ACTG 307 - Auditing - Audit of Internal Control and Control Risk (Chapter 10)
Adequate documents and records are important for effective internal control. There are five principles that dictate the proper design and use of documents and records. Identify these 5 principles.
1. Documents and records should be prenumbered consecutively to facilitate control over missing documents, and as an aid in locating documents when they are needed at a later date 2. Prepared at the time a transaction takes place, or as soon thereafter as possible 3. Sufficiently simple to ensure that they are clearly understood 4. Designed for multiple use whenever possible, to minimize the number of different forms 5. Constructed in a manner that encourages correct preparation, such as providing a degree of internal check within the form or record
4 steps in the auditor's process of understanding internal control and assessing control risk for a public company
1. Obtain and document an understanding of internal control: design and operation. 2. Assess control risk 3. Design, perform and evaluate tests of controls 4. Decide planned detection risk and substantive tests
The internal control framework developed by COSO includes five so-called "components" of internal control. The are:
1. The control environment 2. Risk assessment 3. Information and communication. 4. Control activities 5. Monitoring.
An effective accounting information and communication system must satisfy six transactionrelated objectives. What are they
1. Transactions are recorded on the correct dates (timing) 2. Recorded transactions exist (existence) 3. Existing transactions are recorded (completeness) 4. Recorded transactions are stated at the correct amounts (accuracy) 5. Transactions are properly classified (classification) 6. Recorded transactions are properly included in the master files and correctly summarized (posting and summarization)
3 steps that must be completed by the auditor before he/she can conclude that control risk is low
1. obtain an understanding of the control environment, risk assessment procedures, accounting information and communication system, and monitoring methods at a fairly detailed level 2. identify specific controls that will reduce control risk and make an assessment of control risk 3. test the controls for effectiveness.
Which section of the Sarbanes-Oxley Act requires management to issue an internal control report
404
Component of an entity's internal control?
>Control procedures. >The accounting system. >The control environment.
Common steps used to identify internal control deficiencies
>Decide whether there is a significant deficiency or material weakness. >Identify existing controls. >Identify the absence of key controls
What factors may increase risks to an organization?
>Geographic dispersion of company operations. >Decreasing quality of personnel. >Presence of new information technologies
Auditor's tests of operating effectiveness of internal controls might include which types of procedures?
>Inspection of relevant documentation >Inquiries of personnel >Reperformance of the application of controls
Specific assessments must be made to arrive at the preliminary assessment of control risk. What are these assessments?
>Is the entity auditable? >What is the expectation that internal controls will neither prevent material misstatements from occurring nor detect and correct them if they have occurred?
Subcomponents of the control environment?
>Management's philosophy and operating style >Organizational structure >Commitment to competence
3 broad objectives management typically has for internal control
>Reliability of financial reporting >Efficiency and effectiveness of operations >Compliance with laws and regulations
3 primary objectives of effective internal control
>Reliability of financial reporting >Efficiency and effectiveness of operations >Compliance with laws and regulations
What would strengthen a company's internal control?
>Separating accounting from other financial operations. >Fixing responsibility for the performance of employee duties. >Carefully selecting and training employees
To express an opinion on internal controls, an auditor obtains an understanding of and performs tests of controls related to
>Significant account balances >Classes of transactions >Disclosures and related assertions in the financial statements
The purpose of an entity's accounting information and communication system is to ______ and ______
>initiate transactions. >record and process transactions.
The SEC prohibits U.S. stock exchanges from listing securities if a company's audit committee is
>not comprised of solely independent directors. >inadequately funded. >not solely responsible for hiring and firing the company's auditors
Before making the final assessment of internal control at the end of an integrated audit, the auditor must (2 things)
>test controls. >perform substantive tests of details.
Examples of substantive tests
>tests of details of transactions. >tests of details of balances. >analytical procedures
control deficiency
A control deficiency exists if the design or operation of controls does not permit company personnel to prevent or detect misstatements on a timely basis
Internal control
A process designed to provide reasonable assurance regarding the achievement of management's objectives in the following categories: (1) reliability of financial reporting, (2) effectiveness and efficiency of operations, and (3) compliance with applicable laws and regulations.
