Topic 7- Internal Controls
Which of the following is NOT one of the key components of internal control? a. Compliance b. Control activities c. Control environment d. Monitoring
A Compliance is one of the objectives of internal control, it is not one of the key components of internal control.
In every annual and quarterly filing, management has to state to the public that they evaluated effectiveness of the company's internal controls within __________ prior to the report issued to the public. a. 30 days b. 90 days c. 180 days d. 1 year
B In every annual and quarterly filing, management has to state to the public that they evaluated effectiveness of the company's internal controls within 90 days prior to the report issued to the public.
The primary objectives achieved by a high quality system of internal control are: a. Reporting and accuracy b. Operations, reporting, and compliance c. Operations and compliance d. Accuracy and compliance
B Operations, reporting, and compliance are the three objectives achieved by a high quality system of internal control.
Which of the following is the correct sequence with regards to the auditor's reliance on the client's internal controls? a. Assess design and implementation of controls, decision to rely on controls, testing controls b. Assess design and implementation of controls, testing controls, decision to rely on controls c. Decision to rely on controls, assess design and implementation of controls, testing controls
B The auditor first assesses the quality of the design and implementation of controls, then makes a decision to rely on controls. After deciding to rely on controls, the auditor will test the controls.
Which of the following is not one of the five components of the COSO Framework for internal conrol? a. Risk Assessment b. Fraud Prevention c. Control Activities d. Control Environment
B The five components of the COSO framework are: Control Environment, Risk Assessment, Control Activities, Information & Communication, and Monitoring.
If the auditor believes the client's internal controls are effective, she should issue which type of audit opinion? a. Adverse b. Qualified c. Unqualified
C
COSO was originally founded by each of the following organizations except... a. American Accounting Association b. American Institute of Certified Public Accountants c. Association of Certified Fraud Examiners d. Institute of Internal Auditors
C COSO was originally founded by five organizations: AICPA, AAA, FEI, IMA, IIA.
The auditor's report on internal control quality can express which of the following opinions regarding the quality of internal control? a. Unqualified or Qualified only b. Qualified or Adverse only c. Unqualified or Adverse only d. Unqualified, Qualified, or Adverse
C The auditors opinions can be either unqualified or adverse. No other audit opinions are available for the report on the audit of internal control.
Which of the following is not one of the five components of the COSO Framework for internal conrol? a. Control Environment b. Control Activities c. Fraud Prevention d. Risk Assessment
C The five components of the COSO framework are: Control Environment, Risk Assessment, Control Activities, Information & Communication, and Monitoring.
COSO was originally founded by ______ organizations, including the AICPA. a. Five b. Seven c. Two d. Three
COSO was originally founded by five organizations, all of which are still involved with COSO.
Each of the following is an example of control activities except? a. Physical controls b. Reconciliations c. Authorizations and approvals d. Each of the above is an example of a control activity
D Control activities are the processes, actions, and physical safeguards, employed to address risks identified earlier in the internal control process. Each of the items listed is a type of control activity.
Which answer below best describes the difference between a material weakness in internal control and a significant deficiency in internal control? a. The difference is that significant deficiencies are larger in magnitude than material misstatements b. The difference between the two is the probability that a material misstatement will flow through the controls undetected to the financial statements. c. The difference between the two is that significant deficiencies have to be reported to the public and material weaknesses do not d. The difference between the two is the size of the resulting potential misstatement that could get through the control systems undetected.
D The main difference between significant deficiencies and material weaknesses is the size of the potential misstatements that could flow through the system of controls undetected. If it is at least reasonably possible that material misstatements could result it is a material weakness, whereas if it is at least reasonably possible that significant, but not material, misstatements could result it is a significant deficiency.
Which of the following is NOT a reason the auditor may choose to not rely on internal controls for audit evidence? a. The design of controls is not adequate, but controls are implented well b. Testing controls is more time consuming than testing account balances or transactions directly c. The implementation of controls is lacking, but controls are designed effectively d. They are going to use a reliance approach instead e. Each of the above is a reason the auditor may choose to not rely on controls as audit evidence
D Using a reliance approach means the auditor IS going to rely on controls for audit evidence. If either design or implementation is lacking, the auditor may choose to not rely on controls for audit evidence. Similarly, if testing controls is more time consuming than directly testing the transactions or account balances, the auditor may choose to not rely on controls for audit evidence.
