
DESIGNING INTERNAL CONTROL SYSTEMS FOR SMALLER ENTITIES

By Larry L. Perry, CPA


CPA Firm Support Services, LLC

LEARNING OBJECTIVES

- Understand the fundamental concepts and the components of internal control.
- Be able to design and operate effective accounting and internal control systems
  for smaller entities.
- Learn to prepare flowcharts effectively and efficiently.

THE FOUNDATION OF INTERNAL CONTROL

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) is a
voluntary private-sector organization established in the United States. It is dedicated to
providing guidance on organizational governance, business ethics, internal control,
enterprise risk management, fraud and financial reporting. COSO established a common
internal control model that is used by large and small reporting entities.

COSO defines internal control as a process, effected by an entity's board of directors,
management and other personnel. This process is designed to provide reasonable
assurance regarding the achievement of objectives in effectiveness and efficiency of
operations, reliability of financial reporting, and compliance with applicable laws and
regulations. The COSO framework involves several key concepts:

1. Internal control is a process. It is a means to an end, not an end in itself.
2. Internal control is not merely documented by policy manuals and forms. Rather, it
is put into effect by people at every level of an organization.
3. Internal control can provide only reasonable assurance, not absolute assurance, to
an entity's management and board.
4. Internal control is geared to the achievement of objectives in one or more separate
but overlapping categories.

A Historical Perspective of Internal Controls

The Committee of Sponsoring Organizations (COSO) of the National Commission on
Fraudulent Financial Reporting (Treadway Commission) issued its first report in 1985
stressing the importance of internal control, the control environment, codes of conduct,
audit committees and internal audit functions. In 1992, a task force of COSO issued a
report entitled Internal Control - Integrated Framework, called the COSO Report.

Among other things, the COSO Report defines internal control and its components and
provides criteria for evaluating internal control. The report presents these interrelated
components of internal control:

- Control Environment: The core of any business is its people and the
  environment in which they operate. The tone at the top, i.e., management's
  attitudes, values and behaviors, provides the control environment for other
  employees.
- Risk Assessment: The entity must be aware of and deal with the risks it faces;
  identifying the risk of error or fraud and implementing corrective actions is the
  primary responsibility of management.
- Control Activities: Control policies and procedures must be designed and
  operated to address risks to the achievement of the entity's objectives.
- Information and Communication: These systems enable the entity's people to
  obtain and use information necessary to conduct, manage and control operations.
- Monitoring: The internal control process must be monitored and changed by
  management as circumstances and conditions necessitate.

In 2013, COSO updated and issued Internal Control - Integrated Framework. The
updated report did not change the basic components of internal control but, among other
clarifying issues, the Framework sets out seventeen principles for applying these
components. These principles from COSO's report are presented below as they apply to
these components.

Control Environment
1. The organization demonstrates a commitment to integrity and ethical values.
2. The board of directors demonstrates independence from management and
exercises oversight of the development and performance of internal control.
3. Management establishes, with board oversight, structures, reporting lines, and
appropriate authorities and responsibilities in the pursuit of objectives.
4. The organization demonstrates a commitment to attract, develop, and retain
competent individuals in alignment with objectives.
5. The organization holds individuals accountable for their internal control
responsibilities in the pursuit of objectives.

Risk Assessment
6. The organization specifies objectives with sufficient clarity to enable the
identification and assessment of risks relating to objectives.
7. The organization identifies risks to the achievement of its objectives across the
entity and analyzes risks as a basis for determining how the risks should be
managed.
8. The organization considers the potential for fraud in assessing risks to the
achievement of objectives.
9. The organization identifies and assesses changes that could significantly impact
the system of internal control.

Control Activities
10. The organization selects and develops control activities that contribute to the
mitigation of risks to the achievement of objectives to acceptable levels.
11. The organization selects and develops general control activities over technology
to support the achievement of objectives.
12. The organization deploys control activities through policies that establish what is
expected and procedures that put policies into action.

Information and Communication
13. The organization obtains or generates and uses relevant, quality information to
support the functioning of internal control.
14. The organization internally communicates information, including objectives and
responsibilities for internal control, necessary to support the functioning of
internal control.
15. The organization communicates with external parties regarding matters affecting
the functioning of internal control.

Monitoring Activities
16. The organization selects, develops, and performs ongoing and/or separate
evaluations to ascertain whether the components of internal control are present
and functioning.
17. The organization evaluates and communicates internal control deficiencies in a
timely manner to those parties responsible for taking corrective action, including
senior management and the board of directors, as appropriate.

Internal control is always relevant to the nature, size and complexity of a reporting entity.
Smaller entities will ordinarily have more informal controls that are carried out by one or
a few persons. While the basic components of internal control should be present in
small- and medium-size entities, the 17 principles will ordinarily be subjectively included
in an entity's design and operation of internal controls.

Generally, internal controls over financial reporting include those that are designed to
make sure financial data is recorded, processed, summarized and reported consistent with
management's representations (assertions) in financial statements. Management of an
entity has the primary responsibility for internal control. An auditor's responsibilities
include the evaluation of whether the five components are designed and operating
effectively, given the nature, size and complexity of the entity.

Management's Control Objectives

An entity's internal control system provides the machinery used by management to
accomplish these basic objectives:

- Effectiveness and efficiency of operations: basic business objectives,
  profitability goals and safeguarding of assets and other resources.
- Reliability of financial reporting: preparation of accurate financial statements.
- Compliance with laws and regulations: all to which the entity is subject.

Understanding the Components of Internal Control

The Tone at the Top and Bottom:

The control environment sets the tone of any organization, i.e., causes its people to be
conscious of the importance of the entity's system of internal control. It is the foundation
for application of all other components of internal control. For small entities, the
character and behavior of the person having top financial responsibility for the entity,
e.g., an owner or manager, sets the tone for employees to follow. For larger entities,
management personnel at various levels are also the primary influence on the control
environment. In all cases, it's what management does, not what they say, that directs
employees' behavior. The operating philosophies and style of management, their
delegation of responsibility and authority, their emphasis on developing and guiding
employees and their utilization of input from persons charged with governance define
what employees do.

