Professional Documents
Culture Documents
Review Questions
2.
3.
10-1
10-8
10-9
COSOs Internal Control Integrated Framework is the most widely
accepted internal control framework in the U.S. The COSO framework
describes internal control as consisting of five components that management
designs and implements to provide reasonable assurance that its control
objectives will be met. Each component contains many controls, but auditors
concentrate on those designed to prevent or detect material misstatements in the
financial statements.
10-10 The COSO Internal Control Integrated Framework consists of the
following five components:
1.
2.
3.
4.
5.
Control environment
Risk assessment
Control activities
Information and communication
Monitoring
10-11 The control environment consists of the actions, policies, and procedures
that reflect the overall attitudes of top management, directors, and owners of an
entity about internal control and its importance to the entity. The control
environment serves as the umbrella for the other four components. Without an
effective control environment, the other four are unlikely to result in effective
internal control, regardless of their quality. The following are the most important
subcomponents the control environment:
10-3
The control environment is the broadest of the five and deals primarily
with the way management implements its attitude about internal controls. The
other four components are closely related to the control environment. Risk
assessment is management's identification and analysis of risks relevant to the
preparation of financial statements in accordance with GAAP. To respond to
this risk assessment, management implements control activities and creates the
accounting information and communication system to meet its objectives for
financial reporting. Finally, management periodically assesses the quality of
internal control performance to determine that controls are operating as intended
and that they are modified as appropriate for changes in conditions (monitoring).
All five components are necessary for effectively designed and implemented
internal control.
10-13
10-4
10-14 (continued)
Separation of the custody of assets from accounting for these assets is
intended to prevent misappropriation of assets. When one person performs both
functions, the possibility of that person's disposal of the asset for personal gain
and adjustment of the records to relieve himself or herself of responsibility for the
asset without detection increases.
10-15 An example of a physical control the client can use to protect each of the
following assets or records is:
1.
2.
3.
4.
5.
6.
7.
10-17 As illustrated by Figure 10-3, there are four phases in the process of
understanding internal control and assessing control risk. In the first phase the
auditor obtains an understanding of internal controls, which includes an
understanding of their design and whether they have been implemented. Next
the auditor must make a preliminary assessment of control risk (phase 2) and
perform tests of controls (phase 3). The auditor uses the results of tests of
controls to assess control risk and to ultimately decide planned detection risk and
substantive tests for the audit of financial statements, which is phase 4.
10-5
10-6
10-23 (continued)
client's internal control will provide Maier with a basis for a decision about further
audit procedures and sample sizes based on assessed control risk. By not
obtaining an understanding of internal control until later in the engagement, Maier
risks performing either too much or too little work, or emphasizing the wrong areas
during her audit.
10-24 The extent of controls tested by auditors to express an opinion on
internal controls for a public company is significantly greater than that tested
solely to express an opinion on the financial statements. To express an opinion
on internal controls for a public company, the auditor obtains an understanding of
and performs tests of controls for all significant account balances, classes of
transactions, and disclosures and related assertions in the financial statements.
In contrast, the extent of controls tested by an auditor of a nonpublic company is
dependent on the auditors assessment of control risk. Whenever the auditor
assesses control risk below maximum, the auditor must perform tests of controls
to support that control risk assessment. The auditor will not perform tests of
controls when the auditor assesses control risk at maximum. When control risk is
assessed below the maximum, the auditor designs and performs a combination
of tests of controls and substantive procedures. Thus, for a nonpublic company,
the tests of controls vary based on the auditors assessment of control risk.
10-25 There is a significant overlap between tests of controls and procedures
to obtain an understanding of internal control. Both include inquiry, documentation,
and observation. There are two primary differences in the application of these
common procedures. First, in obtaining an understanding of internal control, the
procedures to obtain an understanding are applied to all controls identified during
that phase. Tests of controls, on the other hand, are applied only when the
assessed control risk has not been satisfied by the procedures to obtain an
understanding. Second, procedures to obtain an understanding are performed
only on one or a few transactions or, in the case of observations, at a single point
in time. Tests of controls are performed on larger samples of transactions (perhaps
20 to 100), and often observations are made at more than one point in time.
10-26 AU 318 indicates that reliance can be placed on controls that were
tested in a prior year. Controls should be tested at least every three years, and
whenever there is a significant change in the control. Continued reliance on the
effectiveness of automated controls is appropriate if the auditor is satisfied that
general controls over the computer applications are adequate to identify any
changes to computerized processes.
10-27 When the auditors risk assessment procedures identify significant risks,
the auditor is required to test the operating effectiveness of controls that mitigate
these risks in the current year audit, if the auditor plans to rely on those controls
to support a control risk assessment below 100%. Thus, tests of controls are
10-7
10-27 (continued)
required in the current year audit for those controls the auditor plans to rely on to
reduce control risk. The greater the risk, the more the audit evidence the auditor
should obtain that controls are operating effectively.
10-28 The auditor may issue an unqualified opinion on internal control over
financial reporting when two conditions are present:
10-30
a.
(3)
b.
(3)
c.
(4)
d.
(4)
10-31
a.
(3)
b.
(2)
c.
(4)
d.
(2)
10-32
a.
(3)
b.
(4)
c.
(4)
d.
(2)
10-8
10-33
1.
a.
b.
c.
d.
e.
2.
a.
b.
c.
d.
e.
