Chapter 07

Moroney, Campbell, Hamilton, Warren Auditing: A Practical Approach, Third Canadian Edition
Solutions Manual
to accompany
Auditing: A Practical
Approach
Third Canadian Edition
by
Robyn Moroney
Fiona Campbell
Jane Hamilton
Valerie Warren
CHAPTER 7
Understanding and Testing the Client`s System of Internal Controls
John Wiley & Sons Canada, Ltd.

2018
Solutions Manual Chapter 7: Understanding and Testing the Client’s System of Internal Controls 7-
Chapter 7
Understanding and Testing the Client`s System of
Internal Controls
SOLUTIONS TO REVIEW QUESTIONS
REVIEW QUESTION 7.1

Internal control is defined as the process designed, implemented, and maintained by
those charged with governance, management, and other personnel to provide
reasonable assurance about the achievement of the entity’s objectives with regard to
reliability of financial reporting, effectiveness and efficiency of operations, and
compliance with applicable laws and regulations.
CAS 315 Identifying and Assessing the Risks of Material Misstatement Through
Understanding the Entity and Its Environment requires the auditor to obtain an
understanding of internal control on all audit engagements. Therefore, even if the auditor
intends to take an entirely substantive approach to the audit and not rely on internal
controls, the auditor must obtain an understanding of internal control. This is because
without gaining this understanding, the auditor will not fully understand the risks of
material misstatement of the financial statements. CAS 315 states that gaining an
understanding of the entity and its environment, including its internal control, establishes
a frame of reference within which the auditor plans the audit and exercises professional
judgement throughout the audit.
The standard allows the auditor to use professional judgement to determine the extent of
the understanding of internal controls required in each case.
REVIEW QUESTION 7.2

The seven objectives of internal control are:
1. Real: controls are designed to prevent or detect fictitious or duplicate transactions
from being recorded in the books and records of an entity.
2. Recorded: controls are designed to prevent or detect any missing transactions
from the books and records of an entity.
3. Valued: controls are designed to ensure accuracy in the amounts recorded in
transactions.
4. Classified: controls are designed to ensure that transactions are recorded to the
correct general ledger account.
5. Summarized: controls are designed to ensure accuracy and that the books and
records are totalled correctly.
6. Posted: controls are designed to ensure that totals are correctly transferred to the
general ledger and subsidiary ledgers.
7. Timely: controls are designed to ensure transactions are recorded in the correct
accounting period.
REVIEW QUESTION 7.3

Entity-level controls are:
1. the control environment
2. the entity’s risk assessment process
3. the information system, including the related business processes, relevant to
financial reporting, and communication
4. control activities
5. monitoring of controls
Each of these controls relates to the whole organization.
Transaction-level controls are controls that impact a particular transaction or group of
transactions.
Therefore, the difference is that entity-level controls have the potential to impact all of the
processes in the organization, including those that have a direct impact on the financial
statements and others, while transaction-level controls impact only a specific group of
transactions. Transactions make up the financial statements that the auditor is auditing,
and can be impacted by both entity-level and transaction-level controls. This is why an
auditor would be interested in both types of controls.
REVIEW QUESTION 7.4

Controls have two main objectives: to prevent or detect misstatements in financial
statements, or to support the automated parts of the business in the functioning of the
controls in place.
Preventive controls are designed to stop fraud or errors from occurring. The preventive
controls are applied to each transaction with the objective that all transactions that are
entered into the client’s accounting system do not contain any errors.
Detective controls designed to detect fraud or errors that have occurred. As such, they
are applied after transactions have been processed with the objective that any
transactions that were entered into the client’s accounting system with error are detected
so it can be rectified.
Ideally, preventive controls stop all fraud and error, so that detective controls are not
necessary. However, because preventive controls do not work at 100% effectiveness,
detective controls are necessary. Preventive controls are normally expected to be less
than 100% effective because of factors such as:
• Management override of the controls
• Failure to apply the preventive controls due to staff tiredness, busy schedules of
staff, or malfunctioning hardware or software
Also, preventive controls may not leave an auditable trail when they are applied. This
means that it is not always easy to verify if the preventive control has worked. For
example, there may be a signature of the person authorizing the transaction, but it is not
clear if the transaction was carefully checked before it was authorized. Also, the
preventive control may not leave any evidence if the transaction is not processed
(because it was not correct). An effective detective control will provide additional
assurance that the transaction was checked because it shows the errors detected.
The system should not rely solely on detective controls. Preventive controls are
necessary to support the detective controls because the detective controls are unlikely to
be sensitive enough to detect all errors after they enter the records.
REVIEW QUESTION 7.5

ITGC stands for information technology general controls.
They are controls over hardware and software that an entity uses including regular
maintenance and backup and recovery procedures. Their purposes are to support the
automated aspects of controls weather they are preventative or detective. They also
provide the auditor a basis for relying on audit evidence as they have been implemented
for applications that they auditors plan to rely on.
The three types of ITGCs are:
1. Program change controls – only appropriately authorized, tested and approved
changes are made to applications, interfaces, databases and operating
systems.
2. Logical access controls – only authorized personnel have access to data and
applications and can perform only authorized tasks and functions.
3. Other ITGCs, including regular and timely back-ups of data, following up and
resolving program faults and errors in a timely manner, following up any
deviations from scheduled processing on a timely basis, and planning
upgrades to programs and applications on a timely basis.
These controls are ‘general’ because they do not relate to a specific program, or
type of transaction process. They apply generally to the IT system.
REVIEW QUESTION 7.6

The four types of tests of controls are:
1. Enquiry – this means that the auditor asks an employee of the client about how
the control is performed and/or monitored.
4. Observation – this means that the auditor observed the control being
performed.
5. Inspection of physical evidence – this means that the auditor inspects the
documents for evidence that the control was performed.
6. Re-performance – this means that the auditor re-performs the control to test its
effectiveness.
The most reliable evidence is re-performance because the auditor obtains direct
evidence on how the control works. However, this test can be very time-consuming and
would not be applied to a very large sample. Inspection of physical evidence is the next
most reliable test because the auditor gathers evidence about the performance of the
controls in detail. However, the evidence may not be conclusive. For example, finding a
signature authorizing a document does not mean that the person properly checked the
transaction before authorizing it.
Enquiry and observation are limited as evidence gathering techniques because the
employee may not tell the truth, or may perform the control more diligently if the
employee knows that they are being observed. Although the control may be performed
correctly on that occasion, the auditor does not know if the control is always performed
the same way. The auditor would supplement evidence from enquiry and observation
with the evidence gathered from the other two types of tests.
REVIEW QUESTION 7.7

The factors affecting the auditor’s decision about how much control testing to do include:
• The frequency of the control’s operation
• The level of assurance required (i.e., how much the auditor will rely on the control
to reduce substantive testing)
• The persuasiveness of the evidence gained from testing the control
• The need to be sure that the control operated throughout the period
• The existence of a combination of controls address the WCGW (what can go
wrong)
• The relative importance of the WCGW being addressed
• The likelihood that the control operated as intended (i.e., how competent are the
staff, the quality of the control environment, changes in the accounting system,
unexplained changes in related account balances, the auditor’s prior period
experience with the client).
REVIEW QUESTION 7.8