The Importance of Descriptive Charts of Accounts and Budgeting Controls:

A comprehensive chart of accounts is the foundation of the financial reporting process.
Designed to guide the authorization, initiation, classification, recording and summarizing
of transactions, it is most effective when it includes descriptions of the activity that may
be recorded in each account. The chart of accounts should include accounts in all
functional, departmental and/or job classifications. It should also be designed to facilitate
budget preparation and monitoring as part of an entity's internal control system.

Budgets may be prepared using a base line, such as the prior year's operations, or they
may be zero-based, that is, built from the ground up. Whichever method is used,
participation by department heads and other operating personnel is essential for
producing effective budgets. The final review and approval responsibility for budgets
should rest with persons charged with governance of the organization.

To provide value, the budget should be compared to actual results on a periodic basis by
management and other persons charged with governance, usually monthly. Unusual or
unexpected variances from budgeted amounts should be considered and corrective
actions implemented when necessary.

A budget should also be designed for use based on an entity's nature, size and
complexity. A medium-size church employed an executive pastor who was formerly a
chief financial officer for a public company. He spent most of his time micro-managing
weekly budgets for department heads. Using a report from the church's accounting
software, the executive pastor met with department heads weekly to discuss their budget
status. Overexpenditures were met with severe cutbacks in planned future expenditures.
Underexpenditures resulted in reductions of monthly or annual budgeted amounts.
While this micro-management significantly strengthened the church's internal control
system, its cost was high, too high for the size of this organization. The practical side of
internal control is that the cost of operation of a control activity should result in benefits
appropriate for the nature, size and complexity of the organization.

While properly prepared and monitored budgets can significantly improve a small
entity's internal controls, their use should provide benefits commensurate with the cost of
preparation and monitoring. Like the design and operation of internal control procedures,
benefits must be measured in terms of the relative costs of implementation and
maintenance.

The Importance of a Code of Conduct:

While smaller entities don't normally have a written code of conduct, larger organizations
are establishing these codes. Publicly held companies, issuers under the Sarbanes-Oxley
Act, are required to establish and communicate codes of conduct. Other privately held
companies, non-issuers, are also creating codes of conduct as part of their control
environment.

Whether written or communicated informally, a code of conduct defines behavior
expectations for both management and other employees. While such codes do not
prevent inappropriate behavior or fraud, they do provide employees with legal and ethical
standards that will influence their performance and commitment to the entity's system of
internal control.

An entity's code of conduct will ordinarily include these sections:

- Use of company assets and resources for business and not personal use
- Use of telephones, email and the internet
- Avoiding actual and potential conflicts of interest
- Protecting the company's confidential information
- Maintaining complete and accurate accounting records
- Investigating and reporting any accounting, auditing and disclosure concerns
- Retaining and disposing of records and documents
- Prohibiting discrimination and harassment
- Prohibiting use of alcohol and illegal drugs
- Complying with laws, rules and regulations
- Protecting intellectual property and using copyrighted materials
- Giving and receiving gifts, meals, services and entertainment
- Understanding disciplinary actions for code violations
- Reporting concerns and code violations

The Entity's Risk Assessment Process:

Risks at the entity level may come from external factors such as changes in technology,
customers' needs, competition, regulations or laws and the economy. At the entity level,
risks also arise from internal factors such as information systems failures, personnel
practices affecting the quality of employees, access to assets and the susceptibility of an
entity's operations to fraud.

At the activity level, risk assessment involves business operations and financial reporting.
Analyzing operational reports, financial and non-financial data and observations of
employees' activities may bring risks to management's attention.

Control Activities:

Control activities that are established in response to perceived risks relate to
management's representations (assertions) in the entity's financial statements. The
assertions from section AU-C 315 of the Auditing Standards Board Clarified Auditing
Standards can be synthesized and organized in this way:

Completeness
Occurrence and cut-off
Valuation and accuracy
Existence
Rights
Obligations
Disclosure and Presentation

An entity's financial reporting and internal control systems should result in financial
statement classifications that are appropriate and reasonable.

Key or Entity-Level Controls

Key controls are those elements of the five components of internal control that have a
pervasive effect upon the accomplishment of management's control objectives. For
smaller entities, key controls are normally performed at the entity level, although some
may exist at the activity level. Illustrated in the accompanying Small Audits Internal
Control Questionnaire (SAICQ), these controls may be informal and ordinarily carried
out by one or a few persons such as an owner/manager. The design and operation of
these key controls can prevent material misstatements due to error or fraud from
occurring and going undetected. When these circumstances exist, even a small entity can
have a good internal control system!

Components of key controls for both large and small entities are:

- Management's integrity and ethical values.
- Management's commitment to doing things right.
- Management's ways of doing things.
- The involvement of persons charged with governance.
- The delegation of authority and responsibility.
- Personnel policies and procedures.

Activity-Level Controls

The COSO Report states that control activities are the policies and procedures established
to help ensure that management directives are carried out and that management's
objectives are accomplished. The key controls described above are primary to
accomplishing these objectives. Absent the design of key controls, or when key controls
are designed but not operating, activity-level controls may be necessary to prevent
misstatements from occurring and going undetected.

These controls may be applied through features in an accounting software system, by
personnel while performing accounting procedures or by the design of documents or data.
The SAICQ mentioned above also illustrates the activity-level controls for the financial
statement classifications of a small entity. If key controls are not designed or operating,
certain activity-level controls may prevent errors from occurring and going undetected.

Information and Communication:

Comprising the nature of internal information produced and distributed by an entity, this
component is intended to enable management and others to operate, manage and control
the entity's business. It is also intended to provide employees an understanding of
financial reporting and safeguarding controls and their operations. For larger entities,
communication may take the form of policy and procedure manuals, instructional memos
and oral communications. For smaller entities, communication will often be verbal, face
to face and directed by the owner or a manager.

Communications may also involve outside parties such as auditors, customers and
vendors. These communications may provide information that can lead to identifying
deficiencies in internal control.

