DESIGNING INTERNAL CONTROL SYSTEMS FOR SMALLER ENTITIES

By Larry L. Perry, CPA
CPA Firm Support Services, LLC

LEARNING OBJECTIVES

- Understand the fundamental concepts and the components of internal control.
- Be able to design and operate effective accounting and internal control systems for smaller entities.
- Learn to prepare flowcharts effectively and efficiently.

THE FOUNDATION OF INTERNAL CONTROL

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) is a voluntary private-sector organization established in the United States. It is dedicated to providing guidance on organizational governance, business ethics, internal control, enterprise risk management, fraud and financial reporting. COSO established a common internal control model that is used by large and small reporting entities.

COSO defines internal control as a process, effected by an entity’s board of directors, management and other personnel. This process is designed to provide reasonable assurance regarding the achievement of objectives in effectiveness and efficiency of operations, reliability of financial reporting, and compliance with applicable laws and regulations.

The COSO framework involves several key concepts:

1. Internal control is a process. It is a means to an end, not an end in itself.
2. Internal control is not merely documented by policy manuals and forms. Rather, it is put in place by people at every level of an organization.
3. Internal control can provide only reasonable assurance, not absolute assurance, to an entity’s management and board.
4. Internal control is geared to the achievement of objectives in one or more separate but overlapping categories.

A Historical Perspective of Internal Controls

The Committee of Sponsoring Organizations (COSO) of the National Commission on Fraudulent Financial Reporting (Treadway Commission) issued its first report in 1985 stressing the importance of internal control, the control environment, codes of conduct, audit committees and internal audit functions.

In 1992, a task force of COSO issued a report entitled Internal Control—Integrated Framework, called the COSO Report. Among other things, the COSO Report defines internal control and its components and provides criteria for evaluating internal control. The report presents these interrelated components of internal control:

- Control Environment—The core of any business is its people and the environment in which they operate. The tone at the top, i.e., management’s attitudes, values and behaviors, provides the control environment for other employees.
- Risk Assessment—The entity must be aware of and deal with the risks it faces; identifying the risk of error or fraud and implementing corrective actions is the primary responsibility of management.
- Control Activities—Control policies and procedures must be designed and operated to address risks to the achievement of the entity’s objectives.
- Information and Communication—These systems enable the entity’s people to obtain and use information necessary to conduct, manage and control operations.
- Monitoring—The internal control process must be monitored and changed by management as circumstances and conditions necessitate.

In 2013, COSO updated and issued Internal Control—Integrated Framework. The updated report did not change the basic components of internal control but, among other clarifying issues, the Framework sets out seventeen principles for applying these components. These principles from COSO’s report are presented below as they apply to these components.

Control Environment

1. The organization demonstrates a commitment to integrity and ethical values.
2. The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.
3. Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.
4. The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.
5. The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives.

Risk Assessment

6. The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.
7. The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.
8. The organization considers the potential for fraud in assessing risks to the achievement of objectives.
9. The organization identifies and assesses changes that could significantly impact the system of internal control.

Control Activities

10. The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.
11. The organization selects and develops general control activities over technology to support the achievement of objectives.
12. The organization deploys control activities through policies that establish what is expected and procedures that put policies into action.

Information and Communication

13. The organization obtains or generates and uses relevant, quality information to support the functioning of internal control.
14. The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.
15. The organization communicates with external parties regarding matters affecting the functioning of internal control.

Monitoring Activities

16. The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.
17. The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.

Internal control is always relevant to the nature, size and complexity of a reporting entity. Smaller entities will ordinarily have more informal controls that are carried out by one or a few persons. While the basic components of internal control should be present in small- and medium-size entities, the 17 principles will ordinarily be subjectively included in an entity’s design and operation of internal controls.

Generally, internal controls over financial reporting include those that are designed to make sure financial data is recorded, processed, summarized and reported consistent with management’s representations (assertions) in financial statements. Management of an entity has the primary responsibility for internal control. An auditor’s responsibilities include the evaluation of whether the five components are designed and operating effectively, given the nature, size and complexity of the entity.

Management’s Control Objectives

An entity’s internal control system provides the machinery used by management to accomplish these basic objectives:

- Effectiveness and efficiency of operations—basic business objectives, profitability goals and safeguarding of assets and other resources.
- Reliability of financial reporting—preparation of accurate financial statements.
- Compliance with laws and regulations—all to which the entity is subject.

Understanding the Components of Internal Control

The Tone at the Top and Bottom: The control environment sets the tone of any organization, i.e., causes its people to be conscious of the importance of the entity’s system of internal control. It is the foundation for application of all other components of internal control.

For small entities, the character and behavior of the person having top financial responsibility for the entity, e.g., an owner or manager, sets the tone for employees to follow. For larger entities, management personnel at various levels are also the primary influence on the control environment. In all cases, it’s what management does, not what they say, that directs employees’ behavior. The operating philosophies and style of management, their delegation of responsibility and authority, their emphasis on developing and guiding employees and their utilization of input from persons charged with governance define what employees do.

The Importance of Descriptive Charts of Accounts and Budgeting Controls: A comprehensive chart of accounts is the foundation of the financial reporting process. Designed to guide the authorization, initiation, classification, recording and summarizing of transactions, it is most effective when it includes descriptions of the activity that may be recorded in each account. The chart of accounts should include accounts in all functional, departmental and/or job classifications. It should also be designed to facilitate budget preparation and monitoring as part of an entity’s internal control system.

Budgets may be prepared using a base line, such as the prior year’s operations, or they may be zero based, that is, built from the ground up. Whichever method is used, participation by department heads and other operating personnel is essential for producing effective budgets. The final review and approval responsibility for budgets should rest with persons charged with governance of the organization.

