ACCT 311 - CH. 6 + 7
limitations
(1) Management override of internal control (2) Human errors or mistakes (3) Collusion These are all ___________ of an entity's internal control.
Documenting
(1) Procedures Manuals and Organizational Charts (2) Flowcharts (3) Internal Control questionnaires (4) Narrative Descriptions These are all components of _______ the understanding of internal controls.
Objectives of internal control
(1) Reliability of financial reporting (2) Effectiveness and Efficiency of Operations (3) Compliance with Laws and Regulations
Completeness
(Regarding the test of IC for payroll transactions) Control to mitigate the ROMM: (1) All documents are prenumbered and numerical sequence reviewed (2) Labor costs were reviewed by supervisors and compared to budgets (3) The personnel department notified the payroll department of new hires to include in payroll Tests of control: (1) Inspect numerical sequence of selected job cost tickets and paychecks (2) Examine documentary evidence of supervisor review of labor costs (3) Trace a sample of employees in the personnel file to payroll time logs and the payroll register. What is the relevant assertion being tested?
Classification
(Regarding the test of IC for payroll transactions) Control to mitigate the ROMM: (1) Job cost sheets are posted weekly and summary journal entries of work-in-process and of work completed are prepared monthly (2) Payroll supervisor is required to approve the distribution of payroll expense accounts and to compare payroll costs to budget. Tests of control: (1) Observe that payroll account distribution and job cost sheets agree (2) Examine supervisor signature on payroll reports. Note evidence of comparison to budget. What is the relevant assertion being tested?
Occurrence
(Regarding the test of IC for payroll transactions) Control to mitigate the ROMM: (1) Payroll accounting is separated from personnel and supervision (2) Labor usage reports are compared to job time tickets or lists of amount of time clocked. (3) Payroll supervisor approved labor usage Tests of control: (1) Observe separation of duties (2.a) Vouch labor costs to labor reports (2.b) Vouch labor reports to time tickets authorized by management (3) Examine documentary evidence of supervisor approval What is the relevant assertion being tested?
Accuracy
(Regarding the test of IC for payroll transactions) Control to mitigate the ROMM: (1) Payroll entries are reviewed by a person independent of preparation. (2) Budgeted payroll expenses by department are compared to actual expenses. Tests of control: (1) Examine evidence of review and ensure that a party independent of preparation conducted the review. (2) Examine documentary evidence of budget comparison. What is the relevant assertion being tested?
Cutoff
(Regarding the test of IC for payroll transactions) Control to mitigate the ROMM: (1) Payroll reports are prepared weekly and transmitted to cost accounting Tests of control: (1) Observe that the date of payroll reports agrees with dates in weekly journal entries. What is the relevant assertion being tested?
D
A control deviation caused by an employee performing a control procedure that he or she is not authorized to perform is always considered a A. Deficiency in design. B. Material weakness. C. Significant deficiency. D. Deficiency in operation
A
A walkthrough is one procedure used by an auditor as part of the internal control audit. A walkthrough requires an auditor to A. Trace a transaction from each major class of transactions from origination through the entity's information system until it is reflected in the entity's financial reports. B. Tour the organization's facilities and locations before beginning any audit work. C. Trace a transaction from each major class of transactions from origination through the entity's information system. D. Trace a transaction from every class of transactions from origination through the entity's information system.
Design deficiency
AS #2201 Definition of I/C Deficiencies: __________ deficiency exists when: (a) A control necessary to meet the relevant control objective is MISSING, or (b) An existing control is NOT properly designed so that, even if the control operates as designed, the control objective (i.e., for an assertion) is not always met.
Operating deficiency
AS #2201 Definition of I/C Deficiencies: __________ deficiency exists when: (a) A properly designed control does NOT operate as designed, or (b) A person performing the control does NOT possess the necessary authority or qualifications to perform the control effectively.
Substantive Strategy
After developing an understanding of internal controls and documenting it, the auditor must determine if they intend to rely on controls. If the auditor decides to NOT rely on the controls what strategy will he use?
Reliance strategy
After developing an understanding of internal controls and documenting it, the auditor must determine if they intend to rely on controls. If the auditor decides to rely on the controls what strategy will he use?
lower
After obtaining an understanding of internal controls, an auditor may choose to follow a reliance strategy. Thus, the auditor plans to rely on internal controls and assess control risk at a (higher/lower?) level
high
After obtaining an understanding of internal controls, an auditor may choose to follow a substantive strategy. Thus, control risk must be set (high/low?)for some or all assertions of one or all of the following factors: (1) Controls do not pertain to an assertion (2) Controls are assessed as ineffective (3) Testing the effectiveness of controls is inefficient
D
An auditor's flowchart of an entity's accounting system is a diagrammatic representation that depicts the auditor's A. Program for tests of controls. B. Response to tests of controls. C. Documentation of the study and evaluation of the system. D. Understanding of the system.
