Information Technology Auditing, 4th Edition Solution Manual

Information Technology Auditing, 4th Edition Solution Manual is a complete textbook guide that simplifies learning for students.

Olivia Smith
Contributor

CHAPTER 1
AUDITING AND INTERNAL CONTROL

REVIEW QUESTIONS

1. What is the purpose of an IT audit?
Response: The purpose of an IT audit is to provide an independent assessment of some technology- or systems-related object, such as proper IT implementation, or controls over computer resources. Because most modern accounting information systems use IT, IT plays a significant role in a financial (external) audit, where the purpose is to determine the fairness and accuracy of the financial statements.

2. Discuss the concept of independence within the context of a financial audit. How is independence different for internal auditors?
Response: The auditor cannot be an advocate of the client, but must independently attest to whether GAAP and other appropriate guidelines have been adequately met. Independence for internal auditors is different because they are employed by the organization, and cannot be as independent as the external auditor. Thus internal auditors must use professional judgment and independent minds in performing IA activities.

3. What are the conceptual phases of an audit? How do they differ between general auditing and IT auditing?
Response: The three conceptual phases of auditing are:
i. Audit planning,
ii. Tests of internal controls, and
iii. Substantive tests.
Conceptually, no difference exists between IT auditing and general auditing. IT auditing is typically a subset of the overall audit; the portion that involves computer technology is the subset.

4. Distinguish between the internal and external auditors.
Response: External auditors represent the interests of third-party stakeholders in the organization, such as stockholders, creditors, and government agencies. External auditing is conducted by certified public accountants who are independent of the organization’s management. Internal auditors represent the interests of management. Internal auditing tasks include conducting financial audits, examining an operation’s compliance with legal obligations, evaluating operational efficiency, detecting and pursuing fraud within the firm, and conducting IT audits. External auditors also conduct IT audits as a subset of financial audits.

5. What are the four primary elements described in the definition of auditing?
Response:
a. auditing standards
b. systematic process
c. management assertions and audit objectives
d. obtaining evidence

6. Explain the concept of materiality.
Response: Materiality refers to the size of the effect of a transaction. From a cost-benefit point of view, a threshold is set above which the auditor is concerned with the correct recording and effects of transactions. Rather than using standard formulas, auditors use
their professional judgment to determine materiality.

7. How does the Sarbanes-Oxley Act of 2002 affect management’s responsibility for internal controls?
Response: The Sarbanes-Oxley Act (S-OX) specifically holds management responsible for internal controls. S-OX requires an annual report on internal controls that is the responsibility of management; external auditors must attest to the integrity of the report. Management must assess the effectiveness of the internal control structure and procedures for financial reporting as of the end of the most recent fiscal year and identify any control weaknesses. An attestation by external auditors reports on management’s assessment statement.

8. What are the four broad objectives of internal control?
Response:
a. to safeguard the assets of the firm
b. to ensure the accuracy and reliability of accounting records and information
c. to promote efficiency in the firm’s operations
d. to measure compliance with management’s prescribed policies and procedures

9. What are the four modifying assumptions that guide designers and auditors of internal control systems?
Response: Management responsibility, reasonable assurance, methods of data processing, and limitations.

10. Give an example of a preventive control.
Response: Locked doors, passwords, and data-entry controls for each field (e.g., range checks).

11. Give an example of a detective control.
Response: A log of users, a comparison with computer totals and batch totals.

12. Give an example of a corrective control.
Response: Manual procedures to correct a batch that is not accepted because of an incorrect social security number. A clerical worker would need to investigate and determine either the correct hash total or the correct social security number that should be entered. A responsible party is then needed to read exception reports and follow up on anomalies.

13. What are the five internal control components described in the COSO framework?
Response:
a. Control Environment
b. Risk Assessment
c. Information and Communication
d. Monitoring
e. Control Activities

14. What are the six broad classes of control activities defined by COSO?
Response: The six broad classes of control activities defined by COSO are:
a. transaction authorization,
b. segregation of duties,
c. supervision,
d. accounting records,
e. access control, and
f. independent verification.

