Chapter 9 The Study of Internal Control and Assessment of Control Risk

Transcription

1 Review Questions Chapter 9 The Study of Internal Control and Assessment of Control Risk 9-1 There are seven parts of the planning phase of audits: preplan, obtain background information, obtain information about the client's legal obligations, perform preliminary analytical procedures, assess materiality and risk, understand internal control and assess control risk, and develop an audit plan and audit program. Understanding internal control and assessing control risk is therefore part six of planning. Only developing an audit plan and audit program follow understanding internal control and assessing control risk. 9-2 Management and the auditor are both concerned that internal control provides reliable data and safeguards the company's assets and records. Their concerns differ in that the auditor is primarily interested in the effect of the controls on the financial statements, whereas management is also concerned that internal control optimizes the use of resources and ensures timely preparation of reliable information. 9-3 The independent auditor should point out to management that without reliable financial data many of management's critical business decisions may be based on erroneous information. Such decisions might be inappropriate and could prove costly to the company. In addition, without proper controls over assets, the company's resources may be drained by employee defalcation or theft by outsiders without subsequent detection. 9-4 The control environment consists of the actions, policies and procedures that reflect the overall attitudes of top management, the directors, and the owners of an entity about control and its importance to the entity. The nine factors listed are those which individually and collectively enhance or diminish internal control: 1. Management Philosophy and Operating Style 2. The functioning of the board of directors and its committees, particularly the audit committee 3. Organizational Structure 4. Methods of Assigning Authority and Responsibility 5. Management Control Methods 6. Systems Development Methodology 7. Personnel Policies and Procedures 8. Management Reaction to External Influences 9. Internal Audit 9-1

2 9-5 A company's internal control includes two basic categories of policies and procedures that management designs and implements to provide reasonable assurance that its control objectives will be met. These are called the elements of internal control, and are (1) the control environment and (2) control systems. Control systems have two components: the accounting system; the control procedures. The control environment is the broadest of the three and deals primarily with the way management implements its attitude about internal controls. The accounting system is the way accounting information is assembled, recorded and analyzed. The quality of the accounting system will depend heavily on the control environment. The control procedures are those policies and procedures a company implements to make sure that assets are safeguarded and accounting information is reliable. It depends heavily on the control environment and is a primary determinant of the accuracy of accounting information recorded in the accounting system. 9-6 Separation of operational responsibility from record-keeping is intended to reduce the likelihood of operational personnel biasing the results of their performance by incorrectly recording information. Separation of the custody of assets from accounting for these assets is intended to prevent fraud. When one person performs both functions, the possibility of the employee's disposal of the asset for personal gain and adjustment of the records to relieve him or herself of responsibility for the asset without detection is increased. 9-7 General authorizations refer to management-established policies that the organization is to follow. Subordinates are instructed to implement these general authorizations by approving all transactions within the limits set by the policy. Examples of general authority include the issuance of fixed price lists for the sale of products, credit limits for customers, and fixed automatic reorder points for purchases. Specific authorization relates to individual transactions for which management is unwilling to establish a general policy of authorization. Instead, they prefer to make authorizations on a case by case basis. Examples are the authorization of a sales transaction by a sales manager for a used car dealer or loan approvals over a specific limit in a bank. 9-8 Internal checks on performance (computer-generated or manual verification of performance and the accuracy of recorded amounts) provide a careful and continuous review of the other four internal control procedures by employees independent of the employee performing the original task. Examples of independent checks include: 1. Preparation of the monthly bank reconciliation by an individual with no responsibility for recording transactions or handling cash. 9-2

