Gleim Ch. 6
Which of the following statements about internal control is true? A. A limitation of internal control is that management makes judgments about the extent of controls it implements. B. Properly maintained internal control reasonably ensures that collusion among employees cannot occur. C. The establishment and maintenance of internal control are important responsibilities of the internal auditor. D. Exceptionally effective internal control is enough for the auditor to eliminate substantive procedures on a significant account balance.
A. A limitation of internal control is that management makes judgments about the extent of controls it implements. Because of inherent limitations, internal control, no matter how effective, can provide only reasonable assurance about achieving the entity's objectives. For example, when management designs and implements controls, it makes judgments about the nature and extent of (1) controls it implements and (2) the risks it assumes (AU-C 315).
It is important for the auditor to consider the competence of the audit client's employees, because their competence bears directly and importantly upon the A. Achievement of the objectives of internal control. B. Relationship of the costs of internal control and its benefits. C. Comparison of recorded accountability with assets. D. Timing of the tests to be performed.
A. Achievement of the objectives of internal control. The control environment is the foundation of internal control. A commitment to competence is one of the factors in the control environment.
The purpose of input controls is to ensure the A. Completeness, accuracy, and validity of input. B. Authorization of access to program files. C. Completeness, accuracy, and validity of updating. D. Authorization of access to data files.
A. Completeness, accuracy, and validity of input. Input controls provide reasonable assurance that data received for computer processing have been properly authorized and are in a form suitable for processing, i.e., complete, accurate, and valid. Input controls also relate to rejection, correction, and resubmission of data that were initially incorrect.
An auditor wishes to evaluate the design and perform tests of controls over a client's cash disbursements procedures. If the controls leave no audit trail of documentary evidence, the auditor most likely will test the procedures by A. Observation and inquiry. B. Inquiry and analytical procedures. C. Analytical procedures and confirmation. D. Confirmation and observation.
A. Observation and inquiry. When the auditor obtains an understanding of controls relevant to the audit, (s)he performs risk assessment procedures to obtain evidence about their design and implementation. These procedures may include (1) inquiries, (2) observations of the application of the controls, (3) inspection of documents and reports, and (4) tracing transactions through the financial reporting system. Although risk assessment procedures and tests of controls differ, they may use the same types of procedures. Thus, the auditor may decide that it is efficient to test operating effectiveness and evaluate design and implementation at the same time. Furthermore, some risk assessment procedures may provide evidence about operating effectiveness. For example, the auditor may (1) inquire about the use of budgets, (2) observe comparison of budgets and actual results, and (3) inspect reports on the investigation of variances (AU-C 330 and AS 2301). In the absence of documentary evidence, the auditor performs observation and inquiry procedures and traces transactions through the system.
Effective internal control A. Reduces the need for management to review exception reports on a day-to-day basis. B. Is unaffected by changing circumstances and conditions encountered by the organization. C. Cannot be circumvented by management. D. Eliminates risk and potential loss to the organization.
A. Reduces the need for management to review exception reports on a day-to-day basis. The need for management to spend time on a day-to-day basis reviewing exception reports is reduced when internal control is working effectively. Effective internal control should prevent as well as detect exceptions.
When an auditor plans to rely on controls that have changed since they were last tested, which of the following courses of action would be most appropriate? A. Test the operating effectiveness of such controls in the current audit. B. Document that reliance and proceed with the original audit strategy. C. Report the reliance in the report on internal controls. D. Inquire of management as to the effectiveness of the controls.
A. Test the operating effectiveness of such controls in the current audit. Controls that have changed must be tested for operating effectiveness before they can be relied on.
In an audit of financial statements, an auditor's primary consideration regarding an internal control is whether the control A. Relates to operational objectives. B. Affects management's financial statement assertions. C. Provides adequate safeguards over access to assets. D. Reflects management's philosophy and operating style.
B. Affects management's financial statement assertions. Assertions are management representations embodied in the financial statements. They are used by the auditor to consider the different potential misstatements. A relevant assertion has a reasonable possibility of containing a misstatement that could cause a material misstatement(s) of the financial statements. Thus, a relevant assertion has a meaningful bearing on whether the account is fairly stated. Tests of controls are designed to evaluate the operating effectiveness of controls in preventing, or detecting and correcting, material misstatements at the assertion level. They should be performed when (1) the auditor's assessment of the RMMs at the relevant assertion level includes an expectation of the operating effectiveness of controls, or (2) substantive procedures alone do not provide sufficient appropriate evidence at the relevant assertion level. Thus, the auditor is primarily concerned with whether a control affects relevant financial statement assertions.
