Chapter 6

Internal control consists of six components.

False

A substantive strategy is used when control risk has been set at high.

True

One of the risks associated with internal control from IT is potential loss of data.

True

Tests of controls must be performed if control risk is set at a lower level.

True

The concept of internal control includes IT systems and manual systems.

True

The extent of an entity's use of IT can affect internal control.

True

An entity's IT infrastructure refers to: A) Hardware components. B) Programmers. C) Software. D) Data provided by the system.

A) Hardware components.

The control environment component of internal control includes all of the following except: A) Management's philosophy and operating style. B) Access to computer programs. C) Organizational structure. D) Human resource policies and practices.

B) Access to computer programs.

Which of the following data validation controls is a numeric value computed to provide assurance that the original value has not been altered in construction or transmission? A) Hash total. B) Parity check. C) Encryption. D) Check digit.

D) Check digit.

The program flowcharting symbol representing a decision is a: A) Triangle. B) Circle. C) Rectangle. D) Diamond.

D) Diamond.

The concept of reasonable assurance in the context of an entity's internal controls recognizes that: A) auditors may fail to detect material misstatements. B) proper internal controls guarantee that material misstatements will not occur. C) proper internal controls preclude fraud. D) the costs of some controls may be too high to implement in relation to potential benefits.

D) the costs of some controls may be too high to implement in relation to potential benefits.

A customer intended to order 100 units of product Z96014, but incorrectly ordered 100 units of a nonexistent product Z96015. Which of the following controls most likely would detect this error? A) Existence (validity) test. B) Limit test. C) Field test. D) Sign test.

A) Existence (validity) test.

Which of the following most likely would not be considered an inherent limitation of the potential effectiveness of an entity's internal controls? A) Incompatible duties. B) Management override. C) Mistakes in judgment. D) Collusion among employees.

A) Incompatible duties.

To obtain evidential matter about control risk, an auditor selects tests from a variety of techniques including: A) Inquiry. B) Analytical procedures. C) Calculation. D) Confirmation

A) Inquiry.

Which of the following procedures most likely would be included as part of an auditor's tests of controls? A) Inspection. B) Reconciliation. C) Confirmation. D) Analytical procedures.

A) Inspection.

For a complex IT system, auditors are least likely to use which of the following when documenting their understanding of internal controls? A) Narratives. B) Internal control questionnaires. C) Flowcharts. D) Organization charts.

A) Narratives.

The basic concept of internal control that recognizes the cost of internal control should not exceed the benefits expected to be derived is known as: A) Reasonable assurance. B) Management responsibility. C) Limited liability. D) Management by exception.

A) Reasonable assurance.

Walkthroughs usually involve all of the following audit procedures except: A) Reperformance. B) Inquiry. C) Observation. D) Inspection.

A) Reperformance.

An entity's internal controls are most relevant to the auditor when the policies and procedures: A) affect the financial statement assertions. B) relate to management's planning decisions. C) address management's operating decisions. D) reflect management's philosophy and operating style.

A) affect the financial statement assertions.

Before applying substantive procedures to the details of asset and liability accounts at an interim date, the auditor should: A) consider the ability of the auditor to perform appropriate substantive procedures to cover the remaining period. B) investigate significant fluctuations that have occurred in the asset and liability accounts since the previous balance sheet date. C) select only those accounts which can effectively be sampled during year-end audit work. D) consider the compliance tests that must be applied at the balance sheet date to extend the audit conclusions reached at the interim date.

A) consider the ability of the auditor to perform appropriate substantive procedures to cover the remaining period.

When an auditor increases the planned assessed level of control risk because certain control activities were determined to be ineffective, the auditor would most likely increase the: A) extent of tests of details. B) level of inherent risk. C) extent of tests of controls. D) level of detection risk.

A) extent of tests of details.

A substantive strategy differs from a reliance strategy in that a substantive strategy includes: A) increased implementation of detailed tests of transactions and balances. B) extra tests of controls. C) increased emphasis on verbal representations from management. D) setting control risk at a minimum level.

A) increased implementation of detailed tests of transactions and balances.

A limit test is a: A) test to ensure that a numerical value does not exceed some predetermined value. B) check to ensure that the value in a field falls within an allowable range of values. C) check to ensure that the data in a field have the proper arithmetic sign. D) check on a field to ensure that it contains either all numeric or alphabetic characters.

A) test to ensure that a numerical value does not exceed some predetermined value.