Monitoring:

The monitoring component is intended to cause management to assess the design and
operating effectiveness of the entity's system of internal control on a short and long-range
basis. Monitoring can be performed on an on-going basis or be performed on separate
occasions.

Monitoring is the evaluation of the effectiveness of other internal control components and
how well management's and other employees' duties are being performed. Monitoring in
small entities normally consists of the day-to-day observations of an owner or manager.

Special Issues for Small Entities

As discussed above, the owner or manager of a small entity is that entity's control
environment. If he or she has good character, is committed to performing key controls
and is diligent in carrying out day-to-day responsibilities, it is possible for a small entity
to have a good system of internal control. On the other hand, an ineffective
owner/manager may increase the risk of material misstatements at both the financial
statement and assertion levels.

Boards of directors for small entities, especially non-profit organizations, may not be
knowledgeable of business operations, accounting and tax activities or internal control
over financial reporting. In such cases, the caliber of the owner or manager will be even
more important in preventing errors from occurring and going undetected. A
knowledgeable board, on the other hand, can serve to reduce the risk of material
misstatement when the owner's or manager's capabilities are not strong.

An informal organization structure of a small entity may result in control deficiencies due
to a lack of segregation of duties in operations and accounting. Because employees may
be trained to perform many different functions, the resources and accounting records
could be at risk of misstatement due to error or fraud. Highly effective key controls at the
entity level would be necessary to mitigate these risks.

Many of the key controls performed by an owner or manager depend on the physical
presence of the person. Prolonged absences from the work place by the owner or
manager decrease the effectiveness of key controls and increase the risk of material
misstatements.

Can a Small Entity Have Good Internal Controls?

As discussed above, the owner or manager (CEO, director, superintendent, CFO or other
top financial authority) has primary responsibility for the design and operation of internal
controls. Most of the key controls will be informal and they will be performed by the
owner or manager. It is the commitment to accurate financial reporting and the diligence
of the responsible person that primarily affects the risk of material misstatements in
financial statements.

COSO has recognized that small entities can have good internal controls, although they
will likely be informal and carried out by one or a few persons. The design and operation
of key controls can prevent material misstatements due to error or fraud from occurring
and going undetected. So to answer the marginal question above, effectively designed
and operating informal key controls may result in a good internal control system for
smaller entities.

Using a Small Audits Internal Control Questionnaire

The accompanying Small Audits Internal Control Questionnaire is designed to assist
management in formulating an internal control system and to be used on small audits to
document internal control and assess control risk. It also is a source for identifying
control deficiencies by management and auditors.

An Overview of Flowchart Preparation

Information for preparing flowcharts is usually based on the knowledge of the top
financial authority of an entity. Additional information may be obtained by interviewing
persons responsible for procedures, making inquiries of each person responsible for
document preparation and tracing all documents through the processing procedures. The
accompanying Flowcharting Guide can facilitate the flowchart drafting process, whether
in hardcopy or electronic format.

The overall objective of flowchart preparation is to produce a complete and
understandable flowchart. Here are some basic rules:

- Leave two to three inches on the left of the page open for comments.
- Begin at the upper-left corner and draw down and/or to the right.
- Show the source and use of every document.
- Use keys within symbols for footnotes or drop-down boxes to describe
  documents.
- Use a separate memo or drop-down box on the flowchart to explain any
  information that is not self-explanatory.
- The flowchart should be divided into columns to separate people or departments
  with specific areas of responsibility.
- Use directional arrows only if the information flow contradicts a normal pattern.
- Avoid cross lines of data-flow.

Following are some steps to facilitate flowchart preparation:

1. Define the transaction cycle, system or process to be flowcharted (cash
receipts or disbursements, sales, payroll, etc.)
2. Lay out the columns of the flowchart to show the flow of information
through the system or process. Consider roughing out the flow of
documents and information known to you.
3. Interview accounting personnel using an SAICQ, Flowcharting Guide or
other reference material to gather information.
4. Draw or complete the flowchart (while interviewing accounting personnel
if possible).
5. Perform a systems walk-through procedure to verify the accuracy of the
flowchart and make a preliminary identification of potential risks of
material misstatements.
6. Transfer potential risks to a control deficiencies worksheet for
consideration of offsetting key controls and a determination of
deficiencies.

Following are three illustrative flowcharts for common transaction cycles that could be
used to identify risks by financial statement classification:

DESIGNING COST-EFFECTIVE INTERNAL CONTROL SYSTEMS FOR
SMALLER ENTITIES

Characteristics of Smaller Entities

COSO has led the way to designing cost-effective internal control systems for smaller
public companies by the guidance it published in 2006. This guidance for smaller public
companies presents a pattern for smaller non-public entities as well.

Common characteristics for smaller entities include:

- Fewer lines of business, fewer products and limited purposes, particularly for
  non-profit organizations.
- Management personnel usually have significant equity interests.
- Management personnel normally have broader responsibilities and control.
- Accounting systems are generally less complex than for larger entities.
- Accounting personnel are generally few in number and often have wide ranges of
  duties.
- Limited resources often result in lesser qualified staff persons and fewer
  consultations with legal and other experts.

Challenges and Difficulties

These common characteristics create difficulties in designing cost-effective internal
control systems. Here are some of the effects:

- Segregation of incompatible duties is limited.
- Management personnel have increased opportunities for override of internal
  controls.
- Finding qualified persons to serve on boards of governance is difficult.
- Hiring and retaining qualified accounting personnel is a challenge.
- A lack of resources to maintain appropriate control over IT systems often results
  in using out-of-the-box software that often doesn't meet all the entity's needs.

In spite of these challenges, a smaller company can design and operate an effective
internal control system. A brief discussion of some of the ways this can be done follows
in the next section.

