auditing and assurance services tb

Chapter 06 - Internal Control in a Financial Statement Audit

Chapter 06Internal Control in a Financial Statement Audit

True / False Questions

1. The concept of internal control includes IT systems and manual systems. True False

2. The auditor must understand internal control before assessing inherent risk. True False

3. The extent of an entity's use of IT can affect any of the components of internal control. True False

4. One of the risks associated with internal control from IT is potential loss of data. True False

5. Internal control consists of six components. True False

6. Internal control includes monitoring of controls. True False

7. A reliance strategy is used when control risk has been set at the maximum level. True False

8. A substantive strategy is used when control risk has been set at the maximum level. True False

6-1


9. Once a level of control risk has been established, it cannot be changed. True False

10. Tests of controls must be performed if control risk is set below the maximum level. True False

Multiple Choice Questions

11. A primary purpose of internal controls is to A. Form a basis for evaluating employeesB. Monitor production qualityC. Avoid clerical errorsD. Meet objectives of maintaining sound documents and records and accurate financial reporting

12. Internal controls are not designed to provide reasonable assurance that A. Transactions are executed in accordance with management's authorizationB. Embezzlement will be eliminatedC. Access to assets is permitted only in accordance with management's authorizationD. Amounts recorded for assets is compared with the actual existing assets at reasonable intervals

13. The basic concept of internal control which recognizes that the cost of internal control should not exceed the benefits expected to be derived is known as A. Reasonable assuranceB. Management responsibilityC. Limited liabilityD. Management by exception

6-2


14. An auditor would most likely be concerned with internal control policies and procedures that provide reasonable assurance about the A. Efficiency of management's decision-making processB. Appropriate prices that the entity should charge for its productsC. Methods of assigning production tasks to employeesD. Entity's ability to accurately process and summarize financial data

15. Management's attitude toward aggressive financial reporting and its emphasis on meeting projected profit goals most likely would significantly influence an entity's control environment when A. External policies established by parties outside the entity affect its accounting practicesB. Management is dominated by one individualC. Internal auditors have direct access to the board of directors and the entity's managementD. The audit committee is active in overseeing the entity's financial reporting policies

16. Management philosophy and operating style most likely would have a significant influence on an entity's control environment when A. The internal auditor reports directly to managementB. Management is dominated by one individualC. Accurate management job descriptions delineate specific dutiesD. The audit committee actively oversees the financial reporting process

17. Proper monitoring within an internal control framework includes all of the following except A. An external auditorB. An effective audit committeeC. An internal audit departmentD. The internal revenue service

18. An entity's control activities include all of the following except A. Performance reviewsB. Information processingC. External auditor's tests of controlsD. Segregation of duties

6-3


19. Potential benefits of an entity's controls in an IT environment include all of the following except A. Reduction in the risk that controls will be circumventedB. More accurate accounting estimatesC. Consistent application of predefined business rulesD. More timely information

20. An entity's information system infrastructure refers to A. Hardware componentsB. ProgrammersC. SoftwareD. Data provided by the system

21. Auditors are most likely to gather audit evidence solely using substantive procedures A. If transactions are recurringB. For non-recurring, unusual transactionsC. If control risk is very lowD. If the entity has a well-designed automated system

22. Proper segregation of functional responsibilities in an effective system of internal control calls for separation of the functions of A. Authorization, execution, and paymentB. Authorization, recording, and custodyC. Custody, execution, and reportingD. Authorization, payment, and recording

23. Factors that the auditor should consider as increasing the effectiveness of the audit committee include all of the following except whether A. It is independent of managementB. It is comprised almost exclusively of members of management, ensuring detailed knowledge of the company's operationsC. It asks management difficult questionsD. It interacts regularly with internal auditors

6-4


24. The documentation of an auditor's understanding of internal controls A. Is optionalB. Must be exclusively in either narrative, questionnaire, or flowchart formC. Must include flowchartsD. Can use any combination of narratives, questionnaire, or flowcharts

25. A well-prepared flowchart should make it easier for the auditor to A. Prepare audit procedure manualsB. Prepare detailed job descriptionsC. Perform walkthroughsD. Assess the degree of accuracy of financial data

26. A flowchart is most frequently used by an auditor in connection with the A. Preparation of generalized computer audit programsB. Review of the client's internal controlsC. Use of statistical sampling in performing an auditD. Performance of analytical procedures of account balances

27. An advantage of using systems flowcharts to document information about internal control instead of using internal control questionnaires is that systems flowcharts A. Identify whether segregation of duties prevent collusionB. Provide a visual depiction of clients' activitiesC. Indicate whether controls are operating effectivelyD. Reduce the need to observe clients' employees performing routine tasks

28. Which of the following audit tests would be regarded as a test of controls? A. Tests of the specific items making up the balance in a given general ledger accountB. Tests comparing inventory pricing to vendors' invoicesC. Tests of the signatures on canceled checks to the board of director's authorizationsD. Tests of the additions to property, plant, and equipment by physical inspections

6-5


29. The independent auditor selects several transactions in each functional area and traces them through the entire system, paying special attention to evidence about whether or not the control activities are in operation. This is an example of a(n) A. Analytical procedureB. Test of controlsC. Substantive procedureD. Functional test

30. To obtain evidential matter about control risk, an auditor selects tests from a variety of techniques including A. InquiryB. Analytical proceduresC. CalculationD. Confirmation

31. Which of the following procedures most likely would provide an auditor with evidence about whether an entity's internal control is suitably designed to prevent or detect material misstatements? A. Scanning the journals produced by the internal control systemB. Performing analytical procedures using data aggregated at a high levelC. Vouching a sample of transactions directly related to the controlsD. Observing the entity's personnel applying the controls

32. Reports on service organizations typically A. Provide reasonable assurance that their financial statements are free of material misstatementsB. Ensure that the client will not have any misstatements in areas related to the service organization's activitiesC. Ensure that the client is billed correctlyD. Assess whether the service organization's controls are suitably designed to achieve internal control objectives

6-6


33. Where computer processing is used in significant accounting applications, internal control activities may be defined by classifying control activities into two types: general and A. AdministrativeB. SpecificC. ApplicationD. Authorization

34. Which of the following input controls is a numeric value computed to provide assurance that the original value has not been altered in construction or transmission? A. Hash totalB. Parity checkC. EncryptionD. Check digit

35. General controls include all of the following except A. Organizational controlsB. Data validation controlsC. Access security controlsD. Application system acquisition controls

36. A limit test is a A. Test to ensure that a numerical value does not exceed some predetermined valueB. Check to ensure that the value in a field falls within an allowable range of valuesC. Check to ensure that the data in a field have the proper arithmetic signD. Check on a field to ensure that it contains either all numeric or alphabetic characters

37. A field test is a A. Test to ensure that a numerical value in a field does not exceed some predetermined valueB. A check to ensure that the value in a field falls within an allowable range of valuesC. A check to ensure that the data in a field have the proper arithmetic signD. A check on a field to ensure that it contains either all numeric or alphabetic characters

6-7


38. An auditor's primary consideration regarding an entity's internal controls is whether the policies and procedures A. Affect the financial statement assertionsB. Prevent management overrideC. Relate to the control environmentD. Reflect management's philosophy and operating style

39. In evaluating internal control, the auditor is basically concerned that the system provides reasonable assurance that A. Operational efficiency has been achieved in accordance with management plansB. Errors and fraud have been prevented or detectedC. Controls have not been circumvented by collusionD. Management can not override the system

40. Of the following statements about an internal control system, which one is correct? A. The maintenance of the system of internal control is an important responsibility of the internal auditorB. Administrative controls relate directly to the safeguarding of assetsC. Because of the cost/benefit relationship, tests of controls may be applied on a test basis in some circumstancesD. Well designed internal control activities always prevent collusion among employees

41. The concept of reasonable assurance in the context of an entity's internal controls recognizes that A. Auditors may fail to detect material misstatementsB. Proper internal controls guarantee that material misstatements will not occurC. Proper internal controls preclude fraudD. The costs of some controls may be too high to implement in relation to potential benefits

42. An effective control environment A. Allows management to identify all relevant risksB. Creates a commitment to competenceC. Guarantees that all controls are followed as prescribedD. Requires an internal audit department

6-8


43. The control environment component of internal controls includes all of the following except A. Management's operating styleB. Access to computer programsC. Organizational structureD. Human resource policies and practices

