Audit Principles assignment, which is we have to interview an auditor. Before we start
the interview session, can you please introduce yourself, and share with us how many years have you been in
audit and what do you usually do on daily basis.
Auditor Good afternoon. My name is Alicia and I’m a senior associate. I’ve been in the audit profession for almost 2
years. What do we do on daily basis is we go to the clients’ place and complete the audit paper? In my role, I
have to lead some of my juniors, and report to my senior-in-charge, and sometimes to my manager.
A2 Alright. Moving on, we actually need your consent to proceed with the interview, and you may stop the interview
session whenever you want. Thanks for signing the consent form just now, and we also need your permission to
have our voices recorded. The voice recording is just for our assignment purpose and we will submit it to our
lecturer for reference purpose. The objective of this interview is to know about the responsibilities of external
 auditors and management in the financial statement audit, and also the internal control and the implications
towards audit. So, my first question is, can you please explain to me what are the roles of an auditor in evaluating
internal control of an organisation?
Auditor In every audit, we will start off with a planning stage. The planning stage is more on the evaluation of internal
control of an organisation. This is to let us to understand the risk of material misstatement that might possibility
occur in that organisation. We also have to design audit procedures which are appropriate to clarify our audit and
the balances of transactions are not misstated. In general, we are here to obtain an understanding of the
organisation. Based on this understanding we will then design audit procedures that are appropriate to see what
are the ways to audit the account balances. The understanding of control helps us to understand what is going on
in the organisation.
A2 May I know how long will it take from the planning stage until the end of the engagement with a client?
Auditor If it’s an engagement with a listed company, it can take about 6 months. If it’s just one company, in one-month
time we will be able to finish all the jobs. However, if there is a large number of auditors involved, it usually take
longer times as there are various companies in that group that we have to audit.
A2 Means you not only need to audit one companies, but also its subsidiaries as well?
Auditor If it’s just one job, for instance, if it’s a local company with only one organisation, that will take about one month.
However, if it’s a group of company, for example IOI Corporation Berhad, and there are any companies in it, then
we will have to audit the subsidiaries and also do a group consolidation to review the consolidation papers of the
client. All these processes will take up to 6 months or more.
A2 Wow that’s a really long time. Alright, we will proceed to the second question. What is your view towards the
management’s responsibility on establishing an organisation’s internal control?
Auditor We suppose all the directors are fully responsible to ensure that the internal control of the company is robust. The
robust internal control is use to generate information to produce the financial statement which are free from
material misstatement. It is their responsibility and they have to do the disclosure in financial report in the audited
financial statement. So in the audited financial statement, it will be in the directors’ report. It’s their responsibility
to have a robust internal control environment in the company.
A2 So based on your experience in audit for these few years, do you think did most of the management actually did
this responsibility well?
Auditor I would say that I think quarterly review are always important to review the internal control. Part of our job is to
identify and tell the client about what is lacking and then to find out how to improve the weaknesses in the
internal control.
A2 Okay. We will proceed into the next question; can you please tell me what are the components of the internal
control that have been use or implemented in your audit work?
Auditor Whenever we start an engagement, we will start with a very practical plan. If it’s not a first time client, we will
have the past year audit work papers and we will always take that as reference. With that. we will understand
what is going on with that company and update it with what happens in the current financial year. Means we will
interview the client again to know what are the controls that are in place, we will check and document all
information and evaluate whether they are functioning properly. After that, of course we will pick up samples and
run through the control. Assuming the accounts executive will prepare the bank reconciliation, then the accounts
payable will preview with the bank reconciliation> So once we understand those, that these controls are in place.
We will ensure that the bank balance is correct. We will verify that these controls are actually done or not which
is to take in verification to evaluate the controls whether it’s correctly put in place or not. Then we will take the
bank reconciliation to check if the finance manager has actually review it an whether they have authorised and
sign on the bank reconciliation.
A2 I see. In order to evaluate the internal control, the auditors usually use narrative, flowchart and Internal Control
Questionnaires (ICQ). May I know which one is the most suitable for you and why?
