My Auditing Exam #3 Study Cards
Which best describes the relationship among the five components of internal control in the COSO internal control framework.
Of the five components, the control environment is the broadest and deals primarily with the way management implements its attitude about internal controls. The other four components are closely related to the control environment. Risk assessment is management's identification and analysis of risks relevant to the preparation of financial statements. Management implements control activities and creates the accounting information and communication system in response to risks identified as part of its risk assessment. Finally, management monitors the quality of internal control performance by determining if controls are operating as intended and that they are modified if needed.
In the audit of a private company, the auditor will test internal controls when control risk is initially assessed at
Low or Moderate
4. A customer order was filled and shipped to a former customer, that had already filed for bankruptcy.
a. Occurrence b. Preprocessing review
The COSO internal control components include the following:
(1) Control environment, (2) risk assessment, (3) control activities, (4) information and communication, (5) monitoring
What sources are used by the auditor to gather information to assess fraud risk?
-Knowledge obtained through other procedures such as client acceptance and retention decisions, interim review of financial statements, and consideration of inherent or control risks. -Information obtained from communications among audit team members about their knowledge of the company and its industry, including how and where the company might be susceptible to material misstatements due to fraud. -Analytical procedures results obtained during planning that indicate possible implausible or unexpected analytical relationships.
Which of the following factors are included in an entity's control environment?
-participation of those charged with governance -integrity and ethical values -organizational structure
How might an auditor use technology to test the operating effectiveness of a bar code scanner based check-out system?
A. The auditor may be able to use audit software to test the accuracy of individual customer transactions and to test the summation of all customer transactions processed by cash register machine, by day, and by store. Your answer is correct. B. The auditor may use audit software to review all unit prices in the price list master file to identify unusual price amounts for further investigation (e.g., negative prices, large unit prices, etc.) Your answer is correct. C. The auditor could select a number of different products and use the bar scanning technology to process the sales amounts for comparison to the auditor's separate calculation of transaction amounts based on items processed. The auditor could perform the same kind of test using coupons and other discount programs. Your answer is correct. D. The auditor may be able to use audit software to identify the most recent date of sale by product number to identify those products that have not been sold to customers for an extended period of time to identify potentially obsolete inventory still on hand. Your answer is correct. E. The auditor may be able to use audit software to test the accuracy of the postings of daily totals to the client's general ledger system.
Various uses of generalized audit software are:
A. to compute, select, and evaluate statistical samples for audit tests. Your answer is correct. B. to print results or sequence that will facilitate an audit step. D. to include, exclude, or summarize items having specified characteristics. Your answer is correct. E. to perform or verify mathematical calculations. Your answer is correct. F. to provide subtotals and final totals. H. to compare, merge, or match the contents of two or more files. Your answer is correct. I. to produce machine-readable files in a format specified by the auditor.
When fraud factors are identified during an audit the auditor's documentation should include:
Both the risk factors identified and the auditor's response to the risk factors identified
Jefferson, CPA, has identified five significant deficiencies in internal control during the audit of Portico Industries, a nonpublic company. Two of these conditions are considered to be material weaknesses. Which best describes Jefferson's communication requirements?
Communicate all five significant deficiencies to Portico's management and those charged with governance, distinguishing between material weaknesses and significant deficiencies.
If the auditor assesses control risk as high for a transaction-related audit objective, what does that imply for detection risk and the level of substantive testing? A. In order to maintain the desired level of audit risk, the auditor will need to set an even higher level of detection risk. A higher level of detection risk in turn means more extensive substantive testing. B. In order to maintain the desired level of audit risk, the auditor will need to set a lower level of detection risk. A lower level of detection risk in turn means less extensive substantive testing. C. In order to maintain the desired level of audit risk, the auditor will need to set an even higher level of detection risk. A higher level of detection risk in turn means less extensive substantive testing. D. In order to maintain the desired level of audit risk, the auditor will need to set a lower level of detection risk. A lower level of detection risk in turn means more extensive substantive testing.
