ACCT 4100 CH 7
Match them: CEO and CFO Board and mgmt with: Implementation of effective internal control system Reliability of ICFR and preparation of financial statement
CEO and CFO: Reliability of ICFR and preparation of financial statement Board and mgmt: Implementation of effective internal control system
True or false: If the auditor determines that elements of management's annual report on ICFR are incomplete or improperly presented, the auditor cannot issue a report on ICFR.
False
True or false: In planning an integrated audit, the auditor should design separate tests of controls to accomplish the objectives of the audit of ICFR and the audit of financial statements.
False
True or false: The audit of Internal Control over Financial Reporting (ICFR) must be completed prior to the audit of the financial statements.
False
Programs that allow the auditor to perform tests on computer files and databases are referred to as GAS or _____ _____ ____.
Generalized Audit Software
Which of the following was developed so that auditors could conduct computer-assisted audit techniques in different IT environments? Generalized audit software Customized audit software Accounting software packages IT customized software
Generalized audit software
Because each audit provides information relevant to the other, the auditor must integrate the audits of ______. ICFR compliance with state wage laws Board of Directors' minutes financial statements
ICFR, financial statements
When auditors want to perform specific audit tasks, _____audit software is generally written.
custom
Management may include additional information in its report on ICFR. In regards to such information the auditor should ______. disclaim an opinion only express an opinion the information includes a material misstatement of fact always express an opinion
disclaim an opinion
Reports accepting responsibility for establishing and maintaining adequate ICFR are issued by _____ of public companies
management
AS 2201 specifies that the "size and complexity of the company, its business processes and business units, ______ affect(s) the way in which the company achieves many of its control objectives." should not always may
may
A material weakness is a deficiency or combination of deficiencies in ICFR such that there is a(n) ______ possibility that a material financial statement misstatement ill not be prevented or detected on a timely basis. significant remote reasonable absolute
reasonable
An unqualified opinion regarding the effectiveness of the entity's ICFR provides ______ assurance that the entity's controls are designed and operating effectively in all material respects as of the balance sheet date. limited reasonable absolute
reasonable
The COSO definition of ICFR is designed to provide ______ assurance regarding the reliability of financial reporting and GAAP financial statement presentation.
reasonable
To provide reasonable assurance, a control system, ______. must be perfect and not allow any material misstatements must prevent fraud and most material misstatements must prevent all large errors from occurring allows for a remote likelihood of material misstatement
-
Management's documentation of ICFR ______. must be in electronic form may exist in any form must be in machine readable format must be in hard copy form
may exist in any form
Compared to the objectives listed in the COSO definition, the PCAOB's objectives of internal control are ______ specific. less more equally
more
Audit evidence supporting effective internal control must be obtained at the level of ______. substantial completion absolute assurance reasonable assurance risk-based assurance
reasonable assurance
When the auditor issues an adverse opinion on internal control, ______ be issued on the financial statement audit. an adverse opinion must an unqualified opinion may at least a qualified opinion must a disclaimer of opinion must
an unqualified opinion may
After auditing the effectiveness of an entity's internal control, an auditor issues a(n) ______ ______ if the entity's internal control is designed and operating effectively in all material respects.
unqualified opinion
To perform a(n) _____ the auditor traces a transaction from origination all the way to its reflection in the entity's financial statements.
walkroughs
When an entity's computer system is not compatible with the auditor's GAS, the auditor should ____. write custom audit software not use software to conduct testing rely on the entity's computer software
write custom audit software
The fact that no system of internal controls is perfect and that there is a remote likelihood that material misstatement will not be prevented or detected in a timely matter even with effective controls is the concept of ______ assurance.
reasonable
According to FASB ASC Topic, "Contingencies", the likelihood of an event is a "reasonable possibility" if it is ______. of significant magnitude remotely probable reasonably possible probable
reasonable possible probable
Management's internal control assessment process involves special consideration of ______. hiring practices internal audit procedures service organizations safeguarding assets
service organizations safeguarding assets
A deficiency or combination of deficiencies in ICFR that is less severe than a material weakness yet important enough to merit attention is a ______ deficiency. remote significant reasonable possible
significant
A deficiency or combination of deficiencies in ICFR that is less severe than a material weakness yet important enough to merit attention is a(n) ____ deficiency.
significant
Direct tests of controls Ongoing monitoring Match With Performed by objective individuals Performed by people using controls
Direct tests of controls: Performed by objective individuals Ongoing monitoring: Performed by people using controls
The auditor must test the effectiveness of _____ _____ controls because they can have a pervasive effective on the entity's ability to meet the COSO control criteria.