15. Give an example of independent verification.
Response:
a. the reconciliation of batch totals at periodic points during transaction processing
b. the comparison of physical assets with accounting records
c. the reconciliation of subsidiary accounts with control accounts
d. reviews by management of reports that summarize business activity
e. periodic audits by independent external auditors
f. periodic audits by internal auditors

16. Differentiate between general and application controls. Give two examples of each.
Response: General controls apply to a wide range of exposures that systematically threaten the integrity of all applications processed within the IT environment. Some examples of general controls would be controls against viruses and controls to protect the hardware from vandalism. Application controls are narrowly focused on risks within specific systems. Some examples of application controls would be a control to make sure that each employee receives only one paycheck per pay period and a control to ensure that each invoice gets paid only once.

17. Distinguish between tests of controls and substantive testing.
Response: The tests of controls phase involves determining whether internal controls are in place and whether they function properly. The substantive testing phase involves a detailed investigation of specific account balances and transactions.

18. Define audit risk.
Response: Audit risk is the probability that the auditor will render an unqualified (clean) opinion on financial statements that are, in fact, materially misstated.

19. Distinguish between errors and irregularities. Which do you think concern auditors the most?
Response: Errors are unintentional mistakes whereas irregularities are intentional misrepresentations to perpetrate a fraud or mislead the users of financial statements. Errors are a concern if they are numerous or sizable enough to cause the financial statements to be materially misstated. All processes that involve human actions are highly susceptible to some amount of human error. Computer processes should contain errors only if the programs are erroneous, if systems operating procedures are not being closely and competently followed, or if some unusual system malfunction has corrupted data. Errors are typically much easier to uncover than misrepresentations. Thus auditors typically are more concerned about whether they have uncovered any and all irregularities. Also, due to SAS No. 99 and Sarbanes-Oxley, auditors are much more concerned with fraud (irregularities) than before.

20. Distinguish between inherent risk and control risk. How do internal controls affect inherent risk and control risk, if at all? What is the role of detection risk?
Response: Inherent risk is associated with the unique characteristics of the business or industry of the client. Firms in declining industries are considered to have more inherent risk than firms in stable or thriving industries. Auditors cannot reduce inherent risk, which is not affected by internal controls. Even in a system protected by excellent controls,
financial data can be misstated.
Control risk is the likelihood that the control structure is flawed because internal controls are either absent or inadequate to prevent or detect errors in the accounts. Auditors assess the level of control risk by performing tests of internal controls. Internal control does, however, directly impact control risk. The more effective the internal controls that are in place, the lower the level of assessed control risk.
Detection risk is the risk that auditors are willing to take that errors not detected or prevented by the control structure will also not be detected by the auditors. Typically, detection risk will be lower for firms with higher inherent risk and control risk.

21. What is the relationship between tests of controls and substantive tests?
Response: The relationship between tests of controls and substantive tests is directly related to the auditor’s risk assessment. The stronger the internal controls, the less substantive testing the auditor must do.

22. SOX contains many sections. Which sections does this chapter focus on?
Response: This chapter concentrates on internal control and audit responsibilities pursuant to SOX Sections 302 and 404.

23. What control framework does the PCAOB recommend?
Response: The PCAOB recommends the use of COSO as the framework for control assessment.

24. COSO identifies two broad groupings of information system controls. What are they?
Response: The two broad groupings of information system controls identified by COSO are application controls and general controls.

25. What are the objectives of application controls?
Response: The objectives of application controls are to ensure the validity, completeness, and accuracy of financial transactions.

26. Give three examples of application controls?
Response: Examples include:
a. A cash disbursements batch-balancing routine that verifies the total payments to vendors reconciles with the total postings to the accounts payable subsidiary ledger.
b. An account receivable check digit procedure that validates customer account numbers on sales transactions.
c. A payroll system limit check that identifies employee time card records with reported hours worked in excess of the predetermined normal limit.

27. Define general controls.
Response: General controls apply to all systems. They are not application specific. General controls include controls over IT governance, the IT infrastructure, security and access to operating systems and databases, application acquisition and development, and program changes.

28. What is the meaning of the term attest services?
Response: The attest service is an engagement in which a practitioner is engaged to issue a written communication that expresses a conclusion about the reliability of a written assertion that is the responsibility of another party (SSAE No. 1, AT Sec. 100.01).

29. List four general control areas.
Response: The following are examples of general control areas:
a. IT governance controls,
b. Security (data management controls),
c. Security (operating system and network controls),
d. Systems development and program change controls.