B
An auditor's primary consideration regarding an entity's internal controls is whether they A. Prevent management override B. Affect the financial statement assertions C. Relate to the control environment D. Reflect management's philosophy and operating style
internal controls and financial statements
An integrated audit is composed of the audits of _____________ and the ________________.
Control Activities
Are performed at all levels of the entity and at various stages within business processes, and over the technology environment. Includes: Performance reviews (independent checks), physical controls, separation of duties, information processing controls, safeguarding of assets, etc.
B
Assessing control risk below high involves all of the following except: A. Performing tests of controls. B. Concluding that controls are ineffective. C. Identifying specific controls to rely on. D. Analyzing the achieved level of control risk after performing tests of controls.
Components of Internal Control
COSO framework: (1) Control Environment (2) Entity's Risk Assessment Process (3) Control Activities (4) Information and Communication (5) Monitoring Activities
Range Test
Common Data Validation Controls: - A Check to ensure that the value in a field falls within an allowable range of values. What is the Data Validation Control?
Field test
Common Data Validation Controls: - A check on a field to ensure that it contains either all numeric or all alphabetic characters. What is the Data Validation Control?
Sequence Check
Common Data Validation Controls: - A check to determine if input data are in proper numerical or alphabetical sequence. What is the Data Validation Control?
Sign Test
Common Data Validation Controls: - A check to ensure that the data in a field have the proper arithmetic sign. What is the Data Validation Control?
Check-digit verification
Common Data Validation Controls: - A numerical value computed to provide assurance that the original value was not altered. What is the Data Validation Control?
Closed Loop verification
Common Data Validation Controls: - A process that takes data entered into the system to find and present other related information, thus enabling the user to verify the correctness of the original data entry. What is the Data Validation Control?
Existence (Validity) test
Common Data Validation Controls: - A test of an ID number or code by comparison to a file or table containing valid ID numbers or codes. What is the Data Validation Control?
Limit Test
Common Data Validation Controls: - A test to ensure that a numerical value does not exceed some predetermined value. What is the Data Validation Control?
purpose of an internal controls audit
From PCAOB AS 2201.03 - "The auditor's objective in an audit of internal control over financial reporting is to express an opinion on the EFFECTIVENESS of the company's internal control over financial reporting".
relevant
Generally, internal controls pertaining to the preparation of financial statements for external purposes are [irrelevant/relevant?] to an audit.
Reliability
ICFR is defined as a process designed to provide reasonable assurance regarding the __________ of financial reporting and the preparation of financial statements in accordance with GAAP. Hint: Think what is the purpose of internal control audit over financial reporting?
C
If Management's report on internal control over financial reporting as part of the 10-K included the following statement: "We did not maintain effective internal control over financial reporting as of December 31, 2021" this suggests that the auditors issued which type of internal controls audit report? A. Qualified B. Unqualified C. Adverse D. Disclaimer
Less, interim, and limited
If detection risk is high, what is the impact on performing substantive procedures? (1) Nature: would more or less rigorous testing be required? (2) Timing: would testing be more likely performed at interim or year-end? (3) Extent: would there be extensive or limited testing of accounts or transactions (e.g., more sampling)?
More, year-end, and extensive
If detection risk is low, what is the impact on performing substantive procedures? (1) Nature: would more or less rigorous testing be required? (2) Timing: would testing be more likely performed at interim or year-end? (3) Extent: would there be extensive or limited testing of accounts or transactions (e.g., more sampling)?
Less
If the auditor's consideration of internal controls is that they are effective, is more or less substantive procedures required?
More
If the auditor's consideration of internal controls is that they are poor, is more or less substantive procedures required?