D. The auditor uses control risk assessment and results of tests of controls to determine planned detection risk and the related substantive tests for the financial statement audit.
Describe why auditors generally evaluate entity-level controls before evaluating transaction-level controls.
Entity level controls, such as the effectiveness of the board of directors' and audit committee's oversight, can have a pervasive effect on many transaction-level controls. If entity-level controls are deemed to be deficient, then there is greater likelihood that transaction-level controls may be ineffective in their design or operation. In contrast, if entity-level controls are deemed to be highly effective, the auditor may be able to place greater reliance on those controls, which may provide an opportunity to reduce testing of transaction-level controls thereby increasing the efficiency of the audit procedures.
If the auditor assesses control risk as high for a transaction-related audit objective, what does that imply for detection risk and the level of substantive testing?
In order to maintain the desired level of audit risk, the auditor will need to set a lower level of detection risk. A lower level of detection risk in turn means more extensive substantive testing.
Distinguish management's responsibility from the audit committee's responsibility for designing and implementing antifraud programs and controls within a company.
Management has primary responsibility to design and implement antifraud programs and controls to prevent, deter, and detect fraud. The audit committee has primary responsibility to oversee the organization's financial reporting and internal control processes and to provide oversight of management's fraud risk assessment process and antifraud programs and controls.
Review for reasonableness any manual journal entries made by management to adjust the computer-generated accounting records.
Manual journal entries made by management outside of the accounting information system provide an opportunity to manipulate information outside internal controls embedded in those systems. A number of frauds have occurred through "top-side adjustments." The auditor is performing this procedure to evaluate whether any of the manual journal entries suggest the presence of fraudulent financial reporting.
Understanding internal control and assessing control risk is what part of planning?
Seven
During the planning stage of an audit, the auditor initially assessed both inherent risk and control risk at a high level. Further testing of the client's internal controls led the auditor to reduce the assessment of control risk. Which of the following will most likely occur as a result?
The auditor may reduce the amount of substantive procedures performed.
In which of the following scenarios would an auditor most likely increase tests of controls?
When the client's IT system is extensively integrated throughout the company's accounting system
5. The sales manager approved the price of goods ordered by a customer, but he wrote down the wrong price.
a. Accuracy b. Preprocessing review
8. An accounts payable clerk processed payments to himself by adding a fictitious vendor address to the approved vendor master file.
a. Adequate documents and records b. Occurrence c. Require a receiving report be attached to the vendor's invoice before a payment is made and Require that payments only be made on original invoices.
2. A former computer operator, who is now a programmer, entered information for a fictitious sales return and ran it through the computer system at night. When the money came in, he took it and deposited it in his own account.
a. Occurrence b. Scheduling of computer processing
7. For a sale, a data entry operator erroneously failed to enter the information for the salesman's department. As a result, the salesman received no commission for that sale.
a. Completeness b. Conversion verification
The following are misstatements that can occur in the sales and collection cycle: a. Identify the transaction-related management assertion(s) to which the misstatement pertains. b. Identify one automated control that would have likely prevented each misstatement. (1-8) 1. A customer number on a sales invoice was transposed and, as a result, charged to the wrong customer. By the time the error was found, the original customer was no longer in business.
a. Occurrence + Accuracy b. Check digit
The auditor of a public company must also consider the impact of noted weaknesses when issuing the __________. When noted weaknesses are considered to be ____ weaknesses, whether individually or combined with other weaknesses, the ______ must be modified to reflect the presence of ____ weaknesses.
auditor's report on internal control over financial reporting; material; auditor's report; material
Before processing, the system validates the sequence of items to identify any breaks in sequence of input documents. This automated control is primarily designed to ensure the
completeness of input
As general IT controls weaken, the auditor is most likely to
expand testing of automated application controls used to reduce control risk to cover greater portions of the fiscal year under audit.