44. Information and communication includes all of the following except A. Identifying and recording all valid transactionsB. Determining the time period in which transactions occurredC. Communicating price changes to customersD. Properly presenting transactions and related disclosures in the financial statements

45. An organizational structure is important for all of the following reasons except A. Ensuring proper monitoringB. Defining areas of authorityC. Creating clear lines of reportingD. Ensuring a proper commitment to controls

46. The risk assessment component of internal controls refers to A. The auditor's assessment of control riskB. The auditor's assessment of client riskC. The entity's identification and analysis of risks relevant to achievement of its objectivesD. The entity's monitoring of the potential for material misstatements

47. As opposed to a manual control, an automated control A. Can never be circumventedB. Should function consistently in the absence of program changesC. Need not be tested by the auditorD. Must be tested using the same techniques as a manual control

6-9


48. An IT specialist is least likely to be necessary when A. Data is shared extensively among systemsB. The entity participates heavily in electronic commerceC. The system has not changed from the prior yearD. Significant audit evidence is in electronic form

49. In planning an audit of a new client, an auditor most likely would consider the methods used to process accounting information because such methods A. Influence the design of internal controlsB. Affect the auditor's planning materiality levelsC. Assist in evaluating the planned audit assertionsD. Determine the auditor's acceptable level of audit risk

50. A substantive strategy differs from a reliance strategy in that a substantive strategy includes A. Increased implementation of detailed tests of transactions and balancesB. Extra tests of controlsC. Increased emphasis on verbal representations from managementD. Setting control risk at a minimum level

51. Which of the following statements concerning control risk is correct? A. Assessing control risk and obtaining an understanding of an entity's internal controls may be performed concurrentlyB. When control risk is at the maximum level, an auditor is required to document the basis for that assessmentC. Control risk may be assessed sufficiently low to eliminate substantive procedure for significant transaction classesD. When assessing control risk an auditor should not consider evidence obtained in prior audits about the operation of control activities

6-10


52. Assessing control risk at below the maximum most likely would involve: A. Changing the timing of substantive procedures by omitting interim testing and performing the tests at year-endB. Identifying specific internal controls relevant to specific assertionsC. Performing more extensive substantive procedures with larger sample sizes than originally plannedD. Reducing inherent risk for most of the assertions relevant to significant account balances

53. In the audit of financial statements, an auditor's primary consideration regarding an internal control policy or procedure is whether the policy or procedure A. Reflects management's philosophy and operating styleB. Affects management's financial statement assertionsC. Provides adequate safeguards over access to assetsD. Enhances management's decision-making processes

54. Which of the following most likely would not be considered an inherent limitation of the potential effectiveness of an entity's internal controls? A. Incompatible dutiesB. Management overrideC. Mistakes in judgmentD. Collusion among employees

55. It is important for the CPA to consider the competence of the audit clients' employees because their competence bears directly and importantly upon the A. Cost/benefit relationship of the system of internal controlB. Achievement of the objectives of the system of internal controlC. Comparison of recorded accountability with assetsD. Timing of the tests to be performed

6-11


56. As part of gaining an initial understanding internal control, an auditor is required to do all of the following, except: A. Consider factors that affect the risk of material misstatementB. Ascertain whether internal control policies and procedures have been placed in operationC. Identify the types of potential misstatements that can occurD. Obtain knowledge about the operating effectiveness of the internal control

57. Effective internal control in a small company that has an insufficient number of employees to permit proper division of responsibilities can best be enhanced by A. Employment of temporary personnel to aid in the separation of dutiesB. Direct participation by the owner of the business in the record-keeping activities of the businessC. Engaging a CPA to perform monthly bookkeepingD. Delegation of full, clear-cut responsibility to each employee for the functions assigned to each

58. The independent auditor should acquire an understanding of the internal audit function as it relates to the assessment of control risk because A. Internal auditors' audit programs, audit documents, and reports can eliminate the need for the independent auditor's staffB. The procedures performed by the internal audit staff may eliminate the independent auditor's need for an extensive study and evaluation of internal controlC. The work performed by internal auditors may be a factor in determining the nature, timing, and extent of the independent auditor's proceduresD. The understanding of the internal audit function is an important substantive procedure to be performed by the independent auditor

59. In obtaining an understanding of an entity's internal control in a financial statement audit of a non-public company, an auditor is not obligated to A. Determine whether the control activities have been placed in operationB. Perform procedures to understand the design of the internal control policiesC. Document the understanding of the entity's internal control componentsD. Search for significant deficiencies in the operation of the internal control

6-12


60. After completing the preliminary phase of the review of internal control, the auditor decides not to rely on the system to restrict substantive procedures. Documentation may be limited to the auditor's A. Understanding of the internal controlB. Reasons for deciding not to extend the reviewC. Basis for concluding that errors and fraud will be preventedD. Completed internal control questionnaire

61. In an audit of financial statements in accordance with generally accepted auditing standards, an auditor is required to A. Identify specific internal control activities relevant to management's financial statement assertionsB. Perform tests of controls to evaluate the effectiveness of the entity's accounting systemC. Determine whether procedures are suitably designed to prevent or detect material misstatementsD. Document the auditor's understanding of the entity's internal control

62. For a complex IT system, auditors are least likely to use which of the following when documenting their understanding of internal controls? A. NarrativesB. Internal control questionnairesC. FlowchartsD. Organization charts

63. Assessing control risk below maximum involves all of the following except A. Identifying specific controls to rely onB. Concluding that controls are ineffectiveC. Performing tests of controlsD. Analyzing the achieved level of control risk after performing tests of controls

6-13


64. When an auditor increases the planned assessed level of control risk because certain control activities were determined to be ineffective, the auditor would most likely increase the A. Extent of tests of detailsB. Level of inherent riskC. Extent of tests of controlsD. Level of detection risk

65. Which of the following procedures most likely would be included as part of an auditor's tests of controls? A. InspectionB. ReconciliationC. ConfirmationD. Analytical procedures

66. An auditor is least likely to test the internal controls that provide for A. Approval of the purchase and sale of marketable securitiesB. Classification of revenue and expense transactions by product lineC. Segregation of the functions of recording disbursements and reconciling the bank accountD. Comparison of receiving reports and vendors' invoices with purchase orders

67. For certain controls, such as segregation of duties, documentary evidence may not exist. An auditor would most likely test the procedures by A. Reperformance and corroborationB. Observation and inquiryC. Inspection and vouchingD. Confirmation and recomputation

68. Walkthroughs usually involve all of the following audit procedures except A. ReperformanceB. InquiryC. ObservationD. Inspection

6-14


69. Before applying substantive procedures to the details of accounts at an interim date (a date prior to the balance sheet date), an auditor should A. Assess control risk at the maximum for the assertions embodied in the accounts selected for interim testingB. Determine that the accounts selected for interim testing are not material to the financial statements taken as a wholeC. Consider the availability of information at a later date that will be necessary for the auditor's procedures (e.g., electronic data)D. Obtain written representations from management that all financial records and related data will be made available

70. A high detection risk strategy includes all of the following except A. Interim testingB. Reduced testing of transactionsC. Heavy reliance on analytical procedures as substantive proceduresD. Audit work only completed at year-end

71. The auditor should consider all of the following when deciding whether substantive procedures will be performed at an interim date except A. The level of control riskB. Scheduling conflicts in the audit firm that make interim testing more convenientC. Whether business conditions will change after the interim dateD. The ability to examine the remaining period

72. If auditors conduct substantive procedures as of 10/31 for an entity with a 12/31 year-end A. Additional tests are seldom conducted for the remaining periodB. Additional control tests are required in the remaining periodC. The client's controls likely are ineffectiveD. Additional tests likely will be performed in the remaining period

6-15


73. Based on a study and evaluation completed at an interim date, the auditor concludes that no significant internal control weaknesses exist. The records and procedures would most likely be tested again at year-end if A. Compliance tests were not performed by the internal auditor during the remaining periodB. The internal control system provides a basis for reliance in reducing the extent of substantive proceduresC. The auditor used nonstatistical sampling during interim compliance testingD. Inquiries and observations lead the auditor to believe that conditions within the internal control system have changed

