Audit Chapter 5 Risk Assessment: Internal Control Evaluation
competence and objectivity
AS 2201 encourages the audit team to use the work of internal auditors but the audit team must evaluate their ______ and ______ and perform some tests of their work.
incompatible
Combinations of duties that place a single person in a position to create and conceal misstatements due to errors or frauds in their normal job are termed ______ responsibilities.
supervisory review of controls periodic evaluation of controls by internal audit self-assessments by boards regarding the effectiveness of their oversight
Common monitoring controls include Blank______. Multiple select question. supervisory review of controls periodic evaluation of controls by internal audit external auditor inquiries of internal auditors and the audit committee self-assessments by boards regarding the effectiveness of their oversight
control environment
Integrity, ethical values and competence of the entity's people are all ______ ______ factors
tend to be inflexible make it less likely for the audit team to forget to cover an important point should be used in combination with other methods
Internal control questionnaires ______. Multiple select question. tend to be inflexible make it less likely for the audit team to forget to cover an important point should be worded so that "yes" answers are always good should be used in combination with other methods
forces different people or departments to deal with different facets of transactions prevents fraud that do not involve collusion prevents incompatible responsibilities
Separation of duties Blank______. Multiple select question. forces different people or departments to deal with different facets of transactions prevents fraud that do not involve collusion increases the chance of innocent errors being overlooked prevents incompatible responsibilities
control activities
Specific actions a client's management and employees take to help ensure management's directives are carried out are called ______ ______.
reasonable assurance
The COSO definition states that internal control is designed to provide ______ ______regarding the achievement of objectives in three categories
must communicate significant deficiencies and material weaknesses identified during the audit. communicates internal control issues to help management carry out internal control monitoring responsibilities.
The audit team: Multiple select question. generally makes recommendations to management regarding ways to improve internal control. must communicate significant deficiencies and material weaknesses identified during the audit. communicates internal control issues to help management carry out internal control monitoring responsibilities.
All of the choices are correct.
The auditor should assess control risk for each relevant assertion by evaluating the evidence obtained from all sources, including The auditor's testing of controls for the audit of internal control on an issuer. Misstatements detected during the financial statement audit Any control deficiencies identified during the audit.. All of the choices are correct.
Financial reporting.
When completing the audit of internal controls for an issuer, the PCAOB requires the audit team to audit internal controls over: Operations. Compliance with regulations. Financial reporting. All of the choices are correct.
detective controls
the activities that detect misstatements after they occur
preventive controls
the activities that prevent misstatements before they occur
narrative description
the audit documentation that describes the environmental elements, the accounting system, and the control activities in an entity's internal control
reasonable assurance
the concept that recognizes that the costs of control activities should not exceed the benefits that are expected from the control activities
entity-level controls (ELCs)
the controls that are persuasive to the financial statements taken as a whole
transaction-level controls
the controls that relate to specific classes of transactions, account balances, and disclosures
substantive procedures
the detailed audit and analytical procedures designed to detect material misstatements in account balances and footnote disclosures
adverse opinion on internal control over financial reporting
the opinion issued when the company has not maintained an effective internal control over financial reporting
control risk
the probability that an entity's controls will fail to prevent or detect errors and frauds that would otherwise have entered the system
unqualified opinion on internal control over financial reporting
the report issued when no material weaknesses in internal control over financial reporting are identified and no scope limitations on the audit of internal control exist
disclaimer of opinion on internal control over financial reporting
the situations in which auditors cannot provide assurance on the effectiveness of internal control over financial reporting; issued when a significant scope limitation exists
control activities
the specific actions taken by a client's management and employees to help ensure that management directives are carried out
integrated audit process
the term used to describe an audit process that is designed to provide an opinion on both the financial statements and internal control system of an entity
walkthrough
the tracing of one or more transactions through the audit trail from initiation of the transaction to its inclusion in the financial statements
business risk
those factors, events, and conditions that could prevent the organization from achieving its business objectives
compliance category
to ensure compliance with laws and regulations that affect the entity
operations category
maintaining a good business reputation, ensuring a positive return on investment, increasing market share, promoting new product innovation, and using assets effectively and efficiently
significant deficiency
A deficiency in internal controls that is less severe than a material weakness yet important enough to merit attention from those charged with governance is a(n) ______ ______
reasonable possibility
A material weakness is a deficiency that results in a(n) ______ ______ that a material misstatement would not be prevented or detected on a timely basis.
It is reasonably possible that a material misstatement would not be detected on a timely basis.
A material weakness is a situation in which It is reasonably possible that an immaterial misstatement would not be detected on a timely basis. It is probable that an immaterial financial statement misstatement would not be detected on a timely basis. It is reasonably possible that a material misstatement would not be detected on a timely basis. There is a remote likelihood that a material misstatement would be detected on a timely basis.
