Audit Chapter 6 Venus
An accounts payable program posted a payable to a vendor not included in the online vendor master file. A control that would prevent this error is a: (1) Validity check. (2) Range check. (3) Limit test. (4) Control total.
(1) A validity check compares data (for example, vendors or employees) against a master file for authenticity. Accordingly, a validity test will prevent the posting of a payable to a vendor not included in the online vendor master file.
A primary objective of procedures performed to obtain an understanding of internal control is to provide the auditors with: (1) Knowledge necessary to determine the nature, timing, and extent of further audit procedures. (2) Audit evidence to use in reducing detection risk. (3) A basis for modifying tests of controls. (4) An evaluation of the consistency of application of management policies.
(1) Because the auditors' purposes are for considering internal control, and to obtain the necessary knowledge to (a) assess the risks of material misstatement, and (b) to determine the nature, timing, and extent of the tests to be performed, answer (1) is correct.
When erroneous data are detected by computer program controls, data may be excluded from processing and printed on an exception report. The exception report should probably be reviewed and followed up by the: (1) Data control group. (2) System analyst. (3) Supervisor of IT operations. (4) Computer programmer.
(1) The exception report should be reviewed and followed up on by the data control group, which also tests input procedures, monitors IT processing, handles the reprocessing of exceptions, and reviews and distributes all computer output.
When a CPA decides that the work performed by internal auditors may have an effect on the nature, timing, and extent of the CPA's procedures, the CPA should consider the competence and objectivity of the internal auditors. Relative to objectivity, the CPA should: (1) Consider the organizational level to which the internal auditors report the results of their work. (2) Review the internal auditors' work. (3) Consider the qualifications of the internal audit staff. (4) Review the training program in effect for the internal audit staff.
(1) The internal auditors' objectivity refers to their relative independence from the organizational units they have been evaluating. This may best be determined by considering the organizational level to which the internal auditors report. The other answers address the issues of the internal auditors' competence, not objectivity.
a. Discuss the advantages to CPAs of documenting internal control by using (1) An internal control questionnaire. (2) A written narrative. (3) A flowchart. b. If they are satisfied that no material weaknesses in internal control exist after completing their description of internal control, is it necessary for the CPAs to conduct tests of controls? Explain.
(1) The primary advantage of the internal control questionnaire is that control weaknesses, including the absence of controls, are prominently identified by the "no" answers. Another advantage of the questionnaire is its simplicity. If the questions have been predetermined, as is usual, the auditors' responsibility includes the completion of the questionnaire with yes-or-no answers, and written explanations are required only for the "no" or unfavorable answers. Also, the comprehensive list of questions provides assurance of complete coverage of significant control areas. (2) An advantage of the written narrative approach in reviewing internal control is that the description is designed to explain the precise controls applicable to each examination. In this sense, the working paper description is tailor-made for each engagement and thus offers flexibility in its design and application. A second advantage is that its preparation normally requires a penetrating analysis of the client's system. In requiring a written description of the flow of transactions, records maintained, and the division of responsibilities, the memorandum method minimizes the tendency to perform a perfunctory review. (3) The use of a flowchart in documenting internal control offers the advantage of a graphic presentation of a system or a series of sequential processes. It shows the steps required and the flow of forms or other documents from person to person in carrying out the function depicted. Thus, the tendency to overlook the controls existing between functions or departments is minimized. Another advantage is that the flowchart method avoids the detailed study of written descriptions of procedures without sacrificing the CPAs' ability to appraise the effectiveness of controls under review. An experienced auditor can gain a working understanding of the system much more readily by reviewing a flowchart than by reading questionnaires or lengthy narratives. Information about specific procedures, documents, and accounting records can also be located more quickly in a flowchart. Because of these advantages, flowcharting has become the most widely used method of describing internal control in audit working papers. (b) Even though internal control appears to be strong, the auditors are required to conduct tests of controls. Just because controls are prescribed does not mean that the client's personnel are adhering to those requirements. Employees may not understand their assigned duties, or may perform those duties in a careless manner, or other factors may cause the controls actually in place to differ from those presc ribed. Through tests of controls the CPAs obtain reasonable assurance that controls are in use and are operating as planned, and they may detect material errors of types not susceptible to effective internal control. In addition, such testing enables the CPAs to comply with the third standard of field work that calls for obtaining sufficient competent evidential matter to provide a reasonable basis for an opinion. Note to instructor—Auditors may forego tests of controls if they conclude that controls are so weak as to provide no basis for assessing control risk at a level lower than the maximum.
