
08_aren_aud14c_tb.doc

Auditing, 14e (Arens)
Chapter 8 Internal Control and COSO Framework

8.1 Describe the four primary objectives of effective internal control

1) A system of internal control consists of policies and procedures designed to provide management with
A) reasonable assurance that the company achieves its objectives.
B) assurance that fraud will be prevented.
C) reasonable assurance that fraud will be detected.
D) assurance that the firm's resources will be used in the optimal way.
Answer: A
Diff: 1 Type: MC Page Ref: 247
Learning Obj.: 8-1 Describe the four primary objectives of effective internal control

2) Who is responsible to identify and assess the risks and then manage and mitigate those risks by the implementation of a strong system of internal control?
A) management
B) external auditors
C) internal auditors
D) shareholders
Answer: A
Diff: 1 Type: MC Page Ref: 247
Learning Obj.: 8-1 Describe the four primary objectives of effective internal control

3) A) Describe the four broad objectives of management when designing an effective system of internal control.
B) Describe the aspect of internal control that auditors are primarily concerned with for a financial statement audit.
Answer:
A) Management typically has the following four broad objectives when designing an internal control system:
1. Strategic, high-level goals that support the mission of the entity.
2. Reliability of financial reporting.
3. Efficiency and effectiveness of operations.
4. Compliance with laws and regulations.
B) The aspect of internal control that auditors are primarily concerned with during a financial statement audit is prevention or detection of material misstatements in the financial systems.
Diff: 2 Type: ES Page Ref: 247
Learning Obj.: 8-1 Describe the four primary objectives of effective internal control

4) Management's objectives with respect to internal control include
A) having reasonable assurance that the financial statements are in accordance with IFRS or ASPE.
B) ensuring that all policies and procedures are clearly documented to reduce employee training costs.
C) preventing fraud and illegal activities at all costs.
D) providing reasonable assurance that the company can achieve its objectives and goals.
Answer: D
Diff: 3 Type: MC Page Ref: 247
Learning Obj.: 8-1 Describe the four primary objectives of effective internal control

5) The Sarbanes-Oxley Act has had consequences for many areas of corporate activities, including the following impact on the work of the auditor:
A) The auditor is now required to report all fraudulent activities he/she uncovers directly to the Securities and Exchange Commission.
B) The auditor must prepare a report verifying the information in the financial statements.
C) The auditor must monitor how well management is carrying out its financial reporting responsibilities.
D) The auditor is specifically required to assess and report on the effectiveness of internal control over financial reporting.
Answer: D
Diff: 1 Type: MC Page Ref: 247
Learning Obj.: 8-1 Describe the four primary objectives of effective internal control

6) Define a system of internal control. How does risk affect a system of internal control?
Answer: A system of internal control consists of policies and procedures designed and implemented by management to mitigate risk and to provide reasonable assurance that the company can achieve its objectives and goals. These policies and procedures are often called controls, and collectively, they make up the entity's internal control. When thinking about control, one quickly realizes that risk and control are virtually inseparable. Management must first identify and assess the risks, and then manage and mitigate those risks by the implementation of a strong system of internal control.
Diff: 2 Type: ES Page Ref: 247
Learning Obj.: 8-1 Describe the four primary objectives of effective internal control

8.2 Contrast management's responsibilities for maintaining controls with the auditor's responsibilities for evaluating and reporting on internal control

1) Carrie is the manager of the Bay Street Pharmacy. Carrie is considering implementing a security tag system to reduce the losses related to stolen goods at their store. The system Carrie is looking at currently costs $60 000 and is expected to be effective for 5 years. In order to justify the implementation of the security tag system, average theft per year should be at least
A) $1000.
B) $12 000.
C) $60 000.
D) Theft should be prevented at all costs.
Answer: B
Diff: 2 Type: MC Page Ref: 248
Learning Obj.: 8-2 Contrast management's responsibilities for maintaining controls with the auditor's responsibilities for evaluating and reporting on internal control

2) Internal controls can never be regarded as completely effective. Even if systems personnel could design an ideal system, its effectiveness depends on the
A) adequacy of the computer system.
B) proper implementation by management.
C) ability of the internal audit staff to maintain it.
D) competency and dependability of the people using it.
Answer: D
Diff: 2 Type: MC Page Ref: 248
Learning Obj.: 8-2 Contrast management's responsibilities for maintaining controls with the auditor's responsibilities for evaluating and reporting on internal control

3) Which of the following best describes the inherent limitations that should be recognized by an auditor when considering the potential effectiveness of an accounting system?
A) Procedures whose effectiveness depends on segregation of duties can be circumvented by collusion.
B) The competence and integrity of client personnel provides an environment conducive to accounting control and provides assurance that effective control will be achieved.
C) Procedures designed to assure the execution and recording of transactions in accordance with proper authorizations are effective against irregularities perpetrated by management.
D) The benefits expected to be derived from an effective accounting system usually do not exceed the costs of such control.
Answer: A
Diff: 2 Type: MC Page Ref: 249
Learning Obj.: 8-2 Contrast management's responsibilities for maintaining controls with the auditor's responsibilities for evaluating and reporting on internal control

4) An act of two or more employees to work together to misstate records is called
A) malfeasance.
B) collusion.
C) defalcation.
D) felony.
Answer: B
Diff: 1 Type: MC Page Ref: 248
Learning Obj.: 8-2 Contrast management's responsibilities for maintaining controls with the auditor's responsibilities for evaluating and reporting on internal control

5) To comply with auditing standards, the auditor need not be concerned with all areas of internal control that apply to management. The auditor's primary concerns are with the system's ability to
A) maintain reliable control systems pertaining to financial transactions.
B) promote efficiency and encourage adherence to policy.
C) prevent and detect financial statement fraud and error.
D) provide reliable data and safeguard assets.
Answer: A
Diff: 2 Type: MC Page Ref: 249
Learning Obj.: 8-2 Contrast management's responsibilities for maintaining controls with the auditor's responsibilities for evaluating and reporting on internal control