To provide value, the budget should be compared to actual results on a periodic basis by management and other persons charged with governance, usually monthly. Unusual or unexpected variances from budgeted amounts should be considered and corrective actions implemented when necessary.

A budget should also be designed for use based on an entity’s nature, size and complexity. A medium-size church employed an executive pastor who was formerly a chief financial officer for a public company. He spent most of his time micro-managing weekly budgets for department heads. Using a report from the church’s accounting software, the executive pastor met with department heads weekly to discuss their budget status. Over-expenditures were met with severe cutbacks in planned future expenditures. Under-expenditures resulted in reductions of monthly or annual budgeted amounts. While this micro-management significantly strengthened the church’s internal control system, its cost was high, too high for the size of this organization. The practical side of internal control is that the cost of operation of a control activity should result in benefits appropriate for the nature, size and complexity of the organization.

While properly prepared and monitored budgets can significantly improve a small entity’s internal controls, their use should provide benefits commensurate with the cost of preparation and monitoring. Like the design and operation of internal control procedures, benefits must be measured in terms of the relative costs of implementation and maintenance.

The Importance of a Code of Conduct: While smaller entities don’t normally have a written code of conduct, larger organizations are establishing these codes. Publicly held companies, issuers under the Sarbanes-Oxley Act, are required to establish and communicate codes of conduct. Other privately held companies, non-issuers, are also creating codes of conduct as part of their control environment.

Whether written or communicated informally, a code of conduct defines behavior expectations for both management and other employees. While such codes do not prevent inappropriate behavior or fraud, they do provide employees with legal and ethical standards that will influence their performance and commitment to the entity’s system of internal control.

An entity’s code of conduct will ordinarily include these sections:

- Use of company assets and resources for business and not personal use
- Use of telephones, email and the internet
- Avoiding actual and potential conflicts of interest
- Protecting the company’s confidential information
- Maintaining complete and accurate accounting records
- Investigating and reporting any accounting, auditing and disclosure concerns
- Retaining and disposing of records and documents
- Prohibiting discrimination and harassment
- Prohibiting use of alcohol and illegal drugs
- Complying with laws, rules and regulations
- Protecting intellectual property and using copyrighted materials
- Giving and receiving gifts, meals, services and entertainment
- Understanding disciplinary actions for code violations
- Reporting concerns and code violations

The Entity’s Risk Assessment Process: Risks at the entity level may come from external factors such as changes in technology, customers’ needs, competition, regulations or laws and the economy. At the entity level, risks also arise from internal factors such as information systems failures, personnel practices affecting the quality of employees, access to assets and the susceptibility of an entity’s operations to fraud.

At the activity level, risk assessment involves business operations and financial reporting. Analyzing operational reports, financial and non-financial data and observations of employees’ activities may bring risks to management’s attention.

Control Activities: Control activities that are established in response to perceived risks relate to management’s representations (assertions) in the entity’s financial statements. The assertions from section AU-C 315 of the Auditing Standards Board Clarified Auditing Standards can be synthesized and organized in this way:

- Completeness
- Occurrence and cut-off
- Valuation and accuracy
- Existence
- Rights
- Obligations
- Disclosure and Presentation

An entity’s financial reporting and internal control systems should result in financial statement classifications that are appropriate and reasonable.

Key or Entity-Level Controls

Key controls are those elements of the five components of internal control that have a pervasive effect upon the accomplishment of management’s control objectives. For smaller entities, key controls are normally performed at the entity level, although some may exist at the activity level. Illustrated in the accompanying Small Audits Internal Control Questionnaire (SAICQ), these controls may be informal and ordinarily carried out by one or a few persons such as an owner/manager.

The design and operation of these key controls can prevent material misstatements due to error or fraud from occurring and going undetected. When these circumstances exist, even a small entity can have a good internal control system!

Components of key controls for both large and small entities are:

- Management’s integrity and ethical values.
- Management’s commitment to doing things right.
- Management’s ways of doing things.
- The involvement of persons charged with governance.
- The delegation of authority and responsibility.
- Personnel policies and procedures.

Activity-Level Controls

The COSO Report states that control activities are the policies and procedures established to help ensure that management directives are carried out and that management’s objectives are accomplished. The key controls described above are primary to accomplishing these objectives.

Absent the design of key controls, or when key controls are designed but not operating, activity-level controls may be necessary to prevent misstatements from occurring and going undetected. These controls may be applied through features in an accounting software system, by personnel while performing accounting procedures or by the design of documents or data.

The SAICQ mentioned above also illustrates the activity-level controls for the financial statement classifications of a small entity. If key controls are not designed or operating, certain activity-level controls may prevent errors from occurring and going undetected.

Information and Communication: Comprising the nature of internal information produced and distributed by an entity, this component is intended to enable management and others to operate, manage and control the entity’s business. It is also intended to provide employees an understanding of financial reporting and safeguarding controls and their operations.

For larger entities, communication may take the form of policy and procedure manuals, instructional memos and oral communications. For smaller entities, communication will often be verbal, face to face and directed by the owner or a manager.

Communications may also involve outside parties such as auditors, customers and vendors. These communications may provide information that can lead to identifying deficiencies in internal control.

Monitoring: The monitoring component is intended to cause management to assess the design and operating effectiveness of the entity’s system of internal control on a short- and long-range basis. Monitoring can be performed on an on-going basis or be performed on separate occasions. Monitoring is the evaluation of the effectiveness of other internal control components and how well management’s and other employees’ duties are being performed. Monitoring in small entities normally consists of the day-to-day observations of an owner or manager.

Special Issues for Small Entities

As discussed above, the owner or manager of a small entity is that entity’s control environment. If he or she has good character, is committed to performing key controls and is diligent in carrying out day-to-day responsibilities, it is possible for a small entity to have a good system of internal control. On the other hand, an ineffective owner/manager may increase the risk of material misstatements at both the financial statement and assertion levels.

