1|Page

2017

AUDIT OF INTERNAL CONTROL

AND CONTROL RISK

CHAPTER
COMPILED BY: ALI SAJJAD

THE SUPERIOR COLLEGE, UNIVERSITY CAMPUS | 15-KM, RAIWIND ROAD, LAOHORE.

2|Page

INTERNAL CONTROL OBJECTIVES

OBJECTIVE A system of internal control consists of policies and procedures designed to provide
1-1 management with reasonable assurance that the company achieves its objectives and goals.
Describe the three
primary objectives These policies and procedures are often called controls, and collectively, they make up the
of effective internal entity’s internal control. Management typically has three broad objectives in designing an
control
effective internal control system:
1. Reliability of financial reporting. As we discussed in Chapter 6, management
is responsible for preparing statements for investors, creditors, and other users.
Management has both a legal and professional responsibility to be sure that the
information is fairly presented in accordance with reporting requirements of
accounting frameworks such as GAAP and IFRS. The objective of effective
internal control over financial reporting is to fulfill these financial reporting
responsibilities.
2. Efficiency and effectiveness of operations. Controls within a company en -
courage efficient and effective use of its resources to optimize the company’s
goals. An important objective of these controls is accurate financial and
nonfinancial information about the company’s operations for decision making.
3. Compliance with laws and regulations. Section 404 requires management of
all public companies to issue a report about the operating effectiveness of
internal control over financial reporting. In addition to the legal provisions of
Section 404,
public, nonpublic, and not-for-profit organizations are required to follow many laws and
regulations. Some relate to accounting only indirectly, such as environmental protection
and civil rights laws. Others are closely related to accounting, such as income tax
regulations and anti-fraud legal provisions.
Management designs systems of internal control to accomplish all three objectives. The
auditor’s focus in both the audit of financial statements and the audit of internal controls is
on controls over the reliability of financial reporting plus those controls over operations
and compliance with laws and regulations that could materially affect financial reporting.

PART 1/ AUDITING PROFESSION

 MANAGEMENT AND AUDITORS RESPONSIBILTIES FOR INTERNAL
CONTROL

1. Managements Responsibility for Establishing Internal Control

Responsibilities for internal controls differ between management and the auditor.
Management is responsible for establishing and maintaining the entity’s internal
controls. Management is also required by Section 404 to publicly report on the
operating effectiveness of those controls. In contrast, the auditor’s responsibilities
include understanding and testing internal control over financial reporting. Since
2004, auditors of larger public companies have been required by the SEC to
annually
issue an audit report on the operating effectiveness of those
controls.
design and implementation of internal control reasonable assurance and inherent
Management,
limitations. Reasonable Assurance A company should develop internal controls
not the auditor,
that provide reasonable, but not absolute, assurance that the financial statements are
must establish
fairly stated. Internal controls are developed by management after considering both the
and maintain the
costs and benefits of the controls. The concept of reasonable assurance allows for only a
entity’s internal
remote likelihood that material misstatements will not be prevented or detected on a
controls. This
timely basis by internal control.
concept is
consistent with Inherent Limitations Internal controls can never be completely effective, regard less of the

the requirement care followed in their design and implementation. Even if management can design an ideal

that system, its effectiveness depends on the competency and depend ability of the people using

management, it. Assume, for example, that a carefully developed procedure for counting inventory

not the auditor, requires two employees to count independently. If neither of the employees understands

is responsible the instructions or if both are careless in doing the counts, the inventory count is likely to

for the be wrong. Even if the count is correct, management might override the procedure and

preparation of instruct

financial
statements in
accordance with
applicable
accounting
frameworks
such as GAAP or
IFRS. Two key
concepts
underlie
management’s
an employee to increase the count to improve reported earnings. Similarly, the employees might
decide to overstate the counts to intentionally cover up a theft of inventory by one or both of
them. An act of two or more employees who conspire to steal assets or misstate records is called
collusion.
Because of its importance, knowledge about a client’s internal control is included in a
eparate
s generally accepted auditing standard. Recall that the second GAAS field work
tandard
s states “The auditor must obtain a sufficient understanding of the entity and its
environment, including its internal control, to assess the risk of material misstatement of the
financial statements whether due to error or fraud and to design the nature, timing, and extent
of further audit procedures.” The auditor obtains the understanding of internal control to assess
control risk in every audit. Auditors are primarily concerned about controls over the reliability
of financial reporting and controls over classes of transactions.

2. Managements Responsibility for Establishing Internal

Control
Controls Over the Reliability of Financial Reporting To comply with the second standard of
field work, the auditor focuses primarily on controls related to the first of management’ internal
control concerns: reliability of financial reporting. Financial statements are not likely to correctly
reflect GAAP or IFRS if internal controls over financial reporting are inadequate. Unlike the
client, the auditor is less concerned with controls that affect the efficiency and effectiveness of
company operations, because such controls may not influence the fair presentation of
financial statements. Auditors should not, however, ignore controls affecting internal
management information, such as budgets and internal performance reports. These types of
information are often important sources used by management to run the business and can be
important sources of evidence that help the auditor decide whether the financial statements are
fairly presented. If the controls over these internal reports are inadequate, the value of the
reports as evidence diminishes. As stated in Chapter 6, auditors have significant responsibility
for the discovery of material fraudulent financial reporting and misappropriation of assets
(fraud) and direct-effect illegal acts. Auditors are therefore also concerned with a client’s
internal control over the safeguarding of assets and compliance with laws and regulations if
they affect the fairness of the financial statements. Internal controls, if properly designed and
implemented, can be effective in preventing and detecting fraud.
Controls over Classes of Transactions Auditors emphasize internal control over classes of
transactions rather than account balances because the accuracy of accounting system outputs
(account balances) depends heavily on the accuracy of inputs and processing
(transactions). For example, if products sold, units shipped, or unit selling prices are wrong in
billing customers for sales, both sales and accounts receivable will be misstated. On the other
hand, if controls are adequate to ensure correct billings, cash receipts, sales returns and
allowan
ces, and
write-
offs, the
ending
balance
in
account
s
receivab
l
3. COSO COMPONENTS OF INTERNAL CONTROL
 concentrate on those designed to prevent or detect material misstatements in the financial
COSO’s Internal
statements. The COSO internal control components include the following:
Control—
1. Control environment
Integrated
2. Risk assessment
Framework, the
3. Control activities
most widely
4. Information and communication
accepted
5. Monitoring
internal control
framework in
the United 1. control environment consists of the actions, policies, and procedures that reflect the
States, overall attitudes of top management, directors, and owners of an entity about internal
describes five control and its importance to the entity. To understand and assess the control environment,
components of auditors should consider the most important control subcomponents.
internal control Integrity and Ethical Values Integrity and ethical values are the product of the entity’s
that thical and behavioral standards, as well as how they are communicated and reinforced in
management practice. They include management’s actions to remove or reduce incentives and
designs and temptations that might prompt personnel to engage in dishonest, illegal, or unethical acts.
implements to They also include the communication of entity values and behavioral standards to
provide personnel through policy statements, codes of conduct, and by example.
reasonable
Commitment to Competence: Competence is the knowledge and skills necessary to
assurance that
accomplish tasks that define an individual’s job. Commitment to competence includes
its control
management’s consideration of the competence levels for specific jobs and how those
objectives will
levels translate into requisite skills and knowledge.
be met. Each
Board of Director or Audit Committee Participation The board of directors is essential
component
for effective corporate governance because it has ultimate responsibility to make sure
contains many
management implements proper internal control and financial reporting processes. An
controls, but
effective board of directors is independent of management, and its members stay involved
auditors
in and scrutinize management’s activities.
Management’s Philosophy and Operating Style Management, through its activities,
provides clear signals to employees about the importance of internal control. For example,
does management take significant risks, or is it risk averse? Are sales and earnings targets
unrealistic, and are employees encouraged to take aggressive actions to meet those
targets? Can management be described as “fat and bureaucratic,” “lean and mean,”
Dominated by one or a few individuals, or is it “just right”? Understanding these and
similar aspects of management’s philosophy and operating style gives the auditor a sense
of management’s attitude about internal control.
Organizational Structure The entity’s organizational structure defines the existing lines
of
responsibility and authority. By understanding the client’s organizational structure, the
auditor can learn the management and functional elements of the business and perceive
how controls are implemented.
Human Resource Policies and Practices the most important aspect of internal control is
personnel. If employees are competent and trustworthy, other controls can be absent, and
reliable financial statements will still result. Incompetent or dishonest people can reduce
the system to a shambles even if there are numerous controls in place. Honest, efficient
people are able to perform at a high level even when there are few other controls to
support them. However, even competent and trustworthy people can have
shortcomings. For example, they can become bored or dissatisfied, personal problems
can disrupt their performance, or their goals may change. Because of the importance of
competent, trustworthy personnel in providing effective control, the methods by which
persons are hired, evaluated, trained, promoted, and compensated are an important part
of internal control.

