ITAC Quiz 2
What does "pencils down" mean and why is it important?
"Pencils down" refers to the number of days (typically referred to in business days) prior to a planned filing when an outsourced XBRL solution provider requires a final version of the document.
Conceptually when does the purchasing process begin?
(1)Begins when inventory levels drop to a predetermined reorder point
What internal control procedure(s) would provide protection against the following threat? The company's Web site was unavailable for seven hours because of a power outage.
- A UPS can power a system for a time, but most are unlikely to be able to power a system for seven hours. - Two better options are 1) Backup power generators capable of running the web site for seven hours 2) Real-time mirroring, with the system switching over to the other site when the system went down.
What internal control procedure(s) would provide protection against the following threat? Unauthorized disclosure of buying habits of several well-known customers.
- Access to customer information should be restricted using User IDs, passwords, and an access control matrix. - Employees given such access need to be trained to follow the organization's privacy policies. - In addition, encryption of the data would prevent snooping by IT employees who do not have direct access to the application system. Otherwise, such employees may be able to use their access to the operating system to view data.
What internal control procedure(s) would provide protection against the following threat? A sales clerk sold a $7,000 wide-screen TV to a friend and altered the price to $700.
- All product prices and sales discounts maintained in the system - Use of barcodes and RFID tags to identify the product and sales price - A system configured to give sales clerks read-only access to pricing data to prevent them from changing the price. - Supervisor approvals for any needed changes or discounts to the listed price - A log of all system overrides and supervisor changes to prices
What internal control procedure(s) would provide protection against the following threat? Loss of all information about amounts owed by customers in New York City because the master database for that office was destroyed in a fire.
- Data: Regular backups with copies being stored off-site. - Hardware and software: Hot or cold site arrangements for both - Recovery: Disaster recovery plan developed, tested, and in place
Some products, such as music and software, can be digitized. How does this affect each of the four main activities in the revenue cycle?
- Digitized products do not change the four basic business activities of the revenue cycle. For all products, whether digitized or not, an order must be taken, the product shipped, the customer billed, and cash collected. - The only thing that digitized products change is inventory management as products do not need to be removed from a warehouse to be delivered. However, a copy of a product must be shipped (usually electronically, but in some cases it may need to be burned on a DVD and then shipped).
What internal control procedure(s) would provide protection against the following threat? Posting the sales amount to the wrong customer account because a customer account number was incorrectly keyed into the system.
- If the transactions are being entered online, closed loop verification could be used. The system could respond to the operator entering the account number by retrieving and displaying the customer's name for the operator to review. - If the transactions are being entered in batches, redundant data such as the first five characters of the customer's name could be included in each input record; after finding a match on customer account number, the system would also verify that the name characters match before posting the transaction. - Note that a validity check would only tell you if a valid customer number was entered, not if the correct valid customer number was entered. Likewise, check digit verification could tell you if the customer number existed, but not if it was the right customer number.
What internal control procedure(s) would provide protection against the following threat? Theft of cash by a waiter who destroyed the customer sales ticket for customers who paid cash.
- In a manual system, all sales tickets should be prenumbered and accounted for so management can detect missing sales tickets. - In many restaurant systems, waiters cannot get food out of the kitchen without entering a customer order into the system. The system creates a prenumbered sales document that must be cleared by the waiter that day. This prevents the waiter from destroying sales tickets and giving people free food. - The ending inventory of food is counted and compared to the projected ending inventory to determine if food items are missing. This check is most frequently used for expensive items of food like steak, shrimp, lobster, etc.
What internal control procedure(s) would provide protection against the following threat? Theft of funds by the cashier, who cashed several checks from customers.
- In order to cover up this theft, the cashier has to be able to alter the accounts receivable records. Otherwise, a customer who is subsequently notified that they are past due will complain and provide proof that they sent in payment. Therefore, the critical control is to segregate the duties of handling cash and making deposits from the maintenance of accounts receivable records. - One way to control cash receipts is shown below. The mailroom creates a cash prelist, sends a copy to a 3rd party, and sends the checks to the cashier. The cashier prepares duplicate deposit slips, sends the original to the bank with the checks, and sends a copy to the 3rd party. When the checks are deposited, the bank sends a copy of the validated deposit slip to the 3rd party, who compares all three documents to make sure all cash is deposited.
What internal control procedure(s) would provide protection against the following threat? Theft of checks by the mailroom clerk, who then endorsed the checks for deposit into the clerk's personal bank account.
- In order to cover up this theft, the mailroom clerk has to be able to alter the accounts receivable records. Otherwise, a customer who is subsequently notified that they are past due will complain and provide proof that they sent in payment. Therefore, the critical control is to segregate duties so that whoever opens the mail does not have the ability to maintain customer accounts. - If accounts receivable updates the records based on a cash receipts pre-list instead of the actual checks, the mailroom clerk could conceivably lap payments. To prevent this, the cash receipts pre-list could be compared to the checks before the list is sent to accounts receivable. The checks should not be sent to accounts receivable as the accounts receivable clerk could perform the lapping. - Other deterrents to theft of checks by the mailroom clerk include having two people open the mail, using video cameras to tape the check opening process, and utilizing a bank lockbox.
What internal control procedure(s) would provide protection against the following threat? Theft of goods by the shipping dock workers, who claim that the inventory shortages reflect errors in the inventory records.
- Inventory clerks should count and document goods (on paper or by computer) as they leave inventory storage. Shipping personnel should be required to count and document receipt of goods from the finished goods storeroom to acknowledge responsibility for custody of the goods transferred. - Counting goods when they are received and when they are sent to inventory storage as well as when goods leave inventory storage and are sent to shipping helps maintain control over inventory. Reconciling the two sets of counts makes it more difficult for employees to steal inventory as it is received and shipped.
What internal control procedure(s) would provide protection against the following threat? Lost sales because of stockouts of several products for which the computer records indicated there was adequate quantity on hand.
- Regular physical inventory counts need to be made, the results compared to recorded amounts on hand, and needed adjustments to inventory quantities made. - In this scenario, it is possible that the judgment as to what is "adequate quantity on hand" was inaccurate. This quantity can be improved using an accurate sales forecasting system and frequently reviewing and revising the forecasts as needed.
What internal control procedure(s) would provide protection against the following threat? A shipping clerk who was quitting to start a competing business copied the names of the company's 500 largest customers and offered them lower prices and better terms if they purchased the same product from the clerk's new company.
- Shipping clerks should not have access to customer account information. - Access (and attempted access) to customer records should be logged and reports reviewed to verify that only authorized employees see that information.
Procurement cards are designed to improve the efficiency of small noninventory purchases. What controls should be placed on their use? Why?
- Since the primary benefit of procurement cards is to give employees the ability to make small non-inventory purchases necessary for their area of responsibility -- be it office supplies, computer or office equipment, or meals and/or travel expenses -- a formal approval process for all purchases would negate the benefit of the procurement card. Therefore, the focus of procurement card controls should be on the initial issuance of the card and subsequent reviews and audits of purchases made by employees entrusted with procurement cards. - Employees receiving cards must be properly trained in their proper use and in the procurement card controls implemented by the organization. If employees know that any purchase they make can be the subject of subsequent review and audit, they are more likely to make legitimate purchases. - Subsequent reviews and audits must also require proper documentation related to each purchase made with the procurement card. During procurement card training, it should be emphasized that employees will be required to produce original receipts or other formal documentation for all items purchased. - Budgets and detailed variance analyses are an important detective control to identify potential problems before they get too large.
Why is the audit trail an important control?
- The audit trail is a detective control used to verify the accuracy and completeness of transaction processing. Tracing a set of source documents forward through the journal entries that updated the general ledger verifies that the transactions were actually recorded. Tracing changes in general ledger accounts back to source documents provides a way to verify that the transactions did indeed occur and that they were recorded correctly. - Although an accounting system should employ a variety of processing integrity controls to prevent errors from occurring, preventive controls are never 100% effective. Therefore, they need to be supplemented with detective controls like an audit trail.
COSO's monitoring principles
- The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning. - The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.
What internal control procedure(s) would provide protection against the following threat? Shipping goods to a customer but then failing to bill that customer.
- To prevent this from occurring deliberately, it is necessary to segregate the shipping and billing functions. - To prevent this from happening by accident, the system needs to automatically bill customers for shipments. The system should also be configured to periodically reconcile all shipments with billings and generate reports of unbilled shipments for management review and corrective action.
What internal control procedure(s) would provide protection against the following threat? Making a credit sale to a customer who is already four months behind in making payments on his account.
- Up-to-date credit records must be maintained to control this problem. During the credit approval process, the credit manager should review the accounts receivable aging schedule to identify customers with past-due balances to prevent additional sales to those customers. Alternatively, the computer system could be programmed to determine if the customer had any past due balances over a specified length of time (such as 60 days). If not, the sale would be approved. If they had a past-due balance, a notice could be sent to the credit manager who could review the sale and make a decision about extending additional credit. - A credit limit check would not be sufficient, because a customer could have a balance below the credit limit but be past due. A computer system could be programmed to check both credit limit and past due accounts and authorize sales. Sales not passing either the credit limit or the past due test would be sent to the credit manager for a decision.
One function of the AIS is to provide adequate controls to ensure the safety of organizational assets, including data. However, many people view control procedures as "red tape." They also believe that instead of producing tangible benefits, business controls create resentment and loss of company morale. Discuss this position.
- Well-designed controls should not be viewed as "red tape" because they can actually improve both efficiency and effectiveness. The benefits of business controls are evident if one considers the losses that frequently occur due to the absence of controls. - Consider a control procedure mandating a weekly backup of critical files. Regular performance of this control prevents the need to spend a huge amount of time and money recreating files that are lost when the system crashes, if it is even possible to recreate the files at all. Similarly, control procedures that require workers to design structured spreadsheets can help ensure that the spreadsheet decision aids are auditable and that they are documented well enough so that other workers can use them. - It is probably impossible to eliminate resentment or loss of morale among all employees, but these factors may be minimized if controls are administered fairly and courteously. - Of course, there is a cost-benefit tradeoff in implementing internal controls. If an organization has too many controls, this may justifiably generate resentment and loss of morale among employees. Controls having only marginal economic benefit may be rejected for this reason. - Another factor is the obtrusiveness of the controls. When the user sees no clear need or purpose for a control, it can appear to be there only to control them and little more than that. When the user does not understand their purpose, controls can often provoke resentment.
What is a test of transactions?
-A test of transactions is a system audit procedure used for compliance testing -All of the steps in a typical business transaction are tested -As the transaction is processed, for each step, all affected GL and subledger accounts are checked to verify that the transaction is being processed properly
What is the difference between using check digit verification and using a validity check to test the accuracy of an account number entered on a transaction record?
-Check digit verification detects errors made in entering digits (e.g., typing a 2 instead of a 3). Passing a check digit verification test only ensures that the account number could exist -A validity check verifies that the account number actually does exist, by searching for it in a master file. A validity test requires accessing the relevant master file and takes time to search the account number field in that file to see if it contains a specific value
UDA control breakdowns can be traced to?
-Complexity of spreadsheet and calculations beyond users' understanding or training -Purpose and use of spreadsheet is unknown -Number of spreadsheet users -Input, logic, and interface errors -Lack of documentation by spreadsheet developer -Uses of the spreadsheet's output are unknown -Frequency and extent of changes and modifications to the spreadsheet -Development and testing of the spreadsheet before utilization is not performed and/or documented
Example - HTML and XML Documents
-HTML example: the tags have predefined meaning that describes how the attributes will be presented in a document -XML example: the tags are customized to the user, and the user's application can read and interpret the tagged data.
