Section G
Which of the following situations represents a limitation, rather than a failure, of internal control? a. A purchasing employee and an outside vendor participate in a kickback scheme. b. A jewelry store employee steals a small necklace from a display cabinet. c. A movie theater cashier sells reduced-price tickets to full-paying customers and pockets the difference. d. A bank teller embezzles several hundred dollars from the cash drawer.
a. A purchasing employee and an outside vendor participate in a kickback scheme.
Which of the following statements is correct concerning an auditor's required communication of significant deficiencies in internal control noted during a financial statement audit of a nonissuer? a. An auditor's report on significant deficiencies should include a restriction on the distribution of the report. b. An auditor should communicate significant deficiencies after tests of controls, but before commencing substantive tests. c. A significant deficiency previously communicated during the prior year's audit that remains uncorrected causes a scope limitation. d. An auditor should perform tests of controls on significant deficiencies before communicating them to the client.
a. An auditor's report on significant deficiencies should include a restriction on the distribution of the report.
In most audits of large entities, control risk assessment contributes to audit efficiency, which means that a. Auditors will be able to reduce the cost of substantive procedures by an amount more than the control evaluation costs. b. Auditors will be able to reduce the cost of substantive procedures by an amount less than the cost of tests of controls. c. The cost of substantive procedures will exceed the cost of control evaluation work. d. The cost of control evaluation work will exceed the cost of substantive procedures.
a. Auditors will be able to reduce the cost of substantive procedures by an amount more than the control evaluation costs.
The purpose of separating the duties of hiring personnel and distributing payroll checks is to separate the a. Authorization of transactions from the custody of related assets. b. Operational responsibility from the record-keeping responsibility. c. Administrative controls from the internal accounting controls. d. Human resources function from the controllership function.
a. Authorization of transactions from the custody of related assets.
Which of the following types of evidence would an auditor most likely examine to determine whether internal controls are operating as designed? a. Client records documenting the use of EDP programs. b. Gross margin information regarding the client's industry. c. Anticipated results documented in budgets or forecasts. d. Confirmations of receivables verifying account balances.
a. Client records documenting the use of EDP programs.
Which of the following components of internal control would be considered the foundation for the other components? a. Control environment. b. Information and communication. c. Risk assessment. d. Control activities.
a. Control environment.
On the basis of audit evidence gathered and evaluated, an auditor decides to increase assessed control risk from that originally planned. To achieve an audit risk level that is substantially the same as the planned audit risk level, the auditor will a. Decrease planned detection risk. b. Decrease substantive testing. c. Increase inherent risk. d. Increase materiality levels.
a. Decrease planned detection risk.
The monitoring component of internal control excludes: a. Eliminating controls that are not operating effectively. b. Assessing information derived from external parties. c. Improving controls that are not operating effectively. d. Assessing the quality of internal control performance over time.
a. Eliminating controls that are not operating effectively.
Once the auditor detects a control deficiency, which of the following steps must he or she take first? a. Evaluate the severity of the deficiency on the auditor's control risk assessment for that assertion. b. Perform tests of other controls related to the same assertion as the control deemed ineffective. c. Test the deficient control, assuming a maximum level of risk. d. Modify the planned substantive procedures as a result of the deficiency.
a. Evaluate the severity of the deficiency on the auditor's control risk assessment for that assertion.
If the audit team identifies one or more significant deficiencies in an issuer's internal control over financial reporting and the scope of the engagement is not restricted, the auditors' report would: a. Express an unqualified opinion on internal control over financial reporting without reference to the significant deficiency. b. Express an unqualified opinion on internal control over financial reporting, with a separate section of the report identifying the significant deficiency. c. Express a qualified opinion on internal control over financial reporting, without reference to the significant deficiency. d. Express a qualified opinion on internal control over financial reporting, with a separate section of the report identifying the significant deficiency.
a. Express an unqualified opinion on internal control over financial reporting without reference to the significant deficiency.
Which of the following is not a possible reason why a properly designed system of internal control may fail to prevent or detect fraud? a. Inadequate segregation of duties may allow one person to both perpetrate and conceal fraudulent activity. b. Human error may result in an inappropriate application of controls. c. Collusion by two or more individuals may be used to circumvent controls. d. Management may override controls through its attitude and actions.
a. Inadequate segregation of duties may allow one person to both perpetrate and conceal fraudulent activity.
An auditor has identified the controller's review of the bank reconciliation as a control to test. In connection with this test, the auditor interviews the controller to understand the specific data reviewed on the reconciliation. In addition, the auditor verifies that the bank reconciliation is properly prepared by the accountant and reviewed by the controller as evidenced by their respective sign-offs. Which of the following types of audit procedures do these actions illustrate? a. Inquiry and inspection of records. b. Observation and inspection of records. c. Confirmation and reperformance. d. Analytical procedures and reperformance.
a. Inquiry and inspection of records.
