ACCT 451 Module 6
Identify two reasons for assessing control risk at the maximum level.
1. The auditor believes that the design of internal control is ineffective. 2. The auditor believes that reliance on internal control (and performing applicable tests of control) is not an efficient audit strategy compared to a wholly substantive audit approach.
An auditor's primary consideration regarding an entity's internal control structure policies and procedures is whether they:
Affect the financial statement assertions.
An auditor would most likely be concerned with internal control structure policies and procedures that provide reasonable assurance about the:
Entity's ability to process and summarize financial data.
Inquiry alone is normally sufficient to test the operating effectiveness of internal controls.
False
Which of the following most accurately describes the process of a walkthrough?
Following a transaction from its origination until it is reflected in the financial statements
Errors may occur due to misunderstandings, carelessness, or fatigue.
Inherent limitations
Define the term "risk assessment procedures."
Procedures performed to obtain an understanding of the entity and its environment, including its internal control
Define the term "significant risks."
Risks that the auditor believes require special audit consideration
"Significant risks" are those that the auditor believes require special audit consideration.
True
Internal control should provide "reasonable assurance" that the entity's control objectives will be achieved, meaning that the costs associated with internal control should not outweigh the benefits.
True
Management is responsible for designing and implementing the system of internal control.
True
List the advantages of internal control questionnaires (ICQs) to document the auditor's understanding of internal controls.
- Can have a standard form for many clients - Deficiencies are easily indicated by "no" answers.
List the advantages of using flowcharts to document the auditor's understanding of internal controls.
- Systematic approach with emphasis on important accounting records - Tailored to client - Fairly easy for others to review and understand - Easy to update from year to year
List the advantages of narratives (memos) to document the auditor's understanding of internal controls.
- Tailored to client - Can be as detailed or as general as desired - Easy to prepare - Easy to read
List the disadvantages of flowcharts to document the auditor's understanding of internal controls.
- Tedious and time consuming to prepare initially - Might fail to recognize deficiencies by getting overly absorbed in details
What specific matters should the auditor document regarding the auditor's assessment of the risks of material misstatement?
- The discussion with key members of the audit team about the risks of material fraud and errors - The major elements of the understanding of the five components of internal control - The assessment of the risks of material misstatement (at the financial statement and relevant assertion levels) and the basis for that assessment - The risks identified and the related controls the auditor evaluated
Identify the five interrelated components of internal controls.
1. Control environment 2. Risk assessment 3. Control activities 4. Information and communication systems 5. Monitoring
Identify three inherent limitations of internal controls.
1. Cost of controls should not exceed expected benefits. 2. Mistakes may occur due to carelessness, fatigue, misjudgments, and so on. 3. Segregation of duties may break down due to collusion or management override of internal controls.
Define "transaction cycle."
A group of essentially homogeneous transactions (i.e., transactions of the same basic type)
AICPA Professional Standards discuss the auditor's responsibility to communicate certain internal control related matters identified in a financial statement audit. Select the appropriate paragraph from the applicable Statement on Auditing Standards that provides specific examples of indicators of material weaknesses in internal control.
AU-C-265-A11
AICPA Professional Standards provide guidance on internal control considerations in a financial statement audit. One of the AICPA's Statements on Auditing Standards (SAS) includes a paragraph that comments on the potential benefits that information technology (IT) has on the effectiveness and efficiency of an entity's internal control. Select the specific paragraph of the SAS that enumerates the potential benefits of IT on internal control.
AU-C-315-A63
After assessing control risk at below the maximum level, an auditor desires to seek a further reduction in the assessed level of control risk. At this time, the auditor would consider whether:
Additional evidential matter sufficient to support a further reduction is likely to be available.
The auditor is required to communicate each of the following items to those charged with governance except:
All control deficiencies detected during the course of the audit.
Which of the following is the best way to compensate for the lack of adequate segregation of duties in a small organization?
