
Chapter 7 Answers

Multiple Choice

7-1. b
7-2. c
7-3. a
7-4. d
7-5. a
7-6. c
7-7. d
7-8. b
Answer b is most relevant to the types of questions proposed by AS 2 as being helpful. Answer d might give the auditor some indication of whether the person performing the task is doing it carefully. Answer a is perhaps relevant, but a better question would be, "How long have you been assigned to do this task?" Answer d is not a possibility because the person typically would have no reason to have that information unless they were at a very high organizational level in the company.
7-9. c
7-10. b
7-11. d
7-12. a
7-13. d
7-14. a
7-15. c
7-16. d
7-17. b
7-18. d (Note: this question is not clear cut; should be thought provoking; I would expect students to argue about it if it were included on an exam)
7-19. b
7-20. a
7-21. c

Discussion Questions

7-22. [LO 1, 4] To which of the following accounts would the management assertion valuation be relevant, and why? For any accounts for which it is not relevant, explain why.

Answer:

Cash: Cash in the local currency does not normally have any valuation issues, so the auditor would not need to test whether the management assertion of valuation is relevant. The value of cash in the local currency is the face value.

Cash when foreign currency translation is involved: When currency of material amounts in other than the local denomination is a part of a company's transactions or end of year balances, the assertion of proper valuation is important to the auditor. Specific accounting methods are used to translate the non-local currency at the year end date, so whether that translation resulting in the local currency value has been performed properly is important. The issue of foreign currency can affect assets such as accounts receivable and liabilities such as accounts payable as well. When a company has receivables and payables as a result of transactions conducted on an international basis, the auditor must understand which currencies are to be used to settle the receivables and payables.
If the settlement is to be in a non-local currency, the company has to deal with the value of the amount in the local currency. This may also require consideration of hedge transactions that have been entered into to offset the risk of currency value fluctuation.

Gross amount of accounts receivable: Valuation is not relevant to gross accounts receivable, because gross accounts receivable is the total monetary amount of the transactions.

Net amount of accounts receivable: Net amount of accounts receivable is the result of the gross accounts receivable and the allowance for uncollectibles. The management assertion of valuation is relevant to the uncollectible balance part of net receivables. The account balance of the allowance for uncollectibles is the result of management's estimation and, although based on historical trends and derived through some systematic process, is still an uncertain amount. The question of whether the allowance account results in a proper balance of net accounts receivable that are likely to be collected makes valuation a relevant assertion.

7-23 [LO 1, 2, 4] For a company that sells retail goods to customers both online and in stores located in shopping malls, with payment made via cash and bank credit cards, which of the following are important classes of transactions? Why? For those that are not, why not?

Online sales
In-store sales
Purchase of raw materials
Purchase of finished goods merchandise
Lease expense
Payroll expense
Costs of goods manufactured
Purchase of fixed assets

Answer:

Online sales: The sales account is clearly an important/significant account. For a typical retail business such as the one described here, many sales transactions occur throughout the year, making sales transactions an important class of transactions for the ICFR audit. If the online sales make up a significant or material part of the total sales revenue, then sales that are made online make up an important class of transactions. If they are of a significant dollar amount, the auditor probably needs to address online sales as a separate class of transactions, since many of the important internal controls differ from those that are important to in-store sales. Online sales are likely to be completed using credit cards, so if they are a separate important class of transactions, credit card sales approval processes will also be a part of the auditor's considerations.

In-store sales: For any retail enterprise that has physical establishments in malls, in-store sales are likely an important part of sales revenue, so these would likely be directly addressed by the auditor. If online sales are minimal, then the auditor might only look at sales transactions and would not break them down into online and in-store sales classes, and yet focus the greatest ICFR audit effort on in-store sales transactions, looking at sales as a single consideration from a financial statement audit substantive perspective. In-store sales are likely to be addressed by the auditor, whether or not online sales are broken out separately. Further, it is possible that the auditor may need to separate in-store sales even further, into cash and credit in-store sales, since the important internal controls are different.

Purchase of raw materials: This is not an important class of transactions because it is unlikely that a retail business would have any.
Purchase of finished goods merchandise: This class of transactions is very important, because it is the source of all inventory, both what ends up on the balance sheet and what ends up on the income statement as cost of goods sold. It is also important because it likely affects both accounts payable and cash disbursements.

Lease expense: Lease expense is likely to be a major expense of the business, so the amount will probably be material. However, it may be a straightforward transaction of a set amount that occurs twelve times a year, requiring minimal audit effort. Consequently, while the amount may be material to the financial statement audit, the class of transactions may not be considered separately from the payment of other expenses when considered for the ICFR audit. For the ICFR audit, lease expense payments may be grouped with other expense cash disbursement functions as a class of transactions. In contrast, if lease expense requires multiple transactions because of many store locations, it may be an important class of transactions on its own. Further, if the amount of lease expense is based on calculations (such as a percentage of monthly sales), then the added complexity may make lease expense payments an important class of transactions.

Payroll expense: Payroll expense is likely to be one of the larger expense items on the income statement for a retail business. Sometimes a retail establishment, particularly one that does a lot of its business online, may not have material payroll expenses. But for the typical mall-type retail business, payroll expense is probably material. Because payroll transactions require a variety of processes (calculations, controls over proper payment, withholdings, payouts to government and other entities), it is likely to be an important class of transactions for a retail business. In many cases this is a class of transactions that is outsourced, so the auditor considers the controls within the entity and at the service provider.
Cost of goods manufactured: A retail establishment will not have costs of goods manufactured, so it is not an important class of transactions.

Purchase of fixed assets: Some fixed assets may be purchased for the online sales function, but these are not likely to be frequent or recurring, so they may not be an important class of transactions for the auditor, at least every year, even if the amount on the balance sheet is material. For the mall location, rather than the purchase of fixed assets, the important account is probably leasehold improvements. Again, these transactions are not frequent or recurring, so they are not likely to be an important class of transactions every year. If in a given year there is a large dollar amount or high frequency of these transactions, particularly if financing has to be obtained to purchase fixed assets or leasehold improvements, the auditor may consider the controls associated with approvals, etc. to obtain the financing and make the major purchases.

7-24 [LO 1, 2] A company uses inventory tags that are electronically scanned into its accounting information system to track receipt, movement and removal of items of inventory from the manufacturing floor. Prior to producing quarterly and annual financial statements, the company performs a physical count of inventory. The typical outcome of the physical count is that journal entries must be made after the count to correct the inventory accounts and records, because some employee theft and unrecorded waste always occurs. Does the occurrence of inventory loss that the company routinely records mean that a deficiency in ICFR exists? Why or why not?