Spreadsheet Risks
-Improper use of spreadsheet calculations -Spreadsheet failure due to corrupted or damaged file -Inappropriate or unintentional changes to spreadsheet data and formulas -Incorrect or incomplete data being used in calculations -Inappropriate or unintentional changes by inappropriate personnel accessing spreadsheets -Use of dated or unapproved versions -Historical data is lost or corrupted -Complex spreadsheets are developed ad-hoc and errors go undetected -Errors are detected after the financial statements and tax reporting have been released
Where in the Revenue Cycle is inventory reduced?
-Inventory records are updated by a separate department -Inventory control dept. records the reduction in inventory.
Batch Controls
-Reconcile system output with input originally entered into the system -Controls provide assurance that: ***All records in the batch are processed ***No records are processed more than once ***An audit trail of transaction processing is created Batch controls are used to manage the high transaction volumes in batch processing systems
Why do we need spreadsheet controls?
-Spreadsheets lack system-wide, general controls. Almost any employee can create, access, manipulate, and distribute spreadsheet data. -As a result, any employee can make a critical error while manually entering data, creating formulas, changing cell references.
What is a suspense account?
-Suspense accounts are a way to enter part of a transaction when not all of the details of the transaction are known -Suspense accounts provide for timing differences that occur in the real world -A suspense account entry is made to record the transaction until the rest of the transaction data is available (i.e. invoice received) **This account is used to estimate the unrecorded liabilities
Should every company switch from the traditional three-way matching process (purchase orders, receiving reports, and supplier invoices) to the two-way match (purchase orders and receiving reports) used in evaluated receipt settlement (ERS)? Why, or why not?
-Switching to ERS simplifies accounts payable and eliminates a major source of problems: inconsistency between supplier invoices and prices quoted when placing the order. However, ERS requires firm commitments to prices by suppliers - which may not be feasible for certain types of products like commodities. -ERS also requires that receiving dock employees exercise great care in counting merchandise received. -It also requires configuring the information system to automatically calculate and track payment due dates without the benefit of a reminder provided by receiving a supplier invoice
Describe XBRL - Implications on the Accounting Profession
-Taxonomy Errors: invalid mapping may cause material misrepresentation of financial data -Validation of instance documents: ensure that appropriate taxonomy and tags have been applied ^^^^#1 Bottleneck -External Audit scope & timeframe impacts ARE UNKNOWN (potential impact on auditor responsibility as a consequence of real-time distribution of financial statements)
What are SAP docs used for the Audit Trail?
-The SAP system records all steps in a transaction in a series of documents -A given transaction step may produce one or more documents -Because of the integration, transactions done in one part of the system (such as the material management module in SAP) will generate parallel activities in other parts of the system (such as the financial accounting module in SAP) -These documents are automatically generated by the system - this is termed "automized account determination" -This means that the system is configured so that there is no need to make manual journal entries
Systems and Sub-Systems
-Time lag exists between transfer of physical assets to the company and the payment of the financial asset -Two economic events exist: physical and financial ***subsystems are created to capture each event
Describe important control procedures for the GL and Financial Reporting Cycles
-Transaction authorization - journal vouchers must be authorized by a manager in each recording dept -Segregation of duties - G/L accountants (Corporate Accounting) should not: **have recording responsibility for special journals or subsidiary ledgers **prepare journal vouchers **have custody of physical assets
What is Independent Verification
-Verify the accuracy and completeness of tasks that are performed in the revenue cycle. -Independent verification must occur at key points in the process -Errors can be detected quickly and corrected prior to the next step in the process
Describe XBRL: eXtensible Business Reporting Language
-XBRL is an XML-based language for standardizing methods for preparing, publishing, and exchanging financial information -XBRL taxonomies are classification schemes. Advantages: -Companies publish financial information once! -Computers read and interpret the tagged data, so users are not re-keying data -Consumers (you and me) import XBRL data into Excel, Access databases or Tableau to greatly facilitate analysis & the decision-making process.
What are the reasons Internal Control failures occur?
1) Data is not adequately protected 2) Information is available to workers 3) Information is distributed across corporate networks 4) Information is available to customers and suppliers
Effective segregation of duties is sometimes not economically feasible in a small business. What internal control elements do you think can help compensate for this threat?
1) Effective supervision and independent checks performed by the owner/manager may be the most important element of control in situations where the separation of functions cannot be fully achieved. In very small businesses, the owner-manager may find it necessary to supervise quite extensively. For example, the manager could reconcile the bank account, examine invoices, etc. 2) Fidelity bonding is the second form of internal control that is critical for persons holding positions of trust that are not entirely controlled by separation of functions. 3) Document design and related procedures are also important to internal control in this situation. Documents should be required with customer returns to encourage customer audits. - Document design should include sequential prenumbering to facilitate subsequent review. - Where appropriate, employees should be required to sign documents to acknowledge responsibility for transactions or inventories. - In small organizations, management can use computers to perform some of the control functions that humans perform in manual systems. For example, the computer can: ***Check all customer numbers to make sure they are valid - Automatically generate purchase orders and have a member of management or a designated buyer authorize them.
External Reporting Pain Points
1) Excel works poorly with Word 2) No team collaboration or version control 3) Managing change is difficult 4) End-game crunch
Expenditure Cycle Objectives
1) Identify process steps performed during purchases and cash disbursement processes regardless of the technology used 2) Learn the functional departments involved in purchases and cash disbursements and the flow of these transactions through the organization 3) Understand the audit trail - documents, journals, and accounts that support decision making and financial reporting 4) Identify the threats associated with purchase and cash disbursements activities and the controls that reduce these risks
What can go wrong with Input Controls
1) Input errors carry through the entire process 2) Most human involvement occurs in the input stage 3) Easiest place to insert fictitious transactions 4) Easiest place to alter data (intentionally, or unintentionally) 5) Easiest place to lose data
What are the three important functions that controls perform?
1) Preventive -Deter problems 2) Detective -Discover problems 3) Corrective -Detect root cause -Correct problems
Expenditure Process
1) Purchasing Subsystem (receipt of goods from vendor) - Physical Subsystem 2) Cash Disbursements Subsystem (transfer of payment to vendor) - Financial Subsystem
COSO Control Activities Principles
1) Selects and develops control activities 2) Selects and develops general controls over technology 3) Deploys through policies and procedures
How can companies use the data from the source documents to estimate a liability?
1) Send Purchase Order to the Supplier -Send a copy of Purchase Order to AP 2) Receive Goods and Fill out Receiving Report -Send a copy of Receiving Report to AP 3)Calc Amount Owed = Quantity Received (From Rec Report) * Price Per Unit (from Purchase Order)
What are online, real-time processing characteristics
1) Transactions are processed individually as they occur 2) All data processing steps (input, processing, output) take place at one time as the transaction is processed 3) Requires an online (networked) environment, so the master file account codes are available during data entry and can be verified
Post Adjusting Entries - 5 Categories
1)Accruals - reflect events that have occurred for which cash has not yet been paid/received. -Examples? AR, 2)Deferrals - reflect the exchange of cash prior to performance of the related event. -Examples? Deferred Revenue (warranty), gift cards 3)Estimates - reflect a portion of expenses expected to occur over a number of accounting periods - Example? 4)Revaluations - reflect differences between actual and recorded value of an asset or change in accounting principle. 5)Corrections - entries made to correct errors in the GL
Examples of Situations Requiring Testing of Controls in Spreadsheets
1)An ERP system significantly automates the revenue process and reporting of financial information 2)A Purchasing System with EDI that electronically transfers paperless orders and payments from one computer to another 3)Invoicing system automatically bills the customer 4)Complex calculations are performed by computers (commissions, loan loss reserves, inventory re-order points)
Key Duties to Segregate in the Revenue Cycle
1)Approving changes to customer credit and sales order entry. -If both duties are performed by the same person, they could authorize sales to friends/family that are subsequently not paid. 2)Shipping and billing. -If the same person performs both duties, they could ship merchandise to friends/family without billing them. 3)Depositing customer payments and recording accounts receivable. -If the same person performs both duties, they could commit the fraud known as lapping (stealing payments and covering it up by adjusting the accounts so that the customer does not complain about a missing credit). 4)Depositing customer payments and issuing credit memos -If the same person performs both duties, they could steal payments and create a credit memo to cover up the theft and adjust the customer's account so that they do not complain about a missing credit. 5)Depositing customer payments and reconciling the bank account -If the same person did both duties, they could steal cash and cover up the difference by listing fraudulent bank expenses to adjust the cash balance. 6)Recording accounts receivable and issuing credit memos. -If the same person performed both tasks, they could write off their friends' and family's accounts receivable.
COSO Internal Controls has five components. COSO ERM has the same five components, with an additional three components added. Which of the following are among the three added components?
1)Event identification 2)Objective setting 3)Risk response
What are the most challenging aspects of XBRL for large accelerated filers?
1)Final Review Process/Validation 2)Mapping/Tag Selection 3)Proper Handling of Negative Values 4)Internal Team's Level of XBRL Competency 5)Getting Educated on XBRL 6)Tagging/XBRL Exhibit Preparation 7)Pencils Down Period Associated w/ Outsourced XBRL Services 8)Experience Working w/ Outsourced XBRL Service Provider 9)Number of Respondents
Which of the following are part of an internal environment? a)Principles of value creation b)Commitment to integrity, ethical values, and competence c)Management's philosophy, operating style, and risk appetite d)Internal control oversight by the board of directors e)Effective management to auditor communication
1)Internal control oversight by the board of directors 2)Management's philosophy, operating style, and risk appetite 3)Commitment to integrity, ethical values, and competence
The COBIT 5 framework describes best practices for the effective governance and management of IT. It is based on five key principles of IT governance and management. Which of the following are among the five key principles?
1)Meeting stakeholders' needs 2)Enabling a holistic approach 3)Covering the enterprise end-to-end
Who uses spreadsheets?
1)Operational- track and monitor workflow of business processes (i.e. unpaid invoices) 2)Analytical- supports analytical review for management decision making 3)Financial - used to quantify financial statement transactions or adequacy of balances in the general ledger
Procure-to-Pay Process
1)Purchase Req 2)Purchase Order 3)Notify Vendor 4)Vendor Shipment 5)Goods Receipt 6)Invoice Receipt 7)Payment to Vendor
Sample Tests of Controls for Spreadsheets
1)Review the corporate policy on access security -Verify that the access security policy is implemented and access is monitored 2)Review SOD documentation to determine if individuals or groups are performing incompatible functions 3)Review systems documentation and maintenance records -Verify that maintenance programmers are not also design programmers
Sales Process
1)Sales Order Entry 2)Check Availability 3)Pick Materials 4)Post Goods Issue 5) Invoice Customer 6)Receipt of Payment
Three Rules for Segregation of Functions (For Business Process in General)
1)Transaction authorization should be separate from transaction processing. 2)Asset custody should be separate from asset recording. 3)Recording of journals and ledgers is maintained separately from the general ledger.
Which of the following are basic principles upon which the ERM is built?
1)Uncertainty results in the possibility that something can negatively affect the company's ability to create value. 2)Uncertainty results in the possibility that something can positively affect the company's ability to create value.
What risks are inherent in the "Order-to-Cash Cycle" of the Revenue Cycle?
1)Wrong customer is billed 2)Check could be misappropriated before it was captured by the information system 3)Goods have been shipped but invoice is not prepared 4)The warehouse processes a fictitious picking list.
What are the biggest bottlenecks in the SEC reporting function for large accelerated filers?
1)XBRL 2)Late Changes 3)Internal Review Process 4)Data Collection 5)Auditor Review Process
Why do we need internal controls?
