CHAPTER 7

7-1 What is Internal Control?

- Internal control is a process designed by the management, those charged with governance
and other personnel within the entity to provide reasonable assurance that the following
objectives will be met:
 Effectiveness and efficiency of operations
 Reliability of financial reporting
 Compliance with laws and regulations

7-2 Identify the five components of an organization’s internal control.

- The five components of an organization’s internal control are:

1. The Control Environment
2. Risk Assessment
3. Control Activities
4. The Accounting Information System
5. Monitoring of Controls

7-3 List the principles related to an organization’s control environment.

- The basic principles of the control environment include:

 Commitment to integrity and ethical values.
 Board of directors demonstrate independence from management and exercises
effective oversight of internal control.
 Establishment of effective structure, including reporting lines, and appropriate
authorities and responsibilities.
 Commitment to attract, develop, and retain competent employees.
 Holding employees accountable for internal control responsibilities.

7-4 How does separation of the record keeping function from custody of assests contribute to internal
control?

- Separation of the record keeping function from custody of assets is an important internal
control measure that helps to ensure the accuracy, integrity, and accountability of an
organization’s financial reporting. It provides and independently maintained record that may
periodically be reconciled with assets on hand.

7-5 Name three factors you consider of greatest importance in protecting a business against losses
through embezzlement.

- 1. Strong Internal Controls. Establishing robust internal controls and policies is paramount in
preventing and detecting embezzlement. This includes implementing segregation of duties,
where different individuals are responsible for different parts of financial transactions, thus
reducing the opportunity for one person to carry out and conceal fraudulent activities.
2. Employee Screening and Training. Thorough background checks and screening procedures
should be implemented during the hiring process to identify individuals with a history of
dishonest behavior or financial irregularities. Moreover, ongoing training and awareness
 programs can educate employees about the signs of embezzlement, their roles in preventing
it, and the importance of reporting suspicious activities promptly.
3. Regular Audits and Reviews. Conducting regular audits and reviews of financial records is
essential for uncovering irregularities and deterring potential embezzlement.

7-6 Describe what is meant by the risk assessment component of internal control and how it contributes
to internal control.

- The risk assessment component of internal control relates to the factors that affect the risk
that the organization's reporting objectives will not be achieved. An awareness of this
component contributes to internal control because management's consideration of the
possibility that reports (including financial statements) may be misstated decreases the
likelihood of misstatement.

7-7 Describe the two types of monitoring and provide an example of each.

- The two types of monitoring are:

1. Ongoing monitoring evaluations. It includes regularly performed supervisory and
management activities. Examples of this are continuous monitoring of customer
complaints, or reviewing the reasonableness of management reports.
2. Separating evaluations. These are monitoring activities that are performed on a
nonroutine basis. An example of this would be periodic audits by the internal auditors.

7-8 Identify the four types of control activities and describe how each type contributes to effective
internal control.

- The four types of control activities are:

(1) Performance Reviews. Performance reviews contribute to internal control by providing
management with an overall indication of whether personnel at various levels are effectively
pursuing the organization's objectives.
(2) Transaction Processing. Transaction processing controls are performed to check the
completeness, validity, and authorization of transactions.
(3) Physical Controls. Physical controls contribute by assuring physical security over both
records and other assets.
(4) Segregation of Duties. Segregation of duties reduces the opportunities for any person to
perpetuate and conceal errors or irregularities.

7-9 One basic concept of internal control is that no one employee should handle all aspects of a
transaction. Assuming that a general category of transactions has been authorized by top management,
how many employees (or departments) should participate in each transaction, as a minimum, to achieve
strong internal control? Explain in general terms the function of each of these employees.

- Assuming that the general category of transaction has already been authorized by top
management, at least three employees or departments should usually participate in each
transaction to achieve strong internal control. One employee approves the transaction after
determining that the details conform to company policies, another employee records the
transaction in the accounting records, and the third employee executes the transaction by
releasing and/or taking custody of the related assets.
7-10 Compare the objectives of the internal auditors with those of the independent auditors.

- The primary objective of the internal auditor is to aid corporate management towards an
efficient administration by investigating and reporting upon compliance with company
policies, reliability of accounting and statistical records and reports, adequacy of internal
control, efficiency of operating procedures, and effectiveness of performance in all areas of
operation. Meanwhile, the primary objective of the external (independent) auditors is to
determine whether the financial statements fairly reflect the financial position, operating
results, and cash flows of the business. The external auditors have a responsibility to
stockholders, creditors, and the public as well as to management.

