Chapter 11

Assessing Control Risk and Reporting

on Internal Controls
Concept Checks

P. 350

1. As illustrated by Figure 11-1, there are four phases in the process of

understanding internal control and assessing control risk. In the first
phase the a uditor obtains an understanding of internal controls, which
includes an understanding of their design and whether they have been
implemented. Next the auditor must make a preliminary assessment of
control risk (phase 2) and perform tests of controls (phase 3). The auditor
uses the results of tests of controls to assess control risk and to ultimately
decide planned detection risk and substantive tests for the audit of financial
statements, which is phase 4.

2. The purpose of a control risk matrix is to assist the auditor in assessing

control risk at the transaction level. The control risk matrix identifies existing
controls and deficiencies for each audit objective in the transaction cycle,
making it easier for the auditor to assess control risk for each transaction-
related audit objective.

3. The four types of procedures used by auditors to test whether internal

controls are operating effectively are (1) inquiring of appropriate personnel
regarding the operation of controls; (2) examine documents and records
when there is a trail of evidence that the control is/is not operating (e.g., a
supervisor’s electronic signature on a time record; (3) observe control-
related activities in process, preferably at various points throughout the year,
and (4) reperform control activities performed by the client.

P. 354

1. The financial statement audit findings are relevant to the auditor’s opinion on
the effectiveness of internal controls over financial reporting because the
auditor may or may not identify misstatements during the audit. If the auditor
identifies material misstatements during the audit that were not prevented or
detected and corrected by the client’s internal controls, this would indicate a
potential material weakness in internal controls. Any identified
misstatements would indicate a potential control deficiency or significant
deficiency.

Copy right © 2020 Pearson Education Ltd.

11-1
Concept Check, P. 394 (continued)
2. Auditors are required to perform integrated audits, an audit of the financial
statements coupled with an audit of internal control over financial reporting,
on audit engagements of large publicly traded companies (accelerated
filers). For integrated audits, the auditor issues an opinion on the
effectiveness of internal control in addition to the opinion on the financial
statements. As a result, the level of understanding and the extent of testing
of internal controls need to be sufficient to express an opinion on the
effectiveness of internal controls. For financial statement-only audits, the
auditor does not issue an opinion on the effectiveness of internal controls,
but rather the focus is on understanding controls that are relevant to the
audit in order to identify and assess the risks of material misstatement.

 Review Questions
11-1 The auditor’s responsibility for obtaining an understanding of internal
control for a large public company, when an opinion is issued on the
effectiveness of internal controls, is significantly greater than the understanding
necessary when the auditor is solely expressing an opinion on the financial
statements. To express an opinion on internal controls for a large public
company, the auditor obtains an understanding of controls for all significant
account balances, classes of transactions, including disclosures and related
assertions in the financial statements. In contrast, for an audit of a nonpublic
company or a smaller public company, the auditor will obtain an understanding
of internal controls that are relevant to the financial statement audit i n order to
assess the risks of material misstatement. Thus, the level of understanding of
internal controls required for the audit of internal controls exceeds the level
required for an audit of only the financial statements.

11-2 The first half of her statement relates to the types of evidence used
in order to understand the design and implementation of controls.
Generally, four types of evidence are used:

1. inspection,
2. inquiry of entity personnel,
3. observation of employees performing control processes, and
4. reperformance by tracing one or a few transactions through the
accounting system from start to finish.

It is not required to use all the eight types of evidence for obtaining an
understanding of internal controls.

The second half of her statement relates to the use of internal control
questionnaire. An internal control questionnaire asks a series of questions
about the controls in each audit area as a means of identifying internal
control deficiencies. It is true that auditors cover each audit area
reasonably quickly by using such questionnaires. However, there are two
main disadvantages of questionnaires. Firstly, they are not able to provide

Copy right © 2020 Pearson Education Ltd.

11-2
an overview of the system. Secondly, it is difficult to apply such
questionnaires for some audits especially smaller ones. Based on the first
disadvantage discussed above, it is quite often recommended that auditors
use internal control questionnaires and flowcharts together for
understanding the client’s internal control designing and identifying internal
controls and deficiencies. Flowcharts provide an overview of the system,
while questionnaires offer useful checklists to remind the auditor of many
different types of internal controls that should exist .

11-3 In a walkthrough of internal control, the auditor s elects one or a few

documents for the initiation of a transaction type and traces them through the
entire accounting process. At each stage of processing, the auditor makes
inquiries and observes current activities, in addition to examining completed
documentation for the transaction or transactions selected. Thus, the auditor
combines observation, inspection, and inquiry to conduct a walkthrough of
internal control. PCAOB auditing standards require the auditor to perform at
least one walkthrough for each major class of transactions.

11-4 For many control activities, documentation of their performance is more

objectively evaluated in contrast to the evaluation of the control environment.
Due to the nature of the subcomponents that constitute the control
environment, such as integrity and ethical values and commitment to
competence, the nature of evidence used to evaluate the control environment
may differ somewhat from the nature of evidence used to evaluate control
activities. While auditors examine si milar types of evidence to assess both the
control environment and control activities, they often perform more extensive
inquires and observation to assess the design and implementation of control
environment subcomponents, such as the entity’s code of conduct and
whistleblowing system, so they can evaluate whether employees understand
those policies and procedures, and to gain a sense as to the overall ethical tone
and perception of management’s integrity. Because of the more judgmental
nature of many of the control environment subcomponents, auditors often make
numerous inquiries and perform extensive observation of client personnel in the
performance of policies and procedures to evaluate those subcomponents of
the control environment. While inquiry and observation may also be performed
to evaluate control activities, auditors frequently inspect documentation that
demonstrates a control activity was performed, such as examining approvals
of transactions or matching of documentation supporting a transaction, and they
often reperform certain client performed procedures, such as the calculation of
a transaction amount.

11-5 A significant deficiency exists if there are one or more control

deficiencies that are less severe than a material weakness, but important
enough to merit attention by those responsible for oversight of the company’s
financial reporting. A material weakness exists if a deficiency, by itself or in
combination with other deficiencies, results in a reasonable possibility that
internal control will not prevent or detect material financial statement
misstatements. The presence of one significant deficiency that is not deemed to
Copy right © 2020 Pearson Education Ltd.
11-3
be a material weakness may not affect the auditor’s report. In that instance, the
auditor’s report on internal control over financial reporting would contain an
unqualified opinion. However, if the deficiency is deemed to be a material
weakness, the auditor must express an adverse opinion on the effectiveness of
internal control over financial reporting.

11-6 The extent of controls tested by auditors for an integrated audit of a large
public company, in which the auditor will express an opinion on internal control,
is significantly greater than the extent of testing solely to express an opinion on
the financial statements. To express an opinion on internal controls for a large
public company, the auditor obtains an understanding of and performs tests of
controls for all significant account balances, classes of transactions, and
disclosures and related assertions in the financial statements.
In contrast, the extent of controls tested by an auditor of a nonpublic
company or a smaller public company is dependent on the auditor’s assessment
of control risk. Whenever the auditor assesses control risk below maximum, the
auditor must perform tests of controls to support that control risk assessment.

The auditor will not perform tests of controls when the auditor assesses control
risk at maximum. When control risk is assessed below the maximum, the
auditor designs and performs a combination of tests of controls and substantive
procedures. Thus, for a nonpublic company or smaller public company, the
tests of controls vary based on the auditor’s assessment of control risk.

11-7 Auditing standards indicate that reliance can be placed on controls that
were tested in a prior year, except for controls that mitigate significant risks,
which must be tested in the current year. Controls should be tested at least
every three years, and whenever there is a significant change in the control.
Continued reliance on the effectiveness of automated controls is appropriate if
the auditor is satisfied that general controls over the computer applications are
adequate to identify any changes to computerized processes. The ability to rely
on prior year tests of automated controls is due to the systematic nature of IT-
based procedures. That is, once an automated control is programmed to perform
correctly, it should continue performing in that manner until the underlying
software program is changed. In contrast, controls performed manually are
generally tested each year because there is always a risk of human error
occurring in the performance of a manual control.

11-8 When the auditor’s risk assessment procedures identify significant

risks, the auditor is required to test the operating effectiveness of controls that
mitigate these risks in the current year audit, if the auditor plans to rely on those
controls to support a control risk assessment below 100%. Thus, tests of
controls are required in the current year audit for those controls the auditor
plans to rely on to reduce control risk. The greater the risk, the more audit
evidence the auditor should obtain that controls are operating effectively.