6) The accuracy of the results of the accounting system (account balances) is heavily dependent upon the
A) knowledge and skills of the auditor.
B) adequacy of the entity-level controls.
C) accuracy of the inputs and processing (the transactions).
D) training provided to the personnel.
Answer: C
Diff: 1 Type: MC Page Ref: 249
Learning Obj.: 8-2 Contrast management's responsibilities for maintaining controls with the auditor's responsibilities for evaluating and reporting on internal control

7) Which of the following controls would be of concern to management but not to the auditor?
A) controls over the collection of accounts receivable amounts
B) controls over the entry of payroll wage rates into the computer systems
C) controls over health and safety guidelines compliance by employer
D) controls over the cost of inventory items as recorded in the perpetual inventory system
Answer: C
Diff: 3 Type: MC Page Ref: 249
Learning Obj.: 8-2 Contrast management's responsibilities for maintaining controls with the auditor's responsibilities for evaluating and reporting on internal control

8) Which of the following controls would not be of concern to the auditor?
A) controls over the collection of accounts receivable amounts
B) controls over the entry of payroll wage rates into the computer systems
C) controls over health and safety guidelines compliance by employer
D) controls over the cost of inventory items as recorded in the perpetual inventory system
Answer: C
Diff: 3 Type: MC Page Ref: 249
Learning Obj.: 8-2 Contrast management's responsibilities for maintaining controls with the auditor's responsibilities for evaluating and reporting on internal control

9) Which is one aspect of management's assessment of internal control over financial reporting?
A) Have the external auditors document the internal control over financial reporting.
B) Have the external auditors test the effectiveness of the internal control over financial reporting.
C) Evaluate the design of internal control over financial reporting.
D) Evaluate the design of the payroll system.
Answer: C
Diff: 3 Type: MC Page Ref: 249
Learning Obj.: 8-2 Contrast management's responsibilities for maintaining controls with the auditor's responsibilities for evaluating and reporting on internal control

10) Distinguish between entity level controls and transactional controls. Give an example of each.
Answer: Entity-level controls are controls that are implemented for multiple transaction cycles or for the entire organization. Entity-level controls contribute to the "tone at the top" and establish expectations in the control environment. Entity-level controls are often less tangible but they form the foundation on which other internal controls are built. Entity-level controls such as controls over management override, period-end reporting, hiring competent staff, and fraud-risk controls have an impact on all other control processes. If these entity-level controls are weak or unreliable, the best designed transaction controls will not be effective in preventing key risks such as management override.

Transaction controls are controls that are implemented for specific transaction risks and are designed to specifically prevent or detect and correct misstatements in classes of transactions, account balances, or disclosures and their related assertions. The accuracy of the results of the accounting system (the account balances) is heavily dependent upon the accuracy of the inputs and processing (the transactions). For example, if products sold, units shipped, or unit-selling prices are incorrectly billed to customers for sales, both sales and accounts receivable will be misstated. If controls are adequate to ensure that billings, cash receipts, sales returns and allowances, and charge-offs are correct, the ending balance in accounts receivable is likely to be correct.
Diff: 2 Type: ES Page Ref: 249-250
Learning Obj.: 8-2 Contrast management's responsibilities for maintaining controls with the auditor's responsibilities for evaluating and reporting on internal control

11) A) Describe the three basic concepts (assumptions) underlying the study of internal control and assessment of control risk.
B) Describe the inherent limitations of internal control.
Answer:
A) The three basic concepts that underlie the study of internal control and control risk are:
• It is management's responsibility to establish and maintain internal controls.
• Reasonable but not absolute assurance should be provided because an ideal system cannot be justified on a cost/benefit basis.
• Even the ideal internal control system has inherent limitations because of employee carelessness, lack of understanding, or management override.
B) The effectiveness of internal controls depends on the competency and dependability of the people using it. Inherent limitations of internal control include:
• competence and dependability of the people using it.
• employee carelessness.
• lack of understanding or confusion among employees.
• management override.
• little or no monitoring for ineffectiveness and change.
• collusion.
Diff: 2 Type: ES Page Ref: 248-250
Learning Obj.: 8-2 Contrast management's responsibilities for maintaining controls with the auditor's responsibilities for evaluating and reporting on internal control

12) Joan is the owner of a small manufacturing company. In prior years, your firm has conducted a review engagement of the company. However, this year, Joan obtained a loan from the federal business development bank and is required to have an audit of her financial statements. When you started asking about controls and procedures at the company, Joan got pretty upset. "All you need to be concerned about is the numbers! Why are you asking all of these questions? It takes too much time away from my staff to answer these questions!
Just check the numbers and let us get on with our work!" You calmed her down a bit, and reminded her about the general discussion that occurred with the engagement letter. You have invited her for coffee to briefly explain the following items:
1. Why auditors are concerned about internal controls.
2. Why auditors are required to be concerned about internal controls.
3. What you need to do to understand internal controls.
4. What you will do once you have documented your understanding of internal controls.
Required: Explain what you will say to Joan.
Answer:
1. Auditors are concerned about internal controls because management uses internal controls to help ensure that business operations run in accordance with the goals and objectives of the company. The internal controls are also used to reduce the risk of fraud and illegal acts, and to help prevent and detect errors in the financial statements.
2. Auditors have rules, called generally accepted auditing standards (GAAS), that require them to understand and document internal controls so that they can plan the audit. It helps auditors to know that internal controls are in place to help prevent and detect errors, fraud, and illegal acts.
3. Interviews, walkthroughs, and documentation examination will be used to document internal controls so that they can be evaluated for each major transaction cycle and audit objective (such as completeness and accuracy). This is done for control environment, general controls and procedures, accounting systems, and control procedures.
4. Once the internal controls have been documented, the auditor decides whether it is more efficient to test internal controls or to simply do tests of details ("looking at the numbers"). Overall, enough evidence needs to be gathered to provide a high level of assurance on the financial statements.
Diff: 3 Type: ES Page Ref: 249-250
Learning Obj.: 8-2 Contrast management's responsibilities for maintaining controls with the auditor's responsibilities for evaluating and reporting on internal control