Allowing for greater management oversight of incompatible activities.
Which of the following matters in a financial statement audit is most appropriate to communicate with those charged with governance?
An overview of the planned scope and timing of the audit
Which of the following statements concerning an auditor's communication of significant deficiencies is correct?
Any report issued on significant deficiencies should indicate that providing assurance on the internal control structure was not the purpose of the audit.
Which of the following statements concerning control risk is correct?
Assessing control risk and obtaining an understanding of an entity's internal control structure may be performed concurrently.
Which of the following statements is correct concerning an auditor's assessment of control risk?
Assessing control risk may be performed concurrently during an audit with obtaining an understanding of the entity's internal control structure.
When an auditor assesses control risk below the maximum level, the auditor is required to document the auditor's:
Basis for concluding that control risk is below the maximum level and understanding of the entities internal control structure elements
When assessing internal auditors' objectivity, an independent auditor should:
Consider the policies that prohibit the internal auditors from auditing areas where they were recently assigned.
Which of the following elements of an entity's internal control structure includes the development of personnel manuals documenting employee promotion and training policies?
Control environment.
An auditor may decide to assess control risk at the maximum level for certain assertions because the auditor believes:
Control policies and procedures are unlikely to pertain to the assertions.
Control performed by person who lacks the necessary authority or competence to perform the control effectively.
Deficiency in operation
In an entity under audit, employees have the opportunity to change their time worked after their time cards have been approved. This is an example of which of the following types of deficiency?
Design
In obtaining an understanding of an entity's internal control structure policies and procedures that are relevant to audit planning, an auditor is required to obtain knowledge about the:
Design of the policies and procedures pertaining to the internal control structure elements.
In assessing the "objectivity" of the internal audit function, the external auditor should consider the level of education and professional certifications of the internal audit staff.
False
Once the auditor has performed the risk assessment procedures in planning the audit, the auditor should not revise that assessment during fieldwork.
False
Tests of control should be performed whenever the auditor assesses control risk at the maximum level.
False
The auditor is required to identify and assess the risks of material misstatement at the financial statement level, but need not consider those risks at the relevant assertion level related to specific classes of transactions, account balances, and disclosures.
False
The auditor primarily obtains the required understanding of internal control by performing tests of control.
False
The auditor should evaluate the participation of those charged with governance, including their interaction with the internal and external auditors, when obtaining an understanding of the "risk assessment" component of internal control.
False
The probability that mistakes are more likely as employees become fatigued is not an inherent limitation of internal control.
False
The purpose of performing "tests of controls" is to evaluate the adequacy of the design of the entity's internal controls.
False
When control risk is assessed below the maximum level, the auditor must document the assessed level of control risk, but does not need to document the basis for that conclusion.
False
When substantive procedures alone cannot provide sufficient appropriate audit evidence, the auditor must disclaim an opinion due to scope limitation.
False
When the auditor perceives control risk to be unusually low for a significant element of the financial statements, the auditor may appropriately choose to omit all substantive audit procedures after performing the appropriate tests of control.
False
Control risk should be assessed in terms of:
Financial statement assertions.
Documentation of the auditor's understanding of an entity's internal controls for major transaction cycles by a symbolic representation of the systems.
Flowcharts
Assessing control risk at below the maximum level most likely would involve:
Identifying specific internal control structure policies and procedures relevant to specific assertions.
Obtaining an understanding of an internal control involves evaluating the design of the control and determining whether the control has been:
Implemented.
Why must auditors consider an entity's internal control in planning the audit engagement?
In order to plan an effective and efficient audit, auditors must assess control risk as a basis for setting the appropriate level of detection risk related to their substantive auditing procedures (specifically, to determine the nature, timing, and extent of those substantive procedures).
When should the auditor assess the design effectiveness of internal control?
In planning every audit under generally accepted accounting standards (GAAS), as a basis for determining the nature, timing, and extent of further audit procedures
Which of the following most likely would not be considered an inherent limitation of the potential effectiveness of an entity's internal control structure?
