AEB15 SM C10 v4
AEB15 SM C10 v4
AEB15 SM C10 v4
Review Questions
10-1
10-3 (continued)
10-5 There are eight parts of the planning phase of audits: accept client and
perform initial planning, understand the clients business and industry, assess
client business risk, perform preliminary analytical procedures, set materiality and
assess acceptable audit risk and inherent risk, understand internal control and
assess control risk, gather information to assess fraud risks, and develop an
overall audit plan and audit program. Understanding internal control and assessing
control risk is therefore part six of planning. Only gathering information to assess
fraud risk and developing an overall audit plan and audit program follow
understanding internal control and assessing control risk.
10-7 PCAOB Auditing Standard 5 requires that the auditor issue a report on the
effectiveness of internal control over financial reporting. To express an opinion on
internal controls, the auditor obtains an understanding of and performs tests of
controls related to all significant account balances, classes of transactions, and
disclosures and related assertions in the financial statements. PCAOB Auditing
Standard 5 requires the auditors independent assessment of the internal controls
design and operating effectiveness.
10-2
10-8 The six transaction-related audit objectives are:
1. Recorded transactions exist (occurrence).
2. Existing transactions are recorded (completeness).
3. Recorded transactions are stated at the correct amounts (accuracy).
4. Recorded transactions are properly included in the master files and
correctly summarized (posting and summarization).
5. Transactions are properly classified (classification).
6. Transactions are recorded on the correct dates (timing).
10-9 The COSO Internal Control Integrated Framework is the most widely
accepted internal control framework in the U.S. The COSO framework describes
internal control as consisting of five components that management designs and
implements to provide reasonable assurance that its control objectives will be
met. Each component contains many controls, but auditors concentrate on those
designed to prevent or detect material misstatements in the financial statements.
10-10 The COSO Internal Control Integrated Framework consists of the following
five components:
1. Control environment
2. Risk assessment
3. Control activities
4. Information and communication
5. Monitoring
10-11 The control environment consists of the actions, policies, and procedures
that reflect the overall attitudes of top management, directors, and owners of an
entity about internal control and its importance to the entity. The control
environment serves as the umbrella for the other four components. Without an
effective control environment, the other four are unlikely to result in effective
internal control, regardless of their quality. The following are the most important
subcomponents the control environment:
Integrity and ethical values
Commitment to competence
Board of directors or audit committee participation
Managements philosophy and operating style
Organizational structure
Assignment of authority and responsibility
Human resource policies and practices
10-12 Internal control includes five categories of controls that management
designs and implements to provide reasonable assurance that its control
objectives will be met. These are called the components internal control, which
consists of the following:
The control environment
Risk assessment
Control activities
Information and communication
Monitoring
10-3
10-12 (continued)
The control environment is the broadest of the five and deals primarily with
the way management implements its attitude about internal controls. The other
four components are closely related to the control environment. Risk assessment
is managements identification and analysis of risks relevant to the preparation of
financial statements in accordance with accounting standards. Management
implements control activities and creates the accounting information and
communication system in response to risks identified as part of its risk assessment
in order to meet its objectives for financial reporting. Finally, management
periodically assesses the quality of internal control performance to determine that
controls are operating as intended and that they are modified as appropriate for
changes in conditions (monitoring). All five components are necessary for
effectively designed and implemented internal control.
10-4
10-15 An example of a physical control the client can use to protect each of the
following assets or records is:
1. Petty cash should be kept locked in a fireproof safe.
2. Cash received by retail clerks should be entered into a cash register
to record all cash received.
3. Accounts receivable records should be stored in a locked, fireproof
safe. Adequate backup copies of computerized records should be
maintained and access to the master files should be restricted via
passwords.
4. Raw material inventory should be retained in a locked storeroom with
a reliable and competent employee controlling access.
5. Perishable tools should be stored in a locked storeroom under
control of a reliable employee.
6. Manufacturing equipment should be kept in an area protected by
security and fire alarms and kept locked when not in use.
