Professional standards indicate that an entity’s internal controls consist of five interrelated components. (a) What responsibility does an auditor have related to each of these five components? (b) One component of internal control is the entity’s control environment. What factors should an auditor consider when evaluating the control environment? (c) What red flags were present during the 1995 through 1997 audits of CUC that may have suggested weaknesses in CUC’s control environment?
What will be an ideal response?
[a] Internal controls consist of five interrelated components including the control environment, risk
assessment, control activities, information and communication, and monitoring. In all audits, the auditor
must obtain a sufficient understanding of internal controls to identify the types of misstatements that
can occur, determine the risk of misstatement, and determine the design of substantive tests.
The control environment sets the tone of the organization towards controls. It is the
foundation for all other components of internal control. This component has a pervasive effect
on internal control. Therefore, auditors should obtain an understanding of this component on all
audits to determine the risk of misstatement and the design of substantive tests.
Risk assessment is concerned with the process used by management to identify, analyze,
and manage risks relevant to the preparation of the financial statements. Auditors must obtain an
understanding of this component on all audits to determine the risk of misstatement and the design of
substantive tests.
Control activities are the specific policies and procedures established by management to
ensure that management directives are carried out. Auditors need to obtain an understanding of control
activities as they relate to identifying the type of misstatements that can occur, determining the risk of
misstatement, and determining the design of substantive tests.
The information and communication system consists of the methods and records established
to record, process, summarize, and report transactions and events and maintain accountability for
assets, liabilities, and equity. Auditors must obtain knowledge of the information system to understand
the major classes of transactions, how transactions are initiated, the types of accounting records and
documents used, processes from initiation to inclusion in financial statements, and processes used to
determine significant account estimates and disclosures. This information is needed to determine the
type of misstatements that can occur, risk of misstatement, and design of substantive tests.
Monitoring is concerned with the process used by management to assess the quality of internal
controls over time. Auditors must obtain an understanding of the monitoring system on all audits to
determine the risk of misstatement and design of substantive tests.
[b] As noted in the professional standards, factors to consider when evaluating the control environment
include:
Integrity and ethical values
Commitment to competence
Board of directors and audit committee participation
Management’s philosophy and operating style
Organizational structure
Assignment of authority and responsibility
Human resource policies and practices
[c] Factors present during the CUC audits suggesting a weaker control environment include:
Lack of appropriate board oversight because of the close financial ties of four members of CUC’s board of directors with Walter Forbes, chairman and chief executive officer
The aggressive management philosophy and operating style of CUC management as suggested by the Securities and Exchange Commission’s previous requirement that CUC’s financial statements be restated because of aggressive accounting practices
The aggressive management philosophy and operating style of CUC management as suggested by its emphasis on meeting analyst expectations
Many students will indicate that management lacked integrity and ethical values. When this factor
is raised, students can be asked to indicate the information that was present at the time the fraud
occurred that would have suggested management lacked integrity and ethical values. Students normally
note the fraud as evidence. At this point, students can be told that, in hindsight, it appears that management
lacked integrity and ethical values. Again, it is useful to ask students how the auditor would know this
before discovery of the fraud.