CHAPTER 10 UNDERSTANDING INTERNAL CONTROL

Learning Check
10-1. a. The Foreign Corrupt Practices Act of 1977 is administered by the Securities and !change Commission. The Act pertains to management and directors of companies sub"ect to the reporting re#uirements of the Securities !change Act of 19$%. The antibribery and accounting standards pro&isions of the Act re#uire the maintenance of a satisfactory system of interna' contro'. The )ationa' Commission on Fraudu'ent Financia' *eporting reemphasi+ed the importance of interna' contro' and recommended the fo''o,ing .f o&erriding importance in pre&enting fraudu'ent financia' reporting is the /tone set by top management/ that inf'uences the corporate en&ironment ,ithin ,hich financia' reporting occurs. A'' pub'ic companies shou'd maintain interna' contro's that ,i'' pro&ide reasonab'e assurance that fraudu'ent financia' reporting ,i'' be pre&ented or sub"ect to ear'y detection. The organi+ations sponsoring the Commission 0inc'uding the Auditing Standards 1oard 2AS134 shou'd cooperate in de&e'oping additiona' guidance on interna' contro' systems. C.S. is an acronym for Committee of Sponsoring .rgani+ations5 a body comprised of representati&es from the A6CPA5 the American Accounting Association5 The 6nstitute of 6nterna' Auditors5 the 6nstitute of 7anagement Accountants5 and the Financia' !ecuti&es 6nstitute. The t,o principa' purposes of its efforts ,ere to stab'ish a common definition of interna' contro' ser&ing the needs of different parties. Pro&ide a standard against ,hich business and other entities can assess their contro' systems and determine ho, to impro&e them. C.S. undertoo8 these efforts as a response to the Tread,ay Commission9s recommendation that the organi+ations represented on C.S. shou'd cooperate in de&e'oping additiona' guidance on interna' contro' system. The C.S. report defines interna' contro' as a process5 effected by an entity9s board of directors5 management5 and other personne'5 designed to pro&ide

b. 10-(. a.

b.

10-$.

a.

reasonab'e assurance regarding the achie&ement of ob"ecti&es in the fo''o,ing categories *e'iabi'ity of financia' reporting. Comp'iance ,ith app'icab'e 'a,s and regu'ations. ffecti&eness and efficiency of operations. b. The C.S. report identifies fi&e interre'ated components of interna' contro' ,hich are1. The contro' en&ironment. (. *is8 assessment. $. Contro' acti&ities. %. 6nformation and communication. :. 7onitoring. .f primary re'e&ance in a financia' statement audit are an entity9s contro's that pertain to the re'iabi'ity of financia' information5 particu'ar'y those that are intended to pro&ide reasonab'e assurance that financia' statements prepared by management for e!terna' users are fair'y presented in conformity ,ith genera''y accepted accounting princip'es. .ther ob"ecti&es and re'ated contro's may a'so be re'e&ant if they pertain to data the auditor uses in app'ying audit procedures such as 014 nonfinancia' data used in ana'ytica' procedures and 0(4 certain financia' data de&e'oped primari'y by management for interna' purposes such as budgets and performance data.

c.

10-%. 6nherent 'imitations in any entity9s system of interna' contro' inc'ude 7ista8es in "udgment may be made by management and other personne' in ma8ing business decisions or in performing routine duties because of inade#uate information5 time constraints5 or other pressures. 1rea8do,ns in contro's may occur because e!perienced5 temporary5 or ne, personne' may misunderstand instructions or ma8e errors due to care'essness5 distractions5 or fatigue. Co''usion5 ,hich is indi&idua's acting together5 may enab'e the concea'ment of an irregu'arity so as to pre&ent its detection by the system of interna' contro'. 7anagement o&erride of prescribed po'icies or procedures inc'udes ma8ing de'iberate misrepresentations to auditors and others such as by issuing fa'se documents to support the recording of fictitious transactions. Costs &ersus benefits ,hich mitigates against the adoption of contro's5 the benefits of ,hich5 in management9s "udgment5 do not out,eigh the costs. 10-:. Se&era' 8ey responsib'e parties and their ro'es are as fo''o,s 7anagement ,hich has the responsibi'ity to estab'ish and maintain an effecti&e system of interna' contro'. 1oard of directors and audit committee ,hich5 as part of their genera' go&ernance and o&ersight responsibi'ities5 shou'd determine that management meets its responsibi'ities for estab'ishing and maintaining the system of interna' contro'.

