Responsibility of:
How Performed or Communicated Wages and salaries are approved by
management.
Senior management Written document
Salaries of senior management are based on written authorization of the board of directors.
Board of Directors Written document
Maintenance of personnel files is under the control of the personnel department.
Senior management Written document
Proper authorization is obtained for all payroll deductions.
Employee/Personnel Dept. Signs documents
Access to personnel files is limited to those who are independent of the payroll or cash functions.
Personnel department Written document
Wage and salary rates and payroll deductions are reported promptly to employees who perform the payroll processing function.
Personnel department Written document
Responsibility of:
How Performed or Communicated Periodic governmental reports are filed on a
timely basis.
Payroll department Complete forms
Adequate time records are maintained for employees paid by the hour.
Time Clock
---Time records for hourly employees are approved by a supervisor.
Department manager Signs time card
Payroll is calculated using authorized pay rates, payroll deductions, and time records.
Payroll accounting department
---Payroll registers are reviewed for accuracy. Check signer Reviews, Signs Payroll cost distributions are reconciled to
gross pay.
Payroll accounting department
Written document
Net pay is distributed by persons who are independent of personnel, payroll preparation, time-keeping, and check preparation functions.
Treasurer
---The responsibility for custody and follow-up of unclaimed wages is assigned to someone who is independent of personnel, payroll processing, and cash disbursement functions.
Treasurer
---Diagrammed View of Transaction Cycles
Purchase Requisition
Purchase Receiving Vendor Time Time
Order Report Invoice Cards Tickets Source
Sales Sales Bill of Documents
Order Invoice Lading
Deposit Remittance Voucher
Check Slip Listing Package Check
BOOKS OF ORIG-INAL ENTRY
Accounts Receivable CASH Purchases Accounts Payroll Exp. Affected
SALES Accounts Receivable Accounts Payable CASH Accounts
Payable CASH
Balance Income Cash
SALES JOURNAL BY INVOICE
NO.
SUBSIDIARY LEDGER
BY CUSTOMER
CASH RECEIPTS JOURNAL BY
DATE SUBSIDIARY
LEDGER BY CUSTOMER
PURCHASES JOURNAL OR
VOUCHER REGISTER
CASH
DISBURSE-MENTS JOURNAL
PAYROLL JOURNAL
BY PAYROLL EMPLOYEE
EARNINGS CARDS BY EMPLOYEE
General Ledger
Trial Balance
Financial Statements
Sheet Statement Flows
VIII. Application of Internal Control Concepts to Small and Mid-sized Entities
A. The way internal control components apply will vary based upon an entity's size and complexity.
B. Internal Control components consideration in small and mid-sized entities 1. Control Environment
x May be implemented differently than larger companies.
x For example, small entities may not have a written code of conduct but, instead, develop a culture that emphasizes the importance of integrity and ethical behavior through oral communication and management example.
2. Risk Assessment
x Basic concepts of risk assessment should be present in every entity, but formalized risk assessment procedures may be lacking.
x Management may learn about risks through direct personal involvement with employees and outside parties.
3. Control Activities
x Extensive control activities, especially those involving segregation of duties, may be absent in smaller entities.
x Management may compensate for lack of control activities by exercising oversight responsibility in those areas where control activities are lacking.
4. Information and Communication
x Communication may be less formal but easier to achieve in a smaller organization due primarily to the entity's size and fewer levels of employees.
x Also greater visibility of and availability of management in a smaller organization usually contributes to adequate information and communication goals.
5. Monitoring
x Ongoing management activities in small and mid-sized entities are likely to contribute to the achievement of adequate monitoring procedures.
x Management's close involvement in operations will often identify significant variance from expectations and inaccuracies in financial data.
IX. Effect of Information Technology – Auditor’s Consideration of Internal Control A. Definition of Information Technology
Information technology (IT) encompasses automated means of originating, processing, storing, and communicating information, and includes recording devices, communication systems, computer systems, and other electronic devices.
B. The auditor is primarily interested in the entity’s use of IT to initiate, record, process, and report transactions or other financial data.
C. IT can affect internal control, evidential matter, and the auditor’s understanding of internal control and the assessment of control risk.
D. Auditor’s Considerations of IT
1. The auditor may determine that assessing control risk below maximum for certain assertions may be effective and more efficient than performing only substantive tests.
