5.9 The COSO Report states that internal control consists of five interrelated components: • Management’s control environment • Management’s risk assessment • Management’s control proced
Trang 1CHAPTER 5
Risk Assessment: Internal Control Evaluation
LEARNING OBJECTIVES
Review Checkpoints Exercises, Problems, and Simulations
1 Distinguish between management’s and auditors’
responsibilities regarding an entity’s internal
control
1, 2, 3, 4, 5 62, 63, 67
3 Define and describe the five basic components of
internal control, and specify some of their
characteristics
9, 10, 11, 12, 13, 14,
15, 16, 17, 18 64, 72, 74
4 Explain the phases of an evaluation of control
and risk assessment and the documentation and
extent of audit work required
19, 20, 21, 22, 23, 24, 25
66, 69, 73
5 Describe additional responsibilities for
management and auditors of public companies
required by Sarbanes-Oxley and AS 5.
26, 27, 28, 29 65, 74, 75
6 List the major components of the auditors’ report
on internal control over financial reporting 30
7 Describe situations in which the auditors’ report
on internal control over financial reporting
would be modified
8 Explain the communication of internal control
deficiencies to those charged with governance,
such as the audit committee and other key
management personnel
34
9 Explain the limitations of all internal control 35, 36
Trang 3SOLUTIONS FOR REVIEW CHECKPOINTS
5.1 As stated in the Sarbanes-Oxley Act of 2002, management is responsible for establishing a control
environment, assessing risks it wishes to control, specifying information and communication channels and content (including the accounting system and its reports), designing and implementing control procedures, and monitoring, supervising, and maintaining the controls Business managers can make estimates of benefits to be derived from controls and weigh them against the cost Managers are perfectly free to make their own judgments about the necessary extent of controls Managers can decide the degree of business risk they are willing to tolerate
External auditors are not responsible for designing effective controls for audit clients They are responsible for evaluating existing internal control and assessing the control risk in them
5.2 Control risk is the probability that the client’s internal control procedures will fail to prevent or detect
material errors and frauds, provided any enter the data processing system in the first place Assessing control risk is part of using the audit risk model in the planning stage of the audit
5.3 The primary reason for conducting an evaluation of a client’s existing internal control system is to give the
auditors a basis for finalizing the details of the account balance audit program—to determine the nature, timing and extent of subsequent substantive audit procedures For public companies, Sarbanes-Oxley requires auditors to audit internal controls as part of the financial statement audit
A secondary purpose for conducting an evaluation of internal control is to be able to make constructive suggestions for improvements Officially, the profession considers these suggestions a part of the audit function and does not define the work as a consulting consultation
Another purpose of the evaluation is to report to management and the board of directors or its audit committee any discovery of any significant internal control deficiencies
5.4 If control risk is low, auditors can perform less effective substantive procedures, earlier in the audit, with
smaller sample sizes, than if control risk is moderate or high
5.5 Using a numeric evaluation provides a precise level of risk that can be included in statistical sampling
procedures However, using words recognizes the imprecise nature of evaluating control risk
5.6 The three categories of control objectives are:
• Reliability of financial reporting
• Effectiveness and efficiency of operations
• Compliance with applicable laws and regulations
Auditors are primarily concerned with reliability of financial reporting; however, some operating and compliance controls may be important for the financial statement audit
5.7 Internal control is operated by people People make the system work at every level of company
management People establish the objectives, put control mechanisms in place, and operate them
Since people operate the controls, breakdowns can occur Human error, deliberate circumvention,
management override, and improper collusion among people who are supposed to act independently can cause failure to achieve objectives Hence, a company’s managers can decide that certain controls are too costly in light of the risk of loss that may occur
Trang 45.8 Four types of breakdowns relate to people-caused failures The four are: human error, deliberate
circumvention, management override, and improper collusion among people who are supposed to act independently can cause failure to achieve objectives Internal control can help prevent and detect these people-caused failures, but it cannot guarantee that they will never happen
5.9 The COSO Report states that internal control consists of five interrelated components:
• Management’s control environment
• Management’s risk assessment
• Management’s control procedures
• Management’s monitoring
• Management information and communication systems