The normal sequence of documents and operations on a well-prepared systems flowchart is: A) top to bottom and left to right. B) bottom to top and left to right. C) top to bottom and right to left. D) bottom to top and right to left.

A) top to bottom and left to right.

After completing the preliminary phase of the review of internal control, the auditor decides not to rely on the system to restrict substantive procedures. Documentation may be limited to the auditor's: A) understanding of the internal control. B) reasons for deciding not to extend the review. C) basis for concluding that errors and fraud will be prevented. D) completed internal control questionnaire.

A) understanding of the internal control.

General controls include all of the following except: A) Data center and network operations controls. B) Data validation controls. C) Access security controls. D) Application system acquisition controls.

B) Data validation controls.

Factors that the auditor should consider as increasing the effectiveness of the audit committee include all of the following except whether: A) It is independent of management. B) It is comprised almost exclusively of members of management, ensuring detailed knowledge of the company's operations. C) It asks management difficult questions. D) It interacts regularly with internal audit personnel.

B) It is comprised almost exclusively of members of management, ensuring detailed knowledge of the company's operations.

A procedure that would most likely be used by an auditor in performing tests of control activities that involve segregation of functions but which leave no transaction trail is: A) Inspection. B) Observation. C) Reperformance. D) Reconciliation.

B) Observation.

The independent auditor selects several transactions in each functional area and traces them through the entire system, paying special attention to evidence about whether or not the control activities are in operation. This is an example of a(n): A) Analytical procedure. B) Test of controls. C) Substantive procedure. D) Functional test.

B) Test of controls.

It is important for the CPA to consider the competence of the entity's employees because their competence bears directly and importantly upon the: A) cost/benefit relationship of the system of internal control. B) achievement of the objectives of the system of internal control. C) comparison of recorded accountability with assets. D) timing of the tests to be performed.

B) achievement of the objectives of the system of internal control.

In the audit of financial statements, an auditor's primary consideration regarding an internal control policy or procedure is whether the policy or procedure: A) reflects management's philosophy and operating style. B) affects management's financial statement assertions. C) provides adequate safeguards over access to assets. D) enhances management's decision-making processes.

B) affects management's financial statement assertions.

Proper segregation of functional responsibilities in an effective system of internal control calls for separation of the functions of: A) authorization, execution, and payment. B) authorization, recording, and custody(관리). C) custody, execution, and reporting. D) authorization, payment, and recording.

B) authorization, recording, and custody.

Assessing control risk at a lower level involves all of the following except: A) identifying specific controls to rely on. B) concluding that controls are ineffective. C) performing tests of controls. D) analyzing the achieved level of control risk after performing tests of controls.

B) concluding that controls are ineffective.

An effective control environment: A) identifies and responds to business risks. B) creates a commitment to competence. C) guarantees that all controls are followed as prescribed. D) does not need an effective board of directors or internal audit function.

B) creates a commitment to competence.

Effective internal control in a small company that has an insufficient number of employees to permit proper division of responsibilities can best be enhanced by: A) employment of temporary personnel to aid in the separation of duties. B) direct participation by the owner of the business in the recordkeeping activities of the business. C) engaging a CPA to perform monthly bookkeeping. D) delegation(위임) of full, clear-cut responsibility to each employee for the functions assigned to each.

B) direct participation by the owner of the business in the recordkeeping activities of the business.

Potential benefits of an entity's controls in an IT environment include all of the following except: A) reduction in the risk that controls will be circumvented. B) eliminate human errors or mistakes. C) consistent application of predefined business rules. D) more timely information.

B) eliminate human errors or mistakes.

Internal controls are not designed to provide reasonable assurance that: A) transactions are executed in accordance with management's authorization. B) embezzlement will be eliminated. C) access to assets is permitted only in accordance with management's authorization. D) amounts recorded for assets are compared with the actual existing assets at reasonable intervals.

B) embezzlement will be eliminated.

Assessing control risk at a lower level most likely would involve: A) changing the timing of substantive procedures by omitting interim testing and performing the tests at year-end. B) identifying specific internal controls relevant to specific assertions. C) performing more extensive substantive procedures with larger sample sizes than originally planned. D) reducing inherent risk for most of the assertions relevant to significant account balances.

B) identifying specific internal controls relevant to specific assertions.

Auditors are most likely to gather audit evidence solely using substantive procedures: A) if transactions are recurring. B) if the implemented controls are assessed as ineffective. C) if control risk is very low. D) if the entity has a well-designed automated system.

B) if the implemented controls are assessed as ineffective.

