Chapter 7 Audit

Ace your homework & exams now with Quizwiz!

Which of the following would be least likely to be considered an objective of internal control?

(1) Checking the accuracy and reliability of accounting data. (2) Detecting management fraud. (3) Encouraging adherence to managerial policies. (4) Safeguarding assets. (2) is least likely, management can override (limitation)

The two types of monitoring are

(1) ongoing monitoring activities (2) separate evaluations.

The accounting department uses a manual of accounting policies and procedures. (CRIME)

Accounting information and communication system.

Management surveys customers about their satisfaction with the company's service (CRIME)

Monitoring—ongoing

Under normal circumstances, the assessment of internal control significantly reduces the cost of an audit because

a reduction in the assessed level of control risk permits the auditors to perform much less substantive procedures than would otherwise be necessary.

Corporate governance is the system

by which companies are directed and controlled

management of large public companies are required to

evaluate the company's internal control using suitable control criteria, such as COSO's integrated control framework

the approval function may be omitted in an

extremely simple transaction such as a cash sale not involving a check

Management letter serves as a useful reference document

for management in implementing improvements in internal control and may also serve to limit the auditors' liability to the client in the event the control deficiencies subsequently give rise to defalcations or other losses.

planned assessed level of control risk

for the existence of accounts receivable which requires them to test as a sample of sales transactions

Foreign Corrupt Practices Act makes

illegal payment of bribes to foreign officials -Requires an effective system of internal control (applies to public companies)

external auditors are interested primarily

in the end results of the accounting process

internal auditors are interested

in the processes themselves

The external auditors have a responsibility to

stockholders, creditors, and the public as well as to management.

The four types of control activities are

(1) performance review (2) transaction processing (3) physical controls (4) segregation of duties

404a - Management Report

-Acknowledgment of responsibility for internal control -An assessment of internal control effectiveness as of the last day of the company's fiscal -Support the evaluation with sufficient evidence using suitable criteria

Responses to high risk at the financial statements level

-Assigning more experience staff or those with specialized skills -Providing more supervision and emphasizing the need to maintain professional skepticism -Incorporating additional elements of unpredictability in the selection of further audit procedures to be performed -Increasing the overall scope of audit procedures, including the nature, timing or extent

Procedures to obtain an understanding

-Inquiring of entity personnel -Observing the application of specific controls -Inspecting documents and reports -Tracing transactions through the information system relevant to financial reporting (System Walkthrough) -May also obtain evidence on operating effectiveness of various controls

At least three employees or departments should usually participate in each transaction to achieve strong internal control

-One employee approves the transaction after determining that the details conform to company policies -Another employee records the transaction in the accounting records -Third employee executes the transaction by releasing and/or taking custody of the related assets

Control Activities

-Performance reviews -Transaction control activities -Physical controls -Segregation of duties (authorization, recording, and custody of assets)

Example of ongoing monitoring activities include

-monitoring of customer complaints -reviewing reasonableness of management reports

The primary objective of the internal auditor is

1) Aid corporate management in efficient administration by investigating and reporting upon compliance with company policies 2) Reliability of accounting and statistical records and reports 3) Adequacy of internal control 4) Efficiency of operating procedures 5) Effectiveness of performance in all areas of operation.

Factors that result in increased financial reporting risk are

1) Changes in organizations environment 2) Changes in personnel 3) New information system 4) Rapid growth of the organization 5) Changes in technology 6) New lines of business, products, or processes 7) Corporate restructure 8) Expansion or acquisition of foreign operations 9) New or change in accounting principles

The two subsections of Section 404 of the Sarbanes-Oxley Act are

404a - management 404b - auditor

Preventive

Aimed at avoiding the occurrence of misstatements in the financial statements Example: Segregation of duties

Components of Internal Control

CRIME

Controls overlap

Complementary - function together Redundant - address same assertion or control objective Compensating - reduces risk existing weakness will result in misstatement

Entry into the warehouse is strictly controlled by security personnel. (CRIME)

Control activities—physical controls.

preventive (P), detective (D), or corrective (C). Annual physical inventory. Monthly reconciliation of bank accounts. Segregation of duties over purchasing. Supervisory approval of time cards. Dual signatures for checks. Adjustment of perpetual inventory records to physical counts. Management review of budget/actual information. Internal audits of payroll.

