Internal Control- Edited

Flowchart (*F*IND)

(*F*IND) *Flowchart* - This is a *visual depiction* of the I/C structure that shows a *process from beginning to end* and indicates which departments or groups of employees are responsible for each function, what *documents* are used and how they are distributed and disposed of, and the *interaction* among departments or groups of employees. This form of documentation is particularly helpful in determining if there is *adequate segregation of duties* as well as *tracing* documents through the system. Flowcharting requires knowledge of specialized symbols but does a good job of giving the auditor a sense of the *flow and sequence of transactions* in the client entity. -Testing on the *CPA exam* has been *limited* to reading flowcharts and then answering conventional questions about strengths and weaknesses in the I/C structure, and has never involved their preparation. -Historically, exam questions have been written so that the candidate could understand flowcharts provided, even if they had no prior knowledge of the standard meaning of the various symbols, and we do not suggest using your valuable study time in an attempt to learn all the symbols.

Internal Control Questionnaire (ICQ) (F*I*ND)

(F*I*ND) *Internal Control Questionnaire (ICQ)* - *(ARRC) *This is usually in the form of a series of questions that can be answered with a simple *yes or no*. They are usually designed so that a *yes* answer indicates that a control is *properly in place* (strength) and a *no* answer indicates a *potential weakness.* An advantage is that it *easily identifies potential weaknesses in I/C* but it is *difficult to develop a complete and comprehensive questionnaire *and it is *difficult to obtain an understanding of the flow of the system using it*. -This is the most structured of the approaches and is the easiest for an inexperienced staff member in an audit to utilize. -It is also a very *popular* area of testing on the *CPA exam*

Narrative or Memorandum (FI*N*D)

(FI*N*D) *Narrative or Memorandum* - This form of documentation, often referred to as the *narrative approach*, is in the form of a *detailed written description* of the I/C structure. It generally describes the system in a manner *similar* to how it is depicted in a flowchart but with *words rather than symbols.* This makes it easier for a user to understand the flow of the system and the interrelationships among departments and employees that are part of it. It *does not* clearly indicate whether there is *adequate segregation of duties*, however, and it is often *difficult to visualize* the flow of documentation. -This approach can be cumbersome and is not commonly used. -It is tested very *infrequently* on the *CPA exam*

Decision table/tree (FIN*D*)

(FIN*D*) *Decision table/tree* - Parts of an I/C structure may require a client employee to *choose* from *several alternative actions* depending on the conditions faced, and documenting such activities. This may best be accomplished by preparing a *decision table* that lists *each possible condition* and the *actions* that will result from each *(depicts the logic of an operation or process)*. It uses *Yes/No questions* and each answer will direct the user to the next relevant question. This is, however, a *limited tool* that cannot effectively document the entire structure.

Internal Control Reports & Communications, F/S Audit (Continued)

*1. Internal Control Reports for a F/S Audit under GAAS* *Communicating I/C Related Matters Identified in an Audit of F/S (In connection with Nonpublic Companies)* The auditor obtains an understanding of a client's I/C as part of the understanding of the entity and its environment, for the purpose of assessing the risk of material misstatement (RMM) of the F/S and to determine the nature, timing, and extent of further audit procedures. During the course of obtaining that understanding, the auditor may become aware of deficiencies in I/C. AU-C 265 requires the auditor to communicate to those charged with governance and management deficiencies in I/C that, in the auditor's judgment, are sufficiently important to merit their attention. -"A deficiency in internal control exists *(Control deficiency)* when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent, or detect and correct misstatements on a timely basis." As indicated, a deficiency may be in *design or operation* -A *deficiency* in *design* occurs when either a needed control has not been put into place, or a control that has been put into place is not designed to mitigate the risk it was intended to address. -A deficiency in *operation* occurs when either a well-designed control is not operating as designed or the individual responsible for performing the control lacks the authority or ability to perform it effectively. In addition to deficiencies identified while the auditor is obtaining an understanding of I/C, the auditor may identify control deficiencies during risk assessment. When an auditor assesses RMM as moderate to high for a management assertion, it implies that either: -Inherent risk is high and of a nature that an effective control *could not* be designed and effectively put into operation. -Inherent risk is high and of a nature that an effective control *could* be designed and effectively put into operation, but that is not the case due to a deficiency in design or operation. When an auditor becomes aware of deficiencies in I/C, the auditor will evaluate them to determine if they amount to material weaknesses or significant deficiencies. -A *material weakness* is defined as "a deficiency, or combination of deficiencies, in I/C, such that there is a reasonable possibility that a *material misstatement* of the entity's F/S will not be prevented, or detected and corrected, on a timely basis." -A *significant deficiency* is defined as "a deficiency, or combination of deficiencies, in I/C that is *less severe than a material weakness* yet important enough to merit attention by those charged with governance."

Lecture 3.11 - Internal Control Reports & Communications, PCAOB Audit

*3. Audit of Internal Control that is Integrated with an Audit of F/S* When auditing the financial statements (F/S) of entities that report to the SEC under the 1934 act (issuers) and are subject to the requirements of the Public Company Accounting Oversight Board *(PCAOB)*, the auditor will have to also perform an audit of internal control over financial reporting *(ICFR)* that is Integrated with an audit of F/S in order to determine that management has complied with Rules 404a & b of the Sarbanes-Oxley Act of 2002. (AS 2201) -Rule 404a requires the annual report to include a report on internal control (I/C) indicating management's responsibility for I/C and management's assessment of I/C's effectiveness. -Rule 404b requires the auditor to report on management's assessment of I/C. -->The auditor does not report on the efficiency or the effectiveness of I/C but reports on management's assessment of it. -->The Act does not specify a date by which the auditor's report is to be submitted The standards for audits of ICFR under AU-C 940 were written to apply the guidance in PCAOB AS 2201 to nonissuers. The requirements and guidance are almost identical and, as a result, the information provided will reflect only those *differences* between AS 2201 and AU-C 940. One major difference is that AS 2201 is a requirement and auditors of issuers are required to perform an examination of I/C that is integrated with a financial statement audit, which expresses an opinion as of the date of the F/S. An examination under GAAS, however, is performed only if the auditor is engaged to do so. While most requirements are the same, under AS 2201, an auditor has greater responsibilities for the *communication*of I/C deficiencies: -*Material weaknesses* must be communicated to management and the audit committee in writing prior to the issuance of the auditor's report on ICFR. -*Significant deficiencies* identified by the auditor must also be communicated in writing to the audit committee prior to the issuance of the auditor's report on I/C. -The auditor should also communicate *control deficiencies* that are not significant deficiencies or material weaknesses to management in writing on a timely basis, prior to the issuance of the audit report on I/C. AS 2201 also provides slightly different definitions of control deficiencies and material weaknesses. -AS 2201 indicates that a control deficiency "exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements on a timely basis," while GAAS indicates a control deficiency as existing "when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent, or detect *and correct*, misstatements on a timely basis." -The definition of a material weakness is also different for the same reason. The only minor difference between an auditor's report on I/C prepared as a result of the GAAS standards and one issued as a result of AS 2201 is the definition of I/C, which uses the one provided with AS 2201.

Lecture 3.01 Internal Control

*AU-C 315, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatements* Requires the auditor to perform risk assessment procedures to *assess RMM* at *both* the: -*Financial statement level* -*Assertion level*. The *objective* is to identify and assess the RMM (fraud or error), at each level through *understanding* the entity and its environment, including *I/C*, for the purpose of: -providing a basis for *designing and implementing responses* to the assessed RMM.

F/S Assertions-Account Balances

*Account Balances* The next four assertions relate to *account balances*, amounts reported as of the date of the F/S, as generally presented on the *balance sheet* *(RACE)*. They are: -*Rights and Obligation*s - The entity has rights to those items reported as assets and liabilities are the obligations of the entity *(they are ours).* -*Allocation and Valuation* - All assets, liabilities, and equity related items are reported in amounts that are appropriate as of the date of the F/S *(Amount is correct)*. -*Completeness* - All assets, liabilities, and equity that should have been reported are included on the financial statement. -*Existence* - Assets, liabilities, and equity reported on the F/S exist as of the financial statement date *(They are real).* Of course, if an entity has a healthy balance sheet, it is running a good *RACE*.

Lecture 3.04 - Operating Cycles: Revenue Cycle (Continued)

*Another way to look at the assertions:* As indicated, the auditor's understanding of the system of I/C is to determine if the financial statement assertions are correct and may be relied upon. In relation to sales for events and transactions *(CPA-CO):* -*Completeness* - All sales that occurred were recorded. The auditor will evaluate whether prenumbered sales order forms are being used and if the sequence of forms is being accounted for in which case a gap in the sequence may indicate an unrecorded transaction. -*Period Cutoff* - All transactions are recorded in the appropriate period. The auditor will determine if there is a process for identifying when goods were shipped, in the case of goods sold with fob shipping terms, or received, in the case of goods sold with FOB destination terms, and if the accounting department has a process for making certain that sales are reported in the appropriate period. -*Accuracy* - All transactions are recorded in the appropriate amount. The auditor will determine if the recording of sales involves comparing the quantities on customer order forms to internally prepared sales order forms and to goods shipped as well as whether there is a process for checking the mathematical accuracy of documents. -*Classification (Sorted)* - Amounts reported as sales include only sales of the entity's goods or services in the ordinary course of business and do not include proceeds from transactions that should not appropriately be reported as sales. The auditor will evaluate whether there is a means of preventing transactions that are not with a customer and are not accompanied by appropriate sales forms from being included in sales. -*Occurrence* - Each recorded sale actually occurred. The auditor will evaluate whether those responsible for recording are required to have some form of verification, such as a sales order signed by the customer, to indicate that a sale actually occurred as a prerequisite for its being recorded. In relation to accounts receivable balances *(RACE):* -*Rights and obligations* - All amounts reported as accounts receivable are owed to the entity. The auditor will want to make certain that receivables are supported by sales orders and shipping documents indicating that the entity has met its performance obligations and is entitled to the payment. -*Allocation and Valuation* - The amounts reported represent the amounts that the entity is actually owed. The auditor will evaluate this in the same manner as accuracy for sales. -*Completeness* - All receivables are included in the amount reported. The auditor will evaluate this in the same manner as completeness for sales. -*Existence* - All reported accounts receivable are actual claims that resulted from sales. The auditor will evaluate this in the same manner as occurrence for sales. In obtaining an understanding, the auditor should consider activities that may occur outside of the entity. For example, the company may direct customers to send payments directly to a bank lockbox instead of to the company itself, thereby eliminating access to cash and checks by any of the employees in the revenue cycle. This obviously strengthens the I/C over cash receipts. *Segregation of Duties in the Revenue Cycle* For proper segregation of duties, *authorization* of transactions, the *recording* function, and *custody* of assets should be kept separate. -The functions of authorizing sales on account and authorizing credits to accounts receivable that may result from sales discounts, sales returns, sales allowances, or write offs, should be segregated. -The function of authorizing sales, recording accounts receivable, and having custody of inventory should be segregated. -The functions of the cashier who has *custody* of the cash, the *recording* of cash receipts, and preparing the bank reconciliation *(comparison)* should be segregated. In businesses that handle large amounts of cash during the normal course of operations, obtaining bonds (insurance and background searches) for employees who handle cash is a common practice. Employee knowledge that bonding companies often prosecute those accused of dishonest acts can act as an effective deterrent to theft and fraud. -Employees responsible for authorizing sales approval, issuance of credit memos and bad debt write-offs should be denied access to cash. *SEE PIC OF REVENUE CYCLE* -pg 3-30 -in electronic Audit book pg 314

Evaluating Controls- Assertion Level

*Assertion Level* Controls are also evaluated at the *assertion level*. When management is presenting F/S, there are various assertions *embedded* in which management is: -indicating that the financial information contains *certain characteristics*. When a misrepresentation may result in a *material misstatement* to the F/S, the assertion affected is considered a: -*Relevant Assertion*. The auditor is required to obtain *sufficient appropriate audit evidence* to support every *relevant assertion* by: -Demonstrating through the use of *tests of controls* that internal controls are sufficient to: -->*prevent* a material misstatement in regard to that assertion or -->to *detect and correct* such a misstatement on a timely basis; -Obtain evidence through substantive tests to demonstrate the information presented is free of material misstatement, regardless of the existence of internal controls; or -Some combination of those approaches, which is most frequently the case. *F/S ASSERTION LEVEL* -SEE NEXT SLIDE

*C*RIME-*C*ontrol Activities

*C*RIME-*C*ontrol Activities Control activities are the *policies and procedures* helping to ensure that *management directives are followed.* Whether automated or manual, they have various objectives and are applied at various levels. (GLEIM) The focus of *control activities* may be one of the following: *(PIPS)* *We want controls over:* *P*erformance reviews *I*nformation processing *P*hysical controls *S*egregation of duties -*(ARCC)*

*C*RIME-*C*ontrol Activities (Continued)

*C*RIME-*C*ontrol Activities (Continued) The auditor will also have to determine if control activities are *relevant* to the audit. Some will be relevant in the *professional judgment* of the auditor. This will be the case when the auditor *determines* that a control activity *reduces* the *RMM* in relation to a *management assertion* and: -The auditor has a basis for *testing* the control activity to determine if it was properly *designed* and being *applied* properly during the period under audit; and -The *nature, timing, and extent* of further audit testing can be *reduced* as a result of *relying* on the control activity if the tests of controls indicate that it is *effective*. There may also be certain risks that could result in a material misstatement to the F/S that *cannot* be evaluated on the basis of substantive evidence alone. Ex: for a class of transactions that are processed *automatically* with a minimum of manual intervention and where much of the information related to the *initiation, authorization, recording, processing, and reporting* is in *electronic form*. The reliability of information derived from such transactions would be dependent on the *controls* related to the *processing* of those transactions. COSO has indicated that there are *three principles* related to *control activities*. They indicate that management and those charged with governance: 1. Select and develop *control activities*; 2. Select and develop *general controls* over *technology*; and 3. *Deploy* controls through *policies and procedures.*

4. Tests of Controls (Develop an Audit Strategy)

*Develop an audit strategy to either:* -Perform tests of control to determine if CR is *below maximum*, reducing RMM below the level of IR and allowing for the modification of the nature, timing, and extent of further audit procedures (sub tests): or -Decide *not* to perform tests of controls, assessing CR *at the maximum level* as if the control did not exist, and measuring RMM as being equal to IR *Testing the substance of controls in this step* To test the effectiveness of the *design and operation* of a control (what is the *substance*?). The auditor must consider: -*how* the control was applied, -the *consistency* with which it was applied and -by *whom* it was applied. -*Testing the Cycles* for *ARCC's* by doing *RIIO* There are four Procedures for testing controls *(RIIO)* -*R*eperformance - The auditor applies the control that the client personnel presumably performed to determine if the procedure was performed properly. Reperformance, which also includes recalculation, may involve the auditor performing a reconciliation to determine if the result is the same as that derived by the entity or may involve re-footing an invoice to make certain that amounts have been calculated correctly. -*I*nspection - The auditor examines controls, documents and reports that provide documentary evidence. For example, the auditor might examine paid invoices to make certain they have been properly cancelled to avoid paying the same invoice more than once. -*I*nquiry - The auditor asks client personnel involved in controls to state how effectively certain controls were enforced. For example, the auditor might ask the accounting personnel if they handled any cash or signed checks during the year. -*O*bservation - The auditor watches client personnel performing their regular functions to see if they follow the controls that were designed and implemented. For example, the auditor might observe the distribution of pay checks to see if appropriate procedures for verifying employees are being followed. These different types of tests of controls can be very effective in determining if a system features appropriate *segregation of duties*. In general, however, the most effective type of test of control is *observation*. Items susceptible to misstatement due to error or fraud are generally identified by applying a *"What Could Go Wrong"* analysis, applied at the assertion level and taking into consideration the auditor's understanding of the entity's I/C. For example, the auditor may be evaluating the occurrence assertion in relation to sales. The following may result: -The auditor determines that, since sales personnel are highly incentivized by a liberal commission system, they may be motivated to overstate sales reported to the company and, as a result, reported by the company. -The response to the auditor's question: "What could go wrong?" is that sales personnel may submit paperwork for sales that did not actually occur. -The auditor will next try to determine if there are controls that would either prevent the recording of sales that did not occur or would cause them to be detected and corrected on a timely basis. -->The controls may be built into the system, which the auditor can determine by reviewing the documented understanding. -->Otherwise, the auditor will inquire as to whether management has considered the possibility and developed a separate control, of which the auditor is not yet aware, to deal with the issue.

