Chapter 10
Section 404 Audits of Internal Control
and Control Risk
Review Questions
10-1 Management typically has three broad objectives in designing an effective internal control system:
1. Reliability of Financial Reporting. Management is responsible for preparing financial statements for investors, creditors, and other users. Management has both a legal and professional responsibility to be sure that the information is fairly presented in accordance with reporting requirements such as GAAP. The objective of effective internal control over financial reporting is to fulfill these financial reporting responsibilities.
2. Efficiency and Effectiveness of Operations. Controls within an organization are meant to encourage efficient and effective use of its resources to optimize the company’s goals. An important objective of these controls is accurate financial and non-financial information about the entity’s operations for decision making.
3. Compliance with Laws and Regulations. Section 404 of the Sarbanes-Oxley Act requires all public companies to issue a report about the operating effectiveness of internal control over financial reporting. In addition to the legal provisions of Section 404, public, nonpublic, and not-for-profit organizations are required to follow many laws and regulations. Some relate to accounting only indirectly, such as environmental protection and civil rights laws. Others are closely related to accounting, such as income tax regulations and fraud.
10-2 Management designs systems of internal control to accomplish three categories of objectives: financial reporting, operations, and compliance with laws and regulations. The auditor’s focus in both the audit of financial statements and the audit of internal controls is on those controls related to the reliability of financial reporting plus those controls related to operations and to compliance with laws and regulations objectives that could materially affect financial reporting.
10-3 Section 404 requires management of all public companies to issue an internal control report that includes the following:
A statement that management is responsible for establishing and maintaining an adequate internal control structure and procedures for financial reporting, and
An assessment of the effectiveness of the internal control structure and procedures for financial reporting as of the end of the company’s fiscal year.
10-4 Management’s assessment of internal control over financial reporting consists of two key components. First, management must evaluate the design of internal control over financial reporting. Second, management must test the operating effectiveness of those controls. When evaluating the design of internal control over financial reporting, management evaluates whether the controls are designed to prevent or detect material misstatements in the financial statements. When testing the operating effectiveness of those controls, the objective is to determine whether the control is operating as designed and whether the person performing the control possesses the necessary authority and qualifications to perform the control effectively.
10-5 There are eight parts of the planning phase of audits: accept client and perform initial planning, understand the client’s business and industry, assess client business risk, perform preliminary analytical procedures, set materiality and assess acceptable audit risk and inherent risk, understand internal control and assess control risk, gather information to assess fraud risks, and develop an overall audit plan and audit program. Understanding internal control and assessing control risk is therefore part six of planning. Only gathering information to assess fraud risk and developing an overall audit plan and audit program follow understanding internal control and assessing control risk.
10-6 The second GAAS field work standard states “The auditor must obtain a sufficient understanding of the entity and its environment, including its internal controls, to assess the risk of material misstatement of the financial statements whether due to error or fraud and to design the nature, timing, and extent of further audit procedures.” The auditor obtains the understanding of internal control to assess control risk in every audit and that responsibility is the same for audits of both public and nonpublic companies. Auditors are primarily concerned about controls related to the reliability of financial reporting and controls over classes of transactions.
10-7 Section 404 requires that the auditor attest to and issue a report on management’s assessment of internal control over financial reporting. To express an opinion on internal controls, the auditor obtains an understanding of and performs tests of controls related to all significant account balances, classes of transactions, and disclosures and related assertions in the financial statements. PCAOB Standard 2 requires that the audit report on internal control over financial reporting under Sarbanes-Oxley include the auditor’s opinion as to whether management’s assessment of the design and operating effectiveness of internal control over financial reporting is fairly stated in all material respects. This involves both evaluating management’s assessment process and arriving at the auditor’s independent assessment of the internal controls’ design and operating effectiveness.
10-8 The six transaction-related audit objectives are:
1. Recorded transactions exist (occurrence).
2. Existing transactions are recorded (completeness).
3. Recorded transactions are stated at the correct amounts (accuracy).
4. Recorded transactions are properly included in the master files and correctly summarized (posting and summarization).
5. Transactions are properly classified (classification).
6. Transactions are recorded on the correct dates (timing).
10-9 COSO’s Internal Control – Integrated Framework is the most widely accepted internal control framework in the U.S. The COSO framework describes internal control as consisting of five components that management designs and implements to provide reasonable assurance that its control objectives will be met. Each component contains many controls, but auditors concentrate on those designed to prevent or detect material misstatements in the financial statements.