Incompatible duties
In planning an audit of certain accounts, an auditor may conclude that specific procedures used to obtain an understanding of an entity's internal control structure need not be included because of the auditor's judgments about materiality and assessments of:
Inherent risk.
Which of the following is not a component of internal control?
Inherent risk.
When the operating effectiveness of a control is not evidenced by written documentation, an auditor should obtain evidence about the control's effectiveness by:
Inquiry and other procedures such as observation.
What is the auditor's responsibility for assessing the risk of material misstatement?
The auditor should identify and assess the risks of material misstatement (1) at the financial statement level and (2) at the relevant assertion level related to classes of transactions, account balances, and disclosures.
Which of the following statements is correct concerning significant deficiencies noted in an audit?
The auditor should separately identify and communicate significant deficiencies and material weaknesses.
Which of the following factors should an external auditor obtain updated information about when assessing an internal auditor's competence?
The educational level and professional experiences of the internal auditor.
Which of the following auditor concerns could most likely be so serious that the auditor concludes that a financial statement audit cannot be conducted?
The integrity of the entity's management is suspect.
The "tone set at the top" is an essential aspect of the control environment.
True
When using the internal audit function to provide direct assistance, the external auditor should obtain written acknowledgment from management (or those charged with governance) that the internal auditors will be allowed to follow the external auditor's directives without interference from management.
True
An auditor's flowchart of a client's accounting system is a diagrammatic representation that depicts the auditor's:
Understanding of the system.
When companies use information technology (IT) extensively, evidence may be available only in electronic form. What is an auditor's best course of action in such situations?
Use generalized audit software to extract evidence from client databases.
List some examples of appropriate responses by the auditor to risks of material misstatement at the financial statement level.
- Assign more experienced staff to the engagement. - Provide closer supervision. - Use specialists. - Use more unpredictable audit procedures.
List the disadvantages of internal control questionnaires (ICQs) to document the auditor's understanding of internal controls.
- These are generic and not tailored to any client specifically. - Irrelevant questions may annoy clients. - Client might conceal deficiencies by incorrect answers.
List the disadvantages of narratives (memos) to document the auditor's understanding of internal controls.
- Writing such a memo is rather unstructured, lacking a systematic approach - It may be rather easy to overlook relevant internal control issues
Identify three ways auditors might document their understanding of internal controls.
1. Flowcharts of transaction cycles 2. Internal control questionnaires 3. Narrative write-ups (memos)
Identify three risk assessment procedures that an auditor might used to obtain an understanding of the entity and its environment, including its internal control.
1. Inquiries of management and others 2. Observation and inspection 3. Analytical procedures
Identify three procedures an auditor might perform to obtain an understanding of internal controls.
1. Inquiry of appropriate personnel 2. Observation of client's activities 3. Review of entity's documentation of internal controls
When using the internal audit function to provide direct assistance, what two matters should the external auditor evaluate?
1. Objectivity—the internal audit function's organizational status and the objectivity of the internal auditors 2. Competence of the internal auditors
When using the work of the internal audit function to obtain audit evidence, what three matters should the external auditor evaluate?
1. Objectivity—the internal audit function's organizational status and the objectivity of the internal auditors 2. Competence of the internal auditors 3. Whether the internal audit function applies a "systematic and disciplined approach, including quality control"
What are the three objectives of internal control as identified in the definition of internal control?
1. Reliability of financial reporting 2. Effectiveness and efficiency of operations 3. Compliance with applicable laws and regulations
What are the two ways the external auditor might use the work of an internal audit function?
1. To obtain audit evidence 2. To provide direct assistance
Which of the following factors would the independent auditor most likely consider in assessing the objectivity of an internal auditor? The internal auditor has obtained the Certified Internal Auditor designation. The audit committee reviews employment decisions related to the director of internal auditing. The internal auditor was previously an employee of the auditor's public accounting firm. The internal auditor attends a number of comprehensive continuing professional education courses each year.
