Internal controls
Part 1: Introduction to auditing internal controls
1. The COSO Internal Control – Integrated Framework Executive Summary lists these five elements of the control environment. List at least one specific example for each of the five elements that would provide evidence that an organization has a well-managed internal control environment.
1) The organization demonstrates a commitment to integrity and ethical values.
2) The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.
3) Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.
4) The organization demonstrates a commitment to attract, develop and retain competent individuals in alignment with objectives.
5) The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives.
2. List two preventive controls and two detective and corrective controls that you would expect to see in the inventory purchase (cash disbursements) process.
Preventive controls:
Detective and corrective controls:
3. Explain why it is important to identify whether a control is an automated control, IT-dependent manual control or manual control.
4. Designate whether the following controls are automated controls, IT-dependent manual controls or manual controls.
Control description Type of control
Compare this year’s inventory turnover to last year’s inventory turnover
Perpetual inventory records are reconciled to the general ledger each month
Bank reconciliations are performed monthly
Purchases are immediately processed when they are made with vendors on the approved vendor list
Overhead costs are systematically applied to the cost of inventory produced
Control description Type of control
Employees count inventory on hand at the end of each year; perpetual inventory records are updated based on the counts
Prepaid customer orders are processed without credit approval
Exception report generated by the cash disbursement application for invoices, purchase orders and receiving reports that don’t match is reviewed by the cash disbursements manager
5. Auditing Standard (AS) 2201.24 instructs auditors to address the following list of entity-level controls. Give at least two examples of what auditors should consider when evaluating if these controls operate effectively. Refer to the COSO Framework and Auditing Standards to help answer these questions.
a. Controls related to the control environment
b. Controls over management override
c. The company’s risk assessment process
d. Centralized processing and controls, including shared service environments
e. Controls to monitor results of operations
f. Controls to monitor other controls, including activities of the internal audit function, the audit committee and self-assessment programs
g. Controls over the period-end financial reporting process
h. Policies that address significant business control and risk management practices
6. AS 2201.29 instructs auditors to consider this list of qualitative and quantitative risk factors when considering accounts listed on financial statements. Provide an example of what auditors should consider when assessing these factors.
a. Size and composition of the account
b. Susceptibility to misstatement due to errors or fraud
c. Volume of activity, complexity and homogeneity of the individual transactions processed through the account or reflected in the disclosure
d. Nature of the account or disclosure
e. Accounting and reporting complexities associated with the account or disclosure
f. Exposure to losses in the account

g. Possibility of significant contingent liabilities arising from the activities reflected in the account or disclosure
h. Existence of related-party transactions in the account
i. Changes from the prior period in account or disclosure characteristics
7. List the management assertion (existence and occurrence, completeness, valuation and allocation, rights and obligations, or presentation and disclosure) affected by the situation described.
Situation Assertion
An invoice for inventory purchased and received was not sent by the vendor. Consequently, a journal entry was not made to reflect this purchase.
Your client holds inventory on consignment for another company. The consigned inventory is included in the client’s inventory balance.
Management doesn’t show a current portion of long-term debt on the financial statements, even though the amount is material.
Management determines that several recorded accounts receivable will not be collected.
Inventory for sales occurring at the end of the year is moved to a separate part of the warehouse where inventory is stored waiting for shipment.
The company recognizes sales revenue when the goods are moved.
A competitor has introduced a new product that is half of the price of one of your client’s products.
The accounts receivable clerk mistakenly records a sale to one of the company’s customers as
$21,000 instead of $12,000.
The cost accountant undercalculated direct labor costs. Consequently, the manufactured inventory balance did not include enough direct labor costs.
Internal controls
Part 2: Designing tests of internal controls
1. Explain how the following processes are completed for the cash receipts transactions portion of the revenue cycle.
? Initiated
? Authorized
? Processed
? Recorded
? Reported
2. Briefly describe the following:
? What is the purpose of a walk-through?
? What are the general walk-through procedures an auditor should follow?
? What does the auditor do when a transaction selected for a walk-through has not yet been recorded in the general ledger?
? Consider the cash receipts process. The auditor selected a cash receipt from Simon and Sons, Inc. Which attributes of this cash receipt transaction will the auditor verify during the walk- through?
? In the cash receipts process, what evidence of the transaction will the auditor want to see for each step of the process?
3. Briefly describe what is meant by the nature, timing and extent of testing controls.
? Nature
? Timing
? Extent
4. Auditors design tests of controls by considering the attributes of the controls. The quality of the attributes is what makes a control effective or not. Describe what you would expect concerning the attributes of the cash receipts.
? Who
? What
? Where
? When
? Why
? How