Effectively Designed Internal Control Systems

1. Oversight by an owner or manager. The in-depth knowledge of business and
accounting operations by an owner or manager, and his/her daily presence and
oversight of company personnel, are key controls in the entity's control
environment. Diligent performance of key controls can also greatly increase the
reliability of the entity's financial reporting process. Since the owner or manager
generally has an equity or compensation interest, the likelihood of management
override of internal controls is diminished.
2. Effective board of governance. Since smaller companies or non-profit
organizations ordinarily have less complex business structures, persons charged
with governance can have a greater knowledge of the entity's activities. This can
enable these persons to more effectively accomplish their governance
responsibilities.
3. Overcoming the lack of segregation of duties. Key controls carried out by
management personnel at the entity or activity level can offset the control risks
from the lack of segregation of duties. The COSO Report suggests these key
controls:
a. Reviewing system reports of detailed transactions.
b. Selecting transactions for review of supporting documents.
c. Overseeing periodic counts of physical inventory, equipment or other
assets and comparing them with accounting records.
d. Reviewing reconciliations of account balances or performing them
independently.
4. Limiting risks associated with the IT system. While using out-of-the-box
software can limit the information available for management's use, many of the
risks associated with mid-tier, user-modifiable systems can be avoided.
Standardized reports and reporting formats, password and processing controls and
other application controls can prevent errors from occurring and going
undetected.
5. Monitoring control activities. Monitoring in small entities is normally the
responsibility of an owner or manager. Performing daily walk-around controls
provides feedback on the effectiveness of accounting, internal control, and
operational systems. In 2009, COSO published its Guidance on Monitoring
Internal Control Systems. This guidance suggests that monitoring for all entities
should be based on these three broad elements:
a. Establishing a foundation for monitoring, including (a) a proper tone at the
top; (b) an effective organization structure that assigns monitoring roles to
people with appropriate capabilities, objectivity and authority; and (c) a
starting point or baseline of known effective internal control from which
ongoing monitoring and separate evaluations can be implemented;
b. Designing and executing monitoring procedures focused on persuasive
information about the operation of key controls that address meaningful
risks to organizational objectives; and
c. Assessing and reporting results, which includes evaluating the severity of
any identified deficiencies and reporting the monitoring results to the
appropriate personnel and the board for timely action and follow-up if
needed.
6. Achieving further efficiencies. The COSO Report identifies other opportunities
to design effective and efficient internal control systems:
a. By focusing on the risks related to management's objectives, a risk-based
approach to designing internal control systems will consider what could
go wrong in the financial reporting process. Using lists of controls that are
tailored to the nature, size and complexity of an entity and the objectives
of its management will facilitate the identification of what could go
wrong.
b. Documentation of internal control policies and procedures will also vary
with the nature, size and complexity of an entity. Smaller entities
normally have informally designed and communicated internal controls.
In other words, there normally are no policies and procedures manuals,
systems flowcharts, organization charts and job descriptions. With fewer
people and levels of management, more frequent contact by an owner or
manager enables communication of the informal policies and procedures.
c. Some documentation of accounting and internal control procedures is
ordinarily necessary to demonstrate transaction processes are occurring
and being recorded properly. Determining that all shipments are billed,
that billings only occur after shipments are made and that bank accounts
are being reconciled are examples of such procedures. Key controls
performed by owners or managers of small entities should include periodic
inspections of records sufficient to determine transactions are being
recorded properly.

INTERNAL CONTROLS AND FRAUD PREVENTION

Much has been written about forensic accounting and fraud. There are three major
categories of fraud that commonly affect entities:

1. Misrepresentations in financial reporting. These include intentional
misstatements of amounts or disclosures in financial statements that are intended
to mislead users of the statements.
2. Misappropriation of assets. Theft of an entity's assets by employees or others is
the most common form of misappropriation. Financial records are usually altered
to conceal a theft of assets.
3. External frauds. Persons outside an entity are normally responsible for external
frauds, although there may be collusion with certain employees. Financial gain is
the normal motivation.

For small entities, misappropriation of assets is the most common type of fraud. The
fraud triangle contains three factors that indicate circumstances that can cause a person
to misappropriate assets and misstate records to conceal the theft:

1. Incentives or pressures to commit fraud. Reasons to commit frauds may
include financial pressures such as a spouse out of work, a divorce or separation
or the failure of a personal business.
2. Opportunities to commit fraud. Ineffective internal controls, the opportunities
and likelihood for management personnel to override internal controls, and
decentralized operations and accounting are examples of circumstances that create
opportunities to commit fraud.
3. Attitudes and rationalizations for committing fraud. Justifying the fraud
because the perpetrator is not paid what he/she is worth or rationalizing that
everyone does it are examples of a fraudster's attitudes.

FRAUD PREVENTION

Designing and operating anti-fraud programs is the responsibility of management and can
result in reductions in opportunities for employees to commit fraud. Human resource
policies such as drug tests, credit checks and background checks for prospective
employees help eliminate candidates with higher tendencies to commit fraud. Key
controls diligently carried out by owners, managers or other authorized individuals are
also primary means of preventing or reducing the occurrence of asset misappropriation.

Fraud detection may occur as key controls are performed. In addition, analytical
procedures performed by comparing operating results among periods or by making
calculations using non-financial data can reveal discrepancies. For example, an auto
parts store discovered a $50,000 fraud perpetrated by a sales clerk when a new software
program identified the number of refund slips issued by each clerk on a periodic basis. In
another case, the CFO of a transportation company compared the miles per gallon of
gasoline on trips for each driver and discovered a driver storing and selling gasoline on
the side. Fraud detection may also occur in anti-fraud programs carried out physically
such as lunch box searches at a small tool manufacturing plant or electronic security
scanners at exits from the plant of a computer components manufacturer.

A Control Deficiencies Worksheet

A control deficiencies worksheet can facilitate documentation of the evaluation of
existing internal controls. It also can be used to identify existing deficiencies and the
design of additional controls to prevent risks from occurring and going undetected. A
control deficiencies worksheet should have at least these column headings:

Internal control deficiency


Design or operating deficiency
Offsetting key controls

Following is an illustrative Internal Control Deficiency Worksheet that contains


hypothetical information from a small entity to illustrate the internal control design
process. Deficiencies identified on this worksheet could have been obtained by
completing an SAICQ or by preparing a flowchart for major transactions cycles.