Auditor I would say all of them because all of them helps us to understand the controls in the company better. In our work
papers we will always have a flowchart and the narratives which is the control relating to the revenue cycle and
so on. And to come out with the narratives we will need an internal control questionnaire to help us understand
the organisation and its controls that are used.
A2 Can you please share with me some of your experiences, no matter good or bad, when evaluating the internal
control of an organisation?
Auditor We can start with the bad one. What I think is sometimes the clients are very busy with their own jobs. This
makes us difficult to schedule an interview with them to better understand their company. Sometimes the auditor
couldn’t get much information in an interview and can’t understand the client much because they don’t have the
properly documented internal controls. Some of the clients may not necessarily do an internal control in their
daily operations, then we really have to dig out and ask them and try to find out what are the controls that are in.
This usually occurs in the smaller organisations, assuming they have a transaction, but they don’t have a proper
documentation to show that the controls are in place. We have to interview them and access what are the controls
 that are in place. However, if in in bigger organisations, they will have the SOP, and they know that they are
supposed to check the executives’ work and there is segregation of duties. They will have plans and policies to
avoid the management override certain things. Hence, in a bigger organisation, it’s more straight forward whereas
for smaller organisations, the interview with the clients might be a little bit difficult so it will be more time
consuming to find out what are the controls do they have. I think sometimes the client will also lack of internal
controls, then it’s our responsibility as an auditor to provide recommendations. Usually we do this by issuing the
management letter.
A2 But from what I know, usually giving recommendations is under the consulting or advisory part right?
Auditor Well, it’s actually also part of audit but it will be very simple. For instance, if the client has a lot of outstanding
receivables, this will be a lack in controls relating to the trade receivables. Maybe they don’t have a proper policy
to impair their trade receivables. If we see a long outstanding payable, then we will want to recommend them
perhaps they should have a control or policy in place to evaluate when trade receivables should be impaired like
after maybe 3 months. They should come out with a policy. So we will recommend it and they are supposed to
reply their cause of action like what cause of action they will take. If they don’t do the policy in place to collect or
to impair the trade receivables within a period, we will reflect better on the performance on the company and the
balances in the trade receivables will be more appropriately stated because of the impairment if there is an
impairment.
A2 Alright, I’ll go out of the interview questions a bit. Do you actually enjoy audit life?
Auditor I actually do. It is very interesting. You get to see different companies. So far in my 2 years at the firm, I’ve been
auditing different companies in different industries. So I get to see what goes on in that company and how they
run businesses differently. For instance, I’ve done companies in retail industry and one of the unique accounting
item is the region of exams cost because they are in retail and they have various 15.40 and they have to restore it.
I think it is interesting as I saw that in the retail industry. Right now I’m doing a trading company and they deal
with financial instruments. So I got to learn about the double entries and I find it interesting to learn how the
company manages its sales in foreign currencies. So it’s very interesting to see many businesses to see how they
manages a business and what kind of controls are in place, how the accounts are like, what ae the risk or
possibilities involved in the company.
A2 So we can actually learn a lot of things though auditing right? May I know in your opinion, is there any downside
of auditing?
Auditor Well I guess the only downside is the fact that the working hours will be very long.
A2 Is it a norm for auditors to work overtime?
Auditor Yup it is. I’m currently auditing a trading company and my partner is really strict. So we will be going back at
11pm every day. But in the morning we can go in at 9.30am so it’s not as strict as the commercial firms where the
staffs need to clock in by 8.30am. We are more flexible and can come to work a little bit late.
A2 It’s not easy to stay in the office to work from morning until sunset.
Auditor Well, one can always do 3 years in audit. It is a really good stepping stone definitely. You get to see the whole
picture of the company and what goes on in it.
A2 Yup I saw a lot of my seniors worked as auditors for around 3 years, and after that they will move to the other
fields for example tax, advisory and so on.
Auditor Yes, you can even start up your own business.
A2 Looks like auditing is a good field to kick start your career and gain experiences. By the way, is there any other
areas from internal control and the roles of auditors and management in financial statement audit that you would
like to share about?
