ACC 580 SU 5, 9, 14

According to the PCAOB, each of the following statements is true with respect to the auditor's responsibility to communicate material weaknesses in internal control over financial reporting except (a)All such weaknesses must be communicated in writing to all stockholders. (b)All such weaknesses must be communicated in writing to the audit committee. (c)All such weaknesses must be communicated prior to the issuance of the auditor's report on internal control over financial reporting. (d)All such weaknesses must be communicated in writing to management.

(a)All such weaknesses must be communicated in writing to all stockholders. The auditor only needs to communicate material weaknesses in writing to management and those charged with governance, including the audit committee.

Which of the following best describes a CPA's engagement to report on an entity's internal control over financial reporting? (a)An audit engagement that results in issuance of a report relating to the effectiveness of internal control. (b)A consulting engagement to provide constructive advice to the entity on its internal control. (c)An audit of the financial statements that results in communicating significant deficiencies in internal control. (d)A prospective engagement to project, for a period of time not to exceed one year, and report on the expected benefits of the entity's internal control.

(a)An audit engagement that results in issuance of a report relating to the effectiveness of internal control. In such an attest engagement, the auditor issues a report relating to the effectiveness of the entity's internal control over financial reporting. The practitioner, as part of engagement performance, obtains from management a written assessment about such effectiveness. AU-C 940 and AS 2201 define the objective of the engagement to express an opinion on the effectiveness of internal control over financial reporting similarly.

Which of the following statements about significant deficiencies and material weaknesses in internal control is true for an audit of a nonissuer? (a)An auditor may communicate significant deficiencies and material weaknesses during an audit or after the audit's completion. (b)An auditor may report that no significant deficiencies were noted during an audit. (c)An auditor is required to search for significant deficiencies and material weaknesses during an audit. (d)All control deficiencies are also considered to be material weaknesses.

(a)An auditor may communicate significant deficiencies and material weaknesses during an audit or after the audit's completion. When early communication is important, the auditor may communicate significant matters orally during an audit. However, significant deficiencies and material weaknesses are best communicated by the audit report release date. But they are required to be made no later than 60 days after the report release date.

Transaction authorization within an organization may be either specific or general. An example of specific transaction authorization is the (a)Approval of a detailed construction budget for a warehouse. (b)Setting of automatic reorder points for material or merchandise. (c)Establishment of requirements to be met in determining a customer's credit limits. (d)Establishment of sales prices for products to be sold to any customer.

(a)Approval of a detailed construction budget for a warehouse. A specific transaction authorization is applicable to a unique decision. A general authorization establishes criteria and authorizes the routine making of decisions subject to the criteria. Approving a detailed construction budget for a warehouse is a one-time decision.

To ensure that the audit report for an issuer is prepared in accordance with Section 404 of the Sarbanes-Oxley Act of 2002, the report must (a)Attest to and report on the internal control assessment made by the management of the issuer. (b)Be prepared within 60 days of the end of the issuer's fiscal year end unless extenuating circumstances, as outlined in the act, are publicly disclosed. (c)Attest to, and report on, the efficiency and effectiveness of the issuer's system of internal control. (d)Be prepared within 60 days of the issuer's fiscal year end, be certified by the Public Company Accounting Oversight Board, and be publicly disclosed.

(a)Attest to and report on the internal control assessment made by the management of the issuer. Section 404(a) requires an issuer to include in its annual report an internal control report (1) stating the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting and (2) an assessment of the effectiveness of the internal control structure and procedures for financial reporting. Section 404(b) requires the issuer's auditor to report on the effectiveness of internal control over financial reporting. [But the requirement in 404(b) does not apply to nonaccelerated filers (issuers with market equity of less than $75,000,000).]

For which of the following audit tests would an auditor most likely use attribute sampling? (a)Inspecting employee time cards for proper approval by supervisors. (b)Examining invoices in support of the measurement of fixed asset additions. (c)Selecting accounts receivable for confirmation of account balances. (d)Making an independent estimate of the amount of a LIFO inventory.

(a)Inspecting employee time cards for proper approval by supervisors. The auditor uses attribute sampling to test the effectiveness of controls. Attribute sampling enables the auditor to estimate the occurrence rate of deviations and to determine its relation to the tolerable deviation rate. Thus, a control, such as proper approval of time cards by supervisors, can be tested for effectiveness using attribute sampling.

Which of the following passwords would be most difficult to crack? (a)O?Ca!FlSi (b)pass56word (c)12 HOUSE 24 (d)language

(a)O?Ca!FlSi To be effective, passwords should consist of random letters, symbols, and numbers and should not contain words or phrases. Accordingly, computer system users should avoid employing words for or in their passwords.

An advantage of using systems flowcharts to document information about internal control instead of using internal control questionnaires is that systems flowcharts (a)Provide a visual depiction of clients' activities. (b)Identify internal control deficiencies more prominently. (c)Reduce the need to observe clients' employees performing routine tasks. (d)Indicate whether controls are operating effectively.

(a)Provide a visual depiction of clients' activities. Systems flowcharts provide a visual representation of a series of sequential processes, that is, of a flow of documents, data, and operations. In many instances, a flowchart is preferable to a questionnaire because a picture is usually more easily comprehended.

