Upload
eza-r
View
242
Download
1
Tags:
Embed Size (px)
DESCRIPTION
Auditing Boynton 8th Solution
Citation preview
CHAPTER 7
Chapter 10Understanding Internal Control
Learning Check
10-1. a.The Foreign Corrupt Practices Act of 1977 is administered by the Securities and Exchange Commission. The Act pertains to management and directors of companies subject to the reporting requirements of the Securities Exchange Act of 1934.
b.The antibribery and accounting standards provisions of the Act require the maintenance of a satisfactory system of internal control.
10-2. a.The National Commission on Fraudulent Financial Reporting reemphasized the importance of internal control and recommended the following:
Of overriding importance in preventing fraudulent financial reporting is the "tone set by top management" that influences the corporate environment within which financial reporting occurs.
All public companies should maintain internal controls that will provide reasonable assurance that fraudulent financial reporting will be prevented or subject to early detection.
The organizations sponsoring the Commission (including the Auditing Standards Board [ASB]) should cooperate in developing additional guidance on internal control systems.
b.COSO is an acronym for Committee of Sponsoring Organizations, a body comprised of representatives from the AICPA, the American Accounting Association, The Institute of Internal Auditors, the Institute of Management Accountants, and the Financial Executives Institute. The two principal purposes of its efforts were to:
Establish a common definition of internal control serving the needs of different parties.
Provide a standard against which business and other entities can assess their control systems and determine how to improve them.
COSO undertook these efforts as a response to the Treadway Commission's recommendation that the organizations represented on COSO should cooperate in developing additional guidance on internal control system.
10-3. a.The COSO report defines internal control as a process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
Reliability of financial reporting.
Compliance with applicable laws and regulations.
Effectiveness and efficiency of operations.
b.The COSO report identifies five interrelated components of internal control which are:
1. The control environment.
2. Risk assessment.
3. Control activities.
4. Information and communication.
5. Monitoring.
c.Of primary relevance in a financial statement audit are an entity's controls that pertain to the reliability of financial information, particularly those that are intended to provide reasonable assurance that financial statements prepared by management for external users are fairly presented in conformity with generally accepted accounting principles. Other objectives and related controls may also be relevant if they pertain to data the auditor uses in applying audit procedures such as (1) nonfinancial data used in analytical procedures and (2) certain financial data developed primarily by management for internal purposes such as budgets and performance data.
10-4.Inherent limitations in any entity's system of internal control include:
Mistakes in judgment may be made by management and other personnel in making business decisions or in performing routine duties because of inadequate information, time constraints, or other pressures.
Breakdowns in controls may occur because experienced, temporary, or new personnel may misunderstand instructions or make errors due to carelessness, distractions, or fatigue.
Collusion, which is individuals acting together, may enable the concealment of an irregularity so as to prevent its detection by the system of internal control.
Management override of prescribed policies or procedures includes making deliberate misrepresentations to auditors and others such as by issuing false documents to support the recording of fictitious transactions.
Costs versus benefits which mitigates against the adoption of controls, the benefits of which, in management's judgment, do not outweigh the costs.
10-5.Several key responsible parties and their roles are as follows:
Management which has the responsibility to establish and maintain an effective system of internal control.
Board of directors and audit committee which, as part of their general governance and oversight responsibilities, should determine that management meets its responsibilities for establishing and maintaining the system of internal control.
Internal auditors who should periodically examine and evaluate the adequacy of an entity's system of internal control and make recommendations for improvements.
Other entity personnel, which includes all other personnel who provide information to, or use information provided by, the system of internal control, have a responsibility to communicate to a higher level in the organization any instances of noncompliance or illegal acts of which they become aware.
Independent auditors who have a responsibility to report to management and the board of directors certain conditions or weaknesses in internal controls found in an audit.
Other external parties such as legislators and regulators who may establish minimum statutory and regulatory requirements for the establishment of internal controls by certain entities.
10-6. a.The five COSO interrelated components of internal control which are:
Control environment.
Risk assessment.
Control activities.
Information and communication.
Monitoring.
In addition, the book adds a sixth component that is based on PCAOB Audit Standard No. 2.
Anti-Fraud Programs and Control. This is sufficiently important that it deserves separate attention and it influences the other five COSO components.
b.The auditor focuses on the aspects of each component and related controls that are designed to prevent or detect material misstatements in the financial statements.
10-7. a.The factors that comprise the control environment are:
Integrity and ethical values.
Commitment to competence.
Board of directors and audit committee.
Management's philosophy and operating style.
Organizational structure.
Assigning of authority and responsibility.
Human resource policies and practices.
b.Four things the CEO and other member of top management can do to emphasize the importance of integrity and ethical values among all personnel are (1) set the tone by example, (2) communicate to all employees that the same is expected of them, (3) provide moral guidance to employees who may be ignorant regarding what is right and wrong, and (4) reduce or eliminate incentives and temptations that might lead individuals to engage in dishonest, illegal, or unethical acts.
c. Important IT aspects of the control environment include:
Involvement of management in setting policies for developing, modifying and using computer programs and data.
Form of organization structure of data processing.
Methods of assigning authority and responsibility over computer systems documentation, including procedures for authorizing transactions and approving systems changes.
10-8. a.Management's risk assessment for financial reporting purposes is similar to the external auditor's concern with inherent risks, i.e., the risk that financial statement assertions will be misstated. However, management's purpose is to manage identified risks, and then design controls to prevent, or detect and correct, misstatements. (Authors note: Managements of private companies may consider cost benefit considerations when designing internal control over financial reporting and may make the decision that the cost of controls is more than the benefits that would be obtained. However, PCAOB Auditing Standard No. 2says that cost benefit considerations are not a reason to have adequate internal controls relevant to a material assertion in the financial statements.) The auditor's purpose is to evaluate the likelihood that material misstatements exist in the financial statements in order to plan the audit.
b.Important IT aspects of risk assessment include the assessment of risks:
Transaction trails may be available for only a short period of time.
Reduced documentary evidence of performance of controls.
Files and records usually cannot be read without a computer.
Decreased human involvement in computer processing can obscure errors that might be observed in manual systems.
IT system vulnerability to physical disaster, unauthorized manipulation, and mechanical malfunction.
IT systems may reduce traditional segregation of duties.
Changes in systems are more difficult to implement and control.