Which of the following is not ordinarily a procedure for documenting an auditor's understanding of internal control for planning purposes? (1) Checklist. (2) Confirmation. (3) Flowchart. (4) Questionnaire.
(2) A confirmation is designed to obtain evidence from a third-party. It is not used to document internal control.
The increased presence of user operated computers in the workplace has resulted in an increasing number of persons having access to the system. A control that is often used to prevent unauthorized access to sensitive programs is: (1) Backup of data in the cloud. (2) Authentication procedures. (3) Input validation checks. (4) Record counts of the number of input transactions in a batch being processed.
(2) Authentication procedures for the various users may be used to restrict access to the computer in a manner so as to prevent unauthorized access to sensitive programs.
Which of the following would be least likely to be considered an objective of internal control? (1) Checking the accuracy and reliability of accounting data. (2) Detecting management fraud. (3) Encouraging adherence to managerial policies. (4) Safeguarding assets.
(2) Detecting management fraud is generally not considered to be an objective of internal control. In fact, one of the inherent limitations of internal control is that it is subject to override by management. All of the other answers represent valid objectives of internal control.
Which of the following best describes what is meant by the term "fraud risk factor"? (1) Factors that, when present, indicate that risk exists. (2) Factors often observed in circumstances where frauds have occurred. (3) Factors that, when present, require modification of planned audit procedures. (4) Weaknesses in internal control identified during an audit.
(2) Fraud risk factors are factors that have been observed in circumstances in which fraud has occurred. The fraud risk factors were identified by researchers and practitioners through analyses of many past frauds. Yet, none of the factors was always present in the various individual cases included in the analyses. Answer (1) is incorrect because in any particular circumstance, the existence of a fraud risk factor may or may not indicate that in that circumstance the risk of fraud is high. Answer (3) is incorrect because the existence of a fraud risk factor may not require modification of planned audit procedures (e.g., the audit plan may already have audit procedures that consider the factor). Answer (4) is incorrect because a fraud risk factor may or may not be a significant deficiency.
Which of the following is an advantage of generalized audit software packages? (1) They are all written in one identical computer language. (2) They can be used for audits of clients that use differing computing equipment and file formats. (3) They have reduced the need for the auditor to study input controls for computer-related procedures. (4) Their use can be substituted for a relatively large part of the required tests of controls.
(2) Generalized audit software allows the auditors to independently process their clients' records. The software is flexible and may be used on a variety of IT systems. These packages have not all been written in one language and their use should have no effect on the auditors' need to obtain an understanding of internal control, as indicated in answers (1) and (3). Generalized audit software is primarily used as a tool for performing substantive tests; the software is of limited value in tests of controls.
Effective internal control in a small company that has an insufficient number of employees to permit proper separation of responsibilities can be improved by: (1) Employment of temporary personnel to aid in the separation of duties. (2) Direct participation by the owner in key record-keeping and control activities of the business. (3) Engaging a CPA to perform monthly write-up work. (4) Delegation of full, clear-cut responsibility for a separate major transaction cycle to each employee.
(2) Involvement of the owner in key control functions should be a major step toward preventing material errors or defalcations. Answer (1) would not be cost-effective. Answer (3) would provide some measure of control, but not as much as would daily participation by the owner. If it were feasible to hire additional employees, it would be cheaper to hire permanent employees rather than temporary. The need for internal control is permanent. Answer (4) would weaken, not strengthen internal control.
LAN is the abbreviation for: (1) Large Area Network. (2) Local Area Network. (3) Longitudinal Analogue Network. (4) Low Analytical Nets.
(2) LAN is the abbreviation for local area network, a network that interconnects computers within a limited area, typically a building or a small cluster of buildings.