> 60% of companies experience a major failure in controlling the security and integrity of their data and systems - Operationally, there is a lot of push back on putting controls into place - Advancement of technology -> the right controls aren't implemented when new technology comes into play - Poor tone at the top where management has unrealistic objectives for the company, causing people to circumvent the proper pathways
Purchase order
A document that creates a legal obligation to buy and pay for goods or services
Purchase requisition
A document used only internally to initiate the purchase of materials, supplies, or services
Debit memo
A document used to authorize a reduction in accounts payable because merchandise has been returned to a supplier
Disbursement voucher
A document used to list each invoice being paid by a check
Kickbacks
A fraud in which a supplier pays a buyer or purchasing agent in order to sell its products or services
Nonvoucher system
A method of maintaining accounts payable in which each supplier invoice is tracked and paid for separately
Voucher system
A method of maintaining accounts payable that generates one check to pay for a set of invoices from the same supplier
Evaluated receipts settlement (ERS)
A process for approving supplier invoices based on a two-way match of the receiving report and purchase order
What is Internal Control?
A process to provide reasonable assurance that control objectives are met.
What internal control procedure(s) would provide protection against the following threat? Authorizing a credit memo for a sales return when the goods were never actually returned.
A receiving report should be required before a credit for sales returns is issued. The system should be configured to block issuance of credit memos without the required documentation that the goods have been returned.
Procurement card
A special-purpose credit card used to purchase supplies
Receiving report
A system whereby suppliers are granted access to point-of-sale (POS) and inventory data in order to automatically replenish inventory levels
Vendor-managed inventory
A system whereby suppliers are granted access to point-of-sale (POS) and inventory data in order to automatically replenish inventory levels
Vendor invoices are approved by the _______.
A/P Department
What does A/P do in the Expenditure Cycle?
A/P reconciles invoice, purchase order and receiving report (3-Way Match) -Records transaction in the Purchases Journal & AP sub-ledger A/P reviews Voucher packages each day, identifies items due, sends supporting documents to cash disbursements department. A/P removes the liability from AP sub-ledger and sends AP summary to GL department.
Match the threat to appropriate control procedures. Wasted time and cost of returning unordered merchandise to suppliers
Accept only deliveries for which an approved purchase order exists.
Where in the process of the Expenditure Cycle is the liability recorded?
Accounts Payable periodically summarizes the entries made in the Purchases Journal into a journal voucher which is sent to the General Ledger (G/L) department. Entry in Purchase Journal: Dr. Inventory Cr. A/P
An adjusting entry that is made to reflect events that have occurred but for which cash has not yet been received or disbursed is called a(n)
Accrual
Match the threat to appropriate control procedures. Misappropriation of cash
Adopt a perpetual inventory system. Restrict access to blank checks.
Data analytics refers to
Advanced forms of analysis that can be used to explore large volumes of data and communicate insights
Which of the following is accomplished by corrective controls?
All of the above are accomplished by corrective controls.
Immediately after the adjusting entries are posted, the next step in the general ledger and reporting system is to prepare
An Adjusting trial balance
Blanket purchase order
An agreement to purchase set quantities at specified intervals from a specific supplier
Step 3: Determine Level of Controls
An appropriate combination of the following general controls should be implemented to mitigate the risks. All spreadsheets, even with low complexity, should have controls 1-6 below: 1) Change Control - process for requesting changes and independent review and sign-off that the change is functioning as intended. 2) Version Control - ensuring only current and approved versions are being used (requires naming conventions and directory structures) 3) Access Control - limiting access at the file level on a central server and assigning appropriate rights (password protected) 4) Input Control - ensuring that reconciliations and checks occur to ensure data is input completely and accurately (validity check) As complexity and importance increase, controls 7-12 below are necessary: 5) Security and Integrity of data - data embedded is current and secure (locking and protecting cells to prevent inadvertent or intentional changes) 6) Documentation - narratives and flowcharts are maintained and kept up-to-date to explain functions of the spreadsheet 7) Backup policy - implement a process to back up each spreadsheet located on central servers and local desktops. 8) Logic Inspection - independent review of the logic in each cell of the critical spreadsheet (review is formally documented) As complexity and importance increase, controls 7-12 below are necessary: 9) Development Lifecycle - applying a standard SDLC to the development process of more critical and complex spreadsheets 10) Archiving - maintaining historical files no longer available to update in a segregated drive and locking them as read-only 11) Segregation of Duties - defining and implementing roles, authorities, responsibilities and procedures for issues such as ownership, sign-off, and usage 12) Overall Analytics - implementing analytics as a detective control to find errors in spreadsheets used for calculations. However, analytics alone are not a sufficient control.
Economic order quantity (EOQ)
An inventory control system that seeks to minimize the sum of ordering, carrying, and stockout costs
Materials requirements planning (MRP)
An inventory control system that triggers production based on forecasted sales
Just-in-time (JIT) inventory system
An inventory control system that triggers production based upon actual sales
Match the threats to the appropriate control procedures Loss of accounts receivable data
Backup and disaster recovery procedures.
Batch Processing
Batch processing characteristics: -Transactions are processed in groups during off-peak processing times to maximize network capacity. Processing occurs in three separate stages: 1)Data is entered (input stage) 2)Master file is updated (processing stage) 3)System-generated reports are produced (output stage)
A(n) ________ helps employees understand management's vision. It communicates company core values and inspires employees to live by those values.
Belief System
The control procedure for restricting access to pricing master data is designed to mitigate the threat of:
Billing Errors
Where in the process of the Revenue Cycle is revenue recognized?
Billing department records the invoice in the sales journal
Describe the audit trail
Bottom to Top: Source Doc -> Journal -> General Ledger -> Financial Statements Top to Bottom: Financial Statements -> General Ledger -> Journal -> Source Documents Accountants should be able to trace in both directions. Sampling and confirmation are two common techniques.
Describe ERM
COSO's Enterprise Risk Management Framework is a new and improved version of the Integrated Control Framework. It is the process the board of directors and management use to set strategy, identify events that may affect the entity, assess and manage risk, and provide reasonable assurance that the company achieves its objectives and goals. The basic principles behind ERM are: - Companies are formed to create value for their owners. - Management must decide how much uncertainty it will accept as it creates value. - Uncertainty results in risk and opportunity, which are the possibilities that something negatively or positively affects the company's ability to create or preserve value. - The ERM framework can manage uncertainty as well as create and preserve value. ERM adds three additional elements to COSO's IC framework: 1) Setting objectives 2) Identifying events that may affect the company 3) Developing a response to assessed risk. The ERM framework takes a risk-based rather than a controls-based approach. As a result, controls are flexible and relevant because they are linked to current organizational objectives. The ERM model also recognizes that risk, in addition to being controlled, can be accepted, avoided, diversified, shared, or transferred. Because the ERM model is more comprehensive than the Internal Control framework, it will likely become the most widely adopted of the two models.
Describe COSO
COSO's Internal Control Framework is widely accepted as the authority on internal controls and is incorporated into policies and regulations that control business activities. However, it examines controls without looking at the purposes and risks of business processes and provides little context for evaluating the results. It makes it hard to know which control systems are most important, whether they adequately deal with risk, and whether important controls are missing. In addition, it does not adequately address Information Technology issues. It has five components: 1) Control environment, which are the individual attributes, (integrity, ethical values, competence, etc.) of the people in the organization and the environment in which they operate. 2) Control activities, which are control policies and procedures that help ensure that the organization addresses risks and effectively achieves its objectives. 3) Risk assessment, which is the process of identifying, analyzing, and managing organizational risk 4) Information and communication, which is the system that captures and exchanges the information needed to conduct, manage, and control organizational operations. 5) Monitoring company processes and controls, so modifications and changes can be made as conditions warrant.
Match the threat to appropriate control procedures. Accidental loss of purchasing data
Carry out a regular backup of expenditure cycle database.
Where in the process of the Expenditure Cycle is cash reduced?
Cash Disbursements performs the following tasks: -Reviews Voucher Package (Invoice, Purchase Order, Receiving Report) for accuracy -Prepares the check -Return paid vouchers to accounts payable, mails the check to the supplier -Entry into Cash Disbursements Journal: Dr. A/P Cr. Cash
What does Cash Disbursements do in the Expenditure Cycle?
Cash Disbursements reviews documents for completeness and accuracy and prepares the payment for approval and signature.
Where in the Revenue Cycle is cash increased?
Cash receipts dept. records the payment in the cash receipts journal
Field Check
Characters in a field are proper type -Text (alpha), integer (numeric), date
What is SAP's generic corporate structure?
Client - an indiv customizable working environment Company - an indep legal entity w/ its own IS and BS Plant - the entity to which all logistical data are linked Storage Location - used for registration of materials into stock
Voucher package
Combination of a purchase order, receiving report, and supplier invoice that all relate to the same transaction
Validity Check
Compares data from transaction file to that of master file to verify existence -Compares actual field values against acceptable or standard values -Used to verify transaction codes, state abbreviations, employee job codes -Frequently used in cash disbursement systems to prevent making a fraudulent payment to a fictitious vendor -Input Control: matches vendor # on CD voucher against valid vendor list. If the code does not match, payment is denied and management reviews the transaction
How can we mitigate the risks of spreadsheet errors?
Compliance with SOX requires a process to ensure general controls are effective over spreadsheets. Five Step Approach: 1) Inventory Spreadsheets - list out all spreadsheets used in the process (use flowcharts and DFDs to identify files used) 2) Risk Assessment - evaluate the use and complexity of spreadsheets; assess the impact ($) and likelihood of financial statement and/or tax reporting error (complexity) 3) Determine necessary level of controls 4) Evaluate existing controls for each spreadsheet 5) Develop action plans for remediation of control deficiencies
Check Digit Verification
Computed from input value to catch typo errors -Control digit is added to the data code as a prefix, suffix or embedded in the middle -During data entry, the system recalculates the check digit to ensure the input is correct -Example: Sum the digits in the code and use the 'sum' as the check digit ***Customer account code with check digit AT THE END = 53727 ***System calculates check digit by sum of 1st 4 digits: 5 + 3 + 7 + 2 = 17 ***Check digit of 7 is added to the customer code ***Customer account code with check digit = 53727 Note: This control does NOT catch transposition errors!
Match the threat to appropriate control procedures. Recording and posting errors in accounts payable
Conduct an automated comparison of total change in cash to total changes in accounts payable.
Configurations of SAP
Configuration is the process of making standard software fit your business. SAP, as an example, has: - Over 10k configuration decisions - Data Structuring - Modifications to Code - Customizations - Integration with 3rd parties
Step 2: Risk Assessment Impact Assessment
Considerations for Assessing Impact: 1) Total dollar value processed by the spreadsheet 2) Purpose of the spreadsheet output
Step 2: Risk Assessment Likelihood Assessment
Considerations for Assessing Likelihood: 1) Complexity of the spreadsheet 2) Number of users of the spreadsheet 3) Frequency of changes to the spreadsheet
Which person makes adjusting entries in the general ledger and reporting system?
Controller
Which person makes closing entries in the general ledger and reporting system?
Controller
Who creates adjusting journal entries?
Controller
What are the Key Independent Verification Controls?
Controls exist at the following points: 1)Shipping reconciles the picking ticket document and packing slip with the sales order and verifies the goods sent from the warehouse are correct in type and quantity 2)Billing reconciles the shipping advice with the sales order before preparing the sales invoice 3)General Ledger reconciles journal vouchers from billing, inventory control, cash receipts, and accounts receivable before posting to the general ledger.
Example of a corrective function?
Correcting data entry errors and GL account misclassifications
Which of the following controls could be used to mitigate the threat of uncollectible accounts?
Credit Limits
Current Environment regarding UDAs
Current environment: UDAs are developed by end-users on an ad-hoc basis without consultation from internal audit or consideration of IT controls and management approvals.
Processing Integrity
Data are processed accurately, completely, in a timely manner, and only with proper authorization.
Which document is used to reduce the balance owed to a supplier?