Which of the following computer-assisted auditing techniques allows fictitious and real transactions to be processed together without client operating personnel being aware of the testing process? a. Integrated test facility. b. Parallel simulation. c. Input controls matrix. d. Data entry monitor.
a. Integrated test facility.
An entity's internal control consists of the policies and procedures established to provide reasonable assurance that specific entity objectives will be achieved. Only some of these objectives, policies, and procedures are relevant to a financial statement audit. Which one of the following would most likely be considered for testing in a financial statement audit? a. Maintenance of control over unused checks. b. Maintenance of statistical production analyses. c. Timely reporting and review of quality control results. d. Marketing analysis of sales generated by advertising projects.
a. Maintenance of control over unused checks.
Which of the following is a factor in the control environment? a. Management's philosophy and operating style. b. Performance reviews. c. Segregation of duties. d. Information processing.
a. Management's philosophy and operating style.
Generally accepted auditing standards (GAAS) give auditors considerable discretion to decide the amount of work required to satisfy auditing standards guiding internal control evaluation and related audit planning. Which of the descriptions below best expresses the minimum amount of work permitted by GAAS for nonpublic companies? a. Obtain an understanding of client environment, accounting, and control activities. Document the decision to assess control risk at maximum. Perform an extensive but not 100% substantive audit on financial statement transactions and balances. b. Do not obtain an understanding of client environment, accounting, or control activities. Do not document the decision to assess control risk at maximum. Perform 100% substantive audit on all financial statement transactions and balances. c. Obtain an understanding of client environment, accounting, and control activities, and perform detail tests of controls. Document the decision to assess control risk at zero. Perform no substantive audit on financial statement transactions and balances, since zero control risk means that no errors or fraud can reach the accounts. d. Obtain an understanding of client environment, accounting, and control activities, and perform detail tests of controls. Document the decision to assess control risk below the maximum. Perform restricted substantive audit on financial statement transactions and balances, considering the control risk assessment.
a. Obtain an understanding of client environment, accounting, and control activities. Document the decision to assess control risk at maximum. Perform an extensive but not 100% substantive audit on financial statement transactions and balances.
Tests of controls in a GAAS audit are required for a. Obtaining evidence about the operating effectiveness of client control activities. b. Accomplishing control over the occurrence of recorded transactions. c. Obtaining evidence about the financial statement assertions. d. Applying analytical procedures to financial statement balances.
a. Obtaining evidence about the operating effectiveness of client control activities.
Which of the following audit techniques ordinarily would provide an auditor with the least assurance about the operating effectiveness of an internal control activity? a. Preparation of system flowcharts. b. Observation of client personnel. c. Inspection of documents and reports. d. Inquiry of client personnel.
a. Preparation of system flowcharts.
An auditor should obtain sufficient knowledge of an entity's information system relevant to financial reporting to understand the: a. Process used to prepare significant accounting estimates. b. Safeguards used to limit access to computer facilities. c. Procedures used to assure proper authorization of transactions. d. Policies used to detect the concealment of fraud.
a. Process used to prepare significant accounting estimates.
Which of the following is a category of general controls? a. Program change controls. b. Processing controls. c. Detective controls. d. Input controls.
a. Program change controls.
In order to obtain an initial understanding of internal control sufficient to assess the risk of material misstatement of the financial statements, an auditor would most likely perform which of the following procedures? a. Risk-assessment procedures to evaluate the design of relevant controls. b. Expanded substantive testing to identify relevant controls. c. Analytical procedures to determine the need for specific controls. d. Tests of key controls to determine whether they are effective.
a. Risk-assessment procedures to evaluate the design of relevant controls.
Which of the following statements describes an auditor's obligation to identify deficiencies in the design or operation of internal control in a financial statement audit of a nonissuer? a. The auditor need not search for significant deficiencies in internal control but should document and communicate any such deficiencies that are discovered. b. The auditor should search for significant deficiencies in internal control if the auditor expects that controls are operating effectively (i.e., if the auditor plans to rely on controls). c. The auditor need not search for significant deficiencies in internal control unless management requests an attestation that "no significant deficiencies in internal control were noted in the audit." d. The auditor should design and apply tests of controls to discover significant deficiencies in internal control that could result in material misstatements.
a. The auditor need not search for significant deficiencies in internal control but should document and communicate any such deficiencies that are discovered.
