Ac410 whittington 18 ed_ch18

Confi rming Pages

Chapter

18 Integrated Audits of Public Companies

Learning objectives

After studying this chapter, you should be able to:

LO1 Describe the nature of an integrated audit.

LO2 Discuss management’s responsibility for reporting on internal control as required by the Sarbanes-Oxley Act of 2002.

LO3 Describe the audi-tors’ responsibility for reporting on inter-nal control through integrated audits as required by the Public Company Accounting Oversight Board.

LO4 Present the auditors’ approach to analyzing internal control when performing an inte-grated audit.

LO5 Explain how fi ndings relating to the audits of internal control and the fi nancial state-ments may affect one another.

LO6 Discuss circumstances that require auditors to modify their report on internal control.

In this chapter, we provide information on integrated audits based on the provisions of Public Company Accounting Oversight Board (PCAOB) Standard No. 5, “An Audit of Internal Control Over Financial Reporting

That Is Integrated with an Audit of Financial Statements.” Throughout this chapter, our emphasis is on presenting (1) details on audits of internal control over fi nancial reporting and (2) information on how fi nancial statement audits are modifi ed when the auditors perform an integrated audit. Although we have referred to integrated audits earlier in the text, in this chapter we emphasize in detail the nature of a pub-lic company audit. While an integrated audit involves an enhanced consideration of internal control, the fi nancial statement audit’s various planning, evidence gathering, and reporting procedures remain largely unchanged. Accordingly, the focus of this chapter is on audits of internal control over fi nancial reporting (hereafter, internal control).

Overview

The Sarbanes-Oxley Act of 2002 requires that, in addition to reporting upon fi nancial statements, auditors of public companies should also report upon internal control over fi nancial reporting (hereafter, internal control). Consistently, PCAOB Standard No. 5 recognizes this relationship and states that the internal control and fi nancial statement audits should be viewed as integrated.

Section 404 is composed of two distinct sections. 1 Section 404(a) , which applies to all public companies, requires that each annual report fi led with the Securities and Exchange Commission include an internal control report prepared by management in which management acknowledges its responsibility for establishing and maintaining adequate internal control and provides an assessment of internal control eff ectiveness as of the end of the most recent fi scal year. Section 404(b), which applies to public companies with a market capitalization in excess of $75,000,000, requires the CPA fi rm to audit internal control and express an opinion on the eff ectiveness of internal control. While the emphasis of this chapter is on the auditors’ responsibility under Section 404(b), we will begin with an overview of management’s responsibility.

Describe the nature of an inte-grated audit.

LO1

1 While we emphasize Section 404 in this chapter, we also incorporate information from Sec-tion 103, which requires auditor reporting on internal control. In addition, other sections of the Sarbanes-Oxley Act are also relevant to the overall area of audits of fi nancial statements. Sec-tion 302 requires each of a company’s principal executives and fi nancial offi cers to certify the fi nancial and other information contained in the company’s quarterly and annual reports. These certifi cations must indicate that, based on the offi cer’s knowledge, the fi nancial statements and other fi nancial information included in the report fairly present, in all material respects, the fi nancial condition and results of operations of the company as of, and for, the period pre-sented in the report. Section 906 includes a similar certifi cation requirement but amends the Federal Criminal Code and explicitly sets forth possible criminal penalties for certifi cations that do not comply with the requirements.

whi1103X_ch18_696-725.indd 696whi1103X_ch18_696-725.indd 696 07/02/11 3:52 PM07/02/11 3:52 PM

Confi rming Pages

Integrated Audits of Public Companies 697

Management’s Responsibility for Internal Control

Management has always been responsible for maintaining eff ective internal control. However, the Sarbanes-Oxley Act of 2002 increases management’s responsibility for demonstrating that controls are eff ective. As operationalized by the Securities and Exchange Commission (SEC), management is required to:

• Accept responsibility for the eff ectiveness of internal control. • Evaluate the eff ectiveness of internal control using suitable control criteria. • Support the evaluation with suffi cient evidence. • Provide a report on internal control.

Management’s report and the auditors’ opinion must be included in Form 10-K, the annual report fi led with the SEC. The Sarbanes-Oxley Act requires management to per-form the above steps in a meaningful manner to support its report. While the exact word-ing of the report is left to management’s discretion, Section 404(a) of the Sarbanes-Oxley Act requires the report to: • State that it is management’s responsibility to establish and maintain adequate internal

control. • Identify management’s framework for evaluating internal control. • Include management’s assessment of the eff ectiveness of the company’s internal con-

trol over fi nancial reporting as of the end of the most recent fi scal period, including a statement as to whether internal control over fi nancial reporting is eff ective.

• Include a statement that the company’s auditors have issued an attestation report on management’s assessment.

For most SEC registrants, passage of Sarbanes-Oxley resulted in a one-time major project of evaluating and improving internal control to allow both management and the auditors to conclude that the company’s internal control is eff ective. Then, for each subsequent year’s reporting, the analysis is updated. The overall process is one of identifying the signifi cant controls and testing their design and operating eff ectiveness.

The project is performed either by the company itself or by the company assisted by consultants—often personnel from a CPA fi rm that does not audit the company’s fi nan-cial statements. The company’s external auditing fi rm may provide only limited assis-tance to management to avoid a situation in which its assessment is in essence part of management’s assessment, as well as its own. That is, the CPA fi rm performing the audit should not create a situation in which management relies in any way on the CPA fi rm’s assessment in making its own assessment.

As a starting point, the Securities and Exchange Commission, which provides oper-ational guidance for implementing the Sarbanes-Oxley requirements, has adopted the following defi nition for internal control:

Management’s Evaluation Process and Assessment

Discuss management’s respon-sibility for reporting on internal control as required by the Sar-banes-Oxley Act of 2002.

LO2

Internal control over fi nancial reporting is a process designed by, or under the supervision of, the company’s principal executive and principal fi nancial offi cers, or persons performing similar func-tions, and affected by the company’s board of directors, management, and other personnel, to provide reasonable assurance regarding the reliability of fi nancial reporting and the preparation of fi nancial statements for external purposes in accordance with generally accepted accounting principles and includes those policies and procedures that:

1. Pertain to the maintenance of records that, in reasonable detail, accurately and fairly refl ect the transactions and dispositions of the assets of the company;

2. Provide reasonable assurance that transactions are recorded as necessary to permit prepa-ration of fi nancial statements in accordance with generally accepted accounting principles, and that receipts and expenditures of the company are being made only in accordance with authorizations of management and directors of the company; and

3. Provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use, or disposition of the company’s assets that could have a material effect on the fi nancial statements.


Confi rming Pages

698 Chapter Eighteen

Management’s report must be based on the preceding defi nition of internal control and must result from an evaluation using an accepted “control framework.” Although not required, the control framework ordinarily used is the Internal Control–Integrated Framework, created by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). The COSO framework, discussed in detail in Chapter 7, is the internal control framework commonly used in audits of fi nancial statements.

To perform its evaluation and make its assessment, 2 management must understand the concepts of control defi ciency, signifi cant defi ciency, and material weakness—concepts originally presented in Chapter 7 of this text, although the latter two terms are defi ned diff erently for purposes of an integrated audit. A control defi ciency exists when the design or operation of a control does not allow management or employees, in the nor-mal course of performing their functions, to prevent or detect misstatements on a timely basis.

A material weakness is a control defi ciency, or combination of control defi cien-cies, in internal control over fi nancial reporting, such that there is a reasonable possibil-ity that a material misstatement of the company’s annual or interim fi nancial statements will not be prevented or detected on a timely basis. A reasonable possibility exists when the likelihood is either “reasonably possible” or “probable” as those terms are used in FASB ASC 450-20 “Loss Contingencies.”

A signifi cant defi ciency is a control defi ciency, or a combination of control defi -ciencies, in internal control over fi nancial reporting that is less severe than a material weakness, yet important enough to merit attention by those responsible for oversight of the company’s fi nancial reporting.

Figures 18.1 and 18.2 illustrate relationships among defi ciencies, signifi cant defi cien-cies, and material weaknesses.

2 The “evaluation” or “evaluation process” refers to the methods and procedures management implements to comply with the requirements. The “assessment” is the disclosure required in man-agement’s report on internal control discussing any material weaknesses and management’s assess-ment of the effectiveness of internal control.

Defi ciency Severity

Does Existence Result in Required Modifi cation

of Management’s Assessment and Auditors’ Report?

Control Defi ciency

Not directly considered in defi nition

Only if it is a material weakness

Signifi cant Defi ciency

Less severe than a material weakness

No

Material Weakness

Reasonable possibility of a material misstatement

Yes

FIGURE 18.1 Comparison of Control Defi ciency, Signifi cant Defi ciency, and Material Weakness Defi nitions

FIGURE 18.2 Levels of Severity of Control Defi ciencies

Control Deficiency

Less than a SignificantDeficiency

Significant Deficiency Material Weakness


Confi rming Pages


In evaluating the signifi cance of identifi ed defi ciencies, both quantitative and qualitative factors are considered. Quantitative factors address the potential amount of loss. Qualitative factors include consideration of the nature of the accounts and assertions involved and the possible future consequences of the defi ciency. Chapters 6 and 16 of this text include discussions of qualitative factors aff ecting materiality judgments.

Additionally, the consideration of a control defi ciency should also include analysis of whether a compensating control exists to either prevent or detect the possible mis-statement. For example, assume a company has a defi ciency in control over cash dis-bursements. The compensating control of reconciliation of cash accounts by a competent individual who is otherwise independent of the cash function might make the likelihood of not detecting a signifi cant misstatement less than reasonably possible. Therefore, while a defi ciency might exist, it might not be a signifi cant defi ciency or a material weakness due to the existence of a compensating control.

Management must identify the signifi cant fi nancial statement accounts in order to evaluate the controls over major classes of transactions. Major classes of transac-tions are those that materially aff ect signifi cant fi nancial statement accounts—either directly through entries in the general ledger or indirectly through the creation of rights or obligations that may or may not be recorded in the general ledger.

The overall objective of management’s evaluation of internal control is to provide it with a reasonable basis for its annual assessment as to whether there are any material weaknesses in internal control as of the end of the fi scal year. How does management go about achieving this objective? The SEC guidance is structured about two broad prin-ciples—(1) evaluating the design of controls to identify controls and risks and (2) evalu-ating the operation of the controls. This is consistent with the internal control coverage throughout the text—fi rst consider the design, and then the operating eff ectiveness of controls.

