SULTHAN HAKIM/ 145020308121003

International Undergraduate Program in Accounting of Brawijaya University

Course: Auditing Laboratory

AUDITING CASES: 4. ASSESSING CONTROL RISK

DISCUSSION QUESTIONS

1. Statement on Auditing Standards 78, "Consideration of Internal Control in a Financial Statement

Audit: An Amendment to SAS No. 55," identifies the five elements of internal control as the
Control Environment, Risk Assessment, Control Activities, Information and Communication,
and Monitoring. Cline's questions appear to be designed to determine the degree of information
that has been established to date about each of these elements. Question (3) asks about the
information that the auditors could have looked at within the Lakeside Company in order to
respond adequately to these queries. Auditors must be able to gather sufficient data in the early
stages of an audit to assess the various risks involved in the examination.

In studying the control environment of a company, SAS 78 recommends that a number of factors
should be assessed including those listed below. For several of these factors, the types of
information that the Abernethy and Chapman auditors might use to make their evaluation is also
discussed. A quick look at the control environment will probably lead the auditors to the decision
that Lakeside has not established the environment needed for adequate internal control.

Integrity and ethical values. The auditors should inquire as to policy statements and a code
of ethics. They should also be aware of any actions by Lakeside's management to remove
or reduce incentives and temptations that might prompt its employees to engage in
dishonest, illegal, or unethical acts.
Commitment to competence. Lakeside should have a training program to ensure that its
employees have the knowledge and skills necessary to accomplish tasks. The auditors
should inquire as to any such programs.
Board of directors or audit committee participation. Abernethy and Chapman will need to
 determine the oversight role (if any) played by the board of directors. By looking at the
minutes of the meetings, the auditors should be able to determine whether the board is
actually serving in a control capacity. The case mentions that the board of directors had to
approve of the hiring of new independent auditors. Thus, a separate audit committee
probably does not exist. In addition, Rogers' assurance that the board would approve this
request would seem to imply that the board does not provide significant control over the
management of the company.
Management's philosophy and operating style. By talking with Rogers and the other
members of management, the auditors should be able to determine the actual priority
placed on internal control by the company. Documentation of this should also be available
for inspection. Rogers seems to understand that better systems are needed but has invested
neither the time nor the money to develop such policies and procedures. This lack of
support may indicate that the management is not serious about establishing adequate
control within the company. Because of the company's growth, improvements in the future
may be forthcoming, but at the present time the management appears (from what has been
said) to have let the company outgrow its control policies and procedures.
Organizational structure. If Lakeside has a chart presenting the various officials and their
jobs, the auditors can assess whether control policies would be easy to circumvent.
Although Exhibit 3-2 shows the company divided into clearly distinct areas, the Assistant
to the President does seem to be in a position to operate without proper control
supervision. In addition, the President seems to hold a significant amount of power in this
company, with very little control having been established.
Assignment of authority and responsibility. This factor includes how authority and
responsibility for operating activities are assigned and how reporting relationships and
authorization hierarchies are established. Since Lakeside is not a huge organization,
Rogers tends to intervene in many of the operating activities. However, as Lakeside
continues to grow, this may become a major concern to the auditors.
Human resource policies and practices. These policies and practices relate to hiring,
orientation, training, evaluating, counseling, promoting, compensating, and remedial
actions. The auditors should inquire and observe Lakeside's policies, including any
standards for hiring the most qualified individuals, training, and performance appraisals.
Risk assessment is the second component of internal control. The auditors will determine and
evaluate how Lakeside identifies, analyzes, and manages risks relevant to the preparation of the
financial statements. The auditors will want to pay particular attention to several changes occurring
at Lakeside and how the management deals with these changes. These changes include the expansion
of the company's stores, the concentration on the Cypress product line, and the relatively new bonus
system.