Auditor Perhaps I can share with you generally what we do and an auditor is. Because first and foremost is to assess the
risk of material misstatements due to fraud error. To form the audit procedures and to obtain the audit evidence
that is sufficient and appropriate to provide basis for opinions. The final product is the opinions formed. Of
course the auditor’s report is always sign off by our partner. But we will be the ones that are doing it. Actually
generally the clients are supposed to do up their financial statement but it is also quite common that the auditor
will draft it to them if the clients are incompatible which happens sometimes, but of course it is not common in
the listed companies. But for the small companies the auditors actually have to draft the accounts, but it subject to
the approval of the management as well as our partner which will review the financial statements. Finally, he will
sign off once he is agreeable to everything. Other than that, we also need to evaluate the accounting policies used
and the reasonableness of the accounting estimates and the disclosures made by the directors. We also look into
going concern. It seems to be important area relating to financial statements. We will always enquire and confirm
whether they should be going concern and whether a company can operate in a going concern basis. Usually if
it’s loss making and in net tangible liability position, then we would see that whether the company have going
concern issue and we will disclose that in the auditor’s report. If the client has really appropriate evidence, then it
is not a big issue. For instance, a subsidiary of a listed company, if the holding company and the group is doing
 well, and they are going to provide financial support to these loss making subsidiaries, then this company will not
have any concern issue.
A2 I think that’s all for our interview today. So once again thank you for your time to attend this interview session.
I’m sure that the insights that you’ve shared just now will be valuable for us no matter in our assignment or for
me to pursue audit as my future career. So thanks you once again for spending your time with me.
Auditor No problem.

A3
A3 Hello Mr. Yughan, good evening.
Auditor Good evening.
A3 Today I'm coming from University Malaya. My name is Puven and I'm currently studying, currently in my third
year of undergraduate studies, undertaking BACC majoring in accounts in university Malaya. Right? So we are
taking one subject called the audit principles. And therefore, we are required to have this interview session to
enable the proceeds of this interview to be used in our written report so that we can know more about how things
are from an auditor like you who have seen things in real life, right? Rather than us that we have only studied it
based on the theories and whatsoever, right. So that is why we have the interview today. So Mr. Yughan, How,
how long have you been in this audit field? And how do you think audit field is for you?
Auditor Well, for me, I've been around one year plus in this audit field. And if you ask me, the audit field is quite
interesting, because you will be getting a lot of scenarios, a lot of cases each and every day, and it will be very
interesting to solve or to audit the companies.
A3 Okay, thank you, sir. But I've also heard that the audit work can be very hectic, you need to work long hours, is
that true?
Auditor Well, it depends. If you're able to finish your work, very smart, very tidy. And very effectively, then I'm positive
that you don't have to work long hours. And even though if you're going to work long hours, it's a benefit for you
also, because you'll be learning a lot of things in that way.
A3 Oh, I see. Thanks Sir. So before we proceed with this interview session, I just need to inform user then I will be
recording this whole session throughout the entire session. I hope you're okay with that.
Auditor Yeah, sure go on.
A3 All right. So, so the theme of today's interview is that the importance of internal control and what role does
auditor play in evaluating these internal control, right, sir, but before that, can you please explain to me like what
is internal control in your audit field?
Auditor Well internal control is where we check the managements, their internal control is where the management
implements a system within the organization to avoid any frauds, or any intentional or unintentional material or
immaterial misstatement also.
A3 Alright sir, thanks for that explanation. So let's just proceed with the first question, right? Which is that from an
auditor’s perspective, how do you think and what do you think are the roles of an auditor in evaluating the
internal control of a company, any organization?
Auditor The auditor's role in evaluating the internal control in any organization is that they need to have an independent
check on the management's internal control because the management may have a higher tendency to cover up
with a high level of scepticism. So, let me just rephrase that again. So, auditor's role in evaluating the internal
control is where we make an independent check on the management's internal control, because the management
will usually have a high tendency to cover up any fraud or any mistakes that they have done. So, we need to have
maintain a high level of scepticism towards the management
A3 Alright sir, like, but is the evaluation process always the same thing for any organization?