10-10 The COSO Internal Control – Integrated Framework consists of the
following five components:
10-11 The control environment consists of the actions, policies, and procedures that reflect the overall attitudes of top management, directors, and owners of an entity about internal control and its importance to the entity. The following are the most important subcomponents of the control environment:
Integrity and ethical values
Board of directors or audit committee participation
Management's philosophy and operating style
Organizational structure
Assignment of authority and responsibility
Human resource policies and practices
10-12 Internal control includes five categories of controls that management designs and implements to provide reasonable assurance that its control objectives will be met. These are called the components of internal control, and are:
The control environment
is management's identification and analysis of risks relevant to the preparation of financial statements in accordance with GAAP. To respond to this risk assessment, management implements control activities and creates the accounting information and communication system to meet its objectives for financial reporting. Finally, management periodically assesses the quality of internal control performance to determine that controls are operating as intended and that they are modified as appropriate for changes in conditions (monitoring). All five components are necessary for effectively designed and implemented internal control.
10-13 The five categories of control activities are:
Adequate separation of duties
Example: The following two functions are performed by different people: processing customer orders and billing of customers.
Proper authorization of transactions and activities
Example: The granting of credit is authorized before shipment takes place.
Adequate documents and records
Example: Recording of sales is supported by authorized shipping documents and approved customer orders.
Physical control over assets and records
Example: A password is required before entry into the computerized accounts receivable master file can be made.
Independent checks on performance
Example: Accounts receivable master file contents are independently verified.
10-14 Separation of operational responsibility from record keeping is intended to reduce the likelihood of operational personnel biasing the results of their performance by incorrectly recording information.
Separation of the custody of assets from accounting for these assets is intended to prevent misappropriation of assets. When one person performs both functions, the possibility of that person's disposal of the asset for personal gain and adjustment of the records to relieve himself or herself of responsibility for the asset without detection increases.
10-15 An example of a physical control the client can use to protect each of the following assets or records is:
1. Petty cash should be kept locked in a fireproof safe.
2. Cash received by retail clerks should be entered into a cash register to record all cash received.
3. Accounts receivable records should be stored in a locked, fireproof safe. Adequate backup copies of computerized records should be maintained and access to the master files should be restricted via passwords.
4. Raw material inventory should be retained in a locked storeroom with a reliable and competent employee controlling access.
5. Perishable tools should be stored in a locked storeroom under control of a reliable employee.
6. Manufacturing equipment should be kept in an area protected by burglar alarms and fire alarms and kept locked when not in use.
7. Marketable securities should be stored in a safety deposit vault.
10-16 Independent checks on performance are internal control activities designed for the continuous internal verification of other controls. Examples of independent checks include:
Preparation of the monthly bank reconciliation by an individual with no responsibility for recording transactions or handling cash
Recomputing inventory extensions for a listing of inventory by someone who did not originally do the extensions
The preparation of the sales journal by one person and the accounts receivable master file by a different person, and a reconciliation of the control account to the master file
The counting of inventory by two different count teams
The existence of an effective internal audit staff
10-17 As illustrated by Figure 10-3, there are four phases in the process of understanding internal control and assessing control risk. In the first phase the auditor obtains an understanding of internal controls, which includes an understanding of their design and whether they have been implemented. Next the auditor must make a preliminary assessment of control risk (phase 2) and perform tests of controls in every audit as part of their integrated audits (phase 3). The auditor uses the results of tests of controls for both the audit report on internal control over financial reporting and to assess control risk and to ultimately decide planned detection risk and substantive tests for the audit of financial statements, which is phase 4.
10-18 Section 404 of the Sarbanes-Oxley Act requires management to document its processes for assessing the effectiveness of the company’s internal control over financial reporting. Management must document the design of controls, including all five control components and also the results of its testing and evaluation. The types of information gathered by management to assess and document internal control effectiveness can take many forms, including policy manuals, flowcharts, narratives, documents, questionnaires and other forms that are in either paper or electronic formats. PCAOB Standard 2 requires the auditor to evaluate the client’s documentation when auditing internal control over financial reporting. The lack of management documentation of internal control over financial reporting may prevent the auditor from concluding that the controls are adequately designed or operating effectively. When documentation is inadequate, the auditor may decide to withdraw from the engagement or to issue a disclaimer of opinion on internal control over financial reporting.
