Auditing and Attestation 5-8
b) Transactions are executed in accordance with management's general or specific authorization.
9. The ICS normally would include procedures that are designed to provide reasonable assurance that
True. Two signatures may be required for checks larger than some preset limit.
A standard control over cash disbursements is to require checks for large amounts to have signatures from two authorized persons in the organization.
True. 1.A system access log records uses and attempted uses of a system. 2.The date and time, codes used, modes of access, data involved, and interventions by operators are recorded.
A system access log records uses and attempted uses of a system.
True. Two broad groupings of information systems control activities are general controls and application controls.
Two broad groupings of information systems control activities are general controls and application controls.
True. Typical controls in the investing cycle include (1) written authorizations from the board of directors, (2) segregation of recordkeeping and accountability from physical custody, (3) physical safeguards over assets, (4) specific identification of certificate numbers when possible, (5) periodic reconciliation of subsidiary records and the general ledger control account, and (6) periodic comparisons of physical assets with subsidiary records.
Typical controls in the investing cycle include written authorizations from the board of directors, physical safeguards over assets, and specific identification of certificate numbers.
Approval of the return of defective merchandise. To ensure that the sales returns and allowances function is effective, proper controls must be established, including a segregation of duties. The Sales Department should be responsible for the initial approval of sales returns and allowances.
Under effective internal controls, the Sales Department should be responsible for which of the following activities?
True. An auditor should not only understand the system and controls; (s)he also should document that understanding. Use of flowcharts typically facilitates both understanding and the subsequent documentation.
Understanding how information and documents flow through a sales-receivables cycle helps the auditor determine what controls are in place and whether they may be effective in mitigating errors and fraud.
False. Inventory levels are formally updated upon release of the goods from the Inventory Warehouse.
In an online computer processing system, inventory levels are formally updated upon initial receipt of the customer order.
False. Audit risk is the risk that the auditor expresses an inappropriate opinion when the financial statements are materially misstated. 1.Inherent risk is the susceptibility of an assertion to a material misstatement before consideration of related controls.
Inherent risk is the risk that the auditor expresses an inappropriate opinion when the financial statements are materially misstated.
Timing of substantive procedures from year end to an interim date. For a given audit risk, the acceptable detection risk (the auditor's risk) is inversely related to the assessed RMMs (the entity's risks) at the assertion level. Detection risk is the risk that audit procedures will not detect a material misstatement. It relates to the nature, timing, and extent of procedures performed to reduce audit risk to an acceptably low level. Thus, it depends on the effectiveness of audit procedures and their application by the auditor (AU-C 330). For example, as the acceptable level of detection risk for a given audit risk increases, the audit effort devoted to substantive procedures may be reduced. The auditor may change the nature, timing, or extent of substantive procedures, for example, by changing the timing to an interim date.
As the acceptable level of detection risk increases for a given audit risk, an auditor may change the
False. Assignment of one clerk to be responsible for sales recording and cash receipts during a work period is a compensating control.
Assignment of one clerk to be responsible for sales recording and cash receipts during a work period is not an effective control when used in conjunction with other compensating controls in a cash sales environment.
Selling of goods for cash. Selling goods for cash is the consummation of a transaction that is likely to be covered by a general authorization. Thus, the risk of loss arising from lack of specific authorization of cash sales is minimal.
At which point in an ordinary sales transaction of a wholesaling business is a lack of specific authorization of least concern to the auditor in the conduct of an audit?
False. Detection risk is the risk that procedures performed to reduce audit risk to an acceptably low level will not detect material misstatements.
Audit risk is the risk that analytical procedures and other relevant substantive tests do not detect misstatements equal to tolerable misstatements that could occur in an assertion.
True. Auditing around the computer may be appropriate for very simple systems that produce appropriate printed outputs for the auditor. 1.The auditor manually processes transactions and compares the results with the client's computer processed results. 2.Because only a small number of transactions can ordinarily be processed, the effectiveness of the tests of controls must be questioned. 3.The computer is treated as a black box, and only inputs and outputs are evaluated.
Auditing around the computer is not appropriate when systems are sophisticated or the major controls are included in the computer programs.
Supplies individually ordered, without considering possible volume discounts. An auditor should communicate to management and those charged with governance significant deficiencies and material weaknesses observed during an audit (AU-C 265). (S)he should discuss procedures that permit the avoidable loss of assets. Thus, an auditor should determine whether the failure to consider possible volume discounts is due to fraud or error.
Based on observations made during an audit, the auditor should discuss with management the effectiveness of the company's controls that protect against the purchase of
False. 1.Batch processing is appropriate when an immediate response is not necessary. 2.Batching transactions is useful for processing large volumes of data.
Batch processing is appropriate when an immediate response is necessary.
a) Valuation or allocation.
1. An auditor tests an entity's policy of obtaining credit approval before shipping goods to customers in support of management's financial statement assertion of
a) Perpetual inventory records are independently compared with goods on hand.
11. Which of the following control procedures most likely would assist in reducing control risk related to the existence or occurrence of manufacturing transactions?
a. Report showing exceptions and control totals
12. Mill Co. uses a batch processing method to process its sales transactions. Data on Mill's sales transaction tape are electronically sorted by customer number and are subjected to programmed edit checks in preparing its invoices, sales journals, and updated customer account balances. One of the direct outputs of the creation of this tape most likely would be
b) Those errors that occur will not be detected by the auditor's examination.
12. The ultimate risk against which the auditor requires reasonable protection is a combination of two separate risks. The first of these is that material errors will occur in the accounting process by which the F/S are developed, and the second is that
b) Inspect agreements to determine whether any inventory is pledged as collateral or subject to any liens.
12. Which of the following audit procedures probably would provide the most reliable evidence concerning the entity's assertion of rights and obligations related to inventories?
d) Presentation and disclosure.
13. During an audit of an entity's stockholders' equity accounts, the auditor determines whether there are restrictions on retained earnings resulting from loans, agreements or state law. This audit procedure most likely is intended to verify management's assertion of
c. The sum of cash deposits plus discounts taken by customers
13. In updating a computerized accounts receivable file, which one of the following is used as a batch control to verify the accuracy of posting cash remittances?
a) Consider the organizational level to which internal auditors report the results of their work.
13. When an independent auditor decides that the work performed by internal auditors may have a bearing on the nature, extent and timing of the independent auditor's procedures, the independent auditor should evaluate the competence and objectivity of the internal auditors. Relative to objectivity, the independent auditor should
d. Department numbers
14. If a control total were to be computed on each of the following data items, which would best be identified as a hash total for a payroll computer application?
b) Corporate controller.
14. To provide the greatest degree of independence in performing internal auditing functions, an internal auditor should probably report to the
d) Assessing the allowance for uncollectible accounts for reasonableness.
14. Which of the following most likely would give the most assurance concerning the valuation assertion of accounts receivable?
c) Presentation and disclosure.
15. An auditor most likely would inspect loan agreements under which an entity's inventories are pledged to support management's financial statement assertion of
b) Review the ICS and perform tests of controls.
15. When considering the client's ICS to determine whether the necessary procedures are prescribed and are followed satisfactorily, an auditor must
c. Data control group
15. When erroneous data are detected by computer program controls, such data may be excluded from processing and printed on an error report. This error report should be reviewed and followed up by the
c) Considered to be strengths that the auditor plans to rely on.
16. After the auditor has prepared a flowchart of the I/C surrounding sales and evaluated the design of the ICS, the auditor would perform tests of controls on all internal control procedures
d) Valuation or allocation.
16. An auditor most likely would analyze inventory turnover rates to obtain evidence concerning management's assertions about
b. Verify the amount was entered accurately
16. In the accounting system of Acme Co., the amounts of cash disbursements entered at a computer terminal are transmitted to the computer, which immediately transmits the amounts back to the terminal for display on the terminal screen. This display enables the operator to
c) Only those controls on which an auditor intends to rely are reviewed, tested and evaluated.
17. A consideration of the ICS made in connection with an annual audit is usually not sufficient to express an opinion on an entity's internal control because
c. Manually reperforming, as of a moment in time, the processing of input data and comparing the simulated results with the actual results
17. When an accounting application is processed by computer, an auditor cannot verify the reliable operation of programmed controls by
a) Compare a sample of shipping documents to related sales invoices.
17. Which of the following procedures would an auditor most likely perform to verify management's assertion of completeness?
c) Vouching selected entries in the accounts payable subsidiary ledger to purchase orders and receiving reports.
18. Which of the following is a substantive test that an auditor most likely would perform to verify the existence and valuation of recorded accounts payable?
d. A well-documented audit trail
18. Which of the following is necessary to audit balances in an online computer system in an environment of destructive updating?
c) Differences are always disclosed on a computer exception report.
18. Which of the following would be least likely to suggest to an auditor that the client's management may have overridden the ICS?
d) Completeness.
19. An auditor most likely would review an entity's periodic accounting for the numerical sequence of shipping documents and invoices to support management's financial statement assertion of
b) Tests of controls designed specifically for the client.
19. Which of the following is intended to detect deviation from prescribed Accounting Department procedures?
d. Bit storage capacity
19. Which of the following is likely to be least important to an auditor who is considering the internal control structure for the automated data processing fuction?
b) Direct participation by the owner of the business in the recordkeeping activities of the business.
2. Effective I/C in a small company that has insufficient employees to permit proper division of responsibilities can be best enhanced by
c. Is determined by the engineers who designed the computer
2. The machine language for a specific computer
b) Inspect the entity's reports of prenumbered shipping documents that have not been recorded in the sales journal.
2. Which of the following audit procedures would an auditor most likely perform to test controls relating to management's assertion concerning the completeness of sales transactions?
d. The controls appear effective enough to support a reduced level of control risk
20. After gaining an understanding of a client's computer processing internal control structure, an auditor may decide not to test the effectiveness of the computer processing control procedures. Which of the following is not a valid reason for choosing to omit tests of controls?
c) Completeness.
20. In auditing accounts payable, an auditor's procedures most likely would focus primarily on management's assertion of
b) Tests of controls
20. The independent auditor selects several transactions in each functional area and traces them through the entire system, paying special attention to evidence about whether or not the control features are in operation. This is an example of a
a) Valuation and allocation.
21. An auditor concluded that no excessive costs for idle plant were charged to inventory. This conclusion most likely related to the auditor's objective to obtain evidence about the financial statement assertions regarding inventory, including presentation and disclosure and
c) Errors have been prevented or detected.
21. In the consideration of the ICS, the auditor is basically concerned that the system provides reasonable assurance that
b. Can be performed using actual transactions or simulated transactions
21. Tests of controls in an advanced computer system
b) Completeness.
22. An auditor selected items for test counts while observing a client's physical inventory. The auditor then traced the test counts to the client's inventory listing. This procedure most likely obtained evidence concerning management's assertion of
b) Document the matter in the working papers and consider the effects of the condition on the audit.
22. During the audit, the independent auditor identified the existence of a reportable condition in the client's system of internal controls and orally communicated this finding to the client's senior management and audit committee. The auditor should
d. Test data are processed by the client's computer programs under the auditor's control
22. When an auditor tests a computerized accounting system, which of the following is true of the test data approach?
b) Existence or occurrence.
23. In testing plant and equipment balances, an auditor examines new additions listed on an analysis of plant and equipment. This procedure most likely obtains evidence concerning management's assertion of
c. Enter invalid indentification numbers or passwords to ascertain whether the system rejects them
23. To obtain evidence that online access controls are properly functioning, an auditor is most likely to
d) Although written communication is preferable, the auditor may communicate the findings orally.
23. Which of the following statements concerning the independent auditor's required communication of reportable conditions is correct?
a. Integrated test facility (ITF)
24. Which of the following computer-assisted auditing techniques allows fictitious and real transactions to be processed together without the knowledge of client operating personnel?
c) Confirmations of accounts receivable.
24. Which of the following is least likely to be evidence the auditor examines to determine whether operations are in compliance with the internal control system?
d) Assessing the reasonableness of the allowance for doubtful accounts.
24. Which of the following most likely would give the most assurance concerning the valuation assertion of accounts receivable?
b. The microcomputer is operated by employees who have other, noncomputer-processing job responsibilites
25. A small client recently put its cash disbursements system on a microcomputer. About which of the following is an auditor most likely to be concerned?
b) Completeness.
25. Cutoff tests designed to detect credit sales made before the end of the year that have been recorded in the subsequent year provide assurance about management's assertion of
c) Incident to the auditor's objective of forming an opinion as to the fair presentation of the financial statements.
25. The auditor's communication of reportable conditions in internal control is
d) Extent of analytical procedures
26. An auditor may compensate for a condition in the ICS by increasing the
b. Part of the audit trail is altered
26. Matthews Corp. has changed from a system of recording time worked on clock cards to a computerized payroll system in which employees record time in and out with magnetic cards. The computer system automatically updates all payroll records. Because of this change
c. Access information stored on computer files without a complete understanding of the client's hardware and software features
27. A primary advantage for using generalized audit software (GAS) packages in auditing the financial statements of a client that uses a computer system is that the auditor may
c) Not increase the extent of predetermined substantive tests.
27. After considering the client's internal controls, an auditor has concluded that I/C is well designed and is functioning as intended. Under these circumstances, the auditor would most likely
d. Assess computer control risk
28. An auditor is least likely to use computer software to
d) Reduces the possibility of employing persons with dubious records in positions of trust.
28. The use of fidelity bonds may indemnify a company from embezzlement losses. The use also
a. The appropriate audit tasks for microcomputer applications and the appropriate software to perform the selected audit tasks
29. The two requirements crucial to achieving audit efficiency and effectiveness with a microcomputer are selecting
d) The strength or weakness of internal control in other areas, e.g., sales and accounts receivable.
3. An auditor is considering the internal control system for purchasing and disbursement procedures. The auditor will be least influenced by
a) Daily sales summaries are compared to daily posting to the accounts receivable ledger.
3. Which of the following internal control procedures most likely would assure that all billed sales are correctly posted to the accounts receivable ledger?
a) Competence and objectivity.
30. If the independent auditors decide that the work performed by the internal auditor may have bearing on their own procedures, they should consider the internal auditor's
b. Investigating inventory balances for possible obsolescence
30. Which of the following audit procedures would an auditor be least likely to perform using generalized audit software (GAS)?
b. Develop a program to compare credit limits with account balances and print out the details of any account with a balance exceeding its credit limit
31. Smith Co. has numerous customers. A customer file is kept on disk storage. Each customer record contains the name, address, credit limit and account balance. The auditor wishes to test this file to determine whether credit limits are being exceeded. The best procedure for the auditor to follow is to
b) It is recognized in the Statement on Auditing Standards.
31. Which statement is correct concerning the definition of internal control developed by the Committee of Sponsoring Organizations (COSO)?
a. Economic order quantity
32. An auditor using audit software probably would be least interested in which of the following fields in a computerized perpetual inventory system?
a) A component of internal control.
32. Monitoring is considered
c. Utility programs
33. Auditors often make use of computer programs that perform routine processing functions, such as sorting and merging. These programs are made available by computer companies and others and are specifically referred to as
b) Risk assessment.
33. Which of the following is not a factor included in the control environment?
c) The audit of the annual financial statements.
34. An entity's ongoing monitoring activities often include
a) Compliance with applicable laws and regulations.
35. The definition of internal control developed by the Committee of Sponsoring Organizations (COSO) and included in the professional standards includes the reliability of financial reporting, the effectiveness and efficiency of operations and
b) Controls over the reliability of financial reporting are ordinarily most directly relevant to an audit but other controls may also be relevant.
36. Which statement is correct concerning the relevance of various types of controls to a financial audit?
a) Commissioned sales personnel.
37. Which of the following is not ordinarily considered a factor indicative of increased financial reporting risk when an auditor is considering a client's risk assessment policies?
b) Eliminates significant risks.
38. While obtaining an understanding of a client's risk assessment policies, an auditor does not ordinarily include how management
b) Segregation of duties over payroll.
39. When an auditor considers a client's internal control, which of the following is ordinarily a type of control activity that is considered?
d) Controller
4. In general, material irregularities perpetrated by which of the following are most difficult to detect?
c) Rights & Obligations and existence.
4. Two assertions for which confirmation of accounts receivable balances provides primary evidence are
d. Online, real-time systems
4. What type of computer system is characterized by data that are assembled from more than one location and records that are updated immediately?
b) Equal the planned assessed level of control risk.