DISCUSSION QUESTIONS

1. Discuss the differences between the attest function and advisory services.
Response: The attest service is defined as an engagement in which a practitioner is engaged to issue, or does issue, a written communication that expresses a conclusion about the reliability of a written assertion that is the responsibility of another party. The following requirements apply to attestation services:
Attestation services require written assertions and a practitioner’s written report.
Attestation services require the formal establishment of measurement criteria or their description in the presentation.
The levels of service in attestation engagements are limited to examination, review, and application of agreed-upon procedures.
Advisory services are professional services offered by public accounting firms to improve their client organizations’ operational efficiency and effectiveness. The domain of advisory services is intentionally unbounded so that it does not inhibit the growth of future services that are currently unforeseen. As examples, advisory services include actuarial advice, business advice, fraud investigation services, information system design and implementation, and internal control assessments for compliance with SOX.

2. A CPA firm has many clients. For some of its clients, it relies very heavily on the work of the internal auditors, while for others it does not. The amount of reliance affects the fees charged. How can the CPA firm justify the apparent inconsistency of fees charged in a competitive marketplace?
Response: The CPA firm’s reliance on the work of the internal auditors depends on the structure of the organization and to whom the internal auditors report. If they do not report directly to the board of directors, then their positions may be compromised. Further, the quality and type of work conducted by the internal auditors will affect external auditors’ reliance.

3. Accounting firms are very concerned that their employees have excellent communication skills, both oral and written. Explain why this requirement is so important by giving examples of where these skills would be necessary in each of the three phases of an audit.
Response: During the planning phase of an audit, oral communication skills are used in interviews. Written communication skills are needed for recording the results of interviews and during observation and systems documentation reviews. In the tests of controls and substantive testing phases, oral communication skills are important when working with the client’s employees. Written communication skills are then vital in summarizing the results of tests.

4. Explain the audit objectives of existence or occurrence, completeness, rights and obligations, valuation or allocation, and presentation and disclosure.
Response:
The existence or occurrence assertion affirms that all assets and equities contained in the balance sheet exist and that all transactions in the income statement actually occurred.
The completeness assertion declares that no material assets, equities, or transactions have been omitted from the financial statements.
The rights and obligations assertion maintains that assets appearing on the balance sheet are owned by the entity and that the liabilities reported are obligations.
The valuation or allocation assertion states that assets and equities are valued in accordance with generally accepted accounting principles and that allocated amounts such as depreciation expense are calculated on a systematic and rational basis.
The presentation and disclosure assertion alleges that financial statement items are correctly classified (e.g., long-term liabilities will not mature within one year) and that footnote disclosures are adequate to avoid misleading the users of financial statements.

5. How has the Foreign Corrupt Practices Act of 1977 had a significant impact on organization management?
Response: The FCPA of 1977 requires that all companies registered with the Securities and Exchange Commission maintain an appropriate system of internal controls. Internal controls typically directly impact the organizational structure and segregation of functions.

6. Discuss the concept of exposure and explain why firms may tolerate some exposure.
Response: An exposure is the absence or weakness of an internal control. Sometimes cost-benefit analysis may indicate that the additional benefits of an internal control procedure may not exceed the costs. Thus, the firm may decide to tolerate some control risk associated with a particular exposure.

7. If detective controls signal errors, why shouldn’t they automatically make a correction to the identified error? Why are separate corrective controls necessary?
Response: For any detected error, more than one feasible corrective solution may exist, and the best course of action may not always be obvious. Thus, linking an automatic response to a detective control may worsen a problem by applying an inappropriate corrective action.

8. Most accounting firms allow married employees to work for the firm. However, they do not allow an employee to remain working for them if he or she marries an employee of one of their auditing clients. Why do you think this policy exists?
Response: The accounting firm must retain its independence from its clients. The auditor must not have the opportunity to collude, in any fashion, with any employees of its client. Having one spouse working for the client and the other working for the accounting firm would compromise the independence of the accounting firm.

9. Discuss whether a firm with fewer employees than there are incompatible tasks should rely more heavily on general authority than specific authority.
Response: Small firms with fewer employees than there are incompatible tasks should rely more heavily on specific authority. More approvals of decisions by management and increased supervision should be imposed in order to compensate some for the lack of separation of duties.

10. An organization’s internal audit department is usually considered to be an effective control mechanism for evaluating the organization’s internal structure. The Birch Company’s internal auditing function reports directly to the controller. Comment on the effectiveness of this organizational structure.
Response: Having the internal auditing function report to the controller is unacceptable. If the controller is aware of or involved in a fraud or defalcation, then he/she may give false or inaccurate information to the auditors. The possibility that the auditors may lose their jobs if they do not keep certain matters quiet also exists. Further, the fraud may be occurring at a level higher than the controller, and the controller may fear losing his/her job if the matter is pursued. The best route is to have the internal auditing function report directly to the audit committee.

