978-0134065823 Chapter 11 Solution Manual Part 1

11-1

Chapter 11

Internal Control and COSO Framework

 Concept Checks

P. 339

1. Management typically has three broad objectives in designing effective

internal controls.

1. Reliability of Reporting While this objective relates to both

external and internal reporting, we focus here on the reliability of

external financial reporting. Management is responsible for

The objective of effective internal control over financial reporting

is to fulfill these financial reporting responsibilities.

2. Efficiency and Effectiveness of Operations Controls within an

information about the entity’s operations for decision making.

3. Compliance with Laws and Regulations Section 404 of the

Sarbanes–Oxley Act requires all public companies to issue a

404, public, nonpublic, and not–for–profit organizations are

required to follow many laws and regulations. Some relate to

accounting only indirectly, such as environmental protection and

the Sarbanes–Oxley Act.

11-2

Concept Check – p. 339 (continued)

 A statement that management is responsible for establishing and

maintaining an adequate internal control structure and procedures

for financial reporting and

the company’s fiscal year.

P. 348

1. The COSO Internal Control – Integrated Framework consists of the

following five components:

 Control environment

 Risk assessment

identification and analysis of risks relevant to the preparation of financial

statements in accordance with accounting standards. Management

to determine that controls are operating as intended and that they are modified

as appropriate for changes in conditions (monitoring). All five components are

2. The updated COSO Internal Control – Integrated Framework includes

seventeen broad principles that provide more guidance related to the five COSO

to ensure that all of the principles are present and functioning. For example, in

considering whether monitoring controls are designed and operating effectively,

can remediate those deficiencies.

11-3

Concept Check (continued)

P. 355

1. General controls relate to all aspects of the IT function. They have a

global impact on all software applications. Examples of general controls include

processing of individual transactions. Examples of application controls include a

programmed control that verifies that all time cards submitted are for valid

deductions.

2. The typical duties often segregated within an IT function include systems

development, computer operations, and data control. Systems development

involves the acquisition or programming of application software. Systems

development personnel work with test copies of programs and data files to

develop new or improved application software programs. Computer operations

personnel are responsible for executing live production jobs in accordance with

 Review Questions

11–1 Management designs systems of internal control to accomplish three

categories of objectives: reporting, operations, and compliance with laws and

regulations. The auditor’s focus in both the audit of financial statements and the

11–2 Management’s assessment of internal control over financial reporting

consists of two key characteristics. First, management must evaluate the

design of internal control over financial reporting. Second, management must

test the operating effectiveness of those controls. When evaluating the design

financial statements.

11-4

11–2 (continued)

qualifications to perform the control effectively.

11–3 There are eight parts of the planning phase of audits: accept client and

perform initial audit planning, understand the client’s business and industry,

perform preliminary analytical procedures, set preliminary judgment of

assessing control risk.

11–4 PCAOB Auditing Standard 5 requires that the auditor issue a report on

the effectiveness of internal control over financial reporting. To express an

opinion on internal controls, the auditor obtains an understanding of and

11–5 When obtaining an understanding of internal control, the auditor must

assess two aspects about those controls. First, the auditor must gather

evidence about the design of internal controls. Second, the auditor must gather

evidence about whether those controls have been implemented.

material misstatements in the financial statements.

11–7 The control environment consists of the actions, policies, and

procedures that reflect the overall attitudes of top management, directors, and

implemented internal control.

11-5

11–8 The five categories of control activities are:

 Adequate separation of duties

customers.

 Proper authorization of transactions and activities

Example: The granting of credit is authorized before

shipment takes place.

 Adequate documents and records

shipping documents and approved customer orders.

 Physical control over assets and records

Example: A password is required before an entry can be

made into the computerized accounts receivable master

file.

 Independent checks on performance

11–9 Separation of operational responsibility from record keeping is

intended to reduce the likelihood of operational personnel biasing the

results of their performance by incorrectly recording information.

Separation of the custody of assets from accounting for these assets is

for the asset without detection increases.

11–10 An example of a physical control the client can use to protect each of

the following assets or records is:

password–protected.

2. Cash received by retail clerks should be entered into a cash

register to record all cash received.

3. Adequate backup copies of computerized accounts receivable

control of a reliable employee.