Which of the following is most likely to be an overall response to fraud risks identified in an audit? (1) Supervise members of the audit team less closely and rely more upon judgment. (2) Use less predictable audit procedures. (3) Use only certified public accountants on the engagement. (4) Place increased emphasis on the audit of objective transactions rather than subjective transactions. (AICPA, adapted)
(2) Less predictable audit procedures are likely to be used when fraud risks are high. SAS 99 also suggest that the auditors have increased skepticism, assign more skilled staff, and consider further management's selection and application of accounting principles. Answer (1) is incorrect because supervision of members of the audit team will be closer, not less. Answer (3) is incorrect because team members may or may not be CPAs (e.g., a fraud specialist who is not a CPA might be added to the team). Answer (d) is incorrect because subjective, rather than objective transactions may often be emphasized—depending upon the nature of the fraud risks identified.
Which of the following is least likely to be considered by the auditors considering engagement of an information technology specialist on an audit? (1) Complexity of the client's systems and IT controls. (2) Number of financial institutions at which the client has accounts. (3) Client's use of emerging technologies. (4) Extent of the client's participation in electronic commerce.
(2) When deciding whether to engage an information technology specialist, it is doubtful that the auditor would consider the number of financial institutions at which the client has accounts as increases in that number itself doesn't necessarily result in a more complex computer application. The other replies all involve factors making such an application more complex.
The auditors would most likely be concerned with which of the following controls in a distributed data processing system? (1) Hardware controls. (2) Systems documentation controls. (3) Access controls. (4) Disaster recovery controls.
(3) A distributed data processing system is one in which communication links are used to share data and programs among various users in remote locations throughout the organization. Accordingly, access controls in such a system gain importance.
Three conditions generally are present when fraud occurs. Select the one below that is not one of those conditions. (1) Incentive or pressure. (2) Opportunity. (3) Supervisory position. (4) Attitude.
(3) AICPA AU-C 240 (PCAOB AS 2401) outlines the three functions generally necessary for fraud as (1) incentive or pressure, (2) opportunity, and (3) attitude. Being in a supervisory position is not one of those conditions, although it may provide the individual an opportunity to commit fraud.
Which of the following is not an advantage of establishing an enterprise risk management system within an organization? (1) Reduces operational surprises. (2) Provides integrated responses to multiple risks. (3) Eliminates all risks. (4) Identifies opportunities.
(3) An enterprise risk management system cannot eliminate all risks.
d. An auditor may compensate for a weakness in internal control by increasing the extent of: (1) Tests of controls. (2) Detection risk. (3) Substantive tests of details. (4) Inherent risk.
(3) An increase in the substantive procedures will decrease detection risk, and thereby compensate for the increased level of control risk due to a weakness in internal control. Answer (1) is incorrect because if the weakness exists, increasing the extent of tests will only provide more evidence on the weakness—not evidence that compensates for the weakness. Answers (2) and (4) are incorrect because a decrease in detection risk or inherent risk, not an increase, would compensate. Also, in the case of inherent risk, it may not be possible to change the assessment since it is a function of the firm's environment.
In planning and performing an audit, auditors are concerned about risk factors for two distinct types of fraud: fraudulent financial reporting and misappropriation of assets. Which of the following is a risk factor for misappropriation of assets? (1) Generous performance-based compensation systems. (2) Management preoccupation with increased financial performance. (3) An unreliable accounting system. (4) Strained relationships between management and the auditors.
(3) An unreliable accounting system provides an opportunity for an individual to misappropriate assets. The other items create risks of fraudulent financial reporting.
End user computing is most likely to occur on which of the following types of computers? (1) Mainframe. (2) Decision support systems. (3) Personal computers. (4) Personal reference assistants.
(3) End-user computing is most likely in a personal computer environment. End user computing involves environments in which a user department is responsible for developing and running an IT system with minimal or no support from the central information systems department.
When an online real-time (OLRT) IT processing system is in use, internal control can be strengthened by: (1) Providing for the separation of duties between data input and error handling operations. (2) Reconciling hash totals to computer runs. (3) Making a validity check of an identification number and password before a user can obtain access to the computer files. (4) Preparing batch totals to provide assurance that file updates are made for the entire input.
(3) In an online, real-time system, users enter individual transactions from remote terminals and files are updated immediately. Therefore, it is important that control be established over computer files through a system of user identification numbers and passwords.
