Internal Control: Test Your Knowledge

BY JAMES SCHAEFER, CPA, DBA AND JOY V. PELUCHETTE, DBA
MARCH 2010
Today many companies recognize both the desirability of and the requirement for an effective system
of internal control. Yet, designing and implementing a cost-effective system of internal control is a
daunting, if not overwhelming, task.
One way to overcome resistance to internal control is to educate stakeholders at every level of the
organization about its advantages.
Try the following quiz to test your knowledge of internal control and consider using it as a teaching tool for
others in your organization.
1. Houston Helpers, a faith-based group that offers help to people in need, has hired Janet Wells, a local
CPA, to train its professional staff in the basics of internal control. As Wells begins her presentation, a
participant interrupts by saying, “We are not like other organizations. How can we talk about common
elements of internal control when we are a faith-based service provider?”
a. The participant is correct; there are no generally accepted frameworks for internal control.
b. The participant is incorrect; there are generally accepted frameworks for internal control, regardless of
industry.
2. Internal control is a process designed to provide reasonable assurance regarding the achievement of
which objective?
a. Effectiveness and efficiency of operations
b. Reliability of financial reporting
c. Compliance with applicable laws and regulations
d. All of the above
3. CS Inc. has asked you to join its board of directors. Before agreeing to do so, you realize that it is
important that you understand the company’s approach to Enterprise Risk Management (ERM). Which of
the following is NOT true about ERM?
a. ERM is a bottom-up view of the key risks facing the organization.
b. ERM links growth, risk and return.
c. ERM aligns risk appetite and strategy.
d. ERM identifies and manages cross-enterprise risk.
4. The directors of Evans Corp. are reevaluating their “tone at the top.” They realize the phrase “tone at
the top” is used to describe the example set by directors, officers and executives through their statements
and daily actions. The board members also realize written policies need to reinforce the tone, but are
unsure how to integrate written policies into the “tone at the top.” If you were advising the board, what
would you tell them is the cornerstone of these policies?
a. A comprehensive code of conduct
b. A conflict-of-interest policy
c. Organization communications
d. Protection of the organization’s assets
5. Your employer has asked you to develop controls to help prevent duplicate payments. Which of the
following steps would NOT be appropriate in developing such a policy?
a. Create a form for updates to the master vendor file, which should be completed by the person
requesting the change and signed off by someone at a higher level.
b. Purge inactive vendors.
c. Periodically run reports showing the daily changes to the master vendor file.
d. Prohibit the sharing of passwords for the master vendor file.
6. As part of a training exercise for a corporate controller’s staff, Jeri Lee breaks the group into teams and
asks each team to gain (and document) their understanding of a potential acquisition’s system of internal
control. When she returns to check on their progress, she discovers that one team is working on
integrating the use of narratives, flowcharts and internal control questionnaires. What should Lee tell this
team about using all three approaches simultaneously?
a. The team is correct in using all three approaches simultaneously.
b. The team only needs to use one approach.
c. Combining the use of narratives and flowcharts together is inefficient.
d. Combining the use of flowcharts and internal control questions together is ineffective.
e. b and c
COSO FRAMEWORK
The COSO framework consists of five elements of control: the control environment, risk assessment,
control activities, information and communication, and monitoring. The remaining questions refer to these
elements.
7. The owner of Austin Marina has approached the managing partner of a CPA firm about conducting a
first-time independent audit. While discussing the nature and scope of the audit, the owner of Austin
Marina asks if it is really necessary for the auditor to gain an understanding of Austin Marina’s system of
internal control. Which of the following responses would NOT be correct?
a. The auditor needs to gain an understanding of the client’s internal control in order to assess risk.
b. An understanding of internal control is necessary to support the audit opinion.
c. Audit standards do not require the auditor to gain an understanding of the client’s system of internal
control since risk can be assessed by other means.
d. Independent auditors can no longer assess control risk at a maximum without having support for that
assessment.
8. Risks relevant to financial reporting include which of the following?
a. External events
b. Internal events
c. Circumstances that might affect reliable financial reporting
d. All of the above
9. Control activities can be defined as:
a. A means to an end
b. Authorized procedures
c. The particular category in which a control is placed
d. The actions of people to help ensure that management directives necessary to address risks are
carried out
10. Evans & Co. has been struggling to implement the monitoring component of the COSO Internal
Control—Integrated Framework. Which of the following is NOT correct in how the company can
implement the monitoring component?
a. Monitoring can be an ongoing process.
b. Monitoring can be conducted as a separate evaluation.
c. An adequate internal audit staff can reduce external audit costs.
d. The independent auditor can serve as part of the control environment.
