CHAPTER 7
Chapter 10Understanding Internal Control
Learning Check
10-1. a.The Foreign Corrupt Practices Act of 1977 is
administered by the Securities and Exchange Commission. The Act
pertains to management and directors of companies subject to the
reporting requirements of the Securities Exchange Act of 1934.
b.The antibribery and accounting standards provisions of the Act
require the maintenance of a satisfactory system of internal
control.
10-2. a.The National Commission on Fraudulent Financial
Reporting reemphasized the importance of internal control and
recommended the following:
Of overriding importance in preventing fraudulent financial
reporting is the "tone set by top management" that influences the
corporate environment within which financial reporting occurs.
All public companies should maintain internal controls that will
provide reasonable assurance that fraudulent financial reporting
will be prevented or subject to early detection.
The organizations sponsoring the Commission (including the
Auditing Standards Board [ASB]) should cooperate in developing
additional guidance on internal control systems.
b.COSO is an acronym for Committee of Sponsoring Organizations,
a body comprised of representatives from the AICPA, the American
Accounting Association, The Institute of Internal Auditors, the
Institute of Management Accountants, and the Financial Executives
Institute. The two principal purposes of its efforts were to:
Establish a common definition of internal control serving the
needs of different parties.
Provide a standard against which business and other entities can
assess their control systems and determine how to improve them.
COSO undertook these efforts as a response to the Treadway
Commission's recommendation that the organizations represented on
COSO should cooperate in developing additional guidance on internal
control system.
10-3. a.The COSO report defines internal control as a process,
effected by an entity's board of directors, management, and other
personnel, designed to provide reasonable assurance regarding the
achievement of objectives in the following categories:
Reliability of financial reporting.
Compliance with applicable laws and regulations.
Effectiveness and efficiency of operations.
b.The COSO report identifies five interrelated components of
internal control which are:
1. The control environment.
2. Risk assessment.
3. Control activities.
4. Information and communication.
5. Monitoring.
c.Of primary relevance in a financial statement audit are an
entity's controls that pertain to the reliability of financial
information, particularly those that are intended to provide
reasonable assurance that financial statements prepared by
management for external users are fairly presented in conformity
with generally accepted accounting principles. Other objectives and
related controls may also be relevant if they pertain to data the
auditor uses in applying audit procedures such as (1) nonfinancial
data used in analytical procedures and (2) certain financial data
developed primarily by management for internal purposes such as
budgets and performance data.
10-4.Inherent limitations in any entity's system of internal
control include:
Mistakes in judgment may be made by management and other
personnel in making business decisions or in performing routine
duties because of inadequate information, time constraints, or
other pressures.
Breakdowns in controls may occur because experienced, temporary,
or new personnel may misunderstand instructions or make errors due
to carelessness, distractions, or fatigue.
Collusion, which is individuals acting together, may enable the
concealment of an irregularity so as to prevent its detection by
the system of internal control.
Management override of prescribed policies or procedures
includes making deliberate misrepresentations to auditors and
others such as by issuing false documents to support the recording
of fictitious transactions.
Costs versus benefits which mitigates against the adoption of
controls, the benefits of which, in management's judgment, do not
outweigh the costs.
10-5.Several key responsible parties and their roles are as
follows:
Management which has the responsibility to establish and
maintain an effective system of internal control.
Board of directors and audit committee which, as part of their
general governance and oversight responsibilities, should determine
that management meets its responsibilities for establishing and
maintaining the system of internal control.
Internal auditors who should periodically examine and evaluate
the adequacy of an entity's system of internal control and make
recommendations for improvements.
Other entity personnel, which includes all other personnel who
provide information to, or use information provided by, the system
of internal control, have a responsibility to communicate to a
higher level in the organization any instances of noncompliance or
illegal acts of which they become aware.
Independent auditors who have a responsibility to report to
management and the board of directors certain conditions or
weaknesses in internal controls found in an audit.
Other external parties such as legislators and regulators who
may establish minimum statutory and regulatory requirements for the
establishment of internal controls by certain entities.
10-6. a.The five COSO interrelated components of internal
control which are:
Control environment.
Risk assessment.
Control activities.
Information and communication.
Monitoring.
In addition, the book adds a sixth component that is based on
PCAOB Audit Standard No. 2.
Anti-Fraud Programs and Control. This is sufficiently important
that it deserves separate attention and it influences the other
five COSO components.
b.The auditor focuses on the aspects of each component and
related controls that are designed to prevent or detect material
misstatements in the financial statements.
10-7. a.The factors that comprise the control environment
are:
Integrity and ethical values.
Commitment to competence.
Board of directors and audit committee.
Management's philosophy and operating style.
Organizational structure.
Assigning of authority and responsibility.
Human resource policies and practices.
b.Four things the CEO and other member of top management can do
to emphasize the importance of integrity and ethical values among
all personnel are (1) set the tone by example, (2) communicate to
all employees that the same is expected of them, (3) provide moral
guidance to employees who may be ignorant regarding what is right
and wrong, and (4) reduce or eliminate incentives and temptations
that might lead individuals to engage in dishonest, illegal, or
unethical acts.
c. Important IT aspects of the control environment include:
Involvement of management in setting policies for developing,
modifying and using computer programs and data.
Form of organization structure of data processing.
Methods of assigning authority and responsibility over computer
systems documentation, including procedures for authorizing
transactions and approving systems changes.
10-8. a.Management's risk assessment for financial reporting
purposes is similar to the external auditor's concern with inherent
risks, i.e., the risk that financial statement assertions will be
misstated. However, management's purpose is to manage identified
risks, and then design controls to prevent, or detect and correct,
misstatements. (Authors note: Managements of private companies may
consider cost benefit considerations when designing internal
control over financial reporting and may make the decision that the
cost of controls is more than the benefits that would be obtained.
However, PCAOB Auditing Standard No. 2says that cost benefit
considerations are not a reason to have adequate internal controls
relevant to a material assertion in the financial statements.) The
auditor's purpose is to evaluate the likelihood that material
misstatements exist in the financial statements in order to plan
the audit.
b.Important IT aspects of risk assessment include the assessment
of risks:
Transaction trails may be available for only a short period of
time.
Reduced documentary evidence of performance of controls.
Files and records usually cannot be read without a computer.
Decreased human involvement in computer processing can obscure
errors that might be observed in manual systems.
IT system vulnerability to physical disaster, unauthorized
manipulation, and mechanical malfunction.
IT systems may reduce traditional segregation of duties.
Changes in systems are more difficult to implement and
control.