Answer: ICFR deals with the ability of the company to produce financial reports and financial statements for outsiders. The inventory count, as described, appears to enable the company to correct its records so that the financial statements reflect the position of the company at the time the reports and financial statements are prepared. If this is the case, then ICFR is effective both in its design and operation. Although the internal controls do not prevent the inventory shrinkage, they detect the shrinkage prior to production of the financial statements. From the larger management view of what internal controls are intended to accomplish, the internal controls may be deficient. In addition to permitting the preparation of appropriate financial statements (ICFR), the broader definition of internal control includes safeguarding assets.
If the controls permit an inappropriate amount of shrinkage, they may not sufficiently prevent the unauthorized use or disposition of company assets. However, typically, designing an internal control system that would prevent 100% of inventory shrinkage would be cost prohibitive; in other words, it would cost more to design and run the inventory controls than the controls would save. Therefore, a company that experiences what it considers an expected and acceptable amount of inventory shrinkage likely concludes that the internal controls sufficiently safeguard the company's assets.

7-25. [LO 2] How does the commitment to competence of the COSO IC control environment relate to the quality control concept of assignment of staff to certain tasks on an audit engagement?

Answer: The staff assigned to audit the internal control environment must have the expertise in the area they are auditing. For example, staff assigned to audit the payroll internal controls need to have an adequate understanding of how payroll is processed, what controls should exist, and an ability to determine if there are control deficiencies. Additionally, the staff must be adequately supervised and workpapers reviewed to determine whether staff omitted key procedures or evaluated internal controls incorrectly.

7-26 [LO 2, 4] Exhibit 7-2 discusses Circumstances that Demand Special Risk Assessment attention. Pick four of the eight shown in the exhibit. Explain how these situations might ultimately result in financial statement misstatements.

Answer: The eight special risk assessment circumstances and how each affects financial misstatement follow.

Changed Operating Environment. A changed regulatory or economic environment can result in increased competitive pressures and significantly different risks. Divestiture in the telecommunications industry and deregulation of commission rates in the brokerage industry, for example, thrust entities into a vastly changed competitive environment.

New Personnel. A senior executive new to an entity may not understand the entity's culture or may focus solely on performance to the exclusion of control-related activities. High turnover of personnel, in the absence of effective training and supervision, can result in breakdowns.

New or Revamped Information Systems. Effective controls can break down when new systems are developed, particularly when done under unusually tight time constraints, for example, to gain competitive advantage or to make tactical moves.

Rapid Growth. When operations expand significantly and quickly, existing systems may be strained to the point where controls break down; where processing shifts or clerical personnel are added, existing supervisors may be unable to maintain adequate control.

New Technology. When new technologies are incorporated into production processes or information systems, a high likelihood exists that internal controls will need to be modified. Just-in-time inventory manufacturing technologies, for instance, commonly require changes in cost systems and related controls to ensure reporting of meaningful information.

New Lines, Products, Activities. When an entity enters new business lines or engages in transactions with which it is unfamiliar, existing controls may not be adequate. Savings and loan organizations, for example, ventured into investment and lending arenas in which they had little or no previous experience, without focusing on how to control the risks involved.

Corporate Restructurings. Restructurings resulting, for example, from a leveraged buyout, or from significant business declines or cost reduction programs, may be accompanied by staff reductions and inadequate supervision and segregation of duties. Or a job performing a key control function may be eliminated without a compensating control put in its place. A number of companies learned too late that they made rapid, large-scale cutbacks in personnel without adequate consideration of serious control implications.
Foreign Operations. The expansion or acquisition of foreign operations carries new and often unique risks that management should address. For instance, the control environment is likely to be driven by the culture and customs of local management. Also, business risks may result from factors unique to the local economy and regulatory environment. Or channels of communication and information systems may not be well established and available to all individuals.

7-27 [LO 3] Compare and contrast the internal control provisions required under the Foreign Corrupt Practices Act (1977) and the Sarbanes Oxley Act (2002).

Answer: The Foreign Corrupt Practices Act (FCPA) focused on illegal acts by U.S. corporations involving foreign officials and defined internal control in a relatively narrow fashion. It required that a review system be implemented and maintained with the intent of preventing illegal payments. It did not mandate a review of specific controls, nor did it assign responsibility for the financial statements to management; it considered internal control to be an end, rather than a process. By contrast, SOX broadens the definition of internal control, references a control model (COSO), specifically sets out requirements for an internal control system, mandates that auditors are to evaluate ITGC prior to performing tests of details of balances, assigns responsibility for the financial statements to management, provides independent oversight for auditors in the form of the PCAOB, and provides for civil as well as criminal penalties for noncompliance.

7-28 [LO 5] Explain the importance of a walkthrough, how one is performed, and list 5 relevant questions that the auditor might ask during a walkthrough. What types of responses to your questions might the auditor receive that would cause concern about the effectiveness of ICFR?

Answer: A walkthrough is the steps you perform together when evaluating internal control. Student answers may vary but could include the following questions to ask:

What do you do when you find an error?
What are you looking for to determine if there is an error?
What kinds of errors have you found?
What happens as a result of finding errors?
How are errors resolved?
Have you ever been asked to override the process or controls? If so, what happened and why did it occur?

The auditor should be concerned if there are no error routines and reporting responsibilities and/or no review of transactions for errors.

Problems

7-29 [LO 1, 2, 5] Stan is an auditor for Cartman & Kenny, CPA. He has recently been assigned to a new private client called Southpark Services, a provider of web management services. Cartman and Kenny have clients throughout the United States. The company manages their clients' websites, keeping them up to date, resolving problems and doing any other programming or troubleshooting that their clients need. The two owners, Bob Cartman and Shelly Kenny, are hands-on managers. They, along with 3 other employees, provide the website management services for their clients. Although they don't have access to their clients' books or bank accounts, they have the ability to alter the website, and any data that flows through the website before it goes to the company or the customer. Cartman and Kenny have one office manager with an undergraduate accounting degree and one full time bookkeeper. In discussions with management, Stan learns that Southpark Services doesn't bother to maintain any processes specifically directed toward good internal controls. When Stan asked why, management replied, "Internal control is too expensive for us, and since we are not a public company and Section 404 does not apply to us, we don't see any value internal control can offer our management."