Management's attitude toward aggressive financial reporting and its emphasis on meeting projected profit goals most likely would significantly influence an entity's control environment when: A) external policies established by parties outside the entity affect its accounting practices. B) management is dominated by one individual. C) internal audit personnel have direct access to the board of directors and the entity's management. D) the audit committee is active in overseeing the entity's financial reporting policies.

B) management is dominated by one individual.

In evaluating internal control, the auditor is basically concerned that the system provides reasonable assurance that: A) operational efficiency has been achieved in accordance with management plans. B) material misstatements have been prevented, or detected and corrected. C) controls have not been circumvented by collusion. D) management cannot override the system.

B) material misstatements have been prevented, or detected and corrected.

For certain controls, such as segregation of duties, documentary evidence may not exist. An auditor would most likely test the procedures by: A) reperformance and corroboration. B) observation and inquiry. C) inspection and vouching. D) confirmation and recomputation.

B) observation and inquiry.

An advantage of using systems flowcharts to document information about internal control instead of using internal control questionnaires is that systems flowcharts: A) identify whether segregation of duties prevent collusion. B) provide a visual depiction of the entity's activities. C) indicate whether controls are operating effectively. D) reduce the need to observe the entity's employees performing routine tasks.

B) provide a visual depiction of the entity's activities.

A flowchart is most frequently used by an auditor in connection with the: A) preparation of generalized computer audit programs. B) review of the entity's internal controls. C) use of statistical sampling in performing an audit. D) performance of analytical procedures of account balances.

B) review of the entity's internal controls.

The auditor should consider all of the following when deciding whether substantive procedures will be performed at an interim date except: A) the control environment and other relevant controls. B) scheduling conflicts in the audit firm that make interim testing more convenient. C) the purpose of the substantive procedure. D) the assessed risk of material misstatement.

B) scheduling conflicts in the audit firm that make interim testing more convenient.

As opposed to a manual control, an automated control: A) can never be circumvented. B) should function consistently in the absence of program changes. C) need not be tested by the auditor. D) must be tested using the same techniques as a manual control.

B) should function consistently in the absence of program changes.

Management philosophy and operating style most likely would have a significant influence on an entity's control environment when: A) internal audit personnel have direct access to the board of directors and the entity's management. B) the entity does not have sound personnel policies for hiring, training, and evaluating competent individuals. C) accurate management job descriptions delineate(상세하게 설명하다) specific duties. D) the audit committee actively oversees the financial reporting process.

B) the entity does not have sound personnel policies for hiring, training, and evaluating competent individuals.

While substantive procedures may support the accuracy of underlying records, these tests frequently provide no affirmative evidence of segregation of duties because: A) substantive procedures rarely guarantee the accuracy of the records if only a sample of the transactions has been tested. B) the records may be accurate even though they are maintained by persons having incompatible functions. C) substantive procedures relate to the entire period under audit, but compliance tests ordinarily are confined to the period during which the auditor is on the entity's premises. D) many computerized procedures leave no audit trail of who performed them, so substantive procedures may necessarily be limited to inquiries and observation of office personnel.

B) the records may be accurate even though they are maintained by persons having incompatible functions.

An auditor is least likely to test the internal controls that provide for: A) approval of the purchase and sale of marketable securities. B) vouching a sample of sales transactions to make sure each one has an accompanying shipping document. C) segregation of the functions of recording disbursements and reconciling the bank account. D) comparison of receiving reports and vendors' invoices with purchase orders.

B) vouching a sample of sales transactions to make sure each one has an accompanying shipping document.

Where computer processing is used in significant accounting applications, internal control activities may be defined by classifying control activities into two types: general and A) Administrative. B) Specific. C) Application. D) Authorization.

C) Application.

An entity's control activities include all of the following except: A) Performance reviews. B) Information processing. C) External auditor's tests of controls. D) Segregation of duties.

C) External auditor's tests of controls.

Which of the following is an IT general control that would most likely assist an entity whose systems analyst left the entity in the middle of a major project? A) Processing controls. B) Input and output validation routines. C) Systems documentation. D) Error controls.

C) Systems documentation.

Which of the following audit tests would be regarded as a test of controls? A) Tests of the specific items making up the balance in a given general ledger account. B) Tests comparing inventory pricing to vendors' invoices. C) Tests of the signatures on canceled checks to the board of directors' authorizations. D) Tests of the additions to property, plant, and equipment by physical inspection

C) Tests of the signatures on canceled checks to the board of directors' authorizations.

