Chapter 5
An entity has the following invoices in a batch: Invoice Number Product Quantity Unit Price 201 F10 150 $ 5.00 202 G15 200 10.00. 203 H20 250 25.00 204 K35 300 30.00 Which of the following most likely represents a hash total? 1. 810 2. FGHK80 3. 204 4. 4
1. 810
1. Control activities 2. Segregation of duties 3. Collusion 4. New personnel 5. Rapid growth 6. Control environment 7. Physical controls 8. Corporate restructurings 9. Management override 10. Flowchart
1. A COSO component of internal control 2. A condition tat decreases control risk 3. An inherent limitation of internal control 4. A condition that increases control risk 5. A condition that increases control risk 6. A COSO component of internal control 7. A condition that decreases control risk 8. A condition that increases control risk 9. An inherent limitation of internal control 10. A form of documentation for internal control
It is important for the auditor to consider the competence of the audit client's employees, because their competence bears directly and importantly upon the 1. Achievement of the objectives of internal control. 2. Relationship of the costs of internal control and its benefits. 3. Comparison of recorded accountability with assets. 4. Timing of the tests to be performed.
1. Achievement of the objectives of internal control.
In an integrated audit of a nonissuer, each of the following identifies an inherent limitation to internal control except 1. An override of internal controls by a low-level employee. 2. Collusion involving two or more employees. 3. Breakdowns in internal control because of employee mistakes. 4. Faulty decision making by employees.
1. An override of internal controls by a low-level employee.
Which of the following factors are included in an entity's control environment? 1. Audit Committee Participation - Yes Integrity and Ethical Values - Yes Organizational Structure - Yes 2. Audit Committee Participation - Yes Integrity and Ethical Values - No Organizational Structure - Yes 3. Audit Committee Participation - No Integrity and Ethical Values - Yes Organizational Structure - Yes 4. Audit Committee Participation - Yes Integrity and Ethical Values - Yes Organizational Structure - No
1. Audit Committee Participation - Yes Integrity and Ethical Values - Yes Organizational Structure - Yes
Which of the following characteristics distinguishes computer processing from manual processing? 1. Computer processing virtually eliminates the occurrence of computational error normally associated with manual processing. 2. Errors or fraud in computer processing will be detected soon after their occurrence. 3. The potential for systematic error is ordinarily greater in manual processing than in computerized processing. 4. Most computer systems are designed so that transaction trails useful for audit purposes do not exist.
1. Computer processing virtually eliminates the occurrence of computational error normally associated with manual processing.
1. Employees who receive payments from customers do not record the payments in the receipts ledger. 2. The quarterly review made by the internal audit committee. 3. High demand for new products encourages management to move into a new factory. 4. Storing customer receipts in a safe until deposited at the bank. 5. The software system used to record purchases made by the company. 6. Training procedures for new employees. 7. The hiring of a new CEO with a very different management style. 8. A zero tolerance policy that calls for the termination of anyone acting unethically.
1. Control activities 2. Monitoring 3. Risk assessment 4. Control activities 5. Information and communication systems 6. Control environment 7. Risk assessment 8. Control environment
Which of the following is not a component of internal control? 1. Control risk. 2. Monitoring of controls. 3. Information system. 4. The control environment.
1. Control risk.
In obtaining an understanding of internal control, the auditor may trace several transactions through the control process, including how the transactions interface with any service organizations whose services are part of the information system. The primary purpose of this task is to 1. Determine whether the controls have been implemented. 2. Replace substantive procedures. 3. Determine the effectiveness of the control procedures. 4. Detect fraud.
1. Determine whether the controls have been implemented.
In an audit of financial statements of a nonissuer in accordance with GAAS, an auditor is required to 1. Document the auditor's understanding of the entity's internal control components. 2. Search for significant deficiencies in the operation of internal control. 3. Determine whether controls are suitably designed to prevent or detect material misstatements. 4. Perform tests of controls to evaluate the effectiveness of the entity's accounting system.
1. Document the auditor's understanding of the entity's internal control components. Explanation: Documentation of the understanding of the internal control components is required by GAAS. Its form and extent are influenced by the nature and complexity of the entity's controls and the extent of the procedures performed by the auditor.
A client who recently installed a new accounts payable system assigned employees a user identification code (UIC) and a separate password. Each UIC is a person's name, and the individual's password is the same as the UIC. Users are not required to change their passwords at initial log-in nor do passwords ever expire. Which of the following statements does not reflect a limitation of the client's computer-access control? 1. Employees are not required to take regular vacations. 2. Employees are not required to change passwords. 3. Employees can easily guess fellow employees' passwords. 4. Employees can circumvent procedures to segregate duties.
1. Employees are not required to take regular vacations.
When an auditor increases the assessed risks of material misstatement because certain control activities were determined to be ineffective, the auditor most likely would increase the 1. Extent of tests of details. 2. Extent of tests of controls. 3. Level of inherent risk. 4. Level of detection risk.
1. Extent of tests of details.
If accounts receivable turned over 7.1 times in Year 1 as compared with only 5.6 times in Year 2, it is possible that there were 1. Fictitious sales in Year 2. 2. Unrecorded cash receipts in Year 1. 3. Unrecorded credit sales in Year 2. 4. More thorough credit investigations made by the company late in Year 1.
