Chapter 6
True or false: A substantive strategy requires the auditor to have a sufficient understanding of the entity's internal controls to know whether they are properly designed and implemented.
True
True or false: An entity's mix of manual and automated controls varies with the nature and complexity of the entity's use of IT.
True
True or false: An entity's risk assessment process should consider the possibility of events that threaten the achievement of objectives.
True
True or false: Auditors need to understand how management considers risks because many types of risk can impact financial reporting objectives.
True
True or false: The application systems acquisition, development and maintenance controls are critical for ensuring the reliability of information processing.
True
Locked doors to prevent unauthorized entry, preventing programmers from entering the computer room and an operational disaster recovery plan are examples of ______ controls. output access and security processing data center and network
access and security
The physical protection of computer equipment, software and data as well as loss of assets and information through theft or unauthorized use is the concern of ______ controls. output data center and network processing access and security
access and security
After planned tests of controls have been completed, the auditor should reach a conclusion on the ______ level of control risk. achieved appropriate assessed planned
achieved
Controls that are part of the computer programs used in the accounting system are _____ controls.
application
Data capture, data validation, processing, output and errors controls are all categories of _____ controls.
application
Ensuring the completeness and accuracy of transaction processing, authorization, and validity is the goal of _____ controls.
application
The process of evaluating the effectiveness of an entity's internal control in preventing, or detecting and correcting, material misstatements in the financial statements is called _____ control risk.
assessing
If properly designed, ______ controls should operate more consistently and are not typically subject to human errors or mistakes in its application. detection risk assessment manual automated
automated
For a control system to be considered ______, each of the five components and relevant principles must be present and functioning, and the five components must operate together in an integrated manner.
effective
The integrity and ethical values of management personnel heavily influence the ______ of an entity's internal controls. efficiency effectiveness sufficiency accuracy
effectiveness
Knowledge of the information system is important to understand the related accounting records when they are ______. manual only electronic or manual electronic only
electronic or manual
The competence level for a particular job should be specified and translated into a job description that details the specific knowledge and skills required. This task should be done by ______. the audit committee internal auditors management external auditors
management
The auditor should gain sufficient knowledge about the control environment to understand the attitudes, awareness, and actions concerning the control environment of the ______. internal auditors management board of directors non-management employees
management and BOD
True or false: All communication regarding matters affecting the functioning of internal control within an organization should be internal.
False
True or false: An entity's external auditor does not need to be concerned about the internal control system at service organizations used by the entity.
False
True or false: How the components of internal control are implemented is not impacted by the size of the entity.
False
True or false: Monitoring is an effective component of internal control, whether or not deficiencies are communicated to those with oversight responsibilities in a timely manner.
False
The auditor's understanding of an entity's internal control over financial reporting are documented using diagrammatic representation known as a(n) ___.
Flowcharts
These provide a diagrammatic representation of the entity's accounting system. Internal Control Questionnaires Organizational Charts Flowcharts Procedures Manuals
Flowcharts
Which of the following statements are correct? Good documentation is an important component of managing controls. Auditors are mainly concerned that program changes are properly authorized, tested and implemented. The external auditor should not be involved in the system acquisition or development process.
Good documentation is an important component of managing controls. Auditors are mainly concerned that program changes are properly authorized, tested and implemented.
Identify the fraud risk factors that organizations must consider in assessing risks to the achievement of objectives. Morality Incentives Threats Rationalization Opportunities
Incentives, rationalization, and opportunities
In many entities, this produces much of the knowledge used in monitoring. Information system Accounting system Report manuals Control environment
Information system
An important role in how management meets its stewardship or agency responsibilities is played by _____ _____
Internal Control
Who has the responsibility to design and maintain a system of internal control that provides reasonable assurance that assets and records are properly safeguarded, and that the entity's information system generates information that is reliable for decision making? - External Auditors - Internal Auditors - Management - Audit Committee
Management
What should be used when it is necessary to show the movement of a document or report back to a previous function? On-page connector Off-line storage Communication link Off-page connector
On-page connector
Physical controls: Information processing controls: Performance reviews: segregation of duties
PC: Periodic counting and comparison with amounts shown on control records IPC: Made up of two broad categories referred to as general and application controls PR: Managers should periodically check the quality of subordinates' work SD: Separating the custody of assets, authorization of transactions and recording of transactions
Which of the following communicate policies and procedures to the entity's personnel? Policy manuals Memoranda Personnel manuals Accounting manuals
Policy manuals, memoranda, accounting manuals
Which of the following statements are correct? The internal control system should be designed to provide absolute assurance that objectives are being achieved. The cost of internal controls should not exceed the benefits derived. Lack of management review is one of the primary sources of internal control weakness.