11-9 In recent years, it has become increasingly common for service centers
to engage a CPA firm to obtain an understanding and to test internal controls
Copy right © 2020 Pearson Education Ltd.
11-4
of the service center in order to issue a service organization control report for
use by all customers and their independent auditors. The purpose of such
independent assessments are two -fold:

 Providing service center customers reasonable assurance about t he

adequacy of the service center’s general and application controls; and
 Eliminating the need for redundant audits by customers’ auditors. This
is of particular significance if the service center has many customers
and each requires an understanding of the service center’s internal
control by its own independent auditor which will bring in substantial
inconvenience and cost to the service center.

The two types of reports are:

 Type 1 report, which reports on management’s description of a service

organization’s system and the suitability of the design of controls; and
 Type 2 report, which reports on management’s description of a service
organization’s system and the suitability of the design and operating
effectiveness of controls.

11-10 The auditor uses the control risk assessments and the results of tests
of controls to determine the appropriate level of detection risk and the nature
and extent of substantive tests for the audit engagement. The auditor links the
control risk assessments at the transaction level to the balance -related audit
objectives for the accounts affected by the transaction cycles.

11-11 First, the control risk assessments and results of test of controls are
linked to:

 the balance-related audit objectives for the accounts affected by the

major transaction types; and
 the four presentation and disclosure audit objectives.

Then, the appropriate level of detection risk for each balance-related auditor
objective is decided using the audit risk model.

Copy right © 2020 Pearson Education Ltd.

11-5
11-12 The auditor may issue an unqualified opinion on internal control over
financial reporting when two conditions are present:

 there are no identified material weaknesses as of the balance

sheet date; and
 there have been no restrictions on the scope of the auditor’s work.

A scope limitation is the condition that would cause the auditor to

express a qualified opinion or a disclaimer of opinion on internal control over
financial reporting. This type of opinion is issued when the auditor is unable to
determine if there are material weaknesses, due to a restriction on the scope of
the audit of internal control over financial reporting or other circumstances
where the auditor is unable to obtain sufficient appropriate evidence.

11-13 The most significant difference in the assessment of control risk for
integrated audits versus financial statement-only audits is that control risk may
be assessed at maximum for some or all audit objectives for nonpublic
companies receiving a financial statement-only audit. Public companies, even
relatively smaller ones, are expected to have effective internal controls for all
significant transaction cycles and accounts. Thus, it is likely control risk will be
set as low for public companies, whereas that is not necessarily the expectation
for nonpublic companies.

11-14 “Auditing through the computer” represents an audit approach whereby

the auditor tests the design and operating effectiveness of computerized
internal controls to determine the extent to which the controls are effective and
can be relied upon. In this case, the auditor can use the computer controls to
reduce control risk. Three common approaches to assessing controls include
the test data approach, parallel simulation or using embedded audit modules.
Assessing controls embedded in computerized information can be challenging
in complex systems and auditors often obtain assistance from information
systems specialists. In addition, there is often no paper trail associated with
controls embedded in information systems , which can make it difficult to test
operating effectiveness. The benefit, however, is that once a computerized
application control is determined to be operating effectively through one of the
three approaches mentioned above, the auditor does not need to test a sample
of transactions in order to rely on controls.
11-15 When using the embedded audit module approach, auditors insert an
audit module into the client’s application system to identify specific types of
transactions. Auditors may then, later, copy the identified transactions to a
separate data file and process those transactions using parallel simulation to
duplicate the function performed by the client’s system. Take the sales and
collection cycle as an example. Auditors may use an embedded module to
identify all sales exceeding $30,000 for follow-up with more detailed examination
for the occurrence and accuracy of transaction-related audit objectives. In short,
this approach is commonly used to identify unusual transactions for substantive

Copy right © 2020 Pearson Education Ltd.

11-6
11-15 (continued)
testing. This approach allows auditors to continuously audit transactions by
identifying actual transactions processed by the client, as compared to test data
and parallel simulation approaches which only allow intermittent testing.

Discussion Questions and Problems

11-16 a. The size of a company has a significant effect on the nature of the
controls likely to exist. A small company has difficulty establishing
adequate separation of duties and justifying an internal audit staff.
However, a major type of control available in a small company is
the knowledge and concern of the top operating person, who is
frequently an owner-manager. His or her ability to understand the
entire operation of the company is potentially a significant
compensating control. The owner-manager’s interest in the
organization and close relationship with the personnel enable him
or her to evaluate the competence of the employees and the
effectiveness of internal controls.
While some of the five control activities are unavailable in a
small company, especially adequate segregation of duties, it is still
possible for a small company to have proper authorization of
transactions and activities, adequate documents and records,
physical controls over assets and records, and, to a limited
degree, independent checks on performance.

b. Kumar and Collier take opposite and extreme views as to the

credence given to internal control in a small firm. Kumar seems to
treat a small firm in the same manner as he would a large firm,
which is inefficient. Because many types of controls are often
lacking in a small firm, especially one that is a nonpublic company,
assessed control risk should be increased and more extensive
substantive tests must be used. Because assessed control risk is
higher, less emphasis is needed to identify the internal controls.
Collier is not meeting the standards of the profession in that
she completely ignores the possibility of a severe deficiency in the
system. She must obtain an understanding of internal control to
determine whether it is possible to conduct an audit at all. Auditing
standards require, at a minimum, an understanding of internal
control.
The auditor must understand the control environment and
the flow of transactions. It is not necessary, however, for the
auditor to prepare flowcharts or internal control questionnaires. The
auditor of a nonpublic company is required to provide a written
report about significant deficiencies or material weaknesses to
those charged with governance, which may be common on many
small audit clients.

Copy right © 2020 Pearson Education Ltd.

11-7
11-16 (continued)

c. Collier’s approach is not acceptable when auditing either a public

or nonpublic company. Collier must obtain an understanding of
internal controls over financial reporting in all audits. When the
auditor assesses control risk below the maximum, which is
generally the case for public companies, the auditor must perform
tests of controls to determine whether key controls over
financial reporting are operating effectively. Those procedures
must provide Collier a basis to express an opinion about internal
controls over financial reporting for accelerated filer public
companies.

d. While Kumar’s approach includes procedures similar to those that

would be performed to obtain an understanding of internal
controls, if Kumar is auditing a public company, he may need to
expand those procedures to ensure that enough information is
obtained about the design and operation of internal controls over
financial reporting. Furthermore, Kumar must perform tests of key
controls over financial reporting to provide a basis for expressing
an opinion on internal controls over financial reporting for
accelerated filer public companies.

11-17 1. a. Automated control (AC).

b. Recorded sales transactions exist (occurrence).
c. Sales could be made to fictitious customers, or sales could
be made to customers with poor credit.
d. The auditor could perform substantive tests of transactions
or confirm year-end receivable balances to verify that they
exist.

2. a. Automated control (AC).

b. Recorded sales transactions exist (occurrence).
c. Sales could be made to fictitious customers, or sales could
be made to customers with poor credit.
d. The auditor could perform substantive tests of transactions
or confirm year-end receivable balances to verify that they
exist. The auditor can test subsequent collections on
outstanding receivables as a test of valuation.

3. a. Manual control with an automated component (MAC).

b. Sales transactions are accurate (accuracy).
c. Quantities invoiced could differ from amounts shipped or
ordered by the customer.
d. Substantive tests of transactions could be performed to
verify that quantities invoiced agree to quantities shipped
and ordered by the customer.

Copy right © 2020 Pearson Education Ltd.

11-8
11-17 (continued)
4. a. Manual control with an automated component (MAC).
b. Existing sales transactions are recorded (completeness).
c. Goods could be shipped but not invoiced to customers.
d. Trace from a sample of shipping documents to recorded
sales.
5. a. Manual control with an automated component (MAC). The
authorization of price changes is a manual control.
b. Sales transactions are accurate (accuracy).
c. Customers could be invoiced at incorrect prices.
d. Substantive tests of transactions could be performed to
verify that invoice prices agree with the approved price
master file.

6. a. Manual control if sent by client personnel; automated

control if the statements are sent electronically by the
computer.
b. Recorded sales transactions exist and are accurate
(occurrence, accuracy).
c. Sales could be recorded to incorrect c ustomers or for
incorrect amounts.
d. The auditor could perform substantive tests of transactions
or confirm year-end receivable balances to verify that they
exist and are accurate.

7. a. Automated control (AC).

b. Recorded sales transactions are correctly summarized and
recorded in the general ledger and recorded in correct
customer accounts (posting and summarization).
c. Failure to record sales or record them in customer
accounts.
d. Foot the journal for a test period and verify postings to the
general ledger and subledger. Test monthly reconciliation of
the accounts receivable subledger to the general ledger.

8. a. Manual control (MC).

b. Recorded sales transactions are correctly summarized and
recorded in the general ledger and subledger (posting and
summarization).
c. Failure to record sales or record them in customer
accounts.
d. Foot the journal for a test period and verify postings to the
general ledger and subledger.