2.Risk Assessent
Risk assessment for financial reporting is management’s identification and analysis of
risks relevant to the preparation of financial statements in conformity with appropriate
accounting standards. For example, if a company frequently sells products at a price below
inventory cost because of rapid technology changes, it is essential for the company to
R
incorporate adequate controls to address the risk of overstating inventory.
Similarly, failure to meet prior objectives, quality of personnel, geographic dispersion o
company operations, significance and complexity of core business processes,
introduction
 3. Control Activities

Control activities are the policies and procedures, in addition to those included in the
other four control components that help ensure that necessary actions are taken to
address risks to the achievement of the entity’s objectives. There are potentially many
such control activities in any entity, including both manual and automated controls. The
control activities generally fall into the following five types, which are discussed next:
1. Adequate separation of duties
2. Proper authorization of transactions and
activities
3. Adequate documents and records
4. Physical control over assets and records
5. Independent checks on performance

Adequate Separation of Duties Four general guidelines for adequate separation of duties
to prevent both fraud and errors are especially significant for
auditors.
Separation of the Custody of Assets from accounting: To protect a company from
embezzlement, a person who has temporary or permanent custody of an asset should not
account for that asset. Allowing one person to perform both functions increases the risk of
that person disposing of the asset for personal gain and adjusting the records to cover up
the theft. If the cashier, for example, receives cash and is responsible for data entry for
cash receipts and sales, that person could pocket the cash received and adjust the
customer’s account by failing to record a sale or by recording a fictitious credit to the
account. Separation of the Authorization of Transactions from the Custody of Related
Assets It is desirable to prevent persons who authorize transactions from having control
over the related asset, to reduce the likelihood of embezzlement. For example, the
same person should not authorize the payment of a vendor’s invoice and also approve the
disbursement of funds to pay the bill.
Separation of Operational Responsibility from Record-Keeping Responsibility to
ensure unbiased information, record keeping is typically the responsibility of a separate
department reporting to the controller. For example, if a department or division oversees
the creation of its own records and reports, it might change the results to improve its
reported performance.
Separation of IT Duties from User Departments As the level of complexity of IT systems
increases, the separation of authorization, record keeping, and custody often becomes
blurred. For example, sales agents may enter customer orders online. The computer
authorizes those sales based on its comparison of customer credit limits to the master file
and posts all approved sales in the sales cycle journals. Therefore, the computer plays a
significant role in the authorization and record keeping of sales transactions. To
compensate for these potential overlaps of duties, it is important for companies to
separate major IT- related functions from key user department functions. In this example,
responsibility for designing and controlling accounting software programs that contain
the sales authorization and posting controls should be under the authority of IT, whereas
the ability to update information in the master file of customer credit limits should reside
in the company’s credit department outside the IT function.
Proper Authorization of Transactions and Activities: Every transaction must be
properly authorized if controls are to be satisfactory. If any person in an organization
could acquire or expend assets at will, complete chaos would result. Authorization can be
either general or specific. Under general authorization, management establishes policies
and subordinates are instructed to implement these general authorizations by approving
all transactions within the limits set by the policy. General authorization decisions include
the issuance of fixed price lists for the sale of products, credit limits for customers, and
fixed reorder points for making acquisitions.
Specific authorization applies to individual transactions. For certain transactions,
management prefers to authorize each transaction. An example is the authorization of a
s for a used-car company. The distinction between authorization and
a approval is also important. Authorization is a policy decision for
l either a general class of transactions or specific transactions.
e Approval is the implementation of management’s general
s authorization decisions. An example of a general authorization is
management setting a policy authorizing the ordering of inventory
t when less than a 3-week supply is on hand. When a department
r orders inventory, the clerk responsible for maintaining the perpetual
a record approves the order to indicate that the authorization policy
n has been met. In other cases, the computer approves the
s transactions by comparing quantities of inventory on hand to a
a master file of reorder points and automatically submits purchase
c orders to authorized suppliers in the vendor master file. In this case,
t the computer is performing the approval function using
i preauthorized information contained in the master files.
o Adequate Documents and Records Documents and records are the
n records upon which transactions are entered and summarized. They
include such diverse items as sales invoices, purchase orders,
b subsidiary records, sales journals, and employee time cards. Many of
y these documents and records are maintained in electronic rather
than paper formats. Adequate documents are essential for correct
t recording of transactions and control of assets. For example, if the
h receiving department completes an electronic receiving report when
e material is received, the accounts payable computer application can
verify the quantity and description on the vendor’s invoice by
s comparing it with the information on the receiving report, with
a exceptions resolved by the accounts payable department.
l
e
s

m
a
n
a
g
e
r
4. Accounting Information and Communication
The purpose of an entity’s accounting information and communication system is to
initiate, record, process, and report the entity’s transactions and to maintain
accountability the related assets. An accounting information and communication system
for
su has several bcomponents, typically made up of classes of transactions such as sales,
sales returns, cash receipts, acquisitions, and so on. For each class of transactions, the
accounting system must satisfy all of the six transaction-related audit objectives
identified in the slides. For example, the sales accounting system should be designed to
ensure that all shipments of goods are correctly recorded as sales (completeness and
accuracy objectives) and are reflected in the financial statements in the proper period
(timing objective). The system must also avoid duplicate recording of sales and recording
a sale if a shipment did not occur
(occurrence objective).

5.Monitoring
To understand the design of the accounting information system, the auditor determine (1)
the major classes of transactions of the entity; (2) how those transactions are initiated and
recorded; (3) what accounting records exist and their nature; (4) how the system captures
other events that are significant to the financial statements, such as declines in asset
values; and (5) the nature and details of the financial reporting process followed,
including procedures to enter transactions and adjustments in the general ledger.
Monitoring activities deal with ongoing or periodic assessment of the quality of internal
control by management to determine that controls are operating as intended and that they
are modified as appropriate for changes in conditions. The information being assessed
comes from a variety of sources, including studies of existing internal controls, internal
auditor reports, exception reporting on control activities, reports by regulators such as
bank
 regulatory agencies, feedback from operating personnel, and complaints from customers
about billing charges. For many companies, especially larger ones, an internal audit
department is essential for effective monitoring of the operating performance of internal
controls. To be effective, the internal audit function must be performed by staff
independent of both the operating and accounting departments and report directly to a
high level of authority within the organization, either top management or the audit
committee of the board of directors.
In addition to its role in monitoring an entity’s internal control, an adequate internal audit
staff can reduce external audit costs by providing direct assistance to the external auditor.

