Solution Manual for Auditing and Assurance Services A Systematic Approach 10th Edition Messier Glover Prawitt 0077732502 9780077732509
Full download link at:
Solution manual: https://testbankpack.com/p/solution-manual-forauditing-and-assurance-services-a-systematic-approach-10th-editionmessier-glover-prawitt-0077732502-9780077732509/
Test bank: https://testbankpack.com/p/test-bank-for-auditing-and-assuranceservices-a-systematic-approach-10th-edition-messier-glover-prawitt-00777325029780077732509/
CHAPTER 6
INTERNAL CONTROL IN A FINANCIAL STATEMENT AUDIT
Answers to Review Questions
6-1 From management's perspective, internal control provides a way to accomplish management’s stewardship or agency responsibilities. Management also needs a control system that generates reliable information for decision-making purposes. The importance of internal control to the auditor is rooted in the second standard of fieldwork. The controls that are relevant to the entity's ability to initiate, record, process, and report financial data consistent with management's assertions are the auditor's main concern. The auditor needs assurances about the reliability of the data generated within the entity's internal control system in terms of how it affects the fairness of the financial statements and how well the assets and records of the entity are safeguarded. The auditor uses this understanding of internal control to identify the types of potential misstatements, ascertain factors that affect the risk of material misstatement, and design tests of controls and substantive procedures.
6-2 The potential benefits and risks to an entity’s internal control from information technology include (see Table 6-1):
Benefits:
Consistent application of predefined business rules and performance of complex calculations in processing large volumes of transactions or data.
Enhancement of the timeliness, availability, and accuracy of information.
Facilitation of additional analysis of information.
Enhancement of the ability to monitor the performance of the entity's activities and its policies and procedures.
Reduction in the risk that controls will be circumvented.
Enhancement of the ability to achieve effective segregation of duties by implementing security controls in applications, databases, and operating systems.
Risks:
Reliance on systems or programs that inaccurately process data, process inaccurate data, or both.
Unauthorized access to data that may result in destruction of data or improper changes to data, including the recording of unauthorized or nonexistent transactions or inaccurate recording of transactions.
Unauthorized changes to data in master files.
Unauthorized changes to systems or programs.
Failure to make necessary changes to systems or programs.
Inappropriate manual intervention.
Potential loss of data.
6-3Internal control is composed of five components:
1. Control Environment: The control environment is the set of standards, processes, and structures that provide the basis for carrying out internal control across the organization. The board of directors and senior management establish the tone at the top regardingthe importance of internal control and expected standards of conduct.
2. The Entity’s Risk Assessment Process: Risk assessment involves a dynamic and iterative process for identifying and analyzing risks to achieving the entity’s objectives, thereby forming a basis for determining how risks should be managed. Management considers possible changes in the external environment and within its own business model that may impede its ability to achieve its objectives.
3. Information and Communication: Information is necessary for the entity to carry out internal control responsibilities in support of achievement of its objectives. Communicationoccursbothinternallyandexternallyandprovidestheorganizationwith the information needed to carry out day-to-day internal control activities. Communication enables personnel to understand internal control responsibilities and their importance to the achievement of objectives.
4. Control Activities: Control activities are the actions established by policies and procedures to help ensure that management directives to mitigate risks to the achievement of objectives are carried out. Control activities are performed at all levels of the entity and at various stages within business processes, and over the technology environment.
5. Monitoring of Controls: Ongoing evaluations, separate evaluations, or some combination of the two are used to ascertain whether each of the five components of internal control, including controls to effect the principles within each component, are present and functioning. Findings are evaluated and deficiencies are communicated in a timely manner, with serious matters reported to senior management and to the board.
6-4Factors that affect the control environment include (see Table 6-3):
The organization demonstrates a commitment to integrity and ethical values.
© 2017 by McGraw-Hill Education. This is proprietary material solely for authorized instructor use. Not authorized for sale or distribution in any manner. This document may not be copied, scanned, duplicated, forwarded, distributed, or posted on a website, in whole or part.
The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.
Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.
The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.
The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives.