Copy right © 2020 Pearson Education Ltd.

11-9
11-18 1. a. Proper authorization of transactions and activities.
b. Recorded transactions exist and recorded transactions are
stated at the correct amounts.
c. Both errors and fraud are likely to be prevented if
competent, trustworthy employees are hired. Hiring honest
employees minimizes a likelihood of fraud. Hiring
competent employees minimizes the likelihood of
unintentional errors.
d. Several types of intentional misstatements could occur if a
dishonest person is hired. Several types of unintentional errors
could also occur if an incompetent person is hired.
e. An examination of cancelled checks or electronic payroll
deposits and supporting documents, including time records
and personnel records, is a test of the possibility of fraud. A
test of the calculation of payroll is a test for an unintentional
error caused by employees who are not competent.

2. a. Adequate segregation of duties and proper authorization of

transactions and activities.
b. Recorded transactions occurred.
c. An unauthorized or invalid time record turned in by an
existing employee. The time record may be for an employee
who formerly worked for the company or one who is
temporarily laid off.
d. An employee could be claiming too many hours by having a
friend punch him or her in early, or by making manual
changes on time cards.
e. Check to see that all employees that are punched in one
day are physically present.
3. a. Adequate documents and records.
b. Existing transactions are recorded.
c. A missing time record number never could be identified
before preparation of payroll starts.
d. An employee would not be paid for a time period. (The
employee is almost certain to bring this to management’s
attention.) The primary benefit of the control would be to
prevent misstatements for a short period of time and to prevent
employee dissatisfaction from failure to pay them.
e. Obtain a list of company employees and make sure that
each one has received a paycheck for the time period in
question.
4. a. Independent check on performance.
b. Recorded transactions are stated at the correct amounts.
c. Mechanical errors in adding the number of hours, calculating
the gross payroll incorrectly, or calculating withholding
incorrectly.

Copy right © 2020 Pearson Education Ltd.

11-10
11-18 (continued)

d. Payroll checks incorrectly calculated could be paid to

employees.
e. Recheck the amounts for gross payroll, withholding and net
payroll.

5. a. Proper authorization of transactions and activities.

b. Recorded transactions occurred.
c. A paycheck cannot be processed for an invalid employee
number.
d. A fictitious payroll check could be processed for a
fictitious employee if invalid employee numbers are
included in the employee master file.
e. Include test data transactions with invalid employee
numbers to be inputted into the payroll accounting system
and determine that all invalid transactions are automatically
rejected by the software application.

6. a. Adequate separation of duties.

b. Recorded transactions occurred.
c. A fictitious payroll check that is originated by the person
both preparing the payroll checks and distributing the payroll
checks.
d. If one person kept a record of time, prepared the payroll,
and distributed the checks, that person could add a
nonexistent employee to the payroll, process the
information for the employee and deposit the funds
electronically or by paycheck in his or her own bank
account without detection.
e. Perform a surprise payoff in which the auditor accounts for
all paychecks and distributes them to the employees, who
must provide identification in order to receive their checks
or payroll direct deposit notifications.

7. a. Proper authorization of transactions and activities, and

adequate documents and records.
b. Recorded transactions occurred.
c. The preparation of an inappropriate payroll check for a
former employee is prevented.
d. A terminated employee could be continued on the payroll
with someone else obtaining the paycheck.
e. Perform a surprise payoff in which the auditor accounts for
all paychecks and distributes them to the employees, who
must provide identification to receive their checks or payroll
direct deposit notifications.

Copy right © 2020 Pearson Education Ltd.

11-11
11-18 (continued)

8. a. Physical control over assets and records, and adequate

segregation of duties.
b. Recorded transactions occurred.
c. Checks prepared for nonexistent employees or employees
on vacation, or absent for other reasons , are controlled
and safeguarded.
d. Checks could be lost that were intended for absent
employees or a check could be taken by the person
responsible for distributing the checks.
e. Examine cancelled checks to make certain that each check
is properly endorsed, supported by a time record, and the
person to whom the check is made out is still working for the
company.

9. a. Proper authorization of transactions and activities and

adequate separation of duties.
b. Recorded transactions occurred and recorded transactions
are stated at the correct amounts.
c. Preparation of a check for a fictitious employee or
preparation of checks using an unapproved pay rate are
prevented.
d. A fictitious payroll check could be processed for a fictitious
employee if those with record keeping responsibilities are
allowed to enter new employee numbers into the master
file. Also, paychecks to valid employees could be
overstated if unauthorized personnel have the ability to
make changes to the pay rates in the master files.
e. Attempt to access the online payroll master file using a
password that is not allowed access to that master file.

11-19 1. a.  The payroll checks should not be returned to the

computer department supervisor but should be
distributed by persons independent of those having a
part in generating the payroll data.
 There is a lack of internal verification of the hours,
rates, extensions, or employees by above.
b.  Padding of payroll with fictitious names and
extracting the checks made out to such names when
they are returned after they have been signed.
 There may be misstatements in hours, rates,
extensions, and the existence of nonworking
employees.
c.  Have the checks handed out by an independent
person and not returned to Strode.
 Internal verification of that information by Lee or
someone else.
Copy right © 2020 Pearson Education Ltd.
11-12
11-19 (continued)

2. a.  Supplying the receiving department with electronic

access to the purchase order is regarded as a
deficiency in that the department may be less careful
in checking goods than they would be if they were
working without a record of the quantities that should
be received.
 The failure to have the storekeeper receipt for the
materials when they are sent to him or her from the
receiving department or to tie in the items placed in
storage with the acquisition constitutes a deficiency
in control in that responsibility for shortages cannot
be conclusively placed on either receiving or stores.
The receiving department might, in collusion with a
vendor, report receipts of materials that were never
received. Also, either the receiving department or the
stores department might fraudulently convert some
of the materials and because of the lack of a
record of responsibility, the company would be
unable to determine which department was
responsible.
b.  The first deficiency increases the likelihood of
obsolete inventory and the possibility of theft of
shipments larger than the amount ordered. It also
increases the likelihood of inaccurate counts of
inventory actually received and recorded.
 The failure to isolate responsibility for shortages also
increases the likelihood of obsolescence in that
employees are likely to be less concerned when they
are not held accountable. Because the company
cannot isolate responsibility, it might also encourage
receiving or stores to take goods.
c. Use a “blind” copy of the purchase order or a separate
receiving report without a copy of the purchase order. Use
perpetual inventory records to hold the storekeeper
accountable. The storekeeper should also initial the
receiving report or purchase order when he or she receives
the goods.

3. a. The bank statement should not be reconciled by the

manager but should be sent by the bank directly to the
home office, where the reconciliations should be made
against the manager’s report of cash disbursements.
b. The manager may draw checks to herself or others for
personal purposes and omit them from her list of cash
disbursements or inflate other reported disbursement
amounts.
Copy right © 2020 Pearson Education Ltd.
11-13
11-19 (continued)

c. Have all bank statements sent directly to the home office

and have Cooper report directly to the home office by use
of a list of cash disbursements and all supporting
documentation.

11-20 1. No testing is required in the December 31, 2019, audit because

the auditor has determined that the automated control has not
been changed since the prior year. The auditor obtains
reasonable assurance that the automated control has not been
changed due to the effective controls over IT security and software
program changes. Thus, the auditor should consider the extent of
testing of IT security and software changes that might be
necessary in the current year audit due to the auditor’s reliance on
them to prevent changes to the underlying automated
reconciliation control.

2. No testing is required in the December 31, 2019, audit because

the auditor has determined that the automated controls have not
been cha nged since the prior year. The auditor obtains
reasonable assurance that the automated controls have not been
changed due to the effective controls over IT security and
software program changes. Thus, the auditor should consider the
extent of testing of IT security and software changes that might be
necessary in the current year audit due to the auditor’s reliance on
them to prevent changes to the underlying automated purchase
controls.

3. Testing is required in the December 31, 2019, audit because the

underlying control is performed by a person and is not automated.
Because the control is manually performed, there is a risk that the
operation of the control may not be consistent with the design or
the control may not have been performed. Thus, the auditor
should test the control’s operating effectiveness in the current
year’s audit.
4. Testing is required in the December 31, 2019, audit because the
control is designed to mitigate a significant risk. Controls that
mitigate significant risks must be tested each year.
5. Testing is required in the December 31, 2019, audit because the
client made changes to the software system during the current
year.

Copy right © 2020 Pearson Education Ltd.

11-14
11-21 The following are deficiencies of internal control, by transaction-related
audit objective.