Reported externally, to audit committee, and to management
If the magnitude is material, and the likelihood is reasonably possible or probable, a material weakness must be reported to: - Reported externally, to audit committee, and to management. - Reported to audit committee and to management - Reported to management
Reported to audit committee and to management
If the magnitude is not material but significant, and the likelihood is reasonably possible or probable, a significant deficiency must be reported to: - Reported externally, to audit committee, and to management. - Reported to audit committee and to management - Reported to management
Reported to management
If the magnitude is not material or significant, and the likelihood is reasonably possible or probable, a control deficiency must be reported to: - Reported externally, to audit committee, and to management. - Reported to audit committee and to management - Reported to management
unqualified
If there is a control deficiency or significant deficiency, what type of audit report on ICFR effectiveness is appropriate? - Unqualified - Qualified - Adverse - Disclaim/Withdraw
Unqualified
If there is a reason for or the seriousness of scope limitation is of minor effect, what type of audit report on ICFR effectiveness is appropriate? - Unqualified - Qualified - Adverse - Disclaim/Withdraw
Disclaim/Withdraw
If there is a reason for or the seriousness of scope limitation is of more than minor effect, what type of audit report on ICFR effectiveness is appropriate? - Unqualified - Qualified - Adverse - Disclaim/Withdraw
Type 2
In some instances, an entity may have some or all of its accounting transactions processed by an outside service organization. Because the entity's transactions are subjected to the controls of the service organization, one of the auditor's concerns is the internal control system in place at the service organization. It not uncommon for service organizations to have an auditor issue one of two types of reports. Type 1: - Describes the service organization's controls and assess whether they are suitably designed to achieve specified internal control objectives. Type 2: - Goes further by providing assurance on the operating effectiveness of the service organization's controls based on the auditor's tests of controls. An auditor may reduce control risk below high ONLY on the basis of a service auditor's type #__ report.
control deficiency
Internal Control Deficiencies Defined: - A _______ _________ exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to PREVENT or DETECT misstatements on a timely basis.
Material Weakness
Internal Control Deficiency Severity: - (Most severe) Exists when there is a reasonable possibility that a material misstatement of the financial statements will not be prevents or detected. Is this a significant deficiency or material weakness?
Significant deficiency
Internal Control Deficiency Severity: - less severe than a material weakness, yet important enough to merit attention by those responsible for the company's financial reporting Is this a significant deficiency or material weakness?
inquiry, inspection, observation, and reperformance
Performing Tests of Controls: _____ of appropriate entity personnel _____ of documents indicating the performance of the control _____ of the application of the control _____ of the application of the control by the auditor. *Used in combination with walkthroughs
control
Planning an Audit Strategy (Audit risk model): AR = IR x CR x DR In applying the audit risk model, the auditor must assess _________ risk.
A
Proper separation of duties reduces the opportunities to allow any one person to be in a position to both: A. Perpetrate and conceal fraud. B. Establish and maintain internal controls. C. Record cash receipts and cash disbursements. D. Journalize entries and prepare financial statements.
Management
Regarding an Entity's Risk Assessment process: ________________ considers possible changes in the external environment and within its own business model that may impede its ability to achieve its objectives.
tone at the top
Regarding control environment: - The board of directors and senior management establish ______________ regarding the importance of internal control and expected standards of conduct.
true
Regardless of magnitude, if the likelihood of a deficiency is remote, the auditor does not report it. (true or false?)
Tests of controls
Reliance strategy: With more reliance on internal controls, the assurance bucket is filled with less evidence from substantive procedures because ____________ filled some of the bucket.
US publicly-traded companies
SOX Regulation to Improve ICFR: - SOX, Section 404 (Mandatory ICFR audits) for ______________ (accelerated-filers). - E.g., Sox, Section 404 mandates ICFR audits for which companies?
non-accelerated
SOX Regulation to Improve ICFR: - ______________ filers do not need to comply with mandatory ICFR audit requirements of Section 404. - Note: however, these smaller companies must still provide management's annual assessment of internal controls.
D
Separation of duties requires that which 3 functions be separated? A. Auditing, custody, and recording B. Authorization, custody, and review C. Authorization, controls, and recording D. Authorization, custody, and recording
Existence
Significant Account: - Cash What Could go Wrong: - The cash balance may not exist in the company's bank accounts. Internal Control Activity: - The CFO performs a detailed review of the bank reconciliation on a monthly basis. What is the Relevant Assertion being tested?
Completeness
Significant Account: - Receivable What Could go Wrong: - Not all accounts receivable have been recorded. Internal Control Activity: - Check invoices with shipping documents to A/R ledger. What is the Relevant Assertion being tested?
Existence
Significant Account: - Accounts What Could go Wrong: - Accounts receivable balances are inflated and don't really exist. Internal Control Activity: - Check sales order and shipping documents to make sure sales were earned and a customer owes a balance. What is the Relevant Assertion being tested?
Valuation
Significant Account: - Cash What Could go Wrong: - The cash balance that is held in foreign countries may not have been translated properly. Internal Control Activity: - The treasurer reviews the cash translation adjustment calculation monthly and independently checks that the appropriate spot rate has been used for each foreign currency What is the Relevant Assertion being tested?
