Internal Control: Test Your Knowledge

BY JAMES SCHAEFER, CPA, DBA AND JOY V. PELUCHETTE, DBA
MARCH 2010

Today many companies recognize the desirability as well as the requirement to have an effective system of internal control. Yet, designing and implementing a cost-effective system of internal control is a daunting, if not overwhelming, task. One way to overcome resistance to internal control is to educate stakeholders at every level of the organization about its advantages. Try the following quiz to test your knowledge of internal control and consider using it as a teaching tool for others in your organization.

1. Houston Helpers, a faith-based group that offers help to people in need, has hired Janet Wells, a local CPA, to train its professional staff in the basics of internal control. As Wells begins her presentation, a participant interrupts by saying, “We are not like other organizations. How can we talk about common elements of internal control when we are a faith-based service provider?”
a. The participant is correct; there are no generally accepted frameworks for internal control.
b. The participant is incorrect; there are generally accepted frameworks for internal control, regardless of industry.

2. Internal control is a process designed to provide reasonable assurance regarding the achievement of which objective?
a. Effectiveness and efficiency of operations
b. Reliability of financial reporting
c. Compliance with applicable laws and regulations
d. All of the above

3. CS Inc. has asked you to join its board of directors. Before agreeing to do so, you realize that it is important that you understand the company’s approach to Enterprise Risk Management (ERM). Which of the following is NOT true about ERM?
a. ERM is a bottom-up view of the key risks facing the organization.
b. ERM links growth, risk and return.
c. ERM aligns risk appetite and strategy.
d. ERM identifies and manages cross-enterprise risk.

4. The directors of Evans Corp. are reevaluating their “tone at the top.” They realize the phrase “tone at the top” is used to describe the example set by directors, officers and executives through their statements and daily actions. The board members also realize written policies need to reinforce the tone, but are unsure how to integrate written policies into the “tone at the top.” If you were advising the board, what would you tell them is the cornerstone of these policies?
a. A comprehensive code of conduct
b. A conflict-of-interest policy
c. Organization communications
d. Protection of the organization’s assets

5. Your employer has asked you to develop controls to help prevent duplicate payments. Which of the following steps would NOT be appropriate in developing such a policy?
a. Create a form for updates to the master vendor file, which should be completed by the person requesting the change and signed off by someone at a higher level.
b. Purge inactive vendors.
c. Periodically run reports showing the daily changes to the master vendor file.
d. Prohibit the sharing of passwords for the master vendor file.

6. As part of a training exercise for a corporate controller’s staff, Jeri Lee breaks the group into teams and asks each team to gain (and document) their understanding of a potential acquisition’s system of internal control. When she returns to check on their progress, she discovers that one team is working on integrating the use of narratives, flowcharts and internal control questionnaires. What should Lee tell this team about using all three approaches simultaneously?
a. The team is correct in using all three approaches simultaneously.
b. The team only needs to use one approach.
c. Combining the use of narratives and flowcharts together is inefficient.
d. Combining the use of flowcharts and internal control questions together is ineffective.
e. b and c

COSO FRAMEWORK

The COSO framework consists of five elements of control: the control environment, risk assessment, control activities, information and communication, and monitoring. The remaining questions refer to these elements.

7. The owner of Austin Marina has approached the managing partner of a CPA firm about conducting a first-time independent audit. While discussing the nature and scope of the audit, the owner of Austin Marina asks if it is really necessary for the auditor to gain an understanding of Austin Marina’s system of internal control. Which of the following responses would NOT be correct?
a. The auditor needs to gain an understanding of the client’s internal control in order to assess risk.
b. An understanding of internal control is necessary to support the audit opinion.
c. Audit standards do not require the auditor to gain an understanding of the client’s system of internal control since risk can be assessed by other means.
d. Independent auditors can no longer assess control risk at a maximum without having support for that assessment.

8. Risks relevant to financial reporting include which of the following?
a. External events
b. Internal events
c. Circumstances that might affect reliable financial reporting
d. All of the above

9. Control activities can be defined as:
a. A means to an end
b. Authorized procedures
c. The particular category in which a control is placed
d. The actions of people to help ensure that management directives necessary to address risks are carried out

10. Evans & Co. has been struggling to implement the monitoring component of the COSO Internal Control—Integrated Framework. Which of the following is NOT correct in how the company can implement the monitoring component?
a. Monitoring can be an ongoing process.
b. Monitoring can be conducted as a separate evaluation.
c. An adequate internal audit staff can reduce external audit costs.
d. The independent auditor can serve as part of the control environment.