The cost of internal controls should not exceed the benefits derived. Lack of management review is one of the primary sources of internal control weakness.
General controls play an important role in providing assurance about the quality of _____ controls. data capture output data validation processing
processing
The proper execution of transactions is ensured by ______ controls. processing data validation output data capture
processing
Symbols used in flowcharts are divided into ______ symbols. processing error correction data flow and storage input/output
processing data flow and storage input/output
Flowcharting systems are divided into three groups: input/output symbols, _____ systems and _____ flow and _____ symbols.
processing, data, storage
Internal communication within an organization related to internal control ______. provides clear messages about the importance of how control responsibilities are to be performed is provided by policy manuals involves providing and understanding of roles and responsibilities should always be made by senior management either orally or in writing
provides clear messages about the importance of how control responsibilities are to be performed is provided by policy manuals involves providing and understanding of roles and responsibilities
When deciding whether substantive procedures are to be performed at an interim date, the auditor should consider the ______. purpose of the substantive procedures desired risk of material misstatement nature of the relevant assertions control environment
purpose of the substantive procedures nature of the relevant assertions control environment
The quality of internal control is directly related to the ______ of the personnel operating the system. age experience gender quality
quality
An internal control _____ is generally used for entities with a relatively complex internal control structure.
questionnaire
An effective internal control system provides ______ assurance that the risk of not achieving an entity objective is reduced to an acceptable level. absolute minimal no reasonable
reasonable
In regards to internal control systems, the concept of _____ _____ recognizes that the cost should not exceed the benefits expected to be derived.
reasonable assurenace
Data capture controls must ensure that ______. every transaction entered has appropriate source documentation rejected transactions are identified, controlled, corrected and reentered all transactions are recorded in the application system transactions are only recorded once
rejected transactions are identified, controlled, corrected and reentered all transactions are recorded in the application system transactions are only recorded once
Information that is capable of making a difference in user decisions has the characteristic of _____.
relevance
When an auditor decides to follow a(n) _______strategy, he or she has to understand the control activities that relate to assertions for which a lower level of control risk is expected.
reliance
When the auditor intends to depend on the entity's controls, a(n) _______ strategy is chosen.
reliance
Auditing standards ______ that the auditor document his or her understanding of the entity's internal control components. require recommend suggest
require
Setting an audit strategy ______. requires a detailed understanding of the entity's internal controls should be done based upon the scope of the engagement helps the auditor determine how to evaluate internal controls
requires a detailed understanding of the entity's internal controls
Consideration of possible changes in the internal or external environment because changes can introduce or change risks to the entity's objectives are part of the ______ identification process. detection control fraud risk
risk
As it relates to the external financial reporting objective, the entity's ______ _____process should consider internal and external events and circumstances that may arise and adversely affect the entity's ability to initiate, authorize, record, process and report financial data consistent with management's financial statement assertions
risk assessment
The auditor should obtain sufficient information about the entity's _____ _____ process to understand how management considers risks relevant to financial reporting and decides on appropriate actions to address those risks.
risk assessment
The possibility of events that threaten the achievement of objectives should be considered in an entity's ____ ____.
risk assessment
To obtain an understanding of the entity's internal controls which helps identify key controls, recognize types of potential misstatements and design test of controls and substantive procedures, auditors use _______ ________procedures.
risk assessment
Consideration of possible changes in the internal or external environment because changes can introduce or change risks to the entity's objectives are part of the _____ _____ process.
risk identification
Which of the following statements are correct? senior management may override an entity's internal controls. Violations of control activities by senior management are easy to detect with normal audit procedures. Violations of internal control raise serious questions about management integrity.
senior management may override an entity's internal controls. Violations of internal control raise serious questions about management integrity.