3 2. Recomputing inventory extensions for a listing of inventory by someone who did not originally do the extensions. 3. The preparation of the sales journal by one person and the subsidiary accounts receivable ledgers by a different person and a reconciliation of the control account to the master file. 4. The counting of inventory by two different count teams. 5. The existence of an effective internal audit staff. 6. Automatic balancing by computer systems. 9-9 The purpose of understanding internal control is to find out how the client believes internal control operates. Assessing control risk means to state the degree to which the auditor intends to depend on internal control to reduce substantive procedures. For example, the auditor might assess control risk much below maximum or low. The understanding of the internal control is done by interviewing client personnel, examining procedures manuals, describing the flow of documents and records by the use of flowcharts and narrative descriptions, and using an internal control questionnaire. Assessing control risk is done judgmentally, based upon the findings in the understanding of internal control and the results of the tests of controls. It is an auditor's decision using professional judgment A control is an existing procedure in internal control that aids in the prevention of erroneous entries or omissions in the accounting system. A weakness describes a situation where controls are inadequate for a given transaction-related objective. Controls 1. Sales invoices are independently checked to customers' orders for prices, quantities, extensions, footings, credit discount, and freight terms. 2. The management of the credit department operates completely independent of the sales department. 3. The billing department is completely separated from accounts receivable and shipping functions. 4. All discounts given other than those in the normal course of the company policy require the approval of a responsible official. 5. Detailed customers' ledgers are maintained for all receivable accounts by personnel entirely separated from all cash functions. 6. Cash receipts are entered in the books of original entry by persons independent of the mail opening and receipt listing function. Weaknesses 1. The absence of any of these controls, if there were not compensating controls would constitute a weakness. 9-3

4 9-11 The most important internal control weakness which permitted the defalcation to occur was the failure to adequately segregate the accounting responsibility of recording billings in the sales journal from the custodial responsibility of receiving the cash. Regardless of how trustworthy James had appeared, no employee should be given the combined duties of custody of assets and accounting for those assets The flowchart provides an overview of the workings of the client's internal control, while the internal control questionnaire is a checklist reminder of many different types of controls. Advantages of flowcharting: 1. Provides concise overview of client's entire internal control useful as a tool to aid in identifying inadequacies. 2. Superior to written description easier to follow the diagram than to read a description. Also easier to update a flowchart than a narrative. Disadvantages of flowcharting: 1. Tendency for confusion if every processing detail is shown. Advantages of internal control questionnaire: 1. A good questionnaire can give relatively complete coverage of each audit area. 2. Can usually be prepared easily at the beginning of an audit engagement. Disadvantages of internal control questionnaire: 1. Individual parts of the internal control are examined without providing an overall view of the client's internal control. 2. A standard questionnaire is often inapplicable to some audit clients especially smaller ones. 3. In danger of being prepared in a mechanized fashion without carefully interviewing personnel and evaluating the implication of "no" responses "Significant deficiencies" are significant weaknesses in the design or operation of internal control; they represent an absence of adequate controls and likely increase the risk of misstatements in the financial statements. Section 5220 recommends that they should be reported by the auditor to the audit committee or an appropriate representative of management Tests of controls are procedures performed to ensure that key controls have been operating efficiently throughout all or most of the period under audit. There are four procedures for tests of controls: 9-4

5 1. Inquiries of client personnel 2. Inspection of documents and records 3. Observation 4. Reperformance An inspection of documents test of controls would be: examine time cards for initials which indicate that hours were re-added by an independent payroll clerk. A reperformance test of control would be: read the hours on a sample of time cards and compare the totals with the original calculations Both approaches are defined in Section 5205 of the CICA Assurance Handbook. The substantive approach is used when the auditor does not intend to rely on the internal controls; either because the auditor has assessed the control risk for a particular assertion as being too high, or because it is not cost-effective to rely on the controls for that assertion. The combined approach is used when the auditor assesses control risk below maximum and does intend to rely on the internal controls with respect to a particular assertion. Multiple Choice Questions 9-16 a. (3) b. (4) c. (4) d. (4) 9-17 a. (3) b. (4) c. (3) 9-18 a. (2) b. (4) c. (4) Discussion Questions and Problems a. 1) Adequate documents and records. 2) Independent checks on performance. b. Transactions are stated at the correct amounts. c. 1) All master file changes should be checked by a second person. 2) Periodic review of the master file by an independent person. 2. a. Adequate documents and records. b. Recorded transactions exist. c. 1) Require that payments only be made on original invoices. 2) Require a receiving report be attached to vendor's invoice before a payment is made. 3. a. 1) Adequate documents and records. 9-5