10-9. a.The accounting system consists of the methods and records established to identify, assemble, analyze, classify, record, and report entity transactions and maintain accountability for the related assets and liabilities.
b. Attributes of an effective accounting systemc. Related category of financial statement assertions
Identifies and records only the valid transactions of the entity that occurred in the current periodExistence or occurrence
Identifies and records all valid transactions of the entity that occurred in the current periodCompleteness
Ensures that recorded assets and liabilities are the result of transactions that produced entity rights to, or obligations for, those itemsRights and obligations
Measures the value of transactions in a manner that permits recording their proper monetary value in the financial statementsValuation or allocation
Presentation and disclosure
d.Key IT aspects of the information and communication system include:
Transaction may be initiated by computer
Audit trails may be in electronic form
How data is converted from source documents to machine-sensible form
How computer files are accessed and updated
Computer processing involvement from initiation for transaction to inclusion in financial statements.
Computer involvement in reporting process used to prepare financial statements.
10-10. a.The objective of segregation of duties is to ensure that individuals do not perform incompatible duties (i.e., an individual should not be able to commit an error or irregularity and then be in a position to conceal it in the normal course of his or her duties).
b.There are two fundamental concepts associated with segregation of duties. First, responsibility for authorizing a transaction, executing a transaction, recording a transaction, and maintaining custody of assets resulting from the transactions should be assigned to different individuals or departments. Second, there should be proper segregation of duties within the IT department and between IT and user departments.
c.Several functions within IT: systems development, operations, data controls and securities administration should be segregated. In addition, IT should not correct data submitted by user departments, and should be organizationally independent from user departments.
10-11. a.The purpose of general controls is to control program development, program changes, computer operations, and to secure access to programs and data.
b.Because of the pervasive character of general controls, if the auditor is able to obtain evidence that general controls function effectively, then the auditor also has important assurance that individual applications may be properly designed and operate consistently during the period under audit. Effective general controls allow the auditor to conclude that computer applications are likely to operate effectively during periods when they are not directly tested. Alternatively, deficiencies in general controls may affect many applications and may prevent the auditor from assessing control risk below the maximum for many applications and transaction cycles.
10-12. a.The following bullets identify the three categories of application controls and explain the purpose of each.
Input controls are designed to provide reasonable assurance that data received for processing have been properly authorized and converted into machine-sensible form. Input controls also include manual control performed by the people who follow-up on the rejection, correction, and resubmission of data that were initially incorrect.
Processing controls are designed to provide reasonable assurance that the computer processing has been performed as intended for the particular application. Thus, processing controls should preclude data from being lost, added, duplicated or altered during processing.
Output controls are designed to ensure that the processing results are correct, including both updated machine-sensible files and printed output, and that only authorized personnel receive the output.
b.The categories of controls pertaining to the conversion of data are (1) verification controls, (2) computer editing, and (3) control totals.
10-13.Most companies establish good controls over data going into databases. However, when it comes time to prepare financial statements a structured query language (SQL) is used to access the database and download information into a spreadsheet. Spreadsheets may be used to develop information for footnotes or they may be used to develop consolidated financial statements. However, once the data is in a spreadsheet, it may be subject to little or no controls. Data in spreadsheets can be easily accessed and manipulated without leaving an audit trail. If a macro is written incorrectly it might inadvertently omit information from particular general ledger account, or otherwise lose critical financial statement information. This creates a risk that data the is well controlled going into databases, is subject to a new risk of material misstatement as spreadsheets are used in the financial reporting process.
As part of a sound system of internal control companies should limit access to spreadsheets. Furthermore, good controls include testing the completeness of accuracy of inputs, and controlling the accuracy of output (e.g., testing spreadsheets with test data). Some companies perform an independent, manual check on the logic of each spreadsheet and the data that is summarized with spreadsheets. Companies should also maintain an inventory of spreadsheets used in the financial reporting process and keep clear documentation of the function accomplished by each spreadsheet.
10-14. a.Independent checks operate at the transaction level. In an IT environment, application controls execute checks of individual transactions to verify (1) work previously performed by other individuals or departments or (2) the proper valuation of recorded amounts.
Performance reviews represent the review of financial information by management. For example performance reviews include managements review of reports that summarize the detail of account balances (e.g., reports of cash disbursements by department), reports of actual performance versus budgets, forecasts, or prior period amounts or reports comparing nonfinancial operating data and financial data (for example, comparison of hotel occupancy statistics with revenue data).
Monitoring is fundamentally different from the control activities discussed above. Monitoring is the processes of assessing the quality of the entire system of internal control. It involves managements activities in making an ongoing assessment of the effectiveness of the design and operation of internal control.
b. Often management is involved in both executing transactions and reviewing the financial results that show the processing of those transactions. Examples of effective performance reviews include:
The review of cash disbursement charged to a department by a department manager, which is likely to be effective in identifying completeness, valuation or classification problems.
The review of a report of sales transactions which may identify completeness or valuation problems.
c.The monitoring function should involve the audit committee of the board of directors (or other equivalent authority), senior management, and internal auditing (if the function exists). With respect to IT risks, management and the audit committee should be conscious of IT risks associated with IT aspects of the control environment, the information and communication system, and control activities. Accounting officers should be conscious of, and monitor, the same on an ongoing basis. Further, the audit committee might charge internal audit with responsibility for periodic reviews of IT risks and controls. Finally, independent monitoring may occur when comments / complaints are received from customers, employees, and vendors. For example, problems with internal control may come to managements attention through complaints received from customers about billing errors or from suppliers about payment problems. Finally, alert managers may receive reports with information that differs significantly from their first-hand knowledge of operations.