6nterna' auditors ,ho shou'd periodica''y e!amine and e&a'uate the ade#uacy of an entity9s system of interna' contro' and ma8e recommendations for impro&ements. .ther entity personne'5 ,hich inc'udes a'' other personne' ,ho pro&ide information to5 or use information pro&ided by5 the system of interna' contro'5 ha&e a responsibi'ity to communicate to a higher 'e&e' in the organi+ation any instances of noncomp'iance or i''ega' acts of ,hich they become a,are. 6ndependent auditors ,ho ha&e a responsibi'ity to report to management and the board of directors certain conditions or ,ea8nesses in interna' contro's found in an audit. .ther e!terna' parties such as 'egis'ators and regu'ators ,ho may estab'ish minimum statutory and regu'atory re#uirements for the estab'ishment of interna' contro's by certain entities. The fi&e C.S. interre'ated components of interna' contro' ,hich are Contro' en&ironment. *is8 assessment. Contro' acti&ities. 6nformation and communication. 7onitoring. 6n addition5 the boo8 adds a si!th component that is based on PCA.1 Audit Standard )o. (. Anti-Fraud Programs and Contro'. This is sufficient'y important that it deser&es separate attention and it inf'uences the other fi&e C.S. components. The auditor focuses on the aspects of each component and re'ated contro's that are designed to pre&ent or detect materia' misstatements in the financia' statements. The factors that comprise the contro' en&ironment are 6ntegrity and ethica' &a'ues. Commitment to competence. 1oard of directors and audit committee. 7anagement9s phi'osophy and operating sty'e. .rgani+ationa' structure. Assigning of authority and responsibi'ity. <uman resource po'icies and practices. Four things the C . and other member of top management can do to emphasi+e the importance of integrity and ethica' &a'ues among a'' personne' are 014 set the tone by e!amp'e5 0(4 communicate to a'' emp'oyees that the same is e!pected of them5 0$4 pro&ide mora' guidance to emp'oyees ,ho may be ignorant regarding ,hat is right and ,rong5 and 0%4 reduce or e'iminate incenti&es and temptations that might 'ead indi&idua's to engage in dishonest5 i''ega'5 or unethica' acts. 6mportant 6T aspects of the contro' en&ironment inc'ude-

10-;. a.

b. 10-7. a.

b.

c.

6n&o'&ement of management in setting po'icies for de&e'oping5 modifying and using computer programs and data. Form of organi+ation structure of data processing. 7ethods of assigning authority and responsibi'ity o&er computer systems documentation5 inc'uding procedures for authori+ing transactions and appro&ing systems changes.

10-=.

a.

7anagement9s ris8 assessment for financia' reporting purposes is simi'ar to the e!terna' auditor9s concern ,ith inherent ris8s5 i.e.5 the ris8 that financia' statement assertions ,i'' be misstated. <o,e&er5 management9s purpose is to manage identified ris8s5 and then design contro's to pre&ent5 or detect and correct5 misstatements. 0Author>s note- 7anagements of pri&ate companies may consider cost ? benefit considerations ,hen designing interna' contro' o&er financia' reporting and may ma8e the decision that the cost of contro's is more than the benefits that ,ou'd be obtained. <o,e&er5 PCA.1 Auditing Standard )o. (says that cost ? benefit considerations are not a reason to ha&e ade#uate interna' contro's re'e&ant to a materia' assertion in the financia' statements.4 The auditor9s purpose is to e&a'uate the 'i8e'ihood that materia' misstatements e!ist in the financia' statements in order to p'an the audit. 6mportant 6T aspects of ris8 assessment inc'ude the assessment of ris8s Transaction trai's may be a&ai'ab'e for on'y a short period of time. *educed documentary e&idence of performance of contro's. Fi'es and records usua''y cannot be read ,ithout a computer. @ecreased human in&o'&ement in computer processing can obscure errors that might be obser&ed in manua' systems. 6T system &u'nerabi'ity to physica' disaster5 unauthori+ed manipu'ation5 and mechanica' ma'function. 6T systems may reduce traditiona' segregation of duties. Changes in systems are more difficu't to imp'ement and contro'. The accounting system consists of the methods and records estab'ished to identify5 assemb'e5 ana'y+e5 c'assify5 record5 and report entity transactions and maintain accountabi'ity for the re'ated assets and 'iabi'ities.
b. Attributes of an effective accounting system 6dentifies and records only the valid transactions of the entity that occurred in the current period 6dentifies and records all valid transactions of the entity that occurred in the current period nsures that recorded assets and 'iabi'ities are the resu't of transactions that produced entity rights to5 or ob'igations for5 c. Related category of financial statement assertions !istence or occurrence Comp'eteness *ights and ob'igations

b.

