E.1. Transaction and Safeguarding Controls Flashcards

Learn transaction-level controls, safeguarding procedures, and compliance with Sarbanes-Oxley and FCPA. (37 cards)

1
Q

What are the commonly accepted transaction control objectives?

A
  1. Transactions are approved by an authorized person
  2. All valid transactions are included
  3. All valid transactions are accurate
  4. All recorded transactions fairly represent the economic events that occurred
  5. Access to physical assets and information systems is controlled
  6. Errors are promptly corrected and reported to management
  7. Duties are assigned to ensure that no one is in a position to both perpetrate and conceal an irregularity
2
Q

Transaction control activities include authorization. What is the purpose of authorization in transaction control activities?

A

Authorization confirms that the transaction is valid and represents an actual economic event.

Authorization is often in the form of approval by higher management or verification, such as comparing an invoice to a purchase order.

3
Q

Transaction control activities include verifications. What role do verifications play in transaction control activities?

A

Verifications involve comparing items with one another or with a policy and following up if inconsistencies are found.

4
Q

Transaction control activities include physical controls. How do physical controls contribute to transaction control?

A

They secure assets in locked or guarded areas, restrict access to authorized personnel, and involve periodic counts and comparisons with control records.

5
Q

Transaction control activities include controls over standing data, such as in master files. Why are controls needed over the process of populating, updating, and maintaining data in master files such as on-hand inventory?

A

Data in master files is used when processing transactions.

6
Q

What is a master data file?

A

A data file that persists over time and is subject to file updating and query processing.

A master file is distinct from, for instance, a transaction file.

Examples of master files are files containing customer or vendor IDs, names, and addresses; and inventory on hand with inventory IDs, item names, and prices.

7
Q

Transaction control activities include reconciliations. What is the significance of reconciliations in transaction control?

A

They generally address the completeness and accuracy of processing transactions. They compare two or more data elements that should be the same. Differences that cannot be explained must be investigated and corrective action taken.

8
Q

Transaction control activities include supervisory controls. What is the role of supervisory controls in transaction control?

A

They determine whether other transaction control activities are being performed completely, accurately, and according to policy and procedures.

9
Q

What is segregation of duties?

A

This involves assigning different steps in a process to different people so no one person is able to both perpetrate and conceal theft or other fraudulent activities.

10
Q

What are the four functions that should be segregated to ensure effective internal control?

A
  • Authorizing a transaction
  • Recording a transaction
  • Keeping physical custody of the related asset such as checks received
  • Periodic reconciliation of physical assets to recorded amounts
11
Q

What does the physical protection of assets include?

A
  • Segregation of duties
  • Controlled access to records and documents
  • Restriction of access to assets
  • Effective supervision, independent checks and verifications
12
Q

What is the Foreign Corrupt Practices Act (FCPA)?

A

A U.S. law that prohibits bribery of foreign officials and requires companies to maintain accurate books and records and implement internal controls.

13
Q

To whom do the anti-bribery provisions of the FCPA apply?

A

To all companies, regardless of whether they are publicly traded or privately held.

14
Q

To whom do the accounting provisions of the FCPA apply?

A

The accounting provisions (the books and records provision and the internal controls provision) apply only to companies that are publicly traded and are thus subject to SEC regulation.

15
Q

What are the two main provisions of the FCPA?

A
  • Anti-bribery provisions
  • Accounting provisions
16
Q

What do the anti-bribery provisions of the FCPA prohibit?

A

They prohibit offering, paying, promising to pay, or authorizing payment of money or anything of value to a foreign official to influence their actions or secure an improper advantage in order to obtain or retain business.

The prohibition is against corrupt payments to a foreign official, a foreign political party or party official, or any candidate for foreign political office.

17
Q

What is the purpose of the accounting provisions of the FCPA?

A

They operate as an enforcement mechanism for the Act’s anti-bribery provisions. They are intended to prevent fraudulent accounting that may be used to disguise bribes as legitimate expenditures.

18
Q

What is the role of the Public Company Accounting Oversight Board (PCAOB)?

A

To oversee the auditing of public companies that are subject to the securities laws, to protect the interests of investors, and to enhance the public’s confidence in independent audit reports.

19
Q

What is the approach prescribed by the PCAOB for auditing internal control over financial reporting?

A

The PCAOB prescribes a top-down, risk-based approach to evaluating internal control over financial reporting.

It begins with identification and assessment of risks that a material misstatement of the financial statements would not be prevented or detected in a timely manner, in order to focus on higher-risk areas.

20
Q

What is required under the Books and Records Provision of the FCPA?

A

Issuers must make and keep books, records, and accounts that accurately and fairly reflect transactions and dispositions of assets.

21
Q

What is the purpose of the Internal Controls Provision of the FCPA?

A

To provide reasonable assurance that transactions are authorized by management; that they are recorded properly so that financial statements conform to GAAP; that access to assets is authorized by management; and that asset records are reconciled to physical assets at reasonable intervals and action is taken with respect to differences.

22
Q

What does Section 302 of the Sarbanes-Oxley Act require of signing officers for each annual (10-K) or quarterly (10-Q) financial report filed with or submitted to the SEC?

