Audit Chapter 11
Local area networks (LANs):
networks that connect computer equipment, data files, software, and peripheral equipment within a local area, such as a single building or a small cluster of buildings, for intracompany use
Wide area networks (WANs)
networks that connect computer equipment, databases, software, and peripheral equipment that reside in many geographic locations, such as client offices located around the world
Specific authorization
case-by-case approval of transactions not covered by companywide policies
General authorization
companywide policies for the approval of all transactions within stated limits
Encryption techniques
computer programs that change a standard message or data file into one that is coded, then decoded using a decryption program
Hardware controls
controls built into the computer equipment by the manufacturer to detect and report equipment failure
Input controls
controls designed by an organization to ensure that the information to be processed by the computer is authorized, accurate, and complete
Output controls
controls designed to ensure that computer-generated data are valid, accurate, complete, and distributed only to authorized people
Processing controls
controls designed to ensure that data input into the system are accurately and completely processed
Entity-level controls
controls that have a pervasive effect on the entity's system of internal control; also referred to as company-level controls
General controls
controls that relate to all parts of the IT function and affect many different software applications
Application controls
controls typically at the business process level that apply to processing transactions, such as the inputting, processing, and outputting of sales or cash receipts
Digital signatures
electronic certificates that are used to authenticate the validity of individuals and companies conducting business electronically
Database management systems
hardware and software systems that allow clients to establish and maintain databases shared by multiple applications
Chapter 8 introduced the 8 parts of the planning phase of audits. Which part is understanding internal control and assessing control risk? What parts precede and follow that understanding and assessing control risk?
here are eight parts of the planning phase of audits: accept client and perform initial audit planning, understand the client's business and industry, perform preliminary analytical procedures, set preliminary judgment of materiality and performance materiality, identify significant risks due to fraud or error, assess inherent risk, understand internal control and assess control risk, and finalize overall audit strategy and audit plan. Understanding internal control and assessing control risk is therefore part seven of planning. Only finalizing the audit strategy and audit plan follow understanding internal control and assessing control risk.
Independent checks
internal control activities designed for the continuous internal verification of other controls
Risk assessment
management's identification and analysis of risks relevant to the preparation of financial statements in accordance with an applicable accounting framework
Monitoring
management's ongoing and periodic assessment of the quality of internal control performance to determine that controls are operating gas intended and are modified when needed
Control activities
policies and procedures, in addition to those included in the other four components of internal control, that help ensure that necessary actions are taken to address risk in the achievement of the entity's objectives; they typically include the following five specific control activities: 1. Adequate separation of duties 2. Proper authorization of transactions and activities 3. Adequate documents and records 4. Physical control over assets and records 5. Independent checks on performance
COSO principles
represent the fundamental concepts related to each of the 5 components of internal control; all principles must be function for control to be effective
Separation of duties
separation of the following activities in an organization: 1. Custody of asset from accounting 2. Authorization from custody of assets 3. Operation responsibility from record keeping and 4. IT duties from outside users of IT
Enterprise resource planning (ERP) systems
systems that integrate numerous aspects of an organization's activities into one accounting information system
Control environment
the actions, policies, and procedures that reflect the overall attitudes of top management, directors, and owners of an entity about internal control and its importance to the entity
Cybersecurity
the information technology and internal control processes an organization has in place to protect computers, networks, programs, and data from unauthorized access
Those charged with governance
the persons with responsibility for overseeing the strategic direction of the entity and its obligations related of the accountability of the entity, including overseeing the financial reporting and disclosure process
Information and communication
the set of manual and/or computerized procedures that initiate, record, process, and report an entity's transactions and maintain accountability for the related assets
Application service providers (ASPs)
third-party entities that mange and supply software applications or software-related services to customers through the Internet
Collusion
an act of 2/more employees who conspire to steal assets or misstate records
Manual controls
application controls done by people
For each of the following, give an example of a physical control the client can use to protect the asset or record: 1. Computers 2. Cash received by retail clerks 3. Accounts receivable records 4. Raw material inventory 5. Perishable tools 6. Manufacturing equipment 7. Marketable securities
An example of a physical control the client can use to protect each of the following assets or records is: 1. Computers should be in an area protected by security and should be protected from extreme temperatures. Access should be password-protected. 2. Cash received by retail clerks should be entered into a cash register to record all cash received. 3. Adequate backup copies of computerized accounts receivable records should be maintained and access to the master files should be restricted via passwords. Other accounts receivable records should be stored in a locked, fireproof safe. 4. Raw material inventory should be retained in a locked storeroom with a reliable and competent employee controlling access. 5. Perishable tools should be stored in a locked storeroom under control of a reliable employee. 6. Manufacturing equipment should be kept in an area protected by security and fire alarms and kept locked when not in use. 7. Marketable securities should be stored in a safety deposit vault.
