Chapter 05 - Risk Assessment: Internal Control Evaluation

LEARNING OBJECTIVES | Review Checkpoints | Exercises, Problems, and Simulations
Distinguish between management’s and auditors’ responsibilities regarding an entity’s internal control | 1, 2, 3, 4 | 62, 63, 67
Define and describe internal control | 6, 7 | 68
Define and describe the five basic components of internal control, and specify some of their characteristics | 9, 10, 11, 12, 13, 14, 15, 16, 17, 18 | 64, 72, 74
Explain the phases of an evaluation of control and risk assessment and the documentation and extent of audit work required | 19, 20, 21, 22, 23, 24, 25 | 66, 69, 73
Describe additional responsibilities for management and auditors of public companies required by Sarbanes-Oxley and AS | 26, 27, 28, 29 | 65, 74, 75
List the major components of the auditors’ report on internal control over financial reporting | 30 |
Describe situations in which the auditors’ report on internal control over financial reporting would be modified | 31, 32, 33 |
Explain the communication of internal control deficiencies to those charged with governance, such as the audit committee and other key management personnel | 34 |
Explain the limitations of all internal control systems | 35, 36 |
 | | 70, 71

SOLUTIONS FOR REVIEW CHECKPOINTS

5.1 As stated in the Sarbanes-Oxley Act of 2002, management is responsible for establishing a control environment, assessing risks it wishes to control, specifying information and communication channels and content (including the accounting system and its reports), designing and implementing control procedures, and monitoring, supervising, and maintaining the controls. Business managers can make estimates of benefits to be derived from controls and weigh them against the cost. Managers are perfectly free to make their own judgments about the necessary extent of
controls. Managers can decide the degree of business risk they are willing to tolerate. External auditors are not responsible for designing effective controls for audit clients. They are responsible for evaluating existing internal control and assessing the control risk in them.

5.2 Control risk is the probability that the client’s internal control procedures will fail to prevent or detect material errors and frauds, provided any enter the data processing system in the first place. Assessing control risk is part of using the audit risk model in the planning stage of the audit.

5.3 The primary reason for conducting an evaluation of a client’s existing internal control system is to give the auditors a basis for finalizing the details of the account balance audit program—to determine the nature, timing and extent of subsequent substantive audit procedures. For public companies, Sarbanes-Oxley requires auditors to audit internal controls as part of the financial statement audit. A secondary purpose for conducting an evaluation of internal control is to be able to make constructive suggestions for improvements. Officially, the profession considers these suggestions a part of the audit function and does not define the work as a consulting consultation. Another purpose of the evaluation is to report to management and the board of directors or its audit committee any discovery of any significant internal control deficiencies.

5.4 If control risk is low, auditors can perform less effective substantive procedures, earlier in the audit, with smaller sample sizes, than if control risk is moderate or high.

5.5 Using a numeric evaluation provides a precise level of risk that can be included in statistical sampling procedures. However, using words recognizes the imprecise nature of evaluating control risk.

5.6 The three categories of control objectives are:
• Reliability of financial reporting
• Effectiveness and efficiency of operations
• Compliance with applicable laws and regulations
Auditors are primarily concerned with reliability of financial reporting; however, some operating and compliance controls may be important for the financial statement audit.

5.7 Internal control is operated by people. People make the system work at every level of company management. People establish the objectives, put control mechanisms in place, and operate them. Since people operate the controls, breakdowns can occur. Human error, deliberate circumvention, management override, and improper collusion among people who are supposed to act independently can cause failure to achieve objectives. Hence, a company’s managers can decide that certain controls are too costly in light of the risk of loss that may occur.

5.8 Four types of breakdowns relate to people-caused failures. The four are human error, deliberate circumvention, management override, and improper collusion among people who are supposed to act independently, any of which can cause failure to achieve objectives. Internal control can help prevent and detect these people-caused failures, but it cannot guarantee that they will never happen.

5.9 The COSO Report states that internal control consists of five interrelated components:
• Management’s control environment
• Management’s risk assessment
• Management’s control procedures
• Management’s monitoring
• Management information and communication systems

5.10 The control environment sets the tone of the organization. It is the foundation for all other components of internal control. It provides discipline and structure. Control environment factors include the integrity, ethical values, and competence of the company’s people. The following are general elements of an internal control environment:
• Management’s philosophy and operating style
• Management and employee integrity and ethical values
• Company organizational structure
• Company commitment to competence—job skills and knowledge
• Functioning of the board of
directors, particularly its audit committee
• Methods of assigning authority and responsibility
• Presence of an internal audit function
• Human resource policies and practices

5.11 The purpose of risk assessment is to identify and control for those factors, events, and conditions that may prevent the organization from achieving its business objectives. All companies face the risk that their financial statements may be unreliable. They may report assets that do not exist or ones that are not owned by the company. Asset and liability amounts may be improperly valued. They may fail to report liabilities and expenses. They may present information that does not conform to GAAP. The risk of producing unreliable financial reports arises from control breakdowns.

5.12 A company control procedure is an action taken for the purpose of preventing, detecting, or correcting errors and frauds in transactions.

