
Chapter 7 Answers

Chapter 7 Multiple Choice

7-1. b 7-2. c 7-3. a 7-4. d 7-5. a 7-6. c 7-7. d

7-8. b Answer b is most relevant to the types of questions proposed by AS 2 as being helpful. Answer d
might give the auditor some indication of whether the person performing the task is doing it carefully.
Answer a is perhaps relevant, but a better question would be, "How long have you been assigned to do
this task?" Answer d is not a possibility because the person typically would have no reason to have that
information unless they were at a very high organizational level in the company.

7-9. c 7-10. b 7-11. d 7-12. a 7-13. d 7-14. a 7-15. c 7-16. d 7-17. b 7-18. d (Note: this question is not
clear-cut; should be thought-provoking; I would expect students to argue about it if it were included on an
exam) 7-19. b 7-20. a 7-21. c

Discussion Questions

7-22. [LO 1, 4] To which of the following accounts would the management assertion "valuation" be
relevant, and why? For any accounts for which it is not relevant, explain why.

Answer:

Cash: Cash in the local currency does not normally have any valuation issues, so the auditor would not
need to test whether the management assertion of valuation is relevant. The value of cash in the local
currency is the face value.

Cash when foreign currency translation is involved: When currency of material amounts in other than
the local denomination is a part of a company's transactions or end-of-year balances, the assertion of
proper valuation is important to the auditor. Specific accounting methods are used to translate the
non-local currency at the year-end date, so whether that translation resulting in the local currency
value has been performed properly is important. The issue of foreign currency can affect assets such as
accounts receivable and liabilities such as accounts payable as well. When a company has receivables
and payables as a result of transactions conducted on an international basis, the auditor must
understand which currencies are to be used to settle the receivables and payables. If the settlement is
to be in a non-local currency, the company has to deal with the value of the amount in the local
currency. This may also require consideration of hedge transactions that have been entered into to
offset the risk of currency value fluctuation.

Gross amount of accounts receivable: Valuation is not relevant to gross accounts receivable, because
gross accounts receivable is the total monetary amount of the transactions.

Net amount of accounts receivable: Net amount of accounts receivable is the result of the gross
accounts receivable and the allowance for uncollectibles. The management assertion of valuation is
relevant to the uncollectible balance part of net receivables. The account balance of the allowance for
uncollectibles is the result of management's estimation and, although based on historical trends and
derived through some systematic process, is still an uncertain amount. The question of whether the
allowance account results in a proper balance of net accounts receivable that are likely to be collected
makes valuation a relevant assertion.

7-23. [LO 1, 2, 4] For a company that sells retail goods to customers both online and in stores located in
shopping malls, with payment made via cash and bank credit cards, which of the following are important
classes of transactions? Why? For those that are not, why not? Online sales; in-store sales; purchase of
raw materials; purchase of finished goods merchandise; lease expense; payroll expense; costs of goods
manufactured; purchase of fixed assets.

Answer:

Online sales: The sales account is clearly an important/significant account. For a typical retail
business such as the one described here, many sales transactions occur throughout the year, making sales
transactions an important class of transactions for the ICFR audit. If the online sales make up a
significant or material part of the total sales revenue, then sales that are made online make up an
important class of transactions. If they are of a significant dollar amount, the auditor probably needs
to address online sales as a separate class of transactions, since many of the important internal
controls differ from those that are important to in-store sales. Online sales are likely to be completed
using credit cards, so if they are a separate important class of transactions, credit card sales approval
processes will also be a part of the auditor's considerations.

In-store sales: For any retail enterprise that has physical establishments in malls, in-store sales are
likely an important part of sales revenue, so these would likely be directly addressed by the auditor. If
online sales are minimal, then the auditor might only look at sales transactions and would not break them
down into online and in-store sales classes and yet focus the greatest ICFR audit effort on in-store
sales transactions, looking at sales as a single consideration from a financial statement audit
substantive perspective. In-store sales are likely to be addressed by the auditor, whether or not online
sales are broken out separately. Further, it is possible that the auditor may need to separate in-store
sales even further, into cash and credit in-store sales, since the important internal controls are
different.

Purchase of raw materials: This is not an important class of transactions because it is unlikely that a
retail business would have any.

Purchase of finished goods merchandise: This class of transactions is very important, because it is the
source of all inventory, both what ends up on the balance sheet and the income statement as cost of goods
sold. It is also important because it likely affects both accounts payable and cash disbursements.

Lease expense: Lease expense is likely to be a major expense of the business, so the amount will probably
be material. However, it may be a straightforward transaction of a set amount that occurs twelve times a
year, requiring minimal audit effort. Consequently, while the amount may be material to the financial
statement audit, the class of transactions may not be considered separately from the payment of other
expenses when considered for the ICFR audit. For the ICFR audit, lease expense payments may be grouped
with other expense cash disbursement functions as a class of transactions. In contrast, if lease expense
requires multiple transactions because of many store locations, it may be an important class of
transactions on its own. Further, if the amount of lease expense is based on calculations (such as a
percentage of monthly sales), then the added complexity may make lease expense payments an important
class of transactions.

Payroll expense: Payroll expense is likely to be one of the larger expense items on the income statement
for a retail business. Sometimes a retail establishment, particularly one that does a lot of its business
online, may not have material payroll expenses. But for the typical mall-type retail business, payroll
expense is probably material. Because payroll transactions require a variety of processes (calculations,
controls over proper payment, withholdings, payouts to government and other entities), it is likely to be
an important class of transactions for a retail business. In many cases this is a class of transactions
that is outsourced, so the auditor considers the controls within the entity and at the service provider.

Cost of goods manufactured: A retail establishment will not have costs of goods manufactured, so it is
not an important class of transactions.

Purchase of fixed assets: Some fixed assets may be purchased for the online sales function, but these are
not likely to be frequent or recurring, so may not be an important class of transactions for the auditor
at least every year -- even if the amount on the balance sheet is material. For the mall location, rather
than the purchase of fixed assets, the important account is probably leasehold improvements. Again, these
transactions are not frequent or recurring, so are not likely to be an important class of transactions
every year. If in a given year there is a large dollar amount or high frequency of these transactions,
particularly if financing has to be obtained to purchase fixed assets or leasehold improvements, the
auditor may consider the controls associated with approvals, etc. to obtain the financing and make the
major purchases.

7-24. [LO 1, 2] A company uses inventory tags that are electronically scanned into its accounting
information system to track receipt, movement and removal of items of inventory from the
manufacturing floor. Prior to producing quarterly and annual financial statements the company
performs a physical count of inventory. The typical outcome of the physical count is that journal entries
must be made after the count to correct the inventory accounts and records because some employee
theft and unrecorded waste always occurs. Does the occurrence of inventory loss that the company
routinely records mean that a deficiency in ICFR exists? Why or why not?

Answer: ICFR deals with the ability of the company to produce financial reports and financial statements
for outsiders. The inventory count, as described, appears to enable the company to correct its records so
that the financial statements reflect the position of the company at the time the reports and financial
statements are prepared. If this is the case, then ICFR is effective both in its design and operation.
Although the internal controls do not prevent the inventory shrinkage, they detect the shrinkage prior to
production of the financial statements.

From the larger management view of what internal controls are intended to accomplish, the internal
controls may be deficient. In addition to permitting the preparation of appropriate financial statements
(ICFR), the broader definition of internal control includes safeguarding assets. If the controls permit
an inappropriate amount of shrinkage, they may not sufficiently prevent the unauthorized use or
disposition of company assets. However, typically, designing an internal control system that would
prevent 100% of inventory shrinkage would be cost prohibitive; in other words, it would cost more to
design and run the inventory controls than the controls would save. Therefore, a company that experiences
what it considers an expected and acceptable amount of inventory shrinkage likely concludes that the
internal controls sufficiently safeguard the company's assets.

7-25. [LO 2] How does the commitment to competence of the COSO IC control environment relate to
the quality control concept of assignment of staff to certain tasks on an audit engagement?

Answer: The staff assigned to audit the internal control environment must have the expertise in the area
they are auditing. For example, staff assigned to audit the payroll internal controls need to have an
adequate understanding of how payroll is processed, what controls should exist, and an ability to
determine if there are control deficiencies. Additionally, the staff must be adequately supervised and
workpapers reviewed to determine whether staff omitted key procedures or evaluated internal controls
incorrectly.

7-26. [LO 2, 4] Exhibit 7-2 discusses Circumstances that Demand Special Risk Assessment attention. Pick
four of the eight shown in the exhibit. Explain how these situations might ultimately result in financial
statement misstatements.

Answer: The eight special risk assessment circumstances and how each affects financial misstatement
follow.

Changed Operating Environment. A changed regulatory or economic environment can result in increased
competitive pressures and significantly different risks. Divestiture in the telecommunications industry
and deregulation of commission rates in the brokerage industry, for example, thrust entities into a
vastly changed competitive environment.

New Personnel. A senior executive new to an entity may not understand the entity's culture or may focus
solely on performance to the exclusion of control-related activities. High turnover of personnel, in the
absence of effective training and supervision, can result in breakdowns.

New or Revamped Information Systems. Effective controls can break down when new systems are developed,
particularly when done under unusually tight time constraints, for example, to gain competitive
advantage or to make tactical moves.

Rapid Growth. When operations expand significantly and quickly, existing systems may be strained to
the point where controls break down; where processing shifts or clerical personnel are added, existing
supervisors may be unable to maintain adequate control.

New Technology. When new technologies are incorporated into production processes or information systems,
a high likelihood exists that internal controls will need to be modified. Just-in-time inventory
manufacturing technologies, for instance, commonly require changes in cost systems and related controls
to ensure reporting of meaningful information.

New Lines, Products, Activities. When an entity enters new business lines or engages in transactions with
which it is unfamiliar, existing controls may not be adequate. Savings and loan organizations, for
example, ventured into investment and lending arenas in which they had little or no previous experience,
without focusing on how to control the risks involved.

Corporate Restructurings. Restructurings (resulting, for example, from a leveraged buyout, or from
significant business declines or cost reduction programs) may be accompanied by staff reductions and
inadequate supervision and segregation of duties. Or a job performing a key control function may be
eliminated without a compensating control put in its place. A number of companies learned too late that
they made rapid, large-scale cutbacks in personnel without adequate consideration of serious control
implications.

Foreign Operations. The expansion or acquisition of foreign operations carries new and often unique
risks that management should address. For instance, the control environment is likely to be driven by
the culture and customs of local management. Also, business risks may result from factors unique to the
local economy and regulatory environment. Or channels of communication and information systems
may not be well established and available to all individuals.

7-27. [LO 3] Compare and contrast the internal control provisions required under the Foreign Corrupt
Practices Act (1977) and the Sarbanes-Oxley Act (2002).

Answer: The Foreign Corrupt Practices Act (FCPA) focused on illegal acts by U.S. corporations involving
foreign officials and defined internal control in a relatively narrow fashion. It required that a review
system be implemented and maintained with the intent of preventing illegal payments. It did not mandate a
review of specific controls, nor did it assign responsibility for the financial statements to management;
it considered internal control to be an end, rather than a process. By contrast, SOX broadens the
definition of internal control, references a control model (COSO), specifically sets out requirements for
an internal control system, mandates that auditors are to evaluate ITGC prior to performing tests of
details of balances, assigns responsibility for the financial statements to management, provides
independent oversight for auditors in the form of the PCAOB, and provides for civil as well as criminal
penalties for noncompliance.

7-28. [LO 5] Explain the importance of a walkthrough, how one is performed, and list 5 relevant
questions that the auditor might ask during a walkthrough. What types of responses to your questions
might the auditor receive that would cause concern about the effectiveness of ICFR?

Answer: A walkthrough is the steps you perform together when evaluating internal control. Student answers
may vary but could include the following questions to ask: What do you do when you find an error? What
are you looking for to determine if there is an error? What kinds of errors have you found? What happens
as a result of finding errors? How are errors resolved? Have you ever been asked to override the process
or controls? If so, what happened and why did it occur? The auditor should be concerned if there are no
error routines and reporting responsibilities and/or no review of transactions for errors.

Problems

7-29. [LO 1, 2, 5] Stan is an auditor for Cartman & Kenny, CPA. He has recently been assigned
to a new private client called Southpark Services, a provider of web management services. Cartman and
Kenny have clients throughout the United States. The company manages their clients' websites, keeping
them up to date, resolving problems and doing any other programming or troubleshooting that their
clients need. The two owners, Bob Cartman and Shelly Kenny, are hands-on managers. They, along with
3 other employees, provide the website management services for their clients. Although they don't have
access to their clients' books or bank accounts, they have the ability to alter the website, and any data
that flows through the website before it goes to the company or the customer. Cartman and Kenny have
one office manager with an undergraduate accounting degree and one full-time bookkeeper. In
discussions with management, Stan learns that Southpark Services doesn't bother to maintain any
processes specifically directed toward good internal controls. When Stan asked why, management
replied, "Internal control is too expensive for us, and since we are not a public company and Section 404
does not apply to us, we don't see any value internal control can offer our management."

Required:

a. Develop a list of concerns that Cartman & Kenny's clients might have based on management's attitude.
Classify those concerns into 2 lists: concerns that affect Cartman & Kenny's business, and concerns that
might affect their productive output, and thus the clients' business operations. Some of the concerns you
identify might end up on both lists.

b. Suggest processes and controls that Cartman & Kenny can implement to limit the risk of the items you
listed in (a).

c. How would an auditor examine or test each of the processes and controls you list in (b)?

Answer:

a. Cartman & Kenny business practices concerns: The most obvious concern is the lack of separation of
duties between management and employee at C & K. The second concern is: how can a firm audit its own
work? A third concern is the total lack of general controls over web design and access. Clients'
concerns: The lack of separation of duties at the audit firm; the lack of proper oversight of work
performed by C & K; and the total access allowed to C & K personnel by Southpark Services. This is
especially problematic if one or more of the managers from C & K becomes unable or unwilling to continue
servicing the client.

b. Procedures to limit the risks cited above: First, C & K must document all their work. Second, changes
should be made to a prototype web site, not the actual production site. Changes can be reviewed and
approved by the client before the actual site is updated. Third, C & K personnel should not have access
to client data servers or files. Indeed, the servers that house the data should be separate from the
server that houses the web site, and each server should have appropriate router and firewall controls.

c. How to audit? First, the auditor should not be from the same firm that provides the service. That
said, if this is allowed, then the auditor should report to someone who has no responsibility for
maintaining the site. The auditor should review and test access controls; review changes to the web site;
obtain a log of transactions in order to form an understanding of transaction origination, approval, and
appropriateness; and document any unusual transactions. The auditor should perform detail tests of
balances given the poor internal control system, especially over sensitive accounts such as cash and
inventory. The auditor should require that the client review transactions in detail and provide
corroborating evidence for all unusual or unauthorized transactions.

7-30. [LO 2, 5] Natasha is a staff-level auditor assigned to evaluate the ICFR for the XYZ corporation
audit. Natasha follows her firm's audit program to assess ICFR. Step 1.3 of the audit program says the
auditor should evaluate the overall attitude and awareness of an entity's board of directors concerning
the importance of internal control.

(a) With which component of internal control is Step 1.3 concerned?

Answer: Control environment (This is an entity-level control.)

(b) Draft specific audit steps that Natasha might find in her plan, in addition to the general direction.

Answer: Examine company policies and procedures regarding the following: Requirements in order to be
elected a member of the Audit Committee. Evidence of interaction between the Board of Directors and the
audit committee, including all reports between management, the external auditors, and the Committee.
Audit Committee charter. Audit Committee qualifications. Reporting structure in place for the Internal
Audit Department. Review Board of Directors and audit committee minutes for issues related to ICFR.
Specifically identify Board of Directors follow-up on internal control ICFR deficiencies identified in
prior years. Note that in addition to Natasha's work, the partner or manager on the engagement would
likely interview the Chair of the Board of Directors and Chair of the Audit Committee.

(c) What would Natasha include in her work papers to document her work?

Answer: Copies of company policies highlighted and annotated as appropriate. Copies of relevant minutes
highlighted and annotated as appropriate. A summary memo that documents and references information in the
company documents. Her conclusions, either on the summary work paper or in a separate memo, regarding the
attitude and awareness and how the evidence supports the conclusion.

7-31. [LO 1, 2, 4] You have been assigned to work on your firm's largest client, DOMO Electronics, a
publicly traded company with operations in North and South America, Europe, and Asia. In your process
of evaluating ICFR, your audit program instructs you to evaluate DOMO Electronics' Control
Environment, a major component of COSO's Internal Control Framework. In your evaluation you have
found the following:

DOMO Electronics has a written code of conduct that it requires all employees to understand and follow.
Based on this mandate it has never had any ethical conflicts reported and therefore does not have a
formal mechanism for top management or the BOD to receive confidential information from employees lower
in the organizational hierarchy.

All of DOMO's staff are required to complete a certain amount of continuing education credits every
year. From what you can see, they seem to be well trained at their tasks, or at least they stay very
busy.

The Board of Directors and Audit Committee consist of several financially savvy individuals who take
their jobs very seriously. Furthermore, all members of its Audit Committee are top managers in the
company, so they are intimately familiar with the company's operations.

Management stresses an ethical environment. In their weekly meetings each team reports its operating
results and the different teams quiz each other and respond with solutions and challenges. In the weekly
meetings management encourages the teams to act ethically while achieving their mandatory
year-over-year, 40% revenue growth numbers.

Due to high industry growth, DOMO has enhanced its market share largely by significant mergers and
acquisitions.

To keep up with its growth, DOMO is constantly upgrading its internal control system. Fortunately, the
well-trained staff have been able to continue testing the new programs after they are put in place and
change programming problems as they crop up.

The human resource department ensures that workers are assigned to work that they are capable of doing
and ensures that every employee understands his/her responsibilities.

Required:

a. What red flags do you see in the above description concerning DOMO's control environment?

b. What accounts and financial statement management assertions might ultimately be affected if the red
flags indicate problems?

c. Develop an audit step you would use to follow up on the concern raised by the red flags.

Answer:

a. The red flags are:

1) There is no formal communication channel available to report ethical/internal control issues as
prescribed by SOX.

2) The audit committee consists of company personnel, not independent members as required by SOX.

3) Great emphasis is placed on achieving an unrealistic growth rate of 40%, clearly encouraging the very
behavior it seeks to discourage orally. Achieving a continuous growth rate of 40% is unlikely; therefore
this encourages earnings management, such as recording of sales that did not occur, etc.

4) The company is growing by acquiring businesses; this presents a problem of trying to integrate the
businesses into a cohesive whole. Differences are likely to exist in internal controls, making lapses in
controls more than likely.

5) Changes are made directly to programs in production (e.g. actual programs being used in the company)
as opposed to copying programs into a test library and making the changes to the test copy.

b. The accounts and assertions affected are virtually every account and all assertions. Since changes to
the programs used to process transactions occur routinely, unauthorized changes could occur to any
account. The situation is very serious since the ITGC are nonexistent.

c. The auditor should consider whether, absent significant changes to the internal control environment,
he/she wants to continue as the auditor. Assuming that he/she does, the first audit step would involve a
review of the IT general controls, starting with a review of the programs used in production, looking
for recent changes, especially frequent changes occurring over a short period of time, which would
indicate that previous changes could have been reversed in an attempt to hide unauthorized changes. Then,
the auditor should review the transaction register for any unusual activity or amounts, paying close
attention to the sensitive accounts of cash, sales, A/R, and inventory. Since earnings management is a
very real possibility, the auditor needs to be alert for unusual transactions affecting accounts linked
to sales. The auditor should obtain evidence that the transactions are valid and have been authorized.

7-32. [LO 1, 3, 4] Suppose you are a new auditor with a small audit firm on the audit of Juan Stuart's
Daily News, a large private corporation with a significant minority stockholder that operates media
outlets across the United States. The majority stockholder manages the day-to-day activities of the
business. Because your audit firm is a new, small firm, it has yet to formulate its own guidance
concerning the audit of ICFR. You remember hearing a lot about Section 404 of the Sarbanes-Oxley Act of
2002 concerning internal control audits.

Required:

a. Does Section 404 of the Sarbanes-Oxley Act pertain to the audit of Juan Stuart's Daily News? Why or
why not?

b. Is there anything related to ICFR that you are concerned with as the financial statement auditor of
Juan Stuart's Daily News?

c. Who are the stakeholders related to Juan Stuart's Daily News? How do good financial statements benefit
them? What ICFR issues would be of concern to the different stakeholders?

d. Develop audit steps to test the ICFR issues of concern.

Answer:

a. Section 404 would apply if the significant minority stockholder with media outlets across the U.S. is
considered a registrant per the SEC (e.g. has a security that is registered with the SEC) and uses the
equity method in accounting for the earnings of Juan Stuart.

b. The large size of Juan Stuart is a concern regarding audit firm resources and expertise for conducting
the audit well. Another concern is that no plan was formulated prior to accepting Juan Stuart as a client.

c. The stakeholders would be the minority shareholders; the employees; and the creditors. Good financial
statements allow stakeholders to assess their interests and the going concern of the entity with which
they are connected. The minority shareholder would be concerned with transaction integrity and
controls over financial reporting accuracy; employees would be concerned with safeguarding assets and
accuracy of financial reporting; and creditors would be concerned with control over assets and financial
reporting accuracy.

d. Audit steps would include a review of entity-level controls, such as those surrounding ITGC,
specifically separation of duties and access controls. Additional audit steps would include a review of
controls surrounding transactions, tracing the entry in the appropriate ledger to its supporting detail,
including approvals.

7-33. [LO 2, 5] Lois is evaluating the ICFR for Pawtucket Patriot Brewery. She is examining an activity
that occurs periodically, specifically an inventory count. This is not an everyday operation of Pawtucket
Patriot Brewery. But they don't have a good IT system to track inventory, and the only way the
purchasing department knows what it needs to buy and the production manager knows how much and
what to make is as the result of the physical count. The company makes and sells beer. Inventory
consists of beer that has already been placed in bottles and is ready for distribution; beer in huge vats
still being processed; and all the supplies that go into making beer: not only the beer ingredients, but
also empty bottles and the supplies needed to bottle the beer.

Required:

a. Classify this inventory observation activity using the AS 2 groupings of: routine, nonroutine,
estimating.

b. As Lois reads through the client's plan for the inventory count, what processes and procedures should
she be looking for? Why? What are the assertions that are important to address for this account?

c. What are one or more audit steps you think Lois should conduct while the client counts inventory?

Answer: The inventory observation is non-routine.

a. Processes. The auditor should look for instructions regarding cut-off procedures; documentation
concerning issuance of tag numbers; proper accounting of tag numbers (e.g. issued and used, voided, and
not issued/used); the counting of inventory; and the final process of clearing inventory (e.g. ending the
physical count and the pulling of inventory tags). The auditor should determine if the product/part
number recorded on the inventory tag is accurate by matching to a supplier invoice, production order,
etc. The auditor will also check for uncounted product, which may be consigned inventory or write-offs.
Such items need to be confirmed through additional testing and therefore should be noted by the auditor
in the workpapers. These procedures address the accuracy, classification, valuation, existence, cut-off,
and rights and obligations assertions. Given the poor inventory system, the risk is that the client may
not properly label inventory and therefore not properly assign the correct costs to it.

b. Other procedures. Since the product is fungible and subject to spoilage, the auditor should have
independent testing of the raw materials, WIP, and finished goods to determine if the product is usable
and/or saleable.

7-34. [LO 4, 5] [Adapted from Wiley CPA Review] Suppose you are an auditor on the ICFR audit of Big Papi,
Inc., a publicly traded company. Your senior has assigned you a significant list of steps to perform testing
the operating effectiveness of ICFR. She tells you that before you can perform the list of audit
procedures, you must obtain an understanding of the entity's processes and controls. Based on the prior year's
audit she gives you a list of accounts that she believes you will find to be important, and the classes of
transactions that fed into each of those important accounts at least last year. As she walks off to go to
another engagement, she reminds you that this year's ICFR audit must be very efficient and you should
only test the assertions that you need to. Required: a. How will you go about obtaining an
understanding of the company's processes and controls? What will you do? What will you look at? Who
will you talk to? How will each of the procedures help you? Answer: The information provided by the
senior is a good starting point. You can compare the list of accounts she identified with the company's
financial statements to determine whether all of the important accounts are included and whether any
accounts that are not important should be dropped. You will likely talk to the company's management to
be sure your understanding of the important accounts is correct. In this discussion, you also verify the
senior's information regarding the important classes of transactions affecting those accounts. You
specifically ask if there have been changes to the company's activities or accounting system since the
last understanding was obtained. You ask for any documentation management used in assessing the
effectiveness of ICFR, and if any is available use this as another source of information. b. After you
understand the system, what will you do? Answer: To confirm the information you have already
obtained and as a part of understanding the system you will (most likely) perform a walkthrough for
each important class of transactions. You know the relevant management assertions for each financial
statement account, and after completing the walkthrough you evaluate what the risks are for each of
the relevant assertions at the various steps in processing for the class of transactions. You determine
whether the company has controls designed into the system that, if they operate effectively, will
prevent or detect misstatements before they become a part of the financial statements. c. How will you
decide which accounts and assertions to test for operating effectiveness? Answer: You assess the risk of
material misstatement related to each of the relevant assertions for each important account. Based on
your walkthrough, you identify controls that deal with those risks to the assertions and evaluate
whether they are designed effectively. If so, you test those controls to determine if they operate
effectively. d. What will you put in your work papers up through the completion of analyzing design
effectiveness? Answer: If management has produced documentation, such as descriptions or process
charts, you can use those as a starting point and update them with information obtained in your
walkthrough. If management does not have documentation, you may be able to update the
documentation the audit team constructed or used in the prior year. Absent either of those
documentary resources, you must determine (probably after consulting with your senior) how much
documentation to construct of the transaction processing steps you investigated in your walkthrough. At
a minimum, from an overall perspective, you need to identify the material accounts, significant classes
of transactions, relevant management assertions, risks to those assertions, and the misstatements that
could affect the financial statements. You must state the source of this information, such as information
from prior years' audits that you updated by interviewing management. Then, the workpapers you
prepare identify the transactions you used in the walkthrough (with enough specific information so that
someone else could find exactly the transaction you followed in the walkthrough), questions asked of
employees at what point in the walkthrough -- with responses received and your conclusion about
the response, documents examined, reperformance conducted on the transactions, and any other steps
you performed. Your workpapers should document at which step of the transaction processing a risk to
a relevant financial statement assertion exists, the control that is in place (if there is one) and what
evidence you obtained that indicates whether or not that control is effectively designed. Based on your
audit work you also conclude which controls are effectively designed to prevent or detect material
misstatements to assertions in the financial statements and therefore which should be tested for
operating effectiveness.

7-35 [LO 4] [Adapted from Wiley CPA Review] Dana, an auditor for the audit firm C&C, recently finished
up testing controls relating to management's assertion concerning the completeness of sales
transactions. In her audit work papers, Dana included the following:
• I inspected the entity's reports of prenumbered shipping documents that have not been recorded in the sales journal.
• In the course of my testing, I have found 0 items that have been sold but have not been recorded in the sales journal.
• Since testing was performed without exception, I have determined that the controls to address the completeness of sales transactions are operating effectively.
Which essential element of AS 3's documentation requirements did Dana omit from her documentation? Answer: Summary information
from the chapter helps to answer the question: The audit documentation must tie the evidence
collected to the risks being addressed that is specific to the relevant management assertion; Audit
documentation must include the basis for the auditor's conclusions; Audit documentation includes
Planning and performance of the work; What the audit procedures were, when they were performed, by
whom; Evidence is obtained; and Conclusions are reached. Assume the audit plan describes the step
Dana is to perform and links it to the risk and assertion. The assertion is that all sales have been
recorded; that is, all items that were shipped have been recorded as sales. (The assertion could equally be that
no items that have not yet been shipped have been recorded as sales, although her conclusion relates to
the risk of unrecorded sales.) Her work papers should include the following information: In the first
bullet the problem is that she provides insufficient information to identify the items she examined.
What numbers were the prenumbered shipping documents she inspected? From what source did she
select them? Electronic or paper documents? How did she know these would represent all the
shipping documents associated with potentially unrecorded sales? Was it a sample or 100% of the
items? If the test was related to cutoff, did she examine documents before and after the fiscal
year end? Was a part of her test to determine whether all the prenumbered documents could be
accounted for, that is, that there were no gaps in the numbering sequence? (If she was testing to see that no
inappropriate sales were recorded, she would start from the sales journal, select sales, find the
corresponding shipping document numbers, then examine the documents to be sure that the items had
in fact been shipped and the sales transaction billed.) The second bullet appears to be a conclusion but
there is no basis for the conclusion. How did she determine that 0 items were sold but not recorded?
The workpapers should include the document numbers of the documents that had been used for
shipment. She should examine the shipping document, and agree the information on the shipping
document to what is recorded in the sales journal, specifying all the information that she compared,
such as name of purchaser, date of transaction and amount, indicating whether all the information
agreed between the shipping document and the recorded information. If she found no conflicting
evidence, she can conclude that none of the shipping documents she tested were unrecorded or
recorded improperly. In the third bullet, her conclusion is too broad. What control was she testing? Was
she testing an automated control? Was she simply testing that the client's mechanism for getting
shipping documents into the sales journal was effective? Was she testing that the cutoff at year end was
effective, and that at year end no items were shipped in one year and not recorded until the next? If she
is testing for the processing of the control at year end she needs to clearly state the period covered. If
she is covering a period of time, then she is likely using a sample and would state that based on the
sample of transactions in the time period (for example) for the month of December, the control that was
designed to be sure that all items shipped were booked as sales, operated effectively. She might also
conclude that, as a result of the correspondence between shipping document and sales journal
information, the control operated effectively at year end. If she was also trying to establish whether the
control could be relied upon and could therefore alter the nature, timing or extent of procedures for the
financial statement audit, she clearly states the period of time covered by her test and (assuming all the
shipping documents were properly posted) that during that period of time the control establishing that
all shipments were properly posted to the sales journal operated effectively.
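The test that answer 7-35 says Dana should have documented can be expressed as a repeatable procedure. The following is an added example, not part of the original answer key: it records the population tested, checks the prenumbered sequence for gaps, agrees each shipping document to the sales journal on purchaser, date and amount, and flags year-end cutoff exceptions. All data, field names and function names are constructed for illustration.

```python
from datetime import date

# Constructed sample data (not from the text): shipping documents issued
# around a 31 December year end and the sales journal entries citing them.
SHIPPING_DOCS = [
    {"doc_no": 1001, "purchaser": "Acme Clinic", "date": date(2023, 12, 28), "amount_cents": 120000},
    {"doc_no": 1002, "purchaser": "Bay Optics", "date": date(2023, 12, 29), "amount_cents": 56050},
    {"doc_no": 1004, "purchaser": "Cove Dental", "date": date(2023, 12, 30), "amount_cents": 98000},
    {"doc_no": 1005, "purchaser": "Dune Medical", "date": date(2023, 12, 31), "amount_cents": 31000},
    {"doc_no": 1006, "purchaser": "Elm Surgical", "date": date(2024, 1, 2), "amount_cents": 45000},
]
SALES_JOURNAL = [
    {"doc_no": 1001, "purchaser": "Acme Clinic", "date": date(2023, 12, 28), "amount_cents": 120000},
    {"doc_no": 1002, "purchaser": "Bay Optics", "date": date(2023, 12, 29), "amount_cents": 65050},
    {"doc_no": 1005, "purchaser": "Dune Medical", "date": date(2024, 1, 3), "amount_cents": 31000},
    {"doc_no": 1006, "purchaser": "Elm Surgical", "date": date(2024, 1, 2), "amount_cents": 45000},
]
YEAR_END = date(2023, 12, 31)

# The fields the answer says must be agreed between document and journal.
COMPARED_FIELDS = ("purchaser", "date", "amount_cents")


def sequence_gaps(doc_numbers, first, last):
    """Return every number in [first, last] for which no document exists."""
    return sorted(set(range(first, last + 1)) - set(doc_numbers))


def run_completeness_test(shipping_docs, journal, first, last, year_end):
    """Trace shipping documents to the sales journal (completeness direction)."""
    journal_by_doc = {}
    for entry in journal:
        journal_by_doc.setdefault(entry["doc_no"], []).append(entry)

    in_scope = sorted(
        (d for d in shipping_docs if first <= d["doc_no"] <= last),
        key=lambda d: d["doc_no"],
    )
    tested = [d["doc_no"] for d in in_scope]
    result = {
        "population": (first, last),   # what was tested, so it can be re-found
        "tested": tested,
        "gaps": sequence_gaps(tested, first, last),
        "unrecorded": [],              # shipped, no journal entry
        "duplicate_entries": [],       # one document booked more than once
        "mismatches": [],              # (doc_no, [fields that disagree])
        "cutoff": [],                  # shipped by year end, booked after it
    }
    for doc in in_scope:
        entries = journal_by_doc.get(doc["doc_no"], [])
        if not entries:
            result["unrecorded"].append(doc["doc_no"])
            continue
        if len(entries) > 1:
            result["duplicate_entries"].append(doc["doc_no"])
        entry = entries[0]
        diffs = [f for f in COMPARED_FIELDS if doc[f] != entry[f]]
        if diffs:
            result["mismatches"].append((doc["doc_no"], diffs))
        if doc["date"] <= year_end < entry["date"]:
            result["cutoff"].append(doc["doc_no"])

    exception_keys = ("gaps", "unrecorded", "duplicate_entries", "mismatches", "cutoff")
    result["without_exception"] = not any(result[k] for k in exception_keys)
    return result


if __name__ == "__main__":
    for key, value in run_completeness_test(
        SHIPPING_DOCS, SALES_JOURNAL, 1001, 1006, YEAR_END
    ).items():
        print(f"{key}: {value}")
```

The returned dictionary is the basis for the conclusion: it names the document range, every exception by number, and the fields that disagreed, which is the information the answer finds missing from Dana's work papers.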

7-36 [LO 2] Separate and assign the following activities to employee A, B and C to accomplish the best
control. Explain why. a. Assemble supporting documents for cash disbursements. b. Maintain custody of
the signature plates used for the computer processes when checks are produced. c. Authorize the
update of the general ledger each month and review all accounts for unexpected balances. d. Cancel
supporting documents for cash disbursements to prevent their reuse. e. Approve customers' applications
for credit. f. Approve the write off of accounts receivable determined to be uncollectible. g. Input the
shipping and billing information resulting from sales and shipments. Answer: Employee A: a, g. Employee
B: b, c, f. Employee C: d, e. Rationale: separate cash disbursements document prep from custody of
signature plates, and cancellation of documentation in order to prevent unauthorized use/reuse of
documentation. Also, separate approval of credit to prevent account write-off (and possible hiding) of
poor credit decisions.

7-37 [LO 4, 5] Joan Hacker, CPA, is the CFO of Smooth Ride, a publicly-held boat trailer manufacturer. At
the close of the second quarter of 2009, Joan received the physical count of raw materials inventory
amounting to $2,695,872. At the same time, Joan's self-designed computer model for deriving inventory
figures showed a raw materials inventory calculation of $3,374,024, which was $678,152 higher than the
physical count calculation. Since Joan was rushed to prepare the financial statements, she used the
computer model figure, resulting in $181,000 net income and $0.03 per share earnings. She adjusted the
inventory to equal the correct count for the end of the third quarter when she had more time. The result
for Quarter 3 was a net loss of $253,000 and a loss of $0.04 per share. Required: What are the control
ramifications of Joan's actions? Answer: As CFO, Joan was ultimately responsible for ensuring that the
company had an adequate system of internal controls in place and that those controls were maintained
and properly utilized. By recording materially incorrect inventory results in Smooth Ride's books and
records, Joan failed to assure that the company maintained an adequate system of internal accounting
controls to properly account for inventory. By using the incorrect higher figure, the financial statements
for Quarter 2 reflected a lower cost of goods sold and correspondingly higher net income than if the
lower (correct) inventory figure had been used. Despite the fact that she used the correct physical
inventory figures in the third quarter, this caused Smooth Ride to file a false and misleading quarterly
report with the SEC that misrepresented the second quarter financial results of the company,
overstating net income and earnings, and also caused a misstatement effect in the third quarter.

7-38 [LO 2, 4] Greg Norman is the auditor in charge of the Rogers Pharmaceutical Company audit. In
assessing the internal controls for the company, Greg finds that the company bills customers and
receives payments at three offices in three separate states using three different and incompatible
software systems for tracking payments. Rogers' terms of sale vary with the customer and vary from
thirty days to ninety days. Open invoices are aged based on when they were booked to the receivables,
but cash, chargebacks, or rebates are aged based on when they were applied to the account. Thus, a
credit could be posted to the customer's account when it was received, but the related invoice(s)
remains open as a receivable and continues to age. Chargebacks are significant and linked to a batch of
product rather than invoice. Most similar companies have credit limits or credit checks but Rogers does
not because all wholesalers are board certified M.D.s, like the company's founder. Rogers' total accounts
receivable was $25,276,025. Rogers' total accounts receivable past due over sixty-one days was $17,434,500.
Rogers' top-five wholesalers had accounts receivable of $13,457,516. Rogers' top-five wholesale
customers had $5,428,850 past due over sixty-one days. Rogers' allowance for doubtful accounts of
$266,000 did not include any estimates for the top-five wholesale customers, because it was
management's belief at the time that the top-five wholesalers did not present a collection risk.
Required: Based on these control issues and findings, explain some of the most likely sources of
misstatement that exist. Answer: There are a number of significant problems, but some of these include:
The current system does not allow for accurate reconciling of accounts receivable. There are insufficient
credit efforts; M.D.s can default or have bad credit to begin with. There is a potential for chargebacks to
be posted to the wrong accounts. The system opens up the possibility for a lot of old items to remain in
accounts receivable. Aging reports are likely of little or no value. Transaction reporting likely increases
the possibility of duplicate accounts in the system. There is a lack of company-wide controls due to
diverse IT systems. Based on faulty reconciliation and credit function, there is no way to set collection
priorities. A legacy of A/R reports likely exists that have not been worked by collections. The
allowance for doubtful accounts is understated, since nearly 69% of all accounts receivable are overdue
and 40% of the top five customers are overdue. There appears to be a lack of coordinated sales term
policy.

7-39 [LO 5] Hammer Orthopedic Corporation periodically invests large sums in marketable equity
securities. The investment policy is established by the investment committee of the board of directors
and the treasurer is responsible for carrying out the directives of the investment committee. All
securities are stored in a bank safe-deposit box. The following issues are included in the independent
auditor's plan for auditing internal control with respect to the company's investments in marketable
equity securities. To understand the design of the system, the audit procedure is to make the following
inquiries of management: 1. Are all securities stored in a bank safe-deposit box? 2. Is investment policy
established by the investment committee of the board of directors? 3. Is the treasurer solely responsible
for carrying out the investment committee's directives? Required: In addition to these questions, what
other questions should the auditor ask with respect to Hammer's marketable equity security
investments? Answer: Student answers may vary. However, some questions include: Are marketable
security investments supported by invoices with brokers? Are subsidiary records of investment kept and
reconciled periodically with a control account? Do cash disbursement procedures contain directions for
accounting for investments in marketable securities?

7-40 [LO 2] Simmons Optics Company is a medical device manufacturing company in Florida. As such, it
has a number of new products at various stages of development, with many swings notable in its
Research and Development budget aimed at taking advantage of tax credits. With the downswing in the
economy and change in the optics technology, a new competitor, Bright Eyes Instruments, Inc., is taking
a larger percent of the optical market. As a result, the CEO is pushing supervisors to reduce product
development time from 24 months to 10 months, but without any new capital expenditures. The Board
of Directors almost always agrees with the CEO's initiatives and has rubber-stamped this course of
action. The new CFO of the company has only been at his job for six months. He is a hands-off CFO and
sees this position as a way to enjoy sunshine, golf, and the ocean. However, during this period he has
realigned the reporting responsibilities of the company, so that the credit and collections department
reports to the Sales Controller, rather than the head of the treasury department. He also gave the Sales
Controller increased authority to develop business by negotiating the terms of sales transactions and
the authority to recognize revenue. The Sales Controller developed and negotiated a new type of
agreement, called Guaranteed Profit agreements, which relieve Simmons' direct customers (primarily
optometrists) of any obligation to pay for goods unless they were sold through to end users or patients.
In these agreements, Simmons books the revenue, but the CFO is not aware of any reversals for unsold
goods, but admits that the information system has had significant disruptions in processing during his
tenure. Required: Identify the Entity Level - External and Internal Risk Factors in this scenario. Answer:
Within this scenario, a number of external entity level risk factors exist: External Factors: Technological
developments and tax credits are affecting the nature and timing of research and development. Tax
regulations seem to be forcing changes in operating policies and strategies. Competition and a change in
the optics technology are driving the CEO's mandate to decrease R & D time. Competition has caused the
Sales Controller to alter marketing or service activities with guaranteed profit agreements. Economic
changes have had an impact on the CEO's decision to require dramatic cuts in R & D time without
proportional increases in capital expenditures. Within this scenario, a number of internal risk factors
exist: Internal Factors: There has been a disruption in information systems processing that adversely
affects the monitoring of the entity's sales agreements and operations. The hiring of the CFO appears to
be a better deal for the CFO than the company, since he has a mentality of on-the-job retirement. This
has more than likely influenced the level of control consciousness within the entity. Likewise, the
realignment of the reporting seems to have weakened controls by eliminating segregation of duties (i.e.,
the Sales Controller has too much power) and doublechecks (i.e., the treasury department is out of the
loop) on the revenue recognition area. An unassertive board of directors rubber-stamps
management strategies, which can provide opportunities for indiscretions. The nature of the entity's
activities, like the Guaranteed Profit agreement, appears to be a misappropriation of resources under
GAAP.

7-41 [LO 2, 3, 4] You are engaged to audit the financial statements of Sebastian Construction Company.
The company specializes in the construction of medical clinics. The percentage-of-completion method is
used by Sebastian to account for all construction projects. As Sebastian completes a project, the building
and property are sold to the clinic operator, who makes a 20% down payment and gives an installment
note for the balance. Sebastian discounts the note with First State Bank and receives the proceeds
minus the bank discount. Sebastian remains contingently liable for the discounted notes. With the
economic downturn, sixty percent of the notes are now in default and Sebastian has constructed
virtually nothing within the last 10 months. When you arrive to discuss the upcoming audit, you notice
that the parking lot, which was full last year, is nearly empty. The CFO assures you that the slowdown is
merely temporary and that the company is starting to get in new contracts every day. In fact, the CFO
brags that they have hired new crews to begin five new projects next week. As you begin the audit, you
notice the following: 1. Of the 250 requests for confirmations of accounts receivable that were mailed,
only 30 were returned after two mailings. 2. A number of the general ledger transactions lacked
documentary support. 3. The company's property and equipment ledgers for depreciation could not be
reconciled to the general ledger. 4. The internal control report represented and signed by the CFO as
"Excellent" showed a significant number of compliance deviations. Required: (a) Based on this
information, discuss the circumstances demanding special risk assessment attention. (b) What are the
most important assertions for Sebastian Construction? (c) Based on the Sarbanes-Oxley Act of 2002,
what corporate responsibility for financial reports does the CFO appear to have violated? Answer: (a)
There are changed operating environment circumstances due to the economic downturn. (b) While all
of the assertions are important, they do not all have the same level of importance for each account on
the financial statements. 1. With respect to the lack of confirmation, we would wonder about the
occurrence assertion, relating to whether the transactions have taken place, and existence,
whether the accounts receivable exist. If they don't exist, the valuation of the accounts receivable is in
error. 2. Regarding the unsupported transactions, we must question their existence. 3. Regarding the
lack of reconciling depreciation, we would question if the company owns the equipment (rights and
obligations) and the valuation or allocation of including necessary depreciation for equipment used. 4.
The CFO's apparent misrepresentation of internal controls calls into question the presentation and
disclosure of the company's records. 5. Regarding the defaulted discounted notes, the auditor would also
have to question the company's ability to continue as a going concern if so many notes are uncollectible
and specifically would address the valuation assertion. (c) Regarding SOX and the CFO's certification of
internal controls, it appears that he may have violated: (1) review of the report; (2) represented an
untrue material fact or omitted to state a material fact that resulted in misleading; (3) did not provide
sufficient guidance for establishing and maintaining internal controls; (4) did not sufficiently design
internal controls to ensure that material information was in financial statements; (5) may not have
evaluated controls recently (within 90 days prior to the report); or (6) did not disclose significant
deficiencies of internal controls.

7-42 [LO 1,2] Think about the businesses and other entities with which you interact in your everyday life.
Select a particular business that you know to complete the following. Required: (a) Identify some
process about the way the entity does business that is carried out for control purposes. Consider the
following example, "If you do not get a receipt your purchase is free." This note, frequently seen by a
sales terminal adds the consumer as a control element to be sure the sales person enters the
transaction. (b) Identify some aspect of the entity for which there should be a control and a control
activity does not exist. (Hint: One way to find these controls that are lacking is to evaluate how a
customer could get in free, or receive their product or service and "get away" without paying.) Answer:
Student answers will vary. Their answers should address the concepts noted above.

7-43 [LO 3] Milton Baxter is the in-charge auditor for Apex Company, a long-time client of the Baxter
CPA Group. The company has expanded into a new industry by acquiring equipment that will be used to
manufacture several types of products. The CEO has indicated that as one of the conditions for providing
financing for the new equipment, the bank must receive a copy of the annual financial statements.
Another condition is that the total assets cannot fall below $300,000. The loan will be called for
immediate repayment, if this happens. Currently, the total assets are reported at $308,000 (including
the new machine but prior to making the adjustment for depreciation). The CEO of Apex has asked
Baxter to examine the facts and provide audited financial statements that are acceptable to the bank.
The depreciation method for the machinery has not been adopted yet. Equipment in other parts of the
company uses the double-declining balance method. The cost of the new equipment is $60,000 and it is
estimated to be worth $5,000 at the end of five years. Because the new products have not yet begun to
catch on with consumers, the company produced just 5,000 units this year and it is expected that a total
of 40,000 units will be made over the 5 year period. Required: Based on this information, calculate
straight-line, double-declining balance, and unit of production depreciation for the new machine. Which
depreciation method would allow Apex to stay within the bank's threshold? Is it ethical to recommend
that method to the company prior to audit? Answer:
Straight line = ($60,000 - $5,000) / 5 = $11,000
Double-declining = $60,000 x 40% = $24,000
Units of production = (5,000 / 40,000) x ($60,000 - $5,000) = $6,875
The auditor uses management's assertions to plan the audit procedures conducted in an integrated audit.
The auditor carries out audit procedures, collecting evidence which gives the auditor a basis to conclude
whether ICFR is effective and management's financial statement assertions are appropriate. The controls
ultimately relate to the company producing financial statements that are not materially misstated. In
this case, it would be unethical for the auditor to tell the CEO which method would beat the bank's
threshold for the loan and also audit the books. This is especially true since he knows that this
depreciation method is not typically used by the company for any other equipment and that
depreciation amount is not representative of the normal depreciation for the machine.

7-44. Go to the 10-K report for Starbucks. Find the following: management's Section 404, 302, and 906
reports and the auditor's report. Compare the management reports to the examples provided in the
text. Do you note any differences? Read the auditor's report. Is there a separate report providing the
internal control opinions? Or are all the internal control and financial statement audit opinions provided
in one report? Answer: Student answers will vary depending on the fiscal year of the report.

7-45. Go to the COSO Web site. Find the IC Framework and ERM Framework. What is the major
difference between the two frameworks, in terms of their stated purposes? Compare the components
of the two frameworks. (Hint: Appendix B to this chapter will help.) Answer: The ERM Framework
encompasses the IC Framework. The ERM Framework was developed with the intent of providing a
logical and orderly way for management to identify, analyze, and manage all of a company's risks. These
risks extend beyond the risks contemplated by the COSO IC Framework. Thus, the ERM Framework
offers management something additional by providing guidance on managing all of a company's risks
and uncertainties.

7-46. Go to the SEC Web site and access the Sarbanes-Oxley Act, Section 906. What are the monetary
and criminal penalties specified, and for what type of wrongdoing? Answer: Section 906 details the chief
executive officer's responsibility to submit written statements along with the periodic financial reports.
Executives who submit reports not in compliance with the act may be fined up to $1 million or
imprisoned for not more than 10 years, or both. Executives who willfully submit such statements are
subject to possible fines up to $5 million and imprisonment of no more than 20 years, or both.

7-47. Go to the SEC Web site. Access 33-8810; 34-55929. What title do you see? Read the first few pages.
How does this relate to what is covered in this chapter? Answer: Internal Control Reporting and Auditing
Provisions are contained in this release.

7-48. Search for management reports that utilize internal control frameworks other than COSO
(probably found in reports of companies in countries other than the United States). Answer: Student
answers may vary, depending upon the reports accessed. Besides COSO, students may list: CoCo, CobiT
and the Basle Committee on Banking Supervision [BCBS].

7-49. Conduct a search in the business journals and print media regarding increased audit costs for
companies as a result of the Sarbanes-Oxley Act. Look particularly for internal costs associated with
management documenting and testing internal control. Answer: Student answers will vary depending
on the journals and articles accessed.

Chapter 7 Appendix A Multiple Choice

7-50. a 7-51. b 7-52. c 7-53. d 7-54. c 7-55. b 7-56. a 7-57. d

Discussion Questions 7-58. Why is the auditor concerned about whether a company has controls over
the development or changes it makes to computer software? What impact do these controls have over
the auditor's conclusions for the ICFR audit? The financial statement audit? Answer: Because the ability
to change programs is an entity-level control, this control is crucial to the internal control system.
Unauthorized access to computer programs provides unauthorized access to the entire organization's
records, including accounting and financial records. Unauthorized access to programs is usually not
apparent and users with unauthorized access can make changes directly to the transaction data and
master files, thereby allowing material misstatements and fraud to occur without timely detection. This
is a very real possibility since unauthorized program access can allow a user to eliminate or change the
audit trail.

7-59. What concerns does the auditor have over access controls and their impact on data security?
What impact would a problem with access controls have on the auditor's conclusions in an ICFR audit of
a company with an extensive IT system? Do you think management could assert that the financial
statements are accurate and complete if access controls are insufficient? Why? Answer: Access controls
determine who is allowed to perform certain functions. Access controls are at the heart of separation of
duties, and thus provide a significant function in controlling data security; they are considered
entity-level controls, meaning that poor access controls place the I/C system at high risk. A problem with access
controls would represent a material internal control deficiency and require significantly more testing of
balances and transactions during the substantive audit work. If access controls were insufficient in an
organization with an integrated IT system, the auditor would not be able to rely on the I/C system to
detect or prevent material misstatements in the financial statements. The auditor would either have to
expand substantive testing significantly or withdraw from the engagement.

7-60. If all of a company's ITGC are effective except its contingency controls, would the auditor be able to
conclude that the ICFR is effective? What if other controls are lacking but contingency controls are
effective? How would the auditor modify plans for the financial statement audit if the conclusion in the
ICFR audit is that many general controls are lacking but contingency controls are consistently effective?
Answer: No; contingency controls, such as back-up and recovery in case of a disaster, are an integral
part of the ITGC (e.g. entity level). If the ITGC are effective, but no safeguard exists to provide for data
recovery and a disaster occurs, all the ITGC are essentially meaningless. If other controls are lacking
would depend on the nature of the other controls, such as whether the controls were material to the
overall ITGC and whether there were compensating controls. If many of the other controls are lacking,
the auditor would have to satisfy himself that there were compensating controls for those missing. The
auditor would also need to substantially expand the nature and timing of substantive testing.

7-61. If the head of the IT department and the CFO have complete access to all aspects of the IT system
and the ability to input, change and delete transactions, is this a weakness in ICFR? If so, how important
is it? Would this situation have any impact on the audit procedures of the financial statement audit?
Given the positions these individuals hold, how might their authority and activities be changed to
enhance the control environment while still permitting them to do their jobs? Answer: Yes, this is a
material weakness. It could be material enough to warrant withdrawal from the audit. This would have
significant impact on the procedures for a F/S audit since there would be no reasonable assurance that
the transactions which comprise the financial statements are valid, authorized, etc. The easiest way to
correct the problem is to eliminate access to the programs and transactions by the IT department head,
separating the duties for program changes, program change authorization, and transaction data access.
Generally, IT does not need access to the data files, so such access should be eliminated.
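The separation described in the answer to 7-61 can be checked mechanically against an access listing. The following is an added example, not part of the original answer key; the user names, department labels, duty names and the "after" assignment are assumptions constructed for illustration.

```python
from itertools import combinations

# Duties the answer to 7-61 says to separate; holding any two is a conflict.
SEPARATED_DUTIES = {
    "program_change",
    "program_change_authorization",
    "transaction_data_access",
}


def sod_findings(users):
    """Return sorted (user, finding) tuples for a {user: {"dept", "duties"}} map."""
    findings = []
    for name, info in users.items():
        held = sorted(info["duties"] & SEPARATED_DUTIES)
        for a, b in combinations(held, 2):
            findings.append((name, f"holds both {a} and {b}"))
        # The answer notes that IT generally does not need access to data files.
        if info["dept"] == "IT" and "transaction_data_access" in info["duties"]:
            findings.append((name, "IT user with transaction data access"))
    return sorted(findings)


# Constructed sample: the situation in question 7-61 (full access for both).
BEFORE = {
    "it_head": {"dept": "IT", "duties": set(SEPARATED_DUTIES)},
    "cfo": {"dept": "Finance", "duties": set(SEPARATED_DUTIES)},
}

# Constructed sample: one possible remediated assignment (an assumption).
# "report_review" is a hypothetical read-only duty outside the separated set.
AFTER = {
    "it_head": {"dept": "IT", "duties": {"program_change_authorization"}},
    "developer": {"dept": "IT", "duties": {"program_change"}},
    "cfo": {"dept": "Finance", "duties": {"report_review"}},
    "ap_clerk": {"dept": "Finance", "duties": {"transaction_data_access"}},
}

if __name__ == "__main__":
    for label, listing in (("before", BEFORE), ("after", AFTER)):
        results = sod_findings(listing)
        print(f"{label}: {len(results)} finding(s)")
        for user, finding in results:
            print(f"  {user}: {finding}")
```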

Problem 7-62. AS 2, paragraph 11 defines preventive controls as having "the objective of preventing
errors or fraud from occurring in the first place that could result in a misstatement of the financial
statements." Detective controls "have the objective of detecting errors or fraud that have already
occurred that could result in a misstatement of the financial statements." Required: Set up a work paper
with two columns, one labeled preventive and the other labeled detective. Using the discussion of ITGC
presented in Appendix A, classify the various controls discussed as preventive or detective controls. Are
there any you placed in both columns because they serve both a preventive (P) and detective function
(D)? Examine your controls and answer the following. (a) Are there any preventive controls that you
believe are less important if a related detective control is effective? What would the related detective
control be? Explain how it would compensate. (b) Are there any detective controls that you believe are
less important if the related preventive controls are effective? What would the related preventive
control be? Explain how it would compensate.

Answer:

IT control environment: P&D
Policy development and communication: P&D
Segregation of duties: P&D
Monitoring procedures: P&D
Software acquisition: P&D
Hardware acquisition: P&D
Network technology acquisition: P&D
Program development: P&D
Program changes: P&D
Computer operations: P&D
Policies and procedures: P&D
Batch processing and end user computing: D
Backup management: P&D
Data center controls: P&D
Capacity planning and performance issue management: P&D
Recovery procedures for operational failures: P&D
Access to programs and data: P&D
Security policies and procedures: P&D
Testing security measures: P&D
Authorization decisions for access: P&D
Monitoring security measures: P&D
Application software access: P&D
Operating system security: P&D
Network security administration: P&D
Data security: P&D
Software and interface controls: P&D
Contingency controls: P&D
Backup procedures: P&D
Service interruption, disaster, and recovery: P&D
Human resources: P&D
Hiring policies: P
Training: P&D
Termination policies and controls: P
Physical facilities controls: P&D
Protected environment: P
Controlled climate: P
Fire suppression and evacuation plans: P
Inconspicuous facilities: P

NOTE: Most controls can be either, depending on how they are configured!

a) Preventive controls less important if a related detective control is important? A: None; preventive
control is always better than detective control.

b) Detective controls less important if the preventive control is important? A: Batch processing; if the
processing went to on-line with input edit controls, then batch controls would not be necessary since
errors would be prevented and not need to be detected.

Activity Assignment 7-63 View or review the movie, Catch Me If You Can (Leonardo DiCaprio,
Dreamworks, 2002). Investigate information on Frank Abagnale Jr., the individual whose early life is
portrayed in the movie, including his current occupation. (a) Explain how the main character in the
movie used social engineering. (b) Although the events of the movie occurred before much of today's
information technology was developed, many of the processes used by the villain could be successfully
used today. Give examples and explain why this is the case. (c) Why are the knowledge and skills used by
Frank Abagnale Jr. during his early life applicable to what he does now? Answer: (a) & (b) Student
answers may vary but should focus on information about how, during the 1960s and without the
assistance of the Internet or other digital conveniences, Frank Abagnale, Jr., made his mark as a social
engineer. He portrayed himself as a variety of imposters and used techniques that would build
confidence with his victims. Combining those talents with his forgery skills, he pulled off some of the
most deceptive scams of all time, everything from impersonating a chief resident pediatrician at a
hospital for almost a year to posing as an airline pilot to fly for free. While Abagnale used his knowledge
and expertise for purposes of deceit, he later served his time. (c) Currently, he is a millionaire
and lives in Tulsa, Oklahoma with his wife, whom he married one year after becoming legitimate. They
have three sons; he works as a security consultant helping the FBI by teaching at the FBI Academy and
lecturing for FBI field offices throughout the country. One of his sons currently works for the FBI, also.
