Part 1 Study Unit 9 Internal Controls – Risk and Procedures for Control By Ronald Schmidt, CMA,...

Part 1 Study Unit 9

Internal Controls – Risk and Procedures for Control

By Ronald Schmidt, CMA, CFM

Internal Controls

Management accountants are expected to have a thorough understanding of the risks inherent to, and the internal controls within, a business. Internal controls have always been a good idea in a well-run business, but with the passage of the Foreign Corrupt Practices Act in 1977, an effective internal control system became a legal requirement.

9.1 Risk and the Control Environment

• The Assessment and Management of Risk– Every organization faces risks, that is, unforeseen

obstacles to the pursuit of its objectives. Risk may take many forms and can originate from within or from outside the organizations.

– Can you name some risks?


• What is risk assessment?– It is a “process” to identify vulnerabilities.– There's always a trade-off between cost and benefit,

and therefore there's no 100% percent system of internal control.

– Is the ongoing process of designing and operating internal controls to help mitigate inherent risks.

– The severity of consequences and the likelihood of occurrence can help us quantify risks.

– Risk can also be assessed in qualitative terms. Can you give examples?


“Risk management is the ongoing process of designing and operating internal controls that mitigate the risks

identified in the organization's risk assessment. “

Risk can be quantified as a combination of two factors:1. Severity of consequences2. Likelihood of occurrence

Risk can also be assessed in qualitative terms see example on page 327


• The AICPA audit risk model– Inherent risk (IR) is the susceptibility of one of the

company's objectives to obstacles arising from the nature of the objectives.

– Control risk (CR) is the risk that the control put in place will fail to prevent an obstacle from interfering with the achievement of the objectives.

– Detection risk (DR) is the risk that an obstacle to an objective will not be detected before loss has occurred.

– Total risk (TR) equals IR X CR X DR


• IMA's Management Accounting Glossary defines internal control as follows:And otherwise) established by management to carry on the business of the enterprise in an orderly and efficient manner, to ensure adherence to management policies, safeguard the assets, and ensure as far as possible the completeness and accuracy of the records.

Whose responsibility is the design and operation's system of internal controls?


• Design and operations of an organization's system of internal controls is the responsibility of management.

• Section 404 of the Sarbanes-Oxley act of 2002 requires publicly traded companies to issue a report stating that:– Management takes responsibility for establishing and

maintaining the firm's system of internal controls, and– That the system has been functioning effectively over

the reporting period.


• What does PCAOB stand for?• Part of an annual report is the assessment of the

company's internal controls.• AS 5 issued by PCAOB requires the external auditors to

express an opinion on both a system of internal control and the fair representation of financial statements.

• AS 5 focuses on material weaknesses.• With respect to the AICPA's auditing standards, material

weakness is a deficiency, or combination of deficiencies, and internal controls that result in a reasonable possibility of a material misstatement.


• COSO Control Objectives defined internal control as:Internal control is broadly defined as a process, affected by an entities Board of Directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

• Effectiveness and efficiency of operation• Reliability of financial reporting• Compliance with applicable laws and regulations


• Effectiveness and efficiency of operations relate to the achievement of an entities mission. Internal controls must be designed so that they focus effort on the achievement of the organization's objectives.

• Reliably of financial reporting is needed for investors and creditors to make sound decisions.

• Compliance with applicable laws and regulations entities must conduct activities according to applicable laws and regulations such as waste disposal, wage and hour issues and employee safety. The framework only states reasonable, not absolute would be economically impractical.


• COSO components of Internal Control include the:– Control environment, which sets the tone of an entity and

influences to control consciousness of personnel. – Risk assessment is the identification and analysis of relevant risk to

achievement of objectives.– Control activities are the policies and procedures that help ensure

management directives are carried out.– Information must be identified and captured, and communicated

in a form and timeframe that enable people to carry out their responsibilities.

– Internal control system need to be monitored, which is management's timely assessment and taking of corrective actions.