7. Marketable securities should be stored in a safety deposit vault.
10-17 As illustrated by Figure 10-3, there are four phases in the process of
understanding internal control and assessing control risk. In the first phase the
auditor obtains an understanding of internal controls , which includes an
understanding of their design and whether they have been implemented. Next the
auditor must make a preliminary assessment of control risk (phase 2) and perform
tests of controls (phase 3). The auditor uses the results of tests of controls to
assess control risk and to ultimately decide planned detection risk and substantive
tests for the audit of financial statements, which is phase 4.
10-5
10-19 In a walkthrough of internal control, the auditor selects one or a few
documents for the initiation of a transaction type and traces them through the
entire accounting process. At each stage of processing, the auditor makes
inquiries and observes current activities, in addition to examining completed
documentation for the transaction or transactions selected. Thus, the auditor
combines observation, inspection, and inquiry to conduct a walkthrough of internal
control. PCAOB Auditing Standard 5 requires the auditor to perform at least one
walkthrough for each major class of transactions.
10-20 For many control activities, documentation of their performance is more
objectively evaluated in contrast to the evaluation of the control environment. Due
to the nature of the subcomponents that constitute the control environment, such
as integrity and ethical values and commitment to competence, the nature of
evidence used to evaluate the control environment may differ somewhat from the
nature of evidence used to evaluate control activities. While auditors examine
similar types of evidence to assess both the control environment and control
activities, they often perform more extensive inquires and observation to assess
the design and implementation of control environment subcomponents, such as
the entitys code of conduct and whistleblowing system, so they can evaluate
whether employees understand those policies and procedures and to gain a sense
as to the overall ethical tone and perception of managements integrity. Because of
the more judgmental nature of many of the control environment subcomponents,
auditors often make numerous inquiries and perform extensive observation of
client personnel in the performance of policies and procedures to evaluate those
subcomponents of the control environment. While inquiry and observation may
also be performed to evaluate control activities, auditors frequently inspect
documentation that demonstrates a control activity was performed, such as
examining signatures on documents or matching of documentation supporting a
transaction, and they often reperform certain client performed procedures, such as
the calculation of a transaction amount.
10-21 A significant deficiency exists if one or more control deficiencies exist that
are less severe than a material weakness, but important enough to merit attention
by those responsible for oversight of the companys financial reporting. A material
weakness exists if a significant deficiency, by itself or in combination with other
significant deficiencies, results in a reasonable possibility that internal control will
not prevent or detect material financial statement misstatements. The presence of
one significant deficiency that is not deemed to be a material weakness may not
affect the auditors report. In that instance, the auditors report on internal control
over financial reporting would contain an unqualified opinion. However, if the
deficiency is deemed to be a material weakness, the auditor must express an
adverse opinion on the effectiveness of internal control over financial reporting.
10-22 The most important internal control deficiency that permitted the defalcation
to occur was the failure to adequately segregate the accounting responsibility of
recording billings in the sales journal from the custodial responsibility of
receiving the cash. Regardless of how trustworthy James appeared, no employee
should be given the combined duties of custody of assets and accounting for those
assets.
10-6
10-23 Maier is correct in her belief that internal controls frequently do not
function in the manner they are supposed to. However, regardless of this, her
approach ignores the value of beginning the understanding of internal control by
preparing or reviewing a rough flowchart. Obtaining an early understanding of the
clients internal control will provide Maier with a basis for a decision about further
audit procedures and sample sizes based on assessed control risk. By not
obtaining an understanding of internal control until later in the engagement, Maier
risks performing either too much or too little work, or emphasizing the wrong areas
during her audit.
10-25 Entity level controls, such as the effectiveness of the board of directors
and audit committees oversight, can have a pervasive affect on many different
transaction-level controls. If entity-level controls are deemed to be deficient, then
there is greater likelihood that transaction-level controls may be ineffective in their
design or operation. In contrast, if entity-level controls are deemed to be highly
effective, the auditor may be able to place greater reliance on those controls,
which may provide an opportunity to reduce testing of transaction-level controls
thereby increasing the efficiency of the audit procedures.
