
Test data are processed by the client's computer programs under the auditor's control

B. Test data must consist of all possible valid and invalid conditions

In document Auditing and Assurance Services (Page 39-49)

C. Testing a program at year end provides assurance that the client's processing was accurate for the full year

D. Several transactions of each type must be tested

AACSB: Technology AICPA BB: Leveraging Technology AICPA FN: Leveraging Technology Bloom's: Application Difficulty: Hard Learning Objective: 18

Short Answer Questions

54. You are an experienced audit senior. The new staff accountant on your audit team does not understand what a control deficiency is. Give him a definition of "control deficiency."

Include examples of two types of control deficiencies.

A control deficiency exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements on a timely basis. A design deficiency exists when (1) a control necessary to meet the relevant control objective is missing; or (2) an existing control is not properly designed so that, even if the control operates as designed, the control objective would not be met. A deficiency in operation exists when a properly designed control does not operate as designed or when the person performing the control does not possess the necessary authority or qualifications to perform the control effectively.

Specific examples of control deficiencies will vary.

AACSB: Communications AICPA BB: Industry AICPA FN: Risk Analysis Bloom's: Comprehension Difficulty: Easy Learning Objective: 10 Learning Objective: 4

55. You are performing an audit on North South Natural Gas (NSNG). Alana, an NSNG employee, has responsibility for reconciling bank statements with the company's cash records.

You determine, however, that Alana has never been taught how to reconcile statements. In effect, the statements have not been properly reconciled for two years. How would you judge the significance of this control deficiency? How would you classify this deficiency?

To judge the materiality of a control deficiency, the auditor could consider the problem in terms of magnitude and likelihood. The likelihood of an event must be either reasonably possible or probable to be a significant deficiency or a material weakness. This deficiency is obviously probable, because the auditor knows the control has not operated for two years.

After the likelihood is determined, the auditor could consider the magnitude of a possible misstatement. A misstatement is not material if a reasonable person would conclude, after considering the possibility of further undetected misstatements, that the misstatement, either individually or when aggregated with other misstatements, would be clearly immaterial to the financial statements. A remote likelihood and insignificant magnitude would result in an insignificant deficiency. A significant deficiency occurs when there is a reasonable possibility that a misstatement in the financial statements is not material but significant. A material weakness is a significant deficiency that results when the likelihood is reasonably possible and material.

Note: Students should then make and defend a judgment on whether this problem is an insignificant deficiency, significant deficiency, or material weakness.

AACSB: Communications AICPA BB: Industry AICPA FN: Decision Making Bloom's: Application Difficulty: Moderate Learning Objective: 10 Learning Objective: 4

56. CBA Accounting is auditing a large publicly traded company. The audit of internal controls over financial reporting has been properly planned and the auditors have already identified controls to test using a top-down, risk-based approach. What is the next step? Give three examples of procedures that may be completed in the next step in the audit.

The next step is testing the design and operating effectiveness of selected controls. For a public company, the auditor must obtain an understanding of the design of controls related to each component of internal control. The procedures the auditor can perform to test the design of specific controls include

• inquiring of appropriate management, supervisory, and staff personnel,

• inspecting company documents,

• observing the application of specific controls, and

• tracing a sample of transactions through the information system.

AACSB: Analytic AICPA BB: Industry AICPA FN: Decision Making Bloom's: Application Difficulty: Moderate Learning Objective: 6

57. Trumpeter Corporation is a small publicly traded company that specializes in the restoration and sale of fine musical instruments. The audit committee is made up of a CEO from a technology company, a college accounting professor, and a local marketing executive.

All are sufficiently independent from management. The audit committee meets three times a year. Each time they meet, a different member, who chooses the topics to discuss, leads each meeting. The audit committee then sends the minutes of their meetings to the company's CFO.

Solely from this information, what are your conclusions about this audit committee's role within the control environment?

An effective audit committee sets the overall tone for a company's internal control. While it is independent from management, the auditor would probably consider the audit committee to be ineffective. First, there appears to be no clear articulation or understanding of the audit committee's responsibilities. In fact, it is not even clear that the committee discusses relevant topics and issues. There is apparently little interaction with key members of financial management; the only interaction consists of delivering a report of each meeting. In addition, there is no apparent interaction with the internal audit function, if there is one. The auditor would probably consider this lack of control as a significant deficiency and a strong indicator of a material weakness.