8.3 Explain the five components of the COSO internal control framework and the 17 principles of effective control

1) The essence of an effectively controlled organization lies in the
A) effectiveness of its auditor.
B) effectiveness of its internal auditor.
C) attitude of its employees.
D) attitude of its management.
Answer: D
Diff: 2 Type: MC Page Ref: 251
Learning Obj.: 8-3 Explain the five components of the COSO internal control framework and the 17 principles of effective control

2) The control environment consists of actions, policies, and procedures that
A) reflect the overall attitudes of top management, the directors, and the owners of an entity about control and its importance.
B) govern access to particular applications, such as how employees use passwords to change master file payroll rates.
C) are recorded on the web site (for example, access policies to data).
D) help implement the ethical attitudes at the organization, such as a computer usage policy.
Answer: A
Diff: 3 Type: MC Page Ref: 251
Learning Obj.: 8-3 Explain the five components of the COSO internal control framework and the 17 principles of effective control

3) The board of directors is essential for effective corporate governance because it has ultimate responsibility to
A) make sure management implements proper internal control and financial reporting processes.
B) assist management in the preparation of the financial statements.
C) test internal controls and ensure they are working properly.
D) provide a report to the auditor confirming that internal controls are working properly.
Answer: A
Diff: 3 Type: MC Page Ref: 251-253
Learning Obj.: 8-3 Explain the five components of the COSO internal control framework and the 17 principles of effective control

4) To help with corporate governance and a positive "tone at the top," the board of directors and its committees, such as the audit committee, should
A) rubber-stamp the financial statements once per year.
B) consist of all members of executive management.
C) follow the policies and procedures approved by management.
D) take an active role in overseeing the company.
Answer: D
Diff: 3 Type: MC Page Ref: 252-253
Learning Obj.: 8-3 Explain the five components of the COSO internal control framework and the 17 principles of effective control

5) A well-designed organizational structure at an entity
A) has operations and programming personnel tasks combined.
B) clearly defines authority and responsibility assignments.
C) requires that wage rates are recorded and tracked by the human resources department.
D) has the internal audit department report to the Chief Financial Officer.
Answer: B
Diff: 3 Type: MC Page Ref: 253
Learning Obj.: 8-3 Explain the five components of the COSO internal control framework and the 17 principles of effective control

6) The methods that management uses to enforce accountability over internal controls are called
A) personnel practices.
B) performance measures.
C) control testing.
D) management's operating style.
Answer: B
Diff: 2 Type: MC Page Ref: 253-254
Learning Obj.: 8-3 Explain the five components of the COSO internal control framework and the 17 principles of effective control

7) It is important for the public accountant to consider the competence of the audit clients' employees because their competence bears directly and importantly upon the
A) cost/benefit relationship of internal controls.
B) achievement of the objectives through effective internal controls.
C) comparison of recorded accountability with assets.
D) timing of the tests to be performed.
Answer: B
Diff: 2 Type: MC Page Ref: 251-253
Learning Obj.: 8-3 Explain the five components of the COSO internal control framework and the 17 principles of effective control

8) Which of the following is an example of a general authorization?
A) The highest credit limit allowed for accounts receivable is $50 000.
B) ABC Company has a credit limit of $25 000.
C) Each supervisory wage rate must be approved by the executive manager.
D) Grocery supervisors approve each transaction reversal over five dollars.
Answer: A
Diff: 3 Type: MC Page Ref: 258
Learning Obj.: 8-3 Explain the five components of the COSO internal control framework and the 17 principles of effective control

9) Management safeguards assets by
A) having the internal auditors conduct periodic counts of physical assets.
B) controlling access and by comparing physical items to records.
C) requiring the external auditors to do surprise audits.
D) having management sign a management representation letter.
Answer: B
Diff: 3 Type: MC Page Ref: 259
Learning Obj.: 8-3 Explain the five components of the COSO internal control framework and the 17 principles of effective control

10) The operational responsibility and the recording of transactions are normally kept separate
A) to centralize activities in order to be more cost efficient.
B) to ensure unbiased information is recorded.
C) because operational personnel rarely have the necessary accounting skills to record transactions.
D) to avoid confusion of responsibilities and duplication of efforts.
Answer: B
Diff: 3 Type: MC Page Ref: 259
Learning Obj.: 8-3 Explain the five components of the COSO internal control framework and the 17 principles of effective control

11) Why is it important to separate systems development (or acquisition) and program maintenance activities from accounting?
A) Accounting personnel have the expertise to evaluate program changes that have been implemented.
B) Custody of media is important to help ensure ongoing operations.
C) This allows accounting to reconcile transaction totals to transaction details.
D) Lack of separation could result in unauthorized changes to programs and systems.
Answer: D
Diff: 3 Type: MC Page Ref: 259-260
Learning Obj.: 8-3 Explain the five components of the COSO internal control framework and the 17 principles of effective control

12) An important type of protective measure for safeguarding assets and records is
A) adequate segregation of duties among personnel.
B) proper authorization of transactions.
C) the use of physical precautions.
D) adequate documentation.
Answer: C
Diff: 2 Type: MC Page Ref: 259
Learning Obj.: 8-3 Explain the five components of the COSO internal control framework and the 17 principles of effective control

13) An essential characteristic of the persons performing internal check procedures is
A) independence from the original data preparer.
B) a thorough knowledge of accounting.
C) an analytical and inquisitive mind.
D) competence in data entry skills.
Answer: A
Diff: 2 Type: MC Page Ref: 258
Learning Obj.: 8-3 Explain the five components of the COSO internal control framework and the 17 principles of effective control

