IT Auditing PDF
2011
Summary
This document provides an overview of IT auditing, different types of audits, and the relationship between attest services and advisory services. It explains the structure of an IT audit, internal controls (COSO framework), Sarbanes-Oxley Act, and the link between general controls, application controls, and financial data integrity.
CHAPTER 1 Auditing and Internal Control

LEARNING OBJECTIVES

After studying this chapter, you should:

Know the difference between attest services and advisory services and be able to explain the relationship between the two.
Understand the structure of an audit and have a firm grasp of the conceptual elements of the audit process.
Understand internal control categories presented in the COSO framework.
Be familiar with the key features of Section 302 and 404 of the Sarbanes-Oxley Act.
Understand the relationship between general controls, application controls, and financial data integrity.

Recent developments in information technology (IT) have had a tremendous impact on the field of auditing. IT has inspired the reengineering of traditional business processes to promote more efficient operations and to improve communications within the entity and between the entity and its customers and suppliers. These advances, however, have introduced new risks that require unique internal controls. They have engendered the need for new techniques for evaluating controls and for assuring the security and accuracy of corporate data and the information systems that produce it.

This chapter provides an overview of IT auditing. We begin by describing the various types of audits that organizations commission and distinguish between the auditor’s traditional attestation responsibility and the emerging field of advisory services. We go on to explain the structure of an IT audit: the relationship between management assertions, audit objectives, tests of controls, and substantive tests is explained. The chapter also outlines the key points of the COSO control framework, which defines internal controls in both manual and IT environments. The final section of the chapter examines audit issues and implications related to Sarbanes-Oxley legislation and provides a conceptual framework that links general controls, application controls, and financial data integrity.
This framework is a model for the remainder of the text.

Copyright 2011 Cengage Learning, Inc. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part.

OVERVIEW OF AUDITING

Business organizations undergo different types of audits for different purposes. The most common of these are external (financial) audits, internal audits, and fraud audits. Each of these is briefly outlined in the following sections.

External (Financial) Audits

An external audit is an independent attestation performed by an expert—the auditor—who expresses an opinion regarding the presentation of financial statements. This task, known as the attest service, is performed by Certified Public Accountants (CPA) who work for public accounting firms that are independent of the client organization being audited. The audit objective is always associated with assuring the fair presentation of financial statements. These audits are, therefore, often referred to as financial audits. The Securities and Exchange Commission (SEC) requires all publicly traded companies be subject to a financial audit annually. CPAs conducting such audits represent the interests of outsiders: stockholders, creditors, government agencies, and the general public.

The CPA’s role is similar in concept to a judge who collects and evaluates evidence and renders an opinion. A key concept in this process is independence. The judge must remain independent in his or her deliberations. The judge cannot be an advocate of either party in the trial, but must apply the law impartially based on the evidence presented. Likewise, the independent auditor collects and evaluates evidence and renders an opinion based on the evidence. Throughout the audit process, the auditor must maintain independence from the client organization.
Public confidence in the reliability of the company’s internally produced financial statements rests directly on an evaluation of them by an independent auditor.

The external auditor must follow strict rules in conducting financial audits. These authoritative rules have been defined by the SEC, the Financial Accounting Standards Board (FASB), the AICPA, and by federal law (Sarbanes-Oxley [SOX] Act of 2002). With the passage of SOX, Congress established the Public Company Accounting Oversight Board (PCAOB), which has to a great extent replaced the function served by the FASB, and some of the functions of the AICPA (e.g., setting standards and issuing reprimands and penalties for CPAs who are convicted of certain crimes or guilty of certain infractions). Regardless, under federal law, the SEC has final authority for financial auditing.

Attest Service versus Advisory Services

An important distinction needs to be made regarding the external auditor’s traditional attestation service and the rapidly growing field of advisory services, which many public accounting firms offer. The attest service is defined as:

... an engagement in which a practitioner is engaged to issue, or does issue, a written communication that expresses a conclusion about the reliability of a written assertion that is the responsibility of another party. (SSAE No. 1, AT Sec. 100.01)

The following requirements apply to attestation services:

Attestation services require written assertions and a practitioner’s written report.
Attestation services require the formal establishment of measurement criteria or their description in the presentation.
The levels of service in attestation engagements are limited to examination, review, and application of agreed-upon procedures.
Advisory services are professional services offered by public accounting firms to improve their client organizations’ operational efficiency and effectiveness. The domain of advisory services is intentionally unbounded so that it does not inhibit the growth of future services that are currently unforeseen. As examples, advisory services include actuarial advice, business advice, fraud investigation services, information system design and implementation, and internal control assessments for compliance with SOX.

Prior to the passage of SOX, accounting firms could provide advisory services concurrently to audit (attest function) clients. SOX legislation, however, greatly restricts the types of nonaudit services that auditors may render audit clients. It is now unlawful for a registered public accounting firm that is currently providing attest services for a client to provide the following services:

bookkeeping or other services related to the accounting records or financial statements of the audit client
financial information systems design and implementation
appraisal or valuation services, fairness opinions, or contribution-in-kind reports
actuarial services
internal audit outsourcing services
management functions or human resources
broker or dealer, investment adviser, or investment banking services
legal services and expert services unrelated to the audit
any other service that the board determines, by regulation, is impermissible

The advisory services units of public accounting firms responsible for providing IT control-related client support have different names in different firms, but they all engage in tasks known collectively as IT risk management. These groups often play a dual role within their respective firms; they provide nonaudit clients with IT advisory services and also work with their firm’s financial audit staff to perform IT-related tests of controls as part of the attestation function.
The material outlined in this chapter relates to tasks that risk management professionals normally conduct during an IT audit. In the pages that follow, we examine what constitutes an audit and how audits are structured. Keep in mind, however, that in many cases the purpose of the task, rather than the task itself, defines the service being rendered. For example, a risk management professional may perform a test of IT controls as an advisory service for a nonaudit client who is preparing for a financial audit by a different public accounting firm. The same professional may perform the very same test for an audit client as part of the attest function. Therefore, the issues and procedures described in this text apply to a broader context that includes advisory services and attestation, as well as the internal audit function.

Internal Audits

The Institute of Internal Auditors (IIA) defines internal auditing as an independent appraisal function established within an organization to examine and evaluate its activities as a service to the organization.[1] Internal auditors perform a wide range of activities on behalf of the organization, including conducting financial audits, examining an operation’s compliance with organizational policies, reviewing the organization’s compliance with legal obligations, evaluating operational efficiency, and detecting and pursuing fraud within the firm.

[1] AAA Committee on Basic Auditing Concepts, “A Statement of Basic Auditing Concepts,” Accounting Review, supplement to vol. 47, 1972.

An internal audit is typically conducted by auditors who work for the organization, but this task may be outsourced to other organizations. Internal auditors are often certified as a Certified Internal Auditor (CIA) or a Certified Information Systems Auditor (CISA).
While internal auditors self-impose independence to perform their duties effectively, they represent the interests of the organization. These auditors generally answer to executive management of the organization or the audit committee of the board of directors, if one exists. The standards, guidance, and certification of internal audits are governed mostly by the Institute of Internal Auditors (IIA) and, to a lesser degree, by the Information Systems Audit and Control Association (ISACA).

External versus Internal Auditors

The characteristic that conceptually distinguishes external auditors from internal auditors is their respective constituencies: while external auditors represent outsiders, internal auditors represent the interests of the organization. Nevertheless, in this capacity, internal auditors often cooperate with and assist external auditors in performing aspects of financial audits. This cooperation is done to achieve audit efficiency and reduce audit fees. For example, a team of internal auditors can perform tests of computer controls under the supervision of a single external auditor.

The independence and competence of the internal audit staff determine the extent to which external auditors may cooperate with and rely on work performed by internal auditors. Some internal audit departments report directly to the controller. Under this arrangement, the internal auditor’s independence is compromised, and the external auditor is prohibited by professional standards from relying on evidence provided by the internal auditors. In contrast, external auditors can rely in part on evidence gathered by internal audit departments that are organizationally independent and report to the board of directors’ audit committee (discussed below). A truly independent internal audit staff adds value to the audit process.
For example, internal auditors can gather audit evidence throughout a fiscal period, which external auditors may then use at the year’s end to conduct more efficient, less disruptive, and less costly audits of the organization’s financial statements.

Fraud Audits

In recent years, fraud audits have, unfortunately, increased in popularity as a corporate governance tool. They have been thrust into prominence by a corporate environment in which both employee theft of assets and major financial frauds by management (e.g., Enron, WorldCom, etc.) have become rampant. The objective of a fraud audit is to investigate anomalies and gather evidence of fraud that may lead to criminal conviction. Sometimes fraud audits are initiated by corporate management who suspect employee fraud. Alternatively, boards of directors may hire fraud auditors to look into their own executives if theft of assets or financial fraud is suspected. Organizations victimized by fraud usually contract with specialized fraud units of public accounting firms or with companies that specialize in forensic accounting. Typically, fraud auditors have earned the Certified Fraud Examiner (CFE) certification, which is governed by the Association of Certified Fraud Examiners (ACFE).

THE ROLE OF THE AUDIT COMMITTEE

The board of directors of publicly traded companies forms a subcommittee known as the audit committee, which has special responsibilities regarding audits. This committee usually consists of three people who should be outsiders (not associated with the families of executive management nor former officers, etc.).
With the advent of the Sarbanes-Oxley Act, at least one member of the audit committee must be a “financial expert.” The audit committee serves as an independent “check and balance” for the internal audit function and liaison with external auditors. One of the most significant changes imposed by SOX has been to the relationship between management and the external auditors. Prior to SOX, external auditors were hired and fired by management. Many believe, with some justification, that this relationship erodes auditor independence when disputes over audit practices arise. SOX mandates that external auditors now report to the audit committee who hire and fire auditors and resolve disputes.

To be effective, the audit committee must be willing to challenge the internal auditors (or the entity performing that function) as well as management, when necessary. Part of its role is to look for ways to identify risk. For instance, it might serve as a sounding board for employees who observe suspicious behavior or spot fraudulent activities. In general, it becomes an independent guardian of the entity’s assets by whatever means is appropriate. Corporate frauds often have some bearing on audit committee failures. These include lack of independence of audit committee members, inactive audit committees, total absence of an audit committee, and lack of experienced members on the audit committee.

FINANCIAL AUDIT COMPONENTS

The product of the attestation function is a formal written report that expresses an opinion about the reliability of the assertions contained in the financial statements. The auditor’s report expresses an opinion as to whether the financial statements are in conformity with generally accepted accounting principles (GAAP); external users of financial statements are presumed to rely on the auditor’s opinion about the reliability of financial statements in making decisions.
To do so, users must be able to place their trust in the auditor’s competence, professionalism, integrity, and independence. Auditors are guided in their professional responsibility by the ten generally accepted auditing standards (GAAS) presented in Table 1.1.

Auditing Standards

Auditing standards are divided into three classes: general qualification standards, field work standards, and reporting standards. GAAS establishes a framework for prescribing auditor performance, but it is not sufficiently detailed to provide meaningful guidance in specific circumstances. To provide specific guidance, the American Institute of Certified Public Accountants (AICPA) issues Statements on Auditing Standards (SASs) as authoritative interpretations of GAAS. SASs are often referred to as auditing standards, or GAAS, although they are not the ten generally accepted auditing standards. The first SAS (SAS 1) was issued by the AICPA in 1972. Since then, many SASs have been issued to provide auditors with guidance on a spectrum of topics, including methods of investigating new clients, procedures for collecting information from attorneys regarding contingent liability claims against clients, and techniques for obtaining background information on the client’s industry.

TABLE 1.1 Generally Accepted Auditing Standards

General Standards
1. The auditor must have adequate technical training and proficiency.
2. The auditor must have independence of mental attitude.
3. The auditor must exercise due professional care in the performance of the audit and the preparation of the report.

Standards of Field Work
1. Audit work must be adequately planned.
2. The auditor must gain a sufficient understanding of the internal control structure.
3. The auditor must obtain sufficient, competent evidence.

Reporting Standards
1. The auditor must state in the report whether financial statements were prepared in accordance with generally accepted accounting principles.
2. The report must identify those circumstances in which generally accepted accounting principles were not applied.
3. The report must identify any items that do not have adequate informative disclosures.
4. The report shall contain an expression of the auditor’s opinion on the financial statements as a whole.

Statements on Auditing Standards are regarded as authoritative pronouncements because every member of the profession must follow their recommendations or be able to show why a SAS does not apply in a given situation. The burden of justifying departures from the SASs falls upon the individual auditor.

A Systematic Process

Conducting an audit is a systematic and logical process that applies to all forms of information systems. While important in all audit settings, a systematic approach is particularly important in the IT environment. The lack of physical procedures that can be visually verified and evaluated injects a high degree of complexity into the IT audit (e.g., the audit trail may be purely electronic, in a digital form, and thus invisible to those attempting to verify it). Therefore, a logical framework for conducting an audit in the IT environment is critical to help the auditor identify all-important processes and data files.

Management Assertions and Audit Objectives

The organization’s financial statements reflect a set of management assertions about the financial health of the entity. The task of the auditor is to determine whether the financial statements are fairly presented. To accomplish this goal, the auditor establishes audit objectives, designs procedures, and gathers evidence that corroborate or refute management’s assertions. These assertions fall into five general categories:

1. The existence or occurrence assertion affirms that all assets and equities contained in the balance sheet exist and that all transactions in the income statement actually occurred.
2. The completeness assertion declares that no material assets, equities, or transactions have been omitted from the financial statements.
3. The rights and obligations assertion maintains that assets appearing on the balance sheet are owned by the entity and that the liabilities reported are obligations.
4. The valuation or allocation assertion states that assets and equities are valued in accordance with GAAP and that allocated amounts such as depreciation expense are calculated on a systematic and rational basis.
5. The presentation and disclosure assertion alleges that financial statement items are correctly classified (e.g., long-term liabilities will not mature within one year) and that footnote disclosures are adequate to avoid misleading the users of financial statements.

Generally, auditors develop their audit objectives and design audit procedures based on the preceding assertions. The example in Table 1.2 outlines these procedures. Audit objectives may be classified into two general categories. Those in Table 1.2 relate to transactions and account balances that directly impact financial reporting. The second category pertains to the information system itself. This category includes the audit objectives for assessing controls over manual operations and computer technologies used in transaction processing. In the chapters that follow, we consider both categories of audit objectives and the associated audit procedures.

Obtaining Evidence

Auditors seek evidential matter that corroborates management assertions.
In the IT environment, this process involves gathering evidence relating to the reliability of computer controls as well as the contents of databases that have been processed by computer programs. Evidence is collected by performing tests of controls, which establish whether internal controls are functioning properly, and substantive tests, which determine whether accounting databases fairly reflect the organization’s transactions and account balances.

TABLE 1.2 Audit Objectives and Audit Procedures Based on Management Assertions

Existence or Occurrence
  Audit objective: Inventories listed on the balance sheet exist.
  Audit procedure: Observe the counting of physical inventory.

Completeness
  Audit objective: Accounts payable include all obligations to vendors for the period.
  Audit procedure: Compare receiving reports, supplier invoices, purchase orders, and journal entries for the period and the beginning of the next period.

Rights and Obligations
  Audit objective: Plant and equipment listed in the balance sheet are owned by the entity.
  Audit procedure: Review purchase agreements, insurance policies, and related documents.

Valuation or Allocation
  Audit objective: Accounts receivable are stated at net realizable value.
  Audit procedure: Review entity’s aging of accounts and evaluate the adequacy of the allowance for uncollectible accounts.

Presentation and Disclosure
  Audit objective: Contingencies not reported in financial accounts are properly disclosed in footnotes.
  Audit procedure: Obtain information from entity lawyers about the status of litigation and estimates of potential loss.

Ascertaining Materiality

The auditor must determine whether weaknesses in internal controls and misstatements found in transactions and account balances are material. In all audit environments, assessing materiality is an auditor judgment.
In an IT environment, however, this decision is complicated further by technology and a sophisticated internal control structure.

Communicating Results

Auditors must communicate the results of their tests to interested users. An independent auditor renders a report to the audit committee of the board of directors or stockholders of a company. The audit report contains, among other things, an audit opinion. This opinion is distributed along with the financial report to interested parties both internal and external to the organization. IT auditors often communicate their findings to internal and external auditors, who can then integrate these findings with the non-IT aspects of the audit.

AUDIT RISK

Audit risk is the probability that the auditor will render an unqualified (clean) opinion on financial statements that are, in fact, materially misstated. Material misstatements may be caused by errors or irregularities or both. Errors are unintentional mistakes. Irregularities are intentional misrepresentations associated with the commission of a fraud such as the misappropriation of physical assets or the deception of financial statement users.

Audit Risk Components

The auditor’s objective is to achieve a level of audit risk that is acceptable to the auditor. Acceptable audit risk (AR) is estimated based on the ex ante value of the components of the audit risk model. These are inherent risk, control risk, and detection risk.

Inherent Risk

Inherent risk is associated with the unique characteristics of the business or industry of the client.[2] Firms in declining industries have greater inherent risk than firms in stable or thriving industries. Likewise, industries that have a heavy volume of cash transactions have a higher level of inherent risk than those that do not.
Furthermore, placing a value on inventory when the inventory value is difficult to assess due to its nature is associated with higher inherent risk than in situations where inventory values are more objective. For example, the valuation of diamonds is inherently more risky than assessing the value of automobile tires. Auditors cannot reduce the level of inherent risk. Even in a system protected by excellent controls, financial data and, consequently, financial statements, can be materially misstated.

Control Risk

Control risk is the likelihood that the control structure is flawed because controls are either absent or inadequate to prevent or detect errors in the accounts.[3]

[2] Institute of Internal Auditors, Standards of Professional Practice of Internal Auditing (Orlando, FL: Institute of Internal Auditors, 1978).
[3] Auditing Standards Board, AICPA Professional Standards (New York: AICPA, 1994), AU Sec. 312.20.

To illustrate control risk, consider the following partial customer sales record, which is processed by the sales order system.

Quantity    Unit Price    Total
10 Units    $20           $2,000

Assuming the Quantity and Unit Price fields in the record are correctly presented, the extended amount (Total) value of $2,000 is in error. An accounting information system (AIS) with adequate controls should prevent or detect such an error. If, however, controls are lacking and the value of Total in each record is not validated before processing, then the risk of undetected errors entering the data files increases. Auditors assess the level of control risk by performing tests of internal controls. In the preceding example, the auditor could create test transactions, including some with incorrect Total values, which are processed by the application in a test run.
The results of the test will indicate that price extension errors are not detected and are being incorrectly posted to the accounts receivable file.

Detection Risk

Detection risk is the risk that auditors are willing to take that errors not detected or prevented by the control structure will also not be detected by the auditor. Auditors set an acceptable level of detection risk (planned detection risk) that influences the level of substantive tests that they perform. For example, more substantive testing would be required when the planned detection risk is 10 percent than when it is 20 percent.

Audit Risk Model

Financial auditors use the audit risk components in a model to determine the scope, nature, and timing of substantive tests. The audit risk model is

AR = IR × CR × DR

Assume that acceptable audit risk is assessed at a value of 5 percent, consistent with the 95 percent confidence interval associated with statistics. By illustration, assume IR is assessed at 40 percent, and CR is assessed at 60 percent. What would be the level of planned detection risk (DR) needed to achieve the acceptable audit risk (AR) of 5 percent?

5% = 40% × 60% × DR
DR = .05 / .24
DR = .20

Let’s now reduce the control risk (CR) value to 40 percent and recalculate DR.

5% = 40% × 40% × DR
DR = .31

Notice that to achieve an acceptable level of audit risk in the first example, the auditor must set planned detection risk lower (20 percent) than in the second example (31 percent). This is because the internal control structure in the first example is more risky (60 percent) than it is in the second case (40 percent). To achieve the planned detection of 20 percent in the first example, the auditor will need to perform more substantive tests than in the second example, where the risk is lower. This relationship is explained below.
The Relationship Between Tests of Controls and Substantive Tests

Tests of controls and substantive tests are auditing techniques used for reducing audit risk to an acceptable level. The stronger the internal control structure, as determined through tests of controls, the lower the control risk and the less substantive testing the auditor must do. This relationship is true because the likelihood of errors in the accounting records is reduced when controls are strong. In other words, when controls are in place and effective, the auditor may limit substantive testing. In contrast, the weaker the internal control structure, the greater the control risk and the more substantive testing the auditor must perform to reduce total audit risk. Evidence of weak controls forces the auditor to extend substantive testing to search for misstatements.

In summary, the more reliable the internal controls, the lower the CR probability. That leads to a lower DR, which will lead to fewer substantive tests being required. Because substantive tests are labor intensive and time-consuming, they drive up audit costs and exacerbate the disruptive effects of an audit. Thus, management’s best interests are served by having a strong internal control structure.

THE IT AUDIT

The public expression of the auditor’s opinion is the culmination of a systematic financial audit process that involves three conceptual phases: audit planning, tests of controls, and substantive testing. Figure 1.1 illustrates the steps involved in these phases. An IT audit focuses on the computer-based aspects of an organization’s information system; and modern systems employ significant levels of technology. For example, transaction processing is automated and performed in large part by computer programs. Similarly source documents, journals, and ledgers that traditionally were paper-based are now digitized and stored in relational databases.
As we will see later, the controls over these processes and databases become central issues in the financial audit process.

The Structure of an IT Audit

FIGURE 1.1 Phases of an IT Audit
Audit Planning Phase: review organization’s policies, practices, and structure; review general controls and application controls; plan tests of controls and substantive testing procedures.
Tests of Controls Phase: perform tests of controls; evaluate test results; determine degree of reliance on controls.
Substantive Testing Phase: perform substantive tests; evaluate results and issue auditor’s report; audit report.

Audit Planning

The first step in the IT audit is audit planning. Before the auditor can determine the nature and extent of the tests to perform, he or she must gain a thorough understanding of the client’s business. A major part of this phase of the audit is the analysis of audit risk. The auditor’s objective is to obtain sufficient information about the firm to plan the other phases of the audit. The risk analysis incorporates an overview of the organization’s internal controls. During the review of controls, the auditor attempts to understand the organization’s policies, practices, and structure. In this phase of the audit, the auditor also identifies the financially significant applications and attempts to understand the controls over the primary transactions that are processed by these applications. The techniques for gathering evidence at this phase include conducting questionnaires, interviewing management, reviewing systems documentation, and observing activities. During this process, the IT auditor must identify the principal exposures and the controls that attempt to reduce these exposures.
Having done so, the auditor proceeds to the next phase, where he or she tests the controls for compliance with preestablished standards.

Tests of Controls

The objective of the tests of controls phase is to determine whether adequate internal controls are in place and functioning properly. To accomplish this, the auditor performs various tests of controls. The evidence-gathering techniques used in this phase may include both manual techniques and specialized computer audit techniques. We shall examine several such methods later in this text.

At the conclusion of the tests-of-controls phase, the auditor must assess the quality of the internal controls by assigning a level for control risk. As previously explained, the degree of reliance that the auditor can ascribe to internal controls will affect the nature and extent of substantive testing that needs to be performed.

Substantive Testing

The third phase of the audit process focuses on financial data. This phase involves a detailed investigation of specific account balances and transactions through what are called substantive tests. For example, a customer confirmation is a substantive test sometimes used to verify account balances. The auditor selects a sample of accounts receivable balances and traces these back to their source—the customers—to determine whether the amount stated is in fact owed by a bona fide customer. By so doing, the auditor can verify the accuracy of each account in the sample. Based on such sample findings, the auditor is able to draw conclusions about the fair value of the entire accounts receivable asset. Some substantive tests are physical, labor-intensive activities, such as counting cash, counting inventories in the warehouse, and verifying the existence of stock certificates in a safe.
In an IT environment, the data needed to perform substantive tests (such as account balances and names and addresses of individual customers) are contained in data files that often must be extracted using Computer-Assisted Audit Tools and Techniques (CAATTs) software. In a later chapter of this text, we will examine the role of CAATTs in performing traditional substantive tests and other data analysis and reporting tasks.

INTERNAL CONTROL

Organization management is required by law to establish and maintain an adequate system of internal control. Consider the following Securities and Exchange Commission statement on this matter:

The establishment and maintenance of a system of internal control is an important management obligation. A fundamental aspect of management’s stewardship responsibility is to provide shareholders with reasonable assurance that the business is adequately controlled. Additionally, management has a responsibility to furnish shareholders and potential investors with reliable financial information on a timely basis.4

Brief History of Internal Control Legislation

Since much of the internal control system relates directly to transaction processing, accountants are key participants in ensuring control adequacy. This section begins with a brief history of internal controls and then provides a conceptual overview of internal control. Lastly, it presents the COSO control framework.

SEC Acts of 1933 and 1934

Following the stock market crash of 1929, and a worldwide financial fraud by Ivar Kreuger, the U.S. legislature passed two acts to restore confidence in the capital market.
The first was the Securities Act of 1933, which had two main objectives: (1) require that investors receive financial and other significant information concerning securities being offered for public sale; and (2) prohibit deceit, misrepresentations, and other fraud in the sale of securities. The second act, the Securities Exchange Act of 1934, created the Securities and Exchange Commission (SEC) and empowered it with broad authority over all aspects of the securities industry, which included authority regarding auditing standards. The SEC acts also required publicly traded companies to be audited by an independent auditor (i.e., a CPA). They also required all companies that report to the SEC to maintain a system of internal control that is evaluated as part of the annual external audit. That portion of the Act has been enforced only on rare occasions. That leniency changed with the passage of the Sarbanes-Oxley Act in July 2002, discussed later.

Copyright Law–1976

This law, which has had multiple revisions, added software and other intellectual properties to the existing copyright protection laws. It is of concern to IT auditors because management is held personally liable for violations (e.g., software piracy) if “raided” by the software police (a U.S. marshal accompanied by software vendors’ association representatives) and sufficient evidence of impropriety is found.

Foreign Corrupt Practices Act (FCPA) of 1977

Corporate management has not always lived up to its internal control responsibility. With the discovery that U.S. business executives were using their organizations’ funds to bribe foreign officials, internal control issues, formerly of little interest to stockholders, quickly became a matter of public concern. From this issue came the passage of the Foreign Corrupt Practices Act of 1977 (FCPA). Among its provisions, the FCPA requires companies registered with the SEC to do the following:

1. Keep records that fairly and reasonably reflect the transactions of the firm and its financial position.
2. Maintain a system of internal control that provides reasonable assurance that the organization’s objectives are met.

The FCPA has had a significant impact on organization management. With the knowledge that violation of the FCPA could lead to heavy fines and imprisonment, managers have developed a deeper concern for control adequacy.

4 Ibid.

Committee of Sponsoring Organizations–1992

Following the series of S&L scandals of the 1980s, a committee was formed to address these frauds. Originally, the committee took the name of its chair, Treadway, but eventually the project became known as COSO (Committee of Sponsoring Organizations). The sponsoring organizations included Financial Executives International (FEI), the Institute of Management Accountants (IMA), the American Accounting Association (AAA), the AICPA, and the IIA. The Committee spent several years promulgating a response. Because it was determined early on that the best deterrent to fraud was strong internal controls, the committee decided to focus on an effective model for internal controls from a management perspective. The result was the COSO Model. The AICPA adopted the model into auditing standards and published SAS No. 78—Consideration of Internal Control in a Financial Statement Audit.

Sarbanes-Oxley Act of 2002

As a result of several large financial frauds (e.g., Enron, WorldCom, Adelphia) and the resulting losses suffered by stockholders, pressure was brought by the U.S. Congress to protect the public from such events. This led to the passage of the Sarbanes-Oxley Act (SOX) on July 30, 2002.
In general, the law supports efforts to increase public confidence in capital markets by seeking to improve corporate governance, internal controls, and audit quality.

In particular, SOX requires management of public companies to implement an adequate system of internal controls over their financial reporting process. This includes controls over transaction processing systems that feed data to the financial reporting systems. Management’s responsibilities for this are codified in Sections 302 and 404 of SOX. Section 302 requires that corporate management (including the CEO) certify their organization’s internal controls on a quarterly and annual basis. Section 302 also carries significant auditor implications. Specifically, external auditors must perform the following procedures quarterly to identify any material modifications in controls that may impact financial reporting:

• Interview management regarding any significant changes in the design or operation of internal control that occurred subsequent to the preceding annual audit or prior review of interim financial information.
• Evaluate the implications of misstatements identified by the auditor as part of the interim review that relate to effective internal controls.
• Determine whether changes in internal controls are likely to materially affect internal control over financial reporting.

In addition, Section 404 requires the management of public companies to assess the effectiveness of their organization’s internal controls. This entails providing an annual report addressing the following points:

1. Understand the flow of transactions, including IT aspects, in sufficient detail to identify points at which a misstatement could arise.
2. Using a risk-based approach, assess both the design and operating effectiveness of selected internal controls related to material accounts.5
3. Assess the potential for fraud in the system and evaluate the controls designed to prevent or detect fraud.
4. Evaluate and conclude on the adequacy of controls over the financial statement reporting process.
5. Evaluate entity-wide (general) controls that correspond to the components of the COSO framework.

5 Securities and Exchange Commission, Securities Release 34-13185 (19 January 1977).

Regarding the control framework, the SEC has made specific reference to COSO as a recommended model. Furthermore, PCAOB Auditing Standard No. 5 endorses the use of COSO as the framework for control assessment. Although other suitable frameworks have been published, any framework used should encompass all of COSO’s general themes.6 The key elements of the COSO framework are presented in a later section.

INTERNAL CONTROL OBJECTIVES, PRINCIPLES, AND MODELS

An organization’s internal control system comprises policies, practices, and procedures to achieve four broad objectives:

1. To safeguard assets of the firm.
2. To ensure the accuracy and reliability of accounting records and information.
3. To promote efficiency in the firm’s operations.
4. To measure compliance with management’s prescribed policies and procedures.7

Modifying Principles

Inherent in these control objectives are four modifying principles that guide designers and auditors of internal control systems.8

Management Responsibility

This concept holds that the establishment and maintenance of a system of internal control is a management responsibility. Although the FCPA supports this principle, SOX legislation makes it law!

Methods of Data Processing

The internal control system should achieve the four broad objectives regardless of the data processing method used (whether manual or computer based). However, the specific techniques used to achieve these objectives will vary with different types of technology.
Limitations

Every system of internal control has limitations on its effectiveness. These include (1) the possibility of error—no system is perfect, (2) circumvention—personnel may circumvent the system through collusion or other means, (3) management override—management is in a position to override control procedures by personally distorting transactions or by directing a subordinate to do so, and (4) changing conditions—conditions may change over time so that existing effective controls may become ineffectual.

6 A popular competing control framework is Control Objectives for Information and related Technology (COBIT®), published by the IT Governance Institute (ITGI). This framework maps into COSO’s general themes.
7 American Institute of Certified Public Accountants, AICPA Professional Standards, vol. 1 (New York: AICPA, 1987), AU Sec. 320.30–35.
8 American Institute of Certified Public Accountants, Committee on Auditing Procedure, Internal Control—Elements of a Coordinated System and Its Importance to Management and the Independent Public Accountant, Statement on Auditing Standards No. 1, Sec. 320 (New York: AICPA, 1973).

Reasonable Assurance

The internal control system should provide reasonable assurance that the four broad objectives of internal control are met. This reasonableness means that the cost of achieving improved control should not outweigh its benefits.

To illustrate the limitations and reasonable-assurance principles, Figure 1.2 portrays the internal control system as a shield that protects the firm’s assets from numerous undesirable events that bombard the organization.
These include attempts at unauthorized access to the firm’s assets (including information); fraud perpetrated by persons both in and outside the firm; errors due to employee incompetence, faulty computer programs, and corrupted input data; and mischievous acts, such as unauthorized access by computer hackers and threats from computer viruses that destroy programs and databases.

FIGURE 1.2 Internal Control Shield. [Diagram; text recovered from the figure.] Undesirable Events (Access, Fraud, Errors, Mischief) strike the INTERNAL CONTROL shield that protects the firm’s Assets; gaps in the shield create Exposure.

The absence of, or weaknesses in, controls are illustrated in Figure 1.2 as holes in the control shield. Some weaknesses are immaterial and tolerable. Under the principle of reasonable assurance, these control weaknesses may not be worth fixing. Material weaknesses in controls, however, increase the firm’s risk of financial loss or injury from the undesirable events. The cost of correcting these weaknesses is offset by the benefits derived.

The PDC Model

Figure 1.3 illustrates that the internal control shield represented in Figure 1.2 actually consists of three levels of control: preventive controls, detective controls, and corrective controls. This is called the PDC control model.

Preventive Controls

Prevention is the first line of defense in the control structure. Preventive controls are passive techniques designed to reduce the frequency of occurrence of undesirable events. Preventive controls force compliance with prescribed or desired actions and thus screen out aberrant events. When designing internal control systems, an ounce of prevention is most certainly worth a pound of cure. Preventing errors and fraud is far more cost-effective than detecting and correcting problems after they occur. The vast majority of undesirable events can be blocked at this first level.
For example, a well-designed data entry screen is a preventive control. The logical layout of the screen into zones that permit only specific types of data, such as customer name, address, items sold, and quantity, forces the data entry clerk to enter the required data and prevents necessary data from being omitted.

FIGURE 1.3 Preventive, Detective, and Corrective Controls. [Diagram; text recovered from the figure.] Undesirable Events pass through three Levels of Control: Preventive, then Detective, then Corrective.

Detective Controls

Detection of problems is the second line of defense. Detective controls are devices, techniques, and procedures designed to identify and expose undesirable events that elude preventive controls. Detective controls reveal specific types of errors by comparing actual occurrences to preestablished standards. When the detective control identifies a departure from standard, it sounds an alarm to attract attention to the problem. For example, assume that because of a data entry error, a customer sales order record contains the following data:

Quantity    Unit Price    Total
10          $10           $1,000

Before processing this transaction and posting to the accounts, a detective control should recalculate the total value using the price and quantity. Thus, the error above would be detected.

Corrective Controls

Corrective actions must be taken to reverse the effects of detected errors. There is an important distinction between detective controls and corrective controls. Detective controls identify undesirable events and draw attention to the problem; corrective controls actually fix the problem. For any detected error, there may be more than one feasible corrective action, but the best course of action may not always be obvious.
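The detective control just described (recalculating the total from quantity and unit price before posting), written out as an added example that is not from the textbook. The sales order records, order ids and field names are constructed; the control only reports departures, and candidate_corrections() shows why the fix cannot be chosen automatically.

```python
"""Detective control over sales order records, with correction kept as a separate step.

Added example (not from the textbook): the constructed records below include the
customer sales order from the text (quantity 10, unit price $10, total $1,000).
The control recalculates quantity * unit price, compares it with the recorded
total, and reports departures as exceptions before posting. It deliberately
changes nothing, because the mismatch alone does not reveal which field is wrong;
candidate_corrections() lists the alternative single-field fixes that would make
a record internally consistent.
"""
from dataclasses import dataclass
from decimal import Decimal

CENTS = Decimal("0.01")


@dataclass(frozen=True)
class SalesOrder:
    order_id: str
    quantity: int
    unit_price: Decimal
    total: Decimal


@dataclass(frozen=True)
class ControlException:
    """One departure from the preestablished standard total == quantity * unit_price."""
    order_id: str
    recorded_total: Decimal
    recalculated_total: Decimal


def recalculated_total(order: SalesOrder) -> Decimal:
    """The standard the detective control compares each record against."""
    return (order.unit_price * order.quantity).quantize(CENTS)


def detect_total_mismatches(orders: list[SalesOrder]) -> list[ControlException]:
    """Detective control: flag every record whose stored total departs from the recalculation."""
    return [
        ControlException(o.order_id, o.total, recalculated_total(o))
        for o in orders
        if o.total.quantize(CENTS) != recalculated_total(o)
    ]


def screen_for_posting(orders: list[SalesOrder]):
    """Run the detective control before posting and return (accepted, exceptions).

    Accepted records may be posted to the accounts; exceptions go to an exception
    report for investigation and are not altered here.
    """
    exceptions = detect_total_mismatches(orders)
    flagged = {e.order_id for e in exceptions}
    accepted = [o for o in orders if o.order_id not in flagged]
    return accepted, exceptions


def candidate_corrections(order: SalesOrder):
    """Feasible single-field corrections for a flagged record.

    Each candidate assumes the other two fields are right. More than one
    candidate means the correct corrective action cannot be picked automatically.
    """
    candidates = [("total", recalculated_total(order))]
    if order.unit_price > 0:
        qty = order.total / order.unit_price
        if qty > 0 and qty == qty.to_integral_value():
            candidates.append(("quantity", int(qty)))
    if order.quantity > 0:
        price = order.total / order.quantity
        if price > 0 and price == price.quantize(CENTS):
            candidates.append(("unit_price", price.quantize(CENTS)))
    return candidates


# Constructed sample batch. SO-1001 is the textbook's keyed error; SO-1004 is a
# second constructed mismatch with a different set of feasible corrections.
SAMPLE_ORDERS = [
    SalesOrder("SO-1001", 10, Decimal("10.00"), Decimal("1000.00")),
    SalesOrder("SO-1002", 3, Decimal("19.99"), Decimal("59.97")),
    SalesOrder("SO-1003", 7, Decimal("2.50"), Decimal("17.50")),
    SalesOrder("SO-1004", 4, Decimal("12.00"), Decimal("50.00")),
]


if __name__ == "__main__":
    accepted, exceptions = screen_for_posting(SAMPLE_ORDERS)
    print(f"accepted for posting: {[o.order_id for o in accepted]}")
    for exc in exceptions:
        print(f"EXCEPTION {exc.order_id}: recorded {exc.recorded_total}, "
              f"recalculated {exc.recalculated_total}")
        order = next(o for o in SAMPLE_ORDERS if o.order_id == exc.order_id)
        for field, value in candidate_corrections(order):
            print(f"  feasible correction: set {field} = {value}")
```

For the textbook's record the control yields three feasible corrections (total 100.00, quantity 100, or unit price 100.00), which is exactly why the text treats correction as a separate, cautious step.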
For example, in viewing the preceding error, your first inclination may have been to change the total value from $1,000 to $100 to correct the problem. This presumes that the quantity and price values in the record are correct; they may not be. At this point, we cannot determine the real cause of the problem; we know only that one exists.

Linking a corrective action to a detected error, as an automatic response, may result in an incorrect action that causes a worse problem than the original error. For this reason, error correction should be viewed as a separate control step that should be taken cautiously.

The PDC control model is conceptually pleasing but offers little practical guidance for designing or auditing specific controls. The current authoritative document for specifying internal control objectives and techniques is Statement on Auditing Standards No. 109, which is based on the COSO framework. SAS 109 describes the complex relationship between the firm’s internal controls, the auditor’s assessment of risk, and the planning of audit procedures. SAS 109 provides guidance to auditors in their application of the COSO framework when assessing the risk of material misstatement. We now discuss the key elements of this framework.

COSO Internal Control Framework

The COSO framework consists of five components: the control environment, risk assessment, information and communication, monitoring, and control activities.

The Control Environment

The control environment is the foundation for the other four control components. The control environment sets the tone for the organization and influences the control awareness of its management and employees. Important elements of the control environment are:

• The integrity and ethical values of management.
• The structure of the organization.
• The participation of the organization’s board of directors and the audit committee, if one exists.
• Management’s philosophy and operating style.
• The procedures for delegating responsibility and authority.
• Management’s methods for assessing performance.
• External influences, such as examinations by regulatory agencies.
• The organization’s policies and practices for managing its human resources.

SAS 109 requires that auditors obtain sufficient knowledge to assess the attitude and awareness of the organization’s management, board of directors, and owners regarding internal control. The following paragraphs provide examples of techniques that may be used to obtain an understanding of the control environment.

1. Auditors should assess the integrity of the organization’s management and may use investigative agencies to report on the backgrounds of key managers. Some of the “Big Four” public accounting firms employ former FBI agents whose primary responsibility is to perform background checks on existing and prospective clients. If cause for serious reservations comes to light about the integrity of the client, the auditor should withdraw from the audit. The reputation and integrity of the company’s managers are critical factors in determining the auditability of the organization. Auditors cannot function properly in an environment in which client management is deemed unethical and corrupt.

2. Auditors should be aware of conditions that would predispose the management of an organization to commit fraud. Some of the obvious conditions may be lack of sufficient working capital, adverse industry conditions, bad credit ratings, and the existence of extremely restrictive conditions in bank or indenture agreements. If auditors encounter any such conditions, their examination should give due consideration to the possibility of fraudulent financial reporting.
Appropriate measures should be taken, and every attempt should be made to uncover any fraud.

3. Auditors should understand a client’s business and industry and should be aware of conditions peculiar to the industry that may affect the audit. Auditors should read industry-related literature and familiarize themselves with the risks that are inherent in the business.

4. The board of directors should adopt, as a minimum, the provisions of SOX. In addition, the following guidelines represent established best practices.

Separate CEO and chairman. The roles of CEO and board chairman should be separate. Executive sessions give directors the opportunity to discuss issues without management present, and an independent chairman is important in facilitating such discussions.

Set ethical standards. The board of directors should establish a code of ethical standards from which management and staff will take direction. At a minimum, a code of ethics should address such issues as outside employment conflicts, acceptance of gifts that could be construed as bribery, falsification of financial and/or performance data, conflicts of interest, political contributions, confidentiality of company and customer data, honesty in dealing with internal and external auditors, and membership on external boards of directors.

Establish an independent audit committee. The audit committee is responsible for selecting and engaging an independent auditor, ensuring that an annual audit is conducted, reviewing the audit report, and ensuring that deficiencies are addressed. Large organizations with complex accounting practices may need to create audit subcommittees that specialize in specific activities.

Compensation committees. The compensation committee should not be a rubber stamp for management.
Excessive use of short-term stock options to compensate directors and executives may result in decisions that influence stock prices at the expense of the firm’s long-term health. Compensation schemes should be carefully evaluated to ensure that they create the desired incentives.

Nominating committees. The board nominations committee should have a plan to maintain a fully staffed board of directors with capable people as it moves forward for the next several years. The committee must recognize the need for independent directors and have criteria for determining independence. For example, under its newly implemented governance standards, General Electric (GE) considers directors independent if the sales to, and purchases from, GE total less than 1 percent of the revenue of the companies for which they serve as executives. Similar standards apply to charitable contributions from GE to any organization on which a GE director serves as officer or director. In addition, the company has set a goal that two-thirds of the board will be independent nonemployees.9

Access to outside professionals. All committees of the board should have access to attorneys and consultants other than the corporation’s normal counsel and consultants. Under the provisions of SOX, the audit committee of an SEC reporting company is entitled to such representation independently.

Risk Assessment

Organizations must perform a risk assessment to identify, analyze, and manage risks relevant to financial reporting. Risks can arise or change from circumstances such as:

• Changes in the operating environment that impose new or changed competitive pressures on the firm.
• New personnel who have a different or inadequate understanding of internal control.
• New or reengineered information systems that affect transaction processing.
• Significant and rapid growth that strains existing internal controls.
• The implementation of new technology into the production process or information system that impacts transaction processing.
• The introduction of new product lines or activities with which the organization has little experience.
• Organizational restructuring resulting in the reduction and/or reallocation of personnel such that business operations and transaction processing are affected.
• Entering into foreign markets that may impact operations (that is, the risks associated with foreign currency transactions).
• Adoption of a new accounting principle that impacts the preparation of financial statements.

SAS 109 requires that auditors obtain sufficient knowledge of the organization’s risk assessment procedures to understand how management identifies, prioritizes, and manages the risks related to financial reporting.

9 Rachel E. Silverman, “GE Makes Changes in Board Policy,” The Wall Street Journal (New York: November 8, 2002).

Information and Communication

The accounting information system consists of the records and methods used to initiate, identify, analyze, classify, and record the organization’s transactions and to account for the related assets and liabilities. The quality of information that the accounting information system generates impacts management’s ability to take actions and make decisions in connection with the organization’s operations and to prepare reliable financial statements. An effective accounting information system will:

• Identify and record all valid financial transactions.
• Provide timely information about transactions in sufficient detail to permit proper classification and financial reporting.
• Accurately measure the financial value of transactions so their effects can be recorded in financial statements.
• Accurately record transactions in the time period in which they occurred.

SAS 109 requires that auditors obtain sufficient knowledge of the organization’s information system to understand:

• The classes of transactions that are material to the financial statements and how those transactions are initiated.
• The accounting records and accounts that are used in the processing of material transactions.
• The transaction processing steps involved from the initiation of a transaction to its inclusion in the financial statements.
• The financial reporting process used to prepare financial statements, disclosures, and accounting estimates.

Monitoring

Management must determine that internal controls are functioning as intended. Monitoring is the process by which the quality of internal control design and operation can be assessed. This may be accomplished by separate procedures or by ongoing activities.

An organization’s internal auditors may monitor the entity’s activities in separate procedures. They gather evidence of control adequacy by testing controls and then communicate control strengths and weaknesses to management. As part of this process, internal auditors make specific recommendations for improvements to controls.

Ongoing monitoring may be achieved by integrating special computer modules into the information system that capture key data and/or permit tests of controls to be conducted as part of routine operations. Embedded modules thus allow management and auditors to maintain constant surveillance over the functioning of internal controls. In Chapter 7, we examine a number of embedded module techniques and related audit tools.

Another technique for achieving ongoing monitoring is the judicious use of management reports. Timely reports allow managers in functional areas such as sales, purchasing, production, and cash disbursements to oversee and control their operations.
By summarizing activities, highlighting trends, and identifying exceptions from normal performance, well-designed management reports provide evidence of internal control function or malfunction.

Control Activities

Control activities are the policies and procedures used to ensure that appropriate actions are taken to deal with the organization’s identified risks. Control activities can be grouped into two distinct categories: physical controls and information technology (IT) controls. Figure 1.4 illustrates control activities in their respective categories.

FIGURE 1.4 Categories of Control Activities. [Diagram; text recovered from the figure.] CONTROL ACTIVITIES divide into IT controls (General Controls, Application Controls) and PHYSICAL controls (Transaction Authorization, Segregation of Duties, Supervision, Accounting Records, Access Control, Independent Verification).

Physical Controls

This class of controls relates primarily to the human activities employed in accounting systems. These activities may be purely manual, such as the physical custody of assets, or they may involve the physical use of computers to record transactions or update accounts. Physical controls do not relate to the computer logic that actually performs accounting tasks. Rather, they relate to the human activities that trigger and utilize the results of those tasks. In other words, physical controls focus on people, but are not restricted to an environment in which clerks update paper accounts with pen and ink. Virtually all systems, regardless of their sophistication, employ human activities that need to be controlled.

Our discussion will address the issues pertaining to six categories of physical control activities: transaction authorization, segregation of duties, supervision, accounting records, access control, and independent verification.

Transaction Authorization.
The purpose of transaction authorization is to ensure that all material transactions processed by the information system are valid and in accordance with management’s objectives. Authorizations may be general or specific. General authority is granted to operations personnel to perform day-to-day activities. An example of general authorization is the procedure to authorize the purchase of inventories from a designated vendor only when inventory levels fall to their predetermined reorder points. This is called a programmed procedure (not necessarily in the computer sense of the word) in which the decision rules are specified in advance, and no additional approvals are required. On the other hand, specific authorizations deal with case-by-case decisions associated with nonroutine transactions. An example of this is the decision to extend a particular customer’s credit limit beyond the normal amount. Specific authority is usually a management responsibility.

FIGURE 1.5 Segregation of Duties Objectives. [Diagram; text recovered from the figure.] Control Objective 1: separate transaction Authorization from Processing. Control Objective 2: separate Authorization, Custody, and Recording. Control Objective 3: maintain Journals, Subsidiary Ledgers, and the General Ledger separately.

Segregation of Duties. One of the most important control activities is the segregation of employee duties to minimize incompatible functions. Segregation of duties can take many forms, depending on the specific duties to be controlled. However, the following three objectives provide general guidelines applicable to most organizations. These objectives are illustrated in Figure 1.5.

Objective 1. The segregation of duties should be such that the authorization for a transaction is separate from the processing of the transaction.
For example, the pur- chasing department should not initiate purchases until the inventory control depart- ment gives authorization. This separation of tasks is a control to prevent individuals from purchasing unnecessary inventory. Objective 2. Responsibility for asset custody should be separate from the record- keeping responsibility. For example, the department that has physical custody of finished goods inventory (the warehouse) should not keep the official inventory records. Accounting for finished goods inventory is performed by inventory control, an accounting function. When a single individual or department has responsibility for both asset custody and record keeping, the potential for fraud exists. Assets can be stolen or lost and the accounting records falsified to hide the event. Objective 3. The organization should be structured so that a successful fraud requires collusion between two or more individuals with incompatible responsibili- ties. For example, no individual should have sufficient access to accounting records to perpetrate a fraud. Thus, journals, subsidiary ledgers, and the general ledger are maintained separately. For most people, the thought of approaching another employee with the proposal to collude in a fraud presents an insurmountable psycho- logical barrier. The fear of rejection and subsequent disciplinary action discourages solicitations of this sort. However, when employees with incompatible responsibili- ties work together daily in close quarters, the resulting familiarity tends to erode this barrier. For this reason, the segregation of incompatible tasks should be physi- cal as well as organizational. Indeed, concern about personal familiarity on the job is the justification for establishing rules prohibiting nepotism. Supervision. Implementing adequate segregation of duties requires that a firm em- ploy a sufficiently large number of employees. Achieving adequate segregation of duties Copyright 2011 Cengage Learning, Inc. 
All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Internal Control Objectives, Principles, and Models 23 often presents difficulties for small organizations. Obviously, it is impossible to separate five incompatible tasks among three employees. Therefore, in small organizations or in functional areas that lack sufficient personnel, management must compensate for the ab- sence of segregation controls with close supervision. For this reason, supervision is often called a compensating control. An underlying assumption of supervision control is that the firm employs compe- tent and trustworthy personnel. Obviously, no company could function for long on the alternative assumption that its employees are incompetent and dishonest. The competent and trustworthy employee assumption promotes supervisory efficiency. Firms can thus establish a managerial span of control whereby a sin
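The three segregation-of-duties objectives and the compensating-control case for small staffs, turned into the kind of access-review check an IT auditor would run over a duty roster. This is an added example, not code from the textbook; the duty labels, employee names and the rule that a supervisor must hold neither conflicting duty are assumptions made for the illustration.

```python
"""Segregation-of-duties (SoD) review over a constructed duty roster."""
from itertools import combinations

# Incompatible duty pairs encoding Objectives 1 and 2 of Figure 1.5.
# Duty names are constructed labels for this example.
INCOMPATIBLE = {
    frozenset({"authorize", "process"}):
        "Objective 1: authorization separate from processing",
    frozenset({"custody", "record"}):
        "Objective 2: asset custody separate from record keeping",
}
# Objective 3: journals, subsidiary ledgers and the general ledger are
# maintained separately, so every pair of those records is incompatible.
for pair in combinations(("journals", "subsidiary_ledger", "general_ledger"), 2):
    INCOMPATIBLE[frozenset(pair)] = "Objective 3: accounting records maintained separately"


def sod_conflicts(assignments):
    """Return sorted (employee, duty_a, duty_b, objective) for every violation.

    assignments maps each employee to the set of duties they hold.
    """
    findings = []
    for employee, duties in assignments.items():
        for pair, objective in INCOMPATIBLE.items():
            if pair <= duties:            # employee holds both halves of a pair
                a, b = sorted(pair)
                findings.append((employee, a, b, objective))
    return sorted(findings)


def classify(assignments, supervisors):
    """Label each conflict as mitigated by close supervision (a compensating
    control) or as an open finding. supervisors maps employee -> supervisor;
    the supervisor is only independent if they hold neither conflicting duty."""
    result = []
    for employee, a, b, objective in sod_conflicts(assignments):
        boss = supervisors.get(employee)
        if boss and not ({a, b} & assignments.get(boss, set())):
            result.append((employee, a, b, "compensating control: supervised by " + boss))
        else:
            result.append((employee, a, b, "open finding: " + objective))
    return result


# Constructed three-person shop, the small-organization case from the text.
STAFF = {
    "ana": {"authorize", "journals"},
    "ben": {"process", "custody", "record"},          # Objective 2 conflict
    "cara": {"subsidiary_ledger", "general_ledger"},  # Objective 3 conflict
}
SUPERVISORS = {"ben": "ana"}  # ben is closely supervised; cara is not

if __name__ == "__main__":
    for row in classify(STAFF, SUPERVISORS):
        print(row)
```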
