SU 5
One of the major problems in a computer system is that incompatible functions may be performed by the same individual. One compensating control is the use of
A computer access log.
The primary purpose of obtaining an understanding of the entity and its environment, including its internal control, is to provide an auditor with
A frame of reference within which to plan the audit.
Which of the following situations represents a limitation, rather than a failure, of internal control?
A purchasing employee and an outside vendor participate in a kickback scheme.
An entity has many employees who access a database with numerous access points. The database contains sensitive information about the customers of the entity. Access controls prevent employees from entry to those areas of the database for which they have no authorization. All salespersons have certain access permission to customer information. Which of the following is a true statement about the nature of the controls and risks?
A salesperson's access to customer information should extend only to what is necessary to perform his or her duties.
So that the essential control features of a client's computer system can be identified and evaluated, the auditor of a nonissuer must, at a minimum, have
A sufficient understanding of the entire computer system.
It is important for the auditor to consider the competence of the audit client's employees, because their competence bears directly and importantly upon the
Achievement of the objectives of internal control.
In an audit of financial statements, an auditor's primary consideration regarding an internal control is whether the control
Affects management's financial statement assertions.
Which of the following factors are included in an entity's control environment?
Audit Committee Participation Integrity and Ethical Values Organizational Structure
Proper segregation of functional responsibilities to achieve effective internal control calls for separation of the functions of
Authorization, recording, and custody.
The auditor's understanding of internal control is documented to substantiate
Compliance with generally accepted auditing standards.
Which of the following characteristics distinguishes computer processing from manual processing?
Computer processing virtually eliminates the occurrence of computational error normally associated with manual processing.
Which of the following strategies would a CPA most likely consider in auditing an entity that processes most of its financial data only in electronic form, such as a paperless system?
Continuous monitoring and analysis of transaction processing with an embedded audit module.
Which of the following is not a component of internal control?
Control Risk
The design or operation of a control may not allow management or employees, in the normal course of performing their assigned functions, to prevent, or detect and correct, misstatements on a timely basis. According to AU-C 265, this circumstance is a
Control deficiency.
Which of the following is an example of how specific internal controls in a database environment may differ from controls in a nondatabase environment?
Controls should exist to ensure that users have access to and can update only the data elements that they have been authorized to access.
Which of the following best describes an inherent limitation that should be recognized by an auditor when considering the potential effectiveness of internal control?
Controls, whether manual or automated, whose effectiveness depends on segregation of duties can be circumvented by collusion.
If a control total were to be computed on each of the following data items, which would best be identified as a hash total for a payroll computer application?
Department numbers.
In obtaining an understanding of controls that are relevant to audit planning, an auditor is required to obtain knowledge about the
Design of the controls included in the internal control components.
An auditor uses the knowledge provided by the understanding of internal control and the assessed risks of material misstatement primarily to
Determine the nature, timing, and extent of substantive procedures for financial statement assertions.
In obtaining an understanding of internal control, the auditor may trace several transactions through the control process, including how the transactions interface with any service organizations whose services are part of the information system. The primary purpose of this task is to
Determine whether the controls have been implemented.
Effective internal control in a small company that has an insufficient number of employees to permit proper division of responsibilities can best be enhanced by
Direct participation by the owner of the business in the recordkeeping activities of the business.
In an audit of financial statements of a nonissuer in accordance with GAAS, an auditor is required to
Document the auditor's understanding of the entity's internal control components.
In an audit of financial statements in accordance with generally accepted auditing standards, an auditor should
Document the auditor's understanding of the entity's internal control.
Which of the following activities by small business clients best demonstrates management integrity in the absence of a written code of conduct?
Emphasizing ethical behavior through oral communication and management example.
A client who recently installed a new accounts payable system assigned employees a user identification code (UIC) and a separate password. Each UIC is a person's name, and the individual's password is the same as the UIC. Users are not required to change their passwords at initial log-in nor do passwords ever expire. Which of the following statements does not reflect a limitation of the client's computer-access control?
Employees are not required to take regular vacations.
An auditor would most likely be concerned with controls that provide reasonable assurance about the
Entity's ability to initiate, authorize, record, process, and report financial data.
Which of the following is a management control method that most likely could improve management's ability to supervise company activities effectively?
Establishing budgets and forecasts to identify variances from expectations.
Which of the following is an inherent limitation in internal control?
