AUDITING IN A CIS ENVIRONMENT
Case Study

CONTENTS
Audit Committee
Role of Internal Auditor
Internal Control
Evaluation of Controls

CULLADO, JANNIELLE
MARTINEZ, SHIELA MAY
PAGAL, CAROL ANNE
SALAPARE, JESSICA
BSA 31

I. Audit Committee

Micro Dynamics, a developer of database software packages, is a publicly held company whose stock is traded over the counter. The company recently received an enforcement release proceeding through an SEC administrative law judge that cited the company for inadequate internal controls. In response, Micro Dynamics has agreed to establish an internal audit function and strengthen its audit committee.

A manager of the internal audit department has been hired as a result of the SEC enforcement action to establish an internal audit function. In addition, the composition of the audit committee has been changed to include all outside directors.

Micro Dynamics has held its initial planning meeting to discuss the roles of the various participants in the internal control and financial reporting process. Participants at the meeting included the company president, the chief financial officer, a member of the audit committee, a partner from Micro Dynamics’ external audit firm, and the newly appointed manager of the internal audit department. Comments by the various meeting participants are presented below.

President: “We want to ensure that Micro Dynamics complies with the SEC’s enforcement release, and that we don’t find ourselves in this position again. The internal audit department should help to strengthen our internal control system by correcting the problems. I would like your thoughts on the proper reporting relationship for the manager of the internal audit department.”

CFO: “I think the manager of the internal audit department should report to me since much of the department’s work is related to financial issues. The audit committee should have oversight responsibilities.”

Audit committee member: “I believe we should think through our roles more carefully. The Treadway Commission has recommended that the audit committee play a more important role in the financial reporting process; the duties of today’s audit committee have expanded beyond the rubber-stamp approval. We need to have greater assurance that controls are in place and being followed.”

External audit firm partner: “We need a close working relationship among all of our roles. The internal audit department can play a significant role in monitoring the control systems on a continuing basis and should have strong ties to your external audit firm.”

Internal audit department manager: “The internal audit department should be more involved in operational auditing, but it also should play a significant monitoring role in the financial reporting area.”

A. DESCRIBE THE ROLE OF EACH OF THE FOLLOWING IN THE ESTABLISHMENT, MAINTENANCE, AND EVALUATION OF MICRO DYNAMICS’ SYSTEM OF INTERNAL CONTROL.

i. Management

Management is in charge of establishing and implementing management processes that are based on four core organizational functional areas: planning, organizing, leading, and controlling. Therefore, management plays a key role in developing, maintaining, and monitoring the internal controls that have been implemented or will be implemented in Micro Dynamics. Moreover, management is responsible for maintaining an effective system of internal control that provides reasonable assurance that financial data is accurate, assets are protected, and transactions are appropriately authorized and documented in line with rules and regulations.

ii. Audit committee

The major function of a company's audit committee is to oversee the financial reporting process, audit process, internal control system, and compliance with laws and regulations. The committee reviews and approves internal audit's remit, ensuring that the internal auditor works freely and objectively, has the resources and information it requires to fulfill its mandate, and is equipped to act in accordance with relevant professional standards for internal auditors. In addition, the audit committee meets with management and external auditors to discuss the findings of an audit, including topics that must be presented to the committee under generally recognized auditing standards.

iii. External auditor

An external auditor reviews and verifies that a firm's internal controls, processes, guidelines, and policies are adequate, effective, and compliant with government regulations, industry standards, and corporate policies. The work of internal auditors is evaluated and certified by an external auditor, who also ensures that reporting methods prevent financial statement errors. Any material deficiencies discovered during the audit are also reported to the company by the external auditors.

iv. Internal audit department

The internal audit department performs both operational and financial audits to determine compliance with established policies and procedures, and reports its findings and recommendations to management or the audit committee for evaluation and corrective action. This department provides members of the board and management with assurance that they can use to fulfill their own duties to the company and its shareholders. Moreover, the internal audit department may also assist the external auditors with their review of the internal control system.

[Figure: internal control and the four participants: management, audit committee, external auditor, internal audit department]

B. DESCRIBE THE RESPONSIBILITIES THAT MICRO DYNAMICS’ AUDIT COMMITTEE HAS IN THE FINANCIAL REPORTING PROCESS.

Micro Dynamics' audit committee is responsible for administering the company's financial reporting, as well as the risks, internal controls, compliance, and ethics that come with it. The committee collaborates with management and auditors to produce financial reports that adhere to accounting standards and rules. The committee also evaluates management's examination of major issues and judgments in the financial reports and the impact of accounting and regulatory activities on the financial statements, and examines the audit's progress as well as the final audit results. Furthermore, the audit committee should be aware of the processes and internal controls put in place by the company's management to ensure that the financial reports are accurate.

II. Role of Internal Auditor

Leigh Industries has an internal audit department consisting of a director and four staff auditors. The director of internal audit, Diane Bauer, reports to the corporate controller, who receives copies of all internal audit reports. In addition, copies of all internal audit reports are sent to the audit committee of the board of directors and the individual responsible for the area of activity being audited.

In the past, the company’s external auditors have relied on the work of the internal audit department to a substantial degree. However, in recent months, Bauer has become concerned that the objectivity of the internal audit function is being affected by the non-audit work being performed by the department. This possible loss of objectivity could result in more extensive testing and analysis by the external auditors. The percentage of non-audit work performed by the internal auditors has steadily increased to about 25 percent of the total hours worked. A sample of five recent non-audit activities follows.

One of the internal auditors assisted in the preparation of policy statements on internal control. These statements included such things as policies regarding sensitive payments and the safeguarding of assets.

Reconciling the bank statements of the corporation each month is a regular assignment of one of the internal auditors. The corporate controller believes this strengthens the internal control function because the internal auditor is not involved in either the receipt or the disbursement of cash.

The internal auditors are asked to review the annual budget each year for relevance and reasonableness before the budget is approved. At the end of each month, the corporate controller’s staff analyzes the variances from budget and prepares explanations of these variances. These variances and explanations are then reviewed by the internal audit staff.

One of the internal auditors has been involved in the design, installation, and initial operation of a new computerized inventory system. The auditor was primarily concerned with the design and implementation of internal accounting controls and conducted the evaluation of these controls during the test runs.

The internal auditors are sometimes asked to make the accounting entries for complex transactions as the employees in the accounting department are not adequately trained to handle such transactions. The corporate controller believes this gives an added measure of assurance to the accurate recording of these transactions.

A. DEFINE OBJECTIVITY AS IT RELATES TO THE INTERNAL AUDIT FUNCTION.

The internal audit function is critical as it serves as a key control of an organization. The role of internal auditors is to assess and provide assurance that the firm's internal control and risk management are effectively implemented. Also, some external auditors rely on internal audits in gathering evidence, hence internal auditors must maintain objectivity. In relation to internal audits, objectivity means that the judgment of the auditor is unbiased, based on facts, and not influenced by other individuals or by personal feelings. The auditor must always observe independence, especially in rendering an opinion about the firm's controls and governance.

B. FOR EACH OF THE FIVE NON-AUDIT ACTIVITIES PRESENTED, EXPLAIN WHETHER THE OBJECTIVITY OF LEIGH INDUSTRIES’ INTERNAL AUDIT DEPARTMENT HAS BEEN MATERIALLY IMPAIRED. CONSIDER EACH SITUATION INDEPENDENTLY.

The objectivity is not impaired in the first non-audit activity, as assisting in the development of internal control and the preparation of policy statements are part of the internal control’s responsibilities.

The objectivity of the internal auditor is impaired. To maintain objectivity, the auditor should not do operational tasks that are part of the independent evaluation and verification of a proper system of internal control. There must be segregation of duties within the organization.

The review of the annual budget does not impair Leigh Industries’ objectivity, as the internal audit department had no role in the budget’s preparation and implementation. The review of the variances, on the other hand, will impair the objectivity since they are subject to operational audit by the internal audit department.

Internal control’s objectivity has been impaired. The auditor was involved in the design and implementation of internal control. As it will be assessed by the same person involved in the design and implementation of the system, this will result in little confidence in the audit findings.

Objectivity will be impaired if the internal auditor is involved in the day-to-day operations. Auditors are not responsible for the financial statements on which they form an opinion.

C. THE DIRECTOR OF INTERNAL AUDIT REPORTS DIRECTLY TO THE CORPORATE CONTROLLER. DOES THIS REPORTING RELATIONSHIP AFFECT THE OBJECTIVITY OF THE INTERNAL AUDIT DEPARTMENT? EXPLAIN YOUR ANSWER.

The internal audit department's objectivity is harmed by this reporting relationship. The reason for this is that the corporate controller is in charge of overseeing all accounting and financial processes within a company. Controllers create and implement financial policies, assess financial risk, and create annual budgets and forecasts. The director of internal audit, on the other hand, is in charge of the entire internal audit function, which necessitates independence and objectivity. As a result, the director of internal audit's independence and objectivity may be compromised because the director is responsible for assessing the work of the corporate controller, to whom the director reports.

D. WOULD YOUR EVALUATION OF THE FIVE SITUATIONS IN QUESTION B CHANGE IF THE DIRECTOR OF INTERNAL AUDIT REPORTED TO THE AUDIT COMMITTEE OF THE BOARD OF DIRECTORS? EXPLAIN YOUR ANSWER.

No. If the director of internal audit reported to the audit committee instead of the corporate controller, it would have no bearing on the conclusions reached in each of the five situations. It is clear that objectivity is maintained by keeping the internal audit function free of involvement in non-audit functions such as management decision making, system selection and design, record keeping, operational activities, and others.

III. Internal Control

Oakdale, Inc., is a subsidiary of Solomon Publishing and specializes in the publication and distribution of reference books. Oakdale’s sales for the past year exceeded $18 million, and the company employed an average of 65 employees. Solomon periodically sends a member of its internal audit department to audit the operations of each of its subsidiaries, and Katherine Ford, Oakdale’s treasurer, is currently working with Ralph Johnson of Solomon’s internal audit staff. Johnson has just completed a review of Oakdale’s investment cycle and prepared the following report.

General

Throughout the year, Oakdale has made both short-term and long-term investments in securities; all securities are registered in the company’s name. According to Oakdale’s bylaws, long-term investment activity must be approved by its board of directors, while short-term investment activity may be approved by either the president or the treasurer.

Transactions

Oakdale has a computer link with its broker; thus, all buy and sale orders are transmitted electronically. Only individuals with authorized passwords may initiate certain types of transactions. All purchases and sales of short-term securities in the year were made by the treasurer. In addition, two purchases and one sale of long-term securities were executed by the treasurer. The long-term security purchases were approved by the Board. The president, having online authorization access to all transactions, was able to approve a sale of a long-term security. The president is given access to authorize all transactions engaged in by the firm. Because the treasurer is listed with the broker as the company’s contact, all revenue from these investments is received by this individual, who then forwards the checks to accounting for processing.

Documentation

Purchase and sales authorizations, along with broker’s advices, are maintained in an electronic file with authorized access by the treasurer. Brokers’ advice is received verbally on the phone, and this advice is noted on a broker advice form. This form is filed by the treasurer. The certificates for all long-term investments are kept in a safe deposit box at the local bank; only the president of Oakdale has access to this box. An inventory of this box was made, and all certificates were accounted for. Certificates for short-term investments are kept in a locked metal box in the accounting office. Other documents such as long-term contracts and legal agreements are also kept in this box. There are three keys to the box held by the president, treasurer, and the accounting manager. The accounting manager’s key is available to all accounting personnel, should they require documents kept in this box. Certificates of investments may take up to four weeks to receive after the purchase of the investment. An electronic inventory list is kept perpetually. The data are keyed in by accounting personnel who receive a buy/sale transaction sheet from the treasurer. The president, treasurer, and accounting manager all have passwords to access and update this inventory list. The accounting manager’s password is known by two of the accounting supervisors in case the inventory list needs to be updated when the accounting manager is not available. Documentation for two of the current short-term investments could not be located in this box; the accounting manager explained that some of the investments are for such short periods of time that formal documentation is not always provided by the broker.

Accounting Records

Deposits of checks for interest and dividends earned on investments are recorded by the accounting department, but these checks could not be traced to the cash receipts journal maintained by the individual who normally opens, stamps, and logs incoming checks. These amounts are journalized monthly to an account for investment revenue. Electronic payments for investment purchases are authorized by the treasurer. If the amount is in excess of $15,000, an authorization code given by the treasurer or president is necessary. Each month, the accounting manager and the treasurer prepare the journal entries required to adjust the short-term investment account. There was insufficient backup documentation attached to the journal entries reviewed to trace all transactions; however, the balance in the account at the end of last month closely approximates the amount shown on the statement received from the broker. The amount in the long-term investment account is correct, and the transactions can be clearly traced through the documentation attached to the journal entries.
No attempts are made to adjust either account to the lower of aggregate cost or market.

B. & C. IDENTIFY AN AREA IN OAKDALE’S INVESTMENT PROCEDURES THAT POTENTIALLY VIOLATES SOUND INTERNAL CONTROLS & DESCRIBE HOW OAKDALE CAN CORRECT IT.

I. Violation: “The president, having online authorization access to all transactions, was able to approve a sale of a long-term security.” According to Oakdale’s bylaws, long-term investment activities must be approved by the board of directors, while short-term investment activities can be approved by either the president or the treasurer. In this case, since the president has access to all transactions, he was able to approve a long-term security transaction. This is a violation of the company’s authorization procedures, as long-term investment activities should only be approved by the board of directors.

Correction: Implement a stricter security policy wherein different types of transactions have specified access: for long-term investment activities, only the board of directors is authorized to access the transactions, and for short-term investment activities, access can be given to either the president or the treasurer. This will ensure that only those who are authorized can approve the transactions.

II. Violation: The certificates for short-term investments kept in the metal box in the accounting office are accessible to all accounting personnel.

Correction: Short-term securities should be kept in a secure location, such as a bank safe or a company safe, and should only be accessible to a few personnel. In addition, any securities disposition should be recorded in a log book.

III. Violation: The treasurer has access to journalizing entries related to securities, receives revenues, and buys and sells securities.

Correction: Internal controls should be strengthened so that the treasurer's responsibilities are not in conflict.

IV. Violation: “Deposits of checks for interest and dividends earned on investments are recorded by the accounting department, but these checks could not be traced to the cash receipts journal”

Correction: The checks should be recorded in the cash receipts journal once they have been received. They should also be forwarded to the individual who normally opens, stamps, and logs incoming checks. The accounting department should reconcile the interest and dividend checks to the monthly broker's statements. To ensure that all checks have been received, deposited, and accounted for, these statements should be retained on file.

V. Violation: “the balance in the account at the end of last month closely approximates the amount shown on the statement received from the broker.”

Correction: The accounting department must reconcile the differences and put in place the necessary procedures to ensure that the accounts and brokerage statements are reconciled on a monthly basis.
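
The bylaw rule behind violation I can be enforced as a check over the approval log instead of depending on who happens to hold online access. The following is an added example, not part of the original case study; the record layout, role names, transaction identifiers and sample data are constructed from the report's description.

```python
from dataclasses import dataclass

# Approval rule from Oakdale's bylaws as stated in the case study:
# long-term activity needs the board; short-term needs president or treasurer.
ALLOWED_APPROVERS = {
    "long_term": {"board"},
    "short_term": {"president", "treasurer"},
}


@dataclass(frozen=True)
class Transaction:
    tx_id: str        # constructed identifier, not from the case
    term: str         # "long_term" or "short_term"
    action: str       # "purchase" or "sale"
    executed_by: str  # role that placed the order with the broker
    approved_by: str  # role recorded as approver ("" if none recorded)


def check_transaction(tx):
    """Return (severity, message) findings for one transaction."""
    allowed = ALLOWED_APPROVERS.get(tx.term)
    if allowed is None:
        return [("violation", f"{tx.tx_id}: unknown term {tx.term!r}")]
    findings = []
    if not tx.approved_by:
        findings.append(("violation", f"{tx.tx_id}: no approval recorded"))
    elif tx.approved_by not in allowed:
        findings.append((
            "violation",
            f"{tx.tx_id}: {tx.term} {tx.action} approved by {tx.approved_by}; "
            f"bylaws require {' or '.join(sorted(allowed))}",
        ))
    # Allowed by the bylaws, but one role both executing and approving is the
    # conflict of duties raised in violation III, so surface it for review.
    if tx.approved_by and tx.approved_by == tx.executed_by:
        findings.append(
            ("warning", f"{tx.tx_id}: {tx.executed_by} executed and approved")
        )
    return findings


def audit(transactions):
    """Split findings for a batch into bylaw violations and review warnings."""
    report = {"violation": [], "warning": []}
    for tx in transactions:
        for severity, message in check_transaction(tx):
            report[severity].append(message)
    return report


# Constructed sample mirroring the activity described in the audit report:
# short-term trades by the treasurer, two board-approved long-term purchases,
# and one long-term sale approved by the president.
SAMPLE = [
    Transaction("ST-1", "short_term", "purchase", "treasurer", "treasurer"),
    Transaction("LT-1", "long_term", "purchase", "treasurer", "board"),
    Transaction("LT-2", "long_term", "purchase", "treasurer", "board"),
    Transaction("LT-3", "long_term", "sale", "treasurer", "president"),
]

if __name__ == "__main__":
    for severity, messages in audit(SAMPLE).items():
        for message in messages:
            print(severity.upper(), message)
```

Run at order entry, the same rule rejects the president-approved long-term sale before it reaches the broker; run over the log, it gives the monthly exception list.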

IV. Internal Control

Arlington Industries manufactures and sells component engine parts for large industrial equipment. The company employs over 1,000 workers for three shifts, and most employees work overtime when necessary. Arlington has had major growth in its production and has purchased a mainframe computer to handle order processing, inventory management, production planning, distribution operations, and accounting applications. Michael Cromley, president of Arlington, suspects that there may be internal control weaknesses due to the quick implementation of the computer system. Cromley recently hired Kathleen Luddy as the internal control accountant.

Cromley asked Luddy to review the payroll processing system first. Luddy has reviewed the payroll process, interviewed the individuals involved, and compiled the flowchart shown on page 38 in the text. The following additional information concerns payroll processing.

The personnel department determines the wage rate of all employees at Arlington. Personnel starts the process by sending an authorization form for adding an employee to the payroll to Marjorie Adams, the payroll coordinator. After Adams inputs this information into the system, the computer automatically determines the overtime and shift differential rates for the individual, updating the payroll master files.

Arlington uses an external service to provide monthly payroll tax updates. The company receives a magnetic tape every month, which the data processing department installs to update the payroll master file for tax calculations.

Employees at Arlington use a time clock to record the hours worked. Every Monday morning, Adams collects the previous week’s time cards and begins the computerized processing of payroll information to produce paychecks the following Friday. Adams reviews the time cards to ensure that the hours worked are correctly totaled; the system will determine whether overtime has been worked or a shift differential is required.

All the other processes displayed on the flowchart are performed by Adams. The system automatically assigns a sequential number to each payroll check produced. The checks are stored in a box next to the computer printer to provide immediate access. After the checks are printed, Adams uses an automatic check-signing machine to sign the checks with an authorized signature plate that Adams keeps locked in a safe.

After the check processing is completed, Adams distributes the checks to the employees, leaving the checks for the second and third-shift employees with the appropriate shift supervisor. Adams then notifies the data processing department that she is finished with her weekly processing, and data processing makes a backup of the payroll master file to magnetic tape for storage on the tape shelves in the computer room.

A. FIVE DIFFERENT AREAS IN ARLINGTON’S PAYROLL PROCESSING SYSTEM WHERE THE SYSTEM CONTROLS ARE INADEQUATE.

The payroll processing system breaches the segregation of duties principle. The time cards are verified, payroll information is entered into the master file, checks are printed, machine-signed, and distributed, and the payroll journal entry is prepared, all by the same person, which might lead to fraud.

Employees' time cards are not authorized by a supervisor or anyone with authority, such as a timekeeper, acting as an unbiased person of authority.

The payroll paychecks were not pre-numbered and aren't kept in the proper area. As a consequence, there is no method of verifying check usage without an audit record.

There is no control over the check-signing machine, and there is risk in how the authorized signature plate is stored; for example, there is no record book to track its usage.

The payroll files and checks appear to be in the hands of the data processing department, which might lead to the leakage of confidential payroll information.

B. TWO DIFFERENT AREAS IN ARLINGTON’S PAYROLL PROCESSING SYSTEM WHERE THE SYSTEM CONTROLS ARE SATISFACTORY.

The personnel department sets the compensation rate and starts the payroll record-keeping process, which is a great indicator of segregation of duties.

After each weekly payroll processing, a backup of the master file is made.

V. Evaluation of Controls

Gaurav Mirchandaniis is the warehouse manager for a large office supply wholesaler. Mirchandaniis receives two copies of the customer sales order from the sales department. He selects the goods from the shelves and sends them and one copy of the sales order to the shipping department. He then files the second copy in a temporary file. Mirchandaniis retrieves the sales orders from the temporary file and updates the inventory subsidiary ledger from a terminal in his office. At that time, he identifies items that have fallen to low levels, selects a supplier, and prepares three copies of a purchase order. One copy is sent to the supplier, one is sent to the accounts payable clerk, and one is filed in the warehouse. When the goods arrive from the supplier, Mirchandaniis reviews the attached packing slip, counts and inspects the goods, places them on the shelves, and updates the inventory ledger to reflect the receipt. He then prepares a receiving report and sends it to the accounts payable department.

A. IDENTIFY ANY CONTROL PROBLEMS IN THE SYSTEM.

The control problem in the system of the wholesaling business is within its physical controls, specifically the lack of segregation of duties. As observed, the same person, the warehouse manager, has control over the different processes involved in the selling and purchasing of office supplies. He performs the custodian function for the assets and documents and is also responsible for updating the inventory subsidiary ledgers. The authorization process, which is supposed to be a good control to prevent fraud and conflicts, is also not present. He is also the person deciding what to purchase and at the same time the one placing the order. Given that the company is small, division of roles is unlikely, but at the very least, the company should hire or assign other employees to take over the warehouse manager's other responsibilities. The asset custody function should be separate from recordkeeping, and the authorization process must also be included in the system. Moreover, supervision and monitoring is the alternative internal control in the absence of adequate segregation of duties.

B. WHAT SORTS OF FRAUD ARE POSSIBLE IN THE SYSTEM?

Due to the lack of segregation of duties in the sales and purchasing systems, inventory fraud is possible, especially when employees are unethical or experiencing situational pressures. Depending on the situation, the perpetrator could commit the crime by himself or by conspiring with other employees or the supplier. Various frauds could take advantage of the weak internal control of the business for personal benefit.

First, the theft of inventories and subsequently selling them to other parties. Since the warehouse manager has control over the said assets, if theft happened, it would be easy for him to conceal his crime and avoid detection. It could include the manipulation of records, which is the second fraud that could occur. The warehouse custodian is responsible for recording in the inventory subsidiary ledger, which he can easily falsify. The third fraud would be billing schemes that require the involvement of other employees or departments, such as sales, shipping, and the accounts payable clerk. They would create a false supplier to deceive and carry out schemes such as issuing invoices for fictitious goods and making personal purchases. At the end of the day, whatever fraud occurred, it will be the company that suffers, especially if the value and amounts are material.

Matt Demko is the loading dock supervisor for a dry cement packaging company. His work crew is composed of unskilled workers who load large transport trucks with bags of cement, gravel, and sand. The work is hard, and the employee turnover rate is high. Employees record their attendance on separate time cards. Demko authorizes payroll payments each week by signing the time cards and submitting them to the payroll department. Payroll then prepares the paychecks and gives them to Demko, who distributes them to his work crew.

A. IDENTIFY ANY CONTROL PROBLEMS IN THE SYSTEM.

The control problem present is the same as in the case of the office supply wholesaler above. The dry cement packaging company also has inadequate segregation of duties; the difference from the former is that it has an authorization process. Nevertheless, it can be noticed that there was no separation between the authorization function and asset custody. The supervisor is responsible for signing the time cards as well as submitting them to payroll. Afterward, he receives the paychecks and distributes them to the respective workers. As much as possible, these functions should be assigned to different employees to mitigate risks and avoid fraud.

B. WHAT SORTS OF FRAUD ARE POSSIBLE IN THE SYSTEM?

The inadequacy in the separation of duties could give the supervisor and other employees an opportunity for unethical actions. The first fraud that could occur is data tampering in the time cards. It could be done solely by Demko or with the participation of the workers. As can be recalled, the computation of wages is based on working hours. Thus, the perpetrator(s) could increase the number of hours worked written on the time card, especially if the recording is done manually. The extra money received from the misstatement will be pocketed by the culprits. The second fraud that could happen is done by the supervisor alone. As mentioned, the employee turnover rate is high, which means that many employees often leave the company. Demko could take advantage of this by continuing to submit the time cards of workers who have already quit. To prevent these schemes, it is suggested to adopt electronic devices for recording the attendance of the workers and to assign another person to handle the distribution of paychecks.
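
Both payroll schemes described for the loading dock leave traces that payroll can test for before printing checks. The following is an added example, not part of the original case study: it assumes the electronic attendance device the answer recommends exists, and the employee ids, field names, dates and hours are constructed.

```python
from datetime import date, timedelta

# Constructed personnel records: employee id -> termination date
# (None means still employed). Maintained by personnel, not by the supervisor.
PERSONNEL = {
    "E101": None,
    "E102": date(2024, 3, 1),
    "E103": None,
}

# Constructed time cards as received by payroll. "clock_hours" is the total
# from the electronic attendance device; None means the device has no record
# for that employee in that week.
TIME_CARDS = [
    {"emp": "E101", "week_ending": date(2024, 3, 15), "card_hours": 40.0,
     "clock_hours": 40.0, "approved_by": "Demko", "checks_handed_to": "Demko"},
    {"emp": "E102", "week_ending": date(2024, 3, 15), "card_hours": 40.0,
     "clock_hours": None, "approved_by": "Demko", "checks_handed_to": "Demko"},
    {"emp": "E103", "week_ending": date(2024, 3, 15), "card_hours": 52.0,
     "clock_hours": 44.5, "approved_by": "Demko", "checks_handed_to": "Demko"},
]


def review_time_cards(cards, personnel, tolerance_hours=0.25):
    """Return (employee id, finding code) pairs for cards needing follow-up."""
    findings = []
    for card in cards:
        emp = card["emp"]
        week_start = card["week_ending"] - timedelta(days=6)

        # Card submitted for someone personnel does not know, or who left
        # before the pay period began (the terminated-worker scheme).
        if emp not in personnel:
            findings.append((emp, "NOT_IN_PERSONNEL_RECORDS"))
        else:
            left_on = personnel[emp]
            if left_on is not None and left_on < week_start:
                findings.append((emp, "TERMINATED_BEFORE_PERIOD"))

        # Hours written on the card versus the independent attendance record
        # (the inflated-hours scheme).
        clock = card["clock_hours"]
        if clock is None:
            findings.append((emp, "NO_ATTENDANCE_RECORD"))
        elif card["card_hours"] - clock > tolerance_hours:
            findings.append((emp, "HOURS_EXCEED_ATTENDANCE_RECORD"))

        # Authorization and custody held by the same person.
        if card["approved_by"] == card["checks_handed_to"]:
            findings.append((emp, "APPROVER_ALSO_DISTRIBUTES_CHECK"))
    return findings


if __name__ == "__main__":
    for emp, code in review_time_cards(TIME_CARDS, PERSONNEL):
        print(emp, code)
```

The first two checks only work because their reference data (termination dates, device totals) comes from sources the supervisor does not control.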