0 evaluări0% au considerat acest document util (0 voturi)
560 vizualizări40 pagini
Internal control is a process$ effected by an entity&s board of directors$ management and other personnel. #nternal control is geared to the achievement of ob'ectives in one or more separate but overlapping categories. COSO established a common internal control model that is used by large and small reporting entities.
Internal control is a process$ effected by an entity&s board of directors$ management and other personnel. #nternal control is geared to the achievement of ob'ectives in one or more separate but overlapping categories. COSO established a common internal control model that is used by large and small reporting entities.
Internal control is a process$ effected by an entity&s board of directors$ management and other personnel. #nternal control is geared to the achievement of ob'ectives in one or more separate but overlapping categories. COSO established a common internal control model that is used by large and small reporting entities.
DESIGNING INTERNAL CONTROL SYSTEMS FOR SMALLER ENTITIES
By Larry L. Perry, CPA
CPA Firm Support Servie!, LLC LEARNING OB"ECTI#ES Understand the fundamental concepts and the components of internal control. Be able to design and operate effective accounting and internal control systems for smaller entities. Learn to prepare flowcharts effectively and efficiently T$E FO%NDATION OF INTERNAL CONTROL The Committee of Sponsoring Organizations of the Treadway Commission COSO! is a voluntary private"sector organization established in the United States. #t is dedicated to providing guidance on organizational governance$ business ethics$ internal control$ enterprise ris% management$ fraud and financial reporting. COSO established a common internal control model that is used by large and small reporting entities. COSO defines internal control as a process$ effected by an entity&s board of directors$ management and other personnel. This process is designed to provide reasonable assurance regarding the achievement of ob'ectives in effectiveness and efficiency of operations$ reliability of financial reporting$ and compliance with applicable laws and regulations. The COSO framewor% involves several %ey concepts( ). #nternal control is a process. #t is a means to an end$ not an end in itself. *. #nternal control is not merely documented by policy manuals and forms. +ather$ it is put in by people at every level of an organization. ,. #nternal control can provide only reasonable assurance$ not absolute assurance$ to an entity&s management and board. -. #nternal control is geared to the achievement of ob'ectives in one or more separate but overlapping categories. A $i!toria& Per!petive o' I(ter(a& Co(tro&! The Committee of Sponsoring Organizations COSO! of the .ational Commission on /raudulent /inancial +eporting Treadway Commission! issued its first report in )012 stressing the importance of internal control$ the control environment$ codes of conduct$ audit committees and internal audit functions. #n )00*$ a tas% force of COSO issued a report entitled Internal ControlIntegrated Framework$ called the COSO +eport. 3mong other things$ the COSO +eport defines internal control and its components and provides criteria for evaluating internal control. The report presents these interrelated components of internal control( ) Co(tro& E(viro(me(t)The core of any business is its people and the environment in which they operate. The tone at the top$ i.e.$ management&s attitudes$ values and behaviors$ provides the control environment for other employees. Ri!* A!!e!!me(t)The entity must be aware of and deal with the ris%s it faces4 identifying the ris% of error or fraud and implementing corrective actions is the primary responsibility of management. Co(tro& Ativitie!)Control policies and procedures must be designed and operated to address ris%s to the achievement of the entity&s ob'ectives. I('ormatio( a(+ Commu(iatio()These systems enable the entity&s people to obtain and use information necessary to conduct$ manage and control operations. Mo(itori(,)The internal control process must be monitored and changed by management as circumstances and conditions necessitate. #n *5),$ COSO updated and issued Internal ControlIntegrated Framework. The updated report did not change to basic components of internal control but$ among other clarifying issues$ the /ramewor% sets out seventeen principles for applying these components. These principles from COSO&s report are presented below as they apply to these components. Co(tro& E(viro(me(t ). The organization demonstrates a commitment to integrity and ethical values. *. The board of directors demonstrates independence from management and e6er" cises oversight of the development and performance of internal control. ,. 7anagement establishes$ with board oversight$ structures$ reporting lines$ and appropriate authorities and responsibilities in the pursuit of ob'ectives. -. The organization demonstrates a commitment to attract$ develop$ and retain com" petent individuals in alignment with ob'ectives. 2. The organization holds individuals accountable for their internal control responsibilities in the pursuit of ob'ectives. Ri!* A!!e!!me(t 8. The organization specifies ob'ectives with sufficient clarity to enable the identification and assessment of ris%s relating to ob'ectives. 9. The organization identifies ris%s to the achievement of its ob'ectives across the entity and analyzes ris%s as a basis for determining how the ris%s should be managed. 1. The organization considers the potential for fraud in assessing ris%s to the achievement of ob'ectives. 0. The organization identifies and assesses changes that could significantly impact the system of internal control. Co(tro& Ativitie! )5. The organization selects and develops control activities that contribute to the miti" gation of ris%s to the achievement of ob'ectives to acceptable levels. * )). The organization selects and develops general control activities over technology to support the achievement of ob'ectives. )*. The organization deploys control activities through policies that establish what is e6pected and procedures that put policies into action. I('ormatio( a(+ Commu(iatio( ),. The organization obtains or generates and uses relevant$ :uality information to support the functioning of internal control. )-. The organization internally communicates information$ including ob'ectives and responsibilities for internal control$ necessary to support the functioning of internal control. )2. The organization communicates with e6ternal parties regarding matters affecting the functioning of internal control. Mo(itori(, Ativitie! )8. The organization selects$ develops$ and performs ongoing and;or separate evaluations to ascertain whether the components of internal control are present and functioning. )9. The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for ta%ing corrective action$ including senior management and the board of directors$ as appropriate. #nternal control is always relevant to the nature$ size and comple6ity of a reporting entity. Smaller entities will ordinarily have more informal controls that are carried out by one or a few persons. <hile the basic components of internal control should be present in small" and medium"size entities$ the )9 principles will ordinarily be sub'ectively included in an entity&s design and operation of internal controls. =enerally$ internal controls over financial reporting include those that are designed to ma%e sure financial data is recorded$ processed$ summarized and reported consistent with management&s representations assertions! in financial statements. 