If an independent audit leading to an opinion on financial statements causes the auditor to believe that a material misstatement due to fraud exists, the auditor should first:
make the investigation necessary to determine whether fraud has actually occurred
An auditor will use the test data approach to obtain certain assurances with respect to the
procedures contained within the program.
What parts precede understanding internal control and assessing control risk?
(1) accept client and perform initial audit planning, (2) understand the client's business and industry, (3) perform preliminary analytical procedures, (4) set preliminary judgment of materiality and performance materiality, (5) identify significant risks due to fraud or error, and (6) assess inherent risk.
Which financial statement accounts are impacted by the use of these technologies in a typical grocery store?
- Inventory -Sales Returns -COGS -Revenue -Cash -Sales Discounts -Sales Tax Payable
Auditors are required to make inquiries of individuals in the company when gathering information to assess fraud risk. Identify those with whom the auditor must make inquiries.
-Auditors must make inquires of others within the entity whose duties lie outside the normal financial reporting lines of responsibility about the existence or suspicion of fraud. -Auditors must inquire whether management has knowledge of any fraud or suspected fraud within the company. -Auditors must make inquires to the company's internal auditors to determine if they have performed any procedures to identify or detect fraud during the year. -Auditors must inquire to the audit committee about its views of the risks of fraud and whether the audit committee has knowledge of any fraud or suspected fraud.
You go through the drive-through window of a fast food restaurant and notice a sign that reads "Your meal is free if we fail to give you a receipt." Why would the restaurant post this sign?
-The notice discourages the individuals operating the cash registers from theft because they must account for all sales. -The notice is designed to ensure that every customer is given a receipt and all sales are entered into the register to establish accountability for the sale.
Which of the following correctly describes an internal control component? 1. Monitoring relates to ongoing assessment by management to determine whether controls are operating as intended. 2. Information and communication systems have to do with management's analysis of risk. 3. Control activities set the tone of the organization. 4. Risk assessment relates to assessing the quality of the internal control structure over time.
1. Monitoring relates to ongoing assessment by management to determine whether controls are operating as intended.
During your audit of Wilcoxon Sports, Inc., a retail chain of stores, you learn that a programmer made an unauthorized change to the sales application program even though no work on that application had been approved by IT management. In order for the sales application program to work, the programmer had to make modifications to the operating software security features. The unauthorized change forced the sales program to calculate an automatic discount for a customer who happens to be the brother-in-law of the programmer. The customer and programmer split the savings from the unauthorized discount. The programmer modified the program and returned it to the librarian who placed it into the files for live production use. No other information was forwarded to the librarian. 1. What recommendation do you have for management of Wilcoxon Sports, Inc., to prevent this from recurring? 2. Explain why you believe the suggested internal control improvements will prevent problems in the future.
1. Wilcoxon Sports should strengthen several of its IT general controls. The fact that the programmer was able to access the current live version of the sales application program suggests that there are breakdowns in appropriate segregation of duties among IT personnel. Programmers should be restricted from access to actual software used in production. + For larger IT functions, programmers are split into subgroups with some programmers only authorized to address programming issues for application software (e.g., the sales application) while other programmers are only authorized to address programming issues for systems software, such as operating software. 2. -When the librarian only accepts revised programs for properly authorized changes, the programmer will be prevented from sneaking a changed program into live production. -If programmer functions are separated among programmers, it will require collusion among programmers to implement a change in application software that also requires modification to system software. -Extensive documentation and approvals for changes will make it more difficult for programmers to make an unauthorized change.
Which of the following situations is not an example of an inherent limitation of internal control? 1. A programming error in the design of an automated control allows an employee to give himself an unauthorized pay increase. 2. A fraud scheme whereby an employee orders personal goods and his supervisor, who is in on the scheme, signs the checks to pay for those goods. 3. Management's failure to enforce control policies surrounding access to inventory allows employees to steal assets. 4. A lack of physical controls over the safeguarding of assets allows an employee to steal company assets.
