Topic 7 - Multiple Choice
10. Selects and develops control activities 11. Selects and develops general controls over technology 12. Deploys through policies and procedures
Control Activities
While auditors may consider all three objectives of internal control, they are primarily concerned with the compliance objective of internal control a. true b. false
Answer: False Auditors are primarily concerned with the reporting objective of internal control. While compliance is also an important objective of internal control, the auditor would mainly be concerned with compliance insofar as it impacted the financial statements.
The auditor has primary responsibility for the proper functioning of their client's internal control. a. true b. false
Answer: False Management, not the auditor, has primary responsibility for the proper functioning of their client's internal control.
A significant deficiency is more serious than a material weakness. a. true b. false
Answer: False Material weaknesses are more serious than significant deficiencies.
The materiality threshold used for the audit of financial statements is different from the materiality threshold used for determining whether a control deficiency is a material weakness or a significant deficiency. a. true b. false
Answer: False The auditor uses the same materiality threshold for these two purposes.
Using the COSO internal control framework as a benchmark for quality is mandatory for the audit of internal control over financial reporting. a. true b. false
Answer: False This statement is not true. Auditors use as a benchmark whichever internal control framework that was used by the client. The company is free to adopt any high quality framework.
The auditor must become familiar with the client's controls even if he or she is only engaged to audit the financial statements. a. true b. false
Answer: True The auditor has to obtain an understanding of their client's controls whether performing an internal control audit or an audit of financial statements only.
The Control Environment component of internal control relates to client integrity, proper board oversight and reporting channels, commitment to hiring competent employees, and proper accountability for internal control related actions. a. true b. false
Answer: True These are each principles outlined in the COSO framework regarding the Control Environment component.
Management is ultimately responsible for establishing and maintaining internal controls at the company. a. true b. false
Answer: True This is one of management's roles and one of the certifications they must make to the public.
The audit of financial statements and the audit of internal control over financial reporting should be conducted by the SAME external auditor. a. true b. false
Answer: True This is true. Doing so allows the auditor to learn important information about financial statements through testing controls, and important information about controls through testing financial statement accounts and transactions. Thus, this approach is called an integrated audit.
Control activities include both preventive controls and detective controls. a. true b. false
Answer: True This statement is true.
Monitoring activities can include both separate activities as well as ongoing activities to evaluate the effectiveness of controls. a. true b. false
Answer: True This statement is true.
The COSO framework is by far the most popular internal control framework used by companies in the United States. a. true b. false
Answer: True This statement is true.
The approach to documenting the auditor's understanding of internal control varies depending on the complexity of the system of internal control. a. true b. false
Answer: True This statement is true.
The auditor can issue either combined or separate audit reports when reporting on both the audit of financial statements and the audit of internal control. a. true b. false
Answer: True This statement is true.
The auditor must communicate ALL deficiencies she discovers; whether deficiencies, significant deficiencies, or material weaknesses; to the client. a. true b. false
Answer: True This statement is true.
The internal audit function at the client often plays a significant role in evaluating the company's internal controls. a. true b. false
Answer: True This statement is true. This makes sense think about your internal audit project, basically it's what we are doing.
If the auditor uses a pure substantive approach, he or she will typically not test the client's controls. a. true b. false
Answer: True This statement is true. Using a pure substantive approach means that the auditor is not going to rely on controls for any evidence. Therefore, the auditor would not test controls.
The auditor's report on internal control quality can express which of the following opinions regarding the quality of internal control? a. Qualified or Adverse only b. Unqualified or Qualified only c. Unqualified or Adverse only d. Unqualified, Qualified, or Adverse
Answer: Unqualified or Adverse only The auditors opinions can be either unqualified or adverse. No other audit opinions are available for the report on the audit of internal control.
Which answer below best describes the difference between a material weakness in internal control and a significant deficiency in internal control? a. The difference between the two is the size of the resulting potential misstatement that could get through the control systems undetected. b. The difference between the two is the probability that a material misstatement will flow through the controls undetected to the financial statements. c. The difference between the two is that significant deficiencies have to be reported to the public and material weaknesses do not d. The difference is that significant deficiencies are larger in magnitude than material misstatements
Answer: a. The difference between the two is the size of the resulting potential misstatement that could get through the control systems undetected. The main difference between significant deficiencies and material weaknesses is the *size* of the potential misstatements that could flow through the system of controls undetected. If it is at least reasonably possible that material misstatements could result it is a material weakness, whereas if it is at least reasonably possible that *significant, but not material*, misstatements could result it is a significant deficiency.
If the auditor believes the client's internal controls are not effective, she should issue which type of audit opinion? a. Unqualified b. Adverse c. Qualified
Answer: b. Adverse The auditor should issue an adverse opinion on internal controls if she believes the controls are not effective.