An audit client is creating an online, Web-based sales ordering system for customers to purchase products using personal credit cards for payment. Identify 3 risks related to an online sales system that management should consider. For each risk, identify an internal control that could be implemented to reduce the risk.
An online sales ordering system poses many potential risks for an audit client. Risks that may exist include: 1. Customer data is susceptible to interception by unauthorized third parties. 2. The client company's data, programs, and hardware are susceptible to potential interception or sabotage by external parties. 3. An unauthorized third party may attempt to transact business with the client company. These risks can be addressed by the use of firewalls, encryption techniques, and digital signatures. A firewall is a system of hardware and software that monitors and controls the flow of e-commerce communications by channeling all network connections through a control gateway. A firewall protects data, programs, and other IT resources from external users accessing the system through networks, such as the Internet. Encryption techniques are based on computer programs that transform a standard message into a coded (encrypted) form. One key (the public key) is used for encoding the message and the other key (the private key) is used to decode the message. Encryption techniques protect the security of electronic communication during the transmission process. Finally, the use of digital signatures can enhance internal controls over the online sales order system by authenticating the validity of customers and other trading partners who conduct business with the client company.
Compare the risks associated with network systems and database systems to those associated with centralized IT functions
Because many companies that operate in a network environment decentralize their network servers across the organization, there is an increased risk for a lack of security and lack of overall management of the network operations. The decentralization may lead to a lack of standardized equipment and procedures. In many instances responsibility for purchasing equipment and software, maintenance, administration, and physical security often resides with key user groups rather than with a centralized IT function. Also, network-related software often lacks the security features, including segregation of duties, typically available in traditionally centralized environments because of the ready access to software and data by multiple users. In database management systems where many applications share the same data, controls can often be strengthened as data are more centralized and duplicate files can be eliminated. However, there are also increased risks in some cases given that multiple users, including individuals outside accounting, access and update data files. Without proper database administration and access controls, risks of unauthorized, inaccurate, and incomplete data files increase. Centralization of data also increases the need to properly back up data information on a regular
Describe why auditors generally evaluate entity-level controls before evaluating transaction-level controls.
Entity level controls, such as the effectiveness of the board of directors' and audit committee's oversight, can have a pervasive affect on many different transaction-level controls. If entity-level controls are deemed to be deficient, then there is greater likelihood that transaction-level controls may be ineffective in their design or operation. In contrast, if entity-level controls are deemed to be highly effective, the auditor may be able to place greater reliance on those controls, which may provide an opportunity to reduce testing of transactionlevel controls thereby increasing the efficiency of the audit procedures.
Distinguish between general controls and application controls and give 2 examples of each.
General controls relate to all aspects of the IT function. They have a global impact on all software applications. Examples of general controls include controls related to the administration of the IT function; software acquisition and maintenance; physical and online security over access to hardware, software, and related backup; back-up planning in the event of unexpected emergencies; and hardware controls. Application controls apply to the processing of individual transactions. Examples of application controls include a programmed control that verifies that all time cards submitted are for valid employee ID numbers included in the electronically accessible employee master file; and a control that recomputes net pay from gross pay and deductions.
Explain how the effectiveness of general controls impacts the effectiveness of automated application controls.
If general controls are effective, there is an increased likelihood of placing greater reliance on automated application controls. Stronger general controls should lead to greater likelihood that automated application controls operate effectively and data files contain accurate, authorized, and complete information. If general controls are ineffective, there is a potential for material misstatement in each computer-based accounting application, regardless of the quality of automated application controls. If, for example, the systems development process is not properly controlled, there is a greater risk that unauthorized and untested modifications to accounting applications software have occurred that may have affected the automated control.