14) An example of general computer control systems that provide reasonable assurance of authorization of application systems is
A) operations and information systems support.
B) systems, acquisition, development, and maintenance controls.
C) organization and management controls.
D) application system control procedures.
Answer: B
Diff: 3 Type: MC Page Ref: 265
Learning Obj.: 8-3 Explain the five components of the COSO internal control framework and the 17 principles of effective control

15) FiddleWare Limited uses a purchased software package to handle the processing of its transactions. An important control that management should implement with respect to information systems is the
A) use of a formal systems development methodology.
B) evaluation of potential new systems against organizational objectives.
C) use of appropriate checkpoints and milestones during development.
D) tracking of routine program maintenance changes.
Answer: B
Diff: 3 Type: MC Page Ref: 255-256
Learning Obj.: 8-3 Explain the five components of the COSO internal control framework and the 17 principles of effective control

16) Bravo Design had IMB consulting provide them with a service center to record the job costs and sales in progress. What process did Bravo Design follow?
A) in-house development
B) systems acquisition
C) outsourcing
D) turnkey software development
Answer: C
Diff: 3 Type: MC Page Ref: 215
Learning Obj.: 8-3 Explain the five components of the COSO internal control framework and the 17 principles of effective control

17) The chart of accounts is an important control because it provides the framework for determining the information presented to management and other financial statement users. What type of error is the chart of accounts helpful in preventing?
A) errors of occurrence
B) errors of completeness
C) errors of accuracy
D) errors of classification
Answer: D
Diff: 2 Type: MC Page Ref: 258-259
Learning Obj.: 8-3 Explain the five components of the COSO internal control framework and the 17 principles of effective control

18) Management assesses risks as a part of designing and operating internal controls to minimize fraud and errors. Auditors assess risks to
A) decide the evidence needed in the audit.
B) fully implement the audit risk model.
C) enable them to assess the completeness of internal controls.
D) make sure that the company will continue to operate over the next year.
Answer: A
Diff: 3 Type: MC Page Ref: 254
Learning Obj.: 8-3 Explain the five components of the COSO internal control framework and the 17 principles of effective control

19) The first step for management in the risk assessment process is to identify factors that may increase risk, for example failure to meet prior objectives. Then, management will
A) assess the likelihood of the risk occurring.
B) make sure that procedures are developed to eliminate the risk.
C) estimate the significance of that risk.
D) develop specific actions to reduce the risk to an acceptable level.
Answer: C
Diff: 3 Type: MC Page Ref: 254
Learning Obj.: 8-3 Explain the five components of the COSO internal control framework and the 17 principles of effective control

20) Which of the following duties would indicate a weakness in internal controls?
A) The accounting function is under the controller.
B) The custodianship of cash is the responsibility of the treasurer's function.
C) The internal auditor reports to the board of directors.
D) The custodianship of buildings and equipment is the responsibility of the controller's function.
Answer: D
Diff: 3 Type: MC Page Ref: 259
Learning Obj.: 8-3 Explain the five components of the COSO internal control framework and the 17 principles of effective control

21) Which one of the following is an example of a specific authorization?
A) The computer systems automatically reorder inventory when quantities fall below the economic order quantity.
B) The highest credit limit allowed for accounts receivable customers is $100 000.
C) Each sales transaction that exceeds the credit limit of a customer must be approved by the controller.
D) Grocery sales clerks may approve returns of goods less than ten dollars in value.
Answer: C
Diff: 3 Type: MC Page Ref: 258
Learning Obj.: 8-3 Explain the five components of the COSO internal control framework and the 17 principles of effective control

22) External auditor Maryann Smith may not rely on the work of internal auditor Raymond Jones unless
A) Jones is certified (CA, CGA, or CMA).
B) Jones is independent of the client.
C) Jones is supervised by Smith.
D) Smith obtains evidence that supports the competence, integrity, and objectivity of Jones.
Answer: D
Diff: 2 Type: MC Page Ref: 270
Learning Obj.: 8-3 Explain the five components of the COSO internal control framework and the 17 principles of effective control

23) For large companies, what is essential for effective monitoring of internal controls?
A) competent external auditors
B) competent fraud department
C) competent accounting department
D) competent internal audit department
Answer: D
Diff: 2 Type: MC Page Ref: 270
Learning Obj.: 8-3 Explain the five components of the COSO internal control framework and the 17 principles of effective control

24) An employee who communicates improprieties is called a
A) spy.
B) tipster.
C) informer.
D) whistleblower.
Answer: D
Diff: 2 Type: MC Page Ref: 270
Learning Obj.: 8-3 Explain the five components of the COSO internal control framework and the 17 principles of effective control

25) A firewall allows the organization to
A) monitor network hot spots for signs of intruders.
B) prevent known spyware and malware from entering the system.
C) support identity management initiatives.
D) prevent unauthorized communication both into and out of the network.
Answer: D
Diff: 2 Type: MC Page Ref: 267
Learning Obj.: 8-3 Explain the five components of the COSO internal control framework and the 17 principles of effective control

26) Public key encryption uses
A) four keys.
B) three keys.
C) one key.
D) two keys.
Answer: D
Diff: 2 Type: MC Page Ref: 270
Learning Obj.: 8-3 Explain the five components of the COSO internal control framework and the 17 principles of effective control

27) You, a PA, have been assigned as the in-charge auditor of a long-time audit client of your firm, Mikla Tool Inc. (MTI). MTI is owned by George Mikla, an experienced machinist. George established the business over 20 years ago, and it has grown into a $10-million-a-year business with an excellent reputation for high quality machined parts. MTI has regular clients in the automobile parts sector and in the healthcare sector.
The company has recently begun producing parts for environmentally friendly products such as recycling containers. The business is versatile in dealing with a variety of metals as well as plastics, using both manually controlled and machine controlled (computerized) equipment. The following description is based on your review of prior files, and planning discussions with personnel at MTI.