Boards of directors for small entities, especially non-profit organizations, may not be knowledgeable of business operations, accounting and tax activities or internal control over financial reporting. In such cases, the caliber of the owner or manager will be even more important in preventing errors from occurring and going undetected. A knowledgeable board, on the other hand, can serve to reduce the risk of material misstatement when the owner or manager’s capabilities are not strong.

An informal organization structure of a small entity may result in control deficiencies due to a lack of segregation of duties in operations and accounting. Because employees may be trained to perform many different functions, the resources and accounting records could be at risk of misstatement due to error or fraud. Highly effective key controls at the entity level would be necessary to mitigate these risks.

Many of the key controls performed by an owner or manager depend on the physical presence of the person. Prolonged absences from the workplace by the owner or manager decrease the effectiveness of key controls and increase the risk of material misstatements.

Can a Small Entity Have Good Internal Controls?

As discussed above, the owner or manager (CEO, director, superintendent, CFO or other top financial authority) has primary responsibility for the design and operation of internal controls. Most of the key controls will be informal and they will be performed by the owner or manager.
It is the commitment to accurate financial reporting and the diligence of the responsible person that primarily affects the risk of material misstatements in financial statements.

COSO has recognized that small entities can have good internal controls, although they will likely be informal and carried out by one or a few persons. The design and operation of key controls can prevent material misstatements due to error or fraud from occurring and going undetected. So to answer the marginal question above, effectively designed and operating informal key controls may result in a good internal control system for smaller entities.

Using a Small Audits Internal Control Questionnaire

The accompanying Small Audits Internal Control Questionnaire is designed to assist management in formulating an internal control system and to be used on small audits to document internal control and assess control risk. It also is a source for identifying control deficiencies by management and auditors.

An Overview of Flowchart Preparation

Information for preparing flowcharts is usually based on the knowledge of the top financial authority of an entity. Additional information may be obtained by interviewing persons responsible for procedures, making inquiries of each person responsible for document preparation and tracing all documents through the processing procedures. The accompanying Flowcharting Guide can facilitate the flowchart drafting process, whether in hardcopy or electronic format.

The overall objective of flowchart preparation is to produce a complete and understandable flowchart. Here are some basic rules:

- Leave two to three inches on the left of the page open for comments.
- Begin at the upper-left corner and draw down and/or to the right.
- Show the source and use of every document.
- Use “keys” within symbols for footnotes or drop-down boxes to describe documents.
- Use a separate memo or drop-down box on the flowchart to explain any information that is not self-explanatory.
- The flowchart should be divided into columns to separate people or departments with specific areas of responsibility.
- Use directional arrows only if the information flow contradicts a normal pattern.
- Avoid cross lines of data-flow.

Following are some steps to facilitate flowchart preparation:

1. Define the transaction cycle, system or process to be flowcharted (cash receipts or disbursements, sales, payroll, etc.).
2. Lay out the columns of the flowchart to show the flow of information through the system or process. Consider roughing out the flow of documents and information known to you.
3. Interview accounting personnel using an SAICQ, Flowcharting Guide or other reference material to gather information.
4. Draw or complete the flowchart (while interviewing accounting personnel if possible).
5. Perform a systems walk-through procedure to verify the accuracy of the flowchart and make a preliminary identification of potential risks of material misstatements.
6. Transfer potential risks to a control deficiencies worksheet for consideration of offsetting key controls and a determination of deficiencies.

Following are three illustrative flowcharts for common transaction cycles that could be used to identify risks by financial statement classification:

DESIGNING COST-EFFECTIVE INTERNAL CONTROL SYSTEMS FOR SMALLER ENTITIES

Characteristics of Smaller Entities

COSO has led the way to designing cost-effective internal control systems for smaller public companies by the guidance it published in 2006. This guidance for smaller public companies presents a pattern for smaller non-public entities as well. Common characteristics for smaller entities include:

- Fewer lines of business, fewer products and limited purposes, particularly for non-profit organizations.
- Management personnel usually have significant equity interests.
- Management personnel normally have broader responsibilities and control.
- Accounting systems are generally less complex than for larger entities.
- Accounting personnel are generally few in number and often have wide ranges of duties.
- Limited resources often result in lesser qualified staff persons and fewer consultations with legal and other experts.

Challenges and Difficulties

These common characteristics create difficulties in designing cost-effective internal control systems. Here are some of the effects:

- Segregation of incompatible duties is limited.
- Management personnel have increased opportunities for override of internal controls.
- Finding qualified persons to serve on boards of governance is difficult.
- Hiring and retaining qualified accounting personnel is a challenge.
- A lack of resources to maintain appropriate control over IT systems often results in using out-of-the-box software that often doesn’t meet all the entity’s needs.

In spite of these challenges, a smaller company can design and operate an effective internal control system. A brief discussion of some of the ways this can be done follows in the next section.

Effectively Designed Internal Control Systems

1. Oversight by an owner or manager. The in-depth knowledge of business and accounting operations by an owner or manager, and his/her daily presence and oversight of company personnel, are key controls in the entity’s control environment. Diligent performance of key controls can also greatly increase the reliability of the entity’s financial reporting process. Since the owner or manager generally has an equity or compensation interest, the likelihood of management override of internal controls is diminished.

2. Effective board of governance. Since smaller companies or non-profit organizations ordinarily have less complex business structures, persons charged with governance can have a greater knowledge of the entity’s activities. This can enable these persons to more effectively accomplish their governance responsibilities.

