Auditing
Place the following steps in the top-down, risk-based approach to the audit of ICFR in their proper order: 1. Identify significant accounts and disclosures and their relevant assertions. 2. Select controls to test. 3. Understand likely sources of misstatement. 4. Identify entity level controls. 1, 2, 3, 4. 4, 1, 3, 2. 4, 2, 1, 3. 3, 4, 1, 2.
4, 1, 3, 2.
An auditor desired to test credit approval on 10,000 sales invoices processed during the year. The auditor designed a statistical sample that would provide 1 percent risk of assessing control risk too low for the assertion that not more than 7 percent of the sales invoices lacked approval. The auditor estimated from previous experience that about 2½ percent of the sales invoices lacked approval. A sample of 200 invoices was examined, and 7 of them were lacking approval. The auditor then determined the computed upper deviation rate to be 8 percent. Based on the information above, the planned allowance for sampling risk was: 4½ percent. 1 percent. 3½ percent. 5½ percent.
4½ percent.
AnnaLisa, an auditor for N. M. Neal & Associates, is prevented by the management of Lileah Company from auditing controls over inventory. Lileah is a public company. Management explains that controls over inventory were recently implemented by a highly regarded public accounting firm that the entity hired as a consultant and insists that it is a waste of time for AnnaLisa to evaluate these controls. Inventory is a material account, but procedures performed as part of the financial statement audit indicate the account is fairly stated. AnnaLisa found no material weaknesses in any other area of the entity's internal control relating to financial reporting. What kind of report should AnnaLisa issue on the effectiveness of Lileah's internal control? A disclaimer of opinion. An adverse report. An exculpatory opinion. An unqualified report.
A disclaimer of opinion.
Which of the following best illustrates the concept of sampling risk? An auditor may select audit procedures that are not appropriate to achieve the specific objective. A randomly chosen sample may not be representative of the population as a whole on the characteristic of interest. An auditor may fail to recognize errors in the documents examined for the chosen sample. The documents related to the chosen sample may not be available for inspection.
A randomly chosen sample may not be representative of the population as a whole on the characteristic of interest.
When assessing the tolerable deviation rate (TDR), the auditor should consider that while deviations from control procedures increase the risk of material misstatements, such deviations may not necessarily result in errors. This explains why Deviations from examined control procedures at a given rate would normally be expected to result in a higher rate of dollar errors. A recorded disbursement that is properly authorized may nonetheless contain a material dollar error. A recorded disbursement that is not properly authorized may nonetheless be recorded properly in the cash disbursements journal. Deviations would result in dollar errors in the accounting records only when they occurred in different transactions.
A recorded disbursement that is not properly authorized may nonetheless be recorded properly in the cash disbursements journal.
Internal control is a process designed to provide reasonable assurance regarding the achievement of which objective? Effectiveness and efficiency of operations. Reliability of financial reporting. Compliance with applicable laws and regulations. All of these are correct
All of these are correct
In auditing a public company, Natalie, an auditor for N. M. Neal & Associates, identifies four deficiencies in ICFR. Three of the deficiencies are unlikely to result in financial misstatements that are material. One of the deficiencies is reasonably likely to result in misstatements that are not material but significant. What type of audit report should Natalie issue? An unqualified report. An adverse report. A disclaimer of opinion. An exculpatory opinion.
An unqualified report.
Which of the following represents the correct sequence of audit steps that come after first obtaining an understanding and documenting the entity's internal control? Test of Controls, Assess Control Risk, Determine Extent of Substantive Tests, Reassess Control Risk. Assess Control Risk, Test of Controls, Determine Extent of Substantive Testing, Reassess Control Risk. Assess Control Risk, Determine Extent of Substantive Testing, Test of Controls, Reassess Control Risk. Assess Control Risk, Test of Controls, Reassess Control Risk, Determine Extent of Substantive Testing.
Assess Control Risk, Test of Controls, Reassess Control Risk, Determine Extent of Substantive Testing.
Which of the following types of statistical testing is likely to be used for a test of controls? Monetary-unit sampling. Probability-proportional-to-size sampling. Attribute sampling. Classical variables sampling.
Attribute sampling.