10-9.

a.

those items 7easures the &a'ue of transactions in a manner that permits recording their proper monetary &a'ue in the financia' statements Captures sufficient detai' of a'' transactions to permit their proper presentation in the financia' statements5 inc'uding proper c'assification and re#uired disc'osures Aa'uation or a''ocation

Presentation and disc'osure

d.

Bey 6T aspects of the information and communication system inc'ude Transaction may be initiated by computer Audit trai's may be in e'ectronic form <o, data is con&erted from source documents to machine-sensib'e form <o, computer fi'es are accessed and updated Computer processing in&o'&ement from initiation for transaction to inc'usion in financia' statements. Computer in&o'&ement in reporting process used to prepare financia' statements. The ob"ecti&e of segregation of duties is to ensure that indi&idua's do not perform incompatib'e duties 0i.e.5 an indi&idua' shou'd not be ab'e to commit an error or irregu'arity and then be in a position to concea' it in the norma' course of his or her duties4. There are t,o fundamenta' concepts associated ,ith segregation of duties. First5 responsibi'ity for authori+ing a transaction5 e!ecuting a transaction5 recording a transaction5 and maintaining custody of assets resu'ting from the transactions shou'd be assigned to different indi&idua's or departments. Second5 there shou'd be proper segregation of duties ,ithin the 6T department and bet,een 6T and user departments. Se&era' functions ,ithin 6T- systems de&e'opment5 operations5 data contro's and securities administration shou'd be segregated. 6n addition5 6T shou'd not correct data submitted by user departments5 and shou'd be organi+ationa''y independent from user departments. The purpose of genera' contro's is to contro' program de&e'opment5 program changes5 computer operations5 and to secure access to programs and data. 1ecause of the per&asi&e character of genera' contro's5 if the auditor is ab'e to obtain e&idence that genera' contro's function effecti&e'y5 then the auditor a'so has important assurance that indi&idua' app'ications may be proper'y designed and operate consistent'y during the period under audit. ffecti&e genera' contro's a''o, the auditor to conc'ude that computer app'ications are 'i8e'y to operate effecti&e'y during periods ,hen they are not direct'y tested. A'ternati&e'y5 deficiencies in genera' contro's may affect many app'ications and may pre&ent the

10-10.

a.

b.

c.

10-11. a. b.

auditor from assessing contro' ris8 be'o, the ma!imum for many app'ications and transaction cyc'es. 10-1(. a. The fo''o,ing bu''ets identify the three categories of app'ication contro's and e!p'ain the purpose of each. 6nput contro's are designed to pro&ide reasonab'e assurance that data recei&ed for processing ha&e been proper'y authori+ed and con&erted into machinesensib'e form. 6nput contro's a'so inc'ude manua' contro' performed by the peop'e ,ho fo''o,-up on the re"ection5 correction5 and resubmission of data that ,ere initia''y incorrect. Processing contro's are designed to pro&ide reasonab'e assurance that the computer processing has been performed as intended for the particu'ar app'ication. Thus5 processing contro's shou'd prec'ude data from being 'ost5 added5 dup'icated or a'tered during processing. .utput contro's are designed to ensure that the processing resu'ts are correct5 inc'uding both updated machine-sensib'e fi'es and printed output5 and that on'y authori+ed personne' recei&e the output. The categories of contro's pertaining to the con&ersion of data are 014 &erification contro's5 0(4 computer editing5 and 0$4 contro' tota's.

b.

10-1$. 7ost companies estab'ish good contro's o&er data going into databases. <o,e&er5 ,hen it comes time to prepare financia' statements a structured #uery 'anguage 0SCD4 is used to access the database and do,n'oad information into a spreadsheet. Spreadsheets may be used to de&e'op information for footnotes or they may be used to de&e'op conso'idated financia' statements. <o,e&er5 once the data is in a spreadsheet5 it may be sub"ect to 'itt'e or no contro's. @ata in spreadsheets can be easi'y accessed and manipu'ated ,ithout 'ea&ing an audit trai'. 6f a macro is ,ritten incorrect'y it might inad&ertent'y omit information from particu'ar genera' 'edger account5 or other,ise 'ose critica' financia' statement information. This creates a ris8 that data the is ,e'' contro''ed going into databases5 is sub"ect to a ne, ris8 of materia' misstatement as spreadsheets are used in the financia' reporting process. As part of a sound system of interna' contro' companies shou'd 'imit access to spreadsheets. Furthermore5 good contro's inc'ude testing the comp'eteness of accuracy of inputs5 and contro''ing the accuracy of output 0e.g.5 testing spreadsheets ,ith test data4. Some companies perform an independent5 manua' chec8 on the 'ogic of each spreadsheet and the data that is summari+ed ,ith spreadsheets. Companies shou'd a'so maintain an in&entory of spreadsheets used in the financia' reporting process and 8eep c'ear documentation of the function accomp'ished by each spreadsheet. 10-1%. a. 6ndependent chec8s operate at the transaction 'e&e'. 6n an 6T en&ironment5 app'ication contro's e!ecute chec8s of indi&idua' transactions to &erify 014 ,or8 pre&ious'y performed by other indi&idua's or departments or 0(4 the proper &a'uation of recorded amounts.