In order to obtain an initial understanding of internal control sufficient to assess the risk of material misstatement of the financial statements, an auditor would most likely perform which of the following procedures? (a)Risk-assessment procedures to evaluate the design of relevant controls. (b)Tests of key controls to determine whether they are effective. (c)Analytical procedures to determine the need for specific controls. (d)Expanded substantive testing to identify relevant controls.

(a)Risk-assessment procedures to evaluate the design of relevant controls. In all audits, the auditor should obtain an understanding of the components of internal control to identify and assess the RMMs and to design further audit procedures. An understanding is obtained by performing risk assessment procedures to evaluate the design of controls relevant to the audit and determine whether they have been implemented. Risk assessment procedures performed to obtain evidence about the design and implementation of relevant controls include (1) inquiries, (2) observation of the application of specific controls, (3) inspection of documents and reports, and (4) tracing transactions. Inquiries alone are not sufficient.

Which of the following courses of action would an auditor most likely follow in planning a sample of cash disbursements if the auditor is aware of several unusually large cash disbursements? (a)Stratify the cash disbursements population so that the unusually large disbursements are selected. (b)Increase the sample size to reduce the effect of the unusually large disbursements. (c)Set the tolerable rate of deviation at a lower level than originally planned. (d)Continue to draw new samples until all the unusually large disbursements appear in the sample.

(a)Stratify the cash disbursements population so that the unusually large disbursements are selected. Stratifying a population means dividing it into subpopulations, thereby permitting application of different sampling techniques to each subpopulation or stratum. Stratifying allows for greater emphasis on larger or more important items.

When documenting internal control, the independent auditor sometimes uses a systems flowchart, which can best be described as a (a)Symbolic representation of a system or series of sequential processes. (b)Diagram that clearly indicates an organization's internal reporting structure. (c)Graphic illustration of the flow of operations that is used to replace the auditor's internal control questionnaire. (d)Pictorial presentation of the flow of instructions in a client's internal computer system.

(a)Symbolic representation of a system or series of sequential processes. A systems flowchart is a symbolic representation of the flow of documents and procedures through a series of steps in the accounting process of the client's organization.

The auditor's report expressing an opinion on the effectiveness of an entity's internal control over financial reporting should include all the following except (a)That the entity's internal control is consistent with that of the prior year after giving effect to subsequent changes. (b)That, because of inherent limitations, internal control may not prevent, or detect and correct, fraud or errors. (c)That the examination included testing and evaluating the design and operating effectiveness of internal control. (d)That management is responsible for maintaining effective internal control.

(a)That the entity's internal control is consistent with that of the prior year after giving effect to subsequent changes. Neither the AICPA's AU-C 940 nor the PCAOB's AS 2201 requires the opinion on the effectiveness of internal control over financial reporting to contain a statement about consistency. Moreover, lack of consistency is not a basis for modification of the standard report.

If the size of the sample to be used in a particular test of attributes has not been determined by using statistical concepts, but the sample has been chosen in accordance with random selection procedures, (a)The auditor may or may not achieve desired precision at the desired level of confidence. (b)The auditor will have to evaluate the results by reference to the principles of discovery sampling. (c)No inferences can be drawn from the sample. (d)The auditor has caused nonsampling risk to increase.

(a)The auditor may or may not achieve desired precision at the desired level of confidence. The determination of sample size for a test of attributes is a function of (1) the allowable risk of overreliance, (2) the tolerable deviation rate, (3) the expected population deviation rate, and (4) the size of the population. When the auditor does not use these criteria to determine sample size, (s)he risks not meeting the audit objectives.

An auditor is concerned about management override as a limitation of internal control. Which of the following tests would best assess the validity of the auditor's concern? (a)Verifying that approved spending limits are not exceeded. (b)Reviewing minutes of board meetings. (c)Tracing sales orders to the revenue account. (d)Matching purchase orders to accounts payable.

(a)Verifying that approved spending limits are not exceeded. To determine whether management has overridden approvals, the auditor should compare actual expenditures with budgeted amounts.

Fact Pattern: An auditor desired to test credit approval on 10,000 sales invoices processed during the year. The auditor designed a statistical sample that would provide 1% risk of overreliance (99% confidence) that not more than 7% of the sales invoices lacked approval. The auditor estimated from previous experience that about 2.5% of the sales invoices lacked approval. A sample of 200 invoices was examined, and seven of them were lacking approval. The auditor then determined the achieved upper deviation limit to be 8%. The allowance for sampling risk was (a)1% (b)4.5% (c)5.5% (d)3.5%

(b)4.5% The allowance for sampling risk equals the achieved upper deviation limit (8%) minus the sample deviation rate (7 ÷ 200 = 3.5%), or 4.5%.

Under the AICPA's auditing standards, which of the following statements about an auditor's communication of significant control deficiencies is true? (a)An auditor should communicate significant control deficiencies after tests of controls, but before commencing substantive tests. (b)An auditor's report on significant control deficiencies should include a restriction on the use of the report. (c)A significant control deficiency previously communicated during the prior year's audit that remains uncorrected causes a scope limitation. (d)An auditor should perform tests of controls on significant control deficiencies before communicating them to the client.