7anagement of an entity has the primary responsibility for internal control. 3n auditor&s responsibilities include the evaluation of whether the five components are designed and operating effectively$ given the nature$ size and comple6ity of the entity. Ma(a,eme(t-! Co(tro& O./etive! 3n entity&s internal control system provides the machinery used by management to accomplish these basic ob'ectives( >ffectiveness and efficiency of operations?basic business ob'ectives$ profitability goals and safeguarding of assets and other resources. +eliability of financial reporting?preparation of accurate financial statements. Compliance with laws and regulations?all to which the entity is sub'ect. , %(+er!ta(+i(, t0e Compo(e(t! o' I(ter(a& Co(tro& T0e To(e at t0e Top a(+ Bottom1 The control environment sets the tone of any organization$ i.e.$ causes its people to be conscious of the importance of the entity&s system of internal control. #t is the foundation for application of all other components of internal control. /or small entities$ the character and behavior of the person having top financial responsibility for the entity$ e.g.$ an owner or manager$ sets the tone for employees to follow. /or larger entities$ management personnel at various levels are also the primary influence on the control environment. #n all cases$ it&s what management does$ not what they say$ that directs employees& behavior. The operating philosophies and style of management$ their delegation of responsibility and authority$ their emphasis on developing and guiding employees and their utilization of input from persons charged with governance defines what employees do. T0e Importa(e o' De!riptive C0art! o' Aou(t! a(+ Bu+,eti(, Co(tro&!1 3 comprehensive chart of accounts is the foundation of the financial reporting process. @esigned to guide the authorization$ initiation$ classification$ recording and summarizing of transactions$ it is most effective when it includes descriptions of the activity that may be recorded in each account. The chart of accounts should include accounts in all functional$ departmental and;or 'ob classifications. #t should also be designed to facilitate budget preparation and monitoring as part of an entity&s internal control system. Budgets may be prepared using a base line$ such as the prior year&s operations$ or they may be zero based$ that is built from the ground up. <hichever method is used$ participation by department heads and other operating personnel is essential for producing effective budgets. The final review and approval responsibility for budgets should rest with persons charged with governance of the organization. To provide value$ the budget should be compared to actual results on a periodic basis by management and other persons charged with governance$ usually monthly. Unusual or une6pected variances from budgeted amounts should be considered and corrective actions implemented when necessary. 3 budget should be designed for use also based on an entity&s nature$ size and comple6ity. 3 medium"size church employed an e6ecutive pastor that was formerly a chief financial officer for a public company. Ae spent most of his time micro"managing wee%ly budgets for department heads. Using a report from the church&s accounting software$ the e6ecutive pastor met with department heads wee%ly to discuss their budget status. Over e6penditures were met with severe cutbac%s in planned future e6penditures. Under e6penditures resulted in reductions of monthly or annual budgeted amounts. <hile this micro"management significantly strengthened the church&s internal control system$ its cost was high$ too high for the size of this organization. The practical side of - internal control is that the cost of operation of a control activity should result in benefits appropriate for the nature$ size and comple6ity of the organization. <hile properly prepared and monitored budgets can significantly improve a small entity&s internal controls$ their use should provide benefits commensurate with the cost of preparation and monitoring. Li%e the design and operation of internal control procedures$ benefits must be measured in terms of the relative costs of implementation and maintenance. T0e Importa(e o' a Co+e o' Co(+ut1 <hile smaller entities don&t normally have a written code of conduct$ larger organizations are establishing these codes. Bublically"held companies$ issuers under the Sarbanes" O6ley 3ct$ are re:uired to establish and communicate codes of conduct. Other privately" held companies$ non"issuers$ are also creating codes of conduct as part of their control environment. <hether written or communicated informally$ a code of conduct defines behavior e6pectations for both management and other employees. <hile such codes do not prevent inappropriate behavior or fraud$ they do provide employees with legal and ethical standards that will influence their performance and commitment to the entity&s system of internal control. 3n entity&s code of conduct will ordinarily include these sections( Use of company assets and resources for business and not personal use Use of telephones$ email and the internet 3voiding actual and potential conflicts of interest Brotecting the company&s confidential information 7aintaining complete and accurate accounting records #nvestigating and reporting any accounting$ auditing and disclosure concerns +etaining and disposing of records and documents Brohibiting discrimination and harassment Brohibiting use of alcohol and illegal drugs Complying with laws$ rules and regulations Brotecting intellectual property and using copyrighted materials =iving and receiving gifts$ meals$ services and entertainment Understanding disciplinary actions for code violations +eporting concerns and code violations T0e E(tity-! Ri!* A!!e!!me(t Proe!!1 +is%s at the entity level may come from e6ternal factors such as changes in technology$ customer&s needs$ competition$ regulations or laws and the economy. 3t the entity level$ ris%s also arise from internal factors such as information systems failures$ personnel 2 practices affecting the :uality of employees$ access to assets and the susceptibility of an entity&s operations to fraud. 3t the activity level$ ris% assessment involves business operations and financial reporting. 3nalyzing operational reports$ financial and non"financial data and observations of employees& activities may bring ris%s to management&s attention. Co(tro& Ativitie!1 Control activities that are established in response to perceived ris%s relate to management&s representations assertions! in the entity&s financial statements. The assertions from section 3U"C ,)2 of the 3uditing Standards Board Clarified 3uditing Standards can be synthesized and organized in this way( Completeness Occurrence and cut"off Caluation and accuracy >6istence +ights Obligations @isclosure and Bresentation 3n entity&s financial reporting and internal control systems should result in financial statement classifications that are appropriate and reasonable. 2ey or E(tity3Leve& Co(tro&! Dey controls are those elements of the five components of internal control that have a pervasive affect upon the accomplishment of management&s control ob'ectives. /or smaller entities$ %ey controls are normally performed at the entity level$ although some may e6ist at the activity level. #llustrated in the accompanying Small Audits Internal Control Questionnaire (SAICQ), these controls may be informal and ordinarily carried out by one or a few persons such as an owner;manager. The design and operation of these %ey controls can prevent material misstatements due to error or fraud from occurring and going undetected. <hen these circumstances e6ist$ even a small entity can have a good internal control systemE