40. When tests of controls reveal that controls are operating as anticipated, it is most likely that the assessed level of control risk will
a) Custody over securities should be limited to individuals who have record keeping responsibility over the securities.
41. Which of the following is not a control that is designed to protect investment securities?
d. General control procedures
5. An auditor anticipates assessing control risk at a low level in a computerized environment. Under these circumstances, on which of the following procedures would the auditor initially focus?
b) Presentation and disclosure.
5. An auditor's purpose in reviewing the renewal of a note payable shortly after the balance sheet date most likely is to obtain evidence concerning management's assertions about
d) The audit committee of the board of directors.
5. If, during the course of an annual audit of a publicly held manufacturing company, an independent auditor becomes aware of a reportable condition in the company's internal control, the auditor is required to communicate the reportable condition to
c. Systems development
6. For control purposes, which of the following should be organizationally segregated from the computer operations function?
c) Accounting records to the supporting evidence.
6. In testing the existence assertion for an asset, an auditor ordinarily works from the
d) To record the auditor's understanding of the client's I/C.
6. Which of the following best describes the primary reason for the auditor's use of flowcharts during an audit engagement?
d) Valuation or allocation.
7. An auditor's purpose in reviewing credit ratings of customers with delinquent accounts receivable most likely is to obtain evidence concerning management's assertions about
d. A computer log
7. One of the major problems in a computer system is that incompatible functions may be performed by the same individual. One compensating control is the use of
c) The work performed by internal auditors may be a factor in determining the nature, timing and extent of the independent auditor's procedures.
7. The independent auditor should acquire an understanding of the internal audit function as it relates to the independent auditor's consideration of the I/C because
b) Compliance with generally accepted auditing standards.
8. The auditor's understanding of the client's I/C is documented in order to substantiate
b) Examine the audited financial statements of the investee company.
8. To satisfy the valuation assertion when auditing an investment accounted for by the equity method, an auditor most likely would
b) Completeness.
9. Cutoff tests designed to detect credit sales made before the end of the year that have been recorded in the subsequent year provide assurance about management's assertion of
d. The process of updating old records is destructive
9. When disk files are used, the grandfather-father-son updating backup concept is relatively difficult to implement because
True. 1.Cash Disbursements is a component of the treasury function. 2.Cash Disbursements also cancels the documentation to prevent duplicate vouchers and checks.
Cash Disbursements evaluates the documentation to support a payment voucher and signs and mails the check.
The sales order department. The customer directly communicates the order via the Internet site. Thus, a sales order department is not needed to handle and process the order. Acceptance of the order, collection of payment, and scheduling of products for shipment are largely independent of human involvement.
A CPA is gaining an understanding of the internal controls for a client that sells garden products using an Internet site. Which of the following is not likely to be found on the client's organization chart?
Encryption. Encryption technology converts data into a code. Encoding data before transmission over communications lines makes it more difficult for someone with access to the transmission to understand or modify its contents.
A client communicates sensitive data across the Internet. Which of the following controls would be most effective to prevent the use of the information if it were intercepted by an unauthorized party?
Observe whether the data center is monitored. Physically observing that the data center is being monitored provides direct evidence that the control is in place and is being utilized effectively. The auditor will be able to see, first hand, if the control is preventing unauthorized access.
A client maintains a large data center where access is limited to authorized employees. How may an auditor best determine the effectiveness of this control activity?
Request the client to schedule the physical inventory count at the end of the year. If the assessment of the RMMs is high, the acceptable detection risk for a given level of audit risk decreases. The auditor should change the nature, timing, or extent of substantive procedures to increase the reliability and relevance of the evidence they provide. Thus, extending work done at an interim date to year end might be appropriate. Observation of inventory at year end provides more reliable and relevant evidence.
A client maintains perpetual inventory records in both quantities and dollars. If the assessment of the risks of material misstatement is high, an auditor will probably
Evaluate the reliability of information generated by the purchasing process. The auditor should obtain an understanding of internal control. The purpose of internal control is to address business risks that threaten the achievement of the following entity objectives: (1) reliability of financial reporting, (2) effectiveness and efficiency of operations, and (3) compliance with laws and regulations (AU-C 315).
A client's materials purchasing cycle begins with requisitions from user departments and ends with the receipt of materials and the recognition of a liability. An auditor's primary objective in reviewing this cycle is to
The receiving department clerk entered the quantity of the product received as 0. Reasonableness or limit tests are used to test quantities received to determine if they are within acceptable limits. Entry of a product number with 0 received is identified as probable error.
A client's program that recorded receiving report information entered directly by the receiving department on vendor shipment receipt included a reasonableness or limit test. Which of the following errors would this test likely detect?
Clerk 3 mails the checks and remittances after they have been signed. Certain duties should be segregated so that an individual cannot perpetrate and conceal fraud or error. The ideal structure segregates authorization of the transaction, recording of the transaction, and custody of the assets from the transaction. Clerk 3 should not both post the invoices to accounts payable (recording the transaction) and mail the checks after they have been signed (custody of the assets).
A company employs three accounts payable clerks and one treasurer. Their responsibilities are as follows: Employee Responsibility Clerk 1 Reviews vendor invoices for proper signature approval. Clerk 2 Enters vendor invoices into the accounting system and verifies payment terms. Clerk 3 Posts entered vendor invoices to the accounts payable ledger for payment and mails checks. Treasurer Reviews the vendor invoices and signs each check. Which of the following would indicate a weakness in the company's internal control?
Check digit verification. Check digit verification is used to identify incorrect identification numbers. The digit is generated by applying an algorithm to the ID number. During input, the check digit is recomputed by applying the same algorithm to the entered ID number.
A customer intended to order 100 units of product Z96014 but incorrectly ordered nonexistent product Z96015. Which of the following controls most likely would detect this error?
True. 1.Organizations such as the American National Standards Institute (ANSI) have defined virtually every type of business transaction in terms of their fields and information content. These are termed transmission sets. 2.By using such standards, communication between trading partners can be facilitated. When a trading partner sends a transmission set, the receiving computer can expect to receive the specified information in a specified format.
A distinction of EDI is that EDI transactions are formatted using strict standards that have been agreed to worldwide.
True. A hot site is a fully operational processing facility that is immediately available (e.g., a service bureau).
A hot site is an off-site backup hardware facility that is fully configured and ready to operate.
True. The controls over sales returns and allowances should assure proper approval and processing. The key controls include 1.Approval by the sales department to return goods 2.Receipt of the returned goods by the receiving department and preparation of a receiving report 3.The separate approval of the credit memo related to a sales return or allowance, that is, approval by someone not in the sales department.
A key control for sales returns is approval of the credit memo related to the sales return by someone not in the sales department.
Detect any fictitious employee who may have been placed on the payroll. A follow-up of unclaimed checks may result in identification of fictitious or terminated employees, thus eliminating an employee's opportunity to claim a paycheck belonging to a terminated employee. The unclaimed checks should then be turned over to a custodian so the internal audit function does not assume operating responsibilities.
A large retail enterprise has established a policy that requires the paymaster to deliver all unclaimed payroll checks to the internal audit department at the end of each payroll distribution day. This policy was most likely adopted to
False. 1.Lapping occurs when an employee with access to both the accounts receivable subsidiary ledger and customer payments steals a portion of the receipts without recording them in the customer accounts. To conceal the theft, subsequent receipts are posted to the accounts of customers whose payments were stolen. 2.A lockbox system provides for customer payments to be sent to a post office box and collected directly by the bank. 3.This system can assure that cash receipts are not abstracted by mail clerks or other employees.
A lockbox system cannot prevent lapping.
Add the program code that will sort orders by area, compute taxes in the aggregate, and compare the amount with the sum of individual taxes charged for each area. Sales taxes vary from one jurisdiction to another. Thus, the program should sort orders by area. Verification of the accuracy of the tax charges then can be obtained by calculating the total taxes for each area in two ways: applying the tax rate to total sales or adding the taxes charged on individual sales.
A mail-order retailer has just modified its processing programs to charge each customer the appropriate sales tax. The best approach for detecting whether sales taxes are applied correctly is to
Adopt a substantive audit approach. The assessment of risks is a basis for choosing the audit approach. A substantive audit approach is based only on substantive procedures. A combined audit approach applies tests of controls and substantive procedures. For example, the risk assessment procedures may not identify effective controls for the relevant assertion, or testing controls may be inefficient, e.g., because client documentation is not available. The result is that controls are not a factor in the risk assessment. In these cases, if the auditor adopts the substantive audit approach, (s)he needs to be satisfied that it will be effective in reducing audit risk to an acceptable level. For example, the substantive audit approach may not be feasible when the processing of routine transactions is highly automated with little manual intervention. In this case, the combined audit approach is chosen. Moreover, the auditor should design and perform some substantive procedures for all relevant assertions related to each material transaction class, account balance, or disclosure regardless of the assessment of the RMMs or the choice of audit approach.
A nonissuer audit client failed to maintain copies of its procedures manuals and organizational flowcharts. What should the auditor do in an audit of financial statements?
True. Reasonableness tests are made when appropriate, e.g., testing at the end of the week to assure that total hours recorded for an employee are not in excess of 40 hours or the acceptable limit.
A reasonableness test could be used to test the total hours recorded for each employee.
True. A remittance advice contains the customer's name, the invoice number, and its amount.
A remittance advice is part of or a copy of the sales invoice sent to a customer and intended to be returned with the payment.
True. A computer may print checks, record disbursements, and generate information for reconciling the account balance, which are activities customarily segregated in a manual system.
A separation of functions (authorization, recording, and access to assets) may not be feasible in a computer environment.
Reasonableness test. Reasonableness tests are used to test quantities received to determine whether they are comparable to an acceptable amount.
A test of a payroll system involved comparing an individual's number of overtime hours a week with an average of weekly overtime during a similar period in a prior year and evaluating the results. This is an example of what type of test?
File of all rejected sales transactions. Edit checks test transactions prior to processing. Rejected transactions should be recorded in a file for evaluation, correction, and resubmission. Edit checks are applied to the sales transactions to test for completeness, reasonableness, validity, and other related issues prior to acceptance. A report of missing invoices, a printout of all user code numbers and passwords, and a list of all voided shipping documents are unlikely to be direct outputs of the edit routine.
Able Co. uses an online sales order processing system to process its sales transactions. Able's sales data are electronically sorted and subjected to edit checks. A direct output of the edit checks most likely would be a
False. The Mail Room receives all customer receipts, opens the mail, separates the checks from the remittance advices, and prepares the daily remittance list.
Accounts Receivable receives all customer receipts, opens the mail, separates the checks from the remittance advices, and prepares a daily listing of the checks received (the daily remittance list).
True. E-commerce consideration includes additional controls such as 1.A firewall between the customer and internally stored client data. 2.Passwords for authorized or preferred customers. 3.Encryption procedures for transmission of sensitive information.
Additional controls for an e-commerce firm include a firewall, passwords, and encryption.
The assessment of the risks of material misstatement permits the auditor to rely on the controls. Although controls appear to be effective based on the understanding of internal control, the auditor should perform tests of controls when the assessment of the risks of material misstatement at the relevant assertion level includes an expectation of their operating effectiveness. This expectation reflects the auditor's intention to rely on the controls in determining the nature, timing, and extent of substantive procedures.
After gaining an understanding of a client's computer processing internal control, a financial statement auditor may decide not to test the effectiveness of the computer processing control procedures. Which of the following is not a valid reason for choosing to omit tests of controls?
Not increase the extent of substantive procedures. The auditor should obtain reasonable assurance about whether the financial statements are free from material misstatement to permit expression of an opinion on whether they are fairly presented. To obtain reasonable assurance, the auditor collects sufficient appropriate evidence to reduce audit risk to an acceptable level. For the given audit risk and the assessed inherent risk, a lower assessed control risk results in lower assessed risks of material misstatement and a higher acceptable detection risk. Detection risk relates to the nature, timing, and extent of audit procedures. For a higher acceptable detection risk, the less persuasive the audit evidence the auditor requires and the less need to increase the extent of substantive procedures (AU-C 200).
After obtaining an understanding of internal control in a financial statement audit, an auditor has concluded that it is well designed and is operating effectively. Under these circumstances, the auditor would most likely
Believes the controls are unlikely to be effective. The assessment of risks is a basis for choosing the audit approach. A substantive audit approach is based only on substantive procedures. A combined audit approach applies tests of controls and substantive procedures. For example, the risk assessment procedures may not identify effective controls for the relevant assertion, or testing controls may be inefficient, e.g., because client documentation is not available. The result is that controls are not a factor in the risk assessment. In these cases, if the auditor adopts the substantive audit approach, (s)he needs to be satisfied that it will be effective in reducing audit risk to an acceptable level. For example, the substantive audit approach may not be feasible when the processing of routine transactions is highly automated with little manual intervention. In this case, the combined audit approach is chosen.
After obtaining an understanding of internal control, an auditor of a nonissuer's financial statements may place no reliance on controls for some assertions because the auditor
True. The Controller reconciles the validated deposit ticket with the daily remittance list of cash received from the Mail Room.
After the receipts are deposited by Cash Receipts, the validated deposit ticket is returned to the Controller.
True. Depositing cash intact daily assures that the cash received and recorded on the daily remittance list can be reconciled with the deposit ticket validated by the bank.
All cash should be deposited intact daily.
Understatement of revenues and receivables and an overstatement of inventory. If goods are shipped before the sales are invoiced, inventory will not be credited for the shipments, thus overstating inventory. Moreover, if the accounting function does not receive copies of the invoices, sales and receivables will not be recorded, with the consequent understatement of those accounts.
Alpha Company uses its sales invoices for posting perpetual inventory records. Inadequate internal control over the invoicing function allows goods to be shipped that are not invoiced. The inadequate controls could cause an
The information used in monitoring may be accurate even though it is subject to ineffective control. When obtaining an understanding of each of the five components of internal control (including monitoring), the auditor must perform procedures to understand the design of relevant controls and must determine whether controls have been implemented. If (s)he intends to rely on the controls, (s)he must also determine their effectiveness. However, when controls based on monitoring leave no audit trail, for example, documentation of design or operation, evidence about effectiveness of design or operation may be obtained only by inquiries, observations, and computer-assisted audit methods. Moreover, substantive procedures likewise may provide no affirmative evidence of the effectiveness of monitoring controls because the information may be accurate even though controls over its creation are ineffective. Thus, the ineffectiveness of monitoring would not be revealed by substantive procedures unless the detection of material misstatements resulted in performance of additional audit procedures directed at the controls.
Although substantive tests may support the accuracy of underlying information used in monitoring, these tests may provide no affirmative evidence of the effectiveness of monitoring controls because
Provide a visual depiction of clients' activities. Systems flowcharts provide a visual representation of a series of sequential processes, that is, of a flow of documents, data, and operations. In many instances, a flowchart is preferable to a questionnaire because a picture is usually more easily comprehended.
An advantage of using systems flowcharts to document information about internal control instead of using internal control questionnaires is that systems flowcharts
True. 1.Vouchers will be pulled from the file on the due date and sent to Cash Disbursements for signing and mailing the check. 2.At the time the check is signed, the documentation, (i.e., payment voucher, approved invoice, requisition, purchase order, and receiving report) is canceled so that it cannot be used to support a duplicate payment.
An approved voucher would be placed in a tickler file arranged by due date based on the vendor's terms.
Branch office employees may access the server with a single call via modem. The system should employ automatic dial-back to prevent intrusion by unauthorized parties. This procedure accepts an incoming modem call, disconnects, and automatically dials back a prearranged number to establish a permanent connection for data transfer or inquiry.
An audit of the electronic data interchange (EDI) area of a purchasing department revealed the facts listed below. Which one indicates the need for improved internal control?
General controls. Relying on controls involves (1) identifying specific controls that are suitably designed to prevent, or detect and correct, material misstatements in relevant assertions; (2) performing tests of controls; and (3) assessing the RMMs. Some computer controls relate to all computer activities (general controls), and some relate to specific tasks (application controls). Because general controls have pervasive effects, they should be tested before application controls. If the general controls are ineffective, tests of the application controls over input, processing, and output are unlikely to permit the auditor to rely on controls.
An auditor anticipates relying on the operating effectiveness of controls in a computerized environment. Under these circumstances, on which of the following activities would the auditor initially focus?
Personal inquiry and observation. The segregation of duties reduces the opportunity for an individual to perpetrate and conceal fraud or error in the normal course of his/her duties. Authorization of transactions, recording of transactions, and custody of assets should be segregated. The best evidence that controls based on segregation of duties are operating as planned is provided by the auditor's own observation and inquiries.