• Control environment– Attitudes and actions of the Board of Directors and

upper management. This includes:• Organizational structure• Policies• Objectives and goals• Management philosophy and operating style• Assignment of authority and responsibility


• What is the Board of Directors role?– Governing authority– Overall corporate policy– Fiduciary responsibility or duty– Reasonable care– They typically:

• Selecting remove officers• Determined the capital structure• Add, and amend, or repeal bylaws• Initiate fundamental changes, such as mergers and divestitures• Clear dividends• Set the compensation of officers and management


• Audit committee's role– Subcommittee of the Board of Directors whose

purpose is to help keep the external auditors independent of management

• The importance of human resource policies and practices– Hiring standards– training policies– commitment to competence

9.1 Question 1

A. Profit margins are maximized, and operational efficiency is optimized.

B. The chief accounting officer reviews all accounting transactions.

C. Corporate morale problems are addressed immediately and effectively.

D. Financial reporting is reliable.

One of the financial statement auditor’s major concerns is to ascertain whether internal control is designed to provide reasonable assurance that

9.1 Question 1 AnswerCorrect Answer: D

Internal control is designed to provide reasonable assurance of the achievement of objectives in the categories of (1) reliability of financial reporting, (2) effectiveness and efficiency of operations, and (3) compliance with laws and regulations. Controls relevant to a financial statement audit ordinarily pertain to the objective of preparing external financial statements that are fairly presented in conformity with GAAP or another comprehensive basis of accounting.

Incorrect Answers:

A: Many factors beyond the purview of the auditor affect profits, and the controls related to operational efficiency are usually not directly relevant to an audit.

B: The chief accounting officer need not review all accounting transactions.

C: Controls relevant to a financial statement audit do not concern the treatment of corporate morale problems.

9.1 Question 2

A.Submit copies of all engagement communications to the CEO and audit committee.

B. Strengthen independence through organizational status.

C.Discuss all pending engagement communications to the CEO with the audit committee.

D.Request board establishment of policies covering the internal audit activity’s (IAA’s) relationships with the audit committee.

To avoid creating conflict between the chief executive officer (CEO) and the audit committee, the chief audit executive (CAE) should

9.1 Question 2 AnswerCorrect Answer: D

To avoid conflict between the CEO and the audit committee, the CAE should request that the board establish policies covering the IAA’s relationships with the audit committee. The CAE should have regular communication with the board, audit committee, or other appropriate governing authority. Furthermore, the board should approve a charter that defines the purpose, authority, and responsibility of the IAA.

Incorrect Answers:

A: The CEO and audit committee most likely should receive summary reports. Senior management and the board ordinarily are not involved in the details of internal audit work.

B: Independence is not sufficient to avert conflict unless reporting relationships are well defined.

C: The CEO and audit committee most likely should receive summary reports. Senior management and the board ordinarily are not involved in the details of internal audit work.

9.1 Question 3

A. Auditors must quantify control risk in numeric terms.

B.A publicly-traded firm must establish and maintain a system of internal accounting control.

C.External auditors must express an opinion on a firm’s internal control at the same time as the opinion on the financial statements.

D.Publicly-traded firms must address each of the five interrelated components of internal control.

The PCAOB’s Auditing Standard (AS) 5 focuses on internal controls in their relation to the fair presentation of financial statements. One requirement of AS 5 is that

9.1 Question 3 Answer• Correct Answer: C

In fulfillment of the requirements of PCAOB AS 5, external auditors must express an opinion on a firm’s internal control at the same time as the opinion on the financial statements.

Incorrect Answers:

A: Risk may be measured in quantitative or qualitative terms.

B: The requirement to establish and maintain a system of internal accounting control is a part of the Foreign Corrupt Practices Act.

D: Addressing internal control as a group of five interrelated components is a feature of the COSO model of internal control.

9.1 Question 4

Internal controls are designed to provide reasonable assurance that

A Material errors or fraud will be prevented or detected and corrected within a timely period by employees in the course of performing their assigned duties.

B Management’s plans have not been circumvented by worker collusion.

C The internal auditing department’s guidance and oversight of management’s performance is accomplished economically and efficiently.

