DESIGNING INTERNAL CONTROL SYSTEMS FOR SMALLER ENTITIES

By Larry L. Perry, CPA

CPA Firm Support Servie!, LLC
LEARNING OB"ECTI#ES
Understand the fundamental concepts and the components of internal control.
Be able to design and operate effective accounting and internal control systems
for smaller entities.
Learn to prepare flowcharts effectively and efficiently
T$E FO%NDATION OF INTERNAL CONTROL
The Committee of Sponsoring Organizations of the Treadway Commission COSO! is a
voluntary private"sector organization established in the United States. #t is dedicated to
providing guidance on organizational governance$ business ethics$ internal control$
enterprise ris% management$ fraud and financial reporting. COSO established a common
internal control model that is used by large and small reporting entities.
COSO defines internal control as a process$ effected by an entity&s board of directors$
management and other personnel. This process is designed to provide reasonable
assurance regarding the achievement of ob'ectives in effectiveness and efficiency of
operations$ reliability of financial reporting$ and compliance with applicable laws and
regulations. The COSO framewor% involves several %ey concepts(
). #nternal control is a process. #t is a means to an end$ not an end in itself.
*. #nternal control is not merely documented by policy manuals and forms. +ather$ it
is put in by people at every level of an organization.
,. #nternal control can provide only reasonable assurance$ not absolute assurance$ to
an entity&s management and board.
-. #nternal control is geared to the achievement of ob'ectives in one or more separate
but overlapping categories.
A $i!toria& Per!petive o' I(ter(a& Co(tro&!
The Committee of Sponsoring Organizations COSO! of the .ational Commission on
/raudulent /inancial +eporting Treadway Commission! issued its first report in )012
stressing the importance of internal control$ the control environment$ codes of conduct$
audit committees and internal audit functions. #n )00*$ a tas% force of COSO issued a
report entitled Internal ControlIntegrated Framework$ called the COSO +eport.
3mong other things$ the COSO +eport defines internal control and its components and
provides criteria for evaluating internal control. The report presents these interrelated
components of internal control(
)
Co(tro& E(viro(me(t)The core of any business is its people and the
environment in which they operate. The tone at the top$ i.e.$ management&s
attitudes$ values and behaviors$ provides the control environment for other
employees.
Ri!* A!!e!!me(t)The entity must be aware of and deal with the ris%s it faces4
identifying the ris% of error or fraud and implementing corrective actions is the
primary responsibility of management.
Co(tro& Ativitie!)Control policies and procedures must be designed and
operated to address ris%s to the achievement of the entity&s ob'ectives.
I('ormatio( a(+ Commu(iatio()These systems enable the entity&s people to
obtain and use information necessary to conduct$ manage and control operations.
Mo(itori(,)The internal control process must be monitored and changed by
management as circumstances and conditions necessitate.
#n *5),$ COSO updated and issued Internal ControlIntegrated Framework. The
updated report did not change to basic components of internal control but$ among other
clarifying issues$ the /ramewor% sets out seventeen principles for applying these
components. These principles from COSO&s report are presented below as they apply to
these components.
Co(tro& E(viro(me(t
). The organization demonstrates a commitment to integrity and ethical values.
*. The board of directors demonstrates independence from management and e6er"
cises oversight of the development and performance of internal control.
,. 7anagement establishes$ with board oversight$ structures$ reporting lines$ and
appropriate authorities and responsibilities in the pursuit of ob'ectives.
-. The organization demonstrates a commitment to attract$ develop$ and retain com"
petent individuals in alignment with ob'ectives.
2. The organization holds individuals accountable for their internal control
responsibilities in the pursuit of ob'ectives.
Ri!* A!!e!!me(t
8. The organization specifies ob'ectives with sufficient clarity to enable the
identification and assessment of ris%s relating to ob'ectives.
9. The organization identifies ris%s to the achievement of its ob'ectives across the
entity and analyzes ris%s as a basis for determining how the ris%s should be
managed.
1. The organization considers the potential for fraud in assessing ris%s to the
achievement of ob'ectives.
0. The organization identifies and assesses changes that could significantly impact
the system of internal control.
Co(tro& Ativitie!
)5. The organization selects and develops control activities that contribute to the miti"
gation of ris%s to the achievement of ob'ectives to acceptable levels.
*
)). The organization selects and develops general control activities over technology
to support the achievement of ob'ectives.
)*. The organization deploys control activities through policies that establish what is
e6pected and procedures that put policies into action.
I('ormatio( a(+ Commu(iatio(
),. The organization obtains or generates and uses relevant$ :uality information to
support the functioning of internal control.
)-. The organization internally communicates information$ including ob'ectives and
responsibilities for internal control$ necessary to support the functioning of
internal control.
)2. The organization communicates with e6ternal parties regarding matters affecting
the functioning of internal control.
Mo(itori(, Ativitie!
)8. The organization selects$ develops$ and performs ongoing and;or separate
evaluations to ascertain whether the components of internal control are present
and functioning.
)9. The organization evaluates and communicates internal control deficiencies in a
timely manner to those parties responsible for ta%ing corrective action$ including
senior management and the board of directors$ as appropriate.
#nternal control is always relevant to the nature$ size and comple6ity of a reporting entity.
Smaller entities will ordinarily have more informal controls that are carried out by one or
a few persons. <hile the basic components of internal control should be present in
small" and medium"size entities$ the )9 principles will ordinarily be sub'ectively included
in an entity&s design and operation of internal controls.
=enerally$ internal controls over financial reporting include those that are designed to
ma%e sure financial data is recorded$ processed$ summarized and reported consistent with
management&s representations assertions! in financial statements. 7anagement of an
entity has the primary responsibility for internal control. 3n auditor&s responsibilities
include the evaluation of whether the five components are designed and operating
effectively$ given the nature$ size and comple6ity of the entity.
Ma(a,eme(t-! Co(tro& O./etive!
3n entity&s internal control system provides the machinery used by management to
accomplish these basic ob'ectives(
>ffectiveness and efficiency of operations?basic business ob'ectives$
profitability goals and safeguarding of assets and other resources.
+eliability of financial reporting?preparation of accurate financial statements.
Compliance with laws and regulations?all to which the entity is sub'ect.
,
%(+er!ta(+i(, t0e Compo(e(t! o' I(ter(a& Co(tro&
T0e To(e at t0e Top a(+ Bottom1
The control environment sets the tone of any organization$ i.e.$ causes its people to be
conscious of the importance of the entity&s system of internal control. #t is the foundation
for application of all other components of internal control. /or small entities$ the
character and behavior of the person having top financial responsibility for the entity$
e.g.$ an owner or manager$ sets the tone for employees to follow. /or larger entities$
management personnel at various levels are also the primary influence on the control
environment. #n all cases$ it&s what management does$ not what they say$ that directs
employees& behavior. The operating philosophies and style of management$ their
delegation of responsibility and authority$ their emphasis on developing and guiding
employees and their utilization of input from persons charged with governance defines
what employees do.
T0e Importa(e o' De!riptive C0art! o' Aou(t! a(+ Bu+,eti(, Co(tro&!1
3 comprehensive chart of accounts is the foundation of the financial reporting process.
@esigned to guide the authorization$ initiation$ classification$ recording and summarizing
of transactions$ it is most effective when it includes descriptions of the activity that may
be recorded in each account. The chart of accounts should include accounts in all
functional$ departmental and;or 'ob classifications. #t should also be designed to facilitate
budget preparation and monitoring as part of an entity&s internal control system.
