Auditing, Ch 7
Suggest a number of sources from which you might obtain the information needed to prepare a description of internal control in the audit working papers.
Among the sources of information which auditors may use in preparing a working paper description of internal control are: organization charts, charts of accounts, job descriptions, interviews and discussions with officers and employees, reports of internal auditors, accounting reports and records, inspection of facilities, and working papers and reports from prior examinations
One basic concept of internal control is that no one employee should handle all aspects of a transaction. Assuming that a general category of transactions has been authorized by top management, how many employees (or departments) should participate in each transaction, as a minimum, to achieve strong internal control? Explain in general terms the function of each of these employees.
Assuming that the general category of transaction has already been authorized by top management, at least three employees or departments should usually participate in each transaction to achieve strong internal control. One employee approves the transaction after determining that the details conform to company policies, another employee records the transaction in the accounting records, and the third employee executes the transaction by releasing and/or taking custody of the related assets. (Note: the approval function may be omitted in an extremely simple transaction such as a cash sale not involving a check).
What are the purposes of the consideration of internal control required by generally accepted auditing standards?
Auditors consider internal control because its quality has a major effect on the nature, timing, and extent and nature of the audit procedures necessary to complete the audit. More specifically, the auditors' understanding of the entity and its environment, including internal control allows them to (1) assess the risks of material misstatements of the financial statements and (2) design the nature, timing and extent of further audit procedures.
Describe the relationship between corporate governance and internal control
Corporate governance is the system by which companies are directed and controlled. It includes the policies, procedures and mechanism established to ensure that the company operates in the best interests of its major stakeholders and society as a whole. The concept is broader than internal control in that corporate governance is not only concerned with the effectiveness of financial reporting, but it also encompasses ethical treatment of major stakeholders, compliance with laws, regulations, customary business practices and effective risk management. The control environment of internal control is particularly significant to corporate governance.
How is the auditors' understanding of the client's internal control documented in the audit working papers?
Documentation is usually in the form of flowcharts, questionnaires, or written narratives of the system.
What is a management letter? What is the letter's significance?
During their consideration of internal control, the auditors will inevitably encounter some deficiencies that should be brought to the attention of management. A management letter is the written report to the client describing such deficiencies, along with the auditors' recommendations for corrective action. This report serves as a useful reference document for management in implementing improvements in internal control and may also serve to limit the auditors' liability to the client in the event the control deficiencies subsequently give rise to defalcations or other losses.
A prospective client informs you that all officers and employees of the company are bonded, and he requests that under these circumstances you forgo a consideration of internal control in order to reduce the cost of an audit. Construct a logical reply to this request.
If the safeguarding of company assets were the only objective of internal control, then some basis might exist for the argument that the bonding of employees was an acceptable substitute for good internal control practices. However, internal control has such other important objectives as assuring the reliability of accounting data and other types of information needed by management for effective direction of the business. When internal controls are weak or absent, the losses from waste and inefficiency are apt to be far greater than losses from dishonest acts by employees. An assessment of internal control by the auditors is a prerequisite to the determination of the nature, timing, and extent of the further audit procedures necessary to express an opinion on the financial statements.Under normal circumstances, the assessment of internal control significantly reduces the cost of an audit, because a reduction in the assessed level of control risk permits the auditors to perform much less substantive procedures than would otherwise be necessary.
What is internal control?
Internal control is a process, effected by the entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the categories of (1) operations, (2) reporting, and (3) compliance.
Name three factors you consider of greatest importance in protecting a business against losses through embezzlement
Key factors in protecting a business against losses through embezzlement include adequate internal control, fidelity bonds, and regular audits by independent public accountants.
"All experienced auditors would design exactly the same audit plan (program) for a particular audit engagement." Do you agree? Explain.
No. Designing audit plans involves complex judgments, resulting in the possibility of inconsistencies in these judgments by auditors in the field. CPA firms attempt to reduce inconsistencies in judgments by developing firm policies, and "decision aids" or guides, that assist auditors in gathering relevant information or combining the information to make decisions about the nature, timing, and extent of substantive procedures.
How does separation of the record-keeping function from custody of assets contribute to internal control?
Separating recordkeeping from custody of the related assets provides an independently maintained record that may periodically be reconciled with assets on hand. This independent record holds the personnel of a custodial department accountable for assets entrusted to their care. If the custodial department maintained the accounting records, opportunity would exist for that department to conceal its errors or shortages by manipulating the records.
Under what circumstances are tests of controls efficient audit procedures?