Nature refers to the type of test (enquiry, observation, inspection of physical evidence, re-
performance). The types of tests vary in the reliability of the evidence produced.
Timing refers to the date of testing (i.e., interim vs. year-end). Interim testing is common
for controls testing because it provides evidence about control risk which influences the
nature, timing, and extent of substantive testing to be conducted at or near year-end.
Further control testing is conducted during the remainder of the year to provide evidence
that the controls continue to operate effectively throughout the financial period.
Extent refers to the number of items tested (i.e., size of the sample). A larger sample
provides more reliable evidence about the strength of controls, and would be used if the
auditor wishes to gain a higher level of assurance from the controls testing.
REVIEW QUESTION 7.9

The four approaches to internal control documentation are:
1. Narratives; the advantage is that the process can be described in full, the
disadvantage is that it can take many words to describe a process in full.
2. Flowcharts; the advantage is that the standardized graphics allow a large

amount of information to be presented on a single page to represent complex
flows of transactions and the key controls. If there is common understanding of
the symbols, it is easier to review and understand. The disadvantage is that the
reader may not understand the symbols or require additional clarification.
3. Combinations of narratives and flow charts; the advantage is that complex

systems can be described using standardized symbols, with additional
narrative to explain steps that are hard to chart. The disadvantage is that both
the flowchart and narrative have to be prepared and checked for consistency.
4. Checklists and preformatted questionnaires; the advantage is that it is helpful

to inexperienced auditors because the checklist guides the process and assists
in identifying critical controls. The disadvantage is that it can inhibit an
experienced auditor and slow down the process.
The documentation assists the auditor because the process of preparing the
documentation prompts the auditor to ask detailed questions in order to gain a full
understanding. An experienced auditor would be able to identify departures from the
systems used at similar organizations and the graphical forms of documentation reveal
quickly the destination of all copies of documents.
REVIEW QUESTION 7.10

CAS 260 Communication with Those Charged with Governance requires the auditor to
communicate matters from the audit with those charged with governance, and CAS 265
Communicating Deficiencies in Internal Control to Those Charged with Governance and
Management governs communicating deficiencies in internal control to those charged
with governance and management. To satisfy the requirements in these standards, the
auditor will prepare a management letter to those charged with governance. The auditor
will also communicate on a timely basis with management of the entity, where
appropriate, the deficiencies in internal control revealed during the audit that are either
being communicated to those in governance or are not.
The auditor uses their professional expertise to inform management about deficiencies in
the internal control system which could affect the integrity of the financial statements
either in the current financial period or in the future. The feedback is provided in written
form so that there is no confusion about the fact of the report or the observations and
recommendations being made. The management of the entity is able to use the written
report as a basis for a response. Sometimes, management is able to use a letter written
at an interim stage of the audit as a basis for a response before the end of the audit.
SOLUTIONS TO PROFESSIONAL APPLICATION QUESTIONS
PROFESSIONAL APPLICATION 7.1 — Importance of internal control

a) Potential problems include:
• Problems with communication systems stop emergency reports reaching
the response teams in a timely manner
• Police or other emergency services are unable to contact Powersys during
an emergency because they do not have the required contact information or
staff at Powersys are not rostered on to respond to emergencies
• Trained staff are not available to respond to emergencies through
mismanagement of leave or failure to recruit and train staff
• Storms, fires or other emergencies are more extensive than anticipated and
not enough staff and equipment are available to respond
• Equipment, such as vehicles, diggers and cherry pickers, are not
operational due to lack of suitable maintenance
• Not sufficient supplies of specialized tools and parts are held in stores
• The large warehouse is not accessible in an emergency because the key
holder is away sick or on holidays
• Too many staff are rostered onto normal maintenance and not enough
available for emergency response in a particular geographic location
• Changes are made to the electricity distribution system so that different
parts are required for maintenance and these new parts are not ordered in
time
b) Suggested internal controls include:

• Responsibility for maintaining communication systems with emergency
services assigned to senior staff member at Powersys who has information
about staff rosters
• HR department is made aware of staffing requirements for emergency
response and reports to senior management on achievement of staff targets
• HR department oversees policies and procedures for staff training to ensure
that sufficient staff within the organization have the required skills and
qualifications
• Scientific modelling of emergency situations, taking into account population
growth and climatic conditions
• Schedule of maintenance for equipment coordinated with senior staff
responsible for emergency response
• Stores report on holdings of various parts, with integration with new
equipment purchases
• Stores maintain security systems and assign responsibility for staff member
to coordinate with emergency response teams
• Staff schedules and rosters approved by senior management with
consideration of balance between maintenance and emergency response
PROFESSIONAL APPLICATION 7.2 — Objectives of internal control

a) Transactions would include:
• Cash receipts from customers for services
• Reimbursement from health insurance companies for counselling and
massage services
• Credit purchases of supplies, such as oils, hair products
• Electronic funds transfers to pay wages
• Cheque payments for rent, electricity, furniture purchases, insurances, tax
remittances, advertising
• Depreciation for furniture and equipment
b) Potential problems in transactions if control system does not meet

objectives include:
• Incorrect pricing used for customer services; services provided but not
charged to customers or recorded in the accounts; duplicate receipts
recorded
• Not all cash receipts are deposited in a timely manner
• Failure to claim reimbursements from health insurance companies on behalf
of clients, or claims for the wrong services
• Ordering wrong supplies or sufficient supplies to meet demand
• Failure to keep supplies safely locked away, as required
• Failure to record purchase of supplies; payment for supplies not received;
incorrect cost of supplies recorded
• Branch manager approves salary payments for hours not worked by staff, at
wrong rates, or for staff that do not work for the business
• Failure to control costs such as electricity, through inefficient use of
equipment
• Equipment and furniture not accounted for, not kept secure at the premises,
charging depreciation on furniture and equipment no longer used by the
business; failure to record depreciation because equipment not recorded as
asset
• Repairs to furniture and equipment recorded as new purchases of assets;
new purchases recorded as repairs
PROFESSIONAL APPLICATION 7.3 — Control objectives

1. A customer’s order was shipped without credit approval
• The internal control objective of valuation is violated. By shipping an order without
a credit check there is a greater likelihood that the customer account may not be
collected in the future leading to an accounts receivable overstatement
(overvalued).
2. Some sales made in January were recorded as being made in December. The
company has a December 31 fiscal year end.
• The internal control objective of timeliness has been violated. Controls put in
place to ensure transactions are recorded in the correct accounting period would
prevent cut off and completeness issues.
3. Duplicate sales were recorded.

• The control objective that ensures duplicate transactions
are not posted is “real”.
4. Sales to a subsidiary were recorded as sales to outsiders instead of as intercompany

sales.
• Intercompany sales should be separately disclosed therefore this violates the
internal control objective of classification where transactions are recorded to the
correct accounts
5. Some shipments of goods to customers were not recorded.

