Important Note re: Chapter Review Checkpoint questions:
As you read and study each chapter's content thoroughly, please try to answer the
review checkpoint questions (within the chapter content) on your own prior to
reading the following notes.
Answers to Chapter Reading Review Checkpoints-Ch.5
5.1 As stated in the Sarbanes-Oxley Act of 2002, management is responsible for establishing a control
environment, assessing risks it wishes to control, specifying information and communication channels and
content (including the accounting system and its reports), designing and implementing control procedures,
and monitoring, supervising, and maintaining the controls. Business managers can make estimates of
benefits to be derived from controls and weigh them against the cost. Managers are perfectly free to make
their own judgments about the necessary extent of controls. Managers can decide the degree of business
risk they are willing to tolerate.
External auditors are not responsible for designing effective controls for audit clients. They are responsible
for evaluating existing internal control and assessing the control risk in them.
5.2 Control risk is the probability that the client’s internal control procedures will fail to prevent or detect
material errors and frauds, provided any enter the data processing system in the first place. Assessing
control risk is part of using the audit risk model in the planning stage of the audit.
5.3 The primary reason for conducting an evaluation of a client’s existing internal control system is to give the
auditors a basis for finalizing the details of the account balance audit program—to determine the nature,
timing and extent of subsequent substantive audit procedures. For public companies, Sarbanes-Oxley
requires auditors to audit internal controls as part of the financial statement audit.
A secondary purpose for conducting an evaluation of internal control is to be able to make constructive
suggestions for improvements. Officially, the profession considers these suggestions a part of the audit
function and does not define the work as consulting.
Another purpose of the evaluation is to report to management and the board of directors or its audit
committee any discovery of any significant internal control deficiencies.
5.4 If control risk is low, auditors can perform less effective substantive procedures, earlier in the audit, with
smaller sample sizes, than if control risk is moderate or high.
5.5 Using a numeric evaluation provides a precise level of risk that can be included in statistical sampling
procedures. However, using words recognizes the imprecise nature of evaluating control risk.
5.6 The three categories of control objectives are:
Reliability of financial reporting.
Effectiveness and efficiency of operations.
Compliance with applicable laws and regulations.
Auditors are primarily concerned with reliability of financial reporting; however, some operating and
compliance controls may be important for the financial statement audit.
5.7 Internal control is operated by people. People make the system work at every level of company
management. People establish the objectives, put control mechanisms in place, and operate them.
Since people operate the controls, breakdowns can occur. Human error, deliberate circumvention,
management override, and improper collusion among people who are supposed to act independently can
cause failure to achieve objectives. Hence, a company’s managers can decide that certain controls are too
costly in light of the risk of loss that may occur.
5.8 Four types of breakdowns relate to people-caused failures. The four are human error, deliberate
circumvention, management override, and improper collusion among people who are supposed to act
independently; each can cause failure to achieve objectives. Internal control can help prevent and detect these
people-caused failures, but it cannot guarantee that they will never happen.
5.9 The COSO Report states that internal control consists of five interrelated components:
Management’s control environment
Management’s risk assessment
Management’s control procedures
Management information and communication systems.
5.10 The control environment sets the tone of the organization. It is the foundation for all other components of
internal control. It provides discipline and structure. Control environment factors include the integrity,
ethical values, and competence of the company’s people. The following are general elements of an internal
Management’s philosophy and operating style
Management and employee integrity and ethical values
Company organizational structure
Company commitment to competence—job skills and knowledge
Functioning of the board of directors, particularly its audit committee
Methods of assigning authority and responsibility
Presence of an internal audit function
Human resource policies and practices
5.11 The purpose of risk assessment is to identify and control for those factors, events, and conditions that may
prevent the organization from achieving its business objectives. All companies face the risk that their
financial statements may be unreliable. They may report assets that do not exist or ones that are not owned
by the company. Asset and liability amounts may be improperly valued. They may fail to report liabilities
and expenses. They may present information that does not conform to GAAP. The risk of producing
unreliable financial reports arises from control breakdowns.