Required:

a. Develop a list of concerns that Cartman & Kenny's clients might have based on management's attitude.
Classify those concerns into 2 lists: concerns that affect Cartman & Kenny's business, and concerns that might affect their productive output, and thus the clients' business operations. Some of the concerns you identify might end up on both lists.

b. Suggest processes and controls that Cartman & Kenny can implement to limit the risk of the items you listed in (a).

c. How would an auditor examine or test each of the processes and controls you list in (b)?

Answer:

a. Cartman & Kenny business practices concerns: The most obvious concern is the lack of separation of duties between management and employee at C & K. The second concern is: how can a firm audit its own work? A third concern is the total lack of general controls over web design and access.

Clients' concerns: The lack of separation of duties at the audit firm; the lack of proper oversight of work performed by C & K; and the total access allowed to C & K personnel by Southpark Services. This is especially problematic if one or more of the managers from C & K becomes unable or unwilling to continue servicing the client.

b. Procedures to limit the risks cited above: First, C & K must document all their work. Second, changes should be made to a prototype web site, not the actual, production site. Changes can be reviewed and approved by the client before the actual site is updated. Third, C & K personnel should not have access to client data servers or files. Indeed, the servers that house the data should be separate from the server that houses the web site, and each server should have appropriate router and firewall controls.

c. How to audit? First, the auditor should not be from the same firm that provides the service. That said, if this is allowed, then the auditor should report to someone who has no responsibility for maintaining the site.
The auditor should review and test access controls; review changes to the web site; obtain a log of transactions in order to form an understanding of transaction origination, approval, and appropriateness; and document any unusual transactions. The auditor should perform detail tests of balances given the poor internal control system, especially over sensitive accounts such as cash and inventory. The auditor should require that the client review transactions in detail and provide corroborating evidence for all unusual or unauthorized transactions.

7-30 [LO 2, 5] Natasha is a staff level auditor assigned to evaluate the ICFR for the XYZ corporation audit. Natasha follows her firm's audit program to assess ICFR. Step 1.3 of the audit program says the auditor should evaluate the overall attitude and awareness of an entity's board of directors concerning the importance of internal control.

(a) With which component of internal control is Step 1.3 concerned?

Answer: Control environment (This is an entity level control.)

(b) Draft specific audit steps that Natasha might find in her plan, in addition to the general direction.

Answer: Examine company policies and procedures regarding the following:

Requirements in order to be elected a member of the Audit Committee.
Evidence of interaction between the Board of Directors and the audit committee, including all reports between management, the external auditors, and the Committee.
Audit Committee charter.
Audit Committee qualifications.
Reporting structure in place for the Internal Audit Department.

Review Board of Directors and audit committee minutes for issues related to ICFR. Specifically identify Board of Directors follow up on internal control ICFR deficiencies identified in prior years.

Note that in addition to Natasha's work, the partner or manager on the engagement would likely interview the Chair of the Board of Directors and Chair of the Audit Committee.

(c) What would Natasha include in her work papers to document her work?

Answer:

Copies of company policies highlighted and annotated as appropriate.
Copies of relevant minutes highlighted and annotated as appropriate.
A summary memo that documents and references information in the company documents.
Her conclusions, either on the summary work paper or in a separate memo, regarding the attitude and awareness and how the evidence supports the conclusion.
7-31 [LO 1, 2, 4] You have been assigned to work on your firm's largest client, DOMO Electronics, a publicly traded company with operations in North and South America, Europe, and Asia. In your process of evaluating ICFR, your audit program instructs you to evaluate DOMO Electronics' Control Environment, a major component of COSO's Internal Control Framework. In your evaluation you have found the following:

DOMO Electronics has a written code of conduct that it requires all employees to understand and follow. Based on this mandate it has never had any ethical conflicts reported and therefore does not have a formal mechanism for top management or the BOD to receive confidential information from employees lower in the organizational hierarchy.

All of DOMO's staff are required to complete a certain amount of continuing education credits every year. From what you can see, they seem to be well trained at their tasks, or at least they stay very busy.

The Board of Directors and Audit Committee consist of several financially savvy individuals who take their jobs very seriously. Furthermore, all members of its Audit Committee are top managers in the company, so they are intimately familiar with the company's operations.

Management stresses an ethical environment. In their weekly meetings each team reports its operating results and the different teams quiz each other and respond with solutions and challenges. In the weekly meetings management encourages the teams to act ethically while achieving their mandatory year-over-year, 40% revenue growth numbers.

Due to high industry growth, DOMO has enhanced its market share largely by significant mergers and acquisitions. To keep up with its growth, DOMO is constantly upgrading its internal control system. Fortunately, the well trained staff have been able to continue testing the new programs after they are put in place and change programming problems as they crop up.

The human resource department ensures that workers are assigned to work that they are capable of doing and ensures that every employee understands his/her responsibilities.

Required:

a. What red flags do you see in the above description concerning DOMO's control environment?

b. What accounts and financial statement management assertions might ultimately be affected if the red flags indicate problems?

c. Develop an audit step you would use to follow up on the concern raised by the red flags.

Answer:

a. The red flags are:

1) There is no formal communication channel available to report ethical/internal control issues as prescribed by SOX.
2) The audit committee consists of company personnel, not independent members as required by SOX.
3) Great emphasis is placed on achieving an unrealistic growth rate of 40%, clearly encouraging the very behavior it seeks to discourage orally. Achieving a continuous growth rate of 40% is unlikely, therefore this encourages earnings management, such as recording of sales that did not occur, etc.
4) The company is growing by acquiring businesses; this presents a problem of trying to integrate the businesses into a cohesive whole. Differences are likely to exist in internal controls, making lapses in controls more than likely.
5) Changes are made directly to programs in production (e.g., actual programs being used in the company) as opposed to copying programs into a test library and making the changes to the test copy.

b. The accounts and assertions affected are virtually every account and all assertions. Since changes to the programs used to process transactions occur routinely, unauthorized changes could occur to any account. The situation is very serious since the ITGC are nonexistent.

c. The auditor should consider whether, absent significant changes to the internal control environment, he/she wants to continue as the auditor.
Assuming that he/she does, the first audit step would involve a review of the IT general controls, starting with a review of the programs used in production, looking for recent changes, especially frequent changes occurring over a short period of time, which would indicate that previous changes could have been reversed in an attempt to hide unauthorized changes. Then, the auditor should review the transaction register for any unusual activity or amounts, paying close attention to the sensitive accounts of cash, sales, A/R, and inventory. Since earnings management is a very real possibility, the auditor needs to be alert for unusual transactions affecting accounts linked to sales. The auditor should obtain evidence that the transactions are valid and have been authorized.