(E BOOK)

*E* *R* *C* *I* *M* *(ERC-IM)* *The Control Environment*- Sets the tone of the organization. It is the *foundation* for all other components of internal control. It provides *discipline and structure*. Control environment factors include the *integrity, ethical values, and competence* of the company's people *Risk Assessment*- The purpose of risk assessment is to *identify and control* for those factors, events, and conditions that *may prevent* the organization from *achieving* its business *objectives*. Management should take steps to *identify risks*, *estimate* their *significance* and likelihood, and consider *how to manage* the risks. By setting management objectives, management can identify critical success factors and institute policies and procedures to help ensure that they are met. *Control Activities*- Are actions taken for the purpose of*preventing, detecting, or correcting* errors and frauds in transactions to eliminate, mitigate, or compensate for risks identified by management. *Information and Communication*- This component is closely related to the accounting information system. The accounting information system produces a trail of activities from the identification of data elements in a transaction all the way to the general ledger (i.e., financial reports). This trail of activities is referred to as the *audit trail.* You can visualize that the audit trail *begins* with the *source documents* (purchase orders, sales orders, etc.) and *proceeds* through to the *financial reports*. Auditors often follow this trail frontward and backward, identifying and testing relevant control activities along the way. They follow it backward from the financial reports to the source documents to determine whether everything in the financial reports is supported by appropriate source documents (the occurrence assertion). They follow it forward from source documents to reports to determine whether everything that happened (transactions) was recorded in the accounts and reported in the financial statements (the completeness assertion). *Monitoring*- The COSO framework recognizes that in order to allow for continuous improvements and consider changes in the entity's operating environment, management needs to *monitor its internal control systems.* According to COSO, a well-functioning monitoring system is characterized by *philosophies* such as the following: -Ongoing and separate evaluations. -Ongoing evaluations of controls that are separate from other types of evaluations (e.g., operational) enable management to determine whether the other components of internal control continue to function over time. -Reporting deficiencies. -Internal control deficiencies are identified and communicated in a timely manner to those parties responsible for taking corrective action and to management and the board as appropriate. *Two Principles of Monitoring Activities* 1. The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning. 2. The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.

Evaluating Controls- Entity Level

*Entity Level* Entity Level Controls are evaluated at the entity level, seeking assurance as to the: -*General Reliability of the Financial Reporting Process* ALSO: -the desire of the entity to *operate in an ethical environment* - to use systems and procedures to provide assurance to the *three primary objectives* of a system of I/C (ACE): *(ACE):* -*A*ccurate & reliable financial reporting -*C*ompliance with applicable laws and regulations -*E*fficient and effective operations

F/S Assertions-Events & Transactions

*Events & Transactions* The first five assertions relate to *events and transactions* that occurred during the period of audit, as generally presented on an entity's *income statement (CPA-CO)*. They are: -*Completeness* - All events or transactions pertaining to the entity that occurred have been reported. -*Period Cutoff* - All events and transactions have been reported in the appropriate period *(Everything is reported in the right Period)*. -*Accuracy* - The events or transactions have been reported in the appropriate amounts. -*Classification* - All events and transactions are included in appropriate accounts or categories. -*Occurrence* - The event or transaction, which pertains to the entity, did occur *(It happened)*. Just remember that if all revenue and expenses are properly reported, the *CPA-CO* will have no problem preparing your taxes.

Documentation of Internal Control Structure (Continued)

*Flowcharts & Narratives* Flowcharts and narratives are other potentially effective forms of I/C documentation. Both perform essentially the same function in that both a flowchart and a narrative generally describe each step in a cycle in sequence; identifies the party or department responsible for performing the procedure; indicates what forms enter the cycle, such as a customer's purchase order, or are created in the cycle, such as a material requisition form, how many copies are created, and how those copies are distributed; and most other aspects of the cycle. While the narrative uses a written description, however, the flowchart uses a diagram to describe the same process. -An advantage of the narrative is that it is easy to understand and often provides users a clearer view of the flow of a system and the interaction among the participants than other forms of documentation. Disadvantages, however, are that it is often difficult to identify whether responsibilities are properly segregated and it may be difficult to trace the flow of documents. -An advantage of flowcharts is that it is immediately clear whether there is appropriate segregation of duties and the flow of documents can be readily seen. A disadvantage is that, since most flowcharts are organized by department, the flow of a transaction may not be readily determinable. Candidates are often asked to identify strengths or weaknesses in I/C based on a narrative or a flowchart. These questions are best handled by the following process: -Examine each symbol in the flowchart or each sentence in the narrative. -Determine if the symbol or sentence represents a control activity *(PIPS)*. -Identify the assertion that the control activity relates to *(CPA-CO or RACE)*. -Evaluate whether the control activity is likely to be effective in providing assurance that an error or fraud will not cause a misrepresentation related to the assertion if the control activity is operating effectively. -Based on which of the components of the cycle is affected *(ARCC)*, ascertain that it is not being performed in the same department or by the same party performing an incompatible function. *SEE PG. 3-50 and GLIEM for Flowchart Symbols*

GAAS Audits

*GAAS Audits* Auditors of entities that *do not report to the SEC*, (*nonissuers*), are required to follow: -*GAAS*, issued by the *ASB* of the *AICPA*. and *require* the auditor to: - *obtain and document* an *understanding of the client's internal controls* in order to: -*assess the RMM*(IR xCR) of the F/S, and -then determine the *extent* to which *detection risk (DR)* must be reduced to reduce *audit risk* (AR) to an *acceptable level*. -When an auditor believes that the *N-T-E of substantive testing* can be *limited* as a result of effective I/C, the auditor must perform: -*tests of controls* to verify that they are operating effectively as *designed* and intended. ->-the auditor then draws a *conclusion* as to whether or not the controls can be *relied* upon for the *entire period* for which controls were tested.

Information processing

*Information processing -* Controls that prevent the processing of information unless *certain criteria are met.* Ex: the *matching* of certain documentation before recording a sale. In an IT environment, there are general controls that relate to the *overall operation of the system*, including: -the structure of the organization and access to information; and -the application of controls that relate to specific functions being performed.

Definition of Internal Control (GLEIM)

*Internal control*- a process effected by those *charged with governance*, management, and other personnel-*designed* to provide *reasonable assurance* regarding the achievement of *objectives* related to the following: *(ACE):* -*A*ccurate & reliable financial reporting -*C*ompliance with applicable laws and regulations -*E*fficient and effective operations

Lecture 3.07 - Operating Cycles: Investing, Financing, Production & Conversion

*Investing & Financing Cycle* The investing and financing cycle deals with transactions involving acquisition and disposal of assets other than inventory and transactions with creditors and shareholders. Lately the exam has done significant testing on Derivatives in the TBS section of the Audit exam. Substantive testing for derivatives will be covered in more detail in the audit evidence section. Since there are typically *very few transactions* in these areas in a typical year for a client, an auditor will often find it most efficient to *ignore the I/C structure* and simply test the few transactions that took place. In this case, the auditor will: -*Not* test the controls; -Assess risk of material misstatement at the *same level as inherent risk*, assuming that control risk is at the *maximum level*, generally resulting in a high RMM; and -*Reduce detection risk* by performing extensive substantive tests. In those less frequent cases where a large number of transactions have occurred, the auditor may find it more efficient to *rely on the I/C structure* rather than test the numerous transactions that took place. In this case, the auditor will: -*Test the controls* to determine their effectiveness; -Reduce the risk of material misstatement based on the results of the tests of controls; and -Accept *higher detection risk* by performing only limited substantive tests. As with the other cycles, the auditor is concerned with the relationship of the *I/C procedures to the management assertions on the F/S.* Examples of controls that support the assertions with regard to *investments* include *(PERCV):* -*P*resentation & Disclosure - The controller determines that securities are *classified* in the records correctly as trading securities, available-for-sale securities, or held-to-maturity securities, based on management decisions as to the intent of holding them. -*E*xistence or Occurrence - The treasurer *vouches* the agreement of *broker advices* on purchases with *cancelled checks*. -*R*ights & Obligations - Securities on hand *are examined* by senior management to ensure that they are *registered* in the name of the company. -*C*ompleteness & Cutoff - The internal auditor makes a *list of securities* in bank safe deposit boxes and *compares* them with the securities listed in the *records.* -*V*aluation, Allocation & Accuracy - The controller *compares* current market prices with the listed values of securities. Applying the *RACE* mnemonic for account balances: -*R*ights and obligations - Management examines investment securities to *verify that they are registered in the name of the entity* or *confirms* such with custodians of the investments. -*A*llocation and Valuation - The recorded values of investments are *periodically compared* to current market prices. -*C*ompleteness - The investments on hand and held by custodians are *periodically reconciled* to their recorded amounts. -*E*xistence - The entity maintains *physical custody* of investments in a secure physical location or they are *maintained in the custody of a trustee***, which can be confirmed. The procedures will typically be applied by management or other employees at a very high level, reflecting the extremely large value and great danger of fraud in connection with marketable securities. Requiring two officers to be involved in access is common. In fact, it is generally best to have an independent trustee maintain possession of securities so that they are safeguarded from all misappropriation by company employees. AU-C 501 presents guidance on auditing *derivative instruments*, hedging activities, and investments in both debt and equity securities. Applicable accounting standards are in the FASB Codification, Topic 815, *Derivatives and Hedging.* *Inherent risk* associated with investments, particularly marketable securities, is *generally high*, largely due to the fact that their value is readily determinable and they are frequently easily transferrable. *Inherent Risk Assessment (IR):* Factors affecting inherent risk in this area include: -Management's investment *objectives* -*Complexity* of the security or derivative instrument -Whether the transaction giving rise to the security involved cash -The entities with the security or derivative in question -Whether the derivative is *stand-alone* or an *embedded* feature of a separate agreement -External factors affecting management's assertions such as *credit, market and legal risks* -Evolving GAAP with respect to *derivatives and investments* -Reliance on *outside parties* -Assumptions about *future conditions*

Letter (Combined)

*LETTER (COMBINED)* *Combined Unmodified Audit Report on F/S and Unqualified I/C opinion (Issuer)* *Report of Independent Registered Public Accounting Firm* To the shareholders and the board of directors of Roger Company *Opinions on the Financial Statements and Internal Control over Financial Reporting* We have *audited* the accompanying balance sheets of Roger Company (the "Company") as of December 31, 20X8 and 20X7, and the related statements of income, stockholders' equity and comprehensive income, and cash flows for each of the years in the three-year period ended December 31, 20X8, and the related notes [and schedules] (collectively referred to as the "financial statements"). *We also have audited the Company's internal control over financial reporting as of December 31, 20X8, based on criteria established in Internal Control - Integrated Framework issued by COSO.* In our opinion, the financial statements referred to above present fairly, in all material respects, the financial position of the Company as of December 31, 20X8 and 20X7, and the results of its operations and its cash flows for each of the years in the three-year period ended December 31, 20X8 in conformity with accounting principles generally accepted in the United States of America. *Also in our opinion, the Company maintained, in all material respects, effective internal control over financial reporting as of December 31, 20X8, based on criteria established in Internal Control - Integrated Framework issued by COSO.* *Basis for Opinion* The Company's management is responsible for these financial statements, *for maintaining effective internal control over financial reporting, and for its assessment of the effectiveness of internal control over financial reporting, included in the accompanying [title of management's report]*. Our responsibility is to express an opinion on the Company's financial statements *and an opinion on the Company's internal control over financial reporting based on our audits*. We are a public accounting firm registered with the Public Company Accounting Oversight Board (United States) ("PCAOB") and are required to be independent with respect to the Company in accordance with the U.S. federal securities laws and the applicable rules and regulations of the Securities and Exchange Commission and the PCAOB. We conducted our audits in accordance with the standards of the PCAOB. Those standards require that we plan and perform the audits to obtain reasonable assurance about whether the financial statements are free of material misstatement, whether due to error or fraud, *and whether effective internal control over financial reporting was maintained in all material respects.* Our audits of the financial statements included performing procedures to assess the risks of material misstatement of the financial statements, whether due to error or fraud, and performing procedures that respond to those risks. Such procedures included examining, on a test basis, evidence regarding the amounts and disclosures in the financial statements. Our audits also included evaluating the accounting principles used and significant estimates made by management, as well as evaluating the overall presentation of the financial statements. Our audit of internal control over financial reporting included obtaining an understanding of internal control over financial reporting, assessing the risk that a material weakness exists, and testing and evaluating the design and operating effectiveness of internal control based on the assessed risk. Our audits also included performing such other procedures as we considered necessary in the circumstances. We believe that our audits provide a reasonable basis for our opinions. *Definition and Limitations of Internal Control Over Financial Reporting* A company's internal control over financial reporting is a process designed to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles. A company's internal control over financial reporting includes those policies and procedures that (1) pertain to the maintenance of records that, in reasonable detail, accurately and fairly reflect the transactions and dispositions of the assets of the company; (2) provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with generally accepted accounting principles, and that receipts and expenditures of the company are being made only in accordance with authorizations of management and directors of the company; and (3) provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use, or disposition of the company's assets that could have a material effect on the financial statements. Because of its inherent limitations, internal control over financial reporting may not prevent or detect misstatements. Also, projections of any evaluation of effectiveness to future periods are subject to the risk that controls may become inadequate because of changes in conditions, or that the degree of compliance with the policies or procedures may deteriorate. *Critical Audit Matters [if applicable]* [Include critical audit matters] Aaron & Co. CPAs We have served as the Company's auditor since 20X1. San Francisco, California, United States of America February 20X9 *Previously Reported Weaknesses under AS 6115* Under PCAOB AS 6115, the auditor of an issuer may be engaged to report on whether a previously reported I/C weakness continues to exist. In such an engagement, the auditor obtains reasonable assurance about whether the weakness continues to exist as of a date specified by management and issues a report to that effect. The standards for such an engagement involve: -Planning the engagement. -Obtaining an understanding of ICFR. -Testing and evaluating whether a material weakness continues to exist. -Form an opinion on whether a previously reported material weakness continues to exist.

