audit 2 practice
Gaining an understanding of internal controls should start by identifying
-are somewhat unique for each organization -can be useful in detecting internal control weaknesses -help the auditing team obtain evidence about the control environment
Flowcharts ______.
-help the audit team assess the key control points in the process -involve considerable time and effort -have become a popular documentation method for auditors -are time-consuming to construct -are easy to evaluate after they are completed -can be helpful in identifying missing controls
Audit considerations in an IT environment include ______.
-possibility of input errors -possibility of inappropriate access to computer files and programs -lack of an audit trail
Separation of duties ______.
-prevents incompatible responsibilities -prevents frauds that do not involve collusion -forces different people or departments to deal with different facets of transactions
Section 302 of the Sarbanes-Oxley Act
-requires management to assess the risks it wishes to control -makes managers responsible for establishing a control environment -makes management responsible for monitoring, supervising and maintaining control activities -is designed to ensure the proper "tone at the top" -allows managers to make their own judgments about the necessity of specific controls
Common monitoring controls include ______.
-self-assessments by boards regarding the effectiveness of their oversight -supervisory review of controls -periodic evaluation of controls by internal audit -self-assessments by management regarding the tone they set -quality assurance review of the internal audit department -analysis of and follow-up on items that might be indicative of a control failure
internal control questionnaires
-tend to be inflexible -should be used in combination with other methods -make it less likely for the audit team to forget to cover an important point -can be useful in detecting internal control weaknesses -are somewhat unique for each organization -help the auditing team obtain evidence about the control environment
After their understanding of the entity's internal controls has been documented, the audit team may choose not to perform tests on the operating effectiveness of the controls because ______.
-the internal control system is too ineffective to rely on -it is less time consuming to conduct substantive tests -the cost of obtaining a low control risk assessment is high
Obtaining an understanding of the information system relevant to financial reporting includes understanding ______.
-the nature of the underlying accounting records, information and accounts used to execute a transaction -how the information system captures events and conditions other than transactions significant to the financial statements
The five basic components of a properly designed internal control system as defined by COSO are:
1 control environment 2 risk assessment 3 control activities 4 monitoring 5 information and communication
Which of the following is NOT an administrative level control?
Access control software and passwords
Which of the following is NOT a category of general controls?
Automated application
Prenumbered documents are important in testing the ___ and the ___ assertion
Blank 1: completeness Blank 2: occurrence
"The science of acquiring, preserving, retrieving, and presenting data that has been processed electronically and stored on computer media" is the FBI definition of
Computer forensics
Which of the following statements are correct?
Confirming a specific transaction may be more effective than confirming the account balance. Confirmations returned as "undeliverable" are always a red flag.
True or false: Auditing standards recommend but generally do not require the use of confirmations for accounts receivable.
F
Which of the following statements are correct?
For a sample to be representative, all items in the population have an opportunity to be selected. Tests of controls should be applied to samples executed throughout the period under audit.
Which of the following is NOT a computer operations control?
Programs and software support the entity's financial reporting requirements.
Which of the following is NOT a basic activity in the revenue and collection cycle for a typical manufacturing company?
Purchasing raw materials
Which of the following is NOT an input control?
Run-to-run totals ^ it's a processing control
Which of the following is NOT a typical end-user computing environment control issue that audit teams must consider?
Separation of programming and operations functions
Which of the following statements are correct?
Someone without access to check-writing should perform the recording function. Individuals outside of normal cash operations should prepare bank reconciliations.
Which of the following statements are correct?
Tests of controls over cash often support a reduction in control risk. Most audit clients have strong controls over cash.
Which of the following statements regarding the revenue cycle are correct?
There is always a presumptive risk of fraud. It consists of routine transactions. Tests of controls often support a reduction in control risk.
Which of the following is NOT a data entry control in end-user computing environments?
Transaction logs
Individuals employed by the entity and limitations or limits on the nature and scope of activities they perform are the focus of
administrative
When an auditor receives an oral response to a confirmation ______.