An auditor generally tests the segregation of duties related to inventory by
Classification of revenue and expense transactions by product line. The auditor is primarily concerned with the fairness of external financial reporting and therefore with controls relevant to a financial statement audit. (S)he is less likely to test controls over records used solely for internal management purposes than those used to prepare financial statements for external distribution. Assertions about the presentation of transactions by product line are not typically made. Thus, the auditor is unlikely to expend significant audit effort in testing such classifications.
An auditor is least likely to test controls that provide for
The client requires users to share potentially useful downloaded programs from public electronic sources with only authorized employees. Sharing programs from public electronic sources with authorized employees is an ineffective control. The programs are available to anyone with access to the public electronic sources.
An auditor is obtaining an understanding of a client's Internet controls. Which of the following is most likely the least effective control?
Increasing the extent of substantive analytical procedures. When designing further audit procedures, the auditor obtains more persuasive evidence the higher the risk assessment. Thus, the auditor may increase the quantity of evidence or obtain more relevant or reliable evidence. Furthermore, the extent of audit procedures generally increases as the risks of material misstatement increase. For example, the auditor may increase sample sizes or perform more detailed substantive analytical procedures (AU-C 330).
An auditor may compensate for a high assessed risk of material misstatement by
Controls are not relevant to the assertions. The auditor's risk assessment procedures may not have identified any suitably designed and implemented controls that are relevant to the assertions. Another possibility is that testing of controls may be inefficient. But the auditor needs to be satisfied that performing only substantive procedures will be effective in reducing audit risk to an acceptable level.
An auditor may decide to perform only substantive procedures for certain assertions because the auditor believes
Source code comparison program. The best way to test for unauthorized computer program changes is to examine the program itself. By comparing a program under his/her control with the program used for operations, the auditor can determine whether unauthorized changes have been made.
An auditor most likely should test for the presence of unauthorized computer program changes by running a
Authorizing payroll rate changes for all employees. The payroll department should be independent of the human resources department, which would be responsible for authorizing all payroll rate changes for the employees of the entity. A supervisor would be authorized, however, to initiate requests for rate increases for supervised employees.
An auditor most likely would assess the risks of material misstatement as unacceptable if the payroll department supervisor is responsible for
Write-offs of delinquent accounts. The accounts receivable manager has the ability to perpetrate fraud because (s)he performs incompatible functions. Authorization and recording of transactions should be segregated. Thus, someone outside the accounts receivable department should authorize write-offs.
An auditor noted that the accounts receivable department is separate from other accounting activities. Credit is approved by a separate credit department. Control accounts and subsidiary ledgers are balanced monthly. Similarly, accounts are aged monthly. The accounts receivable manager writes off delinquent accounts after 1 year, or sooner if a bankruptcy or other unusual circumstances are involved. Credit memoranda are prenumbered and must correlate with receiving reports. Which of the following areas could be viewed as an internal control deficiency of the above organization?
Tests for and accumulates all amounts for items with style numbers indicating consigned merchandise. Given that items on the inventory file are marked appropriately with style numbers, the auditor can best determine whether consigned merchandise is included by using a program that identifies and accumulates those items with style numbers corresponding to consigned merchandise.
An auditor obtains a digital file that contains the dollar amounts of all client inventory items by style number. The auditor is aware that the client holds certain inventory styles on consignment for others. The auditor can best ascertain that the client's inventory is not overstated by using a computer program that
Valuation. The proper approval of credit provides assurance that the account receivable is collectible. Thus, it is related to the valuation assertion that balances are reported at appropriate amounts, e.g., accounts receivable at net realizable value.
An auditor tests an entity's policy of obtaining credit approval before shipping goods to customers in support of management's financial statement assertion of
Determine the acceptable level of detection risk for financial statement assertions. For a given audit risk, the acceptable detection risk (the auditor's risk) is inversely related to the assessed RMMs (the entity's risks) at the assertion level. Detection risk is the risk that audit procedures will not detect a material misstatement. It relates to the nature, timing, and extent of procedures performed to reduce audit risk to an acceptably low level. Thus, it depends on the effectiveness of audit procedures and their application by the auditor (AU-C 330).
An auditor uses the assessed risks of material misstatement to
Further audit procedures. The auditor uses the understanding of internal control and the assessment of the RMMs to design further audit procedures. These include tests of controls, if relevant, and substantive procedures.
An auditor uses the audit evidence provided by the understanding of internal control and the assessment of the risks of material misstatement to determine the nature, timing, and extent of
Time tickets with invalid job numbers. The auditor will most likely test computer controls for detection of time tickets with invalid job numbers. The validity of codes can be determined by the computer system. Testing of approvals, authorizations, and signatures usually require manual procedures.
An auditor who is testing computer controls in a payroll system will most likely use test data that contain conditions such as
Embedded audit module. Continuous monitoring and analysis of transaction processing can be achieved with an embedded audit module. An audit module embedded in the client's software routinely selects and abstracts certain actual transactions and other information with audit significance. They may be tagged and traced through the information system. A disadvantage is that audit hooks must be programmed into the operating system and applications. An alternative is recording in an audit log, i.e., in a file accessible only by the auditor.
An auditor who wishes to capture an entity's data as transactions are processed and continuously test the entity's computerized information system most likely would use which of the following techniques?
The payroll register. Ordinarily, the auditor examines the endorsements on payroll checks while obtaining an understanding of and testing the payroll cycle, which includes consideration of the payroll register.
An auditor will ordinarily ascertain whether payroll checks are properly endorsed during the audit of
Observation and inquiry. For some controls, documentation may not be available or relevant. For example, documentation of operation may not exist for (1) some factors in the control environment, such as assignment of authority and responsibility, or (2) some controls, such as computer controls. In such cases, evidence about effectiveness of operation may be obtained through inquiry combined with other procedures, e.g., observation or computer-assisted audit techniques.
An auditor wishes to perform tests of controls on a client's cash disbursements procedures. If the controls leave no audit trail of documentary evidence, the auditor most likely will test the controls by
Daily deposit slip. Preparing the bank deposit slip is a part of the custodial function, which is the primary responsibility of a cashier. The cashier is an assistant to the CFO and thus performs an asset custody function. The preparation of a bank deposit slip is an integral part of the custodial function, along with the depositing of remittances daily at a local bank.
An auditor would consider a cashier's job description to contain compatible duties if the cashier receives remittances from the mail room and also prepares the
True. Audit trails are essential to the processing of all transactions. In an EDI system, the trail should maintain information such as who has access to a transaction, time of access, the use of the transaction, etc. An activity log would provide this information and is an important component of the audit trail.
An auditor would consider failure to maintain an audit trail of EDI transactions a risk regarding an entity's use of electronic data interchange (EDI).
Understanding of the system. The auditor should document (1) the understanding of the entity and its environment and the components of internal control, (2) the sources of information regarding the understanding, and (3) the risk assessment procedures performed. The form and extent of this documentation are influenced by the nature and complexity of the entity's controls (AU-C 315). For example, documentation of the understanding of internal control of a complex information system in which many transactions are electronically initiated, authorized, recorded, processed, or reported may include questionnaires, flowcharts, or decision tables.
An auditor's flowchart of a client's accounting system is a diagrammatic representation that depicts the auditor's
An invoice is prepared for each shipping document. Tests of completeness determine whether all assets, liabilities, and equity interests are recorded properly. They emphasize the events rather than the existence of the documents. When a shipping document does not have a matching invoice, the relevant revenue is not recorded. The invoice is used to prepare the necessary journal entries.
An auditor's tests of controls for completeness of the revenue cycle usually include determining whether
True. An embedded audit module is an integral part of an application system that is designed to identify and report actual transactions and other information that meet criteria having audit significance.
An embedded audit module is part of an application system that is designed to identify and report actual transactions and other information that meet criteria having audit significance.
810. Input controls in batch computer systems are used to determine that no data are lost or added to the batch. Depending on the sophistication of a particular system, control may be accomplished by using record counts, financial totals, or hash totals. The hash total is a control total without a defined meaning, such as the total of employee numbers or invoice numbers, that is used to verify the completeness of data. The hash total of the invoice numbers is 810.
An entity has the following invoices in a batch: Invoice Number Product Quantity Unit Price 201 F10 150 $ 5.00 202 G15 200 10.00 203 H20 250 25.00 204 K35 300 30.00 Which of the following most likely represents a hash total?
A bank lockbox system. A lockbox system assures that cash receipts are not stolen by mail clerks or other employees. This system provides for customer payments to be sent to a post office box and collected directly by the bank.
An entity with a large volume of customer remittances by mail most likely can reduce the risk of employee misappropriation of cash by using
True. An information system consists of physical and hardware elements (infrastructure), people, software, data, and manual and automated procedures and often uses IT extensively.
An information system includes manual and automated procedures and often uses IT extensively.
Canceled checks and ascertain that the related receiving reports are dated no later than the checks. The best procedure is to test whether any checks have been issued without receiving reports. An appropriate sample of canceled checks and the related supporting documentation should be examined. The checks should not have been written before the dates on the receiving reports.
An internal control questionnaire indicates that an approved receiving report is required to accompany every check request for payment of merchandise. Which of the following procedures provides the greatest assurance that this control is operating effectively? Select and examine
Enabling shipment of customer orders to be initiated as soon as the orders are received. An online processing system can handle transactions as they are entered because of its direct connection to a computer network. Thus, shipment of customer orders may be initiated instantaneously as they are received. Batch processing is the accumulation and grouping of transactions for processing on a delayed basis.
An online sales order processing system most likely would have an advantage over a batch sales order processing system by
True. Application controls may be further classified as input controls, processing controls, and output controls.
Application controls may be further classified as input controls, processing controls, and output controls.
False. Console operators should not be assigned programming duties or responsibility for systems design and should have no opportunity to make changes in programs and systems as they operate the equipment.
Console operators should be assigned programming duties and make changes in programs and systems as they operate the equipment.
True. Custom, culture, the corporate governance system, and an effective control environment are not absolute deterrents to fraud. For example, if the nature of management incentives increases the risk of material misstatements, the effectiveness of controls may be diminished.
Corporate culture and an effective control environment are not absolute deterrents to management fraud.
False. Digital signatures represent a form of encryption technology used by businesses to authenticate documents.
Digital signatures are controls that use biometric technology.
False. Documentation of the understanding of internal control is required by GAAS.
Documentation of the understanding of internal control is not required by GAAS.
True. Computer processing ordinarily replaces the activities of clerks performing recording functions (e.g., updating the inventory file to record goods received from vendors and updating the open purchase order file).
Due to technological advancements, most of the record-keeping and filing for the purchases-payables-cash disbursements cycle are conducted by computer systems.
The owner reviews credit memos after they are recorded. The clerk can both perpetrate and conceal a fraud in the normal course of his/her duties. The clerk has custody of cash, performs the recordkeeping function for accounts receivable, and authorizes credit memos. Thus, the clerk could conceal a theft of cash collected from customers on account by authorizing sales returns. In a small business, cost-benefit considerations ordinarily preclude establishment of formal control activities. In this situation, effective owner-management involvement may compensate for the absence of certain control activities. Accordingly, the owner should determine that credit memos are genuine.
During the consideration of a small business client's internal control, the auditor discovered that the accounts receivable clerk approves credit memos and has access to cash. Which of the following controls would be most effective in offsetting this weakness?
Regarding the company's annual stockholder meeting. Control regarding the entity's annual shareholders' meeting is not a basic component of internal control. It does not affect every aspect of the operations of an entity.
Each of the following types of controls is considered to be an entity-level control, except those
Each employee should be asked to sign a receipt. Under a cash payroll system, the receipt signed by the employee is the only document in support of payment. The signed receipt is essential to verify proper payment.
Effective control over the cash payroll function would mandate which of the following?
Direct participation by the owner of the business in the recordkeeping activities of the business. The manner in which control objectives are achieved varies with the size and complexity of the entity. Thus, direct participation of an owner-manager in the recordkeeping and other activities of the business facilitates monitoring of employee actions. Such effective involvement may preclude the need for extensive accounting procedures, sophisticated information systems, or written policies.
Effective internal control in a small company that has an insufficient number of employees to permit proper division of responsibilities can best be enhanced by
Deter dishonesty by making employees aware that insurance companies may investigate and prosecute dishonest acts. Effective internal control, including human resources practices that stress the hiring of trustworthy people, does not guarantee against losses from embezzlement and other fraudulent acts committed by employees. Accordingly, an employer may obtain a fidelity bond to insure against losses arising from fraud by the covered employees. Prior to issuing this form of insurance, the underwriters investigate the individuals to be covered. Also, employees should be informed that bonding companies are diligent in prosecuting bonded individuals who commit fraud.
Employers bond employees who handle cash receipts because fidelity bonds reduce the possibility of employing dishonest individuals and
False. 1.Encryption technology converts data into a code. 2.Unauthorized users may be able to access the data, but without the encryption key, they will be unable to decode the information.
Encrypted data allow unauthorized users to access and read information.
False. 1.Preformatted screens are a way to ensure that employees enter complete information about a customer order. 2.Encryption is used to transmit sensitive information, so unauthorized users do not have access to it.
Encryption ensures that clerks properly and completely enter a customer order.
Investigation of variances within a formal budgeting system. A formal planning and budgeting system that estimates maintenance expense at a certain level will report a significant variance if capital expenditures are charged to the account. Investigation of the variance is likely to disclose the misclassification.
Equipment acquisitions that are misclassified as maintenance expense most likely would be detected by an internal control activity that provides for
False. Establishing and maintaining internal control is management's, not the auditor's, responsibility.
Establishing and maintaining internal control is the auditor's responsibility.
False. Evidence may be obtained through the auditor's direct observation of an individual who applies a control. This evidence is usually more reliable than that which is gathered through inquiries about the application of the control.
Evidence about the effectiveness of the operation of controls obtained directly by the auditor usually provides less assurance than evidence obtained indirectly or by inference, such as through inquiry.
True. Evidence obtained in prior audits may be considered in a new audit.
Evidence obtained in prior audits may be considered in a new audit.
For selected days, reconciling the total of customer food checks to daily bank deposits. Using the total of the customer food checks as a confirmation of sales would have detected the shortage in the bank deposit.
Fact Pattern: Management discovers that a supervisor at one of its restaurant locations removes excess cash and resets sales totals throughout the day on the point-of-sale (POS) system. At closing, the supervisor deposits cash equal to the recorded sales on the POS system and keeps the rest. The supervisor forwards the close-of-day POS reports from the POS system along with a copy of the bank deposit slip to the company's revenue accounting department. The revenue accounting department records the sales and the cash for the location in the general ledger and verifies the deposit slip to the bank statement. Any differences between sales and deposits are recorded in an over/short account and, if necessary, followed up with the location supervisor. The customer food order checks are serially numbered, and it is the supervisor's responsibility to see that they are accounted for at the end of each day. Customer checks and the transaction journal tapes from the POS system are kept by the supervisor for 1 week at the location and then destroyed. Which of the following audit procedures would have detected the fraud?
False. Firewalls do not provide adequate protection against computer viruses.
Firewalls provide adequate protection against computer viruses.
Observation and inquiry. When documentary evidence does not exist, evidence about the effectiveness of the operation of controls may be obtained through such methods as observation, inquiry, or computer-assisted techniques. Inquiry alone, however, will not ordinarily provide sufficient appropriate evidence to support the conclusion that the control is operating effectively.
For certain controls, such as assignment of authority and responsibility, documentary evidence may not exist. An auditor would most likely test the controls by
Systems development. Systems analysts survey the existing system, analyze the organization's information requirements, and design new computer systems to meet those needs. These design specifications guide the preparation of specific programs by computer programmers. The console operator should not be assigned programming duties, much less responsibility for systems design, and should not have the opportunity to make changes in programs and systems as (s)he operates the equipment.
For control purposes, which of the following should be organizationally separated from the computer operations function?
Write-offs of customer accounts. An employee who authorizes a transaction, such as the write-off of a receivable, ordinarily should not be responsible for recording the same transaction. Segregating the functions of authorization, recordkeeping, and custody of assets reduces the possibility that an employee may be able to perpetrate and conceal fraud or error in the normal course of his/her duties.