1. Fictitious sales in Year 2.
1. Test for all numeric or alphabetic data items in a field 2. Test of hours worked over 40 hours 3. Test of employee SSN compared with known employees in the personnel master file 4. Test of payroll checks processed with the number of time cards entered 5. Test of all transactions that fail a test 6. Test that sums the employee identification numbers on time cards and compares the sum with the sum of the identification numbers from personnel records 7. Test of customer invoice numbers for missing invoices 8. Test that all input data is complete
1. Field check 2. Reasonableness test 3. Validity check 4. Record count 5. Error listing 6. Hash total 7. Sequence check 8. Preformatting
A client is concerned that a power outage or disaster could impair the computer hardware's ability to function as designed. The client desires off-site backup hardware facilities that are fully configured and ready to operate within several hours. The client most likely should consider a 1. Hot site. 2. Cool site. 3. Warm site. 4. Cold site.
1. Hot site.
A conceptually logical approach to the auditor's consideration of relevant controls consists of the following four steps: I. Determine whether the relevant controls are capable of preventing, or detecting and correcting, material misstatements and have been implemented. II. Evaluate the operating effectiveness of relevant controls. III. Assess the risks of material misstatement. IV. Design further audit procedures. What is the most logical order in which these four steps are performed? 1. I, III, IV, II. 2. I, II, III, IV. 3. III, I, II, IV. 4. II, IV, I, III.
1. I, III, IV, II Explanation: When obtaining an understanding of internal control, the auditor should perform risk assessment procedures to evaluate the design of relevant controls and to determine whether they have been implemented. This understanding is used to (1) identify types of misstatements, (2) identify factors affecting the risks of material misstatement, and (3) design further audit procedures. After obtaining the understanding, the RMMs should be assessed. In response to the risk assessment, the auditor designs further audit procedures. If the auditor relies on controls (has an expectation of their operating effectiveness), (s)he should perform tests of controls to evaluate their operating effectiveness (AU-C 315 and AU-C 330). Thus, the most logical order of the listed steps is the following: Evaluate the design of relevant controls and determine whether they have been implemented, Assess the RMMs, Design further audit procedures, and Test controls.
The following are steps in the financial statement audit process: I. Prepare flowchart II. Gather exhibits of all documents III. Interview personnel The most logical sequence of steps is 1. III, II, I. 2. I, II, III. 3. II, I, III. 4. I, III, II.
1. III, II, I.
Which of the following most likely would not be considered an inherent limitation of the potential effectiveness of an entity's internal control? 1. Incompatible duties. 2. Management override. 3. Faulty judgment. 4. Collusion among employees.
1. Incompatible duties. Explanation: Internal control has inherent limitations. The performance of incompatible duties, however, is a failure to assign different people the functions of authorization, recording, and asset custody, not an inevitable limitation of internal control. Segregation of duties is a category of control activities.
The primary objective of procedures performed to obtain an understanding of internal control is to provide an auditor with 1. Knowledge necessary for audit planning. 2. Evidence to use in assessing inherent risk. 3. A basis for modifying tests of controls. 4. An evaluation of the consistency of application of management's policies.
1. Knowledge necessary for audit planning.
According to AU-C 315, Understanding the Entity and its Environment and Assessing the Risks of Material Misstatement, not all controls are relevant to a financial statement audit. Which one of the following would most likely be considered in an audit? 1. Maintenance of control over unused checks. 2. Marketing analysis of sales generated by advertising projects. 3. Maintenance of statistical production analyses. 4. Timely reporting and review of quality control results.
1. Maintenance of control over unused checks. Explanation: Ordinarily, controls that are relevant to a financial statement audit pertain to the entity's objective of preparing financial statements that are fairly presented in accordance with the applicable reporting framework, including managing the risks of material misstatements. Maintenance of control over unused checks is an example of a relevant control because the objective is to provide assurance about the existence assertion for cash.
1. A written description of a process 2. A logic diagram in matrix form 3. A problem and appropriate actions 4. Diagram of a series of sequential processes 5. Visual depiction of the flow of documents 6. Series of interrelated queries 7. The most flexible documentation method 8. Control strength represented by a "Yes"
1. Narrative memorandum 2. Decision table 3. Decision table 4. Flowchart 5. Flowchart 6. Questionnaire 7. Narrative memorandum 8. Questionnaire
Which of the following statements regarding auditor documentation of the understanding of the client's internal control components obtained to plan the audit is correct? 1. No one particular form of documentation is necessary, and the extent of documentation may vary. 2. Documentation must include flowcharts. 3. Documentation must include procedural write-ups. 4. No documentation is necessary although it is desirable.
1. No one particular form of documentation is necessary, and the extent of documentation may vary.
The auditor observes client employees while obtaining an understanding of internal control to 1. Obtain knowledge of the design and implementation of relevant controls. 2. Update information contained in the organization and procedure manuals. 3. Prepare a flowchart. 4. Determine the extent of compliance with quality control standards.
1. Obtain knowledge of the design and implementation of relevant controls.
An auditor may be able to reduce audit risk to an acceptably low level for some relevant assertions by 1. Performing analytical procedures. 2. Increasing the level of detection risk. 3. Adhering to a system of quality control. 4. Preparing auditor working papers.