Debit Memo
An adjusting entry that is made to reflect the exchange of cash prior to performance of the related business activity is called a(n)
Deferral
Adjusting entries that are made to recognize revenue that has been received but not yet earned are classified as
Deferrals
Input Controls
Designed into the system at different points in the business process, depending on whether the data is processed in real time or batch. Prevent and detect errors that occur when transaction data is input prior to data processing. Very important due to high risk of errors.
Match the threats to the appropriate control procedures Orders later repudiated by customers who deny placing them
Digital signatures.
Match the threat to appropriate control procedures. Stockouts
Document all transfers of inventory. Restrict physical access to inventory. Adopt a perpetual inventory system.
Match the threat to appropriate control procedures. Theft of inventory
Document all transfers of inventory. Restrict physical access to inventory. Adopt a perpetual inventory system.
Picking ticket
Document that authorizes removal of merchandise from inventory
Credit memo
Document used to authorize reducing the balance in a customer account
Bill of lading
Document used to establish responsibility for shipping goods via a third party
Lockbox
Document used to establish responsibility for shipping goods via a third party
Back order
Document used to indicate stock outs exist
Cancelling all supporting documents when payment is made to a supplier is a control procedure designed to mitigate the threat of:
Duplicate Payments
How does COSO clarify req's for effective IC?
Effective internal control provides reasonable assurance regarding the achievement of objectives AND requires that: 1) Each component and each relevant principle is present and functioning 2) The five components are operating together in an integrated manner
Which of the following controls could be used to mitigate the threat of unauthorized disclosure of sensitive information in the expenditure cycle?
Encryption
What internal control procedure(s) would provide protection against the following threat? Interception and theft of customers' credit card numbers while being sent to the company's Web site.
Encryption of credit card information prior to transmitting over the Internet. Typically this involves using SSL.
Evaluated Receipt Settlement reduces the threat of:
Errors in Supplier Invoices
An adjusting entry that is made to record a portion of expenses that are expected to occur over multiple time periods is called a(n)
Estimate
What does COSO call an incident, whether positive or negative, that affects the implementation of an organization's strategy or the achievement of its objectives?
Event
Two ways to create processing integrity controls in Excel spreadsheets are to use the built-in Data Validation tool or to write custom code with IF statements. What are the relative advantages and disadvantages of these two approaches?
Excel provides a "Data Validation" tool on the Data tab - The Data Validation tool serves as a "wizard" to program a variety of input editing/processing controls. For example, if you want to limit the values in cell A1 to be between 18 and 65, you could use the Data Validation tool to program this range check - The "Input Message" tab can be used to inform the user what values are permissible. The "Error Alert" tab can be used to create an error message that will be displayed if the values are not permissible (in the case of this example, if the values are either less than 18 or greater than 65). The same range check could be programmed using an IF statement, as follows: =IF(AND(A1>=18,A1<=65),"","Error: values must be between 18 and 65") - An IF statement consists of three arguments, separated by commas: =IF(first argument, second argument, third argument). The first argument is the test to be performed, the second controls what happens if the test is true, and the third argument controls what happens if the test is false. In this example, the first argument is testing whether the value in cell A1 is between 18 and 65, inclusive. The second argument directs that if the test is true, no error message should be displayed (the two double-quote marks indicate that nothing will be displayed). The third argument controls what happens if the test is not true. In this example, if the value entered into cell A1 is less than 18 or greater than 65, the message "Error: values must be between 18 and 65" will be displayed. The Data Validation tool is easier to use. However, it is limited to performing tests of just one condition. More complex tests require the IF function. For example, perhaps we want to treat values of 18, 19, and 20 differently from values 21-65.
This can be done by nesting IF statements, as follows: =IF(A1>=18,IF(A1<21,"value is 18-20",IF(A1<=65,"value is between 21 and 65","Error: value must be less than or equal to 65")),"Error: Value must be greater than or equal to 18") -This formula works as follows: Step 1: the first IF statement tests whether the value in cell A1 is greater than or equal to 18. If it is true, then it proceeds to evaluate the second if statement. If the value entered is less than 18, it returns the final error message: "Value must be greater than or equal to 18" Step 2: If the first IF statement is true (i.e., the value in cell A1 is greater than or equal to 18) the next test is whether the value is less than 21. If it is, then the message "value is 18-20" is displayed. If the value in A1 is greater than or equal to 21, a third test is performed, testing whether it is less than or equal to 65. -Writing IF statements requires careful thought, but provides total flexibility in creating very complicated processing integrity checks.
What is the name of the law Congress passed to prevent companies from bribing foreign officials?
FCPA
Match the threat to appropriate control procedures. Failing to take available purchase discounts for prompt payment
File invoices by due date. Maintain a cash budget.
Internal Control Objectives:
Financial Objectives: 1) Safeguard assets. 2) Maintain records in sufficient detail to report company assets accurately and fairly. 3) Provide accurate and reliable information. 4) Prepare financial reports in accordance with established criteria. Operational Objectives: 5) Promote and improve operational efficiency. 6) Encourage adherence to managerial policies. 7) Comply with applicable laws and regulations.
Financial Reporting Process Steps
Financial Reporting is the final step in the overall accounting process that begins with transaction processing. Identify the missing steps in the Financial Reporting process. 1)Capture the transaction 2)Record in Special Journal 3)Post in Subsidiary Ledger 4)Post to General Ledger 5)Prepare the unadjusted trial balance 6)Prepare adjusting entries 7)Post Adjusting Entries 8)Prepare Adjusted Trial Balance 9)Prepare Financial Statements 10)Prepare and post the closing entries 11)Prepare the post-closing trial balance
What does the GL Dept do in the Expenditure Cycle?
General Ledger department receives journal voucher from AP dept and Account Summary from Inventory Control. General Ledger department posts to the general ledger control accounts and files the documents.
Functions of a GL + Reporting System
General ledger systems should: -collect transaction data promptly and accurately. -classify/code data and accounts using COA -validate collected transactions/ maintain accounting controls (e.g., debits = credits). -process transaction data: +post transactions to proper GL accounts +update general ledger accounts and transaction files +record adjustments (AJEs) to accounts -store transaction data. -generate timely financial reports.
What do we know about spreadsheet errors?
In large spreadsheets, the issue is NOT if an error exists, but how many errors exist -Research shows that ~ 40% of spreadsheets contain errors - one study was as high as 88% The perfect storm - spreadsheets & fraud? -Companies are focused on spreadsheet controls to prevent and detect innocent errors, as well as fraud
Segregation of Duties - SOD
Incompatible Job Functions To maintain proper Segregation of Duties, no employee should be responsible for more than one of the following functions for a single transaction. 1) Record Keeping - creating and maintaining departmental records 2) Asset Custody - Access to and/or control of physical assets 3) Authorization - Reviewing and approving transactions 4) Reconciliation - Assurance that transactions are appropriate and accurate
Limit Check
Input checked against fixed value - Identifies field values that exceed authorized limits - Example: Company policy is that no employee can work more than 44 hours per week - Payroll system input control: insert a limit check on the HOURS WORKED field in the weekly payroll records for values > 44.
Size Check
Input fit within field?
Range Check
Input within low and high range value? -Identifies values outside upper and lower limits -Example: range of pay rates for hourly employees is between $8 and $20 -Payroll system input control: examine the pay rate field of all payroll records to ensure they fall within range of 8 and 20 -Limitation - Control will NOT detect a correct pay rate of $9 that was entered as $15 (use reasonableness check)
An XBRL file presented to end users and that contains tagged data is called a(n)
Instance Document
What does Inventory Control do in the Expenditure Cycle?
Inventory Control prepares a purchase requisition (PR) and sends the PR to Purchasing
Match the threat to appropriate control procedures. Paying for items not received
Issue checks only for complete voucher packages (receiving report, supplier invoice, and purchase order).
Match the threat to appropriate control procedures. Paying the same invoice twice
Issue checks only for complete voucher packages (receiving report, supplier invoice, and purchase order). Cancel or mark "Paid" supporting documents in voucher package when check is issued.
What is financial electronic data interchange (FEDI)?
It is the combination of EFT and EDI that enables both remittance data and funds transfer instructions to be included in one electronic package.
Which of the following controls could be used to mitigate the threat of kickbacks?
Job rotation and mandatory vacations
Financial vs Operational Objectives
Keep in mind that financial controls are not always the same as operational controls. Companies can get overly focused on operational controls and not put enough focus on financial controls (could potentially stem from tone at the top), and vice versa. These must be balanced.
The control procedure of supplier audits is designed to mitigate the risk of:
Kickbacks
Which control would help reduce the threat of cash flow problems?
Lockbox arrangements
Which control would help reduce the threat of theft of cash?
Lockbox arrangements
Match the threats to the appropriate control procedures Cash flow problems
Lockboxes or electronic lockboxes. Cash flow budget
Match the threats to the appropriate control procedures Crediting customer payments to the wrong account.
Mail monthly statements to customers.
What are HTML reports?
Many companies post financial statements on their websites using HTML -Data in HTML reports cannot be processed due to the static nature of the data. Format used to produce Web pages -defines the page layout, fonts, and graphic elements -used to lay out information for display in an appealing manner -using both text and graphics (including pictures) The solution is XBRL -A derivative of XML
An approach to inventory management that seeks to reduce required inventory levels by improving the accuracy of forecasting techniques to better schedule purchases to satisfy production needs is called
Materials Requirements Planning
Credit limit
Maximum possible account balance for a customer
Open-invoice method
Method of maintaining customer accounts that generates payments for each individual sales transaction
Although XBRL facilitates the electronic exchange of financial information, some external users do not think it goes far enough. They would like access to the entire general ledger, not just to XBRL-tagged financial reports that summarize general ledger accounts. Should companies provide external users with such access? Why, or why not?
No, companies should not provide access to their general ledger. Providing external users access to a company's general ledger opens the company up to significant competitive and financial risk.
What are the three risk categories regarding spreadsheets?
Once end users are given the freedom to extract, manipulate, summarize and analyze their data without assistance from IT, the end users inherit certain risks. 1)Data Integrity Risk -No balancing or change management controls 2)Confidentiality Risk -UDA's may not be part of the IT backup process 3)Availability -No control over transmission of data outside of company
Which objective deals with a company's effectiveness and efficiency and the allocation of resources?
Operations Objectives
Explain how the principle of separation of duties is violated in each of the following situations. Also, suggest one or more procedures to reduce the risk and exposure highlighted in each example. An employee of the finishing department walked off with several parts from the storeroom and recorded the items in the inventory ledger as having been issued to the assembly department.
PROBLEM: Employees can commit and conceal fraud when they have access to physical inventory (custody) and to inventory records (recording). SOLUTION: This can be prevented by restricting storeroom access to authorized employees. Likewise, access to inventory records should be limited to authorized employees. Where possible, no storeroom employee should have access to both the physical inventory and the inventory records.
Explain how the principle of separation of duties is violated in each of the following situations. Also, suggest one or more procedures to reduce the risk and exposure highlighted in each example. A cashier prepared a fictitious invoice from a company using his brother-in-law's name. He wrote a check in payment of the invoice, which the brother-in-law later cashed.
PROBLEM: Segregation of duties is violated here because the cashier had the ability to both write the check (custody) and approve the invoice for payment (authorization). SOLUTION: The functions of authorizing invoices for payment and preparing checks for signature should be organizationally independent.
Explain how the principle of separation of duties is violated in each of the following situations. Also, suggest one or more procedures to reduce the risk and exposure highlighted in each example. A payroll clerk recorded a 40-hour work-week for an employee who had quit the previous week. He then prepared a paycheck for this employee, forged her signature, and cashed the check.