5.12 A company control procedure is an action taken for the purpose of preventing, detecting, or correcting
errors and frauds in transactions.
5.13 Four kinds of functional responsibilities that should be segregated:
1. Authorization to execute transactions.
2. Recording of transactions (bookkeeping).
3. Custody of assets.
4. Periodic reconciliation (comparison) of existing (real) assets to recorded amounts.
5.14 The audit trail is the set of accounting operations from transaction analyses to reports. It starts with the
source documents, proceeds to data entry, then to transaction processing and posting to ledger accounts,
then from ledger accounts to the financial reports.
Auditors often follow this trail forwards and backwards! They will follow it backwards from the financial
reports to the source documents to determine whether everything in the financial reports is supported by
appropriate source documents. They will follow it forward from source documents to reports to determine
that everything that happened (transactions) got recorded in the accounts and reported in the financial
2. Valid sign test: All amount fields positive, sales amount greater than zero.
3. Missing data test: Bill of lading document number included.
4. Sequence test: Invoice numbers are in sequence and none missing.
5. Limit or reasonableness test: Total invoice less than $25,000.
5.17 Many financial reporting processes such as final adjusting entries, consolidating entries, and footnote
amounts are performed using spreadsheet applications.
5.18 Everyday monitoring examples:
Operating managers compare internal reports and published financial statements with their
knowledge of the business.
Customer complaints of amounts billed are analyzed.
Vendor complaints of amounts paid are analyzed.
Regulators report to the company on compliance with laws and regulations (e.g., bank examiners’
reports, IRS audits).
Accounting managers supervise the accuracy and completeness of transaction processing.
Recorded amounts are periodically compared to actual assets and liabilities (e.g., internal auditors’
inventory counts, receivables and payables confirmations, bank reconciliations).
External auditors report on control performance and give recommendations for improvement.
Training sessions for management and employees heighten awareness of the importance of
These are monitoring controls when they are used to determine the effectiveness of control procedures.
5.19 The phase 1 understanding must always be followed by a control risk assessment phase and documentation
of control risk less than 100% (compliance phase). However, test of controls procedures are only required
for nonpublic companies if the audit team wants to lower the control risk assessment.
5.20 An audit team can find the client’s documentation of the accounting system in the:
Chart of accounts
Accounting manual—definitions and instructions about measuring and classifying transactions
Computer systems documentation
Computer program documentation
Systems and procedures manuals
Flowcharts of transaction processing
Various paper forms
5.23 A test of controls is an audit procedure designed to produce evidence about the effectiveness of a client’s
control activity. A test of control procedure is a two-part statement, consisting of:
Part One: Identification of a data population from which a sample of items will be selected for audit.
Part Two: Expression of an action of either (1) determining whether the selected items correspond to a
standard or (2) determining whether the selected items agree with information in another data population.
A test of control procedure may also consist of a direct observation of a control activity that leaves no
5.24 “Inspection,” in a test of control procedure, refers to auditors looking to see whether client personnel
stamped, initialed, or left other signs that their assigned control procedures had been performed.
“Reperformance,” in a test of control procedure, refers to auditors doing again the control that was
supposed to have been performed by the client personnel (recalculating, looking up the right price,
comparing quantities, and so forth).
5.25 A “dual-purpose test” serves the purposes of (1) obtaining evidence about a client’s control performance
[test of control] and (2) obtaining evidence to help detect material misstatements in account balances and
disclosures [substantive procedure].
5.26 Management must (1) acknowledge its responsibility for establishing and maintaining effective internal
control over financial reporting; (2) state that it has performed an evaluation and made a conclusion about
the effectiveness of the entity’s internal control over financial reporting; (3) disclose to the audit team any
frauds resulting in a material misstatement to the entity’s financial statements (as well as any other
immaterial fraud that involves key managers), all significant deficiencies, and any material weaknesses
identified during its evaluation; and (4) state that management did not use the auditors’ procedures
performed during the audits of internal control over financial reporting or the financial statements as part of
the basis for management’s assessment of the effectiveness of internal control over financial reporting.