6-5 A substantive audit strategy means that the auditor has made a decision not to rely on the entity's controls and to audit the related financial statement accounts directly. Control risk is set at the maximum when a substantive audit strategy is followed. With a reliance strategy, the auditor relies on the entity's controls and sets control risk below the maximum. A reliance strategy requires a more detailed understanding and documentation
of internal control than does a substantive strategy. The auditor also plans and performs tests of controls to support the lower assessed level of control risk.
6-6 In addition to planning the audit of the financial statements, the auditor's understanding of the entity's internal control is used to (1) identify the types of potential misstatements, (2) pinpoint factors that affect the risk of material misstatement, and (3) design tests of controls and substantive procedures.
6-7 The concept of reasonable assurance recognizes that the cost of an entity's internal control system should not exceed thebenefits that are expectedto be derivedfromthesystem. Thus, an internal control system will not detect every error that might occur because it would be too costly to design such a system. Management override of internal control, personnel errors or mistakes, and collusion are inherent limitations of internal control.
6-8 A number of tools are available to the auditor for documenting the understanding of the internal control, including copies of the entity's procedures manuals and organizational charts, internal control questionnaires, flowcharts, and narrative descriptions.
6-9 The auditor should document the achieved level of control risk for the controls evaluated. The auditor’s assessment can be documented using a structured working paper, an internal control questionnaire, or a memorandum.
6-10 The auditor might consider conducting substantive tests at an interim date for a number of reasons. For example, the client may want the auditor to confirm accounts receivable before year-end because of demands on the client’s staff at year-end. Alternatively, the auditor may wish to conduct substantive tests at an interim date to minimize staff overtime at year-end. The auditor should consider the following factors when substantive tests are to be completed at an interim date:
The control environment and other relevant controls.
Theavailabilityofinformationatalaterdatethatisnecessaryfortheauditor’sprocedures (e.g., information stored electronically for a limited period of time).
The purpose of the substantive procedure.
The assessed risk of material misstatement.
The nature of the class of transactions or account balance and relevant assertions.
The ability of the auditor to perform appropriate substantive procedures or substantive procedures combined with tests of controls to cover the remaining period in order to reduce the risk that misstatement may exist at the period-end will not be detected. When the auditor conducts substantive tests of an account at an interim date, additional substantive tests might include comparing the year-end account balance with the interim account balance, conducting some analytical procedures, and/or reviewing related journals and ledgers for large or unusual transactions during the remaining period.
6-11 For private companies, auditing standards require that the auditor report to those charged with governance (e.g., audit committee) any control deficiencies discovered by the auditor that are serious enough to be considered a significant deficiencyor a material weakness. See Chapter 7 for the auditor’s reporting responsibility for reporting on internal control.
Answers to Multiple-Choice Questions
Solutions to Problems
6-25 a. The COSO definition is: “Internal control is designed and carried out by an entity’s board of directors, management, and other personnel to provide reasonable assurance about the achievement of the entity’s objectives in the following categories: (1) reliability, timeliness, and transparency of internal and external, nonfinancial and financial reporting; (2) effectiveness and efficiency of operations, including safeguarding of assets; and (3) compliance with applicable laws and regulations. In Chapter 7, you will find a somewhat similar definition for internal control that is included in the PCAOB’s AS5.
b. The auditor should obtain an understanding of each of the five components of internal control in order to plan the audit. This understanding includes knowledge about the design of relevant controls and whether theyhave been placed in operation by the entity. The auditor uses this knowledge to (1) identify the types of potential misstatements, (2) pinpoint factors that affect the risk of material misstatement, and (3) design tests of controls and substantive procedures.
c. An auditor should document the understanding of the internal control components obtained to plan the audit. The auditor should also document the assessed (achieved) level of control risk.
6-26 The control environment factors that establish, enhance, or mitigate the effectiveness of specific controls, and their components, are:
Commitment to Integrity and Ethical Values
The effectiveness of an entity’s controls is influenced by the integrity and ethical values of the individuals who create, administer, and monitor the controls. Integrity and ethical values are essential elements of the control environment, affecting the design, administration, and monitoring of the other components. Integrity and ethical behavior are the product of the entity’s ethical and behavioral standards, how they are communicated, and how they are reinforced in practice.
