Team Osprey

Comptronix Case

10/28/10

1. Professional auditing standards present the audit risk model, which is used to determine
the nature, timing, and extent of audit procedures. Describe the components of the model
and discuss how changes in each component affect the auditor’s need for evidence.

The Audit Risk Model (ARM) is defined as:

a. Inherent Risk is the auditor’s measure of assessing whether material misstatements

b. Control Risk is the auditor’s measure of assessing the likelihood that the client’s
internal control system is unable to prevent or detect material misstatements
exceeding a tolerable level. In assessing the level of the Control Risk, the auditor will
assess the effectiveness of the firm’s internal control system during his audit, e.g.
through questionnaires. The lower the effectiveness of internal controls the greater the
frequency of error.
c. Detection Risk is the auditor’s measure of assessing the likelihood that the auditor
won’t detect material misstatements. Auditors will carry out more audit work to
increase the detection rate if Internal Risk and Control Risk are too high in order to
meet the Audit Risk target.

When applying the Audit Risk Model, the auditor has to determine a target level of Audit
Risk that is in accordance with providing reasonable assurance. The Internal Risk and Control
Risk can be pooled together as Occurrence Risk (OR), i.e. the risk of the existence of
misstatements before the actual audit. The Detection Risk on the other hand is the risk of the
existence of misstatements during the actual audit. The first step in applying the Audit Risk
Model is to determine a tolerable level of Audit Risk. In the next step the Audit Risk is
decomposed into its three components. The auditor has no control over the Internal Risk and
Control Risk but must assess their levels in order to determine the level of Detection Risk that
is sufficient to achieve the target Audit Risk. The Detection Risk can be influenced by the
extent of testing.

Applying the formula of the Audit Risk Model, the auditor will need to perform more testing,
that is collect more evidence, and thus reduce the Detection Risk, in case the level of Internal
 Risk and/or Control Risk is high in order to achieve (maintain) the target. The Detection Risk
can be influenced by the nature, timing, and extent of the audit procedures.

2. One of the components of the audit risk model is inherent risk. Describe typical factors
that auditors evaluate assessing inherent risk. With the benefit of hindsight, what inherent
risk factors were present during the audits of the 1989 through 1992 Compronix financial
statements?

Internal Risk is the auditor’s measure of assessing whether material misstatements exist
in the financial statement before considering the effectiveness of internal controls. Besides
factors related to the peculiar assertion, the auditor needs to take external circumstances into
account that might influence the Internal Risk. Those can comprise the nature of business and
industry, the integrity of management, the size of account balances, the existence of related
parties, the lack of sufficient working capital to continue operations, etc. Taking into account
those numerous factors, professional judgment has to be applied by the auditor.

Examples of accounts that pose low Internal Risk comprise traded securities or fixed
assets in contrast to accounts with high Internal Risk such as those for which estimates have to
be used or complex calculation have to be conducted.

With hindsight the following inherent risk factors were present:

• Fictitious purchases of equipment - An audit that would have included a physical inspection
of Comptronix’s equipment might have revealed that certain recognized assets do not exist or
that considering the age of and thus the depreciation for the equipment that certain pieces of
equipment are not worth their book values.

• Fictitious accounts payments for the equipment - Besides auditing in a manner that would
have revealed the nonexistence of certain purchases of equipment the auditors could have also
audited check records and bank statements to see where and by whom the checks were cashed in.
This would have revealed that the checks were never cashed in by a third, outside party, but were
cashed internally.

• Fictitious sales and accounts receivables - In the same manner as with the fictitious accounts
for equipment, the auditor could have checked the inventory to verify the decrease in inventory
of goods for sale as well as the payments by the customers. The former would have revealed the
lack of sales while the latter would have revealed the lack of external customers for no outside
party deposited money in Comptronix’s account. Another approach would have comprised
matching the sales with the order papers and invoices. Here the auditor would have realized that
there are no records for the bogus sales and hence no sales were realized.
3. Another component of the audit risk model is control risk. Describe the five components
of internal control. What characteristics of Comptronix’s internal control increased control
risk for the audits of the1989 – 1992 year-end financial statements?