Budgets may be prepared using a base line$ such as the prior year&s operations$ or they
may be zero based$ that is built from the ground up. <hichever method is used$
participation by department heads and other operating personnel is essential for
producing effective budgets. The final review and approval responsibility for budgets
should rest with persons charged with governance of the organization.
To provide value$ the budget should be compared to actual results on a periodic basis by
management and other persons charged with governance$ usually monthly. Unusual or
une6pected variances from budgeted amounts should be considered and corrective
actions implemented when necessary.
3 budget should be designed for use also based on an entity&s nature$ size and
comple6ity. 3 medium"size church employed an e6ecutive pastor that was formerly a
chief financial officer for a public company. Ae spent most of his time micro"managing
wee%ly budgets for department heads. Using a report from the church&s accounting
software$ the e6ecutive pastor met with department heads wee%ly to discuss their budget
status. Over e6penditures were met with severe cutbac%s in planned future e6penditures.
Under e6penditures resulted in reductions of monthly or annual budgeted amounts.
<hile this micro"management significantly strengthened the church&s internal control
system$ its cost was high$ too high for the size of this organization. The practical side of
-
internal control is that the cost of operation of a control activity should result in benefits
appropriate for the nature$ size and comple6ity of the organization.
<hile properly prepared and monitored budgets can significantly improve a small
entity&s internal controls$ their use should provide benefits commensurate with the cost of
preparation and monitoring. Li%e the design and operation of internal control procedures$
benefits must be measured in terms of the relative costs of implementation and
maintenance.
T0e Importa(e o' a Co+e o' Co(+ut1
<hile smaller entities don&t normally have a written code of conduct$ larger organizations
are establishing these codes. Bublically"held companies$ issuers under the Sarbanes"
O6ley 3ct$ are re:uired to establish and communicate codes of conduct. Other privately"
held companies$ non"issuers$ are also creating codes of conduct as part of their control
environment.
<hether written or communicated informally$ a code of conduct defines behavior
e6pectations for both management and other employees. <hile such codes do not
prevent inappropriate behavior or fraud$ they do provide employees with legal and ethical
standards that will influence their performance and commitment to the entity&s system of
internal control.
3n entity&s code of conduct will ordinarily include these sections(
Use of company assets and resources for business and not personal use
Use of telephones$ email and the internet
3voiding actual and potential conflicts of interest
Brotecting the company&s confidential information
7aintaining complete and accurate accounting records
#nvestigating and reporting any accounting$ auditing and disclosure concerns
+etaining and disposing of records and documents
Brohibiting discrimination and harassment
Brohibiting use of alcohol and illegal drugs
Complying with laws$ rules and regulations
Brotecting intellectual property and using copyrighted materials
=iving and receiving gifts$ meals$ services and entertainment
Understanding disciplinary actions for code violations
+eporting concerns and code violations
T0e E(tity-! Ri!* A!!e!!me(t Proe!!1
+is%s at the entity level may come from e6ternal factors such as changes in technology$
customer&s needs$ competition$ regulations or laws and the economy. 3t the entity level$
ris%s also arise from internal factors such as information systems failures$ personnel
2
practices affecting the :uality of employees$ access to assets and the susceptibility of an
entity&s operations to fraud.
3t the activity level$ ris% assessment involves business operations and financial reporting.
3nalyzing operational reports$ financial and non"financial data and observations of
employees& activities may bring ris%s to management&s attention.
Co(tro& Ativitie!1
Control activities that are established in response to perceived ris%s relate to
management&s representations assertions! in the entity&s financial statements. The
assertions from section 3U"C ,)2 of the 3uditing Standards Board Clarified 3uditing
Standards can be synthesized and organized in this way(
Completeness
Occurrence and cut"off
Caluation and accuracy
>6istence
+ights
Obligations
@isclosure and Bresentation
3n entity&s financial reporting and internal control systems should result in financial
statement classifications that are appropriate and reasonable.
2ey or E(tity3Leve& Co(tro&!
Dey controls are those elements of the five components of internal control that have a
pervasive affect upon the accomplishment of management&s control ob'ectives. /or
smaller entities$ %ey controls are normally performed at the entity level$ although some
may e6ist at the activity level. #llustrated in the accompanying Small Audits Internal
Control Questionnaire (SAICQ), these controls may be informal and ordinarily carried
out by one or a few persons such as an owner;manager. The design and operation of
these %ey controls can prevent material misstatements due to error or fraud from
occurring and going undetected. <hen these circumstances e6ist$ even a small entity can
have a good internal control systemE

Components of %ey controls for both large and small entities are(
7anagement&s integrity and ethical values.
7anagement&s commitment to doing things right.
7anagement&s ways of doing things.
The involvement of persons charged with governance.
The delegation of authority and responsibility.
Bersonnel policies and procedures.
8
Ativity3Leve& Co(tro&!
The COSO +eport states that control activities are the policies and procedures established
to help ensure that management directives are carried out and that management&s
ob'ectives are accomplished. The %ey controls described above are primary to
accomplishing these ob'ectives. 3bsent the design of %ey controls$ or when %ey controls
are designed but not operating$ activity"level controls may be necessary to prevent
misstatements from occurring and going undetected.
These controls may be applied through features in an accounting software system$ by
personnel while performing accounting procedures or by the design of documents or data.
The S3#CF mentioned above also illustrates the activity"level controls for the financial
statement classifications of a small entity. #f %ey controls are not designed or operating$
certain activity"level controls may prevent errors from occurring and going undetected.
I('ormatio( a(+ Commu(iatio(1
Comprising the nature of internal information produced and distributed by an entity$ this
component is intended to enable management and others to operate$ manage and control
the entity&s business. #t is also intended to provide employees an understanding of
financial reporting and safeguarding controls and their operations. /or larger entities$
communication may ta%e the form of policy and procedure manuals$ instructional memos
and oral communications. /or smaller entities$ communication will often be verbal$ face
to face and directed by the owner or a manager.
Communications may also involve outside parties such as auditors$ customers and
vendors. These communications may provide information that can lead to identifying
deficiencies in internal control.
Mo(itori(,1
The monitoring component is intended to cause management to assess the design and
operating effectiveness of the entity&s system of internal control on a short and long"range
basis. 7onitoring can be performed on an on"going basis or be performed on separate
occasions.
7onitoring is the evaluation the effectiveness of other internal control components and
how well management&s and other employees& duties are being performed. 7onitoring in
small entities normally consists of the day"to"day observations of an owner or manager.
Speia& I!!ue! 'or Sma&& E(titie!
3s discussed above$ the owner or manager of a small entity is that entity&s control
environment. #f he or she has good character$ is committed to performing %ey controls
and is diligent in carrying out day"to"day responsibilities$ it is possible for a small entity
9
to have a good system of internal control. On the other hand$ an ineffective
owner;manager may increase the ris% of material misstatements at both the financial
statement and assertion levels.
Boards of directors for small entities$ especially non"profit organizations$ may not be
%nowledgeable of business operations$ accounting and ta6 activities or internal control
over financial reporting. #n such cases$ the caliber of the owner or manager will be even
more important in preventing errors from occurring and going undetected. 3
%nowledgeable board$ on the other hand$ can serve to reduce the ris% of material
misstatement when the owner or manager&s capabilities are not strong.