74. Which of the following statements is correct concerning an auditor's communication of internal control related matters (significant deficiencies) noted in an audit? A. The auditor may issue a written report to the audit committee representing that no significant deficiencies were noted during the auditB. Significant deficiencies should be recommunicated each year, even if the audit committee has acknowledged its understanding of such deficienciesC. Significant deficiencies that are material weaknesses should be reported separately from other significant deficienciesD. The auditor may choose to communicate significant internal control-related matters either during the course of the audit or after the audit is concluded

75. The auditor's communication of material weaknesses in internal control for a nonpublic company is A. Required to enable the auditor to state that the examination has been made in accordance with generally accepted auditing standardsB. The principle reason for studying and evaluating the system of internal controlsC. Incidental to the auditor's objective of forming an opinion as to the fair presentation of the financial statementsD. Required to be documented in a formal written report to the board of directors or the board's audit committee

6-16


76. Significant deficiencies are matters that come to an auditor's attention that should be communicated to an entity's audit committee because they represent A. Disclosures of information that significantly contradict the auditor's going concern assumptionB. Material fraud or illegal acts perpetrated by high-level managementC. Significant design flaws in internal controls or poor implementation of internal controlsD. Manipulation or falsification of accounting records or documents from which financial statements are prepared

77. All of the following are significant deficiencies except A. Absence of appropriate reviews of transactionsB. Evidence of willful wrongdoing by lower-level employeesC. Inadequate provisions for safeguarding assetsD. Inventory is highly subject to obsolescence

78. The normal sequence of documents and operations on a well-prepared systems flowchart is A. Top to bottom and left to rightB. Bottom to top and left to rightC. Top to bottom and right to leftD. Bottom to top and right to left

79. When preparing a record of a client's internal control, the independent auditor sometimes uses a systems flowchart, which can best be described as a A. Pictorial presentation of the flow of instructions in a client's internal computer systemB. Diagram which clearly indicates an organization's internal reporting structureC. Graphic illustration of the flow of operations which is used to replace the auditor's internal control questionnaireD. Symbolic representation of a system or series of sequential processes

6-17


80. Which of the following is not a characteristic of a batch processed computer system? A. The collection of like transactions which are sorted and processed sequentially against a master fileB. Keypunching of transactions, followed by machine processingC. The production of numerous printoutsD. The posting of a transaction, as it occurs, to several files, without intermediate printouts

81. Which of the following is a general control that would most likely assist an entity whose systems analyst left the entity in the middle of a major project? A. Grandfather-father-son record retentionB. Input and output validation routinesC. Systems documentationD. Check digit verification

82. A customer intended to order 100 units of product Z96014, but incorrectly ordered nonexistent product Z96015. Which of the following controls most likely would detect this error? A. Check digit verificationB. Record countC. Hash totalD. Redundant data check

83. Assume that an auditor estimates that 10,000 checks were issued during the accounting period. If an IT application control which performs a limit check for each check request is to be subjected to the auditor's test data approach, the sample should include A. Approximately 1,000 test itemsB. A number of test items determined by the auditor to be sufficient under the circumstancesC. A number of test items determined by the auditor's reference to the appropriate sampling tablesD. One transaction

6-18


84. After obtaining an understanding of internal controls and assessing control risk of an entity, an auditor decided not to perform tests of controls for purposes of the audit. The auditor most likely decided that A. The available evidential matter obtained through tests of controls would not support an increased level of control riskB. A reduction in the assessed level of control risk is justified for certain financial statement assertionsC. It would be inefficient to perform tests of controls that would result in a reduction in planned substantive proceduresD. The assessed level of inherent risk exceeded the assessed level of control risk

85. After the auditor has prepared a flowchart of the internal controls surrounding sales and evaluated the design of the system, the auditor would perform tests of controls on all control activities A. Documented in the flowchartB. Considered to be weaknesses that might allow errors to enter the accounting systemC. That the auditor plans to rely onD. That would aid in preventing fraud

86. As the acceptable level of detection risk increases, an auditor may change the A. Assessed level of control risk from below the maximum to the maximum levelB. Assurance provided by tests of controls by using a larger sample size than plannedC. Timing of substantive procedures from year-end to an interim dateD. Nature of substantive procedures from less effective to more effective procedures

87. In a properly designed internal control system, the same employee may be permitted to A. Receive and deposit checks and also approve write-offs of customer accountsB. Approve vouchers for payment and also sign checksC. Reconcile the bank statements and also receive and deposit cashD. Sign checks and also cancel supporting documents

6-19


88. A procedure that would most likely be used by an auditor in performing tests of control activities that involve segregation of functions and that leave no transaction trail is A. InspectionB. ObservationC. ReperformanceD. Reconciliation

89. During consideration of internal control in a financial statement audit of a nonpublic company, an auditor is not obligated to A. Search for significant deficiencies in the operation of internal controlB. Understand the internal control environment and the information systemC. Determine whether the controls relevant to audit planning have been placed in operationD. Perform procedures to understand the design of internal control

90. Audit evidence concerning proper segregation of duties ordinarily is best obtained by A. Preparation of a flowchart of duties performed by available personnelB. Inquiring whether control activities operated consistently throughout the periodC. Reviewing job descriptions prepared by the Personnel DepartmentD. Direct personal observation of the employees who apply control activities

91. While substantive procedures may support the accuracy of underlying records, these tests frequently provide no affirmative evidence of segregation of duties because A. Substantive procedures rarely guarantee the accuracy of the records if only a sample of the transactions has been testedB. The records may be accurate even though they are maintained by persons having incompatible functionsC. Substantive procedures relate to the entire period under audit, but compliance tests ordinarily are confined to the period during which the auditor is on the client's premisesD. Many computerized procedures leave no audit trail of who performed them, so substantive procedures may necessarily be limited to inquiries and observation of office personnel

6-20


92. Before applying principal substantive procedures to the details of asset and liability accounts at an interim date, the auditor should A. Assess the difficulty in controlling audit risk for the remainder of the periodB. Investigate significant fluctuations that have occurred in the asset and liability accounts since the previous balance sheet dateC. Select only those accounts which can effectively be sampled during year-end audit workD. Consider the compliance tests that must be applied at the balance sheet date to extend the audit conclusions reached at the interim date

93. When communicating internal control-related matters noted in an audit of a nonpublic company, an auditor's report issued on significant deficiencies should indicate that A. Errors or fraud may occur and not be detected because there are inherent limitations in any internal control systemB. The issuance of an unqualified opinion on the financial statements may depend on corrective follow-up actionC. The deficiencies noted were not detected within a timely period by employees in the normal course of performing their assigned functionsD. The purpose of the audit was to report on the financial statements and not to provide assurance on internal control

94. The program flowcharting symbol representing a decision is a A. TriangleB. CircleC. RectangleD. Diamond

Short Answer Questions

6-21


95. Internal control has become a very important focus for publicly traded and privately-held companies alike. Internal control is intended to accomplish at least four objectives and consists of five components of internal control. List the four objectives and five components of internal control.

96. What are two potential benefits and two potential risks of using IT for an entity's internal control?

97. In terms of an audit, define substantive strategy and reliance strategy. Include in your definition how the different strategies relate to internal control. Which strategy would best relate to a lower control risk?

98. Describe the limitations of internal control. Why do limitations on internal control exist?

6-22


99. What are four potential tools available to the auditor for documenting their understanding of a client's system of internal control?

100. What are some typical types of evidence that may be collected in testing a client's internal controls?

101. Why might an auditor decide to test controls at an interim date?

102. While performing an audit on the internal controls over financial reporting for AirWaves Corporation, your audit team finds what it considers to be a significant deficiency. AirWaves is a large, private company. What steps would you take to communicate this finding?

6-23


103. Data capture occurs through source documentation, direct data entry, or a combination of the two. List three purposes of data capture controls.