5.10 The control environment sets the tone of the organization It is the foundation for all other components of
internal control It provides discipline and structure Control environment factors include the integrity, ethical values, and competence of the company’s people The following are general elements of an internal control environment:
• Management’s philosophy and operating style
• Management and employee integrity and ethical values
• Company organizational structure
• Company commitment to competence—job skills and knowledge
• Functioning of the board of directors, particularly its audit committee
• Methods of assigning authority and responsibility
• Presence of an internal audit function
• Human resource policies and practices
5.11 The purpose of risk assessment is to identify and control for those factors, events, and conditions that may
prevent the organization from achieving its business objectives All companies face the risk that their financial statements may be unreliable They may report assets that do not exist or ones that are not owned
by the company Asset and liability amounts may be improperly valued They may fail to report liabilities and expenses They may present information that does not conform to GAAP The risk of producing unreliable financial reports arises from control breakdowns
5.12 A company control procedure is an action taken for the purpose of preventing, detecting, or correcting
errors and frauds in transactions
5.13 Four kinds of functional responsibilities that should be segregated:
1 Authorization to execute transactions
2 Recording of transactions (bookkeeping)
3 Custody of assets
4 Periodic reconciliation (comparison) of existing (real) assets to recorded amounts
5.14 The audit trail is the set of accounting operations from transaction analyses to reports It starts with the
source documents, proceeds to data entry, then to transaction processing and posting to ledger accounts, then from ledger accounts to the financial reports
Auditors often follow this trail forwards and backwards! They will follow it backwards from the financial reports to the source documents to determine whether everything in the financial reports is supported by appropriate source documents They will follow it forward from source documents to reports to determine that everything that happened (transactions) got recorded in the accounts and reported in the financial statements
Trang 55.15 ITGCs apply to all the applications systems and help insure their continued proper operations They
include controls over data center operations, system software acquisition and maintenance, access security, and application system development, including changes in software and data bases They include physical security, hardware controls, separation of duties within the IT department, documentation and back-up procedures, and other controls
ITACs include computerized steps within the application software and related manual procedures to controlthe processing of various types of transactions ITAC are specific to each cycle (e.g revenue and
collection, acquisition and expenditure, etc.) They are divided into the following categories: input controls, processing controls, and output controls
5.16 1 Valid character tests Customer name alphanumeric and customer number numeric
2 Valid sign test All amount fields positive, sales amount greater than zero
3 Missing data test Bill of lading document number included
4 Sequence test Invoice numbers are in sequence and none missing
5 Limit or reasonableness Total invoice less than $25,000 test
5.17 Many financial reporting processes such as final adjusting entries, consolidating entries, and footnote
amounts are performed using spreadsheet applications
5.18 Everyday monitoring examples:
• Operating managers compare internal reports and published financial statements with their
knowledge of the business
• Customer complaints of amounts billed are analyzed
• Vendor complaints of amounts paid are analyzed
• Regulators report to the company on compliance with laws and regulations (e.g., bank examiners’
reports, IRS audits)
• Accounting managers supervise the accuracy and completeness of transaction processing
• Recorded amounts are periodically compared to actual assets and liabilities (e.g., internal auditors’
inventory counts, receivables and payables confirmations, bank reconciliations)
• External auditors report on control performance and give recommendations for improvement
• Training sessions for management and employees heighten awareness of the importance of
• Chart of accounts
• Accounting manual—definitions and instructions about measuring and classifying transactions
• Computer systems documentation
• Computer program documentation
• Systems and procedures manuals
• Flowcharts of transaction processing
• Various paper forms
Trang 65.21 1 Advantages of control questionnaire:
• Easy to complete
• Checklist of questions
• Less chance of overlooking something important
Disadvantages:
• May contain numerous irrelevant questions
• Tendency to treat it like another form to fill out
2 Advantages of memorandum documentation:
• Can explain the precise controls applicable to the particular client (precise tailoring)
• Requires penetrating analysis