D D P P P C D D

Service organizations example

Outsource processing of payroll or Internet sales; storage of data and records in the service organization's Cloud

Separate evaluations

Periodic audits by internal audit

Management periodically evaluates the threats to preparing reliable financial statements. (CRIME)

Risk assessment

At the completion of the audit, the auditors are least likely to know: (1) The assessed level of control risk. (2) The planned assessed level of control risk. (3) Actual control risk. (4) The scope of tests of controls.

The auditors never know the exact control risk involved—they always simply have an estimate of it.

Which of the following is least likely to be a test of controls? (1) Inquiries of client personnel. (2) Inspection of documents. (3) Observation of confirmations. (4) Reperformance of controls.

While tests of controls involve, inquiry, inspection, observation and re-performance, "observation of confirmations" doesn't have a clear meaning.

Key factors in protecting a business against losses through embezzlement include

adequate internal control, fidelity bonds, and regular audits by independent public accountants

The risk assessment component of internal control relates to the factors that

affect the risk that the organization's reporting objectives will not be achieved

Performance reviews provide management with

an overall indication of whether personnel at various levels are effectively pursuing the objectives of the organization.

firm policies, and "decision aids" or guides assist

auditors in gathering relevant information or combining the information to make decisions about the nature, timing, and extent of substantive procedures.

In conducting audits, internal auditors appraise

company policies, organization, records, and performance, whereas external auditors are essentially concerned with the verification of data affecting the financial statements. Internal auditors are charged with the responsibility of seeing that company accounting policies are being followed

flowcharting has become the most widely used method of

describing internal control in audit working papers

Estimation transactions

determining the allowance for doubtful accounts

COSO Framework

internal control and enterprise risk management

COSO has issued frameworks on both

internal control and enterprise risk management

Internal control

is a process designed to provided reasonable assurance of objectives in 1)operations, 2) reporting, 3) compliance

revised assessed level of control risk

is the level of risk based on the additional tests of controls performed to evaluate control risk for an assertion

Internal control has such other important objectives as assuring the

reliability of accounting data and other types of information needed by management for effective direction of business

An awareness of risk assessment contributes to internal control because management's consideration of the possibility that

reports (including financial statements) may be misstated decreases the likelihood of misstatement.

Section 404b

requires auditors of certain companies to attest to, and report on, internal control over financial reporting.

The major limitations of internal controls include:

(1) Errors in decisions may occur in designing, maintaining, or monitoring controls. (2) Mistakes may be made in the performance of controls as a result of misunderstanding of instructions, mistakes of judgments, carelessness, distraction, or fatigue. (3) Top management can override internal control. (4) Control activities dependent upon separation of duties may be circumvented by collusion among employees. (5) Design of controls is subject to cost-benefit considerations.

The five stages of an audit of internal control performed in accordance with PCAOB requirements are:

(1) Plan the engagement. (2) Obtain an understanding of internal control over financial reporting (internal control). (3) Test and evaluate design effectiveness of internal control. (4) Test and evaluate operating effectiveness of internal control. (5) Form an opinion on the effectiveness of internal control over financial reporting.

The auditors' understanding of the entity and its environment, including internal control allows them to

(1) assess the risks of material misstatements of the financial statements (2) design the nature, timing and extent of further audit procedures.

Risk Assessment

-Clearly specify objectives to allow the identification and assessment of risks related to those objectives. -Identify and analyze risks to the achievement of its objectives to determine how they may be managed. -Consider potential fraud relating to the achievement of objectives. -Identify and assess changes that could impact internal control.

Control Environment

-Commitment to integrity and ethical values. -Board of directors demonstrates independence from management and exercises oversight of internal control. -Establishment of effective structure, including reporting lines, and appropriate authorities and responsibilities. -Commitment to attract, develop, and retain competent employees. -Holding employees accountable for internal control responsibilities.

Auditors should obtain understanding of the outsourced function by following one or more of:

-Contacting service organization to obtain information -Visiting service organization an performing necessary procedures -Obtaining a report from the auditors of the service organization

Ongoing monitoring activities

-Continuous monitoring of customer complaints -Management review control in which the Controller reviews gross profit on revenue transactions for unusual relationships

Responses to risk at the Assertion Level

-Decisions are made here as to the appropriate combination of tests of controls and substantive procedures that respond specifically to the risk

Area of reporting

-Detailed level applied to accounts receivable sub-objectives -All goods shipped are accurately billed in the proper period -Invoices are accurately recorded for all authorized shipments and only for such shipments -Authorized and only authorized sales returns and allowances are accurately recorded -The continued completeness and accuracy of accounts receivable is ensured -Accounts receivable records are safeguarded