7-32 [LO 1, 3, 4] Suppose you are a new auditor with a small audit firm on the audit of Juan Stuart's Daily News, a large private corporation with a significant minority stockholder that operates media outlets across the United States. The majority stockholder manages the day-to-day activities of the business. Because your audit firm is a new, small firm, it has yet to formulate its own guidance concerning the audit of ICFR. You remember hearing a lot about Section 404 of the Sarbanes Oxley Act of 2002 concerning internal control audits.

Required:

a. Does Section 404 of the Sarbanes Oxley Act pertain to the audit of Juan Stuart's Daily News? Why or why not?

b. Is there anything related to ICFR that you are concerned with as the financial statement auditor of Juan Stuart's Daily News?

c. Who are the stakeholders related to Juan Stuart's Daily News? How do good financial statements benefit them? What ICFR issues would be of concern to the different stakeholders?

d. Develop audit steps to test the ICFR issues of concern.

Answer:

a. Section 404 would apply if the significant minority stockholder with media outlets across the U.S. is considered a registrant per the SEC (e.g., has a security that is registered with the SEC) and uses the equity method in accounting for the earnings of Juan Stuart.

b. The large size of Juan Stuart is a concern regarding audit firm resources and expertise for conducting the audit well. Another concern is that no plan was formulated prior to accepting Juan Stuart as a client.

c. The stakeholders would be the minority shareholders; the employees; and the creditors. Good financial statements allow stakeholders to assess their interests and the going concern of the entity with which they are connected. The minority shareholder would be concerned with transaction integrity and controls over financial reporting accuracy; employees would be concerned with safeguarding assets and accuracy of financial reporting; and creditors would be concerned with control over assets and financial reporting accuracy.

d. Audit steps would include a review of entity-level controls, such as those surrounding ITGC, specifically separation of duties and access controls. Additional audit steps would include a review of controls surrounding transactions, tracing the entry in the appropriate ledger to its supporting detail, including approvals.

7-33 [LO 2, 5] Lois is evaluating the ICFR for Pawtucket Patriot Brewery. She is examining an activity that occurs periodically, specifically an inventory count. This is not an everyday operation of Pawtucket Patriot Brewery. But they don't have a good IT system to track inventory, and the only way the purchasing department knows what it needs to buy and the production manager knows how much and what to make is as the result of the physical count. The company makes and sells beer. Inventory consists of beer that has already been placed in bottles and is ready for distribution; beer in huge vats still being processed; and all the supplies that go into making beer: not only the beer ingredients, but also empty bottles and the supplies needed to bottle the beer.

Required:

a. Classify this inventory observation activity using the AS 2 groupings of: routine, nonroutine, estimating.

b. As Lois reads through the client's plan for the inventory count, what processes and procedures should she be looking for? Why?
What are the assertions that are important to address for this account?
c. What are one or more audit steps you think Lois should conduct while the client counts inventory?
Answer: The inventory observation is non-routine.
a. Processes. The auditor should look for instructions regarding cut-off procedures; documentation concerning issuance of tag numbers; proper accounting of tag numbers (e.g., issued and used, voided, and not issued/used); the counting of inventory; and the final process of clearing inventory (e.g., ending the physical count and the pulling of inventory tags). The auditor should determine if the product/part number recorded on the inventory tag is accurate by matching to a supplier invoice, production order, etc. The auditor will also check for uncounted product, which may be consigned inventory or write-offs. Such items need to be confirmed through additional testing and therefore should be noted by the auditor in the workpapers. These procedures address the accuracy, classification, valuation, existence, cut-off, and rights and obligations assertions. Given the poor inventory system, the risk is that the client may not properly label inventory and therefore not properly assign the correct costs to it.
b. Other procedures. Since the product is fungible and subject to spoilage, the auditor should have independent testing of the raw materials, WIP, and finished goods to determine if the product is usable and/or saleable.

7-34. [LO 4, 5] [Adapted from Wiley CPA Review] Suppose you are an auditor on the ICFR audit of Big Papi, Inc, a publicly traded company. Your senior has assigned you a significant list of steps to perform testing the operating effectiveness of ICFR. She tells you that before you can perform the list of audit procedures, you obtain an understanding of the entity's processes and controls. Based on the prior year's audit she gives you a list of accounts that she believes you will find to be important, and the classes of transactions that fed into each of those important accounts at least last year. As she walks off to go to another engagement, she reminds you that this year's ICFR audit must be very efficient and you should only test the assertions that you need to.
Required:
a. How will you go about obtaining an understanding of the company's processes and controls? What will you do? What will you look at? Who will you talk to? How will each of the procedures help you?
Answer: The information provided by the senior is a good starting point. You can compare the list of accounts she identified with the company's financial statements to determine whether all of the important accounts are included and whether any accounts that are not important should be dropped. You will likely talk to the company's management to be sure your understanding of the important accounts is correct. In this discussion, you also verify the senior's information regarding the important classes of transactions affecting those accounts. You specifically ask if there have been changes to the company's activities or accounting system since the last understanding was obtained. You ask for any documentation management used in assessing the effectiveness of ICFR, and if any is available use this as another source of information.
b. After you understand the system, what will you do?
Answer: To confirm the information you have already obtained and as a part of understanding the system you will (most likely) perform a walkthrough for each important class of transactions. You know the relevant management assertions for each financial statement account, and after completing the walkthrough you evaluate what the risks are for each of the relevant assertions at the various steps in processing for the class of transactions. You determine whether the company has controls designed into the system that, if they operate effectively, will prevent or detect misstatements before they become a part of the financial statements.
c.
How will you decide which accounts and assertions to test for operating effectiveness?
Answer: You assess the risk of material misstatement related to each of the relevant assertions for each important account. Based on your walkthrough, you identify controls that deal with those risks to the assertions and evaluate whether they are designed effectively. If so, you test those controls to determine if they operate effectively.
d. What will you put in your work papers up through the completion of analyzing design effectiveness?
Answer: If management has produced documentation, such as descriptions or process charts, you can use those as a starting point and update them with information obtained in your walkthrough. If management does not have documentation, you may be able to update the documentation the audit team constructed or used in the prior year. Absent either of those documentary resources, you must determine (probably after consulting with your senior) how much documentation to construct of the transaction processing steps you investigated in your walkthrough. At a minimum, from an overall perspective, you need to identify the material accounts, significant classes of transactions, relevant management assertions, risks to those assertions and the misstatements that could affect the financial statements. You must state the source of this information, such as information from prior years' audits that you updated by interviewing management. Then, the workpapers you prepare identify the transactions you used in the walkthrough (with enough specific information so that someone else could find exactly the transaction you followed in the walkthrough), questions asked of employees at what point in the walkthrough -- with responses received and your conclusion about the response, documents examined, reperformance conducted on the transactions, and any other steps you performed.
Your workpapers should document at which step of the transaction processing a risk to a relevant financial statement assertion exists, the control that is in place (if there is one) and what evidence you obtained that indicates whether or not that control is effectively designed. Based on your audit work you also conclude which controls are effectively designed to prevent or detect material misstatements to assertions in the financial statements and therefore which should be tested for operating effectiveness.