• Minimizes tendency toward perfunctory review
Disadvantages:
• Hard to write Often lengthy
• Hard to revise in subsequent years
3 Advantages of flowchart:
• Graphic presentation of systems
• Shows the steps required and the flow of forms and documents
• Easy to read and analyze
• Easy to update in subsequent years
Disadvantages:
• Takes some time to draw neatly
5.22 A “bridge working paper” connects the control evaluation to the audit program (subsequent procedures) It
contains brief descriptions of control strengths and weaknesses, implications for control or error related to accounts, and statements of audit program procedures related to the strengths and weaknesses The procedures related to control strengths are test of control procedures”, and the ones related to control weaknesses are substantive procedures
5.23 A test of controls is an audit procedure designed to produce evidence about the effectiveness of a client’s
control activity A test of control procedure is a two-part statement, consisting of:
Part One: Identification of a data population from which a sample of items will be selected for audit.Part Two: Expression of an action of either (1) determining whether the selected items correspond to a standard or (2) determining whether the selected items agree with information in another data population
A test of control procedure may also consist of a direct observation of a control activity that leaves no documentary trail
5.24 “Inspection,” in a test of control procedure, refers to auditors looking to see whether client personnel
stamped, initialed, or left other signs that their assigned control procedures had been performed
“Reperformance,” in a test of control procedure, refers to auditors doing again the control that was supposed to have been performed by the client personnel (recalculating, looking up the right price, comparing quantities, and so forth)
5.25 A “dual-purpose test” serves the purposes of (1) obtaining evidence about a client’s control performance
[test of control], (2) obtaining evidence to help detect material misstatements in account balances and disclosures [substantive procedure]
Trang 85.26 Management must (1) acknowledge its responsibility for establishing and maintaining effective internal
control over financial reporting; (2) state that it has performed an evaluation and made a conclusion about the effectiveness of the entity’s internal control over financial reporting; (3) disclose to the audit team any frauds resulting in a material misstatement to the entity’s financial statements (as well as any other
immaterial fraud that involves key managers), all significant deficiencies, and any material weaknesses identified during its evaluation; and (4) state that management did not use the auditors’ procedures
performed during the audits of internal control over financial reporting or the financial statements as part ofthe basis for management’s assessment of the effectiveness of internal control over financial reporting.5.27 The six steps for auditing internal controls are:
1 Plan the engagement
2 Evaluate management’s assessment process
3 Gain an understanding of internal control over financial reporting
4 Test and evaluate design effectiveness of internal control over financial reporting
5 Test and evaluate operating effectiveness of internal control over financial reporting
6 Form an opinion on the effectiveness of internal control over financial reporting
5.28 An internal control deficiency exists when the design or operation of a control does not allow the
company’s management or employees to detect or prevent misstatements in a timely fashion A significant
deficiency is defined as a condition that could adversely affect the organization’s ability to initiate, record,
process, and report financial data in the financial statements A material weakness in internal control is
defined as a deficiency, or combination of deficiencies, that results in a reasonable possibility that amaterial misstatement would not be prevented or detected on a timely basis
5.29 Auditors can issue one of three types of reports on internal controls:
• Unqualified—no material weaknesses
• Qualified or disclaimer—audit team cannot perform all of the procedures considered necessary
• Adverse opinion—material weakness exists
5.30 The major components of the auditor’s standard, unqualified report on internal control over financial
reporting are:
• A title that includes the word independent.
• Statements regarding the responsibility of the auditors and management with respect to the
assessment and evaluation of internal control, as well as the title of management’s report oninternal control over financial reporting
• A paragraph indicating that the engagement was conducted in accordance with standards
established by the Public Company Accounting Oversight Board, with a brief description of theprocedures performed in the engagement
• The definition of internal control over financial reporting
• An identification of the inherent limitations of internal control over financial reporting
• The auditors’ opinion on whether the entity maintained effective internal control over financial
reporting The opinion in the above report represents an unqualified opinion on internal control
over financial reporting.
