Professional Documents
Culture Documents
LEARNING OBJECTIVES
Among other things, the COSO Report defines internal control and its components and
provides criteria for evaluating internal control. The report presents these interrelated
components of internal control:
1
Control EnvironmentThe core of any business is its people and the
environment in which they operate. The tone at the top, i.e., managements
attitudes, values and behaviors, provides the control environment for other
employees.
Risk AssessmentThe entity must be aware of and deal with the risks it faces;
identifying the risk of error or fraud and implementing corrective actions is the
primary responsibility of management.
Control ActivitiesControl policies and procedures must be designed and
operated to address risks to the achievement of the entitys objectives.
Information and CommunicationThese systems enable the entitys people to
obtain and use information necessary to conduct, manage and control operations.
MonitoringThe internal control process must be monitored and changed by
management as circumstances and conditions necessitate.
Control Environment
1. The organization demonstrates a commitment to integrity and ethical values.
2. The board of directors demonstrates independence from management and exer-
cises oversight of the development and performance of internal control.
3. Management establishes, with board oversight, structures, reporting lines, and
appropriate authorities and responsibilities in the pursuit of objectives.
4. The organization demonstrates a commitment to attract, develop, and retain com-
petent individuals in alignment with objectives.
5. The organization holds individuals accountable for their internal control
responsibilities in the pursuit of objectives.
Risk Assessment
6. The organization specifies objectives with sufficient clarity to enable the
identification and assessment of risks relating to objectives.
7. The organization identifies risks to the achievement of its objectives across the
entity and analyzes risks as a basis for determining how the risks should be
managed.
8. The organization considers the potential for fraud in assessing risks to the
achievement of objectives.
9. The organization identifies and assesses changes that could significantly impact
the system of internal control.
Control Activities
10. The organization selects and develops control activities that contribute to the miti-
gation of risks to the achievement of objectives to acceptable levels.
2
11. The organization selects and develops general control activities over technology
to support the achievement of objectives.
12. The organization deploys control activities through policies that establish what is
expected and procedures that put policies into action.
Monitoring Activities
16. The organization selects, develops, and performs ongoing and/or separate
evaluations to ascertain whether the components of internal control are present
and functioning.
17. The organization evaluates and communicates internal control deficiencies in a
timely manner to those parties responsible for taking corrective action, including
senior management and the board of directors, as appropriate.
Internal control is always relevant to the nature, size and complexity of a reporting entity.
Smaller entities will ordinarily have more informal controls that are carried out by one or
a few persons. While the basic components of internal control should be present in
small- and medium-size entities, the 17 principles will ordinarily be subjectively included
in an entitys design and operation of internal controls.
Generally, internal controls over financial reporting include those that are designed to
make sure financial data is recorded, processed, summarized and reported consistent with
managements representations (assertions) in financial statements. Management of an
entity has the primary responsibility for internal control. An auditors responsibilities
include the evaluation of whether the five components are designed and operating
effectively, given the nature, size and complexity of the entity.
3
Understanding the Components of Internal Control
The control environment sets the tone of any organization, i.e., causes its people to be
conscious of the importance of the entitys system of internal control. It is the foundation
for application of all other components of internal control. For small entities, the
character and behavior of the person having top financial responsibility for the entity,
e.g., an owner or manager, sets the tone for employees to follow. For larger entities,
management personnel at various levels are also the primary influence on the control
environment. In all cases, its what management does, not what they say, that directs
employees behavior. The operating philosophies and style of management, their
delegation of responsibility and authority, their emphasis on developing and guiding
employees and their utilization of input from persons charged with governance defines
what employees do.
Budgets may be prepared using a base line, such as the prior years operations, or they
may be zero based, that is built from the ground up. Whichever method is used,
participation by department heads and other operating personnel is essential for
producing effective budgets. The final review and approval responsibility for budgets
should rest with persons charged with governance of the organization.
