understanding internal control and making it pay

DESIGNING INTERNAL CONTROL SYSTEMS FOR SMALLER ENTITIES
By Larry L. Perry, CPA
CPA Firm Support Services, LLC
LEARNING OBJECTIVES
• Understand the fundamental concepts and the components of internal control.
• Be able to design and operate effective accounting and internal control systems
for smaller entities.
• Learn to prepare flowcharts effectively and efficiently.
THE FOUNDATION OF INTERNAL CONTROL
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) is a
voluntary private-sector organization established in the United States. It is dedicated to
providing guidance on organizational governance, business ethics, internal control,
enterprise risk management, fraud and financial reporting. COSO established a common
internal control model that is used by large and small reporting entities.
COSO defines internal control as a process, effected by an entity’s board of directors,
management and other personnel. This process is designed to provide reasonable
assurance regarding the achievement of objectives in effectiveness and efficiency of
operations, reliability of financial reporting, and compliance with applicable laws and
regulations. The COSO framework involves several key concepts:
1. Internal control is a process. It is a means to an end, not an end in itself.
2. Internal control is not merely documented by policy manuals and forms. Rather, it
is put into effect by people at every level of an organization.
3. Internal control can provide only reasonable assurance, not absolute assurance, to
an entity’s management and board.
4. Internal control is geared to the achievement of objectives in one or more separate
but overlapping categories.
A Historical Perspective of Internal Controls
The Committee of Sponsoring Organizations (COSO) of the National Commission on
Fraudulent Financial Reporting (Treadway Commission) issued its first report in 1985
stressing the importance of internal control, the control environment, codes of conduct,
audit committees and internal audit functions. In 1992, a task force of COSO issued a
report entitled Internal Control—Integrated Framework, called the COSO Report.
Among other things, the COSO Report defines internal control and its components and
provides criteria for evaluating internal control. The report presents these interrelated
components of internal control:
• Control Environment—The core of any business is its people and the
environment in which they operate. The tone at the top, i.e., management’s
attitudes, values and behaviors, provides the control environment for other
employees.
• Risk Assessment—The entity must be aware of and deal with the risks it faces;
identifying the risk of error or fraud and implementing corrective actions is the
primary responsibility of management.
• Control Activities—Control policies and procedures must be designed and
operated to address risks to the achievement of the entity’s objectives.
• Information and Communication—These systems enable the entity’s people to
obtain and use information necessary to conduct, manage and control operations.
• Monitoring—The internal control process must be monitored and changed by
management as circumstances and conditions necessitate.
In 2013, COSO updated and issued Internal Control—Integrated Framework. The
updated report did not change the basic components of internal control but, among other
clarifying issues, the Framework sets out seventeen principles for applying these
components. These principles from COSO’s report are presented below as they apply to
these components.
Control Environment
1. The organization demonstrates a commitment to integrity and ethical values.
2. The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.
3. Management establishes, with board oversight, structures, reporting lines, and
appropriate authorities and responsibilities in the pursuit of objectives.
4. The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.
5. The organization holds individuals accountable for their internal control
responsibilities in the pursuit of objectives.
Risk Assessment
6. The organization specifies objectives with sufficient clarity to enable the
identification and assessment of risks relating to objectives.
7. The organization identifies risks to the achievement of its objectives across the
entity and analyzes risks as a basis for determining how the risks should be
managed.
8. The organization considers the potential for fraud in assessing risks to the
achievement of objectives.
9. The organization identifies and assesses changes that could significantly impact
the system of internal control.
Control Activities
10. The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.
11. The organization selects and develops general control activities over technology
to support the achievement of objectives.
12. The organization deploys control activities through policies that establish what is
expected and procedures that put policies into action.
Information and Communication
13. The organization obtains or generates and uses relevant, quality information to
support the functioning of internal control.
14. The organization internally communicates information, including objectives and
responsibilities for internal control, necessary to support the functioning of
internal control.
15. The organization communicates with external parties regarding matters affecting
the functioning of internal control.
Monitoring Activities
16. The organization selects, develops, and performs ongoing and/or separate
evaluations to ascertain whether the components of internal control are present
and functioning.
17. The organization evaluates and communicates internal control deficiencies in a
timely manner to those parties responsible for taking corrective action, including
senior management and the board of directors, as appropriate.
Internal control is always relevant to the nature, size and complexity of a reporting entity.
Smaller entities will ordinarily have more informal controls that are carried out by one or
a few persons. While the basic components of internal control should be present in
small- and medium-size entities, the 17 principles will ordinarily be subjectively included
in an entity’s design and operation of internal controls.
Generally, internal controls over financial reporting include those that are designed to
make sure financial data is recorded, processed, summarized and reported consistent with
management’s representations (assertions) in financial statements. Management of an
entity has the primary responsibility for internal control. An auditor’s responsibilities
include the evaluation of whether the five components are designed and operating
effectively, given the nature, size and complexity of the entity.
Management’s Control Objectives
An entity’s internal control system provides the machinery used by management to
accomplish these basic objectives:
• Effectiveness and efficiency of operations—basic business objectives,
profitability goals and safeguarding of assets and other resources.
• Reliability of financial reporting—preparation of accurate financial statements.
• Compliance with laws and regulations—all to which the entity is subject.
Understanding the Components of Internal Control
The Tone at the Top and Bottom:
The control environment sets the tone of any organization, i.e., causes its people to be
conscious of the importance of the entity’s system of internal control. It is the foundation
for application of all other components of internal control. For small entities, the
character and behavior of the person having top financial responsibility for the entity,
e.g., an owner or manager, sets the tone for employees to follow. For larger entities,
management personnel at various levels are also the primary influence on the control
environment. In all cases, it’s what management does, not what they say, that directs
employees’ behavior. The operating philosophies and style of management, their
delegation of responsibility and authority, their emphasis on developing and guiding
employees and their utilization of input from persons charged with governance define
what employees do.
The Importance of Descriptive Charts of Accounts and Budgeting Controls:
A comprehensive chart of accounts is the foundation of the financial reporting process.
Designed to guide the authorization, initiation, classification, recording and summarizing
of transactions, it is most effective when it includes descriptions of the activity that may
be recorded in each account. The chart of accounts should include accounts in all
functional, departmental and/or job classifications. It should also be designed to facilitate
budget preparation and monitoring as part of an entity’s internal control system.
Budgets may be prepared using a base line, such as the prior year’s operations, or they
may be zero-based, that is, built from the ground up. Whichever method is used,
participation by department heads and other operating personnel is essential for
producing effective budgets. The final review and approval responsibility for budgets
should rest with persons charged with governance of the organization.
To provide value, the budget should be compared to actual results on a periodic basis by
management and other persons charged with governance, usually monthly. Unusual or
unexpected variances from budgeted amounts should be considered and corrective
actions implemented when necessary.
A budget should also be designed for use based on an entity’s nature, size and
complexity. A medium-size church employed an executive pastor who was formerly a
chief financial officer for a public company. He spent most of his time micro-managing
weekly budgets for department heads. Using a report from the church’s accounting
software, the executive pastor met with department heads weekly to discuss their budget
status. Overexpenditures were met with severe cutbacks in planned future expenditures.
Underexpenditures resulted in reductions of monthly or annual budgeted amounts.
While this micro-management significantly strengthened the church’s internal control
system, its cost was high, too high for the size of this organization. The practical side of
internal control is that the cost of operation of a control activity should result in benefits
appropriate for the nature, size and complexity of the organization.
While properly prepared and monitored budgets can significantly improve a small
entity’s internal controls, their use should provide benefits commensurate with the cost of
preparation and monitoring. Like the design and operation of internal control procedures,
benefits must be measured in terms of the relative costs of implementation and
maintenance.
The Importance of a Code of Conduct:
While smaller entities don’t normally have a written code of conduct, larger
organizations are establishing these codes. Publicly held companies, issuers under the
Sarbanes-Oxley Act, are required to establish and communicate codes of conduct. Other
privately held companies, non-issuers, are also creating codes of conduct as part of their
control environment.
Whether written or communicated informally, a code of conduct defines behavior
expectations for both management and other employees. While such codes do not
prevent inappropriate behavior or fraud, they do provide employees with legal and ethical
standards that will influence their performance and commitment to the entity’s system of
internal control.
An entity’s code of conduct will ordinarily include these sections:
• Use of company assets and resources for business and not personal use
• Use of telephones, email and the internet
• Avoiding actual and potential conflicts of interest
• Protecting the company’s confidential information
• Maintaining complete and accurate accounting records
• Investigating and reporting any accounting, auditing and disclosure concerns
• Retaining and disposing of records and documents
• Prohibiting discrimination and harassment
• Prohibiting use of alcohol and illegal drugs
• Complying with laws, rules and regulations
• Protecting intellectual property and using copyrighted materials
• Giving and receiving gifts, meals, services and entertainment
• Understanding disciplinary actions for code violations
• Reporting concerns and code violations
The Entity’s Risk Assessment Process:
Risks at the entity level may come from external factors such as changes in technology,
customers’ needs, competition, regulations or laws and the economy. At the entity level,
risks also arise from internal factors such as information systems failures, personnel
practices affecting the quality of employees, access to assets and the susceptibility of an
entity’s operations to fraud.
At the activity level, risk assessment involves business operations and financial reporting.
Analyzing operational reports, financial and non-financial data and observations of
employees’ activities may bring risks to management’s attention.
Control Activities:
Control activities that are established in response to perceived risks relate to
management’s representations (assertions) in the entity’s financial statements. The
assertions from section AU-C 315 of the Auditing Standards Board Clarified Auditing
Standards can be synthesized and organized in this way:
• Completeness
• Occurrence and cut-off
• Valuation and accuracy
• Existence
• Rights
• Obligations
• Disclosure and Presentation
An entity’s financial reporting and internal control systems should result in financial
statement classifications that are appropriate and reasonable.
Key or Entity-Level Controls
Key controls are those elements of the five components of internal control that have a
pervasive effect upon the accomplishment of management’s control objectives. For
smaller entities, key controls are normally performed at the entity level, although some
may exist at the activity level. Illustrated in the accompanying Small Audits Internal
Control Questionnaire (SAICQ), these controls may be informal and ordinarily carried
out by one or a few persons such as an owner/manager. The design and operation of
these key controls can prevent material misstatements due to error or fraud from
occurring and going undetected. When these circumstances exist, even a small entity can
have a good internal control system!
Components of key controls for both large and small entities are:
• Management’s integrity and ethical values.
• Management’s commitment to doing things right.
• Management’s ways of doing things.
• The involvement of persons charged with governance.
• The delegation of authority and responsibility.
• Personnel policies and procedures.
Activity-Level Controls
The COSO Report states that control activities are the policies and procedures established
to help ensure that management directives are carried out and that management’s
objectives are accomplished. The key controls described above are primary to
accomplishing these objectives. Absent the design of key controls, or when key controls
are designed but not operating, activity-level controls may be necessary to prevent
misstatements from occurring and going undetected.
These controls may be applied through features in an accounting software system, by
personnel while performing accounting procedures or by the design of documents or data.
The SAICQ mentioned above also illustrates the activity-level controls for the financial
statement classifications of a small entity. If key controls are not designed or operating,
certain activity-level controls may prevent errors from occurring and going undetected.
Information and Communication:
Comprising the nature of internal information produced and distributed by an entity, this
component is intended to enable management and others to operate, manage and control
the entity’s business. It is also intended to provide employees an understanding of
financial reporting and safeguarding controls and their operations. For larger entities,
communication may take the form of policy and procedure manuals, instructional memos
and oral communications. For smaller entities, communication will often be verbal, face
to face and directed by the owner or a manager.
Communications may also involve outside parties such as auditors, customers and
vendors. These communications may provide information that can lead to identifying
deficiencies in internal control.
Monitoring:
The monitoring component is intended to cause management to assess the design and
operating effectiveness of the entity’s system of internal control on a short- and
long-range basis. Monitoring can be performed on an on-going basis or be performed on
separate occasions.
Monitoring is the evaluation of the effectiveness of other internal control components and
how well management’s and other employees’ duties are being performed. Monitoring in
small entities normally consists of the day-to-day observations of an owner or manager.
Special Issues for Small Entities
As discussed above, the owner or manager of a small entity is that entity’s control
environment. If he or she has good character, is committed to performing key controls
and is diligent in carrying out day-to-day responsibilities, it is possible for a small entity
to have a good system of internal control. On the other hand, an ineffective
owner/manager may increase the risk of material misstatements at both the financial
statement and assertion levels.
Boards of directors for small entities, especially non-profit organizations, may not be
knowledgeable of business operations, accounting and tax activities or internal control
over financial reporting. In such cases, the caliber of the owner or manager will be even
more important in preventing errors from occurring and going undetected. A
knowledgeable board, on the other hand, can serve to reduce the risk of material
misstatement when the owner or manager’s capabilities are not strong.
An informal organization structure of a small entity may result in control deficiencies due
to a lack of segregation of duties in operations and accounting. Because employees may
be trained to perform many different functions, the resources and accounting records
could be at risk of misstatement due to error or fraud. Highly effective key controls at the
entity level would be necessary to mitigate these risks.
Many of the key controls performed by an owner or manager depend on the physical
presence of the person. Prolonged absences from the workplace by the owner or
manager decrease the effectiveness of key controls and increase the risk of material
misstatements.
Can a Small Entity Have Good Internal Controls?
As discussed above, the owner or manager (CEO, director, superintendent, CFO or other
top financial authority) has primary responsibility for the design and operation of internal
controls. Most of the key controls will be informal and they will be performed by the
owner or manager. It is the commitment to accurate financial reporting and the diligence
of the responsible person that primarily affects the risk of material misstatements in
financial statements.
COSO has recognized that small entities can have good internal controls, although they
will likely be informal and carried out by one or a few persons. The design and operation
of key controls can prevent material misstatements due to error or fraud from occurring
and going undetected. So to answer the marginal question above, effectively designed
and operating informal key controls may result in a good internal control system for
smaller entities.
Using a Small Audits Internal Control Questionnaire
The accompanying Small Audits Internal Control Questionnaire is designed to assist
management in formulating an internal control system and to be used on small audits to
document internal control and assess control risk. It also is a source for identifying
control deficiencies by management and auditors.
An Overview of Flowchart Preparation
Information for preparing flowcharts is usually based on the knowledge of the top
financial authority of an entity. Additional information may be obtained by interviewing
persons responsible for procedures, making inquiries of each person responsible for
document preparation and tracing all documents through the processing procedures. The
accompanying Flowcharting Guide can facilitate the flowchart drafting process, whether
in hardcopy or electronic format.
The overall objective of flowchart preparation is to produce a complete and
understandable flowchart. Here are some basic rules:
• Leave two to three inches on the left of the page open for comments.
• Begin at the upper-left corner and draw down and/or to the right.
• Show the source and use of every document.
• Use “keys” within symbols for footnotes or drop-down boxes to describe
documents.
• Use a separate memo or drop-down box on the flowchart to explain any
information that is not self-explanatory.
• The flowchart should be divided into columns to separate people or departments
with specific areas of responsibility.
• Use directional arrows only if the information flow contradicts a normal pattern.
• Avoid cross lines of data-flow.
Following are some steps to facilitate flowchart preparation:
1. Define the transaction cycle, system or process to be flowcharted (cash
receipts or disbursements, sales, payroll, etc.)
2. Lay out the columns of the flowchart to show the flow of information
through the system or process. Consider roughing out the flow of
documents and information known to you.
3. Interview accounting personnel using an SAICQ, Flowcharting Guide or
other reference material to gather information.
4. Draw or complete the flowchart (while interviewing accounting personnel
if possible).
5. Perform a systems walk-through procedure to verify the accuracy of the
flowchart and make a preliminary identification of potential risks of
material misstatements.
6. Transfer potential risks to a control deficiencies worksheet for
consideration of offsetting key controls and a determination of
deficiencies.
Following are three illustrative flowcharts for common transactions cycles that could be
used to identify risks by financial statement classification:
DESIGNING COST-EFFECTIVE INTERNAL CONTROL SYSTEMS FOR
SMALLER ENTITIES
Characteristics of Smaller Entities
COSO has led the way to designing cost-effective internal control systems for smaller
public companies by the guidance it published in 2006. This guidance for smaller public
companies presents a pattern for smaller non-public entities as well.
Common characteristics for smaller entities include:
• Fewer lines of business, fewer products and limited purposes, particularly for
non-profit organizations.
• Management personnel usually have significant equity interests.
• Management personnel normally have broader responsibilities and control.
• Accounting systems are generally less complex than for larger entities.
• Accounting personnel are generally few in number and often have wide ranges of
duties.
• Limited resources often result in less-qualified staff persons and fewer
consultations with legal and other experts.
Challenges and Difficulties
These common characteristics create difficulties in designing cost-effective internal
control systems. Here are some of the effects:
• Segregation of incompatible duties is limited.
• Management personnel have increased opportunities for override of internal
controls.
• Finding qualified persons to serve on boards of governance is difficult.
• Hiring and retaining qualified accounting personnel is a challenge.
• A lack of resources to maintain appropriate control over IT systems often results
in using out-of-the-box software that often doesn’t meet all the entity’s needs.
In spite of these challenges, a smaller company can design and operate an effective
internal control system. A brief discussion of some of the ways this can be done follows
in the next section.
Effectively Designed Internal Control Systems
1. Oversight by an owner or manager. The in-depth knowledge of business and
accounting operations by an owner or manager, and his/her daily presence and
oversight of company personnel, are key controls in the entity’s control
environment. Diligent performance of key controls can also greatly increase the
reliability of the entity’s financial reporting process. Since the owner or manager
generally has an equity or compensation interest, the likelihood of management
override of internal controls is diminished.
2. Effective board of governance. Since smaller companies or non-profit
organizations ordinarily have less complex business structures, persons charged
with governance can have a greater knowledge of the entity’s activities. This can
enable these persons to more effectively accomplish their governance
responsibilities.
3. Overcoming the lack of segregation of duties. Key controls carried out by
management personnel at the entity or activity level can offset the control risks
from the lack of segregation of duties. The COSO Report suggests these key
controls:
a. Reviewing system reports of detailed transactions.
b. Selecting transactions for review of supporting documents.
c. Overseeing periodic counts of physical inventory, equipment or other
assets and comparing them with accounting records.
d. Reviewing reconciliations of account balances or performing them
independently.
4. Limiting risks associated with the IT system. While using out-of-the-box
software can limit the information available for management’s use, many of the
risks associated with mid-tier, user-modifiable systems can be avoided.
Standardized reports and reporting formats, password and processing controls and
other application controls can prevent errors from occurring and going
undetected.
5. Monitoring control activities. Monitoring in small entities is normally the
responsibility of an owner or manager. Performing daily “walk-around” controls
provides feedback on the effectiveness of accounting, internal control, and
operational systems. In 2009, COSO published its Guidance on Monitoring
Internal Control Systems. This guidance suggests that monitoring for all entities
should be based on these three broad elements:
a. Establishing a foundation for monitoring, including (a) a proper tone at the
top; (b) an effective organization structure that assigns monitoring roles to
people with appropriate capabilities, objectivity and authority; and (c) a
starting point or “baseline” of known effective internal control from which
ongoing monitoring and separate evaluations can be implemented;
b. Designing and executing monitoring procedures focused on persuasive
information about the operation of key controls that address meaningful
risks to organizational objectives; and
c. Assessing and reporting results, which includes evaluating the severity of
any identified deficiencies and reporting the monitoring results to the
appropriate personnel and the board for timely action and follow-up if
needed.
6. Achieving further efficiencies. The COSO Report identifies other opportunities
to design effective and efficient internal control systems:
a. By focusing on the risks related to management’s objectives, a risk-based
approach to designing internal control systems will consider what could
go wrong in the financial reporting process. Using lists of controls that are
tailored to the nature, size and complexity of an entity and the objectives
of its management will facilitate the identification of “what could go
wrong.”
b. Documentation of internal control policies and procedures will also vary
with the nature, size and complexity of an entity. Smaller entities
normally have informally designed and communicated internal controls.
In other words, there normally are no policies and procedures manuals,
systems flowcharts, organization charts and job descriptions. With fewer
people and levels of management, more frequent contact by an owner or
manager enables communication of the informal policies and procedures.
c. Some documentation of accounting and internal control procedures is
ordinarily necessary to demonstrate transaction processes are occurring
and being recorded properly. Determining that all shipments are billed,
that billings only occur after shipments are made and that bank accounts
are being reconciled are examples of such procedures. Key controls
performed by owners or managers of small entities should include periodic
inspections of records sufficient to determine transactions are being
recorded properly.
INTERNAL CONTROLS AND FRAUD PREVENTION
Much has been written about forensic accounting and fraud. There are three major
categories of fraud that commonly affect entities:
1. Misrepresentations in financial reporting. These include intentional
misstatements of amounts or disclosures in financial statements that are intended
to mislead users of the statements.
2. Misappropriation of assets. Theft of an entity’s assets by employees or others is
the most common form of misappropriation. Financial records are usually altered
to conceal a theft of assets.
3. External frauds. Persons outside an entity are normally responsible for external
frauds, although there may be collusion with certain employees. Financial gain is
the normal motivation.
For small entities, misappropriation of assets is the most common type of fraud. The
“fraud triangle” contains three factors that indicate circumstances that can cause a person
to misappropriate assets and misstate records to conceal the theft:
1. Incentives or pressures to commit fraud. Reasons to commit frauds may
include financial pressures such as a spouse out of work, a divorce or separation
or the failure of a personal business.
2. Opportunities to commit fraud. Ineffective internal controls, the opportunities
and likelihood for management personnel to override internal controls, and
decentralized operations and accounting are examples of circumstances that create
opportunities to commit fraud.
3. Attitudes and rationalizations for committing fraud. Justifying the fraud
because the perpetrator is not paid what he/she is worth or rationalizing that
everyone does it are examples of a fraudster’s attitudes.
FRAUD PREVENTION
Designing and operating anti-fraud programs is the responsibility of management and can
result in reductions in opportunities for employees to commit fraud. Human resource
policies such as drug tests, credit checks and background checks for prospective
employees help eliminate candidates with higher tendencies to commit fraud. Key
controls diligently carried out by owners, managers or other authorized individuals are
also primary means of preventing or reducing the occurrence of asset misappropriation.
Fraud detection may occur as key controls are performed. In addition, analytical
procedures performed by comparing operating results among periods or by making
calculations using non-financial data can reveal discrepancies. For example, an auto
parts store discovered a $50,000 fraud perpetrated by a sales clerk when a new software
program identified the number of refund slips issued by each clerk on a periodic basis. In
another case, the CFO of a transportation company compared the miles per gallon of
gasoline on trips for each driver and discovered a driver storing and selling gasoline on
the side. Fraud detection may also occur in anti-fraud programs carried out physically
such as lunch box searches at a small tool manufacturing plant or electronic security
scanners at exits from the plant of a computer components manufacturer.
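The two analytical procedures described above (refund slips per clerk, miles per gallon per driver) both compare each person with a peer group. The following Python sketch is an added example, not part of the original article; it generalizes the two cases into one peer-comparison routine, and the sample data, function names and the 3.5 cut-off (a common convention for modified z-scores) are assumptions.

```python
from collections import Counter, defaultdict
from statistics import median

# Constructed sample data (not from the article): one entry per refund slip,
# naming the clerk who issued it during the review period.
REFUND_SLIPS = (["clerk_a"] * 4 + ["clerk_b"] * 6 + ["clerk_c"] * 5
                + ["clerk_d"] * 27 + ["clerk_e"] * 3 + ["clerk_f"] * 5)

# Constructed sample data: (driver, miles driven, gallons purchased) per trip.
TRIPS = [
    ("driver_1", 2100, 300), ("driver_1", 2100, 300),
    ("driver_2", 3640, 520),
    ("driver_3", 1800, 250), ("driver_3", 1800, 250),
    ("driver_4", 3400, 500),
    ("driver_5", 1500, 300), ("driver_5", 1500, 300),
    ("driver_6", 3550, 500),
]


def refund_counts(slips):
    """Number of refund slips issued by each clerk."""
    return dict(Counter(slips))


def miles_per_gallon(trips):
    """Total miles divided by total gallons for each driver."""
    miles, gallons = defaultdict(float), defaultdict(float)
    for driver, trip_miles, trip_gallons in trips:
        miles[driver] += trip_miles
        gallons[driver] += trip_gallons
    return {d: miles[d] / gallons[d] for d in miles if gallons[d] > 0}


def modified_z_scores(values):
    """Score each person against the peer median.

    Uses the median absolute deviation (MAD) so that one large outlier does
    not inflate the scale the way it would with a mean and standard deviation.
    """
    if not values:
        return {}
    med = median(values.values())
    abs_dev = [abs(v - med) for v in values.values()]
    mad = median(abs_dev)
    if mad > 0:
        scale = mad / 0.6745
    else:
        # More than half the peers are identical: fall back to the mean
        # absolute deviation so a lone deviant is still scored.
        scale = 1.253314 * (sum(abs_dev) / len(abs_dev))
    if scale == 0:
        return {name: 0.0 for name in values}  # everyone identical
    return {name: (v - med) / scale for name, v in values.items()}


def flag_outliers(values, direction, threshold=3.5):
    """Return the names whose score is beyond the threshold.

    direction="high" flags unusually large values (refund slips issued);
    direction="low" flags unusually small values (miles per gallon).
    """
    scores = modified_z_scores(values)
    if direction == "high":
        hits = [n for n, z in scores.items() if z > threshold]
    elif direction == "low":
        hits = [n for n, z in scores.items() if z < -threshold]
    else:
        raise ValueError("direction must be 'high' or 'low'")
    return sorted(hits)


if __name__ == "__main__":
    print("Refund review:", flag_outliers(refund_counts(REFUND_SLIPS), "high"))
    print("Fuel review:  ", flag_outliers(miles_per_gallon(TRIPS), "low"))
```

A flagged name is a reason for the owner or manager to inspect the underlying slips or fuel receipts, not a finding of fraud in itself.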
A Control Deficiencies Worksheet
A control deficiencies worksheet can facilitate documentation of the evaluation of
existing internal controls. It can also be used to identify existing deficiencies and to
design additional controls that prevent risks from occurring and going undetected. A
control deficiencies worksheet should have at least these column headings:
• Internal control deficiency
• Design or operating deficiency
• Offsetting key controls
Following is an illustrative Internal Control Deficiency Worksheet that contains
hypothetical information from a small entity to illustrate the internal control design
process. Deficiencies identified on this worksheet could have been obtained by
completing an SAICQ or by preparing a flowchart for major transaction cycles.
CPA PRACTICE AIDS, LLC
INTERNAL CONTROL DEFICIENCY WORKSHEET
ENTITY NAME: ____________________________
DATE: _____________________________
Columns: DESCRIBE CONTROL DEFICIENCY / WHAT COULD GO WRONG? / PREVENTIVE CONTROLS

CASH:
DESCRIBE CONTROL DEFICIENCY
1. No segregation of duties among office employees, manager, bookkeeper, and clerk.
2. Over counter and mail receipts received by all employees.
3. Over counter sales made by all office employees.
4. Bookkeeper and clerk both post accounts receivable records.
5. Bookkeeper posts general ledger and prepares and delivers deposits to bank.
6. Manager signs payroll and operating checks.
WHAT COULD GO WRONG?
1. All employees have access to cash and receivables records; could steal cash and
post credits to customer or lap customer payments.
2. Bookkeeper could cover theft by manipulating bank reconciliations or writing off
customer balances.
3. Manager has access to software, could write and sign checks to self.
PREVENTIVE CONTROLS
1. Off-site owner reviews weekly:
   a. Reviews copies of sales invoices
   b. Inspects check copies and invoices
   c. Reviews payroll journals
   d. Reviews customer and vendor activity reports
2. CPA firm designed accounting procedures and owner's key controls.
3. CPA firm controls all QuickBooks passwords, accounts for prenumbered checks and
sales invoices, reviews sales invoices and check support, maintains personal files,
prepares payroll reports, adjusts and closes monthly records.
4. CPA firm prepares monthly financials for owner's review.

ACCOUNTS RECEIVABLE:
DESCRIBE CONTROL DEFICIENCY
1. No segregation of duties. All office personnel receive payments in mail and over
counter.
2. Bookkeeper makes deposits and posts accounts receivable records.
3. AR clerk receives cash, posts accounts receivable records and makes deposits.
4. Credit memos not used to support credits to customers' accounts.
5. Yard foreman ships based on sales invoices. All office personnel can initiate sales
invoices.
WHAT COULD GO WRONG?
1. Customer payments could be received and misappropriated.
2. Lapping could occur.
3. Account balances and invoices could be written off without authorization.
4. Unauthorized sales could be made and products shipped without recording.
PREVENTIVE CONTROLS
1. Same as above.

INVENTORY:
DESCRIBE CONTROL DEFICIENCY
1. No documents or records are maintained to control inventory items (precast
concrete blocks).
2. Yard is open during the day while employees are working but often no one is
present in the yard. It is locked at night.
3. Inventories are physically counted only once a year; manager eye-balls quantities
to control production.
WHAT COULD GO WRONG?
1. Employee or customer theft could occur.
2. Sales could be missed because of insufficient quantities on hand.
3. With no item records maintained, quantities of certain items being produced could
be unnecessary.
PREVENTIVE CONTROLS
Written instructions are prepared by the foreman for counting inventory. Employees
attend a training meeting on how to count. The manager is present and supervises the
count, including testing employees' counts. The manager places and picks up all count
sheets.

FIXED ASSETS:
DESCRIBE CONTROL DEFICIENCY
1. No detailed sub-ledger maintained.
2. No numerical control of fixed assets is in place.
3. Bookkeeper maintains depreciation schedule.
4. No key controls over accounting or safeguarding fixed assets.
WHAT COULD GO WRONG?
1. Loss or theft of assets.
2. Assets could be purchased and converted to personal use.
PREVENTIVE CONTROLS
See cash section.

ACCOUNTS PAYABLE:
DESCRIBE CONTROL DEFICIENCY
1. Any office employee can order supplies or raw materials.
2. No purchase orders in use. Office manager initials invoice when paid.
3. All payments are initiated by bookkeeper who has access to cash, accounts
receivable and bank reconciliations.
4. No accounts payable sub-ledger is maintained.
WHAT COULD GO WRONG?
1. Converting purchases to personal use.
2. Writing unauthorized checks to fictitious vendors.
3. Purchasing excess quantities of raw materials.
PREVENTIVE CONTROLS
See cash section.

REVENUES:
DESCRIBE CONTROL DEFICIENCY
See cash section.
WHAT COULD GO WRONG?
Unrecorded sales.
PREVENTIVE CONTROLS
See cash section.

EXPENSES:
DESCRIBE CONTROL DEFICIENCY
See cash section and accounts payable section.
Payroll--manager hires and fires. No double-checks on payroll computations.
WHAT COULD GO WRONG?
Unauthorized or incorrect payroll and operating expenditures.
PREVENTIVE CONTROLS
See cash section.

OTHER:
CONCLUSION
Important issues to remember that influence the design of internal control systems for
smaller entities include:
• Internal control and fraud prevention are the responsibilities of management.
• Internal control systems are always relevant to the nature, size and complexity of
an entity.
• Key controls designed and operated by owners or managers of small entities are
the primary methods of preventing and detecting errors and fraud.
• Internal control procedures should provide reasonable assurance that errors or
fraud will not occur and go undetected.
• The benefits of internal control procedures should outweigh their costs.
• The design process includes understanding accounting systems and existing
internal controls, identifying what could go wrong and designing cost-beneficial
control activities and anti-fraud programs that are likely to prevent and detect
errors and fraud.
CPA PRACTICE AIDS, LLC
SMALL AUDITS INTERNAL CONTROL QUESTIONNAIRE
FOR MAJOR AUDIT AREAS
CLIENT: _________________________________________________________
ENGAGEMENT DATE: ____________________________________________
USE OF QUESTIONNAIRE
This Questionnaire is designed to be used on small audits to document internal control
and assess control risk. It also is a source for identifying control deficiencies.
Combined with a systems walk-through procedure, internal control flowcharts or memos,
auditors may be able to assess risk of material misstatement at moderate for certain
financial statement classifications.
INSTRUCTIONS
The Questionnaire should be utilized while making inquiries of client personnel
regarding internal control. Internal control documentation time can be minimized by
completing a systems walk-through procedure and preparing flowchart or memorandum
documentation as this Questionnaire is completed.
The Questionnaire contains space for “yes”, “no” or “N/A” responses to key controls and
activity-level controls generally applicable to a small business or organization. “Yes”
responses indicate that the control procedure has been at least informally designed and
is operating effectively. “No” responses indicate the control procedure has not been
designed or, if designed, is not operating effectively. “N/A” responses indicate the
control procedure is not applicable to a client’s internal control system. The “Personnel”
column should be used to identify persons performing the control activities.
Key controls, a part of entity-level controls, should drive the control risk assessment
process. Key controls can mitigate most deficiencies in activity-level controls,
particularly for smaller entities. For a small business or organization, key controls are
normally performed by the owner/manager (O/M), a member of the entity’s board of
directors, a volunteer or paid consultant.
If key controls have not been designed, or are not operating effectively, the auditor
should consider the activity-level controls to provide the assessment of control risk for
relevant assertions.
RELEVANT ASSERTIONS
When completing this Questionnaire, the auditor should primarily consider these relevant
assertions:
Financial Statement Classification    Relevant Financial Statement Assertions
Cash                                  Existence/Occurrence; Completeness; Cutoff
Accounts Receivable                   Existence/Occurrence; Valuation; Cutoff
Inventories                           Existence/Occurrence; Valuation; Completeness; Accuracy; Cutoff
Fixed Assets                          Existence; Valuation; Completeness; Rights/Obligations
Accounts Payable                      Completeness; Cutoff
Revenues                              Existence/Occurrence; Valuation; Completeness; Cutoff
Payroll                               Existence/Occurrence; Completeness; Accuracy
Expenses                              Existence/Occurrence; Completeness; Cutoff; Classification
Prepared By: ______________________________________________________
Date Prepared: __________________________________________________________
Reviewed By: __________________________________________________________
Date Reviewed: __________________________________________________________
CONTROL ENVIRONMENT-KEY CONTROLS        PERSONNEL    YES    NO    N/A
1. O/M has high integrity.
2. O/M follows existing internal controls, policies and procedures.
3. O/M is present daily and/or appoints a supervisor in his/her absence.
4. O/M “walks around” facility frequently each day.
5. O/M observes employee activity and talks with supervisors during walks around to
evaluate department status.
6. Company uses adequate accounting software.
7. Accounting records are maintained on a current basis.
8. Reports generated by accounting software are used by management.
9. Accounting personnel are reasonably qualified for their positions.
Control Risk Evaluation (circle one):    Low    Moderate    High
CASH—KEY CONTROLS        PERSONNEL    YES    NO    N/A
1. O/M receives bank and credit card statements directly either by mail or
electronically.
2. O/M reviews contents of bank and credit cards statements and investigates unusual
items.
3. O/M signs vendor checks and payroll checks.
4. O/M reviews vendor invoices, receiving reports and/or purchase orders when
signing checks.
5. O/M reviews documentation of payroll calculations when signing checks.
6. O/M receives or picks up unopened mail or uses a lock box for receipts.
7. O/M opens mail, supervises opening or reads a list of daily cash receipts.
8. O/M prepares deposit or supervises and reviews its preparation.
9. O/M makes or approves all telephone or online bank transfers or payments.
10. O/M reconciles bank statement or approves preparation by another.
11. O/M reads monthly balance sheet and income statement and investigates unusual
items.
CASH—ACTIVITY-LEVEL CONTROLS        PERSONNEL    YES    NO    N/A
1. Mail and cash receipts are recorded as received and deposited intact, daily.
2. Duplicate deposit slips are prepared, matched with bank receipt and retained.
3. Mail and cash receipts are counted by two independent persons other than the
person recording the receipts.
4. Over-the-counter receipts are controlled by a cash register, software or
pre-numbered receipt tickets.
5. All checks are signed by the O/M.
6. Checks are signed only when disbursement is made (not in advance).
7. The check signer compares data on supporting documents to checks.
8. Checks are recorded in the accounting system when prepared.
9. Only pre-numbered checks are used.
10. All journal entries are approved by the O/M.
Control Risk Evaluation (circle one):    Low    Moderate    High
ACCOUNTS RECEIVABLE—KEY CONTROLS        PERSONNEL    YES    NO    N/A
1. The O/M approves all customer requests for credit.
2. The O/M accounts for, and reviews, numerical copies of sales invoices and/or
customer statements.
3. The O/M reviews the sales journal monthly.
4. The O/M reviews an aged trial balance of accounts receivable monthly.
5. The O/M receives customer complaints and resolves disputes.
ACCOUNTS RECEIVABLE—ACTIVITY-LEVEL CONTROLS
1. A sales journal is prepared and balanced.
2. Records of customer payments are retained (remittance advices, duplicate deposit
slips, lock box reports, prelists).
3. Pre-numbered sales invoices and/or shipping reports with shipping date are
prepared.
4. Copies of sales invoices or customers’ statements are mailed monthly.
5. Receivables are aged regularly.
Control Risk Evaluation (circle one):    Low    Moderate    High
INVENTORIES—KEY CONTROLS        PERSONNEL    YES    NO    N/A
1. O/M plans and/or supervises the taking of the physical inventory.
2. O/M prices and compiles records of physical count or reviews work of others.
3. O/M determines all owned goods are counted and that obsolete or consigned goods
are excluded from the count.
INVENTORIES—ACTIVITY-LEVEL CONTROLS
1. An annual physical inventory is taken and adequate count records (tags or sheets)
are maintained.
2. Adequate records of inventory pricing and compilation are maintained.
3. The inventory count is taken, checked or supervised by a supervisor.
4. Obsolete and consigned goods are excluded from the count.
Control Risk Evaluation (circle one):    Low    Moderate    High
FIXED ASSETS—KEY CONTROLS        PERSONNEL    YES    NO    N/A
1. Only the O/M can open accounts with vendors and approve the purchase of
equipment, tools or other property.
2. O/M periodically inspects and/or inventories capitalized fixed assets.
3. O/M makes or approves all make, buy, lease, repair decisions.
FIXED ASSETS—ACTIVITY-LEVEL CONTROLS
1. Supporting documents are retained for all purchases of fixed assets.
2. A detailed depreciation schedule is prepared and depreciation is entered in the
records at least annually.
3. A capitalization limit has been set and is used to determine capitalizable items.
Control Risk Evaluation (circle one):    Low    Moderate    High
ACCOUNTS PAYABLE—KEY CONTROLS        PERSONNEL    YES    NO    N/A
1. O/M approves all vendors and accounts with creditors.
2. O/M approves all vendor payments.
3. O/M receives and reviews unpaid vendor invoices and statements monthly.
ACCOUNTS PAYABLE—ACTIVITY-LEVEL CONTROLS
1. Vendor invoices are entered in the purchases journal when received.
2. Vendor invoices and supporting documents are reviewed by the check signer.
3. Vendor invoices are cancelled when checks are signed.
4. Vendor invoices or receiving reports contain the date goods were received.
5. Unpaid vendor invoices are maintained in a file separate from paid invoices.
Control Risk Evaluation (circle one):    Low    Moderate    High
SALES/REVENUES—KEY CONTROLS        PERSONNEL    YES    NO    N/A
1. O/M approves all credit sales.
2. O/M reviews copies of all sales invoices and shipping reports.
3. O/M reviews customers’ statements before mailing.
4. O/M reviews monthly aged trial balance, calls past due customers and resolves
customer complaints.
SALES/REVENUES—ACTIVITY-LEVEL CONTROLS
1. Sales are recorded in the period made or shipped (considering shipping terms).
2. Pre-numbered sales invoices and shipping reports are prepared.
3. Copies of sales invoices or customer statements are mailed at least monthly.
4. All returns, allowances, discounts and account adjustments are approved by a
supervisor.
Control Risk Evaluation (circle one):    Low    Moderate    High
PAYROLL—KEY CONTROLS        PERSONNEL    YES    NO    N/A
1. O/M approves all hires and fires.
2. O/M authorizes wage rates.
3. Payroll checks are distributed by the O/M.
4. O/M reviews and signs all payroll tax returns and other related documents.
5. O/M responds to all inquiries by state and federal regulatory bodies.
PAYROLL—ACTIVITY-LEVEL CONTROLS
1. Payroll checks are pre-numbered and prepared and recorded with accounting
software, or by a service bureau.
2. W-4s, I-9s and other required payroll documents are maintained.
3. Employee time records are maintained and used to calculate paychecks.
4. Payroll checks are distributed by department heads or other supervisors.
5. Hires, fires, wage rates, time off are approved by department heads or
supervisors.
Control Risk Evaluation (circle one):    Low    Moderate    High
EXPENSES—KEY CONTROLS        PERSONNEL    YES    NO    N/A
1. O/M reviews and approves all disbursements’ supporting documents.
2. When signing checks, O/M determines account classifications are proper.
3. O/M investigates any unapproved or unusual disbursements.
4. O/M investigates duplicate payments and inadequate documentation.
EXPENSES—ACTIVITY-LEVEL CONTROLS
1. A descriptive chart of accounts is used.
2. Checks are prepared only when appropriate supporting documents have been
received.
3. The person recording and summarizing transactions cannot sign checks.
4. The person preparing deposits and posting customer payments cannot sign checks.
5. Vendor invoices are cancelled by the check signer.
Control Risk Evaluation (circle one):    Low    Moderate    High
EXPLANATION OF “NO” ANSWERS (POTENTIAL CONTROL
DEFICIENCIES):
CASH:
ACCOUNTS RECEIVABLE:
INVENTORIES:
FIXED ASSETS:
ACCOUNTS PAYABLE:
SALES/REVENUE:
PAYROLL:
EXPENSES:
OTHER:
CPA PRACTICE AIDS, LLC
AUDIT FLOWCHARTING GUIDE
USE OF GUIDE
This Guide is designed to facilitate preparation of flowcharts documenting accounting
and internal control systems for use on small audit engagements. The Guide is designed
by major audit area and will facilitate the preparation of flowcharts that will result in
identification of control deficiencies and the assessment of control risk. Control risks
will be combined with inherent risks to assess the level of risk of material misstatements
for relevant assertions. The Guide should be used in connection with the Small Audits
Internal Control Questionnaire for Major Audit Areas (SAICQ).
INSTRUCTIONS
Client Inquiries
The SAICQ and the flowcharts resulting from this Guide should be used while making
inquiries of appropriate client personnel. While a flowchart is being prepared, or after it
is prepared if it is more convenient, a systems walk-through procedure should be
performed to determine that information on the flowcharts is accurate. Documents
examined and procedures performed during the walk-through may be recorded on the
flowcharts or described in an accompanying memorandum. Control deficiencies should
be documented in the last section of the SAICQ.
Flowchart and/or Memoranda
Memoranda may be prepared for documenting the accounting and internal control
procedures in lieu of flowcharts at the option of the audit engagement leader. The author
recommends using flowcharts since they are usually more effective for identifying
control deficiencies and they often take less time to carry forward, to discuss with client
personnel and to update. Memoranda may be used to supplement the flowcharts to
enhance explanations of accounting system procedures, internal control activities or other
information as the auditor considers necessary.
Key Controls—the Heart of Error and Fraud Prevention
Key controls, a part of entity-level controls, should drive the control risk assessment
process and should be clearly indicated on the flowcharts. Key controls can mitigate
most deficiencies in activity-level controls, particularly for smaller entities. For a small
business or organization, key controls are normally performed by the owner/manager
(O/M), a member of the entity’s board of directors, a volunteer or a paid consultant. Key
controls are presented first in each section of the SAICQ.
Financial Statement Assertions
When control risk is evaluated at the financial statement classification level, the auditor
should primarily consider relevant assertions described in the SAICQ. Flowcharts
should, therefore, focus primarily on controls that affect the relevant assertions in each
financial statement classification. All controls that are operating, however, should be
evidenced on the flowchart to provide an accurate evaluation of control risk.
Flowchart Preparation
Flowcharts may be prepared using manual templates or flowcharting software. The
hardcopies or the electronic copies may be carried forward with changes reflected in
different color pencils or software fonts. All accounting systems software applications,
procedures, documents and data, and all internal controls, should be reflected on the
flowcharts.
CPA FIRM PRACTICE AIDS, LLC
AUDIT FLOWCHARTING GUIDE
INSTRUCTIONS AND QUESTIONS BY MAJOR AUDIT AREA
The instructions and questions below will enhance the preparation of flowcharts and
completion of the SAICQ. Answers to questions should first consider key controls and, if
no key controls are present, activity-level controls should be considered to determine if
misstatements can be prevented and not result in control deficiencies.
CASH
The flowchart should contain documentation of:
• All types of cash receipts, such as receipts received by mail, over-the-counter, or
by sales representatives.
• Receipts from periodic sales of fixed assets, scrap or other items to employees or
others.
• All types of cash disbursements such as disbursements made with and without
purchase orders, made from petty cash or a cash register and made for customer
refunds.
• All accounting records, documents, data and procedures.
Consider the entity’s key controls and activity-level controls when preparing flowchart
documentation. These questions can facilitate the identification of accounting and
internal control procedures:
• Can cash or checks be received and not documented?
• Can receipts from over-the-counter sales be misappropriated?
• Can miscellaneous receipts be overlooked and not recorded?
• Can disbursements be made for routine or non-routine purchase of goods or
services without proper support?
• Can petty cash be misappropriated?
ACCOUNTS RECEIVABLE
The flowchart should contain documentation of:
• All types of sales on account including customer written orders received by mail,
phone or email, sales orders from sales representatives, C.O.D., consignment, etc.
• Different types of customers such as wholesale, retail, distributor, consumer, and
related parties.
• All accounting records, documents, data and procedures.
Consider the entity’s key controls and activity-level controls when preparing flowchart
documentation. These questions can facilitate the identification of accounting and
internal control procedures:
• Can goods be shipped to customers with bad credit?
• Can sales be invoiced but not recorded?
• Can adjustments to customers’ accounts be made without approval?
• Could lapping occur and go undetected?
• Can past due accounts go undetected?
INVENTORIES AND COSTS OF GOODS SOLD
The flowchart should contain documentation of:
• All job, process or retail costing procedures.
• All inventory classifications such as raw materials, work-in-process and finished
goods.
• Standard costs calculations, applications, adjustments and revisions.
• All inventory records, documents, data or procedures.
Consider the entity’s key controls and activity-level controls when preparing flowchart
documentation. These questions can facilitate the identification of accounting and
internal control procedures:
• Can inventory items be stolen, misappropriated or inaccurately transferred to
work in process or costs of goods sold?
• Can inventory be used, damaged or wasted without being recorded?
• Can inventory be received and not recorded accurately?
FIXED ASSETS
The flowchart should contain documentation of:
• The fixed asset acquisition, disposal and control processes.
• All fixed asset records, documents, data or procedures.
Consider the entity’s key controls and activity-level controls when preparing flowchart
documentation. These questions can facilitate the identification of accounting and
internal control procedures:
• Can fixed asset acquisitions or disposals be made and not approved or recorded?
• Are capitalization limits in place?
• Do accounting personnel understand when to capitalize additions or repairs to
fixed assets (when the life or capacity is increased)?
ACCOUNTS PAYABLE
The flowchart should contain documentation of:
• All types of products, vendors and shipment.
• Acquisitions and payments requiring purchase orders.
• Payments not requiring purchase orders.
• All phases of the purchases/payables transaction such as ordering, product
receiving, invoice recording and payments processing.
Consider the entity’s key controls and activity-level controls when preparing flowchart
documentation. These questions can facilitate the identification of accounting and
internal control procedures:
• Can unauthorized purchases be made?
• Can payables be recorded if goods or services are not received?
• Can obligations be incurred and not recorded?
• Can payables be recorded in the wrong account?
• Do petty cash policies prevent its improper use or misappropriation?
SALES:
The flowchart should contain documentation of:
• Different types of shipping terms such as F.O.B. shipping point or destination,
different shipping locations, different types of carriers, drop ships from suppliers,
customer pick up, etc.
• Different types of customers such as wholesale, retail, distributor, consumer, and
related parties.
• All accounting records, documents, data and procedures.
Consider the entity’s key controls and activity-level controls when preparing flowchart
documentation. These questions can facilitate the identification of accounting and
internal control procedures:
• Can goods be shipped without invoices being prepared?
• Can sales be invoiced but not recorded?
• Can sales be made and recorded without inventory being relieved?
• Can customer invoice errors be made and go undetected?
PAYROLL
The flowchart should contain documentation of:
• Different methods of compensation such as hourly, salaried, commission, piece
work, contract, etc.
• Methods of payment such as check or direct deposit.
• Hiring decisions, firing actions, payroll documents, cost distribution and all other
records, documents, data and procedures in the payroll accounting and internal
control systems.
Consider the entity’s key controls and activity-level controls when preparing flowchart
documentation. These questions can facilitate the identification of accounting and
internal control procedures:
• Can fictitious employees be added to the payroll?
• Can terminated employees be kept on the payroll and their checks prepared after
their termination?
• Are paychecks distributed, or direct deposits made, under the supervision of an
administrative person?
• Are time cards, timesheets or electronic records required to support paychecks
preparation?
• Can other inadvertent or intentional errors occur?
FINANCIAL REPORTING SYSTEM
The flowchart should contain documentation of:
• All modules of the general ledger software, data entry personnel, source
documents and all related accounting system and internal control procedures.
• Controls over general journal entries, bank reconciliations and financial statement
preparation.
Consider the entity’s key controls and activity-level controls when preparing flowchart
documentation. These questions can facilitate the identification of accounting and
internal control procedures:
• Can journal entries or unusual transactions be posted to the general ledger without
approval of a supervisor?
• Are there effective administrative controls such as regular vacations,
cross-training, bonding insurance, timely financial statement preparation and budget
utilization?
• Is internal control affected by busy or slack periods, illnesses, vacations, etc.?
• Is internal control affected by the competence of any employee or group of
employees?
• Are appropriate internal checks in place, provided either by software, hardware or
administrative procedures?
• Are any assets improperly safeguarded?