Chapter 10

Internal Control, Control Risk, and

Section 404 Audits

Review Questions

10-1 Management typically has three broad objectives in designing effective

internal controls.
1 Reliability of Financial Reporting Management is responsible for
preparing financial statements for investors, creditors, and other users.
Management has both a legal and professional responsibility to be sure
that the information is fairly presented in accordance with reporting
requirements such as GAAP or IFRS. The objective of effective
internal control over financial reporting is to fulfill these financial reporting
responsibilities.
2 Efficiency and Effectiveness of Operations
Controls within an
organization are meant to encourage efficient and effective use of its
resources to optimize the companys goals. An important objective of
these controls is accurate financial and non-financial information about
the entitys operations for decision making.
3 Compliance with Laws and Regulations
Section 404 of the
SarbanesOxley Act requires all public companies to issue a report
about the operating effectiveness of internal control over financial
reporting. In addition to the legal provisions of Section 404, public,
nonpublic, and not-for-profit organizations are required to follow many
laws and regulations. Some relate to accounting only indirectly, such as
environmental protection and civil rights laws. Others are closely related
to accounting, such as income tax regulations and anti-fraud regulations
such as the Foreign Corrupt Practices Act of 1977 and certain provisions
of the SarbanesOxley Act.
10-2 Management designs systems of internal control to accomplish three
categories of objectives: financial reporting, operations, and compliance with laws and
regulations. The auditors focus in both the audit of financial statements and the audit
of internal controls is on those controls related to the reliability of financial reporting
plus those controls related to operations and to compliance with laws and regulations
objectives that could materially affect financial reporting.
10-3 Section 404(a) requires management of all public companies to issue an
internal control report that includes the following:

10-3 (continued)
A statement that management is responsible for establishing and
maintaining an adequate internal control structure and procedures for
financial reporting and
An assessment of the effectiveness of the internal control structure and
procedures for financial reporting as of the end of the companys fiscal
year.

10-4 Managements assessment of internal control over financial reporting

consists of two key characteristics. First, management must evaluate the design of
internal control over financial reporting. Second, management must test the operating
effectiveness of those controls. When evaluating the design of internal control over
financial reporting, management evaluates whether the controls are designed to
prevent or detect material misstatements in the financial statements. When testing the
operating effectiveness of those controls, the objective is to determine whether the
control is operating as designed and whether the person performing the control
possesses the necessary authority and qualifications to perform the control effectively.
10-5 There are eight parts of the planning phase of audits: accept client and perform
initial planning, understand the clients business and industry, assess client business
risk, perform preliminary analytical procedures, set materiality and assess acceptable
audit risk and inherent risk, understand internal control and assess control risk, gather
information to assess fraud risks, and develop an overall audit plan and audit program.
Understanding internal control and assessing control risk is therefore part six of
planning. Only gathering information to assess fraud risk and developing an overall
audit plan and audit program follow understanding internal control and assessing
control risk.
10-6 The Responsibilities Principle underlying GAAS emphasizes the importance of
obtaining an understanding of the entity and its environment in order to assess the risk
of material misstatements. That involves understanding the clients system of internal
control in order to determine the extent to which controls address important
business risks. The auditor obtains the understanding of internal control to assess
control risk in every audit and that responsibility is the same for audits of both public
and nonpublic companies. However, the nature of the understanding is likely to be
more extensive when the auditor is reporting on the effectiveness of internal control
over financial reporting.
10-7 PCAOB Auditing Standard 5 requires that the auditor issue a report on the
effectiveness of internal control over financial reporting. To express an opinion on
internal controls, the auditor obtains an understanding of and performs tests of
controls related to all significant account balances, classes of transactions, and
disclosures and related assertions in the financial statements. PCAOB Auditing
Standard 5 requires the auditors independent assessment of the internal controls
design and operating effectiveness.

10-8

The six transaction-related audit objectives are:

1.
2.
3.
4.
5.
6.

Recorded transactions exist (occurrence).

Existing transactions are recorded (completeness).
Recorded transactions are stated at the correct amounts (accuracy).
Recorded transactions are properly included in the master files and
correctly summarized (posting and summarization).
Transactions are properly classified (classification).
Transactions are recorded on the correct dates (timing).

