ACCT 3303 Chapter 11 Review Questions


Which internal control(s) would you recommend to prevent the following situations from occurring?

1) Authorization of a credit memo for a customer's account (on receivables) when the goods were never actually returned. Documents and records (must require a receiving report before authorizing a credit memo)
2) Theft of funds by the cashier, who cashed several checks and did not record their receipt. Segregation of duties (record keeping and asset custody)
3) Billing customers for the quantity ordered when the quantity shipped was actually less due to back-ordering of some items. Documents and records (cross check the sales order and the packing slip to check whether the quantity ordered is the same as quantity shipped; bill a customer on quantity shipped)

Why would a manager be inclined to use the COBIT framework as a guide for IT governance and management?

COBIT provides a supporting tool set that bridges the gap among IT control requirements, technical issues, and business risks. The COBIT framework: provides a business focus to align business and IT objectives; defines the scope and ownership of IT process and control; is consistent with accepted IT good practices and standards; provides a common language with a set of terms and definitions that are generally understandable by all stakeholders; meets regulatory requirements by being consistent with generally accepted corporate governance standards (e.g., COSO) and IT controls expected by regulators and auditors.

COSO developed two frameworks: the COSO 2013 Internal Control framework and the COSO ERM framework. What are the differences between the two frameworks?

Difference: Internal control is an integral part of enterprise risk management. COSO 2013 Internal Control framework is the basis for existing rules, regulations, and laws. It has been incorporated into this ERM framework. In addition to internal controls, COSO ERM expands the COSO Internal Control framework to provide a broader view on risk management to maximize firm value.

The information system of Carlsbad Bottle Inc. is deemed to be 90% reliable. A major threat in the procurement process has been discovered with an exposure of $300,000. Two control procedures are identified to mitigate the threat. Implementation of control A would cost $18,000 and reduce the risk to 4%. Implementation of control B would cost $10,000 and reduce the risk to 6%. Implementation of both controls would cost $26,000 and reduce the risk to 2.5%. Given the information presented above, and considering an economic analysis of costs and benefits only, which control procedure(s) should Carlsbad Bottle choose to implement?

Expected benefit of an internal control = Impact × Decreased Likelihood
Control A: 300,000 × (10% - 4%) = 18,000 = 18,000 ($18,000 is 6% of $300K)
Control B: 300,000 × (10% - 6%) = 12,000 > 10,000 ($12,000 is 4% of $300K)
Control A&B: 300,000 × (10% - 2.5%) = 22,500 < 26,000 ($22,500 is 6% of $300K)
Carlsbad should implement control B.

There are three types of controls: preventive, detective, and corrective. List some examples of each type.

Preventive controls are designed to deter problems before they arise. Preventive controls require compliance with preferred procedures and thus stop undesirable events from happening. Examples: closed-loop verification, validity check. Detective controls find problems when they arise. These controls are procedures and techniques designed to identify undesirable events after they have already occurred. Examples: bank reconciliations, monthly trial balances. Corrective controls fix problems that have already occurred and been identified; these can include activities such as using backup files to recover corrupted data. Detective controls are often linked to accompanying corrective controls to remediate any issues that are discovered. Examples: disaster recovery planning, periodic backups.

How has the Sarbanes-Oxley Act affected the audit profession and corporate governance of public firms?

SOX requires public companies registered with the SEC and their auditors to annually assess and report on the design and effectiveness of internal control over financial reporting. (Note: only accelerated and large accelerated filers must have an external auditor's report on ICOFR.) An accelerated filer has at least $75M in public float but less than $700M. A large accelerated filer is classified by the SEC as having more than $700M in public float. Public float is the shares of a corporation that are in the hands of the public, not company officers, controlling investors, or governments. SOX also established the Public Company Accounting Oversight Board (PCAOB) to provide independent oversight of public accounting firms.

The sales department of a company received several claims from its customers that their payments were not credited to their accounts. Investigation uncovered that the accounts receivable clerk has been stealing some of the customer payments. What are some of the internal control procedures that could prevent and detect the problem?

Segregation of duties. Record keeping and asset custody should be separated so that one person cannot have access to remitted payments and also be responsible for recording the customers' AR balances. Send out monthly statements to customers to confirm their balances and reconcile differences.

What are the objectives and components of COSO ERM framework?

Strategic — high-level goals, aligned with and supporting the firm's mission and vision
Operations — effectiveness and efficiency of operations
Reporting — reliability of internal and external reporting
Compliance — compliance with applicable laws and regulations

Segregation of duties is an important internal control. What functions must be separated? If ideal segregation of duties is not economically feasible, what are some compensating controls that would help reduce the risk of fraud or error?

The general guideline for segregation of duties (SOD) is that transaction authorization, record keeping, and asset custody should be separated from each other. If ideal segregation of duties is not economically feasible, supervision can be used to mitigate the risk posed by imperfect segregation of duties. The supervising individual might be a superior within the organization or, in the case of a small business, the owner of the firm.