1. Performing analytical procedures.
1. In the current year, an entity began operations in a foreign country. 2. Management of an entity's various operations is accomplished through the daily interaction between supervisors and line personnel. 3. An entity uses daily and weekly sales revenues as performance indicators. 4. An airplane manufacturer uses a job-order costing system. 5. An entity annually provides to external parties its written policies regarding acceptable ethical behavior. 6. A manager's bonus is dependent on a high rate of growth in revenues. 7. An entity is committed to hiring individuals who display evidence of integrity and ethical behavior. 8. Due to a lengthy recession, an entity undertakes a corporate restructuring. 9. An entity maintains a manual that describes the roles and responsibilities of each employee. 10. Routine operations are reviewed on a weekly basis by supervisors.
1. Risk Assessment 2. Control activities 3. Control activities 4. Information and communication systems 5. Information and communication systems 6. Control environment 7. Control environment 8. Risk assessment
Which of the following is an example of a validity check? 1. The computer flags any transmission for which the control field value did not match that of an existing file record. 2. The computer ensures that a numerical amount in a record does not exceed some predetermined amount. 3. As the computer corrects errors and data are successfully resubmitted to the system, the causes of the errors are printed out. 4. After data for a transaction are entered, the computer sends certain data back to the terminal for comparison with data originally sent.
1. The computer flags any transmission for which the control field value did not match that of an existing file record.
A small client recently put its cash disbursements system on a server. About which of the following internal control features would an auditor most likely be concerned? 1. The server is operated by employees who have cash custody responsibilities. 2. Only one employee has the password to gain access to the cash disbursement system. 3. There are restrictions on the amount of data that can be stored and on the length of time that data can be stored. 4. Programming of the applications are in BASIC, although COBOL is the dominant, standard language for business processing.
1. The server is operated by employees who have cash custody responsibilities.
Which of the following factors is most relevant when an auditor considers the client's organizational structure in the context of the risks of material misstatement? 1. The suitability of the client's lines of reporting. 2. Physical proximity of the accounting function to upper management. 3. Management's attitude toward information processing and accounting departments. 4. The organization's recruiting and hiring practices.
1. The suitability of the client's lines of reporting.
1. Because Lumberjack, Inc., relies more on human labor than computing power, it duplicates its data files at the end of each month. 2. Magma Partnerships is located in an area near an active volcano. Each time a database file is copied for backup, it is moved and stored in a bank vault in another city. 3. Millennium Edge is a software company that cannot afford even one day of downtime. Accordingly, it invested in a separate location that can be used immediately. 4. Century Corner is in the information technology industry. It is planning on investing in a backup facility. Because it does not have enough capital, it can afford only to rent an empty office. Century plans to install the necessary hardware if and when it is needed.
1. Typical backup routine 2. Offsite location 3. Hot-site backup facility 4. Cold-site backup facility
Which of the following constitutes a potential risk associated with the use of information technology in an entity's internal control structure? 1. Unauthorized changes to systems. 2. A reduction in the ability to monitor the entity's activities. 3. A reduction in the circumvention of controls. 4. The facilitation of additional analyses.
1. Unauthorized changes to systems.
Which of the following is the most serious password security problem? 1. Users are assigned passwords when accounts are created, but they do not change them. 2. Users have accounts on several systems with different passwords. 3. Users copy their passwords on note paper, which is kept in their wallets. 4. Users select passwords that are not listed in any online dictionary.
1. Users are assigned passwords when accounts are created, but they do not change them.
An entity has many employees who access a database with numerous access points. The database contains sensitive information about the customers of the entity. Access controls prevent employees from entry to those areas of the database for which they have no authorization. All salespersons have certain access permission to customer information. Which of the following is a true statement about the nature of the controls and risks? 1. Sales department personnel should not have access to any part of the database. 2. A salesperson's access to customer information should extend only to what is necessary to perform his or her duties. 3. Because duties among the salespersons are not segregated, risk of collusion is increased. 4. Only one salesperson should be allowed access permission.
2. A salesperson's access to customer information should extend only to what is necessary to perform his or her duties.
Which of the following is the best way to compensate for the lack of adequate segregation of duties in a small organization? 1. Requiring accountants to pass a yearly background check. 2. Allowing for greater management oversight of incompatible activities. 3. Replacing personnel every 3 or 4 years. 4. Disclosing lack of segregation of duties to the external auditors during the annual review.
2. Allowing for greater management oversight of incompatible activities.
The following is a section of a system flowchart for a payroll application: -Batched time cards -Input of payroll data - Time card data - Validation of payroll data - time card data - valid time card data - errors - Batched time cards Symbol X could represent 1. Erroneous time cards. 2. An error report. 3. Batched time cards. 4. Unclaimed payroll checks.
2. An error report.
Proper segregation of functional responsibilities to achieve effective internal control calls for separation of the functions of 1. Authorization, execution, and payment. 2. Authorization, recording, and custody. 3. Custody, execution, and reporting. 4. Authorization, payment, and recording.
2. Authorization, recording, and custody.
Which of the following is an example of how specific internal controls in a database environment may differ from controls in a nondatabase environment? 1. The employee who manages the computer hardware should also develop and debug the computer programs. 2. Controls over data sharing by diverse users within an entity should be the same for every user. 3. Controls should exist to ensure that users have access to and can update only the data elements that they have been authorized to access. 4. Controls can provide assurance that all processed transactions are authorized, but they cannot verify that all authorized transactions are processed.