• This relates to the internal control objective of “recorded” as controls should be in
place to ensure all shipments are recorded as sales.
PROFESSIONAL APPLICATION 7.4 — Control environment at a large company

The problems at International Bank (IB) appear to begin at the most senior levels of the
foreign currency department, rather than with an individual trader. The attitude at senior
levels was that if the trader was able to make a profit, the official policies and procedures
could be ignored, or overridden. This suggests that the control environment in the
department did not reinforce integrity and ethical values, and encouraged risk taking in
pursuit of profit.
Questions must be asked about more senior levels in IB if senior management of one
department has a poor ethical attitude, how was this viewed by higher levels of
management and those charged with governance? Did senior levels in the foreign
currency department hide their attitudes from their supervisors, or did those supervisors
‘turn a blind eye’ to the issue provided the department was profitable? The press reports
suggest that the poor ethical attitudes are not confined to the foreign currency
department, adding weight to the view that more senior management were likely to have
poor attitudes to ethical conduct. There should have been stronger communication and
enforcement of integrity and ethical values through the organization, through measures
such as codes of conduct.
The press reports do not suggest that the rogue trader or the supervisors lacked
technical knowledge about foreign currency trading.
The organization structure at IB could be deficient if there was not effective supervision
of the foreign currency department. In addition, HR policies and practices were either
ignored or were nonexistent with respect to inculcating ethical attitudes and behaviour.
Overall most significant problem was communication and enforcement of integrity and
ethical values.
Other considerations:
• The risk assessment processes at IB appear to not have considered the potential
problems in the foreign currency department, or at least have addressed them in
full.
• The information system should have produced reports to more senior levels of
these irregularities.
• Control activities, such as performance reviews, should have detected the
common occurrence of the risky trading behaviour, or alerted senior management
to excessive profitability based on risky activity.
• Internal audit department of IB should have provided information on the risky
trades to those charged with governance.
• Finally, transaction level controls should have prevented or detected the large
trades and unbalanced positions.
PROFESSIONAL APPLICATION 7.5 — Categories of controls

a) Physical controls
b) Information processing
c) Segregation of incompatible duties
d) Information processing
e) Physical controls
f) Performance reviews
g) Authorization
h) Authorization
i) Physical controls
j) Segregation of incompatible duties
k) Performance reviews
PROFESSIONAL APPLICATION 7.6 — IT controls – suppliers

The control is a transaction control. Specifically it is an IT application control. The
purpose of the control is to prevent errors because the order cannot enter the system if
the correct supplier code is not used. This prevents a clerk from either making an error
with the code itself (such as recording 865 as 8655) or using a supplier that has not been
authorized for use.
It is not clear whether the supplier code is linked to the items being purchased. For
example, if the clerk uses an incorrect but valid supplier code, will the system accept the
purchase order? If item ABC is only to be ordered from supplier 865, and not from
supplier 864, will the order be accepted if the item ABC is being ordered from supplier
864 (which is a valid supplier code)? If the suppliers are not linked to the items that may
be ordered from them, there is the potential for some incorrect orders to be accepted into
the system.
Another potential weakness of the system is that there might be a delay between
identifying a suitable supplier and getting the supplier approved and an approved
supplier number issued and accepted into the system. It is probably for this reason that
the clerk has obtained the password that allows the clerk to allocate a code to a new
supplier. It is a control failure to allow passwords to be shared in this way. It means that
the system will show that the new code was properly authorized, but it has not been
because the supervisor has not necessarily seen the information and made a decision
about using that supplier. A stronger control would require additional evidence that the
supervisor has agreed to add the new supplier (such as a document trail with signatures
or additional authorizations).
PROFESSIONAL APPLICATION 7.7 — Preventive controls

a) Preventive controls would be designed to stop sales being made to non-
creditworthy customers. For example, the software would not allow a sale to be
made until the credit manager has approved the sale on credit, or the software
could require a credit check authorization number to be included in the sale
transaction. The system could require all new customers to be approved before a
new receivables account can be opened, and the account has to be opened
before a sale can be processed to that customer. The system would prevent a
sale being made if the sale took the account balance beyond the approved credit
limit, unless authorized by the credit manager.
b) The auditor observes that no credit sale has been processed which takes a
customer over its credit limit. The two possible explanations are: (1) the preventive
control is working effectively; (2) no customer has tried to purchase items which
take it over its credit limit. In the second case, there is no evidence that the
preventive control is working or not working, because it was not triggered.
c) The transaction could have been authorized by the credit manager (or other
senior manager). The authorization could be because the client has security for
the balance owing. However, the authorization could be inappropriate and be a
case of management override of the control. That is, the manager may have
overridden the preventive control to make a sale for reasons such as receiving a kick-
back from the customer, disregard for company policy against such sales, an
effort to reach sales targets in the department, etc. The auditor would
consider whether there was evidence of higher level authorization of the
transactions, such as reading board minutes, reading correspondence or
memos between the managers, reading the customer file for
evidence of security for the balance due, making enquiries of the relevant
sales managers. The auditor would also consider if other similar transactions (same
sales manager, same client, same product, etc.) are being processed correctly, or if
there is evidence of other sales in excess of credit limits being prevented.
PROFESSIONAL APPLICATION 7.8 — Controls at a small start-up company

a) Internal controls are the process designed, implemented and maintained by
those charged with governance, management and other personnel to provide
reasonable assurance about the achievement of the entity's objectives with
regard to:
• Reliability of financial reporting
• Effectiveness and efficiency of operations
• Compliance with applicable laws and regulations
(b) Four things your friends should do to ensure they create a strong control
environment include:
1. Have a code of conduct and ensure all employees are aware of it and follow it.
7. Hire competent ethical employees.
8. Assign responsibility and authority — have job descriptions.
9. Ensure human resource policies are in place over hiring, training, evaluating,
counselling, promoting and compensating employees
c) List eight control activities they should have in place. Ensure each is relevant to
their business.
• Keep cash locked up
• Limit purchases to only authorized personnel (management).
• Ensure all cash receipts deposited every day.
• Have security system in place.
• Have monthly financial statements prepared and review them each month.
• Ensure staff take vacations.
• Have all accounts (especially cash) reconciled monthly and reviewed by
someone other than preparer.
• Limit access to sales and purchasing modules to only servers and the
receiver.
(Students may also include any other relevant and reasonable controls.)
PROFESSIONAL APPLICATION 7.9 — Testing bank reconciliation controls