(b)An auditor's report on significant control deficiencies should include a restriction on the use of the report. A communication of significant control deficiencies should (1) state that the purpose of the audit was to report on the financial statements, not to provide assurance on internal control; (2) give the definition of significant control deficiencies and material weaknesses; and (3) state that the report is intended solely for the information and use of those charged with governance, management, and others within the organization (or specified regulatory agency) and is not intended to be, and should not be, used by anyone other than the specified parties.

Which of the following is not a role of the risk assessment in an integrated audit of a nonissuer? (a)Selecting controls to test. (b)Concluding on the effectiveness of a given control. (c)Determining significant classes of transactions, account balances, and relevant assertions. (d)Determining evidence necessary to conclude on the effectiveness of a given control.

(b)Concluding on the effectiveness of a given control. Risk assessment underlies the examination process, including the determination of (1) significant accounts and disclosures, (2) relevant assertions, (3) controls to test, and (4) the evidence necessary to assess the effectiveness of a given control. When an examination of internal control is integrated with an audit of financial statements, the same risk assessment process supports both engagements. But the auditor must test the effectiveness of the design and operation of a control before concluding on its effectiveness.

After obtaining an understanding of the entity and its environment, including its internal control, the auditor assesses (a)Detection risk to determine the acceptable level of inherent risk. (b)Control risk and inherent risk to determine the acceptable level of detection risk. (c)The need to apply auditing standards. (d)Detection risk and inherent risk to determine the acceptable level of control risk.

(b)Control risk and inherent risk to determine the acceptable level of detection risk. The acceptable level of detection risk for a relevant assertion is a function of the assessed RMMs (the combined assessment of inherent risk and control risk) and the given level of audit risk. Thus, as the RMMs increase, the acceptable level of detection risk decreases.

Which of the following issues related to internal control over financial reporting are required to be communicated in writing to management and those charged with governance? I.Deficiencies in internal control II.Significant deficiencies III.Material weaknesses (a)None. (b)II and III only. (c)III only. (d)I, II, and III.

(b)II and III only. Only those control deficiencies considered to be significant deficiencies or material weaknesses are required to be communicated in writing to management and those charged with governance. (But certain deficiencies should not be reported directly to management.) Other control deficiencies that merit management's attention should be reported to management orally or in writing. A deficiency in internal control exists when the design or operation of a control does not allow management or employees, in the normal course of their assigned functions, to prevent misstatements or detect and correct them on a timely basis. A significant deficiency is a deficiency, or combination of deficiencies, in internal control that is less severe than a material weakness but merits attention by those charged with governance. A material weakness is a deficiency, or combination of deficiencies, in internal control that results in a reasonable possibility that a material misstatement of the financial statements will not be prevented, or detected and corrected, on a timely basis. A reasonable possibility means that the probability of the event is more than remote.

Obtaining an understanding of an internal control involves evaluating the design of the control and determining whether the control has been (a)Authorized. (b)Implemented. (c)Tested. (d)Monitored.

(b)Implemented. In all audits, the auditor should obtain an understanding of internal control. An understanding is obtained by evaluating the design of controls and determining whether they have been implemented. A control has been implemented if it exists and the entity is using it.

In reporting on an audit of an issuer's internal control over financial reporting, an auditor should include a statement that describes the (a)Documentary evidence regarding the control environment factors. (b)Limitations inherent to internal control. (c)Potential benefits from the practitioner's suggested improvements. (d)Changes in internal control since the prior report.

(b)Limitations inherent to internal control. The auditor's report states that because of its inherent limitations, internal control over financial reporting may not prevent, or detect and correct, misstatements. Also, projections of any evaluation of effectiveness to future periods are subject to the risks that (1) controls may become inadequate because of changes in conditions or (2) the degree of compliance with the policies or procedures may deteriorate (AU-C 940).

Which of the following is a factor in the control environment? (a)Performance reviews. (b)Management's philosophy and operating style. (c)Segregation of duties. (d)Information processing.

(b)Management's philosophy and operating style. The control environment is the foundation for all other control components. It provides discipline and structure, sets the tone of the organization, and influences the control consciousness of employees. Its components include (1) participation of those charged with governance, (2) integrity and ethical values, (3) organizational structure, (4) management's philosophy and operating style, (5) assignment of authority and responsibility, (6) human resource policies and practices, and (7) commitment to competence.

An advantage of statistical sampling over nonstatistical sampling is that statistical sampling helps an auditor to (a)Minimize the failure to detect errors and fraud. (b)Measure the sufficiency of the evidence obtained. (c)Eliminate the risk of nonsampling errors. (d)Reduce the level of audit risk and materiality to a relatively low amount.

(b)Measure the sufficiency of the evidence obtained. Statistical sampling helps the auditor to design an efficient sample, to measure the sufficiency of the evidence obtained, and to evaluate the sample results. Auditors are required to obtain sufficient appropriate evidence. Sufficiency is the measure of the quantity of evidence. It relates to the design and size of the sample.

In a test of purchase orders, the auditor selected a random sample of 60 items out of a population of 1,200 purchase orders. The auditor discovered $4,000 in overstatement in the sample. The company's materiality is $65,000. The tolerable misstatement for purchases is $50,000. What should the auditor do next? (a)Propose an adjustment to purchases. (b)Project the detected error to the entire population. (c)Consider expanding the size of the sample. (d)Pass on the exceptions.