PROBLEM: Segregation of duties is violated here because the payroll clerk had the ability to record time worked and to prepare the payroll check (custody). This allowed the payroll clerk to both commit and conceal the fraud. The payroll clerk ignored the authorization process or had the authority to authorize the payment. SOLUTION: These three functions should be segregated. One person should authorize payments, another should record the payments, a third should prepare the check, and a fourth should sign it.
Explain how the principle of separation of duties is violated in each of the following situations. Also, suggest one or more procedures to reduce the risk and exposure highlighted in each example. An accounts payable clerk recorded invoices received from a company that he and his wife owned and authorized their payment.
PROBLEM: The accounts payable clerk had recording duties and he authorized payments. SOLUTION: The functions of recording invoices and authorizing payments should be organizationally independent. In addition, vendors should only be allowed to purchase goods and services from approved vendors. Controls should be put into place to ensure that employees cannot add an unauthorized or unapproved vendor to the vendor master file. The company needs to establish policies and a code of conduct that prohibits conflicts of interest and related party transactions, such as buying goods from a company in which you have an ownership interest.
Explain how the principle of separation of duties is violated in each of the following situations. Also, suggest one or more procedures to reduce the risk and exposure highlighted in each example. An insurance claims adjuster had the check-signing authority of up to $6,000. The adjuster created three businesses that billed the insurance company for work not performed on valid claims. The adjuster wrote and signed checks to pay for the invoices, none of which exceeded $6,000.
PROBLEM: The adjuster had the authorization to add vendors to the vendor master file, authorization to write checks up to $6,000, and had custody of the signed checks. Apparently, the adjuster also had some recording duties (maintaining the vendor master file). SOLUTION: The functions of signing checks for invoices, approving vendors, and maintaining the vendor master file should be organizationally independent. Payments should not be made to anyone that is not on the approved vendor list. Controls should be put into place to ensure that employees cannot add an unauthorized or unapproved vendor to the vendor master file.
Explain how the principle of separation of duties is violated in each of the following situations. Also, suggest one or more procedures to reduce the risk and exposure highlighted in each example. A cashier cashed a check from a customer in payment of an account receivable, pocketed the cash, and concealed the theft by properly posting the receipt to the customer's account in the accounts receivable ledger.
PROBLEM: The cashier had custody of the checks and was responsible for posting (recording) to the accounts receivable ledger. SOLUTION: Custody of the checks and posting to the Accounts Receivable Ledger should be organizationally independent. In addition, there should be an independent reconciliation of the three items: i. dollar amounts of the checks received ii. dollar amounts of the checks deposited in the bank iii. dollar amounts credited to customer accounts.
Explain how the principle of separation of duties is violated in each of the following situations. Also, suggest one or more procedures to reduce the risk and exposure highlighted in each example. A cashier created false purchase return vouchers to hide his theft of several thousand dollars from his cash register.
PROBLEM: The cashier had recording (creating return vouchers), custody (cash in the cash register), and authorization (authorize the return of goods) duties. SOLUTION: These three duties should be performed by three separate people. A cashier should only have custody duties. Cashiers and others with access to cash should not be allowed to have recording or authorization duties. Cashiers should not pay out cash on purchase return vouchers until they are authorized by a supervisor.
Explain how the principle of separation of duties is violated in each of the following situations. Also, suggest one or more procedures to reduce the risk and exposure highlighted in each example. While opening the mail, a cashier set aside, and subsequently cashed, two checks payable to the company on account.
PROBLEM: The cashier who opened the mail had custody of the cash. The cashier opening the mail can pocket the checks and forge a signature, never giving the authorized endorser a chance to be involved. For this reason, many companies have the mail opened by two people or have those opening the mail videotaped. SOLUTION: While the cashier can get away with this fraud for a few weeks or months, the missing checks will eventually be noticed - usually when the customer complains - because the cashier has no way to conceal the fraud (recording function). An investigation would include an examination of the stolen checks and that could lead to the cashier as the person cashing the checks. To be successful in the long term, the cashier needs access to the recording function to indicate that customer accounts are paid so that their complaints do not start an investigation
Explain how the principle of separation of duties is violated in each of the following situations. Also, suggest one or more procedures to reduce the risk and exposure highlighted in each example. Several customers returned clothing purchases. Instead of putting the clothes into a return bin to be put back on the rack, a clerk put the clothing in a separate bin under some cleaning rags. After her shift, she transferred the clothes to a gym bag and took them home.
PROBLEM: The clerk was authorized to accept the return, grant credit, and had custody of the inventory. It is also possible that the clerk may have had the responsibility to record the returns, but did not do so to cover the theft. SOLUTION: All purchase returns should be documented by preparing a customer receipt and recording the return in a purchase returns journal. No cash or credit can be given without the return being authorized by a supervisor and recorded in the data files recorded in the cash register. The purchase returns area should be kept clean and orderly so that returns cannot be "hid" among excess returns. Employees should not be allowed to have gym bags or other personal items that could conceal stolen items in work areas.
Explain how the principle of separation of duties is violated in each of the following situations. Also, suggest one or more procedures to reduce the risk and exposure highlighted in each example. A purchasing agent received a 10% kickback of the invoice amount for all purchases made from a specific vendor.
PROBLEM: The purchasing agent has both recording (prepare the purchase order) and authorization (select a vendor from a list of authorized vendors) duties. The purchasing agent gets custody of cash when the vendor gives her the kickback. SOLUTION: Purchasing agents should only be allowed to purchase goods and services from approved vendors. Controls should be put into place to ensure that employees cannot add an unauthorized or unapproved vendor to the vendor master file. Vendor performance with respect to reliability, quality of goods, and prices charged should be tracked and periodically reviewed. Prices should periodically be compared to those charged by other vendors to make sure they are fair, competitive, and reasonable. Analytical procedures can be performed to track the percentage of business a purchasing agent gives to vendors. The company needs to establish policies and a code of conduct that prohibits conflicts of interest, related party transactions, and kickbacks.
Explain how the principle of separation of duties is violated in each of the following situations. Also, suggest one or more procedures to reduce the risk and exposure highlighted in each example. A receiving clerk noticed that four cases of MP3 players were included in a shipment when only three were ordered. The clerk put the extra case aside and took it home after his shift ended.
PROBLEM: The receiving clerk had custody of arriving goods, counted the goods, and compared the count to a purchase order. The problem is that, while the receiving clerk did not record the purchase order, she did have access to a document that showed the amount ordered. This allows her to steal any excess items shipped without having to record anything to conceal it. SOLUTION: Purchase orders sent to the receiving area should not indicate how many items or cases were ordered, thus helping ensure that all shipments are counted and recorded. The purchasing department should reconcile items received against items ordered.
Internal control is often referred to as a(n) _______, because it permeates an organization's operating activities and is an integral part of management activities.
PROCESS
What internal control procedure(s) would provide protection against the following threat? A fire in the office next door damaged the company's servers and all optical and magnetic media in the server room. The company immediately implemented its disaster recovery procedures and shifted to a backup center several miles away. The company had made full daily backups of all files and stored a copy at the backup center. However, none of the backup copies were readable.
Periodically practicing and testing the backup and restoration process would verify its effectiveness.
Match the threats to the appropriate control procedures Theft of inventory by employees.
Physical access controls on inventory Periodic physical counts of inventory Perpetual inventory system.
Which of the following is a threat to the shipping process?
Picking the wrong items or the wrong quantity.
What are Effective Control Activities?
Policies and procedures to ensure that the appropriate actions are taken in response to identified risks - Control Activities are grouped by COSO into 2 distinct categories: 1) IT Controls —relate specifically to the information systems/AIS environment 2) Physical Controls —primarily pertain to business processes (human/manual activities)
Table 12-1 suggests that restricting physical access to inventory is one way to reduce the threat of theft. How can information technology help accomplish that objective?
Possibilities include: - Electronic locks on all entrances and exits to the inventory area. - Smart card technology where employees must scan their ID card prior to entering/exiting the inventory area. - Biometric access controls (fingerprint reader, face recognition software, etc.) - Attach RFID tags to inventory items and install RFID tag scanners at each exit of the inventory area. - Install and monitor surveillance cameras in the inventory area.
The control procedure for mailing monthly statements to customers is designed to mitigate the threat of:
Posting errors in accounts receivable
Importance of Application Controls
Pre-SOX, many organizations placed all their reliance on manual controls and failed to consider the risks that existed within their IT systems. The Challenge: companies were relying on their systems without understanding how the systems supported their financial and tax reporting objectives. The Result: this practice was a significant oversight and led to material weaknesses in internal control.
Preferred Environment regarding UDAs
Preferred environment: An IT-developed and supported application with standard software development control procedures and generally within the scope of an internal auditor's review.
Example of a detective function?
Preparing account reconciliations
Hiring qualified personnel, segregating employee duties, and controlling physical access to assets and information are examples of what kind of internal controls?
Preventative Controls
Cycle billing
Process of dividing customer account master file into subsets and preparing invoices for one subset at a time
Once end users develop UDAs without assistance from IT, they inherit certain risks. Which one is NOT a risk?
Processing Risk
What are typical Expenditure Cycle Transactions?
Purchase Requisition - an internal request to acquire goods. Purchase Order - A formal order for the goods. This doc = sent to the vendor and requests the goods from the vendor Goods Delivery - a receipt of goods in the receiving department. This event triggers the creation of the receiving doc that verifies the items received Invoice Report - the bill is received from the vendor Payment - the vendor is paid
The control procedure of requiring competitive bidding is primarily designed to mitigate the risk of:
Purchasing at Inflated Prices
What does Purchasing do in the Expenditure Cycle?
Purchasing selects vendor(s) & prepares a purchase order (PO) & updates Open PO file -PO copies are sent to Vendor, Inventory control, AP, and a Blind copy to receiving
What does Receiving do in the Expenditure Cycle?
Receiving clerk receives the goods and reconciles with packing slip and blind copy of PO -Sends receiving report to Inventory Control, Purchasing, and Files hard copy
Match the threats to the appropriate control procedures Errors in customer invoices
Reconciliation of invoices with packing lists and sales orders.
Match the threats to the appropriate control procedures Failure to bill customers.
Reconciliation of invoices with packing lists and sales orders. Segregation of duties of shipping and billing.
Match the threats to the appropriate control procedures Failure to ship orders to customers.
Reconciliation of packing lists with sales orders. Periodic reconciliation of prenumbered sales orders with prenumbered shipping documents.
Match the threats to the appropriate control procedures Mistakes in shipping orders to customers.
Reconciliation of packing lists with sales orders. Use of bar-codes or RFID tags.
The company objective that helps management improve decision making and monitor company activities and performance is called:
Reporting Objective
Match the threat to appropriate control procedures. Purchasing items at inflated prices
Require purchasing agents to disclose financial or personal interests in suppliers. Require purchases to be made only from approved suppliers. Restrict access to the supplier master data. Train employees in how to properly respond to gifts or incentives offered by suppliers.
Match the threat to appropriate control procedures. Purchasing goods of inferior quality
Require purchasing agents to disclose financial or personal interests in suppliers. Require purchases to be made only from approved suppliers. Train employees in how to properly respond to gifts or incentives offered by suppliers. Hold purchasing managers responsible for costs of scrap and rework.
Match the threat to appropriate control procedures. Kickbacks
Require purchasing agents to disclose financial or personal interests in suppliers. Train employees in how to properly respond to gifts or incentives offered by suppliers.
Match the threats to the appropriate control procedures Reduced prices for sales to friends.
Restrict access to master data.
Match the threats to the appropriate control procedures Uncollectible sales
Restrict access to master data. Credit approval by someone not involved in sales.
Match the threats to the appropriate control procedures Unauthorized disclosure of customer personal information.
Restrict access to master data. Encrypt customer information while in storage.
Match the threat to appropriate control procedures. Disclosure of sensitive supplier information (e.g., banking data)
Restrict access to the supplier master data.