Performance re&ie,s represent the re&ie, of financia' information by management. For e!amp'e performance re&ie,s inc'ude management>s re&ie, of reports that summari+e the detai' of account ba'ances 0e.g.5 reports of cash disbursements by department45 reports of actua' performance &ersus budgets5 forecasts5 or prior period amounts or reports comparing nonfinancia' operating data and financia' data 0for e!amp'e5 comparison of hote' occupancy statistics ,ith re&enue data4. 7onitoring is fundamenta''y different from the contro' acti&ities discussed abo&e. 7onitoring is the processes of assessing the #ua'ity of the entire system of interna' contro'. 6t in&o'&es management>s acti&ities in ma8ing an ongoing assessment of the effecti&eness of the design and operation of interna' contro'. b. .ften management is in&o'&ed in both e!ecuting transactions and re&ie,ing the financia' resu'ts that sho, the processing of those transactions. !amp'es of effecti&e performance re&ie,s inc'ude The re&ie, of cash disbursement charged to a department by a department manager5 ,hich is 'i8e'y to be effecti&e in identifying comp'eteness5 &a'uation or c'assification prob'ems. The re&ie, of a report of sa'es transactions ,hich may identify comp'eteness or &a'uation prob'ems. The monitoring function shou'd in&o'&e the audit committee of the board of directors 0or other e#ui&a'ent authority45 senior management5 and interna' auditing 0if the function e!ists4. Eith respect to 6T ris8s5 management and the audit committee shou'd be conscious of 6T ris8s associated ,ith 6T aspects of the contro' en&ironment5 the information and communication system5 and contro' acti&ities. Accounting officers shou'd be conscious of5 and monitor5 the same on an ongoing basis. Further5 the audit committee might charge interna' audit ,ith responsibi'ity for periodic re&ie,s of 6T ris8s and contro's. Fina''y5 independent monitoring may occur ,hen comments F comp'aints are recei&ed from customers5 emp'oyees5 and &endors. For e!amp'e5 prob'ems ,ith interna' contro' may come to management>s attention through comp'aints recei&ed from customers about bi''ing errors or from supp'iers about payment prob'ems. Fina''y5 a'ert managers may recei&e reports ,ith information that differs significant'y from their firsthand 8no,'edge of operations. The a''o,ance for doubtfu' accounts shou'd be contro''ed the same ,ay that other accounting estimates are contro''ed. First5 the accounting estimate must be based on re'iab'e information. The company must de&e'op a re'iab'e system of aging indi&idua' in&oices that are outstanding. Second5 the decision about the a''o,ance shou'd not rest ,ith one or a fe, indi&idua's. 6dea''y5 indi&idua's responsib'e for appro&ing credit5 appro&ing charge-offs5 operating managers responsib'e for sa'es5 and accounting personne' shou'd a'' be in&o'&ed in the re&ie, of the a''o,ance. Fina''y5 some 'e&e' of o&ersight by the audit committee is appropriate.

c.

10-1:. a.

b.

.&ersight of nonroutine transactions often rests ,ith a disc'osure committee. This committee is often made up of indi&idua's ,ith strong accounting bac8grounds 0e.g.5 interna' auditors45 others ,ith strong operationa' bac8ground ,ho are fami'iar ,ith the transactions5 and 'eadership from the audit committee. The committee ,ou'd ma8e in#uiries about nonroutine transactions and re&ie, accounting for nonroutine transactions. The se'ection of and app'ication of ne, accounting princip'es often rests ,ith the disc'osure committee as ,e''. Again5 it is important for the committee to be made up of indi&idua's ,ith strong accounting bac8grounds that ha&e some independence from the contro''er and CF. 0e.g.5 interna' auditors45 others ,ith strong operationa' bac8ground ,ho are fami'iar ,ith the transactions5 and 'eadership from the audit committee. The committee ,ou'd be responsib'e for re&ie,ing decisions about the se'ection and app'ication of ne, accounting po'icies.

c.