CPA PRACTICE AIDS, LLC

INTERNAL CONTROL DEFICIENCY WORKSHEET

ENTITY NAME: ____________________________
DATE:_____________________________

CASH:

DESCRIBE CONTROL DEFICIENCY
1. No segregation of duties among office employees, manager, bookkeeper, and clerk.
2. Over counter and mail receipts received by all employees.
3. Over counter sales made by all office employees.
4. Bookkeeper and clerk both post accounts receivable records.
5. Bookkeeper posts general ledger and prepares and delivers deposits to bank.
6. Manager signs payroll and operating checks.

WHAT COULD GO WRONG?
1. All employees have access to cash and receivables records; could steal cash and
post credits to customer or lap customer payments.
2. Bookkeeper could cover theft by manipulating bank reconciliations or writing off
customer balances.
3. Manager has access to software, could write and sign checks to self.

PREVENTIVE CONTROLS
1. Off site owner reviews weekly:
a. Reviews copies of sales invoices
b. Inspects check copies and invoices
c. Reviews payroll journals
d. Reviews customer and vendor activity reports
2. CPA firm designed accounting procedures and owner's key controls
3. CPA firm controls all QuickBooks passwords, accounts for pre-numbered checks and
sales invoices, reviews sales invoices and check support, maintains personal files,
prepares payroll reports, adjusts and closes monthly records.
4. CPA firm prepares monthly financials for owner's review

ACCOUNTS RECEIVABLE:

DESCRIBE CONTROL DEFICIENCY
1. No segregation of duties. All office personnel receive payments in mail and over
counter.
2. Bookkeeper makes deposits and posts accounts receivable records.
3. AR clerk receives cash, posts accounts receivable records and makes deposits.
4. Credit memos not used to support credits to customers' accounts.
5. Yard foreman ships based on sales invoices. All office personnel can initiate sales
invoices.

WHAT COULD GO WRONG?
1. Customer payments could be received and misappropriated.
2. Lapping could occur.
3. Account balances and invoices could be written off without authorization.
4. Unauthorized sales could be made and products shipped without recording.

PREVENTIVE CONTROLS
1. Same as above.

INVENTORY:

DESCRIBE CONTROL DEFICIENCY
1. No documents or records are maintained to control inventory items (precast
concrete blocks).
2. Yard is open during the day while employees are working but often no one is
present in the yard. It is locked at night.
3. Inventories are physically counted only once a year; manager eye-balls quantities
to control production.

WHAT COULD GO WRONG?
1. Employee or customer theft could occur.
2. Sales could be missed because of insufficient quantities on hand.
3. With no item records maintained, quantities of certain items being produced could
be unnecessary

PREVENTIVE CONTROLS
Written instructions are prepared by the foreman for counting inventory. Employees
attend a training meeting on how to count. The manager is present and supervises the
count, including testing employee's counts. The manager places and picks up all count
sheets.

FIXED ASSETS:

DESCRIBE CONTROL DEFICIENCY
1. No detailed sub-ledger maintained.
2. No numerical control of fixed assets is in place.
3. Bookkeeper maintains depreciation schedule.
4. No key controls over accounting or safeguarding fixed assets.

WHAT COULD GO WRONG?
1. Loss or theft of assets.
2. Assets could be purchased and converted to personal use.

PREVENTIVE CONTROLS
See cash section.

ACCOUNTS PAYABLE:

DESCRIBE CONTROL DEFICIENCY
1. Any office employee can order supplies or raw materials.
2. No purchase orders in use. Office manager initials invoice when paid.
3. All payments are initiated by bookkeeper who has access to cash, accounts
receivable and bank reconciliations.
4. No accounts payable sub-ledger is maintained.

WHAT COULD GO WRONG?
1. Converting purchases to personal use.
2. Writing unauthorized checks to fictitious vendors
3. Purchasing excess quantities of raw materials.

PREVENTIVE CONTROLS
See cash section.

REVENUES:

DESCRIBE CONTROL DEFICIENCY
See cash section.

WHAT COULD GO WRONG?
Unrecorded sales.

PREVENTIVE CONTROLS
See cash section.

EXPENSES:

DESCRIBE CONTROL DEFICIENCY
See cash section and accounts payable section.
Payroll--manager hires and fires. No double-checks on payroll computations.

WHAT COULD GO WRONG?
Unauthorized or incorrect payroll and operating expenditures.

PREVENTIVE CONTROLS
See cash section.

OTHER:

CONCLUSION

Important issues to remember that influence the design of internal control systems for
smaller entities include:

Internal control and fraud prevention are the responsibilities of management.
Internal control systems are always relevant to the nature, size and complexity of
an entity.
Key controls designed and operated by owners or managers of small entities are
the primary methods of preventing and detecting errors and fraud.
Internal control procedures should provide reasonable assurance that errors or
fraud will not occur and go undetected.
The benefits of internal control procedures should outweigh their costs.
The design process includes understanding accounting systems and existing
internal controls, identifying what could go wrong and designing cost-beneficial
control activities and anti-fraud programs that are likely to prevent and detect
errors and fraud.

CPA PRACTICE AIDS, LLC


SMALL AUDITS INTERNAL CONTROL QUESTIONNAIRE
FOR MAJOR AUDIT AREAS
CLIENT: _________________________________________________________

ENGAGEMENT DATE: ____________________________________________

USE OF QUESTIONNAIRE

This Questionnaire is designed to be used on small audits to document internal control
and assess control risk. It also is a source for identifying control deficiencies.

Combined with a systems walk-through procedure, internal control flowcharts or memos,
auditors may be able to assess risk of material misstatement at moderate for certain
financial statement classifications.

INSTRUCTIONS

The Questionnaire should be utilized while making inquiries of client personnel
regarding internal control. Internal control documentation time can be minimized by
completing a systems walk-through procedure and preparing flowchart or memorandum
documentation as this Questionnaire is completed.

