Arens Auditing16e SM 12


Chapter 12

Assessing Control Risk and Reporting on Internal Controls

Concept Checks

P. 381

1. As illustrated by Figure 12-1, there are four phases in the process of
understanding internal control and assessing control risk. In the first
phase the auditor obtains an understanding of internal controls, which
includes an understanding of their design and whether they have been
implemented. Next the auditor must make a preliminary assessment of
control risk (phase 2) and perform tests of controls (phase 3). The auditor
uses the results of tests of controls to assess control risk and to ultimately
decide planned detection risk and substantive tests for the audit of financial
statements, which is phase 4.

2. The purpose of a control risk matrix is to assist the auditor in assessing
control risk at the transaction level. The control risk matrix identifies existing
controls and deficiencies for each audit objective in the transaction cycle,
making it easier for the auditor to assess control risk for each transaction-
related audit objective.

3. The four types of procedures used by auditors to test whether internal
controls are operating effectively are (1) inquiring of appropriate personnel
regarding the operation of controls; (2) examining documents and records
when there is a trail of evidence that the control is/is not operating (e.g., a
supervisor’s signature on a time card); (3) observing control-related activities
in process, preferably at various points throughout the year; and (4)
reperforming control activities performed by the client.

P. 386

1. The financial statement audit findings are relevant to the auditor’s opinion on
the effectiveness of internal controls over financial reporting because the
auditor may or may not identify misstatements during the audit. If the auditor
identifies material misstatements during the audit that were not prevented or
detected by the client’s internal controls, this would indicate a potential
material weakness in internal controls. Any identified misstatements would
indicate a potential control deficiency or significant deficiency.

Copyright © 2017 Pearson Education, Inc.

2. Auditors are required to perform integrated audits, an audit of the financial
statements coupled with an audit of internal control over financial reporting,
on audit engagements of large publicly traded companies (accelerated
filers). For integrated audits, the auditor issues an opinion on the
effectiveness of internal control in addition to the opinion on the financial
statements. As a result, the level of understanding and the extent of testing
of internal controls need to be sufficient to express an opinion on the
effectiveness of internal controls. For financial statement-only audits, the
auditor does not issue an opinion on the effectiveness of internal controls,
but rather the focus is on understanding controls that are relevant to the
audit in order to identify and assess the risks of material misstatement.

Review Questions

12-1 The auditor’s responsibility for obtaining an understanding of internal
control for a large public company, when an opinion is issued on the
effectiveness of internal controls, is significantly greater than the understanding
necessary when the auditor is solely expressing an opinion on the financial
statements. To express an opinion on internal controls for a large public
company, the auditor obtains an understanding of controls for all significant
account balances, classes of transactions, and disclosures and related
assertions in the financial statements. In contrast, for an audit of a nonpublic
company or a smaller public company, the auditor will obtain an understanding
of internal controls that are relevant to the financial statement audit in order to
assess the risks of material misstatement. Thus, the level of understanding of
internal controls required for the audit of internal controls exceeds the level
required for an audit of only the financial statements.

12-2 Maier is correct in her belief that internal controls frequently do not
function in the manner they are supposed to. However, regardless of this,
her approach ignores the value of beginning the understanding of internal
control by preparing or reviewing a rough flowchart or other internal control
descriptions. Obtaining an early understanding of the client’s internal control will
provide Maier with a basis for a decision about further audit procedures and
sample sizes based on assessed control risk. By not obtaining an
understanding of internal control until later in the engagement, Maier risks
performing either too much or too little work, or emphasizing the wrong areas
during her audit.

12-3 In a walkthrough of internal control, the auditor selects one or a few
documents for the initiation of a transaction type and traces them through the
entire accounting process. At each stage of processing, the auditor makes
inquiries and observes current activities, in addition to examining completed
documentation for the transaction or transactions selected. Thus, the auditor
combines observation, inspection, and inquiry to conduct a walkthrough of
internal control. PCAOB auditing standards require the auditor to perform at
least one walkthrough for each major class of transactions.

12-4 For many control activities, documentation of their performance is more
objectively evaluated in contrast to the evaluation of the control environment.
Due to the nature of the subcomponents that constitute the control
environment, such as integrity and ethical values and commitment to
competence, the nature of evidence used to evaluate the control environment
may differ somewhat from the nature of evidence used to evaluate control
activities. While auditors examine similar types of evidence to assess both the
control environment and control activities, they often perform more extensive
inquiries and observation to assess the design and implementation of control
environment subcomponents, such as the entity’s code of conduct and
whistleblowing system, so they can evaluate whether employees understand
those policies and procedures, and to gain a sense as to the overall ethical tone
and perception of management’s integrity. Because of the more judgmental
nature of many of the control environment subcomponents, auditors often make
numerous inquiries and perform extensive observation of client personnel in the
performance of policies and procedures to evaluate those subcomponents of
the control environment. While inquiry and observation may also be performed
to evaluate control activities, auditors frequently inspect documentation that
demonstrates a control activity was performed, such as examining signatures
on documents or matching of documentation supporting a transaction, and they
often reperform certain client performed procedures, such as the calculation of
a transaction amount.

12-5 A significant deficiency exists if one or more control deficiencies exist
that are less severe than a material weakness, but important enough to merit
attention by those responsible for oversight of the company’s financial
reporting. A material weakness exists if a significant deficiency, by itself or in
combination with other significant deficiencies, results in a reasonable
possibility that internal control will not prevent or detect material financial
statement misstatements. The presence of one significant deficiency that is not
deemed to be a material weakness may not affect the auditor’s report. In that
instance, the auditor’s report on internal control over financial reporting would
contain an unqualified opinion. However, if the deficiency is deemed to be a
material weakness, the auditor must express an adverse opinion on the
effectiveness of internal control over financial reporting.

12-6 The extent of controls tested by auditors for an integrated audit of a large
public company, in which the auditor will express an opinion on internal control,
is significantly greater than the extent of testing solely to express an opinion on
the financial statements. To express an opinion on internal controls for a large
public company, the auditor obtains an understanding of and performs tests of
controls for all significant account balances, classes of transactions, and
disclosures and related assertions in the financial statements.

In contrast, the extent of controls tested by an auditor of a nonpublic
company or a smaller public company is dependent on the auditor’s
assessment of control risk. Whenever the auditor assesses control risk below
maximum, the auditor must perform tests of controls to support that control risk
assessment. The auditor will not perform tests of controls when the auditor
assesses control risk at maximum. When control risk is assessed below the
maximum, the auditor designs and performs a combination of tests of controls
and substantive procedures. Thus, for a nonpublic company or smaller public
company, the tests of controls vary based on the auditor’s assessment of
control risk.

12-7 Auditing standards indicate that reliance can be placed on controls that
were tested in a prior year, except for controls that mitigate significant risks,
which must be tested in the current year. Controls should be tested at least
every three years, and whenever there is a significant change in the control.
Continued reliance on the effectiveness of automated controls is appropriate if
the auditor is satisfied that general controls over the computer applications are
adequate to identify any changes to computerized processes. The ability to rely
on prior year tests of automated controls is due to the systematic nature of IT-
based procedures. That is, once an automated control is programmed to perform
correctly, it should continue performing in that manner until the underlying
software program is changed. In contrast, controls performed manually are
generally tested each year because there is always a risk of human error
occurring in the performance of a manual control.

12-8 When the auditor’s risk assessment procedures identify significant
risks, the auditor is required to test the operating effectiveness of controls that
mitigate these risks in the current year audit, if the auditor plans to rely on those
controls to support a control risk assessment below 100%. Thus, tests of
controls are required in the current year audit for those controls the auditor
plans to rely on to reduce control risk. The greater the risk, the more audit
evidence the auditor should obtain that controls are operating effectively.

12-9 The fact that your client has outsourced the majority of its accounting
information system to a third-party data center does not change your professional
responsibilities. One of the principles underlying auditing standards requires the
auditor to obtain an understanding of internal controls in all audits. Thus, the
auditor would need to perform procedures to obtain information to provide an
understanding of internal controls that may reside at the data center. The
auditor would benefit greatly from a service auditor’s report, if one is available.
Because the client has outsourced a majority of the accounting information
system, the auditor is likely to identify controls that may support lower assessments
of control risk that must be tested. Either the auditors may decide to conduct
their own testing of those controls or they may be able to obtain a service
auditor’s Report on Management’s Description of a Service Organization’s System
and the Suitability of the Design and Operating Effectiveness of Controls
(referred to as a Type 2 report).

12-10 The auditor uses the control risk assessments and the results of tests
of controls to determine the appropriate level of detection risk and the nature
and extent of substantive tests for the audit engagement. The auditor links the
control risk assessments at the transaction level to the balance-related audit
objectives for the accounts affected by the transaction cycles, and also to the
presentation and disclosure audit objectives.

12-11 If the auditor assesses control risk as high for a transaction-related
audit objective, then in order to maintain a desired level of audit risk, the auditor
will need to set a lower level of detection risk. A lower level of detection risk in
turn means more extensive substantive testing.

12-12 The auditor may issue an unqualified opinion on internal control over
financial reporting when two conditions are present:
• there are no identified material weaknesses as of the balance
sheet date; and
• there have been no restrictions on the scope of the auditor’s work.

A scope limitation is the condition that would cause the auditor to
express a qualified opinion or a disclaimer of opinion on internal control over
financial reporting. This type of opinion is issued when the auditor is unable to
determine if there are material weaknesses, due to a restriction on the scope of
the audit of internal control over financial reporting or other circumstances
where the auditor is unable to obtain sufficient appropriate evidence.

12-13 The most significant difference in the assessment of control risk for
integrated audits versus financial statement-only audits is that control risk may
be assessed at maximum for some or all audit objectives for nonpublic
companies receiving a financial statement-only audit. Public companies, even
relatively smaller ones, are expected to have effective internal controls for all
significant transaction cycles and accounts. Thus, it is likely control risk will be
set as low for public companies, whereas that is not necessarily the expectation
for nonpublic companies.

12-14 “Auditing through the computer” represents an audit approach whereby
the auditor tests the design and operating effectiveness of internal controls
embedded in applications that are only available electronically to determine the
extent to which the controls are effective and can be relied upon. In this case,
the auditor can use the computer controls to reduce control risk. Three common
approaches to assessing controls include the test data approach, parallel
simulation or using embedded audit modules. Assessing controls embedded in
computerized information can be challenging in complex systems and auditors
often obtain assistance from information systems specialists. In addition, there
is often no paper trail associated with controls embedded in information
systems, which can make it difficult to test operating effectiveness. The benefit,
however, is that once a computerized application control is determined to be
operating effectively through one of the three approaches mentioned above, the
auditor does not need to test a sample of transactions in order to rely on
controls.

12-15 The test data approach involves processing the auditor’s test data using
the client’s computer system and the client’s application software program to
determine whether the computer-performed controls correctly process the test
data. Because the auditor designs the test data, the auditor is able to identify
which test items should be accepted or rejected by the computer. When using
this approach the auditor should assess the following:
• How effectively does the test data represent all relevant conditions
that the auditor wants to test?
• How certain is the auditor that the application programs being tested
by the auditor’s test data are the same programs used by the client
throughout the year to process actual transactions?
• How certain is the auditor that test data is effectively eliminated
from the client’s records once testing is completed?

Parallel simulation with audit software involves the auditor’s use of an
auditor-controlled software program to perform parallel operations to the
client’s software by using the same data files. Because the auditor’s software is
designed to parallel an operation performed by the client’s software, this strategy is
referred to as parallel simulation testing. Parallel simulation could be used in the
audit of payroll by writing a program that calculates the accrued vacation pay
liability for each employee using information contained in the employee master
file. The total liability calculated by the auditor’s software program would then
be compared to the client’s calculation to determine if the liability for accrued
vacation pay is fairly stated at year-end.
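
The payroll parallel simulation described in 12-15, as an added example that is not part of the solutions manual or any client system: the auditor's own program recomputes accrued vacation pay from the employee master file and compares it, employee by employee and in total, with the client's figures. The file layouts, field names, sample records and the accrual rule (unused hours times hourly rate, zero for terminated employees) are assumptions constructed for illustration.

```python
import csv
import io
from decimal import Decimal

CENT = Decimal("0.01")

# Constructed extract of the employee master file (illustrative, not real data).
MASTER_FILE = """emp_id,hourly_rate,vacation_hours_earned,vacation_hours_taken,status
1001,25.00,80,40,ACTIVE
1002,31.50,120,120,ACTIVE
1003,18.75,60,10,ACTIVE
1004,40.00,100,20,TERMINATED
1005,22.10,40,0,ACTIVE
1007,20.00,16,0,ACTIVE
"""

# Constructed output of the client's own accrual calculation (illustrative).
CLIENT_ACCRUAL = """emp_id,accrued_vacation_pay
1001,1000.00
1002,0.00
1003,937.50
1004,3200.00
1005,844.00
1006,500.00
"""


def _rows(text):
    """Parse CSV text into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def auditor_accrual(master_csv):
    """Recompute the liability per employee from the master file alone."""
    accrual = {}
    for row in _rows(master_csv):
        unused = (Decimal(row["vacation_hours_earned"])
                  - Decimal(row["vacation_hours_taken"]))
        if row["status"] != "ACTIVE":
            # Assumed rule: unused vacation is paid out at termination,
            # so no liability remains at year-end.
            unused = Decimal(0)
        amount = unused * Decimal(row["hourly_rate"])
        accrual[row["emp_id"]] = amount.quantize(CENT)
    return accrual


def parallel_simulation(master_csv, client_csv, tolerance=Decimal("0.00")):
    """Compare the auditor's recomputation with the client's calculation.

    Returns both totals and a list of exceptions as tuples of
    (emp_id, reason, auditor_amount, client_amount).
    """
    auditor = auditor_accrual(master_csv)
    client = {r["emp_id"]: Decimal(r["accrued_vacation_pay"])
              for r in _rows(client_csv)}
    exceptions = []
    for emp_id in sorted(auditor.keys() | client.keys()):
        if emp_id not in auditor:
            # Liability recorded for someone absent from the master file.
            exceptions.append((emp_id, "not in master file",
                               None, client[emp_id]))
        elif emp_id not in client:
            # Employee on the master file with no client accrual at all.
            exceptions.append((emp_id, "missing from client calculation",
                               auditor[emp_id], None))
        elif abs(auditor[emp_id] - client[emp_id]) > tolerance:
            exceptions.append((emp_id, "amount differs",
                               auditor[emp_id], client[emp_id]))
    return {
        "auditor_total": sum(auditor.values(), Decimal(0)),
        "client_total": sum(client.values(), Decimal(0)),
        "exceptions": exceptions,
    }


if __name__ == "__main__":
    result = parallel_simulation(MASTER_FILE, CLIENT_ACCRUAL)
    print("Auditor total:", result["auditor_total"])
    print("Client total: ", result["client_total"])
    for emp_id, reason, ours, theirs in result["exceptions"]:
        print(f"  {emp_id}: {reason} (auditor={ours}, client={theirs})")
```

Each exception is a follow-up item for the auditor; the comparison of totals alone would not show which employees drive the difference.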

Multiple Choice Questions From CPA Examinations

12-16 a. (3) b. (2) c. (4)
12-17 a. (2) b. (4) c. (4)
12-18 a. (3) b. (3) c. (3)

Multiple Choice Questions From Becker CPA Exam Review

12-19 a. (4) b. (1) c. (2)

Discussion Questions and Problems

12-20 1. a. Adequate segregation of duties and proper authorization of
transactions and activities.
b. Recorded transactions exist.
c. An unauthorized or invalid time record turned in by an
existing employee. The time record may be for an employee
who formerly worked for the company or one who is
temporarily laid off.
d. An employee could be claiming too many hours by having a
friend punch him or her in early, or by making manual
changes on time cards.
e. Check to see that all employees that are punched in one
day are physically present.
2. a. Adequate documents and records.
b. Existing transactions are recorded.
c. A missing time record number never could be identified
before preparation of payroll starts.
d. An employee would not be paid for a time period. (The
employee is almost certain to bring this to management’s
attention.) The primary benefit of the control would be to
prevent misstatements for a short period of time and to prevent
employee dissatisfaction from failure to pay them.
e. Obtain a list of company employees and make sure that
each one has received a paycheck for the time period in
question.
3. a. Independent check on performance.
b. Recorded transactions are stated at the correct amounts.
c. Mechanical errors of adding up the number of hours,
calculating the gross payroll incorrectly, or calculating
withholding incorrectly.
d. Payroll checks incorrectly calculated could be paid to
employees.
e. Recheck the amounts for gross payroll, withholding and net
payroll.

4. a. Adequate documents and records.
b. Existing transactions are recorded.
c. Preparation of a check for an inappropriate person, the
distribution of that check to that person, and the recording
of that check in the cash disbursements journal as a
voided check.
d. An employee who is supposed to void a check could record
it as voided on the books and cash the check. At month-end
the amount of the check could be covered by adjusting the
bank reconciliation.
e. Test month-end bank reconciliations in detail to determine
that the account reconciles properly, that all supporting
documents are proper, looking especially for a check that
cleared and was supposed to be voided, and that no
alterations have been made to the bank statement.

5. a. Proper authorization of transactions and activities.
b. Recorded transactions exist and recorded transactions are
stated at the correct amounts.
c. Both errors and fraud are likely to be prevented if
competent, trustworthy employees are hired. Hiring honest
employees minimizes the likelihood of fraud. Hiring
competent employees minimizes the likelihood of
unintentional errors.
d. Several types of intentional misstatements could occur if a
dishonest person is hired. Similarly, several types of
unintentional errors could occur if an incompetent person is
hired.
e. An examination of cancelled checks and supporting
documents, including time records and personnel records,
is a test of the possibility of fraud. A test of the calculation of
payroll is a test for an unintentional error caused by
employees who are not competent.

6. a. Proper authorization of transactions and activities.
b. Recorded transactions exist.
c. A paycheck cannot be processed for an invalid employee
number.
d. A fictitious payroll check could be processed for a
fictitious employee if invalid employee numbers are
included in the employee master file.
e. Include test data transactions with invalid employee
numbers to be inputted into the payroll accounting system
and determine that all invalid transactions are automatically
rejected by the software application.

7. a. Adequate separation of duties.
b. Recorded transactions exist.
c. A fictitious payroll check that is originated by the person
both preparing the payroll checks and distributing the payroll
checks.
d. If one person kept a record of time, prepared the payroll,
and distributed the checks, that person could add a
nonexistent employee to the payroll, process the
information for the employee and deposit the funds
electronically or by paycheck in his or her own bank
account without detection.
e. Perform a surprise payoff in which the auditor accounts for
all paychecks and distributes them to the employees, who
must provide identification in order to receive their checks
or payroll direct deposit notifications.

8. a. Proper authorization of transactions and activities, and
adequate documents and records.
b. Recorded transactions exist.
c. The preparation of an inappropriate payroll check for a
former employee is prevented.
d. A terminated employee could be continued on the payroll
with someone else obtaining the paycheck.
e. Perform a surprise payoff in which the auditor accounts for
all paychecks and distributes them to the employees, who
must provide identification to receive their checks or payroll
direct deposit notifications.

9. a. Physical control over assets and records, and adequate
segregation of duties.
b. Recorded transactions exist.
c. Checks prepared for nonexistent employees or employees
on vacation, or absent for other reasons, are controlled
and safeguarded.
d. Checks could be lost that were intended for absent
employees or a check could be taken by the person
responsible for distributing the checks.
e. Examine cancelled checks to make certain that each check
is properly endorsed, supported by a time record, and the
person to whom the check is made out is still working for the
company.

10. a. Proper authorization of transactions and activities and
adequate separation of duties.
b. Recorded transactions exist and recorded transactions are
stated at the correct amounts.
c. Preparation of a check for a fictitious employee or
preparation of checks using an unapproved pay rate are
prevented.
d. A fictitious payroll check could be processed for a fictitious
employee if those with record keeping responsibilities are
allowed to enter new employee numbers into the master
file. Also, paychecks to valid employees could be
overstated if unauthorized personnel have the ability to
make changes to the pay rates in the master files.
e. Attempt to access the online payroll master file using a
password that is not allowed access to that master file.

12-21 a. The size of a company has a significant effect on the nature of the
controls likely to exist. A small company has difficulty establishing
adequate separation of duties and justifying an internal audit staff.
However, a major type of control available in a small company is
the knowledge and concern of the top operating person, who is
frequently an owner-manager. His or her ability to understand the
entire operation of the company is potentially a significant
compensating control. The owner-manager’s interest in the
organization and close relationship with the personnel enable him
or her to evaluate the competence of the employees and the
effectiveness of internal controls.
While some of the five control activities are unavailable in a
small company, especially adequate segregation of duties, it is still
possible for a small company to have proper authorization of
transactions and activities, adequate documents and records,
physical controls over assets and records, and, to a limited
degree, independent checks on performance.

b. Phersen and Collier take opposite and extreme views as to the
credence given to internal control in a small firm. Phersen seems
to treat a small firm in the same manner as he would a large firm,
which is inefficient. Because many types of controls are often
lacking in a small firm, especially one that is a nonpublic company,
assessed control risk should be increased and more extensive
substantive tests must be used. Because assessed control risk is
higher, less emphasis is needed to identify the internal controls.
Collier is not meeting the standards of the profession in that
she completely ignores the possibility of a severe deficiency in the
system. She must obtain an understanding of internal control to
determine whether it is possible to conduct an audit at all. Auditing
standards require, at a minimum, an understanding of internal
control.
The auditor must understand the control environment and
the flow of transactions. It is not necessary, however, for the
auditor to prepare flowcharts or internal control questionnaires. The
auditor of a nonpublic company is required to provide a written
report about significant deficiencies or material weaknesses to
those charged with governance, which may be common on many
small audit clients.

c. Collier’s approach is not acceptable when auditing either a public
or nonpublic company. Collier must obtain an understanding of
internal controls over financial reporting in all audits. When the
auditor assesses control risk below the maximum, which is
generally the case for public companies, the auditor must perform
tests of controls to determine whether key controls over
financial reporting are operating effectively. Those procedures
must provide Collier a basis to express an opinion about internal
controls over financial reporting for accelerated filer public
companies.

d. While Pherson’s approach includes procedures similar to those
that would be performed to obtain an understanding of internal
controls, if Pherson is auditing a public company, he may need to
expand those procedures to ensure that enough information is
obtained about the design and operation of internal controls over
financial reporting. Furthermore, Pherson must perform tests of
key controls over financial reporting to provide a basis for
expressing an opinion on internal controls over financial reporting
for accelerated filer public companies.

12-22 1. a. • Supplying the receiving department with electronic
access to the purchase order is regarded as a
deficiency in that the department may be less careful
in checking goods than they would be if they were
working without a record of the quantities that should
be received.
• The failure to have the storekeeper receipt for the
materials when they are sent to him or her from the
receiving department or to tie in the items placed in
storage with the acquisition constitutes a deficiency
in control in that responsibility for shortages cannot
be conclusively placed on either receiving or stores.
The receiving department might, in collusion with a
vendor, report receipts of materials that were never
received. Also, either the receiving department or the
stores department might fraudulently convert some
of the materials and because of the lack of a
record of responsibility, the company would be
unable to determine which department was
responsible.
b.  The first deficiency increases the likelihood of
obsolete inventory and the possibility of theft of
shipments larger than the amount ordered. It also
increases the likelihood of inaccurate counts of
inventory actually received and recorded.
 The failure to isolate responsibility for shortages also
increases the likelihood of obsolescence in that
employees are likely to be less concerned when they
are not held accountable. Because the company
cannot isolate responsibility, it might also encourage
receiving or stores to take goods.

c. Use a “blind” copy of the purchase order or a separate
receiving report without a copy of the purchase order. Use
perpetual inventory records to hold the storekeeper
accountable. The storekeeper should also initial the
receiving report or purchase order when he or she receives
the goods.

2. a.  The payroll checks should not be returned to the


computer department supervisor but should be
distributed by persons independent of those having a
part in generating the payroll data.
 There is a lack of internal verification of the hours,
rates, extensions, or employees by above.
b.  Padding of payroll with fictitious names and
extracting the checks made out to such names when
they are returned after they have been signed.
 There may be misstatements in hours, rates,
extensions, and the existence of nonworking
employees.
c.  Have the checks handed out by an independent
person and not returned to Strode.
 Internal verification of that information by Webber or
someone else.

3. a. The bank statement and cancelled checks should not be
reconciled by the manager, but should be sent by the bank
directly to the home office, where the reconciliations should
be made against the manager’s report of cash
disbursements.
b. The manager may draw checks to herself or others for
personal purposes and omit them from her list of cash
disbursements or inflate other reported disbursement
amounts.
c. Have all bank statements sent directly to the home office
and have Cooper report directly to the home office by use
of a list of cash disbursements and all supporting
documentation.

12-23 1. No testing is required in the December 31, 2016, audit because
the auditor has determined that the automated control has not
been changed since the prior year. The auditor obtains
reasonable assurance that the automated control has not been
changed due to the effective controls over IT security and software
program changes. Thus, the auditor should consider the extent of
testing of IT security and software changes that might be
necessary in the current year audit due to the auditor’s reliance on
them to prevent changes to the underlying automated
reconciliation control.
2. Testing is required in the December 31, 2016, audit because the
underlying control is performed by a person and is not automated.
Because the control is manually performed, there is a risk that the
operation of the control may not be consistent with the design or
the control may not have been performed. Thus, the auditor
should test the control’s operating effectiveness in the current
year’s audit.
3. Testing is required in the December 31, 2016, audit because the
control is designed to mitigate a significant risk. Controls that
mitigate significant risks must be tested each year.
4. Testing is required in the December 31, 2016, audit because the
client made changes to the software system during the current
year.
5. No testing is required in the December 31, 2016, audit because
the auditor has determined that the automated controls have not
been changed since the prior year. The auditor obtains
reasonable assurance that the automated controls have not been
changed due to the effective controls over IT security and
software program changes. Thus, the auditor should consider the
extent of testing of IT security and software changes that might be
necessary in the current year audit due to the auditor’s reliance on
them to prevent changes to the underlying automated purchase
controls.

12-24 The following are deficiencies of internal control, by transaction-related
audit objective.
Occurrence
• The receiving report is not sent to the stores department. A copy
of the receiving report should be sent from the receiving room
directly to the stores department with the materials received. The
stores department, after verifying the accuracy of the receiving
report, should indicate approval on that copy and send it to the
accounts payable department. The copy sent to accounts payable
will serve as proof that the materials ordered were received by the
company and are in the user department.
• The controller should not be responsible for cash disbursements.
The cash disbursement function should be the responsibility of the
treasurer, not the controller, so as to provide proper segregation of
duties between the custody of assets and the recording of
transactions.
• The purchase requisition is not approved. The purchase
requisition should be approved by a responsible person in the
stores department. The approval should be indicated on the
purchase requisition after the approver is satisfied that it was
properly prepared based on a need to replace stores or the
proper request from a user department.
• Preliminary review should be made before preparing purchase
orders. Prior to preparation of the purchase order, the purchase
office should review the company’s need for the specific materials
requisitioned and approve the request.

Completeness
• Purchase orders and purchase requisitions should not be
combined and filed with the unmatched purchase requisitions in
the stores department. A separate file should be maintained for
the combined and matched documents. The unmatched purchase
requisitions file can serve as a control over merchandise
requisitioned but not yet ordered.
• There is no indication of control over vouchers in the accounts
payable department. A record of all vouchers submitted to the
cashier should be maintained in the accounts payable department,
and a copy of the vouchers should be filed in an alphabetical
vendor reference file.
• There is no indication of any control over prenumbered
documents. All prenumbered documents should be accounted for.

Accuracy
• Purchase requisitions and purchase orders are not compared in
the stores department. Although purchase orders are attached to
purchase requisitions in the stores department, there is no
indication that any comparison is made of the two documents.
Prior to attaching the purchase order to the purchase
requisition, the requisitioner’s functions should include a check
that:
a. Prices are reasonable;
b. The quality of the materials ordered is acceptable;
c. Delivery dates are in accordance with company needs;
d. All pertinent data on the purchase order and purchase
requisition (e.g., quantities, specifications, delivery dates,
etc.) are in agreement.
Because the requisitioner will be charged for the materials
ordered, the requisitioner is the logical person to perform these
steps.
• The purchase office does not review the invoice prior to
processing approval. The purchase office should review the
vendor’s invoice for overall accuracy and completeness,
verifying quantity, prices, specifications, terms, dates, etc., and if
the invoice is in agreement with the purchase order, receiving
report, and purchase requisition, the purchase office should
clearly indicate on the invoice that it is approved for payment
processing. The approved invoice should be sent to the accounts
payable department.
• The copy of the purchase order sent to the receiving room
generally should not show quantities ordered, thus forcing the
department to count goods received. In addition to counting the
merchandise received from the vendor, the receiving department
personnel should examine the condition and quality of the
merchandise upon receipt.
• There is no indication of control over dollar amounts on vouchers.
Accounts payable personnel should prepare and maintain control
information on the dollar amounts of vouchers. Such information
should be sent to departments posting transactions to the general
ledger and master files.

Note: Classification, timing, and posting and summarization are
not applicable. Recording in journals is not included in the
flowcharts.
12-25 Following are the appropriate reporting formats for the six independent
situations:

| INDEPENDENT SITUATION | APPROPRIATE AUDIT REPORT | REASON FOR REPORT |
|---|---|---|
| 1. | Adverse | The presence of a material misstatement not detected by the company’s internal controls is considered at least a significant deficiency, if not a material weakness, for purposes of reporting on internal controls. |
| 2. | Qualified or disclaimer | The auditor’s inability to obtain any evidence about the operating effectiveness of internal controls represents a scope limitation. |
| 3. | Adverse | The auditor considers the combination of the several significant deficiencies to be a material weakness requiring an adverse opinion. |
| 4. | Adverse | The detection of a deficiency that will not prevent or detect a material misstatement in the financial statements meets the definition of a material weakness, which requires an adverse opinion. |
| 5. | Unqualified | The control deficiency was remediated and the auditor was able to obtain sufficient appropriate evidence that the new control operates effectively. Thus, an unqualified opinion on internal control is appropriate. |
| 6. | Unqualified | Because the auditor does not believe the significant deficiency in internal control is a material weakness, the auditor’s report would contain an unqualified opinion. |

12-26 a. The important controls and related sales transaction-related audit
objectives are:
| CONTROL | SALES TRANSACTION-RELATED AUDIT OBJECTIVE |
|---|---|
| 1. Use of prenumbered sales orders | Existing sales transactions are recorded |
| 2. Segregated approval of sales by credit department; customer purchase orders are attached to sales orders; approval is noted on form | Recorded sales are for shipments made to existing customers |
| 3. Segregated entry of approved sales orders | Recorded sales are for shipments made to existing customers; recorded sales are posted to correct customer account |
| Prices are entered using an approved price list | Recorded sales are at the correct price |
| Sales invoices are prepared from the data file created from sales order entry; hash totals are generated and used; sales invoices are prenumbered; control totals are reconciled by an independent person | Recorded sales are for shipments made to existing customers; existing sales transactions are recorded; recorded sales are at the correct amount; sales transactions are properly included in the master files |
| 4. & 5. Bills of lading are produced with sales invoices and eventually filed with the sales invoice in numerical order; differences in quantities are corrected and transaction amounts are adjusted | Existing sales transactions are recorded; recorded sales are for the correct quantity of goods shipped |
| 6. Hash totals of daily processing matched to hash and control totals generated by independent person | Existing sales transactions are recorded; recorded transactions are for shipments made to existing customers |

b. Among the audit procedures to be applied to a sample of the
invoices and source documents are the following:
1. Account for the sequence of prenumbered sales order forms.
2. Review the sales order forms for agreement with purchase
orders from customers.
3. Determine that evidence of approval by the credit department
appears on all sales order forms.
4. Account for the sequence of prenumbered sales invoices.
5. Ascertain that bills of lading have been prepared for all
invoices and are in agreement therewith.
6. Determine that the price list used by the billing clerk has
been properly authorized. Trace prices on the list to invoices,
and test the extensions and additions on the invoices.
7. Ascertain that the sales invoices are in agreement with the
data on the sales order forms.

Among the audit procedures to be applied to the data file are the
following:
1. Verify the company’s predetermined “hash” totals and control
amounts by computing similar totals on selected batches of
invoices and items from the data file.
2. Compare totals and see that they reconcile.
3. Arrange for a tabulating run to be made of selected test
transactions. Compare the items in this printout with the totals
previously compiled from the test transactions.

12-27 a. The use in grocery stores of bar code scanning technologies impacts
a number of financial statement accounts for a grocery. The bar
code scanner is used to retrieve unit prices for each product
scanned, which is then used to calculate the amount to be posted
to the Revenue, Sales Tax Payable, and Cash accounts (and any
overnight Receivable accounts related to sales paid by debit and/or
credit cards that may not be processed until the next business
day). Sometimes bar scanning technologies are used to process
coupons and other discounts, which would be recorded in the
Sales Discount account. Similarly, when goods are returned by
customers to the store, the bar scanning technology is used to
process amounts recorded in the Sales Returns account and related
credit to the Cash account. In addition to recording the transaction
amounts paid by the customer, the bar scanning technologies are
also used to update perpetual inventory records for cost amounts,
which impacts the Inventory and Cost of Goods Sold accounts.


b.

| Risks Inherent to Sales Processing | Accounts Affected | How Bar Scanning Technologies Help Reduce Risk |
|---|---|---|
| Wrong unit price is used to process sale | Revenues; Cash | The system automatically retrieves the unit retail price from the approved price list master file. |
| Calculation of amounts due from customer for all items purchased is inaccurate | Revenues; Cash; Sales Taxes Payable | The system extends price times quantity and adds each extended amount to calculate the total sales price, including sales taxes due from customer. |
| Reduction in inventory accounts for items sold is inaccurate | Inventory; Cost of Goods Sold | The system tracks the number of units removed by product number, which is used to update perpetual inventory records. |
| Not all inventory items taken by customer are included in the processing of the customer’s purchase amount | Revenues; Cash; Inventory; Cost of Goods Sold | As the system reads each bar code, it generates a sound to indicate to the cashier and customer that each product scanned has been captured by the system. |
| Coupons and discounts are incorrectly calculated | Sales Discounts; Cash | The system retrieves coupon and discount information from the master file of promotions and discounts and automatically calculates discount amounts. |

c. Below are examples of how the auditor might test the operating
effectiveness of the bar code scanner technology:
1. The auditor could select a number of different products and
use the bar scanning technology to process the sales amounts
for comparison to the auditor’s separate calculation of
transaction amounts based on items processed. The auditor
could perform the same kind of test using coupons and other
discount programs.
2. The auditor may be able to use audit software to test the
accuracy of individual customer transactions and to test the
summation of all customer transactions processed by a cash
register machine by day and by store.
3. The auditor may be able to use audit software to test the
accuracy of the postings of daily totals to the client’s general
ledger system.


4. The auditor may use audit software to review all unit prices
in the price list master file to identify unusual price amounts
for further investigation (e.g., negative prices, large unit
prices, etc.).
5. The auditor may be able to use audit software to identify
the most recent date of sale by product number and flag those
products that have not been sold to customers for an extended
period of time as potentially obsolete inventory still on hand.

12-28 a. The nature of generalized audit software is to provide computer
programs that can process a variety of file media and record formats
to perform a number of functions using computer technology.
There are several types of generalized audit software
packages. Usually, generalized audit software is a purchased audit
software program that is Windows-based and easily operated on
the auditor’s desktop or laptop computer. Other generalized audit
software exists that contains programs that create or generate
other programs, programs that modify themselves to perform
requested functions, or skeletal frameworks of programs that must
be completed by the user.
A package can be used to perform or verify mathematical
calculations; to include, exclude, or summarize items having specified
characteristics; to provide subtotals and final totals; to compute,
select, and evaluate statistical samples for audit tests; to print
results or sequences that will facilitate an audit step; to compare,
merge, or match the contents of two or more files; and to produce
machine-readable files in a format specified by the auditor.

b. Ways in which a generalized audit software package can be used
to assist in the audit of inventory of Boos & Baumkirchner, Inc.,
include the following:
1. Compare data on the CPA’s set of preprinted inventory
count cards to data on the electronic inventory master file
and list all differences. This will assure that the set of count
cards furnished to the CPA is complete.
2. Determine which items and parts are to be test-counted by
selecting a random sample from the audit deck of count
cards or the electronic inventory master file. Exclude from
the population items with a high unit cost or total value that
have already been selected for test counting.
3. Access the client’s electronic inventory master file and list
all items or parts for which the date of last sale or usage
indicates a lack of recent transactions. This list provides
data for determining possible obsolescence.

4. Access the client’s electronic inventory master file and list
all items or parts of which the quantity on hand seems
excessive in relation to quantity used or sold during the
year. This list provides data for determining overstocked or
slow-moving items or parts.
5. Access the client’s electronic inventory master file and list all
items or parts where the quantity on hand seems excessive
in relation to economic order quantity. This list should be
reviewed for possible slow-moving or obsolete items.
6. Enter the audit test-count quantities onto the cards. Match
these cards against the client’s adjusted electronic
inventory master file, comparing the quantities on the
cards to the quantities on the electronic file and list any
differences. This will indicate whether the client’s year-end
inventory counts and the master file are substantially in
agreement.
7. Use the adjusted electronic inventory master file and
independently extend and total the year-end inventory and
print the grand total on an output report. When compared to
the balance determined by the client, this will verify the
calculations performed by the client.
8. Use the client’s electronic inventory master file and list all
items with a significant cost per unit. The list should show
cost per unit and both major and secondary vendor codes.
This list can be used to verify the cost per unit.
9. Use the costs per unit on the client’s electronic inventory
master file, and extend and total the dollar value of the
counts on the audit test count cards. When compared to
the total dollar value of the inventory, this will permit
evaluation of audit coverage.

12-29

| INTERNAL CONTROL | a. TYPE OF CONTROL | b. TRANSACTION-RELATED AUDIT OBJECTIVE | c. OPPORTUNITY TO RELY ON PRIOR YEAR TESTING |
|---|---|---|---|
| 1 | AC | Recorded payroll transactions exist for valid employees | Yes |
| 2 | AC | Recorded payroll transactions exist (i.e., are for currently employed personnel) | Yes |
| 3 | AC | Recorded payroll transactions are classified into the correct accounts | Yes |
| 4 | AC | Recorded payroll transactions are at the correct amounts | Yes |
| 5 | AC | Recorded payroll transactions are summarized and posted to the correct general ledger account at the correct amounts | Yes |
| 6 | MC | Recorded payroll transactions exist; existing payroll transactions are recorded | No, since manual control |
| 7 | AC | Recorded payroll transactions exist (i.e., are for time actually worked) | Yes |
| 8 | MC | Recorded payroll transactions exist (i.e., are for time actually worked) | No, since manual control |
| 9 | MC | Recorded payroll transactions are at the correct amounts | No, since manual control |
| 10 | AC | Recorded payroll transactions exist (i.e., for valid work performed); recorded payroll transactions are at the correct amounts | Yes |

12-30 a. The following deficiencies in the Parts for Wheels, Inc., online
sales system may lead to material misstatements:
1. Lack of Sales System Interface. The lack of automatic
interface between the online sales ordering system and the
sales accounting system may increase the risk of material
misstatements for sales.
Sales orders printed from the online system may be lost
and not recorded, or they may be recorded more than
once if not properly controlled. Additionally, because each
sale must be manually entered, there is increased risk
that sales may be processed or recorded inaccurately.
2. Lack of Inventory System Interface. The lack of automatic
interface between the online sales ordering system and the
inventory management system may increase the risk that
processed sales may not be properly reflected in the
inventory accounting records. With manual processing,
there may be some risk that shipments occurred without
completion of a proper bill of lading, which is required to
adjust inventory records. As a result, shipments will not be
accurately deducted from inventory records. Also, if bills of
lading are not properly numbered and accounted for, there
is a possibility that completed bills of lading are not entered
or are entered more than once. Furthermore, the manual
process of recording inventory transactions increases the
risk of inaccurate posting of bills of lading into the inventory
records.
3. Manual Credit Approval. The process of verifying credit
authorization with the credit card agency is dependent on
human processing. The lack of automatic electronic credit
authorization may increase the risk of sales to unauthorized
customers. This may lead to an increased risk of collection
problems from credit card receivables.
4. Premature Recording. Currently, sales are entered into the
sales journal on the date credit is authorized, which is often
the date the order is placed. This may result in premature
recording of sales, given that sales are recorded before
shipment has occurred. As a result, sales may be recorded
in accounting periods different from when inventory records
are updated for the shipment. Cutoff problems may occur.
5. Inadequate Tracking of Returns. If systems for tracking and
estimating online sales returns are inadequate, Parts for
Wheels, Inc., may understate estimates of customer returns,
including estimated costs for refunding shipping costs. This
could result in overstated net sales and understated
shipping costs.

b. Below are suggested changes that could be made to the existing
manual system to enhance internal control, without re-designing
the online system:
1. When the accounting department prints submitted orders
from the online system, each order should be numbered
sequentially with the range of used numbers logged daily.
When the sales orders are recorded, the order number
should be recorded.
2. Prenumbered bills of lading should be used. All bills of
lading should be accompanied by the sales order used by
warehouse personnel to process shipment. All bills of lading
should be forwarded to accounting on the date of shipment.
3. Accounting should match the bills of lading with the accounting
department’s copy of the sales orders before any entries
are recorded in the sales journal and inventory system.
Entries to the sales journal and inventory records should be
made on the same day to ensure consistent cutoff of the
recording of transactions.

c. For the deficiencies identified in part a, the auditors would be most
concerned about the following transaction-related and balance-
related audit objectives:
1. Lack of Sales System Interface. Auditors would be
concerned about occurrence, completeness, accuracy, and
timing of sales as well as occurrence, completeness,
accuracy, and cutoff of accounts receivable.
2. Lack of Inventory System Interface. Auditors would be
concerned about occurrence, completeness, accuracy, and
timing of cost of goods sold as well as occurrence,
completeness, accuracy, and cutoff of inventory.
3. Manual Credit Approval. Auditors would be most concerned
with realizable value of credit card receivables.
4. Premature recognition. Auditors would be most concerned
with timing of sales recognition and cutoff of accounts
receivable.
5. Inadequate Tracking of Returns. The auditor would be
concerned about completeness of sales returns
(occurrence of sales) and shipping costs.

d. Auditors could use generalized audit software in several ways.
First, they could use audit software to match orders made through
the online sales order system to sales recorded manually by
comparing the records. Any unmatched orders or sales could be
identified for follow-up. Second, the generalized audit software
could be used to compare the date of the shipment according to
the bill of lading to the date the sale is recorded to identify sales
recorded prematurely at year-end.

Audit software could also be used to compare updates to
the inventory system with the sales recorded to ensure all sales
are recorded in the inventory system as well. Each of the
procedures using generalized audit software would be made even
easier by the changes recommended in part b. above.
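
The three tests described in part d, sketched as an added Python example that is not part of the original solution. The record layouts, function names, order numbers, amounts and dates are constructed assumptions, and the order number recorded with each sale (part b, item 1) is assumed to be available as the match key.

```python
from collections import Counter
from datetime import date

YEAR_END = date(2016, 12, 31)  # assumed fiscal year-end for the sample data

# Constructed extracts; layouts and values are assumptions, not case data.
ONLINE_ORDERS = {1001: 25000, 1002: 8000, 1003: 41000, 1004: 12550, 1005: 6000}
SALES_JOURNAL = [  # (order number, amount in cents, date recorded)
    (1001, 25000, date(2016, 12, 28)),
    (1002, 8000, date(2016, 12, 29)),
    (1002, 8000, date(2016, 12, 29)),   # same order keyed twice
    (1003, 40100, date(2016, 12, 30)),  # transposed amount
    (1005, 6000, date(2016, 12, 31)),
    (1009, 7500, date(2016, 12, 31)),   # no supporting online order
]
BILLS_OF_LADING = {  # order number -> shipment date
    1001: date(2016, 12, 29),
    1002: date(2016, 12, 30),
    1003: date(2017, 1, 3),
    1005: date(2017, 1, 2),
}
INVENTORY_UPDATES = {1001, 1002, 1003}  # orders relieved from inventory


def match_orders_to_sales(orders, journal):
    """Compare the online order file with the manually keyed sales journal."""
    counts = Counter(order_no for order_no, _, _ in journal)
    return {
        "unrecorded_orders": sorted(set(orders) - set(counts)),
        "sales_without_order": sorted(set(counts) - set(orders)),
        "recorded_more_than_once": sorted(n for n, c in counts.items() if c > 1),
        "amount_differences": sorted(
            {n for n, cents, _ in journal if n in orders and cents != orders[n]}
        ),
    }


def premature_sales(journal, bills_of_lading, year_end):
    """Sales recorded on or before year-end with no shipment by year-end."""
    exceptions = {}
    for order_no, _, recorded in journal:
        shipped = bills_of_lading.get(order_no)  # None: no bill of lading on file
        if recorded <= year_end and (shipped is None or shipped > year_end):
            exceptions[order_no] = (recorded, shipped)
    return sorted(exceptions.items())


def sales_missing_from_inventory(journal, inventory_updates):
    """Recorded sales with no matching inventory update."""
    return sorted({n for n, _, _ in journal} - set(inventory_updates))


if __name__ == "__main__":
    for test, hits in match_orders_to_sales(ONLINE_ORDERS, SALES_JOURNAL).items():
        print(f"{test}: {hits}")
    for order_no, (recorded, shipped) in premature_sales(
        SALES_JOURNAL, BILLS_OF_LADING, YEAR_END
    ):
        print(f"cutoff exception {order_no}: recorded {recorded}, shipped {shipped}")
    print(
        "not in inventory:",
        sales_missing_from_inventory(SALES_JOURNAL, INVENTORY_UPDATES),
    )
```

Each exception list is a starting point for follow-up with supporting documents, not a conclusion that a misstatement exists.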

12-31 a. When an organization outsources its information technology functions
to a third party, there are several inherent risks that arise. For First
Community Bank, management is totally reliant on Technology
Solutions’ internal controls designed to protect IT hardware,
operations, software, and data maintained at the data center. In
essence, the design and operation of most of the IT general
controls necessary to reduce IT related risks to acceptable levels
are under direct control of Technology Solutions. Thus, the bank’s
management is reliant on Technology Solutions’ implementation of
effective IT-related general controls.
Because First Community must transmit transaction related
data between the bank and the Technology Solutions data center,
there is a risk that data may be lost, corrupted, or stolen during the
communication transfer process. Also, like First Community,
other organizations that use Technology Solutions to manage IT
have access to servers located at Technology Solutions. There is
some risk that other customers of Technology Solutions might
negatively affect IT operations of First Community.
b. As noted in the answer to part a., the outsourcing of the IT function
to Technology Solutions means that most of the IT general controls
are now under the direct supervision of management at Technology
Solutions. While management at First Community continues to be
responsible for the design and operation of internal controls,
including those related to IT, they are now dependent on Technology
Solutions’ design and operation of effective IT controls, especially
those related to IT general controls.
c. The use of Technology Solutions is likely to have a significant
effect on the audit of the financial statements of First Community
Bank. Because the bank has outsourced all of the bank’s financial
reporting applications to Technology Solutions, most of the IT-
related controls and underlying applications and data files now
reside at Technology Solutions. The auditors for First Community
will need to understand all IT related operations, including those at
Technology Solutions, so that they can understand internal control,
assess the risks of material misstatements, and perform appropriate
tests of controls and substantive tests. Most likely the auditors of
First Community will seek a service auditor’s Type 2 report on
controls that have been implemented and tested for operating
effectiveness.

12-32 a. 1. Automated control embedded in computer software
2. Manual control whose effectiveness is based significantly
on IT-generated information
3. Automated control embedded in computer software
4. Manual control whose effectiveness is based significantly
on IT-generated information
5. Manual control whose effectiveness is not significantly reliant
on IT-generated information

b. 1. The extent of testing of this control could be significantly
reduced in subsequent years if effective controls over program
and master file changes are in place. Such controls would
increase the likelihood that the inventory software program
that contains the automated control and the related inventory
master file are not subject to an unauthorized change. If the
auditor determines that no changes have been made to the
automated control, the auditor can rely on prior year audit
tests of the controls as long as the control is tested at least
once every third year audit. If the control mitigates a
significant risk, the control must be tested in the current
year’s audit.
2. The extent of testing of this control could be moderately
reduced in subsequent years if effective controls over
program and master file changes are in place. Such controls
would increase the likelihood that the printout of prices
accurately reflects actual prices used by the system to
record inventory transactions. Adequate controls over the
master file decrease the likelihood that prices approved by
the sales and purchasing department managers have been
changed without authorization. However, because this
control is also dependent on manager review of computer
generated output, some testing may be required each year,
although the amount of testing may be reduced by effective
general controls.
3. The extent of testing of this control could be significantly
reduced in subsequent years if effective controls over
program and master file changes are in place. Such controls
would increase the likelihood that the inventory software
program that processes the automatic purchase order and
the related inventory master file of product numbers are not
subject to an unauthorized change.

4. The extent of testing of this control could be moderately
reduced in subsequent years if effective controls over program
changes are in place. Such controls would increase the
likelihood that the purchasing system software program that
identifies purchases exceeding $10,000 per vendor functions
accurately. However, because this control is also dependent
on manager review of the computer generated exception
listing, some testing may be required each year.

5. Because this control is not dependent on technology
processes, the strength of general controls over program and
master file changes is not likely to have an impact on the extent
of testing of this review by the sales department manager.

12-33 Note: The PCAOB reorganized their auditing standards effective
December 31, 2016. Auditing Standard No. 5 is identified in the
reorganized standards as AS 2201.
a. Paragraph .01 of AS 2201 notes that the integrated audit standard
applies when an auditor is engaged to perform an audit of internal
control over financial reporting that is integrated with an audit of
the financial statements. Large public companies (accelerated
filers) are required by Section 404(b) of the Sarbanes-Oxley Act to
engage an independent auditor to perform an audit of
management’s assessment of the effectiveness of internal control
over financial reporting.
b. According to paragraph .07 of the standard, the auditor’s objective
in an audit of internal control over financial reporting is to express
an opinion on the effectiveness of internal controls over financial
reporting as of year-end. The objective of a financial statement
audit is to express an opinion on whether the financial statements
are fairly stated in accordance with accounting standards. In an
integrated audit, the auditor should gather sufficient evidence
related to internal controls to support their opinion on the
effectiveness of internal controls over financial reporting and also
to support the assessment of control risk that is relevant to the
financial statement audit.
c. As discussed in paragraphs .10 through .12 of AS 2201, risk
assessment related to the audit of internal control over financial
reporting, similar to risk assessment related to the financial
statement audit, involves identifying significant accounts and
disclosures and the related assertions and audit objectives. In an
audit of internal control over financial reporting, the auditor is
concerned about the risk a material weakness exists, and that
assessed risk in turn affects the level of substantive testing to be
performed.


d. Paragraph .39 notes that the auditor should test those controls
that are important to the auditor’s conclusion about whether the
company’s controls sufficiently address the assessed risk of
misstatement to each relevant assertion. The auditor uses a top-
down, risk-based approach to selecting which controls to test. The
top-down approach means the auditor will focus first on entity-
level controls and then work their way down to significant
accounts and then relevant assertions and audit objectives. Both
quantitative and qualitative factors are important in identifying
significant accounts and relevant assertions.
e. If the auditor identifies a material misstatement during the financial
statement audit that was not prevented or detected by the client’s
internal controls over financial reporting, this suggests the
existence of a material weakness. If the auditor identifies
misstatements below materiality, then a control deficiency, a
significant deficiency, or possibly even a material weakness is
implied.

12-34 1. Students should have located the Form 10-K for Bob Evans
Farms, Inc., for the year ended April 25, 2014. Instructors may
want to encourage students to use the EDGAR Full-Text Search
option to identify the company’s filings more efficiently.

2. Management’s Annual Report on Internal Control Over Financial
Reporting provides the following answers to the questions in a.
through f.:
a. Management is responsible for establishing and
maintaining adequate internal control over financial
reporting.
b. Management’s report addresses internal control over
financial reporting.
c. Management conducted its assessment of the effectiveness
of internal control over financial reporting based on criteria
established in the COSO Internal Control – Integrated
Framework.
d. Management concluded that its internal control over
financial reporting was not effective due to the existence of
material weaknesses as described in e. below.
e. Management arrived at its conclusion that internal control
over financial reporting is not effective due to material
weaknesses related to current and deferred income tax
accounting and property, plant, and equipment accounting.
f. Management does not disclose any changes in their report,
but discloses additional information in Item 9A of the form
10-K. Management discloses that they have taken actions
to remediate both material weaknesses; however, they did
not have sufficient time to test the effectiveness of the
controls prior to the balance sheet date and thus continue
to disclose the material weaknesses as of that date.

3. The report of the independent registered public accounting firm
notes the firm audited internal control over financial reporting in
accordance with the standards of the PCAOB. The auditor’s report
also discusses the material weaknesses identified in
management’s report and concludes internal controls over
financial reporting are not effective as of the balance sheet date.
The report also references the associated audit report on the
financial statements.
Case

12-35 1. Strengths in lines of reporting from IT to senior management at
Jacobsons:
• Melinda Cullen (IT Manager) and the chief operating officer
(COO) work closely on identifying hardware and software
needs.
• Melinda’s boss, the COO, has access to the board of
directors and provides periodic updates about IT issues, if
needed.
Deficiencies in lines of reporting from IT to senior management:
• The chief IT person (Melinda) is relegated to a manager level
and is not considered a part of the senior executive team.
This signals a potential lack of adequate support extended
by top management to the IT function.
• The IT Manager reports to a key user, the COO. The COO
may place undue pressure on IT to work on IT-related projects
that affect the COO’s areas of responsibility. Thus, other
areas, such as those under the chief financial officer’s control
(e.g., the accounting system), may not receive adequate
IT resources.
• Melinda and the COO make all major hardware and software
decisions without input from other user personnel and the
board of directors.
• There does not appear to be a written IT strategic plan that
sets direction for the IT function.
Recommendations related to the lines of reporting from IT to senior
management:
• The IT Manager should report directly to the president and
be considered a part of senior management (e.g., on equal
footing relative to the COO, CFO, etc.).
• The board of directors should receive regular input from the
IT Manager about the status of IT projects.
• A written strategic plan should be developed and reviewed
annually by the board.
• Significant hardware and software changes should be approved
by the board or its IT Steering Committee. Other changes
to application software should also be approved by affected
user departments.
2. Assessment of Melinda’s fulfillment of IT Manager responsibilities,
including her strengths:
• Melinda is actively involved in the IT function and closely
monitors day-to-day IT activities.
• Melinda is experienced in Jacobsons’ IT function, having been
employed by the company for 12 years. She has served in
several IT roles at Jacobsons. Thus, she offers stability for
the IT function.
• Melinda performs extensive background checks before offering
candidates employment in IT functions.
• Melinda has successfully maintained a fairly stable IT staff.
• Melinda conducts weekly IT departmental meetings to discuss
issues affecting the performance of the department.
• Apparently the IT department is functioning well, given that
few IT-related problems must be reported by the COO to the
board.
Concerns about current management of the IT function:
• Melinda may be over-delegating tasks to IT personnel without
maintaining close accountability for employee actions. For
example, programmers are given extensive leeway in
programming changes to software and operators check each
other’s work to ensure that Melinda’s job schedule was
properly followed.
• Melinda spends too much of her time in the systems analyst
role, which leaves little time for her to adequately monitor
all IT tasks.
Recommendations for change related to the management of the
IT department:
• Consider assigning systems analyst responsibilities to a
senior programmer.
• Establish standardized programming procedures and have
Melinda review changed programs for compliance with those
procedures.
• Melinda should reconcile the Job Processed Log to the job
schedule developed by her.
• Melinda should assign or at least approve the assignment of
programmer staff responsibilities.

3. Assessment of the strengths of the programming function at
Jacobsons:
• The programming staff is experienced with both systems
software and Jacobsons’ application software.
• The assignment of projects based on time availability of
programmers ensures that each programmer stays familiar
with all types of software in use at Jacobsons.
• Programmers regularly attend continued professional
education courses.
• Extensive logs of tape use and of changes made to programs
are maintained.
Concerns about the programming function:
• Programmers work with both systems and application software
program changes. Thus, a programmer is more likely to be
able to implement an unauthorized change to an application
program that also requires an unauthorized change to
systems software.
• Programmers are responsible for maintaining secondary
storage of live programs and data files. Thus, programmers
are able to make unauthorized changes to live production
copies of programs and data files.
Recommendations for change related to the programming function
at Jacobsons:
• Divide programmers into systems programmers and application
programmers. Only assign system software changes to systems
programmers and application software changes to application
programmers.
• Reassign responsibility for maintaining secondary storage
to either the computer operators or to data control personnel.

4. Assessment of the strengths of the IT operations function at
Jacobsons:
• Melinda prepares a job schedule which operators follow to
process transactions. Day-shift operators reconcile Job
Processed Logs generated during the night shift to the job
schedule, and night shift operators do the same type of
reconciliation for jobs processed during the day.
• Operators perform routine monthly backup procedures.
• Input batch controls are generated to verify the accuracy
and completeness of processing.
Concerns about the IS operations function:
• Backup procedures only occur monthly, which increases the
risk of data loss.
• No one, other than operators, verifies that only jobs included
on the job schedule are processed. Melinda depends totally
on the completeness of the operators’ identification of
exceptions noted by operators.
• Job Processed Logs are generally discarded, unless the
output does not reconcile to the job schedule.
• Operators have the authority to make small changes to
application programs.
• Comparison of batch input control totals to computer processing
is not performed by someone independent of the operator
responsible for the processing.
Recommendations for change related to the management of the
IS operations function:
• Update key data files and program tapes on a more periodic
basis (perhaps daily). Store backup copies offsite.
• Prohibit operators from performing any programming tasks.
Restrict access to program files to a READ/USE only capability.
5. Assessment of the strengths of the IT data control function at
Jacobsons:
• Data control personnel review exception listings and submit
requests for correction on a timely basis.
• Data control clerks monitor the distribution of output.
Concerns about the IT data control function:
• Data control personnel have the authority to approve changes
to master files. Thus, they could add a fictitious employee
to the employee master file to generate a payroll check for
a non-existent employee.
Recommendations for change related to the management of the
IT data control function:
• Restrict data control personnel from being able to authorize
changes to master files. Only allow the respective user
department to authorize changes to master files. Data control
clerks should be held accountable for only inputting user
department authorized changes to master files.
6. Users should be responsible for approving changes to master
files. They should actively compare authorized input to output to
ensure the accuracy, completeness, and authorization of output.
Users should also be active participants in the program systems
development process. They should participate in program development
design, testing, and implementation. In addition, users should have
a voice in establishing the job schedule, given that users understand
their processing needs best.
12-36 ACL Problem
a. There are 5,298 records in the “Purchase_orders” dataset, with a
total dollar value for the purchase order amount column of
$62,047,339.67. (Use the Total command under Analyze for the
Purchase Order Amount column.)
b. Below is the ACL output from the Stratify command for the
Purchase Order Amount column. The first stratum, with purchase
order amounts ranging from $100 to $10,089.99, accounts for the
largest number of purchase transactions at 3,783 transactions.
Command: STRATIFY ON po_amount SUBTOTAL po_amount MINIMUM 100 MAXIMUM 100000 INTERVALS 10 TO SCREEN
Table: Purchase_orders

Minimum encountered was 100.32
Maximum encountered was 273,698.86

Purchase Order Amount     Count   Percent of Count   Percent of Field   Purchase Order Amount
100.00 - 10,089.99        3,783   71.4%              17.66%             10,959,684.20
10,090.00 - 20,079.99       655   12.36%             15.15%              9,399,478.68
20,080.00 - 30,069.99       282   5.32%              11.14%              6,913,537.96
30,070.00 - 40,059.99       182   3.44%              10.19%              6,320,381.51
40,060.00 - 50,049.99       106   2%                 7.64%               4,741,547.94
50,050.00 - 60,039.99        87   1.64%              7.57%               4,695,597.55
60,040.00 - 70,029.99        56   1.06%              5.82%               3,608,147.20
70,030.00 - 80,019.99        38   0.72%              4.6%                2,854,213.35
80,020.00 - 90,009.99        17   0.32%              2.31%               1,435,789.51
90,010.00 - 100,000.00       26   0.49%              3.98%               2,469,222.55
>100,000.00                  66   1.25%              13.94%              8,649,739.22
Totals                    5,298   100%               100%               62,047,339.67

c. Highlighting the Purchase Order Number column and using the
“Gaps” command under Analyze, there are 343 gap ranges
detected in the “Purchase_orders” dataset. In addition, based
on scanning the purchase order numbers and purchase
dates, the purchase orders appear to be used out of order. This
suggests poor internal controls over purchasing activity. The auditor
would want to know why there are 343 purchase orders missing,
and whether they were used but not recorded. If they were used but
not recorded, the auditor would be concerned about a potentially
material understatement of purchases. It is possible the purchase
orders are canceled if an employee makes an error while filling one
out; however, it would be important for the client to keep track of
any voided purchase orders so they can ensure purchases are
complete. Using the “Duplicates” command under Analyze, there
are no duplicate purchase orders identified in the dataset. If there
had been duplicates, the auditor would be concerned about an
overstatement of purchases if they were being recorded more than
once.
d. Highlighting the “Requisition Number” column, and using the
“Summarize” command, there are 3,097 purchase transactions (out
of the 5,298 total transactions) that do not have a requisition. The
total dollar value of purchases without requisitions is
$35,228,641.28, which represents 57% of the total dollar amount of
purchases. It would be important for the auditor to understand the
client’s policy related to purchases, and when a requisition is
required. Internal control over purchasing would be strengthened if
the client required a purchase requisition for all purchase
transactions, or an indication of why that policy may be violated
(e.g., if a purchase needs to be expedited and no one is available
to approve a requisition). The concern when there is no requisition
is that the purchase may not have been approved, or may not be
for a legitimate business purpose.
e. Use the “Classify” command to classify by vendor number with a
subtotal for purchase amount and save the output to “file.” That
indicates there are 2,823 unique vendor numbers. Performing a
“Quick Sort” of the percent of field column (in descending order) in
the file created by the Classify command shows there are no
vendors that account for more than 5% of purchases. The
maximum percent of total purchases is 1.1% for vendor number
VN-0010390476508.

f. Below is the output from filtering on purchases greater than
$100,000. There are a total of 66 purchase transactions greater
than $100,000. Not all output columns are included below.

po_number po_date vendor_number po_amount created_on
028493214615 1/19/2014 VN-0010090307334 115183.06 1/19/2014
028493215666 3/26/2014 VN-0010000259877 109933.27 3/26/2014
028493215782 4/5/2014 VN-0010340106140 149638.15 4/5/2014
028493215789 4/1/2014 VN-0010230187330 127375.73 4/1/2014
028493215811 4/7/2014 VN-0010000394772 108840.26 4/7/2014
028493215837 4/5/2014 VN-0010090260265 105883.12 4/5/2014
028493215843 4/6/2014 VN-0010260172176 128973.34 4/6/2014
028493215844 4/7/2014 VN-0010070247341 101968.05 4/7/2014
028493215924 4/14/2014 VN-0010000024372 111524.37 4/14/2014
028493215931 4/9/2014 VN-0010000271470 109810.9 4/9/2014
028493216120 4/20/2014 VN-0010000110409 114456.03 4/20/2014
028493216185 4/26/2014 VN-0010000433003 137635.35 4/26/2014
028493216189 4/26/2014 VN-0010260179830 115138.1 4/26/2014
028493216213 4/28/2014 VN-0010000195648 165841.62 4/28/2014
028493216220 4/30/2014 VN-0010000245035 227778.89 4/30/2014
028493216221 4/27/2014 VN-0010390088981 150800.65 4/27/2014
028493216250 5/3/2014 VN-0010000147105 102095.08 5/3/2014
028493216432 5/12/2014 VN-0010090203173 126002.08 5/12/2014
028493216438 5/7/2014 VN-0010450022589 115068.47 5/7/2014
028493216439 5/10/2014 VN-0010390190953 140503.18 5/10/2014
028493216467 5/12/2014 VN-0010450113576 132830.82 5/12/2014
028493216559 5/18/2014 VN-0010000256594 106881.05 5/18/2014
028493216591 5/20/2014 VN-0010090193739 138132.97 5/20/2014
028493216596 5/18/2014 VN-0010160206123 102713.45 5/18/2014
028493216597 5/18/2014 VN-0010000269163 104790.21 5/18/2014
028493216619 5/19/2014 VN-0010070241895 108725.19 5/19/2014
028493216718 5/26/2014 VN-0010210023460 106386.5 5/26/2014
028493216747 5/26/2014 VN-0010410272994 125765.85 5/26/2014
028493216752 5/27/2014 VN-0010480512685 152527.65 5/27/2014
028493216753 5/25/2014 VN-0010070502023 148475.86 5/25/2014
028493216914 5/31/2014 VN-0010000268675 155921.72 5/31/2014
028493216922 6/4/2014 VN-0010250311629 117570.63 6/4/2014
028493217004 6/7/2014 VN-0010070108651 103041.69 6/7/2014
028493217009 6/4/2014 VN-0010200427270 108830.02 6/4/2014
028493217050 6/8/2014 VN-0010090260265 135321.12 6/8/2014
028493217057 6/8/2014 VN-0010480078505 117350.22 6/8/2014
028493217135 6/15/2014 VN-0010000267717 200945.74 6/15/2014
028493217142 6/14/2014 VN-0010330031684 199494.08 6/14/2014
028493217274 6/21/2014 VN-0010070241895 110073.07 6/21/2014
028493217278 6/18/2014 VN-0010000259361 117540.23 6/18/2014
028493217392 6/28/2014 VN-0010000087814 111687.45 6/28/2014
028493217398 6/24/2014 VN-0010000102912 101973.45 6/24/2014
028493217423 6/29/2014 VN-0010000147105 108972.1 6/29/2014
028493217431 7/1/2014 VN-0010100020125 107515.38 7/1/2014
028493217544 7/2/2014 VN-0010450319216 139761.96 7/2/2014
028493217715 7/12/2014 VN-0010000281402 164763.19 7/12/2014
028493217722 7/14/2014 VN-0010160228550 122279.13 7/14/2014
028493217723 7/12/2014 VN-0010070052167 127611.4 7/12/2014
028493217815 7/21/2014 VN-0010000108791 143510.51 7/21/2014
028493217822 7/21/2014 VN-0010460029032 141854.71 7/21/2014
028493217823 7/20/2014 VN-0010070059858 102233.56 7/20/2014
028493217938 7/22/2014 VN-0010000273841 115415.65 7/22/2014
028493218094 8/3/2014 VN-0010270141534 127599.74 8/3/2014
028493218180 8/9/2014 VN-0010000430933 101012.03 8/9/2014
028493218187 8/9/2014 VN-0010000282973 149550.22 8/9/2014
028493218224 8/13/2014 VN-0010000270884 148361.72 8/13/2014
028493218231 8/11/2014 VN-0010070344773 104780.65 8/11/2014
028493218275 8/16/2014 VN-0010090168632 118950.76 8/16/2014
028493218346 8/16/2014 VN-0010380323702 273698.86 8/16/2014
028493218353 8/19/2014 VN-0010290049720 143706.72 8/19/2014
028493218354 8/17/2014 VN-0010000268420 132859.03 8/17/2014
028493218453 8/24/2014 VN-0010000233061 119706.99 8/24/2014
028493218549 9/1/2014 VN-0010070241895 142498.05 9/1/2014
028493218555 9/1/2014 VN-0010000249805 182623.85 9/1/2014
028493218556 9/2/2014 VN-0010150116435 145616.81 9/2/2014
028493218579 9/2/2014 VN-0010000207185 113427.53 9/2/2014
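
The sequence, duplicate, requisition and vendor-concentration tests described in parts c. through e. can also be run outside ACL. The Python below is an added example, not part of the textbook solution; the rows are constructed sample data (not the Purchase_orders file), and the function names and six-digit PO numbers are assumptions made for illustration.

```python
from collections import Counter, defaultdict
from datetime import date
from decimal import Decimal

# Constructed sample rows, not the textbook's Purchase_orders data.
# Columns: po_number, po_date, vendor_number, requisition_number, po_amount
ROWS = [
    ("000101", date(2014, 1, 5),  "VN-A", "RQ-1", Decimal("1200.00")),
    ("000102", date(2014, 1, 9),  "VN-B", "",     Decimal("5300.50")),
    ("000105", date(2014, 1, 7),  "VN-A", "RQ-2", Decimal("800.00")),
    ("000106", date(2014, 1, 12), "VN-C", "",     Decimal("2700.00")),
    ("000106", date(2014, 1, 12), "VN-C", "",     Decimal("2700.00")),
    ("000109", date(2014, 1, 15), "VN-A", "RQ-3", Decimal("10000.00")),
]

def gap_ranges(rows):
    """Missing PO number ranges as (first_missing, last_missing) pairs."""
    width = len(rows[0][0])                      # keep leading zeros
    nums = sorted({int(r[0]) for r in rows})
    return [(str(lo + 1).zfill(width), str(hi - 1).zfill(width))
            for lo, hi in zip(nums, nums[1:]) if hi - lo > 1]

def duplicate_pos(rows):
    """PO numbers that appear on more than one record."""
    counts = Counter(r[0] for r in rows)
    return sorted(po for po, n in counts.items() if n > 1)

def out_of_order(rows):
    """POs dated earlier than a lower-numbered PO (numbers used out of order)."""
    flagged, latest = [], date.min
    for po, po_date, *_ in sorted(rows, key=lambda r: int(r[0])):
        if po_date < latest:
            flagged.append(po)
        latest = max(latest, po_date)
    return flagged

def without_requisition(rows):
    """Count, amount and percent of total dollars for POs lacking a requisition."""
    total = sum(r[4] for r in rows)
    missing = [r for r in rows if not r[3].strip()]
    amount = sum((r[4] for r in missing), Decimal("0"))
    return len(missing), amount, (amount / total * 100).quantize(Decimal("0.1"))

def vendors_over(rows, threshold_pct):
    """Vendors whose share of total purchase dollars exceeds threshold_pct."""
    total = sum(r[4] for r in rows)
    by_vendor = defaultdict(Decimal)
    for r in rows:
        by_vendor[r[2]] += r[4]
    shares = [(v, (amt / total * 100).quantize(Decimal("0.1")))
              for v, amt in by_vendor.items()]
    return sorted((s for s in shares if s[1] > threshold_pct),
                  key=lambda s: s[1], reverse=True)

if __name__ == "__main__":
    print("gap ranges:         ", gap_ranges(ROWS))
    print("duplicates:         ", duplicate_pos(ROWS))
    print("used out of order:  ", out_of_order(ROWS))
    print("without requisition:", without_requisition(ROWS))
    print("vendors over 5%:    ", vendors_over(ROWS, 5))
```

Each gap range or out-of-order number the functions return is a lead for follow-up (for example, checking it against a voided-PO log), not by itself evidence of an unrecorded purchase.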

Integrated Case Application

12-37 (see text Web site for Excel solution - Filename P1237.xls)

PINNACLE MANUFACTURING―PART IV

Following are control risk matrices and related notes that are used to direct a
discussion of the requirements of the case. It should be understood that
judgment is a critical element in this case, and accordingly, there often is no
single right answer.
Computer-prepared matrices using Excel (P1237.xls) are contained on
the text web site. They are essentially the same as the matrices on the next
two pages.

PINNACLE MANUFACTURING - Part IV

Control Risk Matrix – Acquisitions

Transaction-Related Audit Objectives (columns, left to right):
• Recorded acquisitions are for goods and services received (occurrence).
• Existing acquisition transactions are recorded (completeness).
• Recorded acquisition transactions are stated at the correct amounts (accuracy).
• Recorded acquisition transactions are properly included in the master files, and are properly summarized (posting and summarization).
• Acquisition transactions are properly classified (classification).
• Acquisition transactions are recorded on the correct dates (timing).

Internal Controls (rows):
1. Required use of PO and receiving report with check of completeness    C
2. Proper approval    C  C
3. Segregation of functions    C
4. Cancellation of documents    C
5. Prenumbering of documents with accounting for sequence    C
6. Internal verification of documents/records    C  C  C  C  C
7. Use of chart of accounts    C
8. Procedures requiring prompt processing    C
9. Monthly reconciliation of A/P master file with general ledger    C

Assessed control risk    Low  Low  Low  Low  Low  Low

PINNACLE MANUFACTURING - Part IV

Control Matrix - Cash Disbursements

Transaction-Related Audit Objectives (columns, left to right):
• Recorded cash disbursements are for goods and services actually received (occurrence).
• Existing cash disbursement transactions are recorded (completeness).
• Recorded cash disbursement transactions are stated at the correct amounts (accuracy).
• Recorded cash disbursement transactions are properly included in the master file and are properly summarized (posting and summarization).
• Cash disbursement transactions are properly classified (classification).
• Cash disbursement transactions are recorded on the correct dates (timing).

Internal Controls (rows):
1. Segregation of functions    C
2. Review of support, signing of checks by authorized person    C
3. Prenumbered checks; accounted for    C
4. Use of chart of accounts    C
5. Procedures for prompt recording    C
6. Monthly reconciliation of A/P master file with G/L    C

Deficiencies
1. Lack of an independent bank reconciliation (Done by Treasurer)    D  D
2. Lack of internal verification of documentation package by cash disbursements clerk.    D  D  D
3. Lack of internal verification of key entry into cash disbursements file.    D  D  D

Assessed control risk    Medium  Medium  High  Low  Low  Low


Notes to 12-37, Part IV

1. The purpose of Part IV is to have the students:
(a) develop specific transaction-related audit objectives for a
cycle,
(b) obtain controls from a flowchart description,
(c) relate controls to objectives,
(d) evaluate a set of controls as a system.

2. Control is quite good for acquisitions. If misstatements in
acquisitions occur, they will result from the incorrect application of
controls, not their absence. This demonstrates the inherent
deficiencies in any control system. It explains the reasons why
some misstatements were found last year. However, they were not
material. It also indicates the need for tests of controls and
substantive tests of details of balances and/or transactions.
Controls for cash disbursements are not nearly as good, given the
three deficiencies. This provides an opportunity to discuss both
fraud and errors. Given the deficiencies, there is potential for fraud
in cash.

3. It is appropriate to use the matrices to consider whether all
controls shown are important to both the client and to the
auditor. Is it necessary to have all controls (e.g., prenumbering of
requisitions)? Are the controls costly (e.g., internal verification of
all acquisitions)? Should all controls be tested (e.g., cancellation
of documents)?