A reliance strategy is chosen when the auditor: Plans on conducting tests of controls. Has set the control risk at a high level. Has set the control risk at a lower level. Both a and c.
Both a and c.
Understanding each of the components of internal control provides knowledge about: The design of tests of controls. The assessment of inherent risks. Factors that affect the risk of material misstatement. Both a and c.
Both a and c.
CHAPTER 8 NUMBER 23, 24,& 25 ON CONNECT
CHAPTER 8 NUMBER 23, 24,& 25 ON CONNECT
CHAPTER 8 NUMBER 6 ON CONNECT
CHAPTER 8 NUMBER 6 ON CONNECT
Which of the following statements best describes how the requirements under Sarbanes-Oxley changed the auditor's responsibility for issuing an opinion in connection with the audits of most public companies? CPA firms are now required to add a second opinion related to the timeliness of the financial information provided to the public in addition to an opinion on the overall fairness of the financial statements. CPA firms are required to rely less on their own direct evidence to support their opinion regarding the effectiveness of controls. CPA firms are now required to issue a second opinion related to their evaluation of the effectiveness of internal controls in addition to an opinion on the overall fairness of the financial statements. While the CPA firm is required to issue an additional opinion, that opinion is for internal use only and does not need to be made available in the entity's annual report.
CPA firms are now required to issue a second opinion related to their evaluation of the effectiveness of internal controls in addition to an opinion on the overall fairness of the financial statements.
Which of the following types of evidence is most likely to utilize sampling? Scanning. Confirmation Observation Analytical procedures.
Confirmation
All of the following controls may mitigate the risk of fraud and management override except: Controls over related-party transactions. Controls over period-end adjusting entries. Controls related to significant management estimates. Controls related to executive compensation.
Controls related to executive compensation.
Which of the following controls would most likely be tested during an interim period? Controls over nonroutine transactions. Controls over the period-end financial reporting process. Controls over transactions that involve a high degree of subjectivity. Controls that operate on a continuous basis.
Controls that operate on a continuous basis.
Entity-level controls can have a pervasive effect on the entity's ability to meet the control criteria. Which one of the following is not an entity-level control? Management's risk assessment process. The period-end financial reporting process. Controls to monitor results of operations. Controls to monitor the inventory taking process.
Controls to monitor the inventory taking process.
"Remediation" refers to Management's required annual communication to the Audit Committee regarding changes in the ICFR. The auditor's required annual communication to the Audit Committee regarding weaknesses found in the ICFR. Management's testing of a new control designed to eliminate a previous material weakness. Corrective actions taken by management to eliminate a material weakness.
Corrective actions taken by management to eliminate a material weakness.
Which of the following combinations results in the greatest decrease in sample size in an attribute sample for a test of controls? 1. Desired Confidence 2. Level Tolerable Deviation Rate 3. Expected Population Deviation Rate Decrease Decrease Increase Decrease Increase Decrease Decrease Increase Increase Increase Increase Decrease
Decrease Increase Decrease
Auditors obtain an understanding of a nonpublic entity's internal control for the primary purpose of: Gathering sufficient evidence to provide a reasonable basis for an opinion on the financial statements. Determining the nature, extent, and timing of subsequent audit procedures to be performed. Determining whether interim audit testing is appropriate. Providing documentary evidence to present to the audit committee.
Determining the nature, extent, and timing of subsequent audit procedures to be performed.
Most of the steps for planning and carrying out a nonstatistical test of controls are the same as those for a statistical test of controls. Which of the following represent the steps that could differ between nonstatistical and statistical sampling as discussed in the text? Defining the control deviation conditions, determining the sample size, calculating the upper deviation rate. Defining the control deviation conditions, defining the sampling unit, calculating the computed upper deviation rate. Determining the sample size, selecting the sample items, calculating the computed upper deviation rate. Defining the sampling unit, selecting the sample items, performing the audit procedures.
Determining the sample size, selecting the sample items, calculating the computed upper deviation rate.
The likelihood of assessing control risk too high is the risk that the sample selected to test controls Does not support the auditor's planned assessed level of control risk when the true operating effectiveness of the control justifies such an assessment. Does support the auditor's planned assessed level of control risk when the true operating effectiveness of the control does not justify such an assessment. Contains misstatements that could be material to the financial statements when aggregated with misstatements in other account balances or transaction classes. Contains proportionately fewer monetary errors or deviations from prescribed internal controls than exist in the balance or class as a whole.
