MEMORANDUM

To: John Giles, CPA From: Cilla Okunlola Date: Febuary 9, 2011 Subject: Case 4.2 Comptronix Corp Comptronix Corporation sold all of its remaining assets in September of 1996. A lack of internal controls and a poor assessment of both inherent risk and control risk created a perfect environment for upper management to hide fraud in the form of material financial misstatements. The result of Comptronix Corporation shows why it is important to understand the inherent risks and control risks within a company. Inherent Risk Inherent risk is a measure of the auditors assessment of the likelihood that there are material misstatements in an account balance before considering the effectiveness of internal control. Inherent risk implies that the auditor should attempt to predict where misstatements are likely to appear in the financial statement segments. Typical factors the auditor should consider when assessing inherent risk include: -Nature of the clients business -Results of previous audits -Initial versus repeat engagement -Related parties -Non-routine transactions -Judgment required to correctly record account balances and transactions -Makeup of the population -Factors related to fraudulent financial reporting -Factors related to misappropriation of assets Looking back, there were many inherent risk factors present during the 1989-1992 audits related to fraudulent financial reporting. One factor of inherent risk would be the loss of one of Comptronixs key customers in 1989. Losing the key customer, SCI, meant that Comptronix Corporation faced a significant decrease in revenues with the possibility of performing poorly due to the loss of the significant customer. In addition, inherent risk of manipulating the financial statements to appear profitable should have been a concern since the three executives and founders of the company would want to keep the price of the companys stocks high. Finally, actions by the three executives perpetrating the fraud should have raised red flags (purchases of real estate, marriage failures, dispute with a company founder who was later fired). Internal Control Internal control, as defined by COSOs framework, consists of five components. The first component is control environment. The control environment consists of the policies and procedures that exhibit the attitudes of top management and directors about the companys internal control. Auditors should particularly examine integrity and ethical values, commitment to competence, the board of director or audit committee participation, management philosophy and operating style, organizational structure, and human resource practices. The second

component, risk assessment involves management identification and analysis of relevant risks in preparation of financial statements in conformity with GAAP. Control activities are the third component and involve the policies and procedures that help ensure that actions are taken to address risks to the company in meeting its goals. Five types of control activities include adequate separation of duties, proper authorization of transactions and activities, adequate documents and records, physical control over assets and records, and independent checks on performance. Information and communication is the fourth component and its purpose is to initiate, record, process, and report the companys transactions and to maintain accountability for the related assets. Finally, monitoring deals with ongoing and periodic assessment of internal control quality by management to determine that internal controls are operating effectively. Many characteristics increased Comptronixs control risk. One characteristic of Comptronixs internal controls is that the audit committee and board of directors were not heavily involved with the corporation. This increases control risk on the control environment component of COSOs framework. The board of directors only met four times during 1991, while the audit committee only met twice during 1991. The audit committee would need to meet more often in order to catch the misstatements made by the company, which explains why the quarterly filings of the company went unaudited. Another characteristic involves the companys control activities. Given the power Mr. Hebding, the CEO, Mr. Shifflett, the president and COO, and Mr. Medlin, the treasurer, had within the company, they were able to conduct transactions without proper authorization and adequate documentation. Mr. Shifflett and Mr. Medlin both could approve cash disbursements without proper documentation. Mr. Medlin also had the ability to access the shipping department system and enter bogus sales into the system. Given that the board of directors only oversaw the company transactions periodically, there were no independent checks on the performance of the company, and thus the fraud was conducted unnoticed. Furthermore, there was no mention of any monitoring of the internal control system. Thus we must assume that management did not periodically assess the quality of the internal controls within the company, and thus control risk is increased. Strengths and Weaknesses of Board of Directors There were many weaknesses within the board of directors and the audit committee. Independence is the biggest weakness present within the board of directors. Both Mr. Hebding and Mr. Shifflett served on the board while they worked in upper management within the company. This is a violation of independence. As previously stated, another member of the board served as legal counsel for the company, and another member was vice president of manufacturing for a significant customer of Comptronix. These directors are referred to as gray directors due to their close affiliation with the company. Another weakness of the board of directors, as previously mentioned, is that they met only four times during 1991. The board of directors might be more influential if it met more often. The audit committee also contained several weaknesses. Even though two of the three members of the audit committee were independent of the company, nobody within the committee had any background in accounting, or financial reporting. This is a weakness because an audit committee cannot adequately audit a company if they do not know what they are doing. Also, the audit committee met only twice in 1991. The audit committee should meet more often in order to be more effective.