Modern Auditing

Download as pdf or txt
Download as pdf or txt
You are on page 1of 76

1 0 [ ]

U NDERSTANDING I NTERNAL C ONTROL

[
THE IMPORTANCE OF INTERNAL CONTROL
The importance of internal control to management and independent auditors has been recognized in the professional literature for many years. A 1947 publication by the AICPA entitled Internal Control cited the following factors as contributing to the expanding recognition of the signicance of internal control:

The scope and size of the business entity have become so complex and widespread that management must rely on numerous reports and analyses to effectively control operations. The check and review inherent in a good system of internal control affords protection against human weaknesses and reduces the possibility that errors or irregularities will occur. It is impracticable for auditors to make audits of most companies within economic fee limitations without relying on the clients system of internal control. During the ve decades following this publication, management, independent auditors, and, external parties, such as investors and regulators, have placed even greater importance on internal control. In 1977, Congress passed the Foreign Corrupt Practices Act (FCPA). Under this Act, management and directors of companies subject to reporting requirements of the Securities Exchange Act of 1934 are required to comply with antibribery and accounting standards provisions and maintain a satisfactory system of internal control. The FCPA is administered by the Securities and Exchange Commission (SEC), and management and directors who do not comply with its provisions are subject to nes, penalties, and/or imprisonment. Ten years later, the National Commission on Fraudulent Financial Reporting (Treadway Commission) reemphasized the importance of internal control in reducing the incidence of fraudulent nancial reporting. The commissions nal report, issued in October 1987, included the following:

Of overriding importance in preventing fraudulent nancial reporting is the tone set by top management that inuences the corporate environment within which nancial reporting occurs. All public companies should maintain internal control that will provide reasonable assurance that fraudulent nancial reporting will be prevented or subject to early detection. The organizations sponsoring the Commission, including the Auditing Standards Board (ASB), should cooperate in developing additional guidance on internal control systems. In 1988, the ASB issued SAS 55, Consideration of the Internal Control Structure in a Financial Statement Audit (AU 319). The SAS signicantly expanded both the meaning of internal control and the auditors responsibilities in meeting the second standard of eldwork. In 1990, the AICPA issued a 263-page audit guide with the same title as the SAS to assist auditors in applying SAS 55. Finally, following up on the last recommendation of the Treadway Commission referred to previously, in 1992 the Committee of Sponsoring Organizations (COSO) of the Tread-

[ 390 ]

PART 2

AUDIT PLANNING

way Commission issued a report entitled Internal ControlIntegrated Framework. According to COSO, the two principal purposes of its efforts were to:

Establish a common denition of internal control serving the needs of different parties. Provide a standard against which business and other entities can assess their control systems and determine how to improve them. Then the ASB issued Statements and Standards for Attestation Engagements No. 2, which allowed auditors to conduct an audit and report on a clients system of internal control over nancial reporting. Then in 1995 the ASB amended AU 319 with SAS 78, Consideration of Internal Control in a Financial Statement Audit, to conform professional standards to the framework and language used in the COSO Report. Financial statement users have questioned whether it is more important to have assurance on the nancial statements themselves or assurance over the system that produces an entitys nancial statements. About a decade after the ASB created the rst standards for attest engagement on internal controls, the U.S. Congress passed the SarbanesOxley Act of 2002. Section 404 of this Act and PCAOB Standard No. 2 require managements of public companies to assess the adequacy of internal controls over nancial reporting, and their auditors must audit both managements assessment of internal controls over nancial reporting and the actual effectiveness of the system of internal controls over nancial reporting (in addition to auditing the nancial statements themselves).

[PREVIEW OF CHAPTER 10]


Chapter 10 continues the discussion of important audit planning and risk assessment procedures and addresses one major issue: understanding the entitys system of internal control. The following diagram provides an overview of the chapter organization and content.

Understanding Internal Control

Introduction to Internal Control Denition and Components Entity Objectives and Related Internal Control Relevant to an Audit Limitations of an Entitys System of Internal Control Roles and Responsibilities

Components of Internal Control Control Environment Risk Assessment Information and Communication Control Activities Monitoring Antifraud Programs and Controls Application to Small and Midsized Entities Summary

Understanding Internal Control What to Understand about Internal Control Effects of Preliminary Audit Strategies Procedures to Obtain an Understanding Documenting the Understanding

Appendices

Information Technology and Internal Control Computer General Controls Comprehensive Flowcharting Illustration

Chapter 10 focuses on the elements of a strong system of internal control. This chapter addresses the following aspects of the auditors knowledge and the auditors decision process.

Hadel Studio

(516) 333

2580

CHAPTER 10

UNDERSTANDING INTERNAL CONTROL

[ 391 ]

focus on auditor knowledge


After studying this chapter you should understand the following aspects of an auditors knowledge base: K1. Know the denitions of internal control and the ve interrelated components of internal control. K2. Know the inherent limitations of internal control and explain the roles and responsibilities of various parties for an entitys internal controls. K3. Know the purpose of understanding internal control needed to plan an audit and how that understanding is used.

focus on audit decisions


After studying this chapter you should understand the factors that inuence the following audit decisions. D1. What are the key components of a strong control environment, including relevant IT aspects? D2. What are the key components of strong risk assessment activities, including relevant IT aspects? D3. What are the key components of an effective information and communication system, including relevant IT aspects? D4. What are the key components of strong control activities, including relevant IT aspects? D5. What are the key components of strong monitoring activities, including relevant IT aspects? D6. What are the key components of a strong antifraud program and controls? D7. What audit procedures are used to obtain an understanding of internal controls? D8. What are the requirements and alternative methods for documenting the understanding of internal control?

[INTRODUCTION TO INTERNAL CONTROL]


In this section, we examine the contemporary denition of internal control and ve interrelated components of internal control. In addition, we consider which entity objectives addressed by internal control are relevant to a nancial statement audit, briey describe the components of internal control, acknowledge certain inherent limitations of internal control, and specify the roles and responsibilities of various parties for an entitys internal control. DEFINITION AND COMPONENTS The COSO report denes internal control as follows: Internal control is a process, effected by an entitys board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories: Reliability of nancial reporting Compliance with applicable laws and regulations Effectiveness and efciency of operations
Source: Committee of Sponsoring Organizations of the Treadway Commission, Internal ControlIntegrated Framework (Jersey City, NJ; American Institute of Certied Public Accountants, 1992).

[ 392 ]

PART 2

AUDIT PLANNING

Auditor Knowledge 1
Know the deni-

The COSO report also emphasized that the following fundamental concepts are embodied in the foregoing denition:

tions of internal control and the ve interrelated components of internal control.

Internal control is a process that is integrated with, not added onto, an entitys infrastructure. It is a means to an end, not an end in itself. People implement internal control. It is not merely a policy manual and forms, but people at every level of an organization. Internal control can be expected to provide only reasonable assurance, not absolute assurance, because of its inherent limitations. Internal control is geared to the achievement of objectives in the overlapping categories of nancial reporting, compliance, and operations.

Implicit in the last bullet is the assumption that management and the board do in fact formulate and periodically update entity objectives in each of the three categories. To provide a structure for considering the many possible controls related to the achievement of an entitys objectives, the COSO report (and AU 319.07) identies ve interrelated components of internal control:

Control environment sets the tone of an organization, inuencing the control consciousness of its people. It is the foundation for all other components of internal control, providing discipline and structure. Risk assessment is the entitys identication and analysis of relevant risks to achievement of its objectives, forming a basis for determining how the risks should be managed. Control activities are the policies and procedures that help ensure that management directives are carried out. Information and communication are the identication, capture, and exchange of information in a form and time frame that enable people to carry out their responsibilities. Monitoring is a process that assesses the quality of internal control performance over time.

These ve components are described in detail in later sections of this chapter. ENTITY OBJECTIVES AND RELATED INTERNAL CONTROL RELEVANT TO AN AUDIT As previously noted, management adopts internal control to provide reasonable assurance of achieving three categories of objectives: (1) reliability of nancial information, (2) compliance with applicable laws and regulations, and (3) effectiveness and efciency of operations. Because not all of those objectives and related controls are relevant to an audit of nancial statements, one of the auditors rst tasks in meeting the second standard of eldwork is to identify those objectives and controls that are relevant. Generally, this includes those that pertain directly to the rst categoryreliability of nancial reporting. In addition, Section 404 of the SarbanesOxley Act of 2002 only focuses on internal control over nancial reporting. Other objectives and related controls may also be relevant if they pertain to data the auditor uses in applying audit procedures. Examples include objectives and related controls that pertain to:

CHAPTER 10

UNDERSTANDING INTERNAL CONTROL

[ 393 ]

Nonnancial data used in analytical procedures, such as the number of employees, the entitys manufacturing capacity and volume of goods manufactured, and other production and marketing statistics. Certain nancial data developed primarily for internal purposes, such as budgets and performance data, used by the auditor to obtain evidence about the amounts reported in the nancial statements.

Chapter 2 of this text explained the auditors responsibilities for detecting errors and irregularities, including management and employee fraud, and for detecting certain illegal acts. Thus, an entitys objectives and controls related to these matters are also relevant to the auditor. In particular, objectives and controls in the category of compliance with applicable laws and regulations are relevant when they could have a direct and material effect on the nancial statements. LIMITATIONS OF AN ENTITYS SYSTEM OF INTERNAL CONTROL One of the fundamental concepts identied earlier in the chapter is that internal control can provide only reasonable assurance to management and the board of directors regarding the achievement of an entitys objectives. AU 319.16-18, Consideration of Internal Control in a Financial Statement Audit, identies the following inherent limitations that explain why internal control, no matter how well designed and operated, can provide only reasonable assurance regarding achievement of an entitys control objectives.

Auditor Knowledge 2
Know the inherent

limitations of internal control and explain the roles and responsibilities of various parties for an entitys internal controls.

Mistakes in judgment. Occasionally, management and other personnel may exercise poor judgment in making business decisions or in performing routine duties because of inadequate information, time constraints, or other procedures. Breakdowns. Breakdowns in established control may occur when personnel misunderstand instructions or make errors owing to carelessness, distractions, or fatigue. Temporary or permanent changes in personnel or in systems or procedures may also contribute to breakdowns. Collusion. Individuals acting together, such as an employee who performs an important control acting with another employee, customer, or supplier, may be able to perpetrate and conceal fraud so as to prevent its detection by internal control (e.g., collusion among three employees from personnel, manufacturing, and payroll departments to initiate payments to ctitious employees, or kickback schemes between an employee in the purchasing department and a supplier or between an employee in the sales department and a customer). Management override. Management can overrule prescribed policies or procedures for illegitimate purposes such as personal gain or enhanced presentation of an entitys nancial condition or compliance status (e.g., inating reported earnings to increase a bonus payout or the market value of the entitys stock, or to hide violations of debt covenant agreements or noncompliance with laws and regulations). Override practices include making deliberate misrepresentations to auditors and others such as by issuing false documents to support the recording of ctitious sales transactions. Cost versus benefits. The cost of an entitys internal control should not exceed the benefits that are expected to ensue. Because precise measurement of both

[ 394 ]

PART 2

AUDIT PLANNING

costs and benefits usually is not possible, management must make both quantitative and qualitative estimates and judgments in evaluating the cost-benefit relationship.1 For example, an entity could eliminate losses from bad checks by accepting only certied or cashiers checks from customers. However, because of the possible adverse effects of such a policy on sales, most companies believe that requiring identication from the check writer offers reasonable assurance against this type of loss. ROLES AND RESPONSIBILITIES The COSO report concludes that everyone in an organization has some responsibility for, and is actually a part of, the organizations internal control. In addition, several external parties, such as independent auditors and regulators, may contribute information useful to an organization in effecting control, but they are not responsible for the effectiveness of internal control. Several responsible parties and their roles are as follows:

Management. It is managements responsibility to establish effective internal control. In particular, senior management should set the tone at the top for control consciousness throughout the organization and see that all the components of internal control are in place. Senior management in charge of organizational units (divisions, etc.) should be accountable for the resource in their units. The CEO and CFO of public companies must also make an assessment of the adequacy of internal controls over nancial reporting. Board of directors and audit committee. Board members, as part of their general governance and oversight responsibilities, should determine that management meets its responsibilities for establishing and maintaining internal control. The audit committee (or in its absence, the board itself) has an important oversight role in the nancial reporting process. Internal auditors. Internal auditors should periodically examine and evaluate the adequacy of an entitys internal control and make recommendations for improvements. They are part of the monitoring component of internal control, and active monitoring by internal auditors may improve the overall control environment. Other entity personnel. The roles and responsibilities of all other personnel who provide information to, or use information provided by, systems that include internal control should understand that they have a responsibility to communicate any problems with noncompliance with controls or illegal acts of which they become aware to a higher level in the organization. Independent auditors. When performing risk assessment procedures, an independent auditor may discover deciencies in internal control that he or she communicates to management and the audit committee, together with recommendations for improvements. This applies primarily to nancial reporting controls, and to a lesser extent to compliance and operations controls. If the

The PCAOB has taken the position that cost-benet is not a valid reason not to have adequate internal controls over nancial reporting relating to assertions that could have a material effect on the nancial statements.

CHAPTER 10

UNDERSTANDING INTERNAL CONTROL

[ 395 ]

managements responsibilities in an audit of internal control over financial reporting Managements of public companies are responsible for both fair presentation in the nancial statement and maintenance of an effective system of internal control over nancial reporting. The PCAOB Auditing Standard No. 2 establishes the following responsibility for management with respect to the companys internal control. Management must:

Accept responsibility for the effectiveness of the companys internal control over nancial reporting. Evaluate the effectiveness of the companys internal control over nancial reporting using suitable criteria (generally COSO). Support its evaluation with sufcient evidence, including documentation. Present a written assessment of the effectiveness of the companys internal control over nancial reporting as of the end of the companys most recent scal year.

auditor of a private company follows a primarily substantive approach, he or she may learn enough to understand the specic risks of misstatement, but may not evaluate the effectiveness of many control procedures. A private company audit in accordance with GAAS is performed primarily to enable the auditor to properly plan the audit. Neither does it result in the expression of an opinion on the effectiveness of internal control, nor can it be relied upon to identify all or necessarily even most signicant weaknesses in internal control. Other external parties. Legislators and regulators set minimum statutory and regulatory requirements for establishing internal controls by certain entities. The SarbanesOxley Act of 2002 is an example. Another example is the Federal Deposit Insurance Corporation Improvement Act of 1991, which requires that certain banks report on the effectiveness of their internal control over nancial reporting and that such reports be accompanied by an independent accountants attestation report on managements assertions about effectiveness.

[LEARNING CHECK
(The following questions draw from the opening vignette as well as from the chapter material.) a. Who administers the Foreign Corrupt Practices Act of 1977, and to whom does it pertain? b. What provisions of the Act relate to internal control and how? 10-2 a. What recommendations did the National Commission on Fraudulent Financial Reporting make regarding internal control? b. What is COSO? What were the two principal purposes of its efforts regarding internal control, and why did it undertake these efforts? 10-3 a. State the COSO denition of internal control. b. Identify ve interrelated components of internal control. c. Which entity objectives and related internal controls are of primary relevance in a nancial statement audit?
10-1

[ 396 ]

PART 2

AUDIT PLANNING

10-4 10-5

Identify and briey describe several inherent limitations of internal control. Identify several parties that have roles and responsibilities related to an entitys internal control and briey describe their roles and responsibilities.

[KEY TERMS
Components of internal control, p. 392 Control activities, p. 392 Control environment, p. 392 Fundaments concepts, p. 392 Information and communication, p. 392 Inherent limitations, p. 393 Internal control, p. 391 Monitoring, p. 392 Risk assessment, p. 392

[COMPONENTS OF INTERNAL CONTROL]


The COSO report and AU 319, Consideration of Internal Control in the Financial Statement Audit (SAS 78), identies ve interrelated components of internal control as listed in Figure 10-1. Each of the ve components includes numerous control policies and procedures that are needed to achieve entity objectives in each of the three categories of objectives previously identiednancial reporting, compliance, and operations. We have identied a sixth category, antifraud programs and controls. PCAOB Standard No. 2 considers antifraud programs and controls to be an integral aspect of internal controls. We discuss these controls separately because they affect all other aspects of internal control. Each component is explained in a following section. These explanations focus on the relationship of each component to those entity objectives and related internal control in each category that are of greatest relevance to the nancial statement

Figure 10-1 1 2 3 4 5

Components of Internal Control Control Environment Risk Assessment Information and Communication Control Activities Monitoring Antifraud Programs and Controls

**

Hadel Studio

(516) 333

2580

CHAPTER 10

UNDERSTANDING INTERNAL CONTROL

[ 397 ]

auditnamely, those that are designed to prevent or detect material misstatements in the nancial statements. CONTROL ENVIRONMENT The control environment represents the tone set by management of an organization that inuences the control consciousness of its people. It is the foundation for all other components of internal control, providing discipline and structure. A strong control environment comprises numerous factors that work together to enhance the control consciousness of people who implement controls throughout an entity. Among these are the following (AU 319.25):

Audit Decision 1
What are the key

components of a strong control environment, including relevant IT aspects?

Integrity and ethical values Commitment to competence Board of directors and audit committee Managements philosophy and operating style Organizational structure Assignment of authority and responsibility Human resource policies and practices

The extent to which each factor is formally addressed by an entity will vary based on such considerations as its size and maturity. These factors constitute a major part of an entitys culture. Brief discussion of each of these control environment factors follows. Integrity and Ethical Values The COSO report notes that managers of well-run entities have increasingly accepted the view that ethics paythat ethical behavior is good business. In order to emphasize the importance of integrity and ethical values among all personnel of an organization, the CEO and other members of top management should:

Set the tone by example, by consistently demonstrating integrity and practicing high standards of ethical behavior. Communicate to all employees, verbally and through written policy statements and codes of conduct, that the same is expected of them, that each employee has a responsibility to report known or suspected violations to a higher level in the organization, and that the violations will result in penalties. Provide moral guidance to any employees whose poor moral backgrounds have made them ignorant of what is right and wrong. Reduce or eliminate incentives and temptations that might lead individuals to engage in dishonest, illegal, or unethical acts. Examples of incentives for negative behavior include placing undue emphasis on short-term results or meeting unrealistic performance targets, or bonus and prot-sharing plans with terms that might elicit fraudulent nancial reporting practices. A strong control environment encourages employees to stay well away from questionable accounting practices and it places a strong emphasis on representational faithfulness in nancial reporting.

