Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Chap005 tb-sample

17,739 views

Published on

Published in: Art & Photos, Business, Technology
  • Memory Improvement: How To Improve Your Memory In Just 30 Days, click here.. ●●● https://tinyurl.com/brainpill101
       Reply 
    Are you sure you want to  Yes  No
    Your message goes here
  • Hey Ying Sun, thanks for posting the slide which is really helpful. May you please show me how to access to the rest of other chapters for this book? Or where can I purchase it? Thank you so much.
       Reply 
    Are you sure you want to  Yes  No
    Your message goes here

Chap005 tb-sample

  1. 1. Chapter 05 - Risk Assessment: Internal Control Evaluation Chapter 05 Risk Assessment: Internal Control Evaluation Multiple Choice Questions 1. An audit team's responsibility would not include A. Designing client's internal controls. B. Documentation of understanding of a client's internal controls. C. Communicating internal control deficiencies. D. Assessing the effectiveness a client's internal controls. 2. The appropriate separation of duties does not include A. Authorization to execute transactions. B. Recording of transactions. C. Custody of assets involved in the transactions. D. Data preparation. 3. A set of characteristics that helps to define a seriousness about employees' attitudes about the control activities in a company is referred to as A. Management assertions. B. The control environment. C. Control risk assessment. D. Functional responsibilities. 4. Control activities intended to ensure that transactions are recorded in the right period are designed to achieve the ASB assertion of A. Occurrence. B. Accuracy. C. Valuation or allocation. D. Cutoff. 5-1
  2. 2. Chapter 05 - Risk Assessment: Internal Control Evaluation 5. Sound internal control can described as separating all of the following duties and responsibilities except for A. Transaction authorization. B. Recordkeeping. C. Custody of, or direct access to, assets. D. Hiring of employees. 6. After obtaining an understanding of the entity's internal control and assessing control risk, an auditor of a non public company decided not to perform additional tests of controls. The auditor most likely concluded that the A. Additional evidence to support a further reduction in control risk was not cost beneficial. B. Assessed level of inherent risk exceeded the assessed level of control risk. C. Internal control structure was properly designed and justifiably may be relied on. D. Evidence obtainable through tests of controls would not support an increased level of control risk. 7. Regardless of the assessed level of control risk, an auditor of a non public company would perform some A. Tests of controls to determine the effectiveness of internal control policies. B. Analytical procedures to verify the design of internal control activities. C. Substantive tests to restrict detection risk for significant transaction classes. D. Dual purpose tests to evaluate both the risk of monetary misstatement and preliminary control risk. 8. The "obtaining an understanding" work phase (Phase 1) of internal control evaluation would not give auditors an overall acquaintance with the client's A. Control environment. B. Information and communication system. C. Control activity effectiveness. D. Monitoring activities. 5-2
  3. 3. Chapter 05 - Risk Assessment: Internal Control Evaluation 9. Which of the following is an Information Technology General Control? A. Check digit. B. Run-to-run totals. C. Distribution of computerized output. D. Separation of duties in the IT department. 10. Control strengths and weaknesses should be documented in audit documentation, sometimes called A. Questionnaires, narratives, and flowcharts. B. Bridge working papers. C. Communications of significant deficiencies. D. Internal control letters. 11. The internal control in small business is highly dependent on the A. Separation of functional responsibilities. B. Complexity of the client's internal controls. C. Owner-manager's competence, ethics and integrity. D. Bonding of employees. 12. Which of the following is not an input control activity? A. Reasonableness tests. B. Record counts. C. Financial totals. D. Hash totals. 13. A sales clerk enters a customer's six-number customer account. The computer program uses the first five numbers to calculate a sixth number. This resulting number is then compared to the sixth number entered by the sales clerk. This is an example of a A. A valid character test. B. Missing data test. C. Reasonableness test. D. Check digit. 5-3
  4. 4. Chapter 05 - Risk Assessment: Internal Control Evaluation 14. Which of the following is the least important audit reason for the auditor's obtaining an understanding of a company's internal control? A. To serve as a basis for constructive suggestions. B. To plan subsequent substantive tests. C. To identify types of potential misstatements. D. To consider factors that affect the risk of material misstatement. 15. Tracing bills of lading to sales invoices provides evidence that A. Shipments to customers were invoiced. B. Shipments to customers were recorded as sales. C. Recorded sales were shipped. D. Invoiced sales were recorded as sales. 16. Which of the following client internal control activities is not usually performed in the treasurer's department? A. Verifying the accuracy of checks and vouchers. B. Controlling the mailing of checks to vendors. C. Approving vendors' invoices for payment. D. Canceling payment vouchers when paid. 17. Which of the following audit procedures most likely would provide an auditor with the most assurance about the effectiveness of the operation of an entity's internal control? A. Confirmation with outside parties. B. Inquiry of client personnel. C. Successful re-performance of the control procedure. D. Observation of client personnel. 18. When obtaining an understanding of an entity's internal control in a financial statement audit, an auditor is not obligated to A. Determine whether the control activities have been placed in operation. B. Perform procedures to understand the design of the internal control system. C. Document the understanding of the company's internal control system. D. Search for significant deficiencies in the operation of the internal control system. 5-4
  5. 5. Chapter 05 - Risk Assessment: Internal Control Evaluation 19. After obtaining an understanding of a client's financial reporting control activities, the auditor would next A. Test the client's control activities. B. Assess the control risk. C. Document the understanding obtained. D. Plan the remainder of the audit work. 20. If auditors assess control risk at the maximum level, they will tend to A. Perform a great deal of additional tests of controls. B. Perform a great deal of substantive testing during the audit. C. Perform substantive tests at an interim date. D. Perform more audit procedures using internal evidence. 21. The ultimate purpose of assessing control risk is to contribute to the auditor's evaluation of the A. Factors that raise doubts about the auditability of the financial statements. B. Operating effectiveness of internal control policies and procedures. C. Risk that material misstatements exist in the financial statements. D. Possibility that the nature and extent of substantive tests may be reduced. 22. When the audit team increases the planned assessed level of control risk because certain control activities were determined to be ineffective, the audit team would most likely increase the A. Extent of tests of details. B. Level of inherent risk. C. Extent of tests of controls. D. Level of detection risk. 23. In computer systems, the information technology general controls (ITGC) would not include A. Processing control activities. B. Separation of various computer system functions. C. Documentation of the data processing system. D. Control over physical access to computer hardware. 5-5
  6. 6. Chapter 05 - Risk Assessment: Internal Control Evaluation 24. When auditing financial statements of a private company, the minimum work an auditor must perform in connection with a company's internal control is best described by which of the following statements: A. Perform exhaustive tests of accounting controls and evaluate the company's control system effectiveness. B. Determine whether the company's control policies are designed well enough to prevent material errors. C. Prepare auditing working papers documenting the understanding of the company's internal control. D. Design procedures to search for significant deficiencies in the actual operation of the company's internal control. 25. Which of the following would likely be classified as a material weakness? A. Absence of appropriate separation of duties. B. Absence of appropriate reviews and approvals of transactions. C. Evidence of failure of control activities. D. Ineffective oversight of the financial reporting process by the company's audit committee. 26. If a control total were to be computed on each of the following data items, which would best be identified as a hash total for a payroll IS application? A. Hours worked. B. Total debits and total credits. C. Net pay. D. Department numbers. 5-6
  7. 7. Chapter 05 - Risk Assessment: Internal Control Evaluation 27. Generally accepted auditing standards (GAAS) give auditors considerable discretion to decide the amount of work required to satisfy auditing standards guiding internal control evaluation and related audit planning. Which of the descriptions below best expresses the minimum amount of work permitted by GAAS for nonpublic companies? A. Do not obtain an understanding of client environment, accounting, or control activities. Do not document the decision to assess control risk at maximum. Perform 100% substantive audit on all financial statement transactions and balances. B. Obtain an understanding of client environment, accounting, and control activities. Document the decision to assess control risk at maximum. Perform an extensive but not 100% substantive audit on financial statement transactions and balances. C. Obtain an understanding of client environment, accounting, and control activities, and perform detail tests of controls. Document the decision to assess control risk below the maximum. Perform restricted substantive audit on financial statement transactions and balances, considering the control risk assessment. D. Obtain an understanding of client environment, accounting, and control activities, and perform detail tests of controls. Document the decision to assess control risk at zero. Perform no substantive audit on financial statement transactions and balances, since zero control risk means that no errors or fraud can reach the accounts. 28. Proper separation of duties reduces the opportunities to allow persons to be in positions to both A. Journalize entries and prepare financial statements. B. Record cash receipts and cash disbursements. C. Establish internal controls and authorize transactions. D. Perpetuate and conceal errors and fraud. 29. In an audit of financial statements, an auditor's primary consideration regarding an internal control policy or activity is whether the policy or activity A. Reflects management's philosophy and operating style. B. Affects management's financial statement assertions. C. Provides adequate safeguards over access to assets. D. Enhances management's decision making processes. 5-7
  8. 8. Chapter 05 - Risk Assessment: Internal Control Evaluation 30. Which of the following is a step in an auditor's decision to assess control risk at below the maximum? A. Apply analytical procedures to both financial data and nonfinancial information to detect conditions that may indicate weak controls. B. Perform tests of details of transactions and account balances to identify potential errors and fraud. C. Identify specific internal control policies and activities that are likely to detect or prevent material misstatements. D. Document that the additional audit effort to perform tests of controls exceeds the potential reduction in substantive testing. 31. Which of the following is not an objective of internal controls over financial reporting as defined by the Sarbanes-Oxley Act? A. Policies and procedures that pertain to the maintenance of records that in reasonable detail accurately and fairly reflect the transactions and dispositions of the assets of the registrant. B. Policies and procedures that provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with generally accepted accounting principles, and receipts and expenditures of the registrant are being made only in accordance with authorizations of management and directors of the registrant. C. Policies and procedures that provide reasonable assurance regarding the compliance with applicable laws and regulations. D. Policies and procedures that provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use or disposition of the registrant's assets that could have a material effect on the financial statements. 32. Which of the following most likely would not be considered an inherent limitation of the potential effectiveness of an entity's internal controls? A. Incompatible duties. B. Management override. C. Mistakes in judgment. D. Collusion among employees. 5-8