Entity Level
Material weakness Significant deficiency Control deficiency Match with Report to Mgmt Report to audit committee and to mgmt Report externally, to audit committee, and to mgmt
Material weakness: Report externally, to audit committee, and to management Significant deficiency: Report to the audit committee and to mgmt Control deficiency: Report to mgmt
Management's assessment of the entity's ICFR must be based on ______. prior year's deficiencies the PCAOB framework a framework consistent with industry peers a recognized control framework
a recognized control framework
If the auditor discovers fraud involving senior management while auditing ICFR, the auditor must communicate the matter directly to the _____. appropriate law enforcement agency internal audit department appropriate regulatory agency audit committee
audit committee
The auditor's report on the effectiveness of internal control must ______. be issued as a separate report from the financial statement audit report provide an opinion on whether the entity maintained effective ICFR throughout the financial statement audit period contain the basis of the auditor's opinion be addressed to the shareholders and board of directors
be addressed to the shareholders and board of directors contain the basis of the auditor's opinion
If management remediates a material weakness after the "as of" date the auditor _____. can provide an interim opinion regarding ICFR should go back and revise the opinion originally issued as part of the audit must make the entity wait until the following year to receive a clean opinion regarding ICFR
can provide an interim opinion regarding ICFR
If the auditor fails to obtain written representations from management, the auditor ______ opinion of ICFR. cannot issue an unqualified must issue an adverse must disclaim an
cannot issue an unqualified
If management finds any significant control deficiencies or material weaknesses, they should be reported to the ______. board of directors SEC internal auditor external auditor audit committee
external auditor audit committee
The best way to identify potential sources of misstatements is often _____. identifying controls management has implemented to address misstatements performing walkthroughs using professional judgment to assess management's controls testing entity-level controls
performing walkthroughs
Which of the following statements are correct regarding the timing of tests of controls? Controls over significant nonroutine transactions must be tested continually throughout the year. Some controls may operate after the "as of" date specified in the management report. The auditor may obtain evidence about the operating effectiveness of a control at an interim date.
Some controls may operate after the "as of" date specified in the management report. The auditor may obtain evidence about the operating effectiveness of a control at an interim date.
True or false: The COSO definition of ICFR includes reasonable assurance regarding the safeguarding of assets.
True
If a significant deficiency of material weakness exists because of the audit committee's ineffective oversight, the auditor must communicate the specific deficiency or weakness, in writing, directly to the _____. company CEO appropriate regulatory agency internal audit department board of directors
board of directors
In addition to material weaknesses and significant deficiencies, the auditor should communicate, in writing, to management all _____ deficiencies identified during the audit.
control
Disadvantages of GAS include ______ it requires advance programming skills data that is audited must be available in electronic form it provides limited ability to verify programming logic the time required to develop the application is usually short
data that is audited must be available in electronic form it provides limited ability to verify programming logic
Classification of control deficiencies include ______ deficiencies. design prevention material operation
design and operation
Once key controls have been identified, the auditor starts with evaluating their _____ effectiveness, which may also provide some evidence about _____ effectiveness.
design, operating
A control deficiency exists when the _____ or _____ of a control does not allow management or employees to prevent or detect misstatements on a timely basis.
design, operation
The auditor ______ need to test all controls. does does not
does not
In order for the external auditor to complete an audit of the ICFR, management must present written assessment regarding the ______. completeness of financial transactions effectiveness of the entity's ICFR effectiveness of Internal Audit completeness of the control system
effectiveness of the entity's ICFR
The auditor has a responsibility to report on any changes in internal control that might affect financial reporting between the ______ and the date of the auditor's report. date of the audit of ICFR end of the reporting period beginning of the reporting period date of audit testing
end of the reporting period
Test data _____. ensures the accuracy of computer processing of transactions should include both valid and invalid data is a time-effective method of testing is not used to test processing-logic controls
ensures the accuracy of computer processing of transactions should include both valid and invalid data
When it comes to ICFR documentation management should ______. focus on controls deemed adequate to address financial reporting risk identify and document every control in a process document all of the the business processes impacting ICFR
focus on controls deemed adequate to address financial reporting risk
When deciding on the extent of testing, the auditor should consider the _____. timing of the audit other audit evidence frequency of operation importance of the control nature of the control
frequency of operation importance of the control nature of the control
Due to the nature of spreadsheets, when an entity uses many of them as part of period-end closing financial statement preparation, there is a(n) _____ risk that controls over spreadsheets will not be effective. decreased minimal increased
increased
In evaluating the risk of material misstatement due to fraud and the risk of management override of controls, the auditor should consider controls over _____. journal entries and adjustments made in the period-end financial close recurring transactions that are recorded monthly significant, unusual transactions resulting in unusual journal entries
journal entries and adjustments made in the period-end financial close significant, unusual transactions resulting in unusual journal entries
Controls that are important to the auditor's conclusion about whether the entity's controls sufficiently address the assessed risk of misstatement are often referred as ______ controls.