10-9. a.The accounting system consists of the methods and
records established to identify, assemble, analyze, classify,
record, and report entity transactions and maintain accountability
for the related assets and liabilities.
b. Attributes of an effective accounting systemc. Related
category of financial statement assertions
Identifies and records only the valid transactions of the entity
that occurred in the current periodExistence or occurrence
Identifies and records all valid transactions of the entity that
occurred in the current periodCompleteness
Ensures that recorded assets and liabilities are the result of
transactions that produced entity rights to, or obligations for,
those itemsRights and obligations
Measures the value of transactions in a manner that permits
recording their proper monetary value in the financial
statementsValuation or allocation
Presentation and disclosure
d.Key IT aspects of the information and communication system
include:
Transaction may be initiated by computer
Audit trails may be in electronic form
How data is converted from source documents to machine-sensible
form
How computer files are accessed and updated
Computer processing involvement from initiation for transaction
to inclusion in financial statements.
Computer involvement in reporting process used to prepare
financial statements.
10-10. a.The objective of segregation of duties is to ensure
that individuals do not perform incompatible duties (i.e., an
individual should not be able to commit an error or irregularity
and then be in a position to conceal it in the normal course of his
or her duties).
b.There are two fundamental concepts associated with segregation
of duties. First, responsibility for authorizing a transaction,
executing a transaction, recording a transaction, and maintaining
custody of assets resulting from the transactions should be
assigned to different individuals or departments. Second, there
should be proper segregation of duties within the IT department and
between IT and user departments.
c.Several functions within IT: systems development, operations,
data controls and securities administration should be segregated.
In addition, IT should not correct data submitted by user
departments, and should be organizationally independent from user
departments.
10-11. a.The purpose of general controls is to control program
development, program changes, computer operations, and to secure
access to programs and data.
b.Because of the pervasive character of general controls, if the
auditor is able to obtain evidence that general controls function
effectively, then the auditor also has important assurance that
individual applications may be properly designed and operate
consistently during the period under audit. Effective general
controls allow the auditor to conclude that computer applications
are likely to operate effectively during periods when they are not
directly tested. Alternatively, deficiencies in general controls
may affect many applications and may prevent the auditor from
assessing control risk below the maximum for many applications and
transaction cycles.
10-12. a.The following bullets identify the three categories of
application controls and explain the purpose of each.
Input controls are designed to provide reasonable assurance that
data received for processing have been properly authorized and
converted into machine-sensible form. Input controls also include
manual control performed by the people who follow-up on the
rejection, correction, and resubmission of data that were initially
incorrect.
Processing controls are designed to provide reasonable assurance
that the computer processing has been performed as intended for the
particular application. Thus, processing controls should preclude
data from being lost, added, duplicated or altered during
processing.
Output controls are designed to ensure that the processing
results are correct, including both updated machine-sensible files
and printed output, and that only authorized personnel receive the
output.
b.The categories of controls pertaining to the conversion of
data are (1) verification controls, (2) computer editing, and (3)
control totals.
10-13.Most companies establish good controls over data going
into databases. However, when it comes time to prepare financial
statements a structured query language (SQL) is used to access the
database and download information into a spreadsheet. Spreadsheets
may be used to develop information for footnotes or they may be
used to develop consolidated financial statements. However, once
the data is in a spreadsheet, it may be subject to little or no
controls. Data in spreadsheets can be easily accessed and
manipulated without leaving an audit trail. If a macro is written
incorrectly it might inadvertently omit information from particular
general ledger account, or otherwise lose critical financial
statement information. This creates a risk that data the is well
controlled going into databases, is subject to a new risk of
material misstatement as spreadsheets are used in the financial
reporting process.
As part of a sound system of internal control companies should
limit access to spreadsheets. Furthermore, good controls include
testing the completeness of accuracy of inputs, and controlling the
accuracy of output (e.g., testing spreadsheets with test data).
Some companies perform an independent, manual check on the logic of
each spreadsheet and the data that is summarized with spreadsheets.
Companies should also maintain an inventory of spreadsheets used in
the financial reporting process and keep clear documentation of the
function accomplished by each spreadsheet.
10-14. a.Independent checks operate at the transaction level. In
an IT environment, application controls execute checks of
individual transactions to verify (1) work previously performed by
other individuals or departments or (2) the proper valuation of
recorded amounts.
Performance reviews represent the review of financial
information by management. For example performance reviews include
managements review of reports that summarize the detail of account
balances (e.g., reports of cash disbursements by department),
reports of actual performance versus budgets, forecasts, or prior
period amounts or reports comparing nonfinancial operating data and
financial data (for example, comparison of hotel occupancy
statistics with revenue data).
Monitoring is fundamentally different from the control
activities discussed above. Monitoring is the processes of
assessing the quality of the entire system of internal control. It
involves managements activities in making an ongoing assessment of
the effectiveness of the design and operation of internal
control.
b. Often management is involved in both executing transactions
and reviewing the financial results that show the processing of
those transactions. Examples of effective performance reviews
include:
The review of cash disbursement charged to a department by a
department manager, which is likely to be effective in identifying
completeness, valuation or classification problems.
The review of a report of sales transactions which may identify
completeness or valuation problems.
c.The monitoring function should involve the audit committee of
the board of directors (or other equivalent authority), senior
management, and internal auditing (if the function exists). With
respect to IT risks, management and the audit committee should be
conscious of IT risks associated with IT aspects of the control
environment, the information and communication system, and control
activities. Accounting officers should be conscious of, and
monitor, the same on an ongoing basis. Further, the audit committee
might charge internal audit with responsibility for periodic
reviews of IT risks and controls. Finally, independent monitoring
may occur when comments / complaints are received from customers,
employees, and vendors. For example, problems with internal control
may come to managements attention through complaints received from
customers about billing errors or from suppliers about payment
problems. Finally, alert managers may receive reports with
information that differs significantly from their first-hand
knowledge of operations.