To provide value, the budget should be compared to actual results on a periodic basis by
management and other persons charged with governance, usually monthly. Unusual or
unexpected variances from budgeted amounts should be considered and corrective
actions implemented when necessary.
A budget should be designed for use also based on an entitys nature, size and
complexity. A medium-size church employed an executive pastor that was formerly a
chief financial officer for a public company. He spent most of his time micro-managing
weekly budgets for department heads. Using a report from the churchs accounting
software, the executive pastor met with department heads weekly to discuss their budget
status. Over expenditures were met with severe cutbacks in planned future expenditures.
Under expenditures resulted in reductions of monthly or annual budgeted amounts.
While this micro-management significantly strengthened the churchs internal control
system, its cost was high, too high for the size of this organization. The practical side of
4
internal control is that the cost of operation of a control activity should result in benefits
appropriate for the nature, size and complexity of the organization.
While properly prepared and monitored budgets can significantly improve a small
entitys internal controls, their use should provide benefits commensurate with the cost of
preparation and monitoring. Like the design and operation of internal control procedures,
benefits must be measured in terms of the relative costs of implementation and
maintenance.
While smaller entities dont normally have a written code of conduct, larger organizations
are establishing these codes. Publically-held companies, issuers under the Sarbanes-
Oxley Act, are required to establish and communicate codes of conduct. Other privately-
held companies, non-issuers, are also creating codes of conduct as part of their control
environment.
Risks at the entity level may come from external factors such as changes in technology,
customers needs, competition, regulations or laws and the economy. At the entity level,
risks also arise from internal factors such as information systems failures, personnel
5
practices affecting the quality of employees, access to assets and the susceptibility of an
entitys operations to fraud.
At the activity level, risk assessment involves business operations and financial reporting.
Analyzing operational reports, financial and non-financial data and observations of
employees activities may bring risks to managements attention.
Control Activities:
Completeness
Occurrence and cut-off
Valuation and accuracy
Existence
Rights
Obligations
Disclosure and Presentation
An entitys financial reporting and internal control systems should result in financial
statement classifications that are appropriate and reasonable.
Key controls are those elements of the five components of internal control that have a
pervasive affect upon the accomplishment of managements control objectives. For
smaller entities, key controls are normally performed at the entity level, although some
may exist at the activity level. Illustrated in the accompanying Small Audits Internal
Control Questionnaire (SAICQ), these controls may be informal and ordinarily carried
out by one or a few persons such as an owner/manager. The design and operation of
these key controls can prevent material misstatements due to error or fraud from
occurring and going undetected. When these circumstances exist, even a small entity can
have a good internal control system!
Components of key controls for both large and small entities are:
6
Activity-Level Controls
The COSO Report states that control activities are the policies and procedures established
to help ensure that management directives are carried out and that managements
objectives are accomplished. The key controls described above are primary to
accomplishing these objectives. Absent the design of key controls, or when key controls
are designed but not operating, activity-level controls may be necessary to prevent
misstatements from occurring and going undetected.
Comprising the nature of internal information produced and distributed by an entity, this
component is intended to enable management and others to operate, manage and control
the entitys business. It is also intended to provide employees an understanding of
financial reporting and safeguarding controls and their operations. For larger entities,
communication may take the form of policy and procedure manuals, instructional memos
and oral communications. For smaller entities, communication will often be verbal, face
to face and directed by the owner or a manager.
Communications may also involve outside parties such as auditors, customers and
vendors. These communications may provide information that can lead to identifying
deficiencies in internal control.
Monitoring:
The monitoring component is intended to cause management to assess the design and
operating effectiveness of the entitys system of internal control on a short and long-range
basis. Monitoring can be performed on an on-going basis or be performed on separate
occasions.
Monitoring is the evaluation the effectiveness of other internal control components and
how well managements and other employees duties are being performed. Monitoring in
small entities normally consists of the day-to-day observations of an owner or manager.