5.13 Four kinds of functional responsibilities that should be segregated:
• Authorization to execute transactions
• Recording of transactions (bookkeeping)
• Custody of assets
• Periodic reconciliation (comparison) of existing (real) assets to recorded amounts

5.14 The audit trail is the set of accounting operations from transaction analyses to reports. It starts with the source documents, proceeds to data entry, then to transaction processing and posting to ledger accounts, then from ledger accounts to the financial reports. Auditors often follow this trail forwards and backwards!
They will follow it backwards from the financial reports to the source documents to determine whether everything in the financial reports is supported by appropriate source documents. They will follow it forward from source documents to reports to determine that everything that happened (transactions) got recorded in the accounts and reported in the financial statements.

5.15 ITGCs apply to all the applications systems and help ensure their continued proper operations. They include controls over data center operations, system software acquisition and maintenance, access security, and application system development, including changes in software and databases. They include physical security, hardware controls, separation of duties within the IT department, documentation and back-up procedures, and other controls. ITACs include computerized steps within the application software and related manual procedures to control the processing of various types of transactions. ITACs are specific to each cycle (e.g., revenue and collection, acquisition and expenditure, etc.).
They are divided into the following categories: input controls, processing controls, and output controls.

5.16
Valid character tests | Customer name alphanumeric and customer number numeric
Valid sign test | All amount fields positive, sales amount greater than zero
Missing data test | Bill of lading document number included
Sequence test | Invoice numbers are in sequence and none missing
Limit or reasonableness test | Total invoice less than $25,000

5.17 Many financial reporting processes such as final adjusting entries, consolidating entries, and footnote amounts are performed using spreadsheet applications.

5.18 Everyday monitoring examples:
• Operating managers compare internal reports and published financial statements with their knowledge of the business
• Customer complaints of amounts billed are analyzed
• Vendor complaints of amounts paid are analyzed
• Regulators report to the company on compliance with laws and regulations (e.g., bank examiners’ reports, IRS audits)
• Accounting managers supervise the accuracy and completeness of transaction processing
• Recorded amounts are periodically compared to actual assets and liabilities (e.g., internal auditors’ inventory counts, receivables and payables confirmations, bank reconciliations)
• External auditors report on control performance and give recommendations for improvement
• Training sessions for management and employees heighten awareness of the importance of controls
These are monitoring controls when they are used to determine the effectiveness of control procedures.

5.19 Yes and no. The phase understanding must always be followed by a control risk assessment phase and documentation of control risk less than 100% (compliance phase). However, test of controls procedures are only required for non public companies if the audit team wants to lower the control risk assessment.

5.20 An audit team can find client’s documentation of the accounting system in the:
• Chart of accounts
• Accounting manual—definitions
and instructions about measuring and classifying transactions
• Computer systems documentation
• Computer program documentation
• Systems and procedures manuals
• Flowcharts of transaction processing
• Various paper forms

5.21 Advantages of control questionnaire:
• Easy to complete
• Checklist of questions
• Less chance of overlooking something important
Disadvantages:
• May contain numerous irrelevant questions
• Tendency to treat it like another form to fill out
Advantages of memorandum documentation:
• Can explain the precise controls applicable to the particular client (precise tailoring)
• Requires penetrating analysis
• Minimizes tendency toward perfunctory review
Disadvantages:
• Hard to write. Often lengthy
• Hard to revise in subsequent years
Advantages of flowchart:
• Graphic presentation of systems
• Shows the steps required and the flow of forms and documents
• Easy to read and analyze
• Easy to update in subsequent years
Disadvantages:
• Takes some time to draw neatly

5.22 A “bridge working paper” connects the control evaluation to the audit program (subsequent procedures). It contains brief descriptions of control strengths and weaknesses, implications for control or error related to accounts, and statements of audit program procedures related to the strengths and weaknesses. The procedures related to control strengths are “test of control procedures,” and the ones related to control weaknesses are substantive procedures.

5.23 A test of controls is an audit procedure designed to produce evidence about the effectiveness of a client’s control activity. A test of control procedure is a two-part statement, consisting of:
Part One: Identification of a data population from which a sample of items will be selected for audit
Part Two: Expression of an action of either (1) determining whether the selected items correspond to a standard or (2) determining whether the selected items agree with information in another
data population.
A test of control procedure may also consist of a direct observation of a control activity that leaves no documentary trail.

5.24 “Inspection,” in a test of control procedure, refers to auditors looking to see whether client personnel stamped, initialed, or left other signs that their assigned control procedures had been performed. “Reperformance,” in a test of control procedure, refers to auditors doing again the control that was supposed to have been performed by the client personnel (recalculating, looking up the right price, comparing quantities, and so forth).

5.25 A “dual-purpose test” serves the purposes of (1) obtaining evidence about a client’s control performance [test of control], and (2) obtaining evidence to help detect material misstatements in account balances and disclosures [substantive procedure].

5.26 Management must (1) acknowledge its responsibility for establishing and maintaining effective internal control over financial reporting; (2) state that it has performed an evaluation and made a conclusion about the effectiveness of the entity’s internal control over financial reporting; (3) disclose to the audit team any frauds resulting in a material misstatement to the entity’s financial statements (as well as any other immaterial fraud that involves key managers), all significant deficiencies, and any material weaknesses identified during its evaluation; and (4) state that management did not use the auditors’ procedures performed during the audits of internal control over financial reporting or the financial statements as part of the basis for management’s assessment of the effectiveness of internal control over financial reporting.