10-15. a.The allowance for doubtful accounts should be
controlled the same way that other accounting estimates are
controlled. First, the accounting estimate must be based on
reliable information. The company must develop a reliable system of
aging individual invoices that are outstanding. Second, the
decision about the allowance should not rest with one or a few
individuals. Ideally, individuals responsible for approving credit,
approving charge-offs, operating managers responsible for sales,
and accounting personnel should all be involved in the review of
the allowance. Finally, some level of oversight by the audit
committee is appropriate.b.Oversight of nonroutine transactions
often rests with a disclosure committee. This committee is often
made up of individuals with strong accounting backgrounds (e.g.,
internal auditors), others with strong operational background who
are familiar with the transactions, and leadership from the audit
committee. The committee would make inquiries about nonroutine
transactions and review accounting for nonroutine transactions.
c.The selection of and application of new accounting principles
often rests with the disclosure committee as well. Again, it is
important for the committee to be made up of individuals with
strong accounting backgrounds that have some independence from the
controller and CFO (e.g., internal auditors), others with strong
operational background who are familiar with the transactions, and
leadership from the audit committee. The committee would be
responsible for reviewing decisions about the selection and
application of new accounting policies.10-16. Antifraud programs
and controls would normally include the following:
Control Environment
Code of conduct / ethical company culture
Ethics hotline
Audit committee oversight
Hiring, compensation, promotion and retentionFraud Risk
Assessment
Systematic assessment of fraud risks Evaluation of likelihood
and magnitude of potential misstatement
Information and Communication
Adequacy of the audit trail
Antifraud training
Control Activities
Adequate segregation of duties Linking controls to fraud
risks
Monitoring
Developing an effective oversight process
After the fact evaluations by internal audit
10-17. a.In a private company audit the auditor needs a
sufficient understanding of internal control to plan the audit.
This means that the auditor should have sufficient knowledge
to:
Identify the types of potential misstatement that may occur.
Understand the factors that affect the risk of material
misstatement
Design the nature, timing, and extent of further audit
procedures
b.In addition to the items discussed in (a) above, the auditor
of a public company should also have a sufficient understanding to
plan and perform an audit to obtain reasonable assurance that
internal controls over financial reporting are operating
effectively.
10-18. a.Two matters that should be covered in obtaining an
understanding of internal controls are:
The design of policies and procedures pertaining to each
component of internal control.
Whether the policies and procedures have been placed in
operation.
b.Knowledge of internal control components should be used by the
auditor to:
Identify types of potential misstatements.
Consider factors that affect the risk of material
misstatements.
Design substantive tests to provide reasonable assurance of
detecting the misstatements related to specific assertions.
10-19. a.An understanding of the system of internal controls is
needed regardless of which strategy is chosen. But normally the
level of understanding of the components that is needed under the
lower assessed level of control risk approach is greater than that
required under the primarily substantive approach. This is
particularly true for the control activities component.
b.Other factors besides the preliminary audit strategy that
affect the auditor's judgment about the level of understanding
required include:
Knowledge of the client from previous audits.
Preliminary assessments of inherent risk and materiality.
An understanding of the industry in which the entity
operates.
The complexity and sophistication of the entity's operations and
accounting system.
10-20. a.The auditor should obtain sufficient knowledge of the
control environment component to understand (1) the attitude,
awareness, and actions of management and the board of directors
concerning the control environment and (2) the pervasive and
specific effects these factors may have on the effectiveness of the
other internal control components.
b.The auditor should obtain sufficient knowledge of the
information system relevant to financial reporting to
understand:
The classes of transactions in the entity's operations that are
significant to the financial statements.
How those transactions are initiated.
The accounting records, supporting documents, and specific
accounts in the financial statements involved in the processing and
reporting of transactions.
The accounting processing involved from the initiation of a
transaction to its inclusion in the financial statements, including
how the computer is used to process data.
The financial reporting process used to prepare the entity's
financial statements, including significant accounting estimates
and disclosures.
10-21. a.An understanding of the system of internal control is
normally obtained by the following procedures:
Reviewing previous experience with the client.
Inquiring of appropriate management and supervisory and staff
personnel.
Inspecting documents and records.
Observing entity activities and operations.
A transaction walk-through
b.A transaction walk-through review occurs when one or a few
transactions within a major class of transactions is traced through
the transaction trail and the related internal controls are
identified and observed.
10-22. When planning an audit of the financial statements of a
private company the auditor needs to have sufficient knowledge of
the system of internal control to plan the audit. The auditor may
not plan on testing the operating effectiveness of internal
controls for many assertions. With respect to a public company
where the auditor is testing the effectiveness of internal controls
over financial reporting for every financial statement assertion,
the level of understanding is much more comprehensive, particularly
with respect to control activities.
10-23. a.An auditor may document the understanding of internal
controls through completed questionnaires, flowcharts, and
narrative memoranda.
b.Yes, documentation may occur concurrently with obtaining an
understanding. For example, the auditor may use a questionnaire to
obtain the understanding and the completed questionnaire provides
the documentation.
10-24. a.The questions on an internal control questionnaire are
designed to enable the auditor to determine whether the entity has
adopted internal controls that the auditor considers necessary to
prevent material misstatements in the financial statements.
b.Questionnaires are easy to use and to complete. Moreover, they
significantly reduce the possibility of overlooking important
aspects in each of the components of internal control.
10-25. a.Narrative memoranda may supplement other forms of
documentation by summarizing the auditor's overall understanding of
internal controls, individual components of internal controls, or
specific controls.
b.In small audits, a narrative memorandum may serve as the only
documentation of the auditor's understanding of internal controls.
A narrative may be sufficient to explain the auditors understanding
of how transactions are processed and the controls that might be
present in the system. In a small audit, the documentation may
actually be series of narratives that address the control
environment, risk assessment, monitoring, and the documentation of
information and communication system and control activities might
be documented separately for each major transaction cycle. 10-26.
a.A flowchart is a schematic diagram using standardized symbols,
interconnecting flow lines, and annotations that graphically
portray the steps involved in processing information through the
accounting system.
b.A flowchart pertaining to a specific class of transactions
should show
All significant operations performed in processing the class of
transactions.
The methods of processing (manual or computerized).
The extent of segregation of duties by identifying each
operation with a functional area, department, or individual.
The source, flow, and distribution of relevant copies of the
documents, records, and reports involved in processing.
10-27. a. Management of a public company is responsible for
documenting internal controls over financial reporting. That
documentation should include:
The design of controls over all relevant assertions related to
all significant accounts and disclosures in the financial
statements. The documentation should include the five components of
internal control over financial reporting and company-level
controls such as:
Controls within the control environment.
Managements risk assessment process.
Centralized process and controls, including shared service
environments.
Controls to monitor the results of operations.
Controls to monitor other controls, including activities of the
internal audit function, the audit committee, and self-assessment
programs.
The period-end financial reporting process.
Board-approved policies that address significant business
control and risk management practices.
Information about how significant transactions are initiated,
authorized, recorded, processed and reported.
Sufficient information about the flow of transactions to
identify the point at which material misstatements due to error or
fraud could occur.
Controls designed to prevent or detect fraud, including who
performs controls and the related segregation of duties.
Controls over the period-end financial reporting process.
Controls over safeguarding of assets.
The results of managements testing and evaluation.
b.Inadequate documentation by the public company client could
cause the independent auditor to conclude that there is a
limitation on the scope of the engagement.
