Chapter 7, Chapter 7, Audit - Chapter 7
To have an adequate basis to issue a management report on internal control under Section 404(a) of the Sarbanes-Oxley Act, management must do all of the following, except: (1) Establish internal control with no material weakness. (2) Accept responsibility for the effectiveness of internal control. (3) Evaluate the effectiveness of internal control using suitable control criteria. (4) Support the evaluation with sufficient evidence.
(1) Establish internal control with no material weakness. Management may issue a report on internal control regardless of whether the system has a material weakness.
A primary objective of procedures performed to obtain an understanding of internal control is to provide the auditors with: (1) Knowledge necessary to determine the nature, timing, and extent of further audit procedures. (2) Audit evidence to use in reducing detection risk. (3)A basis for modifying tests of controls. (4) An evaluation of the consistency of application of management policies.
(1) Knowledge necessary to determine the nature, timing, and extent of further audit procedures. Because the auditors' purposes for considering internal control are to obtain the necessary knowledge to (a) assess the risks of material misstatement, and (b) to determine the nature, timing, and extent of the tests to be performed, answer (1) is correct.
Tests of controls do not address: (1) How controls were applied. (2) How controls were originated. (3) The consistency with which controls were applied. (4) By what means the controls were applied.
(2) How controls were originated Auditors are not in general concerned with how controls originated.
The preliminary assessments of control risk are often referred to as: (1) The assessed level of control risk. (2) The planned assessed level of control risk. (3) Control risk. (4) Internal control objectives risk.
(2) The planned assessed level of control risk. The planned assessed level of control risk is determined during planning.
Tests of controls ordinarily are designed to provide evidence of: (1) Balance correctness. (2) Control implementation. (3) Disclosure adequacy. (4) Operating effectiveness.
(4) Operating effectiveness. Tests of controls address operating effectiveness of controls.
C. Corrective control
1. A control established to remedy misstatements that are discovered
G. Transaction cycle
10. The sequence of procedures applied by the client in processing a particular type of recurring transaction
F. Walk-through
11. A procedure in which an auditor follows a transaction from origination through the company's processes, including information systems, until it is reflected in the company's financial records
B. Complementary control
2. A control that functions together with another control to achieve the same control objective
A. Compensating control
3. A control that reduces the risk that an existing or potential control weakness will result in a failure to meet a control objective
Listed below are controls that have been developed by the management of Cirus Manufacturing Co. Management surveys customers about their satisfaction with the company's service. A. Monitoring B. Control Environment C. Control Activities D. Risk Assessment E. Accounting information
A. Monitoring—ongoing.
At the completion of the audit the auditors are least likely to know
Actual control risk
Listed below are controls that have been developed by the management of Cirus Manufacturing Co. The human resources department investigates the educational background of prospective employees. A. Monitoring B. Control Environment C. Control Activities D. Risk Assessment E. Accounting information
B. Control environment—commitment to attract, develop and retain competent employees.
Listed below are controls that have been developed by the management of Cirus Manufacturing Co. A. Monitoring B. Control Environment C. Control Activities D. Risk Assessment E. Accounting information
B. Control environment—effective structure, reporting lines, and authority and responsibility.
Listed below are controls that have been developed by the management of Cirus Manufacturing Co. Management has developed and distributed a code of conduct. A. Monitoring B. Control Environment C. Control Activities D. Risk Assessment E. Accounting information
B. Control environment—integrity and ethical values.
1. Accounting information system
C. Component of internal control
2. Control environment
C. Component of internal control
6. Monitoring
C. Component of internal control
Listed below are controls that have been developed by the management of Cirus Manufacturing Co. Budgets and forecasts are used by the production departments to control expenses. A. Monitoring B. Control Environment C. Control Activities D. Risk Assessment E. Accounting information
C. Control activities—performance reviews.
Listed below are controls that have been developed by the management of Cirus Manufacturing Co. Entry into the warehouse is strictly controlled by security personnel. A. Monitoring B. Control Environment C. Control Activities D. Risk Assessment E. Accounting information
C. Control activities—physical controls.
You are performing an audit of Systex Corporation and evaluating various controls. Classify the following controls as being primarily preventive (P), detective (D), or corrective (C). Explain your answers. Adjustment of perpetual inventory records to physical counts.
