Ch. 6: Gaining an Understanding of the Client's System of Internal Control
In an entity under audit, employees have the opportunity to change their time worked after their time cards have been approved. This is an example of which of the following types of deficiency? a) Design b) Operating c) Accounting d) Procedural
a) Design - This would be considered a deficiency in design, since a necessary control to prevent the unauthorized alteration of employee time cards is missing.
The internal control component that addresses how an organization holds an individual accountable for his or her internal control responsibilities in pursuit of objectives is related to: a) The control environment b) Control activities c) Risk assessment d) Information and communication
a) The control environment
Transaction-level controls are those controls that ______ a) respond to things that can go wrong with transactions b) are used reactively to determine where problems have occurred c) management have suggested the auditor implement d) deal with the financial statements in general
a) respond to things that can go wrong with transactions
An auditor's understanding of a client's system of internal control _____ a) will help the auditor to determine areas of risk to direct audit attention and resources to b) is optional, and should only be conducted for larger clients c) is unrelated to the level of substantive procedures an auditor will conduct d) is a helpful tool to determine the accuracy of account balances and transactions
a) will help the auditor to determine areas of risk to direct audit attention and resources to
Key assertions pertaining to the audit of credit sales are ______ a) completeness and valuation b) accuracy and occurrence c) rights and obligations d) valuation and allocation
b) accuracy and occurrence
A control ensuring that sales are recorded in the sales ledger is a(n) _______-level control a) division b) transaction c) entity d) function
b) transaction
Controlling program development, program changes, computer operations, and securing access to programs and data is the purpose of ______ a) tech controls b) manual controls c) IT general controls d) independent controls
c) IT general controls
Which of the following is a general control that would most likely assist an entity whose systems analyst left the entity in the middle of a major project? a) Grandfather-father-son record retention b) Input and output validation routines c) Systems documentation d) Check digit verification
c) Systems documentation - Systems documentation is a general control that would assist an entity whose system analyst left in the middle of a major project. Such documentation would be prepared for each application system and would include narratives and flowcharts. It would document the work completed to date on the project (ideally) and enable an analyst to take over.
A deficiency in internal control is described as _______ a) a deficiency, or combination of deficiencies in internal control b) a deficiency that has created a reasonable possibility of a material misstatement c) a deficiency in the design or operation of a single control that does not allow management to prevent and correct misstatements on a timely basis d) a combination of deficiencies in internal control which are as severe as a material weakness
c) a deficiency in the design or operation of a single control that does not allow management to prevent or correct misstatements on a timely basis
Which of the following factors is most likely to affect the extent of the documentation of the auditor's understanding of a client's system of internal controls? a) The degree to which the auditor intends to use internal audit personnel to perform substantive tests b) The industry and the business and regulatory environments in which the client operates c) The relationship between management, the board of directors, and external stakeholders d) The degree to which information technology is used in the accounting function.
d) The degree to which information technology is used in the accounting function. - This answer is correct because differences in information technology use will have a major effect. - Example: Documentation of the understanding of a complex information system with a large volume of transactions may include flowcharts, questionnaires, and/or decision tables; documentation of an information system with limited or no use of IT and few transactions may be in the form of a memorandum.
A deficiency in an operation exists when ______ a) an improperly designed control does not operate as designed or the person performing the control possesses the necessary authority or competence to perform the control effectively b) it has become clear to the auditor that performance of the operation creates significant risk that a material misstatement will not be detected by the client system c) properly designed control operates as designed and the person performing the control possesses the necessary authority or competence to perform the control effectively d) a properly designed control does not operate as designed or the person performing the control does not possess the necessary authority or competence to perform the control effectively
d) a properly designed control does not operate as designed or the person performing the control does not possess the necessary authority or competence to perform the control effectively.