2. Controls over data sharing by diverse users within an entity should be the same for every user.
In an audit of financial statements in accordance with generally accepted auditing standards, an auditor should 1. Determine whether procedures are suitably designed to prevent, or detect and correct, material misstatement. 2. Document the auditor's understanding of the entity's internal control. 3. Perform tests of controls to evaluate the effectiveness of the entity's accounting system. 4. Identify specific controls relevant to management's financial statement assertions.
2. Document the auditor's understanding of the entity's internal control. Explanation: The auditor should document (1) the understanding of the entity and its environment and the components of internal control, (2) the sources of information regarding the understanding, and (3) the risk assessment procedures performed. The form and extent of the documentation are influenced by the nature and complexity of the entity's controls (AU-C 315).
Which of the following items is an example of an inherent limitation in an internal control system? 1. Understaffed internal audit functions. 2. Human error in decision making. 3. Ineffective board of directors. 4. Segregation of employee duties.
2. Human error in decision making.
An auditor is concerned with controls designed to safeguard assets that are relevant to the reliability of financial reporting. Adequate safeguards over access to and use of assets means protection from 1. Any management decision that would unprofitably use company resources. 2. Losses arising from access by unauthorized persons. 3. Losses such as those arising from setting a product price too low and subsequently realizing operating losses from the product's sale. 4. Only those losses arising from fraud.
2. Losses arising from access by unauthorized persons.
When obtaining an understanding of an entity's internal control, an auditor should concentrate on their substance rather than their form because 1. The controls may be operating effectively but may not be documented. 2. Management may establish appropriate controls but not enforce compliance with them. 3. The controls may be so inappropriate that no reliance is expected by the auditor. 4. Management may implement controls whose costs exceed their benefits.
2. Management may establish appropriate controls but not enforce compliance with them.
Which of the following factors represents an inherent limitation of internal control? 1. Inadequate provisions to safeguard assets. 2. Mistakes resulting from human error. 3. Absence of segregation of duties. 4. Failure to perform required tasks.
2. Mistakes resulting from human error.
Which of the following procedures most likely will provide an auditor with sufficient evidence about whether an entity's controls are suitably designed and have been implemented to prevent, or detect and correct, material misstatements? 1. Vouching a sample of transactions from the general ledger to the general journal. 2. Observing the entity's personnel applying the controls. 3. Inquiring of entity personnel about the controls. 4. Performing analytical procedures using data aggregated at a high level.
2. Observing the entity's personnel applying the controls.
First Federal S&L has an online, real-time system, with terminals installed in all of its branches. This system will not accept a customer's cash withdrawal instruction in excess of $1,000 without the use of a "terminal audit key." After the transaction is authorized by a supervisor, the bank teller then processes the transaction with the audit key. This control can be strengthened by 1. Increasing the dollar amount to $1,500. 2. Online recording of the transaction on an audit override sheet. 3. Using parallel simulation. 4. Requiring manual, rather than online, recording of all such transactions.
2. Online recording of the transaction on an audit override sheet.
Which of the following is not a medium that can normally be used by an auditor to record information concerning internal control? 1. Narrative memorandum. 2. Procedures manual. 3. Decision table. 4. Flowchart.
2. Procedures manual.
An advantage of using systems flowcharts to document information about internal control instead of using internal control questionnaires is that systems flowcharts 1. Identify internal control deficiencies more prominently. 2. Provide a visual depiction of clients' activities. 3. Indicate whether controls are operating effectively. 4. Reduce the need to observe clients' employees performing routine tasks.
2. Provide a visual depiction of clients' activities.
When documenting internal control, the independent auditor sometimes uses a systems flowchart, which can best be described as a 1. Pictorial presentation of the flow of instructions in a client's internal computer system. 2. Symbolic representation of a system or series of sequential processes. 3. Diagram that clearly indicates an organization's internal reporting structure. 4. Graphic illustration of the flow of operations that is used to replace the auditor's internal control questionnaire.
2. Symbolic representation of a system or series of sequential processes.
Which of the following factors would an auditor most likely consider in evaluating the control environment for an audit client? 1. Monthly bank reconciliations with supervisor sign-offs. 2. The ethical values demonstrated by management. 3. Organizational structure used for tax purposes. 4. The number of employees in each department.
2. The ethical values demonstrated by management.
Although substantive procedures may support the accuracy of underlying records, these tests frequently provide no affirmative evidence of segregation of duties because 1. Substantive procedures relate to the entire period under audit, but tests of controls ordinarily are confined to the period during which the auditor is on the client's premises. 2. The records may be accurate even though they are maintained by a person who performs incompatible functions. 3. Substantive procedures rarely guarantee the accuracy of the records if only a sample of the transactions has been tested. 4. Many computerized procedures leave no audit trail of who performed them, so substantive procedures may necessarily be limited to inquiries and observation of office personnel.
2. The records may be accurate even though they are maintained by a person who performs incompatible functions.
The normal sequence of documents and operations on a well-prepared systems flowchart is 1. Top to bottom and right to left. 2. Top to bottom and left to right. 3. Bottom to top and right to left. 4. Bottom to top and left to right.
