ABC Retailers — Internal Controls Accounting, Finance Case Study

1. According to PCAOB Auditing Standard (AS 2201)
(https://pcaobus(dot)org/Standards/Auditing/Pages/AS2201.aspx), what factors should auditors consider when evaluating the severity of a deficiency in a control that directly addresses a risk of material misstatement?
2. PCAOB AS 2201 distinguishes the difference between a deficiency in design and a deficiency in operation. Does the Assistant Controller’s failure to adequately review the Vendor Change Form represent a deficiency in the design or operating effectiveness of the control?
3. Based on guidance in AS 2201, determine if the failure in the vendor request change form control indicative of a material weakness in internal control over financial reporting.
4. SEC Regulation S-K requires that management provide a report on a registrant’s ICFR in the company’s Form 10-K. Assuming the company and the auditor concluded that this internal control failure indicates a material weakness in internal control, what information would the company be expected to disclose?
5. In light of the identified deficiency, auditors should consider a possibility that the deficiency may have an impact on other controls, and/or the similar problem may exist in other controls. What implications does the failure to adequately review the Vendor Change Form have on other controls?

1 ABC Retailers — Internal Controls Introduction This case gives students an opportunity to (1) understand the process of evaluating identified control deficiencies; (2) understand the annual disclosure requirements for management’s report on internal control over financial reporting (ICFR); and (3) determine the effect of identified control deficiencies on other controls. Students are required to read the case and address the five questions listed on the last page. Background ABC Retailers Inc. (ABC or the “Company”) is a U.S. public company that files quarterly and annual reports with the Securities and Exchange Commission (SEC). ABC is a leading retail chain operating more than 100 department stores across the continental United States. ABC department stores offer customers a variety of nationally advertised products, including clothing, shoes, jewelry, and other accessories. The Company’s supply chain of products is managed through a single warehouse and distribution facility located in Kansas City, Missouri. ABC has a centralized accounting and finance structure at its corporate headquarters, where all processes and controls related to all substantive account balances occur, including controls related to accounts payable and the Vendor Master File. ABC recognizes revenues from retail sales at the point of sale to its customers. Discounts provided to customers by the Company at the point of sale, including discounts provided in connection with loyalty cards, are recognized as a reduction in sales as the products are sold. Cost of goods sold for the Company primarily consist of inbound freight and costs relating to purchasing and receiving, inspection, depreciation, warehousing, internal transfer, and other costs of distribution. Facts Audit Issue On June 1, 2018, the Accounts Payable (AP) Manager received an e-mail inquiry about the process required for a vendor to change its bank account information. The e-mail was sent from John Smith at a domain address listed as “Watch-Makers.” Watch Makers is a manufacturer that supplies ABC-branded watches to ABC’s west region department stores. In addition, John Smith is the primary contact at Watch Makers with whom the Company typically interacts. The AP Manager responded to the e-mail request on June 15, 2018, with the procedures required of the vendor, which include completing a vendor bank account request form. On June 20, 2018, the AP Manager received a reply e-mail from John Smith at “Watch-Makers” with a completed vendor bank account request form, which included John Smith’s signature, new bank account information, and other related information. Upon receiving the vendor bank account request form, the AP Manager completed a separately required Vendor Change Form for internal processing. The Vendor Change Form is completed for new vendors or changes to existing vendors’ information, including bank account information. The AP Manager sent the completed Vendor Change Form to ABC’s Assistant Controller, who reviewed and approved the request on June 24, 2018. The bank account information was updated within the Vendor Master File on June 26, 2018. 2 Throughout the month of July, valid Watch Makers invoices were processed through the Company’s accounts payable process, and the valid invoices were paid in accordance with the Company’s processes for cash disbursements and wire transfers. However, because the bank account information for Watch Makers was changed (as a result of the June 1, 2018, e-mail request) approximately $2 million in payments was wired to an incorrect bank account. On August 2, 2018, the Company received an inquiry from Watch Makers about the expected timing of the $2 million in outstanding invoices. As a result of the direct interaction with Watch Makers’ employee John Smith, the Company determined that the previous vendor bank account change form was received from a fraudulent domain name with the intent to defraud the Company. The e-mail domain for Watch Makers is “Watch Makers,” with no hyphen, rather than “Watch-Makers,” with a hyphen. Both e-mails received from “Watch-Makers” were determined to be from a fraudulent source (that also fraudulently used John Smith’s name in the e-mail). As noted above, there are two employees within the Company that were involved in processing and approving the Vendor Change Form. The Company’s policy on bank account change requests was communicated by ABC’s Assistant Controller in an August 2017 e-mail that