Control activities include preventive controls, but not detective controls.
FALSE Control activities involve both preventive and detective controls.
Monitoring activities include separate activities, but not ongoing activities to evaluate the effectiveness of controls.
FALSE Monitoring includes both separate and ongoing monitoring activities.
When reporting on both the audit of financial statements and the audit of internal control, the auditor must include both opinions in a single report.
FALSE The auditor may issue a joint opinion or issue two separate opinions.
If the auditor chooses not to rely on internal controls for audit evidence, he or she would still need to thoroughly test the controls to obtain a proper understanding of the appropriateness of the design and implementation of controls.
FALSE The auditor only performs thorough tests of controls when he or she decides to rely on the controls for audit evidence. The auditor evaluates the design and implementation of the controls in the process of deciding whether to rely on controls (i.e. prior to internal control testing).
The internal audit function does not play a significant role in evaluating the company's internal controls.
FALSE The internal audit function typically plays a significant role in evaluating a company's system of internal control.
The audit of financial statements and the audit of internal control over financial reporting should not be conducted by the same external auditor.
FALSE The same auditor is required by the Sarbanes-Oxley Act of 2002 to conduct both the audit of internal control and the audit of the client's financial statements. Thus, this approach is called an integrated audit.
The COSO framework is used by relatively few public companies in the United States to evaluate the effectiveness of their internal controls.
FALSE The vast majority of U.S. public companies use the COSO framework to evaluate their internal controls.
Using the COSO internal control framework as a benchmark for quality is mandatory for the audit of internal control over financial reporting.
FALSE This statement is not true. Auditors use as a benchmark whichever internal control framework that was used by the client. The company is free to adopt any high quality framework.
If the auditor uses a pure substantive approach, he or she will typically still invest signficant effort to test the client's controls.
FALSE Using a pure substantive approach means that the auditor is not going to rely on controls for any evidence. Therefore, the auditor would not spend significant resources to test controls.
Control activities include both preventive controls and detective controls.
TRUE
Monitoring activities can include both separate activities as well as ongoing activities to evaluate the effectiveness of controls.
TRUE
The approach to documenting the auditor's understanding of internal control varies depending on the complexity of the system of internal control.
TRUE
The auditor can issue either combined or separate audit reports when reporting on both the audit of financial statements and the audit of internal control.
TRUE
Auditors are not required to use the COSO internal control framework as a benchmark for auditing their clients' internal control over financial reporting.
TRUE Although the COSO framework is used by the majority of U.S. public companies, auditors use as a benchmark whichever internal control framework that was used by the client. The company is free to adopt any high quality framework.
While auditors may consider all three objectives of internal control, they are primarily concerned with the financial reporting objective of internal control.
TRUE Auditors are primarily concerned with the reporting objective of internal control.
The audit of financial statements and the audit of internal control over financial reporting should be conducted by the SAME external auditor.
TRUE Doing so allows the auditor to learn important information about financial statements through testing controls, and important information about controls through testing financial statement accounts and transactions. Thus, this approach is called an integrated audit.
The auditor is not primarily responsible for the proper functioning of his client's system of internal control.
TRUE Management, not the auditor, has primary responsibility for the proper functioning of a company's system of internal control.
The materiality threshold used for the audit of financial statements is the same as the materiality threshold used for determining whether a control deficiency is a material weakness or a significant deficiency.
TRUE The auditor uses the same materiality threshold for these two purposes.
Management is ultimately responsible for establishing and maintaining internal controls at the company.
TRUE This is one of management's roles and one of the certifications they must make to the public.
If the auditor uses a pure substantive approach, he or she will typically not test the client's controls.
TRUE Using a pure substantive approach means that the auditor is not going to rely on controls for any evidence. Therefore, the auditor would not test controls.