10-1;. Antifraud programs and contro's ,ou'd norma''y inc'ude the fo''o,ingContro' n&ironment Code of conduct F ethica' company cu'ture thics hot'ine Audit committee o&ersight <iring5 compensation5 promotion and retention Fraud *is8 Assessment Systematic assessment of fraud ris8s &a'uation of 'i8e'ihood and magnitude of potentia' misstatement 6nformation and Communication Ade#uacy of the audit trai' Antifraud training Contro' Acti&ities Ade#uate segregation of duties Din8ing contro's to fraud ris8s 7onitoring @e&e'oping an effecti&e o&ersight process GAfter the factH e&a'uations by interna' audit 10-17. a. 6n a pri&ate company audit the auditor needs a sufficient understanding of interna' contro' to p'an the audit. This means that the auditor shou'd ha&e sufficient 8no,'edge to 6dentify the types of potentia' misstatement that may occur.

 b.

Inderstand the factors that affect the ris8 of materia' misstatement @esign the nature5 timing5 and e!tent of further audit procedures

6n addition to the items discussed in 0a4 abo&e5 the auditor of a pub'ic company shou'd a'so ha&e a sufficient understanding to p'an and perform an audit to obtain reasonab'e assurance that interna' contro's o&er financia' reporting are operating effecti&e'y. T,o matters that shou'd be co&ered in obtaining an understanding of interna' contro's are The design of po'icies and procedures pertaining to each component of interna' contro'. Ehether the po'icies and procedures ha&e been p'aced in operation. Bno,'edge of interna' contro' components shou'd be used by the auditor to 6dentify types of potentia' misstatements. Consider factors that affect the ris8 of materia' misstatements. @esign substanti&e tests to pro&ide reasonab'e assurance of detecting the misstatements re'ated to specific assertions. An understanding of the system of interna' contro's is needed regard'ess of ,hich strategy is chosen. 1ut norma''y the 'e&e' of understanding of the components that is needed under the 'o,er assessed 'e&e' of contro' ris8 approach is greater than that re#uired under the primari'y substanti&e approach. This is particu'ar'y true for the contro' acti&ities component. .ther factors besides the pre'iminary audit strategy that affect the auditor9s "udgment about the 'e&e' of understanding re#uired inc'ude Bno,'edge of the c'ient from pre&ious audits. Pre'iminary assessments of inherent ris8 and materia'ity. An understanding of the industry in ,hich the entity operates. The comp'e!ity and sophistication of the entity9s operations and accounting system. The auditor shou'd obtain sufficient 8no,'edge of the contro' en&ironment component to understand 014 the attitude5 a,areness5 and actions of management and the board of directors concerning the contro' en&ironment and 0(4 the per&asi&e and specific effects these factors may ha&e on the effecti&eness of the other interna' contro' components. The auditor shou'd obtain sufficient 8no,'edge of the information system re'e&ant to financia' reporting to understand The c'asses of transactions in the entity9s operations that are significant to the financia' statements. <o, those transactions are initiated.

10-1=.

a.

b.

10-19.

a.

b.

10-(0.

a.

b.

 10-(1. a.

The accounting records5 supporting documents5 and specific accounts in the financia' statements in&o'&ed in the processing and reporting of transactions. The accounting processing in&o'&ed from the initiation of a transaction to its inc'usion in the financia' statements5 inc'uding ho, the computer is used to process data. The financia' reporting process used to prepare the entity9s financia' statements5 inc'uding significant accounting estimates and disc'osures.

An understanding of the system of interna' contro' is norma''y obtained by the fo''o,ing procedures *e&ie,ing pre&ious e!perience ,ith the c'ient. 6n#uiring of appropriate management and super&isory and staff personne'. 6nspecting documents and records. .bser&ing entity acti&ities and operations. A transaction ,a'8-through A transaction ,a'8-through re&ie, occurs ,hen one or a fe, transactions ,ithin a ma"or c'ass of transactions is traced through the transaction trai' and the re'ated interna' contro's are identified and obser&ed.

b.