Auditor Well, they said, there are some types, different types of internal control that exist and different types of
organization requires a different set of internal controls, for an example a medium or small size enterprise may
not require any form of internal control while a large huge corporation or even a public listed companies will
need to have an internal control in order to avoid any frauds that could or may happen during a day to day basis.
A3 Is it due to the large volume of transactions they have and that's why they need to have the internal control in
bigger companies?
Auditor Yeah, because large volume of transaction we may result in higher tendency or risk in fraud because employees
may be tempted to make a fraud or because they might think that they will not be caught me that if there is no
internal control implemented.
A3 Alright, sir. Thanks for the explanation. Okay, let's just proceed with the second question, right. We just like so a
lot of perspectives from the people is that auditor should be the sole person that need to be responsible in ensuring
that efficiency of the internal control. So do you think auditor has the most responsibility? And can you explain
more about like whether or not management has a responsibility as well? Or do they have more responsibility
 compared to the auditor because they are the ones that are actually in charge of the internal control in that
company. So please explain the management's responsibility in establishing internal control, sir?
Auditor Well, first and foremost, the management has the primary role and responsibility in implementing the internal
controls, because they are the ones who need to ensure that the organization runs moving smoothly on a day to
day business. And second of all, regarding the audits responsibility on the internal controls auditor's do have a
certain level of responsibility which we will be recommending the types or we will recommend any
improvements that needs to be made in the internal control and more over there is also there is also an act for
Sarbanes. So let me explain more on why the management should be more responsible in implementing good
internal control system within the organization if we look at some recent scandals that had a happened like the
Enron scandal, also, if they had a very good internal control system, which they had implemented, they could
have easily avoided the scandal and also the directors would be held liable more ,more earlier and more easier to
find out the mistakes and the fraud that have been done by the directors. And also there are also some acts like the
Sarbanes Oxley Act, which states that the CEO must sign the financial statements of the auditor's report, which
shows that the directors and the org The organization plays a huge role on implementing the internal control
system. And also the fact that the auditor reports should food should be fully prepared by the management using
the data that has been collected through the Internal Control System shows, also shows that the management
plays a huge part in implementing a good internal control system.
A3 Isn't the report prepared by the auditor?
Auditor That is a misconception, around, most people have, because usually, the auditor's report should be prepared by the
client by the organization itself, where the auditors will only prepare like a four page on the on their opinion
towards the truth and fairness of the auditor report has been prepared by the organization which the data they
collected from the effective internal control system.
A3 Oh, I see. So the management is the one that will prepare the whole report and the auditor only has like four
pages in it. So that is why the management has a higher responsibility in making sure the internal control is good,
right? So like, what can be the management's responsibility what can they do to ensure that they are good internal
controls in place?
Auditor Well, there are various types of internal controls that they could implement depends on the organization depends
on the business that they are in, for an example, the management must enforce a good internal control system by
maybe having a constant supervision, maybe like they could have a CCTV camera installed in the premises, they
could also have implement or invest some amount of money in a software which authorization, which authorizes
a certain transaction For an example, let's say someone needs to get a payment voucher. So they will need to have
a proper software in order to issue an invoice or payment voucher to the employee, so that no employees can
make fraud by simply issuing any amount or any money that the one we don't being liable towards the company
A3 So they need to ensure that not only that internal controls are in place, but it is also been practiced by the people
and the management need to enforce it, Sir?
Auditor Yeah.
A3 Okay. Thanks for the long explanation and enlightened by the explanation. Also let's proceed with the third
question, right? Which is, can you please tell me what are the components of internal control that has been
implement mended or used in your audit work like things that you have been, you have been, you have seen those
things when you're doing your audit work sir, what are the type of internal controls?