6 2) Physical control over assets. 3) Independent checks on performance. b. Recorded transactions exist. c. 1) Fence in the physical facilities and prohibit employees from parking inside the fencing. 2) Require the accounting department to maintain perpetual inventory records and take physical counts of actual sides of beef periodically. 4. a. Independent checks on performance. b. Transactions are stated at the correct amounts. c. Counts by qualified personnel and independent checks on performance. 5. a. Proper procedures for authorization. b. Recorded transactions are stated at the correct amounts. c. 1) Make sure the salesman has a current price list. 2) Require independent approval of all transactions including the price before shipment is made. 6. a. 1) Adequate documents and records. 2) Independent checks on performance. b. Transactions are recorded at their proper time. c. Carefully coordinate the physical count of inventory on the last day of the year with the recording of sales to make certain counted inventory has not been billed and billed inventory has not been counted. 9-2o The criteria for dividing is to keep all asset custody duties with one person (Smith). Document preparation and recording is done by the other person (Wong). Chiu will perform independent verification. The two most important independent verification duties are the bank reconciliation and reconciling the receivables master file with the control account, therefore they are assigned to Chiu. The duties should be divided among the three as follows: Robert Smith: *1 *3 *7 *9 10 *12 *16 17 Karen Wong: *2 *4 5 *6 *8 * Barbara Chiu: a. Three basic controls are established by this procedure: 1. The server, who records the sale, is not the same individual who takes the money. In this way he is prevented from not recording the sale of a certain item and keeping the money. 9-6

7 2. By recording on the tape the number of people in the party, the cashier is able to check to see that additional people are not leaving with another party and avoiding paying their bill. 3. By stapling the second tape to the first tape, the customer is prevented from merely presenting the smaller tape as payment and leaving without paying the larger amount. b. The manager can make an evaluation of these control procedures by comparing the totals on the cash register to those on the adding machine tapes, and comparing that to the cash received. Also, he can compare this amount to the amount of food used to see if the cash total is appropriate. c. The usual fast food outlet has the customer pay prior to receiving food. This prevents a customer from leaving without paying. However, there may be an insufficient check on the cashier to insure he or she is not keeping the cash and failing to record the sale. A control to help prevent this type of fraud is a visual display on the cash register showing the amount of the sale and a cash register receipt given to the customer. d. The benefit of this system is a prevention of the theft of cash by the cashier, a prevention of customers from leaving without paying and a faster handling of customers on the cafeteria line. The cost of this system is the salary of the extra server a. The size of a company has a significant effect on the nature of the controls likely to exist. A small company experiences difficulty in establishing appropriate segregation of duties and justifying an internal audit staff. However, a major type of control available in a small company is the knowledge and concern of the top operating person, who is frequently an owner-manager. His or her ability to understand and oversee the entire operation of the company is potentially a significant compensating control. His or her interest in the organization and close relationship with the personnel enable him or her to evaluate the competence of the employees and the effectiveness of internal control. While some of the five internal control procedures are unavailable in a small company, especially segregation of duties, it is still possible for a small company to have proper procedures for authorization, adequate documents, records and reports; physical controls over assets and records; and, to a limited degree, checks on performance. b. Phersen and Violette take opposite and extreme views as to the credence to be given internal control in a small firm. Phersen seems to treat a small firm in the same manner he would a large firm which is inefficient. Because many types of controls are usually lacking in a small firm, assessed control risk should be increased and more extensive substantive procedures must be utilized. Because 9-7

