
Solutions for Chapter 5 Internal Control over Financial Reporting

Review Questions:

5-1. Controls must emanate from the intent of owners and creditors of an organization to protect the resources entrusted to an organization. The stockholders give the board of directors power to delegate responsibilities to the management of the corporation. The board of directors is responsible for providing management oversight on behalf of the shareholders and is responsible for approving major investments, divestitures, and financing for the corporation. Part of the responsibility of the management is to ensure that an effective and efficient control infrastructure is established and followed to produce reliable financial reports, to comply with laws, to run the business proficiently, and to safeguard assets. Research has shown that good internal control is correlated with higher economic returns and lower cost of capital. This reiterates that good internal control is good for business as it enhances the reliability of data for decision-making as well as ensuring that all transactions are recorded.

5-2. Risk assessment is a process designed to identify potential events that may affect the entity and to manage those risks within the entity’s risk appetite. Controls are used to mitigate the risks that are identified.

5-3. The COSO Internal Control, Integrated Framework has five elements:
• Control Environment
• Risk Assessment
• Control Activities
• Information & Communication
• Monitoring

These components are based on the organization first setting its objectives for financial reporting. The COSO Framework is the predominant framework used by companies in assessing the adequacy of their internal controls over financial reporting. Thus, the COSO Framework has become more widely used as a result of the enactment of the Sarbanes-Oxley Act of 2002.

5-4. Internal control is defined as: A process, effected by an entity’s board of directors, managers, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories: (1) reliability of financial reporting, (2) compliance with applicable laws and regulations, (3) effectiveness and efficiency of operations, and (4) safeguarding of assets.

It is important to assess control risk in an audit engagement because it allows the auditor to identify the types of misstatements most likely to occur and to plan the audit. Internal control is a process that emanates from the board of directors and management of the company and thus is an integral part of the overall governance and risk management process. Internal control over financial reporting includes the design and implementation of control procedures to ensure, among other things, that all transactions are properly authorized, recorded in the correct time period, and valued correctly; and that assets are adequately safeguarded. Since the auditor’s job is to render an opinion on the financial statements, they are more concerned with the internal controls that affect financial reporting. In most companies, however, it is difficult to draw a line between “internal controls” and “internal controls over financial reporting,” because many controls that may seem unrelated can in some way indirectly affect financial reporting. The broader definition of internal auditing addresses objectives related to operations and compliance, as well as financial reporting.

5-5. “Tone at the top” is the impression the top management gives the organization about the importance of the internal control structure. If management is very strict about disciplining wrongdoings, personnel will learn that they must follow the rules very carefully. If management is lax about enforcing the controls, there are more likely to be financial misstatements. Auditors assess tone at the top through their interactions with management, and by observing the decision-making and behavior of management. For example, is management always “pushing the envelope”? Or, in contrast, is management conscientious about its interpretation and application of GAAP? Whether management fits into the former or the latter category is one indication of the tone at the top.

5-6. An organization's control environment is the overall tone of operations of an organization which collectively serve to enhance, or alternatively mitigate, the functioning of specific control policies and procedures. The control environment reflects the overall attitude, awareness, and actions of those in control of the organization in creating an atmosphere of control. The components of the control environment include:
• management's philosophy and operating style,
• the entity's organizational structure,
• the functioning of the board of directors and its committees, particularly the audit committee,
• human resource policies and practices,
• integrity and ethical values,
• commitment to competence.

5-7. The auditor should be capable of evaluating the competency of the accounting staff:
• first, the auditor has expertise in the accounting area,
• second, the commitment to competence is an integral part of internal control, and by professional standards, the audit firm should not accept the engagement unless they have the expertise to assess the client’s controls.

There are a number of ways in which the auditor can evaluate the competency of the accounting staff, including the following:

• evaluating the judgments made on areas where accounting choices have been made,
• evaluating the number of exceptions noted in audit testing,
• discussions with accounting staff regarding accounting and audit issues,
• gathering input from the CEO or the audit committee,
• evaluating the background (academic and work) of the staff, as well as the experience in dealing with issues related to the company.

5-8. The board of directors and audit committee are responsible to the shareholders and therefore have significant oversight and monitoring responsibilities. Most reports on corporate governance have recommended the need for competent and independent directors who have the time and sufficient information system to provide oversight. If the board and audit committee do not meet the requirements, then it is difficult to assume that there is effective oversight over management. The control environment would be weak and the auditor would have to conclude that there is a significant deficiency in internal control. There are a number of factors the auditor can look at in evaluating the audit committee, including, but not limited to the following:
• the independence of the members,
• the accounting or financial expertise and background of the members,
• the types of questions asked during an audit committee meeting,
• an assessment, through interaction with the audit committee chair, and the other members of whether they take their oversight responsibilities seriously,
• the number of meetings held per year and the length of time of the meetings,
• the agendas for the audit committee meeting (can be compared with best practices),
• the actions the committee takes regarding the evaluation of internal audit and financial personnel,
• the audit committee’s own self evaluation.

5-9. Monitoring is an overall control process that is designed to continually assess the design and operation of a control system. It is designed to give management feedback on how well the existing control system is operating. Examples of monitoring controls include:
• management exception reports on transactions rejected by the computer system.
• management reports on gross margins of products by product lines and by stores.
• management oversight and review of operations.

The authors speculate that the concept of monitoring controls will change the audit by shifting focus on evaluating and testing the effectiveness of monitoring controls. If monitoring controls are working effectively, the auditor and the organization can have confidence that other controls are working properly. The rationale is that properly working monitoring controls should detect and correct problems in other controls on a timely basis.

5-10. There are a number of controls, other than compensation plans, that management can implement to encourage divisional management actions that are consistent with the long-run objectives of the organization. Some of these controls are

a. Identification of non-financial measures of superior performance. Examples might include production or quality quotas, or both.
b. Establishment of budgets and investigation of variances.
c. Periodic review of controls by internal audit department.
d. Management tone set at the top that manipulation of accounting is unacceptable - even the pushing of accounting transactions that might be acceptable to accomplish a particular objective.

There are significant risks associated with management compensation schemes that place heavy emphasis on reported divisional profits. Without sufficient controls, such as those discussed above, divisional management may be motivated to stretch the accounting for transactions to achieve higher reported earnings in order to maximize bonuses. Some of these schemes might mirror the example discussed in the chapter, but other schemes can have more serious effects on the organization. Some managers 'cut corners' on the quality of production to boost profits. There have been examples in the defense industry where managers cut corners by purchasing substandard fasteners that are now failing on multi-million dollar pieces of equipment. Accounting research has shown that the structure of compensation plans for management can significantly influence behavior. Therefore, the auditor should gain an understanding of compensation schemes to determine their potential effect on the organization.

5-11. Significant deficiency in internal controls over financial reporting: a deficiency, or a combination of deficiencies, in internal control over financial reporting that is less severe than a material weakness, yet important enough to merit attention by those responsible for oversight of the company's financial reporting.

Material weakness in internal controls over financial reporting: a deficiency, or a combination of deficiencies, in internal control over financial reporting, such that there is a reasonable possibility that a material misstatement of the company's annual or interim financial statements will not be prevented or detected on a timely basis.

5-12. If an audit committee has weak directors with little financial knowledge and inadequate independence, the auditor would evaluate the control environment part of internal control as weak. The PCAOB says that a non-effective audit committee would constitute a material weakness in internal control over financial reporting, as it indicates that an essential part of internal control may be lacking. Enron, WorldCom, and Tyco all had ineffective boards of directors, and it would be difficult to argue that those boards did not constitute material weaknesses in internal control.

5-13. A material weakness in internal control is a deficiency, or a combination of deficiencies, in internal control over financial reporting, such that there is a reasonable possibility that a material misstatement of the company's annual or interim financial statements will not be prevented or detected on a timely basis. It is an auditor judgment, as well as a management judgment, as to whether a deficiency constitutes a significant deficiency or a material weakness. Some of the factors that the auditor will consider in making such a judgment include:
• potential effect of the control failure on the account balance, i.e. if it could reasonably lead to material misstatements in the financial statements, then it is a material weakness,
• the pervasiveness of the deficiency, i.e. does it affect only one account or does it affect many financial statement accounts, or the overall internal control,
• whether the deficiency is related to a computer program and thus occurs on every transaction, or if it is isolated to selected manual procedures,
• whether it addresses a high risk area, such as a material accounting estimate.

For each deficiency identified, the auditor should consider the types of misstatements that could take place in the financial statements and how the misstatements might occur. The auditor then should develop specific audit tests to determine if such misstatements are included in the financial statements.

5-14. Internal audit plays a key role in assisting management in preparing its report on internal control. Internal audit is one of three sources for management to receive information on the effectiveness of internal controls, but it is probably the most utilized source. Often internal auditors are the ones doing the testing and documentation of the controls rather than management itself. Under the PCAOB standard, internal auditors are considered to be an extension of management rather than independent of management. This is evidenced by the fact that external auditors cannot exclusively rely on the testing done by internal audit when preparing their report on the effectiveness of internal controls.

5-15. Segregation of duties is the separation of functions across individuals such that one individual is not put in a situation where he/she can both perpetrate a fraud or error and conceal the fraud or error through the manipulation of accounting records. The kinds of segregation of duties the auditor will want to inquire about include:
• The functions of authorizing a transaction, recording the transaction and handling any physical assets related to a transaction should be separate. Example: The purchasing agent should not be allowed to set up accounts payable or take custody of the goods when received.
• Authorization of transactions should be separated from the custody of assets and processing of transactions. Example: The inventory clerk should not be allowed to transfer inventory without the written authorization of the production manager.
• Record-keeping and operational responsibilities should be separated. Example: The accounts receivable bookkeeper should not be responsible for the receipt of cash.
• There should be independent checks on the assets and records whereby one department reconciles or otherwise acts as a double check on another department. Example: Employees who are independent of inventory custody or record keeping periodically count inventory and compare it to amounts recorded in the perpetual inventory record.
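
The segregation-of-duties rules in 5-15 can be tested mechanically against transaction records. The following is an added example, not part of the original solutions; the field names, user names and sample records are constructed for illustration.

```python
from collections import defaultdict

# The three functions 5-15 says must be held by different people.
DUTIES = ("authorized_by", "recorded_by", "custody_by")

# Constructed sample records (hypothetical users and document numbers).
TRANSACTIONS = [
    {"id": "PO-1001", "authorized_by": "pagent", "recorded_by": "apclerk",
     "custody_by": "receiving"},
    # Purchasing agent also set up the payable.
    {"id": "PO-1002", "authorized_by": "pagent", "recorded_by": "pagent",
     "custody_by": "receiving"},
    # Inventory transfer with no authorization, moved and booked by the clerk.
    {"id": "INV-2001", "authorized_by": None, "recorded_by": "invclerk",
     "custody_by": "invclerk"},
    # Accounts receivable bookkeeper also received the cash.
    {"id": "AR-3001", "authorized_by": "creditmgr", "recorded_by": "arbook",
     "custody_by": "arbook"},
]


def sod_findings(txn):
    """Return the segregation-of-duties findings for one transaction."""
    findings = []
    held = defaultdict(list)
    for duty in DUTIES:
        person = txn.get(duty)
        if not person:
            findings.append(f"missing {duty}")
        else:
            held[person].append(duty)
    for person, duties in sorted(held.items()):
        if len(duties) > 1:
            findings.append(f"{person} holds " + "+".join(duties))
    return findings


def review(transactions):
    """Map transaction id -> findings, listing only transactions with findings."""
    report = {}
    for txn in transactions:
        findings = sod_findings(txn)
        if findings:
            report[txn["id"]] = findings
    return report


def reconcile_count(perpetual, counted, counter, custody_or_records_staff):
    """Independent check: compare a physical count to the perpetual record.

    The count is rejected if the counter is not independent of inventory
    custody or record keeping. Returns {sku: counted - recorded} for every
    item that does not agree.
    """
    if counter in custody_or_records_staff:
        raise ValueError(f"{counter} is not independent of custody/record keeping")
    variances = {}
    for sku in sorted(set(perpetual) | set(counted)):
        diff = counted.get(sku, 0) - perpetual.get(sku, 0)
        if diff:
            variances[sku] = diff
    return variances


if __name__ == "__main__":
    for txn_id, findings in review(TRANSACTIONS).items():
        print(txn_id, findings)
    print(reconcile_count({"A": 10, "B": 5}, {"A": 10, "B": 3, "C": 1},
                          "intaudit", {"invclerk"}))
```
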

5-16. The auditor needs knowledge of an organization’s compensation scheme to determine if there might be motivation to misstate financial data in order to meet performance goals, and thus to generate added bonuses or stock options. The nature of compensation affects human behavior. In evaluating the compensation practices of a company, the auditor should look at whether:
• the compensation promotes short-term thinking?
• the compensation places personal objectives above those of the company?
• employees are compensated with stock. If so, does it promote a long-term view (such as vesting after six years)?
• the employees are required to own company stock themselves so they can act as advocates of shareholders?

The auditor should evaluate the risk associated with accounts that could more directly be affected by those with compensation schemes that are considered risky. For example, the auditor should evaluate significant estimates with a great deal of skepticism, and should perform increased analytical review to search for potential revenue recognition problems.

5-17.
a. Limit Test. A reasonable limit for types of transactions is set in advance. If a transaction exceeds the limit, the transaction is written out to an edit report that can be reviewed to determine if the transaction is correct. A common type of limit test is setting the number of hours that an employee is expected to work during a given time period. If part-time employees, for example, are not expected to work more than 30 hours during a given week, then a limit test of 30 could be programmed into the system. If someone with a part-time job code worked more than 30 hours, it would be written to an edit report and reviewed by a supervisor to determine if it was valid.
b. Reasonableness Test. The concept is that the organization can determine the reasonable range within which specific types of transactions should fall. An example of a reasonableness test in a retail organization would be setting parameters on the range of individual price items for a department. A nuts and bolts department, for example, would not expect to sell items with unit prices exceeding $10.00. Any items outside of the range would be written to an edit report and investigated before they can be processed.
c. Validity. A validity test identifies a limited number of valid values that a data item may take. An input transaction is compared with the previously identified list of valid transaction characters. Any items failing this list are written out to an edit test. An example of a validity test would include the department number for which a sale is entered.
d. Missing Data. The organization identifies all the data required to process a transaction. Missing data are noted and either an edit report is written or the individual inputting the data may be reminded that such data is required in order to complete a transaction. For example, a retail customer may request a credit card and/or a catalog. A missing data check would prohibit the processing if the customer’s address were not entered.

e. Invalid combination of items. Certain logical relationships of data should exist and if they do not exist, the transaction is printed out for further review before processing. An example in the retail environment might match the department code with a valid list of products that are sold in that department.

5-18. The major principles that should guide the development of a comprehensive access control and security program for an organization include
• The access to any data item should be limited to those individuals with an authorized need to know
• The ability to change, modify, or delete a data item should be limited to those with the authorization to make such changes.
• The access control system should have the ability to identify and verify potential users as authorized or unauthorized to perform the function requested on the data item identified.
• A security department should actively monitor attempts to compromise the system and prepare periodic reports to those responsible for the integrity of data items on access to the data items.

5-19. The primary methods to authenticate (or verify) that a user is attempting to gain access to restricted data or files include

a. Method of Authentication: Identification by what the user knows, such as passwords, or some other information likely known only to that person such as mother's maiden name.
Advantages and Disadvantages: Passwords are easy to implement and if guarded properly by users, they can be quite effective. Passwords are often compromised or shared with non-authorized users. User-selected passwords can be easy to guess and therefore compromised.

b. Method of Authentication: Identification of users by something they possess, generally a plastic card with a magnetic strip.
Advantages and Disadvantages: The cards contain information needed to identify the user and must be present to gain access. A disadvantage is that cards can be stolen or fraudulently used. In sensitive systems, such as ATMs, the plastic cards are often used in conjunction with a password system to further minimize risk.

c. Method of Authentication: Identification of users by some physical characteristic such as fingerprint, voiceprint, or other unique identification.
Advantages and Disadvantages: Physical identification is often thought to be best because it is the method we utilize most often to identify other individuals. However, there are problems with implementation of identification by physical characteristics. The required hardware and software have been prohibitively expensive and reliability has been low. There are also questions of potential reliability should someone be inadvertently denied access. There is a second problem with physical identification. Remember that to implement any authentication technique, an image of the physical representation must be stored somewhere on the computer system. The computer is then programmed to compare the representation in the computer with the physical representation sent into the system. If that representation is somehow stolen (either by accessing the system or copying it while being sent over communication lines), then there will be a need to revoke that user’s privilege. However, since the privilege is unique to that individual, then it is lost to that individual for all time hence forth, thus completely eliminating the individual’s ability to use the system. Thus, most systems are going to a combination of the first two items noted above.

5-20. General controls are pervasive control procedures that affect all computerized applications. They interact with application control procedures in forming a data processing control structure. Some general control procedures affect all applications and are considered by the auditor in evaluating the control risk of a specific application, e.g., the control procedure restricting access to computer programs and authorizing changes in computer programs.
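
The five input edit tests listed in 5-17 (limit, reasonableness, validity, missing data, invalid combination) can be shown working together on one batch. This is an added example, not part of the original solutions; the 30-hour limit and the $10.00 price ceiling come from 5-17, while the field names, department and product lists and sample batch are constructed, and numeric fields are assumed to arrive already parsed as numbers.

```python
PART_TIME_LIMIT_HOURS = 30                    # from 5-17 (limit test)
PRICE_RANGE = {"nuts_bolts": (0.01, 10.00)}   # $10.00 ceiling from 5-17; floor assumed
DEPARTMENT_PRODUCTS = {                       # constructed master data
    "nuts_bolts": {"hex-nut", "lag-bolt"},
    "paint": {"latex-gal"},
}
REQUIRED_FIELDS = {                           # constructed field lists per input type
    "timesheet": ("employee", "job_code", "hours"),
    "sale": ("department", "product", "unit_price"),
    "card_request": ("customer", "address"),
}


def _blank(value):
    """True for None or an empty/whitespace string; 0 is a real value."""
    return value is None or (isinstance(value, str) and not value.strip())


def edit_check(txn):
    """Return (test_name, detail) findings; an empty list means the input passes."""
    required = REQUIRED_FIELDS.get(txn.get("kind"))
    if required is None:
        return [("validity", "unknown transaction kind")]
    # Missing data: stop here, the later tests need these fields.
    missing = [name for name in required if _blank(txn.get(name))]
    if missing:
        return [("missing data", name) for name in missing]

    findings = []
    if txn["kind"] == "timesheet":
        # Limit test: part-time job code may not exceed the programmed limit.
        if txn["job_code"] == "PT" and txn["hours"] > PART_TIME_LIMIT_HOURS:
            findings.append(("limit", f"{txn['hours']} hours exceeds {PART_TIME_LIMIT_HOURS}"))
    elif txn["kind"] == "sale":
        dept = txn["department"]
        # Validity: department must be on the list of valid values.
        if dept not in DEPARTMENT_PRODUCTS:
            return [("validity", f"department {dept!r} not on valid list")]
        # Reasonableness: unit price must fall in the department's range.
        low, high = PRICE_RANGE.get(dept, (0.01, float("inf")))
        if not low <= txn["unit_price"] <= high:
            findings.append(("reasonableness", f"unit price {txn['unit_price']:.2f} outside {low}-{high}"))
        # Invalid combination: product must be sold in that department.
        if txn["product"] not in DEPARTMENT_PRODUCTS[dept]:
            findings.append(("invalid combination", f"{txn['product']} not sold in {dept}"))
    return findings


def process_batch(batch):
    """Split a batch into accepted ids and an edit report held for review."""
    accepted, edit_report = [], {}
    for txn in batch:
        findings = edit_check(txn)
        if findings:
            edit_report[txn["id"]] = findings
        else:
            accepted.append(txn["id"])
    return accepted, edit_report


# Constructed sample batch.
BATCH = [
    {"id": 1, "kind": "timesheet", "employee": "E17", "job_code": "PT", "hours": 28},
    {"id": 2, "kind": "timesheet", "employee": "E18", "job_code": "PT", "hours": 34},
    {"id": 3, "kind": "sale", "department": "nuts_bolts", "product": "hex-nut", "unit_price": 0.35},
    {"id": 4, "kind": "sale", "department": "nuts_bolts", "product": "lag-bolt", "unit_price": 35.00},
    {"id": 5, "kind": "sale", "department": "garden", "product": "hex-nut", "unit_price": 0.35},
    {"id": 6, "kind": "sale", "department": "paint", "product": "hex-nut", "unit_price": 4.00},
    {"id": 7, "kind": "card_request", "customer": "C. Doe", "address": ""},
]

if __name__ == "__main__":
    accepted, report = process_batch(BATCH)
    print("accepted:", accepted)
    for txn_id, findings in report.items():
        print("edit report:", txn_id, findings)
```
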

Some general controls affect a specific computer application indirectly for the time period audited. For example, control procedures over program changes may not affect a computer application that does not undergo any changes during the current time period. Other control procedures, such as access control procedures, will affect all computer applications and should be treated as an integral part of the evaluation of control procedures for the application. The auditor makes a decision regarding the testing of general controls based on (1) the importance of the procedure to the auditor's assessment of risk for assertions related to particular account balances and (2) the overall importance of the controls to other financial statement accounts. In some instances, management controls, often referred to as monitoring controls, provide evidence of the existence of the operation of other controls and may be used by the auditor as evidence of the functioning of other control procedures. For example, the auditor may determine that the personnel manager gets complete reports on all changes to an important file and reviews all changes to that file for authorization and completeness thereby providing evidence on the effectiveness of other control procedures.

5-21. Management gains assurance about the quality of its internal control systems in much the same way as the external auditor. For example, management can gain assurance through:
• internal audit examinations and reports,
• external audits and reports,
• regulatory audits and reports,
• feedback from operating personnel,
• periodic control self-assessments by management personnel,
• exception reports.

5-22. Controls the auditor might examine to determine that "all valid transactions are recorded" might include:
• use and reconciliation of pre-numbered documents,
• use of carefully controlled corporate documents,
• signed authorization of transaction before recorded,
• supervisory review of transactions before recording,
• supervisory review of all exception reports generated by computer edit tests,
• limited access and proper authorization for changing prices for products sold,
• date and time stamps on shipping documents, and similar date and time stamps indicating the recording of the transaction.

To test whether these controls are operating, the auditor can take a sample of transactions and trace them through the processing system to determine that (1) controls are working as described, and (2) all valid transactions are recorded in a timely fashion.

5-23. The major control objective related to the occurrence assertion is that recorded transactions and events have occurred and they pertain to the entity in question. The occurrence assertion is fundamental to auditing, and only after a transaction is deemed to have happened can it be tested for accuracy.

To achieve the occurrence objective, an organization might implement the following controls:
• Pay employees only if the employee already exists on the master payroll and is entered on that payroll by someone independent of payroll processing.
• A supervisor verifies that the employee worked, or the payroll department verifies by existence of time cards.
• Sales are recorded only with evidence of a customer’s order and shipment.

5-24. Yes, but only for public companies. The PCAOB has mandated that the external auditor must test operating effectiveness of significant controls in the financial reporting process and cannot exclusively rely on management’s tests, including those tests performed by the internal auditors. This PCAOB mandate only applies to public company audits. Non-public company auditors are not yet required to report separately on internal controls.

5-25. Yes, management is required to assess each of the items as they are all part of the control environment, and therefore are a critical part of an organization’s internal controls. Management and external auditors would go about assessing each item as follows:

Area: Independence and Competence of the Board
Audit Procedures to Assess:
• Review board composition to determine the number of independent directors.
• Examine the existence of any past relationship with the audit client, e.g., a past supplier, etc.
• Review minutes to determine if board acts independently, and if they address substantive issues.
• Determine the extent to which the board is active in strategic planning and risk management.

Area: Effectiveness of the Audit Committee
Audit Procedures to Assess:
• Review composition of board to determine if the audit committee meets the requirements of independence and financial expertise by looking at their past experience and education.
• Review minutes of audit committee meeting to determine the nature of the meetings and the engagement of committee members.
• Evaluate the quality of discussion that takes place during the period of time that the firm sits in on audit committee meetings or in private sessions with the audit committee.
• Assess the quality of interaction with the chair of the audit committee.

Area: Competence of Accounting Personnel
Audit Procedures to Assess:
• Evaluate the background and education of accounting personnel.
• Review the key accounting judgments made by accounting personnel during the past year to determine if the judgments were (a) appropriate, and (b) properly researched.
• Determine whether adjustments that were made to the financial statement as a result of the audit reflect on the competency of accounting personnel.
• Interview and interact with key personnel to determine their accounting knowledge.

Area: Adherence to the Code of Ethics
Audit Procedures to Assess:
• Review communication to employees about the Code of Ethics.
• Review the company’s plans (including internal audit) to gain assurance that company employees are adhering to the code of ethics. Review management’s findings and follow up on selected findings to verify the result.
• Review known ethical violations to determine (a) what action was taken, and (b) for significant violations, how the action was communicated to other employees.
• Determine whether a ‘hotline’ exists for employee complaints. Review the nature of complaints, and more importantly, determine the nature of follow up by the company.

5-26.
Publicly-held companies: Auditors must attest to the effectiveness of the client’s internal controls over financial reporting.
Non-publicly-held companies: Auditors must report to management and the board of directors significant deficiencies and material weaknesses in the design or operation of internal controls that are identified in the normal course of a financial audit. This report is only for management and board use. An auditor may choose not to test internal controls when they are not significant to the operations of the company. For example, the auditor may assess control risk as high and concentrate audit work on substantive tests of account balances.

5-27. Under AS 5, auditors attest to the effectiveness of the client’s internal controls over financial reporting. In performing an audit of controls, the auditor must:
• Review the client’s documentation of controls, including a description of how the controls are supposed to work (design)
• Review the client’s testing of the controls as a basis for reaching their conclusion on effectiveness (operations), but not exclusively rely on management’s tests, including those of the internal auditor
• Determine which controls to test (all significant controls), how large of a sample to take, and how to judge whether or not a control is effective, and
• Reach a conclusion about the effectiveness of the client’s internal controls over financial reporting.

Factors to consider in determining the sample size for testing:
• Controls performed on every transaction
a) Whether or not failure of the control procedure is likely to lead to a significant misstatement in the account balance
b) The rate of failure that would lead to a material misstatement, and
c) A statistical confidence level that would assure the auditor that there is not more than a remote likelihood that the control could be failing and not be detected by the auditor
• Computerized controls as part of every transaction
Must be sufficient to persuade the auditor that the control operates effectively across a wide variety of transactions throughout the year. If the auditor has already tested controls over program change and has concluded those controls are effective, the tests of the computerized controls could be as small as one. Exception reports may be examined as well.
• Monthly control procedures
If the design is adequate, choose one month and re-test the client’s tests of these accounts.
• Year-end adjusting entries
The better the control environment, the smaller the sample size will be, and vice versa. The auditor should select a sample that includes a random selection of entries, but also all entries of significant amount. They should be tested to see that
a) controls are not being overridden by management
b) there is support for each entry
c) each entry has proper approval
• Controls over estimates
The auditor is more concerned that these controls are working when it is likely that the amounts would be in year-end balance sheet accounts. The sample should be taken from transactions during the latter part of the year following similar criteria to the transaction controls discussed above.

5-28. A walkthrough is an audit approach designed to gain an understanding of the processing that takes place in the accounting system. In performing a walkthrough, the auditor "walks" a transaction through its processing and makes inquiries of client personnel about the nature of the processing that takes place at each stage of processing. By walking through the processing of the transaction, the auditor can identify important controls and their operation. The auditor can also identify situations where the client’s processing does not follow prescribed procedures.

Taking a tour of the plant can assist the auditor in gaining an understanding of controls in a significant number of ways. Some of these include:
• important information on the procedures used for receipt of goods, or transfer of goods through the production cycle,
• information regarding the transfer of goods from work-in-process to finished goods,
• documents used in operations that become part of the accounting system,
• identification and use of computerized collection mechanisms, such as automated timekeeping systems, or use of automated equipment to facilitate shipments of goods,
• use of, and control of, production lines, and the physical control over assets,
• the general appearance of inventory, including the orderly nature of equipment and inventory,
• an assessment of the control conscientiousness of employees (in a general sense) can be made based on observations, etc.

A general observation can tell the auditor quite a bit about how well things are controlled just by how neat the factory floor is and the general appearance of inventory items.

Multiple Choice Questions:

to comply with laws. how they operate. c d. and o there was a weakness in access controls related to the computer system. and how to test them. This is intended for discussion. Part of the responsibility of the management is to ensure that an effective and efficient control infrastructure is established and followed to produce reliable financial reports. c. Rather. Having such internal control weaknesses is not unethical. then the auditor might start to question the ethical intent/stewardship of management. 5-31. per se. e. This question is intended to challenge students to think about internal controls from a broader perspective than simply the technical details of. d. b. and financing for the corporation. 5-32. o there was improper segregation of duties regarding the accounting for. b. d. divestures. and management still does not apply the resources necessary to correct the problems. this question is designed to get students to consider the role of internal controls in assuring high quality financial reporting and solid business decision making. and to safeguard assets. Controls must emanate from the intent of owners and creditors of an organization to protect the resources entrusted to an organization. o there were improper controls over the dating and recording of sales near the end of the year that could affect the timeliness of recording transactions. 5-36. if the auditor identifies weaknesses. But. Auditors will not view weak controls as an ethical risk factor if management is quick and willing to address the problems. management’s lack of stewardship as evidenced by these weak controls is what is questionable. 5-37. to run the business proficiently. 5-30. 5-38. brings them to management’s attention. Discussion and Research Questions: 5-39. of inventory. Rather. 5-34. The board of directors is responsible for providing management oversight on behalf of the shareholders and is responsible for approving major investments.5-29. b. 
Stated another way: Controls are a way for management to meet the stewardship obligation to a company’s owners (shareholders). c. Recall that Milacron had the following internal control weaknesses: o the accounting department lacked the technical expertise to deal with many of the complex accounting issues that the company had to address. c. Support for the answer that it will improve governance is as follows: . d. for example. 5-35. 5-33. and control. The stockholders give the board of directors power to delegate responsibilities to the management of the corporation. what basic controls are. a.

However. When the controls – and therefore the trust in management and management’s reports – are lacking. Controls are designed to provide a stewardship report to the owners of the organization. It is important that students understand that this risk assessment process is significantly broader than evaluating the risks associated only with the processing of transactions.Good governance is part of the ‘tone at the top’ and the control environment. Control activities are the policies and procedures implemented by management to ensure the accomplishment of objectives and the mitigation of risks. The auditor explicitly has to report to shareholders if the auditor believes there are weaknesses at this level. The major argument on the cost-benefit of governance is on the cost side of things. capturing. The major elements of an organization's internal control process are: Control Environment: The control environment sets the tone at the top of the organization and determines the rigor with which systems and controls are adequately designed. a. including sufficient monitoring by management and the board of directors. there was a heavy start-up cost associated with Sec. will improve the governance of most organizations. Most of the effects on stock prices have been on the negative side due to:   accounting restatements – often due to a breakdown in controls. investors are not as willing to pay as high of a price for the company. There is evidence that internal control information affects stock prices. The higher discount negatively affects stock prices. 404 reports. The control environment is pervasive. Investors expect high quality internal controls. and exchanging information in a timely fashion to enable the accomplishment of the organization’s objectives. Information and Communication: The process of identifying. This can occur through a higher ‘risk-adjusted’ discount rate in determining stock prices. It is hard to argue that this can be other than good. 
The communication may come in the form of management . The initial implementation of Sarbanes-Oxley section 404 was very expensive because of the auditor’s emphasis on detailed documentation and testing of controls. there is strong motivation to ensure that governance is good. adverse reports on the quality of controls. A sound control system will include improved monitoring controls. Improved monitoring by the board. Risk Assessment: The process the entity goes through to identify and analyze the relevant risks that may affect the achievement of the organization’s objectives. Control Activities: The nature of controls to be implemented are directly dependent on the control environment and the risk assessment process. there is a learning curve and costs are expected to decrease over time as auditors and managers learn to better document and improve controls. Thus. including risk analysis. d. 5-40. like everything. Thus. It was also expensive because most organizations had not taken the time to document and test controls.

such an audit approach will be much more expensive.reports. The auditor will consider the following: • • The organization's control environment is pervasive. Deficiencies in the Internal Control Process: Deficiencies in the control environment will lead the auditor to assess the lack of control emphasis on the specific implementation of controls within accounting system. or (2) separate evaluations. the auditor will resort to direct tests of account balances as the major audit approach. Monitoring: The process that assesses the quality of internal controls over time and takes corrective action on any deficiencies in either the design or operation of internal controls. In turn. Generally (unless the auditor is dealing with a very small client). Deficiencies in Control Activities: Without adequate control procedures. the auditor will always ask the basic question. or direct communication resulting from management supervision. Unless the auditor can perform his or her own risk analysis and test the controls. The auditor must determine whether sufficient controls are in place to mitigate these risks and whether or not those controls can be tested. The attitude of those at the top. If there is inadequate follow-up and monitoring of controls. • Deficiencies in Risk Assessment: This would imply the organization has not undertaken a systematic process to identify the pertinent risks that it faces. These risks include the transactions that are processed as part of the every day activities of the organization and the other processes that lead to accounting estimates. "Do sufficient controls exist to ensure that valid transactions will be recorded. or are there sufficient controls to lead to a conclusion that the entity is auditable?" . it will be difficult to assess control risk at either a moderate or low level implying a shift towards greater direct tests of account balances. Examples of separate evaluations would include independent reports by the internal audit function. 
Detailed control procedures can be overlooked if management does not reiterate their importance. Before doing so. Monitoring can take place through either (1) ongoing activities. and their approaches to creating an environment which facilitates overall control provides the framework in which all the other controls operate. This component incorporates the organization’s accounting system and its methods for recording and reporting on transactions. The implications for the audit are: • • The auditor has to assess the significant risks affecting the financial account balances. this implies that sufficient controls have not been developed to mitigate the risks. it is unlikely that the controls will be effectively implemented. detailed analysis of transactions. or in some cases can even be overridden by management. b.

Deficiencies in Information and Communication: A deficiency in information and communication activities implies that the systems have not been designed to accomplish the organization's objectives. The elements of an organization's control environment that ought to be considered by the auditor as part of the auditor's process of assessing control risk include: . Based on that assessment. are there sufficient controls to ensure that all valid transactions will be recorded. The auditor then considers both (a) the control environment and (b) the specific control procedures in processing system to determine the likelihood that material misstatements in a particular account balance would not be prevented or detected. and is there sufficient documentation to ensure that the system is auditable. and then determines the audit approach to address the possibility of a misstatement. that is. the organization’s commitment to risk assessment. it becomes difficult for the auditor to develop evidence that the system has been working effectively throughout the year (although it may still be possible by testing transactions throughout the year. That understanding is a fundamental part of the assessment. a. while others may contain deficiencies. Without such systems. the auditor evaluates whether there is a material weakness or a significant deficiency in internal controls. the auditor performs the control risk assessment for each accounting subsystem that processes material transactions. what are the specific risks of account balance misstatements occurring? The auditor needs to identify the types of misstatements that are likely to occur because of the control deficiencies and design audit tests to determine whether or not such misstatements have occurred in amounts that could be material to the financial statements. Once the understanding of the control environment is made. 5-41. c. and only that valid transactions are recorded.) 
This would generally lead the auditor to directly testing account balances and not assessing control risk at a low level. and its commitment to monitoring the effectiveness of internal controls. The auditor must start with an understanding of the overall control philosophy of the organization. (3) Deficiencies in Monitoring Activities: This implies that management has not set up a systematic process to determine if its underlying information and communication systems have gone out of control. Such deficiencies lead to the development of three major questions for the auditor: (1) (2) is the system auditable. That philosophy manifests itself mostly in the control environment. Some of the subsystems may contain strong controls activities built into the processing system. that is the auditor can gather sufficient competent evidence to determine the correctness of the client's account balances.

integrity and ethical values. The Entity's Organizational Structure Review of organizational charts. particularly the audit committee. b. Sources of Information about the Control Environment: Sources of Information: Previous interaction with management. the functioning of the board of directors and its committees. The attitude of those at the top. and their approaches to creating an environment that facilitates overall control provides the framework in which all the other controls operate. many of which will reflect on management. Auditor’s observation of informal structure versus formal structure. or in some cases can even be overridden by management. Management compensation plans and management's apparent motivation to report higher earnings. especially their openness and candor. Press reports or regulatory reports dealing with the company. commitment to competence. Control Environment Factor Management's Philosophy and Operating Style . Review of internal audit reports. If the control environment is weak. and their actions taken on recommendations to improve control. Detailed control activities can be overlooked if management does not reiterate their importance. human resource policies and practices. The auditor seeks information on the organization's control environment because the control environment is pervasive. will be unable to rely on controls. and will then have to perform a more substantive (and costly) audit. it is much more likely that the auditor will view control risk as high. Management's support of an internal audit department and management's reaction to internal audit reports.• • • • • • management's philosophy and operating style. the entity's organizational structure. or management's attention to policies. coupled with management's willingness to use accounting as a basis to increase reported earnings. Review of important corporate documents that set policy. such as Corporate Code of Ethics. 
Interviews with functional department heads to determine if actual organization actions are consistent with organizational structure.

Review of important employee contracts. Review of internal audit reports and auditee (especially management) reactions to internal audit reports. including discussions with top and middle management to determine if the Code is followed within the organization. Interviews with audit committee and senior management about personnel development. and access to authoritative pronouncements. policy and procedure manuals. . Review of internal audit reports. procedures to improve the competence of existing staff. Personal interaction with the audit committee regarding their interest in identifying and following up on special projects. Commitment to Competence Interaction with accounting personnel including an assessment of accounting knowledge. including background checks. especially monitoring controls. and how they are followed up. Review of audit committee follow-up to previous recommendations by internal and external auditors. Review of resumes of key financial personnel. Review of organization’s Code of Conduct. Review of hiring practices for key positions in the organization. Human Resource Policies and Practices Organizational charts. understanding of business purposes of transactions.Control Environment Factor Sources of Information: Review of reports. Integrity and Ethical Values. Discussion with the internal audit department to determine if the internal audit meets with the audit committee on a regular basis and whether substantive issues are discussed. The Functioning of the Board of Directors and its Committees. Interviews with functional department heads. particularly the Audit Committee Review of minutes of board of director and audit committee meetings. and a review of plans to upgrade financial competencies within the organization.

Control Environment Factor / Sources of Information:
• Review ethical and legal complaints brought against the organization.
• Review of follow-up to monitoring reports.
• Determination of whether effective and timely action is taken.

c. The auditor can document the understanding of the client's control environment in a questionnaire or in a memo. The auditor's understanding needs to be documented such that the control environment's effect on the organization's controls and conduct of the audit can be communicated to all members of the audit team. The auditor should always document his or her reasoning process in concluding that controls are adequate or contain deficiencies. This reasoning process should cover all the elements of the control structure.

5-42.
a. Monitoring is an element of internal control that management, the board, and others establish to provide feedback on the effectiveness of operations, compliance with organizational policies and procedures, and the effectiveness of internal controls to accomplish financial reporting objectives. Monitoring controls provide feedback of potential breakdowns in internal control elements in a timely fashion such that timely corrective action can take place. Examples of monitoring controls include:
• periodic internal audit of major processes,
• exception reports that indicate that operations are different from that budgeted or expected given current economic conditions,
• reconciliation controls that identify significant changes or deviations from expectations,
• graphical analysis of sales by time period with an emphasis on identifying significant, unusual sales made near the end of a quarter.

b. Monitoring Controls in Different Types of Organizations:
i. 7-Eleven Store:
a. Monitoring Control: comparison of daily, weekly, and monthly sales with:
o past results for the store,
o results in similar stores,
o expected changes related to current economic conditions,
o gross profit analysis for same time periods.
b. Management would learn about failure of other controls if exceptions are noted:
o skimming of cash receipts,
o failure to record all transactions,
o inadequate control over product and inventory,
o poor management of the store,
o decline in operations,

o failure to deposit all receipts. the auditor can take comfort in the operation of monitoring controls if:   the auditor has already gained an understanding of the design and operation of the processing and other reporting controls. review of returns as a percentage of sales. or other items. reviews of exception reports. review of aging of receivables and # of days sales in receivables. i. and monthly sales with: o past results for the store. iii. especially liquor transactions. or skimming of items. weekly. A chain restaurant such as the Olive Garden: a. . comparison of inventory with past results and with competitors. where merited. including: 1. documentation of follow-up investigations and corrective actions. b. b. weekly. returns. Monitoring Control: comparison of daily. o industry trends o gross margin o other monitoring controls. are taken. Management would learn about failure of other controls if exceptions are noted: o failure to record all transactions. o expected changes related to current economic conditions. o gross profit analysis for same time periods. and monthly sales with: o past results. Monitoring Control: comparison of daily. If monitoring controls are effective.e. 2. Corrective actions are taken as necessary. o potential inventory shrinkage and control over recording of inventory. Management would learn about failure of other controls if exceptions are noted: o potential fictitious or unusual sales. including possible failure of periodic count and reconciliation of actual inventory with book inventory. o results in similar stores. reviews of internal audit reports. c. the auditor has assurance that the monitoring controls are soundly designed and exceptions are followed up promptly to determine their cause.ii. Specific examples of monitoring controls might include:     reviews of reconciliations. sales are made with unusual terms or with management override of policies regarding credit. 
Manufacturing division making rubberized containers: a. efficiency of processing. If in a properly designed control system. the auditor should be able to examine monitoring controls to determine if they signal problems and that proper follow-up and corrective action. 3. o gross margin analysis would indicate problems with food ordering.

The bottom line is that if the design of monitoring is effective, the external auditor can shift most of the control testing to determining the effectiveness of monitoring, and then corroborate that information with a small sample of specific controls to determine that monitoring is providing a correct assessment of the controls.

5-43.
Underlying Principle / Evidence Reviewed

Integrity and Ethical Values
1. Ethical values are clearly articulated.
2. Ethical values are clearly communicated.
3. Management monitors adherence to the code of ethics.
Evidence Reviewed:
• Review of organization’s Code of Conduct, including discussions with top and middle management to determine if the Code is followed within the organization.
• Review of internal audit reports and auditee (especially management) reactions to internal audit reports.
• Review ethical and legal complaints brought against the organization.
• Review of follow-up to monitoring reports.
• Determination of whether effective and timely action is taken.

Board of Directors
1. Is independent and competent
2. Meets on a regular basis
3. Addresses meaningful organizational risks
Evidence Reviewed:
• Consider board relationships and percentage of independent directors
• Discuss overall operation with the Board Chair or independent lead director
• Review composition of board subcommittees
• Review charter and operation of the audit committee
• Read the minutes of the meetings.

Organizational Structure:
1. is designed with proper description of roles and responsibilities.
2. facilitates effective communication about controls and reporting.
3. provides for adequate segregation of functions.
Evidence Reviewed:
• Review of organizational structure design to determine that roles and responsibilities are appropriately defined.
• Interview selected parties to determine if they understand their responsibilities, and authorities consistent with those responsibilities.
• Examine correspondence, interview various parties, etc., to determine that the organizational structure operates as designed.
• Review communications regarding internal controls to see what parties receive the communication and whether appropriate actions are taken in response to the communication.
• Review the organizational design to determine that proper segregation of duties is contemplated in the design.
• Review selected activities to determine that there is evidence that segregation of duties takes place.

• Review policy manuals to determine the nature of accounting policies and management’s commitment to a sound process of selecting and implementing accounting policies. as well as practical experience. 1. 2. • • • • Review policy manuals to determine the responsibilities and authorities that are assigned. as well as their authorities. Take a sample of transactions and determine if they were authorized by proper personnel. Policy manuals exist that clearly identify authorities and responsibilities. 3. supports a disciplined approach to selecting and implementing financial reporting principles. or are covered [including internal audit reports]. The company has a hiring and promotion practice that emphasizes financial accounting and control competencies. Company avoids transactions that are overly complex and not consistent with the organization’s strategies. 3.Management Philosophy and Operating Style 1. • Examine the nature of complex transactions that the company enters into to determine whether they are commensurate with the risks taken and the competencies of the financial reporting personnel. • Review HR and other hiring and evaluation processes to determine the extent that financial competencies are evaluated in both the hiring and promotion decisions. Review board minutes and determine the extent to which authorities and responsibilities are reviewed. 2. • Determine the extent that policies are revised and reviewed by top management by examining updates to the policies that provide evidence of supervisory approval. Commitment to Financial Reporting Competencies. is designed to emphasize the importance of sound financial reporting objectives. • Review the vitas of the financial personnel to determine their educational levels. 3. including an assessment of their competencies to make financial reporting decisions. . management clearly articulates financial reporting objectives. 2. 
evaluate whether or not the assignment is consistent with the organization’s objectives and minimizing risk. Review management’s communication of responsibilities. • Interview employees to determine their personal philosophy on accounting • Continuous evaluation of financial accounting personnel as part of every audit engagement. Organization commits to developing financial competencies commensurate with the nature of accounting transactions undertaken by the company. There is board responsibility in overseeing the appointment of key financial positions. There is clear communication as to the appropriate responsibilities of various parties. Authority and Responsibility 1.

internal controls exist to identify and manage risks facing a business. which will lead to a more effective company. and employee hires to determine if they followed organizational policies. Review employee contracts to determine the benefits associated with employees. and that financial statements are fairly presented in accordance with generally accepted accounting principles. management will be sure to put more emphasis in their internal control design and operation. Procedures are in place to develop and produce information that is needed to comply with various state and federal regulatory requirements regarding employees. • • • • • • Review HR policy manual to determine hiring policies. Within the framework of broad guidelines and policies developed by management. control activities. job applications. Periodic staff evaluations reflect a commitment to financial competencies. Take a sample of recent interviews.g. valued. information and communication. Review recent staff evaluations to determine whether the evaluations were completed on time and complied with company policies. They include the specific control procedures developed by management to ensure that all transactions are properly recorded. as well as establishing benefits for employees (e. specific control procedures are developed to achieve specific control objectives. Management sets the tone of control consciousness that affects the rest of the organization. 5-44. risk assessment. In the broad sense. Internal accounting controls are part of the broader set of internal controls. and monitoring. Internal controls are an important part of corporate governance. Four main parties that benefit: • Management Because they have to provide an assessment of internal controls and stand behind it. designed to determine compliance with regulatory requirements. Hiring practices reflect a commitment to competencies. they will do independent tests in their own thorough assessment • . 2. 
Take a sample of recent payments to determine if they are appropriately accounted for. Internal controls over financial reporting are much more specific. Review regulatory audits. or internal audits. but they should not be the auditor’s only focus. the framework for which consists of the control environment. Inquire of personnel to determine their approach to ensure that they are in compliance with various regulations.Human Resources 1. 3. Key accounting control activities are controls that effectively prevent or detect misstatements. a. They are a very important part. pensions). Auditor Because the auditor is required to attest to management’s report on the effectiveness of internal control. b.

A company’s trading partner may be interested in the quality of an organization’s controls because today many businesses are becoming more integrated with one another. however. • c. the financial statement audit can be focused in certain directions based on the results of internal control testing. and can create for more quality interactions with the external auditor. they need to know that the supplier has proper controls to ensure that they will receive high quality supplies. The internal control model anticipates that all of the components work together to accomplish the organization’s objectives. the auditor’s testing will be very likely to turn up inefficiencies and create improvements in existing internal control. Some of the issues that the groups may want to discuss include risks of: • • • Management Override Improper Estimates Improper Closing Entries . In addition to the work of management.” and the stock price will drop accordingly. a. and do not create problems for the future cash flows of the company. more efficient financial markets. will simply see the report as a “red flag. Many investors.of internal control. however. However. Some investors may look at the description of deficiencies and the solutions that have been put in place and realize that the problems are in the past. For example. there have been stock price declines associated with these negative disclosures. d. the internal control assessments of both management and the external auditor will create a more informed board of directors as a whole. 5-45. as the Professional Judgment in Context feature points out. we suggest that the instructor may want to place the discussion in the context of an organization that is known locally. To facilitate the discussion. A negative report on internal controls would likely reduce the market price of that particular company’s stock. This is arguable. • Audit Committee When shared with the audit committee. 
a weakness in the control environment cannot be offset just be control activities in a particular processing system. Public Required reporting on internal controls leads to more transparent financial information on companies. The report must address all the components of internal control. A more informed board can make better decisions for the company. Major risks to the achievement of effective internal control. If a manufacturer enters into contracts with major suppliers to provide just-in-time inventory. e. their privacy will be protected. and that there will be proper accounting for the transactions. or could be related to nationally such that the students have a common frame of reference. which leads to better decisions by investors and in turn. Also.

To the extent that transaction controls are identified. Summary of all adjusting entries for review by the audit committee. the control over management override could include: • • • Review of controls by internal audit. the groups should identify approaches to test each control. and so forth. Laid off approximately 75 factory workers Assessment Not necessarily a deficiency. Cut hourly wages by $3 per hour Most likely no effect on internal controls. The groups should identify specific tests that would be persuasive in determining whether the controls operate as expected. access to the computer system. 3. pre-numbered documents. there should be evidence that the audit committee reviews the nature of the internal audit reports. For example. A material weakness in internal controls. 5-46. the group should identify a specific type of control that would help mitigate the risk. and is it more efficient? • Are any of these employees involved in the internal control over financial reporting? • Has the wage cut affected either their attitude or conscientiousness about performing control activities? • How many directors are there? • What is the independence 2. Potential Control Deficiencies and Internal Control Weaknesses Issue 1. primarily due to the decline in the number of independent . including All valid transactions are recorded Incorrect recording of data Incorrect prices Incorrect processing of transactions Shipments to the wrong place For each risk. Transaction Related Risks. Reduced the size of the board etc. For example. An active audit committee and an independent audit firm. Controls over transactions processing can would include traditional edit tests. Additional Information Needed.• • • • • • b. a. if applicable • Did the change affect the segregation of duties? • Is the streamlined receiving working. c.

Significant deficiency in internal controls.directors. It is a bit troubling here that the client will be the first public client of the audit firm. A material weakness in internal controls for two reasons: a. Thus. for managers • To what extent do the current year results differ from the previous years? . the change in compensation to only stock options may influence the directors and audit committee members attitudes towards accounting choices. There is a consideration regarding operating philosophy and style. Eliminated the internal audit etc. There is no objective assessment by any party. It makes sense to reduce costs in a time of difficult financial conditions. is a very weak form of monitoring. Significant deficiency in internal control. We all know that people are motivated by how they are compensated. 5. or in testing the controls. Changed from a Big 4 audit firm to a regional audit firm 6. Increased reliance on monitoring controls 7. of the one remaining outside director? 4. Tighter performance goals etc. b. they are not objective when it comes to evaluating the adequacy of the controls. Comparison of budget with actual. Many local and regional audit firms are outstanding. by itself. However. It is a good thing to have the process owners assume responsibility for evaluating and implementing internal controls. The external audit is not part of the organization’s internal control system. In addition.

Of course. the commitment to necessary competencies. it may affect: a. A significant deficiency or possibly a material weakness in internal controls. Potential increase in warranty expenses due to the decrease in cost. However. and potentially to accounting that the auditor must consider. A freeze on all hiring. this makes a great deal of sense. the lack of internal audit would cause the auditor to. The purchasing department has been challenged to move away from single-supplier contracts • Although there may not be enough time to fully assess.there is a risk that the individual performance objectives may lead some managers to override controls. at a minimum. since it is in accounting. those risks do not constitute a material weakness or significant deficiency in internal control. internal audit. The two major risks are as follows: a. and b. the likelihood that more accounting errors will be made because of key 8. In this case. There are some risks that are related to operational efficiency. e. However. conclude that there is a significant deficiency in internal controls.g. The auditor would look to see if there are any compensating or mitigating controls. b. etc. Potential decrease in the quality of products going into the company products. this is not an unusual action to be taken during a time of severe economic problems. 9. the auditor should be alert to the possibility of greater returns or warranty expenses related to a potential decrease in the quality of parts. . Again.

Loss of independent directors.e. If there are three controls that contribute to the accomplishment of a control objective.personnel being overworked and will not have the time to pay attention to detail. More testing of internal controls. Changes in accounting estimates. including:     Changes in warranty cost. More skepticism and more experienced auditors assigned to the audit. . if operating effectively will accomplish the processing objective. b.and thus is effective in achieving the organization's processing control objectives. New compensation system that focuses on reported performance. More testing of estimates. More analysis of sales recognition during the last quarter. More errors in accounting processes. the financial statements and determine the accounts that are material. the auditor may choose to test the one control that. risk-based approach advocated by the PCAOB recognizes that auditors should:  Start with the end-product. The risk related to financial reporting has increased during the year due to:        Potential violation of debt covenants. and would likely set AR lower). Testing a control in operation means that the auditor is taking a sample of transactions to determine if evidence exists that the control is operating as it is designed to operate . More detailed testing of accounting balances (higher CR risk. Shortage of accounting personnel. Expand work on warranty. Changing major suppliers (and potential loss in quality). Change in employee morale. b. i. a. The top-down. for example. The auditor makes a determination of which controls to test by determining which controls most effectively contribute to the accomplishment of a control objective. and Higher fraud risk. Pressure to record revenue prematurely. Recognition of potential for fraud. The auditor needs to adjust the audit as follows:        5-47. There are many ways in which the risk might manifest itself.

The auditor needs to determine the types of misstatements that will occur and not be prevented or detected by the control procedure. Well-designed screen format to capture all the required information in a systematic fashion for every order. The order taker can then verify current address and avoid the need to reenter the data for repeat customers. Develop specific tests that create a better understanding of the controls regarding the recording of the material accounts. If the control is partially working. and design specific tests of the account balances to determine if such misstatements had taken place. Determine the likelihood of a material misstatement in the accounts. Another document (or documents) should be tested. the original documents (including the lost one) should all be taken into account when making a final assessment. There are two potential consequences: (1) The auditor reassesses the control risk in the accounting subsystem assuming that the control is not operative. The auditor then determines the critical importance of the control and the effect on processing transactions. the auditor's assessment as it affects material misstatements may not be as harsh. it is not much different than the control not operating at all.    c. The order taker can also verify the product description • . Reference to a customer address and history file. Potential application control procedures for the order-taking process at Cabela’s might include • • • Self-checking digits for all part numbers (optional because some of the other controls procedures listed below might compensate for not having this control). Computerized tables for prices. However. (2) d. If a documented control is not operating effectively. The system should then access the price table to record the approved catalog price for the item. Determine the risk that the account balance may be misstated. Develop tests to determine whether a material misstatement occurred. 
The order taker can also verify past credit history with the customer and determine whether a credit limit has been established for the customer. the auditor should become more uncomfortable with assessing the control as effective. realize that when a sample is taken. The order taker can gather information such as a customer code number on the catalog or last name and zip code to access a customer history file. Should a document not be able to be located by the client. The customer can indicate the product number ordered. 5-48. a. and what might cause the account balance to be misstated.

• • • • • Edit tests that might be embedded in the software include: • • • Valid product code. Pre-established credit limits. Reference to inventory file to determine quantities on hand. and so forth would be done through the computer software and would not use the intermediary on the phone. Oral verification of products ordered b. Response to Control Deficiencies: . the access to information such as inventory on hand. and then checks out. adds it to the cart. c. Instead of using self-checking digits. The key controls include the master part number. Automatic computation of order total.and the price with the customer. shipping date. description. However. the approximate date of shipment so that the customer can determine whether to wait. This verification process is sufficient to eliminate the need for the self-checking digit. picture. This total can be communicated to the customer. Most catalog companies do not establish an accounts receivable file. Oral verification of products ordered using part number and description. The user must submit an approved method of payment before the item can be prepared and shipped. Phone orders would require the use of an approved credit card or payment before shipment. Similar controls would be used for on-line ordering via the Internet. • Internet ordering whereby the customer clicks on the item for sale and the sale price. and price. The order taker can improve customer service by referencing the current inventory file to determine whether goods are on hand or back ordered and. Finally. This approach contains many of the other controls identified above. Credit verification with a credit card company before shipment. the user has a picture and description of the item ordered. the user must have an ability to review the total order before final processing (the shopping cart). if back ordered. This could effectively replace the self-checking digits and expedite the ordering process.

Major risk is that items will be improperly billed resulting in either misstatement of receivables or inventory. Well Designed Screen Format No Customer Address File No computerized prices.Control Deficiency Self-Checking Digit 1. Grant credit inappropriately. Information is missing or Examine log of items not orders not processed. However. Similar to above responses. Investigate if there Likelihood of collectibility are significant differences. Customer disputes should be Billing for items not investigated. Reference to Quantities on Hand Automatic Computation of Order Credit Verification 2. and receivables. Increased backorders. probably physically count inventory because of lack of controls. e. incorrectly. . Types of Errors or Irregularities that Might Occur Incorrect products might be shipped. trace back to authorized price list to determine potential magnitude of problem. shipped. processed. Consider expanding receivables tests and observation of inventory. Orders are computed Examine customer complaints. oral verification. Confirm receivables or credit card disputes to determine amounts that might not be collectible. as noted. Either there will be customer complaints or a rise in receivables that may indicate uncollectible accounts. Expand accounts receivables tests. this control may be offset by other controls.g. Inconsistent billing across Take a sample of invoices and agents taking the orders. Review inventory at end of year. receivable. Customers could be billed at Review customer complaints incorrect prices. Audit Procedures to Address Potential Misstatements Review logs of customer complaints to determine magnitude of customer complaints. There is also a Take a sample of billings and potential legal problem if recomputed total billing. Ship goods to customers Examine aging of accounts who do not have credit. Bill to the wrong address. there is a systematic mispricing of orders.

Audit Procedures to Address Potential Misstatements Take a random sample of billings and trace to electronic credit approval. preventing the employee's access to the master file. Total payroll on a weekly basis should be compared with the number of employees and previous week's payroll. Increase the likelihood that (a) incorrect products are shipped. Batch control procedures should be established to prevent duplicate processing. or (b) they are shipped at wrong prices. The auditor should be able to examine those logs. a key security employee of Wal-Mart took digital secrets regarding plans to sell off part of the business and leaked the information to the Wall Street Journal. Investigate causes of increase. Further. Edit tests could be implemented to compare the hours worked for a specific time period to determine whether an employee had already been paid for the current period. c. These signs should lead the auditor to perform additional verification of accounts receivable including increased confirmation and follow-up of receivables. a. Authorized price list for all products should be kept in computer tables that must be referenced for all orders. if there are problems. . It is especially important that procedures are established relating to employees who have security responsibilities and then are terminated. Investigate causes of increase. Oral Verification 2. the order would be rejected for processing pending a review and approval of the transaction by the marketing manager. As an example of this situation in practice. Types of Errors or Irregularities that Might Occur is lower. Review aging of accounts receivable. Require approved credit card. Increase in uncollectible accounts. in April of 2007. or (c) there are fictitious invoices. especially a review of all customer inquiries/complaints by a department separate from the billing department. If the price charged a customer differs (either by a small percentage or by any amount). 
the auditor should note that there is either (a) an increase in the amount of write-offs of uncollectible accounts. b.Control Deficiency 1. 5-49. or (b) an increase in both the volume and the aging of accounts receivable. Review aging of accounts receivable. Such departments normally keep logs of activities. Note: most of the deficiencies will be detected by strong monitoring controls. Access to data files should be limited and controlled via access control methods.

A daily report on hours worked by job center prepared and sent to the supervisor of the department for approval would detect the misstatements. h. The initial segregation can develop accountability and batch controls to ensure the completeness of processing. Questions regarding normal physical controls: Are there cameras to monitor the actions of employees? Are there locks on doors where appropriate to keep unauthorized users from where they are not permitted to be? Are secret paper files containing passwords or other personal information properly secured from public view? Does the company use physical scanning as a basis to authorize access to the computer area? Are all employees required to wear badges with identification information on them in order to access the computing facility? b. Segregation of duties would prevent the individual billing or posting of accounts receivable from receiving cash remittances. 5-50. i. The report would provide evidence of the unauthorized change should the access control procedures fail to operate effectively. Three primary methods to authenticate users: f. g.d. . Further tests could be performed by comparing some other information furnished by the customer such as shipping name or address with the data contained in the customer address file for the customer identifier. the individual tried to change a product master file. A printout of all changes should be developed as changes are made and sent to the individuals responsible for making the changes. A limit test on the number of hours worked would detect the errors. Edit tests would determine the validity of a product number. a. Credit limits for all customers should be established to minimize the amount of risk. Self-checking digits on high priced products. In this particular situation. The computer edit program should verify part number and billing price. Another test would be to limit the timecard to authorized hours and allow changes only when overtime had been authorized. 
Use of self-checking digit would have prevented the error. e. Access controls should limit the ability to change the files. Reference to the up-to-date credit file would identify the error.

• Something they know, such as a password. These are quick and easy, but are also prone to get lost, stolen, or guessed.
• Something they possess, such as an access card. These are better than just passwords, because they can't be guessed, but they can be stolen.
• Something about themselves, such as a fingerprint, a voiceprint, or some other type of physical identification. These are the most sophisticated and most difficult to steal or copy, but they are very expensive and create more cause for concern about proper controls.

c. The key is that a company has to compare the physical scans with previously authorized scans that are on the computer system. If those original scans are compromised then the system is fully compromised. If people were to break into a system and steal or copy the physical scans of authorized users, those individuals could masquerade as the authorized personnel by submitting their profiles when logging on to the system. Once the company became aware of the compromise, they would have to revoke the privilege of the authorized user, and the correct person would then be denied access to the system. Further, if someone intercepts the passage of a physical scan, then that person's security is compromised. Therefore, most use of physical scans is limited to direct (private) lines into the computer system, e.g., access to the computer operations area.

d. An access matrix is vitally important for security. An access control system must restrict access to authorized users for authorized purposes. People should not be able to access data or programs that are not related to their work duties. This concept can be seen in non-electronic environments also with physical controls. The organization must identify every data asset or program and then map users and allowable accesses. The three dimensional matrix matches user groups to data and authorized functions such as ability to read an item, change an item, or input a new item. Then, the organization must implement an authentication procedure to ensure that an individual is who he or she claims to be.

5-51. a. There are numerous ways in which continuous monitoring might be applied in a computerized application that processes sales. Options the students might consider include:
• Compare daily recorded sales with sales orders and reconcile differences on a daily basis.
• Use software that continuously tests processed transactions for anomalies in the data, as well as potential controls that did not work or were overridden.
• Implement a procedure that identifies all items that were rejected by controls and determine that they are investigated and corrected on a timely basis.
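The three-dimensional access matrix described in 5-50 d (user group, data asset, authorized function) can be sketched as follows. This is an added example, not part of the original solutions. The group names, asset names, user IDs and the incompatible-duties rules are constructed assumptions, and authentication is assumed to have already taken place.

```python
from datetime import datetime, timezone

# The three functions the text names: read an item, change an item, input a new item.
FUNCTIONS = frozenset({"read", "change", "input"})

# Constructed sample matrix: user group -> data asset -> authorized functions.
# Anything not listed is denied (deny by default).
ACCESS_MATRIX = {
    "order_taker": {
        "price_table": {"read"},
        "customer_file": {"read", "input"},
        "sales_orders": {"read", "input"},
    },
    "marketing_manager": {
        "price_table": {"read", "change", "input"},
    },
    "credit_manager": {
        "customer_file": {"read", "change"},
    },
    "payroll_clerk": {
        "payroll_master": {"read", "change", "input"},
        "payroll_checks": {"read", "input"},
    },
}

# Constructed mapping of already-authenticated user IDs to their group.
USER_GROUPS = {"alice": "order_taker", "bob": "marketing_manager",
               "carol": "payroll_clerk"}

# Assumed incompatible-duties rules: one group should not hold both rights.
INCOMPATIBLE_DUTIES = [
    (("payroll_master", "change"), ("payroll_checks", "input")),
    (("price_table", "change"), ("sales_orders", "input")),
]


def validate_matrix(matrix):
    """Reject matrices that grant a function outside read/change/input."""
    for group, assets in matrix.items():
        for asset, funcs in assets.items():
            unknown = set(funcs) - FUNCTIONS
            if unknown:
                raise ValueError(f"{group}/{asset}: unknown functions {sorted(unknown)}")


def is_authorized(matrix, group, asset, function):
    """True only if the matrix explicitly grants the function on the asset."""
    return function in matrix.get(group, {}).get(asset, set())


class AccessController:
    """Checks each request against the matrix and logs every denial."""

    def __init__(self, matrix, user_groups):
        validate_matrix(matrix)
        self.matrix = matrix
        self.user_groups = user_groups
        self.denied_log = []  # reviewable record of attempted accesses

    def request(self, user, asset, function):
        group = self.user_groups.get(user)  # unknown users have no group
        allowed = group is not None and is_authorized(
            self.matrix, group, asset, function)
        if not allowed:
            self.denied_log.append({
                "time": datetime.now(timezone.utc).isoformat(),
                "user": user, "group": group,
                "asset": asset, "function": function,
            })
        return allowed


def find_incompatible_duties(matrix, rules):
    """List every group that holds both sides of an incompatible-duties rule."""
    findings = []
    for group in sorted(matrix):
        for first, second in rules:
            if (is_authorized(matrix, group, *first)
                    and is_authorized(matrix, group, *second)):
                findings.append((group, first, second))
    return findings


if __name__ == "__main__":
    controller = AccessController(ACCESS_MATRIX, USER_GROUPS)
    print(controller.request("alice", "price_table", "read"))
    print(controller.request("alice", "price_table", "change"))
    print(controller.denied_log)
    print(find_incompatible_duties(ACCESS_MATRIX, INCOMPATIBLE_DUTIES))
```

The denied-access log is the kind of record an auditor would ask to examine, and the incompatible-duties check flags a group that can both change a master file and input transactions against it.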

in the authors’ opinion.b.000 is a material enough amount that they decided to set the threshold there. Computers do not make errors. Material Weakness? No. (3) All prices are Auditor selected 40 No. it should be classified as a material weakness. Obviously $10. The discussion of whether these systems constitute a monitoring control or just another level of controls is interesting. No . In addition. The transactions were Yes. The intent of this exercise is to get students familiar with a new class of IT monitoring software that has now reached the market. all in the last quarter. it does not rise to this level given the sales manager’s actions. Sampled ten items during the last month. But the sales manager’s approval is an adequate compensating control. Thus. Because this is a fundamental transaction to the revenue cycle and many others could potentially have been affected. In many instances. Control Tested (1) All sales over $10. even if the transactions that fell through were later approved. No. Test Results Tested throughout year with a sample size of 30. but all approved by sales manager. they are also quite effective for analyzing incompatible duties in ERP systems such as Oracle or SAP. These systems all have the ability to take advantage of many years of analysis of what can go wrong in processing transactions and thus brings an expertise to the systems that is beyond that which any one individual company might accomplish. Prepare both text reports and graphical reports that quickly tell those who have oversight responsibilities where the systems may be going wrong. or were overridden. 5-52. for example. (2) The computer is programmed to record a sale only when an item is shipped.000 require computer check of outstanding balances to see if approved balance is exceeded. Management was aware of the recording. A 10% failure rate suggests that the control is not operating effectively. One indicated that it was recorded before shipped. 
Expand the testing beyond the application. the software can check social security numbers against a list of valid social security numbers. monitoring often acts as a control that checks the operation of other controls. The software of some of these firms is designed to: • • • Anticipate all the items that could go wrong in processing. The three systems the firms sell have a common ability to test for areas where controls are not operating. Significant Deficiency? Yes. the products sold by these companies represent an effective way to monitor existing controls. The risk here would be that the estimate for uncollectible accounts would be understated. Only 3 failures. The fact that the recording was made before shipment suggests that the computer control is flawed. because it rises to the level of a material weakness.

No. 20% or more error suggests a material deficiency. This does not appear as though it would cause a misstatement as much as it could lead to lower profitability of the business. items currently in progress. Yes. When an item is shipped. Yes. because it rises to the level of a material weakness. Considering that this again is a fundamental transaction. because it rises to the level of a material weakness. Management says this is a regular process and does not affect recording. and items shipped. On average. (4) Sales are shipped only upon receiving an authorized purchase order from customer. Auditor examines three of the weekly reports and observes that the items shown as shipped do not reconcile with the number of items invoiced. Questions of computer access controls should also be raised. still recorded for the proper amount-what the customer paid. (5) Every shipment is assigned a number by the computer when an order is taken. invoices and found 5 instances in which the price was less than the price list. All of the price changes were initiated by sales people. Revenue could be overstated if unauthorized shipments are being made. 3 – 4 are shipped each quarter based on salesperson’s approval and without a customer purchase order. If the amount shipped does not reconcile with the amount invoiced. A report is prepared each month showing the status of all items where purchase orders have been received. the computer is programmed to then record a sale. The estimate for uncollectible accounts would also be affected. If the error is large enough. . it could be classified as a material deficiency in internal control.obtained from a standardized price list maintained within the computer and accessible only by the marketing manager. No. the program is not functioning correctly. the error could have occurred on a large (material) scale. Auditor selects 15 transactions near the end of each quarter.

and existence of employment forms. Independently reconcile the client's bank account at yearend. The payroll person can also change pay rates and add/delete personnel. Mitigating Controls d. For a sample of days. (3) Anyone can operate the The waitresses could omit orders for The kitchen could be instructed to only prepare food when It is difficult to test for the . Someone independent of the cash handling process should periodically reconcile cash receipts with the credits to accounts receivable and investigate any unusual debits to the cash receipts journal (such as excess cash discounts. pay employees at the wrong rate. (1) a list of authorized employees is kept by someone (2) change pay rates of a friend and independent of the payroll person. (4) The payroll bank reconciliation should be periodically reconciled by someone independent of payroll. Audit Test (1) Detailed payroll tests could be performed whereby a random selection of paychecks is made and all items are verified including the existence of employee time cards. the bank reconciliation. Deficiency (1) The payroll person has complete access to the system and is responsible for keying in all data and preparing payroll checks for distribution. The Controller or the President of the company could perform the (3) systematically. Some that could be considered: payroll and pocket the checks. a. Without the addition of a personnel department to act as a check on the payroll operations. (2) Perform an analytical review of payroll expense in relationship to sales or production and investigate any unusual fluctuations. The paychecks issued split the extra pay. (3) Wage expense per job or functional area could be compared to budget and any excess expenses promptly investigated. unintentionally. Checks are distributed by supervisors who could have a fictitious employee paid. (2) The person handling cash receipts is in a position to cover up a cash shortage. every period are reconciled to the total. 
foremen approval of jobs. there are no strong (1) add fictitious individuals to the mitigating controls. the signatures on canceled checks could be compared with employee W-4 forms. On a test basis. president approval of wage rates.) Perform a detailed test of the client's bank reconciliation. Potential Misstatements The payroll person could: c. b.5-53. reconcile recorded deposits with actual cash receipts to determine if cash is promptly recorded and deposited. Someone that does not directly handle cash should perform bank reconciliations. even reconciliation. (2) The president could review payroll expense each period for unusual fluctuations or personnel counts. The person handling cash can take Have someone independent of the cash processing cash receipts and cover it up through function prepare the monthly bank reconciliations.

(5) There is no major problem in this situation as long as the individual at the terminal does not have ability to change any of the credit history or other files. The determine if there were employee could pocket the cash. there is no independent review of The owner could observe the operation of the cash register. Prenumbering could be added to the tickets. There are no apparent problems as long as the system is preprogrammed to review the credit history and determine if an order should be shipped. c. such as bank reconciliation and Develop independent tests of authorized employees. There is a risk that some companies may systematically avoid recognizing income to avoid the income taxes. sales and accounts receivable. The controller should implement independent Access is not restricted to reconciliations. therefore there is no individual accountability for the accuracy of the cash drawer. Deficiency cash register. There is multiple access to the system without recognition of corresponding accountability. There is no evidence that the waitress slips are prenumbered or separately accounted for to ensure that all sales are collected. but that access may provide access to other individuals as well. Mitigating Controls d. a ticket is presented. The credit program should be periodically reviewed. Potential Misstatements friends. The sales clerk has offhours access to the system. If tickets are in duplicate. be explained by the tourist amounts and not detected because season or weather. the kitchen under-recording of cash and could keep a copy. passwords. b. One concern the auditor might have is whether the business shows sufficient income to justify its continuance as a going concern. during off-hours. Any indication of sales to customers beyond the preapproved credit limit should be investigated. The owner significant fluctuations in could account for all the prenumbered tickets at the end of weekly income that could not Items could be billed at incorrect each day. 
Shipments should be reconciled with orders. the tickets.a. The program can be tested periodically to ensure that the credit program is working effectively. Audit Test (4) There is no indication of password protection for any of the files. perform analytical review to not rung up in the cash register. The auditor could Cash receipts could be collected but be reconciled with the total in the cash register for the day. There is no indication that access is restricted. The company may be vulnerable to any loss of data or the computer since there is no evidence of backup of facilities or programs. effective operation of changes to files or records. The total of the kitchen copies could revenue. Individual sales orders could be sampled to determine that . Anyone with access to the system Implement a password protection program and change the Review for the existence and may have the opportunity to make passwords frequently. especially reconciliation of total billings with sales orders.

Detailed tests. then copies could be sent to the purchasing agent. (7) The sales person enters both the sales price and the purchase price into the document for processing. If fictitious items are ordered. Investigation of any vendors with post office box numbers rather than street addresses. Identification of the part number sold generates the reduction of inventory and debit to cost of goods sold. cost of goods sold will be understated. Periodic review of departmental gross margin for unusual fluctuations. inventory will be overstated. Mitigating Controls d. inventory will be inappropriately relieved and its ending value will be overstated. The receiving function needs to be independent of the purchasing function.a. and send invoices for the goods. The agent could then match all the items and send the complete package to accounts payable for payment. (6) The purchasing and receiving functions are concentrated in the hands of the individual placing the purchase order. The purchasing agent orders the goods. A purchase agent could develop fictitious vendors. . Analysis of any unusual purchasing patterns by a purchasing agent. Consequently. Potential Misstatements c. dummy up receiving reports. Deficiency b. Since the sales person's commission is based on gross margin. If the purchasing agent wants a copy. Receipts and invoices must go directly to accounts payable. place orders. Perform detailed tests of yearend inventory to determine correct costing of goods. and sales commissions will be overstated. there is the possibility that the salesperson may fraudulently enter an inappropriately low value for the cost of the inventory. reviews the receipts. including physical observation of inventory are needed. Audit Test goods shipped were billed at correct catalog prices and the customer's credit was okay. Computerize the system so that the purchase price is entered into the system when the purchase is made. 
and approves the items for payment after receiving the invoice from the vendor.

5-54.

(1) Credit Approval
Test of Control:
(a) Randomly select new orders and determine if credit process is working as described.
(b) Obtain a computer print-out of all accounts with a past due balance greater than $22,000 and determine if current shipments are made to the accounts. If yes, determine if credit approval was obtained for the shipments.
(c) Randomly select from sales invoices greater than $15,000 and review for credit approval.
Modification of Audit Procedures if Control Not Effective: Accounts receivable valuation is likely to be affected since sales would be made to customers that do not meet the client's credit standards. The auditor would expand tests aimed at valuing the allowance for doubtful accounts. Such tests might include: (a) detailed aging of accounts receivable, (b) review of past due accounts to determine collectibility, (c) requesting financial statements of large accounts with past due balances, (d) obtaining outside credit analysis of large past due accounts.

(2) Pre-numbered Receiving Slips
Test of Control:
(a) Review procedures utilized by client to account for prenumbered receiving slips. Test their process for accuracy.
(b) Observe the receiving function to determine if receiving slips are filled out when goods are received.
Modification of Audit Procedures if Control Not Effective: The auditor would likely expand audit tests when observing the client's physical inventory.

(3) Payments require purchase order and receiving document.
Test of Control:
(a) Take a sample of vendor payments to determine that all such payments are accompanied by a receiving slip, purchase order, and vendor invoice. Determine if there is evidence that the items have been matched (such as checkmarks on the documents or initials of the person performing the matching).
Modification of Audit Procedures if Control Not Effective: The auditor would be concerned with the payment for fictitious goods and would want to expand the observation of the client's counting of the physical inventory.

(4) Credit Memos Not allowed by Accounts Receivable Bookkeeper.
Test of Control: Take a sample of credit memos and examine for existence of proper support (receipt of returned goods, customer adjustment, and so forth). Determine that the accounts receivable bookkeeper has not initiated or approved any of the credit memos.
Modification of Audit Procedures if Control Not Effective: The auditor would expand the credit memo test to determine that proper support exists for credit memos issued.

(5) Cash Receipts and Cash Remittance Advices
Test of Control: Select a sample of day's remittances and reconcile deposit slip with remittance advices sent to accounts receivable.
Modification of Audit Procedures if Control Not Effective: There will be concern that all receipts were properly recorded. Expand sample of remittances to ensure that all remittances are recorded on a timely basis or expand confirmation work on accounts receivable.

(6) Adding Employees to Payroll Master File
Test of Control: Generate a listing of employees added to the master file. Select a sample and see that each employee added had a written authorization form signed by someone in the personnel department. Trace paychecks for selected employees to personnel department records.
Modification of Audit Procedures if Control Not Effective: Expand payroll tests to examine for the validity of employees.

(7) Password Protection of Payroll File
Test of Control: Interview payroll personnel regarding password protection. Review policies for adding/deleting or changing passwords with the data processing function responsible for password control. Determine if that function has any logs of access to files (or attempted accesses) by other than the authorized parties. Attempt to access the files using common passwords. Review print-outs of changes made to payroll file and trace to authorization.
Modification of Audit Procedures if Control Not Effective: Expand payroll tests as per above.

(8) Edit Limit Tests
Test of Control: Review edit reports generated by computer application to determine disposition of employees working more than 53 hrs, or more than 3 jobs. Submit data to the computer application to determine if the edit tests would reject the items submitted if the items are beyond the limits.
Modification of Audit Procedures if Control Not Effective: Expand detailed tests of payroll to determine employee validity and calculation of gross and net pay.

(9) Issuance of Credit Memos.
Test of Control: Examine credit memos for proper approval noting attachment of receiving slips or authorization from sales department.
Modification of Audit Procedures if Control Not Effective: Expand credit memo testing to determine if all receipts of returned merchandise have resulted in credit memo preparation.

(10) Approval of price adjustments more than 6% of customer purchases.
Test of Control: Discuss with divisional manager the process for implementing the control. Review all credit memos in excess of a specific dollar limit to determine if divisional management approval is required, and if so, whether it was obtained.
Modification of Audit Procedures if Control Not Effective: Review for large adjustments to customers for possible kick-backs to sales person. Determine if such adjustments affect the validity of recorded sales or receivables.

5-55.

(1) Write-off of accounts receivable.
Authorization Required: Credit manager or president of a small company.
Rationale: Someone independent of cash receipts and accounts receivable should have the authority to write-off old receivables so that someone with cash couldn't divert cash and cover it up through write-offs. In a small company, the president should have knowledge of the credit risks assumed by the organization.

(2) Acquisition of New Company
Authorization Required: Board of Directors
Rationale: This represents a major corporate strategic direction and use of shareholder's investment. The Board of Directors is designated to see that such transactions are carried out in the best interests of existing shareholders.

(3) Overtime Pay
Authorization Required: Foreman or supervisor for job.
Rationale: Overtime pay should be authorized by those who will be held accountable for the accomplishment of a job or task within time and cost constraints. It should be approved by someone directly responsible to ensure that overtime is legitimately worked.

(4) Shipping Goods on Account to New Customer
Authorization Required: Credit Department
Rationale: Since the goods are shipped on account, the credit department should determine the credit standing of the new company to minimize uncollectible accounts.

(5) Purchases from new customer
Authorization Required: Purchasing Agent, with review by supervisory personnel or functional management.
Rationale: All orders for goods should come from the purchasing agents. Before adding someone new to the list of authorized vendors, the company may want to examine the vendor's reputation for quality and timeliness.

(6) Temporary investments of funds.
Authorization Required: Treasurer, subject to overall policies developed by board of directors and senior management.
Rationale: Investing funds is the treasurer's function. However, some organizations have specific policies that prohibit investments in common stock. The rationale is to minimize potential risk of temporary funds needed for short-term business purposes.

(7) New line of equipment.
Authorization Required: Divisional management or capital budgeting committee.
Rationale: This is a significant investment and should be approved by senior management to ensure that the commitment of resources is likely to generate a return.

(8) Purchase of a new machine.
Authorization Required: Divisional management or production supervisor.
Rationale: This is an operational decision that is appropriately left in the hands of those responsible for the operations of the division.

(9) Re-writing of major computer program.
Authorization Required: Data Processing Steering Committee (A committee of top executives with responsibility to ensure that computerized developments are consistent with organizational objectives)
Rationale: The re-writing of the program represents a major commitment of data processing resources. The resources should be committed only after there has been a review to ensure that the development is consistent with the overall operations of the organization.

There are no controls to assure that all receivables that are due are paid on a timely basis. 9. Copy work paid in cash is balanced to the cash register. 3. 7. 5. Elements of Poor Internal Controls include: 1. Bank reconciliations are made. a. 5. 3. Weak control is exerted over cash transactions. 7. All remittances are not recorded timely. A cash log is maintained even though it is not used effectively. Unusual variations between costs and revenues are investigated on a monthly basis. nor is cash deposited daily. 8. although they could be performed more effectively. 6. The control over slow or delinquent payments is very poor. Monthly analyses of cost percentages of revenue items are performed. 5-58. It also provides a diversity of background and items that can be called upon by the instructor to illustrate control concepts. 2. 10. Forms are not prenumbered or accounted for.5-56. There are no running control totals to prevent contract services from exceeding the contract ceilings. Examples: bookkeeping services. or an overzealous management that was willing to override the existing control structure to accomplish their own goals. 4. 5-57. No control is in effect between production type work and potential revenues due. Periodic analyses are performed of unpaid bills. 4. 6. . Many of the recent business failures have been typified by a poor or non-existent control structure. design and printing services. Accounts receivable are not recorded nor controlled. and tax work. This is a project that the authors have used successfully to facilitate student identification of controls in actual working systems. 2. No controls are in effect to assure that all work was billed. b. Historical evidence (audit trail) is maintained of all production work. No credit checks are made of contract clients. Elements of Good Internal Control include: 1. 
The objective of this project is to have the students read actual accounts of such failures and identifies the control structure problems associated with the failures.

If more information is not available. should perform write-offs. one copy is sent to the warehouse. Current outstanding balances are not examined before additional credit is granted. this can be performed automatically. There is the Uncollectible accounts are not promptly identified and provided for. Copies of purchase orders should not be sent to warehouse for shipping until credit is approved. Review the credit limits periodically as more information is obtained on payment history and current financial status of the customer. This may or may not be appropriate and may not be consistent when there is turnover in the position.Cases: 5-59. . Credit should be updated as new information becomes available. Sales representatives should send both copies of purchase orders to headquarters for credit review. b. If a computer system is implemented. After credit approval. Controller. Establish formal policies and guidelines regarding write-offs of accounts. The list of customers with "established" credit is not reviewed for changes in credit worthiness until the account is considered uncollectible. Customer balances may become larger than the credit risk might warrant. or at least review the credit manager's analysis. Recommendation Establish specific credit limits for each account. the other to accounting. or other appropriate officer. Risk Customer balances may become larger than the credit risk might warrant. Deficiency Specific credit limits are not established for each customer. Credit should be updated on a periodic basis as more information becomes available. Sales may continue to be made to accounts that are not collectible. No review of write-offs is made except by the credit manager. Goods shipped to customers whose credit is not approved thereby increasing credit risk. Establish policy for periodic review of outstanding account balances. Conditions may change. The current system depends on the initiative of the credit manager and on the manager's judgment. 
The following deficiencies are noted: a. Formal policies for writing off accounts receivable have not been established. The customer's current balance should be examined before additional credit is granted. Accounts receivable may be overstated. Excessive and nonwarranted granting of credit. a periodic time period for updating should be established.

potential for kickback arrangements between customers and credit managers.

Deficiency: No formal policies or guidelines exist for initial credit approval.
Risk: Credit manager may have poor judgment potentially resulting in unwarranted credit risks.
Recommendation: Formal policies and guidelines should be established for initial credit approval. Minimum requirements for customers' financial situation should be set.

5-60. a & b.

Control Objective: Recorded transactions have occurred and pertain to the entity. (Occurrence)
Control Activities:
• All uses of the scale (and total weight) should be logged electronically. Transactions can only be recorded based on logged uses of the scale.
• Should a use of the scale be voided, only a manager should have access control to void the transaction.
• Sales for recycled products should only be recorded when a supporting receipt is present.
• Invoices should be automatically printed when an installment is due from the government.
• Invoices should be printed only with a completed work order for special-request pick-ups.
• Send periodic statements to outside customers who do not pay with cash with a balance due.

Control Objective: All transactions have been recorded. (Completeness)
Control Activities:
• All uses of the scale (and total weight) should be logged electronically. Each use of the scale must result in a revenue entry made within the same day.
• Require the issuance of a receipt for every transaction. One receipt will go to the customer, and the register (or computer) will log a copy. To serve as an independent check, display a sign that says “Your next transaction is free if we fail to issue a receipt.”
• Manager should reconcile total weight from scale log to total cash receipts. This will serve as an independent check of completeness.
• Send periodic statements to outside customers who do not pay with cash with changes in balance.

Control Objective: Amounts have been recorded accurately. (Accuracy)
Control Activities:
• A computer program that has been thoroughly tested for accuracy makes all computations. No changes have been made to the program.
• Manager should reconcile total weight from scale log to total cash receipts. This will serve as an independent check of accuracy.

Control Objective: Transactions have been recorded in the correct accounting period. (Cutoff)
Control Activities:
• When services are provided, match date on the work order to the date on the invoice.
• At the scale houses, require all transactions to be logged within same day that they occurred.

Control Objective: Transactions have been recorded in the proper accounts. (Classification)
Control Activities:
• Company uses a chart of accounts and routinizes revenue entries to ensure uniformity from period to period.
• In scale houses, have computer program controls to only allow the operator to make one entry (i.e. debit to cash, credit to revenue).
• Computer program performing calculations and postings is independently tested and maintained.

Monitoring controls might include: Periodic reports on waste product versus past history and activity at other waste sites. Internal audit verify use of scales and billing on a surprise basis. Follow-up and investigation of any significant differences.

c. Identify the Control Procedures

Control Objective: Recorded transactions have occurred and pertain to the entity. (Occurrence)
Control Activities: An employee is paid only if the employee already exists on the master payroll and is entered on that payroll by someone independent of payroll processing. A supervisor verifies that the employee worked, or the payroll department verifies by existence of time cards.

Control Objective: All transactions have been recorded. (Completeness)
Control Activities: Employee expects a check within a specific time frame and acts as an independent check on performance. Payroll department reconciles total hours paid within the time period with total hours worked per supervisor or time cards.

Control Objective: Amounts have been recorded accurately. (Accuracy)
Control Activities: A computer program that has been thoroughly tested for accuracy makes all computations. No changes have been made to the program. Individual employee examines paycheck to determine if amounts are correct. Any inquiries are directed to someone independent of the person processing the payroll. Payroll supervisor reconciles hours worked and overall payroll cost for each period and investigates unusual differences.

Control Objective: Transactions have been recorded in the correct accounting period. (Cutoff)
Control Activities: Employee expects a check within a specific time frame and acts as an independent check on performance. Payroll department reconciles total hours paid within the time period with total hours worked per supervisor or time cards.

Control Objective: Transactions have been recorded in the proper accounts. (Classification)
Control Activities: Company uses a chart of accounts and routinizes payroll entries to ensure uniformity from period to period. Each employee is given a job classification, and wages are determined by the job classification. No one except supervisory personnel can change the job classification. Computer program performing calculations and postings is independently tested and maintained. Job codes are verified with the database of active job codes.

d. Identify the approaches to test the controls.

Occurrence
Control Activities:
• All uses of the scale (and total weight) should be logged electronically. Transactions can only be recorded based on logged uses of the scale.
• Should a use of the scale be voided, only a manager should have access control to void the transaction.
• Sales for recycled products should only be recorded when a supporting receipt is present.
• Invoices should be automatically printed when an installment is due from the government.
• Invoices should be printed only with a completed work order for special-request pickups.
• Send periodic statements to outside customers who do not pay with cash with a balance due.
Tests:
• Take a random sample and determine that all recorded transactions match the scale log?
• Review void transactions for manager approval.
• Reconcile recycled product transactions to receipts.
• Take a random sample and determine that invoices automatically print on the proper date?
• Reconcile special-request invoices to work orders.
• Review customer balance inquiries and concerns taken by customer service reps.

Completeness
Control Activities:
• All uses of the scale (and total weight) should be logged electronically. Each use of the scale must result in a revenue entry made within the same day.
• Require the issuance of a receipt for every transaction. One receipt will go to the customer, and the register (or computer) will log a copy. To serve as an independent check, display a sign that says “Your next transaction is free if we fail to issue a receipt.”
• Manager should reconcile total weight from scale log to total cash receipts. This will serve as an independent check of completeness.
• Send periodic statements to outside customers who do not pay with cash with changes in balance.
Tests:
• Reconcile scale log to transaction journal.
• Review “coupon” log, and review circumstances for granting of each coupon.
• Take a sample of daily reconciliations and determine that the reconciliation has been performed.
• Review customer balance inquiries and concerns taken by customer service reps.

Accuracy
Control Activities:
• A computer program that has been thoroughly tested for accuracy makes all computations. Check that no changes have been made to the program.
• Manager should reconcile total weight from scale log to total cash receipts. This will serve as an independent check of accuracy.
Tests:
• Review the controls over program changes. If the control process is adequate, determine through review – that there have been no changes to the program.
• Take a sample and review that the reconciliations have been performed.

Cutoff
Control Activities:
• When services are provided, match date on the work order to the date on the invoice.
• At the scale houses, require all transactions to be logged within same day that they occurred.
Tests:
• Take a sample of work orders and determine that the work order and the invoice match.
• Reconcile scale log to transaction posting date. Review any unusual entries.

Classification
Control Activities:
• Company uses a chart of accounts and routinizes revenue entries to ensure uniformity from period to period.
• In scale houses, have computer program controls to only allow the operator to make one entry (i.e., debit to cash, credit to revenue).
• Computer program performing calculations and postings is independently tested and maintained.
Tests:
• Ensure that the chart of accounts is up-to-date and accurate.
• Review any unusual entries.
• Review internal audit or other testing to determine if it is adequate. If not, take a random sample of source entries and trace through the system to determine proper billing.

e. The environment of a waste hauler is one in which there are more opportunities to conduct fraud, especially skimming money from transactions that are not recorded. The auditor would expect to see a low amount of tolerable error for each of these areas.

Revenue Recognition: The auditor is concerned that (a) all sales are recorded, and (b) the sales are recorded at authorized prices and are recorded in a timely fashion. In most environments, the auditor would establish a low tolerable error. Because of fraud, the tolerable rate of error approaches zero. Monitoring controls that track revenue recorded and reconciling them with known contracts will be an important part of the audit process.

Payroll. The auditor is concerned that employees are accurately paid for time worked, at authorized pay rates (especially union-approved rates), and that benefits are properly accrued. The auditor could take a large sample size with a small tolerable error. Alternatively, the auditor could thoroughly test the client’s computerized payroll process, including the software for processing the transactions, and the authorization procedures to change pay rates. The auditor should independently test that accruals for benefits are recorded.

Accounts Payable: The auditor is primarily concerned that all items are paid, only for goods received, and at authorized prices. The testing guidelines follow these objectives.

5-61. a. Before entering into such a contract, J.C. Penney would have to know a great deal about TAL to be able to trust them in such a partnership. J.C. Penney would want to review financial statements to ensure that TAL is financially stable. They would want to tour the manufacturing plants to gain an idea of the quality control mindset, the treatment of the workers, and the overall efficiency of operations. J.C. Penney would have to establish a contract regarding confidentiality of information, exclusive rights to manufactured items, and quality of TAL’s computer system (including security). In summary, J.C. Penney would have to have basically an “all-access pass” to TAL operations.

b & c. To ensure that only goods received were billed, J.C. Penney should set up a receiving function within each store for unusual items. Otherwise, most of the shipments should follow Penney’s regular process and require goods to go to distribution centers. The receiving department could then match their count to the invoice provided by TAL. J.C. Penney would need to inspect the billings twice a month before wiring the funds to TAL as well. This inspection would also serve as a check that the billing was for authorized prices. In this scenario,

but they actually have not. The auditor should seek evidence on the level and type of compensation that the accounting and finance personnel receive. The auditor needs to decide whether or not management has remedied the material weakness in internal controls. If the auditor concludes that the problems have been remediated. Should items be stolen from the receiving dock while in the possession of J. as they will only add to the perception of TAL as a trustworthy business partner. (2) Assess consequences of decision. • Retain individuals with those competencies. (4) Evaluate the information /audit evidence gathering alternatives. The risks are that the auditor may incorrectly conclude that controls are better or worse than they actually are. The analysis of the effectiveness of the remediation plans might involve the following steps: (1) Structure the audit problem. the importance of the auditor’s assessment comes down to accurately assessing control risk going forward. invoice reconciliations. or physical controls.C. but they actually have been. If the auditor concludes that the problems have not been remediated. then shareholders will incorrectly be led to believe that controls are better than they actually are. and should evaluate the professional certification of the individual(s) that Milacron hired in the wake of the material weakness. They should have no problems with physical counts. TAL should take an interest in these controls being implemented.d. and accurately conveying any problems in internal controls to shareholders. Is it adequate? Is it appropriately motivating in terms of what those individuals could make elsewhere? . they are working hard to become a trustworthy business partner to retailers. The auditor is going to need to assess whether management’s remediation plans have been effective. a formal receiving function would allow for a count of product as it arrives from TAL. From their perspective. 5-62. 
then management would rightfully be upset about the auditor’s incorrect conclusion. The auditor should seek evidence on the hiring process. The auditor must determine whether management has control procedures in place to accomplish the following tasks: • Identify competencies. Again. (3) Assess risks and uncertainties of the audit problem. Penney. a. Ultimately. Physical controls such as locked doors (physical access controls) and video cameras would also help to avoid theft. which could be directly compared to the count that makes it to the shelves. TAL would want to make sure that they are not suspected of any wrongdoing.

Auditors will not view weak controls as an ethical risk factor if management is quick and willing to address the problems. The auditor needs to acquire and document information about the items discussed in part (4) above. Probably does not apply to this particular decision.g. then the auditor might start to question the ethical intent/stewardship of management. . e. particularly if the weak controls manifest themselves in problems in the area of the judgmental aspects of accounting. brings them to management’s attention.. (5) Conduct sensitivity analyses. and they should seek evidence on the training provided to accounting and finance personnel. (7) Make the decision about the audit problem. But. Using the information gathered in steps 4 and 6 above. if the auditor identifies weaknesses. continuing professional education. (6) Gather information/audit evidence. b. the auditor will have the data necessary to determine whether or not management has effectively remediated the problems. The auditor should seek evidence on the review procedures concerning complex accounting judgments. and management still does not apply the resources necessary to correct the problems.• Periodically evaluate competencies.

FORD MOTOR COMPANY AND TOYOTA MOTOR CORPORATION: INTERNAL CONTROL OVER FINANCIAL REPORTING

1a. Both Ford and Toyota management comment on “disclosure controls”. What are disclosure controls? Why are they important?

The SEC defines “disclosure controls and procedures” as “controls and other procedures designed to ensure that information required to be disclosed … in [Exchange Act] reports … is recorded, processed, summarized and reported, within the time periods specified in the Commission rules and forms.” “Disclosure controls and procedures include, without limitation, controls and procedures designed to ensure that information required to be disclosed by an issuer in its Exchange Act reports is accumulated and communicated to the issuer’s management, including its principal executive and financial officers, as appropriate to allow timely decisions regarding required disclosure.”

1b. Both Ford and Toyota management comment on the fact that internal control over financial reporting has “inherent limitations”. What are those inherent limitations?

The inherent limitations are that, while controls may be designed and monitored properly, unintentional errors or intentional misstatements (e.g., fraud) may still be reflected in the financial statements. The comment about “inherent limitations” is designed to point out to financial statement users that no control system provides perfect, 100% assurance that the financial statements are free of material error.

1c. Ford notes a variety of material changes in internal control. What are those changes? Do any cause you particular concern?

• Change in communication to dealers about incentives. Ford changed from a quarterly to an annual communication to dealers about incentive availability. Thus, it appears that this gives Ford more leeway in committing to dealer incentives, thereby shifting some risk away from Ford and to its dealers directly.
• Change in shipping/transfer of ownership terms in Europe. This change affects revenue recognition, effectively delaying it from the point of shipment to the point of delivery.
• Change in agreements to employees regarding health care liability. This change effectively limits benefits to employees to a defined contribution plan (rather than a defined benefit plan). Essentially, the new agreement puts Ford at less risk.

1d. How does management reach their comfort level that internal control does not contain any material deficiencies?

We addressed this question earlier. Management needs to develop procedures that they can rely on in order to gain assurance that internal control continues to be operating effectively. Companies have taken a variety of approaches to gain that assurance including:

• Sub-certifications by managers at all levels in the organization.
• Results of ‘self-assessment’ tests by departments, or groups, or divisions.
• Review of the internal control process by the internal audit department.
• Monitoring of internal controls following the guidelines issued by COSO.

1e. From a conceptual point of view, assume two companies are the same size, participate in the same industry, and have the same reported net income. However, one has a material weakness in internal control over financial reporting and the other does not have any deficiencies. Should the stock price of the two be different? If yes, what is the rationale for the difference in the stock price?

This is an important question in evaluating the value of public reporting on internal control. If two companies appear to be about the same, but one has a weakness in internal control, that would imply that the market has less confidence in the ability of the company to properly prepare financial information that is given to the public on either an annual basis or on an interim basis throughout the year. If the company has less reliable information, then the company has greater risk to the investor. Greater risk implies that the investor would use a higher discount rate in calculating the expected value of the company’s stock. A higher discount rate would result in a lower stock price for the company.