Equipment suppliers have helped MTI develop efficient operations by providing sample programs for standard operations and by providing training to employees. One of the suppliers unfortunately sent sample programs that had been infected by a virus. George's daughter, Tiffany, had to cleanse the servers and each of the machines of the malicious software. When contacted, the supplier did not know that the software was infected and apologized profusely.

The company's four CAD/CAM terminals and printers are connected to the company's central local area network. The local area network is maintained by Toni Lee, the owner of a computer shop conveniently located three blocks away. All computer equipment, software, and supplies are now purchased from Mr. Lee, who is responsible for installing and maintaining equipment, upgrading software, and maintaining user profiles on the network.

To reduce the amount of Mr. Lee's work as network administrator, he has set up passwords by function. There is one user identification code (userid) and password for accounting (shared by Tiffany, George, and the accounting clerk, Isabel). The plant supervisors share another userid that is used for production control and to initiate the time-keeping system every morning. A separate userid and password allowing for only enquiry into the job costing system has also been set up and can be used by all employees.

A standard routine has been set up to back up the accounting systems.
Either Tiffany or the accounting clerk inserts one of seven tape cartridges into the system at the end of the day (they are labelled with the day of the week), so that the company has a full set of accounting backups for the week. Tiffany keeps the backup files in her office. These are particularly important, since during the last office move, two years ago, the original software for the accounting system was misplaced.

The network has two central servers, eleven user stations, and five printers. The user stations are set up as follows: four CAD/CAM, two time-keeping, two production planning and control, two accounting, and one for George.

A good working relationship is extremely important for satisfying some of the company's larger customers. MTI has paid for computer equipment for each of the supervisors so that they have fully functioning computers at home. If a rush job requires weekend work, these senior personnel can work at home to get the necessary quoting or design work completed. Since the at-home systems are identical to the office systems, Mr. Lee simply copied the MTI systems to the home computers. Files can be easily taken home and then brought back to the office using thumb drives. It is understood that when times are slower, a day off can be taken to compensate for this weekend work.