7-11 What consideration, if any, may external auditors give to the work of a client's internal audit staff?

- The external auditors should consider the work of the internal auditors as a portion of the
control environment of internal control. After evaluating the competence, objective, and
disciplined approach of the internal auditors, the external auditors will determine the extent
to which the work of the internal auditors may be used in determining the nature, timing,
and extent of their testing.

7-12 Describe the relationship between corporate governance and internal control.

- Corporate governance is the system by which companies are directed and controlled. It
includes the policies, procedures, and mechanisms established to ensure that the company
operates in the best interests of its major stakeholders and society as a whole. The concept
is broader than internal control in that corporate governance is not only concerned with the
effectiveness of financial reporting, but it also encompasses ethical treatment of major
stakeholders, compliance with laws, regulations, customary business practices, and effective
risk management. The control environment of internal control is particularly significant to
corporate governance.

7-13 What are the purposes of the consideration of internal control required by generally accepted
auditing standards?

- Auditors consider internal control because its quality has a major effect on the nature,
timing, and extent and nature of the audit procedures necessary to complete the audit.
More specifically, the auditors' understanding of the entity and its environment, including
internal control allows them to:

(1) assess the risks of material misstatements of the financial statements; and

(2) design the nature, timing and extent of further audit procedures.

7-14 A prospective client informs you that all officers and employees of the company are bonded, and he
requests that under these circumstances you forgo a consideration of internal control in order to reduce
the cost of an audit. Construct a logical reply to this request.

- If the safeguarding of company assets were the only objective of internal control, then some
basis might exist for the argument that the bonding of employees was an acceptable
substitute for good internal control practices. However, internal control has other important
 objectives as assuring the reliability of accounting data and other types of information
needed by management for the effective direction of the business. When internal controls
are weak or absent, the losses from waste and inefficiency are opted to be far greater than
losses from dishonest acts by employees. An assessment of internal control by the auditors
is a prerequisite to the determination of the nature, timing, and extent of the further audit
procedures necessary to express an opinion on the financial statements. Under normal
circumstances, the assessment of internal control significantly reduces the cost of an audit,
because a reduction in the assessed level of control risk permits the auditors to perform
much less substantive procedures than would otherwise be necessary.

7-15 Suggest a number of sources from which you might obtain the information needed to prepare a
description of internal control in the audit working papers.

- Among the sources of information that auditors may use in preparing a working paper
description of internal control are: organization charts, charts of accounts, job descriptions,
interviews and discussions with officers and employees, reports of internal auditors,
accounting reports, and records, inspection of facilities, and working papers and reports
from prior examinations

7-16 "All experienced auditors would design exactly the same audit plan (program) for a particular audit
engagement." Do you agree? Explain.

- No. Designing audit plans involves complex judgments, resulting in the possibility of
inconsistencies in these judgments by auditors in the field. CPA firms attempt to reduce
inconsistencies in judgments by developing firm policies, and "decision aids" or guides, that
assist auditors in gathering relevant information or combining the information to make
decisions about the nature, timing, and extent of substantive procedures.

7-17 Under what circumstances are tests of controls efficient audit procedures?

- Tests of controls are efficient auditing procedures when the reduction in the substantive
procedures that results from a lower assessed level of control risk exceeds the amount of
work involved in performing the tests of controls.

7-18 How is the auditors' understanding of the client's internal control documented in the audit working
papers?

- Documentation is usually in the form of flowcharts, questionnaires, or written narratives of

the system.

7-19 What is a management letter? What is the letter's significance?