Which of the following elements underlies the application of generally accepted auditing standards, particularly the standards of fieldwork and reporting? (1) Adequate disclosure. (2) Quality control. (3) Materiality and audit risk. (4) Client acceptance.
(3) Materiality and audit risk underlie the application of generally accepted auditing standard in that so many audit decisions are affected by the amount used as a materiality measure and the level of audit risk assumed on the engagement.
Controls over financial reporting are often classified as preventative, detective, or corrective. Which of the following is an example of a detective control? (1) Segregation of duties over cash disbursements. (2) Requiring approval of purchase transactions. (3) Preparing bank reconciliations. (4) Maintaining backup copies of key transactions.
(3) Preparing bank reconciliations will detect a variety of misstatements related to cash and is a detective control in the sense that it does not prevent the misstatement from occurring, but may detect it. Answers (1) and (2) are incorrect because segregating duties and requiring approvals are primarily designed to prevent misstatements. Answer (4) is incorrect because the primary purpose of keeping backup copies of key transactions (or all transactions) is prevent loss of information in the event of an information system failure.
Which portion of an audit is least likely to be completed before the balance sheet date? (1) Tests of controls. (2) Issuance of an engagement letter. (3) Substantive procedures. (4) Assessment of control risk.
(3) Substantive procedures substantiate the account balances as of the balance sheet date and therefore cannot be completed prior to that date. The other items pertain to the operation of the system during the year under audit and could be completed in the interim period.
The auditors would be least likely to use software to: (1) Access client data files. (2) Prepare spreadsheets. (3) Assess computer control risk. (4) Test application programs.
(3) The assessment of "computer control risk" is a vague term and ordinarily there is no assessment of "computer control risk." In addition, any assessment of risk requires auditor judgment.
Which of the following is not a major component of an information system? (1) People. (2) Data. (3) Review. (4) Software.
(3) The major components of an information system include hardware, software, data, people, procedures and networks. Review is not one of the major components.
The primary objective of tests of details of transactions performed as substantive procedures is to: (1) Comply with generally accepted auditing standards. (2) Attain assurance about the reliability of the accounting system. (3) Detect material misstatements in the financial statements. (4) Evaluate whether management's policies and procedures are operating effectively.
(3) The objective of tests of details of transactions performed as substantive procedures is to detect material misstatements in the financial statements as transactions are tested to determine whether they have been properly recorded.
An auditor will use the computer test data method in order to gain assurances with respect to the: (1) Security of data in a system. (2) IT system capacity. (3) Controls contained within a program. (4) Degree of data entry accuracy for batch input data.
(3) The test data method is used to test controls contained within the program. The audit approach is that of identifying relevant controls within the computer program, and then preparing transactions to run through that program to determine whether the controls operate effectively.
As one step in testing sales transactions, a CPA traces a random sample of sales journal entries to debits in the accounts receivable subsidiary ledger. This test provides evidence as to whether: (1) Each recorded sale represents a bona fide transaction. (2) All sales have been recorded in the sales journal. (3) All debit entries in the accounts receivable subsidiary ledger are properly supported by sales journal entries. (4) Recorded sales have been properly posted to customer accounts.
(4) Because entries in the sales journal represent recorded sales, tracing entries from it to debits in the accounts receivable ledger provides evidence on whether recorded sales have been properly posted to customer accounts.
Which of the following should the auditors obtain from the predecessor auditors before accepting an audit engagement? (1) Analysis of balance sheet accounts. (2) Analysis of income statement accounts. (3) All matters of continuing accounting significance. (4) Facts that might bear on the integrity of management.
(4) Before accepting an engagement the possible successor should ask questions about the integrity of management, disagreements with management, and the reasons for the change in auditors. All of the other replies are incorrect because they represent information that the successor may wish to obtain after accepting the engagement.
The risk that the auditors will conclude, based on substantive procedures, that a material misstatement does not exist in an account balance when, in fact, such misstatement does exist is referred to as (1) Business risk. (2) Engagement risk. (3) Control risk. (4) Detection risk.