AACSB: Communications AICPA BB: Legal AICPA FN: Risk Analysis Bloom's: Analysis Difficulty: Easy Learning Objective: 10 Learning Objective: 4 Learning Objective: 6

58. Identify indicators of a material weakness in internal control over financial reporting.

Indicators of a material weakness in ICFR include (see Table 7-7):

• Identification of fraud, whether or not material, committed by senior management;

• Restatement of previously issued financial statements to reflect the correction of a material misstatement;

• Identification by the auditor of a material misstatement of financial statements in the current period in circumstances that indicate that the misstatement would not have been detected by the company's ICFR; and

• Ineffective oversight of the company's external financial reporting and ICFR by the company's audit committee.

AACSB: Communications AICPA BB: Legal AICPA FN: Reporting Bloom's: Knowledge Difficulty: Easy Learning Objective: 10 Learning Objective: 4

59. AS5 requires that the auditor appropriately document the processes, procedures, judgments, and results relating to the audit of internal control. Specifically, what must this documentation include?

The auditor's documentation must include the auditor's understanding and evaluation of the design of each of the components of the entity's internal control over financial reporting. The auditor also documents the process used to determine, and the points at which misstatements could occur within, significant accounts, disclosures, and major classes of transactions. The auditor must justify and document the extent to which he or she relied upon work performed by others. Finally, the auditor must describe the evaluation of any deficiencies discovered, as well as any other findings that could result in a modification to the auditor's report.

AACSB: Communications AICPA BB: Legal AICPA FN: Reporting Bloom's: Knowledge Difficulty: Moderate Learning Objective: 13

60. What is wrong with the following report on internal control over financial reporting for AB Corporation? The auditor believes an unqualified opinion on the effectiveness of internal control over financial reporting is warranted.

Report of Registered Public Accounting Firm

We have audited AB Corporation's internal control over financial reporting as of December 31, 2009, based on criteria established in Internal Control - Integrated Framework, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). ABC's management is responsible for maintaining effective internal control over financial reporting and for its assessment of the effectiveness of internal control over financial reporting. Our responsibility is to express an opinion on the company's internal control over financial reporting based on our audit.

We conducted our audit in accordance with the standards of the Public Company Accounting Oversight Board (United States). Those standards require that we plan and perform the audit to obtain reasonable assurance about whether effective internal control over financial reporting was maintained in all material respects. Our audit included obtaining an understanding of internal control over financial reporting, testing and evaluating the design and operating effectiveness of internal control, and performing such other procedures as we considered necessary in the circumstances. We believe that our audit provides a reasonable basis for our opinion.

A company's internal control over financial reporting is a process designed to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles. A company's internal control over financial reporting includes those policies and procedures that (1) pertain to the maintenance of records that, in reasonable detail, accurately and fairly reflect the transactions and dispositions of the assets of the company; (2) provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with generally accepted accounting principles, and that receipts and expenditures of the company are being made only in accordance with authorizations of management and directors of the company; and (3) provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use, or disposition of the company's assets that could have a material effect on the financial statements.

In our opinion, ABC maintained, in all material respects, effective internal control over financial reporting as of December 31, 2009, based on criteria established in Internal Control - Integrated Framework, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).

We have also audited, in accordance with the standards of the Public Company Accounting Oversight Board (United States), the consolidated financial statements of ABC, and our report dated February 20, 2010 expressed an unqualified opinion.

Protzman & Hull

Morgan Hill, CA

February 10, 2010

First, the title of the report should include the word "independent." Second, the report should include a paragraph stating that, because of inherent limitations, internal control over financial reporting may not prevent or detect misstatements and that projections of any evaluation of effectiveness to future periods are subjected to certain risks and uncertainties. Finally, the date of both the auditor's report on the company's financial statements and the auditor's report on the company's internal control over financial reporting should be the same.

AACSB: Communications AICPA BB: Industry AICPA FN: Reporting Bloom's: Analysis Difficulty: Moderate Learning Objective: 14

61. On the audit of Technology Unlimited, a leading manufacturer of computer chips, the external audit staff discovers that the internal audit staff has performed extensive evaluation and testing on the control environment. What should the external auditors do to determine the extent to which they may use the work of the internal audit staff? Can the external audit staff rely on the internal audit staff for evaluating and testing the control environment?

The auditor should also evaluate the competence and objectivity of the individuals who performed the work. Internal auditors are generally expected to have greater competence and objectivity than other company personnel. If internal auditors have performed an extensive amount of relevant work and the auditor determines they possess a high degree of competence and objectivity, the auditor can rely on the results of their work to the extent possible while still providing the principal evidence for his or her opinion.

The auditor should also evaluate the nature of the controls subjected to the work of others. As the risk of material misstatement in the accounts and disclosures addressed by the control, the degree of judgment required to evaluate the operating effectiveness of the control, the pervasiveness of the control and the potential for management override increase in significance, the auditor should increase his or her own work on those controls and decrease reliance on the work of others.