Internal Control Reports & Communications, Attestation Engagement (Continued)

*LETTER 1* *Unmodified Opinion on I/C (Nonissuer)* *Independent Auditor's Report (Au-C 940)* To: Management, the Audit Committee and the Board of Directors *Report on Internal Control Over Financial Reporting* We have *audited* Asher Company's internal control over financial reporting as of December 31, 20XX, based on [identify criteria, such as those established in Internal Control—Integrated Framework issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO)]. *Management's Responsibility for Internal Control Over Financial Reporting* Asher Company's management is responsible for designing, implementing, and maintaining (DIM) effective internal control over financial reporting, and for its assessment about the effectiveness of internal control over financial reporting, included in the accompanying [indicate title of management's report]. *Auditor's Responsibility* Our responsibility is to express an opinion on Asher Company's internal control over financial reporting based on our audit. We conducted our examination in accordance with auditing standards generally accepted in the United States of America. Those standards require that we plan and perform the audit to obtain reasonable assurance about whether effective internal control over financial reporting was maintained in all material respects. An audit of internal control over financial reporting involves performing procedures to obtain evidence about whether a material weakness exists. The procedures selected depend on the auditor's judgment, including the assessment of the risks that a material weakness exists. An audit includes obtaining an understanding of internal control over financial reporting and testing and evaluating the design and operating effectiveness of internal control based on the assessed risk. We believe that the audit evidence we have obtained is sufficient and appropriate to provide a basis for our audit opinion. *Definition and Inherent Limitations of Internal Control Over Financial Reporting* An entity's internal control over financial reporting is a process effected by those charged with governance, management, and other personnel, designed to provide reasonable assurance regarding the preparation of reliable financial statements in accordance with [indicate the applicable financial reporting framework such as accounting principles generally accepted in the United States of America]. An entity's internal control over financial reporting includes those policies and procedures that (1) pertain to the maintenance of records that, in reasonable detail, accurately and fairly reflect the transactions and dispositions of the assets of the company; (2) provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with [the applicable financial reporting framework indicated above], and that receipts and expenditures of the entity are being made only in accordance with authorizations of management and those charged with governance; and (3) provide reasonable assurance regarding prevention, or timely detection and correction of unauthorized acquisition, use, or disposition of the entity's assets that could have a material effect on the financial statements. Because of its inherent limitations, internal control over financial reporting may not prevent, or detect and correct misstatements. Also, projections of any assessment of the effectiveness to future periods are subject to the risk that controls may become inadequate because of changes in conditions, or that the degree of compliance with the policies or procedures may deteriorate. *Opinion* In our opinion, Asher Company maintained, in all material respects, effective internal control over financial reporting as of December 31, 20XX, based upon [identify criteria]. *Report on Financial Statements* We have also audited, in accordance with auditing standards generally accepted in the United States of America, the [identify financial statements audited] of Asher Company, and our report dated [date of report, which should be the same dates as the report on ICFR] expressed [indicate nature of opinion]. G Ruiz, CPA San Francisco, CA [Date]

Lecture 3.11 - Internal Control Reports & Communications, PCAOB Audit (Continued)

*LETTER* *Unqualified Opinion on ICFR* (Used when separate reports are issued on F/S and I/C in a PCAOB audit.) *Report of Independent Registered Public Accounting Firm on Internal Control Over Financial Reporting* To the shareholders and the board of directors of ABC, Inc. *Opinion on Internal Control over Financial Reporting* We have *audited* ABC, Inc.'s internal control over financial reporting *as of* January 31, 20X8, based on criteria established in Internal Control-Integrated Framework issued by the Committee of Sponsoring Organizations of the Treadway Commission (the COSO criteria). In our opinion, the Company maintained, in all material respects, effective internal control over financial reporting as of December 31, 20X8, based on the COSO criteria. We also have audited, in accordance with the standards of the Public Company Accounting Oversight Board (United States) ("PCAOB"), the consolidated balance sheets of ABC, Inc. as of January 31, 20X8 and 20X7, and the related consolidated statements of income, shareholders' equity, and cash flows for each of the three years in the period ended January 31, 20X8 and our report dated March 26, 20X8 expressed an unqualified opinion thereon. *Basis for Opinion* ABC Inc.'s management is responsible for maintaining effective internal control over financial reporting, and for its assessment of the effectiveness of internal control over financial reporting, included in the accompanying [title of management's report]. Our responsibility is to express an opinion on the Company's internal control over financial reporting based on our audit. We are a public accounting firm registered with the Public Company Accounting Oversight Board (United States) ("PCAOB") and are required to be independent with respect to the Company in accordance with the U.S. federal securities laws and the applicable rules and regulations of the Securities and Exchange Commission and the PCAOB. We conducted our audit in accordance with the standards of the PCAOB. Those standards require that we plan and perform the audit to obtain reasonable assurance about whether effective internal control over financial reporting was maintained in all material respects. Our audit of internal control over financial reporting included obtaining an understanding of internal control over financial reporting, assessing the risk that a material weakness exists, and testing and evaluating the design and operating effectiveness of internal control based on the assessed risk. Our audit also included performing such other procedures as we considered necessary in the circumstances. We believe that our audit provides a reasonable basis for our opinion. *Definition and Limitations of Internal Control Over Financial Reporting* A company's internal control over financial reporting is a process designed to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles. A company's internal control over financial reporting includes those policies and procedures that (1) pertain to the maintenance of records that, in reasonable detail, accurately and fairly reflect the transactions and dispositions of the assets of the company; (2) provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with generally accepted accounting principles, and that receipts and expenditures of the company are being made only in accordance with authorizations of management and directors of the company; and (3) provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use, or disposition of the company's assets that could have a material effect on the financial statements. Because of its inherent limitations, internal control over financial reporting may not prevent or detect misstatements. Also, projections of any evaluation of effectiveness to future periods are subject to the risk that controls may become inadequate because of changes in conditions, or that the degree of compliance with the policies or procedures may deteriorate. W. Philipp, CPAs SF, CA March 26, 20X8

Internal Control Reports & Communications, F/S Audit (Continued)

*LETTER* *Written Communication to Management and Those Charged with Governance* (For communicating I/C-related matters identified in a F/S audit.) *Internal Control Report (F/S Audit)* To: Management, the Audit Committee and the Board of Directors (Governance) (Date: no later than 60 days after the report release date) In planning and performing our audit of the financial statements of ABC Company as of and for the year ended December 31, 20XX, in accordance with auditing standards generally accepted in the United States of America, we considered ABC Company's internal control over financial reporting (internal control) as a basis for designing our auditing procedures that are appropriate in the circumstances for the purpose of expressing our opinion on the financial statements, but not for the purpose of expressing an opinion on the effectiveness of the Company's internal control. Accordingly, we do not express an opinion on the effectiveness of the Company's internal control. Our consideration of internal control was for the limited purpose described in the preceding paragraph and was not designed to identify all deficiencies in internal control that might be significant deficiencies or material weaknesses and therefore, significant deficiencies or material weaknesses may exist that were not identified. However, as discussed below, we identified certain deficiencies in internal control that we consider to be *material weaknesses* [and other *deficiencies* that we consider to be significant deficiencies]. A deficiency in internal control exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent, or detect and correct, misstatements on a timely basis. A material weakness is a deficiency, or a combination of deficiencies, in internal control, such that there is a reasonable possibility that a material misstatement of the entity's financial statements will not be prevented, or detected and corrected, on a timely basis. We consider the following deficiencies to be material weaknesses in internal control: [Describe the material weaknesses that were identified and an explanation of their potential effects.] [A significant deficiency is a deficiency, or combinations of deficiencies, in internal control that is less severe than a material weakness, yet important enough to merit attention by those charged with governance. We consider the following deficiencies in the Company's internal control to be significant deficiencies.] [Describe the significant deficiencies that were identified and an explanation of their potential effects.] This communication is intended solely for the information and use of management, [identify the body or individuals charged with governance], others within the organization, and [identify any specified governmental authorities to which the auditor is required to report] and is not intended to be, and should not be used by anyone other than these specified parties. L. Rosenthal, CPA Santa Monica, CA April 8, 20XX

Internal Control Reports & Communications, Attestation Engagement (Continued)

*Letter 2* (Combined) *Combined Unmodified Opinion on I/C and an Unmodified Opinion on F/S (Nonissuer)* *Independent Auditor's Report* To: Management, the Audit Committee and the Board of Directors (Governance) *Report on the Financial Statements and Internal Control* We have *audited* the accompanying financial statements of Roger Company, which comprise the balance sheet as of December 31, 20XX, and the related statements of income, changes in stockholder's equity, and cash flows for the year then ended, and the related notes to the financial statements. *We also have audited Roger Company's internal control over financial reporting as of December 31, 20XX, based on [identify criteria].* *Management's Responsibility for the Financial Statements AND Internal Control Over Financial Reporting* Roger Company's management is responsible for the preparation and fair presentation of these financial statements in accordance with accounting principles generally accepted in the United States of America; this includes the design, implementation, and maintenance of effective internal control relevant to the preparation and fair presentation of these financial statements that are free from material misstatement, whether due to error of fraud. *Management is also responsible for its assertion about the effectiveness of internal control over financial reporting, included in the accompanying [title of management's report].* *Auditor's Responsibility* Our responsibility is to express an opinion on these financial statements *and an opinion on Roger Company's internal control over financial reporting based on our audits.* We conducted our audits in accordance with auditing standards generally accepted in the United States of America. Those standards require that we plan and perform the audits to obtain reasonable assurance about whether the financial statements are free of material misstatement *and whether effective internal control over financial reporting was maintained in all material respects.* An audit of financial statements involves performing procedures to obtain audit evidence about the amounts and disclosures in the financial statements. The procedures selected depend on the auditor's judgment, including assessment of the risks of material misstatement of the financial statements, whether due to fraud or error. In making those risk assessments, the auditor considers internal control relevant to the entity's preparation and fair presentation of the financial statements in order to design audit procedures that are appropriate in the circumstances. An audit of financial statements also includes evaluating the appropriateness of accounting policies used and the reasonableness of significant accounting estimates made by management, as well as evaluating the overall presentation of the financial statements. An audit of internal control over financial reporting involves performing procedures to obtain evidence about whether a material weakness exists. The procedures selected depend on the auditor's judgment, including the assessment of the risk that a material weakness exists. An audit of internal control over financial reporting involves obtaining an understanding of internal control over financial reporting and testing and evaluating the design and operating effectiveness of internal control over financial reporting based on the assessed risk. We believe that the audit evidence we have obtained is sufficient and appropriate to provide a basis for our audit opinions. *Definitions and Inherent Limitations of Internal Control Over Financial Reporting* An entity's internal control over financial reporting is a process effected by those charged with governance, management, and other personnel, designed to provide reasonable assurance regarding the preparation of reliable financial statements in accordance with [applicable financial reporting framework, such as accounting principles generally accepted in the United States of America]. An entity's internal control over financial reporting includes those policies and procedures that (1) pertain to the maintenance of records that, in reasonable detail, accurately and fairly reflect the transactions and dispositions of the assets of the entity; (2) provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with [applicable financial reporting framework, such as accounting principles generally accepted in the United States of America], and that receipts and expenditures of the entity are being made only in accordance with authorizations of management and those charged with governance; and (3) provide reasonable assurance regarding prevention, or timely detection and correction of unauthorized acquisition, use, or disposition of the entity's assets that could have a material effect on the financial statements. Because of its *inherent limitations*, internal control over financial reporting may not prevent, or detect and correct misstatements. Also, projections of any assessment of effectiveness to future periods are subject to the risk that controls may become inadequate because of changes in conditions, or that the degree of compliance with the policies or procedures may deteriorate. *Opinions* In our opinion, the financial statements referred to above present fairly, in all material respects, the financial position of Roger Company as of December 31, 20XX, and the results of its operations and its cash flows for the year then ended in accordance with accounting principles generally accepted in the United States of America. *Also in our opinion, Roger Company maintained, in all material respects, effective internal control over financial reporting as of December 31, 20XX, based on [identify criteria].* [Auditor's signature] [Auditor's city and state] [Date of the auditor's report]

Lecture 3.04 - Operating Cycles: Revenue Cycle

*Operating Cycles & the Flow of Transactions - Overview* An auditor *divides* the audit down into *different cycles* that make up the flow of transactions for the entire company. All related accounts within each cycle are *audited together*. Within each cycle, the auditor is concerned with *what each specific employee does*, the *documents* they handle and how each document *relates to the segregation* of *ARCC* (Authorization, Recording, Custody and Comparison). Controls have a function of either *Preventing* misstatements before they occur (most effective) or *Detecting and Correcting* misstatements that have already occurred (less expensive to implement, but could detect too late). In obtaining an understanding of an entity's I/C, the auditor will identify the different *types of transactions or events* that occur on an ongoing basis and that affect the entity's operations or its financial position. The auditor will then obtain an understanding of various components and in particular: -Initiation (*S*tart) - The auditor should determine what event or circumstance *initiates a transaction*. -->Sales transactions, for example, may be initiated when the entity's sales force make calls to their regular customers or when customers call in orders as they identify their needs. -*A*uthorization - Before an entity will commit resources to meet its obligations in a transaction or to respond to an event or circumstance, it will want to determine that the *counterparty* to the transaction is a *legitimate party* with the *intent and ability to perform* or that the *event or circumstance is real.* -*C*ompletion or execution - The entity should have policies and procedures to make certain that its obligations in transactions and its responses to recurring events and circumstances are being performed in *accordance with management's directives.* -->This will include the *flow of documents, services, goods, and other resources* throughout the system. -*R*ecording - The entity should have a system for making certain that all transactions, events, or circumstances that affect operations or financial position are *properly captured and reflected in the entity's financial records.* -Verifications (*E*valuate *D*efenses) - Each system should have *checks and balances* to make certain that each function within the system is *performed properly and in the appropriate sequence.* -->This may involve policies such as those requiring the shipping department to *compare* a customer's purchase order with an internal sales order and to a list of goods transferred from stores before shipping the goods. -->It may also involve accounting for the *sequence of prenumbered documents*, checking for *authoritative signatures*, or periodically *reconciling* recorded amounts to physical assets. These verifications may occur throughout a system It should be easy to remember that a good system of I/C is *SACRED* to a business. When the auditor obtains an understanding of each of the systems applied to recurring transactions, often referred to as cycles, *the auditor is concerned with:* -what *each* specific employee *does*, -the *documents they handle*, and -whether there is appropriate *segregation of duties.* The duties to be segregated are the *authorization* of transactions, the *recording* of those transactions, *custody* of the resources that are associated with that transaction, and *comparison* or reconciliation of the recorded amounts to the physical resources *(ARCC)*. Some controls are considered *PREVENTATIVE*, designed to *minimize the possibility that misstatements will occur.* Although a preventative approach has the tendency to be the *most effective*, it is not always feasible to develop controls that will be effective at preventing a misstatement, particularly one that results from fraud, and in many cases, the cost of developing an effective preventative control will exceed the benefit that can be derived from it. Other controls are designed to be *CORRECTIVE* in that they are designed to *identify misstatements* that may occur due to errors or fraud and establish a means of *correcting them* on a timely basis. These, of course, have their limitations in that they *may not be effective* for a fraudulent misstatement that is cleverly concealed and may identify a misstatement after a negative impact has already occurred.

PCAOB Audits

*PCAOB Audits* Auditors of entities that *do report to the SEC*, (*issuers*), are also required to obtain an understanding of I/C. Like auditors of nonissuers, they are required to *obtain and document the understanding* in order to: -*assess RMM* of the F/S, and -*plan* and *perform* the audit. *Sarbanes-Oxley* requires an *integrated audit* of both internal control over financial reporting *(ICFR)*and of the F/S. As a result, in addition to obtaining sufficient evidence to support the auditor's CR assessment, the auditor is required to *obtain sufficient evidence* to support an *opinion on ICFR* as of a *specific point in time*, the date of the F/S.

*C*ontrol Activities

*PIPS* and *ARCC*

Performance reviews

*Performance reviews -* Controls involving the evaluation of performance against some *criteria* such as: -comparing *actual* amounts to *budgeted* amounts, -comparing *current* period results to those of *prior years*, or -evaluating *financial data* in relation to *nonfinancial* data.

Physical controls

*Physical controls -* Controls that limit access to assets.