2. Top to bottom and left to right.
An entity has the following invoices in a batch: Invoice Number Product Quantity Unit Price 201 F10 150 $ 5.00 202 G15 200 10.00 203 H20 250 25.00 204 K35 300 30.00 Which of the following numbers represents the record count? 1. 900 2. 1 3. 4 4. 810
3. 4
Which of the following situations represents a limitation, rather than a failure, of internal control? 1. A jewelry store employee steals a small necklace from a display cabinet. 2. A bank teller embezzles several hundred dollars from the cash drawer. 3. A purchasing employee and an outside vendor participate in a kickback scheme. 4. A movie theater cashier sells reduced-price tickets to full-paying customers and pockets the difference.
3. A purchasing employee and an outside vendor participate in a kickback scheme. Explanation: Because of the inherent limitations of internal control, it can be designed to provide only reasonable assurance that the entity's objectives are met. For example, (1) controls may fail because of human error, (2) management may override controls inappropriately, or (3) manual or automated controls may be circumvented by collusion (e.g., a kickback scheme involving a purchasing employee and an outside vendor).
Which of the following statements is correct regarding internal control? 1. A well-designed internal control environment ensures the achievement of an entity's control objectives. 2. Internal control is a necessary business function and should be designed and operated to detect all fraud and error. 3. An inherent limitation of internal control is that controls can be circumvented by management override. 4. A well-designed and operated internal control environment should detect collusion.
3. An inherent limitation of internal control is that controls can be circumvented by management override.
Which of the following characteristics distinguishes computer processing from manual processing? 1. Most computer systems are designed so that transaction trails useful for audit purposes do not exist. 2. Errors or fraud in computer processing will be detected soon after their occurrence. 3. Computer processing virtually eliminates the occurrence of computational error normally associated with manual processing. 4. The potential for systematic error is ordinarily greater in manual processing than in computerized processing.
3. Computer processing virtually eliminates the occurrence of computational error normally associated with manual processing.
Some data processing controls relate to all computer processing activities (general controls) and some relate to specific tasks (application controls). General controls include 1. Controls designed to assure the accuracy of the processing results. 2. Controls designed to ascertain that all data submitted to computer processing have been properly authorized. 3. Controls for documenting and approving programs and changes to programs. 4. Controls that relate to the correction and resubmission of data that were initially incorrect.
3. Controls for documenting and approving programs and changes to programs.
Which of the following is a management control method that most likely could improve management's ability to supervise company activities effectively? 1. Monitoring compliance with internal control requirements imposed by regulatory bodies. 2. Limiting direct access to assets by physical segregation and protective devices. 3. Establishing budgets and forecasts to identify variances from expectations. 4. Supporting employees with the resources necessary to discharge their responsibilities.
3. Establishing budgets and forecasts to identify variances from expectations.
While performing procedures in planning an audit, the auditor's comparison of expectations with recorded amounts yield unusual and unexpected relationships. The auditor should consider the results of the analytical procedures in which of the following? 1. Determining planning materiality a and acceptable error. 2. Identifying significant accounts. 3. Identifying the risks of material misstatement due to fraud. 4. Determining which controls to test.
3. Identifying the risks of material misstatement due to fraud.
Decision tables differ from program flowcharts in that decision tables emphasize 1. Ease of manageability for complex programs. 2. Cost-benefit factors justifying the program. 3. Logical relationships among conditions and actions. 4. The sequence in which operations are performed.
3. Logical relationships among conditions and actions.
In an audit of financial statements for which an auditor's assessment of risk is judgmental and may not be sufficiently precise to identify all risks of material misstatement, the auditor should take which of the following actions? 1. Consider whether risk assessment procedures are appropriate given preliminary levels of materiality and tolerable misstatement. 2. Discuss strategies to eliminate such risks with top management or those with equivalent authority and responsibility. 3. Perform substantive procedures for all relevant assertions related to each material class of transactions. 4. Determine the effectiveness of general controls over classes of transactions characterized by high transaction volume.
3. Perform substantive procedures for all relevant assertions related to each material class of transactions.
Which of the following audit techniques ordinarily would provide an auditor with the least assurance about the operating effectiveness of an internal control activity? 1. Inspection of documents and reports. 2. Inquiry of client personnel. 3. Preparation of system flowcharts. 4. Observation of client personnel.
3. Preparation of system flowcharts.
In obtaining an understanding of a manufacturing entity's internal control concerning inventory balances, an auditor most likely would 1. Analyze monthly production reports to identify variances and unusual transactions. 2. Analyze inventory turnover statistics to identify slow-moving and obsolete items. 3. Review the entity's descriptions of inventory policies and procedures. 4. Perform test counts of inventory during the entity's physical count.
3. Review the entity's descriptions of inventory policies and procedures.
In order to obtain an initial understanding of internal control sufficient to assess the risk of material misstatement of the financial statements, an auditor would most likely perform which of the following procedures? 1. Expanded substantive testing to identify relevant controls. 2. Tests of key controls to determine whether they are effective. 3. Risk-assessment procedures to evaluate the design of relevant controls. 4. Analytical procedures to determine the need for specific controls.
3. Risk-assessment procedures to evaluate the design of relevant controls.
Which of the following controls most likely could prevent computer personnel from modifying programs to bypass programmed controls? 1. Periodic management review of computer utilization reports and systems documentation. 2. Physical security of computer facilities in limiting access to computer equipment. 3. Separation of duties for computer programming and computer operations. 4. Participation of user department personnel in designing and approving new systems.
