Chapter 5 Auditing and Assurance Smartbook
COSO internal control categories include ______ of financial reporting and ______ with applicable laws and regulations.
reliability; compliance
True or false: Document examination alone is never considered an adequate test of controls.
false
True or false: To achieve the specific objectives of each of the three goals, the COSO framework defines five components of a properly designed internal control system that work independently of each other to support the system's overall effectiveness.
false
An audit team's assessment of control risk as low ______.
may limit the use of substantive tests of details; allows auditors to use smaller sample sizes; implies controls are effective
Duties that should be separated are ______.
reconciliation; recording; authorization; custody
The final assessment of control risk should ______.
assist in determining the list of substantive procedures required; be coordinated with the final audit plan
Controls that are pervasive to the internal control system and the reliability of the financial statements as a whole are called ______-level controls.
entity
The risk of material misstatement is composed of _____ risk and _____ risk.
inherent; control
An opinion on the entity's financial statements and a second opinion on management's assessment of the effectiveness of the entity's internal control over financial reporting are issued as part of a(n) ______.
integrated audit
Regarding a client's internal control system, external auditors are ______.
primarily concerned with the financial reporting category
For all relevant assertions for each significant account and disclosure, the audit team begins by examining _____-_____ controls that are pervasive to the internal control system and reliability of the financial statements as a whole.
entity level
When audit teams reach the third phase of an evaluation of internal control they ______.
have set an acceptable rate of compliance for an activity to be considered effective; have identified controls on which they intend to rely
Section 302 of the Sarbanes-Oxley Act ______.
makes managers responsible for establishing a control environment; requires management to assess the risks it wishes to control
Using an automated test procedure designed to test all items in a population as a means to identify a violation of control activities is an example of ______ testing.
exception
Flowcharts ______.
involve considerable time and effort; have become a popular documentation method for auditors; help the audit team assess the key control points in the process
All entities recognize the need for a formalized process to identify, assess and manage factors, events and conditions, known as _____, that can prevent the organization from achieving its objectives.
business risks
Generally a reassessment of control risk ______.
can only go upwards
Comparing all customers' credit limits to the sum of their outstanding credit balance plus a potential sales transaction as a means of checking for potential over-limit conditions is an example of ______ testing.
exception
The audit team's decision that it would take more time to test the operating effectiveness of the control activities than it would take to perform the substantive tests necessary for a relevant assertion ______.
is equivalent to assessing control risk at 100%
After their understanding of the entity's internal controls has been documented, the audit team may choose not to perform tests on the operating effectiveness of the controls because ______.
it is less time consuming to conduct substantive tests; the internal control system is too ineffective to rely on; the cost of obtaining a low control risk assessment is high
Separation of duties ______.
prevents fraud that does not involve collusion; prevents incompatible responsibilities; forces different people or departments to deal with different facets of transactions
A well-functioning internal control environment requires ______.
supportive human resource policies and practices; support as shown by management's philosophy and operating style; competent individuals in financial reporting and oversight roles
If the audit team decides an entity-level control sufficiently reduces a specific risk ______.
transaction-level controls related to that risk may not be needed
True or false: In today's environment, it is essential that organizations have a robust set of cyber security control activities in place and operating effectively.
true
According to professional standards, the audit team's evaluation of the sufficiency of management's control activities is ______.
always required
COSO developed a(n) ______ framework to facilitate the assessment and mitigation of business risks a company faces.
enterprise risk management
Performance reviews ______.
include the study of budget variances with follow up actions; require management's active participation in the supervision of operations; can help lower the risk of material misstatements
Combinations of duties that place a single person in a position to create and conceal misstatements due to errors or frauds in their normal job are _______ responsibilities.
incompatible
An account's significance is based on its ______ risk.
inherent
The least persuasive type of control test evidence is _____.
inquiry
Duties of the audit committee include ______.
oversight of the public accounting firm conducting the entity's audit; overseeing the anonymous fraud hotline; engaging legal counsel in the event of management fraud
When documenting their understanding of the internal control system, the audit team should consider questions related to ______.
policies and procedures documentation and communication information technology integration with the risk assessment process selection and development of control activities
In some sense, all controls can be thought of as ______ controls.
preventive
The key difference between document examination and _____ is that the former provides evidence employees completed the activity and the latter provides evidence it was done correctly.
reperformance
The most persuasive type of control test evidence is _____.
reperformance
A key factor in audit sampling is that, for a sample to be considered _____, all items in a population must have an opportunity to be selected.
representative
Internal control questionnaires ______.
tend to be inflexible; make it less likely for the audit team to forget to cover an important point; should be used in combination with other methods
In order to assess control risk below the maximum ______.
tests of controls must be performed
Controls that pertain to specific classes of entries, account balances and disclosures are called ______-level controls.
transaction
The audit team identifies _____-_____ controls that pertain to specific classes of entries, account balances and disclosures.
transaction level
A combination of personnel inquiry, operation observation and document examination while tracing a single transaction through the entire audit trail is a(n) _____.
walkthrough
Physical access should be limited to authorized personnel. This limitation should include:
inventory payroll records securities
The acceptable rate of compliance for an internal control to be considered effective ______.
is a matter of professional judgment; may be based on internal firm guidelines
Section 302 of the Sarbanes-Oxley Act ______.
is designed to ensure the proper "tone at the top"; makes management responsible for monitoring, supervising and maintaining control activities; allows managers to make their own judgments about the necessity of specific controls
Narrative descriptions tend to be ______.
