
Chapter 10 Section 404 Audits of Internal Control and Control Risk

Review Questions

10-1 Management typically has three broad objectives in designing an effective internal control system.

1. Reliability of Financial Reporting. Management is responsible for preparing financial statements for investors, creditors, and other users. Management has both a legal and professional responsibility to be sure that the information is fairly presented in accordance with reporting requirements such as GAAP. The objective of effective internal control over financial reporting is to fulfill these financial reporting responsibilities.

2. Efficiency and Effectiveness of Operations. Controls within an organization are meant to encourage efficient and effective use of its resources to optimize the company's goals. An important objective of these controls is accurate financial and non-financial information about the entity's operations for decision making.

3. Compliance with Laws and Regulations. Section 404 of the Sarbanes-Oxley Act requires all public companies to issue a report about the operating effectiveness of internal control over financial reporting. In addition to the legal provisions of Section 404, public, nonpublic, and not-for-profit organizations are required to follow many laws and regulations. Some relate to accounting only indirectly, such as environmental protection and civil rights laws. Others are closely related to accounting, such as income tax regulations and fraud.

10-2 Management designs systems of internal control to accomplish three categories of objectives: financial reporting, operations, and compliance with laws and regulations. The auditor's focus in both the audit of financial statements and the audit of internal controls is on those controls related to the reliability of financial reporting plus those controls related to operations and to compliance with laws and regulations objectives that could materially affect financial reporting.


10-3 Section 404 requires management of all public companies to issue an internal control report that includes the following:

- A statement that management is responsible for establishing and maintaining an adequate internal control structure and procedures for financial reporting and
- An assessment of the effectiveness of the internal control structure and procedures for financial reporting as of the end of the company's fiscal year.

10-4 Management's assessment of internal control over financial reporting consists of two key components. First, management must evaluate the design of internal control over financial reporting. Second, management must test the operating effectiveness of those controls. When evaluating the design of internal control over financial reporting, management evaluates whether the controls are designed to prevent or detect material misstatements in the financial statements. When testing the operating effectiveness of those controls, the objective is to determine whether the control is operating as designed and whether the person performing the control possesses the necessary authority and qualifications to perform the control effectively.

10-5 There are eight parts of the planning phase of audits: accept client and perform initial planning, understand the client's business and industry, assess client business risk, perform preliminary analytical procedures, set materiality and assess acceptable audit risk and inherent risk, understand internal control and assess control risk, gather information to assess fraud risks, and develop an overall audit plan and audit program. Understanding internal control and assessing control risk is therefore part six of planning. Only gathering information to assess fraud risk and developing an overall audit plan and audit program follow understanding internal control and assessing control risk.

10-6 The second GAAS field work standard states "The auditor must obtain a sufficient understanding of the entity and its environment, including its internal controls, to assess the risk of material misstatement of the financial statements whether due to error or fraud and to design the nature, timing, and extent of further audit procedures." The auditor obtains the understanding of internal control to assess control risk in every audit and that responsibility is the same for audits of both public and nonpublic companies. Auditors are primarily concerned about controls related to the reliability of financial reporting and controls over classes of transactions.

10-7 PCAOB Standard 5 requires that the auditor issue a report on the effectiveness of internal control over financial reporting. To express an opinion on internal controls, the auditor obtains an understanding of and performs tests of controls related to all significant account balances, classes of transactions, and disclosures and related assertions in the financial statements. PCAOB Standard 5 requires the auditor's independent assessment of the internal controls' design and operating effectiveness.

10-8 The six transaction-related audit objectives are:

1. Recorded transactions exist (occurrence).
2. Existing transactions are recorded (completeness).
3. Recorded transactions are stated at the correct amounts (accuracy).
4. Recorded transactions are properly included in the master files and correctly summarized (posting and summarization).
5. Transactions are properly classified (classification).
6. Transactions are recorded on the correct dates (timing).

10-9 COSO's Internal Control - Integrated Framework is the most widely accepted internal control framework in the U.S. The COSO framework describes internal control as consisting of five components that management designs and implements to provide reasonable assurance that its control objectives will be met. Each component contains many controls, but auditors concentrate on those designed to prevent or detect material misstatements in the financial statements.

10-10 The COSO Internal Control - Integrated Framework consists of the following five components:

1. Control environment
2. Risk assessment
3. Control activities
4. Information and communication
5. Monitoring

10-11 The control environment consists of the actions, policies, and procedures that reflect the overall attitudes of top management, directors, and owners of an entity about internal control and its importance to the entity. The control environment serves as the umbrella for the other four components. Without an effective control environment, the other four are unlikely to result in effective internal control, regardless of their quality. The following are the most important subcomponents of the control environment:

- Integrity and ethical values
- Commitment to competence
- Board of directors or audit committee participation
- Management's philosophy and operating style
- Organizational structure
- Assignment of authority and responsibility
- Human resource policies and practices


10-12 Internal control includes five categories of controls that management designs and implements to provide reasonable assurance that its control objectives will be met. These are called the components of internal control, and are:

- The control environment
- Risk assessment
- Control activities
- Information and communication
- Monitoring

The control environment is the broadest of the five and deals primarily with the way management implements its attitude about internal controls. The other four components are closely related to the control environment. Risk assessment is management's identification and analysis of risks relevant to the preparation of financial statements in accordance with GAAP. To respond to this risk assessment, management implements control activities and creates the accounting information and communication system to meet its objectives for financial reporting. Finally, management periodically assesses the quality of internal control performance to determine that controls are operating as intended and that they are modified as appropriate for changes in conditions (monitoring). All five components are necessary for effectively designed and implemented internal control.

