Please complete this summary case. Additional information is available if needed (just let me know)

CASE STUDIES Case Study 1: Auditing Entity-Level Controls An illustrative business objective and associated business risk that reflect the company's philosophy regard- ing ethical conduct are expressed as follows: Business Objective: To demonstrate sound ethical conduct in everything we do. Business Risk: Disregard for sound ethical principles, either intentional or unintentional, may cause managers and employees to cut corners, embellish performance results, misuse company resources, or otherwise act in a manner that harms the company and its stakeholders. Use the business objective and business risk stated above as the basis for answering the following ques- tions. As he or she deems necessary, your instructor will facilitate the formulation of collective answers to certain questions that will serve as uniform starting points for answering subsequent questions. Scenario 1 Activities 1. Management asserts that entity-level controls are designed adequately and operating effectively to reduce the above stated risk to an acceptably low level. Identify the key entity-level controls you expect to find in place if management's assertion is true. Keep in mind that entity-level controls may exist in any of the five COSO components of internal control (control environment, risk assessment, controls, information and communication, and monitoring). [Note: Students are encouraged to review exhibit CS 1-4, but answers should be case-specific.] 2. Many elements of the control environment are "soft" in nature. They may, for example, involve senior management behavior that intrinsically leaves little, if any, audit trail. An example of a soft control that you may have included in your answer to question 1 above is expressed as follows: Senior management fosters a strong corporate ethical climate by what they say and what they do. They lead by example when faced with tough business decisions involving ethical ramifications. a. Identify the audit procedures you would use to determine whether this control exists within SHR Corporation. Be specific. b. Assume that this control does in fact exist within SHR Corporation. 1. Identify the audit procedures you would use to determine whether it is operating effectively. Be specific. Keep in mind that you need to build a sufficient body of appropriate evidence to support a valid conclusion. 2. Describe the evidence you might find that would indicate operating effectiveness. 3. The PCAOB's Auditing Standards No. 5 indicates that entity-level controls include both 1) controls to monitor other controls and 2) controls to monitor results of operations. Provide an example of each type of monitoring control that would be useful in mitigating the business risk expressed above. CASE STUDIES Case Study 1: Auditing Entity-Level Controls 4. Study the scenario presented below about SHR Corporation's entity-level controls over the company's ethics program. SHR Corporation has a reputation of sound ethical conduct. In recent years, however, the company has not had to deal with an economic downturn, the level of new competition it is now facing, or the decreasing profitability it has experienced during the first two quarters of 2018 Three years ago, the company put in place a comprehensive, written code of conduct (the Code) that is applicable to directors, management, and employees. The Code is posted on the organization's web- site and intranet. All new employees receive a copy of the Code when they are hired and participate in orientation training that includes coverage of the Code. Some minor revisions were made to the Code during the first few months after its introduction, but no changes have been made since then. A whistleblower program that includes an anonymous hotline was put in place last year for employees and third parties to report suspected violations of the Code. The vice president of internal audit and her direct reports monitor the whistleblower hotline and report suspected violations of the Code to appropriate levels of management and/or the audit committee. Calls on the anonymous hotline have been infrequent, with very few suspected Code violations of a significant nature being reported to senior management or the audit committee. The internal audit function (internal auditing) recently surveyed senior management and the audit committee regarding the company's ethics program and conducted follow-up interviews with the audit committee chair and selected members of the senior management team. These procedures pro- duced the following information: The audit committee's charter does not include an explicit provision for overseeing senior man agement's ethical conduct or monitoring its adherence to prescribed internal control policies and procedures. The audit committee chair is confident, however, that any misconduct on the part of senior management would come to light via the company's whistleblower program and the committee's quarterly meetings with the vice president of internal audit. The senior management team informally holds each other accountable for complying with the Code. Senior management believes that it clearly conveys the importance of ethical conduct and com- pliance with the Code via emails, webcasts, and town hall meetings. Senior management's assessed level of inherent ethical misconduct risk has remained consis- tently low over the past three years. Internal audit separately surveyed a sample of managers and employees regarding the company's eth- ies programs and received responses from 75 percent of the survey recipients. This survey produced the following information: All company personnel are