Corrective Adjustments of perpetual inventory records to physical counts would serve to correct the inventory records.
3. Flowchart
D. Documentation
7. Questionnaire
D. Documentation
Listed below are controls that have been developed by the management of Cirus Manufacturing Co. Management periodically evaluates the threats to preparing reliable financial statements. A. Monitoring B. Control Environment C. Control Activities D. Risk Assessment E. Accounting information
D. Risk assessment.
Which of the following would be LEAST likely to be considered an objective of internal control?
Detecting management fraud
9. Allows a reasonable possibility of a material misstatement
F. Material weakness
4. Controls over operating effectiveness
G. Test of control
5. Less severe than a material weakness
H. Significant deficiency
Test of controls do not address
How controls were originated
10. Reasonable assurance
I. Relationship of costs and benefits
A primary objective of procedures performed to obtain an understanding of internal control is to provide the auditors with
Knowledge necessary to determine the nature timing and extent of further audit procedures
An entity's ongoing monitoring activities often include
Management review of weekly performance reports
Which of the following is least likely to be a test of controls?
Observation of confirmations
Tests of controls ordinarily are designed to provide evidence of
Operating effectiveness
Tests of controls ordinarily are designed to provide evidence of:
Operating effectiveness. Tests of controls address operating effectiveness of controls.
Controls over financial reporting are often classified as preventative, detective, or corrective. Which of the following is an example of a detective control?
Preparing bank reconciliations
Which of the following would be least likely to be considered an objective of internal control?
detecting management fraud
Effective internal control in a small company that has an insufficient number of employees to permit proper separation of responsibilities can be improved by
direct participation by the owner in key record keeping control activities of the business
Controls over financial reporting are often classified as preventative, detective or corrective. Which of the following is an example of detective control?
preparing bank reconciliations
Which of the following symbols indicate that a file has been consulted?
squre - triangle
Which of the following symbols indicate that a file has been consulted
trapezoid to a triangle with a <-> in between it
Which of the following is not ordinarily a procedure for documenting an auditor's understanding of internal control for planning purposes? (1) Checklist. (2) Confirmation. (3) Flowchart. (4) Questionnaire.
(2) Confirmation. A confirmation is designed to obtain evidence from a third-party. It is not used to document internal control.
Which of the following is not an advantage of establishing an enterprise risk management system within an organization? (1) Reduces operational surprises. (2) Provides integrated responses to multiple risks. (3) Eliminates all risks. (4) Identifies opportunities.
(3) Eliminates all risks. An enterprise risk management system cannot eliminate all risks.
Which of the following is least likely to be a test of controls? (1) Inquiries of client personnel. (2) Inspection of documents. (3) Observation of confirmations. (4) Reperformance of controls.
(3) Observation of confirmations. While tests of controls involve, inquiry, inspection, observation and re-performance, "observation of confirmations" doesn't have a clear meaning.
8. Walk-through
E. Implemented
A primary objective of procedures performed to obtain an understanding of internal control is to provide the auditors with
Knowledge necessary to determine the nature, timing, and extent of further audit procedures
An auditor may compensate for a weakness in internal control by increasing the extent of
Substantive tests of details
The preliminary assessments of control risks are often referred to as
The planned assessed level of control risk
The have an adequate basis to issue a management report on internal control under section 404 of the sarbanes oxley act management must do all of the following except :
establish internal control with no material weakness
When the auditors are performing a first time internal control audit in accordance with the sarbanes oxley act and PCAOB standards they should
test controls for all significant accounts.