3n informal organization structure of a small entity may result in control deficiencies due
to a lac% of segregation of duties in operations and accounting. Because employees may
be trained to perform many different functions$ the resources and accounting records
could be at ris% of misstatement due to error or fraud. Aighly effective %ey controls at the
entity level would be necessary to mitigate these ris%s.
7any of the %ey controls performed by an owner or manager depend on the physical
presence of the person. Brolonged absences from the wor% place by the owner or
manager decrease the effectiveness of %ey controls and increase the ris% of material
misstatements.
Ca( a Sma&& E(tity $ave Goo+ I(ter(a& Co(tro&!4
3s discussed above$ the owner or manager C>O$ director$ superintendent$ C/O or other
top financial authority! has primary responsibility for the design and operation of internal
controls. 7ost of the %ey controls will be informal and they will be performed by the
owner or manager. #t is the commitment to accurate financial reporting and the diligence
of the responsible person that primarily affects the ris% of material misstatements in
financial statements.
COSO has recognized that small entities can have good internal controls$ although they
will li%ely be informal and carried out by one or a few persons. The design and operation
of %ey controls can prevent material misstatements due to error or fraud from occurring
and going undetected. So to answer the marginal :uestion above$ effectively designed
and operating informal %ey controls may result in a good internal control system for
smaller entities.
%!i(, a Sma&& Au+it! I(ter(a& Co(tro& 5ue!tio((aire
The accompanying Small Audits Internal Control Questionnaire is designed to assist
management in formulating an internal control system and to be used on small audits to
document internal control and assess control ris%. #t also is a source for identifying
control deficiencies by management and auditors.
A( Overvie6 o' F&o60art Preparatio(
1
#nformation for preparing flowcharts is usually based on the %nowledge of the top
financial authority of an entity. 3dditional information may be obtained by interviewing
persons responsible for procedures$ ma%ing in:uiries of each person responsible for
document preparation and tracing all documents through the processing procedures. The
accompanying Flowcharting Guide can facilitate the flowchart drafting process$ whether
in hardcopy or electronic format.
The overall ob'ective of flowchart preparation is to produce a complete and
understandable flowchart. Aere are some basic rules(
Leave two to three inches on the left of the page open for comments.
Begin at the upper"left corner and draw down and;or to the right.
Show the source and use of every document.
Use G%eysH within symbols for footnotes or drop"down bo6es to describe
documents.
Use a separate memo or drop"down bo6 on the flowchart to e6plain any
information that is not self"e6planatory.
The flowchart should be divided into columns to separate people or departments
with specific areas of responsibility.
Use directional arrows only if the information flow contradicts a normal pattern.
3void cross lines of data"flow.
/ollowing are some steps to facilitate flowchart preparation(
). @efine the transaction cycle$ system or process to be flowcharted cash
receipts or disbursements$ sales$ payroll$ etc.!
*. Layout the columns of the flowchart to show the flow of information
through the system or process. Consider roughing out the flow of
documents and information %nown to you.
,. #nterview accounting personnel using an S3#CF$ Flowcharting Guide or
other reference material to gather information.
-. @raw or complete the flowchart while interviewing accounting personnel
if possible!.
2. Berform a systems wal%"through procedure to verify the accuracy of the
flowchart and ma%e a preliminary identification of potential ris%s of
material misstatements.
8. Transfer potential ris%s to a control deficiencies wor%sheet for
consideration of offsetting %ey controls and a determination of
deficiencies.
/ollowing are three illustrative flowcharts for common transactions cycles that could be
used to identify ris%s by financial statement classification(
0
)5
))
)*
DESIGNING COST3EFFECTI#E INTERNAL CONTROL SYSTEMS FOR
SMALLER ENTITIES
C0arateri!ti! o' Sma&&er E(titie!
COSO has led the way to designing cost"effective internal control systems for smaller
public companies by the guidance it published in *558. This guidance for smaller public
companies presents a pattern for smaller non"public entities as well.
Common characteristics for smaller entities include(
/ewer lines of business$ fewer products and limited purposes$ particularly for
non"profit organizations.
7anagement personnel usually have significant e:uity interests.
7anagement personnel normally have broader responsibilities and control.
3ccounting systems are generally less comple6 than for larger entities.
3ccounting personnel are generally few in number and often have wide ranges of
duties.
Limited resources often results in lesser :ualified staff persons and fewer
consultations with legal and other e6perts.
C0a&&e(,e! a(+ Di''iu&tie!
These common characteristics create difficulties in designing cost"effective internal
control systems. Aere are some of the effects(
Segregation of incompatible duties is limited.
7anagement personnel have increased opportunities for override of internal
controls.
/inding :ualified persons to serve on boards of governance is difficult.
Airing and retaining :ualified accounting personnel is a challenge.
3 lac% of resources to maintain appropriate control over #T systems often results
in using out"of"the bo6 software that often doesn&t meet all the entity&s needs.
#n spite of these challenges$ a smaller company can design and operate an effective
internal control system. 3 brief discussion of some of the ways this can be done follows
in the ne6t section.
E''etive&y De!i,(e+ I(ter(a& Co(tro& Sy!tem!
7. Over!i,0t .y a( o6(er or ma(a,er. The in"depth %nowledge of business and
accounting operations by an owner or manager$ and his;her daily presence and
oversight of company personnel$ are %ey controls in the entity&s control
environment. @iligent performance of %ey controls can also greatly increase the
reliability of the entity&s financial reporting process. Since the owner or manger
),
generally has an e:uity or compensation interest$ the li%elihood of management
override of internal controls is diminished.
8. E''etive .oar+ o' ,over(a(e. Since smaller companies or non"profit
organizations ordinarily have less comple6 business structures$ persons charged
with governance can have a greater %nowledge of the entity&s activities. This can
enable these persons to more effectively accomplish their governance
responsibilities.
9. Overomi(, t0e &a* o' !e,re,atio( o' +utie!. Dey controls carried out by
management personnel at the entity or activity level can offset the control ris%s
from the lac% of segregation of duties. The COSO +eport suggests these %ey
controls(
a. +eviewing system reports of detailed transactions.
.. Selecting transactions for review of supporting documents.
. Overseeing periodic counts of physical inventory$ e:uipment or other
assets and comparing them with accounting records.
+. +eviewing reconciliations of account balances or performing them
independently.
:. Limiti(, ri!*! a!!oiate+ 6it0 t0e IT !y!tem. <hile using out"of"the"bo6
software can limit the information available for management&s use$ many of the
ris%s associated with mid"tier$ user"modifiable systems can be avoided.
Standardized reports and reporting formats$ password and processing controls and
other application controls can prevent errors from occurring and going
undetected.
;. Mo(itori(, o(tro& ativitie!. 7onitoring in small entities is normally the
responsibility of an owner or manager. Berforming daily Gwal%"aroundH controls
provides feedbac% on the effectiveness of accounting$ internal control$ and
operational systems. #n *550$ COSO published its Guidance on Monitoring
Internal Control Sstems. This guidance suggests that monitoring for all entities
should be based on these three broad elements(
a. >stablishing a foundation for monitoring$ including a! a proper tone at the
top4 b! an effective organization structure that assigns monitoring roles to
people with appropriate capabilities$ ob'ectivity and authority4 and c! a
starting point or GbaselineH of %nown effective internal control from which
ongoing monitoring and separate evaluations can be implemented4
.. @esigning and e6ecuting monitoring procedures focused on !ersuasi"e
in#ormation about the operation of ke controls that address meaning#ul
risks to organizational ob'ectives4 and
. 3ssessing and reporting results$ which includes evaluating the severity of
any identified deficiencies and reporting the monitoring results to the
appropriate personnel and the board for timely action and follow"up if
needed.