Occurrence
 The receiving report is not sent to the stores department. A copy
of the receiving report should be sent from the receiving room
directly to the stores department with the materials received. The
stores department, after verifying the accuracy of the recei ving
report, should indicate approval on that copy and send it to the
accounts payable department. The copy sent to accounts payable
will serve as proof that the materials ordered were received by the
company and are in the user department.

 The controller should not be responsible for cash disbursements.

The cash disbursement function should be the responsibility of the
treasurer, not the controller, so as to provide proper segregation of
duties between the custody of assets and the recording of
transactions.
 The purchase requisition is not approved. The purchase
requisition should be approved by a responsible person in the
stores department. The approval should be indicated on the
purchase requisition after the approver is satisfied that it was
properly prepared based on a need to replace stores or the
proper request from a user department.
 Preliminary review should be made before preparing purchase
orders. Prior to preparation of the purchase order, the purchase
office should review the company’s need for the specific materials
requisitioned and approve the request.

Completeness
 Purchase orders and purchase requisitions should not be
combined and filed with the unmatched purchase requisitions, in
the stores department. A separate file should be maintained for
the combined and matched documents. The unmatched purchase
requisitions file can serve as a control over merchandise
requisitioned but not yet ordered.
 There is no indication of control over vouchers in the accounts
payable department. A record of all vouchers submitted to the
cashier should be maintained in the accounts payable department,
and a copy of the vouchers should be filed in an alphabetical
vendor reference file.
 There is no indication of any control over prenumbered
documents. All prenumbered documents should be accounted for.

Copy right © 2020 Pearson Education Ltd.

11-15
11-21 (continued)

Accuracy
 Purchase requisitions and purchase orders are not compared in
the stores department. Although purchase orders are attached to
purchase requisitions in the stores department, there is no
indication that any comparison is made of the two documents.
Prior to attaching the purchase order to the purc hase
requisition, the requisitioner’s functions should include a check
that:

a. Prices are reasonable;

b. The quality of the materials ordered is acceptable;
c. Delivery dates are in accordance with company needs;
d. All pertinent data on the purchase order and purchase
requisition (e.g., quantities, specifications, delivery dates,
etc.) are in agreement.

Because the requisitioner will be charged for the materials

ordered, the requisitioner is the logical person to perform these
steps.
 The purchase office does not review the invoice prior to
processing approval. The purchase office should review the
vendor’s invoice for overall accuracy and completeness,
verifying quantity, prices, specifications, terms, dates, etc., and if
the invoice is in agreement with the purchase order, receiving
report, and purchase requisition, the purchase office should
clearly indicate on the invoice that it is approved for payment
processing. The approved invoice should be sent to the accounts
payable department.
 The copy of the purchase order sent to the receiving room
generally should not show quantities ordered, thus forcing the
department to count goods received. In addition to counting the
merchandise received from the vendor, the receiving department
personnel should examine the condition and quality of the
merchandise upon receipt.
 There is no indication of control over dollar amounts on vouchers.
Accounts payable personnel should prepare and maintain control
information on the dollar amounts of vouchers. Such information
should be sent to departments posting transactions to the general
ledger and master files.
Note: Classification, timing, posting and summarization, and
presentation are not applicable. Recording in journals is not
included in the flowcharts.

Copy right © 2020 Pearson Education Ltd.

11-16
11-22 a

COMPANY APPROPRIATE AUDIT REPORT

Pleasant Luggage Qualified or disclaimer of opinion on internal control
Company over financial reporting.
Queen Mining Unqualified opinion on internal control over financial
Company reporting.
Ranger Supply Adverse opinion on internal control over financial
Company reporting.
System IT Company Adverse opinion on internal control over financial
reporting.

b. 1. As it is unlikely that the deficiency in Ranger Supply

Company leads to material misstatements, it is not considered as
material weakness. Since adverse opinion on the effectiveness of
internal control is only expressed when one or more material
weaknesses exist, the auditor can express an unqualified opinion on
internal control over financial reporting.

2. The auditor’s opinion on the effectiveness of internal controls is as of the

end of the fiscal year. The auditor is attesting to the effectiveness of
internal controls as of that date rather than attesting to the effectiveness
of controls throughout the fiscal year. As the material weaknesses were
remediated and the revised control has been tested to ensure it is
designed, implemented and operating effectively prior to the end of the
fiscal year, the auditor can express an unqualified opinion on internal
control over financial reporting.
11-23 a. The use in grocery stores of bar code scanning technologies impacts
a number of financial statement accounts for a grocery. The bar
code scanner is used to retrieve unit prices for each product
scanned, which is then used to calculate the amount to be posted
to the Revenue, Sales Tax Payable, and Cash accounts (and any
overnight Receivable accounts related to sales paid by debit and
or credit cards that may not be processed until the next business
day). Sometimes bar scanning technologies are used to process
coupons and other discounts, which would be recorded in the
Sales Discount account. Similarly, when goods are returned by
customers to the store, the bar scanning technology is used to
process amounts recorded in the Sales Returns account and related
credit to the Cash account. In addition to recording the transaction
amounts paid by the customer, the bar scanning technologies are
also used to update perpetual inventory records for cost amounts,
which impacts the Inventory and Cost of Goods Sold accounts.

Copy right © 2020 Pearson Education Ltd.

11-17
11.23 (Continued)
b.
Risks Inherent to How Bar Scanning
Sales Processing Accounts Affected Technologies Help Reduce Risk
Wrong unit price is used Revenues The system automatically retrieves
to process sale Cash the unit retail price from the
approved price list master file.
Calculation of amounts Revenues The system extends price times
due from customer for Cash quantity and adds each extended
all items purchased is Sales Taxes Payable amount to calculate the total
inaccurate sales price, including sales taxes
due from customer.
Reduction in inventory Inventory The system tracks the number of
accounts for items sold Cost of Goods Sold units removed by product
is inaccurate number, which is used to update
perpetual inventory records.
Not all inventory items Revenues As the system reads each bar
taken by customer are Cash code, it generates a sound to
included in the Inventory indicate to the cashier and
processing of the Cost of Goods Sold customer that each product
customer’s purchase scanned has been captured by
amount the system.
Coupons and discounts Sales Discounts The system retrieves coupon and
are incorrectly Cash discount information from the
calculated master file of promotions and
discounts and automatically
calculates discount amounts.

c. Below are examples of how the auditor might test the operating
effectiveness of the bar code scanner technology:
1. The auditor could select a number of different products and
use the bar scanning technology to process the sales amounts
for comparison to the auditor’s separate calculation of
transaction amounts based on items processed. The auditor
could perform the same kind of test using coupons and other
discount programs.
2. The auditor may be able to use audit software to test the
accuracy of individual customer transactions and to test the
summation of all customer transactions processed by a cash
register machine by day and by store.
3. The auditor may be able to use audit software to test the
accuracy of the postings of daily totals to the client’s general
ledger system.
4. The auditor may use audit software to review all unit prices
in the price list master file to identify unusual price amounts
for further investigation (e.g., negative prices, large unit
prices, etc.).
Copy right © 2020 Pearson Education Ltd.
11-18
 5. The auditor may be able to use audit software to identify
the most recent date of the most recent date of sale by
product number to identify those products that have not
been sold to customers for an extended period of time to
identify potentially obsolete inventory still on hand.

11-24 a. The nature of generalized audit software is to provide computer

programs that can process a variety of file media and record formats
to perform a number of functions using computer technology.
There are several types of generalized audit software
packages. Usually, generalized audit software is a purchased audit
software program that is Windows-based and easily operated on
the auditor’s computer. Other generalized audit software exists
that contain programs that create or generate other programs,
programs that modify themselves to perform requested
functions, or skeletal frameworks of programs that must be
completed by the user.
A package can be used to perform or verify mathematical
calculations; to include, exclude, or summarize items having specified
characteristics; to provide subtotals and final totals; to compute,
select, and evaluate statistical samples for audit tests; to print
results or sequences that will facilitate an audit step; to compare,
merge, or match the contents of two or more files; and to produce
machine-readable files in a format specified by the auditor.

b. Ways in which a generalized audit software package can be used

to assist in the audit of inventory of Boos & Baumkirchner, Inc.,
include the following:
1. Compare data on the CPA’s set of preprinted inventory
count cards to data on the electronic inventory master file
and list all differences. This will assure that the set of count
cards furnished to the CPA is complete.
2. Determine which items and parts are to be test-counted by
selecting a random sample from the audit deck of count
cards or the electronic inventory master file. Exclude from
the population items with a high unit cost or total value that
have already been selected for test counting.
3. Access the client’s electronic inventory master file and list
all items or parts for which the date of last sale or usage
indicates a lack of recent transactions. This list provides
data for determining possible obsolescence.
4. Access the client’s electronic inventory master file and list
all items or parts of which the quantity on hand seems
excessive in relation to quantity used or sold during the
year. This list provides data for determining overstocked or
slow-moving items or parts.