10-13 The five categories of control activities are:

- Adequate separation of duties. Example: The following two functions are performed by different people: processing customer orders and billing of customers.
- Proper authorization of transactions and activities. Example: The granting of credit is authorized before shipment takes place.
- Adequate documents and records. Example: Recording of sales is supported by authorized shipping documents and approved customer orders.
- Physical control over assets and records. Example: A password is required before entry into the computerized accounts receivable master file can be made.
- Independent checks on performance. Example: Accounts receivable master file contents are independently verified.

10-14 Separation of operational responsibility from record keeping is intended to reduce the likelihood of operational personnel biasing the results of their performance by incorrectly recording information.

Separation of the custody of assets from accounting for these assets is intended to prevent misappropriation of assets. When one person performs both functions, the possibility of that person's disposal of the asset for personal gain and adjustment of the records to relieve himself or herself of responsibility for the asset without detection increases.

10-15 An example of a physical control the client can use to protect each of the following assets or records is:

1. Petty cash should be kept locked in a fireproof safe.
2. Cash received by retail clerks should be entered into a cash register to record all cash received.
3. Accounts receivable records should be stored in a locked, fireproof safe. Adequate backup copies of computerized records should be maintained and access to the master files should be restricted via passwords.
4. Raw material inventory should be retained in a locked storeroom with a reliable and competent employee controlling access.
5. Perishable tools should be stored in a locked storeroom under control of a reliable employee.
6. Manufacturing equipment should be kept in an area protected by burglar alarms and fire alarms and kept locked when not in use.
7. Marketable securities should be stored in a safety deposit vault.

10-16 Independent checks on performance are internal control activities designed for the continuous internal verification of other controls. Examples of independent checks include:

- Preparation of the monthly bank reconciliation by an individual with no responsibility for recording transactions or handling cash.
- Recomputing inventory extensions for a listing of inventory by someone who did not originally do the extensions.
- The preparation of the sales journal by one person and the accounts receivable master file by a different person, and a reconciliation of the control account to the master file.
- The counting of inventory by two different count teams.
- The existence of an effective internal audit staff.

10-17 As illustrated by Figure 10-3, there are four phases in the process of understanding internal control and assessing control risk. In the first phase the auditor obtains an understanding of internal controls, which includes an understanding of their design and whether they have been implemented. Next the auditor must make a preliminary assessment of control risk (phase 2) and perform tests of controls (phase 3). The auditor uses the results of tests of controls to assess control risk and to ultimately decide planned detection risk and substantive tests for the audit of financial statements, which is phase 4.


10-18 When obtaining an understanding of internal control, the auditor must assess two aspects about those controls. First, the auditor must gather evidence about the design of internal controls. Second, the auditor must gather evidence about whether those controls have been implemented.

10-19 In a walkthrough of internal control, the auditor selects one or a few documents for the initiation of a transaction type and traces them through the entire accounting process. At each stage of processing, the auditor makes inquiries and observes current activities, in addition to examining completed documentation for the transaction or transactions selected. Thus, the auditor combines observation, documentation, and inquiry to conduct a walkthrough of internal control. PCAOB Standard 5 requires the auditor to perform at least one walkthrough for each major class of transactions.

10-20 A key control is a control that is expected to have the greatest effect on meeting the transaction-related audit objectives. A control deficiency represents a deficiency in the design or operation of controls that does not permit company personnel to prevent or detect misstatements on a timely basis. A design deficiency exists if a necessary control is missing or not properly designed. An operation deficiency exists if a well designed control does not operate as designed or when the person performing the control is insufficiently qualified or authorized.

10-21 A significant deficiency exists if one or more control deficiencies exist that are less severe than a material weakness, but are important enough to merit attention by those responsible for oversight of the company's financial reporting. A material weakness exists if a significant deficiency, by itself, or in combination with other significant deficiencies, results in a reasonable possibility that internal control will not prevent or detect material financial statement misstatements. The presence of one significant deficiency that is not deemed to be a material weakness may not affect the auditor's report. In that instance, the auditor's report on internal control over financial reporting would contain an unqualified opinion. However, if the deficiency is deemed to be a material weakness, the auditor must express an adverse opinion on the effectiveness of internal control over financial reporting.