Does not support the auditor's planned assessed level of control risk when the true operating effectiveness of the control justifies such an assessment.
Which of the following steps or procedures is LEAST likely to be performed as part of management's assessment of the effectiveness of internal controls? Engaging the external auditors to conduct cutoff tests. Determining the locations or business units to be evaluated. Evaluating the design effectiveness and operating effectiveness of selected controls. Communication of its findings to the external auditors.
Engaging the external auditors to conduct cutoff tests.
For which of the following audit tests would an auditor most likely use attribute sampling? Observation of employees who control mailroom receipts. Examining supporting documentation for purchases for evidence of proper authorization. Examining invoices in support of the valuation of equipment additions. Selected accounts receivable for confirmation of account balances.
Examining supporting documentation for purchases for evidence of proper authorization.
The role of the registered independent auditing firm relative to its clients' internal controls under the Sarbanes-Oxley Act of 2002 is to Express an opinion on whether the entity is subject to all provisions of the Securities Exchange Act of 1934. Express an opinion on the effectiveness of the entity's internal control. Report to both the PCAOB and SEC those entities with unsatisfactory internal controls. Provide report feedback but disclaim an opinion on management's assessment.
Express an opinion on the effectiveness of the entity's internal control.
Which of the following is not a requirement for management under Section 404 of the Sarbanes-Oxley Act of 2002? Guarantee effectiveness of the entity's ICFR. Accept responsibility for the effectiveness of the entity's ICFR. Support the evaluation of the entity's ICFR with sufficient evidence, including documentation. Present a written assessment regarding the effectiveness of the entity's ICFR as of the end of the most recent fiscal year.
Guarantee effectiveness of the entity's ICFR.
The effectiveness of internal control is reduced by: Computerized accounting records. Flowcharts Human errors or mistakes. Both a and c.
Human errors or mistakes.
Which of the following is not one of the five major components of internal control? Risk assessment. Control activities. Information and communication system. Human resource background checks.
Human resource background checks.
In order to be able to set control risk at a lower level, the auditor must do all of the following except: Identify all general IT controls. Identify specific controls that will be relied upon. Perform tests of controls. Conclude on the achieved level of control risk.
Identify all general IT controls.
The requirements of Section 404 of the Sarbanes-Oxley Act of 2002 apply to All companies that are subject to an independent audit. Most publicly-held companies. All privately-held companies. All companies with sales in excess of $500 million.
Most publicly-held companies.
With regard to entities that have locations or business units that are judged to have financial reporting risks, the auditor Need not perform any audit procedures. Must first determine whether those risks are adequately addressed by entity-level controls. Must first determine whether the internal audit staff has performed testing at such locations. Must first evaluate the risk of financial reporting fraud.
Must first determine whether those risks are adequately addressed by entity-level controls.
Which of the following statements regarding auditor documentation of the entity's internal control is correct? Documentation must include narrative memorandums. No documentation is necessary to satisfy GAAS, however, oral inquiry is required at minimum. Internal control questionnaires are specifically tailored to meet the needs of each individual entity. No one particular form of documentation is necessary, and the extent of documentation may vary.
No one particular form of documentation is necessary, and the extent of documentation may vary.
Which of the following types of audit reports would not be appropriate for an auditor to issue on the effectiveness of an entity's internal controls? Unqualified [no material weaknesses identified]. Adverse [a material weakness exists]. Qualified [a significant deficiency exists]. Disclaimer [unable to perform key audit procedures].
Qualified [a significant deficiency exists].
Internal controls are designed to achieve company objectives in all of the following areas except: Safeguarding of assets. Reliability of financial reporting. Reduction of debt financing costs. Compliance with laws and regulations.
Reduction of debt financing costs.
Which of the following best illustrates the components that make up the upper deviation rate [UDR]? Sample deviation rate + allowance for sampling risk. Sample deviation rate + risk of assessing control risk too high. Tolerable deviation rate + allowance for sampling risk. Expected population deviation rate + allowance for sampling risk.