As discussed above, the owner or manager of a small entity is that entitys control
environment. If he or she has good character, is committed to performing key controls
and is diligent in carrying out day-to-day responsibilities, it is possible for a small entity
7
to have a good system of internal control. On the other hand, an ineffective
owner/manager may increase the risk of material misstatements at both the financial
statement and assertion levels.
Boards of directors for small entities, especially non-profit organizations, may not be
knowledgeable of business operations, accounting and tax activities or internal control
over financial reporting. In such cases, the caliber of the owner or manager will be even
more important in preventing errors from occurring and going undetected. A
knowledgeable board, on the other hand, can serve to reduce the risk of material
misstatement when the owner or managers capabilities are not strong.
An informal organization structure of a small entity may result in control deficiencies due
to a lack of segregation of duties in operations and accounting. Because employees may
be trained to perform many different functions, the resources and accounting records
could be at risk of misstatement due to error or fraud. Highly effective key controls at the
entity level would be necessary to mitigate these risks.
Many of the key controls performed by an owner or manager depend on the physical
presence of the person. Prolonged absences from the work place by the owner or
manager decrease the effectiveness of key controls and increase the risk of material
misstatements.
As discussed above, the owner or manager (CEO, director, superintendent, CFO or other
top financial authority) has primary responsibility for the design and operation of internal
controls. Most of the key controls will be informal and they will be performed by the
owner or manager. It is the commitment to accurate financial reporting and the diligence
of the responsible person that primarily affects the risk of material misstatements in
financial statements.
COSO has recognized that small entities can have good internal controls, although they
will likely be informal and carried out by one or a few persons. The design and operation
of key controls can prevent material misstatements due to error or fraud from occurring
and going undetected. So to answer the marginal question above, effectively designed
and operating informal key controls may result in a good internal control system for
smaller entities.
8
Information for preparing flowcharts is usually based on the knowledge of the top
financial authority of an entity. Additional information may be obtained by interviewing
persons responsible for procedures, making inquiries of each person responsible for
document preparation and tracing all documents through the processing procedures. The
accompanying Flowcharting Guide can facilitate the flowchart drafting process, whether
in hardcopy or electronic format.
Leave two to three inches on the left of the page open for comments.
Begin at the upper-left corner and draw down and/or to the right.
Show the source and use of every document.
Use keys within symbols for footnotes or drop-down boxes to describe
documents.
Use a separate memo or drop-down box on the flowchart to explain any
information that is not self-explanatory.
The flowchart should be divided into columns to separate people or departments
with specific areas of responsibility.
Use directional arrows only if the information flow contradicts a normal pattern.
Avoid cross lines of data-flow.
Following are three illustrative flowcharts for common transactions cycles that could be
used to identify risks by financial statement classification:
9
10
11
12
DESIGNING COST-EFFECTIVE INTERNAL CONTROL SYSTEMS FOR
SMALLER ENTITIES
COSO has led the way to designing cost-effective internal control systems for smaller
public companies by the guidance it published in 2006. This guidance for smaller public
companies presents a pattern for smaller non-public entities as well.
Fewer lines of business, fewer products and limited purposes, particularly for
non-profit organizations.
Management personnel usually have significant equity interests.
Management personnel normally have broader responsibilities and control.
Accounting systems are generally less complex than for larger entities.
Accounting personnel are generally few in number and often have wide ranges of
duties.
Limited resources often results in lesser qualified staff persons and fewer
consultations with legal and other experts.
In spite of these challenges, a smaller company can design and operate an effective
internal control system. A brief discussion of some of the ways this can be done follows
in the next section.
13
generally has an equity or compensation interest, the likelihood of management
override of internal controls is diminished.
2. Effective board of governance. Since smaller companies or non-profit
organizations ordinarily have less complex business structures, persons charged
with governance can have a greater knowledge of the entitys activities. This can
enable these persons to more effectively accomplish their governance
responsibilities.