Identify the traditionally segregated duties in IT systems
In most traditional accounting systems, the duties related to authorization of transactions, recordkeeping, and custody of assets are segregated across three or more individuals. As accounting systems make greater use of IT, many of the tasks that were traditionally performed manually are now performed by the computer. As a result, some of the traditionally segregated duties, particularly authorization and recordkeeping, fall under the responsibility of IT personnel. To compensate for the collapsing of duties under the IT function, key IT tasks related to programming, operation of hardware and software, and data control are segregated. Separation of those IT functions restricts an IT employee's ability to inappropriately access software and data files in order to misappropriate assets.
Explain what is meant by independent checks on performance and give 5 specific examples.
Independent checks on performance are internal control activities designed for the continuous internal verification of other controls. Examples of independent checks include: Preparation of the monthly bank reconciliation by an individual with no responsibility for recording transactions or handling cash. Recomputing inventory extensions for a listing of inventory by someone who did not originally do the extensions. The preparation of the sales journal by one person and the accounts receivable master file by a different person, and a reconciliation of the control account to the master file. The counting of inventory by two different count teams. The existence of an effective internal audit staff.
Describe which of the 3 categories of broad objectives for internal controls are considered by the auditor in an audit of both the financial statements and internal control over financial reporting.
Management designs systems of internal control to accomplish three categories of objectives: reporting, operations, and compliance with laws and regulations. The auditor's focus in both the audit of financial statements and the audit of internal controls is on those controls related to the reliability of financial reporting plus those controls related to operations and to compliance with laws and regulations objectives that could materially affect financial reporting.
Describe the 3 broad objectives management has when designing effective internal control
Management typically has three broad objectives in designing effective internal controls. 1. Reliability of Reporting While this objective relates to both external and internal reporting, we focus here on the reliability of external financial reporting. Management is responsible for preparing financial statements for investors, creditors, and other users. Management has both a legal and professional responsibility to be sure that the information is fairly presented in accordance with reporting requirements such as GAAP or IFRS. The objective of effective internal control over financial reporting is to fulfill these financial reporting responsibilities. 2. Efficiency and Effectiveness of Operations Controls within an organization are meant to encourage efficient and effective use of its resources to optimize the company's goals. An important objective of these controls is accurate financial and non-financial information about the entity's operations for decision making. 3. Compliance with Laws and Regulations Section 404 of the Sarbanes-Oxley Act requires all public companies to issue a report about the operating effectiveness of internal control over financial reporting. In addition to the legal provisions of Section 404, public, nonpublic, and not-for-profit organizations are required to follow many laws and regulations. Some relate to accounting only indirectly, such as environmental protection and civil rights laws. Others are closely related to accounting, such as income tax regulations and anti-fraud regulations such as the Foreign Corrupt Practices Act of 1977 and certain provisions of the Sarbanes-Oxley Act.
What 2 aspects of internal control must management assess when reporting on internal control to comply with Section 404 of the Sarbanes-Oxley Act?
Management's assessment of internal control over financial reporting consists of two key characteristics. First, management must evaluate the design of internal control over financial reporting. Second, management must test the operating effectiveness of those controls. When evaluating the design of internal control over financial reporting, management evaluates whether the controls are designed to prevent or detect material misstatements in the financial statements. When testing the operating effectiveness of those controls, the objective is to determine whether the control is operating as designed and whether the person performing the control possesses the necessary authority and qualifications to perform the control effectively.
When performing an integrated audit of a public company, what are the auditor's responsibilities related to internal control as required by PCAOB standards?
PCAOB Auditing Standard 5 requires that the auditor issue a report on the effectiveness of internal control over financial reporting. To express an opinion on internal controls, the auditor obtains an understanding of and performs tests of controls related to all significant account balances, classes of transactions, and disclosures and related assertions in the financial statements. PCAOB Auditing Standard 5 requires the auditor's independent assessment of the internal controls' design and operating effectiveness.
Section 404(a) of the Sarbanes-Oxley Act requires management to issue a report on internal control over financial reporting. Identify the specific Section 404(a) reporting requirements for management.
