ACCT 406 Chapter 6 Quiz
Understanding of IC is used to: (3)
- Identify types of potential misstatements - Pinpoint the factors that affect the risk of material misstatement - Design tests of controls and substantive procedures
Factors Affecting the Control Environment
-Communication and enforcement of integrity and ethical values -A commitment to competence -Participation of those charged with governance (board of directors or audit committee) -Management's philosophy and operating style -Organizational structure -Assignment of authority and responsibility -Human resource policies and practices
Data Validation Controls
-Limit Test: a test to ensure that a numerical value does not exceed some predetermined value. -Range Test: a check to ensure that the value in a field falls within an allowable range of values. -Sequence Check: a check to determine if input data are in proper numerical or alphabetical sequence. -Existence (Validity) Test: a test of an ID number or code by comparison to a file or table containing valid ID numbers or codes. -Field Test: a check on a field to ensure that it contains either all numeric or all alphabetic characters. -Sign Test: a check to ensure that the data in a field have the proper arithmetic sign. -Check-Digit Verification: a numerical value computed to provide assurance that the original value was not altered. -Closed-Loop Verification: a process that takes data entered into the system to find and present other related information, thus enabling the user to verify the correctness of the original data entry.
Why is the risk assessment important for the Company, and not just the auditor?
-Provides direction for needed internal controls -Required by the PCAOB
Interim Test of Controls: When you should? (3)
1. Assertion being tested not significant 2. Control has been effective in prior audits 3. Efficient use of staff time
Interim Substantive Procedures
1. Assertion probably has low control risk 2. May increase the risk of material misstatements 3. Still requires some year-end testing
Match each example of management actions with the control environment principle it affects Examples: 1. The extent of independence of this group is critical 2. The organization must hold individuals accountable for their internal control responsibilities 3. Management is committed to hiring employees with appropriate levels of education, experience, and evidence of integrity and ethical behavior 4. Well designed structure provides a basis for planning, directing, and controlling operations 5. A clearly articulated statement of ethical behaviors Control Environment: 1. Commitment to Integrity and Ethical Values 2. Effective Board of Directors 3. Effective Organizational Structure 4. Attracting, Developing, and Retaining Competent Employees 5. Individual Accountability
1. Commitment to Integrity and Ethical Values: A clearly articulated statement of ethical behaviors 2. Effective Board of Directors: The extent of independence of this group is critical 3. Effective Organizational Structure: Well designed structure provides a basis for planning, directing, and controlling operations 4. Attracting, Developing, and Retaining Competent Employees: Management is committed to hiring employees with appropriate levels of education, experience, and evidence of integrity and ethical behavior 5. Individual Accountability: The organization must hold individuals accountable for their internal control responsibilities
5 Components of Internal Control (5)
1. Control environment 2. Risk assessment 3. Control activities 4. Information and communication 5. Monitoring Activities
Auditor's Consideration of Internal Control and its Relation to Substantive Procedures (7)
1. Develop an understanding of internal control 2. Evaluate design of controls 3. Determine if controls have been properly implemented 4. Document the understanding of controls 5. Determine level of control reliance 6. Determine the level of control risk 7. Perform substantive procedures based on CR assessment
Types of Controls in an IT Environment (2)
1. General Controls: relate to the overall information processing environment and have a pervasive effect on the entity's computer operations -Data center and network operations -System software acquisition, change, and maintenance -Access security -Application system acquisition, development, and maintenance 2. Application Controls: apply to the processing of specific computer application and are part of the computer programs used in the accounting system -Data capture controls -Data validation controls -Processing controls -Output controls -Error controls
Match the example to the type of control. Examples: 1. A requirement to prepare bank reconciliations 2. Segregation of duties 3. Maintaining backups of data Control: 1. Preventive Control 2. Detective Control 3. Corrective Control
1. Preventive Control: Segregation of duties 2. Detective Control: A requirement to prepare bank reconciliations 3. Corrective Control: Maintaining backups of data
How to gain an understanding of internal controls