[ 398 ]

PART 2

AUDIT PLANNING

Commitment to Competence To achieve entity objectives, personnel at every level in the organization must possess the requisite knowledge and skills needed to perform their jobs effectively. Commitment to competence includes managements consideration of the knowledge and skills needed, and the mix of intelligence, training, and experience required to develop that competence. For example, meeting nancial reporting objectives in a large publicly held company generally requires higher levels of competence on the part of the chief nancial ofcer and accounting personnel than would be the case for a small privately held company. It is also important for senior management to attend to the competence and training of individuals who develop or work with IT. Board of Directors and Audit Committee The composition of the board of directors and audit committee and the manner in which they exercise their governance and oversight responsibilities have a major impact on the control environment. Factors that impact the effectiveness of the board and audit committee include their independence from management; the accounting knowledge, experience and stature of their members; the extent of their involvement and scrutiny of managements activities; the appropriateness of their actions (e.g., the degree to which they raise and pursue difcult questions with management). An effective audit committee can enhance the independence and professional skepticism of an external auditor. The lack of an audit committee in a private company may not be a weakness if the board as a whole can carry out the audit committees responsibilities. Managements Philosophy and Operating Style Many characteristics may form a part of managements philosophy and operating style and have an impact on the control environment. The characteristics of managements philosophy and operating style include:

Approach to taking and monitoring business risks. Reliance on informal face-to-face contacts with key managers versus a formal system of written policies, performance indicators, and exception reports. Attitudes and actions toward nancial reporting. Conservative or aggressive selection from available accounting principles. Conscientiousness and conservatism in developing accounting estimates. Conscientiousness and understanding of the risks associated with IT.

The last four characteristics are of particular signicance in assessing the control environment over nancial reporting. For example, if management is aggressive in making judgments about accounting estimates (e.g., provision for bad debts, obsolete inventory, or depreciation expense) in ways that shift expenses from one period to another, earnings may be materially misstated. Organizational Structure An organizational structure contributes to an entitys ability to meet its objectives by providing an overall framework for planning, executing, controlling, and mon-

CHAPTER 10

UNDERSTANDING INTERNAL CONTROL

[ 399 ]

external auditor evaluation of audit committees A companys audit committee plays an important role within the control environment and monitoring components of internal control over financial reporting. An effective audit committee helps set a positive tone at the top. The companys board of directors is primarily responsible for evaluating audit committee effectiveness. However, PCAOB Standard No. 2 also states that the auditor should evaluate the effectiveness of the auditor committee as part of understanding the control environment and monitoring. The external auditor should focus on the audit committees oversight of the companys external financial reporting and internal control over financial reporting. When making this evaluation, the auditor might consider:

The independence of the audit committee from management. The clarity with which the audit committees responsibilities are articulated. How well the audit committee and management understand those responsibilities. The audit committees involvement and interaction with the independent auditor. The audit committees interaction with key members of nancial management. Whether the right questions are raised and pursued with management and the auditor. Whether questions indicate an understanding of the critical accounting policies and judgmental accounting estimates. The audit committees responsiveness to issues raised by the auditor.

Ineffective oversight by the audit committee of the companys external nancial reporting should be regarded as at least a signicant deciency and is a strong indicator of a material weakness in internal control over nancial reporting.

itoring an entitys activity. Developing an organizational structure for an entity involves determining the key areas of authority and responsibility and the appropriate line of reporting. These will depend in part on the entitys size and the nature of its activities. An entitys organizational structure is usually depicted in an organization chart that should accurately reect lines of authority and reporting relationships. Management should attend not only to the structure of the entitys operations, but also to the organizational structure of information technology and accounting information systems (see the discussion of segregation of duties regarding IT on p. 447). An auditor needs to understand these relationships to properly assess the control environment and how it may impact the effectiveness of particular controls. Assignment of Authority and Responsibility The assignment of authority and responsibility includes the particulars of how and to whom authority and responsibility for all entity activities are assigned, and should enable each individual to know (1) how his or her actions interrelate with those of others in contributing to the achievement of the entitys objectives and (2) for what each individual will be held accountable. This factor also includes policies dealing with appropriate business practices, knowledge and experience of key personnel, and resources provided for carrying out duties.

[ 400 ]

PART 2

AUDIT PLANNING

Often when individuals or managers are not held accountable for their responsibilities, little attention is given to the accounting system and the completeness and accuracy of information that ows from the accounting system. If a manager is not held accountable for the results of his or her operating unit, there is little incentive to correct errors in accounting for transactions. Although written job descriptions should delineate specic duties and reporting relationships, it is important to understand informal structures that may exist and how individuals are held accountable for their responsibilities. The auditor should also be aware of how management assigns authority and responsibility for IT. This includes methods of assigning authority and responsibility over computer systems documentation, and the procedures for authorizing and approving system changes. A lack of accountability over making changes in programmed control procedures creates an environment that is conducive to utilizing IT to cover employee fraud. Human Resource Policies and Practices A fundamental concept of internal control previously stated is that it is implemented by people. Thus, for internal control to be effective, it is critical that human resource policies and procedures be employed that will ensure that the entitys personnel possess the expected levels of integrity, ethical values, and competence. Such practices include well-developed recruiting policies and screening processes in hiring; orientation of new personnel to the entitys culture and operating style; training policies that communicate prospective roles and responsibilities; disciplinary actions for violations of expected behavior; evaluation, counseling, and promotion of people based on periodic performance appraisals; and compensation programs that motivate and reward superior performance while avoiding disincentives to ethical behavior. Summary of Control Environment The control environment is critical because it has a pervasive effect on the other four components of internal control. For example, if senior management does not hire competent individuals and fails to underscore the importance of ethics and competence in the performance of work that supports the accounting system, employees may not perform other control procedures with adequate professional care. If top management, in assigning authority and responsibility, does not hold other managers accountable for their use of resources, there is little incentive to effectively implement the remaining components of internal control. If, however, top management emphasizes the importance of internal control and the need for reliable information for decision making, it increases the likelihood that other aspects of internal control will operate effectively. Top management can also take steps that minimize the incentives to engage in fraud, whether fraudulent nancial reporting or misappropriation of assets. Figure 10-2 summarizes some of the factors that can strengthen other aspects of internal control and lower the risk of material misstatement or weaken other aspects of internal control and increase the risk of material misstatement.

CHAPTER 10

UNDERSTANDING INTERNAL CONTROL

[ 401 ]

Figure 10-2

Summary of Control Environment Factors Control Environment Factors Integrity and ethical values

Higher Risk of Material Misstatement

Lower Risk of Material Misstatement Demonstrates high standards of ethical behavior. Top management emphasizes the importance of reporting known or suspected ethical violations Top management emphasizes the importance of ethical business practices and representational faithfulness in nancial reporting. Top management minimizes incentives for fraud.

Top management may engage in questionable business practices. Top management places a premium on achieving short-term results. Top management may encourage structuring transactions to meet GAAP requirements that do not match underlying economic substance. Top management sets unrealistic targets to attain bonuses.

Budgets constrain management, and some aspects of the organization may not have fully competent personnel. Operating positions have a priority over accounting or IT positions when it comes to obtaining competent personnel.

Commitment to competence

Top management seeks out competent personnel at every level of the organization. Top management seeks out competent personnel with accounting and IT skills for relevant positions

The board of directors is more passive in its governance roles and relies heavily on management. The auditor committee does not have members who are knowledgeable of accounting and auditing issues.

Board of directors and audit committee

The board of directors and the audit committee are active in their governance roles. The audit committee has competent members who are knowledgeable of accounting and auditing issues.

Top management is aggressive about taking business risks and may not monitor the impact of prior investment decisions. Top management emphasizes sales and operations issues and does not devote sufcient attention to risk associated with IT and the use of management discretion in nancial reporting. Top management is concerned about reporting nancial results that meet sales and earnings targets.

Managements philosophy and operating style

Top management is thoughtful about taking business risks, and appropriate monitoring systems are in place. Top management is conscientious in understanding the risks associated with IT and the use of management discretion in nancial reporting. Top management emphasizes the importance of representational faithfulness in nancial reporting.

The organization structure is strained and may not fully support effective planning, executing, controlling, and monitoring the entitys activities. The smaller size of the organization may not allow for adequate segregation of duties in IT and in other areas.

Organizational structure

Organizational structure supports effective planning, executing, controlling, and monitoring the entitys activities. Organizational structure allows for adequate segregation of duties in IT and in other areas. (continues)

[ 402 ]

PART 2

AUDIT PLANNING

Figure 10-2

(Continued) Control Environment Factors Assignment of authority and responsibility Lower Risk of Material Misstatement
Authority

Higher Risk of Material Misstatement

Inadequate communication of authority and responsibility hinders lower levels of management from coordinating their actions with others to achieve organizational objectives. Focus on immediate goals may not allow for appropriate monitoring of and accountability for organizational resources. Constraints limit assigning authority and responsibility in IT or in accounting in ways that would allow for appropriate segregation of duties and checks and balances.

and responsibility is assigned so that lower levels of management know how their actions interrelate with others in contributing to organizational objectives. Authority and responsibility is assigned with appropriate monitoring of and accountability for organizational resources. Top management assigns authority and responsibility in IT and in accounting in ways that allow for appropriate segregation of duties and checks and balances.

Budget constraints limit HR policies and practices, and entity personnel may not possess a high level of integrity, ethical values, or competence.

Human resource policies and practices

HR policies and practices ensure that entity personnel possess the expected level of integrity, ethical values, and competence.

RISK ASSESSMENT Risk assessment for nancial reporting purposes is an entitys identication, analysis, and management of risk relevant to the preparation of nancial statements that are fairly presented in conformity with generally accepted accounting principles.
Source: AU 319.28.

Audit Decision 2
What are the key

components of strong risk assessment activities, including relevant IT aspects?

Managements risk assessment process is depicted in Figure 10-3. Managements purpose is to (1) identify risk and (2) place effective controls in operation to control those risks. Management needs to seek a balance such that the higher the risk of misstatement in the nancial statements, the more effective the controls should be to prevent misstatements, or detect and correct them on a timely basis. In a strong risk assessment system, management should consider:

The entitys business risks and their nancial consequences. The inherent risks of misstatement in nancial statement assertions. The risk of fraud and its nancial consequences.

To the extent that management appropriately identies risks and successfully initiates control activities to address those risks, the auditors combined assessment of inherent and control risks for related assertions will be lower. In some cases,

CHAPTER 10

UNDERSTANDING INTERNAL CONTROL

[ 403 ]

Figure 10-3

Managements Risk Assessment Process

Fraud Risk Inherent Risk Business Risk

Internal Controls

however, management may simply decide to accept some level of risk without imposing controls because of cost or other considerations. (516) 333 2580 Studio should Managements risk Hadel assessment include consideration of the risks associated with IT discussed in Appendix 10A. For example, management should design information and controls systems that mitigate the problems associated with the impact of IT in reducing the traditional segregation of duties. If management designs and implements a good system of computer general controls, many of these overall risks will be reduced to a manageable level. In a strong risk assessment system, management should also include special consideration of the risks that can arise from changed circumstances described in AU 319.29:

Changes in operating environment New personnel New or revamped information systems Rapid growth New technology New lines, products, or activities Corporate restructurings Foreign operations New accounting pronouncements

To the extent that these risks are present, management should put controls in place to control these risks. For example, when management develops a new information system for a segment of the organization, user departments should be involved in developing the specications of the system, there should be signicant testing of the system with test data, and users should be involved in the nal tests to ensure that the new system accomplishes its goals. These are important control activities that need to respond to the risk that a new information system may not function as desired.

[ 404 ]

PART 2

AUDIT PLANNING

INFORMATION AND COMMUNICATION The information and communication system relevant to nancial reporting objectives, which includes the accounting system, consists of the methods and records established to identify, assemble, analyze, classify, record, and report entity transactions (as well as events and conditions) and to maintain accountability for the related assets and liabilities. Communication involves providing a clear understanding of individual roles and responsibilities pertaining to internal control over nancial reporting.
Source: AU 319.34.

Audit Decision 3
What are the key

components of an effective information and communication system, including relevant IT aspects?

As noted in the foregoing, a major focus of the accounting system is on transactions. Transactions consist of exchanges of assets and services between an entity and outside parties, as well as the transfer or use of assets and services within an entity. It follows that a major focus of control policies and procedures related to the accounting system is that transactions be handled in a way that supports representational faithfulness and the application of GAAP in the nancial statements. Thus, an effective accounting system should:

Identify and record only the valid transactions of the entity that occurred in the current period (existence and occurrence assertion). Identify and record all valid transactions of the entity that occurred in the current period (completeness assertion). Ensure that recorded assets and liabilities are the result of transactions that produced entity rights to, or obligations for, those items (rights and obligations assertions). Measure the value of transactions in a manner that permits recording their proper monetary value in the nancial statements (valuation or allocation assertion). Capture sufcient detail of all transactions to permit their proper presentation in the nancial statements, including proper classication and required disclosures (presentation and disclosure assertion).

An effective accounting system should provide a complete audit trail or transaction trail for each transaction. An audit trail or transaction trail is a chain of evidence from initiating a transaction to its recording in the general ledger and nancial statements provided by coding, cross-reference, and documentation connecting account balances and other summary results with original transaction data. Transaction trails are essential both to management and to auditors. Management uses the trail in responding to inquiries from customers or suppliers concerning account balances. It is particularly important for management to ensure a clear transaction trail in IT systems where documentary evidence may be retained for only a short period of time. Computer systems that use on-line processing should create a unique transaction number that can be used to establish such a transaction trail. Auditors use the trail in tracing and vouching transactions as explained in Chapter 6. Documents and records represent an aspect of the information and communication system that provides important audit evidence. Documents provide evidence of the occurrence of transactions and the price, nature, and terms of the

CHAPTER 10

UNDERSTANDING INTERNAL CONTROL

[ 405 ]

transactions. Invoices, checks, contracts, and time tickets are illustrative of common types of documents. When duly signed or stamped, documents also provide a basis for establishing responsibility for executing and recording transactions. Records include employee earnings records, which show cumulative payroll data for each employee, and perpetual inventory records. Another type of record is daily summaries of documents issued, such as sales invoices and checks. The summaries are then independently compared with the sum of corresponding daily entries to determine whether all transactions have been recorded. In modern accounting systems, records are usually in electronic format, and entities may create printed copies for ease of use. Communication includes making sure that personnel involved in the nancial reporting system understand how their activities relate to the work of others both inside and outside the organization. This includes the role of the system in reporting exceptions for followup as well as reporting unusual exceptions to higher levels within the entity. Policy manuals, accounting and nancial reporting manuals, a chart of accounts, and memoranda also constitute part of the information and communication component of internal control. CONTROL ACTIVITIES Control activities are those policies and procedures that help ensure that management directives are carried out. They help ensure that necessary actions are taken to address risks to achievement of the entitys objectives. Control activities have various objectives and are applied at various organization and functional levels.
Source: AU 319.32.

A strong system of control activities contains a number of elements that need to be placed in operation for the control activities to be effective. Figure 10-4 describes one way that control activities relevant to a nancial statement audit can be described. 1. Authorization Controls A major purpose of proper authorization procedures is to ensure that every transaction is authorized by management personnel acting within the scope of their authority. Each transaction entry should be properly authorized and approved in accordance with managements general or specic authorization. General authorization relates to the general conditions under which transactions are authorized, such as standard price lists for products and credit policies for charge sales. Specic authorization relates to the granting of the authorization on a case-by-case basis. When transactions are individually processed, authorization is usually provided in the form of a signature or stamp on the source document or in the form of electronic authorization that leaves a computerized audit trail. Proper authorization procedures often have a direct effect on control risk for existence and occurrence assertions, and in some cases, valuation or allocation assertions, such as the authorization of an expenditure or the authorization of a customers credit limit. The board of directors may authorize capital expenditures at a designated amount. Expenditures in excess of that amount might indicate

Audit Decision 4
What are the key

components of strong control activities, including relevant IT aspects?

[ 406 ]

PART 2

AUDIT PLANNING

Figure 10-4 1 2 3

Control Activities Authorization Controls Segregation of Duties Information Processing Controls a

General Controls

Computer Application Controls

Control over the Financial Reporting Process

4 5 6

Physical Controls Performance Reviews Controls over Management Discretion in Financial Reporting

existence problems (an invalid transaction) or presentation and disclosure problems (expenses classied as assets).
Hadel Studio

(516) 333

2580

2. Segregation of Duties Strong segregation of duties involves segregating (1) transaction authorization, (2) maintaining custody of assets, and (3) maintaining recorded accountability in the accounting records. Figure 10-5 depicts the traditional segregation of duties. Failure to maintain strong segregation of duties makes it possible for an individual to commit an error or fraud and then be in a position to conceal it in the normal course of his or her duties. For example, an individual who processes cash remittances from customers (has access to the custody of assets) should not also have authority to approve and record credits to customers accounts for sales returns and allowances or write-offs (authorize transactions). In such a case, the individual could steal a cash remittance and cover the theft by recording a sales return or allowance or bad-debt write-off. Sound segregation of duties also involves comparing recorded accountability with assets on hand. For example, sound internal control involves independent bank reconciliations comparing bank balances with book balances for each bank account. Perpetual inventory records should also be periodically compared with inventory on hand. Proper segregation of duties, should also be maintained within the IT department and between IT and user departments. Several functions within ITsystems develop-

CHAPTER 10

UNDERSTANDING INTERNAL CONTROL

[ 407 ]

Figure 10-5

Traditional Segregation of Duties Authorize the transaction

Maintain recorded accountability

Periodic comparison of recorded accountability with assets

Maintain custody of assets

ment, operations, data controls, and securities administrationshould be segregated (see Figure In addition, IT should not correct data submitted by Hadel 10-21). Studio (516) 333 2580 user departments and should be organizationally independent from user departments. Segregation of duties within IT is so important that it is considered a critical aspect of general controls (see the discussion of organization and operation control on p. 447). 3. Information Processing Controls Information processing controls address risks related to the authorization, completeness, and accuracy of transactions. These controls are particularly relevant to the nancial statement audit. Most entities, regardless of size, now use computers for information processing in general and for accounting systems in particular. In such cases, it is useful to further categorize information processing controls as general controls and application controls, which are discussed below.
3a. General Controls

The purpose of general controls is to control program development, program changes, and computer operations, and to secure access to programs and data. The following ve types of general controls are widely recognized: Organization and operation controls address the segregation of duties within the IT department and between IT and user departments. A critical component is segregating access to programs from access to data les. Weakness in these controls usually affects all IT applications. Systems development and documentation controls relate to (1) review, testing, and approval of new systems and program changes, and (2) controls over documentation. Hardware and systems software controls are an important factor that contributes to the high degree of reliability of todays information technology.