- A management letter is the written report to the client describing such deficiencies, along
with the auditors' recommendations for corrective action. This report serves as a useful
reference document for management in implementing improvements in internal control and
may also serve to limit the auditors' liability to the client in the event the control deficiencies
subsequently give rise to defalcations or other losses.
7-20 List and describe the eight components of the COSO Enterprise Risk Management Framework.
 - 1. Internal Environment - The internal environment sets the basis for how risk and control
are viewed and addressed by an entity’s people. Upper management must express the
importance of ERM throughout all levels of an entity.
2. Objective Setting- Objectives must exist before management can identify potential events
affecting their achievement. ERM ensures that management has in place a process to set
objectives and that the chosen objectives support and align with the entity’s mission and are
consistent with its risk appetite.
3. Event Identification - Potential events that might have an impact on the entity must be
identified. Event identification involves identifying potential events from internal or external
sources affecting the achievement of objectives. It includes distinguishing between events
that represent risks, those that represent opportunities, and those that may be both.
4. Risk Assessment - Identified risks are analyzed to form a basis for determining how they
should be managed. Risks are associated with objectives that may be affected. Risks are
assessed on both an inherent and residual basis, with the assessment considering both risk
likelihood and impact. Risk assessment needs to be done continuously and throughout an
entity.
5. Risk Response- Personnel identify and evaluate possible responses to risks, which include
avoiding, accepting, reducing, and sharing risks. Management selects a set of actions to
align risks with the entity’s risk tolerances and risk appetite.
6. Control Activities- Policies and procedures are established and executed to help ensure
the risk responses management selects are effectively carried out.
7. Information and Communication - Relevant information is identified, captured, and
communicated in a form and timeframe that enables people to carry out their
responsibilities. Information is needed at all levels of an entity for identifying, assessing, and
responding to risk.
8. Monitoring- The entirety of ERM is monitored, and modifications are made as necessary.
In this way, it can react dynamically, changing as conditions warrant.

7-21 You have discussed with the president of Vista Corporation several material weaknesses in internal
control that have come to your attention during your audit. At the conclusion of this discussion, the
president states that he will personally take steps to remedy these problems and that there is no reason
for you to bring these matters to the attention of the board of directors. He explains that he believes the
board should deal with major policy decisions and not be burdened with day-to-day management
problems. How would you respond to this suggestion? Explain fully.

- You should explain to the president that auditing standards require the auditors to report
significant deficiencies and material weaknesses to the audit committee of the board of
directors. Failure to submit such a report to the board would be a violation of generally
accepted auditing standards.

7-22 Distinguish between the two subsections of Section 404 of the Sarbanes-Oxley Act of 2002.

- The two subsections of Section 404 of the Sarbanes-Oxley Act are 404a and 4040b. Section
404a requires each annual report filed with the SEC to include a report in which
management:
 (1) acknowledges its responsibility for establishing and maintaining adequate internal
control over financial reporting, and;
(2) provides an assessment of internal control effectiveness as of the end of the most
recent fiscal year.
Section 404b requires auditors of certain companies to attest to, and report on, internal
control over financial reporting.

7-23 List the five stages of the auditors' overall approach in an audit of internal control performed in
accordance with PCAOB requirements.

- The five stages of an audit of internal control performed in accordance with PCAOB
requirements are:
(1) Plan the engagement.
(2) Obtain an understanding of internal control over financial reporting (internal control).
(3) Test and evaluate the design effectiveness of internal control.
(4) Test and evaluate the operating effectiveness of internal control.
(5) Form an opinion on the effectiveness of internal control over financial reporting.

QUESTIONS REQUIRING ANALYSIS

7-24 Management is responsible for designing and maintaining its organization’s internal control. In
designing internal control, management must consider controls related to each of the five major intenal
control components: the control environment, risk assessment, the accounting information system,
control activities, and monitoring.