4. A lack of physical controls over the safeguarding of assets allows an employee to steal company assets.
Which of the following is least likely to suggest to an auditor that the client's management may have overridden internal control? 1. Management does not correct internal control weaknesses that it knows about. 2. There have been two new controllers this year. 3. There are numerous delays in preparing timely internal financial reports. 4. Differences are always disclosed on a computer exception report.
4. Differences are always disclosed on a computer exception report.
4. During the current year, Harris has entered into a joint venture partnership with a company that serves similar customers, but makes an entirely different product than Harris. Inquire of management about the business rationale for this transaction.
Auditing standards emphasize the importance of understanding the underlying rationale for significant unusual transactions that might be outside the normal course of business for the company for purposes of evaluating whether the transactions have been entered into to engage in fraudulent financial reporting.
What parts follow understanding internal control and assessing control risk?
Only finalizing the audit strategy and audit plan follow understanding internal control and assessing control risk.
The two components of professional skepticism are a questioning mind and a critical assessment of the audit evidence. How do these components help an auditor distinguish an unintentional misstatement from an intentional (fraudulent) misstatement?
Professional skepticism suggests the auditor should neither assume that management is dishonest, nor assume unquestioned honesty, and an auditor should remain professionally skeptical throughout the entire audit process. A questioning mind will encourage the auditor to gather more persuasive evidence to corroborate management responses which would help the auditor distinguish intentional from unintentional misstatements. Critically assessing the evidence means the auditor evaluates each piece of evidence separately, but also evaluates all of the evidence gathered as a whole.
2. Examine the estimate for the Allowance for Doubtful Accounts recorded in the prior year audited financial statements. Obtain information about receivable writeoffs recorded during the current fiscal year for receivables included in the prior year audited financial statements and obtain other information to perform a hindsight evaluation of the reasonableness of the allowance account included in the prior year audited financial statements.
The auditor is performing a "look back" evaluation of the prior year allowance to determine whether there is any evidence of bias in management's prior year estimation of potential uncollectible accounts. The auditor is evaluating the extent to which current year write-offs differed from management's prior year estimate to evaluate whether there is any evidence that management might have intentionally understated or overstated the allowance estimate.
How might each audit procedure in 1 through 5 help the auditor identify fraud risk? 1. Use audit software to examine journal entries in the sales, cash receipts, purchases, cash disbursements, payroll, and general journals for any amounts exceeding $1 million and for any entries with unusual account codings. Review related supporting documentation for reasonableness.
The auditor is using audit software to facilitate the examination of journal entries recorded in the various accounting journals. The auditor is particularly interested in examining large transactions (those greater than $1 million) and those with unusual account codings, to determine if any of these transactions suggest the possibility of fraud, including management override of controls to perpetrate fraud.
Why are the financial statement audit findings relevant to the auditor's opinion on the effectiveness of internal controls over financial reporting?
The auditor may or may not identify misstatements during the audit. If the auditor identifies material misstatements during the audit that were not prevented or detected by the client's internal controls, this would indicate a potential material weakness in internal controls. Any identified misstatements would indicate a potential control deficiency or significant deficiency.
What is the auditor's responsibility for discovering embezzlement?
The auditor must conduct the audit to detect errors and fraud, including embezzlement, that are material to the financial statements.
In general and without regard to the facts in this case, discuss the nature of generalized audit software and list the various types and uses.
The nature of generalized audit software is to provide computer programs that can process a variety of file media and record formats to perform a number of functions using computer technology. There are several types of generalized audit software packages. Usually, generalized audit software is a purchased audit software program that is Windows-based and easily operated on the auditor's desktop or laptop computer. Other generalized audit software exists that contain programs that create or generate other programs, programs that modify themselves to perform requested functions, or skeletal frameworks of programs that must be completed by the user.