F/S Assertions-Presentation of the F/S & Disclosure

*Presentation of the F/S & Disclosures* The final five assertions relate to the presentation of the F/S and the financial statement disclosures *(RACOU-n)*. They are: -*Rights and Obligations* - All information presented and disclosed is related to events, transactions, and other matters that pertain to the entity *(It all Took place)*. -*Accuracy and Valuation* - Both financial and nonfinancial information is fairly presented, properly disclosed, and provides appropriate amounts *(We Know it is all correct)*. -*Completeness* - All information that should be presented is disclosed *(It is All included)*. -*Occurrence* - Disclosed events, transactions and other matters have occurred and pertain to the entity -*Understandability and Classification* - Financial information is appropriately presented and described and disclosures are expressed in a clear manner *(Everything is Clear)*. *RACOU-n's* are always presenting and disclosing my garbage at night!!

Lecture 3.05 - Operating Cycles: Spending Cycle

*Purchases/ Accounts Payable / Cash Disbursements* The *spending cycle* of a business consists of: -ordering goods or services, -receiving or using them, and -paying for them. In order to properly segregate the incompatible functions of *authorization, recording, and custody*, the activities may include specific employees with each of the following duties: -*Purchasing manager* - Approves purchase requests before they are processed and negotiates terms with vendors *(authorization)*. -*Purchasing* clerk - Places orders with vendors *(recording)*. -*Receiving clerk* - Receives delivery of goods from vendors *(custody)*. -*Payables clerk* - Prepares payment voucher which is the basis for authorizing the issuance of a check to the vendor after verifying the accuracy of the vendor invoice and comparing supporting documents *(recording)*. -*Payables manager* - Oversees the Posting of vouchers to appropriate purchase records *(recording)*. -*Treasurer* - Signs and mails check for payment *(custody)*. -*Shipping department*- - Sends goods back to vendors when goods are nonconforming or a right to cancel an order is being exercised by the company *(custody)*. The *documents* most often discussed on the exam include: -*Purchase requisition* - The internal request by the department in need for goods to be ordered by the purchasing department. -*Purchase order* - The external form mailed to the vendor to request that goods be delivered to the company. -*Receiving report* - The document prepared in the receiving department and signed by the carrier to acknowledge the goods that have been delivered to the company. -*Purchase (vendor) invoice* - The document received from the vendor indicating the goods the vendor claims to have shipped. This is the same document that is known as the sales invoice when considered from the vendor's side of the transaction. -*Invoice register* - A book listing invoices received from vendors. -*Payment voucher* - The document prepared by the payables clerk to request that a check be issued for payment to a vendor. -*Purchase journal(or voucher register)* - A book listing all of the payment vouchers generated by the company. There are certain issues involving the various purchase documents that are commonly repeated on the exam: -When the *purchase order* is prepared by the purchasing clerk to send to the vendor, additional copies of the order are sent to the receiving department to authorize them to accept delivery of the goods and the payables department to enable them to do appropriate comparisons later. The receiving department copy does *not include quantities* for the goods ordered so as to ensure that the receiving department will perform an independent count of the goods delivered instead of relying on the purchase order numbers. The payables clerk compares the purchase order and receiving report with the vendor invoice to ensure they agree before preparing the payment voucher. -The *check* for payment is usually prepared by a clerk in the treasury department who doesn't have signature authority. They will provide the unsigned check along with the payment voucher and supporting document to the treasurer for signature. The treasurer makes sure the check agrees with the voucher and other documents before signing. *Immediately after signing*, the treasurer cancels the supporting documents (so that they won't accidentally be processed again at a later time), places the check in the envelope, seals it, and arranges for mailing.

Internal Control Reports & Communications, Attestation Engagement (Continued)

*Report Modifications* There are several reasons that an auditors report on ICFR may be modified. Examples include: -The identification of material weaknesses -An incomplete or improper management report -A scope limitation -Reference to the report of a component auditor -The inclusion of other information in management's report *Material Weaknesses* Unless there is a limitation on the scope of the engagement, when material weaknesses are identified, the auditor will express an adverse opinion on the effectiveness of an entity's ICFR. The report will include a definition of a material weakness and a statement that one or more material weaknesses have been identified. -The report will also identify material weaknesses described in management's assessment of ICFR. -When material weaknesses identified by the auditor are not included in management's assessment, the report will be modified to so indicate. The auditor will also determine the impact, if any, on the opinion on the financial statements and should disclose whether or not the opinion has been affected. -This may be disclosed in an other-matter paragraph; or -It may be disclosed in the paragraph identifying the material weakness that was omitted from management's assessment. The report will include all of the same components as an unmodified report up through the section providing the definition of ICFR and its inherent limitations. Instead of an opinion paragraph following, the remainder of the report will appear as follows: *Basis for Adverse Opinion* A material weakness is a deficiency, or a combination of deficiencies, in internal control over financial reporting, such that there is a reasonable possibility that a material misstatement of the entity's financial statements will not be prevented, or detected and corrected, on a timely basis. The following material weakness has been identified and included in the accompanying [title of management's report]. [Identify the material weakness described in management's report.] *Adverse Opinion* In our opinion, because of the effect of the material weakness described in the Basis for Adverse Opinion paragraph on the achievement of the objectives of [identify criteria], Asher Company has not maintained effective internal control over financial reporting as of December 31, 20XX, based upon [identify criteria]. *Report on Financial Statements* We have also audited, in accordance with auditing standards generally accepted in the United States of America, the [identify financial statements audited] of Asher Company, and our report dated [date of report, which should be the same dates as the report on ICFR] expressed [indicate nature of opinion]. We considered the material weakness identified above in determining the nature, timing, and extent of audit procedures applied in our audit of the 20XX financial statements, and this report does not affect such report on the financial statements. G Ruiz, CPA San Francisco, CA [Date] *Incomplete or Incorrect Management Report* Management's report may be missing one or more of the elements required to be included by auditing standards. When this is the case, the auditor will request that management revise the report. If management refuses to do so, the auditor will include an other-matter paragraph describing the reason the auditor considers the report deficient. If management's report neglects to dislose one or more material weakness, the auditor will issue an adverse opinion. *Scope Limitations* When a scope limitation is imposed on the auditor after acceptance of the engagement, the audior should either withdraw from the engagement or express a disclaimer of opinion. If the scope limitation consists of the client's refusal to provide an assertion regarding the effectiveness of ICFR, the auditor is required to withdraw and will only issue a disclaimer if not allowed to withdraw as a result of law or regulation. When an auditor issuing a disclaimer of opinion on ICFR has identified one or more material weakness, the disclaimer should define a material weakness and provide a description of any material weaknesses identified. *Making Reference to the Report of a Component Auditor* When an entity includes one or more components, the ICFR of which was audited by a component auditor, the auditor responsible for the report, the engagement auditor, will use the same criteria in determining whether or not to refer to the report of the component auditor as used when reporting on the audit of group F/S. Reference should not be made to a component auditor unless the engagement auditor is satisfied that the component auditor conducted an audit in accordance with GAAS, or with the provisions of the PCAOB, if appropriate; and that the component auditor has issued a report on ICFR that is not restricted. *Additional Information in Management's Report* In some circumstances, management's report, or the document containing management's report, will also include additional information. When this is the case: -The auditor should disclaim an opinion in reference to the additional information; and -The auditor should read the additional information to make certain that it does not contain information that is inconsistent with management's report or a misstatement of fact.

Risk assessment procedures

*Risk assessment procedures:* Procedures designed to provide the auditor with an *understanding* to enable the auditor to effectively *assess the RMM* of the F/S. *(AIIO)* -*Analytical procedures* (Using high level data) -*Inquiries* of management and others within the entity, including inquiries of internal auditors. -*Inspection* (of documents and records) -*Observation* (the application of specific controls)

Segregation of duties

*Segregation of duties -* Controls that involve assigning different people responsibilities for: -*A*uthorization of transactions -*R*ecording (posting) of transactions -*C*ustody of assets -*C*omparisons (reconciliations) It is intended to reduce the opportunities to allow any person to be in a position to both perpetrate and conceal errors or fraud in the normal course of their duties *(ARCC)*

Lecture 3.06 - Operating Cycles: Personnel & Payroll (Continued)

*Service Organizations* Many companies use various types of service bureaus to assist them with the processing of routine transactions. Certain transactions, like payroll, may require a particular expertise and can often be processed more efficiently by an entity that specializes in that type of transaction. One of the most common types of service bureaus processes the payroll of various customer entities. When an entity uses one of these service bureaus, also referred to as *service organizations*, AU-C 402, Audit Considerations Relating to an Entity Using a Service Organization, provides guidance as to the impact on an audit. It defines a service organization as *"an organization or segment of an organization that provides services to user entities that are relevant to those user entities' internal control over financial reporting."* The objective of the *"user auditor"* (the auditor of the client using the services of the service organization) are to: -*obtain an understanding of the nature and significance of the services provided*, and -*evaluate their effect on the user entity's I/C* in order to assess the risks of material misstatement, and to *design and perform audit procedures* responsive to those risks. Since the auditor is not in a position to examine the activities of such an outside organization, they will often need to *rely on reports of the auditor of the service organization* itself, referred to as the *service auditor*. The service auditor will usually issue a report on the I/C structure that the auditor may consider in assessing the I/C structure of the client. The report on I/C structure by the service organization's auditor will describe the *services of the organization* that are covered by the report and a *description of the auditor's procedures.* This will enable the auditor of one of the service organization's customers to understand the overall impact of the service organization's work on the I/C structure of the customer. *Before relying on such a report*, the auditor should be satisfied as to the *competence and independence* of the *service auditor*, and the *adequacy* of the *standards* under which the *report was issued.* The report of the service organization's auditor will assist the customer's auditor in gaining an understanding of the I/C structure of the customer, to the extent it depends on the service organization's work. This *will not*, however, be considered a *basis for determining the effectiveness of the customer's I/C structure*, so the use of the report is *not a division of responsibility.* As a result, there must be *no* reference to the auditor of the service organization in the audit report on the F/S of the customer Transactions processed by *service organization* (payroll processing) (AU-C 402/AT-C 320) *-*TofC in place at client. *-*TofC in place at service organization by another auditor. -->Report on whether controls have been implemented and controls operating effectiveness. *-*Get report from the other Auditor (service auditor). -->*Expresses an opinion* on management's assertions regarding: ---->Management's description of the service organization's system fairly presents the system that was designed and implemented during the period. ---->The controls related to the control objectives stated in management's description were suitably designed and operated effectively during the period. -->The report also includes a description of the tests of controls and the results of those tests that were performed by the service auditor. -->Description of the Scope and nature of procedures performed. -->ID party specifying objectives. -->ID purpose of engagement. -->ID parties Intended use. *-*A service auditor should inquire of management about subsequent events. As part of obtaining an understanding of the internal controls of a client using a service organization, the auditor should obtain an understanding as to how the client uses the service organization. The understanding will include: -The nature of the services provided; -The significance of the services to the user entity; -The effect on the user entity's I/C; -The nature and materiality of transactions that are processed by the service organization; -Interaction between the activities of the user entity and of the service organization; -The nature of the relationship between the entities; and -Contractual terms for activities performed by the service organization.

FROM E BOOK

*The basic sequence of activities and accounting in a revenue and collection cycle is:* a. Receiving and processing customer orders. Entering data in an order system and obtaining a credit check. b. Delivering goods and services to customers. Authorizing release from storekeeping to shipping to customer. Entering shipping information in the accounting system. c. Billing customers, producing sales invoices. Accounting for accounts receivable. d. Collecting cash and depositing it in the bank. Accounting for cash receipts. e. Reconciling bank statements.

Internal Control Reports & Communications, F/S Audit (Continued)

*Two factors* that the auditor will consider when evaluating a control deficiency to determine if it is a *significant deficiency* or a *material weakness*, are *probability and magnitude*. In general, when a control deficiency exists, the auditor evaluates the likelihood that it will result in a *misstatement to the F/S*. The likelihood of a misstatement might be: -*Remote* -*Reasonably possible* -*Probable* In addition, the magnitude of misstatement that might result might be either: -*Immaterial* -*Material* Clearly, a deficiency in a control that should prevent, or detect and timely correct, a misstatement that would not be material and is only remotely likely to occur would be neither a significant deficiency nor a material weakness. A deficiency in a control that should prevent, or detect and timely correct, a misstatement that would cause the F/S, taken as a whole, to be materially misstated and is probably going to occur would clearly be a material weakness. Evaluation of anything in between is a matter of auditor judgment. If an auditor determines that a deficiency, or combination of deficiencies, is not a material weakness, the auditor should consider if prudent officials, having the same knowledge of the facts and circumstances, would draw the same conclusion. *Material weaknesses* are indicated by: -*Ineffective oversight* by those charged with governance. -*Restatements* of prior years' F/S due to *material misstatements* due to error or fraud. -Material misstatements that would have not been detected by the company's I/C, but were *identified by the auditor.* -*Fraud by senior management*, whether material or immaterial. Although identifying such deficiencies is *not an objective* of the audit, the auditor must *notify* the client, *management and those charged with Governance (board, audit committee)*, in writing of any *significant deficiencies or material weaknesses* that come to the auditor's attention. This requirement includes significant deficiencies and material weaknesses that were previously communicated and have not yet been resolved. The communication is best made by the report release date, but should be made no later than *60 days* after the report release date. They may also be communicated during the audit, if the auditor sees fit. The communication of *significant deficiencies and material weaknesses* is required to be in writing. The written communication should: -State that the *purpose* of the audit was to report on the F/S and not to provide assurance on the effectiveness of I/C. -Indicate that the auditor is not expressing an opinion on the effectiveness of I/C. -Include a statement that the auditor's consideration of I/C was not designed to identify all significant deficiencies or material weaknesses. -Include the *definition* of material weaknesses and, if applicable, significant deficiencies. -Identify which matters noted are considered significant deficiencies and which are material weaknesses. -State that the communication is intended solely for management, those charged with governance, and others within the organization, and is NOT intended for any others *(Limited Use statement)*. A written report indicating that no material weaknesses were identified may be issued; however, a written report indicating that no significant deficiencies were identified may not be issued. *Those charged with Governance* is defined as the persons with responsibility for overseeing the strategic direction of the entity and obligations related to the accountability of the entity. This may include the board of directors and audit committee. The I/C report is generally issued to Management and those charged with Governance. In addition to the written communication to governance, per the clarity standards, the auditor is required to provide the following to an appropriate level of management on a timely basis: -A written communication indicating significant deficiencies and material weaknesses that the auditor intends to communicate to the audit committee or those charged with governance. -A written or oral communication indicating other deficiencies in I/C that: -->Have not been communicated to management by others -->Are sufficiently important to merit management's attention

Internal Control Steps 2,3,4

1. Prepare for the audit *2. Obtain understanding of client, its environment & I/C* *3. Assess RMM & design further procedures* *4. Perform tests of controls* 5. Perform substantive procedures 6. Form opinion 7. Issue report