[ 408 ]

PART 2

AUDIT PLANNING

Hardware and software controls are designed to detect any malfunctioning of the equipment. To achieve maximum benet from these controls, (1) there should be a program of preventive maintenance on all hardware, and (2) controls over changes to systems software should parallel the systems development and documentation controls described above. Access controls are designed to prevent unauthorized use of IT equipment, data les, and computer programs. The specic controls include a combination of physical, software, and procedural safeguards. Data and procedural controls provide a framework for controlling daily computer operations, minimizing the likelihood of processing errors, and assuring the continuity of operations in the event of a physical disaster or computer failure through adequate le backup and other controls.

Computer general controls pertain to the IT environment and all IT activities as opposed to a single IT application. Because of the pervasive character of general controls, if the auditor is able to obtain evidence that general controls function effectively, then the auditor also has important assurance that individual applications may be properly designed and operate consistently during the period under audit. For example, strong computer general controls involve regular testing and review of individual programs that process sales, cash receipts, payroll, and many other transactions. Alternatively, deciencies in general controls may affect many applications and may prevent the auditor from assessing control risk below the maximum for many applications and transaction cycles. Students not familiar with the details of computer general controls should study the in-depth discussion in Appendix 10B.
3b. Computer Application Controls

The purpose of application controls is to use the power of information technology to control transactions in individual transaction cycles. Hence, applications controls will differ for each transaction cycle (e.g., sale vs. cash receipts). The following three groups of application controls are widely recognized:

Input controls Processing controls Output controls

These controls are designed to provide reasonable assurance that the recording, processing, and reporting of data by IT are properly performed for specic applications. Thus, the auditor must consider these controls separately for each signicant accounting application, such as billing customers or preparing payroll checks. In todays IT environment, application controls execute the function of independent checks by (1) using programmed application controls to identify transactions that contain possible misstatements and (2) having people follow up and correct items noted on exception reports. The following discussion explains how programmed controls may be used to identify items that should be included on various exception reports.
Input Controls Input controls are program controls designed to detect and report errors in data that are input for processing. They are of vital importance in IT systems because most of the errors occur at this point. Input controls are

CHAPTER 10

UNDERSTANDING INTERNAL CONTROL

[ 409 ]

designed to provide reasonable assurance that data received for processing have been properly authorized and converted into machine-sensible form. These controls also include the people who follow up on the rejection, correction, and resubmission of data that were initially incorrect. Controls over the conversion of data into machine-sensible form are intended to ensure that the data are correctly entered and converted data are valid. Specic controls include:

Verication controls. These controls often compare data input for computer processing with information contained on computer master les, or other data independently entered at earlier stages of a transaction. Computer editing. These are computer routines intended to detect incomplete, incorrect, or unreasonable data. They include: Missing data check to ensure that all required data elds have been completed and no blanks are present. Valid character check to verify that only alphabetical, numerical, or other special characters appear as required in data elds. Limit (reasonableness) check to determine that only data falling within predetermined limits are entered (e.g., time cards exceeding a designated number of hours per week may be rejected). Valid sign check to determine that the sign of the data, if applicable, is correct (e.g., a valid sign test would ensure that the net book value of an asset was positive and that assets are not overdepreciated). Valid code check to match the classication (i.e., expense account number) or transaction code (i.e., cash receipts entry) against the master list of codes permitted for the type of transaction to be processed. Check digit to determine that an account, employee, or other identication number has been correctly entered by applying a specic arithmetic operation to the identication number and comparing the result with a check digit embedded within the number.

The correction and resubmission of incorrect data are vital to the accuracy of the accounting records. If the processing of a valid sales invoice is stopped because of an error, both accounts receivable and sales will be understated until the error is eliminated and the processing completed. Misstatements should be corrected by those responsible for the mistake. Furthermore, strong controls create a log of potential misstatements, and the data control group periodically reviews their disposition.
Processing Controls Processing controls are designed to provide reasonable assurance that the computer processing has been performed as intended for the particular application. Thus, these controls should preclude data from being lost, added, duplicated, or altered during processing. Processing controls take many forms, but the most common ones are programmed controls incorporated into the individual applications software. They include the following:

Control totals. Provision for accumulating control totals is written into the computer program to facilitate the balancing of input totals with processing totals

[ 410 ]

PART 2

AUDIT PLANNING

for each run. Similarly, run-to-run totals are accumulated to verify processing performed in stages. File identication labels. External labels are physically attached to magnetic tape or disks to permit visual identication of a le. Internal labels are in machinesensible form and are matched electronically with specied operator instructions (or commands) incorporated into the computer program before processing can begin or be successfully completed. Limit and reasonableness checks. A limit or reasonableness test would compare computed data with an expected limit (e.g., the product of payroll rates times hours worked would be included on an exception report and not processed if it exceeded an predetermined limit). Before-and-after report. This report shows a summary of the contents of a master le before and after each update. Sequence tests. If transactions are given identication numbers, the transaction le can be tested for sequence (e.g., an exception report would include missing numbers or duplicate numbers in a sequence of sales invoices). Process tracing data. This control involves a printout of specic data for visual inspection to determine whether the processing is correct. For evaluating changes in critical data items, tracing data may include the contents before and after the processing (e.g., information from shipping data with information on sales invoices).

Output Controls Output controls are designed to ensure that the processing results are correct and that only authorized personnel receive the output. The accuracy of the processing results includes both updated machine-sensible les and printed output. This objective is met by the following:

Reconciliation of totals. Output totals that are generated by the computer programs are reconciled to input and processing totals by the data control group or user departments. Comparison to source documents. Output data are subject to detailed comparison with source documents. Visual scanning. The output is reviewed for completeness and apparent reasonableness. Actual results may be compared with estimated results.

The data control group usually controls who can have access to data in a database and maintains control over any centrally produced reports for the distribution of output. This group should exercise special care over the access to, or distribution of, condential output. To facilitate control over the disposition of output, systems documentation should include reports of who has access to various aspects of a database or some form of a report distribution sheet.
3c. Controls over the Financial Reporting Process

Figure 10-6 provides an overview of the nancial reporting process in many businesses. In many cases, computer application controls provide a strong control over the information that is included in a computer database. When the time comes to prepare nancial statements, a structured query language (SQL) is used to access the database and download information into a spreadsheet. However, once the data is in a spreadsheet, it may be subject to little or no controls. Data in

CHAPTER 10

UNDERSTANDING INTERNAL CONTROL

[ 411 ]

Figure 10-6

Overview of the Financial Reporting Process

Accounting Database

SQL

Financial Statements

Strong Controls

Weak or No Controls

Weak or No Controls

spreadsheets can be easily accessed and manipulated without leaving an audit trail. If a macro is written incorrectly, it might inadvertently omit information from particular general ledger account, or 333 otherwise (516) 2580 lose critical nancial stateHadel Studio ment information. Furthermore, a signicant amount of information included in footnote disclosures is often maintained or summarized in spreadsheets. The sum of the controls over the information included in spreadsheets is only as strong as the weakest link in the control chain. Many companies summarize a signicant amount of nancial statement information using spreadsheets. As part of a sound system of internal control companies should limit access to spreadsheets. Furthermore, good controls include testing the completeness of accuracy of inputs, and controlling the accuracy of output (e.g., testing spreadsheets with test data). Some companies perform an independent, manual check on the logic of each spreadsheet and the data that is summarized with spreadsheets. Companies should also maintain an inventory of spreadsheets used in the nancial reporting process and keep clear documentation of the function accomplished by each spreadsheet. Without these controls the benets obtained from strong computer application controls can be lost by having inadequate controls over the processing of nancial statement information in spreadsheets, or other nancial statement preparation software, prior to the preparation of the nancial statements. 4. Physical Controls Physical controls are concerned with limiting the following two types of access to assets and important records: (1) direct physical access and (2) indirect access through the preparation or processing of documents such as sales orders and disbursement vouchers that authorize the use or disposition of assets. Physical controls pertain primarily to security devices and measures used for the safekeeping of assets, documents, records, and computer programs or les. Security devices include on-site safeguards such as reproof safes and locked storerooms, and offsite safeguards such as bank deposit vaults and certied public warehouses. Security measures also include limiting access to storage areas to authorized personnel. Such controls reduce the risk of theft and are thus relevant in assessing control risk for existence or occurrence assertions. Physical controls also involve the use of mechanical and electronic equipment in executing transactions. For example, cash registers help to assure that all cash

[ 412 ]

PART 2

AUDIT PLANNING

receipt transactions are rung up, and they provide locked-in summaries of daily receipts. Such controls are relevant in assessing control risk for completeness assertions. When IT equipment is used, access to the computer, computer records, data les, and programs should be restricted to authorized personnel. The use of passwords, keys, and identication badges provides means of controlling access. When such safeguards are in place, control risk may be reduced for various existence or occurrence, completeness, and valuation or allocation assertions related to transaction classes and accounts processed by IT. Finally, physical control activities include periodic counts of assets and comparison with amounts shown on control records. Examples include petty cash counts and physical inventories. These activities may be relevant in assessing existence or occurrence, completeness, and valuation or allocation assertions as discussed further in Part 4 of the text in the context of specic transaction cycles. 5. Performance Reviews Examples of performance reviews include management review and analysis of

Reports that summarize the detail of account balances such as an aged trial balance of accounts, reports of cash disbursements by department, or reports of sales activity and gross prot by customer or region, salesperson, or product line. Actual performance versus budgets, forecasts, or prior-period amounts. The relationship of different sets of data such as nonnancial operating data and nancial data (for example, comparison of hotel occupancy statistics with revenue data).

Managements use of reports that drill down and summarize the transactions that make up sales or cash disbursements may provide an independent check on the accuracy of the accounting information. For example, a university department chair might review the details of the payroll that was charged to his or her department on a monthly basis. The quality of this review may provide control over the occurrence, completeness, and valuation of payroll transactions. Managements analysis of operating performance may serve another purpose similar to the auditors use of analytical procedures in audit planning. That is, management may develop nonnancial performance measures that correlate highly with nancial outcomes, and may allow it to detect accounts that might be misstated. Such misstatements might involve existence or occurrence, completeness, valuation or allocation, or presentation and disclosure assertions. 6. Controls over Management Discretion in Financial Reporting The PCAOB in Auditing Standard No. 2, An Audit of Internal Control over Financial Reporting Performed in Conjunction with an Audit of Financial Statements, expects public companies to establish internal controls in the three following areas:
1. Controls over signicant nonroutine and nonsystematic transactions, such as

assertions involving judgments and estimates.


2. Controls over the selection and application of GAAP. 3. Controls over disclosures.

CHAPTER 10

UNDERSTANDING INTERNAL CONTROL

[ 413 ]

In these circumstances it is rare to nd good internal controls in private companies. Private companies may have solid internal control over routine transactions that are high in volume, and internal controls are often very cost-effective. However, the circumstances identied above often involve signicant management discretion, and the size and nature of the company are such that the auditor is the primary check and balance over these issues. Public companies with more resources are now establishing internal controls over all aspects of nancial statement disclosure. As a general rule, key decisions about accounting for individual transactions, accounting policy, or disclosures should not rest with one individual. It is important that such critical decisions represent the consensus of a knowledgeable group. Internal controls over nonroutine and nonsystematic transactions, such as assertions involving accounting estimates, often have two layers of control. The rst stage is control over the data used to make the judgmental computation, and the second stage is the concurrent review process. For example, if management makes an estimate of the allowance for doubtful accounts, the auditor should determine that the data used in making the assessment should be appropriately controlled. An accounting estimate can be no more reliable than the data used to develop the accounting estimate. The data should come from a system that is relevant to the estimate. Second, there should also be a review process that allows for a followup process that reviews prior accounting estimates with hindsight. In addition, there should be an internal process involving individuals who understand the business issues related to the accounting estimates that focuses on ensuring consistent estimates. The independent review process should focus on the consistency of the estimation process. The goal is to avoid the abuses where management has developed accounting estimates that tend to overestimate expenses in good years and underestimate expenses in years of poor scal performance. Some companies are also developing disclosure committees to provide an independent review of the appropriateness of selection of choices of accounting principles, accounting for unusual and nonrecurring transactions, the reasonableness of accounting estimates, and the overall level of disclosure in the nancial statements. These committees are often staffed with both (1) individuals who have strong accounting backgrounds and (2) members of operational management who are familiar with the companys operations and transactions. Disclosure committees, and then the audit committee, generally review these critical elements of the nancial statements before they are released to the auditor. These committees are most effective when they are staffed by knowledgeable individuals who provide an independent check on the initial decisions made by a controller, chief accounting ofcer, or a chief nancial ofcer. MONITORING Monitoring is a process that assesses the quality of internal control performance over time. It involves assessing the design and operation of controls on a timely basis and taking necessary corrective actions.
Source: AU 319.38.

[ 414 ]

PART 2

AUDIT PLANNING

Audit Decision 5
What are the key

components of strong monitoring activities, including relevant IT aspects?

Effective monitoring activities usually involve (1) ongoing monitoring programs, (2) separate evaluations, and (3) an element of reporting deciencies to the audit committee. Ongoing monitoring activities might take a variety of forms. An active internal audit function that regularly performs tests of controls using an integrated test facility or internal auditors may regularly rotate tests of different aspects of the system of internal control. In addition, controls may be designed with various self-monitoring processes. For example, problems with internal control may come to managements attention through complaints received from customers about billing errors or from suppliers about payment problems, or from alert managers who receive reports with information that differs signicantly from their rsthand knowledge of operations. Monitoring also occurs through separate periodic evaluations. Managements of public companies must perform periodic evaluations of internal controls in order to support an assertion about the effectiveness of the system of internal control. Furthermore, management and the audit committee should be conscious of IT risks and perform separate evaluations of computer general controls because of their pervasive effect on various programmed application controls. The audit committee also might charge internal audit with periodic reviews of IT risks and controls. Finally, management may receive information from the separate evaluation of regulators, such as bank examiners. The nal element of sound monitoring controls involves the reporting of deciencies to the audit committee (or full board of directors). Deciencies that surface through ongoing monitoring programs or separate evaluations should be regularly brought to the audit committee for discussion and decisions about corrective actions. ANTIFRAUD PROGRAMS AND CONTROLS Antifraud programs and controls are policies and procedures put in place to help ensure that managements antifraud directives are carried out. An effective antifraud program should impact every aspect of the system of internal control. Figure 10-7 summarizes a variety of common aspects of strong antifraud programs and controls.

Figure 10-7

Antifraud Programs and Controls Control Activities


Control Environment

Code of conduct/ethical company culture Ethics hotline Audit committee oversight Hiring and promotion Systematic assessment of fraud risks Evaluation of likelihood and magnitude of potential misstatement Adequacy of the audit trail Antifraud training

Adequate segregation of duties Linking controls to fraud risks Developing an effective oversight process After the fact evaluations by internal audit

Monitoring

Fraud Risk Assessment


Information and Communication


CHAPTER 10

UNDERSTANDING INTERNAL CONTROL

[ 415 ]

Audit Decision 6
What are the key

components of strong antifraud programs and controls?

Creating an ethical company culture is an aspect of the control environment that has a pervasive impact on other aspects of internal controls. Implementing an ethical company culture includes setting a tone at the top of the organization, establishing a code of conduct, creating a positive workplace environment, hiring and promoting ethical employees, providing ethics training, and disciplining and prosecuting violators. For example, in 2002 Genesco, Inc., found evidence of improper revenue recognition when it asked employees to sign an ethics statement. It then launched an internal investigation, and when it found evidence that the divisional president, CFO, and controller booked sales for goods that had not been shipped, the employees were dismissed. This activity sent a strong statement about the importance of ethics in accounting and business practices. The code of conduct should also address conicts of interest, related party transactions, illegal acts, and monitoring of the code by management and the audit committee or board. Many corporations have established ethics hotlines for accepting condential submissions of concerns about fraud and questionable accounting matters. It is essential that these hotlines be directed to internal auditors or an independent outside company, which will then anonymously report issues raised through the hotline to management and the audit committee. A specic aspect of managements risk assessment process should concern itself with the risk of fraud. Management should address both the risk of misappropriation of assets and the risk of fraudulent nancial reporting. An important rst step in responding to fraud risk is for management to consider a regular program of antifraud training, which is part of the information and communication system. Management should also make sure that there is an adequate audit trail to allow control activities to function effectively. As noted in Figure 10-3, it is essential that management institute sufcient controls to offset the fraud risks present in an organization. A strong system of internal control can limit the opportunity for fraud. If adequate segregation of duties exists, and information processing controls (both general controls and specic application controls) are designed to prevent or detect and correct misstatements, the opportunity for fraud is reduced. An audit committee must provide an oversight role in implementing controls over management discretion in nancial reporting. Finally, effective monitoring is necessary to ensure that other antifraud programs work effectively. The audit committee and management must regularly monitor the effectiveness of the control environment, risk assessment, information and communication, and control activities in preventing or detecting fraud. The audit committee should receive separate after the fact reports from internal auditors regarding issues reported through the ethics hotline. If monitoring activities become ineffective, it may not be long before other antifraud controls begin to deteriorate. APPLICATIONS OF COMPONENTS TO SMALL AND MIDSIZED ENTITIES All ve components of internal control are applicable to entities of all sizes. However, the degree of formality and the specics of how the components are implemented may vary considerably for practical and sound reasons. AU 319.15 identies the following factors to be considered in deciding on how to implement each of the ve components:

[ 416 ]

PART 2

AUDIT PLANNING

The entitys size Its organization and ownership characteristics The nature of its business The diversity and complexity of its operation Its methods of processing data Its applicable legal and regulatory requirements

Following are some of the differences typical of smaller versus larger entities. Smaller entities are less likely to have written codes of conduct, outsider directors, formal policy manuals, sufcient personnel to provide for optimal segregation of duties, or internal auditors. However, they can mitigate these conditions by developing a culture that places an emphasis on integrity, ethical values, and competence. In addition, owner-managers can assume responsibility for certain critical tasks, such as approving credit, signing checks, reviewing bank statements and bank reconciliations, monitoring customer balances, and approving the write-off of uncollectible accounts. Moreover, the familiarity that managers of smaller entities can have with all critical areas of operations, and the simpler and shorter lines of communication, can obviate the need for numerous other formalized control activities essential in larger entities. SUMMARY This concludes the discussion of the components of internal control. Two summary tables are presented to capture key issues from the preceding discussion. Figure 10-8 provides a list of questions that address many of the key issues that the auditor should understand about the clients system of internal control. A summary of the components is presented in Figure 10-9, including important IT components.