Auditor Well, depends on the companies that I'm auditing, for an example, if the company is heavily based on non-current
assets. So we need to ensure that the motor vehicles or the computers, software are correctly has been, correctly
have been registered in the non-current asset register and also we need to ensure that those assets are correctly
recognized as company’s asset and not a director's asset. And for some other internal controls, let's say they have
implemented a software in their company. So for the software, they need to ensure that the password that they
using in order to access the system is not a too generic password. for an example of password like abcd123 is to
generic and anyone can enter those passwords and log in and change any critical information. So we need to
ensure that the password itself first and foremost is secure. And also we need to ensure that the client or the
management is able to classify, has the correct skills and knowledge in order to classify asset. So based on my
experience, let's say they have that there's two companies which shares a certain expense, we need to ensure that
the accountant is able to apportion those expenses accordingly, according to the criteria that has been set by the
company itself. For example, let's say company A fulfils the criteria which states that it has fulfilled those criteria.
So those expenses should be a apportioned accordingly to the company.
A3 Okay, so this is like an internal control that helps ensure the classification of information in the financial
statement will be done according to the guidelines.
Auditor Yeah.
A3 Okay. Alright, sir thanks. And moving on to the fourth question. In order to evaluate the internal control of an
organization. The auditors normally use narratives, flow chart and Internal Control questionnaires. so which of
these methods is the most useful for you sir, like which one do you always use?
Auditor Well, for me, I always use the flowchart, but based on my experience I think all those three methods have its own
pros and cons. For an example flowchart is easy to understand, easy to be drawn it shows a simple overview on
the management internal control system but it only gives an overall picture of the internal control system it
doesn't give you a detailed information regarding the internal control while the narratives, it takes too much time
in writing, but it can be more comprehensive and much more easy to understand for the other audit team
members. While the ICQ, internal control questionnaires, could be useless. But it's an old method. And frankly,
not much for the auditor's still using the internal control questionnaire.
A3 So why is it useless, Sir?
Auditor Because the internal control questionnaire is only we give the questionnaire to the client where they just need to
answer yes or no. But most clients because they will be quite not cooperative. Some clients are not that
cooperative. So they will just for the for the sake of doing it, maybe just tick it whatever they want. Not even
understanding the questionnaire itself. So for me, I think the best is flowchart it's simple and it can be easily
understood by anyone.
A3 Okay sir. So in your one year experience, can you please share with me your experience, good or bad when
evaluating the internal controls and organization?
Auditor Well, they are some good experience while they are some bad experience the good experience when you get a full
cooperation from the management side, the for an example, if you're lacking of certain invoices, or you're lacking
on or you don't understand a certain transaction or you have some queries that you need to ask to the client, the
client will be responding very quickly, very effectively and very efficiently towards you, they will reply to you as
soon as possible and also and they will give a full cooperation while for the bad experience. Let's say for the best
experience that I have encountered while I was taking, doing stock count or stock take at one of our client's
warehouses, they are some safety concerns that clients do not recognize. Although the client knows every year
that we as an auditor will be coming and doing the stock takes it is sometimes it's very dangerous to count. But
that's the job of an auditor, you need to risk your life.
A3 Well, that's a big statement sir. Okay. All right. So the next question will be like this, this out of your out of the
question, the ordinary course that we are going on I'm just asking like, Are there any other areas from internal
control and the roles of auditor and management in a financial statement audit that you want me to learn more?
Auditor Well, there are, you. Well, for me, I'm really interested on what the future technology could do in implementing
an effective internal control and also in changing the way of weak audit internal control. For you, you can take
your time and try to study or learn more about the real time progress in the internal control audit segment.
Auditor Yeah, and also you can also look into some newer technology that is being created to assist or auditors. For an
example in Malaysia, some generic software that's been used, that's been really quite helpful for the auditors are
the AXP software, you can take a look into it and get to know more about it, because those kind of software's is
the ones you're going to learn more in when you're going to work or during your internship.
A3 Okay. Alright sir, thanks for all those responses and I'm really grateful and I appreciate the time you have spent
for this interview session. Thank you sir again and I will ensure that this information will be valuable and I will
use it to the most I can I mean not only for my assignment right I will try to use it in my future auditing field.
Auditor Well I'm expecting an essay from you afterwards.
A3 Alright Okay sir. So haha. Ok. So I will learn more about the issues that you have highlighted just now and I will
possibly be good auditor one day. Again, thank you sir.