Sarbanes-Oxley requires management to issue an internal control report that includes two specific items. Which of the following is one of these two requirements?
A statement that management is responsible for establishing and maintaining an adequate internal control structure and procedures for financial reporting
Which of the stock exchanges require listed companies to have an audit committee composed entirely of independent directors?
AMEX, NASDAQ, and NYSE
Not one of the subcomponents of the control environment.
Adequate separation of duties
Significant deficiencies and material weaknesses in internal control of a public company must be reported to which
Audit committee of the company's board of director
General authorization
Company-wide policies for the approval of all transactions within stated limits
Is not a component of an entity's internal control?
Control risk
Statement regarding the internal control questionnaire is correct? A questionnaire can lead to a piecemeal view of a client's control without providing an overall view
Correct
Statement regarding the internal control questionnaire is correct? The questionnaire can be prepared reasonably quickly.
Correct
When management is evaluating the design of internal control, management evaluates whether the control can do all but ___________
Correct material misstatements
Adequate documents and records is a subcomponent of the control environment
False
As a client's information system becomes more complex, it is likely that an auditor will decrease reliance on controls and increase substantive tests to support a control risk assessment
False
Auditing standards prohibit reliance on the work of internal auditors due to the lack of independence of the internal auditors
False
Employees should not have temporary and permanent custody of assets.
False
For proper internal control, the custodianship of cash, including receipts and disbursements, should be the responsibility of the accounting department
False
If, when obtaining an understanding of control activities of a relatively small client, the auditor identified no control activities, the auditor would probably set a low assessment of control risk
False
Is this statement correct with respect to the design and use of business documents? Documents should be designed for single purposes only to avoid confusion in their use
False
Is this statement correct with respect to the design and use of business documents? Documents should be designed to be understandable only to those responsible for their use.
False
Is this statement correct with respect to the design and use of business documents? Only documents used for internal purposes must be prenumbered
False
It is permissible to allow an employee to open cash receipts and record those receipts
False
Regarding auditor documentation of the client's internal controls: Documentation must include flow charts
False
Regarding auditor documentation of the client's internal controls: Documentation must include procedural write-ups
False
Regarding auditor documentation of the client's internal controls: No documentation is necessary although it is desirable.
False
Regarding internal controls: Control procedures reasonably ensure that collusion among employees cannot occur.
False
Smaller companies usually have more extensive internal controls than larger companies which result in fewer frauds being committed at small companies
False
The NASDAQ market recommends, but does not require, listed companies to have audit committees
False
The NASDAQ market recommends, but does not require, listed companies to have audit committees that have a minority of the positions held by independent directors.
False
The NASDAQ market requires listed companies to have audit committees that have a minority of the positions held by independent directors
False
The Sarbanes-Oxley Act of 2002 requires that private and public companies issue an internal control report
False
The most important component of internal control is risk assessment
False
The primary emphasis by auditors when evaluating and testing internal control is on controls over account balances rather than controls over classes of transactions.
False
The two primary determinants of an entity's auditability are the integrity of management and the competency of personnel.
False
When a company designs and implements internal controls, cost of the controls is not a valid consideration
False
When documenting their understanding of a client's internal controls, auditors are required to use narratives
False
When internal controls are not effective, then substantive audit tests are less reliable; thus, the extent of substantive tests should be reduced
False
When internal controls over a given financial statement account are assessed by the auditor as highly effective, the auditor need not obtain audit evidence for that account beyond testing the controls
False
Statement regarding the internal control questionnaire is correct? A questionnaire is usually applicable to a wide variety of companies, especially smaller ones
Incorrect
Internal control reports issued by public companies must identify the framework used to evaluate the effectiveness of internal control. What is the most common in the U.S.
Internal Control - Integrated Framework - COSO
Not one of the levels of an absence of internal controls.
Internal control weakness
Specific assessments must be made to arrive at the preliminary assessment of control risk. What is not one of these assessments?
Is management committed to internal control?
Risk assessment
Management's identification and analysis of risks relevant to the preparation of financial statements in accordance with generally accepted accounting principles.