  9. 9. Chapter 05 - Risk Assessment: Internal Control Evaluation 33. As part of understanding the internal control, an auditor is not required to A. Consider factors that affect the risk of material misstatement. B. Ascertain whether internal control policies and activities have been placed in operation. C. Identify the types of potential misstatements that can occur. D. Obtain knowledge about the operating effectiveness of the client's internal control activities. 34. The primary objective of procedures performed to obtain an understanding of the entity's internal control is to provide an auditor with A. Knowledge necessary for audit planning. B. Evidential matter to use in assessing inherent risk. C. A basis for modifying tests of controls. D. An evaluation of the consistency of application of management's policies. 35. The overall attitude and awareness of an entity's board of directors concerning the importance of the client's internal control usually is reflected in its A. Computer-based control activities. B. System of separation of duties. C. Control environment. D. Safeguards over access to assets. 36. After obtaining an understanding of the internal controls and assessing control risk on the audit of a non public company, an auditor decided to perform tests of controls. The auditor most likely decided that A. It would be efficient to perform tests of controls that would result in a reduction in planned substantive tests. B. Additional evidence to support a further reduction in control risk is not available. C. An increase in the assessed level of control risk is justified for certain financial statement assertions. D. There were many internal control weaknesses that could allow errors to enter the accounting system. 5-9
  10. 10. Chapter 05 - Risk Assessment: Internal Control Evaluation 37. In an audit of financial statements of a non public company in accordance with generally accepted auditing standards, an auditor is required to A. Document the auditor's understanding of the entity's internal control. B. Search for significant deficiencies in the operation of the internal controls. C. Perform tests of controls to evaluate the effectiveness of the entity's accounting system. D. Determine whether control activities are suitably designed to prevent or detect material misstatements. 38. In testing control activities, an auditor ordinarily selects from a variety of techniques, including A. Inquiry and analytical procedures. B. Reperformance and observation. C. Comparison and confirmation. D. Inspection and verification. 39. Assessing control risk at below the maximum level most likely would involve A. Performing more extensive substantive tests with larger sample sizes than originally planned. B. Reducing inherent risk for most of the assertions relevant to significant account balances. C. Changing the timing of substantive tests by omitting interim-date testing and performing the tests at year end. D. Identifying specific internal control structure policies and procedures relevant to specific assertions. 40. A report on internal control effectiveness by the management team of public companies is required by A. The Sarbanes-Oxley Act of 2002. B. The PCAOB. C. The AICPA. D. Only auditors are required to report on internal control effectiveness. 5-10
  11. 11. Chapter 05 - Risk Assessment: Internal Control Evaluation 41. Management's report on internal controls must include each of the following except A. A statement that management is responsible for establishing and maintaining adequate internal control over financial reporting. B. A statement identifying the framework management uses to evaluate the effectiveness of the company's internal control. C. A statement providing management's assessment of the effectiveness of the company's internal control. D. A statement providing management's evaluation of the company's control environment. 42. Which of the following areas can external auditors rely on internal auditors' work in auditing internal controls? A. Evaluation of the auditing environment. B. Limited documentation and testing of internal control activities. C. All testing of the operating effectiveness of internal control activities. D. As the principle evidence for the external auditors' opinion. 43. The most important fundamental component of an entity's internal control is Refer To: 05-43 A. Effectiveness and efficiency of operations. B. People who operate the control system. C. Reliability of financial reporting. D. Compliance with applicable laws and regulations. 44. The primary purpose for obtaining an understanding of a non public audit client's internal control is to Refer To: 05-43 A. Provide a basis for making constructive suggestions in a management letter. B. Determine the nature, timing, and extent of tests to be performed in the audit. C. Obtain sufficient appropriate audit evidence to afford a reasonable basis for an opinion on the financial statements under examination. D. Provide information for a communication of internal control-related matters to management. 5-11
  12. 12. Chapter 05 - Risk Assessment: Internal Control Evaluation 45. Effectiveness of audit procedures would be reduced by Refer To: 05-43 A. Selecting larger sample sizes for audit. B. Performing audit procedures at the fiscal year-end date, as opposed to the interim period. C. Deciding to obtain external evidence instead of internal evidence. D. Performing procedures during the interim period, as opposed to at the fiscal year-end date. 46. Financial totals can be used for Refer To: 05-43 A. Input controls. B. Processing controls. C. Output controls. D. All of the above. 47. Which of the following is an application control? Refer To: 05-43 A. Locked doors to the central server. B. Change controls over new programs. C. Backup controls. D. An output control department that ensures that reports go to authorized recipients. 48. Which of the following is a preventive control? Refer To: 05-43 A. A reconciliation of a bank account. B. Internal auditors recalculating a sample of payroll entries. C. Separation of duties between the payroll and personnel departments. D. Use of hash totals for the payroll input sheet. 5-12
  13. 13. Chapter 05 - Risk Assessment: Internal Control Evaluation 49. In most audits of large entities, control risk assessment contributes to audit efficiency, which means that Refer To: 05-43 A. The cost of substantive procedures will exceed the cost of control evaluation work. B. Auditors will be able to reduce the cost of substantive procedures by an amount more than the control evaluation costs. C. The cost of control evaluation work will exceed the cost of substantive procedures. D. Auditors will be able to reduce the cost of substantive procedures by an amount less than the cost of tests of controls. 50. Which of the following is a device designed to help the audit team obtain evidence about the accounting and control activities of an audit client? Refer To: 05-43 A. A narrative memorandum describing the control system. B. An internal control questionnaire. C. A flowchart of the documents and procedures used by the company. D. All of the above. 51. A bridge workpaper shows the connection between Refer To: 05-43 A. Control evaluation findings and subsequent audit procedures. B. Management objectives and accounting system procedures. C. Management objectives and entity control activities. D. Financial statement assertions and tests of controls. 52. Tests of controls in a GAAS audit are required for Refer To: 05-43 A. Obtaining evidence about the financial statement assertions. B. Accomplishing control over the occurrence of recorded transactions. C. Applying analytical procedures to financial statement balances. D. Obtaining evidence about the operating effectiveness of client control activities. 5-13
  14. 14. Chapter 05 - Risk Assessment: Internal Control Evaluation 53. A client's financial control activity is Refer To: 05-43 A. An action taken by auditors to obtain evidence. B. An action taken by client personnel for the purpose of preventing, detecting, and correcting errors and frauds in transactions to eliminate or mitigate risks identified by the company. C. A method for recording, summarizing, and reporting financial information. D. The functioning of the board of directors in support of its audit committee. 54. When planning an audit of internal controls under AS 5, the audit team should Refer To: 05-43 A. Identify significant accounts, locations, and assertions. B. Conduct a walkthrough of the internal control process. C. Make inquiries of employees regarding the existence of control activities. D. Re-perform control activities performed by client employees to determine their effectiveness. 55. A material weakness is a situation in which Refer To: 05-43 A. It is probable that an immaterial financial statement misstatement would not be detected on a timely basis B. There is a remote likelihood that a material misstatement would be detected on a timely basis. C. It is reasonably possible that a material misstatement would not be detected on a timely basis. D. It is reasonably possible that an immaterial misstatement would not be detected on a timely basis. 56. Totals of amounts in computer-recorded data fields that are not usually added but are used only for data processing control purposes are called Refer To: 05-43 A. Record totals. B. Hash totals. C. Processing data totals. D. Field totals. 5-14
  15. 15. Chapter 05 - Risk Assessment: Internal Control Evaluation 57. Which of the following does not accurately summarize auditors' requirements regarding internal control? Refer To: 05-43 A. Option A B. Option B C. Option C D. Option D 58. AS 5 requires auditors of public companies to audit internal controls over Refer To: 05-43 A. Operations. B. Compliance with regulations. C. Financial reporting. D. All of the above. 59. AS 5 requires auditors of public companies to report on: Refer To: 05-43 A. Option A B. Option B C. Option C D. Option D 5-15
  16. 16. Chapter 05 - Risk Assessment: Internal Control Evaluation 60. AS 5 requires auditors to test Refer To: 05-43 A. Operating effectiveness only. B. Design effectiveness only. C. Both operating and design effectiveness. D. Neither operating nor design effectiveness. 61. Which of the following would probably not be considered an indication of a material weakness? Refer To: 05-43 A. Evidence of a material misstatement. B. Ineffective oversight by the audit committee. C. An immaterial fraud committed by senior management. D. Overproduction by the manufacturing plant. 62. Which report would not be appropriate for a public accounting firm to provide on financial reporting controls? Refer To: 05-43 A. Unqualified—no material weaknesses found. B. Disclaimer of opinion—unable to perform all necessary procedures. C. Disclaimer of opinion—significant deficiencies exist. D. Adverse—material weaknesses exist. 63. The purpose of separating the duties of hiring personnel and distributing payroll checks is to separate the Refer To: 05-43 A. Authorization of transactions from the custody of related assets. B. Operational responsibility from the record-keeping responsibility. C. Human resources function from the controllership function. D. Administrative controls from the internal accounting controls. 5-16