Figure 10-8

Key Questions Regarding a Clients System of Internal Control Key Questions

Component of Internal Control Control Environment Integrity and ethical values Commitment to competence Board of directors and audit committee

Does everyone at the client embrace standards of proper behavior? Does the client hire the best people? Does the board actively monitor the way management manages the business? How involved is the audit committee in the nancial reporting function? What is the collective effect of the boards and audit committees actions regarding internal control?

Managements philosophy and operating style

Does management philosophy about business risks support a strong system of internal control? What is the collective effect of managements actions regarding internal control? (continues)

CHAPTER 10

UNDERSTANDING INTERNAL CONTROL

[ 417 ]

Figure 10-8

(Continued) Key Questions

Component of Internal Control Control Environment (continued) Organizational structure

Does management have the right people in the right roles to achieve its objectives? Did management consider IT risks when thinking about the organizational structure of IT?

Assignment of authority and responsibility Human resource policies and practices Risk Assessment

Does the organization support a high level of accountability for the accomplishment of organizational objectives and ownership of controls? Are HR supports in place to emphasize the importance of controls? How does management identify, and continually monitor, relevant business risks, inherent risks, and fraud risks? Are control objectives aligned with actual business processes and risks? Is there a shared understanding of accountability for objectives, risks, and controls?

Information and Communication

For each signicant transaction cycle, how does the accounting system identify, assemble, analyze, classify, record, and report the entitys transactions? Is a clear understanding of individual roles and responsibilities communicated?

Control Activities Authorization Segregation of duties Information processing controls General controls Are effective controls in place to segregate program development and design from IT operations? Are effective controls in place over program changes? Application controls Do effective input, processing, and output controls monitor transaction class assertions? Is manual followup of computer-identied exceptions effective? Controls over the nancial reporting process Physical controls Performance reviews Are procedures in place to control data that is downloaded into spreadsheets to ensure the completeness and accuracy of the nancial reporting process? Do physical controls adequately control access to the entitys assets and resources? Does management adequately review the performance of each key operating unit? Do unit managers adequately review transactions charged to their responsibility center? Controls over management discretion in nancial reporting Are key accounting decisions centralized in one or a few key individuals? Are accounting estimates consistent and based on reliable data? Has the audit committee placed in operation effective controls over management discretion in nancial reporting? (continues) Is there a method of specic authorization for each signicant transaction cycle? Is there appropriate segregation of duties within each transaction cycle?

[ 418 ]

PART 2

AUDIT PLANNING

Figure 10-8

(Continued) Key Questions Are there effective ways for customers and vendors to independently report concerns about information coming from the nancial reporting system? Is management involved in monitoring the effectiveness of other aspects of internal control?

Component of Internal Control Monitoring

Antifraud Programs and Controls

Does the control environment set a tone at the top that encourages ethical conduct? Does the company offer an anonymous hotline or other opportunities for employees to report suspected fraud to individuals who are independent of management? Does management have an effective program for assessing fraud risks and for matching effective controls with assessed risks? Does management have an effective program for ongoing monitoring of fraud risk and for separate after the fact evaluation of fraud?

[LEARNING CHECK
a. Name the six components of internal control. b. In a nancial statement audit, the auditor focuses on each components relationship to entity objectives and related controls that are designed to do what? 10-7 a. List the factors that comprise the control environment. b. State four things the CEO and other members of top management should do to emphasize the importance of integrity and ethical values among the entitys personnel. c. Explain the important IT aspects of the control environment. 10-8 a. How is managements risk assessment for nancial reporting purposes similar to, and different from, the auditors risk assessment? b. Identify the key risks that management should be concerned about with respect to information technology and internal control. 10-9 a. In addition to its being a part of the information and communication component, how would you describe the accounting system? b. What are the attributes of an effective accounting system? c. Discuss how the attributes identied in (b) above relate to one or more of the ve categories of nancial statement assertions. d. Identify key IT aspects of the information and communication system. 10-10 a. What is the objective of segregation of duties? b. Describe two key aspects of segregation of duties. c. Describe important segregations of duties within the IT department. 10-11 a. Explain the purpose of computer general controls. b. If computer general controls are effective, what are the implications for other aspects of the audit?
10-6

Figure 10-9

Components of Internal Controls

Component
Control environment factors:

Description Relative to Financial Reporting Key Factors

Important IT Factors

Control Environment Integrity and ethical values. Commitment to competence. Board of directors and audit committee. Managements philosophy and operating style.

Sets the tone for an organization; inuences control consciousness of its people, is the foundation for all other components of internal controls. Organizational structure. of authority and responsibility. Human resource policies and practices.

Involvement of management in setting policies for developing, modifying, and using computer programs and data. Form of organization structure of data processing.

Assignment

Methods of assigning authority and responsibility over computer systems documentation, including procedures for authorizing transactions and approving systems changes. Assessment of risk: That transaction trail may be available for only a short period of time. Of reduced documentary evidence of performance of controls. Files and records usually cannot be read without a computer. That decreased human involvement in computer processing can obscure errors that might be observed in manual systems. Of IT system vulnerability to physical disaster, unauthorized manipulation, and mechanical malfunction. That IT systems may reduce traditional segregation of duties. That changes in systems are more difcult to implement and control. (continues)

Risk Assessment

Entitys identication, analysis, and management of risks relevant to the preparation of nancial statements that are fairly presented in conformity to GAAP.

Process should consider: Relationship of risks to specic nancial statement assertions and the related activities of recording, processing, summarizing, and reporting nancial data. Internal and external events and circumstances. Special consideration of changed circumstances. Inherent risks.

Figure 10-9

(Continued)

Component
Audit

Description Relative to Financial Reporting Key Factors


Focus of accounting system is on transactions: Effective accounting systems should result in handling of transactions in a way that prevents misstatements in managements nancial statement assertions. Systems should provide a complete audit or transaction trail. Includes policy manuals, charts of accounts, and memoranda.

Important IT Factors
Transaction may be initiated by computer. trail may be in electronic form. How data is converted from source documents to machine-sensible form. How computer les are accessed and updated. Computer processing involvement from initiation for transaction to inclusion in nancial statements. Computer involvement in reporting process used to prepare nancial statements.

Information and Communication

The information systems include the accounting system and consist of the methods and records established to identify, assemble, analyze, classify, record, and report entity transactions, and maintain accountability for related assets and liabilities; communication involves providing a clear understanding of individual roles and responsibilities pertaining to internal controls over nancial reporting. Policies and procedures that help ensure that management directives are carried out and that necessary actions are taken to address risks to achievement of entity objectives; have various objectives and are applied at various organizational and functional levels. General controls Application controls Controls over the nancial reporting process? Physical controls Performance reviews Controls over management discretion in nancial reporting Can occur through: Ongoing activities Separate period evaluations May include input from: Internal sources such as management and internal auditors External sources such as a customers, suppliers, regulators, and independent auditors

Control Activities

Categories: Authorization Segregation of Duties Information processing controls

General controls Organization and operation controls Systems development and documentation controls Hardware and system software controls Access controls Data and procedural controls Application controls Input Processing Output

Monitoring

Process by appropriate personnel that assess the quality of internal controls over time; includes assessment and design, whether operating as intended, and whether modied as appropriate for changed conditions.

IT may be monitored in a similar fashion to other internal controls

Antifraud Programs and Controls

Specic programs that help ensure that managements antifraud directives are carried out.

See Figure 10-7 for antifraud aspects of each element of the system of internal control.

CHAPTER 10

UNDERSTANDING INTERNAL CONTROL

[ 421 ]

a. Indicate the purpose of each of the three types of applications controls. b. Identify the categories of controls pertaining to the conversion of data. 10-13 a. Explain the risks associated with the nancial reporting process and explain relevant controls that might prevent or detect misstatements in the nancial reporting process. 10-14 a. Differentiate between independent checks, performance reviews, and monitoring. b. Describe several situations in which performance reviews may provide control over nancial statement assertions. c. Describe who should be involved in the monitoring, and discuss how an entity should monitor risks associated with information technology. 10-15 a. Describe the controls that a company might design to effectively control the development of an appropriate allowance for doubtful accounts. b. Describe the controls that a company might design to effectively control nonroutine transactions. c. Describe the controls that a company might design to effectively control the selection and application of GAAP. 10-16 Describe the controls a company might use as part of its antifraud programs and controls.
10-12

[KEY TERMS
Access controls, p. 408 Accounting system, p. 404 Antifraud programs and controls, p. 414 Application controls, p. 408 Assignment of authority and responsibility, p. 399 Audit trail, p. 404 Board of directors and audit committee, p. 398 Commitment to competence, p. 398 Control activities, p. 405 Control environment, p. 397 Controls over nonroutine and nonsystematic transactions, p. 413 Data and procedural controls, p. 408 Disclosure committees, p. 413 Documents and records, p. 404 General controls, p. 407 Hardware and systems software controls, p. 407 Human resource policies and procedures, p. 400 Independent checks, p. 408 Information processing controls, p. 407 Information and communication system, p. 404 Input controls, p. 408 Integrity and ethical values, p. 397 Managements philosophy and operating style, p. 398 Monitoring, p. 413 Organization and operation controls, p. 407 Organizational structure, p. 398 Output controls, p. 410 Performance reviews, p. 412 Physical controls, p. 411 Processing controls, p. 409 Proper authorization, p. 405 Risk assessment, p. 402 Segregation of duties, p. 406 Systems development and documentation controls, p. 407 Transaction trail, p. 404 Transactions, p. 404

[ 422 ]

PART 2

AUDIT PLANNING

[UNDERSTANDING INTERNAL CONTROL]


The auditor has two separate reasons for obtaining an understanding of internal control. The foundation needed for an audit of the nancial statements requires that an auditor obtain an understanding of internal control that allows the auditor to plan the audit and make decisions about the nature, timing, extent, and stafng of audit tests. In addition, public company auditors must also obtain sufcient knowledge to plan an audit to express reasonable assurance about the effectiveness of internal control over nancial reporting. Figure 10-10 provides a comparison of these two purposes. WHAT TO UNDERSTAND ABOUT INTERNAL CONTROL A sufcient understanding of internal control is essential for an effective audit because it informs the auditor about where misstatements are likely to occur. In order to support an opinion on the nancial statements (rather than an opinion on internal controls), auditors need a sufcient knowledge of internal control to plan a nancial statement audit. Obtaining an understanding involves performing procedures to:

Auditor Knowledge 3
Know the purpose

of understanding internal control needed to plan an audit and how that understanding is used.

Understand the design of policies and procedures related to each component of internal control. Determine whether the policies and procedures have been placed in operation.

The auditor uses this knowledge in three ways. The auditor should know enough to
1. Identify the types of potential misstatements that may occur. 2. Understand the factors that affect the risk of material misstatement. 3. Design further audit procedures.

Each of these three steps is discussed below.

Figure 10-10

Understanding Internal Control in Private Company and Public Company Audits

Knowledge to Support an Opinion on the System of Internal Control

The auditor should have sufficient knowledge to plan and perform an audit to obtain reasonable assurance that material weaknesses in internal control are identified

Knowledge to Support an Opinion on Financial Statements

The auditor needs sufficient knowledge of internal control to:


Identify the types of potential misstatement that may occur. Understand the factors that effect the risk of material misstatement

Design the nature, timing, and extent of further audit procedures

Hadel Studio

(516) 333

2580

CHAPTER 10

UNDERSTANDING INTERNAL CONTROL

[ 423 ]

understanding of internal controls needed to support an opinion on internal controls Auditors of public companies need to have sufcient knowledge to support both an opinion on the nancial statement and an opinion on internal control over nancial reporting (ICFR). The latter requires that the auditor understand the system of ICFR in sufcient detail that the auditor can determine that effective controls have been placed in operation to prevent or detect any material misstatement (individually or in aggregate) in the nancial statements on a timely basis. Even if the auditor plans a primarily substantive approach for an assertion (e.g., the valuation of net receivables), the auditor needs to understand (and test) the clients system of internal controls over that assertion. For each signicant process, the auditor of a public company should:

Understand the ow of transactions, including how transactions are initiated, authorized, recorded, processed, and reported. Identify the points within the process at which a misstatementincluding a misstatement due to fraudrelated to each relevant nancial statement assertion could arise. Identify the controls that management has implemented to address these potential misstatements. Identify the controls that management has implemented for the prevention or timely detection of unauthorized acquisition, use, or disposition of the companys assets.

Identifying the Types of Potential Misstatements that May Occur An important aspect of assessing the risk of material misstatement involves obtaining an understanding of the points at which errors or fraud could occur. Some internal control weaknesses have a pervasive effect on the nancial statements. A poor control environment, or weak computer general controls, might increase the risk of material misstatement for most or all assertions in the nancial statements. Other weaknesses are assertion specic. At some stage in the recording of a transaction, the change of information, or the addition of new information, may not be controlled. For example, an entity might record sales when an order is taken from a customer rather than when goods are shipped, resulting in potential cutoff errors. Perhaps a company has designed effective computer controls, but due to changes in personnel the company has hired someone who does not adequately understand the role that he or she plays in following up on items that appear on exception reports. This lack of knowledge and inappropriate manual followup may create potential for error or fraud. As a result, auditors usually consider how errors in each nancial statement assertion might occur. Once this potential is understood, the auditor will identify potential controls that prevent or detect misstatements in each assertion. Understanding the Factors that Affect the Risk of Material Misstatement Once the auditor understands the types of potential misstatements that may occur, the auditor must assess the risk of material misstatement. When consider-

[ 424 ]

PART 2

AUDIT PLANNING

ing the factors that affect the risk of material misstatement, the auditor usually considers:

The magnitude of the misstatement that might occur. The likelihood of misstatements in the nancial statements.

For example, the magnitude of a revenue recognition problem is usually greater than the magnitude of a misstatement in the amortization of prepaid expenses. In addition, revenue recognition might be a more likely problem for a software company that is selling a group of bundled products and services than for a retailer who delivers goods at the point of sale. Every company might have a risk of a material misstatement if a hacker is able to gain unauthorized access to a companys computer system. The magnitude of potential misstatement might be very signicant. However, the auditor must also assess the likelihood of such an event. If a company has good access controls, strong rewalls, and other controls that might detect attempts at unauthorized access to computer systems, the likelihood of unauthorized access is remote. Designing Further Audit Procedures The auditor uses the knowledge of internal control in three ways. At this stage the auditor has completed the risk assessment procedures outlined in Figure 7-4. First, the auditor needs to consider whether these procedures are adequate to allow the auditor to assess the risk of material misstatement for each signicant nancial statement assertion. If the auditor does not have adequate information, the auditor should perform additional risk assessment procedures. Second, the auditor uses this knowledge to plan tests of controls. The design of tests of controls is discussed extensively in Chapter 11. Finally, the auditor needs to know the system of internal control in order to design substantive tests. Knowledge of the audit trail is essential in understanding the potential for error or fraud and for designing effective substantive tests. Chapter 12 discusses the important audit decisions about the design of substantive audit procedures. Risks for Which Substantive Tests Alone Will Not Reduce Audit Risk to a Sufciently Low Level In some cases, the clients accounting system is sufciently automated that substantive tests alone will not reduce audit risk to a sufciently low level. Many businesses that take orders over the phone do not generate a paper trail for the transactions. For example, many airlines take reservations over the phone (or electronically over the Internet), record the reservation and transaction in electronic form, and then issue an electronic ticket. Some companies have purchase systems that never generate a paper purchase order, but have only an electronic trail of the transaction and provide the vendor with only an electronic purchase order in a business-to-business e-commerce system. In these cases the only way that the auditor can obtain reasonable assurance about the completeness and accuracy of the transactions in the transaction cycle is to test computer general controls, computer application controls, and manual followup procedures. In many charitable organizations, there is no way to ensure the completeness of donations without testing the internal controls over cash receipts. The understanding of the nature of the system of internal controls may dictate a lower assessed level of control risk audit strategy.

CHAPTER 10

UNDERSTANDING INTERNAL CONTROL

[ 425 ]

EFFECTS OF PRELIMINARY AUDIT STRATEGIES In Chapter 9, three alternative preliminary audit strategies for planning the audit of significant financial statement assertions were identified and explained (see Figure 9-8). With a public company a deep understanding of internal control is needed regardless of which strategy is chosen because the auditor must issue an opinion on the effectiveness of the entitys system of internal control. However, private company auditors may plan to obtain a minimal understanding of internal control for assertions where a primarily substantive approach is efficient. Although the level of understanding of internal control sufficient to plan audit tests varies depending on the planned audit strategy, a greater understanding of internal control is needed under the lower assessed level of control risk approach than under a primarily substantive approach. This is particularly true of the control activities component as explained further in the following sections. An important issue in a private company audit is understanding the minimum level of understanding of internal control that the auditor needs when performing primarily substantive approach. An auditor cannot assess control risk at the maximum without support. Following is a brief summary of the minimum knowledge that the auditor needs in order to understand the risk of misstatement and to plan a primarily substantive approach.