3. Overcoming the lack of segregation of duties. Key controls carried out by management personnel at the entity or activity level can offset the control risks from the lack of segregation of duties. The COSO Report suggests these key controls:
   a. Reviewing system reports of detailed transactions.
   b. Selecting transactions for review of supporting documents.
   c. Overseeing periodic counts of physical inventory, equipment or other assets and comparing them with accounting records.
   d. Reviewing reconciliations of account balances or performing them independently.

4. Limiting risks associated with the IT system. While using out-of-the-box software can limit the information available for management’s use, many of the risks associated with mid-tier, user-modifiable systems can be avoided. Standardized reports and reporting formats, password and processing controls and other application controls can prevent errors from occurring and going undetected.

5. Monitoring control activities. Monitoring in small entities is normally the responsibility of an owner or manager. Performing daily “walk-around” controls provides feedback on the effectiveness of accounting, internal control, and operational systems. In 2009, COSO published its Guidance on Monitoring Internal Control Systems. This guidance suggests that monitoring for all entities should be based on these three broad elements:
   a. Establishing a foundation for monitoring, including (a) a proper tone at the top; (b) an effective organization structure that assigns monitoring roles to people with appropriate capabilities, objectivity and authority; and (c) a starting point or “baseline” of known effective internal control from which ongoing monitoring and separate evaluations can be implemented;
   b. Designing and executing monitoring procedures focused on persuasive information about the operation of key controls that address meaningful risks to organizational objectives; and
   c. Assessing and reporting results, which includes evaluating the severity of any identified deficiencies and reporting the monitoring results to the appropriate personnel and the board for timely action and follow-up if needed.

6. Achieving further efficiencies. The COSO Report identifies other opportunities to design effective and efficient internal control systems:
   a. By focusing on the risks related to management’s objectives, a risk-based approach to designing internal control systems will consider what could go wrong in the financial reporting process. Using lists of controls that are tailored to the nature, size and complexity of an entity and the objectives of its management will facilitate the identification of “what could go wrong.”
   b. Documentation of internal control policies and procedures will also vary with the nature, size and complexity of an entity. Smaller entities normally have informally designed and communicated internal controls. In other words, there normally are no policies and procedures manuals, systems flowcharts, organization charts and job descriptions. With fewer people and levels of management, more frequent contact by an owner or manager enables communication of the informal policies and procedures.
   c. Some documentation of accounting and internal control procedures is ordinarily necessary to demonstrate transaction processes are occurring and being recorded properly. Determining that all shipments are billed, that billings only occur after shipments are made and that bank accounts are being reconciled are examples of such procedures. Key controls performed by owners or managers of small entities should include periodic inspections of records sufficient to determine transactions are being recorded properly.

INTERNAL CONTROLS AND FRAUD PREVENTION

Much has been written about forensic accounting and fraud. There are three major categories of fraud that commonly affect entities:

1. Misrepresentations in financial reporting.
These include intentional misstatements of amounts or disclosures in financial statements that are intended to mislead users of the statements.
2. Misappropriation of assets. Theft of an entity’s assets by employees or others is the most common form of misappropriation. Financial records are usually altered to conceal a theft of assets.
3. External frauds. Persons outside an entity are normally responsible for external frauds, although there may be collusion with certain employees. Financial gain is the normal motivation.

For small entities, misappropriation of assets is the most common type of fraud. The “fraud triangle” contains three factors that indicate circumstances that can cause a person to misappropriate assets and misstate records to conceal the theft:

1. Incentives or pressures to commit fraud. Reasons to commit frauds may include financial pressures such as a spouse out of work, a divorce or separation or the failure of a personal business.
2. Opportunities to commit fraud. Ineffective internal controls, the opportunities and likelihood for management personnel to override internal controls, and decentralized operations and accounting are examples of circumstances that create opportunities to commit fraud.
3. Attitudes and rationalizations for committing fraud. Justifying the fraud because the perpetrator is not paid what he/she is worth or rationalizing that everyone does it are examples of a fraudster’s attitudes.

FRAUD PREVENTION

Designing and operating anti-fraud programs is the responsibility of management and can result in reductions in opportunities for employees to commit fraud. Human resource policies such as drug tests, credit checks and background checks for prospective employees help eliminate candidates with higher tendencies to commit fraud. Key controls diligently carried out by owners, managers or other authorized individuals are also primary means of preventing or reducing the occurrence of asset misappropriation.
Fraud detection may occur as key controls are performed. In addition, analytical procedures performed by comparing operating results among periods or by making calculations using non-financial data can reveal discrepancies. For example, an auto parts store discovered a $50,000 fraud perpetrated by a sales clerk when a new software program identified the number of refund slips issued by each clerk on a periodic basis. In another case, the CFO of a transportation company compared the miles per gallon of gasoline on trips for each driver and discovered a driver storing and selling gasoline on the side. Fraud detection may also occur in anti-fraud programs carried out physically such as lunch box searches at a small tool manufacturing plant or electronic security scanners at exits from the plant of a computer components manufacturer.

A Control Deficiencies Worksheet
A control deficiencies worksheet can facilitate documentation of the evaluation of existing internal controls. It also can be used to identify existing deficiencies and the design of additional controls to prevent risks from occurring and going undetected. A control deficiencies worksheet should have at least these column headings:
- Internal control deficiency
- Design or operating deficiency
- Offsetting key controls

Following is an illustrative Internal Control Deficiency Worksheet that contains hypothetical information from a small entity to illustrate the internal control design process. Deficiencies identified on this worksheet could have been obtained by completing an SAICQ or by preparing a flowchart for major transaction cycles.