7-35 [LO 4] [Adapted from Wiley CPA Review] Dana, an auditor for the audit firm C&C, recently finished up testing controls relating to management's assertion concerning the completeness of sales transactions. In her audit work papers, Dana included the following:
- I inspected the entity's reports of prenumbered shipping documents that have not been recorded in the sales journal.
- In the course of my testing, I have found 0 items that have been sold but have not been recorded in the sales journal.
- Since testing was performed without exception, I have determined that the controls to address the completeness of sales transactions are operating effectively.
Which essential element of AS 3's documentation requirements did Dana omit from her documentation?
Answer: Summary information from the chapter helps to answer the question: The audit documentation must tie the evidence collected to the risks being addressed that is specific to the relevant management assertion; audit documentation must include the basis for the auditor's conclusions; audit documentation includes planning and performance of the work; what the audit procedures were, when they were performed, by whom; evidence is obtained; and conclusions are reached. Assume the audit plan describes the step Dana is to perform and links it to the risk and assertion. The assertion is that all sales have been recorded: all items that were shipped have been recorded as sales. (The assertion could equally be that no items that have not yet been shipped have been recorded as sales, although her conclusion relates to the risk of unrecorded sales.) Her work papers should include the following information: In the first bullet the problem is that she provides insufficient information to identify the items she examined.
What numbers were the prenumbered shipping documents she inspected? From what source did she select them? Electronic or paper documents? How did she know these would represent all the shipping documents associated with potentially unrecorded sales? Was it a sample or 100% of the items? If the test was related to cutoff, did she examine documents before and after the fiscal year end? Was a part of her test to determine whether all the prenumbered documents could be accounted for: that there were no gaps in the numbering sequence? (If she was testing to see that no inappropriate sales were recorded, she would start from the sales journal, select sales, find the corresponding shipping document numbers, then examine the documents to be sure that the items had in fact been shipped and the sales transaction billed.) The second bullet appears to be a conclusion but there is no basis for the conclusion. How did she determine that 0 items were sold but not recorded? The workpapers should include the document numbers of the documents that had been used for shipment. She should examine the shipping document, and agree the information on the shipping document to what is recorded in the sales journal, specifying all the information that she compared, such as name of purchaser, date of transaction and amount, indicating whether all the information agreed between the shipping document and the recorded information. If she found no conflicting evidence, she can conclude that none of the shipping documents she tested were unrecorded or recorded improperly. In the third bullet, her conclusion is too broad. What control was she testing? Was she testing an automated control? Was she simply testing that the client's mechanism for getting shipping documents into the sales journal was effective? Was she testing that the cutoff at year end was effective, and that at year end no items were shipped in one year and not recorded until the next? If she is testing for the processing of the control at year end she needs to clearly state the period covered. If she is covering a period of time, then she is likely using a sample and would state that based on the sample of transactions in the time period (for example) for the month of December, the control that was designed to be sure that all items shipped were booked as sales, operated effectively. She might also conclude that, as a result of the correspondence between shipping document and sales journal information, the control operated effectively at year end. If she was also trying to establish whether the control could be relied upon and could therefore alter the nature, timing or extent of procedures for the financial statement audit, she clearly states the period of time covered by her test and (assuming all the shipping documents were properly posted) that during that period of time the control establishing that all shipments were properly posted to the sales journal operated effectively.

7-36 [LO 2] Separate and assign the following activities to employee A, B and C to accomplish the best control. Explain why.
a. Assemble supporting documents for cash disbursements.
b. Maintain custody of the signature plates used for the computer processes when checks are produced.
c. Authorize the update of the general ledger each month and review all accounts for unexpected balances.
d. Cancel supporting documents for cash disbursements to prevent their reuse.
e. Approve customers' applications for credit.
f. Approve the write off of accounts receivable determined to be uncollectible.
g. Input the shipping and billing information resulting from sales and shipments.
Answer:
Employee A: a, g
Employee B: b, c, f
Employee C: d, e
Rationale: separate cash disbursements document prep from custody of signature plates, and cancellation of documentation in order to prevent unauthorized use/reuse of documentation.
Also, separate approval of credit to prevent account write-off (and possible hiding) of poor credit decisions.

7-37 [LO 4, 5] Joan Hacker, CPA, is the CFO of Smooth Ride, a publicly-held boat trailer manufacturer. At the close of the second quarter of 2009, Joan received the physical count of raw materials inventory amounting to $2,695,872. At the same time, Joan's self-designed computer model for deriving inventory figures showed a raw materials inventory calculation of $3,374,024, which was $678,152 higher than the physical count calculation. Since Joan was rushed to prepare the financial statements, she used the computer model figure, resulting in $181,000 net income and $0.03 per share earnings. She adjusted the inventory to equal the correct count for the end of the third quarter when she had more time. The result for Quarter 3 was a net loss of $253,000 and a loss of $0.04 per share.
Required: What are the control ramifications of Joan's actions?
Answer: As CFO, Joan was ultimately responsible for ensuring that the company had an adequate system of internal controls in place and that those controls were maintained and properly utilized. By recording materially incorrect inventory results in Smooth Ride's books and records, Joan failed to assure that the company maintained an adequate system of internal accounting controls to properly account for inventory. By using the incorrect higher figure, the financial statements for Quarter 2 reflected a lower cost of goods sold and correspondingly higher net income than if the lower (correct) inventory figure had been used. Despite the fact that she used the correct physical inventory figures in the third quarter, this caused Smooth Ride to file a false and misleading quarterly report with the SEC that misrepresented the second quarter financial results of the company, overstating net income and earnings, and also caused a misstatement effect in the third quarter.