-alternative audit procedures may be warranted -a written response still needs to be requested
Substantive procedures over cash will ______.
always be performed
Substantive procedures are ______.
always performed in the revenue cycle
According to professional standards, the audit team's evaluation of the sufficiency of management's control activities is ______.
always required
At the end of each day a copy of the check listing, a report of payments recorded in accounts receivable and a copy of the bank deposit slip should be received by ______.
an independent employee
fidelity bonds
-are a type of insurance policy -may include employee background checks -are often recommended by auditors
Detection risk is set based on the level of _______and risk of material misstatement.
audit risk
When a material misstatement is not prevented or detected by the client's internal controls or auditors' substantive procedures,_____ has been manifested
audit risk
In an IT environment, a chain of evidence and documentation known as a(n) ----- does not exist
audit trail
Controls applied to specific business activities within an accounting information system to achieve financial reporting objectives are called
automated application controls
The primary document used to test the cash balance in the financial statements is the company's
bank reconciliation
An entity's auditors, accountants and security personnel must be acquainted with the basics of fraud awareness ______.
because not all fraud schemes can be thwarted or detected
The form the carrier signs to verify goods are shipped is a(n) ______.
bill of lading
All entities recognize the need for a formalized process to identify, assess and manage factors, events and conditions, known as ___, that can prevent the organization from achieving its objectives.
business risks
all the debits to the cash accounts are found in the
cash receipts journal
Difficulties in estimating the allowance for doubtful accounts can be due to ______.
-change in customer base -changing economic conditions -revised credit policies
Two or more people working together to circumvent the internal control system is called____ and it cannot be prevented by separation of duties.
collusion
the audit team
-communicates internal control issues to help management carry out internal control monitoring responsibilities -must communicate significant deficiencies and material weaknesses identified during the audit
AS 2201 encourages the audit team to use the work of internal auditors but the audit team must evaluate their___ and ___
competence/objectivity
Auditors review items in the pending order file for evidence of the_____ of recorded sales and accounts receivable
completeness
Experts have two definitions related to computer chicanery
computer abuse computer fraud
The use of information technology by a perpetrator to achieve a gain at the expense of a victim is called
computer abuse or computer fraud
Impeaching a president, terrorist tracking and child pornographer prosecution have all been helped by
computer forensics
Providing reasonable assurance that processing failures do not affect or delay the processing of other transactions is one objective of
computer operation
Having an appropriate disaster recovery plan to ensure files are secured and protected from loss is a major objective of_____
computer operations
Justifications for not using confirmations may include ______.
-confirmations would be ineffective -other procedures provide sufficient, competent evidence -receivables are not material
Specific actions a client's management and employees take to help ensure management's directives are carried out are called
control activities
Integrity, ethical values and competence of the entity's people are all___factors The foundation for all other components of internal control
control environment
It is important to maintain an up-to-date customer master file to ensure ______.
-credit limits are appropriate -files are accurate
Proper separation of duties involves different people and departments handling ______ of checks, cash disbursement ______, record keeping for payments and bank ______.
custody, authorization, reconciliation
Which of the following documents should be matched before recording revenue?
-customer invoice -evidence of shipment -customer sales order
For current status, including up-to-date credit limit information, auditors may test a sample of the
customer master file
The auditors' information source for validating the bank reconciliation is typically a(n)_____ bank statement
cutoff
Tracing shipping documents before and after year-end to the sales journal and vouching credit memos for returns after year end to receiving reports are done to test the
cutoff
Verifying the dates on sales documents helps reduce the risk of misstatement related to the____ assertion of revenue
cutoff
To ensure sales are recorded in the proper period, auditors use sales
cutoff tests
Restrictions on access to input devices and standard screens and computer prompting are examples of _____ controls in end-user computing environments
data entry
Standardized formats and screens are examples of ______ controls.
data entry and formatting
When either the design or operation of the control under consideration does not allow the entity's management or employees to detect or prevent misstatements in a timely fashion, an internal control ___ exists.
deficiency
An employee knowingly doing something to bypass the internal control system is an act of ______.