104. What are the differences between document flowcharts, system flowcharts, and program flowcharts?

6-24


Chapter 06 Internal Control in a Financial Statement Audit Answer Key

True / False Questions

1. The concept of internal control includes IT systems and manual systems. TRUE

AACSB: AnalyticAICPA BB: IndustryAICPA FN: Risk AnalysisBloom's: KnowledgeDifficulty: EasyLearning Objective: 4

2. The auditor must understand internal control before assessing inherent risk. FALSE

AACSB: AnalyticAICPA BB: Critical ThinkingAICPA FN: Risk AnalysisBloom's: ApplicationDifficulty: EasyLearning Objective: 1

3. The extent of an entity's use of IT can affect any of the components of internal control. TRUE

AACSB: AnalyticAICPA BB: Leveraging TechnologyAICPA FN: Risk AnalysisBloom's: KnowledgeDifficulty: EasyLearning Objective: 4

6-25


4. One of the risks associated with internal control from IT is potential loss of data. TRUE

AACSB: AnalyticAICPA BB: Leveraging TechnologyAICPA FN: Risk AnalysisBloom's: KnowledgeDifficulty: EasyLearning Objective: 4

5. Internal control consists of six components. FALSE

AACSB: AnalyticAICPA BB: IndustryAICPA FN: Decision MakingBloom's: KnowledgeDifficulty: EasyLearning Objective: 5

6. Internal control includes monitoring of controls. TRUE

AACSB: AnalyticAICPA BB: IndustryAICPA FN: Decision MakingBloom's: KnowledgeDifficulty: EasyLearning Objective: 5

7. A reliance strategy is used when control risk has been set at the maximum level. FALSE


6-26


8. A substantive strategy is used when control risk has been set at the maximum level. TRUE


9. Once a level of control risk has been established, it cannot be changed. FALSE

AACSB: AnalyticAICPA BB: Critical ThinkingAICPA FN: Risk AnalysisBloom's: AnalysisDifficulty: EasyLearning Objective: 10

10. Tests of controls must be performed if control risk is set below the maximum level. TRUE

AACSB: AnalyticAICPA BB: Leveraging TechnologyAICPA FN: Risk AnalysisBloom's: AnalysisDifficulty: EasyLearning Objective: 10

Multiple Choice Questions

6-27


11. A primary purpose of internal controls is to A. Form a basis for evaluating employeesB. Monitor production qualityC. Avoid clerical errorsD. Meet objectives of maintaining sound documents and records and accurate financial reporting

AACSB: CommunicationsAICPA BB: Critical ThinkingAICPA FN: Risk AnalysisBloom's: KnowledgeDifficulty: EasyLearning Objective: 1Learning Objective: 2

12. Internal controls are not designed to provide reasonable assurance that A. Transactions are executed in accordance with management's authorizationB. Embezzlement will be eliminatedC. Access to assets is permitted only in accordance with management's authorizationD. Amounts recorded for assets is compared with the actual existing assets at reasonable intervals

AACSB: CommunicationsAICPA BB: IndustryAICPA FN: Risk AnalysisBloom's: ComprehensionDifficulty: EasyLearning Objective: 2

13. The basic concept of internal control which recognizes that the cost of internal control should not exceed the benefits expected to be derived is known as A. Reasonable assuranceB. Management responsibilityC. Limited liabilityD. Management by exception

AACSB: AnalyticAICPA BB: Critical ThinkingAICPA FN: Risk AnalysisBloom's: ComprehensionDifficulty: EasyLearning Objective: 2Learning Objective: 7

6-28


14. An auditor would most likely be concerned with internal control policies and procedures that provide reasonable assurance about the A. Efficiency of management's decision-making processB. Appropriate prices that the entity should charge for its productsC. Methods of assigning production tasks to employeesD. Entity's ability to accurately process and summarize financial data

AACSB: AnalyticAICPA BB: IndustryAICPA FN: Risk AnalysisBloom's: ApplicationDifficulty: EasyLearning Objective: 3Learning Objective: 7

15. Management's attitude toward aggressive financial reporting and its emphasis on meeting projected profit goals most likely would significantly influence an entity's control environment when A. External policies established by parties outside the entity affect its accounting practicesB. Management is dominated by one individualC. Internal auditors have direct access to the board of directors and the entity's managementD. The audit committee is active in overseeing the entity's financial reporting policies

AACSB: CommunicationsAICPA BB: Critical ThinkingAICPA FN: Risk AnalysisBloom's: ApplicationDifficulty: EasyLearning Objective: 5

16. Management philosophy and operating style most likely would have a significant influence on an entity's control environment when A. The internal auditor reports directly to managementB. Management is dominated by one individualC. Accurate management job descriptions delineate specific dutiesD. The audit committee actively oversees the financial reporting process

AACSB: CommunicationsAICPA BB: Critical ThinkingAICPA FN: Risk AnalysisBloom's: ApplicationDifficulty: EasyLearning Objective: 5Learning Objective: 7

6-29


17. Proper monitoring within an internal control framework includes all of the following except A. An external auditorB. An effective audit committeeC. An internal audit departmentD. The internal revenue service

AACSB: CommunicationsAICPA BB: IndustryAICPA FN: Risk AnalysisBloom's: ApplicationDifficulty: EasyLearning Objective: 5Learning Objective: 7

18. An entity's control activities include all of the following except A. Performance reviewsB. Information processingC. External auditor's tests of controlsD. Segregation of duties

AACSB: CommunicationsAICPA BB: IndustryAICPA FN: Risk AnalysisBloom's: KnowledgeDifficulty: EasyLearning Objective: 5Learning Objective: 7

19. Potential benefits of an entity's controls in an IT environment include all of the following except A. Reduction in the risk that controls will be circumventedB. More accurate accounting estimatesC. Consistent application of predefined business rulesD. More timely information

AACSB: TechnologyAICPA BB: Leveraging TechnologyAICPA FN: Leveraging TechnologyBloom's: KnowledgeDifficulty: EasyLearning Objective: 4

6-30


20. An entity's information system infrastructure refers to A. Hardware componentsB. ProgrammersC. SoftwareD. Data provided by the system

AACSB: TechnologyAICPA BB: Leveraging TechnologyAICPA FN: Leveraging TechnologyBloom's: KnowledgeDifficulty: EasyLearning Objective: 4Learning Objective: 7

21. Auditors are most likely to gather audit evidence solely using substantive procedures A. If transactions are recurringB. For non-recurring, unusual transactionsC. If control risk is very lowD. If the entity has a well-designed automated system

AACSB: AnalyticAICPA BB: Critical ThinkingAICPA FN: Decision MakingBloom's: ApplicationDifficulty: EasyLearning Objective: 11Learning Objective: 6

22. Proper segregation of functional responsibilities in an effective system of internal control calls for separation of the functions of A. Authorization, execution, and paymentB. Authorization, recording, and custodyC. Custody, execution, and reportingD. Authorization, payment, and recording

AACSB: CommunicationsAICPA BB: IndustryAICPA FN: Risk AnalysisBloom's: ApplicationDifficulty: EasyLearning Objective: 7

6-31


23. Factors that the auditor should consider as increasing the effectiveness of the audit committee include all of the following except whether A. It is independent of managementB. It is comprised almost exclusively of members of management, ensuring detailed knowledge of the company's operationsC. It asks management difficult questionsD. It interacts regularly with internal auditors

AACSB: CommunicationsAICPA BB: IndustryAICPA FN: Decision MakingBloom's: ApplicationDifficulty: EasyLearning Objective: 5

24. The documentation of an auditor's understanding of internal controls A. Is optionalB. Must be exclusively in either narrative, questionnaire, or flowchart formC. Must include flowchartsD. Can use any combination of narratives, questionnaire, or flowcharts

AACSB: CommunicationsAICPA BB: Critical ThinkingAICPA FN: ReportingBloom's: ApplicationDifficulty: EasyLearning Objective: 8

25. A well-prepared flowchart should make it easier for the auditor to A. Prepare audit procedure manualsB. Prepare detailed job descriptionsC. Perform walkthroughsD. Assess the degree of accuracy of financial data


6-32


26. A flowchart is most frequently used by an auditor in connection with the A. Preparation of generalized computer audit programsB. Review of the client's internal controlsC. Use of statistical sampling in performing an auditD. Performance of analytical procedures of account balances


27. An advantage of using systems flowcharts to document information about internal control instead of using internal control questionnaires is that systems flowcharts A. Identify whether segregation of duties prevent collusionB. Provide a visual depiction of clients' activitiesC. Indicate whether controls are operating effectivelyD. Reduce the need to observe clients' employees performing routine tasks


28. Which of the following audit tests would be regarded as a test of controls? A. Tests of the specific items making up the balance in a given general ledger accountB. Tests comparing inventory pricing to vendors' invoicesC. Tests of the signatures on canceled checks to the board of director's authorizationsD. Tests of the additions to property, plant, and equipment by physical inspections