7-38 [LO 2, 4] Greg Norman is the auditor in charge of the Rogers Pharmaceutical Company audit. In assessing the internal controls for the company, Greg finds that the company bills customers and receives payments at three offices in three separate states using three different and incompatible software systems for tracking payments. Rogers' terms of sale vary with the customer and range from thirty days to ninety days. Open invoices are aged based on when they were booked to the receivables, but cash, chargebacks, or rebates are aged based on when they were applied to the account. Thus, a credit could be posted to the customer's account when it was received, but the related invoice(s) remains open as a receivable and continues to age. Chargebacks are significant and linked to batch of product rather than invoice. Most similar companies have credit limits or credit checks but Rogers does not because all wholesalers are board certified M.D.s, like the company's founder. Rogers' total accounts receivable was $25,276,025. Rogers' total accounts receivable past due over sixty-one days was $17,434,500. Rogers' top-five wholesalers had accounts receivable of $13,457,516. Rogers' top-five wholesale customers had $5,428,850 past due over sixty-one days. Rogers' allowance for doubtful accounts of $266,000 did not include any estimates for the top-five wholesale customers, because management's belief at the time was that the top-five wholesalers did not present a collection risk.
Required: Based on these control issues and findings, explain some of the most likely sources of misstatement that exist.
Answer: There are a number of significant problems, but some of these include:
- The current system does not allow for accurate reconciling of accounts receivable.
- There are insufficient credit efforts: M.D.s can default or have bad credit to begin with.
- There is a potential for chargebacks to be posted to the wrong accounts.
- The system opens up the possibility for a lot of old items to remain in accounts receivable.
- Aging reports are likely of little or no value.
- Transaction reporting likely increases the possibility of duplicate accounts in the system.
- There is a lack of company-wide controls due to diverse IT systems.
- Based on faulty reconciliation and credit function, there is no way to set collection priorities.
- A legacy of A/R reports likely exists that have not been worked by collections.
- The allowance for doubtful accounts is understated, since nearly 69% of all accounts receivable are overdue and 40% of the top five customers are overdue.
- There appears to be a lack of coordinated sales term policy.

7-39 [LO 5] Hammer Orthopedic Corporation periodically invests large sums in marketable equity securities. The investment policy is established by the investment committee of the board of directors and the treasurer is responsible for carrying out the directives of the investment committee. All securities are stored in a bank safe-deposit box. The following issues are included in the independent auditor's plan for auditing internal control with respect to the company's investments in marketable equity securities. To understand the design of the system, the audit procedure is to make the following inquiries of management:
1. Are all securities stored in a bank safe-deposit box?
2. Is investment policy established by the investment committee of the board of directors?
3. Is the treasurer solely responsible for carrying out the investment committee's directives?
Required: In addition to these questions, what other questions should the auditor ask with respect to Hammer's marketable equity security investments?
Answer: Student answers may vary. However, some questions include:
- Are marketable security investments supported by invoices with brokers?
- Are subsidiary records of investment kept and reconciled periodically with a control account?
- Do cash disbursement procedures contain directions for accounting for investments in marketable securities?

7-40 [LO 2] Simmons Optics Company is a medical device manufacturing company in Florida. As such, it has a number of new products at various stages of development, with many swings notable in its Research and Development budget aimed at taking advantage of tax credits. With the downswing in the economy and change in the optics technology, a new competitor, Bright Eyes Instruments, Inc., is taking a larger percent of the optical market. As a result, the CEO is pushing supervisors to reduce product development time from 24 months to 10 months, but without any new capital expenditures. The Board of Directors almost always agrees with the CEO's initiatives and has rubber-stamped this course of action. The new CFO of the company has only been at his job for six months. He is a hands-off CFO and sees this position as a way to enjoy sunshine, golf, and the ocean. However, during this period he has realigned the reporting responsibilities of the company, so that the credit and collections department reports to the Sales Controller, rather than the head of the treasury department. He also gave the Sales Controller increased authority to develop business by negotiating the terms of sales transactions and the authority to recognize revenue. The Sales Controller developed and negotiated a new type of agreement called Guaranteed Profit agreements that relieve Simmons' direct customers (primarily optometrists) of any obligation to pay for goods unless they were sold through to end users or patients. In these agreements, Simmons books the revenue, but the CFO is not aware of any reversals for unsold goods, but admits that the information system has had significant disruptions in processing during his tenure.
Required: Identify the Entity Level - External and Internal Risk Factors in this scenario.
Answer: Within this scenario, a number of external entity level risk factors exist:
External Factors
- Technological developments and tax credits are affecting the nature and timing of research and development.
- Tax regulations seem to be forcing changes in operating policies and strategies.
- Competition and a change in the optics technology are driving the CEO's mandate to decrease R & D time.
- Competition has caused the Sales Controller to alter marketing or service activities with guaranteed profit agreements.
- Economic changes have had an impact on the CEO's decision to require dramatic cuts in R & D time without proportional increases in capital expenditures.
Within this scenario, a number of internal risk factors exist:
Internal Factors
- There has been a disruption in information systems processing that adversely affects the monitoring of the entity's sales agreements and operations.
- The hiring of the CFO appears to be a better deal for the CFO than the company, since he has a mentality of on-the-job retirement. This has more than likely influenced the level of control consciousness within the entity. Likewise, the realignment of the reporting seems to have weakened controls by eliminating segregation of duties (i.e., the Sales Controller has too much power) and double-checks (i.e., the treasury department is out of the loop) on the revenue recognition area.
- An unassertive board of directors rubber-stamps management strategies, which can provide opportunities for indiscretions.
- The nature of the entity's activities, like the Guaranteed Profit agreement, appears to be a misappropriation of resources under GAAP.

