Internal Control Risk Assessment


Chapter 12

Assessing Control Risk and Reporting on Internal Controls
Concept Checks

P. 425

1. As illustrated by Figure 12-1, there are four phases in the process of
understanding internal control and assessing control risk. In the first
phase the auditor obtains an understanding of the system of internal
control, which includes an understanding of their design and whether they
have been implemented. Next the auditor must make a preliminary
assessment of control risk (phase 2) and perform tests of controls (phase
3). The auditor uses the results of tests of controls to assess control risk
and to ultimately decide planned detection risk and substantive tests for the
audit of financial statements, which is phase 4.

2. The purpose of a control risk matrix is to assist the auditor in assessing
control risk at the transaction level. The control risk matrix identifies existing
controls and deficiencies for each audit objective in the transaction cycle,
making it easier for the auditor to assess control risk for each
transaction-related audit objective.

3. The four types of procedures used by auditors to test whether internal
controls are operating effectively are (1) inquire of appropriate personnel
regarding the operation of controls; (2) examine documents and records
when there is a trail of evidence that the control is/is not operating (e.g., a
supervisor’s electronic signature on a time record); (3) observe
control-related activities in process, preferably at various points throughout the year;
and (4) reperform control activities performed by the client.

P. 430

1. The financial statement audit findings are relevant to the auditor’s opinion on
the effectiveness of internal controls over financial reporting because the
auditor may or may not identify misstatements during the audit. If the auditor
identifies material misstatements during the audit that were not prevented or
detected and corrected by the client’s internal controls, this would indicate a
potential material weakness in internal controls. Any identified
misstatements would indicate a potential control deficiency or significant
deficiency.

© 2023 Pearson Education, Ltd.

2. Auditors are required to perform integrated audits, an audit of the financial
statements coupled with an audit of internal control over financial reporting,
on audit engagements of large publicly traded companies (accelerated
filers). For integrated audits, the auditor issues an opinion on the
effectiveness of internal control in addition to the opinion on the financial
statements. As a result, the level of understanding and the extent of testing
of internal controls need to be sufficient to express an opinion on the
effectiveness of internal controls. For financial statement-only audits, the
auditor does not issue an opinion on the effectiveness of internal controls,
but rather the focus is on understanding controls that are relevant to the
audit in order to identify and assess the risks of material misstatement.

Review Questions
12-1 The auditor’s responsibility for obtaining an understanding of the
system of internal control for a large public company, when an opinion is issued
on the effectiveness of internal controls, is significantly greater than the
understanding necessary when the auditor is solely expressing an opinion on
the financial statements. To express an opinion on internal controls for a large
public company, the auditor obtains an understanding of controls for all
significant account balances, classes of transactions, including disclosures
and related assertions in the financial statements. In contrast, for an audit of a
nonpublic company or a smaller public company, the auditor will obtain an
understanding of internal controls that are relevant to the financial statement
audit in order to assess the risks of material misstatement. Thus, the level of
understanding of internal controls required for the audit of internal controls
exceeds the level required for an audit of only the financial statements.

12-2 Maier is correct in her belief that internal controls frequently do not
function in the manner they are supposed to. However, regardless of this,
her approach ignores the value of beginning the understanding of internal
control by preparing or reviewing a rough flowchart or other internal control
descriptions. Obtaining an early understanding of the client’s system of internal
control will provide Maier with a basis for a decision about further audit
procedures and extent of testing based on assessed control risk. By not
obtaining an understanding of the system of internal control until later in the
engagement, Maier risks performing either too much or too little work, or
emphasizing the wrong areas during her audit.

12-3 In a walkthrough of internal control, the auditor selects one or a few
documents for the initiation of a transaction type and traces them through the
entire accounting process, including information systems, until it is reflected in
the financial records using the same documents and IT that the entity personnel
use. At each stage of processing, the auditor makes inquiries and observes
current activities, examines completed documentation, and reperforms specific
controls for the transaction or transactions selected. Thus, the auditor combines
observation, inspection, inquiry, and reperformance to conduct a walkthrough of
internal control. PCAOB auditing standards require the auditor to perform at
least one walkthrough for each major class of transactions.

12-4 For many control activities, documentation of their performance is more
objectively evaluated in contrast to the evaluation of the control environment.
Due to the nature of the subcomponents that constitute the control environment,
such as integrity and ethical values and commitment to competence, the nature
of evidence used to evaluate the control environment may differ somewhat from
the nature of evidence used to evaluate control activities. While auditors examine
similar types of evidence to assess both the control environment and control
activities, they often perform more extensive inquiries and observation to assess
the design and implementation of control environment subcomponents, such as
the entity’s code of conduct and whistleblowing system, so they can evaluate
whether employees understand those policies and procedures, and to gain a
sense as to the overall ethical tone and perception of management’s integrity.
Because of the more judgmental nature of many of the control environment
subcomponents, auditors often make numerous inquiries and perform extensive
observation of client personnel in the performance of policies and procedures to
evaluate those subcomponents of the control environment. While inquiry and
observation may also be performed to evaluate control activities, auditors
frequently inspect documentation that demonstrates a control activity was
performed, such as examining approvals of transactions or matching of
documentation supporting a transaction, and they often reperform certain
client-performed procedures, such as the calculation of a transaction amount.

12-5 A significant deficiency exists if there are one or more control
deficiencies that are less severe than a material weakness, but important enough
to merit attention by those responsible for oversight of the company’s financial
reporting. A material weakness exists if a deficiency, by itself or in combination
with other deficiencies, results in a reasonable possibility that internal control will
not prevent or detect material financial statement misstatements. The presence
of one significant deficiency that is not deemed to be a material weakness may
not affect the auditor’s report. In that instance, the auditor’s report on internal
control over financial reporting would contain an unqualified opinion. However, if
the deficiency is deemed to be a material weakness, the auditor must express an
adverse opinion on the effectiveness of internal control over financial reporting.

12-6 The extent of controls tested by auditors for an integrated audit of a large
public company, in which the auditor will express an opinion on internal control, is
significantly greater than the extent of testing solely to express an opinion on the
financial statements. To express an opinion on internal controls for a large public
company, the auditor obtains an understanding of and performs tests of controls
for all significant account balances, classes of transactions, and disclosures and
related assertions in the financial statements.

In contrast, the extent of controls tested by an auditor of a nonpublic
company or a smaller public company is dependent on the auditor’s assessment
of control risk. Whenever the auditor assesses control risk below maximum, the
auditor must perform tests of controls to support that control risk assessment.
The auditor will not perform tests of controls when the auditor assesses
control risk at maximum. When control risk is assessed below the maximum, the
auditor designs and performs a combination of tests of controls and substantive
procedures. Thus, for a nonpublic company or smaller public company, the tests
of controls vary based on the auditor’s assessment of control risk.

12-7 Auditing standards indicate that reliance can be placed on controls that
were tested in a prior year, except for controls that mitigate significant risks,
which must be tested in the current year. Controls should be tested at least every
three years, and whenever there is a significant change in the control. Continued
reliance on the effectiveness of automated controls is appropriate if the auditor is
satisfied that general controls over the computer applications are adequate to
identify any changes to computerized processes. The ability to rely on prior year
tests of automated controls is due to the systematic nature of IT-based
procedures. That is, once an automated control is programmed to perform
correctly, it should continue performing in that manner until the underlying
software program is changed. In contrast, controls performed manually are
generally tested each year because there is always a risk of human error
occurring in the performance of a manual control.

12-8 When the auditor’s risk assessment procedures identify significant
risks, the auditor is required to test the operating effectiveness of controls that
mitigate these risks in the current year audit, if the auditor plans to rely on those
controls to support a control risk assessment below 100%. Thus, tests of
controls are required in the current year audit for those controls the auditor
plans to rely on to reduce control risk. The greater the risk, the more audit
evidence the auditor should obtain that controls are operating effectively.

12-9 The fact that your client has outsourced the majority of its accounting
information system to a third-party data center does not change your professional
responsibilities. One of the principles underlying auditing standards requires the
auditor to obtain an understanding of the system of internal control in all audits.
Thus, the auditor would need to perform procedures to obtain information to
provide an understanding of internal controls that may reside at the data center.
The auditor would benefit greatly from a service auditor’s report, if one is
available. Because the client has outsourced a majority of the accounting
information system, the auditor is likely to identify controls that may support lower
assessments of control risk that must be tested. Either the auditors may decide
to conduct their own testing of those controls or they may be able to obtain a
service auditor’s SOC 1® Report on Management’s Description of a Service
Organization’s System and the Suitability of the Design and Operating
Effectiveness of Controls (referred to as a Type 2 report).
12-10 When a client’s sales and accounts receivable system is provided by a
cloud computing service, many of the internal controls related to transaction-
related objectives for sales and cash receipts and controls affecting accounts
receivable balance-related objectives may be performed at the cloud-computing
outsourced service center. That may make it difficult for the user auditor to
obtain an understanding of and test the client’s internal controls for these
objectives. A SOC 1® Report on Management’s Description of a Service
Organization’s System and the Suitability of the Design and Operating
Effectiveness of Controls (referred to as a Type 2 report) may be particularly
useful to the user auditor given the report by the service auditor enables the
user auditor to perform risk assessment procedures and obtain audit evidence
about the design and operating effectiveness of controls at the service
organization.

12-11 The auditor uses the control risk assessments and the results of tests
of controls to determine the appropriate level of detection risk and the nature
and extent of substantive tests for the audit engagement. The auditor links the
control risk assessments at the transaction level to the balance-related audit
objectives for the accounts affected by the transaction cycles.

12-12 If the auditor assesses control risk as high for a transaction-related
audit objective, to maintain the desired level of audit risk the auditor will need to
set a lower level of detection risk. A lower level of detection risk in turn means
more extensive substantive testing.

12-13 The auditor may issue an unqualified opinion on internal control over
financial reporting when two conditions are present:
• there are no identified material weaknesses as of the balance sheet
date; and
• there have been no restrictions on the scope of the auditor’s work.

A scope limitation is the condition that would cause the auditor to
express a qualified opinion or a disclaimer of opinion on internal control over
financial reporting. This type of opinion is issued when the auditor is unable to
determine if there are material weaknesses, due to a restriction on the scope of
the audit of internal control over financial reporting or other circumstances
where the auditor is unable to obtain sufficient appropriate evidence.

12-14 The most significant difference in the assessment of control risk for
integrated audits versus financial statement-only audits is that control risk may
be assessed at maximum for some or all audit objectives for nonpublic
companies receiving a financial statement-only audit. Public companies, even
relatively smaller ones, are expected to have effective internal controls for all
significant transaction cycles and accounts. Thus, it is likely control risk will be
set as low for public companies, whereas that is not necessarily the expectation
for nonpublic companies.

12-15 The test data approach involves processing the auditor’s test data using
the client’s computer system and the client’s application software program to
determine whether the computer-performed controls correctly process the test
data. Because the auditor designs the test data, the auditor is able to identify
which test items should be accepted or rejected by the computer. When using
this approach, the auditor should assess the following:
• How effectively does the test data represent all relevant conditions
that the auditor wants to test?
• How certain is the auditor that the application programs being tested
by the auditor’s test data are the same programs used by the client
throughout the year to process actual transactions?
• How certain is the auditor that test data is effectively eliminated
from the client’s records once testing is completed?
Parallel simulation with audit software involves the auditor’s use of an
auditor-controlled software program to perform parallel operations to the
client’s software by using the same data files. Because the auditor’s software is
designed to parallel an operation performed by the client’s software, this strategy is
referred to as parallel simulation testing. Parallel simulation could be used in the
audit of payroll by writing a program that calculates the accrued vacation pay
liability for each employee using information contained in the employee
database file. The total liability calculated by the auditor’s software program
would then be compared to the client’s calculation to determine if the liability
for accrued vacation pay is fairly stated at year-end.
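
An added example, not part of the textbook solution: a small parallel simulation in Python for the accrued vacation pay case described in 12-15. The file layout, the liability formula (unused hours times hourly rate, with negative balances floored at zero) and every figure are constructed assumptions.

```python
"""Parallel simulation: auditor-controlled recomputation of accrued vacation pay."""
import csv
import io
from decimal import Decimal, ROUND_HALF_UP

CENT = Decimal("0.01")

# Constructed extract of the client's employee database file (assumed layout).
EMPLOYEE_FILE = """\
employee_id,hourly_rate,hours_accrued,hours_taken
E001,32.50,120.0,40.0
E002,41.00,80.0,80.0
E003,27.75,60.0,72.0
E004,55.20,200.0,16.0
"""

# Constructed output of the client's own software: liability per employee.
CLIENT_SCHEDULE = {
    "E001": Decimal("2600.00"),
    "E002": Decimal("0.00"),
    "E003": Decimal("0.00"),
    "E004": Decimal("10516.80"),  # differs from the auditor's recomputation
    "E999": Decimal("1500.00"),   # no matching record in the employee file
}


def load_employees(text):
    """Parse the employee file extract into a list of row dictionaries."""
    return list(csv.DictReader(io.StringIO(text)))


def simulate_liability(employees):
    """Recompute the liability per employee with the auditor's own logic."""
    result = {}
    for row in employees:
        hours = Decimal(row["hours_accrued"]) - Decimal(row["hours_taken"])
        # Assumption: an overdrawn balance is not a liability.
        hours = max(hours, Decimal("0"))
        amount = (hours * Decimal(row["hourly_rate"])).quantize(CENT, ROUND_HALF_UP)
        result[row["employee_id"]] = amount
    return result


def compare(auditor, client, tolerance=CENT):
    """List every employee where the two calculations disagree."""
    exceptions = []
    for emp_id in sorted(set(auditor) | set(client)):
        if emp_id not in client:
            exceptions.append((emp_id, "missing from client schedule", auditor[emp_id]))
        elif emp_id not in auditor:
            exceptions.append((emp_id, "not in employee file", -client[emp_id]))
        else:
            diff = auditor[emp_id] - client[emp_id]
            if abs(diff) > tolerance:
                exceptions.append((emp_id, "amount differs", diff))
    return exceptions


def run_simulation():
    """Return (auditor total, client total, exceptions) for the sample data."""
    auditor = simulate_liability(load_employees(EMPLOYEE_FILE))
    exceptions = compare(auditor, CLIENT_SCHEDULE)
    return sum(auditor.values()), sum(CLIENT_SCHEDULE.values()), exceptions


if __name__ == "__main__":
    auditor_total, client_total, exceptions = run_simulation()
    print("Auditor total:", auditor_total)
    print("Client total: ", client_total)
    for emp_id, reason, diff in exceptions:
        print(f"{emp_id}: {reason} ({diff})")
```

Comparing per employee rather than only in total shows which records drive the difference, including entries in the client's schedule that have no counterpart in the employee file.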

Multiple Choice Questions From CPA Examinations

12-16 a. (3) b. (3) c. (2)
12-17 a. (4) b. (4) c. (3)
12-18 a. (3) b. (3) c. (3)

Multiple Choice Questions From Becker CPA Exam Review

12-19 a. (4) b. (3) c. (2)

Discussion Questions and Problems

12-20 a. The size of a company has a significant effect on the nature of the
controls likely to exist. A small company has difficulty establishing
adequate separation of duties and justifying an internal audit staff.
However, a major type of control available in a small company is
the knowledge and concern of the top operating person, who is
frequently an owner-manager. Their ability to understand the
entire operation of the company is potentially a significant
compensating control. The owner-manager’s interest in the
organization and close relationship with the personnel enable
them to evaluate the competence of the employees and the
effectiveness of internal controls.
While some of the five control activities are unavailable in a
small company, especially adequate segregation of duties, it is still
possible for a small company to have proper authorization of
transactions and activities, adequate documents and records,
physical controls over assets and records, and, to a limited
degree, independent checks on performance.

b. Kumar and Collier take opposite and extreme views as to the
credence given to the system of internal control in a small firm.
Kumar seems to treat a small firm in the same manner as he
would a large firm, which is inefficient. Because many types of
controls are often lacking in a small firm, especially one that is a
nonpublic company, assessed control risk should be increased
and more extensive substantive tests must be used. Because
assessed control risk is higher, less emphasis is needed to
identify the internal controls.
Collier is not meeting the standards of the profession in that
she completely ignores the possibility of a severe deficiency in the
system. She must obtain an understanding of the system of
internal control to determine whether it is possible to conduct an
audit at all. Auditing standards require, at a minimum, an
understanding of the system of internal control.
The auditor must understand the control environment and
the flow of transactions. It is not necessary, however, for the
auditor to prepare flowcharts or internal control questionnaires. The
auditor of a nonpublic company is required to provide a written
report about significant deficiencies or material weaknesses to
those charged with governance, which may be common on many
small audit clients.

c. Collier’s approach is not acceptable when auditing either a public
or nonpublic company. Collier must obtain an understanding of the
system of internal control over financial reporting in all audits.
When the auditor assesses control risk below the maximum,
which is generally the case for public companies, the auditor must
perform tests of controls to determine whether key controls over
financial reporting are operating effectively. Those procedures
must provide Collier a basis to express an opinion about internal
controls over financial reporting for accelerated filer public
companies.

d. While Kumar’s approach includes procedures similar to those that
would be performed to obtain an understanding of internal
controls, if Kumar is auditing a public company, he may need to
expand those procedures to ensure that enough information is
obtained about the design and operation of internal controls over
financial reporting. Furthermore, Kumar must perform tests of key
controls over financial reporting to provide a basis for expressing
an opinion on internal controls over financial reporting for
accelerated filer public companies.

12-21 1. a. Automated control (AC).
b. Recorded sales transactions exist (occurrence).
c. Sales could be made to fictitious customers, or sales could
be made to customers with poor credit.
d. The auditor could perform substantive tests of transactions
or confirm year-end receivable balances to verify that they
exist.

2. a. Automated control (AC).
b. Recorded sales transactions exist (occurrence).
c. Sales could be made to fictitious customers, or sales could
be made to customers with poor credit.
d. The auditor could perform substantive tests of transactions
or confirm year-end receivable balances to verify that they
exist. The auditor can test subsequent collections on
outstanding receivables as a test of valuation.

3. a. Manual control with an automated component (MAC).
b. Sales transactions are accurate (accuracy).
c. Quantities invoiced could differ from amounts shipped or
ordered by the customer.
d. Substantive tests of transactions could be performed to
verify that quantities invoiced agree to quantities shipped
and ordered by the customer.

4. a. Manual control with an automated component (MAC).
b. Existing sales transactions are recorded (completeness).
c. Goods could be shipped but not invoiced to customers.
d. Trace from a sample of shipping documents to recorded
sales.

5. a. Manual control with an automated component (MAC). The
authorization of price changes is a manual control.
b. Sales transactions are accurate (accuracy).
c. Customers could be invoiced at incorrect prices.
d. Substantive tests of transactions could be performed to
verify that invoice prices agree with the approved price
database.

6. a. Manual control if sent by client personnel; automated
control if the statements are sent electronically by the
computer.
b. Recorded sales transactions exist and are accurate
(occurrence, accuracy).
c. Sales could be recorded to incorrect customers or for
incorrect amounts.
d. The auditor could perform substantive tests of transactions
or confirm year-end receivable balances to verify that they
exist and are accurate.

7. a. Automated control (AC).
b. Recorded sales transactions are correctly summarized and
recorded in the general ledger and recorded in correct
customer accounts (posting and summarization).
c. Failure to record sales or record them in customer
accounts.
d. Foot the journal for a test period and verify postings to the
general ledger and subledger. Test monthly reconciliation of
the accounts receivable subledger to the general ledger.

8. a. Manual control (MC).
b. Recorded sales transactions are correctly summarized and
recorded in the general ledger and subledger (posting and
summarization).
c. Failure to record sales or record them in customer
accounts.
d. Foot the journal for a test period and verify postings to the
general ledger and subledger.

12-22 1. a. Proper authorization of transactions and activities.
b. Recorded transactions exist and recorded transactions are
stated at the correct amounts.
c. Both errors and fraud are likely to be prevented if competent,
trustworthy employees are hired. Hiring honest employees
minimizes the likelihood of fraud. Hiring competent employees
minimizes the likelihood of unintentional errors.
d. Several types of intentional misstatements could occur if a
dishonest person is hired. Several types of unintentional
errors could also occur if an incompetent person is hired.
e. An examination of canceled checks or electronic payroll
deposits and supporting documents, including time records
and personnel records, is a test of the possibility of fraud. A
test of the calculation of payroll is a test for an unintentional
error caused by employees who are not competent.
2. a. Adequate segregation of duties and proper authorization of
transactions and activities.
b. Recorded transactions occurred.
c. An unauthorized or invalid time record turned in by an
existing employee. The time record may be for an employee
who formerly worked for the company or one who is
temporarily laid off.
d. Employees could be claiming too many hours by having a
friend punch them in early, or by making manual changes on
time records.
e. Check to see that all employees reflected in the time system
one day are physically present that day.
3. a. Adequate documents and records.
b. Existing transactions are recorded.
c. A missing time record number never could be identified
before preparation of payroll starts.
d. An employee would not be paid for a time period. (The
employee is almost certain to bring this to management’s
attention.) The primary benefit of the control would be to
prevent misstatements for a short period of time and to
prevent employee dissatisfaction from failure to pay them.
e. Obtain a list of company employees and make sure that
each one has received a paycheck for the time period in
question.
4. a. Independent check on performance.
b. Recorded transactions are stated at the correct amounts.
c. Mechanical errors in adding the number of hours, calculating
the gross payroll incorrectly, or calculating withholding
incorrectly.
d. Payroll checks incorrectly calculated could be paid to
employees.

e. Recheck the amounts for gross payroll, withholding and net
payroll.

5. a. Proper authorization of transactions and activities.
b. Recorded transactions occurred.
c. A paycheck cannot be processed for an invalid employee
number.
d. A fictitious payroll check could be processed for a
fictitious employee if invalid employee numbers are
included in the employee database.
e. Include test data transactions with invalid employee
numbers to be inputted into the payroll accounting system
and determine that all invalid transactions are automatically
rejected by the software application.

6. a. Adequate separation of duties.
b. Recorded transactions occurred.
c. A fictitious payroll check that is originated by the person
both preparing the payroll checks and distributing the payroll
checks.
d. If one person kept a record of time, prepared the payroll,
and distributed the checks, that person could add a
nonexistent employee to the payroll, process the
information for the employee and deposit the funds
electronically or by paycheck in their own bank account
without detection.
e. Perform a surprise payoff in which the auditor accounts for
all paychecks or notices of electronic payments and
distributes them to the employees, who must provide
identification in order to receive their checks or payroll
direct deposit notifications.

7. a. Proper authorization of transactions and activities, and
adequate documents and records.
b. Recorded transactions occurred.
c. The preparation of an inappropriate payroll check for a
former employee is prevented.
d. A terminated employee could be continued on the payroll
with someone else obtaining the paycheck.
e. Perform a surprise payoff in which the auditor accounts for
all paychecks or payroll direct deposit notifications and
distributes them to the employees, who must provide
identification to receive their checks or payroll direct deposit
notifications.

8. a. Physical control over assets and records, and adequate
segregation of duties.
b. Recorded transactions occurred.
c. Checks prepared for nonexistent employees or employees
on vacation, or absent for other reasons, are controlled
and safeguarded.
d. Checks could be lost that were intended for absent
employees or a check could be taken by the person
responsible for distributing the checks.
e. Examine canceled checks to make certain that each check
is properly endorsed, supported by a time record, and the
person to whom the check is made out is still working for the
company.

9. a. Proper authorization of transactions and activities and
adequate separation of duties.
b. Recorded transactions occurred and recorded transactions are
stated at the correct amounts.
c. Preparation of a check for a fictitious employee or preparation of
checks using an unapproved pay rate are prevented.
d. A fictitious payroll check could be processed for a fictitious
employee if those with record keeping responsibilities are
allowed to enter new employee numbers into the payroll
database. Also, paychecks to valid employees could be
overstated if unauthorized personnel have the ability to
make changes to the pay rates in the database.
e. Attempt to access the online payroll database file using a
password that is not allowed access to that database file.

12-23 1. a. • The payroll checks should not be returned to the
computer department supervisor but should be
distributed by persons independent of those having a
part in generating the payroll data.
• There is a lack of internal verification of the hours,
rates, extensions, or employees by above.
b. • Padding of payroll with fictitious names and
extracting the checks made out to such names when
they are returned after they have been signed.
• There may be misstatements in hours, rates,
extensions, and the existence of nonworking
employees.
c. • Have the checks handed out by an independent
person and not returned to Strode.
• Internal verification of that information by Lee or
someone else.
2. a. • Supplying the receiving department with electronic
access to the purchase order is regarded as a
deficiency in that the department may be less careful
in checking goods than they would be if they were
working without a record of the quantities that should
be received.
• The failure to have the storekeeper receipt for the
materials when they are sent to them from the
receiving department or to tie in the items placed in
storage with the acquisition constitutes a deficiency in
control in that responsibility for shortages cannot be
conclusively placed on either receiving or stores. The
receiving department might, in collusion with a
vendor, report receipts of materials that were never
received. Also, either the receiving department or the
stores department might fraudulently convert some of
the materials and because of the lack of a record of
responsibility, the company would be unable to
determine which department was responsible.
b. • The first deficiency increases the likelihood of
obsolete inventory and the possibility of theft of
shipments larger than the amount ordered. It also
increases the likelihood of inaccurate counts of
inventory actually received and recorded.
• The failure to isolate responsibility for shortages also
increases the likelihood of obsolescence in that
employees are likely to be less concerned when they
are not held accountable. Because the company
cannot isolate responsibility, it might also encourage
receiving or stores to take goods.
c. Use a “blind” copy of the purchase order or a separate
receiving report without a copy of the purchase order. Use
perpetual inventory records to hold the storekeeper
accountable. The storekeeper should also initial the
receiving report or purchase order when they receive the
goods.

3. a. The bank statement should not be reconciled by the
manager but should be sent by the bank directly to the
home office, where the reconciliations should be made
against the manager’s report of cash disbursements.
b. The manager may draw checks to herself or others for
personal purposes and omit them from her list of cash
disbursements or inflate other reported disbursement
amounts.

c. Have all bank statements sent directly to the home office
and have Cooper report directly to the home office by use
of a list of cash disbursements and all supporting
documentation.

12-24 1. No testing is required in the December 31, 2023, audit because
the auditor has determined that the automated control has not
been changed since the prior year. The auditor obtains
reasonable assurance that the automated control has not been
changed due to the effective controls over IT security and software
program changes. Thus, the auditor should consider the extent of
testing of IT security and software changes that might be
necessary in the current year audit due to the auditor’s reliance on
them to prevent changes to the underlying automated
reconciliation control.

2. No testing is required in the December 31, 2023, audit because
the auditor has determined that the automated controls have not
been changed since the prior year. The auditor obtains
reasonable assurance that the automated controls have not been
changed due to the effective controls over IT security and
software program changes. Thus, the auditor should consider the
extent of testing of IT security and software changes that might be
necessary in the current year audit due to the auditor’s reliance on
them to prevent changes to the underlying automated purchase
controls.

3. Testing is required in the December 31, 2023, audit because the
underlying control is performed by a person and is not automated.
Because the control is manually performed, there is a risk that the
operation of the control may not be consistent with the design or
the control may not have been performed. Thus, the auditor
should test the control’s operating effectiveness in the current
year’s audit.
4. Testing is required in the December 31, 2023, audit because the
control is designed to mitigate a significant risk. Controls that
mitigate significant risks must be tested each year.
5. Testing is required in the December 31, 2023, audit because the
client made changes to the software system during the current
year.

12-25 The following are deficiencies of internal control, by transaction-related
audit objective.
Occurrence
• The receiving report is not sent to the stores department. A copy
of the receiving report should be sent from the receiving room
directly to the stores department with the materials received. The
stores department, after verifying the accuracy of the receiving
report, should indicate approval on that copy and send it to the
accounts payable department. The copy sent to accounts payable
will serve as proof that the materials ordered were received by the
company and are in the user department.
• The controller should not be responsible for cash disbursements.
The cash disbursement function should be the responsibility of the
treasurer, not the controller, so as to provide proper segregation of
duties between the custody of assets and the recording of
transactions.
• The purchase requisition is not approved. The purchase
requisition should be approved by a responsible person in the
stores department. The approval should be indicated on the
purchase requisition after the approver is satisfied that it was
properly prepared based on a need to replace stores or the
proper request from a user department.
• Preliminary review should be made before preparing purchase
orders. Prior to preparation of the purchase order, the purchase
office should review the company’s need for the specific materials
requisitioned and approve the request.

Completeness
• Purchase orders and purchase requisitions should not be
combined and filed with the unmatched purchase requisitions, in
the stores department. A separate file should be maintained for
the combined and matched documents. The unmatched purchase
requisitions file can serve as a control over merchandise
requisitioned but not yet ordered.
• There is no indication of control over vouchers in the accounts
payable department. A record of all vouchers submitted to the
cashier should be maintained in the accounts payable department,
and a copy of the vouchers should be filed in an alphabetical
vendor reference file.
• There is no indication of any control over prenumbered
documents. All prenumbered documents should be accounted for.


Accuracy
• Purchase requisitions and purchase orders are not compared in the
stores department. Although purchase orders are attached to
purchase requisitions in the stores department, there is no
indication that any comparison is made of the two documents.
Prior to attaching the purchase order to the purchase
requisition, the requisitioner’s functions should include a check
that:

a. Prices are reasonable;
b. The quality of the materials ordered is acceptable;
c. Delivery dates are in accordance with company needs;
d. All pertinent data on the purchase order and purchase
requisition (e.g., quantities, specifications, delivery dates,
etc.) are in agreement.

Because the requisitioner will be charged for the materials
ordered, the requisitioner is the logical person to perform these
steps.
• The purchase office does not review the invoice prior to processing
approval. The purchase office should review the vendor’s invoice
for overall accuracy and completeness, verifying quantity,
prices, specifications, terms, dates, etc., and if the invoice is in
agreement with the purchase order, receiving report, and
purchase requisition, the purchase office should clearly indicate
on the invoice that it is approved for payment processing. The
approved invoice should be sent to the accounts payable
department.
• The copy of the purchase order sent to the receiving room generally
should not show quantities ordered, thus forcing the department to
count goods received. In addition to counting the merchandise
received from the vendor, the receiving department personnel
should examine the condition and quality of the merchandise upon
receipt.
• There is no indication of control over dollar amounts on vouchers.
Accounts payable personnel should prepare and maintain control
information on the dollar amounts of vouchers. Such information
should be sent to departments posting transactions to the general
ledger and database files.
Note: Classification, timing, posting and summarization, and
presentation are not applicable. Recording in journals is not
included in the flowcharts.

12-26 Following are the appropriate reporting formats for the six independent
situations:

| INDEPENDENT SITUATION | APPROPRIATE AUDIT REPORT | REASON FOR REPORT |
|---|---|---|
| 1. | Unqualified | The control deficiency was remediated and the auditor was able to obtain sufficient appropriate evidence that the new control operates effectively. Thus, an unqualified opinion on internal control is appropriate. |
| 2. | Unqualified | Because the auditor does not believe the significant deficiency in internal control is a material weakness, the auditor’s report would contain an unqualified opinion. |
| 3. | Adverse | The detection of a deficiency that will not prevent or detect a material misstatement in the financial statements meets the definition of a material weakness, which requires an adverse opinion. |
| 4. | Adverse | The auditor considers the combination of the several significant deficiencies to be a material weakness requiring an adverse opinion. |
| 5. | Qualified or disclaimer | The auditor’s inability to obtain any evidence about the operating effectiveness of internal controls represents a scope limitation. |
| 6. | Adverse | The presence of a material misstatement not detected by the company’s internal controls is considered at least a significant deficiency, if not a material weakness, for purposes of reporting on internal controls. |

12-27 a. The use in grocery stores of bar code scanning technologies impacts
a number of financial statement accounts for a grocery. The bar
code scanner is used to retrieve unit prices for each product
scanned, which is then used to calculate the amount to be posted
to the Revenue, Sales Tax Payable, and Cash accounts (and any
overnight Receivable accounts related to sales paid by debit and/or
credit cards that may not be processed until the next business
day). Sometimes bar scanning technologies are used to process
coupons and other discounts, which would be recorded in the
Sales Discount account. Similarly, when goods are returned by
customers to the store, the bar scanning technology is used to
process amounts recorded in the Sales Returns account and related
credit to the Cash account. In addition to recording the transaction
amounts paid by the customer, the bar scanning technologies are
also used to update perpetual inventory records for cost amounts,
which impacts the Inventory and Cost of Goods Sold accounts.

b.

| Risks Inherent to Sales Processing | Accounts Affected | How Bar Scanning Technologies Help Reduce Risk |
|---|---|---|
| Wrong unit price is used to process sale | Revenues; Cash | The system automatically retrieves the unit retail price from the approved price list database file. |
| Calculation of amounts due from customer for all items purchased is inaccurate | Revenues; Cash; Sales Taxes Payable | The system extends price times quantity and adds each extended amount to calculate the total sales price, including sales taxes due from customer. |
| Reduction in inventory accounts for items sold is inaccurate | Inventory; Cost of Goods Sold | The system tracks the number of units removed by product number, which is used to update perpetual inventory records. |
| Not all inventory items taken by customer are included in the processing of the customer’s purchase amount | Revenues; Cash; Inventory; Cost of Goods Sold | As the system reads each bar code, it generates a sound to indicate to the cashier and customer that each product scanned has been captured by the system. |
| Coupons and discounts are incorrectly calculated | Sales Discounts; Cash | The system retrieves coupon and discount information from the database of promotions and discounts and automatically calculates discount amounts. |


c. Below are examples of how the auditor might test the operating
effectiveness of the bar code scanner technology:
1. The auditor could select a number of different products and
use the bar scanning technology to process the sales amounts
for comparison to the auditor’s separate calculation of
transaction amounts based on items processed. The auditor
could perform the same kind of test using coupons and other
discount programs.
2. The auditor may be able to use audit software to test the
accuracy of individual customer transactions and to test the
summation of all customer transactions processed by a cash
register machine by day and by store.
3. The auditor may be able to use audit software to test the
accuracy of the postings of daily totals to the client’s general
ledger system.
4. The auditor may use audit software to review all unit prices
in the price list database file to identify unusual price
amounts for further investigation (e.g., negative prices,
large unit prices, etc.).
5. The auditor may be able to use audit software to identify
the most recent date of sale by product number to identify
those products that have not been sold to customers for an
extended period of time to identify potentially obsolete
inventory still on hand.

12-28 a. The nature of generalized audit software is to provide computer
programs that can process a variety of file media and record formats
to perform a number of functions using computer technology.
There are several types of generalized audit software
packages. Usually, generalized audit software is a purchased audit
software program that is Windows-based and easily operated on
the auditor’s computer. Other generalized audit software exists
that contains programs that create or generate other programs,
programs that modify themselves to perform requested
functions, or skeletal frameworks of programs that must be
completed by the user.
A package can be used to perform or verify mathematical
calculations; to include, exclude, or summarize items having specified
characteristics; to provide subtotals and final totals; to compute,
select, and evaluate statistical samples for audit tests; to print
results or sequences that will facilitate an audit step; to compare,
merge, or match the contents of two or more files; and to produce
machine-readable files in a format specified by the auditor.

b. Ways in which a generalized audit software package can be used
to assist in the audit of inventory of Boos & Baumkirchner, Inc.,
include the following:
1. Compare data in the electronic count record system used on
the physical count day to the data in the inventory database
and list all differences. This will assure that the electronic
count record system being used is complete.
2. Determine which items and parts are to be test-counted by
selecting a random sample from electronic count record
system or the electronic inventory database file. Exclude
from the population items with a high unit cost or total value
that have already been selected for test counting.
3. Access the client’s electronic inventory database and list all
items or parts for which the date of last sale or usage
indicates a lack of recent transactions. This list provides data
for determining possible obsolescence.
4. Access the client’s inventory database and list all items or
parts of which the quantity on hand seems excessive in
relation to quantity used or sold during the year. This list
provides data for determining overstocked or slow-moving
items or parts.
5. Access the client’s electronic inventory database file and list
all items or parts where the quantity on hand seems
excessive in relation to economic order quantity. This list
should be reviewed for possible slow-moving or obsolete
items.
6. Record audit test-count quantities. Match audit test count
quantities against the client’s adjusted inventory database
file, comparing the quantities in the audit test counts to the
quantities in the inventory database and list any differences.
This will indicate whether the client’s year-end inventory
counts and the inventory database are in agreement.
7. Use the adjusted electronic inventory database file and
independently extend and total the year-end inventory and
generate the grand total on an output report. When
compared to the balance determined by the client, this will
verify the calculations performed by the client.
8. Use the client’s electronic inventory database file and list all
items with a significant cost per unit. The list should show
cost per unit and both major and secondary vendor codes.
This list can be used to verify the cost per unit.
9. Use the costs per unit on the client’s electronic inventory
database file and extend and total the dollar value of the
counts on the audit test count records. When compared to
the total dollar value of the inventory, this will permit
evaluation of audit coverage.
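
The following added example (not part of the original solution and not tied to any particular audit software package) sketches procedures 1, 3, 4, 6 and 7 from the list above in Python. The records, field names and thresholds (180 days without a sale, 12 months of supply) are constructed assumptions.

```python
"""Inventory audit tests over constructed sample data (all values hypothetical)."""
from datetime import date
from decimal import Decimal

# Constructed extract of the client's inventory database.
INVENTORY_DB = [
    {"part": "A100", "qty": 40, "unit_cost": Decimal("12.50"),
     "last_sale": date(2023, 12, 4), "used_ytd": 480},
    {"part": "B200", "qty": 900, "unit_cost": Decimal("3.10"),
     "last_sale": date(2023, 11, 20), "used_ytd": 150},
    {"part": "C300", "qty": 15, "unit_cost": Decimal("240.00"),
     "last_sale": date(2022, 9, 1), "used_ytd": 0},
    {"part": "D400", "qty": 60, "unit_cost": Decimal("8.00"),
     "last_sale": date(2023, 12, 28), "used_ytd": 700},
]
# Constructed count records: part number -> quantity counted.
CLIENT_COUNTS = {"A100": 40, "B200": 900, "C300": 15, "E500": 5}
AUDIT_TEST_COUNTS = {"A100": 40, "C300": 12}
YEAR_END = date(2023, 12, 31)


def compare_counts(counts, db, sample_only=False):
    """Procedures 1 and 6: list (part, counted, on_file) for every difference.

    With sample_only=True only the counted parts are checked, which is the
    right mode for the auditor's test counts (a sample, not a full count).
    """
    on_file = {r["part"]: r["qty"] for r in db}
    parts = sorted(counts) if sample_only else sorted(set(counts) | set(on_file))
    return [(p, counts.get(p), on_file.get(p))
            for p in parts if counts.get(p) != on_file.get(p)]


def no_recent_activity(db, as_of, max_days=180):
    """Procedure 3: parts whose last sale is more than max_days before as_of."""
    return [r["part"] for r in db if (as_of - r["last_sale"]).days > max_days]


def excess_on_hand(db, max_months_supply=12):
    """Procedure 4: on-hand quantity exceeds max_months_supply of this year's usage."""
    flagged = []
    for r in db:
        monthly_use = Decimal(r["used_ytd"]) / 12
        # No usage at all with stock on hand is the extreme case of excess.
        if r["qty"] > 0 and (monthly_use == 0
                             or r["qty"] / monthly_use > max_months_supply):
            flagged.append(r["part"])
    return flagged


def extend_and_total(db):
    """Procedure 7: independently extend quantity x unit cost and foot the file."""
    return sum((r["qty"] * r["unit_cost"] for r in db), Decimal("0"))


if __name__ == "__main__":
    print("Count vs. database differences:", compare_counts(CLIENT_COUNTS, INVENTORY_DB))
    print("Test-count differences:",
          compare_counts(AUDIT_TEST_COUNTS, INVENTORY_DB, sample_only=True))
    print("No recent sales:", no_recent_activity(INVENTORY_DB, YEAR_END))
    print("Excess on hand:", excess_on_hand(INVENTORY_DB))
    print("Recomputed inventory total:", extend_and_total(INVENTORY_DB))
```

The recomputed total is the figure to compare with the balance determined by the client; each exception list is a starting point for follow-up, not a conclusion.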
12-29

| INTERNAL CONTROL | a. TYPE OF CONTROL | b. TRANSACTION-RELATED AUDIT OBJECTIVE | c. OPPORTUNITY TO RELY ON PRIOR YEAR TESTING |
|---|---|---|---|
| 1 | AC | Recorded payroll transactions exist for valid employees | Yes |
| 2 | MC | Recorded payroll transactions exist (i.e., are for time actually worked) | No, since manual control |
| 3 | MC | Recorded payroll transactions are at the correct amounts | No, since manual control |
| 4 | AC | Recorded payroll transactions exist (i.e., for valid work performed); recorded payroll transactions are at the correct amounts | Yes |
| 5 | AC | Recorded payroll transactions exist (i.e., are for currently employed personnel) | Yes |
| 6 | AC | Recorded payroll transactions are classified into the correct accounts | Yes |
| 7 | AC | Recorded payroll transactions are at the correct amounts | Yes |
| 8 | AC | Recorded payroll transactions are summarized and posted to the correct general ledger account at the correct amounts | Yes |
| 9 | MC | Recorded payroll transactions exist; existing payroll transactions are recorded | No, since manual control |
| 10 | AC | Recorded payroll transactions exist (i.e., are for time actually worked) | Yes |

12-30 a. The following deficiencies in the Parts for Wheels, Inc., online
sales system may lead to material misstatements:
1. Lack of Sales System Interface. The lack of automatic
interface between the online sales ordering system and the
sales accounting system may increase the risk of material
misstatements for sales.
Sales orders printed from the online system may be
lost and not recorded, or they may be recorded more than
once if not properly controlled. Additionally, because each
sale must be manually entered, there is increased risk
that sales may be processed or recorded inaccurately.
2. Lack of Inventory System Interface. The lack of automatic
interface between the online sales ordering system and the
inventory management system may increase the risk that
processed sales may not be properly reflected in the
inventory accounting records. With manual processing,
there may be some risk that shipments occurred without
completion of a proper bill of lading, which is required to
adjust inventory records. As a result, shipments will not be
accurately deducted from inventory records. Also, if bills of
lading are not properly numbered and accounted for, there
is a possibility that completed bills of lading are not entered
or are entered more than once. Furthermore, the manual
process of recording inventory transactions increases the
risk of inaccurate posting of bills of lading into the inventory
records.
3. Manual Credit Approval. The process of verifying credit
authorization with the credit card agency is dependent on
human processing. The lack of automatic electronic credit
authorization may increase the risk of sales to unauthorized
customers. This may lead to an increased risk of collection
problems from credit card receivables.
4. Premature Recording. Currently, sales are entered into the
sales journal on the date credit is authorized, which is often
the date the order is placed. This may result in premature
recording of sales, given that sales are recorded before
shipment has occurred. As a result, sales may be recorded
in accounting periods different from when inventory records
are updated for the shipment. Cutoff problems may occur.
5. Inadequate Tracking of Returns. If systems for tracking and
estimating online sales returns are inadequate, Parts for
Wheels, Inc., may understate estimates of customer returns,
including estimated costs for refunding shipping costs. This
could result in overstated net sales and understated
shipping costs.


b. Below are suggested changes that could be made to the existing
manual system to enhance internal control, without re-designing
the online system:

1. When the accounting department prints submitted orders
from the online system, each order should be numbered
sequentially with the range of used numbers logged daily.
When the sales orders are recorded, the order number
should be recorded.
2. Prenumbered bills of lading should be used. All bills of
lading should be accompanied by the sales order used by
warehouse personnel to process shipment. All bills of lading
should be forwarded to accounting on the date of shipment.
3. Accounting should match the bills of lading with the accounting
department’s copy of the sales orders before any entries
are recorded in the sales journal and inventory system.
Entries to the sales journal and inventory records should be
made on the same day to ensure consistent cutoff of the
recording of transactions.

c. For the deficiencies identified in part a, the auditors would be most
concerned about the following transaction-related and balance-
related audit objectives:
1. Lack of Sales System Interface. Auditors would be
concerned about occurrence, completeness, accuracy, and
timing of sales as well as occurrence, completeness,
accuracy, and cutoff of accounts receivable.
2. Lack of Inventory System Interface. Auditors would be
concerned about occurrence, completeness, accuracy, and
timing of cost of goods sold as well as occurrence,
completeness, accuracy, and cutoff of inventory.
3. Manual Credit Approval. Auditors would be most concerned
with realizable value of credit card receivables.
4. Premature recognition. Auditors would be most concerned
with timing of sales recognition and cutoff of accounts
receivable.
5. Inadequate Tracking of Returns. The auditor would be
concerned about completeness of sales returns
(occurrence of sales) and shipping costs.

d. Auditors could use generalized audit software in several ways.
First, they could use audit software to match orders made through
the online sales order system to sales recorded manually by
comparing the records. Any unmatched orders or sales could be
used to compare the date of the shipment according to the bill of
lading to the date the sale is recorded to identify sales recorded
prematurely at year-end.
Audit software could also be used to compare updates to
the inventory system with the sales recorded to ensure all sales
are recorded in the inventory system as well. Each of the
procedures using generalized audit software would be made even
easier by the changes recommended in part b. above.
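
The matching and cutoff comparisons in part d, together with the sequential numbering recommended in part b, can be sketched as follows. This is an added example, not part of the original solution; the orders, journal entries, bills of lading and field names are constructed, and amounts are held in cents to avoid rounding differences.

```python
"""Order-to-sales matching, number-sequence and cutoff tests (constructed data)."""
from collections import Counter
from datetime import date

YEAR_END = date(2023, 12, 31)

# Constructed export from the online sales ordering system.
ONLINE_ORDERS = [
    {"order_no": 1001, "amount_cents": 25000},
    {"order_no": 1002, "amount_cents": 4000},
    {"order_no": 1003, "amount_cents": 12050},
    {"order_no": 1004, "amount_cents": 9900},
    {"order_no": 1005, "amount_cents": 31000},
]
# Constructed sales journal, keyed in manually from printed orders.
SALES_JOURNAL = [
    {"order_no": 1001, "amount_cents": 25000, "recorded": date(2023, 12, 28)},
    {"order_no": 1002, "amount_cents": 4000, "recorded": date(2023, 12, 29)},
    {"order_no": 1002, "amount_cents": 4000, "recorded": date(2023, 12, 29)},
    {"order_no": 1003, "amount_cents": 12500, "recorded": date(2023, 12, 30)},
    {"order_no": 1005, "amount_cents": 31000, "recorded": date(2023, 12, 31)},
    {"order_no": 1009, "amount_cents": 5000, "recorded": date(2023, 12, 30)},
]
# Constructed prenumbered bills of lading forwarded by the warehouse.
BILLS_OF_LADING = [
    {"bol_no": 501, "order_no": 1001, "shipped": date(2023, 12, 29)},
    {"bol_no": 502, "order_no": 1002, "shipped": date(2023, 12, 30)},
    {"bol_no": 503, "order_no": 1003, "shipped": date(2023, 12, 31)},
    {"bol_no": 505, "order_no": 1005, "shipped": date(2024, 1, 3)},
]


def match_orders_to_sales(orders, journal):
    """Compare online orders with recorded sales and classify the exceptions."""
    ordered = {o["order_no"]: o["amount_cents"] for o in orders}
    times_recorded = Counter(s["order_no"] for s in journal)
    return {
        # Completeness: order placed but never recorded as a sale.
        "unrecorded": sorted(n for n in ordered if n not in times_recorded),
        # Occurrence: recorded sale with no supporting online order.
        "no_order": sorted(n for n in times_recorded if n not in ordered),
        # Occurrence: the same order recorded more than once.
        "duplicates": sorted(n for n, c in times_recorded.items() if c > 1),
        # Accuracy: recorded amount differs from the order amount.
        "amount_mismatch": sorted({
            s["order_no"] for s in journal
            if s["order_no"] in ordered
            and s["amount_cents"] != ordered[s["order_no"]]
        }),
    }


def sequence_gaps(numbers):
    """Return document numbers missing from a prenumbered sequence."""
    present = set(numbers)
    if not present:
        return []
    return [n for n in range(min(present), max(present) + 1) if n not in present]


def cutoff_exceptions(journal, bols, year_end):
    """Sales recorded by year-end that shipped after year-end or have no bill of lading."""
    shipped = {b["order_no"]: b["shipped"] for b in bols}
    exceptions = []
    for sale in journal:
        ship_date = shipped.get(sale["order_no"])
        if sale["recorded"] <= year_end and (ship_date is None or ship_date > year_end):
            exceptions.append((sale["order_no"], sale["recorded"], ship_date))
    return exceptions


if __name__ == "__main__":
    print(match_orders_to_sales(ONLINE_ORDERS, SALES_JOURNAL))
    print("Missing bill of lading numbers:",
          sequence_gaps(b["bol_no"] for b in BILLS_OF_LADING))
    print("Cutoff exceptions:",
          cutoff_exceptions(SALES_JOURNAL, BILLS_OF_LADING, YEAR_END))
```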

12-31 a. When an organization outsources its information technology functions
to a third party, there are several inherent risks that arise. For First
Community Bank, management is totally reliant on Technology
Solutions’ internal controls designed to protect IT hardware,
operations, software, and data maintained at the data center. In
essence, the design and operation of most of the IT general
controls necessary to reduce IT related risks to acceptable levels
are under direct control of Technology Solutions. Thus, the bank’s
management is reliant on Technology Solutions’ implementation of
effective IT-related general controls.
Because First Community must transmit transaction related
data between the bank and the Technology Solutions data center,
there is a risk that data may be lost, corrupted, or stolen during the
communication transfer process. Also, like First Community,
other organizations that use Technology Solutions to manage IT
have access to servers located at Technology Solutions. There is
some risk that other customers of Technology Solutions might
negatively affect IT operations of First Community.
b. As noted in the answer to part a., the outsourcing of the IT function
to Technology Solutions means that most of the IT general controls
are now under the direct supervision of management at Technology
Solutions. While management at First Community continues to be
responsible for the design and operation of internal controls,
including those related to IT, they are now dependent on Technology
Solutions’ design and operation of effective IT controls, especially
those related to IT general controls.
c. The use of Technology Solutions is likely to have a significant
effect on the audit of the financial statements of First Community
Bank. Because the bank has outsourced all of the bank’s financial
reporting applications to Technology Solutions, most of the IT-related
controls and underlying applications and data files now
reside at Technology Solutions. The auditors for First Community
will need to understand all IT related operations, including those at
Technology Solutions, so that they can understand internal control,
assess the risks of material misstatements, and perform appropriate
tests of controls and substantive tests. Most likely the auditors of
First Community will seek a service auditor’s SOC 1® Type 2
report on controls that have been implemented and tested for
operating effectiveness.
12-32 a. 1. Automated control embedded in computer software
2. Manual control with effectiveness based significantly on IT-
generated information
3. Automated control embedded in computer software
4. Manual control with effectiveness based significantly on IT-
generated information
5. Manual control with effectiveness not significantly reliant on
IT-generated information
b. 1. The extent of testing of this control could be significantly
reduced in subsequent years if effective controls over program
and database changes are in place. Such controls would
increase the likelihood that the inventory software program
that contains the automated control and the related inventory
database are not subject to an unauthorized change. If the
auditor determines that no changes have been made to the
automated control, the auditor can rely on prior year audit
tests of the controls as long as the control is tested at least
once every third audit year. If the control mitigates a
significant risk, the control must be tested in the current
year’s audit.
2. The extent of testing of this control could be moderately
reduced in subsequent years if effective controls over
program and database changes are in place. Such controls
would increase the likelihood that the printout of reorder
points accurately reflects actual inventory use. Adequate
controls over the database decrease the likelihood that
reorder points have been changed without authorization.
However, because this control is also dependent on
manager review of computer-generated output, some
testing may be required each year, although the amount of
testing may be reduced by effective general controls.
3. The extent of testing of this control could be significantly
reduced in subsequent years if effective controls over
program and database changes are in place. Such controls
would increase the likelihood that the inventory software
program that processes the automatic purchase order and
the related inventory database of product numbers are not
subject to an unauthorized change.
4. The extent of testing of this control could be moderately
reduced in subsequent years if effective controls over
program changes are in place. Such controls would
increase the likelihood that the purchasing system software
program that identifies purchases exceeding $10,000 per
vendor functions accurately. However, because this control
is also dependent on manager review of the computer-
generated exception listing, some testing may be required
each year.
5. Because this control is not dependent on technology
processes, the strength of general controls over program and
database changes is not likely to have an impact on the extent
of testing of this review by the sales department manager.

12-33 a. The guidance in AS 1305 applies only to an audit of financial
statements. For an integrated audit of financial statements and
internal control over financial reporting, auditors should refer to
paragraphs .78-.84 of AS 2201, Audit of Internal Control Over
Financial Reporting That is Integrated with An Audit of Financial
Statements.
b. Paragraph .04 of the standard indicates that the auditor should
communicate in writing to management and the audit committee
all significant deficiencies and material weaknesses identified
during the audit. The written communication should be made prior
to the issuance of the auditor’s report on the financial statements.
If there is no audit committee, the communications should be
made to the entire board of directors of the company.
c. As discussed in paragraph .04 the auditor should communicate in
writing all significant deficiencies and material weaknesses
identified during the audit. The auditor’s communication should
distinguish clearly between those matters considered significant
deficiencies and those considered material weaknesses.
Paragraph .06 indicates the communications should include the
following:
• Definitions of significant deficiencies and material weaknesses.
• A statement that the objective of the audit was to report on the
financial statements and not to provide assurance on internal
control.
• A statement that the communication is intended solely for the
information and use of the board of directors, audit committee,
management, and others within the organization.
d. Paragraph .08 indicates the auditor may not communicate that no
significant deficiencies or material weaknesses were identified
because of the potential that the limited degree of assurance
associated with such a report may be misunderstood.

12-34 Students should have located the Form 10-K for Peloton for the year
ended June 30, 2021 by either visiting the company’s website or by
visiting the SEC’s website to use the EDGAR Full-Text Search option to
identify the company’s filings more efficiently.

1. Management’s Annual Report on Internal Control Over Financial
Reporting is found on page 131. Management notes that they
excluded from their assessment of internal control over
financial reporting the operations and assets related to Precor,
Inc., which represented 12 percent and 2 percent of Peloton’s
total assets and revenues, respectively. Management reports
that they did not maintain effective internal control over
financial reporting with respect to the identification and
valuation of inventory.
• Controls were not effectively designed, documented, and
maintained to verify that the existence of all inventories
subject to physical inventory counts were correctly counted,
and our process for compiling and communicating inventory
data to ensure accurate reporting in our financial
statements was not effective, including inadequate
verification for completeness and accuracy of key reports
used to review and monitor inventory balances.
2. The company reported the following remediation activities:
• Evaluating the effectiveness of their current cycle count program
and controls, including IT general controls over systems
facilitating cycle counts, to automate inventory count and
reporting.
• Implementing a global inventory count policy and standard
operating procedures to ensure consistent communication of the
inventory count process and adherence to these policies at
facilities managed by them and third party logistics service
providers.
• Providing training of standard operating procedures and internal
controls to key stakeholders within the supply chain, logistics,
and inventory processes.
• Implementing enhanced documentation associated with
management review controls and validation of the completeness
and accuracy of key reports used across the inventory process.

3. The report on internal control over financial reporting of the
independent registered public accounting firm is found on page 98
and is separate from
the report on the financial statements. The auditor expressed an
adverse opinion on internal control over financial reporting due to
the material weakness.

Case

12-35 1. Strengths in lines of reporting from IT to senior management at
Jacobsons:
• Melinda Cullen (IT Manager) and the chief operating officer
(COO) work closely on identifying hardware and software
needs.
 Melinda’s boss, the COO, has access to the board of directors
and provides periodic updates about IT issues, if needed.
Deficiencies in lines of reporting from IT to senior management:
• The chief IT person (Melinda) is relegated to a manager level
and is not considered a part of the senior executive team.
This signals a potential lack of adequate support extended
by top management to the IT function.
• The IT Manager reports to a key user, the COO. The COO
may place undue pressure on IT to work on IT related projects
that affect the COO’s areas of responsibility. Thus, other
areas, such as those under the chief financial officer’s control
(e.g., the accounting system), may not receive adequate
IT resources.
• Melinda and the COO make all major hardware and software
decisions without input from other user personnel and the
board of directors.
• There does not appear to be a written IT strategic plan that
sets direction for the IT function.
Recommendations related to the lines of reporting from IT to senior
management:
• The IT Manager should report directly to the president and
be considered a part of senior management (e.g., on equal
footing relative to the COO, CFO, etc.).
• The board of directors should receive regular input from the
IT Manager about the status of IT projects.
• A written strategic plan should be developed and reviewed
annually by the board.
• Significant hardware and software changes should be approved
by the board or its IT Steering Committee. Other changes
to application software should also be approved by affected
user departments.

2. Assessment of Melinda’s fulfillment of IT Manager responsibilities,
including her strengths:
• Melinda is actively involved in the IT function and closely
monitors day-to-day IT activities.

• Melinda is experienced in Jacobsons’ IT function, having been
employed by the company for 12 years. She has served in
several IT roles at Jacobsons. Thus, she offers stability for
the IT function.
• Melinda performs extensive background checks before offering
candidates employment in IT functions.
• Melinda has successfully maintained a fairly stable IT staff.
• Melinda conducts weekly IT departmental meetings to discuss
issues affecting the performance of the department.
• Apparently, the IT department is functioning well, given that
few IT-related problems must be reported by the COO to the
board.
Concerns about current management of the IT function:
• Melinda may be over-delegating tasks to IT personnel without
maintaining close accountability for employee actions. For
example, programmers are given extensive leeway in
programming changes to software and operators check each
other’s work to ensure that Melinda’s job schedule was
properly followed.
• Melinda spends too much of her time in the systems analyst
role, which leaves little time for her to adequately monitor
all IT tasks.
Recommendations for change related to the management of the
IT department:
• Consider assigning systems analyst responsibilities to a
senior programmer.
• Establish standardized programming procedures and have
Melinda review changed programs for compliance with those
procedures.
• Melinda should reconcile the Job Processed Log to the job
schedule developed by her.
• Melinda should assign or at least approve the assignment of
programmer staff responsibilities.

3. Assessment of the strengths of the programming function at
Jacobsons:
• The programming staff is experienced with both systems
software and Jacobsons’ application software.
• The assignment of projects based on time availability of
programmers ensures that each programmer stays familiar
with all types of software in use at Jacobsons.
• Programmers regularly attend continued professional
education courses.
• Extensive logs of changes made to programs are maintained.
Concerns about the programming function:
• Programmers work with both systems and application software
program changes. Thus, a programmer is more likely to be
able to implement an unauthorized change to an application
program that also requires an unauthorized change to
systems software.
• Programmers are responsible for maintaining the library
of programs and data files. Thus, programmers are able to
make unauthorized changes to live production copies of
programs and data files.
Recommendations for change related to the programming function
at Jacobsons:
• Divide programmers into systems programmers and application
programmers. Only assign system software changes to systems
programmers and application software changes to application
programmers.
• Reassign responsibility for maintaining program storage to
either the computer operators or to data control personnel.

4. Assessment of the strengths of the IT operations function at
Jacobsons:
• Melinda prepares a job schedule which operators follow to
process transactions. Day-shift operators reconcile Job
Processed Logs generated during the night shift to the job
schedule, and night shift operators do the same type of
reconciliation for jobs processed during the day.
• Operators perform routine monthly backup procedures.
• Input batch controls are generated to verify the accuracy
and completeness of processing.

Concerns about the IT operations function:
• Backup procedures only occur monthly, which increases the
risk of data loss.
• No one, other than operators, verifies that only jobs included
on the job schedule are processed. Melinda depends totally
on the completeness of the operators’ identification of
exceptions.
• Job Processed Logs are generally discarded, unless the
output does not reconcile to the job schedule.

• Operators have the authority to make small changes to
application programs.
• Comparison of batch input control totals to computer processing
is not performed by someone independent of the operator
responsible for the processing.
Recommendations for change related to the management of the
IT operations function:
• Update key data and program files on a more frequent basis
(perhaps daily). Store backup copies offsite.
• Prohibit operators from performing any programming tasks.
Restrict access to program files to a READ/USE only
capability.
5. Assessment of the strengths of the IT data control function at
Jacobsons:
• Data control personnel review exception listings and submit
requests for correction on a timely basis.
• Data control clerks monitor the distribution of output.
Concerns about the IT data control function:
• Data control personnel have the authority to approve changes
to database files. Thus, they could add a fictitious employee
to the employee database to generate a payroll check for a
non-existent employee.
Recommendations for change related to the management of the
IT data control function:
• Restrict data control personnel from being able to authorize
changes to database files. Only allow the respective
user department to authorize changes to database files. Data
control clerks should be held accountable for only inputting
user department authorized changes to database files.
6. Users should be responsible for approving changes to database
files. They should actively compare authorized input to output to
ensure the accuracy, completeness, and authorization of output.
Users should also be active participants in the program systems
development process. They should participate in program development
design, testing, and implementation. In addition, users should have
a voice in establishing the job schedule, given that users understand
their processing needs best.
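
The independent reconciliation recommended in parts 2 and 4 above (Job Processed Log against the job schedule, with batch control totals compared by someone other than the operator), as an added example that is not part of the original solution. The job ids, operator ids, field names and totals are constructed assumptions.

```python
from collections import Counter

# Constructed sample data; job ids, operator ids and field names are assumptions.
# Approved job schedule: job id -> input batch control total, in cents.
SCHEDULE = {"PAY-01": 4825000, "AP-02": 1731055, "INV-03": 912000}

# Job Processed Log as produced by operations (retained, not discarded).
PROCESSED_LOG = [
    {"job": "PAY-01", "operator": "op_day1", "processed_total": 4825000},
    {"job": "AP-02", "operator": "op_day2", "processed_total": 1721055},
    {"job": "AP-02", "operator": "op_day2", "processed_total": 1721055},
    {"job": "GL-99", "operator": "op_day1", "processed_total": 50000},
]


def reconcile(schedule, log, reviewer):
    """Return a sorted list of (exception_type, subject) findings."""
    findings = set()
    runs = Counter(entry["job"] for entry in log)

    # The reconciliation is only a control if the reviewer did not run the jobs.
    if reviewer in {entry["operator"] for entry in log}:
        findings.add(("reviewer_not_independent", reviewer))

    # Every scheduled job must appear in the log exactly once.
    for job in schedule:
        if runs[job] == 0:
            findings.add(("scheduled_not_run", job))
        elif runs[job] > 1:
            findings.add(("duplicate_run", job))

    for entry in log:
        job = entry["job"]
        if job not in schedule:
            # A job outside the approved schedule was processed.
            findings.add(("unscheduled_job", job))
        elif entry["processed_total"] != schedule[job]:
            # Processed total disagrees with the input batch control total.
            findings.add(("batch_total_mismatch", job))
    return sorted(findings)


if __name__ == "__main__":
    for kind, subject in reconcile(SCHEDULE, PROCESSED_LOG, "it_manager"):
        print(f"{kind}: {subject}")
```

Running the same log with an operator as reviewer adds a `reviewer_not_independent` finding, which is the condition the case describes when day-shift and night-shift operators check each other's logs.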

Integrated Case Application

12-36 (see text Web site for Excel solution - Filename P1236.xls)

PINNACLE MANUFACTURING―PART IV

Following are control risk matrices and related notes that are used to direct a
discussion of the requirements of the case. It should be understood that
judgment is a critical element in this case, and accordingly, there often is no
single right answer.
Computer-prepared matrices using Excel (P1236.xls) are contained on
the text web site. They are essentially the same as the matrices on the next
two pages.

PINNACLE MANUFACTURING - Part IV
Control Risk Matrix – Acquisitions

Transaction-related audit objectives (matrix columns):
(1) Recorded acquisitions are for goods and services received (occurrence).
(2) Existing acquisition transactions are recorded (completeness).
(3) Recorded acquisition transactions are stated at the correct amounts (accuracy).
(4) Recorded acquisition transactions are properly included in the database files and are properly summarized (posting and summarization).
(5) Acquisition transactions are properly classified (classification).
(6) Acquisition transactions are recorded on the correct dates (timing).
(7) Acquisition transactions are properly aggregated and disclosures are relevant and understandable (presentation).

Internal controls (matrix rows, with the marks shown for each):
1. Required use of PO and receiving report with check of completeness: C
2. Proper approval: C C
3. Segregation of functions: C
4. Cancellation of documents: C
5. Prenumbered documents are accounted for: C
6. Internal verification of documents/records: C C C C C
7. Use of chart of accounts: C
8. Procedures requiring prompt processing: C
9. Monthly reconciliation of A/P database file with general ledger: C
10. Treasurer reviews for major vendors and commitments requiring disclosure: C

Assessed control risk, by objective:
Occurrence: Low
Completeness: Low
Accuracy: Low
Posting and summarization: Low
Classification: Low
Timing: Low
Presentation: Low

Copyright © 2024 Pearson Education, Inc.
PINNACLE MANUFACTURING - Part IV
Control Matrix - Cash Disbursements

Transaction-related audit objectives (matrix columns):
(1) Recorded cash disbursements are for goods and services actually received (occurrence).
(2) Existing cash disbursement transactions are recorded (completeness).
(3) Recorded cash disbursement transactions are stated at the correct amounts (accuracy).
(4) Recorded cash disbursement transactions are properly included in the database file and are properly summarized (posting and summarization).
(5) Cash disbursement transactions are properly classified (classification).
(6) Cash disbursement transactions are recorded on the correct dates (timing).
(7) Disbursement transactions are properly aggregated and disclosures are relevant and understandable (presentation).

Internal controls (matrix rows, with the marks shown for each):
1. Segregation of functions: C
2. Review of support, signing of checks by authorized person: C
3. Prenumbered checks; accounted for: C
4. Use of chart of accounts: C
5. Procedures for prompt recording: C
6. Monthly reconciliation of A/P database with G/L: C
7. Treasurer reviews for major vendors and commitments requiring disclosure
8. Bank reconciliation is performed by an independent bank reconciliation: C C

Deficiencies (matrix rows, with the marks shown for each):
1. Lack of internal verification of documentation package by cash disbursements clerk: D D D
2. Lack of internal verification of key entry into cash disbursements file: D D D

Assessed control risk, by objective:
Occurrence: Medium
Completeness: Medium
Accuracy: Medium
Posting and summarization: Low
Classification: Low
Timing: Low
Presentation: N/A


Notes to 12-36, Part IV

1. The purpose of Part IV is to have the students:
(a) develop specific transaction-related audit objectives for a
cycle,
(b) obtain controls from a flowchart description,
(c) relate controls to objectives,
(d) evaluate a set of controls as a system.

2. Control is quite good for acquisitions. If misstatements in
acquisitions occur, they will result from the incorrect application of
controls, not their absence. This demonstrates the inherent
deficiencies in any system of internal control. It explains the
reasons why some misstatements were found last year. However,
they were not material. It also indicates the need for tests of
controls and substantive tests of details of balances and/or
transactions.

Controls for cash disbursements are also good, even given the
two deficiencies.

3. It is appropriate to use the matrices to consider whether all
controls shown are important to both the client and to the
auditor. Is it necessary to have all controls (e.g., prenumbering of
requisitions)? Are the controls costly (e.g., internal verification of
all acquisitions)? Should all controls be tested (e.g., cancellation
of documents)?