It has been almost 10 years since Tiffany arranged for the implementation of the network and the purchase of the standard integrated accounting packages (general ledger, order entry/accounts receivable, purchases/payable and payroll), and for the purchase of the job-costing and time-keeping systems. A variety of reports are printed daily, weekly, or monthly from the job-costing system. These reports are used for monitoring employee hours, the status of the jobs, the costs accumulated for particular jobs, and the work-in-progress inventory.
The weekly report of hours from the job-costing system is approved by the production supervisors and is used as an input source for hours worked into the payroll system. The accounting clerk enters the hours into the accounting system so that weekly payroll cheques and reports can be produced. The accounting clerk handles most data entry. Tiffany is really pleased with their accounting clerk, Isabel, who has been with the company for three years. She insists that fate had a hand in getting Isabel working for MTI. Isabel had been "pounding the pavement," having recently immigrated, and had no Canadian business experience. Her accounting skills were rudimentary but she quickly learned the accounting software and has reorganized the filing systems. Tiffany considers her indispensable. When Isabel goes on holiday, many things just don't get done! Tiffany can do the payroll in a pinch, but accounts payable and cash disbursements are always done by Isabel. If she's away, suppliers are simply told to wait, or Tiffany issues a manual cheque for recording later. Isabel is very good at clearing queries from suppliers and ensuring that new suppliers are set up properly. The purchasing supervisor and his staff rely on Isabel, as she checks the account allocation of purchases and makes any necessary corrections. Tiffany or George are signing officers, although Tiffany realizes that she checks supporting materials more thoroughly than George, who usually just queries Isabel verbally about larger purchases. In the past, MTI's audit has been entirely substantive. However, your partner has decided that with MTI's growth, it is time for the company to consider adding additional internal controls. Accordingly, he has asked you to draft a management letter to be addressed to George and Tiffany. Required: A) Prepare a draft management letter, clearly identifying the weaknesses (W), impact or implications of the weaknesses (I), and recommendations for improvement (R). 
[The following is a theory question that does not require examples from the case, although examples could be used.] B) Explain how the control environment and general IT (information technology) controls are related. Describe the impact of the control environment and of general IT controls on different types of application controls and on the audit process. Answer: A) Note that W = weakness, I = implication, R = recommendation 1. Virus Detection/Prevention W -although MTI appears to have software that can detect/eliminate viruses, it seems that the software is not sufficient to prevent infection of the entire system. I -damaging viruses could erase or damage data or programs that could infect machines without virus protection, and thus could infect the rest of the network. -viruses that seek to gather data (such as banking passwords) could be accessed by hackers R -current anti-virus software should be loaded onto every machine (including the home machines) with daily updates. -programs should be automatically scanned before being downloaded. 2. Network Maintenance/Support W -the network is maintained and configured by an outside vendor (a single person, Mr. Lee), whose work does not appear to be checked or managed by company personnel. I -in the event of Mr. Lee's unavailability, it may be difficult to maintain or support the network. -Mr. Lee may not be doing maintenance that is in alignment with the company's business objectives or that provides the most effective control systems. R -Mr. Lee should be requested to properly document the nature of his work and MTI should hold a copy of this documentation. -Tiffany (and possibly George) should periodically reassess what Mr. Lee is doing for the company and whether changes should be made. 3. and 4. Passwords/Access Controls W -common passwords are used by multiple individuals based on function. I -unauthorized actions or errors could be entered into the network and could not be traced to specific individuals. 
-it is easier to "overhear" or "uncover" common passwords, so the password could be used by unauthorized individuals. R -unique user identification codes and passwords should be established for every user of the system. -user identification codes and passwords should be tailored to the specific functions required by individual users to complete their work. -new users should be approved in writing (with the appropriate functional allocation) and the set up of the users verified by someone other than Mr. Lee. -privacy violations could occur (unauthorized access to private data). W -passwords are maintained by an external party (Mr. Lee) and may not be changed or removed on a timely basis. I -in the event that an employee leaves or is terminated, his/her access codes may still be valid, allowing that employee continued access to the system. R -someone at MTI should be trained in the process of removing passwords so that if an employee leaves, MTI personnel can remove that person's access codes (this should likely be done by Tiffany). 5. and 6. Backup/Disaster Recovery W -all copies of the backups are kept at MTI premises. I -in the event of physical problems (such as fire or theft) all backup could be damaged or removed, making it difficult or impossible for the company to resume operations. R -an additional copy of the backups should be taken periodically (as a minimum, weekly) and taken offsite, or the regular daily tapes should be cycled so that at least two are kept offsite. W -it appears that only the accounting systems are backed up. -original licensed software for the accounting systems cannot be found. I -as indicated above, in the event of physical problems (or even a hard disk crash), the company may be unable to resume operations of its non-accounting systems. R -all systems, not just accounting systems should be backed up on a daily basis, and at least two copies kept offsite in a secure location. 
-the company should contact the accounting software supplier and determine whether replacement software CDs can be obtained at reasonable cost. 7. Copyright Violation W -Mr. Lee copied MTI's software onto several home computers for employee use. I -this copying may have violated software licence agreements, exposing the company to potential copyright violation charges. R -additional software licenses should be acquired, where necessary, for home machines. 8. and 9. Potential Payroll Errors W -payroll hours are recorded twice: once into the time-keeping/job-cost system, and again by means of data entry into the payroll software package. I -data entry errors could arise due to the information being entered twice. -excess labour costs are incurred (i.e. the work to enter the hours). R -the job-costing system should be examined to determine whether data files can be created in a form that can be automatically read into the payroll system to reduce data entry costs. -hours entered into the payroll system should be reconciled to hours worked according to the job-costing system to help eliminate potential data entry errors. W -no independent verification/reconciliation of payroll hours entered to hours worked. I -the payroll clerk could enter inaccurate payroll data (accidentally or deliberately). R -after hours are entered into the payroll system, they should be independently checked (likely by Tiffany) against the approved list signed by the supervisors. 10. Segregation of Duties W -the accounting clerk handles data entry, supplier master file set up, account allocations for purchasing, and cheque preparation. I -unauthorized or inaccurate transactions could be recorded in the accounts payable system. R -the master file should be handled by Tiffany, OR -periodic printouts of the master files should be independently printed and reviewed. 11. Accounts Payable Payments W -supporting documents for payments are not always carefully reviewed when cheques are signed. 
I -unauthorized suppliers could be set up or money stolen by the accounting clerk. R -supporting documents should be carefully reviewed (including account allocations) by someone independent of the preparer (Tiffany should likely do this). 12. IT Governance (could also be discussed as an IT dependency issue) W -IT governance controls over IT hardware and software acquisitions are weak given all computer equipment, software, and supplies are purchased by Mr. Lee, who may not follow SDLC controls such as vetting user requirements or finding the most cost-beneficial solution. I -IT hardware or software procured may be suboptimal in terms of cost or meeting user requirements. R -any IT hardware or software purchases should be governed by SDLC controls including gaining an understanding of user requirements, costing comparisons, user acceptance testing, and training of employees. 13. Control Environment W -Isabel has very basic accounting skills and may not be competent in ensuring that transactions are properly accounted for and there is little oversight of her work. I -increased risk of material misstatement if Isabel's lack of accounting knowledge causes her to book entries incorrectly. R -ensure all of Isabel's work is reviewed in depth by Tiffany or have it periodically reviewed by someone with an accounting designation. -have Isabel take accounting courses. B) General IT controls (ITGC - IT general controls) are a subset of the control environment, so ITGC enable an effective control environment over the organization's use of IT. Strong controls: -the control environment affects ITGC controls, so a strong control environment enables strong ITGC. -a strong control environment and strong ITGC (specifically good SDLC controls or good acquisition and maintenance controls) means that the auditor will likely be able to rely upon automated (programmed) application controls. 