(b)Project the detected error to the entire population. The auditor should project the results of sampling to the population.

AU-C 530, Audit Sampling, identifies two general approaches to audit sampling. They are (a)Risk and nonrisk. (b)Statistical and nonstatistical. (c)Precision and reliability. (d)Random and nonrandom.

(b)Statistical and nonstatistical. Statistical sampling has two characteristics: (1) random selection of sample items and (2) use of an appropriate statistical method to evaluate results, including measurement of sampling risk. A sampling method that does not have (1) and (2) is nonstatistical (AU-C 530).

Which of the following statements about an auditor's communication of internal control related matters identified in an audit of a nonissuer is true? (a)Significant deficiencies or material weaknesses need not be recommunicated each year if the audit committee has acknowledged its understanding of such deficiencies. (b)The auditor should communicate significant internal control related matters no later than 60 days after the report release date. (c)The auditor may issue a written report to management and those charged with governance that no significant deficiencies were noted. (d)Significant deficiencies or material weaknesses may not be communicated in a document that contains suggestions regarding activities that concern other topics such as business strategies or administrative efficiencies.

(b)The auditor should communicate significant internal control related matters no later than 60 days after the report release date. Timely communication of significant deficiencies or material weaknesses should be made no later than 60 days after the report release date. But the communication is best made by the report release date. However, early communication may be important because of the significance of the matters noted and the urgency of corrective action.

Which of the following statements is true concerning statistical sampling in tests of controls? (a)The expected population deviation rate has little or no effect on determining sample size except for very small populations. (b)The population size has little or no effect on determining sample size except for very small populations. (c)As the population size doubles, the sample size also should double. (d)For a given tolerable rate, a larger sample size should be selected as the expected population deviation rate decreases.

(b)The population size has little or no effect on determining sample size except for very small populations. A change in the size of the population has a very small effect on the required sample size when the population is large. Tables are available for smaller population sizes providing appropriate smaller sample sizes.

Misstatements in a batch computer system caused by incorrect programs or data may not be detected immediately because (a)Errors in some transactions may cause rejection of other transactions in the batch. (b)There are time delays in processing transactions in a batch system. (c)The identification of errors in input data typically is not part of the program. (d)The processing of transactions in a batch system is not uniform.

(b)There are time delays in processing transactions in a batch system. Transactions in a batch computer system are grouped together, or batched, prior to processing. Batches may be processed either daily, weekly, or even monthly. Thus, considerable time may elapse between the initiation of the transaction and the discovery of an error.

Hill has decided to use monetary-unit (MUS) sampling, sometimes called dollar-unit sampling, in the audit of a client's accounts receivable balances. Hill plans to use the following MUS sampling table: What sample size should Hill use? (a)60 (b)120 (c)30 (d)108

(c)30 MUS sampling is appropriate for account balances that may include a few overstated items, such as inventory and receivables. MUS sampling relies on an attribute sampling approach (Poisson distribution) to reach a conclusion regarding the probability of overstating an account balance by a specified amount of dollars. The MUS simplified sample size formula is n=(BV x CF)/TM In the above formula, n equals sample size, BV is the recorded amount of the account, CF is the appropriate confidence factor, and TM is tolerable misstatement. Because the given confidence factor for a risk of incorrect acceptance of 20% and one allowable overstatement is 3.00, the sample size using this formula is 30 [($240,000 × 3.00) ÷ $24,000]. A more sophisticated version of this formula subtracts the product of the dollar amount of anticipated misstatement and an expansion factor from TM. In this case, however, the effect of the expected misstatement has already been subtracted from TM.

Payroll Data Co. (PDC) processes payroll transactions for a retailer. Cook, CPA, is engaged to issue a report on PDC's internal controls implemented as of a specific date. These controls are relevant to the retailer's internal control, so Cook's report may be useful in providing the retailer's independent auditor with information necessary to plan a financial statement audit. Cook's report should (a)Disclose Cook's assessed risks of material misstatement for PDC. (b)Identify PDC's controls relevant to specific financial statement assertions. (c)Contain a disclaimer of opinion on the operating effectiveness of PDC's controls. (d)State whether PDC's controls were suitably designed to achieve the retailer's objectives.

(c)Contain a disclaimer of opinion on the operating effectiveness of PDC's controls. Service auditors may report (1) on the fairness of management's description of the controls and whether the controls have been implemented and are suitably designed (type 1 report) or (2) additionally on operating effectiveness (type 2 report). The type 1 report should include a disclaimer of opinion related to operating effectiveness of the controls. The AICPA has issued additional guidance on service auditor reports. The term System and Organization Controls (SOC) report is used in this guidance. The reports obtained by the user auditor in an audit are called SOC 1 reports (type 1 or type 2). Service auditors also may prepare SOC 2 and SOC 3 reports to provide assurance on more than internal controls over financial reporting (e.g., security, availability, processing integrity, confidentiality, or privacy). SOC 2 reports are to be used by those identified in the report, and SOC 3 reports may be used by any user.

Effective internal control in a small company that has an insufficient number of employees to permit proper division of responsibilities can best be enhanced by (a)Employment of temporary personnel to aid in the segregation of duties. (b)Delegation of full, clear-cut responsibility to each employee for the functions assigned to each. (c)Direct participation by the owner of the business in the recordkeeping activities of the business. (d)Engaging a CPA to perform monthly write-up work.