10-((. Ehen p'anning an audit of the financia' statements of a pri&ate company the auditor needs to ha&e sufficient 8no,'edge of the system of interna' contro' to p'an the audit. The auditor may not p'an on testing the operating effecti&eness of interna' contro's for many assertions. Eith respect to a pub'ic company ,here the auditor is testing the effecti&eness of interna' contro's o&er financia' reporting for e&ery financia' statement assertion5 the 'e&e' of understanding is much more comprehensi&e5 particu'ar'y ,ith respect to contro' acti&ities. 10-($. a. b. An auditor may document the understanding of interna' contro's through comp'eted #uestionnaires5 f'o,charts5 and narrati&e memoranda. Jes5 documentation may occur concurrent'y ,ith obtaining an understanding. For e!amp'e5 the auditor may use a #uestionnaire to obtain the understanding and the comp'eted #uestionnaire pro&ides the documentation. The #uestions on an interna' contro' #uestionnaire are designed to enab'e the auditor to determine ,hether the entity has adopted interna' contro's that the auditor considers necessary to pre&ent materia' misstatements in the financia' statements. Cuestionnaires are easy to use and to comp'ete. 7oreo&er5 they significant'y reduce the possibi'ity of o&er'oo8ing important aspects in each of the components of interna' contro'.

10-(%.

a.

b.

10-(:. a.

)arrati&e memoranda may supp'ement other forms of documentation by summari+ing the auditor9s o&era'' understanding of interna' contro's5 indi&idua' components of interna' contro's5 or specific contro's. 6n sma'' audits5 a narrati&e memorandum may ser&e as the on'y documentation of the auditor9s understanding of interna' contro's. A narrati&e may be sufficient to e!p'ain the auditor>s understanding of ho, transactions are processed and the contro's that might be present in the system. 6n a sma'' audit5 the documentation may actua''y be series of narrati&es that address the contro' en&ironment5 ris8 assessment5 monitoring5 and the documentation of information and communication system and contro' acti&ities might be documented separate'y for each ma"or transaction cyc'e. A f'o,chart is a schematic diagram using standardi+ed symbo's5 interconnecting f'o, 'ines5 and annotations that graphica''y portray the steps in&o'&ed in processing information through the accounting system. A f'o,chart pertaining to a specific c'ass of transactions shou'd sho, A'' significant operations performed in processing the c'ass of transactions. The methods of processing 0manua' or computeri+ed4. The e!tent of segregation of duties by identifying each operation ,ith a functiona' area5 department5 or indi&idua'. The source5 f'o,5 and distribution of re'e&ant copies of the documents5 records5 and reports in&o'&ed in processing. 7anagement of a pub'ic company is responsib'e for documenting interna' contro's o&er financia' reporting. That documentation shou'd inc'ude The design of contro's o&er a'' re'e&ant assertions re'ated to a'' significant accounts and disc'osures in the financia' statements. The documentation shou'd inc'ude the fi&e components of interna' contro' o&er financia' reporting and company-'e&e' contro's such aso Contro's ,ithin the contro' en&ironment. o 7anagement>s ris8 assessment process. o Centra'i+ed process and contro's5 inc'uding shared ser&ice en&ironments. o Contro's to monitor the resu'ts of operations. o Contro's to monitor other contro's5 inc'uding acti&ities of the interna' audit function5 the audit committee5 and se'f-assessment programs. o The period-end financia' reporting process. o 1oard-appro&ed po'icies that address significant business contro' and ris8 management practices. 6nformation about ho, significant transactions are initiated5 authori+ed5 recorded5 processed and reported. Sufficient information about the f'o, of transactions to identify the point at ,hich materia' misstatements due to error or fraud cou'd occur.

b.

10-(;. a.

b.

10-(7. a.

 b.

Contro's designed to pre&ent or detect fraud5 inc'uding ,ho performs contro's and the re'ated segregation of duties. Contro's o&er the period-end financia' reporting process. Contro's o&er safeguarding of assets. The resu'ts of management>s testing and e&a'uation.