Limitations of Internal Control

-Errors may arise from misunderstandings of instructions, mistakes of judgment, fatigue, etc. -Controls that depend on the segregation of duties may be circumvented by collusion -Management may override internal controls -Compliance may deteriorate over time

Assessing Risks at the Assertion Level example

-Failure to recognize an impairment losses on a long-lived assets affects only the valuation assertion -Inaccurate counting of inventory at year-end affects the valuation of inventory and the accuracy of cost of goods sold

Test of controls address

-How controls were applied -The consistency with which controls were applied -By whom -By what means (e.g., electronically) the controls were applied

Objectives of an accounting system

-Identify and record valid transactions -Describe on a timely basis the transactions in sufficient detail to permit proper classification of transactions -Measure the value of transactions appropriately -Determine the time period in which the transactions occurred to permit recording in the proper period -Present properly the transactions and related disclosures in the financial statement

Test of controls approach

-Identify controls likely to prevent or detect material misstatements -Perform tests of controls to determine whether they are operating effectively

Assess the risks of material misstatement include

-Identify risks while obtaining an understanding of the client and its environment, including its internal control -Relate the identified risks to what can go wrong at the relevant assertion level -Consider whether the risks are of a magnitude that could result in a material misstatement -Consider the likelihood that the risks could result in a material misstatement

The understanding of internal control is used to help the auditors to

-Identify types of potential misstatements -Consider factors that affect the risks of material misstatement -Design tests of controls (when applicable) and substantive procedures

Test of controls include

-Inquiries of appropriate client personnel -Inspection of documents and reports -Observation of the application of controls -Reperformance of the controls

Control environment includes

-Integrity and ethical values -independent board of directors -effective structure (reporting lines, authorities) -commitment to attract, develop, and retain employees -employee accountability

Assessing risk at the financial statements level examples

-Preparing the period-end financial statements, including the development of significant accounting estimates and preparation of the notes -The selection and application of significant accounting policies -IT general controls -The control environment

Due to lack of employees, internal control is seldom strong in small businesses. Specific practices for small businesses:

-Record all cash receipts immediately -Deposit all cash receipts intact daily -Make all payments by serially numbered checks, with exception of petty cash disbursements -Reconcile bank accounts monthly and retain copies -Use serially numbered purchase orders, invoices, and receiving reports -Issue checks to vendors only in payment of approved invoices that have been matched with purchase orders and receiving reports -Balance subsidiary ledger with control accounts -Prepare comparative financial statements monthly to disclose significant variations in any category of revenue or expense

The use of a flowchart in documenting internal control offers the advantage of

-a graphic presentation of a system or a series of sequential processes. -It shows the steps required and the flow of forms or other documents from person to person in carrying out the function depicted -avoids the detailed study of written descriptions of procedures without sacrificing the CPAs' ability to appraise the effectiveness of controls under review

Transaction processing controls are performed to check the

-completeness, -validity -authorization of transactions.

The primary objective of the external (independent) auditors is to

1) Determine whether the financial statements fairly reflect the financial position 2) operating results 3) Cash flows of the business

Five major objectives of an accounting information system:

1) Identify and record all valid transactions 2) Describe on a timely basis the transactions in sufficient detail to permit proper classification 3) Measure the value that records in monetary value 4) Determine the time period in which transactions occurred to recording in the proper accounting period 5) Properly present the transactions and related disclosures

Deficiency in Internal Control

1) Less than Significant 2) Significant Deficiency 3) Material Weakness

Work of Internal Auditors may be used in two ways:

1) Obtaining audit evidence by using the internal auditors' work performed as a part of their normal responsibilities 2) Using internal auditors to provide direct assistance on the external audit.

Monitoring

1) Ongoing monitoring activities -Regularly performed supervisory and management activities 2) Separate evaluations -Performed on nonroutine basis

Documenting the Understanding of Internal Control

1) Questionnaires -Typically standardized by firm or industry 2) Written Narratives -Memos that describe flow of transactions and controls 3) Flowcharts

CPA firms attempt to reduce inconsistencies in judgments by developing

1) firm policies 2) "decision aids" or guides

Among the sources of information which auditors may use in preparing a working paper description of internal control are:

1) organization charts 2) charts of accounts 3) job descriptions 4) interviews and discussions with officers and employees 5) reports of internal auditors 6) accounting reports and records 7) inspection of facilities 8) working papers and reports from prior examinations.

