Chapter 06 – Internal Control in a Financial Statement Audit
6-1
CHAPTER 6
INTERNAL CONTROL IN A
FINANCIAL STATEMENT AUDIT
Answers to Review Questions
6-1 From management’s perspective, internal control provides a way to accomplish
management’s stewardship or agency responsibilities. Management also needs a control
system that generates reliable information for decision-making purposes. The importance
of internal control to the auditor is rooted in the second standard of fieldwork. The
controls that are relevant to the entity’s ability to initiate, record, process, and report
substantive procedures.
6-2 The potential benefits and risks to an entity’s internal control from information technology
include (see Table 6-1):
Benefits:
• Consistent application of predefined business rules and performance of complex
calculations in processing large volumes of transactions or data.
• Enhancement of the timeliness, availability, and accuracy of information.
implementing security controls in applications, databases, and operating systems.
Risks:
• Reliance on systems or programs that inaccurately process data, process inaccurate
data, or both.
• Unauthorized access to data that may result in destruction of data or improper
• Potential loss of data.
6-2
6-3 Internal control is composed of five components:
1. Control Environment: The control environment is the set of standards, processes, and
structures that provide the basis for carrying out internal control across the
organization. The board of directors and senior management establish the tone at the
top regarding the importance of internal control and expected standards of conduct.
2. The Entity’s Risk Assessment Process: Risk assessment involves a dynamic and
environment.
5. Monitoring of Controls: Ongoing evaluations, separate evaluations, or some
combination of the two are used to ascertain whether each of the five components of
internal control, including controls to effect the principles within each component, are
present and functioning. Findings are evaluated and deficiencies are communicated in
a timely manner, with serious matters reported to senior management and to the board.
6-4 Factors that affect the control environment include (see Table 6-3):
• The organization demonstrates a commitment to integrity and ethical values.
• The organization holds individuals accountable for their internal control
responsibilities in the pursuit of objectives.
6-5 A substantive audit strategy means that the auditor has made a decision not to rely on the
entity’s controls and to audit the related financial statement accounts directly. Control risk
is set at the maximum when a substantive audit strategy is followed. With a reliance
Chapter 06 – Internal Control in a Financial Statement Audit
6-3
6-6 In addition to planning the audit of the financial statements, the auditor’s understanding of
the entity’s internal control is used to (1) identify the types of potential misstatements, (2)
controls and substantive procedures.
6-7 The concept of reasonable assurance recognizes that the cost of an entity’s internal control
system should not exceed the benefits that are expected to be derived from the system.
Thus, an internal control system will not detect every error that might occur because it
personnel errors or mistakes, and collusion are inherent limitations of internal control.
6-8 A number of tools are available to the auditor for documenting the understanding of the
6-9 The auditor should document the achieved level of control risk for the controls evaluated.
The auditor’s assessment can be documented using a structured working paper, an internal
control questionnaire, or a memorandum.
6-10 The auditor might consider conducting substantive tests at an interim date for a number of
reasons. For example, the client may want the auditor to confirm accounts receivable
before year-end because of demands on the client’s staff at year-end. Alternatively, the
auditor may wish to conduct substantive tests at an interim date to minimize staff overtime
at year-end. The auditor should consider the following factors when substantive tests are
to be completed at an interim date:
• The control environment and other relevant controls.
reduce the risk that misstatement may exist at the period-end will not be detected.
When the auditor conducts substantive tests of an account at an interim date, additional
substantive tests might include comparing the year-end account balance with the interim
account balance, conducting some analytical procedures, and/or reviewing related journals
and ledgers for large or unusual transactions during the remaining period.
6-11 For private companies, auditing standards require that the auditor report to those charged
with governance (e.g., audit committee) any control deficiencies discovered by the auditor
Chapter 06 – Internal Control in a Financial Statement Audit
6-4
Answers to Multiple-Choice Questions
6-12
d
6-19
b
6-13
d
6-20
b
6-14
d
6-21
d
6-15
d
6-22
c
6-16
a
6-23
d
6-17
c
6-24
b
6-18
b
Solutions to Problems
6-25 a. The COSO definition is: “Internal control is designed and carried out by an entity’s
board of directors, management, and other personnel to provide reasonable assurance
about the achievement of the entity’s objectives in the following categories: (1)
reliability, timeliness, and transparency of internal and external, nonfinancial and
misstatements, (2) pinpoint factors that affect the risk of material misstatement, and
(3) design tests of controls and substantive procedures.
c. An auditor should document the understanding of the internal control components
obtained to plan the audit. The auditor should also document the assessed (achieved)
level of control risk.