10-9
The COSO Internal Control Integrated Framework is the most widely
accepted internal control framework in the U.S. The COSO framework describes
internal control as consisting of five components that management designs and
implements to provide reasonable assurance that its control objectives will be met.
Each component contains many controls, but auditors concentrate on those designed
to prevent or detect material misstatements in the financial statements.
10-10 The COSO Internal Control Integrated Framework consists of the following five
components:
1
2
3
4
5

Control environment
Risk assessment
Control activities
Information and communication
Monitoring

10-11 The control environment consists of the actions, policies, and procedures that
reflect the overall attitudes of top management, directors, and owners of an entity
about internal control and its importance to the entity. The control environment
serves as the umbrella for the other four components. Without an effective control
environment, the other four are unlikely to result in effective internal control,
regardless of their quality. The following are the most important subcomponents the
control environment:

Integrity and ethical values

Commitment to competence
Board of directors or audit committee participation
Managements philosophy and operating style
Organizational structure
Assignment of authority and responsibility
Human resource policies and practices
10-12 Internal control includes five categories of controls that management designs
and implements to provide reasonable assurance that its control objectives will be
met. These are called the components internal control, which consists of the following:

The control environment

Risk assessment
Control activities

Information and communication

Monitoring
10-12 (continued)
The control environment is the broadest of the five and deals primarily with
the way management implements its attitude about internal controls. The other four
components are closely related to the control environment. Risk assessment is
managements identification and analysis of risks relevant to the preparation of
financial statements in accordance with accounting standards. Management
implements control activities and creates the accounting information and
communication system in response to risks identified as part of its risk assessment in
order to meet its objectives for financial reporting. Finally, management
periodically assesses the quality of internal control performance to determine that
controls are operating as intended and that they are modified as appropriate for
changes in conditions (monitoring). All five components are necessary for
effectively designed and implemented internal control.
10-13

The five categories of control activities are:

Adequate separation of duties

Example: The following two functions are performed by
different people: processing customer orders and billing of
customers.

Proper authorization of transactions and activities

Example: The granting of credit is authorized before shipment
takes place.

Adequate documents and records

Example: Recording of sales is supported by authorized
shipping documents and approved customer orders.

Physical control over assets and records

Example: A password is required before an entry can be made into
the computerized accounts receivable master file.

Independent checks on performance

Example: Bill clerk verifies prices and quantities on sales invoices
before they are sent to customers.

10-14 Separation of operational responsibility from record keeping is intended to

reduce the likelihood of operational personnel biasing the results of their
performance by incorrectly recording information.
Separation of the custody of assets from accounting for these assets is
intended to prevent misappropriation of assets. When one person performs both
functions, the possibility of that persons disposal of the asset for personal gain and
adjustment of the records to relieve himself or herself of responsibility for the asset
without detection increases.

10-15 An example of a physical control the client can use to protect each of the
following assets or records is:
1.
2.
3.
4.
5.
6.
7.

Petty cash should be kept locked in a fireproof safe.

Cash received by retail clerks should be entered into a cash register to
record all cash received.
Accounts receivable records should be stored in a locked, fireproof safe.
Adequate backup copies of computerized records should be maintained
and access to the master files should be restricted via passwords.
Raw material inventory should be retained in a locked storeroom with a
reliable and competent employee controlling access.
Perishable tools should be stored in a locked storeroom under control
of a reliable employee.
Manufacturing equipment should be kept in an area protected by security
and fire alarms and kept locked when not in use.
Marketable securities should be stored in a safety deposit vault.

10-16 Independent checks on performance are internal control activities designed for
the continuous internal verification of other controls. Examples of independent checks
include:

Preparation of the monthly bank reconciliation by an individual with no responsibility

for recording transactions or handling cash.
Recomputing inventory extensions for a listing of inventory by someone who did
not originally do the extensions.
The preparation of the sales journal by one person and the accounts receivable
master file by a different person, and a reconciliation of the control account to the
master file.
The counting of inventory by two different count teams.
The existence of an effective internal audit staff.
10-17 As illustrated by Figure 10-3, there are four phases in the process of
understanding internal control and assessing control risk. In the first phase the
auditor obtains an understanding of internal controls, which includes an
understanding of their design and whether they have been implemented. Next the
auditor must make a preliminary assessment of control risk (phase 2) and perform
tests of controls (phase 3). The auditor uses the results of tests of controls to
assess control risk and to ultimately decide planned detection risk and substantive
tests for the audit of financial statements, which is phase 4.
10-18 When obtaining an understanding of internal control, the auditor must assess
two aspects about those controls. First, the auditor must gather evidence about the
design of internal controls. Second, the auditor must gather evidence about whether
those controls have been implemented.