Which control could be used to mitigate the threat of inaccurate or invalid general ledger data? a)Audit trail creation and review. b)Reconciliations and control reports. c)Review of all changes to general ledger data. d)Spreadsheet error protection controls.
Review of all changes to general ledger data.
The amount of risk a company is willing to accept in order to achieve its goals and objectives is called
Risk Appetite
Considering the potential of fraud belongs to which component of COSO's Internal Control Model?
Risk Assessment
SoD examples for Expenditure Cycle
Rule 1: Inventory Control (requisitioning) is separate from Purchasing Rule 2: Receiving is separate from AP (recording in subledger) Rule 3: Accounts payable is separate from G/L Group
What is SAP?
SAP is the forms and reports -The database structure is defined "out of the box" -Users of SAP input data using forms -The queries are generated and a report is produced -The concept is fairly straightforward, the difficult part is the overall scale of the system
What is the source document created in the billing process?
Sales Invoice
Which of the following is used to change a customer's accounts receivable balance?
Sales Invoice
Where does SoD take place in the Revenue Cycle?
Sales Order Processing: -Credit authorization separate from sales order processing -Warehouse separate from shipping -Accounts receivable sub-ledger separate from general ledger control account Cash Receipts Processing: -Cash receipts separate from accounts receivable -Accounts receivable sub-ledger separate from general ledger
Revenue Process Subsystems
Sales Subsystem (delivery of goods to customer) -Physical Subsystem Cash Receipts Subsystem (receipt of payment from customer) -Financial Subsystem
What is the name of the law that Congress passed to prevent financial statement fraud, make financial reports more transparent, protect investors, strengthen internal controls, and punish executives who perpetrate fraud?
Sarbanes Oxley Act
Example of a preventative function?
Segregating employee duties
Match the threats to the appropriate control procedures Theft of customer payments.
Segregation of duties of handling cash and maintaining accounts receivable. Lockboxes or electronic lockboxes. Mail monthly statements to customers.
Which of the following documents normally triggers the billing process in the revenue cycle?
Shipping advice received from the shipping department
What internal control procedure(s) would provide protection against the following threat? Billing customers for the quantity ordered when the quantity shipped was actually less due to back ordering of some items.
Shipping personnel should be required to record the actual quantity shipped on the order document and/or enter the quantity shipped into the accounting system, in order that bills can be prepared based upon the quantity shipped rather than the quantity ordered. The system should be configured to generate invoices automatically based on the quantity shipped.
Step 1: Identifying UDAs
Some questions to consider: 1)Is the UDA's use critical in performing key financial, tax or operational control processes (e.g., tax provision)? 2)If the spreadsheet became unavailable, would the loss impact financial and tax reporting? 3)Does a failure in the UDA's integrity represent a likely threat to the reliability of the financial statements, tax liability, or key operational management reports?
CRM system
System that contains customer-related data organized in a manner to facilitate customer service, sales, and retention
FEDI
System that integrates EFT and EDI information
Describe COBIT
The COBIT Framework consolidates systems security and control standards into a single framework. This allows management to benchmark security and control practices of IT environments, users to be assured that adequate IT security and control exist, and auditors to substantiate their internal control opinions and to advise on IT security and control matters. The framework addresses control from three vantage points: 1) Business objectives, to ensure information conforms to and maps into business objectives. 2) IT resources, including people, application systems, technology, facilities, and data. 3) IT processes, including planning and organization, acquisition and implementation, delivery and support, and monitoring and evaluation.
COSO Physical Control Activities
The COSO model specifies six Control Activity classifications: 1. Proper Transaction Authorization 2. Segregation of Duties 3. Project development and acquisition controls 4. Design and use of documents and records 5. Access controls - safeguarding assets, records, and data 6. Independent Verification
Many companies use accounts receivable aging schedules to project future cash inflows and bad-debt expense. Review the information typically presented in such a report. Which specific metrics can be calculated from those data that might be especially useful in providing early warning about looming cash flow or bad-debt problems?
The accounts receivable aging report shows dollar amounts outstanding by number of days past due by customer and by invoice. The following metrics can provide useful early warnings about looming cash flow or bad-debt problems. - The percentage of total accounts receivable categorized by days past due would alert management of categories that are increasing. This could also be reported by customer and by invoice. This way if a particular invoice was not being paid, the company could more quickly identify the invoice, contact the customer, and potentially resolve any problems or disputes about the particular invoice. - Reporting by customer can help to identify chronic "slow paying" customers so that corrective action could be taken such as offering discounts for quick payment, changes in terms, and notifying the credit manager to restrict credit for this particular customer. - The company may have a threshold for each category of past due accounts either in percentages or absolute dollars. A metric could be calculated and presented that highlights the categories exceeding that threshold
The control procedure for separating the duties of the billing and shipping functions is designed to mitigate the threat of:
The failure to bill customers
What should spreadsheet inventory include?
The inventory should include: 1)Name of the spreadsheet 2)Brief description and financial amounts calculated 3)Department responsible for the spreadsheet as well as any other dept that utilizes it 4)Frequency and extent of changes to the spreadsheet
Difference b/w COSO and ERM
The major difference between COSO and COSO-ERM is that COSO-ERM's focus is on a risk-based approach and the components are expanded for this approach (objective setting, event identification, and risk response are added). All of the other components are similar. These orgs = really the thought leaders providing feedback on key issues in our profession
Imprest fund
The method used to maintain the cash balance in the petty cash account
What internal control procedure(s) would provide protection against the following threat? Writing off a customer's accounts receivable balance as uncollectible to conceal the theft of subsequent cash payments from that customer.
The problem usually occurs because the same individual writes off accounts and processes cash payments. Therefore, the best control procedure to prevent this problem is to separate the function of authorizing write-offs of uncollectible accounts from the function of handling collections on account.
What is Effective Monitoring? And what are some examples of ongoing monitoring?
The process for assessing the Effectiveness of 1) IC design and 2) IC operation - Evidence of control adequacy obtained from testing controls and communicating control strengths and weaknesses. Ex of ongoing monitoring - computer modules integrated into routine operations - management reports which highlight trends and exceptions from normal performance in sales, purchasing, production, cash disbursements
What are risks inherent in the Revenue Cycle?
The risk of material misstatement (ROMM) due to revenue recognition mistakes and/or fraud. 1. Early revenue recognition 2. Holding the books open past the close of the accounting period 3. Fictitious sales 4. Failure to record sales returns 5. Side agreements used to alter sales terms and conditions 6. Channel stuffing
A potential adverse occurrence is called a threat or an event. With respect to threats, which of these statements is false?
The timing of when a threat will occur is called the timeframe or timeline.
Separation of the check-writing and accounts payable functions is designed to mitigate the threat of:
Theft of Cash
Should the controller be involved in making decisions regarding the evaluation and recommendation of ways to use IT to improve efficiency and effectiveness? Why, or why not? Should the company's chief information officer make these decisions instead?
There are several reasons why accountants should be involved in decisions about investing in IT and not leave such decisions solely to IS professionals. 1) First, the economic merits of proposed IT investments need to be subjected to the same kind of detailed analysis as any other major capital investment (e.g., plant expansions). Accountants are skilled in making such analyses. 2) Second, the operational feasibility of IT investments must also be evaluated. How will investment affect daily operating procedures? Will the system be able to adapt as the company changes the nature of its operations? As one of the major users of the information system, accountants need to participate in these analyses. 3) Third, what is the long-run viability of the proposed supplier? Here again, accountants can make a valuable contribution by analyzing the long-run economic viability of proposed vendors.
When you go to a movie theater, you buy a prenumbered ticket from the cashier. This ticket is handed to another person at the entrance to the movie. What kinds of irregularities is the theater trying to prevent? What controls is it using to prevent these irregularities? What remaining risks or exposures can you identify?
There are two reasons for using tickets. 1) The theater is trying to prevent cashiers from stealing cash by providing greater control over cash receipts. You cannot get into the theater without a ticket so you never give cash to a cashier without insisting on a ticket. That makes it much harder for a cashier to pocket cash. 2) Prenumbered tickets are also used so cashiers cannot give tickets to their friends. The number of tickets sold at the cashier counter can be reconciled with the number of tickets taken by the usher letting patrons into the theater. - Reconciling the cash in the register to the tickets sold and then reconciling the number of tickets sold to the number collected by the ticket-taker helps prevent the theft of cash and giving tickets away to friends. - Despite these controls, the following risks still exist: 1) The ticket-taker can let friends into the theater without tickets. 2) The ticket-taker may take money from theater patrons, pocketing the cash and letting them enter without a ticket. 3) The cashier and the ticket-taker may collude in selling admittances without issuing tickets and then split the proceeds.
Defining Application Controls
Three types of controls: 1) Manual Controls - performed without assistance of technology (supervisory controls, written authorizations) 2) Automatic Controls - performed by computers, always function as designed 3) IT Dependent Manual Controls (hybrid) - combination of manual and automated processes. Ex: System-generated Receivables Aging report is reviewed by the Receivables Manager for reasonableness.
Which person makes original journal entries in the general ledger and reporting system about events such as dividend payments and payments to creditors?
Treasurer
Remittance advice
Turnaround document returned by customers with payments
What are UDAs?
UDAs can be simple calculations, macros, or complex spreadsheets that gather financial data. -Spreadsheets -Query tools, SQL scripts, and -Databases developed, maintained and used by end-users (not IT developed). Typically these applications are used by business units to process data for financial reporting purposes. UDAs are extensively used for these reasons: -Access to data is readily available -Files are easily customizable -Less costly to develop and maintain by end-users -No need for consultation with the IT department
What are unrecorded liabilities and why are they a major risk to the Expenditure Cycle?
Unrecorded Liabilities exist due to the time lag in the recording process by A/P Example: The PO and Receiving Report are received before the Supplier's Invoice. -Accountants must estimate the liability for all periods prior to the arrival of the invoice from the supplier -Auditors & Tax Professionals need to be aware of unrecorded liabilities at quarter-end to prepare the Tax Provision and Form 10-Q
What is a three-way match?
Upon receipt of the supplier's invoice: A/P reconciles 3 documents 1)PO 2)Receiving Report, and 3)Invoice -Control performed prior to updating the Purchases Journal, and recording the liability.
Match the threats to the appropriate control procedures Excess inventory.
Use of either EOQ, MRP, or JIT inventory control system.
Closed-Loop Verification
Uses input data to retrieve and display related data -When data is entered, additional information is displayed -Examples: ***Enter the employee SSN, and the employee name is displayed ***Enter the customer zip code, and the city and state are displayed ***Enter the supplier ID #, and the supplier address and contact information are displayed
Which control ensures that the master inventory file actually contains an inventory item identified by the number 251184?
Validity Check
Who is the leading XBRL solution provider based on satisfaction rates?
Webfilings
A legal contract that defines responsibility for goods while they are in transit is called
a bill of lading.