Corporate governance includes

1) policies 2) procedures 3) mechanism Established to ensure that the company operates in the best interests of its major stakeholders and society as a whole

Documentation is usually in the form of

1)flowcharts 2)questionnaire3)written narratives of the system.

1. Compensating control 2. Complementary control 3. Corrective control 4. Deficiency in internal control 5. Material weakness in internal control 6. Walk-through 7. Transaction cycle

1. A control that reduces the risk that an existing or potential control weakness will result in a failure to meet a control objective 2. A control that functions together with another control to achieve the same control objective 3. A control established to remedy misstatements that are discovered 4. A situation in which a control does not allow management or employees, in the normal course of performing their functions, to prevent or detect misstatements on a timely basis 5. A deficiency in internal control such that there is a reasonable possibility that a material misstatement will not be prevented or detected on a timely basis 6. A procedure in which an auditor follows a transaction from origination through the company's processes, including information systems, until it is reflected in the company's financial records 7. The sequence of procedures applied by the client in processing a particular type of recurring transaction

Five components of internal controls (CRIME)

1. Control activities 2. Risk assessment 3. Information 4. Monitoring 5. Control Environment

Controls Over Accounting Estimates:

1. Control environment policies and procedures that encourage proper estimates. 2. Risk assessment consideration of the risks of inaccurate accounting estimates. 3. Policies that ensure that qualified personnel are involved in developing the estimates. 4. Policies and procedures that ensure that relevant, sufficient and reliable data is considered in the development of the estimates, and the model used is appropriate. 5. Management review of sources of data, processes used to develop the assumptions, changes in the methods used, and the reasonableness of assumptions and estimates. 6. Policies to ensure use of the work of specialists when considered necessary. 7. Policies to improve estimation processes by comparison of prior estimates with subsequent results.

AICPA document on Antifraud Programs and Control Measures:

1. Create and maintain a culture of honesty and high ethics § Set tone at the top § Create a positive workplace environment § Hire and promote appropriate employees § Properly train employees § Discipline 2. Evaluate the risks of fraud and implement processes, procedures, and controls to mitigate those risks § Identify and measure fraud risks § Mitigate fraud risks § Implement and monitor controls and other measures 3. Develop an appropriate oversight process

Overall approach of an audit

1. Plan the audit 2. Obtain an understanding of the client and its environment, including internal control 3. Assess the risks of material misstatement and design further audit procedures 4. Perform further audit procedures 5. Complete the audit 6. Form an opinion and issue the audit report -Steps 2-4 relate to internal control of financial statement audits

1. Control environment 2. Less severe than a material weakness 3. Monitoring 4. Performance review 5. Walk-through 6. Reasonable assurance 7. Flowchart 8. Risk assessment 9. Operating effectiveness 10. Control activities

1. Tone at the top 2. Significant deficiency 3. Ongoing and separate evaluations 4. Comparison of actual performance to expectations 5. Determine implementation 6. Relationship of costs and benefits 7. Relationship of costs and benefits 8. Risk responses 9. Test of controls 10. Policies and procedures to mitigate risk

Which of the following is not ordinarily a procedure for documenting an auditor's understanding of internal control for planning purposes? (1) Checklist. (2) Confirmation. (3) Flowchart. (4) Questionnaire.

A confirmation is designed to obtain evidence from a third-party. It is not used to document internal control.

An auditor may compensate for a weakness in internal control by increasing the extent of: (1) Tests of controls. (2) Detection risk. (3) Substantive tests of details. (4) Inherent risk.

An increase in the substantive procedures will decrease detection risk, and thereby compensate for the increased level of control risk due to a weakness in internal control. Answer (1) is incorrect because if the weakness exists, increasing the extent of tests will only provide more evidence on the weakness—not evidence that compensates for the weakness. Answers (2) and (4) are incorrect because a decrease in detection risk or inherent risk, not an increase, would compensate. Also, in the case of inherent risk, it may not be possible to change the assessment since it is a function of the firm's environment.