Components of %ey controls for both large and small entities are( 7anagement&s integrity and ethical values. 7anagement&s commitment to doing things right. 7anagement&s ways of doing things. The involvement of persons charged with governance. The delegation of authority and responsibility. Bersonnel policies and procedures. 8 Ativity3Leve& Co(tro&! The COSO +eport states that control activities are the policies and procedures established to help ensure that management directives are carried out and that management&s ob'ectives are accomplished. The %ey controls described above are primary to accomplishing these ob'ectives. 3bsent the design of %ey controls$ or when %ey controls are designed but not operating$ activity"level controls may be necessary to prevent misstatements from occurring and going undetected. These controls may be applied through features in an accounting software system$ by personnel while performing accounting procedures or by the design of documents or data. The S3#CF mentioned above also illustrates the activity"level controls for the financial statement classifications of a small entity. #f %ey controls are not designed or operating$ certain activity"level controls may prevent errors from occurring and going undetected. I('ormatio( a(+ Commu(iatio(1 Comprising the nature of internal information produced and distributed by an entity$ this component is intended to enable management and others to operate$ manage and control the entity&s business. #t is also intended to provide employees an understanding of financial reporting and safeguarding controls and their operations. /or larger entities$ communication may ta%e the form of policy and procedure manuals$ instructional memos and oral communications. /or smaller entities$ communication will often be verbal$ face to face and directed by the owner or a manager. Communications may also involve outside parties such as auditors$ customers and vendors. These communications may provide information that can lead to identifying deficiencies in internal control. Mo(itori(,1 The monitoring component is intended to cause management to assess the design and operating effectiveness of the entity&s system of internal control on a short and long"range basis. 7onitoring can be performed on an on"going basis or be performed on separate occasions. 7onitoring is the evaluation the effectiveness of other internal control components and how well management&s and other employees& duties are being performed. 7onitoring in small entities normally consists of the day"to"day observations of an owner or manager. Speia& I!!ue! 'or Sma&& E(titie! 3s discussed above$ the owner or manager of a small entity is that entity&s control environment. #f he or she has good character$ is committed to performing %ey controls and is diligent in carrying out day"to"day responsibilities$ it is possible for a small entity 9 to have a good system of internal control. On the other hand$ an ineffective owner;manager may increase the ris% of material misstatements at both the financial statement and assertion levels. Boards of directors for small entities$ especially non"profit organizations$ may not be %nowledgeable of business operations$ accounting and ta6 activities or internal control over financial reporting. #n such cases$ the caliber of the owner or manager will be even more important in preventing errors from occurring and going undetected. 3 %nowledgeable board$ on the other hand$ can serve to reduce the ris% of material misstatement when the owner or manager&s capabilities are not strong. 3n informal organization structure of a small entity may result in control deficiencies due to a lac% of segregation of duties in operations and accounting. Because employees may be trained to perform many different functions$ the resources and accounting records could be at ris% of misstatement due to error or fraud. Aighly effective %ey controls at the entity level would be necessary to mitigate these ris%s. 7any of the %ey controls performed by an owner or manager depend on the physical presence of the person. Brolonged absences from the wor% place by the owner or manager decrease the effectiveness of %ey controls and increase the ris% of material misstatements. Ca( a Sma&& E(tity $ave Goo+ I(ter(a& Co(tro&!4 3s discussed above$ the owner or manager C>O$ director$ superintendent$ C/O or other top financial authority! has primary responsibility for the design and operation of internal controls. 7ost of the %ey controls will be informal and they will be performed by the owner or manager. #t is the commitment to accurate financial reporting and the diligence of the responsible person that primarily affects the ris% of material misstatements in financial statements. COSO has recognized that small entities can have good internal controls$ although they will li%ely be informal and carried out by one or a few persons. The design and operation of %ey controls can prevent material misstatements due to error or fraud from occurring and going undetected. So to answer the marginal :uestion above$ effectively designed and operating informal %ey controls may result in a good internal control system for smaller entities. %!i(, a Sma&& Au+it! I(ter(a& Co(tro& 5ue!tio((aire The accompanying Small Audits Internal Control Questionnaire is designed to assist management in formulating an internal control system and to be used on small audits to document internal control and assess control ris%. #t also is a source for identifying control deficiencies by management and auditors. A( Overvie6 o' F&o60art Preparatio( 1 #nformation for preparing flowcharts is usually based on the %nowledge of the top financial authority of an entity. 3dditional information may be obtained by interviewing persons responsible for procedures$ ma%ing in:uiries of each person responsible for document preparation and tracing all documents through the processing procedures. The accompanying Flowcharting Guide can facilitate the flowchart drafting process$ whether in hardcopy or electronic format. The overall ob'ective of flowchart preparation is to produce a complete and understandable flowchart. Aere are some basic rules( Leave two to three inches on the left of the page open for comments. Begin at the upper"left corner and draw down and;or to the right. Show the source and use of every document. Use G%eysH within symbols for footnotes or drop"down bo6es to describe documents. Use a separate memo or drop"down bo6 on the flowchart to e6plain any information that is not self"e6planatory. The flowchart should be divided into columns to separate people or departments with specific areas of responsibility. Use directional arrows only if the information flow contradicts a normal pattern. 3void cross lines of data"flow. /ollowing are some steps to facilitate flowchart preparation( ). @efine the transaction cycle$ system or process to be flowcharted cash receipts or disbursements$ sales$ payroll$ etc.! *. Layout the columns of the flowchart to show the flow of information through the system or process. Consider roughing out the flow of documents and information %nown to you. ,. #nterview accounting personnel using an S3#CF$ Flowcharting Guide or other reference material to gather information. -. @raw or complete the flowchart while interviewing accounting personnel if possible!. 2. Berform a systems wal%"through procedure to verify the accuracy of the flowchart and ma%e a preliminary identification of potential ris%s of material misstatements. 