For effective internal control, employees maintaining the accounts receivable subsidiary ledger should not also approve
Establish the agreement of the vendor's invoice with the receiving report and purchase order. The accounts payable department is responsible for matching the vendor's invoice against the corresponding purchase order and receiving report. This procedure provides assurance that a valid transaction has occurred and that the parties have agreed on the terms, such as price and quantity.
For effective internal control, the accounts payable department ordinarily should
Data processing. The CFO (chief financial officer) performs the custodianship function. For a proper separation of functions, the CFO should not perform a recording function such as data processing.
For effective internal control, which of the following functions should not be the responsibility of the CFO's department?
True. Substantive procedures are performed for all relevant assertions related to material account balances, transaction classes, and disclosures.
For material balances, the risks of material misstatement cannot be sufficiently low to eliminate the need for all substantive procedures.
Purchases returned to vendors. Purchases returned to the vendor but not recorded overstate inventory records. The goods are reflected in inventory but are not on hand.
For several years a client's physical inventory count has been lower than what was shown on the books at the time of the count, and downward adjustments of the inventory account have been required. Contributing to the inventory problem could be material weaknesses in internal control that led to the failure to record some
Restrictively endorsed. All checks received from customers should be restrictively endorsed with the phrase "For Deposit Only" in the company account regardless of their date. They should be physically safeguarded until deposit.
For the purpose of effective internal control, postdated checks received from customers should be
Parallel simulation. Parallel simulation is a test of the controls in a client's application program. An auditor-developed program is used to process actual client data, and the output and exceptions report is compared with those of the client's application program. If the client's programmed controls are operating effectively, the two sets of results should be reconcilable.
For which of the following computer-assisted auditing techniques does the auditor use a controlled program?
False. 1.General controls are the umbrella under which the IT function operates. They support the application controls by helping to ensure the proper functioning of information systems. 2.They should be tested prior to evaluation of application controls.
General controls should be tested after evaluation of application controls.
Hot site. A company uses a hot site backup when fast recovery is critical. The hot site includes all software, hardware, and other equipment necessary for a company to carry out operations. Hot sites are expensive to maintain and may be shared with other organizations with similar needs.
If High Tech Corporation's disaster recovery plan requires fast recovery with little or no downtime, which of the following backup sites should it choose?
True. If the goods received are nonconforming, the Shipping Department will return them to the vendor and notify the Purchasing Agent so arrangements can be made with the vendor for another shipment.
If the goods received are nonconforming, they should be returned to the vendor, and the Purchasing Agent should be notified so arrangements can be made with the vendor for another shipment.
False. The auditor should document the following: 1.Overall responses to the assessed RMMs at the statement level 2.Nature, timing, and extent of further audit procedures and their connection with assessed risks at the relevant assertion level 3.Results of audit procedures 4.Audit conclusions if not otherwise clear 5.Conclusions about relying on controls based on audit evidence of their operating effectiveness obtained in previous audits
If the risks of material misstatement are assessed at a low level, the auditor need not document the conclusion or the response to the assessments.
Prepare a remittance listing. Effective control of cash requires that receipts be recorded promptly. For mail receipts, a listing of remittance advices by an employee not performing incompatible functions is a standard control procedure. If the customer does not return the remittance advice, one should be prepared at the time the mail is opened. If remittance advices are not used, a listing of receipts should still be made when the mail is opened.
Immediately upon receipt of cash, a responsible employee should
True. Validity checks are made to ensure that an employee record exists on the personnel file before any transactions are accepted.
In a computer payroll application, validity checks would be made to assure that an employee record exists.
Proper approval of overtime by supervisors. Approval of overtime by supervisors most likely entails initialing of time cards. Inspection by the auditor is the appropriate test of this control.
In a computerized payroll system environment, an auditor is least likely to use test data to test controls related to
False. 1.The auditor is not obligated to search for deficiencies in internal control, although (s)he must communicate any significant deficiencies and material weaknesses noted. 2.Internal control knowledge should be used to identify types of potential misstatements, consider factors that affect the risk of material misstatements, design tests of controls if appropriate, and design substantive tests.
In a financial statement audit, the auditor is obligated to search for deficiencies in internal control.
Recompute the calculations on vendors' invoices. The vouchers payable clerk (1) matches purchase orders, vendors' invoices, and receiving reports; (2) tests the calculations and terms on the vendors' invoices; and (3) prepares a disbursement voucher.
In a properly designed internal control system, the same employee most likely would match vendors' invoices with receiving reports and also
Separation of functions. In the usual retail cash sales situation, the sales clerk authorizes and records the transactions and takes custody of assets. However, management ordinarily employs other compensating controls to minimize the effects of the failure to separate functions. The cash receipts function is closely supervised, cash registers provide limited access to assets, and an internal recording function maintains control over cash receipts.
In a retail cash sales environment, which of the following controls is often absent?
Negotiate terms with vendors. To prevent or detect fraud or error in the performance of assigned responsibilities, duties are often segregated. Approving purchase orders and negotiating terms with vendors are part of the authorization process performed by the purchasing department.
In a well-designed internal control system, employees in the same department most likely would approve purchase orders, and also
Mail signed checks and also cancel supporting documents. The cash disbursements department has an asset custody function. Consequently, this department is responsible for signing checks after verification of their accuracy by reference to the supporting documents. The supporting documents should then be canceled and the checks mailed. Cancelation prevents the documentation from being used to support duplicate payments. Moreover, having the party who signs the checks place them in the mail reduces the risk that they will be altered or diverted.
In a well-designed internal control system, the same employee may be permitted to
Document the auditor's understanding of the entity's internal control. The auditor should document (1) the understanding of the entity and its environment and the components of internal control, (2) the sources of information regarding the understanding, and (3) the risk assessment procedures performed. The form and extent of the documentation are influenced by the nature and complexity of the entity's controls (AU-C 315).
In an audit of financial statements in accordance with generally accepted auditing standards, an auditor should
Document the auditor's understanding of the entity's internal control components. Documentation of the understanding of the internal control components is required by GAAS. Its form and extent are influenced by the nature and complexity of the entity's controls and the extent of the procedures performed by the auditor.
In an audit of financial statements of a nonissuer in accordance with GAAS, an auditor is required to
Affect the financial statement assertions. Assertions are management representations embodied in the financial statements. A relevant assertion has reasonable possibility of containing a misstatement that could cause material misstatements of the financial statements. Thus, a relevant assertion has a meaningful bearing on whether the account is materially misstated. Tests of controls are designed to evaluate the operating effectiveness of controls in preventing, or detecting and correcting, material misstatements at the assertion level. They should be performed when (1) the auditor's assessment of the RMMs at the relevant assertion level includes an expectation of the operating effectiveness of controls, or (2) substantive procedures alone do not provide sufficient appropriate evidence at the relevant assertion level. Thus, the auditor is primarily concerned with whether a control affects relevant financial statement assertions.
In an audit of the financial statements, an auditor's primary consideration regarding an entity's controls is whether they
False. Transmission protocols are rules on how each envelope or package of information is structured and processed by the communications devices so that messages are kept separate.
In an electronic data interchange (EDI) system, transaction protocols are paths that a message takes as it is sent from a sender to a recipient.
Control and distribution of unclaimed checks. If wages are not directly deposited into employees' bank accounts, paper checks must be physically distributed by the cash disbursements function. Any unclaimed checks should be turned over to an appropriate custodian for safe storage. Accordingly, the test data approach does not apply to the control and distribution of unclaimed checks. It is a method of testing computerized controls by processing dummy transactions, some of which should result in error listings.
In auditing an entity's computerized payroll transactions, an auditor would be least likely to use test data to test controls concerning
Tagging and tracing. Tagging and tracing describes the selection of specific transactions to which an indicator is attached at input. A computer trail of all relevant processing steps of these tagged transactions in the application system can be printed or stored in a computer file for auditor evaluation.
In auditing an online perpetual inventory system, an auditor selected certain file-updating transactions for detailed testing. The audit technique that will provide a computer trail of all relevant processing steps applied to a specific transaction is described as
True. 1.Implemented means the entity is using the control. 2.Operating effectiveness is concerned with how and by whom the control (manual or automated) was applied and the consistency of application.
In considering internal control, implemented differs from operating effectiveness.
True. Typical controls in the PPE cycle include (1) a periodic reconciliation of subsidiary records and the general ledger control account and (2) periodic comparisons of physical assets with subsidiary records.
In considering property, plant, and equipment (PPE), subsidiary records and the general ledger control account should be periodically reconciled.
Observe the segregation of duties concerning human resources responsibilities and payroll disbursement. In considering whether transactions actually occurred, the auditor is most concerned about the proper segregation of duties between the human resources department (authorization) and the payroll disbursement (custody function).
In determining the effectiveness of an entity's policies and procedures relating to the existence or occurrence assertion for payroll transactions, an auditor most likely would inquire about and
True. In evaluating the degree of assurance provided by various types of evidence relating to an assertion, the auditor should consider the interrelationship between them.
In evaluating the degree of assurance provided by various types of evidence relating to an assertion, the auditor should consider the interrelationship between them.
Review the entity's descriptions of inventory policies and procedures. The auditor makes inquiries of personnel, observes activities and operations, and reviews an entity's documentation of controls relevant to the management of inventories to obtain an understanding of internal control.
In obtaining an understanding of a manufacturing entity's internal control concerning inventory balances, an auditor most likely would
The size of the sample can be greatly expanded at relatively little additional cost. Parallel simulation uses a controlled program to reprocess sets of client transactions and compares those results with those of the client. The primary disadvantages are the initial cost of obtaining the software and the need for coordination with client personnel to gain access to transactions. However, the auditors have the freedom to process transactions (1) at their convenience, (2) using their own equipment, and (3) taking as long as necessary. Thus, the auditors can greatly increase the sample size at relatively little marginal cost.
In parallel simulation, actual client data are reprocessed using an auditor software program. An advantage of using parallel simulation, instead of performing tests of controls without a computer, is that
Verify the amount was entered accurately. The display of the amounts entered is an input control that permits visual verification of the accuracy of the input by the operator. This is termed "closed-loop verification."
In the accounting system of Acme Company, the amounts of cash disbursements entered at a computer terminal are transmitted to the computer, which immediately transmits the amounts back to the terminal for display on the terminal screen. This display enables the operator to
Verify that the amount was entered accurately. The display of the amounts entered is an input control that permits visual verification of the accuracy of the input by the operator. This is termed closed-loop verification.
In the accounting system of Apogee Company, the quantities counted by the receiving department and entered at a terminal are transmitted to the computer, which immediately transmits the amounts back to the terminal for display on the terminal screen. This display enables the operator to
False. The auditor obtains an understanding of internal control, including evaluating the design of controls and determining whether they have been implemented. The auditor also judges whether to apply tests of controls and assesses the risks of material misstatement.
In the audit of the financial statements, management is charged with obtaining an understanding of internal control, determining that controls are in place, judging whether to apply tests of controls, and ultimately assessing risks of material misstatement associated with the sales-receivables-cash receipts cycle.
True. In the integrated test facility (ITF) method, the auditor creates a dummy record within the client's actual system. Dummy and actual transactions are then processed. The auditor can test the edit checks by altering the dummy transactions and evaluating error listings.
In the integrated test facility (ITF) method, the auditor creates a dummy record within the client's actual system. Dummy and actual transactions are then processed. The auditor can test the edit checks by altering the dummy transactions and evaluating error listings.
True. The auditor can expect the controls to be applied to the transactions in the prescribed manner. Thus, the auditor is testing the effectiveness of the controls.
In the test data approach, the auditor prepares a set of dummy transactions specifically designed to test the control activities that management claims to have incorporated into the processing programs.
When transactions are high-volume and recurring. Automated controls are cost effective when they are applied to high-volume, recurring transactions. For example, credit limit checks on customer orders could be automated to relieve management from evaluating each customer order as it is received.
In which of the following circumstances would an auditor expect to find that an entity implemented automated controls to reduce risks of misstatement?
The firm uses a cash payment payroll function. Under a cash payroll system, the receipt signed by the employee is the only document in support of payment. The signed receipt is essential to verify proper payment.
In which of the following situations would it be most important to have employees sign for their pay?
Responsibility for the performance of each duty must be fixed. Effective internal control may be obtained by decentralization of responsibilities and duties. Fixing the responsibility for each performance or duty makes it easier to trace problems to the person(s) responsible and hold them accountable for their actions.
Internal control is a function of management, and effective control is based upon the concept of charge and discharge of responsibility and duty. Which of the following is one of the overriding principles of internal control?
False. The Purchasing Agent provides additional authorization and determines the appropriate vendor, often through bidding, to supply the appropriate quantity and quality of goods at the optimal price.
Inventory Control provides additional authorization and determines the appropriate vendor, often through bidding.
Achievement of the objectives of internal control. The control environment is the foundation of internal control. A commitment to competence is one of the factors in the control environment.
It is important for the auditor to consider the competence of the audit client's employees, because their competence bears directly and importantly upon the
True. The auditor need not test the operating effectiveness of controls when obtaining an understanding of internal control. However, the auditor should evaluate the design of controls and determine whether they have been implemented.
Knowledge about the operating effectiveness of controls need not be obtained as part of the understanding of internal control.
Signs the checks last. Checks for disbursements should be signed by a responsible person in the cash disbursements department after necessary supporting evidence has been examined. This individual also should be responsible for mailing the signed checks and remittance advices.
Mailing disbursement checks and remittance advices should be controlled by the employee who
False. Management's philosophy and operating style are critical parts of the internal control component of the control environment, which sets the tone of the organization.
Management's philosophy and operating style are critical parts of the internal control component of risk assessment.
Part of the audit trail is altered. In a manual payroll system, a paper trail of documents would be created to provide audit evidence that controls over each step in processing were operating effectively. One element of a computer system that differentiates it from a manual system is that a transaction trail useful for auditing purposes might exist only for a brief time or only in computer-readable form.
Matthews Corp. has changed from a system of recording time worked on clock cards to a computerized payroll system in which employees record time in and out with magnetic cards. The computer system automatically updates all payroll records. Because of this change
Report showing exceptions and control totals. Batch processing is useful for processing large volumes of data, especially when sorted in sequential order, for example, by customer number. Editing (validation) of data should produce a cumulative automated error listing that includes not only errors found in the current processing run but also uncorrected errors from earlier runs. Each error should be identified and described, and the date and time of detection should be given. The creation of the file also generates various totals that serve as controls over the accuracy of the processing.
Mill Co. uses a batch processing method to process its sales transactions. Data on Mill's sales transaction file are electronically sorted by customer number and are subjected to programmed edit checks in preparing its invoices, sales journals, and updated customer account balances. One of the direct outputs of the creation of this file most likely would be a
True. 1.Significant and rapid changes in information systems can affect control risk, but IT is important to the risk assessment process because it provides timely information for identifying and managing risks. 2.A shift in the regulatory or operating environment may require reconsideration of risks. 3.Integrating new technology into production or information processes may change risk.
New or revamped information systems, changes in the operating environment, and new technology are factors that affect risk for internal control.
True. 1.Control objectives and concepts are the same in a computer environment and a manual system. 2.Many procedures are the same. These procedures include (a) inquiries of entity personnel, (b) inspection of documents and reports, (c) observation of the application of specific controls, and (d) reperformance by the auditor.
Numerous controls in a computer environment are outside the computer system and can be tested using procedures applicable to a manual system.
Implemented. In all audits, the auditor should obtain an understanding of internal control. An understanding is obtained by evaluating the design of controls and determining whether they have been implemented. A control has been implemented if it exists and the entity is using it.
Obtaining an understanding of an internal control involves evaluating the design of the control and determining whether the control has been
Most construction is performed in-house. The risks of material misstatement for in-house construction are high. For example, the entity must allocate overhead, allocate labor costs between regular and construction labor, and estimate the interest cost to be capitalized. An outside construction company would send an invoice, and determining the amount to record would be relatively easy.
One objective of internal control is to record property, plant, and equipment (PPE) additions correctly as to account, amount, and period. Which of the following environmental considerations indicates that the risks of material misstatement of these additions are high?
False. Two clerks should be present in the Mail Room during the opening and recording of the receipts.
Only one clerk needs to be present in the Mail Room during the opening and recording of the receipts.
True. 1.Access controls are used requiring passwords and identification numbers. 2.Departments are limited to the changes that can be made to files.
Only the Human Resources department has access to the personnel master file and can make changes.
True. The key in a parallel simulation is for the auditor's program to include the client's edit checks. Thus, the client's results of processing, rejected transactions, and error listing should be the same as the auditor's.