Tests of controls do not address: (1) How controls were applied. (2) How controls were originated. (3) The consistency with which controls were applied. (4) By what means the controls were applied

Auditors are not in general concerned with how controls originated

A primary objective of procedures performed to obtain an understanding of internal control is to provide the auditors with: (1) Knowledge necessary to determine the nature, timing, and extent of further audit procedures. (2) Audit evidence to use in reducing detection risk. (3) A basis for modifying tests of controls. (4) An evaluation of the consistency of applicatio

Because the auditors' purposes are for considering internal control, and to obtain the necessary knowledge to (a) assess the risks of material misstatement, and (b) to determine the nature, timing, and extent of the tests to be performed, answer (1) is correct

Corporate governance is not only concerned with the effectiveness of financial reporting

But it also encompasses 1) ethical treatment of major stakeholders 2) compliance with laws, regulations, 3) customary business practices and effective risk management

Management compares actual performance with budgets and forecasts. (CRIME)

Control activities—performance reviews

Invoices are reviewed for accuracy before they are mailed to customers. (CRIME)

Control activities—transaction processing (or application) control.

The controls over the development of significant accounting estimates include:

Control environment policies and procedures that encourage proper estimates. (2) Policies that ensure that qualified personnel are involved in developing the estimates. (1) Policies and procedures that ensure that relevant, sufficient and reliable data is considered in the development of the estimates, and the model used can produce estimates consistent with the financial reporting framework (e.g., generally accepted accounting principles). (4) Management review of sources of data, processes used to development the assumptions, changes in the methods used, and the reasonableness of assumptions and estimates. (5) Policies to ensure consideration of the need to use the work of specialists. (6)Policies to improve estimation processes by comparison of prior estimates with subsequent results.

The human resources department investigates the educational background of prospective employees. (CRIME)

Control environment—commitment to attract, develop and retain competent employees

Management has prepared and distributed an organizational chart. (CRIME)

Control environment—effective structure, reporting lines, and authority and responsibility.

Management has developed and distributed a code of conduct. (CRIME)

Control environment—integrity and ethical values

Detective

Designed to discover misstatements after they have occurred Example: Monthly bank reconciliations

When the auditors are performing a first-time internal control audit in accordance with the Sarbanes-Oxley Act and PCAOB standards, they should: (1) Modify their report for any significant deficiencies identified. (2) Use a "bottom-up" approach to identify controls to test. (3) Test controls for all significant accounts. (4) Perform a separate assessment of controls over operations.

In an audit of internal control performed under PCAOB standards the auditors must test controls for all significant accounts.

Effective internal control in a small company that has an insufficient number of employees to permit proper separation of responsibilities can be improved by: (1) Employment of temporary personnel to aid in the separation of duties. (2) Direct participation by the owner in key record-keeping and control activities of the business. (3) Engaging a CPA to perform monthly write-up work. (4) Delegation of full, clear-cut responsibility for a separate major transaction cycle to each employee.

Involvement of the owner in key control functions should be a major step toward preventing material errors or defalcations. Answer (1) would not be cost-effective. Answer (3) would provide some measure of control, but not as much as would daily participation by the owner. If it were feasible to hire additional employees, it would be cheaper to hire permanent employees rather than temporary. The need for internal control is permanent. Answer (4) would weaken, not strengthen internal control.

To have an adequate basis to issue a management report on internal control under Section 404(a) of the Sarbanes-Oxley Act, management must do all of the following, except: (1) Establish internal control with no material weakness. (2) Accept responsibility for the effectiveness of internal control. (3) Evaluate the effectiveness of internal control using suitable control criteria. (4) Support the evaluation with sufficient evidence.

Management may issue a report on internal control regardless of whether the system has a material weakness.

An entity's ongoing monitoring activities often include: (1) Periodic audits by internal auditors. (2) The audit of the annual financial statements. (3) Approval of cash disbursements. (4) Management review of weekly performance reports.

Management review of weekly performance reports is an ongoing monitoring activity that may detect errors or fraud. Answer (1) is incorrect because while periodic audits by internal audit represent a monitoring activity, they are best classified as separate evaluations, and not ongoing monitoring activities. Answer (2) is incorrect because the audit of the annual financial statements is the function of the external auditors. Answer (3) is incorrect because approvals of cash disbursements represent a control activity.

Type 1

Management's description of the system and the auditor's assessment of the suitability of the design of controls

Type 2

Management's description of the system and the auditor's assessment of the suitability of the design of controls plus assurance on the operating effectiveness of controls

The internal auditors periodically evaluate the controls in the various departments of the company (CRIME)

Monitoring—separate evaluations.