<. A0ievi(, 'urt0er e''iie(ie!. The COSO +eport identifies other opportunities
to design effective and efficient internal control systems(
a. By focusing on the ris%s related to managements& ob'ectives$ a ris%"based
approach to designing internal controls systems will consider what could
go wrong in the financial reporting process. Using lists of controls that are
)-
tailored to the nature$ size and comple6ity of an entity and the ob'ectives
of its management will facilitate the identification of Gwhat could go
wrong.H
.. @ocumentation of internal control policies and procedures will also vary
with the nature$ size and comple6ity of an entity. Smaller entities
normally have informally designed and communicated internal controls.
#n other words$ there normally are no policies and procedures manuals$
systems flowcharts$ organization charts and 'ob descriptions. <ith fewer
people and levels of management$ more fre:uent contact by an owner or
manager enables communication of the informal policies and procedures.
. Some documentation of accounting and internal control procedures is
ordinarily necessary to demonstrate transaction processes are occurring
and being recorded properly. @etermining that all shipments are billed$
that billings only occur after shipments are made and that ban% accounts
are being reconciled are e6amples of such procedures. Dey controls
performed by owners or managers of small entities should include periodic
inspections of records sufficient to determine transactions are being
recorded properly.
INTERNAL CONTROLS AND FRA%D PRE#ENTION
7uch has been written about forensic accounting and fraud. There are three ma'or
categories of fraud that commonly affect entities(
7. Mi!repre!e(tatio(! i( 'i(a(ia& reporti(,. These include intentional
misstatements of amounts or disclosures in financials statements that are intended
to mislead users of the statements.
8. Mi!appropriatio( o' a!!et!. Theft of an entity&s assets by employees or others is
the most common form of misappropriation. /inancial records are usually altered
to conceal a theft of assets.
9. E=ter(a& 'rau+!. Bersons outside an entity are normally responsible for e6ternal
frauds$ although there may be collusion with certain employees. /inancial gain is
the normal motivation.
/or small entities$ misappropriation of assets is the most common type of fraud. The
Gfraud triangleH contains three factors that indicate circumstances that can cause a person
to misappropriate assets and misstate records to conceal the theft(
7. I(e(tive! or pre!!ure! to ommit 'rau+. +easons to commit frauds may
include financial pressures such as a spouse out of wor%$ a divorce or separation
or the failure of a personal business.
8. Opportu(itie! to ommit 'rau+. #neffective internal controls$ the opportunities
and li%elihood for management personnel to override internal controls$ and
decentralized operations and accounting are e6amples of circumstances that create
opportunities to commit fraud.
)2
9. Attitu+e! a(+ ratio(a&i>atio(! 'or ommitti(, 'rau+. Iustifying the fraud
because the perpetrator is not paid what he;she is worth or rationalizing that
everyone does it are e6amples of a fraudster&s attitudes.
FRA%D PRE#ENTION
@esigning and operating anti"fraud programs is the responsibility of management and can
result in reductions in opportunities for employees to commit fraud. Auman resource
policies such as drug tests$ credit chec%s and bac%ground chec%s for prospective
employees help eliminate candidates with higher tendencies to commit fraud. Deys
controls diligently carried out by owners$ managers or other authorized individuals are
also primary means of preventing or reducing the occurrence of asset misappropriation.
/raud detection may occur as %ey controls are performed. #n addition$ analytical
procedures performed by comparing operating results among periods or by ma%ing
calculations using non"financial data can reveal discrepancies. /or e6ample$ an auto
parts store discovered a J25$555 fraud perpetrated by a sales cler% when a new software
program identified the number of refund slips issued by each cler% on a periodic basis. #n
another case$ the C/O of a transportation company compared the miles per gallon of
gasoline on trips for each driver and discovered a driver storing and selling gasoline on
the side. /raud detection may also occur in anti"fraud programs carried out physically
such as lunch bo6 searches at a small tool manufacturing plant or electronic security
scanners at e6its from the plant of a computer components manufacturer.
A Co(tro& De'iie(ie! ?or*!0eet
3 control deficiencies wor%sheet can facilitate documentation of the evaluation of
e6isting internal controls. #t also can be used to identify e6isting deficiencies and the
design of additional controls to prevent ris%s from occurring and going undetected. 3
control deficiencies wor%sheet should have at least these column headings(
#nternal control deficiency
@esign or operating deficiency
Offsetting %ey controls
/ollowing is an illustrative #nternal Control @eficiency <or%sheet that contains
hypothetical information from a small entity to illustrate the internal control design
process. @eficiencies identified on this wor%sheet could have been obtained by
completing an S3#CF or by preparing a flowchart for ma'or transactions cycles.
)8
CPA PRACTICE AIDS, LLC
INTERNAL CONTROL DEFICIENCY WORKSHEET
ENTITY NAME: ____________________________
DATE:_____________________________
DESCRIBE CONTROL DEFICIENCY WHAT COULD GO WRONG? PREVENTIVE CONTROLS
CASH:
1. No s!"!#$%o& o' ()$%s #*o&! o+,
*-.o/s,
1. A.. *-.o/s 0#1 #,,ss $o
,#s0
1. O2 s%$ o3&" "1%3s
34./:
*#&#!", 5oo44-", #&( ,."4.
#&( ",%1#5.s ",o"(s6 ,o).(
s$#.
#. R1%3s ,o-%s o' s#.s
%&1o%,s
7. O1" ,o)&$" #&( *#%. ",%-$s ",%1( 5/
#.. *-.o/s.
,#s0 #&( -os$ ,"(%$s $o ,)s$o*"
o"
5. I&s-,$s ,0,4 ,o-%s #&(
%&1o%,s
8. O1" ,o)&$" s#.s *#( 5/ #.. o+,
*-.o/s. .#- ,)s$o*" -#/*&$s. ,. R1%3s -#/"o.. 9o)"&#.s
:. Boo44-" #&( ,."4 5o$0 -os$ #,,o)&$s
",%1#5.
7. Boo44-" ,o).( ,o1" $0'$
5/ (. R1%3s ,)s$o*" #&( 1&(o"
",o"(s.
*#&%-).#$%&! 5#&4 ",o&,%.%#$%o&s
o" #,$%1%$/ "-o"$s
;. Boo44-" -os$s !&"#. .(!" #&(
-"-#"s 3"%$%&! o2 ,)s$o*" 5#.#&,s. 7. CPA <"* (s%!&( #,,o)&$%&!
#&( (.%1"s (-os%$s $o 5#&4.
8. M#&#!" 0#s #,,ss $o
so'$3#",
-"o,()"s #&( o3&"=s 4/
,o&$"o.s
>. M#&#!" s%!&s -#/"o.. #&( o-"#$%&! ,0,4s.
,o).( 3"%$ #&( s%!& ,0,4s $o
s.'.
8. CPA <"* ,o&$"o.s #..
?)%,4Boo4s
-#ss3o"(s, #,,o)&$s 'o" -"@
&)*5"(
,0,4s #&( s#.s %&1o%,s,
"1%3s
s#.s %&1o%,s #&( ,0,4
s)--o"$,
*#%&$#%&s -"so&#. <.s,
-"-#"s -#/"o..