10-26 Auditing standards indicate that reliance can be placed on controls that
were tested in a prior year, except for controls that mitigate significant risks which
must be tested in the current year. Controls should be tested at least every three
years, and whenever there is a significant change in the control. Continued
reliance on the effectiveness of automated controls is appropriate if the auditor is
satisfied that general controls over the computer applications are adequate to
identify any changes to computerized processes. The ability to rely on prior year
tests of automated controls is due to the systematic nature of IT-based procedures.
That is, once an automated control is programmed to perform correctly, it should
continue performing in that manner until the underlying software program is
changed. In contrast, manual performed controls are generally tested each year
because there is always a risk of human error occurring in the performance of a
manual control.
10-7
10-27 When the auditors risk assessment procedures identify significant risks,
the auditor is required to test the operating effectiveness of controls that mitigate
these risks in the current year audit, if the auditor plans to rely on those controls to
support a control risk assessment below 100%. Thus, tests of controls are required
in the current year audit for those controls the auditor plans to rely on to reduce
control risk. The greater the risk, the more the audit evidence the auditor should
obtain that controls are operating effectively.
10-28 The auditor may issue an unqualified opinion on internal control over
financial reporting when two conditions are present:
there are no identified material weaknesses; and
there have been no restrictions on the scope of the auditors work.
A scope limitation is the condition that would cause the auditor to express
a qualified opinion or a disclaimer of opinion on internal control over financial
reporting. This type of opinion is issued when the auditor is unable to determine if
there are material weaknesses, due to a restriction on the scope of the audit of
internal control over financial reporting or other circumstances where the auditor
is unable to obtain sufficient appropriate evidence.
10-29 PCAOB Auditing Standard 5 requires that the audit of the financial
statements and the audit of internal control over financial reporting be integrated.
In an integrated audit, the auditor must consider the results of audit procedures
performed to issue the audit report on the financial statements when issuing the
audit report on internal control. For example, if the auditor identifies a material
misstatement in the financial statements that was not initially identified by the
companys internal controls, the auditor should consider this as at least a
significant deficiency, if not a material weakness for purposes of reporting on
internal control. In such circumstances, the auditors report on the financial
statements may be unqualified as long as management corrected the misstatement
before issuing the financial statements. In contrast, however, the auditors report
on internal control must include an adverse opinion if the auditor concludes it is a
material weakness.
10-8
Discussion Questions and Problems
10-33
10-34
a. b.
TRANSACTION-
CONTROL RELATED AUDIT
INTERNAL CONTROL ACTIVITY OBJECTIVE(S)
1. Sales invoices are matched with shipping Adequate Occurrence
documents and customer orders before documents
recording in the sales journal. and records
2. Receiving reports are prenumbered and Adequate Completeness
accounted for on a daily basis. documents Timing
and records
3. Sales invoices are independently verified Independent Accuracy
before being sent to customers. checks on
performance
4. Payments by check are received in the mail Adequate Completeness
by the receptionist, who lists the checks and separation of
restrictively endorses them. duties
5. Overtime hours for payroll are approved by Proper Occurrence
the employees supervisor. authorization Accuracy
of
transactions
6. Checks are signed by the company Adequate Occurrence
president, who compares the checks with separation of Accuracy
the underlying supporting documents. duties
Independent
checks on
performance
10-9
10-34 (continued)
a. b.
TRANSACTION-
CONTROL RELATED AUDIT
INTERNAL CONTROL ACTIVITY OBJECTIVE(S)
7. Unmatched shipping documents are Physical control Completeness
accounted for on a daily basis. over Timing
documents
and records
8. All payroll payments must have a valid Adequate Occurrence
employee identification number assigned separation of
by the human resources department at the duties
time of hiring.