OBTAIN AND DOCUMENT UNDERSTANDING OF INTERNAL CONTROL

OBJECTIVE 4
The level of understanding internal control and extent of testing required for the audit of
internal control exceeds what is required for an audit of only the financial statements.
Therefore, when auditors first focus on the understanding and testing of internal control
for the audit of internal controls, they will have met the requirements for assessing
internal control for the financial statement audit. As discussed earlier, Sarbanes Oxley act
requires management to document its processes for assessing the effectiveness of the
company’s internal control over financial reporting. Management must document the
design of controls, including all five control components, and also the results of its
testing and evaluation. The types of information gathered by management to assess and
document internal control effectiveness can take many forms, including policy manuals,
flowcharts,
narratives, documents, questionnaires, and other paper and electronic
forms.
Auditing standards require auditors to obtain and document their understanding
of internal control for every audit. This understanding is necessary for both the
audit of internal controls over financial reporting and the audit of financial
 statements. Management’s documentation is a major source of information in
gaining the understanding.
As part of the auditor’s risk assessment procedures, the auditor uses procedures to
obtain an understanding, which involve gathering evidence about the design of internal
controls and whether they have been implemented, and then uses that information as a
basis for the integrated audit. The auditor generally uses four of the eight types of
evidence to obtain an understanding of the design and implementation of controls:
documentation, inquiry of entity personnel, and observation of employees performing
control processes, and Reperformance by tracing one or a few transactions through the
accounting system from start to finish.
Auditors commonly use three types of documents to obtain and document their
understanding of the design of internal control: narratives, flowcharts, and internal control
questionnaires. Because Sarbanes Oxley act requires management to assess and
document the design effectiveness of internal control over financial reporting, they have
usually already prepared this documentation. Narratives, flowcharts, and internal control
questionnaires, used by the auditor separately or in combination to document internal
control, are discussed next.
Narrative A narrative is a written description of a client’s internal controls. A proper
narration of an accounting system and related controls describes four
things:
1. The origin of every document and record in the system. For example, the description
should state where customer orders come from and how sales invoices are generated.
2. All processing that takes place. For example, if sales amounts are determined by a
computer program that multiplies quantities shipped by standard prices contained in
price master files, that process should be described.
3. The disposition of every document and record in the system. The filing of documents,
sending them to customers, or destroying them should be described.
4. An indication of the controls relevant to the assessment of control risk. These typically
include separation of duties (such as separating recording cash from handling cash),
authorizations and approvals (such as credit approvals), and internal verification (such as
comparison of unit selling prices to sales contracts).
Flowchart An internal control flowchart is a diagram of the client’s documents and their
sequential flow in the organization. An adequate flowchart includes the same four
characteristics identified for narratives.
Well prepared flowcharts are advantageous primarily because they provide a concise
overview of the client’s system, which helps auditors identify controls and deficiencies in
the client’s system. Flowcharts have two advantages over narratives: typically they are
easier to read and easier to update. It is unusual to use both a na rrative and a flowchart to
describe the same system because both present the same information.
Internal Control Questionnaire An internal control questionnaire asks a series of
questions about the controls in each audit area as a means of identifying internal control
deficiencies. Most questionnaires require a “yes” or a “no” response, with “no” responses
indicating potential internal control deficiencies. By using a questionnaire, auditors cover
each audit area reasonably quickly. The two main disadvantages of questionnaires are
their inability to provide an overview of the system and their inapplicability for some
audits, especially smaller ones.
In addition to understanding the design of the internal controls, the auditor must also
evaluate whether the designed controls are implemented. In practice, the understanding
of the design and implementation are often done simultaneously. Following are common
methods.

Evaluating Internal Control Implementation

Up d ate a nd Ev al u ate Au d i tor ’s Pre viou s Ex p eri ence with th e E nti ty
Most audits of a company are done annually by the same CA firm. After the first year’s
audit, the auditor begins with a great deal of information from prior years about the
client’s internal control. It is especially useful to determine whether controls that were
not previously operating effectively have been improved.
Make Inquiries of Client Personnel/Staff Auditors should ask management,
supervisors,
and staff to explain their duties. Careful questioning of appropriate personnel helps
auditors evaluate whether employees understand their duties and do what is described in
the client’s control documentation.
Examine Documents and Records The five components of internal control all involve the
creation of many documents and records. By examining completed documents, records,
and computer files, the auditor can evaluate whether information described in flowcharts
and narratives has been implemented.
Observe Entity Activities and Operations When auditors observe client personnel
carrying out their normal accounting and control activities, including their preparation of
 documents and records, it further improves their understanding and knowledge that
controls have been implemented.
Perform Walkthroughs of the Accounting System In a walkthrough, the auditor selects
one or a few documents of a transaction type and traces them from initiation through the
entire accounting process. At each stage of processing, the auditor makes inquiries,
observes activities, and examines completed documents and records. Walkthroughs
conveniently combine observation, documentation, and inquiry to assure that the
controls designed by
management have been implemented.

4. ASSESS CONTROL RISK

OBJECTIVE 4 The auditor obtains an understanding of the design and implementation of internal
.
control to make a preliminary assessment of control risk as part of the auditor’s
overall assessment of the risk of material misstatements. The auditor uses this
preliminary assessment of control risk to plan the audit for each material class of
transactions. However, in some instances the auditor may learn that the control
deficiencies are significant such that the client’s financial statements may not be
auditable. So, before making a preliminary assessment of control risk for each
material class of transactions, the auditor must first decide whether the entity is
auditable.
Two primary factors determine auditability: the integrity of management and the
adequacy of accounting records. If management lacks integrity, most auditors will
not accept the engagement. The accounting records are an important source of
audit evidence for most audit objectives. If the accounting records are deficient,
necessary audit evidence may not be available. For example, if the client has not
kept duplicate
sales invoices and vendors’ invoices, it is usually impractical to do an
audit.
In complex IT environments, much of the transaction information is available only in
electronic form without generating a visible audit trail of documents and records. In that
case, the company is usually still auditable; however, auditors must assess whether they
have the necessary skills to gather evidence that is in electronic form and can assign
personnel with adequate IT training and experience.
After obtaining an understanding of internal control, the auditor makes a
preliminary assessment of control risk as part of the auditor’s overall
assessment of the risk of material misstatement. This assessment is a measure
of the auditor’s expectation that internal controls will prevent material
misstatements from occurring or detect and correct them if they have
occurred.
The starting point for most auditors is the assessment of entity-level controls. By nature,
entity-level controls, such as many of the elements contained in the control environment,
risk assessment, and monitoring components, have an overarching impact on most major
types of transactions in each transaction cycle. For example, an ineffective board of
directors or management’s failure to have any process to identify, assess, or manage key
risks, has the potential to undermine controls for most of the transaction-related audit
objectives. Thus auditors generally assess entity-level controls before assessing
transaction specific controls.
Once auditors determine that entity-level controls are designed and placed in operation,
they next make a preliminary assessment for each transaction-related audit objective for
each major type of transaction in each transaction cycle. For example, in the sales and
collection cycle, the types of transactions usually involve sales, sales returns and
allowances, cash receipts, and the provision for and write-off of uncollectible accounts.
The auditor also makes the preliminary assessment for controls affecting audit objectives
for balance sheet accounts and presentations and disclosure in each cycle.