Lecture 3.10 - Internal Control Reports & Communications, Attestation Engagement

2. Audit of Internal Control Integrated with Audit of F/S under GAAS AU-C 940, An Audit of Internal Control Over Financial Reporting (ICFR) that is Integrated with an Audit of Financial Statements, provides guidance to be applied by the auditor of a *nonissuer* when accepting an engagement to report on the entity's internal controls. Whereas an auditor of a nonissuer may accept such an engagement but is not required to do so, an audit of an issuer under PCAOB standards requires the auditor to perform an integrated engagement and report on internal controls. -The auditor will normally examine the *effectiveness* of ICFR as of the end of the entity's fiscal year. -->The examination may be as of a different date, which should correspond to the date of the balance sheet being audited. -->The examination may be for the period of time covered by the financial statements (F/S) being audited. -In all cases, the engagement should only be performed for an examination that is integrated with an audit of the entity's F/S, including the use of the same measure of *materiality*. The objective of an examination is to *form an opinion* as to the *effectiveness* of ICFR. The auditor obtains a written assertion from management as to the effectiveness of ICFR. Management's refusal to provide such an assertion is a scope limitation that cannot be overcome. -The accountant should withdraw from the integrated engagement if allowed to do so by law or regulation. -If not allowed to do so, the auditor will issue a disclaimer of opinion. In an integrated engagement, the auditor is required to obtain *sufficient appropriate evidence* to obtain *reasonable assurance* as to whether *material weaknesses* exist as of the date of management's assertion. In performing the examination, the auditor uses the same criteria as management uses in evaluating the effectiveness of ICFR. -ICFR cannot be effective if one or more material weaknesses exist. -A material weakness may exist even though the F/S are not materially misstated. -The auditor is not required to search for I/C deficiencies that are not material weaknesses. An engagement to examine I/C may only be accepted if management agrees to certain conditions: -Accepting responsibility for the effectiveness of I/C. -Evaluating I/C effectiveness using suitable and available criteria. -Supporting its assertion about the effectiveness of I/C with sufficient appropriate evidence. -Providing its assertion regarding the effectiveness of I/C in a report accompanying the auditor's report. An integrated audit is planned and performed to meet the objectives of both the audit of the entity's F/S and the examination of the entity's ICFR. As a result, tests of controls should be designed to provide sufficient appropriate evidence to support: -The auditor's opinion on the effectiveness of I/C as of the end of the period. -The degree to which the auditor has decided to rely on the entity's I/C to reduce the assessed risk of material misstatement. The planning of the examination takes into account the auditor's risk assessment, used to identify significant accounts and disclosures, as well as relevant assertions. The auditor should also evaluate whether controls address risks of fraud, including those identified in the discussion among engagement staff held as part of the audit. -As is true in the audit, the auditor pays more attention to those areas representing greater risk. -Tests of controls would not be performed when a deficiency in a control would not cause a material misstatement to be more than remote. In both the audit of the F/S and the examination of I/C, the auditor uses a *top-down approach*: -First, the auditor assess risk at the financial statement level. -->Incorporates use of the auditor's overall understanding of I/C. -->Concentrates on *entity level controls*, including controls over: ▪ The control environment ▪ Management override ▪ Company's risk assessment process ▪ Monitoring results ▪ Assessing business risk ▪ Monitoring the activities of the audit committee ▪ The period-end financial reporting process. -Next, the auditor directs attention to significant accounts and disclosures and their relevant assertions. -->Attention is directed to accounts, disclosures, and assertions that present a greater than remote possibility of material misstatement. -->The understanding of risks in the entity's processes is verified, often through the performance of *walkthroughs:* ▪ May include Reperformance or recalculation, inquiry, inspection of documents and observation *(RIIO)*. The auditor identifies potential deficiencies in design or operation. -Controls that address risks of material misstatement in each of the relevant assertions is selected for testing: -->The auditor performs tests of the effectiveness of both the design and the operation of controls. -->Testing designed to provide evidence appropriately based for the degree of risk represented by a potential deficiency

Inherent Limitations

A system of I/C can be designed to provide only *reasonable assurance* of achieving an entity's objectives. That is, even with an effective system of I/C, the following *inherent limitations (COCO)* may result in failures (ie, fraud and error): *Collusion* - Control activities that depend on segregation of duties will not be effective if those engaged in the segregated functions conspire with one another. *(Fraud)* *Override by management* - Since management designs and implements the system of I/C, it is in a position to override it. *(Fraud)* *Competency/Human error* - If control procedures are erroneously applied, they will not be effective. I/C cannot be expected to prevent mistakes in human judgment. *(Error)* *Obsolescence*

Advantages and disadvantages of using (FIND)

Advantages and disadvantages of using *(a)* an internal control questionnaire, *(b)* a narrative memorandum, and *(c)* a flowchart are: *(a) Advantages of an internal control questionnaire:* · Is easy to complete. · Has checklist of questions. · Decreases chance of overlooking something important. *Disadvantages:* · May contain numerous irrelevant questions. · Tends to be treated like another form to fill out. *(b) Advantages of a narrative memorandum:* · Can explain the precise controls applicable to the particular client (precise tailoring). · Requires penetrating analysis. · Minimizes tendency toward perfunctory review. *Disadvantages:* · Is difficult to write and often lengthy. · Is difficult to revise in subsequent years. *(c) Advantages of flowchart:* · Provides graphic presentation of systems. · Shows the steps required and the flow of forms and documents. · Is easy to read and analyze. · Is easy to update in subsequent years. *Disadvantages:* · Takes a significant amount of time to complete. · Can be quite complex, requiring specific skills to complete.

Lecture 3.08 - Documentation of Internal Control Structure

An auditor is *required* to document the understanding of a client's internal control (I/C). There is no specific means of documentation required and the auditor may select any method, or combination of methods, that best suits the needs of the auditor in being able to apply the understanding to result in an audit that is both efficient and effective. *Internal Control Questionnaire* One common form of documentation is the internal control questionnaire (ICQ). A questionnaire always phrases questions in a form that requires a *yes or no* answer for each question, with a yes answer indicating the presence of a potentially useful control, and a no response indicating a weakness. This is consistent with the emphasis of the auditor on finding *strengths* in the system to rely on. A well-designed questionnaire will include questions related to each of the different types of *control activities* (from the *PRAISE* mnemonic) that may be utilized in an I/C structure. There is no perfect questionnaire that can be memorized for the exam, but the following list includes questions that can be adapted to individual TBS types of questions (these questions should be made more precise by referring to documents and personnel that are used in the specific department that is being tested). For each of the six activities, two potential questions are provided, since recommended solutions usually have contained around 12 questions spread over all the activities *(PRAISE)*: -*P*hysical controls - Is proper security maintained over valuable department assets? Are there adequate safeguards over unused documents? -*R*ecording - Are transactions documented as to all relevant terms and descriptions? Are documents prenumbered and periodically accounted for? -*A*uthorization - Are transactions authorized by personnel at least one level above the request level? Are the third parties involved in transactions approved in advance? -*I*ndependent checks - Are documents compared to verify their agreement before transactions are executed? Are records periodically reconciled to related documents? -*S*egregation of duties - Is the principal function of the department (Authorization, Recording, or Custody) independent of each of the other two functions? -*E*valuate performance - Are there written department policies and procedures? Are unusual or uncompleted transactions periodically investigated? ->*Segregation of duties* - Are the principal functions of each process, authorization, recording, custody, and comparison *(ARCC)* independent of one another? -->*A*uthorization - Are transactions authorized by personnel at least one level above the request level? -->*R*ecording - Are transactions documented as to all relevant terms and descriptions? Are documents prenumbered and periodically accounted for? -->*C*ustody of assets - Is custody limited to those with a need to have access? Are those with access subjected to bonding or appropriate background checks? -->*C*omparison - Are physical assets periodically reconciled to recorded amounts? Are normal activities, such as bank deposits, subject to comparisons of recorded amounts to support documents, such as comparing daily deposits to remittance listings or reconciling amounts in cash registers?

Lecture 3.03 Understanding the Internal Control Structure

An auditor performs the following procedures to *obtain and apply an understanding* of internal control (I/C) to an audit (AU-C 315): *Step 1* - Obtain an understanding of the design of *(CRIME)* (all five components of the entity's I/C) through the performance of risk assessment procedures. *(AIIO)* *Step 2* - Document the understanding of I/C. (*FIND)* *Step 3* - Assess Risk of Material Misstatement (RMM) which consists of inherent risk (IR) and control risk (CR). RMM = IR × CR). *Step 4* - Develop an audit strategy to either: -->*(RELY?) Perform tests of control (TofC)* to determine if CR is *below maximum*, reducing RMM below the level of IR and allowing for the modification of the nature, timing, and extent of further audit procedures (sub tests): or -->*(NOT Rely)* Decide *NOT* to perform tests of controls, assessing CR at the *maximum* level as if the control did not exist, and measuring RMM as being equal to IR. *Step 5* - Reassess Risk of Material Misstatement and evaluate results. -For controls for which tests of controls were performed, evaluate results to reassess RMM and determine if it is appropriate to modify the nature, timing, and extent of further audit procedures. *Step 6* - Document conclusions and determine the effect on the planned substantive procedures. At this point, the audit program needs to be developed or revised for further audit procedures. ------*Public*------ -Do Steps *1-6* ------*Non-Public*------ -Do Step *1-3*, and *6* unless you intend to *RELY*, then -Do Steps *1-6*

Lecture 3.09-Internal Control Reports & Communications, F/S Audit

Auditors have a responsibility to communicate with management and those charged with their clients' governance regarding certain internal control (I/C) matters. Those responsibilities vary, depending on the nature of the engagement. *Under GAAS* 1. An auditor of nonissuers is required to communicate *identified weaknesses* in I/C. 2. An auditor may be engaged to perform an examination of I/C as of a *specified date or for a period of time* (Integrated audit). -Such an engagement may only be accepted when integrated with an audit of the entity's F/S. -As a result of such an engagement, the auditor issues a report on the *effectiveness of the entity's I/C*. *Under PCAOB* 3. An auditor of issuers is required to report on *management's assertion* regarding the *effectiveness of I/C as of a specified date*. *SEE PG. 3-65 for Chart of Reports*

Control Risk is High

Auditors of both issuers and nonissuers may conclude either that: -internal controls are *not reliable* to limit the substantive testing, or -the *cost* of testing controls *exceeds the benefits.* In either case, the auditor will *not* perform tests of controls for the purpose of reducing RMM and will, *instead:* -perform *substantive tests* based on *CR set at maximum* (100% probability I/C will *neither* *p*revent, *d*etect or *c*orrect on a timely basis. When the auditor also is performing an examination of I/C (always for issuers) the auditor is required to perform tests of the *operating effectiveness of internal controls* even when: -controls are *not* expected to be effective or -the *cost* is expected to *exceed* the cost reductions in substantive testing. -An entity's I/C *cannot* be considered effective if *one or more* *MATERIAL WEAKNESSES* exist. -The auditor must obtain *reasonable assurance* as to whether material weaknesses exist as of the *specified date*. -Material weaknesses *may exist* even when the F/S are *not* materially misstated.

5. Reassess RMM to Determine DR (Readjust Audit Program)

Based on the results of the tests of controls the auditor will determine whether it is necessary to *modify the scope of substantive procedures*. -If tests of control reveal that the system *operates as expected*, there will generally be *no need to change the scope* of planned substantive procedures. Conversely, if the system *does not operate as effectively as expected*, the *scope* of substantive procedures for the relevant assertions involved *will increase* (thereby decreasing detection risk). -DR tells you how much substantive testing to do -Must do substantive testing (adjust Audit Program for Substantive tests) -AR / (IR × CR) = DR When an auditor decides to rely on controls, tests of controls are performed to determine if the controls were working effectively as they were designed for the period under audit. If, based on the tests of controls, the auditor concludes that the controls are *effective*, the *nature, timing, and extent* of further audit procedures in relation to that assertion will be *reduced.* If, however, based on the tests of controls, the auditor *cannot* conclude that the controls are *effective*, CR will be reset to *maximum* and the auditor will develop an audit program to test the assertion applying *substantive audit procedures* as if there were *no controls* related to the assertion and as if *no test of controls* had been performed. Since the most expensive and inefficient alternative is to perform tests of controls, only to determine that the controls are not reliable, the auditor will do a *cost/benefit analysis* before deciding to perform tests of controls. In performing the analysis: -The auditor will estimate the cost of performing a substantive audit without performing tests of controls. -The auditor will estimate the cost of performing tests of controls. -The auditor also estimate the cost of the reduced substantive testing that will be performed if the controls prove to be reliable. -Finally, the auditor will estimate the likelihood that the controls to be tested are likely to be effective. The auditor will then: -Add the cost of performing tests of controls to the cost of reduced substantive testing and multiply the total by the probability that the controls will be effective. -Add the cost of performing tests of controls to the cost of the unreduced substantive testing and multiply the total by the probability that controls will not be reliable, which is 100% minus the probability used previously. -The total of those two amounts will be compared to the cost of performing substantive tests exclusively. *The lower of the two amounts will determine the strategy to be taken.* Tests of controls alone are *not* normally considered *sufficient evidence* upon which to base an audit opinion. As a result, even when tests of controls prove that controls can be relied upon, further audit procedures may be reduced *but will not be eliminated.* In many cases, the auditor will use *dual purpose testing*, which consists of tests that are designed to test the effectiveness of controls while providing evidence as to the fairness or correctness of an element of the F/S by supporting one of management's assertions. -When the results are satisfactory, the auditor will conclude that the control *may be relied upon* and the evidence obtained is sufficient to support the assertion, eliminating the need for further testing. -When the results are not satisfactory, the auditor will conclude that the control *may not be relied upon* and will determine the *nature, timing, and extent* of *further* audit procedures that will be necessary to support the assertion.

C*R*IME-*R*isk Assessment

C*R*IME-*R*isk Assessment An entity's risk assessment for financial reporting purposes is its *identification, analysis, and management* of *risks* relevant to the preparation of *financial statements* that are *fairly presented* in *conformity* with *GAAP*. Risk assessment includes *events and circumstances* that *may adversely affect* an *entity's ability* to *initiate, authorize, record, process, and report* financial data consistent with financial statement assertions. (GLEIM) Ex: risk assessment may address how the entity deals with the possibility of *unrecorded transactions* or analyzes *significant estimates* recorded in the F/S. Risks relevant to *financial reporting* include external and internal factors, such as the following: -*CHANGES* -->in the operating *environment* -->to accounting *pronouncements* -->to the *economic* environment -*NEW* -->*personnel* -->(or revamped) *IT systems* -->*technology* -->lines of *business, products, or activities* -*Rapid growth* -*Corporate restructurings* -*Foreign operations* COSO has indicated that there are *four principles* related to *risk assessment*. They indicate that management and those charged with governance: 1. Specify suitable *objectives*; 2. Identify and analyze *risk*; 3. Assess *fraud risk*; and 4. Identify and analyze *significant change.*

COSO's Internal Control Framework

COSO defines five components of I/C: *(ERC-IM)* -Control *E*nvironment -*R*isk assessment -*C*ontrol activities -*I*nformation and communication -*M*onitoring The *mnemonic CRIME* reminds management that it would be a crime not to consider all the I/C elements when designing the system. AU-C 315 requires the auditor to *obtain an understanding* of all five components of I/C* (CRIME) under COSO in order to: *1.* evaluate the *design* of relevant controls *2.* determine whether they have been *implemented*; *3.* -assess the *(RMM)*; and *4.* design the *N-T-E* of further audit procedures.