10-22 The most important internal control deficiency which permitted the defalcation to occur was the failure to adequately segregate the accounting responsibility of recording billings in the sales journal from the custodial responsibility of receiving the cash. Regardless of how trustworthy James appeared, no employee should be given the combined duties of custody of assets and accounting for those assets.

10-23 Maier is correct in her belief that internal controls frequently do not function in the manner they are supposed to. However, regardless of this, her approach ignores the value of beginning the understanding of internal control by preparing or reviewing a rough flowchart. Obtaining an early understanding of the client's internal control will provide Maier with a basis for a decision about further audit procedures and sample sizes based on assessed control risk. By not obtaining an understanding of internal control until later in the engagement, Maier risks performing either too much or too little work, or emphasizing the wrong areas during her audit.

10-24 The extent of controls tested by auditors to express an opinion on internal controls for a public company is significantly greater than that tested solely to express an opinion on the financial statements. To express an opinion on internal controls for a public company, the auditor obtains an understanding of and performs tests of controls for all significant account balances, classes of transactions, and disclosures and related assertions in the financial statements. In contrast, the extent of controls tested by an auditor of a nonpublic company is dependent on the auditor's assessment of control risk. Whenever the auditor assesses control risk below maximum, the auditor must perform tests of controls to support that control risk assessment. The auditor will not perform tests of controls when the auditor assesses control risk at maximum. When control risk is assessed below the maximum, the auditor designs and performs a combination of tests of controls and substantive procedures. Thus, for a nonpublic company, the tests of controls vary based on the auditor's assessment of control risk.

10-25 There is a significant overlap between tests of controls and procedures to obtain an understanding of internal control. Both include inquiry, documentation, and observation. There are two primary differences in the application of these common procedures. First, in obtaining an understanding of internal control, the procedures to obtain an understanding are applied to all controls identified during that phase.
Tests of controls, on the other hand, are applied only when the assessed control risk has not been satisfied by the procedures to obtain an understanding. Second, procedures to obtain an understanding are performed only on one or a few transactions or, in the case of observations, at a single point in time. Tests of controls are performed on larger samples of transactions (perhaps 20 to 100), and often observations are made at more than one point in time.

10-26 AU 318 indicates that reliance can be placed on controls that were tested in a prior year. Controls should be tested at least every three years, and whenever there is a significant change in the control. Continued reliance on the effectiveness of automated controls is appropriate if the auditor is satisfied that general controls over the computer applications are adequate to identify any changes to computerized processes.

10-27 When the auditor's risk assessment procedures identify significant risks, the auditor is required to test the operating effectiveness of controls that mitigate these risks in the current year audit, if the auditor plans to rely on those controls to support a control risk assessment below 100%. Thus, tests of controls are required in the current year audit for those controls the auditor plans to rely on to reduce control risk. The greater the risk, the more the audit evidence the auditor should obtain that controls are operating effectively.

10-28 The auditor may issue an unqualified opinion on internal control over financial reporting when two conditions are present:

- there are no identified material weaknesses; and
- there have been no restrictions on the scope of the auditor's work.

A scope limitation is the condition that would cause the auditor to express a qualified opinion or a disclaimer of opinion on internal control over financial reporting. This type of opinion is issued when the auditor is unable to determine if there are material weaknesses, due to a restriction on the scope of the audit of internal control over financial reporting or other circumstances where the auditor is unable to obtain sufficient evidence.

10-29 PCAOB Standard 5 requires that the audit of the financial statements and the audit of internal control over financial reporting be integrated. In an integrated audit, the auditor must consider the results of audit procedures performed to issue the audit report on the financial statements when issuing the audit report on internal control. For example, if the auditor identifies a material misstatement in the financial statements that was not initially identified by the company's internal controls, the auditor should consider this as at least a significant deficiency, if not a material weakness for purposes of reporting on internal control. In such circumstances, the auditor's report on the financial statements may be unqualified as long as management corrected the misstatement before issuing the financial statements. In contrast, however, the auditor's report on internal control must include an adverse opinion if the auditor concludes it is a material weakness.

Multiple Choice Questions From CPA Examinations

10-30   a. (3)   b. (3)   c. (4)   d. (4)
10-31   a. (3)   b. (2)   c. (4)   d. (2)
10-32   a. (3)   b. (4)   c. (4)   d. (2)


Discussion Questions and Problems

10-33

1. a. Adequate segregation of duties and proper authorization of transactions and activities.
   b. Recorded transactions exist.
   c. An unauthorized or invalid time card turned in by an existing employee. The time card may be for an employee who formerly worked for the company or one who is temporarily laid off.
   d. An employee could be claiming too many hours by having a friend punch him or her in early, or by making manual changes on time cards.
   e. Check to see that all employees that are punched in one day are physically present.