Many auditors use a control risk matrix to assist in the control risk assessment
process at the transaction level. The purpose is to provide a convenient way to
organize assessing control risk for each audit objective. Figure 10-5 illustrates
the use of a control risk matrix for sales transaction audit objectives of Hills
burg Hardware Co. While Figure 10-5 only illustrates the control risk
matrix for transaction-related audit objectives, auditors use a similar control
risk matrix format to assess control risk for balance-related and presentation
and disclosure-
related audit objectives. We now discuss the preparation of the
matrix.
Identify Audit Objectives The first step in the assessment is to identify the audit
objectives for classes of transactions, account balances, and presentation and disclosure to
which the assessment applies. For example, this is done for classes of transactions by
applying the specific transaction-related audit objectives introduced earlier, which were
stated in general form, to each major type of transaction for the entity. For example, the
auditor makes an assessment of the occurrence objective for sales and a separate
assessment of the completeness objective. Transaction-related audit objectives are shown
for sales transactions for Hills burg Hardware at the top of Figure 10-5.
Identify Existing Controls Next, the auditor uses the information discussed in the
previous section on obtaining and documenting an understanding of internal control to
identify the controls that contribute to accomplishing transaction-related audit objectives.
One way for the auditor to do this is to identify controls to satisfy each objective. For
example, the auditor can use knowledge of the client’s system to identify controls that are
likely to prevent errors or fraud in the occurrence transaction-related audit objective. The
same thing can be done
for all other objectives. It is also helpful for the auditor to use the five control activities
(separation of duties, proper authorization, adequate documents and records, physical
control over assets and records, and independent checks on performance) as reminders of
controls. For example: Is there adequate separation of duties and how is it achieved? Are
transactions properly authorized? Are renumbered documents properly accounted for?
Are key master files properly restricted from unauthorized access?
The auditor should identify and include only those controls that are expected to have the
greatest effect on meeting the transaction-related audit objectives. These are often called
key controls. The reason for including only key controls is that they will be sufficient to
achieve the transaction-related audit objectives and also provide audit efficiency.
Examples of key controls for Hills burg Hardware are shown in Figure 10-5.
Associate Controls with Related Audit Objectives Each control satisfies one or more
related audit objectives. This can be seen in Figure 10-5 for transaction-related audit
objectives. The body of the matrix is used to show how each control contributes to the
accomplishment of one or more transaction-related audit objectives. In this illustration, a
C was entered in each cell where a control partially or fully satisfied an objective. A
similar control risk matrix would be completed for balance-related and presentation and
disclosure-related audit objectives. For example, the mailing of statements to customers
satisfies three objectives in the audit of Hills burg Hardware, which is indicated by the
placement of each C on the row in Figure 10-5 describing that control.
Identify and Evaluate Control Deficiencies, Significant Deficiencies, and Material
Weaknesses Auditors must evaluate whether key controls are absent in the design of
internal control over financial reporting as a part of evaluating control risk and the
likelihood of financial statement misstatements. Auditing standards define three levels of
the absence of internal controls:
1. Control deficiency. A control deficiency exists if the design or operation of controls
does not permit company personnel to prevent or detect misstatements on a timely basis
in the normal course of performing their assigned functions. A design deficiency exists if
necessary control is missing or not properly designed. An operation deficiency exists if a
well-designed control does not operate as designed or if the person performing the control
is insufficiently qualified or authorized.
2. Significant deficiency. A significant deficiency exists if one or more control
deficiencies exist that is less severe than a material weakness (defined below), but
important enough to merit attention by those responsible for oversight of the company’s
financial reporting.
3. Material weakness. A material weakness exists if a significant deficiency, by itself, or
in combination with other significant deficiencies, results in a reasonable possibility
that
internal control will not prevent or detect material financial statement misstatements on a
timely basis.
To determine if a significant internal control deficiency or deficiencies are a material
weakness, they must be evaluated along two dimensions: likelihood and significance. The
horizontal line in Figure 10-6 depicts the likelihood of a misstatement resulting from the
significant deficiency, while the vertical line depicts its significance. If there is more than a
reasonable possibility (likelihood) that a material misstatement (significance) could result
from the significant deficiency or deficiencies, then it is considered a material weakness.
A five-step approach can be used to identify deficiencies, significant deficiencies, and
material weaknesses:
1. Identify existing controls. Because deficiencies and material weaknesses
are the absence of adequate controls, the auditor must first know which
ex
controls
2. ist. The methods for identifying controls have already been disIdentify the
absence of key controls. Internal control questionnaires, flow charts, and
walkthroughs are useful tools to identify where controls are lacking and the
likelihood of misstatement is therefore increased. It is also useful to examine
the control risk matrix, such as the one in Figure 10-5 (p. 309), to look for
objectives where there are no or only a few controls to prevent or detect
misstatements.
3. Consider the possibility of compensating controls. A compensating
control is one elsewhere in the system that offsets the absence of a key
control. A common example in a small business is the active involvement of
the owner. When a compensating control exists, there is no longer a
significant deficiency or material weakness.
4. Decide whether there is a significant deficiency or material weakness.
The likelihood of misstatements and their materiality are used to evaluate if
there are significant deficiencies or material weaknesses.
5. Determine potential misstatements that could result. This step is
intended to identify specific misstatements that are likely to result because of
the significant deficiency or material weakness. The importance of a
significant deficiency or material weakness is directly related to the likelihood
and materiality of potential misstatements. Figure 10-7 for Hills burg
Hardware
includes two significant deficiencies but no material
weaknesses.
Associate Significant Deficiencies and Material Weaknesses with Related Audit
Objectives the same as for controls, each significant deficiency or material weakness can
apply to one or more related audit objectives. In the case of Hills burg Hardware in Figure
10-5 (p. 309), there are two significant deficiencies, and each applies to only one
transaction-related objective. The significant deficiencies are shown in the body of the
figure by a D in the appropriate objective column.
Assess Control Risk for Each Related Audit Objective After controls, significant
deficiencies, and material weaknesses are identified and associated with transaction-
related audit objectives, the auditor can assess control risk for transaction related audit
objectives. This is the critical decision in the evaluation of internal control.
The auditor uses all of the information discussed previously to make a subjective control
risk assessment for each objective. There are different ways to express this assessment.
Some auditors use a subjective expression such as high, moderate, or low. Others use
numerical probabilities such as 1.0, 0.6, or 0.2.
Again, the control risk matrix is a useful tool for making the assessment. Referring to
Figure
10-5, the auditor assessed control risk for each objective for Hills burg’s sales by
reviewing each column for pertinent controls and significant deficiencies and asking,
“What is the likelihood that a material misstatement would not be prevented or detected,
or corrected if it occurred, by these controls, and what is the effect of the deficiencies or
weaknesses?” If the likelihood is low, then control risk is low, and so forth. Figure 10-5 (p.
309) for Hills burg Hardware shows that all objectives are assessed as low except
occurrence and timing, which are medium.
This assessment is not the final one. Before making the final assessment at the end of the
integrated audit, the auditor will test controls and perform substantive tests. These
procedures can either support the preliminary assessment or cause the auditor to make
changes. In some cases, management can correct deficiencies and material weaknesses
before the auditor does significant testing, which may permit a reduction in control risk.
After a preliminary assessment of control risk is made for sales and cash receipts, the
auditor can complete the three control risk rows of the evidence-planning work - sheet
that was introduced in Chapter 9 on page 272. If tests of controls results do not support
the preliminary assessment of control risk, the auditor must modify the worksheet
later. Alternatively, the auditor can wait until tests of controls are done to complete the
three control risk rows of the worksheet. An evidence-planning worksheet for Hills burg
Hardware with the three rows for control risk completed is illustrated in Figure 15-6 on
page 499
As part of understanding internal control and assessing control risk, the auditor
is required to communicate certain matters to those charged with governance.
This information and other recommendations about controls are also
often
communicated to management.
Communications to Those Charged with Governance The auditor must communicate
significant deficiencies and material weaknesses in writing to those charged with
 governance as soon as the auditor becomes aware of their existence. The communication
is usually addressed to the audit committee and to management.
Timely communications may provide management an opportunity to address control
deficiencies before management’s report on internal control must be issued. In some
instances, deficiencies can be corrected sufficiently early such that both management and
the auditor can conclude that controls are operating effectively as of the balance sheet
date. Regardless, these communications must be made no later than 60 days following the
audit report release.
Management Letters In addition to these matters, auditors often identify less significant
internal control-related issues, as well as opportunities for the client to make operational
improvements. These should also be communicated to the client. The form of
communication is often a separate letter for that purpose, called a management letter.
Although management letters are not required by auditing standards, auditors generally
prepare them as a value-added service of the audit.