Faulty human judgment.
Able Co. uses an online sales order processing system to process its sales transactions. Able's sales data are electronically sorted and subjected to edit checks. A direct output of the edit checks most likely would be a
File of all rejected sales transactions.
Internal control cannot be designed to provide reasonable assurance that
Fraud will be eliminated
Internal control cannot be designed to provide reasonable assurance that
Fraud will be eliminated.
An auditor anticipates relying on the operating effectiveness of controls in a computerized environment. Under these circumstances, on which of the following activities would the auditor initially focus?
General controls.
The client's computer exception reporting system helps an auditor to conduct a more efficient audit because it
Highlights abnormal conditions.
A client is concerned that a power outage or disaster could impair the computer hardware's ability to function as designed. The client desires off-site backup hardware facilities that are fully configured and ready to operate within several hours. The client most likely should consider a
Hot site
If High Tech Corporation's disaster recovery plan requires fast recovery with little or no downtime, which of the following backup sites should it choose?
Hot site
Which of the following most likely would not be considered an inherent limitation of the potential effectiveness of an entity's internal control?
Incompatible duties.
The following are steps in the financial statement audit process:
Interview personnel Gather exhibits of all documents Prepare flowchart
Which of the following statements most likely represents a disadvantage for an entity that keeps digital computer files rather than manually prepared files?
It is usually easier for unauthorized persons to access and alter the files.
The primary objective of procedures performed to obtain an understanding of internal control is to provide an auditor with
Knowledge necessary for audit planning.
For the audit of a nonissuer, the primary objective of procedures performed to obtain an understanding of internal control is to provide an auditor with
Knowledge necessary to plan the audit.
Which of the following controls is an input control designed to ensure the reliability and accuracy of data processing?
Limit Test and Validity Check Test
Decision tables differ from program flowcharts in that decision tables emphasize
Logical relationships among conditions and actions.
When obtaining an understanding of an entity's control environment, an auditor should concentrate on the substance of controls rather than their form because
Management may establish appropriate controls but not act on them.
Which of the following statements regarding auditor documentation of the understanding of the client's internal control components obtained to plan the audit is correct?
No one particular form of documentation is necessary, and the extent of documentation may vary.
As part of understanding internal control relevant to the audit of a non issuer, an auditor does not need to
Obtain knowledge about the operating effectiveness of internal control.
The auditor observes client employees while obtaining an understanding of internal control to
Obtain knowledge of the design and implementation of relevant controls.
First Federal S&L has an online, real-time system, with terminals installed in all of its branches. This system will not accept a customer's cash withdrawal instruction in excess of $1,000 without the use of a "terminal audit key." After the transaction is authorized by a supervisor, the bank teller then processes the transaction with the audit key. This control can be strengthened by
Online recording of the transaction on an audit override sheet.
A client installed sophisticated controls using the biometric attributes of employees to authenticate user access to the computer system. This technology most likely replaced which of the following controls?
Password
Which of the following audit techniques ordinarily would provide an auditor with the least assurance about the operating effectiveness of an internal control activity?
Preparation of system flowcharts.
Which of the following is not a medium that can normally be used by an auditor to record information concerning internal control?
Procedures manual.
An auditor should obtain an understanding of an entity's information system, including
Process used to prepare significant accounting estimates.
An advantage of using systems flowcharts to document information about internal control instead of using internal control questionnaires is that systems flowcharts
Provide a visual depiction of clients' activities.
The auditor should document the understanding of internal control. For example, a narrative memorandum may be used to
Provide a written description of the process and flow of documents and of the control points.
Proper segregation of duties reduces the opportunities to allow any employee to be in a position to both
Record and conceal fraudulent transactions in the normal course of assigned tasks.
A proper segregation of duties requires that an individual
Recording a transaction not compare the accounting record of the asset with the asset itself.
Each of the following types of controls is considered to be an entity-level control, except those
Regarding the company's annual stockholder meeting.
Internal control is a function of management, and effective control is based upon the concept of charge and discharge of responsibility and duty. Which of the following is one of the overriding principles of internal control?
Responsibility for the performance of each duty must be fixed.
In obtaining an understanding of a manufacturing entity's internal control concerning inventory balances, an auditor most likely would
Review the entity's descriptions of inventory policies and procedures.
Which of the following is a component of internal control?
Risk assessment.
