Sharon Gallagher (audit manager), Josh Thomas (audit senior), Ian Harper, and Suzie Pickering (both audit staff) are meeting to discuss their internal control assessment for Cloud 9. Sharon asks, What is the purpose of understanding Cloud 9s system of internal control? Ian answers, We need to understand the system in order to issue a report on internal controls over financial reporting. Sharon responds, If Cloud 9 were a private company, would we still need to understand the system of internal control? Suzie now jumps into the conversation. In every audit we need to understand the strengths and weaknesses in an entitys system of internal control. For Cloud 9, this helps us understand control risk and which internal controls to test. If Cloud 9 were a private company, we would still need to understand the system of internal controls to evaluate control risk and determine audit strategy. Sharon summarizes, You are right, Suzie. We need to understand internal controls at both the entity level and at the transaction level. This helps us assess risk. We hope to find sound internal control strengths at all levels, so we can test controls and support our opinion on internal controls since it is a public company. However, we should also be alert to any significant deficiencies or material weaknesses in internal controls. Both need to be reported to the board of directors and we need to include a discussion of any material weaknesses in our audit report on internal controls. This process all begins by understanding the internal controls that Cloud 9 has placed in operation. During an interview Josh and Sharon held with David Collier, CFO of Cloud 9, they learned a lot about the tone at the top at Cloud 9. Top-level management and the board of directors adopted a code of conduct that emphasizes the importance of management and other employees acting with integrity. Cloud 9s board members and senior managers attend training and awareness sessions on the code at least annually. In addition, there has been a rigorous process of embedding the codes main points throughout the companys policies and procedures, most of which have been rewritten in the previous two years. Josh intentionally conducts interviews with employees at all levels within Cloud 9. He finds that all employees have attended training on the code of conduct. Several accounting personnel add that while the company has financial goals to achieve, the emphasis from the top has been getting the financial numbers right. Accurate financial reporting is a top priority. A copy of the companys code of conduct and the policies and procedures are included in the audit working papers. Josh also writes a description of the companys efforts to communicate its approach to management integrity in the report. He assesses the control environment at Cloud 9 as likely to be effective. In their interview, Josh and Sharon ask David Collier about Cloud 9s risk assessment process. They want to know which risks management has identified so that they can consider whether those risks could cause a material misstatement in the accounts. They also want to know about the companys methods of responding to the identified risks. David Collier tells them that Cloud 9s management continually monitors its competitors activities. It also considers the risk of interruption to supplies because of shipping problems and labor disputes at production plants or transport companies. Other examples of risks that could have a major impact on the accounts are the use of forward exchange contracts to control the risks caused by purchasing in foreign currencies. Cloud 9 management is also very aware of risks associated with the just-in-time inventory system, which has had some problems lately, and has planned some changes to deal with those problems. Management is monitoring the risks of using a soccer player as a spokesperson for the brand, plus the broader risks arising fromsponsorship of the soccer team, because there has been a lot of adverse publicity about soccer players behavior over the past year. Such adverse publicity could impact negatively on sales. Cloud 9s management ensures that the soccer teams management keeps the companys management informed of players activities, where appropriate. Management has also assessed fraud risks, and it believes that between the companys code of conduct, tone at the top about its code of conduct, and strong system of internal controls, the incentives for fraud and the opportunity to commit fraud are minimal. Josh concludes from the interview and from Suzies review of documents including company plans, board minutes, and significant contracts and agreements that Cloud 9 has a potentially effective system of risk assessment because it actively searches out and considers potential risks to the business, and it has developed action plans to deal with each risk depending on its likely occurrence. Josh has significant experience in understanding information systems and, based on the interview with David Collier, which covered the information systems at a high level, Josh can conclude that the entity-level controls in this area are likely to be effective. Josh will gather further information in an interview with Cloud 9s financial controller, Carla Johnson. Based on this second interview and a review of the companys documents, he and Suzie will write a description of their understanding of the processes used in each of the major transaction cycles. In the interview with David Collier, Sharon and Josh ask questions about both the control activities and the monitoring of those activities at Cloud 9. Sharon and Josh are particularly interested in the systems used at the company to make sure that information about managements plans is transmitted throughout the organization and that there are policies and procedures to ensure that the appropriate actions are taken and reviewed. In addition to asking David Collier about these matters, Suzie reads the policy and procedures manuals. Josh and Suzie then take a tour of the offices and other facilities. For example, Cloud 9 has a tightly structured system of performance reviews. Managers at each level must report financial and operating performance against budgets at regular intervals. Higher-level managers are able to access information about activities within their area of responsibility for monitoring purposes through the information system. Although there have been some issues with theft of goods from the retail store, the losses have been contained following the installation of additional security, including cameras. Josh and Sharon have been particularly impressed with Cloud 9s thorough approach to appropriate segregation of duties. Josh is able to conclude that, at an entity level, there is sufficient evidence that these controls are potentially effective. He asks Suzie to review the specific controls that affect transaction processes