2. a. Adequate documents and records.
   b. Existing transactions are recorded.
   c. A missing time card number never could be identified before preparation of payroll starts.
   d. An employee would not be paid for a time period. (The employee is almost certain to bring this to management's attention.) The primary benefit of the control would be to prevent misstatements for a short period of time and to prevent employee dissatisfaction from failure to pay them.
   e. Obtain a list of company employees and make sure that each one has received a paycheck for the time period in question.

3. a. Proper authorization of transactions and activities.
   b. Recorded transactions exist.
   c. A paycheck cannot be processed for an invalid employee number.
   d. A fictitious payroll check could be processed for a fictitious employee if invalid employee numbers are included in the employee master file.
   e. Include test data transactions with invalid employee numbers in the data to be inputted into the payroll accounting system and determine that all invalid transactions are automatically rejected by the software application.

4. a. Adequate separation of duties.
   b. Recorded transactions exist.
   c. A fictitious payroll check that is originated by the person both preparing the payroll checks and distributing the payroll checks.
   d. If one person kept a record of time, prepared the payroll, and distributed the checks, that person could add a nonexistent employee to the payroll, process the information for the employee and deposit the paycheck in his or her own bank account without detection.
   e. Perform a surprise payoff in which the auditor accounts for all paychecks and distributes them to the employees, who must provide identification in order to receive their checks.

5. a. Independent check on performance.
   b. Recorded transactions are stated at the correct amounts.
   c. Mechanical errors of adding up the number of hours, calculating the gross payroll incorrectly, or calculating withholding incorrectly.
   d. Payroll checks incorrectly calculated could be paid to employees.
   e. Recheck the amounts for gross payroll, withholding and net payroll.

6. a. Adequate documents and records.
   b. Existing transactions are recorded.
   c. Preparation of a check for an inappropriate person, the distribution of that check to that person, and the recording of that check in the cash disbursements journal as a voided check.
   d. An employee who is supposed to void a check could record it as voided on the books and cash the check. At month-end the amount of the check could be covered by adjusting the bank reconciliation.
   e. Test month-end bank reconciliations in detail to determine that the account reconciles properly, that all supporting documents are proper, looking especially for a check that cleared and was supposed to be voided, and that no alterations have been made to the bank statement.

7. a. Proper authorization of transactions and activities.
   b. Recorded transactions exist and recorded transactions are stated at the correct amounts.
   c. Both errors and fraud are likely to be prevented if competent trustworthy employees are hired. Hiring honest employees minimizes a likelihood of fraud. Hiring competent employees minimizes the likelihood of unintentional errors.
   d. Several types of intentional misstatements could occur if a dishonest person is hired. Similarly, several types of unintentional errors could occur if an incompetent person is hired.
   e. An examination of cancelled checks and supporting documents, including time cards and personnel records, is a test of the possibility of fraud. A test of the calculation of payroll is a test for an unintentional error caused by employees who are not competent.

8. a. Proper authorization of transactions and activities, and adequate documents and records.
   b. Recorded transactions exist.
   c. The preparation of an inappropriate payroll check for a former employee is prevented.
   d. A terminated employee could be continued on the payroll with someone else obtaining the paycheck.
   e. Perform a surprise payoff in which the auditor accounts for all paychecks and distributes them to the employees, who must provide identification to receive their checks.

9. a. Physical control over assets and records, and adequate segregation of duties.
   b. Recorded transactions exist.
   c. Checks prepared for nonexistent employees or employees on vacation, or absent for other reasons are controlled and safeguarded.
   d. Checks could be lost which are intended for absent employees or a check could be taken by the person responsible for distributing the checks.
   e. Examine cancelled checks to make certain that each check is properly endorsed, supported by a time card, and the person for whom the check is made out is still working for the company.

10. a. Proper authorization of transactions and activities and adequate separation of duties.
    b. Recorded transactions exist and recorded transactions are stated at the correct amounts.
    c. Preparation of a check for a fictitious employee or preparation of checks using an unapproved pay rate are prevented.
    d. A fictitious payroll check could be processed for a fictitious employee if those with record keeping responsibilities are allowed to enter new employee numbers into the master file. Also, paychecks to valid employees could be overstated if unauthorized personnel have the ability to make changes to the pay rates in the master files.
    e. Attempt to access the on-line payroll master file using a password that is not allowed access to that master file.


10-34

1. a. Adequate documents and records and independent checks on performance.
   b. Transactions are stated at the correct amounts.
   c. Changes to the computer master file of prices are reviewed when the master file is updated.

2. a. Adequate documents and records.
   b. Recorded transactions exist.
   c. (1) Require that payments only be made on original invoices. (2) Require a receiving report be attached to the vendor's invoice before a payment is made.

3. a. Adequate documents and records, and independent checks on performance.
   b. Transactions are recorded on the correct dates.
   c. Carefully coordinate the physical count of inventory on the last day of the year with the recording of sales to make certain counted inventory has not been billed and billed inventory has not been counted.

4. a. Proper authorization of transactions and adequate documents and records.
   b. Recorded transactions exist.
   c. Include a control in the accounts payable software that requires the input of a valid receiving report number before the software will process a payment on an accounts payable.

