Ch 6 Internal Control
The requirement that purchases be made from suppliers on an approved vendor list is an example of a: *a.* Preventive control. *b.* Detective control. *c.* Compensating control. *d.* Monitoring control.
*a.* Preventive control. Preventive controls are actions taken prior to the occurrence of transactions with the intent of stopping errors from occurring. Use of an approved vendor list is a control to prevent the use of unacceptable suppliers. Answer B is incorrect because a detective control identifies errors after they have occurred. Answer C is incorrect because compensating controls are designed to supplement key controls that are either ineffective or cannot fully mitigate risks by themselves to acceptable levels. Answer D is incorrect because monitoring controls are designed to ensure the quality of the control system's performance over time.
Which of the following best exemplifies a control activity referred to as independent verification? *a.* Reconciliation of bank accounts by someone who does not handle cash or record cash transactions. *b.* Identification badges and security codes used to restrict entry to the production facility. *c.* Accounting records and documents that provide a trail of sales and cash receipt transactions. *d.* Separating the physical custody of inventory from inventory accounting.
*a.* Reconciliation of bank accounts by someone who does not handle cash or record cash transactions. A reconciliation performed by someone not otherwise involved in processing a transaction is an example of an independent verification control activity. Answer B is incorrect because it is a physical access control. Answer C is incorrect because it is an accounting records and documentation, or audit trail, control activity. Answer D is incorrect because it is a segregation of duties control activity.
Appropriate internal control for a multinational corporation's branch office that has a department responsible for the transfer of money requires that: *a.* The individual who initiates wire transfers does not reconcile the bank statement. *b.* The branch manager must receive all wire transfers. *c.* Foreign currency rates must be computed separately by two different employees. *d.* Corporate management approves the hiring of employees in this department.
*a.* The individual who initiates wire transfers does not reconcile the bank statement. Independent reconciliation of bank accounts is necessary for good internal control. Answer B is incorrect because it is not an important internal control consideration. Answer C is incorrect because foreign currency translation rates are not computed, but instead verified. Having two employees in the same department perform the same task will not significantly enhance internal control. Answer D is incorrect because it is not an important internal control consideration.
What is residual risk? *a.* Impact of risk. *b.* Risk that is under control. *c.* Risk that is not managed. *d.* Underlying risk in the environment.
*c.* Risk that is not managed. Answer A is incorrect because the impact of risk is its consequence. Answer B is incorrect because risk that is under control is managed risk. Answer D is incorrect because the underlying risk is the absolute risk.
An effective system of internal controls is most likely to detect a fraud perpetrated by a: *a.* Group of employees in collusion. *b.* Single employee. *c.* Group of managers in collusion. *d.* Single manager.
*b.* Single employee. An effective system of internal controls is likely to expose a fraud if it is perpetrated by one employee without the aid of others. Answer A is incorrect because a group has a better chance of successfully perpetrating an irregularity than does an individual employee. Answers C and D are incorrect because management can often override controls, singularly or in groups. Note that the question asks who is most likely to *get caught*, not who is most likely to *perpetrate* a fraud.
An internal auditor plans to conduct an audit of the adequacy of controls over investments in new financial instruments. Which of the following would not be required as part of such an engagement? *a.* Determine whether policies exist that describe the risks the treasurer may take and the types of instruments in which the treasurer may invest. *b.* Determine the extent of management oversight over investments in sophisticated instruments. *c.* Determine whether the treasurer is getting higher or lower rates of return on investments than treasurers in comparable organizations. *d.* Determine the nature of monitoring activities related to the investment portfolio.
*c.* Determine whether the treasurer is getting higher or lower rates of return on investments than treasurers in comparable organizations. Although this might be informational, there is no need to develop a comparison of investment returns with other organizations. Indeed, some financial investment scandals show that such comparisons can be highly misleading because high returns were due to taking on a high level of risk. Also, this is not a test of the adequacy of the controls. Answer A is incorrect because new financial instruments are very risky and the first step of such an engagement should be to determine the nature of policies established for the investments. Answer B is incorrect because oversight by a management committee is an important control. Therefore, the auditor should determine the nature of the oversight set up to monitor and authorize such investments. Answer D is incorrect because a fundamental control concept over cash-like assets is that someone establishes a mechanism to monitor the risks.
Reasonable assurance, as it pertains to internal control, means that: *a.* The objectives of internal control vary depending on the method of data processing used. *b.* A well-designed system of internal controls will prevent or detect all errors and fraud. *c.* Inherent limitations of internal control preclude a system of internal control from providing absolute assurance that objectives will be achieved. *d.*Management cannot override controls and employees cannot circumvent controls through collusion.