Which of the following is the correct sequence with regards to the auditor's reliance on the client's internal controls? a. Decision to rely on controls, assess design and implementation of controls, testing controls b. Assess design and implementation of controls, decision to rely on controls, testing controls c. Assess design and implementation of controls, testing controls, decision to rely on controls
Answer: b. Assess design and implementation of controls, decision to rely on controls, testing controls The auditor first assesses the quality of the design and implementation of controls, then makes a decision to rely on controls. After deciding to rely on controls, the auditor will test the controls.
COSO was originally founded by ______ organizations, including the AICPA. a. Seven b. Five c. Two d. Three
Answer: b. Five COSO was originally founded by five organizations, all of which are still involved with COSO.
The primary objectives achieved by a high quality system of internal control are: a. Operations and compliance b. Operations, reporting, and compliance c. Reporting and accuracy d. Accuracy and compliance
Answer: b. Operations, reporting, and compliance Operations, reporting, and compliance are the three objectives achieved by a high quality system of internal control.
Which of the following best describes the Risk Assessment component of internal control as outlined in the COSO framework? a. The auditor performs high quality risk assessment procedures to identify risky areas in the client's internal control systems b. The company maintains a robust risk assessment process which helps identify risks that might keep them from achieving the objectives of operations, reporting, and compliance c. The auditor performs regular fraud risk assessments of the client to identify client fraud d. Each of the above describes the Risk Assessment component of internal control as outlined in the COSO framework
Answer: b. The company maintains a robust risk assessment process which helps identify risks that might keep them from achieving the objectives of operations, reporting, and compliance The Risk Assessment component of internal control relates to the client's risk assessment procedures, not the auditor's. The role of the Risk Assessment component of control is to identify areas of risk that might prevent the company from achieving the objectives of operations, reporting, and compliance.
Which of the following is not true regarding the role of the COSO internal control framework? a. It is used to provide guidance regarding best practices for designing and implementing strong systems of internal control b. It is used as a benchmark, or "established criteria" for the audit of internal control over financial reporting c. It is used as the primary source for auditors to establish *quality control* procedures for their firm d. All of the above are true regarding the role of the COSO internal control framework
Answer: c. It is used as the primary source for auditors to establish quality control procedures for thier firm The COSO framework provides guidance regarding best practices for designing and implementing strong internal controls. It also serves as the established criteria against which auditors perform the audit of internal control over financial reporting. The COSO framework does not relate to quality control procedures for audit firms.
In every annual and quarterly filing, management has to state to the public that they evaluated effectiveness of the company's internal controls within __________ prior to the report issued to the public. a. 1 year b. 30 days c. 90 days d. 180 days
Answer: d. 90 days In every annual and quarterly filing, management has to state to the public that they evaluated effectiveness of the company's internal controls within 90 days *prior to the report issued to the public*.
Which of the following is NOT one of the key components of internal control? a. Control activities b. Compliance c. Control environment d. Monitoring
Answer: d. Compliance Compliance is one of the objectives of internal control, it is not one of the key components of internal control.
Each of the following is an example of control activities except? a. Physical controls b. Authorizations and approvals c. Reconciliations d. Monitoring
Answer: d. Monitoring Recall that, like control activities, monitoring is one of the control components in the COSO framework. Each of the others is a type of control activity. Authorization and approvals Verification Physical Controls Controls over standing data Reconciliations Supervisory controls
Which of the following is NOT a reason the auditor may choose to not rely on internal controls for audit evidence? a. The design of controls is not adequate, but controls are implemented well b. Testing controls is more time consuming than testing account balances or transactions directly c. The implementation of controls is lacking, but controls are designed effectively d. They are going to use a reliance approach instead e. Each of the above is a reason the auditor may choose to not rely on controls as audit evidence
Answer: d. They are going to use a reliance approach instead Using a reliance approach means the auditor *IS* going to rely on controls for audit evidence. If *either* (need both) design or implementation is lacking, the auditor may choose to not rely on controls for audit evidence. Similarly, if testing controls is more time consuming than directly testing the transactions or account balances, the auditor may choose to not rely on controls for audit evidence.
1. Demonstrates commitment to integrity and ethical values 2. Exercises oversight responsibility 3. Establishes structure, authority and responsibility 4. Demonstrates commitment to competence 5. Enforces accountability
Control Environment
If the auditor chooses not to rely on internal controls for audit evidence, he or she would still need to thoroughly test the controls to obtain a proper understanding of the appropriateness of the design and implementation of controls. a. true b. false
Answer: False The auditor only performs thorough tests of controls when he or she decides to rely on the controls for audit evidence. The auditor evaluates the design and implementation of the controls in the process of deciding whether to rely on controls (i.e. prior to internal control testing). farhat says not to waste time and resources on ineffective controls move on to substantive evidence.
13. Uses relevant information 14. Communicates internally 15. Communicates externally
Information and communication
16. Conducts ongoing and/or separate evaluations 17. Evaluates and communicates deficiencies
Monitoring activities
6. Specifies suitable objectives 7. Identifies and analyzes risk 8. Assesses fraud risk 9. Identifies and analyzes significant change
Risk Assessment