3. Overcoming the lack of segregation of duties. Key controls carried out by
management personnel at the entity or activity level can offset the control risks
from the lack of segregation of duties. The COSO Report suggests these key
controls:
a. Reviewing system reports of detailed transactions.
b. Selecting transactions for review of supporting documents.
c. Overseeing periodic counts of physical inventory, equipment or other
assets and comparing them with accounting records.
d. Reviewing reconciliations of account balances or performing them
independently.
4. Limiting risks associated with the IT system. While using out-of-the-box
software can limit the information available for managements use, many of the
risks associated with mid-tier, user-modifiable systems can be avoided.
Standardized reports and reporting formats, password and processing controls and
other application controls can prevent errors from occurring and going
undetected.
5. Monitoring control activities. Monitoring in small entities is normally the
responsibility of an owner or manager. Performing daily walk-around controls
provides feedback on the effectiveness of accounting, internal control, and
operational systems. In 2009, COSO published its Guidance on Monitoring
Internal Control Systems. This guidance suggests that monitoring for all entities
should be based on these three broad elements:
a. Establishing a foundation for monitoring, including (a) a proper tone at the
top; (b) an effective organization structure that assigns monitoring roles to
people with appropriate capabilities, objectivity and authority; and (c) a
starting point or baseline of known effective internal control from which
ongoing monitoring and separate evaluations can be implemented;
b. Designing and executing monitoring procedures focused on persuasive
information about the operation of key controls that address meaningful
risks to organizational objectives; and
c. Assessing and reporting results, which includes evaluating the severity of
any identified deficiencies and reporting the monitoring results to the
appropriate personnel and the board for timely action and follow-up if
needed.
6. Achieving further efficiencies. The COSO Report identifies other opportunities
to design effective and efficient internal control systems:
a. By focusing on the risks related to managements objectives, a risk-based
approach to designing internal controls systems will consider what could
go wrong in the financial reporting process. Using lists of controls that are
14
tailored to the nature, size and complexity of an entity and the objectives
of its management will facilitate the identification of what could go
wrong.
b. Documentation of internal control policies and procedures will also vary
with the nature, size and complexity of an entity. Smaller entities
normally have informally designed and communicated internal controls.
In other words, there normally are no policies and procedures manuals,
systems flowcharts, organization charts and job descriptions. With fewer
people and levels of management, more frequent contact by an owner or
manager enables communication of the informal policies and procedures.
c. Some documentation of accounting and internal control procedures is
ordinarily necessary to demonstrate transaction processes are occurring
and being recorded properly. Determining that all shipments are billed,
that billings only occur after shipments are made and that bank accounts
are being reconciled are examples of such procedures. Key controls
performed by owners or managers of small entities should include periodic
inspections of records sufficient to determine transactions are being
recorded properly.
Much has been written about forensic accounting and fraud. There are three major
categories of fraud that commonly affect entities:
For small entities, misappropriation of assets is the most common type of fraud. The
fraud triangle contains three factors that indicate circumstances that can cause a person
to misappropriate assets and misstate records to conceal the theft:
15
3. Attitudes and rationalizations for committing fraud. Justifying the fraud
because the perpetrator is not paid what he/she is worth or rationalizing that
everyone does it are examples of a fraudsters attitudes.
FRAUD PREVENTION
Designing and operating anti-fraud programs is the responsibility of management and can
result in reductions in opportunities for employees to commit fraud. Human resource
policies such as drug tests, credit checks and background checks for prospective
employees help eliminate candidates with higher tendencies to commit fraud. Keys
controls diligently carried out by owners, managers or other authorized individuals are
also primary means of preventing or reducing the occurrence of asset misappropriation.
Fraud detection may occur as key controls are performed. In addition, analytical
procedures performed by comparing operating results among periods or by making
calculations using non-financial data can reveal discrepancies. For example, an auto
parts store discovered a $50,000 fraud perpetrated by a sales clerk when a new software
program identified the number of refund slips issued by each clerk on a periodic basis. In
another case, the CFO of a transportation company compared the miles per gallon of
gasoline on trips for each driver and discovered a driver storing and selling gasoline on
the side. Fraud detection may also occur in anti-fraud programs carried out physically
such as lunch box searches at a small tool manufacturing plant or electronic security
scanners at exits from the plant of a computer components manufacturer.