10-19 When obtaining an understanding of internal control, the auditor must assess two aspects about those controls. First, the auditor must gather evidence about the design of internal controls. Second, the auditor must gather evidence about whether those controls have been implemented.
10-20 In a walkthrough of internal control, the auditor selects one or a few documents for the initiation of a transaction type and traces them through the entire accounting process. At each stage of processing, the auditor makes inquiries and observes current activities, in addition to examining completed documentation for the transaction or transactions selected. Thus, the auditor combines observation, documentation, and inquiry to conduct a walkthrough of internal control. PCAOB Standard 2 requires the auditor to perform at least one walkthrough for each major class of transactions.
10-21 A key control is a control that is expected to have the greatest effect on meeting the transaction-related audit objectives. A control deficiency represents a deficiency in the design or operation of controls that does not permit company personnel to prevent or detect misstatements on a timely basis. A design deficiency exists if a necessary control is missing or not properly designed. An operation deficiency exists if a well-designed control does not operate as designed or when the person performing the control is insufficiently qualified or authorized.
10-22 A significant deficiency exists if one or more control deficiencies exist that, more than remotely, adversely affect a company’s ability to initiate, authorize, record, process, or report external financial statements reliably. A material weakness exists if a significant deficiency, by itself, or in combination with other significant deficiencies, results in a more than remote likelihood that internal control will not prevent or detect material financial statement misstatements. The presence of one significant deficiency that is not deemed to be a material weakness may not affect the auditor’s report. In that instance, the auditor’s report on internal control over financial reporting would contain an unqualified opinion. However, if the deficiency is deemed to be a material weakness, the auditor must express an adverse opinion on the effectiveness of internal control over financial reporting.
10-23 The most important internal control deficiency which permitted the defalcation to occur was the failure to adequately segregate the accounting responsibility of recording billings in the sales journal from the custodial responsibility of receiving the cash. Regardless of how trustworthy James appeared, no employee should be given the combined duties of custody of assets and accounting for those assets.
10-24 Maier is correct in her belief that internal controls frequently do not function in the manner they are supposed to. However, regardless of this, her approach ignores the value of beginning the understanding of internal control by preparing or reviewing a rough flowchart. Obtaining an early understanding of the client's internal control will provide Maier with a basis for a decision about further audit procedures and sample sizes based on assessed control risk. By not obtaining an understanding of internal control until later in the engagement, Maier risks performing either too much or too little work, or emphasizing the wrong areas during her audit.
10-25 The extent of controls tested by auditors to express an opinion on internal controls for a public company is significantly greater than that tested solely to express an opinion on the financial statements. To express an opinion on internal controls for a public company, the auditor obtains an understanding of and performs tests of controls for all significant account balances, classes of transactions, and disclosures and related assertions in the financial statements. In contrast, the extent of controls tested by an auditor of a nonpublic company is dependent on the auditor’s assessment of control risk. Whenever the auditor assesses control risk below maximum, the auditor must perform tests of controls to support that control risk assessment. The auditor will not perform tests of controls when the auditor assesses control risk at maximum. When control risk is assessed below the maximum, the auditor designs and performs a combination of tests of controls and substantive procedures. Thus, for a nonpublic company, the tests of controls vary based on the auditor’s assessment of control risk.
10-26 There is a significant overlap between tests of controls and procedures to obtain an understanding of internal control. Both include inquiry, documentation, and observation. There are two primary differences in the application of these common procedures. First, in obtaining an understanding of internal control, the procedures to obtain an understanding are applied to all controls identified during that phase. Tests of controls, on the other hand, are applied only when the assessed control risk has not been satisfied by the procedures to obtain an understanding. Second, procedures to obtain an understanding are performed only on one or a few transactions or, in the case of observations, at a single point in time. Tests of controls are performed on larger samples of transactions (perhaps 20 to 100), and often observations are made at more than one point in time.
10-27 PCAOB Standard 2 requires a public company auditor to test controls each year for all relevant assertions for significant accounts and transactions. However, if evidence was obtained in the prior year’s audit that indicates that a key control was operating effectively, and the auditor determines that the control is still in place, the extent of the tests of that control may be reduced somewhat in the current year.