"-o"$s, #(9)s$s #&( ,.oss
*o&$0./
",o"(s.
:. CPA <"* -"-#"s *o&$0./
<&#&,%#.s 'o" o3&"=s "1%3
ACCOUNTS RECEIVABLE:
1. No s!"!#$%o& o' ()$%s. A.. o+, -"so&&.
",%1s 1. C)s$o*" -#/*&$s ,o).( 5 1. S#* #s #5o1.
-#/*&$s %& *#%. #&( o1" ,o)&$". ",%1( #&( *%s#--"o-"%#$(.
7.Boo44-" *#4s (-os%$s #&( -os$s
#,,o)&$s 7. L#--%&! ,o).( o,,)".
",%1#5. ",o"(s. 8. A,,o)&$ 5#.#&,s #&( %&1o%,s
8.AR ,."4 ",%1s ,#s0, -os$s #,,o)&$s
",%1#5.
,o).( 5 3"%$$& o2 3%$0o)$
#)$0o"%A#$%o&.
",o"(s #&( *#4s (-os%$s.
:. U&#)$0o"%A( s#.s ,o).( 5
*#(
:.C"(%$ **os &o$ )s( $o s)--o"$ ,"(%$s $o
,)s$o*"s #,,o)&$s.
#&( -"o(),$s s0%--( 3%$0o)$
",o"(%&!.
;.Y#"( 'o"*#& s0%-s 5#s( o& s#.s %&1o%,s. A..
o+,
-"so&&. ,#& %&%$%#$ s#.s %&1o%,s.
)9
INVENTORY:
1. No (o,)*&$s o" ",o"(s #" *#%&$#%&( $o
,o&$"o.
1. E*-.o/ o" ,)s$o*" $0'$
,o).(
W"%$$& %&s$"),$%o&s #"
-"-#"( 5/
%&1&$o"/ %$*s B-",#s$ ,o&,"$ 5.o,4sC. o,,)".
$0 'o"*#& 'o" ,o)&$%&!
%&1&$o"/.
7. Y#"( %s o-& ()"%&! $0 (#/ 30%. *-.o/s
#"
7. S#.s ,o).( 5 *%ss( 5,#)s
o'
E*-.o/s #$$&( # $"#%&%&!
*$%&!
3o"4%&! 5)$ o'$& &o o& %s -"s&$ %& $0 /#"(.
I$ %s %&s)+,%&$ D)#&$%$%s o& 0#&(.
o& 0o3 $o ,o)&$. T0 *#&#!"
%s
.o,4( #$ &%!0$.
8. W%$0 &o %$* ",o"(s
*#%&$#%&(,
-"s&$ #&( s)-"1%ss $0
,o)&$,
8. I&1&$o"%s #" -0/s%,#../ ,o)&$( o&./ o&,
# /#"6 D)#&$%$%s o' ,"$#%& %$*s 5%&!
%&,.)(%&! $s$%&! *-.o/=s
,o)&$s.
*#&#!" /@5#..s D)#&$%$%s $o ,o&$"o.
-"o(),$%o&. -"o(),( ,o).( 5 )&&,ss#"/
T0 *#&#!" -.#,s #&( -%,4s
)- #.. ,o)&$ s0$s.
FIEED ASSETS:
1. No ($#%.( s)5@.(!" *#%&$#%&(. 1. Loss o" $0'$ o' #ss$s. S ,#s0 s,$%o&.
7. No &)*"%,#. ,o&$"o. o' <F( #ss$s %s %&
-.#,. 7. Ass$s ,o).( 5 -)",0#s( #&(
8. Boo44-" *#%&$#%&s (-",%#$%o& s,0().. ,o&1"$( $o -"so&#. )s.
:. No 4/ ,o&$"o.s o1" #,,o)&$%&! o"
s#'!)#"(%&!
<F( #ss$s.
ACCOUNTS PAYABLE:
1. A&/ o+, *-.o/ ,#& o"(" s)--.%s o" "#3
1. Co&1"$%&! -)",0#ss $o
-"so&#. S ,#s0 s,$%o&.
*#$"%#.s. )s.
7. No -)",0#s o"("s %& )s. O+, *#&#!"
%&%$%#.s 7. W"%$%&! )&#)$0o"%A( ,0,4s $o
%&1o%, 30& -#%(. fi,$%$%o)s 1&(o"s
8. A.. -#/*&$s #" %&%$%#$( 5/ 5oo44-" 30o
0#s 8. P)",0#s%&! F,ss D)#&$%$%s o'
#,,ss $o ,#s0, #,,o)&$s ",%1#5. #&( 5#&4 "#3 *#$"%#.s.
",o&,%.%#$%o&s.
:. No #,,o)&$s -#/#5. s)5@.(!" %s *#%&$#%&(.
REVENUES:
S ,#s0 s,$%o&. U&",o"(( s#.s. S ,#s0 s,$%o&.
EEPENSES:
S ,#s0 s,$%o& #&( #,,o)&$s -#/#5. s,$%o&. U&#)$0o"%A( o" %&,o"",$ -#/"o.. S ,#s0 s,$%o&.
P#/"o..@@*#&#!" 0%"s #&( <"s. No (o)5.@
,0,4s #&( o-"#$%&! F-&(%$)"s.
o& -#/"o.. ,o*-)$#$%o&s.
OTHER:
)1
CONCL%SION
#mportant issues to remember that influence the design of internal control systems for
smaller entities include(
#nternal control and fraud prevention are the responsibilities of management.
#nternal control systems are always relevant to the nature$ size and comple6ity of
an entity.
Dey controls designed and operated by owners or managers of small entities are
the primary methods of preventing and detecting errors and fraud.
#nternal control procedures should provide reasonable assurance that errors or
fraud will not occur and go undetected.
The benefits of internal control procedures should outweigh their costs.
The design process includes understanding accounting systems and e6isting
internal controls$ identifying what could go wrong and designing cost"beneficial
control activities and anti"fraud programs that are li%ely to prevent and detect
errors and fraud.
CPA PRACTICE AIDS, LLC
SMALL AUDITS INTERNAL CONTROL QUESTIONNAIRE
FOR MAJOR AUDIT AREAS
CLIENT1 @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
ENGAGEMENT DATE1 @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
%SE OF 5%ESTIONNAIRE
This Fuestionnaire is designed to be used on small audits to document internal control
and assess control ris%. #t also is a source for identifying control deficiencies.
Combined with a systems wal%"through procedure$ internal control flowcharts or memos,
auditors may be able to assess ris% of material misstatement at moderate for certain
financial statement classifications.
INSTR%CTIONS
The Fuestionnaire should be utilized while ma%ing in:uiries of client personnel
regarding internal control. #nternal control documentation time can be minimized by
completing a systems wal%"through procedure and preparing flowchart or memorandum
documentation as this Fuestionnaire is completed.
)0
The Fuestionnaire contains space for GyesH$ GnoH or G.;3H responses to %ey controls and
activity"level controls generally applicable to a small business or organization. GKesH
responses indicate that the control procedure is has been at least informally designed and
is operating effectively. G.oH responses indicate the control procedure has not been
designed or$ if designed$ is not operating effectively. G.;3H responses indicate the
control procedure is not applicable to a client&s internal control system. The GBersonnelH
column should be used to identify persons performing the control activities.