Copy right © 2020 Pearson Education Ltd.

11-19
 11-24 (continued)
5. Access the client’s electronic inventory master file and list all
items or parts where the quantity on hand seems excessive
in relation to economic order quantity. This list should be
reviewed for possible slow-moving or obsolete items.
6. Enter audit test-count quantities onto the cards. Match
cards against the client’s adjusted electronic inventory
master file, comparing the quantities on the cards to the
quantities on the electronic file and list any differences. This
will indicate whether the client’s year-end inventory counts
and the master file are substantially in agreement.
7. Use the adjusted electronic inventory master file and
independently extend and total the year-end inventory and
print the grand total on an output report. When compared to
the balance determined by the client, this will verify the
calculations performed by the client.
8. Use the client’s electronic inventory master file and list all
items with a significant cost per unit. The list should show
cost per unit and both major and secondary vendor codes.
This list can be used to verify the cost per unit.
9. Use the costs per unit on the client’s electronic inventory
master file and extend and total the dollar value of the
counts on the audit test count cards. When compared to
the total dollar value of the inventory, this will permit
evaluation of audit coverage.
11-25
a

PURCHASE TRANSACTION-RELATED
TEST OF CONTROL AUDIT OBJECTIVE

1. Examine indication of  Recorded acquisitions are for goods

approval on both the and services received, consistent with
requisition form and the the best interests of the client
purchase order. (Occurrence)
2. Input number of items  Recorded acquisitions are for goods
exceeding the parameters to and services received, consistent with
see if the order is rejected by the best interests of the client
the inventory system. (Occurrence)
3. Account for a sequence of  Existing acquisitions are recorded
purchase orders and goods (Completeness).
received notes.
4. Examine indication of  Recorded acquisitions are for goods
checking (initials of the staff). and services received (Occurrence);
Recorded acquisition transactions are
accurate (Accuracy).
Copy right © 2020 Pearson Education Ltd.
11-20
5. Compare totals to summary  Existing acquisitions are recorded
reports (Completeness).
6. Examine indication of  Recorded acquisitions are for goods
cancellation (i.e. marked as and services received (Occurrence).
“PAID).
7. Examine indication of  Recorded acquisitions are for goods
review/approval. and services received (Occurrence);
Recorded acquisition transactions are
accurate (Accuracy).

b. Among the audit procedures that a CPA will use in an audit of

purchasing transactions in order to assess the operating
effectiveness of internal controls are the following:

1. The acquisition is properly authorized by first the production

manager, and then the purchasing director. This ensures that
the goods and services acquired are for authorized company
purposes.
2. Orders cannot be made outside the parameters set in the
inventory system. This prevents acquisition of excessive or
unnecessary items.
3. Purchase orders and goods received notes are prenumbered
and accounted for.
4. The accounts payable department compares the details on
the purchase order, the goods received notes and the
vendor’s invoice to determine that the descriptions, prices,
quantities, terms etc. are correct.
5. Hash total of daily processing matched to hash and control
totals generated.
6. Documents (e.g. vendor’s invoices) are cancelled (marked
as “PAID”) to prevent duplicate payment.
7. Payment transactions are independently reviewed.

(Other answers are also acceptable, such as the use of approved supplier list
and the checking of the quality and quantity of goods received by the
warehouse department.)

11-26 a. The following deficiencies in the Parts for Wheels, Inc. , online
sales system may lead to material misstatements:
1. Lack of Sales System Interface . The lack of automatic
interface between the online sales ordering system and the
sales accounting system may increase the risk of material
misstatements for sales.

Copy right © 2020 Pearson Education Ltd.

11-21
11-26 (continued)
Sales orders printed from the online system may be
lost and not recorded, or they may be recorded more than
once if not properly controlled. Additionally, because each
sale must be manually entered, there is increased risk
that sales may be processed or recorded inaccurately.
2. Lack of Inventory System Interface. The lack of automatic
interface between the online sales ordering system and the
inventory management system may increase the risk that
processed sales may not be properly reflected in the
inventory accounting records. With manual processing,
there may be some risk that shipments occurred without
completion of a proper bill of lading, which is required to
adjust inventory records. As a result, shipments will not be
accurately deducted from inventory records. Also, if bills of
lading are not properly numbered and accounted for, there
is a possibility that completed bills of lading are not entered
or are entered more than once. Furthermore, the manual
process of recording inventory transactions increases the
risk of inaccurate posting of bills of lading into the inventory
records.
3. Manual Credit Approval. The process of verifying credit
authorization with the credit card agency is dependent on
human processing. The lack of automatic electronic credit
authorization may increase the risk of sales to unauthorized
customers. This may lead to an increased risk of collection
problems from credit card receivables.
4. Premature Recording. Currently, sales are entered into the
sales journal on the date credit is authorized, which is often
the date the order is placed. This may result in premature
recording of sales, given that sales are recorded before
shipment has occurred. As a result, sales may be recorded
in accounting periods different from when inventory records
are updated for the shipment. Cutoff problems may occur.
5. Inadequate Tracking of Returns. If systems for tracking and
estimating online sales returns are inadequate, Parts for
Wheels, Inc., may understate estimates of customer returns,
including estimated costs for refunding shipping costs. This
could result in overstated net sales and understated
shipping costs.

b. Below are suggested changes that could be made to the existing

manual system to enhance internal control, without re-designing
the online system:

Copy right © 2020 Pearson Education Ltd.

11-22
11-26 (continued)

1. When the accounting department prints submitted orders

from the online system, each order should be numbered
sequentially with the range of used numbers logged daily.
When the sales orders are recorded, the order number
should be recorded.
2. Prenumbered bills of lading should be used. All bills of
lading should be accompanied by the sales order used by
warehouse personnel to process shipment. All bills of lading
should be forwarded to accounting on the date of shipment.
3. Accounting should match the bills of lading with the accounting
department’s copy of the sales orders before any entries
are recorded in the sales journal and inventory system.
Entries to the sales journal and inventory records should be
made on the same day to ensure consistent cutoff of the
recording of transactions.

c. For the deficiencies identified in part a, the auditors would be most

concerned about the following transaction-related and balance-
related audit objectives:
1. Lack of Sales System Interface. Auditors would be
concerned about occurrence, completeness, accuracy, and
timing of sales as well as occurrence, completeness,
accuracy, and cutoff of accounts receivable .
2. Lack of Inventory System Interface. Auditors would be
concerned about occurrence, completeness, accuracy, and
timing of cost of goods sold as well as occurrence,
completeness, accuracy, and cutoff of inventory.
3. Manual Credit Approval. Auditors would be most concerned
with realizable value of credit card receivables.
4. Premature recognition. Auditors would be most concerned
with timing of sales recognition and cutoff of accounts
receivable.
5. Inadequate Tracking of Returns. The auditor would be
concerned about completeness of sales returns
(occurrence of sales) and shipping costs.

d. Auditors could use generalized audit software in several ways.

First, they could use audit software to match orders made through
the online sales order system to sales recorded manually by
comparing the records. Any unmatched orders or sales could be
identified for follow-up. Second, the generalized audit software
could be used to compare the date of the shipment according to
the bill of lading to the date the sale is recorded to identify sales
recorded prematurely at year-end.

Copy right © 2020 Pearson Education Ltd.

11-23
11-26 (continued)

Audit software could also be used to compare updates to

the inventory system with the sales recorded to ensure all sales
are recorded in the inventory system as well. Each of the
procedures using generalized audit software would be made even
easier by the changes recommended in part b. above.

11-27 (Objectives 11-2, 11-3) Taylor Electronics Company is engaging in

manufacturing of electronic components. The company purchases its raw
materials from various suppliers. The following is a description of the purchasing
system of Taylor Electronics:
1. Production supervisors complete a requisition form when they are in need
of raw materials. This is triggered by checking the current level of
inventory on the inventory system which has been updated to record the
minimum and maximum required levels of raw materials. Orders cannot
be made if it is outside of the range set in the inventory system. The
requisition form is then authorized by the production manager.
2. The authorized requisition form is submitted to the purchase ordering
department of which the staff will raise sequentially numbered purchase
orders, in multiple copies, based on the approved supplier list. The copies
are sent to:

(a) the selected supplier, after obtaining the authorization of the

purchasing director;
(b) the accounts payable department;
(c) the warehouse department.
It is the department’s policy to update the supplier list with reference to the
suppliers’ quality and price on an annual basis. The purchasing director
authorizes the orders prior to submitting to the selected supplier.
3. Upon receipt of goods, the warehouse department verifies the quantity to
the suppliers despatch note and the purchase order sent to the warehouse
department earlier. The staff in warehouse department also checks that
the quality of the goods received is satisfactory. A sequentially numbered
goods received note is then generated which will be sent to the accounts
payable department.
4. The accounts payable department matches the goods received note (from
warehouse department) with the purchase order (from purchase ordering
department) and invoice (from suppliers) to ensure the agreed prices and
discounts have been honoured. After the checking process, the staff
initials on the invoice to indicate the matching process is completed.