• A reference to the auditors’ opinion on the financial statements, indicating the type of opinion
expressed
• The date of the report
Trang 95.31 Major reasons for departing from the standard, unqualified report on internal control over financial
reporting include:
1 Material weaknesses in internal control over financial reporting
2 A limitation in the scope of the engagement
3 Management’s disclosures of the effectiveness of its internal control over financial reporting are
inappropriate
4 Other auditors have audited the financial statements and internal control over financial reporting
of one or more components of the entity
5 Changes in internal control have occurred that materially and adversely affect the effectiveness of
the company’s internal control over financial reporting
6 Management provides other information in its report on internal control over financial reporting.5.32 The auditors should issue an adverse opinion on the effectiveness of internal control over financial
reporting if a material weakness exists
If a material weakness in internal control is identified, the auditor’s standard, unqualified opinion on internal control over financial reporting would be modified to:
• Include a paragraph immediately following the inherent limitations paragraph that defines a
material weakness and describes any material weakness(es) identified during the audit
• Modify the opinion paragraph to indicate that because of the effect of the material weakness(es)
identified, the Company has not maintained an effective internal control over financial reporting
5.33 If a scope limitation exists, disclaimer of opinion would be issued or the auditors would withdraw from the
engagement, depending upon the significance of the limitation
5.34 Auditors must communicate significant deficiencies and material weaknesses that come to their attention in
the performance of the audit to management, the board of directors, or its audit committee Auditors often issue another type of report to management called a management letter This letter may contain
commentary and suggestions on a variety of matters in addition to internal control matters
5.35 Internal control cannot provide absolute assurance that financial statements will not contain a material
misstatement because:
• The effectiveness of controls will be limited by the realities of human frailty
• Internal controls can break down due to misunderstanding, mistakes, and errors due to
carelessness, distraction or fatigue
• Management can often override controls
• The collusive activities of two or more individuals can result in control failures
• Controls must be subjected to cost-benefit analysis
5.36 Reasonable assurance is closely related to cost-benefit analysis By definition, reasonable assurance
recognizes that the cost of an organization’s internal control should not exceed the benefits obtained by the control
Trang 10Management is responsible for assessing the cost and benefits of controls, hence their reasonable assurance.Auditors get into the act of reasonable assurance assessment when they consider whether to make
recommendations about control improvement in a management letter Both parties must consider that the SEC regards reasonable assurance is a high standard that means the probability of controls not detecting or preventing material misstatements is remote
SOLUTIONS FOR MULTIPLE-CHOICE QUESTIONS
5.37 a Incorrect Effectiveness and efficiency is an objectives category, not a fundamental
concept
b Correct “People” is the most important fundamental concept
c Incorrect Reliability of financial reporting is an objectives category, not a fundamental
concept
d Incorrect Compliance with laws and regulations is an objectives category, not a
fundamental concept
5.38 a Incorrect Management letter suggestions are a secondary purpose
b Correct Second GAAS fieldwork standard
c Incorrect This is a paraphrase of the third GAAS fieldwork standard
d Incorrect Communication of control-related matters is a secondary purpose
5.39 a Incorrect Larger sample sizes expand audit procedures
b Incorrect Performing procedures at year-end instead of at interim generally represents
stricter application
c Incorrect External evidence represents stricter application
d Correct Smaller sample size is a restriction or relaxation of audit procedure application.5.40 a Incorrect Financial totals can be used as input, processing, and output controls
b Correct Financial totals can be used as input, processing, and output controls
c Incorrect Financial totals can be used as input, processing, and output controls
d Correct Financial totals can be used as input, processing, and output controls
5.41 a Incorrect This is a general control that secures the hardware
b Incorrect This is a general control over software changes
c Incorrect This is a general control for all data
d Correct This is an output control
5.42 a Correct The terminated person would not be in the timekeeping total
b Incorrect Works only if the correct number of checks is known
c Incorrect The terminated employee will have a valid number
d Incorrect The use of hash total only indicates whether the employee numbers have been
input correctly
5.43 a Incorrect The absolute amount of cost is irrelevant Year-end substantive work usually
costs more than control evaluation work
b Correct The year-end cost savings exceeds the control evaluation cost
c Incorrect Whether the cost of control work exceeds (or does not exceed) the cost of
year-end work is irrelevant Efficiency relates to the cost that can be saved as a result of control evaluation work
d Incorrect Efficiency is not achieved by cost reductions being less than control work cost
Trang 115.44 a Incorrect The narrative is the documentation result of obtaining evidence.