indicated that for each Vendor Change Form requesting a vendor bank account change, the accounts payable department was required to (1) obtain a previously processed and paid invoice from the vendor requesting the bank account change, (2) call the vendor using the contact information obtained from the prior invoice, (3) verify the authenticity of the requested bank account change request by directly contacting the vendor, and (4) include all relevant information obtained in steps (1) through (3) as an attachment to the Vendor Change Form. The Company’s control description relating to the review of a Vendor Change Form by the Assistant Controller is not explicit regarding the specific attributes of the review. However, because the policy was distributed by the Assistant Controller and the Assistant Controller is also the control owner (e.g., performs the review), there is a presumption that the Assistant Controller would understand that as part of her review, she should evaluate whether the AP Manager obtained sufficient information to confirm the authenticity of the bank account change request. Other Relevant Facts • Materiality — $8 million. • The Company processed approximately 105 vendor requested bank account changes during 2016 before the realization that the request from “Watch-Makers” was fraudulent (from September 25, 2017, to August 2, 2018). After the identification of the misappropriation of assets, the Company’s internal audit department obtained and reviewed all 105 Vendor Change Forms reviewed by the Assistant Controller, noting that only five Vendor Change Forms contained the information required by the policy. In addition, internal audit determined that the primary review procedure performed by the Assistant Controller related to the verification that the bank account number was appropriately included on the Vendor Change Form. This procedure was performed in all cases before the bank account information was input into the accounts payable system. • The total wire transfer payments made to the 105 vendors that requested bank account changes in FY16 totaled approximately $56.2 million (based on an analysis prepared by Internal Audit of the invoices processed and paid by the Company after the processing of a Vendor Change Form for the 105 vendors). 3 There are more than 30 vendors with annual purchase activity of over $20 million (12 of which have purchase activity of over $40 million); thus, the amount of payments made to any single vendor in a payables cycle could approximate $2 million, assuming a cycle of 30 days. • The Company’s Chief Security Officer completed an internal investigation and concluded that there was no indication that the AP Manager and Assistant Controller were involved in the scheme that resulted in the $2 million misappropriation. • After the determination on August 2, 2018, that the Vendor Change Form was from a fraudulent source, the Company ceased processing additional Vendor Change Forms until it could understand the root cause of the deficiency. On September 10, 2018, the Assistant Controller sent a reminder regarding the importance of following the vendor bank account request change policy. The e-mail also highlighted an enhancement to the process, which primarily included an enhancement to the Vendor Change Form. The form was revised to include the following three new, explicit sections that are required to be completed: (1) contact phone number pulled from previously processed and paid vendor invoice, (2) name of individual at the vendor (from a previous invoice) that was contacted, and (3) date discussed/contacted. The policy e-mail reiterated the requirement to include a copy of the previously processed vendor invoice with the Vendor Change Form. • Internal Audit performed a thorough evaluation of the competency of the Assistant Controller and concluded that notwithstanding the Assistant Controller’s lack of historical performance, the Assistant Controller was suitably competent to perform the control. Engagement Team Note In planning the 2018 audit, the engagement team obtained an understanding of the internal controls related to cash disbursements. This understanding was developed through the engagement team’s walkthrough of the cash disbursements process. As part of its walkthrough procedures, the engagement team made inquiries of appropriate personnel, inspected relevant documentation, and in certain cases, observed the control performers carrying out required control procedures. As a result, the engagement team concluded that there were no significant changes to the cash disbursements process in the current year. The engagement team identified four risks of material misstatement relating to the cash disbursements process. For each risk identified, the team documented the control activity that addresses the risk of material misstatement in the excerpted worksheet (see Appendix 1). As a result of the ‘Audit Issue’ described above, the engagement team identified a control deficiency in the following control: CD5C — The accounts payable department is required to complete the following for each Vendor Change Form requesting a bank account change: 1. Obtain a previously processed and paid invoice from the vendor requesting the bank account change. 2. Call the vendor using the contact information from the obtained invoice. Spring 2020 4 3. Verify the authenticity of the requested bank account change request. 4. Attach all relevant information obtained in steps (1) through (3) to the Vendor Change Form for review and approval. The Company’s control description regarding the Assistant Controller’s review of the Vendor Change Form is not prescriptive regarding the specific attributes of the review. However, there is a presumption that the Assistant Controller would understand the primary objective of the control, which is to evaluate whether sufficient information was obtained by the AP Manager to confirm that the bank account change request was authentic. Required: 1. According to PCAOB Auditing Standard (AS 2201) (https://pcaobus.org/Standards/Auditing/Pages/AS2201.aspx), what factors should auditors consider when evaluating the severity of a deficiency in a control that directly addresses a risk of material misstatement? 