1.16.18 Flashcards
To provide assurance that each voucher is submitted and paid only once, an auditor most likely would examine a sample of paid vouchers and determine whether each voucher is
Stamped “paid” by the check signer.
To provide assurance that voucher documentation is not used to support a duplicate payment, the individual responsible for cash disbursements should examine the voucher and determine the appropriateness of the supporting documents, sign the check, cancel the payment documents, and mail the check to the vendor.
Samples to test controls are intended to provide a basis for an auditor to conclude whether
The controls are operating effectively.
Tests of controls obtain evidence about the operating effectiveness of controls in preventing, or detecting and correcting, material misstatements at the assertion level. Tests of controls address (1) how they were applied at relevant times during the period, (2) by whom or by what means they were applied, and (3) the consistency of their application during the period. Prior to performing tests of controls, the auditor evaluates whether they are suitably designed to prevent, or detect and correct, material misstatements in relevant assertions (AU-C 330).
If the auditor intends to rely on the operating effectiveness of relevant controls, which test of controls is necessary to obtain sufficient appropriate evidence?
Inquiry.
According to AU-C 330, an auditor’s tests of controls include other audit procedures in combination with inquiry. For this purpose, inquiry combined with inspection, reperformance, or recalculation may be preferable to inquiry and observation. Observation is relevant only at a moment in time.
An auditor may compensate for a high assessed risk of material misstatement by
Increasing the extent of substantive analytical procedures.
When designing further audit procedures, the auditor obtains more persuasive evidence the higher the risk assessment. Thus, the auditor may increase the quantity of evidence or obtain more relevant or reliable evidence. Furthermore, the extent of audit procedures generally increases as the RMMs increase. For example, the auditor may increase sample sizes or perform more detailed substantive analytical procedures (AU-C 330).
Before sending or receiving EDI messages, a company should
Execute a trading partner agreement with each of its customers and suppliers.
Before sending or receiving EDI messages, a company should execute a trading partner agreement with its customers and suppliers. For example, all parties should understand (1) their responsibilities, (2) the messages each will initiate, (3) how they will interpret messages, (4) the means of authenticating and verifying the completeness and accuracy of messages, (5) the moment when the contract between the parties is effective, and (6) the required level of security.
Each of the following broker-dealer relationships impairs auditor independence with respect to a broker-dealer issuer audit client except
The auditor has a cash balance in a brokerage account that is fully covered by the Securities Investor Protection Corporation.
Under SEC Independence Standards, an accountant is not independent when (1) the accounting firm, (2) any covered person in the firm, or (3) any of the covered person’s immediate family members has any brokerage or similar accounts maintained with a broker-dealer that is an audit client if (1) the accounts include any asset other than cash or securities or (2) the value of the assets in the accounts exceeds the amount that is subject to a Securities Investor Protection Corporation advance for those accounts. Thus, a cash balance in a brokerage account that is fully insured under the Securities Investor Protection Act (SIPA) does not impair independence.
The assessment of the risks of material misstatement permits the auditor to rely on the controls.
Although controls appear to be effective based on the understanding of internal control, the auditor should perform tests of controls when the assessment of the RMMs at the relevant assertion level includes an expectation of their operating effectiveness. This expectation reflects the auditor’s intention to rely on the controls in determining the nature, timing, and extent of substantive procedures.
A university does not have a centralized receiving function for departmental purchases of books, supplies, and equipment. Which of the following controls will most effectively prevent payment for goods not received, if performed prior to invoice payment?
Vendor invoices should be approved by a departmental supervisor other than the employee ordering the goods.
The departmental supervisors are the most likely to be aware of the goods received by their departments. Moreover, separating ordering authority from payment authority will prevent unauthorized purchases.
A CPA’s retention of client-provided records as a means of enforcing payment of an overdue audit fee is an action that is
Prohibited under the AICPA Code of Professional Conduct.
The Code defines client-provided records as “accounting or other records belonging to the client that were provided to the member by or on behalf of the client.” The retention (after a request is made for them) of client-provided records to enforce payment or for any other purpose is prohibited. Such an act is deemed to be discreditable to the profession.
Which of the following types of evidence should an auditor most likely examine to determine whether internal controls are operating as designed?
Client records documenting the use of computer programs.
In testing controls over the computer processing function, the auditor should obtain evidence of proper authorization of access to computer programs and files.
When assessing the competence of the internal auditors, an auditor should obtain information about the
Quality of the internal auditors’ working paper documentation.
Concerning the competence of the internal auditor, it is important to establish the quality of the work. The auditor should obtain information about (1) educational level and professional experience; (2) professional certification and continuing education; (3) audit policies, programs, and procedures (related to competence); (4) practices regarding assignment of internal auditors; (5) supervision and review of the internal auditor’s activities; (6) quality of documentation; and (7) performance evaluation.
Upon receipt of customers’ checks in the mail room, a responsible employee should prepare a remittance listing that is forwarded to the cashier. A copy of the listing should be sent to the
Accounts receivable bookkeeper to update the subsidiary accounts receivable records.
The individuals with recordkeeping responsibility should not have custody of cash. They should use either the remittance advices or a listing of the remittances to make entries to the cash and accounts receivable control account and to the subsidiary accounts receivable records. Indeed, having different people make entries in the control account and in the subsidiary records is an effective control.
If internal control is properly designed, the same employee may be permitted to
Sign checks and also cancel supporting documents.
Checks for disbursements should be signed by an officer, normally the CFO, after necessary supporting evidence has been examined. The documentation typically consists of a voucher, purchase order, receiving report, and a vendor invoice. Canceling vouchers and supporting papers (with perforations, ink, etc.) upon payment of the voucher prevents the payment of a duplicate voucher. If the person signing the check cancels the documents, they cannot be recycled for duplicate payments. Securing the paid-voucher file from access by the accounts payable clerk is another effective control.
A client who recently installed a new accounts payable system assigned employees a user identification code (UIC) and a separate password. Each UIC is a person’s name, and the individual’s password is the same as the UIC. Users are not required to change their passwords at initial log-in nor do passwords ever expire. Which of the following statements does not reflect a limitation of the client’s computer-access control?
Employees are not required to take regular vacations.
To be effective, passwords should consist of random letters, symbols, and numbers. They should not contain words or phrases that are easily guessed. Proper user authentication by means of passwords requires procedures to ensure that the valid passwords generated are known only by appropriate individuals. Moreover, passwords should be changed frequently so that the maximum retention period (the period during which they may be compromised) is relatively short. However, a minimum retention period should be required so that users cannot change passwords back to their old, convenient forms. Another weakness in access control is that different passwords are not required to perform different functions, e.g., to obtain access, to read certain files, or to update certain files. Use of separate passwords is a means of segregating duties. However, the password security system is unrelated to the absence of a requirement to take vacations. Nevertheless, such a requirement may be appropriate for personnel in a position to embezzle funds.
In obtaining an understanding of internal control, the auditor may trace several transactions through the control process, including how the transactions interface with any service organizations whose services are part of the information system. The primary purpose of this task is to
Determine whether the controls have been implemented.
The understanding should include information about the design of relevant controls and determining whether they have been implemented by the entity and by service organizations whose services are part of the entity’s information system. Tracing a few transactions through the control process (a walkthrough) should provide that evidence. A walkthrough follows transactions from origination through the entity’s processes, including IT systems, until they are reflected in the entity’s financial records (AS 2110).