Determine that the company's controls will satisfy the company's control objectives and can effectively prevent or detect errors or fraud that could result in material misstatements, if they operate as prescribed.
According to the PCAOB, during the audit of internal controls for an issuer, the ultimate objective of testing the design effectiveness of internal controls is to Determine whether the company's controls are processing company data effectively. Determine that the company's controls will satisfy the company's control objectives and can effectively prevent or detect errors or fraud that could result in material misstatements, if they operate as prescribed. Determine that the company's employees are processing the controls according to the policy and procedures manuals at the company. None of the choices are correct.
make a preliminary assessment of control risk
After understanding and documenting internal control, the audit team should be able to ______.
business risk
All entities recognize the need for a formalized process to identify, properly assess and ultimately manage factors, events, and conditions, known as,______ _______ that can prevent the organization from achieving its objectives
inherent
An account's significance is based on its ______ risk.
relevant
An assertion that has a reasonable possibility of containing a material misstatement is considered to be a(n) ______ assertion
deliberate circumvention
An employee knowingly doing something to bypass the internal control system is an act of Blank______. Multiple choice question. human error collusion management override deliberate circumvention
Reliability of financial reporting Compliance with applicable laws and regulations Effectiveness and efficiency of operations
COSO internal control categories include: _____ of financial reporting _____ with applicable laws and regulations and ______ and ______ of operations.
quality assurance review of the internal audit department analysis of and follow up items that might by indicative of a control failure self-assessments by management regarding the tone they set
Common monitoring controls include Blank______. Multiple select question. quality assurance review of the internal audit department regular management and supervisory control activities analysis of and follow up items that might by indicative of a control failure self-assessments by management regarding the tone they set
exception
Comparing all customers' credit limits to the sum of their outstanding credit balance plus a potential sales transaction as a means of checking for potential over-limit conditions is an example of ______ testing. occurrence substantive exception audit sample
entity
Controls that are pervasive to the internal control system and the reliability of the financial statements as a whole are called ______ - level controls. Multiple choice question. design entity operating transaction
Performing procedures during the interim period as opposed to at the fiscal year-end date.
Effectiveness of audit procedures would be reduced by Performing audit procedures at the fiscal year-end date as opposed to the interim period. Performing procedures during the interim period as opposed to at the fiscal year-end date. Deciding to obtain external evidence instead of internal evidence. Selecting larger sample sizes for audit.
can be helpful in identifying missing controls are easy to evaluate after they are completed are time-consuming to construct
Flowcharts ______. Multiple select question. can be helpful in identifying missing controls are easy to evaluate after they are completed are time-consuming to construct must be created from scratch for every audit
entity level
For all relevant assertions for each significant account and disclosure, the audit team begins by examining ______ ______ controls that are pervasive to the internal control system and reliability of the financial statements as a whole.
significant; relevant assertions
Gaining an understanding of internal controls should start by identifying ______ accounts and disclosures and their ______ ______
transaction-level controls related to that risk may not be needed
If the audit-team decides an entity-level control sufficiently reduces a specific risk Blank______.
Obtain evidence that the controls selected for testing are designed effectively and operated effectively during the entire period of reliance.
If the auditor plans to assess control risk at less than the maximum and rely on controls, and the nature, timing, and extent of further audit procedures are based on that lower assessment, the auditor must Perform only substantive procedures. Assess control risk at less than the maximum for all relevant assertions. Obtain evidence that the controls selected for testing are designed effectively and operated effectively during the entire period of reliance. Provide additional examples of responses to assessed fraud risks relating to fraudulent financial reporting.
Disclaimer of opinion.
If the auditors encounter a significant scope limitation in evaluating an issuer's internal control over financial reporting, which of the following types of opinions on the effectiveness of the company's internal control over financial reporting would be appropriate? Qualified opinion or adverse opinion. Disclaimer of opinion. Unqualified opinion or adverse opinion. Unqualified opinion or disclaimer of opinion.
Auditors will be able to reduce the cost of substantive procedures by an amount more than the control evaluation costs.
In most audits of large entities, control risk assessment contributes to audit efficiency, which means that The cost of substantive procedures will exceed the cost of control evaluation work. Auditors will be able to reduce the cost of substantive procedures by an amount more than the control evaluation costs. Auditors will be able to reduce the cost of substantive procedures by an amount less than the cost of tests of controls. The cost of control evaluation work will exceed the cost of substantive procedures.
The relevance and reliability of the audit evidence to be obtained to test the operating effectiveness of a control activity.