-this would also enable reliance upon the automated portion of interdependent application controls. -if the auditor plans reliance upon automated application controls (programs), then they should be tested. -being able to rely upon specific programs (automated application controls) would allow the auditor to reduce control risk (CR) for the assertions that those programs are associated with (e.g. accuracy of a calculation). -a strong control environment and strong ITGC over access controls means that the auditor will be able to rely upon IT to enforce segregation of duties. Weak controls: -if the control environment is weak, this would mean that the ITGCs are also weak. -if ITGCs are weak, then likely all application controls would also be weak and generally cannot be relied upon for the auditor's work (the exception would be automated controls in a software package, where the client is unable to change programs). -if ITGCs are weak, then potentially SDLC controls cannot be relied upon and therefore changes to applications may not have been fully tested and could increase the risk of material misstatement due to potential programming errors. -if ITGCs over SDLC are poor, then application controls may not be reliable and the auditor will need to look for compensating manual controls to test or perform substantive testing. -if the control environment and ITGCs are weak, then all application controls cannot be relied upon, and control risk will be assessed as high. -if all application controls cannot be relied upon, then a more substantive approach and detailed tests of balances or testing are required in order to gain assurance. -if the control environment and manual entity level controls are sound, then even if automated application controls cannot be relied upon, the auditor may still be able to rely upon manual application controls that are not directly related to the company's information system. 
-the cost of the audit will probably increase as testing of manual controls and substantive testing will take more time than if the auditor could rely on application controls. -qualification or scope limitation could arise if controls cannot be tested and alternative audit procedures are not available. Diff: 3 Type: ES Page Ref: 247-271 Learning Obj.: 8-3 Explain the five components of the COSO internal control framework and the 17 principles of effective control 28) A) Discuss what is meant by the term "control environment" and identify four control environment subcomponents that the auditor should consider. B) List the steps that management follows in assessing risks relevant to the preparation of financial statements in conformity with an applicable financial reporting framework. C) How does the auditor obtain knowledge about management's risk assessment process? D) Explain how management's risk assessment process differs from the auditor's risk assessment process. E) What is the relationship between management's risk assessment process and audit evidence? Answer: A) The control environment consists of the actions, policies, and procedures that reflect the overall attitudes of top management, directors, and owners of an entity about control and its importance to the entity. Subcomponents include: 1. demonstrate commitment to integrity and ethical values. 2. board of directors exercises oversight responsibility. 3. management establishes structure, authority, and responsibility. 4. commitment to competence. 5. organization establishes and enforces accountability. 6. organization specifies relevant objectives. 7. identifies and assesses risks. 8. considers the potential for fraud in assessing risk. 9. identifies and assesses significant changes. 10. selects and develops control activities. 11. selects and develops general controls over technology. 12. deploys policies and procedures. 13. obtains or generates relevant, quality information. 14. 
communicates internally. 15. communicates externally. B) Management's steps include: • identify factors that may increase risk. • estimate the significance of risks. • assess the likelihood that risks would occur. • develop specific actions that need to be taken to reduce the risk to an acceptable level. C) The auditor: • determines how management identifies risk relevant to financial reporting. • evaluates the significance of these risks. • evaluates the likelihood of the risks occurring. • decides what evidence is required pertaining to the risks. Questionnaires and discussions with management are the most common ways to obtain this understanding. D) Management's risk assessment process is focused on the identification and analysis of risks relevant to the preparation of financial statements in conformity with an applicable financial reporting framework. Management assesses risks as a part of designing and operating internal controls to minimize errors and fraud. Auditors assess risks to decide the evidence needed in the audit. E) There is an inverse relationship: If management effectively assesses and responds to risks, the auditor will typically accumulate less evidence than when management fails to identify or respond to significant risks. Diff: 2 Type: ES Page Ref: 251-256 Learning Obj.: 8-3 Explain the five components of the COSO internal control framework and the 17 principles of effective control 29) A) The COSO internal control framework consists of five components. Describe each of these components. B) Custody of assets and reconciliation should be separated to contribute to strong internal control. List the general categories of activities that should be separated. Answer: A) The five components of internal control are: 1. The control environment: The control environment consists of the actions, policies, and procedures that reflect the overall attitudes of top management about control and its importance to the company. 2. 
Risk assessment: Management's identification and analysis of risks relevant to the preparation of financial statements in conformity with an applicable financial reporting framework. 3. Control activities: Policies and procedures that management has established to meet its objectives for financial reporting. 4. Information and communication: Includes the process to initiate, record, process, and report the entity's transactions and to maintain accountability for the related assets. 5. Monitoring: Management's ongoing and periodic assessment of the quality of internal control performance to determine that controls are operating as intended and modified when needed. B) The six general categories of activities that should be separated are: • custody of assets. • recording or data entry of transactions. • systems development/acquisition and maintenance. • computer operations. • reconciliation. • authorization of transactions and activities. Diff: 2 Type: ES Page Ref: 250-260 Learning Obj.: 8-3 Explain the five components of the COSO internal control framework and the 17 principles of effective control 30) Dimple Leather is a chain of retail stores that sells leather clothing and accessories across Canada. Each store has point-of-sale equipment that is linked to a local server. At night, local accounting information is transmitted to the head office computer and any updates to prices or other adjustments are transferred to the local office. Required: Define the control environment. List the components of the control environment. For each component, provide an example of a control that might exist at Dimple Leather. Answer: Definition: The control environment consists of the actions, policies, and procedures that reflect the overall attitudes of top management, the directors, and the owners of an entity about control and its importance to the entity. Components of the control environment with an example: (Note that many examples are possible; answers may vary.) 1. 
Demonstrate Commitment to Integrity and Ethical Values: Employees are required to sign and abide by a corporate code of ethics. 2. Board of Directors Exercises Oversight Responsibility: An effective board of directors has the appropriate background and expertise, the outside directors are independent of management, and its members are involved and scrutinize management's activities. 3. Management Establishes Structure, Authority, and Responsibility: A well-controlled entity would have an organizational structure appropriate for its size and operating activities and that clearly defines the lines of responsibilities and authority. 4. Commitment to Competence: The most important aspect of any system of controls is personnel. If employees are competent and trustworthy, other controls can be absent and reliable financial statements will still result. 5. Organization Establishes and Enforces Accountability: A well-controlled organization should have a structure and tone at the top that establishes and enforces individual accountability for internal control. 6. Organization Specifies Relevant Objectives: In order to ensure that the organization meets its objective of reliable external financial reporting, management should consider whether its reporting objectives are consistent with the relevant financial reporting framework and are appropriate in the circumstances. 7. Identifies and Assesses Risks: The organization should consider both external and internal risks to the achievement of financial reporting objectives. 8. Considers the Potential for Fraud in Assessing Risk: As part of the risk assessment process, the organization considers risks related to financial reporting, management override, misappropriation of assets, and corruption. 9. Identifies and Assesses Significant Changes: Change creates risk. 