Corrective

Needed to remedy the situation uncovered by detective controls Example: Backups of master file used to reconstruct erroneous records

Foreign Corrupt Practices Act

Passed in 1977 in response to American corporation practice of paying bribes and kickbacks to officials in foreign countries to obtain business

Controls over financial reporting are often classified as preventative, detective, or corrective. Which of the following is an example of a detective control? (1) Segregation of duties over cash disbursements. (2) Requiring approval of purchase transactions. (3) Preparing bank reconciliations. (4) Maintaining backup copies of key transactions.

Preparing bank reconciliations will detect a variety of misstatements related to cash and is a detective control in the sense that it does not prevent the misstatement from occurring, but may detect it. Answers (1) and (2) are incorrect because segregating duties and requiring approvals are primarily designed to prevent misstatements. Answer (4) is incorrect because the primary purpose of keeping backup copies of key transactions (or all transactions) is prevent loss of information in the event of an information system failure.

Classification of Controls over Financial Reporting:

Preventive Detective Corrective Controls overlap

The auditors test the controls over the development of accounting estimates may include:

Review and test environment policies and procedures that communicate the need to develop proper estimates. (2) Review the documentation of the qualifications of individuals involved in developing accounting estimates. (3) Review the documentation of managements policies regarding the data considered in the development of estimates. (4) Consider the relevance and completeness of data used to develop estimates. (5) Test the control procedures over the accuracy of the data used to develop estimates. (6) Review documentation of management's consideration of the use of specialists to assist in the development of the estimates. (7) Review and test management's documentation of comparisons of prior estimates to subsequent results.

Tests of controls ordinarily are designed to provide evidence of: (1) Balance correctness. (2) Control implementation. (3) Disclosure adequacy. (4) Operating effectiveness.

Tests of controls address operating effectiveness of controls.

When a CPA decides that the work performed by internal auditors may have an effect on the nature, timing, and extent of the CPA's procedures, the CPA should consider the competence and objectivity of the internal auditors. Relative to objectivity, the CPA should: (1) Consider the organizational level to which the internal auditors report the results of their work. (2) Review the internal auditors' work. (3) Consider the qualifications of the internal audit staff. (4) Review the training program in effect for the internal audit staff.

The internal auditors' objectivity refers to their relative independence from the organizational units they have been evaluating. This may best be determined by considering the organizational level to which the internal auditors report. The other answers address the issues of the internal auditors' competence, not objectivity.

The preliminary assessments of control risk are often referred to as: (1) The assessed level of control risk. (2) The planned assessed level of control risk. (3) Control risk. (4) Internal control objectives risk.

The planned assessed level of control risk is determined during planning.

404b- Auditor

This section applies to public companies with a market capitalization of $75 million or more. For those companies, the auditors audit internal control as a part of an integrated audit. In doing so auditors: -Plan the engagement -Use a top-down approach to identify the controls to test -Test and evaluate design effectiveness of internal control -Test and evaluate operating effectiveness of internal control -Form an opinion on effectiveness of internal control over financial reporting

Types of service audit reports

Type 1 and Type 2

User auditor

Uses that report

The external auditors should consider the work of the internal auditors

as a portion of the control environment of internal control

The actual level of control risk for existence of receivables is,

as always, at an unknown level.

independent record holds the personnel of a custodial department accountable for

assets entrusted to their care

The overall auditing objective of the internal auditors is to

assist management in achieving the most efficient administration of the operations of organization

the comprehensive list of questions provides

assurance of complete coverage of significant control areas

Physical controls contribute by

assuring physical security over both records and other assets

Assuming that the general category of transaction has already been authorized by top management

at least three employees or departments should usually participate in each transaction to achieve strong internal control.

Control is more effective if the employees are

competent in performing their duties

The effectiveness of internal control depends

directly on the integrity and ethical values of the personnel responsible for creating, administering, and monitoring control of the organization.

The primary advantage of the internal control questionnaire

is that control weaknesses, including the absence of controls, are prominently identified by the "no" answers. Another advantage of the questionnaire is its simplicity

Control risk

is the actual, but unknown, level of risk pertaining to an assertion

Planned assessed level of control risk

is the level the auditors intend to use in performing the audit for a particular financial statement assertion

A management letter

is the written report to the client describing such deficiencies, along with the auditors' recommendations for corrective action.