CR*I*ME-*I*nformation and Communication

CR*I*ME-*I*nformation and Communication The *information and communication* component of I/C relates to the *flow of information to and from the entity as well as within the entity*. Information should flow in *all directions* so that management's directives can be communicated: -to those who are expected to work toward achieving them and -so that management can obtain feedback to determine if objectives are being achieved. *Communication* with external parties facilitates: -the flow of goods and services and enhances the *efficiency* with which business can be conducted. -enables parties in which an entity does business to assist in the enforcement of the entity's internal controls. -->If business customers are informed, for example, that all sales are expected to be reported on a specific *pre-numbered* sales form, customers may prevent a salesperson from taking an order without completing such a form. The auditor is concerned, in particular, with *information systems relevant to financial reporting*. The auditor, as a result, should obtain an *understanding* related to how: -Info system consists of the methods and records used to *record, process, summarize and report* Co.'s transactions and to maintain *accountability* for the related accounts. -Communication involves establishing *individual duties and responsibilities* to involved personnel relating to I/C -Transactions are *initiated, authorized, and processed*; and how transactions, events, and conditions are *reported*, including which components are performed *manually* and which are performed *electronically*. -Accountability is maintained for *assets, liability, and equity*, including the maintenance of records supporting information or specific items in the F/S. -The incorrect processing of transactions is *identified and resolved*. -Recurring and nonrecurring journal entries, unusual transactions, and other adjustments are *identified and prepared*. -System *overrides* or bypasses to controls are processed and *accounted* for. -Information is *transferred* from the processing systems to the general ledger. -Events and conditions, other than transactions, that are relevant to financial reporting, including depreciation and amortization of assets and collectibility of receivables, *are identified*, and how *information is captured*. -F/S are prepared, including the development of *estimates*. -Information that is required to be disclosed is *identified, accumulated, recorded, processed, summarized, and properly reported*. COSO has indicated that there are *three principles* related to *information and communication*. They indicate that management and those charge with governance: 1. Use relevant information; 2. Communicate internally; and 3. Communicate externally.

CRI*M*E-*M*onitoring

CRI*M*E-*M*onitoring *Monitoring activities* are the means by which management *determines* if internal controls are being *followed* and if they are *effective*. Controls are monitored thorough some combination of ongoing activities, which are generally part of recurring activities such as the *supervision of employees; and separate evaluations*. When the entity has an *internal audit function*, understanding the role it plays *contributes* to the auditor's *understanding of the entity* and its environment, and, in particular, its *I/C*. In some circumstances, the auditor *may use* the work performed by the entity's *internal auditor's* either to: -modify the *N-T-E* of other audit procedures to be performed, or -to *assist* in the performance of audit procedures under the *oversight* of the auditor. In addition to obtaining an understanding of how the entity monitors its internal controls, the auditor should also *obtain an understanding* of the *information* that is used in the entity's monitoring activities, the *sources* of that information and the basis upon which the *reliability* of the information is evaluated. COSO has indicated that there are *two principles* related to *monitoring*. They indicate that management and those charge with governance: 1. Conduct ongoing and/or separate evaluations; and 2. Evaluate and communicate deficiencies.

CRIM*E*-Control *E*nvironment (CHOPPER)

CRIM*E*-Control *E*nvironment This component is the *FOUNDATION* for the other components. It provides *discipline and structure* and *sets the tone* of the organization, including the control consciousness of its members. It includes *governance and management* functions as well as the *attitudes, awareness, and actions* of management and those charged with governance regarding internal control and its importance. (GLEIM) *(CHOPPER):* *Commitment to competence* - Effective control requires a sincere interest on the part of the employees in performing good work. *Human resource policies & practices* - A company can minimize the control difficulties created by new employees by sound hiring and training policies for employees. *Organizational structure* - A company that operates all over the world has different I/C problems than one operating entirely within a single building. *Participation of those charged with Governance* - An audit committee of the board of directors that actively monitors the internal audit function produces a more attentive management on such matters. *Philosophy of management & mgt operating style* - The belief (or lack of it) in the importance of I/C by management will affect the seriousness with which it is taken by the rest of the employees. This is especially the case when decision-making in the company is dominated by a single individual. *Ethical values & Integrity* - Honest employees will be less likely to cause I/C difficulties related to fraud and improve the opportunity for those resulting from errors to be effectively detected. *Responsibility assignment* - The manner in which authority, responsibility and accountability is assigned to different employees determines the controls that will be needed. Again, the domination of decision-making by a single individual holds significance, since such power makes it extremely difficult for I/C to be trusted.

CRIM*E*-Control *E*nvironment (Continued)

CRIM*E*-Control *E*nvironment (Continued) COSO has indicated that there are *five principles* related to the *control environment*. They indicate that management and those charge with governance: 1. Demonstrate a commitment to *integrity* and *ethical* values; 2. Exercise their *oversight* responsibility; 3. Establish *structure, authority, and responsibility*; 4 Demonstrate a commitment to *competence*; and 5. Enforce *accountability*. The auditor is responsible for determining if the control environment, influenced by management with the oversight of those charged with governance, has established an: - *honest culture, promoting ethical behavior*. The control environment, consisting of what are referred to as *entity-level controls*, should provide: -a *foundation* for the overall I/C structure, including the other components and -for assuring that internal controls are not undermined by *deficiencies* in the control environment. *Entity-level controls* deal with: -*company-wide* issues -sets the *tone* of the organization, -assigns *authority and responsibility*, and -addresses *conduct*. *Entity-level controls include:* -a *mission statement* that is part of the entity's culture; -a *code of conduct* that applies to all members of the organization -*organization charts and job descriptions* that indicate -->the *roles* of individuals within the organization; and -->the *behavior* of management and executives (Significant component) The auditor obtains *knowledge* of entity-level controls through: -*inquiries* made of management and others; and - *observations* of relationships (all employees shown respect) between employees/ supervisors/ management

GAAS Audits vs PCAOB Audits

GAAS Audits- *entire period* PCAOB Audits- *specific point in time*

1. Understand the Design of CRIME by Performing Risk Assessment Procedures-(what is the form?)

Have the controls been *implemented (put into use)* by the entity? The auditor first considers the *design* of the control. -->If *improperly designed*, it may represent a *material weakness* in the entity's I/C. An auditor obtains an *understanding of the entity and its environment, including its I/C (CRIME)* through the performance of: -*Risk assessment procedures* to: -->*Assess the RMM* of the F/S. *Risk assessment procedures include:* -*Analytical procedures* (Using high level data) -*Inquiries* of management and others within the entity, including inquiries of internal auditors. -*Inspection* (of documents and records) -*Observation* (the application of specific controls) Most of the information that an auditor obtains about the *design* of internal controls will initially be the result from: -*inquiries* of management, and -*reviewing prior period engagement files*(If the auditor is a continuing auditor) The auditor will determine its potential of reducing RMM. -*If not*, the control is not relevant and determination of implementation will be *skipped*. -*If so*, the auditor can determine if the control has been *implemented* and operating as *designed* only by performing a: -*Walk through*. This involves: -Applying *analytical procedures* -Test *ARRC* through *RIIO* -->*R*eperformance -->*I*nquiry -->*I*nspection -->*O*bservation -A *walkthrough* is not enough to determine if the control was *operating effectively* throughout the period being audited *or* to *rely on the control* for modifying further audit procedures. -If the auditor *intends to rely on the control* for modifying further audit procedures, the auditor is *required to determine:* ---> if the control was *operating effectively* throughout the affected period through the performance of *tests of controls*. In the course of obtaining an understanding of I/C, the auditor *may identify control deficiencies*, weaknesses in I/C that might allow errors to occur without the ability to identify and correct them on a timely basis. The auditor will look for: -*significant deficiencies* and -*material weaknesses* -->*must* communicate them to *management*

4. Tests of Controls (Develop an Audit Strategy) (Continued)

If there are *NOT CONTROLS* to deal with the issue that are either built into the system or have been separately developed and implemented, the auditor would *likely conclude that a control deficiency* has been identified. The auditor will evaluate the control deficiency, determining if it is a *significant deficiency or a material weakness* and, if so, make certain to include it in a *communication* to those charged with *governance*. In addition, however, the auditor will evaluate what further audit procedures will provide evidence that *recorded sales did actually occur.* -The auditor will develop an audit program with procedures designed to *verify* that the information reported on the F/S is *correct.* -To test the assertion of *occurrence*, the auditor will likely select a sample from the population of *recorded sales* and *trace them to supporting documentation* to verify that they *actually occurred*. If there *ARE CONTROLS intended to deal with the issue*, the auditor will evaluate the *design* of the controls and make a determination as to whether the design is *suitable* and if the control is likely to be *effective.* If not, the auditor will not attempt to verify that the control has been implemented as it is*irrelevant.* If, however, the control is *expected to be effective*, the auditor will perform some form of *walk through* involving *observing* the control, *inspecting* documents, or performing *analytical procedures.* The auditor will then determine an audit strategy: -The auditor may decide *NOT TO RELY* on the controls related to a relevant assertion. -->RMM will be *equal* to the assertion's *inherent risk* under the assumption that there are no relevant controls in place. -->The auditor will develop a program to test the assertion by applying *substantive audit procedure*s that the auditor believes will provide sufficient appropriate audit evidence. -The auditor may decide *TO RELY* on the controls related to the relevant assertion. -->RMM will be *reduced* from IR, taking into account the effect of CR being below the maximum. -->The auditor will perform tests of the controls selecting from a population that covers the entire period during which the auditor is anticipating that the controls were in place. If the auditor plans to use audit evidence about the operating effectiveness of controls obtained in *prior audits* and the controls have *not changed* since they were last tested, the auditor should test the operating effectiveness of such controls at least *once in every three years.* The auditor will determine that controls have not changed since they were last tested through the performance of *risk assessment procedures.*

Lecture 3.07 - Operating Cycles: Investing, Financing, Production & Conversion (Continued)

In order to apply hedge accounting to a derivative instrument, at the inception management must designate the derivative as a hedge; formally document the hedging relationship, the entity's risk management strategy for using the hedge, and the method of assessing its effectiveness; and have the expectation that the hedge will be highly effective. The auditor should gather evidence that management has met these requirements. *In addition:* -For *fair value hedges*, the auditor should obtain evidence to support the recorded change in the hedged item that is attributable to the hedged risk. -For a *cash flow hedge* of a forecasted transaction, the auditor should obtain evidence that supports management's determination that the forecasted transaction will probably occur. Support may include evidence: -->Regarding the frequency of similar past transactions. -->Supporting the entity's ability to execute the transaction. -->Indicating the loss that might result if the transaction does not occur. -->Supporting the likelihood that substantially different transactions might be used to achieve the same business purpose. Most testing related to *property, plant, and equipment* transactions concerns itself with the different types of *controls that reduce the risk of misstatement.* In a good I/C structure, the internal audit staff will periodically *inspect physical assets.* This cycle includes *acquisitions, disposals and depreciation expense.* Among the *objectives* are: -Verifying the *existence* of recorded assets by *Vouching* from records to the physical assets. This can assist in identifying *unrecorded disposals.* -Verifying the *completeness* of acquisitions by *Tracing *from the physical assets to the records. This can assist in identifying *unrecorded acquisitions*. A common problem involves the recording of equipment purchases in *expense accounts*, especially for *repairs and maintenance*. Besides the tracing of physical assets to records mentioned above, the internal audit staff may also *examine the relevant accounts and compare them with budgeted amounts*, since large *variances* may indicate the expensing of costs that should have been capitalized. *Production & Conversion Cycle* The production and conversion cycle deals with *manufacturing operations.* Most of the controls are similar to those in the purchasing and spending cycle, since inventory may be involved in both cycles, the difference being whether they were manufactured or purchased. Acquisition of, and accounting for, raw materials purchased in a manufacturing process would be *similar* to merchandise inventory in a nonmanufacturing entity. Examples of controls related to the *management assertions for manufactured inventory include:* -*Presentation & Disclosure* - *Direct labor* charged to individual time tickets is *compared* to the *total direct labor *charged to work-in-process, in order to ensure direct labor costs have *not* been charged to *manufacturing overhead.* -*Existence or Occurrence* - Perpetual inventory records are *compared* with goods on hand. -*Completeness & Cutoff* - Forms used for material requisitions are *prenumbered* and *periodically accounted* for. -*Valuation, Allocation & Accuracy* - Subsidiary records are *periodically reconciled to inventory control accounts.* Using the mnemonic *RACE* for account balances: -*R*ights and obligations - Terms of notes, lines of credit, and other debt instruments are *evaluated to determine* if inventories have been *pledged as collateral.* -*A*llocation and Valuation - Allocations of salaries and wages to inventory are reviewed to make certain *appropriate amounts are included*. -*C*ompleteness - Forms used for the acquisition of raw materials and other items are *prenumbered* and all numbers are accounted for. -*E*xistence - Perpetual inventory records are regularly *reconciled to goods in inventory* to make certain that recorded amounts are *still on hand.* As with the purchasing and spending cycle, the objectives within the production and conversion cycle include properly recording and executing transactions. In addition, an especially difficult objective of I/C with respect to manufacturing processes is *maintaining proper custody* as *raw materials* become *work-in-process* and then *finished goods.* In contrast, inventory in a merchandising company normally only goes from the *receiving department to inventory* when *acquired* and then from *inventory to the shipping department* when sold.

Lecture 3.02 5 Components of Internal Control (CRIME)-COSO's Internal Control Framework

Internal control is a *process-effected* by those charged with governance, management, and other personnel designed to provide *reasonable assurance* regarding the achievement of *objectives* related to the following *(ACE):* *Accurate and reliable financial reporting* - This is the *primary interest* of the outside auditor since it relates to the fair presentation of the F/S being audited. -*Compliance with laws and regulations* - This is primarily relevant to *compliance auditing*, which may occur in connection with audits under government auditing standards. The financial statement auditor would, however, be concerned about *compliance with laws and regulations* that could have a material direct or indirect effect on the F/S. -*Effectiveness and efficiency of operations* - This is generally not addressed by the financial statement auditor, but is addressed in consulting engagements and *operational audits*. The *mnemonic ACE* will remind management that it should try to establish a strong internal control structure so as to have an *ACE* in the hole.

Lecture 3.07 - Operating Cycles: Investing, Financing, Production & Conversion (Continued)

Internal controls reduce control risk such that, regardless of a high inherent risk, risk of material misstatement can be reduced. When internal controls in relation to investments are expected to reduce control risk below the maximum, reducing the risk of material misstatement, specific controls are associated with management assertions and tests of controls are performed to gather evidential matter regarding their operating effectiveness. *Control Risk Assessment (CR):* Identify specific controls applicable to assertions and gather evidential matter regarding their operating effectiveness (tests of controls). Examples of controls include: -Monitoring of investment activities and reporting by independent control staff; -Senior management approval of transactions; -Accurate risk measurement systems for investments and derivatives; -Regular reconciliations to control account balances; -Definitions and regular reviews of limits and constraints on investment activities; and -Regular reviews of controls by senior management or some independent body. -->As CR↑ (increases) the auditor's acceptable level of DR↓ (decreases), which means the auditor will perform MORE ↑ Substantive Testing. *Substantive Procedures* (discussed in more detail in Audit Evidence) Since derivatives are required to be reported at fair value, the auditor is required to evaluate whether the fair values of investments in derivatives have been determined appropriately, using an acceptable valuation method. Substantive procedures in the area of investments in Derivatives should be designed to test management's assertions with regard to *(PERCV):* *P*resentation & Disclosure - This will involve *reading disclosures* to make certain they are in compliance with GAAP; determining if securities have been *pledged* as collateral for indebtedness through inquiries and inspection of documents; and determining that investments are appropriately *classified* through inquiries of management. *E*xistence - This may involve the *inspection of securities on hand*; *confirmations* with brokers or other third parties either holding securities or who may be counter-parties; *reviewing documents;* and, when appropriate, *inspecting documentation of settlement or realization.* *R*ights & Obligations - This may involve the *review of documents* and *confirmations* with counterparties. *C*ompleteness - This may involve *review of minutes of the board of directors* or others responsible for governance; *tests of subsequent transactions* for evidence of realization or settlement; *confirmations* with counterparties, financial institutions, brokers, and others; and evaluating beginning amounts for disposition of inclusion in ending amounts. *V*aluation: -For valuation *based on COST:* ▪ Inspection of documentation ▪ Confirmation -For valuation based on financial results of investee: ▪ Obtaining audit evidence supporting investee's results ▪ Reading available F/S of investee -For valuation *based on FAIR VALUE:* ▪ Obtaining quoted market prices on exchanges when available ▪ Obtaining quoted market prices from broker-dealers for unlisted securities ▪ Obtaining estimates, including those using models like Black-Scholes An entity uses derivatives as hedges to protect itself against various risks that may be inherent in the assets or liabilities they hold, in anticipated transactions, or other aspects of their business. The purpose of the hedge is to shift the risk to a counterparty. For example: -An entity with a fixed rate receivable may be concerned that fluctuations in interest rates will affect its fair value. They might enter into an interest rate swap in which they will pay out interest at a fixed rate, to offset the interest received, and receive interest from the counterparty at a variable rate. -->As a result, they will always be paying the market rate of interest and changes in the fair value of the note will be offset by changes in the fair value of the derivative used as a hedge. -->This would be considered a *fair value hedge*. -An entity with a variable rate receivable may be concerned about the uncertainty of future cash inflows due to fluctuations in the interest rate. They might enter into an interest rate swap in which they will pay out interest at a variable rate, to offset the interest received, and receive interest from the counterparty at a fixed rate. -->As a result, regardless of changes in the market interest rate, the entity will receive a steady and predictable stream of interest cash inflows. -->This would be considered a *cash flow hedge*. A cash flow hedge may also be used to transfer risk associated with a forecasted transaction. A company planning to purchase goods or services from a foreign supplier may enter into a forward exchange contract to make certain that a change in the foreign currency exchange rates does not adversely affect the cash flows associated with the transaction.