Control Environment. Because the control environment has such a pervasive inuence on other aspects of internal control, as well as the risk of misstatement in the nancial statements, the auditor should answer the questions about the control environment outlined in Figure 10-8. In every audit, the auditor needs to understand the control environments collective effect on other aspects of internal control. Risk Assessment. The auditor should understand how management has designed controls to offset business risks, inherent risks, and the risk of fraud. The questions in Figure 10-8 provide a common understanding about risk assessment that the auditor should obtain in any audit. Information and Communication. Regardless of audit strategy, AU 319.36 indicates that the auditor should obtain sufcient knowledge of the information systems relevant to nancial reporting to understand: The classes of transactions in the entitys operations that are signicant to the nancial statements. How those transactions are initiated. The accounting records, supporting documents, and specic accounts in the nancial statements involved in the processing and reporting of transactions. The accounting processing involved from the initiation of a transaction to its inclusion in the nancial statements, including electronic means (such as computer and electronic data interchange) used to transmit, process, maintain, and access information. The nancial reporting process used to prepare the entitys nancial statements, including signicant accounting estimates and disclosures.

The auditor needs to understand the information and communication system in sufcient detail to identify the points at which misstatements may occur in the accounting system and to be able to design effective substantive tests.

[ 426 ]

PART 2

AUDIT PLANNING

Control Activities. Control activities are essential to reducing the opportunity for fraud. At a minimum, auditors should understand how transactions are authorized and the adequacy of segregation of duties. The degree to which auditors understand control activities is related to the extent to which the auditor plans to test those controls and change the nature, timing, or extent of substantive tests. Monitoring. It is important to understand the types of activities used by the entity, top management, accounting management, and internal auditors to monitor the effectiveness of internal control in meeting nancial reporting objectives. Knowledge should also be obtained as to how corrective actions are initiated based on information gleaned from monitoring activities.

GAAS (AU 319.23) suggests several other factors that should be considered in reaching a judgment about the required level of understanding, as follows:

Knowledge of the client from previous audits. Preliminary assessments of materiality and inherent risk (as explained in Chapters 8 and 9). An understanding of the entity and its environment (as explained in Chapter 7). The complexity and sophistication of the entitys operations and systems, including whether the method of controlling information processing is based on manual procedures independent of the computer or is highly dependent on computerized controls.

In addition, when signicant inherent risks are identied, the auditor must understand the design of internal controls relevant to those assertions and whether the controls have been placed in operation. When the auditor plans to audit an assertion following a lower assessed level of control risk approach, the auditor will normally understand the control activities aspect of the system of internal controls in much more depth. Under a lower assessed level of control risk approach, the auditor will usually understand information processing controls (general controls, application controls, and controls over the nancial reporting process), manual followup procedures, and other controls (e.g., performance reviews) that may be relevant to the planned audit strategy. PROCEDURES TO OBTAIN AN UNDERSTANDING In obtaining an understanding of controls that are relevant to audit planning, the auditor should perform procedures to provide sufcient knowledge of the design of the relevant controls pertaining to each of the ve internal control components and whether they have been placed in operation. AU 319.41 suggests that the procedures to obtain an understanding consist of:

Audit Decision 7
What audit proce-

dures are used to obtain an understanding of internal controls?

Reviewing previous experience with the client. Inquiring of appropriate management, supervisory, and staff personnel. Inspecting documents and records. Observing entity activities and operations. Tracing transactions through the information and communication system.

The nature and extent of the procedures performed generally vary from entity to entity and are inuenced by the size and complexity of the entity, the auditors

CHAPTER 10

UNDERSTANDING INTERNAL CONTROL

[ 427 ]

knowledge to plan an audit of internal controls over financial reporting When planning an audit of internal controls over nancial reporting, the auditor needs a comprehensive knowledge of the company. Some of that knowledge pertains directly to the entitys system of internal controls, including:

Knowledge of the companys internal control over nancial reporting obtained in other engagements. The extent of recent changes in internal control over nancial reporting. Managements process for assessing the effectiveness of the companys internal control over nancial reporting based on control criteria. Control deciencies previously communicated to the audit committee or management. The type and extent of available evidence related to the effectiveness of the companys internal control over nancial reporting. Preliminary judgments about the effectiveness of internal control over nancial reporting. The number of signicant business locations or units, including managements documentation and monitoring of controls over such locations or business units.

In addition, the auditor needs knowledge of the company and its environment. This knowledge might include:

Matters affecting the industry in which the company operates, such as nancial reporting practices, economic conditions, laws and regulations, and technological changes. Matters relating to the companys business, including its organization, operating characteristics, capital structure, and distribution methods. The extent of recent changes in the companys operations. Preliminary judgments about materiality, risk, and other factors related to the determination of a material weakness. Legal or regulatory matters of which the company is aware.

Hence, an understanding of the company and its environment that is obtained for an audit of the nancial statements also sets the context for an audit of internal control over nancial reporting.

previous experience with the entity, the nature of the particular control, and the entitys documentation of specic controls. When the auditor has previous experience with the client, the previous years working papers should contain a great deal of information relevant to the current years audit. The previous years conclusions about strengths and weaknesses in internal control can be used as the starting point, with the auditor making inquiries about changes that may have occurred in the current year that would affect the previous conditions. The working papers should also contain information about the types of misstatements found in prior audits and their causes. The working papers might show whether prior misstatements resulted from (1) lack of adequate controls, (2) deliberate circumvention of prescribed controls, (3) unin-

[ 428 ]

PART 2

AUDIT PLANNING

tentional noncompliance with prescribed controls by inexperienced personnel, or (4) differences in professional judgment about accounting estimates. The auditor can follow up on this information to determine whether corrective actions have been taken. Relevant documents and records of the entity should be inspected. Examples include organization charts, policy manuals, the chart of accounts, accounting ledgers, journals, source documents, transaction owcharts, and reports used by management in performance reviews such as comparative reports showing actual and budgeted data and variances. These inspections will inevitably lead to additional inquiries about specic controls and changes in conditions. Observation of the performance of some controls will be needed to determine that they have been placed in operation. To reinforce the understanding of some aspects of the accounting system and certain control activities, some auditors perform a transaction walkthrough review. A transaction walkthrough allows the auditor to observersthand how controls actually work. A transaction walkthrough is a required step in performing an audit of internal controls over nancial reporting. It provides the auditor with evidence to:

Conrm the auditors understanding of the process ow of transactions. Conrm the auditors understanding of the design of controls identied for all ve components of internal control over nancial reporting, including those related to the prevention or detection of fraud. Conrm that the auditors understanding of the process is complete by determining whether all points in the process at which misstatements related to each relevant nancial statement assertion that could occur have been identied. Evaluate the effectiveness of the design of controls. Conrm whether controls have been placed in operation.

Transaction walkthroughs should include effective inquiry to ensure that employees fully understand how to effectively implement the controls that they are responsible for. Some auditing rms also provide special training for staff in interviewing skills used in administering questionnaires. For example, by being alert to nonverbal signals given by interviewees, such as the hesitancy to respond, apparent lack of familiarity with controls, or undue nervousness during interviews, the auditors understanding can be signicantly enhanced.

[LEARNING CHECK
10-17 a. Explain the purpose of understanding internal control in a private entity

audit. b. Explain the purpose of understanding internal control in a public company audit. 10-18 a. Identify two matters that should be covered in obtaining an understanding of internal control. b. Explain three ways in which the auditor uses knowledge of internal control. Provide an example of each. 10-19 a. What effect does the auditors choice of preliminary audit strategy for an assertion have on the level of understanding needed for each element of internal control?

CHAPTER 10

UNDERSTANDING INTERNAL CONTROL

[ 429 ]

b. What other factors affect the auditors judgment about the required level of understanding? 10-20 a. What should the auditor understand about the control environment component of internal control? b. What aspects of the information system relevant to nancial reporting should be included in the auditors understanding? 10-21 a. What procedures can be used in obtaining an understanding of internal control? b. What is a transaction walkthrough review? 10-22 Explain how the understanding of internal control for a public company differs from the understanding of internal control associated with the audit of a private entity in accordance with GAAS.

[KEY TERMS
Obtaining an understanding, p. 422 Procedures to obtain an understanding, p. 426 Transaction walkthrough review, p. 428

Audit Decision 8
What are the

requirements and alternative methods for documenting the understanding of internal control?

DOCUMENTING THE UNDERSTANDING Documenting the understanding of internal control is required in all audits. AU 319.44 states that the form and extent of documentation are inuenced by the size and complexity of the entity, and the nature of the entitys internal control. Documentation in the working papers may take the form of completed questionnaires, owcharts, decision tables (in a computerized accounting system), and narrative memoranda. In an audit of a large entity involving a combination of audit strategies, all four types of documentation may be used for different parts of the understanding. In an audit of a small entity where the primarily substantive approach predominates, a single memorandum may sufce to document the understanding of all the components. The auditor may document the understanding concurrent with obtaining it. Auditors frequently record clients responses to inquiries in questionnaires that become part of the working papers. Auditors can also document the understanding of the entitys accounting system and certain control activities by preparing owcharts or including in the working papers owcharts provided by the clients for the auditors use. In a repeat engagement, it may only be necessary to update questionnaires, owcharts, or narrative memoranda carried forward from the prior years working papers. Documentation need pertain only to portions of internal control that are relevant to the audit. The following discussion explains four forms of documentation commonly used by auditors: questionnaires, owcharts, decision tables, and narrative memoranda. Questionnaires A questionnaire consists of a series of questions about internal control that the auditor considers necessary to prevent material misstatements in the nancial statements. The questions are usually phrased so that either a Yes, No, or N/A (not applicable) answer results, with a Yes answer indicating a favorable condition. Space is also provided for comments such as who performs a control procedure

[ 430 ]

PART 2

AUDIT PLANNING

and how often. There are usually separate questions for each major transaction class (e.g., sales or cash disbursements). The auditors software then analyzes the pattern of responses across related questions and guides the auditor through subsequent steps in assessing control risk and designing substantive tests for specic nancial statement assertions. Excerpts from two questionnaires are illustrated in Figures 10-11 and 10-12. These illustrations pertain to parts of the control environment and the control activities internal control components. In Figure 10-12, it may be observed that the questions relate to several possible categories of control activities. For example, questions 1 and 4 pertain to authorization procedures, 2 and 6 to documents and records, 5, 8, and 9 to independent checks, 3 to physical controls, and 7a and b to segregation of duties. More importantly, the questions may be linked to nancial statement assertions. For example, No answers to the questions listed below could signal the potential for misstatements in the indicated related assertions for cash disbursements: Questions 1,2, 6, or 7a 2, 3, 7b, 8, or 9 5, 8, 9 8, 9 5 Assertions Existence and Occurrence Completeness Valuation and allocation Existence and Occurrence, Cutoff Presentation and Disclosure

Note that some questions pertain to more than one assertion. As a means of documenting the understanding, questionnaires offer a number of advantages. They are usually developed by very experienced professionals and provide excellent guidance to the less experienced staff. They are relatively easy to use, and they signicantly reduce the possibility of overlooking important internal control structure matters. Flowcharts A owchart is a schematic diagram using standardized symbols, interconnecting ow lines, and annotations that portray the steps involved in processing information through the accounting system. Flowcharts vary in the extent of detail shown. A broad overview owchart containing just a few symbols can be prepared for the accounting systems as a whole or for a particular transaction cycle such as a revenue cycle. In addition, very detailed owcharts can be prepared depicting the processing of individual classes of transactions such as sales, cash receipts, purchases, cash disbursements, payroll, and manufacturing. Many of the owcharts shown in this text are designed to work with a narrative description that describes controls in additional detail. These owcharts show:

The ow of transactions from initiating the transaction to their summarization in the general ledger (that support the nancial statements). The key functions included in the owchart. The documentary audit trail. Key reports produced by the accounting system.

CHAPTER 10

UNDERSTANDING INTERNAL CONTROL

[ 431 ]

Figure 10-11 Client

Excerpts from Internal Control Questionnaire Control Environment Amalgamated Products, Inc. R&C Date 9/12/x1 Balance Sheet Date Reviewed by g&j 12/31/x1 Date 9/29/x1

Completed by

Internal Control Questionnaire Component: Control Environment Question Integrity and ethical values: 1. Does management set the tone at the top by demonstrating a commitment to integrity and ethics through both its words and deeds? 2. Have appropriate entity policies regarding acceptable business practices, conicts of interest, and codes of conduct been established and adequately communicated? 3. Have incentives and temptations that might lead to unethical behavior been reduced or eliminated? Board of directors and audit committee: 1. Are there regular meetings of the board and are minutes prepared on a timely basis? 2. Do board members have sufcient knowledge, experience, and time to serve effectively? 3. Is there an audit committee composed of outside directors? Managements philosophy and operating style: 1. Are business risks carefully considered and adequately monitored? 2. Is managements selection of accounting principles and development of accounting estimates consistent with objective and fair reporting? 3. Has management demonstrated a willingness to adjust the nancial statements for material misstatements? Human resource policies and practices: 1. Do existing personnel policies and procedures result in recruiting or developing competent and trustworthy people necessary to support an effective internal control structure? 2. Do personnel understand the duties and procedures applicable to their jobs? 3. Is the turnover of personnel in key positions at an acceptable level? Yes Yes Yes Management is conservative about business risks. Management has readily accepted all proposed adjustments in prior audits. Yes Yes No Board consists of nine inside members, three of whom currently serve on audit committee. Consideration is being given to adding three outside members to board who would comprise the audit committee. Yes Management is conscious of setting an example. Entity does not have a formal code of conduct; expectations of employees included in a policy manual distributed to all employees. Prot sharing plan monitored by audit committee. Yes, No, N/A Comments

Yes Yes

Yes

Yes Yes

Formal job descriptions are provided for all positions. Normal turnover.

[ 432 ]
Client

PART 2

AUDIT PLANNING

Figure 10-12

Excerpts from Internal Control QuestionnaireControl Activities Amalgamated Products, Inc. R&C Date 9/12/x1 Balance Sheet Date Reviewed by g&j 12/31/x1 Date 10/29/x1

Completed by

Internal Control Questionnaire Component: Control Activities Question Cash disbursements transactions: 1. Is there an approved payment voucher with supporting documents for each check prepared? 2. Are prenumbered checks used and accounted for? 3. Are unused checks stored in a secure area? 4. Are only authorized personnel permitted to sign checks? 5. Do check signers verify agreement of details of check and payment voucher before signing? 6. Are vouchers and supporting documents cancelled after payment? 7. Is there segregation of duties for: a. Approving payment vouchers and signing checks? b. Signing checks and recording checks? 8. Is there an independent check of agreement of daily summary of checks issued with entry to cash disbursements? 9. Are there periodic independent reconciliations of checking accounts? Yes, No, N/A Yes Yes Yes Yes Yes Yes Vouchers and all supporting documents are stamped Paid. Safe in treasurers ofce. Only the treasurer and assistant treasurer can sign checks. Comments

Yes Yes No

Comparison currently made by assistant treasurer; will recommend comparison be performed by asst. controller. Performed by assistant controller.

Yes

Computer programs and les where information is stored.

A detailed example of cash receipts is provided in Appendix 10c: Comprehensive Flowcharting Illustration. Once a owchart is obtained from the client or prepared by the auditor, many auditors perform a transaction walkthrough, as previously described, to test its accuracy and completeness. The owchart should then be studied to identify and document strengths and weakness. Internal control strengths provide the potential for the auditor to perform tests of controls and support an audit strategy of a lower assessed level of control risk. Internal control weaknesses create situations where the auditor must determine whether there are mitigating strengths or whether there are signicant risks of misstatement in assertions that must be addressed by a substantive audit strategy. Flowcharts are easy to read and understand. They provide a quick overview of a system for an individual who is not familiar with that system. Today many audit firms develop flowcharts with computer software that allows the auditor to identify internal control strengths and weaknesses on the flowchart, describe the controls in detail, and cross-reference the strengths and weaknesses to subsequent audit tests.

CHAPTER 10

UNDERSTANDING INTERNAL CONTROL

[ 433 ]

Decision Tables A decision table is a matrix used to document the logic of a computer program. Decision tables usually have three key components, (1) conditions related to accounting transactions, (2) actions taken by the computer program, and (3) decision rules that are used to like conditions with subsequent actions. Figure 10-13 provides an example of a decision table. The conditions included in a decision table usually represent conditions related to control procedures that are relevant to the audit. Figure 10-13 provides two examples in the expenditure cycle. First, a computer program might compare the vendor number input to record a liability with vendor numbers that have previously been approved as part of a master vendor le. Second, the expenditure program might compare information from the vendors invoice with information previously entered into the computer regarding goods that were received. Numerous examples of control procedures (conditions) are discussed in Part 4 of the text for the revenue cycle, the expenditure cycle, and the production and payroll cycles. Actions represent the actions taken by the computer program when conditions are encountered. Continuing the example in Figure 10-13, we see that when the rst condition is encountered, the computer program will process the transactions when the expected conditions are met. However, if the vendor number entered in accounts payable does not match a vendor on the approved vendor list, the transaction will not be processed and an exception will appear on the data entry screen. An alternative action is described in the second example. In this case, if the information on the vendors invoice does not match the receiving information, the transaction is put in a suspense le and an exception report is printed for further investigation. The combination of conditions and actions describe the programs decision rules. For example, if the conditions of the control procedures described in Figure 10-13 are met, the transaction is processed. Understanding the decision rules is critical to designing tests of controls. For example, the auditor might choose to submit test data to test each decision rule of audit interest. The decision rules in the decision table clearly describe the types of test data that would need to be designed and submitted to perform a test of controls.

Figure 10-13

Example Decision Table Documentation Decision Rules 1 2 3

Conditions Does the vendor number match with the authorized vendor le? Does receiving information match with information on the vendors invoice? Actions Process transaction. Show exception on data entry screen and ask operator to reenter data. Move transaction to suspense le and print exception on exception report for further investigation.

Y Y

N N

X X X

[ 434 ]

PART 2

AUDIT PLANNING

Decision tables are particularly useful when understanding programmed application controls. The advantages of decision tables are that they are compact and easily understood, they provide a systematic approach for analyzing program logic, and it is easy to design tests of controls using decision tables. Narrative Memoranda A narrative memorandum consists of written comments concerning the auditors consideration of internal controls. A memorandum may be used to supplement owcharts or other forms of documentation by summarizing the auditors overall understanding of internal control, individual components of internal control, or specic policies or procedures. In audits of small entities, a narrative memorandum may serve as the only documentation of the auditors understanding. Figure 10-14 illustrates this type of documentation for a small owner-managed company. Narrative memoranda are cost-effective, easy to create, and descriptive of the internal controls used by an entity.