Which of the following statements about internal control is correct? a. The cost-benefit relationship is a primary criterion that should be considered in designing internal control. b. The establishment and maintenance of internal control is an important responsibility of the internal auditor. c. Exceptionally strong internal control is enough for the auditor to eliminate substantive tests on a significant account balance. d. Properly maintained internal control reasonably ensures that collusion among employees cannot occur.
a. The cost-benefit relationship is a primary criterion that should be considered in designing internal control.
An auditor would most likely be concerned with internal control policies and procedures that provide reasonable assurance about a. The entity's ability to process and summarize financial data. b. The efficiency of management's decision‑making process. c. Appropriate prices the entity should charge for its products. d. Methods of assigning production tasks to employees.
a. The entity's ability to process and summarize financial data.
In the integrated audit of an issuer, which of the following would not be considered an entity-level control? a. The outside auditor's assessment process of internal auditor competence and objectivity. b. The board of directors' controls to monitor the activities of the audit committee. c. Management's established controls to monitor results of operations. d. The executive committee's process for assessing business risk.
a. The outside auditor's assessment process of internal auditor competence and objectivity.
Which of the following statements most likely represents a control consideration for an entity that performs its accounting using mobile computing devices? a. Unauthorized persons find it easy to access the computer and alter the data files. b. It is usually difficult to detect arithmetic errors. c. Transactions are coded for account classifications before they are processed on the computer. d. Random errors in report printing are rare in packaged software systems.
a. Unauthorized persons find it easy to access the computer and alter the data files.
To obtain evidence that controls over access to computer programs are properly functioning, audit teams most likely would a. enter invalid identification numbers or passwords to ascertain whether the system rejects them. b. create checkpoints at periodic intervals after data processing to test for unauthorized use of the system. c. vouch a random sample of processed transactions to assure proper authorization. d. examine the transaction log to discover whether any transactions were lost or entered twice due to a system malfunction.
a. enter invalid identification numbers or passwords to ascertain whether the system rejects them.
In testing control activities, an auditor ordinarily selects from a variety of techniques, including: a. reperformance and observation. b. inquiry and analytical procedures. c. inspection and verification. d. comparison and confirmation.
a. reperformance and observation.
When completing the audit of internal controls for a public company, AS 2201 requires auditors to report on a. Management's Report on Internal Control: No An Audit of Internal Control: Yes b. Management's Report on Internal Control: Yes An Audit of Internal Control: No c. Management's Report on Internal Control: Yes An Audit of Internal Control: Yes d. Management's Report on Internal Control: No An Audit of Internal Control: No
a. Management's Report on Internal Control: No An Audit of Internal Control: Yes
A primary advantage of using generalized audit software packages to audit the financial statements of a client that uses an EDP system is that the auditor may: a. Substantiate the accuracy of data through self-checking digits and hash totals. b. Access information stored on computer files while having a limited understanding of the client's hardware and software features. c. Reduce the level of required tests of controls to a relatively small amount. d. Consider increasing the use of substantive tests of transactions in place of analytical procedures.
b. Access information stored on computer files while having a limited understanding of the client's hardware and software features.
The auditor should assess control risk for each relevant assertion by evaluating the evidence obtained from all sources, including a. Misstatements detected during the financial statement audit. b. All of these answers are correct. c. The auditor's testing of controls for the audit of internal control on a public company. d. Any control deficiencies identified during the audit.
b. All of these answers are correct.
Audit teams can obtain evidence of the proper functioning of password access control to a accounting information system by a. Selecting a random sample of the client's completed transactions to check the existence of proper authorization. b. Attempting to sign on to the accounting information system with a false password. c. Writing a computer program that simulates the logic of an effective password control system. d. Obtaining representations from the client's computer personnel that the password control prevents unauthorized entry.
b. Attempting to sign on to the accounting information system with a false password.
Which of the following factors most likely would be considered an inherent limitation to an entity's internal control? a. The complexity of the entity's electronic order-processing system. b. Collusion of employees in circumventing internal controls. c. The ineffectiveness of the entity's audit committee. d. The lack of resources to monitor internal controls.
b. Collusion of employees in circumventing internal controls.
Which of the following categories of general controls includes retention and recovery techniques for data and related programs? a. Access to programs and data. b. Computer operations. c. Data file controls. d. Program change controls.
b. Computer operations.
Which of the following would reduce the effectiveness of internal control in an accounting information system? a. The computer librarian maintains custody of computer program instructions and detailed lists. b. Computer operators have access to operator instructions and detailed program lists. c. The control group is solely responsible for the distribution of all computer output. d. Computer programmers write and debug programs that perform routines designed by the systems analyst.
b. Computer operators have access to operator instructions and detailed program lists.