7-41 [LO 2, 3, 4] You are engaged to audit the financial statements of Sebastian Construction Company. The company specializes in the construction of medical clinics. The percentage-of-completion method is used by Sebastian to account for all construction projects.
As Sebastian completes a project, the building and property are sold to the clinic operator, who makes a 20% down payment and gives an installment note for the balance. Sebastian discounts the note with First State Bank and receives the proceeds minus the bank discount. Sebastian remains contingently liable on the discounted notes. With the economic downturn, sixty percent of the notes are now in default and Sebastian has constructed virtually nothing within the last 10 months. When you arrive to discuss the upcoming audit, you notice that the parking lot, which was full last year, is nearly empty. The CFO assures you that the slowdown is merely temporary and that the company is starting to get in new contracts every day. In fact, the CFO brags that they have hired new crews to begin five new projects next week. As you begin the audit, you notice the following:
1. Of the 250 requests for confirmations of accounts receivable that were mailed, only 30 were returned after two mailings.
2. A number of the general ledger transactions lacked documentary support.
3. The company's property and equipment ledgers for depreciation could not be reconciled to the general ledger.
4. The internal control report represented and signed by the CFO as Excellent showed a significant number of compliance deviations.
Required:
(a) Based on this information, discuss the circumstances demanding special risk assessment attention.
(b) What are the most important assertions for Sebastian Construction?
(c) Based on the Sarbanes-Oxley Act of 2002, what corporate responsibility for financial reports does the CFO appear to have violated?
Answer:
(a) There are changed operating environment circumstances due to the economic downturn.
(b) While all of the assertions are important, they do not all have the same level of importance for each account on the financial statements.
1. With respect to the lack of confirmation, we would wonder about the occurrence assertion, relating to whether the transactions have taken place, and existence, whether the accounts receivable exist. If they don't exist, the valuation of the accounts receivable is in error.
2. Regarding the unsupported transactions, we must question their existence.
3. Regarding the lack of reconciling depreciation, we would question if the company owns the equipment (rights and obligations) and the valuation or allocation of including necessary depreciation for equipment used.
4. The CFO's apparent misrepresentation of internal controls calls into question the presentation and disclosure of the company's records.
5. Regarding the defaulted discounted notes, the auditor would also have to question the company's ability to continue as a going concern if so many notes are uncollectible and specifically would address the valuation assertion.
(c) Regarding SOX and the CFO's certification of internal controls, it appears that he may have violated: (1) review of the report; (2) represented an untrue material fact or omitted to state a material fact that resulted in misleading; (3) did not provide sufficient guidance for establishing and maintaining internal controls; (4) did not sufficiently design internal controls to ensure that material information was in financial statements; (5) may not have evaluated controls recently (within 90 days prior to the report); or (6) did not disclose significant deficiencies of internal controls.

7-42 [LO 1,2] Think about the businesses and other entities with which you interact in your everyday life. Select a particular business that you know to complete the following.
Required:
(a) Identify some process about the way the entity does business that is carried out for control purposes. Consider the following example, "If you do not get a receipt your purchase is free." This note, frequently seen by a sales terminal, adds the consumer as a control element to be sure the sales person enters the transaction.
(b) Identify some aspect of the entity for which there should be a control and a control activity does not exist. (Hint: One way to find these controls that are lacking is to evaluate how a customer could get in free, or receive their product or service and "get away" without paying.)
Answer: Student answers will vary. Their answers should address the concepts noted above.

7-43 [LO 3] Milton Baxter is the in-charge auditor for Apex Company, a long-time client of the Baxter CPA Group. The company has expanded into a new industry by acquiring equipment that will be used to manufacture several types of products. The CEO has indicated that as one of the conditions for providing financing for the new equipment, the bank must receive a copy of the annual financial statements. Another condition is that the total assets cannot fall below $300,000. The loan will be called for immediate repayment if this happens. Currently, the total assets are reported at $308,000 (including the new machine but prior to making the adjustment for depreciation). The CEO of Apex has asked Baxter to examine the facts and provide audited financial statements that are acceptable to the bank. The depreciation method for the machinery has not been adopted yet. Equipment in other parts of the company uses the double-declining balance method. The cost of the new equipment is $60,000 and it is estimated to be worth $5,000 at the end of five years. Because the new products have not yet begun to catch on with consumers, the company produced just 5,000 units this year and it is expected that a total of 40,000 units will be made over the 5-year period.
Required: Based on this information, calculate straight-line, double-declining balance, and unit of production depreciation for the new machine. Which depreciation method would allow Apex to stay within the bank's threshold? Is it ethical to recommend that method to the company prior to audit?
Answer:
Straight line = ($60,000 - 5,000) / 5 = $11,000
Double-declining = $60,000 x 40% = $24,000
Units of production = (5,000 / 40,000) x ($60,000 - 5,000) = $6,875
The auditor uses management's assertions to plan the audit procedures conducted in an integrated audit.
The auditor carries out audit procedures, collecting evidence which gives the auditor a basis to conclude whether ICFR is effective and management's financial statement assertions are appropriate. The controls ultimately relate to the company producing financial statements that are not materially misstated. In this case, it would be unethical for the auditor to tell the CEO which method would beat the bank's threshold for the loan and also audit the books. This is especially true since he knows that this depreciation method is not typically used by the company for any other equipment and that depreciation amount is not representative of the normal depreciation for the machine.

7-44. Go to the 10K report for Starbucks. Find the following: management's Section 404, 302, and 906 reports and the auditor's report. Compare the management reports to the examples provided in the text. Do you note any differences? Read the auditor's report. Is there a separate report providing the internal control opinions? Or are all the internal control and financial statement audit opinions provided in one report?
Answer: Student answers will vary depending on the fiscal year of the report.

7-45. Go to the COSO Web site. Find the IC Framework and ERM Framework. What is the major difference between the two frameworks, in terms of their stated purposes? Compare the components of the two frameworks. (Hint: Appendix B to this chapter will help.)
Answer: The ERM Framework encompasses the IC Framework. The ERM Framework was developed with the intent of providing a logical and orderly way for management to identify, analyze, and manage all of a company's risks. These risks extend beyond the risks contemplated by the COSO IC Framework. Thus, the ERM Framework offers management something additional by providing guidance on managing all of a company's risks and uncertainties.

7-46. Go to the SEC Web site and access the Sarbanes-Oxley Act, Section 906.
What are the monetary and criminal penalties specified, and for what type of wrongdoing?
Answer: Section 906 details the chief executive officer's responsibility to submit written statements along with the periodic financial reports. Executives who submit reports not in compliance with the act can be fined up to $1 million or imprisoned for not more than 10 years, or both. Executives who willfully submit such statements are subject to possible fines up to $5 million and imprisonment of no more than 20 years, or both.

7-47. Go to the SEC Web site. Access 33-8810; 34-55929. What title do you see? Read the first few pages. How does this relate to what is covered in this chapter?
Answer: Internal Control Reporting and Auditing Provisions are contained in this release.

7-48. Search for management reports that utilize internal control frameworks other than COSO (probably found in reports of companies in countries other than the United States).
Answer: Student answers may vary, depending upon the reports accessed. Besides COSO, students may list: CoCo, CobiT and the Basle Committee on Banking Supervision [BCBS].

7-49. Conduct a search in the business journals and print media regarding increased audit costs for companies as a result of the Sarbanes-Oxley Act. Look particularly for internal costs associated with management documenting and testing internal control.
Answer: Student answers will vary depending on the journals and articles accessed.