If the auditor determines that internal controls are not properly designed or not implemented the auditor will ______. set the level of control risk at high use substantive procedures to reduce the risk of material misstatement to an acceptable level perform tests of controls to obtain audit evidence that controls are operating effectively make an assessment of control risk based on the result of tests of control
set the level of control risk at high use substantive procedures to reduce the risk of material misstatement to an acceptable level
The components of internal controls as defined by the COSO Framework are ______. entity's risk assessment detection activities information and communication monitoring activities control environment
All except detection activities
These apply to the processing of individual applications and help ensure the occurrence, completeness and accuracy of transaction processing. Control activities Application controls General controls
Application controls
People that significantly influence the control consciousness of the entity and must take their fiduciary responsibilities seriously and actively oversee the entity's accounting and reporting policies and procedures include the ______. external auditors internal auditors board of directors audit committee
BOD and audit committee
The purpose of the ______ Framework is to help management better control the organization and to provide boards of directors an added ability to oversee internal control.
COSO
According to COSO, a system of internal controls is designed to provide reasonable assurance about the achievement of entity objectives in which of the following categories? Maximization of management compensation Accuracy of internal and external financial and non-financial reporting Compliance with applicable laws and regulations Effectiveness and efficiency of operations Reliability, timeliness, and transparency of internal and external financial and non-financial reporting
Compliance with applicable laws and regulations Effectiveness and efficiency of operations Reliability, timeliness, and transparency of internal and external financial and non-financial reporting
This exists in internal controls when the design or operation of a control does not allow management or employees to prevent, detect or correct misstatements on a timely basis. Material weakness Significant deficiency Control deficiency
Control deficiency
The tone of a organization is set an the control consciousness of its people is influenced by the ______, COSO Framework Monitoring of controls Risk assessment procedures Control environment
Control environment
Which of the following statements are correct? Errors must be corrected and resubmitted at the correct point in processing. Most transaction errors are identified by processing or output controls. Errors can be identified at any point in the system. Proper segregation of duties is important in preventing errors from processing.
Errors must be corrected and resubmitted at the correct point in processing. Errors can be identified at any point in the system. Proper segregation of duties is important in preventing errors from processing.
Which of the following statements are correct? Understanding the information system requires knowing how IT is involved in data processing. The auditor should understand the control procedures used by the entity to provide financial statement assurance. The auditor must learn about each business process that affects all account balances in the financial statements.
Understanding the information system requires knowing how IT is involved in data processing. The auditor should understand the control procedures used by the entity to provide financial statement assurance.
Monitoring _________. should only be done through separate evaluations must be included in ongoing activities to be effective can be done through ongoing activities or separate evaluations
can be done through ongoing activities or separate evaluations
Within an entity, there is always a risk of the fraud of _____ between individuals will destroy the effectiveness of segregation of duties.
collusion
Controls that may be relevant to the audit when they have an impact on data the auditor uses to apply audit procedures include ______ controls. planning compliance management decision operations
compliance and operations
Approvals, authorizations, verification, reconciliations, review of operating performance, and segregation of duties are all examples of _____ activities
control
Assignment of authority and responsibility for operating activities and the establishment of reporting relationships and authorization hierarchies are part of the ______ environment principle. control risk financial detection
control
The policies and procedures that help ensure that management's directives are carried out and implemented to address risks identified in the risk assessment process are ______ activities. control detection risk fraud
control
Based upon its risk assessment, management determines which relevant business processes require ______ ______.
control activities
The tone of an organization is set and the foundation for implementing the entity's system of internal control is established by the ________ _______.