In obtaining an understanding of internal control in a financial statement audit, an auditor is not obligated to
Search for significant deficiencies in the operation of internal control.
Basic to a proper control environment are the quality and integrity of personnel who must perform the prescribed procedures. Which is not a factor in providing for competent personnel?
Segregation of duties.
When documenting internal control, the independent auditor sometimes uses a systems flowchart, which can best be described as a
Symbolic representation of a system or series of sequential processes.
Which of the following represents an example of an inherent limitation of internal controls?
The CEO can override a control and request a check with no purchase order.
Which of the following factors is least likely to affect the extent of the auditor's understanding of the entity's internal controls?
The amount of time budgeted to complete the engagement.
Internal control can provide only reasonable assurance of achieving an entity's control objectives. The likelihood of achieving those objectives is affected by which limitation inherent to internal control?
The cost of internal control should not exceed its benefits.
The online data entry control called preformatting is
The display of a document with blanks for data items to be entered by the terminal operator.
A small client recently put its cash disbursements system on a server. About which of the following internal control features would an auditor most likely be concerned?
The server is operated by employees who have cash custody responsibilities.
Which of the following factors is most relevant when an auditor considers the client's organizational structure in the context of the risks of material misstatement?
The suitability of the client's lines of reporting.
Which of the following could be difficult to determine because electronic evidence may not be retrievable after a specific period?
The timing of control and substantive tests.
Misstatements in a batch computer system caused by incorrect programs or data may not be detected immediately because
There are time delays in processing transactions in a batch system.
The normal sequence of documents and operations on a well-prepared systems flowchart is
Top to bottom and left to right.
Which of the following is a computer program that appears to be legitimate but performs some illicit activity when it is run?
Trojan horse.
An auditor is evaluating a client's internal controls. Which of the following situations would be the most difficult internal control issue for an auditor to detect?
Two employees, who work in different departments, are circumventing an internal control.
Which of the following is the most logical order of performing steps I through III below?
Understanding of internal control Tests of controls Substantive procedures
Which of the following is the most serious password security problem?
Users are assigned passwords when accounts are created, but they do not change them.
An auditor is concerned about management override as a limitation of internal control. Which of the following tests would best assess the validity of the auditor's concern?
Verifying that approved spending limits are not exceeded.
Which of the following is not a valid concept of internal control?
When one person is responsible for all phases of a transaction, there should be a clear designation of that person's responsibility.
In which of the following circumstances would an auditor expect to find that an entity implemented automated controls to reduce risks of misstatement?
When transactions are high-volume and recurring.
Which of the following statements is correct regarding internal control?
Which of the following statements is correct regarding internal control?
Which of the following is the best way to compensate for the lack of adequate segregation of duties in a small organization?
Allowing for greater management oversight of incompatible activities.
Control activities constitute one of the five components of internal control described in the COSO model. Control activities do not encompass
An internal auditing function.
Transaction authorization within an organization may be either specific or general. An example of specific transaction authorization is the
Approval of a detailed construction budget for a warehouse.
A customer intended to order 100 units of product Z96014 but incorrectly ordered nonexistent product Z96015. Which of the following controls most likely would detect this error?
Check digit verification.
Which of the following is an inherent limitation of internal control?
Collusion
Which of the following are considered control environment elements?
Commitment to competence
Which of the following components of internal control would be considered the foundation for the other components?
Control environment
Which of the following components of internal control includes development and use of training policies that communicate prospective roles and responsibilities to employees?
Control environment.
Which of the following best describe the interrelated components of internal control?
Control environment; risk assessment process; control activities; the information system, including related business processes; and monitoring of controls.
After obtaining an understanding of the entity and its environment, including its internal control, the auditor assesses
Control risk and inherent risk to determine the acceptable level of detection risk.
Some data processing controls relate to all computer processing activities (general controls) and some relate to specific tasks (application controls). General controls include
Controls for documenting and approving programs and changes to programs.
A conceptually logical approach to the auditor's consideration of relevant controls consists of the following four steps:
Determine whether the relevant controls are capable of preventing, or detecting and correcting, material misstatements and have been implemented. Assess the risks of material misstatement. Design further audit procedures. Evaluate the operating effectiveness of relevant controls.
An auditor uses the audit evidence provided by the understanding of internal control and the assessment of the risks of material misstatement to determine the nature, timing, and extent of
Further audit procedures.