16
CPA PRACTICE AIDS, LLC
CASH:
1. No segregation of duties among office 1. All employees have access to 1. Off site owner reviews
employees, cash weekly:
and receivables records; could a. Reviews copies of sales
manager, bookkeeper, and clerk. steal invoices
2. Over counter and mail receipts received by cash and post credits to customer b. Inspects check copies and
all employees. or invoices
3. Over counter sales made by all office
employees. lap customer payments. c. Reviews payroll journals
4. Bookkeeper and clerk both post accounts 2. Bookkeeper could cover theft
receivable by d. Reviews customer and vendor
manipulating bank reconciliations
records. or activity reports
5. Bookkeeper posts general ledger and
prepares writing off customer balances. 2. CPA firm designed accounting
3. Manager has access to procedures and owner's key
and delivers deposits to bank. software, controls
could write and sign checks to 3. CPA firm controls all
6. Manager signs payroll and operating checks. self. QuickBooks
passwords, accounts for pre-
numbered
checks and sales invoices,
reviews
sales invoices and check
support,
maintains personal files,
prepares payroll
reports, adjusts and closes
monthly
records.
4. CPA firm prepares monthly
financials for owner's review
ACCOUNTS RECEIVABLE:
1. No segregation of duties. All office personnel
receives 1. Customer payments could be 1. Same as above.
payments in mail and over counter. received and misappropriated.
2.Bookkeeper makes deposits and posts
accounts 2. Lapping could occur.
receivable records. 3. Account balances and invoices
3.AR clerk receives cash, posts accounts could be written off without
receivable authorization.
4. Unauthorized sales could be
records and makes deposits. made
4.Credit memos not used to support credits to and products shipped without
customers accounts. recording.
17
INVENTORY:
1. No documents or records are maintained to 1. Employee or customer theft Written instructions are
control could prepared by
the foreman for counting
inventory items (precast concrete blocks). occur. inventory.
2. Yard is open during the day while employees 2. Sales could be missed because Employees attend a training
are of meeting
working but often no one is present in the yard. on how to count. The manager
It is insufficient quantities on hand. is
3. With no item records present and supervises the
locked at night. maintained, count,
3. Inventories are physically counted only once including testing employee's
a year; quantities of certain items being counts.
manager eye-balls quantities to control The manager places and picks
production. produced could be unnecessary up all count sheets.
FIXED ASSETS:
1. No detailed sub-ledger maintained. 1. Loss or theft of assets. See cash section.
2. No numerical control of fixed assets is in
place. 2. Assets could be purchased and
3. Bookkeeper maintains depreciation schedule. converted to personal use.
4. No key controls over accounting or
safeguarding
fixed assets.
ACCOUNTS PAYABLE:
1. Converting purchases to
1. Any office employee can order supplies or raw personal See cash section.
materials. use.
2. No purchase orders in use. Office manager
initials 2. Writing unauthorized checks to
invoice when paid. fictitious vendors
3. All payments are initiated by bookkeeper who
has 3. Purchasing excess quantities of
access to cash, accounts receivable and bank raw materials.
reconciliations.
4. No accounts payable sub-ledger is maintained.
REVENUES:
See cash section. Unrecorded sales. See cash section.
EXPENSES:
See cash section and accounts payable section. Unauthorized or incorrect payroll See cash section.
Payroll--manager hires and fires. No double-
checks and operating expenditures.
on payroll computations.
OTHER:
18
CONCLUSION
Important issues to remember that influence the design of internal control systems for
smaller entities include:
USE OF QUESTIONNAIRE
INSTRUCTIONS
19
The Questionnaire contains space for yes, no or N/A responses to key controls and
activity-level controls generally applicable to a small business or organization. Yes
responses indicate that the control procedure is has been at least informally designed and
is operating effectively. No responses indicate the control procedure has not been
designed or, if designed, is not operating effectively. N/A responses indicate the
control procedure is not applicable to a clients internal control system. The Personnel
column should be used to identify persons performing the control activities.