deliberate circumvention
In determining whether an audit team can rely on IT controls, auditors must determine the scope of the IT testing plan completed by carefully identifying each of the IT
dependency
In a computerized environment, proper separation of duties is ______.
dependent on proper password controls
A problem relating to either a necessary control that is missing or an existing control so poorly constructed that it fails to satisfy the control's objective is called a(n) ______.
design deficiency
The major phases that need to be completed in order to determine whether an audit team can rely on IT controls are ______
-determining the scope of the IT testing plan by identifying each IT dependency -testing the IT controls -understanding the IT controls and processes that need to be tested
Auditors must gain an understanding of internal controls that are in place to mitigate assessed fraud risk and, at a minimum,______.
document that understanding in the workpapers
COSO internal control categories include ______and_____ of operations.
effectiveness/efficiency
Misappropriation of assets is another term for
employee fraud
COSO developed a(n) ______ framework to facilitate the assessment and mitigation of business risks a company faces.
enterprise risk management
Audit professionals generally categorize------- level controls as either general controls or application controls.
entity
Controls that are pervasive to the internal control system and the reliability of the financial statements as a whole are called ______ - level controls.
entity
Within a client's IT environment, there are essential, general IT controls that apply to all applications that are called
entity level controls
For all relevant assertions for each significant account and disclosure, the audit team begins by examining___-___controls that are pervasive to the internal control system and reliability of the financial statements as a whole.
entity-level
The audit team's first step in gaining an understanding of the client's internal control system should focus on ______.
entity-level controls
When computerized processing is used ______.
errors will result in all similar transactions being processed incorrectly
Using an automated test procedure designed to test all items in a population as a means to identify a violation of control activities is an example of ___ testing. Comparing all customers' credit limits to the sum of their outstanding credit balance plus a potential sales transaction as a means of checking for potential over-limit conditions is an example of ______ testing.
exception
When customers are not willing or able to return confirmations, examining subsequent cash receipts, sales orders, invoices, and shipping documents, and correspondence files for past-due accounts are alternative procedures that may be performed to ensure
existence
Accounts receivable confirmation is a substantive procedure designed to obtain evidence of the _____and rights & obligations of customers' balances directly from the
existence rights and obligations
True or false: A walkthrough can be used to provide evidence of whether the client's control activities were operating effectively during the period under audit.
false
True or false: All passwords should be at least six characters long to make hacking by computer-generated algorithms difficult.
false Reason: A six-character lowercase alphabetic password can be hacked in 10 minutes.
True or false: There is no such thing as a typical revenue and collection cycle.
false Reason: Companies come in many different sizes and there are also differences between industries.
True or false: Small entities often fail to separate the functions of programming and operations due to indifference with respect to internal control.
false Reason: While it is true these functions are not always separated, it often occurs because of a lack of resources, not indifference.
True or false: To achieve the specific objectives of each of the three goals, the COSO framework defines five components of a properly designed internal control system that work independently of each other to support the system's overall effectiveness.
false The components work in an integrated manner
True or false: When doing a WCGW analysis, the question the auditor should ask is, "Has the client designed and implemented a control that, if operating perfectly, would mitigate the identified risk of material misstatement?"
false ^ perfection is not an option, settle for effective
True or false: For audits of internal control, the audit team must understand and evaluate internal controls for the entire period.
false they are as of the end of the fiscal year
Procedures related to internal control in an integrated audit performed under AS 2201 are ______ than those in a GAAS audit for a nonpublic entity.
far more expensive
An insurance policy that covers most kinds of cash embezzlement losses is called a(n)
fidelity bond
A safe and secure computing environment that allows the operating controls to operate effectively is provided by the
general IT controls
a typical white collar criminal is
-generally acting alone -socially conforming -attended college -some type of religious affiliation -no arrest record
The cutoff bank statement ______.
-helps search for unrecorded liabilities -verifies the existence of year-end deposits in transit -qualifies as external evidence
An audit team's assessment of control risk as low ______.
-implies controls are effective -allows auditors to use smaller sample sizes -may limit the use of substantive tests of details
An audit team's assessment of control risk as high ______.