11. According to COSO, the proper segregation of functions is an effective internal control procedure. Comment on the exposure (if any) caused by combining the tasks of paycheck preparation and distribution to employees.
Response: If a payroll employee were to prepare a paycheck for a nonexistent employee (perhaps under an alias or in the name of a relative), which is known as “ghost employee” fraud, and this employee also has the task of distributing the checks, then no one would be the wiser. On the other hand, if the checks go directly to another person, who then distributes the paychecks, the extra check should be discovered.

12. Discuss the key features of Section 302 of SOX.
Response: Section 302 requires that corporate management (including the CEO) certify quarterly and annually their organization’s internal controls over financial reporting. The certifying officers are required to:
a. have designed internal controls, and
b. disclose any material changes in the company’s internal controls that have occurred during the most recent fiscal quarter.

13. Discuss the key features of Section 404 of SOX.
Response: Section 404 requires the management of public companies to assess the effectiveness of their organization’s internal controls over financial reporting and provide an annual report addressing the following points:
a. a statement of management’s responsibility for establishing and maintaining adequate internal control,
b. an assessment of the effectiveness of the company’s internal controls over financial reporting,
c. a statement that the organization’s external auditors have issued an attestation report on management’s assessment of the company’s internal controls,
d. an explicit written conclusion as to the effectiveness of internal control over financial reporting, and
e. a statement identifying the framework used by management to conduct their assessment of internal controls.

14. Section 404 requires management to make a statement identifying the control framework used to conduct its assessment of internal controls. Discuss the options in selecting a control framework.
Response: The SEC has made specific reference to the Committee of the Sponsoring Organizations of the Treadway Commission (COSO) as a recommended control framework. Furthermore, the PCAOB’s Auditing Standard No. 5 endorses the use of
COSO as the framework for control assessment. Although other suitable frameworks have been published, according to Standard No. 5, any framework used should encompass all of COSO’s general themes.

15. Explain how general controls impact transaction integrity and the financial reporting process.
Response: Consider an organization with poor database security controls. In such a situation, even data processed by systems with adequate built-in application controls may be at risk. An individual who can circumvent database security may then change, steal, or corrupt stored transaction data. Thus, general controls are needed to ensure accurate financial reporting.

16. Prior to SOX, external auditors were required to be familiar with the client organization’s internal controls, but not test them. Explain.
Response: Prior to SOX, auditors had the option of not relying on internal controls in the conduct of an audit and therefore did not need to test them. Instead, auditors could focus primarily on substantive tests. Under SOX, management is required to make specific assertions regarding the effectiveness of internal controls. To attest to the validity of these assertions, auditors are required to test the controls.

17. Does a qualified opinion on management’s assessment of internal controls over the financial reporting system necessitate a qualified opinion on the financial statements? Explain.
Response: No. Auditors are permitted to simultaneously render a qualified opinion on management’s assessment of internal controls and render an unqualified opinion on the financial statements. Therefore, it is technically possible for auditors to determine that internal controls over financial reporting are weak, but conclude through substantive tests that the weaknesses do not cause the financial statements to be materially misrepresented.

18. The PCAOB Standard No. 5 specifically requires auditors to understand transaction flows in designing their tests of controls. What steps does this entail?
Response: In order to be in compliance with PCAOB Standard No. 5 auditors must do the following:
a. select the financial accounts that have material implications for financial reporting,
b. identify the application controls related to those accounts, and
c. identify the general controls that support the application controls.

19. What fraud detection responsibilities (if any) does SOX impose on auditors?
Response: Standard No. 2 places new responsibility on auditors to detect fraudulent activity. The standard emphasizes the importance of controls designed to prevent or detect fraud that could lead to material misstatement of the financial statements. Management is responsible for implementing such controls and auditors are expressly required to test them.

MULTIPLE CHOICE QUESTIONS

1. d
2. b
3. a
4. d
5. c
6. a
7. a
8. b
9. b
10. a

PROBLEMS

1. Segregation of Functions
Comment on the specific risks (if any) that are caused by the following combination of tasks.
a. A sales manager, who works on commission based on gross sales, approves credit and has the authority to write off uncollectible accounts.
b. The warehouse clerk, who has custodial responsibility over inventory in the warehouse, updates the inventory subsidiary ledger and prepares an inventory summary for the general ledger department.
c. The billing clerk bills customers and records sales in the sales journal.
d. The shop foreman approves and submits time cards to timekeeping and distributes paychecks to employees.
e. The accounting clerk posts to individual account receivable subsidiary accounts and performs the reconciliation of the subsidiary ledger and the general ledger control account.