5.27 The six steps for auditing internal controls are:
• Plan the engagement
• Evaluate management’s assessment process
• Gain an understanding of internal control over financial reporting
• Test
and evaluate design effectiveness of internal control over financial reporting
• Test and evaluate operating effectiveness of internal control over financial reporting
• Form an opinion on the effectiveness of internal control over financial reporting

5.28 An internal control deficiency exists when the design or operation of a control does not allow the company’s management or employees to detect or prevent misstatements in a timely fashion. A significant deficiency is defined as a condition that could adversely affect the organization’s ability to initiate, record, process, and report financial data in the financial statements. A material weakness in internal control is defined as a deficiency, or combination of deficiencies, that results in a reasonable possibility that a material misstatement would not be prevented or detected on a timely basis.

5.29 Auditors can issue one of three types of reports on internal controls:
• Unqualified—no material weaknesses
• Qualified or disclaimer—audit team cannot perform all of the procedures considered necessary
• Adverse opinion—material weakness exists

5.30 The major components of the auditor’s standard, unqualified report on internal control over financial reporting are:
• A title that includes the word independent
• Statements regarding the responsibility of the auditors and management with respect to the assessment and evaluation of internal control, as well as the title of management’s report on internal control over financial reporting
• A paragraph indicating that the engagement was conducted in accordance with standards established by the Public Company Accounting Oversight Board, with a brief description of the procedures performed in the engagement
• The definition of internal control over financial reporting
• An identification of the inherent limitations of internal control over financial reporting
• The auditors’ opinion on whether the entity maintained effective internal control over financial reporting. The opinion
in the above report represents an unqualified opinion on internal control over financial reporting
• A reference to the auditors’ opinion on the financial statements, indicating the type of opinion expressed
• The date of the report

5.31 Major reasons for departing from the standard, unqualified report on internal control over financial reporting include:
• Material weaknesses in internal control over financial reporting
• A limitation in the scope of the engagement
• Management’s disclosures of the effectiveness of its internal control over financial reporting are inappropriate
• Other auditors have audited the financial statements and internal control over financial reporting of one or more components of the entity
• Changes in internal control have occurred that materially and adversely affect the effectiveness of the company’s internal control over financial reporting
• Management provides other information in its report on internal control over financial reporting

5.32 The auditors should issue an adverse opinion on the effectiveness of internal control over financial reporting if a material weakness exists. If a material weakness in internal control is identified, the auditor’s standard, unqualified opinion on internal control over financial reporting would be modified to:
• Include a paragraph immediately following the inherent limitations paragraph that defines a material weakness and describes any material weakness(es) identified during the audit
• Modify the opinion paragraph to indicate that because of the effect of the material weakness(es) identified, the Company has not maintained an effective internal control over financial reporting

5.33 If a scope limitation exists, disclaimer of opinion would be issued or the auditors would withdraw from the engagement, depending upon the significance of the limitation.

5.34 Auditors must communicate significant deficiencies and material weaknesses that come to their
attention in the performance of the audit to management, the board of directors, or its audit committee. Auditors often issue another type of report to management called a management letter. This letter may contain commentary and suggestions on a variety of matters in addition to internal control matters.

5.35 Internal control cannot provide absolute assurance that financial statements will not contain a material misstatement because:
• The effectiveness of controls will be limited by the realities of human frailty
• Internal controls can break down due to misunderstanding, mistakes, and errors due to carelessness, distraction or fatigue
• Management can often override controls
• The collusive activities of two or more individuals can result in control failures
• Controls must be subjected to cost-benefit analysis

5.36 Reasonable assurance is closely related to cost-benefit analysis. By definition, reasonable assurance recognizes that the cost of an organization’s internal control should not exceed the benefits obtained by the control. Management is responsible for assessing the cost and benefits of controls, hence their reasonable assurance. Auditors get into the act of reasonable assurance assessment when they consider whether to make recommendations about control improvement in a management letter. Both parties must consider that the SEC regards reasonable assurance as a high standard that means the probability of controls not detecting or preventing material misstatements is remote.

SOLUTIONS FOR MULTIPLE-CHOICE QUESTIONS

5.37
a. Incorrect. Effectiveness and efficiency is an objectives category, not a fundamental concept.
b. Correct. “People” is the most important fundamental concept.
c. Incorrect. Reliability of financial reporting is an objectives category, not a fundamental concept.
d. Incorrect. Compliance with laws and regulations is an objectives category, not a fundamental concept.

5.38
a. Incorrect. Management letter suggestions are a secondary purpose.
b. Correct. Second GAAS fieldwork standard.
c. Incorrect. This is a paraphrase of the third GAAS fieldwork standard.
d. Incorrect. Communication of control-related matters is a secondary purpose.

5.39
a. Incorrect. Larger sample sizes expand audit procedures.
b. Incorrect. Performing procedures at year-end instead of at interim generally represents stricter application.
c. Incorrect. External evidence represents stricter application.
d. Correct. Smaller sample size is a restriction or relaxation of audit procedure application.

5.40
a. Incorrect. Financial totals can be used as input, processing, and output controls.
b. Correct. Financial totals can be used as input, processing, and output controls.
c. Incorrect. Financial totals can be used as input, processing, and output controls.
d. Correct. Financial totals can be used as input, processing, and output controls.

5.41
a. Incorrect. This is a general control that secures the hardware.
b. Incorrect. This is a general control over software changes.
c. Incorrect. This is a general control for all data.
d. Correct. This is an output control.