The Questionnaire contains space for yes, no or N/A responses to key controls and
activity-level controls generally applicable to a small business or organization. Yes
responses indicate that the control procedure has been at least informally designed and
is operating effectively. No responses indicate the control procedure has not been
designed or, if designed, is not operating effectively. N/A responses indicate the
control procedure is not applicable to a client's internal control system. The Personnel
column should be used to identify persons performing the control activities.

Key controls, a part of entity-level controls, should drive the control risk assessment
process. Key controls can mitigate most deficiencies in activity-level controls,
particularly for smaller entities. For a small business or organization, key controls are
normally performed by the owner/manager (O/M), a member of the entity's board of
directors, a volunteer or paid consultant.

If key controls have not been designed, or are not operating effectively, the auditor should
consider the activity-level controls to provide the assessment of control risk for relevant
assertions.

RELEVANT ASSERTIONS

When completing this Questionnaire, the auditor should primarily consider these relevant
assertions:

Financial Statement Classification     Relevant Financial Statement Assertions

Cash                                   Existence/Occurrence; Completeness; Cutoff
Accounts Receivable                    Existence/Occurrence; Valuation; Cutoff
Inventories                            Existence/Occurrence; Valuation; Completeness; Accuracy; Cutoff
Fixed Assets                           Existence; Valuation; Completeness; Rights/Obligations
Accounts Payable                       Completeness; Cutoff
Revenues                               Existence/Occurrence; Valuation; Completeness; Cutoff
Payroll                                Existence/Occurrence; Completeness; Accuracy
Expenses                               Existence/Occurrence; Completeness; Cutoff; Classification

Prepared By: ______________________________________________________
Date Prepared: __________________________________________________________
Reviewed By: __________________________________________________________
Date Reviewed: __________________________________________________________


CONTROL ENVIRONMENT - KEY CONTROLS          PERSONNEL   YES   NO   N/A

1. O/M has high integrity.

2. O/M follows existing internal controls, policies and procedures.

3. O/M is present daily and/or appoints a supervisor in his/her absence.

4. O/M walks around facility frequently each day.

5. O/M observes employee activity and talks with supervisors during walks
around to evaluate department status.

6. Company uses adequate accounting software.

7. Accounting records are maintained on a current basis.

8. Reports generated by accounting software are used by management.

9. Accounting personnel are reasonably qualified for their positions.

Control Risk Evaluation (circle one):

Low   Moderate   High


CASH - KEY CONTROLS          PERSONNEL   YES   NO   N/A

1. O/M receives bank and credit card statements directly either by mail or
electronically.

2. O/M reviews contents of bank and credit card statements and investigates
unusual items.

3. O/M signs vendor checks and payroll checks.

4. O/M reviews vendor invoices, receiving reports and/or purchase orders
when signing checks.

5. O/M reviews documentation of payroll calculations when signing checks.

6. O/M receives or picks up unopened mail or uses a lock box for receipts.

7. O/M opens mail, supervises opening or reads a list of daily cash receipts.

8. O/M prepares deposit or supervises and reviews its preparation.

9. O/M makes or approves all telephone or online bank transfers or payments.

10. O/M reconciles bank statement or approves preparation by another.

11. O/M reads monthly balance sheet and income statement and investigates
unusual items.


CASH - ACTIVITY-LEVEL CONTROLS          PERSONNEL   YES   NO   N/A

1. Mail and cash receipts are recorded as received and deposited intact, daily.

2. Duplicate deposit slips are prepared, matched with bank receipt and retained.

3. Mail and cash receipts are counted by two independent persons other than the
person recording the receipts.

4. Over-the-counter receipts are controlled by a cash register, software or
pre-numbered receipt tickets.

5. All checks are signed by the O/M.

6. Checks are signed only when disbursement is made (not in advance).

7. The check signer compares data on supporting documents to checks.

8. Checks are recorded in the accounting system when prepared.

9. Only pre-numbered checks are used.

10. All journal entries are approved by the O/M.

Control Risk Evaluation (circle one):

Low   Moderate   High


ACCOUNTS RECEIVABLE - KEY CONTROLS          PERSONNEL   YES   NO   N/A

1. The O/M approves all customer requests for credit.

2. The O/M accounts for, and reviews, numerical copies of sales invoices and/or
customer statements.

3. The O/M reviews the sales journal monthly.

4. The O/M reviews an aged trial balance of accounts receivable monthly.

5. The O/M receives customer complaints and resolves disputes.

ACCOUNTS RECEIVABLE - ACTIVITY-LEVEL CONTROLS

1. A sales journal is prepared and balanced.

2. Records of customer payments are retained (remittance advices, duplicate
deposit slips, lock box reports, prelists).

3. Pre-numbered sales invoices and/or shipping reports with shipping date are
prepared.

4. Copies of sales invoices or customers' statements are mailed monthly.

5. Receivables are aged regularly.

Control Risk Evaluation (circle one):

Low   Moderate   High


INVENTORIES - KEY CONTROLS          PERSONNEL   YES   NO   N/A

1. O/M plans and/or supervises the taking of the physical inventory.

2. O/M prices and compiles records of physical count or reviews work of others.

3. O/M determines all owned goods are counted and that obsolete or consigned
goods are excluded from the count.

INVENTORIES - ACTIVITY-LEVEL CONTROLS

1. An annual physical inventory is taken and adequate count records (tags or
sheets) are maintained.

2. Adequate records of inventory pricing and compilation are maintained.

3. The inventory count is taken, checked or supervised by a supervisor.

4. Obsolete and consigned goods are excluded from the count.

Control Risk Evaluation (circle one):

Low   Moderate   High


FIXED ASSETS - KEY CONTROLS          PERSONNEL   YES   NO   N/A

1. Only the O/M can open accounts with vendors and approve the purchase of
equipment, tools or other property.

2. O/M periodically inspects and/or inventories capitalized fixed assets.

3. O/M makes or approves all make, buy, lease, repair decisions.

FIXED ASSETS - ACTIVITY-LEVEL CONTROLS

1. Supporting documents are retained for all purchases of fixed assets.

2. A detailed depreciation schedule is prepared and depreciation is entered in
the records at least annually.

3. A capitalization limit has been set and is used to determine capitalizable items.

Control Risk Evaluation (circle one):