A

Signing officers must certify:

  1. They have reviewed the financial statements filed with the SEC;
  2. To their knowledge there are no material misstatements or omissions;
  3. To their knowledge, the financial statements fairly present the company’s condition and results;
  4. They have established and evaluated internal controls over financial reporting (within 90 days);
  5. They have disclosed all significant internal control deficiencies and material weaknesses to auditors and the audit committee;
  6. They have disclosed any fraud involving management or employees with significant internal control roles to auditors and the audit committee; and
  7. They have disclosed in the report any significant changes in internal controls.
23
Q

What must be included in the management’s assessment of internal control over financial reporting (ICFR) under Section 404(a) of Sarbanes-Oxley, according to the SEC’s final rule?

A
  1. Statement of management’s responsibility for internal control
  2. Identification of the control framework used to evaluate the effectiveness of ICFR
  3. Assessment of the effectiveness of ICFR
  4. Statement that the registered public accounting firm that audited the financial statements has issued an attestation report on the effectiveness of the company’s ICFR
24
Q

What is a top-down, risk-based approach in evaluating internal controls?

A

It focuses on those controls that are needed to adequately address the risk of a material misstatement of the company's financial statements.

A top-down approach ensures the proper testing of the controls for the assessed risk of misstatement to each relevant assertion.

25
What are the four types of tests used to test the adequacy of internal controls?
  • Inquiry of management and staff
  • Observation of control procedures being performed
  • Inspection of documents related to control procedures
  • Re-performance, such as recalculating an automated or manual control
26
What is re-performance in control testing?
Re-performance involves independently executing the control to verify its effectiveness, such as recalculating a bank reconciliation or attempting to input a transaction that does not conform to standards, to see if the computer application controls cause the transaction to be properly rejected.

Re-performance is considered the most reliable method of control testing but is time-consuming and typically used on small samples, which can introduce sampling risk.
27
Why should inquiry not be used alone to test a control?
Inquiry alone is inadequate to evaluate control effectiveness; it should be combined with observation, inspection, or re-performance.
28
When testing controls, a deficiency can be classified as either a deficiency in design or a deficiency in operation. What is a deficiency in design?
It occurs when a necessary control is missing or an existing control is not properly designed to meet the control objective.
29
When testing controls, a deficiency can be classified as either a deficiency in design or a deficiency in operation. What is a deficiency in operation?
It occurs when a properly designed control does not operate as intended or the person performing the control lacks the necessary authority or qualifications to perform it effectively.
30
When testing controls, any deficiencies identified need to be classified as either control deficiencies, significant deficiencies, or material weaknesses. What is a control deficiency?
It exists when a control's design or operation does not allow management or employees, in the normal course of performing their duties, to prevent or detect misstatements on a timely basis.
31
When testing controls, any deficiencies identified need to be classified as either control deficiencies, significant deficiencies, or material weaknesses. What is a significant deficiency?
It is a control deficiency or combination of control deficiencies that is less severe than a material weakness but important enough to merit attention by those responsible for oversight of the company’s financial reporting.
32
When testing controls, any deficiencies identified need to be classified as either control deficiencies, significant deficiencies, or material weaknesses. What is a material weakness?
It is a deficiency or combination of deficiencies in internal control over financial reporting such that there is a reasonable possibility that a material misstatement of the company’s annual or interim financial statements will not be prevented or detected on a timely basis.
33
When testing controls, what must a company do if a material weakness is identified?
Report it in its SEC filings, such as its annual 10-K and quarterly 10-Q reports, and include information on remediation efforts, implementation timelines, and progress toward remediating the deficiency or deficiencies. If a material weakness has caused a material misstatement on previously issued financial statements, amended financial statements will need to be filed along with explanatory disclosures.
34
What is the first step in remediating deficiencies identified in testing?
Prioritize deficiencies for remediation according to their severity classification. Priority is:
  1. Material weaknesses
  2. Significant deficiencies
  3. Control deficiencies
35
What should a remediation plan include?
  • Determine the root cause of the material weakness or deficiency
  • Identify tasks, responsible persons, and deadlines to correct the root cause
  • Inclusion of all identified deficiencies
  • Necessary investments in IT, personnel, and resources
  • Monitor progress and accountability
  • Keep all stakeholders informed of progress
  • Reevaluate all identified material weaknesses at least quarterly in order to update the disclosures
  • Monitor the remediated control to determine whether it is operating effectively
  • If necessary, make further changes
36
Section 407 of the Sarbanes-Oxley Act requires each issuer of publicly traded securities to disclose whether its audit committee has at least one financial expert and if not, why not. What qualifies someone as a financial expert under Section 407?
  • Understanding of GAAP and financial statements
  • Experience in preparation or auditing of financial statements
  • Understanding of internal accounting controls and financial accounting procedures
  • Understanding of audit committee functions
37
Section 407 of the Sarbanes-Oxley Act requires each issuer of publicly traded securities to disclose whether its audit committee has at least one financial expert. If a company discloses that it has a financial expert on its audit committee, what must it further disclose?
The name of the financial expert and whether that person is independent.