Evaluating Design Eff ectiveness of Controls The evaluation process begins with identifying and assessing the risks to reliable fi nancial reporting. Management then considers whether it has controls placed in operation (imple-mented) that are designed to adequately address those risks. Management ordinarily uses a top-down approach in which it begins with the identifi cation of entity-level controls and works down to detailed controls only to the extent necessary. For example, if man-agement determines that a control within the company’s period-end fi nancial reporting process (an entity-level control) is designed to adequately address the risk of a material misstatement of interest expense, management may not need to identify any additional controls related to interest expense. When additional assurance is needed, consideration of additional controls becomes necessary. Since the process auditors go through is simi-lar, we discuss this in greater detail later in the chapter.

Evaluating Operating Eff ectiveness of Internal Control Management then evaluates operating eff ectiveness of controls in those areas that pose a high risk to reliable fi nancial reporting. Evidence on operating eff ectiveness is obtained from tests of controls and from ongoing monitoring activities related to the controls. Tests of controls are similar to those performed by fi nancial statement auditors as described in detail in Chapter 7. Ongoing monitoring includes activities that provide information about the operation of controls. This information is obtained, for example, through assessments made by employees, assessments made by management (referred to as self-assessment procedures), and the analysis of performance measures designed to track the operation of controls (e.g., budgets).

Documentation A required part of management’s evaluation process is appropriate documentation of internal control. The documentation often occurs throughout the entire evaluation


Confi rming Pages


process. Virtually all of the documentation tools included in Chapters 7 and 8 of this text are relevant for both management’s evaluation and the external auditors’ audit of internal control.

Reporting Management’s evaluation process culminates with the issuance of management’s report on internal control, which includes management’s assessment. If management believes that no material weaknesses exist at year-end, it is able to issue a report concluding that the company maintained eff ective internal control over fi nancial reporting. An illustration of such a report is included in Figure 18.3 . In the next section, we will describe the audi-tors’ process for evaluating and reporting on internal control.

The Auditors’ Responsibility for Reporting on Internal Control in PCAOB Audits

The auditors’ objective in an audit of internal control is to express an opinion on the com-pany’s internal control over fi nancial reporting. To meet this objective, the auditors must plan and perform the audit to obtain reasonable assurance about whether material weak-nesses exist as of the date specifi ed in management’s assessment. Evidence is gathered on both the design and operating eff ectiveness of internal control as of the date specifi ed in management’s assessment—normally the last day of the company’s fi scal year. The audit may be viewed as consisting of the following fi ve stages.

1. Plan the engagement. 2. Use a top-down approach to identify controls to test. 3. Test and evaluate design eff ectiveness of internal control. 4. Test and evaluate operating eff ectiveness of internal control. 5. Form an opinion on the eff ectiveness of internal control.

Management is responsible for establishing and maintaining adequate internal control over fi nancial reporting. Carver Company’s internal control system was designed to pro-vide reasonable assurance to the company’s management and board of directors regard-ing the preparation and fair presentation of published fi nancial statements.

All internal control systems, no matter how well designed, have inherent limitations. Therefore, even a system determined to be effective can provide only reasonable assur-ance with respect to fi nancial statement preparation and presentation. [ Note: This para-graph is not required. ]

We assessed the effectiveness of the company’s internal control over fi nancial reporting as of December 31, 20X4. In making this assessment, we used the criteria set forth by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) in Internal Control–Integrated Framework. Based on our assessment, we believe that, as of Decem-ber 31, 20X4, the company’s internal control over fi nancial reporting is effective based on those criteria.

Carver Company’s independent auditors have issued an audit report on our assessment of the company’s internal control over fi nancial reporting. This report appears on page XX.

Sally Jones John Hankson Chief Executive Offi cer Chief Financial Offi cer February 12, 20X5

FIGURE 18.3 Management Report on Internal Control

Describe the auditors’ responsibil-ity for reporting on internal con-trol through integrated audits as required by the Public Company Accounting Oversight Board.

LO3


Confi rming Pages


As indicated in Figure 18.4 , the auditors fi rst plan the engagement. Effi cient planning requires coordination with the fi nancial statement audit. For purposes of both audits, the auditors consider matters related to the client’s industry, regulatory matters, the client’s business, and any recent changes in the client’s operations. The auditors’ knowledge of a client’s internal control at the planning stage of the engagement will diff er signifi cantly depending upon the nature of the client and the auditors’ experience with that client, and this in turn will aff ect the scope of the auditors’ procedures. For example, when the audi-tors have previously performed audits of the client, the auditors begin the integrated audit with more information than in a circumstance in which the company is a new audit client. Accordingly, they only have to perform procedures to update their knowledge.

Present the auditors’ approach to analyzing internal control when performing an integrated audit.

LO4

FIGURE 18.4 An Audit of Internal Control over Financial Reporting

CompanyInternalControl

Management‘sEvaluation of

Internal Control

Control Criteria(ordinarily COSOInternal ControlFramework)

Issue Auditors‘Attestation Report

Plan theengagement

Use a top-down approachto identify controls

to test

Management’sreport on internal control

(with internal controlassessment)

Test and evaluatedesign effectiveness

Test and evaluateoperating effectiveness

Form an opinion onthe effectiveness ofinternal control overfinancial reporting

Plan the Engagement


Confi rming Pages


There is a subtle diff erence between the auditors’ consideration of internal control for the audit of internal control as compared to their consideration of internal control in an audit of fi nancial statements. In the audit of internal control, the focus is on whether inter-nal control is eff ective at a point in time—the as of date —which is ordinarily the last day of the client’s fi scal period. To express the internal control opinion, the auditors must obtain suffi cient evidence on the eff ectiveness of controls at the as of date. By itself, this would involve performing tests of controls for a period that is usually signifi cantly less than the entire year. On the other hand, in a fi nancial statement audit the consideration of internal control is performed to help plan the audit and to assess control risk for the entire fi nancial statement period. Therefore, the auditors must perform tests of controls of transactions occurring throughout the year to meet the objective of obtaining suffi cient evidence to support the opinion on internal control and assess control risk. This distinc-tion is discussed in more detail later in this chapter.

When planning and performing the audit of internal control, the auditors should take into account the results of the fi nancial statement fraud risk assessment. Specifi cally, the auditors should identify and test controls that address the risk of fraud, including man-agement override of other controls. These controls include those over:

• Signifi cant unusual transactions, particularly those reported late in the period and those related to the period-end fi nancial reporting process.

• Related party transactions. • Signifi cant management estimates. • Incentives for management to falsify or inappropriately manage fi nancial results.

When planning and performing the audit of internal control, the auditors should also recognize internal control diff erences between small and large clients. Often these diff er-ences are related to the degree of complexity of their operations. For example, when the auditors are auditing a small company, many control objectives may be accomplished through daily interaction of senior management and other company personnel rather than through formal policies and procedures. Because of the extensive involvement of senior management in performing controls and the period-end fi nancial reporting process, the auditors of a small company should realize that controls to prevent management override are even more important than it is for a large company. Accordingly, for example, while detailed oversight by the audit committee may be an important control for most compa-nies, it may be particularly important for a small company.

Figure 18.4 indicates that the auditors use a top-down approach to identify controls to test. What is a “top-down” approach? As indicated in Figure 18.5 , the “top-down” approach starts at the top—the fi nancial statements and entity-level controls—and links the fi nancial statement elements and entity-level controls to signifi cant accounts, relevant assertions, and to the major classes of transactions. The goal is to focus on testing those controls that are most important to the auditor’s conclusion on internal control, while avoiding those that are less important.

Entity-Level Controls Entity-level controls often are those included in the control environment or monitoring components of internal control. For example, the portions of the control environment deal-ing with the tone at the top, assignment of authority and responsibility, and corporate codes of conduct have a pervasive eff ect on internal control. Also, information technology general controls over program development, program changes, and computer controls over pro-cessing have a pervasive eff ect in that they help ensure that specifi c controls over process-ing are operating eff ectively. The pervasiveness of entity-level controls distinguishes them

Use a Top-Down Approach to Identify Controls to Test 3

3 This terminology is used in PCAOB Standard No. 5. This stage corresponds to obtaining an under-standing of internal control in a fi nancial statement audit.


Confi rming Pages


from other controls that are designed to achieve the specifi c objectives. As an example of a control that is not an entity-level control, consider control of requiring accounting for all shipping documents. This control activity is aimed primarily at assuring the completeness of recorded sales and does not have the pervasive eff ect of an entity-level control.

Entity-level controls relating to audit committee eff ectiveness, fraud, and the period-end fi nancial reporting process are particularly emphasized in Standard No. 5. The audit committee is particularly important since an eff ective audit committee exercises over-sight responsibility over both fi nancial reporting and internal control. Indeed, ineff ec-tive audit committee oversight by itself is regarded as a strong indication that a material weakness in internal control exists.

PCAOB Standard No. 5 also emphasizes the need for controls specifi cally intended to address the risk of fraud. These controls range from entity-level control environment controls, such as an appropriate tone at the top, corporate codes of conduct, and an eff ec-tive antifraud program, to control activities, such as the reconciliation of cash accounts. Figure 18.6 provides examples of antifraud programs and elements.

The period-end fi nancial reporting process (often referred to as “fi nancial statement close”) is also very signifi cant. The period-end process involves the procedures used to enter transaction totals into the general ledger through the end of the fi nancial statement reporting process. Auditors must thoroughly evaluate this process, including the man-ner in which fi nancial statements are produced, the extent of information technology involved, who participates from management, the locations involved, and the types of adjusting entries and oversight by appropriate parties.

In considering entity-level controls, the auditors should be aware that controls may have either an indirect or a direct eff ect on the likelihood of misstatement. Controls with an indirect eff ect on the likelihood of misstatement might aff ect the auditors’ decisions about the other controls that the auditors select for testing, as well as the nature, timing, and extent of procedures the auditors perform on other controls. For example, a positive tone at the top of the organization may lead to more eff ective lower level control perfor-mance, yet it does not have a direct eff ect on the likelihood of misstatement for any par-ticular assertion. Such a control might allow the auditors to decrease the testing of other lower level controls.

Controls with a direct eff ect on the likelihood of misstatement operate at varying levels of precision. Some of these controls might be designed to identify possible breakdowns in lower level controls and operate at a level of precision that would allow auditors to reduce, but not eliminate, the testing of other controls. As an example, a monitoring control that detects only relatively large misstatements may fall into this category. When

Overall Approach Illustration

Financialstatements

Significant accountsand disclosures

Relevantassertions

Major classes oftransactions and

significant processes

Entity-levelcontrols

Variousothercontrols

Balancesheet

Accountsreceivable

Completenessassertion

Cash receipt andtransactions remittance

process

Centralizedprocessing

Detailed listof cashreceipts

FIGURE 18.5 A Top-Down Approach to Testing Internal Control


Confi rming Pages


Antifraud Program or Element Strong Indicator of Signifi cant Defi ciency

Management accountability Senior management conducts ineffective oversight of antifraud programs and controls.