6nade#uate documentation by the pub'ic company c'ient cou'd cause the independent auditor to conc'ude that there is a 'imitation on the scope of the engagement. a. The principa' hard,are component is the centra' processing unit 0CPI4 ,hich consists of a contro' unit5 an interna' storage unit5 and an arithmetic-'ogic unit. Periphera' hard,are components are input de&ices5 output de&ices5 and au!i'iary storage de&ices. a. Computer soft,are consists of the programs and routines that faci'itate the programming and operation of a computer. Systems programs perform genera'i+ed functions for one or more app'ication programs. 6n contrast5 app'ication programs contain instructions that enab'e the user to perform data processing tas8s appropriate for specific app'ications5 such as payro''s and in&entory. Inder the traditiona' fi'e method5 separate fi'es of data are created for each processing app'ication. The fi'es are organi+ed into master fi'es and transaction fi'es. The database method stores a'' data in one centra' fi'e 0the database4 and a''o,s each user to access the portion of the database that is needed. 6n se#uentia' fi'e processing5 fi'es are arranged se#uentia''y and transaction data are se#uenced before processing. Inder se#uentia' processing5 the entire fi'e must be read by the computer each time a transaction is processed. 6n direct access processing5 fi'e data are not maintained in any particu'ar order. Inder this type of processing5 the transaction fi'e is not sorted before processing. 7oreo&er5 it is not necessary to read the entire master fi'e in updating. The essentia' characteristics of the t,o methods of @P processing are .n-'ine entryFbatch processing in ,hich indi&idua' transactions are entered direct'y into the computer &ia a termina' as they occur. A machine-readab'e &a'idated transaction fi'e is accumu'ated as the transactions are entered and this fi'e is subse#uent'y processed to update the master fi'e. .n-'ine entryFon-'ine processing in ,hich data are entered direct'y &ia a termina' as described abo&e. 6t differs from on-'ine entryFbatch processing in that 0a4 master fi'es are updated concurrent'y ,ith data entry and 0b4 a transaction 'og is produced that pro&ides a chrono'ogica' record of a'' transactions.

10A-1. b. 10A-(. b.

10A-$. a.

b.

10A-%. a.

b.

An ad&antage and a disad&antage for each method are .n-'ine entryFbatch processing. An ad&antage is that input data are sub"ected to immediate &a'idation at the time of entry. A disad&antage is that the master fi'e cannot be updated unti' the batch data are accumu'ated. .n-'ine entryFon-'ine processing. The ad&antage is that input data are sub"ected to immediate &a'idation at the time of entry. The disad&antages are 014 the ris8 of errors in the master fi'e from concurrent updating and 0(4 the possib'e 'oss of part or a'' of the master fi'es in case of hard,are fai'ure.

10A-:.

a.

The ma"or benefits of 6T systems o&er manua' systems inc'ude 6T systems can pro&ide greater consistency in processing than manua' systems because they uniform'y sub"ect a'' transactions to the same contro's. 7ore time'y computer generated accounting reports may pro&ide management ,ith more effecti&e means of ana'y+ing5 super&ising and re&ie,ing the operations of the company. 6mportant ris8s of 6T systems o&er manua' systems inc'ude The 6T system may produce a transaction trai' that is a&ai'ab'e for audit for on'y a short period of time. There is often 'ess documentary e&idence of the performance of contro' procedures in computer systems. Fi'es and records in 6T systems are usua''y in machine-sensib'e form and cannot be read ,ithout a computer. The decrease of human in&o'&ement in computer processing can obscure errors that might be obser&ed in manua' systems. 6T systems may be more &u'nerab'e to physica' disaster5 unauthori+ed manipu'ation5 and mechanica' ma'function than information in manua' systems. Aarious functions may be concentrated in 6T systems5 ,ith a corresponding reduction in the traditiona' segregation of duties fo''o,ed in manua' systems. Changes in the system are often more difficu't to imp'ement and contro' in 6T systems than in manua' systems.

b.

10A-;.

a.

The fo''o,ing diagram depicts ho, important interna' contro's function in computer systems.
6nput

Computer genera' contro' procedures

Computer processing and programmed app'ication contro' procedures

!ception reports

.utput of processed transactions and reports Iser contro's o&er assertions

7anua' fo''o,-up

b.

The fo''o,ing discussion pro&ides an e!amp'e of each of the bo!es out'ined in the diagram abo&e in the conte!t of processing payro'' transactions. Input. 6nput to the accounting system represents5 for e!amp'e5 timecards ,ith information about the number of hours ,or8ed and a 'ist from a payro'' master fi'e of emp'oyees that are authori+ed to ,or8 for the entity. Computer processing and programmed application control procedures. This represents the computer processing of payro''5 inc'uding both programmed chec8s that emp'oyees ,ho ,or8ed ,ere authori+ed5 that hours ,or8ed and amounts paid ,ere reasonab'e5 and the actua' processing of payro'' ,ithho'dings and the ,riting of payro'' chec8s. Computer general control procedures. This set of contro' acti&ities estab'ishes contro' of the payro'' program and access to payro'' master fi'es and data. The goa' of genera' contro's is to contro' the computer en&ironment5 not specific transactions such as payro'' transactions. <o,e&er5 e&idence that computer genera' contro' procedures are effecti&e ,i'' gi&e the auditor some assurance that the payro'' programs and computer contro's are a'so effecti&e'y designed and that they operate effecti&e'y. Exception reports. 6f app'ication contro's find e!ceptions they report them either on screen on through printed e!ception reports. For e!amp'e5 if a time card is submitted that does not match the emp'oyee master fi'e5 it shou'd be re"ected and reported on an e!ception report. 6f a paychec8 ca'cu'ates to an amount more than might be considered reasonab'e by a 'imit test it ,ou'd a'so be re"ected and reported on an e!ception report. Manual follow-up. !ception reports shou'd be distributed to indi&idua's ,ho ,ere not responsib'e for authori+ing transactions or ,ho do not ha&e custody of assets. They shou'd be responsib'e for fo''o,ing-up on items reported on e!ception reports and initiating appropriate correcti&e action. Output of processed transactions and reports. The output of the accounting and system ,i'' be5 in this case5 processed payro'' chec8s5 a payro'' "ourna'5 and other reports5 such as 'abor distribution reports. User controls over assertions. Company may estab'ish manua' contro' o&er computer output. Performance re&ie,s are one e!amp'e5 ,here management re&ie,s a summary of transactions charged to their responsibi'ity center. 6n this ,ay they might identify charges for fictitious emp'oyees5 or errors in