(4) Detection risk is the risk that the auditor will conclude, based on substantive procedures, that a material misstatement does not exist in an account balance, when, in fact, such misstatement does exist.
An entity's ongoing monitoring activities often include: (1) Periodic audits by internal auditors. (2) The audit of the annual financial statements. (3) Approval of cash disbursements. (4) Management review of weekly performance reports.
(4) Management review of weekly performance reports is an ongoing monitoring activity that may detect errors or fraud. Answer (1) is incorrect because while periodic audits by internal audit represent a monitoring activity, they are best classified as separate evaluations, and not ongoing monitoring activities. Answer (2) is incorrect because the audit of the annual financial statements is the function of the external auditors. Answer (3) is incorrect because approvals of cash disbursements represent a control activity.
Which of the following should not normally be included in the engagement letter for an audit? (1) A description of the responsibilities of client personnel to provide assistance. (2) An indication of the amount of the audit fee. (3) A description of the limitations of an audit. (4) A listing of the client's branch offices selected for testing.
(4) Management should not be informed about which branches were selected for testing at all or at least not until just before testing is to be done.
The audit committee of a company must be made up of: (1) Representatives from the client's management, investors, suppliers, and customers. (2) The audit partner, the chief financial officer, the legal counsel, and at least one outsider. (3) Representatives of the major equity interests, such as preferred and common stockholders. (4) Members of the board of directors who are not officers or employees.
(4) Members of the audit committee should be independent of management. Therefore, the individuals should be board members who are not employees or officers, and who have no relationship with management that might impair their objectivity.
Define and give the purpose of each of the following controls: a. Record counts b. Limit test c. Validity test d. Hash totals e. Missing data test
(a) Record counts are totals that indicate the number of documents or transactions processed; the record counts are compared with totals determined before processing. The purpose of the record count control is to compare the computer-developed totals with the predetermined totals to detect the loss or omission of transactions or records during processing. Unauthorized transactions may also be detected by record counts. (b) The limit test control in the computer program compares the result of computer processing against a minimum or maximum amount. The purpose of the limit test is to determine whether certain predetermined limits have been exceeded. Violations are usually printed out for follow-up action. (c) A validity test involves the comparison of data against a master file or table for accuracy. For example, employee numbers may be compared with a master file of all valid employees. The purpose of validity tests is to determine that only legitimate data is processed. (d) Hash totals are sums of data that would ordinarily not be added, such as unit prices, invoice numbers, etc. These items are added before processing for later comparison with a total of the same items accumulated by the computer. The purpose of the hash total control is to provide assurance that all, and only authorized, records were processed. (e) A missing data test is an input control that prevents the acceptance of a set of input if required data is missing.
What are the purposes of the audit procedures of (a) tracing a sample of journal entries forward to the ledgers
(a) The purpose of tracing journal entries forward into the ledgers is to verify the completeness of the client's posting procedures.
What are the purposes of the audit procedures of (b) vouching a sample of ledger entries back to the journals?
(b) The purpose of vouching ledger entries to the journals is to provide the auditor with assurance that entries in the ledger are supported by journal entries. This procedure addresses the existence assertion.
6-32e
Identifying related parties is performed to determine the appropriate financial statement presentation and disclosure of the assets.
When the auditors are performing a first-time internal control audit in accordance with the Sarbanes-Oxley Act and PCAOB standards, they should: (1) Modify their report for any significant deficiencies identified. (2) Use a "bottom-up" approach to identify controls to test. (3) Test controls for all significant accounts. (4) Perform a separate assessment of controls over operations.
In an audit of internal control performed under PCAOB standards the auditors must test controls for all significant accounts.
To have an adequate basis to issue a management report on internal control under Section 404(a) of the Sarbanes-Oxley Act, management must do all of the following, except: (1) Establish internal control with no material weakness. (2) Accept responsibility for the effectiveness of internal control. (3) Evaluate the effectiveness of internal control using suitable control criteria. (4) Support the evaluation with sufficient evidence.
Management may issue a report on internal control regardless of whether the system has a material weakness.
6-32a
Observation of the client's physical inventory primarily provides evidence related to the existence assertion. To a lesser degree it establishes valuation in that damaged or slow-moving inventory items may be identified for possible lower-of-cost-or-market testing. It may also provide evidence about cut-off of purchases and sales.