Response:
a. This situation is in violation because the sales manager has the power of credit authorization as well as accounts receivable record keeping. The potential risk is that the manager may approve credit to a friend’s or relative’s business and then write off the account as bad.
b. This situation is in violation because the warehouse clerk has custodial responsibility as well as record keeping responsibility. The potential risk is that the clerk may steal inventory and use his record keeping authority to adjust the inventory records to hide the theft.
c. No risks due to combining these tasks. The billing clerk is responsible for recording sales in the sales journal after they have been shipped to the customer.
d. This situation is in violation because the foreman has authority to authorize time cards and also has asset custody (the employee pay check). The potential risk is
that the supervisor may submit a false time card for a terminated or non-existent employee and then keep the paycheck that results.
e. This situation is in violation because the accounting clerk both records transactions and verifies the accuracy of the recording. The purpose of reconciliation is to verify that the two sets of records are equivalent. The risk is that the accounting clerk may conceal errors or cover up balances that do not equal because of embezzlement of funds.

2. Segregation of Duties
Explain why each of the following combinations of tasks should, or should not, be separated to achieve adequate internal control.
a. Recording cash receipts in the journal and posting to the account receivable subsidiary ledger.
b. Preparation of accounts payable and distribution of payroll checks to employees (paymaster).
c. Posting of amounts from both the cash receipts and the cash disbursements journals to the general ledger.
d. Distribution of payroll checks to employees and approval of time cards.
e. Approval of bad debt write-offs and the reconciliation of accounts payable subsidiary ledger and the general ledger control account.

Response:
a. These two tasks need to be separated because the individual has asset custody and recordkeeping responsibility.
b. These two tasks do not need to be separated because they are independent of one another. AP clerks do not prepare payroll checks.
c. In neither case does the employee have access to the assets; therefore no danger exists.
d. These tasks should be separated. The potential risk is that the individual may submit a false time card for a terminated or non-existent employee and then keep the paycheck that results.
e. These tasks need not be separated because they are independent tasks.

3. Role of Internal Audit Function
Nano Circuits Inc. is a publicly traded company that produces electronic control circuits, which are used in many products. In an effort to comply with SOX, Nano is in the process of establishing an in-house internal audit function, which previously had been outsourced. The company began this process by hiring a Director of Internal Audits. Nano Circuits’ CEO recently called a planning meeting to discuss the roles of key corporate participants regarding the implementation and maintenance of internal controls. Central to this decision is the organizational placement of the future internal audit function and to whom the new Director of Internal Audit should report. In addition, Nano Circuits considered the need to reconstitute its Board of Directors Audit Committee. Participants at the meeting included the company president, the chief financial officer, a member of the audit committee, a partner from Nano Circuits’ external audit firm, and the Director of Internal Audits. Expectations and concerns presented by the meeting participants are summarized below.

CEO: The CEO expressed concern that Nano Circuits complies with SOX and PCAOB requirements and recommendations. The internal audit function should strengthen the organization’s internal control system by developing control policies and procedures and by detecting violations of policies and procedures.

CFO: The CFO saw the role of the internal audit function as one that should be focused primarily on financial issues and therefore, the director of Internal Audits should report to the CFO.

Audit committee member: The committee member felt strongly that the Audit Committee as currently constituted is appropriate and no changes need to be made. Although none of the committee members are trained accountants they all have extensive industry experience, they have all been associated with Nano Circuits in various capacities for many years, and are well qualified to fulfill their policy-oversight responsibilities.

External audit partner: The external audit partner pointed out that the internal audit function should be organized such that it supports a close working relationship with the external auditors. This would include monitoring internal control systems on a continuing basis to provide a body of evidence on which the external auditor can rely.

Director of Internal Audits: The Director of Internal Audits argued that the new IA function should focus more on operational auditing issues, but it also should play a role in the review of internal controls over financial reporting.

Required:
a. Describe the role that each of the following areas has in the establishment, maintenance, and evaluation of internal control:
i. Management
ii. External auditor
iii. Internal audit
b. To whom should the Director of Internal Audits report? Explain your answer.
c. Comment on the audit committee member’s perspective as to the committee’s current composition.