AACSB: AnalyticAICPA BB: IndustryAICPA FN: Decision MakingBloom's: ApplicationDifficulty: EasyLearning Objective: 10

6-33


29. The independent auditor selects several transactions in each functional area and traces them through the entire system, paying special attention to evidence about whether or not the control activities are in operation. This is an example of a(n) A. Analytical procedureB. Test of controlsC. Substantive procedureD. Functional test

AACSB: AnalyticAICPA BB: IndustryAICPA FN: Decision MakingBloom's: ApplicationDifficulty: EasyLearning Objective: 10

30. To obtain evidential matter about control risk, an auditor selects tests from a variety of techniques including A. InquiryB. Analytical proceduresC. CalculationD. Confirmation

AACSB: CommunicationsAICPA BB: Critical ThinkingAICPA FN: Decision MakingBloom's: ApplicationDifficulty: EasyLearning Objective: 10

31. Which of the following procedures most likely would provide an auditor with evidence about whether an entity's internal control is suitably designed to prevent or detect material misstatements? A. Scanning the journals produced by the internal control systemB. Performing analytical procedures using data aggregated at a high levelC. Vouching a sample of transactions directly related to the controlsD. Observing the entity's personnel applying the controls

AACSB: AnalyticAICPA BB: IndustryAICPA FN: Risk AnalysisBloom's: ApplicationDifficulty: EasyLearning Objective: 10

6-34


32. Reports on service organizations typically A. Provide reasonable assurance that their financial statements are free of material misstatementsB. Ensure that the client will not have any misstatements in areas related to the service organization's activitiesC. Ensure that the client is billed correctlyD. Assess whether the service organization's controls are suitably designed to achieve internal control objectives

AACSB: CommunicationsAICPA BB: IndustryAICPA FN: ReportingBloom's: KnowledgeDifficulty: EasyLearning Objective: 13

33. Where computer processing is used in significant accounting applications, internal control activities may be defined by classifying control activities into two types: general and A. AdministrativeB. SpecificC. ApplicationD. Authorization


34. Which of the following input controls is a numeric value computed to provide assurance that the original value has not been altered in construction or transmission? A. Hash totalB. Parity checkC. EncryptionD. Check digit


6-35


35. General controls include all of the following except A. Organizational controlsB. Data validation controlsC. Access security controlsD. Application system acquisition controls


36. A limit test is a A. Test to ensure that a numerical value does not exceed some predetermined valueB. Check to ensure that the value in a field falls within an allowable range of valuesC. Check to ensure that the data in a field have the proper arithmetic signD. Check on a field to ensure that it contains either all numeric or alphabetic characters


37. A field test is a A. Test to ensure that a numerical value in a field does not exceed some predetermined valueB. A check to ensure that the value in a field falls within an allowable range of valuesC. A check to ensure that the data in a field have the proper arithmetic signD. A check on a field to ensure that it contains either all numeric or alphabetic characters


6-36


38. An auditor's primary consideration regarding an entity's internal controls is whether the policies and procedures A. Affect the financial statement assertionsB. Prevent management overrideC. Relate to the control environmentD. Reflect management's philosophy and operating style

AACSB: AnalyticAICPA BB: IndustryAICPA FN: Risk AnalysisBloom's: ApplicationDifficulty: ModerateLearning Objective: 1Learning Objective: 3

39. In evaluating internal control, the auditor is basically concerned that the system provides reasonable assurance that A. Operational efficiency has been achieved in accordance with management plansB. Errors and fraud have been prevented or detectedC. Controls have not been circumvented by collusionD. Management can not override the system

AACSB: AnalyticAICPA BB: IndustryAICPA FN: Risk AnalysisBloom's: ApplicationDifficulty: ModerateLearning Objective: 1Learning Objective: 2Learning Objective: 3

6-37


40. Of the following statements about an internal control system, which one is correct? A. The maintenance of the system of internal control is an important responsibility of the internal auditorB. Administrative controls relate directly to the safeguarding of assetsC. Because of the cost/benefit relationship, tests of controls may be applied on a test basis in some circumstancesD. Well designed internal control activities always prevent collusion among employees

AACSB: AnalyticAICPA BB: Critical ThinkingAICPA FN: Risk AnalysisBloom's: ApplicationDifficulty: ModerateLearning Objective: 2

41. The concept of reasonable assurance in the context of an entity's internal controls recognizes that A. Auditors may fail to detect material misstatementsB. Proper internal controls guarantee that material misstatements will not occurC. Proper internal controls preclude fraudD. The costs of some controls may be too high to implement in relation to potential benefits

AACSB: CommunicationsAICPA BB: Critical ThinkingAICPA FN: Risk AnalysisBloom's: ApplicationDifficulty: ModerateLearning Objective: 2Learning Objective: 7

42. An effective control environment A. Allows management to identify all relevant risksB. Creates a commitment to competenceC. Guarantees that all controls are followed as prescribedD. Requires an internal audit department

AACSB: EthicsAICPA BB: IndustryAICPA FN: Risk AnalysisBloom's: ApplicationDifficulty: ModerateLearning Objective: 5Learning Objective: 7

6-38


43. The control environment component of internal controls includes all of the following except A. Management's operating styleB. Access to computer programsC. Organizational structureD. Human resource policies and practices

AACSB: EthicsAICPA BB: IndustryAICPA FN: Risk AnalysisBloom's: KnowledgeDifficulty: ModerateLearning Objective: 5Learning Objective: 7

44. Information and communication includes all of the following except A. Identifying and recording all valid transactionsB. Determining the time period in which transactions occurredC. Communicating price changes to customersD. Properly presenting transactions and related disclosures in the financial statements

AACSB: CommunicationsAICPA BB: IndustryAICPA FN: Risk AnalysisBloom's: KnowledgeDifficulty: ModerateLearning Objective: 5Learning Objective: 7

45. An organizational structure is important for all of the following reasons except A. Ensuring proper monitoringB. Defining areas of authorityC. Creating clear lines of reportingD. Ensuring a proper commitment to controls

AACSB: CommunicationsAICPA BB: IndustryAICPA FN: Risk AnalysisBloom's: ComprehensionDifficulty: ModerateLearning Objective: 5Learning Objective: 7

6-39


46. The risk assessment component of internal controls refers to A. The auditor's assessment of control riskB. The auditor's assessment of client riskC. The entity's identification and analysis of risks relevant to achievement of its objectivesD. The entity's monitoring of the potential for material misstatements

AACSB: AnalyticAICPA BB: Critical ThinkingAICPA FN: Risk AnalysisBloom's: KnowledgeDifficulty: ModerateLearning Objective: 5Learning Objective: 7

47. As opposed to a manual control, an automated control A. Can never be circumventedB. Should function consistently in the absence of program changesC. Need not be tested by the auditorD. Must be tested using the same techniques as a manual control

AACSB: TechnologyAICPA BB: Leveraging TechnologyAICPA FN: Leveraging TechnologyBloom's: KnowledgeDifficulty: ModerateLearning Objective: 4

48. An IT specialist is least likely to be necessary when A. Data is shared extensively among systemsB. The entity participates heavily in electronic commerceC. The system has not changed from the prior yearD. Significant audit evidence is in electronic form

AACSB: TechnologyAICPA BB: Leveraging TechnologyAICPA FN: Leveraging TechnologyBloom's: ApplicationDifficulty: ModerateLearning Objective: 4Learning Objective: 7

6-40


49. In planning an audit of a new client, an auditor most likely would consider the methods used to process accounting information because such methods A. Influence the design of internal controlsB. Affect the auditor's planning materiality levelsC. Assist in evaluating the planned audit assertionsD. Determine the auditor's acceptable level of audit risk

AACSB: TechnologyAICPA BB: Leveraging TechnologyAICPA FN: Leveraging TechnologyBloom's: ApplicationDifficulty: ModerateLearning Objective: 4Learning Objective: 6Learning Objective: 7

50. A substantive strategy differs from a reliance strategy in that a substantive strategy includes A. Increased implementation of detailed tests of transactions and balancesB. Extra tests of controlsC. Increased emphasis on verbal representations from managementD. Setting control risk at a minimum level

AACSB: AnalyticAICPA BB: IndustryAICPA FN: Decision MakingBloom's: ApplicationDifficulty: ModerateLearning Objective: 6