1. Read prior year control procedure documentation (repeat engagement - audit files) 2. Talk with the client about changes (PCAOB) 3. Interview personnel on how they process transactions 4. Interview / Review work of Internal Audit department 5. Observe personnel performing procedures (PCAOB) 6. Read / Review policy and procedure manuals from client. (PCAOB) 7. Inspect company documents. (PCAOB) 8. Use an Internal Control Questionnaire. 9. Trace transactions through the information system process relevant to financial reporting (perform a walkthrough). (PCAOB)
Match each definition to its key term. Defintion: 1. Perform data processing/computer/IT services, like payroll processing, for various clients 2. Auditors selected by service organizations assess systems 3. A report that documents a service organization's controls and documents their suitability 4. A report that documents a service organization's controls and documents their suitability and effectiveness Term: 1. Type 1 Report 2. Type 2 Report 3. Service Organization 4. Service Auditors
1. Type 1 Report: A report that documents a service organization's controls and documents their suitability 2. Type 2 Report: A report that documents a service organization's controls and documents their suitability and effectiveness 3. Service Organization: Perform data processing/computer/IT services, like payroll processing, for various clients 4. Service Auditors: Auditors selected by service organizations assess systems
After obtaining an understanding of an entity's internal control system, an auditor may set control risk at high for some assertions because the auditor: A. Believes the internal controls are unlikely to be effective. B. Determines that the pertinent internal control components are not well documented. C. Performs tests of controls to restrict detection risk to an acceptable level. D. Identifies internal controls that are likely to prevent material misstatements.
A
An entity's IT infrastructure refers to: A. Hardware components. B. Programmers. C. Software. D. Data provided by the system.
A
Segregation of duties is a control aimed at __________ misstatement. A. preventing B. finding C. resolving D. correcting E. detecting
A
The basic concept of internal control that recognizes the cost of internal control should not exceed the benefits expected to be derived is known as: A. Reasonable assurance. B. Management responsibility. C. Limited liability. D. Management by exception.
A
The requirement to __________ journal entries is an example of a preventive control. A. approve B. correct C. duplicate D. reconcile E. create
A
To obtain evidential matter about control risk, an auditor selects tests from a variety of techniques including: A. Inquiry. B. Analytical procedures. C. Calculation. D. Confirmation.
A
Which of the following audit techniques would most likely provide an auditor with the least assurance about the effectiveness of the operation of a control? A. Inquiry of entity personnel. B. Re-performance of the control by the auditor. C. Observation of entity personnel. D. Walkthrough.
A
__________ auditors are the auditors of a service organization. A. Service B. Control C. Final D. Outside E. External F. Internal
A
__________ should develop a statement of ethical values. A. Senior management B. Auditors C. All employees D. Internal auditors E. Staff
A
Information System and Communication
An effective accounting system gives appropriate consideration to establishing methods and records that will: 1. Identify and record all *valid* transactions. 2. Describe on a timely basis the transactions in sufficient detail to permit proper *classification* of transactions for financial reporting. 3. Measure the *value* of transactions in a manner that permits recording their proper monetary value in the financial statements. 4. Determine the *time period* in which transactions occurred to permit recording of transactions in the proper accounting period. 5. Properly *present* the transactions and related disclosures in the financial statements.
Public companies
Audited on effectiveness of IC
A Type __________ report assesses the controls and their suitability. A. A B. 1 C. B D. 3 E. 2
B
A flowchart is most frequently used by an auditor in connection with the: A. preparation of generalized computer audit programs. B. review of the entity's internal controls. C. use of statistical sampling in performing an audit. D. performance of analytical procedures of account balances.
B
An advantage of using systems flowcharts to document information about internal control instead of using internal control questionnaires is that systems flowcharts: A. identify whether segregation of duties prevent collusion. B. provide a visual depiction of the entity's activities. C. indicate whether controls are operating effectively. D. reduce the need to observe the entity's employees performing routine tasks.
B
An auditor's flowchart of an entity's accounting system is a diagrammatic representation that depicts the auditor's: A. Program for tests of controls. B. Understanding of the system. C. Understanding of the types of fraud that are probable, given the present system. D. Documentation of the study and evaluation of the system.
B
Assessing control risk below high involves all of the following except: A. Identifying specific controls to rely on. B. Concluding that controls are ineffective. C. Performing tests of controls. D. Analyzing the achieved level of control risk after performing tests of controls.