5. a. Adequate documents and records, physical control over assets and records, and independent checks on performance.
   b. Recorded transactions exist.
   c. (1) Fence in the physical facilities and prohibit employees from parking inside the fencing. (2) Require the accounting department to maintain perpetual inventory records and take physical counts of actual sides of beef periodically.

6. a. Independent checks on performance.
   b. Recorded transactions are stated at the correct amounts.
   c. Counts by qualified personnel and independent checks on performance.

7. a. Proper authorization of transactions and activities.
   b. Transactions are stated at the correct amounts.
   c. (1) Make sure that the salesman has a current price list. (2) Require independent approval of all transactions, including the price, before shipment is made.

8. a. Adequate separation of duties.
   b. Recorded transactions exist.
   c. Restrict the accounts payable clerk from being able to make changes to the approved vendor master file. Only allow purchasing personnel to input changes to that master file.

10-35 The criteria for dividing duties is to keep all asset custody duties with one person (Cooper). Document preparation and recording is done by the other person (Smith). Miller will perform independent verification. The two most important independent verification duties are the bank reconciliation and reconciling the accounts receivable master file with the control account, therefore they are assigned to Miller. The duties should be divided among the three as follows:

Robert Smith    James Cooper    Bill Miller
1               †2              15
†3              †4              18
7               5
9               †6
10              †8
†12             †11
14              13
16
17

10-36

a. The auditor's understanding of internal control is used in assessing control risk in the planning phase of the audit. This helps determine planned detection risk and the extent of evidence to gather on the audit engagement.

b. To assess control risk below the maximum, the auditor must gain an understanding of the controls and obtain evidence of their operating effectiveness by performing tests of controls.

c. In deciding whether to seek a further reduction in assessed control risk, the auditor must consider whether the controls are likely to be effective to support the reduced assessed level of control risk, and whether it would be cost-beneficial to perform additional tests of controls to support the reduced control risk assessment.

d. The auditor must document the understanding of internal control including walkthroughs of the controls, the results of the tests of controls, and the assessed level of control risk.

10-37

a. The size of a company has a significant effect on the nature of the controls likely to exist. A small company has difficulty establishing adequate separation of duties and justifying an internal audit staff. However, a major type of control available in a small company is the knowledge and concern of the top operating person, who is frequently an owner-manager. His or her ability to understand and the entire operation of the company is potentially a significant compensating control. The owner-manager's interest in the organization and close relationship with the personnel enable him or her to evaluate the competence of the employees and the effectiveness of internal controls. While some of the five control activities are unavailable in a small company, especially adequate segregation of duties, it is still possible for a small company to have proper authorization of transactions and activities, adequate documents and records, physical controls over assets and records, and, to a limited degree, independent checks on performance.

b. Phersen and Collier take opposite and extreme views as to the credence to be given internal control in a small firm. Phersen seems to treat a small firm in the same manner as he would a large firm, which is inefficient. Because many types of controls are usually lacking in a small firm, especially one that is a nonpublic company, assessed control risk should be increased and more extensive substantive tests must be used. Because assessed control risk is higher, less emphasis is needed to identify the internal controls. Collier is not meeting the standards of the profession (SAS 109) in that she completely ignores the possibility of a severe deficiency in the system. She must obtain an understanding of internal control to determine whether it is possible to conduct an audit at all.

c. Auditing standards require, at a minimum, an understanding of internal control (SAS 109). The auditor must understand the control environment and the flow of transactions. It is not necessary, however, for the auditor to prepare flowcharts or internal control questionnaires. The auditor of a nonpublic company is required to provide a written report about significant deficiencies or material weaknesses to those charged with governance, which may be common on many small audit clients.

d. Collier's approach is not acceptable when auditing a public company. Collier must obtain an understanding of internal controls over financial reporting and perform tests of controls to determine whether key controls over financial reporting are operating effectively. Those procedures must provide Collier a basis to express an opinion about internal controls over financial reporting. While Pherson's approach includes procedures similar to those that would be performed to obtain an understanding of internal controls, if Pherson is auditing a public company, he may need to expand those procedures to ensure that enough information is obtained about the design and placed in operation status of internal controls over financial reporting. Furthermore, Pherson must perform tests of key controls over financial reporting to provide a basis for expressing an opinion on internal controls over financial reporting.

1($13

10-38

1.

a.

Supplying the receiving department with the purchase order is regarded as a deficiency in that the department may be less careful in checking goods than they would be if they were working without a record of the quantities that should be received. The failure to have the storekeeper receipt for the materials when they are sent to him or her from the receiving department or to tie in the items placed in storage with the acquisition constitutes a deficiency in control in that responsibility for shortages cannot be conclusively placed on either receiving or stores. The receiving department might, in collusion with a vendor, report receipts of materials that were never received. Also, either the receiving department or the stores department might fraudulently convert some of the materials and because of the lack of a record of responsibility, the company would be unable to determine which department was responsible. This deficiency increases the likelihood of obsolete inventory and the possibility of theft of shipments larger than the amount ordered. The failure to isolate responsibility for shortages also increases the likelihood of obsolescence in that employees are likely to be less concerned when they are not held accountable. Because the company cannot isolate responsibility, it might also encourage receiving or stores to take goods.

b.

c.