Low   Moderate   High


ACCOUNTS PAYABLE - KEY CONTROLS          PERSONNEL   YES   NO   N/A

1. O/M approves all vendors and accounts with creditors.

2. O/M approves all vendor payments.

3. O/M receives and reviews unpaid vendor invoices and statements monthly.

ACCOUNTS PAYABLE - ACTIVITY-LEVEL CONTROLS

1. Vendor invoices are entered in the purchases journal when received.

2. Vendor invoices and supporting documents are reviewed by the check
signer.

3. Vendor invoices are cancelled when checks are signed.

4. Vendor invoices or receiving reports contain the date goods were received.

5. Unpaid vendor invoices are maintained in a file separate from paid
invoices.

Control Risk Evaluation (circle one):

Low   Moderate   High


SALES/REVENUES - KEY CONTROLS          PERSONNEL   YES   NO   N/A

1. O/M approves all credit sales.

2. O/M reviews copies of all sales invoices and shipping reports.

3. O/M reviews customers' statements before mailing.

4. O/M reviews monthly aged trial balance, calls past due customers and
resolves customer complaints.

SALES/REVENUES - ACTIVITY-LEVEL CONTROLS

1. Sales are recorded in the period made or shipped (considering shipping terms).

2. Pre-numbered sales invoices and shipping reports are prepared.

3. Copies of sales invoices or customer statements are mailed at least monthly.

4. All returns, allowances, discounts and account adjustments are approved by a
supervisor.

Control Risk Evaluation (circle one):

Low   Moderate   High


PAYROLL - KEY CONTROLS          PERSONNEL   YES   NO   N/A

1. O/M approves all hires and fires.

2. O/M authorizes wage rates.

3. Payroll checks are distributed by the O/M.

4. O/M reviews and signs all payroll tax returns and other related documents.

5. O/M responds to all inquiries by state and federal regulatory bodies.

PAYROLL - ACTIVITY-LEVEL CONTROLS

1. Payroll checks are pre-numbered and prepared and recorded with accounting
software, or by a service bureau.

2. W-4s, I-9s and other required payroll documents are maintained.

3. Employees' time records are maintained and used to calculate paychecks.

4. Payroll checks are distributed by department heads or other supervisors.

5. Hires, fires, wage rates, time off are approved by department heads or
supervisors.

Control Risk Evaluation (circle one):

Low   Moderate   High

EXPENSES - KEY CONTROLS          PERSONNEL   YES   NO   N/A

1. O/M reviews and approves all disbursements supporting documents.

2. When signing checks, O/M determines account classifications are proper.

3. O/M investigates any unapproved or unusual disbursements.

4. O/M investigates duplicate payments and inadequate documentation.

EXPENSES - ACTIVITY-LEVEL CONTROLS:

1. A descriptive chart of accounts is used.

2. Checks are prepared only when appropriate supporting documents have
been received.

3. The person recording and summarizing transactions cannot sign checks.

4. The person preparing deposits and posting customer payments cannot sign
checks.

5. Vendor invoices are cancelled by the check signer.

Control Risk Evaluation (circle one):

Low   Moderate   High


EXPLANATION OF NO ANSWERS (POTENTIAL CONTROL DEFICIENCIES):

CASH:

ACCOUNTS RECEIVABLE:

INVENTORIES:

FIXED ASSETS:

ACCOUNTS PAYABLE:

SALES/REVENUE:

PAYROLL:

EXPENSES:

OTHER:

CPA PRACTICE AIDS, LLC
AUDIT FLOWCHARTING GUIDE
USE OF GUIDE

This Guide is designed to facilitate preparation of flowcharts documenting accounting
and internal control systems for use on small audit engagements. The Guide is designed
by major audit area and will facilitate the preparation of flowcharts that will result in
identification of control deficiencies and the assessment of control risk. Control risks
will be combined with inherent risks to assess the level of risk of material misstatements
for relevant assertions. The Guide should be used in connection with the Small Audits
Internal Control Questionnaire for Major Audit Area (SAICQ).

INSTRUCTIONS

Client Inquiries

The SAICQ and the flowcharts resulting from this Guide should be used while making
inquiries of appropriate client personnel. While a flowchart is being prepared, or after it
is prepared if it is more convenient, a systems walk-through procedure should be
performed to determine that information on the flowcharts is accurate. Documents
examined and procedures performed during the walk-through may be recorded on the
flowcharts or described in an accompanying memorandum. Control deficiencies should
be documented in the last section of the SAICQ.

Flowchart and/or Memoranda

Memoranda may be prepared for documenting the accounting and internal control
procedures in lieu of flowcharts at the option of the audit engagement leader. The author
recommends using flowcharts since they are usually more effective for identifying
control deficiencies and they often take less time to carry forward, to discuss with client
personnel and to update. Memoranda may be used to supplement the flowcharts to
enhance explanations of accounting system procedures, internal control activities or other
information as the auditor considers necessary.

Key Controls - the Heart of Error and Fraud Prevention

Key controls, a part of entity-level controls, should drive the control risk assessment
process and should be clearly indicated on the flowcharts. Key controls can mitigate
most deficiencies in activity-level controls, particularly for smaller entities. For a small
business or organization, key controls are normally performed by the owner/manager
(O/M), a member of the entity's board of directors, a volunteer or a paid consultant. Key
controls are presented first in each section of the SAICQ.

Financial Statement Assertions

When control risk is evaluated at the financial statement classification level, the auditor
should primarily consider relevant assertions described in the SAICQ. Flowcharts
should, therefore, focus primarily on controls that affect the relevant assertions in each
financial statement classification. All controls that are operating, however, should be
evidenced on the flowchart to provide an accurate evaluation of control risk.