ca'cu'ating payro''. The auditor may choose to test these manua' contro's direct'y ,ithout ha&ing to test computer genera' or app'ication contro's. 10A-7. a. Computer app'ication contro's are programmed contro' procedures designed to contro' the transactions. Their purpose is to contro' the comp'eteness and accuracy of accounting processing of indi&idua' transactions in transaction cyc'es such as sa'es and co''ections transactions or payro'' transactions. Computer genera' contro's are designed to contro' computer app'ications. Their purpose is to contro' program de&e'opment5 program changes5 computer operations5 and to secure access to programs and data.

b.

101-1. a. b. c.

6nformation processing contro's address ris8s re'ated to the authori+ation5 comp'eteness5 and accuracy of transactions. T,o subcategories of information processing contro's re'ated to the computer system are 014 genera' contro's and 0(4 app'ication contro's. Fi&e types of genera' contro's are .rgani+ation and operation contro's. Systems de&e'opment and documentation contro's. <ard,are and system soft,are contro's Access contro's @ata and procedura' contro's A'' genera' contro's ,or8 together to contro' program de&e'opment5 program changes5 computer operations5 and to secure access to programs and data. Kenera' contro's pertain to the 6T en&ironment and a'' 6T acti&ities5 rather than to a sing'e 6T app'ication. Thus5 genera' contro's are per&asi&e in their effect on app'ication contro's and on transaction cyc'es. @ocumentation contro's in an 6T department pertain to the documents and records maintained by a company to describe computer processing acti&ities. @ocumentation enab'es management and the auditor by pro&iding the primary source of information about the f'o, of transactions through the system and re'ated accounting contro's. 6t a'so assists in re&ie,ing the system5 training ne, personne'5 and maintaining and re&ising e!isting systems and programs. 6T documentation shou'd inc'ude @escriptions and f'o,charts of the systems and programs. .perating instructions for computer operators. Contro' procedures to be fo''o,ed by operators and users. @escriptions and samp'es of re#uired inputs and outputs.

101-(. a. b.

c.

101-$. a.

The purpose of access contro's is to pre&ent unauthori+ed use of 6T e#uipment5 data fi'es5 and computer programs. Access contro's accomp'ish this purpose through physica' access contro's 0e.g.5 housing computer e#uipment in a secured area ,ith restricted access45 'ogica' access contro's or soft,are contro's 0e.g.5 programs that re#uire pass,ords to be ab'e to process transactions that modify data fi'es or program fi'es45 and procedura' safeguards 0e.g.5 management re&ie, of computer uti'i+ation reports4. To pro&ide the necessary contro' ,ith on-'ine data entry5 each user of a remote input de&ice is gi&en a 8ey5 code5 card or biometric contro' 0&oice print5 iris scan5 finger print4 that identifies the ho'der as an authori+ed user. .ther access contro's are 014 computer ca''-bac8 procedures ,hen the te'ephone is used to dia' the computer5 and 0(4 pass,ords that are chec8ed by the computer before a person can enter a transaction. @ata and procedura' contro's pro&ide a frame,or8 for contro''ing dai'y computer operations5 minimi+ing the 'i8e'ihood of processing errors5 and assuring the continuity of operations in the e&ent of a physica' disaster or computer fai'ure. The acti&ities of inc'uded in a data contro' function usua''y inc'ude recei&ing and screening a'' data to be processed5 accounting for a'' input data5 fo''o,ing-up on processing errors5 and &erifying the proper distribution of output.

b.

101-%. a.

b.