key
If the work of others is to be used, the auditor should assess the ______ and ______ of the persons whose work will be used.
objectivity, competence
The auditor's written communication about control deficiencies may indicate _____. only that no significant deficiencies were noted during an audit of internal controls only that no material weaknesses were identified both that no material weaknesses were identified and no significant deficiencies were noted
only that no material weaknesses were identified
Tests of controls for ______ effectiveness include procedures such as inquiry, documentation inspection, observation and reperformance of the application of the control.
operating
The evaluation of the _____ effectiveness of a control considers whether the person performing the control possesses the necessary authority and competence to perform the control effectively.
operating
The auditor must perform tests of controls over a period of time that is adequate to determine whether the significant controls were ______ as of the date indicated in management's report. documented completely operating effectively designed effectively
operating effectively
If a misstatement is detected by substantive procedures, the auditor should consider whether the control deficiency might affect the ______ on the audit of ICFR.
opinion
In assessing financial reporting risks, management must evaluate ______. other pervasive elements of ICFR entity-level controls planned controls internal audit department management
other pervasive elements of ICFR entity-level controls
Entity-level controls that require specific evaluation by the auditor are the _____. interim financial reporting process management compensation and evaluation processes period-end financial reporting process control environment
period-end financial reporting process control environment
The auditor's report on the effectiveness of internal control must ______. provide an opinion on effective ICFR as of the specified date contain the basis of management's opinion on the effectiveness of ICFR have the same date as the financial statement audit report be addressed to the management of the company
provide an opinion on effective ICFR as of the specified date have the same date as the financial statement audit report
In evaluating the risk of material misstatement due to fraud and the risk of management override of controls, the auditor should consider controls ______. related to significant management estimates that increase incentives for management to inappropriately manage financial results over related party transactions
related to significant management estimates over related party transactions
A benchmarking strategy allows the auditor to _____. rely on industry benchmarks for effectiveness of control compare results to other clients within the firm rely on previously tested automated control compare to controls at other locations within the organization
rely on previously tested automated control
When evaluating the control environment, the auditor should assess whether ______. the audit committee's philosophy and operating style promote effective ICFR sound integrity and ethical values are developed and understood the board understands and exercises oversight responsibility over financial reporting and internal control
sound integrity and ethical values are developed and understood the board understands and exercises oversight responsibility over financial reporting and internal control
Unless a longer period of time is required, PCAOB standards require the auditor to retain audit documentation for the ICFR and financial statement audit for ______ years. 5 10 7 3
7
Which of the following statements is correct? The way a company achieves its control objectives is not affected by company size and complexity. A small, less-complex company may achieve control objectives differently than a large company. An auditor should not consider the size of the company when considering the company's internal control effectiveness.
A small, less-complex company may achieve control objectives differently than a large company.
Which of the following statements is correct? A single set of audit procedures should be used to test both the design and operating effectiveness of controls. Evidence about the operating effectiveness of controls should never be based on procedures used to test design effectiveness. Audit procedures to test and evaluate the design effectiveness of controls might also provide some evidence about operating effectiveness.
Audit procedures to test and evaluate the design effectiveness of controls might also provide some evidence about operating effectiveness.
Which of the following statements are correct? Auditors must evaluate whether to test preventive controls, detective controls or a combination of both. When testing, auditors should focus on key controls. Auditors must make decisions regarding which locations to test based on the presence of entity-level controls and financial reporting risk. Identifying controls to be tested is an objective task that requires little professional judgment
Auditors must evaluate whether to test preventive controls, detective controls or a combination of both. When testing, auditors should focus on key controls. Auditors must make decisions regarding which locations to test based on the presence of entity-level controls and financial reporting risk
True or false: Auditors of publicly traded companies must issue a report that accepts responsibility for establishing and maintaining adequate ICFR.
False
Which of the following statements are correct? The severity of a control deficiency depends on its likelihood and magnitude. Auditors are required to evaluate the severity of each control deficiency. The assessment of the significance of a control deficiency depends on whether or not a misstatement has occurred.
The severity of a control deficiency depends on its likelihood and magnitude. Auditors are required to evaluate the severity of each control deficiency.
Which of the following statements are true about the financial statement and ICFR audits? Work must be planned to achieve both objectives. Tests of controls should be done separately for the audits. They must be performed at different times. They have different objectives.