*c.* Inherent limitations of internal control preclude a system of internal control from providing absolute assurance that objectives will be achieved. Inherent limitations of internal control do, in fact, preclude a system of internal control from providing absolute assurance that objectives will be achieved. Answer A is incorrect because it does not pertain to the concept of reasonable assurance and because the objectives of internal control do not vary depending on the method of data processing used. Answer B is incorrect because inherent limitations of internal control preclude even a well-designed system of internal controls from preventing or detecting all errors and fraud. Answer D is incorrect because management override of controls and employee collusion are examples of inherent limitations that preclude a system of internal control from providing absolute assurance that objectives will be achieved.
The risk assessment component of internal control involves the: *a.* Independent outside auditor's assessment of residual risk. *b.* Internal audit function's assessment of control deficiencies. *c.* Organization's identification and analysis of the risks that threaten the achievement of its objectives. *d.* Organization's monitoring of financial information for potential material misstatements.
*c.* Organization's identification and analysis of the risks that threaten the achievement of its objectives. The risk assessment component of internal control involves an organization's identification and analysis of the risks that threaten the achievement its objectives. Answer A is incorrect because the COSO components of internal control, including risk assessment, are internal to an organization. Answer B is incorrect because it does not pertain directly to the risk assessment component of internal control. Answer D is incorrect because monitoring is a separate component of internal control.
The control that would most likely ensure that payroll checks are written only for authorized amounts is to: *a.* Conduct periodic floor verification of employees on the payroll. *b.* Require the return of undelivered checks to the cashier. *c.* Require supervisory approval of employee timecards. *d.* Periodically witness the distribution of payroll checks.
*c.* Require supervisory approval of employee timecards. The employee's supervisor would be in the best position to ensure payment of the proper amount. Answer A is incorrect because employees may be properly included on payroll, but the amounts paid may be unauthorized. Answer B is incorrect because undelivered checks provide no evidence regarding validity of the amounts. Answer D is incorrect because witnessing a payroll distribution would not assure that amounts paid are authorized.
Who has primary responsibility for the monitoring component of internal control? *a.* The organization's independent outside auditor. *b.* The organization's internal audit function. *c.* The organization's management. *d.* The organization's board of directors.
*c.* The organization's management. The organization's management has primary responsibility for the monitoring component of internal control. Answer A is incorrect because independent outside auditors perform financial statement audits to ensure that organizations meet their financial reporting obligations. Answer B is incorrect because the internal audit function performs an independent assessment of the system of internal controls. Answer D is incorrect because the organization's board of directors is responsible for governance and oversight, but not monitoring.
Which of the following best describes an internal auditor's purpose in reviewing the organization's existing governance, risk management, and control processes? *a.* To help determine the nature, timing, and extent of tests necessary to achieve engagement objectives. *b.* To ensure that weaknesses in the internal control system are corrected. *c.* To provide reasonable assurance that the process will enable the organization's objectives and goals to be met efficiently and economically. *d.* To determine whether the processes ensure that the accounting records are correct and that financial statements are fairly stated.
*c.* To provide reasonable assurance that the process will enable the organization's objectives and goals to be met efficiently and economically. Answer A is incorrect because it is a purpose of audit planning. Answer B is incorrect because correcting control weaknesses is a function of management, not of the internal auditor. Answer D is incorrect because it is a basic objective from a financial accounting and auditing perspective, but is not broad enough to cover the internal auditor's entire purpose for review.
12. COSO's Internal Control Framework consists of five internal control components and 17 principles for achieving effective internal control. Which of the following is/are (a) principle(s)? I. The organization demonstrates a commitment to integrity and ethical values. II. Monitoring activities III. A level of assurance that is supported by GAAP and judgements IV. A body of guiding principles that form a template against which organizations can evaluate a multitude of business practices V. The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.
I is principle 1 under Control Environment. V is principle 16 under Monitoring Activities. II is one of the five elements. III is the definition of reasonable assurance. IV is the definition of a framework.
13. When assessing the risk associated with an activity, an internal auditor should: a. determine how the risk should best be managed b. provide assurance on the management of the risk c. update the risk management process based on risk exposures d. design controls to mitigate the identifies risks
b. provide assurance on the management of the risk The other choices reflect activities that should be performed by management.
An adequate system of internal controls is most likely to detect an irregularity perpetrated by a: a. group of employees in collusion b. single employee c. group of managers in collusion d. single manager
b. single employee To be designed adequately and operating effectively, ICFR should address the concepts of initiation, authorization, recording, processing, and reporting. Seeking is not addressed by ICFR.
14. Determining that engagement objectives have been met is ultimately the responsibility of the: a. Internal auditor b. audit committee c. internal audit supervisor d. CAE
d. CAE The CAE has ultimate responsibility for all activities performed by the internal audit function. Internal auditors and internal audit supervisors do not have the same level of responsibility as the CAE. The audit committee doesn't have this level of responsibility.