It is important for an auditor to understand a public company's system of internal control in order to: a) audit internal control over financial reporting b) make a preliminary assessment of control risk c) develop an audit strategy d) all of these answers are correct.
d) all of these answers are correct
If an employee who has access to the custody of assets steals a cash remittance and covers the theft by recording a bad-debt write off, there was likely a failure. in the category of ______ a) physical controls b) performance reviews c) authorization control d) segregation of duties
d) segregation of duties
In obtaining an understanding of an entity's internal control relevant to audit planning, an auditor is required to obtain knowledge about the a) Design of the controls pertaining to internal control components b) Effectiveness of controls that have been implemented c) Consistency with which controls are currently being applied d) Controls related to each principal transaction class and account balance
a) Design of controls pertaining to internal control components - The requirement is to identify the knowledge that an auditor must obtain when obtaining an understanding of an entity's internal control sufficient for audit planning. - a) is correct because an auditor must obtain an understanding that includes knowledge about the design of relevant controls and records and whether the client has placed those controls in operation. - Answers b) and c) are incorrect because auditors may choose not to obtain information on operating effectiveness of controls and their consistency in application. Answer d) is incorrect because there is no such explicit requirement relating to controls; see AU-C 315 for the necessary understanding of internal control.
Which of the following types of control best describes procedures to ensure appropriate systems software acquisition? a) General b) Physical c) Application d) Monitoring
a) General - Understanding the entity and its environment and assessing the risks of material misstatement (AICPA Professional Standards) point out that general IT controls include controls over: (1) data center and network operations (2) system software acquisition (3) program change (4) access security (5) application system acquisition, development, and maintenance (AU-C 315.A107)
Those charged with governance of an organization _____ a) Have an obligation to be concerned with the entity's financial reporting to shareholders and the investing public b) Cannot be legally held responsible for those actions of the company c) Should rely on the auditors for guidance d) Should always be sure to look out for their own interests as well as those of the company
a) Have an obligation to be concerned with the entity's financial reporting to shareholders and the investing public
An entity's risk assessment process: a) is the entity's process for identifying and responding to business risks and the results of those risks b) is designed to help an entity think about risk in the same way that an auditor thinks about risk c) never allows management of the entity to decide to accept a risk without taking any action d) is established only if the entity is subject to unusually high risk
a) Is the entity's process for identifying and responding to business risks and the results of those risks
The purpose of the management letter is to ______ a) meet the auditor's responsibility for communicating internal control matters in writing on a timely basis with those charged with governance b) meeting an auditor's responsibility for communicating external control matters in writing on a timely basis with those charged with governance c) request management confirm the makeup and composition of its board of directors and any associated conflicts of interest d) inform management of the auditor's pending desire to withdraw from the engagement
a) Meet the auditor's responsibility for communicating internal control matters in writing on a timely basis with those charged with governance
Which process involves assessing the design and operation of controls on a timely basis and taking necessary corrective actions? a) Monitoring b) Information and communication c) Control activities d) Risk assessment
a) Monitoring
The objectives of internal control should include: a) operations objectives, reporting objectives, and compliance objectives b) operations, control environment, and financial reporting objectives c) operations, internal control, and financial reporting objectives d) risk assessment, compliance, and reporting objectives
a) Operations, reporting, and compliance objectives
Reports that summarize the detail of account balances such as an aged trial balance of accounts receivable are an example of which category of control activities? a) Performance reviews b) Information processing controls c) Physical controls d) Segregation of duties
a) Performance reviews
An auditor normally obtains an understanding of transaction-level controls by: a) Performing a system walkthrough b) Testing the entity's risk assessment process c) Reading the prior year's management letter d) Conducting an interview with senior management
a) Performing a system walkthrough
An auditor's documentation of the client's system of internal controls _____ a) should always be written and updated regularly as the auditor gains further understanding b) should be jointly drafted by the auditor and the client c) is the client's responsibility, and should be provided to the auditor by the client d) should be retained in the permanent audit file and never shared with the client.
a) Should always be written and updated regularly as the auditor gains further understanding
When considering the internal control structure, an auditor should be aware of the concept of reasonable assurance, which recognizes that a) The cost of an entity's internal control structure should not exceed the benefits expected to be derived. b) Internal control policies and procedures may be ineffective due to mistakes in judgement and personal carelessness. c) Establishing and maintaining internal control structure is an important responsibility of management. d) Adequate safeguards over access to assets and records should permit an entity to maintain proper accountability.