Figure 10-14

Narrative Memorandum Documenting Understanding of Control Environment


BALANCE SHEET DATE 12/31 Reviewed by: jp Date: 11/02/X5 Reviewed by: jp Date: 10/29/X6

CLIENT Quinco, Inc. Completed by: m/w Updated by: m/w

Date: 9/30/X5 Date: 9/15/X6

Understanding of the Control Environment The Company manufactures plastic shing worms at one location and is managed by its sole owner, Ed Jones. Management of the company is dominated by Jones, who is responsible for marketing, purchasing, hiring, and approving major transactions. He has an understanding of the business and the industry in which it operates. Jones believes that hiring experienced personnel is particularly important because there are no layers of supervisory personnel and thus, because of limited segregation of duties, few independent checks of employees work. Jones has a moderate-to-conservative attitude toward business risks. The business has demonstrated consistent protability and, because Jones considers lower taxes to be as important as nancial results, he has a conservative attitude toward accounting estimates. Jones and Pat Willis, the bookkeeper, readily consult with our rm on routine accounting questions, including the preparation of accounting estimates (tax accrual, inventory obsolescence, or bad debts). Our rm also assists in assembling the nancial statements. The Companys board of directors is composed of family members. The board is not expected to monitor the business or the owner-managers activities. Most of the signicant accounting functions are performed by Willis, the bookkeeper, and Joness secretary, Chris Ross. Willis was hired by the company in 19X0, has a working knowledge of accounting fundamentals, and we have no reason to question her competence. Willis regularly consults with our rm on unusual transactions, and past history indicates that it is rare for adjustments to arise from errors in the processing of routine transactions. Jones made the decision to purchase a microcomputer and a turnkey accounting software package. The source code is not available for this software. Access to the computer and computer les is limited to Willis, Ross, and Jones, who effectively have access to all computer les. The owner-manager carefully reviews computer generated nancial reports, such as reports on receivable aging, and compares revenues and expenses with prior years performance. He also monitors the terms of the long-term debt agreement that requires certain ratios and compensating balances.
Source: AICPA Audit Guide, Consideration of the Internal Control Structure in a Financial Statement Audit (1990), p. 117118.

CHAPTER 10

UNDERSTANDING INTERNAL CONTROL

[ 435 ]

managements documentation of internal control over financial reporting Management of a public company is responsible for documenting internal controls over nancial reporting. That documentation should include:

The design of controls over all relevant assertions related to all signicant accounts and disclosures in the nancial statements. The documentation should include the ve components of internal control over nancial reporting and company-level controls such as: Controls within the control environment. Managements risk assessment process. Centralized process and controls, including shared service environments. Controls to monitor the results of operations. Controls to monitor other controls, including activities of the internal audit function, the audit committee, and self-assessment programs. The period-end nancial reporting process. Board-approved policies that address signicant business control and risk management practices. Information about how signicant transactions are initiated, authorized, recorded, processed, and reported. Sufcient information about the ow of transactions to identify the point at which material misstatements due to error or fraud could occur. Controls designed to prevent or detect fraud, including who performs controls and the related segregation of duties. Controls over the period-end nancial reporting process. Controls over safeguarding of assets. The results of managements testing and evaluation.

Inadequate documentation could cause the independent auditor to conclude that there is a limitation on the scope of the engagement.

[LEARNING CHECK
10-23 a. What methods can be used to document the auditors understanding of

internal control? b. Can documentation occur concurrently with obtaining an understanding? Explain. 10-24 a. What is the general nature of the questions included in internal control questionnaires? b. Identify several advantages of using questionnaires to document the auditors understanding of internal control. 10-25 a. How may narrative memoranda supplement other forms of documentation? b. Would a narrative memorandum ever be appropriate as the sole documentation of the auditors understanding of internal control? Explain.

[ 436 ]

PART 2

AUDIT PLANNING

10-26 a. What is a owchart?

b. What essential components of a system should be displayed in a owchart? 10-27 a. What is managements responsibility to document the system of internal control in a public company where the auditor is engaged to give an opinion on the system of internal control? b. How should the auditor respond in an engagement to audit the system of internal control if managements documentation is deemed inadequate?

[KEY TERMS
Decision table, p. 433 Documenting the understanding, p. 429 Flowchart, p. 430 Narrative memorandum, p. 434 Questionnaire, p. 429

[FOCUS ON AUDITOR KNOWLEDGE AND AUDIT DECISIONS]


This chapter focuses on understanding the clients system of internal control. In making decisions to support high-quality audit work, the auditor must be able to use the knowledge summarized in Figure 10-15 and address the decisions summarized in Figure 10-16. Page references are provided indicating where these issues are discussed in more detail.
Figure 10-15

Summary of Auditor Knowledge Discussed in Chapter 10 Summary Internal control is a process, effected by an entitys board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories: (1) reliability of nancial reporting, (2) compliance with applicable laws and regulations, and (3) effectiveness and efciency of operations. The auditor is primarily concerned with internal controls over nancial reporting. The ve interrelated components of internal control are (a) the control environment, (b) risk assessment, (c) information and communication, (d) control activities, and (e) monitoring. Inherent limitations of any system of internal control include mistakes in judgment, breakdowns, collusion, management override, and cost versus benets (although this last limitation may not be relevant for public companies). This section also discusses the responsibilities of management, the board of directors and audit committee, internal auditors, other entity personnel, and independent auditors. Chapter References pp. 392393

Auditor Knowledge K1. Know the denitions of internal control and the ve interrelated components of internal control.

K2. Know the inherent limitations of internal control and explain the roles and responsibilities of various parties for an entitys internal controls.

pp. 393395

(continues)

CHAPTER 10

UNDERSTANDING INTERNAL CONTROL

[ 437 ]

Figure 10-15

(Continued) Summary In a nancial statement audit, the auditor needs sufcient knowledge of internal control to (1) identify the types of potential misstatements that may occur, (2) understand the factors that affect the risk of material misstatement, and (3) design the nature, timing, and extent of further audit procedures. When the auditor is engaged to express an opinion on internal controls over nancial reporting, the auditor must obtain sufcient knowledge to plan and perform an audit to obtain reasonable assurance that deciencies which, individually or in aggregate, would represent a material weakness in internal control, are identied. Chapter References pp. 422428

Auditor Knowledge K3. Know the purpose of understanding internal control needed to plan an audit and how that understanding is used.

Figure 10-16

Summary of Audit Decisions Discussed in Chapter 10 Factors that Inuence the Audit Decision The control environment is a critical aspect of internal control because of its pervasive effect on other components of internal control. Key components of the control environment include integrity and ethical values, commitment to competence, board of directors and audit committee, managements philosophy and operating style, organizational structure, assignment of authority and responsibility, and human resource policies and practices. Important IT aspects of the control environment are summarized in Figure 10-9. The risk assessment process is one in which management assesses the risk of misstatement in specic nancial statement assertions related to the activities of recording, processing, summarizing, and reporting nancial data. Management uses this risk assessment to guide the design of specic control activities. Important IT aspects of the risk assessment process are summarized in Figure 10-9. The information and communication system relevant to nancial reporting objectives, which includes the accounting system, consists of the methods and records established to identify, assemble, analyze, classify, record and report entity transactions (as well as events and conditions) and to maintain accountability for the related assets and liabilities. Communication involves providing a clear understanding of individual roles and responsibilities pertaining to internal control over nancial reporting. Important IT aspects of information and communication processes are summarized in Figure 10-9. Chapter References pp. 397402

Audit Decision D1. What are the key components of a strong control environment, including relevant IT aspects?

D2: What are the key components of strong risk assessment activities, including relevant IT aspects?

pp. 402403

D3. What are the key components of an effective information and communication system, including relevant IT aspects?

pp. 404405

(continues)

[ 438 ]

PART 2

AUDIT PLANNING

Figure 10-16

(Continued) Factors that Inuence the Audit Decision Important aspects of control activities include controls over authorization of transactions, segregation of duties, information processing controls including general and application controls, physical controls, performance reviews, controls over management discretion in nancial reporting, and antifraud programs and controls. Important IT aspects of control activities are summarized in Figure 10-9. Monitoring is a process that assesses the quality of internal control performance over time. It involves assessing the design and operation of controls on a timely basis and taking necessary corrective actions. Important IT aspects of monitoring activities are summarized in Figure 10-9. Effective antifraud programs and controls inuence every aspect of the system of internal control through monitoring. Figure 10-9 provides an overview of the elements of an effective system of antifraud programs and controls. An auditor normally uses the following procedures to obtain an understanding of the entitys system of internal control: reviewing previous experience with the client, inquiring of appropriate management, supervisory, and staff personnel, inspecting documents and records, observing entity activities and operations, and tracing transactions through the information and communication system. Auditors are required to document their understanding of the clients system of internal control in every audit. That documentation is exible and may include the use of questionnaires, owcharts, decision tables, and narrative memoranda. The text provides numerous examples of four forms of documentation. Chapter References pp. 405413

Audit Decision D4. What are the key components of strong control activities, including relevant IT aspects?

D5: What are the key components of strong monitoring activities, including relevant IT aspects? D6. What are the key components of a strong antifraud program and controls? D7. What audit procedures are used to obtain an understanding of internal controls?

pp. 413414

pp. 414415

pp. 426428

D8. What are the requirements and alternative methods for documenting the understanding of internal control?

pp. 429435

appendix 10a INFORMATION TECHNOLOGY AND INTERNAL CONTROL Information technology (IT) was one of the most important developments of the second half of the twentieth century. Computer installations now range in size from microcomputers to minicomputers to large mainframe computers linked together in complex international communication networks. A company may elect to lease or own its computer system or to use outside, independent computer service organizations to process accounting data. Nearly all companies now use computers to some extent in their accounting systems. Regardless of the extent of computerization or the methods of data processing used, management is responsible for establishing and maintaining an appropriate

CHAPTER 10

UNDERSTANDING INTERNAL CONTROL

[ 439 ]

system of internal control. Similarly, the auditor has the responsibility to obtain an understanding of internal control sufcient to plan the audit. This appendix provides an introductory overview of some important IT concepts that are useful in understanding an entitys system of internal control. Important IT Components The auditor should be familiar with the following components of an IT system:

Hardware Software Data organization and processing methods

Computer Hardware

Hardware is the physical equipment associated with the system. The basic hardware conguration consists of the central processing unit (CPU) and peripheral input and output devices. Figure 10-17 illustrates common types of computer hardware. The principal hardware component is the CPU, and it is composed of a
Figure 10-17

Computer Hardware
Output Devices Display terminal

Input Devices Display terminal

Keyboard/printer terminal Central Processing Unit Arithmetic logic unit Control unit Magnetic tape drive Internal storage unit

Keyboard/printer terminal

Optical and magnetic ink character recognition devices

Printer

Magnetic tape drive

Magnetic disk drive

Magnetic disk drive

[ 440 ]

PART 2

AUDIT PLANNING

control unit, an internal storage unit, and an arithmetic-logic unit. The control unit directs and coordinates the entire system, including the entry and removal of information from storage, and the routing of the data between storage and the arithmetic-logic unit. The internal storage unit, or computer memory unit, is so named because it is capable of performing mathematical computations and certain logical operations. Peripheral to the CPU are input devices, output devices, and auxiliary storage devices. Peripheral equipment in direct communication with the CPU is considered to be on-line.
Computer Software

This component consists of the programs and routines that facilitate the programming and operation of the computer. There are several kinds of computer software. Of particular interest to auditors are the systems programs and applications programs. Systems programs, sometimes called supervisory programs, perform general functions required for the operation of the computer as it executes specic tasks. Systems programs include the following:

Operating systems direct the operation of the computer, including input and output devices, main storage, execution of programs, and management of les. Utility programs perform common data processing tasks, such as copying, reorganizing data in a le, sorting, merging, and printing. Other kinds of utility programs may be used to gather information about the use of the hardware and software, aid in the detection of unauthorized use or changes to programs and data, provide documentation of program logic, and facilitate testing of new systems. Compilers and assemblers translate specic programming languages into instructions in a language that can be understood by the computer. Each computer has a specic machine language determined by the engineers who designed it. Companies employing a computerized database utilize database management systems. These programs control the data records and les independently of the applications programs that allow changes in or use of the data. Security programs restrict and monitor access to programs and data. Security programs can restrict access to programs or data, allow read only access, or read and write access. Furthermore, security programs monitor and report unauthorized attempts to access programs or data.

Systems programs generally are purchased from hardware suppliers and software companies. They are then adapted, as necessary, by each user to suit individual needs. Applications programs contain instructions that enable the computer to perform specic data processing tasks for the user. These tasks include nancial accounting, budgeting, engineering design, and quality control. Within nancial accounting, specic applications include general ledger accounting; sales order, shipping, billing, and accounts receivable; purchasing, receiving, vouchers payable, and cash disbursements; inventory; and payroll. In some cases, the programs operate as standalone applications. Increasingly, in modern systems, they are designed to operate as parts of integrated systems. Applications programs may be developed by the user or purchased from software vendors.

CHAPTER 10

UNDERSTANDING INTERNAL CONTROL

[ 441 ]

Data Organization and Processing Methods

The accounting function often involves recording, updating, retrieving, and reporting on large volumes of transaction data and related information. To understand how all this information is handled in an IT environment, the auditor must be familiar with the principal methods of data organization and data processing as explained in the following sections.
Data Organization Methods

The term data organization methods refers to the ways data are organized within a computer le. The two principal methods of data organization are the database method and the traditional le method. The database method of data organization is the principal method used in many accounting applications. The method is based on the creation and maintenance of a single common direct access le for all applications using common data. Thus, each data element is stored only once but is accessible by all authorized application programs. In the case of the payroll and personnel applications mentioned earlier, the employee name, Social Security number, address, and pay rate data would be included in the le just once but would be usable in both application programs. Sophisticated database management systems software is designed to provide control over which users and applications can access and change specic data elements. Once used only in very large systems, the database method has gained popularity in medium and smaller systems as well. Audit approaches to IT systems that utilize the database method are complex and specialized knowledge and the use of sophisticated software are often required. It is common for a computer specialist to be a member of the audit team in many audits today. The traditional le method of data organization may be used in a few accounting applications. Under this method the following two types of les are maintained: (1) master les that contain up-to-date information about a given class of data such as the current balances of customers accounts or the current quantities of inventory items and (2) transaction les that contain the details of individual transactions of the same class such as a days credit sales or a days cash disbursements. These files are usually organized for direct access processing. In direct access files, neither the master nor related transaction file data need to be maintained in any particular order. Thus, the transaction file need not be sorted prior to processing. Under the traditional file method, separate master and transaction files are maintained for each application such as accounts receivable, inventory, payroll, and sales. Typically, the data in these files are accessible only by the single application program for which the files were created. Because of this, redundancy of data across files is common. For instance, a payroll file generally includes the following data elements among others: employee name, Social Security number, address, and pay rate. These same data elements are likely to be repeated in a separate personnel file. The creation and maintenance of the same data elements in several files is costly. The single program access and redundancy drawbacks of the traditional file method have made the database method more popular.

[ 442 ]

PART 2

AUDIT PLANNING

Data Processing Methods

The term data processing methods refers to the ways data are entered into and processed by the computer. The following sections explain the two widely used methods: (1) on-line entry/batch processing and (2) on-line entry/on-line processing. Under the on-line entry/batch processing method of processing, individual transactions are entered directly into the computer via a terminal as they occur. A machine-readable validated transaction le is accumulated as the transactions are entered. This le is subsequently processed to update the master le. An advantage of this method is that the data are subjected to certain edit or validation checks by the computer program at the time of entry and error messages are communicated immediately to the terminal operator. For example, the programmed edit routine may detect missing, incomplete, or invalid data such as a nonexistent customer number. This permits immediate detection and correction of most data entry errors. The method also retains the control advantage of batch entry/batch processingnamely, batch control totals and batch reference numbers. On-line entry/batch processing may be used either with reference access to the related master le or with no access. In reference access, the le may be read but not updated from the terminal. Reference access is necessary in cash receipts processing in which payments received from customers must be matched with open invoices in the customers le. In contrast with no access, the related master le cannot be read when the transaction data are entered. Figure 10-18 illustrates on-

Figure 10-18

On-Line Entry/Batch Processing

Master file

Terminal Entry of data Receive error/ validation messages

Validate and store transaction

Validated transaction file/ database

Periodic processing

Immediate validation with access to master file

Terminal Entry of data Receive error/ validation messages

Validate and store transaction

Validated transaction file/ database

Periodic processing

Master file

Immediate validation without access to master file

CHAPTER 10

UNDERSTANDING INTERNAL CONTROL

[ 443 ]

line entry/batch processing both with and without access. On-line entry/batch processing may also be used with a database system of le organization. The on-line entry/on-line processing method differs from on-line entry/batch processing in the following two respects: (1) master files are updated concurrently with data entry and (2) a transaction log is produced that consists of a chronological record of all transactions. To provide a transaction trail, each transaction is assigned a unique identifying number by the computer program. On-line entry/on-line processing is used in airline and hotel reservations systems. A common accounting application is found in many retail stores where electronic cash registers immediately update inventory records when the sale is rung up. The major disadvantages of this type of processing are the risk of errors in the master file from concurrent updating and the possible loss of part or all of the master files in case of hardware failure. To minimize these risks, some companies use memo updating of the master file at the time of data entry. This involves the use of a copy of the master file. The transaction log is then used to update the actual master file periodically. Figure 10-19 illustrates both immediate processing and memo updating of the master file under on-line processing. Benets and Risks of IT Systems In order to understand internal control in a computer environment, it is important to understand the benets and risks of IT systems. The major benets of IT systems over manual systems include the following:

IT systems can provide greater consistency in processing than manual systems because they uniformly subject all transactions to the same controls. More timely computer-generated accounting reports may provide management with more effective means of analyzing, supervising, and reviewing the operations of the company. IT systems enhance the ability to monitor the entitys performance and activities. Important risks of IT systems over manual systems include the following:

The IT system may produce a transaction trail that is available for audit for only a short period of time. There is often less documentary evidence of the performance of control procedures in computer systems. Files and records in IT systems are usually in machine-sensible form and cannot be read without a computer. The decrease of human involvement in computer processing can obscure errors that might be observed in manual systems. IT systems may be more vulnerable to physical disaster, unauthorized manipulation, and mechanical malfunction than information in manual systems. Various functions may be concentrated in IT systems, with a corresponding reduction in the traditional segregation of duties followed in manual systems. Changes in the system are often more difcult to implement and control in IT systems than in manual systems. IT systems are vulnerable to unauthorized changes in programs, systems, or data in master les.