6-32c
Obtaining a listing of inventory and reconciling the total to the general ledger establishes a population to be tested for valuation.
6-32b
Physical inspection of equipment items listed in the plant ledger serves to establish the existence of the assets. It does not, however, establish rights to those assets.
How does separation of the record-keeping function from custody of assets contribute to internal control?
Separating recordkeeping from custody of the related assets provides an independently maintained record that may periodically be reconciled with assets on hand. This independent record holds the personnel of a custodial department accountable for assets entrusted to their care. If the custodial department maintained the accounting records, opportunity would exist for that department to conceal its errors or shortages by manipulating the records.
Can a standard audit plan be used for most engagements?
The audit procedures to be followed in a given engagement depend upon such factors as the risks of material misstatement of the financial statements, the assumption about the effectiveness of internal control, the auditors' estimates of materiality, the nature of the accounting records, the caliber of accounting personnel, and any special objectives of the engagement. Consequently, even standard audit plans are modified for details of each audit.
List and describe the major components of an information system.
The major components of an information system include: (1) Hardware - The computer and peripheral equipment for input, output, storage of data. (2) Software - The programs that tell the computer equipment what to do. (3) Data - The inputs and outputs of the computer system. (4) People - The users and information systems professionals. (5) Procedures - The policies within a company for operating and maintaining the information system. (6) Networks - Specialized hardware and software that allows different IT devices to connect with each other to share data, software, and other hardware resources.
The number of personnel in an information systems department may limit the extent to which segregation of duties is feasible. What is the minimum amount of segregation of duties that will permit satisfactory internal control?
The minimum amount of segregation of duties in an information systems department requires that programming be separate from the functions of operating the computer and controlling input to the computer. Also, computer operators should not have custody or detailed knowledge of computer programs.
Assume that you are auditing the financial statements of Wexler, Inc. As you are reviewing the work on internal control, you become concerned about the adequacy of documentation. Describe the required documentation of internal control matters.
The required documentation related to internal control in a financial statement audit include: (1) Documentation of understanding of internal control (flowcharts, written narratives, questionnaires, etc.). (2) The overall responses to address the risks of material misstatement at the financial statement level. (3) The nature, timing, and extent of further audit procedures (including additional tests of controls and substantive procedures). (4) The linkage of further audit procedures with assessed risks at the relevant assertion level. (5) The results of audit procedures (including tests of controls). (6) The conclusions reached with regard to the use of the current audit evidence about the operating effectiveness of controls that was obtained in prior audits.
Distinguish between the two subsections of Section 404 of the Sarbanes-Oxley Act of 2002.
The two subsections of Section 404 of the Sarbanes-Oxley Act are 404a and 4040b. Section 404a requires each annual report filed with the SEC to include a report in which management (1) acknowledges its responsibility for establishing and maintaining adequate internal control over financial reporting, and (2) provides an assessment of internal control effectiveness as of the end of the most recent fiscal year. Section 404b requires auditors of certain companies to attest to, and report on, internal control over financial reporting.
6-32d
Tracing shipping documents to recorded sales is designed to establish the completeness of recorded accounts receivable. It also provides evidence about the cut-off of sales transactions.
6-32f
Vouching selected purchases of securities establishes existence of, rights to, and valuation (cost) of the securities. It may also provide some evidence about the cut-off of security transactions.
Read and summarize the internal control requirements of Section 13(b)(2) of the act.
· Section 13(b)(2) of the Securities and Exchange Act of 1934 indicates that every issuer with securities registered under Section 12 and every issuer which is required to file reports under section 15(d) must: · · (1) Keep records which accurately reflect the transactions and dispositions of the assets, and · (2) Devise and maintain a system of internal control sufficient to provide reasonable assurance that: · (a) transactions are executed in accordance with management's authorization, · (b) transactions are recorded as necessary to permit preparation of financial statements in · accordance with appropriate accounting principles and maintain accountability for · assets, · (c) access to assets is restricted to authorized individuals, and · (d) the recorded accountability for assets is compared with assets at reasonable intervals · and appropriate action is taken with respect to differences.