most efficient for audits of small businesses
Tests of controls ______.
must be performed to obtain evidence that controls can be relied on
The audit committee ______.
must have one member who is a financial expert; members must all be financially literate; is a subcommittee of the board of directors
A method for documenting the audit team's understanding of internal controls that describes all environmental elements, the accounting system and all control activities is called a(n) _____.
narrative description
Internal control questionnaires ______.
are somewhat unique for each organization; can be useful in detecting internal control weaknesses; help the auditing team obtain evidence about the control environment
The audit team must adjust the substantive procedures accordingly in order to obtain enough evidence to mitigate the risk of material misstatements to a low level for the relevant assertions being tested if the assessment of control risk is ______.
moderate
Flowcharts ______.
should flow from left to right and top to bottom; must be understandable to an audit supervisor; should include narrative explanations
Gaining an understanding of internal controls should start by identifying _____ accounts and disclosures and their _____.
significant; relevant assertions
A well-functioning internal control environment requires ______.
appropriate assignment of authority and responsibility; top management with sound integrity and ethical values; clear and unambiguous reporting lines
Duties of the audit committee include ______.
approving nonaudit services provided by the external auditor; appointing the public accounting firm conducting the entity's audit; compensating the public accounting firm conducting the entity's audit
Flowcharts ______.
are easy to evaluate after they are completed; can be helpful in identifying missing controls; are time-consuming to construct
Duties that should be separated are the _____ to execute _____ transactions, ____ transactions, _____ of assets involved in the transactions and periodic ____ of existing assets to recorded amounts.
authority; recording; custody; reconciling
When testing controls, the audit team often uses ______ about the existence of the activity and then corroborates the evidence by observing that the control activities are actually being performed.
inquiry
The four methods of testing controls are ____, ____, document examination and _____.
inquiry; observation; reperformance
External auditors complete an audit on the financial statements and one on internal control as part of a(n) _____.
integrated audit
Section 404 of the Sarbanes-Oxley Act requires an entity's annual report to include a statement that ______.
management is responsible for establishing and maintaining adequate internal control over financial reporting; identifies the framework used as a benchmark for evaluating the entity's internal control effectiveness
The risk assessment element of the COSO framework is ______ responsibility.
management's
When gaining an understanding of internal controls, assertions should ______.
only be considered if they are relevant
Whether a control is working as designed and whether the person performing the control has the authority and qualifications to perform the control is referred to as _____.
operating effectiveness
Internal control is a set of policies and procedures designed to achieve management objectives in three different categories. Maintaining a good business reputation and increasing market share are objectives of the _____ category.
operations
True or false: An understanding of the design of controls or how they are intended to function provides the audit team complete evidence as to the operating effectiveness of controls.
false
The assessment of risk of material misstatement at the assertion level is completed to give the audit team a basis for planning the audit and determining the _____, _____, and ______ of further audit procedures to be conducted for the financial statement audit.
nature; time; extent
Which of the following statements are correct?
For a sample to be representative, all items in the population have an opportunity to be selected. Tests of controls should be applied to samples executed throughout the period under audit.
Which of the following statements are correct?
If a control activity has high risk, more persuasive evidence is needed. It may be more efficient for the auditor to choose not to rely on controls.
Which of the following statements are correct?
Spreadsheet "errors" can pose risks to an entity's internal control system. Using and accounting for prenumbered documents helps support the completeness assertion.
Specific actions a client's management and employees take to help ensure management's directives are carried out are called _____.
control activities
Integrity, ethical values and competence of the entity's people are all ________ factors.
control environment
The foundation for all other components of internal control is the ____.
control environment
Whether the controls over financial reporting, if operating as they should, would be expected to prevent or detect errors or fraud that could result in a material misstatement in the financial statements is determined by ______.
design effectiveness
When a single audit test produces both control testing and substantive testing evidence, it is called a(n) _____ test.
dual purpose
An audit procedure that selects recorded payroll entries to vouch payroll to time cards and calculate the correct dollar amount of payroll is an example of a ______.
dual-purpose test
COSO internal control categories include ____ and ____ of operations.
effectiveness; efficiency
When documenting their understanding of the internal control system, the auditor should consider if the client has taken full advantage of their existing technological platform by using ______ control activities whenever it is efficient and effective.
entirely automated
True or false: Periodic management reviews are critically important to demonstrate that controls are operating in an effective manner.
false
The professional standards require the auditor to gain an understanding of the client's risk assessment process related to ______.
financial reporting risks; fraud risk
Each member of the audit committee must be financially _____ and one member must be a financial ______.
literate; expert
After understanding and documenting internal control, the audit team should be able to ______.
make a preliminary assessment of control risk
Management may not be able to conclude that the entity's internal control over financial reporting is effective if any _______ exist.
material weaknesses
The preliminary assessment of control risk ______.
may be made after understanding and documenting internal control; includes identifying activities explicitly designed to support reliable financial statement reporting
Procedures that prevent misstatements before they occur are ____ controls, which are preferable to _____ controls that find misstatements after they occur.
preventive; detective
To be considered appropriate audit evidence, an audit sample must be ______.
representative of the population being sampled; from a population that covers the entire period of reliance
The five basic components of a properly designed internal control system as defined by COSO are: (1) control environment, (2) ______ assessment, (3) _____ activities, (4) _____, and (5) information and _____.
risk; control; monitoring; communication