?
Define "internal control."
A process—effected by those charged with governance, by management, and by other personnel—designed to provide reasonable assurance about the achievement of the entity's objectives with regard to reliability of financial reporting, effectiveness and efficiency of operations, and compliance with applicable laws and regulations.
Why isn't a "systematic and disciplined approach, including quality control" a relevant consideration when the external auditor uses an internal audit function to provide direct assistance?
Because the work performed by the internal audit function is subject to the external auditor's direction, supervision, and review
After obtaining an understanding of an entity's internal control structure, an auditor may assess control risk at the maximum level for some assertions because the auditor:
Believes the internal control policies and procedures are unlikely to be effective.
When assessing control risk at below the maximum level, an auditor is required to document the auditor's understanding of the I. Entity's control activities that help ensure management directives are carried out. II. Entity's control environment factors that help the auditor plan the engagement.
Both I and II.
Which of the following factors should an auditor consider in making a judgment about whether an internal control deficiency is so significant that it is a significant deficiency? I. Diversity of the entity's business. II. Size of the entity's operations.
Both I and II.
When considering the objectivity of internal auditors, an independent auditor should:
Determine the organizational level to which the internal auditors report.
Which of the following is a management control method that most likely could improve management's ability to supervise company activities effectively?
Establishing budgets and forecasts to identify variances from expectations.
The objective of tests of details of transactions performed as tests of controls is to:
Evaluate whether an internal control structure policy or procedure operated effectively.
The objective of tests of details of transactions performed as tests of controls is to:
Evaluate whether internal control structure procedures operated effectively.
Which of the following matters would an auditor most likely consider to be a significant deficiency to be communicated to the audit committee (or otherwise those charged with governance)?
Evidence of a lack of objectivity by those responsible for accounting decisions.
An internal auditor's work would most likely affect the nature, timing, and extent of an independent CPA's auditing procedures when the internal auditor's work relates to assertions about the:
Existence of fixed asset additions.
"Monitoring" deals with how management identifies risks and establishes priorities in dealing with applicable risk factors.
False
A disadvantage of preparing written memoranda relative to using flow charts to document the auditor's understanding of internal control is that such memoranda may be more difficult for supervisors to review.
False
All engagement personnel must participate in any discussion among audit teams members performed in connection with the auditor's risk assessment procedures.
False
Auditors are normally equally concerned about all 3 objectives in the definition of internal control (regarding the reliability of financial reporting, the effectiveness and efficiency of operations, and the compliance with applicable laws and regulations).
False
Auditors can always choose to assess control risk at the maximum level and limit detection risk to an acceptably low level by performing substantive audit procedures.
False
The auditor should perform tests of control whenever the auditor concludes that the design of internal control appears to be effective.
False
The work of internal auditors may affect the independent auditor's I. Procedures performed in obtaining an understanding of the internal control structure. II. Procedures performed in assessing the risk of material misstatement. III. Substantive procedures performed in gathering direct evidence.
I, II, and III.
In assessing the objectivity of internal auditors, the independent CPA who is auditing the entity's financial statements would most likely consider the:
Internal auditing standards developed by The Institute of Internal Auditors.
To what degree, if at all, is a significant deficiency related to a material weakness?
It is less severe than a material weakness.
After obtaining an understanding of the internal control structure and assessing control risk, an auditor decided to perform tests of controls. The auditor most likely decided that:
It would be efficient to perform tests of controls that would result in a reduction in planned substantive tests.
After obtaining an understanding of the internal control structure and assessing control risk of an entity, an auditor decided not to perform tests of controls. The auditor most likely decided that:
It would be inefficient to perform tests of controls that would result in a reduction in planned substantive tests.
Decision tables differ from program flowcharts in that decision tables emphasize:
Logical relationships among conditions and actions.