Matters that could affect the necessary extent of testing for a control activity as it related to the degree of auditor reliance on a control activity would not include the following: The length of time that the auditor is planning to rely on the operating efficiency of the control activity. The relevance and reliability of the audit evidence to be obtained to test the operating effectiveness of a control activity. The expected rate of deviation for a control activity. The frequency of the performance of the control by the company during the period being audited.
Evaluate the severity of the deficiency on the auditor's control risk assessment for that assertion.
Once the auditor detects a control deficiency, which of the following steps must he or she take first? Test the deficient control, assuming a maximum level of risk. Perform tests of other controls related to the same assertion as the control deemed ineffective. Modify the planned substantive procedures as a result of the deficiency. Evaluate the severity of the deficiency on the auditor's control risk assessment for that assertion.
far more extensive
Procedures related to internal control in an integrated audit performed under AS 2201 are ______ than those in a GAAS audit for a nonpublic entity.
timely, reliable, and relevant
Professional standards recognize that to make effective decisions, managers must have access to _____ ,_____ , and _____ information.
allows managers to make their own judgments about the necessity of specific controls is designed to ensure the proper "tone at the top" makes management responsible for monitoring, supervising and maintaining control activities
Section 302 of the Sarbanes-Oxley Act ______. Multiple select question. allows managers to make their own judgments about the necessity of specific controls is designed to ensure the proper "tone at the top" makes management responsible for monitoring, supervising and maintaining control activities stipulates criminal penalties for the Board of Directors of firm's issuing materially misleading financial statements
makes managers responsible for establishing a control environment requires management to assess the risks it wishes to control
Section 302 of the Sarbanes-Oxley Act ______. Multiple select question. makes managers responsible for establishing a control environment requires management to assess the risks it wishes to control requires certain specific controls regardless of benefits versus costs makes internal auditors responsible for monitoring and maintaining control activities
(1) control environment (2) risk assessment (3) control activities (4) monitoring (5) information and communication
The five basic components of a properly designed internal control system as defined by COSO are: (1) control ______, (2) ______ assessment, (3) ______ activities, (4) ______ and (5) information and ______ .
material weakness
The focus of AS 2201 is to determine whether a(n) ______ ______ exists at the end of the year being reported on. If it does, the entity's internal control over financial reporting cannot be considered effective.
control environment
The foundation for all other components of internal control is the ______ ______.
material weakness and significant deficiency
The magnitude of the potential misstatement that could occur and would not be detected on a timely basis is the primary difference between a(n) ______. Multiple choice question. design deficiency and operating deficiency internal control deficiency and material weakness operating deficiency and material weakness material weakness and significant deficiency
The control environment.
The most important fundamental component of an entity's internal control is Effectiveness and efficiency of operations. The control environment. Reliability of financial reporting. Compliance with applicable laws and regulations.
Authorization of transactions from the custody of related assets.
The purpose of separating the duties of hiring personnel and distributing payroll checks is to separate the Operational responsibility from the record-keeping responsibility. Human resources function from the controllership function. Authorization of transactions from the custody of related assets. Administrative controls from the internal accounting controls.
Inherent and control
The risk of material misstatement is composed of ______ risk and ______ risk
operating deficiency
When a properly designed control is either ignored or inappropriately applied, a(n) Blank______ has occurred. Multiple choice question. design deficiency operating deficiency significant deficiency material weakness
F - the audit of internal control is as of the end of the fiscal year, whereas, for audits of the financial statements, the audit team must understand and evaluate internal control for the entire period.
True or false: For audits of internal control, the audit team must understand and evaluate internal controls for the entire period.
False - these same standards apply to nonissuer audits under GAAS standard.
True or false: The audit team is only required to communicate significant deficiencies and material weaknesses in internal control that come to their attention during the performance of a PCAOB audit for an issuer.
collusion
Two or more people working together to circumvent the internal control system is called ______ and it cannot be prevented by separation of duties.
exception
Using an automated test procedure designed to test all items in a population as a means to identify a violation of control activities is an example of ______ testing.
Both the magnitude of the potential misstatement resulting from the deficiency or the deficiencies and whether there is a reasonable possibility that the company's controls will fail to prevent or detect a misstatement of an account balance or disclosure.
When completing the audit of internal controls for an issuer, the severity of an internal control deficiency depends on: Whethsure.er there is a reasonable possibility that the company's controls will fail to prevent or detect a misstatement of an account balance or disclo Whether the account has a history of errors. The magnitude of the potential misstatement resulting from the deficiency or the deficiencies. Both the magnitude of the potential misstatement resulting from the deficiency or the deficiencies and whether there is a reasonable possibility that the company's controls will fail to prevent or detect a misstatement of an account balance or disclosure. All of the choices are correct.
sampling
When control activities do not lend themselves to automated testing, the audit team is likely to use audit ______ to test the population.
deficiency
When either the design or operation of the control under consideration does not allow the entity's management or employees to detect or prevent misstatements in a timely fashion an internal control _____exists.
identify significant accounts, locations, and relevant assertions.
