
INTERNAL CONTROLS

UNDERSTANDING INTERNAL CONTROLS (6 steps UPDATED)


1. Understand the design of I/C (CRIME) and perform risk assessment procedures (AIIO).
The auditor must first obtain an understanding of the design of the entity's I/C
(CRIME) and then determine if the controls have been implemented/placed in
operation. Determining whether a control has been placed in operation is different
from determining whether it is operating effectively. Implementation of a control
means that the control exists and that the entity is using it.
This understanding is necessary in order to:
- Identify types of potential misstatements
- Consider factors that affect RMM
- Design the nature, timing and extent of further audit procedures
It will also be useful later when designing TOCs and substantive tests.

The auditor is not expected to search for sgf deficiencies in this phase. If a
control is improperly designed, it may represent a material weakness in the
entity's I/C. The 5 elements of I/C (CRIME) are:
- Control activities: the various policies and procedures that help ensure that
necessary actions are taken to address risks to achieving the entity's objectives.
The auditor should obtain an understanding of control activities relevant to the
audit. An audit does not require an understanding of all control activities. The
auditor uses info regarding the presence/absence of control activities to determine
areas that need attention. Such control activities include (PIPS):
o Performance reviews: establishing budgets and forecasts to identify variances
from expectations is a mgt control method that helps mgt supervise more
effectively. It provides a means for mgt to establish expectations, to compare
them to actual results, and then to follow up in areas where sgf diffs appeared.
Such budgets enable mgt to supervise more effectively than monitoring
compliance.
o Information processing: controls that check accuracy, completeness and
authorization of transactions. E.g. batch processing: the similar nature of the
transactions involved with batch processing ordinarily makes it relatively easy
to follow the transactions throughout the system. Here, transactions are
processed by type, not in the order they occur. Batch systems still exist and are
not expected to be replaced by online real-time processing well into the future.
Batch processing may be used for both database and non-database applications.
o Physical controls: activities that ensure physical security of assets and
records.
o Segregation of duties (ARCC): different people are assigned duties relating to
Authorization, Recording, Custody and Comparison.

- Risk assessment: the identification, analysis and mgt of risks relevant to the
preparation of F/S that are fairly presented in conformity with GAAP. Risk
assessment, for e.g., addresses how the entity deals with unrecorded transactions
once they are identified. Factors that commonly affect RMM are new events and rapid
growth and expansion. The ultimate purpose of assessing CR is to contribute to the
auditor's evaluation of the risk that MM may exist in the F/S. The assessment of CR
along with the assessment of IR aids the auditor in identifying where MM might exist
in the F/S.
Risk assessment procedures include (AIIO):
o AP (analytical procedures) using HIGH level data
o Inquiries of mgt and internal auditors
o Inspection of documents and records
o Observation of the application of specific controls
The knowledge obtained thru these procedures will be used to:
o Identify the types of potential misstatements
o Consider factors affecting RMM
o Assist in audit planning: determine the nature, timing and extent of further
audit procedures such as tests of controls and substantive procedures.
- Information and communication: communicates relevant info internally and
externally. Relates to the identification, capture and exchange of info and consists
of the procedures and records relevant to F/Rep objectives (including the a/cing
system). As such, the auditor should obtain sufficient knowledge of the IS to
understand the ff:
o Sgf classes of transactions in the entity's operations.
o Manual and automated procedures by which transactions are initiated, authorized,
recorded, processed and reported in the F/S.
o The related accounting records, supporting information, and specific accounts in
the financial statements involved in initiating, authorizing, recording,
processing, and reporting transactions.
o The financial reporting process used to prepare the entity's financial
statements, including significant accounting estimates and disclosures.
o Controls surrounding journal entries.

- Monitoring: a process that assesses the quality of I/C performance over time. Are
there ongoing activities and/or separate evaluations, and when any deficiencies are
discovered, are they evaluated and communicated properly? E.g. reviewing the
purchasing function. Note periodic audits are not ordinarily performed by the audit
committee (sub-committee of the BOD).

- Control Environment (CHOPPER): the control environment sets the tone for the
entire orgn and is the foundation for all other components of I/C.
o Commitment to competence
o Human resource policies & practices involving sound hiring and training policies
for new employees.
o Organizational structure: differences exist between a single-building b/s and a
MNC.
o Participation of governance: better if the audit committee actively monitors the
internal auditors and the internal auditors have direct access to the audit
committee.
o Philosophy of Mgt & Mgt operating style: if d/m involves more people then
employees will feel more a/cable.
o Ethical values & integrity: better to have honest employees. Mgt should have
zero tolerance for fraud.
o Responsibility assignment: no single person dominating d/making. External
policies established by parties outside the entity (as in the case of a federal
grant) are a positive influence.
Note: if mgt is dominated by one indv who is also a s/h, then mgt's attitude toward
financial reporting would significantly affect the control environment, which could
be counterbalanced by an active audit committee overseeing policies or by the
internal auditors having direct access to the BOD.
The auditor must obtain an understanding of the control environment BEFORE
determining the assessed level of CR. This understanding is then used to assess CR.
Understanding the design of the I/C is not sufficient to assess CR; the auditor also
needs to evaluate the operating effectiveness of the entity's I/C.

Note: Understanding relates only to whether the controls are in place and does not
require evaluating the operating effectiveness. It is the tests of controls that
evaluate the effectiveness of I/C.
When obtaining an understanding of an entity's I/C procedures, an auditor should
concentrate on the substance of the procedures rather than their form, because mgt
may establish appropriate procedures but not enforce compliance with them.
The auditor is not expected to search for significant deficiencies in the operation
of the I/C structure, nor is the auditor expected to determine whether control
procedures are suitably designed to prevent/detect material misstatements.
Resolution of deficiencies is imp in assessing the control environment.
GAAS requires the auditor to obtain an understanding of the I/C structure sufficient
to plan the audit. Note, however, that the auditor does not need to understand I/C
specifically related to an a/c (if it is both immaterial and has low IR) in order to
plan the audit, i.e. the auditor can skip some procedures.

Walkthrough is the procedure that involves literally tracing a transaction from its
origination thru the company's information systems until it is reflected in the
company's financial report. It provides evidence to:
- Confirm the auditor's understanding of the flow of transactions and the design
effectiveness of controls, i.e. evaluate effectiveness of design, not operating
effectiveness.
- Confirm whether controls have been implemented.
Performing a walkthrough is an efficient way of:
i. Understanding the flow of transactions in the entity
ii. Identifying points within the entity's processes at which MM due to fraud or
error could arise.
iii. Identifying controls that mgt has implemented to address potential
misstatements.
iv. Identifying the controls that mgt has implemented to prevent or timely detect
unauthorized acqn, use or disposition of company assets that could result in MM
of the F/S.
In performing a walkthrough, the auditor follows a transaction from origination
through the company's processes, including information systems, until it is
reflected in the company's financial records, using the same documents and
information technology that company personnel use. Walkthrough procedures usually
include a combination of inquiry, observation, inspection of relevant documentation,
and re-performance of controls. A simple spreadsheet program like Microsoft Excel is
sometimes used for storage and reporting of G/L transactions. Examples include:
o Following a transaction thru the company's processes
o Following a transaction thru the company's I/S, e.g. an ERP system
o Following a transaction thru the company's I/S, e.g. Microsoft Excel.
Example questions that would be asked of an employee: have you ever been asked to
override the process? What do you do when you find an error? What kind of errors
have you found?

2. Document the understanding of I/C (FIND)
Factors that most likely influence the form and extent of the auditor's
documentation of an entity's I/C are as follows:
- Nature, size and complexity of the industry
- I/C environment
- Availability of info from that entity
- Specific audit methodology
- Extent of technology used
The I/C are put in place to protect:
- The reliability of F/REP
- The effectiveness and efficiency of operations and,
- Its compliance with applicable laws and regulations.
The auditor is reqed to document key elements (CRIME) of I/C in the ff ways:
- Flowcharts: a visual depiction of I/C. It is a symbolic representation of a
system or series of sequential processes. This is particularly helpful in
determining if there is adequate segregation of duties. A CPA prepares flowcharts
to assemble I/C findings into a comprehensible format suitable for analysis.
o Advantages include: systematic approach, tailored to client, fairly easy to
review and understand, easy to update from year to year.
o Disadvantages include: tedious, time consuming to initially prepare, might fail
to recognize deficiencies if overly absorbed in details.
- ICQs (internal control questionnaires): a series of questions that can be answered
with a simple yes/no. The more yes answers, the better the controls.
o Main adv: easily identifies weaknesses in I/C thru the no answers; can have a
std form for many clients.
o Disadvantages include: these are generic, not tailored to the client;
irrelevant qs may annoy clients; client may conceal deficiencies by incorrect
answers.

- Narratives/memorandums: a detailed written description of the I/C structure.
Describes what is in the flowchart with words rather than symbols.
o Advantages: easy to understand and review by supervisors, can be tailored to
client, easy to prepare, can be as detailed as desired.
o Disadvantages include: not systematic, more unstructured, cumbersome; does not
clearly indicate whether there is adequate segregation of duties and other
weaknesses.
o Tested infrequently on the CPA exam.

- Decision tables/trees: help to list each possible condition and the actions that
will result from each (depicts the logic of an operation or process). It uses
yes/no questions and each answer directs the user to the next relevant question.
It is usually presented in tabular form. This is, however, a limited tool as it
cannot effectively document the entire structure.

3. Assessing RMM (planned audit risk level)
The auditor may use a substantive approach or a combined approach of both
substantive testing and tests of controls. The degree used depends on the reliance
that the auditor places on I/C. Reliance means the same thing as assessing CR at
less than the maximum level (therefore a higher level of DR may be accepted).
The auditor should identify and assess the RMM at the F/S level and at the relevant
assertion level related to classes of transactions, a/c balances and disclosures.
RMM at the assertion level:
- If the risk assessment is based on an expectation that controls are operating
effectively, the auditor should test the operating effectiveness of controls using
TOC. Note: TOC alone is not sufficient to base an audit opinion on (because a
minimum level of substantive testing is always needed to restrict DR). TOC will
always be combined with substantive testing (with a decreased scope of substantive
testing where reliance is high).
- If the risk assessment does not include an expectation that controls operate
effectively (for the reasons below), then use substantive testing, not TOC. In
other words, if the auditor places no reliance, i.e. CR is assessed at the maximum
level, then a wholly substantive audit approach is used.
- If the controls appear effective then a combined approach is used. The fact that
controls appear adequate means that TOCs must be performed before an auditor can
actually rely upon a control procedure to reduce CR.
- The assessment of CR at a low level requires that the auditor provide the basis
for reducing the assessment. The basis is provided by performing TOCs and
documenting the results which support a lowered CR assessment. In turn, the low CR
assessment enables the auditor to reduce the amount of substantive testing in an
area, thus increasing DR.
- The auditor is required to document the conclusion and the basis for that
conclusion regarding the assessed level of CR IN ALL CASES, whether maximum or
below maximum.
- In order to assess CR at below maximum, the auditor must collect evidence to
support the reduction. Collecting such evidence involves identifying specific I/C
relevant to specific assertions and then performing TOC to evaluate the
effectiveness of the controls. Such assertions may be found in the a/c balance,
transaction class or disclosure components. Based on the CR assessments, the
auditor determines the nature, timing, and extent of the auditing procedures to be
performed.
- If the auditor desires to further reduce the level of CR, he must first consider
whether additional evidence will be available to support such a reduction and
whether it would be efficient (cost-effective) to collect such evidence.
- Gaining an understanding of I/C and assessing CR may be performed concurrently.
Procedures performed to obtain an understanding of I/C may also be used to gather
the evidence needed to assess CR.
- Assessing CR at the maximum level means placing no reliance, usually because:
o Evaluating the effectiveness of the controls would be inefficient
o No sufficient evidential matter is available to support the assertions.
o Even if additional evidential matter is available, gathering that evidence
would not be efficient. Remember, the cost of gathering that additional
evidence should not be higher than the benefit derived from being able to
reduce substantive tests.
o Where there are few transactions involving large amounts, a substantive
approach would be more efficient and so the auditor would most likely assess
CR at the maximum level.
- DR is a function of the effectiveness of an auditing procedure and of its
application by the auditor. It is inversely related to the assurance provided by
substantive tests.

RMM at the F/S level: as the RMM increases, the auditor may have the following
overall responses:
- Assign more experienced staff to the engagement
- Provide closer supervision
- Use specialists
- Use more unpredictable audit procedures.

4. Tests of controls (RIIO)
The purpose of performing TOC is to verify that the controls that looked good on
paper (design effectiveness) were actually working as intended throughout the period
(operating effectiveness). This involves identifying specific controls that are
likely to detect or prevent MM and then performing TOCs to evaluate their
effectiveness. There are 4 procedures for testing controls:
- Re-performance of the control procedure
- Inspection of documents, reports and records
- Inquiry: the auditor asks client personnel involved in controls how effectively
certain controls were enforced.
- Observation: the auditor watches client personnel performing their regular
functions to see if controls are followed.
Remember, for the audit of a non-issuer, TOCs are only required when the auditor
relies on the controls, or when substantive tests alone are not sufficient to audit
particular assertions. TOCs are only performed on those controls that the auditor
plans to RELY ON.
In an audit of F/S in accordance with GAAS, an auditor is reqed to:
- Identify specific I/C structure procedures regarding F/S assertions
- Perform TOCs to evaluate effectiveness
- Determine whether procedures are suitably designed to prevent or detect material
misstatements
(Only if such controls are to be tested and used to reduce the CR assessment, or if
the control relates to sgf risk areas.)
If the auditor plans to use audit evidence obtained from prior audits and the
controls have not changed since they were last tested, the auditor should test the
operating effectiveness of such controls at least every 3rd year.
When the auditor plans to rely on controls that have changed since they were last
tested, the auditor should test the operating effectiveness of such controls in the
current audit.
The objective of tests of details of transactions performed as TOCs is NOT to detect
MM in the a/c balances (that is achieved thru substantive testing) but to evaluate
whether I/C operated effectively.
In a highly automated information processing system, substantive tests alone will
not be sufficient to restrict DR to an acceptable level and so some TOCs may be
required. When evidence is available only in electronic form, the auditor may find
that generalized audit software is the best and most efficient means to extract
evidence from the client's database.
The auditor would be least likely to be concerned about I/C as it relates to
shareholder meetings: the auditor will often attend the S/H meetings and be aware of
what has transpired, and important matters at such meetings are generally publicly
available anyway.

5. Reassess CR/RMM to determine DR (overall audit risk)
This is to determine the scope of substantive procedures based on DR. If TOC reveals
that the system operates as expected, then there is no need to change the scope of
the planned substantive procedures. Conversely, if the system does not operate as
effectively, then CR goes up; to bring DR down, increase substantive testing.
The auditor does not assess DR; the auditor controls/restricts DR based on the
assessments of IR and CR and the selection of the auditing procedures to be
performed.
The auditor is not required to obtain knowledge about the operating effectiveness of
I/C, i.e. to perform TOCs.
DR is effectively set by the auditor when decisions about the nature, timing and
extent of substantive audit procedures are made.
The ultimate purpose of assessing CR is to contribute to the auditor's evaluation of
the risk that MM exist in the F/S. Assessing CR & IR helps the auditor to identify
where misstatements might exist; the auditor then performs auditing procedures to
detect those misstatements.
Significant risks are those that the auditor believes require special audit
consideration, e.g. issues involving judgement.

6. Document conclusions
Documenting the assessed level of CR comes after the evaluation of the operating
effectiveness of the controls. The auditor is required to communicate sgf
deficiencies and material weaknesses to Mgt and those charged with governance.
The documentation must include:
- The basis of the risk assessment, and the justification for reducing the CR
assessment below maximum. If CR is assessed at maximum, the auditor is also reqed
to document that and the basis for it.
- Contradicting info in audit evidence.
- Major elements of the understanding of CRIME and RMM, the sources of info used for
that understanding, and the risk assessment procedures performed. This includes an
understanding of the a/cing system, which is part of the Information and
Communication component.
- Assessment of RMM at the F/S and at the assertion levels.
- Sgf risks identified and the related controls evaluated. Significant risks are
risks that the auditor believes require special audit consideration; usually these
involve judgmental matters like accounting estimates.
- Risks identified that require TOC to obtain sufficient audit evidence, and the
related controls evaluated.

REQUIRED COMMUNICATION
Under the AICPA professional stds, written communication is required no later than 60
days after the audit report release date (incl matters communicated orally during the
audit).
1. The auditor must communicate in writing the sgf deficiencies and material
weaknesses identified in the audit to Mgt and those charged with Governance.
Both categories of deficiencies should be reported separately.
2. Certain matters such as mgt integrity cannot be communicated to Mgt.
3. The auditor's written communication on I/C deficiencies identified in an audit
should include a disclaimer of opinion on the effectiveness of ICFR.
4. An auditor's letter issued on sgf deficiencies relating to an entity's I/C
observed during a F/S audit should indicate that the audit's purpose was to report
on the F/S and not to provide assurance on I/C.
5. Communication of I/C matters usually should be addressed to senior mgt and those
charged with governance.
6. Include definitions of sgf deficiency and material weakness in the report. The
definition of sgf deficiency may be excluded if no sgf deficiency was identified.
7. The auditor may include other lesser matters, e.g. minor I/C problems as well as
recommendations for improving controls.
8. A restriction on the distribution of the report, i.e. limited to the use of the
audit committee, mgt, or those charged with governance and others within the orgn,
not external parties.
The auditor should not issue a written communication that no sgf deficiencies were
identified during the audit.
The auditor is permitted to orally communicate I/C related matters during fieldwork
as deemed appropriate. However, the auditor must nonetheless communicate all material
weaknesses and sgf deficiencies in writing as reqed by prof stds, including those
that may have been communicated orally during fieldwork.

SIGNIFICANT DEFICIENCY
A significant deficiency is a deficiency (or combination of deficiencies) in I/C that
is less severe than a material weakness, yet important enough to merit attention by
those charged with governance. It is a control deficiency in the design or operation
of I/C that could adversely affect the entity's F/rep process. It must be reported to
Mgt and Governance if discovered during the audit. It could result from a failure in
the design of the I/C as well as a failure in the operation of an I/C. E.g. evidence
of a lack of objectivity by those responsible for making accounting decisions, or
ineffective oversight of F/rep by governance.
Factors to be considered in evaluating deficiencies include:
- Entity's size
- Complexity
- Nature and diversity of b/s activities.
Sgf deficiencies left uncorrected by mgt would not necessarily cause the auditor to
consider whether material misstatements exist, as Mgt may have cost-benefit
considerations when deciding whether to correct I/C weaknesses.
Sgf deficiencies do need to be recommunicated each year even if Mgt chooses not to
fix the deficiency.
Letters on sgf deficiencies are restricted as to distribution: only mgt, the audit
committee or governance and others within the orgn.

Compensating control: a control that lessens the severity of a material weakness or
sgf deficiency. For e.g., reconciliation of cash a/cs where a sgf control deficiency
regarding the processing of cash receipts exists. Or, allowing for greater mgt
oversight, esp. of incompatible duties, where there is a lack of adequate segregation
of duties in a small orgn.

Control deficiency: when the design or operation of a control does not allow mgt or
employees, in the normal course of performing their assigned functions, to prevent,
detect and correct MM on a timely basis. It does not explicitly consider the
likelihood of loss. All material weaknesses are control deficiencies.
- Deficiency in design: when a control necessary to meet the control objective is
missing, or when the control objective is not always met, even if the control
operates as designed.
- Deficiency in operation: when a properly designed control does not operate as
designed, or when the person performing the control does not have the authority or
competence to effectively perform the control.
2 factors that the auditor will consider when evaluating a control deficiency to
determine if it is a sgf deficiency or material weakness are probability and
magnitude. Probability relates to the likelihood of MM in the F/S: remote, reasonably
possible or probable. Magnitude of MM relates to immaterial or material.
o Remote and immaterial: control deficiency
o Reasonably possible and material: material weakness

MATERIAL WEAKNESS
A material weakness is a deficiency (or combination of deficiencies) in I/C such that
there is a reasonable possibility that a material misstatement of the entity's F/S
will not be prevented, or detected and corrected, on a timely basis. It is determined
by whether there is more than a remote likelihood of a material loss occurring due to
the control deficiency; the actual loss identified need not be material, though
usually material amounts are involved.
Reasonable possibility is defined as reasonably possible or probable, not moderate.
Reasonable assurance is more than a moderate level of assurance; usually it means a
high level of assurance.
The auditor should not issue a written communication stating that no sgf deficiencies
were identified; however, the auditor is permitted to add a comment that no material
weaknesses were identified.
Mgt may issue a written response, and if such a written response is included with the
auditor's communication, the auditor should add a paragraph to disclaim an opinion on
mgt's written response.
More than remote is the likelihood of loss due to a material weakness. No likelihood
threshold is given for a sgf deficiency or control deficiency.
Indicators of material weaknesses in I/C include:
- Ineffective oversight by the audit committee
- Fraud, material or immaterial, on the part of senior mgt
- Restatement of previously issued F/S to reflect the correction of a MM due to
fraud/error.
- Identification by the auditor of MM which would not have been detected by the
entity's I/C.

ASSERTIONS (UPERCV)
In order to assess CR below maximum, the auditor must collect evidence to support the
reduction. Collecting such evidence involves identifying specific I/C relevant to
specific assertions and then performing TOC to evaluate the effectiveness of the
controls. Such assertions may be found in the a/c balance, transaction class or
disclosure components. Based on the CR assessments, the auditor determines the
nature, timing, and extent of the auditing procedures to be performed.
Some specific applications of these assertions include:
- Understandability and classification: transactions & events have been recorded in
the proper a/cs and info is presented & described clearly.
- Presentation and disclosure: all transactions have been presented correctly and
disclosure made of any RP transactions.
- Existence or occurrence (vouching): all recorded transactions have actually taken
place. Here the auditor moves from the books to the source documents. E.g. vouching
the acquisition of assets with cancelled checks.
- Rights and obligations: confirms the right of ownership to assets, the right to
collect receivables, or the obligation to pay off liabilities. E.g., verifying that
securities in the safe deposit box are registered in the entity's name.
- Completeness (tracing) & cutoff: deals with whether all transactions are recorded.
E.g. tracing a bill of lading to the sales invoice. Or, comparing assets on record
(preferably pre-numbered) with a physical check.
- Valuation, allocation and accuracy: deals with whether a/cs are valued correctly,
e.g. current prices of recorded investments, A/R are likely to be collected.

TRANSACTION CYCLES
A transaction cycle is a group of essentially homogeneous transactions, i.e.
transactions of the same type. E.g. revenue, payroll, expenditures, inventory, FA,
investing/financing.
CR is generally constant within a particular category of transactions as all
transactions are processed in the same way. So the transaction cycle is the highest
level of aggregation for which CR may be viewed as a constant. Within a given
transaction cycle, CR is essentially constant.
To obtain an understanding of a manufacturing entity's I/C structure concerning any
transaction cycle, an auditor would most likely review the entity's policies and
procedures.

CASH RECEIPTS B/S CYCLE


Segregation of duties:
Receptionist opening mail, handling checks reced, verify amount of the
check with the amount identified on RA and preparing list of cash receipts.
Imp control - FIRST & ASAP prepare a (duplicate/pre) remittance listing of
checks received. This ensures that control over cash received is
established. Also, checks received should be endorsed for deposit only.
Send copy of this listing to cashier and A/R dept. The listing could
later be used to ensure that all checks were properly added to summary.
When a customer fails to include a Remittance advice (RA) with a
payment, the receptionist is expected to prepare one. This dept. has to be
independent of the sales function. The receptionist separates the RAs
from the checks and forwards them to the accounting dept so that the total
posted to the A/R ledger is independent from the amounts deposited in the
bank. In case the cashier steals the money he can falsify daily cash
summaries but not A/R which will be complete.
Custody is Cashier - receiving checks from mailroom along with a copy
of remittance listing prepared. The cashier is responsible for preparing
daily deposit slip and making daily deposits. The addition of checks to the
daily cash summary would be performed by the cashier. He/she is also
responsible for endorsing the checks. Receiving remittances from the
mailroom is a custodial duty and may be properly combined with the
preparation of the daily deposit slip.
Recording A/R dept maintains A/R records. It is supposed to receive
a copy of the remittance listing sent to update the subsidiary A/R records.
E.g. billing.

13
Review Supervisor - Each days cash receipts acc to listing compared to
agreement with each days deposit according to the bank
statement/validated deposit slips.
Review Supervisor - Bank reconciliations should be reviewed by an
appropriate supervisor and initialed to document approval.
Authorization Treasurers dept establishes credit policies, authn of
write-offs, custody of securities/cash.
Remember, lack of segregation of duties is an I/C weakness. Allowing the
sales dept to authorize credit memos is an I/C weakness that could permit
an employee defalcation scheme.
Adjusting journal entries should be approved by MGT.
Bank reconciliations should be reviewed by MGT.
A/R dept - Employees with access to cash receipts ordinarily should be bonded.
Bonding is a form of insurance against theft by a covered employee and
includes a background investigation by the bonding agent. Fidelity bonding insures
the company against loss from illegal acts by employees. Bonded employees must be
approved by the bonding company. As a result, fidelity bonding reduces the possibility
of employing dishonest individuals and deters dishonesty by making employees
aware that insurance companies may investigate and prosecute dishonest acts.
Establishing a bank lockbox system would provide the best control over
customer receipts because it would prevent employees from having
access to the receipts and so reduces the risk of diversion. Here the collection of
receivables is done directly by the bank, thereby eliminating employee contact
with the cash.
Where a clerk is responsible for both approving credit memos and has access to
cash, there is a high risk of fraud, as the clerk can collect money from a
customer and issue a fraudulent credit memo as the basis for the credit to the
customer's a/c. A responsible person should review credit memos after they are
recorded to see that a receiving report exists for the sales returns for which the
credit memos have been generated.
When A/R are written off they should be controlled for possible future collection,
and accordingly they should be recorded in a separate ledger to maintain
accountability. If they were simply written off and forgotten, there would be no
means of maintaining accountability over these contingent assets.
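The authorization/custody/recording split described above can be checked mechanically over a list of who holds which duty. The block below is an added example and not part of these notes; the duty names, their classification into the three functions and the sample users are all constructed for the illustration (a real check would load them from the access-control or ERP role tables).

```python
from dataclasses import dataclass
from itertools import combinations

# Each duty is classified into one of the three functions the notes say must be
# kept apart. This mapping is a constructed illustration for a revenue cycle,
# not a standard taxonomy.
DUTY_FUNCTION = {
    "approve_credit_memo": "authorization",
    "approve_write_off": "authorization",
    "grant_credit": "authorization",
    "receive_cash": "custody",
    "prepare_deposit": "custody",
    "post_ar_ledger": "recording",
    "prepare_remittance_listing": "recording",
    "bill_customer": "recording",
}


@dataclass(frozen=True)
class SodConflict:
    user: str
    duty_a: str
    duty_b: str

    def describe(self) -> str:
        return (f"{self.user}: {self.duty_a} ({DUTY_FUNCTION[self.duty_a]}) "
                f"conflicts with {self.duty_b} ({DUTY_FUNCTION[self.duty_b]})")


def find_sod_conflicts(assignments: dict) -> list:
    """Return every (user, duty pair) where one person holds duties from two
    different functions. An unclassified duty raises, so an unmapped privilege
    cannot silently pass the check."""
    conflicts = []
    for user, duties in sorted(assignments.items()):
        unknown = set(duties) - set(DUTY_FUNCTION)
        if unknown:
            raise ValueError(f"{user}: unclassified duties {sorted(unknown)}")
        for a, b in combinations(sorted(duties), 2):
            if DUTY_FUNCTION[a] != DUTY_FUNCTION[b]:
                conflicts.append(SodConflict(user, a, b))
    return conflicts


# Constructed sample assignments (not from the notes).
SAMPLE_ASSIGNMENTS = {
    "alice": {"receive_cash", "approve_credit_memo"},  # custody + authorization: the credit-memo case
    "bob": {"post_ar_ledger", "bill_customer"},        # both recording: no conflict
    "carol": {"receive_cash", "prepare_deposit"},      # both custody: the cashier's combined duties
    "dave": {"receive_cash", "post_ar_ledger"},        # custody + recording: lapping risk
}

if __name__ == "__main__":
    for conflict in find_sod_conflicts(SAMPLE_ASSIGNMENTS):
        print(conflict.describe())
```

Two duties within the same function (the cashier receiving checks and preparing the deposit slip) pass, exactly as the notes say they may be combined; a pair that crosses functions is reported for review or for a compensating control.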
In an ordinary sales transaction, authorization is required for the following:
Granting of credit - credit dept
Shipment of goods
Determination of discounts/write-offs - Treasurer
Selling of goods for cash - lack of specific authorization will not as such raise
concern, as the fact that cash is being received eliminates any credit problem
considerations. Also, at the point of selling goods for cash, decisions on matters
such as appropriate discounts will have already been made.
Lapping involves the altering of A/R records when cash that is intended for the
payment of a receivable is misappropriated. It occurs when a remittance received
from one customer is stolen and the shortage is hidden by crediting the first
customer's a/c with the cash received from a second customer; the second
customer's a/c is in turn covered by a later receipt, and so on. It is best
prevented by separating custody from recording, i.e. segregation of duties
between those receiving cash and those posting to the A/R ledger. Best audit
procedure: comparing the dates checks are deposited per the bank statements
with the dates the remittance credits are recorded. Remember, lapping will
result in a delay in the recording of specific remittance credits, but the checks
themselves will still be deposited on the same day. Another way to prevent
lapping is to have customers send payments directly to the company's depository bank.
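The audit procedure just described (deposit date per the bank versus the date the remittance credit was posted) can be run as a script over the two records. This is an added example, not part of these notes; the check references, dates and customers are constructed so that two credits show the lapping pattern and one deposit was never posted at all.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Deposit:
    """One check as it appears on the bank statement / validated deposit slip."""
    check_ref: str
    deposited_on: date
    amount: float


@dataclass(frozen=True)
class RemittanceCredit:
    """One credit posted to a customer's account in the A/R subsidiary ledger."""
    check_ref: str
    posted_on: date
    customer: str
    amount: float


@dataclass
class LappingReport:
    delayed: dict                  # check_ref -> days between bank deposit and A/R posting
    deposits_without_credit: set   # deposited but never credited to any customer
    credits_without_deposit: set   # credited to a customer with no deposit behind it


def check_for_lapping(deposits, credits, tolerance_days=1):
    """Compare the date each check was deposited (per the bank) with the date
    its remittance credit was recorded in A/R. Lapping shows up as credits
    posted days after the deposit; the tolerance allows normal posting lag."""
    by_dep = {d.check_ref: d for d in deposits}
    by_cr = {c.check_ref: c for c in credits}
    delayed = {}
    for ref in by_dep.keys() & by_cr.keys():
        lag = (by_cr[ref].posted_on - by_dep[ref].deposited_on).days
        if lag > tolerance_days:
            delayed[ref] = lag
    return LappingReport(
        delayed=delayed,
        deposits_without_credit=set(by_dep) - set(by_cr),
        credits_without_deposit=set(by_cr) - set(by_dep),
    )


# Constructed sample data (not from the notes). CHK-1002 and CHK-1003 are
# deposited promptly but credited to their customers only when a later check
# arrives, the pattern described above; CHK-1005 was deposited but never posted.
SAMPLE_DEPOSITS = [
    Deposit("CHK-1001", date(2024, 3, 1), 500.00),
    Deposit("CHK-1002", date(2024, 3, 4), 700.00),
    Deposit("CHK-1003", date(2024, 3, 8), 700.00),
    Deposit("CHK-1004", date(2024, 3, 11), 250.00),
    Deposit("CHK-1005", date(2024, 3, 12), 300.00),
]
SAMPLE_CREDITS = [
    RemittanceCredit("CHK-1001", date(2024, 3, 1), "Customer A", 500.00),
    RemittanceCredit("CHK-1002", date(2024, 3, 8), "Customer B", 700.00),
    RemittanceCredit("CHK-1003", date(2024, 3, 11), "Customer C", 700.00),
    RemittanceCredit("CHK-1004", date(2024, 3, 11), "Customer D", 250.00),
]

if __name__ == "__main__":
    report = check_for_lapping(SAMPLE_DEPOSITS, SAMPLE_CREDITS)
    for ref, lag in sorted(report.delayed.items()):
        print(f"{ref}: A/R credit recorded {lag} days after deposit")
    print("deposited, never credited:", sorted(report.deposits_without_credit))
    print("credited, never deposited:", sorted(report.credits_without_deposit))
```

The tolerance is the one judgement call: a one-day posting lag is normal batch processing, while credits that consistently trail deposits by several days are the signature the notes describe, and unmatched entries in either direction are worth a separate look.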
Online systems are better than batch systems in that they enable shipments of
customer orders to be initiated as soon as the orders are received.
Pre-numbering is the standard cure for completeness, enabling all sales transactions
to be recorded.
A proper form of comparison over sales transactions involves matching the
customer's PO with the shipping document and sales invoice for agreement.
Indirect access to merchandise by unauthorized access to a company's computer system
can be controlled by computer passwords being periodically revised and limited
to authorized personnel.
An auditor may analyze the completeness of sales using cash receipts and
A/R, e.g. Cash receipts + A/R c/fwd - A/R b/fwd = estimate of sales.
Testing credit approval relates to the valuation assertion as it helps assure that
goods are shipped to customers who are likely to be able to pay.
Cut-offs relate to the completeness assertion - whether all transactions have
been recorded in the proper period.
Presentation assertion relates to whether F/S components are properly
classified, described and disclosed.
Likely frauds that can occur in the revenue cycle include shipping goods to
nonexistent customers (which are stolen by employees), failing to bill customers
(these could again be employees) for goods shipped, recording sales without an
underlying transaction in order to inflate the sales and accounts receivable
figures, creating fictitious credit memos for returned goods (a method of
stealing cash), and booking sales in periods earlier than they actually occurred
(to hike up the sales figures). A client most likely will overstate revenue and
accounts receivable in a fraudulent scheme. Authorization of credit
memos by personnel who also receive cash may permit the misappropriation of cash;
this is a likely scenario which would benefit either the entity or certain dishonest
employees.
SPENDING/DISBURSEMENT
Steps/Segregation
Authorization - Initiating depts authorize the requisition/request for
goods. This should not be performed by purchasing, as the same person
cannot authorize the request for goods as well as the purchase of goods.
Authorization - Purchasing dept verifies that requisitions are
properly completed and authorized. Also, the issue and approval of
purchase orders and negotiation of terms with vendors are both authorization
functions, as is the issue of debit/credit memos, which are then sent to the accounting
dept for recording. Purchasing will also send copies of POs to the receiving dept (preferably
with the quantity column left blank, to be filled in by the receiving dept).
Authorization - Voucher payable dept is responsible for reviewing
vouchers (incl. checking mathematical accuracy), verification of invoices
by matching with related supporting documentation (PO, receiving report)
and getting an authorized person to sign for payment. This also includes
indicating the asset and expense a/cs to be debited.
Authorization - A/P dept approves vendors' invoices for payment, i.e.
invoice verification: match the vendor's invoice with the receiving report and
purchase order to ensure that the item was both ordered and received.
Compare the invoice price to the purchase order price, ensure proper authorization of
the invoice and compare quantities ordered to quantities purchased. Ensuring
that the goods have been received by the party requesting the goods will
be something that A/P would be unable to determine, as normally goods
received are placed in stores. A/P then processes the payment for the invoice,
sends the check to the treasurer for signing and mailing and then files all
the supporting documentation after payment.
Custody - Treasurer signs checks and mails them and cancels all
supporting documentation. Mailing disbursement checks and RA (remittance advices) should
be controlled by the employee who signs the checks last, so there is less risk of
checks being diverted or modified before mailing. The same person also
cancels supporting documents to prevent duplicate payments for the same
invoice and stamps "paid" on the voucher to prevent double payment.
Custody - Receiving dept uses the approved purchase order copy from the
purchasing dept to accept incoming goods. I/C is strengthened when the
receiving dept personnel are unaware of the quantities ordered (because the quantity
ordered is omitted from the copy of the PO sent) so that they will provide an
independent count of quantities received.
Recordkeeping - Accounts dept posts the A/P records.
Review - reconciling the A/P ledger.
When the shipping dept returns goods to a vendor, the purchasing dept should
send a debit memo to the accounting dept. A debit memo advises accounting that
the vendor invoice should not be paid in full due to returned goods.
Not all payments made are vouchered, so the correct control test to detect
unauthorized payments would be examining a sample of cancelled checks.
If the auditor is concerned that invoices and vouchers are being paid and
destroyed, then you cannot take a sample of invoices or vouchers. The auditor would
select a sample of cash disbursements for inventory and trace each to the vendor
invoice, approved voucher and receiving report.
Voucher register records goods received through purchase. The main benefit of
maintaining an A/P subsidiary ledger over a voucher register is where partial payments to
vendors are continuously made in the ordinary course of business.
Pre-numbering is a control for completeness to ensure that no voucher got lost
and that all vouchers got recorded.
To determine whether checks are being issued for unauthorized expenditures,
examine a sample of cancelled checks.
If receiving reports are getting misplaced and are therefore missing, the auditor can
only identify receipt of goods through open purchase orders and vendor invoices.
Unrecorded payables = search for unrecorded liabilities = examine cash
disbursements after year-end, i.e. January of the following year. Payments made that month
are existing liabilities that should have been accrued at year-end.
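Tracing a sampled disbursement back to its approved voucher, vendor invoice, PO and receiving report, as the paragraph above describes, is a three-way match that can be scripted. The block below is an added example, not part of these notes; the vendors, document numbers, quantities and prices are constructed so that one check is fully supported and the others each fail a different step.

```python
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class PurchaseOrder:
    vendor: str
    qty: int
    unit_price: Decimal


@dataclass(frozen=True)
class Invoice:
    po: str
    vendor: str
    qty: int
    unit_price: Decimal


@dataclass(frozen=True)
class Voucher:
    invoice: str
    approved: bool


@dataclass(frozen=True)
class Disbursement:
    check_no: str
    vendor: str
    amount: Decimal
    voucher: str


def trace_disbursement(d, vouchers, invoices, pos, receipts):
    """Trace one cash disbursement back through voucher -> invoice -> PO ->
    receiving report. Returns the list of exceptions (empty means supported).
    Tracing stops at the first document that is missing, since later steps
    cannot be performed without it."""
    issues = []
    voucher = vouchers.get(d.voucher)
    if voucher is None:
        return [f"voucher {d.voucher} not on file"]
    if not voucher.approved:
        issues.append(f"voucher {d.voucher} paid without approval")
    inv = invoices.get(voucher.invoice)
    if inv is None:
        return issues + [f"invoice {voucher.invoice} not on file"]
    if inv.vendor != d.vendor:
        issues.append(f"check payee {d.vendor} differs from invoice vendor {inv.vendor}")
    po = pos.get(inv.po)
    if po is None:
        return issues + [f"no purchase order {inv.po} for invoice {voucher.invoice}"]
    if inv.unit_price != po.unit_price:
        issues.append(f"invoice price {inv.unit_price} differs from PO price {po.unit_price}")
    received = receipts.get(inv.po)
    if received is None:
        return issues + [f"no receiving report for {inv.po}"]
    if inv.qty > received:
        issues.append(f"invoiced qty {inv.qty} exceeds received qty {received}")
    supported = Decimal(min(inv.qty, received)) * po.unit_price
    if d.amount != supported:
        issues.append(f"check amount {d.amount} differs from supported {supported}")
    return issues


def audit_disbursements(disbursements, vouchers, invoices, pos, receipts):
    """Run the trace over a sample of disbursements; check number -> exceptions."""
    return {d.check_no: trace_disbursement(d, vouchers, invoices, pos, receipts)
            for d in disbursements}


# Constructed sample records (not from the notes).
POS = {
    "PO-1": PurchaseOrder("Acme", 10, Decimal("5.00")),
    "PO-2": PurchaseOrder("Bolt", 4, Decimal("25.00")),
    "PO-3": PurchaseOrder("Acme", 10, Decimal("5.00")),
}
RECEIPTS = {"PO-1": 10, "PO-3": 10}           # PO-2 was never received
INVOICES = {
    "INV-A": Invoice("PO-1", "Acme", 10, Decimal("5.00")),
    "INV-B": Invoice("PO-2", "Bolt", 4, Decimal("25.00")),
    "INV-C": Invoice("PO-3", "Acme", 10, Decimal("6.00")),   # price above PO
}
VOUCHERS = {"V-1": Voucher("INV-A", True), "V-2": Voucher("INV-B", True), "V-3": Voucher("INV-C", True)}
SAMPLE_DISBURSEMENTS = [
    Disbursement("1001", "Acme", Decimal("50.00"), "V-1"),   # fully supported
    Disbursement("1002", "Bolt", Decimal("100.00"), "V-2"),  # paid with no receiving report
    Disbursement("1003", "Acme", Decimal("60.00"), "V-3"),   # invoice price not per PO
    Disbursement("1004", "Zed", Decimal("900.00"), "V-9"),   # no voucher at all
]

if __name__ == "__main__":
    for check, problems in audit_disbursements(SAMPLE_DISBURSEMENTS, VOUCHERS, INVOICES, POS, RECEIPTS).items():
        print(check, "OK" if not problems else "; ".join(problems))
```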

PAYROLL CYCLE
Authorization - Personnel: hiring of personnel, approving changes in pay rates
and deductions from employee salaries. The personnel dept must promptly send
employee termination notices to the payroll supervisor so that terminated employees are
immediately removed from the payroll.
Custodial function - Treasurer signs checks and hands over the checks to the
appropriate departmental supervisor (who will distribute the checks to personnel)
& has custody of unclaimed pay checks.
o Personnel with access to payroll checks should be bonded.
o Proper segregation of duties between personnel and payroll
disbursement eliminates many frauds in which phantom
employees are being paid.
o For a cash payroll, each employee should be asked to sign a
receipt after being paid. The best control is to get the unclaimed
cash out of the firm's physical control and into the bank.
o The payroll supervisor cannot distribute payroll checks to employees;
only the treasurer/an independent paymaster can.
o Undistributed checks should be deposited in a bank a/c.
Recordkeeping - Payroll dept maintains the payroll register, which is a primary
accounting record listing the amounts owed to individual employees for a given
payroll period. This dept calculates the salary to be paid. It should not
authorize payroll rate changes.
Payroll dept supervisor responsible for:
o Reviewing and approving time reports to ensure that payment is
made only for the work performed.
o Hiring subordinate employees.
o Initiate requests for salary adjustments for subordinate employees.

Overtime payments should be approved by mgt.


The payroll observation is an auditing procedure which is generally performed
when the various phases of payroll work are not sufficiently segregated to afford
effective I/C.
Maintaining accountability for cash which is in a safe-deposit box is difficult.
The company should maintain a separate checking a/c specifically for payroll
transactions to establish more accountability and control over these important
transactions.
Special emphasis on TOCs over proper classification of payroll transactions is
required when the client is a manufacturing organization, because a portion of the
salaries paid will be inventoried in the manufactured product.
Strong internal controls lower the risk of material misstatement. In the payroll
department, the auditor would be looking for controls such as:
a payroll imprest system (the accounting department wires funds to the bank
account, the amount of which is based on totals from the payroll department
summary),
separation of duties for payroll preparation (the payroll process is supervised by
the treasurer, or the CFO signs the checks that the payroll department has
prepared),
separation of duties for distribution of checks, and
special control procedures for unclaimed checks.
If the payroll clerk distributes signed payroll checks that the payroll clerk has
prepared, there is no separation of duties. This procedure allows an
opportunity for the clerk to prepare a check for someone who is not an
employee or to keep an extra check for himself. Returning the undistributed
checks to the payroll department also provides an opportunity for
misappropriation of those payroll checks.
Undistributed checks should be held and investigated by someone outside
the payroll department like the internal auditor. This will enable detection of
any fictitious employee who may have been placed on the payroll.
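The phantom-employee and terminated-employee problems discussed in this section come down to reconciling the payroll register against the personnel master, which is the only authorized source of hires, rate changes and terminations. The block below is an added example, not part of these notes; employee ids, rates and dates are constructed so that each kind of exception appears once.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date
from decimal import Decimal
from typing import Optional


@dataclass(frozen=True)
class PersonnelRecord:
    """Row from the personnel (HR) master file."""
    emp_id: str
    authorized_rate: Decimal
    hired_on: date
    terminated_on: Optional[date] = None


@dataclass(frozen=True)
class PayrollLine:
    """Row from the payroll register prepared by the payroll dept."""
    emp_id: str
    rate_paid: Decimal
    hours: Decimal


def reconcile_payroll(register, master, period_end):
    """Return (emp_id, issue) pairs for register lines the personnel master
    does not support: phantom employees, payments after termination or before
    hire, rates that personnel never authorized, and employees paid twice."""
    by_id = {p.emp_id: p for p in master}
    issues = []
    for line in register:
        person = by_id.get(line.emp_id)
        if person is None:
            issues.append((line.emp_id, "not in personnel master (possible phantom employee)"))
            continue
        if person.terminated_on is not None and person.terminated_on < period_end:
            issues.append((line.emp_id, f"paid after termination on {person.terminated_on}"))
        if person.hired_on > period_end:
            issues.append((line.emp_id, f"paid before hire date {person.hired_on}"))
        if line.rate_paid != person.authorized_rate:
            issues.append((line.emp_id,
                           f"rate {line.rate_paid} differs from authorized {person.authorized_rate}"))
    # A second line for the same employee may be legitimate overtime, but it
    # needs the mgt approval the notes call for, so it is surfaced for review.
    for emp_id, n in Counter(l.emp_id for l in register).items():
        if n > 1:
            issues.append((emp_id, f"appears {n} times in the register"))
    return issues


# Constructed sample data (not from the notes).
SAMPLE_MASTER = [
    PersonnelRecord("E1", Decimal("20.00"), date(2023, 1, 10)),
    PersonnelRecord("E2", Decimal("18.00"), date(2022, 5, 1), terminated_on=date(2024, 2, 15)),
    PersonnelRecord("E3", Decimal("22.50"), date(2021, 3, 3)),
]
SAMPLE_REGISTER = [
    PayrollLine("E1", Decimal("20.00"), Decimal("80")),
    PayrollLine("E2", Decimal("18.00"), Decimal("80")),   # termination notice never actioned
    PayrollLine("E3", Decimal("25.00"), Decimal("80")),   # rate change not approved by personnel
    PayrollLine("E9", Decimal("19.00"), Decimal("80")),   # no personnel record: phantom
    PayrollLine("E1", Decimal("20.00"), Decimal("8")),    # second line for E1
]

if __name__ == "__main__":
    for emp_id, issue in reconcile_payroll(SAMPLE_REGISTER, SAMPLE_MASTER, date(2024, 2, 29)):
        print(emp_id, issue)
```

Run by someone outside the payroll dept (the internal auditor in the notes' example), this check is independent of the people who prepare the register, which is what makes it a detective control rather than a self-review.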

PRODUCTION CYCLE
The objectives of the I/C structure for a production cycle are to provide
assurance that transactions are properly executed and recorded, that access
to assets (R/M, WIP & FGs) is permitted only in accordance with mgt's authorization, and
finally, that the recorded accountability for assets is compared with the existing assets
at reasonable intervals and differences are investigated and resolved.
Inventory - the use of periodic inventory counts to adjust the perpetual inventory
records would ensure inventory records are accurate.
The primary concern here is custody/control/access to inventory of R/M, WIP and
FG: that they are properly maintained and that all releases of R/M by
storekeepers are based on approved requisition documents.
A perpetual inventory system will show when and where materials are being
used.
Vendors' invoices for R/M approved for payment, signed checks for
purchases of R/M and details of disbursements for R/M balanced with the
total to be posted to the general ledger are all related to the disbursement cycle.
Finished goods should be accepted for stock only after presentation of a
completed production order and inspection report. This is because
finished goods should be inspected to determine their condition before
leaving the production dept.
Comparison of daily journal entries with the factory labor summary will detect direct
manufacturing labor which has been properly recorded on the labor
summary but incorrectly posted to a manufacturing overhead a/c.

FIXED ASSETS CYCLE


Major asset acquisitions are properly approved by the firm's BOD and properly
controlled through capital budgeting techniques. Using budgets to control
acquisitions implies a follow-up analysis of budget variances and also permits the
level of authorized expenditures to be controlled.
Detailed records are available for property assets and accumulated depreciation.
Written policies exist for capitalization vs. expensing decisions.
Retirements are approved by the appropriate level of mgt.
Physical controls over assets to prevent thefts.
Depreciation is properly calculated and the depreciation policy reviewed annually.
Periodic physical inspection of P&M by individuals who are otherwise
independent of PPE, e.g. internal auditors.
Acquisitions are made by the user dept and require executive approvals before
purchase. Approval cannot be made by the same user dept. There is no separate
purchasing dept.
Variances between authorized equipment expenditures and actual costs are to be
immediately reported to mgt.
Misclassification of equipment acquisitions as maintenance expenses would most
likely be detected through investigation of R&M variances. Equipment acquisitions
tend to be large-dollar purchases which will distort normal maintenance expenses.
Initiation and execution of FA transactions would not include restricted access to
equipment. Reviewing FA acquisitions for soliciting competitive bids is a valid
consideration for initiation and execution of FA transactions.
Should attach FA ID tags to individual assets and maintain a detailed listing of all
such tags with $ balances reconciled to the general ledger control a/c.
A weakness in I/C over recording retirements of equipment means that some
assets are still shown in the records even though they have been retired, thereby
overstating the equipment a/c. The auditor can identify such assets by selecting
certain items in the accounting records and attempting to locate them.
To improve accountability for FA retirements, mgt most likely would implement a control
that includes continuous utilization of serially numbered retirement work orders.

FINANCING & INVESTING CYCLE


For notes payable, the main control question is whether direct borrowings on NP are
authorized by the BOD.
Debt and equity transactions are properly approved by the company's BOD.
An independent trustee handles bond transactions.
A stock registrar/stock transfer agent handles capital stock transactions. The
primary responsibility will be to verify that stock is issued in accordance with the AOA and
BOD, i.e. to prevent any over-issuance of stock.
Cancelled stock certificates are defaced to prevent their reissuance.
Marketable securities:
The primary concern here is preventing unauthorized access.
The best way to safeguard against the loss of marketable securities is to
have an independent trust company that has no direct contact with the
employees who have record-keeping responsibilities hold the securities.
If an independent trust agent is not employed, the securities will physically
come to the company and must be safeguarded. The combination of a
bank safe-deposit box and dual access (requiring two company officials to access
the securities) will provide the best security. This is because access to
securities should be vested in more than one individual.
Independently reconcile recorded balances in the investment subsidiary
ledger with the physical assets in the safe-deposit box.
Securities should be registered in the name of the owner.
The best person to make periodic reviews of investment activity is the
investment committee of the BOD, if the authority for investment decisions
was delegated by the BOD.
PCAOB AS #5 - INTEGRATED AUDIT
The objective of such an engagement is to express an opinion on MGT'S
ASSESSMENT of the effectiveness of ICFR.
Risk assessment underlies the entire audit process described by PCAOB
AS#5.
The auditor should not issue a written communication stating that no
sgf deficiencies were identified; however, the auditor is permitted to
add a comment that no material weaknesses were identified.
Planning the audit - the audit of ICFR should be integrated with the audit
of the F/S, that is, TOCs should be designed to address both the objectives of
the audit of ICFR and the audit of the F/S. Can use the work of others, which
includes internal auditors, other company personnel, service auditors and 3rd
parties. As CR increases, the auditor should take increasing
responsibility for performing the work instead of using the work of others.
Top-down approach is a risk-based approach to auditing that
o Begins at the F/S level and with the auditor's understanding of the
overall risks to ICFR.
o The auditor then focuses on entity-level controls and
o Finally works down to sgf a/cs and disclosures and their relevant
assertions.
Entity-level controls - the term refers to policies and procedures that
have very broad implications for the achievement of an entity's control-
related objectives: operating activities, F/rep, and compliance.
o Controls related to the control environment;
o Controls over mgt override;
o The company's risk assessment process;
o Controls to monitor results of operations or other controls;
o Controls over the period-end F/rep process;
o Policies that address sgf business control and risk mgt practices.

Understanding likely sources of misstatement:


o The auditor should achieve control objectives, e.g. issues such as
the completeness of recording of sales.
o Perform walk-throughs - the process of following a transaction
from origination through the company's processes until it is reflected in the
financial records. In an audit of ICFR, the auditor should perform
walk-throughs for each of the sgf processes identified, not each and
every transaction type unless all controls are deemed ineffective.
Remember, a walk-through involves probing questions that go beyond
a narrow focus on the single transaction. A walk-through will enable
the auditor to gain a sufficient understanding of the process and be
able to identify important points at which a necessary control is missing
or not designed effectively. The procedures applicable to
performing walk-throughs are RIIO. Confirmation is a substantive
auditing procedure.
Auditors should perform appropriate review procedures related to mgt's
required quarterly certifications about ICFR.
When mgt's report on ICFR includes other info regarding mgt's plans, for
example, to implement new control procedures, the auditor's report on
ICFR should disclaim an opinion on that other info.
Testing design effectiveness of controls - IIO: inquiry, inspection and
observation.
Testing operating effectiveness of I/C - RIIO: re-performance is the
additional procedure for testing operating effectiveness.
PCAOB states that a deficiency in any one of the following controls would at least be a
sgf deficiency:
Controls over the selection and application of accounting principles that are in
conformity with GAAP
Anti-fraud programs and controls.
Controls over non-routine and non-systematic transactions.
Controls over the period-end F/rep process.
The existence of any sgf deficiencies at the end of the reporting
period does not necessarily mean that mgt should consider ICFR to
be ineffective.
Some indicators of material weaknesses:
1. Identification of fraud involving senior mgt, whether or not material;
2. Restatement of previously issued F/S;
3. Identification by the auditor of a MM of the F/S in the current period;
and
4. Ineffective oversight of the company's external F/rep and I/C by the company's
audit committee.
Evaluation of the existence of material weaknesses in ICFR is
primarily based NOT on whether there are any MM in the F/S but that
the controls will fail to PREVENT/DETECT a MM.
Communicating identified deficiencies: the auditor must
communicate in WRITING:
1. All material weaknesses identified to mgt and the audit committee
2. Other sgf deficiencies identified to the audit committee.
3. All other deficiencies in ICFR, in writing, to mgt, and inform the
audit committee that such a communication has been made.
4. If the auditor concludes that the audit committee's oversight of
F/rep and ICFR is ineffective, then it must communicate that
conclusion in writing to the BOD.

Mgt's Report on ICFR would include:
o A statement that the company's auditor has issued an attestation report on
mgt's assertion.
o Identification of the framework for evaluating I/C.
o Mgt's assessment of the effectiveness of I/C.
o Mgt's responsibility to maintain DIM of I/C.

Reporting on ICFR:
o Separate or combined reports - the auditor may choose to
combine the reports or issue them separately. Separate reports should contain an
additional paragraph that references the other report.
o Title of the report - should include the word "Independent".
o Combined report - an unqualified report on the F/S and on ICFR
consists of 5 paragraphs: Intro, Scope, Definition, Inherent limitations and
Opinion.
o Report date - if separate reports are issued, they should be dated
the same.
o Disclaimer of opinion - inadequate documentation of ICFR by mgt
would be viewed by the auditor as a scope limitation. In that case,
the auditor should issue a disclaimer or withdraw from the
engagement.
o Adverse opinion - required to be adverse if even one material
weakness exists at year-end (the as-of date); not even a qualified
opinion is an option. The as-of date is the last day of the fiscal
period; it is this date on which the auditor concludes as to the
effectiveness of I/C. Should determine the effect the adverse
opinion on ICFR has on the opinion on the entity's F/S.
Reasonable assurance as it relates to I/C always consider CBA.
Use the word examine instead of the word audit.
Test ALL CONTROLS. So general distribution.
Always have audit committees in Public companies.
Purchases by telephone and internet are a part of the purchase process
and represent major classes of transactions. Remember, that purchase
transactions may or may not be investigated in extreme detail. Purchases
are not assertions. Purchase type transactions themselves are not control
objectives for IC.
COSO - The COSO I/C framework is the one most used by mgt in its I/C assessment
under PCAOB.
Roll-forward procedures - when operating effectiveness has been tested at
an interim date, the auditor should consider what additional testing for the
remaining period may be necessary.

EXAM NOTES
Mgt integrity is such a critical component of an effective I/C that a lack of it could lead to
the auditor withdrawing from the engagement.
An auditor should consider both quantitative and qualitative aspects of deviations
noted. The square footage of selling space is non-financial info which may be
used in considering the overall reasonableness of sales.
Computer systems are typically supported by a variety of utility software packages
that are important to an auditor because they may enable unauthorized changes
to data files if not properly controlled. The auditor must determine that no unplanned
interventions using utility routines have taken place during processing.
A primary criterion in designing any I/C system is the cost-benefit relationship. The cost
of an entity's I/C should not exceed the benefits to be derived.
Internal control can only provide reasonable assurance, with the cost/benefit
ratio being the limiting factor, plus additional inherent limitations. Because of
inherent limitations like the ones below, only reasonable assurance can be
provided that an entity will achieve its control objectives - COCO:
Competence - mistakes in judgement (esp. when tired)
Override by mgt, e.g. the CEO requesting a check without a PO.
Collusion among employees.
Obsolescence
Controls whose effectiveness depends on segregation of duties cannot be relied
upon to ensure that collusion among employees will not occur, as they may be
circumvented by collusion.
An auditor uses computer software to access client data files, prepare spreadsheets
and construct parallel simulations, but is LEAST LIKELY to USE IT to assess
computer CR. Both the computer and manual systems are assessed after
performing TOCs.
The auditor must perform substantive tests to some degree for all sgf audit areas
cannot assess CR so low that substantive testing is omitted entirely!!
When controls duplicate other controls the auditor who wishes to rely upon I/C
need not test both sets.
When documentation of a control does not exist, the auditor may use observation
and inquiry to test the procedure. Similarly, with lack of audit trail.
Estimation transactions are activities involving mgt's judgments or assumptions,
such as determining the provision for doubtful debts, warranty reserves, and assessing
assets for impairment.
Remember AP (analytical procedures) is also part of substantive testing, so increasing
AP = increased substantive testing for a weakness in I/C.
Even a single material weakness always results in an adverse opinion.
An auditor would most likely limit substantive testing of sales transactions when
CR is assessed as low for the existence or occurrence assertion and the auditor
has already gathered evidence supporting cash receipts and A/R.
Electronic funds transfer reduces manual handling and therefore reduces risk of
data entry error.
Creation and use of self-monitoring access controls are a limitation of an
electronic system.
Can obtain info from mgt, those charged with governance, internal auditors and staff
from all depts throughout the audit.
Suggesting fixes to a control is out of the scope of an audit and close to
consulting services. Therefore, if a transaction is incorrectly processed, the
auditor should obtain an understanding of how the incorrect processing of
transactions was resolved and the effect on CR.
Concluding on the effectiveness of a given control is NOT part of the risk
assessment process.
To determine whether a particular assertion is relevant to a sgf a/c balance or
disclosure, the auditor should evaluate
the nature of assertion,
the volume of transactions/data related to the assertion and
the nature and the complexity of the systems including IT.
The auditor does not evaluate the individual transactions that make up the
a/c.
RMM assessment can be in quantitative terms, qualitative terms F/S level and
relevant assertion level.
A decrease in the amount of tolerable misstatement, means that a more careful
audit needs to be planned to detect small misstatements.
New hire training materials prepared by HR do not meet the definition of reports
prepared by mgt.
Difference between an integrated audit of ICFR and obtaining an understanding of I/C +
assessing CR as part of an audit:
Scope - different: much more extensive for an integrated audit (test ALL controls).
Procedures - similar: AIIO vs. RIIO.
Objective - different: understanding of design vs. operating effectiveness.
Reviewing ICQ would help the auditor to determine RMM and identify reportable
conditions, but this procedure would not be helpful in identifying non-compliance
with laws and regulations.
The fact that employees are not required to take regular vacations is a weakness
in I/C, but it has nothing to do with the computer access.
When the operating effectiveness of a control is not evidenced by written
documentation, the auditor should perform risk assessment procedures (AIIO) to
obtain an understanding of the entity and its environment, including I/C.
Intercompany transactions and large revenue transactions at period end are examples
of non-routine or non-systematic transactions that may indicate a RMM.
Flowcharts would provide the least assurance about the operating effectiveness
of an I/C. Mainly assist the auditor with understanding the design of the I/C.
When an I/C is considered deficient it means it is a material weakness. An
auditor may elect not to test that control if it does not present a RMM to the F/S.
REMEMBER AN AUDITOR ONLY TESTS THE CONTROL IT PLANS TO RELY
ON.
An auditor may decide to perform only substantive testing procedures if no
effective controls relevant to the assertion have been identified.
COSO includes tests of transaction cutoffs, transaction terms and a/c valuation
for end of period a/cs, and tests to ensure a baseline level of I/C.
In planning an integrated audit, the auditor does NOT evaluate the entity having
an operating and effective audit committee.
If the assessed risk is lower because of internal controls and the auditor intends
to base the substantive procedures on that low assessment, then the auditor
performs tests of those controls, as required by paragraph. This may be the
case, for example, for a class of transactions of reasonably uniform, noncomplex
characteristics that are routinely processed and controlled by the entity's
information system.
Large returns in the middle of the period not an e.g. of non-routine
transactions.