10A-1. a.The principal hardware component is the central
processing unit (CPU) which consists of a control unit, an internal
storage unit, and an arithmetic-logic unit.
b.Peripheral hardware components are input devices, output
devices, and auxiliary storage devices.
10A-2. a. Computer software consists of the programs and
routines that facilitate the programming and operation of a
computer.
b.Systems programs perform generalized functions for one or more
application programs. In contrast, application programs contain
instructions that enable the user to perform data processing tasks
appropriate for specific applications, such as payrolls and
inventory.
10A-3. a.Under the traditional file method, separate files of
data are created for each processing application. The files are
organized into master files and transaction files. The database
method stores all data in one central file (the database) and
allows each user to access the portion of the database that is
needed.
b.In sequential file processing, files are arranged sequentially
and transaction data are sequenced before processing. Under
sequential processing, the entire file must be read by the computer
each time a transaction is processed. In direct access processing,
file data are not maintained in any particular order. Under this
type of processing, the transaction file is not sorted before
processing. Moreover, it is not necessary to read the entire master
file in updating.
10A-4. a.The essential characteristics of the two methods of EDP
processing are:
On-line entry/batch processing in which individual transactions
are entered directly into the computer via a terminal as they
occur. A machine-readable validated transaction file is accumulated
as the transactions are entered and this file is subsequently
processed to update the master file.
On-line entry/on-line processing in which data are entered
directly via a terminal as described above. It differs from on-line
entry/batch processing in that (a) master files are updated
concurrently with data entry and (b) a transaction log is produced
that provides a chronological record of all transactions.
b.An advantage and a disadvantage for each method are:
On-line entry/batch processing. An advantage is that input data
are subjected to immediate validation at the time of entry. A
disadvantage is that the master file cannot be updated until the
batch data are accumulated. On-line entry/on-line processing. The
advantage is that input data are subjected to immediate validation
at the time of entry. The disadvantages are (1) the risk of errors
in the master file from concurrent updating and (2) the possible
loss of part or all of the master files in case of hardware
failure.
10A-5. a.The major benefits of IT systems over manual systems
include:
IT systems can provide greater consistency in processing than
manual systems because they uniformly subject all transactions to
the same controls.
More timely computer generated accounting reports may provide
management with more effective means of analyzing, supervising and
reviewing the operations of the company.
b.Important risks of IT systems over manual systems include:
The IT system may produce a transaction trail that is available
for audit for only a short period of time.
There is often less documentary evidence of the performance of
control procedures in computer systems.
Files and records in IT systems are usually in machine-sensible
form and cannot be read without a computer.
The decrease of human involvement in computer processing can
obscure errors that might be observed in manual systems.
IT systems may be more vulnerable to physical disaster,
unauthorized manipulation, and mechanical malfunction than
information in manual systems.
Various functions may be concentrated in IT systems, with a
corresponding reduction in the traditional segregation of duties
followed in manual systems.
Changes in the system are often more difficult to implement and
control in IT systems than in manual systems.
10A-6. a.The following diagram depicts how important internal
controls function in computer systems.
b. The following discussion provides an example of each of the
boxes outlined in the diagram above in the context of processing
payroll transactions.
Input. Input to the accounting system represents, for example,
timecards with information about the number of hours worked and a
list from a payroll master file of employees that are authorized to
work for the entity.
Computer processing and programmed application control
procedures. This represents the computer processing of payroll,
including both programmed checks that employees who worked were
authorized, that hours worked and amounts paid were reasonable, and
the actual processing of payroll withholdings and the writing of
payroll checks.
Computer general control procedures. This set of control
activities establishes control of the payroll program and access to
payroll master files and data. The goal of general controls is to
control the computer environment, not specific transactions such as
payroll transactions. However, evidence that computer general
control procedures are effective will give the auditor some
assurance that the payroll programs and computer controls are also
effectively designed and that they operate effectively.
Exception reports. If application controls find exceptions they
report them either on screen on through printed exception reports.
For example, if a time card is submitted that does not match the
employee master file, it should be rejected and reported on an
exception report. If a paycheck calculates to an amount more than
might be considered reasonable by a limit test it would also be
rejected and reported on an exception report.
Manual follow-up. Exception reports should be distributed to
individuals who were not responsible for authorizing transactions
or who do not have custody of assets. They should be responsible
for following-up on items reported on exception reports and
initiating appropriate corrective action.
Output of processed transactions and reports. The output of the
accounting and system will be, in this case, processed payroll
checks, a payroll journal, and other reports, such as labor
distribution reports.
User controls over assertions. Company may establish manual
control over computer output. Performance reviews are one example,
where management reviews a summary of transactions charged to their
responsibility center. In this way they might identify charges for
fictitious employees, or errors in calculating payroll. The auditor
may choose to test these manual controls directly without having to
test computer general or application controls.
10A-7. a.Computer application controls are programmed control
procedures designed to control the transactions. Their purpose is
to control the completeness and accuracy of accounting processing
of individual transactions in transaction cycles such as sales and
collections transactions or payroll transactions.
b.Computer general controls are designed to control computer
applications. Their purpose is to control program development,
program changes, computer operations, and to secure access to
programs and data.
10B-1. a.Information processing controls address risks related
to the authorization, completeness, and accuracy of
transactions.
b.Two subcategories of information processing controls related
to the computer system are (1) general controls and (2) application
controls.
c. Five types of general controls are:
Organization and operation controls.
Systems development and documentation controls.
Hardware and system software controls
Access controls
Data and procedural controls
All general controls work together to control program
development, program changes, computer operations, and to secure
access to programs and data. General controls pertain to the IT
environment and all IT activities, rather than to a single IT
application. Thus, general controls are pervasive in their effect
on application controls and on transaction cycles.
10B-2. a.Documentation controls in an IT department pertain to
the documents and records maintained by a company to describe
computer processing activities.
b.Documentation enables management and the auditor by providing
the primary source of information about the flow of transactions
through the system and related accounting controls. It also assists
in reviewing the system, training new personnel, and maintaining
and revising existing systems and programs.
c. IT documentation should include:
Descriptions and flowcharts of the systems and programs.
Operating instructions for computer operators.
Control procedures to be followed by operators and users.
Descriptions and samples of required inputs and outputs.
10B-3. a.The purpose of access controls is to prevent
unauthorized use of IT equipment, data files, and computer
programs. Access controls accomplish this purpose through physical
access controls (e.g., housing computer equipment in a secured area
with restricted access), logical access controls or software
controls (e.g., programs that require passwords to be able to
process transactions that modify data files or program files), and
procedural safeguards (e.g., management review of computer
utilization reports).
b.To provide the necessary control with on-line data entry, each
user of a remote input device is given a key, code, card or
biometric control (voice print, iris scan, finger print) that
identifies the holder as an authorized user. Other access controls
are (1) computer call-back procedures when the telephone is used to
dial the computer, and (2) passwords that are checked by the
computer before a person can enter a transaction.