D Management’s planning, organizing, and directing processes are properly evaluated.

9.1 Question 4 Answer

Correct Answer: A

Reasonable assurance is provided when cost-effective actions are taken to restrict deviations to a tolerable level. This implies, for example, that material errors and improper or illegal acts will be prevented or detected and corrected within a timely period by employees in the normal course of performing their assigned duties. The cost-benefit relationship is considered by management during the design of systems. The potential loss associated with any exposure or risk is weighed against the cost to control it.

9.1 Question 5

Which one of the following options would be most effective in deterring the commission of fraud?

A Policies of strong internal control, segregation of duties, and requiring employees to take vacations.

B Policies of strong internal control and punishments for unethical behavior.

C Employee training, segregation of duties, and punishment for unethical behavior.

D Hiring ethical employees, employee training, and segregation of duties.


Correct Answer: A

Strong internal control policies are essential for establishing the “tone at the top.” Segregation of duties is one of the most fundamental forms of internal control. Requiring vacations makes it difficult for employees to carry on undiscovered fraud in the absence of collusion.

9.2 Control Procedures

• The control process includes:– Establishing standards for the operation to be

controlled,– Measuring performance against the standards,– Examining and analyzing deviations,– Taking corrective actions, and– Reappraising the standards based on experience


• Types of controls– Primary controls include:

• Preventive controls to deter the occurrence of unwanted events.

• Detective controls which alert after an unwanted event.• Corrective controls to correct the negative effects of

unwanted events.• Direct of controls which cause or encouraging currents of

desirable events

Continued

9.2 Control Procedures• Secondary controls include:

• Compensatory (mitigate) controls may reduce risk when the primary controls are ineffective.

• Complementary controls work with other controls to reduce risk to an acceptable level.

• Time-based classifications:– Feedback controls– Concurrent controls– Feedforward controls

Continued


• Financial versus Operating controls:– Financial controls should be based on relevant

establish accounting principles– Operating controls applied to production and support

activities are also called administrative controls

• People-Based versus System-Based controls– People-based controls are dependent on the intervention of

humans for their proper operation.– System-based controls are executed whenever needed with

no human intervention.

Continued


• Control activities are designed in place in operation to ensure that management's directives are executed, and include:

– Segregation of duties, including four basic functional responsibilities

– Independent checks verifications– Safeguarding controls– Pre-numbered forms– Specific document flow

Continued


• Segregation of duties include:– Independent checks and verifications–Safeguarding controls–Pre-numbered forms–Specific document flow

See examples starting at the bottom of page 335

9.2 Question 1

A. Authorizing a transaction records it.

B.Authorizing a transaction maintain custody of the asset that resulted from the transaction.

C.Maintaining custody of an asset be entitled to access the accounting records for the asset.

D.Recording a transaction not compare the accounting record of the asset with the asset itself.

A proper segregation of duties requires that an individual

9.2 Question 1 Answer• Correct Answer: D

One person should not be responsible for all phases of a transaction, i.e., for authorization, recording, and custodianship of the related assets. These duties should be performed by separate individuals to reduce the opportunities for any person to be in a position of both perpetrating and concealing errors or fraud in the normal course of his/her duties. For instance, an employee who receives and lists cash receipts should not be responsible for comparing the recorded accountability for cash with existing amounts.

Incorrect Answers:

A: Authorization and recordkeeping should be separate.

B: Authorization and asset custody should be separate.

C: Recordkeeping and asset custody should be separate.

9.2 Question 2

A. A requirement for double endorsement of checks.

B. The cancellation of vouchers by accounting personnel.

C. The cancellation of vouchers by treasurer personnel.

D. The mailing of payments directly to payees by accounting personnel.

The procedure that would best discourage the resubmission of vendor invoices after they have been paid is

9.2 Question 2 Answer• Correct Answer: C

Canceling vouchers and supporting papers (with perforations, ink, etc.) upon payment prevents the payment of a duplicate voucher. If the person signing the check does the canceling, the documents cannot be recycled for duplicate payments. Securing the paid-voucher file from access by the accounts payable clerk is another effective control.