5.42
a. Correct. The terminated person would not be in the timekeeping total.
b. Incorrect. Works only if the correct number of checks is known.
c. Incorrect. The terminated employee will have a valid number.
d. Incorrect. The use of hash total only indicates whether the employee numbers have been input correctly.

5.43 a. Incorrect; b. Correct; c. Incorrect; d. Incorrect.
The absolute amount of cost is irrelevant. Year-end substantive work usually costs more than control evaluation work. The year-end cost savings exceeds the control evaluation cost. Whether the cost of control work exceeds (or does not exceed) the cost of year-end work is irrelevant. Efficiency relates to the cost that can be saved as a result of control evaluation work. Efficiency is not achieved by cost reductions being less than control work cost.

5.44
a. Incorrect. The narrative is the documentation result of obtaining evidence.
b. Correct. The ICQ is a device for collecting evidence in the form of answers to control questions.
c. Incorrect. A flowchart is the documentation result of obtaining evidence.
d. Incorrect. (This is the throwaway!) The audit documentation is the documentation of the evidence obtained.

5.45
a. Correct. The bridge working paper connects control evaluation findings of strengths to test of control procedures for testing the strengths, and control evaluation findings of weakness to suggestions for substantive procedures.
b. Incorrect. Control objectives are only implicit in the bridge working paper.
c. Incorrect. Control objectives are only implicit in the bridge working paper.
d. Incorrect. Assertions are related directly to substantive procedures and not to test of control procedures.

5.46
a. Incorrect. Substantive procedures produce evidence about financial statement assertions.
b. Incorrect. Company control procedures accomplish company control objectives.
c. Incorrect. Analytical review is not accomplished with test of control procedures.
d. Correct. Tests of controls produce the evidence about actual operation of company control procedures.

5.47
a. Incorrect. This describes an audit procedure.
b. Correct. This is one general way to define the purpose of control procedures.
c. Incorrect. This is a definition of an accounting system.
d. Incorrect. This is a description of one of the elements of the control environment.

5.48
a. Correct. The audit team identifies significant accounts, locations, and assertions in the planning stage of an integrated audit.
b. Incorrect. The audit team conducts a walkthrough of the internal control process when testing the effectiveness of the company’s internal control.
c. Incorrect. The audit team makes inquiries of employees regarding the existence of control procedures when testing the effectiveness of the company’s internal control.
d. Incorrect. The audit team reperforms control procedures performed by client employees to determine their effectiveness when testing the effectiveness of the company’s internal control.

5.49
c. Correct. A material weakness in internal control is defined as a deficiency, or combination of deficiencies, that results in a reasonable possibility that a material misstatement would not be prevented or detected on a timely basis.

5.50
a. Incorrect. Record totals suggest dollar amounts.
b. Correct. Hash totals involve non dollar totals.
c. Incorrect. Data totals suggest dollar amounts.
d. Incorrect. Field totals suggest dollar amounts.

5.51
d. Correct. Cash deposits + discounts = payments credit to receivables. (Answers a, b, and c use the wrong arithmetic.)

5.52
c. Correct. AS applies to financial reporting controls only.

5.53
c. Correct. Under AS 5, auditors are required to issue a report on internal controls; they no longer have to report on management’s report on internal control (required under AS 2).

5.54
c. Correct. AS requires testing for design effectiveness and operating effectiveness.

5.55
a. Incorrect. All three are indicators of a material weakness.
b. Incorrect. All three are indicators of a material weakness.
c. Incorrect. All three are indicators of a material weakness.
d. Correct. All three are indicators of a material weakness.

5.56 NOTE TO INSTRUCTOR: Because of an error in the textbook question (qualified opinions are no longer an option), two answers to the posed question are correct.
a. Incorrect. This is an appropriate report.
b. Correct. Qualified opinions are no longer permitted under AS.
c. Correct. This is not one of the options offered by AS.
d. Incorrect. This is an appropriate report.

5.57
a. Correct. In principle, the payroll function should be divided into its authorization, recording, and custody functions. Authorization of hiring, wage rates, and deductions is provided by personnel. Authorization of hours worked (executed by employees) is provided by production. Based on these authorizations, accounting calculates and records the payroll. Based on the calculated amounts, the treasurer prepares and distributes payroll checks.

5.58
a. Incorrect. Supervisors should perform the reconciliation.
b. Correct. The total time spent on jobs should closely approximate the total time indicated on time cards. Timekeeping’s comparison of these records should provide an independent check of the accuracy of time reported on the time cards.
c. Incorrect. This should be done by accounting.
d. Incorrect. Rate authorizations are kept by personnel.

5.59 NOTE TO INSTRUCTOR: Since this question asks students to identify which statement is not true, the item labeled “correct” would not be true and those labeled “incorrect” would be true.
a. Correct. The report would be dated as of the day that enough evidence has been gathered to support the auditors’ opinion on the effectiveness of the entity’s internal control.
b. Incorrect. The report does express an opinion on management’s assessment of internal control over financial reporting as well as the effectiveness of internal control over financial reporting.
c. Incorrect. An adverse opinion is issued if one or more material weakness(es) exists.
d. Incorrect. The report on internal control over financial reporting can be presented along with the report on the company’s financial statements or as a combined report.

5.60
a. Incorrect. The reporting option when a scope limitation exists is a disclaimer of opinion.
b. Incorrect. A qualified opinion is no longer a valid reporting option for a scope limitation and an adverse opinion would only be issued when one or more material weakness(es) is identified.
c. Incorrect. While a disclaimer of opinion is one possible reporting option, it is not appropriate to issue an unqualified opinion if a significant scope limitation exists.
d. Correct. The reporting option when a scope limitation exists is a disclaimer of opinion.