6-41


51. Which of the following statements concerning control risk is correct? A. Assessing control risk and obtaining an understanding of an entity's internal controls may be performed concurrentlyB. When control risk is at the maximum level, an auditor is required to document the basis for that assessmentC. Control risk may be assessed sufficiently low to eliminate substantive procedure for significant transaction classesD. When assessing control risk an auditor should not consider evidence obtained in prior audits about the operation of control activities

AACSB: AnalyticAICPA BB: IndustryAICPA FN: Risk AnalysisBloom's: AnalysisDifficulty: ModerateLearning Objective: 6Learning Objective: 8Learning Objective: 9

52. Assessing control risk at below the maximum most likely would involve: A. Changing the timing of substantive procedures by omitting interim testing and performing the tests at year-endB. Identifying specific internal controls relevant to specific assertionsC. Performing more extensive substantive procedures with larger sample sizes than originally plannedD. Reducing inherent risk for most of the assertions relevant to significant account balances

AACSB: AnalyticAICPA BB: Critical ThinkingAICPA FN: Risk AnalysisBloom's: AnalysisDifficulty: ModerateLearning Objective: 11Learning Objective: 12Learning Objective: 6Learning Objective: 9

6-42


53. In the audit of financial statements, an auditor's primary consideration regarding an internal control policy or procedure is whether the policy or procedure A. Reflects management's philosophy and operating styleB. Affects management's financial statement assertionsC. Provides adequate safeguards over access to assetsD. Enhances management's decision-making processes

AACSB: AnalyticAICPA BB: Critical ThinkingAICPA FN: Decision MakingBloom's: ApplicationDifficulty: ModerateLearning Objective: 6Learning Objective: 7

54. Which of the following most likely would not be considered an inherent limitation of the potential effectiveness of an entity's internal controls? A. Incompatible dutiesB. Management overrideC. Mistakes in judgmentD. Collusion among employees

AACSB: AnalyticAICPA BB: IndustryAICPA FN: Risk AnalysisBloom's: ApplicationDifficulty: ModerateLearning Objective: 7

55. It is important for the CPA to consider the competence of the audit clients' employees because their competence bears directly and importantly upon the A. Cost/benefit relationship of the system of internal controlB. Achievement of the objectives of the system of internal controlC. Comparison of recorded accountability with assetsD. Timing of the tests to be performed

AACSB: CommunicationsAICPA BB: IndustryAICPA FN: Risk AnalysisBloom's: ComprehensionDifficulty: ModerateLearning Objective: 7

6-43


56. As part of gaining an initial understanding internal control, an auditor is required to do all of the following, except: A. Consider factors that affect the risk of material misstatementB. Ascertain whether internal control policies and procedures have been placed in operationC. Identify the types of potential misstatements that can occurD. Obtain knowledge about the operating effectiveness of the internal control

AACSB: CommunicationsAICPA BB: LegalAICPA FN: Risk AnalysisBloom's: KnowledgeDifficulty: ModerateLearning Objective: 7

57. Effective internal control in a small company that has an insufficient number of employees to permit proper division of responsibilities can best be enhanced by A. Employment of temporary personnel to aid in the separation of dutiesB. Direct participation by the owner of the business in the record-keeping activities of the businessC. Engaging a CPA to perform monthly bookkeepingD. Delegation of full, clear-cut responsibility to each employee for the functions assigned to each


6-44


58. The independent auditor should acquire an understanding of the internal audit function as it relates to the assessment of control risk because A. Internal auditors' audit programs, audit documents, and reports can eliminate the need for the independent auditor's staffB. The procedures performed by the internal audit staff may eliminate the independent auditor's need for an extensive study and evaluation of internal controlC. The work performed by internal auditors may be a factor in determining the nature, timing, and extent of the independent auditor's proceduresD. The understanding of the internal audit function is an important substantive procedure to be performed by the independent auditor

AACSB: CommunicationsAICPA BB: IndustryAICPA FN: Risk AnalysisBloom's: ComprehensionDifficulty: ModerateLearning Objective: 7Learning Objective: 9

59. In obtaining an understanding of an entity's internal control in a financial statement audit of a non-public company, an auditor is not obligated to A. Determine whether the control activities have been placed in operationB. Perform procedures to understand the design of the internal control policiesC. Document the understanding of the entity's internal control componentsD. Search for significant deficiencies in the operation of the internal control

AACSB: CommunicationsAICPA BB: LegalAICPA FN: Risk AnalysisBloom's: ApplicationDifficulty: ModerateLearning Objective: 10Learning Objective: 7Learning Objective: 8

6-45


60. After completing the preliminary phase of the review of internal control, the auditor decides not to rely on the system to restrict substantive procedures. Documentation may be limited to the auditor's A. Understanding of the internal controlB. Reasons for deciding not to extend the reviewC. Basis for concluding that errors and fraud will be preventedD. Completed internal control questionnaire

AACSB: CommunicationsAICPA BB: IndustryAICPA FN: Risk AnalysisBloom's: ApplicationDifficulty: ModerateLearning Objective: 7Learning Objective: 8

61. In an audit of financial statements in accordance with generally accepted auditing standards, an auditor is required to A. Identify specific internal control activities relevant to management's financial statement assertionsB. Perform tests of controls to evaluate the effectiveness of the entity's accounting systemC. Determine whether procedures are suitably designed to prevent or detect material misstatementsD. Document the auditor's understanding of the entity's internal control

AACSB: CommunicationsAICPA BB: LegalAICPA FN: ReportingBloom's: KnowledgeDifficulty: ModerateLearning Objective: 7Learning Objective: 8

6-46


62. For a complex IT system, auditors are least likely to use which of the following when documenting their understanding of internal controls? A. NarrativesB. Internal control questionnairesC. FlowchartsD. Organization charts

AACSB: CommunicationsAICPA BB: IndustryAICPA FN: Decision MakingBloom's: ApplicationDifficulty: ModerateLearning Objective: 8

63. Assessing control risk below maximum involves all of the following except A. Identifying specific controls to rely onB. Concluding that controls are ineffectiveC. Performing tests of controlsD. Analyzing the achieved level of control risk after performing tests of controls


64. When an auditor increases the planned assessed level of control risk because certain control activities were determined to be ineffective, the auditor would most likely increase the A. Extent of tests of detailsB. Level of inherent riskC. Extent of tests of controlsD. Level of detection risk

AACSB: AnalyticAICPA BB: Critical ThinkingAICPA FN: Risk AnalysisBloom's: AnalysisDifficulty: ModerateLearning Objective: 11Learning Objective: 9

6-47


65. Which of the following procedures most likely would be included as part of an auditor's tests of controls? A. InspectionB. ReconciliationC. ConfirmationD. Analytical procedures


66. An auditor is least likely to test the internal controls that provide for A. Approval of the purchase and sale of marketable securitiesB. Classification of revenue and expense transactions by product lineC. Segregation of the functions of recording disbursements and reconciling the bank accountD. Comparison of receiving reports and vendors' invoices with purchase orders


67. For certain controls, such as segregation of duties, documentary evidence may not exist. An auditor would most likely test the procedures by A. Reperformance and corroborationB. Observation and inquiryC. Inspection and vouchingD. Confirmation and recomputation

AACSB: CommunicationsAICPA BB: Critical ThinkingAICPA FN: Risk AnalysisBloom's: ApplicationDifficulty: ModerateLearning Objective: 10

6-48


68. Walkthroughs usually involve all of the following audit procedures except A. ReperformanceB. InquiryC. ObservationD. Inspection

AACSB: AnalyticAICPA BB: IndustryAICPA FN: Risk AnalysisBloom's: KnowledgeDifficulty: ModerateLearning Objective: 10

69. Before applying substantive procedures to the details of accounts at an interim date (a date prior to the balance sheet date), an auditor should A. Assess control risk at the maximum for the assertions embodied in the accounts selected for interim testingB. Determine that the accounts selected for interim testing are not material to the financial statements taken as a wholeC. Consider the availability of information at a later date that will be necessary for the auditor's procedures (e.g., electronic data)D. Obtain written representations from management that all financial records and related data will be made available

AACSB: AnalyticAICPA BB: Critical ThinkingAICPA FN: Risk AnalysisBloom's: ApplicationDifficulty: ModerateLearning Objective: 11Learning Objective: 12