b Correct The ICQ is a device for collecting evidence in the form of answers to control
questions
c Incorrect A flowchart is the documentation result of obtaining evidence
d Incorrect (This is the throwaway!) The audit documentation is the documentation of the
evidence obtained
5.45 a Correct The bridge working paper connects control evaluation findings of strengths to
test of control procedures for testing the strengths, and control evaluation findings of weakness to suggestions for substantive procedures
b Incorrect Control objectives are only implicit in the bridge working paper
c Incorrect Control objectives are only implicit in the bridge working paper
d Incorrect Assertions are related directly to substantive procedures and not to test of
control procedures
5.46 a Incorrect Substantive procedures produce evidence about financial statement assertions
b Incorrect Company control procedures accomplish company control objectives
c Incorrect Analytical review is not accomplished with test of control procedures
d Correct Tests of controls produce the evidence about actual operation of company
control procedures
5.47 a Incorrect This describes an audit procedure
b Correct This is one general way to define the purpose of control procedures
c Incorrect This is a definition of an accounting system
d Incorrect This is a description of one of the elements of the control environment
5.48 a Correct The audit team identifies significant accounts, locations, and assertions in the
planning stage of an integrated audit
b Incorrect The audit team conducts a walkthrough of the internal control process when
testing the effectiveness of the company’s internal control
c Incorrect The audit team makes inquiries of employees regarding the existence of control
procedures when testing the effectiveness of the company’s internal control
d Incorrect The audit team reperforms control procedures performed by client employees to
determine their effectiveness when testing the effectiveness of the company’sinternal control
5.49 c Correct A material weakness in internal control is defined as a deficiency, or
combination of deficiencies, that results in a reasonable possibility that a material misstatement would not be prevented or detected on a timely basis 5.50 a Incorrect Record totals suggest dollar amounts
b Correct Hash totals involve non dollar totals
c Incorrect Data totals suggest dollar amounts
d Incorrect Field totals suggest dollar amounts
5.51 d Correct Cash deposits + discounts = payments credit to receivables (Answers a, b, and c
use the wrong arithmetic)5.52 c Correct AS 5 applies to financial reporting controls only.
5.53 c Correct Under AS 5, auditors are required to issue a report on internal controls; they no
longer have to report on management’s report on internal (required under AS 2).
Trang 125.55 a Incorrect All three are indicators a material weakness.
b Incorrect All three are indicators a material weakness
c Incorrect All three are indicators a material weakness
d Correct All three are indicators a material weakness
5.56 NOTE TO INSTRUCTOR: Because of an error in the textbook question (qualified opinions are not longer
an option), two answers to the posed question are correct.
a Incorrect This is an appropriate report
b Correct Qualified opinions are no longer permitted under AS 5.
c Correct This is not one of the options offered by AS 5.
d Incorrect This is an appropriate report
5.57 a Correct In principle, the payroll function should be divided into its authorization,
recording, and custody functions Authorization of hiring, wage rates, and deductions is provided by personnel Authorization of hours worked (executed
by employees) is provided by production Based on these authorizations, accounting calculates and records the payroll Based on the calculated amounts, the treasurer prepares and distributes payroll checks
5.58 a Incorrect Supervisors should perform the reconciliation
b Correct The total time spent on jobs should closely approximate the total time indicated
on time cards Timekeeping’s comparison of these records should provide an independent check of the accuracy of time reported on the time cards
c Incorrect This should be done by accounting
d Incorrect Rate authorizations are kept by personnel
5.59 NOTE TO INSTRUCTOR: Since this question asks students to identify which statement is not true, the
item labeled “correct” would not be true and those labeled “incorrect” would be true.
a Correct The report would be dated as of the day that enough evidence has been gathered
to support the auditors’ opinion on the effectiveness of the entity’s internal control
b Incorrect The report does express an opinion on management’s assessment of internal
control over financial reporting as well as the effectiveness of internal control over financial reporting
c Incorrect An adverse opinion is issued if one or more material weakness(es) exists
d Incorrect The report on internal control over financial reporting can be presented along
with the report on the company’s financial statements or as a combined report.5.60 a Incorrect The reporting options when a scope limitation exists is a disclaimer of opinion
b Incorrect A qualified opinion is no longer a valid reporting option for a scope limitation
and an adverse opinion would only be issued when one or more material weakness(es) is identified
c Incorrect While a disclaimer of opinion is one possible reporting option, it is not
appropriate to issue an unqualified opinion if a significant scope limitation exists
d Correct The reporting option when a scope limitation exists is a disclaimer of opinion.5.61 a Incorrect Reference to the audit of the entity’s financial statements would be included in
the introductory paragraph of a combined report on the company’s financial statements and internal control over financial reporting, but not a separate report
on internal control over financial reporting
b Incorrect If a material weakness is identified, the auditor will add a paragraph to the report
that defines a material weakness However, this information would not be included in the introductory paragraph