Another new definition of internal control for auditors:
Structure is replaced with process. Can auditors handle this new idea?

The New SAS No. 78

By David R. Frazier and L. Scott Spradling

SAS No. 78 amends SAS No. 55 by replacing its definition and description of the internal control structure with that contained in the COSO report. In addition to a change in the definition of internal control, this change will now require auditors to gain an understanding of five components of internal control rather than the previous three elements. Following is an explanation of these changes together with guidance on how auditors gain and document this new understanding.

Recently, the AICPA's Auditing Standards Board (ASB) issued SAS No. 78, Consideration of Internal Control in a Financial Statement Audit: An Amendment to SAS No. 55. SAS No. 78 is effective for audits of financial statement periods beginning on or after January 1, 1997, with earlier application permitted. It replaces the SAS No. 55 definition and description of the internal control structure with the definition and description from Internal Control--Integrated Framework, published by the Committee of Sponsoring Organizations of the Treadway Commission (COSO or the COSO Report). According to SAS No. 78, the COSO Report is becoming a widely accepted framework for sound internal control, and its acceptance and use will continue to grow. As a result, SAS No. 55 was amended to incorporate the COSO Report framework and terminology to provide timely and useful guidance to auditors.

The COSO Report

The COSO report was issued in an effort to integrate various existing concepts and definitions of internal control and to develop a common reference point. It defines internal control, describes the components of effective internal control, provides criteria against which internal control can be evaluated, and presents guidance that organizations can follow when reporting publicly on internal controls over financial reporting.

Amendments to SAS No. 55

In an effort to conform the auditing standards with the concepts found in the COSO Report, the ASB amended SAS No. 55 to replace the definition of internal control structure with the COSO Report definition. In addition, the three elements of the internal control structure included in SAS No. 55 have been replaced with the five components of internal control from the COSO Report.

SAS No. 55, issued in 1988, contains two primary segments. The first segment is educational in nature, defines an internal control structure, and divides an internal control structure into the following three elements:

* Control environment

* Accounting system

* Control procedures

The second segment prescribes how auditors are to go about obtaining and documenting their understanding of the internal control structure. This segment is procedural in nature.

Basically, SAS No. 78 changes only the first segment described above. Changes to the second segment are minimal and relate primarily to terminology. In essence, the amendments do not change what the auditor does so much as they prescribe a new way of looking at a company's internal control. Exhibit 1 compares the terminology in SAS No. 55 with the terminology in SAS No. 78.

Internal Control Defined

SAS No. 78 picks up the broad definition of internal control from the COSO Report, which is "a process--effected by an entity's board of directors, management, and other personnel--designed to provide reasonable assurance regarding the achievement of objectives in the following categories: a) reliability of financial reporting, b) effectiveness and efficiency of operations, and c) compliance with applicable laws and regulations." The term process is used because internal control is viewed not as one event or circumstance, but as a series of actions conducted through basic management of the entity. Because internal control is defined as a process that is considered to be dynamic, the revised SAS uses the term internal control instead of internal control structure. The ASB believes the term structure used in SAS No. 55 is static and does not reflect the COSO definition of internal control.

The Five Components of Internal Control

In the COSO Report, internal control consists of five interrelated components. Those five components are inherent in the way management runs an organization and serve as the criteria for determining whether an entity's internal control is effective. SAS No. 78 incorporates the following five components of internal control included in the COSO Report:

* Control environment.

* Risk assessment.

* Control activities.

* Information and communication.

* Monitoring.

The five components of internal control are the means by which the entity achieves its objectives. However, SAS No. 78 states "the division of internal control into five components does not necessarily reflect how an entity considers and implements internal control." The components... are intended to provide a useful framework to be used by auditors when considering an entity's internal control. The auditor is primarily concerned with determining whether a specific control affects the financial statement assertions rather than with its classification into a particular component.

The five components are applicable to every organization, regardless of size; however, according to SAS No. 78, how they apply should be considered in the context of the entity's--

* size;

* organization and ownership characteristics;

* nature of business;

* diversity and complexity of operations;

* methods of transmitting, processing, maintaining, and accessing information; and

* applicable legal and regulatory requirements.

The following paragraphs discuss the components of internal control over financial reporting as defined by SAS No. 78 and COSO and contrast those components with the internal control elements of SAS No. 55. Exhibit 2 presents a comparison of the three elements of internal control structure in SAS No. 55 with the five components of internal control in SAS No. 78.

Control Environment

According to COSO, the control environment sets the tone of an organization and influences the control consciousness of its people. It is basically the same as the control environment defined in SAS No. 55. The control environment is the foundation for all other components of internal control and provides structure and discipline. The control environment of an organization includes the following factors:

* Integrity and ethical values

* Commitment to competence

* Attention and direction provided by a board of directors or audit committee

* Management's philosophy and operating style

* Organizational structure

* Manner of assigning authority and responsibility

* Human resource policies and procedures

Considerations for smaller entities. In a small entity, the integrity of the owner/manager or top managers will often play a significant role in establishing a strong control environment. For example, although a small entity might not have a written code of conduct, it might still have a culture that emphasizes the importance of integrity and ethical behavior. That culture will be instilled through the visibility and direct involvement of the owner/manager or top management. Similarly, human resources policies may not be formally documented as they would in a larger entity. Even so, policies and practices can still exist and be communicated orally. While formal documentation may be preferable, it is not always necessary.

SAS No. 78 differs from the COSO Report in relation to the auditor's consideration of the makeup of the board of directors when assessing the control environment. The COSO Report indicates entities should maintain a board consisting of a majority of outside directors. This will often be difficult for smaller entities because of the costs involved. Paragraph 4 of the appendix to SAS No. 78 states that "smaller entities may not have an independent or outside member on their board of directors. These conditions may not affect the auditor's assessment of control risk." Based on this guidance, the absence of outside directors on a client's board of directors does not automatically require the auditor to report a reportable condition under SAS No. 60, Communication of Internal Control Structure Related Matters Noted in an Audit.

Risk Assessment

In SAS No. 78, risk assessment for financial reporting purposes refers to the client's "identification, analysis, and management of risks relevant to the preparation of financial statements that are fairly presented in conformity with generally accepted accounting principles [or another comprehensive basis of accounting]." More simply, it can be described as identifying types of potential misstatements and designing control policies and procedures to prevent or promptly detect those misstatements. SAS No. 78 also specifically includes the identification and analysis of significant estimates recorded in the financial statements as part of the risk assessment process.

There is no equivalent of risk assessment in SAS No. 55. Risk assessment as defined in COSO is not the same as an auditor's consideration of audit risk (inherent risk, control risk, and detection risk) discussed in SAS No. 47, Audit Risk and Materiality in Conducting an Audit. An auditor assesses inherent and control risks to evaluate the likelihood the financial statements could be materially misstated. An entity's risk assessment, on the other hand, is the process of identifying, analyzing, and managing risks that affect the entity's objectives.

A key step in the risk assessment process is identifying changed conditions and taking necessary actions. This involves identifying and communicating both external and internal events or activities that may affect the organization's objectives and analyzing the associated opportunities and risks. Risks relevant to the financial reporting process may arise due to--

* changes in the organization's operating environment;

* new personnel;

* new or revised information systems;

* rapid growth within the organization;

* new technology;

* new lines, products, or activities;

* restructuring within the organization;

* foreign operations; and

* new accounting pronouncements.

The earlier those risks can be identified, the more effectively they can be dealt with.

Considerations for Smaller Entities. The concept of assessing risk is essentially the same in a small or mid-sized entity; however, the process will usually be much less formal. SAS No. 78 states that all entities should have established objectives for financial reporting. However, for smaller entities, these objectives may be recognized implicitly rather than explicitly. In a small entity, management can learn about risks affecting those objectives through direct personal contact with employees and external parties.

Control Activities

Along with the actions taken for managing risk, an organization will establish policies and procedures to help ensure management directives are carried out. Those policies and procedures represent "control activities." These are generally equivalent to "control procedures" defined in SAS No. 55. Control activities may occur at all levels and in all functions of an organization. They cover a range of activities and may include the following:

* Performance reviews--such as comparison of actual results to budgets, forecasts, and prior period performance.

* Information processing controls--such as controls to check the accuracy, completeness, and authorization of individual transactions. Information processing controls include automated as well as manual controls.

* Physical controls--such as physical security of assets, including adequate safeguards over access to assets and records, authorization for access to computer programs and data files, and periodic counting and comparison with amounts recorded in the accounting records.

* Segregation of duties--such as assigning the responsibility for authorizing transactions, recording transactions, and maintaining custody of assets to different people within the organization.

Control activities usually involve two elements: a policy that establishes what should be done and the procedure that implements the policy. Policies may be communicated either orally or in writing. This will depend to a great extent on the size of the organization and the channels of communication within the organization. Also critical to control activities are the follow-up actions taken in response to identified discrepancies (for example, investigation by the owner/manager of unexpected variances noted while comparing actual sales to budgeted sales). Again, follow-up actions will depend on the size and structure of the organization. Because each organization has its own objectives and implementation strategies, no two organizations will have the same control activities.

Considerations for smaller entities. The concept of control activities is essentially the same in a small entity as in a larger one. However, the formality with which they operate may be different. In addition, smaller entities may find certain control activities will not be necessary because of the active involvement of the owner/manager or other top managers. For example, in a small entity careful review of sales figures and key ratios by the owner/manager may serve the purpose of lower level control activities that might be found in a larger entity. Reasonable assurance that material errors will be detected often comes from the owner/manager's day-to-day involvement in the entity and from relating his or her own direct knowledge of the activities to information presented in the financial statements.

SAS No. 78 states that in a small entity, segregation of duties often presents difficulties due to the limited number of employees. However, even small entities with few employees may be able to assign responsibilities to achieve adequate segregation. If this is not possible, direct oversight by the owner/manager can usually provide the necessary control. For example, in the area of cash, the owner/manager might compensate for a lack of segregation of duties by being the only authorized check signer and by reviewing all bank statements and reconciliations.

Information and Communication

Information Systems. The information system is essentially the equivalent of the accounting system in SAS No. 55. The information system relevant to financial reporting consists of methods established to identify, assemble, analyze, classify, record, and report transactions and conditions and to maintain accountability for the entity's assets and liabilities. In addition, information systems generate information necessary to carry out many control activities. An information system may be computerized, manual, or a combination of the two, depending on the size and complexity of the entity.

According to SAS No. 78, an information system includes methods and records that--

* identify and record all valid transactions,

* provide, on a timely basis, sufficient detailed information about transactions to permit proper classification for financial reporting,

* allow for the recording of transactions at their proper monetary value in the financial statements,

* provide sufficient information to permit recording of transactions in the proper accounting period, and

* properly present the transactions and related disclosures in the financial statements.

Communication. Communication relates to providing a clear understanding of internal control policies and procedures over financial reporting, how they work, and the responsibilities of individuals within the organization related to those policies and procedures. Communication may take the form of policy manuals, memorandums, oral communications, etc., depending on the size and organizational structure of the entity.

Communication also relates to the flow of information upstream in an organization. For control activities to be effective, individuals must be able to report exceptions to the appropriate levels of management. For upstream communication to occur, there must be open channels of communication and a willingness on the part of management to deal with problems as they occur.

Considerations for smaller entities. Information systems are usually less formal in a small or mid-sized entity but are usually just as effective and efficient. In smaller entities with substantial management involvement, there often is no need for extensive descriptions of accounting procedures, complex accounting records, or written policies. In addition, because there are fewer levels of management, effective communication may be easier to achieve. In a smaller entity, communication will often take place through daily discussions with management. Even without the formal communication channels usually found in larger organizations, small entities will usually find that communication is more effective and more frequent.

Monitoring

Due to changes among personnel and within an organization, it is essential that internal controls be monitored over time to determine whether they continue to be relevant and able to address new risks of the organization. Monitoring is a process that assesses the quality of an organization's internal control over time and involves assessing the design and operation of controls on a timely basis and taking actions as necessary.

Monitoring can be accomplished through a) ongoing activities, b) separate evaluations, or c) a combination of the two. In many ways, this is similar to the monitoring function in the quality control system of a CPA firm. In determining whether separate evaluations are needed, management should consider the nature of changes occurring within an organization and their associated risks and the competence and experience of personnel implementing controls, as well as the results of ongoing monitoring. The greater the effectiveness of ongoing monitoring, the lesser the need for separate evaluations. Ongoing monitoring includes management and supervisory activities and other actions that personnel take in performing their duties. For example, management may question reports that differ significantly from their knowledge of operations.

Internal auditors or personnel performing similar functions may contribute to an entity's monitoring of controls through separate evaluations. These personnel provide information about the functioning of the entity's internal controls by focusing considerable attention on evaluating the design and operation of controls.

External parties may provide information to assist the entity in monitoring controls. For example, external auditors may provide recommendations on improving controls as a result of their audit of the financial statements. Customers, by implicitly corroborating billing information through payment of invoices, are another example of external parties that may assist management in their monitoring activities.

Considerations for smaller entities. Ongoing monitoring activities of a small entity are likely to be performed by the owner/manager or other key managers as a by-product of managing the organization. While small and mid-sized entities might have internal personnel or external auditors perform separate evaluations of their internal controls, the need for separate evaluations is generally less in a smaller entity due to effective ongoing monitoring activities.

Safeguarding Controls

A 1994 addendum to the COSO Report addresses the issue of controls over the safeguarding of assets (safeguarding controls) in management reports on internal control. The COSO Report defines three broad categories of controls--operations, compliance, and financial reporting. Although safeguarding controls relate primarily to operations, certain aspects of them can fall under the other two categories as well. The relevance of safeguarding controls to financial reporting has been a controversial and confusing issue. SAS No. 78 states that for purposes of a financial statements audit, auditors generally limit their understanding of safeguarding controls to those that are relevant to financial reporting. As an example, the SAS states that use of a lockbox system to collect cash receipts may be relevant in a financial statement audit. However, the auditor may not be concerned with operational controls that prevent the excess use of materials in the production process.

In discussing physical controls (defined as controls over the physical security of assets, including adequate safeguards), SAS No. 78 states that the extent to which they are relevant to an audit depends on the circumstances. For example, physical controls over inventory ordinarily would not be relevant because any inventory losses would be detected by periodic physical counts. However, if management relies solely on perpetual records for financial reporting purposes, the physical controls become relevant to an audit.

SAS No. 78 also points out that controls related to operations and compliance should not be completely ignored. They may be relevant if they pertain to data the auditor uses to apply auditing procedures, for example, nonfinancial data such as production statistics used in analytical procedures. Also, controls relating to compliance with laws and regulations that have a direct and material effect on the financial statements may also be relevant in an audit. Examples include controls over compliance with income tax laws and regulations or compliance with Federal or state laws and regulations related to grants to governmental or nonprofit organizations.

Limitations of Internal Control

Like SAS No. 55, SAS No. 78 acknowledges the limitations of internal control. An entity's internal control, no matter how well designed and operated, can only provide reasonable assurance as to the achievement of the entity's objectives. These limitations exist due to cost-benefit considerations and such factors as faulty human judgment in decision making or simple error or mistake. In addition, controls can be overridden by management or circumvented by collusion of two or more people. The effectiveness of an entity's internal control might also be affected by changes in ownership or management, turnover in other personnel, or developments in the entity's business or operating environment.

SAS No. 78 points out that if one of the components of internal control is ineffective, it may negate the effects of another component considered to be effective. For example, an entity may have good control activities relating to the financial reporting process; however, a poor control environment evidenced by a strong management bias to maximize bonuses by inflating reported earnings may result in materially misstated financial statements.

Auditor Understanding of Internal Control

As previously discussed, the amendments to SAS No. 55 do not significantly affect the procedural guidance on how auditors go about obtaining and documenting their understanding of internal control. Similar to the SAS No. 55 requirement that the auditor obtain an understanding of the three elements of the internal control structure, SAS No. 78 requires the auditor to obtain an understanding of the five components of internal control. The purpose of this understanding has not changed. In both SAS No. 55 and SAS No. 78, the purpose is to--

* identify types of potential misstatements,

* consider factors that affect the risk of material misstatements, and

* design substantive tests.

Control Environment. SAS No. 78 requires the auditor to obtain a sufficient understanding of the control environment that allows the auditor to understand management's (and the board of directors') attitudes, awareness, and actions toward the control environment. SAS No. 78 cautions the auditor to concentrate on the substance rather than the form of management's policies, procedures, and actions. In some cases, for example, management may have established appropriate policies and procedures, but management's actions may indicate a lack of control consciousness.

Risk Assessment. The auditor should gain an understanding of how management identifies and takes action to address risks relevant to the entity's financial reporting objectives. This includes gaining an understanding about how management estimates the significance of those risks and assesses the likelihood of their occurrence. For example, if the entity is expanding its operations, the auditor should gain an understanding of management's assessment of the impact on internal control and the steps management is taking to address that impact.

Control Activities. SAS No. 78 requires the auditor to "obtain an understanding of those control activities relevant to planning the audit." This is essentially the same as the SAS No. 55 requirement for obtaining an understanding of control procedures. As a by-product of obtaining an understanding of the other four components of internal control, the auditor is likely to obtain an understanding of the control activities. For example, when obtaining an understanding of the documents, records, and processing steps in the financial reporting system related to accounts payable, the auditor is likely to become aware that invoices require supervisory approval before payment.

As a result, in many cases additional procedures to gain an understanding of control activities will not be necessary to plan the audit. SAS No. 78 indicates that ordinarily, the auditor does not need to obtain an understanding of control activities related to each account balance, transaction class, or financial statement disclosure component to plan the audit.

Information and Communication. To plan an audit, the auditor should gain an understanding of the information system relevant to financial reporting. As previously discussed, the information system relevant to financial reporting is essentially the same as the accounting system defined in SAS No. 55. As a result, the auditor's procedures should not change significantly in this area as a result of the amendments to SAS No. 55.

SAS No. 78 states that to obtain sufficient knowledge of the information system relevant to financial reporting, the auditor should understand the following:

* Transaction classes in the entity's operations that are significant to the financial statements;

* How significant transactions are initiated;

* Accounting records, supporting information, and specific financial statement accounts involved in transaction processing and reporting;

* The accounting processing involved from when a transaction is initiated to its inclusion in the financial statements, including electronic methods (such as computers and electronic data interchange) used to transmit, process, maintain, and access information;

* The financial reporting process used by management to prepare the entity's financial statements, including significant accounting estimates and disclosures.

In addition, SAS No. 78 requires the auditor to obtain knowledge of how management communicates financial reporting roles and responsibilities and other significant matters relating to financial reporting.

Monitoring. A new requirement of SAS No. 78 is for the auditor to obtain knowledge of the activities management uses to monitor internal control over financial reporting. In addition, the auditor should understand how those activities are used to initiate corrective action when necessary. As previously discussed, internal auditors or personnel performing similar functions may contribute to an entity's monitoring of controls. When obtaining an understanding of the internal audit function, the SAS refers auditors to guidance in SAS No. 65, The Auditor's Consideration of the Internal Audit Function in an Audit of Financial Statements.

Documenting the Understanding

Like SAS No. 55, SAS No. 78 requires auditors to document their--

* understanding of internal control, and

* basis for conclusions about the assessed level of control risk. (However, for those assertions where control risk is assessed at maximum, the conclusion must be documented, but documenting the basis for the conclusion is not required.)

The only significant documentation change caused by the SAS No. 55 amendments will be that auditors must obtain an understanding of five components, rather than three elements, of internal control. This will affect the structure of the auditor's documentation, but it will not significantly affect the auditor's procedures to obtain the understanding or the auditor's documentation methods.

The three methods most commonly used by auditors to document their understanding of internal control are narratives, flowcharts, and questionnaires. Often, a combination of these methods is used. The method used also depends on the nature and complexity of the internal control process. For an entity with a simple internal control process, a memorandum may be sufficient. Questionnaires and flowcharts may be more effective and efficient for documenting more complex systems. Many auditors use practice aids published by third-party providers such as Practitioners Publishing Company (PPC), the AICPA, or others. Practitioners should ensure that those practice aids will be updated on a timely basis to reflect the changes required by SAS No. 78.

Control Environment, Risk Assessment, and Monitoring. Generally, the authors believe the auditor's understanding of the control environment, risk assessment, and monitoring components can be documented in a similar fashion. These three components under SAS No. 78 are similar to the control environment element under SAS No. 55. Auditors often use a memorandum or questionnaire to document their understanding of the control environment. Either of these methods can still be used to document the control environment, risk assessment, and monitoring components when implementing SAS No. 78.

If the auditor currently uses a questionnaire to document his or her understanding of the control environment, additional inquiries may be needed to address the risk assessment and monitoring components of internal control. However, questions currently used by auditors to document their understanding of the control environment may also relate to the risk assessment or monitoring components. For example, questions related to the internal audit function also relate to the monitoring component.

Exhibit 3 illustrates questions that could be used to document the auditor's understanding of the control environment, risk assessment, and monitoring components. This Audit Planning Form is from PPC's Guide to Audits of Small Businesses.

Information and Communication. As previously discussed, the information and communication component of SAS No. 78 is similar to the accounting system element of SAS No. 55. As a result, there should not be a significant change in the auditor's documentation for gaining an understanding of the information and communication component. Memoranda or flowcharts combined with a questionnaire are efficient and effective ways to document the auditor's understanding of the information and communication component. The memorandum or flowchart can be used to document the information systems and the questionnaire can be used to document the auditor's understanding of how management communicates financial reporting roles and responsibilities.

The memorandum or flowchart will basically contain the same information included in the auditor's documentation of his or her understanding of the accounting system under SAS No. 55. Exhibit 4 is an excerpt from the Audit Planning Form in PPC's Guide to Audits of Small Businesses that illustrates example questions that could be included in a questionnaire to document the auditor's understanding of the communication process.

Control Activities. As previously discussed, SAS No. 78 only requires the auditor to obtain an understanding of control activities sufficient to plan the audit. In most cases, this understanding will be obtained as a by-product of the auditor obtaining an understanding of the other four components of internal control. Documentation of the auditor's understanding of the other four components should adequately document the auditor's understanding of control activities. As a result, the auditor need not separately document his or her understanding of control activities unless a further understanding is necessary to plan the audit.

If the auditor decides additional procedures are necessary to gain an understanding of control activities for audit planning, questionnaires are often used to document that understanding. For example, PPC's Guide to Audits of Small Businesses provides a detailed questionnaire for each accounting application that can be used to document the individual control activities. An excerpt from this internal control questionnaire for accounts receivable is presented in Exhibit 5.

The level of documentation discussed in the preceding two paragraphs is appropriate for gaining an understanding of control activities for audit planning. If the auditor decides it is more efficient to assess control risk at less than the maximum and perform tests of controls, additional documentation of control activities may be necessary. Internal control questionnaires such as the example in Exhibit 5 can also be used when the auditor needs a further understanding of controls to design appropriate tests of controls. However, the auditor may be able to design appropriate tests of controls based solely on the knowledge obtained from gaining an understanding of the control environment, risk assessment, monitoring, and information and communication components. If so, additional documentation of control activities is unnecessary.

Audit Guide Revised

To provide further guidance on the implementation of SAS No. 55 and SAS No. 78, the ASB has revised the audit guide Consideration of Internal Control in a Financial Statement Audit. The guide illustrates how auditors might apply SAS No. 55 (as amended by SAS No. 78) under two different strategies: a primarily substantive approach, in which the auditor assesses control risk at the maximum, and an approach relying on tests of controls, in which the auditor assesses control risk below the maximum. The guide also includes illustrations of the audits of three hypothetical companies with internal control systems of varying complexity.

Other Standards Conformed

In addition to amending SAS No. 55, the ASB has also amended SAS No. 60, Communication of Internal Control Structure Related Matters Noted in an Audit; SAS No. 70, Reports on the Processing of Transactions by Service Organizations; and SSAE No. 2, Reporting on an Entity's Internal Control Structure over Financial Reporting, to incorporate the five components of internal control and other terminology from the COSO Report.

David R. Frazier, CPA, is a senior technical editor and L. Scott Spradling, CPA, an executive editor, both with Practitioners Publishing Company.

EXHIBIT 1

COMPARISON OF TERMINOLOGY BETWEEN SAS NO. 55 AND SAS NO. 78

EXHIBIT 2

COMPARISON OF THE INTERNAL CONTROL STRUCTURE ELEMENTS IN

SAS NO. 55 WITH THE INTERNAL CONTROL COMPONENTS IN SAS No. 78

SAS No. 55: Control environment. This is the collective effect of certain internal and external factors on the effectiveness of specific control policies and procedures.
SAS No. 78: Control environment. The control environment sets the tone of an organization, influencing the control consciousness of its people. Control environment factors include:
1. integrity and ethical values,
2. commitment to competence,
3. board of directors or audit committee,
4. management's philosophy and operating style,
5. organizational structure,
6. assignment of authority and responsibility, and
7. human resources policies and practices.

SAS No. 55: No equivalent.
SAS No. 78: Risk assessment. Risk assessment refers to the organization's process of identifying potential risks to its financial reporting objectives and developing actions to address those risks.

SAS No. 55: Accounting system. The accounting system consists of the methods and records used to keep the organization's books.
SAS No. 78: Information and communication. The information system is essentially equivalent to the accounting system. It consists of the methods and records established to (a) identify, assemble, analyze, classify, record, and report the organization's transactions, events, and conditions and (b) maintain accountability for the related assets and liabilities. Communication relates to policy manuals, accounting manuals, or other means used to give the employees an understanding of their roles and responsibilities regarding financial reporting controls.

SAS No. 55: Control procedures. Control procedures are the procedures established by the organization to maintain complete, accurate accounting records and control over assets.
SAS No. 78: Control activities. These are the policies and procedures that help ensure management directives are carried out. They are generally equivalent to control procedures, as defined in SAS No. 55.

SAS No. 55: No equivalent.
SAS No. 78: Monitoring. This is the process of assessing the quality of internal control performance over time. This is accomplished through specific evaluations or as a by-product of normal supervisory activities (such as oversight by the owner/manager).

Control Environment

The purpose of completing this portion of the questionnaire is to gain an understanding of the control environment and assess its overall effectiveness to plan the audit, i.e., to identify types of potential misstatements and factors that affect the risk of material misstatement, and to consider the effect on the audit plan. Unsatisfactory ("No") responses to particular questions do not necessarily mean that the control environment is not effective. The combined effect of responses should be considered in making an assessment of overall effectiveness. The auditor may gain an understanding of certain control activities related to significant audit areas while obtaining an understanding of the control environment. If the auditor believes that the understanding of those control activities may be necessary to plan the audit, they should be documented in the comments column of this form.

A. Does management communicate to employees acceptable business practices, conduct, and policies (on conflicts of interest, etc.)?

B. Does the company take appropriate action for known departures from approved policies, unacceptable business practices, or conduct that might significantly affect the financial reporting process?

C. Is management satisfied that all employees are honest?

D. Does previous experience with the client indicate competence and integrity on the part of client personnel?

E. Does it appear that management demonstrates integrity in its everyday dealings with customers, employees, suppliers, and other parties?

F. Do accounting personnel have the background, education, and experience appropriate for their duties?

G. Does management or the owner/manager demonstrate a concern for control by performing important internal control procedures such as approvals, regular preparation or review of reconciliations, review of accounts receivable trial balances, etc.?

H. Does management or the owner/manager have a conservative attitude toward financial reporting?

I. Does the workload of the owner/manager and accounting personnel appear to permit them to be mindful of controlling the quality of their work?

J. Has management been responsive to prior recommendations from the company's auditors?

K. Has management established policies and procedures that provide reasonable assurance of reliable accounting estimates?

L. Are controls over authorization of transactions established at an appropriate level?

Risk Assessment

Risk assessment is management's process for identifying, analyzing, and managing risks relevant to the preparation of financial statements that are fairly presented in conformity with GAAP or an OCBOA. Unsatisfactory ("No") responses to particular questions do not necessarily mean that the entity's risk assessment process is ineffective. The combined effect of responses should be considered when making that assessment. If the entity operates in a relatively stable environment, the auditor's understanding of risk assessment needed to plan the audit may be limited.

A. Has management or the owner/manager assessed the effect of the following conditions on the company's ability to prepare financial statements that are free from material misstatement:

* Changes in the company's operating environment?

* New personnel?

* New or revised information systems?

* Rapid growth?

* New technologies in the production process or information systems?

* New lines, products, or other business activities?

* Restructuring or reorganization and resulting staff reductions, changes in supervision, or segregation of duties?

B. If there are risks relevant to financial reporting that management has decided to accept because of cost or other considerations, are the effects considered to be immaterial to the financial statements?

C. Does management consult with its auditors on (or make independent assessments of) new accounting issues or pronouncements?

Monitoring

The following questions are designed to assist the auditor in gaining an understanding of how the entity monitors the continued effectiveness of its internal controls. Unsatisfactory ("No") responses to particular questions do not necessarily mean that the entity's monitoring process is ineffective. The combined effect of responses should be considered when making that assessment.

A. Is senior management or the owner/manager sufficiently involved in the day-to-day operations of the business to identify significant variances from expectations?

B. Does management exercise reasonable control over operations so that there is an absence of crisis conditions in operations or accounting? (For example, well-organized work areas, no unusual delays, adequate documentation for all significant transactions, etc.)

C. Do company personnel, in carrying out their regular activities, obtain evidence as to the adequacy of the company's internal controls? (For example, is data used to manage operations periodically compared to financial reporting information?)

D. Does management or the owner/manager have a business or profit plan, budget, forecast, etc.?

E. Does management or the owner/manager understand and use the financial statements and required reports such as tax returns?

F. Does management or the owner/manager periodically review operating results or budget variations?

G. Is management or the owner/manager adequately involved in designing and approving accounting system procedures?

H. Does management or the owner/manager take appropriate follow-up action for identified problems or weaknesses in internal controls (including matters communicated by the auditors)?

I. Is information received from external parties (for example, customers or suppliers) compared to internally generated information?

J. Are there periodic comparisons of amounts recorded by the accounting system with physical assets?

EXHIBIT 3

EXAMPLE QUESTIONNAIRE FOR DOCUMENTING THE AUDITOR'S CONSIDERATION OF THE

CONTROL ENVIRONMENT, RISK ASSESSMENT, AND MONITORING (EXCERPT)


EXHIBIT 4

EXAMPLE QUESTIONS FOR DOCUMENTING THE AUDITOR'S

CONSIDERATION OF THE ENTITY'S COMMUNICATION PROCESS

A. Do accounting and key management personnel understand the duties and control responsibilities applicable to their jobs and the fact that their responsibilities contribute to the company's financial reporting objectives?

B. Do company personnel have a clear understanding of the types of problems that should be reported upstream to management or the owner/manager?

C. Are employees encouraged to report suspected improprieties to management or the owner/manager?

D. Are there established accounting policies and a current chart of accounts?

EXHIBIT 5

EXAMPLE QUESTIONNAIRE FOR DOCUMENTING THE AUDITOR'S

CONSIDERATIONS OF CONTROL ACTIVITIES (EXCERPT)

Accounts Receivable

(Receivable Balances and Sales)

Company: Balance Sheet Date:

CONTROL OBJECTIVES

1. Sales represent valid transactions (i.e., products shipped or services provided).

2. Sales of goods or services are recorded timely and accurately as to account, amount, and period.

3. Cash receipts are properly applied to customer accounts.

4. Customer returns or other allowances are approved and recorded accurately as to account, amount, and period.

5. All orders are appropriately approved for acceptance of credit risk, and doubtful accounts are recognized and provided for on a timely basis.

COMMON CONTROL PROCEDURES

Separation of Incompatible Duties and Restricted Access

1. Is the credit function independent of the billing function?

2. Are recording and approval of credit memos independent of handling cash and other accounts receivable bookkeeping?

3. Are billing and shipping independent of handling cash and accounts receivable bookkeeping?

4. Is billing independent of shipping and inventory custody?

5. Is customer-complaint follow-up independent of accounts receivable, bookkeeping, and handling cash?

6. Is maintenance of the accounts receivable subsidiary ledger independent of general ledger maintenance?
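Questions 1 through 6 above can be answered mechanically once the auditor knows who performs which duty. The following script is an added example written for this article, not part of PPC's questionnaire or the guide: it encodes the incompatible duty pairs named in those six questions, takes a constructed (hypothetical) list of who does what at a small client, and reports every person who holds both halves of a pair, together with the question that the conflict fails. The duty labels (credit_approval, ar_bookkeeping, and so on) are this example's own names, and the staffing in SAMPLE_ASSIGNMENTS is invented.

```python
"""Segregation-of-duties check for the accounts receivable cycle (added example)."""
from itertools import combinations

# Incompatible duty pairs, keyed by the Exhibit 5 question that asks about them.
# Duty labels are assumptions made for this example, not terms from the questionnaire.
SOD_QUESTIONS = {
    1: [("credit_approval", "billing")],
    2: [("credit_memo_approval", "cash_handling"),
        ("credit_memo_approval", "ar_bookkeeping")],
    3: [("billing", "cash_handling"), ("billing", "ar_bookkeeping"),
        ("shipping", "cash_handling"), ("shipping", "ar_bookkeeping")],
    4: [("billing", "shipping"), ("billing", "inventory_custody")],
    5: [("complaint_followup", "ar_bookkeeping"),
        ("complaint_followup", "cash_handling")],
    6: [("ar_subledger", "general_ledger")],
}

# Flattened lookup: unordered pair of duties -> question number.
INCOMPATIBLE = {frozenset(pair): q
                for q, pairs in SOD_QUESTIONS.items() for pair in pairs}

# Constructed staffing for a hypothetical small client (not real data).
SAMPLE_ASSIGNMENTS = {
    "owner": ["credit_approval", "credit_memo_approval", "general_ledger"],
    "bookkeeper": ["billing", "ar_bookkeeping", "cash_handling"],
    "warehouse": ["shipping", "inventory_custody"],
    "clerk": ["complaint_followup", "ar_subledger"],
}


def sod_conflicts(assignments):
    """Return sorted (person, duty_a, duty_b, question) tuples, one per
    incompatible pair of duties held by the same person."""
    found = []
    for person, duties in assignments.items():
        # Every unordered pair of that person's duties, checked against the table.
        for a, b in combinations(sorted(set(duties)), 2):
            question = INCOMPATIBLE.get(frozenset((a, b)))
            if question is not None:
                found.append((person, a, b, question))
    return sorted(found)


def answer_sod_questions(assignments):
    """Yes/No answer for each of questions 1-6: 'No' if any person holds
    both duties named in any pair the question covers."""
    failing = {q for _, _, _, q in sod_conflicts(assignments)}
    return {q: ("No" if q in failing else "Yes") for q in SOD_QUESTIONS}


if __name__ == "__main__":
    for person, a, b, q in sod_conflicts(SAMPLE_ASSIGNMENTS):
        print(f"Q{q}: {person} performs both {a} and {b}")
    print(answer_sod_questions(SAMPLE_ASSIGNMENTS))
```

In the constructed sample the bookkeeper both bills and handles cash and receivable bookkeeping, so question 3 is answered "No" while the other five are "Yes". As the Exhibit 3 instructions note for the control environment, a single "No" is a finding to weigh with the other responses, not by itself a conclusion that controls are ineffective; in a small business the compensating control is often the owner/manager review described under Monitoring.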

Recording

7. Documents:

a. Are prenumbered shipping documents, invoices, and credit memos maintained with the sequence checked?

b. Are voided and unused forms controlled?

c. Are approved price lists utilized for billing?

d. Are aged accounts receivable listings prepared (and periodically reviewed by an appropriate person)?

e. Are statements of accounts mailed to customers by the owner/manager or a person who is independent of accounts receivable bookkeeping?



©2009 The New York State Society of CPAs.