Sample deviation rate + allowance for sampling risk.
Which of the following statements is true regarding nonstatistical sampling? It quantifies the auditor's exposure to sampling risk. Its use is required by the Public Company Accounting Oversight Board for small public company audits. Sample sizes for non-statistical sampling should be comparable to statistical sampling. It gives greater assurance than statistical sampling that samples are randomly selected.
Sample sizes for non-statistical sampling should be comparable to statistical sampling.
If the financial reporting risks for a location are low and the entity has good entity-level controls, management may rely on which of the following for its assessment? Selective control test at that location. Documentation and test entity-level controls over the entire entity. Documentation and test controls over specific risks. Self-assessment processes in conjunction with entity-level controls.
Self-assessment processes in conjunction with entity-level controls.
The auditor must report the following to the audit committee or others charged with governance: Only material weaknesses. Only significant deficiencies. Significant deficiencies and material weaknesses. All control deficiencies identified during the audit.
Significant deficiencies and material weaknesses.
Which of the following statements is true in an attribute sampling plan where the tolerable deviation rate is 7%, the computed upper deviation rate is 6.5%, the sample deviation rate is 2%, and the risk of assessing control risk too low is 5%? The auditor is likely to increase control risk because the computed upper deviation rate is less than the risk of assessing control risk too low. The auditor is likely to decrease control risk because the computed upper deviation rate is less than the risk of assessing control risk too low. The auditor is likely to determine that the results do not support reliance on the control because the computed upper deviation rate plus the sample deviation rate is greater than the tolerable deviation rate. The auditor is likely to determine that the results do support reliance on the control because the computed upper deviation rate is less than the tolerable deviation rate.
The auditor is likely to determine that the results do support reliance on the control because the computed upper deviation rate is less than the tolerable deviation rate.
Which of the following statements concerning control deficiencies is true? An auditor must immediately report material weaknesses and significant deficiencies discovered during an audit to the PCAOB. All significant deficiencies are material weaknesses. The auditor should communicate to management, in writing, all control deficiencies in internal control identified during the audit. All control deficiencies are significant deficiencies.
The auditor should communicate to management, in writing, all control deficiencies in internal control identified during the audit.
The Sarbanes-Oxley Act of 2002 requires management to include a report on the effectiveness of ICFR in the entity's annual report. It also requires auditors to report on the effectiveness of ICFR. Which of the following statements concerning these requirements is false? Management's report should state its responsibility for establishing and maintaining an adequate internal control system. Management should identify material weaknesses in its report. The auditor should provide recommendations for improving internal control in the audit report. The auditor should evaluate whether internal controls over financial reporting are designed and operating effectively.
The auditor should provide recommendations for improving internal control in the audit report.
Which of the following statements about internal control is correct? An exceptionally strong internal control system is enough for the auditor to eliminate substantive procedures on a significant account balance. A properly maintained internal control system reasonably ensures that collusion among employees cannot occur. The cost-benefit relationship is a primary criterion that should be considered in designing an internal control system. The establishment and maintenance of internal control is an important responsibility of the internal auditor.
The cost-benefit relationship is a primary criterion that should be considered in designing an internal control system.
As a result of sampling procedures applied as tests of controls, an auditor incorrectly assesses control risk (CR) lower than appropriate. The most likely explanation for this situation is that The deviation/failure rates of both the auditor's sample and the population exceed the tolerable deviation rate [TDR]. The deviation/failure rate in the auditor's sample is less than the TDR, but the deviation/failure rate in the population exceeds the TDR. The deviation/failure rate in the auditor's sample exceeds the TDR, but the deviation/failure rate in the population is less than the TDR. The deviation/failure rates of both the auditor's sample and the population are less than the TDR.
The deviation/failure rate in the auditor's sample is less than the TDR, but the deviation/failure rate in the population exceeds the TDR.
Which of the following is NOT a factor that might affect the likelihood that a control deficiency could result in a misstatement in an account balance? The financial statement amounts exposed to the deficiency. The interaction or relationship of the control with other controls. The nature of the financial statement accounts, disclosures, and assertions involved. The susceptibility of the related assets or liability to loss or fraud.