  17. 17. Chapter 05 - Risk Assessment: Internal Control Evaluation 64. Which of the following statements is not true with respect to the auditors' report on internal control over financial reporting? Refer To: 05-43 A. The report will be dated as of the balance sheet date. B. The report will express an opinion on the effectiveness of internal control over financial reporting. C. If one or more material weaknesses exist, the auditor will issue an adverse opinion. D. The report may be presented with the report on the entity's financial statements as a combined report. 65. If the auditors encounter a significant scope limitation in evaluating a public company's internal control over financial reporting, which of the following types of opinions on the effectiveness of the company's internal control over financial reporting would be appropriate? Refer To: 05-43 A. Unqualified opinion or adverse opinion. B. Qualified opinion or adverse opinion. C. Unqualified opinion or disclaimer of opinion. D. Disclaimer of opinion. 66. Which of the following information would be included in the introductory paragraph of the auditors' report on internal control over financial reporting if the report is presented separately from the auditors' report on the entity's financial statements? Refer To: 05-43 A. The fact that the auditors conducted an audit of the entity's financial statements. B. The definition of a material weakness in internal control over financial reporting. C. Statements identifying the responsibility of the auditors and management for internal control over financial reporting. D. A reference to the auditors' report and opinion on the entity's financial statements. Question also found in Study Guide 5-17
  18. 18. Chapter 05 - Risk Assessment: Internal Control Evaluation 67. Which of the following is not one of COSO's objectives for internal controls? A. Efficiency and effectiveness of operations. B. Reliability of financial reporting. C. Maximization of profit. D. Compliance with applicable laws and regulations. 68. Which of the following is not one of the elements of the control environment? A. Process for recording transactions and preparing financial statements. B. Presence of an internal auditing function. C. A company's organizational structure. D. Methods of assigning authority and responsibility. 69. Which of the following would not be considered a control activity? A. Assessment of control risk B. Performance reviews C. Physical controls D. Information processing controls 70. An edit test that checks data fields to see if any are blank when they must contain data is called a A. Valid sign test. B. Missing data test. C. Limit test. D. Valid character test. 71. An action taken to prevent, detect, and correct errors and frauds in transactions is referred to as a A. Control objective. B. Risk assessment. C. Dual-purpose test. D. Control activity. 5-18
  19. 19. Chapter 05 - Risk Assessment: Internal Control Evaluation 72. Accounting for the numerical sequence of shipping documents is a control procedure designed to achieve the internal control objective of A. Validity. B. Completeness. C. Accounting. D. Accuracy. 73. Auditors obtain an understanding of the internal control through all of the following, except A. Previous experience with the company. B. Responses to inquiries directed to client personnel. C. A substantive testing audit plan. D. A "walk-through" of one or more transactions. 74. The most efficient means of gathering evidence about the internal control is to conduct a formal interview with knowledgeable managers and A. Write a narrative description of each important control. B. Prepare a flowchart illustrating the internal control. C. Prepare a well indexed file of audit documentation. D. Use an internal control questionnaire. 75. The five internal control components do not include A. Control activities. B. Risk assessment. C. Monitoring. D. Control risk. 76. A computerized accounting system would not include which of the following among the processing control activities? A. Limit and reasonableness tests. B. File and operator controls. C. Master file changes. D. Run-to-run total. 5-19
  20. 20. Chapter 05 - Risk Assessment: Internal Control Evaluation 77. Significant deficiencies are defined as conditions that A. Could adversely affect the organization's ability to initiate, record, process, and report financial data in the financial statements. B. Results in a reasonable possibility that a material misstatement exists in financial statements. C. Exists when the design or operation of a control does not allow the company's management or employees to detect or prevent misstatements in a timely fashion. D. Relates to either a necessary control that is missing or an existing control that is so poorly designed that it fails to satisfy the control's objective. 78. AS 5 requires the audit team to do all the following except A. Evaluate the severity of each control deficiency that comes to his or her attention. B. Document the process used to determine significant accounts and disclosures and major classes of transactions. C. Test all internal controls in the company. D. AS 5 requires all the above. Matching Questions 79. Below are the nine ASB management assertions. 1. Classification Match shipping documents with sales invoices before a sale is recorded. ____ 2. Occurrence Balance total of individual customers' receivables with the control account. ____ 3. Accuracy Sales manager approves taking discounts. ____ 4. Allocation or valuation Computer check for billing the quantity shipped, list price, and total. ____ 5. Completeness Account for numerical sequence of pre-numbered shipping documents. ____ 5-20
  21. 21. Chapter 05 - Risk Assessment: Internal Control Evaluation 80. For each of the descriptions below, match the correct control, A to G. 1. sequence tests Programmed tests to ensure that illogical conditions do not occur. ____ 2. limit/reasonableness tests Test that checks data fields for appropriate plus or minus. ____ 3. check digit Test that checks data fields to see if any are blank. ____ 4. missing data tests An extra number tagged on to the end of a basic identification. ____ 5. valid sign test Test that can check for missing documents in a prenumbered series. ____ True / False Questions Question also Found in Study Guide 81. The primary reason for conducting an evaluation of a company's internal control is to provide a basis for communicating significant deficiencies. True False 82. The audit task of control risk assessment involves finding out what the company does to prevent, detect, and correct errors and fraud. True False 83. The audit team is responsible for the client's internal control. True False 84. The attitudes of managers and directors are probably the most pervasive influences on the control environment. True False 5-21
  22. 22. Chapter 05 - Risk Assessment: Internal Control Evaluation 85. The most important feature of an internal control system is the people who make the system work. True False 86. A control activity is an action taken to prevent, detect, and correct errors and frauds in transactions. True False 87. The COSO report indicates that internal control should be considered a process, not an end in itself. True False 88. Auditors of public companies do not need to determine the quality of a client's internal control; they only need to know enough to plan the audit work. True False 89. The primary reason to evaluate internal control is to formulate constructive suggestions for improvement. True False 90. The most efficient means of gathering evidence about a client's internal control is to prepare a flowchart of the system. True False 91. The strengths and weaknesses of a control system should be documented in bridge working papers connecting the control evaluation to subsequent audit procedures. True False 5-22
  23. 23. Chapter 05 - Risk Assessment: Internal Control Evaluation 92. Auditors do not need to perform tests of controls audit procedures on internal control weaknesses just to prove the weaknesses actually exist. True False 93. To reduce the final control risk assessment to a low level, auditors need only to determine the required degree of compliance with the control policies and procedures. True False 94. Auditors perform tests of control activities to determine how the company's controls actually functioned during the period under audit. True False 95. Control systems generally provide absolute assurance that the objectives of internal control are satisfied. True False 96. Dual-purpose audit tests are procedures that produce both control and substantive evidence. True False 97. The key person in the internal control system of a small business is the independent auditor. True False 98. Evaluation of internal control systems on a nonpublic entity should not be subject to cost/benefit considerations. True False 5-23
  24. 24. Chapter 05 - Risk Assessment: Internal Control Evaluation 99. Tests of controls consist of procedures designed to produce evidence of how effectively the client's controls work in practice. True False 100. Auditors can stop the assessment of control risk for nonpublic entities for either effectiveness or efficiency reasons. True False 101. PCAOB Auditing Standard No. 5 only applies to public companies. True False 102. The auditor's opinion on internal control under AS 5 relates only to controls existing at the end of the year. True False 103. Auditors should begin their evaluation of internal controls over financial reporting on a bottom-up basis—starting with the account level assertion and working up to entity-level controls. True False Fill in the Blank Questions Questions also Found in Study Guide 104. _____________________________ _____________________________ are the set of policies and procedures that are designed to insure that transactions are recorded properly. ________________________________________ 5-24
  25. 25. Chapter 05 - Risk Assessment: Internal Control Evaluation 105. _____________________________ _____________________________ in internal control are matters the auditors believe should be communicated to the clients' audit committee. ________________________________________ 106. The audit team is responsible for designing an evaluation of _____________________________ internal control systems, and _____________________________ the control _____________________________ of that system. ________________________________________ 107. The COSO report identifies the objectives to be achieved by internal control as (1) effectiveness and efficiency of _____________________________, (2) reliability of _____________________________ _____________________________, and (3) compliance with _____________________________ and _____________________________. ________________________________________ 108. _____________________________ _____________________________ are specific actions taken by a client's management and employees to help ensure that management directives are carried out. ________________________________________ 109. _____________________________ _____________________________ to assets and important records, documents, and blank forms should be limited to authorized personnel only in a well controlled company. ________________________________________ 110. Internal control systems generally provide _____________________________ assurance that the objectives of internal control are satisfied. ________________________________________ 5-25
  26. 26. Chapter 05 - Risk Assessment: Internal Control Evaluation 111. In connection with control activities used in a client's internal control system, a _____________________________ _____________________________ is a tally of the number of transactions submitted at a particular time and it is used to determine whether the proper number was processed in a data conversion or computer accounting application. ________________________________________ 112. Control activities in a computerized accounting system may be classified into two types-- _____________________________ controls and _____________________________ controls. ________________________________________ 113. Significant deficiencies in internal control also include the more serious condition called a _____________________________ _____________________________. ________________________________________ 114. To reduce the control risk level to a low level, auditors must determine (1) the _____________________________ _____________________________ of company compliance with control policies, and (2) the _____________________________ _____________________________ of company compliance. ________________________________________ 115. Auditors perform _____________________________ _____________________________ _____________________________ to determine how well the company's controls actually functioned during the period under audit. ________________________________________ 116. The concept of _____________________________ _____________________________ recognizes that the cost of an entity's internal control should not exceed the benefits that are expected to be derived. ________________________________________ 5-26
