
Solutions for Chapter 5 Internal Control over Financial Reporting

Review Questions:

5-1. Controls must emanate from the intent of owners and creditors of an organization to protect the resources entrusted to an organization. The stockholders give the board of directors power to delegate responsibilities to the management of the corporation. The board of directors is responsible for providing management oversight on behalf of the shareholders and is responsible for approving major investments, divestitures, and financing for the corporation. Part of the responsibility of the management is to ensure that an effective and efficient control infrastructure is established and followed to produce reliable financial reports, to comply with laws, to run the business proficiently, and to safeguard assets. Research has shown that good internal control is correlated with higher economic returns and lower cost of capital. This reiterates that good internal control is good for business as it enhances the reliability of data for decision-making as well as ensuring that all transactions are recorded.

5-2. Risk assessment is a process designed to identify potential events that may affect the entity and to manage those risks within the entity's risk appetite. Controls are used to mitigate the risks that are identified.

5-3. The COSO Internal Control, Integrated Framework has five elements:
- Control Environment
- Risk Assessment
- Control Activities
- Information & Communication
- Monitoring

These components are based on the organization first setting its objectives for financial reporting. The COSO Framework is the predominant framework used by companies in assessing the adequacy of their internal controls over financial reporting. Thus, the COSO Framework has become more widely used as a result of the enactment of the Sarbanes-Oxley Act of 2002.

5-4. Internal control is defined as:

A process, effected by an entity's board of directors, managers, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories: (1) reliability of financial reporting, (2) compliance with applicable laws and regulations, (3) effectiveness and efficiency of operations, and (4) safeguarding of assets.

It is important to assess control risk in an audit engagement because it allows the auditor to identify the types of misstatements most likely to occur and to plan the audit. Internal control is a process that emanates from the board of directors and management of the company and thus is an integral part of the overall governance and risk management process. Internal control over financial reporting includes the design and implementation of control procedures to ensure, among other things, that all transactions are properly authorized, recorded in the correct time period, and valued correctly; and that assets are adequately safeguarded. Since the auditor's job is to render an opinion on the financial statements, they are more concerned with the internal controls that affect financial reporting. In most companies, however, it is difficult to draw a line between internal controls and internal controls over financial reporting, because many controls that may seem unrelated can in some way indirectly affect financial reporting. The broader definition of internal auditing addresses objectives related to operations and compliance, as well as financial reporting.

5-5. Tone at the top is the impression the top management gives the organization about the importance of the internal control structure. If management is very strict about disciplining wrongdoings, personnel will learn that they must follow the rules very carefully. If management is lax about enforcing the controls, there are more likely to be financial misstatements. Auditors assess tone at the top through their interactions with management, and by observing the decision-making and behavior of management. For example, is management always pushing the envelope? Or, in contrast, is management conscientious about its interpretation and application of GAAP? Whether management fits into the former or the latter category is one indication of the tone at the top.

5-6. An organization's control environment is the overall tone of operations of an organization which collectively serve to enhance, or alternatively mitigate, the functioning of specific control policies and procedures. The control environment reflects the overall attitude, awareness, and actions of those in control of the organization in creating an atmosphere of control. The components of the control environment include:
- management's philosophy and operating style,
- the entity's organizational structure,
- the functioning of the board of directors and its committees, particularly the audit committee,
- human resource policies and practices,
- integrity and ethical values,
- commitment to competence.

5-7. The auditor should be capable of evaluating the competency of the accounting staff: first, the auditor has expertise in the accounting area; second, the commitment to competence is an integral part of internal control; and by professional standards, the audit firm should not accept the engagement unless they have the expertise to assess the client's controls.

There are a number of ways in which the auditor can evaluate the competency of the accounting staff, including the following:
- evaluating the judgments made on areas where accounting choices have been made,
- evaluating the number of exceptions noted in audit testing,
- discussions with accounting staff regarding accounting and audit issues,
- gathering input from the CEO or the audit committee,
- evaluating the background (academic and work) of the staff, as well as the experience in dealing with issues related to the company.

5-8. The board of directors and audit committee are responsible to the shareholders and therefore have significant oversight and monitoring responsibilities. Most reports on corporate governance have recommended the need for competent and independent directors who have the time and sufficient information system to provide oversight. If the board and audit committee do not meet the requirements, then it is difficult to assume that there is effective oversight over management. The control environment would be weak and the auditor would have to conclude that there is a significant deficiency in internal control. There are a number of factors the auditor can look at in evaluating the audit committee, including, but not limited to the following:
- the independence of the members,
- the accounting or financial expertise and background of the members,
- the types of questions asked during an audit committee meeting,
- an assessment, through interaction with the audit committee chair and the other members, of whether they take their oversight responsibilities seriously,
- the number of meetings held per year and the length of time of the meetings,
- the agendas for the audit committee meeting (can be compared with best practices),
- the actions the committee takes regarding the evaluation of internal audit and financial personnel,
- the audit committee's own self-evaluation.

5-9. Monitoring is an overall control process that is designed to continually assess the design and operation of a control system. It is designed to give management feedback on how well the existing control system is operating. Examples of monitoring controls include:
- management exception reports on transactions rejected by the computer system,
- management reports on gross margins of products by product lines and by stores,
- management oversight and review of operations.

The authors speculate that the concept of monitoring controls will change the audit by shifting focus to evaluating and testing the effectiveness of monitoring controls. If monitoring controls are working effectively, the auditor and the organization can have confidence that other controls are working properly. The rationale is that properly working monitoring controls should detect and correct problems in other controls on a timely basis.

5-10. There are a number of controls, other than compensation plans, that management can implement to encourage divisional management actions that are consistent with the long-run objectives of the organization. Some of these controls are:
a. Identification of non-financial measures of superior performance. Examples might include production or quality quotas, or both.
b. Establishment of budgets and investigation of variances.
c. Periodic review of controls by internal audit department.
d. Management tone set at the top that manipulation of accounting is unacceptable, even the pushing of accounting transactions that might be acceptable to accomplish a particular objective.

There are significant risks associated with management compensation schemes that place heavy emphasis on reported divisional profits. Without sufficient controls, such as those discussed above, divisional management may be motivated to stretch the accounting for transactions to achieve higher reported earnings in order to maximize bonuses. Some of these schemes might mirror the example discussed in the chapter, but other schemes can have more serious effects on the organization. Some managers "cut corners" on the quality of production to boost profits. There have been examples in the defense industry where managers cut corners by purchasing substandard fasteners that are now failing on multi-million dollar pieces of equipment. Accounting research has shown that the structure of compensation plans for management can significantly influence behavior. Therefore, the auditor should gain an understanding of compensation schemes to determine their potential effect on the organization.

5-11. Significant deficiency in internal controls over financial reporting: a deficiency, or a combination of deficiencies, in internal control over financial reporting that is less severe than a material weakness, yet important enough to merit attention by those responsible for oversight of the company's financial reporting.

Material weakness in internal controls over financial reporting: a deficiency, or a combination of deficiencies, in internal control over financial reporting, such that there is a reasonable possibility that a material misstatement of the company's annual or interim financial statements will not be prevented or detected on a timely basis.

5-12. If an audit committee has weak directors with little financial knowledge and inadequate independence, the auditor would evaluate the control environment part of internal control as weak. The PCAOB says that a non-effective audit committee would constitute a material weakness in internal control over financial reporting, as it indicates that an essential part of internal control may be lacking. Enron, WorldCom, and Tyco all had ineffective boards of directors, and it would be difficult to argue that those boards did not constitute material weaknesses in internal control.

5-13. A material weakness in internal control is a deficiency, or a combination of deficiencies, in internal control over financial reporting, such that there is a reasonable possibility that a material misstatement of the company's annual or interim financial statements will not be prevented or detected on a timely basis. It is an auditor judgment, as well as a management judgment, as to whether a deficiency constitutes a significant deficiency or a material weakness. Some of the factors that the auditor will consider in making such a judgment include:
- potential effect of the control failure on the account balance, i.e. if it could reasonably lead to material misstatements in the financial statements, then it is a material weakness,
- the pervasiveness of the deficiency, i.e. does it affect only one account or does it affect many financial statement accounts, or the overall internal control,
- whether the deficiency is related to a computer program and thus occurs on every transaction, or if it is isolated to selected manual procedures,
- whether it addresses a high risk area, such as a material accounting estimate.

For each deficiency identified, the auditor should consider the types of misstatements that could take place in the financial statements and how the misstatements might occur. The auditor then should develop specific audit tests to determine if such misstatements are included in the financial statements.

5-14. Internal audit plays a key role in assisting management in preparing its report on internal control. Internal audit is one of three sources for management to receive information on the effectiveness of internal controls, but it is probably the most utilized source. Often internal auditors are the ones doing the testing and documentation of the controls rather than management itself. Under the PCAOB standard, internal auditors are considered to be an extension of management rather than independent of management. This is evidenced by the fact that external auditors cannot exclusively rely on the testing done by internal audit when preparing their report on the effectiveness of internal controls.

5-15. Segregation of duties is the separation of functions across individuals such that one individual is not put in a situation where he/she can both perpetrate a fraud or error and conceal the fraud or error through the manipulation of accounting records. The kinds of segregation of duties the auditor will want to inquire about include:
- The functions of authorizing a transaction, recording the transaction and handling any physical assets related to a transaction should be separate. Example: The purchasing agent should not be allowed to set up accounts payable or take custody of the goods when received.
- Authorization of transactions should be separated from the custody of assets and processing of transactions. Example: The inventory clerk should not be allowed to transfer inventory without the written authorization of the production manager.
- Record-keeping and operational responsibilities should be separated. Example: The accounts receivable bookkeeper should not be responsible for the receipt of cash.
- There should be independent checks on the assets and records whereby one department reconciles or otherwise acts as a double check on another department. Example: Employees who are independent of inventory custody or record keeping periodically count inventory and compare it to amounts recorded in the perpetual inventory record.
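The separations listed in 5-15 can be checked mechanically against a table of who holds which duty. The following is an added example, not part of the solutions manual; the duty labels, process names, employee identifiers and the choice to scope conflicts to a single process are assumptions made here.

```python
from collections import defaultdict
from itertools import combinations

# Duty labels are assumptions chosen for this example.
KNOWN_DUTIES = {"authorize", "record", "custody", "reconcile"}

# Pairs of duties one person must not hold within the same process,
# derived from the four separations listed in 5-15.
INCOMPATIBLE = {
    frozenset({"authorize", "record"}): "authorization and recording held together",
    frozenset({"authorize", "custody"}): "authorization and custody held together",
    frozenset({"record", "custody"}): "record keeping and custody held together",
    frozenset({"reconcile", "record"}): "independent check done by the record keeper",
    frozenset({"reconcile", "custody"}): "independent check done by the custodian",
}


def find_sod_conflicts(assignments):
    """Return sorted (employee, process, duty_a, duty_b, reason) findings.

    assignments is an iterable of (employee, process, duty) tuples. The same
    function works on a transaction log if each row is given as
    (user, transaction_id, duty_performed).
    """
    held = defaultdict(set)
    for employee, process, duty in assignments:
        if duty not in KNOWN_DUTIES:
            raise ValueError(f"unknown duty {duty!r} for {employee!r}")
        held[(employee, process)].add(duty)

    findings = []
    for (employee, process), duties in held.items():
        # Test every pair of duties this person holds in this process.
        for duty_a, duty_b in combinations(sorted(duties), 2):
            reason = INCOMPATIBLE.get(frozenset({duty_a, duty_b}))
            if reason:
                findings.append((employee, process, duty_a, duty_b, reason))
    return sorted(findings)


# Constructed sample data mirroring the examples in 5-15.
SAMPLE_ASSIGNMENTS = [
    ("p.agent", "purchasing", "authorize"),
    ("p.agent", "purchasing", "record"),        # purchasing agent sets up payables
    ("recv.clerk", "purchasing", "custody"),
    ("prod.mgr", "inventory", "authorize"),
    ("inv.clerk", "inventory", "custody"),
    ("inv.clerk", "inventory", "reconcile"),    # custodian counts own inventory
    ("count.team", "inventory", "reconcile"),
    ("ar.bookkeeper", "receivables", "record"),
    ("ar.bookkeeper", "receivables", "custody"),  # bookkeeper also receives cash
]

if __name__ == "__main__":
    for finding in find_sod_conflicts(SAMPLE_ASSIGNMENTS):
        print("%-14s %-12s %s + %s: %s" % finding)
```

Running the same check on actual transaction records rather than on assigned duties shows whether the separation operated in practice, not only whether it was designed.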

5-16. The nature of compensation affects human behavior. The auditor needs knowledge of an organization's compensation scheme to determine if there might be motivation to misstate financial data in order to meet performance goals, and thus to generate added bonuses or stock options. The auditor should evaluate the risk associated with accounts that could more directly be affected by those with compensation schemes that are considered risky. For example, the auditor should evaluate significant estimates with a great deal of skepticism, and should perform increased analytical review to search for potential revenue recognition problems.

In evaluating the compensation practices of a company, the auditor should look at whether:
- the compensation promotes short-term thinking,
- the compensation places personal objectives above those of the company,
- employees are compensated with stock. If so, does it promote a long-term view (such as vesting after six years)?
- the employees are required to own company stock themselves so they can act as advocates of shareholders.

5-17.
a. Limit Test. A reasonable limit for types of transactions is set in advance. If a transaction exceeds the limit, the transaction is written out to an edit report that can be reviewed to determine if the transaction is correct. A common type of limit test is setting the number of hours that an employee is expected to work during a given time period. If part-time employees, for example, are not expected to work more than 30 hours during a given week, then a limit test of 30 could be programmed into the system. If someone with a part-time job code worked more than 30 hours, it would be written to an edit report and reviewed by a supervisor to determine if it was valid.
b. Reasonableness Test. The concept is that the organization can determine the reasonable range within which specific types of transactions should fall. Any items outside of the range would be written to an edit report and investigated before they can be processed. An example of a reasonableness test in a retail organization would be setting parameters on the range of individual price items for a department. A nuts and bolts department, for example, would not expect to sell items with unit prices exceeding $10.00.
c. Validity. A validity test identifies a limited number of valid values that a data item may take. An input transaction is compared with the previously identified list of valid transaction characters. Any items failing this list are written out to an edit test. An example of a validity test would include the department number for which a sale is entered.
d. Missing Data. The organization identifies all the data required to process a transaction. Missing data are noted and either an edit report is written or the individual inputting the data may be reminded that such data is required in order to complete a transaction. For example, a retail customer may request a credit card and/or a catalog. A missing data check would prohibit the processing if the customer's address were not entered.
e. Invalid combination of items. Certain logical relationships of data should exist and if they do not exist, the transaction is printed out for further review before processing. An example in the retail environment might match the department code with a valid list of products that are sold in that department.

5-18. The major principles that should guide the development of a comprehensive access control and security program for an organization include:
- The access to any data item should be limited to those individuals with an authorized need to know.
- The ability to change, modify, or delete a data item should be limited to those with the authorization to make such changes.
- The access control system should have the ability to identify and verify potential users as authorized or unauthorized to perform the function requested on the data item identified.
- A security department should actively monitor attempts to compromise the system and prepare periodic reports to those responsible for the integrity of data items on access to the data items.
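The five input edit tests described in 5-17 (limit, reasonableness, validity, missing data, invalid combination) are shown below applied to one batch, with failed items routed to an edit report. This is an added example, not part of the solutions manual; the field names, department numbers, product codes and the "PT" job code are assumptions, and the sample batch is constructed.

```python
from decimal import Decimal, InvalidOperation

# Constructed reference data (assumptions for this example).
VALID_DEPARTMENTS = {"10", "20", "30"}                    # validity list
PRODUCTS_BY_DEPT = {"10": {"BOLT-M6", "NUT-M6"},          # valid combinations
                    "20": {"DRILL-18V"}, "30": {"PAINT-1L"}}
PRICE_RANGE = {"10": (Decimal("0.01"), Decimal("10.00"))}  # dept 10 = nuts and bolts
PART_TIME_WEEKLY_LIMIT = Decimal("30")
REQUIRED_FIELDS = {"sale": ("department", "product", "unit_price"),
                   "timecard": ("employee", "job_code", "hours"),
                   "card_request": ("customer", "address")}


def _amount(value):
    """Parse a numeric field; return None when it is not a finite number."""
    try:
        number = Decimal(str(value))
    except InvalidOperation:
        return None
    return number if number.is_finite() else None


def _is_blank(value):
    return value is None or (isinstance(value, str) and not value.strip())


def edit_check(txn):
    """Return a list of (test, message); an empty list means 'process it'."""
    kind = txn.get("type")
    if kind not in REQUIRED_FIELDS:
        return [("validity", f"unknown transaction type {kind!r}")]
    # d. Missing data: the remaining tests need these fields, so stop here.
    missing = [f for f in REQUIRED_FIELDS[kind] if _is_blank(txn.get(f))]
    if missing:
        return [("missing data", f"{f} is required") for f in missing]

    found = []
    if kind == "timecard":
        hours = _amount(txn["hours"])
        if hours is None or hours < 0:
            found.append(("validity", "hours is not a non-negative number"))
        elif txn["job_code"] == "PT" and hours > PART_TIME_WEEKLY_LIMIT:
            # a. Limit test
            found.append(("limit", f"part-time hours {hours} exceed "
                                   f"{PART_TIME_WEEKLY_LIMIT}"))
    elif kind == "sale":
        dept = txn["department"]
        if dept not in VALID_DEPARTMENTS:
            # c. Validity: later tests are keyed on a valid department.
            return [("validity", f"department {dept!r} is not on the valid list")]
        if txn["product"] not in PRODUCTS_BY_DEPT[dept]:
            # e. Invalid combination of items
            found.append(("invalid combination",
                          f"{txn['product']} is not sold in department {dept}"))
        price = _amount(txn["unit_price"])
        if price is None:
            found.append(("validity", "unit_price is not a number"))
        elif dept in PRICE_RANGE:
            low, high = PRICE_RANGE[dept]
            if not low <= price <= high:
                # b. Reasonableness test
                found.append(("reasonableness",
                              f"unit price {price} outside {low}-{high}"))
    return found


def run_batch(batch):
    """Split a batch into accepted transactions and an edit report."""
    accepted, report = [], []
    for line_no, txn in enumerate(batch, start=1):
        exceptions = edit_check(txn)
        if exceptions:
            report.extend((line_no, test, msg) for test, msg in exceptions)
        else:
            accepted.append(txn)
    return accepted, report


# Constructed sample batch.
SAMPLE_BATCH = [
    {"type": "timecard", "employee": "E1", "job_code": "PT", "hours": "28"},
    {"type": "timecard", "employee": "E2", "job_code": "PT", "hours": "34.5"},
    {"type": "timecard", "employee": "E3", "job_code": "FT", "hours": "45"},
    {"type": "sale", "department": "10", "product": "BOLT-M6", "unit_price": "0.45"},
    {"type": "sale", "department": "10", "product": "NUT-M6", "unit_price": "129.00"},
    {"type": "sale", "department": "99", "product": "BOLT-M6", "unit_price": "0.45"},
    {"type": "sale", "department": "20", "product": "PAINT-1L", "unit_price": "12.00"},
    {"type": "card_request", "customer": "C. Rivera", "address": "   "},
]

if __name__ == "__main__":
    ok, edit_report = run_batch(SAMPLE_BATCH)
    print(f"accepted {len(ok)} of {len(SAMPLE_BATCH)}")
    for row in edit_report:
        print("line %d  %-20s %s" % row)
```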

5-19. The primary methods to authenticate (or verify) that a user is attempting to gain access to restricted data or files include:

a. Method of authentication: Identification by what the user knows, such as passwords, or some other information likely known only to that person such as mother's maiden name.
Advantages and disadvantages: Passwords are easy to implement and if guarded properly by users, they can be quite effective. Passwords are often compromised or shared with non-authorized users. User-selected passwords can be easy to guess and therefore compromised.

b. Method of authentication: Identification of users by something they possess, generally a plastic card with a magnetic strip.
Advantages and disadvantages: The cards contain information needed to identify the user and must be present to gain access. A disadvantage is that cards can be stolen or fraudulently used. In sensitive systems, such as ATMs, the plastic cards are often used in conjunction with a password system to further minimize risk.

c. Method of authentication: Identification of users by some physical characteristic such as fingerprint, voiceprint, or other unique identification.
Advantages and disadvantages: Physical identification is often thought to be best because it is the method we utilize most often to identify other individuals. However, there are problems with implementation of identification by physical characteristics. The required hardware and software have been prohibitively expensive and reliability has been low. There are also questions of potential reliability should someone be inadvertently denied access. There is a second problem with physical identification. Remember that to implement any authentication technique, an image of the physical representation must be stored somewhere on the computer system. The computer is then programmed to compare the representation in the computer with the physical representation sent into the system. If that representation is somehow stolen (either by accessing the system or copying it while being sent over communication lines), then there will be a need to revoke that user's privilege. However, since the privilege is unique to that individual, it is lost to that individual for all time henceforth, thus completely eliminating the individual's ability to use the system. Thus, most systems are going to a combination of the first two items noted above.

5-20. General controls are pervasive control procedures that affect all computerized applications. They interact with application control procedures in forming a data processing control structure. Some general control procedures affect all applications and are considered by the auditor in evaluating the control risk of a specific application, e.g., the control procedure restricting access to computer programs and authorizing changes in computer programs. Some general controls affect a specific computer application indirectly for the time period audited. For example, control procedures over program changes may not affect a computer application that does not undergo any changes during the current time period. Other control procedures, such as access control procedures, will affect all computer applications and should be treated as an integral part of the evaluation of control procedures for the application.

The auditor makes a decision regarding the testing of general controls based on (1) the importance of the procedure to the auditor's assessment of risk for assertions related to particular account balances and (2) the overall importance of the controls to other financial statement accounts. In some instances, management controls provide evidence of the existence of the operation of other controls and may be used by the auditor as evidence of the functioning of other control procedures. For example, the auditor may determine that the personnel manager gets complete reports on all changes to an important file and reviews all changes to that file for authorization and completeness, thereby providing evidence on the effectiveness of other control procedures.

5-21. Management gains assurance about the quality of its internal control systems in much the same way as the external auditor. For example, management can gain assurance through:
- exception reports, often referred to as monitoring controls,
- internal audit examinations and reports,
- regulatory audits and reports,
- external audits and reports,
- periodic control self-assessments by management personnel,
- feedback from operating personnel.

5-22. Controls the auditor might examine to determine that "all valid transactions are recorded" might include:
- use and reconciliation of pre-numbered documents,
- signed authorization of transaction before recorded,
- supervisory review of transactions before recording,
- supervisory review of all exception reports generated by computer edit tests,
- limited access and proper authorization for changing prices for products sold,
- date and time stamps on shipping documents, and similar date and time stamps indicating the recording of the transaction,
- use of carefully controlled corporate documents.

To test whether these controls are operating, the auditor can take a sample of transactions and trace them through the processing system to determine that (1) controls are working as described; and (2) all valid transactions are recorded in a timely fashion.

5-23. The major control objective related to the occurrence assertion is that recorded transactions and events have occurred and they pertain to the entity in question. The occurrence assertion is fundamental to auditing, and only after a transaction is deemed to have happened can it be tested for accuracy. To achieve the occurrence objective, an organization might implement the following controls:
- Pay employees only if the employee already exists on the master payroll and is entered on that payroll by someone independent of payroll processing.
- A supervisor verifies that the employee worked, or the payroll department verifies by existence of time cards.
- Sales are recorded only with evidence of a customer's order and shipment.

5-24. Yes, but only for public companies. The PCAOB has mandated that the external auditor must test operating effectiveness of significant controls in the financial reporting process and cannot exclusively rely on management's tests, including those tests performed by the internal auditors. This PCAOB mandate only applies to public company audits. Nonpublic company auditors are not yet required to report separately on internal controls.

5-25. Yes, management is required to assess each of the items as they are all part of the control environment, and therefore are a critical part of an organization's internal controls. Management and external auditors would go about assessing each item as follows:

Area: Independence and Competence of the Board
Audit Procedures to Assess:
1. Review board composition to determine the number of independent directors.
2. Review minutes to determine if board acts independently, and if they address substantive issues.
3. Assess the quality of interaction with the chair of the audit committee.
4. Determine the extent to which the board is active in strategic planning and risk management.
5. Examine the existence of any past relationship with the audit client, e.g. a past supplier, etc.

Area: Effectiveness of the Audit Committee
Audit Procedures to Assess:
1. Review composition of board to determine if the audit committee meets the requirements of independence and financial expertise by looking at their past experience and education.
2. Evaluate the quality of discussion that takes place during the period of time that the firm sits in on audit committee meetings or in private sessions with the audit committee.
3. Review minutes of audit committee meeting to determine the nature of the meetings and the engagement of committee members.

Area: Competence of Accounting Personnel
Audit Procedures to Assess:
1. Evaluate the background and education of accounting personnel.
2. Review the key accounting judgments made by accounting personnel during the past year to determine if the judgments were (a) appropriate, and (b) properly researched.
3. Determine whether adjustments that were made to the financial statement as a result of the audit reflect on the competency of accounting personnel.
4. Interview and interact with key personnel to determine their accounting knowledge.

Area: Adherence to the Code of Ethics
Audit Procedures to Assess:
1. Review the company's plans (including internal audit) to gain assurance that company employees are adhering to the code of ethics. Review management's findings and follow up on selected findings to verify the result.
2. Determine whether a hotline exists for employee complaints. Review the nature of complaints, and more importantly, determine the nature of follow up by the company.
3. Review communication to employees about the Code of Ethics.
4. Review known ethical violations to determine (a) what action was taken, and (b) for significant violations, how the action was communicated to other employees.

5-26. Publicly-held companies: Auditors must attest to the effectiveness of the client's internal controls over financial reporting. In performing an audit of controls, the auditor must:
- Review the client's documentation of controls, including a description of how the controls are supposed to work (design),
- Review the client's testing of the controls as a basis for reaching their conclusion on effectiveness (operations), but not exclusively rely on management's tests, including those of the internal auditor,
- Determine which controls to test (all significant controls), how large of a sample to take, and how to judge whether or not a control is effective, and
- Reach a conclusion about the effectiveness of the client's internal controls over financial reporting.

Non-publicly-held companies: Auditors must report to management and the board of directors significant deficiencies and material weaknesses in the design or operation of internal controls that are identified in the normal course of a financial audit. This report is only for management and board use. An auditor may choose not to test internal controls when they are not significant to the operations of the company. For example, the auditor may assess control risk as high and concentrate audit work on substantive tests of account balances.

5-27. Under AS 5, auditors attest to the effectiveness of the client's internal controls over financial reporting. Factors to consider in determining the sample size for testing:

Controls performed on every transaction:
a) Whether or not failure of the control procedure is likely to lead to a significant misstatement in the account balance
b) The rate of failure that would lead to a material misstatement, and
c) A statistical confidence level that would assure the auditor that there is not more than a remote likelihood that the control could be failing and not be detected by the auditor

Computerized controls as part of every transaction: Must be sufficient to persuade the auditor that the control operates effectively across a wide variety of transactions throughout the year. If the auditor has already tested controls over program change and has concluded those controls are effective, the tests of the computerized controls could be as small as one. Exception reports may be examined as well.

Monthly control procedures: If the design is adequate, choose one month and re-test the client's tests of these accounts.

Controls over estimates: The auditor is more concerned that these controls are working when it is likely that the amounts would be in year-end balance sheet accounts. The sample should be taken from transactions during the latter part of the year following similar criteria to the transaction controls discussed above.

Year-end adjusting entries: The better the control environment, the smaller the sample size will be, and vice versa. The auditor should select a sample that includes a random selection of entries, but also all entries of significant amount. They should be tested to see that
a) controls are not being overridden by management
b) there is support for each entry
c) each entry has proper approval

5-28. A walkthrough is an audit approach designed to gain an understanding of the processing that takes place in the accounting system. In performing a walkthrough, the auditor "walks" a transaction through its processing and makes inquiries of client personnel about the nature of the processing that takes place at each stage of processing. By walking through the processing of the transaction, the auditor can identify important controls and their operation. The auditor can also identify situations where the client's processing does not follow prescribed procedures.

Taking a tour of the plant can assist the auditor in gaining an understanding of controls in a significant number of ways. Some of these include:
- important information on the procedures used for receipt of goods,
- information regarding the transfer of goods from work-in-process to finished goods,
- an assessment of the control conscientiousness of employees (in a general sense) can be made based on observations,
- use of, and control of, documents used in operations that become part of the accounting system,
- identification and use of computerized collection mechanisms, such as automated time-keeping systems, or transfer of goods through the production cycle, or use of automated equipment to facilitate shipments of goods, and
- the physical control over assets, including the orderly nature of equipment and inventory.
- The general appearance of inventory, production lines, etc. A general observation can tell the auditor quite a bit about how well things are controlled just by how neat the factory floor is and the general appearance of inventory items.

Multiple Choice Questions:
5-29. c.
5-30. d.
5-31. b.
5-32. d.
5-33. e.
5-34. b.
5-35. c.
5-36. d.
5-37. c.
5-38. d.

Discussion and Research Questions:

5-39. a. Controls must emanate from the intent of owners and creditors of an organization to protect the resources entrusted to an organization. The stockholders give the board of directors power to delegate responsibilities to the management of the corporation. The board of directors is responsible for providing management oversight on behalf of the shareholders and is responsible for approving major investments, divestures, and financing for the corporation. Part of the responsibility of the management is to ensure that an effective and efficient control infrastructure is established and followed to produce reliable financial reports, to comply with laws, to run the business proficiently, and to safeguard assets. Stated another way: Controls are a way for management to meet the stewardship obligation to a company's owners (shareholders).

b. This question is intended to challenge students to think about internal controls from a broader perspective than simply the technical details of, for example, what basic controls are, how they operate, and how to test them. Rather, this question is designed to get students to consider the role of internal controls in assuring high quality financial reporting and solid business decision making. Recall that Milacron had the following internal control weaknesses:


o the accounting department lacked the technical expertise to deal with many of the complex accounting issues that the company had to address;
o there was improper segregation of duties regarding the accounting for, and control of, inventory;
o there were improper controls over the dating and recording of sales near the end of the year that could affect the timeliness of recording transactions; and
o there was a weakness in access controls related to the computer system.

Having such internal control weaknesses is not unethical, per se. Rather, management's lack of stewardship as evidenced by these weak controls is what is questionable. Auditors will not view weak controls as an ethical risk factor if management is quick and willing to address the problems. But, if the auditor identifies weaknesses, brings them to management's attention, and management still does not apply the resources necessary to correct the problems, then the auditor might start to question the ethical intent/stewardship of management.

c. This is intended for discussion. Support for the answer that it will improve governance is as follows: Good governance is part of the tone at the top and the control environment. The auditor explicitly has to report to shareholders if the auditor believes there are weaknesses at this level. Thus, there is strong motivation to ensure that governance is good. Controls are designed to provide a stewardship report to the owners of the organization. It is hard to argue that this can be other than good. A sound control system will include improved monitoring controls, including sufficient monitoring by management and the board of directors. Improved monitoring by the board, including risk analysis, will improve the governance of most organizations.

The major argument on the cost-benefit of governance is on the cost side of things. The initial implementation of Sarbanes-Oxley section 404 was very expensive because of the auditors' emphasis on detailed documentation and testing of controls. It was also expensive because most organizations had not taken the time to document and test controls. Thus, there was a heavy start-up cost associated with Sec. 404 reports. However, like everything, there is a learning curve and costs are expected to decrease over time as auditors and managers learn to better document and improve controls.

d. There is evidence that internal control information affects stock prices. Most of the effects on stock prices have been on the negative side due to: accounting restatements, often due to a breakdown in controls, and adverse reports on the quality of controls.

Investors expect high quality internal controls. When the controls, and therefore the trust in management and management's reports, are lacking, investors are not as willing to pay as high a price for the company. This can occur through a higher risk-adjusted discount rate in determining stock prices. The higher discount negatively affects stock prices.

5-40. a. The major elements of an organization's internal control process are:

Control Environment: The control environment sets the tone at the top of the organization and determines the rigor with which systems and controls are adequately designed. The control environment is pervasive.

Risk Assessment: The process the entity goes through to identify and analyze the relevant risks that may affect the achievement of the organization's objectives. It is important that students understand that this risk assessment process is significantly broader than evaluating the risks associated only with the processing of transactions.

Control Activities: The nature of controls to be implemented is directly dependent on the control environment and the risk assessment process. Control activities are the policies and procedures implemented by management to ensure the accomplishment of objectives and the mitigation of risks.

Information and Communication: The process of identifying, capturing, and exchanging information in a timely fashion to enable the accomplishment of the organization's objectives. The communication may come in the form of management reports, detailed analysis of transactions, or direct communication resulting from management supervision. This component incorporates the organization's accounting system and its methods for recording and reporting on transactions.

Monitoring: The process that assesses the quality of internal controls over time and takes corrective action on any deficiencies in either the design or operation of internal controls. Monitoring can take place through either (1) ongoing activities, or (2) separate evaluations. Examples of separate evaluations would include independent reports by the internal audit function.

b. Deficiencies in the Internal Control Process: Deficiencies in the control environment will lead the auditor to assess the lack of control emphasis on the specific implementation of controls within the accounting system. The auditor will consider the following:


The organization's control environment is pervasive. The attitude of those at the top, and their approaches to creating an environment which facilitates overall control provides the framework in which all the other controls operate. Detailed control procedures can be overlooked if management does not reiterate their importance, or in some cases can even be overridden by management. If there is inadequate follow-up and monitoring of controls, it is unlikely that the controls will be effectively implemented.

Deficiencies in Risk Assessment: This would imply the organization has not undertaken a systematic process to identify the pertinent risks that it faces. In turn, this implies that sufficient controls have not been developed to mitigate the risks. The implications for the audit are: The auditor has to assess the significant risks affecting the financial account balances. These risks include the transactions that are processed as part of the everyday activities of the organization and the other processes that lead to accounting estimates. The auditor must determine whether sufficient controls are in place to mitigate these risks and whether or not those controls can be tested.

Unless the auditor can perform his or her own risk analysis and test the controls, it will be difficult to assess control risk at either a moderate or low level, implying a shift towards greater direct tests of account balances.

Deficiencies in Control Activities: Without adequate control procedures, the auditor will resort to direct tests of account balances as the major audit approach. Generally (unless the auditor is dealing with a very small client), such an audit approach will be much more expensive. Before doing so, the auditor will always ask the basic question, "Do sufficient controls exist to ensure that valid transactions will be recorded, or are there sufficient controls to lead to a conclusion that the entity is auditable?"

Deficiencies in Information and Communication: A deficiency in information and communication activities implies that the systems have not been designed to accomplish the organization's objectives. Such deficiencies lead to the development of three major questions for the auditor:

(1) is the system auditable, that is, are there sufficient controls to ensure that all valid transactions will be recorded, and that only valid transactions are recorded, and

(2) is there sufficient documentation to ensure that the system is auditable, that is, the auditor can gather sufficient competent evidence to determine the correctness of the client's account balances.

(3) what are the specific risks of account balance misstatements occurring? The auditor needs to identify the types of misstatements that are likely to occur because of the control deficiencies and design audit tests to determine whether or not such misstatements have occurred in amounts that could be material to the financial statements.

Deficiencies in Monitoring Activities: This implies that management has not set up a systematic process to determine if its underlying information and communication systems have gone out of control. Without such systems, it becomes difficult for the auditor to develop evidence that the system has been working effectively throughout the year (although it may still be possible by testing transactions throughout the year). This would generally lead the auditor to directly testing account balances and not assessing control risk at a low level.

c. The auditor must start with an understanding of the overall control philosophy of the organization. That philosophy manifests itself mostly in the control environment, the organization's commitment to risk assessment, and its commitment to monitoring the effectiveness of internal controls. That understanding is a fundamental part of the assessment. Once the understanding of the control environment is made, the auditor performs the control risk assessment for each accounting subsystem that processes material transactions. Some of the subsystems may contain strong control activities built into the processing system, while others may contain deficiencies. The auditor then considers both (a) the control environment and (b) the specific control procedures in the processing system to determine the likelihood that material misstatements in a particular account balance would not be prevented or detected. Based on that assessment, the auditor evaluates whether there is a material weakness or a significant deficiency in internal controls, and then determines the audit approach to address the possibility of a misstatement.

5-41. a. The elements of an organization's control environment that ought to be considered by the auditor as part of the auditor's process of assessing control risk include:
o management's philosophy and operating style,
o the entity's organizational structure,
o the functioning of the board of directors and its committees, particularly the audit committee,
o human resource policies and practices,
o integrity and ethical values,
o commitment to competence.

The auditor seeks information on the organization's control environment because the control environment is pervasive. The attitude of those at the top, and their approaches to creating an environment that facilitates overall control, provides the framework in which all the other controls operate. Detailed control activities can be overlooked if management does not reiterate their importance, or in some cases can even be overridden by management. If the control environment is weak, it is much more likely that the auditor will view control risk as high, will be unable to rely on controls, and will then have to perform a more substantive (and costly) audit.

b. Sources of Information about the Control Environment:

Control Environment Factor: Management's Philosophy and Operating Style
Sources of Information: Previous interaction with management, especially their openness and candor; and their actions taken on recommendations to improve control. Review of important corporate documents that set policy, such as Corporate Code of Ethics, or management's attention to policies. Management's support of an internal audit department and management's reaction to internal audit reports. Management compensation plans and management's apparent motivation to report higher earnings, coupled with management's willingness to use accounting as a basis to increase reported earnings. Press reports or regulatory reports dealing with the company, many of which will reflect on management.

Control Environment Factor: The Entity's Organizational Structure
Sources of Information: Review of organizational charts. Review of internal audit reports. Interviews with functional department heads to determine if actual organization actions are consistent with organizational structure. Auditor's observation of informal structure versus formal structure. Review of reports, especially monitoring controls, and how they are followed up.

Control Environment Factor: The Functioning of the Board of Directors and its Committees, particularly the Audit Committee
Sources of Information: Review of minutes of board of director and audit committee meetings. Review of audit committee follow-up to previous recommendations by internal and external auditors. Personal interaction with the audit committee regarding their interest in identifying and following up on special projects. Discussion with the internal audit department to determine if the internal audit meets with the audit committee on a regular basis and whether substantive issues are discussed.

Control Environment Factor: Human Resource Policies and Practices
Sources of Information: Organizational charts, policy and procedure manuals. Interviews with functional department heads. Review of important employee contracts.

Control Environment Factor: Commitment to Competence
Sources of Information: Interaction with accounting personnel including an assessment of accounting knowledge, understanding of business purposes of transactions, and access to authoritative pronouncements. Review of hiring practices for key positions in the organization, including background checks. Review of resumes of key financial personnel. Interviews with audit committee and senior management about personnel development; procedures to improve the competence of existing staff; and a review of plans to upgrade financial competencies within the organization. Review of internal audit reports.

Control Environment Factor: Integrity and Ethical Values
Sources of Information: Review of organization's Code of Conduct, including discussions with top and middle management to determine if the Code is followed within the organization. Review of internal audit reports and auditee (especially management) reactions to internal audit reports. Review ethical and legal complaints brought against the organization. Review of follow-up to monitoring reports. Determination of whether effective and timely action is taken.

c. The auditor can document the understanding of the client's control environment in a questionnaire or in a memo. The auditor's understanding needs to be documented such that the control environment's effect on the organization's controls and conduct of the audit can be communicated to all members of the audit team. The auditor should always document his or her reasoning process in concluding that controls are adequate or contain deficiencies. This reasoning process should cover all the elements of the control structure.

5-42. a. Monitoring is an element of internal control that management, the board, and others establish to provide feedback on the effectiveness of operations, compliance with organizational policies and procedures, and the effectiveness of internal controls to accomplish financial reporting objectives. Monitoring controls provide feedback on potential breakdowns in internal control elements in a timely fashion such that timely corrective action can take place. Examples of monitoring controls include:
o periodic internal audit of major processes,
o exception reports that indicate that operations are different from that budgeted or expected given current economic conditions,
o reconciliation controls that identify significant changes or deviations from expectations,
o graphical analysis of sales by time period with an emphasis on identifying significant, unusual sales made near the end of a quarter.

b. Monitoring Controls in Different Types of Organizations:

i. 7-Eleven Store:
a. Monitoring Control: comparison of daily, weekly, and monthly sales with:
o past results for the store,
o results in similar stores,
o expected changes related to current economic conditions,
o gross profit analysis for same time periods.
b. Management would learn about failure of other controls if exceptions are noted:
o skimming of cash receipts,
o failure to record all transactions,
o inadequate control over product and inventory,
o poor management of the store,
o decline in operations.

ii. A chain restaurant such as the Olive Garden:
a. Monitoring Control: comparison of daily, weekly, and monthly sales with:
o past results for the store,
o results in similar stores,
o expected changes related to current economic conditions,
o gross profit analysis for same time periods.
b. Management would learn about failure of other controls if exceptions are noted:
o failure to record all transactions, especially liquor transactions,
o failure to deposit all receipts,
o gross margin analysis would indicate problems with food ordering, efficiency of processing, or skimming of items.

iii. Manufacturing division making rubberized containers:
a. Monitoring Control: comparison of daily, weekly, and monthly sales with:
o past results,
o industry trends,
o gross margin,
o other monitoring controls, including: 1. comparison of inventory with past results and with competitors, 2. review of returns as a percentage of sales, 3. review of aging of receivables and # of days sales in receivables.
b. Management would learn about failure of other controls if exceptions are noted:
o potential fictitious or unusual sales, i.e. sales are made with unusual terms or with management override of policies regarding credit, returns, or other items,
o potential inventory shrinkage and control over recording of inventory, including possible failure of periodic count and reconciliation of actual inventory with book inventory.

c. In a properly designed control system, the auditor can take comfort in the operation of monitoring controls if:
o the auditor has already gained an understanding of the design and operation of the processing and other reporting controls,
o the auditor has assurance that the monitoring controls are soundly designed and exceptions are followed up promptly to determine their cause. Corrective actions are taken as necessary.

If monitoring controls are effective, the auditor should be able to examine monitoring controls to determine if they signal problems and that proper follow-up and corrective action, where merited, are taken. Specific examples of monitoring controls might include: reviews of reconciliations, reviews of internal audit reports, reviews of exception reports, documentation of follow-up investigations and corrective actions.

The bottom line is that if the design of monitoring is effective, the external auditor can shift most of the control testing to determining the effectiveness of monitoring, and then corroborate that information with a small sample of specific controls to determine that monitoring is providing a correct assessment of the controls.

5-43.

Underlying Principle: Integrity and Ethical Values. 1. Ethical values are clearly articulated. 2. Ethical values are clearly communicated. 3. Management monitors adherence to the code of ethics.
Evidence Reviewed: Review of organization's Code of Conduct, including discussions with top and middle management to determine if the Code is followed within the organization. Review of internal audit reports and auditee (especially management) reactions to internal audit reports. Review ethical and legal complaints brought against the organization. Review of follow-up to monitoring reports. Determination of whether effective and timely action is taken.

Underlying Principle: Board of Directors. 1. Is independent and competent. 2. Meets on a regular basis. 3. Addresses meaningful organizational risks.
Evidence Reviewed: Read the minutes of the meetings. Consider board relationships and percentage of independent directors. Discuss overall operation with the Board Chair or independent lead director. Review composition of board subcommittees. Review charter and operation of the audit committee.

Underlying Principle: Organizational Structure: 1. is designed with proper description of roles and responsibilities, and authorities consistent with those responsibilities, 2. facilitates effective communication about controls and reporting, 3. provides for adequate segregation of functions.
Evidence Reviewed: Review of organizational structure design to determine that roles and responsibilities are appropriately defined. Examine correspondence, interview various parties, etc. to determine that the organizational structure operates as designed. Interview selected parties to determine if they understand their responsibilities. Review communications regarding internal controls to see what parties receive the communication and whether appropriate actions are taken in response to the communication. Review the organizational design to determine that proper segregation of duties is contemplated in the design. Review selected activities to determine that there is evidence that segregation of duties takes place.

Underlying Principle: Management Philosophy and Operating Style: 1. is designed to emphasize the importance of sound financial reporting objectives. 2. supports a disciplined approach to selecting and implementing financial reporting principles. 3. management clearly articulates financial reporting objectives.
Evidence Reviewed: Review policy manuals to determine the nature of accounting policies and management's commitment to a sound process of selecting and implementing accounting policies. Determine the extent that policies are revised and reviewed by top management by examining updates to the policies that provide evidence of supervisory approval. Interview employees to determine their personal philosophy on accounting.

Underlying Principle: Commitment to Financial Reporting Competencies. 1. Organization commits to developing financial competencies commensurate with the nature of accounting transactions undertaken by the company. 2. Company avoids transactions that are overly complex and not consistent with the organization's strategies. 3. The company has a hiring and promotion practice that emphasizes financial accounting and control competencies.
Evidence Reviewed: Continuous evaluation of financial accounting personnel as part of every audit engagement, including an assessment of their competencies to make financial reporting decisions. Examine the nature of complex transactions that the company enters into to determine whether they are commensurate with the risks taken and the competencies of the financial reporting personnel. Review the vitas of the financial personnel to determine their educational levels, as well as practical experience. Review HR and other hiring and evaluation processes to determine the extent that financial competencies are evaluated in both the hiring and promotion decisions.

Underlying Principle: Authority and Responsibility. 1. There is board responsibility in overseeing the appointment of key financial positions. 2. There is clear communication as to the appropriate responsibilities of various parties, as well as their authorities. 3. Policy manuals exist that clearly identify authorities and responsibilities.
Evidence Reviewed: Review policy manuals to determine the responsibilities and authorities that are assigned; evaluate whether or not the assignment is consistent with the organization's objectives and minimizing risk. Review management's communication of responsibilities. Take a sample of transactions and determine if they were authorized by proper personnel. Review board minutes and determine the extent to which authorities and responsibilities are reviewed, or are covered [including internal audit reports].

Underlying Principle: Human Resources. 1. Hiring practices reflect a commitment to competencies. 2. Periodic staff evaluations reflect a commitment to financial competencies. 3. Procedures are in place to develop and produce information that is needed to comply with various state and federal regulatory requirements regarding employees, as well as establishing benefits for employees (e.g. pensions).
Evidence Reviewed: Review HR policy manual to determine hiring policies. Take a sample of recent interviews, job applications, and employee hires to determine if they followed organizational policies. Review employee contracts to determine the benefits associated with employees. Take a sample of recent payments to determine if they are appropriately accounted for. Inquire of personnel to determine their approach to ensure that they are in compliance with various regulations. Review regulatory audits, or internal audits, designed to determine compliance with regulatory requirements. Review recent staff evaluations to determine whether the evaluations were completed on time and complied with company policies.

5-44. a. In the broad sense, internal controls exist to identify and manage risks facing a business. Internal controls are an important part of corporate governance, the framework for which consists of the control environment, risk assessment, control activities, information and communication, and monitoring. Management sets the tone of control consciousness that affects the rest of the organization. Within the framework of broad guidelines and policies developed by management, specific control procedures are developed to achieve specific control objectives. Internal controls over financial reporting are much more specific. They include the specific control procedures developed by management to ensure that all transactions are properly recorded, valued, and that financial statements are fairly presented in accordance with generally accepted accounting principles. Key accounting control activities are controls that effectively prevent or detect misstatements. Internal accounting controls are part of the broader set of internal controls. They are a very important part, but they should not be the auditor's only focus.

b. Four main parties that benefit:

Management: Because they have to provide an assessment of internal controls and stand behind it, management will be sure to put more emphasis on their internal control design and operation, which will lead to a more effective company.

Auditor: Because the auditor is required to attest to management's report on the effectiveness of internal control, they will do independent tests in their own thorough assessment of internal control. In addition to the work of management, the auditor's testing will be very likely to turn up inefficiencies and create improvements in existing internal control. Also, the financial statement audit can be focused in certain directions based on the results of internal control testing.

Audit Committee: When shared with the audit committee, the internal control assessments of both management and the external auditor will create a more informed board of directors as a whole. A more informed board can make better decisions for the company, and can make for higher-quality interactions with the external auditor.

Public: Required reporting on internal controls leads to more transparent financial information on companies, which leads to better decisions by investors and, in turn, more efficient financial markets.

c. A company's trading partner may be interested in the quality of an organization's controls because today many businesses are becoming more integrated with one another. If a manufacturer enters into contracts with major suppliers to provide just-in-time inventory, they need to know that the supplier has proper controls to ensure that they will receive high quality supplies, their privacy will be protected, and that there will be proper accounting for the transactions.


d. A negative report on internal controls would likely reduce the market price of that particular company's stock. This is arguable, however. Some investors may look at the description of deficiencies and the solutions that have been put in place and realize that the problems are in the past, and do not create problems for the future cash flows of the company. Many investors, however, will simply see the report as a red flag, and the stock price will drop accordingly. However, as the Professional Judgment in Context feature points out, there have been stock price declines associated with these negative disclosures.

e. The report must address all the components of internal control. The internal control model anticipates that all of the components work together to accomplish the organization's objectives. For example, a weakness in the control environment cannot be offset just by control activities in a particular processing system.

5-45. To facilitate the discussion, we suggest that the instructor may want to place the discussion in the context of an organization that is known locally, or could be related to nationally such that the students have a common frame of reference.

a. Major risks to the achievement of effective internal control. Some of the issues that the groups may want to discuss include risks of:
o Management Override
o Improper Estimates
o Improper Closing Entries
o Transaction Related Risks, including: All valid transactions are recorded; Incorrect recording of data; Incorrect prices; Incorrect processing of transactions; Shipments to the wrong place

b. For each risk, the group should identify a specific type of control that would help mitigate the risk. For example, the control over management override could include: Review of controls by internal audit, Summary of all adjusting entries for review by the audit committee, An active audit committee and an independent audit firm.

Controls over transactions processing would include traditional edit tests, access to the computer system, pre-numbered documents, and so forth.

c. The groups should identify specific tests that would be persuasive in determining whether the controls operate as expected. For example, there should be evidence that the audit committee reviews the nature of the internal audit reports. To the extent that transaction controls are identified, the groups should identify approaches to test each control.

5-46. a. Potential Control Deficiencies and Internal Control Weaknesses

1. Issue: Laid off approximately 75 factory workers
Assessment: Not necessarily a deficiency.
Additional Information Needed, if applicable: Did the change affect the segregation of duties? Is the streamlined receiving working, and is it more efficient?

2. Issue: Cut hourly wages by $3 per hour
Assessment: Most likely no effect on internal controls.
Additional Information Needed, if applicable: Are any of these employees involved in the internal control over financial reporting? Has the wage cut affected either their attitude or conscientiousness about performing control activities?

3. Issue: Reduced the size of the board etc.
Assessment: A material weakness in internal controls, primarily due to the decline in the number of independent directors. In addition, the change in compensation to only stock options may influence the directors' and audit committee members' attitudes towards accounting choices.
Additional Information Needed, if applicable: How many directors are there? What is the independence of the one remaining outside director?

4. Issue: Eliminated the internal audit etc.
Assessment: Significant deficiency in internal control. It is a good thing to have the process owners assume responsibility for evaluating and implementing internal controls. However, they are not objective when it comes to evaluating the adequacy of the controls, or in testing the controls.

5. Issue: Changed from a Big 4 audit firm to a regional audit firm
Assessment: The external audit is not part of the organization's internal control system. It makes sense to reduce costs in a time of difficult financial conditions. Many local and regional audit firms are outstanding. It is a bit troubling here that the client will be the first public client of the audit firm.

6. Issue: Increased reliance on monitoring controls
Assessment: A material weakness in internal controls for two reasons: a. There is no objective assessment by any party. b. Comparison of budget with actual, by itself, is a very weak form of monitoring.

7. Issue: Tighter performance goals etc. for managers
Assessment: Significant deficiency in internal controls. There is a consideration regarding operating philosophy and style. We all know that people are motivated by how they are compensated. Thus, there is a risk that the individual performance objectives may lead some managers to override controls. The auditor would look to see if there are any compensating or mitigating controls, e.g. internal audit. In this case, the lack of internal audit would cause the auditor to, at a minimum, conclude that there is a significant deficiency in internal controls.
Additional Information Needed, if applicable: To what extent do the current year results differ from the previous year's?

8. Issue: The purchasing department has been challenged to move away from single-supplier contracts
Assessment: Of course, this makes a great deal of sense. There are some risks that are related to operational efficiency, and potentially to accounting, that the auditor must consider. However, those risks do not constitute a material weakness or significant deficiency in internal control. The two major risks are as follows: a. Potential decrease in the quality of products going into the company products, b. Potential increase in warranty expenses due to the decrease in cost.
Additional Information Needed, if applicable: Although there may not be enough time to fully assess, the auditor should be alert to the possibility of greater returns or warranty expenses related to a potential decrease in the quality of parts.

9. Issue: A freeze on all hiring, etc.
Assessment: A significant deficiency or possibly a material weakness in internal controls. Again, this is not an unusual action to be taken during a time of severe economic problems. However, since it is in accounting, it may affect: a. the commitment to necessary competencies, and b. the likelihood that more accounting errors will be made because of key personnel being overworked and will not have the time to pay attention to detail.

b. The risk related to financial reporting has increased during the year due to: Potential violation of debt covenants, Loss of independent directors, Shortage of accounting personnel, New compensation system that focuses on reported performance, Changing major suppliers (and potential loss in quality), Change in employee morale, and Higher fraud risk.

There are many ways in which the risk might manifest itself, including: Changes in warranty cost, Changes in accounting estimates, Pressure to record revenue prematurely, More errors in accounting processes.

The auditor needs to adjust the audit as follows: More skepticism and more experienced auditors assigned to the audit, Recognition of potential for fraud, More detailed testing of accounting balances (higher CR risk, and would likely set AR lower), More analysis of sales recognition during the last quarter, More testing of internal controls, Expand work on warranty, More testing of estimates.

5-47. a. Testing a control in operation means that the auditor is taking a sample of transactions to determine if evidence exists that the control is operating as it is designed to operate - and thus is effective in achieving the organization's processing control objectives. The auditor makes a determination of which controls to test by determining which controls most effectively contribute to the accomplishment of a control objective.

If there are three controls that contribute to the accomplishment of a control objective, for example, the auditor may choose to test the one control that, if operating effectively, will accomplish the processing objective.

b. The top-down, risk-based approach advocated by the PCAOB recognizes that auditors should:
- Start with the end-product, i.e. the financial statements, and determine the accounts that are material,
- Determine the risk that the account balance may be misstated,
- Develop specific tests that create a better understanding of the controls regarding the recording of the material accounts,
- Determine the likelihood of a material misstatement in the accounts, and what might cause the account balance to be misstated,
- Develop tests to determine whether a material misstatement occurred.

c. If a documented control is not operating effectively, it is not much different than the control not operating at all. There are two potential consequences:
(1) The auditor reassesses the control risk in the accounting subsystem assuming that the control is not operative. The auditor then determines the critical importance of the control and the effect on processing transactions. If the control is partially working, the auditor's assessment as it affects material misstatements may not be as harsh.
(2) The auditor needs to determine the types of misstatements that will occur and not be prevented or detected by the control procedure, and design specific tests of the account balances to determine if such misstatements had taken place.

d. Should a document not be able to be located by the client, the auditor should become more uncomfortable with assessing the control as effective. Another document (or documents) should be tested. However, realize that when a sample is taken, the original documents (including the lost one) should all be taken into account when making a final assessment.

5-48. a. Potential application control procedures for the order-taking process at Cabela's might include:
- Self-checking digits for all part numbers (optional because some of the other control procedures listed below might compensate for not having this control).
- Well-designed screen format to capture all the required information in a systematic fashion for every order.
- Reference to a customer address and history file. The order taker can gather information such as a customer code number on the catalog or last name and zip code to access a customer history file. The order taker can then verify current address and avoid the need to reenter the data for repeat customers. The order taker can also verify past credit history with the customer and determine whether a credit limit has been established for the customer.
- Computerized tables for prices. The customer can indicate the product number ordered. The system should then access the price table to record the approved catalog price for the item. The order taker can also verify the product description and the price with the customer. This verification process is sufficient to eliminate the need for the self-checking digit.
- Internet ordering whereby the customer clicks on the item for sale and the sale price, adds it to the cart, and then checks out. The key controls include the master part number, description, picture, and price. This approach contains many of the other controls identified above.
- Reference to inventory file to determine quantities on hand. The order taker can improve customer service by referencing the current inventory file to determine whether goods are on hand or back ordered and, if back ordered, the approximate date of shipment so that the customer can determine whether to wait.
- Automatic computation of order total. This total can be communicated to the customer.
- Credit verification with a credit card company before shipment. Phone orders would require the use of an approved credit card or payment before shipment. Most catalog companies do not establish an accounts receivable file.
- Oral verification of products ordered using part number and description. This could effectively replace the self-checking digits and expedite the ordering process.

Edit tests that might be embedded in the software include: Valid product code. Pre-established credit limits. Oral verification of products ordered

b. Similar controls would be used for on-line ordering via the Internet. However, the access to information such as inventory on hand, shipping date, and so forth would be done through the computer software and would not use the intermediary on the phone. Instead of using self-checking digits, the user has a picture and description of the item ordered. The user must submit an approved method of payment before the item can be prepared and shipped. Finally, the user must have an ability to review the total order before final processing (the shopping cart).

c. Response to Control Deficiencies:

Control Deficiency: Self-Checking Digit
1. Types of Errors or Irregularities that Might Occur: Incorrect products might be shipped. However, as noted, this control may be offset by other controls, e.g. oral verification.
2. Audit Procedures to Address Potential Misstatements: Review logs of customer complaints to determine magnitude of customer complaints. Confirm receivables or credit card disputes to determine amounts that might not be collectible.

Control Deficiency: Well Designed Screen Format
1. Types of Errors or Irregularities that Might Occur: Information is missing or orders not processed.
2. Audit Procedures to Address Potential Misstatements: Examine log of items not processed. Major risk is that items will be improperly billed resulting in either misstatement of receivables or inventory. Consider expanding receivables tests and observation of inventory.

Control Deficiency: No Customer Address File
1. Types of Errors or Irregularities that Might Occur: Bill to the wrong address. Grant credit inappropriately.
2. Audit Procedures to Address Potential Misstatements: Similar to above responses. Either there will be customer complaints or a rise in receivables that may indicate uncollectible accounts.

Control Deficiency: No computerized prices.
1. Types of Errors or Irregularities that Might Occur: Customers could be billed at incorrect prices. Inconsistent billing across agents taking the orders.
2. Audit Procedures to Address Potential Misstatements: Review customer complaints and receivables. Take a sample of invoices and trace back to authorized price list to determine potential magnitude of problem.

Control Deficiency: Reference to Quantities on Hand
1. Types of Errors or Irregularities that Might Occur: Increased backorders. Billing for items not shipped.
2. Audit Procedures to Address Potential Misstatements: Customer disputes should be investigated. Expand accounts receivables tests. Review inventory at end of year, probably physically count inventory because of lack of controls.


Control Deficiency Automatic Computation of Order

Credit Verification

1. Types of Errors or Irregularities that Might Occur Orders are computed incorrectly. There is also a potential legal problem if there is a systematic mispricing of orders. Ship goods to customers who do not have credit. Likelihood of collectibility is lower. Increase in uncollectible accounts. Increase the likelihood that (a) incorrect products are shipped, or (b) they are shipped at wrong prices, or (c) there are fictitious invoices.

2. Audit Procedures to Address Potential Misstatements Examine customer complaints. Take a sample of billings and recompute total billing. Examine aging of accounts receivable. Investigate if there are significant differences. Take a random sample of billings and trace to electronic credit approval. Review aging of accounts receivable. Investigate causes of increase. Review aging of accounts receivable. Investigate causes of increase.

Require approved credit card. Oral Verification

Note: Most of the deficiencies will be detected by strong monitoring controls, especially a review of all customer inquiries/complaints by a department separate from the billing department. Such departments normally keep logs of activities. The auditor should be able to examine those logs. Further, if there are problems, the auditor should note that there is either (a) an increase in the amount of write-offs of uncollectible accounts, or (b) an increase in both the volume and the aging of accounts receivable. These signs should lead the auditor to perform additional verification of accounts receivable including increased confirmation and follow-up of receivables.

5-49. a. Authorized price list for all products should be kept in computer tables that must be referenced for all orders. If the price charged a customer differs (either by a small percentage or by any amount), the order would be rejected for processing pending a review and approval of the transaction by the marketing manager.

b. Total payroll on a weekly basis should be compared with the number of employees and previous week's payroll. Batch control procedures should be established to prevent duplicate processing. Edit tests could be implemented to compare the hours worked for a specific time period to determine whether an employee had already been paid for the current period.

c. Access to data files should be limited and controlled via access control methods, preventing the employee's access to the master file. It is especially important that procedures are established relating to employees who have security responsibilities and then are terminated. As an example of this situation in practice, in April of 2007, a key security employee of Wal-Mart took digital secrets regarding plans to sell off part of the business and leaked the information to the Wall Street Journal.

d. Access controls should limit the ability to change the files. In this particular situation, the individual tried to change a product master file. A printout of all changes should be developed as changes are made and sent to the individuals responsible for making the changes. The report would provide evidence of the unauthorized change should the access control procedures fail to operate effectively.

e. Edit tests would determine the validity of a product number. Self-checking digits on high priced products. The computer edit program should verify part number and billing price.

f. Use of self-checking digit would have prevented the error. Further tests could be performed by comparing some other information furnished by the customer such as shipping name or address with the data contained in the customer address file for the customer identifier.

g. Segregation of duties would prevent the individual billing or posting of accounts receivable from receiving cash remittances. The initial segregation can develop accountability and batch controls to ensure the completeness of processing.

h. A limit test on the number of hours worked would detect the errors. A daily report on hours worked by job center prepared and sent to the supervisor of the department for approval would detect the misstatements. Another test would be to limit the timecard to authorized hours and allow changes only when overtime had been authorized.

i. Reference to the up-to-date credit file would identify the error. Credit limits for all customers should be established to minimize the amount of risk.

5-50. a. Questions regarding normal physical controls:
- Are there cameras to monitor the actions of employees?
- Are there locks on doors where appropriate to keep unauthorized users from where they are not permitted to be?
- Are secret paper files containing passwords or other personal information properly secured from public view?
- Does the company use physical scanning as a basis to authorize access to the computer area?
- Are all employees required to wear badges with identification information on them in order to access the computing facility?

b. Three primary methods to authenticate users:
- Something they know, such as a password. These are quick and easy, but are also prone to get lost, stolen, or guessed.
- Something they possess, such as an access card. These are better than just passwords, because they can't be guessed, but they can be stolen.
- Something about themselves, such as a fingerprint, a voiceprint, or some other type of physical identification. These are the most sophisticated and most difficult to steal or copy, but they are very expensive and create more cause for concern about proper controls.

c. If people were to break into a system and steal or copy the physical scans of authorized users, those individuals could masquerade as the authorized personnel by submitting their profiles when logging on to the system. Once the company became aware of the compromise, they would have to revoke the privilege of the authorized user, and the correct person would then be denied access to the system. The key is that a company has to compare the physical scans with previously authorized scans that are on the computer system. If those original scans are compromised then the system is fully compromised. Further, if someone intercepts the passage of a physical scan, then that person's security is compromised. Therefore, most use of physical scans is limited to direct (private) lines into the computer system, e.g. access to the computer operations area.

d. An access control system must restrict access to authorized users for authorized purposes. The three-dimensional matrix matches user groups to data and authorized functions such as ability to read an item, change an item, or input a new item. The organization must identify every data asset or program and then map users and allowable accesses. Then, the organization must implement an authentication procedure to ensure that an individual is who he or she claims to be. An access matrix is vitally important for security. People should not be able to access data or programs that are not related to their work duties. This concept can be seen in non-electronic environments also with physical controls.
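The three-dimensional matrix described in 5-50 d, sketched as an added example that is not part of the original solutions. The user, group and asset names and the sample requests are constructed for illustration; access is denied unless an authenticated user's group holds the requested function on the asset, and the inventory check reports data assets that were never mapped.

```python
"""Access matrix: user group x data asset x function, denied unless listed."""

# The three functions named in the text.
READ, CHANGE, INPUT = "read", "change", "input"

# Constructed sample matrix: (user group, data asset) -> allowed functions.
ACCESS_MATRIX = {
    ("order_entry", "customer_file"): {READ},
    ("order_entry", "sales_orders"): {READ, INPUT},
    ("order_entry", "price_list"): {READ},
    ("marketing_manager", "price_list"): {READ, CHANGE, INPUT},
    ("payroll", "time_records"): {READ, INPUT},
    ("payroll", "payroll_master"): {READ},
    ("personnel", "payroll_master"): {READ, CHANGE, INPUT},
}

# Constructed user list; a terminated employee is removed from this map.
USER_GROUPS = {
    "avery": "order_entry",
    "blake": "marketing_manager",
    "casey": "payroll",
    "devon": "personnel",
}

# Constructed inventory of every data asset the organization has identified.
DATA_ASSETS = {"customer_file", "sales_orders", "price_list",
               "time_records", "payroll_master", "credit_history"}


def is_authorized(user, authenticated, asset, function):
    """Allow only an authenticated, known user whose group holds the function."""
    if not authenticated:
        return False  # identity not established, so no matrix lookup at all
    group = USER_GROUPS.get(user)
    if group is None:
        return False  # unknown or terminated user
    return function in ACCESS_MATRIX.get((group, asset), set())


def review_requests(requests):
    """Decide each request; return the denied ones as an exception report."""
    denied = []
    for req in requests:
        if not is_authorized(req["user"], req["authenticated"],
                             req["asset"], req["function"]):
            denied.append((req["user"], req["asset"], req["function"]))
    return denied


def unmapped_assets():
    """Assets in the inventory with no matrix entry: the mapping is incomplete."""
    mapped = {asset for (_group, asset) in ACCESS_MATRIX}
    return sorted(DATA_ASSETS - mapped)


def groups_able_to(asset, function):
    """Groups holding a function on an asset, e.g. who may change the price list."""
    return sorted(group for (group, a), funcs in ACCESS_MATRIX.items()
                  if a == asset and function in funcs)


# Constructed requests: in-duty access, out-of-duty access, an unauthenticated
# session, and a user ("erin") who is no longer in the user list.
SAMPLE_REQUESTS = [
    {"user": "avery", "authenticated": True, "asset": "price_list", "function": READ},
    {"user": "avery", "authenticated": True, "asset": "price_list", "function": CHANGE},
    {"user": "casey", "authenticated": True, "asset": "payroll_master", "function": CHANGE},
    {"user": "devon", "authenticated": True, "asset": "payroll_master", "function": INPUT},
    {"user": "blake", "authenticated": False, "asset": "price_list", "function": CHANGE},
    {"user": "erin", "authenticated": True, "asset": "customer_file", "function": READ},
]

if __name__ == "__main__":
    for entry in review_requests(SAMPLE_REQUESTS):
        print("DENIED", entry)
    print("Unmapped assets:", unmapped_assets())
    print("Can change price list:", groups_able_to("price_list", CHANGE))
```

The denied list doubles as the log of attempted accesses that a reviewer would examine, and `groups_able_to` answers the segregation question of who can change a master file.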


5-51. a. There are numerous ways in which continuous monitoring might be applied in a computerized application that processes sales. Options the students might consider include: Compare daily recorded sales with sales orders and reconcile differences on a daily basis, Implement a procedure that identifies all items that were rejected by controls and determine that they are investigated and corrected on a timely basis, Use software that continuously tests processed transactions for anomalies in the data, as well as potential controls that did not work or were overridden.

b. The intent of this exercise is to get students familiar with a new class of IT monitoring software that has now reached the market. The three systems the firms sell have a common ability to test for areas where controls are not operating, or were overridden. In addition, they are also quite effective for analyzing incompatible duties in ERP systems such as Oracle or SAP. The software of some of these firms is designed to: Anticipate all the items that could go wrong in processing, Expand the testing beyond the application, for example, the software can check social security numbers against a list of valid social security numbers, Prepare both text reports and graphical reports that quickly tell those who have oversight responsibilities where the systems may be going wrong.

These systems all have the ability to take advantage of many years of analysis of what can go wrong in processing transactions and thus bring an expertise to the systems that is beyond that which any one individual company might accomplish. The discussion of whether these systems constitute a monitoring control or just another level of controls is interesting. In many instances, monitoring often acts as a control that checks the operation of other controls. Thus, in the author's opinion, the products sold by these companies represent an effective way to monitor existing controls.
5-52.

Control Tested (1): All sales over $10,000 require computer check of outstanding balances to see if approved balance is exceeded.
Test Results: Tested throughout year with a sample size of 30. Only 3 failures, all in the last quarter, but all approved by sales manager.
Significant Deficiency? Yes. Obviously $10,000 is a material enough amount that they decided to set the threshold there. A 10% failure rate suggests that the control is not operating effectively, even if the transactions that fell through were later approved. The risk here would be that the estimate for uncollectible accounts would be understated. But the sales manager's approval is an adequate compensating control.
Material Weakness? No, it does not rise to this level given the sales manager's actions.

Control Tested (2): The computer is programmed to record a sale only when an item is shipped.
Test Results: Sampled ten items during the last month. One indicated that it was recorded before shipped. Management was aware of the recording.
Significant Deficiency? No, because it rises to the level of a material weakness.
Material Weakness? Yes. Computers do not make errors. The fact that the recording was made before shipment suggests that the computer control is flawed. Because this is a fundamental transaction to the revenue cycle and many others could potentially have been affected, it should be classified as a material weakness.

Control Tested (3): All prices are obtained from a standardized price list maintained within the computer and accessible only by the marketing manager.
Test Results: Auditor selected 40 invoices and found 5 instances in which the price was less than the price list. All of the price changes were initiated by sales people.
Significant Deficiency? No. The transactions were still recorded for the proper amount: what the customer paid. This does not appear as though it would cause a misstatement as much as it could lead to lower profitability of the business. Questions of computer access controls should also be raised.
Material Weakness? No

Control Tested (4): Sales are shipped only upon receiving an authorized purchase order from customer.
Test Results: Auditor selects 15 transactions near the end of each quarter. On average, 3-4 are shipped each quarter based on salesperson's approval and without a customer purchase order.
Significant Deficiency? No, because it rises to the level of a material weakness.
Material Weakness? Yes. 20% or more error suggests a material deficiency. Considering that this again is a fundamental transaction, the error could have occurred on a large (material) scale. Revenue could be overstated if unauthorized shipments are being made. The estimate for uncollectible accounts would also be affected.

Control Tested (5): Every shipment is assigned a number by the computer when an order is taken. A report is prepared each month showing the status of all items where purchase orders have been received, items currently in progress, and items shipped.
Test Results: Auditor examines three of the weekly reports and observes that the items shown as shipped do not reconcile with the number of items invoiced. Management says this is a regular process and does not affect recording.
Significant Deficiency? No, because it rises to the level of a material weakness.
Material Weakness? Yes. When an item is shipped, the computer is programmed to then record a sale. If the amount shipped does not reconcile with the amount invoiced, the program is not functioning correctly. If the error is large enough, it could be classified as a material deficiency in internal control.


5-53.

(1)
a. Deficiency: The payroll person has complete access to the system and is responsible for keying in all data and preparing payroll checks for distribution. The payroll person can also change pay rates and add/delete personnel. Checks are distributed by supervisors who could have a fictitious employee paid.
b. Potential Misstatements: The payroll person could: (1) add fictitious individuals to the payroll and pocket the checks; (2) change pay rates of a friend and split the extra pay; (3) systematically, even unintentionally, pay employees at the wrong rate.
c. Mitigating Controls: Without the addition of a personnel department to act as a check on the payroll operations, there are no strong mitigating controls. Some that could be considered: (1) A list of authorized employees is kept by someone independent of the payroll person. The paychecks issued every period are reconciled to the total. The Controller or the President of the company could perform the reconciliation. (2) The president could review payroll expense each period for unusual fluctuations or personnel counts. (3) Wage expense per job or functional area could be compared to budget and any excess expenses promptly investigated. (4) The payroll bank reconciliation should be periodically reconciled by someone independent of payroll. On a test basis, the signatures on canceled checks could be compared with employee W-4 forms.
d. Audit Test: (1) Detailed payroll tests could be performed whereby a random selection of paychecks is made and all items are verified including the existence of employee time cards, foremen approval of jobs, president approval of wage rates, and existence of employment forms. (2) Perform an analytical review of payroll expense in relationship to sales or production and investigate any unusual fluctuations.

(2)
a. Deficiency: The person handling cash receipts is in a position to cover up a cash shortage. Someone that does not directly handle cash should perform bank reconciliations.
b. Potential Misstatements: The person handling cash can take cash receipts and cover it up through the bank reconciliation.
c. Mitigating Controls: Have someone independent of the cash processing function prepare the monthly bank reconciliations. Someone independent of the cash handling process should periodically reconcile cash receipts with the credits to accounts receivable and investigate any unusual debits to the cash receipts journal (such as excess cash discounts).
d. Audit Test: Perform a detailed test of the client's bank reconciliation. Independently reconcile the client's bank account at year-end. For a sample of days, reconcile recorded deposits with actual cash receipts to determine if cash is promptly recorded and deposited.

(3)
a. Deficiency: Anyone can operate the cash register, therefore there is no individual accountability for the accuracy of the cash drawer. There is no evidence that the waitress slips are prenumbered or separately accounted for to ensure that all sales are collected.
b. Potential Misstatements: The waitresses could omit orders for friends. Cash receipts could be collected but not rung up in the cash register. The employee could pocket the cash. Items could be billed at incorrect amounts and not detected because there is no independent review of the tickets.
c. Mitigating Controls: The kitchen could be instructed to only prepare food when a ticket is presented. If tickets are in duplicate, the kitchen could keep a copy. The total of the kitchen copies could be reconciled with the total in the cash register for the day. Prenumbering could be added to the tickets. The owner could account for all the prenumbered tickets at the end of each day. The owner could observe the operation of the cash register.
d. Audit Test: It is difficult to test for the under-recording of cash and revenue. The auditor could perform analytical review to determine if there were significant fluctuations in weekly income that could not be explained by the tourist season or weather. One concern the auditor might have is whether the business shows sufficient income to justify its continuance as a going concern. There is a risk that some companies may systematically avoid recognizing income to avoid the income taxes.

(4)
a. Deficiency: There is no indication of password protection for any of the files. There is multiple access to the system without recognition of corresponding accountability. The sales clerk has off-hours access to the system, but that access may provide access to other individuals as well. There is no indication that access is restricted.
b. Potential Misstatements: Anyone with access to the system may have the opportunity to make changes to files or records. Access is not restricted to authorized employees, especially during off-hours. The company may be vulnerable to any loss of data or the computer since there is no evidence of backup of facilities or programs.
c. Mitigating Controls: Implement a password protection program and change the passwords frequently. The controller should implement independent reconciliations, such as bank reconciliation and reconciliation of total billings with sales orders.
d. Audit Test: Review for the existence and effective operation of passwords. Develop independent tests of sales and accounts receivable.

(5)
a. Deficiency: There is no major problem in this situation as long as the individual at the terminal does not have ability to change any of the credit history or other files.
b. Potential Misstatements: There are no apparent problems as long as the system is preprogrammed to review the credit history and determine if an order should be shipped.
c. Mitigating Controls: Shipments should be reconciled with orders. The credit program should be periodically reviewed. Any indication of sales to customers beyond the preapproved credit limit should be investigated.
d. Audit Test: The program can be tested periodically to ensure that the credit program is working effectively. Individual sales orders could be sampled to determine that goods shipped were billed at correct catalog prices and the customer's credit was okay.

(6)
a. Deficiency: The purchasing and receiving functions are concentrated in the hands of the individual placing the purchase order. The purchasing agent orders the goods, reviews the receipts, and approves the items for payment after receiving the invoice from the vendor.
b. Potential Misstatements: A purchase agent could develop fictitious vendors, place orders, dummy up receiving reports, and send invoices for the goods. The agent could then match all the items and send the complete package to accounts payable for payment.
c. Mitigating Controls: Receipts and invoices must go directly to accounts payable. If the purchasing agent wants a copy, then copies could be sent to the purchasing agent. The receiving function needs to be independent of the purchasing function.
d. Audit Test: Detailed tests, including physical observation of inventory are needed. If fictitious items are ordered, inventory will be overstated. Investigation of any vendors with post office box numbers rather than street addresses. Analysis of any unusual purchasing patterns by a purchasing agent.

(7)
a. Deficiency: The sales person enters both the sales price and the purchase price into the document for processing.
b. Potential Misstatements: Since the sales person's commission is based on gross margin, there is the possibility that the salesperson may fraudulently enter an inappropriately low value for the cost of the inventory. Consequently, inventory will be inappropriately relieved and its ending value will be overstated, cost of goods sold will be understated, and sales commissions will be overstated.
c. Mitigating Controls: Computerize the system so that the purchase price is entered into the system when the purchase is made. Identification of the part number sold generates the reduction of inventory and debit to cost of goods sold. Periodic review of departmental gross margin for unusual fluctuations.
d. Audit Test: Perform detailed tests of year-end inventory to determine correct costing of goods.


5-54.

Control (1): Credit Approval
a. Test of Control: (a) Randomly select new orders and determine if credit process is working as described. (b) Obtain a computer print-out of all accounts with a past due balance greater than $22,000 and determine if current shipments are made to the accounts. If yes, determine if credit approval was obtained for the shipments. (c) Randomly select from sales invoices greater than $15,000 and review for credit approval.
b. Modification of Audit Procedures if Control Not Effective: Accounts receivable valuation is likely to be affected since sales would be made to customers that do not meet the client's credit standards. The auditor would expand tests aimed at valuing the allowance for doubtful accounts. Such tests might include: (a) detailed aging of accounts receivable, (b) review of past due accounts to determine collectibility, (c) requesting financial statements of large accounts with past due balances, (d) obtaining outside credit analysis of large past due accounts.

Control (2): Pre-numbered Receiving Slips
a. Test of Control: (a) Review procedures utilized by client to account for prenumbered receiving slips. Test their process for accuracy. (b) Observe the receiving function to determine if receiving slips are filled out when goods are received.
b. Modification of Audit Procedures if Control Not Effective: There will be concern that all receipts were properly recorded. The auditor would likely expand audit tests when observing the client's physical inventory.

Control (3): Payments require purchase order and receiving document.
a. Test of Control: (a) Take a sample of vendor payments to determine that all such payments are accompanied by a receiving slip, purchase order, and vendor invoice. Determine if there is evidence that the items have been matched (such as checkmarks on the documents or initials of the person performing the matching).
b. Modification of Audit Procedures if Control Not Effective: The auditor would be concerned with the payment for fictitious goods and would want to expand the observation of the client's counting of the physical inventory.

Control (4): Credit Memos Not allowed by Accounts Receivable Bookkeeper.
a. Test of Control: Take a sample of credit memos and examine for existence of proper support (receipt of returned goods, customer adjustment, and so forth). Determine that the accounts receivable bookkeeper has not initiated or approved any of the credit memos.
b. Modification of Audit Procedures if Control Not Effective: The auditor would expand the credit memo test to determine that proper support exists for credit memos issued.

Control (5): Cash Receipts and Cash Remittance Advices
a. Test of Control: Select a sample of days' remittances and reconcile deposit slip with remittance advices sent to accounts receivable.
b. Modification of Audit Procedures if Control Not Effective: Expand sample of remittances to ensure that all remittances are recorded on a timely basis or expand confirmation work on accounts receivable.

Control (6): Adding Employees to Payroll Master File
a. Test of Control: Generate a listing of employees added to the master file. Select a sample and see that each employee added had a written authorization form signed by someone in the personnel department.
b. Modification of Audit Procedures if Control Not Effective: Expand payroll tests to examine for the validity of employees. Trace paychecks for selected employees to personnel department records.

Control (7): Password Protection of Payroll File
a. Test of Control: Review policies for adding/deleting or changing passwords with the data processing function responsible for password control. Determine if that function has any logs of access to files (or attempted accesses) by other than the authorized parties. Attempt to access the files using common passwords. Interview payroll personnel regarding password protection.
b. Modification of Audit Procedures if Control Not Effective: Review print-outs of changes made to payroll file and trace to authorization. Expand detailed tests of payroll to determine employee validity and calculation of gross and net pay.

Control (8): Edit Limit Tests
a. Test of Control: Review edit reports generated by computer application to determine disposition of employees working more than 53 hrs. or more than 3 jobs. Submit data to the computer application to determine if the edit tests would reject the items submitted if the items are beyond the limits.
b. Modification of Audit Procedures if Control Not Effective: Expand payroll tests as per above.

(9) Issuance of Credit Memos. (10) Approval of price adjustments more than 6% of customer purchases.

Examine credit memos for proper approval noting attachment of receiving slips or authorization from sales department. Discuss with divisional manager the process for implementing the control. Review all credit memos in excess of a specific dollar limit to determine if divisional management approval is required, and if so, whether it was obtained.

Expand credit memo testing to determine if all receipts of returned merchandise has resulted in credit memo preparation. Review for large adjustments to customers for possible kick-backs to sales person. Determine if such adjustments affects the validity of recorded sales or receivables.


5-55.
For each transaction: Authorization Required; Rationale

(1) Write-off of accounts receivable.
Authorization Required: Credit manager or president of a small company.
Rationale: Someone independent of cash receipts and accounts receivable should have the authority to write-off old receivables so that someone with cash couldn't divert cash and cover it up through write-offs. In a small company, the president should have knowledge of the credit risks assumed by the organization.

(2) Acquisition of New Company
Authorization Required: Board of Directors
Rationale: This represents a major corporate strategic direction and use of shareholder's investment. The Board of Directors is designated to see that such transactions are carried out in the best interests of existing shareholders.

(3) Overtime Pay
Authorization Required: Foreman or supervisor for job.
Rationale: Overtime pay should be authorized by those who will be held accountable for the accomplishment of a job or task within time and cost constraints. It should be approved by someone directly responsible to ensure that overtime is legitimately worked.

(4) Shipping Goods on Account to New Customer
Authorization Required: Credit Department
Rationale: Since the goods are shipped on account, the credit department should determine the credit standing of the new company to minimize uncollectible accounts.

(5) Purchases from new customer
Authorization Required: Purchasing Agent, with review by supervisory personnel or functional management.
Rationale: All orders for goods should come from the purchasing agents. Before adding someone new to the list of authorized vendors, the company may want to examine the vendor's reputation for quality and timeliness.

(6) Temporary investments of funds.
Authorization Required: Treasurer, subject to overall policies developed by board of directors and senior management.
Rationale: Investing funds is the treasurer's function. However, some organizations have specific policies that prohibit investments in common stock. The rationale is to minimize potential risk of temporary funds needed for short-term business purposes.

(7) New line of equipment.
Authorization Required: Divisional management or capital budgeting committee.
Rationale: This is a significant investment and should be approved by senior management to ensure that the commitment of resources is likely to generate a return.

(8) Purchase of a new machine.
Authorization Required: Divisional management or production supervisor.
Rationale: This is an operational decision that is appropriately left in the hands of those responsible for the operations of the division.

(9) Re-writing of major computer program.
Authorization Required: Data Processing Steering Committee (A committee of top executives with responsibility to ensure that computerized developments are consistent with organizational objectives)
Rationale: The re-writing of the program represents a major commitment of data processing resources. The resources should be committed only after there has been a review to ensure that the development is consistent with the overall operations of the organization.


5-56.
a. Elements of Poor Internal Controls include:
1. No credit checks are made of contract clients.
2. Accounts receivable are not recorded nor controlled.
3. Weak control is exerted over cash transactions.
4. No control is in effect between production type work and potential revenues due. Examples: bookkeeping services, design and printing services, and tax work.
5. Forms are not prenumbered or accounted for.
6. There are no controls to assure that all receivables that are due are paid on a timely basis.
7. The control over slow or delinquent payments is very poor.
8. All remittances are not recorded timely, nor is cash deposited daily.
9. There are no running control totals to prevent contract services from exceeding the contract ceilings.
10. No controls are in effect to assure that all work was billed.

b. Elements of Good Internal Control include:
1. A cash log is maintained even though it is not used effectively.
2. Bank reconciliations are made.
3. Monthly analyses of cost percentages of revenue items are performed, although they could be performed more effectively.
4. Historical evidence (audit trail) is maintained of all production work.
5. Periodic analyses are performed of unpaid bills.
6. Copy work paid in cash is balanced to the cash register.
7. Unusual variations between costs and revenues are investigated on a monthly basis.

5-57.
Many of the recent business failures have been typified by a poor or non-existent control structure, or an overzealous management that was willing to override the existing control structure to accomplish their own goals. The objective of this project is to have the students read actual accounts of such failures and identify the control structure problems associated with the failures.

5-58.
This is a project that the authors have used successfully to facilitate student identification of controls in actual working systems. It also provides a diversity of background and items that can be called upon by the instructor to illustrate control concepts.


Cases:

5-59. The following deficiencies are noted (a. Deficiency and Risk; b. Recommendation):

(1) Deficiency: Specific credit limits are not established for each customer.
Risk: Customer balances may become larger than the credit risk might warrant.
Recommendation: Establish specific credit limits for each account. Review the credit limits periodically as more information is obtained on payment history and current financial status of the customer.

(2) Deficiency: Current outstanding balances are not examined before additional credit is granted.
Risk: Customer balances may become larger than the credit risk might warrant.
Recommendation: The customer's current balance should be examined before additional credit is granted. If a computer system is implemented, this can be performed automatically.

(3) Deficiency: Copies of purchase orders should not be sent to warehouse for shipping until credit is approved.
Risk: Goods shipped to customers whose credit is not approved thereby increasing credit risk.
Recommendation: Sales representatives should send both copies of purchase orders to headquarters for credit review. After credit approval, one copy is sent to the warehouse, the other to accounting.

(4) Deficiency: The list of customers with "established" credit is not reviewed for changes in credit worthiness until the account is considered uncollectible.
Risk: Conditions may change. Credit should be updated as new information becomes available.
Recommendation: Credit should be updated on a periodic basis as more information becomes available. If more information is not available, a periodic time period for updating should be established.

(5) Deficiency: Formal policies for writing off accounts receivable have not been established.
Risk: The current system depends on the initiative of the credit manager and on the manager's judgment. This may or may not be appropriate and may not be consistent when there is turnover in the position.
Recommendation: Establish formal policies and guidelines regarding write-offs of accounts.

(6) Deficiency: Uncollectible accounts are not promptly identified and provided for.
Risk: Accounts receivable may be overstated. Sales may continue to be made to accounts that are not collectible.
Recommendation: Establish policy for periodic review of outstanding account balances.

(7) Deficiency: No review of write-offs is made except by the credit manager.
Risk: Excessive and nonwarranted granting of credit. There is the potential for kickback arrangements between customers and credit managers.
Recommendation: Controller, or other appropriate officer, should perform write-offs, or at least review the credit manager's analysis.

(8) Deficiency: No formal policies or guidelines exist for initial credit approval.
Risk: Credit manager may have poor judgment potentially resulting in unwarranted credit risks.
Recommendation: Formal policies and guidelines should be established for initial credit approval. Minimum requirements for customers' financial situation should be set.

5-60. a & b.

Control Objective: Recorded transactions have occurred and pertain to the entity. (Occurrence)
Control Activities:
All uses of the scale (and total weight) should be logged electronically. Transactions can only be recorded based on logged uses of the scale.
Invoices should be automatically printed when an installment is due from the government.
Invoices should be printed only with a completed work order for special-request pick-ups.
Sales for recycled products should only be recorded when a supporting receipt is present.

Control Objective: All transactions have been recorded. (Completeness)
Control Activities:
All uses of the scale (and total weight) should be logged electronically. Each use of the scale must result in a revenue entry made within the same day.
Should a use of the scale be voided, only a manager should have access control to void the transaction.
Send periodic statements to outside customers who do not pay with cash with a balance due. This will serve as an independent check of completeness.
Require the issuance of a receipt for every transaction. One receipt will go to the customer, and the register (or computer) will log a copy. To serve as an independent check, display a sign that says "Your next transaction is free if we fail to issue a receipt."
Manager should reconcile total weight from scale log to total cash receipts.

Control Objective: Amounts have been recorded accurately. (Accuracy)
Control Activities:
A computer program that has been thoroughly tested for accuracy makes all computations. No changes have been made to the program.
Manager should reconcile total weight from scale log to total cash receipts.
Send periodic statements to outside customers who do not pay with cash with changes in balance. This will serve as an independent check of accuracy.

Control Objective: Transactions have been recorded in the correct accounting period. (Cutoff)
Control Activities:
When services are provided, match date on the work order to the date on the invoice.
At the scale houses, require all transactions to be logged within same day that they occurred.

Control Objective: Transactions have been recorded in the proper accounts. (Classification)
Control Activities:
Company uses a chart of accounts and routinizes revenue entries to ensure uniformity from period to period.
In scale houses, have computer program controls to only allow the operator to make one entry (i.e. debit to cash, credit to revenue).
Computer program performing calculations and postings is independently tested and maintained.

Monitoring controls might include:
Periodic reports on waste product versus past history and activity at other waste sites.
Follow-up and investigation of any significant differences.
Internal audit verify use of scales and billing on a surprise basis.
c. Identify the Control Procedures

Control Objective: Recorded transactions have occurred and pertain to the entity. (Occurrence)
Control Activities:
An employee is paid only if the employee already exists on the master payroll and is entered on that payroll by someone independent of payroll processing.
A supervisor verifies that the employee worked, or the payroll department verifies by existence of time cards.

Control Objective: All transactions have been recorded. (Completeness)
Control Activities:
Employee expects a check within a specific time frame and acts as an independent check on performance.
Payroll department reconciles total hours paid within the time period with total hours worked per supervisor or time cards.

Control Objective: Amounts have been recorded accurately. (Accuracy)
Control Activities:
A computer program that has been thoroughly tested for accuracy makes all computations. No changes have been made to the program.
Each employee is given a job classification, and wages are determined by the job classification. No one except supervisory personnel can change the job classification.
Payroll supervisor reconciles hours worked and overall payroll cost for each period and investigates unusual differences.
Individual employee examines paycheck to determine if amounts are correct. Any inquiries are directed to someone independent of the person processing the payroll.

Control Objective: Transactions have been recorded in the correct accounting period. (Cutoff)
Control Activities:
Employee expects a check within a specific time frame and acts as an independent check on performance.
Payroll department reconciles total hours paid within the time period with total hours worked per supervisor or time cards.

Control Objective: Transactions have been recorded in the proper accounts. (Classification)
Control Activities:
Company uses a chart of accounts and routinizes payroll entries to ensure uniformity from period to period.
Computer program performing calculations and postings is independently tested and maintained.
Job codes are verified with the database of active job codes.

d. Identify the approaches to test the controls.

Each control activity is followed by its test.

Occurrence
Control Activity: All uses of the scale (and total weight) should be logged electronically. Transactions can only be recorded based on logged uses of the scale.
Test: Take a random sample and determine that all recorded transactions match the scale log.
Control Activity: Invoices should be automatically printed when an installment is due from the government.
Test: Take a random sample and determine that invoices automatically print on the proper date.
Control Activity: Invoices should be printed only with a completed work order for special-request pickups.
Test: Reconcile special-request invoices to work orders.
Control Activity: Sales for recycled products should only be recorded when a supporting receipt is present.
Test: Reconcile recycled product transactions to receipts.

Completeness
Control Activity: All uses of the scale (and total weight) should be logged electronically. Each use of the scale must result in a revenue entry made within the same day.
Test: Reconcile scale log to transaction journal.
Control Activity: Should a use of the scale be voided, only a manager should have access control to void the transaction.
Test: Review void transactions for manager approval.
Control Activity: Send periodic statements to outside customers who do not pay with cash with a balance due. This will serve as an independent check of completeness.
Test: Review customer balance inquiries and concerns taken by customer service reps.
Control Activity: Require the issuance of a receipt for every transaction. One receipt will go to the customer, and the register (or computer) will log a copy. To serve as an independent check, display a sign that says "Your next transaction is free if we fail to issue a receipt."
Test: Review coupon log, and review circumstances for granting of each coupon.
Control Activity: Manager should reconcile total weight from scale log to total cash receipts.
Test: Take a sample of daily reconciliations and determine that the reconciliation has been performed.

Accuracy
Control Activity: A computer program that has been thoroughly tested for accuracy makes all computations. Check that no changes have been made to the program.
Test: Review the controls over program changes. If the control process is adequate, determine through review that there have been no changes to the program.
Control Activity: Manager should reconcile total weight from scale log to total cash receipts.
Test: Take a sample and review that the reconciliations have been performed.
Control Activity: Send periodic statements to outside customers who do not pay with cash with changes in balance. This will serve as an independent check of accuracy.
Test: Review customer balance inquiries and concerns taken by customer service reps.

Cutoff
Control Activity: When services are provided, match date on the work order to the date on the invoice.
Test: Take a sample of work orders and determine that the work order and the invoice match.
Control Activity: At the scale houses, require all transactions to be logged within same day that they occurred.
Test: Reconcile scale log to transaction posting date.

Classification
Control Activity: Company uses a chart of accounts and routinizes revenue entries to ensure uniformity from period to period.
Test: Ensure that the chart of accounts is up-to-date and accurate. Review any unusual entries.
Control Activity: In scale houses, have computer program controls to only allow the operator to make one entry (i.e. debit to cash, credit to revenue).
Test: Review any unusual entries.
Control Activity: Computer program performing calculations and postings is independently tested and maintained.
Test: Review internal audit or other testing to determine if it is adequate. If not, take a random sample of source entries and trace through the system to determine proper billing.
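Several of the part d tests for the scale houses (recorded transactions match the scale log, scale log reconciled to the transaction journal and posting date, voids reviewed for manager approval, weight reconciled to receipts) can be run over exported records. The following is an added Python example, not part of the original solutions; the record layout, the role name "manager", the flat rate per ton, and all sample records are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Optional

RATE_PER_TON = 40.0  # assumed flat tipping fee, constructed for this example


@dataclass(frozen=True)
class ScaleUse:
    use_id: str
    day: date
    weight_tons: float
    voided_by_role: Optional[str] = None  # None means the use was not voided


@dataclass(frozen=True)
class RevenueEntry:
    use_id: str   # scale use the entry claims to be based on
    posted: date
    amount: float


def check_scale_controls(scale_log, journal, rate=RATE_PER_TON):
    """Return (objective, use_id, detail) findings for the scale-house tests."""
    findings = []
    logged = {u.use_id: u for u in scale_log}
    by_use = defaultdict(list)
    for e in journal:
        by_use[e.use_id].append(e)
        # Occurrence: revenue may only be recorded from a logged scale use.
        if e.use_id not in logged:
            findings.append(("occurrence", e.use_id, "entry has no logged scale use"))
    for u in scale_log:
        if u.voided_by_role is not None:
            # Only a manager should be able to void a use of the scale.
            if u.voided_by_role != "manager":
                findings.append(("void", u.use_id, f"voided by {u.voided_by_role}"))
            continue
        entries = by_use.get(u.use_id, [])
        if not entries:
            # Completeness: every use of the scale must produce a revenue entry.
            findings.append(("completeness", u.use_id, "no revenue entry"))
        for e in entries:
            if e.posted != u.day:
                # Cutoff: the entry must be made the same day as the scale use.
                findings.append(("cutoff", u.use_id, f"posted {e.posted}, used {u.day}"))
            if abs(e.amount - u.weight_tons * rate) > 0.005:
                findings.append(("accuracy", u.use_id, f"amount {e.amount}"))
    return findings


def daily_reconciliation(scale_log, journal, rate=RATE_PER_TON):
    """Days where revenue implied by logged weight differs from revenue recorded."""
    expected, recorded = defaultdict(float), defaultdict(float)
    for u in scale_log:
        if u.voided_by_role is None:
            expected[u.day] += u.weight_tons * rate
    for e in journal:
        recorded[e.posted] += e.amount
    days = sorted(set(expected) | set(recorded))
    return {d: (expected[d], recorded[d]) for d in days
            if abs(expected[d] - recorded[d]) > 0.005}


# Constructed sample records (not real data).
SCALE_LOG = [
    ScaleUse("S-001", date(2024, 3, 4), 5.0),
    ScaleUse("S-002", date(2024, 3, 4), 2.5, voided_by_role="operator"),
    ScaleUse("S-003", date(2024, 3, 4), 3.0),
    ScaleUse("S-004", date(2024, 3, 5), 4.0),
    ScaleUse("S-005", date(2024, 3, 5), 1.0, voided_by_role="manager"),
]
JOURNAL = [
    RevenueEntry("S-001", date(2024, 3, 4), 200.0),
    RevenueEntry("S-004", date(2024, 3, 6), 160.0),
    RevenueEntry("S-999", date(2024, 3, 5), 120.0),
]

if __name__ == "__main__":
    for finding in check_scale_controls(SCALE_LOG, JOURNAL):
        print(finding)
    print(daily_reconciliation(SCALE_LOG, JOURNAL))
```

Running the whole population through checks like these replaces the random sample in the manual tests; each finding still has to be followed up against source documents.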

e. Accounts Payable: The auditor is primarily concerned that all items are paid, only for goods received, and at authorized prices. The testing guidelines follow these objectives. The auditor would expect to see a low amount of tolerable error for each of these areas.

Payroll: The auditor is concerned that employees are accurately paid for time worked, at authorized pay rates (especially union-approved rates), and that benefits are properly accrued. In most environments, the tolerable rate of error approaches zero. The auditor could take a large sample size with a small tolerable error. Alternatively, the auditor could thoroughly test the client's computerized payroll process, including the software for processing the transactions, and the authorization procedures to change pay rates. The auditor should independently test that accruals for benefits are recorded.

Revenue Recognition: The auditor is concerned that (a) all sales are recorded, and (b) the sales are recorded at authorized prices and are recorded in a timely fashion. The environment of a waste hauler is one in which there are more opportunities to conduct fraud, especially skimming money from transactions that are not recorded. Because of fraud, the auditor would establish a low tolerable error. Monitoring controls that track revenue recorded and reconciling them with known contracts will be an important part of the audit process.

5-61.
a. Before entering into such a contract, J.C. Penney would have to have basically an all-access pass to TAL operations. J.C. Penney would want to review financial statements to ensure that TAL is financially stable. They would want to tour the manufacturing plants to gain an idea of the quality control mindset, the treatment of the workers, and the overall efficiency of operations. In summary, J.C. Penney would have to know a great deal about TAL to be able to trust them in such a partnership. J.C. Penney would have to establish a contract regarding confidentiality of information, exclusive rights to manufactured items, and quality of TAL's computer system (including security).

b & c. To ensure that only goods received were billed, J.C. Penney should set up a receiving function within each store for unusual items. Otherwise, most of the shipments should follow Penney's regular process and require goods to go to distribution centers. The receiving department could then match their count to the invoice provided by TAL. In this scenario, J.C. Penney would need to inspect the billings twice a month before wiring the funds to TAL as well. This inspection would also serve as a check that the billing was for authorized prices.

d. Again, a formal receiving function would allow for a count of product as it arrives from TAL, which could be directly compared to the count that makes it to the shelves. Physical controls such as locked doors (physical access controls) and video cameras would also help to avoid theft. TAL should take an interest in these controls being implemented. From their perspective, they are working hard to become a trustworthy business partner to retailers. They should have no problems with physical counts, invoice reconciliations, or physical controls, as they will only add to the perception of TAL as a trustworthy business partner. Should items be stolen from the receiving dock while in the possession of J.C. Penney, TAL would want to make sure that they are not suspected of any wrongdoing.

5-62.
a. The analysis of the effectiveness of the remediation plans might involve the following steps:

(1) Structure the audit problem. The auditor needs to decide whether or not management has remedied the material weakness in internal controls.

(2) Assess consequences of decision. If the auditor concludes that the problems have been remediated, but they actually have not, then shareholders will incorrectly be led to believe that controls are better than they actually are. If the auditor concludes that the problems have not been remediated, but they actually have been, then management would rightfully be upset about the auditor's incorrect conclusion. Ultimately, the importance of the auditor's assessment comes down to accurately assessing control risk going forward, and accurately conveying any problems in internal controls to shareholders.

(3) Assess risks and uncertainties of the audit problem. The risks are that the auditor may incorrectly conclude that controls are better or worse than they actually are.

(4) Evaluate the information/audit evidence gathering alternatives. The auditor is going to need to assess whether management's remediation plans have been effective. The auditor must determine whether management has control procedures in place to accomplish the following tasks:
Identify competencies. The auditor should seek evidence on the hiring process, and should evaluate the professional certification of the individual(s) that Milacron hired in the wake of the material weakness.
Retain individuals with those competencies. The auditor should seek evidence on the level and type of compensation that the accounting and finance personnel receive. Is it adequate? Is it appropriately motivating in terms of what those individuals could make elsewhere?
Periodically evaluate competencies. The auditor should seek evidence on the review procedures concerning complex accounting judgments, and they should seek evidence on the training provided to accounting and finance personnel, e.g., continuing professional education.

(5) Conduct sensitivity analyses. Probably does not apply to this particular decision.

(6) Gather information/audit evidence. The auditor needs to acquire and document information about the items discussed in part (4) above.

(7) Make the decision about the audit problem. Using the information gathered in steps 4 and 6 above, the auditor will have the data necessary to determine whether or not management has effectively remediated the problems.

b. Auditors will not view weak controls as an ethical risk factor if management is quick and willing to address the problems. But, if the auditor identifies weaknesses, brings them to management's attention, and management still does not apply the resources necessary to correct the problems, then the auditor might start to question the ethical intent/stewardship of management, particularly if the weak controls manifest themselves in problems in the area of the judgmental aspects of accounting.


FORD MOTOR COMPANY AND TOYOTA MOTOR CORPORATION: INTERNAL CONTROL OVER FINANCIAL REPORTING

1a. Both Ford and Toyota management comment on disclosure controls. What are disclosure controls? Why are they important?

The SEC defines disclosure controls and procedures as controls and other procedures designed to ensure that information required to be disclosed in [Exchange Act] reports is recorded, processed, summarized and reported, within the time periods specified in the Commission rules and forms. Disclosure controls and procedures include, without limitation, controls and procedures designed to ensure that information required to be disclosed by an issuer in its Exchange Act reports is accumulated and communicated to the issuer's management, including its principal executive and financial officers, as appropriate to allow timely decisions regarding required disclosure.

1b. Both Ford and Toyota management comment on the fact that internal control over financial reporting has inherent limitations. What are those inherent limitations?

The inherent limitations are that, while controls may be designed and monitored properly, unintentional errors or intentional misstatements (e.g., fraud) may still be reflected in the financial statements. The comment about inherent limitations is designed to point out to financial statement users that no control system provides perfect, 100% assurance that the financial statements are free of material error.

1c. Ford notes a variety of material changes in internal control. What are those changes? Do any cause you particular concern?

Change in communication to dealers about incentives. Ford changed from a quarterly to an annual communication to dealers about incentive availability. Essentially, it appears that this gives Ford more leeway in committing to dealer incentives, thereby shifting some risk away from Ford and to its dealers directly.
Change in agreements to employees regarding health care liability. This change effectively limits benefits to employees to a defined contribution plan (rather than a defined benefit plan). Thus, the new agreement puts Ford at less risk.
Change in shipping/transfer of ownership terms in Europe. This change affects revenue recognition, effectively delaying it from the point of shipment to the point of delivery.

1d. How does management reach their comfort level that internal control does not contain any material deficiencies?

We addressed this question earlier. Management needs to develop procedures that they can rely on in order to gain assurance that internal control continues to be operating effectively. Companies have taken a variety of approaches to gain that assurance including:
Sub-certifications by managers at all levels in the organization,
Review of the internal control process by the internal audit department,
Results of self-assessment tests by departments, or groups, or divisions.
Monitoring of internal controls following the guidelines issued by COSO.

1e. From a conceptual point of view, assume two companies are the same size, participate in the same industry, and have the same reported net income. However, one has a material weakness in internal control over financial reporting and the other does not have any deficiencies. Should the stock price of the two be different? If yes, what is the rationale for the difference in the stock price?

This is an important question in evaluating the value of public reporting on internal control. If two companies appear to be about the same, but one has a weakness in internal control, that would imply that the market has less confidence in the ability of the company to properly prepare financial information that is given to the public on either an annual basis or on an interim basis throughout the year. If the company has less reliable information, then the company has greater risk to the investor. Greater risk implies that the investor would use a higher discount rate in calculating the expected value of the company's stock. A higher discount rate would result in a lower stock price for the company.