Incorrect Answers:

A: A single endorsement is not a control weakness if the person who signs does not have incompatible functions and if proper documentation is required before signing.

B: The vouchers should not be canceled before payment.

D: Mailing payments directly to payees does not prevent a second use of invoices by unethical personnel. Also, record keepers should not have access to signed checks.

9.2 Question 3

A.Approval of bad debt write-offs, and reconciliation of the accounts payable subsidiary ledger and controlling account.

B. Distribution of payroll checks and approval of sales returns for credit.

C.Posting of amounts from both the cash receipts journal and cash payments journal to the general ledger.

D. Recording of cash receipts and preparation of bank reconciliations.

If internal control is well designed, two tasks that should be performed by different persons are


Recording of cash establishes accountability for assets. The bank reconciliation compares that recorded accountability with actual assets. The recording of cash receipts and preparation of bank reconciliations should therefore be performed by different individuals since the preparer of a reconciliation could conceal a cash shortage. For example, if a cashier both prepares the bank deposit and performs the reconciliation, (s)he could embezzle cash and conceal the theft by falsifying the reconciliation.

Incorrect Answers:

A: There is no conflict between writing off bad debts (accounts receivable) and reconciling accounts payable, which are liabilities.

B: Distribution of payroll checks and approval of sales returns are independent functions. People who perform such disparate tasks are unlikely to be able to perpetrate and conceal a fraud. In fact, some companies use personnel from an independent function to distribute payroll checks.

C: Posting both ledgers would cause no conflict as long as the individual involved did not have access to the actual cash. If a person has access to records but not the assets, there is no danger of embezzlement without collusion.

9.2 Question 4

One control objective of the financing/treasury cycle is the proper authorization of company transactions dealing with debt and equity instruments. Which of the following controls would best meet this objective?

A Separation of responsibility for custody of funds from recording of the transaction.

B Written company policies requiring review of major funding/repayment proposals by the board of directors.

C Use of an underwriter in all cases of new issue of debt or equity instruments.

D The company serves as its own registrar and transfer agent.


Correct Answer: B

The control objective of authorization concerns the proper execution of transactions in accordance with management’s wishes. One means of achieving this control objective is the establishment of policies as guides to action. When a decision affects the capitalization of the entity, a policy should be in force requiring review at the highest level.

9.2 Question 5

Management wishes to include in its internal controls over factory payroll a procedure to ensure that employees are paid only for work actually performed. To meet this objective, which of the following internal control actions would be most appropriate?

A Compare piecework records with inventory additions from production.

B Have supervisors distribute paychecks to employees in their sections.

C Use time cards.

D Keep unclaimed paychecks in a vault.


Correct Answer: A

Piecework is production that is compensated at a set amount per unit of output rather than time spent on the job. Comparing production amounts (inventory additions) with payments (piecework records) is therefore an appropriate control over payroll.

Essays

The essay portion of the exam will begin once you complete the multiple-choice section or

after three hours, whichever comes first.

Essays

• Essays test your understanding of how specific pieces of information relate to one another, and your ability to apply your knowledge to real-life situations.

• It requires understanding of the content and being able to make recommendations.

• Your strategy should be to learn the content first, then practice multiple-choice exam-type questions, then learn how to respond to essay questions.

Essays

• How to write essay answers– You will respond to the questions asked.

• Directly respond to the questions asked.• Are presented in a logic manner.• Demonstrate an appropriate understanding of the

subject matter.

Essays

• Use the same verbs (from the question) within your answer will ensure that you are responding directly and completely to the questions.– You need to have an understanding of:

• Financial statements• Time value of money concepts• Elementary statistics

Essays

• Writing Skills– Based on the use of:

• Use of standard English• Organization• Clarity

• When working through the essays, pay close attention the key words in the question, organize your response, and start writing the answer to the question.