  27. 27. Chapter 05 - Risk Assessment: Internal Control Evaluation 117. In gathering evidence about the client's internal control, auditors may use a (n) _____________________________ _____________________________ _____________________________, which is a checklist of internal control related questions. ________________________________________ 118. _____________________________ _____________________________ _____________________________ reduce opportunities for a person to be in a position to perpetrate and conceal errors and frauds when performing their normal duties. ________________________________________ 119. A(n) _____________________________ _____________________________ _____________________________ is a single procedure that produces both control and substantive evidence. ________________________________________ 120. A(n) _____________________________ _____________________________ is an extra number, precisely calculated, that is tagged onto the end of a basic identification number such as an employee number. ________________________________________ 121. Computerized checks to see whether data values exceed or fall below some predetermined limit are called limit or _____________________________ _____________________________. ________________________________________ 122. Techniques used to check errors in accounting data in computer based accounting systems can be categorized as _____________________________ _____________________________, _____________________________ _____________________________, and _____________________________ _____________________________. ________________________________________ 5-27
  28. 28. Chapter 05 - Risk Assessment: Internal Control Evaluation 123. A material weakness results in a _____________________________ _____________________________ that a _____________________________ _____________________________ would not be prevented or detected on a timely basis. ________________________________________ Essay Questions 124. What is the difference between an information technology general control and an information technology application control? 125. What is the difference between an internal control's design effectiveness and its operating effectiveness? 126. List several elements of a company's control environment. 5-28
  29. 29. Chapter 05 - Risk Assessment: Internal Control Evaluation 127. List and explain briefly the phases of an internal control evaluation. 128. What are some of the problems in establishing an internal control system in small business? 129. The Sunny Company is computerizing its accounting function. It would like to separate the duties of the systems analyst, programmer, and computer operator by hiring three different people for these jobs. However, they can only afford to hire two people. Required: A. Briefly describe the functions of the systems analyst, programmer, and computer operator. B. If Sunny Company can afford only two positions, which two of the three would you combine into one job? Explain. 5-29
  30. 30. Chapter 05 - Risk Assessment: Internal Control Evaluation 130. Explain the different opinions that auditors can issue for an entity's internal control over financial reporting. 131. Auditors are required to obtain a sufficient understanding of an entity's internal control. This understanding is required by the performance principle of GAAS. Required: A. What are some of the goals (purposes) for conducting an evaluation of an entity's internal control? B. What audit work is required for an auditor to assess control risk below the "maximum" level? C. Should auditors always try to obtain enough evidence to assess control risk below the "maximum" level? Explain. 132. What are the six steps auditors of public companies should use to audit internal control over financial reporting (ICOFR)? 5-30
  31. 31. Chapter 05 - Risk Assessment: Internal Control Evaluation 133. What constitutes a material weakness? 134. What is the difference between a significant deficiency and a material weakness? Question is also Found in Study Guide 5-31
  32. 32. Chapter 05 - Risk Assessment: Internal Control Evaluation 135. Each of the five cases illustrates specific control activities from a client's revenue cycle (accounts receivable/sales). For each of the procedures, (a) identify which management assertions apply, and (b) what potential category of errors and frauds can be prevented. 5-32
  33. 33. Chapter 05 - Risk Assessment: Internal Control Evaluation Chapter 05 Risk Assessment: Internal Control Evaluation Answer Key Multiple Choice Questions 1. An audit team's responsibility would not include A. Designing client's internal controls. B. Documentation of understanding of a client's internal controls. C. Communicating internal control deficiencies. D. Assessing the effectiveness a client's internal controls. Original AACSB: Analytic AICPA BB: Legal AICPA FN: Research Bloom's: Knowledge Difficulty: Medium 2. The appropriate separation of duties does not include A. Authorization to execute transactions. B. Recording of transactions. C. Custody of assets involved in the transactions. D. Data preparation. Original AACSB: Analytic AICPA BB: Legal AICPA FN: Research Bloom's: Knowledge Difficulty: Easy 5-33
  34. 34. Chapter 05 - Risk Assessment: Internal Control Evaluation 3. A set of characteristics that helps to define a seriousness about employees' attitudes about the control activities in a company is referred to as A. Management assertions. B. The control environment. C. Control risk assessment. D. Functional responsibilities. Original AACSB: Analytic AICPA BB: Legal AICPA FN: Research Bloom's: Knowledge Difficulty: Easy 4. Control activities intended to ensure that transactions are recorded in the right period are designed to achieve the ASB assertion of A. Occurrence. B. Accuracy. C. Valuation or allocation. D. Cutoff. Original AACSB: Analytic AICPA BB: Legal AICPA FN: Research Bloom's: Knowledge Difficulty: Easy 5-34
  35. 35. Chapter 05 - Risk Assessment: Internal Control Evaluation 5. Sound internal control can described as separating all of the following duties and responsibilities except for A. Transaction authorization. B. Recordkeeping. C. Custody of, or direct access to, assets. D. Hiring of employees. Original AACSB: Analytic AICPA BB: Legal AICPA FN: Research Bloom's: Knowledge Difficulty: Medium 6. After obtaining an understanding of the entity's internal control and assessing control risk, an auditor of a non public company decided not to perform additional tests of controls. The auditor most likely concluded that the A. Additional evidence to support a further reduction in control risk was not cost beneficial. B. Assessed level of inherent risk exceeded the assessed level of control risk. C. Internal control structure was properly designed and justifiably may be relied on. D. Evidence obtainable through tests of controls would not support an increased level of control risk. AICPA AACSB: Analytic AICPA BB: Resource Management AICPA FN: Risk Analysis Bloom's: Application Difficulty: Hard 5-35
  36. 36. Chapter 05 - Risk Assessment: Internal Control Evaluation 7. Regardless of the assessed level of control risk, an auditor of a non public company would perform some A. Tests of controls to determine the effectiveness of internal control policies. B. Analytical procedures to verify the design of internal control activities. C. Substantive tests to restrict detection risk for significant transaction classes. D. Dual purpose tests to evaluate both the risk of monetary misstatement and preliminary control risk. AICPA AACSB: Analytic AICPA BB: Legal AICPA FN: Risk Analysis Bloom's: Knowledge Difficulty: Hard 8. The "obtaining an understanding" work phase (Phase 1) of internal control evaluation would not give auditors an overall acquaintance with the client's A. Control environment. B. Information and communication system. C. Control activity effectiveness. D. Monitoring activities. Original AACSB: Analytic AICPA BB: Legal AICPA FN: Research Bloom's: Knowledge Difficulty: Medium 5-36
  37. 37. Chapter 05 - Risk Assessment: Internal Control Evaluation 9. Which of the following is an Information Technology General Control? A. Check digit. B. Run-to-run totals. C. Distribution of computerized output. D. Separation of duties in the IT department. Original AACSB: Technology AICPA BB: Leveraging Technology AICPA FN: Leveraging Technology Bloom's: Knowledge Difficulty: Easy 10. Control strengths and weaknesses should be documented in audit documentation, sometimes called A. Questionnaires, narratives, and flowcharts. B. Bridge working papers. C. Communications of significant deficiencies. D. Internal control letters. Original AACSB: Analytic AICPA BB: Legal AICPA FN: Research Bloom's: Knowledge Difficulty: Medium 11. The internal control in small business is highly dependent on the A. Separation of functional responsibilities. B. Complexity of the client's internal controls. C. Owner-manager's competence, ethics and integrity. D. Bonding of employees. Original AACSB: Analytic AICPA BB: Legal AICPA FN: Risk Analysis Bloom's: Knowledge Difficulty: Medium 5-37
  38. 38. Chapter 05 - Risk Assessment: Internal Control Evaluation 12. Which of the following is not an input control activity? A. Reasonableness tests. B. Record counts. C. Financial totals. D. Hash totals. Original AACSB: Technology AICPA BB: Leveraging Technology AICPA FN: Leveraging Technology Bloom's: Knowledge Difficulty: Medium 13. A sales clerk enters a customer's six-number customer account. The computer program uses the first five numbers to calculate a sixth number. This resulting number is then compared to the sixth number entered by the sales clerk. This is an example of a A. A valid character test. B. Missing data test. C. Reasonableness test. D. Check digit. Original AACSB: Technology AICPA BB: Leveraging Technology AICPA FN: Leveraging Technology Bloom's: Knowledge Difficulty: Medium 5-38
  39. 39. Chapter 05 - Risk Assessment: Internal Control Evaluation 14. Which of the following is the least important audit reason for the auditor's obtaining an understanding of a company's internal control? A. To serve as a basis for constructive suggestions. B. To plan subsequent substantive tests. C. To identify types of potential misstatements. D. To consider factors that affect the risk of material misstatement. Original AACSB: Analytic AICPA BB: Legal AICPA FN: Risk Analysis Bloom's: Comprehension Difficulty: Medium 15. Tracing bills of lading to sales invoices provides evidence that A. Shipments to customers were invoiced. B. Shipments to customers were recorded as sales. C. Recorded sales were shipped. D. Invoiced sales were recorded as sales. Original AACSB: Analytic AICPA BB: Critical Thinking AICPA FN: Decision Making Bloom's: Knowledge Difficulty: Medium 5-39
  40. 40. Chapter 05 - Risk Assessment: Internal Control Evaluation 16. Which of the following client internal control activities is not usually performed in the treasurer's department? A. Verifying the accuracy of checks and vouchers. B. Controlling the mailing of checks to vendors. C. Approving vendors' invoices for payment. D. Canceling payment vouchers when paid. Original AACSB: Analytic AICPA BB: Legal AICPA FN: Research Bloom's: Application Difficulty: Medium 17. Which of the following audit procedures most likely would provide an auditor with the most assurance about the effectiveness of the operation of an entity's internal control? A. Confirmation with outside parties. B. Inquiry of client personnel. C. Successful re-performance of the control procedure. D. Observation of client personnel. Original AACSB: Analytic AICPA BB: Legal AICPA FN: Research Bloom's: Knowledge Difficulty: Medium 5-40