Key controls, a part of entity-level controls, should drive the control risk assessment
process. Key controls can mitigate most deficiencies in activity-level controls,
particularly for smaller entities. For a small business or organization, key controls are
normally performed by the owner/manager (O/M), a member of the entitys board of
directors, a volunteer or paid consultant.
If key controls have not been designed, or are not operating effectively, the auditor should
consider the activity-level controls to provide the assessment of control risk for relevant
assertions.
RELEVANT ASSERTIONS
When completing this Questionnaire, the auditor should primarily consider these relevant
assertions:
20
Prepared By: ______________________________________________________
Date Prepared: __________________________________________________________
Reviewed By: __________________________________________________________
Date Reviewed: __________________________________________________________
21
SMALL AUDITS INTERNAL CONTROL QUESTIONNAIRE
FOR MAJOR AUDIT AREAS
CLIENT: _________________________________________________________
22
SMALL AUDITS INTERNAL CONTROL QUESTIONNAIRE
FOR MAJOR AUDIT AREAS
CLIENT: _________________________________________________________
23
SMALL AUDITS INTERNAL CONTROL QUESTIONNAIRE
FOR MAJOR AUDIT AREAS
CLIENT: _________________________________________________________
24
SMALL AUDITS INTERNAL CONTROL QUESTIONNAIRE
FOR MAJOR AUDIT AREAS
CLIENT: _________________________________________________________
ACCOUNTS RECEIVABLE
ACTIVITY-LEVEL CONTROLS
25
SMALL AUDITS INTERNAL CONTROL QUESTIONNAIRE
FOR MAJOR AUDIT AREAS
CLIENT: _________________________________________________________
INVENTORIESACTIVITY-LEVEL
CONTROLS
1. An annual physical inventory is taken
and adequate count records (tags or
sheets) are maintained.
26
SMALL AUDITS INTERNAL CONTROL QUESTIONNAIRE
FOR MAJOR AUDIT AREAS
CLIENT: _________________________________________________________
FIXED ASSETSACTIVITY-LEVEL
CONTROLS
27
SMALL AUDITS INTERNAL CONTROL QUESTIONNAIRE
FOR MAJOR AUDIT AREAS
CLIENT: _________________________________________________________
ACCOUNTS PAYABLEACTIVITY-
LEVEL CONTROLS
28
SMALL AUDITS INTERNAL CONTROL QUESTIONNAIRE
FOR MAJOR AUDIT AREAS
CLIENT: _________________________________________________________
SALES/REVENUESACTIVITY-
LEVEL CONTROLS
29
SMALL AUDITS INTERNAL CONTROL QUESTIONNAIRE
FOR MAJOR AUDIT AREAS
CLIENT: _________________________________________________________
PAYROLLACTIVITY-LEVEL
CONTROLS
EXPENSESACTIVITY-LEVEL
CONTROLS:
31
SMALL AUDITS INTERNAL CONTROL QUESTIONNAIRE
FOR MAJOR AUDIT AREAS
CLIENT: _________________________________________________________
CASH:
ACCOUNTS RECEIVABLE:
INVENTORIES:
FIXED ASSETS:
ACCOUNTS PAYABLE:
SALES/REVENUE:
32
PAYROLL:
EXPENSES:
OTHER:
33
CPA PRACTICE AIDS, LLC
AUDIT FLOWCHARTING GUIDE
USE OF GUIDE
INSTRUCTIONS
Client Inquiries
The SAICQ and the flowcharts resulting from this Guide should be used while making
inquiries of appropriate client personnel. While a flowchart is being prepared, or after it
is prepared if it is more convenient, a systems walk-through procedure should be
performed to determine that information on the flowcharts is accurate. Documents
examined and procedures performed during the walk-through may be recorded on the
flowcharts or described in an accompanying memorandum. Control deficiencies should
be documented in the last section of the SAICQ.