6-49


70. A high detection risk strategy includes all of the following except A. Interim testingB. Reduced testing of transactionsC. Heavy reliance on analytical procedures as substantive proceduresD. Audit work only completed at year-end


71. The auditor should consider all of the following when deciding whether substantive procedures will be performed at an interim date except A. The level of control riskB. Scheduling conflicts in the audit firm that make interim testing more convenientC. Whether business conditions will change after the interim dateD. The ability to examine the remaining period


72. If auditors conduct substantive procedures as of 10/31 for an entity with a 12/31 year-end A. Additional tests are seldom conducted for the remaining periodB. Additional control tests are required in the remaining periodC. The client's controls likely are ineffectiveD. Additional tests likely will be performed in the remaining period

AACSB: AnalyticAICPA BB: IndustryAICPA FN: Risk AnalysisBloom's: ApplicationDifficulty: ModerateLearning Objective: 11Learning Objective: 12

6-50


73. Based on a study and evaluation completed at an interim date, the auditor concludes that no significant internal control weaknesses exist. The records and procedures would most likely be tested again at year-end if A. Compliance tests were not performed by the internal auditor during the remaining periodB. The internal control system provides a basis for reliance in reducing the extent of substantive proceduresC. The auditor used nonstatistical sampling during interim compliance testingD. Inquiries and observations lead the auditor to believe that conditions within the internal control system have changed

AACSB: AnalyticAICPA BB: IndustryAICPA FN: Risk AnalysisBloom's: AnalysisDifficulty: ModerateLearning Objective: 12

74. Which of the following statements is correct concerning an auditor's communication of internal control related matters (significant deficiencies) noted in an audit? A. The auditor may issue a written report to the audit committee representing that no significant deficiencies were noted during the auditB. Significant deficiencies should be recommunicated each year, even if the audit committee has acknowledged its understanding of such deficienciesC. Significant deficiencies that are material weaknesses should be reported separately from other significant deficienciesD. The auditor may choose to communicate significant internal control-related matters either during the course of the audit or after the audit is concluded

AACSB: CommunicationsAICPA BB: IndustryAICPA FN: ReportingBloom's: ApplicationDifficulty: ModerateLearning Objective: 14

6-51


75. The auditor's communication of material weaknesses in internal control for a nonpublic company is A. Required to enable the auditor to state that the examination has been made in accordance with generally accepted auditing standardsB. The principle reason for studying and evaluating the system of internal controlsC. Incidental to the auditor's objective of forming an opinion as to the fair presentation of the financial statementsD. Required to be documented in a formal written report to the board of directors or the board's audit committee


76. Significant deficiencies are matters that come to an auditor's attention that should be communicated to an entity's audit committee because they represent A. Disclosures of information that significantly contradict the auditor's going concern assumptionB. Material fraud or illegal acts perpetrated by high-level managementC. Significant design flaws in internal controls or poor implementation of internal controlsD. Manipulation or falsification of accounting records or documents from which financial statements are prepared


6-52


77. All of the following are significant deficiencies except A. Absence of appropriate reviews of transactionsB. Evidence of willful wrongdoing by lower-level employeesC. Inadequate provisions for safeguarding assetsD. Inventory is highly subject to obsolescence

AACSB: CommunicationsAICPA BB: IndustryAICPA FN: Decision MakingBloom's: ApplicationDifficulty: ModerateLearning Objective: 14

78. The normal sequence of documents and operations on a well-prepared systems flowchart is A. Top to bottom and left to rightB. Bottom to top and left to rightC. Top to bottom and right to leftD. Bottom to top and right to left

AACSB: CommunicationsAICPA BB: IndustryAICPA FN: Risk AnalysisBloom's: ApplicationDifficulty: ModerateLearning Objective: 16

79. When preparing a record of a client's internal control, the independent auditor sometimes uses a systems flowchart, which can best be described as a A. Pictorial presentation of the flow of instructions in a client's internal computer systemB. Diagram which clearly indicates an organization's internal reporting structureC. Graphic illustration of the flow of operations which is used to replace the auditor's internal control questionnaireD. Symbolic representation of a system or series of sequential processes

AACSB: CommunicationsAICPA BB: IndustryAICPA FN: Risk AnalysisBloom's: ApplicationDifficulty: ModerateLearning Objective: 16

6-53


80. Which of the following is not a characteristic of a batch processed computer system? A. The collection of like transactions which are sorted and processed sequentially against a master fileB. Keypunching of transactions, followed by machine processingC. The production of numerous printoutsD. The posting of a transaction, as it occurs, to several files, without intermediate printouts


81. Which of the following is a general control that would most likely assist an entity whose systems analyst left the entity in the middle of a major project? A. Grandfather-father-son record retentionB. Input and output validation routinesC. Systems documentationD. Check digit verification

AACSB: TechnologyAICPA BB: Leveraging TechnologyAICPA FN: Leveraging TechnologyBloom's: ApplicationDifficulty: ModerateLearning Objective: 15

82. A customer intended to order 100 units of product Z96014, but incorrectly ordered nonexistent product Z96015. Which of the following controls most likely would detect this error? A. Check digit verificationB. Record countC. Hash totalD. Redundant data check


6-54


83. Assume that an auditor estimates that 10,000 checks were issued during the accounting period. If an IT application control which performs a limit check for each check request is to be subjected to the auditor's test data approach, the sample should include A. Approximately 1,000 test itemsB. A number of test items determined by the auditor to be sufficient under the circumstancesC. A number of test items determined by the auditor's reference to the appropriate sampling tablesD. One transaction


84. After obtaining an understanding of internal controls and assessing control risk of an entity, an auditor decided not to perform tests of controls for purposes of the audit. The auditor most likely decided that A. The available evidential matter obtained through tests of controls would not support an increased level of control riskB. A reduction in the assessed level of control risk is justified for certain financial statement assertionsC. It would be inefficient to perform tests of controls that would result in a reduction in planned substantive proceduresD. The assessed level of inherent risk exceeded the assessed level of control risk

AACSB: AnalyticAICPA BB: IndustryAICPA FN: Risk AnalysisBloom's: AnalysisDifficulty: HardLearning Objective: 6Learning Objective: 7Learning Objective: 9

6-55


85. After the auditor has prepared a flowchart of the internal controls surrounding sales and evaluated the design of the system, the auditor would perform tests of controls on all control activities A. Documented in the flowchartB. Considered to be weaknesses that might allow errors to enter the accounting systemC. That the auditor plans to rely onD. That would aid in preventing fraud

AACSB: AnalyticAICPA BB: IndustryAICPA FN: Risk AnalysisBloom's: ApplicationDifficulty: HardLearning Objective: 6Learning Objective: 7Learning Objective: 9

86. As the acceptable level of detection risk increases, an auditor may change the A. Assessed level of control risk from below the maximum to the maximum levelB. Assurance provided by tests of controls by using a larger sample size than plannedC. Timing of substantive procedures from year-end to an interim dateD. Nature of substantive procedures from less effective to more effective procedures

AACSB: AnalyticAICPA BB: Critical ThinkingAICPA FN: Risk AnalysisBloom's: AnalysisDifficulty: HardLearning Objective: 12Learning Objective: 6Learning Objective: 9

87. In a properly designed internal control system, the same employee may be permitted to A. Receive and deposit checks and also approve write-offs of customer accountsB. Approve vouchers for payment and also sign checksC. Reconcile the bank statements and also receive and deposit cashD. Sign checks and also cancel supporting documents

AACSB: CommunicationsAICPA BB: IndustryAICPA FN: Risk AnalysisBloom's: ApplicationDifficulty: HardLearning Objective: 7

6-56


88. A procedure that would most likely be used by an auditor in performing tests of control activities that involve segregation of functions and that leave no transaction trail is A. InspectionB. ObservationC. ReperformanceD. Reconciliation

AACSB: AnalyticAICPA BB: Critical ThinkingAICPA FN: Risk AnalysisBloom's: ApplicationDifficulty: HardLearning Objective: 10Learning Objective: 7

89. During consideration of internal control in a financial statement audit of a nonpublic company, an auditor is not obligated to A. Search for significant deficiencies in the operation of internal controlB. Understand the internal control environment and the information systemC. Determine whether the controls relevant to audit planning have been placed in operationD. Perform procedures to understand the design of internal control