  41. 41. Chapter 05 - Risk Assessment: Internal Control Evaluation 18. When obtaining an understanding of an entity's internal control in a financial statement audit, an auditor is not obligated to A. Determine whether the control activities have been placed in operation. B. Perform procedures to understand the design of the internal control system. C. Document the understanding of the company's internal control system. D. Search for significant deficiencies in the operation of the internal control system. Original AACSB: Analytic AICPA BB: Legal AICPA FN: Research Bloom's: Knowledge Difficulty: Medium 19. After obtaining an understanding of a client's financial reporting control activities, the auditor would next A. Test the client's control activities. B. Assess the control risk. C. Document the understanding obtained. D. Plan the remainder of the audit work. Original AACSB: Analytic AICPA BB: Legal AICPA FN: Research Bloom's: Knowledge Difficulty: Easy 5-41
  42. 42. Chapter 05 - Risk Assessment: Internal Control Evaluation 20. If auditors assess control risk at the maximum level, they will tend to A. Perform a great deal of additional tests of controls. B. Perform a great deal of substantive testing during the audit. C. Perform substantive tests at an interim date. D. Perform more audit procedures using internal evidence. Original AACSB: Analytic AICPA BB: Legal AICPA FN: Risk Analysis Bloom's: Application Difficulty: Easy 21. The ultimate purpose of assessing control risk is to contribute to the auditor's evaluation of the A. Factors that raise doubts about the auditability of the financial statements. B. Operating effectiveness of internal control policies and procedures. C. Risk that material misstatements exist in the financial statements. D. Possibility that the nature and extent of substantive tests may be reduced. AICPA AACSB: Analytic AICPA BB: Legal AICPA FN: Risk Analysis Bloom's: Knowledge Difficulty: Medium 5-42
  43. 43. Chapter 05 - Risk Assessment: Internal Control Evaluation 22. When the audit team increases the planned assessed level of control risk because certain control activities were determined to be ineffective, the audit team would most likely increase the A. Extent of tests of details. B. Level of inherent risk. C. Extent of tests of controls. D. Level of detection risk. AICPA AACSB: Analytic AICPA BB: Legal AICPA FN: Risk Analysis Bloom's: Application Difficulty: Medium 23. In computer systems, the information technology general controls (ITGC) would not include A. Processing control activities. B. Separation of various computer system functions. C. Documentation of the data processing system. D. Control over physical access to computer hardware. Original AACSB: Technology AICPA BB: Leveraging Technology AICPA FN: Leveraging Technology Bloom's: Knowledge Difficulty: Medium 5-43
  44. 44. Chapter 05 - Risk Assessment: Internal Control Evaluation 24. When auditing financial statements of a private company, the minimum work an auditor must perform in connection with a company's internal control is best described by which of the following statements: A. Perform exhaustive tests of accounting controls and evaluate the company's control system effectiveness. B. Determine whether the company's control policies are designed well enough to prevent material errors. C. Prepare auditing working papers documenting the understanding of the company's internal control. D. Design procedures to search for significant deficiencies in the actual operation of the company's internal control. AICPA AACSB: Analytic AICPA BB: Legal AICPA FN: Research Bloom's: Knowledge Difficulty: Hard 25. Which of the following would likely be classified as a material weakness? A. Absence of appropriate separation of duties. B. Absence of appropriate reviews and approvals of transactions. C. Evidence of failure of control activities. D. Ineffective oversight of the financial reporting process by the company's audit committee. Original AACSB: Analytic AICPA BB: Legal AICPA FN: Risk Analysis Bloom's: Application Difficulty: Hard 5-44
  45. 45. Chapter 05 - Risk Assessment: Internal Control Evaluation 26. If a control total were to be computed on each of the following data items, which would best be identified as a hash total for a payroll IS application? A. Hours worked. B. Total debits and total credits. C. Net pay. D. Department numbers. AICPA AACSB: Technology AICPA BB: Leveraging Technology AICPA FN: Leveraging Technology Bloom's: Knowledge Difficulty: Medium 27. Generally accepted auditing standards (GAAS) give auditors considerable discretion to decide the amount of work required to satisfy auditing standards guiding internal control evaluation and related audit planning. Which of the descriptions below best expresses the minimum amount of work permitted by GAAS for nonpublic companies? A. Do not obtain an understanding of client environment, accounting, or control activities. Do not document the decision to assess control risk at maximum. Perform 100% substantive audit on all financial statement transactions and balances. B. Obtain an understanding of client environment, accounting, and control activities. Document the decision to assess control risk at maximum. Perform an extensive but not 100% substantive audit on financial statement transactions and balances. C. Obtain an understanding of client environment, accounting, and control activities, and perform detail tests of controls. Document the decision to assess control risk below the maximum. Perform restricted substantive audit on financial statement transactions and balances, considering the control risk assessment. D. Obtain an understanding of client environment, accounting, and control activities, and perform detail tests of controls. Document the decision to assess control risk at zero. Perform no substantive audit on financial statement transactions and balances, since zero control risk means that no errors or fraud can reach the accounts. Original AACSB: Analytic AICPA BB: Legal AICPA FN: Risk Analysis Bloom's: Application Difficulty: Medium 5-45
  46. 46. Chapter 05 - Risk Assessment: Internal Control Evaluation 28. Proper separation of duties reduces the opportunities to allow persons to be in positions to both A. Journalize entries and prepare financial statements. B. Record cash receipts and cash disbursements. C. Establish internal controls and authorize transactions. D. Perpetuate and conceal errors and fraud. AICPA AACSB: Analytic AICPA BB: Legal AICPA FN: Research Bloom's: Knowledge Difficulty: Medium 29. In an audit of financial statements, an auditor's primary consideration regarding an internal control policy or activity is whether the policy or activity A. Reflects management's philosophy and operating style. B. Affects management's financial statement assertions. C. Provides adequate safeguards over access to assets. D. Enhances management's decision making processes. AICPA AACSB: Analytic AICPA BB: Legal AICPA FN: Research Bloom's: Knowledge Difficulty: Hard 5-46
  47. 47. Chapter 05 - Risk Assessment: Internal Control Evaluation 30. Which of the following is a step in an auditor's decision to assess control risk at below the maximum? A. Apply analytical procedures to both financial data and nonfinancial information to detect conditions that may indicate weak controls. B. Perform tests of details of transactions and account balances to identify potential errors and fraud. C. Identify specific internal control policies and activities that are likely to detect or prevent material misstatements. D. Document that the additional audit effort to perform tests of controls exceeds the potential reduction in substantive testing. AICPA AACSB: Analytic AICPA BB: Legal AICPA FN: Risk Analysis Bloom's: Knowledge Difficulty: Hard 31. Which of the following is not an objective of internal controls over financial reporting as defined by the Sarbanes-Oxley Act? A. Policies and procedures that pertain to the maintenance of records that in reasonable detail accurately and fairly reflect the transactions and dispositions of the assets of the registrant. B. Policies and procedures that provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with generally accepted accounting principles, and receipts and expenditures of the registrant are being made only in accordance with authorizations of management and directors of the registrant. C. Policies and procedures that provide reasonable assurance regarding the compliance with applicable laws and regulations. D. Policies and procedures that provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use or disposition of the registrant's assets that could have a material effect on the financial statements. AICPA AACSB: Analytic AICPA BB: Legal AICPA FN: Research Bloom's: Knowledge Difficulty: Medium 5-47
  48. 48. Chapter 05 - Risk Assessment: Internal Control Evaluation 32. Which of the following most likely would not be considered an inherent limitation of the potential effectiveness of an entity's internal controls? A. Incompatible duties. B. Management override. C. Mistakes in judgment. D. Collusion among employees. AICPA AACSB: Analytic AICPA BB: Legal AICPA FN: Research Bloom's: Comprehension Difficulty: Hard 33. As part of understanding the internal control, an auditor is not required to A. Consider factors that affect the risk of material misstatement. B. Ascertain whether internal control policies and activities have been placed in operation. C. Identify the types of potential misstatements that can occur. D. Obtain knowledge about the operating effectiveness of the client's internal control activities. AICPA AACSB: Analytic AICPA BB: Legal AICPA FN: Research Bloom's: Knowledge Difficulty: Medium 5-48
  49. 49. Chapter 05 - Risk Assessment: Internal Control Evaluation 34. The primary objective of procedures performed to obtain an understanding of the entity's internal control is to provide an auditor with A. Knowledge necessary for audit planning. B. Evidential matter to use in assessing inherent risk. C. A basis for modifying tests of controls. D. An evaluation of the consistency of application of management's policies. AICPA AACSB: Analytic AICPA BB: Legal AICPA FN: Research Bloom's: Knowledge Difficulty: Medium 35. The overall attitude and awareness of an entity's board of directors concerning the importance of the client's internal control usually is reflected in its A. Computer-based control activities. B. System of separation of duties. C. Control environment. D. Safeguards over access to assets. AICPA AACSB: Analytic AICPA BB: Legal AICPA FN: Research Bloom's: Knowledge Difficulty: Easy 5-49
  50. 50. Chapter 05 - Risk Assessment: Internal Control Evaluation 36. After obtaining an understanding of the internal controls and assessing control risk on the audit of a non public company, an auditor decided to perform tests of controls. The auditor most likely decided that A. It would be efficient to perform tests of controls that would result in a reduction in planned substantive tests. B. Additional evidence to support a further reduction in control risk is not available. C. An increase in the assessed level of control risk is justified for certain financial statement assertions. D. There were many internal control weaknesses that could allow errors to enter the accounting system. AICPA AACSB: Analytic AICPA BB: Critical Thinking AICPA FN: Risk Analysis Bloom's: Application Difficulty: Medium 37. In an audit of financial statements of a non public company in accordance with generally accepted auditing standards, an auditor is required to A. Document the auditor's understanding of the entity's internal control. B. Search for significant deficiencies in the operation of the internal controls. C. Perform tests of controls to evaluate the effectiveness of the entity's accounting system. D. Determine whether control activities are suitably designed to prevent or detect material misstatements. AICPA AACSB: Analytic AICPA BB: Legal AICPA FN: Research Bloom's: Knowledge Difficulty: Medium 5-50
  51. 51. Chapter 05 - Risk Assessment: Internal Control Evaluation 38. In testing control activities, an auditor ordinarily selects from a variety of techniques, including A. Inquiry and analytical procedures. B. Reperformance and observation. C. Comparison and confirmation. D. Inspection and verification. Original AACSB: Analytic AICPA BB: Legal AICPA FN: Research Bloom's: Knowledge Difficulty: Medium 39. Assessing control risk at below the maximum level most likely would involve A. Performing more extensive substantive tests with larger sample sizes than originally planned. B. Reducing inherent risk for most of the assertions relevant to significant account balances. C. Changing the timing of substantive tests by omitting interim-date testing and performing the tests at year end. D. Identifying specific internal control structure policies and procedures relevant to specific assertions. AICPA AACSB: Analytic AICPA BB: Critical Thinking AICPA FN: Risk Analysis Bloom's: Comprehension Difficulty: Hard 5-51