Use a "blind" copy of the purchase order or a separate receiving report without a copy of the purchase order. Use perpetual inventory records to hold the storekeeper accountable. The storekeeper should also initial the receiving report or purchase order when he or she receives the goods.

2.

a. The payroll checks should not be returned to the computer department supervisor but should be distributed by persons independent of those having a part in generating the payroll data. There is a lack of internal verification of the hours, rates, extensions or employees by above.

b. Padding of payroll with fictitious names and extracting the checks made out to such names when they are returned after they have been signed. There may be misstatements in hours, rates, extensions, and the existence of nonworking employees.

c. Have the checks handed out by an independent person and not returned to Strode. Internal verification of that information by Webber or someone else.

3.

a. The bank statement and cancelled checks should not be reconciled by the manager, but should be sent by the bank directly to the home office, where the reconciliations should be made against the manager's report of cash disbursements.

b. The manager may draw checks to herself or others for personal purposes and omit them from her list of cash disbursements or inflate other reported disbursement amounts.

c. Have all bank statements sent directly to the home office and have Cooper report directly to the home office by use of a list of cash disbursements and all supporting documentation.

10-39 The following are deficiencies of internal control, by transaction-related audit objective.

Occurrence

The receiving report is not sent to the stores department. A copy of the receiving report should be sent from the receiving room directly to the stores department with the materials received. The stores department, after verifying the accuracy of the receiving report, should indicate approval on that copy and send it to the accounts payable department. The copy sent to accounts payable will serve as proof that the materials ordered were received by the company and are in the user department.

The controller should not be responsible for cash disbursements. The cash disbursement function should be the responsibility of the treasurer, not the controller, so as to provide proper segregation of duties between the custody of assets and the recording of transactions.

The purchase requisition is not approved. The purchase requisition should be approved by a responsible person in the stores department. The approval should be indicated on the purchase requisition after the approver is satisfied that it was properly prepared based on a need to replace stores or the proper request from a user department.

Preliminary review should be made before preparing purchase orders. Prior to preparation of the purchase order, the purchase office should review the company's need for the specific materials requisitioned and approve the request.

Completeness

Purchase orders and purchase requisitions should not be combined and filed with the unmatched purchase requisitions, in the stores department. A separate file should be maintained for the combined and matched documents. The unmatched purchase requisitions file can serve as a control over merchandise requisitioned but not yet ordered.

There is no indication of control over vouchers in the accounts payable department. A record of all vouchers submitted to the cashier should be maintained in the accounts payable department, and a copy of the vouchers should be filed in an alphabetical vendor reference file.

There is no indication of any control over prenumbered documents. All prenumbered documents should be accounted for.

Accuracy

Purchase requisitions and purchase orders are not compared in the stores department. Although purchase orders are attached to purchase requisitions in the stores department, there is no indication that any comparison is made of the two documents. Prior to attaching the purchase order to the purchase requisition the requisitioner's functions should include a check that:

a. Prices are reasonable;
b. The quality of the materials ordered is acceptable;
c. Delivery dates are in accordance with company needs;
d. All pertinent data on the purchase order and purchase requisition (e.g., quantities, specifications, delivery dates, etc.) are in agreement.

Because the requisitioner will be charged for the materials ordered, the requisitioner is the logical person to perform these steps.

1. The purchase office does not review the invoice prior to processing approval. The purchase office should review the vendor's invoice for overall accuracy and completeness, verifying quantity, prices, specifications, terms, dates, etc., and if the invoice is in agreement with the purchase order, receiving report, and purchase requisition, the purchase office should clearly indicate on the invoice that it is approved for payment processing. The approved invoice should be sent to the accounts payable department.

2. The copy of the purchase order sent to the receiving room generally should not show quantities ordered, thus forcing the department to count goods received. In addition to counting the merchandise received from the vendor, the receiving department personnel should examine the condition and quality of the merchandise upon receipt.

3. There is no indication of control over dollar amounts on vouchers. Accounts payable personnel should prepare and maintain control sheets on the dollar amounts of vouchers. Such sheets should be sent to departments posting transactions to the general ledger and master files.

Note: Classification, timing, and posting and summarization are not applicable. Recording in journals is not included in the flowcharts.

10-40

1. No testing is required in the December 31, 2009 audit because the auditor has determined that the automated control has not been changed since the prior year. The auditor obtains reasonable assurance that the automated control has not been changed due to the strong controls over IT security and software program changes. Thus, the auditor should consider the extent of testing of IT security and software changes that might be necessary in the current year audit due to the auditor's reliance on them to prevent changes to the underlying automated reconciliation control.

