Chapter 1

Auditing and Internal Control
Review Questions
1. What is the purpose of an IT audit?
Response: The purpose of an IT audit is to provide an independent assessment of some
technology- or systems-related object, such as proper IT implementation, or controls over
computer resources. Because most modern accounting information systems use IT, IT plays a
significant role in a financial (external) audit, where the purpose is to determine the fairness and
accuracy of the financial statements.

2. Discuss the concept of independence within the context of a financial audit. How is
independence different for internal auditors?
Response: The auditor cannot be an advocate of the client, but must independently attest to
whether GAAP and other appropriate guidelines have been adequately met. Independence for
internal auditors is different because they are employed by the organization, and cannot be as
independent as the external auditor. Thus internal auditors must use professional judgment and
independent minds in performing IA activities.

3. What are the conceptual phases of an audit? How do they differ between general
auditing and IT auditing?
Response: The three conceptual phases of auditing are:
i. Audit planning,
ii. Tests of internal controls, and
iii. Substantive tests.
Conceptually, no difference exists between IT auditing and general auditing. IT auditing is
typically a subset of the overall audit; the portion that involves computer technology is the subset.

4. Distinguish between the internal and external auditors.
Response: External auditors represent the interests of third-party stakeholders in the
organization, such as stockholders, creditors, and government agencies. External auditing is
conducted by certified public accountants who are independent of the organization's
management. Internal auditors represent the interests of management. Internal auditing tasks
include conducting financial audits, examining an operation's compliance with legal obligations,
evaluating operational efficiency, detecting and pursuing fraud within the firm, and conducting IT
audits. External auditors also conduct IT audits as a subset of financial audits.

5. What are the four primary elements described in the definition of auditing?
Response:
a. auditing standards
b. systematic process
c. management assertions and audit objectives
d. obtaining evidence

6. Explain the concept of materiality.
Response: Materiality refers to the size of the effect of a transaction. From a cost-benefit
point of view, a threshold is set above which the auditor is concerned with the correct recording
and effects of transactions. Rather than using standard formulas, auditors use their professional
judgment to determine materiality.

7. How does the Sarbanes-Oxley Act of 2002 affect management's responsibility for
internal controls?
Response: The Sarbanes-Oxley Act (SOX) specifically holds management responsible for
internal controls. SOX requires an annual report on internal controls that is the responsibility of
management; external auditors must attest to the integrity of the report. Management must assess
the effectiveness of the internal control structure and procedures for financial reporting as of the
end of the most recent fiscal year and identify any control weaknesses. An attestation by external
auditors reports on management's assessment statement.

8. What are the four broad objectives of internal control?
Response:
a. to safeguard the assets of the firm
b. to ensure the accuracy and reliability of accounting records and information
c. to promote efficiency in the firm's operations
d. to measure compliance with management's prescribed policies and procedures

9. What are the four modifying assumptions that guide designers and auditors of
internal control systems?
Response: Management responsibility, reasonable assurance, methods of data processing,
and limitations.

10. Give an example of a preventive control.
Response: Locked doors, passwords, and data entry controls for each field (e.g., range
checks).

11. Give an example of a detective control.
Response: A log of users, a comparison with computer totals and batch totals.

12. Give an example of a corrective control.
Response: Manual procedures to correct a batch that is not accepted because of an incorrect
social security number. A clerical worker would need to investigate and determine either the
correct hash total or the correct social security number that should be entered. A responsible party
is then needed to read exception reports and follow up on anomalies.

13. What are the five internal control components described in the COSO framework?
Response:
a. Control Environment
b. Risk Assessment
c. Information and Communication
d. Monitoring
e. Control Activities

14. What are the six broad classes of control activities defined by COSO?
Response: The six broad classes of control activities defined by COSO are:
a. transaction authorization,
b. segregation of duties,
c. supervision,
d. accounting records,
e. access control, and
f. independent verification.

15. Give an example of independent verification.
Response:
a. the reconciliation of batch totals at periodic points during transaction processing
b. the comparison of physical assets with accounting records
c. the reconciliation of subsidiary accounts with control accounts
d. reviews by management of reports that summarize business activity
e. periodic audits by independent external auditors
f. periodic audits by internal auditors

16. Differentiate between general and application controls. Give two examples of each.
Response: General controls apply to a wide range of exposures that systematically threaten
the integrity of all applications processed within the IT environment. Some examples of general
controls would be controls against viruses and controls to protect the hardware from vandalism.
Application controls are narrowly focused on risks within specific systems. Some examples of
application controls would be a control to make sure that each employee receives only one
paycheck per pay period and a control to ensure that each invoice gets paid only once.

17. Distinguish between tests of controls and substantive testing.
Response: The tests of controls phase involves determining whether internal controls are in
place and whether they function properly. The substantive testing phase involves a detailed
investigation of specific account balances and transactions.

18. Define audit risk.
Response: Audit risk is the probability that the auditor will render an unqualified (clean)
opinion on financial statements that are, in fact, materially misstated.

19. Distinguish between errors and irregularities. Which do you think concern auditors
the most?
Response: Errors are unintentional mistakes whereas irregularities are intentional
misrepresentations to perpetrate a fraud or mislead the users of financial statements. Errors are a
concern if they are numerous or sizable enough to cause the financial statements to be materially
misstated. All processes that involve human actions are highly susceptible to some amount of
human error. Computer processes should contain errors only if the programs are erroneous, if
systems operating procedures are not being closely and competently followed, or if some unusual
system malfunction has corrupted data. Errors are typically much easier to uncover than
misrepresentations. Thus auditors typically are more concerned about whether they have
uncovered any and all irregularities. Also, due to SAS No. 99 and Sarbanes-Oxley, auditors are
much more concerned with fraud (irregularities) than before.

20. Distinguish between inherent risk and control risk. How do internal controls affect
inherent risk and control risk, if at all? What is the role of detection risk?
Response: Inherent risk is associated with the unique characteristics of the business or
industry of the client. Firms in declining industries are considered to have more inherent risk than
firms in stable or thriving industries. Auditors cannot reduce inherent risk, which is not affected
by internal controls. Even in a system protected by excellent controls, financial data can be
misstated.
Control risk is the likelihood that the control structure is flawed because internal controls
are either absent or inadequate to prevent or detect errors in the accounts. Auditors assess the
level of control risk by performing tests of internal controls. Internal control does, however,
directly impact control risk. The more effective the internal controls that are in place, the lower
the level of assessed control risk.
Detection risk is the risk that auditors are willing to take that errors not detected or
prevented by the control structure will also not be detected by the auditors. Typically, detection
risk will be lower for firms with higher inherent risk and control risk.

21. What is the relationship between tests of controls and substantive tests?
Response: The relationship between tests of controls and substantive tests is directly related
to the auditor's risk assessment. The stronger the internal controls, the less substantive testing
the auditor must do.

22. SOX contains many sections. Which sections does this chapter focus on?
Response: This chapter concentrates on internal control and audit responsibilities pursuant
to SOX Sections 302 and 404.

23. What control framework does the PCAOB recommend?
Response: The PCAOB recommends the use of COSO as the framework for control
assessment.

24. COSO identifies two broad groupings of information system controls. What are
they?
Response: The two broad groupings of information system controls identified by COSO
are application controls and general controls.

25. What are the objectives of application controls?
Response: The objectives of application controls are to ensure the validity, completeness,
and accuracy of financial transactions.

26. Give three examples of application controls.
Response: Examples include:
a. A cash disbursements batch balancing routine that verifies the total payments to vendors
reconciles with the total postings to the accounts payable subsidiary ledger.
b. An account receivable check digit procedure that validates customer account numbers
on sales transactions.
c. A payroll system limit check that identifies employee time card records with reported
hours worked in excess of the predetermined normal limit.

27. Define general controls.
Response: General controls apply to all systems. They are not application specific.
General controls include controls over IT governance, the IT infrastructure, security and access to
operating systems and databases, application acquisition and development, and program changes.

28. What is the meaning of the term attest services?
Response: The attest service is an engagement in which a practitioner is engaged to issue a
written communication that expresses a conclusion about the reliability of a written assertion that
is the responsibility of another party (SSAE No. 1, AT Sec. 100.01).

29. List four general control areas.
Response: The following are examples of general control areas:
a. IT governance controls,
b. Security (data management controls),
c. Security (operating system and network controls),
d. Systems development and program change controls.

Discussion Questions
1. Discuss the differences between the attest function and advisory services.
Response: The attest service is defined as an engagement in which a practitioner is engaged
to issue, or does issue, a written communication that expresses a conclusion about the reliability
of a written assertion that is the responsibility of another party. The following requirements apply
to attestation services:
Attestation services require written assertions and a practitioner's written report.
Attestation services require the formal establishment of measurement criteria or their description in the presentation.
The levels of service in attestation engagements are limited to examination, review, and application of agreed-upon procedures.
Advisory services are professional services offered by public accounting firms to improve
their client organizations' operational efficiency and effectiveness. The domain of
advisory services is intentionally unbounded so that it does not inhibit the growth of future
services that are currently unforeseen. As examples, advisory services include actuarial
advice, business advice, fraud investigation services, information system design and
implementation, and internal control assessments for compliance with SOX.

2. A CPA firm has many clients. For some of its clients, it relies very heavily on the work
of the internal auditors, while for others it does not. The amount of reliance affects the fees
charged. How can the CPA firm justify the apparent inconsistency of fees charged in a competitive
marketplace?
Response: The CPA firm's reliance on the work of the internal auditors depends on the
structure of the organization and to whom the internal auditors report. If they do not report
directly to the board of directors, then their positions may be compromised. Further, the quality
and type of work conducted by the internal auditors will affect external auditors' reliance.

3. Accounting firms are very concerned that their employees have excellent
communication skills, both oral and written. Explain why this requirement is so important
by giving examples of where these skills would be necessary in each of the three phases of an
audit.
Response: During the planning phase of an audit, oral communication skills are used in
interviews. Written communication skills are needed for recording the results of interviews and
during observation and systems documentation reviews. In the tests of controls and substantive
testing phases, oral communication skills are important when working with the client's
employees. Written communication skills are then vital in summarizing the results of tests.

4. Explain the audit objectives of existence or occurrence, completeness, rights and
obligations, valuation or allocation, and presentation and disclosure.
Response:
The existence or occurrence assertion affirms that all assets and equities contained in the
balance sheet exist and that all transactions in the income statement actually occurred.
The completeness assertion declares that no material assets, equities, or transactions have
been omitted from the financial statements.
The rights and obligations assertion maintains that assets appearing on the balance sheet
are owned by the entity and that the liabilities reported are obligations.
The valuation or allocation assertion states that assets and equities are valued in
accordance with generally accepted accounting principles and that allocated amounts
such as depreciation expense are calculated on a systematic and rational basis.
The presentation and disclosure assertion alleges that financial statement items are
correctly classified (e.g., long-term liabilities will not mature within one year) and that
footnote disclosures are adequate to avoid misleading the users of financial statements.

5. How has the Foreign Corrupt Practices Act of 1977 had a significant impact on
organization management?
Response: The FCPA of 1977 requires that all companies registered with the Securities and
Exchange Commission maintain an appropriate system of internal controls. Internal controls
typically directly impact the organizational structure and segregation of functions.

6. Discuss the concept of exposure and explain why firms may tolerate some exposure.
Response: An exposure is the absence or weakness of an internal control. Sometimes cost-benefit
analysis may indicate that the additional benefits of an internal control procedure may not
exceed the costs. Thus, the firm may decide to tolerate some control risk associated with a
particular exposure.

7. If detective controls signal errors, why shouldn't they automatically make a
correction to the identified error? Why are separate corrective controls necessary?
Response: For any detected error, more than one feasible corrective solution may exist, and
the best course of action may not always be obvious. Thus, linking an automatic response to a
detective control may worsen a problem by applying an inappropriate corrective action.

8. Most accounting firms allow married employees to work for the firm. However, they
do not allow an employee to remain working for them if he or she marries an employee of
one of their auditing clients. Why do you think this policy exists?
Response: The accounting firm must retain its independence from its clients. The auditor
must not have the opportunity to collude, in any fashion, with any employees of its client.
Having one spouse working for the client and the other working for the accounting firm would
compromise the independence of the accounting firm.

9. Discuss whether a firm with fewer employees than there are incompatible tasks
should rely more heavily on general authority than specific authority.
Response: Small firms with fewer employees than there are incompatible tasks should rely
more heavily on specific authority. More approvals of decisions by management and increased
supervision should be imposed in order to compensate some for the lack of separation of duties.

10. An organization's internal audit department is usually considered to be an effective
control mechanism for evaluating the organization's internal structure. The Birch
Company's internal auditing function reports directly to the controller. Comment on the
effectiveness of this organizational structure.
Response: Having the internal auditing function report to the controller is unacceptable. If
the controller is aware of or involved in a fraud or defalcation, then he/she may give false or
inaccurate information to the auditors. The possibility that the auditors may lose their jobs if they
do not keep certain matters quiet also exists. Further, the fraud may be occurring at a level higher
than the controller, and the controller may fear losing his/her job if the matter is pursued. The best
route is to have the internal auditing function report directly to the audit committee.

11. According to COSO, the proper segregation of functions is an effective internal
control procedure. Comment on the exposure (if any) caused by combining the tasks of
paycheck preparation and distribution to employees.
Response: If a payroll employee were to prepare a paycheck for a nonexistent employee
(perhaps under an alias or in the name of a relative), which is known as ghost employee fraud,
and this employee also has the task of distributing the checks, then no one would be the wiser. On
the other hand, if the checks go directly to another person, who then distributes the paychecks, the
extra check should be discovered.

12. Discuss the key features of Section 302 of SOX.
Response: Section 302 requires that corporate management (including the CEO) certify
quarterly and annually their organization's internal controls over financial reporting. The
certifying officers are required to:
a. have designed internal controls, and
b. disclose any material changes in the company's internal controls that have occurred
during the most recent fiscal quarter.

13. Discuss the key features of Section 404 of SOX.
Response: Section 404 requires the management of public companies to assess the
effectiveness of their organization's internal controls over financial reporting and provide an
annual report addressing the following points:
a. a statement of management's responsibility for establishing and maintaining adequate
internal control,
b. an assessment of the effectiveness of the company's internal controls over financial
reporting,
c. a statement that the organization's external auditors have issued an attestation report on
management's assessment of the company's internal controls,
d. an explicit written conclusion as to the effectiveness of internal control over financial
reporting, and
e. a statement identifying the framework used by management to conduct their assessment
of internal controls.

14. Section 404 requires management to make a statement identifying the control
framework used to conduct its assessment of internal controls. Discuss the options in
selecting a control framework.
Response: The SEC has made specific reference to the Committee of the Sponsoring
Organizations of the Treadway Commission (COSO) as a recommended control framework.
Furthermore, the PCAOB's Auditing Standard No. 5 endorses the use of COSO as the framework
for control assessment. Although other suitable frameworks have been published, according to
Standard No. 5, any framework used should encompass all of COSO's general themes.

15. Explain how general controls impact transaction integrity and the financial reporting
process.
Response: Consider an organization with poor database security controls. In such a
situation, even data processed by systems with adequate built-in application controls may be at
risk. An individual who can circumvent database security may then change, steal, or corrupt
stored transaction data. Thus, general controls are needed to ensure accurate financial reporting.

16. Prior to SOX, external auditors were required to be familiar with the client
organization's internal controls, but not test them. Explain.
Response: Prior to SOX, auditors had the option of not relying on internal controls in the
conduct of an audit and therefore did not need to test them. Instead, auditors could focus
primarily on substantive tests. Under SOX, management is required to make specific assertions
regarding the effectiveness of internal controls. To attest to the validity of these assertions,
auditors are required to test the controls.

17. Does a qualified opinion on management's assessment of internal controls over the
financial reporting system necessitate a qualified opinion on the financial statements?
Explain.
Response: No. Auditors are permitted to simultaneously render a qualified opinion on
management's assessment of internal controls and render an unqualified opinion on the financial
statements. Therefore, it is technically possible for auditors to determine that internal controls
over financial reporting are weak, but conclude through substantive tests that the weaknesses do
not cause the financial statements to be materially misrepresented.

18. The PCAOB Standard No. 5 specifically requires auditors to understand transaction
flows in designing their tests of controls. What steps does this entail?
Response: In order to be in compliance with PCAOB Standard No. 5, auditors must do the
following:
a. select the financial accounts that have material implications for financial reporting,
b. identify the application controls related to those accounts, and
c. identify the general controls that support the application controls.

19. What fraud detection responsibilities (if any) does SOX impose on auditors?
Response: Standard No. 2 places new responsibility on auditors to detect fraudulent
activity. The standard emphasizes the importance of controls designed to prevent or detect fraud
that could lead to material misstatement of the financial statements. Management is
responsible for implementing such controls and auditors are expressly required to test them.

Problems
1. Audit Committee (CMA 689833)
MicroDynamics, a developer of database software packages, is a publicly held company whose
stock is traded over the counter. The company recently received an enforcement release
proceeding through an SEC administrative law judge that cited the company for inadequate
internal controls. In response, MicroDynamics has agreed to establish an internal audit function
and strengthen its audit committee.
A manager of the internal audit department has been hired as a result of the SEC
enforcement action to establish an internal audit function. In addition, the composition of the
audit committee has been changed to include all outside directors. MicroDynamics has held its
initial planning meeting to discuss the roles of the various participants in the internal control and
financial reporting process. Participants at the meeting included the company president, the chief
financial officer, a member of the audit committee, a partner from MicroDynamics' external
audit firm, and the newly appointed manager of the internal audit department. Comments by the
various meeting participants are presented below.
President: We want to ensure that MicroDynamics complies with the SEC's enforcement
release, and that we don't find ourselves in this position again. The internal audit department
should help to strengthen our internal control system by correcting the problems. I would like
your thoughts on the proper reporting relationship for the manager of the internal audit
department.
CFO: I think the manager of the internal audit department should report to me since much of the
department's work is related to financial issues. The audit committee should have oversight
responsibilities.
Audit committee member: I believe we should think through our roles more carefully. The
Treadway Commission has recommended that the audit committee play a more important role in
the financial reporting process; the duties of today's audit committee have expanded beyond the
rubber-stamp approval. We need to have greater assurance that controls are in place and being
followed.
External audit firm partner: We need a close working relationship among all of our roles.
The internal audit department can play a significant role in monitoring the control systems on a
continuing basis and should have strong ties to your external audit firm.
Internal audit department manager: The internal audit department should be more involved
in operational auditing, but it also should play a significant monitoring role in the financial
reporting area.
Required:
a. Describe the role of each of the following in the establishment, maintenance, and
evaluation of MicroDynamics' system of internal control.
i. Management
ii. Audit committee
iii. External auditor
iv. Internal audit department
b. Describe the responsibilities that MicroDynamics' audit committee has in the financial
reporting process.
Response:
a.
i. Management has the overall responsibility for protecting company assets and, therefore,
for establishing, maintaining, and evaluating the internal control system.
ii. The audit committee's primary responsibility involves assisting the board of directors in
carrying out its responsibilities as they relate to the organization's accounting policies, internal
control, and financial reporting practices. The audit committee assists management and the board
in fulfilling their fiduciary and accountability responsibilities, and it helps maintain a direct line
of communication between the board and the external and internal auditors.
iii. The external auditor reviews the organization's control structure, including the control
environment, accounting systems, and control procedures, in order to assess the control risks for
financial statement assertions. In addition, the external auditor would inform the company of any
material weaknesses found during the review.
iv. The internal audit department performs both operational and financial audits to
determine compliance with established policies and procedures and reports its findings and
recommendations to management or the audit committee for evaluation and corrective action.
The internal audit department may also assist the external auditors with their review of the
internal control system.
b. The responsibilities of the MicroDynamics audit committee in the financial reporting process
include:
Obtaining assurance that the organization's control system is adequate and effective to identify risk and exposure, and that the financial disclosures made by management reasonably reflect the financial position, results of operations, and changes in cash flow.
Reviewing the progress of the audit and the final audit findings.
Acting as a liaison between the auditors and the board of directors.

2. Role of Internal Auditor (CMA 12904Y8)
Leigh Industries has an internal audit department consisting of a director and four staff auditors.
The director of internal audit, Diane Bauer, reports to the corporate controller, who receives
copies of all internal audit reports. In addition, copies of all internal audit reports are sent to the
audit committee of the board of directors and the individual responsible for the area of activity
being audited.
In the past, the company's external auditors have relied on the work of the internal audit
department to a substantial degree. However, in recent months, Bauer has become concerned that
the objectivity of the internal audit function is being affected by the nonaudit work being
performed by the department. This possible loss of objectivity could result in more extensive
testing and analysis by the external auditors. The percentage of nonaudit work performed by the
internal auditors has steadily increased to about 25 percent of the total hours worked. A sample of
five recent nonaudit activities follows.
One of the internal auditors assisted in the preparation of policy statements on internal control. These statements included such things as policies regarding sensitive payments and the safeguarding of assets.
Reconciling the bank statements of the corporation each month is a regular assignment of one of the internal auditors. The corporate controller believes this strengthens the internal control function because the internal auditor is not involved in either the receipt or the disbursement of cash.
The internal auditors are asked to review the annual budget each year for relevance and reasonableness before the budget is approved. At the end of each month, the corporate controller's staff analyzes the variances from budget and prepares explanations of these variances. These variances and explanations are then reviewed by the internal audit staff.
One of the internal auditors has been involved in the design, installation, and initial operation of a new computerized inventory system. The auditor was primarily concerned with the design and implementation of internal accounting controls and conducted the evaluation of these controls during the test runs.
The internal auditors are sometimes asked to make the accounting entries for complex transactions as the employees in the accounting department are not adequately trained to handle such transactions. The corporate controller believes this gives an added measure of assurance to the accurate recording of these transactions.
Required:
a. Define objectivity as it relates to the internal audit function.
b. For each of the five nonaudit activities presented, explain whether the objectivity of
Leigh Industries' internal audit department has been materially impaired. Consider each situation
independently.
c. The director of internal audit reports directly to the corporate controller. Does this reporting
relationship affect the objectivity of the internal audit department? Explain your answer.
d. Would your evaluation of the five situations in Question b change if the director of internal
audit reported to the audit committee of the board of directors? Explain your answer.
Response:
a. The internal auditor must have and maintain objectivity, which implies no subordination of
judgment to another and arises from an independent mental attitude that views events on a factual
basis without influence from feelings, prejudice, opinions, or interests.
b.
i. The internal auditor's objectivity is not impaired by the preparation of policy statements
on internal control. The preparation of policy statements to guide others in the development and
implementation of internal controls is a responsibility of the internal audit staff.
ii. The internal auditor's objectivity is impaired. In order to maintain objectivity, the
auditor should not perform operational assignments that are included as part of the independent
evaluation and verification of a proper system of internal control. Separation of duties must be
maintained.
iii. Objectivity is not impaired in the review of the budget for relevance and reasonableness
if the internal auditor has no responsibility for establishing or implementing the budget. However,
the review of variances and explanations would impair objectivity as this is an area that would
normally be reviewed during an operational audit.
iv. Objectivity is impaired to the extent that the internal auditor has been involved in the
design and installation of internal accounting controls because there will be little confidence in
audit findings issued by the individual who designed and installed the system being audited.
v. The preparation of accounting records will materially impair the internal auditor's
objectivity by involving the auditor in day-to-day operations.
c.
i. This reporting relationship adversely affects the objectivity of the internal audit
department. The corporate controller is responsible for the accounting system and related
operational transactions. The internal audit staff is responsible for the independent and objective
review and examination of the accounting system and related operational transactions.
Independence and objectivity may not exist because the internal audit staff is responsible for
reviewing the work of the corporate controller, the person to whom it reports.
ii. No, the responses for Question b would not be affected by the internal audit staff
reporting to an audit committee rather than the corporate controller. In order to maintain
objectivity, the internal audit staff should refrain from performing nonaudit functions such as
management decision making, design and installation of systems, record keeping, or operational
duties.

3. Segregation of Function (CMA 1288322)
An effective system of internal control includes the segregation of incompatible functions.
Some of the examples presented represent incompatible duties. Comment on the specific risks
(if any) that are caused by the combination of tasks.
a. The treasurer has the authority to sign checks but gives the signature block to the assistant
treasurer to run the check-signing machine.
b. The warehouse clerk, who has the custodial responsibility over inventory in the warehouse,
may authorize disposal of damaged goods.
c. The sales manager, who works on commission based on gross sales, approves credit and
has the authority to write off uncollectible accounts.
d. The shop foreman submits time cards and distributes paychecks to employees.
e. The accounting clerk posts to individual account receivable subsidiary accounts and
performs the reconciliation of the subsidiary ledger and the general ledger control account.
Response:
a. No risks due to combination of tasks. The treasurer is responsible for having custody of the
assets. The treasurer is not responsible for either authorizing or recording the transaction. By
delegating the task of signing the checks to the assistant treasurer, no violation of the principle of
the separation of functions occurs because the assistant treasurer does not authorize or record
transactions either.
b. This situation is in violation because the warehouse clerk has custodial responsibility as
well as authorization of transactions. The potential risk is that the clerk may use the authorization
power to record the disposal of stolen goods as damaged goods.
c. This situation is in violation because the sales manager has the power of credit
authorization as well as accounts receivable record keeping. The potential risk is that the manager
may approve credit to a friend's or relative's business and then write off the account as bad.
d. This situation is in violation because the time clerk has record keeping tasks as well as
asset custody. The potential risk is that the time clerk may neglect to record the termination of an
employee and proceed to keep the paychecks for him/herself.
e. This situation is in violation because the accounting clerk both records transactions and
verifies the accuracy of the recording. The purpose of reconciliation is to verify that the two sets
of records are equivalent. The risk is that the accounting clerk may conceal errors or cover up
balances that do not equal because of embezzlement of funds.

4. Segregation of Duties (CMA 1288323)
Explainwhyeachofthefollowingcombinationsoftasksshould,orshouldnot,beseparatedto
achieveadequateinternalcontrol.
a.
Approvalofbaddebtwriteoffsandthereconciliationofaccountspayablesubsidiary
ledgerandthegeneralledgercontrolaccount.
b.
Distributionofpayrollcheckstoemployeesandapprovalofsalesreturnsforcredit.
c.
Postingofamountsfromboththecashreceiptsandcashdisbursementsjournalstothe
generalledger.
d.
Distributionofpayrollcheckstoemployeesandrecordingcashreceiptsinthejournal.
e.
Recordingcashreceiptsinthejournalandpreparingthebankreconciliation.
Response:
a.
Thesetwotasksdonotneedtobeseparatedbecausenoconflictexistsbetweenwritingoff
baddebts(assetaccountsreceivable)andreconcilingaccountspayable(liability).
b.
Thesetwotasksdonotneedtobeseparatedbecausetheyareindependentofoneanother.
c.
Inneithercasedoestheemployeehaveaccesstotheassets;thereforenodangerexists.
d.
Thesetwotasksdonotneedtobeseparatedbecausetheyareindependentofoneanother.

e.
Thesetasksshouldbeseparated.Theemployeerecordsthetransactionsandhasaccessto
assets.Toallowtheemployeetoverifytheaccuracyoftherecordswouldallowherorhimto
coverupanymoneyembezzledbydoctoringthebankreconciliation.
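The reasoning used in the responses to Problems 3 and 4 can be expressed as a small duty-conflict check. This is an added example, not part of the original solutions: the function names, the set of incompatible pairs (taken from the combinations the responses flag), and the transaction-cycle labels assigned to each scenario are modeling assumptions.

```python
from collections import defaultdict
from itertools import combinations

AUTHORIZE, CUSTODY, RECORD, VERIFY = "authorize", "custody", "record", "verify"

# Pairs the responses treat as incompatible when held by one person
# over the SAME transaction cycle (assumption: derived from answers 3b-3e, 4e).
INCOMPATIBLE = {
    frozenset({AUTHORIZE, CUSTODY}),   # 3b: custody + authorization
    frozenset({AUTHORIZE, RECORD}),    # 3c: authorization + record keeping
    frozenset({CUSTODY, RECORD}),      # 3d: record keeping + custody
    frozenset({RECORD, VERIFY}),       # 3e, 4e: recording + verification
}

def sod_conflicts(duties):
    """Return sorted (cycle, function_a, function_b) conflicts for one person.

    duties is a list of (function, cycle) pairs. Duties in different cycles
    are independent of one another and never conflict (answers 4a, 4b, 4d).
    """
    by_cycle = defaultdict(set)
    for function, cycle in duties:
        by_cycle[cycle].add(function)
    found = []
    for cycle, functions in by_cycle.items():
        for a, b in combinations(sorted(functions), 2):
            if frozenset({a, b}) in INCOMPATIBLE:
                found.append((cycle, a, b))
    return sorted(found)

# Constructed encoding of the scenarios; cycle names are illustrative labels.
SCENARIOS = {
    "3a treasurer": [(CUSTODY, "cash_disbursements")],
    "3b warehouse clerk": [(CUSTODY, "inventory"), (AUTHORIZE, "inventory")],
    "3c sales manager": [(AUTHORIZE, "accounts_receivable"),
                         (RECORD, "accounts_receivable")],
    "3d time clerk": [(RECORD, "payroll"), (CUSTODY, "payroll")],
    "3e accounting clerk": [(RECORD, "accounts_receivable"),
                            (VERIFY, "accounts_receivable")],
    "4a": [(AUTHORIZE, "accounts_receivable"), (VERIFY, "accounts_payable")],
    "4b": [(CUSTODY, "payroll"), (AUTHORIZE, "sales_returns")],
    "4c": [(RECORD, "cash_receipts"), (RECORD, "cash_disbursements")],
    "4d": [(CUSTODY, "payroll"), (RECORD, "cash_receipts")],
    "4e": [(RECORD, "cash_receipts"), (VERIFY, "cash_receipts")],
}

def review(scenarios):
    """Map each scenario name to its list of conflicts (empty if none)."""
    return {name: sod_conflicts(duties) for name, duties in scenarios.items()}

if __name__ == "__main__":
    for name, conflicts in review(SCENARIOS).items():
        verdict = f"separate: {conflicts}" if conflicts else "no conflict"
        print(f"{name:20} {verdict}")
```

The same check applies to role assignments in an IT system: map each permission to a function and a cycle, then flag any user whose permissions produce a conflict.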
5. Internal Control (CMA Adapted 128934)
Oakdale, Inc., is a subsidiary of Solomon Publishing and specializes in the publication and distribution of reference books. Oakdale's sales for the past year exceeded $18 million, and the company employed an average of 65 employees. Solomon periodically sends a member of its internal audit department to audit the operations of each of its subsidiaries, and Katherine Ford, Oakdale's treasurer, is currently working with Ralph Johnson of Solomon's internal audit staff. Johnson has just completed a review of Oakdale's investment cycle and prepared the following report.
General
Throughout the year, Oakdale has made both short-term and long-term investments in securities; all securities are registered in the company's name. According to Oakdale's bylaws, long-term investment activity must be approved by its board of directors, while short-term investment activity may be approved by either the president or the treasurer.
Transactions
Oakdale has a computer link with its broker; thus, all buy and sale orders are transmitted electronically. Only individuals with authorized passwords may initiate certain types of transactions. All purchases and sales of short-term securities in the year were made by the treasurer. In addition, two purchases and one sale of long-term securities were executed by the treasurer. The long-term security purchases were approved by the Board. The president, having online authorization access to all transactions, was able to approve a sale of a long-term security. The president is given access to authorize all transactions engaged in by the firm. Because the treasurer is listed with the broker as the company's contact, all revenue from these investments is received by this individual, who then forwards the checks to accounting for processing.
Documentation
Purchase and sales authorizations, along with broker's advices, are maintained in an electronic file with authorized access by the treasurer. Broker's advice is received verbally on the phone, and this advice is noted on a broker advice form. This form is filed by the treasurer. The certificates for all long-term investments are kept in a safe deposit box at the local bank; only the president of Oakdale has access to this box. An inventory of this box was made, and all certificates were accounted for. Certificates for short-term investments are kept in a locked metal box in the accounting office. Other documents such as long-term contracts and legal agreements are also kept in this box. There are three keys to the box held by the president, treasurer, and the accounting manager. The accounting manager's key is available to all accounting personnel, should they require documents kept in this box. Certificates of investments may take up to four weeks to receive after the purchase of the investment. An electronic inventory list is kept perpetually. The data are keyed in by accounting personnel who receive a buy/sale transaction sheet from the treasurer. The president, treasurer, and accounting manager all have passwords to access and update this inventory list. The accounting manager's password is known by two of the accounting supervisors in case the inventory list needs to be updated when the accounting manager is not available.
Documentation for two of the current short-term investments could not be located in this box; the accounting manager explained that some of the investments are for such short periods of time that formal documentation is not always provided by the broker.

Accounting Records
Deposits of checks for interest and dividends earned on investments are recorded by the accounting department, but these checks could not be traced to the cash receipts journal maintained by the individual who normally opens, stamps, and logs incoming checks. These amounts are journalized monthly to an account for investment revenue. Electronic payments for investment purchases are authorized by the treasurer. If the amount is in excess of $15,000, an authorization code given by the treasurer or president is necessary.
Each month, the accounting manager and the treasurer prepare the journal entries required to adjust the short-term investment account. There was insufficient backup documentation attached to the journal entries reviewed to trace all transactions; however, the balance in the account at the end of last month closely approximates the amount shown on the statement received from the broker. The amount in the long-term investment account is correct, and the transactions can be clearly traced through the documentation attached to the journal entries. No attempts are made to adjust either account to the lower of aggregate cost or market.
Required:
To achieve Solomon Publishing's objective of sound internal control, the company believes the following four controls are basic for an effective system of accounting control.
Authorization of transactions
Complete and accurate record keeping
Physical control
Internal verification
a. Describe the purpose of each of the four controls listed above.
b. Identify an area in Oakdale's investment procedures that violates each of the four controls listed above.
c. For each of the violations identified, describe how Oakdale can correct it.

Response:
a. The purpose of each of the four controls follows.
Authorization of transactions is required to adequately safeguard assets against fraud and illegal transactions and provide a level of internal control. A formal system of transaction authorizations allows the commitment of company resources in accordance with management goals and objectives. Transactions must be executed according to the terms of their general or specific authorizations, by responsible personnel acting within the scope of their prescribed authority and responsibility.
Complete and accurate record keeping is necessary to assure that prompt, timely, and accurate recording of transactions or economic events occurs. Companies must make and keep books, records, and accounts that, in reasonable detail, accurately reflect the transactions and dispositions of assets. Furthermore, the recording of transactions is necessary to permit preparation of financial statements in conformity with GAAP.
Physical controls relate to safeguarding assets, documents, and records to prevent their loss, destruction, or alteration.
Internal verification refers to the independent review of the accuracy and propriety of another party's work, and the testing of the recorded accountability for assets as compared to existing assets at reasonable time intervals.
b. and c.

Violation: The sale of long-term securities based on the president's approval when the board of directors' approval is required violates authorization procedures.
Proposed Correction: Implement formalized procedures (in addition to the company's bylaws) reinforcing the policy that only the board of directors can authorize long-term security purchases and sales.

Violation: All dividend and interest checks are received by the treasurer and forwarded to the accounting department; no entry is made in the cash receipts book. It is, therefore, not possible to determine if all interest and dividend checks have been received and deposited.
Proposed Correction: All checks should be forwarded to the group that normally opens, stamps and logs incoming checks, and the checks should be recorded in the cash receipts book at the time of receipt. The interest and dividend checks (entries) should be reconciled by the accounting department to the monthly broker's statements. These statements should be kept on file to assure that all checks have been received, deposited, and accounted for.

Violation: The balance in the accounts as of the end of the month closely approximated the amounts shown on the broker's statements.
Proposed Correction: The accounting department must undertake the reconciliation of the differences and implement appropriate procedures to assure that the accounts and the brokerage statements are reconciled monthly.

Violation: The treasurer has the authority to buy and sell securities, receives revenue, and makes journal entries related to securities.
Proposed Correction: Strengthen internal control so that the treasurer does not have conflicting duties.

Violation: Access to short-term securities is unrestricted in the accounting department.
Proposed Correction: The short-term securities should be placed in a restricted facility such as a bank safe deposit box or a company safe. Access to short-term securities should be limited to a few responsible personnel and two people should be present each time the securities are accessed. Additionally, a log book should be maintained to record any disposition of securities.

6. Internal Control (CMA 129042)
Arlington Industries manufactures and sells component engine parts for large industrial equipment. The company employs over 1,000 workers for three shifts, and most employees work overtime when necessary. Arlington has had major growth in its production and has purchased a mainframe computer to handle order processing, inventory management, production planning, distribution operations, and accounting applications. Michael Cromley, president of Arlington, suspects that there may be internal control weaknesses due to the quick implementation of the computer system. Cromley recently hired Kathleen Luddy as the internal control accountant.
Cromley asked Luddy to review the payroll processing system first. Luddy has reviewed the payroll process, interviewed the individuals involved, and compiled the flowchart shown on page 38 in the text. The following additional information concerns payroll processing.
The personnel department determines the wage rate of all employees at Arlington. Personnel starts the process by sending an authorization form for adding an employee to the payroll to Marjorie Adams, the payroll coordinator. After Adams inputs this information into the system, the computer automatically determines the overtime and shift differential rates for the individual, updating the payroll master files.
Arlington uses an external service to provide monthly payroll tax updates. The company receives a magnetic tape every month, which the data processing department installs to update the payroll master file for tax calculations.
Employees at Arlington use a time clock to record the hours worked. Every Monday morning, Adams collects the previous week's time cards and begins the computerized processing of payroll information to produce paychecks the following Friday. Adams reviews the time cards to ensure that the hours worked are correctly totaled; the system will determine whether overtime has been worked or a shift differential is required.
All the other processes displayed on the flowchart are performed by Adams. The system automatically assigns a sequential number to each payroll check produced. The checks are stored in a box next to the computer printer to provide immediate access. After the checks are printed, Adams uses an automatic check-signing machine to sign the checks with an authorized signature plate that Adams keeps locked in a safe.
After the check processing is completed, Adams distributes the checks to the employees, leaving the checks for the second- and third-shift employees with the appropriate shift supervisor. Adams then notifies the data processing department that she is finished with her weekly processing, and data processing makes a backup of the payroll master file to magnetic tape for storage on the tape shelves in the computer room.
Required:
By referring to the information in Problem 6 and the flowchart, identify and describe:
a. Five different areas in Arlington's payroll processing system where the system controls are inadequate.
b. Two different areas in Arlington's payroll processing system where the system controls are satisfactory.
Response:
a. Five different areas in Arlington Industries' payroll processing system where the system controls are inadequate are
The payroll processing system violates the principle of segregation of duties. The same individual verifies the time cards, inputs payroll information into the master file, prints the checks, machine-signs the checks, distributes the checks, and prepares the payroll journal entry, which may lead to corruption.
There is no authorization of employees' time cards by a supervisor or other objective party, such as a timekeeper.
The payroll checks are not prenumbered nor are they properly stored. As a result, there is no audit trail to verify check usage.
There is no control over the machine signing of checks: no control of the signature plate by a second party or use of a log to record activity.
The data processing department appears to have full access to the payroll files and checks, which could lead to sensitive payroll information being leaked.

b. Two different areas in Arlington Industries' payroll processing system where the system controls are satisfactory are
The personnel department determines the wage rate and initiates the setup of payroll records, which is a good example of segregation of duties.
A backup of the master file is made after each weekly processing of the payroll.

7. Evaluation of Controls
Gaurav Mirchandani is the warehouse manager for a large office supply wholesaler. Mirchandani receives two copies of the customer sales order from the sales department. He selects the goods from the shelves and sends them and one copy of the sales order to the shipping department. He then files the second copy in a temporary file. Mirchandani retrieves the sales orders from the temporary file and updates the inventory subsidiary ledger from a terminal in his office. At that time, he identifies items that have fallen to low levels, selects a supplier, and prepares three copies of a purchase order. One copy is sent to the supplier, one is sent to the accounts payable clerk, and one is filed in the warehouse. When the goods arrive from the supplier, Mirchandani reviews the attached packing slip, counts and inspects the goods, places them on the shelves, and updates the inventory ledger to reflect the receipt. He then prepares a receiving report and sends it to the accounts payable department.
Required:
a. Prepare a systems flowchart of the procedures previously described.
b. Identify any control problems in the system.
c. What sorts of fraud are possible in this system?

Solution to Problem 1-7

Responses:
a.

b. The following segregation of functions problems exist:
1. Mirchandani is the warehouse manager (asset custody) and is responsible for updating the inventory subsidiary ledger (record keeping).
2. Mirchandani determines what should be ordered (authorization) and then places the order (transaction processing).

c. The following frauds could result from these control weaknesses:
i. Kickback fraud: Since Mirchandani selects the supplier and also places the order, he could order inventory that is not needed or that is above market price from a supplier with whom he has a personal fraudulent arrangement. In exchange, the supplier pays a kickback to the warehouse manager.
ii. Vendor fraud: Mirchandani authorizes, orders, and receives the goods; he could establish himself as a vendor and process fraudulent transactions.
iii. Theft of inventory: Mirchandani can simply remove the assets from the warehouse, sell them, and adjust the inventory records. A reconciliation between the physical inventory on hand and the records would indicate no discrepancies.
8. Evaluation of Controls
Matt Demko is the loading dock supervisor for a dry cement packaging company. His work crew is composed of unskilled workers who load large transport trucks with bags of cement, gravel, and sand. The work is hard, and the employee turnover rate is high. Employees record their attendance on separate time cards. Demko authorizes payroll payments each week by signing the time cards and submitting them to the payroll department. Payroll then prepares the paychecks and gives them to Demko, who distributes them to his work crew.
Required:
a. Prepare a systems flowchart of the procedures described here.
b. Identify any control problems in the system.
c. What sorts of fraud are possible in the system?

a.

b. The following segregation of functions problem exists:
Demko authorizes the transaction (signs and submits time cards) and has asset custody (he distributes the checks to employees).

c. The following frauds could result from these control weaknesses:
i. Kickback fraud: Demko permits employees to inflate the hours worked and approves payment. The employee then splits the excess pay with the supervisor as a kickback.
ii. Nonexistent employee fraud: After an employee leaves the company, the supervisor continues to submit time cards for him. When the paychecks are distributed to Demko, he keeps the ones for the terminated employees and cashes them by forging their names.

PROJECTS
1. Visit a Web site for one of the audit professional organizations. Find the answers to the following questions:
a. What relevant certification(s) is (are) supported by the organization? What is the cost to take the certification exam?
b. What requirements does the organization have for continuing education?
c. How does the organization support IT auditors? Be specific.
d. What publications are provided by the organization? How does the publication relate to IT audits?
e. What services are provided by the organization to its members?
f. Where is the closest chapter?
g. Does a student membership program exist for the organization? If so, what is the cost for student members?
Response:

AICPA
Certifications: CPA, CITP
Cont. Ed.: 40 hr: 8 = A&A/year
Support IT: CITP, IT section, SAS, seminars, training
Publications: Newsletter, JoA
Service: Cont. Educ., seminars, local chapters
Closest Chapter: <Depends>
Students: Yes: $30

ISACA
Certifications: CISA
Cont. Ed.: Avg. 40 hr/year
Support IT: Cobit, tools, books, seminars, training
Publications: ISC Journal, Global Communiqué
Service: Cont. Educ., seminars, local chapters
Closest Chapter: <Depends>
Students: Yes: $25

IIA
Certifications: CIA
Cont. Ed.: Avg. 40 hr/year
Support IT: eSAC, tools, books, seminars, training
Publications: Internal Auditor
Service: Cont. Educ., seminars, local chapters
Closest Chapter: <Depends>
Students: Yes: $30

ACFE
Certifications: CFE
Cont. Ed.: Avg. 20 hr/year
Support IT: Tools, books, seminars, training
Publications: Newsletter, White papers, Annual report
Service: Cont. Educ., seminars, local chapters
Closest Chapter: <Depends>
Students: Yes: $25

2. Financial frauds such as Enron, WorldCom, and Adelphia led to the passage of the Sarbanes-Oxley Act 2002. Using the Internet, find answers to the following questions about changes being made regarding audit committees in SOX:
a. Describe a requirement for audit committees in SOX.
b. Describe a requirement for internal controls in SOX.
c. How do these changes affect IT auditors?
d. How do these changes affect internal auditors?
e. How do these changes affect financial auditors?
Response:
a.
i. Financial expertise by at least one member of audit committee.
ii. Members must be outsiders (independence factor).
iii. Audit committee hires external auditors and sets audit fees.
iv. Responsible for whistleblowing system, tips, and complaints system.
b.
i. Report by management on internal controls annually.
ii. Disclosure on material weaknesses in internal controls.
c.
i. IT auditors will probably be involved in evaluating the internal controls for management's annual report.
ii. IT auditors may interact more with audit committee on significant errors, frauds, or other matters.
d.
i. Internal auditors will most likely be the first choice of management to provide the annual report. It will probably need to be done well before the end of the fiscal year in order to allow time for the organization to respond to any material weaknesses found in the evaluation, thus giving the organization time to correct the weakness and NOT have to disclose it.
ii. Internal auditors will probably interact more with the audit committee, especially on significant errors, all frauds, tips and complaints, and whistleblower reports.
e.
i. Financial auditors will be hired by the audit committee in the future.
ii. Financial auditors will have their audit fees set by the audit committee and not management.
iii. Financial auditors will not be able to provide certain services and the audit/assurance.
iv. Financial auditors will be expected to interact with the Audit Committee when disagreements occur between external auditors and management regarding the application of GAAP.
v. In some cases, public accounting firms may be hired to provide the annual evaluation of internal controls.