  52. 52. Chapter 05 - Risk Assessment: Internal Control Evaluation 40. A report on internal control effectiveness by the management team of public companies is required by A. The Sarbanes-Oxley Act of 2002. B. The PCAOB. C. The AICPA. D. Only auditors are required to report on internal control effectiveness. Original AACSB: Analytic AICPA BB: Legal AICPA FN: Research Bloom's: Knowledge Difficulty: Medium 41. Management's report on internal controls must include each of the following except A. A statement that management is responsible for establishing and maintaining adequate internal control over financial reporting. B. A statement identifying the framework management uses to evaluate the effectiveness of the company's internal control. C. A statement providing management's assessment of the effectiveness of the company's internal control. D. A statement providing management's evaluation of the company's control environment. Original AACSB: Analytic AICPA BB: Legal AICPA FN: Research Bloom's: Communication Difficulty: Medium 5-52
  53. 53. Chapter 05 - Risk Assessment: Internal Control Evaluation 42. Which of the following areas can external auditors rely on internal auditors' work in auditing internal controls? A. Evaluation of the auditing environment. B. Limited documentation and testing of internal control activities. C. All testing of the operating effectiveness of internal control activities. D. As the principle evidence for the external auditors' opinion. Original AACSB: Analytic AICPA BB: Legal AICPA FN: Research Bloom's: Application Difficulty: Medium 43. The most important fundamental component of an entity's internal control is Refer To: 05-43 A. Effectiveness and efficiency of operations. B. People who operate the control system. C. Reliability of financial reporting. D. Compliance with applicable laws and regulations. Original AACSB: Analytic AICPA BB: Legal AICPA FN: Research Bloom's: Knowledge Difficulty: Easy 5-53
  54. 54. Chapter 05 - Risk Assessment: Internal Control Evaluation 44. The primary purpose for obtaining an understanding of a non public audit client's internal control is to Refer To: 05-43 A. Provide a basis for making constructive suggestions in a management letter. B. Determine the nature, timing, and extent of tests to be performed in the audit. C. Obtain sufficient appropriate audit evidence to afford a reasonable basis for an opinion on the financial statements under examination. D. Provide information for a communication of internal control-related matters to management. Original AACSB: Analytic AICPA BB: Legal AICPA FN: Research Bloom's: Knowledge Difficulty: Medium 45. Effectiveness of audit procedures would be reduced by Refer To: 05-43 A. Selecting larger sample sizes for audit. B. Performing audit procedures at the fiscal year-end date, as opposed to the interim period. C. Deciding to obtain external evidence instead of internal evidence. D. Performing procedures during the interim period, as opposed to at the fiscal year-end date. Original AACSB: Analytic AICPA BB: Legal AICPA FN: Research Bloom's: Application Difficulty: Easy 5-54
  55. 55. Chapter 05 - Risk Assessment: Internal Control Evaluation 46. Financial totals can be used for Refer To: 05-43 A. Input controls. B. Processing controls. C. Output controls. D. All of the above. Original AACSB: Technology AICPA BB: Leveraging Technology AICPA FN: Leveraging Technology Bloom's: Knowledge Difficulty: Medium 47. Which of the following is an application control? Refer To: 05-43 A. Locked doors to the central server. B. Change controls over new programs. C. Backup controls. D. An output control department that ensures that reports go to authorized recipients. Original AACSB: Technology AICPA BB: Leveraging Technology AICPA FN: Leveraging Technology Bloom's: Application Difficulty: Medium 5-55
  56. 56. Chapter 05 - Risk Assessment: Internal Control Evaluation 48. Which of the following is a preventive control? Refer To: 05-43 A. A reconciliation of a bank account. B. Internal auditors recalculating a sample of payroll entries. C. Separation of duties between the payroll and personnel departments. D. Use of hash totals for the payroll input sheet. Original AACSB: Analytic AICPA BB: Legal AICPA FN: Research Bloom's: Knowledge Difficulty: Easy 49. In most audits of large entities, control risk assessment contributes to audit efficiency, which means that Refer To: 05-43 A. The cost of substantive procedures will exceed the cost of control evaluation work. B. Auditors will be able to reduce the cost of substantive procedures by an amount more than the control evaluation costs. C. The cost of control evaluation work will exceed the cost of substantive procedures. D. Auditors will be able to reduce the cost of substantive procedures by an amount less than the cost of tests of controls. Original AACSB: Analytic AICPA BB: Resource Management AICPA FN: Risk Analysis Bloom's: Application Difficulty: Medium 5-56
  57. 57. Chapter 05 - Risk Assessment: Internal Control Evaluation 50. Which of the following is a device designed to help the audit team obtain evidence about the accounting and control activities of an audit client? Refer To: 05-43 A. A narrative memorandum describing the control system. B. An internal control questionnaire. C. A flowchart of the documents and procedures used by the company. D. All of the above. Original AACSB: Analytic AICPA BB: Legal AICPA FN: Risk Analysis Bloom's: Knowledge Difficulty: Easy 51. A bridge workpaper shows the connection between Refer To: 05-43 A. Control evaluation findings and subsequent audit procedures. B. Management objectives and accounting system procedures. C. Management objectives and entity control activities. D. Financial statement assertions and tests of controls. Original AACSB: Analytic AICPA BB: Legal AICPA FN: Risk Analysis Bloom's: Knowledge Difficulty: Medium 5-57
  58. 58. Chapter 05 - Risk Assessment: Internal Control Evaluation 52. Tests of controls in a GAAS audit are required for Refer To: 05-43 A. Obtaining evidence about the financial statement assertions. B. Accomplishing control over the occurrence of recorded transactions. C. Applying analytical procedures to financial statement balances. D. Obtaining evidence about the operating effectiveness of client control activities. Original AACSB: Analytic AICPA BB: Legal AICPA FN: Research Bloom's: Knowledge Difficulty: Easy 53. A client's financial control activity is Refer To: 05-43 A. An action taken by auditors to obtain evidence. B. An action taken by client personnel for the purpose of preventing, detecting, and correcting errors and frauds in transactions to eliminate or mitigate risks identified by the company. C. A method for recording, summarizing, and reporting financial information. D. The functioning of the board of directors in support of its audit committee. Original AACSB: Analytic AICPA BB: Legal AICPA FN: Research Bloom's: Knowledge Difficulty: Medium 5-58
  59. 59. Chapter 05 - Risk Assessment: Internal Control Evaluation 54. When planning an audit of internal controls under AS 5, the audit team should Refer To: 05-43 A. Identify significant accounts, locations, and assertions. B. Conduct a walkthrough of the internal control process. C. Make inquiries of employees regarding the existence of control activities. D. Re-perform control activities performed by client employees to determine their effectiveness. Original AACSB: Analytic AICPA BB: Legal AICPA FN: Research Bloom's: Knowledge Difficulty: Medium 55. A material weakness is a situation in which Refer To: 05-43 A. It is probable that an immaterial financial statement misstatement would not be detected on a timely basis B. There is a remote likelihood that a material misstatement would be detected on a timely basis. C. It is reasonably possible that a material misstatement would not be detected on a timely basis. D. It is reasonably possible that an immaterial misstatement would not be detected on a timely basis. Original AACSB: Analytic AICPA BB: Legal AICPA FN: Risk Analysis Bloom's: Knowledge Difficulty: Medium 5-59
  60. 60. Chapter 05 - Risk Assessment: Internal Control Evaluation 56. Totals of amounts in computer-recorded data fields that are not usually added but are used only for data processing control purposes are called Refer To: 05-43 A. Record totals. B. Hash totals. C. Processing data totals. D. Field totals. Original AACSB: Technology AICPA BB: Leveraging Technology AICPA FN: Leveraging Technology Bloom's: Knowledge Difficulty: Hard 57. Which of the following does not accurately summarize auditors' requirements regarding internal control? Refer To: 05-43 A. Option A B. Option B C. Option C D. Option D Original AACSB: Analytic AICPA BB: Legal AICPA FN: Research Bloom's: Knowledge Difficulty: Hard 5-60
  61. 61. Chapter 05 - Risk Assessment: Internal Control Evaluation 58. AS 5 requires auditors of public companies to audit internal controls over Refer To: 05-43 A. Operations. B. Compliance with regulations. C. Financial reporting. D. All of the above. Original AACSB: Analytic AICPA BB: Legal AICPA FN: Research Bloom's: Knowledge Difficulty: Easy 59. AS 5 requires auditors of public companies to report on: Refer To: 05-43 A. Option A B. Option B C. Option C D. Option D Original AACSB: Communication AICPA BB: Legal AICPA FN: Research Bloom's: Knowledge Difficulty: Medium 5-61
  62. 62. Chapter 05 - Risk Assessment: Internal Control Evaluation 60. AS 5 requires auditors to test Refer To: 05-43 A. Operating effectiveness only. B. Design effectiveness only. C. Both operating and design effectiveness. D. Neither operating nor design effectiveness. Original AACSB: Analytic AICPA BB: Legal AICPA FN: Research Bloom's: Knowledge Difficulty: Easy 61. Which of the following would probably not be considered an indication of a material weakness? Refer To: 05-43 A. Evidence of a material misstatement. B. Ineffective oversight by the audit committee. C. An immaterial fraud committed by senior management. D. Overproduction by the manufacturing plant. Original AACSB: Analytic AICPA BB: Legal AICPA FN: Risk Analysis Bloom's: Comprehension Difficulty: Medium 5-62
  63. 63. Chapter 05 - Risk Assessment: Internal Control Evaluation 62. Which report would not be appropriate for a public accounting firm to provide on financial reporting controls? Refer To: 05-43 A. Unqualified—no material weaknesses found. B. Disclaimer of opinion—unable to perform all necessary procedures. C. Disclaimer of opinion—significant deficiencies exist. D. Adverse—material weaknesses exist. Original AACSB: Communication AICPA BB: Legal AICPA FN: Research Bloom's: Knowledge Difficulty: Easy 63. The purpose of separating the duties of hiring personnel and distributing payroll checks is to separate the Refer To: 05-43 A. Authorization of transactions from the custody of related assets. B. Operational responsibility from the record-keeping responsibility. C. Human resources function from the controllership function. D. Administrative controls from the internal accounting controls. AICPA adapted AACSB: Analytic AICPA BB: Legal AICPA FN: Risk Analysis Bloom's: Application Difficulty: Easy 5-63
  64. 64. Chapter 05 - Risk Assessment: Internal Control Evaluation 64. Which of the following statements is not true with respect to the auditors' report on internal control over financial reporting? Refer To: 05-43 A. The report will be dated as of the balance sheet date. B. The report will express an opinion on the effectiveness of internal control over financial reporting. C. If one or more material weaknesses exist, the auditor will issue an adverse opinion. D. The report may be presented with the report on the entity's financial statements as a combined report. Original AACSB: Communication AICPA BB: Legal AICPA FN: Research Bloom's: Knowledge Difficulty: Hard 65. If the auditors encounter a significant scope limitation in evaluating a public company's internal control over financial reporting, which of the following types of opinions on the effectiveness of the company's internal control over financial reporting would be appropriate? Refer To: 05-43 A. Unqualified opinion or adverse opinion. B. Qualified opinion or adverse opinion. C. Unqualified opinion or disclaimer of opinion. D. Disclaimer of opinion. Original AACSB: Communication AICPA BB: Legal AICPA FN: Research Bloom's: Application Difficulty: Medium 5-64
