
CHAPTER 6

Internal Control Evaluation: Assessing Control Risk

LEARNING OBJECTIVES

Review Checkpoints / Exercises and Problems / Cases
1. Write an essay or memo explaining primary and secondary reasons for conducting an evaluation of a client's internal control structure. / 1, 2, 3 / 29, 39, 55
2. Distinguish between management's and auditors' responsibility regarding a company's internal control structure. / 4, 5, 6 / 48 / 55
3. Define and describe the three basic elements of an internal control structure, and specify some of their component characteristics. / 7, 8, 9, 10, 11, 12 / 51 / 57
4. Identify and give examples of seven internal control objectives, and associate them with the five management assertions in financial account balances. / 10 / 52, 53 / 56, 57
5. List and explain the control procedures companies use to achieve control objectives. / 10, 11, 12, 13, 14, 15, 16, 17 / 52
6. Explain the phases of an evaluation of control and risk assessment and the documentation and extent of audit work required. / 18, 19, 20 / 49 / 28, 30, 31, 32, 33
7. Write procedures for an audit program, following the general form of a detail test of control procedure. / 21, 22 / 50, 51, 54 / 33
8. Define and explain reasonable assurance and cost-benefit in the context of control risk assessment. / 23, 24, 25 / 48
9. Adapt the concepts and processes of control risk assessment to small businesses. / 26, 27

POWERPOINT SLIDES

PowerPoint slides are included on the website. Please take special note of:

* Phases of Risk Assessment Diagram


SOLUTIONS FOR REVIEW CHECKPOINTS

6.1 The primary reason for conducting an evaluation of a client's existing internal control system is to give the auditors a basis for finalizing the details of the account balance audit program--to determine the nature, timing and extent of subsequent substantive audit procedures.

A secondary purpose for conducting an evaluation of internal control is to be able to make constructive suggestions for improvements. Officially, the profession considers these suggestions a part of the audit function and does not define the work as a MAS consultation.

Another purpose of the evaluation is to report to management and the board of directors or its audit committee any discovery of "any reportable conditions" of internal control deficiencies.

6.2 A "substantive audit procedure" is any action (resembling a specific variation of one of the seven general audit procedures) undertaken for the purpose of producing evidence about a dollar amount or a disclosure that appears in the financial statements under audit.

The nature of a procedure is its description--usually associated with one of the seven general audit procedures. For example, the nature of a procedure may be confirmation, document, vouching, etc.

The timing of a procedure is the period during which it is performed--usually distinguished as interim (before the balance sheet date), year-end (on or close to the balance sheet date), and subsequent (after the balance sheet date).

The extent of a procedure is the number of details audited with it, or another measure of intensity or frequency. Oftentimes, extent is measured by the sample size.

6.3 A reportable condition is a control deficiency in the design or operation of the internal controls that could adversely affect the client's ability to account for transactions properly.

A material weakness in internal control is an extreme type of reportable condition defined in auditing standards as a condition in which the specific control procedures or the degree of compliance with them do not reduce to a relatively low level the risk that errors or irregularities in amounts that would be material to the financial statements being audited may occur and not be detected within a timely period by employees in the normal course of performing their assigned functions.

Business managers can make estimates of benefits to be derived from controls and weigh them against the cost. Managers are perfectly free to make their own judgments about the necessary extent of controls. Managers can decide the degree of business risk they are willing to tolerate (refer to SAS 30, AU 642.05).

6.4 Management is responsible not only for the control structure that supports the production of financial statements, but also for the internal control that achieves all the other objectives of the business.


Management is responsible for "managing" internal control to achieve these control objectives over and above the objectives related to external financial reporting:

1. Significant, managerial, and operating information reported internally is accurate, reliable, and timely;

2. The activities of the organization are in compliance with policies, plans, standards, and procedures, and with applicable laws and regulations;

3. Resources are adequately protected;

4. Resources are acquired economically and used efficiently (or cost-effectively); and,

5. The organization's plans, goals, and objectives are achieved.

6.5 External auditors' communications of reportable conditions and material weaknesses are intended to help management carry out its responsibilities for internal control monitoring and change.

Accountants in public practice may undertake engagements to design and install control structures as MAS engagements.

6.6 Control risk is the probability that the client's internal control procedures will fail to detect material errors and irregularities, provided any enter the data processing system in the first place.

The seven general types of errors and irregularities are:

1. Invalid transactions are recorded.

2. Valid transactions are omitted from the accounts.

3. Unauthorized transactions are executed and recorded.

4. Transaction amounts are inaccurate.

5. Transactions are classified in the wrong accounts.

6. Transaction accounting is incomplete.

7. Transactions are recorded in the wrong period.

6.7 Some of the important characteristics of "tone at the top" and control environment:

Management philosophy and operating style

Ethical values and moral guidance communicated throughout the organization by word and deed.

Company organization structure

Functioning of board of directors and audit committee

Methods of assigning authority and responsibility

Management's monitoring methods

Functioning of internal audit department

Personnel (human resource) policies and practices

External influences (e.g. regulation)

6.8 An auditor can find the client's documentation of the accounting system in the:


Chart of accounts

Accounting manual--definitions and instructions about measuring and classifying transactions

Computer systems documentation

Computer program documentation

Systems and procedures manuals

Flowcharts of transaction processing

Various paper forms

6.9 The audit trail is the set of accounting operations from transaction analyses to reports. It starts with the source documents, proceeds to data entry, then to transaction processing and posting to ledger accounts, then from ledger accounts to the financial reports.

Auditors often follow this trail frontwards and backwards! They will follow it backwards from the financial reports to the source documents to determine whether everything in the financial reports is supported by appropriate source documents. They will follow it forward from source documents to reports to determine that everything that happened (transactions) got recorded in the accounts and reported in the financial statements.

6.10 A "control environment" may consist of many things, including management's attitude and behavior related to concern about accuracy, carefulness, and honesty, and management's methods of communicating responsibility and authority to accounting personnel. In general a "control environment" is a setting that affects all accounting operations and all transaction subsystems (like "general controls" in an EDP setting).

The "accounting system" is a specific set of directions and procedures for keeping records. Various policies and procedures are specified for performance in order to achieve some control over data preparation, data entry, transaction processing and report preparation and distribution.

The control procedures are specific procedures in which people review, reperform, or supervise the work of other people. Controls can, of course, be automated in a computer system.

Control objectives ensure that financial statements assertions are correct.

6.11 Four kinds of functional responsibilities that should be segregated:

1. Authorization to execute transactions.

2. Recording of transactions (bookkeeping).

3. Custody of assets.

4. Periodic reconciliation (comparison) of existing (real) assets to recorded amounts.

6.12 Examples of periodic comparisons:

Count of cash on hand.

Reconciliation of bank accounts.

Count of securities.

Confirmation of accounts receivable.

Confirmation of accounts payable.

Physical count of inventory.

6.13 A company control procedure is an action taken for the purpose of preventing, detecting, or correcting errors and irregularities in transactions.


6.14 Typical duties of computer personnel:

1. Systems analysis: Personnel will design and direct the development of new applications.

2. Programming: Other personnel will actually do the programming dictated by the system design.

3. Operating: Other people will operate the computer during processing runs, so that programmers and analysts cannot interfere with the programs designed and executed, even if they produce errors.

4. Converting data: Since this is the place where misstatements and errors can be made--the interface between the hardcopy data and the machine-readable transformation--people unconnected with the computer system itself do the data conversion.

5. Library-keeping: Persons need to control others' access to system and program software so it will be used by authorized personnel for authorized purposes.

6. Controlling: Errors always occur, and people not otherwise connected with the computer system should be the ones to compare input control information with output information, provide for correction of errors not involving system failures, and distribute output to the people authorized to receive it.

6.15 The most significant separation of duties unique to computer systems is among the functions performed by the systems analyst, programmer, computer operator, and data base administrator. The idea is that anyone who designs a processing system should not also do the technical work, and anyone who performs either of these tasks should not also be the computer operator when real data is processed.

6.16 A self-checking number is a two-part number consisting of a basic set of digits followed by (or preceded by) a "check digit." The check digit is determined by performing a mathematical calculation on the basic set of digits, so that an erroneous basic number may be detected by a computer. A common example of a self-checking number is the credit card number.

6.17

1. Valid character tests: Customer name alphanumeric and customer number numeric.

2. Valid sign test: All amount fields positive, sales amount greater than zero.

3. Missing data test: Bill of lading document number included.

4. Sequence test: Invoice numbers are in sequence and none missing.

5. Limit or reasonableness test: Total invoice less than $25,000.
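The self-checking number of 6.16 and the five input edit tests of 6.17, applied to a batch of sales invoices. This is an added example, not part of the original solutions; the record layout, the sample batch, and the choice of the Luhn formula (the check-digit scheme used on payment card numbers) for the customer number are assumptions made for illustration.

```python
import re

INVOICE_LIMIT = 25_000  # limit test from 6.17: total invoice less than $25,000

def luhn_valid(number: str) -> bool:
    """Self-checking number: the last digit is a Luhn check digit."""
    if not (number.isascii() and number.isdigit()) or len(number) < 2:
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def edit_checks(rec: dict) -> list:
    """Run the per-record edit tests; return the list of failed tests."""
    errors = []
    # 1. Valid character tests (name alphanumeric, customer number numeric)
    if not re.fullmatch(r"[A-Za-z0-9 ]+", rec.get("customer_name", "")):
        errors.append("valid-character: customer name")
    cust = rec.get("customer_no", "")
    if not (cust.isascii() and cust.isdigit()):
        errors.append("valid-character: customer number")
    elif not luhn_valid(cust):  # self-checking number (6.16)
        errors.append("check-digit: customer number")
    # 2. Valid sign test, then 5. limit or reasonableness test
    amount = rec.get("amount")
    if not isinstance(amount, (int, float)) or amount <= 0:
        errors.append("valid-sign: amount")
    elif amount >= INVOICE_LIMIT:
        errors.append("limit: amount")
    # 3. Missing data test
    if not rec.get("bill_of_lading"):
        errors.append("missing-data: bill of lading")
    return errors

def sequence_gaps(numbers) -> list:
    """4. Sequence test: invoice numbers missing from the batch's range."""
    present = set(numbers)
    if not present:
        return []
    return [n for n in range(min(present), max(present) + 1) if n not in present]

# Constructed sample batch; "103243" is "102343" with two digits transposed.
BATCH = [
    {"invoice_no": 1001, "customer_name": "Acme Supply", "customer_no": "102343",
     "amount": 1200.00, "bill_of_lading": "BL-5501"},
    {"invoice_no": 1002, "customer_name": "Delta Tools", "customer_no": "103243",
     "amount": 980.00, "bill_of_lading": "BL-5502"},
    {"invoice_no": 1004, "customer_name": "Echo Ltd", "customer_no": "102343",
     "amount": -50.00, "bill_of_lading": ""},
    {"invoice_no": 1005, "customer_name": "Foxtrot Inc", "customer_no": "102343",
     "amount": 25000.00, "bill_of_lading": "BL-5504"},
]

def run_batch(batch):
    rejected = {r["invoice_no"]: e for r in batch if (e := edit_checks(r))}
    return rejected, sequence_gaps(r["invoice_no"] for r in batch)

if __name__ == "__main__":
    print(run_batch(BATCH))
```

The transposed customer number passes the valid character test and is caught only by the check digit, which is the reason for carrying one.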

6.18 Yes and no. The phase 1 understanding must always be followed by a control risk assessment phase and documentation of control risk less than 100% (compliance phase). However, compliance procedures are required only if an auditor wants to lower the control risk assessment.

6.19

1. Advantages of control questionnaire:

Easy to complete.

Checklist of questions.

Less chance of overlooking something important.

Disadvantages:

May contain numerous irrelevant questions.

Tendency to treat it like another form to fill out.

2. Advantages of memorandum documentation:

Can explain the precise controls applicable to the particular client. (precise tailoring)


Requires penetrating analysis.

Minimizes tendency toward perfunctory review.

Disadvantages:

Hard to write. Often lengthy.

Hard to revise in subsequent years.

3. Advantages of flowchart:

Graphic presentation of systems.

Shows the steps required and the flow of forms and documents.

Easy to read and analyze.

Easy to update in subsequent years.

Disadvantages:

Takes some time to draw neatly.

6.20 A "bridge working paper" connects the control evaluation to the audit program (subsequent procedures). It contains brief descriptions of control strengths and weaknesses, implications for control or error related to accounts, and statements of audit program procedures related to the strengths and weaknesses. The procedures related to control strengths are test of control procedures, and the ones related to control weaknesses are substantive procedures.

6.21 A test of control procedure is an audit procedure designed to produce evidence about the performance of a control procedure. A test of control procedure is a two-part statement, consisting of:

Part One: Identification of a data population from which a sample of items will be selected for audit.

Part Two: Expression of an action of either (1) determining whether the selected items correspond to a standard or (2) determining whether the selected items agree with information in another data population.

A test of control procedure may also consist of a direct observation of a control activity that leaves no documentary trail.

6.22 "Inspection," in a test of control procedure, refers to auditors looking to see whether client personnel stamped, initialed, or left other signs that their assigned control procedures had been performed.

"Reperformance," in a test of control procedure, refers to auditors doing again the control that was supposed to have been performed by the client personnel (recalculating, looking up the right price, comparing quantities, and so forth).

6.23 Reasonable assurance is closely related to cost-benefit analysis. By definition, reasonable assurance recognizes that the cost of an organization's internal control should not exceed the benefits obtained by the control.

Management is basically responsible for assessing the cost and benefit of controls, hence their reasonable assurance. Auditors get into the act of reasonable assurance assessment when they consider whether to make recommendations about control improvement in a management letter.


6.24 Audit problems can arise when costly controls are necessary to prevent, detect, and correct material misstatements in the accounts. Management may believe the costs outweigh the benefits and appeal to "reasonable assurance" to justify not having some controls. Nevertheless, control can be deficient as a result, and the auditors will need to take the deficiency under consideration when planning the substantive audit program.

6.25 A "dual-purpose test" serves the purposes of (1) obtaining evidence about a client's control procedure performance [test of control compliance purpose], and (2) obtaining evidence to help detect material misstatements in account balances and disclosures [substantive balance-audit purpose].

6.26 The general theory of internal control is applicable to both large and small businesses as long as the underlying behavioral assumptions are met. However, the fact that small businesses have only a few people usually means that the general theory requirement of separation of duties is not satisfied, and the general theory is less applicable as a practical matter.

The bureaucratic assumptions of strict separation of duties, a tight authority structure, an extensive system of rules and files, and impersonality are harder to satisfy in small businesses that have only a few employees operating in an informal manner. When the assumptions cannot be observed to exist, then an auditor must be careful not to rely blindly on the general theory.

6.27 The two main features of internal control in a small business are (1) the small number of people engaged in the accounting and control systems, making segregation of functional responsibilities very difficult, and (2) the active involvement of the owner-manager in the accounting and control responsibilities.

KINGSTON COMPANY CASE STUDY SOLUTIONS

6.28 Kingston Company Organization Chart

6.29 Kingston Company, Identification of Errors and Irregularities in Inventory Issue and Sales Transactions.

and

6.30 Kingston Company: Specification of Controls to Handle these Errors and Irregularities

NOTE TO INSTRUCTOR: THE SOLUTIONS TO THESE TWO QUESTIONS ARE COMBINED TO SHOW THE SPECIFIC CONTROLS ALONGSIDE THE POSSIBLE ERRORS AND IRREGULARITIES. You may want to tell students to combine the problems in this fashion.

6.29 and 6.30

Kingston Company

Possible Errors/Irregularities in Inventory Issues

and Sales Transactions

December 31, 2002

Transactions:

a. Inventory issues (goods delivered to customers)

b. Sales (sales invoices prepared)

1. Invalid transactions may be recorded.

a. Inventory issues: Goods may be shown as shipped/delivered to customers, when in fact they have not been shipped.

CONTROL:

Prevention: Kingston shipping personnel are the ones who "show" shipment, and they cannot get the goods until inventory stores gets invoice copy authorization to move goods to shipping.


Detection: Shipping personnel can steal goods. If they show them as shipped, the customer gets billed and can later complain about being charged for goods not received. If shipping personnel do not forward invoice Copy 4, the accounts receivable department will investigate the status of old copies 1 and 2 held in the "pending shipment file."

Correction: Customer complaints are handled by customer relations personnel and not by shipping personnel.

b. Sales invoices may be prepared for goods no customer ordered.

CONTROL:

Prevention: Kingston's billing department controls the blank invoices and is not supposed to make an invoice unless credit is approved or cash is received and indicated on a customer order form. However, a clerk could write a fictitious invoice.

Detection: Kingston's accounts receivable department should question and investigate (using customer relations personnel) invoices with no customer order attached. If the billing department destroys copies 1 and 2 (does not send them to accounts receivable, so no such question will arise), then accounts receivable personnel should still question the missing invoice when Copy 4 arrives from shipping and there are no copies 1 and 2 in the "pending shipment file."

Correction: Accounts receivable personnel, not billing personnel, investigate the missing documents.

2. Valid transactions are omitted from the accounts.

a. Inventory issues: Shipping personnel ship/deliver goods to customers but fail to forward invoice Copy 3 to inventory records for entry to reduce the inventory. (Inventory records also produces the cost report for the general ledger cost of goods sold entry.)

CONTROL:

Prevention: Kingston's inventory records personnel should account for the numerical sequence of sales invoices.

Detection: Inventory personnel should investigate missing invoices in the numerical sequence by inquiry with accounts receivable personnel.

Correction: A copy from accounts receivable can then be used by inventory records to produce the inventory entry and the cost of goods sold report.

b. Sales: Shipping personnel ship/deliver goods to customers but fail to forward invoice Copy 4 to accounts receivable.

CONTROL:

Prevention: Depends on shipping department personnel care to forward all papers.

Detection: Kingston's accounts receivable personnel should investigate old invoices in the "pending shipment file."

Correction: Investigation done by accounts receivable and customer relations personnel and not by shipping personnel. If invoice Copy 3 was sent to inventory records, a copy can be recovered to produce the final billing to the customer (completion of invoice copies 1 and 2).
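The detection controls described above for accounts receivable and inventory records can be expressed as a reconciliation over the invoice copies. This is an added example, not part of the original solutions; the data layout, the invoice numbers and dates, and the 10-day aging threshold are assumptions, and the pending shipment file is modelled simply as the copies 1 and 2 that billing sent to accounts receivable.

```python
from datetime import date

MAX_PENDING_DAYS = 10  # assumed threshold for an "old" invoice in the pending file

def reconcile(pending, copy4_received, copy3_received, as_of):
    """Return (invoice_no, finding) pairs for follow-up.

    pending        -- {invoice_no: date prepared}, copies 1 and 2 held by
                      accounts receivable in the pending shipment file
    copy4_received -- invoice numbers for which shipping forwarded Copy 4
    copy3_received -- invoice numbers received by inventory records (Copy 3)
    """
    findings = []
    # Copy 4 arrives but copies 1 and 2 never reached accounts receivable
    for no in sorted(copy4_received - set(pending)):
        findings.append((no, "Copy 4 received, no copies 1 and 2 in pending file"))
    # Old copies 1 and 2 with no Copy 4 from shipping
    for no in sorted(pending):
        age = (as_of - pending[no]).days
        if no not in copy4_received and age > MAX_PENDING_DAYS:
            findings.append((no, f"pending {age} days, no Copy 4 from shipping"))
    # Inventory records accounts for the numerical sequence of Copy 3,
    # then inquires with accounts receivable about each missing number
    known_to_ar = set(pending) | copy4_received
    if copy3_received:
        for no in range(min(copy3_received), max(copy3_received) + 1):
            if no not in copy3_received:
                status = ("copy available from accounts receivable"
                          if no in known_to_ar
                          else "not found in accounts receivable")
                findings.append((no, f"Copy 3 missing from sequence, {status}"))
    return findings

# Constructed sample data for the period ending December 31, 2002
AS_OF = date(2002, 12, 31)
PENDING = {
    2001: date(2002, 12, 28),
    2002: date(2002, 12, 5),
    2003: date(2002, 12, 29),
    2005: date(2002, 12, 30),
}
COPY4 = {2001, 2004, 2005}
COPY3 = {2001, 2002, 2003, 2004, 2007}

if __name__ == "__main__":
    for invoice_no, finding in reconcile(PENDING, COPY4, COPY3, AS_OF):
        print(invoice_no, finding)
```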