AACSB: CommunicationsAICPA BB: LegalAICPA FN: Risk AnalysisBloom's: ApplicationDifficulty: HardLearning Objective: 10Learning Objective: 7Learning Objective: 8

90. Audit evidence concerning proper segregation of duties ordinarily is best obtained by A. Preparation of a flowchart of duties performed by available personnelB. Inquiring whether control activities operated consistently throughout the periodC. Reviewing job descriptions prepared by the Personnel DepartmentD. Direct personal observation of the employees who apply control activities

AACSB: CommunicationsAICPA BB: IndustryAICPA FN: Risk AnalysisBloom's: ApplicationDifficulty: HardLearning Objective: 10Learning Objective: 7

6-57


91. While substantive procedures may support the accuracy of underlying records, these tests frequently provide no affirmative evidence of segregation of duties because A. Substantive procedures rarely guarantee the accuracy of the records if only a sample of the transactions has been testedB. The records may be accurate even though they are maintained by persons having incompatible functionsC. Substantive procedures relate to the entire period under audit, but compliance tests ordinarily are confined to the period during which the auditor is on the client's premisesD. Many computerized procedures leave no audit trail of who performed them, so substantive procedures may necessarily be limited to inquiries and observation of office personnel


92. Before applying principal substantive procedures to the details of asset and liability accounts at an interim date, the auditor should A. Assess the difficulty in controlling audit risk for the remainder of the periodB. Investigate significant fluctuations that have occurred in the asset and liability accounts since the previous balance sheet dateC. Select only those accounts which can effectively be sampled during year-end audit workD. Consider the compliance tests that must be applied at the balance sheet date to extend the audit conclusions reached at the interim date

AACSB: AnalyticAICPA BB: IndustryAICPA FN: Risk AnalysisBloom's: ApplicationDifficulty: HardLearning Objective: 11Learning Objective: 12

6-58


93. When communicating internal control-related matters noted in an audit of a nonpublic company, an auditor's report issued on significant deficiencies should indicate that A. Errors or fraud may occur and not be detected because there are inherent limitations in any internal control systemB. The issuance of an unqualified opinion on the financial statements may depend on corrective follow-up actionC. The deficiencies noted were not detected within a timely period by employees in the normal course of performing their assigned functionsD. The purpose of the audit was to report on the financial statements and not to provide assurance on internal control

AACSB: CommunicationsAICPA BB: LegalAICPA FN: ReportingBloom's: ApplicationDifficulty: HardLearning Objective: 14

94. The program flowcharting symbol representing a decision is a A. TriangleB. CircleC. RectangleD. Diamond


Short Answer Questions

6-59


95. Internal control has become a very important focus for publicly traded and privately-held companies alike. Internal control is intended to accomplish at least four objectives and consists of five components of internal control. List the four objectives and five components of internal control.

Objectives of internal control include reliability of financial reporting, effectiveness and efficiency of operations, compliance with applicable laws and regulations and safeguarding of assets. The five components of internal control are the control environment, the entity's risk assessment process, the information system and related business processes relevant to financial reporting and communication, control activities and monitoring of controls.

AACSB: CommunicationsAICPA BB: IndustryAICPA FN: Risk AnalysisBloom's: KnowledgeDifficulty: EasyLearning Objective: 2Learning Objective: 5

6-60


96. What are two potential benefits and two potential risks of using IT for an entity's internal control?

Student answers should include two benefits and two risks from following:Benefits Consistent application of predefined business rules and performance of complex calculations in processing large volumes of transactions or data. Enhancement of the timeliness, availability, and accuracy of information. Facilitation of additional analysis of information. Enhancement of the ability to monitor the performance of the entity's activities and its policies and procedures. Reduction in the risk that controls will be circumvented. Enhancement of the ability to achieve effective segregation of duties by implementing security controls in applications, databases, and operating systems.Risks Reliance on systems or programs that inaccurately process data, process inaccurate data, or both. Unauthorized access to data that may result in destruction of data or improper changes to data, including the recording of unauthorized or nonexistent transactions or inaccurate recording of transactions. Unauthorized changes to data in master files. Unauthorized changes to systems or programs. Failure to make necessary changes to systems or programs. Inappropriate manual intervention. Potential loss of data.


6-61


97. In terms of an audit, define substantive strategy and reliance strategy. Include in your definition how the different strategies relate to internal control. Which strategy would best relate to a lower control risk?

A substantive strategy means that the auditor has decided not to rely on the entity's controls to reduce audit risk, but rather to reduce audit risk solely by obtaining sufficient evidence from substantive procedures and procedures. The reliance strategy requires a more detailed understanding of internal control than the substantive strategy does because the auditor intends to rely on the controls. Further, tests of controls are necessary to implement the reliance strategy.A reliance strategy relates with lower control risk as the auditor would be able to rely more heavily on the controls if the control risk is lower.

AACSB: AnalyticAICPA BB: Critical ThinkingAICPA FN: Risk AnalysisBloom's: AnalysisDifficulty: EasyLearning Objective: 6

98. Describe the limitations of internal control. Why do limitations on internal control exist?

The effectiveness of any internal control system is limited by potential for any of the following: management override of internal control, personnel errors or mistakes, and collusion. Further, internal control effectiveness is limited by cost. The cost of the control system must be balanced with the related benefits.

AACSB: AnalyticAICPA BB: Critical ThinkingAICPA FN: Risk AnalysisBloom's: ComprehensionDifficulty: ModerateLearning Objective: 7

6-62


99. What are four potential tools available to the auditor for documenting their understanding of a client's system of internal control?

1. Copies of the entity's procedures manuals and organizational charts.2. A narrative description of internal control, which is often in the form of a memorandum.3. Internal control questionnaires4. Flowcharts

AACSB: CommunicationsAICPA BB: Critical ThinkingAICPA FN: Risk AnalysisBloom's: KnowledgeDifficulty: EasyLearning Objective: 8

100. What are some typical types of evidence that may be collected in testing a client's internal controls?

Applicable procedures include inquiry of appropriate entity personnel and inspection of documents, reports or electronic files indicating the performance of the control. The auditor might also observe application of the control, reperform the application of the control or perform a walkthrough. A walkthrough involves tracing a transaction from its origination to its inclusion in the financial statements through a combination of audit procedures including inquiry, observation, and inspection.

AACSB: AnalyticAICPA BB: IndustryAICPA FN: Risk AnalysisBloom's: KnowledgeDifficulty: ModerateLearning Objective: 10

6-63


101. Why might an auditor decide to test controls at an interim date?

An auditor might test controls at an interim date because the assertion being tested may be important, but not crucial to internal control, the control has been effective in prior audits or it may be more efficient to conduct the tests at that time because of less busy staff accountants and less year-end overtime. Additionally, if the controls are found not to be operating effectively, testing them at an interim date gives the auditor more time to reassess the control risk and modify the audit plan. It also gives the auditor time to inform management so that likely misstatements can be located and corrected before the rest of the audit is performed.

AACSB: AnalyticAICPA BB: IndustryAICPA FN: Risk AnalysisBloom's: ComprehensionDifficulty: EasyLearning Objective: 12

102. While performing an audit on the internal controls over financial reporting for AirWaves Corporation, your audit team finds what it considers to be a significant deficiency. AirWaves is a large, private company. What steps would you take to communicate this finding?

Auditing standards require that the auditor communicate a significant deficiency to the audit committee or to a similar level of authority when the entity does not have an audit committee. The auditor can communicate with the audit committee via writing or orally. If the communication is oral, the auditor should document the communication in the working papers.

AACSB: CommunicationsAICPA BB: LegalAICPA FN: ReportingBloom's: ApplicationDifficulty: EasyLearning Objective: 14

6-64


103. Data capture occurs through source documentation, direct data entry, or a combination of the two. List three purposes of data capture controls.

Data capture controls ensure that (1) all transactions are recorded in the application system, (2) transactions are recorded only once and (3) rejected transactions are identified, controlled, corrected, and reentered into the system.


104. What are the differences between document flowcharts, system flowcharts, and program flowcharts?

A document flowchart represents the flow of documents among departments in the entity. A systems flowchart extends this approach by including the processing steps, including computer processing, in the flowchart. A program flowchart illustrates the operations performed by the computer in executing a program.

AACSB: CommunicationsAICPA BB: IndustryAICPA FN: Risk AnalysisBloom's: KnowledgeDifficulty: ModerateLearning Objective: 16

6-65