Tests of controls are efficient auditing procedures when the reduction in the substantive procedures that results from a lower assessed level of control risk exceeds the amount of work involved in performing the tests of controls.
What consideration, if any, may external auditors give to the work of a client's internal audit staff?
The external auditors should consider the work of the internal auditors as a portion of the control environment of internal control. After evaluating the competence, objective, and disciplined approach of the internal auditors, the external auditors will determine the extent to which the work of the internal auditors may be used in determining the nature, timing, and extent of their testing.
Identify the five components of an organization's internal control.
The five basic components of an organization's internal control are (1) control environment; (2) risk assessment; (3) control activities; (4) (accounting) information and communication and (5) monitoring.
List the five stages of the auditors' overall approach in an audit of internal control performed in accordance with PCAOB requirements.
The five stages of an audit of internal control performed in accordance with PCAOB requirements are: (1) Plan the engagement. (2) Obtain an understanding of internal control over financial reporting (internal control). (3) Test and evaluate design effectiveness of internal control. (4) Test and evaluate operating effectiveness of internal control. (5) Form an opinion on the effectiveness of internal control over financial reporting.
Identify the four types of control activities and describe how each type contributes to effective internal control.
The four types of control activities are (1) performance review, (2) transaction processing, (3) physical controls and (4) segregation of duties. Performance reviews contribute to internal control by providing management with an overall indication of whether personnel at various levels are effectively pursuing the objectives of the organization. Transaction processing controls are performed to check the completeness, validity, and authorization of transactions. Physical controls contribute by assuring physical security over both records and other assets. Segregation of duties reduces the opportunities for any one person to both perpetuate and conceal errors or irregularities.
Compare the objectives of the internal auditors with those of the independent auditors.
The primary objective of the internal auditor is to aid corporate management in efficient administration by investigating and reporting upon compliance with company policies, reliability of accounting and statistical records and reports, adequacy of internal control, efficiency of operating procedures, and effectiveness of performance in all areas of operation. The primary objective of the external (independent) auditors is to determine whether the financial statements fairly reflect the financial position, operating results, and cash flows of the business. The external auditors have a responsibility to stockholders, creditors, and the public as well as to management.
List the principles related to an organization's control environment.
The principles related to the control environment include commitment to integrity and ethical values; board of directors independence and exercise of oversight; establishment of effective structure, including reporting lines and appropriate authorities and responsibilities; commitment to attract, develop, and retain competent employees; holding employees accountable for internal control responsibilities.
Describe what is meant by the risk assessment component of internal control and how it contributes to internal control.
The risk assessment component of internal control relates to the factors that affect the risk that the organization's reporting objectives will not be achieved. An awareness of this component contributes to internal control because management's consideration of the possibility that reports (including financial statements) may be misstated decreases the likelihood of misstatement.
Distinguish between the two subsections of Section 404 of the SarbanesOxley Act of 2002.
The two subsections of Section 404 of the Sarbanes-Oxley Act are 404a and 4040b. Section 404a requires each annual report filed with the SEC to include a report in which management (1) acknowledges its responsibility for establishing and maintaining adequate internal control over financial reporting, and (2) provides an assessment of internal control effectiveness as of the end of the most recent fiscal year. Section 404b requires auditors of certain companies to attest to, and report on, internal control over financial reporting.
Describe the two types of monitoring and provide an example of each
The two types of monitoring are (1) ongoing monitoring activities, and (2) separate evaluations. Examples of ongoing monitoring activities include continuous monitoring of customer complaints and reviewing the reasonableness of management reports. Separate evaluations include periodic audits by the internal auditors.
Comment on the following: The Committee of Sponsoring Organizations has issued frameworks on internal control and on enterprise risk management. A starting point for management of a company just beginning operations is to determine which one of the two to select for use.
While it is true that COSO has issued frameworks on both internal control and enterprise risk management, the remainder of the quote is incorrect. The frameworks are meant to complement one another. ERM may be viewed as including internal control, but extending beyond internal control to focus upon effectively managing all risk and opportunities.
You have discussed with the president of Vista Corporation several material weaknesses in internal control that have come to your attention during your audit. At the conclusion of this discussion, the president states that he will personally take steps to remedy these problems and that there is no reason for you to bring these matters to the attention of the board of directors. He explains that he believes the board should deal with major policy decisions and not be burdened with day-to-day management problems. How would you respond to this suggestion? Explain fully.
You should explain to the president that auditing standards require the auditors to report significant deficiencies and material weaknesses to the audit committee of the board of directors. Failure to submit such a report to the board would be a violation of generally accepted auditing standards.