Dey controls$ a part of entity"level controls$ should drive the control ris% assessment
process. Dey controls can mitigate most deficiencies in activity"level controls$
particularly for smaller entities. /or a small business or organization$ %ey controls are
normally performed by the owner;manager O;7!$ a member of the entity&s board of
directors$ a volunteer or paid consultant.
#f %ey controls have not been designed$ or are not operating effectively$ the auditor should
consider the activity"level controls to provide the assessment of control ris% for relevant
assertions.
RELE#ANT ASSERTIONS
<hen completing this Fuestionnaire$ the auditor should primarily consider these relevant
assertions(
Fi(a(ia& Stateme(t C&a!!i'iatio( Re&eva(t Fi(a(ia& Stateme(t A!!ertio(!
Cash >6istence;Occurrence4 Completeness4
Cutoff
3ccounts +eceivable >6istence;Occurrence4 Caluation4 Cutoff
#nventories >6istence;Occurrence4 Caluation4
Completeness4 3ccuracy4 Cutoff
/i6ed 3ssets >6istence4 Caluation4 Completeness4
+ights;Obligations
3ccounts Bayable Completeness4 Cutoff
+evenues >6istence;Occurrence4 Caluation4
Completeness4 Cutoff
Bayroll >6istence;Occurrence4 Completeness4
3ccuracy
>6penses >6istence;Occurrence4 Completeness4
Cutoff( Classification
*5
Prepare+ By1 @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Date Prepare+1 @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Revie6e+ By1 @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Date Revie6e+1 @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
*)
SMALL AUDITS INTERNAL CONTROL QUESTIONNAIRE
FOR MAJOR AUDIT AREAS
CLIENT1 @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
ENGAGEMENT DATE1 @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
B>+SO..>L K>S .O .;3
**
CONTROL EN#IRONMENT32EY
CONTROLS
). O;7 has high integrity.
*. O;7 follows e6isting internal
controls$ policies and procedures.
,. O;7 is present daily and;or appoints a
supervisor in his;her absence.
-. O;7 Gwal%s aroundH facility
fre:uently each day.
2. O;7 observes employee activity and
tal%s with supervisors during wal%s
around to evaluate department status.
8. Company uses ade:uate accounting
software.
9. 3ccounting records are maintained on
a current basis.
1. +eports generated by accounting
software are used by management.
0. 3ccounting personnel are reasonably
:ualified for their positions.
Co(tro& Ri!* Eva&uatio( Air&e o(eB1
Lo6 Mo+erate $i,0
SMALL AUDITS INTERNAL CONTROL QUESTIONNAIRE
FOR MAJOR AUDIT AREAS
CLIENT1 @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
ENGAGEMENT DATE1 @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
B>+SO..>L K>S .O .;3
*,
CAS$)2EY CONTROLS
). O;7 receives ban% and credit card
statements directly either by mail or
electronically.
*. O;7 reviews contents of ban% and
credit cards statements and investigates
unusual items.
,. O;7 signs vendor chec%s and payroll
chec%s.
-. O;7 reviews vendor invoices$
receiving reports and;or purchase orders
when signing chec%s.
2. O;7 reviews documentation of
payroll calculations when signing chec%s.
8. O;7 receives or pic%s up unopened
mail or uses a loc% bo6 for receipts.
9. O;7 opens mail$ supervises opening
or reads a list of daily cash receipts.
1. O;7 prepares deposit or supervises
and reviews its preparation.
0. O;7 ma%es or approves all telephone
or online ban% transfers or payments.
)5. O;7 reconciles ban% statement or
approves preparation by another.
)). O;7 reads monthly balance sheet
and income statement and investigates
unusual items.
SMALL AUDITS INTERNAL CONTROL QUESTIONNAIRE
FOR MAJOR AUDIT AREAS
CLIENT1 @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
ENGAGEMENT DATE1 @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
B>+SO..>L K>S .O .;3
*-
CAS$)ACTI#ITY3LE#EL
CONTROLS
). 7ail and cash receipts are recorded as
received and deposited intact$ daily.
*. @uplicate deposit slips are prepared$
matched with ban% receipt and retained.
,. 7ail and cash receipts are counted by
two independent persons other than the
person recording the receipts.
-. Over"the"counter receipts are
controlled by a cash register$ software or
pre"numbered receipt tic%ets.
2. 3ll chec%s are signed by the O;7.
8. Chec%s are signed only when
disbursement is made not in advance!.
9. The chec% signer compares data on
supporting documents to chec%s.
1. Chec%s are recorded in the accounting
system when prepared.
0. Only pre"numbered chec%s are used.
)5. 3ll 'ournal entries are approved by
the O;7.
Co(tro& Ri!* Eva&uatio( Air&e o(eB1
Lo6 Mo+erate $i,0
SMALL AUDITS INTERNAL CONTROL QUESTIONNAIRE
FOR MAJOR AUDIT AREAS
CLIENT1 @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
ENGAGEMENT DATE1 @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
B>+SO..>L K>S .O .;3
*2
ACCO%NTS RECEI#ABLE)2EY
CONTROLS
). The O;7 approves all customer
re:uests for credit.
*. The O;7 accounts for$ and reviews$
numerical copies of sales invoices and;or
customer statements.
,. The O;7 reviews the sales 'ournal
monthly.
-. The O;7 reviews an aged trial
balance of accounts receivable monthly.
2. The O;7 receives customer
complaints and resolves disputes.
ACCO%NTS RECEI#ABLE)
ACTI#ITY3LE#EL CONTROLS
). 3 sales 'ournal is prepared and
balanced.
*. +ecords of customer payments are
retained remittance advices$ duplicate
deposit slips$ loc% bo6 reports$ prelists!
,. Bre"numbered sales invoices and;or
shipping reports with shipping date are
prepared.
-. Copies of sales invoices or customers&
statements are mailed monthly.
2. +eceivables are aged regularly.
Co(tro& Ri!* Eva&uatio( Air&e o(eB1
Lo6 Mo+erate $i,0
SMALL AUDITS INTERNAL CONTROL QUESTIONNAIRE
FOR MAJOR AUDIT AREAS
CLIENT1 @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
ENGAGEMENT DATE1 @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
B>+SO..>L K>S .O .;3
*8
IN#ENTORIES)2EY CONTROLS
). O;7 plans and;or supervises the
ta%ing of the physical inventory.
*. O;7 prices and compiles records of
physical count or reviews wor% of others.
,. O;7 determines all owned goods are
counted and that obsolete or consigned
goods are e6cluded from the count.
IN#ENTORIES)ACTI#ITY3LE#EL
CONTROLS
). 3n annual physical inventory is ta%en
and ade:uate count records tags or
sheets! are maintained.
*. 3de:uate records of inventory pricing
and compilation are maintained.
,. The inventory count is ta%en$ chec%ed
or supervised by a supervisor.
-. Obsolete and consigned goods are
e6cluded from the count.
Co(tro& Ri!* Eva&uatio( Air&e o(eB1
Lo6 Mo+erate $i,0
SMALL AUDITS INTERNAL CONTROL QUESTIONNAIRE
FOR MAJOR AUDIT AREAS
CLIENT1 @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
ENGAGEMENT DATE1 @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
B>+SO..>L K>S .O .;3
*9
FICED ASSETS)2EY CONTROLS
). Only the O;7 can open accounts with
vendors and approve the purchase of
e:uipment$ tools or other property.