a) The most reliable evidence would be gathered by re-performance of a sample of
bank reconciliations. The auditor could judge if all items were dealt with
appropriately. In addition, completed bank reconciliations can be inspected for
evidence of identification of errors and follow-up. The least reliable evidence
would be obtained from observing client staff complete a bank reconciliation or by
making enquiries of the client staff (because these procedures would not provide
reliable evidence about the bank reconciliation performance at earlier periods
when different staff were involved).
(b The auditor would approach discussions with client staff with professional
scepticism. This means that the auditor does not assume the client staff are lying,
but the auditor has a questioning mind, being alert to conditions which may
indicate possible errors or fraud. The auditor makes a critical assessment of any
statements by the staff. For example, do the statements make sense given what
the auditor knows about the client and in the context of other evidence gathered?
What other evidence could be obtained to support the statements? How much
would the auditor expect the staff to know about bank reconciliations performed by
other staff at other periods? The auditor cannot assume that staff would lie and
not ask them about the audit, but the auditor cannot rely on staff statements alone.
c) The staff changes impact on the controls testing program because the auditor
would require evidence that the performance of bank reconciliations was similar in
different periods. The auditor would be careful to obtain evidence about the
performance of the controls from each period. If there was any evidence that
performance was poor during any sub-period, the auditor would seek to obtain
additional evidence about control performance, or increase the substantive
testing.
PROFESSIONAL APPLICATION 7.10— Payroll controls

a) The new system provides expenses and accruals for the accounting system, and
thus any errors in its calculations can have a direct effect on the accounts. No
testing prior to the new system going ‘live’. The auditor cannot review evidence of
the system’s ability to operate in the same way as the old system (i.e. would the
same data be generated under both systems). Limited staff training increases the
risk that there will be errors in either the system and its financial data or the way it
is interpreted and used by the client’s staff.
b) Accuracy is affected by the raw data and the calculations. Controls could be over
the entry of data (e.g. hours worked, approved pay rates linked to the position
classification, limits on total amounts calculated to prevent 10 hours being entered
as 100 hours because the total would be over the approved limit), and over the
calculations (e.g. reasonableness tests such as overall limits on total payments).
c) Occurrence relates to whether the payment is for hours actually worked, there
would need to be a control that did not allow payment to be made until a
supervisor had authorized the hours worked; controls to prevent duplicate
payments (i.e. same worker paid twice for hours worked). There should be a
reconciliation between payments made and recorded in the general ledger with
records of hours worked via the payroll report.
d) Tests of controls could include use of dummy data (feed in new data to determine
if the controls prevented the payment if it was not authorized, feed in deliberately
incorrect data, such as duplicate payments); gathering documentary evidence of
approvals of hours worked; reconciling hours worked for a pay period with total
payments made that period; seeking documentary evidence for supervisor reviews
of salary payments etc.
An example of a control test:
Client name: xxxxx Year end: 31 December 2020
Working paper: Payroll control testing
Purpose of test:
The purpose of this test is to verify that the payroll reconciliation control for
hours worked with overall payments is adequately designed and implemented
for the 12 months ending 31 December 2020.
Work to be performed:
Select two payroll reconciliations from different months, tie the total payments
as per the general ledger to the payroll report, and the payments on the payroll
report with the approved hours worked, tie the payments listed on the payroll
report to the bank statement, and vouch all differences between the payroll
report and the approved hours worked, and payroll report with general ledger
and bank statement greater than 10% to supporting documentation to ensure
valid reconciling items and that the reconciliation has been performed
correctly. Ensure the reconciliation has been prepared and reviewed on a
timely basis.
Findings/results of testing:
Conclusion:
Prepared by: Reviewed by: Index:

P1.1
PROFESSIONAL APPLICATION 7.11 — Internal control components

There is little separation between the board and the senior management – Sarah is both
CFO and director of both Featherbed and the Morris Group. The control environment
would be stronger if the CFO and the director positions were split.
Management philosophy and operating style are ‘laid back’, suggesting that formal
control structures are not in place. Although some documentation is now being done, it is
being done at a low level rather than being designed by senior management. There is a
risk that the documentation will be incomplete, without the necessary review procedures.
Peter Pinn does not appear to be very active in reviewing the performance of the more
junior staff, and there is a lack of clear information on whether Sarah is adequately
supervising Peter. The lines of accountability should be stronger and because of the
small size of the accounts department, should include periodic reviews of transactions
authorized and processed at lower levels.
There appears to be a lack of adequate segregation of duties, both Kristen and Julie are
involved in opening mail, processing transactions, banking, bank reconciliations, and
payroll. These duties should be segregated so that staff handling cash are not also able
to record transactions. Bank reconciliations and reviews of journal postings should be
done by Sarah or Peter, and they should also be authorizing transactions. There appears
to be no separate HR function and there is a danger that payroll is not valid.
Overall, the internal controls appear to have deficiencies. The documentation should be
completed by Sarah and she should take more responsibility for overseeing the
operations of the accounts department. Peter does not appear to be performing the
necessary authorization and supervision roles.
PROFESSIONAL APPLICATION 7.12 — Communication with management

The management letter would conform to the example in the text. Would be addressed to
chair of the board of Featherbed (Justin Morris). It would explain the deficiencies in
internal control, as outlined in Professional Application Question 7.11, with the
appropriate recommendations with respect to segregating duties and completion of
documentation of policies and procedures.
PROFESSIONAL APPLICATION 7.13 — Components of internal control

(1) Control Environment.
The high level of security around information relating to product design, manufacturing
and costing, and the client identity and transactions is a key part of the internal control
system at Securimax. The secure environment provides the foundation for the successful
implementation of the new manufacturing costing system because data are secure and
only certain personnel will have access to it.
The highly secure environment indicates that the control environment at Securimax has a
focus on clear assignment of authority and responsibility and a formalized organizational
structure. It also reflects management’s philosophy and operating style which rates
security highly.
Consistent with this approach it would be expected that internal audit have a formal and
important role in the organization. Internal audit were involved in all stages of the
installation of the new manufacturing costing system. Their role would have been to
ensure that the integration with other systems (e.g. sales) is correct. Internal audit will
also be interested in maintaining the secure environment and assessing the performance
(i.e. efficiency and effectiveness) of the new system.
External audit would focus on understanding the control environment and assessing
whether the control environment means that management has positive attitudes towards
internal control systems. The auditors would be interested in assessing how well the
implementation of the new costing system was executed, and whether the secure
environment was maintained.
(2) Risk assessment process.
The risk assessment process refers to management’s processes to identifying and

responding to business risks. Securimax has responded to the risk of using inaccurate
costing data by installing the new manufacturing costing system. However, there are
risks involved with the installation and these would need to be managed.
The internal audit department would be involved in assessing how management handle
the implementation and other risks.
The external audit department would use the information from the internal audit
department’s assessment to evaluate the level of risk to the financial accounts from any
problems with the manufacturing costing system.
(3) Control activities

The information provided does not explain the segregation of duties and physical
controls relating to the new manufacturing costing system. However, internal audit would
assess the level of segregation and physical controls when determining the success of
the implementation process.
External audit would require an understanding of these matters in order to assess control
risk for transactions relating to the costing system.
PROFESSIONAL APPLICATION 7.14 — Understanding types of controls

Automated application controls apply to the processing of individual transactions. These
controls include credit checks, validations, calculations, interfaces and authorizations.
For example:
• Only authorized personnel would have access to the costing system – this would
be controlled through log-on, password procedures.
• All transactions would have an appropriate level of authorization, through input of
an authorization code by a senior manager (once transaction request is input, the
manager’s computer would alert the manager to the transaction and request
approval, then the transaction would be released for processing).
• Inventory movement transactions entered into the system would require input of
an inventory part number which is checked against a master file before the
transaction is allowed to proceed.
PROFESSIONAL APPLICATION 7.15 — Preventative and detective controls