10-15. a.The allowance for doubtful accounts should be controlled the same way that other accounting estimates are controlled. First, the accounting estimate must be based on reliable information. The company must develop a reliable system of aging individual invoices that are outstanding. Second, the decision about the allowance should not rest with one or a few individuals. Ideally, individuals responsible for approving credit, approving charge-offs, operating managers responsible for sales, and accounting personnel should all be involved in the review of the allowance. Finally, some level of oversight by the audit committee is appropriate.b.Oversight of nonroutine transactions often rests with a disclosure committee. This committee is often made up of individuals with strong accounting backgrounds (e.g., internal auditors), others with strong operational background who are familiar with the transactions, and leadership from the audit committee. The committee would make inquiries about nonroutine transactions and review accounting for nonroutine transactions.
c.The selection of and application of new accounting principles often rests with the disclosure committee as well. Again, it is important for the committee to be made up of individuals with strong accounting backgrounds that have some independence from the controller and CFO (e.g., internal auditors), others with strong operational background who are familiar with the transactions, and leadership from the audit committee. The committee would be responsible for reviewing decisions about the selection and application of new accounting policies.10-16. Antifraud programs and controls would normally include the following:
Control Environment
Code of conduct / ethical company culture
Ethics hotline
Audit committee oversight
Hiring, compensation, promotion and retentionFraud Risk Assessment
Systematic assessment of fraud risks Evaluation of likelihood and magnitude of potential misstatement
Information and Communication
Adequacy of the audit trail
Antifraud training
Control Activities
Adequate segregation of duties Linking controls to fraud risks
Monitoring
Developing an effective oversight process
After the fact evaluations by internal audit
10-17. a.In a private company audit the auditor needs a sufficient understanding of internal control to plan the audit. This means that the auditor should have sufficient knowledge to:
Identify the types of potential misstatement that may occur.
Understand the factors that affect the risk of material misstatement
Design the nature, timing, and extent of further audit procedures
b.In addition to the items discussed in (a) above, the auditor of a public company should also have a sufficient understanding to plan and perform an audit to obtain reasonable assurance that internal controls over financial reporting are operating effectively.
10-18. a.Two matters that should be covered in obtaining an understanding of internal controls are:
The design of policies and procedures pertaining to each component of internal control.
Whether the policies and procedures have been placed in operation.
b.Knowledge of internal control components should be used by the auditor to:
Identify types of potential misstatements.
Consider factors that affect the risk of material misstatements.
Design substantive tests to provide reasonable assurance of detecting the misstatements related to specific assertions.
10-19. a.An understanding of the system of internal controls is needed regardless of which strategy is chosen. But normally the level of understanding of the components that is needed under the lower assessed level of control risk approach is greater than that required under the primarily substantive approach. This is particularly true for the control activities component.
b.Other factors besides the preliminary audit strategy that affect the auditor's judgment about the level of understanding required include:
Knowledge of the client from previous audits.
Preliminary assessments of inherent risk and materiality.
An understanding of the industry in which the entity operates.
The complexity and sophistication of the entity's operations and accounting system.
10-20. a.The auditor should obtain sufficient knowledge of the control environment component to understand (1) the attitude, awareness, and actions of management and the board of directors concerning the control environment and (2) the pervasive and specific effects these factors may have on the effectiveness of the other internal control components.
b.The auditor should obtain sufficient knowledge of the information system relevant to financial reporting to understand:
The classes of transactions in the entity's operations that are significant to the financial statements.
How those transactions are initiated.
The accounting records, supporting documents, and specific accounts in the financial statements involved in the processing and reporting of transactions.
The accounting processing involved from the initiation of a transaction to its inclusion in the financial statements, including how the computer is used to process data.
The financial reporting process used to prepare the entity's financial statements, including significant accounting estimates and disclosures.
10-21. a.An understanding of the system of internal control is normally obtained by the following procedures:
Reviewing previous experience with the client.
Inquiring of appropriate management and supervisory and staff personnel.
Inspecting documents and records.
Observing entity activities and operations.
A transaction walk-through
b.A transaction walk-through review occurs when one or a few transactions within a major class of transactions is traced through the transaction trail and the related internal controls are identified and observed.
10-22. When planning an audit of the financial statements of a private company the auditor needs to have sufficient knowledge of the system of internal control to plan the audit. The auditor may not plan on testing the operating effectiveness of internal controls for many assertions. With respect to a public company where the auditor is testing the effectiveness of internal controls over financial reporting for every financial statement assertion, the level of understanding is much more comprehensive, particularly with respect to control activities.
10-23. a.An auditor may document the understanding of internal controls through completed questionnaires, flowcharts, and narrative memoranda.
b.Yes, documentation may occur concurrently with obtaining an understanding. For example, the auditor may use a questionnaire to obtain the understanding and the completed questionnaire provides the documentation.
10-24. a.The questions on an internal control questionnaire are designed to enable the auditor to determine whether the entity has adopted internal controls that the auditor considers necessary to prevent material misstatements in the financial statements.
b.Questionnaires are easy to use and to complete. Moreover, they significantly reduce the possibility of overlooking important aspects in each of the components of internal control.
10-25. a.Narrative memoranda may supplement other forms of documentation by summarizing the auditor's overall understanding of internal controls, individual components of internal controls, or specific controls.
b.In small audits, a narrative memorandum may serve as the only documentation of the auditor's understanding of internal controls. A narrative may be sufficient to explain the auditors understanding of how transactions are processed and the controls that might be present in the system. In a small audit, the documentation may actually be series of narratives that address the control environment, risk assessment, monitoring, and the documentation of information and communication system and control activities might be documented separately for each major transaction cycle. 10-26. a.A flowchart is a schematic diagram using standardized symbols, interconnecting flow lines, and annotations that graphically portray the steps involved in processing information through the accounting system.
b.A flowchart pertaining to a specific class of transactions should show
All significant operations performed in processing the class of transactions.
The methods of processing (manual or computerized).
The extent of segregation of duties by identifying each operation with a functional area, department, or individual.
The source, flow, and distribution of relevant copies of the documents, records, and reports involved in processing.
10-27. a. Management of a public company is responsible for documenting internal controls over financial reporting. That documentation should include:
The design of controls over all relevant assertions related to all significant accounts and disclosures in the financial statements. The documentation should include the five components of internal control over financial reporting and company-level controls such as:
Controls within the control environment.
Managements risk assessment process.
Centralized process and controls, including shared service environments.
Controls to monitor the results of operations.
Controls to monitor other controls, including activities of the internal audit function, the audit committee, and self-assessment programs.
The period-end financial reporting process.
Board-approved policies that address significant business control and risk management practices.
Information about how significant transactions are initiated, authorized, recorded, processed and reported.
Sufficient information about the flow of transactions to identify the point at which material misstatements due to error or fraud could occur.
Controls designed to prevent or detect fraud, including who performs controls and the related segregation of duties.
Controls over the period-end financial reporting process.
Controls over safeguarding of assets.
The results of managements testing and evaluation.
b.Inadequate documentation by the public company client could cause the independent auditor to conclude that there is a limitation on the scope of the engagement.