*. O;7 periodically inspects and;or
inventories capitalized fi6ed assets.
,. O;7 ma%es or approves all ma%e$
buy$ lease$ repair decisions.
FICED ASSETS)ACTI#ITY3LE#EL
CONTROLS
). Supporting documents are retained for
all purchases of fi6ed assets.
*. 3 detailed depreciation schedule is
prepared and depreciation is entered in
the records at least annually.
,. 3 capitalization limit has been set and
is used to determine capitalizable items.
Co(tro& Ri!* Eva&uatio( Air&e o(eB1
Lo6 Mo+erate $i,0
SMALL AUDITS INTERNAL CONTROL QUESTIONNAIRE
FOR MAJOR AUDIT AREAS
CLIENT1 @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
ENGAGEMENT DATE1 @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
B>+SO..>L K>S .O .;3
*1
ACCO%NTS PAYABLE)2EY
CONTROLS
). O;7 approves all vendors and
accounts with creditors.
*. O;7 approves all vendor payments.
,. O;7 receives and reviews unpaid
vendor invoices and statements monthly.
ACCO%NTS PAYABLE)ACTI#ITY3
LE#EL CONTROLS
). Cendor invoices are entered in the
purchases 'ournal when received.
*. Cendor invoices and supporting
documents are reviewed by the chec%
signer.
,. Cendor invoices are cancelled when
chec%s are signed.
-. Cendor invoices or receiving reports
contain the date goods were received.
2. Unpaid vendor invoices are
maintained in a file separate from paid
invoices.
Co(tro& Ri!* Eva&uatio( Air&e o(eB1
Lo6 Mo+erate $i,0
SMALL AUDITS INTERNAL CONTROL QUESTIONNAIRE
FOR MAJOR AUDIT AREAS
CLIENT1 @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
ENGAGEMENT DATE1 @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
B>+SO..>L K>S .O .;3
*0
SALESDRE#EN%ES)2EY
CONTROLS
). O;7 approves all credit sales.
*. O;7 reviews copies of all sales
invoices and shipping reports.
,. O;7 reviews customers& statements
before mailing.
-. O;7 reviews monthly aged trial
balance$ calls past due customers and
resolves customer complaints.
SALESDRE#EN%ES)ACTI#ITY3
LE#EL CONTROLS
). Sales are recorded in the period made
or shipped considering shipping terms!.
*. Bre"numbered sales invoices and
shipping reports are prepared.
,. Copies of sales invoices or customer
statements are mailed at least monthly.
-. 3ll returns$ allowances$ discounts and
account ad'ustments are approved by a
supervisor.
Co(tro& Ri!* Eva&uatio( Air&e o(eB1
Lo6 Mo+erate $i,0
SMALL AUDITS INTERNAL CONTROL QUESTIONNAIRE
FOR MAJOR AUDIT AREAS
CLIENT1 @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
ENGAGEMENT DATE1 @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
B>+SO..>L K>S .O .;3
,5
PAYROLL)2EY CONTROLS
). O;7 approves all hires and fires.
*. O;7 authorizes wage rates.
,. Bayroll chec%s are distributed by the
O;7.
-. O;7 reviews and signs all payroll ta6
returns and other related documents.
2. O;7 responds to all in:uiries by state
and federal regulatory bodies.
PAYROLL)ACTI#ITY3LE#EL
CONTROLS
). Bayroll chec%s are pre"numbered and
prepared and recorded with accounting
software$ or by a service bureau.
*. <"-s. #"0s and other re:uired payroll
documents are maintained.
,. >mployees time records are
maintained and used to calculate
paychec%s.
-. Bayroll chec%s are distributed by
department heads or other supervisors.
2. Aires$ fires$ wage rates$ time off are
approved by department heads or
supervisors.
Co(tro& Ri!* Eva&uatio( Air&e o(eB1
Lo6 Mo+erate $i,0
SMALL AUDITS INTERNAL CONTROL QUESTIONNAIRE
FOR MAJOR AUDIT AREAS
CLIENT1 @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
ENGAGEMENT DATE1 @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
B>+SO..>L K>S .O .;3
,)
ECPENSES)2EY CONTROLS
). O;7 reviews and approves all
disbursements& supporting documents.
*. <hen signing chec%s$ O;7 determines
account classifications are proper.
,. O;7 investigates any unapproved or
unusual disbursements.
-. O;7 investigates duplicate payments
and inade:uate documentation.
ECPENSES)ACTI#ITY3LE#EL
CONTROLS1
). 3 descriptive chart of accounts is used.
*. Chec%s are prepared only when
appropriate supporting documents have
been received.
,. The person recording and summarizing
transactions cannot sign chec%s.
-. The person preparing deposits and
posting customer payments cannot sign
chec%s.
2. Cendor invoices are cancelled by the
chec% signer.
Co(tro& Ri!* Eva&uatio( Air&e o(eB1
Lo6 Mo+erate $i,0
SMALL AUDITS INTERNAL CONTROL QUESTIONNAIRE
FOR MAJOR AUDIT AREAS
CLIENT1 @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
ENGAGEMENT DATE1 @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
ECPLANATION OF ENOF ANS?ERS APOTENTIAL CONTROL
DEFICIENCIESB1
CAS$1
ACCO%NTS RECEI#ABLE1
IN#ENTORIES1
FICED ASSETS1
ACCO%NTS PAYABLE1
SALESDRE#EN%E1
,*
PAYROLL1
ECPENSES1
OT$ER1

,,
CPA PRACTICE AIDS, LLC
AUDIT FLOWCHARTING GUIDE
%SE OF G%IDE
This =uide is designed to facilitate preparation of flowcharts documenting accounting
and internal control systems for use on small audit engagements. The =uide is designed
by ma'or audit area and will facilitate the preparation of flowcharts that will result in
identification of control deficiencies and the assessment of control ris%. Control ris%s
will be combined with inherent ris%s to assess the level of ris% of material misstatements
for relevant assertions. The =uide should be used in connection with the Small Audits
Internal Control Questionnaire #or Ma$or Audit Area S3#CF!.
INSTR%CTIONS
C&ie(t I(Guirie!
The S3#CF and the flowcharts resulting from this =uide should be used while ma%ing
in:uiries of appropriate client personnel. <hile a flowchart is being prepared$ or after it
is prepared if it is more convenient$ a systems wal%"through procedure should be
performed to determine that information on the flowcharts is accurate. @ocuments
e6amined and procedures performed during the wal%"through may be recorded on the
flowcharts or described in an accompanying memorandum. Control deficiencies should
be documented in the last section of the S3#CF.
F&o60art a(+Dor Memora(+a
7emoranda may be prepared for documenting the accounting and internal control
procedures in lieu of flowcharts at the option of the audit engagement leader. The author
recommends using flowcharts since they are usually more effective for identifying
control deficiencies and they often ta%e less time to carry forward$ to discuss with client
personnel and to update. 7emoranda may be used to supplement the flowcharts to
enhance e6planations of accounting system procedures$ internal control activities or other
information as the auditor considers necessary.
2ey Co(tro&!)t0e $eart o' Error a(+ Frau+ Preve(tio(
Dey controls$ a part of entity"level controls$ should drive the control ris% assessment
process and should be clearly indicated on the flowcharts. Dey controls can mitigate
most deficiencies in activity"level controls$ particularly for smaller entities. /or a small
business or organization$ %ey controls are normally performed by the owner;manager
O;7!$ a member of the entity&s board of directors$ a volunteer or a paid consultant. Dey
controls are presented first in each section of the S3#CF.