a. Management is considering controls for the following three control environment factors. For
each, describe how the factor contributes to effective internal control.
(1) Integrity and ethical values - Since controls are typically conducted by a group of authorized
individuals rather than a technology, the necessity of individual integrity is highlighted to
avoid the possibility of conspiring personnel committing fraud and theft. An organization
that effectively communicates its ethical principles and places a value on them by developing
programs that dissuade individuals from engaging in illegal activity contributes to the
development of effective internal control.
(2) Commitment to competence - Employees hired by the organization should be competent
and committed to their jobs, particularly if they are responsible for conducting controls and
are involved in accounting tasks. If employees lack the appropriate skills and knowledge for
the job, this results in poor performance, which has a negative impact on the effectiveness
of internal control.
(3) Board independence and effective oversight - By efficiently carrying out their assigned
obligations under the standard, both the Board of directors and the audit committee
contribute to the effectiveness of internal control. They are responsible for the quality of
management and audit procedures, financial reporting accuracy, audit results, risk
management processes, ethical concerns, and regulatory compliance.
b. Explain how risk assessment contributes to the effective internal control, and identify four
factors that result in increased financial reporting risk.
 - Risk assessment is the process of detecting and analyzing risks and determining how to
respond to them. Risks negatively influence the effectiveness of internal control, hindering
the achievement of the organization’s goal. By evaluating these risks, the probability of
material misstatements in financial statements can be recognized, and a course of action can
be taken to limit such risk and establish effective internal control. Furthermore, the four
factors that result in increased financial reporting risk are:
 Modifications in the regulatory or operating environment of the organization
 Staff changes
 Investing in new or redesigned information systems; and
 The organization’s continued expansion
c. Identify the five major objectives of an accounting information system.
- An accounting information system's primary objectives are as follows:
1. To track and record all credible transactions.
2. To accurately and timely describe the transaction in sufficient detail to properly classify
transactions for financial reporting.
3. To measure the monetary worth of transactions to record an accurate value in the
financial statements.
4. To ascertain the period during which transactions occurred to record them in the
appropriate accounting period.
5. To ensure that financial statements accurately reflect transactions and related
disclosures.
d. Describe the purpose of the following two types of control activities.
(1) Performance Reviews
(2) Transaction Processing
- Performance reviews are controls that involve the comparison of actual performance to
forecasted or prior performance; the evaluation of reports and reconciliations for
consistency; and the analysis of the link between data sets. The purpose of this control is to
monitor how far the organization's objectives are being met, to determine the strengths and
weaknesses of its employees, to determine whether or not the performance is in line with
the organization's long-term goals, to record and provide feedback on the performance, to
facilitate performance development, and to identify unusual results that may necessitate
further investigation. Transaction processing controls are controls used to guarantee that
processed transactions are correct, complete, and approved; that information processing
activities are reliable; and that forms and documents are well-designed for easy tracking.
e. Explain the two types of monitoring and provide an example of each.
- The two types of monitoring are:
1. Ongoing monitoring activities - give timely information and are carried out in the
ordinary course of business. These activities include typical management and
supervision. The continual monitoring of customer complaints is an example of
continuing monitoring activity.
2. Separate evaluations - are less common and are used to determine how effectively a
program or organization is in meeting its objectives and expectations. The extent and
timing of this evaluation will vary according to risk assessment, the quality of ongoing
 assessments, and other management factors. Internal audits performed periodically are
one example of this examination.

7-25 The definition of internal control as contained in COSO’s Internal Control-Integrated Framework and
the professional standards is quite broad and comprehensive.

a. Define internal control and its purpose.

- Internal control is a process, effected by an entity’s board of directors, management, and
other personnel designed to provide reasonable assurance regarding the achievement of
objectives relating to operations, reporting and compliance.
b. Explain the major concepts that are included in the definition of internal control.
- The definition emphasizes that internal control is a process and not an end in itself. It also
states that internal controls provide reasonable assurance and not absolute assurance that
an organization's objectives will be achieved. Also, the costs should not exceed the benefits
of internal controls. Finally, the definition addresses the achievement of objectives in the
areas of effectiveness and efficiency of operations, internal and external reporting, and
compliance.
c. List and describe the five components of internal control.
- The five components of internal control include:
(1) The control environment - The control environment of a company describes its culture
and ethics that provide the framework inside it to work effectively. The control
environment relates to the management’s style and the way it delegates authority, the
organization of its staff, and their commitment to the internal control policies.
(2) The risk assessment process - By evaluating the risks of a company, it understands how
these risks relate to its objectives. Therefore, it can identify and implement controls
against these risks. The goal of the risk assessment process is to identify risks, whether
internal or external to the company, which it faces due to its business. Both internal and
external factors require attention when it comes to risk assessment.
(3) Control activities - Control activities define all the processes or procedures that
companies implement against the identified risks. Based on the type of risk, there are
various control activities that companies can implement. Some commonly used control
activities include authorizations, approvals, reviews, physical and digital security
measures, verifications, reconciliations, segregation of duties, management,
organization, etc.
(4) The information system relevant to financial reporting and communication - It refers to
the flow of information of the control activities to the relevant authorities or personnel
so that they can implement those activities. Similar to the control environment, the
implementation of control activities depends on communication with personnel.
(5) The monitoring activities - Once companies implement control activities and
communicate them with the management, they should have procedures in place to
monitor the activities. Therefore, every company should have a reviewing and
monitoring process that it carries out regularly. Monitoring can also help companies
identify deficiencies in the control activities and find solutions for them.
d. Identify the major limitations of internal control.
 - The major limitations of internal control include custom, culture, and the corporate
governance system, which can inhibit fraud. Also, mistakes may be made in the performance
of the controls, and errors in judgment may occur.