Documentation of Internal Control Structure (Continued)

Normally, it is possible to identify at least one document, record, or asset to fit each question. Thus, a questionnaire involving the production cycle might ask, "Is proper security maintained over work-in-process inventories?" One involving the payroll cycle might ask, "Is proper security maintained over signature plates?" *To prepare ICQ/Narrative* -What cycle are you in? -Key controls (ARCCS). -For each document. ▪PPN? (Preprinted, pre-numbered, numerical sequence). ▪Information on the document? ▪Send copies to whom? Among the biggest challenges of using an ICQ is the preparation of the questionnaire itself. In order to be effective, the auditor must understand the nature of the cycle being evaluated well enough to be able to include a question about every control that should be included in the system in order for internal controls to be effective. If the auditor neglects to include a question about a control that may be considered necessary to support one of management's assertions, there will not be a "no" answer to indicate to the auditor that there is a control deficiency. The preparation of an ICQ involves the application of a systematic process that begins with identifying the system that is being evaluated. The auditor then determines what account balances or classes of transactions are affected by that system. Sales and accounts receivable are affected by the revenue cycle, for example, while inventory and accounts payable is affected by the purchases cycle. Once the auditor has identified which account balances and classes of transactions are affected by the cycle being evaluated, the auditor should next determine where in the cycle *(SACRED)* there should be controls for each of the assertions relevant to that account balance or class of transaction. In the sales or revenue cycle, for example, evidence that a transaction occurred will primarily be created during the initiation *(Start)* of a transaction. -The auditor will determine what evidence would indicate that a recorded transaction actually occurred, which may be a sales order from the customer. -The auditor will then devise a question that will indicate that such evidence is obtained in the initiation of a sales transaction. It should be kept in mind that there may be evidence regarding one or more assertions in several of the phases of the cycle. In addition, there are many ways in which evidence may be created and obtained. As a result, questions must be made general enough to accommodate the client's system, since the questionnaire is developed before the auditor knows the client's system, yet specific enough to make certain that there are, in fact, controls that are designed to prevent errors or fraud, or to detect and correct them on a timely basis. In order for a questionnaire to be effective, the auditor will also have to anticipate the forms that the client should use, how many copies of each form will be needed, and how those copies should be distributed. Without this information, a question with a yes or no answer is unlikely to provide the auditor with information about forms that are used and their disposition, an essential element of I/C. The auditor also needs to determine what information should be on each form so that appropriate questions can be formulated. The auditor will also have to design the questionnaire to identify any circumstances where there is not appropriate segregation of duties. This may require the auditor to anticipate what individual, or what department, within the client's organization should have responsibility for each component so that a question with a yes or no answer can be developed.

Lecture 3.04 - Operating Cycles: Revenue Cycle (Continued)

Some of the *documents* and records that are commonly seen in the revenue cycle include the following. This list, like that of individuals within the system, is being presented simply to ensure that you will be familiar with the purpose of each when mentioned on the exam: -*Sales order* - The list of goods ordered by the customer along with the prices to be charged. Even if a customer has submitted their own purchase order, a sales order will be prepared, since these are: *(PPN)* *p*re-printed *p*renumbered, and *n*umerically controlled It makes it possible to periodically account for orders to be sure they were processed. -*Bill of lading* - The shipping document that is signed by the carrier, often a trucker, accepting goods from the shipping clerk. -*Sales invoice* - The bill that is prepared and sent to the customer after shipment to request payment. Before doing so, the billing clerk should compare the sales order and bill of lading to ensure they are in agreement. -*Sales register (journal)* - A book in which sales invoice information is posted. Cash register records provide similar information for retail outlets and other cash businesses. -*Subsidiary receivables ledger* - A book that lists the outstanding receivables with a separate record for each customer. -*Remittance advice* - The document included in an envelope with the check or other form of payment to indicate the purpose of the check. -*Remittance listing* - A summary of the money received that day. This may be called a prelist in some cases, and is prepared by the employee first receiving the cash, which is usually the mail room clerk. -*Cash receipts journal* - A book in which the remittance listings are posted. -*Deposit slip* - The document signed or stamped by the bank to acknowledge receipt of checks and that is periodically reconciled to postings into the cash receipts journal by an independent employee. -*Bank Reconciliation* - Comparison of the cash balance according to the entity's books to the amount indicated by the bank that it is holding on behalf of the entity (book to physical). The purpose of most other documents and records can be determined by seeing the context in which they are being used on the exam. Ultimately, the reason an auditor cares about the I/C structure is that it relates to whether the *financial statement assertions* are correct and therefore may be relied upon. The assertions are discussed in detail in another section, but some specific applications of these assertions are frequently tested in discussing the revenue cycle. Examples related to each assertion follow *(UPERCV):* -*Understandability & Classification* - Transactions and events have been recorded in the proper accounts and information is presented and described clearly -*Presentation & Disclosure* - Management asserts that all sales to employees have been properly identified in the statements and notes as related party transactions. The auditor may review sales invoices for specific sales to employees and then trace these invoices to the general ledger entry to see if they are posted to the "due from employees" account. -*Existence or Occurrence (Vouching)* - Management asserts that all sales that have been recorded actually have taken place (be sure not to confuse this with the previous assertion). The auditor may select a sales invoice and vouch from the sales invoice to the bill of lading in order to ensure that items billed to customers were based on actual shipments. -*Rights & Obligations* - Management asserts the right to collect receivables. An auditor can vouch from postings in the subsidiary receivables ledger for a specific client back to the sales order, bill of lading, and sales invoice, in order to establish that the goods were ordered, shipped, and billed, giving the company the right to collect. -*Completeness (Tracing) & Cutoff* - Management asserts that it has recorded all sales that have taken place. The auditor may select a bill of lading and then trace from the bill of lading to the sales invoice in order to ensure that all shipped goods have been billed to customers. -*Valuation, Allocation & Accuracy* - Management asserts that receivables are likely to be collected. The auditor can test the process of credit approval before shipment in order to determine that the company is only shipping to customers likely to pay.

1. Understand the Design of CRIME by Performing Risk Assessment Procedures-(what is the form?) (Continued)

The *knowledge* obtained through *risk assessment procedures* is used to: -*Identify* the types of *potential misstatements* (Errors or Fraud). -Consider *factors that affect* the RMM -Design *tests of controls* and *substantive procedures*. -->As part of obtaining an understanding of I/C sufficient to plan the audit, the auditor should evaluate whether the client's *programs and controls* that address the identified *RMM* due to fraud have been *designed* and *implemented* properly. ---->Understanding *DOESN'T* require evaluating their *operating effectiveness.* The *goal of this understanding* is to *identify* those *controls* that might *reduce the RMM*. If the auditor believes that these *controls can be relied upon:* -*tests of controls* will be performed to evaluate their *operating effectiveness*. -->If effective, the auditor will *reduce substantive testing.* The auditor is *only* trying to determine what controls have been *implemented* (are being used), and is *not* determining whether the controls have been *operating effectively*. Determining whether the controls have been *operating effectively* is only necessary in a F/S audit if the auditor plans to *rely* on the controls The *techniques* available to the auditor to *gain information* about a client's *I/C structure* include: -->*Prior audits* - Reviewing audit documentation that document the I/C structure of the client in prior years. *(RIIO)* -->*R*eperformance - Applying the control that the client personnel presumably performed to determine if the procedure was performed properly. -->*I*nquiry - Asking management and other client personnel to describe the controls that they are currently using. -->*I*nspection - Examining documents that are used in I/C, such as authorization forms and procedures manuals. -->*O*bservation - Watching employees perform their jobs. The auditor is initially interested in the *form*, but is ultimately interested in the *substance* of the controls. -*inquiry and inspection* will provide the auditor with information about controls that have been *designed* - *observation* will show if controls are *being enforced* and whether controls involving *segregation of duties* are being *implemented.*

3. Assessing Risk of Material Misstatement (RMM) (Continued)

The auditor also assesses risk at the financial statement level by identifying those items that may have a propensity for misstatement. This may be individual accounts, such as items on the balance sheet; classes of transactions, such as items on the income statement; or disclosures, including footnotes as well as descriptions and notations on the F/S themselves. Items will represent a *greater risk of misstatement* for a variety of reasons. It may be due to error as a result of: -The *difficulty of obtaining information* needed to accurately record the transaction; or -The *complexity* of the requirements for accounting for an item. An item may be more *susceptible to fraud* because: -It is a *valuable item* that might be misappropriated by employees or others; -It is an item for which it is *easy to conceal a misstatement*; or -A misstatement to the item has the potential of influencing other actions such as the *payment of a commission* or the earning of a *bonus* based on performance. Once items that are susceptible to misstatement are identified, risk of material misstatement is assessed at the *relevant assertion level.* The fact that an item is likely to be misstated will generally affect all of the assertions and the risk should be analyzed accordingly. For example: -For an entity that might have a tendency to *overstate* results because it is competing in the capital markets, sales may be likely to be overstated and the auditor will be concerned about: -->*Occurrence*, since the entity may record sales that did not occur; -->*Cutoff*, since the entity may record sales from the next period in the current period; -->*Accuracy*, since the entity may record sales in amounts greater than the actual transactions; and -->*Classification, since the entity may wish to characterize the proceeds from the issuance of debt or from the sale of assets that do not generate revenues into sales. -->The auditor would not be concerned about *completeness*, however, since an entity wishing to overstate sales would not omit sales -For an entity that might have a tendency to *understate* results for the purpose of avoiding taxation, sales may be likely to be understated and the auditor will be concerned about: -->*Completeness*, since the entity may omit sales; -->*Cutoff*, since the entity may postpone the recognition of sales that occurred this period until the next period; and -->*Valuation*, since sales may be reported at amounts lower than the actual amounts. The auditor would be less concerned about occurrence since an entity intending to -->The auditor would be less concerned about *occurrence*, since an entity intending to understate sales is not likely to report sales that did not occur; and -->The auditor would be less concerned with *classification*, since an entity intending to understate sales is not likely to include items that are not properly reported as sales in that category.

Internal Control Reports & Communications, Attestation Engagement (Continued)

The auditor evaluates the severity of identified deficiencies, which consist of their *magnitude and their probability:* -A material weakness has the potential of causing a material misstatement to the F/S. -A material weakness indicates at least a reasonable possibility that controls will not prevent the misstatement, nor detect and correct it on a timely basis. As a result of the examination, the auditor forms an opinion on the effectiveness of the entity's ICFR and evaluates management's assertion regarding the I/C contained in a report that accompanies the auditor's report. *Management's report should contain:* -Acknowledgment of management's responsibility for I/C; -A description of what was examined, such as controls related to preparing F/S in accordance with GAAP; -Identification of the criteria used to evaluate I/C, such as those established by the report of the Committed of Sponsoring Organizations of the Treadway Commission (COSO) entitled Internal Control - Integrated Framework; -Management's assertion regarding the effectiveness of the entity's I/C. -A description of any material weaknesses; and -The date of the assertion. The auditor should also obtain *written representations* from management, some of which will repeat items in the report. Representations will indicate: -Management's responsibility for I/C -An indication that management has performed an assessment of the entity's ICFR based on a set of criteria that is identified -That management's assessment did not incorporate the results of procedures performed by the auditor -Management's assessment of ICFR as of a specified date -An indication that management has informed the auditor of all deficiencies in ICFR, whether deficiencies in design or operation, separately indicating significant deficiencies and material weaknesses -Any fraud either resulting in a material misstatement to the F/S or involving senior management, management, or other employees involved in ICFR, even if the fraud does not result in a material misstatement to the F/S -An indication as to whether significant deficiencies and material weaknesses previously identified have been resolved, indicating those that have not -An indication as to any changes to ICFR made subsequent to the date being reported on, including any corrective action taken by management The auditor forms an opinion on the effectiveness of ICFR through the consideration of various factors, including: -Tests of controls performed for the examination of ICFR, as well as any additional tests of controls performed in relation to the audit of the F/S. -Misstatements detected during the course of the audit of the F/S. -Deficiencies identified. -Reports issued by internal auditors. -The results of substantive procedures performed in the audit of the F/S, including: -->The auditor's risk assessment; -->Findings related to noncompliance with applicable laws and regulations; -->Related party transactions and complex or unusual transactions; -->Indications of management bias in the selection of accounting principles or in the development of estimates; and -->The nature and extent of misstatements detected -Management's report. At the conclusion of the engagement, the auditor communicates certain matters to management and those charged with governance. The communication includes all material weaknesses and significant deficiencies identified by the auditor, including those that may have been identified in a previous period but have not yet been corrected. It should be in writing and made by the date on which the auditor's report is released. -The auditor also issues a written report to management within *60 days* of the report release date. -It includes all deficiencies, including those that are not material weaknesses or significant deficiencies. The auditor issues a *report on I/C* that includes certain elements: -A title that includes the word "independent." -An appropriate addressee. -An introductory paragraph containing: -->The identity of the entity whose ICFR was audited with an indication that ICFR has been audited; -->The date as of which the ICFR was assessed; and -->The criteria against which it was measured.--> A section with the subheading "Auditor's Responsibility": that indicates: -The auditor's responsibility to express an opinion on the entity's ICFR based on the audit; -That the engagement was conducted in accordance with GAAS, which requires the auditor to plan and perform the audit to obtain reasonable assurance about the effectiveness of ICFR; -A description of the audit stating that the auditor performed procedures to obtain evidence about the existence of material weaknesses, that the auditor applied judgment in determining what procedures to perform; and that the audit included obtaining an understanding of ICFR and testing and evaluating its design and operation; and -An indication that the auditor believes that the examination sufficiently supports the opinion. -A section with the subheading "Definition and Inherent Limitations of Internal Control Over Financial Reporting" that includes the definition of I/C with an indication of its inherent limitations. -A section with the subheading "Opinion" that contains the auditor's opinion. -The auditor's signature, the city and state in which the auditor operates, and the date of the report.