TEST OF CONTROLS
We’ve examined how auditors link controls, significant deficiencies, and material
weaknesses in internal control to related audit objectives to assess control risk for
each objective. Now we’ll address how auditors test those controls that are used to
support a control risk assessment. For example, each key control in Figure 10-5 (p.
309) that the auditor intends to rely on to support a control risk of medium or low
must be supported by sufficient tests of controls. We will deal with tests of controls
for both audits of internal control for financial reporting and audits of financial
statements.
Assessing control risk requires the auditor to consider both the design and operation of
controls to evaluate whether they will likely be effective in meeting related audit
objectives. During the understanding phase, the auditor will have already gathered some
evidence in support of both the design of the controls and their implementation by using
procedures to obtain an understanding (see pages 302–307). In most cases, the auditor
will not have gathered enough evidence to reduce assessed control risk to a sufficiently
low level. The auditor must therefore obtain additional evidence about the operating
effectiveness of controls throughout all, or at least most, of the period under audit. The
procedures to test effectiveness of controls in support of a reduced assessed control risk
are called tests of controls.
If the results of tests of controls support the design and operation of controls as expected,
the auditor uses the same assessed control risk as the preliminary assessment. If,
however,
the tests of controls indicate that the controls did not operate effectively, the assessed
control risk must be reconsidered. For example, the tests may indicate that the application
of a control was curtailed midway through the year or that the person applying it made
frequent misstatements. In such situations, the auditor uses a higher assessed control risk,
unless compensating controls for the same related audit objectives are identified and
found to be effective. Of course, the auditor must also consider the impact of those
controls that
are not operating effectively on the auditor’s report on internal
control.
The auditor is likely to use four types of procedures to support the operating
effectiveness of internal controls. Management’s testing of internal control will
likely include the same types of procedures. The four types of procedures are as
follows:
1. Make inquiries of appropriate client personnel. Although inquiry is not a
highly reliable source of evidence about the effective operation of controls, it is
still appropriate. For example, to determine that unauthorized personnel are
denied access to computer files, the auditor may make inquiries of the person
who controls the computer library and of the person who controls online
access security password assignments.
2. Examine documents, records, and reports. Many controls leave a clear trail
of documentary evidence that can be used to test controls. Suppose, for example,
that when a customer order is received, it is used to create a customer sales
order, which is approved for credit. (See the first and second key controls in
Figure 10-5 on page 309.) Then the customer order is attached to the sales order
as authorization for further processing. The auditor can test the control by
examining the documents to make sure that they are complete and properly
matched and that required signatures or initials are present.
3. Observe control-related activities. Some controls do not leave an evidence
trail, which means that it is not possible to examine evidence that the control was
executed at a later date. For example, separation of duties relies on specific
persons performing specific tasks, and there is typically no documentation of the
separate performance. (See the third key control in Figure 10-5.) For controls
that leave no documentary evidence, the auditor generally observes them being
applied at various points during the year.
4. Reperform client procedures. There are also control-related activities for
which there are related documents and records, but their content is insufficient
for the auditor’s purpose of assessing whether controls are operating effectively.
For example, assume that prices on sales invoices are obtained from the master
price list, but no indication of the control is documented on the sales invoices.
(See the seventh
key control in
Figure 10-5.) In
these cases, it is
common for the
auditor
 to reperform the control activity to see whether the proper results were
obtained. For this example, the auditor can reperform the procedure by tracing
the sales prices to the authorized price list in effect at the date of the transaction.
If no misstatements are found, the auditor can conclude that the procedure is
operating as intended.
The extent to which tests of controls are applied depends on the preliminary assessed
control risk. If the auditor wants a lower assessed control risk, more extensive tests of
controls are applied, both in terms of the number of controls tested and the extent of the
tests for each control. For example, if the auditor wants to use a low assessed control risk,
a larger sample size for documentation, observation, and Reperformance procedures
should be applied. The extent of testing also depends on the frequency of the operation of
the controls, and whether it is manual or automated.
Rel iance o n Evid e nce f ro m th e P rio r Yea r’ s Au d i t When auditors plan to
use evidence about the operating effectiveness of internal control obtained in prior
audits, auditing standards require tests of the controls’ effectiveness at least every third
year. If auditors determine that a key control has been changed since it was last tested,
they should test it in the current year. When there are a number of controls tested in prior
audits that have not been changed, auditing standards require auditors to test some of
those controls each year to ensure there is a rotation of controls testing throughout the
three year period.
Testing of Controls Related to Significant Risks: Significant risks are those risks that
the auditor believes require special audit consideration. When the auditor’s risk
assessment procedures identify significant risks, the auditor is required to test the
operating effectiveness of controls that mitigate these risks in the current year audit, if
the auditor plans to rely on those controls to support a control risk assessment below
100%. The greater the risk, the more audit evidence the auditor should obtain that
controls are operating effectively.
Testing Less Than the Entire Audit Period Recall that management’s report on internal
control deals with the effectiveness of internal controls as of the end of the fiscal year.
PCAOB Standard 5 requires the auditor to perform tests of controls that are adequate to
determine whether controls are operating effectively at year-end. The timing of the
auditor’s tests of controls will therefore depend on the nature of the controls and when the
company uses them. For controls that are applied throughout the accounting period, it is
usually practical to test them at an interim date. The auditor will then determine later if
changes in controls occurred in the period not tested and decide the implication of any
change. Controls dealing with financial statement preparation occur only quarterly or at
year-end and must therefore also be tested at quarter and year-end.
 There is a significant overlap between tests of controls and procedures to obtain an
understanding. Both include inquiry, documentation, and observation. There are two primary
differences in the application of these common procedures.
1. In obtaining an understanding of internal control, the procedures to obtain an
understanding are applied to all controls identified during that phase. Tests of
controls, on the other hand, are applied only when the assessed control risk has
not been satisfied by the procedures to obtain an understanding.
2. Procedures to obtain an understanding are performed only on one or a few
transactions or, in the case of observations, at a single point in time. Tests of
controls are performed on larger samples of transactions (perhaps 20 to 100),
and
often, observations are made at more than one point in
time.
For key controls, tests of controls other than Reperformance are essentially an extension
of procedures to obtain an understanding. Therefore, assuming the auditors plan to
obtain a low assessed control risk from the beginning of the integrated audit, they will
likely combine both types of procedures and perform them simultaneously.
Table 10-3 illustrates this concept in more detail. One option is to perform the audit
procedures separately, as shown in Table 10-3, where minimum procedures to obtain an
understanding of design and operation are performed, followed by additional tests o
controls. An alternative is to combine both columns and do them simultaneously. The
same amount of evidence is accumulated in the second approach, but more
efficiently. The determination of the appropriate sample size for tests of controls is an
important audit
decision.