Copy right © 2020 Pearson Education Ltd.

11-24
11-27 (continued)

5. Another accounts payable clerk enters the “matched” invoices onto the
purchase system in batches. In this process, the clerk uses a batch control
sheet which shows the number of invoices and the total value to be
entered. Such information will then be checked against the system batch
report. After inputting the information into the purchase system, the invoice
will be marked as “LOGGED”. The assistant accounts payable manager
inspects the file of invoices on a weekly basis to ensure that all invoices
have been recorded.
6. The logged invoices are then reviewed and authorized for payment by the
finance director. Payments are made by the accounts department via bank
transfer on a weekly basis. After payment, the invoice will be marked as
“PAID” to avoid duplicate payments.
Required
a. Identify the important controls and related purchase transaction-related
audit objectives.
b. List the procedures that a CPA will use in an audit of purchasing
transactions in order to assess the operating effectiveness of internal
controls.

11-28 a. 1. Automated control

2. Manual control
3. Automated control
4. Manual control
5. Automated control
6. Manual control
7. Automated control
8. Manual control

b. Manual controls are mainly used as reviews of transactions,

reconciliations and follow-up of reconciling items, while automated
controls are used to initiate, record, process and report the
transactions. It is difficult to automate all controls especially those
requiring human judgment.

c. For manual controls, the auditor will select a sample of

transactions and test whether the control is operating effectively.
The key reason why sampling is required is that manual controls
are performed by people and they are always subject to random
error or manipulation. For automated controls, as long as the
computer is programmed accurately and that program remains
unchanged, automated controls will consistently perform as
Copy right © 2020 Pearson Education Ltd.
11-25
11-28 (continued)
programmed, until the software application is changed. When there
are effective general controls and an automated application control,
the auditor may be able to justify testing only one transaction and
may not need to select a sample of transactions to verify. The
extent of testing will therefore be different for automated and
manual controls.

11-29 a. Paragraph .04 of AU-C 265 notes that the AU-C 940, An Audit of
Internal Control Over Financial Reporting That Is Integrated With
an Audit of Its Financial Statements applies when an auditor
performs an audit of internal control that is integrated with the
audit of the financial statements.
b. Paragraphs .11 and .12 of the standard indicate that the auditor
should communicate in writing on a timely basis to those charged
with governance and management significant deficiencies and
material weaknesses identified during the audit, including those
that were remediated during the audit. The communication should
occur no later than 60 days following the report release date.
c. As discussed in paragraph .12 and .13 the auditor should
communicate orally or in writing other deficiencies to management
no later than 60 days following the report release date. If
communicated orally, the auditor should document the
communication.
d. Paragraph .15 indicates the audi tor may communicate that no
material weaknesses were identified, as long as the auditor
provides definitions of the terms material weakness and significant
deficiency; provides sufficient information for management and
those charged with governance to understand the context of the
communication; notes that the auditor is not expressing an opinion
on the effectiveness of internal control; and the auditor's
consideration of internal control was not designed to identify all
deficiencies in internal control that might be material weaknesses
or significant deficiencies, and therefore, material weaknesses or
significant deficiencies may exist that were not identified.
Paragraph .16 notes the auditor should not issue a written
communication stating that no significant deficiencies were
identified during the audit.

11-30 Students should have located the Form 10-K for MetLife for the year
ended December 31, 2017 by either visiting the company’s website or
by visiting the SEC’s website to use the EDGAR Full-Text Search
option to identify the company’s filings more efficiently.

1. Management’s Annual Report on Internal Control Over Financial

Reporting found on page 399. Management reports that they
did not maintain effective control over financial reporting due to
a material weakness in calculating reserves .
Copy right © 2020 Pearson Education Ltd.
11-26
11-30 (continued)
2. The company reported the following remediation activities:

RIS Group Annuity Reserves:

 The Company is implementing immediate changes to its
administrative and accounting procedures and search
practices to identify, contact, and record responses from
“unresponsive and missing” plan annuitants and to otherwise
locate missing annuitants.
 The Company is reviewing its practices regarding timely
communication and escalation of issues throughout the
Company.
 The Company will engage third party advisors to undertake a
comprehensive examination and analysis of the facts and
circumstances giving rise to the material weakness, under the
supervision of MetLife, Inc.’s Chief Risk Officer.

Assumed Variable Annuity Guarantee Reserves:

 The Company is implementing immediate changes to how data
for MetLife Holdings assumed variable annuity guarantee
reserves is controlled and reviewed.
 The Company will engage third party advisors to undertake a
comprehensive examination and analysis of the facts and
circumstances giving rise to the material weakness.

3. The report on internal control over financial reporting of the

independent registered is found on page 401-402 and is a
separate from the report on the financial statements. The auditor
expressed an adverse on internal control over financial reporting
due to the material weakness.

11-31 ACL Problem

a. There are 5,298 records in the “Purchase_orders ” dataset, with a

total dollar value for the purchase order amount column of
$62,047,339.67. (Use the Total command under the Analyze for the
Purchase Order Amount column).

b. Below is the ACL output from the Stratify command for the
Purchase Order Amount column. The first strata with purchase
order amounts ranging from $100 to $10,089.99 accounts for the
largest number of purchase transactions at 3,783 transactions.
STRATIFY ON po_amount SUBTOTA L po_amount MINIMUM 100
Command:
MAXIMUM 100000 INTERVA LS 10 TO SCREEN
Table: Purchase_orders

Minimu m encountered was 100.32

Maximu m encountered was 273,698.86

Copy right © 2020 Pearson Education Ltd.

11-27
 Percent of Percent of Purcha se Order
Purcha se Order Amount Count
Count Field Amount
100.00 - 10, 089. 99 3,783 71.4% 17.66% 10,959,684.20
10,090.00 - 20,079.99 655 12.36% 15.15% 9,399, 478.68
20,080.00 - 30,069.99 282 5.32% 11.14% 6,913, 537.96
30,070.00 - 40,059.99 182 3.44% 10.19% 6,320, 381.51
40,060.00 - 50,049.99 106 2% 7.64% 4,741, 547.94
50,050.00 - 60,039.99 87 1.64% 7.57% 4,695, 597.55
60,040.00 - 70,029.99 56 1.06% 5.82% 3,608, 147.20
70,030.00 - 80,019.99 38 0.72% 4.6% 2,854, 213.35
80,020.00 - 90,009.99 17 0.32% 2.31% 1,435, 789.51
90,010.00 - 100, 000. 00 26 0.49% 3.98% 2,469, 222.55
>100,000.00 66 1.25% 13.94% 8,649, 739.22
Totals 5,298 100% 100% 62,047,339.67

c. Highlighting the Purchase Order Number column and using the

“Gaps” command under Analyze, there are 343 gap ranges
detected in the “Purchase_orders” dataset. In addition, it appears
based on scanning the purchase order numbers and purchase
dates, the purchase orders appear to be used out of order. This
suggests poor internal controls over purchasing activity. The auditor
would want to know why there are 343 purchase orders missing,
and whether they were used but not recorded. If they were used but
not recorded, the auditor would be concerned about a potentially
material understatement of purchases. It is possible the purchase
orders are canceled if an employee makes an error while filling one
out; however, it would be important for the client to keep track of
any voided purchase orders so they can ensure purchases are
complete. Using the “Duplicates” command under Analyze, there
are no duplicate purchase orders identified in the dataset. If there
had been duplicates, the auditor would be concerned about an
overstatement of purchases if they were being recorded more than
once.

d. Highlighting the “Requisition Number” column, and using the

“Summarize” command, there are 3,097 purchase transactions (out
of the 5,298 total transactions) that do not have a requisition. The
total dollar value of purchases without requisitions is
$35,228,641.28, which represents 57% of the total dollar amount of
purchases. It would be important for the auditor to understand the
client’s policy related to purchases, and when a requisition is
required. Internal control over purchasing would be strengthened if
the client required a purchase requisition for all purchase
transactions, or an indication of why that policy may be violated
(e.g., if a purchase needs to be expedited and no one is available
to approve a requisition). The concern when there is no requisition
Copy right © 2020 Pearson Education Ltd.
11-28
11-31 (continued)
is that the purchase may not have been approved, or may not be
for a legitimate business purpose.