Response:
a. i. SOX requires management of public companies to implement an adequate system of internal controls over their financial reporting process. This includes controls over transaction processing systems that feed data to the financial reporting systems. In addition, Section 404 of SOX requires the management of public companies to assess the effectiveness of their organization’s internal controls. This entails providing an annual report addressing the following points:
1. Understand the flow of transactions, including IT aspects, in sufficient detail to identify points at which a misstatement could arise.
2. Using a risk-based approach, assess both the design and operating effectiveness of selected internal controls related to material accounts.
3. Assess the potential for fraud in the system and evaluate the controls designed to prevent or detect fraud.
4. Evaluate and conclude on the adequacy of controls over the financial statement reporting process.
5. Evaluate entity-wide (general) controls that correspond to the components of the COSO framework.

ii. The external auditor reviews the organization’s control structure per the COSO internal control model. This includes the control environment, risk assessment, information and communications, monitoring, and control procedures. The auditor issues an opinion on control adequacy and identifies any material weaknesses in internal controls.

iii. Internal auditors perform a wide range of activities on behalf of the organization, including conducting financial audits, examining an operation’s compliance with organizational policies, reviewing the organization’s compliance with legal obligations, evaluating operational efficiency, and detecting and pursuing fraud within the firm. For cost reduction and efficiency purposes internal auditors often cooperate with and assist external auditors in performing aspects of financial audits including tests of controls. For example, a team of internal auditors can perform tests of computer controls under the supervision of a single external auditor.

b. The Director of Internal Audits should report to the Board of Directors Audit Committee.
When an internal audit department reports directly to a department, the internal auditor’s independence is compromised, and the external auditor is prohibited by professional standards from relying on evidence provided by the internal auditors. In contrast, external auditors can rely in part on evidence gathered by internal audit departments that are organizationally independent and report to the board of directors’ audit committee.

c. The audit committee probably needs to be reconstituted to be in compliance with SOX. The audit committee serves as an independent “check and balance” for the internal audit function and liaison with external auditors. The audit committee must be willing to challenge the internal auditors as well as management, when necessary. To be effective:
The audit committee should consist of people who are outsiders (not associated with the families of executive management nor former officers, etc.).
With the advent of the Sarbanes-Oxley Act, at least one member of the audit committee must be a “financial expert.”

4. Internal Auditor Independence

Technical Solutions, Inc. is expanding and reorganizing its Internal Audit (IA) function. Currently the Director of Internal Audit, Sharon Kalafut, reports to the corporate controller, who receives and reviews all internal audit reports. Kalafut forwards copies of the internal audit reports to the audit committee of the board of directors and to the manager directly responsible for the function being audited.

An issue of contention among the management team pertains to which department or function the Director of Internal Audits should report. Martin Stevens, the CEO, wants to ensure that Technical Solutions complies with SOX and that the internal audit department is structured such that it strengthens the company’s internal control system. Also, an overarching objective for the reorganized audit function is that the external auditors are able to rely on the work performed by the internal audit department to a substantial degree. Arguments put forth by interested parties as to where the IA department should be organizationally located are presented below:

Chief Operations Officer (COO). John Sweeney, the COO of Technical Solutions, believes that the Director of IA should report to him. Under this arrangement the IA staff members would be involved in the preparation of policy statements on internal control regarding safeguarding of assets and in the design of business processes.

Chief Information Officer (CIO). Larry Rich, the CIO, has pushed hard to have the IA function report to him and take on an active role in the design, installation, and initial operation of a new computerized system. IA staff will be primarily concerned with the design and implementation of internal accounting controls and conduct the evaluation of these controls during the test runs and audits.

Corporate Controller. The controller, Linda Johnson, believes the IA group should remain within her functional area. Currently the IA staff performs a number of controller-related tasks. These include:

Internal auditors reconcile bank statements of the corporation each month. The controller believes this strengthens the internal control function because the internal auditor is not involved in either the receipt or the disbursement of cash.

Internal auditors review the annual budget each year for relevance and reasonableness before the budget is approved. At the end of each month, the controller’s staff analyzes the variances from budget and prepares explanations of these variances. These variances and explanations are then reviewed by the internal audit staff.

Finally, the internal auditors make accounting entries for complex transactions when employees of the accounting department are not adequately trained to handle such transactions. The controller believes this gives an added measure of assurance to the accurate recording of such transactions.