2. PCAOB AS 2201 distinguishes the difference between a deficiency in design and a deficiency in operation. Does the Assistant Controller’s failure to adequately review the Vendor Change Form represent a deficiency in the design or operating effectiveness of the control? 3. Based on guidance in AS 2201, determine if the failure in the vendor request change form control indicative of a material weakness in internal control over financial reporting. 4. SEC Regulation S-K requires that management provide a report on a registrant’s ICFR in the company’s Form 10-K. Assuming the company and the auditor concluded that this internal control failure indicates a material weakness in internal control, what information would the company be expected to disclose? 5. In light of the identified deficiency, auditors should consider a possibility that the deficiency may have an impact on other controls, and/or the similar problem may exist in other controls. What implications does the failure to adequately review the Vendor Change Form have on other controls? 5 Format  Length of the paper: minimum 2000 words (no more than 2500) (on double-spaced pages) PLUS a list of references (make sure you follow an appropriate introduction, conclusion and reference format).  Follow APA formatting guidelines: The guidelines are described at https://owl.english.purdue.edu/owl/resource/560/01/  Margins: 1” (Left justification ONLY).  Font: Times New Roman, 12 point.  Headings and Subheadings: Use them as appropriate.  Do not forget Page Numbers. References You must provide proper citations for all references used to avoid plagiarism. Any direct quotes must be indicated as such. You must include at least FOUR unique references (Note: PCAOB Auditing Standards are counted as one reference even if you cite different sections of the standards). Wikipedia.com, random blogs, and class lecture notes do NOT count as references! Include references in your paper using the author/year (e.g. Smith 2015) parenthetical citation method with the full citation listed in the reference section (i.e., do not use footnotes to list your references). In additional to AICPA/PCAOB Auditing Standards, a wealth of excellent resources exists at your disposal. I encourage you to use popular and business press articles (New York Times, Wall Street Journal, Financial Times, Business Week, The Economist, etc.) practitioner journals (Journal of Accountancy, CPA Journal, Accounting Today, etc.) and academic journals (The Accounting Review, Accounting Horizons, Auditing, etc.) to inform your research. You have access to these and many more through George Mason University’s Library website. Grading You will be graded on content, grammar, and compliance with instructions. Your paper should be professional in tone and free from grammatical errors. Other Instructions/Suggestions  Write a clear, concise Introduction: Your introduction should summarize your arguments and conclusion.  Show your analytical skills. This assignment is not about how well you summarize what you read.  Do not use lists, bullet points, contractions or the second person (e.g., “you”) in your writing.  Be clear and direct! Professional writing must be as unambiguous as possible.  Paragraphs need at least three sentences. 6  You may only use up to three (3) SHORT direct quotes, which should be properly anchored in your paper (i.e., quotes should not disrupt the flow of your essay).  Use passive voice sparingly. ACCT 461 Writing Assignment 2 Spring 2020 7 Appendix 1 Control Deficiency Evaluation Identified Risks of Material Misstatement Cash Disbursement 1 Incorrect vendor set. Cash Disbursement 2 Invoice is received for goods or services never received; therefore, a liability and expense are recorded when ABC has no obligation. Cash Disbursement 3 Payments are not appropriately authorized and accurate. Controls in Cash Disbursement Process CD1C Bank statements are reconciled to the general ledger regularly and differences are investigated and resolved on a timely basis. CD2C Cash disbursements are generated through the ERP system. The ERP system automatically records the journal entry for cash disbursements to the accounts payable and cash sub-ledgers. CD3C All manually generated checks, including supporting documentation and the related journal entry, are reviewed and approved by management before the journal entry is recorded. CD4C Finance personnel record bank account activity to the general ledger on a daily basis; management reviews recorded entries and cash position regularly for unusual activity and investigates and resolves issues on a timely basis. CD5C Each Vendor Change Form requesting a bank account change, the accounts payable department is required to complete the following for each Vendor Change Form requesting a bank account change: 1. Obtain a previously processed and paid invoice from the vendor requesting the bank account change 2. Call the vendor using the contact information from the obtained invoice 3. Verify the authenticity of the requested bank account change request Attach all relevant information obtained in steps (1) – (3) to the Vendor Change Form for review and approval. FR1C At month-end, corporate accounting performs variance analysis for all financial statement line items as compared to prior month and prior year to identify variances in excess of $5 million or 10 percent period to period. All variances in excess of this threshold are to be explained.