Section 404(a) of the Sarbanes-Oxley Act requires management of all public companies to issue an internal control report that includes the following: A statement that management is responsible for establishing and maintaining an adequate internal control structure and procedures for financial reporting and An assessment of the effectiveness of the internal control structure and procedures for financial reporting as of the end of the company's fiscal year.
The separation of operational responsibility from record keeping is meant to prevent different types of misstatements than the separation of the custody of assets from accounting. Explain the difference in the purposes of these 2 types of separation of duties.
Separation of operational responsibility from record keeping is intended to reduce the likelihood of operational personnel biasing the results of their performance by incorrectly recording information. Separation of the custody of assets from accounting for these assets is intended to prevent misappropriation of assets. When one person performs both functions, the possibility of that person's disposal of the asset for personal gain and adjustment of the records to relieve himself or herself of responsibility for the asset without detection increases.
What are the 5 components of internal control in the COSO internal control framework? What is the relationship among these 5 components?
The COSO Internal Control - Integrated Framework consists of the following five components: Control environment Risk assessment Control activities Information and communication Monitoring The control environment is the broadest of the five and deals primarily with the way management implements its attitude about internal controls. The other four components are closely related to the control environment. In the context of internal controls related to financial reporting, risk assessment is management's identification and analysis of risks relevant to the preparation of financial statements in accordance with accounting standards. Management implements control activities and creates the accounting information and communication system in response to risks identified as part of its risk assessment in order to meet its objectives for financial reporting. Finally, management periodically assesses the quality of internal control performance to determine that controls are operating as intended and that they are modified as appropriate for changes in conditions (monitoring). All five components are necessary for effectively designed and implemented internal control.
Management must identify the framework used to evaluate the effectiveness of i.c. over financial reporting. What framework is used by most US public companies?
The COSO Internal Control - Integrated Framework is the most widely accepted internal control framework in the U.S. The COSO framework, updated in 2013, describes internal control as consisting of five components that management designs and implements to provide reasonable assurance that its control objectives will be met. Each component contains many controls, but auditors concentrate on those designed to prevent or detect material misstatements in the financial statements.
What is meant by the control environment? What is the relationship between the control environment and other four components of internal control?
The control environment consists of the actions, policies, and procedures that reflect the overall attitudes of top management, directors, and owners of an entity about internal control and its importance to the entity. The control environment serves as the umbrella for the other four components (risk assessment, control activities, information and communication, and monitoring). Without an effective control environment, the other four are unlikely to result in effective internal control, regardless of their quality. However, all five components are necessary for effectively designed and implemented internal control.
List the types of specific control activities and provide one specific illustration of a control in the sales area for each control activity.
The five categories of control activities are: Adequate separation of duties Example: The following two functions are performed by different people: processing customer orders and billing of customers. Proper authorization of transactions and activities Example: The granting of credit is authorized before shipment takes place. Adequate documents and records Example: Recording of sales is supported by authorized shipping documents and approved customer orders. Physical control over assets and records Example: A password is required before an entry can be made into the computerized accounts receivable master file. Independent checks on performance Example: Bill clerk verifies prices and quantities on sales invoices before they are sent to customers.
Employee has been responsible for accounting-related matters for 2 years. He embezzled more than $500,000 over 10-year period by not recording billing in the sales journal and subsequently diverting the cash receipts. What major factors permitted the embezzlement to take place?
The most important internal control deficiency that permitted the defalcation to occur was the failure to adequately segregate the accounting responsibility of recording billings in the sales journal from the custodial responsibility of receiving the cash. Regardless of how trustworthy James appeared, no employee should be given the combined duties of custody of assets and accounting for those assets.
Explain how client internal controls can be improved through the proper installation of IT
The proper installation of IT can lead to internal control enhancements by replacing manually performed controls with computer-performed controls. ITbased accounting systems have the ability to handle tremendous volumes of complex business transactions cost effectively. Computer-performed controls can reduce the potential for human error by replacing manual controls with programmed controls that apply checks and balances to each transaction processed. The systematic nature of IT offers greater potential to reduce the risk of material misstatements resulting from random, human errors in processing. The use of IT-based accounting systems also offers the potential for improved management decisions by providing more and higher-quality information on a more timely basis than traditional manual systems. IT-based systems are usually administered effectively because the complexity requires effective organization, procedures, and documentation. That in turn enhances internal control.