The risk assessment component of internal control refers to: A) The auditor's assessment of control risk. B) The auditor's assessment of client risk. C) The entity's identification and analysis of risks relevant to achievement of its objectives. D) The entity's monitoring of the potential for material misstatements.

C) The entity's identification and analysis of risks relevant to achievement of its objectives.

Information and communication includes all of the following except: A) identifying and recording all valid transactions. B) determining the time period in which transactions occurred. C) communicating price changes to customers. D) properly presenting transactions and related disclosures in the financial statements.

C) communicating price changes to customers.

Before applying substantive procedures to the details of accounts at an interim date (a date prior to the balance sheet date), an auditor should: A) assess control risk at high for the assertions embodied in the accounts selected for interim testing. B) determine that the accounts selected for interim testing are not material to the financial statements taken as a whole. C) consider the availability of information at a later date that will be necessary for the auditor's procedures (e.g., electronic data). D) obtain written representations from management that all financial records and related data will be made available.

C) consider the availability of information at a later date that will be necessary for the auditor's procedures (e.g., electronic data).

Significant deficiencies are matters that come to an auditor's attention that should be communicated to an entity's audit committee because they represent: A) disclosures of information that significantly contradict the auditor's going concern assumption. B) material fraud or illegal acts perpetrated by high-level management. C) deficiencies in the design of controls or failures in the operation of internal controls. D) manipulation or falsification of accounting records or documents from which financial statements are prepared.

C) deficiencies in the design of controls or failures in the operation of internal controls.

After obtaining an understanding of internal controls and assessing control risk of an entity, an auditor decided not to perform tests of controls for purposes of the audit. The auditor most likely decided that: A) the available evidential matter obtained through tests of controls would not support an increased level of control risk. B) a reduction in the assessed level of control risk is justified for certain financial statement assertions. C) it would be inefficient to perform tests of controls that would result in a reduction in planned substantive procedures. D) the assessed level of inherent risk exceeded the assessed level of control risk.

C) it would be inefficient to perform tests of controls that would result in a reduction in planned substantive procedures.

A well-prepared flowchart should make it easier for the auditor to: A) prepare audit procedure manuals. B) prepare detailed job descriptions. C) perform walkthroughs. D) assess the degree of accuracy of financial data.

C) perform walkthroughs.

The auditor's communication of material weaknesses in internal control for a nonpublic company is: A) required to enable the auditor to state that the examination has been made in accordance with generally accepted auditing standards. B) the principle reason for studying and evaluating the system of internal controls. C) required even though the financial statement audit for private companies does not require an audit of the entity's system of internal control. D) required to be included as part of the audit opinion.

C) required even though the financial statement audit for private companies does not require an audit of the entity's system of internal control.

After the auditor has prepared a flowchart of the internal controls surrounding sales and evaluated the design of the system, the auditor would perform tests of controls on all control activities: A) documented in the flowchart. B) considered to be weaknesses that might allow errors to enter the accounting system. C) that the auditor plans to rely on. D) that would aid in preventing fraud.

C) that the auditor plans to rely on.

An IT specialist is least likely to be necessary when: A) data are shared extensively among systems. B) the entity participates heavily in electronic commerce. C) the system has not changed from the prior year. D) significant audit evidence is in electronic form.

C) the system has not changed from the prior year.

As the acceptable level of detection risk increases, an auditor may change the: A) assessed level of control risk from a lower level to a higher level. B) assurance provided by tests of controls by using a larger sample size than planned. C) timing of substantive procedures from year-end to an interim date. D) nature of substantive procedures from less effective to more effective procedures.

C) timing of substantive procedures from year-end to an interim date.

Which of the following procedures most likely would provide an auditor with evidence about whether an entity's internal control is suitably designed to prevent or detect material misstatements? A) Scanning the journals produced by the internal control system. B) Performing analytical procedures using data aggregated at a high level. C) Vouching a sample of transactions directly related to the controls. D) Observing the entity's personnel applying the controls.

D) Observing the entity's personnel applying the controls.

If auditors conduct substantive procedures as of 10/31 for an entity with a 12/31 year-end: A) additional tests are seldom conducted for the remaining period. B) additional control tests are required in the remaining period. C) the entity's controls likely are ineffective. D) additional tests likely will be performed in the remaining period.

D) additional tests likely will be performed in the remaining period.

Reports on service organizations typically: A) provide reasonable assurance that their financial statements are free of material misstatements. B) ensure that the entity will not have any misstatements in areas related to the service organization's activities. C) ensure that the auditee is billed correctly. D) assess whether the service organization's controls are suitably designed to achieve internal control objectives.