(c)Direct participation by the owner of the business in the recordkeeping activities of the business. The manner in which control objectives are achieved varies with the size and complexity of the entity. Thus, direct participation of an owner-manager in the recordkeeping and other activities of the business facilitates monitoring of employee actions. Such effective involvement may preclude the need for extensive accounting procedures, sophisticated information systems, or written policies.

The risk of incorrect acceptance and the risk of overreliance relate to the (a)Tolerable misstatement. (b)Preliminary estimates of materiality levels. (c)Effectiveness of the audit. (d)Efficiency of the audit.

(c)Effectiveness of the audit. If a financial statement amount is erroneously accepted as fairly stated based upon a sample, additional audit work and the chances of exposing the mistake will probably be minimal. However, rejection of a fairly stated amount typically results in further audit investigation and ultimately the acceptance of the amount. Similarly, overreliance on a control leads to an unjustified reduction in substantive testing, thereby decreasing the effectiveness of the audit. However, underreliance on a control results in an unneeded increase in substantive testing but most likely does not decrease ultimate audit effectiveness.

Able Co. uses an online sales order processing system to process its sales transactions. Able's sales data are electronically sorted and subjected to edit checks. A direct output of the edit checks most likely would be a (a)Report of all missing sales invoices. (b)List of all voided shipping documents. (c)File of all rejected sales transactions. (d)Printout of all user code numbers and passwords.

(c)File of all rejected sales transactions. Edit checks test transactions prior to processing. Rejected transactions should be recorded in a file for evaluation, correction, and resubmission. Edit checks are applied to the sales transactions to test for completeness, reasonableness, validity, and other related issues prior to acceptance. A report of missing invoices, a printout of all user code numbers and passwords, and a list of all voided shipping documents are unlikely to be direct outputs of the edit routine.

Which of the following types of control best describes procedures to ensure appropriate systems software acquisition? (a)Application. (b)Physical. (c)General. (d)Monitoring.

(c)General. General controls are policies and procedures that relate to many applications and support the effective functioning of application controls by helping to ensure the continued proper operation of information systems. General controls commonly include controls over data center and network operations; systems software acquisition and maintenance; access security; and application system acquisition, development, and maintenance.

Brown, CPA, has accepted an engagement to audit the effectiveness of the internal control over financial reporting of Crow Company (a nonissuer) and to issue a report on such audit. In what form does Crow present its written assessment about effectiveness? I.In a separate report that accompanies Brown's report II.As a note to the financial statements (a)Neither I nor II. (b)II only. (c)I only. (d)I and II.

(c)I only. An auditor may audit internal control only if certain conditions are met. One condition is that management provide its assessment about the effectiveness of the entity's internal control in a report that accompanies the auditor's report (AU-C 940). Included in the separate report is a condition of accepting the engagement.

Which of the following would an auditor most likely consider in evaluating the control environment of an audit client? (a)Overall employee satisfaction with assigned duties. (b)The number of CPAs in the accounting department. (c)Management's operating style. (d)Management review of monthly financial statements.

(c)Management's operating style. The control environment is the foundation for the other components of internal control. It provides discipline and structure and sets the tone of the organization. The evaluation of the design of the control environment includes such factors as management's philosophy and operating style. They relate to management's approach to taking and managing business risks. They also relate to management's attitudes and actions toward (1) financial reporting, (2) information processing, (3) accounting functions, and (4) personnel.

In communicating with those charged with governance, the auditor must decide whether to communicate with the audit committee or the client's entire board of directors. Which of the following considerations will be least relevant to this decision? (a)Regulatory requirements related to audit communications with those charged with governance. (b)Whether the audit committee will be able to provide further information and explanations that the auditor may require while performing the audit. (c)Management's preference. (d)The nature of the matters to be communicated.

(c)Management's preference. Before communicating with a subgroup (e.g., an audit committee) of those charged with governance, the auditor may consider such matters as (1) the responsibilities of the subgroup and the governing body, (2) the nature of the matter, (3) legal or regulatory requirements, (4) whether the subgroup can (a) act on the information and (b) provide further information and explanations the auditor may need, and (5) whether the auditor is aware of potential conflicts of interest between the subgroup and other members of the governing body. However, management's preference is irrelevant. The auditor's professional judgment, authoritative guidance, and legal requirements determine the matters communicated.

When using classical variables sampling for estimation, an auditor normally evaluates the sampling results by calculating the possible misstatement in either direction. This statistical concept is known as (a)Standard deviation. (b)Reliability. (c)Precision. (d)Projected misstatement.

(c)Precision. The precision or confidence interval (allowance for sampling risk) is an interval around the sample statistic that is expected to include the true value of the population at the specified confidence level. When using classical variables sampling, the allowance for sampling risk is calculated based on the normal distribution.

Although substantive tests may support the accuracy of underlying information used in monitoring, these tests may provide no affirmative evidence of the effectiveness of monitoring controls because (a)When procedures are computerized and leave no audit trail to indicate who performed them, substantive tests may necessarily be limited to inquiries and observation. (b)Substantive tests rarely guarantee the accuracy of information used in monitoring if only a sample has been tested. (c)The information used in monitoring may be accurate even though it is subject to ineffective control. (d)Substantive tests relate to the entire period under audit, but tests of controls ordinarily are confined to the period during which the auditor is on the client's premises.