  65. 65. Chapter 05 - Risk Assessment: Internal Control Evaluation 66. Which of the following information would be included in the introductory paragraph of the auditors' report on internal control over financial reporting if the report is presented separately from the auditors' report on the entity's financial statements? Refer To: 05-43 A. The fact that the auditors conducted an audit of the entity's financial statements. B. The definition of a material weakness in internal control over financial reporting. C. Statements identifying the responsibility of the auditors and management for internal control over financial reporting. D. A reference to the auditors' report and opinion on the entity's financial statements. Original AACSB: Communication AICPA BB: Legal AICPA FN: Research Bloom's: Knowledge Difficulty: Hard Question also found in Study Guide 67. Which of the following is not one of COSO's objectives for internal controls? A. Efficiency and effectiveness of operations. B. Reliability of financial reporting. C. Maximization of profit. D. Compliance with applicable laws and regulations. Original AACSB: Analytic AICPA BB: Legal AICPA FN: Research Bloom's: Knowledge Difficulty: Easy 5-65
  66. 66. Chapter 05 - Risk Assessment: Internal Control Evaluation 68. Which of the following is not one of the elements of the control environment? A. Process for recording transactions and preparing financial statements. B. Presence of an internal auditing function. C. A company's organizational structure. D. Methods of assigning authority and responsibility. Original AACSB: Analytic AICPA BB: Legal AICPA FN: Research Bloom's: Knowledge Difficulty: Medium 69. Which of the following would not be considered a control activity? A. Assessment of control risk B. Performance reviews C. Physical controls D. Information processing controls Original AACSB: Analytic AICPA BB: Legal AICPA FN: Research Bloom's: Knowledge Difficulty: Medium 70. An edit test that checks data fields to see if any are blank when they must contain data is called a A. Valid sign test. B. Missing data test. C. Limit test. D. Valid character test. Original AACSB: Technology AICPA BB: Leveraging Technology AICPA FN: Leveraging Technology Bloom's: Knowledge Difficulty: Medium 5-66
  67. 67. Chapter 05 - Risk Assessment: Internal Control Evaluation 71. An action taken to prevent, detect, and correct errors and frauds in transactions is referred to as a A. Control objective. B. Risk assessment. C. Dual-purpose test. D. Control activity. Original AACSB: Analytic AICPA BB: Legal AICPA FN: Research Bloom's: Knowledge Difficulty: Easy 72. Accounting for the numerical sequence of shipping documents is a control procedure designed to achieve the internal control objective of A. Validity. B. Completeness. C. Accounting. D. Accuracy. Original AACSB: Analytic AICPA BB: Legal AICPA FN: Research Bloom's: Comprehension Difficulty: Easy 5-67
  68. 68. Chapter 05 - Risk Assessment: Internal Control Evaluation 73. Auditors obtain an understanding of the internal control through all of the following, except A. Previous experience with the company. B. Responses to inquiries directed to client personnel. C. A substantive testing audit plan. D. A "walk-through" of one or more transactions. Original AACSB: Analytic AICPA BB: Legal AICPA FN: Research Bloom's: Application Difficulty: Medium 74. The most efficient means of gathering evidence about the internal control is to conduct a formal interview with knowledgeable managers and A. Write a narrative description of each important control. B. Prepare a flowchart illustrating the internal control. C. Prepare a well indexed file of audit documentation. D. Use an internal control questionnaire. Original AACSB: Analytic AICPA BB: Legal AICPA FN: Research Bloom's: Application Difficulty: Medium 5-68
  69. 69. Chapter 05 - Risk Assessment: Internal Control Evaluation 75. The five internal control components do not include A. Control activities. B. Risk assessment. C. Monitoring. D. Control risk. Original AACSB: Analytic AICPA BB: Legal AICPA FN: Research Bloom's: Knowledge Difficulty: Easy 76. A computerized accounting system would not include which of the following among the processing control activities? A. Limit and reasonableness tests. B. File and operator controls. C. Master file changes. D. Run-to-run total. Original AACSB: Technology AICPA BB: Leveraging Technology AICPA FN: Leveraging Technology Bloom's: Knowledge Difficulty: Medium 5-69
  70. 70. Chapter 05 - Risk Assessment: Internal Control Evaluation 77. Significant deficiencies are defined as conditions that A. Could adversely affect the organization's ability to initiate, record, process, and report financial data in the financial statements. B. Results in a reasonable possibility that a material misstatement exists in financial statements. C. Exists when the design or operation of a control does not allow the company's management or employees to detect or prevent misstatements in a timely fashion. D. Relates to either a necessary control that is missing or an existing control that is so poorly designed that it fails to satisfy the control's objective. Original AACSB: Analytic AICPA BB: Legal AICPA FN: Research Bloom's: Knowledge Difficulty: Medium 78. AS 5 requires the audit team to do all the following except A. Evaluate the severity of each control deficiency that comes to his or her attention. B. Document the process used to determine significant accounts and disclosures and major classes of transactions. C. Test all internal controls in the company. D. AS 5 requires all the above. Original AACSB: Analytic AICPA BB: Legal AICPA FN: Research Bloom's: Knowledge Difficulty: Medium Matching Questions 5-70
  71. 71. Chapter 05 - Risk Assessment: Internal Control Evaluation 79. Below are the nine ASB management assertions. 1. Classification Match shipping documents with sales invoices before a sale is recorded. 2 2. Occurrence Balance total of individual customers' receivables with the control account. 1 3. Accuracy Sales manager approves taking discounts. 4 4. Allocation or valuation Computer check for billing the quantity shipped, list price, and total. 3 5. Completeness Account for numerical sequence of pre-numbered shipping documents. 5 AACSB: Analytic AICPA BB: Critical Thinking AICPA FN: Risk Analysis Bloom's: Application Difficulty: Hard 80. For each of the descriptions below, match the correct control, A to G. 1. sequence tests Programmed tests to ensure that illogical conditions do not occur. 2 2. limit/reasonableness tests Test that checks data fields for appropriate plus or minus. 5 3. check digit Test that checks data fields to see if any are blank. 4 4. missing data tests An extra number tagged on to the end of a basic identification. 3 5. valid sign test Test that can check for missing documents in a prenumbered series. 1 AACSB: Technology AICPA BB: Leveraging Technology AICPA FN: Leveraging Technology Bloom's: Application Difficulty: Hard True / False Questions Question also Found in Study Guide 5-71
  72. 72. Chapter 05 - Risk Assessment: Internal Control Evaluation 81. The primary reason for conducting an evaluation of a company's internal control is to provide a basis for communicating significant deficiencies. FALSE 82. The audit task of control risk assessment involves finding out what the company does to prevent, detect, and correct errors and fraud. TRUE 83. The audit team is responsible for the client's internal control. FALSE 84. The attitudes of managers and directors are probably the most pervasive influences on the control environment. TRUE 85. The most important feature of an internal control system is the people who make the system work. TRUE 86. A control activity is an action taken to prevent, detect, and correct errors and frauds in transactions. TRUE 87. The COSO report indicates that internal control should be considered a process, not an end in itself. TRUE 5-72
  73. 73. Chapter 05 - Risk Assessment: Internal Control Evaluation 88. Auditors of public companies do not need to determine the quality of a client's internal control; they only need to know enough to plan the audit work. FALSE 89. The primary reason to evaluate internal control is to formulate constructive suggestions for improvement. FALSE 90. The most efficient means of gathering evidence about a client's internal control is to prepare a flowchart of the system. FALSE 91. The strengths and weaknesses of a control system should be documented in bridge working papers connecting the control evaluation to subsequent audit procedures. TRUE 92. Auditors do not need to perform tests of controls audit procedures on internal control weaknesses just to prove the weaknesses actually exist. TRUE 93. To reduce the final control risk assessment to a low level, auditors need only to determine the required degree of compliance with the control policies and procedures. FALSE 94. Auditors perform tests of control activities to determine how the company's controls actually functioned during the period under audit. TRUE 5-73
  74. 74. Chapter 05 - Risk Assessment: Internal Control Evaluation 95. Control systems generally provide absolute assurance that the objectives of internal control are satisfied. FALSE 96. Dual-purpose audit tests are procedures that produce both control and substantive evidence. TRUE 97. The key person in the internal control system of a small business is the independent auditor. FALSE 98. Evaluation of internal control systems on a nonpublic entity should not be subject to cost/benefit considerations. FALSE 99. Tests of controls consist of procedures designed to produce evidence of how effectively the client's controls work in practice. TRUE 100. Auditors can stop the assessment of control risk for nonpublic entities for either effectiveness or efficiency reasons. TRUE 101. PCAOB Auditing Standard No. 5 only applies to public companies. TRUE 5-74
  75. 75. Chapter 05 - Risk Assessment: Internal Control Evaluation 102. The auditor's opinion on internal control under AS 5 relates only to controls existing at the end of the year. TRUE 103. Auditors should begin their evaluation of internal controls over financial reporting on a bottom-up basis—starting with the account level assertion and working up to entity-level controls. FALSE Fill in the Blank Questions Questions also Found in Study Guide 104. _____________________________ _____________________________ are the set of policies and procedures that are designed to insure that transactions are recorded properly. Control activities 105. _____________________________ _____________________________ in internal control are matters the auditors believe should be communicated to the clients' audit committee. Significant deficiencies 106. The audit team is responsible for designing an evaluation of _____________________________ internal control systems, and _____________________________ the control _____________________________ of that system. existing, assessing, risk 5-75
  76. 76. Chapter 05 - Risk Assessment: Internal Control Evaluation 107. The COSO report identifies the objectives to be achieved by internal control as (1) effectiveness and efficiency of _____________________________, (2) reliability of _____________________________ _____________________________, and (3) compliance with _____________________________ and _____________________________. operations, financial reporting, laws, regulations 108. _____________________________ _____________________________ are specific actions taken by a client's management and employees to help ensure that management directives are carried out. Control activities 109. _____________________________ _____________________________ to assets and important records, documents, and blank forms should be limited to authorized personnel only in a well controlled company. Physical access 110. Internal control systems generally provide _____________________________ assurance that the objectives of internal control are satisfied. reasonable 111. In connection with control activities used in a client's internal control system, a _____________________________ _____________________________ is a tally of the number of transactions submitted at a particular time and it is used to determine whether the proper number was processed in a data conversion or computer accounting application. record count 112. Control activities in a computerized accounting system may be classified into two types-- _____________________________ controls and _____________________________ controls. general, application 5-76