10-28 When the auditor’s risk assessment procedures identify significant risks, the auditor is required to test the operating effectiveness of controls that mitigate these risks in the current year audit, if the auditor plans to rely on those controls to support a control risk assessment below 100%. Thus, tests of controls are required in the current year audit for those controls the auditor plans to rely on to reduce control risk. The greater the risk, the more the audit evidence the auditor should obtain that controls are operating effectively.
10-29 PCAOB Standard 2 requires that the auditor’s report on internal control include two auditor opinions:
1. The auditor’s opinion on whether management’s assessment of the effectiveness of internal control over financial reporting as of the end of the fiscal period is fairly stated, in all material respects. In practice it is unlikely for the auditor to issue anything other than an unqualified report on this opinion. If the auditor concludes that management has not identified and reported all significant deficiencies and material weaknesses, it will be in management’s best interests to revise its report to conform to the auditor’s conclusions.
2. The auditor’s opinion on whether the company maintained, in all material respects, effective internal control over financial reporting as of the specified date. There is likely to be more variety in these reports.
10-30 The auditor may issue an unqualified opinion on internal control over financial reporting when two conditions are present:
there are no identified material weaknesses; and
there have been no restrictions on the scope of the auditor’s work.
A scope limitation is the condition that would cause the auditor to express a qualified opinion or a disclaimer of opinion on internal control over financial reporting. This type of opinion is issued when the auditor is unable to determine if there are material weaknesses, due to a restriction on the scope of the audit of internal control over financial reporting or other circumstances where the auditor is unable to obtain sufficient evidence.
10-31 PCAOB Standard 2 requires that the audit of the financial statements and the audit of internal control over financial reporting be integrated. In an integrated audit, the auditor must consider the results of audit procedures performed to issue the audit report on the financial statements when issuing the audit report on internal control. For example, if the auditor identifies a material misstatement in the financial statements that was not initially identified by the company’s internal controls, the auditor should consider this as at least a significant deficiency, if not a material weakness for purposes of reporting on internal control. In such circumstances, the auditor’s report on the financial statements may be unqualified as long as management corrected the misstatement before issuing the financial statements. In contrast, however, the auditor’s report on internal control must include an adverse opinion if the auditor concludes it is a material weakness.
Multiple Choice Questions From CPA Examinations
10-32 a (3) b (3) c (4) d (4)
10-33 a (3) b (2) c (4) d (2)
10-34 a (3) b (4) c (4) d (2)
Discussion Questions and Problems
10-35 1. a. Adequate segregation of duties and proper authorization of transactions and activities.
b. Recorded transactions exist.
c. An unauthorized or invalid time card turned in by an existing employee. The time card may be for an employee who formerly worked for the company or one who is temporarily laid off.
d. An employee could be claiming too many hours by having a friend punch him or her in early, or by making manual changes on time cards.
e. Check to see that all employees that are punched in one day are physically present.
b. Existing transactions are recorded.
c. A missing time card number never could be identified before preparation of payroll starts.
d. An employee would not be paid for a time period. (The employee is almost certain to bring this to management's attention.) The primary benefit of the control would be to prevent misstatements for a short period of time and to prevent employee dissatisfaction from failure to pay them.
e. Obtain a list of company employees and make sure that each one has received a paycheck for the time period in question.
3. a. Proper authorization of transactions and activities.
b. Recorded transactions exist.
c. A paycheck cannot be processed for an invalid employee number.
d. A fictitious payroll check could be processed for a fictitious employee if invalid employee numbers are included in the employee master file.
e. Include test data transactions with invalid employee numbers in the data to be inputted into the payroll accounting system and determine that all invalid transactions are automatically rejected by the software application.