In addition your business risk assessment procedures indicate there is a risk that
payments to suppliers are made prior to goods being received. As part of your evaluation
of the potential mitigating internal controls you note that accounting staff perform the
following procedures.
1. A pre-numbered cheque requisition is prepared for all payments.
10. The details on the supplier’s invoice are matched to the appropriate
receiving report.
11. The details on the supplier’s invoice and receiving report are matched to an
authorized purchase order.
12. The cheque requisition is stapled to the authorized purchase order,

receiving report and supplier’s invoice and forwarded to the appropriate senior
staff member for review and authorization.
13. The authorized cheque requisition, together with the supporting documents,
is passed to accounts payable for payment.
Account at risk a. Assertion at risk b. Preventative c. Detective internal

internal control control
A. Payroll Occurrence, Use different Review of overtime

expense: accuracy codes for payment reports
overpayment of standard shifts
overtime and overtime
hours; require
special
authorization of
overtime
payments
B. Accounts occurrence Require supplier Reconciliation of

payable: and invoice code supplier accounts
payments made to be input at time each month, detect
twice to the same of processing debit balances or
supplier payment – system accounts with more
to reject payments than
duplicates; invoices
Cancel
documents used
to support
payment to
prevent reuse
PROFESSIONAL APPLICATION 7.16 — Preventative controls

a) Payment to suppliers before goods are received creates the risk that the payment
is for goods that may never be received, or not received in the relevant period at
the price quoted. The assertions at risk are the occurrence of the payment of
payables. The cheque has been drawn against the bank account, but the payment
is not for a liability owing for goods purchased.
b) Requiring a receiving report before payment (with appropriately verified details of

date, amount, unit price, total price and supplier) mitigates the risk of payment
before receipt of goods. The receiving department will not prepare the receiving
report until the goods are received. The senior staff member will review the
package of documents for evidence of receipt, thus ensuring that the receiving
report is included, and it matches the other documents.
c) Review authorized packages of documents for evidence of the existence of the

receiving report and verify that the details on the receiving report match the other
documents (i.e. the number of goods received is the same as the number of
goods on the supplier’s invoice and purchase order).
PROFESSIONAL APPLICATION 7.17 — Segregation of duties and documentation

a) Create a flowchart or logic diagram to represent the flow of transactions from the
creation of a purchase order to cash payment.
Purchase order
initiated
Approval of
purchase order
Purchase order
sent to suppliers
from an
approved
supplier list
Goods are
transported from
Southeast Asia
by ship
Goods are
delivered by
truck to Hardies
Wholesaling
central
Awarehouse
receiving
report is
generated by the
receiving
department
when goods
Receiving are
report
received
is forwarded to
the accounts
department for
maching with
the purchase
order and
Theinvoice
purchase
order and
invoice are
intered into the
general ledger
Accounts
payable creates
a voucher to
request payment
of the invoice
Payment is
approved and a
cash payment is
made
b) Which duties in the above process should be segregated?
The receiving department duties should be segregated from the purchasing

department. This control will ensure that purchase orders are not modified after
deliver to show that less goods were ordered than were actually received.
The payment process should be segregated from the process or recording the
transaction in the books and records. This will decrease the risk of theft of cash
being covered up by manipulating the financial records.
The purchasing department should be segregated from the record keeping
department and then payment process.
PROFESSIONAL APPLICATION 7.17 — Control testing results and documentation

a) The audit assistant is incorrectly interpreting an absence of evidence of an event
as evidence of the absence of the event. There is no evidence of any program
changes or overrides, but only limited testing has been done. The auditors need to
gather direct evidence that there were no changes or overrides. The auditors will
need to conduct further tests to verify the statements.
b) Other options available to the auditor include testing other controls that could
perform the same function, that is, what other controls exist to prevent or detect
the WCGW (what can go wrong)? Further, would failure of the control being tested
necessarily lead to a potential material misstatement in the financial statements?
For example, is the control aimed at behaviour which does not impact on the
financial statements (e.g., making sure that inventory is sorted correctly by colour
on the shelves is not relevant to the financial statements)? If the auditor concludes
that the controls relevant to preventing or detecting an error are likely to result in a
material misstatement in the financial statements then the auditor would increase
substantive testing.
c) Working papers (whether electronic or paper based) are used to provide

instructions to audit staff and to record results of testing. As the working papers
are completed, more senior staff review the results of the tests in order to assess
the adequacy of the evidence. The audit opinion must be based on
sufficient, appropriate evidence. Ultimately, the audit partner must sign off on
an audit report using the results recorded in the working papers as justification.
Within the audit firm, other partners are often used to review the decisions
reached to ensure quality standards are maintained. These other partners are
not involved in the audit and must rely on the documentation to understand the
nature, timing, and extent of all testing, and the results obtained. The papers
must be completed with sufficient detail to allow the review partners to reach a
decision. Audit partners from other firms could also review the working papers
to provide more independent testing of the audit quality as part of peer
review programs within the auditing profession. Regulators, such as the Canadian
Public Accountability Board (CPAB), the Canadian Securities Administrators (CSA),
and the self-regulatory inspection group of each provincial professional
accounting body for each Canadian designation (CPA, and formerly, the
CA, CMA, CGA designations), may also review some audit working papers to
monitor audit quality and write reports on the overall level of audit quality .
Finally, the working papers could be used as evidence in legal disputes
between auditors and their clients or other interested parties.
PROFESSIONAL APPLICATION 7.19 — Technique for testing computerized

