Arens AAS18 SM 11

Chapter 11

Internal Control and COSO Framework

Concept Checks

P. 379

1. Management typically has three broad objectives in designing an effective
system of internal control.

1. Reliability of Reporting. While this objective relates to both external
and internal reporting, we focus here on the reliability of external
financial reporting. Management is responsible for preparing financial
statements for investors, creditors, and other users. Management has
both a legal and professional responsibility to be sure that the
information is fairly presented in accordance with reporting
requirements such as GAAP or IFRS. The objective of effective
internal control over financial reporting is to fulfill these financial
reporting responsibilities.

2. Efficiency and Effectiveness of Operations. Controls within an
organization are meant to encourage efficient and effective use of its
resources to optimize the company’s goals. An important objective of
these controls is accurate financial and non-financial information about
the entity’s operations for decision making.

3. Compliance with Laws and Regulations. Section 404 of the
Sarbanes–Oxley Act requires all public companies to issue a report
about the operating effectiveness of internal control over financial
reporting. In addition to the legal provisions of Section 404, public,
nonpublic, and not-for-profit organizations are required to follow many
laws and regulations. Some relate to accounting only indirectly, such as
environmental protection and civil rights laws. Others are closely
related to accounting, such as income tax regulations and anti-fraud
regulations such as the Foreign Corrupt Practices Act of 1977 and
certain provisions of the Sarbanes–Oxley Act.

2. Section 404(a) of the Sarbanes-Oxley Act requires management of all public
companies to issue an internal control report that includes the following:

● A statement that management is responsible for establishing and
maintaining an adequate internal control structure and procedures
for financial reporting and
● An assessment of the effectiveness of the internal control
structure and procedures for financial reporting as of the end of
the company’s fiscal year.

© 2023 Pearson Education, Ltd.

P. 388

1. The COSO Internal Control – Integrated Framework consists of the following
five components:
● Control environment
● Risk assessment
● Control activities
● Information and communication
● Monitoring

The control environment is the broadest of the five and deals primarily with
the way management implements its attitude about internal controls. The
other four components are closely related to the control environment. In the
context of internal controls related to financial reporting, risk assessment is
management’s identification and analysis of risks relevant to the preparation
of financial statements in accordance with accounting standards.
Management implements control activities and creates the accounting
information and communication system in response to risks identified as
part of its risk assessment to meet its objectives for financial reporting.
Finally, management periodically assesses the quality of internal control
performance to determine that controls are operating as intended and that
they are modified as appropriate for changes in conditions (monitoring). All
five components are necessary for effectively designed and implemented
internal control.

2. The updated COSO Internal Control – Integrated Framework includes
seventeen broad principles that provide more guidance related to the five COSO
components. The components and principles are listed together in Table 11-1.
According to the COSO guidance, all seventeen principles must be present and
functioning for controls to be effective. In assessing whether internal controls are
designed and operating effectively, management should ensure that all of the
principles are present and functioning. For example, in considering whether
monitoring controls are designed and operating effectively, management would
want to perform periodic evaluations of the monitoring controls and also ensure
that identified deficiencies are being communicated to those who can remediate
those deficiencies.

P. 398

1. General controls relate to all aspects of the IT function. They have a global
impact on all software applications. General controls include controls related
to system access, system changes, and IT operations management. An
example of an access control is required use of passwords and user IDs
with access limited to authorized users. An example of a system
management control is appropriate testing and approval by users of
system changes. Application controls apply to the processing of
individual transactions. Examples of application controls include a
programmed control that verifies that all time records submitted are for
valid employee ID numbers included in the electronically accessible
employee database; and a control that recomputes net pay from gross pay
and deductions.

2. The typical duties often segregated within an IT function include systems
development, computer operations, and data control. Systems
development involves the acquisition or programming of application
software. Systems development personnel work with test copies of
programs and data files to develop new or improved application software
programs. Computer operations personnel are responsible for executing live
production jobs in accordance with a job schedule and for monitoring
consoles for messages about computer efficiency and malfunctions. Data
control personnel are responsible for data input and output control. They often
independently verify the quality of input and the reasonableness of output.
By separating these functions, no one IT employee can make changes to
application software or underlying data files and then operate computer
equipment to use those changed programs or data files to process
transactions.
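
The two application controls named in item 1 above (checking each time record against valid employee IDs, and recomputing net pay from gross pay and deductions), sketched as an added example that is not part of the original solutions manual. The employee IDs, field names, and the extra check for inactive employees are assumptions made for illustration.

```python
from dataclasses import dataclass
from decimal import Decimal, InvalidOperation

# Constructed employee master file (hypothetical IDs), standing in for the
# "electronically accessible employee database" mentioned in item 1.
EMPLOYEE_MASTER = {
    "E1001": {"name": "A. Rivera", "active": True},
    "E1002": {"name": "B. Chen", "active": True},
    "E1003": {"name": "C. Okafor", "active": False},  # no longer employed
}


@dataclass(frozen=True)
class PayRecord:
    employee_id: str
    gross_pay: str       # amounts stay as keyed text until validated
    deductions: tuple    # individual deduction amounts, as text
    net_pay: str         # net pay as computed upstream


def _money(text):
    """Parse a currency amount; reject non-numeric, non-finite or negative input."""
    try:
        value = Decimal(text)
    except (InvalidOperation, TypeError):
        raise ValueError(f"not a number: {text!r}")
    if not value.is_finite() or value < 0:
        raise ValueError(f"invalid amount: {text!r}")
    return value


def check_record(rec, master=EMPLOYEE_MASTER):
    """Return a list of exception reasons; an empty list means the record passes."""
    reasons = []
    emp = master.get(rec.employee_id)
    # Control 1: the record must be for a valid employee ID in the master file.
    if emp is None:
        reasons.append("employee ID not in master file")
    elif not emp["active"]:
        # Assumption: an inactive ID is treated as invalid for payroll.
        reasons.append("employee ID is inactive")
    # Control 2: recompute net pay from gross pay and deductions.
    try:
        gross = _money(rec.gross_pay)
        deductions = sum((_money(d) for d in rec.deductions), Decimal("0"))
        net = _money(rec.net_pay)
        if gross - deductions != net:
            reasons.append(f"net pay {net} != recomputed {gross - deductions}")
    except ValueError as exc:
        reasons.append(f"unparseable amount ({exc})")
    return reasons


def process_batch(records, master=EMPLOYEE_MASTER):
    """Split a batch into accepted records and an exception report."""
    accepted, exceptions = [], []
    for line_no, rec in enumerate(records, start=1):
        reasons = check_record(rec, master)
        if reasons:
            exceptions.append((line_no, rec.employee_id, reasons))
        else:
            accepted.append(rec)
    return accepted, exceptions


# Constructed sample batch.
SAMPLE_BATCH = [
    PayRecord("E1001", "2000.00", ("300.00", "150.25"), "1549.75"),  # passes
    PayRecord("E9999", "1800.00", ("270.00",), "1530.00"),           # unknown ID
    PayRecord("E1002", "2100.00", ("315.00", "42.10"), "1752.90"),   # net pay off by 10.00
    PayRecord("E1003", "1500.00", ("225.00",), "1275.00"),           # inactive ID
    PayRecord("E1002", "21OO.00", ("315.00",), "1785.00"),           # letter O keyed for zero
]

if __name__ == "__main__":
    ok, report = process_batch(SAMPLE_BATCH)
    print(f"accepted: {len(ok)}")
    for line_no, emp_id, reasons in report:
        print(f"line {line_no} ({emp_id}): {'; '.join(reasons)}")
```

Rejected records go to an exception report instead of being silently dropped, so someone outside data entry can follow them up.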

Review Questions

11-1 Management designs systems of internal control to accomplish three
categories of objectives: reporting, operations, and compliance with laws and
regulations. The auditor’s focus in both the audit of financial statements and the
audit of internal controls is on those controls related to the reliability of financial
reporting plus those controls related to operations and to compliance with laws
and regulations objectives that could materially affect financial reporting.

11-2 Management’s assessment of internal control over financial reporting
consists of two key characteristics. First, management must evaluate the
design of internal control over financial reporting. Second, management must
test the operating effectiveness of those controls. When evaluating the design
of internal control over financial reporting, management evaluates whether the
controls are designed to prevent or detect material misstatements in the
financial statements.
When testing the operating effectiveness of those controls, the objective
is to determine whether the control is operating as designed and whether the
person performing the control possesses the necessary authority and
qualifications to perform the control effectively.

11-3 There are eight parts of the planning phase of audits: accept client and
perform initial audit planning, understand the client’s business and industry,
perform preliminary analytical procedures, set preliminary judgment of
materiality and performance materiality, identify significant risks due to fraud or
error, assess inherent risk, understand system of internal control and assess
control risk, and finalize overall audit strategy and audit plan. Understanding
internal control and assessing control risk is therefore part seven of planning.
Only finalizing the audit strategy and audit plan follows understanding internal
control and assessing control risk.

11-4 Assessment of internal control by management: All amounts must be
collected promptly, and internal controls such as weekly control of monies
received must be performed. Management is also likely to be very involved with
the individual invoices and details such as credit notes and refunds or
overpayments.
Assessment of internal control by external auditor: The amount for the year is
included in the financial year and the amount exists, and there is a reasonable
provision that some receivables might not be paid. Internal controls must exist.

11-5 The COSO Internal Control – Integrated Framework is the most widely
accepted internal control framework in the U.S. The COSO framework,
updated in 2013, describes internal control as consisting of five components
that management designs and implements to provide reasonable assurance
that its control objectives will be met. Each component contains many
controls, but auditors concentrate on those designed to prevent or detect
material misstatements in the financial statements.

11-6 The control environment consists of the actions, policies, and
procedures that reflect the overall attitudes of top management, directors, and
owners of an entity about internal control and its importance to the entity.
The control environment serves as the umbrella for the other four components
(risk assessment, control activities, information and communication, and
monitoring). Without an effective control environment, the other four are
unlikely to result in effective internal control, regardless of their quality.
However, all five components are necessary for effectively designed and
implemented internal control.

11-7 The five categories of control activities are:
● Adequate separation of duties
Example: The following two functions are performed by
different people: processing customer orders and billing of
customers.
● Proper authorization of transactions and activities
Example: The granting of credit is authorized before
shipment takes place.
● Adequate documents and records
Example: Recording of sales is supported by authorized
shipping documents and approved customer orders.
● Physical control over assets and records
Example: A password is required before an entry can be
made into the computerized accounts receivable database.
● Independent checks on performance
Example: Billing clerk verifies prices and quantities on sales
invoices before they are sent to customers.

11-8 Separation of operational responsibility from record keeping is
intended to reduce the likelihood of operational personnel biasing the
results of their performance by incorrectly recording information.
Separation of the custody of assets from accounting for these assets is
intended to prevent misappropriation of assets. When one person performs
both functions, the possibility of that individual disposing of the asset for
personal gain and adjusting the records to relieve themself of responsibility for
the asset without detection increases.

11-9 An example of a physical control the client can use to protect each of
the following assets or records is:
1. Computers should be in an area protected by security and should
be protected from extreme temperatures. Access should be
password-protected.
2. Cash received by retail clerks should be entered into a cash
register to record all cash received.
3. Adequate backup copies of computerized accounts receivable
records should be maintained and access to the database files
should be restricted via passwords. Other accounts receivable
records should be stored in a locked, fireproof safe.
4. Raw material inventory should be retained in a locked storeroom
with a reliable and competent employee controlling access.
5. Hand tools should be stored in a locked storeroom under control
of a reliable employee.
6. Manufacturing equipment should be kept in an area protected by
security and fire alarms and kept locked when not in use.
7. Marketable securities should be stored in a safety deposit vault.

11-10 Independent checks on performance are internal control activities
designed for the continuous internal verification of other controls. Examples of
independent checks include:
● Preparation of the monthly bank reconciliation by an individual
with no responsibility for recording transactions or handling cash.
● Recomputing inventory extensions for a listing of inventory by
someone who did not originally do the extensions.
● The preparation of the sales journal by one person and the
accounts receivable database by a different person, and a
reconciliation of the control account to the database file.
● The counting of inventory by two different count teams.
● The existence of an effective internal audit staff.

11-11 The most important internal control deficiency that permitted the
embezzlement to occur was the failure to adequately segregate the accounting
responsibility of recording billings in the sales journal from the custodial
responsibility of receiving the cash. Regardless of how trustworthy James
appeared, no employee should be given the combined duties of custody of
assets and accounting for those assets.
11-12 Internal auditors, who report directly to the management, perform risk
assessment:
1. Internal auditors go around the business to check and monitor the
internal controls.
2. They have regular townhall meetings with all staff to share the
future strategic views and the importance of internal controls.
3. As part of employees’ annual appraisals, the importance of
internal control needs to be included as a key performance
indicator.
11-13 The primary focus of the monitoring component of internal control is for
management to conduct ongoing and periodic assessments of the quality of
internal control to determine that controls are operating as intended and they
are modified as appropriate for changes in conditions. Thus, the focus is on the
evaluation of effectiveness of all the components of internal control to determine
if there are deficiencies in internal control that management should
remediate.
11-14 The proper installation of IT can lead to internal control enhancements
by replacing manually performed controls with computer-performed controls.
IT-based accounting systems can handle tremendous volumes of complex
business transactions cost effectively. Computer-performed controls can
reduce the potential for human error by replacing manual controls with
programmed controls that apply checks and balances to each transaction
processed. The systematic nature of IT offers greater potential to reduce the risk
of material misstatements resulting from random, human errors in processing.

The use of IT-based accounting systems also offers the potential for
improved management decisions by providing more and higher-quality information
on a timelier basis than traditional manual systems. IT-based systems are
usually administered effectively because the complexity requires effective
organization, procedures, and documentation. That in turn enhances internal
control.

11-15 When entities rely extensively on IT systems to process financial
information, there are risks specific to IT environments that must be
considered. Key risks include the following:
● Reliance on the functioning capabilities of hardware and software.
The risk of system crashes due to hardware or software failures
must be evaluated when entities rely heavily on IT to produce
financial statement information.
● Systematic versus random errors. Due to the uniformity of processing
performed by IT-based systems, errors in computer software can
result in incorrect processing for all transactions processed. This
increases the risk of many significant misstatements.
● Unauthorized access. The centralized storage of key records and
files in electronic form increases the potential for unauthorized online
access from remote locations.
● Loss of data. Centralized storage of data in electronic form
increases the risk of data loss in the event the data file is altered or
destroyed.
● Visibility of audit trail. The use of IT often converts the traditional
paper trail to an electronic audit trail, eliminating source documents
and paper-based journals and records.
● Reduced human involvement. The replacement of traditional
manual processes with computer-performed processes reduces
opportunities for employees to recognize misstatements resulting
from transactions that might have appeared unusual to experienced
employees.
● Lack of traditional authorization. IT-based systems can be programmed
to initiate certain types of transactions automatically without
obtaining traditional manual approvals.
● Reduced segregation of duties. The installation of IT-based
accounting systems centralizes many of the traditionally segregated
manual tasks under the authority of the IT function now that those
functions are mainly performed by the computer.
● Need for IT experience. As entities rely on IT-based systems to a
greater extent, the need for personnel trained in IT systems
increases in order to install, maintain, and use systems.

11-16 In most traditional accounting systems, the duties related to authorization
of transactions, recordkeeping, and custody of assets are segregated
across three or more individuals. As accounting systems make greater use of
IT, many of the tasks that were traditionally performed manually are now
performed by the computer. As a result, some of the traditionally segregated
duties, particularly authorization and recordkeeping, fall under the responsibility
of IT personnel. To compensate for the collapsing of duties under the IT
function, key IT tasks related to programming, operation of hardware and
software, and data control are segregated. Separation of those IT functions
restricts an IT employee’s ability to inappropriately access software and data
files in order to misappropriate assets.
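
One way to test the segregation described in 11-16, as an added example that is not part of the original solutions manual: the first function flags users whose roles combine duties the answer says are kept apart, and the second flags production runs of a program by someone who changed it. Role names, user names, and log events are constructed, and treating only the pairs listed in `INCOMPATIBLE` as conflicts is an assumption drawn from the text.

```python
from collections import defaultdict
from itertools import combinations

# Hypothetical role names mapped to the duties named in 11-16: the three IT
# functions and the three traditionally segregated accounting duties.
ROLE_DUTY = {
    "app_developer": "programming",
    "job_scheduler": "operations",
    "data_control_clerk": "data_control",
    "payment_approver": "authorization",
    "gl_poster": "recordkeeping",
    "cashier": "custody",
}

# Assumption: duty pairs that should not rest with one person.
INCOMPATIBLE = {
    frozenset(pair) for pair in [
        ("programming", "operations"),
        ("programming", "data_control"),
        ("operations", "data_control"),
        ("authorization", "recordkeeping"),
        ("authorization", "custody"),
        ("recordkeeping", "custody"),
    ]
}


def entitlement_conflicts(assignments):
    """assignments: {user: [role, ...]} -> sorted list of (user, duty_a, duty_b)."""
    findings = []
    for user, roles in assignments.items():
        unknown = [r for r in roles if r not in ROLE_DUTY]
        if unknown:
            # An unclassified role cannot be assessed, so refuse to guess.
            raise ValueError(f"unmapped role(s) for {user}: {unknown}")
        duties = sorted({ROLE_DUTY[r] for r in roles})
        for a, b in combinations(duties, 2):
            if frozenset((a, b)) in INCOMPATIBLE:
                findings.append((user, a, b))
    return sorted(findings)


def change_then_run(events):
    """events: iterable of (timestamp, user, action, program) with action
    "change" or "run". Flags each production run of a program by a user who
    had earlier changed that program."""
    changers = defaultdict(set)
    hits = []
    for ts, user, action, program in sorted(events):
        if action == "change":
            changers[program].add(user)
        elif action == "run" and user in changers[program]:
            hits.append((ts, user, program))
    return hits


# Constructed sample data.
ASSIGNMENTS = {
    "dana": ["app_developer"],
    "omar": ["job_scheduler"],
    "lee": ["app_developer", "job_scheduler"],
    "kim": ["payment_approver", "gl_poster", "cashier"],
    "raj": ["data_control_clerk", "gl_poster"],
}
EVENTS = [
    ("2024-03-01T09:00", "dana", "change", "payroll_calc"),
    ("2024-03-01T22:00", "omar", "run", "payroll_calc"),
    ("2024-03-02T08:30", "lee", "change", "ap_payments"),
    ("2024-03-02T23:00", "lee", "run", "ap_payments"),
    ("2024-03-03T23:00", "dana", "run", "ap_payments"),
]

if __name__ == "__main__":
    for finding in entitlement_conflicts(ASSIGNMENTS):
        print("entitlement conflict:", finding)
    for hit in change_then_run(EVENTS):
        print("changed then ran:", hit)
```
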
11-17 If general controls are effective, there is an increased likelihood of
placing greater reliance on automated application controls. Stronger general
controls should lead to greater likelihood that automated application
controls operate effectively and data files contain accurate, authorized, and
complete information. If general controls are ineffective, there is a potential
for material misstatement in each computer-based accounting application,
regardless of the quality of automated application controls. If, for example, the
systems development process is not properly controlled, there is a greater risk
that unauthorized and untested modifications to accounting applications software
have occurred that may have affected the automated control.
11-18 Because many companies that operate in a network environment
decentralize their network servers across the organization, there is an increased
risk for a lack of security and lack of overall management of the network
operations. The decentralization may lead to a lack of standardized equipment
and procedures. In many instances responsibility for purchasing equipment and
software, maintenance, administration, and physical security often resides with
key user groups rather than with a centralized IT function. Also, network-related
software often lacks the security features, including segregation of duties,
typically available in traditionally centralized environments because of the ready
access to software and data by multiple users. In database management
systems where many applications share the same data, controls can often be
strengthened as data are more centralized and duplicate files can be
eliminated. However, there are also increased risks in some cases given that
multiple users, including individuals outside accounting, access and update
data files. Without proper database administration and access controls, risks of
unauthorized, inaccurate, and incomplete data files increase. Centralization of
data also increases the need to properly back up data information on a regular
basis.

11-19 Three risks related to an online sales system that management should
consider:
1. Risk: Large fluctuations
Internal controls: Hedge by purchasing cryptocurrency, so that if it rises
or falls, there will be sufficient cryptocurrency to maintain liquidity.
2. Risk: Exchange rate differences
Internal controls: They could purchase items or make payment for
services using cryptocurrency, so that they will not suffer from the
exchange rate movements between cryptocurrency and fiat currency.
3. Risk: Incorrect entry is made or there is loss on the price between the
fiat and cryptocurrency
Internal control: Internal control could mandate that the customer
chooses the type of currency to make the payment before the transaction
is made to ensure that the correct currency is reflected in the system,
and the exchange differences between cryptocurrency and fiat currency
could also be updated regularly to reflect the movements, so that
customers are aware and the prices are updated accordingly.

Multiple Choice Questions From CPA Examinations

11-20 a. (3) b. (1) c. (4)

11-21 a. (4) b. (1) c. (3)

Multiple Choice Questions From Becker CPA Exam Review

11-22 a. (3) b. (2) c. (4)

Discussion Questions and Problems

11-23

1. a. Control environment
2. c. Control activities
3. d. Information and communication
4. c. Control activities
5. a. Control environment
6. b. Risk assessment
7. e. Monitoring
8. d. Information and communication
9. c. Control activities
10. b. Risk assessment

11-24

| INTERNAL CONTROL | a. CONTROL ACTIVITY | b. TRANSACTION-RELATED AUDIT OBJECTIVE(S) |
| --- | --- | --- |
| 1. Checks are signed by the company president, who compares the checks with the underlying supporting documents. | Adequate separation of duties; Independent checks on performance | Occurrence; Accuracy |
| 2. Sales invoices are matched with shipping documents by the computer system and an exception report is generated. | Adequate documents and records | Occurrence |
| 3. Receiving reports are prenumbered and accounted for on a daily basis. | Adequate documents and records | Completeness; Timing |
| 4. The accounts receivable data file is reconciled to the general ledger on a monthly basis. | Independent checks on performance | Posting and summarization |
| 5. Sales invoices are independently verified before being sent to customers. | Independent checks on performance | Accuracy |
| 6. Payments by check are received in the mail by the receptionist, who lists the checks and restrictively endorses them. | Adequate separation of duties | Completeness |
| 7. Labor hours for payroll are reviewed for reasonableness by the computer system. | Independent checks on performance; Proper authorization of transactions | Occurrence; Accuracy |
| 8. Unmatched shipping documents are accounted for on a daily basis. | Physical control over documents and records | Completeness; Timing |
| 9. The computer system verifies that all payroll payments have a valid employee identification number assigned by the human resources department at the time of hiring. | Adequate separation of duties | Occurrence |

11-25
a.

| MISSTATEMENT | TYPE OF ABSENT CONTROL |
| --- | --- |
| 1. On the last day of the year, orders came in for 14,000 mobile phones; they were packed but not yet shipped. So it was recognized as current inventory. Revenue was recognized as sold in the year the order came. | Absence of proper inventory management controls and adequate policies and procedures for recognizing revenue. |
| 2. A customer was wrongly invoiced because they put in the wrong data when ordering the mobile phone, so the salesperson edited the invoice instead of issuing a debit note. | Absence of controls for ensuring the accuracy of invoices and for issuing debit notes. |
| 3. Mobile phones were sent to customers before payment was cleared in the bank statement. | Absence of controls for ensuring that payments are cleared before goods are shipped to customers. |
| 4. Staff obtain a 15% discount on all mobile phones, so whenever a new product was launched, they could keep aside as many mobile phones as they wished. When they kept the mobile phones aside, they edited the inventory system. | Absence of controls for monitoring and restricting staff discounts and for accurately recording inventory levels. |
| 5. The accounts manager processed payments to his wife by adding a fictitious vendor address to the approved vendor list, and occasionally when he felt he needed a bonus, he paid himself. | Absence of proper segregation of duties, such as separating the duties of the accounts manager from the duties of the vendor payment processing. |
| 6. Pineapple Store also provides services through their apps, such as games, and allows customers to pay for additional add-ons. Recently some of their customers have informed them that they have paid double the amount for their add-ons. | Absence of controls for ensuring that add-ons are properly billed and recorded. |
| 7. For one of the other apps, Pineapple Store was billing customers half the original amount. It was only at the end of the month when the accounts manager was reviewing the actual revenue to budget that they realized that the price of the app was incorrect. | Absence of controls for ensuring the accuracy of the price of the app and for monitoring and reconciling actual revenue to budget. |
| 8. The wrong barcode was incorrectly pasted on a batch of its mobile phones. | Absence of proper quality control procedures for ensuring the accuracy of barcodes on products. |

b.

| MISSTATEMENT | TRANSACTION-RELATED AUDIT OBJECTIVE |
| --- | --- |
| 1. On the last day of the year, orders came in for 14,000 mobile phones; they were packed but not yet shipped. So it was recognized as current inventory. Revenue was recognized as sold in the year the order came. | The misstatement impacts the accuracy of inventory levels and the proper recognition of revenue. |
| 2. A customer was wrongly invoiced because they put in the wrong data when ordering the mobile phone, so the salesperson edited the invoice instead of issuing a debit note. | The misstatement impacts the accuracy and completeness of customer invoices and the proper issuance of debit notes. |
| 3. Mobile phones were sent to customers before payment cleared the bank statement. | The misstatement impacts the completeness and accuracy of customer payments and the proper shipment of goods. |
| 4. Staff obtain a 15% discount on all mobile phones, so whenever a new product was launched, they could keep aside as many mobile phones as they wished. When they kept the mobile phones aside, they edited the inventory system. | The misstatement impacts the accuracy and completeness of inventory records, and the proper calculation of staff discounts. |
| 5. The accounts manager processed payments to his wife by adding a fictitious vendor address to the approved vendor list, and occasionally when he felt he needed a bonus, he paid himself. | The misstatement impacts the accuracy and completeness of vendor payments and the proper segregation of duties. |
| 6. Pineapple Store also provides services through their apps, such as games, and allows customers to pay for additional add-ons. Recently, some of their customers have informed them that they have paid double the amount for their add-ons. | The misstatement impacts the accuracy and completeness of customer billing and the proper recording of add-ons. |
| 7. For one of the other apps, Pineapple Store has been billing customers half the original amount. It was only at the end of the month when the accounts manager was reviewing the actual revenue to budget that they realized that the price of the app was incorrect. | The misstatement impacts the accuracy and completeness of revenue and the proper reconciliation of actual revenue to budget. |
| 8. The wrong barcode was incorrectly pasted on a batch of its mobile phones. | The misstatement impacts the accuracy and completeness of product information and the proper quality control of products. |

c.

| MISSTATEMENT | RECOMMENDED CONTROL |
| --- | --- |
| 1. On the last day of the year, orders came in for 14,000 mobile phones; they were packed but not yet shipped. So it was recognized as current inventory. Revenue was recognized as sold in the year the order came. | Proper inventory management procedures, regular physical inventory counts, and a clear policy for recognizing revenue when goods are shipped, rather than when orders are received, could have prevented this misstatement. |
| 2. A customer was wrongly invoiced because they put in the wrong data when ordering the mobile phone, so the salesperson edited the invoice instead of issuing a debit note. | Adequate controls for ensuring the accuracy of customer invoices and for issuing debit notes when necessary could have prevented this misstatement. |
| 3. Mobile phones were sent to customers before payment cleared the bank statement. | Adequate controls for ensuring that payments are cleared before goods are shipped, such as reconciling customer payments with the bank statement, could have prevented this misstatement. |
| 4. Staff obtain a 15% discount on all mobile phones, so whenever a new product was launched, they could keep aside as many mobile phones as they wished. When they kept the mobile phones aside, they edited the inventory system. | Adequate controls for monitoring and restricting staff discounts and for accurately recording inventory levels could have prevented this misstatement. |
| 5. The accounts manager processed payments to his wife by adding a fictitious vendor address to the approved vendor list, and occasionally when he felt he needed a bonus, he paid himself. | Proper segregation of duties, such as separating the duties of the accounts manager from the duties of the vendor payment processing, could have prevented this misstatement. |
| 6. Pineapple Store also provides services through their apps, such as games, and allows customers to pay for additional add-ons. Recently, some of their customers have informed them that they have paid double the amount for their add-ons. | Adequate controls for ensuring that add-ons are properly billed and recorded, such as regular reconciliation of customer payments, could have prevented this misstatement. |
| 7. For one of the other apps, Pineapple Store has been billing customers half the original amount. It was only at the end of the month when the accounts manager was reviewing the actual revenue to budget that they realized that the price of the app was incorrect. | Adequate controls for ensuring the accuracy of the price of the app and for monitoring and reconciling actual revenue to budget could have prevented this misstatement. |
| 8. The wrong barcode was incorrectly pasted on a batch of its mobile phones. | Proper quality control procedures, such as regularly checking and verifying product information, could have prevented this misstatement. |

The five components of the Committee of Sponsoring Organizations of the
Treadway Commission (COSO) internal control framework are the following:
● Control environment: This component refers to the tone at the top
and the overall culture of an organization, including management’s
attitude toward internal control, ethics and integrity, and how risks are
managed.
● Risk assessment: This component refers to the ongoing process of
identifying and assessing the risks facing an organization. It includes
identifying the potential impact of these risks and determining the
likelihood of their occurrence.
● Control activities: This component refers to the policies and
procedures put in place to help ensure that the organization’s objectives
are met. Examples of control activities include approvals, authorizations,
verifications, and reconciliation processes.
● Information and communication: This component refers to the flow of
information within an organization and the communication of that
information to those who need it. It includes the accuracy, timeliness, and
completeness of information.
● Monitoring: This component refers to the ongoing assessment of the
internal control system to ensure that it is functioning effectively and to
identify any areas that need improvement. It can be performed by
management, internal audit, or an independent external audit.

11-26 The criterion for dividing duties is to keep all asset custody duties with
one person (Cooper). Document preparation and recording is done by the other
person (Sanchez). Singh will perform independent verification. The two most
important independent verification duties are the bank reconciliation and
reconciling the accounts receivable database file with the control account;
therefore, they are assigned to Singh. The duties should be divided among the
three as follows:

Roberta Sanchez: †2 †4 †5 †7 †9 †11 14 16 17
† † † † † †
James Cooper: 1 3 6 8 10 12 13
Mohini Singh: 15 18

11-27 A schedule showing the pertinent transaction-related management
assertions and application controls for each type of misstatement is below.

For each MISSTATEMENT: a. TRANSACTION-RELATED ASSERTION, b. AUTOMATED CONTROLS

1. A customer order was filled and shipped to a former customer that had
   already filed bankruptcy.
   a. ● Recorded transactions exist (occurrence)
   b. ● Preprocessing authorization
      ● Preprocessing review
      ● Programmed controls (e.g., comparison to customer file)

2. For a sale, a data entry operator erroneously failed to enter the
   information for the salesperson’s department. As a result, the salesperson
   received no commission for that sale.
   a. ● Existing transactions are recorded (completeness)
   b. ● Conversion verification (e.g., key verification)
      ● Programmed controls (e.g., check field for completeness)

3. A customer number on a sales invoice was transposed and, as a result,
   charged to the wrong customer. By the time the error was found, the
   original customer was no longer in business.
   a. ● Recorded transactions exist (occurrence)
      ● Amounts and other data relating to recorded transactions and events
        have been recorded appropriately (accuracy)
   b. ● Key entry verification
      ● Check digit
      ● Reconciliation to customer number on purchase order and bill of lading

4. A former computer operator, who is now a programmer, entered information
   for a fictitious sales return and ran it through the computer system at
   night. When the money came in, he took it and deposited it in his own
   account.
   a. ● Recorded transactions exist (occurrence)
   b. ● Input security controls over cash receipts records
      ● Scheduling of computer processing
      ● Controls over access to equipment
      ● Controls over access to live application programs

5. A nonexistent part number was included in the description of goods on a
   shipping document. Therefore, no charge was made for those goods.
   a. ● Existing transactions are recorded (completeness)
   b. ● Preprocessing review
      ● Programmed controls (e.g., compare part no. to parts list database
        file)

6. The sales manager approved the price of goods ordered by a customer, but
   he wrote down the wrong price.
   a. ● Amounts and other data relating to recorded transactions and events
        have been recorded appropriately (accuracy)
   b. ● Preprocessing review
      ● Programmed controls (e.g., comparison to the online authorized price
        list)

7. A computer operator accessed a computer-based data file for sales of the
   wrong week and processed them through the system a second time.
   a. ● Recorded transactions exist (occurrence)
      ● Transactions are recorded in the correct accounting period (cutoff)
   b. ● Correct file controls
      ● Cutoff procedures
      ● Programmed controls (e.g., check for sequence of dates)

8. Several remittance advices were batched together for inputting. The cash
   receipts clerk stopped for coffee, set them on a box, and failed to
   deliver them to the data input personnel.
   a. ● Existing transactions are recorded (completeness)
      ● Transactions are recorded in the correct accounting period (cutoff)
   b. ● Control totals reconciled to manual totals of all batches
      ● Computer accounts for numerical sequence of batches submitted
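
The programmed controls named in the 11-27 schedule can be written as input edit checks that run before a sale is posted. The Python sketch below is an added example, not part of the original solution; the master files, field names, sample batch and the use of the Luhn algorithm as the check digit scheme are assumptions made for illustration.

```python
# Added illustration of the schedule's programmed controls; all data is constructed.
CUSTOMERS = {"102343": "active", "205716": "bankrupt"}  # customer master file
PRICE_LIST = {"P-100": 2500, "P-200": 4000}  # part no. -> authorized price (cents)
REQUIRED = ("invoice", "customer", "part", "price_cents", "salesperson_dept")

def luhn_ok(number: str) -> bool:
    """Check digit test (Luhn, one common scheme): catches single-digit
    keying errors and most adjacent transpositions."""
    if not number.isdigit():
        return False
    total = 0
    for pos, ch in enumerate(reversed(number)):
        d = int(ch)
        if pos % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def is_blank(value) -> bool:
    return value is None or str(value).strip() == ""

def edit_checks(txn: dict) -> list:
    """Return the exceptions that keep a sale off the books until corrected."""
    errors = []
    missing = [f for f in REQUIRED if is_blank(txn.get(f))]
    if missing:  # misstatement 2: field completeness check
        errors.append("missing: " + ", ".join(missing))
    cust = txn.get("customer")
    if not is_blank(cust):
        if not luhn_ok(str(cust)):  # misstatement 3: transposed number
            errors.append("customer number fails check digit")
        elif CUSTOMERS.get(str(cust)) != "active":  # misstatement 1
            errors.append("customer not active on customer file")
    part = txn.get("part")
    if not is_blank(part):
        if part not in PRICE_LIST:  # misstatement 5: nonexistent part number
            errors.append("part number not on parts file")
        elif txn.get("price_cents") != PRICE_LIST[part]:  # misstatement 6
            errors.append("price differs from authorized price list")
    return errors

def review_batch(batch: list) -> dict:
    """Map invoice number -> exceptions, for transactions failing any check."""
    checked = ((t.get("invoice"), edit_checks(t)) for t in batch)
    return {invoice: errs for invoice, errs in checked if errs}

def control_totals_ok(batch: list, manual_count: int, manual_total: int) -> bool:
    """Misstatement 8: reconcile computer totals to the manual batch totals."""
    total = sum(t.get("price_cents") or 0 for t in batch)
    return len(batch) == manual_count and total == manual_total

def sale(invoice, customer, part, price_cents, dept="D1"):
    return {"invoice": invoice, "customer": customer, "part": part,
            "price_cents": price_cents, "salesperson_dept": dept}

BATCH = [  # constructed sample input
    sale(1001, "102343", "P-100", 2500),      # clean
    sale(1002, "205716", "P-100", 2500),      # former customer
    sale(1003, "102343", "P-200", 4000, ""),  # department left blank
    sale(1004, "120343", "P-100", 2500),      # digits 0 and 2 transposed
    sale(1005, "102343", "P-999", 2500),      # nonexistent part number
    sale(1006, "102343", "P-100", 2050),      # wrong price keyed
]

if __name__ == "__main__":
    for invoice, errors in review_batch(BATCH).items():
        print(invoice, errors)
    print("batch reconciles:", control_totals_ok(BATCH, 7, 18550))
```

The last call models a manual batch header that listed seven documents when only six reached data entry, so the control totals do not reconcile.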

11-28

PERSON 1 PERSON 2 PERSON 3


a.  Systems analyst  Computer operator Data control group
 Programmer

b.  Systems analyst  Computer operator N/A


 Programmer
 Data control
group*

* This solution assumes the data control procedures will serve as a check on
the computer operator and will allocate work across both persons.

c. If all four functions were performed by one person, internal control
would certainly be weakened. However, the College would not
necessarily be unauditable, for two reasons: First, there may be
controls outside the IT function that constitute effective control.
For example, users may reconcile all input and output data on a
regular basis. Second, the auditor of a non-public entity is not
required to rely on internal control. He or she may take a
substantive approach to the audit assuming adequate evidence
is available in support of transactions and balances.

11-29 1. Wilcoxon Sports should strengthen several of its IT general controls.
The fact that the programmer was able to access the current live
version of the sales application program suggests that there are
breakdowns in appropriate segregation of duties among IT personnel.
Programmers should be restricted from access to actual software
used in production. Access to live versions of the programs should
only be allowed for computer operators.
Wilcoxon should consider strengthening its processes for
authorizing and approving software changes. More extensive
procedures should be implemented regarding requests and approvals
for software changes. Only upon the presentation of adequate
documentation and approvals should the individual with oversight
of computer operations provide access to a test copy of the
software programs to the programmers. Without adequate
documentation and approvals, the programmers should not be
granted access to software. Furthermore, revised programs
should not be accepted from the programmers when there is no
supporting documentation that a change was authorized.
Approvals for software changes should include user department
approvals, such as those responsible for the sales function.

For larger IT functions, programmers are split into subgroups
with some programmers only authorized to address programming
issues for application software (e.g., the sales application) while
other programmers are only authorized to address programming
issues for systems software, such as operating software.

2. Strengthening IT general controls over program changes, restricting
access to live software versions, and enhancing segregation of
duties will significantly reduce the programmer’s ability to make
unauthorized changes to software as was done at Wilcoxon Sports.
If all program changes must be accompanied by extensive
documentation and approvals for those changes, it will be more
difficult for programmers to make an unauthorized change.
Furthermore, restricting programmer access to only test
copies of software that have been approved for modification
makes it much more difficult for programmers to implement a
change in software without someone’s knowledge. If operations
only accepts revised programs for properly authorized changes,
then the programmer will be prevented from sneaking a
changed program back into live production.
If programmer functions are separated among programmers
such that only a subset is authorized to modify application
programs and not system software, then it will require collusion
among programmers to implement a change in application software
that also requires modification to system software. That segregation
would prevent situations like the one at Wilcoxon whereby the
programmer was able to make unauthorized changes to both the
sales application and the operating system software.

11-30
a. The strengths of Hardwood Lumber Company’s computerized accounting
system include the following:
● Separate departments for systems programming, applications
programming, operations, and data control.
● Some employees have READ ONLY capabilities, and others have
CHANGE or RUN capabilities.
● The computer room is locked and requires a key-card for access
which enhances security surrounding unauthorized access.
● Network operations is responsible for maintaining program files.
● Backup copies of program files and data files are maintained.
● Programmers are restricted to READ ONLY access to all live
application software program files.
● Data control clerks have no access to software program files.
b. Recommendations to improve Hardwood Lumber Company’s
Information Systems function:
● The Vice President of Information Systems Technology (VP of IT)
should report on a day-to-day basis to senior management (e.g.,
the president) and should not be under the authority of user
personnel. This ensures that the IT function is not subordinate to
a user function, which might inappropriately allocate IT
resources to that user function’s projects.
● The VP of IT should have access to the board of directors and
should be responsible for periodically updating the board on
significant IT projects. Perhaps, the board should create an IT
Steering Committee to oversee IT activities (like the Audit Committee
oversees the financial reporting process).
● Operations staff should not have responsibility for maintaining the
operating software security features. This responsibility should be
assigned to a more senior, trusted IT individual, such as the VP
of IT.
● Video monitors should be examined continually. The actual monitors
could be viewed on an ongoing basis by building security guards.
Hardwood should consider taping what the cameras are viewing
for subsequent retrieval in the event of a security breach.
● Hardwood may consider purchasing a vendor-developed access
security software package to strengthen online security beyond
the features currently provided by the operating software’s security
features.
● Restrict programmer access to test copies of software programs
for only those programs that have been authorized for program
change. Access to copies of other programs may not be necessary
when those programs have not been authorized for change.
● Grant systems programmers access only to approved test copies
of systems software, and grant application programmers access
only to approved copies of application software.

● Consider hiring a systems analyst to coordinate all program development
projects. Systems analysts can strengthen communications between
user and programming personnel, and they can increase the
likelihood that a strong systems development process is followed.
● Develop a weekly Job Schedule that outlines the order in which
operators should process jobs. The VP of IT should review computer
output to determine that it reconciles to the approved Job Schedule.
This will increase the likelihood that only approved jobs are
processed and that they are processed in the correct sequence.
● Relocate the backup program and data storage to a physically secure
room separate from the computer room but offsite or to the cloud
to avoid having both the computer room and the backup data
being destroyed in the event of damage to the building. Only
grant the network administrator access to this room. This will
prevent the unauthorized removal of program and data files.
● Remove the network operator’s CHANGE rights to program and
data files. The network operator should not be able to make
changes to those files. The network operator should only be able
to copy the contents of those files.
● Consider purchasing a vendor-developed software package to assist
the network operator in maintaining complete and accurate records
of secondary storage programs and data files.
● Make sure only user department personnel have the ability to
authorize additions or changes to data files.
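
Several of the 11-30 access recommendations can be tested mechanically against a list of access grants. The Python sketch below is an added example, not part of the original solution; the role names, file names, grant layout and sample data are assumptions, and READ, CHANGE and RUN are the capabilities named in the answer.

```python
# Added illustration: an access review that encodes the recommendations above.
# Role names, file names and the grant layout are constructed for the example.
from collections import namedtuple

# kind: "application", "system" or "data"; env: "live" or "test"
Grant = namedtuple("Grant", "user role target kind env right")
PROGRAMMER_KIND = {"app_programmer": "application", "sys_programmer": "system"}


def violations(grant, approved_changes):
    """Return the segregation-of-duties exceptions raised by one access grant."""
    found = []
    is_program = grant.kind in ("application", "system")
    own_kind = PROGRAMMER_KIND.get(grant.role)
    if own_kind:  # the grant belongs to a programmer
        if grant.env == "live" and grant.right != "READ":
            found.append("programmer exceeds READ ONLY on live files")
        if grant.env == "test" and is_program:
            if grant.target not in approved_changes:
                found.append("test copy not covered by an authorized change")
            if grant.kind != own_kind:
                found.append("test copy outside programmer's own software type")
    if grant.role == "data_control" and is_program:
        found.append("data control clerk can reach program files")
    if grant.role == "network_operator" and grant.right == "CHANGE":
        found.append("network operator can change program or data files")
    return found


def review(grants, approved_changes):
    """Map user -> list of (target, exception) for every grant that fails."""
    report = {}
    for g in grants:
        for msg in violations(g, approved_changes):
            report.setdefault(g.user, []).append((g.target, msg))
    return report


APPROVED = {"sales_app"}  # programs with an approved change request (constructed)
GRANTS = [  # constructed access list
    Grant("ana", "app_programmer", "sales_app", "application", "test", "CHANGE"),
    Grant("ana", "app_programmer", "sales_app", "application", "live", "READ"),
    Grant("ben", "app_programmer", "payroll_app", "application", "test", "CHANGE"),
    Grant("cy", "sys_programmer", "sales_app", "application", "test", "CHANGE"),
    Grant("dee", "app_programmer", "sales_app", "application", "live", "CHANGE"),
    Grant("eli", "network_operator", "ar_master", "data", "live", "CHANGE"),
    Grant("eli", "network_operator", "ar_master", "data", "live", "READ"),
    Grant("fay", "data_control", "sales_app", "application", "live", "READ"),
    Grant("gus", "operator", "sales_app", "application", "live", "RUN"),
]

if __name__ == "__main__":
    for user, items in review(GRANTS, APPROVED).items():
        print(user, items)
```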
11-31 a. The Maxwell Technologies financial statements for 2011 and 2012
improperly overstated revenues by prematurely recording sales.
The SEC alleged that the company’s Senior Vice President of
Sales, Van Andrews, generated sales that were recorded and
included in the financial statements but then modified the terms of
the transactions through the issuance of side agreements to make
the payment terms contingent on the customer selling the
products and to allow the customer a full right of return. Those
modifications meant that the transactions no longer satisfied
revenue recognition criteria. In addition, Andrews engaged in
channel stuffing by pressuring distributors to order more products
than they needed or wanted, and he extended credit terms,
generated fictitious customer purchase orders, and encouraged a
key customer to falsify confirmations returned to the auditors.
b. There were several noted deficiencies in Maxwell Technologies’
control environment.
● Andrews was hired because he was a close personal friend of
the CEO. While Andrews did have prior sales experience, the
company’s hiring practices did not demonstrate a desire to
attract and hire highly qualified and competent sales
personnel.

● While sales goals and earnings expectations are established in
most organizations, those set by Maxwell Technologies’ CEO
seem to have been unrealistic, creating excessive pressure for
sales personnel. That pressure from the CEO did not reinforce a
commitment to integrity and ethical values.
● The company’s controller (DeWitt) knew that the original
purchase order from the German Distributor contained
contingent payment terms, but when he challenged Andrews
about this, he accepted Andrews’ explanation that the purchase
orders were incorrect and that corrected copies would be
obtained from the German Distributor. DeWitt’s failure to
exercise professional skepticism when red flags were noted
demonstrated his lack of a commitment to competence.
Similarly, the failure of the finance and accounting team to
highlight to the auditors (1) the fact that the original purchase
orders were replaced with corrected ones and (2) the fact that
one of Maxwell’s key customers (Global Automotive Customer)
had refused to accept receipt of goods shipped by Maxwell
Technologies demonstrated a lack of commitment to
competence and a lack of integrity and ethics.
● While the company’s audit committee did discuss the large
outstanding receivable due from the German Distributor, the
audit committee mostly focused on the collectibility of the
receivable but did not require management to provide more
in-depth information about the details of the transaction and the
related payment terms. The audit committee did not appear to
be exercising appropriate oversight of management in its review
of this unusual receivable.
c. When Andrews arranged for the German Distributor to “purchase”
$3.7 million of products that would later be sold to the Global
Automotive Customer, the automated accounting system rejected
the sales transaction given that the transaction far exceeded the
credit limit of $500,000 for the German Distributor. Maxwell
Technologies’ finance and accounting department overrode the
credit limit and initially increased it to $4 million so that the
transaction could be processed. They did not obtain any
documentation to assess the German Distributor’s creditworthiness.
Even after the credit limit was initially overridden, the
company continued to increase that limit up to $8 million without
any effort to evaluate creditworthiness.
d. Andrews ignored the importance of maintaining adequate
documents and records by falsifying customer purchase orders and
by modifying terms of the transactions through side agreements.
e. As the receivable from the German Distributor continued to grow
throughout 2012, Maxwell’s senior finance personnel failed to act
on a number of red flags that should have caused them to question
the legitimacy of the sales and related receivables due from the
German Distributor. According to the SEC, the finance personnel
failed to follow up on issues identified in emails they received and
they appeared to overlook key trends in the accounts receivable
reports and key collection ratios that seemed to indicate that
collection from the German Distributor was unlikely. They also
appeared to overlook the fact that a large volume of sales took
place the last few days of each quarter.

■ Case

11-32 a. Sales

TRANSACTION-RELATED ASSERTION and CONTROL

Occurrence
● Supervisor approves all invoices.
● Accounts receivable clerk has no access to cash.
● Monthly statements are sent to customers.
● Supervisor approves all credit based on approved credit list.
● Computer generates two copies of invoice, with one retained and other
provided to customer.
● Store owner approves all write-offs of accounts receivable.

Completeness
● Cash register is at the front of the store.
● Sales clerks handle no cash.
● Supervisor summarizes daily sales in total and by sales clerk, which also
determines sales commission. This summary is compared daily to total sales.
● Sales transactions are used to update perpetuals and monthly physical
inventory is taken.

Accuracy
● Computer register calculates sales amounts.
● Accountant reconciles all computer totals to sales staff summary totals
and supervisor’s sales summary.
● Monthly statements are sent to customers.
● Computer is used to update records.
● The aged trial balance is compared to the general ledger.

Classification: None listed

Cutoff
● Sales transactions are recorded daily.

Presentation: None listed

b. Cash Receipts

TRANSACTION-RELATED AUDIT OBJECTIVE and CONTROL

Occurrence
● Monthly bank reconciliation is prepared.
● Accounts receivable clerk compares electronic copy of the deposit slip
from bank to sales and cash receipts journal.
● Cash receipts are prelisted when mail opened.

Completeness
● Cash register is used for cash sales.
● Cash collected on receivables is prelisted.
● Only supervisor operates computer cash register.
● Supervisor deposits money in a locked box.
● Store owner approves all write-offs of accounts receivable.
● All correspondence and complaints are resolved by the owner.

Accuracy
● Supervisor recaps credit and cash sales and compares totals to the daily
computer-generated summary.
● Monthly bank reconciliation prepared.
● Accounts receivable clerk compares the electronic deposit slip from bank
to cash sales and cash receipts journal.
● Monthly statements are sent to customers.
● Computer is used to update records.
● An aged trial balance is generated by the computer weekly and reviewed by
the owner.

Classification: None listed

Cutoff
● Cash is deposited daily.

Presentation: None listed


c. Sales and Cash Receipts

Deficiencies
● Supervisor enters all sales in the cash register, recaps
sales and cash, and compares the totals to the computer-generated
summary. (This deficiency is offset by the
computer generating the sales summary by sales clerks
who will note any missing sales since this determines their
commission.)
● Lack of accounting for a numerical sequence of sales
invoices. (Partially offset by the computer generating the
sales summary by sales clerks who will note any missing
sales.)
● No internal verification of key entry for customer name,
date, and sales classifications on either cash receipts or
sales.
● There is no internal verification of general totals, posting to
accounts receivable database, or posting to the general
ledger.
● There is a lack of internal verification of all of the
accounting work done by the accounts receivable clerk.