Which of the following strategies would a CPA most likely consider in auditing an entity that processes most of its financial data only in electronic form, such as a paperless system? a. Extensive testing of firewall boundaries that restrict the recording of outside network traffic. b. Continuous monitoring and analysis of transaction processing with an embedded audit module. c. Increased reliance on internal control activities that emphasize the segregation of duties. d. Verification of encrypted digital certificates used to monitor the authorization of transactions.
b. Continuous monitoring and analysis of transaction processing with an embedded audit module.
When completing the audit of internal controls for a public company, the PCAOB requires auditors to audit internal controls over a. All of these answers are correct. b. Financial reporting. c. Operations. d. Compliance with regulations.
b. Financial reporting.
Which of the following levels would most likely address the risk of material misstatement by the auditor's consideration of an entity's control environment? a. Specific account balances. b. Financial statements. c. Classes of transactions. d. Disclosures.
b. Financial statements.
Which of the following most accurately describes the process of a walkthrough? a. Testing and documenting the results of tests of selected controls. b. Following a transaction from its origination until it is reflected in the financial statements. c. Observation of an entity's activities and operations. d. Inspection of selected documents, records, and internal control documentation.
b. Following a transaction from its origination until it is reflected in the financial statements.
Which of the following would most likely be classified as a material weakness? a. Absence of appropriate reviews and approvals of transactions. b. Ineffective oversight of the financial reporting process by the company's audit committee. c. Absence of appropriate separation of duties. d. Evidence of failure of control activities.
b. Ineffective oversight of the financial reporting process by the company's audit committee.
The primary responsibility for establishing and maintaining internal controls rests with a. The internal auditors. b. Management. c. The external auditors. d. The Public Company Accounting Oversight Board.
b. Management.
An auditor of a large public company identifies a material weakness in internal control. The auditor a. Must issue a qualified or a disclaimer of opinion on internal control over financial reporting. b. May still be able to issue an unqualified opinion on internal control over financial reporting. c. Must issue an adverse opinion on internal control over financial reporting. d. Will be unable to issue an unqualified opinion on the financial statements.
b. May still be able to issue an unqualified opinion on internal control over financial reporting.
Which of the following procedures most likely would provide an auditor with evidence about whether an entity's internal control activities are suitably designed to prevent or detect material misstatements? a. Performing analytical procedures using data aggregated at a high level. b. Observing the entity's personnel applying the activities. c. Reperforming the activities for a sample of transactions. d. Vouching a sample of transactions directly related to the activities
b. Observing the entity's personnel applying the activities.
In an environment that is highly automated, an auditor determines that it is not possible to reduce detection risk solely by using substantive tests of transactions. Under these circumstances, the auditor most likely would a. Apply analytical procedures and consider the effect on control risk. b. Perform tests of controls to support a lower level of assessed control risk. c. Adjust the materiality level and consider the effect on inherent risk. d. Increase the sample size to reduce sampling risk and detection risk.
b. Perform tests of controls to support a lower level of assessed control risk.
In obtaining an understanding of a manufacturing entity's internal control concerning inventory balances, an auditor most likely would: a. Analyze monthly production reports to identify variances and unusual transactions. b. Review the entity's descriptions of inventory controls. c. Analyze inventory turnover statistics to identify slow-moving and obsolete items. d. Perform test counts of inventory during the entity's physical count.
b. Review the entity's descriptions of inventory controls.
Which of the following does not accurately summarize auditors' requirements regarding internal control? a. Understanding. Public Entity: Yes Nonpublic Entity: Yes b. Test controls. Public Entity: Yes Nonpublic Entity: Yes c. Documenting. Public Entity: Yes Nonpublic Entity: Yes d. Evaluating control risk. Public Entity: Yes Nonpublic Entity: Yes
b. Test controls. Public Entity: Yes Nonpublic Entity: Yes
When there are numerous property and equipment transactions during the year, an auditor who plans to assess control risk at a low level usually performs: a. Tests of controls and extensive tests of property and equipment balances at the end of the year. b. Tests of controls and limited tests of current year property and equipment transactions. c. Analytical procedures for current year property and equipment transactions. d. Analytical procedures for property and equipment balances at the end of the year.
b. Tests of controls and limited tests of current year property and equipment transactions.
After obtaining an understanding of the entity and its environment, including its internal control, an auditor decided to perform tests of controls. This is likely because: a. An increase in the assessed level of control risk is justified for certain financial statement assertions. b. The auditor's risk assessment is based on the effective operation of controls. c. Evidence to support a reduction in control risk is not available. d. There were many internal control weaknesses that could allow errors to enter the accounting system.
b. The auditor's risk assessment is based on the effective operation of controls.