9. The accounts receivable master file is Independence Posting and
reconciled to the general ledger on a checks on summarization
monthly basis. performance
10-10
payroll.
10-35 (continued)
10-11
10-35 (continued)
10-12
10-35 (continued)
10-13
10-36 (continued)
10-37 The criteria for dividing duties is to keep all asset custody duties with one
person (Cooper). Document preparation and recording is done by the other person
(Smith). Miller will perform independent verification. The two most important
independent verification duties are the bank reconciliation and reconciling the
accounts receivable master file with the control account; therefore, they are
assigned to Miller. The duties should be divided among the three as follows:
Robert Smith: 2 4 5 7 9 11 14 16 17
James Cooper: 1 3 6 8 10 12 13
Bill Miller: 15 18
10-38 a. The size of a company has a significant effect on the nature of the
controls likely to exist. A small company has difficulty establishing
adequate separation of duties and justifying an internal audit staff.
However, a major type of control available in a small company is the
knowledge and concern of the top operating person, who is
frequently an owner-manager. His or her ability to understand and
the entire operation of the company is potentially a significant
compensating control. The owner-managers interest in the
organization and close relationship with the personnel enable him or
her to evaluate the competence of the employees and the
effectiveness of internal controls.
While some of the five control activities are unavailable in a
small company, especially adequate segregation of duties, it is still
possible for a small company to have proper authorization of
transactions and activities, adequate documents and records,
physical controls over assets and records, and, to a limited degree,
independent checks on performance.
10-14
10-38 (continued)
The auditor must understand the control environment and the flow of
transactions. It is not necessary, however, for the auditor to prepare
flowcharts or internal control questionnaires. The auditor of a nonpublic
company is required to provide a written report about significant
deficiencies or material weaknesses to those charged with governance,
which may be common on many small audit clients.
10-15
10-39 1. a. Supplying the receiving department with electronic
access to the purchase order is regarded as a deficiency
in that the department may be less careful in checking
goods than they would be if they were working without
a record of the quantities that should be received.
The failure to have the storekeeper receipt for the
materials when they are sent to him or her from the
receiving department or to tie in the items placed in
storage with the acquisition constitutes a deficiency in
control in that responsibility for shortages cannot be
conclusively placed on either receiving or stores. The
receiving department might, in collusion with a vendor,
report receipts of materials that were never received.
Also, either the receiving department or the stores
department might fraudulently convert some of the
materials and because of the lack of a record of
responsibility, the company would be unable to
determine which department was responsible.
10-16
10-39 (continued)
Occurrence
The receiving report is not sent to the stores department. A copy of
the receiving report should be sent from the receiving room directly
to the stores department with the materials received. The stores
department, after verifying the accuracy of the receiving report,
should indicate approval on that copy and send it to the accounts
payable department. The copy sent to accounts payable will serve
as proof that the materials ordered were received by the company
and are in the user department.
The controller should not be responsible for cash disbursements.
The cash disbursement function should be the responsibility of the
treasurer, not the controller, so as to provide proper segregation of
duties between the custody of assets and the recording of
transactions.
The purchase requisition is not approved. The purchase requisition
should be approved by a responsible person in the stores
department. The approval should be indicated on the purchase
requisition after the approver is satisfied that it was properly
prepared based on a need to replace stores or the proper request
from a user department.
Preliminary review should be made before preparing purchase
orders. Prior to preparation of the purchase order, the purchase
office should review the companys need for the specific materials
requisitioned and approve the request.
10-17
10-40 (continued)
Completeness
Purchase orders and purchase requisitions should not be combined
and filed with the unmatched purchase requisitions, in the stores
department. A separate file should be maintained for the combined
and matched documents. The unmatched purchase requisitions file
can serve as a control over merchandise requisitioned but not yet
ordered.
There is no indication of control over vouchers in the accounts payable
department. A record of all vouchers submitted to the cashier should
be maintained in the accounts payable department, and a copy of
the vouchers should be filed in an alphabetical vendor reference file.