8. Transfer potential ris%s to a control deficiencies wor%sheet for consideration of offsetting %ey controls and a determination of deficiencies. /ollowing are three illustrative flowcharts for common transactions cycles that could be used to identify ris%s by financial statement classification( 0 )5 )) )* DESIGNING COST3EFFECTI#E INTERNAL CONTROL SYSTEMS FOR SMALLER ENTITIES C0arateri!ti! o' Sma&&er E(titie! COSO has led the way to designing cost"effective internal control systems for smaller public companies by the guidance it published in *558. This guidance for smaller public companies presents a pattern for smaller non"public entities as well. Common characteristics for smaller entities include( /ewer lines of business$ fewer products and limited purposes$ particularly for non"profit organizations. 7anagement personnel usually have significant e:uity interests. 7anagement personnel normally have broader responsibilities and control. 3ccounting systems are generally less comple6 than for larger entities. 3ccounting personnel are generally few in number and often have wide ranges of duties. Limited resources often results in lesser :ualified staff persons and fewer consultations with legal and other e6perts. C0a&&e(,e! a(+ Di''iu&tie! These common characteristics create difficulties in designing cost"effective internal control systems. Aere are some of the effects( Segregation of incompatible duties is limited. 7anagement personnel have increased opportunities for override of internal controls. /inding :ualified persons to serve on boards of governance is difficult. Airing and retaining :ualified accounting personnel is a challenge. 3 lac% of resources to maintain appropriate control over #T systems often results in using out"of"the bo6 software that often doesn&t meet all the entity&s needs. #n spite of these challenges$ a smaller company can design and operate an effective internal control system. 3 brief discussion of some of the ways this can be done follows in the ne6t section. E''etive&y De!i,(e+ I(ter(a& Co(tro& Sy!tem! 7. Over!i,0t .y a( o6(er or ma(a,er. The in"depth %nowledge of business and accounting operations by an owner or manager$ and his;her daily presence and oversight of company personnel$ are %ey controls in the entity&s control environment. @iligent performance of %ey controls can also greatly increase the reliability of the entity&s financial reporting process. Since the owner or manger ), generally has an e:uity or compensation interest$ the li%elihood of management override of internal controls is diminished. 8. E''etive .oar+ o' ,over(a(e. Since smaller companies or non"profit organizations ordinarily have less comple6 business structures$ persons charged with governance can have a greater %nowledge of the entity&s activities. This can enable these persons to more effectively accomplish their governance responsibilities. 9. Overomi(, t0e &a* o' !e,re,atio( o' +utie!. Dey controls carried out by management personnel at the entity or activity level can offset the control ris%s from the lac% of segregation of duties. The COSO +eport suggests these %ey controls( a. +eviewing system reports of detailed transactions. .. Selecting transactions for review of supporting documents. . Overseeing periodic counts of physical inventory$ e:uipment or other assets and comparing them with accounting records. +. +eviewing reconciliations of account balances or performing them independently. :. Limiti(, ri!*! a!!oiate+ 6it0 t0e IT !y!tem. <hile using out"of"the"bo6 software can limit the information available for management&s use$ many of the ris%s associated with mid"tier$ user"modifiable systems can be avoided. Standardized reports and reporting formats$ password and processing controls and other application controls can prevent errors from occurring and going undetected. ;. Mo(itori(, o(tro& ativitie!. 7onitoring in small entities is normally the responsibility of an owner or manager. Berforming daily Gwal%"aroundH controls provides feedbac% on the effectiveness of accounting$ internal control$ and operational systems. #n *550$ COSO published its Guidance on Monitoring Internal Control Sstems. This guidance suggests that monitoring for all entities should be based on these three broad elements( a. >stablishing a foundation for monitoring$ including a! a proper tone at the top4 b! an effective organization structure that assigns monitoring roles to people with appropriate capabilities$ ob'ectivity and authority4 and c! a starting point or GbaselineH of %nown effective internal control from which ongoing monitoring and separate evaluations can be implemented4 .. @esigning and e6ecuting monitoring procedures focused on !ersuasi"e in#ormation about the operation of ke controls that address meaning#ul risks to organizational ob'ectives4 and . 3ssessing and reporting results$ which includes evaluating the severity of any identified deficiencies and reporting the monitoring results to the appropriate personnel and the board for timely action and follow"up if needed. <. A0ievi(, 'urt0er e''iie(ie!. The COSO +eport identifies other opportunities to design effective and efficient internal control systems( a. By focusing on the ris%s related to managements& ob'ectives$ a ris%"based approach to designing internal controls systems will consider what could go wrong in the financial reporting process. Using lists of controls that are )- tailored to the nature$ size and comple6ity of an entity and the ob'ectives of its management will facilitate the identification of Gwhat could go wrong.H .. @ocumentation of internal control policies and procedures will also vary with the nature$ size and comple6ity of an entity. Smaller entities normally have informally designed and communicated internal controls. #n other words$ there normally are no policies and procedures manuals$ systems flowcharts$ organization charts and 'ob descriptions. <ith fewer people and levels of management$ more fre:uent contact by an owner or manager enables communication of the informal policies and procedures. . Some documentation of accounting and internal control procedures is ordinarily necessary to demonstrate transaction processes are occurring and being recorded properly. @etermining that all shipments are billed$ that billings only occur after shipments are made and that ban% accounts are being reconciled are e6amples of such procedures. Dey controls performed by owners or managers of small entities should include periodic inspections of records sufficient to determine transactions are being recorded properly. INTERNAL CONTROLS AND FRA%D PRE#ENTION 7uch has been written about forensic accounting and fraud. There are three ma'or categories of fraud that commonly affect entities( 7. Mi!repre!e(tatio(! i( 'i(a(ia& reporti(,. These include intentional misstatements of amounts or disclosures in financials statements that are intended to mislead users of the statements. 8. Mi!appropriatio( o' a!!et!. Theft of an entity&s assets by employees or others is the most common form of misappropriation. /inancial records are usually altered to conceal a theft of assets. 9. E=ter(a& 'rau+!. Bersons outside an entity are normally responsible for e6ternal frauds$ although there may be collusion with certain employees. /inancial gain is the normal motivation. /or small entities$ misappropriation of assets is the most common type of fraud. The Gfraud triangleH contains three factors that indicate circumstances that can cause a person to misappropriate assets and misstate records to conceal the theft( 7. I(e(tive! or pre!!ure! to ommit 'rau+. +easons to commit frauds may include financial pressures such as a spouse out of wor%$ a divorce or separation or the failure of a personal business. 