CPA PRACTICE AIDS, LLC
INTERNAL CONTROL DEFICIENCY WORKSHEET
ENTITY NAME: ____________________________
DATE: _____________________________

CASH:
DESCRIBE CONTROL DEFICIENCY
1. No segregation of duties among office employees, manager, bookkeeper, and clerk.
2. Over counter and mail receipts received by all employees.
3. Over counter sales made by all office employees.
4. Bookkeeper and clerk both post accounts receivable records.
5. Bookkeeper posts general ledger and prepares and delivers deposits to bank.
6. Manager signs payroll and operating checks.
WHAT COULD GO WRONG?
1. All employees have access to cash and receivables records; could steal cash and post credits to customer or lap customer payments.
2. Bookkeeper could cover theft by manipulating bank reconciliations or writing off customer balances.
3. Manager has access to software, could write and sign checks to self.
PREVENTIVE CONTROLS
1. Off site owner reviews weekly:
a. Reviews copies of sales invoices
b. Inspects check copies and invoices
c. Reviews payroll journals
d. Reviews customer and vendor activity reports
2. CPA firm designed accounting procedures and owner's key controls
3. CPA firm controls all QuickBooks passwords, accounts for prenumbered checks and sales invoices, reviews sales invoices and check support, maintains personal files, prepares payroll reports, adjusts and closes monthly records.
4. CPA firm prepares monthly financials for owner's review

ACCOUNTS RECEIVABLE:
DESCRIBE CONTROL DEFICIENCY
1. No segregation of duties. All office personnel receive payments in mail and over counter.
2. Bookkeeper makes deposits and posts accounts receivable records.
3. AR clerk receives cash, posts accounts receivable records and makes deposits.
4. Credit memos not used to support credits to customers' accounts.
5. Yard foreman ships based on sales invoices. All office personnel can initiate sales invoices.
WHAT COULD GO WRONG?
1. Customer payments could be received and misappropriated.
2. Lapping could occur.
3. Account balances and invoices could be written off without authorization.
4. Unauthorized sales could be made and products shipped without recording.
PREVENTIVE CONTROLS
1. Same as above.

INVENTORY:
DESCRIBE CONTROL DEFICIENCY
1. No documents or records are maintained to control inventory items (precast concrete blocks).
2. Yard is open during the day while employees are working but often no one is present in the yard. It is locked at night.
3. Inventories are physically counted only once a year; manager eye-balls quantities to control production.
WHAT COULD GO WRONG?
1. Employee or customer theft could occur.
2. Sales could be missed because of insufficient quantities on hand.
3. With no item records maintained, quantities of certain items being produced could be unnecessary
PREVENTIVE CONTROLS
Written instructions are prepared by the foreman for counting inventory. Employees attend a training meeting on how to count. The manager is present and supervises the count, including testing employees' counts. The manager places and picks up all count sheets.

FIXED ASSETS:
DESCRIBE CONTROL DEFICIENCY
1. No detailed sub-ledger maintained.
2. No numerical control of fixed assets is in place.
3. Bookkeeper maintains depreciation schedule.
4. No key controls over accounting or safeguarding fixed assets.
WHAT COULD GO WRONG?
1. Loss or theft of assets.
2. Assets could be purchased and converted to personal use.
PREVENTIVE CONTROLS
See cash section.

ACCOUNTS PAYABLE:
DESCRIBE CONTROL DEFICIENCY
1. Any office employee can order supplies or raw materials.
2. No purchase orders in use. Office manager initials invoice when paid.
3. All payments are initiated by bookkeeper who has access to cash, accounts receivable and bank reconciliations.
4. No accounts payable sub-ledger is maintained.
WHAT COULD GO WRONG?
1. Converting purchases to personal use.
2. Writing unauthorized checks to fictitious vendors
3. Purchasing excess quantities of raw materials.
PREVENTIVE CONTROLS
See cash section.

REVENUES:
DESCRIBE CONTROL DEFICIENCY
See cash section.
WHAT COULD GO WRONG?
Unrecorded sales.
PREVENTIVE CONTROLS
See cash section.

EXPENSES:
DESCRIBE CONTROL DEFICIENCY
See cash section and accounts payable section. Payroll--manager hires and fires. No double-checks on payroll computations.
WHAT COULD GO WRONG?
Unauthorized or incorrect payroll and operating expenditures.
PREVENTIVE CONTROLS
See cash section.

OTHER:

CONCLUSION
Important issues to remember that influence the design of internal control systems for smaller entities include:
- Internal control and fraud prevention are the responsibilities of management.
- Internal control systems are always relevant to the nature, size and complexity of an entity.
- Key controls designed and operated by owners or managers of small entities are the primary methods of preventing and detecting errors and fraud.
- Internal control procedures should provide reasonable assurance that errors or fraud will not occur and go undetected.
- The benefits of internal control procedures should outweigh their costs.
- The design process includes understanding accounting systems and existing internal controls, identifying what could go wrong and designing cost-beneficial control activities and anti-fraud programs that are likely to prevent and detect errors and fraud.

CPA PRACTICE AIDS, LLC
SMALL AUDITS INTERNAL CONTROL QUESTIONNAIRE FOR MAJOR AUDIT AREAS
CLIENT: _________________________________________________________
ENGAGEMENT DATE: ____________________________________________

USE OF QUESTIONNAIRE
This Questionnaire is designed to be used on small audits to document internal control and assess control risk. It also is a source for identifying control deficiencies. Combined with a systems walk-through procedure, internal control flowcharts or memos, auditors may be able to assess risk of material misstatement at moderate for certain financial statement classifications.

INSTRUCTIONS
The Questionnaire should be utilized while making inquiries of client personnel regarding internal control. Internal control documentation time can be minimized by completing a systems walk-through procedure and preparing flowchart or memorandum documentation as this Questionnaire is completed.

The Questionnaire contains space for “yes”, “no” or “N/A” responses to key controls and activity-level controls generally applicable to a small business or organization. “Yes” responses indicate that the control procedure has been at least informally designed and is operating effectively. “No” responses indicate the control procedure has not been designed or, if designed, is not operating effectively.
“N/A” responses indicate the control procedure is not applicable to a client’s internal control system. The “Personnel” column should be used to identify persons performing the control activities.