The two broad groupings of information systems control activities are general controls and application controls. General controls include controls A. Designed to ensure that all data submitted for processing have been properly authorized. B. For developing, modifying, and maintaining computer programs. C. Relating to the correction and resubmission of faulty data. D. Designed to ensure that only authorized users receive output from processing.
B. For developing, modifying, and maintaining computer programs. General controls are policies and procedures that relate to many information systems applications and support the effective functioning of application controls by helping to ensure the continued proper operation of information systems. General controls include controls over (1) data center and network operations; (2) systems software acquisition, change, and maintenance; (3) program change; (4) access security; and (5) application systems acquisition, development, and maintenance (AU-C 315).
A CPA's understanding of internal control in a financial statement audit of a nonissuer A. Will usually result in a report on the effectiveness of internal control. B. Is usually more limited than that made in an audit of internal control integrated with an audit of financial statements. C. Will usually be identical to that made in an audit of internal control integrated with an audit of financial statements. D. Is usually more extensive than that made in an audit of internal control integrated with an audit of financial statements.
B. Is usually more limited than that made in an audit of internal control integrated with an audit of financial statements. The scope of the understanding of internal control in a financial statement audit of a nonissuer is usually less than that in an audit of internal control integrated with an audit of financial statements. In the integrated audit, the auditor tests controls to support the opinion on the effectiveness of internal control. To express an opinion on internal control, the auditor obtains evidence about the effectiveness of selected controls over all relevant assertions. When obtaining the understanding of internal control during a financial statement audit, the auditor need not test controls unless (1) the auditor's risk assessment is based on an expectation of the effectiveness of controls or (2) substantive procedures alone do not provide sufficient appropriate evidence.
Management's attitude toward aggressive financial reporting and its emphasis on meeting projected profit goals most likely will significantly increase opportunities for fraudulent financial reporting when A. External policies established by parties outside the entity affect its accounting practices. B. Management is dominated by one individual who is also a shareholder. C. Internal auditors have direct access to the board of directors and the entity's management. D. The audit committee is active in overseeing the entity's financial reporting policies.
B. Management is dominated by one individual who is also a shareholder. One set of opportunity risk factors for misstatements arising from fraudulent financial reporting involves ineffective monitoring of management. One such risk factor is domination of management by a single person or small group (in a non-owner managed business) without compensating controls (Appendix to AU-C 240). A compensating control in that circumstance is effective oversight by the board or audit committee of the financial reporting process and internal control.
The ultimate purpose of understanding internal control is to contribute to the auditor's evaluation of the risk that A. Entity policies may be overridden by senior management. B. Material misstatements may exist in the financial statements. C. Tests of controls may fail to identify controls relevant to assertions. D. Specified controls requiring segregation of duties may be circumvented by collusion.
B. Material misstatements may exist in the financial statements. The understanding of internal control assists the auditor to (1) identify types of potential misstatements; (2) consider factors that affect the RMMs; and (3) design the nature, timing, and extent of further audit procedures (AU-C 315 and AS 2110).
As part of understanding internal control relevant to the audit of a nonissuer, an auditor does not need to A. Determine whether controls have been implemented. B. Obtain knowledge about the operating effectiveness of internal control. C. Consider factors that affect the risks of material misstatement. D. Identify the risks of material misstatement.
B. Obtain knowledge about the operating effectiveness of internal control. Understanding internal controls relevant to the audit involves evaluating the design of the controls and determining whether they have been implemented. The auditor of a nonissuer need not obtain an understanding about operating effectiveness as part of understanding internal control. However, (1) the auditor's assessment of the risks of material misstatement (RMMs) may include an expectation of the operating effectiveness of controls, or (2) substantive procedures may not provide sufficient appropriate evidence at the relevant assertion level about operating effectiveness. In these circumstances, the auditor should test controls (AU-C 330).
The risks of material misstatement (RMMs) should be assessed in terms of A. Specific controls. B. Types of potential fraud. C. Financial statement assertions. D. Control environment factors.
C. Financial statement assertions. The auditor's objective is to identify and assess the RMMs, whether due to fraud or error, at the financial statement and relevant assertion levels. This objective is achieved through understanding the entity and its environment, including its internal control. The understanding provides a basis for designing and implementing responses to the assessed RMMs (AU-C 315 and AS 2110).
The organization chart is a graphic representation of the A. Power structure. B. Locus of decision making. C. Formal authority structure. D. Communications channels.