Essays

• To make the best use of your time to complete the essay portion:– Take online tutorial to become familiar with the

testing screens. The tutorial is not part of your testing time and may be repeated. However, the tutorial time is limited to 20 minutes.

– Briefly skim through both essay questions and get an idea what each question is asking you to do (i.e. describe, analyze, calculate, etc.).

Continued

Essays

– You have one hour to complete the full essay exam (more if you have finished the multiple-choice section earlier than the three-hour limit). Determine how much time you will dedicate to each essay question.

– Start with the question you know best. Begin by writing key words, thoughts, facts, figures, and anything else that can be used to answer the question.

Continued

Essays

– Answer you answer one question, issues related to the other may occur to you. Write that information next to the appropriate question. This will build your confidence and give you a starting place when you begin the second question.

Continued

Essays

• To answer each question:– Read the entire question for requirements.– Be aware of the verb clues that delineate what is being asked.

This well help you formulate and organize your answer. Note that you may have more than task – define, interpret…

– Write the basic requirements in the answer space so that you are sure to address them.

– Begin your answer with one or two sentences that directly answer the question. If possible, rephrase the question’s essential terms in a statement that directly answers the question.

continued

Essays

– Use bullet points to show main ideas, and support each point with sufficient detail to show that you understand all the issues relevant to the question.

– Make it as easy as possible for graders to give you points. The goal is grading is to award you points, so show your thinking clearly and effectively. Do not write too little or too much.

– Finish your essay with one or two sentences that summarize you main point(s).

– Proofread you answer for logic, thoroughness, and clarity.continued

Essays

– Keep track of time. Do not spend too much time on one question.

– If you do not have enough time to write a full essay, write an outline of your main points to show what you know in order to get partial credit.

Essays

• Each essay question actually consists of several related questions based on one scenario.

• The question as a whole is worth a set number of points and is graded against a scorecard to ensure consistent grading.

• The scorecard list appropriate terms, topics, and ideas that address the answer.

9.3 Legal Aspects of Internal Controls

• Foreign corrupt practices act had its origin in the Watergate investigation.– It amends the securities exchange act of 1934 which

was prohibit corrupt payments to any:• Foreign official• Foreign political party or official thereof• Candidate for political office in a foreign country• Payments to foreign business owners or corporate offices

are not addressed by the foreign corrupt practices act

Continued


• All public companies registered under 1934 act must devise and maintain a system of internal accounting control sufficient to provide reasonable assurance that:– Transactions are executed in accordance with management's

general or specific authorization– Transactions are recorded as necessary to permit the

operation of financial statements and to maintain accountability of assets

– Axis assets is permitted only in accordance with management's general specific authorization

– Recorded assets are compared with existing assets and appropriate action is taken with respect to any differences


• Sarbanes-Oxley act– Response to numerous financial reporting scandals involving large public

companies– The act applies to issuers of public traded securities subject to federal

securities laws– The act requires that each member of the audit committee, including at least

one or who is a financial expert, be an independent member of the issue's Board of Directors. An independent director is not affiliated with, and receives no compensation other than that for service on the board from the issuer

– Prohibit non-audit services– Audit partner rotation– Statutory financial reporting– Internal control report

Continued


• Sarbanes-Oxley section 201 - Services outside the scope of practice of auditors

• Sarbanes-Oxley section 203 - Audit partner rotation

• Sarbanes-Oxley section 302 - Corporate responsibility for financial reports


• Audit approaches include:– The substantive procedure approach - Also referred to as the

vouching approach– The balance sheet approach - Focus on balance sheet accounts,

with only limited procedures being carried out on income statement/profit loss accounts

– The systems-based approach - Requires auditors assess effectiveness of internal controls, and then to do direct substantive procedures primary to those areas where it is considered that system objectives will not be met

– In the risk-based approach - Audit resources are directed towards those areas of the financial statements it may contain misstatements as a consequence of the risk faced by the business

9.3 Question 1

A. Chief financial officer.

B. Board of directors.

C. Director of internal auditing.

D. Company as a whole with no designation of specific persons or positions.

The requirement of the Foreign Corrupt Practices Act of 1977 to devise and maintain adequate internal control is assigned in the Act to the


The accounting requirements apply to all public companies that must register under the Securities Exchange Act of 1934. The responsibility is thus placed on companies, not individuals.