controls
Possible tests include:
• Test data – the auditor prepares some data to process through the client’s
computer system. The data would have valid and invalid types of transactions.
The auditor would try to prepare enough invalid transactions to mimic all types of
errors (e.g., if the client does not sell items with values greater than $1,000, the
auditor could prepare a transaction with $1,000,000 as the value to test if the
client’s system will reject the transaction).
• Process the client’s actual transactions through another software package
controlled by the auditor. The auditor would test if the output from the client’s
software is the same as the output from the auditor’s software. This would require
the auditor to have software that would be similar enough to the client’s systems.
• Interrogation software – the auditor would have special software to interrogate the
client’s systems to request reports of transactions with certain parameters. The
audit software could also search for evidence of changes, which could be
unauthorized, made to the client’s software. The audit software could also search
for certain likely problems with client software.
Case Study 7.20 Integrative Case Study — Armstrong, Aldrin & Collins
Professional Corporation
AUDIT ENGAGEMENT PLANNING MEMO
a) Memo
To: Partner
From: Student
Re: Audit Planning
Risk for the engagement will be set as high because of the following:
• The bank specifically requires that the financial statements are prepared in
accordance with GAAP (in particular, AAC plans to follows Canadian
ASPE). This will be a first time audit and the first time the financial
statements will be prepared in accordance with GAAP.
• While the controller is a designated accountant, he has had problems
keeping up to date with the standards as they change, leading to higher risk
that the financial statements are not in accordance with GAAP.
• Additionally, the shareholders of the company are too busy to worry
themselves with accounting matters. This indicates a weak control
environment.
APPROACH
The approach for the engagement will be primarily substantive because:
• The controller demonstrates a lack of understanding of GAAP, which
suggests a poor control environment therefore it is unlikely we will be able
to rely upon controls.
b) Draft Report
To: Client
From: CPA Student
Re: Control weaknesses with the new IT system
Passwords
Weakness: Passwords to enter the system are saved on staff computers for
automatic login.
Implication: This could allow anyone with access to an AAC computer to access
the system, read confidential client files and perhaps change information.
Recommendation: Staff members are to enter their personal password manually
each time they log into the website and passwords are to be changed frequently.
Passwords are to be of a prescribed minimal number of characters and combine
numeric and alphabetic characters.
7.20 Integrative Case Study (Continued)
Simultaneous Access
Weakness: It is possible for two users to access the same archived file at the
same time.
Implication: This may result in staff making inconsistent changes to file
information. If a senior staff member is reviewing working paper file information at
the same time that another staff is entering or changing file information, a risk
exists that the information being reviewed is not the final version of the file
contents.
Recommendation: Allow only one staff member to access a particular file at any
one time. The working paper needs to be described as finalized to ensure that the
final, pre-review working paper is being reviewed.
Access to Functions
Weakness: No controls are described that would restrict the functions that may be
performed in the software by any staff member.
Implication: An unauthorized staff member to access/print financial statements
and assurance reports or file income tax returns without the approval or
knowledge of senior staff.
Recommendation: Install appropriate access controls. All software functions
dealing with communications with persons outside the firm must be approved by
an appropriate senior staff member through the use of separate supervisory
passwords.
PROGRAM CHANGES:
Weakness: “ClientPrep” software updates are sent directly to the website host
which notifies AAC after a change has been made.
Implication: Employees at the ISP have the ability to make unauthorized or
incorrect changes (e.g., improper access to program changes, confidential client
information). Changes may be made to both programs and web links with only an
e-mail from Michelle Collins, and if anyone is able to send an e-mail from
Michelle’s e-mail address, further unauthorized program changes can be made.
Recommendation: Restrict program changes by requiring that Michelle or an
appropriate emergency substitute attend the ISP offices and enter an
authorization password to make changes to the program or web links.
SECURITY AND BACK-UP:

Files
Weakness: Files on the server are backed up only once each week.
Implication: If the server were to crash prior to the next scheduled backup, all work
documented over the past seven days could be lost and would be very expensive
and inconvenient to reproduce.
Recommendation: Consider leasing another server that is located away from the
premises of the website host (e.g. at AAC’s office) and have the host files copied
7.20 Integrative Case Study (Continued)
to this back-up server at least on a daily basis. This will also keep backups offsite,
which will increase data recovery in the event of a fire or flood at AAC’s office.
Control Over Confidential Data

Weakness: Website host staff may have the ability to make copies of confidential
client files on CDs.
Implication: Website host staff could then improperly use these files.
Recommendation: Install appropriate controls to restrict the copying of files and to
allow for copying only when authorized. Consider leasing another server to ensure
that authorized CD’s can only be made at the website and that a supervisor
password is entered at the premises of the website host site by authorized AAC
staff.
Virus Protection
Weakness: Confidential files are scanned by a program that AAC has no control
over.
Implication: This could result in unauthorized copies of files being made or files
being transmitted to unauthorized third parties without AAC’s knowledge.
Recommendation: Discuss with your computer consultant random ways of using
anti-virus software that would prevent an unauthorized person from altering data.
Updates
Weakness: The annual update (or any other revision) of “ClientPrep” is sent
directly to the website host who makes the necessary changes to the “ClientPrep”
program stored on the server and sends notification of the change to AAC.
Implication: This could result in unauthorized copies of files being made or files
being transmitted to unauthorized third parties without AAC’s knowledge.
Recommendation: Discuss with your computer consultant random ways of using
anti-virus software that would prevent an unauthorized person from altering data.
Case Study — Cloud 9

PART 1
a) NARRATIVE – Cloud 9 wholesale sales to cash receipts:
A sales transaction begins with the receipt of the customer purchase order via the
inventory management system, Swift. Swift is a custom-made software package
that has an interface through a secured site key to retailer inventory systems.
When inventory balances at retailers get below a pre-determined amount (which is
established and updated by the customer), the system automatically alerts the
customer to complete a purchase order on-line.
Purchase orders are initiated in Swift based on a master price file and the
available inventory in the warehouse. Swift does not allow quantities to be
ordered greater than the amount on hand in the warehouse. Once the purchase
order is completed by the customer, a credit limit check is automatically performed
by the system against pre-determined limits maintained in the customer master
file. If the customer exceeds their limit, the system will reject the order. Once the
credit check is successful, the system will generate the sales order.
Each day, the warehouse manager downloads the outstanding sales orders to
hand held computers for his team. Warehouse personnel collect the goods and
take them to the packaging staging area. Here, they scan the bar codes of each
product with the hand held computer that is linked to Swift. This creates the
dispatch note in Swift, which is automatically matched to the sales order. Only
when there is match, does the approval box get activated. The Shipping
Supervisor electronically signs off on the dispatch note by entering his passcode
to approve the dispatch note.
The goods are boxed up and placed in the secure caged areas for the Cloud 9
drivers to pick up the following day. In the morning, drivers print the approved
dispatch notes and arrange their delivery schedule. Upon delivery, the customer
signs the dispatch note confirming receipt of goods. That copy is sent to the billing
team. Any undelivered items are returned to the cage.
At the end of the day, the warehouse manager reviews the unfilled sales order
report and contacts the customer service representative to notify the customer of
when the expected delivery for their items would be.
When goods are returned, they are received in the warehouse and scanned.
Once the dispatch report is signed, the system automatically generates the
invoice, which is maintained in “draft” status for the billing team. The billing team
matches the draft sales invoice to the returned dispatch note. Final invoices are
printed in duplicate at 4pm each day and mailed to the customer. The invoice
copy and signed dispatch note are stapled and put on the customer’s file. After
Case Study — Cloud 9 (Continued)
the print run, an exception report is generated to catch any shipments for which
the final bill was not issued. The signed dispatch note file is checked regularly to
catch any unmatched notes.
Once the invoice is printed, the receivables and sales entries are recorded
automatically by the system. The system automatically posts the sales in the sub-
ledger to general ledger.
Most customers pay by EFT. Each morning, the A/R clerk downloads from on-line
banking the receipts received the previous day. The amounts are applied to the
customer’s accounts receivable balance in the sub-ledger system. Once each
receipt is entered, a batch report of postings to Accounts Receivable is generated
and reconciled back to the direct banking receipts. That reconciliation is reviewed
and approved by Carla. Any unapplied cash receipts are posted to a dummy
account until they can be cleared against a specific customer. The dummy
account balance is reviewed weekly for unapplied balances that need
follow-up.
Bank reconciliations are prepared on a monthly basis by Carla and reviewed by