Chapter 7 Appendix A
Multiple Choice
7-50. a 7-51. b 7-52. c 7-53. d 7-54. c 7-55. b 7-56. a 7-57. d
Discussion Questions
7-58. Why is the auditor concerned about whether a company has controls over the development or changes it makes to computer software? What impact do these controls have over the auditor's conclusions for the ICFR audit? The financial statement audit?
Answer: Because the ability to change programs is an entity-level control, this control is crucial to the internal control system. Unauthorized access to computer programs provides unauthorized access to the entire organization's records, including accounting and financial records.
Unauthorized access to programs is usually not apparent and users with unauthorized access can make changes directly to the transaction data and master files, thereby allowing material misstatements and fraud to occur without timely detection. This is a very real possibility since unauthorized program access can allow a user to eliminate or change the audit trail.

7-59. What concerns does the auditor have over access controls and their impact on data security? What impact would a problem with access controls have on the auditor's conclusions in an ICFR audit of a company with an extensive IT system? Do you think management could assert that the financial statements are accurate and complete if access controls are insufficient? Why?
Answer: Access controls determine who is allowed to perform certain functions. Access controls are at the heart of separation of duties, and thus provide a significant function in controlling data security; they are considered entity-level controls, meaning that poor access controls place the I/C system at high risk. A problem with access controls would represent a material internal control deficiency and require significantly more testing of balances and transactions during the substantive audit work. If access controls were insufficient in an organization with an integrated IT system, the auditor would not be able to rely on the I/C system to detect or prevent material misstatements in the financial statements. The auditor would either have to expand substantive testing significantly or withdraw from the engagement.

7-60. If all of a company's ITGC are effective except its contingency controls, would the auditor be able to conclude that the ICFR is effective? What if other controls are lacking but contingency controls are effective? How would the auditor modify plans for the financial statement audit if the conclusion in the ICFR audit is that many general controls are lacking but contingency controls are consistently effective?
Answer: No; contingency controls, such as back-up and recovery in case of a disaster, are an integral part of the ITGC (e.g., entity level). If the ITGC are effective, but no safeguard exists to provide for data recovery and a disaster occurs, all the ITGC are essentially meaningless. If other controls are lacking, the conclusion would depend on the nature of the other controls, such as whether the controls were material to the overall ITGC and whether there were compensating controls. If many of the other controls are lacking, the auditor would have to satisfy himself that there were compensating controls for those missing. The auditor would also need to substantially expand the nature and timing of substantive testing.

7-61. If the head of the IT department and the CFO have complete access to all aspects of the IT system and the ability to input, change and delete transactions, is this a weakness in ICFR? If so, how important is it? Would this situation have any impact on the audit procedures of the financial statement audit? Given the positions these individuals hold, how might their authority and activities be changed to enhance the control environment while still permitting them to do their jobs?
Answer: Yes, this is a material weakness. It could be material enough to warrant withdrawal from the audit. This would have significant impact on the procedures for an F/S audit since there would be no reasonable assurance that the transactions which comprise the financial statements are valid, authorized, etc.
The easiest way to correct the problem is to eliminate access to the programs and transactions by the IT department head, separating the duties for program changes, program change authorization, and transaction data access. Generally, IT does not need access to the data files, so such access should be eliminated. 26 Problem 7-62. AS 2, paragraph 11 defines preventive controls as having, the objective of preventing errors or fraud from occurring in the first place that could result in a misstatement of the financial statements. Detective controls, have the objective of detecting errors or fraud that have already occurred that could result in a misstatement of the financial statements. Required: Set up a work paper with two columns, one labeled preventive and the other labeled detective. Using the discussion of ITGC presented in Appendix A, classify the various controls discussed as preventive or detective controls. Are there any you placed in both columns because they serve both a preventive (P) and detective function (D)? Examine your controls and answer the following. (a) Are there any preventive controls that you believe are less important if a related detective control is effective? What would the related detective control be? Explain how it would compensate. (b) Are there any detective controls that you believe are less important if the related preventive controls are effective? What would the related preventive control be? Explain who it would compensate. 
Answer: Classification of controls (P = preventive, D = detective):

IT control environment: P&D
Policy development and communication: P&D
Segregation of duties: P&D
Monitoring procedures: P&D
Software acquisition: P&D
Hardware acquisition: P&D
Network technology acquisition: P&D
Program development: P&D
Program changes: P&D
Computer operations: P&D
Policies and procedures: P&D
Batch processing and end user computing: D
Backup management: P&D
Data center controls: P&D
Capacity planning and performance issue management: P&D
Recovery procedures for operational failures: P&D
Access to programs and data: P&D
Security policies and procedures: P&D
Testing security measures: P&D
Authorization decisions for access: P&D
Monitoring security measures: P&D
Application software access: P&D
Operating system security: P&D
Network security administration: P&D
Data security: P&D
Software and interface controls: P&D
Contingency controls: P&D
Backup procedures: P&D
Service interruption, disaster, and recovery: P&D
Human resources: P&D
Hiring policies: P
Training: P&D
Termination policies and controls: P
Physical facilities controls: P&D
Protected environment: P
Controlled climate: P
Fire suppression and evacuation plans: P
Inconspicuous facilities: P

NOTE: Most controls can be either, depending on how they are configured!

a) Preventive controls less important if a related detective control is important? A: None; preventive control is always better than detective control.

b) Detective controls less important if the preventive control is important? A: Batch processing; if the processing went to on-line with input edit controls, then batch controls would not be necessary since errors would be prevented and not need to be detected.

Activity Assignment

7-63. View or review the movie, Catch Me If You Can (Leonardo DiCaprio, Dreamworks, 2002). Investigate information on Frank Abagnale Jr., the individual whose early life is portrayed in the movie, including his current occupation.

(a) Explain how the main character in the movie used social engineering.

(b) Although the events of the movie occurred before much of today's information technology was developed, many of the processes used by the villain could be successfully used today. Give examples and explain why this is the case.

(c) Why are the knowledge and skills used by Frank Abagnale Jr. during his early life applicable to what he does now?

Answer: (a) & (b) Student answers may vary but should focus on information about how, during the 1960s and without the assistance of the Internet or other digital conveniences, Frank Abagnale, Jr., made his mark as a social engineer.
He portrayed himself as a variety of imposters and used techniques that would build confidence with his victims. Combining those talents with his forgery skills, he pulled off some of the most deceptive scams of all time, everything from impersonating a chief resident pediatrician at a hospital for almost a year to posing as an airline pilot to fly for free. While Abagnale used his knowledge and expertise for purposes of deceit, he later served his time.

(c) He is currently a millionaire and lives in Tulsa, Oklahoma with his wife, whom he married one year after becoming legitimate. They have three sons; he works as a security consultant helping the FBI by teaching at the FBI Academy and lecturing for FBI field offices throughout the country. One of his sons currently works for the FBI, also.