An auditor should obtain knowledge of a client's information and communication system in order to understand each of the following, except: a. The means used by an entity to communicate financial reporting roles to its staff. b. The means used by an entity to ensure that management directives are carried out. c. The process used to prepare financial statements. d. How transactions are initiated, processed, and reported.
b. The means used by an entity to ensure that management directives are carried out.
When companies use information technology (IT) extensively, evidence may be available only in electronic form. What is an auditor's best course of action in such situations? a. Use audit software to perform analytical procedures. b. Use generalized audit software to extract evidence from client databases. c. Perform limited tests of controls over electronic data. d. Assess the control risk as high.
b. Use generalized audit software to extract evidence from client databases.
Audit teams would most likely introduce test data into a computerized payroll system to test internal controls related to the a. existence of unclaimed payroll checks held by supervisors. b. discovery of invalid employee identification numbers. c. proper approval of overtime by supervisors. d. early cashing of payroll checks by employees.
b. discovery of invalid employee identification numbers.
After obtaining an understanding of internal controls and assessing control risk on the audit of a non-public company, an auditor decided to perform tests of controls. The auditor most likely decided that: a. an increase in the assessed level of control risk is justified for certain financial statement assertions. b. it would be efficient to perform tests of controls that would result in a reduction in planned substantive tests. c. additional evidence to support a further reduction in control risk is not available. d. there were many internal control weaknesses that could allow errors to enter the accounting system.
b. it would be efficient to perform tests of controls that would result in a reduction in planned substantive tests.
The primary objective of procedures performed to obtain an understanding of the entity's internal control is to provide an auditor with: a. evidential matter to use in assessing inherent risk. b. knowledge necessary for audit planning. c. a basis for modifying tests of controls. d. an evaluation of the consistency of application of management's policies.
b. knowledge necessary for audit planning.
The ultimate purpose of assessing control risk is to contribute to the auditor's evaluation of the: a. factors that raise doubts about the auditability of the financial statements. b. risk that material misstatements exist in the financial statements. c. possibility that the nature and extent of substantive tests may be reduced. d. operating effectiveness of internal control policies and procedures.
b. risk that material misstatements exist in the financial statements.
When obtaining an understanding of an entity's internal control in a financial statement audit at a non-public company, an auditor is not obligated to: a. document the understanding of the company's internal control system. b. search for significant deficiencies in the operation of the internal control system. c. determine whether the control activities have been placed in operation. d. perform procedures to understand the design of the internal control system.
b. search for significant deficiencies in the operation of the internal control system.
Which of the following are considered control environment factors? a. Detection risk: Yes Human resource policies and practices: No b. Detection risk: No Human resource policies and practices: Yes c. Detection risk: No Human resource policies and practices: No d. Detection risk: Yes Human resource policies and practices: Yes
b. Detection risk: No Human resource policies and practices: Yes
According to the PCAOB, each of the following statements is true with respect to the auditor's responsibility to communicate material weaknesses in internal control over financial reporting, except: a. All such weaknesses must be communicated in writing to the audit committee. b. All such weaknesses must be communicated in writing to management. c. All such weaknesses must be communicated in writing to all stockholders. d. All such weaknesses must be communicated prior to the issuance of the auditor's report on internal control over financial reporting.
c. All such weaknesses must be communicated in writing to all stockholders.
Which of the following is the best way to compensate for the lack of adequate segregation of duties in a small organization? a. Requiring accountants to pass a yearly background check. b. Disclosing lack of segregation of duties to the external auditors during the annual review. c. Allowing for greater management oversight of incompatible activities. d. Replacing personnel every three or four years.
c. Allowing for greater management oversight of incompatible activities.
Which of the following statements correctly describes the "top-down approach" used during an audit of internal control over financial reporting? a. Begin reviewing balance sheet accounts and then review income statement accounts. b. Begin by understanding the overall risks to internal control over financial reporting at the general ledger level. c. Begin by understanding the overall risks to internal control over financial reporting at the financial statement level. d. Begin reviewing income statement accounts and then review balance sheet accounts.
c. Begin by understanding the overall risks to internal control over financial reporting at the financial statement level.
An auditor uses assessed control risk to a. Evaluate the effectiveness of the entity's controls. b. Indicate whether materiality thresholds for planning and evaluation purposes are sufficiently high. c. Determine the acceptable level of detection risk for financial statement assertions. d. Identify transactions and account balances where inherent risk is at maximum.
c. Determine the acceptable level of detection risk for financial statement assertions.