5.27 The six steps for auditing internal controls are:
1. Plan the engagement
2. Evaluate management’s assessment process
3. Gain an understanding of internal control over financial reporting
4. Test and evaluate design effectiveness of internal control over financial reporting
5. Test and evaluate operating effectiveness of internal control over financial reporting
6. Form an opinion on the effectiveness of internal control over financial reporting
5.28 An internal control deficiency exists when the design or operation of a control does not allow the
company’s management or employees to detect or prevent misstatements in a timely fashion. A significant
deficiency is defined as a condition that could adversely affect the organization’s ability to initiate, record,
process, and report financial data in the financial statements. A material weakness in internal control is
defined as a deficiency, or combination of deficiencies, that results in a reasonable possibility that a
material misstatement would not be prevented or detected on a timely basis.
5.29 Auditors can issue one of three types of reports on internal controls:
Unqualified—no material weaknesses
Qualified or disclaimer—audit team cannot perform all of the procedures considered necessary
Adverse opinion—material weakness exists.
5.30 The major components of the auditor’s standard, unqualified report on internal control over financial
A title that includes the word independent.
Statements regarding the responsibility of the auditors and management with respect to the
assessment and evaluation of internal control, as well as the title of management’s report on
internal control over financial reporting.
A paragraph indicating that the engagement was conducted in accordance with standards
established by the Public Company Accounting Oversight Board, with a brief description of the
procedures performed in the engagement.
The definition of internal control over financial reporting.
An identification of the inherent limitations of internal control over financial reporting.
The auditors’ opinion on whether the entity maintained effective internal control over financial
reporting. The opinion in the above report represents an unqualified opinion on internal control
over financial reporting.
A reference to the auditors’ opinion on the financial statements, indicating the type of opinion
The date of the report.
5.31 Major reasons for departing from the standard, unqualified report on internal control over financial
1. Material weaknesses in internal control over financial reporting.
2. A limitation in the scope of the engagement.
3. Management’s disclosures of the effectiveness of its internal control over financial reporting are
4. Other auditors have audited the financial statements and internal control over financial reporting
of one or more components of the entity.
5. Changes in internal control have occurred that materially and adversely affect the effectiveness of
the company’s internal control over financial reporting.
6. Management provides other information in its report on internal control over financial reporting.
5.32 The auditors should issue an adverse opinion on the effectiveness of internal control over financial
reporting if a material weakness exists.
If a material weakness in internal control is identified, the auditor’s standard, unqualified opinion on
internal control over financial reporting would be modified to:
Include a paragraph immediately following the inherent limitations paragraph that defines a
material weakness and describes any material weakness(es) identified during the audit.
Modify the opinion paragraph to indicate that because of the effect of the material weakness(es)
identified, the Company has not maintained effective internal control over financial reporting.
5.33 If a scope limitation exists, a disclaimer of opinion would be issued or the auditors would withdraw from the
engagement, depending upon the significance of the limitation.
5.34 Auditors must communicate significant deficiencies and material weaknesses that come to their attention in
the performance of the audit to management, the board of directors, or its audit committee. Auditors often
issue another type of report to management called a management letter. This letter may contain
commentary and suggestions on a variety of matters in addition to internal control matters.
5.35 Internal control cannot provide absolute assurance that financial statements will not contain a material
The effectiveness of controls will be limited by the realities of human frailty.
Internal controls can break down due to misunderstanding, mistakes, and errors due to
carelessness, distraction or fatigue.
Management can often override controls.
The collusive activities of two or more individuals can result in control failures.
Controls must be subjected to cost-benefit analysis.
5.36 Reasonable assurance is closely related to cost-benefit analysis. By definition, reasonable assurance
recognizes that the cost of an organization’s internal control should not exceed the benefits obtained by the
Management is responsible for assessing the cost and benefits of controls, hence their reasonable assurance.
Auditors get into the act of reasonable assurance assessment when they consider whether to make
recommendations about control improvement in a management letter. Both parties must consider that the
SEC regards reasonable assurance as a high standard that means the probability of controls not detecting or
preventing material misstatements is remote.