required to certify in writing on an annual basis that they under stand and are in compliance with the Code. Follow-up procedures performed by internal audit indicated that 80 percent of managers and 90 percent of employees submitted the fiscal 2017 certification. CASE STUDIES Case Study 1: Auditing Entity-Level Controls 50 percent of the respondents said that they referred to the Code one or more times during 2017, Managers commonly discuss business ethics during employee performance evaluations, but written performance evaluation standards do not include ethical conduct criteria. No formal pro- visions exist for rewarding personnel who demonstrate sound ethical behavior or for disciplining those who demonstrate unethical behavior. Managers and employees are unenthusiastic about using the anonymous whistleblower hotline, largely because they see no evidence that appropriate actions will be taken to address unethical conduct. Periodic ethics training is encouraged but not required. The company offers no ethics training in-house, other than that provided to new employees. Managers and employees in general believe that senior management is ethical. They also believe, however, that senior management does very little to inform them about the company's ethical policies. Less than 50 percent of the respondents could recall hearing or reading anything about business ethics from senior management during the first six months of 2018. A smaller percent age was aware of senior management's ethics is good business statement in the 2017 annual report. One manager included a written comment in his survey response indicating a perception that senior management appears to be preoccupied with the lackluster performance results the com- pany is achieving. a. Identify the strengths and weaknesses in SHR Corporation's entity-level controls over the com- pany's ethics program. Be sure to consider both governance and management-oversight controls. Propose specific recommendations to rectify the weaknesses noted. Based on the information provided, formulate an overall conclusion about the effectiveness of SHR's entity-level controls over its ethics program. b. Discuss how the entity-level controls relating to the company's ethics program might affect senior management's decisions given the nature of the risks the company now faces. Provide some examples. c. Discuss how the entity-level controls relating to the company's ethics program might affect man agers and employees' behavior at the business process level. Provide some examples. d. Discuss how SHR's entity-level controls over the company's ethics program may impact your sub- sequent audit of controls over the company's purchases and accounts payable process. More spe- cifically, discuss how your conclusion would affect your: 1. Professional skepticism. 2. Assessment of process-level inherent risks. 3. Approach to evaluating the design adequacy of process-level controls. 4. Inclination to perform direct tests of transactions in search of indirect evidence to support your conclusion about the design adequacy and operating effectiveness of process-level con- trols. CASE STUDIES Case Study 1: Auditing Entity-Level Controls 3. Assume that internal audit concludes that the effectiveness of SHR's entity-level controls over its ethies program is significantly deficient but not to the level of a material weakness. Prepare a scenario in which the combination of the deficiencies in the entity-level controls over the company's ethics pro- grams and deficiencies in related entity-level controls could rise to the level of a material weakness. Hint: consider entity-level controls pertaining to the company's hiring and compensation practices. Scenario 2: Using IT to Gain a Competitive Edge Judiciously leveraging advances in IT is a fundamental enabler of SHR's business strategy. In fact, SHR is recognized within the industry as a leader in the use of IT to gain operational efficiencies. For example, SHR implemented electronic data interchange (EDI) with its primary vendors several years ago to stream line its purchasing process and to maintain an uninterrupted flow of incoming inventory to its distribution centers and retail stores. The company places special emphasis on IT controls. Illustrative business objectives and associated risks pertinent to SHR's heavy reliance on IT are expressed as follows: Business Objective 1: Align the company's IT strategies with its business strategies. Judiciously lever age advances in IT to streamline the company's business processes and information systems, gain oper ational efficiencies, and increase shareholder value. Business Risk la: Insufficient, irrelevant, unreliable, inaccurate, and/or untimely information may cause management to make poor IT investment decisions. Business Risk ib: Failure to effectively and efficiently integrate acquired IT resources into business processes may adversely affect operational performance and cause unacceptable returns on IT invest ments. Business Objective 2: Safeguard the company's resources against misuse and loss. Business Risk 2: Unauthorized company personnel and/or outside parties may access the company's information systems and misuse or misappropriate proprietary information and other assets. Business Objective 8: Accurately record all valid, and only valid, purchase transactions on a timely basis. Business Risk Sa: Failure to record a valid purchase transaction may cause inventory and accounts payable to be understated. Business Risk 3b: Recording an invalid purchase transaction may cause inventory and accounts pay able to be overstated. Business Risk Se: Recording a valid purchase transaction in the wrong accounting period may cause inventory and