Audit committee Audit committee passively conducts oversight.

It does not actively engage the topic of fraud.

Internal audit Inadequate scope of activities.

Inadequate communication, involvement, and interaction with the audit committee.

Code of conduct/ethics Nonexistent code or code that fails to address confl icts of interest, related party transac-tions, illegal acts, and monitoring by management and the board.

Ineffective communication to all covered persons.

“Whistleblower” program* No program for anonymous submissions.

Inadequate process for responding to allega-tions of suspicions of fraud.

Whistleblower program signifi cantly defective in design or operation.

Hiring and promotion procedures Failure to perform substantive background investigations for individuals being consid-ered for employment or promotion to a posi-tion of trust.

Remediation Failure to take appropriate and consistent remedial actions with regard to identifi ed signifi cant defi ciencies, material weaknesses, actual fraud, or suspected fraud.

* A program for handling complaints and for accepting confi dential submissions of concerns about questionable accounting, auditing, and other matters (e.g., hotlines).

FIGURE 18.6 Entity-Level Antifraud Programs and Elements

such a control is operating eff ectively, it might allow the auditor to reduce, but not elimi-nate, the testing of other controls.

Other entity-level controls that have a direct eff ect on the likelihood of misstatement might be designed to operate at a level of precision that would adequately prevent or detect material misstatements to one or more relevant assertions. Such controls may allow the auditor to omit testing additional controls relating to that risk. Monitoring controls that identify relatively small misstatements may fall into this category. Note, however, that this area has been controversial as some have asked how frequently such controls actually exist, and thus allow the elimination of testing of controls beneath “the top.”

Signifi cant Accounts and Disclosures As shown in Figure 18.5 , the auditors must obtain an understanding of signifi cant accounts and disclosures. An account is signifi cant if there is a reasonable possibility that it could contain a misstatement that, individually or when aggregated with others, has a material eff ect on the fi nancial statements, considering both the risks of understatementand overstatement. The assessment should be made without giving any consideration to the eff ectiveness of internal control. Factors that the auditors consider in deciding whether an account is signifi cant include:

• Size and composition. • Susceptibility of loss due to errors or fraud.


Confi rming Pages


• Volume of activity, complexity, and homogeneity of individual transactions. • Nature of the account. • Accounting and reporting complexity. • Exposure to losses. • Possibility of signifi cant contingent liabilities. • Existence of related party transactions. • Changes from the prior period.

Identifying Relevant Financial Statement Assertions Once they have determined the signifi cant accounts and disclosures, the auditors must determine which fi nancial statement assertions are relevant to the signifi cant accounts: (1) existence or occurrence; (2) completeness; (3) valuation or allocation; (4) rights and obligations; and/or (5) presentation and disclosure. Relevant assertions for an account are those that have a meaningful bearing on whether the account is presented fairly. For example, valuation may be very relevant to determining the amount of receivables, but it is not ordinarily relevant to cash unless currency translation is involved.

Obtaining a Further Understanding of Likely Sources of Misstatement To further understand the likely sources of potential misstatements, auditors should under-stand the fl ow of transactions related to the relevant assertions. This understanding allows the auditors to identify points within the company’s processes where a material misstate-ment could arise and to identify the controls to prevent or detect these misstatements.

Throughout the text (e.g., Chapter 6, Chapters 11–16), we have discussed the concept of transaction cycles. Transaction cycles (also referred to as classes of transactions) are those transaction fl ows that have a meaningful bearing on the totals accumulated in the company’s signifi cant accounts and, therefore, have a meaningful bearing on relevant assertions. Consider a company whose sales may be initiated by customers either through the Internet or in a retail store. These two types of sales may be viewed as representing two major classes of transactions within the sales process.

Although not explicitly discussed in PCAOB Standard No. 5, it is helpful to classify transactions by transaction type —routine, nonroutine, or accounting estimates. Routine transactions are for recurring activities, such as sales, purchases, cash receipts and disbursements, and payroll. Nonroutine transactions occur only periodically; they generally are not part of the routine fl ow of transactions and include transactions such as counting and pricing inventory, calculating depreciation expense, or determining prepaid expenses. Accounting estimates are activities involving management’s judgments or assumptions, such as determining the allowance for doubtful accounts, estimating war-ranty reserves, and assessing assets for impairment.

Throughout the audit of internal control, auditors must be concerned about all three transaction types. However, the auditors must be aware that the unique nature of non-routine transactions and the subjectivity involved with accounting estimate transactions make them particularly prone to misstatement unless they are properly controlled.

To understand the likely sources of potential misstatements and as a part of selecting the controls to test, the auditors should:

• Understand the fl ow of transactions; • Verify points within the company’s processes at which a misstatement could arise that

could be material; • Identify the controls management has implemented to address these potential mis-

statements; and • Identify the controls management has implemented to prevent or detect on a timely

basis unauthorized acquisition, use, or disposition of the company’s assets that could result in a material misstatement.


Confi rming Pages


FIGURE 18.7 Relationships among Processes, Transaction Types, and Signifi cant Accounts

Examples of Signifi cant Accounts

Transaction Example Processes Types C

ash

Acc

ou

nts

Rec

eiva

ble

Allo

wan

ce f

or D

oubt

ful A

ccou

nts

Inve

nto

ries

Inve

nto

ry R

eser

ves

Prep

aid

Pro

per

ty, P

lan

t, &

Eq

uip

men

t

Oth

er A

cco

un

ts

Sto

ckh

old

ers’

Eq

uit

y

Financial statement close Nonroutine X X X X X X X X XCash receipts Routine X X X Cash disbursements Routine X X Payroll Routine Inventory costing (CGS) Routine X X Estimate purchase commitments Estimation X Estimate excess and obsolete inventory Estimation X Lower-of-cost-or-market calculation Estimation X LIFO calculation Nonroutine X Physical inventory count Nonroutine X Accounts receivable and sales Routine X

Source: Adapted from Ernst & Young, Evaluating Internal Control: Considerations for Documenting Controls at the Process, Transaction, or Application Level, 2003.

Figure 18.7 provides an illustration of the relationships among signifi cant accounts, processes, and transaction types emphasizing inventory processes; it presumes one major class of transactions for each process.

Selecting Controls to Test The auditors should test those controls that are important to their conclusion about whether the company’s controls suffi ciently address the risk of misstatement for each relevant assertion. It is not necessary to design tests of all controls. For example, tests of redundant controls (those that duplicate other controls) need not be designed when tests of the related control are planned, unless redundancy itself is a control objective. The auditors may decide to design tests of preventive controls, detective controls, or a combination of both for the various assertions and signifi cant accounts. Preventive con-trols have the objective of preventing errors or fraud from occurring; detective controls have the objective of detecting errors or fraud that have already occurred. Eff ective inter-nal control generally involves “levels” of controls composed of a combination of both preventive and detective controls. Some controls are complementary controls in that they work together to achieve a particular control objective. When tests are being per-formed related to that control objective, the complementary controls must be tested.

A question that arises when a client has multiple locations is: Must the auditors design and perform tests at all locations? The answer is no. In determining the locations at which to perform tests of controls, the auditor should assess the risk of material misstatement to the fi nancial statements of each location and base the amount of testing on the degree of risk.


Confi rming Pages


Performing Walk-throughs While not required, performing walk-throughs may frequently be the most eff ective way to obtain an understanding of the likely sources of misstatement. A walk-through involves literally tracing a transaction from its origination through the company’s infor-mation system until it is refl ected in the company’s fi nancial reports. Walk-throughs pro-vide the auditors with evidence to:

• Verify that they have identifi ed points at which a signifi cant risk of misstatement to a relevant assertion exists.

• Verify their understanding of the design of controls, including those related to the prevention or detection of fraud.

• Evaluate the eff ectiveness of the design of controls. • Confi rm whether controls have been placed in operation (implemented).

Because much judgment is required in performing a walk-through, the auditors should either perform walk-throughs themselves or supervise the work of others who provide assistance to them (e.g., internal auditors).

While performing walk-throughs, the auditors ask those involved to describe their understanding of the processing involved and to demonstrate what they do. In addition, follow-up inquiries should be made to help identify abuse of controls or indicators of fraud. Examples of such follow-up inquiries include:

• What do you do when you fi nd an error? • What kind of errors have you found? • What happened as a result of fi nding the errors, and how were the errors resolved? • Have you ever been asked to override the process or controls? If yes, why did it occur

and what happened?

The auditors test the design eff ectiveness of controls by determining whether the com-pany’s controls, if operating properly, satisfy the company’s control objectives and can eff ectively prevent or detect errors or fraud that could result in material misstatements. The procedures performed here include a combination of inquiry of appropriate person-nel, observation of the company’s operations, and inspection of relevant documenta-tion. Figure 18.8 provides an example of control objectives, risks, and controls using the COSO framework. The auditors specifi cally consider whether the controls, if function-ing, would reduce the risks to an appropriately low level.

Tests of the operating eff ectiveness of a control determine whether the control func-tions as designed and whether the person performing the control possesses the necessary authority and qualifi cations. In deciding how to design tests of operating eff ectiveness, the auditors must focus on the nature, timing, and extent of the tests.

Nature of Tests of Operating Eff ectiveness Tests of controls, in the order of increasing persuasiveness, include a combination of inquiries of appropriate personnel, inspection of relevant documents, observation of the company’s operations, and reperformance of the application of controls. For example, to evaluate whether the second control objective in Figure 18.8 , the accurate and complete recording of invoices, is achieved, the auditors might use generalized audit software to inspect electronic documents to determine that no gaps exist in the sequence of shipping documents. Also, Standard No. 5 states that the auditors should vary the exact tests per-formed when possible to introduce unpredictability into the audit process.

Evaluating responses to inquiries represents a particular challenge in that the responses may range from formal written inquiries (e.g., representation letters) to informal oral inquiries. Because of the possibility of misrepresentation or misunderstanding of the

Test and Evaluate Design Effectiveness of Internal Control over Financial Reporting

Test and Evaluate Operating Effectiveness of Internal Control over Financial Reporting


Confi rming Pages


FIGURE 18.8 Process: Accounts Receivable

Control Objective Risks Controls

1. Ensure that all goods shipped are accurately billed in the proper period.

Missing documents or incorrect information

• Use standard shipping or contract terms.• Communicate nonstandard shipping or contract

terms to accounts receivable department.• Identify shipments as being before or after period

end by means of a shipping log and prenumbered shipping documents.

Improper cutoff of ship-ment at the end of a period

2. Accurately record invoices for all authorized shipments and only for such shipments.


• Prenumber and account for shipping documents and sales invoices.