5.61
a. Incorrect. Reference to the audit of the entity’s financial statements would be included in the introductory paragraph of a combined report on the company’s financial statements and internal control over financial reporting, but not a separate report on internal control over financial reporting.
b. Incorrect. If a material weakness is identified, the auditor will add a paragraph to the report that defines a material weakness. However, this information would not be included in the introductory paragraph.
c. Correct. Statements identifying the responsibility of the auditor and management for internal control over financial reporting would be included in the introductory paragraph.
d. Incorrect. Reference to the auditor’s report and opinion on the company’s financial statements would be included in an explanatory paragraph following the opinion paragraph, not the introductory paragraph.

SOLUTIONS FOR EXERCISES, PROBLEMS, AND SIMULATIONS

5.62 Internal Control Audit Standards

a. In planning an audit, the auditors’ understanding of the internal control components should be used to identify the types of potential misstatements that could occur, to consider the factors affecting the risk of material misstatement, and to influence the design of substantive procedures.

b. An audit team obtains an understanding of the design of relevant internal control procedures (policies and procedures) and whether they have been implemented. Assessing control risk below the maximum level further involves identifying specific control procedures (policies and procedures) relevant to specific assertions that are likely to prevent or detect material misstatements in those assertions. It also involves performing tests of controls to evaluate the operating design and effectiveness of the client’s control procedures.

c. When seeking a further reduction in the assessed level of control risk, an audit team should consider whether additional audit evidence sufficient to support a further reduction is likely to be available, and whether it would be efficient to perform tests of controls to obtain that
audit evidence.

d. An audit team should document the understanding of a client’s internal control system components to plan the audit. The audit team also should document the basis for the conclusion about the assessed level of control risk. If control risk is assessed at the maximum level, the audit team should document that conclusion and the reasons for it. However, if the assessed level of control risk is below the maximum level, the audit team should document the basis for the conclusion that the effectiveness of the design and operation of internal control procedures supports that assessed level.

5.63 Costs and Benefits of Control

Case 1: Porterhouse management may hesitate because its expected loss from bank accounting errors may be less than $10,000, or the expected benefit (reduction of the expected loss) by $10,000 or more might be in doubt. Bank accounting is generally very accurate and further analysis might confirm management’s hesitation.

Case 2: Joyce Harper should install the steel doors and burglar bars but not hire the armed guards.

Cost-Benefit of Doors and Bars
Benefit: $500,000 loss x 90% elimination | $450,000
Qualitative benefit—no longer a “push-over target” for thieves | Unknown
Direct cost | ($25,000)
Direct cost—subsequent maintenance | small
Qualitative costs | none (?)
Net benefit estimated | $425,000

Cost-Benefit of Armed Guards
Benefit | $500,000
Qualitative benefit—no longer a “push-over target” for thieves | Unknown
Direct cost | (75,000)
Direct cost—subsequent inflation | some expected
Qualitative cost—possibility of someone being killed or wounded in robbery attempt; social and insurance costs | remote, but high
Net benefit estimated | $425,000

Marginal Analysis (Measurable Information)
If armed guards are hired, no more loss reduction (benefit) is available to justify the additional $75,000 direct cost.

 | Doors and Bars Only | Guards Only | Both | Neither
Loss expected without control | 500,000 | 500,000 | 500,000 | 500,000
Remaining expected loss with control | 50,000 | -0- | -0- | 500,000
Benefit (expected loss reduction) | 450,000 | 500,000 | 500,000 |
Cost of control | 25,000 | 75,000 | 100,000 |
Net benefit | 425,000 | 425,000 | 400,000 |

The armed guards control has two adverse factors not expected with the doors/bars control: (1) Inflation in guard costs will probably outpace the doors/bars maintenance costs and (2) The possibility of a shooting incident on company property is not very appealing.

Case 3: Both of the manager’s assertions are justifiable.

Cost-Benefit of the New Arrangement
Benefits
meals @ $6 x 260 days | 6,240
10 meals @ $6 x 104 days | 6,240
Customer satisfaction | some
Possible reduction of exposure to theft loss to collecting cashier at end of food line (former arrangement) | *
 | 12,480
*The control is cost-beneficial without considering whether theft of cash had occurred.

Costs
New salary, annual | 10,000
New calculator, 5-year life | 500
Employee dissatisfaction | none expected
TOTAL COST | 10,500

Net benefit, first year | 1,980
Net benefit, succeeding years | 2,480**
**Assuming inflation in food prices tends to offset future salary increases.

The control is better because
(i) The recording duty and cash custody are separate. Running the cash register amounts to authorizing and recording transactions for all practical purposes, and under the former arrangement this person also handled the cash. The cashier could have failed to ring up a sale and just pocketed the money.
(ii) The manager can compare the internal calculator cumulative total to the cash register total for
correspondence of amounts. A theft would require collusion of both persons.

The accountant should not express any opinion on management’s statement. You could disclaim any opinion about the statement. You could give advice to the manager about the analysis. Still, the manager is responsible for risk analysis and cost-benefit decisions.