Which of the following types of control best describes procedures to ensure appropriate systems software acquisition?
General
Which of the following are considered control environment factors?
Human Resources Policies and Practices
Which of the following items is an example of an inherent limitation in an internal control system?
Human error in decision making.
Which of the following factors would most likely be considered an inherent limitation to an entity's internal control?
Human judgment in the decision making process.
In planning an audit, the auditor's knowledge about the design of relevant controls should be used to
Identify the types of potential misstatements that could occur.
Obtaining an understanding of an internal control involves evaluating the design of the control and determining whether the control has been
Implemented
An entity should consider the cost of a control in relationship to the risk. Which of the following controls best reflects this philosophy for a large dollar investment in heavy machine tools?
Imprinting a controlled identification number on each tool.
Manual controls would most likely be more suitable than automated controls for which of the following?
Large, unusual, or nonrecurring transactions.
An auditor is concerned with controls designed to safeguard assets that are relevant to the reliability of financial reporting. Adequate safeguards over access to and use of assets means protection from
Losses arising from access by unauthorized persons.
According to AU-C 315, Understanding the Entity and its Environment and Assessing the Risks of Material Misstatement, not all controls are relevant to a financial statement audit. Which one of the following would most likely be considered in an audit?
Maintenance of control over unused checks.
The control environment may decrease the effectiveness of control activities when
Management has substantial incentives for meeting earnings projections.
A small private entity may use less formal means to ensure that internal control objectives are achieved. For example, extensive accounting procedures, sophisticated accounting records, or formal controls are least likely to be needed if
Management is closely involved in operations.
When obtaining an understanding of an entity's internal control, an auditor should concentrate on their substance rather than their form because
Management may establish appropriate controls but not enforce compliance with them.
Which of the following would an auditor most likely consider in evaluating the control environment of an audit client?
Management's operating style.
Which of the following is a factor in the control environment?
Management's philosophy and operating style.
Internal controls are designed to provide reasonable assurance that
Material errors or fraud will be prevented, or detected and corrected, within a timely period by employees in the course of performing their assigned duties.
The ultimate purpose of understanding internal control is to contribute to the auditor's evaluation of the risk that
Material misstatements may exist in the financial statements.
Which of the following procedures most likely will provide an auditor with sufficient evidence about whether an entity's controls are suitably designed and have been implemented to prevent, or detect and correct, material misstatements?
Observing the entity's personnel applying the controls.
Which of the following procedures is an auditor most likely to include in the planning phase of a financial statement audit?
Obtain an understanding of the entity's risk assessment process.
Proper segregation of duties reduces the opportunities to allow persons to be in positions both to
Perpetrate and conceal fraud and error.
Internal control has five components: the control environment, risk assessment, information and communication, monitoring, and control activities. Control activities relevant to an audit may be categorized as policies and procedures that pertain to
Reviewing actual performance.
In order to obtain an initial understanding of internal control sufficient to assess the risk of material misstatement of the financial statements, an auditor would most likely perform which of the following procedures?
Risk-assessment procedures to evaluate the design of relevant controls.
Which of the following controls most likely could prevent computer personnel from modifying programs to bypass programmed controls?
Separation of duties for computer programming and computer operations.
For control purposes, which of the following should be organizationally separated from the computer operations function?
Systems development.
In auditing an online perpetual inventory system, an auditor selected certain file-updating transactions for detailed testing. The audit technique that will provide a computer trail of all relevant processing steps applied to a specific transaction is described as
Tagging and tracing.
An auditor is obtaining an understanding of a client's Internet controls. Which of the following is most likely the least effective control?
The client requires users to share potentially useful downloaded programs from public electronic sources with only authorized employees.
Which of the following is an example of a validity check?
The computer flags any transmission for which the control field value did not match that of an existing file record.
Which of the following statements about internal control is correct?
The cost-benefit relationship is a primary criterion that should be considered in designing internal control.
Which of the following factors is most likely to affect the extent of the documentation of the auditor's understanding of a client's system of internal controls?
The degree to which information technology is used in the accounting function.
Although substantive procedures may support the accuracy of underlying records, these tests frequently provide no affirmative evidence of segregation of duties because
The records may be accurate even though they are maintained by a person who performs incompatible functions.
An auditor's flowchart of a client's accounting system is a diagrammatic representation that depicts the auditor's
Understanding of the system.