e. Use the “Classify” command to classify by vendor number with a

subtotal for purchase amount and save the output to “file.” That
indicates there are 2,823 unique vendor numbers. Performing a
“Quick Sort” of the percent of field column (in descending order) in
the file created by the Classify command shows there are no
vendors that account for more than 5% of purchases. The
maximum percent of total purchases is 1.1% for vendor number
VN-0010390476508.

f. Below is the output from filtering on purchases greater than

$100,000. There are a total of 66 purchase transactions greater
than $100,000. Not all output columns are included below.

po_number po_date vendor_number po_amount created_on

028493214615 1/19/2014 VN-0010090307334 115183.06 1/19/2014
028493215666 3/26/2014 VN-0010000259877 109933.27 3/26/2014
028493215782 4/5/2014 VN-0010340106140 149638.15 4/5/2014
028493215789 4/1/2014 VN-0010230187330 127375.73 4/1/2014
028493215811 4/7/2014 VN-0010000394772 108840.26 4/7/2014
028493215837 4/5/2014 VN-0010090260265 105883.12 4/5/2014
028493215843 4/6/2014 VN-0010260172176 128973.34 4/6/2014
028493215844 4/7/2014 VN-0010070247341 101968.05 4/7/2014
028493215924 4/14/2014 VN-0010000024372 111524.37 4/14/2014
028493215931 4/9/2014 VN-0010000271470 109810.9 4/9/2014
028493216120 4/20/2014 VN-0010000110409 114456.03 4/20/2014
028493216185 4/26/2014 VN-0010000433003 137635.35 4/26/2014
028493216189 4/26/2014 VN-0010260179830 115138.1 4/26/2014
028493216213 4/28/2014 VN-0010000195648 165841.62 4/28/2014
028493216220 4/30/2014 VN-0010000245035 227778.89 4/30/2014
028493216221 4/27/2014 VN-0010390088981 150800.65 4/27/2014
028493216250 5/3/2014 VN-0010000147105 102095.08 5/3/2014
028493216432 5/12/2014 VN-0010090203173 126002.08 5/12/2014
028493216438 5/7/2014 VN-0010450022589 115068.47 5/7/2014
028493216439 5/10/2014 VN-0010390190953 140503.18 5/10/2014
028493216467 5/12/2014 VN-0010450113576 132830.82 5/12/2014
028493216559 5/18/2014 VN-0010000256594 106881.05 5/18/2014
028493216591 5/20/2014 VN-0010090193739 138132.97 5/20/2014
028493216596 5/18/2014 VN-0010160206123 102713.45 5/18/2014
028493216597 5/18/2014 VN-0010000269163 104790.21 5/18/2014
028493216619 5/19/2014 VN-0010070241895 108725.19 5/19/2014
028493216718 5/26/2014 VN-0010210023460 106386.5 5/26/2014

Copy right © 2020 Pearson Education Ltd.

11-29
028493216747 5/26/2014 VN-0010410272994 125765.85 5/26/2014
028493216752 5/27/2014 VN-0010480512685 152527.65 5/27/2014
028493216753 5/25/2014 VN-0010070502023 148475.86 5/25/2014
028493216914 5/31/2014 VN-0010000268675 155921.72 5/31/2014
028493216922 6/4/2014 VN-0010250311629 117570.63 6/4/2014
028493217004 6/7/2014 VN-0010070108651 103041.69 6/7/2014
028493217009 6/4/2014 VN-0010200427270 108830.02 6/4/2014
028493217050 6/8/2014 VN-0010090260265 135321.12 6/8/2014
028493217057 6/8/2014 VN-0010480078505 117350.22 6/8/2014
028493217135 6/15/2014 VN-0010000267717 200945.74 6/15/2014
028493217142 6/14/2014 VN-0010330031684 199494.08 6/14/2014
028493217274 6/21/2014 VN-0010070241895 110073.07 6/21/2014
028493217278 6/18/2014 VN-0010000259361 117540.23 6/18/2014
028493217392 6/28/2014 VN-0010000087814 111687.45 6/28/2014
028493217398 6/24/2014 VN-0010000102912 101973.45 6/24/2014
028493217423 6/29/2014 VN-0010000147105 108972.1 6/29/2014
028493217431 7/1/2014 VN-0010100020125 107515.38 7/1/2014
028493217544 7/2/2014 VN-0010450319216 139761.96 7/2/2014
028493217715 7/12/2014 VN-0010000281402 164763.19 7/12/2014
028493217722 7/14/2014 VN-0010160228550 122279.13 7/14/2014
028493217723 7/12/2014 VN-0010070052167 127611.4 7/12/2014
028493217815 7/21/2014 VN-0010000108791 143510.51 7/21/2014
028493217822 7/21/2014 VN-0010460029032 141854.71 7/21/2014
028493217823 7/20/2014 VN-0010070059858 102233.56 7/20/2014
028493217938 7/22/2014 VN-0010000273841 115415.65 7/22/2014
028493218094 8/3/2014 VN-0010270141534 127599.74 8/3/2014
028493218180 8/9/2014 VN-0010000430933 101012.03 8/9/2014
028493218187 8/9/2014 VN-0010000282973 149550.22 8/9/2014
028493218224 8/13/2014 VN-0010000270884 148361.72 8/13/2014
028493218231 8/11/2014 VN-0010070344773 104780.65 8/11/2014
028493218275 8/16/2014 VN-0010090168632 118950.76 8/16/2014
028493218346 8/16/2014 VN-0010380323702 273698.86 8/16/2014
028493218353 8/19/2014 VN-0010290049720 143706.72 8/19/2014
028493218354 8/17/2014 VN-0010000268420 132859.03 8/17/2014
028493218453 8/24/2014 VN-0010000233061 119706.99 8/24/2014
028493218549 9/1/2014 VN-0010070241895 142498.05 9/1/2014
028493218555 9/1/2014 VN-0010000249805 182623.85 9/1/2014
028493218556 9/2/2014 VN-0010150116435 145616.81 9/2/2014
028493218579 9/2/2014 VN-0010000207185 113427.53 9/2/2014

Copy right © 2020 Pearson Education Ltd.

11-30
 Case

11-32 1. Strengths in lines of reporting from IT to senior management at

Jacobsons:
 Melinda Cullen (IT Manager) and the chief operating officer
(COO) work closely on identifying hardware and software
needs.
 Melinda’s boss, the COO, has access to the board of directors
and provides periodic updates about IT issues, if needed.
Deficiencies in lines of reporting from IT to senior management:
 The chief IT person (Melinda) is relegated to a manager level
and is not considered a part of the senior executive team.
This signals a potential lack of adequate support extended
by top management to the IT function.
 The IT Manager reports to a key user, the COO. The COO
may place undue pressure on IT to work on IT related projects
that affect the COO’s areas of responsibility. Thus, other
areas, such as those under the chief financial officer’s control
(e.g., the accounting system), may not receive adequate
IT resources.
 Melinda and the COO make all major hardware and software
decisions without input from other user personnel and the
board of directors.
 There does not appear to be a written IT strategic plan that
sets direction for the IT function.
Recommendations related to the lines of reporting from IT to senior
management:

 The IT Manager should report directly to the president and

be considered a part of senior management (e.g., on equal
footing relative to the COO, CFO, etc.).
 The board of directors should receive regular input from the
IT Manager about the status of IT projects.
 A written strategic plan should be developed and reviewed
annually by the board.
 Significant hardware and software changes should be approved
by the board or its IT Steering Committee. Other changes
to application software should also be approved by affected
user departments.

Copy right © 2020 Pearson Education Ltd.

11-31
11-32 (continued)

2. Assessment of Melinda’s fulfillment of IT Manager responsibilities,

including her strengths:
 Melinda is actively involved in the IT function and closely
monitors day-to-day IT activities.
 Melinda is experienced in Jacobson’s IT function, having been
employed by the company for 12 years. She has served in
several IT roles at Jacobsons. Thus, she offers stability for
the IT function.
 Melinda performs extensive background checks before offering
candidates employment in IT functions.
 Melinda has successfully maintained a fairly stable IT staff.
 Melinda conducts weekly IT departmental meetings to discuss
issues affecting the performance of the department.
 Apparently, the IT department is functioning well, given that
few IT-related problems must be reported by the COO to the
board.
Concerns about current management of the IT function:
 Melinda may be over-delegating tasks to IT personnel without
maintaining close accountability for employee actions. For
example, programmers are given extensive leeway in
programming changes to software and operators check each
other’s work to ensure that Melinda’s job schedule was
properly followed.
 Melinda spends too much of her time in the systems analyst
role, which leaves little time for her to adequately monitor
all IT tasks.
Recommendations for change related to the management of the
IT department:
 Consider assigning systems analyst responsibilities to a
senior programmer.
 Establish standardized programming procedures and have
Melinda review changed programs for compliance with those
procedures.
 Melinda should reconcile the Job Processed Log to the job
schedule developed by her.
 Melinda should assign or at least approve the assignment of
programmer staff responsibilities

Copy right © 2020 Pearson Education Ltd.