control environment
To understand management's and the board of directors' attitudes, awareness, and actions concerning it, the auditor should gain sufficient knowledge about the _____ ____.
control environment
Controls over data preparation, work flow control and library functions are included in ______ controls. processing output access security data center and network
data center and network
Rotation of duties and mandatory vacations, review of the operating system log and regular updates of anti-virus software are examples of ______ controls. processing data center and network access security output
data center and network
Controls that can be applied at various stages and are mainly concerned with the accuracy assertion are ______ controls. processing data capture output data validation
data validation
The information gathered by performing risk assessment procedures is used to evaluate the ________of controls and to determine whether they have been ________.
design, implemented
The level of _____ risk is used to determine the nature, timing, and extent of substantive tests.
detection
An effective accounting system establishes methods and records that will ______. present transaction and disclosures in a manner than ensures profitability for the entity determine the proper time period in which transactions occurred describe transactions in sufficient detail to permit proper classification identify and record all valid transactions
determine the proper time period in which transactions occurred describe transactions in sufficient detail to permit proper classification identify and record all valid transactions
Procedures manuals, organization charts, internal control questionnaires, flowcharts and narrative descriptions are all tools for _____ the auditor's understanding of internal controls.
documenting
Communication with external parties regarding matters affecting the functioning of internal control ______. should only be done between the entity and its external auditors enables inbound receipt of relevant information can assist in meeting outside requirements and expectations
enables inbound receipt of relevant information can assist in meeting outside requirements and expectations
After _______ have been identified, they must be corrected and resubmitted to the application system at the correct point in processing. errors management overrides fraudulent activities
errors
In determining whether an IT specialist is needed, the auditor should consider the ______. existence of the entity's participation in electronic commerce complexity of the IT systems and controls and how they are used total revenue the entity generates in a typical year extent to which data are shared among systems entity's use of existing, common IT technologies
existence of the entity's participation in electronic commerce complexity of the IT systems and controls and how they are used extent to which data are shared among systems
Large public companies are required to engage a(n) _______auditor to express an opinion as to the effectiveness of their systems of internal control over financial reporting.
external
How management identifies risks relevant to the preparation of financial statements, estimates their significance, assesses the likelihood of their occurrence and decides on how to manage them is most directly relevant to the ______. audit committee internal auditors board of directors external auditors
external auditors
Information that is complete, neutral and free from error has the characteristic of _____ _____
faithful representation
On a flowchart, the movement of documents, records or information is shown using ______. annotation online storage flow arrows display
flow arrows
From the auditor's perspective, a(n) _____ is a diagrammatic representation of the entity's accounting system.
flowchart
The assessment of ______ ______ includes consideration of incentives and pressures, opportunities and how personnel might rationalize or justify inappropriate actions.
fraud risk
Controls over network operations are included as part of _______controls which relate to the overall information processing environment.
general
Controls that relate to the overall information processing environment, have a pervasive effect on the entity's computer operation and are sometimes referred to as supervisory, management or information technology controls are called ____ controls
general
The two broad categories of information systems controls are _____ controls and_______ controls.
general, application
Management and the board of directors are responsible for ______. implementing corrective actions related to internal control responsibilities hiring the external auditors to evaluate internal controls establishing performance measures evaluating performance of internal control responsibilities
implementing corrective actions related to internal control responsibilities establishing performance measures evaluating performance of internal control responsibilities
The infrastructure, software, people, procedures and data used to support the functioning of internal control is known as a(n) ______, _____.
information system
The extent of an entity's use of ______ can affect internal controls because this function affects the way transactions are initiated, authorized, recorded, processed and reported. - industry specialists - information technology - internal auditors - managerial estimates
information technology
To obtain an understanding of an entity's internal controls auditors may use ______. recalculation of account balances inspection of entity documents and reports reperformance of control activities inquiry of appropriate personnel observation of entity activities and operations
inspection of entity documents and reports inquiry of appropriate personnel observation of entity activities and operations
Types of tests of controls include ______. inspection recalculation inquiry observation
inspection, inquiry, observation
The approach to taking and monitoring business risks and attitudes and actions toward financial reporting are characteristics that may signal important information to the auditor about management's _______and _____values.