2. Testing is required in the December 31, 2009 audit because the underlying control is performed by a person and is not automated. Because the control is manually performed, there is a risk that the operation of the control may not be consistent with the design or the control may not have been performed. Thus, the auditor should test the control's operating effectiveness in the current year's audit.

3. Testing is required in the December 31, 2009 audit because the control is designed to mitigate a significant risk. Controls that mitigate significant risks must be tested each year.

4. Testing is required in the December 31, 2009 audit because the client made changes to the software system during the current year.

5. No testing is required in the December 31, 2009 audit because the auditor has determined that the automated control has not been changed since the prior year. The auditor obtains reasonable assurance that the automated control has not been changed due to the strong controls over IT security and software program changes. Thus, the auditor should consider the extent of testing of IT security and software changes that might be necessary in the current year audit due to the auditor's reliance on them to prevent changes to the underlying automated reconciliation control.

10-41 Following are the appropriate reporting formats for the five independent situations:

INDEPENDENT SITUATION / APPROPRIATE AUDIT REPORT / REASON FOR REPORT

1. Adverse. The presence of a material misstatement not detected by the company's internal controls is considered at least a significant deficiency, if not a material weakness for purposes of reporting on internal controls.

2. Qualified or disclaimer. The auditor's inability to obtain any evidence about the operating effectiveness of internal controls represents a scope limitation.

3. Adverse. The detection of a deficiency that will not prevent or detect a material misstatement in the financial statements meets the definition of a material weakness, which requires an adverse opinion.

4. Unqualified. The control deficiency was remediated and the auditor was able to obtain sufficient competent evidence that the new control operates effectively. Thus, an unqualified opinion on internal control is appropriate.

5. Unqualified. Because the auditor does not believe the significant deficiency in internal control is a material weakness, the auditor's report would contain an unqualified opinion.

Case 10-42

a. Sales

TRANSACTION-RELATED AUDIT OBJECTIVE / CONTROL

Occurrence

Supervisor approves all invoices. Accounts receivable clerk has no access to cash. Monthly statements are sent to customers. Supervisor approves all credit. Cash register is at the front of the store. Sales clerks handle no cash. Sales clerks summarize daily sales, which determine their commission. This summary is compared daily to total sales. Sales transactions are used to update perpetuals and monthly physical inventory is taken.

Completeness

Accuracy

Owner sets all prices. Supervisor rechecks all calculations. Accountant reconciles all computer totals to sales staff summary totals and supervisor's sales summary. Monthly statements are sent to customers.

Posting and summarization

Computer is used to update records. Monthly statements are sent. The aged trial balance is compared to the general ledger.

Classification

None

Timing

Sales transactions are recorded daily.

b. Cash Receipts

TRANSACTION-RELATED AUDIT OBJECTIVE / CONTROL

Occurrence

Monthly bank reconciliation is prepared. Accounts receivable clerk compares duplicate deposit slip from bank to sales and cash receipts journal. Cash register is used for cash sales. Cash collected on receivables is prelisted. Supervisor deposits money in a locked box.

Completeness

Accuracy

Supervisor recaps cash sales and compares totals to the cash receipts tapes. Monthly bank reconciliation prepared. Accounts receivable clerk compares duplicate deposit slip from bank to cash sales and cash receipts journal. Monthly statements are sent to customers.

Posting and summarization

Computer is used to update records. Monthly statements are sent. The aged trial balance is compared to the general ledger.

Classification

None

Timing

Cash is deposited daily.

c. Sales and Cash Receipts Deficiencies

Supervisor enters all sales in the cash register, recaps sales and cash, and compares the totals to the tapes. She also receives all invoices from sales clerks. (This deficiency is offset by the daily summary form prepared by sales clerks and used to calculate sales clerks' commissions.)

Lack of accounting for a numerical sequence of sales invoices. (Partially offset by control totals used by comparing sales clerks' and supervisor's control totals.)

No internal verification of key entry for customer name, date, and sales classifications on either cash receipts or sales.

There is no internal verification of general totals, posting to accounts receivable master file, or posting to the general ledger.

There is a lack of internal verification of all of the accounting work done by the accounts receivable clerk.

Integrated Case Application

10-43 PINNACLE MANUFACTURING - PART III

Following are control risk matrices and related notes that are used to direct a discussion of the requirements of the case. It should be understood that judgment is a critical element in this case, and accordingly, there often is no single right answer. Computer-prepared matrices using Excel (P1043.xls) are contained on the Companion Website and on the Instructor's Resource CD-ROM, which is available upon request. They are essentially the same as the matrices on the next two pages.

PINNACLE MANUFACTURING - Part III
Control Risk Matrix - Acquisitions

Transaction-Related Audit Objectives

Recorded acquisitions are for goods and services received (occurrence).
Existing acquisition transactions are recorded (completeness).
Recorded acquisition transactions are stated at the correct amounts (accuracy).
Recorded acquisition transactions are properly included in the master files, and are properly summarized (posting and summarization).
Acquisition transactions are properly classified (classification).
Acquisition transactions are recorded on the correct dates (timing).