Which of the following actions should the auditor take in response to discovering a deviation from the prescribed control procedure?
Make inquiries to understand the potential consequence of the deviation.
Management's attitude toward aggressive financial reporting and its emphasis on meeting projected profit goals most likely would significantly influence an entity's control environment when:
Management is dominated by one individual who is also a shareholder.
When obtaining an understanding of an entity's internal control procedures, an auditor should concentrate on the substance of the procedures, rather than their form, because:
Management may establish appropriate procedures but not enforce compliance with them.
For which of the following judgments may an independent auditor share responsibility with an entity's internal auditor who is assessed to be both competent and objective?
Not materiality of misstatements or evaluation of accounting estimates
For certain controls, such as segregation of duties, documentary evidence may not exist. An auditor would most likely test the procedures by:
Observation and inquiry.
Which of the following audit techniques most likely would provide an auditor with the most assurance about the effectiveness of the operation of an internal control procedure?
Observation of client personnel.
Miller Retailing, Inc. maintains a staff of three full-time internal auditors who report directly to the controller. In planning to use the internal auditors to provide assistance in performing the audit, the independent auditor will most likely:
Place limited reliance on the work performed by the internal auditors.
An auditor should obtain sufficient knowledge of an entity's accounting system to understand the:
Process used to prepare significant accounting estimates.
An advantage of using systems flowcharts to document information about internal control, instead of using internal control questionnaires, is that systems flowcharts:
Provide a visual depiction of clients' activities.
When assessing the competence of the internal auditors, an independent CPA should obtain information about the:
Quality of the internal auditors' working paper documentation.
A letter issued regarding significant deficiencies relating to an entity's internal control observed during an audit of financial statements should include a:
Restriction on the distribution of the report.
When reporting on conditions relating to an entity's internal control observed during an audit of the financial statements, the auditor should include a:
Restriction on the distribution of the report.
The ultimate purpose of assessing control risk is to contribute to the auditor's evaluation of the:
Risk that material misstatements exist in the financial statements.
During consideration of the internal control structure in a financial statement audit, an auditor is not obligated to:
Search for significant deficiencies in the operation of the internal control structure.
In obtaining an understanding of an entity's internal control structure in a financial statement audit, an auditor is not obligated to:
Search for significant deficiencies in the operation of the internal control structure.
A deficiency (or combination of deficiencies) in internal control that is less severe than a material weakness, yet important enough to merit attention by those charged with governance.
Significant deficiencies
Significant deficiencies are matters that come to an auditor's attention that should be communicated to an entity's audit committee (or those charged with governance) because they represent:
Significant deficiencies in the design or operation of internal control.
Audit procedures that must be performed when evaluating the operating effectiveness of internal control.
Tests of control
Which of the following factors would the independent auditor most likely consider in assessing the objectivity of an internal auditor?
The audit committee reviews employment decisions related to the director of internal auditing.
An entity has an internal audit staff that the independent auditor assessed to be both competent and objective. Which of the following statements is correct about the independent auditor's use of the internal auditors to provide direct assistance in performing tests of controls?
The auditor should supervise, review, evaluate, and test the work performed by the internal auditors.
When considering the internal control structure, an auditor should be aware of the concept of reasonable assurance, which recognizes that:
The cost of an entity's internal control structure should not exceed the benefits expected to be derived.
Which of the following statements about internal control structure is correct?
The cost-benefit relationship is a primary criterion that should be considered in designing an internal control structure.
What is meant by the term "risk assessment"?
The policies and procedures involving the identification, prioritization, and analysis of relevant risks as a basis for managing those risks
What is meant by the term "monitoring" (as it relates to internal controls)?
The policies and procedures involving the ongoing assessment of the effectiveness of internal controls over time
What is meant by the term "information and communication systems"?
The policies and procedures related to the identification, capture, and exchange of information in a form and time frame that enable people to carry out their responsibilities
What is meant by the term "control environment"?