(c)The information used in monitoring may be accurate even though it is subject to ineffective control. When obtaining an understanding of each of the five components of internal control (including monitoring), the auditor must perform procedures to understand the design of relevant controls and must determine whether controls have been implemented. If (s)he intends to rely on the controls, (s)he must also determine their effectiveness. However, when controls based on monitoring leave no audit trail, for example, documentation of design or operation, evidence about effectiveness of design or operation may be obtained only by inquiries, observations, and computer-assisted audit methods. Moreover, substantive procedures likewise may provide no affirmative evidence of the effectiveness of monitoring controls because the information may be accurate even though controls over its creation are ineffective. Thus, the ineffectiveness of monitoring would not be revealed by substantive procedures unless the detection of material misstatements resulted in performance of additional audit procedures directed at the controls.

An auditor is evaluating a client's internal controls. Which of the following situations would be the most difficult internal control issue for an auditor to detect? (a)The technology department writes a program that does not properly implement the control due to a lack of understanding. (b)Someone erroneously disables edit checks in a software program designed to identify control exceptions. (c)Two employees, who work in different departments, are circumventing an internal control. (d)The accounting staff neglects the control due to increased transactions to be processed.

(c)Two employees, who work in different departments, are circumventing an internal control. Because of its inherent limitations, internal control can provide only reasonable assurance that the entity's objectives are met. Thus, manual or automated controls can be circumvented by collusion of two or more people or by management override (AU-C 315). Fraud perpetrated by collusion may be difficult to detect because of schemes designed to conceal it.

An auditor randomly samples 50 out of 1,000 items and discovers an overstatement of $3,000. What is the projected misstatement for the entire population? (a)$120,000 (b)$48,000 (c)$150,000 (d)$60,000

(d)$60,000 An auditor generally extrapolates the misstatement identified for the audit sample to the total population from which the audit sample was selected. The 50 items sampled had a total overstatement of $3,000 or an average overstatement of $60 per item ($3,000 ÷ 50). Projecting to the population results in an estimated misstatement of $60,000 (1,000 × $60).

Fact Pattern: An auditor has been assigned to take a monetary-unit sample of a population of vouchers in the purchasing department. The population has a total recorded amount of $300,000. The auditor believes that a maximum misstatement of $900 is acceptable and would like to have 95% confidence in the results. (The confidence factor at 95% and zero misstatements = 3.00.) Additional information is provided in the opposite column. Given a random start of $50 as the first dollar amount, what is the number of the fourth voucher to be selected, assuming that the sample size will be 1,000? (a)7 (b)4 (c)6 (d)8

(d)8 The vouchers have a recorded amount of $300,000, and 1,000 items are to be sampled, so every 300th dollar will be chosen. Given a random start of $50, the vouchers containing the 50th, 350th, 650th, and 950th dollars will be selected. The cumulative amount of the first eight vouchers is $1,030. Accordingly, voucher 8 should be the fourth voucher audited because it contains the 950th dollar.

Which of the following matters is an auditor required to communicate to those charged with governance? (a)The results of the auditor's analytical procedures performed in the review stage of the engagement that indicate significant variances from expected amounts. (b)Changes in the auditor's preliminary judgment about materiality that were caused by projecting the results of statistical sampling for tests of transactions. (c)The auditor's consideration of risk factors in assessing the risk of material misstatement arising from the misappropriation of assets. (d)Adjustments that were suggested by the auditor and recorded by management that have a significant effect on the entity's financial reporting process.

(d)Adjustments that were suggested by the auditor and recorded by management that have a significant effect on the entity's financial reporting process. Certain matters should be communicated to those charged with governance (e.g., the audit committee) if all such individuals are not involved in management. These matters include material, corrected misstatements that were brought to the attention of management as a result of audit procedures (AU-C 260).

In an audit of internal control over financial reporting, which deficiencies in control should be communicated in writing to those charged with governance? (a)Only material weaknesses. (b)All deficiencies. (c)Only significant deficiencies. (d)Both material weaknesses and significant deficiencies.

(d)Both material weaknesses and significant deficiencies. The auditor should communicate, in writing, to management and to those charged with governance all material weaknesses and significant deficiencies identified during the audit. The written communication should be made prior to the report release date. The auditor also should communicate to management, in writing, all lesser deficiencies in internal control and inform those charged with governance when such a communication has been made.

In attribute sampling, a 25% change in which of the following factors will have the smallest effect on the size of the sample? (a)Tolerable population rate of deviation. (b)Risk of overreliance. (c)Degree of assurance desired. (d)Number of items in the population.

(d)Number of items in the population. Generally, the population size has very little effect on the sample size when the population is large. According to the AICPA Audit Guide Audit Sampling, a population greater than 2,000 sampling units is large. If the population has between 200 and 2,000 sampling units, the effect on the sample size is small. For smaller populations, sample size is reduced by the effect of population size.