4. a. Adequate separation of duties.
b. Recorded transactions exist.
c. A fictitious payroll check that is originated by the person both preparing the payroll checks and distributing the payroll checks.
d. If one person kept a record of time, prepared the payroll, and distributed the checks, that person could add a nonexistent employee to the payroll, process the information for the employee and deposit the paycheck in his or her own bank account without detection.
e. Perform a surprise payoff in which the auditor accounts for all paychecks and distributes them to the employees, who must provide identification in order to receive their checks.
b. Recorded transactions are stated at the correct amounts.
c. Mechanical errors of adding up the number of hours, calculating the gross payroll incorrectly, or calculating withholding incorrectly.
d. Payroll checks incorrectly calculated could be paid to employees.
e. Recheck the amounts for gross payroll, withholding and net payroll.
b. Existing transactions are recorded.
c. Preparation of a check for an inappropriate person, the distribution of that check to that person, and the recording of that check in the cash disbursements journal as a voided check.
d. An employee who is supposed to void a check could record it as voided on the books and cash the check. At month-end the amount of the check could be covered by adjusting the bank reconciliation.
e. Test month-end bank reconciliations in detail to determine that the account reconciles properly, that all supporting documents are proper, looking especially for a check that cleared and was supposed to be voided, and that no alterations have been made to the bank statement.
7. a. Proper authorization of transactions and activities.
b. Recorded transactions exist and recorded transactions are stated at the correct amounts.
c. Both errors and fraud are likely to be prevented if competent trustworthy employees are hired. Hiring honest employees minimizes the likelihood of fraud. Hiring competent employees minimizes the likelihood of unintentional errors.
d. Several types of intentional misstatements could occur if a dishonest person is hired. Similarly, several types of unintentional errors could occur if an incompetent person is hired.
e. An examination of cancelled checks and supporting documents, including time cards and personnel records, is a test of the possibility of fraud. A test of the calculation of payroll is a test for an unintentional error caused by employees who are not competent.
8. a. Proper authorization of transactions and activities, and adequate documents and records.
b. Recorded transactions exist.
c. The preparation of an inappropriate payroll check for a former employee is prevented.
d. A terminated employee could be continued on the payroll with someone else obtaining the paycheck.
e. Perform a surprise payoff in which the auditor accounts for all paychecks and distributes them to the employees, who must provide identification to receive their checks.
9. a. Physical control over assets and records, and adequate segregation of duties.
b. Recorded transactions exist.
c. Checks prepared for nonexistent employees or employees on vacation, or absent for other reasons are controlled and safeguarded.
d. Checks could be lost which are intended for absent employees or a check could be taken by the person responsible for distributing the checks.
e. Examine cancelled checks to make certain that each check is properly endorsed, supported by a time card, and the person for whom the check is made out is still working for the company.
10. a. Proper authorization of transactions and activities and adequate separation of duties.
b. Recorded transactions exist and recorded transactions are stated at the correct amounts.
c. Preparation of a check for a fictitious employee or preparation of checks using an unapproved pay rate are prevented.
d. A fictitious payroll check could be processed for a fictitious employee if those with record keeping responsibilities are allowed to enter new employee numbers into the master file. Also, paychecks to valid employees could be overstated if unauthorized personnel have the ability to make changes to the pay rates in the master files.
e. Attempt to access the on-line payroll master file using a password that is not allowed access to that master file.
10-36 1. a. Adequate documents and records and independent checks on performance.
b. Transactions are stated at the correct amounts.
c. (1) Make sure that the billing clerk receives the current price list.
(2) Internal verification by someone who has the current price list.
b. Recorded transactions exist.
c. (1) Require that payments only be made on original invoices.
(2) Require a receiving report be attached to the vendor's invoice before a payment is made.
3. a. Adequate documents and records, and independent checks on performance.
b. Transactions are recorded on the correct dates.
c. Carefully coordinate the physical count of inventory on the last day of the year with the recording of sales to make certain counted inventory has not been billed and billed inventory has not been counted.
4. a. Proper authorization of transactions and adequate documents and records.
b. Recorded transactions exist.
c. Include a control in the accounts payable software that requires the input of a valid receiving report number before the software will process a payment on an accounts payable
5. a. Adequate documents and records, physical control over assets and records, and independent checks on performance.
b. Recorded transactions exist.
c. (1) Fence in the physical facilities and prohibit employees from parking inside the fencing.
(2) Require the accounting department to maintain perpetual inventory records and take physical counts of actual sides of beef periodically.
6. a. Independent checks on performance.
b. Recorded transactions are stated at the correct amounts.
c. Counts by qualified personnel and independent checks on performance.
7. a. Proper authorization of transactions and activities.
b. Transactions are stated at the correct amounts.
c. (1) Make sure that the salesman has a current price list.
(2) Require independent approval of all transactions, including the price, before shipment is made.