• Match orders, shipping documents, invoices, and customer information, and follow through on miss-ing or inconsistent information.

• Mail customer statements periodically and investi-gate and resolve disputes or inquiries by individuals independent of the invoicing function.

• Monitor number of customer complaints regarding improper invoices or statements.

3. Accurately record all authorized sales returns and allowances and only such returns and allowances.


• Authorization of credit memos by individuals inde-pendent of accounts receivable function.

• Prenumber and account for credit memos and receiving documents.

• Match credit memos and receiving documents and resolve unmatched items by individuals indepen-dent of the accounts receivable function.

• Mail customer statements periodically and investi-gate and resolve disputes or inquiries by individuals independent of the invoicing function.

Inaccurate input of data

4. Ensure continued completeness and accuracy of accounts receivable.

Unauthorized input for nonexistent returns, allowances, and write-offs

• Review correspondence authorizing returns and allowances.

• Reconcile accounts receivable subsidiary ledger with sales and cash receipts transactions.

• Resolve differences between the accounts receiv-able subsidiary ledger and the accounts receivable control account.

5. Safeguard accounts receivable records.

Unauthorized access to accounts receivable records and stored data

• Restrict access to accounts receivable fi les and data used in processing receivables.

Source: Adapted from Internal Control–Integrated Framework, Evaluation Tools.

responses, inquiry alone does not provide suffi cient evidence to support the operating eff ectiveness of a control. Thus, auditors should substantiate the responses to inquiries by performing other procedures, such as inspecting reports or other documentation relating to the inquiries.

Timing of Tests of Controls Tests of controls should be performed over a period of time suffi cient to determine whether, as of the date specifi ed in management’s report, the controls were operating eff ectively. The auditors are aware that some controls operate continuously (e.g., con-trols over routine transactions, such as sales), while others operate only periodically (e.g., controls over nonroutine transactions or events, such as the preparation and analysis of monthly or quarterly fi nancial statements). For controls that operate only periodically, it may be necessary to wait until after the date of management’s report to test them; for example, controls over period-end fi nancial reporting normally operate only after the date


Confi rming Pages


of management’s report. The auditors’ tests can be performed only at the time the con-trols are operating.

Extent of Tests of Controls PCAOB Standard No. 5 requires the auditors to obtain suffi cient evidence about the eff ectiveness of controls for all relevant assertions related to all signifi cant accounts. This means that the auditors must design procedures to provide a high level of assurance that the controls related to each relevant assertion are operating eff ectively. For man-ual controls, this generally involves more extensive testing than for automated controls. Generally, the more frequently controls operate, the more auditors should test them, and controls that are relatively more important should be tested more extensively. Also, the auditors cannot be satisfi ed with less-than-persuasive evidence because of a belief that management is honest.

When control exceptions are identifi ed, the auditors should critically assess the nature and extent of testing and consider whether additional testing is appropriate. Also, a con-clusion that an identifi ed control exception does not represent a control defi ciency is only appropriate if evidence beyond what the auditors had originally planned, and beyond inquiry, supports that conclusion. The issue of evaluating exceptions will be described in more detail later in this chapter.

Can auditors use the work of others—internal auditors, company personnel, and third parties—in the audit of internal control? For example, if client personnel have already performed certain procedures that the auditors had intended, may the auditors use that work? The answer is yes because PCAOB Standard No. 5 allows auditors to use the work of others. It is expected that the work of others used by the auditors will often be related to relatively low-risk areas. In any event, the auditors must understand that when they use the work of others they remain responsible for their opinion and they cannot share responsibility with those others. In all cases in which the work of others is used, the auditors should evaluate the competence and objectivity of those individuals and test the work they have performed.

Another issue relates to the degree to which auditors must retest controls in detail each year. In audits subsequent to the fi rst year, auditors should incorporate knowledge obtained during past audits of internal control. Using this “cumulative audit knowledge” (knowledge obtained from prior audits), the auditors often may be able to reduce the amount of work performed. In making decisions as to the necessary testing, the auditors should consider the various risk factors related to a control as well as:

• The nature, timing, and extent of procedures performed in previous audits, • The results of the previous years’ testing of the control, and • Whether there have been changes in the control, or the signifi cant process in which it

operates, since the previous audit.

Illustrative Case Frequency of Testing

One CPA fi rm provided the following guidance to its auditors as to frequency of testing:

Frequency of Control Suggested Number of Items to Test Annual 1 Quarterly 2 Monthly 3–6 Weekly 10–20 Daily 20–40 Multiple times per day 30–60


Confi rming Pages


To illustrate, assume that a control presents a low risk overall in that there is a low inher-ent risk, a low degree of complexity, few changes in controls, and the previous year revealed no defi ciencies. In such a case, the auditors may determine that suffi cient evi-dence of operating eff ectiveness could be obtained by performing a walk-through. In addition, the auditors may use the work of others to a greater extent than in the past. But, on an overall basis, the auditors must test controls every year and cannot “rotate” analysis of various transaction types between various years (e.g., consider controls over sales this year, and purchases next year).

Relationship between Tests of Controls Performed for the Internal Control Audit and Those Performed for the Financial Statement Audit Are the types of tests of controls performed for an internal control audit the same as those performed for a fi nancial statement audit? May the evidence from tests performed for an internal control audit be used for the fi nancial statement audit? While the answer to both of these questions is yes, the auditors must consider the diff erences in the objectives of the tests.

The objective of tests of controls in an audit of internal control is to obtain evidence about the eff ectiveness of controls to support the auditors’ opinion on whether manage-ment’s assessment of the eff ectiveness of internal control, taken as a whole, is fairly stated as of a point in time. Accordingly, to express this opinion the auditors must obtain evidence about the eff ectiveness of controls over all relevant assertions for all signifi cant accounts and disclosures in the fi nancial statements.

The objective of tests of controls for a fi nancial statement audit is to assess control risk. If the auditors decide to assess control risk at less than the maximum, they are required to obtain evidence that the relevant controls operated eff ectively during the entire period upon which they plan to place reliance on those controls. However, the auditors are not required to assess control risk at less than the maximum for all assertions.

How may these two diff erent approaches for tests of controls be reconciled in an inte-grated audit? PCAOB Standard No. 5, for purposes of the internal control audit, allows the auditors to obtain evidence about operating eff ectiveness at diff erent times throughout the year—provided that the auditors update those tests or obtain other evidence that the controls still operated eff ectively at the end of the year. Thus, although the timing for issuing the internal control report will not ordinarily require tests from throughout the year, the inte-grated nature of the two audits suggests that testing should be spread throughout the year.

The requirements of Standard No. 5 have had the eff ect of pushing auditors to perform fi nancial statement audits using the systems approach—an approach with heavy reliance on internal control evidence. In essence, since extensive tests of controls are required for each signifi cant account for the internal control audit, the auditors should have signifi cant evidence about the eff ectiveness of internal control for the fi nancial statement audit. The auditors generally must merely extend the tests to cover the fi nancial statement period in order to assess control risk at a low level for purposes of the fi nancial statement audit.

Eff ect of Tests of Controls on Financial Statement Audit Substantive Procedures Historically, to enhance audit effi ciency and eff ectiveness, auditors often have used a substantive audit approach that is not acceptable for integrated audits. Auditors have traditionally relied primarily (or completely) on evidence from substantive procedures rather than testing controls in audit areas when a substantive approach was considered the most cost-eff ective approach. To illustrate, when only a fi nancial statement audit is being performed, auditors often rely heavily upon substantive procedures to audit areas such as property, plant, and equipment; investments; and long-term debt. Since auditors must now report on the eff ectiveness of internal control, approaches limiting the testing of controls are not acceptable.

Historically, another effi ciency that has developed in fi nancial statement audits is min-imizing the testing of controls aimed at preventive controls (e.g., transaction level controls), and emphasizing the testing of detective controls (e.g., various types of reconciliations and exception reports). When auditors express an opinion on internal

Explain how fi ndings relating to the audits of internal control and the fi nancial statements may aff ect one another.

LO5


Confi rming Pages


control, the auditors are more likely to use an approach that includes testing of both pre-ventive and detective controls.

Since an integrated audit requires tests of controls for all major accounts and relevant assertions, circumstances in which controls are found to be eff ective will lead to a decreased scope of substantive procedures as compared to a situation in which tests of controls have revealed an ineff ective system or a situation in which tests of controls have not been per-formed. However, when signifi cant defi ciencies or material weaknesses have been identi-fi ed, the auditors must obtain assurance that such defi ciencies have not resulted in undetected material misstatements. As an example, if controls over the recording of revenues are con-sidered ineff ective, the auditors must determine whether the audit procedures designed into their audit program must be modifi ed to obtain more evidence about the fairness of revenue.

The extensive level of controls testing performed during an integrated audit leads to the question of whether substantive tests may be omitted completely in areas in which controls have been found to operate eff ectively. This is not acceptable. Regardless of the assessed level of control risk, the auditors must perform substantive procedures for all relevant assertions related to all signifi cant accounts and disclosures.

Eff ect of Financial Statement Substantive Procedures on the Audit of Internal Control We have shown that the audit of internal control may aff ect the scope of substantive procedures performed for the fi nancial statement audit. Alternatively, the results of sub-stantive procedures may aff ect the audit of internal control. The fi ndings obtained while performing substantive procedures in the fi nancial statement audit may provide evidence of the eff ectiveness or ineff ectiveness of internal control over fi nancial reporting. For example, identifi cation of a material misstatement in the fi nancial statements is consid-ered indicative of at least a signifi cant defi ciency in internal control. Additional examples of substantive procedures fi ndings that might aff ect the internal control audit are those relating to illegal acts, related party transactions, the reasonableness of accounting esti-mates, and the client’s overall selection of accounting principles.

In forming an opinion on internal control over fi nancial reporting, the auditors evaluate all evidence, including:

1. The results of their evaluation of the design, 2. The results of tests of the operating eff ectiveness of controls, 3. Negative results of substantive procedures performed during the fi nancial statement

audit, and 4. Any identifi ed control defi ciencies.

Form an Opinion on the Effectiveness of Internal Control over Financial Reporting

It is possible to use statis-tical attribute sampling (presented in Chapter 9) to

consider control defi ciency seriousness. Consider a control over authorization of sales transactions:

1% = Deviation rate in the auditors’ sample

6% = Achieved upper deviation rate

5% = Risk of assessing control risk too low

If one further assumes that $3,000,000 of the transaction type occurred, the auditor may estimate that $180,000

(6% × $3,000,000) worth of transactions may not have been properly approved. That is, there is less than a reasonable possibility that $180,000 in transactions were not properly approved.

