Section 5: Internal Control Over Financial Reporting

Cases Included in this Section
5.1 Simply Steam, Co.: Evaluation of Internal Control Environment
5.2 Easy Clean, Co.: Evaluation of Internal Control Environment
5.3 Red Bluff Inn & Café: Establishing Effective Internal Control in a Small Business
5.4 St. James Clothiers: Evaluation of Manual and IT-Based Sales Accounting System Risks
5.5 Collins Harp Enterprises: Recommending IT Systems Development Controls
5.6 Sarbox Scooter, Inc.: Scoping and Evaluation Judgments in the Audit of Internal Control over Financial Reporting
5.7 Société Générale: How a Low-Risk Trading Area Caused a $7.2 Billion Loss
Instructor Resource Manual — Do Not Copy or Redistribute
Case 5.1-2: Easy Clean/Simply Steam, Co.
Evaluation of Internal Control Environment
Mark S. Beasley · Frank A. Buckless · Steven M. Glover · Douglas F. Prawitt

Instructional Objectives
[1] To reinforce aspects relevant to the internal control environment.
[2] To illustrate the degree of judgment involved in making internal control environment evaluations.
[3] To provide students experience in making subjective evaluative judgments.
[4] To provide a forum to discuss inquiry techniques as well as inquiry as a form of audit evidence.
[5] To provide students direct experience with, and discovery of, issues surrounding the control environment, making inquiries, and the framing (e.g., positive or negative) of information provided by management.
[6] To illustrate the potentially inappropriate effects of information “framing.”
KEY FACTS
The instructor has the option of using two versions (i.e., negative and positive) of the case. Simply Steam provides the negative tone or frame while the next case, Easy Clean, provides the positive frame. The cases are identical except for the tone of the interview and some name changes. Easy Clean/Simply Steam (EC/SS), Co. is in the business of providing industrial and domestic carpet steam-cleaning services. EC/SS is a privately-held company and has never been audited. The audit manager recently conducted an interview with management in order to obtain an understanding of EC/SS’s control environment. This interview dialogue is what students rely on to assess EC/SS’s control environment. EC/SS has grown rapidly since it began operations less than six years ago. The case indicates that the instructor will notify the students whether to make all the component assessments or only the overall control environment assessment.
USE OF CASE¹
The rich content of the EC/SS case can be used to promote interesting discussions of a wide variety of topics relating to the assessment of a client’s control environment. The EC/SS exercise actively involves students in issues that call for professional judgment. This is a crucial part of their audit education that is not often covered by traditional methods. Involving students in this active learning experience should help develop their competence, heighten their sense of professional skepticism and enhance their ability to exercise professional judgment. This case exercise provides an opportunity to practice making difficult judgments and to critically evaluate the issues surrounding professional judgment.

¹ This case and the teaching notes have been adapted from the “Steam-Vac, Inc.” case included in the article “Instructional Case: Using Professional Judgment in Control Environment Evaluation,” by R.E. Marden, S.L. Schneider, and G.L. Holstrum, published in Issues in Accounting Education, Vol. 11, No. 2, Fall 1996. The case was prepared by Mark S. Beasley, Ph.D. and Frank A. Buckless, Ph.D. of North Carolina State University and Steven M. Glover, Ph.D. and Douglas F. Prawitt, Ph.D. of Brigham Young University, as a basis for class discussion. Simply Steam is a fictitious company. All characters and names represented are fictitious; any similarity to existing companies or persons is purely coincidental.
Copyright © 2009 by Pearson Education, Inc., Upper Saddle River, NJ 07458

The exercise involves the evaluation of the control environment (CE). Prior to Sarbanes-Oxley and PCAOB Auditing Standard No. 2 (superseded by Auditing Standard No. 5), the evaluation of CE rarely received the attention it deserved in the professional literature and auditor training. However, a proper understanding of CE is one of the most important aspects of the audit. Lack of attention to CE is a potential contributor to several known alleged audit failures. Increased sensitivity to the CE may improve students’ ability to recognize those conditions in which the risks of fraud and material misstatements are high.

The EC/SS exercise is intended to demonstrate some of the difficulties that auditors, as well as students, can have in using professional judgment when evaluating the oral assertions of management. The primary function of the exercise is to encourage students to engage in critical thinking about audit judgment and to begin developing a sense of professional skepticism.

This case is designed for use in-class. Students should already be familiar with the concepts covered in a textbook chapter covering internal control and/or concepts in AU Section 314, “Performing Audit Procedures in Response to Assessed Risks and Evaluating the Audit Evidence Obtained,” and PCAOB Auditing Standard No. 5, “An Audit of Internal Control Over Financial Reporting That Is Integrated with An Audit of Financial Statements.” In other words, the case exercise is not intended to introduce students to the control environment. Rather, it is intended to allow them to apply what they have already learned. In the exercise, students are told they will be asked to evaluate aspects of a small service company’s CE, relying primarily on the oral assertions provided by management.
The students are then presented with a hypothetical scenario portraying an interview with an audit client about the CE of a small carpet cleaning company named either “Easy Clean, Co.” or “Simply Steam, Co.” The Easy Clean and Simply Steam cases are nearly identical with the primary difference being two versions of the interview dialogue. Both interviews include management’s description of the same CE. In Easy Clean, management’s description of the CE is cast in a relatively positive light (i.e., the positive version). In Simply Steam, management’s description is cast in a relatively negative light (i.e., the negative version). Both versions represent the same objective conditions (see example excerpts in Exhibit 1).
Exhibit 1: A Selected Example of Framing Manipulations from the Positively and Negatively Framed Interviews

Positive Frame (Easy Clean): “Mr. Day developed this sales system himself and it’s working rather well. He’s currently in the process of creating the user manual for the system. I’ve also noticed that he sometimes makes adjustments to improve the system, which makes the accounting process more efficient. We’ve agreed that he’ll re-evaluate the process at least once every eight weeks.”

Negative Frame (Simply Steam): “Mr. Day pieced together this sales system himself, and so far it’s working fairly well. He hasn’t had a chance to finish a user manual for the system yet. I’ve also discovered that he sometimes alters the system. He says he does this to make the accounting process more efficient. I’ve told him to re-evaluate the process at least once every couple of months.”
Instructors have the option to use one or both versions of the case. Instructors choosing to use both versions will ask that half the class complete Easy Clean and the other half complete Simply Steam.

Before asking the students to begin reading the interview scenario, we encourage students to review the CE “decision aid” or evaluation form, which is included in the case. The students are told that the evaluation form consists of an organized series of items describing typical CE factors and a rating scale for evaluating the impact of the factors within the scenario on EC/SS’s CE. The students are given a minute or two to look over the evaluation form before starting to evaluate the background information and interview evidence. Once the students have had an opportunity to look over the evaluation form, they are asked to read the Easy Clean (or Simply Steam) scenario. The interview dialogue should take students about 10 minutes to read. After having read the scenario, the students are asked to fill out the CE evaluation form. The instructor can ask the students to make all the preliminary assessments (i.e., assess the various components of CE) or ask them to just make the overall evaluation of the control environment (we discuss the potential implications of these different evaluation alternatives below).

After students have completed their CE ratings, a classroom discussion follows. Students are encouraged to defend their positions with reasoned arguments and based on available evidence. Depending on time constraints and the depth of coverage desired, the discussions can focus on one or all of the content areas suggested below. If the instructor wishes to use less than a full class period on the exercise, he or she would discuss only a subset of the available topics.

In the exercise, students must deal with inquiries. The profession recognizes inquiries as important sources of evidence.
However, it is all too easy to accept oral evidence at face value, overly trusting its reliability. Especially when dealing with oral assertions, auditors may be susceptible to biases from information framing. Student evaluations at the end of our courses where we have used cases like EC/SS suggest that the vast majority of students find the cases both eye opening and enjoyable. We have received student feedback suggesting that when they study the material from their textbook they sometimes get the sense that auditing is a “cookbook” exercise. In other words, students often believe that the job of an auditor is to follow a list of pre-established audit procedures, not realizing the extent of professional judgment required.
PROFESSIONAL STANDARDS
Relevant professional standards for this assignment are AU Section 316, “Consideration of Fraud in a Financial Statement Audit,” AU Section 318, “Performing Audit Procedures in Response to Assessed Risks and Evaluating the Audit Evidence Obtained,” AU Section 333, “Management Representations,” AU Section 326, “Audit Evidence,” and PCAOB AS5, “An Audit of Internal Control Over Financial Reporting That Is Integrated with An Audit of Financial Statements.” (AS5 is relevant from an informational perspective, but is not required since EC/SS is not a public company.)

SUGGESTED SOLUTION/DISCUSSION TOPICS
Obviously, there is not one “correct” answer to this case. The following three sections provide a foundation for classroom discussion. These discussion areas are not intended to be all-inclusive, but rather should be supplemented by relevant text and other classroom materials. In each section we offer a short introduction to the topic along with highlights to enhance classroom discussion. Suggested questions for discussion are provided in each section. Because the three content areas are closely related, there is likely to be considerable overlap of discussion topics.
Discussion Topic #1—The Control Environment
Because the CE is a primary component in the evaluation of control risk, it can have a pervasive effect on the entire audit process. Students must realize that the reliability of the accounting system and other internal controls will be tenuous if management’s integrity and ethical values are suspect. If the CE is weak, the opportunity for fraud increases because fraud becomes easier to commit and because detection of the fraud is less likely. In this exercise, students are exposed not only to several CE components, but they are also encouraged to make systematic judgments of CE’s strength using a decision aid. After reading the EC/SS interview and evaluating the CE’s condition, the instructor can raise any of a number of issues to start the discussion. Exhibit 2 provides several examples of questions that can be used to discuss CE topics. In our classes, we have students discuss the underlying aspects of CE to highlight the fact that certain components tend to be more subjective and abstract in nature than others are. For instance, we find that students generally have greater difficulty finding evidence that directly bears on management’s philosophy than they do finding evidence for management control methods. This provides an excellent opportunity to inform students that the more abstract CE components, even though they are harder to document, tend to be the ones that have the most pervasive effect on the strength of the CE. Some of these abstract components combine to form what has been referred to as the “tone at the top” of an organization. A firm’s “tone at the top” may provide the basis on which all other controls are evaluated. For example, auditors can have little faith in a client’s internal controls if there is a reasonable likelihood that these controls can and will be overridden by management for the wrong reasons. 
In our discussions of the CE, we find that many students substantially underestimate the number of factors that need to be taken into consideration to form accurate conclusions. Students become sensitized to cost-benefit issues surrounding information gathering, and they become aware of the problems associated with the availability and quality of corroborating evidence. This exercise helps students gain a more balanced perspective on issues of effectiveness and efficiency in CE information gathering.

Exhibit 2: Discussion Topics for Evaluating the Control Environment
1. How interrelated are the various CE components and items? Find an example in the scenario that illustrates an interrelationship. Why might these interrelationships be important?
2. Does the importance of the different CE components vary across industry and firm size? Do you think the interview should focus on the same issues for EC/SS as it should for a larger firm, or for a firm in another industry (e.g., banking)?
3. What is “tone at the top”? Which CE components and items represent the “tone at the top”? How would you describe EC/SS’s “tone at the top”?
4. Do you think the CE component assessments (e.g., integrity and ethical values, commitment to competence, etc.) helped you in your evaluation of EC/SS’s CE? Why or why not? In general, what are some of the pros and cons of making assessments of the component parts of CE in evaluating a firm’s CE?
5. What evidence from the scenario did you use to evaluate each of the items on the CE decision aid? Are there reasons why different students rated a given item differently?
6. Is it likely that focusing on CE strengths versus CE weaknesses influences the way that evidence is evaluated? Did you find yourself focusing on one or the other? If so, do you think it influenced your evaluation of the CE item? Why or why not?
7. What is the CE’s impact on the evaluation of control risk? What have you learned from the interview about EC/SS’s level of control risk? What else do you need to know?

It is common for students to ask what the correct overall control environment assessment is. Obviously, there is no one correct answer; however, assessments within the range of 3 to 5 are better than assessments at the extremes. We ask students if they think different auditors completing the case would make exactly the same assessments. Students quickly respond that they would expect some differences. Then we ask students if they would expect big (e.g., say 5 or 6 point) differences between auditors. This discussion allows us to address issues of consensus, individual differences due to past experience and training, differences in interpreting the scale, etc. While there is no right answer, Exhibit 3 provides attributes of EC/SS’s control environment that students should have considered in their assessment(s).
Exhibit 3: Strengths and Weaknesses of EC/SS’s Control Environment

1. Integrity and Ethical Values
Factors that Strengthen
• Owners (Phil and Doug) are highly involved in running the business and they appear to be people of integrity
• The company has experienced strong growth primarily through word-of-mouth advertising which indicates the company (owners) operates ethically and delivers a valuable service
Factors that Weaken
• High employee turnover
• Sales people are paid on commission and can negotiate special pricing

2. Commitment to Competence
Factors that Strengthen
• Employees seem to receive sufficient training and appear to understand their responsibility
• Office staff are largely made up of college accounting students. Thus while the staff has little prior work experience they can apply concepts from their business education to EC/SS’s processes
Factors that Weaken
• Most employees have little or no previous experience
• No formal job descriptions have been developed
• Office staff experience confusion regarding their job duties

3. BOD or Audit Committee Participation
Factors that Strengthen
• There is an active BOD
• Board members are knowledgeable about the business and the industry
• BOD have the flexibility to meet when needed
Factors that Weaken
• The BOD meetings are scheduled only once per year
• There are no board members independent of management
4. Management’s Philosophy and Operating Style
Factors that Strengthen
• Phil and Doug maintain an “open door” policy
• Employees are encouraged to express their concerns to management
• Doug and Phil are the only people authorized to sign checks
• EC/SS is a focused, well-run organization
• The engagement of CPAs for a financial statement audit signals management’s (1) desire to produce fair financial statements, (2) interest in controls, (3) desire to monitor business risks, and (4) desire to continuously improve

5. Organizational Structure
Factors that Strengthen
• Owners and office manager are highly involved in day-to-day operations
• Responsibilities and authorities of owners and office manager are clearly established
• Office manager directly supervises data processing
• Operating policies and procedures are determined by owners and office manager

6. Assignment of Authority and Responsibility
Factors that Strengthen
• Owners are highly involved in day-to-day operations
• Office manager approves all sales
• Exception reports are generated for specially priced sales
• Computer system and sales process is re-evaluated every eight weeks

7. Human Resource Policies and Practices
Factors that Strengthen
• New hires receive immediate training
• New employees in operations are assigned to work with more experienced employees
• Owners and office manager are highly involved in day-to-day operations

Factors that Weaken (components 4 to 7)
• Phil and Doug have little understanding of accounting and finance issues
• Office manager paid a % of sales
• Management does not formally specify goals
• No budgets are prepared
• Management appears to emphasize efficiency and output over controls
• Office employees indicate there are problems in processing trade receivables (management does not seem to share the concern)
• No separate physical controls over important documents or computer equipment
• Sales people are paid on commission and can negotiate special pricing
• Office manager is paid a percent of total sales

• Computer system was developed by office manager
• No user manual or other system documentation exists for computer system
• Office manager makes relatively frequent changes to the system
• Office employees experience confusion regarding their job duties and responsibilities
• New hires have little or no prior experience
• Employee turnover is high
• Workloads can get heavy
• Office employees have to help “cover” other positions when workload is busy
• Office employees experience confusion regarding their job duties and responsibilities
Discussion Topic #2—Inquiries
According to the third GAAS standard of fieldwork, inquiry is one of the four basic types of evidential matter, along with inspections, observations and confirmations. Although inquiries can be informative, they are often less reliable than other forms of evidence because they are subjective and easily manipulated. The nature of inquiries makes it easy to demonstrate that the consideration given to a piece of evidence is likely to differ from one auditor to another, even when they both face the same audit situation. This exercise can help students develop their professional skepticism. Students will have to think through the problem of suggesting ways to corroborate oral assertions with other evidence. The EC/SS case can also be used to increase students’ awareness of (a) the necessity of collecting information systematically and (b) the importance of having structured interviews. Exhibit 4 provides a list of possible questions for opening a discussion on inquiries.

Exhibit 4: Discussion Topics for Using Inquiries as Evidence
1. Why is it important to collect information systematically? What are some of the different ways to make information-gathering more systematic? Was Ted/Tina (the scenario auditor for Easy Clean/Simply Steam) well-organized and systematic in his/her information gathering?
2. Would an interviewer want to ask “yes/no” questions or open-ended questions? Why might the interviewer ask a question such as “What is your biggest headache”?
3. How much reliability can be put on oral assertions? Looking through the interview dialogue, how confident can you be about the accuracy of management’s assertions? Are some kinds of assertions likely to be more reliable than others?
4. Does the quality of oral assertions change with management rank? Is Mr. Day (the manager) likely to be more or less accurate than one of the part-time EC/SS clerks? Are there cues that one might use to help evaluate the quality of oral assertions?
5. Can management consensus be used as a form of validation? For instance, when Doug, EC/SS’s owner, and Mr. Day independently agree on the same oral assertion, does that increase the likelihood that the statement is accurate?
6. What role does professional judgment play in evaluating oral assertions? Is it likely that auditors may disagree about the value of an oral assertion? If so, what implications does this have for the use of inquiries as a form of evidence?
We find that students need to be made aware of the difficulties associated with relying on oral testimony, especially when corroborating evidence is not available. A quick reference to the tactics of the proverbial “used car salesman” instantly makes the point. The interview exercise can be used to illustrate the importance of asking the right questions, maintaining control of the interview, and making sure that questions are pointed and produce sufficient detail. Students come to recognize that the weight of evidential matter is not a matter of absolutes, but a matter of degree of persuasiveness.
Discussion Topic #3—Framing Effects
Framing effects occur whenever a person is influenced in either thought or behavior by the way in which information is described or framed. The framing of information can influence audit decision making, and framing effects have been documented in a variety of audit contexts.² Framing effects are most apt to occur when dealing with decision contexts that are ambiguous or lack feedback. These potentially harmful biases seem especially likely given the subjective nature of most CE factors and the need to rely on inquiries as a primary form of evidential matter. Because most information can be communicated in any number of ways, auditors routinely receive client information in a fashion that reflects the perceptions, attitudes and communication habits of the person who supplies the information. This problem is compounded if management is purposely trying to influence the auditor’s judgment. Our exercise demonstrates how the same information can be communicated in different ways, and it shows students that their own judgment can be influenced by these differences. Suggested questions for leading a discussion on framing appear in Exhibit 5.

² For a review of framing research see “Instructional Case: Using Professional Judgment in Control Environment Evaluation,” by R.E. Marden, S.L. Schneider, and G.L. Holstrum, published in Issues in Accounting Education, Vol. 11, No. 2, Fall 1996.

Exhibit 5: Discussion Topics for Becoming Aware of Biases in Framing and Hypothesis Testing
1. How do the CE ratings for the positively and negatively framed interview versions differ from one another? Should they differ? Why or why not?
2. What are some of the ways one can bias the views of others? Are there examples in the interview? Is it harder to bias some types of information than others?
3. In comparing the interviews, are the two different frames given to a particular piece of information really equivalent? If not, what makes them different? Either way, could the frame influence what the auditor comes to believe about Easy Clean?
4. Are managers and others who communicate information to auditors likely to be sensitive to the subtle differences in meaning that different frames may promote? How about the auditor—will he or she be aware that the information could have been presented in a different way?
5. Using an example of framing from the interview, try to state how the information could be communicated in a completely “objective” fashion. Is the “objective truth” underlying the two interview versions easy to communicate in a neutral fashion?
6. What are some ways to minimize or overcome biases in communication? How can one communicate information in a more “objective” fashion? On a larger scale, how can one avoid biases in hypothesis testing?
7. Should an auditor examine evidence in terms of its strengths or in terms of its weaknesses?
8. Is using a systematic decision aid likely to decrease the influence of framing? Why or why not?

We find that one of the first things students need to be aware of is the meaning of framing. Perhaps the easiest way to illustrate a framing effect is to describe a glass of water as “half full” or “half empty.” In both versions, the objective state or fact situation is identical. It is important for students to recognize that situations or “fact” patterns are communicated from a particular perspective or with a particular “frame.” After the glass example, students can be asked to spend several minutes comparing the Easy Clean and Simply Steam interviews with a neighbor that completed a different version than they did (i.e., as a small group task) to discover all of the places that the information has been framed differently across the “positive” and “negative” versions. This comparison task is not only fun for the students, but it is a truly eye-opening experience. Some students are excited to discover how different frames can be used to communicate the same point, whereas others argue that a change in frame may involve a change in meaning as well as wording. It is also interesting to witness the range of student beliefs and awareness of biases in communication. Some students can provide numerous examples of “framed” communications both in and out of an auditing context, whereas others seem genuinely surprised to learn of the existence or impact of variations in how something is said.

As the discussion evolves, the inherent difficulty of trying to communicate information in a completely objective fashion should become readily apparent. The ensuing discussion should make it clear that there often is no one completely objective way to communicate information, and that the inevitable framing of information is likely to have unanticipated effects on judgment. Introducing the role of professional skepticism in auditing adds another important dimension to this discussion. The exercise stimulates critical thinking by challenging students’ assumptions about the inherent objectivity of information. The intensity of discussion we have observed is evidence of this. Students voluntarily search to compare and contrast the different versions of the scenarios to determine if the differences are trivial or substantive. The exercise sensitizes students to subtle differences in perspective and to the value of considering alternative perspectives.

As an extension of the case (perhaps an extra credit opportunity), instructors may consider giving students the opportunity to demonstrate what they had learned about framing by finding an example in a newspaper or magazine. Students could then re-write the example from an alternative perspective, and comment on the influence that the original frame was likely to have had on readers. Experience suggests student interest in an extension of this sort is likely to be high.
Empirical Evidence and the Impact of the Decision Aid. Our experiences with the Easy Clean/Simply Steam case scenarios have been very rewarding. Results of an empirical study using a case similar to Easy Clean are reported in “Instructional Case: Using Professional Judgment in Control Environment Evaluation,” by R.E. Marden, S.L. Schneider, and G.L. Holstrum, published in Issues in Accounting Education, Vol. 11, No. 2, Fall 1996. In that study, students’ responses to the CE decision aid were analyzed to determine if students who responded to the positively framed scenario evaluated the CE more favorably than students who responded to the negatively framed scenario. The analysis identified significant differences between the positive and the negative versions. Items were rated as contributing more positively to CE strength when the interview was presented in a positive frame rather than a negative frame. In our experience, when we have had students make only the overall evaluation of the control environment the average assessment for the positive (negative) case has been just under 5 (over 3). The difference is significant at the p < .01 level. When we have students make all the assessments, we find that the difference in the overall evaluation of the control environment is less (just over 3 for the negative case and just under 4 for the positive case). While this difference is smaller, it is also highly significant (p < .01). This finding that the difference between the positive and negative frames is smaller when both intermediate and overall assessments are made suggests that making intermediate assessments may be one effective way to mitigate the effects of framing. Such an empirical demonstration can be used in the classroom to (a) provide students with direct evidence of the impact of contrasting perspectives in shaping judgment, and (b) illustrate how responding to detailed intermediate assessments of CE can influence judgment. 
While the differences are statistically significant, some students will question the economic import of a difference between a 3 and a 5 rating on the scale. We generally ask from a normative perspective whether there should be any difference (assuming the only difference between the positive and negative case is framing). The students understand that there should not be. Then we discuss how a difference in rating could impact an audit. We discuss the possibilities of thresholds. For example, suppose ratings over 4 result in audit testing (i.e., nature, timing, extent) that differs from the testing performed when the rating is under 4. After the discussion, students generally understand that it is conceivable that framing could actually impact important audit decisions.
Case 5.3: Red Bluff Inn & Café
Establishing Effective Internal Control in a Small Business
Mark S. Beasley · Frank A. Buckless · Steven M. Glover · Douglas F. Prawitt
INSTRUCTIONAL OBJECTIVES
[1] To help students understand types of frauds that can occur in a small business environment due to the lack of effective internal controls.
[2] To help students apply their general business knowledge, reasoning abilities, and understanding of internal controls to identify controls that would be effective and efficient in reducing risks of material misstatements due to fraud.
KEY FACTS
Matthew Franklin recently invested in a small 18-room motel and café in a remote tourist area in Southern Utah. Matt lives in Northern Utah, some five hours from the motel, and only plans to visit the motel periodically. Matt hired a young couple to manage the motel and café. They will live on-site and will have complete control over daily activities and record keeping. Matt is concerned about having little control over the operations of the motel and café. He has requested help in identifying possible ways the business could be defrauded and in establishing creative internal controls to deter such fraud.
USE OF CASE
This case provides an excellent opportunity for students to understand the importance of internal controls in a small business environment and to exercise their reasoning abilities and general business knowledge in generating suggestions for internal control improvements. Generating ideas for developing internal controls helps students deepen their general business intuition when it comes to designing effective tests of controls in a financial statement audit. The case has been designed to help students recognize types of frauds that can occur with the absence of certain internal controls. The case also provides students the opportunity to identify internal controls that specifically address particular fraud risks. In addition, the case allows for a discussion of the limitations and alternatives that small businesses face when trying to implement controls in a cost-effective manner. Finally, the case allows students the opportunity to explore possible effects of identified controls on employee morale. The case is short enough to be used as an in-class activity to promote discussion, but can also be used as a more in-depth out-of-class writing assignment.
PROFESSIONAL STANDARDS
Relevant professional standards for this assignment are found in AU Section 314 “Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement.”
The case was prepared by Mark S. Beasley, Ph.D. and Frank A. Buckless, Ph.D. of North Carolina State University and Steven M. Glover, Ph.D. and Douglas F. Prawitt, Ph.D. of Brigham Young University, as a basis for class discussion. Red Bluff is a fictitious company. All characters and names represented are fictitious; any similarity to existing companies or persons is purely coincidental.
Copyright © 2009 by Pearson Education, Inc., Upper Saddle River, NJ 07458
SUGGESTED SOLUTION
[1] What are your two biggest concerns relating to possible fraud for the motel part of the business? For each concern, generate two or three controls that could effectively reduce risk related to your concerns. Use common sense and be creative!
Because this assignment is designed to encourage students to use their intuition and common sense in designing internal controls, there will likely be many different responses with respect to possible frauds in the motel. Below are some of the more obvious concerns:
• The couple could steal some of the revenue collected from the rental of motel rooms.
• The couple could allow friends/family to stay in the motel without charge or at an unapproved discount.
• The couple might keep false records that do not accurately show the performance of the motel.
• The couple might record personal expenses as expenses of the motel.
With respect to the concerns listed above, below are some possible controls that could effectively, but with varying levels of efficiency, mitigate the possibility of fraud at the motel:
• Require the couple and the cleaning staff to keep separate records of the motel’s occupancy and periodically check to make sure these records match. The cleaning staff could directly mail a copy of the cleaning reports to Matthew on a weekly basis. The couple’s occupancy records should match with the cleaning staff’s records of rooms cleaned.
• Establish a set of policies and procedures that require good record keeping and that clearly specify appropriate uses of motel resources.
• Require all checks (including payroll) over $500 to be signed by Matthew.
• Require a bank account ledger to be kept on all deposits and checks. Matthew could use this information along with the monthly bank statement, which could be sent directly to him from the bank, to perform the monthly bank account reconciliation. An imprest bank account could also be used.
• During his periodic visits to the motel, Matthew can review the records and other evidence of the motel’s expenses to verify everything was used for legitimate business purposes.
• Require receipts to be given to all customers and that a copy of all receipts be kept at the motel.
• Require all checks, when received, to be immediately stamped with information instructing that the check be deposited only in the motel’s account.
• Install a security camera that continuously records a view of the customer and register areas.
• Hire an assurance provider to perform periodic, unannounced “independent checks.”
[2] What are your two biggest concerns relating to possible fraud for the café part of the business? For each concern, generate two or three controls that could effectively reduce risk related to your concerns. Use common sense and be creative!
Again, because this assignment encourages students to use their creativity, many different responses will be provided with respect to possible fraud in the café. Below are some of the more likely concerns:
• The couple could steal some of the revenue brought in from the sale of food in the café.
• The couple could allow friends/family to eat in the café without charge or at an unapproved discount.
• The couple might keep false records that do not accurately show the performance of the café.
• The couple might record personal expenses as expenses of the café.
• The couple could use food items from the restaurant for their own personal use.
• The couple could purchase and serve cheaper, poor quality food and make records appear as if they had purchased more expensive, higher quality food.
With respect to the concerns listed above, below are some possible controls that could effectively, but with varying levels of efficiency, mitigate the possibility of fraud in the café:
• Require a receipt to be given to all customers. Place a sign in the café notifying customers that if they do not receive a receipt, they can call Matthew’s telephone number for a free meal and a $10 gift certificate.
• Establish a set of policies and procedures that require good record keeping and that clearly specify appropriate uses of café resources.
• Require all food and supplies received from suppliers to be recorded. A periodic inventory can be performed and compared against purchases and estimated usage based on records of meals served to identify misallocation of inventory.
• Periodically reconcile waiters’/waitresses’ records of meals served with the chef’s records of meals cooked and with register receipts.
• Require all checks (including payroll) over $500 to be signed by Matthew.
• Require a bank account ledger to be kept on all deposits and checks. Matthew can use this information along with the monthly bank statement to perform the monthly bank account reconciliation.
• During his periodic visits to the café, Matthew can review records and other evidence of the café’s expenses to verify everything was used for legitimate business purposes.
• Do not allow the cashier to be the same person responsible for recording daily cash receipts.
• Require all checks, when received, to be immediately stamped with information instructing the check be deposited only in the café’s account.
• Contract separately with a food supplier to deliver food to the restaurant, and have the food supplier send copies of invoices and listings of food supplied directly to Matthew.
• Hire an assurance provider to perform periodic, unannounced “independent checks.”
[3] Briefly describe the impact each proposed control would have on the efficiency of running the business. Are the controls you generated both effective and efficient?
While the students will come up with many suggested controls, it is important for them to consider whether the controls implemented are cost-beneficial. In order for a control to be effective, it cannot place an undue burden on the operation of the business. If the cost of implementing a control is greater than the cost of the possible error or fraud it helps prevent or detect, then the control is not efficient. However, the cost of possible fraud losses should not be underestimated. With each suggested control, the owner must weigh the associated costs and benefits before deciding whether it is effective and efficient for the company. For example, one recommended internal control would require that receipts be provided to all customers. The substantive cost to that recommended control would likely relate to the free meal and $10 gift certificate that would be provided, if the customer failed to receive the receipt. Another potential cost would be incurred if customers falsely claimed failure to receive a receipt, when in fact the clerk provided the receipt. These costs would need to be weighed against the benefit of a potential reduction of fraud.
[4] Describe the potential impact of your proposed controls on the morale of the couple in charge of the day-to-day operations. How might Matt deal with your concerns?
Another cost to consider with each potential control is the effect it could have on employee morale. While it is necessary to minimize opportunity and temptation, it is also important to not portray a complete lack of trust in the employees. Constant, intrusive monitoring or surveillance could damage morale and result in detrimental effects. The benefit of each control must be carefully weighed against the possible negative effect it could have on employee morale. Matthew might be able to best deal with the morale issue by explaining to the couple the importance of implementing the controls. He should demonstrate to them that the controls are not a showing of his lack of trust in them, but rather, they are designed to help the business run as efficiently as possible no matter who is running the business today or 20 years from now. Additionally, he could point out to the couple that the controls protect them from being inappropriately accused of wrongdoing by all other parties involved with the business. Given the nature of a small business environment, and the fact that no set of internal controls can be absolutely effective, Matthew will have to show a reasonable level of trust in the couple and their management of the motel and café. Consider, for example, that if employees were to collude, many of the controls suggested above would be ineffective. Thus, as in larger businesses, hiring quality employees with integrity is of critical importance.
Case 5.4: St. James Clothiers
Evaluation of Manual and IT-Based Sales Accounting System Risks
Mark S. Beasley · Frank A. Buckless · Steven M. Glover · Douglas F. Prawitt
INSTRUCTIONAL OBJECTIVES
[1] To provide experience with assessing risks of material misstatements arising from accounting system deficiencies.
[2] To illustrate that while new information technology (IT)-based accounting systems reduce many existing manual system risks they also introduce new risks.
[3] To illustrate issues associated with the process of converting from manual to IT-based accounting systems.
[4] To provide experience in preparing a formal business memorandum.
KEY FACTS
• The St. James Clothiers is a small, one-location clothing store located in a small Tennessee town. The store caters to customers interested in purchasing high-end clothing.
• The store is wholly owned by Sally St. James, who has operated the store for 20 years.
• Sally recently decided to convert from a relatively simple manual sales system to an IT-based sales accounting package to be purchased from a software vendor.
• Prior year audit files contain a narrative describing the manual sales system. The narrative is included in the case materials.
• Joe McSweeney, a staff auditor, recently visited with the client and prepared a narrative summarizing the features of the proposed new IT-based sales system. The narrative is included in the case materials.
• St. James’ fiscal period ends December 31, 2009. Conversion to the new IT-based accounting system is scheduled for the fourth quarter of 2009. A Nashville, Tennessee based computer consultant will assist with the implementation.
USE OF CASE
This case assignment provides students the opportunity to evaluate risks of material misstatements related to both manual and IT-based sales accounting systems. As a result, students develop skills at analyzing strengths and deficiencies of internal controls by encouraging them to think through “what could go wrong” within a particular accounting system. The case helps students practice assessing how IT-based accounting system features reduce risks frequently associated with manual accounting systems. Additionally, this case points out that while many manual-system risks are eliminated, the use of an IT-based system introduces new risks that must be considered. Finally, this case highlights issues associated with client installations of purchased off-the-shelf accounting software.
The case was prepared by Mark S. Beasley, Ph.D. and Frank A. Buckless, Ph.D. of North Carolina State University and Steven M. Glover, Ph.D. and Douglas F. Prawitt, Ph.D. of Brigham Young University, as a basis for class discussion. St. James is a fictitious company. All characters and names represented are fictitious; any similarity to existing companies or persons is purely coincidental.
Because St. James Clothiers is not a public company, the auditor would most likely not be separately reporting on internal controls over financial reporting. However, this case can also be used to illustrate how auditors of public companies must evaluate existing internal control processes for design deficiencies as part of their responsibilities in PCAOB Auditing Standard No. 5, “An Audit of Internal Control Over Financial Reporting That is Integrated with an Audit of Financial Statements.” Completion of this case can help students improve skills at identifying internal control design deficiencies.
We have used this case in graduate level auditing classes to highlight audit planning issues associated with assessing control risk for the revenue cycle. The case would also be effective for use in an undergraduate auditing class when discussing the consideration of internal controls during audit planning or when discussing the revenue cycle. The case can be completed by students individually or in groups as an in-class or out-of-class assignment. For in-class use, we recommend assigning the reading of the case background and related internal control narratives as an out-of-class reading assignment to be completed before the day scheduled for in-class use.
Generally, students enjoy reviewing the narrative to identify risks associated with the existing manual system. Many of them have shopped in small, “hometown” stores with similar simple accounting systems. Students are also effective at identifying ways in which the proposed new IT system reduces or even eliminates many of the manual-system risks. In our experience, we find that students are less effective at identifying how the new IT-based accounting system introduces new risks. Students often focus on the benefits of technology and believe all information must be correct given that “the computer processed it” without focusing on risks associated with that technology. This case helps point out those risks. The case also helps students think through issues associated with converting to new systems, such as the reliance on software vendor reputation, dependence on consultants for installation, and installation during peak operating seasons.
Finally, this case provides students an opportunity to develop formal professional writing skills when used as an out-of-class assignment. Students are asked to assume the role of audit senior on the engagement responsible for preparing a memorandum to the audit partner outlining the issues they identify. We believe it is important to encourage students to work on the conciseness of their written response, which will be expected of them in most professional settings. Our solution contains a comprehensive set of the case answers, which increased the length of our memorandum response. If you choose to restrict students to a set page limit for their response, you should not expect the students’ responses to contain a comprehensive solution including all requested items. We believe that students benefit as much from constructive feedback about their writing style as they do from feedback about the substantive content of their response. There may be a need to explain the format of typical internal memos. Some students may not be familiar with the traditional “To/From/Subject” format of preparing a memo to be circulated internally within an organization.
Optional additional requirements that can be tailored for this assignment:
• You can require them, either individually or in groups, to flowchart the manual and/or IT-based accounting systems that are described in narrative form in the case materials. Flowcharting software can be downloaded free from the Internet (for example, obtain a trial version of EDGE Diagrammer software by Pacestar Software at www.pacestar.com).
• To provide students an exposure to related issues in the “real world,” you can require them to visit with a small local retail or service business to learn about that business’ existing sales and cash receipts system. This assignment could formally require the students to interview business representatives about the existing system. Alternatively, you might ask students to evaluate current systems from a customer perspective at a business where they currently shop. For example, while standing in line at a local fast food restaurant, students could observe how sales orders are captured and cash is handled and then evaluate potential risks for misstatements in recording sales transactions for that establishment.
PROFESSIONAL STANDARDS
Relevant professional standards for this assignment are AU Section 312 “Audit Risk and Materiality in Conducting an Audit,” AU Section 314 “Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement,” and AU Section 318, “Performing Audit Procedures in Response to Assessed Risks and Evaluating the Audit Evidence Obtained,” and PCAOB Auditing Standard No. 5, “An Audit of Internal Control Over Financial Reporting That is Integrated with an Audit of Financial Statements.”
QUESTIONS AND SUGGESTED SOLUTIONS
As noted in the student version of the case, one effective method for responding to questions 1 and 2 is to combine those responses. Thus, the suggested solution is prepared in that manner. The suggested solution attempts to identify all issues present and, as a result, the solution is long.
[1] What aspects of the current manual sales accounting system create risks that increase the likelihood of material misstatements in the financial statements? Specifically identify each risk and how it might lead to a misstatement. For example, don’t just put “Risk: Sales tickets are manually prepared by the cashier.” Rather, you should state why this increases risks of material misstatements by adding “This increases the risk of material misstatements because it increases the risk of random mathematical errors by the cashier.”
[2] What features, if any, of the proposed IT-based sales accounting system will help minimize the risks identified in question 1? If a deficiency exists that is expected to persist under the new system, indicate that “no computer controls reduce this risk.”
The suggested solution follows.
Memorandum
Date: July 20, 2009
To: Betty Watergate
From: Audit Senior
Subject: Evaluation of St. James Clothiers’ Current and Proposed Sales Accounting Systems
I reviewed the narrative describing St. James Clothiers’ current manual sales accounting system and the narrative describing their proposed new IT-based accounting sales system, which is scheduled for fourth quarter 2009 implementation. The following table highlights risks I identified as being associated with the manual system. For each category of manual risk, I noted how the proposed IT-based system should reduce that risk.

Manual System Risks: The manual recording of the sales clerk’s name, product number, quantity sold, and sales price increases the risk of random human error by the cashier.
Related Impact on the Financial Statements: This may lead to an increased risk of material misstatements in sales.
IT System Solutions: The new system requires the sales clerks to enter their unique password, which should minimize errors associated with entering the sales clerk’s name. The sales clerks will continue to input product number and quantity. Invalid product numbers and products without prices in the Price List master file will automatically be rejected by the computer, thereby reducing errors. Price input errors should be reduced given that the computer uses the unit price in the Price List master file to compute the sales total.

Manual System Risks: The reliance on price tags, newspaper ads, or sales clerks to identify unit prices for products sold increases the risk that customers may be charged incorrect prices.
Related Impact on the Financial Statements: This may lead to an incorrect valuation of sales transactions.
IT System Solutions: Sales clerks will no longer input unit prices. Instead, the computer will automatically identify unit prices for each product number in the Price List master file.

Manual System Risks: The manual extension by sales clerks of price times quantity and the entering of extended price, sales tax, and total sales price increases the risks of random mathematical errors in computing sales amounts.
Related Impact on the Financial Statements: This may lead to an incorrect valuation of sales transactions.
IT System Solutions: The computer will automatically extend price times quantity and compute the pre-tax sales amount, sales tax amount, and total sales amount, thereby reducing the risk of random error.

Manual System Risks: The cash drawer can be easily opened by pressing the “Total” button thereby increasing the risk of cash theft.
Related Impact on the Financial Statements: This may lead to a misstatement of the cash balance.
IT System Solutions: The cash drawer, which is controlled by the computer, remains locked until a sale is processed. Only the store manager has a special password to open the cash drawer at other times.

Manual System Risks: Sales returns are processed by filling out another sales ticket using negative amounts. No matching of the return slip with returned merchandise is required, and an inventory count is made only once a month. These risks may lead to material misstatements because inventory is poorly tracked and sales returns are poorly monitored. Cash could be misappropriated and disguised by recording fictitious sales returns.
Related Impact on the Financial Statements: This risk could lead to the theft of cash and inventory, resulting in potential misstatements to those accounts. Additionally, fictitious sales returns recorded to cover up the theft of cash may lead to overstatements of the sales returns account (a contra revenue account).
IT System Solutions: Sales returns can only be processed by the store manager using a special password option. The computer also updates perpetual inventory records daily. Furthermore, the store accountant (McGlomm) will now be able to more closely monitor perpetual inventory records by performing more frequent physical counts.

Manual System Risks: Original sales tickets are maintained in a box next to the cash register where they could easily be misplaced/altered. This increases the risk of recording errors for sales and bonuses. While the accountant’s reconciliation of the Sales Journal daily sales totals to the validated deposit slip should ultimately detect discrepancies, the potential for lost sales tickets adds to the difficulty of resolving noted discrepancies.
Related Impact on the Financial Statements: This risk could lead to a misstatement of the sales and bonus accounts.
IT System Solutions: The IT-based system will no longer prepare sales tickets. A paper cash receipt will be generated for the customer. However, no cash receipt tape will be maintained by the computer. Rather, all sales will be recorded internally on the computer hard drive, which is later used to automatically post sales totals to the Sales Journal and to automatically calculate bonuses.

Manual System Risks: The cashier can manually alter sales tickets. This increases the risk that perceived “errors” may be incorrectly processed. The ability to alter transactions manually without any audit trail also increases the potential for sales to be “voided” in order to cover up a misappropriation of cash from the cash drawer.
Related Impact on the Financial Statements: This risk could lead to misstatements in the sales and cash accounts.
IT System Solutions: If the cashier makes a mistake while entering a sale, the store manager will have to enter a password to void the sale.

Manual System Risks: The store accountant (McGlomm) manually prepares daily sales records by sales clerk based on sales ticket information and enters daily totals by clerk in separate columns of a spreadsheet. She also accumulates the subtotals of sales by sales clerk to determine daily store sales totals, which she manually enters into the Sales Journal. Monthly, the store accountant foots the Sales Journal and posts the account totals to the General Ledger. These manual procedures increase the risk of random, human error in the accounting records.
Related Impact on the Financial Statements: This risk could result in errors affecting the sales and bonus accounts, if incorrectly processed by McGlomm.
IT System Solutions: The computer automatically posts individual transactions to the Sales Journal by sales clerk, thereby eliminating the manual preparation of the Sales Journal and individual salesperson sales totals. The computer also automatically posts sales and inventory transactions on a monthly basis to the General Ledger. These automatic functions reduce the potential for random, human error.

Manual System Risks: The store owner will only become aware of discrepancies between the daily recorded sales total and the validated deposit slip by periodically comparing the deposit slip to the Sales Journal recorded amounts. In addition, there is opportunity for the store accountant (McGlomm) and the store manager (Thornberg) to collude to misappropriate cash without detection by the store owner (St. James), given that the store owner only periodically compares the deposit slips with the Sales Journal entries and does not check the cash register tape.
Related Impact on the Financial Statements: There is a risk that sales will be misstated to cover up a misappropriation of cash.
IT System Solutions: The store accountant must enter the validated deposit total into the system, which then reconciles that amount to the daily recorded sales totals. All differences are listed on an exception report automatically forwarded via email to the store owner (St. James). While there is still some potential for collusion among the store manager (Thornberg) and store accountant (McGlomm), the automatic preparation of the Sales Journal based on inputted information decreases the store accountant’s ability to alter accounting records to disguise an impropriety.

Manual System Risks: Any employee can operate the cash register without any record of who prepared an individual transaction. The lack of audit trail back to specific employees responsible for processing sales transactions increases the difficulty in resolving errors or discrepancies noted.
Related Impact on the Financial Statements: This risk could result in misstatements of cash and sales transactions.
IT System Solutions: To process a sale, the cashier must input a three-digit password, which the computer records on an internal storage device that can only be accessed by the store manager.

Manual System Risks: A perpetual inventory record is not maintained thereby increasing the risk of inventory shrinkage and error.
Related Impact on the Financial Statements: This risk could result in misstatements to the inventory and cost of goods sold accounts.
IT System Solutions: The new system updates a perpetual inventory record daily and the elimination of former responsibilities for the store accountant allows her to test the perpetual inventory records on a daily basis. Discrepancies are forwarded to the store manager daily and to the owner on a test basis, at the owner’s discretion.
[3] How does the IT-based system create new risks for material misstatements?
A proposed memorandum solution to this question is provided below:
New Risks Introduced by New IT-Based Accounting System
While the new IT-based accounting system provides numerous features that reduce many of the manual-based system risks, the following features of the IT-based system create new risks:
• The computer automatically pulls unit prices from the Price List master file. If that file is not regularly updated and monitored for accuracy, systematic pricing errors could occur leading to material misstatements in sales amounts. The special password for performing the maintenance application to update the master file must not be disclosed to others by either the store owner (St. James) or the store manager (Thornberg).
• While the use of unique passwords for all who operate the computer and the recording of passwords for each transaction restricts access and improves the audit trail for each transaction, it will be especially critical that passwords not be shared or disclosed by employees. In addition, the passwords are only three digits in length, which increases the potential for them to be guessed. Password maintenance policies need to be established and employees should be encouraged to not use familiar passwords (e.g., initials, birthdate, nicknames, etc.).
• The computer does not generate a duplicate paper copy of the cash register tape. Instead, the daily sales figures are stored internally on the hard drive. Similarly, a Daily Sales Journal will not be produced in hardcopy form. Without regular backups throughout the day, there is a risk that sales transaction data may be lost in the event a hard drive or other equipment fails.
• The computer will perform all calculations of sales amounts, sales taxes, and total sales for individual transactions. Additionally, the computer will update perpetual inventory records, summarize sales by sales agent, and update the related General Ledger accounts. There is some risk that the calculations or postings may be in error. Thorough testing of the application before and after implementation should be done to ensure that the application programming has been done properly. Periodic testing after installation will also help detect errors that might arise as a result of subsequent changes.
• The store manager (Thornberg) has several key responsibilities. The store manager will be the only person who is allowed to correct transaction errors, update the Price List master file, and process sales returns. Additionally, the store manager will continue to make the nightly deposit. Furthermore, the store manager can access all employee passwords on the internal storage device. Thus, the store manager has record-keeping and custody responsibilities that provide him the opportunity to misappropriate cash and alter accounts. The store owner (St. James) should consider reassigning some of the store manager’s responsibilities. Perhaps the store owner should assume the cash handling responsibilities.
[4]
What recommendations do you have related to plans for the actual conversion to this new system?

A proposed memorandum solution to this question is provided below:

Concerns About the Proposed Implementation of the IT-based System

• The selection of the proposed IT-based sales system was made solely by the store owner (St. James) based on information she obtained at a recent industry meeting. The lack of involvement by sales clerks, cashiers, the store accountant, and store manager causes some concern. The store owner may fail to identify certain features of the IT-based system that will not work well for processing transactions at St. James, and necessary features may be missing. It would be beneficial to have those individuals review the IT-based system features before implementation, if possible, given they are familiar with handling day-to-day transactions at St. James. The lack of up-front participation may also lead to resistance and lack of buy-in on the part of the system users, who may thus intentionally circumvent certain of its features and controls.
• St. James appears to be relying solely on the abilities and expertise of the computer consultant for the implementation. While the store owner received recommendations about the consultant’s abilities from others, there is some concern that the consultant is insufficiently qualified to handle the installation of this particular software. A more formal reference check that involves inquiries of individuals in the industry would provide more reliable information about the consultant’s abilities. Furthermore, a formal arrangement (i.e., a contract) that specifies the availability, commitment, and subsequent support that will be provided by the consultant should be established. Such an arrangement will increase the likelihood that the consultant will be responsive to St. James’s needs as they arise.
• It does not appear that St. James has conducted any formal testing and evaluation of the proposed IT-based system. Thorough analysis of the capabilities, using realistic volumes of St. James data, should be conducted before installation to ensure that the proposed IT-based system can accurately handle the nature and extent of transactions at St. James.
• St. James is planning for an abrupt change to the new system. This could create tremendous pressure and confusion, particularly given that the current sales staff is most familiar with a manual system. Instead, St. James should consider running the manual system in parallel to the new system for a reasonable period of time to ensure that all IT features are properly functioning before abandoning the manual system. While parallel operations increase the time demands on employees when performing normal operations, that cost is minimal in comparison to an inability to process any transactions in the event of an implementation failure.
• The conversion is scheduled to occur during two weeks of the fourth quarter of the calendar year, which falls in or near the busy holiday shopping season. Deferral of the implementation until after the busy holiday retail season would decrease the risk of system failure during the most critical part of the year for St. James. They should also plan for the implementation lasting beyond two weeks. Regardless of the level of implementation planning, unexpected “surprises” are a component of most IT conversions.
• There has been no discussion of the training of employees to use the new system. St. James should train all employees on the key features of the system before reliance is placed on the new system. The lack of training may lead to improper use or lack of user “buy-in,” which may ultimately lead to sales processing errors.
• As mentioned previously, St. James needs to establish formal backup and password procedures to ensure that all data are properly safeguarded.
Case 5.5
Collins Harp Enterprises
Recommending IT Systems Development Controls
Mark S. Beasley · Frank A. Buckless · Steven M. Glover · Douglas F. Prawitt

INSTRUCTIONAL OBJECTIVES
[1] To illustrate risks associated with developing and implementing new information technology (IT)-based accounting system applications.
[2] To highlight effective general controls that management can implement to reduce risks associated with the IT systems development process.
[3] To provide students with an opportunity to communicate negative information in a written communication to a potential client.
KEY FACTS
• The students assume the role of a hypothetical IT audit specialist who works for the accounting firm of Townsend and Townsend, LLP.
• One of the accounting firm’s partners, Harold Mobley, requested that the IT audit specialist review the systems development process at a potential new audit client, Collins Harp Enterprises.
• Collins Harp Enterprises develops most of its computer application software internally. The IT function, which is managed by Linda Seth, the IT vice president, consists of five in-house programmers.
• The programmers develop and modify both applications and systems software. Linda provides relatively free latitude to programmers because she believes that allowing that type of creativity increases the quality of the software developed.
• Most of the ideas for software developments come from Linda Seth based upon her interactions with IT personnel at other companies. Relatively few requests for software changes come from non-IT personnel at Collins Harp.
• Minimal documentation is generated during the software development process.
• Programmers have access to live copies of program tapes and disks stored in secondary storage. Those programmers also have the ability to compile source code programs into object code, and they regularly forward object code versions of those programs to the Librarian in charge of secondary storage.
• While new programs and changes to existing programs are tested, only the programming staff assists in the testing process.
• An executive at Collins Harp asked the audit partner to have someone with good IT training review the systems development process to identify weaknesses and recommendations for improvements.
The case was prepared by Mark S. Beasley, Ph.D. and Frank A. Buckless, Ph.D. of North Carolina State University and Steven M. Glover, Ph.D. and Douglas F. Prawitt, Ph.D. of Brigham Young University, as a basis for class discussion. Collins Harp is a fictitious company. All characters and names represented are fictitious; any similarity to existing companies or persons is purely coincidental.
Copyright © 2009 by Pearson Education, Inc., Upper Saddle River, NJ 07458
USE OF CASE
This case is appropriate when covering the importance of considering risks associated with the reliance on information technologies to produce financial statement information. Generally, this case is best used when the impact of information technology on internal controls is discussed. Some auditing textbooks have one chapter devoted to the auditor’s basic consideration of internal controls in a financial statement audit and another chapter devoted to more complex issues that arise when client internal controls are largely dependent on more complex IT systems. That second chapter often describes the importance of IT general controls and application controls as effective internal controls to address unique risks associated with IT-based accounting systems. This case is most appropriate when discussing those IT general controls, given that IT systems development processes are largely affected by IT general controls.

Even if those issues are not explicitly discussed in an introductory auditing course, the case presents a relatively simple IT function loaded with potential risks that provides the instructor a simple illustration of the importance of considering basic IT risks and controls. A student not explicitly trained in general controls should be able to recognize many of the risks present at Collins Harp. This case provides an excellent vehicle for highlighting obvious concerns related to IT without covering an entire textbook chapter on the subject. Others may find this case more appropriate for an advanced auditing course or a systems course where this topic tends to be covered in more detail.

This case is also useful for emphasizing public company auditor considerations of IT general controls as part of their audits of internal control over financial reporting required by Section 404 of the Sarbanes-Oxley Act. PCAOB Auditing Standard No. 5, “An Audit of Internal Control Over Financial Reporting That is Integrated with an Audit of Financial Statements,” requires the auditor to consider IT general controls as part of their assessment of internal control design. This case provides an illustration of IT general control issues that public company auditors may need to consider.

The case is relatively short. As a result, the case can easily be assigned as an in-class activity. Students can read the background information relatively quickly (in 5-10 minutes). They then can work on answering the three case questions in class by working either in groups or individually.

This case can also be assigned as an out-of-class group or individual activity. A benefit of assigning this case outside of class is that it will help students develop their written communication skills. The case instructions ask students to prepare a draft letter to Linda Seth describing deficiencies in the current system and related recommendations for improvement. Because there are several deficiencies in the potential audit client’s IT processes, students face the difficulty of preparing a letter to a client that contains potentially negative information. We observe that students often struggle with effectively communicating bad news in a non-offensive manner. We believe that the more they practice developing written communication skills, the better communicators they will be in their professional careers.

One approach to the out-of-class assignment is to have students work together during class to identify deficiencies and recommendations for improvements in the IT systems development process. Then, students can individually prepare their draft letters to the client outside of class. Alternatively, students could be asked to work in pairs to prepare a draft letter. With this approach, one student should prepare the initial draft of the letter while the other student serves as detailed editor/reviewer. The instructor should require each pair to turn in the initial draft marked with changes noted by the reviewer along with the final draft of the proposed letter to ensure the process is followed.
PROFESSIONAL STANDARDS
Relevant professional standards for this assignment include AU Section 314, “Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement,” AU Section 318, “Performing Audit Procedures in Response to Assessed Risks and Evaluating the Audit Evidence Obtained,” and PCAOB Auditing Standard No. 5, “An Audit of Internal Control Over Financial Reporting That is Integrated with an Audit of Financial Statements.”

QUESTIONS AND SUGGESTED SOLUTIONS
In this case, students are required to prepare a draft letter to Linda Seth, IT vice president at Collins Harp. The partner would like a letter that:
[1] Describes deficiencies in the Collins Harp IT system development and program change process.
[2] Provides a brief description explaining your primary concern for each deficiency noted in question 1.
[3] Includes a recommendation of an IT system development control that could be implemented to minimize your concern for each deficiency in question 1.

A suggested draft letter follows.
Townsend and Townsend, LLP
July 12, 20XX

Ms. Linda Seth
IT Vice President
Collins Harp Enterprises
Anytown, USA

Dear Ms. Seth:

My firm is pleased to assist Collins Harp management in identifying risks related to its information technology (IT) systems development process. This letter highlights several suggestions for potential IT improvements that I identified during my review of information Harold Mobley obtained from his recent meeting with you.

Formal Written Systems Development Process

One of the strengths of the current IT systems development process at Collins Harp is that all five programmers possess the skills that enable them to handle most application and systems software development tasks from start to finish, with minimal involvement of others in the process. While that kind of versatility increases the speed with which programming changes can be implemented, such streamlining poses a potential risk that errors in software programming may occur and not be detected before being placed into live production. The lack of a formal team approach involving others outside the programming function increases the risk that inaccurate and unauthorized changes are made to application and systems software. As a result, Collins Harp executives may inadvertently be relying on information generated by the IT system that may not be at the desired level of reliability. The following recommendations are provided to help reduce that overriding risk:
• The development and use of a formal written set of systems development procedures, frequently referred to as a Systems Development Methodology (SDM), would encourage a structured approach to systems development. A consistently employed structured approach to systems development would help ensure that appropriate systems development procedures are performed and that all processes and approvals are extensively documented throughout the entire systems development process. Extensive documentation, including evidence that all checkpoints and reviews occurred as planned, serves to strengthen and control the entire systems development process.
• A written SDM should require that all program development projects involve a team of users, programmers, systems analysts, quality assurance personnel, internal auditors and other affected parties who participate in all aspects of the systems development project. Representation of others outside the programming staff, particularly the involvement of key non-IT systems personnel who will rely on the system to perform day-to-day tasks, helps ensure that all systems development projects improve the reliability of IT-based processes. For example, user personnel in non-IT positions are more likely to identify the need for system changes. They are also more likely than programmers to develop a complete and relevant set of test data for testing application developments since they work with the related systems and data on a day-to-day basis. The involvement of users in the review, approval, and testing of new and revised programs increases the potential for early identification of programming mistakes while at the same time increasing the potential for effective user buy-in of the final system upon implementation.
• The SDM procedures should encourage users of the IT system to submit written requests for changes to existing systems. The identification of needs for changes by key users of the system will complement other suggestions for changes identified from your interactions with other IT personnel in other organizations. Together, you and the users are more likely to identify the most effective IT solutions to current information needs. In addition, requiring all requests to be made in writing and numerically controlled decreases the potential for unauthorized changes being made to existing applications. Once a request is received, then the systems development team can document its assessment of the feasibility of the proposed project.
• SDM procedures should encourage the use of a standardized programming language and style across all application programs. A standardized approach to software programming will aid in the independent review of existing program changes and increase the accuracy of future changes.
• The SDM should include formal processes for converting from the old system to the newly developed system. The conversion procedures should address issues such as the length of time old system programs should be retained for backup purposes. Additionally, the procedures should ensure that programs developed specifically for the conversion process have been thoroughly evaluated and tested before use.

Segregation of Key IT Duties

The programming staff currently has the ability to work on all types of software development tasks, and the programming staff has access to live copies of program tapes, disks, and data files located in secondary storage. Again, while these authorizations may lead to certain efficiencies, the lack of adequate segregation of key IT duties may increase the potential for unauthorized changes to software and master files. I recommend that Collins Harp management consider implementing the following policies and procedures to reduce the risk that unauthorized changes are being made to existing applications:
• The duties of systems programmers and applications programmers should be kept separate. The five programmers should be consistently assigned to either systems software development projects or application software development projects. Given that certain application software changes also require modification to systems software, strict separation of these programming tasks decreases the potential that unauthorized program changes may be made and placed into live production by the programming staff.
• Programmers should be restricted from any access to live copies of program and data files. Rather, the Librarian should be the only employee allowed to provide copies of existing program tapes or disks maintained in secondary storage. Those copies should only be provided for approved systems development changes. Otherwise, programmers have an unlimited ability to make changes to existing programs without the knowledge of anyone else in the organization.
• Programmers should be required to submit source code versions of changed programs, along with documented approvals of all parties involved in the systems development process, to the Librarian who is responsible for maintaining all program tapes and disks used in live production. Upon review of all required signatures, the Librarian should be responsible for compiling the source code version into the machine readable, object code version.

Adequate Documentation of the SDM Process

One of the benefits of employing a formal SDM process is that such use encourages the generation of adequate documentation of the entire systems development process. Generation of adequate documentation aids in the review of existing changes for accuracy and completeness and increases the accuracy and completeness of future changes to existing software. Currently, however, minimal documentation of the entire SDM process is generated. Here are several examples of critical documentation that should be developed and maintained:
• All requests for IT system change should be written, with formal approval or denial of the proposed change documented.
• Documentation of required changes in procedures should be added to operator and user manuals to ensure that changed programs are properly used by employees on a day-to-day basis after implementation.
• Details of the programming logic should be maintained so that future changes to program code are more likely to be properly implemented.
• Written training materials should be developed to assist operators and users in their effective use of newly implemented software procedures.

I would be happy to meet with you to discuss these issues. If you have any questions, please do not hesitate to contact me.

Sincerely,
IT Audit Specialist
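
The change-control recommendations in the letter above (written and numbered requests, sign-off from outside the programming staff, source-only submission, compilation by the Librarian) can be expressed as an automated promotion check. The following is an added illustration, not part of the case materials; the role labels, field names, required sign-off roles, and sample records are assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample staff directory (assumption): person -> role.
STAFF = {
    "p1": "programmer", "p2": "programmer",
    "lib": "librarian", "ar_clerk": "user", "qa1": "quality_assurance",
}
# Assumed policy: sign-off is required from these roles outside programming.
REQUIRED_SIGNOFF = {"user", "quality_assurance"}


@dataclass
class ChangeRequest:
    number: int
    status: str  # "approved", "denied" or "pending"


@dataclass
class Promotion:
    request_no: Optional[int]  # written request this change implements
    author: str                # programmer who made the change
    artifact: str              # "source" or "object"
    compiled_by: str           # who built the object code for live production
    approvals: List[str] = field(default_factory=list)
    testers: List[str] = field(default_factory=list)


def gaps_in_register(register: Dict[int, ChangeRequest]) -> List[int]:
    """Numeric control: every number between the first and last must be on file."""
    if not register:
        return []
    return [n for n in range(min(register), max(register) + 1) if n not in register]


def review(p: Promotion, register: Dict[int, ChangeRequest]) -> List[str]:
    """Return the control exceptions that should block promotion to production."""
    findings = []
    req = register.get(p.request_no) if p.request_no is not None else None
    if req is None:
        findings.append("no written, numbered change request")
    elif req.status != "approved":
        findings.append(f"request {req.number} is {req.status}, not approved")
    if p.artifact != "source":
        findings.append("object code submitted; Librarian must compile from source")
    # The author's own signature never counts toward the required sign-offs.
    signed_roles = {STAFF.get(a) for a in p.approvals if a != p.author}
    missing = REQUIRED_SIGNOFF - signed_roles
    if missing:
        findings.append("missing sign-off from: " + ", ".join(sorted(missing)))
    if p.author in p.approvals:
        findings.append("author approved own change")
    if not any(STAFF.get(t) not in (None, "programmer") for t in p.testers):
        findings.append("no tester from outside the programming staff")
    if STAFF.get(p.compiled_by) != "librarian":
        findings.append("compiled by someone other than the Librarian")
    return findings


# Constructed sample register: request 103 is missing from the sequence.
REGISTER = {
    101: ChangeRequest(101, "approved"),
    102: ChangeRequest(102, "pending"),
    104: ChangeRequest(104, "approved"),
}
# Mirrors the practice described in the case facts: programmers compile and
# forward object code, and only programming staff take part in testing.
CURRENT_PRACTICE = Promotion(None, "p1", "object", "p1", [], ["p1", "p2"])
# Mirrors the process recommended in the letter.
RECOMMENDED = Promotion(101, "p1", "source", "lib",
                        ["ar_clerk", "qa1"], ["p1", "ar_clerk"])

if __name__ == "__main__":
    print("register gaps:", gaps_in_register(REGISTER))
    for name, promo in (("current", CURRENT_PRACTICE), ("recommended", RECOMMENDED)):
        print(name, "->", review(promo, REGISTER) or "clear to promote")
```
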

This is a solution if students are instructed to use the Worksheet for Answering Questions 1 – 3

Deficiencies in IT Systems Development and Program Change Process:
There is no formal systems development process.
Description of the Noted Deficiency:
Programmers have the ability to handle all types of programming tasks, including both application and systems software changes. Changes to software could go undetected because the entire development process is unstructured and not documented.
Recommendation to Mitigate Noted Deficiency:
• The use of a formal written set of systems development procedures, frequently referred to as a Systems Development Methodology (SDM), would encourage a structured approach to systems development. A consistently employed structured approach to systems development would help ensure that appropriate systems development procedures are performed and that all processes and approvals are extensively documented throughout the entire systems development process.
• A written SDM should require that all program development projects involve a team of users, programmers, systems analysts, quality assurance personnel, internal auditors and other affected parties who participate in all aspects of the systems development project. Representation of others outside the programming staff, particularly the involvement of key non-IT systems personnel who will rely on the system to perform day-to-day tasks, helps ensure that all systems development projects improve the reliability of IT-based processes.
• The SDM procedures should encourage users of the IT system to submit written requests for changes to existing systems. Requiring all requests to be made in writing and numerically controlled decreases the potential for unauthorized changes being made to existing applications. Once a request is received, then the systems development team can document its assessment of the feasibility of the proposed project.
• SDM procedures should encourage the use of a standardized programming language and style across all application programs. A standardized approach to software programming will aid in the independent review of existing program changes and increase the accuracy of future changes.
• The SDM should include formal processes for converting from the old system to the newly developed system. The conversion procedures should address issues such as the length of time old system programs should be retained for backup purposes. Additionally, the procedures should ensure that programs developed specifically for the conversion process have been thoroughly evaluated and tested before use.

Deficiencies in IT Systems Development and Program Change Process:
There is poor segregation of duties among IT functions.
Description of the Noted Deficiency:
The programming staff currently has the ability to work on all types of software development tasks, and the programming staff has access to live copies of program tapes, disks, and data files located in secondary storage. Thus, unauthorized changes to software could occur and go undetected.
Recommendation to Mitigate Noted Deficiency:
• The duties of systems programmers and applications programmers should be kept separate. The five programmers should be consistently assigned to either systems software development projects or application software development projects. Given that certain application software changes also require modification to systems software, strict separation of these programming tasks decreases the potential that unauthorized program changes may be made and placed into live production by the programming staff.
• Programmers should be restricted from any access to live copies of program and data files. Rather, the Librarian should be the only employee allowed to provide copies of existing program tapes or disks maintained in secondary storage.
• Programmers should be required to submit source code versions of changed programs, along with documented approvals of all parties involved in the systems development process, to the Librarian who is responsible for maintaining all program tapes and disks used in live production. Upon review of all required signatures, the Librarian should be responsible for compiling the source code version into the machine readable, object code version.

Deficiencies in IT Systems Development and Program Change Process:
The systems development process is poorly documented.
Description of the Noted Deficiency:
Minimal documentation of the entire SDM process is generated. As a result, the lack of adequate documentation makes it difficult to properly review existing changes for accuracy and completeness. The lack of documentation also affects the accuracy and completeness when future changes to existing software need to occur.
Recommendation to Mitigate Noted Deficiency:
• All requests for IT system change should be written, with formal approval or denial of the proposed change documented.
• Documentation of required changes in procedures should be added to operator and user manuals to ensure that changed programs are properly used by employees on a day-to-day basis after implementation.
• Details of the programming logic should be maintained so that future changes to program code are more likely to be properly implemented.
• Written training materials should be developed to assist operators and users in their effective use of newly implemented software procedures.
Case 5.6
Sarbox Scooter, Inc.
Scoping and Evaluation Judgments in the Audit of Internal Control over Financial Reporting
Mark S. Beasley · Frank A. Buckless · Steven M. Glover · Douglas F. Prawitt

INSTRUCTIONAL OBJECTIVES
[1] To help students gain an understanding of the steps involved in the scoping process for the audit of internal control over financial reporting.
[2] To provide an opportunity for students to determine the significance of accounts and locations based on both quantitative and qualitative metrics in order to plan the nature and extent of the testing of controls.
[3] To help students understand the role of testing coverage in terms of significant accounts and locations and also in regards to the overall financial statement picture.
[4] To allow students to understand and apply an evaluation methodology to determine the likelihood and magnitude of control deficiencies.
[5] To help students appreciate the judgment involved in evaluating internal control deficiencies.
KEY FACTS
Sarbox Scooter, Inc. is a publicly traded manufacturing firm specializing in motorized scooters and G.P. (Grand Prix) pocket bikes. The company was founded in 1999 and is headquartered in Basking Bridge, New Jersey. Sarbox Scooter’s business units are segmented by geographical region into the U.S., Mexico, and Europe. The U.S. region is further sub-divided into five business units: Northeast, Southeast, Central, Southwest, and Northwest. Sarbox Scooter’s management is striving to increase brand share, by 1% each year for the next five years, to 30% of the market. However, increases in brand share will not be easy as competition in the industry is very intense. The Finance Director of the company’s Mexican division recently resigned following deep scrutiny from Sarbox Scooter’s internal audit team of his control, monitoring, and reporting practices. Sarbox Scooter’s customer base consists primarily of dealerships both domestically and internationally. Sales to the dealerships account for approximately 90% of Sarbox Scooter’s annual sales. The Company also sells bulk orders directly to rental agencies and vacation resorts, which account for the remaining 10% of sales. The company has continued to progress in the areas of corporate governance and social responsibility by strengthening its Board of Directors and its internal audit function.
The case was prepared by Mark S. Beasley, Ph.D. and Frank A. Buckless, Ph.D. of North Carolina State University and Steven M. Glover, Ph.D. and Douglas F. Prawitt, Ph.D. of Brigham Young University, as a basis for class discussion. Sarbox is a fictitious company. All characters and names represented are fictitious; any similarity to existing companies or persons is purely coincidental.
USE OF CASE
This case is designed primarily to expose students to the basic scoping and evaluation judgments that are involved in the planning stage of the audit of internal control over financial reporting and in the evaluation of internal control deficiencies. It contains two parts that can be assigned independently according to the instructor’s discretion. Specifically, in Part A students are introduced to the quantitative and qualitative factors that must be addressed when deciding which locations and accounts will be tested and also when determining the extent, nature, and timing of the testing. In addition, students are required to consider the coverage of accounts and locations necessary to achieve a high level of assurance. In Part B, students are introduced to the considerations and steps used by auditing firms to evaluate the likelihood and magnitude of possible misstatement for the various levels of internal control deficiency. The firm policy provided in the case is designed to present the major issues involved in the scoping and evaluation judgments and does not necessarily address every possible factor that might be considered.

If this case is used for an in-class discussion, we recommend that students read the case as an out-of-class reading assignment prior to the in-class discussion. “Roundtable” activities are a useful cooperative learning technique for in-class discussion. To implement the Roundtable activity, divide students into small groups. Have each group discuss and record their answers, important ideas, and issues for each question assigned. Once all students have had an opportunity to state their ideas and arrive at a group consensus, the instructor can randomly call on individual students to share their group’s answers with the class. The class time allocated to the group discussion can be shortened by assigning groups responsibility for different case questions. Randomly calling on individual students to share their group’s answers with the class helps to ensure that all students take responsibility for learning the material.

If the case is used as an out-of-class assignment, we recommend discussing the case requirements with students prior to their completing the assignment. While most of the material needed to complete the case is included in the firm policy, students should have the necessary background in basic auditing concepts and theory in order to fully understand the process that is being demonstrated. Instructors may also want to include information regarding the events leading up to the new auditing standards and any changes or guidance that may have been given to the profession that is not included in this case.
PROFESSIONAL STANDARDS
Relevant professional standards for this assignment include the Sarbanes-Oxley Act of 2002, Section 404, and PCAOB Auditing Standard No. 5, “An Audit of Internal Control Over Financial Reporting That Is Integrated with An Audit of Financial Statements.”
SUGGESTED SOLUTION
PART A
[1]
Section 404 of the Sarbanes-Oxley Act of 2002 requires management to assess and evaluate the effectiveness of their internal controls. Management of Sarbox has decided to consider all accounts reported in the financial statements as significant. The PCAOB’s AS5 requires the auditor to arrive at their own conclusion about which accounts are significant as part of evaluating management’s assessment. Referring to Delmoss Watergrant’s policy on identifying significant accounts and Sarbox Scooter Inc.’s consolidated balance sheet and income statement information, identify Sarbox’s significant accounts. In your response, include the planning materiality threshold you applied (to determine materiality you may refer to your textbook or footnote 1 in Delmoss Watergrant’s policy on identifying significant accounts). If an account is considered significant for qualitative, but not quantitative reasons, please include the qualitative factors you considered. Similarly, if an account is not considered significant, even though it is quantitatively over the planning materiality threshold, please include the qualitative factors you considered.
STEP 1: DETERMINE PLANNING MATERIALITY
The first step students should take to identify significant accounts is to determine a threshold of planning materiality. The case provides guidance on materiality (see footnote 1), but also suggests that students may use guidance from their auditing textbook. If the footnote metrics are used, students’ planning materiality will vary depending on the level of risk and the metric chosen. The ranges are provided below.

Planning materiality (in thousands)

Metric             Risk level      Percentage   Base amount   Planning materiality
Sales              High Risk       1.00%        $1,987,174    $19,872
Sales              Moderate Risk   1.50%        $1,987,174    $29,808
Sales              Low Risk        2.00%        $1,987,174    $39,744
Pre-tax Earnings   High Risk       3.0%         $  589,602    $17,688
Pre-tax Earnings   Moderate Risk   4.0%         $  589,602    $23,584
Pre-tax Earnings   Low Risk        5.0%         $  589,602    $29,480

For purposes of this solution, we will use pre-tax earnings with a moderate level of risk to determine a planning materiality threshold of about $23.5 million. This seems reasonable given both positive pre-tax earnings and the information provided regarding Sarbox’s relative risk.

STEP 2: IDENTIFY QUANTITATIVELY SIGNIFICANT ACCOUNTS
Students should compare the amount of planning materiality they have chosen with the various line items on the consolidated income statement and balance sheet to determine whether or not they are quantitatively significant. The case indicates that the client considered all accounts significant. This approach by clients was relatively common in the early application of Section 404.
On the income statement and balance sheet the majority of accounts will be identified as significant. Using our estimate of planning materiality, all of the accounts would be determined initially to be quantitatively significant with the exception of Cash and Cash Equivalents, Severance Charges, Interest Income (net), Other (net), Suspense, Miscellaneous Receivables, Notes Receivable, and Work in Progress Inventory. Depending on the students’ evaluation of planning materiality, other accounts may or may not be selected.

STEP 3: IDENTIFY QUALITATIVELY SIGNIFICANT ACCOUNTS
While all accounts that exceed the planning materiality threshold will be considered for the individually important designation, auditing standards also require the auditor to consider qualitative factors. While answers may vary somewhat depending on individual student opinion, it is likely the following accounts would be considered significant for qualitative reasons:

Severance Charges: These charges typically relate to restructuring initiatives, which involve relatively complex accounting rules. Because of potential misstatement as well as insights that can be gained regarding potential issues with operations and with employees, the account should be considered significant.

Suspense Account: While the consolidated balance is zero, balances in the divisional suspense accounts can be an indicator that controls and processes are not operating effectively at those locations. Suspense account balances also are potential misstatement indicators due to increased risk of error or fraud. Sometimes suspense account balances represent transactions that the client accounting staff does not know how to resolve or properly account for.

Cash: Cash is typically considered significant because of the volume of transactions and the fact that controls and processes related to the receipt and disposition of cash relate to so many other accounts. The balance in cash is also often related contractually to debt covenants and is an important input in liquidity ratios.

The auditor should also consider qualitative factors to determine if there are qualitatively low risk accounts that present a remote likelihood of material misstatement even if the account is larger than the quantitative hurdle of planning materiality. For example, fixed assets at a service corporation may be just over the quantitatively significant level, but if the account typically has little to no activity during the year the auditor may decide not to test controls over this account because the account poses a qualitatively remote risk of material misstatement.¹ For the purposes of this case, the student is only given the information presented in the introduction and in the consolidated financial statements. Given the information provided, some students may determine that there are no qualitatively low risk accounts; others may consider accounts such as amortization, and prepaid expenses & other current assets as qualitatively low risk. Student answers may vary, but for an account to not require testing, a specific reason should be given based on size, risk factors, the complexity of the transactions, and the nature of the account.

¹ Evaluating qualitatively low risk accounts as not significant may not actually bring much testing relief because the controls around the account are typically not hard to evaluate and test.
[2]
Section 404 of the Sarbanes-Oxley Act of 2002 requires management to assess and evaluate the effectiveness of their internal controls. Sarbox’s management has decided to consider every location as a significant location. The auditor must arrive at his or her own assessment as to which locations should be tested. Referring to Delmoss Watergrant’s policy on identifying significant locations and Sarbox Scooter Inc.’s financial information by location, identify Sarbox’s individually significant locations. If a location is considered significant for qualitative, but not quantitative reasons, please include the qualitative factors you considered. Delmoss Watergrant’s policy for identifying significant locations requires the student to identify the following types of business units/locations:
[a] Individually important locations.
[b] Locations that contain specific risks that by themselves could create a material misstatement in the consolidated financial statements.
[c] Locations that when aggregated could represent a level of financial significance that could create a material misstatement in the consolidated financial statements.

[a] INDIVIDUALLY IMPORTANT BUSINESS UNITS/LOCATIONS
The table below lists the specific metrics identified by Delmoss Watergrant to determine individually significant locations. If either condition is met, the business unit/location must be considered significant.

Individually Important Business Units/Locations (in thousands)
Metric 1   Units/Locations > $38,480 (10% of Total Net Income $384,796)
Metric 2   Units/Locations > $342,207 (10% of Total Assets of $3,422,067)

Under these conditions, students should have selected all of the locations except U.S. Northeast and Mexico as individually significant.

[b] IDENTIFY BUSINESS UNITS/LOCATIONS WITH SPECIFIC RISKS
A location or business unit might present specific risks that, by themselves, could create a material misstatement in the company’s financial statements, even though the unit might not be individually financially significant. Students should consider the two remaining business units for inherent and fraud risks that could lead to material misstatement. As noted in the introduction about Sarbox Scooter, Inc., the Mexico Finance Director recently resigned following deep scrutiny from Sarbox Scooter’s internal audit team regarding his control, monitoring, and reporting practices. This scenario constitutes a specific control and fraud risk with regard to the control environment and therefore Mexico should be identified as a specific risk and considered significant for testing purposes. From the details given in the case, there appears to be no reason to include the U.S. Northeast location.

[c] IDENTIFY BUSINESS UNITS/LOCATIONS THAT ARE SIGNIFICANT WHEN AGGREGATED
As noted in Delmoss Watergrant’s policy, this category contains all locations that are not individually significant, but are material when aggregated. In practice, firms typically leave this category as the “catch all.” In other words, once the individually significant units/locations are identified, then the firm would remove all units/locations that in aggregate are less than 5 to 10% of total assets and revenues and the units/locations left over are considered “significant when aggregated.” In the case of Sarbox Scooter, Inc., the only location not deemed individually significant is the U.S. Northeast unit so there are no aggregation issues and in this case there are no units/locations considered “significant when aggregated.”
[3]
Referring to Delmoss Watergrant’s policy on coverage by account and location, determine if adequate coverage of all significant accounts is achieved by testing at the significant locations. If not, what additional testing do you recommend?

Assuming we have concluded that all locations, except the U.S. Northeast have been selected for testing, we should now examine the percentage of coverage for each significant account. With the exception of “Prepaid expenses & other current assets,” all significant accounts achieve a minimum of 50% of the consolidated account balances (assuming the student considered “Prepaid expenses & other current assets” significant, see #1 above). As we have only covered approximately 46% of “Prepaid expenses & other current assets,” the auditor would typically want to conduct additional testing specifically at the U.S. Northeast location, but only for this account. In other words, at the U.S. Northeast location, the auditor would only be required to test controls related to the “Prepaid expenses & other assets” account. Obviously for large, complex organizations this coverage test may result in a number of situations where the auditor must supplement the initial testing plan in order to obtain sufficient coverage.
[4]
Auditing standards require the identification and testing of entity-level controls. What are examples of entity-level controls? What are the auditor’s responsibilities with respect to evaluating and testing a client’s period-end financial reporting process?

AS5.24 indicates that “Entity-level controls include –
• Controls related to the control environment;
• Controls over management override;
Note: Controls over management override are important to effective internal control over financial reporting for all companies, and may be particularly important at smaller companies because of the increased involvement of senior management in performing controls and in the period-end financial reporting process. For smaller companies, the controls that address the risk of management override might be different from those at a larger company. For example, a smaller company might rely on more detailed oversight by the audit committee that focuses on the risk of management override.
• The company’s risk assessment process;
• Centralized processing and controls, including shared service environments;
• Controls to monitor results of operations;
• Controls to monitor other controls, including activities of the internal audit function, the audit committee, and self-assessment programs;
• Controls over the period-end financial reporting process; and
• Policies that address significant business control and risk management practices.”

The period-end financial reporting process is a significant process and must be evaluated by the auditor because of its importance to financial reporting in general and to the auditor’s opinion on the effectiveness of internal control over financial reporting and the financial statements as a whole.

The period-end financial reporting process includes the following –
• Procedures used to enter transaction totals into the general ledger;
• Procedures related to the selection and application of accounting policies;
• Procedures used to initiate, authorize, record, and process journal entries in the general ledger;
• Procedures used to record recurring and nonrecurring adjustments to the annual and quarterly financial statements; and
• Procedures for preparing annual and quarterly financial statements and related disclosures.
Note: Because the annual period-end financial reporting process normally occurs after the “as-of” date of management’s assessment, those controls usually cannot be tested until after the as-of date. (AS5.26)

As part of evaluating the period-end financial reporting process, the auditor should assess:
• Inputs, procedures performed, and outputs of the processes the company uses to produce its annual and quarterly financial statements;
• The extent of information technology (“IT”) involvement in the period-end financial reporting process;
• Who participates from management;
• The locations involved in the period-end financial reporting process;
• The types of adjusting and consolidating entries; and
• The nature and extent of the oversight of the process by management, the board of directors, and the audit committee.
Note: The auditor should obtain sufficient evidence of the effectiveness of those quarterly controls that are important to determining whether the company’s controls sufficiently address the assessed risk of misstatement to each relevant assertion as of the date of management’s assessment. However, the auditor is not required to obtain sufficient evidence for each quarter individually. (AS5.27)
Required - Part B (Can be completed independently of Part A)
[1]
What are the definitions of a control deficiency, significant deficiency, and material weakness as contained in AS5? Which, if any, of these deficiency categories must the external auditor include in the audit report?

A deficiency in internal control over financial reporting exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements on a timely basis.
• A deficiency in design exists when (a) a control necessary to meet the control objective is missing or (b) an existing control is not properly designed so that, even if the control operates as designed, the control objective would not be met.
• A deficiency in operation exists when a properly designed control does not operate as designed, or when the person performing the control does not possess the necessary authority or competence to perform the control effectively. (AS5.A3)

A significant deficiency is a deficiency, or a combination of deficiencies, in internal control over financial reporting that is less severe than a material weakness, yet important enough to merit attention by those responsible for oversight of the company’s financial reporting. (AS5.A11)

A material weakness is a deficiency, or a combination of deficiencies, in internal control over financial reporting, such that there is a reasonable possibility that a material misstatement of the company’s annual or interim financial statements will not be prevented or detected on a timely basis. (AS5.A7)
Note: There is a reasonable possibility of an event, as used in this standard, when the likelihood of the event is either “reasonably possible” or “probable,” as those terms are used in Financial Accounting Standards Board Statement No. 5, Accounting for Contingencies (“FAS 5”).

A material weakness must be included in the auditors’ report of the effectiveness of internal control over financial reporting.
[2]
Referring to Delmoss Watergrant’s policy for evaluating control deficiencies, determine if the following three deficiencies represent a control deficiency, significant deficiency, or a material weakness. Please consider each case separately and justify your answers.

[a]
While examining Sarbox’s period-end financial reporting process, you discover that revenue has been recognized on orders that were received and completed, but not yet shipped to the customer. No specific goods were set aside for these orders; however, there is sufficient inventory on hand to fill them. Also, you observe that some orders were shipped before being recorded as sales, so that your best estimate of total revenue cutoff error at year-end was approximately $2.3 million.

Significant Deficiency: The scenario appears to represent only a control deficiency as $2.3 million is below the $2.35 million “not significant” threshold (10% of planning materiality) required by Delmoss Watergrant’s firm policy for the magnitude to be “more than inconsequential.” However, students should notice that there is also another issue to consider. This form of revenue recognition does not meet specific factors set out in SAB 101 and is considered a violation of GAAP. Most auditors would consider deficiencies involving the controls over the selection and application of accounting policies that are in conformity with GAAP to be more serious, particularly revenue recognition. Given the closeness of the dollar amount to the significant threshold and the misapplication of GAAP, this deficiency would most likely be considered a significant deficiency. (Note: AS 2 required that deficiencies involving the “controls over the selection and application of accounting policies that are in conformity with generally accepted accounting principles” be considered at least a significant deficiency, AS2.139.)

[b]
Sarbox’s revenue recognition policy requires that all nonroutine sales (i.e., sales to clients other than dealerships) receive authorization from management in order to verify proper pricing and terms of sale. However, after examining a sample of nonroutine sales records you find that this control is not closely adhered to and that sales representatives offered discounts or altered sales terms that were not properly recorded in Sarbox’s records. As a result, in instances when the control is not followed the recorded sales prices tend to be too high and/or terms are not correctly reflected in the sales invoice and the customers complain. In some situations, customers have cancelled orders due to the over-billing or changed sales terms. Nonroutine sales represent about 10% of Sarbox’s sales revenue. From your sample testing of the authorization control, you find that the control doesn’t operate 4% of the time, with an upper bound of 9% (i.e., based on your sample, you can be 95% confident that the exception rate does not exceed 9%).

Significant Deficiency: This scenario allows students the opportunity to examine gross and adjusted exposure. The gross exposure would be the full amount of possible misstatement if the nonroutine sales were 100% misstated. This amount is calculated by multiplying the total sales revenue by 10%, because nonroutine sales constitute 10% of sales. Therefore gross exposure equals $198,717,400 ($1,987,174,000 x 10%). Adjusted exposure is calculated by multiplying gross exposure by the upper bound of the control deviation confidence interval. Adjusted exposure is $17,884,566 ($198,717,400 x .09), which is less than materiality but more than inconsequential; therefore it is a significant deficiency.

[c]
Sarbox Scooter requires that all credit sales to new customers or to customers with a current balance over their pre-approved credit limit be approved by the credit manager prior to shipment. However, during peak seasons this policy is not strictly followed in order to accommodate the need of both the company and its customers to have orders processed rapidly. Because of these findings, you estimate that the allowance for doubtful accounts is materially understated. While the client does not dispute that the authorization control was not operating effectively during peak seasons, the client has pointed out compensating controls that it feels should reduce the magnitude of the deficiency below a material weakness. The first compensating control is that an accounts receivable aging schedule is reviewed each quarter by management and accounts that are older than 180 days are written-off. Also, management distributes a list of companies that default or fail to pay on time to all sales staff on a monthly basis to prohibit such companies from making additional purchases on credit.

Material Weakness: The question indicates that the deficiency would be considered material unless there are compensating or redundant controls that reduce the likelihood and/or the potential exposure below a material amount. In the case of Sarbox Scooter, the compensating controls described would not be considered effective in reducing the potential magnitude of the deficiency below a material level because (1) the controls are not timely (only performed on a quarterly basis) and (2) the controls do not appear to be sufficiently detailed to reduce the levels of magnitude and likelihood below that of a material weakness.
Case 5.7
Société Générale
How a Low-Risk Trading Area Caused a $7.2 Billion Loss
Mark S. Beasley · Frank A. Buckless · Steven M. Glover · Douglas F. Prawitt

Instructional Objectives
[1] To illustrate the importance of internal controls, control environment, proper risk assessment and risk management.
[2] To provide students with a real-world example of consequences of lack of proper control design and operating effectiveness.
[3] To identify aspects of the fraud triangle that existed at Société Générale.
[4] To illustrate risks involved with control reliance.
[5] To provide students with an opportunity to identify control deficiencies (both design and operating effectiveness deficiencies) and recommend remediated controls.
[6] To illustrate the potential magnitude of loss associated with poor controls and a reliance strategy.
KEY FACTS
Société Générale, the second largest bank in France, lost $7.2 billion in 2008 due to the actions of rogue trader Jérôme Kerviel. Kerviel began work at Société Générale in the “back office” where he gained detailed knowledge of the bank’s controls. Kerviel used his knowledge of the controls to exploit weaknesses in design and operations. Kerviel wanted to prove his skills as a trader, but he was assigned to the low-risk, low-return trading desk, known as the Delta One desk. Kerviel perpetrated the fraud by recording false transactions, which allowed him to bypass controls and hide the risks of his open contracts. A report released on May 23, 2008 by Société Générale identified 947 such fictitious transactions.
The case was prepared by Mark S. Beasley, Ph.D. and Frank A. Buckless, Ph.D. of North Carolina State University and Steven M. Glover, Ph.D. and Douglas F. Prawitt, Ph.D. of Brigham Young University, as a basis for class discussion. It is not intended to illustrate either effective or ineffective handling of an administrative situation.
Copyright © 2009 by Pearson Education, Inc., Upper Saddle River, NJ 07458

USE OF CASE
This case is typically assigned as an out-of-class individual or group exercise. The case is based largely on newspaper articles and the internal investigative report published by Société Générale. This case illustrates the importance of effective internal controls and control environment as well as the risks auditors face when they apply a “risk-based” controls reliance audit approach. In this particular case, an area considered “low risk” resulted in a massive loss. This high-profile factual case will help students see the real-world application of what they are learning in the classroom. The case also provides useful insights into the characteristics of fraud.

The facts and descriptions in the case are very rich and can lead to a nice discussion of each of the five COSO components. For instance:

Control environment—tone at the top and management’s views on risk taking and the importance of strong controls.

Risk assessment—the bank did not properly assess and manage the risk inherent at the Delta One trading desk. Delta One was considered low-level and low-risk. It raises questions about the bank’s risk assessment processes; what else has the bank assessed incorrectly? The bank also admitted that their trading businesses grew faster than risk management, signifying a lack of sufficient investment in risk management.

Control activities—the system allowed Kerviel to approve, record, and have custody of his trades. His access was not restricted, allowing him to create fictitious transactions. Some of the controls may have been properly designed, but were not operating effectively (e.g., management failed to follow up on alerts). In other cases, controls were not properly designed. For example, the bank’s risk management group looked at Kerviel’s net position, but not the level of his trades or his total positions, and they did not investigate patterns of discrepancies by trader.

Information and Communication—the system communicated alerts, but failed to provide the true nature of the underlying information. Kerviel understood the information and communication policies and processes and he exploited weaknesses.

Monitoring—the system was unable to distinguish between real and fictitious trades. Kerviel was able to spread his trades and risk across different types of securities knowing that each group only focused on its own area and no one was examining the pattern of alerts and discrepancies across trading areas. Also, the monitoring checks were predictable and exploitable—Kerviel knew when reconciliations and other systems checks took place and was able to remove his fictitious transactions just before the system checks and restore them just after the checks had been completed.

The case details also provide adequate information for addressing other common approaches to internal controls such as:

Information Processing Objectives—In order to produce useful and reliable information for decision makers, information systems must have each of the information processing objectives (completeness, accuracy, validity and restricted access) throughout the activities and sub-processes. The instructor could lead a discussion regarding what objectives were apparently breached and how properly maintained information processing objectives could have prevented the fraud.

The Nature of a Control Deficiency—Design versus Operating Effectiveness—students are asked to characterize the most serious deficiencies as either a design or operating effectiveness deficiency. Additional instructor-led discussion on this topic may be warranted.
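The control gaps discussed above (one person approving and recording his own trades, review of net rather than total positions, and removal of entries just before a predictable check with restoration just after) can be written as detective checks over a booking log. The following is an added example, not part of the case materials: the event layout, trader names, offsetting amounts, check time and four-hour window are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M")


# Constructed sample booking log (illustrative only, not data from the case).
# Each row: (time, trader, action, trade id, signed notional, approver)
EVENTS = [
    (ts("2008-01-02 09:00"), "trader_a", "BOOK", "T1", 50_000_000, "desk_head"),
    (ts("2008-01-02 09:05"), "trader_a", "BOOK", "T2", -49_000_000, "trader_a"),
    (ts("2008-01-02 10:00"), "trader_b", "BOOK", "T4", 5_000_000, "desk_head"),
    (ts("2008-01-02 11:00"), "trader_b", "BOOK", "T5", -1_000_000, "desk_head"),
    (ts("2008-01-03 10:00"), "trader_b", "CANCEL", "T5", None, None),
    (ts("2008-01-04 16:00"), "trader_a", "CANCEL", "T2", None, None),
    (ts("2008-01-04 19:30"), "trader_a", "BOOK", "T3", -49_000_000, "trader_a"),
]
# Constructed schedule of reconciliation checks and the look-around window.
CHECKS = [ts("2008-01-04 18:00")]
WINDOW = timedelta(hours=4)


def self_approved(events):
    """Segregation of duties: bookings approved by the trader who made them."""
    return sorted(
        tid
        for _, trader, action, tid, _, approver in events
        if action == "BOOK" and approver == trader
    )


def open_positions(events):
    """Net and gross notional of open trades per trader.

    Net is what a net-position review sees; gross is the total position size
    that offsetting entries hide from that review.
    """
    open_trades = {}
    for _, trader, action, tid, notional, _ in sorted(events, key=lambda e: e[0]):
        if action == "BOOK":
            open_trades[tid] = (trader, notional)
        elif action == "CANCEL":
            open_trades.pop(tid, None)
    totals = defaultdict(lambda: {"net": 0, "gross": 0})
    for trader, notional in open_trades.values():
        totals[trader]["net"] += notional
        totals[trader]["gross"] += abs(notional)
    return {trader: dict(values) for trader, values in totals.items()}


def cancel_rebook_around_checks(events, checks, window):
    """Pairs (cancelled id, rebooked id): a trade cancelled within `window`
    before a check and rebooked by the same trader for the same notional
    within `window` after that check."""
    booked = {
        tid: (when, trader, notional)
        for when, trader, action, tid, notional, _ in events
        if action == "BOOK"
    }
    hits = defaultdict(list)
    for when, trader, action, tid, _, _ in events:
        if action != "CANCEL" or tid not in booked:
            continue
        notional = booked[tid][2]
        for check in checks:
            if not (check - window <= when < check):
                continue
            for new_tid, (b_when, b_trader, b_notional) in booked.items():
                same_trade = b_trader == trader and b_notional == notional
                if same_trade and check < b_when <= check + window:
                    hits[trader].append((tid, new_tid))
    return dict(hits)


if __name__ == "__main__":
    print("Self-approved bookings:", self_approved(EVENTS))
    print("Open positions:", open_positions(EVENTS))
    print("Cancel/rebook around checks:",
          cancel_rebook_around_checks(EVENTS, CHECKS, WINDOW))
```

In the constructed data, trader_a shows the smaller net position of the two traders but by far the larger gross position, which is why a review limited to net positions ranks that trader as the lower risk.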
PROFESSIONAL STANDARDS Relevant professional standards for this assignment are AU 314, “Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement,” and AS5 “An Audit of Internal Control Over Financial Reporting That Is Integrated With An Audit Of Financial Statements.” Q UE S TION S AND SUGG ESTED SOLUTION S [1]
Using auditing standards or your textbook, define the following control-related terms: Control environment – The control environment sets the tone of an organization, influencing the control consciousness of its people. It is the foundation for all other components of internal control, providing discipline and structure. Control environment factors include the integrity, ethical values, and competence of the entity’s people; management’s philosophy and operating style; the way management assigns authority and responsibility, and organizes and develops its people; and the attention and direction provided by the board of directors. Segregation of duties – This is an important control characteristic for all businesses and is intended to ensure that no single individual has control over two or more phases of a transaction or operation (e.g., custody and record keeping). Segregation of duties attempts
196
Instructor Resource Manual — Do Not Copy or Redistribute
Case 5.7: Société Générale
[2]
to prohibit the ability of one person to misappropriate assets or commit financial statement fraud. Restricted access – Restricted access improves data confidentiality and helps to enforce segregation of duties. Restricted access can imply both physical and electronic safeguards of data. Examples are sufficient password protection, well-documented access matrix, security badges, etc. Preventative controls – Preventative Controls have the objective of preventing errors or fraud that could result in a misstatement of the financial statements from occurring. Detective controls – Detective controls have the objective of detecting errors or fraud that have already occurred that could result in a misstatement of the financial statements. Design effectiveness – Controls are effectively designed when they prevent or detect errors or fraud that could result in material misstatements in the financial statements. Design effectiveness involves determining whether a control necessary to meet the relevant control objective is missing or an existing control, even if operating as designed, does not meet management’s desired objectives for the control. Operating effectiveness – A control is operating effectively if the control is properly designed, operates as designed, and the person performing the control possesses the necessary authority and competence to perform the control activity.
The term “tone at the top” is typically associated with a firm’s control environment. How would you characterize Société Générale’s tone at the top and what effect do you believe that had on oversight at the trading-desk level?
Students’ responses will vary and should include a negative or weak view of the control environment. Some of the factors in the case linked to control environment are listed below.
The bank’s leadership knew that controls were not as strong as they should have been, but they put profits first. In meetings with investors in recent days, Société Générale’s chief executive officer, Daniel Bouton, has admitted his bank’s internal systems did not keep up with the pace of growth in the derivatives business. “He told them while our derivatives business was going 130 miles an hour, risk control was only going 80,” according to one analyst who covers Société Générale but insisted on anonymity.1
Leadership encouraged risk-taking bets as long as they were profitable. Kinner Lakhani, an analyst with ABN Amro in London, said, “Unlike some of their peers, Société Générale was not shy about taking proprietary trading risks. Perhaps such businesses grew faster than risk management could cope.” Within Société Générale’s corporate and investment bank, according to Mr. Lakhani, the percentage of revenue from market-making and proprietary trading rose to about 35 percent by mid-2007 from 29 percent in 2004. “If this scam had been uncovered in November, when he [Kerviel] was still up, he would have been fired but I suspect we would have heard very little about it,” The damage wrought by Mr. Kerviel comes in the wake of two trends that reshaped Société Générale: the explosive growth of its derivatives business and its use of its own money to make bets on the market, known as proprietary trading.1
Société Générale had a poor tone at the top, which should have led auditors to increase the inherent risk of the audit.
Management had been known to encourage risk above that which should have been accepted. Throughout Société Générale’s sprawling derivatives business, said one current employee who used to work with Mr. Kerviel, traders were encouraged to make proprietary bets, even on desks that specialized in what top executives called “plain vanilla products,” like the team where Mr. Kerviel worked, Delta One. “You must take positions, even if you are not a proprietary trader,” said this employee, who insisted on anonymity because he was not authorized to talk to the press. “During appraisals by bosses, they made it clear you were judged by how well you did your basic job, as well as how much money you made on prop trades.”2 This attitude of management prompted traders to take unnecessary risk, which was not part of their job descriptions. This attitude bred competition between traders, and traders began to bend and break the rules, as Kerviel did, just to get ahead.
Bank leadership was slow to replace the manager of the Delta One trading desk, leaving the trading desk with little effective control. Further, when a replacement manager was hired, he apparently was inadequately trained, as he did not carry out any detailed analyses of traders’ earnings or positions.
Other factors students’ responses may include:
- Management ignored red flags, both external (Eurex) and internal (75 alerts)
- When supervisors or risk-management officers found errors, Kerviel was allowed to “fix” them without further investigation
- Another employee knew about it (Bakir) but didn’t report it—suggesting a lack of ethical leadership and perhaps management’s tolerance for ignoring the rules.
In order to bolster controls after the discovery of the fraud, Société Générale has set up a dedicated internal fraud investigation group of around 20 people that will be independent of the front- and back-office operations. The security of its computer systems has also been enhanced, making it more difficult for employees to borrow the logins and passwords of colleagues.
1 Nelson Schwartz and Katrin Bennhold, “A Trader’s Secrets, A Bank’s Missteps,” The New York Times, February 5, 2008.
[3]
Fraud research indicates three conditions must exist before a fraud occurs: (1) Pressure/Incentive, (2) Rationalization, and (3) Opportunity. What do you think were Jérôme Kerviel’s incentives and rationalizations for committing fraud? What created the opportunity for fraud?
(1) Pressure/Incentive: The key incentive appears to be Kerviel’s desire to be acknowledged and appreciated by his peers and superiors as a skilled and valued trader. According to the articles outlining the fraud, in France, if a person does not go to one of the top schools, it is almost impossible to get a top job. Approximately half of France’s top 40 companies are run by graduates of two schools, the Ecole Polytechnique and ENA. Kerviel did not attend a top school. In fact, in Kerviel’s small home town of Pont L’Abbe, it is an “us versus them” mentality. “If you talk to anybody here they will tell you their feeling is that it is Paris or the big people ganging up on the small [town]. We don’t like it,” says Jean-Pierre Le Gall, the deputy mayor of Pont L’Abbe.3 Kerviel is the son of a hairdresser and a metal worker. He is regarded as something of a hero in his hometown because he was able to get out and get an education. Kerviel studied business at Quimper, Nantes and Lyons universities. He felt his education was always contrasted with that of the traders at Société Générale who went to the top colleges. Those who went to the top colleges and had advanced degrees were nurtured at Société Générale and given special treatment. Kerviel wanted to prove he could make more money than these top traders. Although Kerviel was not trying to benefit directly from his fraudulent trading, he “was able to take advantage of his fraudulent activities in order to significantly increase his ‘official’ earnings and therefore to increase indirectly the amount of bonus that he could hope to receive.”4 Another incentive was Kerviel’s desire to earn a larger bonus by posting improved trading returns.
2 Nelson Schwartz and Katrin Bennhold, “A Trader’s Secrets, A Bank’s Missteps,” The New York Times, February 5, 2008.
3 Richard Milne, “Bretons unite to defend one of their own,” FT.com (Financial Times), Feb 8, 2008.
4 Société Générale General Inspection Department, “Report Part 3,” May 20, 2008.
(2) Rationalization: Kerviel rationalized his trades in many ways. He was convinced that he was a skilled trader and that his fictitious transactions as well as his large and risky positions would not only prove his skills, but also reap profits for the bank. Kerviel also allowed himself to believe that management approved of his activities. Kerviel stated, “I cannot believe that my superiors did not realize the amount I was risking. It is impossible to generate such profit with small positions. That’s what leads me to say that while I was in the black, my supervisors closed their eyes on the methods I was using and the volumes I was trading.”5 Kerviel believed he was as good at earning returns as the top traders. In order to prove his skills he had to circumvent controls and take trading positions. His fictitious trades actually were quite profitable initially. In fact, Kerviel’s earnings placed him as the fifteenth best trader of the 143 traders in the arbitrage division.6 He was proud when his positions made profits for the bank. However, in some instances he was told he would not receive a bonus for his trades as he had not complied with the policies of the Delta One trading desk. This retribution fueled his desire to get noticed; thus, his trades kept growing in size, eventually exposing the bank to more than its market value. Kerviel did not embezzle or misappropriate assets, as he was convinced he was doing the bank a favor. Management apparently established a culture of risk taking… Kerviel was following their lead. Kerviel’s position at the Delta One desk was a step up from his years in the “back office.” However, the Delta One desk was “boring” and Kerviel thought he could do better.
(3) Opportunity: Flaws in the design and effectiveness of internal controls enabled Kerviel to create fictitious trades and take overly risky trading positions (control weaknesses are outlined in the case).
Kerviel spent his first 5 years with the bank in the “back office.” Here, he became intimately acquainted with the company’s control policies and procedures. This experience gave him knowledge of which controls would take place and when. For example, an internal report on the fraud stated Kerviel “knew that they [certain trades] were only monitored at the end of the month and cancelled them before the control took place.” His knowledge of the back office’s actions gave him the opportunity to circumvent controls and hide his actions for years.
Control weaknesses that allowed Kerviel to have “secret” accounts and create fictitious trades included:
- Poor segregation of duties, as Kerviel was able to both authorize and record trades. He also managed his own records and would make multiple revisions and corrections without supervisor approval.
- Delta One is not watched (monitored) like the A-league traders.
- The system could not distinguish between real and fictitious transactions. Furthermore, the system provided traders the ability to enter temporary transactions and revise past transactions without additional approval from a supervisor.
- Restricted access was weak; unauthorized access was provided through “borrowed” passwords.
- There was no manager over the Delta One trading desk for 2½ months.
- Compliance officers only performed “routine” checks and did not dig deep in their follow-up of alerts.
- The system did not capture and report evidence of alerts and discrepancies associated with a trader across different types of securities.
5 David Gauthier-Villars and Stacy Meichtry, “Kerviel felt out of his league,” Wall Street Journal, January 31, 2008.
6 Société Générale General Inspection Department, “Report Part 3,” May 20, 2008.
[4]
In an independent audit of the financial statements of a large bank, why do auditors typically follow a controls reliance strategy (i.e., obtaining some audit assurance via controls testing)? In the case of Société Générale, do you believe the external auditors gathered much controls-related evidence regarding the Delta One trading desk? Why or why not?
In addition to regulatory requirements discussed below, auditors typically follow a reliance strategy because it would be difficult to obtain sufficient appropriate evidence via substantive testing, as banks process thousands, if not millions, of similar transactions daily. AU 314 also indicates circumstances where a reliance approach is required:
.68 In circumstances where a significant amount of information supporting one or more financial statement assertions is electronically initiated, recorded, processed, or reported, the auditor may determine that it is not possible to design effective substantive tests that by themselves would provide sufficient evidence that the assertions are not materially misstated. For such assertions, significant audit evidence may be available only in electronic form. In such cases, its competence and sufficiency as evidential matter usually depend on the effectiveness of controls over its accuracy and completeness. Furthermore, the potential for improper initiation or alteration of information to occur and not be detected may be greater if information is initiated, recorded, processed, or reported only in electronic form and appropriate controls are not operating effectively. In such circumstances, the auditor should perform tests of controls to gather evidential matter to use in assessing control risk.
The Delta One desk was designed to make profits on large volumes of transactions. Auditors could not test each transaction individually and all the transactions were recorded electronically; thus, a reliance strategy should have been taken. However, Delta One is supposedly a very low-risk area. While some limited controls testing may have taken place, the Delta One desk was most likely assessed as a low-risk, low-priority area, particularly when compared to the complex trades of the other areas within Société Générale.
National banks in the United States are under additional scrutiny for their internal controls as they are subject to additional standards and regulations regarding controls. These requirements direct banks to operate in a safe and sound manner, accurately prepare their financial statements, and comply with other banking laws and regulations. The laws and regulations that establish minimum requirements for internal control are 12 CFR 30, Safety and Soundness Standards; 12 CFR 363, Annual Independent Audits and Reporting Requirements; and 15 USC 78m, Securities Exchange Act of 1934.7 In February of 2008 the Federal Deposit Insurance Corporation (FDIC) issued Financial Institution Letter (FIL) FIL-5-2008, which indicates that the new requirements of AS5 meet the internal control standards previously required by Part 363 of the FDIC regulations. This letter highlights the fact that the new internal controls requirements of public companies have long been required in the financial sector. The additional internal-control related regulatory requirements banks face are intended to ensure banks have adequate internal controls to match their size and have audited statements of the adequacy of their internal controls.
7 Administrator of National Banks, “Internal Control; Comptroller’s handbook,” January 2001.
[5]
What do you believe were the three most serious control deficiencies at Société Générale? For each deficiency listed, indicate whether the deficiency related to poor design or poor operating effectiveness. Describe how you would remediate or fix each of the deficiencies listed.
Student responses will vary. Some of the more important deficiencies are outlined in the table that follows.
Control Deficiency: Lack of appropriate follow-up on alerts: The internal report found the bank’s controls did properly trigger alerts in some cases that could have helped to identify the fraud, but compliance officers conducted only routine reviews and “did not systematically carry out more detailed checks” of Kerviel’s trades. According to the internal report, again and again, Société Générale’s employees whose job it was to process and verify Kerviel’s trades failed to dig deep enough when they noticed something was amiss. Insufficient initiative was taken to validate Kerviel’s assertions, even when they lacked plausibility. There was no follow-up on cancelled or modified transactions. For example, “his two hierarchical supervisors failed to carry out an in-depth analysis of the high amounts of brokerage commissions at year end.”8
Design/Operating Effectiveness: This deficiency relates primarily to poor operating effectiveness, but also has aspects of poor design if the bank’s policies did not encourage follow-up and/or if the officers were not trained.
Remediation: Appropriate alert tracking and resolution policies need to be put into place, officers need to be trained in their responsibilities to investigate and resolve alerts, and there should be appropriate monitoring by supervisors and internal audit that appropriate investigations are being performed. Kerviel’s supervisors had alerts that should have led them to Kerviel had they investigated them thoroughly.

Control Deficiency: Lack of controls over cancelled, modified or unusual trades: The internal report indicated, “At that time, no controls existed in this area over cancelled or modified trades, over trades with a deferred start date, over trades with technical counterparties, over positions with a high nominal value, or over non-trading flows during any given month, all analysis which would probably have allowed the identification of the fraud.”9
Design/Operating Effectiveness: This deficiency appears to be one of poor design effectiveness.
Remediation: As traders enter their data into their computer, field checks, range checks, drop-down menus, etc. could be designed to ensure traders are not allowed to process a trade that does not meet certain criteria. For example, the internal report gives many examples of trades with unknown parties. A simple control comparing the trading partner to an approved list could have prevented these false trades.

Control Deficiency: Lack of analysis of trader’s activities or patterns of trading discrepancies: As mentioned in the case, Kerviel spread his fictitious trades over many different financial instruments so alerts in any one trading area would look like an isolated incident. The bank’s chief executive, Bouton, said, “…what we lacked was cross-checking of controls, something manual that would have shown that one trader was canceling a lot of positions. That is something we lacked and that now we have.”10
Design/Operating Effectiveness: This deficiency relates to poor design effectiveness.
Remediation: Rather than monitor trades only by type of instrument, a system needs to be put in place to capture and analyze trading patterns across instruments. A relatively simple cross-check across the different security departments at the bank would have shown that Kerviel had been flagged numerous times. According to the report, Société Générale was in the process of remediating this deficiency in the wake of the fraud.

Control Deficiency: Focus on net trading positions: One of the major failings of the bank’s control processes was that controllers were encouraged to monitor only the net trading positions, rather than each trader’s gross exposure.
Design/Operating Effectiveness: This deficiency relates to poor design effectiveness.
Remediation: Policy, training and tools need to be put into place to allow for effective monitoring of gross exposure as well as net positions. After the fraud, the bank said it changed procedures so that all outstanding gross positions are now routinely tracked in addition to net.

Control Deficiency: Poor password protection: Kerviel was able to conceal his fictitious transactions more easily because he would use the login IDs and passwords of colleagues. The bank had inadequate controls over restricted access, and even when it had policies in place with respect to login IDs and passwords, the bank created a culture where protection of logins and passwords was not a priority to employees.
Design/Operating Effectiveness: Based on the internal report, this deficiency appears to be both poor design and poor operating effectiveness.
Remediation: Implement access control matrices and require that employees frequently change passwords to minimize the inappropriate use of others’ access codes. After the fraud, the bank enhanced the security of computer systems by making it more difficult for employees to use the logins and passwords of colleagues.

Control Deficiency: Insufficient investment in risk management: Risk management and related controls could not keep up with the fast pace of growth in the trading businesses. The internal report stated: “Against a backdrop of strong growth in trading volumes in the Equities division, there was a mismatch between the resources allocated to support and control functions and the level of front office activities. A lack of seniority also diminished the effectiveness of the back and middle office teams. Furthermore, despite the level of investment made, information systems were unable to keep pace with the growing complexity of the general trading environment and process transactions effectively. A heavy reliance on manual processing and the workload of operating staff meant that certain of the existing controls in place were not operating effectively.”
Design/Operating Effectiveness: This deficiency relates to poor design effectiveness.
Remediation: It is not uncommon for companies to focus first on operations and the bottom line. However, as Société Générale found out, if controls do not keep pace with growth, a company can be exposed to serious losses. Proper risk assessment, risk management and investment in control processes are crucial. Leadership, those that set the “tone at the top,” need to insist on the appropriate balance of risk, growth and controls.

Control Deficiency: No mandatory vacations: The case makes only passing reference to vacation, but as in other fraud situations, Kerviel did not follow the bank’s vacation policy. Kerviel’s “reluctance to take any vacation, raised formally by the Delta One manager on four occasions (Feb 2007, Nov 2007, and during his 2006 and 2007 annual appraisals), without concrete effect, did not alert his hierarchical superiors.”11 Kerviel stated that they should have known he was up to something since he had not taken required vacation.
Design/Operating Effectiveness: This deficiency relates to poor operating effectiveness.
Remediation: Vacation time should be monitored regularly to ensure employees are taking their mandatory vacation days. The vacation policy should be enforced and a system should be put into place that will alert superiors to any violations of the policy. In addition, a policy of temporary job or role rotation could be an effective remediation approach.

8 Société Générale General Inspection Department, “Report Part 3,” May 20, 2008.
9 Société Générale General Inspection Department, “Report Part 3,” May 20, 2008.
10 Nicola Clark, “Société Générale tightens controls after trading scandal,” The International Herald Tribune, April 10, 2008.
11 Société Générale General Inspection Department, “Report Part 3,” May 20, 2008.
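Three of the design gaps in the table above (net-only monitoring, no cross-instrument view of cancelled or modified trades, and no counterparty validation) can be expressed as checks over a trade blotter. The Python example below is an added illustration, not part of the case materials or the bank's systems; the record layout, limits, trader names and trades are all constructed assumptions, and the counterparty check runs after the fact here rather than at trade entry.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Trade:
    trade_id: str
    trader: str
    instrument: str    # product family, i.e. what a per-desk control sees
    counterparty: str
    notional: float    # signed: positive = long, negative = short
    status: str        # "live", "cancelled" or "modified"


# Constructed sample data; every name and amount is illustrative.
APPROVED_COUNTERPARTIES = {"BANK_A", "BANK_B", "BROKER_C"}
TRADES = [
    Trade("t01", "trader_1", "index_futures", "BANK_A", 900e6, "live"),
    Trade("t02", "trader_1", "forwards", "UNKNOWN_CP", -880e6, "live"),
    Trade("t03", "trader_1", "index_futures", "BANK_A", 50e6, "cancelled"),
    Trade("t04", "trader_1", "equities", "BANK_B", -40e6, "cancelled"),
    Trade("t05", "trader_1", "forwards", "BROKER_C", 30e6, "modified"),
    Trade("t06", "trader_1", "warrants", "BANK_B", 20e6, "cancelled"),
    Trade("t07", "trader_2", "index_futures", "BANK_A", 60e6, "live"),
    Trade("t08", "trader_2", "equities", "BANK_B", -45e6, "live"),
    Trade("t09", "trader_2", "equities", "BANK_B", 5e6, "cancelled"),
]


def exposure(trades):
    """Return {trader: (net, gross)} over positions still on the book."""
    net, gross = defaultdict(float), defaultdict(float)
    for t in trades:
        if t.status != "cancelled":
            net[t.trader] += t.notional          # offsetting legs cancel out
            gross[t.trader] += abs(t.notional)   # offsetting legs add up
    return {k: (abs(net[k]), gross[k]) for k in gross}


def amendments(trades):
    """Count cancelled/modified trades per trader, by instrument and in total."""
    per_instrument, total = defaultdict(Counter), Counter()
    for t in trades:
        if t.status in ("cancelled", "modified"):
            per_instrument[t.trader][t.instrument] += 1
            total[t.trader] += 1
    return per_instrument, total


def review(trades, approved, net_limit, gross_limit, amend_limit):
    """Return {trader: sorted finding codes}; traders with no findings are omitted."""
    findings = defaultdict(set)
    for trader, (net, gross) in exposure(trades).items():
        if net > net_limit:
            findings[trader].add("NET_LIMIT")
        if gross > gross_limit:
            findings[trader].add("GROSS_LIMIT")
    _, total = amendments(trades)   # aggregate across instruments, not per desk
    for trader, count in total.items():
        if count >= amend_limit:
            findings[trader].add("AMENDMENT_PATTERN")
    for t in trades:
        if t.counterparty not in approved:
            findings[t.trader].add("UNAPPROVED_COUNTERPARTY")
    return {k: sorted(v) for k, v in findings.items()}


if __name__ == "__main__":
    report = review(TRADES, APPROVED_COUNTERPARTIES,
                    net_limit=100e6, gross_limit=500e6, amend_limit=3)
    for trader, codes in report.items():
        print(trader, codes)
```

In the sample, trader_1 stays inside the net limit and never has more than one amended trade in any single instrument, so only the gross and cross-instrument views raise a finding.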
[6]
What are the advantages and disadvantages of promoting personnel across functional areas within a company (e.g., from risk and controls to operations)?
Advantages
- Employees with a deeper knowledge of the nature of the company’s business and industry
- Employees who have developed relationships with other employees, departments, and potentially with clients
- Employees that are cross-trained can fill in during vacations or unexpected needs
- Reduced recruiting and training costs—rather than lose an employee seeking new challenges, internal transfers or promotions retain existing employees
Disadvantages
- Employees who know the systems and controls can use that knowledge to exploit internal control weaknesses
- Lack of synergy, less diversity in thinking and working practices.
- Sometimes a policy of promotion from within results in retaining and even promoting underqualified and underperforming employees.
This question can lead into a discussion regarding the hiring of former external auditors and the use of internal audit as a training area to expose future management candidates to many facets of the organization.
[7]
Kerviel’s rogue trading resulted in a loss many times greater than audit materiality. The external auditor did not discover the misstatement. Was this an audit failure? Conduct internet research to determine if the external auditors, Ernst & Young Audit and Deloitte & Associés, were named in lawsuits associated with the loss due to the trading fraud.
Was it an audit failure? There is no right answer here, but this question typically leads to a good classroom discussion. On one hand, you could argue that the auditors missed a fraud that led to a $7.2 billion loss. On the other hand, Kerviel had closed his trading positions for a net gain in December 2007. Obviously, in hindsight, it appears that both the bank and the auditors would like to go back in time and correct their risk assessment of the Delta One desk and dig a little deeper. Auditing textbooks typically define an audit failure to be a situation when the auditor issues a clean audit opinion when the financials were materially misstated. Because the fraud was discovered before the 2007 financial statements were released, the company invoked the “true and fair” provision of international accounting standards, which allows the company to adjust the 2007 financial statements for the losses caused by the fraud due to closing Kerviel’s positions in 2008. Even though the losses occurred in 2008, the company argued that 2007 financial statements would be misleading without the adjustment.
The auditors issued an unqualified audit opinion on the 2007 financial statements, but they indicate there was a failure in internal controls (even though the auditor did not issue an opinion on internal controls over financial reporting) and the auditor’s report references several important notes in the financial statements regarding failures in internal control. However, the users of the financial statements may attempt to argue that the unqualified opinion issued for the 2006 financial statements represented an audit failure as the fraudulent trades also occurred in 2006. As of the writing of this case, there were no legal proceedings against the auditors. The law firm Cohen, Milstein, Hausfeld & Toll, P.L.L.C. has filed a class action lawsuit directly against Société Générale and its management.