Auditor You are welcome. Bye.

A4

A4 Hi, Assalamualaikum. Are you Miss Liyanie?

Auditor Waalaikumussalam, yes I am. You must be Siti Masyitah right?
A4 Yeah, I am Siti Masyitah. Just call me Siti.
Auditor Okay Siti, so how’s your study so far? You are third year student right?
A4 Yes, I’m the third year student. Alhamdulillah so far so good though I feel a bit tough actually but yeah it’s a
norm hehe.
Auditor Yeah it’s norm. Just don’t give up and don’t despair, the rainbow will come after the rain.
A4 Yes, sure. So how’s your work then? Is it fun working in the industry?
Auditor Yeah, I’m really in love with my current job as an external auditor. It’s fun to be an auditor actually. And it will
be more fun working with PwC.
A4 Wow! Sounds like you want to promote your company.
Auditor Haha, of course. But frankly speaking, PwC has best working environment. I learn a lot from here as we are
trained from the scratch. You should apply for internship here.
 A4 Wow! Sure, I will try to apply. So, can we start our interview session now?
Auditor Yeah, sure 
A4 So, for the first question, can you please explain to me what are the roles of the auditor in evaluating internal
control of any organization?
Auditor As an auditor, we have to evaluate the internal control of the organization because it is essential for the
organization to have the internal control and we should evaluate the internal control so that we can have the
reliance before we proceed with the auditing of the financial statements. Other than that, we also want to ensure
that the procedures that have been implemented in the organization is working effectively and efficiently as the
procedures.
A4 So next, how about the management responsibilities on establishing the internal control?
Auditor I would say that management is fully responsible in establishing internal control. They need to have the internal
control systems for the daily transactions and procedures of their businesses because if they are not responsible,
how are we gonna make sure that what they have done during their daily processes are reliable? Okay?
A4 Can you please tell me what are the components of internal control that have been used or implemented in your
audit work?
Auditor The components of the internal control that have been implemented in my audit work, I would say the control
environment are the information, communication and monitoring. I would say that everything in the components
of the internal control are implemented in my audit work. It is just how we apply that. It would be different for
each organization that I have been through. But, the framework that we have been used is all same and yeah, that
is the guideline on how we evaluate the internal control of an organization.
A4 In order to evaluate the internal control of an organization, the auditor normally uses narratives, flowcharts and
internal control questionnaires (ICQ). Which one of these methods is the most useful for you and please explain?
Auditor So among those three methods, I would say that we normally start with the narrative. So we would go and inquire
the clients about their internal control systems and about their procedures. We should gain understanding about
their internal control and other than gaining understanding, we also have to evaluate on how effective and
efficient their internal control to their business’ processes. After gaining narrative understanding from inquiring
and observing on how they implement their internal controls, we did some flowchart in our documentation. So
that, we could understand better on how everything flows from start to the end of the process. Do you need any
examples from me?
A4 Yes, sure.
Auditor So for example, if I need an understanding on purchasing and payables of a client’s company, normally I would
start with inquiring the client about their processes, on how they would start their raising of P/O, their 3-way
matching until their payment method. That is how I go and talk with my client first. After that, I would sit down
and make flowchart of the processes; so that I could understand better. Other than that, I would get a sample of
their transaction and validate it according to what they have explained to me earlier. If it is not according to what
they have explained, I would gain more understanding on that and investigate further. That is how I did my audit
work.
A4 Can you please share with me your experience whether it is good or bad when evaluating the internal control of
an organization?
Auditor So, in evaluating the internal control of an organization, I would say that I have both experiences. So the good
one is that you would be surprised that there is company that really implemented the internal control and they did
everything accordingly but do not be surprised if there is a company that would not really implemented the
internal control even though they have stated it in their standard of procedures but they did not really implement
that. I have a client before, what they perceive in their procedure is not as the same with what they have
implemented. So I have checked their approval and yes, it is not based on the limit of authorities; which leads me
to further investigate. When I investigate, it would involve the high management which are managers, so we
would discuss with them on how they gonna response to the internal control matter that arises. The management
should give suggestions on what they gonna do with it and we need to document on everything that they have
said and evaluate again next year when we come back to the same client.