10-19 In a walkthrough of internal control, the auditor selects one or a few

documents for the initiation of a transaction type and traces them through the entire
accounting process. At each stage of processing, the auditor makes inquiries and
observes current activities, in addition to examining completed documentation for
the transaction or transactions selected. Thus, the auditor combines observation,
inspection, and inquiry to conduct a walkthrough of internal control. PCAOB Auditing
Standard 5 requires the auditor to perform at least one walkthrough for each major
class of transactions.
10-20 For many control activities, documentation of their performance is more
objectively evaluated in contrast to the evaluation of the control environment. Due to
the nature of the subcomponents that constitute the control environment, such as
integrity and ethical values and commitment to competence, the nature of evidence
used to evaluate the control environment may differ somewhat from the nature of
evidence used to evaluate control activities. While auditors examine similar types of
evidence to assess both the control environment and control activities, they often
perform more extensive inquires and observation to assess the design and
implementation of control environment subcomponents, such as the entitys code of
conduct and whistleblowing system, so they can evaluate whether employees
understand those policies and procedures and to gain a sense as to the overall ethical
tone and perception of managements integrity. Because of the more judgmental
nature of many of the control environment subcomponents, auditors often make
numerous inquiries and perform extensive observation of client personnel in the
performance of policies and procedures to evaluate those subcomponents of the
control environment. While inquiry and observation may also be performed to
evaluate control activities, auditors frequently inspect documentation that
demonstrates a control activity was performed, such as examining signatures on
documents or matching of documentation supporting a transaction, and they often
reperform certain client performed procedures, such as the calculation of a transaction
amount.
10-21 A significant deficiency exists if one or more control deficiencies exist that are
less severe than a material weakness, but important enough to merit attention by
those responsible for oversight of the companys financial reporting. A material
weakness exists if a significant deficiency, by itself or in combination with other
significant deficiencies, results in a reasonable possibility that internal control will not
prevent or detect material financial statement misstatements. The presence of one
significant deficiency that is not deemed to be a material weakness may not affect the
auditors report. In that instance, the auditors report on internal control over financial
reporting would contain an unqualified opinion. However, if the deficiency is deemed
to be a material weakness, the auditor must express an adverse opinion on the
effectiveness of internal control over financial reporting.
10-22 The most important internal control deficiency that permitted the defalcation
to occur was the failure to adequately segregate the accounting responsibility of
recording billings in the sales journal from the custodial responsibility of receiving
the cash. Regardless of how trustworthy James appeared, no employee should be given

the combined duties of custody of assets and accounting for those assets.
10-23 Maier is correct in her belief that internal controls frequently do not
function in the manner they are supposed to. However, regardless of this, her
approach ignores the value of beginning the understanding of internal control by
preparing or reviewing a rough flowchart. Obtaining an early understanding of the
clients internal control will provide Maier with a basis for a decision about further audit
procedures and sample sizes based on assessed control risk. By not obtaining an
understanding of internal control until later in the engagement, Maier risks performing
either too much or too little work, or emphasizing the wrong areas during her audit.
10-24 The extent of controls tested by auditors to express an opinion on internal
controls for a public company is significantly greater than that tested solely to express
an opinion on the financial statements. To express an opinion on internal controls for a
public company, the auditor obtains an understanding of and performs tests of
controls for all significant account balances, classes of transactions, and
disclosures and related assertions in the financial statements. In contrast, the extent of
controls tested by an auditor of a nonpublic company is dependent on the auditors
assessment of control risk. Whenever the auditor assesses control risk below
maximum, the auditor must perform tests of controls to support that control risk
assessment. The auditor will not perform tests of controls when the auditor assesses
control risk at maximum. When control risk is assessed below the maximum, the
auditor designs and performs a combination of tests of controls and substantive
procedures. Thus, for a nonpublic company, the tests of controls vary based on the
auditors assessment of control risk.
10-25 Entity level controls, such as the effectiveness of the board of directors and
audit committees oversight, can have a pervasive affect on many different
transaction-level controls. If entity-level controls are deemed to be deficient, then there
is greater likelihood that transaction-level controls may be ineffective in their design or
operation. In contrast, if entity-level controls are deemed to be highly effective, the
auditor may be able to place greater reliance on those controls, which may provide
an opportunity to reduce testing of transaction-level controls thereby increasing the
efficiency of the audit procedures.
10-26 Auditing standards indicate that reliance can be placed on controls that were
tested in a prior year, except for controls that mitigate significant risks which must be
tested in the current year. Controls should be tested at least every three years, and
whenever there is a significant change in the control. Continued reliance on the
effectiveness of automated controls is appropriate if the auditor is satisfied that
general controls over the computer applications are adequate to identify any changes
to computerized processes. The ability to rely on prior year tests of automated controls
is due to the systematic nature of IT-based procedures. That is, once an automated
control is programmed to perform correctly, it should continue performing in that
manner until the underlying software program is changed. In contrast, manual
performed controls are generally tested each year because there is always a risk of
human error occurring in the performance of a manual control.