The external auditor should test some of the work performed by others to evaluate the quality and effectiveness of their work. In performing this, the auditor should evaluate such factors as the scope of their work, the adequacy of their work programs, the adequacy of the work performed, the appropriateness of their conclusions, and the consistency of their reports with the work performed.

Even considering these steps, the auditor is not permitted to rely on the work of others in evaluating and testing the control environment. The auditor must perform enough of the testing that his or her own work provides the principal evidence for the auditor's opinion.

AACSB: Communications AICPA BB: Industry AICPA FN: Decision Making Bloom's: Application Difficulty: Moderate Learning Objective: 7

62. Information Nation has two hundred locations spread across the fifty states. Twenty of the locations are considered to be individually important, but fifty of the locations are not important even when aggregated from the others. Five locations deal with foreign exchange trading. These locations are not considered important, but they are important when aggregated with the other locations. As an auditor, discuss the considerations involved in testing multiple locations and group the locations accordingly (provide how many locations are included in each group). Include the treatment that each group should receive from the auditor.

First, the auditor should determine which locations are individually important. There are twenty locations and the auditor should evaluate documentation and test controls over relevant assertions for significant accounts at each location.

Second, the auditor should determine the locations with specific risks. Foreign exchange trading is normally considered a specific risk. Of the 180 locations left, five have specific risks. For these, the auditor should evaluate documentation and test controls over specific risks.

Of the 175 locations left, the auditor should next determine which are not important even when aggregated with others. This group includes fifty locations. No further action is required for such units.

Now 125 locations are left. The auditor should determine if there are documented company-level controls over this group. If there are, the auditor should evaluate documentation and test company-level controls over the group. If documented company-level controls are not present, some testing of controls at individual locations is required.

AACSB: Analytic AICPA BB: Industry AICPA FN: Decision Making Bloom's: Analysis Difficulty: Moderate Learning Objective: 14

63. Discuss the differences between a control deficiency, a significant deficiency, a material weakness, and the two dimensions of the control deficiency - likelihood and magnitude.

A control deficiency exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements on a timely basis. A design deficiency exists when: (1) a control necessary to meet the relevant control objective is missing or (2) an existing control is not properly designed so that, even if the control operates as designed, the control objective is not always met.

Significant Deficiency. A significant deficiency is a control deficiency, or combination of control deficiencies, in ICFR that is less severe than a material weakness, yet important enough to merit attention by those responsible for oversight of the company's financial reporting.

Material Weakness. A material weakness is a deficiency, or combination of deficiencies, in ICFR, such that there is a reasonable possibility that a material misstatement of the annual or interim financial statements will not be prevented or detected on a timely basis.

Likelihood and Magnitude. According to the above definitions, in judging the significance of a control deficiency, management and the auditor must consider two dimensions of the deficiency: likelihood and magnitude. The definition of material weakness includes the phrase "reasonable possibility." This term is to be interpreted using the guidance in ASC Topic 450, Contingencies. Accordingly, the likelihood of an event is a "reasonable possibility" if it is either reasonably possible or probable. Magnitude refers to the size of the potential misstatement that could occur due to the deficiency. In determining whether it is reasonably possible that a financial statement misstatement resulting from a deficiency is material, the auditor relies on the same concept of materiality as is used in determining financial statement materiality.

AACSB: Communications AICPA BB: Industry AICPA FN: Decision Making Bloom's: Comprehension Difficulty: Moderate Learning Objective: 4

64. Discuss entity-level controls and provide examples of these types of controls.

Entity-level controls can have a pervasive effect on the entity's ability to meet the COSO control criteria. If general controls are not effective, the specific controls are probably unreliable. Entity-level controls addressing management's ability to override specific controls are thus of central importance. The pervasiveness of entity-level controls suggests that it may be appropriate for the auditor to test and evaluate them before evaluating the other aspects of internal control over financial reporting. However, testing entity-level controls alone is not sufficient for the purpose of expressing an opinion on the effectiveness of an entity's internal control over financial reporting. Examples of entity-level controls include:

1. Controls within the control environment, which includes the tone at the top, assignment of authority and responsibility, consistent policies and procedures, and company-wide programs that apply to all locations and business units (such as codes of conduct and fraud prevention).

2. Controls over management override.

3. Management's risk assessment process.

4. Centralized processing and controls, including shared service environments.

5. Controls to monitor results of operations.

6. Controls to monitor other controls, including activities of the internal audit function, the audit committee and self-assessment programs.

7. The period-end financial reporting process.

8. Policies that address significant business control and risk management practices.

AACSB: Communications AICPA BB: Industry AICPA FN: Decision Making Bloom's: Comprehension Difficulty: Moderate Learning Objective: 5