Key controls, a part of entity-level controls, should drive the control risk assessment process. Key controls can mitigate most deficiencies in activity-level controls, particularly for smaller entities. For a small business or organization, key controls are normally performed by the owner/manager (O/M), a member of the entity’s board of directors, a volunteer or paid consultant.

If key controls have not been designed, or are not operating effectively, the auditor should consider the activity-level controls to provide the assessment of control risk for relevant assertions.

RELEVANT ASSERTIONS
When completing this Questionnaire, the auditor should primarily consider these relevant assertions:

Financial Statement Classification: Relevant Financial Statement Assertions
Cash: Existence/Occurrence; Completeness; Cutoff
Accounts Receivable: Existence/Occurrence; Valuation; Cutoff
Inventories: Existence/Occurrence; Valuation; Completeness; Accuracy; Cutoff
Fixed Assets: Existence; Valuation; Completeness; Rights/Obligations
Accounts Payable: Completeness; Cutoff
Revenues: Existence/Occurrence; Valuation; Completeness; Cutoff
Payroll: Existence/Occurrence; Completeness; Accuracy
Expenses: Existence/Occurrence; Completeness; Cutoff; Classification

Prepared By: ______________________________________________________
Date Prepared: ____________________________________________________
Reviewed By: ______________________________________________________
Date Reviewed: ____________________________________________________

CONTROL ENVIRONMENT-KEY CONTROLS
PERSONNEL    YES    NO    N/A
1. O/M has high integrity.
2. O/M follows existing internal controls, policies and procedures.
3. O/M is present daily and/or appoints a supervisor in his/her absence.
4. O/M “walks around” facility frequently each day.
5. O/M observes employee activity and talks with supervisors during walks around to evaluate department status.
6. Company uses adequate accounting software.
7. Accounting records are maintained on a current basis.
8. Reports generated by accounting software are used by management.
9. Accounting personnel are reasonably qualified for their positions.

Control Risk Evaluation (circle one): Low Moderate High

CASH—KEY CONTROLS
1. O/M receives bank and credit card statements directly either by mail or electronically.
2. O/M reviews contents of bank and credit card statements and investigates unusual items.
3. O/M signs vendor checks and payroll checks.
4. O/M reviews vendor invoices, receiving reports and/or purchase orders when signing checks.
5. O/M reviews documentation of payroll calculations when signing checks.
6. O/M receives or picks up unopened mail or uses a lock box for receipts.
7. O/M opens mail, supervises opening or reads a list of daily cash receipts.
8. O/M prepares deposit or supervises and reviews its preparation.
9. O/M makes or approves all telephone or online bank transfers or payments.
10. O/M reconciles bank statement or approves preparation by another.
11. O/M reads monthly balance sheet and income statement and investigates unusual items.

CASH—ACTIVITY-LEVEL CONTROLS
1. Mail and cash receipts are recorded as received and deposited intact, daily.
2. Duplicate deposit slips are prepared, matched with bank receipt and retained.
3. Mail and cash receipts are counted by two independent persons other than the person recording the receipts.
4. Over-the-counter receipts are controlled by a cash register, software or pre-numbered receipt tickets.
5. All checks are signed by the O/M.
6. Checks are signed only when disbursement is made (not in advance).
7. The check signer compares data on supporting documents to checks.
8. Checks are recorded in the accounting system when prepared.
9. Only pre-numbered checks are used.
10. All journal entries are approved by the O/M.

Control Risk Evaluation (circle one): Low Moderate High

ACCOUNTS RECEIVABLE—KEY CONTROLS
1. The O/M approves all customer requests for credit.
2. The O/M accounts for, and reviews, numerical copies of sales invoices and/or customer statements.
3. The O/M reviews the sales journal monthly.
4. The O/M reviews an aged trial balance of accounts receivable monthly.
5. The O/M receives customer complaints and resolves disputes.

ACCOUNTS RECEIVABLE—ACTIVITY-LEVEL CONTROLS
1. A sales journal is prepared and balanced.
2. Records of customer payments are retained (remittance advices, duplicate deposit slips, lock box reports, prelists).
3. Pre-numbered sales invoices and/or shipping reports with shipping date are prepared.
4. Copies of sales invoices or customers’ statements are mailed monthly.
5. Receivables are aged regularly.

Control Risk Evaluation (circle one): Low Moderate High

INVENTORIES—KEY CONTROLS
1. O/M plans and/or supervises the taking of the physical inventory.
2. O/M prices and compiles records of physical count or reviews work of others.
3. O/M determines all owned goods are counted and that obsolete or consigned goods are excluded from the count.

INVENTORIES—ACTIVITY-LEVEL CONTROLS
1. An annual physical inventory is taken and adequate count records (tags or sheets) are maintained.
2. Adequate records of inventory pricing and compilation are maintained.
3. The inventory count is taken, checked or supervised by a supervisor.
4. Obsolete and consigned goods are excluded from the count.

Control Risk Evaluation (circle one): Low Moderate High

FIXED ASSETS—KEY CONTROLS
1. Only the O/M can open accounts with vendors and approve the purchase of equipment, tools or other property.
2. O/M periodically inspects and/or inventories capitalized fixed assets.
3. O/M makes or approves all make, buy, lease, repair decisions.

FIXED ASSETS—ACTIVITY-LEVEL CONTROLS
1. Supporting documents are retained for all purchases of fixed assets.
2. A detailed depreciation schedule is prepared and depreciation is entered in the records at least annually.
3. A capitalization limit has been set and is used to determine capitalizable items.