Audit evidence concerning proper segregation of duties ordinarily is best obtained by: a. Preparation of a flowchart of duties performed by available personnel. b. Reviewing job descriptions prepared by the personnel department. c. Direct personal observation of the employees who apply control activities. d. Inquiring whether control activities operated consistently throughout the period.
c. Direct personal observation of the employees who apply control activities.
In general, a material internal control weakness may be defined as a condition in which material errors or fraud would ordinarily not be detected within a timely period by a. A controller when reconciling accounts in the general ledger. b. An auditor during the normal study and evaluation of the system of internal control. c. Employees in the normal course of performing their assigned functions. d. The chief financial officer when reviewing interim financial statements.
c. Employees in the normal course of performing their assigned functions.
Controls used in the management of a computer center to minimize the possibility of using an incorrect file or program are a. Control totals. b. Record counts. c. External labels. d. Limit checks.
c. External labels.
Which of the following items is an example of an inherent limitation in an internal control system? a. Segregation of employee duties. b. Ineffective board of directors. c. Human error in decision making. d. Understaffed internal audit functions.
c. Human error in decision making.
Which of the following computer controls would provide the best evidence that unauthorized users are not accessing specific computer programs and files? a. Periodically reviewing and confirming access rights for the organization's users. b. Using passwords requiring access to those programs and files. c. Monitoring actual user activity through a program log and comparing that activity to authorized levels. d. Ensuring that access to programs and files is removed for recently-terminated employees.
c. Monitoring actual user activity through a program log and comparing that activity to authorized levels.
A client maintains a large data center where access is limited to authorized employees. How may an auditor best determine the effectiveness of this control activity? a. Inspect the policy manual establishing this control activity. b. Obtain a list of current data center employees. c. Observe whether the data center is monitored. d. Ask the chief technology officer about known problems.
c. Observe whether the data center is monitored.
When auditing financial statements of a private company, the minimum work an auditor must perform in connection with a company's internal control is best described by which of the following statements? a. Perform exhaustive tests of accounting controls and evaluate the company's control system effectiveness. b. Determine whether the company's control policies are designed well enough to prevent material misstatements. c. Prepare auditing working papers that document the auditor's understanding of the company's internal control. d. Design procedures to search for significant deficiencies in the actual operation of the company's internal control.
c. Prepare auditing working papers that document the auditor's understanding of the company's internal control.
In a computerized payroll system environment, an auditor would be least likely to use test data to test controls related to: a. Time tickets with invalid job numbers. b. Agreement of hours per clock cards with hours on time tickets. c. Proper approval of overtime by supervisors. d. Missing employee numbers.
c. Proper approval of overtime by supervisors.
Which of the following input controls would not be effective in identifying the erroneous input of numeric fields in a transaction? a. Batch totals. b. Hash totals. c. Record counts. d. Check digits.
c. Record counts.
Which of the following areas can external auditors rely on internal auditors' work in auditing internal controls? a. Evaluation of the auditing environment. b. All testing of the operating effectiveness of internal control activities. c. Testing of low risk internal control activities. d. As providing the principle evidence for the external auditors' opinion.
c. Testing of low risk internal control activities.
Which of the following represents an inherent limitation of internal controls? a. Customer credit checks are not performed. b. Bank reconciliations are not performed on a timely basis. c. The CEO can request a check with no purchase order. d. Shipping documents are not matched to sales invoices.
c. The CEO can request a check with no purchase order.
Which of the following best describes the responsibility of the auditor to report significant deficiencies and material weaknesses in an engagement to audit the effectiveness of a nonissuer's internal control? a. Neither significant deficiencies nor material weaknesses are required to be communicated. b. The auditor must communicate significant deficiencies, but need not separately identify material weaknesses. c. The auditor must communicate both significant deficiencies and material weaknesses. d. The auditor must communicate material weaknesses, but need not disclose significant deficiencies.
c. The auditor must communicate both significant deficiencies and material weaknesses.
An auditor is concerned about a policy of management override as a limitation of internal control. Which of the following tests would best assess the validity of the auditor's concern? a. Reviewing minutes of board meetings. b. Tracing sales orders to the revenue account. c. Verifying that approved spending limits are not exceeded. d. Matching purchase orders to accounts payable.
c. Verifying that approved spending limits are not exceeded.
Management's report on internal controls must include each of the following except: a. a statement providing management's assessment of the effectiveness of the company's internal control. b. statement that management is responsible for establishing and maintaining adequate internal control over financial reporting. c. a statement providing management's evaluation of the company's control environment. d. statement identifying the framework management uses to evaluate the effectiveness of the company's internal control.
c. a statement providing management's evaluation of the company's control environment.