Therefore, management should implement processes that enable it to identify and evaluate changes in the external and internal environment that could significantly impact the system of internal control. 10. Selects and Develops Control Activities: Since an organization develops control activities that are specifically designed to mitigate the risks for that particular organization, control activities will vary among organizations. 11. Selects and Develops General Controls over Technology: Practically all organizations rely upon some sort of information technology to enable reliable financial reporting. 12. Deploys Policies and Procedures: The policies and procedures for the control activities should be spelled out in systems documentation (in a manual or on the company intranet) to encourage consistent application. 13. Obtains or Generates Relevant, Quality Information: An organization must have established information requirements to support effective operations of controls within the five components of internal controls. 14. Communicates Internally: Communication within the organization includes both formal and informal communication, such as policy manuals, newsletters, job descriptions, and training sessions. 15. Communicates Externally: The organization should have in place processes to communicate relevant and timely information to external parties including shareholders, members, partners, owners, regulators, customers, financial analysts, and any other relevant stakeholders. 16. Selects, Develops, and Performs Ongoing and Separate Evaluations: Monitoring should include evaluation built into business/financial reporting and performed on a real-time basis (ongoing) as well as separate periodic evaluations. 17. Evaluates and Communicates Deficiencies: Internal control deficiencies need to be reported in a timely manner to those responsible for taking corrective action, senior management, and the board of directors (or the audit committee). 
Diff: 3 Type: ES Page Ref: 250-270 Learning Obj.: 8-3 Explain the five components of the COSO internal control framework and the 17 principles of effective control 31) HomeTown Tanning Company is the largest leather tanning operation in Canada. Hides from various animals are stretched and treated, then cut into shapes for shipment to wholesalers. Computer-assisted operations are important in maintaining temperature, humidity, and proper mix proportions in chemical solutions used for the tanning process. Computer assistance has helped improve the quality of the tanning process, as well as provide a safer environment for employees. Computer operations and backup are supported by the warehouse manager, Joe. Individual hides are tagged with a bar code and tracked for quality control purposes. The HomeTown Tanning Company uses a centralized microcomputer-based system for its manufacturing and accounting operations. The two owners of the company are active in the business and approve all new hardware and software acquisitions. The controller is responsible for network upgrades as well as for maintaining passwords and user identification codes on the network. Accounting transactions are entered by accounting staff, although the controller has the ability to review and correct transactions. Required: List the six categories of functions that need to be separated from each other. Does HomeTown Tanning have these functions separated? For any functions that are not separated, indicate the potential impact upon controls and upon the audit. Answer: 1. Separation of custody of assets from accounting: Yes. Warehousing and manufacturing operations are separate from the accounting department. 2. Separation of operational responsibility from recording or data entry of transactions: Yes. Same as #1. 3. Separation of systems development or acquisition and maintenance from accounting: Yes. The owners approve new systems. The owners are not in the accounting department. 4. 
Separation of IT Duties from User Departments: Yes for backup and recovery. The warehouse manager is responsible for computer operations (backup), which is separate from accounting. No for password control and security. The controller is responsible for maintaining security passwords, and is also involved in accounting. The impact of this upon the audit is that the controller could record erroneous transactions and hide this fact since he/she has access to the whole system. The auditor will need to look for compensating controls (such as increased owner involvement). 5. Separation of reconciliation from data entry: No. It is not stated who is responsible for reconciliation. However, all individuals in the accounting department, including the controller, have data-entry capability. This means that one or more of these individuals could enter incorrect or incomplete information and hide the fact. The auditor will need to look for compensating controls (such as increased owner involvement), or may need to increase the amount of tests of details. 6. Separation of authorization from control over assets: Yes. Controller and owners are responsible for authorization, while the warehouse manager has custody of assets. Diff: 3 Type: ES Page Ref: 259-260 Learning Obj.: 8-3 Explain the five components of the COSO internal control framework and the 17 principles of effective control 32) A) List the four types of general computer control systems. B) Adequate segregation of duties is an important control procedure. Describe the specific functions that should be separated for segregation of duties to prevent both intentional and unintentional misstatements that are of significance to auditors. C) Adequate documents and records are important for effective internal control. Five principles dictate the proper design and use of documents and records. 
One principle is that documents and records should be prenumbered consecutively to facilitate control over missing documents and to aid in locating documents when they are needed at a later date. Discuss each of the other four principles of adequate documents and records. Answer: A) The four types of general computer control systems are: 1. Information technology system controls. 2. Organization and management controls. 3. Security management and access controls. 4. Program development and change controls. B) The general guidelines are: • Custody of assets should be separated from accounting. • Operational responsibility should be separated from recording or data entry of transactions. • Separation of systems development or acquisition and maintenance from accounting. • Separation of computer operations from programming and accounting. • Separation of reconciliation from data entry. • Proper authorization of transactions and activities from control over assets. C) Documents and records should be: • prepared at the time a transaction takes place or as soon thereafter as possible. • pre-numbered or automatically numbered. • sufficiently simple to ensure that they are clearly understood. • designed for multiple use whenever possible to minimize the number of different forms. • constructed in a manner that encourages correct preparation, such as providing a degree of internal check within the form or record. Diff: 2 Type: ES Page Ref: 258-268 Learning Obj.: 8-3 Explain the five components of the COSO internal control framework and the 17 principles of effective control 8.4 Understand the important risks and controls in small businesses 1) A major control available in a small company, which might not be feasible in a large company, is A) a wider segregation of duties. B) use of sequentially numbered documents. C) fewer transactions to process. D) the owner-manager's personal interest in and close relationship with personnel. 
Answer: D Diff: 1 Type: MC Page Ref: 271 Learning Obj.: 8-4 Understand the important risks and controls in small businesses 2) Effective internal control in a small company that has an insufficient number of employees to permit proper division of responsibilities can best be enhanced by A) employment of temporary personnel to aid in the segregation of duties. B) direct participation by the owner of the business in the record-keeping activities of the business. C) engaging a public accountant to perform monthly "write-up" work. D) delegation of full, clear-cut responsibility to each employee for the functions assigned to each. Answer: B Diff: 2 Type: MC Page Ref: 271 Learning Obj.: 8-4 Understand the important risks and controls in small businesses 3) As a first time auditor of a small company, what will be your strategy to obtain an understanding of internal controls of the company? A) as the company is small, defer the procedure to understand internal controls until next year B) conduct the procedure of understanding internal controls in the current year C) rely on the verbal assurance from management that internal control exists D) get the company employees to test the internal controls for you Answer: B Diff: 2 Type: MC Page Ref: 271 Learning Obj.: 8-4 Understand the important risks and controls in small businesses © 2019 Pearson Canada Inc.