10A-1. a.The principal hardware component is the central processing unit (CPU) which consists of a control unit, an internal storage unit, and an arithmetic-logic unit.
b.Peripheral hardware components are input devices, output devices, and auxiliary storage devices.
10A-2. a. Computer software consists of the programs and routines that facilitate the programming and operation of a computer.
b.Systems programs perform generalized functions for one or more application programs. In contrast, application programs contain instructions that enable the user to perform data processing tasks appropriate for specific applications, such as payrolls and inventory.
10A-3. a.Under the traditional file method, separate files of data are created for each processing application. The files are organized into master files and transaction files. The database method stores all data in one central file (the database) and allows each user to access the portion of the database that is needed.
b.In sequential file processing, files are arranged sequentially and transaction data are sequenced before processing. Under sequential processing, the entire file must be read by the computer each time a transaction is processed. In direct access processing, file data are not maintained in any particular order. Under this type of processing, the transaction file is not sorted before processing. Moreover, it is not necessary to read the entire master file in updating.
10A-4. a.The essential characteristics of the two methods of EDP processing are:
On-line entry/batch processing in which individual transactions are entered directly into the computer via a terminal as they occur. A machine-readable validated transaction file is accumulated as the transactions are entered and this file is subsequently processed to update the master file.
On-line entry/on-line processing in which data are entered directly via a terminal as described above. It differs from on-line entry/batch processing in that (a) master files are updated concurrently with data entry and (b) a transaction log is produced that provides a chronological record of all transactions.
b.An advantage and a disadvantage for each method are:
On-line entry/batch processing. An advantage is that input data are subjected to immediate validation at the time of entry. A disadvantage is that the master file cannot be updated until the batch data are accumulated. On-line entry/on-line processing. The advantage is that input data are subjected to immediate validation at the time of entry. The disadvantages are (1) the risk of errors in the master file from concurrent updating and (2) the possible loss of part or all of the master files in case of hardware failure.
10A-5. a.The major benefits of IT systems over manual systems include:
IT systems can provide greater consistency in processing than manual systems because they uniformly subject all transactions to the same controls.
More timely computer generated accounting reports may provide management with more effective means of analyzing, supervising and reviewing the operations of the company.
b.Important risks of IT systems over manual systems include:
The IT system may produce a transaction trail that is available for audit for only a short period of time.
There is often less documentary evidence of the performance of control procedures in computer systems.
Files and records in IT systems are usually in machine-sensible form and cannot be read without a computer.
The decrease of human involvement in computer processing can obscure errors that might be observed in manual systems.
IT systems may be more vulnerable to physical disaster, unauthorized manipulation, and mechanical malfunction than information in manual systems.
Various functions may be concentrated in IT systems, with a corresponding reduction in the traditional segregation of duties followed in manual systems.
Changes in the system are often more difficult to implement and control in IT systems than in manual systems.
10A-6. a.The following diagram depicts how important internal controls function in computer systems.
b. The following discussion provides an example of each of the boxes outlined in the diagram above in the context of processing payroll transactions.
Input. Input to the accounting system represents, for example, timecards with information about the number of hours worked and a list from a payroll master file of employees that are authorized to work for the entity.
Computer processing and programmed application control procedures. This represents the computer processing of payroll, including both programmed checks that employees who worked were authorized, that hours worked and amounts paid were reasonable, and the actual processing of payroll withholdings and the writing of payroll checks.
Computer general control procedures. This set of control activities establishes control of the payroll program and access to payroll master files and data. The goal of general controls is to control the computer environment, not specific transactions such as payroll transactions. However, evidence that computer general control procedures are effective will give the auditor some assurance that the payroll programs and computer controls are also effectively designed and that they operate effectively.
Exception reports. If application controls find exceptions they report them either on screen on through printed exception reports. For example, if a time card is submitted that does not match the employee master file, it should be rejected and reported on an exception report. If a paycheck calculates to an amount more than might be considered reasonable by a limit test it would also be rejected and reported on an exception report.
Manual follow-up. Exception reports should be distributed to individuals who were not responsible for authorizing transactions or who do not have custody of assets. They should be responsible for following-up on items reported on exception reports and initiating appropriate corrective action.
Output of processed transactions and reports. The output of the accounting and system will be, in this case, processed payroll checks, a payroll journal, and other reports, such as labor distribution reports.
User controls over assertions. Company may establish manual control over computer output. Performance reviews are one example, where management reviews a summary of transactions charged to their responsibility center. In this way they might identify charges for fictitious employees, or errors in calculating payroll. The auditor may choose to test these manual controls directly without having to test computer general or application controls.
10A-7. a.Computer application controls are programmed control procedures designed to control the transactions. Their purpose is to control the completeness and accuracy of accounting processing of individual transactions in transaction cycles such as sales and collections transactions or payroll transactions.
b.Computer general controls are designed to control computer applications. Their purpose is to control program development, program changes, computer operations, and to secure access to programs and data.
10B-1. a.Information processing controls address risks related to the authorization, completeness, and accuracy of transactions.
b.Two subcategories of information processing controls related to the computer system are (1) general controls and (2) application controls.
c. Five types of general controls are:
Organization and operation controls.
Systems development and documentation controls.
Hardware and system software controls
Access controls
Data and procedural controls
All general controls work together to control program development, program changes, computer operations, and to secure access to programs and data. General controls pertain to the IT environment and all IT activities, rather than to a single IT application. Thus, general controls are pervasive in their effect on application controls and on transaction cycles.
10B-2. a.Documentation controls in an IT department pertain to the documents and records maintained by a company to describe computer processing activities.
b.Documentation enables management and the auditor by providing the primary source of information about the flow of transactions through the system and related accounting controls. It also assists in reviewing the system, training new personnel, and maintaining and revising existing systems and programs.
c. IT documentation should include:
Descriptions and flowcharts of the systems and programs.
Operating instructions for computer operators.
Control procedures to be followed by operators and users.
Descriptions and samples of required inputs and outputs.
10B-3. a.The purpose of access controls is to prevent unauthorized use of IT equipment, data files, and computer programs. Access controls accomplish this purpose through physical access controls (e.g., housing computer equipment in a secured area with restricted access), logical access controls or software controls (e.g., programs that require passwords to be able to process transactions that modify data files or program files), and procedural safeguards (e.g., management review of computer utilization reports).
b.To provide the necessary control with on-line data entry, each user of a remote input device is given a key, code, card or biometric control (voice print, iris scan, finger print) that identifies the holder as an authorized user. Other access controls are (1) computer call-back procedures when the telephone is used to dial the computer, and (2) passwords that are checked by the computer before a person can enter a transaction.