[ 444 ]

PART 2

AUDIT PLANNING

Figure 10-19

On-Line Entry/On-Line Processing

Master files/ database

Terminal Entry of data Receive error/ validation messages Receive transaction results

Immediate validate, update, process

Transaction log

Immediate processing of all transactions

Memo file

Copied beginning of period

Master file

Terminal Entry of data Receive error/ validation messages Receive transaction results

Immediate validate, update, process

Transaction log

Periodic update

Memo updating

Unauthorized access to data may result in the destruction of data or improper changes to data, including the recording of unauthorized or nonexistent transactions, or inaccurate recording of transactions. Reliance is placed on systems that process inaccurate data, process data inaccurately, or both. There may be inappropriate manual intervention.

Many of these risks are controlled by layering control procedures, such that one set of controls is designed to control the processing of transactions, whereas another set of controls is designed to control the systems and programs that con-

CHAPTER 10

UNDERSTANDING INTERNAL CONTROL

[ 445 ]

Figure 10-20

On-Line Entry/On-Line Processing

Input

Computer general control procedures

Computer processing and programmed application control procedures

Exception reports

Output of processed transactions and reports

Manual follow-up

User controls over assertions

trol and process transactions. Figure 10-20 provides an important overview of control procedures in a computer environment. This figure describes how important controls function in IT systems, regardless of the methods of input, data organization, data processing, or output devices. The following paragraphs describe the control procedures depicted in Figure 10-20. For purposes of illustration, consider the processing of a sales order. When a sales order is input, the computer program accepts the data and submits it to various edit checks and controls, such as the validity of the item number or customer number or whether the customers credit limit has been reached. The controls are called computer application controls, which are designed to provide reasonable assurance that IT records, processes, and reports data properly for specific applications. Different applications controls will be custom made for applications such as sales, cash receipts, purchases, inventory control, or payroll. The results of computer processing and application controls are usually twofold. First, the computer will output transactions and reports. In some systems, the processed transactions or reports will be subject to manual controls such as supervisory review. Second, the system generates exception reports. Some exception reports may appear on a screen, such as an edit check of the validity of a customer number. Some exception reports may result in printed reports, such as all transactions in a batch where customers exceeded their credit limit. In either case, people must follow up on the exceptions noted by the computer. The effectiveness of the control depends on the effectiveness of both the programmed application control and the manual followup.

[ 446 ]

PART 2

AUDIT PLANNING

Finally, an important set of controls is called general controls. Computer general controls control program development, program changes, computer operations, and access to programs and data. They represent a higher level of controls designed to provide reasonable assurance that individual computer applications operate consistently and effectively. Computer general controls are explained in depth in Appendix 10B. Since several levels of control are important to IT systems, this also allows for a variety of audit strategies when testing computer controls, which will be discussed in Chapter 11. Understanding this overview will make it easier to understand the computer aspects of each of the ve components of internal control identied in the COSO report and AU 319, Consideration of Internal Control in a Financial Statement Audit.

[LEARNING CHECK
10A-1 a. What is the principal hardware component in an IT system?

10A-2 10A-3

10A-4 10A-5

10A-6

10A-7

b. What hardware components are peripheral to the principal hardware component? a. Explain the nature and functions of computer software. b. Distinguish between systems programs and applications programs. a. Distinguish between the traditional le and database methods of organizing data. b. Distinguish between sequential methods of data processing and direct access processing. For each of the two methods of data processing, indicate (a) their essential characteristics and (b) an advantage and a disadvantage. a. Describe several advantages of computer processing of accounting information over manual systems. b. Describe the risks of computer processing of accounting information over manual systems. a. Develop a diagram that depicts the importance of internal control functions in computer systems, regardless of the methods of data input, data organization, or data processing. b. In the context of the processing of a payroll transaction, describe each stage depicted in your diagram. a. Dene computer applications controls and explain their purpose. b. Dene computer general controls and explain their purpose.

[KEY TERMS
Applications programs, p. 440 Data organization methods, p. 441 Data processing methods, p. 442 Database method, p. 441 On-line entry/batch processing, p. 442 On-line entry/on-line processing, p. 442 Systems programs, p. 440 Traditional le method, p. 441

CHAPTER 10

UNDERSTANDING INTERNAL CONTROL

[ 447 ]

appendix 10b COMPUTER GENERAL CONTROLS The purpose of general controls is to control program development, program changes, computer operations, and to secure access to programs and data. The following ve types of general controls are widely recognized:

Organization and operation controls Systems development and documentation controls Hardware and system software controls Access controls Data and procedural controls

Computer general controls pertain to the IT environment and all IT activities as opposed to a single IT application. Thus, these controls are pervasive in their effect. If the auditor is able to obtain evidence that general controls function effectively, then the auditor also has assurance that individual applications may be properly designed and operate effectively. Alternatively, deciencies in general controls may affect many applications and may prevent the auditor from assessing control risk below the maximum for many applications and transaction cycles. Each aspect of computer general controls is explained below. Organization and Operation Controls Organization and operation controls relate to the management philosophy and operating style and organizational structure control environment factors. In addition, these general controls pertain to the segregation of duties within the IT department and between IT and user departments. Weakness in these controls usually affects all IT applications. The organizational structure shown in Figure 10-21 illustrates an arrangement that provides for clear-cut lines of authority and responsibility within the IT department.

Figure 10-21

IT Functions Requiring Segregation of Duties IT Manager

Systems Development

Operations

Data Control

Information Security

Systems Analysis

Programmers

Computer Operators

Librarians

Network Administrators

Data Control Group

Database Administrator

Hadel Studio

(516) 333

2580

[ 448 ]

PART 2

AUDIT PLANNING

The primary responsibilities for each position are as follows:


POSITION PRIMARY RESPONSIBILITIES

IT Manager Systems Development Systems Analysts

Exercises overall controls, develops short- and long-range plans, and approves systems. Evaluates existing systems, designs new systems, outlines the systems, and prepares specications for programmers. Flowcharts logic of computer programs, develops and documents programs, and debugs programs. Operates the computer hardware and executes the program according to operating instructions. Maintains custody of systems documentation, programs, and les. Plans and maintains networks linking programs and data les. Acts as liaison with user departments and monitors input, processing, and output. Designs content and organization of the database and controls access to and use of the database. Manages security of IT systems, including hardware and security software, monitors access to programs and data, and follows up on security breaches.

Programmer IT Operations Computer Operator Librarian Network Administrator Data Control Data Control Group Database Administrator Information Security Security Administrator

The fundamental duties that should always be segregated are systems development, operations, data control, and information security. In small organizations, the positions of systems analysts and programmers may be combined. However, the combining of systems development and operations duties results in incompatible duties. This would give an individual access to both programs and data and opens the opportunity to both commit and conceal errors. A number of computer frauds have resulted when these duties were combined. The IT department should be organizationally independent of user departments. Thus, the IT manager should report to an executive, such as the CFO or CEO, who is not regularly involved in authorizing transactions for computer processing. In addition, IT personnel should not correct errors unless they originate within IT. For example, the sales department, not IT, should correct sales orders with an invalid code number. When the organizational plan does not provide for appropriate segregation of duties, the auditor may have serious doubts about the reliability of the results produced by the system. Systems Development and Documentation Controls Systems development and documentation controls are an integral part of the information and communication component of internal control. Systems develop-

CHAPTER 10

UNDERSTANDING INTERNAL CONTROL

[ 449 ]

ment controls relate to (1) review, testing, and approval of new systems, (2) control of program changes, and (3) documentation procedures. The following procedures are helpful in providing the necessary controls:

Systems design should include representatives of user departments and, as appropriate, the accounting department and internal auditors. Each system should have written specications that are reviewed and approved by management and the user department. Systems testing should be a cooperative effort of users and IT personnel. The IT manager, the database administrator, user personnel, and the appropriate level of management should give nal approval to a new system before it is placed in normal operation. Program changes should be approved before implementation to determine whether they have been authorized, tested, and documented.

Documentation controls pertain to the documents and records maintained by a company to describe computer processing activities. Documentation allows management to (1) review the system, (2) train new personnel, and (3) maintain and revise existing systems and programs. Documentation provides the auditor with the primary source of information about the ow of transactions through the system and related accounting controls. Documentation includes:

Descriptions and owcharts of the systems and programs Operating instructions for computer operators Control procedures to be followed by operators and users Descriptions and samples of required inputs and outputs

In database management systems, an important documentation control is the data dictionary/directory. The directory is software that keeps track of the denitions and locations of data elements in the database. Hardware and Systems Software Controls Hardware and systems software controls are an important factor that contributes to the high degree of reliability of todays information technology. Hardware and software controls are designed to detect any malfunctioning of the equipment. This category of controls includes the following:

Dual read. Input data are read twice, and the two readings are compared. Parity check. Data are processed by the computer in arrays of bits (binary digits of 0 or 1). In addition to bits necessary to represent the numeric or alphabetic characters, a parity bit is added, when necessary, to make the sum of all the 1 bits even or odd. As data are entered and ultimately transferred within the computer, the parity check is applied by the computer to assure that bits are not lost during the process. Echo check. The echo check involves transmitting data received by an output device back to the source unit for comparison with the original data. Read after write. The computer reads back the data after they have been recorded, either in storage or in the output device, and veries the data by comparison with their original source.

To achieve maximum benet from these controls, (1) there should be a program of preventive maintenance on all hardware, and (2) controls over changes to systems

[ 450 ]

PART 2

AUDIT PLANNING

software should parallel the systems development and documentation controls described above. Access Controls Access controls should prevent unauthorized use of IT equipment, data les, and computer programs. The specic controls include physical, software, and procedural safeguards. Access to computer hardware should be limited to authorized individuals, such as computer operators. Physical safeguards include the housing of equipment in an area that is separate from user departments. Security guards, door locks, or special keys should restrict access to the computer areas. Access to data les and programs should be designed to prevent unauthorized use of both data and programs. Physical controls exist in the form of a library and a librarian. Access to program documentation and data les should be limited to individuals authorized to process, maintain, or modify particular systems. Ordinarily, the librarian keeps a log of the use of les and programs. Alternatively, under the database method of ling, the data dictionary software provides an automated log of access to programs and data elements. In systems with on-line entry of data, many users have direct access to the CPU through remote input devices. Access often extends beyond company employees to outside agents and even to customers who have special keys, such as magnetic cards issued by banks, which activate the computer. To provide the necessary control, each user of a remote input device is given a key, code, or card that identifies the holder as an authorized user. Other access controls are (1) computer callback procedures when the telephone is used to dial the computer and (2) passwords that are checked by the computer before a person can enter a transaction. Procedural and software safeguards should involve management review of computer utilization reports. Security software that limits access to programs and data les, and keeps a log of programs and les that have been accessed, should be reviewed by IT security administration. IT security administrators both manage security software and follow up on security violations. Data and Procedural Controls Data and procedural controls provide a framework for controlling daily computer operations, minimizing the likelihood of processing errors, and assuring the continuity of operations in the event of a physical disaster or computer failure. The rst two objectives are achieved through a control function performed by individuals or departments that are organizationally independent of computer operations. The data control group within IT usually assumes this responsibility. The control function involves:

Accounting for all input data Following up on processing errors Verifying the proper distribution of output

CHAPTER 10

UNDERSTANDING INTERNAL CONTROL

[ 451 ]

The ability to maintain the continuity of computer operations involves (1) the use of off-premise storage for important les, programs, and documentation; (2) physical protection against environmental hazards; (3) formal record retention and recovery plans for data; and (4) arrangements for the use of backup facilities at another location. The ability to reconstruct data files is equally important. When sequential processing is used, a common method of record reconstruction is the grandfather-father-son concept illustrated in the top panel of Figure 10-22 Under this concept the new updated master file is the son. The master file utilized in the updating run that produced the son is the father, and the previous master file is the grandfather. To update those earlier master files, records of the transactions for the current and prior periods must be retained. In the event that the current computer master file is destroyed, the system then has the capability to replace it. Ideally, the three generations of master files and the transaction files should be stored in separate locations to minimize the risk of losing all the files at one time. When direct access processing is used, the master file and transaction logs should be dumped, or copied, periodically to a movable disk. In the event the on-line files are destroyed or damaged, these disks may be used with a special recovery program to reconstruct the master file as illustrated in the lower panel of Figure 10-22.

[LEARNING CHECK
10B-1 a. Information and processing controls is one category of control activi-

ties. What risks do these controls address? b. Name two subcategories of information and processing controls in a computerized system. c. Identify ve types of general controls and state their common attribute. 10B-2 a. What are documentation controls in an IT department? b. Why is documentation important to management and the auditor? c. What items should be included in IT documentation? 10B-3 a. Explain the purposes and nature of access controls. b. Enumerate the access controls that may be used in an on-line entry system. 10B-4 a. Indicate the scope of data and procedural controls. b. Describe the activities of a data control group.

[KEY TERMS
Access controls, p. 450 Data and procedural controls, p. 450 General controls, p. 447 Grandfather-father-son concept, p. 451 Hardware and systems software controls, p. 449 Organization and operation controls, p. 447 Systems development and documentation controls, p. 448

[ 452 ]

PART 2

AUDIT PLANNING

Figure 10-22

Reconstruction of Data Files Grandfather-Father-Son Backup and recovery for tape files Transaction file

This processing period

Father Old master file File updating run

Son New master file Save for current use

Save

Save Grandfather master file Release when new grandfather prepared if not required for other purposes Backup and recovery for on-line disk files Input from terminal

Saved from prior processing period

Transactions

On-line processing

Continuous on-line updating of master file

Log of all transactions

Periodic backup

Master file

Backup processingcopy master file

Backup copy of master file

Recovery

Recovery program

Restored master file

Hadel Studio

(516) 333

2580

CHAPTER 10

UNDERSTANDING INTERNAL CONTROL

[ 453 ]

appendix 10c COMPREHENSIVE FLOWCHARTING ILLUSTRATION Flowcharting is a creative task, making it unlikely that any two people would draw owcharts exactly alike for any given system. The more commonly used owcharting symbols are shown in Figure 10-23. Some rms supplement these basic symbols with more extensive sets of special-purpose symbols.

Figure 10-23

Flowcharting Symbols

INPUT/OUTPUT Adding machine tape Floppy disk

Document

Punched card

Input/output (basic symbol may be used in place of specific symbols)

Manual input (online keyboard)

Magnetic tape

On-line storage

N D A

File or off-line storage N = Numerical D = Date A = Alphabetic

Magnetic disk

Display terminal

PROCESSING Manual operation On-line computer process Off-line auxiliary operation Keying (punching, verifying, typing)

OTHER SYMBOLS On-page connector Exit to or entry from another part of chart Off-page connector Entry to or exit from a page Comment, annotation

Communication link Terminal (start, stop, delay) Flow line

[ 454 ]

PART 2

AUDIT PLANNING

Most auditors prepare owcharts for each material class of transactions. Flowcharts generally include:

The ow of transactions from initiating the transaction to their summarization in the general ledger (that supports the nancial statements). The key functions included in the owchart. The documentary audit trail. Key reports produced by the accounting system. Computer programs and les where information is stored.

This information is important, for it assists the auditor in identifying where new information is added or where information changes form (from documents to electronic form and back to documents) from initiating the transaction to the general ledger. This is where the risk of misstatement is the highest. The owchart does not document every copy of every document that the client might use, but it does show the critical path from initiating the transaction to the general ledger. The owchart is designed as an overview of the transaction ow and is supplemented by the following narrative discussion obtained through inquiries of the client personnel, observations, and review of documents. A owchart is a means to an end, not an end in itself. Besides enabling the auditor to follow the transaction from initiating the transaction to the general ledger, it should also allow the auditor to see the relationships that exist between controls and to facilitate the identication of key controls related to specic nancial statement assertions. Because many important controls are programmed controls, an accompanying narrative is often necessary to describe the role information technology plays in detecting potential misstatements and reporting exceptions for followup. The combined owchart and narrative are useful in identifying the following:

Documents and records The use of remittance advices returned by customers with payments. Preparation of prelist of cash receipts for use in subsequent control. Retention of validated deposit slips for use in subsequent control. Computer les where information is stored. The generation of exception reports, the cash receipts journal, the aged trial balance, and report of cash transactions and balances. Segregation of handling cash (mailroom and cashier) from recorded accountability (accounts receivable), from following up on exception reports (ofce of CFO). Independent checks Computer compares deposit information with independent information from prelist. Run-to-run comparisons by the computer. Computer comparison of subsidiary ledger with general ledger. Independent bank reconciliation. Other controls Restrictive endorsement of checks immediately upon receipt. Deposit of receipts intact daily. Management reviews of cash transactions and overall cash balances.

Figure 10-24 provides an illustrative owchart of the cash receipts system described below. Figure 14-6 illustrates how sales might be initiated and how goods are delivered and billed to customers.

CHAPTER 10

UNDERSTANDING INTERNAL CONTROL

[ 455 ]

Figure 10-24
Functions

System FlowchartCash Receipts Transactions


Documentary Audit Trail Check Key Reports Computer Programs and Files

Cash Receipts Deposit Slips

Enter Cash Deposits

Remittance Advice CASH RECEIPTS PROGRAM: Compare bank deposit with postings to accounts receivable create cash receipts transaction file.

Cash Receipt Prelist

Suspense File

Enter Cash Receipts

Exception Reports

Cash Receipts Transaction File

Sales Disbursements Journal

General Ledger

Exception Reports

MASTER FILE UPDATE PROGRAM: Update master files and G/L print cash receipts journal and reports.