When the auditors are performing a first-time internal control audit in accordance with the Sarbanes-Oxley Act and PCAOB standards, they should: (1) Modify their report for any significant deficiencies identified. (2) Use a "bottom-up" approach to identify controls to test. (3) Test controls for all significant accounts. (4) Perform a separate assessment of controls over operations.
(3) Test controls for all significant accounts. In an audit of internal control performed under PCAOB standards, the auditors must test controls for all significant accounts.
Effective internal control in a small company that has an insufficient number of employees to permit proper separation of responsibilities can be improved by
Direct participation by the owner in key record keeping and control activities of the business
You are performing an audit of Systex Corporation and evaluating various controls. Classify the following controls as being primarily preventive (P), detective (D), or corrective (C). Explain your answers. Dual signatures for checks.
Preventive Requiring dual signatures for checks is a preventative control because it would serve to prevent errors and fraud with respect to cash disbursements.
You are performing an audit of Systex Corporation and evaluating various controls. Classify the following controls as being primarily preventive (P), detective (D), or corrective (C). Explain your answers. Segregation of duties over purchasing.
Preventive Segregation of duties over purchasing would serve to prevent errors and fraud relating to purchase transactions. Segregation of duties prevents individuals from perpetrating errors and fraud and covering them up in the course of performing their assigned duties.
When the auditors are performing a first-time internal control audit in accordance with the Sarbanes-Oxley Act and PCAOB standards, they must
Test controls for all significant accounts.
When a CPA decides that the work performed by internal auditors may have an effect on the nature, timing, and extent of the CPA's procedures, the CPA should consider the competence and objectivity of the internal auditors. Relative to objectivity, the CPA should: (1) Consider the organizational level to which the internal auditors report the results of their work. (2) Review the internal auditors' work. (3) Consider the qualifications of the internal audit staff. (4) Review the training program in effect for the internal audit staff.
(1) Consider the organizational level to which the internal auditors report the results of their work. The internal auditors' objectivity refers to their relative independence from the organizational units they have been evaluating. This may best be determined by considering the organizational level to which the internal auditors report. The other answers address the issues of the internal auditors' competence, not objectivity.
At the completion of the audit, the auditors are least likely to know: (1) The assessed level of control risk. (2) The planned assessed level of control risk. (3) Actual control risk. (4) The scope of tests of controls.
(3) Actual control risk. The auditors never know the exact control risk involved—they always simply have an estimate of it.
For each term in the first column, find the closest definition (or portion of a definition) in the second column. Each definition may be used only once or not at all. A. Compensating control B. Complementary control C. Corrective control D. Deficiency in internal control E. Material weakness in internal control F. Walk-through G. Transaction cycle
1. A control established to remedy misstatements that are discovered 2. A control that functions together with another control to achieve the same control objective 3. A control that reduces the risk that an existing or potential control weakness will result in a failure to meet a control objective 4. A control that reduces the risk of misstatement by remediating control deficiencies through automated means 5. A deficiency in internal control such that there is a reasonable possibility that a material misstatement will not be prevented or detected on a timely basis 6. A deficiency in internal control that is less severe than a material weakness, but more severe than a significant deficiency 7. A situation in which a control does not allow management or employees, in the normal course of performing their functions, to prevent or detect misstatements on a timely basis 8. Duplicate controls that achieve a control objective 9. Procedures cycled periodically through the auditors' internal control deviation analysis 10. The sequence of procedures applied by the client in processing a particular type of recurring transaction 11. A procedure in which an auditor follows a transaction from origination through the company's processes, including information systems, until it is reflected in the company's financial records
E. Material weakness in internal control
5. A deficiency in internal control such that there is a reasonable possibility that a material misstatement will not be prevented or detected on a timely basis
You are performing an audit of Systex Corporation and evaluating various controls. Classify the following controls as being primarily preventive (P), detective (D), or corrective (C). Explain your answers. Internal audits of payroll.
Detective Internal audits of payroll would serve to detect errors and fraud in payroll after they have occurred. Therefore, it is a detective control.