If one assumes that $180,000 is material, the defi ciency represents a material weakness. Alternatively, if it is not considered quantitatively material, an auditor must judg-mentally determine whether it represents a signifi cant defi ciency that should be communicated to the audit com-mittee. Note, however, that the auditors must also take into account qualitative considerations.

Illustrative Case Using Attributes Sampling to Consider Control Defi ciencies


Confi rming Pages


An unqualifi ed audit opinion may be issued when no material weaknesses in internal control have been identifi ed as existing at the as of date (year-end) and when there have been no restrictions on the scope of the auditors’ work. The auditors may issue separate reports on the fi nancial statements and internal control or a combined report. Figure 18.9 is an example of a separate report on internal control.

One or more material weaknesses in internal control result in an adverse opinion. 4 Scope limitations may result in either a disclaimer or withdrawal from the engagement depending on the extent of the limitation.

Determining whether defi ciencies have been identifi ed and, if so, the likelihood and potential amount of misstatement is key to identifying the proper opinion to issue. If no defi ciencies have been identifi ed and no scope limitations are involved, an unqualifi ed opinion is appropriate.

Evaluating Defi ciencies The auditors must evaluate whether identifi ed control defi ciencies, individually or in combination, are signifi cant defi ciencies or material weaknesses. This involves a consid-eration of both quantitative and qualitative factors.

When a defi ciency has been identifi ed, the auditors will consider whether any other controls eff ectively mitigate the risk of potential misstatement and create a situation in which the defi ciency is not signifi cant or, at least, does not constitute a material weak-ness. Earlier in this chapter, we used the example of a weakness in cash disbursements that was mitigated by the compensating control of reconciliation of the bank account by an individual otherwise independent of the cash function. Such a compensating control might cause the auditors to alter their assessment of a defi ciency—reducing it from one that otherwise would be considered signifi cant (or a material weakness) to one that is simply a control defi ciency.

In evaluating the potential amount of misstatement related to a control defi ciency, the auditors should consider not only the misstatements identifi ed, but also the amount that could occur with a reasonable possibility. Although there are various possible approaches to this evaluation, one is to directly consider whether a reasonable possibility exists that a material amount of misstatement could occur. If that is the case, the defi ciency is a material weakness. Alternatively, if the defi ciency is less severe than a material weak-ness, yet important enough to merit the attention by those responsible for oversight of the company’s fi nancial reporting (ordinarily the audit committee), the defi ciency represents a signifi cant defi ciency.

The auditors must also consider qualitative factors when evaluating materiality, as is the case with fi nancial statement audits. Examples of qualitative factors include whether the weakness relates to related party transactions and whether there are changes in account characteristics in relation to the prior year. Chapter 6 presents additional infor-mation on qualitative factors that are used by the auditors. In essence, the auditors should attempt to determine what a prudent offi cial in the conduct of his or her own aff airs would consider a signifi cant defi ciency and a material weakness.

While a material weakness in internal control can arise in a wide variety of situations, PCAOB Standard No. 5 provides the following indicators of material weaknesses:

• Identifi cation of fraud, whether or not material, on the part of senior management. • Restatement of previously issued fi nancial statements to refl ect the correction of a

material misstatement. • Identifi cation by the auditors of a material misstatement in circumstances that indicate

that the misstatement would not have been detected by the company’s internal control. • Ineff ective oversight of the company’s external fi nancial reporting and internal control

by the company’s audit committee.

Discuss circumstances that require auditors to modify their report on internal control.

LO6

4 Notice that this is different from reports on audits of fi nancial statements. In an audit of fi nancial statements, a departure from generally accepted accounting principles results in either a qualifi ed opinion or an adverse opinion based on materiality.


Confi rming Pages


Report of Independent Registered Public Accounting Firm

To the Audit Committee and Stockholders of Carver Company:

[Introductory paragraph]

We have audited Carver Company’s internal control over fi nancial reporting as of December 31, 20X8, based on criteria established in Internal Control–Integrated Framework issued by the Committee of Sponsoring Organiza-tions of the Treadway Commission (COSO). Carver Company’s management is responsible for maintaining effective internal control over fi nancial reporting, and for its assessment of the effectiveness of internal control over fi nancial reporting, included in the accompanying [title of management’s report]. Our responsibility is to express an opinion on the company’s internal control over fi nancial reporting based on our audits.

[Scope paragraph]

We conducted our audit in accordance with the standards of the Public Company Accounting Oversight Board (United States). Those standards require that we plan and perform the audit to obtain reasonable assurance about whether effective internal control over fi nancial reporting was maintained in all material respects. Our audit included obtaining an understanding of internal control over fi nancial reporting, assessing the risk that a material weakness exists, and testing and evaluating the design and operating effectiveness of internal control based on the assessed risk. Our audit also included performing such other procedures as we considered necessary in the circum-stances. We believe that our audit provides a reasonable basis for our opinion.

[Defi nition paragraph]

A company’s internal control over fi nancial reporting is a process designed to provide reasonable assurance regard-ing the reliability of fi nancial reporting and the preparation of fi nancial statements for external purposes in accor-dance with generally accepted accounting principles. A company’s internal control over fi nancial reporting includes those policies and procedures that (1) pertain to the maintenance of records that, in reasonable detail, accurately and fairly refl ect the transactions and dispositions of the assets of the company; (2) provide reasonable assurance that transactions are recorded as necessary to permit preparation of fi nancial statements in accordance with gen-erally accepted accounting principles, and that receipts and expenditures of the company are being made only in accordance with authorizations of management and directors of the company; and (3) provide reasonable assur ance regarding prevention or timely detection of unauthorized acquisition, use, or disposition of the company’s assets that could have a material effect on the fi nancial statements.

[Inherent limitations paragraph]

Because of its inherent limitations, internal control over fi nancial reporting may not prevent or detect misstate-ments. Also, projections of any evaluation of effectiveness to future periods are subject to the risk that controls may become inadequate because of changes in conditions, or that the degree of compliance with the policies or proce-dures may deteriorate.

[Opinion paragraph]

In our opinion, Carver Company maintained, in all material respects, effective internal control over fi nancial reporting as of December 31, 20X8, based on criteria established in Internal Control–Integrated Framework issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).

[Explanatory paragraph]

We have also audited, in accordance with the standards of the Public Company Accounting Oversight Board (United States), the balance sheets of Carver Company as of December 31, 20X8 and 20X7, and the related state-ments of income, shareholders’ equity and comprehensive income, and cash fl ows for each of the three years for the period ended December 31, 20X8, of Carver Company. Our report, dated February 12, 20X9, expressed an unqualifi ed opinion.

Willington & Co., CPAs

Bisbee, Arizona, United States of America February 20X9

FIGURE 18.9 Report with Standard Unqualifi ed Opinion on Internal Control over Financial Reporting


Confi rming Pages


Correcting a Material Weakness Recall that the audit report is modifi ed for material weaknesses that exist at the as of date (year-end). Consider a situation in which four months prior to year-end management identifi es a material weakness. If management corrects this weakness prior to year-end, can the auditors issue an unqualifi ed opinion on internal control? Yes, but only if the auditors have suffi cient evidence to provide reasonable assurance that the new control is operating eff ectively. Obtaining such evidence is much easier for controls that oper-ate frequently, in contrast to those that operate only monthly or quarterly (e.g., fi nancial statement close). All in all, the timing of the identifi cation of the material weakness is very important. For example, if the material weakness is not identifi ed until after year-end, an adverse opinion must be issued even if the weakness is corrected: The control did not operate eff ectively on the date of management’s report.

Existence of a Material Weakness A material weakness in internal control that exists at year-end results in the issuance of an adverse opinion. When expressing an adverse opinion, the auditors’ report must defi ne a material weakness, indicate that one has been identifi ed, and refer to the description of it in management’s report. Figure 18.10 provides an example of an adverse opinion.

Scope Limitations If a restriction on the scope of the audit is imposed by the circumstances, the auditors should withdraw from the engagement or disclaim an opinion. Earlier we discussed the situation in which the auditors identify a material weakness and management takes steps to correct that material weakness prior to year-end. If the auditors are unable to obtain suffi cient evidence that the new controls are eff ective for a suffi cient period of time, they will issue a disclaimer of opinion on internal control.

Management’s Report on Internal Control Is Incomplete or Improperly Presented When management’s report on internal control (including its assessment) is found to be inadequate, the auditors should modify their report to include an explanatory paragraph describing the reasons for this determination. If management does not disclose a material weakness properly, the auditors should state that the material weakness is not included in management’s assessment and describe it in the audit report. Note that the auditors’ report is already adverse due to the existence of a material weakness. In this situation, the auditors also are required to communicate in writing to the audit committee that the mate-rial weakness was not disclosed or identifi ed as a material weakness in management’s report. Figure 18.11 summarizes reporting for this and the preceding circumstances described in this section.

Audit Report Modifi cations

(Paragraphs 1–4 and the fi nal paragraph are identical to Figure 18.9 standard unqualifi ed report)

[Explanatory paragraph]

A material weakness is a control defi ciency, or a combination of control defi ciencies, in internal control over fi nan-cial reporting, such that there is a reasonable possibility that a material misstatement of the company’s annual or interim fi nancial statements will not be prevented or detected on a timely basis. A material weakness was identifi ed and is described in management’s assessment of internal control. That material weakness relates to [describe the material weakness, including its actual and potential effect on the fi nancial statements].

[Opinion paragraph]

In our opinion, because of the effect of the material weakness described above on the achievement of the objec-tives of the control criteria, Carver Company has not maintained effective internal control over fi nancial reporting as of December 31, 20X8, based on criteria established in Internal Control–Integrated Framework issued by the Commit-tee of Sponsoring Organizations of the Treadway Commission (COSO).

FIGURE 18.10 Abstract of Report with Adverse Opinion on Internal Control over Financial Reporting


Confi rming Pages


Reliance on Other Auditors When other auditors have performed a portion of the audit, the auditors must decide whether they are able to serve as the principal auditors. The considerations and reporting requirements are essentially the same as when other auditors are involved in the fi nancial statement audit. The auditors who are able to serve as the principal auditors of the fi nan-cial statements ordinarily also serve as principal auditors of internal control. When the principal auditors decide to refer in their report to the work of the other auditors, this ref-erence is included both in describing the scope of the audit and in expressing the opinion.

Subsequent Events Subsequent events relevant to the internal control audit are changes in internal control subsequent to year-end but before the date of the auditors’ report. The auditors have a responsibility to make inquiries of management about whether there have been any such changes. If the auditors obtain knowledge of subsequent events that materially and adversely aff ect the eff ectiveness of internal control, they should issue an adverse opin-ion. If the auditors are unable to determine the eff ect of the subsequent event, they should disclaim an opinion.