Control risk is an auditors’ assessment of the internal control systems of a company. This also
includes the attitude and expertise directors and management have towards internal controls. If
control risk is high then the amount of substantive procedures that have to be conducted
increases accordingly.

The internal control: Integrated Framework published 1994 by COSO breaks effective internal
control into five interrelated components:

• control environment

• risk assessment

• control activities

• information and communication

• monitoring

The control environment encompasses the internal control framework and is considered a
foundation for all other elements. Included factors are integrity, ethical values, competence,
management’s philosophy, operating cycles, assignment of authority and the attention and
direction provided by the board. Generally the control environment materializes in a written
statement being the code of conduct.

The risk assessment is best described as the means of identifying and analysing internal and
external risks to the achievement of financial reporting control objectives. Control activities are
developed to address each control objective and to minimize risks identified.

Information and communication from management to personnel must be clearly stated and
should stress that control responsibilities must be taken seriously. The personnel must understand
its role in the internal control system. Thus the company identifies methods and procedures by
which right information is provided to the right people.

Finally, monitoring is the process (internal or external) to evaluate the performance of the
internal control system over time.

At Comptronix various factors increased the control risk for the company. First, the loss of one
of the major customers is a circumstance that increases control risk as management has an
incentive to misstate earnings and other accounts to stay profitable. Second, the accounting
system could be bypassed by management with factious manual entries. This increases control
risk as it grants unlimited authority to top management for changing and manipulating accounts.
Also cash disbursements could be approved by management based solely on an invoice. Finally
the computerized accounting system in the shipping department, which constitutes a good
internal control device, could be accessed and manipulated by the controller. In summary
management had too much authority to enter and change the electronic accounting systems of the
company, while there were no double checks in place to verify and control manual changes in
the system.

4. The board of directors, and its audit committee, can be an effective corporate
governance mechanism.

a) Discuss the pros and cons of allowing inside directors to serve on the board. Describe
typical responsibilities of audit committees.

Inside directors on the board can facilitate its effectiveness by establishing strong connections
between the board and day to day business. However, inside directors can also comprise the
independence of the board when it comes to personal interests. For example, the ability of the
board to set bonuses that are tied to performance and salaries of management is an important
argument against inside directors. Another common topic in research is that adding insiders to
the board of directors reduces board monitoring. On the other hand, a study by George
Drymiotes shows that a less independent board, one that also looks after the agent’s interests to
some degree, can sometimes fulfil its monitoring role more effectively than a board that is
completely independent. A fully independent board’s inability to commit to a specific level of
monitoring effort makes monitoring ineffective. Having insiders as part of the board, however,
shifts the board’s interests closer to those of the agent and mitigates the board’s incentives to
short-change the agent (Drymiotes, 2007). The paper also suggests that any other mechanisms
that align the board’s interests, to some extent, with those of the manager may be beneficial to
organizations. For instance, board and management interests can become more aligned when
management owns a portion of the firm. Giving management a share of the firm means that a
group of shareholders is managing the firm. Importantly, this particular group of shareholders
finds ex post monitoring desirable, the same way inside directors do. Thus, a board representing
shareholder interests may have stronger incentives to monitor the agent ex post.

The audit committees’ responsibilities can be summarized as assisting the board of directors in
verifying:

• the integrity of the company’s financial statements

• the independence, integrity, qualification and performance of the external auditors

• the performance of the company’s internal audit functions

• the appropriateness of the internal control systems

• the monitoring of compliance with laws and regulatory requirements and the code of conduct
 b) What strengths or weaknesses were present related to Comptronix’s board of directors
and audit committee?