2. Alternatively, the auditor may determine that it is not practical or possible to restrict detection risk to an acceptable level by performing only substantive tests for one or more financial statement assertions. In such circumstances, the auditor should obtain evidential matter about the effectiveness of both the
design and operation of controls to reduce the assessed level of control risk. Such evidential matter may be obtained from several sources including:
o Testing the controls planned and performed concurrent with or subsequent to obtaining the understanding.
o Performing procedures that were not specifically planned as tests of controls but that provide evidential matter about the effectiveness of the design and operation of the controls.
o For certain assertions, the auditor may desire to further reduce the assessed level of control risk.
In such cases, the auditor considers whether evidential matter sufficient to support a further reduction is likely to be available and whether performing additional tests of controls to obtain such evidential matter would be efficient.
3. The auditor may assess control risk at the maximum level because he or she believes controls are unlikely to pertain to an assertion, or are unlikely to be effective, or because evaluating the effectiveness of controls would be inefficient.
o However, the auditor needs to be satisfied that performing only substantive tests would be effective in restricting detection risk to an acceptable level. When evidence of an entity’s initiation, recording, or processing of financial data exists only in electronic form, the ability of the auditor to obtain the desired assurance only from substantive tests would significantly diminish.
o The auditor uses the understanding of internal control and the assessed level of control risk to determine the nature, timing and extent of substantive tests to be performed.
X. Communication of Internal Control Related Matters Noted in an Audit (S.A.S. No. 60)
A. During the course of an audit of an entity's financial statement, the auditor may become aware of matters related to internal control that may be of interest to the audit committee of the Board of Directors or others of equivalent authority. These items are referred to as "reportable conditions" (specifically, a reportable condition relates to significant deficiencies in the design or operation of internal control).
B. Examples of reportable conditions:
Deficiencies in internal control design
• Inadequate overall internal control design
• Absence of appropriate segregation of duties consistent with appropriate control objectives
• Absence of appropriate reviews and approvals of transactions, accounting entries, or systems output
• Inadequate procedures for appropriately assessing and applying accounting principles
• Inadequate provisions for the safeguarding of assets
• Absence of other control techniques considered appropriate for the type and level of transaction activity
• Evidence that a system fails to provide complete and accurate output that is consistent with objectives and current needs because of design flaws
Failures in the operation of internal control
• Evidence of failure of identified controls in preventing or detecting misstatements of accounting information
• Evidence that a system fails to provide complete and accurate output consistent with the entity's control objectives because of the misapplication of control procedures
• Evidence of failure to safeguard assets from loss, damage or misappropriation
• Evidence of intentional override of the internal control structure by those in authority to the detriment of the overall objectives of the system
• Evidence of failure to perform tasks that are part of the internal control structure, such as reconciliations not prepared or not timely prepared
• Evidence of willful wrongdoing by employees or management
• Evidence of manipulation, falsification, or alteration of accounting records or supporting documents
• Evidence of intentional misapplication of accounting principles
• Evidence of misrepresentation by client personnel to the auditor
C. Reporting—Form and Content
1. Conditions noted by the auditor that are considered reportable or that are the result of agreement with the client should be reported, preferably in writing.
2. If information is communicated orally, the auditor should document the communication by appropriate memoranda or notations in the working papers.
3. The report should state that the communication is intended solely for the information and the use of the audit committee, management, and others within the organization. When there are requirements established by governmental authorities to furnish such reports, specific reference to such regulatory authorities may be made.
4. Any report issued on reportable conditions should:
a. Indicate that the purpose of the audit was to report on the financial statements and not to provide assurance on the internal control structure.
b. Include the definition of reportable conditions.
c. Include the restriction on distribution.
5. The following is an illustration of the report encompassing the above requirements:
In planning and performing our audit of the financial statements of the ABC Corporation for the year ended December 31, 19XX, we considered its internal control in order to determine our auditing procedures for the purpose of expressing our opinion on the financial statements and not to provide assurance on the internal control structure. However, we noted certain matters involving internal control and its operation that we consider to be reportable conditions under standards established by the American Institute of Certified Public Accountants. Reportable conditions involve matters coming to our attention relating to significant deficiencies in the design or operation of internal control that, in our judgment, could adversely affect the organization's ability to record, process, summarize, and report financial data consistent with the assertions of management in the financial statements.
(Include paragraphs to describe the reportable conditions noted.)
This report is intended solely for the information and use of the audit committee (board of directors, board of trustees, or owners in owner-managed enterprises), management, and others within the organization (or specified regulatory agency or other specified third party).
6. Because of the potential for misrepresentation of the limited degree of assurance associated with the auditor issuing a written report representing that no reportable conditions were noted during an audit, the auditor should not issue such representations.