8. Opportu(itie! to ommit 'rau+. #neffective internal controls$ the opportunities and li%elihood for management personnel to override internal controls$ and decentralized operations and accounting are e6amples of circumstances that create opportunities to commit fraud. )2 9. Attitu+e! a(+ ratio(a&i>atio(! 'or ommitti(, 'rau+. Iustifying the fraud because the perpetrator is not paid what he;she is worth or rationalizing that everyone does it are e6amples of a fraudster&s attitudes. FRA%D PRE#ENTION @esigning and operating anti"fraud programs is the responsibility of management and can result in reductions in opportunities for employees to commit fraud. Auman resource policies such as drug tests$ credit chec%s and bac%ground chec%s for prospective employees help eliminate candidates with higher tendencies to commit fraud. Deys controls diligently carried out by owners$ managers or other authorized individuals are also primary means of preventing or reducing the occurrence of asset misappropriation. /raud detection may occur as %ey controls are performed. #n addition$ analytical procedures performed by comparing operating results among periods or by ma%ing calculations using non"financial data can reveal discrepancies. /or e6ample$ an auto parts store discovered a J25$555 fraud perpetrated by a sales cler% when a new software program identified the number of refund slips issued by each cler% on a periodic basis. #n another case$ the C/O of a transportation company compared the miles per gallon of gasoline on trips for each driver and discovered a driver storing and selling gasoline on the side. /raud detection may also occur in anti"fraud programs carried out physically such as lunch bo6 searches at a small tool manufacturing plant or electronic security scanners at e6its from the plant of a computer components manufacturer. A Co(tro& De'iie(ie! ?or*!0eet 3 control deficiencies wor%sheet can facilitate documentation of the evaluation of e6isting internal controls. #t also can be used to identify e6isting deficiencies and the design of additional controls to prevent ris%s from occurring and going undetected. 3 control deficiencies wor%sheet should have at least these column headings( #nternal control deficiency @esign or operating deficiency Offsetting %ey controls /ollowing is an illustrative #nternal Control @eficiency <or%sheet that contains hypothetical information from a small entity to illustrate the internal control design process. @eficiencies identified on this wor%sheet could have been obtained by completing an S3#CF or by preparing a flowchart for ma'or transactions cycles. )8 CPA PRACTICE AIDS, LLC INTERNAL CONTROL DEFICIENCY WORKSHEET ENTITY NAME: ____________________________ DATE:_____________________________ DESCRIBE CONTROL DEFICIENCY WHAT COULD GO WRONG? PREVENTIVE CONTROLS CASH: 1. No s!"!#$%o& o' ()$%s #*o&! o+, *-.o/s, 1. A.. *-.o/s 0#1 #,,ss $o ,#s0 1. O2 s%$ o3&" "1%3s 34./: *#&#!", 5oo44-", #&( ,."4. #&( ",%1#5.s ",o"(s6 ,o).( s$#. #. R1%3s ,o-%s o' s#.s %&1o%,s 7. O1" ,o)&$" #&( *#%. ",%-$s ",%1( 5/ #.. *-.o/s. ,#s0 #&( -os$ ,"(%$s $o ,)s$o*" o" 5. I&s-,$s ,0,4 ,o-%s #&( %&1o%,s 8. O1" ,o)&$" s#.s *#( 5/ #.. o+, *-.o/s. .#- ,)s$o*" -#/*&$s. ,. R1%3s -#/"o.. 9o)"&#.s :. Boo44-" #&( ,."4 5o$0 -os$ #,,o)&$s ",%1#5. 7. Boo44-" ,o).( ,o1" $0'$ 5/ (. R1%3s ,)s$o*" #&( 1&(o" ",o"(s. *#&%-).#$%&! 5#&4 ",o&,%.%#$%o&s o" #,$%1%$/ "-o"$s ;. Boo44-" -os$s !&"#. .(!" #&( -"-#"s 3"%$%&! o2 ,)s$o*" 5#.#&,s. 7. CPA <"* (s%!&( #,,o)&$%&! #&( (.%1"s (-os%$s $o 5#&4. 8. M#&#!" 0#s #,,ss $o so'$3#", -"o,()"s #&( o3&"=s 4/ ,o&$"o.s >. M#&#!" s%!&s -#/"o.. #&( o-"#$%&! ,0,4s. ,o).( 3"%$ #&( s%!& ,0,4s $o s.'. 8. CPA <"* ,o&$"o.s #.. ?)%,4Boo4s -#ss3o"(s, #,,o)&$s 'o" -"@ &)*5"( ,0,4s #&( s#.s %&1o%,s, "1%3s s#.s %&1o%,s #&( ,0,4 s)--o"$, *#%&$#%&s -"so&#. <.s, -"-#"s -#/"o.. "-o"$s, #(9)s$s #&( ,.oss *o&$0./ ",o"(s. :. CPA <"* -"-#"s *o&$0./ <&#&,%#.s 'o" o3&"=s "1%3 ACCOUNTS RECEIVABLE: 1. No s!"!#$%o& o' ()$%s. A.. o+, -"so&&. ",%1s 1. C)s$o*" -#/*&$s ,o).( 5 1. S#* #s #5o1. -#/*&$s %& *#%. #&( o1" ,o)&$". ",%1( #&( *%s#--"o-"%#$(. 7.Boo44-" *#4s (-os%$s #&( -os$s #,,o)&$s 7. L#--%&! ,o).( o,,)". ",%1#5. ",o"(s. 8. A,,o)&$ 5#.#&,s #&( %&1o%,s 8.AR ,."4 ",%1s ,#s0, -os$s #,,o)&$s ",%1#5. ,o).( 5 3"%$$& o2 3%$0o)$ #)$0o"%A#$%o&. ",o"(s #&( *#4s (-os%$s. :. U&#)$0o"%A( s#.s ,o).( 5 *#( :.C"(%$ **os &o$ )s( $o s)--o"$ ,"(%$s $o ,)s$o*"s #,,o)&$s. #&( -"o(),$s s0%--( 3%$0o)$ ",o"(%&!. ;.Y#"( 'o"*#& s0%-s 5#s( o& s#.s %&1o%,s. A.. o+, -"so&&. ,#& %&%$%#$ s#.s %&1o%,s. )9 INVENTORY: 1. No (o,)*&$s o" ",o"(s #" *#%&$#%&( $o ,o&$"o. 1. E*-.o/ o" ,)s$o*" $0'$ ,o).( W"%$$& %&s$"),$%o&s #" -"-#"( 5/ %&1&$o"/ %$*s B-",#s$ ,o&,"$ 5.o,4sC. o,,)". $0 'o"*#& 'o" ,o)&$%&! %&1&$o"/. 7. Y#"( %s o-& ()"%&! $0 (#/ 30%. *-.o/s #" 7. S#.s ,o).( 5 *%ss( 5,#)s o' E*-.o/s #$$&( # $"#%&%&! *$%&! 3o"4%&! 5)$ o'$& &o o& %s -"s&$ %& $0 /#"(. I$ %s %&s)+,%&$ D)#&$%$%s o& 0#&(. o& 0o3 $o ,o)&$. T0 *#&#!" %s .o,4( #$ &%!0$. 8. W%$0 &o %$* ",o"(s *#%&$#%&(, -"s&$ #&( s)-"1%ss $0 ,o)&$, 8. I&1&$o"%s #" -0/s%,#../ ,o)&$( o&./ o&, # /#"6 D)#&$%$%s o' ,"$#%& %$*s 5%&! %&,.)(%&! $s$%&! *-.o/=s ,o)&$s. *#&#!" /@5#..s D)#&$%$%s $o ,o&$"o. -"o(),$%o&. -"o(),( ,o).( 5 )&&,ss#"/ T0 *#&#!" -.#,s #&( -%,4s )- #.. ,o)&$ s0$s. FIEED ASSETS: 1. No ($#%.( s)5@.(!" *#%&$#%&(. 1. Loss o" $0'$ o' #ss$s. S ,#s0 s,$%o&. 7. No &)*"%,#. ,o&$"o. o' <F( #ss$s %s %& -.#,. 7. Ass$s ,o).( 5 -)",0#s( #&( 8. Boo44-" *#%&$#%&s (-",%#$%o& s,0().. ,o&1"$( $o -"so&#. )s. :. No 4/ ,o&$"o.s o1" #,,o)&$%&! o" s#'!)#"(%&! <F( #ss$s. ACCOUNTS PAYABLE: 1. A&/ o+, *-.o/ ,#& o"(" s)--.%s o" "#3 1. Co&1"$%&! -)",0#ss $o -"so&#. S ,#s0 s,$%o&. *#$"%#.s. )s. 7. No -)",0#s o"("s %& )s. O+, *#&#!" %&%$%#.s 7. W"%$%&! )&#)$0o"%A( ,0,4s $o %&1o%, 30& -#%(. fi,$%$%o)s 1&(o"s 8. A.. -#/*&$s #" %&%$%#$( 5/ 5oo44-" 30o 0#s 8. P)",0#s%&! F,ss D)#&$%$%s o' #,,ss $o ,#s0, #,,o)&$s ",%1#5. #&( 5#&4 "#3 *#$"%#.s. ",o&,%.%#$%o&s. :. No #,,o)&$s -#/#5. s)5@.(!" %s *#%&$#%&(. REVENUES: S ,#s0 s,$%o&. U&",o"(( s#.s. S ,#s0 s,$%o&. EEPENSES: S ,#s0 s,$%o& #&( #,,o)&$s -#/#5. s,$%o&. U&#)$0o"%A( o" %&,o"",$ -#/"o.. S ,#s0 s,$%o&. P#/"o..@@*#&#!" 0%"s #&( <"s. No (o)5.@ ,0,4s #&( o-"#$%&! F-&(%$)"s. o& -#/"o.. ,o*-)$#$%o&s. OTHER: )1 CONCL%SION #mportant issues to remember that influence the design of internal control systems for smaller entities include( #nternal control and fraud prevention are the responsibilities of management. #nternal control systems are always relevant to the nature$ size and comple6ity of an entity. Dey controls designed and operated by owners or managers of small entities are the primary methods of preventing and detecting errors and fraud. #nternal control procedures should provide reasonable assurance that errors or fraud will not occur and go undetected. The benefits of internal control procedures should outweigh their costs. The design process includes understanding accounting systems and e6isting internal controls$ identifying what could go wrong and designing cost"beneficial control activities and anti"fraud programs that are li%ely to prevent and detect errors and fraud. CPA PRACTICE AIDS, LLC SMALL AUDITS INTERNAL CONTROL QUESTIONNAIRE FOR MAJOR AUDIT AREAS CLIENT1 @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ ENGAGEMENT DATE1 @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ %SE OF 5%ESTIONNAIRE This Fuestionnaire is designed to be used on small audits to document internal control and assess control ris%. #t also is a source for identifying control deficiencies. Combined with a systems wal%"through procedure$ internal control flowcharts