Participation of Those Charged with Governance (Board of Directors and Audit Committee)
The board of directors and audit committee significantly influence the control
6-27
consciousness of the entity. Factors that affect the effectiveness of the board and audit committee include the following: its independence from management, the experience and stature of its members, the extent of its involvement with and scrutiny of the entity's activities,theappropriatenessofitsactions,thedegreetowhichdifficultquestionsareraised and pursued with management, and its interaction with the internal and external auditors.
Management and Board Establishes Appropriate Organizational Structure
The organizational structure defines how authority and responsibility are delegated and monitored. Establishing a relevant organizational structure includes considering key areas of authority and responsibility and appropriate lines of reporting. It provides a framework for planning, executing, and monitoring operations. An entity develops an organizational structure that depends on its size and the nature of its business.
This factor includes how authorityand responsibilityfor operating activities are assigned and how reporting relationships and authorization hierarchies are established.
This includes policies regarding acceptable business practices, the knowledge and experience of key personnel, and the resources provided for carrying out duties. It also includes policies and communications directed toward ensuring that all personnel understand the entity's objectives, know how their individual actions interrelate and contribute to those objectives, and recognize how and for what they will be held accountable.
A Commitment to Competence
Management must specify the competence level for a particular job and translate it into the required level of knowledge and skill. Management must then hire employees who have the appropriate competence for a job. The quality of internal control is a direct function of the quality of the personnel operating the system. The entity should have personnel policies for hiring, training, evaluating, counseling, promoting, compensating, and taking remedial action.
Organization Holds Individuals Accountable
Management and the board of directors are responsible for establishing mechanisms to communicate and hold individuals accountable for performance of internal control responsibilitiesacrossthe organizationandforimplementing corrective action as necessary. Management and the board of directors also establish performance measures, incentives, and rewards appropriate for responsibilities at all levels of the entity, reflecting reasonable expectations for performance and standards of conduct in light of both short-term and longer-term objectives
a. Theauditorshouldconsiderareliancestrategyifevidenceisavailableonlyinelectronic form. However, after developing an understanding of the new system, the auditor would need to test the system to determine whether it is working as intended. If the system is working effectively, the auditor is more likely to use a reliance strategy. The auditor should also consider whether the firm’s knowledge of IT systems is sufficient to allow it to use a reliance strategy; if not, a substantive strategy may be more appropriate.
b. When deciding whether to hire a specialist, the auditor in this case should consider
6-28
factors such as the complexity of the new system, whether the implementation of the system allows the company to engage in electronic commerce and the extent to which audit evidence is available only in electronic form. The auditor should ask the IT specialist to communicate information including how IT controls are designed and how data and transactions are initiated, recorded, processed, and reported.
c. The control environment likely is not affected to a great extent by the switch to an automated system except inasmuch as the switch might signal management’s commitment to competence and willingness to improve its controls. The entity’s risk assessment is affected because the existence of an automated system creates a new set of risks, such as risks involving the design of the control system. In terms of the information system and communication, the auditor will have to verify that the new system identifies and records all valid transactions and provides information sufficient for preparing accurate and complete financial statements. Control activities are important because new controls regarding the information system will have to be designed and implemented. Monitoring of controls is important because the monitors (including the internal and external auditors) will have to have sufficient knowledge of the system to be able to effectively monitor the use of the system and its outputs.
a. The strength of using procedures manuals and organizational charts is that they help the auditor document understanding of the internal control system. The strength of a narrative description is that it provides a simple, written memorandum that documents the understanding of internal control. The strength of an internal control questionnaire is that it provides a systematic and comprehensive way to evaluate internal control. A strength of using a flowchart is that it provides a diagrammatic representation of the entity’s internal control system. This facilitates the auditor's analysis of the system's controls.
b. On many engagements, auditors combine these tools to document their understanding of the components of internal control. The combination depends on the complexity of the entity’s internal control system. For example, in a complex information system where a large volume of transactions occurs electronically, the auditor may document the control environment, the entity’s risk assessment process, and monitoring activities using a memorandum and internal control questionnaire. Documentation of the information system and communication component, as well as control activities, may be accomplished through the use of an internal control questionnaire and a flowchart. For a small entity with a simple information system, documentation using a memorandum may be sufficient.