3. Separation of duties for computer programming and computer operations.
In connection with an audit of a nonissuer, the auditor would ordinarily use an engagement letter to 1. Mutually agree upon contingent fees between the company and the auditor. 2. Determine which of the company's financial statement notes will be compiled by the auditor during the audit. 3. Specify any arrangements concerning the involvement of the company's internal auditors on the audit. 4. Assert that a properly planned audit will detect and identify all material misstatements.
3. Specify any arrangements concerning the involvement of the company's internal auditors on the audit.
In auditing an online perpetual inventory system, an auditor selected certain file-updating transactions for detailed testing. The audit technique that will provide a computer trail of all relevant processing steps applied to a specific transaction is described as 1. Simulation. 2. Code comparison. 3. Tagging and tracing. 4. Snapshot.
3. Tagging and tracing.
Which of the following factors is least likely to affect the extent of the auditor's understanding of the entity's internal controls? 1. The size and complexity of the entity. 2. The nature of specific relevant controls. 3. The amount of time budgeted to complete the engagement. 4. The inherent limitations of an audit.
3. The amount of time budgeted to complete the engagement.
Which of the following factors is most likely to affect the extent of the documentation of the auditor's understanding of a client's system of internal controls? 1. The industry and the business and regulatory environments in which the client operates. 2. The relationship between management, the board of directors, and external stakeholders. 3. The degree to which information technology is used in the accounting function. 4. The degree to which the auditor intends to use internal audit personnel to perform substantive procedures.
3. The degree to which information technology is used in the accounting function.
Although substantive tests may support the accuracy of underlying information used in monitoring, these tests may provide no affirmative evidence of the effectiveness of monitoring controls because 1. When procedures are computerized and leave no audit trail to indicate who performed them, substantive tests may necessarily be limited to inquiries and observation. 2. Substantive tests relate to the entire period under audit, but tests of controls ordinarily are confined to the period during which the auditor is on the client's premises. 3. The information used in monitoring may be accurate even though it is subject to ineffective control. 4. Substantive tests rarely guarantee the accuracy of information used in monitoring if only a sample has been tested.
3. The information used in monitoring may be accurate even though it is subject to ineffective control.
An auditor is evaluating a client's internal controls. Which of the following situations would be the most difficult internal control issue for an auditor to detect? 1. The technology department writes a program that does not properly implement the control due to a lack of understanding. 2. Someone erroneously disables edit checks in a software program designed to identify control exceptions. 3. Two employees, who work in different departments, are circumventing an internal control. 4. The accounting staff neglects the control due to increased transactions to be processed.
3. Two employees, who work in different departments, are circumventing an internal control.
An entity has the following invoices in a batch: Invoice Number Product Quantity Unit Price 201 F10 150 $ 5.00 202 G15 200 10.00 203 H20 250 25.00 204 K35 300 30.00 Which of the following most likely represents a hash total? 1. FGHK80 2. 4 3. 204 4. 810
4. 810
One of the major problems in a computer system is that incompatible functions may be performed by the same individual. One compensating control is the use of 1. Echo checks. 2. Computer-generated hash totals. 3. A check digit system. 4. A computer access log.
4. A computer access log.
In an audit of financial statements, an auditor's primary consideration regarding an internal control is whether the control 1. Provides adequate safeguards over access to assets. 2. Reflects management's philosophy and operating style. 3. Relates to operational objectives. 4. Affects management's financial statement assertions.
4. Affects management's financial statement assertions.
Transaction authorization within an organization may be either specific or general. An example of specific transaction authorization is the 1. Establishment of requirements to be met in determining a customer's credit limits. 2. Establishment of sales prices for products to be sold to any customer. 3. Setting of automatic reorder points for material or merchandise. 4. Approval of a detailed construction budget for a warehouse.
4. Approval of a detailed construction budget for a warehouse.
Which of the following factors are included in an entity's control environment? 1. Audit Committee Participation - Yes Integrity and Ethical Values - Yes Organizational Structure - No 2. Audit Committee Participation - Yes Integrity and Ethical Values - No Organizational Structure - Yes 3. Audit Committee Participation - No Integrity and Ethical Values - Yes Organizational Structure - Yes 4. Audit Committee Participation - Yes Integrity and Ethical Values - Yes Organizational Structure - Yes
4. Audit Committee Participation - Yes Integrity and Ethical Values - Yes Organizational Structure - Yes
The auditor's understanding of internal control is documented to substantiate 1. Conformity of the accounting records with generally accepted accounting principles. 2. Adherence to procedures for effective and efficient management decision making. 3. The fairness of the financial statement presentation. 4. Compliance with generally accepted auditing standards.
4. Compliance with generally accepted auditing standards. Explanation: The auditor should prepare audit documentation that is sufficient to permit an experienced auditor to understand (1) the nature, timing, and extent of audit procedures performed to comply with GAAS and other requirements; (2) the results and evidence obtained; and (3) significant findings or issues, the conclusions reached, and judgments made (AU-C 230). Thus, the auditor should document, among other things, his or her understanding of the components of internal control and the assessed risks of material misstatement at the financial statement and assertion levels (AU-C 315).
