CASE STUDY 1
Internal Auditing: Assurance and Consulting Services, 2
© 2009 by The Institute of Internal AuditorsResearch Foundation, 247 Maitland Avenue, Altamonte Springs, FL 32701 USA CS1-2
when evaluating and opining on the organization’s overall system of internal controls.Likewise, the internal audit function must consider management’s results, as well as their ownindependent assessment of entity-level controls when developing an internal audit plan anddesigning tests of process-level and transaction-level controls. Since an assessment of anorganization’s entity-level controls is made at periodic intervals, it typically will not benecessary to perform an assessment of the effectiveness of entity-level controls on eachengagement. However, the internal auditor should consider the results of the entity-levelcontrols assessment when planning individual engagements to ensure the approach to testingprocess-level and transaction-level controls is effective and efficient.
Importance of Entity-level Controls
It should be intuitive that not all controls are created equal. For example, as discussed inChapter 13, “Conducting the Assurance Engagement,” a variety of actions make up a process.All may have a role in achieving the final result, but only a few are truly critical to theoutcome; that is, their absence would make it difficult to achieve the desired result. Thesecritical actions are referred to as key controls. Similarly, controls at the organizational levelmay impact the system of internal controls differently than the more tactical controls at theprocess level or transaction level. Therefore, it is important to understand how such controls,particularly those that operate across the entire organization (that is, entity-level controls), mayimpact the system of internal controls.One of the most widely publicized and well known examples of entity-level controls breakingdown is Enron Corporation. While Enron was known to have sophisticated controls and risk management capabilities supporting many of their detailed processes, breakdowns in controlsat the board and senior management levels contributed to one of the most significant companyfailures in history. A closer look at what went wrong at Enron, as well as with some otherhighly publicized financial failures, can provide a glimpse into the importance of strong entity-level controls.
Research Enron Corporation (U.S.A.), WorldCom (U.S.A.), Parmalat SpA(Italy), and Barings Bank (England). Be prepared to answer the following questions:
What were the primary causes for each of these failures?
Which of those causes appear to represent entity-level control breakdowns?
What actions by the board or management may have prevented these breakdowns fromoccurring?After answering the questions in the exercise above, it should be clear why it is so importantfor organizations to establish a strong entity-level control environment.
Historical and Current Perspectives on Entity-level Controls
Most types of entity-level controls have been in existence for many years. Many such controlsare intuitive and would be implemented by organizations whether required by regulations ornot (for example, establishing governance bodies and implementing a code of ethics). Othershave become commonplace in reaction to frauds or other scandals (for example, whistleblower
The first article in this series of two on Paper P7 case study questions discussed question style, what to look for in the requirements, how higher-level skills are tested, and the meaning of professional marks within a question requirement. This second article goes through part of a typical Section A case study question, applying the recommended approach described in the previous article. This approach comprises four stages.
STAGE 1 – UNDERSTANDING THE REQUIREMENT
The first thing to do is to read and fully understand the question requirement. Here is the requirement we will be looking at in this article:
‘Prepare a report, to be used by a partner in your firm, in which you identify and evaluate the professional, ethical, and other issues raised in deciding whether to accept the appointment as provider of an assurance opinion as requested by Petsupply Co.’ (12 marks)
Note: this requirement includes two professional marks.
Having read the requirement, break it down. You are asked to do two things:
- identify, ie state from the information provided
- evaluate, ie discuss from a critical point of view.
The requirement asks you to consider ‘professional, ethical, and other issues’. This could cover a wide range of considerations, such as:
- ethics: independence, competence, conflicts of interest, confidentiality, assessing integrity
- professional issues: the risk profile of the work requested, the fee – and whether it is sufficient to compensate for high risk, availability of staff, managing client expectations, logistical matters such as timing, legal and regulatory matters – such as money laundering, and (in some cases) obtaining professional clearance
- other issues: whether the work ‘fits’ with the commercial strategy of the audit firm, the potential knock-on effect of taking on the work – such as the impact on other clients, or on other work performed for this client.
You are asked to produce a report, so remember that the professional marks available will be awarded for using the correct format, the use of professional business language, and for presenting your comments as a logical flow culminating in a conclusion.
From reading the requirement, you know that the question scenario will be based on a potential assurance assignment and will be broadly based around acceptance issues.
STAGE 2 – READING THE SCENARIO
When reading through the detail of the scenario, you should now be alert to information relevant to this requirement. Highlight important points that you think are relevant to the scenario and remember to focus on issues that could affect your acceptance of a potential assurance assignment.
Now read the following extract from the scenario and highlight the salient points – remember to look out for any factors relevant to the ethical, professional, and other issues described above.
Extract: You are a senior manager in Dyke & Co, a small firm of Chartered Certified Accountants, which specialises in providing audits and financial statement reviews for small to medium-sized companies. You are responsible for evaluating potential assurance engagements, and for producing a brief report on each prospective piece of work to be used by the partners in your firm when deciding whether to accept or decline the engagement. Dyke & Co is keen to expand the assurance services offered, as a replacement for revenue lost from the many small‑company clients choosing not to have a statutory audit in recent years. It is currently May 2007.
Petsupply Co has been an audit client of Dyke & Co for the past three years. The company owns and operates a chain of retail outlets selling pet supplies. The finance director of Petsupply Co recently communicated with your firm to enquire about the provision of an assurance report on data provided in the Environmental Report published on the company’s website. The following is an extract from the e-mail sent to your firm from the finance director of Petsupply Co:
‘At the last board meeting, my fellow directors discussed the content of the Environmental Report. They are keen to ensure that the data contained in the report is credible, and they have asked whether your firm would be willing to provide some kind of opinion verifying the disclosures made. Petsupply Co is strongly committed to disclosing environmental data, and information gathered from our website indicates that our customers are very interested in environmental matters. It is therefore important to us that Petsupply Co reports positive information which should help to retain existing customers, and to attract new customers. I am keen to hear your views on this matter at your earliest convenience. We would like verification of the data as soon as possible.’
You have looked at Petsupply Co’s Environmental Report on the company website, and found a great deal of numerical data provided, some of which is shown below in Table 1.