6-26 The control environment factors that establish, enhance, or mitigate the effectiveness of
specific controls, and their components, are:
Commitment to Integrity and Ethical Values
The effectiveness of an entity’s controls is influenced by the integrity and ethical values
of the individuals who create, administer, and monitor the controls. Integrity and ethical
values are essential elements of the control environment, affecting the design,
Committee)
The board of directors and audit committee significantly influence the control
Chapter 06 – Internal Control in a Financial Statement Audit
6-5
consciousness of the entity. Factors that affect the effectiveness of the board and audit
committee include the following: its independence from management, the experience and
stature of its members, the extent of its involvement with and scrutiny of the entity’s
activities, the appropriateness of its actions, the degree to which difficult questions are
raised and pursued with management, and its interaction with the internal and external
auditors.
Management and Board Establishes Appropriate Organizational Structure
The organizational structure defines how authority and responsibility are delegated and
monitored. Establishing a relevant organizational structure includes considering key areas
of authority and responsibility and appropriate lines of reporting. It provides a framework
for planning, executing, and monitoring operations. An entity develops an organizational
and taking remedial action.
Organization Holds Individuals Accountable
Management and the board of directors are responsible for establishing mechanisms to
communicate and hold individuals accountable for performance of internal control
responsibilities across the organization and for implementing corrective action as
necessary. Management and the board of directors also establish performance measures,
incentives, and rewards appropriate for responsibilities at all levels of the entity, reflecting
6-27 a. The auditor should consider a reliance strategy if evidence is available only in
electronic form. However, after developing an understanding of the new system, the
auditor would need to test the system to determine whether it is working as intended.
Chapter 06 – Internal Control in a Financial Statement Audit
6-6
b. When deciding whether to hire a specialist, the auditor in this case should consider
factors such as the complexity of the new system, whether the implementation of the
system allows the company to engage in electronic commerce and the extent to which
audit evidence is available only in electronic form. The auditor should ask the IT
system identifies and records all valid transactions and provides information sufficient
for preparing accurate and complete financial statements. Control activities are
important because new controls regarding the information system will have to be
designed and implemented. Monitoring of controls is important because the monitors
(including the internal and external auditors) will have to have sufficient knowledge of
the system to be able to effectively monitor the use of the system and its outputs.
6-28 a. The strength of using procedures manuals and organizational charts is that they help
the auditor document understanding of the internal control system.
The strength of a narrative description is that it provides a simple, written
memorandum that documents the understanding of internal control.
using a memorandum and internal control questionnaire. Documentation of the
information system and communication component, as well as control activities, may
be accomplished through the use of an internal control questionnaire and a flowchart.
For a small entity with a simple information system, documentation using a
memorandum may be sufficient.
6-29 a. The internal auditor would have the following concerns with respect to individual
entries:
• The reasonableness of significant entries (e.g., manual entries in traditionally
Chapter 06 – Internal Control in a Financial Statement Audit
6-7
entry (e.g., senior executives or unauthorized personnel),
b. The external auditor could rely on the work of the internal audit’s work, but not to the
exclusion of reperforming some of the internal audit’s work.
6-30 a. Before applying principal substantive procedures to balance sheet accounts at April
30, 2015, the interim date, Cook should assess the difficulty in controlling incremental
audit risk. Cook should consider whether
• Cook’s experience with the reliability of the accounting records and management’s
integrity has been good.
• Rapidly changing business conditions or circumstances may predispose General’s
management to misstate the financial statements in the remaining period.