a) The cost of an entity's internal control structure should NOT exceed the benefits expected to be derived. - Internal control can provide only reasonable assurance as a limiting factor is the cost/benefit ratio (the cost should not exceed the benefits derived therefrom)
Upon consideration of a client's system of internal control, when an auditor identifies areas with weaknesses, ______ a) increased substantive testing in this area will be appropriate to reach the desired level of assurance b) the auditor should document the weaknesses and refer to them during next year's audit c) the auditor should disclaim an opinion on those areas d) reduced substantive testing in this area will be appropriate to reach the desired level of assurance
a) increased substantive testing in this area will be appropriate to reach the desired level of assurance
Access controls include a combination of ________ safeguards. a) physical, software, and procedural b) transaction-level c) administrative and legal d) software and hardware
a) physical, software, and procedural
Compared to other types of entity-level controls, the auditor finds _______the easiest to test because their operation is readily verifiable. a) risk assessment b) control activities c) control environment d) information and communication
b) Control activities
When the auditor identifies internal control weaknesses, ____________ a) control risk is decreased b) control risk is increased c) inherent risk is decreased d) risk of material misstatement decreases
b) Control risk is increased
What group or groups of application controls are widely recognized? a) Timing, service, and processing controls b) Input, processing, and output controls c) Input, timing, and service controls d) Processing, output, and service controls
b) Input, processing, and output controls
A letter issued regarding significant deficiencies relating to an entity's internal control observed during an audit of financial statements should include a: a) Description of tests performed to search for material weaknesses b) Restriction on the distribution of the report c) Statement of compliance with applicable laws and regulations d) Paragraph describing management's evaluation of the effectiveness of the control structure
b) Restriction on the distribution of report - Letters on significant deficiencies are restricted as to distribution. The letters are intended solely for the use of the audit committee (or those charged with governance), management, and others within the organization.
Which of the following is an example of validity check? a) As the computer corrects errors and data are successfully resubmitted to the system, the causes of the errors are printed out. b) The computer flags any transmissions for which the control field value did not match that of an existing file record. c) After data for a transaction are entered, the computer sends certain data back to the terminal for comparison with data originally sent. d) The computer ensures that a numerical amount in a record does not exceed some predetermined amount.
b) The computer flags any transmissions for which the control field value did not match that of an existing file record. - A validity check is a check to see if the data carry valid values. - Of the items listed, this item is the only validity check-- the computer matches a control field value to an existing file record and highlights those which do not match.
A deficiency, or a combination of deficiencies, in internal control such that there is a reasonable possibility that a material misstatement of the entity's financial statements will not be prevented, or detected and corrected, on a timely basis is best described as ________. a) a significant deficiency b) a material weakness c) a material deficiency d) a deficiency
b) a material weakness
Internal control is defined as: a) a process, implemented by management, to ensure the integrity of the entity's management information system b) a process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of the objectives related to operations, reporting, and compliance c) the entity's system to prevent, or detect and correct, misstatements in the financial statements d) the entity's system to ensure that management and those charged with governance of the entity have quality information for decision making.
b) a process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of the objectives related to operations, reporting, and compliance.
An integrated audit focuses on ______ a) Integrating component auditors b) Integrating the internal and external audit functions c) Auditing both internal control over financial reporting (ICFR) and the financial statements d) Comparing prior year results with the current year to look for abnormalities
c) Auditing both internal control for financial reporting (ICFR) and the financial statements
Which of the following represent a common categorization of control activities? a) Authorization controls, control over human error, information-processing controls, physical controls, and segregation of duties b) Authorization controls, information-processing controls, physical controls, and segregation of duties c) Authorization controls, performance reviews, information-processing controls, physical controls, and segregation of duties d) Authorization controls, control over human error, information-processing controls, and segregation of duties
c) Authorization controls, performance reviews, information-processing controls, physical controls, and segregation of duties
In a good system of segregation of duties, which of the following duties should be segregated? a) Authorization of transactions, recording transactions, and management b) Authorization of transactions, physical access to assets, and management c) Authorization of transactions, physical access to assets, and recording transactions d) Physical access to assets, recording of transactions, and consideration
c) Authorization of transactions, physical access to assets, and recording transactions
Which of the following matters would an auditor most likely consider to be a significant deficiency to be communicated to the audit committee (or otherwise those charged with governance)? a) Recurring operating losses that may indicate going concern problems. b) Management's current plans to reduce its ownership equity in the entity. c) Evidence of a lack of objectivity by those responsible for accounting decisions d) Management's failure to renegotiate unfavorable long-term purchase commitments.