Parallel simulation uses a controlled program to reprocess sets of client transactions and compares the auditor-achieved results with those of the client.
True. Payroll does not authorize transactions or handle (take custody of) assets.
Payroll accounting calculates pay but does not sign the paychecks.
False. 1.Periodic reconciliation of the accounts receivable subsidiary ledger and the accounts receivable control account in the general ledger establishes agreement of the total amounts posted. 2.However, the reconciliation cannot determine whether an amount was posted to the wrong account in the subsidiary ledger.
Periodic reconciliation of the accounts receivable subsidiary ledger and the accounts receivable control account in the general ledger can determine whether an amount was posted to the wrong account in the subsidiary ledger.
True. 1.Cross-footing compares an amount to the sum of its components. 2.A zero-balance check adds the positive and negative amounts posted. The result should be zero.
Processing controls include cross-footing and zero-balance checks.
An integrated test facility. The ITF or minicompany technique is a development of the test data method. It permits dummy transactions to be processed at the same time as live transactions but requires additional programming to ensure that programs will recognize the specially coded test data. Also, dummy files must be established (the test facility or dummy entity). Nevertheless, output (for example, control totals) is affected by the existence of the ITF transactions.
Processing data through the use of simulated files provides an auditor with information about the operating effectiveness of controls. One of the techniques involved in this approach makes use of
CFO. The write-off of uncollectible accounts requires effective controls. The initiation of the write-off is performed by the credit manager. However, authorization should be by an independent party, typically the CFO. The credit manager is evaluated, in part, on the amount of bad debt written off and should require significant evidence before initiating a write-off.
Proper authorization of write-offs of uncollectible accounts should be approved in which of the following departments?
Chief Financial Officer (CFO). The credit manager, who reports to the CFO, usually is responsible for authorizing write-offs of bad debts based on evidence such as aging reports and collection agency reports. The CFO, or another official not involved with sales transactions and recordkeeping, will also approve the write-off.
Proper authorization procedures in the revenue cycle usually provide for the approval of bad debt write-offs by an employee in which of the following departments?
Record and conceal fraudulent transactions in the normal course of assigned tasks. Proper segregation of duties and responsibilities reduces the opportunity for an individual to commit and conceal fraud in the normal course of his/her duties. Hence, different people should be assigned the responsibilities for authorizing transactions, recordkeeping, and asset custody.
Proper segregation of duties reduces the opportunities to allow any employee to be in a position to both
Substantive procedures to restrict detection risk for significant transaction classes. Regardless of the assessed risks of material misstatement (or the effectiveness of the relevant controls), the auditor should design and perform substantive procedures for all relevant assertions related to each material transaction class, account balance, and disclosure.
Regardless of the assessed risks of material misstatement, an auditor should perform some
False. A checklist is a series of steps that are performed. Systems (document) flowcharts represent a series of sequential processes. They provide a visual (pictorial) representation of the system.
Related to auditor documentation, a checklist is a series of sequential processes represented in pictorial form.
True. The auditor's understanding of relevant controls involves evaluating their design and determining whether they have been implemented. Tests of controls determine whether they are operating effectively to prevent, or detect and correct, material misstatements. Relying on controls ordinarily permits the auditor to reduce the audit effort devoted to performing substantive procedures.
Relying on controls to reduce the risks of material misstatement for relevant assertions requires auditors to obtain evidence about the design and operation of controls.
True. RMMs related to significant judgmental matters may be greater if they involve accounting estimates resulting from, among other things, the following: 1.Accounting principles subject to different interpretations 2.Subjective or complex judgments 3.Significant assumptions
Risks of material misstatement related to significant judgmental matters may be greater if they involve accounting estimates.
False. Routing the sales order copy through the Credit Manager would assure that goods are shipped only to customers who are likely to pay.
Routing the sales order copy through Billing assures that goods are shipped only to customers who are likely to pay.
The controls are operating effectively. Tests of controls obtain evidence about the operating effectiveness of controls in preventing, or detecting and correcting, material misstatements at the assertion level. Tests of controls address (1) how they were applied at relevant times during the period, (2) by whom or by what means they were applied, and (3) the consistency of their application during the period. Prior to performing tests of controls, the auditor evaluates whether they are suitably designed to prevent, or detect and correct, material misstatements in relevant assertions (AU-C 330).
Samples to test controls are intended to provide a basis for an auditor to conclude whether
Develop a program to compare credit limits with account balances and list the details of any account with a balance exceeding its credit limit. The auditor should consider developing a program to compare the balances with the credit limits and to list the exceptions. The auditor then can focus on those customers whose credit limits may have been exceeded.
Smith Corporation has numerous customers. A customer file is kept digitally. Each customer record contains the name, address, credit limit, and account balance. The auditor wishes to test this file to determine whether credit limits are being exceeded. The best procedure for the auditor to follow is to
Develop a program to compare credit limits with account balances and print out the details of any account with a balance exceeding its credit limit. The auditor should consider developing a program to compare the balances with the credit limits and to print out the exceptions. The auditor can then focus on those customers whose credit limits may have been exceeded.
Smith Corporation has numerous customers. A customer file is kept on disk storage. Each customer record contains the name, address, credit limit, and account balance. The auditor wishes to test this file to determine whether credit limits are being exceeded. The best procedure for the auditor to follow is to
Controls for documenting and approving programs and changes to programs. General controls are policies and procedures that relate to many applications and support the effective functioning of application controls by helping to ensure the continued proper operation of information systems. General controls commonly include controls over data center and network operations; systems software acquisition and maintenance; access security; and application system acquisition, development, and maintenance. Accordingly, they include (1) controls over operations to ensure efficient and effective operations of the computer activity; (2) the procedures for acquiring, developing, testing, documenting, and approving systems or programs and changes thereto; (3) controls over access to equipment and data files; and (4) other data and procedural controls affecting overall computer operations.
Some data processing controls relate to all computer processing activities (general controls) and some relate to specific tasks (application controls). General controls include
Receiving clerk. For control purposes, all receipts of goods or materials should be handled by the receiving clerk. Receiving reports should be prepared for all items received.
Sound internal control activities dictate that defective merchandise returned by customers be presented initially to the
False. Substantive procedures should be performed that respond specifically and with a high degree of reliability to significant risks of material misstatement.
Substantive procedures should be performed that respond specifically and with a low degree of reliability to significant risks.
True. The auditor tests the operating effectiveness of relevant controls if (1) the auditor has an expectation of their effectiveness, i.e., the auditor intends to rely on the controls to determine the nature, timing, and extent of the substantive procedures, or (2) substantive procedures alone cannot provide sufficient appropriate evidence at the relevant assertion level.
Tests of controls are performed when the auditor intends to rely on their operating effectiveness, or substantive procedures alone cannot provide sufficient appropriate evidence at the assertion level.
Can be performed using actual transactions or simulated transactions. Tests of controls, that is, determining whether the prescribed controls are operating effectively at the assertion level, can be performed using either actual or simulated transactions. For example, the integrated test facility (ITF) method uses both actual and simulated transactions.
Tests of controls in an advanced computer system
False. 1.The Credit Manager authorizes credit and initiates write-offs. 2.The Credit Manager should report to the CFO.
The Accounts Receivable department authorizes customer credit and initiates write-off of bad debts.
False. 1.Inventory Control provides authorization for the purchase of goods and performs an accountability function. 2.The Purchasing Agent issues purchase orders for required goods.
The Purchasing Agent provides authorization for the purchase of goods and performs an accountability function.
False. 1.The general ledger maintains the accounts receivable control account and records sales. 2.Daily summaries of sales are recorded in a sales journal. 3.Totals of details from the sales journal are posted periodically to the general ledger.
The accounts receivable subsidiary ledger maintains the accounts receivable control account and records sales.
True. GAAS generally refer to the assessment of the risks of material misstatement. But an auditor may separately assess the components of the RMMs: inherent risk and control risk. The assessed level of control risk is an evaluation of the effectiveness of internal control in preventing, or detecting and correcting, material misstatements. 1.The auditor assesses the RMMs at the relevant assertion level.
The assessed level of control risk is an evaluation of the effectiveness of internal control in preventing, or detecting and correcting, material misstatements.
True. The auditor inspects documentation and observes operations demonstrating that the computer processing department is operating as a service department independently of users and reporting to senior-level management. 1.Computer processing should be a service department. It should not initiate transactions or have responsibility for the custody of operating assets.
The auditor inspects documentation and observes operations demonstrating that the computer processing department is operating as a service department independently of users and reporting to senior-level management.
True. If the auditor determines that controls are effective by applying tests of controls, the auditor may decide to rely on the controls.
The auditor is charged with (1) evaluating the design of controls, (2) determining that controls have been implemented, (3) judging whether to apply tests of controls, and (4) assessing the risks of material misstatement associated with the purchases-payables-cash disbursement cycle accounts to plan the audit.
False. Management is responsible for the establishment of the controls over the sales-receivables-cash receipts cycle to ensure 1.Proper acceptance of the customer order 2.Granting of credit approval in accordance with credit limits 3.Safeguarding of assets associated with the sale 4.Timely shipment of goods to customers 5.Billing for shipments at authorized prices 6.Accounting for and collection of receivables 7.The recording, safeguarding, and depositing intact of cash (checks) received
The auditor is responsible for the establishment of the controls over the sales-receivables-cash receipts cycle.
True. 1.Tests of details may be dual-purpose tests. As substantive procedures, tests of details of transactions are designed to detect material misstatements at the assertion level. 2.As tests of controls, tests of details evaluate whether a control operated effectively.
The auditor may use tests of details of transactions concurrently as tests of controls.
True. The auditor should understand the information system relevant to financial reporting, that is, the classes of significant transactions; the automated and manual procedures applied from the occurrence of transactions to their inclusion in the statements; the related accounting records, supporting information, and specific accounts, how the system captures other significant events and conditions; and the financial reporting process, including significant accounting estimates and disclosures.
The auditor should gain an understanding of the IT systems, programs, and controls in the financial reporting process.
True. In all audits, the auditor should obtain an understanding of the entity and its environment, including internal control sufficient to plan the audit by performing procedures to understand the design of controls relevant to an audit of financial statements and to determine whether they have been implemented. The understanding includes consideration of how the use of IT and manual procedures affects controls.
The auditor should obtain a sufficient understanding of the entity and its environment, including its internal control, to assess the risk of material misstatement of the financial statements whether due to error or fraud and to design the nature, timing, and extent of further audit procedures.
Substantive procedures alone cannot provide sufficient appropriate audit evidence at the relevant assertion level. For some RMMs, the auditor may determine that it is not feasible to obtain sufficient appropriate audit evidence only from substantive procedures. These RMMs may relate to routine, significant transactions subject to highly automated processing with no documentation except what is recorded in the IT system. In such circumstances, the controls over the RMMs are relevant to the audit. Thus, the auditor should obtain an understanding of, and test, the controls.
The auditor should perform tests of controls when the auditor's assessment of the risks of material misstatement includes an expectation of the operating effectiveness of internal control or when
True. The auditor tests access controls by (1) attempting to sign on to the computer system using various passwords and ID numbers, (2) inspecting the system access log for completeness and appropriate use and follow-up (passwords required to be consistent with employees' responsibilities), and (3) observing that disposal of sensitive documents and printouts is controlled so that unauthorized persons cannot obtain information about passwords or ID numbers.
The auditor tests access controls by attempting to sign on to the computer system using various passwords and ID numbers.
True. The auditor tests the effectiveness of suitably designed controls at the relevant assertion level in two circumstances: 1.The assessment of the risks of material misstatement at the assertion level is based on the expectation that controls are operating effectively, or 2.Substantive procedures cannot provide sufficient appropriate evidence at the assertion level.
The auditor tests suitably designed controls at the relevant assertion level when the risk assessment is based on the expectation that controls are operating effectively.
False. 1.The auditor's controlled program in a parallel simulation may be a copy of the client's program that has been tested. 2.An expensive alternative is for the auditor to write a program that includes management's controls. Also, a program may be created from generalized audit software.
The auditor's controlled program in a parallel simulation cannot be a copy of the client's program.
Compliance with generally accepted auditing standards. The auditor should prepare audit documentation that is sufficient to permit an experienced auditor to understand (1) the nature, timing, and extent of audit procedures performed to comply with GAAS and other requirements; (2) the results and evidence obtained; and (3) significant findings or issues, the conclusions reached, and judgments made (AU-C 230). Thus, the auditor should document, among other things, his/her understanding of the components of internal control and the assessed risks of material misstatement at the financial statement and assertion levels (AU-C 315).
The auditor's understanding of internal control is documented to substantiate
True. The authorized employees, rates, and deductions from Human Resources, together with the authorized hours from Timekeeping, are used to calculate the payroll for the period.
The authorized employees from Human Resources together with the authorized hours from Timekeeping are used to calculate the payroll for the period.
True. When the goods arrive, the Receiving Department accepts the goods based on the authorization by the Purchasing Agent contained in the blind copy of the purchase order.
The blind copy of the purchase order prepared by the Purchasing Agent is the sole authorization required for the Receiving Department to accept goods when they arrive.
True. 1.The processing of records and maintenance of files are typically performed on a daily basis. 2.However, the calculation of the payroll is normally batch oriented because checks to employees are prepared periodically (e.g., weekly).
The calculation of the payroll is normally batch oriented.
The determination of the fair value measurements of the securities. The auditor should obtain an understanding of (1) the client's process for the determination of fair value measurements and disclosures and (2) the relevant controls. Available-for-sale and trading securities are required to be reported at fair value by U.S. GAAP.
The client has equity securities classified as available for sale. The auditor is most concerned about controls related to
Highlights abnormal conditions. The exception reporting system highlights abnormal conditions and allows the auditor to focus on problem areas. Exception reports, also called error listings, suspense listings, and edit reports indicate the errors discovered by the controls. They permit the auditor to evaluate the effectiveness with which errors are investigated and corrected and the corrected transactions resubmitted.
The client's computer exception reporting system helps an auditor to conduct a more efficient audit because it
True. Authorization, recording transactions, and asset custody should be performed by different departments to ensure proper segregation of duties.
The division of the duties of the transactions in the sales-receivables-cash receipts cycle is as follows: authorization, recording, and custody of assets.
True. Major transactions are authorized by the board of directors or others charged with governance.
The financing cycle concerns obtaining and repaying capital through noncurrent debt and shareholders' equity transactions.
True. Internal control consists of the following five interrelated components (a mnemonic to help recall these would be "CRIME," with the E representing Control Environment): 1.Control activities are the policies and procedures that help ensure management directives are carried out. 2.Risk assessment is the entity's identification, analysis, and management of relevant risks. 3.Information systems support the identification, capture, and exchange of information in a form and time frame that enable people to carry out their responsibilities. 4.Monitoring of controls is a process that assesses the quality of internal control performance over time. 5.Control environment sets the tone of an organization, influencing the control consciousness of its people. It is the foundation for all other components.
The five internal control components are control activities, risk assessment, information and communication, monitoring, and the control environment.
An error report. Symbol X is a document, that is, hard copy output of the validation routine shown. The time card data, the validated data, and the errors are recorded on magnetic disk after the validation process. Thus, either an error report or the valid time card information is represented by Symbol X.
The following is a section of a system flowchart for a payroll application: Symbol X could represent
True. 1.Accounts Payable (vouchers payable) assembles proper documentation to support a payment voucher. 2.Once a payment is authorized, it is recorded in the general ledger.
The general ledger maintains the accounts payable control account and other related general ledger accounts.
Appropriate goods are ordered so that sales can be made. The revenue cycle consists of the activities involving exchanges with customers and the collection in cash of the amounts paid for the goods or services provided. Ordering appropriate goods, an objective of the purchases-payables cycle, is only indirectly related to the revenue cycle.
The internal control objectives of the revenue cycle include all of the following except
False. 1.Reasonableness tests are used to test inventory quantities and billing amounts. 2.The inventory reasonableness test can be employed in conjunction with a validity check.
The inventory reasonableness test cannot be employed in conjunction with a validity check.
False. 1.The job time tickets, once used by Timekeeping, are sent to Cost Accounting to charge the work-in-process recorded on job cost sheets for the direct labor used in production. 2.The nonproductive labor is accumulated and reported as overhead incurred.
The job time tickets, once used by Timekeeping, are sent to Payroll to charge the work-in-process recorded on job cost sheets for the direct labor used in production.