Which of the following strategies would a CPA most likely consider in auditing an entity that processes most of its financial data only in electronic form, such as a paperless system? 1. Extensive testing of firewall boundaries that restrict the recording of outside network traffic. 2. Increased reliance on internal control activities that emphasize the segregation of duties. 3. Verification of encrypted digital certificates used to monitor the authorization of transactions. 4. Continuous monitoring and analysis of transaction processing with an embedded audit module.
4. Continuous monitoring and analysis of transaction processing with an embedded audit module.
An auditor uses the knowledge provided by the understanding of internal control and the assessed risks of material misstatement primarily to 1.Determine whether procedures and records concerning the safeguarding of assets are reliable. 2. Determine whether the opportunities to allow any person to both perpetrate and conceal fraud are minimized. 3. Modify the initial assessments of inherent risk and judgments about materiality levels for planning purposes. 4. Determine the nature, timing, and extent of substantive procedures for financial statement assertions.
4. Determine the nature, timing, and extent of substantive procedures for financial statement assertions. Explanation: The auditor is required to obtain an understanding of the entity and its environment, including its internal control, to assess the risks of material misstatement of the financial statements, whether due to fraud or error, to provide a basis for responding to the assessed RMMs. Regardless of the assessed RMMs, the auditor performs substantive procedures for all relevant assertions for material classes of transactions, account balances, and disclosures. Moreover, the auditor designs and performs further audit procedures whose nature, timing, and extent respond to the assessed RMMs at the relevant assertion level.
A primary objective of analytical procedures used to form an overall conclusion is to 1. Detect fraud that may cause the financial statements to be misstated. 2. Gather evidence from tests of details to corroborate financial statement assertions. 3. Identify account balances that represent specific risks relevant to the audit. 4. Determine whether the financial statements are consistent with the auditor's understanding.
4. Determine whether the financial statements are consistent with the auditor's understanding.
In an audit of financial statements in accordance with generally accepted auditing standards, an auditor should 1. Identify specific controls relevant to management's financial statement assertions. 2. Perform tests of controls to evaluate the effectiveness of the entity's accounting system. 3. Determine whether procedures are suitably designed to prevent, or detect and correct, material misstatement. 4. Document the auditor's understanding of the entity's internal control.
4. Document the auditor's understanding of the entity's internal control.
Which of the following activities by small business clients best demonstrates management integrity in the absence of a written code of conduct? 1. Documenting internal control procedures using flowcharts rather than narratives. 2. Developing and maintaining formal descriptions of accounting procedures. 3. Reporting regularly to the board of directors about operations and finances. 4. Emphasizing ethical behavior through oral communication and management example.
4. Emphasizing ethical behavior through oral communication and management example. Explanation: Audit evidence for elements of the control environment of a small business client may not be documented, especially when management communication with other employees is informal but effective. Thus, a small business may not have a written code of conduct. However, it may have a culture emphasizing integrity and ethical behavior by means of oral communication and management example.
An auditor would most likely be concerned with controls that provide reasonable assurance about the 1. Efficiency of management's decision-making process. 2. Appropriate prices the entity should charge for its products. 3. Decision to make expenditures for certain advertising activities. 4. Entity's ability to initiate, authorize, record, process, and report financial data.
4. Entity's ability to initiate, authorize, record, process, and report financial data.
An auditor anticipates relying on the operating effectiveness of controls in a computerized environment. Under these circumstances, on which of the following activities would the auditor initially focus? 1. Output controls. 2. Application controls. 3. Programmed controls. 4. General controls.
4. General controls. Explanation: Relying on controls involves (1) identifying specific controls that are suitably designed to prevent, or detect and correct, material misstatements in relevant assertions; (2) performing tests of controls; and (3) assessing the RMMs. Some computer controls relate to all computer activities (general controls), and some relate to specific tasks (application controls). Because general controls have pervasive effects, they should be tested before application controls. If the general controls are ineffective, tests of the application controls over input, processing, and output are unlikely to permit the auditor to rely on controls.
A client is concerned that a power outage or disaster could impair the computer hardware's ability to function as designed. The client desires off-site backup hardware facilities that are fully configured and ready to operate within several hours. The client most likely should consider a 1. Cold site. 2. Cool site. 3. Warm site. 4. Hot site.
4. Hot site.
If High Tech Corporation's disaster recovery plan requires fast recovery with little or no downtime, which of the following backup sites should it choose? 1. Quick site. 2. Warm site. 3. Cold site. 4. Hot site.
4. Hot site.
In the course of the audit of financial statements for the purpose of expressing an opinion, the auditor will normally prepare a schedule of uncorrected misstatements. The primary purpose served by this schedule is to 1. Summarize the misstatements made by the entity so that corrections can be made after the audited financial statements are released. 2. Point out to the responsible entity officials the errors made by various entity personnel. 3. Summarize the corrections that must be made before the entity can prepare and submit its federal tax return. 4. Identify the potential financial statement effects of misstatements that were not considered clearly trivial when discovered.
4. Identify the potential financial statement effects of misstatements that were not considered clearly trivial when discovered.
An entity should consider the cost of a control in relationship to the risk. Which of the following controls best reflects this philosophy for a large dollar investment in heavy machine tools? 1. Conducting a weekly physical inventory. 2. Placing security guards at every entrance 24 hours a day. 3. Having all dispositions approved by the vice president of sales. 4. Imprinting a controlled identification number on each tool.