Express in general terms the most important difference between the nature of the potential controls available for large and small companies.
The size of a company has a significant effect on the nature of the controls likely to exist. A small company has difficulty establishing adequate segregation of duties and justifying an internal audit staff. However, a major type of control available in a small company is the knowledge and concern of the top operating person, who is frequently an owner-manager. His or her ability to understand the entire operation of the company is potentially a significant compensating control. The owner-manager's interest in the organization and close relationship with the personnel enable him or her to evaluate the competence of the employees and the effectiveness of internal controls. While some of the five control activities are unavailable in a small company, especially adequate segregation of duties, it is still possible for a small company to have controls, some limited, in place.
What is the overarching purpose for performing all of the audit procedures?
These procedures are examples of techniques auditors employ to address the risk material misstatement due to fraud. Most of the procedures are intended to directly address the risk of management override of controls.
3. Continue to observe inventories at Harris' two main distribution centers, but for this year examine inventories at its two smaller warehouses not examined in prior years. Management does not expect you to examine those additional warehouses.
The auditor's decision to examine inventories at two of the smaller warehouses is an example of how the auditor is including an element of unpredictability in the audit strategy. Management might be familiar with audit procedures used by the auditor in prior years and thus embed a fraud in areas not typically examined by the auditor. An element of unpredictability in the audit strategy may deter management from such behavior.
What is the auditor's responsibility for obtaining an understanding of internal control? How does that responsibility differ for audits of public and nonpublic companies?
The auditor's responsibility for obtaining an understanding of internal control for a large public company, when an opinion is issued on the effectiveness of internal controls, is significantly greater than the understanding necessary when the auditor is solely expressing an opinion on the financial statements. To express an opinion on internal controls for a large public company, the auditor obtains an understanding of controls for all significant account balances, classes of transactions, and disclosures and related assertions in the financial statements. In contrast, for an audit of a nonpublic company or a smaller public company, the auditor will obtain an understanding of internal controls that are relevant to the financial statement audit in order to assess the risks of material misstatement. Thus, the level of understanding of internal controls required for the audit of internal controls exceeds the level required for an audit of only the financial statements.
4. Employees in the receiving department took sides of beef for their personal use. When a shipment of meat was received, the receiving department filled out a receiving report and forwarded it to the accounting department for the amount of goods actually received. At that time, two sides of beef were put in an employee's pickup truck rather than in the storage freezer.
a. Adequate documents and records, Physical control over assets and records, Independent checks on performance b. Occurrence c. Fence in the physical facilities and prohibit employees from parking inside the fencing and Require the accounting department to maintain perpetual inventory records and take physical counts of actual sides of beef periodically.
2. The incorrect price was used on sales invoices for billing shipments to customers because the wrong price was entered into the computer master file of prices.
a. Adequate documents and records, independent checks on performance b. Accuracy c. Changes to the computer master file of prices are reviewed when the master file is updated.
For each misstatement, a. identify one or more types of controls that were absent b. identify the transaction-related management assertions that have not been met. c. suggest a control that may have prevented or detected the misstatement. (1-8) 1. On the last day of the year, a truckload of beef was set aside for shipment but was not shipped. Because it was still on hand the inventory was counted. The shipping document was dated the last day of the year, so it was also included as a current-year sale.
a. Adequate documents and records, independent checks on performance b. Cutoff c. Carefully coordinate the physical count of inventory on the last day of the year with the recording of sales to make certain counted inventory has not been billed and billed inventory has not been counted.
5. An accounts payable clerk processed payments to himself by adding a fictitious vendor address to the approved vendor master file.
a. Adequate separation of duties b. Occurrence c. Restrict the accounts payable clerk from being able to make changes to the approved vendor master file. Only allow purchasing personnel to input changes to that master file.