10B-4. a.Data and procedural controls provide a framework for controlling daily computer operations, minimizing the likelihood of processing errors, and assuring the continuity of operations in the event of a physical disaster or computer failure.
b.The activities of included in a data control function usually include receiving and screening all data to be processed, accounting for all input data, following-up on processing errors, and verifying the proper distribution of output.
Comprehensive Questions
10-28.(Estimated time - 35 minutes)
a.Internal control is a process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories: (1) reliability of financial reporting; (2) compliance with applicable laws and regulations; and (3) effectiveness and efficiency of operations.
b.Four fundamental embodied in the definition of internal control are:
Internal control is a process. It is a means to an end, not an end in itself. It consists of a series of actions that are pervasive and integrated with, not added onto, an entity's infrastructure.
Internal control is effected by people. It is not merely policy manuals and forms, but people at every level of an organization, including the board of directors, management, and other personnel.
Internal control can be expected to provide only reasonable assurance, not absolute assurance, to an entity's management and board because of limitations inherent in all internal control systems and the need to consider the relative costs and benefits of establishing controls.
Internal control is geared to the achievement of objectives in the overlapping categories of financial reporting, compliance, and operations.
c.The five components of an internal control are (1) control environment, (2) risk assessment, (3) information and communication, (4) control activities, and (5) monitoring.
d.Inherent limitations that should be considered in evaluating any entity's system of internal control include:
Mistakes in judgment may be made by management and other personnel in making business decisions or in performing routine duties because of inadequate information, time constraints, or other pressures.
Breakdowns in controls may occur because experienced, temporary, or new personnel may misunderstand instructions or make errors due to carelessness, distractions, or fatigue.
Collusion, which is individuals acting together, may enable the concealment of an irregularity so as to prevent its detection by internal controls.
Management override of prescribed internal controls includes making deliberate misrepresentations to auditors and others such as by issuing false documents to support the recording of fictitious transactions.
Costs versus benefits which mitigates against the adoption of controls, the benefits of which, in management's judgment, do not outweigh the costs.
e.Six parties who have a role or responsibility regarding an entity's internal controls are:
Management which has the responsibility to establish and maintain an effective internal controls.
Board of directors and audit committee which, as part of their general governance and oversight responsibilities, should determine that management meets its responsibilities for establishing and maintaining internal controls.
Internal auditors who should periodically examine and evaluate the adequacy of an entity's internal controls and make recommendations for improvements.
Other entity personnel, which includes all other personnel who provide information to, or use information provided by, internal controls, have a responsibility to communicate to a higher level in the organization any instances of noncompliance or illegal acts of which they become aware.
Independent auditors who have a responsibility to report to management and the board of directors certain conditions or weaknesses in internal controls found in an audit.
Other external parties such legislators and regulators (e.g., the SEC) who may establish minimum statutory and regulatory requirements for the establishment of internal controls by certain entities.
10-29.(Estimated time - 20 minutes)
a.The auditor should gain an understanding of (1) the design of policies and procedures pertaining to each internal control component and (2) whether the policies and procedures have been placed in operation. In obtaining the understanding, the auditor should obtain sufficient knowledge about the internal control components to be able to:
Identify types of potential misstatements.
Consider factors that affect the risk of material misstatement.
Design substantive tests to provide reasonable assurance of detecting the misstatementsrelated to specific assertions.
b.The auditor obtains the understanding through:
Reviewing prior experience with the client
Inquiry of appropriate management and supervisory and staff personnel.
Inspecting documents and records.
Observing entity activities and operations.
c.Yes, documenting the understanding of internal control components is required in all audits.
d.The auditor's documentation in the working papers may be made through completed questionnaires, flowcharts, and narrative memoranda. Advantages of questionnaires include that they (1) are usually developed by very experienced professionals and provide excellent guidance to less experienced staff who may be obtaining the understanding on a particular engagement, (2) are relatively easy to use, and (3) significantly reduce the possibility of overlooking important internal control matters. A disadvantage may involve the need to customize the questionnaires for a particular client. Another disadvantage is the potential for response bias where respondents answer in a manner most favorable to good internal controls. In other instances, respondents may not know the answer to a question, yet answer anyway.Flowcharts should enable the auditor to see the relationships that exist between controls, and facilitate the identification of key controls related to specific financial statement assertions. They can be prepared in varying degrees of detail by the auditor or obtained from the client. Once thought to be difficult to prepare, flowcharting software for personal computers now eases the task of preparing and amending flowcharts for the auditor's working papers.
Narrative memoranda are perhaps the easiest form of documentation to prepare and are particularly effective on audits of smaller entities with fairly simple system of internal controls. In such audits, they may constitute the only form of documentation of the understanding of the system of internal control. For larger entities with more complex systems of internal control, narrative memoranda are generally used only as supplements to questionnaires and flowcharts. The problem with narrative memoranda is that they may not be updated and kept current to reflect changes in the system. Each year, narrative memoranda should be critically evaluated to ascertain whether the system described is still the system in use.10-30.(Estimated time - 25 minutes)
a.The control environment factors that can affect the effectiveness of specific policies and procedures related to the other components of an internal control are:
Integrity and ethical values.
Commitment to competence.
Board of directors and audit committee.
Management's philosophy and operating style.
Organizational structure.
Assigning of authority and responsibility.
Human resource policies and practices.
b.The auditor should obtain sufficient knowledge of the control environment component to understand (1) the attitude, awareness, and actions of management and the board of directors concerning the control environment and (2) the pervasive and specific effects these factors may have on the effectiveness of the other internal control components.
c.The required level of understanding of several of the control environment factors, such as management's philosophy and operating style, organizational structure, and board of directors or audit committee, will ordinarily be the same for each audit strategy. For some factors, however, such as human resource policies and practices, additional knowledge may be necessary when the lower assessed level of control risk approach is used.
10-31. (Estimated Time 25 Minutes)
Itema. Component of Internal Controlb. Additional example of component
of internal control.
1.Control environmentAn audit committee is formed comprised of outside directors
2.Control activitiesAccess to mainframe computers, inventories, and cash and securities is restricted (physical controls).
3.Control environmentManagement is involved in setting policies for developing , modifying and using computer programs and data.