Internal Controls

1. Required use of PO and receiving report with check of completeness
2. Proper approval
3. Segregation of functions
4. Cancellation of documents
5. Prenumbering of documents with accounting for sequence
6. Internal verification of documents/records
7. Use of chart of accounts
8. Procedures requiring prompt processing
9. Monthly reconciliation of A/P master file with general ledger

Assessed control risk: Low, Low, Low, Low, Low, Low

PINNACLE MANUFACTURING - Part III
Control Matrix - Cash Disbursements

Transaction-Related Audit Objectives

Recorded cash disbursements are for goods and services actually received (occurrence).
Existing cash disbursement transactions are recorded (completeness).
Recorded cash disbursement transactions are stated at the correct amounts (accuracy).
Recorded cash disbursement transactions are properly included in the master file and are properly summarized (posting and summarization).
Cash disbursement transactions are properly classified (classification).
Cash disbursement transactions are recorded on the correct dates (timing).

Internal Controls

1. Segregation of functions
2. Review of support, signing of checks by authorized person
3. Prenumbered checks; accounted for
4. Use of chart of accounts
5. Procedures for prompt recording
6. Monthly reconciliation of A/P master file with G/L

Deficiencies

1. Lack of an independent bank reconciliation (Done by Treasurer)
2. Lack of internal verification of documentation package by cash disbursements clerk.
3. Lack of internal verification of key entry into cash disbursements file.

Assessed control risk: Medium, Medium, High, Low, Low, Low

Notes to 10-43, Part III

1. The purpose of Part III is to: (a) have the students develop specific transaction-related audit objectives for a cycle, (b) obtain controls from a flowchart description, (c) relate controls to objectives, (d) evaluate a set of controls as a system.

Control is quite good for acquisitions. If misstatements in acquisitions occur, they will result from the incorrect application of controls, not their absence. This demonstrates the inherent deficiencies in any control system. It explains the reasons why some misstatements were found last year. However, they were not material. It also indicates the need for tests of controls and substantive tests of details of balances and/or transactions. Controls for cash disbursements are not nearly as good, given the three deficiencies. This provides an opportunity to discuss both fraud and errors. Given the deficiencies, there is potential for fraud in cash. It is appropriate to use the matrices to consider whether all controls shown are important to both the client and to the auditor. Is it necessary to have all controls (e.g., prenumbering of requisitions)? Are the controls costly (e.g., internal verification of all acquisitions)? Should all controls be tested (e.g., cancellation of documents)?

2.

3.

Internet Problem Solution: Disclosure of Material Weaknesses in Internal Control over Financial Reporting

10-1 Section 404 of the Sarbanes-Oxley Act of 2002 requires management of a public company to issue a report on internal control over financial reporting (ICFR) as of the end of the company's fiscal year. Many companies have reported that their ICFR was operating effectively, while others have reported that such controls were not effective in design or operation. Companies issue their reports on ICFR through filings with the Securities and Exchange Commission (SEC). Visit the SEC website [http://www.sec.gov] to learn more and answer the following questions:

1. Use EDGAR to search for Tri-Valley Corporation (TVC) and Monarch Staffing Inc. Find TVC's 10-K and Monarch's 10-KSB for the year ended 12-31-06.

Answer: Students will find the filings for these companies on the SEC's website. Instructors may want to encourage students to use the EDGAR Full-Text Search option to identify these companies' filings more efficiently.

2. Did either company report material weaknesses in ICFR? If so, what were the weaknesses?

Answer: Both companies report material weaknesses in ICFR for the year ended 12-31-06. TVC reported deficiencies "related to controls over the accounting for complex transactions to ensure such transactions are recorded as necessary to permit preparation of financial statements and disclosures in accordance with generally accepted accounting principles. Such transactions included:

Proved and unproved properties, Loans guaranteed with restricted common stock, Deferred income taxes, Discontinued operations from the sale of our interest in Tri-Western Resources, and Share-based payment arrangements"

Monarch Staffing reported deficiencies as follows: "We did not maintain a sufficient complement of personnel with an appropriate level of accounting knowledge, experience, and training in the application of U.S. generally accepted accounting principles commensurate with our existing financial reporting requirements and the requirements we face as a public company. Accordingly, management has concluded that this control deficiency constitutes a material weakness, and that it contributed to the following material weakness. We did not maintain effective controls with respect to reviewing and authorizing related party transactions. Specifically, our control procedures did not prevent the Company from making payments on behalf of other related parties. Accordingly, management has concluded that this control deficiency constitutes a material weakness."

(Note: Internet problems address current issues using Internet sources. Because Internet sites are subject to change, Internet problems and solutions may change. Current information on Internet problems is available at www.pearsonhighered.com/arens.)