When planning the audit of internal controls for an issuer, the audit team should: make inquiries of employees regarding the existence of control activities. reperform control activities performed by client employees to determine their effectiveness. identify significant accounts, locations, and relevant assertions. conduct a walkthrough of the internal control process.
Inquiry of appropriate personnel and reperformance of the control activity.
When testing a control activity's operating effectiveness, procedures the auditor performs to test operating effectiveness would likely include Inquiry of appropriate personnel and reperformance of the control activity. Inquiry of appropriate personnel. Reading over the company's code of conduct. Reperformance of the control activity.
Both operating and design effectiveness.
WhenWhen completing the audit of internal controls for an issuer, AS 2201 requires auditors to test: Neither operating nor design effectiveness. Both operating and design effectiveness. Operating effectiveness only. Design effectiveness only. completing the audit of internal controls for an issuer, AS 2201 requires auditors to test: Neither operating nor design effectiveness. Both operating and design effectiveness. Operating effectiveness only. Design effectiveness only.
D - Test of Controls Yes/Yes
Which of the following does not accurately summarize auditors' requirements regarding internal control? Issuer/Nonissuer a.Understanding Yes/Yes b.Documenting Yes/Yes c.Evaluating control risk Yes/Yes d.Test controls Yes/Yes
An internal control questionnaire.
Which of the following is a device designed to help the audit team obtain evidence about the accounting and control activities of an audit client? A narrative memorandum describing the control system. An internal control questionnaire. A flowchart of the documents and procedures used by the company. A detailed description of entity and transaction level controls.
For a sample to be representative, all items in the population have an opportunity to be selected. Tests of controls should be applied to samples executed throughout the period under audit.
Which of the following statements are correct? Multiple select question. Audit evidence for tests of controls should not be obtained during an interim period. For a sample to be representative, all items in the population have an opportunity to be selected. Tests of controls should be applied to samples executed throughout the period under audit. The audit team should never rely on tests from previous periods.
Overproduction by the manufacturing plant.
Which of the following would probably not be considered an indication of a material weakness? Evidence of a material misstatement. Immaterial fraud committed by senior management. Overproduction by the manufacturing plant. Ineffective oversight by the audit committee.
Disclaimer of opinion—significant deficiencies exist.
Which report would not be appropriate for a public accounting firm to provide on financial reporting controls? Adverse—material weaknesses exist. Disclaimer of opinion—significant deficiencies exist. Disclaimer of opinion—unable to perform all necessary procedures. Unqualified—no material weaknesses found.
internal control questionnaires
______ ______ ______ are designed to help the audit team obtain evidence about the control environment of a client organization.
internal control questionnaire
a checklist of internal control-related questions used to gain and document an understanding of the client's internal control
operation effectiveness
a condition expressing whether a control is operating as designed and whether the person performing the control possesses the necessary authority and qualifications to perform the control effectively
design effectiveness
a condition expressing whether controls would be expected to prevent or detect errors or fraud that could result in a material misstatement in the financial statements
internal control deficiency
a condition that exists when the design or operation of a control does not allow the entity's management or employees to detect or prevent misstatements in a timely fashion
significant deficiency
a deficiency or a combination of deficiencies in internal control that is less severe than a material weakness yet important enough to merit attention by those charged with governance
material weakness
a deficiency or combination of deficiencies that results in a reasonable possibility that a material misstatement would not prevented or detected on a timely basis
internal control
a process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the reliability of financial reporting, the effectiveness and efficiency of operations, and compliance with applicable laws and regulations
auditor's report on internal control over financial reporting
a report required by the Sarbanes-Oxley Act that provides an opinion on the effectiveness of the entity's internal control over financial reporting
management's annual report on internal control over financial reporting
a report required by the Sarbanes-Oxley Act that states that management is responsible for establishing and maintaining adequate internal control over financial reporting, identifies the framework management uses to evaluate the effectiveness of the entity's internal control, and provides management's assessment of the effectiveness of the entity's internal control
audit committee
a subcommittee of the board of directors that is generally composed of three to six "outside" members of the organization's board of directors
dual-purpose test
an audit procedure that can be used as both a test of controls and a substantive test
information system
an entity's system, usually built on some type of technological platform that has been designed to produce the information necessary for the entity to operate and control its business operations
financial reporting category
producing reliable financial reports and safeguarding assets
three objectives of internal control
reliability of financial reporting effectiveness and efficiency of operations compliance with applicable laws and regulations