4.MonitoringManagement receives information from external auditors about weaknesses in internal controls and recommended improvements.
5.Risk assessmentManagement carefully assesses the impact of new laws and regulations on its business and reporting practices.
6.Control activitiesControls are in place to review, test, and approve all new systems, control program changes, and to document procedures.
7.Control activitiesPhysical controls limit direct access to assets and records and limit indirect access through the preparation or processing of documents that authorize the disposition of assets.
8.Control activitiesManagement responsibilities include performance reviews where the appropriate level of management reviews disbursements charged to their responsibility center.
9.Control environmentAuthority and responsibility is assigned in such a way that each individual knows how his or her actions interrelate with those of others in contributing to the achievement of the entitys objectives, and how he or she will be held accountable for the entitys performance.
10.Information and communicationThe accounting system includes a provision for properly measuring and recording the value of transactions in the financial statements.
10-32 (Estimated Time 25 minutes)
ControlCategoryAssertion(s)
a. Management has established a code of conduct that includes rules regarding conflicts of interest for purchasing agents.1Existence and Occurrence
b. Waterfront has established a disclosure committee to review the selection of new accounting policies.4.6Valuation and Allocation, Presentation and Disclosure
c. Any computer program revision must be approved by user departments after testing the entire program with test data.4.3.1Virtually any assertion
d. The managers of each of Waterfronts manufacturing departments must review and expenditures charged to their responsibility center weekly.4.3.5Existence and Occurrence, Completeness, Valuation and Allocation
e. The CEO, CFO, and controller review the financial consequences of business risks annually to ensure that controls are in place to address significant business risks.2Valuation and Allocation
f. Human resources focuses on ensuring that accounting personnel have adequate qualifications for work performed in billing and accounts receivable.1Virtually any assertion
g. Security software limits access to programs and data files, and keeps a log of programs and files that have been accessed which is reviewed by the security manager daily.4.3.1Existence and Occurrence
h. A computer program prints a daily report of all shipments that have not yet been billed to customers.4.3.2Completeness
i. The controller reviews sales and collections bi-monthly.
4.5Valuation, Completeness
j. The computer compares the information on the sales invoice with underlying shipping information.4.3.2Existence and Occurrence
k. Customer billing complaints are directed to internal audit for follow-up and resolution.5Virtually any assertion
l. The documentary transaction trail for all credit sales is documented in company policy manuals.3Virtually any assertion
m. A committee of the board of directors evaluates and monitors business risks.1Virtually any assertion
n. Access to spreadsheets used in the financial reporting process is limited and spreadsheets are tested with test data on a quarterly basis.4.3.3Virtually any assertion
10-33.(Estimated Time 20 minutes)
a.Assignment of functions
Employee No. 1--Accountant
Maintain general ledger (1)
Maintain disbursements journal (5)
Issue credits on returns and allowances (6)
Employee No. 2--Cashier
Prepare checks for signature (4)
Handle and deposit cash receipts (8)
Employee No. 3--Bookkeeper (subsidiary ledger)
Maintain accounts payable ledger (2)
Maintain accounts receivable ledger (3)
Reconcile the bank account (7)
b.Undesirable combinations are
Handle cash receipts (8) and maintain accounts receivable ledger (3)
Handle cash receipts (8) and issue credit memos (6)
Prepare checks (4) and maintain accounts payable ledger (2)
Maintain accounts receivable ledger (3) and issue credit memos (6)
Handle cash receipts (8) and reconcile bank (7)
Prepare checks (4) and reconcile bank (7)
10-34.(Estimated Time 25 minutes).
Itema. Category of Control Activitiesb. Assertion
1. The computer must match information from a vendors invoices with information from receiving and information from the purchase order before a check is issued.Computer application controlsExistence and occurrence
2. A knowledgeable audit committee reviews and approves new applications of GAAP.Control over management discretion in financial reportingPresentation and disclosure
3. Two authorized signatures are required on every check over $100,000.AuthorizationExistence and occurrence
4. Each month management carefully reviews the aged trial balance of accounts receivable to identify past-due balances and follows up for collection.Performance reviewsValuation and allocation
5. A supervisor must approve overtime workAuthorizationCompleteness
6. The computer assigns sequential numbers to sales invoices used in the billing system.
Computer application controlsValuation and allocation
7. The computer verifies the mathematical accuracy of each voucher and prints an exception report for items with mathematical errors.Computer application controlsExistence and occurrence
Completeness
Valuation and allocation
8. Employee payroll records are kept on a computer file that can only be accessed by certain terminals and are password protected.Performance reviewsPresentation and disclosure
9. Internal auditors review journal entries periodically for reasonableness of account classifications.Control over management discretion in financial reportingPresentation and disclosure
10. The chairman of the audit committee directly accepts confidential e-mails or other submissions concerning questionable accounting and auditing matters.Controls over management discretion in financial reportingExistence and occurrence
11. Checks received from customers and related remittance advices are separated in the mailroom and subsequently processed by different individualsSegregation of dutiesExistence and occurrence
Completeness
Valuation and allocation
12. All vouchers must be stamped paid on payment.
Physical controlsValuation and allocation
13. Department managers review accounting for warranty claims on a weekly basis.Performance reviewsValuation and allocation
14. On a quarterly basis, warranty expenses are compared with actual warranty claims.
Control over management discretion in financial reportingValuation and allocation
15. Only computer operators are allowed in the computer room.Computer general controlsPervasive affect on multiple assertions
16. The computer will not complete the processing of a batch when the accounts receivable control account does not match the total of the subsidiary ledgersComputer application controlsExistence or occurrence or completeness
10-35. (Estimated Time 25 minutes)
a.The quantity of serially numbered tickets issued during the shift of each cashier is multiplied by the price per ticket to determine the amount of cash the cashier should have on hand at the end of the shift. Two employees participate in each transaction. The withholding of cash receipts would require collusion between the cashier and door person because the door person does not have access to cash and the cashier cannot cause a patron to be admitted without issuing a serially numbered ticket.
b.The following steps should be taken by the manager to make these controls work effectively:
Maintain a careful control over unused rolls of tickets.
Make a record of the serial number of the first and last ticket issued on each cashier's shift.
Count the cash in possession of cashier at beginning and end of shift.
In addition to these regular routines, the manager should take the following steps at unannounced intervals:
Observe that the cashier never has loose tickets in his/her possession and does not sell tickets in any manner other than ejecting them from the ticket machine.