3.
a.
b.
c.
d.
e.
4.
a.
b.
c.
d.
10-9
10-33 (continued)
e.
5.
b.
c.
d.
e.
6.
a.
b.
c.
d.
e.
7.
a.
b.
c.
d.
e.
10-10
10-33 (continued)
8.
a.
b.
c.
d.
e.
9.
a.
b.
c.
d.
e.
10.
a.
10-11
10-34
1.
a.
b.
c.
2.
a.
b.
c.
3.
a.
b.
c.
4.
a.
b.
c.
5.
a.
b.
c.
6.
a.
b.
c.
7.
a.
b.
c.
10-13
10-34 (continued)
8.
a.
b.
c.
10-35 The criteria for dividing duties is to keep all asset custody duties with one
person (Cooper). Document preparation and recording is done by the other
person (Smith). Miller will perform independent verification. The two most
important independent verification duties are the bank reconciliation and
reconciling the accounts receivable master file with the control account, therefore
they are assigned to Miller. The duties should be divided among the three as
follows:
Robert Smith:
James Cooper:
Bill Miller:
10-36
a.
b.
c.
d.
10-37
a.
2
15
4
18
7
5
10
12
11
14
13
16
17
10-14
10-37 (continued)
While some of the five control activities are unavailable in a
small company, especially adequate segregation of duties, it is still
possible for a small company to have proper authorization of
transactions and activities, adequate documents and records,
physical controls over assets and records, and, to a limited degree,
independent checks on performance.
b.
c.
d.
10-15
10-38
1.
a.
b.
2.
c.
a.
b.
10-16
10-38 (continued)
c.
3.
a.
b.
c.
10-17
10-39 (continued)
Completeness
a.
b.
c.
d.
10-18
10-39 (continued)
2.
3.
1.
2.
3.
4.
5.
10-19
10-41 Following are the appropriate reporting formats for the five independent
situations:
INDEPENDENT
SITUATION
APPROPRIATE
AUDIT REPORT
1.
Adverse
2.
Qualified or
disclaimer
3.
Adverse
4.
Unqualified
5.
Unqualified
10-20
Case
10-42
a.
Sales
TRANSACTIONRELATED
AUDIT OBJECTIVE
CONTROL
Occurrence
Completeness
Accuracy
Posting and
summarization
Classification
Timing
None
10-21
10-42 (continued)
b.
Cash Receipts
TRANSACTIONRELATED AUDIT
OBJECTIVE
CONTROL
Occurrence
Completeness
Accuracy
Posting and
summarization
Classification
None
Timing
10-22
10-42 (continued)
c.
10-43
PINNACLE MANUFACTURINGPART III
Following are control risk matrices and related notes that are used to direct a
discussion of the requirements of the case. It should be understood that judgment
is a critical element in this case, and accordingly, there often is no single right
answer.
Computer-prepared matrices using Excel (P1043.xls) are contained on the
Companion Website and on the Instructors Resource CD-ROM, which is
available upon request. They are essentially the same as the matrices on the
next two pages.
10-23
10-43 (continued)
PINNACLE MANUFACTURING - Part III
Control Risk Matrix Acquisitions
Transaction-Related
Audit Objective
Internal
Controls
Recorded
acquisitions
are for goods
and services
received
(occurrence).
10-23
2. Proper approval
3. Segregation of functions
4. Cancellation of documents
5. Prenumbering of documents
with accounting for sequence
6. Internal verification of
documents/records
Existing
acquisition
transactions are
recorded
(complete-ness).
Recorded
acquisition
transactions
are stated at
the correct
amounts
(accuracy).
Recorded
acquisition
transactions are
properly
included in the
master files, and
are properly
summarized
(posting and
summarization).
Acquisition
transactions
are properly
classified
(classification).
Acquisition
transactions
are recorded
on the
correct dates
(timing).
C
C
9. Monthly reconciliation of
A/P master file with general
ledger
Assessed control risk
C
Low
Low
Low
Low
Low
Low
10-43 (continued)
PINNACLE MANUFACTURING - Part III
Control Matrix - Cash Disbursements
Transaction-Related
Audit Objectives
Internal
Controls
Recorded cash
disbursements
are for goods
and services
actually
received
(occurrence).
10-24
1.
Segregation of functions
2.
3.
4.
5.
6.
Existing cash
disbursement
transactions are
recorded
(completeness).
Recorded cash
disbursement
transactions are
stated at the
correct amounts
(accuracy).
Recorded cash
disbursement
transactions are
properly included
in the master file
and are properly
summarized
(posting and
summarization).
Cash
Cash
disbursement disbursement
transactions
transactions
are properly
are recorded
classified
on the correct
(classification). dates (timing).
C
C
C
C
Deficiencies
D
1.
2.
Medium
Medium
High
3.
Low
Low
Low
10-43 (continued)
Notes to 10-43, Part III
1.
2.
3.
10-1
Section 404 of the Sarbanes-Oxley Act of 2002 requires management of
a public company to issue a report on internal control over financial reporting
(ICFR) as of the end of the companys fiscal year. Many companies have
reported that their ICFR was operating effectively, while others have reported
that such controls were not effective in design or operation. Companies issue
their reports on ICFR through filings with the Securities and Exchange
Commission (SEC). Visit the SEC website [http://www.sec.gov] to learn more and
answer the following questions:
1.
10-26
10-27