Evaluate the reliability and integrity of financial information. Information systems provide data for decision making, control, and compliance with external requirements. Thus, auditors should examine information systems and, as appropriate, determine (1) whether financial records and reports contain accurate, reliable, timely, complete, and useful information and (2) controls over recordkeeping and reporting are adequate and effective.
The major purpose of the auditor's study and evaluation of the company's computer processing operations is to
Evaluate whether internal controls operated effectively. The auditor may use tests of details of transactions concurrently as tests of controls (i.e., as dual-purpose tests). As substantive procedures, their objective is to support relevant assertions or detect material misstatements in the financial statements. As tests of controls, their objective is to evaluate whether a control operated effectively.
The objective of tests of details of transactions performed as tests of controls is to
Custody of work-in-process and of finished goods is properly maintained. A principal objective of internal control is to safeguard assets. In the production cycle, control activities should be implemented to ensure that inventory is protected from misuse and theft. Accordingly, inventories should be in the custody of a storekeeper, and transfers should be properly documented and recorded to establish accountability.
The objectives of internal control for a production cycle are to provide assurance that transactions are properly executed and recorded, and that
True. The ideal segregation of duties is 1.Authorization of the transaction 2.Recording of the transaction 3.Custody over the assets (e.g., inventory, receivables, and cash) associated with the transaction
The organizational structure should segregate duties and responsibilities so that an individual is not in the position to perpetrate and conceal errors or fraud.
Understanding of the entity's internal control has been completed. The audit plan develops over the course of the audit. Thus, planning for risk assessment procedures occurs early in the audit. However, the nature, timing, and extent of further audit procedures cannot be determined until the auditor has performed risk assessment procedures to obtain an understanding of the entity and its environment, including its internal control, to assess the risks of material misstatement at the statement and assertion levels.
The portion of the audit plan for a financial statement audit that describes further audit procedures usually cannot be developed until the
True. 1.The results of a parallel simulation can be compared with the client's results to provide assurance that the edit checks (controls) have been applied during the period. 2.The primary disadvantages of this method are the cost of obtaining the program and the coordination effort required to obtain transactions to reprocess.
The primary advantage of parallel simulation is that transactions from throughout the period may be reprocessed.
False. The primary disadvantage is that it tests processing at only one moment in time.
The primary advantage of the test data approach is that it tests processing at one moment in time.
Authorization of transactions from the custody of related assets. In principle, the payroll function should be divided into its authorization, recording, and custody functions. Authorization of hiring, wage rates, and deductions is provided by human resources. Authorization of hours worked (executed by employees) is provided by production. Based upon these authorizations, accounting calculates and records the payroll. Based on the calculated amounts, the CFO prepares and distributes payroll checks.
The purpose of segregating the duties of hiring personnel and distributing payroll checks is to segregate the
Financial statement assertions. The auditor's objective is to identify and assess the RMMs, whether due to fraud or error, at the financial statement and relevant assertion levels. This objective is achieved through understanding the entity and its environment, including its internal control. The understanding provides a basis for designing and implementing responses to the assessed RMMs (AU-C 315 and AS No. 12).
The risks of material misstatement (RMMs) should be assessed in terms of
Payroll register entry. Determining whether payroll transactions occurred is an internal control objective of the human resources and payroll cycle. The payroll register records each payroll transaction for each employee. Thus, an entry in the payroll register is reconciled to time cards to test whether the recorded transaction actually occurred.
The sampling unit in a test of controls pertaining to the occurrence of payroll transactions ordinarily is a(n)
Material misstatements may exist in the financial statements. The auditor's objective is to identify and assess the RMMs, whether due to fraud or error, at the financial statement and relevant assertion levels. This objective is achieved through understanding the entity and its environment, including its internal control. The understanding provides a basis for designing and implementing responses to the assessed RMMs (AU-C 315 and AS No. 12). Moreover, the auditor's overall objectives in an audit include obtaining reasonable assurance about whether the statements as a whole are free from material misstatement (AU-C 200).
The ultimate purpose of understanding the entity and its environment and assessing the risks of material misstatement is to contribute to the auditor's assessment of the risk that
Increases system processing costs. Encryption software uses a fixed algorithm to manipulate plain text and an encryption key (a set of random data bits used as a starting point for the application of the algorithm) to introduce variation. The machine instructions necessary to encrypt and decrypt data require additional processing. As a result, processing costs increase.
The use of message encryption software
False. The voucher-disbursement system is applicable to virtually all required payments by the entity, not just purchases of inventory.
The voucher-disbursement system is applicable solely to the purchase of inventory.
True. The write-off of bad debts requires strong controls.
The write-off of bad debts requires strong controls.
Ascertain that production budgets and economic order quantities are integrated and have been used in determining quantities purchased. An economic order quantity (EOQ) model can be used to determine the order quantity (or production run) that minimizes the sum or order costs (or setup costs for production) and carrying costs, given annual demand. Production needs and the EOQ model should be coordinated to ascertain the optimal levels of raw materials purchases.
To determine whether an organization is purchasing excess raw materials, an internal auditor should
Enter invalid identification numbers or passwords to ascertain whether the system rejects them. Employees with access authority to process transactions that change records should not also have asset custody or program modification responsibilities. The auditor should determine that password authority is consistent with other assigned responsibilities. The auditor can directly test whether password controls are working by attempting entry into the system by using invalid identifications and passwords.
To obtain evidence that online access controls are properly functioning, an auditor most likely will
Examine a sample of password holders and access authority to determine whether they have access authority incompatible with their other responsibilities. Employees with access authority to process transactions that change records should not also have asset custody or program modification responsibilities. The auditor should determine that password authority is consistent with other assigned responsibilities. In addition, the auditor can directly test whether password controls are working by attempting entry into the system by using invalid identifications and passwords.
To obtain evidence that user identification and password controls are functioning as designed, an auditor should
Stamped "paid" by the check signer. To provide assurance that voucher documentation is not used to support a duplicate payment, the individual responsible for cash disbursements should examine the voucher and determine the appropriateness of the supporting documents, sign the check, cancel the payment documents, and mail the check to the vendor.
To provide assurance that each voucher is submitted and paid only once, an auditor most likely would examine a sample of paid vouchers and determine whether each voucher is
A separate ledger. Accounts receivable that are written off should be transferred to a separate ledger. This ledger should be maintained by the accounting department and periodically reviewed to determine if any of the accounts have become collectible.
To safeguard the assets through effective internal control, accounts receivable that are written off should be transferred to
Reperformance and observation. The auditor selects tests of controls from a variety of techniques such as inquiry, observation, inspection, recalculation, and reperformance of a control that pertains to an assertion. No one specific test of controls is always necessary, applicable, or equally effective in every circumstance.
To test the effectiveness of controls, an auditor ordinarily selects from a variety of techniques, including
Accounts receivable bookkeeper to update the subsidiary accounts receivable records. The individuals with recordkeeping responsibility should not have custody of cash. Hence, they should use either the remittance advices or a listing of the remittances to make entries to the cash and accounts receivable control account and to the subsidiary accounts receivable records. Indeed, having different people make entries in the control account and in the subsidiary records is an effective control.
Upon receipt of customers' checks in the mail room, a responsible employee should prepare a remittance listing that is forwarded to the cashier. A copy of the listing should be sent to the
True. The terminal makes a permanent record of the event that the clerk cannot erase.
Use of a cash register or sales terminal to record the sale is a compensating control for a cash sale environment.
True. Validity tests can also be used to determine that ordered part numbers exist on the inventory master file.
Validity tests can be used to determine that a customer exists in the accounts receivable master file.
The employee could pledge corporate investments as security for a short-term personal bank loan. The bank should maintain a record, which can be inspected by company personnel, of all safe-deposit box visits. Access should be limited to authorized officers. Firms typically require the presence of two authorized persons for access to the box. This precaution provides supervisory control over, for example, the temporary removal of the securities to serve as a pledge for a loan (hypothecation of securities).
What is a possible consequence of an employee's being able to visit the safe-deposit box unaccompanied?
Perform only substantive procedures on inventory. According to AU-C 330, Performing Audit Procedures in Response to Assessed Risks and Evaluating the Audit Evidence Obtained, the auditor may in some cases perform only substantive procedures and exclude the effect of controls from the relevant risk assessment. For example, (1) testing the operating effectiveness of controls may be inefficient, or (2) risk assessment procedures may not have identified effective controls relevant to the assertions. In these cases, the auditor does not intend to rely on controls.
What is the most likely course of action that an auditor would take after determining that performing substantive procedures on inventory will take less time than performing tests of controls?
False. Routine credit decisions are replaced by a computer program.
When a computer processing system is used to account for sales and receivables, routine credit decisions are typically made by the Credit Manager.
True. 1.Likely changes in an e-commerce environment include direct entry of the order by the customer, elimination of the sales order department, and payment by credit card. 2.Thus, accounts receivable will not be maintained. 3.Acknowledgment of the order acceptance would be immediately communicated to the customer via an email or other Internet response. 4.However, shipping department procedures and controls would be largely unaltered.
When a firm uses an Internet website to conduct sales and the payment is made by credit card, accounts receivable will not be maintained.
Manually reperforming, as of a moment in time, the processing of input data and comparing the simulated results with the actual results. This procedure describes what is termed auditing around the computer. The computer is treated as a black box, and only the inputs and outputs are evaluated. Because the actual controls may not be understood or tested, the technique is ordinarily inappropriate if the effectiveness of automated controls is important to the understanding of internal control and the assessment of control risk. Moreover, the auditor is concerned with the reliable operation of the controls throughout the audit period, not at a single moment in time.
When an accounting application is processed by computer, an auditor cannot verify the reliable operation of automated controls by
Extent of tests of details. An auditor should obtain an understanding of internal control to assess the RMMs. The greater (lower) the assessment of the RMMs, the lower (greater) the acceptable detection risk for a given level of audit risk. In turn, the acceptable audit risk affects substantive testing. For example, as the acceptable audit risk decreases, the auditor changes the nature, timing, or extent of substantive procedures to increase the reliability and relevance of the evidence they provide.
When an auditor increases the assessment of the risks of material misstatement because certain controls were determined to be ineffective, the auditor will most likely increase the
Test the operating effectiveness of such controls in the current audit. Controls that have changed must be tested for operating effectiveness before they can be relied on.
When an auditor plans to rely on controls that have changed since they were last tested, which of the following courses of action would be most appropriate?
Test data are processed by the client's computer programs under the auditor's control. In using the test data approach, the auditor prepares a set of dummy transactions specifically tailored to test the control procedures that management claims to have incorporated into the processing program. The auditor then processes these transactions using management's program and compares the expected results with the actual output of the program.
When an auditor tests a computerized accounting system, which of the following is true of the test data approach?
Test data are processed with the client's computer and the results are compared to the auditor's predetermined results. The test data are processed by the client's computer programs under the control of the auditor. These results are then compared to the auditor's expectations.
When an auditor tests the internal controls of a computerized system, which of the following is true of the test data approach?
Yes; Yes The understanding of the components of internal control, including the control environment, should be documented regardless of the degree of risk (AU-C 315). The overall responses to the assessed risks of material misstatement at the financial statement level also should be documented (AU-C 330).
When assessing the risks of material misstatement at a low level, an auditor is required to document the auditor's Understanding of the Entity's Control Environment; Overall Responses to Assessed Risks
Potential for computer disruptions in recording sales. Processing sales on the Internet (often called e-commerce) creates new and additional risks for clients. The client should use effective controls to ensure proper acceptance, processing, and storage of sales transactions. Threats include not only attacks from hackers but also system overload and equipment failure.
When evaluating internal control of an entity that processes sales transactions on the Internet, an auditor would be most concerned about the
Tests of controls and limited tests of current-year property and equipment transactions. The auditor usually performs tests of controls and substantive procedures (the combined audit approach). The auditor must make decisions about the nature, timing, and extent of substantive procedures that are most responsive to the assessment of the RMMs. These decisions are affected by whether the auditor has tested controls. Thus, the extent of relevant substantive procedures may be reduced when control is found to be effective.
When numerous property and equipment transactions occur during the year, an auditor who assesses the risks of material misstatement at a low level usually performs
Management may establish appropriate controls but not act on them. In obtaining an understanding of the control environment, the auditor seeks to understand the attitude, awareness, and actions concerning the control environment on the part of management and the directors. For this purpose, the auditor must concentrate on the substance of controls rather than their form because controls may be established but not acted upon. For example, management may adopt a code of ethics but condone violations of the code.
When obtaining an understanding of an entity's control environment, an auditor should concentrate on the substance of controls rather than their form because
Management may establish appropriate controls but not enforce compliance with them. The auditor must concentrate on the substance rather than the form of controls because management may establish appropriate controls but not apply them. Whether controls have been implemented at a moment in time differs from their operating effectiveness over a period of time. Thus, operating effectiveness concerns not merely whether the entity is using controls but also how the controls (manual or automated) are applied, the consistency of their application, and by whom they are applied.
When obtaining an understanding of an entity's internal control, an auditor should concentrate on their substance rather than their form because
False. When obtaining evidence about the operation of internal control during period remaining after an interim date, the auditor should consider 1.Assessed RMMs 2.Controls tested 3.The evidence about operating effectiveness 4.The duration of the remaining period 5.Any intended reduction of substantive procedures 6.The control environment 7.Significant changes in internal control
When obtaining evidence about the operation of internal control during an interim period, the auditor need not determine what additional evidence should be obtained for the remaining period.
False. Compensating controls can be established when the segregation of duties is not maintained.
When segregation of duties is not feasible, a company has no other way to establish controls.
False. 1.Several of the accounting clerk's functions are replaced by computer programs. 2.These include some of the duties of the timekeeping and payroll departments. 3.The objectives of control do not change.
When using a computer system to replace manual functions, the internal control objectives are modified for those functions.
True. To ensure that the sales returns and allowances function is effective, proper controls must be established, including a segregation of duties. The Sales Department should be responsible for the initial approval of sales returns and allowances.
When using effective internal controls, the Sales Department should be responsible for approval of the return of defective merchandise.
A segregation of duties between those authorized to dispose of equipment and those authorized to approve removal work orders. Segregation of duties reduces the opportunity for an individual both to perpetrate and to conceal fraud or error. Accordingly, the authorization, recording, and asset custody functions should be separated. Thus, the same individual should not approve removal work orders (authorization) and dispose of equipment (asset custody).
Which of the following activities is most likely to prevent the improper disposition of equipment?
Using test data to verify the performance of edit routines. The test data approach uses the computer to test the processing logic and controls within the system and the records produced. The auditor prepares a set of dummy transactions specifically designed to test the control activities that management claims to have incorporated into the processing programs. The auditor can expect the controls to be applied to the transactions in the prescribed manner. Thus, the auditor is testing the effectiveness of the controls over the payroll data.
Which of the following activities most likely would detect whether payroll data were altered during processing?
Reconciling the control totals for sales invoices with the accounts receivable subsidiary ledger. The accounts receivable subsidiary ledger contains all receivables outstanding to date. It is not feasible to attempt to reconcile current sales invoices with the accounts receivable subsidiary ledger. However, the accounts receivable subsidiary ledger should be reconciled to the general ledger control account periodically.
Which of the following activities most likely would not be an internal control activity designed to reduce the risk of errors in the billing process?
Approving a summary of hours each employee worked during the pay period. The department supervisor is in the best position to determine that employees are present and performing the assigned functions.
Which of the following activities performed by a department supervisor most likely would help in the prevention or detection of a payroll fraud?
No Yes Commitment to competence is a control environment element. It relates to the knowledge and skills needed to do the tasks included in a job and management's consideration of required competence levels.
Which of the following are considered control environment elements? Detection Risk; Commitment to Competence
Receiving department clerk. The receiving department clerk is involved in the purchases-payables cycle. The clerk counts the goods and prepares receiving reports that provide partial authorization for invoice payment.
Which of the following are not directly involved in the revenue cycle?
Sales orders are sent to the credit department for approval. The credit department should investigate potential customers and approve sales orders.
Which of the following best represents a key control for ensuring sales are properly authorized when assessing risks of material misstatement for sales?
Computer processing virtually eliminates the occurrence of computational error normally associated with manual processing. Computer processing uniformly subjects like transactions to the same processing instructions. A computer program defines the processing steps to accomplish a task. Once the program is written and tested appropriately, it will perform the task repetitively and without error. However, if the program contains an error, all transactions will be processed incorrectly.
Which of the following characteristics distinguishes computer processing from manual processing?