Incorrect Answers:

A: Compliance with the FCPA is not the specific responsibility of the chief financial officer.

B: Compliance with the FCPA is not the specific responsibility of the board of directors.

C: Compliance with the FCPA is not the specific responsibility of the director of internal auditing.

9.3 Question 2

A.Keep records that reflect the transactions and dispositions of assets and to maintain a system of internal accounting controls.

B. Provide access to records by authorized agencies of the federal government.

C. Prepare financial statements in accord with international accounting standards.

D.Produce full, fair, and accurate periodic reports on foreign commerce and/or foreign political party affiliations.

A major impact of the Foreign Corrupt Practices Act of 1977 is that registrants subject to the Securities Exchange Act of 1934 are now required to

9.3 Question 2 Answer• Correct Answer: A

The main purpose of the Foreign Corrupt Practices Act of 1977 is to prevent bribery by firms that do business in foreign countries. A major ramification is that it requires all companies that must register with the SEC under the Securities Exchange Act of 1934 to maintain adequate accounting records and a system of internal accounting control.

Incorrect Answers:

B: Authorized agents of the federal government already have access to records of SEC registrants.

C: Although some international accounting standards have been promulgated, they are incomplete and have not gained widespread acceptance.

D: There are no requirements for providing periodic reports on foreign commerce or foreign political party affiliations.

9.3 Question 3

A. Companies must rotate their audit firms at least every 5 years.

B.Audit firms must rotate their engagement coordinating audit partner at least every 5 years.

C. Audit firms must rotate their engagement lead audit partner at least every 5 years.

D.Audit firms must rotate their engagement reviewing audit partner at least every 5 years.

Which of the following statements is false with respect to the auditor rotation provisions of Section 203 of the Sarbanes-Oxley Act of 2002?

9.3 Question 3 Answer• Correct Answer: A

Section 203 does not require companies to change their auditors every 5 years, or at any time.

Incorrect Answers:

B: This is a requirement of Section 203. Both lead (or coordinating) audit partners and reviewing audit partners cannot have served on the audit client’s engagement in the preceding 5 years.

C: This is a requirement of Section 203. Both lead (or coordinating) audit partners and reviewing audit partners cannot have served on the audit client’s engagement in the preceding 5 years.

D: This is a requirement of Section 203. Both lead (or coordinating) audit partners and reviewing audit partners cannot have served on the audit client’s engagement in the preceding 5 years.

9.3 Question 4

The Sarbanes-Oxley Act has strengthened auditor independence by requiring that management

A Engage auditors to report in accordance with the Foreign Corrupt Practices Act.

B Report the nature of disagreements with former auditors.

C Select auditors through audit committees.

D Hire a different CPA firm from the one that performs the audit to perform the company’s tax work.


Correct Answer: C

The Sarbanes-Oxley Act requires that the audit committee of a public company hire and pay the external auditors. Such affiliation inhibits management from changing auditors to gain acceptance of a questionable accounting method. Also, a potential successor auditor must inquire of the predecessor auditor before accepting an engagement.

9.3 Question 5

Which of the following statements is false with respect to the auditor rotation provisions of Section 203 of the Sarbanes-Oxley Act of 2002?

A Companies must rotate their audit firms at least every 5 years.

B Audit firms must rotate their engagement coordinating audit partner at least every 5 years.

C Audit firms must rotate their engagement lead audit partner at least every 5 years.

D Audit firms must rotate their engagement reviewing audit partner at least every 5 years.


Correct Answer: A

Section 203 does not require companies to change their auditors every 5 years, or at any time.

Part 1 Study Unit 9 Internal Controls – Risk and Procedures for Control By Ronald Schmidt, CMA,...

Documents

Transcript of Part 1 Study Unit 9 Internal Controls – Risk and Procedures for Control By Ronald Schmidt, CMA,...