Control Risk Evaluation (circle one): Low Moderate High

ACCOUNTS PAYABLE—KEY CONTROLS
1. O/M approves all vendors and accounts with creditors.
2. O/M approves all vendor payments.
3. O/M receives and reviews unpaid vendor invoices and statements monthly.

ACCOUNTS PAYABLE—ACTIVITY-LEVEL CONTROLS
1. Vendor invoices are entered in the purchases journal when received.
2. Vendor invoices and supporting documents are reviewed by the check signer.
3. Vendor invoices are cancelled when checks are signed.
4. Vendor invoices or receiving reports contain the date goods were received.
5. Unpaid vendor invoices are maintained in a file separate from paid invoices.

Control Risk Evaluation (circle one): Low Moderate High

SALES/REVENUES—KEY CONTROLS
1. O/M approves all credit sales.
2. O/M reviews copies of all sales invoices and shipping reports.
3. O/M reviews customers’ statements before mailing.
4. O/M reviews monthly aged trial balance, calls past due customers and resolves customer complaints.

SALES/REVENUES—ACTIVITY-LEVEL CONTROLS
1. Sales are recorded in the period made or shipped (considering shipping terms).
2. Pre-numbered sales invoices and shipping reports are prepared.
3. Copies of sales invoices or customer statements are mailed at least monthly.
4. All returns, allowances, discounts and account adjustments are approved by a supervisor.

Control Risk Evaluation (circle one): Low Moderate High

PAYROLL—KEY CONTROLS
1. O/M approves all hires and fires.
2. O/M authorizes wage rates.
3. Payroll checks are distributed by the O/M.
4. O/M reviews and signs all payroll tax returns and other related documents.
5. O/M responds to all inquiries by state and federal regulatory bodies.

PAYROLL—ACTIVITY-LEVEL CONTROLS
1. Payroll checks are pre-numbered and prepared and recorded with accounting software, or by a service bureau.
2. W-4s, I-9s and other required payroll documents are maintained.
3. Employee time records are maintained and used to calculate paychecks.
4. Payroll checks are distributed by department heads or other supervisors.
5. Hires, fires, wage rates, time off are approved by department heads or supervisors.

Control Risk Evaluation (circle one): Low Moderate High

EXPENSES—KEY CONTROLS
1. O/M reviews and approves all disbursements’ supporting documents.
2. When signing checks, O/M determines account classifications are proper.
3. O/M investigates any unapproved or unusual disbursements.
4. O/M investigates duplicate payments and inadequate documentation.

EXPENSES—ACTIVITY-LEVEL CONTROLS
1. A descriptive chart of accounts is used.
2. Checks are prepared only when appropriate supporting documents have been received.
3. The person recording and summarizing transactions cannot sign checks.
4. The person preparing deposits and posting customer payments cannot sign checks.
5. Vendor invoices are cancelled by the check signer.

Control Risk Evaluation (circle one): Low Moderate High

EXPLANATION OF “NO” ANSWERS (POTENTIAL CONTROL DEFICIENCIES):
CASH:
ACCOUNTS RECEIVABLE:
INVENTORIES:
FIXED ASSETS:
ACCOUNTS PAYABLE:
SALES/REVENUE:
PAYROLL:
EXPENSES:
OTHER:

CPA PRACTICE AIDS, LLC
AUDIT FLOWCHARTING GUIDE

USE OF GUIDE
This Guide is designed to facilitate preparation of flowcharts documenting accounting and internal control systems for use on small audit engagements. The Guide is designed by major audit area and will facilitate the preparation of flowcharts that will result in identification of control deficiencies and the assessment of control risk. Control risks will be combined with inherent risks to assess the level of risk of material misstatements for relevant assertions. The Guide should be used in connection with the Small Audits Internal Control Questionnaire for Major Audit Areas (SAICQ).

INSTRUCTIONS

Client Inquiries
The SAICQ and the flowcharts resulting from this Guide should be used while making inquiries of appropriate client personnel. While a flowchart is being prepared, or after it is prepared if it is more convenient, a systems walk-through procedure should be performed to determine that information on the flowcharts is accurate. Documents examined and procedures performed during the walk-through may be recorded on the flowcharts or described in an accompanying memorandum. Control deficiencies should be documented in the last section of the SAICQ.

Flowchart and/or Memoranda
Memoranda may be prepared for documenting the accounting and internal control procedures in lieu of flowcharts at the option of the audit engagement leader.
The author recommends using flowcharts since they are usually more effective for identifying control deficiencies and they often take less time to carry forward, to discuss with client personnel and to update. Memoranda may be used to supplement the flowcharts to enhance explanations of accounting system procedures, internal control activities or other information as the auditor considers necessary.

Key Controls—the Heart of Error and Fraud Prevention
Key controls, a part of entity-level controls, should drive the control risk assessment process and should be clearly indicated on the flowcharts. Key controls can mitigate most deficiencies in activity-level controls, particularly for smaller entities. For a small business or organization, key controls are normally performed by the owner/manager (O/M), a member of the entity’s board of directors, a volunteer or a paid consultant. Key controls are presented first in each section of the SAICQ.

Financial Statement Assertions
When control risk is evaluated at the financial statement classification level, the auditor should primarily consider relevant assertions described in the SAICQ. Flowcharts should, therefore, focus primarily on controls that affect the relevant assertions in each financial statement classification. All controls that are operating, however, should be evidenced on the flowchart to provide an accurate evaluation of control risk.

Flowchart Preparation
Flowcharts may be prepared using manual templates or flowcharting software. The hardcopies or the electronic copies may be carried forward with changes reflected in different color pencils or software fonts. All accounting systems software applications, procedures, documents and data, and all internal controls, should be reflected on the flowcharts.