or memos, auditors may be able to assess ris% of material misstatement at moderate for certain financial statement classifications. INSTR%CTIONS The Fuestionnaire should be utilized while ma%ing in:uiries of client personnel regarding internal control. #nternal control documentation time can be minimized by completing a systems wal%"through procedure and preparing flowchart or memorandum documentation as this Fuestionnaire is completed. )0 The Fuestionnaire contains space for GyesH$ GnoH or G.;3H responses to %ey controls and activity"level controls generally applicable to a small business or organization. GKesH responses indicate that the control procedure is has been at least informally designed and is operating effectively. G.oH responses indicate the control procedure has not been designed or$ if designed$ is not operating effectively. G.;3H responses indicate the control procedure is not applicable to a client&s internal control system. The GBersonnelH column should be used to identify persons performing the control activities. Dey controls$ a part of entity"level controls$ should drive the control ris% assessment process. Dey controls can mitigate most deficiencies in activity"level controls$ particularly for smaller entities. /or a small business or organization$ %ey controls are normally performed by the owner;manager O;7!$ a member of the entity&s board of directors$ a volunteer or paid consultant. #f %ey controls have not been designed$ or are not operating effectively$ the auditor should consider the activity"level controls to provide the assessment of control ris% for relevant assertions. RELE#ANT ASSERTIONS <hen completing this Fuestionnaire$ the auditor should primarily consider these relevant assertions( Fi(a(ia& Stateme(t C&a!!i'iatio( Re&eva(t Fi(a(ia& Stateme(t A!!ertio(! Cash >6istence;Occurrence4 Completeness4 Cutoff 3ccounts +eceivable >6istence;Occurrence4 Caluation4 Cutoff #nventories >6istence;Occurrence4 Caluation4 Completeness4 3ccuracy4 Cutoff /i6ed 3ssets >6istence4 Caluation4 Completeness4 +ights;Obligations 3ccounts Bayable Completeness4 Cutoff +evenues >6istence;Occurrence4 Caluation4 Completeness4 Cutoff Bayroll >6istence;Occurrence4 Completeness4 3ccuracy >6penses >6istence;Occurrence4 Completeness4 Cutoff( Classification *5 Prepare+ By1 @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ Date Prepare+1 @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ Revie6e+ By1 @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ Date Revie6e+1 @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ *) SMALL AUDITS INTERNAL CONTROL QUESTIONNAIRE FOR MAJOR AUDIT AREAS CLIENT1 @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ ENGAGEMENT DATE1 @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ B>+SO..>L K>S .O .;3 ** CONTROL EN#IRONMENT32EY CONTROLS ). O;7 has high integrity. *. O;7 follows e6isting internal controls$ policies and procedures. ,. O;7 is present daily and;or appoints a supervisor in his;her absence. -. O;7 Gwal%s aroundH facility fre:uently each day. 2. O;7 observes employee activity and tal%s with supervisors during wal%s around to evaluate department status. 8. Company uses ade:uate accounting software. 9. 3ccounting records are maintained on a current basis. 1. +eports generated by accounting software are used by management. 0. 3ccounting personnel are reasonably :ualified for their positions. Co(tro& Ri!* Eva&uatio( Air&e o(eB1 Lo6 Mo+erate $i,0 SMALL AUDITS INTERNAL CONTROL QUESTIONNAIRE FOR MAJOR AUDIT AREAS CLIENT1 @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ ENGAGEMENT DATE1 @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ B>+SO..>L K>S .O .;3 *, CAS$)2EY CONTROLS ). O;7 receives ban% and credit card statements directly either by mail or electronically. *. O;7 reviews contents of ban% and credit cards statements and investigates unusual items. ,. O;7 signs vendor chec%s and payroll chec%s. -. O;7 reviews vendor invoices$ receiving reports and;or purchase orders when signing chec%s. 2. O;7 reviews documentation of payroll calculations when signing chec%s. 8. O;7 receives or pic%s up unopened mail or uses a loc% bo6 for receipts. 9. O;7 opens mail$ supervises opening or reads a list of daily cash receipts. 1. O;7 prepares deposit or supervises and reviews its preparation. 0. O;7 ma%es or approves all telephone or online ban% transfers or payments. )5. O;7 reconciles ban% statement or approves preparation by another. )). O;7 reads monthly balance sheet and income statement and investigates unusual items. SMALL AUDITS INTERNAL CONTROL QUESTIONNAIRE FOR MAJOR AUDIT AREAS CLIENT1 @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ ENGAGEMENT DATE1 @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ B>+SO..>L K>S .O .;3 *- CAS$)ACTI#ITY3LE#EL CONTROLS ). 7ail and cash receipts are recorded as received and deposited intact$ daily. *. @uplicate deposit slips are prepared$ matched with ban% receipt and retained. ,. 7ail and cash receipts are counted by two independent persons other than the person recording the receipts. -. Over"the"counter receipts are controlled by a cash register$ software or pre"numbered receipt tic%ets. 2. 3ll chec%s are signed by the O;7. 8. Chec%s are signed only when disbursement is made not in advance!. 9. The chec% signer compares data on supporting documents to chec%s. 1. Chec%s are recorded in the accounting system when prepared. 0. Only pre"numbered chec%s are used. )5. 3ll 'ournal entries are approved by the O;7. Co(tro& Ri!* Eva&uatio( Air&e o(eB1 Lo6 Mo+erate $i,0 SMALL AUDITS INTERNAL CONTROL QUESTIONNAIRE FOR MAJOR AUDIT AREAS CLIENT1 @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ ENGAGEMENT DATE1 @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ B>+SO..>L K>S .O .;3 *2 ACCO%NTS RECEI#ABLE)2EY CONTROLS ). The O;7 approves all customer re:uests for credit. *. The O;7 accounts for$ and reviews$ numerical copies of sales invoices and;or customer statements. ,. The O;7 reviews the sales 'ournal monthly. -. The O;7 reviews an aged trial balance of accounts receivable monthly. 2. The O;7 receives customer complaints and resolves disputes. ACCO%NTS RECEI#ABLE) ACTI#ITY3LE#EL CONTROLS ). 3 sales 'ournal is prepared and balanced. *. +ecords of customer payments are retained remittance advices$ duplicate deposit slips$ loc% bo6 reports$ prelists! ,. Bre"numbered sales invoices and;or shipping reports with shipping date are prepared. -. Copies of sales invoices or customers& statements are mailed monthly. 2. +eceivables are aged regularly. Co(tro& Ri!* Eva&uatio( Air&e o(eB1 Lo6 Mo+erate $i,0 SMALL AUDITS INTERNAL CONTROL QUESTIONNAIRE FOR MAJOR AUDIT AREAS CLIENT1 @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ ENGAGEMENT DATE1 @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ B>+SO..>L K>S .O .;3 *8 IN#ENTORIES)2EY CONTROLS ). O;7 plans and;or supervises the ta%ing of the physical inventory. *. O;7 prices and compiles records of physical count or reviews wor% of others. ,. O;7 determines all owned goods are counted and that obsolete or consigned goods are e6cluded from the count. IN#ENTORIES)ACTI#ITY3LE#EL CONTROLS ). 3n annual physical inventory is ta%en and ade:uate count records tags or sheets! are maintained. *. 3de:uate records of inventory pricing and compilation are maintained. ,. The inventory count is ta%en$ chec%ed or supervised by a supervisor. -. Obsolete and consigned goods are e6cluded from the count. Co(tro& Ri!* Eva&uatio( Air&e o(eB1 Lo6 Mo+erate $i,0 SMALL AUDITS INTERNAL CONTROL QUESTIONNAIRE FOR MAJOR AUDIT AREAS CLIENT1 @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ ENGAGEMENT DATE1 @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ B>+SO..