General Ledger Master File

Accounts Receivable Aging

Accounts Receivable Master File

Report of Daily Cash Balances

[ 456 ]

PART 2

AUDIT PLANNING

example system of cash receipts All receipts from customers are received by mail and are accompanied by a preprinted remittance advice (bottom portion of the billing originally sent to the customer). In the mailroom, the checks and remittance advices are separated. The checks are restrictively endorsed (For Deposit Only) and sent to the cashier for deposit. The remittance advices are used to create a listing (prelist) of the checks identifying the customer, the amount, and the specic invoices paid; the prelist is prepared in triplicate and totaled. One copy of the prelist is sent to accounts receivable, and another copy to general accounting. The cashier prepares a bank deposit slip in duplicate and makes the daily bank deposit. The cashier then logs on to the computer system and enters the amount of the daily deposit. The cashier forwards the validated copy of the bank deposit slip (stamped and dated by the bank) to general accounting and les the prelist by date. In accounts receivable, the remittances are posted to the cash receipts transaction le based on the cash prelist, including a control total for the total of the prelisting of cash. A cash receipts program is run at the end of the day and compares the sum of individual cash receipts with the control total and the amount from the deposit slip entered by the cashier. An exception report of any differences is printed and forwarded to the chief nancial ofcers (CFOs) ofce. Transactions that do not match are held in a suspense le for followup. The master le update program then processes the cash receipts transaction le. Run-to-run totals compare the beginning receivables, plus cash receipts, with ending accounts receivables before the routine is processed. It also updates the general ledger, generates the Cash Receipts Journal (shows the individual transactions and daily totals for cash, discounts, and posting to accounts receivable), accounts receivable aging, and daily cash balances. The remittance advice, prelist, and summary report are then led by date. An assistant to the chief nancial ofcer follows up on any exception reports and reports the results to the CFO. The CFO also reviews daily cash transactions (including cash receipts) for reasonableness and monitors daily cash balances. The assistant to the CFO also prepares monthly bank reconciliations that are reviewed by the CFO. The credit department receives a weekly aging of receivables and follows up with customers regarding reasons for the delay of payment on past-due accounts.

objective questions
Objective questions are available for the students at www.wiley.com/college/boynton

comprehensive questions
10-28 (Internal control fundamentals) Internal control has gained increasing importance among management, external auditors, regulators, and others. Required a. What is internal control, and what is it intended to provide to an entity? b. What fundamental concepts are embodied in the denition of internal control?

CHAPTER 10

UNDERSTANDING INTERNAL CONTROL

[ 457 ]

c. List the ve components of an internal control structure. d. When considering the effectiveness of an internal control structure, what inherent limitations should be considered? e. Identify six parties who have a role or responsibility regarding an entitys ICS and briey state the role or responsibility of each. 10-29 (Obtaining an understanding) In meeting the second generally accepted auditing standard of eldwork, the auditor is required to obtain sufcient understanding of each component of an entitys internal controls to plan the audit of the entitys nancial statements. Required a. What knowledge should be obtained about the control components in obtaining an understanding of it? b. How does the auditor obtain the understanding? c. Is it necessary in all cases to document the understanding? d. Briey discuss the alternative methods available for documenting the understanding and comment on the relative advantages or disadvantages of each. 10-30 (Control environment) Peterson, CPA, is auditing the nancial statements of the publicly held manufacturing company, Amalgamated Products, Inc. In complying with the second standard of eldwork, Peterson seeks to obtain an understanding of Amalgamateds control environment. Required a. Identify the control environment factors that can affect the effectiveness of specic policies and procedures related to the other components of an internal control structure. b. What should the auditor understand about the control environment and the factors that comprise it to have sufcient knowledge of this component? c. What effect may the preliminary audit strategy have on the required level of understanding of the control environment factors? 10-31 (Components of internal control) The chapter identied ve components of internal control. Listed below are specic control policies and procedures prescribed by Suntron Company. 1. Management gives careful consideration to the requisite knowledge and skills personnel need at all levels of the organization. 2. General controls and application controls are established in the electronic data processing department. 3. Management acts to reduce or eliminate incentives and temptations that might lead individuals to engage in dishonest or illegal acts. 4. Management is alert to complaints received from customers about billing errors. 5. Management gives special consideration to the risks that can arise from the use of information technology in the accounting system. 6. Employees responsibilities are assigned so as to avoid any individuals being in a position to both commit an error or irregularity and then conceal it. 7. IT management has designed controls to prevent unauthorized use of IT equipment, data les, and computer programs. 8. The processing of payroll includes a check on the total number of hours submitted. If

[ 458 ]

PART 2

AUDIT PLANNING

more than 65 hours are reported in a weekly pay period, the transaction is printed on an exception report and put in a suspense le for additional review or additional authorization. 9. Suntrons internal audit staff periodically assesses the effectiveness of various ICS components. 10. Policy manuals, accounting and nancial reporting manuals, and a chart of accounts have been developed and implemented. Required a. Identify the components of internal control to which each policy or procedure relates. b. For each item, identify one other policy or procedure for that internal control component that is not on the preceding list. 10-32 (Components of internal control) Internal controls can be categorized using the following framework. 1. Control environment 2. Risk assessment 3. Information and communication 4. Control activities 4.1. Authorization 4.2. Segregation of duties 4.3. Information processing controls 4.3.1. Computer general controls 4.3.2. Computer application controls 4.3.3. Controls over the nancial reporting process 4.4. Physical controls 4.5. Performance reviews 4.6. Controls over management discretion in nancial reporting 5. Monitoring 6. Antifraud programs and controls Following is a list of controls prescribed by Waterfront, Inc. a. Management has established a code of conduct that includes rules regarding conicts of interest for purchasing agents. b. Waterfront has established a disclosure committee to review the selection of new accounting policies. c. Any computer program revision must be approved by user departments after testing the entire program with test data. d. The managers of each of Waterfronts manufacturing departments must review all expenditures charged to their responsibility center weekly. e. The CEO, CFO, and controller review the nancial consequences of business risks annually to ensure that controls are in place to address signicant business risks. f. Human resources focuses on ensuring that accounting personnel have adequate qualications for work performed in billing and accounts receivable. g. Security software limits access to programs and data les, and keeps a log of programs and les that have been accessed, which is then reviewed by the security manager daily.

CHAPTER 10

UNDERSTANDING INTERNAL CONTROL

[ 459 ]

h. A computer program prints a daily report of all shipments that have not yet been billed to customers. i. The controller reviews sales and collections bimonthly. j. The computer compares the information on the sales invoice with underlying shipping information. k. Customer billing complaints are directed to internal audit for followup and resolution. l. The documentary transaction trail for all credit sales is documented in company policy manuals. m. A committee of the board of directors evaluates and monitors business risks. n. Access to spreadsheets used in the nancial reporting process is limited and spreadsheets are tested with test data on a quarterly basis. Required a. Indicate the category of internal control applicable to each procedure using the framework above. b. Identify an assertion to which each procedure pertains (some procedures may have a pervasive impact on multiple assertions). 10-33 (Segregation of duties) The Richmond Company, a client of your rm, has come to you with the following problem. It has three clerical employees who must perform the following functions: 1. Maintain general ledger. 2. Maintain accounts payable ledger. 3. Maintain accounts receivable ledger. 4. Prepare checks for signature. 5. Maintain disbursements journal. 6. Issue credits on returns and allowances. 7. Reconcile the bank account. 8. Handle and deposit cash receipts. Required Assuming there is no problem as to the ability of any of the employees, the company requests your advice on assigning the above functions to the three employees in such a manner as to achieve the highest degree of internal control. It may be assumed that these employees will perform no other accounting functions than the ones listed. a. State how you would recommend distributing the above functions among the three employees. Assume that, with the exception of the nominal jobs of the bank reconciliation and the issuance of credits on returns and allowances, all functions require an equal amount of time. (Hint: Give each employee a job title.) b. List four possible unsatisfactory combinations of the above-listed functions. AICPA (adapted) 10-34 (Control activities and related assertions) Several categories of control activities are identied in the chapter using the following framework. a. Authorization b. Segregation of duties

[ 460 ]

PART 2

AUDIT PLANNING

c. Information processing controls 1. General controls 2. Application controls 3. Controls over the nancial reporting process d. Physical controls e. Performance reviews f. Control over management discretion in nancial reporting Following are specic control procedures prescribed by Trusty Company. 1. The computer must match information from a vendors invoices with information from receiving and information from the purchase order before a check is issued. 2. A knowledgeable audit committee reviews and approves new applications of GAAP. 3. Two authorized signatures are required on every check over $100,000. 4. Each month management carefully reviews the aged trial balance of accounts receivable to identify past-due balances and follows up for collection. 5. A supervisor must approve overtime work. 6. The computer assigns sequential numbers to sales invoices used in the billing system. 7. The computer veries the mathematical accuracy of each voucher and prints an exception report for items with mathematical errors. 8. Employee payroll records are kept on a computer le that can only be accessed by certain terminals and are password protected. 9. Internal auditors review journal entries periodically for reasonableness of account classifications. 10. The chairman of the audit committee directly accepts condential e-mails or other submissions concerning questionable accounting and auditing matters. 11. Checks received from customers and related remittance advices are separated in the mailroom and subsequently processed by different individuals. 12. All vouchers must be stamped paid on payment. 13. Department managers review accounting for warranty claims on a weekly basis. 14. On a quarterly basis, warranty expenses are compared with actual warranty claims. 15. Only computer operators are allowed in the computer room. 16. The computer will not complete the processing of a batch when the accounts receivable control account does not match the total of the subsidiary ledgers. Required a. Indicate the category of control activities applicable to each procedure using the framework above. b. Identify an assertion to which each procedure pertains. 10-35 (Control procedures for cash receipts) At the Main Street Theater, the cashier, located in a box ofce at the entrance, receives cash from customers and operates a machine that ejects serially numbered tickets. To gain admission to the theater, a customer hands the ticket to a doorperson stationed some 50 feet from the box ofce at the entrance to the theater lobby. The doorperson tears the ticket in half, opens the door, and returns the stub to the customer. The other half of the ticket is dropped by the doorperson into a locked box.

CHAPTER 10

UNDERSTANDING INTERNAL CONTROL

[ 461 ]

Required a. What internal controls are present in this phase of handling cash receipts? b. What steps should be taken regularly by the manager or other supervisor to give maximum effectiveness to these controls? c. Assume that the cashier and doorperson decided to collaborate in an effort to abstract cash receipts. What action might they take? d. Continuing the assumption made in (c) above of collusion between the cashier and doorperson, what features of the control procedures would be likely to disclose the embezzlement? AICPA

cases
10-36 (Identifying control strengths and weaknesses) Brown Company provides ofce services for more than 100 small clients. These services consist of 1. Supplying temporary personnel 2. Providing monthly bookkeeping services 3. Designing and printing small brochures 4. Copying and reproduction services 5. Preparing tax reports Some clients pay for these services on a cash basis; others use 30-day charge accounts; and still others operate on a contractual basis with quarterly payments. Browns new ofce manager was concerned about the effectiveness of controls over sales and cash ow. At the managers request, the process was reviewed and disclosed the following: 1. Contracts were written by account executives and then passed to the accounts receivable department where they were led. Contracts had a limitation (ceiling) as to the types of services and the amount of work covered. Contracts were payable quarterly, in advance. 2. Client periodic payments on contracts were identied to the contract, and a payment receipt was placed in the contract le. Accounting records showed Credit Revenue; Debit Cash. 3. Periodically, a clerk reviewed the contract les to determine their status. 4. Work orders relating to contract services were placed in the contract le. Accounting records showed Debit Cost of Services; Credit Cash or Accounts Payable or Accrued Payroll. 5. Monthly bookkeeping services were usually paid for when the work was complete. If not paid in cash, a copy of the invoice marked Unpaid $______ was put into a cash pending le. It was removed when cash was received, and accounting records showed Debit Cash; Credit Revenue. 6. Design and printing work was handled like bookkeeping. However, a design and printing order form was used to accumulate costs and to compute the charge to be made to the client. A copy of the order form served as a billing to the client and when cash was received as a remittance advice.

[ 462 ]

PART 2

AUDIT PLANNING

7. Reproduction (copy) work was generally a cash transaction that was rung up on a cash register and balanced at the end of the day. Some reproduction work was charged to open accounts. A billing form was given to the client with the work, and a copy was put in an open le. It was removed when paid. In both cases, when cash was received, the accounting entry was Debit Cash; Credit Revenue. 8. Tax work was handled like the bookkeeping services. 9. Cash from cash sales was deposited daily. Cash from receipts on account or quarterly payments on contracts were deposited after being matched with evidence of the receivable. 10. Bank reconciliations were performed using the deposit slips as original data for the deposits on the bank statements. 11. A cash log was maintained of all cash received in the mail. This log was retained and used for reference purposes when a payment was disputed. 12. Monthly comparisons were made of the costs and revenues of printing, design, bookkeeping, and tax service. Unusual variations between revenues and costs were investigated. However, the handling of deferred payments made this analysis difcult. Required a. List eight examples of poor internal control that are evident. b. List six examples of good internal control that are in effect. 10-37 (Flowcharting: key controls) SummerVoice, Inc., a distributor of music CDs to retailers and a new audit client of yours, processes sales in the following manner: As orders are received, sales order clerks use on-line terminals and an order program to determine that the customer has been approved and that the order will not cause the customers balance to exceed the customers authorized credit limit. If the customer is a new one, the order is transferred to the credit department who checks credit and enters customer information on the customer master le for approved customers. The program also checks the inventory master le to determine that goods are on hand to ll the order, and it prices the sales order based on information in an approved master price le. If the order is accepted, the computer enters it into an open order le and a copy of the sales order form is produced on a printer in the sales order department and sent to the customer. When an order is not accepted, a message is displayed on the terminal indicating the reason for the rejection. The approved sales order is electronically forwarded to the warehouse as authorization to release goods to shipping. The warehouse completes a packing slip and forwards goods to shipping. In shipping, personnel rst make an independent check on agreement of the goods received with the accompanying sales order form. They then use their on-line terminals and a shipping program to retrieve the corresponding sales order from the open order le and add appropriate shipping data. The perpetual inventory system is also updated for the shipment of goods. Next the computer transfers the transaction from the open order le to a shipping le and produces a prenumbered shipping document on the printer in the shipping department. A report is generated daily of unlled orders and back orders for the sales department. Sales invoices are automatically generated based on shipped goods. The computer rechecks vendor information and data on goods shipped against data entered in sales and shipping. The computer prices the information based on information on the sales order and checks the numerical accuracy of the sales invoice. The computer also checks dates shipped with dates on the sales invoice. As each billing is completed, the computer enters it into a sales transaction le. After all the transactions in the batch have been processed, the billing program compares the total invoices with the total shipments for the day.

CHAPTER 10

UNDERSTANDING INTERNAL CONTROL

[ 463 ]

The transaction le is processed and posted to the sales transaction le, the accounts receivable master le, and the general ledger master le. Run-to-run totals compare beginning balances plus processed transactions with ending balances immediately prior to posting the transactions. Exceptions are printed on an exception report, and these transactions are held in a suspense le to be cleared by the billing supervisor. The program also produces monthly statements. All customer inquiries on monthly statements are directed to the controllers ofce for followup. A separate program also prints daily sales reports with sales, gross margins, and inventory-on-hand by product for management review. Management must also coordinate followup on all past-due receivables with the credit department. Required a. Prepare a owchart of the system described above. b. For each nancial statement assertion related to credit sales, identify internal control that may provide reasonable assurance of preventing misstatements or detecting and correcting misstatements on a timely basis.

professional simulation
Situation Research Communication Internal Controls

You have been assigned to the audit of Alpha Corporation, a manufacturer of auto parts. Alpha Corporation is a private company that is wholly owned by George Alpha, that has only one manufacturing location. The auto parts that Alpha manufactures are shipped to approximately 25 manufacturing plants in the United States. During the current year Alpha Corporation upgraded its accounting system. The system upgrade involved changing soft (516) Hadel Studionew 333 2580 ware and implementing a totally accounting package related to purchases, inventory and inventory control, and expenditures. Accounting personnel in the company have been upgraded to support the new system.

Research Situation Communication Internal Controls

In the past the audit approach for inventory has followed a primarily substantive approach. It has been cost effective to directly observe inventory at year-end and perform price testing on the inventory after year-end. The partner on the engagement, Michelle Driscoll, believes that it will continue to be cost effective to follow a primarily substantive approach. Michelle knows that professional standards require the auditor to understand internal con (516) 2580 Hadelthough Studio the 333 trols in every audit. Even audit will follow a primarily substantive approach, what guidance do the professional standards provide about the understanding of the new accounting system and related internal controls that is necessary to plan the audit. Cut and paste the standard sections that apply to this issue.

[ 464 ]

PART 2

AUDIT PLANNING

Communication Situation Research Internal Controls

You are helping Michelle prepare for a planning meeting with Alphas audit committee. Michelle knows that a discussion of the new system of internal controls will come up. In particular she want to brief the audit committee on the inherent limitations of any system of internal control. Prepare a memo outlining the inherent limitations of a system of internal control. Support your memo with guidance provided by relevant professional stanHadel Studio (516) 333 2580 dards. To: Re: Michelle Driscoll, Partner Inherent Limitations of an Entitys Internal Control

From: CPA Candidate

Internal Controls Situation Research Communication

Following is a list of various control activities that might be found in Alphas system of internal control. For each control identify the assertion that might be controlled by the Alphas policy or procedure using the following coding: a. b. c. d. e. Existence and occurrence Completeness Hadel Studio Rights and obligations Valuation and allocation Presentation and disclosure

(516) 333

2580

a. 1. The computer veries an employee authorization code in order to enter a purchase order. 2. The computer produces a report of all receiving reports that have not resulted in a voucher. 3. The computer matches information on the voucher regarding quantities and prices of goods purchased with underlying receiving reports and purchase orders. 4. The computer compares the account coding on a voucher with the account coding on the purchase order. 5. The computer checks the mathematical accuracy of the voucher and supporting vendors invoice. 6. The computer has a unique account coding for the receipt and acquisition of consignment inventory. 7. The computer matches each voucher with an underlying receiving report and cancels the related vendors invoice to prevent duplicate payment.

b.

c.

d.

e.

You might also like