c) Evidence of a lack of objectivity by those responsible for accounting decisions. - A significant deficiency = control deficiency in the design or operation of internal control that can adversely affect the financial statements. - If those responsible for accounting decisions appear to lack objectivity, the resultant accounting decisions may result in material misstatements of the financial statements - Example: Revenue recognition decisions might be made to increase current period net income (and managerial bonuses)
Assessing control risk at a low level most likely would involve: a) Performing more extensive substantive tests with larger sample sizes than originally planned b) Changing the timing of substantive tests by omitting interim-date testing and performing the tests at year-end c) Identifying specific controls relevant to specific assertions. d) Reducing inherent risk for most of the assertions relevant to significant account balances
c) Identifying specific controls relevant to specific assertions. - Assessing control risk at a low level involves: (1) identifying specific controls relevant to specific assertions that are likely to prevent or detect material misstatements in those assertions and (2) performing tests of controls to evaluate the effectiveness of such controls - Answer a) is incorrect because assessing control risk at a low level may lead to less extensive, not more extensive substantive tests - Answer d) is incorrect because the actual level of inherent risk is not affected by the level of control risk; also, one would not expect a change in the assessed level of control risk to result in a change in the assessed level of inherent risk - Answer b) is incorrect because assessing control risk at a low level may lead to interim-date substantive testing rather than year-end testing
PCAOB Audit Standard No. 2201 requires that _______ a) The audit partner should solely make the determination as to whether any material weaknesses have been identified as part of the audit. b) An auditor issues a qualified opinion on all accounts that were not tested in their entirety c) In an audit of ICFR, material weaknesses are reported to the public in the auditor report on ICFR d) All companies with a market capitalization of $75,000,000 or more file documentation with the Securities and Exchange Commission (SEC) detailing all deficiencies identified as part of the audit.
c) In an audit of ICFR, material weaknesses are reported to the public in the auditor report on ICFR
A primary objective of procedures performed to obtain an understanding of internal control is to provide an auditor with _____ a) Audit evidence to use in reducing detection risk b) Information necessary to prepare flowcharts c) Knowledge necessary to assess the risk of misstatement d) A basis from which to modify tests of controls.
c) Knowledge necessary to assess the risk of misstatement - The auditor should obtain a sufficient understanding of an entity's control to assess the risk of material misstatement
Immediately upon receipt of cash, a responsible employee should: a) Update the subsidiary accounts receivable records. b) Record the amount in the cash receipts journal. c) Prepare a remittance listing. d) Prepare a deposit slip in triplicate
c) Prepare a remittance listing - The immediate preparation of a remittance listing upon receipt of cash ensures that a control over cash received is established.