2. Document Understanding of Internal Control

The auditor is required to *document* key elements of the *understanding* of the entity and its environment, as well as each of the 5 components of I/C *(CRIME)*, the sources of information from which the understanding was obtained, and the risk assessment procedures performed. The *form* is influenced by the *size and complexity* of the entity. I/C documentation methods for understanding *CRIME* These are *(FIND):* *Flowchart* *Internal Control Questionnaire (ICQ)* *Narrative or Memorandum* *Decision table/tree*

6. Document Conclusions and Develop or Revise Audit Programs

The auditor is required to communicate *significant deficiencies* and *material weaknesses* to management and those charged with governance. The basis for risk assessment must always be documented. The auditor needs to *document:* -The assessment of the risks of material misstatement at the financial statement and relevant assertion levels; -The basis for that assessment; -Significant risks identified and related controls evaluated; and -Risks identified that require tests of controls to obtain sufficient audit evidence and the related controls evaluated. The auditor will document the procedures performed and the conclusions reached such that others will understand what procedures were performed, what items were tested and how they were selected, the evidence gathered, and the conclusions drawn. In addition, the auditor will develop *audit programs* to indicate the further audit procedures that the auditor believes are necessary and appropriate in order to draw a conclusion related to a management assertion

Lecture 3.05 - Operating Cycles: Spending Cycle (Continued)

The auditor should look for specific applications of the different control activities to the spending cycle. Commonly tested examples of *auditing procedures* used to understand the I/C structure related to spending include *(PRAISE)*: -*P*hysical controls - Verify that all goods are received by the receiving department and returns are shipped by the shipping department. -*R*ecording - Verify that receiving reports are prepared for all goods received and that debit memos are prepared for all goods that are returned. -*A*uthorization - Select individual cancelled checks and vouch them to the purchase orders, receiving reports, vendor invoices, and payment vouchers. -*I*ndependent checks - Verify that the client periodically performs inventory counts and reconciles amounts on hand to inventory records so as to know when inventory has been lost or stolen. -*S*egregation of duties - Use *inquiry and observation* to determine that there is a separation of the functions of: *(1)* authorization of purchases and payments, *(2)* recording of purchase orders and posting to the purchase journal, and *(3)* custody of inventory and checks for payment. -*E*valuate performance - Determine if the client uses a standard costing system that generates variances, enabling them to identify actual cost numbers that may be incorrect. Just as in the case of the revenue cycle, the auditor is primarily concerned with the relationship of the various control activities to the various management assertions. Similarly to the revenue cycle, -*tracing* through the system in the normal order *(from source documents to postings in books and records)* is an attempt to verify the *completeness* of the records. -*vouching* in reverse order *(from books and records back to source documents)* is an attempt to verify the *existence or occurrence* of all the transactions that are reflected in the records. *SEE Picture pg 3-32* *Segregation of Duties in the Purchases & Spending Cycle* For proper segregation of duties, *authorization* of transactions, the *recording* function, and *custody* of assets should be kept separate. -The functions of *authorizing* purchases, *receiving* goods purchased, and *recording* the purchase should be segregated. -The cash functions should be segregated. *Authorizing* payment for purchases, *recording* payments, *access to checks*, and *reconciliation* of the bank account should be segregated. -Individuals with authority to approve vouchers for payment should not have access to unused purchase orders.

3. Assessing Risk of Material Misstatement (RMM)

The auditor should perform the risk assessment to identify and assess the RMM for: -*classes of transactions*, -*account balances*, and -*disclosures* at the: -*Financial statement level* and -*Relevant assertion level* *NO-RMM high (Sub Approach)* *YES-RMM low (Combined Approach)* The auditor first assesses RMM at the *financial statement level* by: -evaluating the entity's ability to prepare F/S that are *fairly presented* -->*competency* of accounting personnel -->*evaluation* to develop *estimates* -->if the *industry* or the *economy* has created *challenges*; or -if the entity is *seeking financing* or anticipating entering into a *substantial transaction.* Any of these or a variety of other factors *may increase the risk* that the F/S, taken as a whole, will be *materially misstated.* The auditor may use either a: -*substantive approach* (substantive procedures are emphasized), or -*combined approach*, (both tests of controls and substantive procedures are emphasized) The auditor needs to: -Identify the risks. -Relate the identified risks to the types of potential misstatements that could occur at the relevant assertion level. -Consider whether the risks are so significant that they could result in a material misstatement of the F/S. -Consider the likelihood (probability) that the identified risks could result in material misstatements on the F/S. If the risk assessment is based on an expectation that controls are *operating effectively*, the auditor should -test the *operating effectiveness* of controls *(TofC)* that have been designed to prevent or detect material misstatements. -Intend to Rely? The risk assessment may *NOT* include an expectation that controls operate effectively when *(Substantive approach): * -->Controls appear *inadequate / Ineffective/ weak*. -->Auditor believes that performing extensive substantive procedures is likely to be more cost effective than performing tests of controls. *(Cost/benefit - inefficient)*. If the controls appear effective, tests of controls will be performed when *(Combined approach):* -The auditor's risk assessment includes an expectation of *operating effectiveness of controls* because the likelihood of material misstatement is lower if the control operates effectively (Cost effective) or -When *substantive procedures alone* do not provide sufficient audit evidence. The decision to perform tests of controls will be made when the auditor believes that a *combination of tests of controls and a decreased scope of substantive procedures* is likely to be more *cost effective* than performing more extensive substantive procedures. The *overall approach* here, as it relates to controls is to: -Identify controls that are *relevant to specific assertions* that are likely to prevent or detect material misstatements, and -Perform *tests of controls* to evaluate the *effectiveness* of those controls

Lecture 3.06 - Operating Cycles: Personnel & Payroll (Continued)

The auditor will also evaluate the internal controls established by the user entity to administer the relationship with the service organization. The entity may, for example, have controls to verify the accuracy of the output of the service organization. The auditor will use the understanding of the nature and significance of the services provided by the service organization, along with the entity's related controls, to identify and assess risks of material misstatement that may result. In some cases, the auditor will be unable to obtain a sufficient understanding of the nature and significance of the relationship with a service organization using the resources available through the user entity. In such cases, the auditor will obtain a sufficient understanding by performing one or more of the following: -Obtaining and reading a *type 1 or type 2 report*, if available; -Obtain information from contact with the service organization, through the user entity; -Apply procedures directly to the operations of the service organization; or -Use the work of another auditor applying procedures designed to obtain the necessary information. There are *two reports* that the auditor of a service organization may issue: *A type 1 report* is a report on management's description of the service organization's system of controls and the suitability of the *design of the controls*. It consists of: -Management's description of the system; -Management's written assertion that, in all material respects, based on appropriate criteria, -->The description of the system fairly presents the system that was designed and implemented as of a specified date and -->Controls related to objectives stated in management's description were suitably designed to achieve those objectives; and -A report from the auditor of the service organization, referred to as the service auditor, expressing an opinion in relation to management's written assertions *A type 2 report* is a report on management's description of the service organization's system of controls and the suitability of the *design of and the operating effectiveness* of the controls. It consists of: -Management's description of the system; -Management's written assertion that, in all material respects, based on appropriate criteria -->The description of the system fairly presents the system that was designed and implemented as of a specified date, -->Controls related to objectives stated in management's description were suitably designed to achieve those objectives, and -->The controls related to the specified objectives were operating effectively throughout the specified period; and -A report from the auditor of the service organization, referred to as the service auditor, expressing an opinion in relation to management's written assertions and describing the tests of controls performed and the results of those tests. To *rely* upon a *type 1* or *type 2* report, the auditor should: -Determine that the date of a type 1 report, or the period covered by a type 2 report is appropriate for the auditor's needs; -Evaluate whether the evidence provided by the report is appropriate and sufficient for the purpose of obtaining an understanding of the user's I/C; and -Determine if the user entity has developed controls that are complementary to those of the service organization that address risks of material misstatement relating to relevant assertions in the user's F/S. When the auditor of the user entity intends to *rely on the controls at the service organization*, they must be subjected to *tests of controls*, which may be accomplished by: -Obtaining and reading a *type 2* report; -Applying *tests of controls* at the service organization; or -Using *another auditor* to perform *tests of control* at the service organization. If the auditor's test of controls consists of obtaining and reading a *type 2 report*, the auditor will *evaluate* the report to determine: -Whether it is for an appropriate *period*; -Whether there are c*omplementary controls* at the user entity identified by the service organization as addressing risks of material misstatement and, if so, *determining* if those controls have been *designed and implemented* and applying *tests of controls* to them; -If the time period covered by tests of controls is adequate and evaluating the length of time since testing; and -Whether tests of controls performed by the service auditor provide *sufficient appropriate audit evidence* to support the user auditor's risk assessment.

Objectives of the Auditor (GLEIM)

The objective of the auditor is to *identify* and *assess the RMM*, whether due to error or fraud, at the: -*Financial Statement level*, and -*Relevant Assertion level* This objective is achieved through *understanding* the entity and its environment, including the entity's I/C, to provide a basis for *designing and implementing* responses to the *assessed RMMs*. --->A *relevant assertion* has a *reasonable possibility* of containing a *misstatement* that could cause a material misstatement(s) of the F/S. Thus, a relevant assertion has a *meaningful bearing* on whether the account is *fairly stated.*

Lecture 3.06 - Operating Cycles: Personnel & Payroll

The personnel cycle of a business normally is segregated between different departments: *(ARCC)* *A*--*Personnel* - This is the *a*uthorization department that is responsible for hiring of new employees, approval of changes in pay rates, and termination of employees. *R*--*Payroll* - This is the *r*ecording department that performs the calculation of payroll amounts. They will examine and then update records based on authorization forms for hiring, firing, and pay rates received from personnel, and will calculate payroll based on time sheets and other reports approved by appropriate supervisors in the various operational departments of the company. They update pay records and prepare vouchers for the amount of payment. They may also be involved in the preparation of pay checks as long as they do not have the ability to sign them and do not receive custody of signed but unclaimed pay checks that have not been voided. *C*--*Treasurer* - This is the *c*ustody department that is responsible for the signing and distribution of pay checks to employees, and unclaimed paychecks should always be retained within this same department until they are either distributed or voided. If payment of wages is in cash, employees should be required to sign a receipt for the amount received. *C*--*Controller* - *C*omparison - Bank Reconciliation *SEE GRAPH PG 3-34* *Personnel (Authorize)* -Hire -Fire -Salary Rates *Payroll (Recording)* -Calculate Pay *Treasurer (Custody)* -Signs and distributes checks -Custody of cash and unclaimed checks *Controller (Comparison)* -Bank Reconciliation *Key Documents* The key documents generated in this cycle include: -Personnel records -Hiring and deduction authorization forms (W-4) -Timecards -Payroll register -Paychecks -Payroll cost allocation -Bank reconciliations *Description of the Personnel & Payroll Cycle* -*Personnel Department (HR)* - The personnel department is involved with the *personnel* *records* and all the *hiring forms*, including the *deduction forms* for payroll deductions. The personnel department approves changes in pay rates and deductions from employee salaries. The personnel department is also involved in the termination process. It is essential that the personnel department promptly sends employees' termination notices to the payroll department. -*Employee*—The employee prepares a *timecard*, and submits it to the supervisor for authorization. The timecard is then sent to the payroll department. -*Payroll Department* - The payroll department examines authorization forms from the personnel department for new employees and adds the employees' names to the payroll processing program. The payroll department promptly updates the records for changes in deductions, pay rates, and terminations. The payroll department enters all the timecard and wage rate information into the *payroll register*. *Payroll checks*are prepared by the payroll department and submitted to the treasurer for signature. The payroll department also prepares a payroll cost allocation based on the timecard information. The *payroll cost allocation* is used to distribute payroll costs over the various accounts affected. -*Treasurer* - The treasurer receives the checks from the payroll department and signs them. The treasurer is responsible for distribution of paychecks. Unclaimed paychecks should remain in the custody of the treasurer. Unclaimed checks should *not* be returned to the payroll department. -*Controller* - As an overall verification of custody controls over cash, the controller should prepare monthly *bank reconciliations* to verify that there were no errors made in recording receipts in the cash receipts journal. *Segregation of Duties in the Personnel & Payroll Cycle* For proper segregation of duties, *(ARCC)* should be kept separate. -The functions of *authorizing* the hiring of personnel, payroll processing *(recording)* and distributing payroll checks *(custody)* should be segregated. -The functions of authorizing payroll rate changes and payroll processing (recording) should be segregated. -Payroll checks should be prepared by the payroll department and signed by the treasurer, segregating recording and custody.

F/S Assertions

There are several assertions, some of which overlap one another, classified into *three categories*. 1. Events and transactions-income statement *(CPA-CO)* 2. Account Balances- balance sheet *(RACE)* 3. Presentation of the F/S & Disclosures *(RACOU-n)*

When answering cycle questions, think of:

What *stage in cycle* am I? What *department and person/people* are involved? What *documents* are handled? -->Use *(ARRC)* in answering MPC questions

Lecture 3.04 - Operating Cycles: Revenue Cycle (Continued)

When evaluating the system for a particular cycle, the focus will be on the *accounts balances* or *classes of transactions* that are affected. The revenue cycle will generally result in a *debit to cash or accounts receivable and a credit to sales*, The purchasing cycle will result in a *debit to purchases* in a periodic system, or to *inventory* in a perpetual system, and a *credit to accounts payable*. For the account affected, the auditor will evaluate whether or not a step or process within the system *supports one or more of management's assertions.* -A *requirement* that each recorded sale be supported by an order signed by a customer supports management's assertion of *occurrence* in that having a signed purchase order provides evidence that a *sale did occur. * -A *policy* that the accounting clerk notify a supervisor whenever an internally generated sales order is presented out of sequence supports the assertion of *completeness* in that tracing all sales orders to the accounting records will provide evidence that *all sales transactions have been recorded.* *Revenue Cycle (Sales Revenue / Accounts Receivable / Cash Receipts)* The revenue cycle of a business consists of *sales, billings, and collections*. In order to properly segregate the incompatible functions of *authorization, recording, and custody,* the activities may include specific employees with each of the following duties. This list should be reviewed simply to make sure you are comfortable with the meaning of each job title: -*Sales clerk* - Accepts orders from customers and prepares written sales orders using internal *preprinted* forms *prenumbered* and *numerical controlled (PPN)* *(recording)*. -*Credit manager* - Approves customer credit on orders *(authorization)*. -*Warehouse clerk* - Holds goods in inventory awaiting requests for shipment *(custody)*. -*Shipping clerk* - Removes items from inventory to ship to customer *(custody)*. -*Billing clerk* - Prepares sales invoices to send to customers *(recording)*. -*Receivables clerk* - Posts sales and collections to individual customer accounts based on sales invoices and remittance advices, respectively *(recording)*. -*General ledger bookkeeper* - Posts journal entries for sales and collections *(recording)*. -*Mail room clerk/receptionist* - Opens mail containing customer checks (or cash) and remittance advices, prepares a prelist of checks, referred to as a remittance listing, and directs these items to appropriate parties within the system *(custody)*. -*Cashier* - Receives checks, prepares deposit slip, and deposits funds at the bank *(custody)*. -*Cash receipts clerk* - Receives remittance listing and posts to cash receipts journal *(recording)*. -*Receiving clerk* - Receives all goods that are being returned and returns them to inventory *(custody)*. -*Treasurer* - Approves credit memos for returns and write-offs of uncollectible accounts *(authorization)*. -*Controller/Internal Audit* - Bank reconciliations and analyses of past-due accounts receivable should be performed by individuals independent of cash receipts and disbursements *(comparison)*. A system may not necessarily include all of the above employees, and sometimes a function may be performed by another employee or one of the above employees identified by a different title. For example, all of the clerks involved in recording may simply be called bookkeepers. Also, the system will include periodic reconciliations, such as reconciling the bank account, that may be performed by virtually any employee who is not involved in the preparation of either of the two types of records being compared and does not have custody of resources being compared to recorded amounts. A key aspect of *segregation of duties* is that an employee who is responsible for *one* of the three functions *(authorization, recording, custody)* should not be involved in either of the *other two*.

Big question

Whether or not we can *RELY* on controls