4. Imprinting a controlled identification number on each tool.
Which of the following statements most likely represents a disadvantage for an entity that keeps digital computer files rather than manually prepared files? 1. It is usually more difficult to compare recorded accountability with physical count of assets. 2. Attention is focused on the accuracy of the programming process rather than errors in individual transactions. 3. Random error associated with processing similar transactions in different ways is usually greater. 4. It is usually easier for unauthorized persons to access and alter the files.
4. It is usually easier for unauthorized persons to access and alter the files. Explanation: In a manual system, one individual is assigned responsibility for maintaining and safeguarding the records. However, in a computer environment, the data files may be subject to change by others without documentation or indication of who made the changes.
Which of the following components of internal control contributes most to a strong control environment? 1. Controls are assessed through ongoing activities and evaluations. 2. Policy manuals provide a clear understanding of internal controls. 3. Duties are clearly defined and separated. 4. Management adheres to internal control policies.
4. Management adheres to internal control policies.
When obtaining an understanding of an entity's control environment, an auditor should concentrate on the substance of controls rather than their form because 1. The controls may be so ineffective that the auditor may assess control risk at a high level. 2. The board of directors may not be aware of management's attitude toward the control environment. 3. The auditor may believe that the controls are inappropriate for that particular entity. 4. Management may establish appropriate controls but not act on them.
4. Management may establish appropriate controls but not act on them.
Which of the following would an auditor most likely consider in evaluating the control environment of an audit client? 1. The number of CPAs in the accounting department. 2. Overall employee satisfaction with assigned duties. 3. Management review of monthly financial statements. 4. Management's operating style.
4. Management's operating style.
As part of understanding internal control relevant to the audit of a non issuer, an auditor does not need to 1. Consider factors that affect the risks of material misstatement. 2. Determine whether controls have been implemented. 3. Identify the risks of material misstatement. 4. Obtain knowledge about the operating effectiveness of internal control.
4. Obtain knowledge about the operating effectiveness of internal control.
Proper segregation of duties reduces the opportunities to allow persons to be in positions both to 1. Journalize entries and prepare financial statements. 2. Record cash receipts and cash disbursements. 3. Establish internal control and authorize transactions. 4. Perpetrate and conceal fraud and error.
4. Perpetrate and conceal fraud and error.
Risks relevant to financial reporting can arise due to which of the following circumstances? 1. Corrective actions implemented by management. 2. Performance reviews of employees. 3. Board of directors' commitment to competence. 4. Rapid growth in the entity's operations.
4. Rapid growth in the entity's operations.
In obtaining an understanding of internal control in a financial statement audit, an auditor is not obligated to 1. Determine whether the controls have been implemented. 2. Perform procedures to understand the design of internal control. 3. Document the understanding of the entity's internal control components. 4. Search for significant deficiencies in the operation of internal control.
4. Search for significant deficiencies in the operation of internal control.
An auditor's flowchart of a client's accounting system is a diagrammatic representation that depicts the auditor's 1. Assessment of the risks of material misstatement. 2. Identification of weaknesses in the system. 3. Assessment of the control environment's effectiveness. 4. Understanding of the system.
4. Understanding of the system.
Which of the following factors affecting the risk associated with a control is not a consideration when designing the current-year audit procedures in an audit of internal control over financial reporting for an issuer? 1. The results of the previous years' testing of the control. 2. The nature, timing, and extent of procedures performed in previous audits. 3. Whether there have been changes in the operation of a key control since the previous audit. 4. Whether the control has been documented in flowchart or narrative form.
4. Whether the control has been documented in flowchart or narrative form.
Cody, CPA, is gaining an understanding of internal control for a nonissuer audit client. Cody has concluded that certain client personnel seem to lack appropriate judgment to make appropriate decisions. Which section of the generally accepted auditing standards best addresses the limitations of a client's internal control related to faulty judgment and human error? Enter your response in the answer fields below. Guidance on correctly structuring your response appears above and below the answer fields.
AU-C 315.A53
An auditor is developing an in-house training program that will focus on a client's use of information technology and the associated integration of internal controls. Which section of the AICPA's generally accepted auditing standards best outlines the internal control risks of information technology (IT)? Enter your response in the answer fields below. Guidance on correctly structuring your response appears above and below the answer fields.
AU-C 315.A64
1. Al's General Store recently started recording its daily activities in a computer system. Management never thought to copy files onto a backup drive.
Data Vulnerability Periodic backup of computer files
5. Seth enters cash receipts into a computer program. Those data are sent to a terminal in the banking department of the company, and Seth never sees that the receipt was transmitted properly.
Decreased human invovlement Periodic review of the results of the computer program
4. Jack's Retail tracks the sale of each product. When inventory drops below a certain level, an order is automatically placed with the vendor.
Reduced individual authorization of transactions Accurate coding of the computer program
2. Boxing, Inc. was completing many of its year-end activities when a severe thunderstorm knocked down power lines, cutting off electricity and transaction processing for 2 days.
System availability Hot-site backup facilities
3. Treasure Holdings, LP stores valuable data on a server that can be accessed by employees at all of Treasure's office locations. The information is valuable enough to be targeted by hackers on a regular basis.
Unauthorized access Enhancement of the computer system's firewall