ANSWERS

1. (b) While the staff at Houston Helpers may not be aware of it, there are frameworks available to evaluate the effectiveness of internal control in any type of organization. The industry standard used by most U.S. companies is Internal Control—Integrated Framework, which was issued in 1992 by the Committee of Sponsoring Organizations (COSO), and is a blueprint for organizations to assess and enhance internal control systems. COSO was formed in 1985. The sponsoring organizations are the American Accounting Association, the AICPA, Financial Executives International, the Institute of Management Accountants, and the Institute of Internal Auditors.

2. (d) Effectiveness relates to the ability of the entity to accomplish its goals. Efficiency is concerned with maximizing the best use of resources. Reliability of financial reporting includes the accuracy of financial statement balances and adequate and complete disclosure. Compliance with applicable laws and regulations refers to all laws and regulations that apply to the entity.

3. (a) ERM provides “a process that provides a robust and holistic top-down view of key risks facing the organization.” (Effective Enterprise Risk Oversight: The Role of the Board of Directors, COSO, 2009). Thus ERM is significantly different from the more traditional risk management approaches. Board members need to understand the entity’s strategy for managing risks to ensure that day-to-day operations are aligned with stakeholder expectations. The other answers are true.

4. (a) “The code of conduct should be a source of guidance on daily behavior and set the minimum standards for that behavior,” according to the AICPA On-Site Training course Financial Fraud, Forensics, and the CPA. The “tone at the top” applies to everyone as they carry out their business and personal responsibilities. The other answers (a conflict-of-interest policy, organization communications, and protection of the organization’s assets) are normally considered for inclusion in the code of conduct.

5. (b) Accounts payable expert Mary Schaeffer recommends that inactive vendors be deactivated, not purged. This allows vendor activity to be researched if needed. The other steps are appropriate. Using forms for updates to the master vendor file allows accountability for changes. Schaeffer also recommends executive review of reports, which show daily changes to the master vendor file. Passwords to the master vendor file should never be shared. For more information, see “Fight Fraud and Duplicate Payments” (Dec. 4, 2008), by Mary Schaeffer, available at tinyurl.com/yfc7jog.

6. (e) A narrative is a written description of a system of internal control. A flowchart is a diagram of the documents and their sequential flow within an organization. A narrative and a flowchart present the same information. While one well-executed approach can be sufficient for gaining an understanding of internal control, a flowchart and an internal control questionnaire can be used together effectively, as the internal control questionnaire offers checklists that include the many types of controls available.

7. (c) Current audit standards require the independent auditor to obtain an understanding of the entity and its environment, including internal control. Moreover, the auditor is required to evaluate the design of controls and whether or not they have been implemented. Also, the auditor must document significant processes and their basis for assessing control risk.

8. (d) Risk assessment is the process of identifying and analyzing relevant risks in order to manage and mitigate the risks. External and internal events, as well as any other circumstance that could affect reliable financial reporting, should play a part in risk assessment.

9. (d) The COSO definition of control activities recognizes that internal control is affected by people at every level of the organization. Control activities are more than a means to an end, and are not limited to authorized procedures. Control activities are often in overlapping categories.

10. (d) Management is responsible for establishing and maintaining the entity’s internal control, and an independent auditor cannot perform management functions. Monitoring can be an ongoing process or be conducted as a separate evaluation. For many larger entities, internal audit departments are essential for effective monitoring. In fact, AU section 322 addresses the effect of internal auditors on the external auditor’s evidence accumulation, provided the internal audit function is performed by staff independent of both the operating and accounting departments and reports either to top management or the audit committee.

SCORING

An effective system of internal control is one of the best ways to prevent the fraudulent misstatement of financial statements. If you answered all 10 questions correctly, you are an internal control guru. If you answered eight or nine questions correctly, your knowledge of internal control is competent. If you answered seven or fewer questions correctly, you may want to build on your internal control skills.

Fortunately, no one needs to “reinvent the wheel” when implementing or upgrading a system of internal controls. The resources listed on the previous page will help you stay competent in internal control.

James Schaefer (js2@evansville.edu) is a professor of accounting at the University of Evansville, and Joy V. Peluchette (jpeluche@usi.edu) is a professor of management at the University of Southern Indiana.