Presentation and disclosure
Significant Account: - Cash What Could go Wrong: - There may be restrictions on the cash balance that were not properly disclosed. Internal Control Activity: - The corporate secretary reviews the cash footnote disclosure on a quarterly basis to ensure that all legal restrictions on the cash balance have been properly disclosed. What is the Relevant Assertion being tested?
Valuation
Significant Account: - Receivable What Could go Wrong: - Receivables are not included in financial statements at the appropriate amount, and valuation adjustments are not recorded properly. Internal Control Activity: - Management evaluates the collectability of delinquent receivables on a timely basis. What is the Relevant Assertion being tested?
A
Significant deficiencies and material weaknesses must be communicated to an entity's audit committee because they represent A. Significant deficiencies in the design or operation of internal control. B. Disclosures of information that significantly contradict the auditor's going concern assumption. C. Material fraud or illegal acts perpetrated by high-level management. D. Potential manipulation or falsification of accounting records.
Substantive
Substantive Strategy: With no reliance on internal controls, the assurance bucket is filled primarily with evidence from ______ procedures
Benefit
The Effect of Information Technology on Internal Control (Benefit or Risk?): - Consistent application of predefined business rules and performance of complex calculation in processing large volumes of transactions or data.
Benefit
The Effect of Information Technology on Internal Control (Benefit or Risk?): - Enhanced Segregation of duties through security controls in applications, databases, and operating systems.
Benefit
The Effect of Information Technology on Internal Control (Benefit or Risk?): - Facilitation of data analytics for enhanced internal decision making.
Risk
The Effect of Information Technology on Internal Control (Benefit or Risk?): - Failure to make necessary changes to systems or programs.
Benefit
The Effect of Information Technology on Internal Control (Benefit or Risk?): - Greater ability to monitor the entity's activities, policies, and procedures on a timely basis.
Benefit
The Effect of Information Technology on Internal Control (Benefit or Risk?): - Greater ability to prevent or detect circumvention of controls.
Benefit
The Effect of Information Technology on Internal Control (Benefit or Risk?): - Greater timeliness, availability, and accuracy of information.
Risk
The Effect of Information Technology on Internal Control (Benefit or Risk?): - Inappropriate manual intervention.
Risk
The Effect of Information Technology on Internal Control (Benefit or Risk?): - Potential loss of data.
Risk
The Effect of Information Technology on Internal Control (Benefit or Risk?): - Reliance on systems or programs that, unknown to management, inaccurately process data, process inaccurate data, or both.
Risk
The Effect of Information Technology on Internal Control (Benefit or Risk?): - Unauthorized access to data that may result in the destruction of data or improper changes to data, including the recording of unauthorized or nonexistent transactions or inaccurate recording of transactions.
Risk
The Effect of Information Technology on Internal Control (Benefit or Risk?): - Unauthorized changes to systems or programs.
Risk
The Effect of Information Technology on Internal Control (Benefit or Risk?): - Unauthorized changes to data in master files.
understanding and assess
The auditor has the responsibility to: 1.) obtain an _____________ of internal controls (design & implementation) 2.) ____________ control risk
True
The auditor must obtain written representations from management related to the audit of ICFR. Failure to obtain written representations from management, including management's refusal to furnish them, constitutes a limitation on the scope of the audit sufficient to preclude an unqualified opinion. (True/False?)
Tests of Controls
The auditor uses risk assessment procedures to: Design ___________ and substantive procedures
Understanding
The auditor uses risk assessment procedures to: Obtain an _____________ of the entity's internal control
effectiveness
The purpose of an internal controls audit is to express an opinion on the ____________ of internal controls
True
The severity of a deficiency does NOT depend on whether a misstatement actually has occurred but rather on whether there is a reasonable possibility that the company's controls will fail to prevent or detect a misstatement. (True/False?)
Application Controls
Types of Controls in an IT environment (1) Data capture controls (2) Data validation controls (3) Processing controls (4) Output controls (5) Error controls
General Controls
Types of Controls in an IT environment: (1) Data center and network operations (2) System software acquisition, change, and maintenance (3) Access Security (4) Application system acquisition, development, and maintenance
Adverse
Types of Reports Relating to the Audit of ICFR: - An _________ opinion is required if a material weakness is identified.
Unqualified
Types of Reports Relating to the Audit of ICFR: - An _____________ opinion signifies that the entity's internal control is designed and operating effectively (no material (weaknesses)
Disclaim
Types of Reports Relating to the Audit of ICFR: - A serious (more than minor) scope limitation requires the auditor to ___________ an opinion
phases of internal control evaluation
Understand and document the Client's internal control --> Assess the control risk (preliminary) --> Identify controls to test and perform tests of control
lack of internal controls, overriding existing internal controls, lack of management review, and poor tone at the top
What are the four primary internal control weaknesses observed by CFE?