Memoranda may be prepared for documenting the accounting and internal control
procedures in lieu of flowcharts at the option of the audit engagement leader. The author
recommends using flowcharts since they are usually more effective for identifying
control deficiencies and they often take less time to carry forward, to discuss with client
personnel and to update. Memoranda may be used to supplement the flowcharts to
enhance explanations of accounting system procedures, internal control activities or other
information as the auditor considers necessary.
Key controls, a part of entity-level controls, should drive the control risk assessment
process and should be clearly indicated on the flowcharts. Key controls can mitigate
most deficiencies in activity-level controls, particularly for smaller entities. For a small
business or organization, key controls are normally performed by the owner/manager
(O/M), a member of the entitys board of directors, a volunteer or a paid consultant. Key
controls are presented first in each section of the SAICQ.
34
When control risk is evaluated at the financial statement classification level, the auditor
should primarily consider relevant assertions described in the SAICQ. Flowcharts
should, therefore, focus primarily on controls that affect the relevant assertions in each
financial statement classification. All controls that are operating, however, should be
evidenced on the flowchart to provide an accurate evaluation of control risk.
Flowchart Preparation
35
CPA FIRM PRACTICE AIDS, LLC
AUDIT FLOWCHARTING GUIDE
INSTRUCTIONS AND QUESTIONS BY MAJOR AUDIT AREA
The instructions and questions below will enhance the preparation of flowcharts and
completion of the SAICQ. Answers to questions should first consider key controls and, if
no key controls are present, activity-level controls should be considered to determine if
misstatements can be prevented and not result in control deficiencies.
CASH
Consider the entitys key controls and activity-level controls when preparing flowchart
documentation. These questions can facilitate the identification of accounting and internal
control procedures:
ACCOUNTS RECEIVABLE
All types of sales on account including customer written orders received by mail,
phone or email, sales orders from sales representatives, C.O.D., consignment, etc.
36
Different types of customers such wholesale, retail, distributor, consumer, and
related parties.
All accounting records, documents, data and procedures.
Consider the entitys key controls and activity-level controls when preparing flowchart
documentation. These questions can facilitate the identification of accounting and internal
control procedures:
Consider the entitys key controls and activity-level controls when preparing flowchart
documentation. These questions can facilitate the identification of accounting and internal
control procedures:
FIXED ASSETS
Consider the entitys key controls and activity-level controls when preparing flowchart
documentation. These questions can facilitate the identification of accounting and internal
control procedures:
37
Can fixed assets acquisitions or disposals be made and not approved or recorded?
Are capitalization limits in place?
Does accounting personnel understand when to capitalize additions or repairs to
fixed assets (when the life or capacity is increased)?
ACCOUNTS PAYABLE
Consider the entitys key controls and activity-level controls when preparing flowchart
documentation. These questions can facilitate the identification of accounting and internal
control procedures:
SALES:
Consider the entitys key controls and activity-level controls when preparing flowchart
documentation. These questions can facilitate the identification of accounting and internal
control procedures:
38
PAYROLL
Consider the entitys key controls and activity-level controls when preparing flowchart
documentation. These questions can facilitate the identification of accounting and internal
control procedures:
All modules of the general ledger software, data entry personnel, source
documents and all related accounting system and internal control procedures.
Controls over general journal entries, bank reconciliations and financial statement
preparation.
Consider the entitys key controls and activity-level controls when preparing flowchart
documentation. These questions can facilitate the identification of accounting and internal
control procedures:
Can journal entries or unusual transactions be posted to the general ledger without
approval of a supervisor?
Are there effective administrative controls such as regular vacations, cross-
training, bonding insurance, timely financial statement preparation and budget
utilization?
Is internal control affected by busy or slack periods, illnesses, vacations, etc.?
39
Is internal control affected by the competence of any employee or group of
employees?
Are appropriate internal checks in place, provided either by software, hardware or
administrative procedures?
Are any assets improperly safeguarded?
40