DECIDE PLANNED DETECTION RISK AND DESIGN SUBSTENTIVE TESTS

We’ve focused on how auditors assess control risk for each related audit objective and support control
risk assessments with tests of controls. The completion of these activities is sufficient for the audit of
internal control over financial reporting, even though the report will not be finalized until the auditor
completes the audit of financial statements.
The auditor uses the control risk assessment and results of tests of controls to determine planned
detection risk and related substantive tests for the audit of financial statements. The auditor does this
by linking the control risk assessments to the balance related audit objectives for the accounts affected
by the major transaction types and to the four presentation and disclosure audit objectives. The
appropriate level of detection risk for each balance-related audit objective is then decided using the
audit risk model. The relationship of transaction-related audit objectives to balance-related audit
objectives and the selection and design of audit procedures for substantive tests of financial
statement balances are discussed and illustrated in Chapter 13.
REPORTING ON INTERNAL CONTROL

OBJECTIVE 7 Understand the Requirements for Auditor

reporting on Internal Control
The scope of the auditor’s report on internal control is limited to obtaining reasonable
assurance that material weaknesses in internal control are identified. Thus, the audit is
not designed to detect deficiencies in internal control that individually, or in the aggregate,
are less severe than a material weakness. The distinction between deficiencies, significant
deficiencies, and material weaknesses was discussed earlier.
Unqualified Opinion The auditor will issue an unqualified opinion on internal control
over
financial reporting when two conditions exist:
 There are no identified material weaknesses.
 There have been no restrictions on the scope of the auditor’s
work.
Adverse Opinion When one or more material weaknesses exist, the auditor must express
an adverse opinion on the effectiveness of internal control. The most common cause of an
adverse opinion in the auditor’s report on internal control is when management identified
a material weakness in its report.
Qualified or Disclaimer of Opinion A scope limitation requires the auditor to express a
qualified opinion or a disclaimer of opinion on internal control over financial reporting.
This type of opinion is issued when the auditor is unable to determine if there are
material weaknesses, due to a restriction on the scope of the audit of internal control over
financial reporting or other circumstances where the auditor is unable to obtain sufficient
appropriate evidence. Because the audit of the financial statements and the audit of
internal control over financial reporting are integrated, the auditor must consider the
results of audit procedures performed to issue the audit report on the financial
statements when issuing the audit report on internal control. For example, assume the
auditor identifies material misstatement in the financial statements that was not initially
identified by the company’s internal controls. The following four responses to this finding
are likely:

1. Because there is a material error in the financial statements, the auditor should
consider whether the misstatement indicates the existence of a material weakness.
Determining if the misstatement is in fact a material weakness or a significant deficiency
involves judgment and depends on the nature and size of the misstatement.
 2. The auditor can issue an unqualified opinion on the financial statements if the client
adjusts the statements to correct the misstatement prior to issuance
3. Management is likely to change its report on internal control to assert that the controls
are not operating effectively.
4. The auditor must issue an adverse opinion on internal control over financial reporting if
the deficiency is considered a material weakness.
Figure 10-8 illustrates the definition of material weakness and opinion paragraphs from
an auditor’s separate report on internal control when the auditor expresses an adverse
opinion on the effectiveness of internal control over financial reporting because of the
existence of a material weakness. If the material weakness has not been included in
management’s assessment, the report should note that a material weakness has been
identified but not
included in management’s assessment.

ESSENTIAL TERMS
Assessment of control risk—a measure of the Collusion—a cooperative effort among employees
auditor’s expectation that internal controls will to steal assets or misstate records
neither prevent material misstatements from Control activities—policies and procedures, in
occurring nor detect and correct them if they have addition to those included in the other four
occurred; control risk is assessed for each trans - components of internal control, that help ensure
action-related audit objective in a cycle or class of that necessary actions are taken to address risks in
transactions the achievement of the entity’s objectives; they
Chart of accounts—a listing of all the entity’s typically include the following five specific control
accounts, which classifies transactions into activities: (1) adequate separation of duties, (2)
individual balance sheet and income statement proper authorization of trans actions and activities,
accounts (3) adequate documents and records, (4) physical
Compensating control—a control elsewhere in control over assets and records, and (5)
the system that offsets the absence of a key independent checks on performance
control
Control deficiency—a deficiency in the design or (2) Effectiveness and efficiency of operations, and
operation of controls that does not permit (3) compliance with applicable laws and
company personnel to prevent or detect regulations
misstatements on a timely basis Internal control questionnaire—a series of
Control environment—the actions, policies, and questions about the controls in each audit area
procedures that reflect the overall attitudes of top used as a means of indicating to the auditor
management, directors, and owners of an entity aspects of internal control that may be inadequate
about internal control and its importance to the Key controls—controls that are expected to have
entity. the greatest effect on meeting the transaction-
Control risk matrix—a methodology used to help related audit objectives
the auditor assess control risk by matching key Management letter—an optional letter written by
internal controls and internal control deficiencies the auditor to a client’s management containing
with transaction-related audit objectives the auditor’s recommendations for improving any
Entity-level controls—Controls that have a aspect of the client’s business
pervasive effect on the entity’s system of internal Material weakness—a significant deficiency in
control; also referred to as “company-level internal control that, by itself, or in combination
controls” with other significant deficiencies, results in a
Flowchart—a diagrammatic representation of the reasonable possibility that a material misstatement
client’s documents and records and the sequence of the financial statements will not be prevented or
in which they are processed detected
General authorization—companywide policies Monitoring—management’s ongoing and periodic
for the approval of all transactions within stated assessment of the quality of internal control
limits performance to determine that controls are
Independent checks—internal control activities operating as intended and are modified when
designed for the continuous internal verification of needed
other controls Narrative—a written description of a client’s
Information and communication—the set of internal controls, including the origin, processing,
manual and/or computerized procedures that and disposition of documents and records, and the
initiates, records, processes, and reports an entity’s relevant control procedures
transactions and maintains accountability for the Procedures to obtain an understanding—
related assets Procedures used by the auditor to gather evidence
Internal control—a process designed to provide about the design and implementation of specific
reasonable assurance regarding the achievement controls
of management’s objectives in the following Risk assessment—management’s identification
categories: and analysis of risks relevant to the preparation of
(1) Reliability of financial reporting, financial statements in accordance with an
applicable accounting framework
Separation of duties—separation of the following Specific authorization—case-by-case approval of
activities in an organization: (1) custody of assets transactions not covered by companywide policies
from accounting, (2) authorization from custody of Tests of controls—audit procedures to test the
assets, (3) operational responsibility from record operating effectiveness of controls in support of
keeping, and (4) IT duties from outside users of IT. reduced assessed control risk
Significant deficiency—one or more control Those charged with governance—the person(s)
deficiencies exist that is less severe than a material with responsibility for over - seeing the strategic
weakness, but important enough to merit attention direction of the entity and its obligations related to
by those responsible for oversight of the the accountability of the entity, including
company’s financial reporting overseeing the financial reporting and disclosure
Significant risks—risks the auditor believes process
require special audit consideration; the auditor is Walkthrough—the tracing of selected
required to test the operating effectiveness of transactions
controls that mitigate these risks in the current through the accounting system to determine that
year audit if control risk is to be assessed controls are in place.
below the
maximum