Issuing a Combined Report on the Financial Statements and Internal Control PCAOB Standard No. 5 allows auditors to either issue separate reports on their audits of the fi nancial statements and internal control or issue one combined report. The illus-trations in this chapter have been based on separate reports. Figure 18.12 provides an illustration of a combined unqualifi ed report on both the fi nancial statements and internal control.

PCAOB Standard No. 5 requires that auditors communicate in writing to management all control defi ciencies, regardless of their severity—this includes material weaknesses, sig-nifi cant defi ciencies, and other defi ciencies. In addition, a written communication to the audit committee must be issued that includes material weaknesses, signifi cant defi cien-cies, and an indication that all defi ciencies have been communicated to management. The written communications on weaknesses to both management and the audit committee should be made prior to issuance of the audit report on internal control.

In addition, when the auditors conclude that the oversight of the company’s external fi nancial reporting and internal control over fi nancial reporting is ineff ective, they must communicate that conclusion in writing to the board of directors.

Other Communication Requirements

Circumstance Auditors’ Opinion

Material Weakness Exists Adverse

Material Weakness Existed during Year, System Changed Prior to the As of Date

Auditors test new system and material weakness eliminated Unqualifi ed

Auditors do not have suffi cient time to test new system Treat as scope restriction

Scope Restriction* Disclaimer or Withdraw from Engagement

Management’s Report on Internal Control Is Incomplete or Improperly Presented

Report does not acknowledge a material weakness identifi ed by the auditor

Adverse

Other Issues Unqualifi ed (but with an explanatory paragraph)

* If the auditors intend to issue a disclaimer of opinion, yet know of a material weakness, the material weakness should be described in the report.

FIGURE 18.11 Circumstances Aff ecting Auditors’ Opinion on Internal Control


Confi rming Pages


Report of Independent Registered Public Accounting Firm To the Audit Committee and Stockholders of Carver Company

[Introductory paragraph]

We have audited the accompanying balance sheets of Carver Company as of December 31, 20X8 and 20X7, and the related statements of income, stockholders’ equity and comprehensive income, and cash fl ows for each of the years in the three-year period ended December 31, 20X8. We also have audited Carver Company’s internal control over fi nancial reporting as of December 31, 20X8, based on [Identify control criteria: for example, “criteria established in Internal Control–Integrated Framework issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO)”]. Carver Company’s management is responsible for these fi nancial statements, for maintain-ing effective internal control over fi nancial reporting, and for its assessment of the effectiveness of internal control over fi nancial reporting included in the accompanying [title of management’s report]. Our responsibility is to express an opinion on these fi nancial statements and an opinion on the company’s internal control over fi nancial reporting based on our audits.

[Scope paragraph]

We conducted our audits in accordance with the standards of the Public Company Accounting Oversight Board (United States). Those standards require that we plan and perform the audits to obtain reasonable assurance about whether the fi nancial statements are free of material misstatement and whether effective internal control over fi nancial reporting was maintained in all material respects. Our audits of the fi nancial statements included exam-ining, on a test basis, evidence supporting the amounts and disclosures in the fi nancial statements, assessing the accounting principles used and signifi cant estimates made by management, and evaluating the overall fi nancial statement presentation. Our audit of internal control over fi nancial reporting included obtaining an understanding of internal control over fi nancial reporting, assessing the risk that a material weakness exists, and testing and evalu-ating the design and operating effectiveness of internal control based on the assessed risk. Our audits also included performing such other procedures as we considered necessary in the circumstances. We believe that our audits pro-vide a reasonable basis for our opinions.

[Defi nition paragraph]

A company’s internal control over fi nancial reporting is a process designed to provide reasonable assurance regard-ing the reliability of fi nancial reporting and the preparation of fi nancial statements for external purposes in accor-dance with generally accepted accounting principles. A company’s internal control over fi nancial reporting includes those policies and procedures that (1) pertain to the maintenance of records that, in reasonable detail, accurately and fairly refl ect the transactions and dispositions of the assets of the company; (2) provide reasonable assurance that transactions are recorded as necessary to permit preparation of fi nancial statements in accordance with gen-erally accepted accounting principles, and that receipts and expenditures of the company are being made only in accordance with authorizations of management and directors of the company; and (3) provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use, or disposition of the company’s assets that could have a material effect on the fi nancial statements.

[Inherent limitations paragraph]

Because of its inherent limitations, internal control over fi nancial reporting may not prevent or detect misstate-ments. Also, projections of any evaluation of effectiveness to future periods are subject to the risk that controls may become inadequate because of changes in conditions, or that the degree of compliance with the policies or proce-dures may deteriorate.

[Opinion paragraph]

In our opinion, the fi nancial statements referred to above present fairly, in all material respects, the fi nancial position of Carver Company as of December 31, 20X8 and 20X7, and the results of its operations and its cash fl ows for each of the years in the three-year period ended December 31, 20X8, in conformity with accounting principles generally accepted in the United States of America. Also in our opinion, Carver Company maintained, in all material respects, effective internal control over fi nancial reporting as of December 31, 20X8, based on [identify control crite-ria: for example, “criteria established in Internal Control–Integrated Framework issued by the Committee of Sponsor-ing Organizations of the Treadway Commission (COSO)”].

Willington & Co., CPAs Bisbee, Arizona, United States of America

February 20X9

FIGURE 18.12 Combined Report with Standard Unqualifi ed Opinion on Financial Statements and Internal Control over Financial Reporting


Confi rming Pages


After the existence of a material weakness has led to an adverse opinion in an internal control audit report, the company is ordinarily motivated to eliminate the weakness as quickly as is reasonably possible. When management believes that the material weak-ness has been eliminated, the auditors may be engaged to report on whether the material weakness continues to exist. PCAOB Standard No. 4, “Reporting on Whether a Previ-ously Reported Material Weakness Continues to Exist,” provides the guidance for such engagements.

To engage the auditors to perform this service, management must fi rst gather suf-fi cient evidence to demonstrate that the material weakness has been eliminated, docu-ment this evidence, and provide a written assertion stating that the material weakness no longer exists. The auditors then plan and perform an engagement that focuses on con-trols that are relevant to the particular weakness. If they determine that the controls are now eff ective, the auditors may issue an unqualifi ed report indicating that the material weakness no longer exists. PCAOB Standard No. 4 provides other reporting guidance, including:

• A signifi cant scope limitation on the auditors’ procedures should result in either a disclaimer of opinion or the resignation of the auditors (qualifi ed opinions are not allowed).

• When the auditors’ original report includes other material weaknesses that are not being considered in this engagement, the report should be modifi ed to disclose that the other weaknesses are not addressed by the opinion.

• After a change in auditors, the successor auditors may issue such a report, but they fi rst must obtain a suffi cient understanding of the entity and the related material weakness.

• If, while performing the engagement, the auditors discover an additional material weakness, the auditors should inform the audit committee about the matter, but they are not required to modify their report.

While nonpublic companies are not required to undergo integrated audits, the option is available. As an example, management may be considering taking the company public in the relatively near future and might choose to undergo such an audit. Attestation standard AT 501 provides guidance for performing the internal control portion of an integrated audit for a nonpublic company.

The procedures for a nonpublic integrated audit are very similar to those for a public company that we have emphasized throughout this chapter. Accordingly, we will not provide extensive detail, but will simply summarize signifi cant diff erences as shown below.

Integrated Audits for Nonpublic Companies

Reporting on Whether a Previously Reported Material Weakness Continues to Exist

Issue PCAOB Standard 5 AT 501

Title of the engagement? Audit Examination

Report on subject matter and/or assertion?

Only on subject matter Subject matter or assertion when no material weakness exists; when a material weak-ness exists, subject matter

May the report issued indicate that no mate-rial weaknesses were identifi ed?

Yes No

Which standards are followed by the CPA as indicated in the report?

PCAOB Standards Attestation standards estab-lished by the AICPA


Confi rming Pages


This chapter explained the nature of integrated audits of public companies performed in response to the Sarbanes-Oxley Act of 2002 and in accordance with Public Company Accounting Oversight Board Standard No. 5. To summarize:

1. Section 404(a) of the Sarbanes-Oxley Act requires management to acknowledge its responsibility for establishing and maintaining adequate internal control and provide an assessment of internal control eff ectiveness as of the end of the most recent fi scal year.

2. Section 404(b) of the Sarbanes-Oxley Act requires the auditors to provide an opinion on the eff ectiveness of internal control.

3. Material weaknesses involve a reasonable possibility that a material misstatement of the fi nancial statements will not be prevented or detected on a timely basis. Signifi -cant defi ciencies are less severe than maternal weaknesses, yet important enough to merit attention by those responsible for oversight of the company’s fi nancial reporting.

4. An integrated audit includes an audit report on both the fi nancial statements and internal control. To issue such a report, the auditors perform procedures to test con-trols over all signifi cant accounts, as well as substantive tests to support their opinion on the fairness of the fi nancial statements.

5. Internal control audit reports are modifi ed for a material weakness that exists at year-end. The report issued includes an adverse opinion indicating that eff ective internal control does not exist. If the scope of the auditors’ work is limited, they should issue a disclaimer of opinion, or withdraw from the engagement.

6. After a client has remediated a material weakness that led to an adverse report, audi-tors may be engaged to attest to the elimination of the material weakness.

Chapter Summary

Accounting estimate (705) A transaction involving management’s judgments or assumptions, such as determining the allowance for doubtful accounts, establishing warranty reserves, and assessing assets for impairment. As of date (702) An audit of internal control over fi nancial reporting assesses internal control as of a particular point in time, the “as of” date, as opposed to the entire period under audit. This date is ordinarily the last day of the client’s fi scal period. Compensating control (699) A control that reduces the risk that an existing or potential control weakness will result in a failure to meet a control objective (e.g., avoiding misstatements). Compensating controls are ordinarily controls performed to detect, rather than prevent, the misstatement from occurring. For example, a reconciliation of the bank account performed by an individual otherwise independent of the cash function serves to detect a variety of possible misstatements (both errors and fraud) that may have occurred in the processing of cash receipts and disbursements. Complementary controls (706) Controls that function together to achieve the same control objective (e.g., avoiding misstatements). Control defi ciency (698) A weakness in the design or operation of a control that does not allow management or employees, in the normal course of performing their functions, to prevent or detect misstatements on a timely basis. Detective controls (710) Policies and procedures that are designed to identify errors or fraud after they have occurred. Detective controls can be applied to groups of transactions (e.g., bank reconciliations). Integrated audit (under PCAOB Standard No. 5 ) (696) An audit that includes audit reports on both a company’s internal control over fi nancial reporting and the fi nancial statements. Major classes of transactions (699) Those transaction fl ows that have a meaningful bearing on the totals accumulated in the company’s signifi cant accounts and, therefore, have a meaningful bearing on relevant assertions. Material weakness (698) A control defi ciency, or a combination of control defi ciencies, in internal control over fi nancial reporting, such that there is a reasonable possibility that a material misstatement of the company’s annual or interim fi nancial statements will not be prevented or detected on a timely basis.