David.
b) Additional follow-up questions:

From the interview transcript, students should ask the following questions for
further information or clarification:
For the sales manager

• How often are prices changed? What is the process for making a change to
the master price list? Who has access to the master price lists?
• What are the mechanics of the credit check the system performs? Who set
the limits? What happens if they are over their limits? How are the limits
changed?
For the shipping supervisor

• How are the goods prepared for delivery – i.e., how are they packaged?
• Do the drivers check their loads against the dispatch notes prior to
departing the warehouse or during their deliveries? How is this evidenced?
For the warehouse manager

• How do you ensure all sales orders are filled?
• What happens if a product is returned?
For Carla Johnson (to represent finance)

• What happens if the batch posting report doesn’t reconcile to the bank
report?
• How do you know to what invoice the payment relates?
• Do you ever have cash that you can’t determine what customer or invoice
against which it should be applied?
For an IT Manager
• Overall, there is such a reliance on the IT systems that the audit team would
want to get an IT specialist involved to help review the general controls
(access, change management, backups) as well as help understand exactly
what happens to the data that gets entered.
c) & d): Potential misstatements and assertions

The Wholesale Sales to Cash Receipts process includes transactions recorded
in Sales, Accounts Receivable and Cash. Students should have identified the
following potential errors:
Significant Process Potential Material Misstatements Assertions
Sales/Accounts Credit memos are not issued or Sales – Occurrence; Accounts

Receivable recorded for returns on a timely Receivable – Existence
basis or at all.
Duplicate/false sales transactions Sales – Occurrence; Accounts
are recorded. Receivable - Existence;
Allowance for Bad Debt –
Completeness
Invoice misstates the quantity of Sales – Accuracy; Accounts

goods shipped or incorrect Receivable – Valuation;
pricing. Inventory – Valuation; COGS –
Accuracy
Proper credit authorization is not Allowance for Bad Debt –
obtained for wholesaler Completeness
transactions.
Sales journal/sub-ledger is Sales – Completeness
incorrectly posted to G/L or does
not reconcile.
Sales transaction is not recorded Sales – Completeness;
upon shipment of goods. Accounts Receivable –
Completeness; Inventory –
Existence; COGS – Occurrence
Sales transaction is recorded Sales – Occurrence, Accounts

when goods not shipped. Receivable – Existence;
Inventory – Completeness;
COGS – Completeness

Cash Receipts Cash receipts are not recorded Accounts Receivable –
when received. Completeness; Cash –
Completeness
Cash receipts in foreign Accounts Receivable –
currencies are incorrectly valued Valuation; Cash – Valuation
(e.g., by using the incorrect
exchange rate).
Cash receipts recorded differ from Accounts Receivable –
amounts deposited. Completeness and Existence;
Cash – Completeness and
Existence
Cash receipts and transfers are Accounts Receivable –
recorded in the wrong period. Completeness; Cash –
Completeness
Duplicate postings of cash Cash – Existence
receipts are made to the general
ledger. This would lead to a
discrepancy between the general
ledger and the underlying AR
subledger.
Totals in cash receipts journal are Cash – Completeness

incorrectly posted.
PART 2
1. Use your worksheet from the case study assignment in Part A to complete this part of
the assignment. In column four include the transaction level internal controls Cloud 9
has implemented to prevent and/or detect potential errors.
2. Based on the preliminary assessment of Cloud 9’s control environment obtained in

earlier procedures, the audit team has decided to test controls over the sales to cash
receipts process. It is expected that there will be no deficiencies in the transaction level
internal controls.
3. Josh has partially completed the testing for selected controls over the sales/accounts
receivable and cash receipts processes. He has asked you to complete the testing for
him. All information has been provided by the client (refer to the appendix). Document
your findings on the working papers Josh has started (see the tables below) and then
conclude with your assessment on the overall effectiveness of the controls tested.
4. Using the results of your control testing, assess the control risk for the following
assertions and write your conclusions in the following worksheet. Use the information
you provided in the worksheet completed for requirement 1 to focus your controls
testing on the significant assertions.
Solution
1. Controls
Potential Assertions
Significant Process
Misstatements
Sales/Accounts Credit memos are not Sales - Occurrence; Credit memos > $10,000 ar
Receivable Process issued or recorded for Accounts Receivable - director. All others are app
returns on a timely Existence
basis or at all.
Bar code scanners used to
Duplicate/false sales Sales - Occurrence; Sales order automatically m

transactions are Accounts Receivable - shipment.
recorded. Existence; Allowance for
Bad Debt - Completeness
Shipping supervisor enters
System generates draft inv

shipping supervisor.
System automatically posts
Invoice misstates the Sales - Accuracy; Accounts Draft sales invoices are agr
quantity of goods Receivable - Valuation;
shipped or incorrect Inventory - Valuation;
pricing. COGS - Accuracy
Sale price taken from mast
Sales order automatically m

shipment.

Proper credit Allowance for Bad Debt - Credit limit check is automa
authorization is not Completeness master file.
obtained for
wholesaler
transactions.
Sales journal/sub- Sales - Completeness System automatically posts

ledger is incorrectly
posted or does not
reconcile.
Daily review of the unfilled
Sales transaction is Sales - Completeness; Draft sales invoices are agr

not recorded upon Accounts Receivable -
shipment of goods. Completeness; Inventory -
Existence; COGS –
Occurrence
Review of exception report

shipment.
Signed shipping note file ch

Sales transaction is Sales - Occurrence, Draft sales invoices are agr

recorded when goods Accounts Receivable -
not shipped. Existence; Inventory -
Completeness; COGS -
Completeness

shipment.

Cash Receipts Cash receipts are not Accounts Receivable - Bank reconciliations are pre
recorded when Completeness; Cash -
received. Completeness
Direct banking receipts are

reviewed/approved.
Cash receipts in Accounts Receivable - Bank reconciliations are pre

foreign currencies Valuation; Cash - Valuation
incorrectly valued.
Cash receipts Accounts Receivable - Bank reconciliations are pre

recorded differ from Completeness and
amounts deposited. Existence; Cash -
Completeness and
Existence

reviewed/approved.
Cash Accounts Receivable - Bank reconciliations are pre

receipts/transfers are Completeness; Cash -
recorded in wrong Completeness
period.

reviewed/approved.
Duplicate postings of Cash - Existence Bank reconciliations are pre

cash receipts are
made to G/L.
Totals in cash receipts Cash - Completeness Bank reconciliations are pre

journal are incorrectly
posted.

reviewed/approved.
1.
2.
2.
2.
2.
2.
2.
2.
2. Complete testing
Cloud 9
Controls Testing —
Sales/AR Process
December 31, 2020
AIM
To test selected controls over the Sales and

Accounts Receivable process.
SAMPLE
We haphazardly selected 25 sales invoices from

the entire year.
RESULTS
Invoice
Sale matches Shipping
Amount Shippin Supervisor
Sales (exc g Note Shipping authorization
Invoice # Date Customer Name GST) (A) Note # (B)
1/14/20 David Jones – D001248