The financial statement amounts exposed to the deficiency.
Monitoring is a major component of the COSO Internal Control—Integrated Framework. Which of the following is NOT correct in how the company can implement the monitoring component? Monitoring and other audit work conducted by internal audit staff can reduce external audit costs. Monitoring can be an ongoing process. The independent auditor can serve as part of the entity's control environment and continuous monitoring. Monitoring can be conducted as a separate evaluation.
The independent auditor can serve as part of the entity's control environment and continuous monitoring.
Assume an auditor is evaluating a statistical attribute sample of 50 items that resulted in three deviations. What should the auditor conclude if the tolerable deviation rate is 7 percent, the expected population deviation rate is 5 percent, and the allowance for sampling risk is 2 percent? The sample results should be accepted as support for the planned assessed level of control risk because the sample deviation rate plus the allowance for sampling risk exceeds the tolerable deviation rate. The planned assessed level of control risk should be modified because the tolerable deviation rate plus the allowance for sampling risk exceeds the expected population deviation rate. The planned assessed level of control risk should be modified because the sample deviation rate plus the allowance for sampling risk exceeds the tolerable deviation rate. The sample results should be accepted as support for the planned assessed level of control risk because the tolerable deviation rate less the allowance for sampling risk equals the expected population deviation rate.
The planned assessed level of control risk should be modified because the sample deviation rate plus the allowance for sampling risk exceeds the tolerable deviation rate.
Which of the following is a proper reason for not conducting tests of controls for nonpublic companies? The internal control structure appears very strong. The procedures require more audit effort than the projected benefits to be obtained from lowering the control risk. The company does not have any flowcharts of its system available for review. The auditor prefers the control risk to be the minimum.
The procedures require more audit effort than the projected benefits to be obtained from lowering the control risk.
All of the following factors should be considered by the auditor when deciding on the extent of controls testing except: The nature of the control to be tested. The time the auditor has to test controls before a report must be issued. The frequency with which the control is applied. The importance of the control.
The time the auditor has to test controls before a report must be issued.
When auditors report on the effectiveness of internal control "as of" a specific date and obtain evidence about the operating effectiveness of controls at an interim date, which of the following items would be the LEAST helpful in evaluating the additional evidence to gather for the remaining period? The walkthrough of the control system conducted at interim. The specific controls tested prior to the "as of" date and the results of those tests. The length of the remaining period. Any significant changes that occurred in internal control subsequent to the interim date.
The walkthrough of the control system conducted at interim.
Which of the following statements is correct concerning statistical sampling in tests of controls? There is an inverse relationship between the sample size and the tolerable deviation rate. Deviations from controls at a given rate usually result in misstatements at a higher rate. As the population size doubles, the sample size should also double. The qualitative aspects of deviations are not considered by the auditor.
There is an inverse relationship between the sample size and the tolerable deviation rate.
Sample size varies indirectly with which of the following: Desired level of confidence. Expected population deviation rate. Tolerable deviation rate. All of the above.
Tolerable deviation rate.
An auditor plans to examine a sample of 40 accounts payable invoices for proper approval as prescribed by the entity's internal accounting control procedures. One of the invoices in the chosen sample cannot be found, and the auditor is unable to use alternative procedures to determine whether the invoice was properly approved. The auditor should Choose another invoice to replace the missing one in the sample. Consider this compliance test invalid and proceed with substantive tests because internal control cannot be relied upon. Treat the missing invoice as a deviation for the purpose of evaluating the sample. Select a completely new random set of 40 invoices.
Treat the missing invoice as a deviation for the purpose of evaluating the sample.
An auditor's primary consideration regarding an entity's internal controls is whether they: relate to the control environment. prevent management override. affect the financial statement assertions. reflect management's philosophy and operating style.
affect the financial statement assertions.
SOC 1, Type 2 reports issued by the service organization's auditor typically: assess whether the service organization's controls are suitably designed and operating effectively. ensure that the entity will not have any misstatements in areas related to the service organization's activities. provide reasonable assurance that their financial statements are free of material misstatements. ensure that the entity is billed correctly.
assess whether the service organization's controls are suitably designed and operating effectively.