10B-4. a.Data and procedural controls provide a framework for
controlling daily computer operations, minimizing the likelihood of
processing errors, and assuring the continuity of operations in the
event of a physical disaster or computer failure.
b.The activities of included in a data control function usually
include receiving and screening all data to be processed,
accounting for all input data, following-up on processing errors,
and verifying the proper distribution of output.
Comprehensive Questions
10-28.(Estimated time - 35 minutes)
a.Internal control is a process, effected by an entity's board
of directors, management, and other personnel, designed to provide
reasonable assurance regarding the achievement of objectives in the
following categories: (1) reliability of financial reporting; (2)
compliance with applicable laws and regulations; and (3)
effectiveness and efficiency of operations.
b.Four fundamental embodied in the definition of internal
control are:
Internal control is a process. It is a means to an end, not an
end in itself. It consists of a series of actions that are
pervasive and integrated with, not added onto, an entity's
infrastructure.
Internal control is effected by people. It is not merely policy
manuals and forms, but people at every level of an organization,
including the board of directors, management, and other
personnel.
Internal control can be expected to provide only reasonable
assurance, not absolute assurance, to an entity's management and
board because of limitations inherent in all internal control
systems and the need to consider the relative costs and benefits of
establishing controls.
Internal control is geared to the achievement of objectives in
the overlapping categories of financial reporting, compliance, and
operations.
c.The five components of an internal control are (1) control
environment, (2) risk assessment, (3) information and
communication, (4) control activities, and (5) monitoring.
d.Inherent limitations that should be considered in evaluating
any entity's system of internal control include:
Mistakes in judgment may be made by management and other
personnel in making business decisions or in performing routine
duties because of inadequate information, time constraints, or
other pressures.
Breakdowns in controls may occur because experienced, temporary,
or new personnel may misunderstand instructions or make errors due
to carelessness, distractions, or fatigue.
Collusion, which is individuals acting together, may enable the
concealment of an irregularity so as to prevent its detection by
internal controls.
Management override of prescribed internal controls includes
making deliberate misrepresentations to auditors and others such as
by issuing false documents to support the recording of fictitious
transactions.
Costs versus benefits which mitigates against the adoption of
controls, the benefits of which, in management's judgment, do not
outweigh the costs.
e.Six parties who have a role or responsibility regarding an
entity's internal controls are:
Management which has the responsibility to establish and
maintain an effective internal controls.
Board of directors and audit committee which, as part of their
general governance and oversight responsibilities, should determine
that management meets its responsibilities for establishing and
maintaining internal controls.
Internal auditors who should periodically examine and evaluate
the adequacy of an entity's internal controls and make
recommendations for improvements.
Other entity personnel, which includes all other personnel who
provide information to, or use information provided by, internal
controls, have a responsibility to communicate to a higher level in
the organization any instances of noncompliance or illegal acts of
which they become aware.
Independent auditors who have a responsibility to report to
management and the board of directors certain conditions or
weaknesses in internal controls found in an audit.
Other external parties such legislators and regulators (e.g.,
the SEC) who may establish minimum statutory and regulatory
requirements for the establishment of internal controls by certain
entities.
10-29.(Estimated time - 20 minutes)
a.The auditor should gain an understanding of (1) the design of
policies and procedures pertaining to each internal control
component and (2) whether the policies and procedures have been
placed in operation. In obtaining the understanding, the auditor
should obtain sufficient knowledge about the internal control
components to be able to:
Identify types of potential misstatements.
Consider factors that affect the risk of material
misstatement.
Design substantive tests to provide reasonable assurance of
detecting the misstatementsrelated to specific assertions.
b.The auditor obtains the understanding through:
Reviewing prior experience with the client
Inquiry of appropriate management and supervisory and staff
personnel.
Inspecting documents and records.
Observing entity activities and operations.
c.Yes, documenting the understanding of internal control
components is required in all audits.
d.The auditor's documentation in the working papers may be made
through completed questionnaires, flowcharts, and narrative
memoranda. Advantages of questionnaires include that they (1) are
usually developed by very experienced professionals and provide
excellent guidance to less experienced staff who may be obtaining
the understanding on a particular engagement, (2) are relatively
easy to use, and (3) significantly reduce the possibility of
overlooking important internal control matters. A disadvantage may
involve the need to customize the questionnaires for a particular
client. Another disadvantage is the potential for response bias
where respondents answer in a manner most favorable to good
internal controls. In other instances, respondents may not know the
answer to a question, yet answer anyway.Flowcharts should enable
the auditor to see the relationships that exist between controls,
and facilitate the identification of key controls related to
specific financial statement assertions. They can be prepared in
varying degrees of detail by the auditor or obtained from the
client. Once thought to be difficult to prepare, flowcharting
software for personal computers now eases the task of preparing and
amending flowcharts for the auditor's working papers.
Narrative memoranda are perhaps the easiest form of
documentation to prepare and are particularly effective on audits
of smaller entities with fairly simple system of internal controls.
In such audits, they may constitute the only form of documentation
of the understanding of the system of internal control. For larger
entities with more complex systems of internal control, narrative
memoranda are generally used only as supplements to questionnaires
and flowcharts. The problem with narrative memoranda is that they
may not be updated and kept current to reflect changes in the
system. Each year, narrative memoranda should be critically
evaluated to ascertain whether the system described is still the
system in use.10-30.(Estimated time - 25 minutes)
a.The control environment factors that can affect the
effectiveness of specific policies and procedures related to the
other components of an internal control are:
Integrity and ethical values.
Commitment to competence.
Board of directors and audit committee.
Management's philosophy and operating style.
Organizational structure.
Assigning of authority and responsibility.
Human resource policies and practices.
b.The auditor should obtain sufficient knowledge of the control
environment component to understand (1) the attitude, awareness,
and actions of management and the board of directors concerning the
control environment and (2) the pervasive and specific effects
these factors may have on the effectiveness of the other internal
control components.
c.The required level of understanding of several of the control
environment factors, such as management's philosophy and operating
style, organizational structure, and board of directors or audit
committee, will ordinarily be the same for each audit strategy. For
some factors, however, such as human resource policies and
practices, additional knowledge may be necessary when the lower
assessed level of control risk approach is used.
10-31. (Estimated Time 25 Minutes)
Itema. Component of Internal Controlb. Additional example of
component
of internal control.
1.Control environmentAn audit committee is formed comprised of
outside directors
2.Control activitiesAccess to mainframe computers, inventories,
and cash and securities is restricted (physical controls).