Verify by inspection of tickets being presented by patrons to the door person that only recently. issued tickets (current serial numbers) are being used.
c.Collusion by the cashier and door person to abstract cash receipts often consists of the door person pocketing whole tickets presented by patrons rather than tearing the ticket in half. The door person may then give these used tickets to the cashier (perhaps in off-duty hours); the cashier may then resell the tickets to customers at the box office rather than punching out new tickets on the machines. The cashier withholds the cash received from sales of these "used tickets" and divides it with the doorperson.
d.Observation on a surprise basis by the manager of the serial numbers of tickets being presented at the door by customers may reveal that these tickets are not freshly issued ones. Observation of the cashier's work may reveal that he or she is handling loose tickets.
Cases
10-36.(Estimated Time - 30 minutes)
a.Examples of poor internal control:
1. No credit checks are made of contract clients.
2. Accounts receivable are not recorded nor controlled.
3. Weak control is exerted over cash transactions.
4. No control is effected between production type work and potential revenues due.
5. Examples: bookkeeping services, design and printing services, and tax work.
6. No forms are prenumbered and, thus, accounted for.
7. No controls are in effect to assure that all receivables that are due are paid.
8. The control over slow or delinquent payments is very poor.
9. All remittances and cash are not deposited daily.
10. There are no running controls to prevent contract services from exceeding thecontract ceiling.
11. No controls are in effect to assure that all work was billed.
b.Examples of good internal control:
1. Some cash is deposited daily.
2. A cash log is maintained though not used effectively.
3. Bank reconciliation's are made.
4. Monthly analyses of cost percentages of revenue items (though improperly performed as not considering the effect of accounts receivable).
5. Historical evidence is maintained of all production type work.Periodic analyses are performed of unpaid bills.
6. Copy work paid in cash is balanced to the cash register.
7. Close tics are available for production type work to cash received.
10-37. (Estimated Time - 45 minutes)
The flowchart for the sales system for SummerVoice, Inc. is displayed on the following page. The flowchart is most effective when accompanied by a discussion similar to that presented in the problem.
a.
b.
AssertionControl Activity
Existence and occurrenceThe sales program compares invoice information with information on the shipping files for quantities and dates shipped.
CompletenessReview and follow-up of daily report of unfilled orders and back orders.
Rights and obligationsThe sales program ensures that all sales invoices for credit sales are supported by actual goods shipped.
Valuation and allocationCredit is approved prior to customer being put on customer master file. Credit is checked against customer master file by order program.
Invoice pricing information is checked against sales order file.
Run-to-run totals check accuracy of sales and receivable files.
Presentation and disclosureNo significant controls exist.
Professional Simulation
Research
SituationCommunicationInternal
Controls
The following paragraphs of AU 319 address the professional standards that apply to any audit regarding the understanding of internal controls that is necessary to plan the audit.
.25In all audits, the auditor should obtain an understanding of each of the five components of internal control sufficient to plan the audit. A sufficient understanding is obtained by performing procedures to understand the design of controls relevant to an audit of financial statements and determining whether they have been placed in operation. In planning the audit, such knowledge should be used to
Identify types of potential misstatement.
Consider factors that affect the risk of material misstatement.
Design tests of controls, when applicable. Paragraphs .65 through .69 of this section discuss factors the auditor considers in determining whether to perform tests of controls.
Design substantive tests.
.26The nature, timing, and extent of procedures the auditor chooses to perform to obtain the understanding will vary depending on the size and complexity of the entity, previous experience with the entity, the nature of the specific controls used by the entity including the entitys use of IT, the nature and extent of changes in systems and operations, and the nature of the entity's documentation of specific controls. For example, the understanding of risk assessment needed to plan an audit for an entity operating in a relatively stable environment may be limited. Also, the understanding of monitoring needed to plan an audit for a small, noncomplex entity may be limited. Similarly, the auditor may need only a limited understanding of control activities to plan an audit for a noncomplex entity that has significant owner-manager approval and review of transactions and accounting records. On the other hand, the auditor may need a greater understanding of control activities to plan an audit for an entity that has a large volume of revenue transactions and that relies on IT to measure and bill for services based on a complex, frequently changing rate structure.
.27Whether a control has been placed in operation at a point in time is different from its operating effectiveness over a period of time. In obtaining knowledge about whether controls have been placed in operation, the auditor determines that the entity is using them. Operating effectiveness, on the other hand, is concerned with how the control (whether manual or automated) was applied, the consistency with which it was applied, and by whom it was applied. The auditor determines whether controls have been placed in operation as part of the understanding of internal control necessary to plan the audit. The auditor evaluates the operating effectiveness of controls as part of assessing control risk, as discussed in paragraphs .62 through .83 of this section. Although understanding internal control and assessing control risk are discussed separately in this section, they may be performed concurrently in an audit. Furthermore, some of the procedures performed to obtain the understanding may provide evidential matter about the operating effectiveness of controls relevant to certain assertions.
.28The auditor's understanding of internal control may sometimes raise doubts about the auditability of an entity's financial statements. Concerns about the integrity of the entity's management may be so serious as to cause the auditor to conclude that the risk of management misrepresentation in the financial statements is such that an audit cannot be conducted. Concerns about the nature and extent of an entity's records may cause the auditor to conclude that it is unlikely that sufficient competent evidential matter will be available to support an opinion on the financial statements.
Understanding of Internal Control Necessary to Plan the Audit
.29In making a judgment about the understanding of internal control necessary to plan the audit, the auditor considers the knowledge obtained from other sources about the types of misstatement that could occur, the risk that such misstatements may occur, and the factors that influence the design of tests of controls, when applicable, and substantive tests. Other sources of such knowledge include information from previous audits and the auditors understanding of the industry and market in which the entity operates. The auditor also considers his or her assessment of inherent risk, judgments about materiality, and the complexity and sophistication of the entity's operations and systems, including the extent to which the entity relies on manual controls or on automated controls.
.30In making a judgment about the understanding of internal control necessary to plan the audit, the auditor also considers IT risks that could result in misstatements. For example, if an entity uses IT to perform complex calculations, the entity receives the benefit of having the calculations consistently performed. However, the use of IT also presents risks, such as the risk that improperly authorized, incorrectly defined, or improperly implemented changes to the system or programs performing the calculations, or to related program tables or master files, could result in consistently performing those calculations inaccurately. As an entity's operations and systems become more complex and sophisticated, it becomes more likely that the auditor would need to increase his or her understanding of the internal control components to obtain the understanding necessary to design tests of controls, when applicable, and substantive tests.