Listed below are controls that have been developed by the management of Cirus Manufacturing Co. The accounting department uses a manual of accounting policies and procedures. A. Monitoring B. Control Environment C. Control Activities D. Risk Assessment E. Accounting information
E. Accounting information and communication system.
You are performing an audit of Systex Corporation and evaluating various controls. Classify the following controls as being primarily preventive (P), detective (D), or corrective (C). Explain your answers. Supervisory approval of time cards.
Preventive Supervisory approval of time cards is a preventative control because it would serve to prevent errors and fraud with respect to payroll transactions. The supervisor approval would help to prevent errors or fraud in the time records.
Which of the following would be least likely to be considered an objective of internal control? (1) Checking the accuracy and reliability of accounting data. (2) Detecting management fraud. (3) Encouraging adherence to managerial policies. (4) Safeguarding assets.idered an objective of internal control?
(2) Detecting management fraud. Detecting management fraud is generally not considered to be an objective of internal control. In fact, one of the inherent limitations of internal control is that it is subject to override by management. All of the other answers represent valid objectives of internal control.
Effective internal control in a small company that has an insufficient number of employees to permit proper separation of responsibilities can be improved by: (1)Employment of temporary personnel to aid in the separation of duties. (2) Direct participation by the owner in key record keeping and control activities of the business. (3) Engaging a CPA to perform monthly write-up work. (4) Delegation of full, clear-cut responsibility for a separate major transaction cycle to each employee.
(2) Direct participation by the owner in key record keeping and control activities of the business. Involvement of the owner in key control functions should be a major step toward preventing material errors or defalcations. Answer (1) would not be cost-effective. Answer (3) would provide some measure of control, but not as much as would daily participation by the owner. If it were feasible to hire additional employees, it would be cheaper to hire permanent employees rather than temporary. The need for internal control is permanent. Answer (4) would weaken, not strengthen internal control
Controls over financial reporting are often classified as preventative, detective, or corrective. Which of the following is an example of a detective control? (1) Segregation of duties over cash disbursements. (2) Requiring approval of purchase transactions. (3) Preparing bank reconciliations. (4) Maintaining backup copies of key transactions.
(3) Preparing bank reconciliations. Preparing bank reconciliations will detect a variety of misstatements related to cash and is a detective control in the sense that it does not prevent the misstatement from occurring, but may detect it. Answers (1) and (2) are incorrect because segregating duties and requiring approvals are primarily designed to prevent occurrence of misstatements. Answer (4) is incorrect because the primary purpose of keeping backup copies of key transactions (or all transactions) is to prevent loss of information in the event of an information system failure and hence a corrective control.
An auditor may compensate for a weakness in internal control by increasing the extent of: (1) Tests of controls. (2) Detection risk. (3) Substantive tests of details. (4) Inherent risk.
(3) Substantive tests of details. An increase in the substantive procedures will decrease detection risk, and thereby compensate for the increased level of control risk due to a weakness in internal control. Answer (1) is incorrect because if the weakness exists, increasing the extent of tests will only provide more evidence on the weakness—not evidence that compensates for the weakness. Answers (2) and (4) are incorrect because a decrease in detection risk or inherent risk, not an increase, would compensate. Also, in the case of inherent risk, it may not be possible to change the assessment since it is a function of the firm's environment.
An entity's ongoing monitoring activities often include: (1)Periodic audits by internal auditors. (2)The audit of the annual financial statements. (3)Approval of cash disbursements. (4)Management review of weekly performance reports.
(4)Management review of weekly performance reports. Management review of weekly performance reports is an ongoing monitoring activity that may detect errors or fraud. Answer (1) is incorrect because while periodic audits by internal audit represent a monitoring activity, they are best classified as separate evaluations, and not ongoing monitoring activities. Answer (2) is incorrect because the audit of the annual financial statements is the function of the external auditors. Answer (3) is incorrect because approvals of cash disbursements represent a control activity.