-implies controls are ineffective -implies controls cannot be relied upon
Combinations of duties that place a single person in a position to create and conceal misstatements due to errors or frauds in their normal job are___ responsibilities
incompatible
An account's significance is based on its ______ risk.
inherent
The risk of material misstatement is a combination of ___ risk and __ risk
inherent/ control
Controls that provide the opportunity for entity personnel to correct and resubmit data initially rejected as erroneous are called
input
Which type of controls are designed to provide reasonable assurance that data received for processing by the computer department have been properly authorized and accurately entered or converted for processing?
input
Automated application controls are organized under three categories,
input processing output
When testing controls, the audit team often uses----- about the existence of the activity and then corroborate the evidence by observing the control activities are actually being performed.
inquiry
The four methods of testing controls are ___ ___ document examination and ___
inquiry/ observation/reperformance
For each relevant assertion identified by the auditor, professional standards require auditors to first gain an understanding of the ______ that have been designed to mitigate the risk of material misstatement.
internal controls
The audit team's decision that it would take more time to test the operating effectiveness of the control activities than it would take to perform the substantive tests necessary for a relevant assertion ______.
is equivalent to assessing control risk at 100%
When scoping the IT audit procedures that need to be completed, auditors need to be concerned with ______
key control activities being relied on to mitigate the RMM
After understanding and documenting internal control, the audit team should be able to ______.
make a preliminary assessment of control risk
Control activities over cash disbursements are designed to ______.
-make it difficult for a fraudster to steal cash -detect fraudulent activity if it occurs -prevent or detect misappropriations of cash
The focus of AS 2201 is to determine whether a(n)____ exists at the end of the year being reported on. If it does, the entity's internal control over financial reporting cannot be considered effective.
material weakness
The magnitude of the potential misstatement that could occur and would not be detected on a timely basis is the primary difference between a(n) ______.
material weakness and significant deficiency
Because of the nature of cash, auditors ______ need to expand substantive audit procedures to ensure the cash balance is not materially misstated and to identify possible fraudulent activities.
may
The preliminary assessment of control risk ______.
-may be made after understanding and documenting internal control -includes identifying activities explicitly designed to support reliable financial statement reporting
The audit team must adjust the substantive procedures accordingly in order to obtain enough evidence to mitigate the risk of material misstatements to a low level for the relevant assertions being tested if the assessment of control risk is ______.
moderate
If a customer confirms that an account exists, the auditor ______.
must still review the account for collectability
The accountant who records cash receipts and credits to customer accounts should ______.
never handle the cash
Common procedures used in tests of controls are_____, inspection and reperformance
observation inquiry
When a properly designed control is either ignored or inappropriately applied, a(n) ______ has occurred.
operating deficiency
Reasonable assurance that only authorized persons have access to files produced by the system is one concern of______
output
Which type of controls are concerned with detecting rather than preventing errors?
output
A strong entity-level control in the revenue process is ______.
overall review by management
A description of the goods being shipped as well as the quantity shipped is found on the ______.
packing slip
The most common form of control related to access is the use of
passwords
When evaluating tests of controls within an IT environment, auditors need to consider the ______.
-possibility of temporary transaction trails -potential for errors and frauds -potential for increased management supervision
the objectives ___ parallel are to provide reasonable assurances regarding modifications to existing programs
program change
Errors and frauds are kept from entering the system by
preventive controls
An important general control is the separation of duties performed by system analysts, ____ and ___
programmers - computer operators
Due to the lack of predictability of the cash balance, auditors ______ use substantial analytical procedures to test cash.
rarely
According to accounting standards, to be recognized, revenue must be __ and earned
realized or realizable
A material weakness is a deficiency that results in a(n)_____ ___ that a material misstatement would not be prevented or detected on a timely basis.
reasonable / possibility
The COSO definition states that internal control is designed to provide ___regarding the achievement of objectives in three categories.
reasonable assurance
Adjusting and correcting entries that result from bank reconciliations are found in the cash ______ journal.
receipts disbursements
Access to accounts receivable records gives an individual ______,
recording responsibility authorization
An assertion that has a reasonable possibility of containing a material misstatement is considered to be a(n) ____assertion.
relevant
COSO internal control categories include_____ of financial reporting and _____ with applicable laws and regulations.
reliability/compliance
When testing cash, auditors typically ______.
rely exclusively on tests of detail
In many situations an employee initially receives cash and thus has custody. Because this cannot be avoided, good control dictates that ______.