integrity, ethical
Auditors may test controls at an ______ date because the assertion being tested may not be significant, the control has been effective in prior audits, or it may be more efficient to conduct the tests at that time.
interim
The auditor's understanding of ______ is used to identify the controls that are likely to prevent, or detect and correct, material misstatement in specific assertions. management objectives the control environment fraudulent activities internal controls
internal controls
An internal control questionnaire ______. is one of many types of questionnaires used by auditors contains questions about the five internal control components is generally used for entities with a relatively simplistic internal control structure provides a systematic means to investigate internal control
is one of many types of questionnaires used by auditors contains questions about the five internal control components provides a systematic means to investigate internal control
Interim tests of controls give auditors time to inform the ______ so that likely misstatements can be located and corrected before the rest of the audit is performed. board of directors internal auditors audit committee management
management
Responsibility for establishing mechanisms to communicate and hold individuals accountable for the performance of internal control responsibilities across the organization rests with ______, the external auditors the internal auditors management the board of directors
management and the board of directors
A deficiency, or combination of deficiencies, in internal controls, such that there is a reasonable possibility that a material misstatement of the entity's financial statement will not be prevented, or detected and corrected on a timely basis is a ______. control deficiency material weakness significant deficiency
material weakness
Monitoring the operating effectiveness of internal controls ______. should only be done by management should involve the external auditors may be done by internal auditors
may be done by internal auditors
The operating effectiveness of a control ______. may be tested using computer-assisted audit techniques if the control is manual should not be affected by whether it is performed manually or is automated may be tested using audit data analytics if the control is automated
may be tested using audit data analytics if the control is automated
Auditors ____. should only rely on controls that have a pervasive effect on many assertions should only rely on controls that affect an individual assertion may rely on any control likely to prevent or detect and correct material misstatements
may rely on any control likely to prevent or detect and correct material misstatements
The understanding of internal control may be documented in a(n) _____which is most appropriate when then entity has a simple internal control system.
memorandum
Assessing the quality of internal control performance over time is the intention of ______ of controls. enforcement monitoring communication creation
monitoring
When audit risk is low and the risk of material misstatement is high, substantive tests should be performed ______. mostly at interim dates throughout the year mostly at year-end consistently thought the year at interim dates and year end
mostly at year--end
Factors that can impact the effectiveness of the board of directors or audit committee include ______. compensation packages nature and extent of interactions with auditors stock performance experience of members information availability
nature and extent of interactions with auditors experience of members information availability
If an entity's accounting system has control weaknesses that result in a high level of assessed control risk, substantive procedures will probably ______. not be conducted at interim dates only be conducted at interim dates be conducted at both interim dates and year end
not be conducted at interim dates
A direct relationship exists between _________which reflect what an entity is trying to achieve, ________which represent what the entity needs to do to achieve them, and the ______of the entity.
objectives, components, structure
Data capture controls are concerned primarily with the ______ assertions. authorization occurrence completeness accuracy reliability
occurrence completeness accuracy
Tests of controls directed toward _____ _____ are concerned with assessing how the control was applied, the consistency with which it was applied during the audit period and by whom it was applied.
operating effectiveness
An effective system of internal controls allows management to focus on _____ while maintaining compliance with relevant laws and minimizing surprises. operations compensation compliance financial performance goals stock price fluctuations
operations and compensation compliance
Designated lines of authority and responsibility are presented on an entity's _____ _____.