6-29 a. The internal auditor would have the following concerns with respect to individual entries:
The reasonableness of significant entries (e.g., manual entries in traditionally automated accounts such as inventory),
The review of the appropriateness of the individual who prepared the journal entry (e.g., senior executives or unauthorized personnel),
6-30
The review of the frequency of journal entries, particularly those that are relevant to management authorization levels,
The identification of journal entries without descriptions, and
Potentially fraudulent entries.
b. The external auditor could rely on the work of the internal audit’s work, but not to the exclusion of reperforming some of the internal audit’s work.
a. Before applying principal substantive procedures to balance sheet accounts at April 30, 2015, the interim date, Cook should assess the difficultyin controlling incremental audit risk. Cook should consider whether
Cook's experience with the reliability of the accounting records and management's integrity has been good.
Rapidly changing business conditions or circumstances may predispose General's management to misstate the financial statements in the remaining period.
The year-end balances of accounts selected for interim testing will be predictable.
General's procedures for analyzing and adjusting its interim balances and for establishing proper accounting cutoffs will be appropriate.
General's accounting system will provide sufficient information about year-end balances and transactions in the final two months of the year to permit investigation of unusual transactions, significant fluctuations, and changes in balance compositions that may occur between the interim and balance sheet dates.
The cost of the substantive tests necessary to cover the final two months of the year and provide the appropriate audit assurance at year-end is substantial. Assessing control risk at below the maximum would not be required to extend the audit conclusions from the interim date to year-end. However, if Cook assesses control risk at the maximum during the final two months, Cook should consider whether the effectiveness of the substantive tests to cover that period will be impaired.
b. Cook should design the substantive procedures so that the assurance from those tests and the tests to be applied as of the interim date, and any assurance provided from the assessed level of control risk, will achieve the audit objectives at year-end. Such tests should include the comparison of year-end information with comparable interim information to identify and investigate unusual amounts. Other analytical procedures and/or substantive procedures should be performed to extend Cook's conclusions relative to the assertions tested at the interim date to the balance sheet date.
6-31 a. The following communication is the report on significant deficiencies for Houghton Enterprises:
In planning and performing our audit of the financial statements of Houghton Enterprises as of and for the year ended December 31, 2015, in accordance with auditing standards generally accepted in the United States of America, we considered Houghton Enterprises’ internal control over financial reporting (internal control) as a basis for designing our auditing procedures that are appropriate in the circumstance for the purpose of expressing our opinion on the financial statements, but not for the
purpose of expressing an opinion on the effectiveness of the Company’s internal control. Accordingly, we do not express an opinion on the effectiveness of the Company’s internal control.
Our consideration of internal control was for the limited purpose described in the preceding paragraph and would not necessarily identify all deficiencies in internal control that might be significant deficiencies or material weaknesses. However, as discussed below, we identified certain deficiencies in internal control that we consider to be significant deficiencies.
A deficiency in internal control exists when the design or operation of a control does not allow employees, in the normal course of performing their assigned functions, to prevent, or detect and correct, misstatements on a timelybasis. A significant deficiency isacontroldeficiency,orcombinationofcontroldeficiencies,ininternalcontrol,which islessseverethanamaterialweakness; yet importantenoughtomeritattentionbythose responsible for oversight of the company’s financial reporting. We consider the following items are significant deficiencies:
1. Control activities for granting credit to new customers were inadequate. In particular, the Credit Department did not perform an adequate check of the creditworthiness of the customer with an outside credit agency.
2. There were not adequate physical safeguards over the Company's inventory. There were no safeguards to prevent employees from stealing high-value inventory parts.
This communication is intended solely for the information and use of management, individuals charged with governance, and others within the organization and is not intended to be and should not be used by anyone other than these specified parties.
b. If the second item were a material weakness, the following report would be issued:
In planning and performing our audit of the financial statements of Houghton Enterprises as of and for the year ended December 31, 2015, in accordance with auditing standards generally accepted in the United States of America, we considered Houghton Enterprises’ internal control over financial reporting (internal control) as a basis for designing our auditing procedures that are appropriate in the circumstance for the purpose of expressing our opinion on the financial statements, but not for the purpose of expressing an opinion on the effectiveness of the Company’s internal control. Accordingly, we do not express an opinion on the effectiveness of the Company’s internal control.