D) assess whether the service organization's controls are suitably designed to achieve internal control objectives.

A high detection risk strategy includes all of the following except: A) interim testing. B) reduced testing of transactions. C) heavy reliance on analytical procedures as substantive procedures. D) audit work only completed at year-end.

D) audit work only completed at year-end.

The documentation of an auditor's understanding of internal controls: A) is optional. B) must be exclusively in narrative, questionnaires, or flowchart form. C) must include flowcharts. D) can include any combination of narratives, questionnaires, or flowcharts.

D) can include any combination of narratives, questionnaires, or flowcharts.

A field test is a: A) test to ensure that a numerical value in a field does not exceed some predetermined value. B) check to ensure that the value in a field falls within an allowable range of values. C) check to ensure that the data in a field have the proper arithmetic sign. D) check on a field to ensure that it contains either all numeric or all alphabetic characters.

D) check on a field to ensure that it contains either all numeric or all alphabetic characters.

Audit evidence concerning proper segregation of duties ordinarily is best obtained by: A) preparation of a flowchart of duties performed by available personnel. B) inquiring whether control activities operated consistently throughout the period. C) reviewing job descriptions prepared by the Personnel Department. D) direct personal observation of the employees who apply the control activities

D) direct personal observation of the employees who apply the control activities

An organizational structure is important for all of the following reasons except: A) ensuring proper accountability. B) defining areas of authority. C) creating clear lines of reporting. D) ensuring a proper commitment to controls.

D) ensuring a proper commitment to controls.

An auditor would most likely be concerned with internal control policies and procedures that provide reasonable assurance about the: A) efficiency of management's decision-making process. B) appropriate prices that the entity should charge for its products. C) methods of assigning production tasks to employees. D) entity's ability to accurately process and summarize financial data.

D) entity's ability to accurately process and summarize financial data.

Based on a study and evaluation completed at an interim date, the auditor concludes that no significant internal control weaknesses exist. The records and procedures would most likely be tested again at year-end if: A) compliance tests were not performed by the internal audit staff during the remaining period. B) the internal control system provides a basis for reliance in reducing the extent of substantive procedures. C) the auditor used nonstatistical sampling during interim compliance testing. D) inquiries and observations lead the auditor to believe that conditions within the internal control system have changed.

D) inquiries and observations lead the auditor to believe that conditions within the internal control system have changed.

All of the following are significant deficiencies except: A) inadequate design of internal control over a significant account or process. B) management override of controls. C) inadequate provisions for safeguarding assets. D) inventory is highly subject to obsolescence.

D) inventory is highly subject to obsolescence.

As part of gaining an initial understanding of internal control, an auditor is required to do all of the following except: A) consider factors that affect the risk of material misstatement. B) ascertain whether internal control policies and procedures have been placed in operation. C) identify the types of potential misstatements that can occur. D) obtain knowledge about the operating effectiveness of the internal control.

D) obtain knowledge about the operating effectiveness of the internal control.

In obtaining an understanding of an entity's internal control in a financial statement audit of a nonpublic company, an auditor is not obligated to: A) determine whether the control activities have been placed in operation. B) perform procedures to understand the design of the internal control policies. C) document the understanding of the entity's internal control components. D) search for significant deficiencies in the operation of the internal control.

D) search for significant deficiencies in the operation of the internal control.

In a properly designed internal control system, the same employee may be permitted to: A) receive and deposit checks and also approve write-offs of customer accounts. B) approve vouchers for payment and also sign checks. C) reconcile the bank statements and also receive and deposit cash. D) sign checks and also cancel supporting documents.

D) sign checks and also cancel supporting documents.

When documenting an entity's internal control, the independent auditor sometimes uses a systems flowchart, which can best be described as a: A) pictorial presentation of the flow of instructions in an entity's internal computer system. B) diagram which clearly indicates an organization's internal reporting structure. C) graphic illustration of the flow of operations which is used to replace the auditor's internal control questionnaire. D) symbolic representation that represents the flow of documents and the processing steps among departments in the entity.

D) symbolic representation that represents the flow of documents and the processing steps among departments in the entity.

Proper monitoring within an internal control framework may include all of the following except: A) an external auditor. B) an effective audit committee. C) an internal audit function. D) the internal revenue service.

D) the internal revenue service.

A reliance strategy is used when control risk has been set at high.

False

Once a level of control risk has been established, it cannot be changed.

False

The auditor must understand internal control before assessing inherent risk.

False

Internal control includes monitoring of controls.

True