B
Auditors are most likely to gather audit evidence solely using substantive procedures: A. if transactions are recurring. B. if the implemented controls are assessed as ineffective. C. if control risk is very low. D. if the entity has a well-designed automated system.
B
Factors that the auditor should consider as increasing the effectiveness of the audit committee include all of the following except whether: A. It is independent of management. B. It is comprised almost exclusively of members of management, ensuring detailed knowledge of the company's operations. C. It asks management difficult questions. D. It interacts regularly with internal audit personnel.
B
Internal controls are not designed to provide reasonable assurance that: A. transactions are executed in accordance with management's authorization. B. embezzlement will be eliminated. C. access to assets is permitted only in accordance with management's authorization. D. amounts recorded for assets are compared with the actual existing assets at reasonable intervals.
B
Management philosophy and operating style most likely would have a significant influence on an entity's control environment when: A. internal audit personnel have direct access to the board of directors and the entity's management. B. the entity does not have sound personnel policies for hiring, training, and evaluating competent individuals. C. accurate management job descriptions delineate specific duties. D. the audit committee actively oversees the financial reporting process.
B
Management's attitude toward aggressive financial reporting and its emphasis on meeting projected profit goals most likely would significantly influence an entity's control environment when: A. external policies established by parties outside the entity affect its accounting practices. B. management is dominated by one individual. C. internal audit personnel have direct access to the board of directors and the entity's management. D. the audit committee is active in overseeing the entity's financial reporting policies.
B
Potential benefits of an entity's controls in an IT environment include all of the following except: A. reduction in the risk that controls will be circumvented. B. eliminate human errors or mistakes. C. consistent application of predefined business rules. D. more timely information.
B
Proper segregation of functional responsibilities in an effective system of internal control calls for separation of the functions of: A. authorization, execution, and payment. B. authorization, recording, and custody. C. custody, execution, and reporting. D. authorization, payment, and recording.
B
The highest-quality and most reliable audit evidence that segregation of duties is properly implemented is obtained by: A. Inspection of documents prepared by a third party but which contain the initials of those applying entity controls. B. Observation by the auditor of the employees performing control activities. C. Inspection of a flowchart of duties performed and available personnel. D. Inquiries of employees who apply control activities.
B
The independent auditor selects several transactions in each functional area and traces them through the entire system, paying special attention to evidence about whether or not the control activities are in operation. This is an example of a(n): A. Analytical procedure. B. Test of controls. C. Substantive procedure. D. Functional test.
B
__________ controls come into play when a misstatement is found. A. Complementary B. Corrective C. Redundant D. Preventive E. Compensating
B
A well-prepared flowchart should make it easier for the auditor to: A. prepare audit procedure manuals. B. prepare detailed job descriptions. C. perform walkthroughs. D. assess the degree of accuracy of financial data.
C
An entity's control activities include all of the following except: A. Performance reviews. B. Information processing. C. External auditor's tests of controls. D. Segregation of duties.
C
Regardless of the assessed level of control risk, an auditor would perform some: A. Tests of controls to determine the effectiveness of internal controls. B. Analytical procedures to verify the design of internal controls. C. Substantive procedures to restrict detection risk for significant transaction classes. D. Dual-purpose tests to evaluate both the risk of monetary misstatement and preliminary control risk.
C
Significant deficiencies are matters that come to an auditor's attention that should be communicated to an entity's audit committee because they represent: A. Disclosures of information that significantly contradict the auditor's going concern assumption. B. Material fraud or illegal acts perpetrated by high-level management. C. Significant deficiencies in the design or operation of the internal control. D. Manipulation or falsification of accounting records or documents from which financial statements are prepared.
C
Which of the following audit tests would be regarded as a test of controls? A. Tests of the specific items making up the balance in a given general ledger account. B. Tests comparing inventory pricing to vendors' invoices. C. Tests of the signatures on canceled checks to the board of directors' authorizations. D. Tests of the additions to property, plant, and equipment by physical inspections.