Key Terms Introduced or Emphasized in Chapter 18


Confi rming Pages


Nonroutine transaction (705) A transaction that occurs only periodically, such as counting and pricing inventory, calculating depreciation expense, or determining prepaid expenses. Preventive controls (710) Procedures designed to prevent an error or fraud. Preventive controls are normally applied at the individual transaction level. Redundant controls (706) Duplicate controls that both achieve a control objective. Routine transaction (705) A transaction for a recurring fi nancial activity recorded in the accounting records in the normal course of business, such as sales, purchases, cash receipts, cash disbursements, and payroll. Sarbanes-Oxley Act of 2002 (697) An act passed by the U.S. Congress to protect investors from the possibility of fraudulent accounting activities by corporations by improving the accuracy and reliability of corporate disclosures. Section 404 (696) The primary section of the Sarbanes-Oxley Act dealing with management and auditor reporting on internal control over fi nancial reporting. Section 404(a) requires that each annual report fi led with the Securities and Exchange Commission include an internal control report prepared by management in which management acknowledges its responsibility for establishing and maintaining adequate internal control and an assessment of internal control eff ective as of the end of the most recent fi scal year. Section 404(b) requires that the CPA fi rm attest to and report internal control. Signifi cant account (704) An account for which there is a reasonable possibility that it could contain misstatements that individually, or when aggregated with others, could have a material eff ect on the fi nancial statements. Signifi cant defi ciency (698) A defi ciency, or a combination of defi ciencies, in internal control over fi nancial reporting that is less severe than a material weakness, yet important enough to merit attention by those responsible for oversight of the company’s fi nancial reporting. Walk-through (707) A procedure in which an auditor follows a transaction from origination through the company’s processes, including information systems, until it is refl ected in the company’s fi nancial records, using the same documents and information technology that company personnel use. Walk-through procedures usually include a combination of inquiry, observation, inspection of relevant documentation, and reperformance of controls.

Review Questions 18–1. Section 404 of the Sarbanes-Oxley Act of 2002 includes two sections. Describe those sections. 18–2. Identify management’s four overall responsibilities with respect to internal control over fi nan-

cial reporting that arise due to the Securities and Exchange Commission’s implementation of the Sarbanes-Oxley Act of 2002.

18–3. What information must be included in management’s report on internal control over fi nancial reporting in the annual report fi led with the Securities and Exchange Commission?

18–4. Describe the diff erence between a signifi cant defi ciency and a material weakness in internal control.

18–5. Comment on the accuracy of the following statement: “Since both signifi cant defi ciencies and material weaknesses must be reported to the audit committee, for practical purposes, there is no distinction between the two.”

18–6. What is meant by the “as of ” date when reporting on internal control over fi nancial reporting? 18–7. What is a compensating control? 18–8. Provide examples of antifraud programs that the auditors might expect the client to have. 18–9. Describe what is meant by a “walk-through.” Must walk-throughs be performed during audits

of internal control over fi nancial reporting? May the client perform a walk-through and the auditors then review the client’s work?

18–10. While performing a walk-through, auditors ordinarily make certain inquiries of employees. Provide three examples of such inquiries.

18–11. Auditors often perform walk-throughs in integrated audits. Describe the evidence that is typi-cally provided by a walk-through.

18–12. When performing an audit of internal control over fi nancial reporting, auditors may distin-guish among the following types of transactions: routine, nonroutine, and accounting esti-mates. Distinguish between these three types of transactions and give an example of each.

18–13. When performing an integrated audit, auditors must identify signifi cant accounts and disclo-sures. What makes an account signifi cant? What factors should be considered in deciding whether an account is signifi cant?


Confi rming Pages


18–14. A client operates out of 25 locations. Must the CPA perform tests related to internal control at each of these locations?

18–15. Comment on the following: “Auditors must decide, based on cost considerations, whether to test the design eff ectiveness or operating eff ectiveness of controls.”

18–16. Provide an example of a situation in which the design of controls may be eff ective but those controls do not operate eff ectively.

18–17. Comment on the following: “Inquiry alone does not provide suffi cient evidence to support the operating eff ectiveness of a control.”

18–18. Comment on the following: “All controls should be tested either prior to or on the ‘as of’ date.”

18–19. What requirements exist when the auditors use the work of client personnel as a part of the evidence obtained for an audit of internal control? In which areas of the audit would one expect this to be most likely to occur?

18–20. Provide an example of a situation in which the performance of substantive procedures for the fi nancial statement audit might aff ect the internal control audit.

18–21. Provide an example of a situation in which the performance of tests of controls for the internal control audit might aff ect the performance of substantive procedures in a fi nancial statement audit.

18–22. Distinguish between entity-level controls and controls designed to achieve specifi c control objectives.

18–23. Provide three examples of fi ndings by the auditors that are at least signifi cant defi ciencies and strong indicators of the existence of a material weakness in internal control.

18–24. The auditors have completed an examination of internal control and are preparing to issue a report. Does the opinion paragraph on the client’s internal control conclude on internal control or management’s assessment of internal control?

18–25. What type of report on internal control is likely to be issued when management imposes a scope limitation?

18–26. If an adverse internal control report is issued by the auditors, may an unqualifi ed report be issued on the fi nancial statements?

18–27. Which types of defi ciencies must be communicated to the audit committee? 18–28. Describe the requirements involved when auditors are engaged to report on whether a previ-

ously reported material weakness continues to exist.

Questions Requiring Analysis

18–29. The CPA fi rm of Carson & Boggs LLP is performing an internal control audit in accordance with PCAOB Standard No. 5. The partner in charge of the engagement has asked you to explain the process of determining which controls to test. Describe the process, presenting each of the links in this process and a short summary of how the auditors approach each of them.

LO 1, 5 18–30. Tests of controls are ordinarily performed for both fi nancial statement audits and internal control audits.

a. What is the objective of tests of controls when performed for internal control audits? b. What is the objective of tests of controls when performed for fi nancial statement audits? c. How are these diff erent objectives reconciled in an integrated audit?

18–31. The CPA fi rm of Webster, Warren, & Webb LLP issued an adverse opinion on the internal control of Alexandria Financial, a public company, due to a material weakness. The weakness involved the lack of suffi cient accounting expertise to evaluate and adopt appropriate account-ing principles. Subsequent to issuance of the report, management of Alexandria hired a new controller to eliminate the weakness.

a. Describe what steps Alexandria must perform to engage Webster, Warren, & Webb to issue a report indicating that the weakness no longer exists.

b. Describe how Webster, Warren, & Webb should approach the engagement. c. Describe what Webster, Warren, & Webb must do if, during the course of the engagement,

a member of the audit team discovers another material weakness in internal control over fi nancial reporting. Will the new weakness aff ect the auditors’ report?

LO 6

LO 3


Confi rming Pages


All applicable questions are available with McGraw-Hill’s ConnectTM Accounting.

18–32. Multiple Choice QuestionsSelect the best answer for each of the following questions. Explain the reasons for your selection:

a. In an integrated audit, which of the following must the auditors communicate to the audit committee?

Known Material Known Signifi cant Weaknesses Defi ciencies

(1) Yes Yes(2) Yes No(3) No Yes(4) No No

b. In an integrated audit, which of the following lead(s) to an adverse opinion on internal control?



c. In an integrated audit, which of the following must be communicated by management to the audit committee?



d. Which of the following is most likely to be considered a material weakness in internal control? (1) Ineff ective oversight of fi nancial reporting by the audit committee. (2) Restatement of previously issued fi nancial statements due to a change in accounting

principles. (3) Inadequate controls over nonroutine transactions. (4) Weaknesses in risk assessment.

e. Which of the following is defi ned as a weakness in internal control that allows a reason-able possibility of a misstatement that is material?

(1) Control defi ciency. (2) Material weakness. (3) Reportable condition. (4) Signifi cant defi ciency.

f. The auditors identifi ed a material weakness in internal control in August. The client was informed and the client corrected the material weakness prior to year-end (December 31); the auditors concluded that management eliminated the material weakness prior to year-end. The appropriate audit report on internal control is:

(1) Adverse. (2) Qualifi ed. (3) Unqualifi ed. (4) Unqualifi ed with explanatory language relating to the material weakness.

LO 3

LO 6

LO 2

LO 6

LO 3

LO 6

Objective Questions


Rev.Confi rming Pages


g. Which of the following need not be included in management’s report on internal control under Section 404(a) of the Sarbanes-Oxley Act of 2002?

(1) A statement that the company’s auditors have issued an attestation report on manage-ment’s assertion.

(2) An identifi cation of the framework used for evaluating internal control. (3) Management’s assessment of the eff ectiveness of internal control. (4) Management’s acknowledgment of its responsibility to establish and maintain internal

control that detects all signifi cant defi ciencies.

h. Management’s documentation of internal control ordinarily should include information on:

Controls Designed Controls Designed to Ensure to Prevent Fraud Employee Personal Integrity


i. A material weakness is a control defi ciency (or combination of control defi ciencies) that results in a reasonable possibility that a misstatement of at least what amount will not be prevented or detected?

(1) Any amount greater than zero. (2) A greater amount than zero, but an amount that is at least inconsequential. (3) A greater amount than inconsequential. (4) A material amount.

j. A procedure that involves tracing a transaction from origination through the company’s information systems until it is refl ected in the company’s fi nancial report is referred to as a(n):

(1) Analytical analysis. (2) Substantive test. (3) Test of a control. (4) Walk-through.

k. Which of the following is not a typical question asked during a walk-through? (1) Have you ever been asked to override the process or controls? (2) What do you do when you fi nd an error? (3) What is the largest fraudulent transaction you ever processed? (4) What kind of errors have you found?

l. An audit of internal control over fi nancial reporting ordinarily assesses internal control:

(1) As of the last day of the fi scal period. (2) As of the last day of the auditor’s fi eldwork. (3) For the entire fi scal period. (4) For the entire period plus the period of the auditor’s fi eldwork.

18–33. While performing an internal control audit in conformity with PCAOB Standard No. 5, the auditors must be able to identify both control strengths and control weaknesses. Items (1) through (11) present various control strengths and defi ciencies. For each item, select from the following list the appropriate response.