  77. 77. Chapter 05 - Risk Assessment: Internal Control Evaluation 113. Significant deficiencies in internal control also include the more serious condition called a _____________________________ _____________________________. material weakness 114. To reduce the control risk level to a low level, auditors must determine (1) the _____________________________ _____________________________ of company compliance with control policies, and (2) the _____________________________ _____________________________ of company compliance. required degree, actual degree 115. Auditors perform _____________________________ _____________________________ _____________________________ to determine how well the company's controls actually functioned during the period under audit. tests of controls 116. The concept of _____________________________ _____________________________ recognizes that the cost of an entity's internal control should not exceed the benefits that are expected to be derived. reasonable assurance 117. In gathering evidence about the client's internal control, auditors may use a (n) _____________________________ _____________________________ _____________________________, which is a checklist of internal control related questions. internal control questionnaire 118. _____________________________ _____________________________ _____________________________ reduce opportunities for a person to be in a position to perpetrate and conceal errors and frauds when performing their normal duties. Separation of duties 5-77
  78. 78. Chapter 05 - Risk Assessment: Internal Control Evaluation 119. A(n) _____________________________ _____________________________ _____________________________ is a single procedure that produces both control and substantive evidence. dual-purpose test 120. A(n) _____________________________ _____________________________ is an extra number, precisely calculated, that is tagged onto the end of a basic identification number such as an employee number. check digit 121. Computerized checks to see whether data values exceed or fall below some predetermined limit are called limit or _____________________________ _____________________________. reasonableness tests 122. Techniques used to check errors in accounting data in computer based accounting systems can be categorized as _____________________________ _____________________________, _____________________________ _____________________________, and _____________________________ _____________________________. input controls, processing controls, output controls 123. A material weakness results in a _____________________________ _____________________________ that a _____________________________ _____________________________ would not be prevented or detected on a timely basis. reasonable possibility, material misstatement Essay Questions 5-78
  79. 79. Chapter 05 - Risk Assessment: Internal Control Evaluation 124. What is the difference between an information technology general control and an information technology application control? An information technology general control is used to help control the entire computing environment for an organization. For example, most organizations require password access to log into the computing environment. An information technology application control is a computerized control procedure that is designed to accomplish some type of control objective within a company's overall system of internal control. For example, a company's accounts receivable system may have an application control that automatically checks a customer's credit limit before a new sales order is approved. In order to function properly, an information technology application level technology control is dependent on effective information technology general controls. AACSB: Technology AICPA BB: Leveraging Technology AICPA FN: Leveraging Technology Bloom's: Knowledge Difficulty: Medium 125. What is the difference between an internal control's design effectiveness and its operating effectiveness? Design effectiveness determines whether the controls over financial reporting, if operating effectively, would be expected to prevent or detect errors or fraud that could result in a material financial misstatement. Operating effectiveness is whether the control is operating as designed and whether the person performing the control possesses the necessary authority and qualifications to perform the control effectively. AACSB: Analytic AICPA BB: Legal AICPA FN: Research Bloom's: Knowledge Difficulty: Medium 5-79
  80. 80. Chapter 05 - Risk Assessment: Internal Control Evaluation 126. List several elements of a company's control environment. Some of the elements of a control environment include: * Management's philosophy and operating style. * Company organization structure. * Functioning of the board of directors, particularly its audit committee. * Methods of assigning authority and responsibility. * Management's monitoring methods, including internal auditing. * Personnel policies and practices. * External influences. AACSB: Analytic AICPA BB: Legal AICPA FN: Research Bloom's: Knowledge Difficulty: Medium 127. List and explain briefly the phases of an internal control evaluation. Phase 1: Understanding and document the client's internal control structure. This phase includes a general knowledge of the control environment, including the identification of entity level controls. In addition, the auditor should gain an understanding of the flow of transactions through the accounting system and document this understanding using a questionnaire, narrative descriptions and perhaps flowcharts. Phase 2: Assessing the control risk on a preliminary basis. At this point of the process, the strengths and weaknesses of the system are analyzed and should be documented in a bridge workpaper. A preliminary assessment of internal controls is completed. At this point, a decision is made as to which controls are going tested and a required degree of compliance is determined. Phase 3: Performing tests of controls audit procedures and reassess control risk. When the audit team determines that a specific control activity could have a significant effect in reducing control risk to a low level for a specific assertion, they perform test of that control activity to obtain specific audit evidence about the effectiveness of the design or operation of that control activity. At this point, the actual degree of compliance is compared with the required degree of compliance. The audit team then must determine the final assessment of control risk and then determine whether any changes to the substantive testing plan must be made. AACSB: Analytic AICPA BB: Legal AICPA FN: Risk Analysis Bloom's: Comprehension Difficulty: Medium 5-80
  81. 81. Chapter 05 - Risk Assessment: Internal Control Evaluation 128. What are some of the problems in establishing an internal control system in small business? Internal control problems in small business would include: A. Separation of functional responsibilities would be difficult because of the small number of employees. B. The owner manager has to assume a greater role to oversee and supervise authorization, recordkeeping, and custodial functions. C. The owner manager must be diligent, competent, and have a high degree of integrity. AACSB: Analytic AICPA BB: Critical Thinking AICPA FN: Risk Analysis Bloom's: Application Difficulty: Medium 129. The Sunny Company is computerizing its accounting function. It would like to separate the duties of the systems analyst, programmer, and computer operator by hiring three different people for these jobs. However, they can only afford to hire two people. Required: A. Briefly describe the functions of the systems analyst, programmer, and computer operator. B. If Sunny Company can afford only two positions, which two of the three would you combine into one job? Explain. A. A systems analyst evaluates the existing system and designs new or improved data processing. This includes outlining the system and providing guidelines for the programmer. The programmer flowcharts, codes, and documents the application. The computer operator operates the computer based on written instructions. B. It would be best to combine the functions of the systems analyst and programmer. The programmer has intimate knowledge of the program. The programmer could write code that could be used during computer operations to manipulate data or assets for his or her benefit. Therefore, the worst situation would be to combine the functions of the programmer and computer operator. Another possibility would be to combine the responsibilities of the systems analyst and computer operator. Though this may not be as severe a problem, the systems analyst may still have special knowledge about the program and programming. AACSB: Technology AICPA BB: Leveraging Technology AICPA FN: Leveraging Technology Bloom's: Application Difficulty: Hard 5-81
  82. 82. Chapter 05 - Risk Assessment: Internal Control Evaluation 130. Explain the different opinions that auditors can issue for an entity's internal control over financial reporting. Auditors can issue the following opinions for an audit of an entity's internal control over financial reporting: • Unqualified. No material weaknesses exist. • Disclaimer. The audit team cannot perform all of the procedures considered necessary and therefore cannot issue an opinion. • Adverse opinion. One or more material weaknesses exist. AACSB: Communication AICPA BB: Legal AICPA FN: Research Bloom's: Knowledge Difficulty: Medium 5-82
  83. 83. Chapter 05 - Risk Assessment: Internal Control Evaluation 131. Auditors are required to obtain a sufficient understanding of an entity's internal control. This understanding is required by the performance principle of GAAS. Required: A. What are some of the goals (purposes) for conducting an evaluation of an entity's internal control? B. What audit work is required for an auditor to assess control risk below the "maximum" level? C. Should auditors always try to obtain enough evidence to assess control risk below the "maximum" level? Explain. A. The audit team has two primary reasons for conducting an evaluation of an entity's internal control. First, Sarbanes-Oxley requires an audit of the effectiveness of internal control that is an integrated part of the financial statement audit for publicly traded companies. The second reason for evaluating an entity's internal control is to comply with the performance principle of GAAS: To assess the risk of material misstatement to give the auditors a basis for planning the audit and determining the nature, timing, and extent of audit procedures for the substantive audit plan. The audit team assesses control risk. B. If auditors assess control risk as "maximum" or 100 percent (i.e., poor control), they will tend to perform a great deal of substantive procedures with large sample sizes (extent), at or near the entity's fiscal year end (timing), using procedures designed to obtain high-quality external evidence (nature). On the other hand, if auditors assess control risk as "low," usually around 10 to 20 percent (i.e., effective control), they can perform fewer substantive procedures with smaller sample sizes (extent), at an interim date before the entity's fiscal year end (timing), using a mixture of procedures designed to obtain high-quality external evidence and lower-quality internal evidence (nature). Of course, auditors may assess control risk between "low" and "maximum" (e.g., "moderate," "high," or "slightly below maximum") and adjust the substantive procedures accordingly. C. No. here may be occasions when the audit team chooses to test everything substantively rather than relying on internal controls to reduce substantive testing. For example, for fixed assets, there are usually a small number of very material transactions. Testing controls would not be efficient if the audit team is going to examine every transaction anyway. AACSB: Analytic AICPA BB: Critical Thinking AICPA FN: Risk Analysis Bloom's: Application Difficulty: Hard 5-83

×