1 124874 20 Moose Jaw 645.87 74
1/23/20 Foot Locker – D001250

2 125048 20 Ottawa 745.21 48
2/7/202 Rebel Sport – D001253

3 125324 0 Vancouver Island 905.46 24
D001255
4 125542 2/16/20 Rebel Sport – 42
20 Sunshine Coast
517.32
3/2/202 D001259
5 125987 0 Myer – Moncton 675.28 87
3/10/20 Dick's Sports – St. D001260

6 126067 20 John’s 367.96 67
4/8/202 Foot Locker – D001268

7 126845 0 Regina 781.62 45
4/27/20 Running Shop – D001271

8 127111 20 Calgary 457.24 11
For purposes of this case study, sample tests 9-19 have been removed. There
were no exceptions noted in the results.
2 10/13/2 David Jones – D001328

0 132811 020 Moose Jaw 917.92 11
2 10/27/2 Rebel Sport – D001334

1 133410 020 Vancouver Island 723.72 10
2 11/4/20 D001340
2 134063 20 Myer – Moncton 752.20 63
2 Cross Country D001341

x
3 134104 11/6/20 Sports 229.48 04
2 12/12/2 Wide Road D001352

4 135215 020 Speciality Retailer 1,192.14 15
2 12/20/2 Foot Locker – D001369

5 136947 020 Regina 1,021.60 47
A To complete this test, we agreed the sales invoice to the shipping note,
ensuring it was signed by the customer.
B To complete this test, we reviewed the shipping note noting the encrypted
passcode symbol. As passcodes are not printed, our IT specialists will perform
control testing around passcode entry and the generation of the shipping note
once entered.
x It was noted on the shipping note that a customer signature was not obtained.
Upon discussion with the billing team, it was determined that the customer was
called to verify receipt of the goods. This should have been noted on the
shipping note to prove that the goods were received and the control was
performed properly.
CONCLUSION
With the exception noted in the testing above, we cannot conclude at this time that
the control around matching the sales invoice to the shipping note is working
effectively. To be able to rely on this control, we would need to increase our sample
size by another 15 (assuming no exceptions found).
The control for the shipping supervisor's authorization

does appear to be working effectively.
Cloud 9
Controls Testing — Cash Receipts Process
December 31,
2020
AIM
To test selected controls over the Cash Receipts process.
SAMPLE
We haphazardly selected 25 workdays from the entire year in order to test the
reconciliation of daily bank receipts to A/R.
RESULTS
Total Bank Evidence

Date Total Posted to AR Deposit of Review
1 1/8/2020 10,548.45 10,548.45
2 1/18/2020 9,587.37 9,587.37
3 2/15/2020 11,486.82 11,486.82
4 2/27/2020 7,456.24 7,456.24
5 3/11/2020 5,836.08 5,836.08
6 3/19/2020 8,012.74 8,012.74
7 4/4/2020 8,753.91 8,753.91
8 4/22/2020 9,687.45 9,687.45
FFor purposes of this case study, sample tests 9-19 have been removed. There were no excep
20 9/19/2020 10,577.23 10,57
21 10/8/2020 8,765.49 8,76
22 10/23/2020 5,490.61 5,49
23 11/12/2020 9,302.20 9,30
24 12/3/2020 12,567.33 12,56
25 12/19/2020 13,874.85 13,87
CONCLUSION
Based on the results above, the control appears to be operating effectively throughout the entire period
Research Question 7.1 — Alberta oil sands development

The solution to this research question will depend on the sources selected by the student
and the information gathered.

Chapter 07

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Chapter 07

Uploaded by

Copyright:

Available Formats

Moroney, Campbell, Hamilton, Warren Auditing: A Practical Approach, Third Canadian Edition

John Wiley & Sons Canada, Ltd.

SOLUTIONS TO REVIEW QUESTIONS

REVIEW QUESTION 7.1

REVIEW QUESTION 7.2

REVIEW QUESTION 7.3

REVIEW QUESTION 7.4

REVIEW QUESTION 7.5

REVIEW QUESTION 7.6

REVIEW QUESTION 7.7

REVIEW QUESTION 7.8

REVIEW QUESTION 7.9

2. Flowcharts; the advantage is that the standardized graphics allow a large

3. Combinations of narratives and flow charts; the advantage is that complex

4. Checklists and preformatted questionnaires; the advantage is that it is helpful

REVIEW QUESTION 7.10

SOLUTIONS TO PROFESSIONAL APPLICATION QUESTIONS

PROFESSIONAL APPLICATION 7.1 — Importance of internal control

b) Suggested internal controls include:

PROFESSIONAL APPLICATION 7.2 — Objectives of internal control

b) Potential problems in transactions if control system does not meet

PROFESSIONAL APPLICATION 7.3 — Control objectives

prevent cut off and completeness issues.

3. Duplicate sales were recorded.

4. Sales to a subsidiary were recorded as sales to outsiders instead of as intercompany

5. Some shipments of goods to customers were not recorded.

PROFESSIONAL APPLICATION 7.4 — Control environment at a large company

PROFESSIONAL APPLICATION 7.5 — Categories of controls

PROFESSIONAL APPLICATION 7.6 — IT controls – suppliers

PROFESSIONAL APPLICATION 7.7 — Preventive controls

PROFESSIONAL APPLICATION 7.8 — Controls at a small start-up company

PROFESSIONAL APPLICATION 7.9 — Testing bank reconciliation controls

PROFESSIONAL APPLICATION 7.10— Payroll controls

An example of a control test:

Client name: xxxxx Year end: 31 December 2020

Working paper: Payroll control testing

Prepared by: Reviewed by: Index:

PROFESSIONAL APPLICATION 7.11 — Internal control components

PROFESSIONAL APPLICATION 7.12 — Communication with management

PROFESSIONAL APPLICATION 7.13 — Components of internal control

(2) Risk assessment process.

The risk assessment process refers to management’s processes to identifying and

(3) Control activities

PROFESSIONAL APPLICATION 7.14 — Understanding types of controls

PROFESSIONAL APPLICATION 7.15 — Preventative and detective controls

12. The cheque requisition is stapled to the authorized purchase order,

Account at risk a. Assertion at risk b. Preventative c. Detective internal

A. Payroll Occurrence, Use different Review of overtime

B. Accounts occurrence Require supplier Reconciliation of

PROFESSIONAL APPLICATION 7.16 — Preventative controls

b) Requiring a receiving report before payment (with appropriately verified details of

c) Review authorized packages of documents for evidence of the existence of the

PROFESSIONAL APPLICATION 7.17 — Segregation of duties and documentation

b) Which duties in the above process should be segregated?

The receiving department duties should be segregated from the purchasing

PROFESSIONAL APPLICATION 7.17 — Control testing results and documentation

c) Working papers (whether electronic or paper based) are used to provide

PROFESSIONAL APPLICATION 7.19 — Technique for testing computerized

AUDIT ENGAGEMENT PLANNING MEMO

Re: Audit Planning

Re: Control weaknesses with the new IT system

7.20 Integrative Case Study (Continued)