C. Formal authority structure. An organization chart represents pictorially the formal lines of authority within an organization. It depicts the organizational structure and the hierarchical relationships of the functional units in the organization.
When obtaining an understanding of an entity's internal control, an auditor should concentrate on their substance rather than their form because A. The controls may be so inappropriate that no reliance is expected by the auditor. B. The controls may be operating effectively but may not be documented. C. Management may establish appropriate controls but not enforce compliance with them. D. Management may establish appropriate controls but not enforce compliance with them.
C. Management may establish appropriate controls but not enforce compliance with them. The auditor must concentrate on the substance rather than the form of controls because management may establish appropriate controls but not apply them. Whether controls have been implemented at a moment in time differs from their operating effectiveness over a period of time. Thus, operating effectiveness concerns not merely whether the entity is using controls but also how the controls (manual or automated) are applied, the consistency of their application, and by whom they are applied.
Which of the following statements regarding auditor documentation of the understanding of the client's internal control components obtained to plan the audit is correct? A. Documentation must include procedural write-ups. B. Documentation must include flowcharts. C. No one particular form of documentation is necessary, and the extent of documentation may vary. D. No documentation is necessary although it is desirable.
C. No one particular form of documentation is necessary, and the extent of documentation may vary. In accordance with the documentation requirements in AU-C 315, the auditor should document such matters as (1) discussions among the engagement team; (2) the understanding of the entity and its environment, including each internal control component, sources of information, and the risk assessment procedures; (3) the risk assessments; and (4) risks requiring special audit consideration. The form and extent of documentation vary with (1) the nature, size, and complexity of the entity and its controls; (2) the availability of information; and (3) the audit methods and technology used (AU-C 315).
The auditor should perform tests of controls when the auditor's risk assessment includes an expectation A. That the controls are not suitably designed. B. Of a low level of inherent risk. C. Of the operating effectiveness of internal control. D. That the controls are not being applied.
C. Of the operating effectiveness of internal control. The purpose of tests of controls is to evaluate the effectiveness of controls in preventing, or detecting and correcting, material misstatements. When the auditor intends to rely on the controls, tests of their effectiveness should be performed.
Which of the following statements about the auditor's response to assessed risks of material misstatement in a financial statement audit is true? A. When assessing the risks of material misstatement, an auditor should not consider evidence obtained in prior audits about the operation of controls. B. Reliance on internal control may be sufficient to allow the auditor to eliminate substantive testing for significant transaction classes. C. Risk assessment procedures performed to obtain an understanding of an entity's internal control also may serve as tests of controls. D. When the risks of material misstatement are high, an auditor should reduce the amount of substantive testing.
C. Risk assessment procedures performed to obtain an understanding of an entity's internal control also may serve as tests of controls. Performing risk assessment procedures to obtain an understanding of the entity and its environment involves, among other things, evaluating the design of controls and determining whether they have been implemented. Tests of controls evaluate their operating effectiveness in preventing, or detecting and correcting, material misstatements at the assertion level. Although risk assessment procedures and tests of controls differ, they may use the same types of procedures. Thus, the auditor may decide that it is efficient to test operating effectiveness and evaluate design and implementation at the same time. Furthermore, some risk assessment procedures may provide evidence about operating effectiveness. For example, the auditor may (1) inquire about the use of budgets, (2) observe comparison of budgets and actual results, and (3) inspect reports on the investigation of variances (AU-C 330 and AS 2301).
In order to obtain an initial understanding of internal control sufficient to assess the risk of material misstatement of the financial statements, an auditor would most likely perform which of the following procedures? A. Analytical procedures to determine the need for specific controls. B. Tests of key controls to determine whether they are effective. C. Risk-assessment procedures to evaluate the design of relevant controls. D. Expanded substantive testing to identify relevant controls.
C. Risk-assessment procedures to evaluate the design of relevant controls. In all audits, the auditor should obtain an understanding of the components of internal control to identify and assess the RMMs and to design further audit procedures. An understanding is obtained by performing risk assessment procedures to evaluate the design of controls relevant to the audit and determine whether they have been implemented. Risk assessment procedures performed to obtain evidence about the design and implementation of relevant controls include (1) inquiries, (2) observation of the application of specific controls, (3) inspection of documents and reports, and (4) tracing transactions. Inquiries alone are not sufficient.
Basic to a proper control environment are the quality and integrity of personnel who must perform the prescribed procedures. Which is not a factor in providing for competent personnel? A. Hiring practices. B. Performance evaluations. C. Segregation of duties. D. Training programs.