The risk of underreliance is that the sample selected to test controls (a)Contains misstatements that could be material to the financial statements when aggregated with misstatements in other account balances or transaction classes. (b)Contains proportionately fewer errors or deviations from prescribed controls than exist in the balance or class as a whole. (c)Does not support the tolerable misstatement for some or all of management's assertions. (d)Does not support the auditor's planned reliance on controls when the true operating effectiveness of controls justifies such an assessment.

(d)Does not support the auditor's planned reliance on controls when the true operating effectiveness of controls justifies such an assessment. The risk of underreliance is one aspect of sampling risk. It is the risk of the erroneous conclusion based on a sample that controls are less effective than they actually are. This kind of error most likely diminishes the efficiency, but not the effectiveness, of the audit. Underreliance ordinarily leads to devoting greater and possibly unnecessary effort to substantive procedures.

As lower acceptable levels of the risk of incorrect acceptance and performance materiality are established, the auditor should plan more work on individual accounts to (a)Decrease the risk of overreliance. (b)Find larger misstatements. (c)Increase the tolerable misstatement in the accounts. (d)Find smaller misstatements.

(d)Find smaller misstatements. A lower performance materiality means that the tolerable misstatement in an account is smaller. As a result, the auditor must plan for a larger sample size and more audit work on the accounts to discover smaller misstatements. For substantive tests of details, the sample size depends on the auditor's desired assurance (1.0 - the risk of incorrect acceptance) that tolerable misstatement is not less than actual misstatement in the population. The desired assurance may be based on, among other things, the following: (1) the assessed risk of material misstatement, (2) the assurance provided by other substantive procedures related to the same assertion, (3) tolerable misstatement, and (4) expected misstatement for the population. Accordingly, as the acceptable risk of incorrect acceptance decreases, the desired assurance increases, and the auditor decreases the tolerable misstatement.

In planning an audit, the auditor's knowledge about the design of relevant internal control activities should be used to (a)Assess the operational efficiency of internal control. (b)Document the assessed risks of material misstatement. (c)Determine whether controls have been circumvented by collusion. (d)Identify the types of potential misstatements that could occur.

(d)Identify the types of potential misstatements that could occur. The understanding (1) evaluates the design of relevant controls and (2) determines whether they have been implemented. This knowledge is used to (1) identify the types of potential misstatements, (2) identify the factors that affect the risks of material misstatements, and (3) design further audit procedures.

Which of the following most likely would not be considered an inherent limitation of the potential effectiveness of an entity's internal control? (a)Management override. (b)Collusion among employees. (c)Faulty judgment. (d)Incompatible duties.

(d)Incompatible duties. Internal control has inherent limitations. The performance of incompatible duties, however, is a failure to assign different people the functions of authorization, recording, and asset custody, not an inevitable limitation of internal control. Segregation of duties is a category of control activities.

In addition to evaluating the frequency of deviations in tests of controls, an auditor should also consider certain qualitative aspects of the deviations. The auditor most likely would give broader consideration to the implications of a deviation if it was (a)Caused by an employee's misunderstanding of instructions. (b)The only deviation discovered in the sample. (c)Identical to a deviation discovered during the prior year's audit. (d)Initially concealed by a forged document.

(d)Initially concealed by a forged document. The discovery of a fraud ordinarily requires broader consideration than the discovery of an error. The discovery of an initially concealed forged document indicates that the integrity of employees may be in doubt.

Decision tables differ from program flowcharts in that decision tables emphasize (a)Cost-benefit factors justifying the program. (b)Ease of manageability for complex programs. (c)The sequence in which operations are performed. (d)Logical relationships among conditions and actions.

(d)Logical relationships among conditions and actions. A decision table identifies the contingencies considered in the description of a problem and the appropriate actions to be taken relative to those contingencies. Decision tables are logic diagrams presented in matrix form. Unlike flowcharts, they do not present the sequence of the actions described.

Section 404 of the Sarbanes-Oxley Act of 2002 requires each annual report of an issuer to include which of the following? (a)Representations from the company's external auditors that the company has effective internal control over operations. (b)Reasonable assurances that fraud will be identified before the issuance of the company's annual report. (c)Management representations that the company's external auditors have examined its internal control over compliance with laws and regulations. (d)Management's assessment of the effectiveness of internal control over financial reporting.

(d)Management's assessment of the effectiveness of internal control over financial reporting. Every public company (an issuer) must include in its annual report management's assessment of the design and effectiveness of internal control over financial reporting. An accelerated filer (a company with market equity of at least $75 million) also must annually obtain an auditor's report on internal control over financial reporting.

A CPA's test of accuracy of inventory counts involves two storehouses. Storehouse A contains 10,000 inventory items and Storehouse B contains 5,000 items. The CPA plans to use sampling without replacement to test for an estimated 5% deviation rate. If the CPA's sampling plan calls for a specified reliability of 95% and a tolerable rate of 7.5% for both storehouses, the ratio of the size of the CPA's sample from Storehouse A to the size of the sample from Storehouse B should be (a)1:1. (b)2:1. (c)More than .5:1 but less than 1:1. (d)More than 1:1 but less than 2:1.