DISCUSSION QUESTIONS AND PROBLEMS

QUESTION 01 (Objective 3)
Following are descriptions of ten internal controls.
1. The company’s computer systems track individual transactions and automatically accumulate
transactions to create a trial balance.
2. The company must receive university transcripts documenting all college degrees earned before an
individual can begin their first day of employment with the company.
3. Senior management obtains data about external events that might affect the entity and evaluates the
impact of that information on its existing accounting processes.
4. Each quarter, department managers are required to perform a self-assessment of the department’s
compliance with company policies. Reports summarizing the results are to be submitted to the senior
executive overseeing that department.
5. Before a cash disbursement can be processed, all payee information must be verified by matching the
payee to the company’s approved vendor listing.
6. The system automatically reconciles the detailed accounts receivable subsidiary ledger to the
accounts receivable general ledger account on daily basis.
7. The company has developed a detailed series of accounting policy and procedures manuals to help
provide detailed instructions to employees about how controls are to be performed.
 8. The company has an organizational chart that establishes the formal lines of reporting and
authorization protocols.
9. The compensation committee reviews compensation plans for senior executives to determine if those
plans create unintended pressures that might lead to distorted financial statements.
10. On a monthly basis, department heads review a budget to actual performance report and investigate
unusual differences.
Indicate which of the five COSO internal control components is best represented by each internal control.
 Control environment
 Risk assessment
 Control activities
 Information and communication
 Monitoring
QUESTION 02 (Objectives 3, 4, 5, 6)
Each of the following internal controls has been taken from a standard internal control questionnaire used by a
CA firm for assessing control risk in the payroll and personnel cycle.
1. Approval of department head or foreman on time cards is required before preparing payroll.
2. All prenumbered time cards are accounted for before beginning data entry for preparation of checks.
3. The computer calculates gross and net pay based on hours inputted and information in employee
master files, and payroll accounting personnel double-check the mathematical accuracy on a test
basis.
4. All voided and spoiled payroll checks are properly mutilated and retained.
5. Human resources policies require an investigation of an employment application from new employees.
Investigation includes checking the employee’s background, former employers, and references.
6. The payroll accounting software application will not accept data input for an employee number not
contained in the employee master file.
7. Persons preparing the payroll do not perform other payroll duties (timekeeping, distribution of
checks)
or have access to payroll data master files or cash.
8. Written termination notices, with properly documented reasons for termination, and approval of an
appropriate official are required.
9. All checks not distributed to employees are returned to the treasurer for safekeeping.
10. Online ability to add employees or change pay rates to the payroll master file is restricted via
passwords to authorized human resource personnel.
Required:
a. For each internal control, identify the type(s) of specific control activity (activities) to which it applies
(such as adequate documents and records or physical control over assets and records).
b. For each internal control, identify the transaction-related audit objective(s) to which it applies.
 c. For each internal control, identify a specific misstatement that is likely to be prevented if the control
exists and is effective.
d. For each control, list a specific misstatement that could result from the absence of the control.
e. For each control, identify one audit test that the auditor could use to uncover misstatements resulting
from the absence of the control.
QUESTION NO 03 (Objectives 3, 4, 5)
The following are misstatements that have occurred in Fresh Foods Grocery Store, a retail and wholesale
grocery company:
a. The incorrect price was used on sales invoices for billing shipments to customers because the wrong
price was entered into the computer master file of prices.
b. A vendor invoice was paid even though no merchandise was ever received. The accounts payable
software application does not require the input of a valid receiving report number before payment
can be made.
c. Employees in the receiving department took sides of beef for their personal use. When a shipment of
meat was received, the receiving department filled out a receiving report and forwarded it to the
accounting department for the amount of goods actually received. At that time, two sides of beef were
put in an employee’s pickup truck rather than in the storage freezer.
d. During the physical count of inventory of the retail grocery, one counter wrote down the wrong
description of several products and miscounted the quantity.
e. A salesperson sold an entire carload of lamb at a price below cost because she did not know the cost of
lamb had increased in the past week.
f. A vendor’s invoice was paid twice for the same shipment. The second payment arose because the
vendor sent a duplicate copy of the original 2 weeks after the payment was due.
g. On the last day of the year, a truckload of beef was set aside for shipment but was not shipped. Because
it was still on hand the inventory was counted. The shipping document was dated the last day of the
year, so it was also included as a current-year sale.
h. An accounts payable clerk processed payments to himself by adding a fictitious vendor address to the
approved vendor master file.
Required:
 For each misstatement, identify one or more types of controls that were absent.
 For each misstatement, identify the transaction-related audit objectives that have not been met.
 For each misstatement, suggest a control to correct the deficiency.

QUESTION NO 04 (Objective 3)
The division of the following duties is meant to provide the best possible controls for the Meridian Paint
Company, a small wholesale store:
 1. Approve credit for customers included in the customer credit master file.
2. Input shipping and billing information to bill customers, record invoices in the sales journal, and
update the accounts receivable master file.
3. Open the mail and prepare a prelisting of cash receipts.
4. Enter cash receipts data to prepare the cash receipts journal and update the accounts receivable
master file.
5. Prepare daily cash deposits.
6. Deliver daily cash deposits to the bank.
7. Assemble the payroll time cards and input the data to prepare payroll checks and update the payroll
journal and payroll master files.
8. Sign payroll checks.
9. Assemble supporting documents for general and payroll cash disbursements.
10. Sign general cash disbursement checks.
11. Input information to prepare checks for signature, record checks in the cash disbursements journal,
and update the appropriate master files.
12. Mail checks to suppliers and deliver checks to employees.
13. Cancel supporting documents to prevent their reuse.
14. Update the general ledger at the end of each month and review all accounts for unexpected balances.
15. Reconcile the accounts receivable master file with the control account and review accounts
outstanding more than 90 days.
16. Prepare monthly statements for customers by printing the accounts receivable master file; then mail
the statements to customers.
17. Reconcile the monthly statements from vendors with the accounts payable master file.
18. Reconcile the bank account.
Required:
You are to divide the accounting-related duties 1 through 18 among Rashid, Javaid, and Bilal. All of the
responsibilities marked with a dagger are assumed to take about the same amount of time and must be
divided equally between Rashid and Javaid. Both employees are equally competent. Bilal, who is president of
the company, is not willing to perform any functions designated by a dagger and will perform only a
maximum of two of the other functions.
QUESTION NO 05 (Objectives 2, 4, 8)
Ali and Amir are friends who are employed by different CA firms. One day during lunch they are discussing the
importance of internal control in determining the amount of audit evidence required for an engagement. Ali
expresses the view that internal control must be evaluated carefully in all companies, regardless of their size
or whether they are publicly held, in a similar manner. His CA firm requires a standard internal control
questionnaire on every audit as well as a flowchart of every transaction area. In addition, he says the firm
requires a careful evaluation of the system and a modification in the evidence accumulated based on the
controls
and deficiencies in the system. Amir responds by saying he believes that internal control cannot be adequate
in many of the small companies he audits; therefore, he simply ignores internal control and acts under the
assumption of inadequate controls. He goes on to say, “Why should I spend a lot of time obtaining an
understanding of internal control and assessing control risk when I know it has all kinds of weaknesses before
I start? I would rather spend the time it takes to fill out all those forms in testing whether the statements are
correct.”
Required:
1. Express in general terms the most important difference between the nature of the potential controls
available for large and small companies.
2. Criticize the positions taken by Ali and Amir, and express your own opinion about the similarities and
differences that should exist in understanding internal control and assessing control risk for different
sized companies.
3. Discuss whether Amir’s approach is acceptable under existing auditing standards for either public or
nonpublic companies.
4. Describe what additional procedures Ali must perform if auditing the financial statements of a public
company.
QUESTION NO 06 (Objectives 3, 5)
The following are partial descriptions of internal controls for companies engaged in the manufacturing
business:
1. When Mr. Ahmad orders materials, he sends a duplicate purchase order to the receiving department.
During the delivery of materials, Mr. Usman, the receiving clerk, records the receipt of shipment on
this purchase order and then sends the purchase order to the accounting department, where it is
used to record materials purchased and accounts payable. The materials are transported to the
storage area by Mr. Faisal. The additional purchased quantities are recorded on storage records.
2. Every day, hundreds of employees clock in using time cards at Generous Motors Corporation. The
timekeepers collect these cards once a week and deliver them to the computer department, which
handles data entry. There, the data on these time cards are entered into the computer. The entered
data is used in the preparation of the labor cost distribution records, the payroll journal, and the
payroll checks. The treasurer, Mrs. Waqas, compares the payroll journal with the payroll checks, signs
the checks, and returns them to Mr. Sumair, the supervisor of the computer department. The payroll
checks are distributed to the employees by Mr. Sumair.
3. The smallest branch of Connor Cosmetics employs Maria, the branch manager, and her sales assistant,
Jaweria. The branch uses a bank account to pay expenses. The account is kept in the name of “Connor
Cosmetics—Special Account.” To pay expenses, checks must be signed by Maria or by the treasurer,
Jaweria. Maria receives the cancelled checks and bank statements. She reconciles the branch account
herself and files cancelled checks and bank statements in her records. She also periodically prepares
reports of cash disbursements and sends them to the home office.
Required:
 a. List the deficiencies in internal control for each of these situations. To identify the deficiencies, use the
methodology that was discussed in this chapter.
b. For each deficiency, state the type(s) of misstatement(s) that is (are) likely to result. Be as specific as
possible.
c. How would you improve internal controls for each of the three companies?
QUESTION NO 07 (Objective 5)
ASIF, CA, prepared the flowchart which portrays the raw materials purchasing function of one of ASIF’s clients,
Medium-Sized Manufacturing Company, from the preparation of initial documents through the vouching of
invoices for payment in accounts payable. Assume that all documents are prenumbered. Identify the
deficiencies in internal control that can be determined from the flowchart. Use the methodology discussed in
this chapter. Include internal control deficiencies resulting from activities performed or not performed.
QUESTION 08 (Objective 6)
The following internal controls were tested in prior audits. Evaluate each internal control independently and
determine which controls must be tested in the current year’s audit of the December 31, 2013 financial
statements. Be sure to explain why testing is or is not required in the current year.
1. The general ledger accounting software system automatically reconciles totals in each of the
subsidiary master files for accounts receivable, accounts payable, and inventory accounts to the
respective general ledger accounts. This control was most recently tested in the prior year. No
changes to the software have been made since testing and there are strong controls over IT security
and software program changes.
2. The accounts payable clerk matches vendor invoices with related purchaser orders and receiving
reports and investigates any differences noted. This control was tested in the 2011 fiscal year end
audit. No changes to this control or personnel involved have occurred since testing was performed.
3. The sales system automatically determines whether a customer’s purchase order and related accounts
receivable balance are within the customer’s credit limit. The risk of shipping goods to customers who
exceed their credit limit is deemed to be a significant risk. This control was last tested in the
December
31, 2009 financial statement audit.
4. The perpetual inventory system automatically extends the unit price times quantity for inventory on
hand. This control was last tested in the audit of December 31, 2009 financial statements. During
2011, the client made changes to this software system.
5. The client’s purchase accounting system was acquired from a reputable software vendor several years
ago. This system contains numerous automated controls. The auditor tested those controls most
recently in the 2010 audit. No changes have been made to any of these controls since testing and the
client’s controls over IT security and software program changes are excellent.
QUESTION NO 09 (Objective 7)
The following are independent situations for which you will recommend an appropriate audit report on
internal control over financial reporting as required by auditing standards:
 1. The auditor identified a material misstatement in the financial statements that was not detected by
management of the company.
2. The auditor was unable to obtain any evidence about the operating effectiveness of internal control
over financial reporting.
3. The auditor determined that a deficiency in internal control exists that will not prevent or detect a
material misstatement in the financial statements.
4. During interim testing, the auditor identified and communicated to management a significant control
deficiency. Management immediately corrected the deficiency and the auditor was able to sufficiently
test the newly-instituted internal control before the end of the fiscal period.
5. As a result of performing tests of controls, the auditor identified a significant deficiency in internal
control over financial reporting; however, the auditor does not believe that it represents a material
weakness in internal control.
Required:
For each situation, state the appropriate audit report from the following alternatives:
 Unqualified opinion on internal control over financial reporting
 Qualified or disclaimer of opinion on internal control over financial reporting
 Adverse opinion on internal control over financial reporting