C
A Type __________ report assesses the controls, their suitability, and effectiveness. A. 1 B. A C. 3 D. 2 E. B F. 4
D
An auditor anticipates assessing control risk at a low level in an IT environment. Under these circumstances, on which of the following controls would the auditor initially focus? A. Data capture controls. B. Application controls. C. Output controls. D. General controls.
D
An auditor would most likely be concerned with internal control policies and procedures that provide reasonable assurance about the: A. efficiency of management's decision-making process. B. appropriate prices that the entity should charge for its products. C. methods of assigning production tasks to employees. D. entity's ability to accurately process and summarize financial data.
D
An auditor's primary consideration regarding an entity's internal controls is whether they: A. Prevent management override. B. Relate to the control environment. C. Reflect management's philosophy and operating style. D. Affect the financial statement assertions.
D
If employees lack __________, they may be ineffective in performing their duties. A. supervision B. incentive C. bank statements D. skills E. fraud
D
Internal control is a process designed to provide reasonable assurance regarding the achievement of which objective? A. Effectiveness and efficiency of operations. B. Reliability of financial reporting. C. Compliance with applicable laws and regulations. D. All of the above are correct.
D
Monitoring is a major component of the COSO Internal Control— Integrated Framework. Which of the following is not correct in how the company can implement the monitoring component? A. Monitoring can be an ongoing process. B. Monitoring can be conducted as a separate evaluation. C. Monitoring and other audit work conducted by internal audit staff can reduce external audit costs. D. The independent auditor can serve as part of the entity's control environment and continuous monitoring.
D
Proper monitoring within an internal control framework may include all of the following except: A. an external auditor. B. an effective audit committee. C. an internal audit function. D. the internal revenue service.
D
Reports on service organizations typically: A. provide reasonable assurance that their financial statements are free of material misstatements. B. ensure that the entity will not have any misstatements in areas related to the service organization's activities. C. ensure that the auditee is billed correctly. D. assess whether the service organization's controls are suitably designed to achieve internal control objectives.
D
SOC 1, Type 2 reports issued by the service organization's auditor typically: A. Provide reasonable assurance that their financial statements are free of material misstatements. B. Ensure that the entity will not have any misstatements in areas related to the service organization's activities. C. Ensure that the entity is billed correctly. D. Assess whether the service organization's controls are suitably designed and operating effectively.
D
The audit committee should be composed of directors who are not __________ of the organization. A. aware B. customers C. auditors D. employees E. visitors
D
The documentation of an auditor's understanding of internal controls: A. is optional. B. must be exclusively in narrative, questionnaires, or flowchart form. C. must include flowcharts. D. can include any combination of narratives, questionnaires, or flowcharts.
D
To enhance the control environment, management develops job __________. A. duplicates B. misstatements C. labels D. descriptions E. names
D
Type 2 reports address operating __________; type 1 do not. A. issues B. controls C. challenges D. effectiveness E. roadblocks F. concern
D
Which of the following procedures most likely would provide an auditor with evidence about whether an entity's internal control is suitably designed to prevent or detect material misstatements? A. Scanning the journals produced by the internal control system. B. Performing analytical procedures using data aggregated at a high level. C. Vouching a sample of transactions directly related to the controls. D. Observing the entity's personnel applying the controls.
D
Which of the following statements about internal control is correct? A. A properly maintained internal control system reasonably ensures that collusion among employees cannot occur. B. The establishment and maintenance of internal control is an important responsibility of the internal auditor. C. An exceptionally strong internal control system is enough for the auditor to eliminate substantive procedures on a significant account balance. D. The cost-benefit relationship is a primary criterion that should be considered in designing an internal control system.