organizational chart
How authority and responsibility are delegated and monitored and the framework within which the entity's activities for achieving entity wide objectives are planned, executed, controlled and reviewed are defined by the entity's ____ ____
organizational structure
Report distribution logs, transmittal sheets, reasonableness reviews and reconciliations to control or batch totals are examples of ______ controls. data validation output processing error
output
The main concern of ______ controls is that computer reports, checks, documents or other printed or displayed information may be distributed or displayed to unauthorized users. data validation output processing error
output
If the auditor determines that internal controls are properly designed and implemented and the auditor intends to rely on those controls, the auditor will ______. set the level of control risk at high use substantive procedures to reduce the risk of material misstatement to an acceptable level perform tests of controls to obtain audit evidence that controls are operating effectively make an assessment of control risk based on the result of tests of control
perform tests of controls to obtain audit evidence that controls are operating effectively make an assessment of control risk based on the result of tests of controls
Commonly categorized control activities include ______. performance reviews segregation of duties information processing controls physical controls fraud controls risk identification controls
performance reviews segregation of duties information processing controls physical controls
Authorization requirements for access to computer programs and periodic counting and comparison with amounts shown on control records are examples of ______. fraud controls risk identification controls information processing controls physical controls segregation of duties controls
physical controls
A rule or guideline that calls for certain activities to take place in certain circumstances is knowns as a(n) ____.
policy
A policy might call for two people to sign all checks over a certain dollar amount and the _______is the action of having two people sign a check.
procedure
Many organizations prepare ______ which include documentation of the accounting system and related control activities. procedures manuals flowcharts organizational charts internal control questionnaires
procedures manuals
Monitoring of internal controls ______. should be done to determine operating effectiveness is intended to assess quality of performance over time has received decreased attention in recent years may identify the need for control redesign
should be done to determine operating effectiveness is intended to assess quality of performance over time may identify the need for control redesign
Less severe than a material weakness, a(n) _____ _____ is still important enough to merit attention by those charged with governance.
significant deficiency
Documenting the understanding of internal control in a memorandum is most appropriate when the entity has a(n) ______ internal control system. extensive complex simple
simple
Small to midsize entities ______. sometimes use alternative approaches to achieve effective internal control generally do not need a system of internal control generally achieve internal control objectives using the same methods as large entities
sometimes use alternative approaches to achieve effective internal control
In deciding on the nature and extent of the understanding of internal control needed for the audit, the auditor should consider the entity's operations and systems ______. sophistication accuracy complexity effectiveness
sophistication and complexity
The last step in the decision process is performing _____ procedures.
substantive
The risk that material misstatements are present in financial statements may be increased by conducting _____ procedures only at an interim date.
substantive
When an auditor decides to follow a(n) _______strategy, little work is done on understanding specific control activities.
substantive
When the auditors sets control risk at high, he or she documents that control risk assessment and performs _____ procedures.
substantive
Processing steps and computer processing are included in a ______ flowchart. document systems program
systems
The auditor may decide to follow a substantive strategy for some or all assertions because ______. tests of controls have been used to assess control risk testing the operating effectiveness of the controls would be inefficient implemented controls are assessed as ineffective implemented controls do not pertain to the assertion under consideration
testing the operating effectiveness of the controls would be inefficient implemented controls are assessed as ineffective implemented controls do not pertain to the assertion under consideration
In order to provide evidence to support the lower level of control risk when using a reliance strategy, the auditor performs _____ _____ _____.
tests of controls
When a reliance strategy is chosen, ______. tests of controls are used to assess the achieved level of control risk a detailed understanding of internal control is not required substantive test procedures are not required
tests of controls are used to assess the achieved level of control risk
When a service organization provides accounting services to an entity and those services affect the entity's accounting records, ______. the entity's external auditor must rely on the control assessment provided by the service organization's auditor control risk must be assessed at high the entity's external auditor must be concerned with the internal control system at the service organization they are considered part of the entity's information system
the entity's external auditor must be concerned with the internal control system at the service organization they are considered part of the entity's information system
The controls that are of most direct relevance to a financial statement audit are those that contribute to financial statement ______. accuracy transparency effectiveness reliability timeliness
transparency reliability timeliness
Output documents from the application that are used as source documents in later processing are called _____ documents.
turnaround
When an auditor traces a sales transaction from its origination to its inclusion in the financial statements, he or she is performing a(n) ______.
walkthroughs
