Ch 5 Sm Finalca

  • 7/27/2019 Ch 5 Sm Finalca

    1/53

    Solutions for Chapter 5

    Internal Control over Financial Reporting

    Review Questions:

    5-1. Controls must emanate from the intent of owners and creditors of an organization to protect the resources entrusted to an organization. The stockholders give the board of directors power to delegate responsibilities to the management of the corporation. The board of directors is responsible for providing management oversight on behalf of the shareholders and is responsible for approving major investments, divestures, and financing for the corporation. Part of the responsibility of the management is to ensure that an effective and efficient control infrastructure is established and followed to produce reliable financial reports, to comply with laws, to run the business proficiently, and to safeguard assets. Research has shown that good internal control is correlated with higher economic returns and lower cost of capital. This reiterates that good internal control is good for business as it enhances the reliability of data for decision-making as well as ensuring that all transactions are recorded.

    5-2. Risk assessment is a process designed to identify potential events that may affect the entity and to manage those risks within the entity's risk appetite. Controls are used to mitigate the risks that are identified.

    5-3. The COSO Internal Control, Integrated Framework has five elements:

    Control Environment

    Risk Assessment

    Control Activities

    Information & Communication

    Monitoring

    These components are based on the organization first setting its objectives for financial reporting.

    The COSO Framework is the predominant framework used by companies in assessing the adequacy of their internal controls over financial reporting. Thus, the COSO Framework has become more widely used as a result of the enactment of the Sarbanes-Oxley Act of 2002.

    5-4. Internal control is defined as:

    A process, effected by an entity's board of directors, managers, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories: (1) reliability of financial reporting, (2) compliance with applicable laws and regulations, (3) effectiveness and efficiency of operations, and (4) safeguarding of assets.

    It is important to assess control risk in an audit engagement because it allows the auditor to identify the types of misstatements most likely to occur and to plan the audit.

    Internal control is a process that emanates from the board of directors and management of the company and thus is an integral part of the overall governance and risk management process. Internal control over financial reporting includes the design and implementation of control procedures to ensure, among other things, that all transactions are properly authorized, recorded in the correct time period, and valued correctly; and that assets are adequately safeguarded. Since the auditor's job is to render an opinion on the financial statements, they are more concerned with the internal controls that affect financial reporting. In most companies, however, it is difficult to draw a line between internal controls and internal controls over financial reporting, because many controls that may seem unrelated can in some way indirectly affect financial reporting.

    The broader definition of internal auditing addresses objectives related to operations and compliance, as well as financial reporting.

    5-5. Tone at the top is the impression the top management gives the organization about the importance of the internal control structure. If management is very strict about disciplining wrongdoings, personnel will learn that they must follow the rules very carefully. If management is lax about enforcing the controls, there are more likely to be financial misstatements. Auditors assess tone at the top through their interactions with management, and by observing the decision-making and behavior of management. For example, is management always pushing the envelope? Or, in contrast, is management conscientious about its interpretation and application of GAAP? Whether management fits into the former or the latter category is one indication of the tone at the top.

    5-6. An organization's control environment is the overall tone of operations of an organization which collectively serve to enhance, or alternatively mitigate, the functioning of specific control policies and procedures. The control environment reflects the overall attitude, awareness, and actions of those in control of the organization in creating an atmosphere of control.

    The components of the control environment include:

    management's philosophy and operating style,

    the entity's organizational structure,

    the functioning of the board of directors and its committees, particularly the audit committee,

    human resource policies and practices,

    integrity and ethical values,

    commitment to competence.

    5-7. The auditor should be capable of evaluating the competency of the accounting staff:

    first, the auditor has expertise in the accounting area,

    second, the commitment to competence is an integral part of internal control, and by professional standards, the audit firm should not accept the engagement unless they have the expertise to assess the client's controls.

    There are a number of ways in which the auditor can evaluate the competency of the accounting staff, including the following:

    evaluating the judgments made on areas where accounting choices have been made,

    evaluating the number of exceptions noted in audit testing,

    discussions with accounting staff regarding accounting and audit issues,

    gathering input from the CEO or the audit committee,

    evaluating the background (academic and work) of the staff, as well as the experience in dealing with issues related to the company.

    5-8. The board of directors and audit committee are responsible to the shareholders and therefore have significant oversight and monitoring responsibilities. Most reports on corporate governance have recommended the need for competent and independent directors who have the time and sufficient information system to provide oversight. If the board and audit committee do not meet the requirements, then it is difficult to assume that there is effective oversight over management. The control environment would be weak and the auditor would have to conclude that there is a significant deficiency in internal control.

    There are a number of factors the auditor can look at in evaluating the audit committee, including, but not limited to the following:

    the independence of the members,

    the accounting or financial expertise and background of the members,

    the types of questions asked during an audit committee meeting,

    an assessment, through interaction with the audit committee chair, and the other members of whether they take their oversight responsibilities seriously,

    the number of meetings held per year and the length of time of the meetings,

    the agendas for the audit committee meeting (can be compared with best practices),

    the actions the committee takes regarding the evaluation of internal audit and financial personnel,

    the audit committee's own self-evaluation.

    5-9. Monitoring is an overall control process that is designed to continually assess the design and operation of a control system. It is designed to give management feedback on how well the existing control system is operating. Examples of monitoring controls include:

    management exception reports on transactions rejected by the computer system.

    management reports on gross margins of products by product lines and by stores.

    management oversight and review of operations.

    The authors speculate that the concept of monitoring controls will change the audit by shifting focus on evaluating and testing the effectiveness of monitoring controls. If monitoring controls are working effectively, the auditor and the organization can have confidence that other controls are working properly. The rationale is that properly working monitoring controls should detect and correct problems in other controls on a timely basis.

    5-10. There are a number of controls, other than compensation plans, that management can implement to encourage divisional management actions that are consistent with the long-run objectives of the organization. Some of these controls are:

    a. Identification of non-financial measures of superior performance. Examples might include production or quality quotas, or both.

    b. Establishment of budgets and investigation of variances.

    c. Periodic review of controls by internal audit department.

    d. Management tone set at the top that manipulation of accounting is unacceptable - even the pushing of accounting transactions that might be acceptable to accomplish a particular objective.

    There are significant risks associated with management compensation schemes that place heavy emphasis on reported divisional profits. Without sufficient controls, such as those discussed above, divisional management may be motivated to stretch the accounting for transactions to achieve higher reported earnings in order to maximize bonuses. Some of these schemes might mirror the example discussed in the chapter, but other schemes can have more serious effects on the organization. Some managers 'cut corners' on the quality of production to boost profits. There have been examples in the defense industry where managers cut corners by purchasing substandard fasteners that are now failing on multi-million dollar pieces of equipment.

    Accounting research has shown that the structure of compensation plans for management can significantly influence behavior. Therefore, the auditor should gain an understanding of compensation schemes to determine their potential effect on the organization.

    5-11. Significant deficiency in internal controls over financial reporting:

    a deficiency, or a combination of deficiencies, in internal control over financial reporting that is less severe than a material weakness, yet important enough to merit attention by those responsible for oversight of the company's financial reporting.

    Material weakness in internal controls over financial reporting:

    a deficiency, or a combination of deficiencies, in internal control over financial reporting, such that there is a reasonable possibility that a material misstatement of the company's annual or interim financial statements will not be prevented or detected on a timely basis.

    5-12. If an audit committee has weak directors with little financial knowledge and inadequate independence, the auditor would evaluate the control environment part of internal control as weak. The PCAOB says that a non-effective audit committee would constitute a material weakness in internal control over financial reporting, as it indicates that an essential part of internal control may be lacking. Enron, WorldCom, and Tyco all had ineffective boards of directors, and it would be difficult to argue that those boards did not constitute material weaknesses in internal control.

    5-13. A material weakness in internal control is a deficiency, or a combination of deficiencies, in internal control over financial reporting, such that there is a reasonable possibility that a material misstatement of the company's annual or interim financial statements will not be prevented or detected on a timely basis.

    It is an auditor judgment, as well as a management judgment, as to whether a deficiency constitutes a significant deficiency or a material weakness. Some of the factors that the auditor will consider in making such a judgment include:

    potential effect of the control failure on the account balance, i.e. if it could reasonably lead to material misstatements in the financial statements, then it is a material weakness,

    the pervasiveness of the deficiency, i.e. does it affect only one account or does it affect many financial statement accounts, or the overall internal control,

    whether the deficiency is related to a computer program and thus occurs on every transaction, or if it is isolated to selected manual procedures,

    whether it addresses a high risk area, such as a material accounting estimate.

    For each deficiency identified, the auditor should consider the types of misstatements that could take place in the financial statements and how the misstatements might occur. The auditor then should develop specific audit tests to determine if such misstatements are included in the financial statements.

    5-14. Internal audit plays a key role in assisting management in preparing its report on internal control. Internal audit is one of three sources for management to receive information on the effectiveness of internal controls, but it is probably the most utilized source. Often internal auditors are the ones doing the testing and documentation of the controls rather than management itself.

    Under the PCAOB standard, internal auditors are considered to be an extension of management rather than independent of management. This is evidenced by the fact that external auditors cannot exclusively rely on the testing done by internal audit when preparing their report on the effectiveness of internal controls.

    5-15. Segregation of duties is the separation of functions across individuals such that one individual is not put in a situation where he/she can both perpetrate a fraud or error and conceal the fraud or error through the manipulation of accounting records.

    The kinds of segregation of duties the auditor will want to inquire about include:

    The functions of authorizing a transaction, recording the transaction and handling any physical assets related to a transaction should be separate.
    Example: The purchasing agent should not be allowed to set up accounts payable or take custody of the goods when received.

    Authorization of transactions should be separated from the custody of assets and processing of transactions.
    Example: The inventory clerk should not be allowed to transfer inventory without the written authorization of the production manager.

    Record-keeping and operational responsibilities should be separated.
    Example: The accounts receivable bookkeeper should not be responsible for the receipt of cash.

    There should be independent checks on the assets and records whereby one department reconciles or otherwise acts as a double check on another department.
    Example: Employees who are independent of inventory custody or record keeping periodically count inventory and compare it to amounts recorded in the perpetual inventory record.
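
The segregation-of-duties rules in 5-15 can be tested against a system's user-permission assignments. The following is an added example, not part of the original solutions manual: the permission names, user names and sample assignments are constructed, and the duty categories (authorization, recording, custody, independent check) are taken from the answer above.

```python
"""Segregation-of-duties check over a constructed entitlement list (added example)."""
from collections import defaultdict
from itertools import combinations

# Hypothetical permission names, each classified into a duty named in 5-15.
DUTY_OF_PERMISSION = {
    "po.approve": "authorization",
    "inventory.transfer.approve": "authorization",
    "ap.invoice.post": "recording",
    "ar.ledger.post": "recording",
    "inventory.receive": "custody",
    "cash.receipt.handle": "custody",
    "inventory.count.reconcile": "independent_check",
}

# Duty pairs that one individual should not hold together.
INCOMPATIBLE = {
    frozenset({"authorization", "recording"}),
    frozenset({"authorization", "custody"}),
    frozenset({"recording", "custody"}),
    # Independent checkers must be independent of custody and record keeping.
    frozenset({"independent_check", "custody"}),
    frozenset({"independent_check", "recording"}),
}


def duties_by_user(assignments):
    """Map each user to {duty: set of permissions that grant it}."""
    held = defaultdict(lambda: defaultdict(set))
    for user, permission in assignments:
        duty = DUTY_OF_PERMISSION.get(permission)
        if duty is None:
            # An unclassified permission cannot be assessed, so fail loudly.
            raise ValueError(f"unclassified permission: {permission}")
        held[user][duty].add(permission)
    return held


def find_conflicts(assignments):
    """Return sorted (user, duty_a, duty_b, perms_a, perms_b) tuples,
    one for every incompatible duty pair held by a single user."""
    conflicts = []
    for user, duties in duties_by_user(assignments).items():
        for a, b in combinations(sorted(duties), 2):
            if frozenset({a, b}) in INCOMPATIBLE:
                conflicts.append(
                    (user, a, b, sorted(duties[a]), sorted(duties[b]))
                )
    return sorted(conflicts)


# Constructed sample: the purchasing agent and the accounts receivable
# bookkeeper are set up exactly as the examples in 5-15 say they should not be.
SAMPLE_ASSIGNMENTS = [
    ("purchasing_agent", "po.approve"),
    ("purchasing_agent", "ap.invoice.post"),
    ("purchasing_agent", "inventory.receive"),
    ("ar_bookkeeper", "ar.ledger.post"),
    ("ar_bookkeeper", "cash.receipt.handle"),
    ("production_manager", "inventory.transfer.approve"),
    ("inventory_clerk", "inventory.receive"),
    ("count_team", "inventory.count.reconcile"),
]

if __name__ == "__main__":
    for user, a, b, perms_a, perms_b in find_conflicts(SAMPLE_ASSIGNMENTS):
        print(f"{user}: {a} {perms_a} conflicts with {b} {perms_b}")
```
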

    e. Invalid combination of items. Certain logical relationships of data should exist and if they do not exist, the transaction is printed out for further review before processing. An example in the retail environment might match the department code with a valid list of products that are sold in that department.

    5-18. The major principles that should guide the development of a comprehensive access control and security program for an organization include:

    The access to any data item should be limited to those individuals with an authorized need to know.

    The ability to change, modify, or delete a data item should be limited to those with the authorization to make such changes.

    The access control system should have the ability to identify and verify potential users as authorized or unauthorized to perform the function requested on the data item identified.

    A security department should actively monitor attempts to compromise the system and prepare periodic reports to those responsible for the integrity of data items on access to the data items.
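
The principles in 5-18 map onto a deny-by-default check that keeps read rights separate from change rights and records every refused attempt for the data item's owner. The following is an added example, not part of the original solutions manual: the data items, users and requests are constructed, and identity verification is assumed to have happened before `request` is called.

```python
"""Need-to-know access check with a denied-attempt report (added example)."""
from collections import Counter
from dataclasses import dataclass, field

READ, CHANGE = "read", "change"  # "change" covers change, modify and delete


@dataclass(frozen=True)
class DataItem:
    name: str
    owner: str                        # person responsible for the item's integrity
    readers: frozenset = frozenset()  # users with an authorized need to know
    changers: frozenset = frozenset() # users authorized to make changes


@dataclass
class AccessMonitor:
    items: dict
    log: list = field(default_factory=list)

    def request(self, user, action, item_name):
        """Decide one request; anything not explicitly granted is denied."""
        item = self.items.get(item_name)
        if item is None:
            allowed = False
        elif action == READ:
            allowed = user in item.readers
        elif action == CHANGE:
            allowed = user in item.changers
        else:
            allowed = False
        # Every decision is logged so that attempts can be reviewed later.
        self.log.append((user, action, item_name, allowed))
        return allowed

    def denied_report(self):
        """Periodic report: per data owner, a count of each denied
        (user, action, item). Unknown items are routed to 'security'."""
        report = {}
        for user, action, item_name, allowed in self.log:
            if allowed:
                continue
            item = self.items.get(item_name)
            owner = item.owner if item else "security"
            report.setdefault(owner, Counter())[(user, action, item_name)] += 1
        return report


# Constructed data items and users.
ITEMS = {
    "payroll_master": DataItem(
        "payroll_master", owner="hr_manager",
        readers=frozenset({"payroll_clerk", "hr_manager"}),
        changers=frozenset({"hr_manager"}),
    ),
    "price_list": DataItem(
        "price_list", owner="sales_manager",
        readers=frozenset({"sales_clerk", "sales_manager"}),
        changers=frozenset({"sales_manager"}),
    ),
}

# Constructed request stream.
SAMPLE_REQUESTS = [
    ("payroll_clerk", READ, "payroll_master"),
    ("payroll_clerk", CHANGE, "payroll_master"),
    ("payroll_clerk", CHANGE, "payroll_master"),
    ("sales_clerk", CHANGE, "price_list"),
    ("sales_manager", CHANGE, "price_list"),
    ("sales_clerk", READ, "payroll_master"),
    ("sales_clerk", READ, "vendor_master"),  # item that does not exist
]


def run_sample():
    """Replay the constructed requests; return (decisions, denied report)."""
    monitor = AccessMonitor(ITEMS)
    decisions = [monitor.request(*req) for req in SAMPLE_REQUESTS]
    return decisions, monitor.denied_report()


if __name__ == "__main__":
    decisions, report = run_sample()
    for owner, counts in sorted(report.items()):
        for (user, action, item), n in sorted(counts.items()):
            print(f"to {owner}: {user} denied {action} on {item} x{n}")
```
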

    5-19. The primary methods to authenticate (or verify) that a user is attempting to gain access to restricted data or files include:

    Method of Authentication, followed by its Advantages and Disadvantages:

    a. Method: Identification by what the user knows, such as passwords, or some other information likely known only to that person such as mother's maiden name.

    Advantages and disadvantages: Passwords are easy to implement and if guarded properly by users, they can be quite effective. Passwords are often compromised or shared with non-authorized users. User-selected passwords can be easy to guess and therefore compromised.

    b. Method: Identification of users by something they possess, generally a plastic card with a magnetic strip.

    Advantages and disadvantages: The cards contain information needed to identify the user and must be present to gain access. A disadvantage is that cards can be stolen or fraudulently used. In sensitive systems, such as ATMs, the plastic cards are often used in conjunction with a password system to further minimize risk.

    c. Method: Identification of users by some physical characteristic such as fingerprint, voiceprint, or other unique identification.

    Advantages and disadvantages: Physical identification is often thought to be best because it is the method we utilize most often to identify other individuals. However, there are problems with implementation of identification by physical characteristics. The required hardware and software have been prohibitively expensive and reliability has been low. There are also questions of potential reliability should someone be inadvertently denied access.

    There is a second problem with physical identification. Remember that to implement any authentication technique, an image of the physical representation must be stored somewhere on the computer system. The computer is then programmed to compare the representation in the computer with the physical representation sent into the system. If that representation is somehow stolen (either by accessing the system or copying it while being sent over communication lines), then there will be a need to revoke that user's privilege. However, since the privilege is unique to that individual, then it is lost to that individual for all time henceforth, thus completely eliminating the individual's ability to use the system. Thus, most systems are going to a combination of the first two items noted above.

    5-20. General controls are pervasive control procedures that affect all computerized applications. They interact with application control procedures in forming a data processing control structure. Some general control procedures affect all applications and are considered by the auditor in evaluating the control risk of a specific application, e.g., the control procedure restricting access to computer programs and authorizing changes in computer programs.

    Some general controls affect a specific computer application indirectly for the time period audited. For example, control procedures over program changes may not affect a computer application that does not undergo any changes during the current time period. Other control procedures, such as access control procedures, will affect all computer applications and should be treated as an integral part of the evaluation of control procedures for the application.

    The auditor makes a decision regarding the testing of general controls based on (1) the importance of the procedure to the auditor's assessment of risk for assertions related to particular account balances and (2) the overall importance of the controls to other financial statement accounts. In some instances, management controls provide evidence of the existence of the operation of other controls and may be used by the auditor as evidence of the functioning of other control procedures. For example, the auditor may determine that the personnel manager gets complete reports on all changes to an important file and reviews all changes to that file for authorization and completeness thereby providing evidence on the effectiveness of other control procedures.

    5-21. Management gains assurance about the quality of its internal control systems in much the same way as the external auditor. For example, management can gain assurance through:

    exception reports, often referred to as monitoring controls,

    internal audit examinations and reports,

    regulatory audits and reports,

    external audits and reports,

    periodic control self-assessments by management personnel,

    feedback from operating personnel.

    5-22. Controls the auditor might examine to determine that "all valid transactions are recorded" might include:

    use and reconciliation of pre-numbered documents,

    signed authorization of transaction before recorded,

    supervisory review of transactions before recording,

    supervisory review of all exception reports generated by computer edit tests,

    limited access and proper authorization for changing prices for products sold,

    date and time stamps on shipping documents, and similar date and time stamps indicating the recording of the transaction,

    use of carefully controlled corporate documents.

    To test whether these controls are operating, the auditor can take a sample of transactions and trace them through the processing system to determine that (1) controls are working as described; and (2) all valid transactions are recorded in a timely fashion.

    5-23. The major control objective related to the occurrence assertion is that recorded transactions and events have occurred and they pertain to the entity in question. The occurrence assertion is fundamental to auditing, and only after a transaction is deemed to have happened can it be tested for accuracy.

    To achieve the occurrence objective, an organization might implement the following controls:

    Pay employees only if the employee already exists on the master payroll and is entered on that payroll by someone independent of payroll processing.

    A supervisor verifies that the employee worked, or the payroll department verifies by existence of time cards.

    Sales are recorded only with evidence of a customer's order and shipment.

    5-24. Yes, but only for public companies. The PCAOB has mandated that the external auditor must test operating effectiveness of significant controls in the financial reporting process and cannot exclusively rely on management's tests, including those tests performed by the internal auditors. This PCAOB mandate only applies to public company audits. Non-public company auditors are not yet required to report separately on internal controls.

    5-25. Yes, management is required to assess each of the items as they are all part of the control environment, and therefore are a critical part of an organization's internal controls. Management and external auditors would go about assessing each item as follows:

    Each area is listed below, followed by the audit procedures to assess it.

    Area: Independence and Competence of the Board

    1. Review board composition to determine the number of independent directors.

    2. Review minutes to determine if board acts independently, and if they address substantive issues.

    3. Assess the quality of interaction with the chair of the audit committee.

    4. Determine the extent to which the board is active in strategic planning and risk management.

    5. Examine the existence of any past relationship with the audit client, e.g. a past supplier, etc.

    Area: Effectiveness of the Audit Committee

    1. Review composition of board to determine if the audit committee meets the requirements of independence and financial expertise by looking at their past experience and education.

    2. Evaluate the quality of discussion that takes place during the period of time that the firm sits in on audit committee meetings or in private sessions with the audit committee.

    3. Review minutes of audit committee meeting to determine the nature of the meetings and the engagement of committee members.

    Area: Competence of Accounting Personnel

    1. Evaluate the background and education of accounting personnel.

    2. Review the key accounting judgments made by accounting personnel during the past year to determine if the judgments were (a) appropriate, and (b) properly researched.

    3. Determine whether adjustments that were made to the financial statement as a result of the audit reflect on the competency of accounting personnel.

    4. Interview and interact with key personnel to determine their accounting knowledge.

    Area: Adherence to the Code of Ethics

    1. Review the company's plans (including internal audit) to gain assurance that company employees are adhering to the code of ethics. Review management's findings and follow up on selected findings to verify the result.

    2. Determine whether a hotline exists for employee complaints. Review the nature of complaints, and more importantly, determine the nature of follow up by the company.

    3. Review communication to employees about the Code of Ethics.

    4. Review known ethical violations to determine (a) what action was taken, and (b) for significant violations, how the action was communicated to other employees.

    5-26. Publicly-held companies

    Auditors must attest to the effectiveness of the client's internal controls over financial reporting. In performing an audit of controls, the auditor must:

    Review the client's documentation of controls, including a description of how the controls are supposed to work (design)

    Review the client's testing of the controls as a basis for reaching their conclusion on effectiveness (operations), but not exclusively rely on management's tests, including those of the internal auditor

    Determine which controls to test (all significant controls), how large of a sample to take, and how to judge whether or not a control is effective, and

    Reach a conclusion about the effectiveness of the client's internal controls over financial reporting.

    Non-publicly-held companies

    Auditors must report to management and the board of directors significant deficiencies and material weaknesses in the design or operation of internal controls that are identified in the normal course of a financial audit. This report is only for management and board use.

    An auditor may choose not to test internal controls when they are not significant to the operations of the company. For example, the auditor may assess control risk as high and concentrate audit work on substantive tests of account balances.

    5-27. Under AS 5, auditors attest to the effectiveness of the client's internal controls over financial reporting. Factors to consider in determining the sample size for testing:

    Controls performed on every transaction

    a) Whether or not failure of the control procedure is likely to lead to a significant misstatement in the account balance

    b) The rate of failure that would lead to a material misstatement, and

    c) A statistical confidence level that would assure the auditor that there is not more than a remote likelihood that the control could be failing and not be detected by the auditor

    Computerized controls as part of every transaction

    Must be sufficient to persuade the auditor that the control operates effectively across a wide variety of transactions throughout the year. If the auditor has already tested controls over program change and has concluded those controls are effective, the tests of the computerized controls could be as small as one. Exception reports may be examined as well.

    Monthly control procedures

    If the design is adequate, choose one month and re-test the client's tests of these accounts.

    Controls over estimates

    The auditor is more concerned that these controls are working when it is likely that the amounts would be in year-end balance sheet accounts. The sample should be taken from transactions during the latter part of the year following similar criteria to the transaction controls discussed above.

    Year-end adjusting entries

    The better the control environment, the smaller the sample size will be, and vice versa. The auditor should select a sample that includes a random selection of entries, but also all entries of significant amount. They should be tested to see that

    a) controls are not being overridden by management

    b) there is support for each entry

    c) each entry has proper approval

    5-28. A walkthrough is an audit approach designed to gain an understanding of the processing that takes place in the accounting system. In performing a walkthrough, the auditor "walks" a transaction through its processing and makes inquiries of client personnel about the nature of the processing that takes place at each stage of processing. By walking through the processing of the transaction, the auditor can identify important controls and their operation. The auditor can also identify situations where the client's processing does not follow prescribed procedures.

    Taking a tour of the plant can assist the auditor in gaining an understanding of controls in a significant number of ways. Some of these include:

    important information on the procedures used for receipt of goods,

    information regarding the transfer of goods from work-in-process to finished goods,

    an assessment of the control conscientiousness of employees (in a general sense) can be made based on observations,

    use of, and control of, documents used in operations that become part of the accounting system,

    identification and use of computerized collection mechanisms, such as automated time-keeping systems, or transfer of goods through the production cycle, or use of automated equipment to facilitate shipments of goods, and

    the physical control over assets, including the orderly nature of equipment and inventory.

    The general appearance of inventory, production lines, etc. A general observation can tell the auditor quite a bit about how well things are controlled just by how neat the factory floor is and the general appearance of inventory items.

    Multiple Choice Questions:

    5-29. c.
    5-30. d.
    5-31. b.
    5-32. d.
    5-33. e.
    5-34. b.
    5-35. c.
    5-36. d.
    5-37. c.
    5-38. d.

    Discussion and Research Questions:

    5-39. a. Controls must emanate from the intent of owners and creditors of an organization to protectthe resources entrusted to an organization. The stockholders give the board of directorspower to delegate responsibilities to the management of the corporation. The board ofdirectors is responsible for providing management oversight on behalf of the shareholdersand is responsible for approving major investments, divestures, and financing for the

    corporation. Part of the responsibility of the management is to ensure that an effective andefficient control infrastructure is established and followed to produce reliable financialreports, to comply with laws, to run the business proficiently, and to safeguard assets.

    Stated another way: Controls are a way for management to meet the stewardship obligationto a companys owners (shareholders).

    b. This question is intended to challenge students to think about internal controls from a broader perspective than simply the technical details of, for example, what basic controls are, how they operate, and how to test them. Rather, this question is designed to get students to consider the role of internal controls in assuring high quality financial reporting and solid business decision making. Recall that Milacron had the following internal control weaknesses:

    o the accounting department lacked the technical expertise to deal with many of the complex accounting issues that the company had to address;

    o there was improper segregation of duties regarding the accounting for, and control, of inventory;

    o there were improper controls over the dating and recording of sales near the end of the year that could affect the timeliness of recording transactions; and

    o there was a weakness in access controls related to the computer system.

    Having such internal control weaknesses is not unethical, per se. Rather, management's lack of stewardship as evidenced by these weak controls is what is questionable. Auditors will not view weak controls as an ethical risk factor if management is quick and willing to address the problems. But, if the auditor identifies weaknesses, brings them to management's attention, and management still does not apply the resources necessary to correct the problems, then the auditor might start to question the ethical intent/stewardship of management.

    c. This is intended for discussion. Support for the answer that it will improve governance is as follows:


    Good governance is part of the tone at the top and the control environment. The auditor explicitly has to report to shareholders if the auditor believes there are weaknesses at this level. Thus, there is strong motivation to ensure that governance is good.

    Controls are designed to provide a stewardship report to the owners of the organization. It is hard to argue that this can be other than good.

    A sound control system will include improved monitoring controls, including sufficient monitoring by management and the board of directors. Improved monitoring by the board, including risk analysis, will improve the governance of most organizations.

    The major argument on the cost-benefit of governance is on the cost side of things. The initial implementation of Sarbanes-Oxley section 404 was very expensive because of the auditor's emphasis on detailed documentation and testing of controls. It was also expensive because most organizations had not taken the time to document and test controls. Thus, there was a heavy start-up cost associated with Sec. 404 reports. However, like everything, there is a learning curve and costs are expected to decrease over time as auditors and managers learn to better document and improve controls.

    d. There is evidence that internal control information affects stock prices. Most of the effects on stock prices have been on the negative side due to:

    accounting restatements often due to a breakdown in controls,

    adverse reports on the quality of controls.

    Investors expect high quality internal controls. When the controls, and therefore the trust in management and management's reports, are lacking, investors are not as willing to pay as high a price for the company. This can occur through a higher risk-adjusted discount rate in determining stock prices. The higher discount negatively affects stock prices.

    5-40.

    a. The major elements of an organization's internal control process are:

    Control Environment: The control environment sets the tone at the top of the organization and determines the rigor with which systems and controls are adequately designed. The control environment is pervasive.

    Risk Assessment: The process the entity goes through to identify and analyze the relevant risks that may affect the achievement of the organization's objectives. It is important that students understand that this risk assessment process is significantly broader than evaluating the risks associated only with the processing of transactions.

    Control Activities: The nature of controls to be implemented is directly dependent on the control environment and the risk assessment process. Control activities are the policies and procedures implemented by management to ensure the accomplishment of objectives and the mitigation of risks.

    Information and Communication: The process of identifying, capturing, and exchanging information in a timely fashion to enable the accomplishment of the organization's objectives. The communication may come in the form of management reports, detailed analysis of transactions, or direct communication resulting from management supervision. This component incorporates the organization's accounting system and its methods for recording and reporting on transactions.

    Monitoring: The process that assesses the quality of internal controls over time and takes corrective action on any deficiencies in either the design or operation of internal controls.

    Monitoring can take place through either (1) ongoing activities, or (2) separate evaluations. Examples of separate evaluations would include independent reports by the internal audit function.

    b. Deficiencies in the Internal Control Process:

    Deficiencies in the control environment will lead the auditor to assess the lack of control emphasis on the specific implementation of controls within the accounting system. The auditor will consider the following:

    The organization's control environment is pervasive.

    The attitude of those at the top, and their approaches to creating an environment which facilitates overall control, provides the framework in which all the other controls operate. Detailed control procedures can be overlooked if management does not reiterate their importance, or in some cases can even be overridden by management.

    If there is inadequate follow-up and monitoring of controls, it is unlikely that the controls will be effectively implemented.

    Deficiencies in Risk Assessment:

    This would imply the organization has not undertaken a systematic process to identify the pertinent risks that it faces. In turn, this implies that sufficient controls have not been developed to mitigate the risks. The implications for the audit are:

    The auditor has to assess the significant risks affecting the financial account balances. These risks include the transactions that are processed as part of the everyday activities of the organization and the other processes that lead to accounting estimates.

    The auditor must determine whether sufficient controls are in place to mitigate these risks and whether or not those controls can be tested.

    Unless the auditor can perform his or her own risk analysis and test the controls, it will be difficult to assess control risk at either a moderate or low level, implying a shift towards greater direct tests of account balances.

    Deficiencies in Control Activities:

    Without adequate control procedures, the auditor will resort to direct tests of account balances as the major audit approach. Generally (unless the auditor is dealing with a very small client), such an audit approach will be much more expensive. Before doing so, the auditor will always ask the basic question, "Do sufficient controls exist to ensure that valid transactions will be recorded, or are there sufficient controls to lead to a conclusion that the entity is auditable?"


    Deficiencies in Information and Communication:

    A deficiency in information and communication activities implies that the systems have not been designed to accomplish the organization's objectives. Such deficiencies lead to the development of three major questions for the auditor:

    (1) is the system auditable, that is, are there sufficient controls to ensure that all valid transactions will be recorded, and that only valid transactions are recorded, and

    (2) is there sufficient documentation to ensure that the system is auditable, that is, the auditor can gather sufficient competent evidence to determine the correctness of the client's account balances.

    (3) what are the specific risks of account balance misstatements occurring? The auditor needs to identify the types of misstatements that are likely to occur because of the control deficiencies and design audit tests to determine whether or not such misstatements have occurred in amounts that could be material to the financial statements.

    Deficiencies in Monitoring Activities:

    This implies that management has not set up a systematic process to determine if its underlying information and communication systems have gone out of control. Without such systems, it becomes difficult for the auditor to develop evidence that the system has been working effectively throughout the year (although it may still be possible by testing transactions throughout the year). This would generally lead the auditor to directly testing account balances and not assessing control risk at a low level.

    c. The auditor must start with an understanding of the overall control philosophy of the organization. That philosophy manifests itself mostly in the control environment, the organization's commitment to risk assessment, and its commitment to monitoring the effectiveness of internal controls. That understanding is a fundamental part of the assessment.

    Once the understanding of the control environment is made, the auditor performs the control risk assessment for each accounting subsystem that processes material transactions. Some of the subsystems may contain strong control activities built into the processing system, while others may contain deficiencies. The auditor then considers both (a) the control environment and (b) the specific control procedures in the processing system to determine the likelihood that material misstatements in a particular account balance would not be prevented or detected. Based on that assessment, the auditor evaluates whether there is a material weakness or a significant deficiency in internal controls, and then determines the audit approach to address the possibility of a misstatement.

    5-41.

    a. The elements of an organization's control environment that ought to be considered by the auditor as part of the auditor's process of assessing control risk include:


    management's philosophy and operating style,

    the entity's organizational structure,

    the functioning of the board of directors and its committees, particularly the audit committee,

    human resource policies and practices,

    integrity and ethical values,

    commitment to competence.

    The auditor seeks information on the organization's control environment because the control environment is pervasive. The attitude of those at the top, and their approaches to creating an environment that facilitates overall control, provides the framework in which all the other controls operate. Detailed control activities can be overlooked if management does not reiterate their importance, or in some cases can even be overridden by management. If the control environment is weak, it is much more likely that the auditor will view control risk as high, will be unable to rely on controls, and will then have to perform a more substantive (and costly) audit.

    b. Sources of Information about the Control Environment:

    Control Environment Factor / Sources of Information:

    Management's Philosophy and Operating Style

    Previous interaction with management, especially their openness and can and their actions taken on recommendations to improve control.

    Review of important corporate documents that set policy, such as Corpor Code of Ethics, or management's attention to policies.

    Management's support of an internal audit department and management's reaction to internal audit reports.

    Management compensation plans and management's apparent motivation report higher earnings, coupled with management's willingness to use accounting as a basis to increase reported earnings.

    Press reports or regulatory reports dealing with the company, many of wh will reflect on management.

    The Entity's Organizational Structure

    Review of organizational charts.

    Review of internal audit reports.

    Interviews with functional department heads to determine if actual organization actions are consistent with organizational structure.

    Auditor's observation of informal structure versus formal structure.


    Review of reports, especially monitoring controls, and how they are folloup.

    The Functioning of the Board of Directors and its Committees, particularly the Audit Committee

    Review of minutes of board of director and audit committee meetings.

    Review of audit committee follow-up to previous recommendations by internal and external auditors.

    Personal interaction with the audit committee regarding their interest in identifying and following up on special projects.

    Discussion with the internal audit department to determine if the internal a meets with the audit committee on a regular basis and whether substantive issues are discussed.

    Human Resource Policies and Practices

    Organizational charts, policy and procedure manuals.

    Interviews with functional department heads.

    Review of important employee contracts.

    Commitment to Competence

    Interaction with accounting personnel including an assessment of accounti knowledge, understanding of business purposes of transactions, and access authoritative pronouncements.

    Review of hiring practices for key positions in the organization, including background checks.

    Review of resumes of key financial personnel.

    Interviews with audit committee and senior management about personnel development; procedures to improve the competence of existing staff; and review of plans to upgrade financial competencies within the organization

    Review of internal audit reports.

    Integrity and Ethical Values

    Review of organization's Code of Conduct, including discussions with top middle management to determine if the Code is followed within the organization.

    Review of internal audit reports and auditee (especially management) reactions to internal audit reports.


    Review ethical and legal complaints brought against the organization.

    Review of follow-up to monitoring reports. Determination of whether effective and timely action is taken.

    c. The auditor can document the understanding of the client's control environment in a questionnaire or in a memo. The auditor's understanding needs to be documented such that the control environment's effect on the organization's controls and conduct of the audit can be communicated to all members of the audit team. The auditor should always document his or her reasoning process in concluding that controls are adequate or contain deficiencies. This reasoning process should cover all the elements of the control structure.

    5-42.

    a. Monitoring is an element of internal control that management, the board, and others establish to provide feedback on the effectiveness of operations, compliance with organizational policies and procedures, and the effectiveness of internal controls to accomplish financial reporting objectives. Monitoring controls provide feedback on potential breakdowns in internal control elements in a timely fashion such that timely corrective action can take place. Examples of monitoring controls include:

    periodic internal audit of major processes,

    exception reports that indicate that operations are different from that budgeted or expected given current economic conditions,

    reconciliation controls that identify significant changes or deviations from expectations,

    graphical analysis of sales by time period with an emphasis on identifying significant, unusual sales made near the end of a quarter.

    b. Monitoring Controls in Different Types of Organizations:

    i. 7-Eleven Store:

    a. Monitoring Control: comparison of daily, weekly, and monthly sales with:

    o past results for the store,

    o results in similar stores,

    o expected changes related to current economic conditions,

    o gross profit analysis for same time periods,

    b. Management would learn about failure of other controls if exceptions are noted:

    o skimming of cash receipts,

    o failure to record all transactions,

    o inadequate control over product and inventory,

    o poor management of the store,

    o decline in operations.


    ii. A chain restaurant such as the Olive Garden:

    a. Monitoring Control: comparison of daily, weekly, and monthly sales with:

    o past results for the store,

    o results in similar stores,

    o expected changes related to current economic conditions,

    o gross profit analysis for same time periods,

    b. Management would learn about failure of other controls if exceptions are noted:

    o failure to record all transactions, especially liquor transactions,

    o failure to deposit all receipts,

    o gross margin analysis would indicate problems with food ordering, efficiency of processing, or skimming of items.

    iii. Manufacturing division making rubberized containers:

    a. Monitoring Control: comparison of daily, weekly, and monthly sales with:

    o past results,

    o industry trends

    o gross margin

    o other monitoring controls, including:

    1. comparison of inventory with past results and with competitors,

    2. review of returns as a percentage of sales,

    3. review of aging of receivables and # of days' sales in receivables.

    b. Management would learn about failure of other controls if exceptions are noted:

    o potential fictitious or unusual sales, i.e. sales are made with unusual terms or with management override of policies regarding credit, returns, or other items,

    o potential inventory shrinkage and control over recording of inventory, including possible failure of periodic count and reconciliation of actual inventory with book inventory.

    c. In a properly designed control system, the auditor can take comfort in the operation of monitoring controls if:

    the auditor has already gained an understanding of the design and operation of the processing and other reporting controls,

    the auditor has assurance that the monitoring controls are soundly designed and exceptions are followed up promptly to determine their cause. Corrective actions are taken as necessary.

    If monitoring controls are effective, the auditor should be able to examine monitoring controls to determine if they signal problems and that proper follow-up and corrective action, where merited, are taken. Specific examples of monitoring controls might include:

    reviews of reconciliations,

    reviews of internal audit reports,

    reviews of exception reports,

    documentation of follow-up investigations and corrective actions.


    The bottom line is that if the design of monitoring is effective, the external auditor can shift most of the control testing to determining the effectiveness of monitoring, and then corroborate that information with a small sample of specific controls to determine that monitoring is providing a correct assessment of the controls.


    5-43.

    Underlying Principle / Evidence Reviewed

    Integrity and Ethical Values

    1. Ethical values are clearly articulated.

    2. Ethical values are clearly communicated.

    3. Management monitors adherence to the code of ethics.

    Review of organization's Code of Conduct, including discussions with top and middle management to determine if the Code is followed within the organization.

    Review of internal audit reports and auditee (especially management) reactions to internal audit reports.

    Review ethical and legal complaints brought against the organization.

    Review of follow-up to monitoring reports. Determination of whether effective and timely action is taken.

    Board of Directors

    1. Is independent and competent

    2. Meets on a regular basis

    3. Addresses meaningful organizational risks

    Read the minutes of the meetings,

    Consider board relationships and percentage of independent directors

    Discuss overall operation with the Board Chair or independent lead director

    Review composition of board subcommittees

    Review charter and operation of the audit committee

    Organizational Structure:

    1. is designed with proper description of roles and responsibilities, and authorities consistent with those responsibilities.

    2. facilitates effective communication about controls and reporting,

    3. provides for adequate segregation of functions.

    Review of organizational structure design to determine that roles and responsibilities are appropriately defined.

    Examine correspondence, interview various parties, etc. to determine that the organizational structure operates as designed,

    Interview selected parties to determine if they understand their responsibilities,

    Review communications regarding internal controls to see what parties receive the communication and whether appropriate actions are taken in response to the communication.

    Review the organizational design to determine that proper segregation of duties is contemplated in the design.

    Review selected activities to determine that there is evidence that segregation of duties takes place.


    Management Philosophy and Operating Style

    1. is designed to emphasize the importance of sound financial reporting objectives.

    2. supports a disciplined approach to selecting and implementing financial reporting principles.

    3. management clearly articulates financial reporting objectives.

    Review policy manuals to determine the nature of accounting policies and management's commitment to a sound process of selecting and implementing accounting policies.

    Determine the extent that policies are revised and reviewed by top management by examining updates to the policies that provide evidence of supervisory approval.

    Interview employees to determine their personal philosophy on accounting

    Commitment to Financial Reporting Competencies

    1. Organization commits to developing financial competencies commensurate with the nature of accounting transactions undertaken by the company.

    2. Company avoids transactions that are overly complex and not consistent with the organization's strategies.

    3. The company has a hiring and promotion practice that emphasizes financial accounting and control competencies.

    Continuous evaluation of financial accounting personnel as part of every audit engagement, including an assessment of their competencies to make financial reporting decisions.

    Examine the nature of complex transactions that the company enters into to determine whether they are commensurate with the risks taken and the competencies of the financial reporting personnel.

    Review the vitas of the financial personnel to determine their educational levels, as well as practical experience.

    Review HR and other hiring and evaluation processes to determine the extent that financial competencies are evaluated in both the hiring and promotion decisions.

    Authority and Responsibility

    1. There is board responsibility in overseeing the appointment of key financial positions.

    2. There is clear communication as to the appropriate responsibilities of various parties, as well as their authorities.

    3. Policy manuals exist that clearly identify authorities and responsibilities.

    Review policy manuals to determine the responsibilities and authorities that are assigned; evaluate whether or not the assignment is consistent with the organization's objectives and minimizing risk.

    Review management's communication of responsibilities.

    Take a sample of transactions and determine if they were authorized by proper personnel.

    Review board minutes and determine the extent to which authorities and responsibilities are reviewed, or are covered [including internal audit reports].


    Human Resources

    1. Hiring practices reflect a commitment to competencies.

    2. Periodic staff evaluations reflect a commitment to financial competencies.

    3. Procedures are in place to develop and produce information that is needed to comply with various state and federal regulatory requirements regarding employees, as well as establishing benefits for employees (e.g. pensions).

    Review HR policy manual to determine hiring policies.

    Take a sample of recent interviews, job applications, and employee hires to determine if they followed organizational policies.

    Review employee contracts to determine the benefits associated with employees. Take a sample of recent payments to determine if they are appropriately accounted for.

    Inquire of personnel to determine their approach to ensure that they are in compliance with various regulations.

    Review regulatory audits, or internal audits, designed to determine compliance with regulatory requirements.

    Review recent staff evaluations to determine whether the evaluations were completed on time and complied with company policies.

    5-44.

    a. In the broad sense, internal controls exist to identify and manage risks facing a business. Internal controls are an important part of corporate governance, the framework for which consists of the control environment, risk assessment, control activities, information and communication, and monitoring. Management sets the tone of control consciousness that affects the rest of the organization. Within the framework of broad guidelines and policies developed by management, specific control procedures are developed to achieve specific control objectives.

    Internal controls over financial reporting are much more specific. They include the specific control procedures developed by management to ensure that all transactions are properly recorded, valued, and that financial statements are fairly presented in accordance with generally accepted accounting principles. Key accounting control activities are controls that effectively prevent or detect misstatements. Internal accounting controls are part of the broader set of internal controls. They are a very important part, but they should not be the auditor's only focus.

    b. Four main parties that benefit:

    Management

    Because they have to provide an assessment of internal controls and stand behind it, management will be sure to put more emphasis on their internal control design and operation, which will lead to a more effective company.

    Auditor

    Because the auditor is required to attest to management's report on the effectiveness of internal control, they will do independent tests in their own thorough assessment of internal control. In addition to the work of management, the auditor's testing will be very likely to turn up inefficiencies and create improvements in existing internal control. Also, the financial statement audit can be focused in certain directions based on the results of internal control testing.

    Audit Committee

    When shared with the audit committee, the internal control assessments of both management and the external auditor will create a more informed board of directors as a whole. A more informed board can make better decisions for the company, and can create more quality interactions with the external auditor.

    Public

    Required reporting on internal controls leads to more transparent financial information on companies, which leads to better decisions by investors and in turn, more efficient financial markets.

    c. A company's trading partner may be interested in the quality of an organization's controls because today many businesses are becoming more integrated with one another. If a manufacturer enters into contracts with major suppliers to provide just-in-time inventory, they need to know that the supplier has proper controls to ensure that they will receive high quality supplies, their privacy will be protected, and that there will be proper accounting for the transactions.

    d. A negative report on internal controls would likely reduce the market price of that particular company's stock. This is arguable, however. Some investors may look at the description of deficiencies and the solutions that have been put in place and realize that the problems are in the past, and do not create problems for the future cash flows of the company. Many investors, however, will simply see the report as a red flag, and the stock price will drop accordingly. However, as the Professional Judgment in Context feature points out, there have been stock price declines associated with these negative disclosures.

    e. The report must address all the components of internal control. The internal control model anticipates that all of the components work together to accomplish the organization's objectives. For example, a weakness in the control environment cannot be offset just by control activities in a particular processing system.

    5-45.

    To facilitate the discussion, we suggest that the instructor may want to place the discussion in the context of an organization that is known locally, or could be related to nationally such that the students have a common frame of reference.

    a. Major risks to the achievement of effective internal control. Some of the issues that the groups may want to discuss include risks of:

    Management Override

    Improper Estimates

    Improper Closing Entries


    Transaction Related Risks, including

    All valid transactions are recorded

    Incorrect recording of data

    Incorrect prices

    Incorrect processing of transactions

    Shipments to the wrong place

    b. For each risk, the group should identify a specific type of control that would help mitigate the risk. For example, the control over management override could include:

    Review of controls by internal audit,

    Summary of all adjusting entries for review by the audit committee,

    An active audit committee and an independent audit firm.

    Controls over transactions processing would include traditional edit tests, access to the computer system, pre-numbered documents, and so forth.

    c. The groups should identify specific tests that would be persuasive in determining whether the controls operate as expected. For example, there should be evidence that the audit committee reviews the nature of the internal audit reports. To the extent that transaction controls are identified, the groups should identify approaches to test each control.

    5-46.

    a. Potential Control Deficiencies and Internal Control Weaknesses

    Issue / Assessment / Additional Information Needed, if applicable

    1. Laid off approximately 75 factory workers

    Not necessarily a deficiency.

    Did the change affect the segregation of duties?

    Is the streamlined receiving working, and is it more efficient?

    2. Cut hourly wages by $3 per hour

    Most likely no effect on internal controls.

    Are any of these employees involved in the internal control over financial reporting?

    Has the wage cut affected either their attitude or conscientiousness about performing control activities?

    3. Reduced the size of the board etc.

    A material weakness in internal controls, primarily due to the decline in the number of independent directors.

    In addition, the change in compensation to only stock options may influence the directors and audit committee members' attitudes towards accounting choices.

    How many directors are there?

    What is the independence of the one remaining outside director?

    4. Eliminated the internal

    audit etc.

    Significant deficiency ininternal control. It is a goodthing to have the processowners assumeresponsibility for evaluatingand implementing internalcontrols. However, they arenot objective when it comesto evaluating the adequacy of

    the controls, or in testing thecontrols.

    5. Changed from a Big 4audit firm to a regional auditfirm

    The external audit is not partof the organizations internalcontrol system.

    It makes sense to reducecosts in a time of difficultfinancial conditions. Manylocal and regional auditfirms are outstanding. It is abit troubling here that the

    client will be the first publicclient of the audit firm.

    6. Increased reliance onmonitoring controls

    A material weakness ininternal controls for tworeasons:

    a. There is no objectiveassessment by any party.

    b. Comparison of budgetwith actual, by itself, is avery weak form of

    monitoring.7. Tighter performancegoals etc. for managers

    Significant deficiency ininternal controls. There is aconsideration regardingoperating philosophy andstyle. We all know thatpeople are motivated by howthey are compensated. Thus,

    To what extent do the

    current year results differfrom the previous years?

  • 7/27/2019 Ch 5 Sm Finalca

    28/53

    there is a risk that theindividual performanceobjectives may lead somemanagers to overridecontrols.

    The auditor would look tosee if there are anycompensating or mitigatingcontrols, e.g. internal audit.In this case, the lack ofinternal audit would causethe auditor to, at a minimum;conclude that there is asignificant deficiency ininternal controls.

    8. The purchasingdepartment has been

    challenged to move awayfrom single-suppliercontracts

    Of course, this makes a greatdeal of sense. There are

    some risks that are related tooperational efficiency, andpotentially to accounting thatthe auditor must consider.However, those risks do notconstitute a materialweakness or significantdeficiency in internalcontrol. The two major risksare as follows:

    a. Potential decrease in the

    quality of products goinginto the company products,

    b. Potential increase inwarranty expenses due to thedecrease in cost.

    Although there may not

    be enough time to fully

    assess, the auditor shouldbe alert to the possibilityof greater returns orwarranty expenses relatedto a potential decrease inthe quality of parts.

    9. A freeze on all hiring, etc. A significant deficiency orpossibly a material weaknessin internal controls. Again,this is not an unusual actionto be taken during a time ofsevere economic problems.

    However, since it is inaccounting, it may affect:

    a. the commitment tonecessary competencies, and

    b. the likelihood that moreaccounting errors will bemade because of key

  • 7/27/2019 Ch 5 Sm Finalca

    29/53

    personnel being overworkedand will not have the time topay attention to detail.

    b. The risk related to financial reporting has increased during the year due to:

    Potential violation of debt covenants,

    Loss of independent directors,

    Shortage of accounting personnel,

    New compensation system that focuses on reported performance,

    Changing major suppliers (and potential loss in quality),

    Change in employee morale, and

    Higher fraud risk.

    There are many ways in which the risk might manifest itself, including:

    Changes in warranty cost,

    Changes in accounting estimates,

    Pressure to record revenue prematurely,

    More errors in accounting processes.

    The auditor needs to adjust the audit as follows:

    More skepticism and more experienced auditors assigned to the audit,

    Recognition of potential for fraud,

    More detailed testing of accounting balances (higher CR risk, and would likely set AR lower).

    More analysis of sales recognition during the last quarter,

    More testing of internal controls,

    Expand work on warranty,

    More testing of estimates.

    5-47.

    a. Testing a control in operation means that the auditor is taking a sample of transactions to determine if evidence exists that the control is operating as it is designed to operate - and thus is effective in achieving the organization's processing control objectives.

    The auditor makes a determination of which controls to test by determining which controls most effectively contribute to the accomplishment of a control objective. If there are three controls that contribute to the accomplishment of a control objective, for example, the auditor may choose to test the one control that, if operating effectively, will accomplish the processing objective.

    b. The top-down, risk-based approach advocated by the PCAOB recognizes that auditors should:

    Start with the end-product, i.e. the financial statements, and determine the accounts that are material,

    Determine the risk that the account balance may be misstated,

    Develop specific tests that create a better understanding of the controls regarding the recording of the material accounts,

    Determine the likelihood of a material misstatement in the accounts, and what might cause the account balance to be misstated,

    Develop tests to determine whether a material misstatement occurred.

    c. If a documented control is not operating effectively, it is not much different than the control not operating at all. There are two potential consequences:

    (1) The auditor reassesses the control risk in the accounting subsystem assuming that the control is not operative. The auditor then determines the critical importance of the control and the effect on processing transactions. If the control is partially working, the auditor's assessment as it affects material misstatements may not be as harsh.

    (2) The auditor needs to determine the types of misstatements that will occur and not be prevented or detected by the control procedure, and design specific tests of the account balances to determine if such misstatements had taken place.

    d. Should a document not be able to be located by the client, the auditor should become more uncomfortable with assessing the control as effective. Another document (or documents) should be tested. However, realize that when a sample is taken, the original documents (including the lost one) should all be taken into account when making a final assessment.

    5-48.

    a. Potential application control procedures for the order-taking process at Cabela's might include

    Self-checking digits for all part numbers (optional because some of the other control procedures listed below might compensate for not having this control).

    Well-designed screen format to capture all the required information in a systematic fashion for every order.

    Reference to a customer address and history file. The order taker can gather information such as a customer code number on the catalog or last name and zip code to access a customer history file. The order taker can then verify current address and avoid the need to reenter the data for repeat customers. The order taker can also verify past credit history with the customer and determine whether a credit limit has been established for the customer.

    Computerized tables for prices. The customer can indicate the product number ordered. The system should then access the price table to record the approved catalog price for the item. The order taker can also verify the product description and the price with the customer. This verification process is sufficient to eliminate the need for the self-checking digit.

    Internet ordering whereby the customer clicks on the item for sale and the sale price, adds it to the cart, and then checks out. The key controls include the master part number, description, picture, and price. This approach contains many of the other controls identified above.

    Reference to inventory file to determine quantities on hand. The order taker can improve customer service by referencing the current inventory file to determine whether goods are on hand or back ordered and, if back ordered, the approximate date of shipment so that the customer can determine whether to wait.

    Automatic computation of order total. This total can be communicated to the customer.

    Credit verification with a credit card company before shipment.

    Phone orders would require the use of an approved credit card or payment before shipment. Most catalog companies do not establish an accounts receivable file.

    Oral verification of products ordered using part number and description. This could effectively replace the self-checking digits and expedite the ordering process.

    Edit tests that might be embedded in the software include:

    Valid product code.

    Pre-established credit limits.

    Oral verification of products ordered

    b. Similar controls would be used for on-line ordering via the Internet. However, the access to information such as inventory on hand, shipping date, and so forth would be done through the computer software and would not use the intermediary on the phone. Instead of using self-checking digits, the user has a picture and description of the item ordered. The user must submit an approved method of payment before the item can be prepared and shipped. Finally, the user must have an ability to review the total order before final processing (the shopping cart).

    c. Response to Control Deficiencies:

    Control Deficiency / 1. Types of Errors or Irregularities that Might Occur / 2. Audit Procedures to Address Potential Misstatements

    Self-Checking Digit

    1. Incorrect products might be shipped. However, as noted, this control may be offset by other controls, e.g. oral verification.

    2. Review logs of customer complaints to determine magnitude of customer complaints. Confirm receivables or credit card disputes to determine amounts that might not be collectible.

    Well Designed Screen Format

    1. Information is missing or orders not processed.

    2. Examine log of items not processed. Major risk is that items will be improperly billed resulting in either misstatement of receivables or inventory. Consider expanding receivables tests and observation of inventory.

    No Customer Address File

    1. Bill to the wrong address. Grant credit inappropriately.

    2. Similar to above responses. Either there will be customer complaints or a rise in receivables that may indicate uncollectible accounts.

    No computerized prices.

    1. Customers could be billed at incorrect prices. Inconsistent billing across agents taking the orders.

    2. Review customer complaints and receivables. Take a sample of invoices and trace back to authorized price list to determine potential magnitude of problem.

    Reference to Quantities on Hand

    1. Increased backorders. Billing for items not shipped.

    2. Customer disputes should be investigated. Expand accounts receivable tests. Review inventory at end of year, probably physically count inventory because of lack of controls.

    Automatic Computation of Order

    1. Orders are computed incorrectly. There is also a potential legal problem if there is a systematic mispricing of orders.

    2. Examine customer complaints. Take a sample of billings and recompute total billing.

    Credit Verification

    1. Ship goods to customers who do not have credit. Likelihood of collectibility is lower.

    2. Examine aging of accounts receivable. Investigate if there are significant differences. Take a random sample of billings and trace to electronic credit approval.

    Require approved credit card.

    1. Increase in uncollectible accounts.

    2. Review aging of accounts receivable. Investigate causes of increase.

    Oral Verification

    1. Increase the likelihood that (a) incorrect products are shipped, or (b) they are shipped at wrong prices, or (c) there are fictitious invoices.

    2. Review aging of accounts receivable. Investigate causes of increase.

    Note: most of the deficiencies will be detected by strong monitoring controls, especially a review of all customer inquiries/complaints by a department separate from the billing department. Such departments normally keep logs of activities. The auditor should be able to examine those logs. Further, if there are problems, the auditor should note that there is either (a) an increase in the amount of write-offs of uncollectible accounts, or (b) an increase in both the volume and the aging of accounts receivable. These signs should lead the auditor to perform additional verification of accounts receivable including increased confirmation and follow-up of receivables.

    5-49.

    a. Authorized price list for all products should be kept in computer tables that must be referenced for all orders. If the price charged a customer differs (either by a small percentage or by any amount), the order would be rejected for processing pending a review and approval of the transaction by the marketing manager.

    b. Total payroll on a weekly basis should be compared with the number of employees and previous week's payroll.

    Batch control procedures should be established to prevent duplicate processing.

    Edit tests could be implemented to compare the hours worked for a specific time period to determine whether an employee had already been paid for the current period.

    c. Access to data files should be limited and controlled via access control methods, preventing the employee's access to the master file. It is especially important that procedures are established relating to employees who have security responsibilities and then are terminated. As an example of this situation in practice, in April of 2007, a key security employee of Wal-Mart took digital secrets regarding plans to sell off part of the business and leaked the information to the Wall Street Journal.

    d. Access controls should limit the ability to change the files. In this particular situation, the individual tried to change a product master file. A printout of all changes should be developed as changes are made and sent to the individuals responsible for making the changes. The report would provide evidence of the unauthorized change should the access control procedures fail to operate effectively.

    e. Edit tests would determine the validity of a product number.

    Self-checking digits on high priced products.

    The computer edit program should verify part number and billing price.

    f. Use of self-checking digit would have prevented the error.

    Further tests could be performed by comparing some other information furnished by the customer such as shipping name or address with the data contained in the customer address file for the customer identifier.

    g. Segregation of duties would prevent the individual billing or posting of accounts receivable from receiving cash remittances. The initial segregation can develop accountability and batch controls to ensure the completeness of processing.

    h. A limit test on the number of hours worked would detect the errors.

    A daily report on hours worked by job center prepared and sent to the supervisor of the department for approval would detect the misstatements.

    Another test would be to limit the timecard to authorized hours and allow changes only when overtime had been authorized.

    i. Reference to the up-to-date credit file would identify the error. Credit limits for all customers should be established to minimize the amount of risk.
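
    Added example (not part of the original solutions): the order-entry edit tests named in 5-48 and 5-49 run in sequence, namely a self-checking digit, the authorized price table, and the customer credit limit. The Luhn mod-10 scheme, the product numbers, prices, customer record and failure codes are assumptions constructed for illustration.

```python
from decimal import Decimal

# Constructed sample data (not from the case). Product numbers end in a
# Luhn mod-10 check digit; the choice of Luhn is an assumption.
PRICE_LIST = {"10017": Decimal("49.95"), "20032": Decimal("129.00")}
CUSTOMERS = {"C001": {"credit_limit": Decimal("500.00"), "balance": Decimal("420.00")}}


def check_digit_ok(number):
    """Self-checking digit test: catches single-digit and most transposition errors."""
    if not isinstance(number, str) or len(number) < 2:
        return False
    if not (number.isascii() and number.isdigit()):
        return False
    total = 0
    for position, char in enumerate(reversed(number)):
        digit = int(char)
        if position % 2 == 1:  # double every second digit from the right
            digit = digit * 2 - 9 if digit > 4 else digit * 2
        total += digit
    return total % 10 == 0


def edit_order(customer_id, product_no, quantity, unit_price):
    """Return the codes of failed edit tests; an empty list means the order may be processed."""
    failures = []
    if not check_digit_ok(product_no):
        failures.append("CHECK_DIGIT")       # keying error in the part number
    elif product_no not in PRICE_LIST:
        failures.append("UNKNOWN_PRODUCT")   # well-formed, but not on the master file
    if not isinstance(quantity, int) or quantity <= 0:
        failures.append("QUANTITY")
    customer = CUSTOMERS.get(customer_id)
    if customer is None:
        failures.append("UNKNOWN_CUSTOMER")
    if failures:
        return failures                      # the remaining tests need valid master data

    charged = Decimal(str(unit_price))
    if charged != PRICE_LIST[product_no]:
        # 5-49 a: reject pending review and approval by the marketing manager.
        failures.append("PRICE_HOLD")
    if customer["balance"] + charged * quantity > customer["credit_limit"]:
        failures.append("CREDIT_LIMIT")      # 5-49 i: reference to the credit file
    return failures
```

    The check digit and the price table are separate tests: a number can pass the check digit and still not exist on the product master file, which is why the lookup follows it.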

    5-50.

    a. Questions regarding normal physical controls:

    Are there cameras to monitor the actions of employees?

    Are there locks on doors where appropriate to keep unauthorized users from where they are not permitted to be?

    Are secret paper files containing passwords or other personal information properly secured from public view?

    Does the company use physical scanning as a basis to authorize access to the computer area?

    Are all employees required to wear badges with identification information on them in order to access the computing facility?

    b. Three primary methods to authenticate users:

    Something they know, such as a password. These are quick and easy, but are also prone to get lost, stolen, or guessed.

    Something they possess, such as an access card. These are better than just passwords, because they can't be guessed, but they can be stolen.

    Something about themselves, such as a fingerprint, a voiceprint, or some other type of physical identification. These are the most sophisticated and most difficult to steal or copy, but they are very expensive and create more cause for concern about proper controls.

    c. If people were to break into a system and steal or copy the physical scans of authorized users, those individuals could masquerade as the authorized personnel by submitting their profiles when logging on to the system. Once the company became aware of the compromise, they would have to revoke the privilege of the authorized user, and the correct person would then be denied access to the system. The key is that a company has to compare the physical scans with previously authorized scans that are on the computer system. If those original scans are compromised then the system is fully compromised. Further, if someone intercepts the passage of a physical scan, then that person's security is compromised. Therefore, most use of physical scans is limited to direct (private) lines into the computer system, e.g. access to the computer operations area.

    d. An access control system must restrict access to authorized users for authorized purposes. The three-dimensional matrix matches user groups to data and authorized functions such as ability to read an item, change an item, or input a new item. The organization must identify every data asset or program and then map users and allowable accesses. Then, the organization must implement an authentication procedure to ensure that an individual is who he or she claims to be. An access matrix is vitally important for security. People should not be able to access data or programs that are not related to their work duties. This concept can be seen in non-electronic environments also with physical controls.
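
    Added example (not part of the original solutions): the access matrix from 5-50 d with deny-by-default authorization, a change report of the kind described in 5-49 d, and a review of the matrix for incompatible duties. The user names, groups, data assets and the incompatible pair are constructed assumptions.

```python
FUNCTIONS = {"read", "change", "input"}

# Constructed matrix: (user group, data asset) -> functions the group may perform.
ACCESS_MATRIX = {
    ("order_entry", "sales_orders"): {"read", "input"},
    ("order_entry", "price_table"): {"read"},
    ("marketing_manager", "price_table"): {"read", "change", "input"},
    ("sales_rep", "sales_orders"): {"read", "input"},
    ("sales_rep", "price_table"): {"read", "change"},  # deliberate design flaw
}

# Constructed users; each belongs to one group.
USER_GROUP = {"avery": "order_entry", "blake": "marketing_manager", "casey": "sales_rep"}

# Pairs of (asset, function) that one group should not hold together.
INCOMPATIBLE = [(("price_table", "change"), ("sales_orders", "input"))]


def authorize(user, asset, function, matrix=ACCESS_MATRIX):
    """Deny by default: an unknown user, asset or function gets no access."""
    group = USER_GROUP.get(user)
    return function in FUNCTIONS and function in matrix.get((group, asset), set())


def request(user, asset, function, report, matrix=ACCESS_MATRIX):
    """Decide a request and record every change or input attempt for later review."""
    allowed = authorize(user, asset, function, matrix)
    if function != "read":
        report.append(
            {"user": user, "asset": asset, "function": function, "allowed": allowed}
        )
    return allowed


def incompatible_duties(matrix=ACCESS_MATRIX):
    """Return the groups whose rights combine duties that should be segregated."""
    findings = []
    for group in sorted({g for g, _ in matrix}):
        for (asset_1, func_1), (asset_2, func_2) in INCOMPATIBLE:
            holds_first = func_1 in matrix.get((group, asset_1), set())
            holds_second = func_2 in matrix.get((group, asset_2), set())
            if holds_first and holds_second:
                findings.append((group, f"{func_1} {asset_1}", f"{func_2} {asset_2}"))
    return findings
```

    The change report records denied attempts as well as allowed ones, so it still gives evidence when someone probes a master file they have no right to change.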

    5-51.

    a. There are numerous ways in which continuous monitoring might be applied in a computerized application that processes sales. Options the students might consider include:

    Compare daily recorded sales with sales orders and reconcile differences on a daily basis,

    Implement a procedure that identifies all items that were rejected by controls and determine that they are investigated and corrected on a timely basis,

    Use software that continuously tests processed transactions for anomalies in the data, as well as potential controls that did not work or were overridden.

    b. The intent of this exercise is to get students familiar with a new class of IT monitoring software that has now reached the market. The three systems the firms sell have a common ability to test for areas where controls are not operating, or were overridden. In addition, they are also quite effective for analyzing incompatible duties in ERP systems such as Oracle or SAP. The software of some of these firms is designed to:

    Anticipate all the items that could go wrong in processing,

    Expand the testing beyond the application, for example, the software can check social security numbers against a list of valid social security numbers,

    Prepare both text reports and graphical reports that quickly tell those who have oversight responsibilities where the systems may be going wrong.

    These systems all have the ability to take advantage of many years of analysis of what can go wrong in processing transactions and thus bring an expertise to the systems that is beyond that which any one individual company might accomplish. The discussion of whether these systems constitute a monitoring control or just another level of controls is interesting. In many instances, monitoring often acts as a control that checks the operation of other controls. Thus, in the authors' opinion, the products sold by these companies represent an effective way to monitor existing controls.

    5-52.

    Control Tested / Test Results / Significant Deficiency? / Material Weakness?

    (1) All sales over $10,000 require computer check of outstanding balances to see if approved balance is exceeded.

    Test results: Tested throughout year with a sample size of 30. Only 3 failures, all in the last quarter, but all approved by sales manager.

    Significant deficiency? Yes. Obviously $10,000 is a material enough amount that they decided to set the threshold there. A 10% failure rate suggests that the control is not operating effectively, even if the transactions that fell through were later approved. The risk here would be that the estimate for uncollectible accounts would be understated. But the sales manager's approval is an adequate compensating control.

    Material weakness? No, it does not rise to this level given the sales manager's actions.

    (2) The computer is programmed to record a sale only when an item is shipped.

    Test results: Sampled ten items during the last month. One indicated that it was recorded before shipped. Management was aware of the recording.

    Significant deficiency? No, because it rises to the level of a material weakness.

    Material weakness? Yes. Computers do not make errors. The fact that the recording was made before shipment suggests that the computer control is flawed. Because this is a fundamental transaction to the revenue cycle and many others could potentially have been affected, it should be classified as a material weakness.

    (3) All prices are obtained from a standardized price list maintained within the computer and accessible only by the marketing manager.

    Test results: Auditor selected 40 invoices and found 5 instances in which the price was less than the price list. All of the price changes were initiated by sales people.

    Significant deficiency? No. The transactions were still recorded for the proper amount, i.e. what the customer paid. This does not appear as though it would cause a misstatement as much as it could lead to lower profitability of the business. Questions of computer access controls should also be raised.

    Material weakness? No

    (4) Sales are shipped only upon receiving an authorized purchase order from customer.

    Test results: Auditor selects 15 transactions near the end of each quarter. On average, 3-4 are shipped each quarter based on salesperson's approval and without a customer purchase order.

    Significant deficiency? No, because it rises to the level of a material weakness.

    Material weakness? Yes. 20% or more error suggests a material deficiency. Considering that this again is a fundamental transaction, the error could have occurred on a large (material) scale. Revenue could be overstated if unauthorized shipments are being made. The estimate for uncollectible accounts would also be affected.

    (5) Every shipment is assigned a number by the computer when an order is taken. A report is prepared each month showing the status of all items where purchase orders have been received, items currently in progress, and items shipped.

    Test results: Auditor examines three of the weekly reports and observes that the items shown as shipped do not reconcile with the number of items invoiced. Management says this is a regular process and does not affect recording.

    Significant deficiency? No, because it rises to the level of a material weakness.

    Material weakness? Yes. When an item is shipped, the computer is programmed to then record a sale. If the amount shipped does not reconcile with the amount invoiced, the program is not functioning correctly. If the error is large enough, it could be classified as a material deficiency in internal control.
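
    Added example (not part of the original solutions): a continuous test of the kind listed in 5-51 a, applied to controls (2), (4) and (5) of 5-52. The order, shipment and invoice records and the exception codes are constructed assumptions.

```python
from datetime import date

# Constructed records for illustration (not from the case).
ORDERS = {
    1001: {"customer_po": "PO-7781"},
    1002: {"customer_po": None},          # shipped on a salesperson's approval only
    1003: {"customer_po": "PO-7790"},
    1004: {"customer_po": "PO-7795"},
}
SHIPMENTS = {1001: date(2024, 3, 28), 1002: date(2024, 3, 29), 1003: date(2024, 4, 2)}
INVOICES = [
    {"invoice": "INV-1", "order": 1001, "recorded": date(2024, 3, 28)},
    {"invoice": "INV-2", "order": 1003, "recorded": date(2024, 3, 30)},
    {"invoice": "INV-3", "order": 1004, "recorded": date(2024, 3, 31)},
]


def monitor(orders, shipments, invoices):
    """Return (order number, exception code) pairs for follow-up, in a stable order."""
    exceptions = []
    invoiced = set()
    for inv in invoices:
        order = inv["order"]
        invoiced.add(order)
        shipped_on = shipments.get(order)
        if shipped_on is None:
            # Control (2): a sale may be recorded only when the item is shipped.
            exceptions.append((order, "SALE_RECORDED_NOT_SHIPPED"))
        elif inv["recorded"] < shipped_on:
            exceptions.append((order, "SALE_RECORDED_BEFORE_SHIPMENT"))
    for order in sorted(shipments):
        if order not in invoiced:
            # Control (5): items shown as shipped must reconcile with items invoiced.
            exceptions.append((order, "SHIPPED_NOT_INVOICED"))
        if not orders.get(order, {}).get("customer_po"):
            # Control (4): ship only on an authorized customer purchase order.
            exceptions.append((order, "SHIPPED_WITHOUT_CUSTOMER_PO"))
    return exceptions


def exception_rate(orders, shipments, invoices):
    """Share of orders with at least one exception, for trend reporting."""
    flagged = {order for order, _ in monitor(orders, shipments, invoices)}
    return len(flagged) / len(orders) if orders else 0.0
```

    Run daily, the list goes to someone outside sales and billing, and an exception with no documented follow-up is itself evidence about the monitoring control.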


    5-53.

    a. Defic