Integrated test facility (ITF). The ITF or minicompany technique is a development of the test data method. It permits dummy transactions to be processed at the same time as live transactions but requires additional programming to ensure that programs will recognize the specially coded test data. The test transactions may be submitted without the computer operators' knowledge.
Which of the following computer-assisted auditing techniques allows fictitious and real transactions to be processed together without the knowledge of client operating personnel?
Parallel simulation. Parallel simulation is a test of the controls in a client's application program. An auditor-developed program, not the client's program, is used to process actual client data and compare the outputs and exceptions report with those of the client's application program. If the client's programmed controls are operating effectively, the two sets of results should be reconcilable.
Which of the following computer-assisted auditing techniques processes client input data on a controlled program under the auditor's control to test controls in the computer system?
Controlling the mailing of the check and remittance advice. The cash disbursements department, which is responsible to the CFO, has an asset custody function that should be segregated from the recording function of the accounting department. Consequently, checks for disbursements should be signed by a responsible person in that department after necessary supporting evidence has been examined. This individual also should be responsible for canceling the supporting documentation and mailing the signed checks and remittance advices. The documentation typically consists of a payment voucher, requisition, purchase order, receiving report, and vendor invoice.
Which of the following control activities is not usually performed with regard to vouchers payable in the accounting department?
Comparison of daily journal entries with factory labor summary. Daily journal entries are made to record labor, materials, and overhead. Direct labor is posted from the daily factory labor summary. If the latter has been properly recorded, tracing the amounts to the journal entries will determine whether manufacturing overhead was incorrectly charged with direct rather than indirect labor.
Which of the following controls could best prevent direct labor from being charged to manufacturing overhead?
A validity check. A validity check tests the relationships among input items and other parts of the system, e.g., that customer 1272 on the sales order is included in the customer file.
Which of the following controls is most likely to detect an invalid customer number entered into the sales order entry screen?
Separation of duties for computer programming and computer operations. Programmers and analysts can modify programs, data files, and controls, so they should have no access to programs used to process transactions. Separation of programming and operations is necessary to prevent unauthorized modifications of programs.
Which of the following controls most likely could prevent computer personnel from modifying programs to bypass programmed controls?
Perpetual inventory records are independently compared with goods on hand. The recorded accountability for assets should be compared with existing assets at reasonable intervals. If assets are susceptible to loss through fraud or error, the comparison should be made independently. An independent comparison is one made by persons not having responsibility for asset custody or the authorization or recording of transactions.
Which of the following controls most likely would assist in reducing the risks of material misstatement related to the existence or occurrence of manufacturing transactions?
The check signer reviews and cancels the voucher packets. A control should be implemented to prevent an invoice from being paid twice. This can be accomplished by canceling the voucher and supporting documents.
Which of the following controls should prevent an invoice for the purchase of merchandise from being paid twice?
Write-offs must be approved by a responsible officer after review of credit department recommendations and supporting evidence. The CFO usually is responsible for authorizing write-offs of bad debts based on evidence such as receiving reports for the returned goods, correspondence with customers, collection agency reports, and recommendations by the credit department.
Which of the following controls will most likely prevent the concealment of a cash shortage resulting from the improper write-off of a trade account receivable?
An independent trust company that has no direct contact with the employees who have record-keeping responsibilities has possession of the securities. Assigning custody of trading securities to a bank or trust company provides the greatest security because such an institution normally has strict controls over assets entrusted to it and access to its vaults.
Which of the following controls would an entity most likely use in safeguarding against the loss of trading securities?
Select more effective substantive procedures. The nature, timing, and extent of the auditor's further audit procedures should respond to the assessed RMMs at the relevant assertion level. The greater the assessed RMMs, the more persuasive audit evidence should be. To obtain more persuasive audit evidence, the auditor may increase its quantity or obtain evidence that is more relevant or reliable. Accordingly, for high RMMs, the evidence should be more appropriate (relevant and reliable), and the auditor should select more effective substantive procedures.
Which of the following courses of action is the most appropriate if an auditor concludes that there is a high risk of material misstatement?
Salespeople are responsible for evaluating and monitoring the financial condition of prospective and continuing customers. Salespeople should be responsible for generating sales and providing service to customers. For effective control purposes, the credit department should be responsible for monitoring the financial condition of prospective and continuing customers in the credit approval process.
Which of the following credit approval procedures would be the basis for developing a deficiency finding for a wholesaler?
Credit manager. The CFO's primary responsibility is to safeguard assets. Although credit approval is an authorization process, assets are lost if credit is improperly granted. Thus, the credit manager should be responsible to one who has no vested interest in the granting of credit.
Which of the following employees should report to the chief financial officer?
Yes; Yes; Yes The control environment is the foundation for all other control components. It provides discipline and structure, sets the tone of the organization, and influences the control consciousness of employees. Its components include (1) participation of those charged with governance, (2) integrity and ethical values, (3) organizational structure, (4) management's philosophy and operating style, (5) assignment of authority and responsibility, (6) human resource policies and practices, and (7) commitment to competence.
Which of the following factors are included in an entity's control environment? Audit Committee Participation; Integrity and Ethical Values; Organizational Structure
The amount of time budgeted to complete the engagement. The understanding of internal control relevant to the audit helps the auditor to (1) identify types of potential misstatements, (2) identify factors affecting the risks of material misstatement, and (3) design further audit procedures. Thus, the auditor should understand the nature and characteristics of internal control, including its (1) purpose, (2) inherent limitations, (3) division into five components, and (4) manual and automated elements. Internal control addresses (1) the reliability of reporting, (2) the effectiveness and efficiency of operations, and (3) compliance with laws and regulations. How internal control is designed, implemented, and maintained to achieve its purpose varies with the entity's size and complexity. The understanding of internal control also (1) identifies the controls relevant to the audit and (2) involves performing risk assessment procedures to (a) evaluate the design of controls and (b) determine whether they have been implemented (AU-C 315). Accordingly, the time budgeted for the audit is the factor least likely to affect the understanding of internal control.
Which of the following factors is least likely to affect the extent of the auditor's understanding of the entity's internal controls?
The degree to which information technology is used in the accounting function. As internal control becomes more sophisticated, the documentation becomes more complex and extensive.
Which of the following factors is most likely to affect the extent of the documentation of the auditor's understanding of a client's system of internal controls?
Human judgment in the decision making process. Human judgment is faulty, and controls may fail because of simple error or mistake. For example, design changes for an automated order entry system may be faulty because the designers did not understand the system or because programmers did not correctly code the design changes. Errors also may arise when automated reports are misinterpreted by users. Furthermore, manual or automated controls can be circumvented by collusion, and management may inappropriately override internal control.
Which of the following factors would most likely be considered an inherent limitation to an entity's internal control?
Authorization of credit memos by personnel who receive cash may permit the misappropriation of cash. Ineffective controls in the revenue cycle, such as inappropriate segregation of duties and responsibilities, inadequate supervision, or deficient authorization, may result in the ability of employees to perpetrate fraud. Thus, sales personnel should approve sales returns and allowances but not the related credit memos. Moreover, no authorization for the return of goods, defective or otherwise, should be considered complete until the goods are returned as evidenced by a receiving report.
Which of the following fraudulent activities most likely could be perpetrated due to the lack of effective internal controls in the revenue cycle?
Approving vendors' invoices for payment. The accounts payable department is responsible for compiling documentation to support an account payable. This approval process is performed in the accounting department.
Which of the following internal control activities is not usually performed in the CFO's department?
Periodic physical inspection of plant and equipment by the internal audit staff. A periodic physical inspection by the internal audit staff is the best activity for verifying the existence of plant and equipment. Direct observation by an independent, competent, and objective internal audit staff helps to reduce the potential for fictitious acquisitions or other fraudulent activities. The result is a lower assessment of the RMMs.
Which of the following internal control activities most likely justifies reducing the assessment of the risks of material misstatement for plant and equipment acquisitions?
Daily sales summaries are compared with daily postings to the accounts receivable ledger. Daily sales summaries represent billed sales. Reconciliation with the postings to the accounts receivable ledger would provide assurance that billed sales were posted.
Which of the following internal control activities most likely would assure that all billed sales are correctly posted to the accounts receivable ledger?
Separation of duties between receiving cash and posting the accounts receivable ledger. Lapping is the delayed recording of cash receipts to cover a cash shortage. Current receipts are posted to the accounts of customers who paid one or two days previously to avoid complaints (and discovery) when monthly statements are mailed. The best protection is for the customers to send payments directly to the company's depository bank. The next best procedure is to ensure that the accounts receivable clerk has no access to cash received by the mail room. Thus, the duties of receiving cash and posting the accounts receivable ledger are separated.
Which of the following internal control activities most likely would deter lapping of collections from customers?
Use of time tickets to record actual labor worked on production orders. Time tickets should specifically identify labor hours as direct or indirect.
Which of the following internal control activities most likely would prevent direct labor hours from being charged to manufacturing overhead?
A bank lockbox system. A lockbox system ensures that cash receipts are not stolen by mail clerks or other employees. Customer payments are mailed to a post office box and collected directly by the bank.
Which of the following internal controls most likely would reduce the risk of diversion of customer receipts by an entity's employees?
The human resources department promptly sends employee termination notices to the payroll supervisor. The human resources department should forward personnel changes to payroll promptly to ensure that proper authorizations are used to calculate the payroll.
Which of the following is a control activity that most likely could help prevent employee payroll fraud?
Establishing budgets and forecasts to identify variances from expectations. The control activities component of internal control includes performance reviews. Performance reviews involve comparison of actual performance with budgets, forecasts, or prior performance. Identifying variances alerts management to the need for investigative and corrective actions. Such actions are necessary for effective supervision.
Which of the following is a management control method that most likely could improve management's ability to supervise company activities effectively?
Firewall. A firewall separates an internal from an external network (e.g., the Internet) and prevents passage of specific types of traffic. It identifies names, Internet Protocol (IP) addresses, applications, etc., and compares them with programmed access rules.
Which of the following is a network node that is used to improve network traffic and to set up a boundary that prevents traffic from one segment from crossing over to another?
Identify specific controls that are likely to prevent, or detect and correct, material misstatements and perform tests of controls. An auditor should obtain an understanding of controls relevant to the audit. Thus, the auditor should evaluate their design and determine whether they have been implemented. The evaluation of design considers whether the controls can effectively prevent, or detect and correct, material misstatements (AU-C 315 and AS No. 12). The auditor then tests relevant controls to obtain sufficient appropriate evidence about their operating effectiveness if (1) the auditor intends to rely on them in determining the nature, timing, and extent of substantive procedures, or (2) substantive procedures alone cannot provide sufficient appropriate evidence at the relevant assertion level (AU-C 330 and AS No. 13).
Which of the following is a step in an auditor's decision to rely on internal controls?
Activity logs that indicate failed transactions. Because an audit trail allows for the tracing of a transaction from initiation to its disposition, an activity log provides a key link in the process. Such a log provides information about users who have accessed the system, the files accessed, the processing accomplished, the time of access, and the amount of time the processing required.
Which of the following is an essential element of the audit trail in an electronic data interchange (EDI) system?
The computer flags any transmission for which the control field value did not match that of an existing file record. Validity checks test identification numbers or transaction codes for validity by comparison with items already known to be correct or authorized. For example, a validity check may identify a transmission for which the control field value did not match a pre-existing record in a file.
Which of the following is an example of a validity check?
Faulty human judgment. Human judgment is faulty, and controls may fail because of human error.
Which of the following is an inherent limitation in internal control?
A decrease in the assessed inherent risk. Substantive procedures are performed to detect material misstatements in management's assertions. The nature, timing, and extent of substantive procedures are determined by the acceptable level of audit risk. For a given audit risk, the acceptable detection risk is inversely related to the assessed risks of material misstatement. The assessed RMMs are combined assessments of control risk and inherent risk. Thus, a decrease in the assessed inherent risk (1) decreases the assessed RMMs for a given assessed control risk, (2) increases the acceptable detection risk, and (3) does not indicate a need for more persuasive audit evidence (AU-C-200).
Which of the following is least likely to indicate the need to increase the assurance provided by substantive testing?
Procedures manual. A procedures manual is one source of information about the client's internal control. However, the auditor normally does not prepare this manual and record information in it. The accounting procedures manual is a client document that explains the client's accounting system and how to implement it.
Which of the following is not a medium that can normally be used by an auditor to record information concerning internal control?
Allowing for greater management oversight of incompatible activities. Complete segregation may not be feasible due to cost-benefit restraints. Compensating controls most likely are established when segregation of duties is not feasible. Typical compensating controls may include more management oversight.
Which of the following is the best way to compensate for the lack of adequate segregation of duties in a small organization?
A compressed business cycle with lower year-end receivables balances. EDI transactions are typically transmitted and processed in real time. Thus, EDI compresses the business cycle by eliminating delays. The time required to receive and process an order, ship goods, and receive payment is greatly reduced compared with that of a typical manual system. Accordingly, more rapid receipt of payment minimizes receivables and improves cash flow.
Which of the following is usually a benefit of transmitting transactions in an electronic data interchange (EDI) environment?
Reduction of the frequency of data entry errors. The processing and transmission of electronic transactions, such as EFTs, virtually eliminates human interaction. This process not only helps eliminate errors but also allows for the rapid detection and recovery from errors when they do occur.
Which of the following is usually a benefit of using electronic funds transfer for international cash transactions?
Inspection. The auditor should perform other procedures in combination with inquiry to obtain evidence about the operating effectiveness of controls. Thus, inquiry by itself is not sufficient. Accordingly, inquiry combined with inspection, recalculation, or reperformance may be preferable to inquiry and observation. An observation is relevant only at a moment in time (AU-C 330). Inspection is an examination of internal or external records or documents in any medium. Inspection also includes physical examination of an asset (AU-C 500).
Which of the following most likely should be included as part of an auditor's tests of controls?
Final authorization of credit memos by personnel in the sales department could permit an employee defalcation scheme. Ineffective controls in the revenue cycle, such as inappropriate segregation of duties and responsibilities, inadequate supervision, or deficient authorization, may result in the ability of employees to perpetrate fraud. Thus, sales personnel should approve sales returns and allowances but not the related credit memos. Moreover, no authorization for the return of goods, defective or otherwise, should be considered complete until the goods are returned as evidenced by a receiving report.
Which of the following most likely would be the result of ineffective internal control in the revenue cycle?
Incompatible duties. Internal control has inherent limitations. The performance of incompatible duties, however, is a failure to assign different people the functions of authorization, recording, and asset custody, not an inevitable limitation of internal control. Segregation of duties is a category of control activities.
Which of the following most likely would not be considered an inherent limitation of the potential effectiveness of an entity's internal control?
O?Ca!FlSi. To be effective, passwords should consist of random letters, symbols, and numbers and should not contain words or phrases. Accordingly, computer system users should avoid employing words for or in their passwords.
Which of the following passwords would be most difficult to crack?
Observing an entity's employee prepare the schedule of past due accounts receivable. To test the effectiveness of controls, an auditor performs procedures such as inquiry, observation, inspection, recalculation, and reperformance of a control. Thus, observing an entity's employee prepare the schedule of past due accounts receivable provides evidence of the effectiveness of certain controls over accounts receivable.
Which of the following procedures concerning accounts receivable is an auditor most likely to perform to obtain evidence in support of the effectiveness of controls?
Canceling supporting documentation after payment. Checks for disbursements should be signed by a responsible person in the cash disbursements department after necessary supporting evidence has been examined. This individual therefore should be responsible for canceling the supporting documentation after payment.
Which of the following procedures in the cash disbursements cycle should not be performed by the accounts payable department?
Observe the consistency of the employee's use of cash registers and tapes. An assertion about completeness of transactions addresses whether all transactions that should be presented are included in the financial statements. To determine that controls are operating effectively to ensure that all cash receipts are being recorded for cash sales in a retail environment, the auditor may observe the activities of the employees. Controls should provide assurance that employees use cash registers that contain internal functions (e.g., tapes) to record all sales.
Which of the following procedures would an auditor most likely perform to test controls relating to management's assertion about the completeness of cash receipts for cash sales at a retail outlet?
Store duplicate copies of critical files in a location away from the computer center. Off-site storage of duplicate copies of critical files protects them from a fire or other disaster at the computing facility. The procedure is part of an overall disaster recovery plan.
Which of the following procedures would an entity most likely include in its computer disaster recovery plan?