7-26 Auditors may restrict substantive procedures based on the results of tests of controls.

a. Discuss and contrast the concepts of the planned assessment of control risk and the revised
assessment of the risk after tests of controls have been performed.
- Planned assessed level of control risk is the level of control risk the auditors assume in
designing further audit procedures, which include an appropriate combination of tests of
controls and substantive procedures. After the test of controls is completed, auditors should
determine if it is necessary to revise their assessed levels of control risk based on the results
of those tests. If the results reveal that controls are less effective than had been originally
thought, the auditors will revise their planned assessments.
b. Using internal control for the existence assertion for accounts receivable, provide an
example that distinguishes among the concepts discussed in part (a) above.
- While obtaining an understanding of internal control, the auditors may determine a planned
assessed level of control risk for the existence of accounts receivable that requires them to
test as a sample of sales transactions. Based on the results of the tests of controls for sales,
the auditors may arrive at a revised assessed level of control risk that is either higher or
lower than the level planned. The actual level of control risk for existence of receivables is,
as always, at an unknown level.

7-27 The auditor’s consideration of internal control begins with obtaining an understanding of the
client’s internal control.

a. Describe the remaining stages of the auditors’ consideration.

- The remaining stages of the auditor’s consideration of internal control include:
(1) Assessing Control Risk: After obtaining an understanding of the client's internal control,
the auditor assesses the control risk. This involves evaluating the effectiveness of the
internal controls in preventing or detecting material misstatements in the financial
statements.
(2) Testing Controls: Once the control risk has been assessed, the auditor performs tests of
controls to determine whether the controls are operating effectively. This may involve
testing the design and implementation of controls, as well as their operating effectiveness.
(3) Substantive Procedures: If the auditor determines that the controls are effective, they
may rely on them and perform fewer substantive procedures. However, if the controls are
not effective or if the auditor decides not to rely on them, they will perform substantive
procedures to obtain sufficient appropriate audit evidence directly from the underlying
accounting records and transactions.
b. Provide examples of audit procedures that are performed at each stage (including the stage
of obtaining an understanding).
- Examples of audit procedures that are performed at each stage include:
1. Obtaining an Understanding of Internal Control:
 Reviewing documentation such as policies, procedures manuals, and
organizational charts.
  Conducting inquiries with management and staff responsible for internal
control.
 Observing control activities in operation.
2. Assessing Control Risk:
 Evaluating the design and implementation of key controls, such as
segregation of duties, authorization procedures, and reconciliation
processes.
 Assessing the competence and integrity of personnel responsible for
internal control.
 Considering the results of prior audits and any identified deficiencies in
internal control.
3. Testing Controls:
 Selecting a sample of transactions and testing the effectiveness of
controls related to those transactions.
 Reperforming control activities to confirm their accuracy and
completeness.
 Inspecting documentary evidence supporting control activities.
4. Substantive Procedures:
 Performing analytical procedures to assess the reasonableness of
account balances and transactions.
 Conducting tests of details such as confirmation of account balances
with third parties, examination of supporting documentation, and
physical inspection of assets.
 Reviewing subsequent events and transactions occurring after the
balance sheet date.

7-28 Henry Bailey, CPA, is planning the audit of The Neighborhood Store, a local grocery cooperative.
Because The Neighborhood Store is a small business operated entirely by part-time volunteer personnel,
internal control is weak. Bailey has decided that he will assess control risk at the highest level for all
assertions and not restrict audit procedures in any area. Under these circumstances, may Bailey omit the
consideration of internal control in this engagement? Explain.

- Henry Bailey should not omit the consideration of internal controls because even though the
company is small and operated by volunteers, they still can put internal controls into place.
Bailey can make a valuable contribution to the small company by encouraging them to install
practical controls. Some of these controls include recording all cash receipts immediately,
depositing all cash receipts daily, and making payments by serially numbered checks.
Additionally, he has to consider and document internal controls to assess the RMM. He does
not have to test controls if control risk is assessed at the maximum.