Monitoring
Management's ongoing and periodic assessment of the quality of internal control performance to determine that controls are operating as intended and modified when needed.
What party is responsible for establishing an entity's internal controls
Management.
A proper narrative of an accounting system and related controls? There should be an indication of all controls affecting the applicable process.
No
Authorizations can be either general or specific. Is this an example of a general authorization? A sales price list for merchandise
No
Authorizations can be either general or specific. Is this an example of a general authorization? Automatic reorder points for raw materials inventory
No
Authorizations can be either general or specific. Is this an example of a general authorization? Credit limits for various classes of customers.
No
Typically one of management's concerns in designing effective internal controls: Obtaining the best internal control possible
No
Would tests of the additions to property, plant, and equipment by physical inspections be regarded as a test of a control?
No
Would tests of the inventory pricing to vendors' invoices be regarded as a test of a control?
No
Would tests of the specific items making up the balance in a given general ledger account be regarded as a test of a control?
No
Control activities
Policies and procedures that help ensure necessary actions are taken to address risks in the achievement of the entity's objectives.
Best describes the inherent limitations that should be recognized by an auditor when considering the potential effectiveness of internal control
Procedures whose effectiveness depends on segregation of duties can be circumvented by collusion
What is management's concerns with respect to implementing internal controls is the auditor primarily concerned?
Reliability of financial reporting
Separation of duties
Segregation of the following activities in an organization: custody of assets, accounting, authorization, and operational responsibility.
An internal control narrative indicates that an approved voucher is required to support every check request for payment of merchandise. What procedures provides the greatest assurance that this control is operating effectively?
Select and examine canceled checks and ascertain that the related vouchers are dated no later than the checks
Control environment
The actions, policies, and procedures that reflect the overall attitudes of top management, directors, and owners of an entity about internal control and its importance to the entity.
which aspect of internal control are auditors primarily concerned
The aspect of internal control that auditors are primarily concerned with is the reliability of financial reporting
What is meant by the term "control environment" and identify control environment subcomponents that the auditor should consider
The control environment consists of the actions, policies, and procedures that reflect the overall attitudes of top management, directors, and owners of an entity about control and its importance to the entity. Subcomponents include: • Integrity and ethical values. • Commitment to competence. • Board of directors or audit committee participation. • Management's philosophy and operating style. • Organizational structure. • Assignment of authority and responsibility. • Human resource policies and practices.
Auditors of financial statements issued by a public company are required to report on internal control over financial reporting. Briefly describe the auditor's responsibility
The report on internal control over financial reporting must include the auditor's opinion as to whether management's assessment of the design and operating effectiveness of internal control over financial reporting is fairly stated in all material respects. This involves an evaluation of management's assessment process to determine whether internal controls are effective and the auditor's independent assessment of the internal control's design and operating effectiveness
Management's identification and analysis of risk is an ongoing process and is a critical component of effective internal control. An important first step is for management to identify factors that may increase risk. Identify the factors that may lead to increased risk in an organization.
There are many, a few examples though: • failure to meet prior objectives. • decreasing quality of personnel. • increasing geographic dispersion of company operations. • increasing significance and complexity of core business processes. • introduction of new information technologies. • entrance of new competitors.
For most uses, flowcharts are superior to narratives as a method of communicating the characteristics of internal control.
True
For proper internal control, there should be adequate separation of duties. However, the extent of separation of duties considered "adequate" depends heavily on the size of the organization.
True
In an audit of a non-public company, the auditor's assessment of control risk and the extent of tests of controls are inversely related; that is, if the auditor's assessment of control risk decreases, more extensive tests of controls are applied.
True
In an audit of a non-public company, the less control risk there is, the smaller the amount of planned substantive evidence required
True
It is desirable to prevent employees who authorize transactions from having custody of related assets.
True
PCAOB Standard 2 requires auditors to perform walkthroughs to assist in understanding internal control
True
Procedures used to obtain an understanding of internal control are normally performed on fewer transactions than procedures used to test controls.
True
Regarding auditor documentation of the client's internal controls: No one particular form of documentation is necessary
True
Regarding internal controls: Because of the cost benefit relationship, a client may apply control procedures on a test basis.