3.Control environmentManagement is involved in setting policies
for developing , modifying and using computer programs and
data.
4.MonitoringManagement receives information from external
auditors about weaknesses in internal controls and recommended
improvements.
5.Risk assessmentManagement carefully assesses the impact of new
laws and regulations on its business and reporting practices.
6.Control activitiesControls are in place to review, test, and
approve all new systems, control program changes, and to document
procedures.
7.Control activitiesPhysical controls limit direct access to
assets and records and limit indirect access through the
preparation or processing of documents that authorize the
disposition of assets.
8.Control activitiesManagement responsibilities include
performance reviews where the appropriate level of management
reviews disbursements charged to their responsibility center.
9.Control environmentAuthority and responsibility is assigned in
such a way that each individual knows how his or her actions
interrelate with those of others in contributing to the achievement
of the entitys objectives, and how he or she will be held
accountable for the entitys performance.
10.Information and communicationThe accounting system includes a
provision for properly measuring and recording the value of
transactions in the financial statements.
10-32 (Estimated Time 25 minutes)
ControlCategoryAssertion(s)
a. Management has established a code of conduct that includes
rules regarding conflicts of interest for purchasing
agents.1Existence and Occurrence
b. Waterfront has established a disclosure committee to review
the selection of new accounting policies.4.6Valuation and
Allocation, Presentation and Disclosure
c. Any computer program revision must be approved by user
departments after testing the entire program with test
data.4.3.1Virtually any assertion
d. The managers of each of Waterfronts manufacturing departments
must review and expenditures charged to their responsibility center
weekly.4.3.5Existence and Occurrence, Completeness, Valuation and
Allocation
e. The CEO, CFO, and controller review the financial
consequences of business risks annually to ensure that controls are
in place to address significant business risks.2Valuation and
Allocation
f. Human resources focuses on ensuring that accounting personnel
have adequate qualifications for work performed in billing and
accounts receivable.1Virtually any assertion
g. Security software limits access to programs and data files,
and keeps a log of programs and files that have been accessed which
is reviewed by the security manager daily.4.3.1Existence and
Occurrence
h. A computer program prints a daily report of all shipments
that have not yet been billed to customers.4.3.2Completeness
i. The controller reviews sales and collections bi-monthly.
4.5Valuation, Completeness
j. The computer compares the information on the sales invoice
with underlying shipping information.4.3.2Existence and
Occurrence
k. Customer billing complaints are directed to internal audit
for follow-up and resolution.5Virtually any assertion
l. The documentary transaction trail for all credit sales is
documented in company policy manuals.3Virtually any assertion
m. A committee of the board of directors evaluates and monitors
business risks.1Virtually any assertion
n. Access to spreadsheets used in the financial reporting
process is limited and spreadsheets are tested with test data on a
quarterly basis.4.3.3Virtually any assertion
10-33.(Estimated Time 20 minutes)
a.Assignment of functions
Employee No. 1--Accountant
Maintain general ledger (1)
Maintain disbursements journal (5)
Issue credits on returns and allowances (6)
Employee No. 2--Cashier
Prepare checks for signature (4)
Handle and deposit cash receipts (8)
Employee No. 3--Bookkeeper (subsidiary ledger)
Maintain accounts payable ledger (2)
Maintain accounts receivable ledger (3)
Reconcile the bank account (7)
b.Undesirable combinations are
Handle cash receipts (8) and maintain accounts receivable ledger
(3)
Handle cash receipts (8) and issue credit memos (6)
Prepare checks (4) and maintain accounts payable ledger (2)
Maintain accounts receivable ledger (3) and issue credit memos
(6)
Handle cash receipts (8) and reconcile bank (7)
Prepare checks (4) and reconcile bank (7)
10-34.(Estimated Time 25 minutes).
Itema. Category of Control Activitiesb. Assertion
1. The computer must match information from a vendors invoices
with information from receiving and information from the purchase
order before a check is issued.Computer application
controlsExistence and occurrence
2. A knowledgeable audit committee reviews and approves new
applications of GAAP.Control over management discretion in
financial reportingPresentation and disclosure
3. Two authorized signatures are required on every check over
$100,000.AuthorizationExistence and occurrence
4. Each month management carefully reviews the aged trial
balance of accounts receivable to identify past-due balances and
follows up for collection.Performance reviewsValuation and
allocation
5. A supervisor must approve overtime
workAuthorizationCompleteness
6. The computer assigns sequential numbers to sales invoices
used in the billing system.
Computer application controlsValuation and allocation
7. The computer verifies the mathematical accuracy of each
voucher and prints an exception report for items with mathematical
errors.Computer application controlsExistence and occurrence
Completeness
Valuation and allocation
8. Employee payroll records are kept on a computer file that can
only be accessed by certain terminals and are password
protected.Performance reviewsPresentation and disclosure
9. Internal auditors review journal entries periodically for
reasonableness of account classifications.Control over management
discretion in financial reportingPresentation and disclosure
10. The chairman of the audit committee directly accepts
confidential e-mails or other submissions concerning questionable
accounting and auditing matters.Controls over management discretion
in financial reportingExistence and occurrence
11. Checks received from customers and related remittance
advices are separated in the mailroom and subsequently processed by
different individualsSegregation of dutiesExistence and
occurrence
Completeness
Valuation and allocation
12. All vouchers must be stamped paid on payment.
Physical controlsValuation and allocation
13. Department managers review accounting for warranty claims on
a weekly basis.Performance reviewsValuation and allocation
14. On a quarterly basis, warranty expenses are compared with
actual warranty claims.
Control over management discretion in financial
reportingValuation and allocation
15. Only computer operators are allowed in the computer
room.Computer general controlsPervasive affect on multiple
assertions
16. The computer will not complete the processing of a batch
when the accounts receivable control account does not match the
total of the subsidiary ledgersComputer application
controlsExistence or occurrence or completeness
10-35. (Estimated Time 25 minutes)
a.The quantity of serially numbered tickets issued during the
shift of each cashier is multiplied by the price per ticket to
determine the amount of cash the cashier should have on hand at the
end of the shift. Two employees participate in each transaction.
The withholding of cash receipts would require collusion between
the cashier and door person because the door person does not have
access to cash and the cashier cannot cause a patron to be admitted
without issuing a serially numbered ticket.
b.The following steps should be taken by the manager to make
these controls work effectively:
Maintain a careful control over unused rolls of tickets.
Make a record of the serial number of the first and last ticket
issued on each cashier's shift.
Count the cash in possession of cashier at beginning and end of
shift.