Auditors should have an understanding of the various terms that relate to their consideration of internal control of an organization. For each term presented below, select the category that most clearly defines or includes the term. The categories may be selected once, more than once, or not at all. 1. Accounting information system 2. Control environment 3. Flowchart 4. Controls over operating effectiveness 5. Less severe than a material weakness 6. Monitoring 7. Questionnaire 8. Walk-through 9. Allows a reasonable possibility of a material misstatement 10. Reasonable assurance
A. Generally of no concern to auditors B. Control condition C. Component of internal control D. Documentation E. Implemented F. Material weakness G. Test of control H. Significant deficiency I. Relationship of costs and benefits
Listed below are controls that have been developed by the management of Cirus Manufacturing Co. The internal auditors periodically evaluate the controls in the various departments of the company. A. Monitoring B. Control Environment C. Control Activities D. Risk Assessment E. Accounting information
A. Monitoring—separate evaluations.
You are performing an audit of Systex Corporation and evaluating various controls. Classify the following controls as being primarily preventive (P), detective (D), or corrective (C). Explain your answers. Management review of budget/actual information.
Detective Management review of budget versus actual performance would serve to highlight potential errors and fraud after they have occurred. Therefore, it is a detective control.
You are performing an audit of Systex Corporation and evaluating various controls. Classify the following controls as being primarily preventive (P), detective (D), or corrective (C). Explain your answers. Annual physical inventory.
Detective The annual physical inventory is a detective control because it would serve to detect misstatements of inventory after they have occurred.
You are performing an audit of Systex Corporation and evaluating various controls. Classify the following controls as being primarily preventive (P), detective (D), or corrective (C). Explain your answers. Monthly reconciliation of bank accounts.
Detective The monthly reconciliation of bank accounts is a detective control because it would serve to detect misstatements of cash after they have occurred.
Which of the following is not an advantage of establishing an enterprise risk management system within an organization
eliminates all risks
D. Deficiency in internal control
7. A situation in which a control does not allow management or employees, in the normal course of performing their functions, to prevent or detect misstatements on a timely basis
When a CPA decides that the work performed by internal auditors may have an effect on the nature, timing, and extent of the CPA's procedures, the CPA should consider the competence and objectivity of the internal auditors. Relative to objectivity, the CPA should
Consider the organizational level to which the internal auditors report the results of their work
Which of the following is not an advantage of establishing an enterprise risk management system within an organization?
Eliminates all risks
At the completion of the audit, the auditors are least likely to know:
Actual control risk. The auditors never know the exact control risk involved—they always simply have an estimate of it.
Management of Warren Company has decided to respond to a particular risk by hedging the risk with futures contracts. This is an example of :
Avoidance
Listed below are controls that have been developed by the management of Cirus Manufacturing Co. Invoices are reviewed for accuracy before they are mailed to customers. A. Monitoring B. Control Environment C. Control Activities D. Risk Assessment E. Accounting information
C. Control activities—transaction processing (or application) control.
Which of the following is not ordinarily a procedure for documenting an auditor's understanding of internal control for planning purposes?
Confirmation
When a CPA decides that the work performed by internal auditors may have an effect on the nature timing and extent of the CPAS, the CPA should consider the competence and objectivity of the internal auditors. Relative to objectivity, the CPA should:
Consider the organizational level to which the internal auditors report the results of their work.
To have an adequate basis to issue a management report on internal control under Section 404(a) of the Sarbanes-Oxley Act, management must do all of the following, except
Establish internal control with no material weakness.
A primary objective of procedures performed to obtain an understanding of internal control is to provide the auditors with:
Knowledge necessary to determine the nature, timing, and extent of further audit procedures.
Which of the following is least likely to be a test of controls?
Observation of confirmations. While tests of controls involve, inquiry, inspection, observation and reperformance, "observation of confirmations" doesn't have a clear meaning.
The preliminary assessments of control risk are often referred to as:
The planned assessed level of control risk. The planned assessed level of control risk is determined during planning.