5.64 Audit Simulation: Separation of Duties

Abigail
a. Reconcile bank account
e. Maintain personnel records
j. Reconcile accounts receivable records to general ledger account

Bryan
b. Open mail and list checks
f. Prepare deposit and take to bank
g. Maintain petty cash
i. Maintain general ledger

Chris
c. Prepare checks for signature
d. Prepare payroll checks
h. Maintain accounts receivable records

5.65 Effects of Sarbanes-Oxley Act

Mr. Foster Puckett, CEO
Central Office Supply, Inc.
Indianapolis, IN

Dear Foster,

The Sarbanes-Oxley Act and the related PCAOB Auditing Standard Number will cause increased costs for Central Office Supply (COS), should your board of directors decide to go public. The specific effects regarding internal control reporting apply both to the management of COS and to the audit.

You will be responsible for documenting, testing and assessing the quality of your internal controls over financial reporting. This is usually a costly procedure; however, it will likely be beneficial for COS to have a firm grasp of the controls in place. You will have to prepare a written assessment whereby management accepts responsibility for the controls and evaluates the effectiveness of the controls as of the end of each year. You will have to support your evaluation with sufficient evidence, including documentation.

As auditors, we will have to gather evidence to report on the effectiveness of COS’ internal control. We will be able to use some of the tests your personnel perform, but the principal evidence for our report must be
based on our own work, and we cannot use your work to reduce the work we perform on the control environment. We are unable to provide a precise estimate of the additional cost of the additional work, but it is true that many companies have seen their audit fees double as a result of the new requirements. The board should factor this possibility into the costs of going public.

Sincerely,
Your name, Audit Partner

5.66 ICQ Items: Assertions, Tests of Controls, and Possible Errors or Frauds

a. Recorded payroll transactions are valid (occurrence—no fictitious employees).
b. Select a sample of personnel files for new hires and terminations and trace to reports submitted to the personnel department. Trace also to first or last paycheck issued and to cumulative payroll records.
c. Paychecks might be delayed and terminated workers might continue to be “paid” (with theft of check by someone else) if payroll is not promptly notified of new hires and terminations.
d. Select a sample of terminated employees. Interview their supervisors or the employees themselves for information about termination date. Search the next payroll register for evidence of overpayment in the next pay period.

a. Recorded payroll deductions are valid (occurrence).
b. Select a sample of payroll deductions and vouch them to signed authorizations.
c. Incorrect amounts might be deducted from pay.
d. Same as tests of controls: Select a sample of paychecks, and vouch the deductions to the amount authorized according to the personnel files.

a. Recorded payroll transactions are valid and authorized (occurrence).
b. Observe the timekeeping operations to determine whether they are performed separately.
c. If payroll department personnel were also responsible for time records, they would have effective control over transaction authorization (i.e., hours worked approval) and could overpay themselves or friends.
d. Select the paychecks issued to the people involved in combined duties. Examine them for evidence of overpayment (wage rate or overtime).

a. Payroll and labor cost transactions are complete (completeness).
b. Obtain reconciliation worksheets or check-off reports and see if the reconciliation is done.
c. Cost accounting records might contain more or fewer dollars than actually paid (per payroll data). Simple errors in cost analyses might occur.
d. If possible, obtain a total of labor charged to cost accounting jobs or processes, and reconcile to total wages reported on Federal Form 941. For details: Select a sample of labor cost analyses, and reconcile to the payroll register for the same period.

5.67 Obtaining a “Sufficient” Understanding of Internal Control

Martin is not correct in asserting that GAAS requires reviews and tests of control in all audits. Reviews and obtaining and documenting an understanding are necessary, and Jones may not be suggesting that no work at all be done on becoming acquainted with the clients’ internal control. Martin has overlooked the common-sense (and GAAS) idea that tests of controls need to be done only on those controls that the audit team believes to be strong, in order to reduce the initial control risk assessment.

Martin appears to be proposing that if a partner wishes to extend the substantive procedures and “act as if the control risk were high,” he should be free to do so. Under GAAS, this is OK.

This is a common problem in practice. Many small-client audits may be accomplished through extensive substantive procedural work, making up for little or no work on control. The trade-off is the time and cost involved in performing test of control work against the reduction in substantive procedure work. If the latter cannot be reduced much under any circumstances, then a lot of work on internal control may be uneconomical.

5.68 Fraud Opportunities

The discussion could take several directions, including some or all of the following:

Material Weakness

The facts seem to suggest “a condition in which specific control features (few or none
are described) or the degree of compliance with them do not reduce to a relatively low level the risk that errors or frauds in amounts that could be material to the financial statements may occur and not be detected within a timely period by employees in the normal course of performing their assigned functions.” Gault has authority and influence over too many interrelated activities. Nothing he does seems to be subject to review or supervision. He even is able to exclude the internal auditor.

An identification of the potential frauds will illustrate the misdeeds he can perpetrate almost single-handedly. Potential frauds include:

a. Gault can collude with customers to rig low bids and take kickbacks, thereby depriving the company of legitimate revenue.
b. Gault can direct purchases to favored suppliers, pay unnecessarily high prices and take kickbacks. He might even set up a controlled dummy company to sell overpriced materials to the company. No competitive bidding control prevents these activities.
c. Gault, through the control of physical inventory, can (i) remove materials for himself and (ii) manipulate the inventory accounts to conceal shortages.
d. Gault can order truck shipping services for his own purposes and cause the charges to be paid by the company.
e. Gault can manipulate the customer billing (similar to a above) to deprive the company of legitimate revenue while taking an unauthorized commission or kickback.