in more detail and document their understanding of these processes. Josh finds that he is spending a great deal of time with Will Burton, Cloud 9s IT manager. Josh and Suzie have a number of questions for Will about what software programs are designed within the accounting system to process transactions; whether there have been any changes to those programs during the year; how changes are authorized, reviewed, and tested; who has access to programs and data files; and how access to programs and data is protected. Will walks the audit team through Cloud 9s principal data center, showing them various physical controls, and printouts and reports that Will receives regarding changes to system access and changes to various programs. Suzie inspects documentation regarding program changes, their authorization, and testing. The team is focused on adequacy of segregation of duties; controls over program changes, maintenance and updates; access controls, and plans for hardware and software upgrades. At this point, Suzie and Josh are just trying to obtain an understanding of IT general controls at Cloud 9. They know that testing will come later. When they are finished, Josh is satisfied that Cloud 9 has addressed the control issues that he is most concerned about. Overall the system design appears to be operating as planned, based on their questions, observation of Cloud 9 personnel, and preliminary inspection of reports from Cloud 9s IT system. If tests of controls show that IT general controls are effective, this will make testing applications more efficient, and increase the probability that the audit team can use a reliance on controls approach during the audit. Strong IT general controls are also critical to giving Cloud 9 an unqualified opinion on internal controls over financial reporting. Suzie will document their understanding of the various transaction processes. By performing a system walkthrough in each major accounting system, Suzie will document the flow of transactions and the documents that the client uses in the accounting system. Josh is particularly focused on transaction and account balance assertions, what can go wrong for each assertion, and the controls that the client has implemented to identify and correct potential misstatements. Suzie asks questions about what exception reports are generated by the system, and how items appearing on exception reports are cleared. She learns that some exceptions are noted only on computer terminals, and corrections must be made before transactions are processed further. Once the types of potential material misstatements and the controls that Cloud 9 has put in place to detect and correct any misstatements are understood, the audit team will consider the magnitude and likelihood of the misstatement in the financial statements. This will help narrow the risk assessment and determine what audit procedures should be performed. In addition, the audit team considers how errors in each financial statement assertion might occur. This analysis will guide the audit planning for additional substantive testing. Sharon and the audit partner can also decide if there are any material weaknesses that should be included in the management letter. Suzie knows that documenting her understanding of the processes is necessary for the team to identify control strengths that can be relied upon to justify reduced substantive testing. Substantive testing will be reduced if tests of those controls confirm that these design strengths are reflected in actual performance of the control system. Josh thinks he will need to discuss his assessment of control strengths and weaknesses with Sharon before finalizing the audit program. He needs her help to determine if some control weaknesses are compensated for by other strengths. They will also identify the most important controls to test. Some controls may actually be redundant; that is, another control exists that performs the same function. Suzie will prepare a flowchart or narrative to document her understanding of the different transaction processes. This will help her understand the stages at which errors can occur. She will include the entire process from the initiation of the transaction through to recording in the general ledger. Where appropriate, she will link several accounting processes together into one seamless flow of transactions. For example, as a first step she makes a simple diagram of the flow of transactions from initiation of a purchase order through to the cash payment to the supplier. The process comprises three smaller processes: initiating a purchase order through to receiving the goods as they arrive; receiving the purchase invoice from the supplier through to entering the invoice in the general ledger; and requesting cash payment through to recording the payment to the supplier. In the next step, the flow of transaction diagram will be supplemented with additional details of the IT tests and their disposition. Once Suzie has documented the audit teams understanding of Cloud 9s system of internal controls and her preliminary assessment of the systems strengths and weaknesses, Josh presents the document to Jo Wadley, the engagement partner of the audit. The audit team will gather additional evidence about the system of internal controls during the audit, and at the completion of the audit the senior members of the audit team will make a final assessment of Cloud 9s internal controls and write a management letter. Providing a management letter, including recommendations for future changes to the system of internal controls, is an important part of the auditors role. The management letter not only discharges the audit teams responsibilities to the client, but helps the client improve its systems. In turn, this will likely increase the quality of its financial reporting in the future and improve the efficiency and effectiveness of future financial statement audits. Sharon Gallagher and Josh Thomas have assessed the internal controls at Cloud 9 as being effective at an entity level. This means that, at a high level, the company demonstrates an environment where potential material misstatements are prevented or detected.

Question:

1. Prepare a flowchart, logic diagram, or narrative documenting your understanding of the revenue process for wholesale sales from making sales to recording sales invoices in the general ledger.

2. Identify any follow-up questions you should ask the client if aspects of the process are not adequately explained. You could address such questions to Carla Johnson or any other employee you deem appropriate.

3. For each assertion associated with recording wholesale revenue transactions, identify a control related to that assertion. If no controls are identified, recommend a control for the assertion.

4. Draw an overall conclusion about internal controls related to the recording of wholesale revenue transactions.