Work must be planned to achieve both objectives. They have different objectives.
In order for the external auditor to complete an audit of ICFR, management must ______. accept responsibility for the effectiveness of ICFR accept responsibility for preparation of the financial statements present documentation of remediation of control deficiencies of last year's audit evaluate the effectiveness of ICFR
accept responsibility for the effectiveness of ICFR evaluate the effectiveness of ICFR
If one or more unremediated material weaknesses is identified, the auditor issues a(n) ______ opinion on the entity's internal control. disclaimer of qualified unqualified adverse
adverse
The presence of a material weakness in ICFR at the end of the period necessitates a(n) ______ assessment by management and a(n) ______ opinion by the auditor. qualified, qualified qualified, adverse adverse, qualified adverse, adverse
adverse, adverse
When considering financial reporting risks, management should generally include _____ business units. all only the smallest only the largest the two major business
all
Test data can be used to check ______. arithmetic calculations data validation controls the exclusion of transactions in records, files and reports error detection routines
arithmetic calculations data validation controls error detection routines
Evidence on the operating effectiveness of a control may be obtained from ______. both direct testing and ongoing monitoring direct testing of the control only ongoing monitoring only neither direct testing nor ongoing monitoring
both direct testing and ongoing monitoring
When companies use service organizations to process transactions, _____. both management and the auditor must consider the service organization activities the auditor cannot express an opinion about the effectiveness of operating controls the service organization is considered part of the information and communication component of the entity's ICFR an audit only can only be expressed if the auditor performs tests of controls at the service organization
both management and the auditor must consider the service organization activities the service organization is considered part of the information and communication component of the entity's ICFR
If a material weakness cannot be corrected and/or properly tested before the "as of" date, ______.
both management and the auditor should issue a report that the ICFR is not operating effectively.
The auditor _____ use the work performed by internal auditors, entity personnel, and third parties hired by management or the audit committee. can cannot should must
can
If the auditor believes that additional management information in its report of ICFR contains a material misstatement of fact the auditor should immediately ______. discuss the matter with management consult his or her legal counsel notify the audit committee in writing
discuss the matter with management
The approach followed by management in choosing which locations to include in its assessment of internal control is a function of ______. entity-level controls when the locations were previously assessed the number and size of existing locations financial reporting risks at the locations
entity-level controls financial reporting risks at the locations
In assessing material weaknesses in ICFR management must ______. centralize processing of controls evaluate evidence about the operating effectiveness of ICFR identify financial reporting risks and related controls consider which locations to include in the evaluation notify the auditor of locations to include in the evaluation
evaluate evidence about the operating effectiveness of ICFR identify financial reporting risks and related controls consider which locations to include in the evaluation
The risk that a misstatement could result in a material misstatement of the financial statements is called a(n) _____ _____ risk.
financial reporting
The evaluation of the operating effectiveness of a control considers whether the person performing the control ______. has the necessary level of experience with the company to perform the control effectively has the necessary competence to perform the control effectively is in a management or non-management position has the necessary authority to perform the control effectively
has the necessary competence to perform the control effectively has the necessary authority to perform the control effectively
If the auditor determines that elements of management's annual report on ICFR are incomplete or improperly presented, the auditor should ______. issue an adverse opinion modify management's report so that it is complete and correct disclaim an opinion include an explanatory paragraph in the audit report
include an explanatory paragraph in the audit report
The audit of internal control uses ______ extensively, but it does not provide sufficient evidence to support the operating effectiveness of a control. inquiry inspection reperformance walkthrough
inquiry
If management remediates a material weakness after the "as of" date, the auditor can provide a(n) _____ opinion
interim
The phrase "All material respects" means that the entity's ICFR ______. is free of any material weakness has prevented and/or detected all material errors does not have any significant deficiencies
is free of any material weakness
The severity of a control deficiency depends on ______. likelihood & number of misstatements number of misstatements & magnitude likelihood & magnitude
likelihood & magnitude
In judging the significance of a control deficiency, management and auditors must consider two dimensions, the ______and _____ of misstatements that could result from the deficiencies.
likelihood, magnitude
Advantages of GAS include ______ limited IT expertise is required ease of use auditing can be done as the entity processes data entire populations can be examined
limited IT expertise is required ease of use entire populations can be examined
If the results for testing a particular control were favorable in the prior year, and no changes were made to the control, the auditor might assess risk ______ testing this year. lower and increase higher and increase lower and reduce higher and reduce
lower and reduce
The difference between a control deficiency, a significant deficiency, and a material weakness is determined solely based on ______. auditor judgment likelihood magnitude management judgment
magnitude
When evaluating the control environment, the auditor should assess whether _____. management's philosophy and operating style promote effective ICFR management understands and exercises oversight responsibility over financial reporting and internal control sound integrity and ethical values are developed and understood
management's philosophy and operating style promote effective ICFR sound integrity and ethical values are developed and understood
A deficiency in ICFR, such that there is a reasonable possibility that a material misstatement of the financial statements will not be prevented or detected on a timely basis is defined as a(n) _____ _____ by the PCAOB.
