Unlock document.
This document is partially blurred.
Unlock all pages and 1 million more documents.
Get Access
11-1
Chapter 11
Internal Control and COSO Framework
Concept Checks
P. 339
1. Management typically has three broad objectives in designing effective
internal controls.
1. Reliability of Reporting While this objective relates to both
external and internal reporting, we focus here on the reliability of
external financial reporting. Management is responsible for
The objective of effective internal control over financial reporting
is to fulfill these financial reporting responsibilities.
2. Efficiency and Effectiveness of Operations Controls within an
information about the entity’s operations for decision making.
3. Compliance with Laws and Regulations Section 404 of the
Sarbanes–Oxley Act requires all public companies to issue a
404, public, nonpublic, and not-for-profit organizations are
required to follow many laws and regulations. Some relate to
accounting only indirectly, such as environmental protection and
the Sarbanes–Oxley Act.
11-2
Concept Check - p. 339 (continued)
A statement that management is responsible for establishing and
maintaining an adequate internal control structure and procedures
for financial reporting and
the company’s fiscal year.
P. 348
1. The COSO Internal Control – Integrated Framework consists of the
following five components:
Control environment
Risk assessment
identification and analysis of risks relevant to the preparation of financial
statements in accordance with accounting standards. Management
to determine that controls are operating as intended and that they are modified
as appropriate for changes in conditions (monitoring). All five components are
2. The updated COSO Internal Control – Integrated Framework includes
seventeen broad principles that provide more guidance related to the five COSO
to ensure that all of the principles are present and functioning. For example, in
considering whether monitoring controls are designed and operating effectively,
can remediate those deficiencies.
11-3
Concept Check (continued)
P. 355
1. General controls relate to all aspects of the IT function. They have a
global impact on all software applications. Examples of general controls include
processing of individual transactions. Examples of application controls include a
programmed control that verifies that all time cards submitted are for valid
deductions.
2. The typical duties often segregated within an IT function include systems
development, computer operations, and data control. Systems development
involves the acquisition or programming of application software. Systems
development personnel work with test copies of programs and data files to
develop new or improved application software programs. Computer operations
personnel are responsible for executing live production jobs in accordance with
Review Questions
11-1 Management designs systems of internal control to accomplish three
categories of objectives: reporting, operations, and compliance with laws and
regulations. The auditor’s focus in both the audit of financial statements and the
11-2 Management’s assessment of internal control over financial reporting
consists of two key characteristics. First, management must evaluate the
design of internal control over financial reporting. Second, management must
test the operating effectiveness of those controls. When evaluating the design
financial statements.
11-4
11-2 (continued)
qualifications to perform the control effectively.
11-3 There are eight parts of the planning phase of audits: accept client and
perform initial audit planning, understand the client’s business and industry,
perform preliminary analytical procedures, set preliminary judgment of
assessing control risk.
11-4 PCAOB Auditing Standard 5 requires that the auditor issue a report on
the effectiveness of internal control over financial reporting. To express an
opinion on internal controls, the auditor obtains an understanding of and
11-5 When obtaining an understanding of internal control, the auditor must
assess two aspects about those controls. First, the auditor must gather
evidence about the design of internal controls. Second, the auditor must gather
evidence about whether those controls have been implemented.
material misstatements in the financial statements.
11-7 The control environment consists of the actions, policies, and
procedures that reflect the overall attitudes of top management, directors, and
implemented internal control.
11-5
11-8 The five categories of control activities are:
Adequate separation of duties
customers.
Proper authorization of transactions and activities
Example: The granting of credit is authorized before
shipment takes place.
Adequate documents and records
shipping documents and approved customer orders.
Physical control over assets and records
Example: A password is required before an entry can be
made into the computerized accounts receivable master
file.
Independent checks on performance
11-9 Separation of operational responsibility from record keeping is
intended to reduce the likelihood of operational personnel biasing the
results of their performance by incorrectly recording information.
Separation of the custody of assets from accounting for these assets is
for the asset without detection increases.
11-10 An example of a physical control the client can use to protect each of
the following assets or records is:
password-protected.
2. Cash received by retail clerks should be entered into a cash
register to record all cash received.
3. Adequate backup copies of computerized accounts receivable
control of a reliable employee.