True
Regarding internal controls: No one person should be responsible for the custodial responsibility and the recording responsibility for an asset.
True
Regarding internal controls: Transactions must be properly authorized before such transactions are processed.
True
The NASDAQ market requires listed companies to have audit committees that have only independent directors
True
The chart of accounts is a control and is closely related to the controls related to adequate documents and records
True
During which part of an audit examination is the preparation of flowcharts most appropriate?
When reviewing the system of internal control
A proper narrative of an accounting system and related controls? All processing that takes place should be described
Yes
A proper narrative of an accounting system and related controls? The disposition of every document and record in the system should be stated
Yes
A proper narrative of an accounting system and related controls? The origin of every document and record in the system should be stated
Yes
Authorizations can be either general or specific. Is this an example of a general authorization? A sales manager's authorization for a sales return.
Yes
Typically one of management's concerns in designing effective internal controls: Compliance with applicable laws and regulations.
Yes
Typically one of management's concerns in designing effective internal controls: Efficiency and effectiveness of operations.
Yes
Typically one of management's concerns in designing effective internal controls: Reliability of financial reporting.
Yes
Would tests of the signatures on canceled checks to management's authorizations be regarded as a test of a control?
Yes
The PCAOB states that reasonable assurance allows for
a remote likelihood that material misstatements will not be prevented or detected by internal control
When the auditor attempts to understand the operation of the accounting system by tracing a few transactions through the accounting system, this is referred to as
a walk-through
It is important for the CPA to consider the competence of the audit clients' employees because their competence bears directly and importantly upon the
achievement of the objectives of internal control
Having an audit committee composed of outside directors is a requirement of
all companies that are listed on the NYSE, AMEX, and NASDAQ
Internal controls are not designed to provide reasonable assurance that
all frauds will be eliminated
The Sarbanes-Oxley Act requires
all public companies to issue an internal control report
When planning an audit, the auditor's assessed level of control risk is
an economic issue, trading off the costs of testing controls against the cost of testing balances
The essence of an effectively controlled organization lies in the
attitude of its management
Proper segregation of functional responsibilities calls for separation of the functions of
authorization, recording, and custody
An auditor's primary emphasis is internal controls over
classes of transactions
The primary emphasis by auditors is on controls over
classes of transactions
An act of two or more employees to steal assets or misstate records is frequently referred to a
collusion
Internal controls can never be regarded as completely effective. Even if company personnel could design an ideal system, its effectiveness depends on the
competency and dependability of the people using it
The ______ consists of the actions, policies, and procedures that reflect the overall attitudes of top management
control environment
When considering internal control, an auditor should be aware of the concept of reasonable assurance, which recognizes that the
costs of internal control should not exceed the benefits expected to be derived from internal control.
When considering the objectivity of internal auditors, an independent auditor should
determine the organizational level to which the internal auditors report
Effective internal control in a small company that has an insufficient number of employees to permit proper division of responsibilities can best be enhanced by
direct participation by the owner of the business in the record-keeping activities of the business
Evidential matter concerning proper segregation of duties ordinarily is best obtained by
direct personal observation of the employee who applies control procedures
Narratives, flowcharts, and internal control questionnaires are three common methods of
documenting the auditor's understanding of internal controls
To comply with the second standard of fieldwork, the auditor need not be concerned with all five areas of internal control that apply to management. The auditor's primary concerns are with the internal control's ability to
ensure reliability of financial reporting for external purposes
To issue a report on internal control over financial reporting for a public company, an auditor must
evaluate management's assessment process and independently assess the design and operating effectiveness of internal control.
Management must disclose material weaknesses in internal control
even if just one weakness is found
The most important difference in a nonpublic company in assessing control risk is the ability to assess control risk at _______ for any or all control-related objectives
high
Significant deficiencies are matters that come to an auditor's attention, which should be communicated to an entity's audit committee because they represent
internal control deficiencies that could adversely affect a company's ability to initiate, record, process, or report external financial statements reliably
When a compensating control exists, the absence of a key control
is no longer a concern because there is no longer a significant deficiency or material weakness
When obtaining an understanding of an entity's control environment, an auditor should concentrate on the substance of management's policies and procedures rather than their form because
management may establish appropriate policies and procedures but not act on them.