Authorization, record keeping, and custody of assets
What are the three functions that must be separate to have an adequate separation of duties?
Control Activities
What is the following component of internal control? Are the actions established by policies and procedures to help ensure that management directives to mitigate risks to the achievement of objectives are carried out.
Entity's Risk Assessment Process
What is the following component of internal control? Involves a dynamic and iterative process for identifying and analyzing risks to achieving the entity's objectives, thereby forming a basis for determining how risks should be managed.
Information and Communication
What is the following component of internal control? Is necessary for the entity to carry out internal control responsibilities in support of achievement of its objectives And, Occurs both internally and externally and provides the organization with the information needed to carry out day-to-day internal control activities. It enables personnel to understand internal control responsibilities and their importance to the achievement of objectives and allows for upward flow of operating information to management.
Monitoring Activities
What is the following component of internal control? Ongoing evaluations, separate evaluations, or some combination of the two are used to ascertain whether each of the five components of internal control are present and functioning. Findings are evaluated and deficiencies are communicated in a timely manner, with serious matters reported to senior management and to the board. Includes: Internal audit function, regular management and supervisory activities, etc.
Control Environment
What is the following component of internal control? The set of standards, processes, and structures that provides the basis for carrying out internal control across the organization. Key Points: Integrity, management philosophy, organizational structure, assignment of responsibility, human resource policies, etc.
Inverse
What is the relationship between an auditor's consideration of internal control and its relation to substantive procedures? AR = IR x CR x DR Note: Substantive procedures relate to detection risk (think nature, extent, and timing); the lower the detection risk, the more substantive procedures need to be done - while the higher the detection risk, the less substantive procedures will need to be done.
Likelihood and magnitude
What two dimensions of the control deficiency does the auditor have to consider to determine the severity?
Compensating Controls
When determining the severity of internal controls, aside from likelihood and magnitude - what other aspect should be considered (and that reduces the level of magnitude depending on the outcome)? E.g., back up controls
C
When the auditor decides to use a substantive strategy, he/she will plan to set control risk at A. the lowest level possible. B. a moderate level. C. the highest level possible. D. None of the above.
A
Which of the following audit techniques would most likely provide an auditor with the LEAST assurance about the effectiveness of the operation of a control? A. Inquiry of entity personnel. B. Reperformance of the control by the auditor. C. Observation of entity personnel. D. Walkthrough
A
Which of the following is NOT a factor that might affect the likelihood that a control deficiency could result in a misstatement in an account balance? A. The financial statement amounts exposed to the deficiency. B. The interaction or relationship of the control with other controls. C. The susceptibility of the related assets or liability to loss or fraud. D. The nature of the financial statement accounts, disclosures, and assertions involved.
D
Which of the following is NOT an internal control component of the COSO framework? A. Information and Communication B. Entity's Risk Assessment Process C. Control Environment D. Auditor's Risk Assessment Process
Type 1
Which of the following is the type of service organization controls report? Type 1 or Type 2? Describes the service organization's controls and assess whether they are suitably designed to achieve specified internal control objectives.
Type 2
Which of the following is the type of service organization controls report? Type 1 or Type 2? Goes further by providing assurance on the operating effectiveness of the service organization's controls based on the auditor's tests of controls.
Magnitude
Which of the two dimensions of internal control deficiency, when determining severity, relates to: - amount: Insignificant, significant, or material.
Likelihood
Which of the two dimensions of internal control deficiency, when determining severity, relates to: - possibility: Remote, reasonably possible, or probable.
C
Which part of the COSO framework depicts how management of a company considers possible changes in the external environment and within its own business model that may impede its ability to achieve its objectives? A. Control activities B. Information and communication C. Entity's risk assessment process D. Control environment E. Monitoring
Management
_______________ of publicly traded companies must comply with the following requirements in order for the external auditor to complete an audit of ICFR: 1.Accept responsibility for the effectiveness of the entity's ICFR 2.Evaluate the effectiveness of the entity's ICFR using suitable control criteria (i.e., COSO Framework) 3.Support the evaluation with sufficient evidence, including documentation 4.Present a written assessment regarding the effectiveness of the entity's ICFR as of the end of the entity's most recent fiscal year (included in 10-K)
Adverse
if there is a material weakness deficiency, what type of audit report on ICFR effectiveness is appropriate? - Unqualified - Qualified - Adverse - Disclaim/Withdraw