6. Manufacturing equipment should be kept in an area protected by
11-6
11-10 (continued)
7. Marketable securities should be stored in a safety deposit vault.
11-11 Independent checks on performance are internal control activities
designed for the continuous internal verification of other controls. Examples of
independent checks include:
Preparation of the monthly bank reconciliation by an individual
Recomputing inventory extensions for a listing of inventory by
The preparation of the sales journal by one person and the
accounts receivable master file by a different person, and a
11-12 The most important internal control deficiency that permitted the defalcation
to occur was the failure to adequately segregate the accounting responsibility of
recording billings in the sales journal from the custodial responsibility of
11-13 Entity level controls, such as the effectiveness of the board of directors’
and audit committee’s oversight, can have a pervasive affect on many different
transaction-level controls. If entity-level controls are deemed to be deficient,
11-14 The proper installation of IT can lead to internal control enhancements
by replacing manually performed controls with computer-performed controls. IT-
based accounting systems have the ability to handle tremendous volumes of
complex business transactions cost effectively. Computer-performed controls
can reduce the potential for human error by replacing manual controls with
programmed controls that apply checks and balances to each transaction
processed. The systematic nature of IT offers greater potential to reduce the risk
11-7
11-15 When entities rely extensively on IT systems to process financial
information, there are risks specific to IT environments that must be
considered. Key risks include the following:
financial statement information.
Systematic versus random errors. Due to the uniformity of processing
performed by IT-based systems, errors in computer software can
result in incorrect processing for all transactions processed. This
increases the risk of many significant misstatements.
access from remote locations.
Loss of data. Centralized storage of data in electronic form
Visibility of audit trail. The use of IT often converts the traditional
and paper-based journals and records.
Reduced human involvement. The replacement of traditional
manual processes with computer-performed processes reduces
obtaining traditional manual approvals.
Reduced segregation of duties. The installation of IT-based
accounting systems centralizes many of the traditionally segregated
11-16 In most traditional accounting systems, the duties related to authorization
of transactions, recordkeeping, and custody of assets are segregated
across three or more individuals. As accounting systems make greater use of
IT, many of the tasks that were traditionally performed manually are now
files in order to misappropriate assets.
11-8
11-17 If general controls are effective, there is an increased likelihood of
systems development process is not properly controlled, there is a greater risk
that unauthorized and untested modifications to accounting applications software
have occurred that may have affected the automated control.
key user groups rather than with a centralized IT function. Also, network-related
software often lacks the security features, including segregation of duties,
typically available in traditionally centralized environments because of the ready
access to software and data by multiple users. In database management
data also increases the need to properly back up data information on a regular
basis.
11-19 An online sales ordering system poses many potential risks for an audit
client. Risks that may exist include:
parties.
2. The client company’s data, programs, and hardware are susceptible
to potential interception or sabotage by external parties.
3. An unauthorized third party may attempt to transact business with
the client company.
based on computer programs that transform a standard message into a coded
(encrypted) form. One key (the public key) is used for encoding the message
and the other key (the private key) is used to decode the message. Encryption
11-9
11-19 (continued)
company.
Multiple Choice Questions From CPA Examinations
11-20 a. (1) b. (1) c. (4)
11-21 a. (3) b. (3) c. (1)
11-22 a. (4) b. (3) c. (2)
Discussion Questions and Problems
11-23
1. d. Information and communication
2. c. Control activities
3. a. Control environment
4. b. Risk assessment
11-24
INTERNAL CONTROL
a.
CONTROL
ACTIVITY
b.
TRANSACTION-
RELATED AUDIT
OBJECTIVE(S)
1.
Sales invoices are matched with shipping
documents by the computer system and
an exception report is generated.
Adequate
documents and
records
Occurrence
2.
Receiving reports are prenumbered and
accounted for on a daily basis.
Adequate
documents and
records
Completeness
Timing
3.
Sales invoices are independently verified
before being sent to customers.
Independent
checks on
performance
Accuracy
4.
Payments by check are received in the
mail by the receptionist, who lists the
checks and restrictively endorses them.
Adequate
separation of
duties
Completeness
5.
Labor hours for payroll are reviewed for
reasonableness by the computer system.
Independent
checks on
performance
Proper
authorization of
transactions
Occurrence
Accuracy
6.
Checks are signed by the company
president, who compares the checks with
the underlying supporting documents.
Adequate
separation of
duties
Independent
checks on
performance
Occurrence
Accuracy
7.
Unmatched shipping documents are
accounted for on a daily basis.
Physical control
over documents
and records
Completeness
Timing
8.
The computer system verifies that all
payroll payments have a valid employee
identification number assigned
by the human resources department at the
time of hiring.
Adequate
separation of
duties
Occurrence
9.
The accounts receivable master file is
reconciled to the general ledger on a
monthly basis.
Independent
checks on
performance
Posting and
summarization