Flowchart Preparation

Flowcharts may be prepared using manual templates or flowcharting software. The
hardcopies or the electronic copies may be carried forward with changes reflected in
different color pencils or software fonts. All accounting systems software applications,
procedures, documents and data, and all internal controls, should be reflected on the
flowcharts.

CPA FIRM PRACTICE AIDS, LLC
AUDIT FLOWCHARTING GUIDE
INSTRUCTIONS AND QUESTIONS BY MAJOR AUDIT AREA

The instructions and questions below will enhance the preparation of flowcharts and
completion of the SAICQ. Answers to questions should first consider key controls and, if
no key controls are present, activity-level controls should be considered to determine if
misstatements can be prevented and not result in control deficiencies.

CASH

The flowchart should contain documentation of:

All types of cash receipts, such as receipts received by mail, over-the-counter, or
by sales representatives.
Receipts from periodic sales of fixed assets, scrap or other items to employees or
others.
All types of cash disbursements such as disbursements made with and without
purchase orders, made from petty cash or a cash register and made for customer
refunds.
All accounting records, documents, data and procedures.

Consider the entity's key controls and activity-level controls when preparing flowchart
documentation. These questions can facilitate the identification of accounting and internal
control procedures:

Can cash or checks be received and not documented?
Can receipts from over-the-counter sales be misappropriated?
Can miscellaneous receipts be overlooked and not recorded?
Can disbursements be made for routine or non-routine purchase of goods or
services without proper support?
Can petty cash be misappropriated?

ACCOUNTS RECEIVABLE

The flowchart should contain documentation of:

All types of sales on account including customer written orders received by mail,
phone or email, sales orders from sales representatives, C.O.D., consignment, etc.
Different types of customers such as wholesale, retail, distributor, consumer, and
related parties.
All accounting records, documents, data and procedures.

Consider the entity's key controls and activity-level controls when preparing flowchart
documentation. These questions can facilitate the identification of accounting and internal
control procedures:

Can goods be shipped to customers with bad credit?
Can sales be invoiced but not recorded?
Can adjustments to customers' accounts be made without approval?
Could lapping occur and go undetected?
Can past due accounts go undetected?

INVENTORIES AND COSTS OF GOODS SOLD

The flowchart should contain documentation of:

All job, process or retail costing procedures.
All inventory classifications such as raw materials, work-in-process and finished
goods.
Standard costs calculations, applications, adjustments and revisions.
All inventory records, documents, data or procedures.

Consider the entity's key controls and activity-level controls when preparing flowchart
documentation. These questions can facilitate the identification of accounting and internal
control procedures:

Can inventory items be stolen, misappropriated or inaccurately transferred to
work in process or costs of goods sold?
Can inventory be used, damaged or wasted without being recorded?
Can inventory be received and not recorded accurately?

FIXED ASSETS

The flowchart should contain documentation of:

The fixed asset acquisition, disposal and control processes.
All fixed asset records, documents, data or procedures.

Consider the entity's key controls and activity-level controls when preparing flowchart
documentation. These questions can facilitate the identification of accounting and internal
control procedures:

Can fixed assets acquisitions or disposals be made and not approved or recorded?
Are capitalization limits in place?
Do accounting personnel understand when to capitalize additions or repairs to
fixed assets (when the life or capacity is increased)?

ACCOUNTS PAYABLE

The flowchart should contain documentation of:

All types of products, vendors and shipment.
Acquisitions and payments requiring purchase orders.
Payments not requiring purchase orders.
All phases of the purchases/payables transaction such as ordering, product
receiving, invoice recording and payments processing.

Consider the entity's key controls and activity-level controls when preparing flowchart
documentation. These questions can facilitate the identification of accounting and internal
control procedures:

Can unauthorized purchases be made?
Can payables be recorded if goods or services are not received?
Can obligations be incurred and not recorded?
Can payables be recorded in the wrong account?
Do petty cash policies prevent its improper use or misappropriation?

SALES:

The flowchart should contain documentation of:

Different types of shipping terms such as F.O.B. shipping point or destination,
different shipping locations, different types of carriers, drop ships from suppliers,
customer pick up, etc.
Different types of customers such as wholesale, retail, distributor, consumer, and
related parties.
All accounting records, documents, data and procedures.

Consider the entity's key controls and activity-level controls when preparing flowchart
documentation. These questions can facilitate the identification of accounting and internal
control procedures:

Can goods be shipped without invoices being prepared?
Can sales be invoiced but not recorded?
Can sales be made and recorded without inventory being relieved?
Can customer invoice errors be made and go undetected?

PAYROLL

The flowchart should contain documentation of:

Different methods of compensation such as hourly, salaried, commission, piece
work, contract, etc.
Methods of payment such as check or direct deposit.
Hiring decisions, firing actions, payroll documents, cost distribution and all other
records, documents, data and procedures in the payroll accounting and internal
control systems.

Consider the entity's key controls and activity-level controls when preparing flowchart
documentation. These questions can facilitate the identification of accounting and internal
control procedures:

Can fictitious employees be added to the payroll?
Can terminated employees be kept on the payroll and their checks prepared after
their termination?
Are paychecks distributed, or direct deposits made, under the supervision of an
administrative person?
Are time cards, timesheets or electronic records required to support paychecks
preparation?
Can other inadvertent or intentional errors occur?

FINANCIAL REPORTING SYSTEM

The flowchart should contain documentation of:

All modules of the general ledger software, data entry personnel, source
documents and all related accounting system and internal control procedures.
Controls over general journal entries, bank reconciliations and financial statement
preparation.

Consider the entity's key controls and activity-level controls when preparing flowchart
documentation. These questions can facilitate the identification of accounting and internal
control procedures:

Can journal entries or unusual transactions be posted to the general ledger without
approval of a supervisor?
Are there effective administrative controls such as regular vacations, cross-
training, bonding insurance, timely financial statement preparation and budget
utilization?
Is internal control affected by busy or slack periods, illnesses, vacations, etc.?
Is internal control affected by the competence of any employee or group of
employees?
Are appropriate internal checks in place, provided either by software, hardware or
administrative procedures?
Are any assets improperly safeguarded?