accounts payable to be understated or overstated. CASE STUDIES Case Study 1: Auditing Entity-Level Controls An illustrative business objective and associated business risk that reflect the company's philosophy regard- ing ethical conduct are expressed as follows: Business Objective: To demonstrate sound ethical conduct in everything we do. Business Risk: Disregard for sound ethical principles, either intentional or unintentional, may cause managers and employees to cut corners, embellish performance results, misuse company resources, or otherwise act in a manner that harms the company and its stakeholders. Use the business objective and business risk stated above as the basis for answering the following ques- tions. As he or she deems necessary, your instructor will facilitate the formulation of collective answers to certain questions that will serve as uniform starting points for answering subsequent questions. Scenario 1 Activities 1. Management asserts that entity-level controls are designed adequately and operating effectively to reduce the above stated risk to an acceptably low level. Identify the key entity-level controls you expect to find in place if management's assertion is true. Keep in mind that entity-level controls may exist in any of the five COSO components of internal control (control environment, risk assessment, controls, information and communication, and monitoring). [Note: Students are encouraged to review exhibit CS 1-4, but answers should be case-specific.] 2. Many elements of the control environment are "soft" in nature. They may, for example, involve senior management behavior that intrinsically leaves little, if any, audit trail. An example of a soft control that you may have included in your answer to question 1 above is expressed as follows: Senior management fosters a strong corporate ethical climate by what they say and what they do. They lead by example when faced with tough business decisions involving ethical ramifications. a. Identify the audit procedures you would use to determine whether this control exists within SHR Corporation. Be specific. b. Assume that this control does in fact exist within SHR Corporation. 1. Identify the audit procedures you would use to determine whether it is operating effectively. Be specific. Keep in mind that you need to build a sufficient body of appropriate evidence to support a valid conclusion. 2. Describe the evidence you might find that would indicate operating effectiveness. 3. The PCAOB's Auditing Standards No. 5 indicates that entity-level controls include both 1) controls to monitor other controls and 2) controls to monitor results of operations. Provide an example of each type of monitoring control that would be useful in mitigating the business risk expressed above. CASE STUDIES Case Study 1: Auditing Entity-Level Controls 4. Study the scenario presented below about SHR Corporation's entity-level controls over the company's ethics program. SHR Corporation has a reputation of sound ethical conduct. In recent years, however, the company has not had to deal with an economic downturn, the level of new competition it is now facing, or the decreasing profitability it has experienced during the first two quarters of 2018 Three years ago, the company put in place a comprehensive, written code of conduct (the Code) that is applicable to directors, management, and employees. The Code is posted on the organization's web- site and intranet. All new employees receive a copy of the Code when they are hired and participate in orientation training that includes coverage of the Code. Some minor revisions were made to the Code during the first few months after its introduction, but no changes have been made since then. A whistleblower program that includes an anonymous hotline was put in place last year for employees and third parties to report suspected violations of the Code. The vice president of internal audit and her direct reports monitor the whistleblower hotline and report suspected violations of the Code to appropriate levels of management and/or the audit committee. Calls on the anonymous hotline have been infrequent, with very few suspected Code violations of a significant nature being reported to senior management or the audit committee. The internal audit function (internal auditing) recently surveyed senior management and the audit committee regarding the company's ethics program and conducted follow-up interviews with the audit committee chair and selected members of the senior management team. These procedures pro- duced the following information: The audit committee's charter does not include an explicit provision for overseeing senior man agement's ethical conduct or monitoring its adherence to prescribed internal control policies and procedures. The audit committee chair is confident, however, that any misconduct on the part of senior management would come to light via the company's whistleblower program and the committee's quarterly meetings with the vice president of internal audit. The senior management team informally holds each other accountable for complying with the Code. Senior management believes that it clearly conveys the importance of ethical conduct and com- pliance with the Code via emails, webcasts, and town hall meetings. Senior management's assessed level of inherent ethical misconduct risk has remained consis- tently low over the past three years. Internal audit separately surveyed a sample of managers and employees regarding the company's eth- ies programs and received responses from 75 percent of the survey recipients. This survey produced the following information: All company personnel are required to certify in writing on an annual basis that