6. Use audit software to search purchase transactions to identify any with nonstandard vendor numbers or with vendor names reflecting related parties.
a. Assets that were misappropriated may be concealed by recording purchase transactions using nonstandard, fictitious vendor numbers. b. AP and a related asset c. Occurrence
3. A nonexistent part number was included in the description of goods on a shipping document. Therefore, no charge was made for those goods.
a. Completeness b. Preprocessing review
8. Several remittance advices were batched together for inputting. The cash receipts clerk stopped for coffee, set them on a box, and failed to deliver them to the data input personnel.
a. Completeness + Cutoff b. Control totals reconciled to manual totals of all batches
8. Use audit software to search for journal entries posted to the sales revenue account from a nonstandard source (other than the daily sales journal).
a. Fictitious sales transactions may have been entered to increase sales revenue, possibly by management overriding internal controls. b. AR and Sales c. Occurence
6. During the physical count of inventory of the retail grocery, one counter wrote down the wrong description of several products and miscounted the quantity.
a. Independent checks on performance b. Accuracy c. Counts by qualified personnel and independent checks on performance.
4. Engage an actuarial specialist to examine management's assumptions about average length of employment and average life expectancy of retirees used in pension accounting decisions.
a. Management may have manipulated key assumptions so that expense and liability amounts would be lower. b. Pension liability and Pension expense c. Accuracy
6. A computer operator picked up a computer-based data file for sales of the wrong week and processed them through the system a second time.
a. Occurrence + Cutoff b. Cutoff procedures
7. A salesperson sold an entire carload of lamb at a price below cost because she did not know the cost of lamb had increased in the past week.
a. Proper authorization of transactions and activities b. Accuracy c. Make sure that the salesperson has a current price list and Require independent approval of all transactions, including the price, before shipment is made.
3. A vendor invoice was paid even though no merchandise was ever received. The accounts payable software application does not require the input of a valid receiving report number before payment can be made.
a. Proper authorization of transactions and activities, Adequate documents and records b. Occurrence c. Include a control in the accounts payable software that requires the input of a valid receiving report number before the software will process a payment on an accounts payable.
7. Search sales databases for missing bill of lading numbers.
a. Sales may be fictitiously recorded before any goods were shipped. b. AR and Sales c. Occurrence
3. Use audit software to create a list of all credits to the repair and maintenance expense account for follow-up testing.
a. The client may be removing expenditures from the expense account and capitalizing them instead. b. Repair and maintenance expense and FA c. Completeness and Existence
5. Send confirmations to customers for large sales transactions made in the fourth quarter of the year to obtain customer responses about terms related to the transfer of title and ability to return merchandise.
a. The client may have shipped and recorded large amounts of goods close to year end to third parties who may hold the goods on consignment or who have full rights of return. These shipments were made to record a fictitious sale and related receivable. b. AR, Inventory, Sales, and COGS c. Occurrence
2. Search the accounts receivable master file for account balances with missing or unusual customer numbers.
a. There may be fictitious accounts receivable accounts included in the master file. b. AR and sales c. Existence
For each audit procedure: a. Describe the type of fraud risk that is likely associated with the need for this audit procedure. b. Identify the related accounts likely affected by the potential fraud misstatement. c. Identify the related audit objective(s) that this procedure addresses. (1-8) 1. Use audit software to search cash disbursement master files for missing check numbers.
a. There may be unrecorded cash disbursement transactions. b. cash and either a liability, expense, or asset c. Completeness
Frank James, a highly competent employee of Brinkwater Sales Corporation, had been responsible for accounting-related matters for two decades. His devotion to the firm and his duties had always been exceptional, and over the years, he had been given increased responsibility. Both the president of Brinkwater and the partner of an independent CPA firm in charge of the audit were shocked and dismayed to discover that James had embezzled more than $500,000 over a 10-year period by not recording billings in the sales journal and subsequently diverting the cash receipts. What major factors permitted the embezzlement to take place? The most important internal control deficiency which permitted the embezzlement was:
adequate segregation of accounting for assets from custody of assets.