The data entry control that would best prevent entering an invoice received from a vendor who is not on an authorized supplier list is
a validity check
Entries that are made to counteract the effects of errors found in the general ledger are called a)Corrections. b)Accruals. c)Estimates. d)Deferrals.
a) Corrections
Effective segregation of accounting duties is achieved when which of the following functions are separated? (Check all that apply.) a)Authorization of transactions and decisions b)Custody of cash and other assets c)Recording transactions and preparing documents and reports d)Supervision of accounting duties and processes e)Managing information systems
a)Authorization of transactions and decisions b)Custody of cash and other assets c)Recording transactions and preparing documents and reports
According to the text, management can respond to risk in which of the following ways? (Check all that apply.) a)Avoid it by not engaging in the activity that produces the risk b)Accept its likelihood and impact c)Share it or transfer it to someone else d)Examine its likelihood and impact e)Prepare for its occurrence f)Reduce its likelihood and impact
a)Avoid it by not engaging in the activity that produces the risk b)Accept its likelihood and impact c)Share it or transfer it to someone else f)Reduce its likelihood and impact
A management report that measures four dimensions of performance: financial, internal operations, innovation and learning, and customer perspectives of the organization is known as a)Balanced Scorecard b)Schema c)Flexible budget d)Extension taxonomy
a)Balanced Scorecard
Identify all the controls that mitigate the threat of picking the wrong items or the wrong quantity of an item: (Check all that apply.) a)Bar-code and RFID technology b)Reconciliation of picking lists to sales order details c)Restriction of physical access to inventory d)Periodic physical counts of inventory, and reconciliation to recorded quantities e)Documentation of all inventory transfers f)Data entry edit controls
a)Bar-code and RFID technology b)Reconciliation of picking lists to sales order details
Identify all the controls that mitigate the threat of theft of inventory: (Check all that apply.) a)Bar-code and RFID technology b)Data entry edit controls c)Reconciliation of shipping documents with sales orders, picking tickets, and packing slips d)Restriction of physical access to inventory e)Documentation of all inventory transfers f)Periodic physical counts of inventory, and reconciliation to recorded quantities g)Reconciliation of picking lists to sales order details
a)Bar-code and RFID technology d)Restriction of physical access to inventory e)Documentation of all inventory transfers f)Periodic physical counts of inventory, and reconciliation to recorded quantities
Identify all the controls that mitigate the threat of shipping errors: (Check all that apply.) a)Bar-code and RFID technology b)Reconciliation of picking lists to sales order details c)Periodic physical counts of inventory, and reconciliation to recorded quantities d)Documentation of all inventory transfers e)Data entry edit controls f)Restriction of physical access to inventory
a)Bar-code and RFID technology e)Data entry edit controls
To achieve proper segregation of systems duties, which of the following system functions should be separated from the other system functions? (Check all that apply.) a)Change management b)Systems analysis c)Programming d)Security management e)Users f)Accounting g)Data control h)Internal auditing
a)Change management b)Systems analysis c)Programming d)Security management e)Users g)Data control
Assume that the XYZ Company wants to create batch totals for a transaction file that contains payments to suppliers. Which of the following fields could be used to create a financial total? (Check all that apply.) a)Check amount b)Vendor number c)Purchase order number d)Quantity purchased e)Gross amount due f)Discount for prompt payment
a)Check amount e)Gross amount due f)Discount for prompt payment
The control that is used to match account numbers with account descriptions, to ensure that the correct general ledger account is being accessed is called a)Closed-loop verification. b)Field (format) checks. c)A completeness test. d)A validity check.
a)Closed-loop verification.
According to internal control frameworks, which of the following principles apply to the information and communication process? (Check all that apply.) a)Communicate relevant internal control matters to external parties b)Monitor all management decisions to ensure they were properly made c)Obtain or generate the information needed to support internal control d)Internally communicate the information needed to support all internal control components e)Audit internal control systems to make sure they function properly
a)Communicate relevant internal control matters to external parties c)Obtain or generate the information needed to support internal control d)Internally communicate the information needed to support all internal control components
Which of the following are ways that companies endorse integrity? (Check all that apply.) a)Developing a written code of conduct that explicitly describes honest and dishonest behaviors b)Consistently rewarding achievements and giving verbal labels to both high and low producers c)Making a commitment to competence, and hiring employees with the necessary knowledge, experience, training, and skills d)Implementing aggressive sales practices and handsomely rewarding those who achieve them and not giving bonuses to those who underachieve e)Requiring employees to report dishonest or illegal acts, and disciplining employees who knowingly fail to report them f)Actively making employees aware that favorable outcomes and reports are more important than almost anything else
a)Developing a written code of conduct that explicitly describes honest and dishonest behaviors c)Making a commitment to competence, and hiring employees with the necessary knowledge, experience, training, and skills e)Requiring employees to report dishonest or illegal acts, and disciplining employees who knowingly fail to report them
Which principles of graph design make graphs easier to read? (Check all that apply.) a)Displaying data values for each bar in a bar chart b)Using 2D rather than 3D bar charts c)Beginning the vertical axis at zero d)Including a meaningful title e)Ordering the x-axis chronologically from left to right
a)Displaying data values for each bar in a bar chart b)Using 2D rather than 3D bar charts d)Including a meaningful title
Which of the following statements are true? (Check all that apply.) a)Management must take an entity-wide view of risk. b)Residual risk is the susceptibility of a set of accounts or transactions to significant control problems in the absence of internal control. c)Management must specify objectives clearly enough for risks to be identified and assessed. d)Inherent risk is the risk that remains after management implements internal controls, or some other response, to risk. e)Management must identify and analyze risks to determine how they should be managed.
a)Management must take an entity-wide view of risk. c)Management must specify objectives clearly enough for risks to be identified and assessed. e)Management must identify and analyze risks to determine how they should be managed.
Which of the following is part of an internal environment? a)Methods of assigning authority and responsibility b)Organizational structure c)Monitoring the achievement of management objectives d)Commitment to risk assessment and response e)Human resource standards that attract, develop, and retain competent individuals
a)Methods of assigning authority and responsibility b)Organizational structure e)Human resource standards that attract, develop, and retain competent individuals
Which of the following controls could be used to mitigate the threat of accepting unordered items? a)Requiring existence of approved purchase order prior to accepting any delivery. b)Configuration of the ERP system to flag discrepancies between received and ordered quantities that exceed tolerance threshold for investigation. c)Supplier audits. d)Use of bar codes and RFID tags.
a)Requiring existence of approved purchase order prior to accepting any delivery.
Which statement(s) about graphic design are true? a)Reversing the sequence of years on the x-axis causes an increasing trend to look like a decreasing trend. b)Starting the y-axis at a point other than zero ensures that the magnitude of any trend is accurately portrayed. c)All of the statements are true. d)Starting the y-axis at zero causes an increasing trend to look like a decreasing trend.
a)Reversing the sequence of years on the x-axis causes an increasing trend to look like a decreasing trend.
According to the text, which of the following are key methods of monitoring internal control system performance? (Check all that apply.) a)Use responsibility accounting systems b)Implement effective supervision c)Install fraud detection software d)Observe employees implementing the controls e)Schedule periodic government inspections f)Track purchased software and mobile devices
a)Use responsibility accounting systems b)Implement effective supervision c)Install fraud detection software f)Track purchased software and mobile devices
To minimize the risk of the theft of cash, the person who handles customer payments should not also have the duties of: (Check all that apply.) a)posting remittances to customer accounts. b)creating or authorizing credit memos. c)picking merchandise. d) taking customer orders. e)reconciling the bank account.
a)posting remittances to customer accounts. b)creating or authorizing credit memos. e)reconciling the bank account.
Which internal control procedure would be most cost-effective in dealing with the following expenditure cycle threat? Receiving-dock personnel steal inventory and then claim the inventory was sent to the warehouse.
a. Count all deliveries and record counts on a receiving report. b. Require warehouse personnel to count the goods received when they are transferred to the warehouse and acknowledge receipt of the specified quantity by signing the receiving report. c. Have accounts payable personnel review the signed receiving report copy (signed by both the receiving department and the warehouse personnel) prior to approving payment.
Which internal control procedure would be most cost-effective in dealing with the following expenditure cycle threat? Inventory records show that an adequate supply of copy paper should be in stock, but none is available on the supply shelf.
a. Count physical inventory periodically. b. Correct system records using the count.
Which internal control procedure would be most cost-effective in dealing with the following expenditure cycle threat? The petty cash custodian confesses to having "borrowed" $12,000 over the last five years.
a. Create a petty cash imprest fund and only replenish it based on receipts documenting how the funds were used b. Conduct periodic surprise counts of petty cash on hand to verify that the total of cash plus receipts equals the fund amount.
Which internal control procedure would be most cost-effective in dealing with the following expenditure cycle threat? The company fails to take advantage of a 1% discount for promptly paying a vendor invoice.
a. File invoices by discount date b. Maintain a cash budget
Which internal control procedure would be most cost-effective in dealing with the following expenditure cycle threat? A fictitious invoice is received and a check is issued to pay for goods that were never ordered or delivered.
a. Program the system so that it only prints checks to approved suppliers listed in the database b. Restrict access to the supplier master data. c. Require appropriate background checks and management approvals before adding a new supplier to the supplier master data d. Review changes to the supplier master data periodically e. Require supporting documents (purchase order and receiving report) for each invoice that is paid f. Require the person who authorizes disbursements to review the purchase order and receiving report, as well as the invoice. g. Segregate duties by having the person signing checks be different from the person authorizing disbursements and preparing checks h. Ensure that the check signer reviews the invoice, purchase order, and receiving report supporting each disbursement prior to signing a check. i. Deface the invoice and all supporting documents (such as marking them paid) so they cannot be used to support the payment of a duplicate invoice
Which internal control procedure would be most cost-effective in dealing with the following expenditure cycle threat? A purchasing agent orders materials from a supplier that he partially owns.
a. Require a purchase requisition from an operating department as authorization for the preparation of all purchase orders. b. Require purchasing manager, before approving PO, to - Review the purchase requisition - Ensure that orders are placed only with approved vendors c. Require purchasing agents to disclose any financial interest in supplier companies, though this may be difficult to enforce. d. Ensure that purchasing agents do not have investments in vendors on the approved vendor list.
Which internal control procedure would be most cost-effective in dealing with the following expenditure cycle threat? A clerk affixes a price tag intended for a low-end flat-panel TV to a top-of-the-line model. The clerk's friend then purchases that item, which the clerk scans at the checkout counter.
a. Restrict access to price tags so that cashiers do not have access to price tags b. Segregate duties by not letting stocking clerks work as cashiers. c. Monitor check-out clerks, either live or by closed-circuit cameras, to deter fraud. d. Hire honest and ethical employees by conducting effective interviews, checking references, and conducting background checks if cost effective
Which internal control procedure would be most cost-effective in dealing with the following expenditure cycle threat? A purchasing agent adds a new record to the supplier master file. The company does not exist. Subsequently, the purchasing agent submits invoices from the fake company for various cleaning services. The invoices are paid.
a. Restrict access to the supplier master file b. Require appropriate background checks and management approvals before adding a new supplier to the supplier master data c. Monitor on a regular basis all changes made to the supplier master data d. Implement budgetary controls and regular analyses of expenses related to services to detect this type of problem, as well as higher-than-expected expenses for a particular department
Which internal control procedure would be most cost-effective in dealing with the following expenditure cycle threat? A company is late in paying a particular invoice. Consequently, a second invoice is sent, which crosses the first invoice's payment in the mail. The second invoice is submitted for processing and also paid.
a. Review related supporting voucher package or records (receiving report and purchase order) before approving an invoice for payment. b. Change the status of the invoice and its supporting records from "pending" to "paid" after payment is made. c. Deface the invoice and all supporting documents (such as marking them paid) so they cannot be used to support the payment of a duplicate invoice.
Which internal control procedure would be most cost-effective in dealing with the following expenditure cycle threat? A clerical employee obtains a blank check and writes a large amount payable to a fictitious company. The employee then cashes the check.
a. Store unused blank company checks in a secure location. b. Segregate duties by having the person reconciling the bank account be different from the person making payments c. Segregate duties by having the person signing checks be different from the person authorizing disbursements and preparing checks d. Ensure that the check signer reviews the documentation (purchase order and receiving report) supporting each disbursement prior to signing each check
Which internal control procedure would be most cost-effective in dealing with the following expenditure cycle threat? An unordered supply of laser printer paper delivered to the office is accepted and paid for because the "price is right." After all of the laser printers are jammed, however, it becomes obvious that the "bargain" paper is of inferior quality.
a. The problem here is that office employees are seldom trained about proper procedures for receiving, because it is assumed that all goods are delivered only to the warehouse. Office employees, like receiving employees, need to be trained not to accept deliveries unless they can verify the existence of an approved purchase order for those goods. b. In addition, companies should not approve and pay invoices unless they can match the invoice to an approved purchase order and receiving report
Which internal control procedure would be most cost-effective in dealing with the following expenditure cycle threat? The inventory records are incorrectly updated when a receiving-dock employee enters the wrong product number at the terminal.
a. Use closed loop verification - The item number is entered as input, the system displays the corresponding item description, and the user is asked to verify that it is the desired b. Use bar-codes or RFID tags to eliminate the need to enter the item number manually.