Required:
a. Define independence as it relates to the internal audit function.
b. For each of the proposed tasks to be performed by the IA function, explain whether Technical Solutions’ internal audit independence will be materially impaired. Consider each manager’s arguments independently.
c. To maintain independence, where should the Director of Internal Audits report? Explain your answer.

Response:
a. Internal auditor independence implies no subordination of judgment to another and arises from an independent mental attitude that views events on a factual basis without influence from organizational units to which IA is subordinate.

b. i. The internal auditor’s independence is not impaired by the preparation of policy statements on internal control. The preparation of policy statements to guide others in the development and implementation of internal controls is a responsibility of the internal audit staff.
ii. Auditor independence is impaired to the extent that the internal auditor is involved in the design and installation of computerized internal accounting controls being tested. Little confidence can be placed in audit findings issued by the individual who designed and installed the system being audited.
iii. The internal auditor’s independence is impaired by reconciling bank statements.

To maintain independence, the auditor should not perform operational assignments that are included as part of the independent evaluation and verification of a proper system of internal control. Separation of duties must be maintained.
iv. Objectivity is not impaired in the review of the budget for relevance and reasonableness if the internal auditor has no responsibility for establishing or implementing the budget. However, the review of variances and explanations would impair objectivity as this is an area that would normally be reviewed during an operational audit.
v. The preparation of complex accounting transactions will materially impair the internal auditor’s objectivity by involving the auditor in day-to-day operations.

c. The Director of Internal Audits should report to the Board of Directors Audit Committee.
The independence and competence of the internal audit staff determine the extent to which external auditors may cooperate with and rely on work performed by internal auditors. When the internal audit department reports directly to a department, such as the controller, the internal auditor’s independence is compromised, and the external auditor is prohibited by professional standards from relying on evidence provided by the internal auditors. In contrast, external auditors can rely in part on evidence gathered by internal audit departments that are organizationally independent and report to the board of directors’ audit committee.

5. Assessing Internal Control

The following describes the cash receipts procedures for a medium-sized online and catalogue-based retailer.

Customer payments come directly to the general mail room along with other mail items. The customer payments mail constitutes about 20 percent of the total mail received each day. The mailroom clerks sort through the mail, open the customer payment envelopes, remove the customer checks and remittance advices, and reconcile the two documents. The mailroom supervisor then sends the reconciled checks and remittance advices to the Accounts Receivable clerk, who posts the amounts received to the customer AR subsidiary ledger and the cash receipts journal from her computer terminal. The AR clerk then manually prepares a remittance list of all checks received, endorses the checks “for deposit only” and sends the checks and remittance list to the Treasurer. Finally, the clerk files the remittance advices in the AR department.

Once the checks and remittance list arrive at the Treasury department, the treasurer reconciles the documents, and manually prepares three hard copies of the deposit slip. Next, he sends the checks and two copies of the deposit slip to the bank. Finally, he files the third copy of the deposit slip and the remittance list in the department.

Required:
a) Identify the internal control weaknesses in the cash receipts process.
b) For each weakness, describe the associated risks.
c) For each weakness provide a possible control activity.

Response:

1.
a) Weakness: Mailroom clerks have access to checks and remittance advices.
b) Risk: The mailroom clerks who open the mail could steal the check and destroy the remittance advice and thus leave no record of the transaction.
c) Control: Mixing general mail and cash receipts mail in this way creates a chaotic environment that is difficult to control. The company should require the cash receipts to be sent to a separate PO Box, which could be a separate room or location. This smaller amount of similar mail can be better controlled through supervision.

2.
a) Weakness: The AR clerk receives checks and remittance advices from the mailroom supervisor.
b) Risk: The AR clerk has access to both asset and records. The clerk could steal the check and destroy the remittance advice to eliminate any record of the cash receipt. (See skimming in chapter 12 for details.)
c) Control: A remittance list should be prepared in the mailroom to control the checks and remittance advices. Any loss or theft of checks after they are recorded on the remittance list would result in a discrepancy between the remittance list and the checks that are deposited in the bank.

3.
a) Weakness: The AR clerk has responsibility for recording cash and updating the customer accounts.
b) Risk: The clerk could engage in a lapping fraud. (See chapter 12 for details.)
c) Control: Segregation of duties is needed to separate the tasks of recording accounts receivable and receiving cash receipts.