Our consideration of internal control was for the limited purpose described in the preceding paragraph and would not necessarily identify all deficiencies in internal control that might be material weaknesses or significant deficiencies. However, as discussed below, we identified certain deficiencies in internal control that we consider to be a material weakness and a significant deficiency.
A deficiency in internal control exists when the design or operation of a control does not allow employees, in the normal course of performing their assigned functions, to prevent, or detect and correct, misstatements on a timely basis. A material weakness is a deficiency, or combination of deficiencies, in internal control, such that there is a reasonable possibility that material misstatement of the entity’s financial statements will not be prevented, or detected and corrected, on a timely basis. We believe that the following deficiency constitutes material weaknesses:
There were not adequate physical safeguards over the Company's inventory. There were no safeguards to prevent employees from stealing high-value inventory parts.
A significant deficiency is a control deficiency, or combination of control deficiencies, in internal control, which is less severe than a material weakness; yet important enough to merit attention by those responsible for oversight of the company’s financial reporting. We consider the following item to be a significant deficiency:
Control activities for granting credit to new customers were inadequate. In particular, the Credit Department did not perform an adequate check of the creditworthiness of the customer with an outside credit agency.
This communication is intended solely for the information and use of management, individuals charged with governance, and others within the organization and is not intended to be and should not be used by anyone other than these specified parties.
Solution to Discussion Case
6-32 1. In their complaint against Koss Corporation, the SEC noted the following internal control deficiencies:
Lack of segregation of duties over disbursements and bank reconciliations.
Old and weak accounting system, leaving little audit trail and enabling post-closing entries, among other weaknesses.
Lack of documentation for journal entries.
Failure to perform monthly bank reconciliations.
Lack of required review of wire transfers prior to execution (note the distinction between a preventive policy and a preventive control).
Lack of an after-the-fact review of journal entries.
Lack of detailed review of financial information by CEO (very cursory).
Insufficient monthly analytical procedures (e.g., no monitoring of even gross margins).
Failure to change passwords on a regular basis, along with other IT security and control deficiencies. 2. Koss could have implemented a number of internal controls that might have prevented the misappropriation of assets:
6-33
The biggest improvement that Koss could have made was to establish a stronger control environment, including better oversight of and segregation of duties over accounting and financial reporting functions. The Company could have assigned someone outside of the accounting function to provide an independent check and balance on employees' integrity and to maintain a sufficiently strong control system. For example, different employees could have performed the separate duties of signing checks, processing cash receipts and cash disbursements, and maintaining the books of original entry.
Koss could have updated its computerized accounting system.
Someone outside the accounting department, such as Michael Koss as the CFO or the Vice President of Operations, review large wire transfers or the recording of payments on accounts payable when not processed through the accounts payable system.
Someone outside of accounting should have reviewed the monthly reconciliations of its bank accounts
Someone outside of accounting should periodically review documentation to support the general journal entries to verify that the corresponding transactions were being executed in accordance with Koss's accounting policies and recorded as necessary to permit preparation of financial statements in conformity with Generally Accepted Accounting Principles.
Develop an internal audit function. With a well-qualified internal audit function many of the deficiencies in internal control could have been corrected.
1. Many of the same issues found in the Koss fraud existed in the Dixon IL fraud.
Lack of segregation of duties.
Little oversight or monitoring by the part-time city administrators.
Ability to deposit funds from one account to another without approval or review.
Lack of review of bank statements and reconciliations.
It does not appear that the city had a mandatory vacation policy where someone performed Crundwell’s job.
2. There appears that a number of things went wrong on the audits conducted by Clifton, Larson, Allen, LLP (CLA) In 2005, CLA resigned from the city “audit” to take on more additional consulting work. However, it appears that they continued to provide information to the small firm (Janis Card Company, LLC) who assumed the audit. Not much information is available publicly about the quality of the audits performed by either firm. The city’s attorneyhas stated that a number of invoices provided to the firm were fabricated. For example, he pointed to more than 170 phony invoices created by Crundwell, supposedly from the Illinois Department of Transportation. The fake invoices are visibly different from real documents. He stated: “The invoices that she showed to Clifton auditors were palpably different. They were day and night than the true invoices from the Illinois Department of Transportation. All those are red flags that Clifton should have identified, should have followed up on and it would have simply been a two minute phone call to the Illinois Department of Transportation in Springfield,” Bruce said.