7-29 Adherence to generally accepted auditing standards requires, among other things, a proper
understanding of the existing internal control. The most common approaches to documenting the
understanding of internal control include the use of a questionnaire, preparation of a written narrative,
preparation of a flowchart, or a combination of these methods.

a. Discuss the advantages to CPAs of documenting internal control by using:

 (1) An internal questionnaire - Easy to complete and simple
•Made to show where no answers lead to weaknesses
• Prepared list
• Help control weaknesses
(2) A written narrative - Made for each engagement
• Written Memos
• Details of internal control
• Analysis of weaknesses
• Requires detailed analysis
(3) A flowchart - Graph makes it easier to understand
• Usually, unlikely areas will be overlooked
• Uses symbols to explain procedures
• Each section has different symbols
b. If they are satisfied that no material weaknesses in internal control exist after completing
their description of internal control, is it necessary for the CPAs to conduct tests of controls?
Explain.
- If no material weaknesses in internal controls exist CPAs should:
• Test of controls is used to verify that the control is operating effectively
• Even when controls are strong it does not guarantee employees are doing their assigned
job or performing properly
• When doing a test of controls, it shows if the organization's controls that are in place are
working properly and if they will detect material errors
If you are going to rely on Internal Controls, test them.

7-30 Management is responsible for establishing effective internal control for its organization including
measures to prevent, deter, and detect fraud. Appendix 7a on pages 300-302 describes antifraud
programs and measures.

a. What are the three major categories of antifraud measures and the measures that should be
established under each category?
- The three major categories of antifraud measures are the following:
(1) Create and maintain a culture of honesty and high ethics. The measures to be
established under this category are:
 Set tone at the top
 Create a positive workplace environment
 Hire and promote appropriate employees
 Discipline
(2) Evaluate the risks of fraud and implement processes, procedures, and controls to
mitigate those risks.
 Identify and measure fraud risks
 Mitigate fraud risks
 Implement and monitor controls and other measures
(3) Develop an appropriate oversight process.
 Management
 Audit Committee (or board of directors where no audit committee exists)
  Internal Auditors
 Independent Auditors
b. Under the measure of “create a positive workplace environment” provide:
(1) Two examples of antifraud controls
 Allow employees to contribute to the development and revision of the code of
conduct.
 Encourage employees and provide them with the means to communicate
concerns about possible code of conduct violations without getting in trouble.
(2) Two examples of factors that detract from a positive workplace environment.
 Top management that appears unconcerned about or unmotivated to reward
appropriate behavior.
 Ineffective communication practices or methods within the organization.

7-31 Assume that you are auditing the financial statements of Wexler, Inc. As you are reviewing the work
on internal control, you become concerned about the adequacy of documentation. Describe the
required documentation of internal control matters.

- The overall risk assessment includes the documentation of the auditor's consideration of
internal control. The auditor must include in the documentation the following matters:
 The auditor's understanding of the internal control.
 The general measures to address the assessed risks of material misstatement at the
financial statement level.
 The nature, timing, and scope of additional audit procedures.
 The connection of those procedures with the evaluated risks at the relevant
assertion level.
 The outcome of the audit procedures.
 The conclusions reached concerning the utilization of the current audit evidence
about the operating effectiveness of controls gathered in a preceding audit.

7-32 During your first audit of a medium-sized manufacturing company, the owner, John Bell, explains
that in order to establish clear-cut lines of responsibility for various aspects of the business, he has made
one employee responsible for the purchasing, receiving, and storing of merchandise. A second employee
has full responsibility for maintenance of accounts receivable records and collections from customers. A
third employee is responsible for personnel records, timekeeping preparation of payrolls, and
distribution of payroll checks. Bell asks your opinion concerning this plan of organization. Explain fully
the reasons supporting your opinion.

- John Bell's plan to delegate responsibilities among employees, aiming for a clear line of
duties, is likely ineffective because it disregards the fundamental principle of internal
control: the segregation of duties. This principle dictates that one person should not handle
a transaction from start to finish. The client's medium-sized business assigned single
employees to tasks like acquiring, receiving, and storing merchandise, maintaining accounts
receivable and credit collection, and managing payroll-related functions. Such concentrated
responsibilities increase the risk of fraud or errors, including unauthorized transactions,
budget overruns, payment discrepancies, and payroll irregularities. To mitigate these risks,
it's advisable to distribute tasks among multiple employees, empowering them to work
 autonomously and with integrity. Proper job segregation is critical to prevent fraud or errors,
ensuring clear oversight of organizational duties and avoiding situations where one
department or individual performs multiple interconnected functions, which could become
targets for concealment and fraud.