C. Segregation of duties. Human resource policies and practices are an element in the control environment component of internal control. They affect the entity's ability to employ sufficient competent personnel to accomplish its objectives. Policies and practices include those for recruitment, orientation, training, evaluation, promotion, compensation, and remedial actions. Although control activities based on the segregation of duties are important to internal control, they do not in themselves promote employee competence.
Control activities constitute one of the five components of internal control described in the COSO model. Control activities do not encompass A. Performance reviews. B. Information processing. C. Physical controls. D. An internal auditing function.
D. An internal auditing function. The COSO model describes control activities as policies and procedures that help ensure that management directives are carried out. They are intended to ensure that necessary actions are taken to address risks to achieve the entity's objectives. Control activities have various objectives and are applied at various organizational and functional levels. However, an internal auditing function is part of the monitoring component.
A financial statement auditor is considering internal control for a client with an information system that makes extensive use of information technology. Which of the following statements related to the understanding of internal control for this client is false? A. A lack of control at a single user entry point might compromise the security of a single database. B. The auditor may find it necessary to have an expectation of the operating effectiveness of controls for certain relevant assertions. C. The auditor must possess all the information technology skills necessary to complete the engagement. D. Because of the inherent consistency of computer processing, the auditor may be able to reduce the extent of testing an automated control.
C. The auditor must possess all the information technology skills necessary to complete the engagement. The auditor should consider whether specialized skills are needed to determine the effect of IT on the audit, to understand the IT controls, and to design and perform tests of IT controls or substantive procedures. A member of the auditor's staff or an auditor's external specialist with IT skills can be employed to provide technical guidance.
In which of the following circumstances would an auditor expect to find that an entity implemented automated controls to reduce risks of misstatement? A. When large, unusual, or nonrecurring transactions require judgment. B. When errors are difficult to predict. C. When transactions are high-volume and recurring. D. When misstatements are difficult to define.
C. When transactions are high-volume and recurring. Automated controls are cost effective when they are applied to high-volume, recurring transactions. For example, credit limit checks on customer orders could be automated to relieve management from evaluating each customer order as it is received.
Which of the following best describe the interrelated components of internal control? A. Assignment of authority and responsibility, management philosophy, and organizational structure. B. Organizational structure, management philosophy, and planning. C. Risk assessment process, backup facilities, responsibility accounting, and natural laws. D. Control environment; risk assessment process; control activities; the information system, including related business processes; and monitoring of controls.
D. Control environment; risk assessment process; control activities; the information system, including related business processes; and monitoring of controls. Internal control has five components: the control environment, risk assessment process, control activities, information systems, and monitoring of controls. The control environment sets the tone of an organization, influences control consciousness, and provides a foundation for the other components. The risk assessment process is the identification, analysis, and management of risks relevant to achievement of objectives. Control activities help ensure that management directives are executed. The information system, including the related business processes relevant to financial reporting and communication, consists of (1) physical and hardware components, (2) software, (3) people, (4) procedures, and (5) data. Monitoring assesses the performance of internal control over time (AU-C 315 and AS 2110).
Which of the following items is an example of an inherent limitation in an internal control system? A. Segregation of employee duties. B. Understaffed internal audit functions. C. Ineffective board of directors. D. Human error in decision making.
D. Human error in decision making. Because of its inherent limitations, internal control can be designed and operated to provide only reasonable assurance that the entity's objectives are met. Thus, (1) human judgment is faulty, (2) controls may fail because of human error, (3) manual or automated controls can be circumvented by collusion, and (4) management may inappropriately override internal control. Moreover, custom, culture, the corporate governance system, and an effective control environment are not absolute deterrents to fraud. For example, if the nature of management incentives increases the RMMs, the effectiveness of controls may be reduced. A factor that is an inherent limitation of an audit as well as internal control is the need to balance benefit and cost. Although the ability to provide only reasonable assurance is a primary design criterion for internal control, the precise measurement of costs and benefits is not feasible. However, costs should not exceed the benefits of control. Thus, the cost constraint limits internal control.
What type of computer processing system is characterized by data that are assembled from more than one location and records that are updated immediately? A. Data compression systems. B. Personal computer systems. C. Batch processing systems. D. Online, real-time systems.
D. Online, real-time systems. Real-time processing involves processing an input record and receiving the output soon enough to affect a current decision-making process. In a real-time system, the user interacts with the system to control an ongoing activity. Online indicates that the decision maker is in direct communication with the computer. Online, real-time systems usually permit access to the server computer system from multiple remote terminals.