Next, the auditors will look at the actual control activities in place to see that specific control
objectives are being met. Within this testing, the auditors should look at the following as goals of the
company's internal control:

Performance reviews. Independent checks on both performance and proper valuation of

recorded amounts should be conducted. The auditors will want to verify that
reconciliations and other comparisons are made at important junctures in the various
systems.
Information processing. The auditors will want to verify that Lakeside has both general
controls and application controls. They will especially verify that proper authorization
of transactions exist. The auditors can examine the documentation produced for a variety
of transactions to ensure that each was authorized by the appropriate individual within the
company. Further, the auditors will verify that Lakeside properly designs and uses
adequate documents. By walking through the various systems, the auditors can determine
if adequate documentation is required at each point and if those documents are preprinted
and prenumbered to ensure that the proper information is gathered and retained.
Physical controls. By physical observation of the warehouse, the stores, and other assets,
the auditor can determine if Lakeside has adequate safeguards over its assets.
Segregation of duties. By looking at the organization of a company, the auditors can
determine if the necessary separation of responsibilities is in place to facilitate adequate
control. For example, since Lakeside has a chart showing the various officials and their
jobs, the auditors can assess whether a true system of checks and balances has been
established. Although Exhibit 4-1 shows the company divided into clearly distinct areas,
information in Exhibits 4-3 and 4-4 indicates, for example, that the Assistant to the
President has a great many responsibilities, some of which raise the possibility of control
 problems.

Next, the auditors will have to examine any information that helps to ascertain the efficiency
of the company's information and communication system. In the case presented, little data is provided
to evaluate the information system except that Rogers feels the systems are outdated for a company
of this size. Therefore, the auditors should assess the design of the system and the people who operate
the accounting system. For example, the auditors might want to select a number of transactions and
trace them from the point of origination through the accounting system to see that the recording
process is performed properly. This testing is designed to determine if the system is capable of
performing the following tasks in an effective manner:

Identify and record all valid transactions.

Describe on a timely basis the transactions in sufficient detail to permit proper
classification.
Measure the value of transactions.
Determine the time period in which transactions occurred.
Present the transactions appropriately in the financial statements.

The final component of internal control is monitoring. Monitoring is the process that
assesses the quality of internal control performance over time. Lakeside does not appear
to have an extensive monitoring system, such as an internal audit function. Without an
internal auditor, no independent party within the company serves to monitor and oversee
the company's internal controls. The internal audit function can be extremely important in
a company, especially where stores and sales representatives operate at a geographic
distance from the home office

2. An evaluation of the overall control environment is not possible from Exhibits 4-3 and 4-4.
However, the auditors can see that responsibilities have been developed and divided within the
company. Each individual or department seems to have a well-defined job within the two systems.
Thus, some evidence exists to indicate that management is aware of the importance of internal
control. Such systems simply cannot be created without adequate support by the company's
management.
 In terms of risk assessment, Lakeside does not appear (from Cases 2 through 4) to have a formal
method of systematically assessing risks (Weakness). The auditors should recommend a system of
identifying risks, their significance, their likelihood of occurrence, and how they might be
managed. This is especially true with Lakeside's growth of stores, concentration of suppliers
(Cypress only), and installation of a bonus system.

In addressing control activities, the auditors can see, as indicated in the answer to Exercise (2), that
the company seems to use adequate documents and authorization procedures (Strength). In
addition, although the Assistant to the President has many different duties (Weakness), the
company seems to have made an attempt to segregate responsibilities in an appropriate manner.

Both of the information systems that are presented also seem well designed especially for a small
but growing company. However, the company still uses some manual systems that can be slow and
offer the opportunity for many human mistakes to be made (Weakness). The answer to Exercise
(2) goes into more detail concerning control strengths and weaknesses in this area.

The monitoring activities seem to be somewhat lax. However, with Lakeside still being relatively
small, Rogers' oversight somewhat compensates for the lack of monitoring. With the growth of
Lakeside, this is becoming less true.

3. After a preliminary assessment of control risk, the auditors have three possible actions:

a. Because of potential strengths found within internal control, the auditor may feel that control
risk can be assessed at below the maximum level. If so, the auditors must then be able to
identify specific control procedures that will likely prevent or detect material misstatements.
The auditors must perform tests of these controls to evaluate their effectiveness to determine
if a reduction in the assessment of control risk is justified.
b. Because of weaknesses found within internal control, the control risk may have to be assessed
at the maximum level. This evaluation will probably force the auditor to reduce detection risk
by such means as performing additional substantive testing, using more experienced staff
personnel, carrying out procedures closer to the balance sheet data, or relying on more effective
 testing procedures.
c. Although potential strengths may be identified within internal control, the auditors may still
opt to assess control risk at the maximum level. This decision would be made if additional
substantive tests appear to be easier and cheaper to make than performing the necessary tests
of specific control policies and procedures.