Almost every desirable characteristic of good internal control has been circumvented:

a. Separation of Functional Responsibilities. Gault has authorization and custodial responsibilities.
b. Authorization, Supervision. Gault is apparently subject to no supervision or review. The accounting staff is probably powerless to challenge transactions because of Simon’s apparent approval of Gault’s powers.
c. Controlled Access. The whole situation gives Gault access to necessary
papers, records, and assets to carry out his one-man show.
d. Periodic Comparison. No one else apparently has any access to the materials inventory in order to conduct an actual count for comparison to the book value (recorded accountability) of the inventory.

5.69 ICQ Items: Errors that Could Occur from Control Weaknesses

Questions (abbreviated) | Possible Error or Fraud
1. Employees paid by check? | Errors in withholding, rate
2. Special payroll bank account used? | Hours of fictitious employee; Bank reconciliation errors
3. Independent payroll check signers? | Fictitious employees; Unauthorized payments
4. Independent bank statement reconciliation? | Fictitious employees, incomplete accounting
5. Payroll employees rotated, take vacations and bonded? | Fictitious employees
6. Timekeeping independent of payroll? | Fictitious employees or hours
7. Wage rates approved? | Unauthorized rates, improper rates
8. Deduction authorizations signed by employees? | Incorrect deductions
9. Hours and cost distribution approved by supervisor? | Hours overcharged (fictitious hours)
10. Time clock used? | Incorrect hours claimed and paid
11. Payroll sheet signed and approved? | Unauthorized employees, hours or rate
12. Personnel department reports employees terminated to payroll department? | Terminated employees paid and another cashes checks (Fictitious employee)
13. Payroll compared to personnel files? | Fictitious employees
14. Independent check distribution? | Fictitious employees
15. Unclaimed wages controlled? | Improper cashing of checks
16. Occasional surprise payoff by internal auditors? | Fictitious employees
17. Personnel department reports employees hired to payroll departments? | Unauthorized employee paid (Fictitious employee)
18. Payroll checks prenumbered? Sequence checked? | Checks issued and not recorded
19. Qualified person track retirement? | Retirement obligations incorrect
20. Actuary employed? Assumptions reviewed? | Retirement amounts incorrect
21. Cost records reconciled to payroll? | Incomplete accounting—usually cost records not complete
22. Periodic audit of payroll by internal auditors? | Undetected errors and frauds (all of the above)
23. Reconciliation with tax reports? | Over/underreporting
24. Classification instructions? | Misclassified debits in accounts
25. Review by accounting officer? | Accounting and classification errors

5.70 Reports on Internal Control Over Financial Reporting (Report Modifications)

a. This situation would result in an adverse opinion being issued on the effectiveness of the company’s internal control over financial reporting. Assuming that management appropriately concludes that it has not maintained an effective internal control over financial reporting, the auditor would express an unqualified opinion on management’s assessment of internal control over financial reporting. The standard report would be modified as follows:
• Modify the introductory paragraph to note that management’s assessment indicated the company has not maintained an effective internal control over financial reporting.
• Include a paragraph immediately following the inherent limitations paragraph that defines a material weakness and describes any material weakness identified during the audit.
• Modify the opinion paragraph to indicate that because of the effect of the material weakness identified, the Company has not maintained an effective internal control over financial reporting.

b. This situation represents a scope limitation; depending upon the significance of the scope limitation, the auditor could issue either a qualified opinion or disclaimer of opinion.

If a qualified opinion is issued, the standard report would be modified as follows:
• Modify the scope paragraph to refer to scope limitation (“except for”).
• Provide an explanatory paragraph describing the scope limitation. If the scope limitation is
related to the inability to gather sufficient evidence with respect to a potential material weakness, this paragraph should also include the definition of a material weakness.
• Modify the opinion paragraph to reflect a qualified opinion (“except for the effect of matters we might have discovered…”).

If a disclaimer of opinion is issued, the standard report would be modified as follows:
• Delete the sentence describing the auditor’s responsibility for internal control over financial reporting in the introductory paragraph.
• Delete the scope paragraph.
• Provide an explanatory paragraph describing the scope limitation. If the scope limitation is related to the inability to gather sufficient evidence with respect to a potential material weakness, this paragraph should also include the definition of a material weakness.
• Modify the opinion paragraph to disclaim an opinion (“the scope of our work was not sufficient to enable us to express, and we do not express, an opinion”).

It is important to note that the scope limitation will normally affect the auditor’s ability to issue an opinion on both management’s assessment of internal control over financial reporting and the effectiveness of internal control over financial reporting.

c. In this situation, an unqualified opinion would still be appropriate, assuming that the work of other auditors can be relied upon and does not indicate the existence of one or more material weakness(es). The introductory, scope, and opinion paragraphs would be modified to indicate the division of responsibility.

d. If management has not adequately disclosed a material weakness in its internal control over financial reporting, the auditors should include an explanatory paragraph describing the reasons they believe management’s disclosures should be modified.

5.71 Audit Simulation: Reports on Internal Control Over Financial Reporting (Identify Report Deficiencies)

Introductory Paragraph:
1. The introductory paragraph does not discuss Van Dyke’s responsibility with respect to maintaining an effective internal control over financial reporting.
2. Auditors no longer report on management’s assessment of internal control over financial reporting.

Inherent Limitations Paragraph:
3. This paragraph is omitted.