(d)More than 1:1 but less than 2:1. The relationship between population size and sample size is direct. As the population size increases, so does the necessary sample size, although not proportionally. Generally, the population size has very little effect on the sample size when the population is large. According to the AICPA Audit Guide Audit Sampling, a population greater than 2,000 sampling units is large. If the population has between 200 and 2,000 sampling units, the effect on the sample size is small. For smaller populations, sample size is reduced by the effect of population size. Thus, more items would have to be sampled from Storehouse A than from Storehouse B, but not twice as many.

In attribute sampling, a 10% change in which of the following factors normally will have the least effect on the size of a statistical sample? (a)Risk of overreliance. (b)Tolerable population deviation rate. (c)Expected population deviation rate. (d)Population size.

(d)Population size. A change in the size of the population has a very small effect on the required sample size when the population is large. As the population increases, the sample size also increases but at a decreasing rate.

The Sarbanes-Oxley Act of 2002 (SOX) requires management of issuers to do all of the following except (a)Establish and document internal control procedures and to include in their annual reports a report on the company's internal control over financial reporting. (b)Provide a report to include a statement of management's responsibility for and assessment of internal control. (c)Provide an identification of the framework used to evaluate the effectiveness of internal control. (d)Provide a statement that the board approves changes in internal control procedures.

(d)Provide a statement that the board approves changes in internal control procedures. SOX imposes many requirements on management, boards of directors, and auditors. Section 404 applies to internal controls and reports on them. Section 404 requires management to establish and document internal control procedures and to include in their annual reports a report on the entity's internal control over financial reporting. The report is to include (1) a statement of management's responsibility for internal control, (2) management's assessment of the effectiveness of internal control as of the end of the most recent fiscal year, and (3) identification of the framework used to evaluate the effectiveness of internal control (such as the COSO report). Because of this requirement, PCAOB AS 2201 states that audit opinions are to be expressed on the effectiveness of those controls and on the financial statements. Section 301 addresses activities of the board but does not require the board to approve changes in controls.

Which of the following statements is true about an auditor's communication with those charged with governance? (a)If matters are communicated in writing, the report is required to be distributed to both the audit committee and management. (b)If matters are communicated orally, it is necessary to repeat the communication of recurring matters each year. (c)This communication is required to occur after the auditor's report on the financial statements is released. (d)This communication should include disagreements with management about audit adjustments, whether or not satisfactorily resolved.

(d)This communication should include disagreements with management about audit adjustments, whether or not satisfactorily resolved. The matters to be discussed with those charged with governance include (1) the auditors' responsibility under GAAS; (2) significant accounting policies; (3) sensitive accounting estimates; (4) uncorrected and material corrected misstatements; (5) the quality of the accounting principles used by management; (6) auditor disagreements with management, whether or not satisfactorily resolved; (7) management's consultations with other accountants; (8) issues discussed with management prior to the auditors' retention; and (9) any serious difficulties the auditors may have had with management during the audit.

Which of the following sampling methods is used to estimate a numerical measurement of a population, such as a dollar value? (a)Random-number sampling. (b)Stop-or-go sampling. (c)Attribute sampling. (d)Variables sampling.

(d)Variables sampling. Variables sampling samples dollar amounts or other quantities. The purpose of variables sampling is to estimate a measure of a population.

In an audit engagement, should an auditor communicate the following matters to those charged with governance? 1. Auditors' Judgments about the Quality of the Client's Accounting Principles 2. Issues Discussed with Management Prior to the Auditor's Retention (a)No, No (b)No, Yes (c)Yes, No (d)Yes, Yes

(d)Yes, Yes The matters to be discussed with those charged with governance include the quality of the accounting principles used by management. Management is normally a participant in the discussion. Matters covered may include the auditor's views on the entity's significant accounting practices, e.g., policies, estimates, and disclosures. Furthermore, in any audit engagement, the auditor and those charged with governance should discuss any major issues discussed with management in connection with the initial or recurring retention of the auditors, for example, issues concerning the application of accounting principles and auditing standards.

An auditor is conducting an integrated audit of internal control with the audit of a nonissuer's financial statements. In applying the top-down approach, the auditor first (a)Focuses on entity-level controls and then significant classes of transactions, account balances, and disclosures. (b)Determines the type of opinion to be expressed. (c)Applies substantive procedures to test financial statement (d)Communicates material weaknesses and significant deficiencies to those charged with governance.

a)Focuses on entity-level controls and then significant classes of transactions, account balances, and disclosures. The top-down approach to evaluating internal control begins at the financial statement level by understanding overall risks, focusing on entity-level controls, and then working down to significant classes of transactions, account balances, and disclosures. Examples of entity-level controls are controls (1) related to the control environment, (2) over management override, (3) to monitor results of operations, (4) over the period-end financial reporting process, and (5) to monitor other controls.

The online data entry control called preformatting is (a)A check to determine if all data items for a transaction have been entered by the terminal operator. (b)The display of a document with blanks for data items to be entered by the terminal operator. (c)A program initiated prior to regular input to discover errors in data before entry so that the errors can be corrected. (d)A series of requests for required input data that requires an acceptable response to each request before a subsequent request is made.

b)The display of a document with blanks for data items to be entered by the terminal operator. To avoid data entry errors in online systems, a preformatted screen approach may be used. It is a screen prompting approach that involves the display on a monitor of a set of boxes for entry of specified data items. The format may even be in the form of a copy of a transaction document. This technique is best suited to conversion of data from a source document.