>L K>S .O .;3 *9 FICED ASSETS)2EY CONTROLS ). Only the O;7 can open accounts with vendors and approve the purchase of e:uipment$ tools or other property. *. O;7 periodically inspects and;or inventories capitalized fi6ed assets. ,. O;7 ma%es or approves all ma%e$ buy$ lease$ repair decisions. FICED ASSETS)ACTI#ITY3LE#EL CONTROLS ). Supporting documents are retained for all purchases of fi6ed assets. *. 3 detailed depreciation schedule is prepared and depreciation is entered in the records at least annually. ,. 3 capitalization limit has been set and is used to determine capitalizable items. Co(tro& Ri!* Eva&uatio( Air&e o(eB1 Lo6 Mo+erate $i,0 SMALL AUDITS INTERNAL CONTROL QUESTIONNAIRE FOR MAJOR AUDIT AREAS CLIENT1 @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ ENGAGEMENT DATE1 @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ B>+SO..>L K>S .O .;3 *1 ACCO%NTS PAYABLE)2EY CONTROLS ). O;7 approves all vendors and accounts with creditors. *. O;7 approves all vendor payments. ,. O;7 receives and reviews unpaid vendor invoices and statements monthly. ACCO%NTS PAYABLE)ACTI#ITY3 LE#EL CONTROLS ). Cendor invoices are entered in the purchases 'ournal when received. *. Cendor invoices and supporting documents are reviewed by the chec% signer. ,. Cendor invoices are cancelled when chec%s are signed. -. Cendor invoices or receiving reports contain the date goods were received. 2. Unpaid vendor invoices are maintained in a file separate from paid invoices. Co(tro& Ri!* Eva&uatio( Air&e o(eB1 Lo6 Mo+erate $i,0 SMALL AUDITS INTERNAL CONTROL QUESTIONNAIRE FOR MAJOR AUDIT AREAS CLIENT1 @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ ENGAGEMENT DATE1 @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ B>+SO..>L K>S .O .;3 *0 SALESDRE#EN%ES)2EY CONTROLS ). O;7 approves all credit sales. *. O;7 reviews copies of all sales invoices and shipping reports. ,. O;7 reviews customers& statements before mailing. -. O;7 reviews monthly aged trial balance$ calls past due customers and resolves customer complaints. SALESDRE#EN%ES)ACTI#ITY3 LE#EL CONTROLS ). Sales are recorded in the period made or shipped considering shipping terms!. *. Bre"numbered sales invoices and shipping reports are prepared. ,. Copies of sales invoices or customer statements are mailed at least monthly. -. 3ll returns$ allowances$ discounts and account ad'ustments are approved by a supervisor. Co(tro& Ri!* Eva&uatio( Air&e o(eB1 Lo6 Mo+erate $i,0 SMALL AUDITS INTERNAL CONTROL QUESTIONNAIRE FOR MAJOR AUDIT AREAS CLIENT1 @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ ENGAGEMENT DATE1 @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ B>+SO..>L K>S .O .;3 ,5 PAYROLL)2EY CONTROLS ). O;7 approves all hires and fires. *. O;7 authorizes wage rates. ,. Bayroll chec%s are distributed by the O;7. -. O;7 reviews and signs all payroll ta6 returns and other related documents. 2. O;7 responds to all in:uiries by state and federal regulatory bodies. PAYROLL)ACTI#ITY3LE#EL CONTROLS ). Bayroll chec%s are pre"numbered and prepared and recorded with accounting software$ or by a service bureau. *. <"-s. #"0s and other re:uired payroll documents are maintained. ,. >mployees time records are maintained and used to calculate paychec%s. -. Bayroll chec%s are distributed by department heads or other supervisors. 2. Aires$ fires$ wage rates$ time off are approved by department heads or supervisors. Co(tro& Ri!* Eva&uatio( Air&e o(eB1 Lo6 Mo+erate $i,0 SMALL AUDITS INTERNAL CONTROL QUESTIONNAIRE FOR MAJOR AUDIT AREAS CLIENT1 @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ ENGAGEMENT DATE1 @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ B>+SO..>L K>S .O .;3 ,) ECPENSES)2EY CONTROLS ). O;7 reviews and approves all disbursements& supporting documents. *. <hen signing chec%s$ O;7 determines account classifications are proper. ,. O;7 investigates any unapproved or unusual disbursements. -. O;7 investigates duplicate payments and inade:uate documentation. ECPENSES)ACTI#ITY3LE#EL CONTROLS1 ). 3 descriptive chart of accounts is used. *. Chec%s are prepared only when appropriate supporting documents have been received. ,. The person recording and summarizing transactions cannot sign chec%s. -. The person preparing deposits and posting customer payments cannot sign chec%s. 2. Cendor invoices are cancelled by the chec% signer. Co(tro& Ri!* Eva&uatio( Air&e o(eB1 Lo6 Mo+erate $i,0 SMALL AUDITS INTERNAL CONTROL QUESTIONNAIRE FOR MAJOR AUDIT AREAS CLIENT1 @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ ENGAGEMENT DATE1 @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ ECPLANATION OF ENOF ANS?ERS APOTENTIAL CONTROL DEFICIENCIESB1 CAS$1 ACCO%NTS RECEI#ABLE1 IN#ENTORIES1 FICED ASSETS1 ACCO%NTS PAYABLE1 SALESDRE#EN%E1 ,* PAYROLL1 ECPENSES1 OT$ER1
,, CPA PRACTICE AIDS, LLC AUDIT FLOWCHARTING GUIDE %SE OF G%IDE This =uide is designed to facilitate preparation of flowcharts documenting accounting and internal control systems for use on small audit engagements. The =uide is designed by ma'or audit area and will facilitate the preparation of flowcharts that will result in identification of control deficiencies and the assessment of control ris%. Control ris%s will be combined with inherent ris%s to assess the level of ris% of material misstatements for relevant assertions. The =uide should be used in connection with the Small Audits Internal Control Questionnaire #or Ma$or Audit Area S3#CF!. INSTR%CTIONS C&ie(t I(Guirie! The S3#CF and the flowcharts resulting from this =uide should be used while ma%ing in:uiries of appropriate client personnel. <hile a flowchart is being prepared$ or after it is prepared if it is more convenient$ a systems wal%"through procedure should be performed to determine that information on the flowcharts is accurate. @ocuments e6amined and procedures performed during the wal%"through may be recorded on the flowcharts or described in an accompanying memorandum. Control deficiencies should be documented in the last section of the S3#CF. F&o60art a(+Dor Memora(+a 7emoranda may be prepared for documenting the accounting and internal control procedures in lieu of flowcharts at the option of the audit engagement leader. The author recommends using flowcharts since they are usually more effective for identifying control deficiencies and they often ta%e less time to carry forward$ to discuss with client personnel and to update. 7emoranda may be used to supplement the flowcharts to enhance e6planations of accounting system procedures$ internal control activities or other information as the auditor considers necessary. 2ey Co(tro&!)t0e $eart o' Error a(+ Frau+ Preve(tio( Dey controls$ a part of entity"level controls$ should drive the control ris% assessment process and should be clearly indicated on the flowcharts. Dey controls can mitigate most deficiencies in activity"level controls$ particularly for smaller entities. /or a small business or organization$ %ey controls are normally performed by the owner;manager O;7!$ a member of the entity&s board of directors$ a volunteer or a paid consultant. Dey controls are presented first in each section of the S3#CF. Fi(a(ia& Stateme(t A!!ertio(! ,- <hen control ris% is evaluated at the financial statement classification level$ the auditor should primarily consider relevant assertions described in the S3#CF. /lowcharts should$ therefore$ focus primarily on controls that affect the relevant assertions in each financial statement classification. 