In addition to these regular routines, the manager should take
the following steps at unannounced intervals:
Observe that the cashier never has loose tickets in his/her
possession and does not sell tickets in any manner other than
ejecting them from the ticket machine.
Verify by inspection of tickets being presented by patrons to
the door person that only recently. issued tickets (current serial
numbers) are being used.
c.Collusion by the cashier and door person to abstract cash
receipts often consists of the door person pocketing whole tickets
presented by patrons rather than tearing the ticket in half. The
door person may then give these used tickets to the cashier
(perhaps in off-duty hours); the cashier may then resell the
tickets to customers at the box office rather than punching out new
tickets on the machines. The cashier withholds the cash received
from sales of these "used tickets" and divides it with the
doorperson.
d.Observation on a surprise basis by the manager of the serial
numbers of tickets being presented at the door by customers may
reveal that these tickets are not freshly issued ones. Observation
of the cashier's work may reveal that he or she is handling loose
tickets.
Cases
10-36.(Estimated Time - 30 minutes)
a.Examples of poor internal control:
1. No credit checks are made of contract clients.
2. Accounts receivable are not recorded nor controlled.
3. Weak control is exerted over cash transactions.
4. No control is effected between production type work and
potential revenues due.
5. Examples: bookkeeping services, design and printing services,
and tax work.
6. No forms are prenumbered and, thus, accounted for.
7. No controls are in effect to assure that all receivables that
are due are paid.
8. The control over slow or delinquent payments is very
poor.
9. All remittances and cash are not deposited daily.
10. There are no running controls to prevent contract services
from exceeding thecontract ceiling.
11. No controls are in effect to assure that all work was
billed.
b.Examples of good internal control:
1. Some cash is deposited daily.
2. A cash log is maintained though not used effectively.
3. Bank reconciliation's are made.
4. Monthly analyses of cost percentages of revenue items (though
improperly performed as not considering the effect of accounts
receivable).
5. Historical evidence is maintained of all production type
work.Periodic analyses are performed of unpaid bills.
6. Copy work paid in cash is balanced to the cash register.
7. Close tics are available for production type work to cash
received.
10-37. (Estimated Time - 45 minutes)
The flowchart for the sales system for SummerVoice, Inc. is
displayed on the following page. The flowchart is most effective
when accompanied by a discussion similar to that presented in the
problem.
a.
b.
AssertionControl Activity
Existence and occurrenceThe sales program compares invoice
information with information on the shipping files for quantities
and dates shipped.
CompletenessReview and follow-up of daily report of unfilled
orders and back orders.
Rights and obligationsThe sales program ensures that all sales
invoices for credit sales are supported by actual goods
shipped.
Valuation and allocationCredit is approved prior to customer
being put on customer master file. Credit is checked against
customer master file by order program.
Invoice pricing information is checked against sales order
file.
Run-to-run totals check accuracy of sales and receivable
files.
Presentation and disclosureNo significant controls exist.
Professional Simulation
Research
SituationCommunicationInternal
Controls
The following paragraphs of AU 319 address the professional
standards that apply to any audit regarding the understanding of
internal controls that is necessary to plan the audit.
.25In all audits, the auditor should obtain an understanding of
each of the five components of internal control sufficient to plan
the audit. A sufficient understanding is obtained by performing
procedures to understand the design of controls relevant to an
audit of financial statements and determining whether they have
been placed in operation. In planning the audit, such knowledge
should be used to
Identify types of potential misstatement.
Consider factors that affect the risk of material
misstatement.
Design tests of controls, when applicable. Paragraphs .65
through .69 of this section discuss factors the auditor considers
in determining whether to perform tests of controls.
Design substantive tests.
.26The nature, timing, and extent of procedures the auditor
chooses to perform to obtain the understanding will vary depending
on the size and complexity of the entity, previous experience with
the entity, the nature of the specific controls used by the entity
including the entitys use of IT, the nature and extent of changes
in systems and operations, and the nature of the entity's
documentation of specific controls. For example, the understanding
of risk assessment needed to plan an audit for an entity operating
in a relatively stable environment may be limited. Also, the
understanding of monitoring needed to plan an audit for a small,
noncomplex entity may be limited. Similarly, the auditor may need
only a limited understanding of control activities to plan an audit
for a noncomplex entity that has significant owner-manager approval
and review of transactions and accounting records. On the other
hand, the auditor may need a greater understanding of control
activities to plan an audit for an entity that has a large volume
of revenue transactions and that relies on IT to measure and bill
for services based on a complex, frequently changing rate
structure.
.27Whether a control has been placed in operation at a point in
time is different from its operating effectiveness over a period of
time. In obtaining knowledge about whether controls have been
placed in operation, the auditor determines that the entity is
using them. Operating effectiveness, on the other hand, is
concerned with how the control (whether manual or automated) was
applied, the consistency with which it was applied, and by whom it
was applied. The auditor determines whether controls have been
placed in operation as part of the understanding of internal
control necessary to plan the audit. The auditor evaluates the
operating effectiveness of controls as part of assessing control
risk, as discussed in paragraphs .62 through .83 of this section.
Although understanding internal control and assessing control risk
are discussed separately in this section, they may be performed
concurrently in an audit. Furthermore, some of the procedures
performed to obtain the understanding may provide evidential matter
about the operating effectiveness of controls relevant to certain
assertions.
.28The auditor's understanding of internal control may sometimes
raise doubts about the auditability of an entity's financial
statements. Concerns about the integrity of the entity's management
may be so serious as to cause the auditor to conclude that the risk
of management misrepresentation in the financial statements is such
that an audit cannot be conducted. Concerns about the nature and
extent of an entity's records may cause the auditor to conclude
that it is unlikely that sufficient competent evidential matter
will be available to support an opinion on the financial
statements.
Understanding of Internal Control Necessary to Plan the
Audit
.29In making a judgment about the understanding of internal
control necessary to plan the audit, the auditor considers the
knowledge obtained from other sources about the types of
misstatement that could occur, the risk that such misstatements may
occur, and the factors that influence the design of tests of
controls, when applicable, and substantive tests. Other sources of
such knowledge include information from previous audits and the
auditors understanding of the industry and market in which the
entity operates. The auditor also considers his or her assessment
of inherent risk, judgments about materiality, and the complexity
and sophistication of the entity's operations and systems,
including the extent to which the entity relies on manual controls
or on automated controls.
.30In making a judgment about the understanding of internal
control necessary to plan the audit, the auditor also considers IT
risks that could result in misstatements. For example, if an entity
uses IT to perform complex calculations, the entity receives the
benefit of having the calculations consistently performed. However,
the use of IT also presents risks, such as the risk that improperly
authorized, incorrectly defined, or improperly implemented changes
to the system or programs performing the calculations, or to
related program tables or master files, could result in
consistently performing those calculations inaccurately. As an
entity's operations and systems become more complex and
sophisticated, it becomes more likely that the auditor would need
to increase his or her understanding of the internal control
components to obtain the understanding necessary to design tests of
controls, when applicable, and substantive tests.