Sarbanes Oxley requires expanded internal control auditing because the Management Assessment
of Internal Control needs to be separately audited by a registered CPA firm, regardless of its effect
on the audit of the financial statements.

4. The auditor will normally begin verifying control policies and procedures by making inquiries of
the employees as to the performance of their duties. The answers provided indicate to the auditor
whether each individual understands the duties that have been assigned as well as their purpose. A
proper knowledge of a job usually means that employees are more likely to comply with the system
and fulfill their responsibilities. In addition, the auditor is often able to observe the work of these
individuals during the audit fieldwork. From these observations, an evaluation can also be made
as to the quality of the work being performed.

Although inquiry and observation are important steps in testing control procedures, the auditor
needs to obtain more substantial evidence. A well- devised system of controls should require each
employee to leave physical proof whenever a task has been completed: a tickmark must be used,
the person must sign a form, a code number must be entered, etc. Thus, the auditor should be able
to trace this physical evidence through an entire system noting whether the policies and procedures
are operating efficiently. For important measures that might reduce the assessment of control risk,
the auditor may want to verify effectiveness by examining a large number of documents.
Frequently, an auditor evaluates control procedures within an entire system through a "test of
transactions." Transactions are traced through an accounting system to make certain that the
recording has been made properly and that each control procedure is functioning as intended.

5. This new information provides an increased risk on the motivation/incentive for fraud to occur, in
terms of the fraud triangle. It does not mean that fraud has occurred and does not affect the
opportunity or rationalization necessary for fraud to occur. The auditor faced with this information
 should document the discussion, and make sure the audit team is aware of the conversation. It is
not the job of the staff auditor to initiate an investigation at this early point in the audit.

EXERCISES

1.
a. The following page presents a flowchart for the revenue recognition system. Numerous
acceptable variations of this flowchart may be created. This problem is not intended
to suggest a rigid format for the flowchart but rather to give the student experience in
constructing and reading one. When evaluating a student's work, several questions
should be asked:

Does the flowchart truly mirror the system?

Is the flowchart understandable?
Is the flowchart overly complex, containing too many symbols and explanations?

One technique that might be used with this assignment is to divide the class into teams
of three or four students each. Then select a flowchart at random from each team and
ask the team members to critique it. This process, which can be done inside or outside
of class, will compel the students to view the flowchart as an instrument intended to
communicate the design of a system.

b.

Revenue and Cash Receipts Cycle

Distributorship Cash Receipts

Checks arrive from customers along with the copy of the invoice slip. The checks are received by
the Treasurer's Office where each check is immediately stamped "For Deposit Only." The checks are
listed on a bank deposit slip and on a four-part cash remittance list. This listing includes the customer,
 the amount paid, and the invoice number.

The checks and the bank deposit slips are taken by the Treasurer's Office to the bank. The second
copy of the bank deposit slip is validated and returned to the Treasurer's Office where it is placed in
a permanent file by date along with the fourth copy of the cash remittance list. The bank returns the
first copy of the validated bank deposit slip directly to the Assistant to the President where it is placed
in a temporary file by date.

The invoice slips and the first three copies of the cash remittance list are sent by the Treasurer's Office
to the Sales Division. The second copy of the sales invoice and the fourth copy of the bill of lading
had originally been filed by that department when the goods were shipped. Each invoice slip is
matched with the corresponding sales invoice and bill of lading. The appropriate discount is
calculated and recorded on each copy of the cash remittance list. Each invoice slip is then attached
to the appropriate sales invoice and bill of lading and placed in a permanent file by invoice number.
The third copy of the cash remittance list is placed in a permanent file by date.

The second copy of the cash remittance list is sent to the Controller's Office where the cash receipts
and the sales discounts are refooted. From this information, a daily journal entry is made in the cash
receipts journal. Subsequently, the second copy of the cash remittance list is filed permanently by
date.

The sales division sends the first copy of the cash remittance list to the Assistant to the President. He
compares the bank deposit slip that he has received from the bank against the total of the cash
remittance list for that same date with a spot check of individual items. The list of collections is then
used to update the Accounts Receivable Subsidiary Ledger before being placed in a temporary file by
date. Upon receipt of the monthly bank statement, the cash remittance lists and the validated bank
deposits are removed and used to prepare the monthly bank reconciliation. The reconciliation, the
bank statement, the validated deposit slips, and the cash remittance lists are then placed in a permanent
file by date.

