Management Executive Team
What does the term "management override" mean?
Management or individuals with governance manipulate records or controls in a way that go against an organization's internal controls or to intentionally create false financial statements.
Describe typical responsibilities of audit committees.
Typical responsibilities regarding the audit committee include managing the communications and hiring of the external auditors. The committee also has the responsibility to review and access the company’s internal control and internal accounting
What is the top-down approach? Hint – AS 2201
AS 2201.21 - “the top-down approach begins at the financial statement level and with the auditor’s understanding of the overall risks to the internal control over financial reporting. The auditor then focuses on entity-level controls and works down to significant accounts and disclosures and their relevant assertions”
*This directs attention to assertions/accounts/disclosures that can have a reasonable possibility of a material misstatement.
**NOT the order of performing procedures, but the thought process of identifying risks and controls to test.
Identify three required auditor responses to address the risk of management override of internal controls.
1.) Revise the risk assessment
2.) Modify planned audit procedures
3.) Perform additional procedures
What is audit risk?
The risk that the auditor expresses an inappropriate audit opinion when the financial statements are materially misstated and not presented fairly in conformity with the applicable financial reporting framework.
What are the two components of the risk of material misstatement at the assertion level?
Inherent Risk: susceptibility of an assertion to a misstatement, due to error or fraud, that could be material, individually or incombination with other misstatements, before consideration of any related controls.
Control Risk: risk that a material misstatement due to error or fraud that could accur in an assertion and that could be material will not be prevented or detected on a timely basis by the company’s internal controls.
Discuss the pros of allowing inside directors to serve on the board.
The inside directors will have a strong understanding of the company and have an increased desire and care that the company succeeds.
What are entity-level controls? Hint – AS 2201
AS 2201.23 - entity level controls have important and indirect effect on the likelihood that a material misstatement will be detected/prevented. They can affect other controls selected for testing as well. They can monitor the effectiveness of other controls and can ultimately reduce testing of other controls. If an entity-level control addresses the risk of misstatement sufficiently, the auditor may not have to test additional controls relating to that risk.
Describe whether you think Comptronix's executive team was inherently dishonest from the beginning?
Yes, Comptronix’s executive team was inherently dishonest from the beginning. They began misstating the financial statements knowing they wouldn’t get caught since it was not a requirement to get audited, but after they went public, the executives went deeper into the misstatements to hide and cover up the fraud they originally created. When realized they were not being caught, the misstatements became increasingly larger through the years.
Audit risk is a function of what other types of risk?
It is a function of the risk of material misstatement and detection risk.
Describe typical factors that auditors evaluate when assessing inherent risk.
Susceptibility to theft or fraudulent reporting
Complex accounting or calculations
Size and volume of accounts balance or transactions
Prior year period adjustments or changes
Subjective estimates
Non-routine transactions
Management and personnel integrity and competence
Economic environment
List the five components of internal control.
1. Control Environment
2. Risk Assessment
3. Control Activities
4. Information and Communication
5. Monitoring
Discuss the cons of allowing inside directors to serve on the board.
There is a lack of independence and/or objectivity. Inside directors benefited from the fraud committed and would have more motivation to ignore possible signs of fraud.
What is the auditor’s responsibility regarding the testing of entity-level controls?
The auditor has to test entity-level controls important to the conclusion whether or not the company has effective internal controls. The evaluation can result in increasing or decreasing the amount of testing performed for other controls.
How is it possible for otherwise honest people to become involvedin frauds like the one at Comptronix?
It is possible for honest people to get involved in frauds like Comptronix due to the fraud triangle. If there is an opportunity to commit fraud, it makes it accessible to misstate statements, there can be an increasing pressure in needing to meet certain goals and projections, and rationalization can stem from anywhere. Once fraud goes undetected once, it is easy for an individual to get caught up in it and want more.
Describe the three fraud conditions per auditing standards.
1.) Management or other employees have an incentive or are under PRESSURE to commit fraud.
2.) Circumstances exist – absence of controls, ineffective controls, or ability of management to override controls – provide an OPPORTUNITY to commit fraud
3.) Those involved in committing a fraudulent act are able to RATIONALIZE their decisions and actions. Some people possess an attitude, character, or set of ethical values that allow them to knowingly and intentionally commit a dishonest act
How does detection risk differ from the two components of the risk of material misstatement?
