
Chapter 05 - Risk Assessment: Internal Control Evaluation

CHAPTER 5
Risk Assessment: Internal Control Evaluation
LEARNING OBJECTIVES

1. Distinguish between management's and auditors' responsibilities regarding an entity's internal control.
   Review Checkpoints: 1, 2, 3, 4, 5
   Exercises, Problems, and Simulations: 62, 63, 67

2. Define and describe internal control.
   Review Checkpoints: 6, 7, 8
   Exercises, Problems, and Simulations: 68

3. Define and describe the five basic components of internal control, and specify some of their characteristics.
   Review Checkpoints: 9, 10, 11, 12, 13, 14, 15, 16, 17, 18
   Exercises, Problems, and Simulations: 64, 72, 74

4. Explain the phases of an evaluation of control and risk assessment and the documentation and extent of audit work required.
   Review Checkpoints: 19, 20, 21, 22, 23, 24, 25
   Exercises, Problems, and Simulations: 66, 69, 73

5. Describe additional responsibilities for management and auditors of public companies required by Sarbanes-Oxley and AS 5.
   Review Checkpoints: 26, 27, 28, 29
   Exercises, Problems, and Simulations: 65, 74, 75

6. List the major components of the auditors' report on internal control over financial reporting.
   Review Checkpoints: 30

7. Describe situations in which the auditors' report on internal control over financial reporting would be modified.
   Review Checkpoints: 31, 32, 33

8. Explain the communication of internal control deficiencies to those charged with governance, such as the audit committee and other key management personnel.
   Review Checkpoints: 34

9. Explain the limitations of all internal control systems.
   Review Checkpoints: 35, 36
   Exercises, Problems, and Simulations: 70, 71


SOLUTIONS FOR REVIEW CHECKPOINTS


5.1

As stated in the Sarbanes-Oxley Act of 2002, management is responsible for establishing a control
environment, assessing risks it wishes to control, specifying information and communication channels and
content (including the accounting system and its reports), designing and implementing control procedures,
and monitoring, supervising, and maintaining the controls. Business managers can make estimates of
benefits to be derived from controls and weigh them against the cost. Managers are perfectly free to make
their own judgments about the necessary extent of controls. Managers can decide the degree of business
risk they are willing to tolerate.
External auditors are not responsible for designing effective controls for audit clients. They are responsible
for evaluating existing internal control and assessing the control risk in them.

5.2

Control risk is the probability that the client's internal control procedures will fail to prevent or detect
material errors and frauds, provided any enter the data processing system in the first place. Assessing
control risk is part of using the audit risk model in the planning stage of the audit.

5.3

The primary reason for conducting an evaluation of a client's existing internal control system is to give the
auditors a basis for finalizing the details of the account balance audit program: to determine the nature,
timing and extent of subsequent substantive audit procedures. For public companies, Sarbanes-Oxley
requires auditors to audit internal controls as part of the financial statement audit.
A secondary purpose for conducting an evaluation of internal control is to be able to make constructive
suggestions for improvements. Officially, the profession considers these suggestions a part of the audit
function and does not define the work as a consulting consultation.
Another purpose of the evaluation is to report to management and the board of directors or its audit
committee any discovery of any significant internal control deficiencies.

5.4

If control risk is low, auditors can perform less effective substantive procedures, earlier in the audit, with
smaller sample sizes, than if control risk is moderate or high.

5.5

Using a numeric evaluation provides a precise level of risk that can be included in statistical sampling
procedures. However, using words recognizes the imprecise nature of evaluating control risk.

5.6

The three categories of control objectives are:

Reliability of financial reporting.

Effectiveness and efficiency of operations.

Compliance with applicable laws and regulations.


Auditors are primarily concerned with reliability of financial reporting; however, some operating and
compliance controls may be important for the financial statement audit.

5.7

Internal control is operated by people. People make the system work at every level of company
management. People establish the objectives, put control mechanisms in place, and operate them.
Since people operate the controls, breakdowns can occur. Human error, deliberate circumvention,
management override, and improper collusion among people who are supposed to act independently can
cause failure to achieve objectives. Hence, a company's managers can decide that certain controls are too
costly in light of the risk of loss that may occur.



5.8

Four types of breakdowns relate to people-caused failures. The four are human error, deliberate
circumvention, management override, and improper collusion among people who are supposed to act
independently. Any of them can cause failure to achieve objectives. Internal control can help prevent and
detect these people-caused failures, but it cannot guarantee that they will never happen.

5.9

The COSO Report states that internal control consists of five interrelated components:

Management's control environment

Management's risk assessment

Management's control procedures

Management's monitoring

Management information and communication systems.

5.10

The control environment sets the tone of the organization. It is the foundation for all other components of
internal control. It provides discipline and structure. Control environment factors include the integrity,
ethical values, and competence of the company's people. The following are general elements of an internal
control environment:

Management's philosophy and operating style

Management and employee integrity and ethical values

Company organizational structure

Company commitment to competence: job skills and knowledge

Functioning of the board of directors, particularly its audit committee

Methods of assigning authority and responsibility

Presence of an internal audit function

Human resource policies and practices

5.11

The purpose of risk assessment is to identify and control for those factors, events, and conditions that may
prevent the organization from achieving its business objectives. All companies face the risk that their
financial statements may be unreliable. They may report assets that do not exist or ones that are not owned
by the company. Asset and liability amounts may be improperly valued. They may fail to report liabilities
and expenses. They may present information that does not conform to GAAP. The risk of producing
unreliable financial reports arises from control breakdowns.

5.12

A company control procedure is an action taken for the purpose of preventing, detecting, or correcting
errors and frauds in transactions.

5.13

Four kinds of functional responsibilities that should be segregated:


1. Authorization to execute transactions.
2. Recording of transactions (bookkeeping).
3. Custody of assets.
4. Periodic reconciliation (comparison) of existing (real) assets to recorded amounts.

5.14

The audit trail is the set of accounting operations from transaction analyses to reports. It starts with the
source documents, proceeds to data entry, then to transaction processing and posting to ledger accounts,
then from ledger accounts to the financial reports.
Auditors often follow this trail forwards and backwards! They will follow it backwards from the financial
reports to the source documents to determine whether everything in the financial reports is supported by
appropriate source documents. They will follow it forward from source documents to reports to determine
that everything that happened (transactions) got recorded in the accounts and reported in the financial
statements.



5.15

ITGCs apply to all the application systems and help ensure their continued proper operation. They
include controls over data center operations, system software acquisition and maintenance, access security,
and application system development, including changes in software and databases. They include physical
security, hardware controls, separation of duties within the IT department, documentation and back-up
procedures, and other controls.
ITACs include computerized steps within the application software and related manual procedures to control
the processing of various types of transactions. ITACs are specific to each cycle (e.g., revenue and
collection, acquisition and expenditure, etc.). They are divided into the following categories: input
controls, processing controls, and output controls.

5.16

1. Valid character tests: Customer name alphanumeric and customer number numeric.
2. Valid sign test: All amount fields positive, sales amount greater than zero.
3. Missing data test: Bill of lading document number included.
4. Sequence test: Invoice numbers are in sequence and none missing.
5. Limit or reasonableness test: Total invoice less than $25,000.
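
The five input edit checks in 5.16 can be expressed as code. The sketch below is an added example, not part of the original solutions: the field names, the sample batch, the allowance for spaces in customer names, and the reading of "positive" as "not negative" for amount fields other than sales are all assumptions.

```python
from decimal import Decimal, InvalidOperation

INVOICE_LIMIT = Decimal("25000")  # limit test from 5.16: total invoice less than $25,000
AMOUNT_FIELDS = ("sales_amount", "freight_amount", "total")  # assumed field names


def to_decimal(value):
    """Parse an amount field; None means it is not a usable number."""
    try:
        amount = Decimal(str(value).strip())
    except InvalidOperation:
        return None
    return amount if amount.is_finite() else None


def check_record(rec):
    """Run the four record-level edit checks; return the names of failed tests."""
    failed = []

    # 1. Valid character tests: customer name alphanumeric (spaces allowed, an
    #    assumption), customer number numeric, amount fields parse as numbers.
    name = str(rec.get("customer_name") or "")
    number = str(rec.get("customer_number") or "")
    amounts = {f: to_decimal(rec.get(f)) for f in AMOUNT_FIELDS}
    name_ok = bool(name.strip()) and all(c.isalnum() or c == " " for c in name)
    number_ok = number.isascii() and number.isdigit()
    if not (name_ok and number_ok and None not in amounts.values()):
        failed.append("valid_character")

    # 2. Valid sign test: no negative amount field, sales amount above zero.
    parsed = [a for a in amounts.values() if a is not None]
    sales = amounts["sales_amount"]
    if any(a < 0 for a in parsed) or (sales is not None and sales <= 0):
        failed.append("valid_sign")

    # 3. Missing data test: bill of lading document number must be included.
    if not str(rec.get("bill_of_lading") or "").strip():
        failed.append("missing_data")

    # 4. Limit or reasonableness test: total invoice less than $25,000.
    total = amounts["total"]
    if total is not None and total >= INVOICE_LIMIT:
        failed.append("limit")

    return failed


def check_sequence(invoice_numbers):
    """5. Sequence test: report out-of-order, duplicate and missing numbers."""
    out_of_order = [b for a, b in zip(invoice_numbers, invoice_numbers[1:]) if b < a]
    seen, duplicates = set(), []
    for n in invoice_numbers:
        if n in seen:
            duplicates.append(n)
        seen.add(n)
    missing = sorted(set(range(min(seen), max(seen) + 1)) - seen) if seen else []
    return {"out_of_order": out_of_order, "duplicates": duplicates, "missing": missing}


def validate_batch(batch):
    """Return (rejected records keyed by invoice number, sequence findings)."""
    rejected = {}
    for rec in batch:
        failed = check_record(rec)
        if failed:
            rejected[rec["invoice_number"]] = failed
    return rejected, check_sequence([rec["invoice_number"] for rec in batch])


# Constructed sample batch (not real data): one clean invoice and three that
# each trip a different edit check; invoice 1003 is absent from the batch.
SAMPLE_BATCH = [
    {"invoice_number": 1001, "customer_name": "Acme Supply 7", "customer_number": "40021",
     "sales_amount": "1200.00", "freight_amount": "35.50", "total": "1235.50",
     "bill_of_lading": "BL-7781"},
    {"invoice_number": 1002, "customer_name": "Bolt & Nut Co", "customer_number": "4O022",
     "sales_amount": "980.00", "freight_amount": "0", "total": "980.00",
     "bill_of_lading": ""},
    {"invoice_number": 1004, "customer_name": "Cedar Mills", "customer_number": "40023",
     "sales_amount": "-150.00", "freight_amount": "0", "total": "-150.00",
     "bill_of_lading": "BL-7783"},
    {"invoice_number": 1005, "customer_name": "Delta Freight", "customer_number": "40024",
     "sales_amount": "25000.00", "freight_amount": "0", "total": "25000.00",
     "bill_of_lading": "BL-7784"},
]

if __name__ == "__main__":
    rejected, sequence = validate_batch(SAMPLE_BATCH)
    for invoice, tests in rejected.items():
        print(invoice, "failed:", ", ".join(tests))
    print("sequence findings:", sequence)
```

Rejected records would go to an error listing for correction and resubmission rather than being silently dropped, so the audit trail stays complete.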

5.17

Many financial reporting processes such as final adjusting entries, consolidating entries, and footnote
amounts are performed using spreadsheet applications.

5.18

Everyday monitoring examples:

Operating managers compare internal reports and published financial statements with their
knowledge of the business.

Customer complaints of amounts billed are analyzed.

Vendor complaints of amounts paid are analyzed.

Regulators report to the company on compliance with laws and regulations (e.g., bank examiners'
reports, IRS audits).

Accounting managers supervise the accuracy and completeness of transaction processing.

Recorded amounts are periodically compared to actual assets and liabilities (e.g., internal auditors'
inventory counts, receivables and payables confirmations, bank reconciliations).

External auditors report on control performance and give recommendations for improvement.

Training sessions for management and employees heighten awareness of the importance of
controls.
These are monitoring controls when they are used to determine the effectiveness of control procedures.

5.19

Yes and no. The phase 1 understanding must always be followed by a control risk assessment phase and
documentation of control risk less than 100% (compliance phase). However, test of controls procedures are
only required for nonpublic companies if the audit team wants to lower the control risk assessment.

5.20

An audit team can find a client's documentation of the accounting system in the:

Chart of accounts
Accounting manual: definitions and instructions about measuring and classifying transactions
Computer systems documentation
Computer program documentation
Systems and procedures manuals
Flowcharts of transaction processing
Various paper forms



5.21

1.

Advantages of control questionnaire:

Easy to complete.

Checklist of questions.

Less chance of overlooking something important.


Disadvantages:

May contain numerous irrelevant questions.

Tendency to treat it like another form to fill out.

2.

Advantages of memorandum documentation:

Can explain the precise controls applicable to the particular client. (precise tailoring)

Requires penetrating analysis.

Minimizes tendency toward perfunctory review.


Disadvantages:

Hard to write. Often lengthy.

Hard to revise in subsequent years.

3.

Advantages of flowchart:

Graphic presentation of systems.

Shows the steps required and the flow of forms and documents.

Easy to read and analyze.

Easy to update in subsequent years.


Disadvantages:

Takes some time to draw neatly.

5.22

A bridge working paper connects the control evaluation to the audit program (subsequent procedures). It
contains brief descriptions of control strengths and weaknesses, implications for control or error related to
accounts, and statements of audit program procedures related to the strengths and weaknesses. The
procedures related to control strengths are test of control procedures, and the ones related to control
weaknesses are substantive procedures.

5.23

A test of controls is an audit procedure designed to produce evidence about the effectiveness of a client's
control activity. A test of control procedure is a two-part statement, consisting of:
Part One: Identification of a data population from which a sample of items will be selected for audit.
Part Two: Expression of an action of either (1) determining whether the selected items correspond to a
standard or (2) determining whether the selected items agree with information in another data population.
A test of control procedure may also consist of a direct observation of a control activity that leaves no
documentary trail.

5.24

Inspection, in a test of control procedure, refers to auditors looking to see whether client personnel
stamped, initialed, or left other signs that their assigned control procedures had been performed.
Reperformance, in a test of control procedure, refers to auditors doing again the control that was
supposed to have been performed by the client personnel (recalculating, looking up the right price,
comparing quantities, and so forth).

5.25

A dual-purpose test serves the purposes of (1) obtaining evidence about a client's control performance
[test of control], (2) obtaining evidence to help detect material misstatements in account balances and
disclosures [substantive procedure].



5.26

Management must (1) acknowledge its responsibility for establishing and maintaining effective internal
control over financial reporting; (2) state that it has performed an evaluation and made a conclusion about
the effectiveness of the entity's internal control over financial reporting; (3) disclose to the audit team any
frauds resulting in a material misstatement to the entity's financial statements (as well as any other
immaterial fraud that involves key managers), all significant deficiencies, and any material weaknesses
identified during its evaluation; and (4) state that management did not use the auditors' procedures
performed during the audits of internal control over financial reporting or the financial statements as part of
the basis for management's assessment of the effectiveness of internal control over financial reporting.

5.27

The six steps for auditing internal controls are:


1. Plan the engagement
2. Evaluate management's assessment process
3. Gain an understanding of internal control over financial reporting
4. Test and evaluate design effectiveness of internal control over financial reporting
5. Test and evaluate operating effectiveness of internal control over financial reporting
6. Form an opinion on the effectiveness of internal control over financial reporting

5.28

An internal control deficiency exists when the design or operation of a control does not allow the
company's management or employees to detect or prevent misstatements in a timely fashion. A significant
deficiency is defined as a condition that could adversely affect the organization's ability to initiate, record,
process, and report financial data in the financial statements. A material weakness in internal control is
defined as a deficiency, or combination of deficiencies, that results in a reasonable possibility that a
material misstatement would not be prevented or detected on a timely basis.

5.29

Auditors can issue one of three types of reports on internal controls:

Unqualified: no material weaknesses

Qualified or disclaimer: audit team cannot perform all of the procedures considered necessary

Adverse opinion: material weakness exists.

5.30

The major components of the auditors' standard, unqualified report on internal control over financial
reporting are:

A title that includes the word independent.

Statements regarding the responsibility of the auditors and management with respect to the
assessment and evaluation of internal control, as well as the title of management's report on
internal control over financial reporting.

A paragraph indicating that the engagement was conducted in accordance with standards
established by the Public Company Accounting Oversight Board, with a brief description of the
procedures performed in the engagement.

The definition of internal control over financial reporting.

An identification of the inherent limitations of internal control over financial reporting.

The auditors' opinion on whether the entity maintained effective internal control over financial
reporting. The opinion in the above report represents an unqualified opinion on internal control
over financial reporting.

A reference to the auditors' opinion on the financial statements, indicating the type of opinion
expressed.

The date of the report.


5.31

5.32

Major reasons for departing from the standard, unqualified report on internal control over financial
reporting include:

1. Material weaknesses in internal control over financial reporting.

2. A limitation in the scope of the engagement.

3. Management's disclosures of the effectiveness of its internal control over financial reporting are
inappropriate.

4. Other auditors have audited the financial statements and internal control over financial reporting
of one or more components of the entity.

5. Changes in internal control have occurred that materially and adversely affect the effectiveness of
the company's internal control over financial reporting.

6. Management provides other information in its report on internal control over financial reporting.

The auditors should issue an adverse opinion on the effectiveness of internal control over financial
reporting if a material weakness exists.
If a material weakness in internal control is identified, the auditors' standard, unqualified opinion on
internal control over financial reporting would be modified to:

Include a paragraph immediately following the inherent limitations paragraph that defines a
material weakness and describes any material weakness(es) identified during the audit.

Modify the opinion paragraph to indicate that because of the effect of the material weakness(es)
identified, the Company has not maintained an effective internal control over financial reporting.

5.33

If a scope limitation exists, disclaimer of opinion would be issued or the auditors would withdraw from the
engagement, depending upon the significance of the limitation.

5.34

Auditors must communicate significant deficiencies and material weaknesses that come to their attention in
the performance of the audit to management, the board of directors, or its audit committee. Auditors often
issue another type of report to management called a management letter. This letter may contain
commentary and suggestions on a variety of matters in addition to internal control matters.

5.35

Internal control cannot provide absolute assurance that financial statements will not contain a material
misstatement because:

The effectiveness of controls will be limited by the realities of human frailty.

Internal controls can break down due to misunderstanding, mistakes, and errors due to
carelessness, distraction or fatigue.

Management can often override controls.

The collusive activities of two or more individuals can result in control failures.

Controls must be subjected to cost-benefit analysis.

5.36

Reasonable assurance is closely related to cost-benefit analysis. By definition, reasonable assurance
recognizes that the cost of an organization's internal control should not exceed the benefits obtained by the
control.



Management is responsible for assessing the cost and benefits of controls, hence their reasonable assurance.
Auditors get into the act of reasonable assurance assessment when they consider whether to make
recommendations about control improvement in a management letter. Both parties must consider that the
SEC regards reasonable assurance as a high standard that means the probability of controls not detecting or
preventing material misstatements is remote.

SOLUTIONS FOR MULTIPLE-CHOICE QUESTIONS


5.37

a. Incorrect   Effectiveness and efficiency is an objectives category, not a fundamental concept.
b. Correct     People is the most important fundamental concept.
c. Incorrect   Reliability of financial reporting is an objectives category, not a fundamental concept.
d. Incorrect   Compliance with laws and regulations is an objectives category, not a fundamental concept.

5.38

a. Incorrect   Management letter suggestions are a secondary purpose.
b. Correct     Second GAAS fieldwork standard.
c. Incorrect   This is a paraphrase of the third GAAS fieldwork standard.
d. Incorrect   Communication of control-related matters is a secondary purpose.

5.39

a. Incorrect   Larger sample sizes expand audit procedures.
b. Incorrect   Performing procedures at year-end instead of at interim generally represents stricter application.
c. Incorrect   External evidence represents stricter application.
d. Correct     Smaller sample size is a restriction or relaxation of audit procedure application.

5.40

a. Incorrect   Financial totals can be used as input, processing, and output controls.
b. Correct     Financial totals can be used as input, processing, and output controls.
c. Incorrect   Financial totals can be used as input, processing, and output controls.
d. Correct     Financial totals can be used as input, processing, and output controls.

5.41

a. Incorrect   This is a general control that secures the hardware.
b. Incorrect   This is a general control over software changes.
c. Incorrect   This is a general control for all data.
d. Correct     This is an output control.

5.42

a. Correct     The terminated person would not be in the timekeeping total.
b. Incorrect   Works only if the correct number of checks is known.
c. Incorrect   The terminated employee will have a valid number.
d. Incorrect   The use of hash total only indicates whether the employee numbers have been input correctly.

5.43

a. Incorrect   The absolute amount of cost is irrelevant. Year-end substantive work usually costs more than control evaluation work.
b. Correct     The year-end cost savings exceeds the control evaluation cost.
c. Incorrect   Whether the cost of control work exceeds (or does not exceed) the cost of year-end work is irrelevant. Efficiency relates to the cost that can be saved as a result of control evaluation work.
d. Incorrect   Efficiency is not achieved by cost reductions being less than control work cost.



5.44

a. Incorrect   The narrative is the documentation result of obtaining evidence.
b. Correct     The ICQ is a device for collecting evidence in the form of answers to control questions.
c. Incorrect   A flowchart is the documentation result of obtaining evidence.
d. Incorrect   (This is the throwaway!) The audit documentation is the documentation of the evidence obtained.

5.45

a. Correct     The bridge working paper connects control evaluation findings of strengths to test of control procedures for testing the strengths, and control evaluation findings of weakness to suggestions for substantive procedures.
b. Incorrect   Control objectives are only implicit in the bridge working paper.
c. Incorrect   Control objectives are only implicit in the bridge working paper.
d. Incorrect   Assertions are related directly to substantive procedures and not to test of control procedures.

5.46

a. Incorrect   Substantive procedures produce evidence about financial statement assertions.
b. Incorrect   Company control procedures accomplish company control objectives.
c. Incorrect   Analytical review is not accomplished with test of control procedures.
d. Correct     Tests of controls produce the evidence about actual operation of company control procedures.

5.47

a. Incorrect   This describes an audit procedure.
b. Correct     This is one general way to define the purpose of control procedures.
c. Incorrect   This is a definition of an accounting system.
d. Incorrect   This is a description of one of the elements of the control environment.

5.48

a. Correct     The audit team identifies significant accounts, locations, and assertions in the planning stage of an integrated audit.
b. Incorrect   The audit team conducts a walkthrough of the internal control process when testing the effectiveness of the company's internal control.
c. Incorrect   The audit team makes inquiries of employees regarding the existence of control procedures when testing the effectiveness of the company's internal control.
d. Incorrect   The audit team reperforms control procedures performed by client employees to determine their effectiveness when testing the effectiveness of the company's internal control.

5.49

c. Correct     A material weakness in internal control is defined as a deficiency, or combination of deficiencies, that results in a reasonable possibility that a material misstatement would not be prevented or detected on a timely basis.

5.50

a. Incorrect   Record totals suggest dollar amounts.
b. Correct     Hash totals involve non dollar totals.
c. Incorrect   Data totals suggest dollar amounts.
d. Incorrect   Field totals suggest dollar amounts.

5.51

d. Correct     Cash deposits + discounts = payments credit to receivables. (Answers a, b, and c use the wrong arithmetic)

5.52

c. Correct     AS 5 applies to financial reporting controls only.

5.53

c. Correct     Under AS 5, auditors are required to issue a report on internal controls; they no longer have to report on management's report on internal (required under AS 2).

5.54

c. Correct     AS 5 requires testing for design effectiveness and operating effectiveness.



5.55

a. Incorrect   All three are indicators of a material weakness.
b. Incorrect   All three are indicators of a material weakness.
c. Incorrect   All three are indicators of a material weakness.
d. Correct     All three are indicators of a material weakness.

5.56

NOTE TO INSTRUCTOR: Because of an error in the textbook question (qualified opinions are no longer
an option), two answers to the posed question are correct.

a. Incorrect   This is an appropriate report.
b. Correct     Qualified opinions are no longer permitted under AS 5.
c. Correct     This is not one of the options offered by AS 5.
d. Incorrect   This is an appropriate report.

5.57

a. Correct     In principle, the payroll function should be divided into its authorization, recording, and custody functions. Authorization of hiring, wage rates, and deductions is provided by personnel. Authorization of hours worked (executed by employees) is provided by production. Based on these authorizations, accounting calculates and records the payroll. Based on the calculated amounts, the treasurer prepares and distributes payroll checks.

5.58

a. Incorrect   Supervisors should perform the reconciliation.
b. Correct     The total time spent on jobs should closely approximate the total time indicated on time cards. Timekeeping's comparison of these records should provide an independent check of the accuracy of time reported on the time cards.
c. Incorrect   This should be done by accounting.
d. Incorrect   Rate authorizations are kept by personnel.

5.59

NOTE TO INSTRUCTOR: Since this question asks students to identify which statement is not true, the
item labeled correct would not be true and those labeled incorrect would be true.

a. Correct     The report would be dated as of the day that enough evidence has been gathered to support the auditors' opinion on the effectiveness of the entity's internal control.
b. Incorrect   The report does express an opinion on management's assessment of internal control over financial reporting as well as the effectiveness of internal control over financial reporting.
c. Incorrect   An adverse opinion is issued if one or more material weakness(es) exists.
d. Incorrect   The report on internal control over financial reporting can be presented along with the report on the company's financial statements or as a combined report.

5.60

a. Incorrect   The reporting option when a scope limitation exists is a disclaimer of opinion.
b. Incorrect   A qualified opinion is no longer a valid reporting option for a scope limitation and an adverse opinion would only be issued when one or more material weakness(es) is identified.
c. Incorrect   While a disclaimer of opinion is one possible reporting option, it is not appropriate to issue an unqualified opinion if a significant scope limitation exists.
d. Correct     The reporting option when a scope limitation exists is a disclaimer of opinion.

5.61

a. Incorrect   Reference to the audit of the entity's financial statements would be included in the introductory paragraph of a combined report on the company's financial statements and internal control over financial reporting, but not a separate report on internal control over financial reporting.
b. Incorrect   If a material weakness is identified, the auditor will add a paragraph to the report that defines a material weakness. However, this information would not be included in the introductory paragraph.
c. Correct     Statements identifying the responsibility of the auditor and management for internal control over financial reporting would be included in the introductory paragraph.
d. Incorrect   Reference to the auditors' report and opinion on the company's financial statements would be included in an explanatory paragraph following the opinion paragraph, not the introductory paragraph.

SOLUTIONS FOR EXERCISES, PROBLEMS, AND SIMULATIONS


5.62

Internal Control Audit Standards

a. In planning an audit, the auditors' understanding of the internal control components should be
used to identify the types of potential misstatements that could occur, to consider the factors
affecting the risk of material misstatement, and to influence the design of substantive procedures.

b. An audit team obtains an understanding of the design of relevant internal control procedures
(policies and procedures) and whether they have been implemented. Assessing control risk below
the maximum level further involves identifying specific control procedures (policies and
procedures) relevant to specific assertions that are likely to prevent or detect material
misstatements in those assertions. It also involves performing tests of controls to evaluate the
operating design and effectiveness of the client's control procedures.

c. When seeking a further reduction in the assessed level of control risk, an audit team should
consider whether additional audit evidence sufficient to support a further reduction is likely to be
available, and whether it would be efficient to perform tests of controls to obtain that audit
evidence.

d. An audit team should document the understanding of a client's internal control system components
to plan the audit. The audit team also should document the basis for the conclusion about the
assessed level of control risk. If control risk is assessed at the maximum level, the audit team
should document that conclusion and the reasons for it. However, if the assessed level of control
risk is below the maximum level, the audit team should document the basis for the conclusion that
the effectiveness of the design and operation of internal control procedures supports that assessed
level.

5.63

Costs and Benefits of Control


Case 1:
Porterhouse management may hesitate because its expected loss from bank accounting errors may be less
than $10,000, or the expected benefit (reduction of the expected loss) by $10,000 or more might be in
doubt. Bank accounting is generally very accurate and further analysis might confirm management's
hesitation.

Case 2:
Joyce Harper should install the steel doors and burglar bars but not hire the armed guards.

Cost-Benefit of Doors and Bars
  Benefit ($500,000 loss x 90% elimination)                        $450,000
  Qualitative benefit: no longer a push-over target for thieves    Unknown
  Direct cost                                                      ($25,000)
  Direct cost: subsequent maintenance                              small
  Qualitative costs                                                none (?)
  Net benefit estimated                                            $425,000

Cost-Benefit of Armed Guards
  Benefit                                                          $500,000
  Qualitative benefit: no longer a push-over target for thieves    Unknown
  Direct cost                                                      (75,000)
  Direct cost: subsequent inflation                                some expected
  Qualitative cost: possibility of someone being killed or
    wounded in robbery attempt; social and insurance costs         remote, but high
  Net benefit estimated                                            $425,000

Marginal Analysis (Measurable Information)


1. If armed guards are hired, no more loss reduction (benefit) is available to justify the
additional $75,000 direct cost.

2.
                                          Doors and    Guards
                                          Bars Only    Only       Both       Neither
Loss expected without control             500,000      500,000    500,000    500,000
Remaining expected loss with control       50,000        -0-        -0-      500,000
Benefit (expected loss reduction)         450,000      500,000    500,000
Cost of control                            25,000       75,000    100,000
Net benefit                               425,000      425,000    400,000

The armed guards control has two adverse factors not expected with the doors/bars control: (1)
inflation in guard costs will probably outpace the doors/bars maintenance costs and (2) the
possibility of a shooting incident on company property is not very appealing.

Case 3:
Both of the manager's assertions are justifiable.

1. Cost-Benefit of the New Arrangement

Benefits
  4 meals @ $6 x 260 days                                  6,240
  10 meals @ $6 x 104 days                                 6,240
  Customer satisfaction                                    some
  Possible reduction of exposure to theft loss to
    collecting cashier at end of food line
    (former arrangement)                                   *
  Total benefits                                          12,480

*The control is cost-beneficial without considering whether theft of cash had occurred.

Costs
  New salary, annual                                      10,000
  New calculator, 5-year life                                500
  Employee dissatisfaction                                 none expected
  TOTAL COST                                              10,500

Net benefit, first year                                    1,980
Net benefit, succeeding years                              2,480**

**Assuming inflation in food prices tends to offset future salary increases.



2. The control is better because

(i) The recording duty and cash custody are separate. Running the cash register
amounts to authorizing and recording transactions for all practical purposes, and
under the former arrangement this person also handled the cash. The cashier
could have failed to ring up a sale and just pocketed the money.

(ii) The manager can compare the internal calculator cumulative total to the cash
register total for correspondence of amounts. A theft would require collusion of
both persons.

The accountant should not express any opinion on management's statement. You could disclaim
any opinion about the statement. You could give advice to the manager about the analysis. Still,
the manager is responsible for risk analysis and cost-benefit decisions.
5.64

Audit Simulation: Separation of Duties


Abigail
a. Reconcile bank account
e. Maintain personnel records
j. Reconcile accounts receivable records to general ledger account

Bryan
b. Open mail and list checks
f. Prepare deposit and take to bank
g. Maintain petty cash
i. Maintain general ledger

Chris
c. Prepare checks for signature
d. Prepare payroll checks
h. Maintain accounts receivable records


5.65

Effects of Sarbanes-Oxley Act


Mr. Foster Puckett, CEO
Central Office Supply, Inc.
Indianapolis, IN

Dear Foster,

The Sarbanes-Oxley Act and the related PCAOB Auditing Standard Number 5 will cause increased costs
for Central Office Supply (COS), should your board of directors decide to go public. The specific effects
regarding internal control reporting apply both to the management of COS and to the audit.

You will be responsible for documenting, testing and assessing the quality of your internal controls over
financial reporting. This is usually a costly procedure; however, it will likely be beneficial for COS to have
a firm grasp of the controls in place. You will have to prepare a written assessment whereby management
accepts responsibility for the controls and evaluates the effectiveness of the controls as of the end of each
year. You will have to support your evaluation with sufficient evidence, including documentation.

As auditors, we will have to gather evidence to report on the effectiveness of COS's internal control. We
will be able to use some of the tests your personnel perform, but the principal evidence for our report must
be based on our own work, and we cannot use your work to reduce the work we perform on the control
environment.

We are unable to provide a precise estimate of the additional cost of the additional work, but it is true that
many companies have seen their audit fees double as a result of the new requirements. The board should
factor this possibility into the costs of going public.

Sincerely,
Your name,
Audit Partner.

5.66

ICQ Items: Assertions, Tests of Controls, and Possible Errors or Frauds


1.

a. Recorded payroll transactions are valid (occurrence: no fictitious employees).

b. Select a sample of personnel files for new hires and terminations and trace to reports
submitted to the personnel department. Trace also to first or last paycheck issued and to
cumulative payroll records.

c. Paychecks might be delayed and terminated workers might continue to be paid (with
theft of check by someone else) if payroll is not promptly notified of new hires and
terminations.

d. Select a sample of terminated employees. Interview their supervisors or the employees
themselves for information about termination date. Search next payroll register for
evidence of overpayment the next pay period.

2.

a. Recorded payroll deductions are valid (occurrence).

b. Select a sample of payroll deductions and vouch them to signed authorizations.

c. Incorrect amounts might be deducted from pay.

d. Same as tests of controls: Select a sample of paychecks, and vouch the deductions to the
amount authorized according to the personnel files.

3.

a. Recorded payroll transactions are valid and authorized (occurrence).

b. Observe the timekeeping operations to determine whether they are performed separately.

c. If payroll department personnel were also responsible for time records, they would have
effective control over transaction authorization (i.e., hours worked approval) and could
overpay themselves or friends.

d. Select the paychecks issued to the people involved in combined duties. Examine them for
evidence of overpayment (wage rate or overtime).

4.

a. Payroll and labor cost transactions are complete (completeness).

b. Obtain reconciliation worksheets or check-off reports and see if the reconciliation is
done.

c. Cost accounting records might contain more or fewer dollars than actually paid (per
payroll data). Simple errors in cost analyses might occur.

d. If possible, obtain a total of labor charged to cost accounting jobs or processes, and
reconcile to total wages reported on Federal Form 941. For details: Select a sample of
labor cost analyses, and reconcile to the payroll register for the same period.

5.67

Obtaining a Sufficient Understanding of Internal Control


Martin is not correct in asserting that GAAS requires reviews and tests of control in all audits. Reviews and
obtaining and documenting an understanding are necessary, and Jones may not be suggesting that no work
at all be done on becoming acquainted with the client's internal control. Martin has overlooked the
common-sense (and GAAS) idea that tests of controls need to be done only on those controls that the
audit team believes to be strong, in order to reduce the initial control risk assessment.

Martin appears to be proposing that if a partner wishes to extend the substantive procedures and act as if
the control risk were high, he should be free to do so. Under GAAS, this is OK.

This is a common problem in practice. Many small-client audits may be accomplished through extensive
substantive procedural work, making up for little or no work on control. The trade-off is the time and cost
involved in performing test of control work against the reduction in substantive procedure work. If the
latter cannot be reduced much under any circumstances, then a lot of work on internal control may be
uneconomical.

5.68

Fraud Opportunities
The discussion could take several directions, including some or all of the following:

1. Material Weakness. The facts seem to suggest a condition in which specific control features (few
or none are described) or the degree of compliance with them do not reduce to a relatively low
level the risk that errors or frauds in amounts that could be material to the financial statements
may occur and not be detected within a timely period by employees in the normal course of
performing their assigned functions. Gault has authority and influence over too many interrelated
activities. Nothing he does seems to be subject to review or supervision. He even is able to
exclude the internal auditor.

An identification of the potential frauds will illustrate the misdeeds he can perpetrate almost
single-handedly.

2. Potential frauds include:

a. Gault can collude with customers to rig low bids and take kickbacks, thereby depriving
the company of legitimate revenue.

b. Gault can direct purchases to favored suppliers, pay unnecessarily high prices and take
kickbacks. He might even set up a controlled dummy company to sell overpriced
materials to the company. No competitive bidding control prevents these activities.

c. Gault, through the control of physical inventory, can (i) remove materials for himself and
(ii) manipulate the inventory accounts to conceal shortages.

d. Gault can order truck shipping services for his own purposes and cause the charges to be
paid by the company.

e. Gault can manipulate the customer billing (similar to a above) to deprive the company of
legitimate revenue while taking an unauthorized commission or kickback.

3. Almost every desirable characteristic of good internal control has been circumvented:

a. Separation of Functional Responsibilities. Gault has authorization and custodial
responsibilities.

b. Authorization, Supervision. Gault is apparently subject to no supervision or review. The
accounting staff is probably powerless to challenge transactions because of Simon's
apparent approval of Gault's powers.

c. Controlled Access. The whole situation gives Gault access to necessary papers, records,
and assets to carry out his one-man show.

d. Periodic Comparison. No one else apparently has any access to the materials inventory in
order to conduct an actual count for comparison to the book value (recorded
accountability) of the inventory.


5.69

ICQ Items: Errors that Could Occur from Control Weaknesses


    Questions (abbreviated)                       Possible Error or Fraud

 1. Employees paid by check?                      Errors in withholding, rate.
 2. Special payroll bank account used? Hours      Bank reconciliation errors.
    of fictitious employee.
 3. Independent payroll check signers?            Fictitious employees. Unauthorized payments.
 4. Independent bank statement reconciliation?    Fictitious employees, incomplete accounting.
 5. Payroll employees rotated, take vacations     Fictitious employees.
    and bonded?
 6. Timekeeping independent of payroll?           Fictitious employees or hours.
 7. Wage rates approved?                          Unauthorized rates, improper rates.
 8. Deduction authorizations signed by            Incorrect deductions.
    employees?
 9. Hours and cost distribution approved by       Hours overcharged (fictitious hours)
    supervisor?
10. Time clock used?                              Incorrect hours claimed and paid.
11. Payroll sheet signed and approved?            Unauthorized employees, hours or rate.
12. Personnel department reports employees        Terminated employees paid and another cashes
    terminated to payroll department?             checks (Fictitious employee)
13. Payroll compared to personnel files?          Fictitious employees.
14. Independent check distribution?               Fictitious employees.
15. Unclaimed wages controlled?                   Improper cashing of checks.
16. Occasional surprise payoff by internal        Fictitious employees.
    auditors?
17. Personnel department reports employees        Unauthorized employee paid. (Fictitious employee)
    hired to payroll departments?
18. Payroll checks prenumbered? Sequence          Checks issued and not recorded.
    checked?
19. Qualified person track retirement?            Retirement obligations incorrect.
20. Actuary employed? Assumptions                 Retirement amounts incorrect.
    reviewed?
21. Cost records reconciled to payroll?           Incomplete accounting: usually cost records not
                                                  complete.
22. Periodic audit of payroll by internal         Undetected errors and frauds (all of the above).
    auditors?
23. Reconciliation with tax reports?              Over/underreporting.
24. Classification instructions?                  Misclassified debits in accounts.
25. Review by accounting officer?                 Accounting and classification errors.

5.70

Reports on Internal Control Over Financial Reporting (Report Modifications)


a. This situation would result in an adverse opinion being issued on the effectiveness of the
company's internal control over financial reporting. Assuming that management appropriately
concludes that it has not maintained an effective internal control over financial reporting, the
auditor would express an unqualified opinion on management's assessment of internal control
over financial reporting. The standard report would be modified as follows:

- Modify the introductory paragraph to note that management's assessment indicated the
  company has not maintained an effective internal control over financial reporting.

- Include a paragraph immediately following the inherent limitations paragraph that defines
  a material weakness and describes any material weakness identified during the audit.

- Modify the opinion paragraph to indicate that because of the effect of the material
  weakness identified, the Company has not maintained an effective internal control over
  financial reporting.

b. This situation represents a scope limitation; depending upon the significance of the scope
limitation, the auditor could issue either a qualified opinion or disclaimer of opinion.

If a qualified opinion is issued, the standard report would be modified as follows:

- Modify the scope paragraph to refer to scope limitation (except for).

- Provide an explanatory paragraph describing the scope limitation. If the scope limitation
  is related to the inability to gather sufficient evidence with respect to a potential material
  weakness, this paragraph should also include the definition of a material weakness.

- Modify the opinion paragraph to reflect a qualified opinion (except for the effect of
  matters we might have discovered).

If a disclaimer of opinion is issued, the standard report would be modified as follows:

- Delete the sentence describing the auditor's responsibility for internal control over
  financial reporting in the introductory paragraph.

- Delete the scope paragraph.

- Provide an explanatory paragraph describing the scope limitation. If the scope limitation
  is related to the inability to gather sufficient evidence with respect to a potential material
  weakness, this paragraph should also include the definition of a material weakness.

- Modify the opinion paragraph to disclaim an opinion (the scope of our work was
  not sufficient to enable us to express, and we do not express, an opinion).

It is important to note that the scope limitation will normally affect the auditor's ability to issue an
opinion on both management's assessment of internal control over financial reporting and the
effectiveness of internal control over financial reporting.

c. In this situation, an unqualified opinion would still be appropriate, assuming that the work of other
auditors can be relied upon and does not indicate the existence of one or more material
weakness(es). The introductory, scope, and opinion paragraphs would be modified to indicate the
division of responsibility.

d. If management has not adequately disclosed a material weakness in its internal control over
financial reporting, the auditors should include an explanatory paragraph describing the reasons
they believe management's disclosures should be modified.

5.71

Audit Simulation: Reports on Internal Control Over Financial Reporting (Identify Report Deficiencies)

Introductory Paragraph:

1. The introductory paragraph does not discuss Van Dyke's responsibility with respect to maintaining an
effective internal control over financial reporting.

2. Auditors no longer report on management's assessment of internal control over financial reporting.

Inherent Limitations Paragraph:

3. This paragraph is omitted.

Material Weakness Paragraphs:

4. The paragraph defining a material weakness was omitted.

5. The paragraph identifying the material weaknesses in internal control noted by Sorrell should
provide some brief information on the nature of the material weaknesses.

6. The paragraph discussing the effect of material weaknesses on the nature, timing, and extent of
audit tests should explicitly indicate that the report on internal control over financial reporting
does not affect Sorrell's report on the financial statements.

7. The paragraph identifying deficiencies in internal control over financial reporting less severe than
material weaknesses is inappropriate. [no applicable reference]

Opinion Paragraph:

8. Sorrell's disclaimer of opinion on Van Dyke's assessment of internal control over financial
reporting is inappropriate because auditors no longer report on management's assessment of
internal control over financial reporting.

Explanatory Paragraph (Financial Statement Report):

9. The final explanatory paragraph should reference Sorrell's report on the financial statements, as
well as the date and type of opinion rendered on those financial statements.

Date:

10. The date on the report should not be the balance sheet date.


5.72

Kaplan CPA Exam Simulation: Internal Control Components

1. By having the receptionist open the cash receipts/remittances (instead of
the accounts receivable clerk), Southland has demonstrated a good
example of separation of duties. Separation of duties forms part of the
total control activities at Southland.

2. The lockbox system is an example of the safeguarding of assets.
Safeguarding of assets is a physical control and forms part of the total
control activities at Southland.

3. The changes implemented in the internal control system during the
current year are an example of monitoring. Monitoring assesses the
quality of the internal control effectiveness over time and implements
changes when necessary.

4. Management's philosophy and operating style is a control environment
factor.

5. Proper authorization by the credit manager forms part of the total control
activities at Southland. It is an example of separation of duties. For
instance, the sales manager would not be setting the credit limits for new
customers due to the potential conflict situation.

6. Individual and detailed job descriptions form part of the control
environment. The job descriptions specifically relate to the delegation of
authority.

7. Accounting systems that are designed to generate reports would clearly
form part of the internal controls over the information and
communication system.

8. Active participation by the board of directors is a component of the
control environment (delegation of authority and responsibility).

9. The IT manager's actions are an example of risk assessment. Risk
assessment refers to a company's ability to anticipate potential
misstatements (such as the lack of integration between certain
components of Southland's accounting system) and work to prevent them
before they occur.

5.73

Kaplan CPA Exam Simulation: Internal Control Evaluation

To: Partner, P&M
From: Manager, P&M
Subject: Significant Deficiencies and Material Weaknesses

Significant deficiencies are defined as conditions, or combinations of conditions, that could adversely affect
the organization's ability to initiate, record, process, and report financial data in the financial statements.
While not material, they are important enough to bring to the attention of those charged with governance
(usually the audit committee). Some examples follow:

- Absence of appropriate separation of duties.

- Absence of appropriate reviews and approvals of transactions.

- Evidence of failure of control procedures.

A material weakness in internal control is defined as a deficiency, or combination of deficiencies, that
results in a reasonable possibility that a material misstatement would not be prevented or detected on a
timely basis. The following circumstances should be regarded as strong indicators that a material weakness
exists:

- Restatement of previously issued financial statements to reflect the correction of a misstatement.

- Evidence of material misstatements (caught by the audit team) that were not prevented or detected
  by the client's internal controls.

- Ineffective oversight of the financial reporting process by the entity's audit committee.

- Indication of fraud (either material or immaterial) by senior management.

Because Lakeland is a public company, we are required to follow the Sarbanes-Oxley Act, which requires
us to identify significant deficiencies and material weaknesses and report them in writing to the audit
committee.

5.74

Mini-Case: Control Environment


NOTE TO INSTRUCTOR: For this assignment, questions 3 and 4 from this Mini-Case are applicable.

3. Auditors usually begin with inquiry of management, employees, and others charged with
governance (including the audit committee). Auditors also investigate senior management's
reputation in the community. Indicators of a weak tone at the top include involvement by
nonaccounting managers in accounting issues, pressure to achieve earnings, disputes between the
auditors and clients, and observing a lack of ethics in dealing with customers, suppliers, and
employees.

4. Auditors have to follow up on all whistle blower accusations, regardless of how far-fetched. The
accusations must be handled with professional skepticism, neither assuming they are true nor
false. Often client personnel will be asked to assist in the follow-up, but their input must be
independently verified by the auditor. The accusations should be treated as red flags, which may
call for additional evidence gathering in affected areas. Finally, if the accusations appear to be
credible, the auditors should notify their attorneys as well as the client's audit committee.

5.75

Mini-Case: Effect of Internal Control Evaluation on Auditors' Fees

NOTE TO INSTRUCTOR: For this assignment, questions 5 and 6 from this Mini-Case are applicable.

5. The high cost of Sarbanes-Oxley compliance can be found by reviewing the total audit fees
reported by GE and by the Fortune 100/500 companies. As shown in Exhibits 2 and 3, these fees
have increased significantly from 2002 to 2004. (A portion of this increase may result from the
SEC's revised definition of audit fees).

While the audit fees have continued to increase in 2006, the smaller rate of increase from 2004 to
2006 may reflect a learning curve for auditors and some initial start-up costs with respect to the
implementation of Section 404.

6. The changes required by AS 5 (eliminating the requirement to express an opinion on
management's assessment of internal control over financial reporting, using a top-down,
risk-based audit approach, and increasing the extent to which the work of others can be relied upon)
should reduce the amount of audit fees and, perhaps, audit-related fees. This possibility can be
evaluated through reference to future proxy statements.