7-33 Internal auditing is a staff function found in virtually every large corporation. The internal audit
function is also performed in many smaller companies as a part-time activity of individuals who may or
may not be called “internal auditors.” The differences between the audits by external auditors and the
work of internal auditors are more basic than is generally recognized.

a. Briefly discuss the auditing work performed by the independent public accountant and the
internal auditor with regard to:
(1) Auditing objectives - The objective of an independent auditor when conducting an audit
is to attain reasonable confidence that financial statements are accurately depicted,
devoid of significant errors, and adhere to generally accepted accounting principles. This
is achieved through an examination of the company's financial documents, procedures,
and transactions. The assurance gained enables the independent auditor to form an
opinion on the comprehensive assessment of the financial statements and convey their
findings to shareholders, rather than solely to the management. Meanwhile, an internal
auditor is a professional employed by the firm to ensure optimal efficiency and smooth
functioning of business operations. Internal audits conducted by these professionals
assess the probability of significant errors, scrutinize the company's internal controls,
ensure compliance with relevant laws and regulations, and offer suggestions for
corrective measures preemptively before any issues are identified by an external auditor.
The findings and recommendations of the internal auditor are communicated directly to
the top management.
(2) General nature of auditing work – As part of the audit process, an independent auditor
examines the company's operations, financial reporting, and management of internal
control, verifying the accuracy of provided data through tests and procedures.
Discrepancies found in account balances are reported to shareholders and external
parties. On the other hand, internal auditors concentrate on specific activities such as
assessing measurement methods for financial information, confirming account
existence, evaluating departmental performance, monitoring control implementation,
and proposing enhancements to operational processes.
b. In conducting their audit, the independent auditors may use the work of the internal
auditors. Identify the two ways the external auditors may use the work of internal auditors.
- Independent auditors may review the work of internal auditors during their own audits
because some of the audit techniques used by both parties are similar, and the internal audit
work can yield valuable insights. Internal audit functions play a crucial role in evaluating
internal control, so the quality of their work is assessed to determine its impact on the
independent auditor's evaluation of control risk. Additionally, the work of internal auditors
can influence the type, timing, and scope of audit procedures performed by independent
auditors. It may allow independent auditors to conduct less extensive procedures. However,
before relying on the internal auditor's work, independent auditors must conduct their own
thorough examinations, investigations, and reviews.
7-34 Randall, Inc., is a private company that manufactures heavy machinery. The company has an active
audit committee and board of directors. The audit committee consists of two outside directors and
Howard Kress, the company chief financial officer. The audit committee meets quarterly to provide
oversight of financial reporting, including reviewing new accounting policies and unusual transactions.
Howard Kress personally reviews and approves any related party transactions. Internal audits of
operating units are performed by the internal auditor, who reports directly to Laura Howe, the chief
operating officer.
The company has a written code of conduct, and employees agree to adhere to the code when
they are hired. The company also has a hotline for confidential reporting of unethical behavior that is
staffed by the corporate controller. The audit committee reviews summaries of all incidents and
investigations performed.
Identify the weaknesses in Randall’s system of corporate governance and provide suggestions for
improvement in the system. Organize your answer as follows.
Weakness Recommended Improvement
The audit committee includes two outside The company should establish an audit
directors and the company’s chief financial committee composed of three non-executive
officer. directors who are both independent. These
members should not be involved in the day-to-
day operations of the business to ensure that
they perform their duties effectively and uphold
the financial statements’ integrity.
Any related party transaction is reviewed and Howard Kres should be excluded from the
approved personally by the chief financial officer. committee in the first place since he is
responsible for financial planning and
management which is part of the normal course
of business.
The internal auditor reports directly to Lara The internal auditor should report directly to the
Howe, the chief operating officer. audit committee.
Employees agree to abide by the company’s code The code of conduct must be communicated to
of conduct upon being hired. the employees in advance, so they understand
what is expected of them once hired.
The corporate controller is in charge of A third party or an auditor preferably should
monitoring the confidential hotline for reporting oversee the whistle blowing hotline to reassure
unethical behavior. employees and relieve their fear of retribution.