10-27 When the auditors risk assessment procedures identify significant risks, the
auditor is required to test the operating effectiveness of controls that mitigate these
risks in the current year audit, if the auditor plans to rely on those controls to support a
control risk assessment below 100%. Thus, tests of controls are required in the current
year audit for those controls the auditor plans to rely on to reduce control risk. The
greater the risk, the more the audit evidence the auditor should obtain that controls are
operating effectively.
10-28 The auditor may issue an unqualified opinion on internal control over financial
reporting when two conditions are present:
there are no identified material weaknesses; and
there have been no restrictions on the scope of the auditors work.

A scope limitation is the condition that would cause the auditor to express a
qualified opinion or a disclaimer of opinion on internal control over financial reporting.
This type of opinion is issued when the auditor is unable to determine if there are
material weaknesses, due to a restriction on the scope of the audit of internal control
over financial reporting or other circumstances where the auditor is unable to obtain
sufficient appropriate evidence.
10-29 PCAOB Auditing Standard 5 requires that the audit of the financial
statements and the audit of internal control over financial reporting be integrated. In an
integrated audit, the auditor must consider the results of audit procedures performed
to issue the audit report on the financial statements when issuing the audit report on
internal control. For example, if the auditor identifies a material misstatement in the
financial statements that was not initially identified by the companys internal controls,
the auditor should consider this as at least a significant deficiency, if not a material
weakness for purposes of reporting on internal control. In such circumstances, the
auditors report on the financial statements may be unqualified as long as management
corrected the misstatement before issuing the financial statements. In contrast,
however, the auditors report on internal control must include an adverse opinion if the
auditor concludes it is a material weakness.

Multiple Choice Questions From CPA Examinations

10-30

a.

(3)

b.

(1)

c.

(1)

d.

(4)

10-31

a.

(3)

b.

(2)

c.

(4)

d.

(2)

10-32

a.

(2)

b.

(2)

c.

(4)

d.

(4)

10-38

a.

The size of a company has a significant effect on the nature of the

controls likely to exist. A small company has difficulty establishing

adequate separation of duties and justifying an internal audit staff.
However, a major type of control available in a small company is the
knowledge and concern of the top operating person, who is frequently
an owner-manager. His or her ability to understand and the entire
operation of the company is potentially a significant compensating
control. The owner-managers interest in the organization and close
relationship with the personnel enable him or her to evaluate the
competence of the employees and the effectiveness of internal
controls.
While some of the five control activities are unavailable in a small
company, especially adequate segregation of duties, it is still possible for
a small company to have proper authorization of transactions and
activities, adequate documents and records, physical controls over
assets and records, and, to a limited degree, independent checks on
performance.
10-38 (continued)
b.

Phersen and Collier take opposite and extreme views as to the credence
to be given internal control in a small firm. Phersen seems to treat a
small firm in the same manner as he would a large firm, which is
inefficient. Because many types of controls are usually lacking in a small
firm, especially one that is a nonpublic company, assessed control risk
should be increased and more extensive substantive tests must be used.
Because assessed control risk is higher, less emphasis is needed to
identify the internal controls.
Collier is not meeting the standards of the profession in that she
completely ignores the possibility of a severe deficiency in the system.
She must obtain an understanding of internal control to determine
whether it is possible to conduct an audit at all. Auditing standards
require, at a minimum, an understanding of internal control.
The auditor must understand the control environment and the flow of
transactions. It is not necessary, however, for the auditor to prepare
flowcharts or internal control questionnaires. The auditor of a nonpublic
company is required to provide a written report about significant
deficiencies or material weaknesses to those charged with governance,
which may be common on many small audit clients.

c.

Colliers approach is not acceptable when auditing either a public or

nonpublic company. Collier must obtain an understanding of internal
controls over financial reporting in all audits. When the auditor
assesses control risk below the maximum, which is generally the case for
public companies, the auditor must perform tests of controls to
determine whether key controls over financial reporting are operating
effectively. Those procedures must provide Collier a basis to express an

opinion about internal controls over financial reporting for accelerated

filer public companies.
d.
While Phersons approach includes procedures similar to those that would be
performed to obtain an understanding of internal controls, if Pherson is auditing a
public company, he may need to expand those procedures to ensure that enough
information is obtained about the design and operation of internal controls over
financial reporting. Furthermore, Pherson must perform tests of key controls over
financial reporting to provide a basis for expressing an opinion on internal controls
over financial reporting for accelerated filer public companies.