6. Manufacturing equipment should be kept in an area protected by

11-6

11–10 (continued)

7. Marketable securities should be stored in a safety deposit vault.

11–11 Independent checks on performance are internal control activities

designed for the continuous internal verification of other controls. Examples of

independent checks include:

 Preparation of the monthly bank reconciliation by an individual

 Recomputing inventory extensions for a listing of inventory by

 The preparation of the sales journal by one person and the

accounts receivable master file by a different person, and a

11–12 The most important internal control deficiency that permitted the defalcation

to occur was the failure to adequately segregate the accounting responsibility of

recording billings in the sales journal from the custodial responsibility of

11–13 Entity level controls, such as the effectiveness of the board of directors’

and audit committee’s oversight, can have a pervasive affect on many different

transaction–level controls. If entity–level controls are deemed to be deficient,

11–14 The proper installation of IT can lead to internal control enhancements

by replacing manually performed controls with computer–performed controls. IT–

based accounting systems have the ability to handle tremendous volumes of

complex business transactions cost effectively. Computer–performed controls

can reduce the potential for human error by replacing manual controls with

programmed controls that apply checks and balances to each transaction

processed. The systematic nature of IT offers greater potential to reduce the risk

11-7

11–15 When entities rely extensively on IT systems to process financial

information, there are risks specific to IT environments that must be

considered. Key risks include the following:

financial statement information.

 Systematic versus random errors. Due to the uniformity of processing

performed by IT–based systems, errors in computer software can

result in incorrect processing for all transactions processed. This

increases the risk of many significant misstatements.

access from remote locations.

 Loss of data. Centralized storage of data in electronic form

 Visibility of audit trail. The use of IT often converts the traditional

and paper–based journals and records.

 Reduced human involvement. The replacement of traditional

manual processes with computer–performed processes reduces

obtaining traditional manual approvals.

 Reduced segregation of duties. The installation of IT–based

accounting systems centralizes many of the traditionally segregated

11–16 In most traditional accounting systems, the duties related to authorization

of transactions, recordkeeping, and custody of assets are segregated

across three or more individuals. As accounting systems make greater use of

IT, many of the tasks that were traditionally performed manually are now

files in order to misappropriate assets.

11-8

11–17 If general controls are effective, there is an increased likelihood of

systems development process is not properly controlled, there is a greater risk

that unauthorized and untested modifications to accounting applications software

have occurred that may have affected the automated control.

key user groups rather than with a centralized IT function. Also, network–related

software often lacks the security features, including segregation of duties,

typically available in traditionally centralized environments because of the ready

access to software and data by multiple users. In database management

data also increases the need to properly back up data information on a regular

basis.

11–19 An online sales ordering system poses many potential risks for an audit

client. Risks that may exist include:

parties.

2. The client company’s data, programs, and hardware are susceptible

to potential interception or sabotage by external parties.

3. An unauthorized third party may attempt to transact business with

the client company.

based on computer programs that transform a standard message into a coded

(encrypted) form. One key (the public key) is used for encoding the message

and the other key (the private key) is used to decode the message. Encryption

11-9

11–19 (continued)

company.

 Multiple Choice Questions From CPA Examinations

11–20 a. (1) b. (1) c. (4)

11–21 a. (3) b. (3) c. (1)

11–22 a. (4) b. (3) c. (2)

 Discussion Questions and Problems

11–23

1. d. Information and communication

2. c. Control activities

3. a. Control environment

4. b. Risk assessment

11–24

INTERNAL CONTROL

a.

CONTROL

ACTIVITY

b.

TRANSACTION–

RELATED AUDIT

OBJECTIVE(S)

1.

Sales invoices are matched with shipping

documents by the computer system and

an exception report is generated.

Adequate

documents and

records

Occurrence

2.

Receiving reports are prenumbered and

accounted for on a daily basis.

Adequate

documents and

records

Completeness

Timing

3.

Sales invoices are independently verified

before being sent to customers.

Independent

checks on

performance

Accuracy

4.

Payments by check are received in the

mail by the receptionist, who lists the

checks and restrictively endorses them.

Adequate

separation of

duties

Completeness

5.

Labor hours for payroll are reviewed for

reasonableness by the computer system.

Independent

checks on

performance

Proper

authorization of

transactions

Occurrence

Accuracy

6.

Checks are signed by the company

president, who compares the checks with

the underlying supporting documents.

Adequate

separation of

duties

Independent

checks on

performance

Occurrence

Accuracy

7.

Unmatched shipping documents are

accounted for on a daily basis.

Physical control

over documents

and records

Completeness

Timing

8.

The computer system verifies that all

payroll payments have a valid employee

identification number assigned

by the human resources department at the

time of hiring.

Adequate

separation of

duties

Occurrence

9.

The accounts receivable master file is

reconciled to the general ledger on a

monthly basis.

Independent

checks on

performance

Posting and

summarization