Information Produced by the Entity (IPE)
Example 1 – Examples of IPE from a transaction process
Complete the following table, indicating whether the item is an example of IPE from a transaction process and explain why or why not.
Item IPE? Why or why not?
Accounts payable listing
Fixed asset rollforward
A listing of invoices for goods and services
A bank statement
Income tax reconciliation
A bad debt reserve calculation
Inventory and sales information that is
used as the basis for determining the excess and obsolete inventory reserve
An exception report
A report of changes to payroll data
A vendor invoice
A list of product liability claims
Headcount data used in a cost allocation model
Legal contracts produced by a third party
A payroll register from a service
organization that processes payroll for the entity
Information Produced by the Entity
Example 2 – Audit risks associated with IPE from a transaction process
Complete the following table, indicating which risk (by number and description) is associated with each processing error.
Processing error Risk number
Risk description
Information about shipments is input manually into the information technology (IT) application. The shipping clerk mistypes the quantity shipped and the edit check designed to check the quantity entered did not function correctly, resulting in an error in the quantity recorded as
shipped in the IT application.
The excess and obsolete inventory reserve computation begins with inventory reports and sales reports generated from a separate IT application. These reports are output from the IT application into Excel. The Excel formulas are supposed to match the sales and inventory on hand data for each inventory item and compute inventory turns, which are then used in the calculation of the excess and obsolete inventory reserve. Incorrect formulas in Excel result in
errors in the matching and computation process.
For an aged customer list of unpaid amounts produced by the accounts payable IT application, the aged columns are not totaled
accurately.
Processing error Risk number
Risk description
A list of shipments for the last five days of the period and the first five days of the next period (the IPE) is obtained from the IT application used on the shipping dock. This list is used in an audit procedure to determine that revenue is stated accurately at period-end. The instructions for the report generator that produces the IPE erroneously excludes shipments of inventory through al service and includes only
those shipments sent using freight carriers.
For an aged customer list of unpaid amounts at year-end that is exported into Excel, the data extracted from the IT application into Excel incorrectly combined the current month’s unpaid amounts with unpaid amounts from the previous
month.
Information Produced by the Entity
Example 3 – Audit procedures to address audit risks related to IPE from a transaction process
Complete the following table, indicating the audit procedure that would be performed to address the identified risk.
Risk 1: The IT application is not processing data correctly (incomplete or inaccurate).
Information about ABC’s shipments is input manually into the IT application by the shipping clerk. The risk is that the shipping clerk mistypes the quantity shipped.
Audit procedure to address the risk:
Risk 2: The IT application is not collecting data correctly for output (incomplete or inaccurate).
The auditor obtains from the accounts receivable clerk an aged customer list of unpaid amounts. The risks include that the data extracted includes paid invoices, does not include all unpaid invoices (e.g., excludes the unpaid invoices for one line of business) or includes all unpaid
invoices but excludes unmatched credit notes.
Audit procedure to address the risk:
Risk 3: The IT application is not computing or categorizing data correctly for output (inaccurate).
The auditor obtains from the accounts receivable clerk an aged customer list of unpaid amounts. The risk includes that the invoices may be aged differently than expected or the aging columns may not be totaled accurately (e.g., the aging column content may be different than expected because the user expects aging of the invoice date but the IT application ages according to the due date, or the user expects the total to be the sum of the numbers in the column but the IT application obtains the total number from a summary data table rather than creating the sum of the details displayed).
Audit procedure to address the risk:

Risk 4: The output from the IT application into the EUC tool is modified or lost in the transfer to the tool (incomplete or inaccurate).
The auditor obtains from the accounts receivable clerk an aged customer list of unpaid amounts that was exported from the accounts payable application into Excel. The risk is that the data did not transfer correctly, including such issues as larger numbers being truncated when exported or lines of information being dropped in the transfer.
Audit procedure to address the risk:
Risk 5: The output from the IT application into the EUC tool or the output from the EUC tool is incomplete (data is missing) or inaccurate (data has been added, changed, computed or categorized incorrectly).
The auditor obtains from the accounts receivable clerk an aged customer list of unpaid amounts that was exported from the accounts payable application into Excel. The risk is that fictitious unpaid invoices are inserted into the spreadsheet or formulas intended to calculate a provision for old, unpaid amounts are incorrect.
Audit procedure to address the risk:

Information Produced by the Entity (IPE)
Example 4 – Examples of IPE from an IT process
Complete the following table, indicating whether the item is an example of IPE from an IT process and explain why or why not.
Item IPE? Why or why not?
An Excel log of actions by programmers who have access to production programs
that comprise IT applications
An email exchange evidencing approval for a program change
A report of IT system settings of a particular financial reporting system
A listing of all program changes made during a given period of the year, from which the auditor plans to select a
sample for testing
Information Produced by the Entity
Example 5 – Audit risks associated with IPE from an IT process
Complete the following table, indicating which risk (by number and description) is associated with each processing error.
Processing error Risk number
Risk description
The quarterly user access review is initiated by the business analyst, who generates a report from the IT application and exports it into Excel. The Excel spreadsheet then separates the listing into five different reports based on the user’s business unit (BU). In categorizing the user by BU, Excel excludes all new employees from the listing and, thus, those individuals are not subject to the review by the respective BU
director.
You have requested a system-generated listing of PeopleSoft users with a create date from 1/1/2XX2 through 6/30/2XX2. The company runs a report, but mistakenly inputs the end date as
6/1/2XX2.
You have requested a system-generated listing of production directories and files for a UNIX server that supports an in-scope application. The client exports the results of the query to an Excel file. The client uses Excel 2003 and, because there is a limit of 65,000 rows, all remaining rows
are dropped in the transfer process.
Information Produced by the Entity (IPE)
1. Information produced by the entity (IPE) is any information created by the entity using the entity’s:
a. Information technology (IT) applications
b. End-user computing (EUC) tools
c. Other means (including manually prepared information)
d. All of the above
2. In order for the auditor to utilize IPE as reliable audit evidence, the auditor needs to perform testing to determine that the IPE is:
a. Electronically processed
b. Sufficiently complete and accurate
c. Tested by the entity’s management
d. Used in the performance of the entity’s internal controls
3. Which of the following is not IPE?
a. A report showing the detail of an account balance
b. A listing showing vendor master file changes
c. A legal contract
d. An analysis of an accounts receivable account balance
4. The concepts related to IPE also apply to information produced by service organizations.
a. True
b. False
5. Which of the following is a not a risk associated with IPE?
a. The computations or categorizations performed in the creation of the IPE from the IT application are inaccurate.
b. A response to a legal letter request provided to the auditor by outside counsel is missing certain information.
c. The data processed by the IT application from which the IPE is produced is not complete or accurate.
d. Information added or changed (including computations and categorizations) using the EUC tool is incomplete, inaccurate or inappropriate.

6. Which of the following is an example of the IPE risk that “the data extracted from the IT application into the IPE is not the intended data or is not complete”?
a. Information about shipments is input manually into the IT application. The shipping clerk mistypes the quantity shipped.
b. In an electronic list of shipments for the last five days of the period and the first five days of the next period, the list erroneously excludes shipments of inventory through al service and includes only those shipments sent using freight carriers.
c. On a report of investments held at the end of the period, the total presented is not the actual total of the investment detail.
d. For an aged customer list of unpaid amounts that is exported into Excel, the formulas intended to calculate a provision for old unpaid amounts are incorrect.
7. The auditor may encounter IPE when:
a. It is used by management in the performance of controls being tested by the auditor.
b. The auditor uses IPE as audit evidence in performing substantive tests.
c. The auditor uses IPE as a population from which to select items to test.
d. All of the above.
8. Which of the following is not an example of procedures that an auditor could perform to test an inventory subledger printed on paper?
a. Tracing a sample of information about the inventory to invoices and information from a sample of invoices for the goods received
b. Including a copy of the listing in the auditor’s workpaper file
c. Testing controls over the relevant inventory significant class of transactions (SCOTs), including the underlying IT processes
d. Adding the detail on the report to see that the total is correct
9. A company maintains a list of environmental issues, potential exposures and reserves maintained only in Excel. The auditor could address IPE risks by agreeing samples of information to and from other documentation sources (for example, legal letter responses and the entity’s environmental issues files) and verifying the totals on the listing.
a. True
b. False
10. Name three things an auditor must ensure the completeness and accuracy of when IPE is extracted from data that originates from an IT application and is then output into an EUC tool.

QUALITY: 100% ORIGINAL - NO PLAGIARISM

(USA, AUS, UK & CA PhD. Writers)

CLICK HERE TO GET A PROFESSIONAL WRITER TO WORK ON THIS PAPER AND OTHER SIMILAR PAPERS

The Best Custom Essay Writing Service

About Our Service

We are an online academic writing company that connects talented freelance writers with students in need of their services. Unlike other writing companies, our team is made up of native English speakers from countries such as the USA, UK, Canada, Australia, Ireland, and New Zealand.

Qualified Writers

Our Guarantees:

CLICK TO SUBMIT YOUR ORDER