3ll controls that are operating$ however$ should be evidenced on the flowchart to provide an accurate evaluation of control ris%. F&o60art Preparatio( /lowcharts may be prepared using manual templates or flowcharting software. The hardcopies or the electronic copies may be carried forward with changes reflected in different color pencils or software fonts. 3ll accounting systems software applications$ procedures$ documents and data$ and all internal controls$ should be reflected on the flowcharts. ,2 CPA FIRM PRACTICE AIDS, LLC AUDIT FLOWCHARTING GUIDE INSTR%CTIONS AND 5%ESTIONS BY MA"OR A%DIT AREA The instructions and :uestions below will enhance the preparation of flowcharts and completion of the S3#CF. 3nswers to :uestions should first consider %ey controls and$ if no %ey controls are present$ activity"level controls should be considered to determine if misstatements can be prevented and not result in control deficiencies. CAS$ The flowchart should contain documentation of( 3ll types of cash receipts$ such as receipts received by mail$ over"the"counter$ or by sales representatives. +eceipts from periodic sales of fi6ed assets$ scrap or other items to employees or others. 3ll types of cash disbursements such as disbursements made with and without purchase orders$ made from petty cash or a cash register and made for customer refunds. 3ll accounting records$ documents$ data and procedures. Consider the entity&s %ey controls and activity"level controls when preparing flowchart documentation. These :uestions can facilitate the identification of accounting and internal control procedures( Can cash or chec%s be received and not documentedL Can receipts from over"the"counter sales be misappropriatedL Can miscellaneous receipts be overloo%ed and not recordedL Can disbursements be made for routine or non"routine purchase of goods or services without proper supportL Can petty cash be misappropriatedL ACCO%NTS RECEI#ABLE The flowchart should contain documentation of( 3ll types of sales on account including customer written orders received by mail$ phone or email$ sales orders from sales representatives$ C.O.@.$ consignment$ etc. ,8 @ifferent types of customers such wholesale$ retail$ distributor$ consumer$ and related parties. 3ll accounting records$ documents$ data and procedures. Consider the entity&s %ey controls and activity"level controls when preparing flowchart documentation. These :uestions can facilitate the identification of accounting and internal control procedures( Can goods be shipped to customers with bad creditL Can sales be invoiced but not recordedL Can ad'ustments to customers& accounts be made without approvalL Could lapping occur and go undetectedL Can past due accounts go undetectedL IN#ENTORIES AND COSTS OF GOODS SOLD The flowchart should contain documentation of( 3ll 'ob$ process or retail costing procedures. 3ll inventory classifications such as raw materials$ wor%"in"process and finished goods. Standard costs calculations$ applications$ ad'ustments and revisions. 3ll inventory records$ documents data or procedures. Consider the entity&s %ey controls and activity"level controls when preparing flowchart documentation. These :uestions can facilitate the identification of accounting and internal control procedures( Can inventory items be stolen$ misappropriated or inaccurately transferred to wor% in process or costs of good soldL Can inventory be used$ damaged or wasted without being recordedL Can inventory be received and not recorded accuratelyL FICED ASSETS The flowchart should contain documentation of( The fi6ed asset ac:uisition$ disposal and control processes. 3ll fi6ed asset records$ documents$ data or procedures. Consider the entity&s %ey controls and activity"level controls when preparing flowchart documentation. These :uestions can facilitate the identification of accounting and internal control procedures( ,9 Can fi6ed assets ac:uisitions or disposals be made and not approved or recordedL 3re capitalization limits in placeL @oes accounting personnel understand when to capitalize additions or repairs to fi6ed assets when the life or capacity is increased!L ACCO%NTS PAYABLE The flowchart should contain documentation of( 3ll types of products$ vendors and shipment. 3c:uisitions and payments re:uiring purchase orders. Bayments not re:uiring purchase orders. 3ll phases of the purchases;payables transaction such as ordering$ product receiving$ invoice recording and payments processing. Consider the entity&s %ey controls and activity"level controls when preparing flowchart documentation. These :uestions can facilitate the identification of accounting and internal control procedures( Can unauthorized purchases be madeL Can payables be recorded if goods or services are not receivedL Can obligations be incurred and not recordedL Can payables be recorded in the wrong accountL @o petty cash policies prevent its improper use or misappropriationL SALES1 The flowchart should contain documentation of( @ifferent types of shipping terms such as /.O.B. shipping point or destination$ different shipping locations$ different types of carriers$ drop ships from suppliers$ customer pic% up$ etc. @ifferent types of customers such wholesale$ retail$ distributor$ consumer$ and related parties. 3ll accounting records$ documents$ data and procedures. Consider the entity&s %ey controls and activity"level controls when preparing flowchart documentation. These :uestions can facilitate the identification of accounting and internal control procedures( Can goods be shipped without invoices being preparedL Can sales be invoiced but not recordedL Can sales be made and recorded without inventory being relievedL Can customer invoice errors be made and go undetectedL ,1 PAYROLL The flowchart should contain documentation of( @ifferent methods of compensation such as hourly$ salaried$ commission$ piece wor%$ contract$ etc. 7ethods of payment such as chec% or direct deposit. Airing decisions$ firing actions$ payroll documents$ cost distribution and all other records$ documents$ data and procedures in the payroll accounting and internal control systems. Consider the entity&s %ey controls and activity"level controls when preparing flowchart documentation. These :uestions can facilitate the identification of accounting and internal control procedures( Can fictitious employees be added to the payrollL Can terminated employees be %ept on the payroll and their chec%s prepared after their terminationL 3re paychec%s distributed$ or direct deposits made$ under the supervision of an administrative personL 3re time cards$ timesheets or electronic records re:uired to support paychec%s preparationL Can other inadvertent or intentional errors occurL FINANCIAL REPORTING SYSTEM The flowchart should contain documentation of( 3ll modules of the general ledger software$ data entry personnel$ source documents and all related accounting system and internal control procedures. Controls over general 'ournal entries$ ban% reconciliations and financial statement preparation. Consider the entity&s %ey controls and activity"level controls when preparing flowchart documentation. These :uestions can facilitate the identification of accounting and internal control procedures( Can 'ournal entries or unusual transactions be posted to the general ledger without approval of a supervisorL 3re there effective administrative controls such as regular vacations$ cross" training$ bonding insurance$ timely financial statement preparation and budget utilizationL #s internal control affected by busy or slac% periods$ illnesses$ vacations$ etc.L ,0 #s internal control affected by the competence of any employee or group of employeesL 3re appropriate internal chec%s in place$ provided either by software$ hardware or administrative proceduresL 3re any assets improperly safeguardedL -5