Fi(a(ia& Stateme(t A!!ertio(!
,-
<hen control ris% is evaluated at the financial statement classification level$ the auditor
should primarily consider relevant assertions described in the S3#CF. /lowcharts
should$ therefore$ focus primarily on controls that affect the relevant assertions in each
financial statement classification. 3ll controls that are operating$ however$ should be
evidenced on the flowchart to provide an accurate evaluation of control ris%.
F&o60art Preparatio(
/lowcharts may be prepared using manual templates or flowcharting software. The
hardcopies or the electronic copies may be carried forward with changes reflected in
different color pencils or software fonts. 3ll accounting systems software applications$
procedures$ documents and data$ and all internal controls$ should be reflected on the
flowcharts.
,2
CPA FIRM PRACTICE AIDS, LLC
AUDIT FLOWCHARTING GUIDE
INSTR%CTIONS AND 5%ESTIONS BY MA"OR A%DIT AREA
The instructions and :uestions below will enhance the preparation of flowcharts and
completion of the S3#CF. 3nswers to :uestions should first consider %ey controls and$ if
no %ey controls are present$ activity"level controls should be considered to determine if
misstatements can be prevented and not result in control deficiencies.
CAS$
The flowchart should contain documentation of(
3ll types of cash receipts$ such as receipts received by mail$ over"the"counter$ or
by sales representatives.
+eceipts from periodic sales of fi6ed assets$ scrap or other items to employees or
others.
3ll types of cash disbursements such as disbursements made with and without
purchase orders$ made from petty cash or a cash register and made for customer
refunds.
3ll accounting records$ documents$ data and procedures.
Consider the entity&s %ey controls and activity"level controls when preparing flowchart
documentation. These :uestions can facilitate the identification of accounting and internal
control procedures(
Can cash or chec%s be received and not documentedL
Can receipts from over"the"counter sales be misappropriatedL
Can miscellaneous receipts be overloo%ed and not recordedL
Can disbursements be made for routine or non"routine purchase of goods or
services without proper supportL
Can petty cash be misappropriatedL
ACCO%NTS RECEI#ABLE
The flowchart should contain documentation of(
3ll types of sales on account including customer written orders received by mail$
phone or email$ sales orders from sales representatives$ C.O.@.$ consignment$ etc.
,8
@ifferent types of customers such wholesale$ retail$ distributor$ consumer$ and
related parties.
3ll accounting records$ documents$ data and procedures.
Consider the entity&s %ey controls and activity"level controls when preparing flowchart
documentation. These :uestions can facilitate the identification of accounting and internal
control procedures(
Can goods be shipped to customers with bad creditL
Can sales be invoiced but not recordedL
Can ad'ustments to customers& accounts be made without approvalL
Could lapping occur and go undetectedL
Can past due accounts go undetectedL
IN#ENTORIES AND COSTS OF GOODS SOLD
The flowchart should contain documentation of(
3ll 'ob$ process or retail costing procedures.
3ll inventory classifications such as raw materials$ wor%"in"process and finished
goods.
Standard costs calculations$ applications$ ad'ustments and revisions.
3ll inventory records$ documents data or procedures.
Consider the entity&s %ey controls and activity"level controls when preparing flowchart
documentation. These :uestions can facilitate the identification of accounting and internal
control procedures(
Can inventory items be stolen$ misappropriated or inaccurately transferred to
wor% in process or costs of good soldL
Can inventory be used$ damaged or wasted without being recordedL
Can inventory be received and not recorded accuratelyL
FICED ASSETS
The flowchart should contain documentation of(
The fi6ed asset ac:uisition$ disposal and control processes.
3ll fi6ed asset records$ documents$ data or procedures.
Consider the entity&s %ey controls and activity"level controls when preparing flowchart
documentation. These :uestions can facilitate the identification of accounting and internal
control procedures(
,9
Can fi6ed assets ac:uisitions or disposals be made and not approved or recordedL
3re capitalization limits in placeL
@oes accounting personnel understand when to capitalize additions or repairs to
fi6ed assets when the life or capacity is increased!L
ACCO%NTS PAYABLE
The flowchart should contain documentation of(
3ll types of products$ vendors and shipment.
3c:uisitions and payments re:uiring purchase orders.
Bayments not re:uiring purchase orders.
3ll phases of the purchases;payables transaction such as ordering$ product
receiving$ invoice recording and payments processing.
Consider the entity&s %ey controls and activity"level controls when preparing flowchart
documentation. These :uestions can facilitate the identification of accounting and internal
control procedures(
Can unauthorized purchases be madeL
Can payables be recorded if goods or services are not receivedL
Can obligations be incurred and not recordedL
Can payables be recorded in the wrong accountL
@o petty cash policies prevent its improper use or misappropriationL
SALES1
The flowchart should contain documentation of(
@ifferent types of shipping terms such as /.O.B. shipping point or destination$
different shipping locations$ different types of carriers$ drop ships from suppliers$
customer pic% up$ etc.
@ifferent types of customers such wholesale$ retail$ distributor$ consumer$ and
related parties.
3ll accounting records$ documents$ data and procedures.
Consider the entity&s %ey controls and activity"level controls when preparing flowchart
documentation. These :uestions can facilitate the identification of accounting and internal
control procedures(
Can goods be shipped without invoices being preparedL
Can sales be invoiced but not recordedL
Can sales be made and recorded without inventory being relievedL
Can customer invoice errors be made and go undetectedL
,1
PAYROLL
The flowchart should contain documentation of(
@ifferent methods of compensation such as hourly$ salaried$ commission$ piece
wor%$ contract$ etc.
7ethods of payment such as chec% or direct deposit.
Airing decisions$ firing actions$ payroll documents$ cost distribution and all other
records$ documents$ data and procedures in the payroll accounting and internal
control systems.
Consider the entity&s %ey controls and activity"level controls when preparing flowchart
documentation. These :uestions can facilitate the identification of accounting and internal
control procedures(
Can fictitious employees be added to the payrollL
Can terminated employees be %ept on the payroll and their chec%s prepared after
their terminationL
3re paychec%s distributed$ or direct deposits made$ under the supervision of an
administrative personL
3re time cards$ timesheets or electronic records re:uired to support paychec%s
preparationL
Can other inadvertent or intentional errors occurL
FINANCIAL REPORTING SYSTEM
The flowchart should contain documentation of(
3ll modules of the general ledger software$ data entry personnel$ source
documents and all related accounting system and internal control procedures.
Controls over general 'ournal entries$ ban% reconciliations and financial statement
preparation.
Consider the entity&s %ey controls and activity"level controls when preparing flowchart
documentation. These :uestions can facilitate the identification of accounting and internal
control procedures(
Can 'ournal entries or unusual transactions be posted to the general ledger without
approval of a supervisorL
3re there effective administrative controls such as regular vacations$ cross"
training$ bonding insurance$ timely financial statement preparation and budget
utilizationL
#s internal control affected by busy or slac% periods$ illnesses$ vacations$ etc.L
,0
#s internal control affected by the competence of any employee or group of
employeesL
3re appropriate internal chec%s in place$ provided either by software$ hardware or
administrative proceduresL
3re any assets improperly safeguardedL
-5