The control environment: a) Only applies to public companies b) Directly addresses adequacy of segregation of duties c) Sets the tone of an entity with respect to internal control and influences the control consciousness of its people d) Is focused on how the entity addresses information technology risks
c) Sets the tone of an entity with respect to internal control and influences the control consciousness of its people
When an auditor identifies internal control deficiencies, what levels of internal control deficiencies must be reported to those charged with governance of the entity? a) Significant deficiencies only b) Deficiencies and significant deficiencies in internal control c) Significant deficiencies and material weaknesses in internal control d) Material weaknesses only
c) Significant deficiencies and material weaknesses in internal control
If the auditor is able to collect evidence that IT general controls are strong, then the auditor can conclude that: a) the risk of batch totals failing to detect misstatements is low b) IT transactions are adequately supported by source documents c) Software applications are more likely to operate consistently over time d) Application controls function properly and put the correct transactions on exception reports
c) Software applications are more likely to operate consistently over time
Key assertions pertaining to the delivery of goods are _____ a) accuracy, occurrence, and rights and obligations b) completeness, occurrence, and cutoff c) accuracy, occurrence, and completeness d) presentation and disclosure
c) accuracy, occurrence, and completeness
In an audit, the purpose of risk assessment is to _____ a) form an ultimate opinion on the financial statements based on management's directives b) audit the system of internal control only c) ultimately ensure that the internal audit function is performing properly d) assess the combined inherent, control, and detection risks to evaluate the likelihood that material misstatements could occur in the financial statements
d) Assess the combined inherent, control, and detection risks to evaluate the likelihood that material misstatements could occur in the financial statements
By whose standards are internal control weaknesses commonly categorized into three groups? a) Neither PCAOB nor U.S. GAAS b) U.S. GAAS only c) PCAOB only d) Both PCAOB and U.S. GAAS
d) Both PCAOB and U.S. GAAS
Documenting internal controls: a) is not done for smaller clients because of the risk of management override b) is always handled through the use of checklists and pre-formatted questionnaires c) is done after internal controls are tested so that the results can be included in the documentation d) can be handled with a combination of narratives and flowcharts or logic diagrams
d) Can be handled with a combination of narratives and flowcharts or logic diagrams.
IT dependent manual controls are controls that chiefly involve manual review of the _____ of computer-generated information. a) Cutoff and classification b) Valuation and allocation c) Rights and obligations d) Completeness and accuracy
d) Completeness and accuracy
Policies and procedures enacted by the entity which help ensure that management's directives are carried out are generally referred to as ______ a) management activities b) legislative activities c) company procedures d) control activities
d) Control activities
Which of the following is comprised of the attitudes, awareness, and actions of management and those charged with governance concerning the entity's internal control and its importance in the entity? a) information and communication b) monitoring activities c) entity-level controls d) control environment
d) Control environment
A major benefit of an IT system is _____ a) elimination of the need for personnel b) increased workload created by exception reports c) elimination of mistakes d) greater consistency in processing than manual systems
d) Greater consistency in processing than manual systems
Which of the following most likely would not be considered an inherent limitation of the potential effectiveness of an entity's internal control structure? a) Collusion among employees b) Mistakes in judgement c) Management override d) Incompatible duties
d) Incompatible duties - A system of internal control can provide only reasonable assurance of achieving an entity's control objectives because of inherent limitations. These include the fallibility of human judgement and performances and the possibility of collusion or management override
What does COSO define as a process effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of the objectives related to operations, reporting and compliance? a) Compliance b) Reporting c) Risk assessment d) Internal control
d) Internal control
Management's attitude toward aggressive financial reporting and its emphasis on meeting projected profit goals most likely would significantly influence an entity's control environment when a) Internal auditors have direct access to the board of directs and entity management b) The audit committee is active in overseeing the entity's financial reporting policies. c) External policies established by parties outside the entity affect its accounting practices d) Management is dominated by one individual who is also a shareholder.
d) Management is dominated by one individual who is also a shareholder - Control environment sets the tone for the entire org. and is the basis for all other components of internal control - Significant factors in the control environment include integrity and ethical values, commitment to competence, board of directors or audit committee participation, management philosophy and operating style, organizational structure, assignment of authority and responsibility, and human resource policies and practices. - If management is dominated by one person who is also a shareholder, the opportunity is present for management's attitude toward financial reporting to significantly influence an entity's control environment.
Sound internal control procedures dictate that defective merchandise returned by customers should be presented initially to the a) Shipping department supervisor b) Sales clerk c) Accounts receivable supervisor d) Receiving clerk
d) Receiving clerk - Defective merchandise returned by customers should be presented initially to the receiving clerk. The accounts receivable supervisor has record-keeping responsibilities which should NOT be combined with custodial duties.