When the audit team increases the planned assessed level of control risk because certain control activities were determined to be ineffective, the audit team would most likely increase the: a. level of detection risk. b. extent of tests of controls. c. extent of substantive tests of details. d. level of inherent risk.
c. extent of substantive tests of details.
Assessing control risk at below the maximum level most likely would involve: a. performing more extensive substantive tests with larger sample sizes than originally planned. b. reducing inherent risk for most of the assertions relevant to significant account balances. c. identifying specific internal control activities that are relevant to specific financial statement assertions. d. changing the timing of substantive tests by omitting interim-date testing and performing the tests at year-end.
c. identifying specific internal control activities that are relevant to specific financial statement assertions.
An auditor's primary consideration in evaluating controls is whether specific controls: a. Reduce detection risk to a sufficiently low level. b. Improve the efficiency of the client's operations. c. Can be classified into one of the five internal control components. d. Affect financial statement assertions.
d. Affect financial statement assertions.
In an audit of financial statements, an auditor's primary consideration regarding internal control is whether the control: a. Enhances management's decision-making processes. b. Reflects management's philosophy and operating style. c. Provides adequate safeguards over access to assets. d. Affects management's financial statement assertions
d. Affects management's financial statement assertions
Which of the following statements is correct regarding internal control? a. A well-designed internal control environment ensures the achievement of an entity's control objectives. b. Internal control is a necessary business function and should be designed and operated to detect all errors and fraud. c. A well-designed and operated internal control environment should detect collusion perpetrated by two people. d. An inherent limitation to internal control is the fact that controls can be circumvented by management override.
d. An inherent limitation to internal control is the fact that controls can be circumvented by management override.
Which of the following automated application controls would offer reasonable assurance that inventory data were completely and accurately entered? a. Limit tests. b. Check digits. c. Sequence checking. d. Batch totals.
d. Batch totals.
Which of the following characteristics distinguishes computer processing from manual processing? a. Errors or irregularities in computer processing will be detected soon after their occurrences. b. The potential for systematic error is ordinarily greater in manual processing than in computerized processing. c. Most computer systems are designed so that transaction trails useful for audit purposes do not exist. d. Computer processing virtually eliminates the occurrence of computational error normally associated with manual processing.
d. Computer processing virtually eliminates the occurrence of computational error normally associated with manual processing.
When planning the audit of internal controls for an issuer, the audit team should a. Make inquiries of employees regarding the existence of control activities. b. Conduct a walkthrough of the internal control process. c. Reperform control activities performed by client employees to determine their effectiveness. d. Identify significant accounts, locations, and assertions.
d. Identify significant accounts, locations, and assertions.
Which of the following most likely would not be considered an inherent limitation of the potential effectiveness of an entity's internal controls? a. Management override. b. Collusion among employees. c. Mistakes in judgment. d. Incompatible duties.
d. Incompatible duties
Which of the following would an auditor most likely consider in evaluating the control environment of an audit client? a. The number of CPAs in the accounting department. b. Management reviews of monthly financial statements. c. Overall employee satisfaction with assigned duties. d. Management's operating style.
d. Management's operating style.
Which of the following is not an objective of internal controls over financial reporting as defined by the Sarbanes-Oxley Act? a. Policies and procedures that provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with generally accepted accounting principles, and receipts and expenditures of the registrant are being made only in accordance with authorizations of management and directors of the registrant. b. Policies and procedures that provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use or disposition of the registrant's assets that could have a material effect on the financial statements. c. Policies and procedures that pertain to the maintenance of records that in reasonable detail accurately and fairly reflect the transactions and dispositions of the assets of the registrant. d. Policies and procedures that provide reasonable assurance regarding the compliance with applicable laws and regulations.
d. Policies and procedures that provide reasonable assurance regarding the compliance with applicable laws and regulations.
Which of the following controls is least likely to be relevant to a financial statement audit? a. Use of computer passwords to limit access to data files. b. Policies that relate to compliance with income tax regulations. c. Generation of production statistics used to evaluate variances. d. Procedures that prevent the excess use of materials in production.
d. Procedures that prevent the excess use of materials in production.
Which of the following is an inherent limitation of any client's internal control? a. The competence and integrity of client personnel provide an environment conducive to control and provides assurance that effective control will be achieved. b. Procedures designed to assure the execution and recording of transactions in accordance with proper authorizations are effective against frauds perpetrated by management. c. The benefits expected to be derived from effective internal controls usually do not exceed the costs of effective internal controls. d. Procedures whose effectiveness depends on separation of duties can be circumvented by collusion.
d. Procedures whose effectiveness depends on separation of duties can be circumvented by collusion.