2. A preliminary analysis of the control procedures in the cash receipts system.

Documents Found in This System:

Invoice Slips (one copy per payment) - prepared internally but returned directly by outside
party. It is the bottom portion of the number 4 copy of the sales invoice.

Validated Bank Deposit Slips (two copies per day) - prepared internally but validated by
outside bank and mailed directly to the Assistant to the President.

Cash Remittance List (four copies per day) - prepared internally.

Sales Invoice (second copy) - prepared internally.

Bill of Lading (only fourth copy is a part of this system) - prepared internally, two copies sent
to customer.

Bank Statement (one copy per month) - prepared externally.

Bank Reconciliation (one copy per month) - prepared internally.

Answer to Exhibit 4.5 (Internal Control Preliminary Analysis)

1. Prenumbering of forms - Exhibits 4-3 and 4-4 indicate that the sales invoices (including the
sales invoice slip) and the bills of lading are prenumbered. None of the other documents
shown in this system would normally be pre- numbered.
2. Authority for completing each document - Exhibit 4-4 indicates that all documents within
this system are clearly assigned to a specific department.
3. Review of documents - a number of the documents are reviewed prior to the beginning of
this system such as the sales invoice and the bill of lading. The validated bank deposit slips
are reviewed by the Assistant to the President while the cash remittance list is reviewed by
the Controller's Office. The bank statement is reviewed by the Assistant to the President.
Finally, the bank reconciliation is prepared by the Assistant to the President but does not
appear to be reviewed. The failure to review this document would constitute an internal
control weakness.
 4. Procedures for completing each document and for reviewing each document - all
instructions on the worksheet appear to be reasonably complete, although any set of written
instructions could be put into more detail. One problem does exist: none of the instructions
give guidance when discrepancies are found. For example, according to the flowchart, a
major problem exists in the sales division at point B. According to the explanation, no
instructions exist when the collection is less than the amount of the invoice. Rather than
rebilling the additional amount, the invoice information is placed in a permanent file.
Although this rebilling process may be handled through the Assistant to the President or
some other party, this procedure is not indicated by the flowchart.
5. Separation of record-keeping function and custody function--the Treasurer's Office which
serves the custodial function for the cash funds also records the initial receipt of cash. That
type of organization is typical of small companies but does offer the opportunity for theft or
cash manipulation. In addition, the Assistant to the President maintains the Accounts
Receivable Subsidiary Ledger and reconciles the bank statements. Although not specifically
a control weakness because this individual does not have access to the cash account, these
combined responsibilities do offer the opportunity for successful theft through collusion.
6. Verification of mathematical computations - all computations are independently verified
except for the cash discounts. The flowchart is unclear as to the procedure to be applied
when the sales division calculation does not agree with the customer's payment.
7. Immediate record-keeping--the record-keeping function appears to begin immediately upon
the receipt of the cash.
8. Transactions authorized -- all transactions seemed to be appropriately authorized.
9. Other control procedures:
- checks are immediately stamped "For Deposit Only"
- spot checks made of cash remittance list totals to bank statement deposits are made to
counter potential "lapping" activities.
10. Other control weaknesses that might be noted by the students - invoice slips and related
documents are permanently filed by invoice number in the sales division rather than by
customer name without any apparent cross- referencing. In case of a later dispute, locating
the invoice might be difficult.

3. As a small organization, the controls that might actually be implemented are limited to those
procedures that would be cost effective. Listed below are several possible improvements that could
be considered:

- Establish a separate credit department to investigate new clients and set credit limits based on
this information.
- Prohibit Rogers or other company personnel from giving credit except under specified
conditions.
- Use a sales order form that is different from the sales invoice. The two documents serve
different purposes and are most useful if designed to meet those specific needs.
- Have a separate shipping department to provide control over the inventory being removed from
the company.
- Establish a separate accounts receivable department to monitor all changes in each customer's
individual account.
- Establish a separate billing department to prepare the sales invoices and ensure their accuracy.
- When goods are shipped, a signed receipt should be received as proof of the transfer.