CPA FIRM PRACTICE AIDS, LLC
AUDIT FLOWCHARTING GUIDE
INSTRUCTIONS AND QUESTIONS BY MAJOR AUDIT AREA

The instructions and questions below will enhance the preparation of flowcharts and completion of the SAICQ. Answers to questions should first consider key controls and, if no key controls are present, activity-level controls should be considered to determine if misstatements can be prevented and not result in control deficiencies.

CASH
The flowchart should contain documentation of:
- All types of cash receipts, such as receipts received by mail, over-the-counter, or by sales representatives.
- Receipts from periodic sales of fixed assets, scrap or other items to employees or others.
- All types of cash disbursements such as disbursements made with and without purchase orders, made from petty cash or a cash register and made for customer refunds.
- All accounting records, documents, data and procedures.

Consider the entity’s key controls and activity-level controls when preparing flowchart documentation. These questions can facilitate the identification of accounting and internal control procedures:
- Can cash or checks be received and not documented?
- Can receipts from over-the-counter sales be misappropriated?
- Can miscellaneous receipts be overlooked and not recorded?
- Can disbursements be made for routine or non-routine purchase of goods or services without proper support?
- Can petty cash be misappropriated?

ACCOUNTS RECEIVABLE
The flowchart should contain documentation of:
- All types of sales on account including customer written orders received by mail, phone or email, sales orders from sales representatives, C.O.D., consignment, etc.
- Different types of customers such as wholesale, retail, distributor, consumer, and related parties.
- All accounting records, documents, data and procedures.

Consider the entity’s key controls and activity-level controls when preparing flowchart documentation.
These questions can facilitate the identification of accounting and internal control procedures:
- Can goods be shipped to customers with bad credit?
- Can sales be invoiced but not recorded?
- Can adjustments to customers’ accounts be made without approval?
- Could lapping occur and go undetected?
- Can past due accounts go undetected?

INVENTORIES AND COSTS OF GOODS SOLD
The flowchart should contain documentation of:
- All job, process or retail costing procedures.
- All inventory classifications such as raw materials, work-in-process and finished goods.
- Standard costs calculations, applications, adjustments and revisions.
- All inventory records, documents, data or procedures.

Consider the entity’s key controls and activity-level controls when preparing flowchart documentation. These questions can facilitate the identification of accounting and internal control procedures:
- Can inventory items be stolen, misappropriated or inaccurately transferred to work in process or costs of goods sold?
- Can inventory be used, damaged or wasted without being recorded?
- Can inventory be received and not recorded accurately?

FIXED ASSETS
The flowchart should contain documentation of:
- The fixed asset acquisition, disposal and control processes.
- All fixed asset records, documents, data or procedures.

Consider the entity’s key controls and activity-level controls when preparing flowchart documentation. These questions can facilitate the identification of accounting and internal control procedures:
- Can fixed asset acquisitions or disposals be made and not approved or recorded?
- Are capitalization limits in place?
- Do accounting personnel understand when to capitalize additions or repairs to fixed assets (when the life or capacity is increased)?

ACCOUNTS PAYABLE
The flowchart should contain documentation of:
- All types of products, vendors and shipment.
- Acquisitions and payments requiring purchase orders.
- Payments not requiring purchase orders.
- All phases of the purchases/payables transaction such as ordering, product receiving, invoice recording and payments processing.

Consider the entity’s key controls and activity-level controls when preparing flowchart documentation. These questions can facilitate the identification of accounting and internal control procedures:
- Can unauthorized purchases be made?
- Can payables be recorded if goods or services are not received?
- Can obligations be incurred and not recorded?
- Can payables be recorded in the wrong account?
- Do petty cash policies prevent its improper use or misappropriation?

SALES
The flowchart should contain documentation of:
- Different types of shipping terms such as F.O.B. shipping point or destination, different shipping locations, different types of carriers, drop ships from suppliers, customer pick up, etc.
- Different types of customers such as wholesale, retail, distributor, consumer, and related parties.
- All accounting records, documents, data and procedures.

Consider the entity’s key controls and activity-level controls when preparing flowchart documentation. These questions can facilitate the identification of accounting and internal control procedures:
- Can goods be shipped without invoices being prepared?
- Can sales be invoiced but not recorded?
- Can sales be made and recorded without inventory being relieved?
- Can customer invoice errors be made and go undetected?

PAYROLL
The flowchart should contain documentation of:
- Different methods of compensation such as hourly, salaried, commission, piece work, contract, etc.
- Methods of payment such as check or direct deposit.
- Hiring decisions, firing actions, payroll documents, cost distribution and all other records, documents, data and procedures in the payroll accounting and internal control systems.

Consider the entity’s key controls and activity-level controls when preparing flowchart documentation.
These questions can facilitate the identification of accounting and internal control procedures:
- Can fictitious employees be added to the payroll?
- Can terminated employees be kept on the payroll and their checks prepared after their termination?
- Are paychecks distributed, or direct deposits made, under the supervision of an administrative person?
- Are time cards, timesheets or electronic records required to support paycheck preparation?
- Can other inadvertent or intentional errors occur?

FINANCIAL REPORTING SYSTEM
The flowchart should contain documentation of:
- All modules of the general ledger software, data entry personnel, source documents and all related accounting system and internal control procedures.
- Controls over general journal entries, bank reconciliations and financial statement preparation.

Consider the entity’s key controls and activity-level controls when preparing flowchart documentation. These questions can facilitate the identification of accounting and internal control procedures:
- Can journal entries or unusual transactions be posted to the general ledger without approval of a supervisor?
- Are there effective administrative controls such as regular vacations, cross-training, bonding insurance, timely financial statement preparation and budget utilization?
- Is internal control affected by busy or slack periods, illnesses, vacations, etc.?
- Is internal control affected by the competence of any employee or group of employees?
- Are appropriate internal checks in place, provided either by software, hardware or administrative procedures?
- Are any assets improperly safeguarded?