11-32
11-32 (continued)

3. Assessment of the strengths of the programming function at

Jacobsons:
 The programming staff is experienced with both systems
software and Jacobsons’ application software.
 The assignment of projects based on time availability of
programmers ensures that each programmer stays familiar
with all types of software in use at Jacobsons.
 Programmers regularly attend continued professional
education courses.
 Extensive logs of tape use and of changes made to programs
are maintained.

Concerns about the programming function:

 Programmers work with both systems and application software
program changes. Thus, a programmer is more likely to be
able to implement an unauthorized change to an application
program that also requires an unauthori zed change to
systems software.
 Programmers are responsible for maintaining secondary
storage of live programs and data files. Thus, programmers
are able to make unauthorized changes to live production
copies of programs and data files.

Recommendations for change related to the programming function

at Jacobsons:
 Divide programmers into systems programmers and application
programmers. Only assign system software changes to systems
programmers and application software changes to application
programmers.
 Reassign responsibility for maintaining secondary storage
to either the computer operators or to data control personnel.

4. Assessment of the strengths of the IT operations function at

Jacobsons:
 Melinda prepares a job schedule which operators follow to
process transactions. Day-shift operators reconcile Job
Processed Logs generated during the night shift to the job
schedule, and night shift operators do the same type of
reconciliation for jobs processed during the day.
 Operators perform routine monthly backup procedures.
 Input batch controls are generated to verify the accuracy
and completeness of processing.

Copy right © 2020 Pearson Education Ltd.

11-33
11-32 (continued)

Concerns about the IS operations function:

 Backup procedures only occur monthly, which increases the
risk of data loss.
 No one, other than operators, verifies that only jobs included
on the job schedule are processed. Melinda depends totally
on the completeness of the operators ’ identification of
exceptions noted by operators.
 Jobs Processed Logs are generally discarded, unless the
output does not reconcile to the job schedule.
 Operators have the authority to make small changes to
application programs.
 Comparison of batch input control totals to computer processing
is not performed by someone independent of the operator
responsible for the processing.

Recommendations for change related to the management of the

IS operations function:
 Update key data files and program tapes on a more periodic
basis (perhaps daily). Store backup copies offsite.
 Prohibit operators from performing any programming tasks.
Restrict access to program files to a READ/USE only capability.

5. Assessment of the strengths of the IT data control function at

Jacobsons:
 Data control personnel review exception listings and submit
requests for correction on a timely basis.
 Data control clerks monitor the distribution of output.

Concerns about the IT data control function:

 Data control personnel have the authority to approve changes
to master files. Thus, they could add a fictitious employee
to the employee master file to generate a payroll check for
a non-existent employee.

Recommendations for change related to the management of the

IT data control function:

 Restrict data control personnel from being able to authorize

changes to master files. Only allow the respective user
department to authorize changes to master files. Data control
clerks should be held accountable for only inputting user
department authorized changes to master files.

Copy right © 2020 Pearson Education Ltd.

11-34
11-32 (continued)

6. Users should be responsible for approving changes to master

files. They should actively compare authorized input to output to
ensure the accuracy, completeness, and authorization of output.
Users should also be an active participant in the program systems
development process. They should participate in program development
design, testing, and implementation. In addition, users should have
a voice in establishing the job schedule, given that users understand
their processing needs best.

 Integrated Case Application

11-33 (see text Web site for Excel solution - Filename P1237.xls)

PINNACLE MANUFACTURING―PART IV

Following are control risk matrices and related notes that are used to direct a
discussion of the requirements of the case. It should be understood that
judgment is a critical element in this case, and accordingly, there often is no
single right answer.
Computer-prepared matrices using Excel (P1237.xls) are contained on
the text web site. They are essentially the same as the matrices on the next
two pages.

Copy right © 2020 Pearson Education Ltd.

11-35
 11-33 (continued)
PINNACLE MANUFACTURING - Part IV
Control Risk Matrix – Acquisitions

Transaction-Related Recorded
Audit Objective acquisition Acquisition
Existing Recorded transactions are transactions are
Recorded acquisition acquisition properly included Acquisition Acquisition properly
acquisitions trans- transactions in the master files transactions transactions aggregated and
are for goods actions are are stated at and are properly are properly are recorded disclos ures are
and services recorded the correct summarized classified on the relevant and
Internal received (complete- amounts (posting and (classifica- correct dates understandable
Controls (occurrence). ness). (accuracy). summarization). tion). (timing). (presentation).

1. Required use of PO and

receiving report with check C
of completeness

2. Proper approval C C

3. Segregation of functions C

4. Cancellation of documents C
12-37

5. Prenumbered documents
C
are accounted for

6. Internal verification of
C C C C C
documents/records

7. Use of chart of accounts C

8. Procedures requiring
C
prompt processing

9. Monthl y reconciliation of
A/P master file with general C
ledger

10. Treasurer reviews for major

vendors and commitments C
requiring disclosure

Assessed control risk Low Low Low Low Low Low Low

Copy right © 2020 Pearson Education Ltd.

11-36
 11-33 (continued)
PINNACLE MANUFACTURING - Part IV
Control Matrix - Cash Disbursements
Transaction-Related Recorded cash
Audit Objecties disbursement
Recorded transactions are Dis bursement
cash properly Cash transactions
disbursements Existing cash Recorded cash included in the Cash disbursement are properly
are for goods disbursement disbursement master file and disbursement transactions aggregated and
and services transactions transactions are are properly transactions are recorded disclos ures are
actually are recorded stated at the summarized are properly on the relevant and
Internal received (complete- correct amounts (posting and classified correct dates understandable
Controls (occurrence). ness). (accuracy). summarization). (classification). (timing). (presentation).

1. Segregation of functions C
2. Review of support, signing of
C
checks by authori zed person
3. Prenumbered checks;
C
accounted for

4. Use of chart of accounts C

12-38

5. Procedures for prompt

C
recording
6. Monthl y reconciliation of A/P
C
master file with G/L
7. Treasurer reviews for major
vendors and commitments
requiring disclosure
Deficiencies
1. Lack of an independent bank D D
reconciliation (Done by
Treasurer)

2. Lack of internal verifica tion of

documentation package by D D D
cash disbursements clerk.

3. Lack of internal verifica tion of

key entry into cash D D D
disbursements file.

Copy right © 2020 Pearson Education Ltd.

11-37
 PINNACLE MANUFACTURING - Part IV
Control Matrix - Cash Disbursements
Transaction-Related Recorded cash
Audit Objecties disbursement
Recorded transactions are Dis bursement
cash properly Cash transactions
disbursements Existing cash Recorded cash included in the Cash disbursement are properly
are for goods disbursement disbursement master file and disbursement transactions aggregated and
and services transactions transactions are are properly transactions are recorded disclos ures are
actually are recorded stated at the summarized are properly on the relevant and
Internal received (complete- correct amounts (posting and classified correct dates understandable
Controls (occurrence). ness). (accuracy). summarization). (classification). (timing). (presentation).

1. Segregation of functions C

Assessed control risk Medium Medium High Low Low Low

Copy right © 2020 Pearson Education Ltd.

11-38
11-33 (continued)

Notes to 12-37, Part IV

1. The purpose of Part IV is to have the students:

(a) develop specific transaction-related audit objectives for a
cycle,
(b) obtain controls from a flowchart description,
(c) relate controls to objectives,
(d) evaluate a set of controls as a syste m.

2. Control is quite good for acquisitions. If misstatements in

acquisitions occur, they will result from the incorrect application of
controls, not their absence. This demonstrates the inherent
deficiencies in any control system. It explains the reasons why
some misstatements were found last year. However, they were not
material. It also indicates the need for tests of controls and
substantive tests of details of balances and/or transactions.

Controls for cash disbursements are not nearly as good, given the
three deficiencies. This provides an opportunity to discuss both
fraud and errors. Given the deficiencies, there is potential for fraud
in cash.

3. It is appropriate to use the matrices to consider whether all

controls shown are important to both the client and to the
auditor. Is it necessary to have all controls (e.g., prenumbering of
requisitions)? Are the controls costly (e.g., internal verification of
all acquisitions)? Should all controls be tested (e.g., cancellation
of documents)?

Copy right © 2020 Pearson Education Ltd.

11-39