First of all the CEO and COO of Comptronix represented management of the board which
constitutes already for 28.6% of the board of directors. Despite the evidence above and
considering that the managers engaged in fraud, the high percentage of inside directors on the
board is a considerable weakness. Moreover, the remaining five outside board directors, rather
undermined than strengthened the board’s independence: Two of them had close affiliations with
management, the other maintained relations that were not that apparent at first glance, but
nevertheless substantial. One, for example, was the partner in the venture capital firm that owned
over 5% of Comptronix. Finally four annual board meetings seem to not have been sufficient to
exert control over management.

Concerning the audit committee it can be maintained that it was neither independent nor
qualified. The committee members, two outside and one gray director, were drawn from the
board of directors which was already evaluated as not being independent. Furthermore, not any
of the members had accounting or financial reporting backgrounds, therefore lacking crucial
expertise and experience in their function as an audit committee.

5. Public Companies must file quarterly financial statements in Form 10-Qs, that have been
reviewed by the company’s external auditor. Briefly describe the key requirements of
Auditing Standards (AU) Section 722, Interim Financial Information. Why wouldn’t all
companies (public and private) engage their auditors to perform timely reviews of interim
financial statements?

The SEC requires all public companies to have quarterly financial statements reviewed
by the external auditor on a timely basis. SAS No. 71 provides guidance on the nature,
timing, and extent of procedures to be applied by the independent accountant in
conducting a review of interim financial information. The objective of a review of
interim financial information is to determine whether material modifications should be
made for such information to conform with GAAP. A review of interim financial
information consists principally of inquiries and analytical procedures. It does not
include (1) tests of accounting records, (2) the evaluation of corroborating evidential
matter in response to inquiries, or (3) other normal procedures ordinarily performed
during an audit. Thus, the accountant does not obtain reasonable assurance that would
serve as the basis for an opinion on that financial information.
In performing a review of interim financial information, the accountant needs to have
sufficient knowledge of a client’s internal control as it relates to the preparation of both
interim and annual financial statements. That knowledge assists the accountant in
identifying the likelihood of potential material misstatements in interim financial
information and in selecting the inquiries and analytical procedures that will provide the
accountant a basis for reporting whether material modifications should be made to the
interim financial information in order for it to conform to GAAP.
 Non-public companies are not required to engage independent accountants to perform a
review of interim financial statements. Thus, a private company’s decision to engage an
independent accountant to conduct a review of interim financial information is a cost-
benefit decision. The services associated with obtaining such a review require time and
money. If top executives and the board of directors do not believe the related benefits
exceed the costs, then they are not likely to engage independent accountants. The
guidance in SAS No. 71 applies to interim financial information that is included in a note
to the audited financial statements of a non-public company. If the interim financial
information for the non-public company is presented in a separate complete set of interim
financial statements, the accountant should comply with the AICPA’s Statements on
Standards for Accounting and Review Services.
Recently, there has been increased attention on interim reviews because of alleged
financial reporting fraud involving interim financial statements. The SEC requirement
for timely interim reviews for public companies was sparked by the February 1999
Report and Recommendations of the Blue Ribbon Committee on Improving the
Effectiveness of Corporate Audit Committees (the Blue Ribbon Report). That report
included a recommendation that the SEC require a reporting company’s outside auditor to
conduct a SAS No. 71 interim review prior to the company’s filing of its Form 10-Q with
the SEC. According to the Blue Ribbon Panel’s report, the “increased involvement by
the outside auditors and the audit committee in the interim financial reporting process
should result in more accurate interim reporting.”
.

7. Provide a brief summary of each of the three fraud conditions. Additionally, provide an
example from the Comptronix fraud of each of the three fraud conditions.

1) Incentive or pressure to perpetrate fraud – Bonus for superb performance. Company award
stock incentive to key employees
2) An opportunity to carry out the fraud – Executive positions that may bypass existing account
system. Internal controls are insufficient. Board of directors composes of mostly internal
directors and acquaintances.
3) Attitude or rationalization to justify the fraudulent action. – helped company avoiding
reporting net losses.