.31The auditor should consider whether specialized skills are needed for the auditor to determine the effect of IT on the audit, to understand the IT controls, or to design and perform tests of IT controls or substantive tests. A professional possessing IT skills may be either on the auditors staff or an outside professional. In determining whether such a professional is needed on the audit team, the auditor considers factors such as the following:
The complexity of the entitys systems and IT controls and the manner in which they are used in conducting the entitys business
The significance of changes made to existing systems, or the implementation of new systems
The extent to which data is shared among systems
The extent of the entitys participation in electronic commerce
The entitys use of emerging technologies
The significance of audit evidence that is available only in electronic form
.32Procedures that the auditor may assign to a professional possessing IT skills include inquiring of an entitys IT personnel how data and transactions are initiated, recorded, processed, and reported and how IT controls are designed; inspecting systems documentation; observing the operation of IT controls; and planning and performing tests of IT controls. If the use of a professional possessing IT skills is planned, the auditor should have sufficient IT-related knowledge to communicate the audit objectives to the professional, to evaluate whether the specified procedures will meet the auditors objectives, and to evaluate the results of the procedures as they relate to the nature, timing, and extent of other planned audit procedures. fn9
Communication
SituationResearchInternal Controls
To: Michelle Driscoll, Partner
Re: Inherent Limitations of an Entitys Internal Control
From:CPA Candidate
The professional standards directly address the limitations of any system of internal control in paragraphs 319.21-.24. In general these paragraphs make the following points.
No matter how well the system of internal control is designed and operated, it can provide only reasonable assurance of achieving an entity's control objectives.
Human judgment in decision-making can be faulty and that breakdowns in internal control can occur because of human failures such as simple errors or mistakes.
Internal controls, whether manual or automated, can be circumvented by the collusion of two or more people or inappropriate management override of internal control.
Internal control is often influenced by cost- benefit decisions.
Custom, culture, and the corporate governance system may inhibit fraud, but they are not absolute deterrents. An effective control environment, too, may help reduce the risk of fraud.
For additional discussion, these paragraphs are directly quoted below.
.21 Internal control, no matter how well designed and operated, can provide only reasonable assurance of achieving an entity's control objectives. The likelihood of achievement is affected by limitations inherent to internal control. These include the realities that human judgment in decision-making can be faulty and that breakdowns in internal control can occur because of human failures such as simple errors or mistakes. For example, errors may occur in designing, maintaining, or monitoring automated controls. If an entitys IT personnel do not completely understand how an order entry system processes sales transactions, they may erroneously design changes to the system to process sales for a new line of products. On the other hand, such changes may be correctly designed but misunderstood by individuals who translate the design into program code. Errors also may occur in the use of information produced by IT. For example, automated controls may be designed to report transactions over a specified dollar limit for management review, but individuals responsible for conducting the review may not understand the purpose of such reports and, accordingly, may fail to review them or investigate unusual items.
.22Additionally, controls, whether manual or automated, can be circumvented by the collusion of two or more people or inappropriate management override of internal control. For example, management may enter into side agreements with customers that alter the terms and conditions of the entitys standard sales contract in ways that would preclude revenue recognition. Also, edit routines in a software program that are designed to identify and report transactions that exceed specified credit limits may be overridden or disabled.
.23Internal control is influenced by the quantitative and qualitative estimates and judgments made by management in evaluating the cost-benefit relationship of an entitys internal control. The cost of an entity's internal control should not exceed the benefits that are expected to be derived. Although the cost-benefit relationship is a primary criterion that should be considered in designing internal control, the precise measurement of costs and benefits usually is not possible.
.24Custom, culture, and the corporate governance system may inhibit fraud, but they are not absolute deterrents. An effective control environment, too, may help reduce the risk of fraud. For example, an effective board of directors, audit committee, and internal audit function may constrain improper conduct by management. Alternatively, the control environment may reduce the effectiveness of other components. For example, when the nature of management incentives increases the risk of material misstatement of financial statements, the effectiveness of control activities may be reduced.
Internal Controls
SituationResearchCommunication
a.b.c.d.e.
1. The computer verifies an employee authorization code in order to enter a purchase order(((((
2. The computer produces a report of all receiving reports that have not resulted in a voucher.(((((
3. The computer matches information on the voucher regarding quantities and prices of goods purchased with underlying receiving reports and purchase orders.(((((
4. The computer compares the account coding on a voucher with the account coding on the purchase order.(((((
5. The computer checks the mathematical accuracy of the voucher and supporting vendors invoice.(((((
6. The computer has a unique account coding for the receipt and acquisition of consignment inventory.(((((
7. The computer matches each voucher with an underlying receiving report and cancels the related vendors invoice to prevent duplicate payment.(((((
User controls
over assertions
Manual follow-up
Output of processed transactions and reports
Exception reports
Computer general control procedures
Computer processing and programmed application control procedures
Input
Daily Sales
Reports
Monthly
Statements
Gross Margin
Reports
Accounts Receivable
Master File
General Ledger
Master File
General
Ledger
Sales
Journal
SALES REPORTS PROGRAM:
Produces reports for analysis.
Record
Sales
Sales
Transaction
File
Exception
Reports
Sales
Invoice
SALES PROGRAM:
Retrieve shipped order data: prepare invoices;
perform edit checks; enter
data in sale transaction file, Master files are updated, and sale journal, G/l,, monthly statements, are produced..
Deliver
Goods
Unfilled Orders
and Back
Orders
Enter data
on Goods Shipped
Shipping
Document
Authorization
to Pick
Goods
Shipping
File
Perpetual
Inventory
SHIPPING PROGRAM:
Retrieve open orders:
add shipping data; transfer
to shipping file; print
shipping documents
Open
Orders
Sales
Order
Authorized
Price List
Perpetual
Inventory
Customer
Master File
ORDER PROGRAM:
Perform edit and
credit checks; print
sales orders
Enter
Sales Order
Computer Programs and Files
Key Reports
Documentary
Audit Trail
Initiate
Sales
Functions
SummerVoice, Inc. -- Credit Sales Transactions
Open
Orders
Inventory
On-hand
Perpetual
Inventory