Auditors consider internal control because

its quality has a major effect on the nature, timing, and extent of the audit procedures necessary to complete the audit

Public companies are required to

maintain effective internal control

In obtaining an understanding auditors

must consider all 5 components of internal controls (CRIME)

Auditors may forego tests of controls if they conclude that controls are so weak as to provide

no basis for assessing control risk at a level lower than the maximum.

The primary auditing objective of the external auditors is to

obtain sufficient appropriate evidence to express an opinion as to the fairness of the financial statements in accordance with generally accepted accounting principles. A secondary objective is to determine that the client recognizes the objectives

The external auditors may use the work of the internal auditors in

obtaining audit evidence, or they may use the internal auditors to provide direct assistance under direction, supervision, and review of the external auditors.

If the custodial department maintained the accounting records

opportunity would exist for that department to conceal its errors or shortages by manipulating the records

The board of directors oversees

oversees the quality of the organization's financial reporting, and acts as a deterrent to management override of controls and management fraud

Example of separate evaluations include

periodic audits by the internal auditors

Top level objective

prepare and issue reliable financial information

Separating record keeping from custody of the related assets

provides an independently maintained record that may periodically be reconciled with assets on hand

Service auditor

provides examination of service organizations controls

Performance reviews contribute to internal controls by

providing management with an overall indication of whether personnel at various levels are effectively pursuing the objectives of the organization

Segregation of duties

reduces the opportunities for any one person to both perpetuate and conceal errors or irregularities

Routine transactions

regular revenue, purchases, and cash receipts and disbursements -Have the strongest controls

Ongoing monitoring activities include

regularly performed supervisory and management activities, such as continuous monitoring of customer complaints, transactions, or reviewing the reasonableness of management reports

Section 404a

requires each annual report filed with the SEC to include a report in which management: (1) acknowledges its responsibility for establishing and maintaining adequate internal control over financial reporting (2) provides an assessment of internal control effectiveness as of the end of the most recent fiscal year.

the working paper description is

tailor-made for each engagement and thus offers flexibility in its design and application

Non-routine transactions

taking of inventory, calculating depreciation expense

Separate evaluations are monitoring activities

that are performed on a nonroutine basis, such as periodic audits by the internal auditors.

Based on the results of the tests of controls for sales, the auditors may arrive at an revised assessed level of control risk

that is either higher or lower than the level planned

The internal auditors are also a monitoring control

that serves as the eyes and ears of the audit committee of the board of directors. They help assure that management does not override other internal controls.

Even though internal control appears to be strong

the auditors are required to conduct tests of controls

During their consideration of internal control

the auditors will inevitably encounter some deficiencies that should be brought to the attention of management

To effectively exercise oversight

the board must be independent

Internal control is effected by

the board of directors, management, and other personnel

For a questionnaire, If the questions have been predetermined, as is usual, the auditors' responsibility includes

the completion of the questionnaire with yes-or-no answers, and written explanations are required only for the "no" or unfavorable answers.

An advantage of the written narrative approach in reviewing internal control is that

the description is designed to explain the precise controls applicable to each examination. A second advantage is that its preparation normally requires a penetrating analysis of the client's system

An assessment of internal control by the auditors is a prerequisite to

the determination of the nature, timing, and extent of the further audit procedures necessary to express an opinion on the financial statements

After evaluating the competence, objective, and disciplined approach of the internal auditors

the external auditors will determine the extent to which the work of the internal auditors may be used in determining the nature, timing, and extent of their testing

When internal controls are weak or absent

the losses from waste and inefficiency are apt to be far greater than losses from dishonest acts by employees.

In requiring a written description of the flow of transactions, records maintained, and the division of responsibilities, the memorandum method

the memorandum method minimizes the tendency to perform a perfunctory review.

The results of the tests of controls are used to determine

the nature, timing and extent of substantive procedures

Tests of controls are efficient auditing procedures when

the reduction in the substantive procedures that results from a lower assessed level of control risk exceeds the amount of work involved in performing the tests of controls.

A Type 2 report may provide

the user auditor with a basis for assessing control risk below the maximum

If the safeguarding of company assets were the only objective of internal control

then some basis might exist for the argument that the bonding of employees was an acceptable substitute for good internal control practices

Transaction processing controls are designed

to check the completeness, validity and authorization of transactions


Related study sets

Physics 104 Final Multiple Choice

View Set

Lesson 6: Contract Law: Pop Quiz

View Set

Genetics Chapter 12, 13, 15, 16, 17, 19

View Set

Ch 36: Management of of Patients with Musculoskeletal Disorders

View Set