.31The auditor should consider whether specialized skills are
needed for the auditor to determine the effect of IT on the audit,
to understand the IT controls, or to design and perform tests of IT
controls or substantive tests. A professional possessing IT skills
may be either on the auditors staff or an outside professional. In
determining whether such a professional is needed on the audit
team, the auditor considers factors such as the following:
The complexity of the entitys systems and IT controls and the
manner in which they are used in conducting the entitys
business
The significance of changes made to existing systems, or the
implementation of new systems
The extent to which data is shared among systems
The extent of the entitys participation in electronic
commerce
The entitys use of emerging technologies
The significance of audit evidence that is available only in
electronic form
.32Procedures that the auditor may assign to a professional
possessing IT skills include inquiring of an entitys IT personnel
how data and transactions are initiated, recorded, processed, and
reported and how IT controls are designed; inspecting systems
documentation; observing the operation of IT controls; and planning
and performing tests of IT controls. If the use of a professional
possessing IT skills is planned, the auditor should have sufficient
IT-related knowledge to communicate the audit objectives to the
professional, to evaluate whether the specified procedures will
meet the auditors objectives, and to evaluate the results of the
procedures as they relate to the nature, timing, and extent of
other planned audit procedures. fn9
Communication
SituationResearchInternal Controls
To: Michelle Driscoll, Partner
Re: Inherent Limitations of an Entitys Internal Control
From:CPA Candidate
The professional standards directly address the limitations of
any system of internal control in paragraphs 319.21-.24. In general
these paragraphs make the following points.
No matter how well the system of internal control is designed
and operated, it can provide only reasonable assurance of achieving
an entity's control objectives.
Human judgment in decision-making can be faulty and that
breakdowns in internal control can occur because of human failures
such as simple errors or mistakes.
Internal controls, whether manual or automated, can be
circumvented by the collusion of two or more people or
inappropriate management override of internal control.
Internal control is often influenced by cost- benefit
decisions.
Custom, culture, and the corporate governance system may inhibit
fraud, but they are not absolute deterrents. An effective control
environment, too, may help reduce the risk of fraud.
For additional discussion, these paragraphs are directly quoted
below.
.21 Internal control, no matter how well designed and operated,
can provide only reasonable assurance of achieving an entity's
control objectives. The likelihood of achievement is affected by
limitations inherent to internal control. These include the
realities that human judgment in decision-making can be faulty and
that breakdowns in internal control can occur because of human
failures such as simple errors or mistakes. For example, errors may
occur in designing, maintaining, or monitoring automated controls.
If an entitys IT personnel do not completely understand how an
order entry system processes sales transactions, they may
erroneously design changes to the system to process sales for a new
line of products. On the other hand, such changes may be correctly
designed but misunderstood by individuals who translate the design
into program code. Errors also may occur in the use of information
produced by IT. For example, automated controls may be designed to
report transactions over a specified dollar limit for management
review, but individuals responsible for conducting the review may
not understand the purpose of such reports and, accordingly, may
fail to review them or investigate unusual items.
.22Additionally, controls, whether manual or automated, can be
circumvented by the collusion of two or more people or
inappropriate management override of internal control. For example,
management may enter into side agreements with customers that alter
the terms and conditions of the entitys standard sales contract in
ways that would preclude revenue recognition. Also, edit routines
in a software program that are designed to identify and report
transactions that exceed specified credit limits may be overridden
or disabled.
.23Internal control is influenced by the quantitative and
qualitative estimates and judgments made by management in
evaluating the cost-benefit relationship of an entitys internal
control. The cost of an entity's internal control should not exceed
the benefits that are expected to be derived. Although the
cost-benefit relationship is a primary criterion that should be
considered in designing internal control, the precise measurement
of costs and benefits usually is not possible.
.24Custom, culture, and the corporate governance system may
inhibit fraud, but they are not absolute deterrents. An effective
control environment, too, may help reduce the risk of fraud. For
example, an effective board of directors, audit committee, and
internal audit function may constrain improper conduct by
management. Alternatively, the control environment may reduce the
effectiveness of other components. For example, when the nature of
management incentives increases the risk of material misstatement
of financial statements, the effectiveness of control activities
may be reduced.
Internal Controls
SituationResearchCommunication
a.b.c.d.e.
1. The computer verifies an employee authorization code in order
to enter a purchase order(((((
2. The computer produces a report of all receiving reports that
have not resulted in a voucher.(((((
3. The computer matches information on the voucher regarding
quantities and prices of goods purchased with underlying receiving
reports and purchase orders.(((((
4. The computer compares the account coding on a voucher with
the account coding on the purchase order.(((((
5. The computer checks the mathematical accuracy of the voucher
and supporting vendors invoice.(((((
6. The computer has a unique account coding for the receipt and
acquisition of consignment inventory.(((((
7. The computer matches each voucher with an underlying
receiving report and cancels the related vendors invoice to prevent
duplicate payment.(((((
User controls
over assertions
Manual follow-up
Output of processed transactions and reports
Exception reports
Computer general control procedures
Computer processing and programmed application control
procedures
Input
Daily Sales
Reports
Monthly
Statements
Gross Margin
Reports
Accounts Receivable
Master File
General Ledger
Master File
General
Ledger
Sales
Journal
SALES REPORTS PROGRAM:
Produces reports for analysis.
Record
Sales
Sales
Transaction
File
Exception
Reports
Sales
Invoice
SALES PROGRAM:
Retrieve shipped order data: prepare invoices;
perform edit checks; enter
data in sale transaction file, Master files are updated, and
sale journal, G/l,, monthly statements, are produced..
Deliver
Goods
Unfilled Orders
and Back
Orders
Enter data
on Goods Shipped
Shipping
Document
Authorization
to Pick
Goods
Shipping
File
Perpetual
Inventory
SHIPPING PROGRAM:
Retrieve open orders:
add shipping data; transfer
to shipping file; print
shipping documents
Open
Orders
Sales
Order
Authorized
Price List
Perpetual
Inventory
Customer
Master File
ORDER PROGRAM:
Perform edit and
credit checks; print
sales orders
Enter
Sales Order
Computer Programs and Files
Key Reports
Documentary
Audit Trail
Initiate
Sales
Functions
SummerVoice, Inc. -- Credit Sales Transactions
Open
Orders
Inventory
On-hand
Perpetual
Inventory