C
QUESTION NO 10 (Objective 5)
ase study
The following is the description of sales and cash receipts for the Lady’s Fashion Fair, a retail store
dealing in expensive women’s clothing. Sales are for cash or credit, using the store’s own billing rather
than credit cards. Each salesclerk has her own sales book with prenumbered, three-copy, multicolored sales
slips attached, but punctured. Only a central cash register is used. It is operated by the store supervisor, who
has been employed for 10 years by Ali, the store owner. The cash register is at the store entrance to control
theft of clothes. Salesclerks prepare the sales invoices in triplicate. The original and the second copy a re
given to the cashier. The third copy is retained by the salesclerk in the sales book. When the sale is for cash,
the customer pays the salesclerk, who marks all three copies “paid” and presents the money to the cashier
with the invoice copies. All clothing is put into boxes or packages by the supervisor after comparing the
clothing to the description on the invoice and the price on the sales tag. She also rechecks the clerk’s
calculations. Any corrections are approved by the salesclerk. The clerk changes her sales book at that time.
A credit sale is approved by the supervisor from an approved credit list after the salesclerk prepares the three-
part invoice. Next, the supervisor enters the sale in her cash register as a credit or cash sale. The second copy
of the invoice, which has been validated by the cash register, is given to the customer.
At the end of the day, the supervisor recaps the sales and cash and compares the totals to the cash register
tape.
The supervisor deposits the cash at the end of each day in the bank’s deposit box. The cashier’s copies of the
invoices are sent to the accounts receivable clerk along with a summary of the day’s receipts. The bank mails
the deposit slip directly to the accounts receivable clerk.
Each clerk summarizes her sales each day on a daily summary form, which is used in part to calculate
employees’ sales commissions. Marge, the accountant, who is prohibited from handling cash, receives the
supervisor’s summary and the clerk’s daily summary form. Daily, she puts all sales invoice information into
the firm’s computer, which provides a complete printout of all input and summaries. The accounting
summary includes sales by salesclerk, cash sales, credit sales, and total sales. Marge compares this output with
the supervisor’s and salesclerks’ summaries and reconciles all differences.
The computer updates accounts receivable, inventory, and general ledger master files. After the update
procedure has been run on the computer, Marge’s assistant files all sales invoices by customer number. A list
of the invoice numbers in numerical sequence is included in the sales printout. The mail is opened each
morning by a secretary in the owner’s office. All correspondence and complaints are given to the owner. The
secretary prepares a prelist of cash receipts. He totals the list, prepares a deposit slip, and deposits the cash
daily. A copy of the prelist, the deposit slip, and all remittances returned with the cash receipts are given to
Marge. She uses this list and the remittances to record cash receipts and update accounts receivable, again by
computer. She reconciles the total receipts on the prelist to the deposit slip and to her printout. At the same
time, she compares the deposit slip received from the bank for cash sales to the cash receipts journal.
A weekly aged trial balance of accounts receivable is automatically generated by the computer. A separate
listing of all unpaid bills over 60 days is also automatically prepared. These are given to Mrs. Ali, who acts as
her own credit collector. She also approves all write-offs of uncollectible items and forwards the list to Marge,
who writes them off. Each month Marge mails statements generated by the computer to customers.
Complaints and disagreements from customers are directed to Mrs. Ali, who resolves them and informs Marge
in writing of any write-downs or misstatements that require correction. The computer system also
automatically totals the journals and posts the totals to the general ledger. A general ledger trial balance is
printed out, from which Marge prepares financial statements. Marge also prepares a monthly bank
reconciliation and reconciles the general ledger to the aged accounts receivable trial balance. Because of
the importance of inventory control, Marge prints out the inventory perpetual totals monthly, on the last day
of each month. Salesclerks count all inventory after store hours on the last day of each month for comparison
with the perpetual. An inventory shortages report is provided to Mrs. Ali. The perpetual are adjusted by Marge
after Mrs. Ali has approved the adjustments. Required:
a. For each sales transaction-related audit objective, identify one or more existing
controls.
b. For each cash receipts transaction-related audit objective, identify one or more existing
controls. c. Identify deficiencies in internal control for sales and cash receipts.