2 - Assessing Risk and Developing a Planned Response (25-35%)

Question 1

Hash total

Answer 1

Hash totals are an input control. They are a nonsense total; for example, the sum of the digits of an invoice number. A hash total is similar to a control total and is used to verify processing (or output) compared to input.

Question 2

Completeness check

Answer 2

A completeness check is a verification that all data required to process a given type of transaction has been entered in the required data fields. If missing data is detected, the operator is generally prompted to enter or complete the submission before it will be accepted for processing.

Question 3

Obtaining and understanding the entity’s system of internal control

Answer 3

Evaluating the DESIGN of a control and determining whether it has been IMPLEMENTED.

Question 4

Using test data

Answer 4

When using test data, the auditor is looking for controls that are built into the system, not controls that operate outside of the computer. Thus, the auditor would not be testing controls concerning control over and distribution of unclaimed paychecks.

Question 5

IT provides potential benefits

Answer 5

consistently apply predefined business rules and perform complex calculations in processing large volumes of transactions,
enhance timeliness, availability, and accuracy of information,
facilitate additional analysis of information,
enhance the ability to monitor performance of policies and procedures,
reduce the risk of controls being circumvented, and
enhance the ability to achieve effective segregation of duties.

Question 6

Integrated test facility

Answer 6

An integrated test facility involves the use of a set of transactions belonging to a dummy entity. These transactions have a predetermined result against which the computer processing will be compared. These transactions are run during the regular processing of data and often without the computer operator’s knowledge.

Question 7

A design deficiency

Answer 7

A deficiency in design exists when a control necessary to meet the control objective is missing or an existing control is not properly designed so that, even if the control operates as designed, the control objective would not be met.
If employees can change their time after the timecards have been approved, then that deficiency is considered to be a design deficiency.

Question 8

Parallel simulation

Answer 8

The use of parallel simulation requires the auditor to use a computer simulation that mimics the client’s production programs. The auditor processes actual client data through the simulated program and compares the results with the client’s processed data.

Question 9

Controls in an electronic data interchange (EDI) system

Answer 9

It is generally more important to have preventive controls in place for those benefits to be recognized.

Question 10

Preventing vs Detective Controls

Answer 10

Preventive controls have the objective of preventing errors or fraud that could result in a misstatement of the financial statements from occurring.

Detective controls have the objective of detecting errors or fraud that has already occurred that could result in a misstatement of the financial statements.

Question 11

Detection Risk vs Control Risk

Answer 11

Detection risk is the risk that audit procedures will fail to detect a material misstatement in the financial statements. Detection risk is within the auditor’s control
Control risk is the risk that a company’s internal controls will fail to prevent or detect material misstatements in financial statements. It is not within the auditor’s direct control

Question 12

Online inquiry

Answer 12

Online inquiry is an interactive procedure that allows an auditor or other authorized personnel to select and view individual records or transactions.
The auditor is most likely to use online inquiry to confirm whether operating personnel had corrected several errors in transaction files discovered during a recent audit.

Question 13

Mapping

Answer 13

Monitors the execution of a program. It would not be used to confirm whether operating personnel had corrected errors in transaction files discovered during a recent audit.

Question 14

Tracing

Answer 14

Tracing provides an audit trail of the instructions that are executed when a program is run. It would not be used to confirm whether operating personnel had corrected errors in transaction files discovered during a recent audit.

Question 15

Embedded audit module

Answer 15

An embedded audit module is able to identify and report specific transactions. Therefore, the module is used by the auditor to continuously audit transactions and capture those transactions of specific interest to the auditor.

Question 16

SOC Type 1

Answer 16

SOC Type 1 engagement addresses whether controls are suitably designed.

Question 17

SOC Type 2

Answer 17

SOC Type 2 engagement is principally focused on whether controls achieve operational effectiveness

Question 18

Audit strategy

Answer 18

The audit strategy determines the characteristics of the engagement that defines its scope, allows the auditor to determine key dates and reporting objectives, and considers factors such as materiality and preliminary identification of areas where there may be a higher risk of material misstatement. The audit strategy helps the auditor assign resources.

Question 19

Audit plan

Answer 19

The audit plan, is more detailed than the audit strategy and includes the nature, timing, and extent of audit procedures to be performed by audit team members in order to obtain sufficient appropriate audit evidence to reduce audit risk to an acceptably low level.

Question 20

At the account balance, class of transactions, or disclosure level, audit risk consists for:

Answer 20

The risk (consisting of inherent risk and control risk) that the relevant assertions related to balances, classes, or disclosures contain misstatements that could be material to the financial statements when aggregated with misstatemenets in other relevant assertions related to balances, classes, or disclosures
The risk (detection risk) that the auditor will not detect such misstatements.

Question 21

Control risk

Answer 21

Control risk is the risk that a misstatement that could occur in a relevant assertion and that could be material, either individually or when aggregated with other misstatements, will not be prevented or detected on a timely basis by the entity’s system of internal control

Question 22

Performance materiality.

Answer 22

AU-C 320.09 defines performance materiality as “the amount or amounts set by the auditor at less than materiality for the financial statements as a whole to reduce to an appropriately low level the probability that the aggregate of uncorrected and undetected misstatements exceeds materiality for the financial statements as a whole.”

Question 23

Inherent risk (IR)

Answer 23

Inherent risk (IR) is the susceptibility of a relevant assertion to a misstatement that could be material, assuming that there are no related controls. The auditor would be looking for situations such as accounts that are more susceptible to misstatement or theft, complex calculations, amounts derived from accounting estimates, and business risks arising from outside the entity.

Question 24

Materiality:

Answer 24

recognizes the importance of some matters for fair presentation of financial statements,

involves judgments which depend upon the surrounding circumstances, and

necessarily involves both quantitative and qualitative judgments.

Question 25

The acceptable level of detection risk is inversely related to

Answer 25

AU-C 200.A47–.A49 notes that detection risk is a function of the effectiveness of an auditing procedure and of its application by the auditor. Thus, the acceptable level of detection risk relates to the auditing procedures applied through substantive tests. As the assurance provided by substantive tests becomes or is expected to become higher, the acceptable level of detection risk decreases, or vice versa. Thus detection risk is inversely related to the assurance provided by substantive tests.