Audit - Chap 6

Solutions Manual to accompany Auditing: a practical approach 2nd edition by Jane Hamilton


CHAPTER 6

Gaining an understanding of the client's system of internal controls

© John Wiley & Sons Australia, Ltd 2013


REVIEW QUESTIONS

6.11 If an auditor does not intend to rely on internal controls in the audit, does the auditor need to obtain an understanding of internal control? Explain.

ASA 315 requires the auditor to obtain an understanding of internal control on all audit engagements. Therefore, even if the auditor intends to take an entirely substantive approach to the audit and not rely on internal controls, the auditor must obtain an understanding of internal control. This is because without gaining this understanding, the auditor will not fully understand the risks of material misstatement of the financial report. ASA 315 states that gaining an understanding of the entity and its environment, including its internal control, establishes a frame of reference within which the auditor plans the audit and exercises professional judgement throughout the audit.

The standard allows the auditor to use professional judgement to determine the extent of the understanding of internal controls required in each case.

6.12 Explain the difference between entity-level controls and transaction-level controls. Is an auditor interested in both?

Entity-level controls are:

1. the control environment
2. the entity’s risk assessment process
3. the information system, including the related business processes, relevant to financial reporting, and communication
4. control activities
5. monitoring of controls

Each of these controls relates to the whole organisation.

Transaction-level controls are controls that impact a particular transaction or group of transactions.

Therefore, the difference is that entity-level controls have the potential to impact all of the processes in the organisation, including those that have a direct impact on the financial report and others, while transaction-level controls impact only a specific group of transactions. Transactions make up the financial report that the auditor is auditing, and can be impacted by both entity-level and transaction-level controls. This is why an auditor would be interested in both types of controls.


6.13 Discuss the contention that the control environment is the most important part of a system of internal controls because it provides the foundation.

The control environment sets the tone of the entity and influences the control consciousness of its people. People, through their actions, determine the effectiveness of internal controls. If the control environment does not encourage ethical behaviour and high quality work, the people within an organisation could fail to implement controls or override them when performing their duties. Even the best control system is not 100% effective, and all systems are less effective if the people working with them do not support the systems.

However, all components of an internal control system are important. Having a strong control environment will not be sufficient by itself to ensure that an organisation is able to achieve its objectives.

6.14 Explain why an auditor would be interested in the functioning of the human resources department within an organisation.

The human resources department within an organisation is responsible for hiring, inducting, training, evaluating, counselling, promoting and compensating employees. This means that the HR department is responsible for ensuring that the organisation’s employees are competent and honest. As such, the HR department sets policies and procedures which have a direct effect on the organisation’s control environment. For example, the HR department ensures that employees have the required skills and qualifications for the position they are appointed to. The HR department influences the ability of the organisation to retain trained, competent, and experienced employees to discharge the duties required for the effective operation of the internal control systems.

An auditor can gain an understanding of the organisation’s standards, commitment to quality, and the likelihood of effective control by studying the operation of the HR department.

6.15 What sort of risks would an entity’s risk assessment process consider? Give some examples for a retailer. Which of these risks would be relevant to financial reporting? Explain.

An entity’s risk assessment process would consider risks to its achievement of its objectives at all levels. These would include: risks to revenue through product competition, to attracting and retaining staff, exchange rate risks, transport interruption risks (both freight and passenger transport delays affecting staff and customers), climate change risk, financing risk (obtaining and servicing loans), supply risks, and risks relating to protection of assets from theft and fraud etc.

A retailer would have a particular focus on the risk of not being able to buy the appropriate products from reputable suppliers, product quality risks which would lead to sales returns and/or warranty claims, exposure to exchange rate risks if suppliers are located in other countries, transport risk affecting imports, competitive risks from other retailers in the same location or servicing the same type of customer, staff risks relating to attracting and retaining the right type of staff for all shifts, physical risks including power interruption, shopping centre building issues, financing risks relating to funding product purchases and paying expenses prior to receipt of cash from customers, and protection of assets and the integrity of sales and other transactions in the accounts. The retailer would be interested in identifying and controlling risks to its ability to operate and achieve its objectives.

All uncontrolled risks for the entity could affect the ability of the entity to survive (i.e. be a going concern). Therefore, all risks are of interest to the auditor. However, the auditor is most directly concerned with risks relating to protection of assets and the integrity of transactions in the accounts. The auditor must consider the risk to the accounts so that the audit can be planned with appropriate consideration of the risk of material misstatement.

6.16 Explain the importance of segregation of incompatible duties. What sort of duties would be segregated within the sales process? Why?

Segregation of incompatible duties is a part of the control activities of an organisation. Control activities are policies and procedures that help make sure management’s directives are carried out. The concept of segregation of incompatible duties is that no one employee or group of employees should be in a position both to perpetrate and hide errors or fraud in the normal course of their duties. If these duties are not segregated, an employee could steal assets (such as cash or stock) and adjust the records to conceal the theft. If the duties are segregated, the employee stealing the assets would have to get the cooperation of another employee to adjust the records to hide the theft.

Therefore, it is very important for the effective operation of a control system that incompatible duties are split between different employees.

Within the sales process, the person making the sale is not responsible for recording the sale, and should not be able to process a sales return or other adjustment to a debtor’s account balance. If these duties were not segregated, the sales employee could record a sale to a fictitious customer and take the goods for themselves. To conceal the theft, the employee would later process a sales return or adjustment to eliminate the balance in the fictitious debtor’s account.

6.17 Why would an auditor be interested in a client’s control monitoring processes?

A client should have processes for monitoring the effectiveness of its internal controls because circumstances and conditions change over time and controls need to adjust accordingly. An out-of-date control system may not be able to alert management to new risks, or control new types of transactions. The monitoring process allows the client to assess the need for changes to internal controls. As such, the auditor will be interested in the effectiveness of the monitoring system and whether the client’s management are able to be sure that internal controls remain current and valid. The auditor will also be able to assess the client’s management attitude to internal control systems through evaluation of the monitoring processes within the client.


6.18 Discuss the role of internal audit in an entity’s system of internal controls. Is internal audit an essential element of a control system? Explain.

Internal audit is a part of an entity with responsibility for assessing the performance of the entity’s control systems and making evaluations of the client’s activities. Internal auditors provide information about the functioning of the entity’s internal control system, its strengths and weaknesses, and make recommendations for improvements, to the entity’s management. Although internal audit departments are usually separate to other functions within the client, they are not independent of the client.

Not all organisations have an internal audit department. Smaller organisations usually do not have an internal audit function and many larger organisations outsource the internal audit function to a third party. However, as organisations become larger, the level of importance placed by an entity on its internal audit function can be a guide to its overall commitment to internal control.

6.19 Four approaches to internal control documentation are discussed in the chapter. Assess the advantages and disadvantages of each. How would documentation assist the auditor to identify strengths and weaknesses of an entity’s system of internal controls?

The four approaches to internal control documentation are:

1. Narratives; the advantage is that the process can be described in full; the disadvantage is that it can take many words to describe a process in full.

2. Flowcharts or logic diagrams; the advantage is that the standardised graphics allow a large amount of information to be presented on a single page to represent complex flows of transactions and the key controls. If there is common understanding of the symbols, it is easier to review and understand. The disadvantage is that the reader may not understand the symbols or require additional clarification.

3. Combinations of narratives and flow charts or logic diagrams; the advantage is that complex systems can be described using standardised symbols, with additional narrative to explain steps that are hard to chart. The disadvantage is that both the diagram and narrative have to be prepared and checked for consistency.

4. Checklists and preformatted questionnaires; the advantage is that it is helpful to inexperienced auditors because the checklist guides the process and assists in identifying critical controls. The disadvantage is that it can inhibit an experienced auditor and slow down the process.

The documentation assists the auditor because the process of preparing the documentation prompts the auditor to ask detailed questions in order to gain a full understanding. An experienced auditor would be able to identify departures from the systems used at similar organisations and the graphical forms of documentation reveal quickly the destination of all copies of documents.


6.20 Why do auditors prepare management letters?

ASA 260 requires the auditor to communicate matters from the audit with those charged with governance, and ASA 265 governs communicating deficiencies in internal control to those charged with governance and management. To satisfy the requirements in these standards, the auditor will prepare a management letter to those charged with governance. The auditor will also communicate on a timely basis with management of the entity, where appropriate, the deficiencies in internal control revealed during the audit that are either being communicated to those in governance or are not. The auditor uses their professional expertise to inform management about deficiencies in the internal control system which could affect the integrity of the financial report either in the current financial period or in the future. The feedback is provided in written form so that there is no confusion about the fact of the report or the observations and recommendations being made. The management of the entity is able to use the written report as a basis for a response. Sometimes, management is able to use a letter written at an interim stage of the audit as a basis for a response before the end of the audit.

6.21 Why don’t auditors usually test entity-level controls as part of the audit?

Entity level controls are the collection of the internal control components of control environment, entity’s risk assessment process, the information system, control activities, and control monitoring (ASA 315/ISA315). The entity level controls exist at an organisational or entity level rather than at a more detailed transaction level. The auditor is required to gain an understanding of the entity level controls, but they are not specifically tested. They are not specifically tested because of the difficulty in trying to do so. For example, there is rarely audit evidence that a control such as the ethics/tone at the top of an organisation is in existence and operating effectively, in the same way that there would be evidence that sales transactions above a specified level must be authorised by the sales manager. In addition, entity-level controls by themselves are not usually sensitive enough to prevent or detect and rectify material errors, such as controls over large sales transactions would prevent an incorrect sales figure entering the system.

6.22 In the sales transaction process, a key control affecting the accuracy assertion for sales is ‘Credit committee review and approve all applications for credit over $1000’. Explain the impact of this control on the valuation assertion for sales receivable (debtors).

A control such as ‘Credit committee review and approve all applications for credit over $1000’ will require applications for credit over the specified amount being separately authorised. This control is related to the accuracy assertion for sales because it prevents sales transactions being recorded that are incorrectly processed. For example, if a data entry error is made so that a sale for $500 is incorrectly entered as $5,000, the transaction would not be accepted until it had been authorised. Because there is a data entry error, the person responsible for authorising the transaction should notice that it is not for $5,000, but should be entered as $500. The control also impacts on the valuation assertion for sales receivable because it would prevent the incorrect sale being entered to the debtors account, and thus prevent it from being overstated. In addition, if sales are genuinely being made for amounts over $1,000, the authorising person has a chance to consider if the debtor has capacity to pay large amounts. Procedures to check the credit-worthiness of debtors are likely to improve the chances of the amounts being paid by the debtors (because only debtors that can and will pay their debts are allowed to buy on credit), increasing the likelihood that debtors are valued correctly.


PROFESSIONAL APPLICATION QUESTIONS

6.23 Understanding client controls

Required

Explain why the junior auditor’s suggestion is not appropriate.

The junior auditor’s suggestion is not appropriate because the auditor needs to have sufficient appropriate evidence about the effectiveness of controls in the current year. Any change in either the controls or the conditions would make last year’s evidence not applicable to the current period. At a minimum, the auditor would need evidence that the conditions remained the same and that the controls had not altered. The auditor should also consider whether the controls are able to provide sufficient control in the current circumstances. Even if there had been no changes since last period, the auditor should evaluate the effectiveness of the controls and draw a conclusion on the degree to which they can be relied upon.

In this particular case, the controls were assessed with respect to their ability to ensure compliance with the regulations. It is likely that additional work is required for the controls to be assessed for their effectiveness at preventing or detecting material misstatements at the assertion level because this is a different objective.

6.24 Importance of internal control

Required

(a) Make a list of the potential problems that could occur in Powersys’ maintenance and improvements program.

(b) Suggest ways that good internal control over parts, equipment and labour could help Powersys avoid these problems.

(a) Potential problems include:

- Problems with communication systems stop emergency reports reaching the response teams in a timely manner
- Police or other emergency services are unable to contact Powersys during an emergency because they do not have the required contact information or staff at Powersys are not rostered on to respond to emergencies
- Trained staff are not available to respond to emergencies through mismanagement of leave or failure to recruit and train staff
- Storms, fires or other emergencies are more extensive than anticipated and not enough staff and equipment are available to respond
- Equipment, such as vehicles, diggers and cherry pickers, are not operational due to lack of suitable maintenance
- Not sufficient supplies of specialised tools and parts are held in stores
- The large warehouse is not accessible in an emergency because the key holder is away sick or on leave
- Too many staff are rostered onto normal maintenance and not enough available for emergency response in a particular geographic location
- Changes are made to the electricity distribution system so that different parts are required for maintenance and these new parts are not ordered in time


(b) Suggested internal controls include:

- Responsibility for maintaining communication systems with emergency services assigned to a senior staff member at Powersys who also has information about staff rosters
- HR department is made aware of staffing requirements for emergency response and reports to senior management on achievement of staff targets
- HR department oversees policies and procedures for staff training to ensure that sufficient staff within the organisation have the required skills and qualifications
- Scientific modelling of emergency situations, taking into account population growth and climatic conditions
- Schedule of maintenance for equipment coordinated with senior staff responsible for emergency response
- Stores report on holdings of various parts, with integration with new equipment purchases
- Stores maintain security systems and assign responsibility for staff member to coordinate with emergency response teams
- Staff schedules and rosters approved by senior management with consideration of balance between maintenance and emergency response

6.25 Segregation of duties in small business

Required

(a) Discuss the attitude and control consciousness of Big State Computers’ management.

(b) Which duties should be segregated in this business? Recommend an appropriate allocation of duties for the staff at Big State Computers.

(a) The accounts show that the controls over sales, debtors and cash receipts are not good. The accounts are not up to date and client statements have not been issued for four months. These tasks were apparently the responsibility of the junior trainee, Sally, under the supervision of Max. Max appears to have been unaware of the problems, suggesting that he is not monitoring the processes very closely. Overall, this means that the management’s attitudes towards internal controls in general, and the accounts in particular, are not good. The fact that the bank has asked them to meet to discuss their worsening cash position also suggests that they are not managing their cash flow adequately.

Although Betty is responsible for technical issues, such as repairing computers, rather than the administration side of the business, she is also an owner of the business and as such should be involved in setting the tone of the organisation. Max and Betty appear to have failed to establish good internal controls and to communicate and enforce the importance of the systems to their staff. There is no evidence of any unethical behaviour by the staff, but they do not appear to have been adequately trained and/or appropriately selected for the positions they hold.

In a small business, such as this, management involvement is a substitute for a large system of formal controls. This means that Max and Betty must be personally involved in authorising and supervising transactions to a greater extent than if there were more staff.


(b) Segregation of duties should follow the broad principle that the following duties are segregated:

- Authorisation or approval of transactions affecting assets
- Custody of assets
- Recording or reporting of transactions
- Control over processing of a transaction should be separated from recording or reporting a transaction

Sally is employed to help with administration. The other staff are a computer technician and a sales part-timer. This means that Sally and Max are the only two staff currently with administrative responsibilities. It will be difficult to adequately segregate duties with only two staff in the area. Therefore, Max and Betty must perform additional review tasks, such as separately reviewing all transactions over a certain limit, monthly reports of debtors’ balances and transactions, bank reconciliations etc.

In addition, if Sally retains the task of banking, she should not be involved in recording transactions, particularly cash receipts. An alternative would be for Max to do the banking and leave Sally responsible for transaction processing. Betty could take responsibility for stock control, so that the sales staff are not involved in maintaining stock records as well as having access to the stock for making sales.

6.26 Control environment

Required

How does the above information affect your understanding of the control system at Cheetah Airways?

The information available to the auditor raises questions over the tone at the top of Cheetah Airways because it is alleged to have engaged in cartel activities (activities relating to distorting the market for freight or passengers). Specifically, is there a commitment to integrity and ethical values in the organisation? What is management’s philosophy and operating style? Is there a win-at-all-costs attitude and lack of respect for laws that affect the business?

At the time of the audit there is an investigation by the ACCC, but no prosecution against the client. However, several customers of the audit client have taken their business elsewhere. This fact also raises questions for the auditor because it suggests that the client’s revenue has been adversely affected, and could be more adversely affected if other customers also take this action. In the extreme case, there could be questions about the audit client’s ability to continue as a going concern (although this would require many more customers to also leave), and could impact on the auditor’s opinion.

If there is a poor ethics/tone at the top, or evidence of fraudulent or illegal activities, the auditor should consider whether the client is one that they wish to continue to audit. The auditor should reconsider the information it gathered at the time of taking over the client – what did the prior auditor disclose, what did the auditor’s investigations disclose etc. Ultimately, the auditor will have to document the action taken to investigate the matter and consider the integrity of the client, and any impact on the auditor’s ability to perform the audit. For example, has the auditor had any difficulties in getting access to records and personnel it requires in order to do the audit? Has the client been able to offer the auditor any assurances about their integrity? The auditor may conclude that the bad publicity is unwarranted and the departure of several customers is more related to activities by the client’s competitors. Alternatively, the auditor may decide to resign from the audit engagement if the client is unable to provide the assurances required.

6.27 Expense transaction risk

Required

Discuss the risk of misstatement for depreciation costs. What could go wrong?

The main risk for depreciation costs is that they are understated. ‘What could go wrong’ is that it will overstate profits and overstate the written down value for assets.

Capitalising expenditure on maintenance that should be a cost of the period by designating it as improvements would understate expenses. Depreciation expense could also be understated if the rate is reduced or new additions to assets are not depreciated. Auditors should determine if the accounting policy to capitalise maintenance and amortisation over the maintenance period is reasonable under the accounting standards.

Depreciation costs have decreased even though the cost of aircraft and engines has not changed. This suggests that the scheduled period for maintenance is greater (a longer period before the next major maintenance is scheduled). This would be justified if the aircraft are flying fewer kilometres each year (a possibility if the GFC has led to flight cancellations). Auditors should investigate the flight schedules for aircraft to determine if the distances flown are lower.

6.28 Control environment

Required

Discuss the impact of the background material for Red Minerals on your likely assessment of entity-wide controls at Red Minerals.

The information suggests that there are problems with the client’s control environment surrounding the chemical spill incident. What are the circumstances of the spill? Was there evidence of suitable precautions being taken or was management treating the potential problem lightly because the country is poor (currency devaluation issues suggest economic problems in Bangaloo)? Was there evidence of appropriate consideration of the risks of a chemical spill and the impact of the cost of clean-up on the company? What action has management taken to repair the damage? Is the company’s failure to repair the damage evidence of financial problems at the client?

The petty theft could be simply a problem isolated to several dishonest employees, or could be further evidence of poor control procedures at the client. Is the resignation of the COO related to either the chemical spill or the theft? Does it signify that there are further problems at the client which the client has not provided information about to the auditor? What procedures have been adopted to find a replacement?

The auditor should consider whether those charged with governance (board of directors) are aware of the problems and taking action. Has the board established suitable policies for dealing with the risk of operating in Bangaloo?


What evidence can the auditor gather about Red Minerals’ management’s philosophy and operating style? What approach has management taken to establishing procedures to implement policies around the risk of chemical spills and control over company assets? How have the policies and procedures, as well as the ethical values of the organization, been communicated from the board to management and more widely in the organization?

6.29 Revenue fraud risk

Required

Explain why the revenue in income statements is at significant risk of fraudulent financial reporting by management.

The GFC creates additional pressures on management to achieve performance targets, including revenue growth and profit. In the case of Leopard Airways, there is a risk that the amount of revenue received in advance is transferred to revenue too early because it would help management achieve their revenue and profit targets. The evidence from the financial statements suggests that there is a greater fall in revenue received in advance than in revenue. This could occur if revenue received in advance is incorrectly treated as revenue of the period (revenue in advance would be decreased and revenue for the period would be increased). Although both types of account are lower than previous years, the decrease is not evenly distributed across the two types of account, as would be expected. However, an alternative explanation is that the revenue in advance is lower because bookings for the next period have fallen even further than bookings for the current period.


6.30 Objectives of internal control

Required

(a) Give examples of transactions that would occur at Emerald Spa.

(b) Explain what could go wrong with these transactions if the system of internal controls could not meet any of the seven generally accepted objectives of internal controls.

(a) Transactions would include:

- Cash receipts from customers for services
- Reimbursement from health insurance companies for counselling and massage services
- Credit purchases of supplies, such as oils, hair products
- Electronic funds transfers to pay wages
- Cheque payments for rent, electricity, furniture purchases, insurances, tax remittances, advertising
- Depreciation for furniture and equipment

(b) Potential problems in transactions if control system does not meet objectives include:

- Incorrect pricing used for customer services; services provided but not charged to customers or recorded in the accounts; duplicate receipts recorded
- Not all cash receipts are banked intact in a timely manner
- Failure to claim reimbursements from health insurance companies on behalf of clients, or claims for the wrong services
- Ordering wrong supplies or sufficient supplies to meet demand
- Failure to keep supplies safely locked away, as required
- Failure to record purchase of supplies; payment for supplies not received; incorrect cost of supplies recorded
- Branch manager approves salary payments for hours not worked by staff, at wrong rates, or for staff that do not work for the business
- Failure to control costs such as electricity, through inefficient use of equipment
- Equipment and furniture not accounted for, not kept secure at the premises, charging depreciation on furniture and equipment no longer used by the business; failure to record depreciation because equipment not recorded as asset
- Repairs to furniture and equipment recorded as new purchases of assets; new purchases recorded as repairs

6.31 Control environment at a large company


Required
Discuss the control environment at International Bank assuming the press reports are correct. Which parts appear to be most deficient?

The problems at International Bank (IB) appear to begin at the most senior levels of the foreign currency department, rather than with an individual trader. The attitude at senior levels was that if the trader was able to make a profit, the official policies and procedures could be ignored, or overridden. This suggests that the control environment in the department did not reinforce integrity and ethical values, and encouraged risk taking in pursuit of profit. Questions must be asked about more senior levels in IB: if senior management of one department has a poor ethical attitude, how was this viewed by higher levels of management and those charged with governance? Did senior levels in the foreign currency department hide their attitudes from their supervisors, or did those supervisors ‘turn a blind eye’ to the issue provided the department was profitable? The press reports suggest that the poor ethical attitudes are not confined to the foreign currency department, adding weight to the view that more senior management were likely to have poor attitudes to ethical conduct. There should have been stronger communication and enforcement of integrity and ethical values through the organisation, through measures such as codes of conduct.

The press reports do not suggest that the rogue trader or the supervisors lacked technical knowledge about foreign currency trading.

The organisation structure at IB could be deficient if there was not effective supervision of the foreign currency department. In addition, HR policies and practices were either ignored or were nonexistent with respect to inculcating ethical attitudes and behaviour.

Overall, the most significant problem was with communication and enforcement of integrity and ethical values.

Other considerations:
- The risk assessment processes at IB appear not to have considered the potential problems in the foreign currency department, or at least not to have addressed them in full.
- The information system should have produced reports to more senior levels of these irregularities.
- Control activities, such as performance reviews, should have detected the common occurrence of the risky trading behaviour, or alerted senior management to excessive profitability based on risky activity.
- Internal audit department of IB should have provided information on the risky trades to those charged with governance.
- Finally, transaction level controls should have prevented or detected the large trades and unbalanced positions.

6.32 Segregation of duties and documentation


Required
(a) Create a flowchart to represent the flow of transactions from the raising of a purchase order to cash payment.
(b) Which duties in the above process should be segregated?

(a) [Flowchart: requisition to supplier payment. The boxes and decision points recoverable from the figure, in the order they appear:]
- Requisition for stock prepared by stores sent to purchases department
- Decision: Funds available? (Yes / No)
- Decision: Approved vendor available? (Yes / No)
- Refer to purchases manager to source approved supplier
- Request approval to exceed purchases limit
- Decision: Request approved? (Yes / No)
- Reject purchase requisition
- Create purchase order and send to vendor
- Receiving report, packing list and supplier invoice received
- Decision: Do quantities, unit price and shipping agree to purchase order? (Yes / No)
- Contact supplier to resolve discrepancy
- Stock receival process
- Supplier payment process
- Process purchase in purchase ledger


(b) As indicated on the flowchart, the stores which create the requisition and receive the goods are separate from the purchasing process. The store’s manager is not permitted to make purchases directly with suppliers because there needs to be a segregation of the authority to commit the entity to purchasing goods and the custody of the goods. The recording of purchases into the stock account is separated from the record keeping at the stores.

Also, the payment process is separate from the purchases process. At various points in the process, permission is sought from the purchases manager and the accountant for action. The purchases manager arranges for suppliers to be selected and approved. Only approved suppliers are used to ensure that they are reliable and the items meet the entity’s specifications. The accountant gives permission to create purchase orders if the purchases department does not have approved funds available.

Payment is not approved for processing until the purchase order, receiving report and packing list, and supplier invoice are matched and reconciled. Not shown on this flowchart, approval for processing the payment would be required before the supplier is paid.
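The matching rule described in (b), written out as an added example that is not part of the solutions manual: a payment is released for approval only when the purchase order, receiving report and supplier invoice agree. The document fields, the vendor name and all sample data are constructed assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass
from decimal import Decimal
from typing import Optional


@dataclass(frozen=True)
class Line:
    sku: str
    qty: int
    unit_price: Optional[Decimal] = None  # receiving reports carry no price


@dataclass(frozen=True)
class Document:
    kind: str          # "purchase order", "receiving report", "supplier invoice"
    po_number: str
    vendor: str
    prepared_by: str   # department that raised the document
    lines: tuple


def three_way_match(po, receipt, invoice, approved_vendors):
    """Return every discrepancy found; an empty list means the documents agree."""
    issues = []
    if po.vendor not in approved_vendors:
        issues.append(f"vendor {po.vendor!r} is not an approved supplier")
    for doc in (receipt, invoice):
        if doc.po_number != po.po_number:
            issues.append(f"{doc.kind} cites {doc.po_number}, not {po.po_number}")
    if invoice.vendor != po.vendor:
        issues.append(f"invoice is from {invoice.vendor!r}, order went to {po.vendor!r}")
    # Authority to commit the entity and custody of the goods must sit apart.
    if receipt.prepared_by == po.prepared_by:
        issues.append("purchase order and receiving report prepared by the same department")

    # Assumption: each SKU appears at most once per document.
    ordered = {l.sku: l for l in po.lines}
    received = {l.sku: l.qty for l in receipt.lines}
    invoiced = {l.sku: l for l in invoice.lines}
    for sku in sorted(set(ordered) | set(received) | set(invoiced)):
        if sku not in ordered:
            issues.append(f"{sku}: on receipt or invoice but never ordered")
            continue
        want, got, bill = ordered[sku], received.get(sku, 0), invoiced.get(sku)
        if got != want.qty:
            issues.append(f"{sku}: ordered {want.qty}, received {got}")
        if bill is None:
            issues.append(f"{sku}: ordered but not invoiced")
            continue
        if bill.qty != got:
            issues.append(f"{sku}: invoiced {bill.qty}, received {got}")
        if bill.unit_price != want.unit_price:
            issues.append(f"{sku}: invoiced at {bill.unit_price}, ordered at {want.unit_price}")
    return issues


def release_for_payment_approval(po, receipt, invoice, approved_vendors):
    """True only when nothing is outstanding; approval itself is a separate step."""
    return not three_way_match(po, receipt, invoice, approved_vendors)


# --- constructed sample documents -------------------------------------------
APPROVED = {"Example Supplier Pty Ltd"}
PO = Document("purchase order", "PO-1001", "Example Supplier Pty Ltd", "purchasing", (
    Line("PILLOW", 100, Decimal("6.00")), Line("SHEET-Q", 40, Decimal("18.50"))))
GOOD_RECEIPT = Document("receiving report", "PO-1001", "Example Supplier Pty Ltd", "stores", (
    Line("PILLOW", 100), Line("SHEET-Q", 40)))
GOOD_INVOICE = Document("supplier invoice", "PO-1001", "Example Supplier Pty Ltd", "supplier", PO.lines)
SHORT_RECEIPT = Document("receiving report", "PO-1001", "Example Supplier Pty Ltd", "stores", (
    Line("PILLOW", 90), Line("SHEET-Q", 40)))
BAD_INVOICE = Document("supplier invoice", "PO-1001", "Example Supplier Pty Ltd", "supplier", (
    Line("PILLOW", 100, Decimal("6.40")), Line("SHEET-Q", 40, Decimal("18.50"))))

if __name__ == "__main__":
    for problem in three_way_match(PO, SHORT_RECEIPT, BAD_INVOICE, APPROVED):
        print("HOLD:", problem)
```

Any non-empty result corresponds to the "Contact supplier to resolve discrepancy" branch of the flowchart.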

6.33 Internal control components
(a) Explain how the internal control components are usually adjusted to meet the needs of small entities. What advantages and disadvantages does this bring?
(b) Assess the internal controls at Featherbed. What changes would you recommend?

(a) Small entities have limitations in their ability to implement a comprehensive control system. There are fewer employees in small entities, which means that segregation of incompatible duties is harder to organise. In addition, small entities usually do not have formal documentation of their control systems, making assessment of their design effectiveness more difficult. However, managers of smaller entities (who are usually also the owners) are able to have a greater personal involvement in all aspects of the business and are therefore able to monitor activities directly. With direct monitoring, many departures from control systems could be detected. The effectiveness of this direct monitoring is dependent on managers’ knowledge and interest in controls, which could be low. Managers may also be tempted to override systems because they do not distinguish between their interests and the interests of the entity.

(b) There is little separation between the board and the senior management – Sarah is both CFO and director of both Featherbed and the Morris Group. The control environment would be stronger if the CFO and the director positions were split.

Management philosophy and operating style are ‘laid back’, suggesting that formal control structures are not in place. Although some documentation is now being done, it is being done at a low level rather than being designed by senior management. There is a risk that the documentation will be incomplete, without the necessary review procedures.

Peter Pinn does not appear to be very active in reviewing the performance of the more junior staff, and there is a lack of clear information on whether Sarah is adequately supervising Peter. The lines of accountability should be stronger and, because of the small size of the accounts department, should include periodic reviews of transactions authorised and processed at lower levels.

There appears to be a lack of adequate segregation of duties: both Kristen and Julie are involved in opening mail, processing transactions, banking, bank reconciliations, and payroll. These duties should be segregated so that staff handling cash are not also able to record transactions. Bank reconciliations and reviews of journal postings should be done by Sarah or Peter, and they should also be authorising transactions. There appears to be no separate HR function and there is a danger that payroll is not valid.

Overall, the internal controls appear to have deficiencies. The documentation should be completed by Sarah and she should take more responsibility for overseeing the operations of the accounts department. Peter does not appear to be performing the necessary authorisation and supervision roles.
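An added example, not part of the solutions manual, that tests a duty assignment for the segregation problems described in (b). The grouping of duties into functions, the list of incompatible pairs and the split of work between Kristen and Julie in the second assignment are assumptions made for illustration; Sarah and Peter hold review and authorisation together, as the answer recommends.

```python
from itertools import combinations

# Assumed classification of the duties named in the answer.
DUTY_FUNCTION = {
    "opening mail": "custody",
    "banking": "custody",
    "processing transactions": "recording",
    "payroll": "recording",
    "bank reconciliations": "independent check",
    "review of journal postings": "independent check",
    "authorising transactions": "authorisation",
}

# Assumed rule set: functions that one person should not hold together.
# Authorisation plus independent check is allowed, matching the
# recommendation that Sarah or Peter both review and authorise.
INCOMPATIBLE = {frozenset(pair) for pair in [
    ("custody", "recording"),
    ("custody", "independent check"),
    ("recording", "independent check"),
    ("custody", "authorisation"),
    ("recording", "authorisation"),
]}


def functions_held(duties):
    """Group one person's duties by function; unknown duties are an error."""
    held = {}
    for duty in duties:
        if duty not in DUTY_FUNCTION:
            raise ValueError(f"unclassified duty: {duty!r}")
        held.setdefault(DUTY_FUNCTION[duty], []).append(duty)
    return held


def sod_conflicts(assignments):
    """Map each person to the incompatible function pairs they hold."""
    report = {}
    for person, duties in assignments.items():
        held = functions_held(duties)
        pairs = [(a, b) for a, b in combinations(sorted(held), 2)
                 if frozenset((a, b)) in INCOMPATIBLE]
        if pairs:
            report[person] = pairs
    return report


# Assignment as described in the answer to 6.33(b).
CURRENT = {
    "Kristen": ["opening mail", "processing transactions", "banking",
                "bank reconciliations", "payroll"],
    "Julie": ["opening mail", "processing transactions", "banking",
              "bank reconciliations", "payroll"],
}

# One possible split that follows the recommendation (constructed).
RECOMMENDED = {
    "Kristen": ["opening mail", "banking"],
    "Julie": ["processing transactions", "payroll"],
    "Sarah": ["bank reconciliations", "review of journal postings",
              "authorising transactions"],
    "Peter": ["review of journal postings", "authorising transactions"],
}

if __name__ == "__main__":
    for label, plan in (("current", CURRENT), ("recommended", RECOMMENDED)):
        print(label, sod_conflicts(plan) or "no conflicts")
```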

6.34 Communication with management
Write a management letter to Justin and Sarah Morris.

The management letter would conform to the example in the text. It would be addressed to the chair of the board of Featherbed (Justin Morris). It would explain the deficiencies in internal control, as outlined in Professional Application Question 6.33, with the appropriate recommendations with respect to segregating duties and completion of documentation of policies and procedures.

6.35 Components of internal control

Required
Select two (2) components of internal control. Explain how the role of internal and external audit would differ in assessing these components in relation to the new manufacturing costing system.

(1) Control Environment.
The high level of security around information relating to product design, manufacturing and costing, and the client identity and transactions is a key part of the internal control system at Securimax. The secure environment provides the foundation for the successful implementation of the new manufacturing costing system because data are secure and only certain personnel will have access to it.

The highly secure environment indicates that the control environment at Securimax has a focus on clear assignment of authority and responsibility and a formalised organisational structure. It also reflects management’s philosophy and operating style which rates security highly.

Consistent with this approach it would be expected that internal audit have a formal and important role in the organisation. Internal audit were involved in all stages of the installation of the new manufacturing costing system. Their role would have been to ensure that the integration with other systems (e.g. sales) is correct. Internal audit will also be interested in maintaining the secure environment and assessing the performance (i.e. efficiency and effectiveness) of the new system.

External audit would focus on understanding the control environment and assessing whether the control environment means that management has positive attitudes towards internal control systems. The auditors would be interested in assessing how well the implementation of the new costing system was executed, and whether the secure environment was maintained.

(2) Risk assessment process.
The risk assessment process refers to management’s processes for identifying and responding to business risks. Securimax has responded to the risk of using inaccurate costing data by installing the new manufacturing costing system. However, there are risks involved with the installation and these would need to be managed.

The internal audit department would be involved in assessing how management handle the implementation and other risks.

The external audit department would use the information from the internal audit department’s assessment to evaluate the level of risk to the financial accounts from any problems with the manufacturing costing system.

(3) Control activities
The information provided does not explain the segregation of duties and physical controls relating to the new manufacturing costing system. However, internal audit would assess the level of segregation and physical controls when determining the success of the implementation process.

External audit would require an understanding of these matters in order to assess control risk for transactions relating to the costing system.

6.36 Control environment
Discuss the implications of the sales bonus system for the control environment within HCHG. What special factors would management have to consider?

The sales bonus system would impact on the control environment at HCHG because it increases the focus on recorded sales and provides incentives for personnel to take actions to increase their bonus through increasing sales. A bonus structure can work against management attempts to communicate and enforce integrity and ethical values because it implies a reward for ‘cutting corners’ in order to increase sales. When such a bonus system is in place management have to work hard to communicate the core values and show through their philosophy and operating style that there is not a focus on increasing sales at all costs. Management will need to ensure that there is a commitment to competence through mechanisms such as HR recruitment and review policies and practices. Management would also pay attention to ensuring that sales, particularly those on credit to new customers, are authorised by appropriately senior staff, and performance reviews are used to guide sales staff towards the organisation’s objectives.


6.37 Control risks in new IT systems
With reference to the ‘control activities’ component of internal control, formulate one question that each of internal audit and external audit will ask regarding the switch-over of the patient revenue systems by Gardens Nursing Home.

The internal audit department was required to ‘make sure the switch-over worked without any problems’. This means that the internal audit department was primarily focussed on the effectiveness of the switch-over, and not just making sure it was completed at the lowest possible cost. Therefore, the potential questions would address the accuracy of information from the new system. Examples include:

- How did the performance indicators address the effectiveness of the switch-over?
- Who was responsible for the switch-over and how was the effectiveness measured for the purpose of performance review?
- What changes were made to the information processing activities and how was their effectiveness assessed?
- What physical controls are used to prevent unauthorised changes to the manufacturing costing system?

The external auditor is required to gather evidence to support an opinion about the truth and fairness of the financial report, and its compliance with the relevant accounting standards. The auditor would require evidence that the transactions are processed accurately, meeting the objectives of the internal control system (real, recorded, valued, classified, summarised, posted, timely).

Therefore, the external auditor would have questions to address the control risks in the new manufacturing costing system, including:

- How are duties segregated with respect to approving changes to programs, authorising transactions, custody of raw materials and work in process, reporting costs?
- What controls exist to ensure that all product movements are recorded accurately?
- What controls exist to ensure that invoices to customers are based on correct costs?
- What controls exist to ensure that the correct labour costs are added to the manufacturing costs assigned to products?


Case Study Cloud 9

You have been assigned the task of documenting the understanding of the process for recording sales, accounts receivable, and cash receipt transactions for wholesale customers. In your absence, Josh met with the Cloud 9 Pty Ltd financial controller, Carla Johnson, and received permission to tape the interview, which is provided as a transcript (see appendix). Using this interview transcript and other information presented in the case, you are asked to:

1. Prepare a flowchart or narrative documenting your understanding of the sales to cash receipts process for wholesale sales.

2. Identify any follow-up questions you would like to ask the client if aspects of the process are not adequately explained. You could address such questions to Carla Johnson or any other employee you deem appropriate.

3. Identify the potential misstatement that could occur in the sales to cash receipts process for wholesale sales.

4. Identify, for the misstatements in 3, the financial report assertion that is affected.

To answer requirements 3 and 4, draw up a worksheet using the following format. Use as many rows as you need. Use the first three columns of the following worksheet to present your findings. (You will complete the fourth column of the worksheet in the next chapter.)

| Significant process | Potential misstatement | Assertions | Transaction level internal controls |
|---|---|---|---|

Solution

1. NARRATIVE – Cloud 9 wholesale sales to cash receipts:

A sales transaction begins with the receipt of the customer purchase order via the inventory management system, Swift. Swift is a custom-made software package that has an interface through a secured site key to retailer inventory systems. When stock balances at retailers get below a pre-determined amount (which is established and updated by the customer), the system automatically alerts the customer to complete a purchase order on-line.

Purchase orders are initiated in Swift based on a master price file and the available stock in the warehouse. Swift does not allow quantities to be ordered greater than the amount on hand in the warehouse. The price file is maintained by the sales manager and is reviewed monthly. Changes to the master file must be approved by the sales director and the finance director. Only those 3 employees have access to the file.


Once the purchase order is completed by the customer, a credit limit check is automatically performed by the system against pre-determined limits maintained in the customer master file. If the customer exceeds their limit, the system will reject the order. Daily, the sales manager reviews a listing of rejected purchase orders to follow up with the customer regarding the order. This may result in credit limit increases being approved. Once the credit check is successful, the system will generate the sales order.

Each day, the warehouse manager downloads the outstanding sales orders to hand held computers for his team. Warehouse personnel collect the goods and take them to the packaging staging area. Here, they scan the bar codes of each product with the hand held computer that is linked to Swift. This creates the dispatch note in Swift, which is automatically matched to the sales order. Only when there is a match does the approval box get activated. The Shipping Supervisor electronically signs off on the dispatch note by entering his passcode to approve the dispatch note.

The goods are boxed up and placed in the secure caged areas for the Cloud 9 drivers to pick up the following day. In the morning, drivers print the approved dispatch notes and arrange their delivery schedule. For each order, they confirm the total number of boxes in the staging area against the dispatch notes prior to loading in the truck/van. They sign off on the top copy of the dispatch note and leave it with the shipping supervisor prior to departure.

Upon delivery, the customer signs the dispatch note confirming receipt of goods. That copy is sent to the billing team. Any undelivered items are returned to the cage.

At the end of the day, the warehouse manager reviews the unfilled sales order report and contacts the customer service representative to notify the customer of when the expected delivery for their items would be.

When goods are returned, they are received in the warehouse and scanned. The goods are tagged in the system as either “Warranty Return” or “Sales Return”. For warranty returns, if the return date is within 12 months of the sale date, a special sales order with $0 price is generated, triggering a replacement pair to be sent to the customer following the normal shipment procedures. If the return date is greater than 12 months, a warranty decline notice is printed and sent with the original goods back to the customer. For sales returns (where stores have over purchased), a credit memo is generated in the system and the product is returned to inventory. All credit memos are electronically approved by the receiving manager. Any credit memos greater than $10,000 are also approved by the financial controller.

Once the dispatch report is signed, the system automatically generates the invoice, which is maintained in “draft” status for the billing team. The billing team matches the draft sales invoice to the returned dispatch note. Final invoices are printed in duplicate at 4pm each day and mailed to the customer. The invoice copy and signed dispatch note are stapled and put on the customer’s file. After the print run, an exception report is generated to catch any shipments for which the final bill was not issued. The signed dispatch note file is checked regularly to catch any unmatched notes.


Once the invoice is printed, the receivables and sales entries are recorded automatically by the system. The system automatically posts the sales in the sub-ledger to general ledger.

Most customers pay by EFT. Each morning, the AR clerk downloads from on-line banking the receipts received the previous day. The amounts are applied to the customer’s accounts receivable balance in the sub-ledger system. Once each receipt is entered, a batch report of postings to Accounts Receivable is generated and reconciled back to the direct banking receipts. That reconciliation is reviewed and approved by Carla. Any unapplied cash receipts are posted to a dummy account until they can be cleared against a specific customer. The dummy account balance is reviewed weekly for unapplied balances that need follow-up.

Bank reconciliations are prepared on a monthly basis by Carla and reviewed by David.

2. Additional questions:

From the interview transcript, students should ask the following questions for further information or clarification:

For the sales manager
- How often are prices changed? What is the process for making a change to the master price list?
- Who has access to the master price lists?
- What are the mechanics of the credit check the system performs? Who set the limits? What happens if they are over their limits? How are the limits changed?

For the shipping supervisor
- How are the goods prepared for delivery – i.e. how are they packaged?
- Do the drivers check their loads against the dispatch notes prior to departing the warehouse or during their deliveries? How is this evidenced?

For the warehouse manager
- How do you ensure all sales orders are filled?
- What happens if a product is returned?

For Carla Johnson (to represent finance)
- What happens if the batch posting report doesn’t reconcile to the bank report?
- How do you know to what invoice the payment relates?
- Do you ever have cash for which you can’t determine the customer or invoice against which it should be applied?

For an IT Manager
Overall, there is such a reliance on the IT systems that the audit team would want to get an IT specialist involved to help review the general controls (access, change management, backups) as well as help understand exactly what happens to the data that gets entered.


3 & 4: Potential misstatements and assertions

The Wholesale Sales to Cash Receipts process includes transactions recorded in Sales, Accounts Receivable and Cash. Students should have identified the following potential errors:

| Significant Process | Potential Misstatements | Assertions |
|---|---|---|
| Sales/Accounts Receivable | Credit memos are not issued or recorded for returns on a timely basis or at all. | Sales - Occurrence; Accounts Receivable - Existence |
| | Duplicate/false sales transactions are recorded. | Sales - Occurrence; Accounts Receivable - Existence; Allowance for Bad Debt - Completeness |
| | Invoice misstates the quantity of goods shipped or incorrect pricing. | Sales - Accuracy; Accounts Receivable - Valuation; Inventory - Valuation; COGS - Accuracy |
| | Proper credit authorisation is not obtained for wholesaler transactions. | Allowance for Bad Debt - Completeness |
| | Sales journal/sub-ledger is incorrectly posted to G/L or does not reconcile. | Sales - Completeness |
| | Sales transaction is not recorded upon shipment of goods. | Sales - Completeness; Accounts Receivable - Completeness; Inventory - Existence; COGS - Occurrence |
| | Sales transaction is recorded when goods not shipped. | Sales - Occurrence; Accounts Receivable - Existence; Inventory - Completeness; COGS - Completeness |
| Cash Receipts | Cash receipts are not recorded when received. | Accounts Receivable - Completeness; Cash - Completeness |
| | Cash receipts in foreign currencies are incorrectly valued (e.g. by using the incorrect exchange rate). | Accounts Receivable - Valuation; Cash - Valuation |
| | Cash receipts recorded differ from amounts deposited. | Accounts Receivable - Completeness and Existence; Cash - Completeness and Existence |
| | Cash receipts and transfers are recorded in the wrong period. | Accounts Receivable - Completeness; Cash - Completeness |
| | Duplicate postings of cash receipts are made to the general ledger. This would lead to a discrepancy between the general ledger and the underlying AR subledger. | Cash - Existence |
| | Totals in cash receipts journal are incorrectly posted. | Cash - Completeness |