There is no indication of any control over prenumbered documents.
All prenumbered documents should be accounted for.
Accuracy
Purchase requisitions and purchase orders are not compared in
the stores department. Although purchase orders are attached to
purchase requisitions in the stores department, there is no indication
that any comparison is made of the two documents.
Prior to attaching the purchase order to the purchase
requisition, the requisitioners functions should include a check that:
10-18
10-40 (continued)
10-19
10-42 Following are the appropriate reporting formats for the six independent
situations:
INDEPENDENT APPROPRIATE
SITUATION AUDIT REPORT REASON FOR REPORT
10-20
Case
10-43 a. Sales
TRANSACTION-RELATED
AUDIT OBJECTIVE CONTROL
Classification None
10-21
10-43 (continued)
b. Cash Receipts
TRANSACTION-RELATED
AUDIT OBJECTIVE CONTROL
Occurrence Monthly bank reconciliation is prepared.
Accounts receivable clerk compares duplicate
deposit slip from bank to sales and cash receipts
journal.
Completeness Cash register is used for cash sales.
Cash collected on receivables is prelisted.
Supervisor deposits money in a locked box.
Accuracy Supervisor recaps cash sales and compares
totals to the cash receipts tapes.
Monthly bank reconciliation prepared.
Accounts receivable clerk compares duplicate
deposit slip from bank to cash sales and cash
receipts journal.
Monthly statements are sent to customers.
Posting and Computer is used to update records.
summarization Monthly statements are sent.
The aged trial balance is compared to the general
ledger.
Classification None
Timing Cash is deposited daily.
10-22
Integrated Case Application
10-44
Following are control risk matrices and related notes that are used to direct a
discussion of the requirements of the case. It should be understood that judgment
is a critical element in this case, and accordingly, there often is no single right
answer.
Computer-prepared matrices using Excel (P1044.xls) are contained on the
Companion Website and on the Instructors Resource CD-ROM, which is available
upon request. They are essentially the same as the matrices on the next two
pages.
10-23
10-44 (continued)
Recorded
Transaction-Related acquisition
Audit Objective transactions are
Recorded properly Acquisition
Recorded Existing acquisition included in the Acquisition transactions
acquisitions acquisition transactions master files, and transactions are recorded
are for goods trans- are stated at are properly are properly on the
and services actions are the correct summarized classified correct
Internal received recorded amounts (posting and (classifica- dates
Controls (occurrence). (completeness). (accuracy). summarization). tion). (timing).
2. Proper approval C C
3. Segregation of functions C
4. Cancellation of documents C
5. Prenumbering of documents
C
with accounting for sequence
6. Internal verification of
C C C C C
documents/records
9. Monthly reconciliation of
A/P master file with general C
ledger
Transaction-Related
Audit Objectives Recorded cash
disbursement
Recorded cash transactions are
disbursements Recorded cash properly included Cash Cash
are for goods Existing cash disbursement in the master file disbursement disbursement
and services disbursement transactions are and are properly transactions transactions
actually transactions are stated at the summarized are properly are recorded
Internal received recorded correct amounts (posting and classified on the correct
Controls (occurrence). (completeness). (accuracy). summarization). (classification). dates (timing).
1. Segregation of functions C
Deficiencies
1. Lack of an independent bank D D
reconciliation (Done by Treasurer)
2. Lack of internal verification of
documentation package by cash D D D
disbursements clerk.
3. Lack of internal verification of key
entry into cash disbursements D D D
file.
1. Students should have located the Form 10-K for Organic Alliance,
Inc., for the year ended 12-31-11. Instructors may want to encourage
students to use the EDGAR Full-Text Search option to identify the
companys filings more efficiently.
10-26
Research Problem 10-1 (continued)
(Note: Research problems address current issues, using Internet sources. Because
Internet sites are subject to change, Research problems and solutions may change.
Any revisions to Research problems will be posted on the textbook Web site at
www.pearsonhighered.com/arens.)
10-27