material weakness
Factors that affect whether the magnitude of a misstatement might result in a(n) _____ _____ include (1) the financial statement amounts or total of transactions exposed to the deficiency and the (2) volume of transactions involved or expected.
material weakness
If the auditor determines that a deficiency might prevent prudent officials in the conduct of their own affairs from concluding they have reasonable assurance that transactions are recorded as necessary to prepare financial statements in accordance with GAAP, the auditor should treat the deficiency as indication of a(n) ______ _____.
material weakness
Prior to the issuance of the auditor's report on ICFR, the auditor must communicate in writing to both management and the audit committee identified _____. material weaknesses control deficiencies compensating controls significant deficiencies
material weaknesses significant deficiencies
Evidence about the operating effectiveness of controls at service organizations that are to relevant to management's assessment and the auditor's opinion ______ must be obtained from a service auditor's report on the design and operating effectiveness of of controls in operation at the service organization must be obtained by performing tests of the user organization's controls over the activities of the service organization must be obtained by performing tests of controls at the service organization may be obtained by performing tests of obtaining a service auditor's report
may be obtained by performing tests of obtaining a service auditor's report
The failure of a preventive control (such as inventory tags) to safeguard assets ______ result in a significant deficiency or material weakness. will always may or may not will never
may or may not
When compared to automated controls, manual controls should be subjected to _____ testing. less extensive more extensive the same level of
more extensive
To identify significant accounts and disclosures and their relevant assertions, the auditor assesses risk factors including _____. range of values nature of the disclosure account size and composition target earnings per share susceptibility to misstatement
nature of the disclosure account size and composition susceptibility to misstatement
When an entity has a material weakness, it should take steps to correct it, which is referred to as _____.
remediation
A control issue does not rise to the level of control deficiency if the likelihood is ______. reasonably possible likely probable remote
remote
To identify significant accounts and disclosures and their relevant assertions, the auditor assesses risk factors including _____. reporting complexities volume of activity related party transactions gains from asset disposals changes from prior periods
reporting complexities volume of activity related party transactions changes from prior periods
Written representations from management related to the audit of ICFR include management ______. reliance on the work of the auditor in forming its assessment of ICFR effectiveness responsibility for establishing and maintaining effective ICFR conclusion about the effectiveness of the entity's ICFR as of a specified date disclosure to the audit committee of all design and operational deficiencies
responsibility for establishing and maintaining effective ICFR conclusion about the effectiveness of the entity's ICFR as of a specified date
A major premise of AS 2201 is that _____ _____ underlines the entire audit of ICFR.
risk assessment
AS5 defines policies and procedures that "provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use or disposal of the entity's assets that could have a material effect on the financial statements as the _____ of assets.
safeguarding
If circumstances beyond the control of management or the auditor limit the ____ of the auditor's work, the auditor should disclaim an opinion or withdraw from the engagement.
scope
The auditor's treatment of a(n) _____ event depends on whether the event reveals information about a material weakness that existed at the end of the reporting period or about a new condition that did not exist at the end of the reporting period.
subsequent
The auditor's evaluation of the period-end financial reporting process should consider _____. the extent of IT involvement only the outputs of the processes used to produce financial statements the number of locations involved management oversight of the process
the extent of IT involvement the number of locations involved management oversight of the process
Audit documentation related to the audit of internal controls must include ______. the extent of reliance on work performed by others the evaluation of deficiencies discovered the scope of testing a discussion of PCAOB documentation standards
the extent of reliance on work performed by others the evaluation of deficiencies discovered the scope of testing
If a control deficiency is a material weakness, management must disclose it in its assessment of the effectiveness of ICFR, including ______. the nature of the material weakness(es) the cost of management's current plans for remediating the weakness its impact on the entity's financial reporting and its ICFR management's current plans, if any, for remediating the weakness
the nature of the material weakness(es) its impact on the entity's financial reporting and its ICFR management's current plans, if any, for remediating the weakness
If the scope of the auditor's work is limited because of circumstances beyond the control of management or the auditor, the auditor's option are to ______. withdraw from the engagement disclaim an opinion issue an adverse opinion issue an unqualified opinion
withdraw from the engagement disclaim an opinion