A. Control strength for the revenue cycle (including cash receipts).

B. Control defi ciency for the revenue cycle (including cash receipts).

C. Control strength unrelated to the revenue cycle.

LO 2

LO 2

LO 3

LO 4

LO 4

LO 4

LO 4


Rev.Confi rming Pages


1. Credit is granted by a credit department. 2. Sales returns are presented to a sales department clerk who prepares a written prenum-

bered shipping report. 3. Statements are sent monthly to customers. 4. Write-off s of accounts receivable are approved by the controller. 5. Cash disbursements over $10,000 require two signatures on the check. 6. Cash receipts received in the mail are received by a secretary with no record keeping

responsibility. 7. Cash receipts received in the mail are forwarded unopened, with remittance advices, to

accounting. 8. The cash receipts journal is prepared by the treasurer’s department. 9. Cash is deposited weekly. 10. Support for disbursement checks is canceled after payment by the treasurer. 11. Bank reconciliation is prepared by individuals independent of cash receipts record keeping.

18–34. Simulation Bill Jensen, a staff member of Zhan & Co., CPAs, has given you the following list of what he refers to as “internal control defi ciencies” for the Zabling Co. audit and has asked you to review each point and make certain that you agree that each is an internal control defi ciency. For each of the following items, reply A (Agree) or D (Disagree) indicating whether the item represents an internal control defi ciency.

a. Voided checks are torn up and destroyed.

b. Separate sequences of prenumbered checks are used for each bank account.

c. The purchasing department manager and assistant manager are the authorized check signers.

d. No checks are made payable to cash.

e. The authorized check signers reconcile bank accounts.

f. All cash receipts (checks) received through the mail are prelisted by the two individuals who open the mail.

g. All cash receipts received through the mail are restrictively endorsed when received.

h. When a disbursement is made based on paper supporting documents, those supporting documents are canceled by the individual who signs the check.

18–35. Match the following defi nitions (or partial defi nitions) to the appropriate term. Each term may be used once or not at all.

Items to be answered:

LO 4

LO 2, 3, 4, 6

Defi nition (or Partial Defi nition) Term

a. A control defi ciency, or a combination of control defi ciencies, in internal control over fi nancial reporting, such that there is a reasonable possibility that a material misstate-ment of the company’s annual or interim fi nancial statements will not be prevented or detected on a timely basis

b. A weakness in the design or operation of a control that does not allow management or employees, in the normal course of performing their functions, to prevent or detect misstatements on a timely basis

c. An account for which there is a reasonable possibility that it could contain misstate-ments that individually, or when aggregated with others, could have a material effect on the fi nancial statements

d. The primary section of the Sarbanes-Oxley Act dealing with management and auditor reporting on internal control over fi nancial reporting

e. Those transaction fl ows that have a meaningful bearing on the totals accumulated in the company’s signifi cant accounts and, therefore, have a meaningful bearing on relevant assertions

f. Tracing a transaction from origination through the company’s information systems until it is refl ected in the company’s fi nancial reports

1. Control defi ciency 2. Detective controls 3. Major classes of transactions 4. Material weakness 5. Nonroutine transaction 6. Routine transaction 7. Section 243 8. Section 404 9. Signifi cant account10. Signifi cant defi ciency11. Substantive procedure12. Walk-through


Confi rming Pages


All applicable problems are available with McGraw-Hill’s ConnectTM Accounting.

18–36. Your working papers for an integrated audit being performed under PCAOB Standard No. 5 include the narrative description below of the cash receipts and billing portions of internal control of Slingsdale Building Supplies, Inc. Slingsdale is a single-store retailer that sells a variety of tools, garden supplies, lumber, small appliances, and electrical fi xtures to the public, although about half of Slingsdale’s sales are to construction contractors on account. Slingsdale employs 12 salaried sales associates, a credit manager, three full-time clerical workers, and several part-time cash register clerks and assistant bookkeepers. The full-time clerical workers perform such tasks as cash receipts, billing, and accounting and are ade-quately bonded. They are referred to in the narrative as “accounts receivable supervisor,” “cashier,” and “bookkeeper.”

Retail customers pay for merchandise by cash or credit card at cash registers when merchan-dise is purchased. A contractor may purchase merchandise on account if approved by the credit manager, based only on the manager’s familiarity with the contractor’s reputation. After credit is approved, the sales associate fi les a prenumbered charge form with the accounts receivable (AR) supervisor to set up the receivable.

The AR supervisor independently verifi es the pricing and other details on the charge form by reference to a management-authorized price list, corrects any errors, prepares the invoice, and supervises a part-time employee who mails the invoice to the contractor. The AR supervi-sor electronically posts the details of the invoice in the AR subsidiary ledger; simultaneously, the transaction’s details are transmitted to the bookkeeper. The AR supervisor also prepares a monthly computer-generated AR subsidiary ledger (without a reconciliation with the AR control account) and a monthly report of overdue accounts.

The cash receipts functions are performed by the cashier, who also supervises the cash register clerks. The cashier opens the mail, compares each check with the enclosed remittance advice, stamps each check “for deposit only,” and lists checks for deposit. The cashier then gives the remittance advices to the bookkeeper for recording. The cashier deposits the checks daily, separate from the daily deposit of cash register receipts. The cashier retains the verifi ed deposit slips, to assist in reconciling the monthly bank statements, but forwards to the book-keeper a copy of the daily cash register summary. The cashier does not have access to the journals or ledgers.

The bookkeeper receives the details of transactions from the AR supervisor and the cashier for journalizing and posting to the general ledger. After recording the remittance advices received from the cashier, the bookkeeper electronically transmits the remittance information to the AR supervisor for subsidiary ledger updating. The bookkeeper sends monthly statements to contractors with unpaid balances upon receipt of the monthly report of overdue balances from the AR supervisor. The bookkeeper authorizes the AR supervisor to write off accounts as uncol-lectible when six months have passed since the initial overdue notice was sent. At this time, the credit manager is notifi ed by the bookkeeper not to grant additional credit to that contractor.

a. Based only on the information in the narrative, describe the internal control defi ciencies in Slingsdale’s internal control over the cash receipts and billing functions. Organize the weaknesses by employee job function: Credit manager, AR supervisor, Cashier, and Bookkeeper.

b. Assume that you have performed your audit of internal control in conformity with PCAOB standards. Based on your results for part (a), you believe that several of the defi ciencies represent material weaknesses. What eff ect will this have on your report on Slingsdale’s internal control? Which types of opinions may be appropriate?

c. What communication responsibilities do you have for any weaknesses that represent sig-nifi cant defi ciencies?

LO 4

Narrative:

Required:

18–37. For each of the following independent cases, state the highest level of defi ciency that you believe the circumstances represent—a control defi ciency, a signifi cant defi ciency, or a mate-rial weakness. Explain your decision in each case.

The company processes a signifi cant number of routine intercompany transactions. Individual intercompany transactions are not material and primarily relate to balance sheet activity—for example, cash transfers between business units to fi nance normal operations. A formal man-agement policy requires monthly reconciliation of intercompany accounts and confi rmation of balances between business units. However, there is not a process in place to ensure performance

LO 6

Case 1:

In-Class Team Cases

Problems


Confi rming Pages


of these procedures. As a result, detailed reconciliations of intercompany accounts are not performed on a timely basis. Management does perform monthly procedures to investigate selected large-dollar intercompany account diff erences. In addition, management prepares a detailed monthly variance analysis of operating expenses to assess their reasonableness.

During its assessment of internal control over fi nancial reporting, management identifi ed the following defi ciencies. Based on the context in which the defi ciencies occur, management and the auditors agree that these defi ciencies individually represent signifi cant defi ciencies:

• Inadequate segregation of duties over certain information system access controls. • Several instances of transactions that were not properly recorded in the subsidiary ledgers;

the transactions involved were not material, either individually or in the aggregate. • No timely reconciliation of the account balances aff ected by the improperly recorded

transactions.

The company uses a standard sales contract for most transactions, although sales personnel are allowed to modify sales contract terms as necessary to make a profi table sale. Individual sales transactions are not material to the entity. The company’s accounting personnel review sig-nifi cant or unusual modifi cations to the sales contract terms, but they do not review changes in the standard shipping terms. The changes in the standard shipping terms could require a delay in the timing of revenue recognition. Management reviews gross margins on a monthly basis and investigates any signifi cant or unusual relationships. In addition, management reviews the reasonableness of inventory levels at the end of each accounting period. The company has experienced limited situations in which revenue has been inappropriately recorded in advance of shipment, but amounts have not been material.

The company has a standard sales contract, but sales personnel frequently modify the terms of the contract. Sales personnel frequently grant unauthorized and unrecorded sales dis-counts to customers without the knowledge of the accounting department. These amounts are deducted by customers in paying their invoices and are recorded as outstanding balances on the accounts receivable aging. Although these amounts are individually insignifi cant, they are material in the aggregate and have occurred consistently over the past few years.

The company has found it necessary to restate its fi nancial statements for the past two years due to a material overstatement of revenues two years ago (and an equal understatement last year). The errors are due to sales of certain software that allowed the purchasers extremely lenient rights of return. The errors were discovered shortly following the end of the current accounting year. Members of management indicated that the misstatements occurred because they simply didn’t know the accounting rules. Now they know the rules and they won’t let it happen again.

Assume the same facts exist as in Case (5) except that you, the auditor, have identifi ed the misstatements at the end of June of the year currently under audit. Members of management acknowledged that the misstatements occurred because they simply didn’t know the rules at the time, and now they know the rules. Management, within the last six months of the year under audit, hired a new fi nancial accounting expert and believes that the control weakness has been corrected as of year-end. Management believes that it is extremely unlikely that such a misstatement could occur again with the new expert reviewing these matters.

Assume the same facts exist as in Case (6), except that management has informed the chief fi nancial offi cer that she must watch over these matters much more carefully. She has attended several CPE courses on accounting and seems to be caught up in the area in which the mis-statements occurred.

Subsequent to year-end, the auditors have determined that they believe that management has understated its warranty obligations. The auditors know that, according to the Professional Standards, they should consider the diff erence between management’s estimate and the clos-est reasonable estimate as “likely misstatement.” The chief fi nancial offi cer (CFO) has argued that this amount is reasonable. Yet, in fact, neither the auditors nor the CFO knows which amount is right. The CFO is under no particular pressure to meet an earnings forecast; he just thinks that the warranty obligations for many of the products will expire and will not be exer-cised. Still, the CFO can’t convince the auditors. Likewise, the auditors can’t convince the CFO of their position. The CFO fi nally agrees to a material adjustment to get to the auditors’ amount and “keep the peace.”

(Adapted from PCAOB Standard No. 5 )

Case 2:

Case 3:

Case 4:

Case 5:

Case 6:

Case 7:

Case 8:


Date post:	07-Nov-2014
Category:	Business
Upload:	chocolateblueskittles
View:	1,920 times
Download:	0 times

Ac410 whittington 18 ed_ch18

Business