-remittance advices should be sent to the controller's office for recording -cash should be deposited daily and intact -two people should open the mail -checks should be endorsed immediately
A key factor in audit sampling is that, for a sample to be considered____ all items in a population must have an opportunity to be selected
representative
In a computerized environment, proper separation of duties ______.
requires proper permissions
Sales must be realized or realizable and earned in order to be recorded under the accounting standards related to
revenue recognition
Regarding the revenue process, management should ______.
review merchandise returns continually review revenues and compare them to budgeted and forecasts scrutinize total write-offs of accounts receivables
Accounts receivable confirmation is a substantive procedure designed to obtain evidence of the ______ of customers' balances directly from the customer.
rights & obligations existence
When control activities do not lend themselves to automated testing, the audit team is likely to use audit____ to test the population
sampling
user entities may outsource specialized data processing to other companies referred to as
service organizations
Emergency change requests and the migration of new programs into operations, ______.
-should be subject to standard approval procedures after they are made -require appropriate documentation -should be migrated by appropriate individuals
Gaining an understanding of internal controls should start by identifying ___ accounts and disclosures and their ___ ___
significant / relevant assertions
A deficiency in internal controls that is less severe than a material weakness yet important enough to merit attention from those charged with governance is a(n)
significant deficiency
Serious internal control deficiencies can be categorized as either ____ deficiencies or __ __
significant/material/weakness
The most effective alternative procedure to confirmations to ensure existence is examining ______.
subsequent cash receipts
If controls are not in place or personnel are not performing control activities effectively, auditors need to design____procedures to try to detect whether control failures have produced material misstatements in the financial statements.
substantive
If the internal control activities over cash are not operating effectively, auditors may need to expand ______.
substantive audit procedures
In an information technology environment, audit teams need to be concerned with ______ errors.
systematic processing input
If a control is missing or ineffective ______.
-the risk of material misstatement increases -fraud may or may not exist -auditors need to design substantive procedures related to control failure
When companies process payments electronically, the required separation of duties is ______ for companies that write paper checks.
the same as
Professional standards recognize that to make effective decisions, managers must have access to ________ and ___ information
timely/reliable/relevant
The audit team focuses on threats to the integrity of the external financial reporting process by taking a _____ approach to evaluating the effectiveness of the internal control system over financial reporting.
top-down
If the audit-team decides an entity-level control sufficiently reduces a specific risk ______.
transaction-level controls related to that risk may not be needed
True or false: Prenumbered documents are an example of an internal control.
true
True or false: The bank reconciliation is an opportunity for management to monitor the separation of duties between cash receipts and disbursements.
true
True or false: When a user entity employs a service organization for specialized processing, the user entity's auditors must still evaluate controls related to the service organization's computerized processing for the user entity.
true
Computer operations controls are implemented for files and data used in processing with the major objectives of ensuring files ______.
-used in automated processing are appropriate -can be reconstructed from earlier versions of processing information -are appropriately secured and protected from loss
employee fraud
-usually involves some type of falsification -generally includes a cover-up -is also called misappropriation of assets
When the auditor evaluates the reasonableness of the allowance for doubtful accounts,___________is a high risk assertion.
valuation
Reviewing accounts for collectability and determining the adequacy of the allowance for doubtful accounts is done in support of the
valuation assertion
Cash disbursements are typically authorized by an accounts payable department's assembly of supporting documents which is called a(n)____
voucher
The auditor selects examples of a transaction and traces them from initial receipt to the recording in the accounting records when performing a(n)
walkthrough
The identification of IT applications and systems typically occurs during the______ of each financial reporting process
walkthrough
Fraudsters' behaviors often include ______.
-working late -drinking too much -irritability -defensiveness -working standing up -inability to relax