Risk that procedures performed by the AUDITOR will not detect a misstatement that exists or could be material
Detection risk is affected by the effectiveness of the substantive procedures and their application by the auditor (whether the procedures were performed with due professional care)
Higher the risk of material misstatement, the lower the level of detection risk needs to be in order to reduce audit risk
The auditor reduces the level of detection risk through the nature, timing, and extent of the substantive procedures performed. As the appropriate level of detection risk decreases, the evidence from substantive procedures that the auditor should obtain increases
Describe each component of internal control.
1. CONTROL ENVIRONMENT sets the tone of an organization, influencing the control consciousness of its people. It is the foundation for all other components of internal control, providing discipline and structure.
2. RISK ASSESSMENT is the entity’s identification and analysis of relevant risks to achievement of its objectives, forming a basis for determining how the risks should be managed.
3. CONTROL ACTIVITIES are the policies and procedures that help ensure that management directives are carried out.
4. INFORMATION AND COMMUNICATION systems support the identification, capture, and exchange of information in a form and time frame that enable people to carry out their responsibilities.
5. MONITORING is a process that assesses the quality of internal control performance over time.
What strengths were present related to Comptronix’s board of directors and audit committee?
Board of Directors had some variety when it came to the level of affiliation each had with the company. Some board members had previous experience serving on other boards.
Research the content in PCAOB’s AS 4105 and briefly describe the key requirements for reviews of interim financial information of a public company.
The SEC’s requirement to engage an independent accountant to review the registrant’s interim financial information does not require the accountant to issue a written report on the review. A review report must only be filed if the entity states that the financial information has been reviewed by an independent public accountant.
Provide two examples of where management override of controls occurred in the Comptronix fraud.
1.) For the falsified equipment purchases, no paper trail documents were created. Mr. Shifflett and Mr. Medlin were able to approve payments based only on an invoice, allowing them to bypass internal controls over cash disbursements.
2.) Mr. Medlin was the controller and treasurer and had access to the shipping department system. He’d enter fake sales into the system and got rid of documents and invoices automatically generated so they wouldn’t be mailed to the respective customers.
Provide an example from the Comptronix fraud of each of the three fraud conditions.
Pressure: The company suffered losses through 1986 and lost one of their biggest customers to their old employer SCI Systems
Opportunity: Management override controls – Mr. Medlin, as controller and treasurer, had access to the shipping department system and he could enter bogus sales into the system and would destroy shipping documents and sales invoices before they were mailed by the system out to related customers
Rationalization: he more that Comptronix was losing profits and the pressure to perform was building, the three executives were able to rationalize overstating sales and understating costs to convince the small town of Guntersville that the company was a success and the city’s investment in the company was not a failure
What inherent risk factors were present during the audits of the 1989 through 1992 Comptronix financial statements?
Rapid changes and innovation in the technology industry which could lead to inherent risks related to complex accounting.
Economic pressures such as recessionary pressures seeing as the company was operating at consistent losses.
A new business has expected rapid growth and expansion which also leads to complex accounting.
Management integrity and competence can increase inherent risks due to poor judgments and applications of accounting principles.
What characteristics of Comptronix’s internal control increased control risk for the audits of the 1989 – 1992 year-end financial statements?
Control risk was increased because the implantation of the controls was not monitored. As stated in the case, the three executives’ fraud scheme was dependent on their ability to bypass the accounting system put into place.
The executives could override controls in many ways, but especially with Mr. Medlin’s ability to access the shipping department system and destroy all shipping documents and sales invoices related to the bogus sales.
The control activities regarding Mr. Shifflett’s and Mr. Medlin's ability to approve payments with the use of an invoice alone rather than with a related purchase order and receiving report as well exposed a gap in the company’s control activities.
What weaknesses were present related to Comptronix’s board of directors and audit committee?
It can be argued that the too many of the directors are too closely affiliated. The members of the audit committee also did not have an accounting background. Directors were aware of the actual financial position and profited off of it instead of doing something to correct it . One member was fired for trying to start looking into the fraudulent activity and this shows impairment in management's integrity and competence.
Why wouldn’t all companies (public and private) engage their auditors to perform timely reviews of interim financial statements?
Not all companies would want to engage their auditors to perform interim financial statement reviews due to the cost, lack of regulations for some companies, or lack of complexity for some companies’ financial statements. Some companies might not have the available time and resources as well to justify the need for interim reviews.