Reasonableness Check
an edit check of the logical correctness of relationships among data items -Compare one field to another to see if a data relationship is appropriate -Often performed after passing limit and range checks -Company policy: Employees in job code 693 should be paid $18 per hour -Payroll system input control: compares pay rate of $18 per hour with job code of 693
Completeness Check
an edit check that verifies that all data required have been entered
Which control could be used to mitigate the threat of fraudulent financial reporting? a) Balanced scorecard. b)Audit. c)Responsibility accounting. d)Use of packaged software.
b)Audit.
Which principle of graph design mitigates the threat that the graph will mislead viewers about the magnitude of a trend? a) Including a meaningful title b)Beginning the vertical axis at zero c)Using 2D rather than 3D bar charts d)Displaying data values for each bar in a bar chart e)Ordering the x-axis chronologically from left to right
b)Beginning the vertical axis at zero
Which of the following is not a key method of monitoring internal control system performance? a)Employ a computer security officer. b)Hire private investigators to investigate employee behavior. c)Implement a fraud hotline. d)Perform internal control evaluations.
b)Hire private investigators to investigate employee behavior.
Which principle of graph design mitigates the threat that viewers will mistake an increasing trend for a decreasing trend? a)Beginning the vertical axis at zero b)Ordering the x-axis chronologically from left to right c)Including a meaningful title d)Displaying data values for each bar in a bar chart e)Using 2D rather than 3D bar charts
b)Ordering the x-axis chronologically from left to right
Which of the following control procedures is designed to mitigate the threat of the theft of cash? (Check all that apply.) a)Filing invoices by discount due date b)Physical security of blank checks c)Cash flow budgets d)Requiring that all supplier invoices be matched to supporting documents e)Use of corporate credit cards for travel expenses f)Use of a dedicated computer and browser for online banking g)Restriction of access to the supplier master file h)Positive Pay arrangements with banks
b)Physical security of blank checks f)Use of a dedicated computer and browser for online banking g)Restriction of access to the supplier master file
Which of the following are output controls that help achieve the objective of processing integrity? (Check all that apply.) a)File labels b)Reconciliation procedures c)User review d)Data transmission controls e)Reasonableness test f)Batch totals g)Cross-footing and zero-balance tests
b)Reconciliation procedures c)User review d)Data transmission controls
Identify all the controls that mitigate the threat of mistakes when counting deliveries from suppliers: (Check all that apply.) a)Budgetary controls b)Requiring receiving employees to sign the receiving report c)Use of bar codes and RFID tags d)Not informing receiving employees about the quantities ordered e)Restriction of physical access to inventory f)Documentation of all transfers of inventory g)Segregation of duties of inventory custody and receiving h)Requiring the existence of an approved purchase order prior to accepting any delivery
b)Requiring receiving employees to sign the receiving report c)Use of bar codes and RFID tags d)Not informing receiving employees about the quantities ordered
Which documents are used to create a three-way match when approving the payment of a supplier invoice? (Check all that apply.) a)Credit memo b)Supplier invoice c)Purchase order d)Receiving report
b)Supplier invoice c)Purchase order d)Receiving report
Which section of the Balanced Scorecard would benefit most from collecting data from external parties, rather than relying on internally-generated data? a. Financial b. Customer c. Internal Operations d. Innovation and Learning
b. Customer
Which of the following XBRL components can, if used too much, limit the potential benefits of comparability across organizations? a. Presentation linkbases b. Taxonomy extensions c. Style sheets d. Schemas
b. Taxonomy extensions
The theory underlying the Balanced Scorecard is that improvements in the ______ section will lead to improvements in the ______ section, leading to improvements in the ______ section, ultimately creating better results in the financial section. a. customer, learning & innovation, internal b. learning & innovation, internal, customer c. internal, customer, learning & innovation
b. learning & innovation, internal, customer
Which of the following are important independent checks on performance? (Check all that apply.) a)An independent review where a person double checks the work she performed b)Single-entry accounting c)Analytical reviews that examine relationships between different sets of data d)Reconciliation of independently maintained records.
c)Analytical reviews that examine relationships between different sets of data d)Reconciliation of independently maintained records.
Which of the following is not a SOX requirement? a)The CEO must certify that financial statements were reviewed by management and are not misleading. b)Audit committee members must be on the company's board of directors and be independent of the company. c)Auditors must maintain an audit trail that documents all client-auditor communications. d)Auditors must report specific information to the company's audit committee.
c)Auditors must maintain an audit trail that documents all client-auditor communications.
Assume that the XYZ Company wants to create batch totals for a transaction file that contains all sales invoices. Which of the following fields could be used to create a hash total? (Check all that apply.) a)Total amount of sale b)Customer name c)Customer number d)Quantity sold e)Part number
c)Customer number d)Quantity sold e)Part number
Which of the following controls is designed to mitigate the risk of purchasing goods of inferior quality? a) Collecting and monitoring supplier delivery performance data b)Price lists c)Holding purchasing managers responsible for the costs associated with rework and scrap d)Periodic physical counts of the inventory
c)Holding purchasing managers responsible for the costs associated with rework and scrap
Which of the following does not help safeguard assets, documents, and data? a)Store data and documents in fireproof storage areas or secure offsite locations. b)Restrict access to data and documents. c)Measure the throughput and utilization of data and physical assets. d)Create and enforce appropriate policies and procedures. e)Periodically reconcile recorded asset quantities with a count of those assets.
c)Measure the throughput and utilization of data and physical assets.
Which document is no longer used to approve a supplier payment when a company is using ERS? a)Credit memo b)Receiving report c)Supplier invoice d)Purchase order
c)Supplier invoice
Which of the following statements are true? (Check all that apply.) a)The likelihood and impact of a risk must be considered separately. b)Detective controls are superior to preventive controls; neither is as good as a corrective control. c)The objective of an internal control system is to provide reasonable assurance that events do not take place. d)Some events pose a greater risk because they are more likely to occur. e)The benefits of an internal control procedure are usually easier to measure than the costs.
c)The objective of an internal control system is to provide reasonable assurance that events do not take place. d)Some events pose a greater risk because they are more likely to occur.
The examination of the relationships between different sets of data is called a)comparison of actual quantities with recorded amounts. b)reconciliation of independently maintained records. c)analytical reviews. d) top-level reviews.
c)analytical reviews.
To minimize the risk of the theft of cash, the person who makes cash disbursements should not also have the duties of: (Check all that apply.) a)ordering goods. b)receiving goods. c)reconciling the bank account. d) approving supplier invoices.
c)reconciling the bank account. d) approving supplier invoices.
Violating which of the following principles of graph design would result in distorting the magnitude of a trend in sales? a. Displaying trend data in chronological sequence from left-to-right on the x-axis b. Starting the y-axis at zero c. Neither of the above d. Both of the above
c. Neither of the above
Fraudulent financial reporting is a concern in the GL/reporting cycle. The best control to deal with that potential problem is ______. a. proper segregation of duties b. processing integrity controls such as validity checks c. an independent audit of all adjusting entries d. requiring mandatory vacations for all managers e. prenumbering of all documents
c. an independent audit of all adjusting entries
Creation and review of an audit trail is a detective control that can enable organizations to find and correct problems arising from __________. a. inaccurate updating of the general ledger b. unauthorized adjusting entries c. both a and b d. neither a nor b
c. both a and b
An adjusting entry to record bad debt expense is an example of a(n) ______. a. accrual b. deferral c. estimate d. revaluation e. correction
c. estimate
All of the following controls for online entry of a sales order would be useful except
check digit verification on the dollar amount of the order.
Recognizing advance insurance payments from customers as a liability would result in what type of adjusting entries? a)Accruals. b)Corrections. c)Estimates. d)Deferrals.
d) Deferrals
Which control could be used to mitigate the threat of inaccurate updating of the general ledger? a)Use of packaged software. b)Training and experience in applying IFRS and XBRL. c)Audit. d)Audit trail creation and review.
d)Audit trail creation and review.
Data entry processing integrity controls such as field checks, completeness tests, and closed-loop verification are NOT needed for journal entries made by a)The Treasurer b)All of the listed sources of journal entries (Treasurer, Controller, Other Accounting Subsystems) need to employ field checks, completeness tests, and closed-loop verification to ensure accuracy. c)The Controller d)Other accounting subsystems
d)Other accounting subsystems
Identify all the controls that mitigate the threat of the theft of inventory: (Check all that apply.) a)Not informing receiving employees about the quantities ordered b)Requiring the existence of an approved purchase order prior to accepting any delivery c)Budgetary controls d)Restriction of physical access to inventory e) Requiring receiving employees to sign the receiving report f)Use of bar codes and RFID tags g)Documentation of all transfers of inventory h)Segregation of duties of inventory custody and receiving
d)Restriction of physical access to inventory g)Documentation of all transfers of inventory h)Segregation of duties of inventory custody and receiving
Which of the following XBRL components contains information about which items should be summed to create a category total (e.g., which items comprise current liabilities)? a. Instance document b. Style sheet c. Taxonomy d. Linkbase e. Schema
d. Linkbase
Journal entries made by either the treasurer or controller should be subject to input edit and processing controls. A data entry application control that is designed to ensure that the total debits in a journal entry equal the total credits is called a ______. a. sign check b. equality check c. reasonableness check d. zero-balance check
d. zero-balance check
Safeguarding assets is one of the control objectives of internal control. Which of the following is not one of the other control objectives?
ensuring that no fraud has occurred
Which of the following statements are true? (Check all that apply.) i)Employees who process transactions should verify the presence of appropriate authorizations. ii)Controls are more effective when placed in a system after it is up and running. iii)Systems analysts have the ultimate responsibility for selecting and implementing appropriate controls over technology. iv)Control activities are policies and procedures that provide reasonable assurance that risk responses are carried out. v)Throughput and response time are useful system performance measurements.
i)Employees who process transactions should verify the presence of appropriate authorizations. iv)Control activities are policies and procedures that provide reasonable assurance that risk responses are carried out. v)Throughput and response time are useful system performance measurements.
The purpose of employing data entry processing integrity controls is to mitigate the threat of
inaccurate updating of the general ledger.
Which control procedure is designed to minimize the threat of posting errors to accounts receivable?
mailing of monthly statements to customers
One of the objectives of the segregation of duties is to
make sure that different people handle different parts of the same transaction.
To minimize the risk of theft of consumer remittances, the person who handles and deposits customer payments can also
none of these activities can be performed by the person who handles and deposits customer payments
Which of the following is generally not shown on a receiving report?
price of the items
Sign Check
proper arithmetic sign
Duties in the expenditure cycle should be properly segregated to promote internal control. This means that the authorization functions are performed by _________, the recording function is performed by _________, and cash handling is performed by _________.
purchasing; accounts payable; cash disbursements
Restricting physical access to inventory is designed to minimize the threat of
theft of inventory
Batch Control Total
total dollar value of the transactions that were processed
Record Count
total number of records that were processed
Hash Totals
total of a non-financial field, used to ensure processing was complete. Example: SO#s 14327, 67345, 19983, 88943, 96543 = 287141 is the hash total