A4 Oh I see. So any other areas from internal control and the roles of auditors and management in the financial
statement audit that you want me to learn or know?
Auditor So, the internal control is important to be validated; I mean to the external auditors because we gonna rely a lot on
the internal control in term of our testing. Before we do auditing in financial statements, we have to validate and
evaluate the internal control systems first because we want to reduce our work load. Because our work load is
normally in auditing the financial statements would depend on the internal control. Let say, we are putting high
reliance in the internal control, we have lesser work to do in auditing the financial statements. So it is an
important process in audit; we need to understand and validate everything, so that we can do our work efficiently.
I think that’s all from me.
A4 Thank you for your time.
 A5

A5 Assalamualaikum, good morning Encik Ridhwan. Well! I am Nurin Afiqah from University of Malaya and I am
taking accounting course. It’s really nice to meet you. First of all, thank you for making your time to participate
in my interview today. Before we start our session, I would like to know a bit of your background and what is the
causes that make you decide to become as an auditor.
Auditor Okay firstly I am Muhammad Ridhwan Abdullah. I have an experience in this audit firms more than 5 years.
Before this, I am as managing partner in this firm but now I am able to bearing a position as an auditor. As you
ask me about the causes that make me follow this path is I am very interesting towards accounting, taxes and
audit. That is actually the main reason why I involved into this firm. Even it is just a small firm but it can give a
big impact.
A5 Wow! It is very interesting to hear about that. Okay Encik Ridhwan. First and foremost, I am glad to inform you
that this interview session for my coursework which is an Auditing Principle. Let me clear everything first, the
purpose I am doing this interview is to know about the real life as an auditor whether it is related with the internal
control or maybe the process during the audit and so on. It is look very complicated when I am learning about
auditing process because the auditors need to make sure everything is right and clear even the small things. That’s
why I am here to know more about it.
Auditor Actually the real life as an auditor is not as complicated as you thing. It is undeniable to say that working as an
auditor is a bit challenging but still enjoy it because you will meet a lot of people, cases and others. Somehow
like, if you want to become auditors you have to become smart, not hard working.
A5 What did you mean with smart and not hard working?
Auditor When you become as an auditor, bear in your mind that you have to work efficiently. Do not give a lot of
pressures into yours and being smart even it is very challenging. You have to manage your time, you work and so
on. Hence, you will feel becoming as an auditor one of the interested employment not a burden one.
A5 Oh I see, now I am more clears about it. Thank you for that! Now I would like to ask you, actually what are the
roles of the auditor in evaluating internal control of any organisation. Can you explain more about it?
Auditor Evaluating internal control in the organisation is very important. Somehow like we have to know and understand
about the organisation. The first important part is top management. As we know right? Management is a group
that has to make sure all of organisation going well and under control. Basically, management has set up the
guidelines that need to be followed by the organisations. Auditor need to evaluate whether all of the system
following by the organisation are follow the standard operating procedures or not. If not, auditor can give a
recommendation on how the top management can improve the system. This thing need to be evaluated before the
auditor proceed into the financial of statement. We are not only focusing to evaluate the internal control of
organisation but we also focus on evaluate the management’s internal control to make sure there is no fraud or
mistake happen.
A5 When we are talking about fraud or mistake, from your past experience is there any fraud that is happen during
the auditing?
Auditor I am never experience in any fraud. If about mistake, yeah there’s a lot of mistake happen. One of the causes is
because the accountant put in the number wrongly. It is just a simple mistake happen and not related a big
mistake or fraud.
A5 Okay, alright Encik Ridhwan. Thank you for your explanation and sharing about your experience. So, let us move
into the next question. How about the management responsibilities on establishing the internal control?
Auditor Well, I am very sure that management is fully responsible on establish the internal control. As I said before from
the previous question, top management has to make sure the organisations are going well and under control.