Each of the following types of controls is considered to be an entity-level control, except those a. Relating to the control environment. b. Pertaining to the company's risk assessment process. c. Addressing policies over significant risk management practices. d. Regarding the company's annual stockholder meeting.
d. Regarding the company's annual stockholder meeting.
Which of the following is a preventive control? a. Detailed fluctuation analysis completed by the CFO for revenue. b. Reconciliation of a bank account. c. Recalculation of a sample of payroll entries by internal auditors. d. Separation of duties between the payroll and personnel departments.
d. Separation of duties between the payroll and personnel departments.
Which of the following control procedures most likely could prevent computer personnel from modifying programs to bypass computer controls? a. Physical security of computer facilities in limiting access to computer equipment. b. Participation of user department personnel in designing and approving new systems. c. Periodic management review of computer utilization reports and systems documentation. d. Separation of duties for computer programming and computer operations.
d. Separation of duties for computer programming and computer operations.
Which of the following factors is most relevant when an auditor considers the client's organizational structure in the context of control risk? a. Management's attitude toward information processing and accounting departments. b. Physical proximity of the accounting function to upper management. c. The organization's recruiting and hiring practices. d. The suitability of the client's lines of reporting.
d. The suitability of the client's lines of reporting.
Which of the following factors affecting the risk associated with a control is not a consideration when designing the current-year audit procedures in an audit of internal control over financial reporting for an issuer? a. The nature, timing, and extent of procedures performed in previous audits. b. The results of the previous years' testing of the control. c. Whether there have been changes in the operation of a key control since the previous audit. d. Whether the control has been documented in flowchart or narrative form.
d. Whether the control has been documented in flowchart or narrative form.
Audit teams would least likely use computer-assisted audit techniques to a. construct and perform parallel simulations. b. access client data files. c. prepare spreadsheets. d. assess control risk related to computerized processing systems.
d. assess control risk related to computerized processing systems.
Control strengths and weaknesses should be documented in audit documentation, sometimes called: a. questionnaires, narratives, and flowcharts. b. communications of significant deficiencies. c. internal control letters. d. bridge working papers.
d. bridge working papers.
The appropriate separation of duties does not include: a. authorization to execute transactions. b. custody of assets involved in the transactions. c. recording of transactions. d. data preparation.
d. data preparation.
In an audit of financial statements of a non-public company in accordance with generally accepted auditing standards, an auditor is required to: a. search for significant deficiencies in the operation of the internal controls. b. perform tests of controls to evaluate the effectiveness of the entity's accounting system. c. determine whether control activities are operating effectively to prevent or detect material misstatements. d. document the auditor's understanding of the entity's internal control.
d. document the auditor's understanding of the entity's internal control.
Regardless of the assessed level of control risk, an auditor of a non-public company would perform some: a. analytical procedures to verify the design of internal control activities. b. dual purpose tests to evaluate both the risk of monetary misstatement and preliminary control risk. c. tests of controls to determine the effectiveness of internal control policies. d. substantive tests to restrict detection risk for significant transaction classes.
d. substantive tests to restrict detection risk for significant transaction classes.
Which of the following are considered control environment factors? a. Assignment of authority and responsibility: Yes Detection risk: Yes Integrity and ethical values: Yes b. Assignment of authority and responsibility: No Detection risk: No Integrity and ethical values: No c. Assignment of authority and responsibility: No Detection risk: Yes Integrity and ethical values: No d. Assignment of authority and responsibility: Yes Detection risk: No Integrity and ethical values: Yes
d. Assignment of authority and responsibility: Yes Detection risk: No Integrity and ethical values: Yes
Objectives of an entity include: a. Information and Communication Systems: Yes Reliable Financial Reporting: No Effective and Efficient Operations: No b. Information and Communication Systems: Yes Reliable Financial Reporting: Yes Effective and Efficient Operations: Yes c. Information and Communication Systems: No Reliable Financial Reporting: Yes Effective and Efficient Operations: No d. Information and Communication Systems: No Reliable Financial Reporting: Yes Effective and Efficient Operations: Yes
d. Information and Communication Systems: No Reliable Financial Reporting: Yes Effective and Efficient Operations: Yes
Which of the following opinions are appropriate when there is a restriction on the scope in which the auditor is unable to obtain sufficient appropriate evidence regarding internal control over financial reporting? a. Unqualified: Yes Adverse: Yes Qualified: No b. Unqualified: Yes Adverse: No Qualified: Yes c. Unqualified: No Adverse: Yes Qualified: Yes d. Unqualified: Yes Adverse: Yes Qualified: Yes e. Unqualified: No Adverse: No Qualified: No
e. Unqualified: No Adverse: No Qualified: No