ANSWERS
1. (b) While the staff at Houston Helpers may not be aware of it, there are frameworks available to
evaluate the effectiveness of internal control in any type of organization. The industry standard used by
most U.S. companies is Internal Control—Integrated Framework, which was issued in 1992 by the
Committee of Sponsoring Organizations (COSO), and is a blueprint for organizations to assess and
enhance internal control systems. COSO was formed in 1985. The sponsoring organizations are the
American Accounting Association, the AICPA, Financial Executives International, the Institute of
Management Accountants, and the Institute of Internal Auditors.
2. (d) Effectiveness relates to the ability of the entity to accomplish its goals. Efficiency is concerned with
maximizing the best use of resources. Reliability of financial reporting includes the accuracy of financial
statement balances and adequate and complete disclosure. Compliance with applicable laws and
regulations refers to all laws and regulations that apply to the entity.
3. (a) ERM provides “a process that provides a robust and holistic top-down view of key risks facing the
organization.” (Effective Enterprise Risk Oversight: The Role of the Board of Directors, COSO, 2009).
Thus ERM is significantly different from the more traditional risk management approaches. Board
members need to understand the entity’s strategy for managing risks to ensure that day-to-day operations
are aligned with stakeholder expectations. The other answers are true.
4. (a) “The code of conduct should be a source of guidance on daily behavior and set the minimum
standards for that behavior,” according to the AICPA On-Site Training course Financial Fraud, Forensics,
and the CPA. The “tone at the top” applies to everyone as they carry out their business and personal
responsibilities. The other answers (a conflict-of-interest policy, organization communications, and
protection of the organization’s assets) are normally considered for inclusion in the code of conduct.
5. (b) Accounts payable expert Mary Schaeffer recommends that inactive vendors be deactivated, not
purged. This allows vendor activity to be researched if needed. The other steps are appropriate. Using
forms for updates to the master vendor file allows accountability for changes. Schaeffer also recommends
executive review of reports, which show daily changes to the master vendor file. Passwords to the master
vendor file should never be shared. For more information, see “Fight Fraud and Duplicate Payments”
(Dec. 4, 2008), by Mary Schaeffer, available at tinyurl.com/yfc7jog.
6. (e) A narrative is a written description of a system of internal control. A flowchart is a diagram of the
documents and their sequential flow within an organization. A narrative and a flowchart present the same
information. While one well-executed approach can be sufficient for gaining an understanding of internal
control, a flowchart and an internal control questionnaire can be used together effectively, as the internal
control questionnaire offers checklists that include the many types of controls available.
7. (c) Current audit standards require the independent auditor to obtain an understanding of the entity and
its environment, including internal control. Moreover, the auditor is required to evaluate the design of
controls and whether or not they have been implemented. Also, the auditor must document significant
processes and their basis for assessing control risk.
8. (d) Risk assessment is the process of identifying and analyzing relevant risks in order to manage and
mitigate the risks. External and internal events, as well as any other circumstance that could affect
reliable financial reporting, should play a part in risk assessment.
9. (d) The COSO definition of control activities recognizes that internal control is affected by people at
every level of the organization. Control activities are more than a means to an end, and are not limited to
authorized procedures. Control activities are often in overlapping categories.
10. (d) Management is responsible for establishing and maintaining the entity’s internal control, and an
independent auditor cannot perform management functions. Monitoring can be an ongoing process or be
conducted as a separate evaluation. For many larger entities, internal audit departments are essential for
effective monitoring. In fact, AU section 322 addresses the effect of internal auditors on the external
auditor’s evidence accumulation, provided the internal audit function is performed by staff independent of
both the operating and accounting departments and reports either to top management or the audit
committee.
SCORING
An effective system of internal control is one of the best ways to prevent the fraudulent misstatement of
financial statements. If you answered all 10 questions correctly, you are an internal control guru. If you
answered eight or nine questions correctly, your knowledge of internal control is competent.
If you answered seven or fewer questions correctly, you may want to build on your internal control skills.
Fortunately, no one needs to “reinvent the wheel” when implementing or upgrading a system of internal
controls. The resources listed on the previous page will help you stay competent in internal control.
James Schaefer (js2@evansville.edu) is a professor of accounting at the University of Evansville, and
Joy V. Peluchette (jpeluche@usi.edu) is a professor of management at the University of Southern
Indiana.