Management is the one who are very important in taking the responsible to establish the internal control. It is to
make sure that the objective to make an operations become efficient, the financial statement is reliably and the
most part is all of this things are following the rules and regulation. Management should consistently apply the
internal control procedures, so that they can know about the internal control effectiveness. Talking about internal
control effectiveness, management should more focusing on the internal control over financial reporting whether
compliance with the financial laws and regulations.
 A5 Ohhh okay. Thank you for the explanation. Next question is can you please tell me what are the components of
internal control that have been used or implemented in your audit work?
Auditor Interesting question. Yeah talking about the components of internal control, actually there are five components
from that. I am just focusing on control environment and information and communication. So, the first one is
control environment. Basically control environment we just focusing on concern in policy and procedures. Which
mean that from it, we can get the reflected of the attitude of management about internal control and it is
important. For example, how the management encouraged the employees to achieve their objectives and target.
The next one is information and communication. Talking about this point, it would be different for the
organisation. The way they provide the information and communicate is totally different. Some of the information
is not useful. Just to make it clear, most of the company may be different, but the frameworks that they are use are
same.
A5 Oh I see. Alright Encik Ridhwan, thank you. So I would to proceed to the next question, in order to evaluate the
internal control of an organization, the auditor normally uses narratives, flowcharts and internal control
questionnaires. Which one of these methods is the most useful for you and please explained?
Auditor Actually I do not know which one of the methods is the most useful. Some of the methods are very useful but
depends on the situation. For me, among all of the three methods, I am more preferred using the flowchart
because it is can determine whether there is a control or not. I am the one who very simple human that is why I
am choose flowchart because it can give you a clear overview of overall management’s internal control. When
talking about narrative, it is quite useful because we can know and understanding more about their internal
control and how their efficiency control towards the business. In clear words, we can know how they do their
works. But sometimes auditors use it when there is insufficient in their control or maybe there is no control.
A5 What do you think about the internal control questionnaires (ICQ)?
Auditor For me, from the internal control questionnaires auditors can’t see the clear overview. I mean, because it is just a
questionnaire. Some of the clients may not honest in answering those. Let say if I give you one questionnaire, for
sure you just tick anything that you think are reliable right?
A5 Ohh, I get it know. Okay now, can you please share with me your experience when evaluating the internal control
of an organization?
Auditor There are lots of experiences. I mean from the bad sides and also from the good sides. It is depending on how you
get along with the management. That is why most of the auditors, before they decide to audit some company they
would have to check about the company annual reports. It is just as a guarantee that a company is free from the
fraud and so on. From my experience, I was in a good relationship with their management. That is why when I
am needed some information or transaction, the person in charge will respond quickly. It is normally actually
when auditors doing an audit, there are a lot of transaction and so on will be missing.
A5 Wow, I am glad to hear that. So any other areas from internal control and the roles of auditors and management in
the financial statement audit that you want me to learn or know?
Auditor Try to take your time and learn more about the internal control audit. Actually there are lots of thing that you can
learn. As you an accounting student, I am very sure that you have a knowledge regarding the financial report. It is
because any decision that we take can affect the financial report. The main thing in audit is you have to
understand everything so that you can do your work efficiently. Get to know more about the internal control audit
and so on because this is your time to learn more about that.
A5 Alright Encik Ridhwan. Thank you for spent your time for making this interview session succeeds. I am really
appreciated for all of your information and knowledge. Thank you again for making me more understand
regarding the auditor real life. Last, have a nice day.
Interview Questions:

1) Can you please explain to me, what are the roles of the auditor in evaluating internal
control of any organisation?

2) How about the management’s responsibilities on establishing internal control?

3) Can you please tell me, what are the components of internal control that have been
used/implemented in your audit work?

4) In order to evaluate the internal control of an organization, the auditor normally uses
narratives, flowcharts and internal control questionnaires (ICQ). Which one of these methods
is the most useful for you? Please explain.

5) Can you please share with me your experience (good/bad) when evaluating the internal
control of an organization?

6) Any other areas from internal control and the roles of auditors and management in a
financial statement audit that you want me to learn/know?