they under stand and are in compliance with the Code. Follow-up procedures performed by internal audit indicated that 80 percent of managers and 90 percent of employees submitted the fiscal 2017 certification. CASE STUDIES Case Study 1: Auditing Entity-Level Controls 50 percent of the respondents said that they referred to the Code one or more times during 2017, Managers commonly discuss business ethics during employee performance evaluations, but written performance evaluation standards do not include ethical conduct criteria. No formal pro- visions exist for rewarding personnel who demonstrate sound ethical behavior or for disciplining those who demonstrate unethical behavior. Managers and employees are unenthusiastic about using the anonymous whistleblower hotline, largely because they see no evidence that appropriate actions will be taken to address unethical conduct. Periodic ethics training is encouraged but not required. The company offers no ethics training in-house, other than that provided to new employees. Managers and employees in general believe that senior management is ethical. They also believe, however, that senior management does very little to inform them about the company's ethical policies. Less than 50 percent of the respondents could recall hearing or reading anything about business ethics from senior management during the first six months of 2018. A smaller percent age was aware of senior management's ethics is good business statement in the 2017 annual report. One manager included a written comment in his survey response indicating a perception that senior management appears to be preoccupied with the lackluster performance results the com- pany is achieving. a. Identify the strengths and weaknesses in SHR Corporation's entity-level controls over the com- pany's ethics program. Be sure to consider both governance and management-oversight controls. Propose specific recommendations to rectify the weaknesses noted. Based on the information provided, formulate an overall conclusion about the effectiveness of SHR's entity-level controls over its ethics program. b. Discuss how the entity-level controls relating to the company's ethics program might affect senior management's decisions given the nature of the risks the company now faces. Provide some examples. c. Discuss how the entity-level controls relating to the company's ethics program might affect man agers and employees' behavior at the business process level. Provide some examples. d. Discuss how SHR's entity-level controls over the company's ethics program may impact your sub- sequent audit of controls over the company's purchases and accounts payable process. More spe- cifically, discuss how your conclusion would affect your: 1. Professional skepticism. 2. Assessment of process-level inherent risks. 3. Approach to evaluating the design adequacy of process-level controls. 4. Inclination to perform direct tests of transactions in search of indirect evidence to support your conclusion about the design adequacy and operating effectiveness of process-level con- trols. CASE STUDIES Case Study 1: Auditing Entity-Level Controls 3. Assume that internal audit concludes that the effectiveness of SHR's entity-level controls over its ethies program is significantly deficient but not to the level of a material weakness. Prepare a scenario in which the combination of the deficiencies in the entity-level controls over the company's ethics pro- grams and deficiencies in related entity-level controls could rise to the level of a material weakness. Hint: consider entity-level controls pertaining to the company's hiring and compensation practices. Scenario 2: Using IT to Gain a Competitive Edge Judiciously leveraging advances in IT is a fundamental enabler of SHR's business strategy. In fact, SHR is recognized within the industry as a leader in the use of IT to gain operational efficiencies. For example, SHR implemented electronic data interchange (EDI) with its primary vendors several years ago to stream line its purchasing process and to maintain an uninterrupted flow of incoming inventory to its distribution centers and retail stores. The company places special emphasis on IT controls. Illustrative business objectives and associated risks pertinent to SHR's heavy reliance on IT are expressed as follows: Business Objective 1: Align the company's IT strategies with its business strategies. Judiciously lever age advances in IT to streamline the company's business processes and information systems, gain oper ational efficiencies, and increase shareholder value. Business Risk la: Insufficient, irrelevant, unreliable, inaccurate, and/or untimely information may cause management to make poor IT investment decisions. Business Risk ib: Failure to effectively and efficiently integrate acquired IT resources into business processes may adversely affect operational performance and cause unacceptable returns on IT invest ments. Business Objective 2: Safeguard the company's resources against misuse and loss. Business Risk 2: Unauthorized company personnel and/or outside parties may access the company's information systems and misuse or misappropriate proprietary information and other assets. Business Objective 8: Accurately record all valid, and only valid, purchase transactions on a timely basis. Business Risk Sa: Failure to record a valid purchase transaction may cause inventory and accounts payable to be understated. Business Risk 3b: Recording an invalid purchase transaction may cause inventory and accounts pay able to be overstated. Business Risk Se: Recording a valid purchase transaction in the wrong accounting period may cause inventory and accounts payable to be understated or overstated