Store duplicate copies of files in a location away from the computer center. Off-site storage of duplicate copies of critical files protects them from a fire or other disaster at the computing facility. The procedure is part of an overall disaster recovery plan.
Which of the following procedures would an entity most likely include in its disaster recovery plan?
Are direct borrowings on notes payable authorized by the board of directors? Control is enhanced when different persons or departments authorize, record, and maintain custody of assets for a class of transactions. Authorization of notes payable transactions is best done by the board of directors.
Which of the following questions would an auditor most likely include on an internal control questionnaire for notes payable?
Are purchase orders, receiving reports, and vouchers prenumbered and periodically accounted for? The completeness assertion concerns whether all transactions and accounts that should be presented are so included. Thus, management asserts that all purchases are recorded and included in the accounts. A standard control related to the completeness assertion for purchases is the use of prenumbered documents. Items missing from the numerical sequence may represent unrecorded transactions and accounts.
Which of the following questions would most likely be included in an internal control questionnaire concerning the completeness assertion for purchases?
The cost-benefit relationship is a primary criterion that should be considered in designing internal control. Internal control reflects the quantitative and qualitative estimates and judgments of management in evaluating the cost-benefit relationship. The cost of internal control should not exceed its benefits. Although the cost-benefit relationship is a primary criterion in designing controls, precise measurement of costs and benefits is usually impossible.
Which of the following statements about internal control is correct?
Testing the operating effectiveness of the relevant controls would not be efficient. The assessment of risks is a basis for choosing the audit approach. The risk assessment procedures may not identify effective controls for the relevant assertion, or testing controls may be inefficient. In these cases, the auditor may wish to use a substantive audit approach.
Which of the following statements best describes why an auditor would use only substantive procedures to evaluate specific relevant assertions and risks?
Transactions are reprocessed only by the client's computer programs. Parallel simulation is a test of the controls in a client's application program. An auditor-developed program, not the client's program, is used to process actual client data and compare the outputs and exceptions report with those of the client's application program. If the client's programmed controls are operating effectively, the two sets of results should be reconcilable.
Which of the following statements concerning the parallel simulation approach when testing a computerized accounting system is false?
Preventive controls generally are more important than detective controls in EDI systems. In general, preventive controls are more important than detective controls because the benefits typically outweigh the costs. In electronic processing, once a transaction is accepted, the opportunity to apply detective controls is often limited. Thus, preventing fraud or error is important.
Which of the following statements is correct concerning internal control in an electronic data interchange (EDI) system?
ITF reprocesses only actual, not fictitious, transactions. The ITF or minicompany technique is a development of the test data method. It permits dummy transactions to be processed at the same time as live transactions but requires additional programming to ensure that programs will recognize the specially coded test data. The auditor can test the controls by including various types of transactions to be processed.
Which of the following statements is false about the integrated test facility (ITF) method for testing a computerized accounting system?
Several transactions of each type must be tested. The test data approach includes preparation of dummy transactions by the auditor. These transactions are processed by the client's computer programs under the auditor's control. The test data consist of one transaction for each valid and invalid condition that interests the auditor. The computer processes all similar transactions in the same way. Accordingly, only one transaction needs to be tested to determine whether a control is working effectively.
Which of the following statements is false about the test data approach when testing a computerized accounting system?
The test data must consist of all possible valid and invalid conditions. The test data approach includes preparation of dummy transactions by the auditor. These transactions are processed by the client's computer programs under the auditor's control. The test data consist of one transaction for each valid and invalid condition that interests the auditor. Consequently, the test data need not consist of all possible valid and invalid conditions.
Which of the following statements is not true of the test data approach to testing an accounting system?
Encryption performed by physically secure hardware devices is more secure than encryption performed by software. Physically secure hardware for performing encryption is under the direct control of the client. Software is not easily controlled because it is portable. More control is achieved with the hardware approach. However, in the business environment, most encryption applications rely on software.
Which of the following statements is true concerning the security of messages in an electronic data interchange (EDI) system?
No one particular form of documentation is necessary, and the extent of documentation may vary. In accordance with the documentation requirements in AU-C 315, the auditor should document such matters as (1) discussions among the engagement team; (2) the understanding of the entity and its environment, including each internal control component, sources of information, and the risk assessment procedures; (3) the risk assessments; and (4) risks requiring special audit consideration. The form and extent of documentation vary with (1) the nature, size, and complexity of the entity and its controls; (2) the availability of information; and (3) the audit methods and technology used (AU-C 315).
Which of the following statements regarding auditor documentation of the understanding of the client's internal control components obtained to plan the audit is correct?
Translation software is needed to convert transactions from the entity's internal format to a standard EDI format. The conversion cost of transactions into a standard EDI format is a cost that must be incurred for an EDI process in order to transmit the transaction.
Which of the following statements represents an additional cost of transmitting business transactions by means of electronic data interchange (EDI) rather than in a traditional paper environment?
Continuous monitoring and analysis of transaction processing with an embedded audit module. An audit module embedded in the client's software routinely selects and abstracts certain transactions. They may be tagged and traced through the information system. An alternative is recording in an audit log, that is, in a file accessible only by the auditor.
Which of the following strategies would a CPA most likely consider in auditing an entity that processes most of its financial data only in electronic form, such as a paperless system?
Examine shipping documents for matching sales invoices. The proper starting point to determine whether all goods shipped were properly billed is the shipping documents. Tracing the shipping documents to the matching sales invoices provides assurance that controls worked effectively to ensure that all goods shipped were billed.
Which of the following tests of controls most likely will help assure an auditor that goods shipped are properly billed?
Have customers send payments directly to the company's depository bank. Lapping is the delayed recording of cash receipts to cover a cash shortage. Current receipts are posted to the accounts of customers who paid one or two days previously to avoid complaints (and discovery) when monthly statements are mailed. The best protection is for the customers to send payments directly to the company's depository bank. This procedure precludes client personnel from having access to the money.
Which of the following would be the best protection for a company that wishes to prevent the lapping of trade accounts receivable?
c. There are time delays in processing transactions in a batch system
3. Misstatements in a batch computer system caused by incorrect programs or data may not be detected immediately because
c) Employees in the normal course of performing their assigned duties.
10. In general, a reportable condition may be defined as a condition in which material errors or irregularities ordinarily would not be detected within a timely period by
d) Valuation.
10. Inquiries of warehouse personnel concerning possible obsolete or slow-moving inventory items provide assurance about management's assertion of
b. Logical relationships among conditions and actions
11. Decision tables differ from program flowcharts in that decision tables emphasize
d) Authorization, recording and custodial functions.
11. Proper segregation of functional responsibilities calls for separation of the
b. Conversion of information to machine-readable form
8. Which of the following activities would most likely be performed in the computer department?
c) Consideration of the internal control structure.
1. The independent auditor should acquire an understanding of a client's internal audit function to determine whether the work of internal auditors will be a factor in determining the nature, timing and extent of the independent auditor's procedures. The work performed by internal auditors might be such a factor when the work includes
b. It is usually easier for unauthorized persons to access and alter the files
1. Which of the following statements most likely represents a disadvantage for an entity that keeps microcomputer-prepared data files rather than manually prepared files?
b. Unscheduled maintenance
10. Any assessment of the operational capabilities of a computer system must consider downtime. Even in a fully protected system, downtime will happen because of
a) Inspection.
29. Which of the following procedures most likely would be included as part of an auditor's tests of controls?
True. The device authorization table will deny access to unauthorized terminals even when a valid password is used. For example, a person trying to access the accounts receivable file from a manufacturing terminal would be denied.
A device authorization table restricts access to those physical devices that should logically need access.
True. Management's assertions are included in the account balance, transaction class, and preparation and disclosure components of financial statements. They are used by the auditor to determine the types of potential misstatements.
A financial statement audit involves obtaining and evaluating evidence about management's assertions.
False. Areas of responsibility on a flowchart are usually depicted in vertical columns or areas.
Areas of responsibility on a flowchart are usually depicted in horizontal rows.
True. Cash Disbursements signs and deposits a check based on the payment voucher into a separate payroll account, prepares individual employee paychecks, and distributes paychecks.
Cash Disbursements prepares and distributes employee paychecks.
Understating the sales journal. Not recording sales on account in the books of original entry is the most effective way to conceal a subsequent theft of cash receipts. The accounts will be incomplete but balanced, and procedures applied to the accounting records will not detect the defalcation.
Cash receipts from sales on account have been misappropriated. Which of the following acts would conceal this defalcation and be least likely to be detected by an auditor?
Compare the daily cash receipts totals with the bank deposits. A standard control over the cash receipts function is to require that daily cash receipts be deposited promptly and intact. Thus, the total of cash receipts for a day should equal the bank deposit because no cash disbursements are made from the daily receipts. To determine whether cash receipts are promptly deposited, the auditor should compare the daily cash receipts totals with bank deposits.
Cash receipts should be deposited on the day of receipt or the following business day. What is the most appropriate audit procedure to determine that cash is promptly deposited?
True. For example, the sales clerk often authorizes the sale (e.g., acceptance of a check), records the sale (i.e., enters it on the sales terminal), and has custody of the assets related to the sale (i.e., cash and inventory).
Cash sales cycles often lack the segregation of duties necessary for the proper framework of control.
True. 1.Cost-benefit considerations typically affect the organizational structure and complete segregation may not be feasible. 2.Typical compensating controls may include more supervision and owner involvement in the process.
Compensating controls will likely be established when the segregation of duties is not maintained.
Logical relationships among conditions and actions. A decision table identifies the contingencies considered in the description of a problem and the appropriate actions to be taken relative to those contingencies. Decision tables are logic diagrams presented in matrix form. Unlike flowcharts, they do not present the sequence of the actions described.
Decision tables differ from program flowcharts in that decision tables emphasize
Obtaining third-party written quality and quantity reports prior to payment for the raw materials. Obtaining third-party written quality and quantity reports prior to payment for raw materials is unnecessary. Only in exceptional cases when client personnel are not sufficiently knowledgeable about the purchased goods would outside advice be necessary.
Effective controls relevant to purchasing of raw materials should usually include all of the following except
True. Advantages of EDI include reduction of clerical errors, speed, and the elimination of repetitive clerical tasks. EDI also eliminates document preparation, processing, filing, and mailing costs.
Elimination of document preparation, processing, and mailing costs are advantages of EDI.
A validity check. A validity check can be used to determine the consistency of one field with another.
Fact Pattern: A sales transaction record designed to contain the information presented below. Column Information 1-10 Customer account number 11-30 Customer name 31-38 Amount of sale 39-44 Sales date 45-46 Store code number 47-49 Sales clerk number 50-59 Invoice number If a record is rejected during computer processing because the sales clerk whose identification number appears on the record does not work at the store indicated by the numbers in columns 45 and 46, the error was probably detected by which of the following?
A field check. The erroneous entry of a customer's name into the field that should contain the amount of the sale is detected by a field check. This control identifies an alphabetic character in a field that should contain only numeric characters.
Fact Pattern: A sales transaction record designed to contain the information presented below. Column Information 1-10 Customer account number 11-30 Customer name 31-38 Amount of sale 39-44 Sales date 45-46 Store code number 47-49 Sales clerk number 50-59 Invoice number If the last letter of a customer's name is erroneously entered in column 31, which of the following is most likely to detect the error during an input edit run?
The accounting for customer food checks by the supervisor. An inappropriate segregation of duties existed because the supervisor was responsible for accounting for customer food checks and depositing receipts and had the ability to reset POS totals throughout the day.
Fact Pattern: Management discovers that a supervisor at one of its restaurant locations removes excess cash and resets sales totals throughout the day on the point-of-sale (POS) system. At closing, the supervisor deposits cash equal to the recorded sales on the POS system and keeps the rest. The supervisor forwards the close-of-day POS reports from the POS system along with a copy of the bank deposit slip to the company's revenue accounting department. The revenue accounting department records the sales and the cash for the location in the general ledger and verifies the deposit slip to the bank statement. Any differences between sales and deposits are recorded in an over/short account and, if necessary, followed up with the location supervisor. The customer food order checks are serially numbered, and it is the supervisor's responsibility to see that they are accounted for at the end of each day. Customer checks and the transaction journal tapes from the POS system are kept by the supervisor for 1 week at the location and then destroyed.
False. Misstatements detected by substantive procedures may imply that controls are ineffective. However, nondetection of misstatements is not evidence of effectiveness.
Failure to detect misstatements by performing substantive procedures implies that controls are effective.
Online recording of the transaction on an audit override sheet. Control over large cash withdrawals can be improved further by separately recording these transactions. The additional documentation provides an audit trail that the auditor may follow to determine whether the special procedures have been followed.
First Federal S&L has an online, real-time system, with terminals installed in all of its branches. This system will not accept a customer's cash withdrawal instruction in excess of $1,000 without the use of a "terminal audit key." After the transaction is authorized by a supervisor, the bank teller then processes the transaction with the audit key. This control can be strengthened by
False. 1.Input controls are critical to auditors because they represent the most prevalent type of control. 2.Input system activities are the most error prone and are often the targets of fraud.
Input system activities are the least error prone and are rarely the targets of fraud.
False. 1.The inherent limitations of internal control mean that it can be designed and operated to provide only reasonable assurance that control objectives are met. 2.Inherent limitations include human judgment, circumvention of manual or automated controls by collusion, and the ability of management to inappropriately override internal control.
Internal control can be designed and operated to provide absolute assurance that control objectives are met.
False. Intranets and extranets are defined by who has access.
Intranets and extranets are defined by the physical area over which they provide communications.
Using predetermined totals to control posting routines. A control total should be generated for the transactions to be posted. It then should be compared with the total of items posted to the individual accounts.
One of two office clerks in a small company prepares a sales invoice for $4,300; however, the invoice is incorrectly entered by the bookkeeper in the general ledger and the accounts receivable subsidiary ledger as $3,400. The customer subsequently remits $3,400, the amount on the monthly statement. Assuming there are only three employees in the department, the most effective control to prevent this type of error is
False. Paychecks are distributed by Cash Disbursements, usually by the paymaster.
Paychecks are distributed by Accounts Payable.
Authorization, recording, and custody. One person should not be responsible for all phases of a transaction, i.e., for authorization of transactions, recording of transactions, and custodianship of the related assets. These duties should be performed by separate individuals to reduce the opportunities to allow any person to be in a position both to perpetrate and conceal fraud or error in the normal course of his/her duties.
Proper segregation of functional responsibilities to achieve effective internal control calls for separation of the functions of
Approved purchase order. A receiving department should accept merchandise only if a purchase order or approval granted by the purchasing department is on hand.
The authority to accept incoming goods in receiving should be based on a(n)
True. Cost and benefit considerations may affect the organizational structure, and complete segregation may not be feasible.
The ideal organizational structure should segregate duties and responsibilities into authorization of the transaction, recording of the transaction, and custody over the assets associated with the transaction.
Knowledge necessary for audit planning. The auditor is required to obtain an understanding of the entity and its environment, including its internal control, to assess the risks of material misstatement of the financial statements, whether due to fraud or error, to provide a basis for responding to the assessed RMMs. The auditor obtains the understanding and assesses the RMMs to plan the audit. The audit plan describes (1) the risk assessment procedures, (2) further audit procedures at the assertion level, and (3) other procedures required by GAAS.
The primary objective of procedures performed to obtain an understanding of internal control is to provide an auditor with
False. The processing is presented sequentially from the point of origin to final output distribution.
The processing in a flowchart is presented sequentially from the final output distribution to the point of origin
True. The degree of assurance provided is a function of the type of evidence, its source, its timeliness, and the availability of other evidence related to the conclusion.
The sufficiency of evidence is a matter of auditor judgment.
True. The evidence obtained by some tests of controls, such as observation, pertains only to the moment in time at which the audit procedure was performed. Thus, such evidence may be insufficient for periods not subjected to such tests.
Timeliness of evidence concerns when it was obtained and the portion of the audit period to which it applies.
Cash disbursements and vendor invoice verification. The functions of cash disbursements (custody of assets) and invoice verification (recordkeeping) should be segregated for effective internal control. Invoice verification should be done by an employee outside the CFO's department.
To avoid potential errors and fraud, well-designed internal control in the accounts payable area should include a segregation of which of the following functions?
Sales returns. To conceal a theft of customer payments on account, a bookkeeper debits sales returns and credits accounts receivable. If accounts receivable are not credited, the customer will continue to be billed and will complain.
To conceal defalcations involving receivables, the auditor would expect an experienced bookkeeper to charge which of the following accounts?