Material Weakness Paragraphs:
4. The paragraph defining a material weakness was omitted.
5. The paragraph identifying the material weaknesses in internal control noted by Sorrell should provide some brief information on the nature of the material weaknesses.
6. The paragraph discussing the effect of material weaknesses on the nature, timing, and extent of audit tests should explicitly indicate that the report on internal control over financial reporting does not affect Sorrell’s report on the financial statements.
7. The paragraph identifying deficiencies in internal control over financial reporting less severe than material weaknesses is inappropriate [no applicable reference].

Opinion Paragraph:
8. Sorrell’s disclaimer of opinion on Van Dyke’s assessment of internal control over financial reporting is inappropriate because auditors no longer report on management’s assessment of internal control over financial reporting.

Explanatory Paragraph (Financial Statement Report):
9. The final explanatory paragraph should reference Sorrell’s report on the financial statements, as well as the date and type of opinion rendered on those financial statements.

Date:
10. The date on the report should not be the balance sheet date.

5.72 Kaplan CPA Exam Simulation: Internal Control Components

1. C: By having the receptionist open the cash receipts/remittances (instead of the accounts receivable clerk), Southland has demonstrated a good example of separation of duties. Separation of duties forms part of the total control activities at Southland.
2. C: The lockbox system is an example of the safeguarding of assets. Safeguarding of assets is a physical control and forms part of the total control activities at Southland.
3. E: The changes implemented in the internal control system during the current year are an example of monitoring. Monitoring assesses the quality of the internal control effectiveness over time and implements changes when necessary.
4. A: Management’s philosophy and operating style is a control environment factor.
5. C: Proper authorization by the credit manager forms part of the total control activities at Southland. It is an example of separation of duties. For instance, the sales manager would not be setting the credit limits for new customers due to the potential conflict situation.
6. A: Individual and detailed job descriptions form part of the control environment. The job descriptions specifically relate to the delegation of authority.
7. D: Accounting systems that are designed to generate reports would clearly form part of the internal controls over the information and communication system.
8. A: Active participation by the board of directors is a component of the control environment (delegation of authority and responsibility).
9. B: The IT manager’s actions are an example of risk assessment. Risk assessment refers to a company’s ability to anticipate potential misstatements (such as the lack of integration between certain components of Southland’s accounting system) and work to prevent them before they occur.

5.73 Kaplan CPA Exam Simulation – Internal Control Evaluation

To: Partner, P&M
From: Manager, P&M
Subject: Significant Deficiencies and Material Weaknesses

Significant deficiencies are defined as conditions, or combinations of conditions, that could adversely affect the organization’s ability to initiate, record, process, and report financial data in the financial statements. While not material, they are important enough to bring to the attention of those charged with governance (usually the audit committee). Some examples follow:
•
Absence of appropriate separation of duties
• Absence of appropriate reviews and approvals of transactions
• Evidence of failure of control procedures

A material weakness in internal control is defined as a deficiency, or combination of deficiencies, that results in a reasonable possibility that a material misstatement would not be prevented or detected on a timely basis. The following circumstances should be regarded as strong indicators that a material weakness exists:
• Restatement of previously issued financial statements to reflect the correction of a misstatement
• Evidence of material misstatements (caught by the audit team) that were not prevented or detected by the client’s internal controls
• Ineffective oversight of the financial reporting process by the entity’s audit committee
• Indication of fraud (either material or immaterial) by senior management

Because Lakeland is a public company, we are required to follow the Sarbanes-Oxley Act, which requires us to identify significant deficiencies and material weaknesses and report them in writing to the audit committee.

5.74 Mini-Case: Control Environment

NOTE TO INSTRUCTOR: For this assignment, questions and from this Mini-Case are applicable.

Auditors usually begin with inquiry of management, employees, and others charged with governance (including the audit committee). Auditors also investigate senior management’s reputation in the community. Indicators of a weak tone at the top include involvement by nonaccounting managers in accounting issues, pressure to achieve earnings, disputes between the auditors and clients, and observing a lack of ethics in dealing with customers, suppliers, and employees.

Auditors have to follow up on all whistle blower accusations, regardless of how far-fetched. The accusations must be handled with professional skepticism, assuming they are neither true nor false. Often client personnel will be asked to assist in the follow-up, but their input must be independently verified by the auditor. The accusations should be treated as red flags, which may call for additional evidence gathering in affected areas. Finally, if the accusations appear to be credible, the auditors should notify their attorneys as well as the client's audit committee.

5.75 Mini-Case: Effect of Internal Control Evaluation on Auditors’ Fees

NOTE TO INSTRUCTOR: For this assignment, questions and from this Mini-Case are applicable.

The high cost of Sarbanes-Oxley compliance can be found by reviewing the total audit fees reported by GE and by the Fortune 100/500 companies. As shown in Exhibits and 3, these fees have increased significantly from 2002 to 2004. (A portion of this increase may result from the SEC’s revised definition of “audit fees.”) While the audit fees have continued to increase in 2006, the smaller rate of increase from 2004 to 2006 may reflect a “learning curve” for auditors and some initial start-up costs with respect to the implementation of Section 404.

The changes required by AS (eliminating the requirement to express an opinion on management’s assessment of internal control over financial reporting, using a “top-down, risk-based” audit approach, and increasing the extent to which the work of others can be relied upon) should reduce the amount of audit fees and, perhaps, audit-related fees. This possibility can be evaluated through reference to future proxy statements.