Identify the typical duties within an IT function and describe how those duties should be segregated among IT personnel
The typical duties often segregated within an IT function include systems development, computer operations, and data control. Systems development involves the acquisition or programming of application software. Systems development personnel work with test copies of programs and data files to develop new or improved application software programs. Computer operations personnel are responsible for executing live production jobs in accordance with a job schedule and for monitoring consoles for messages about computer efficiency and malfunctions. Data control personnel are responsible for data input and output control. They often independently verify the quality of input and the reasonableness of output. By separating these functions, no one IT employee can make changes to application software or underlying master files and then operate computer equipment to use those changed programs or data files to process transactions
How do the COSO principles help an org. assess whether internal controls are designed and operating effectively?
The updated COSO Internal Control - Integrated Framework includes seventeen broad principles that provide more guidance related to the five COSO components. The components and principles are listed together in Table 11-1. According to the COSO guidance, all of these seventeen principles must be present and functioning in order for controls to be effective. In assessing whether internal controls are designed and operating effectively, management would want to ensure that all of the principles are present and functioning. For example, in considering whether monitoring controls are designed and operating effectively, management would want to perform periodic evaluations of the monitoring controls and also ensure that identified deficiencies are being communicated to those who can remediate those deficiencies.
Identify risks for extensive IT-based accounting systems
When entities rely extensively on IT systems to process financial information, there are risks specific to IT environments that must be considered. Key risks include the following: Reliance on the functioning capabilities of hardware and software. The risk of system crashes due to hardware or software failures must be evaluated when entities rely heavily on IT to produce financial statement information. Systematic versus random errors. Due to the uniformity of processing performed by IT-based systems, errors in computer software can result in incorrect processing for all transactions processed. This increases the risk of many significant misstatements. Unauthorized access. The centralized storage of key records and files in electronic form increases the potential for unauthorized online access from remote locations. Loss of data. Centralized storage of data in electronic form increases the risk of data loss in the event the data file is altered or destroyed. Visibility of audit trail. The use of IT often converts the traditional paper trail to an electronic audit trail, eliminating source documents and paper-based journals and records. Reduced human involvement. The replacement of traditional manual processes with computer-performed processes reduces opportunities for employees to recognize misstatements resulting from transactions that might have appeared unusual to experienced employees. Lack of traditional authorization. IT-based systems can be programmed to initiate certain types of transactions automatically without obtaining traditional manual approvals. Reduced segregation of duties. The installation of IT-based accounting systems centralizes many of the traditionally segregated manual tasks under the authority of the IT function now that those functions are mainly performed by the computer. Need for IT experience. As companies rely on IT-based systems to a greater extent, the need for personnel trained in IT systems increases in order to install, maintain, and use systems.
What 2 aspects of internal control must the auditor assess when performing procedures to obtain an understanding of i.c.?
When obtaining an understanding of internal control, the auditor must assess two aspects about those controls. First, the auditor must gather evidence about the design of internal controls. Second, the auditor must gather evidence about whether those controls have been implemented.
Pilot testing
a company's computer testing approach that involves implementing a new system in just one part of the organization while maintaining the old system at other locations
Parallel testing
a company's computer testing approach that involves operating the old and new systems simultaneously
Cloud computer environments
a computer resource deployment and procurement model that enables an organization to obtain IT resources and applications at an IT service center shared with other organizations from any location via an internet connection
Chart of accounts
a listing of all the entity's accounts that classifies transactions into individual balance sheet and income statement accounts
Internal control
a process designed to provide reasonable assurance regarding the achievement of management's objectives in the following categories: 1. Reliability of reporting, 2. Effectiveness and efficiency of operations, and 3. Compliance with applicable laws and regulations
Firewall
a system of hardware and software that monitors and controls the flow of e-commerce communications by channeling all network connections through a control gateway
Service center
an organization that provides IT services for companies on an outsourcing basis
Automated controls
application controls done by the computer