Even with the most effectively designed internal control, the auditor must obtain audit evidence, beyond testing the controls, for every
material financial statement account
A procedure that would most likely be used by an auditor in performing tests of control procedures that involve segregation of functions and that leave no transaction trail is
observation.
Taylor Sales Corp. maintains a large full-time internal audit staff that reports directly to the chief accountant. Audit reports prepared by the internal auditors indicate that the system is functioning as it should and that the accounting records are reliable. The independent auditor will probably
place limited reliance on the work performed by the internal audit staff.
The auditor's study of a nonpublic client's internal control is
required by GAAS
The financial statements are not likely to correctly reflect generally accepted accounting principles if
the controls affecting the reliability of financial reporting are inadequate
An auditor should consider two key issues when obtaining an understanding of a client's internal controls. These issues are
the design and utilization of the controls
A major control available in a small company, which might not be feasible in a large company, is
the owner-manager's personal interest and close relationship with personnel
The most important type of protective measure for safeguarding assets and records is
the use of physical precautions
The independent auditor should acquire an understanding of the internal audit function as it relates to the independent auditor's study and evaluation of internal accounting control because
the work performed by internal auditors may be a factor in determining the nature, timing, and extent of the independent auditor's procedures
Internal controls can never be considered as absolutely effective because
their effectiveness is limited by the competency and dependability of employees
Most audits of a company are done annually by the same CPA firm. Except for initial engagements, the auditor begins the audit with a great deal of information about the internal controls developed in prior years. Because systems and controls usually do not change often,
this information can be updated and carried forward to the current year's audit
When auditing a nonpublic company, the auditor should obtain an understanding of internal control sufficient
to assess control risk
Internal controls normally include procedures designed to provide reasonable assurance that
transactions are executed in accordance with management's general or specific authorization
Control activities, one of the five components of internal control, are defined as "the policies and procedures, in addition to those included in the other four components, that help ensure necessary actions are taken to address risks in the achievement of the entity's objectives." There are five categories of control activities. Please describe the five categories of control activities
• Adequate separation of duties. a. Custody of assets should be separated from accounting. b. Authorizing transactions should be separated from custody of related assets. c. Operational responsibility should be separated from record-keeping. d. Duties within IT should be separated from user departments. • Proper authorization of transactions and activities. a. General authorization is given for transactions meeting established criteria. b. Specific authorization is required for individual transactions that don't confirm to the criteria. • Adequate document and records. a. Documents should be prenumbered and simple to understand and use. b. A chart of accounts should be available. c. Systems manuals should be available. • Physical control over assets and records. These should include fireproof safes and limited access storerooms. • Independent checks on performance by internal verification should be used.
What two specific assessments must be made to arrive at the preliminary assessment of control risk during the audit of a public company?
• Assessment of whether the entity is auditable • Determine assessed control risk supported by the understanding obtained assuming the controls are being followe
Adequate separation of duties is an important control activity. The 4 general guidelines for separation of duties to prevent both intentional and unintentional misstatements that are of significance to auditors.
• Custody of assets should be separated from accounting. • Authorizing transactions should be separated from custody of related assets. • Operational responsibility should be separated from record-keeping. • Duties within IT should be separated from user departments.
A proper narrative of an accounting system and related controls should possess several key characteristics. What are such characteristics?
• The origin of every document and record in the system. • All processing that takes place. • The disposition of every document and record in the system. • An indication of the controls relevant to the assessment of control risk.
In addition to understanding the design of internal control, the auditor must also evaluate whether the designed controls are actually placed in operation. List 5 common methods auditors use to fulfill this requirement during the audit of a public company:
• Update and evaluate auditors' previous experience with the entity. • Make inquiries of client personnel. • Examine documents and records. • Observe entity activities and operations. • Perform walkthroughs of the accounting system. • Read client's policy and systems manual
The effectiveness of internal controls depends on the competency and dependability of the people using it. Inherent limitations of internal control include
• employee carelessness, • lack of understanding, • management override, and • collusion.