D
SOC 1, Type 1 Report
Describes the service organization's controls and assesses whether they are suitably designed to achieve specified internal control objectives. -Satisfies GAAS understanding of IC: properly designed & implemented
Organizational structure provides a basis for planning, directing, and controlling __________. A. customers B. auditors C. employees D. exams E. operations
E
Preparing bank __________ can help detect misstatements that have been made. A. controls B. checks C. deposits D. statements E. reconciliations
E
The goal to find a misstatement that has already been made is a type of __________ control. A. compensating B. complementary C. preventive D. redundant E. detective
E
There are __________ types of reports that auditors of service organizations (service auditors) can provide. A. ten B. twelve C. four D. three E. two F. five
E
Important notes to consider when developing an understanding of management's internal controls:
Effect of Entity Size on IC Limitations of Internal Controls -Override of internal control by management (senior officer forcing an employee to book an entry), Human Errors or Mistakes, Collusion
Effective design vs. properly implemented
Effectively Designed: controls designed properly to prevent/detect misstatement Properly Implemented: entity is actually performing the control
T/F: A reliance strategy is used when control risk has been set at high.
F
T/F: Internal control consists of six components.
F
T/F: Once a level of control risk has been established, it cannot be changed.
F
T/F: The auditor must understand internal control before assessing inherent risk.
F
SOC 1, Type 2 Report
Goes further by testing whether the controls provide reasonable assurance that the related control objectives were achieved during the period. -An auditor may reduce control risk below the max only on the basis of a service auditor's Type 2 report
Auditing Accounting Applications Processed by Service Organizations
In some instances, an entity may have *some or all of its accounting transactions processed by an outside service organization* Because the entity's transactions are subjected to the controls of the service organization, one of *the auditor's concerns is the internal control system in place at the service organization.*
Segregation of Duties: separate which functions (4)?
Minimizes the chance of fraud or theft. Separate the following 4 functions • Custody • Authorization • Record keeping • IT Function
Monitoring of Controls -Effective Monitoring (3)
Monitoring of controls is a process that assesses the quality of internal control performance over time. Effective Monitoring: 1. Establishing a foundation for control effectiveness 2. Designing and executing monitoring procedures based on business risks 3. Assessing and reporting results *the auditor is not part of the control environment or monitoring control. Client cannot say that being audited is their monitoring function
COSO: Control Activities
Performance Reviews •Check how controls are working Information Processing •Proper authorization of Transactions and Activities •Adequate documents and records Controls: any physical controls -Segregation of Duties
T/F: A substantive strategy is used when control risk has been set at high.
T
T/F: Internal control includes monitoring of controls.
T
T/F: One of the risks associated with internal control from IT is potential loss of data.
T
T/F: Tests of controls must be performed if control risk is set at a lower level.
T
T/F: The concept of internal control includes IT systems and manual systems.
T
T/F: The extent of an entity's use of IT can affect internal control.
T
Private Companies
The auditor must communicate, in writing, any discovered significant deficiencies and material weaknesses to management and those charged with governance.
COSO: Risk Assessment
The risk assessment process should consider *external and internal events and circumstances* that may arise and *adversely affect* the entity's ability to initiate, record, process, and report financial data consistent with the *assertions of management in the financial statements*
Management Responsibilities
To maintain controls that provides reasonable assurance that adequate control exists over the entity's assets and records. The Internal Control System should: •Ensure that assets and records are safeguarded •Generate reliable information for decision making
Test at ___________ period, if appropriate. Why?
interim •Material Weakness can be corrected before year-end •Substantive audit procedures might be changed based on results of tests of controls •Can be efficient use of staff time (more profitable for firm) Perform Tests of Transactions at the same time when appropriate to be efficient •Dual Purpose Testing
Client business risk can arise or change due to:
•Changes in the operating environment •Corporate restructuring •Rapid growth •International growth •New business models, products, or activities •New personnel •New technology •New or revamped information systems •New accounting pronouncements
Auditor's Responsibilities
•Obtain an understanding of internal control •Assess control risk. The auditor uses risk assessment procedures to: •Obtain an understanding of the entity's internal control •Identify key controls •Recognize the types of potential misstatements •Design tests of controls and substantive procedures The auditor's understanding of the internal control is a major factor in determining the overall audit strategy.
Examples of Segregation of Duties
•The person who *requisitions the purchase* of goods or services should not be the person who *approves* the purchase. •The person who *opens the mail and prepares a listing of checks received* should not be the person who *makes the deposit* •Employees who are responsible for the *receipt of goods from vendors* should not be involved in the *purchasing or cash disbursement process* •Employees should not be able to both *initiate and approve inventory disposals* and *record these adjustments* in the inventory records.