Case 17-10 ABC Retailers — Internal Controls

ABC Retailers Inc. (ABC or the "Company") is a U.S. public company that files quarterly and annual reports with the Securities and Exchange Commission (SEC). ABC is a leading retail chain operating more than 100 department stores across the continental United States. ABC department stores offer customers a variety of nationally advertised products, including clothing, shoes, jewelry, and other accessories. The Company's supply chain of products is managed through a single warehouse and distribution facility located in Kansas City, Missouri. ABC has a centralized accounting and finance structure at its corporate headquarters, where all processes and controls related to all substantive account balances occur, including controls related to accounts payable and the Vendor Master File.

ABC recognizes revenues from retail sales at the point of sale to its customers. Discounts provided to customers by the Company at the point of sale, including discounts provided in connection with loyalty cards, are recognized as a reduction in sales as the products are sold. Cost of goods sold for the Company primarily consists of inbound freight and costs relating to purchasing and receiving, inspection, depreciation, warehousing, internal transfer, and other costs of distribution.

Case Facts

Audit Issue

On June 1, 20X2, the Accounts Payable (AP) Manager received an e-mail inquiry about the process required for a vendor to change its bank account information. The e-mail was sent from John Smith at a domain address listed as "Watch-Makers." Watch Makers is a manufacturer that supplies ABC-branded watches to ABC's west region department stores. In addition, John Smith is the primary contact at Watch Makers with whom the Company typically interacts. The AP Manager responded to the e-mail request on June 15, 20X2, with the procedures required of the vendor, which include completing a vendor bank account request form. On June 20, 20X2, the AP Manager received a reply e-mail from John Smith at "WatchMakers" with a completed vendor bank account request form, which included John Smith's signature, new bank account information, and other related information.

Upon receiving the vendor bank account request form, the AP Manager completed a separately required Vendor Change Form for internal processing. The Vendor Change Form is completed for new vendors or changes to existing vendors' information, including bank account information. The AP Manager sent the completed Vendor Change Form to ABC's Assistant Controller, who reviewed and approved the request on June 24, 20X2. The bank account information was updated within the Vendor Master File on June 26, 20X2.

Throughout the month of July, valid Watch Makers invoices were processed through the Company's accounts payable process, and the valid invoices were paid in accordance with the Company's processes for cash disbursements and wire transfers. However, because the bank account information for Watch Makers was changed (as a result of the June 1, 20X2, e-mail request), approximately $2 million in payments was wired to an incorrect bank account. On August 2, 20X2, the Company received an inquiry from Watch Makers about the expected timing of the $2 million in outstanding invoices. As a result of the direct interaction with Watch Makers' employee John Smith, the Company determined that the previous vendor bank account change form was received from a fraudulent domain name with the intent to defraud the Company. The e-mail domain for Watch Makers is "Watch Makers," with no hyphen, rather than "Watch-Makers," with a hyphen. Both e-mails received from "Watch-Makers" were determined to be from a fraudulent source (that also fraudulently used John Smith's name in the e-mail).

As noted above, there are two employees within the Company who were involved in processing and approving the Vendor Change Form. The Company's policy on bank account change requests was communicated by ABC's Assistant Controller in an August 20X1 e-mail that indicated that for each Vendor Change Form requesting a vendor bank account change, the accounts payable department was required to (1) obtain a previously processed and paid invoice from the vendor requesting the bank account change, (2) call the vendor using the contact information obtained from the prior invoice, (3) verify the authenticity of the requested bank account change request by directly contacting the vendor, and (4) include all relevant information obtained in steps (1) through (3) as an attachment to the Vendor Change Form.

The Company's control description relating to the review of a Vendor Change Form by the Assistant Controller is not explicit regarding the specific attributes of the review. However, because the policy was distributed by the Assistant Controller and the Assistant Controller is also the control owner (e.g., performs the review), there is a presumption that the Assistant Controller would understand that as part of her review, she should evaluate whether the AP Manager obtained sufficient information to confirm the authenticity of the bank account change request.

Other Relevant Facts

• Materiality — $8 million.
• The Company processed approximately 105 vendor requested bank account changes during FYX2 before the realization that the request from "Watch-Makers" was fraudulent (from September 25, 20X1, to August 2, 20X2). After the identification of the misappropriation of assets, the Company's internal audit department obtained and reviewed all 105 Vendor Change Forms reviewed by the Assistant Controller, noting that only five Vendor Change Forms contained the information required by the policy. In addition, internal audit determined that the primary review procedure performed by the Assistant Controller related to the verification that the bank account number was appropriately included on the Vendor Change Form. This procedure was performed in all cases before the bank account information was input into the accounts payable system.
• The total wire transfer payments made to the 105 vendors that requested bank account changes in FYX2 totaled approximately $56.2 million (based on an analysis prepared by Internal Audit of the invoices processed and paid by the Company after the processing of a Vendor Change Form for the 105 vendors).
• There are more than 30 vendors with annual purchase activity of over $20 million (12 of which have purchase activity of over $40 million); thus, the amount of payments made to any single vendor in a payables cycle could approximate $2 million, assuming a cycle of 30 days.
• The Company's Chief Security Officer completed an internal investigation and concluded that there was no indication that the AP Manager and Assistant Controller were involved in the scheme that resulted in the $2 million misappropriation.
• After the determination on August 2, 20X2, that the Vendor Change Form was from a fraudulent source, the Company ceased processing additional Vendor Change Forms until it could understand the root cause of the deficiency. On September 10, 20X2, the Assistant Controller sent a reminder regarding the importance of following the vendor bank account request change policy. The e-mail also highlighted an enhancement to the process, which primarily included an enhancement to the Vendor Change Form. The form was revised to include the following three new, explicit sections that are required to be completed: (1) contact phone number pulled from previously processed and paid vendor invoice, (2) name of individual at the vendor (from a previous invoice) that was contacted, and (3) date discussed/contacted. The policy e-mail reiterated the requirement to include a copy of the previously processed vendor invoice with the Vendor Change Form.
• Internal Audit performed a thorough evaluation of the competency of the Assistant Controller and concluded that notwithstanding the Assistant Controller's lack of historical performance, the Assistant Controller was suitably competent to perform the control.

Engagement Team Note

In planning the 20X2 audit, the engagement team obtained an understanding of the internal controls related to cash disbursements. This understanding was developed through the engagement team's walkthrough of the cash disbursements process. As part of its walkthrough procedures, the engagement team made inquiries of appropriate personnel, inspected relevant documentation, and in certain cases, observed the control performers carrying out required control procedures. As a result, the engagement team concluded that there were no significant changes to the cash disbursements process in the current year.

The engagement team identified four risks of material misstatement relating to the cash disbursements process. For each risk identified, the team documented the control activity that addresses the risk of material misstatement in the excerpted worksheet (see Handout 1). As a result of the Audit Issue described above, the engagement team identified a control deficiency in the following control:

CD5C — The accounts payable department is required to complete the following for each Vendor Change Form requesting a bank account change:
1. Obtain a previously processed and paid invoice from the vendor requesting the bank account change.
2. Call the vendor using the contact information from the obtained invoice.
3. Verify the authenticity of the requested bank account change request.
4. Attach all relevant information obtained in steps (1) through (3) to the Vendor Change Form for review and approval.

The Company's control description regarding the Assistant Controller's review of the Vendor Change Form is not prescriptive regarding the specific attributes of the review. However, there is a presumption that the Assistant Controller would understand the primary objective of the control, which is to evaluate whether sufficient information was obtained by the AP Manager to confirm that the bank account change request was authentic.

Required:
1. What are the key considerations when evaluating the severity of a deficiency in a control that directly addresses a risk of material misstatement?
2. Does the Assistant Controller's failure to adequately review the Vendor Change Form represent a deficiency in the design or operating effectiveness of the control?
3. Is the failure in the vendor request change form control indicative of a material weakness in internal control over financial reporting?
4. Would the deficiency warrant disclosure in the Company's Form 10-K, Item 9A? If so, what information would the Company be expected to disclose?
5. What implications does the deficiency have on other direct or indirect controls
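
The fraudulent request in this case came from a sender domain that differed from the vendor's real domain only by a hyphen. The following is an added example, not part of the original case, of an automated check that compares a sender's domain with the Vendor Master File and flags near misses so the change request is held for the callback verification the policy requires. The domain names, the `VENDOR_MASTER` table, the function names and the similarity threshold are all assumptions made for illustration.

```python
from difflib import SequenceMatcher

# Constructed vendor master data; the case does not give full domain names.
VENDOR_MASTER = {"Watch Makers": "watchmakers.example"}

# Substitutions commonly seen in lookalike domains (hyphens, digit swaps).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "5": "s", "-": None, "_": None})


def sender_domain(address: str) -> str:
    """Return the lower-cased domain part of an e-mail address."""
    return address.rsplit("@", 1)[-1].strip().strip(">").lower()


def skeleton(domain: str) -> str:
    """Reduce a domain to a form where hyphens and digit swaps disappear."""
    return domain.translate(CONFUSABLES).replace("rn", "m")


def classify_sender(address: str, threshold: float = 0.9):
    """Compare a sender against the vendor master file.

    Returns (verdict, vendor): 'match' for an exact domain, 'lookalike' for a
    near miss that should be held for callback verification, else 'unknown'.
    """
    domain = sender_domain(address)
    # Exact matches are checked first so a real vendor is never flagged.
    for vendor, known in VENDOR_MASTER.items():
        if domain == known:
            return "match", vendor
    for vendor, known in VENDOR_MASTER.items():
        same_skeleton = skeleton(domain) == skeleton(known)
        ratio = SequenceMatcher(None, domain, known).ratio()
        if same_skeleton or ratio >= threshold:
            return "lookalike", vendor
    return "unknown", None


if __name__ == "__main__":
    # Constructed sender addresses modelled on the case facts.
    for sender in ("john.smith@watchmakers.example",
                   "John Smith <john.smith@watch-makers.example>"):
        print(sender, "->", classify_sender(sender))
```

A "match" verdict only says the domain is the one on file; it does not replace calling the vendor at the number taken from a previously paid invoice.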