8. Auditing Standards (AU) Section 316, Consideration of Fraud in a Financial Statement

a) What do you think is meant by the term “management override”?

Management override can be defined as the possibility for management to circumvent internal
controls that appear to work efficiently, in order to manipulate accounting records and preparing
fraudulent financial statements directly or indirectly. As the internal control system is expected
to function properly, the ways in which management can override controls are unpredictable.

b) Provide two examples of where management override of controls occurred in the

The executives were able to bypass the existing accounting system. They could record fictitious
journal entries of sales and purchases manually inventing some customer order numbers and
quantities that did not exist and obviously were not cross-checked with other internal systems,
like the customer order- or inventory system.

Next to that it was possible to record fictitious purchases of equipment without creating the
necessary documents accompanying such purchases. The internal control failed to detect this
irregularity.

Another example is the possibility of overriding control systems over cash disbursements. With a
fictitious vendor invoice it was possible to make an accountant payable clerk prepare a check
without the necessity to crosscheck whether the delivery of the goods actually took place or an
order number generated by the vendor existed that should have been found on the invoice later
on.

c) Research AU Section 316 to identify the three required auditor responses to further
address the risk of management override of internal controls

Paragraphs 58 – 67 in Section 316 of the Auditing Standards by the PCAOB describe procedures
that should be performed to further address the risk of management override of controls. The
three main responses that should be undertaken by the auditor are as follows:

1. Examining journal entries and other adjustments for evidence of possible material
misstatement due to fraud.

Material misstatements due to fraud mostly occur by:

a. recording inappropriate or unauthorized journal entries throughout the year or at period

b. making adjustments to amounts reported in the financial statements that are not reflected
in formal journal entries due to consolidating adjustments, report combinations and
reclassifications.

Therefore, the auditor should test the appropriateness of journal entries recorded in the general
ledger and other adjustments. In particular, the auditor should:

• Obtain an understanding of the entity's financial reporting process and the controls over
journal entries and other adjustments
 • Identify and select journal entries and other adjustments for testing

• Determine the timing of the testing

• Inquire of individuals involved in the financial reporting process about inappropriate or

2. Reviewing accounting estimates for biases that could result in material misstatement due to
fraud.

The assumptions and resulting accounting estimates that management has to make to prepare the
financial statements affect the underlying accounting techniques and figures. Therefore, a lot of
fraudulent financial reporting is done by intentional false estimations of management. The
auditor’s task is to consider retrospectively whether single estimates are supported by audit
evidence and whether the ones that underlie the reported financial figures widely diverge and, if
so, investigate whether the assumptions and accounting estimates were intentionally biased in
part of management. Thereby, the auditor should test those accounting estimates that are based
on highly sensitive assumptions or are otherwise significantly affected by management
judgements. If single management estimates were biased, affecting the financial figures
materially, the auditor should investigate whether there have been circumstances that led to this
bias and if these circumstances can constitute a risk for financial statement fraud. Also the
estimates taken as a whole should then be re-considered by the auditor.

3. Evaluating the business rationale for significant unusual transactions.

Transactions that are outside the normal course of business for the company or entity
investigated or that appear to be unusual should be investigated by the auditor .It should also be
evaluated whether there is an underlying rationale behind those transactions or whether they are
possibly an indication of fraudulent financial reporting

To understand the underlying rationale for the transactions in question, the auditor should
investigate:

• Whether the form of such transactions is overly complex (e.g. whether it involves multiple
entities within a consolidated group or unrelated third parties)

• Whether management has discussed the nature of and accounting for such transactions with
the audit committee or board of directors

• Whether management is placing more emphasis on the need for a particular accounting
treatment than on the underlying economics of the transaction

• Whether transactions that involve unconsolidated related parties, including special purpose
entities, have been properly reviewed and approved by the audit committee or board of directors
 • Whether the transactions involve previously unidentified related parties or parties that do not
have the substance or the financial strength to support the transaction without assistance from the
entity under audit