8 assessed internal control is higher, less emphasis is needed to identify the internal controls. Violette is not meeting the standards of the profession in that she completely ignores the possibility of severe weaknesses in the system. She must obtain an understanding of internal control to determine whether it is possible to conduct an audit at all. Auditing standards require, at a minimum, an understanding of internal control. The auditor must understand the control environment and flow of transactions. It is not necessary, however, for the auditor to prepare flowcharts or internal control questionnaires. The auditor is not required to identify weaknesses if he or she does not plan to reduce control risk below maximum (that is, rely only on substantive procedures), as would be common on many small audit clients a. 1) The payroll cheques should not be returned to the supervisor but should be distributed by persons independent of those having a part in making up the payroll data. 2) There is a lack of internal verification of the hours, rates, extensions or employees by above. b. 1) Padding of payroll with fictitious names and extracting the cheques made out to such names when they are returned after they have been signed. 2) There may be errors in hours, rates, extensions, and the existence of non-working employees. c. 1) Have the cheques handed out by an independent person and not returned to Strode. 2) Internal verification of that information by Webber or someone else. 2. a. The bank statement and cancelled cheques should not be reconciled by the manager but should be sent by the bank directly to the home office, where the reconciliations should be made against the manager's report of reimbursements. b. The manager may draw cheques to herself or others for personal purposes and omit them from her list of disbursements or inflate other reported disbursement amounts. c. Have all bank statements sent directly to the home office and have Cooper report directly to the home office by use of a list of expenditures and all supporting documentation Section of the CICA Assurance Handbook states that the auditor should report weaknesses in internal control to the audit committee. Also, they should be made aware of the significance of the weaknesses in internal control that the auditor has found. 9-8

9 In summary, while a letter is not required under GAAS, it is good practice to provide one. There is definite value in that the auditor has made management aware of the weakness(s) should a problem later develop and the letter is a good public relations gesture. Cases 9-25 Memo to: From: Subject: Partner in charge of the audit CA Campbell s Toy Store (CTS) year-end audit Below I have outlined the audit implications and have recommended internal control procedures with regard to the virus that infected CTS s microcomputer system. Audit implications of virus Interim audit testing The most important factor in determining the impact on our audit is the extent of damage done to the integrity of the computer applications and data. A virus could be benign, which would have little impact on our audit, or it could be malignant, necessitating a change in our approach to this year s audit. Because of CTS s obvious vulnerability to viruses, we must question the reliability of the conclusions we reached at the interim audit date in January. Year-end audit procedures Our audit procedures can no longer rely on CTS s computerized data. To regain our confidence in the system we will have to retest the data. The successful infiltration of the virus could indicate weak computer internal controls, which means that the control risk is higher than originally anticipated. Since our risk is increased, we will probably need to rely on a substantive approach. We must find out what procedures CTS carried out to remove the virus and determine whether we can rely on them. We must also complete procedures to ensure that the virus was eliminated from the system. CAAT s or virus detection program may be sufficient. We must assess the integrity of the financial results before the detection of the virus, as the virus might have been active before it was detected. 9-9

10 Keeping a clean system from becoming infected The following internal control procedures that will make CTS s system more virus resistant: Only source code should be shared, not object code, since it is harder to hide a virus in source code. Only the network administrator should be allowed to install new software. Never boot a hard drive-based system from a floppy disk since many viruses are transmitted to the hard drive only when an infected external disk is used to boot the system. Install up-to-date virus detection packages and update them regularly. The system should log any access attempt: unsuccessful attempts should be investigated. Password security should be strictly enforced to prevent the loading of untested software onto the system. Passwords should be updated and kept confidential. Access to programs should be restricted to authorized users. Access to modems should be restricted by means of passwords, callback and any other methods of limiting access. Employees should be notified that unauthorized programs are disallowed. Testing of new software and information All new software should be checked for the presence of viruses before it is installed. System software should be write-protected so that if a virus tries to update the disk it will be clocked and an error message will appear, thus uncovering the virus. Hidden messages should be searched for, since the character string will reveal malicious intent. Different system dates should be used. If tests fail to detect a virus, it will be caught by the change in update time. (date/time) General environmental controls The company should document and enforce backup policies and procedures. Backups on all files should be made daily or at key points in time. Backups should be dated and kept for years since the virus may be active for a long period before it is discovered. A disaster recovery plan should be in place in case of an event that causes irreparable damage. 9-10