• The year-end balances of accounts selected for interim testing will be predictable.
audit conclusions from the interim date to year-end. However, if Cook assesses control
risk at the maximum during the final two months, Cook should consider whether the
effectiveness of the substantive tests to cover that period will be impaired.
b. Cook should design the substantive procedures so that the assurance from those tests
and the tests to be applied as of the interim date, and any assurance provided from the
assessed level of control risk, will achieve the audit objectives at year-end. Such tests
should include the comparison of year-end information with comparable interim
6-31 a. The following communication is the report on significant deficiencies for Houghton
Enterprises:
In planning and performing our audit of the financial statements of Houghton
Enterprises as of and for the year ended December 31, 2015, in accordance with
Chapter 06 – Internal Control in a Financial Statement Audit
6-8
for the purpose of expressing our opinion on the financial statements, but not for the
purpose of expressing an opinion on the effectiveness of the Company’s internal
deficiency is a control deficiency, or combination of control deficiencies, in internal
control, which is less severe than a material weakness; yet important enough to merit
attention by those responsible for oversight of the company’s financial reporting. We
consider the following items are significant deficiencies:
1. Control activities for granting credit to new customers were inadequate. In
particular, the Credit Department did not perform an adequate check of the
creditworthiness of the customer with an outside credit agency.
2. There were not adequate physical safeguards over the Company’s inventory.
There were no safeguards to prevent employees from stealing high-value
inventory parts.
This communication is intended solely for the information and use of management,
individuals charged with governance, and others within the organization and is not
intended to be and should not be used by anyone other than these specified parties.
b. If the second item were a material weakness, the following report would be issued:
In planning and performing our audit of the financial statements of Houghton
Enterprises as of and for the year ended December 31, 2015, in accordance with
auditing standards generally accepted in the United States of America, we considered
Houghton Enterprises’ internal control over financial reporting (internal control) as a
Chapter 06 – Internal Control in a Financial Statement Audit
6-9
A deficiency in internal control exists when the design or operation of a control does
not allow employees, in the normal course of performing their assigned functions, to
prevent, or detect and correct, misstatements on a timely basis. A material weakness
company’s financial reporting. We consider the following item to be a significant
deficiency:
Control activities for granting credit to new customers were inadequate. In particular,
the Credit Department did not perform an adequate check of the creditworthiness of
the customer with an outside credit agency.
This communication is intended solely for the information and use of management,
individuals charged with governance, and others within the organization and is not
intended to be and should not be used by anyone other than these specified parties.
Solution to Discussion Case
6-32 1. In their complaint against Koss Corporation, the SEC noted the following internal
control deficiencies:
• Lack of segregation of duties over disbursements and bank reconciliations.
• Old and weak accounting system, leaving little audit trail and enabling post–
closing entries, among other weaknesses.
margins).
• Failure to change passwords on a regular basis, along with other IT security and
control deficiencies.
2. Koss could have implemented a number of internal controls that might have
Chapter 06 – Internal Control in a Financial Statement Audit
6-10
prevented the misappropriation of assets:
• The biggest improvement that Koss could have made was to establish a stronger
control environment, including better oversight of and segregation of duties over
accounting and financial reporting functions. The Company could have assigned
someone outside of the accounting function to provide an independent check and
of its bank accounts
• Someone outside of accounting should periodically review documentation to
support the general journal entries to verify that the corresponding transactions
were being executed in accordance with Koss’s accounting policies and recorded
as necessary to permit preparation of financial statements in conformity with
Generally Accepted Accounting Principles.
• Develop an internal audit function. With a well-qualified internal audit function
many of the deficiencies in internal control could have been corrected.
6-33 1. Many of the same issues found in the Koss fraud existed in the Dixon IL fraud.
• Lack of segregation of duties.
• Little oversight or monitoring by the part-time city administrators.
2. There appears that a number of things went wrong on the audits conducted by Clifton,
Larson, Allen, LLP (CLA). In 2005, CLA resigned from the city “audit” to take on
more additional consulting work. However, it appears that they continued to provide
information to the small firm (Janis Card Company, LLC) who assumed the audit.
Not much information is available publicly about the quality of the audits performed
Chapter 06 – Internal Control in a Financial Statement Audit
6-11
© 2017 by McGraw-Hill Education. This is proprietary material solely for authorized instructor use. Not authorized for sale or distribution in any
manner. This document may not be copied, scanned, duplicated, forwarded, distributed, or posted on a website, in whole or part.
have simply been a two minute phone call to the Illinois Department of
Transportation in Springfield,” Bruce said.