The policies and procedures that determine the overall control consciousness of the entity, sometimes called "the tone at the top"
What is meant by the term "control activities"?
The policies and procedures that help ensure that management directives are carried out, especially those related to (1) segregation of duties, (2) physical controls, (3) authorization of transactions, (4) performance reviews, and (5) information processing
In assessing the competence and objectivity of an entity's internal auditor, an independent auditor would be least likely to consider information obtained from
The results of analytical procedures.
Which of the following representations should not be included in a report on internal control related matters noted in an audit?
There are no significant deficiencies in the design or operation of the internal control structure.
Which of the following auditor concerns most likely could be so serious that the auditor concludes that a financial statement audit cannot be performed?
There is a substantial risk of intentional misapplication of accounting principles.
What is the purpose of performing a walkthrough?
To obtain some feedback as to whether the way the auditor has understood (and documented) the entity's internal controls is consistent with the way the entity is actually processing such transactions
According to AICPA standards, internal control includes consideration of the entity's objectives related to compliance with applicable laws and regulations.
True
An advantage of preparing flow charts of transaction cycles relative to preparing written memoranda is that flow charts by nature are less likely to permit overlooking important internal control considerations.
True
An advantage of preparing flow charts of transaction cycles relative to using internal control questionnaires is that the flow charts are tailored to client-specific circumstances.
True
Auditors must obtain a sufficient understanding of internal control in planning the audit primarily because control risk affects the level of detection risk that is appropriate in the circumstances.
True
Detection risk is effectively set by the auditor when decisions about the nature, timing, and extent of substantive audit procedures are made.
True
Determining whether the controls of interest to the auditor have been placed in operation is associated with obtaining an understanding of the design of controls relevant to the financial statements.
True
The auditor can appropriately document the understanding of internal control by using flow charts of transaction cycles, completing internal control questionnaires, or by preparing written memoranda.
True
The auditor is primarily concerned with internal controls that affect the risk of material misstatement to the financial statements.
True
The auditor is required to document the assessment of the risks of material misstatement both at the financial statement level and at the relevant assertion level and the basis for those assessments.
True
The auditor primarily obtains an understanding of the entity and its environment, including internal control, by performing "risk assessment procedures."
True
The definition of internal control recognizes that management has multiple objectives in designing the entity's internal controls, including the reliability of financial reporting, the effectiveness and efficiency of operations, and compliance with applicable laws and regulations.
True
The educational background, professional certifications, and performance evaluations of the internal audit staff would be applicable to the external auditor's assessment of the "competence" of the internal auditors.
True
The primary purpose for obtaining an understanding of internal control is to determine the nature, timing, and extent of further audit procedures, including tests of control and substantive procedures.
True
The purpose of performing "tests of controls" is to evaluate the operating effectiveness of the entity's internal controls.
True
Using the internal audit function to obtain audit evidence means substituting the internal auditors' work in place of work that would otherwise be performed by the external auditor.
True
When an ineffective control environment is viewed as having pervasive effects on the risk of material misstatement at the financial statement level, the auditor may assign more experienced staff to the engagement and perform more unpredictable audit procedures.
True
When the external auditor perceives the internal audit function as relevant to the audit of the entity's financial statements, the external auditor may be able to justify a reduction of the substantive auditing procedures.
True
When using members of the internal audit staff to provide direct assistance to the external auditor in performing audit fieldwork, the external auditor is fully responsible for all conclusions reached.
True
When must tests of control be performed?
When the auditor's risk assessment includes an "expectation of the operating effectiveness of controls." Note that this is frequently referred to as "relying" on internal control as a partial basis for the auditor's conclusions, or "assessing control risk at less than the maximum level."
When should the auditor assess the operating effectiveness of internal control?
Whenever the auditor contemplates a reliance strategy (which means the same thing as "assessing control risk at less than the maximum level") and only after performing the appropriate tests of control