After obtaining an understanding of an entity's internal control system, an auditor may set control risk at high for some assertions because the auditor: believes the internal controls are unlikely to be effective. determines that the pertinent internal control components are not well documented. performs tests of controls to restrict detection risk to an acceptable level. identifies internal controls that are likely to prevent material misstatements.
believes the internal controls are unlikely to be effective.
Assessing control risk below high involves all of the following except: identifying specific controls to rely on. performing tests of controls. analyzing the achieved level of control risk after performing tests of controls. concluding that controls are ineffective.
concluding that controls are ineffective.
A control deviation caused by an employee performing a control procedure that he or she is not authorized to perform is always considered a: material weakness. significant deficiency. deficiency in design. deficiency in operation.
deficiency in operation.
An advantage of statistical sampling over nonstatistical sampling is that statistical sampling helps an auditor to: eliminate the risk of nonsampling errors. minimize the failure to detect errors and fraud. reduce audit risk and materiality to a relatively low level. measure the sufficiency of the evidential matter obtained.
measure the sufficiency of the evidential matter obtained.
Significant deficiencies are matters that come to an auditor's attention that should be communicated to an entity's audit committee because they represent: disclosures of information that significantly contradict the auditor's going concern assumption. manipulation or falsification of accounting records or documents from which financial statements are prepared. significant deficiencies in the design or operation of the internal control. material fraud or illegal acts perpetrated by high-level management.
significant deficiencies in the design or operation of the internal control.
Regardless of the assessed level of control risk, an auditor would perform some: analytical procedures to verify the design of internal controls. tests of controls to determine the effectiveness of internal controls. dual-purpose tests to evaluate both the risk of monetary misstatement and preliminary control risk. substantive procedures to restrict detection risk for significant transaction classes.
substantive procedures to restrict detection risk for significant transaction classes.
Samples to test internal controls are intended to provide a basis for an auditor to conclude whether: the controls are operating effectively. the risk of incorrect acceptance is too high. the financial statements are materially misstated. materiality for planning purposes is at a sufficiently low level.
the controls are operating effectively.
As a result of sampling procedures applied as tests of controls, an auditor incorrectly assesses control risk lower than appropriate. The most likely explanation for this situation is that: the deviation rates of both the auditor's sample and the population are less than the tolerable deviation rate. the deviation rate in the auditor's sample is less than the tolerable deviation rate, but the deviation rate in the population exceeds the tolerable deviation rate. the deviation rates of both the auditor's sample and the population exceed the tolerable deviation rate. the deviation rate in the auditor's sample exceeds the tolerable deviation rate, but the deviation rate in the population is less than the tolerable deviation rate.
the deviation rate in the auditor's sample is less than the tolerable deviation rate, but the deviation rate in the population exceeds the tolerable deviation rate.
An auditor desired to test credit approval on 10,000 sales invoices processed during the year. The auditor designed a statistical sample that would provide 1 percent risk of assessing control risk too low for the assertion that not more than 7 percent of the sales invoices lacked approval. The auditor estimated from previous experience that about 2½ percent of the sales invoices lacked approval. A sample of 200 invoices was examined, and 7 of them were lacking approval. The auditor then determined the computed upper deviation rate to be 8 percent. In the evaluation of this sample, the auditor decided to increase the level of the preliminary assessment of control risk because the: tolerable deviation rate (7 percent) was less than the computed upper deviation rate (8 percent). expected population deviation rate (7 percent) was more than the percentage of errors in the sample (3½ percent). expected population deviation rate (2½ percent) was less than the tolerable deviation rate (7 percent). computed upper deviation rate (8 percent) was more than the percentage of errors in the sample (3½ percent).
tolerable deviation rate (7 percent) was less than the computed upper deviation rate (8 percent).
A walkthrough is one procedure used by an auditor as part of the internal control audit. A walkthrough requires an auditor to: trace a transaction from each major class of transactions from origination through the entity's information system. trace a transaction from each major class of transactions from origination through the entity's information system until it is reflected in the entity's financial reports. tour the organization's facilities and locations before beginning any audit work. trace a transaction from every class of transactions from origination through the entity's information system.
trace a transaction from each major class of transactions from origination through the entity's information system until it is reflected in the entity's financial reports.