5.1 Flashcards
An auditor is evaluating a client’s internal controls. Which of the following situations would be the most difficult internal control issue for an auditor to detect?
Two employees, who work in different departments, are circumventing an internal control.
Because of its inherent limitations, internal control can provide only reasonable assurance that the entity’s objectives are met. Thus, manual or automated controls can be circumvented by collusion of two or more people or by management override (AU-C 315). Fraud perpetrated by collusion may be difficult to detect because of schemes designed to conceal it.
Which of the following factors is most likely to affect the extent of the documentation of the auditor’s understanding of a client’s system of internal controls?
The degree to which information technology is used in the accounting function.
As internal control becomes more sophisticated, the documentation becomes more complex and extensive.
It is important for the auditor to consider the competence of the audit client’s employees, because their competence bears directly and importantly upon the
Achievement of the objectives of internal control.
The control environment is the foundation of internal control. A commitment to competence is one of the factors in the control environment.
Although substantive tests may support the accuracy of underlying information used in monitoring, these tests may provide no affirmative evidence of the effectiveness of monitoring controls because
The information used in monitoring may be accurate even though it is subject to ineffective control.
When obtaining an understanding of each of the five components of internal control (including monitoring), the auditor must perform procedures to understand the design of relevant controls and must determine whether controls have been implemented. If (s)he intends to rely on the controls, (s)he must also determine their effectiveness. However, when controls based on monitoring leave no audit trail, for example, documentation of design or operation, evidence about effectiveness of design or operation may be obtained only by inquiries, observations, and computer-assisted audit methods. Moreover, substantive procedures likewise may provide no affirmative evidence of the effectiveness of monitoring controls because the information may be accurate even though controls over its creation are ineffective. Thus, the ineffectiveness of monitoring would not be revealed by substantive procedures unless the detection of material misstatements resulted in performance of additional audit procedures directed at the controls.
An entity should consider the cost of a control in relationship to the risk. Which of the following controls best reflects this philosophy for a large dollar investment in heavy machine tools?
Imprinting a controlled identification number on each tool.
A controlled identification number on each tool and periodic checking allow for an effective control at reasonable cost.
An entity has many employees who access a database with numerous access points. The database contains sensitive information about the customers of the entity. Access controls prevent employees from entry to those areas of the database for which they have no authorization. All salespersons have certain access permission to customer information. Which of the following is a true statement about the nature of the controls and risks?
A salesperson’s access to customer information should extend only to what is necessary to perform his or her duties.
Internal control risks vary with the nature and characteristics of IT usage. Employees should be allowed access to systems only to the extent necessary for them to carry out their responsibilities.
In obtaining an understanding of a manufacturing entity’s internal control concerning inventory balances, an auditor most likely would
Review the entity’s descriptions of inventory policies and procedures.
The auditor should obtain an understanding of the internal control components to plan the audit, including knowledge about the design of relevant controls and whether they have been implemented. Reviewing the entity’s descriptions of inventory policies and procedures helps the auditor understand their design.
An auditor anticipates relying on the operating effectiveness of controls in a computerized environment. Under these circumstances, on which of the following activities would the auditor initially focus?
General controls.
Relying on controls involves (1) identifying specific controls that are suitably designed to prevent, or detect and correct, material misstatements in relevant assertions; (2) performing tests of controls; and (3) assessing the RMMs. Some computer controls relate to all computer activities (general controls), and some relate to specific tasks (application controls). Because general controls have pervasive effects, they should be tested before application controls. If the general controls are ineffective, tests of the application controls over input, processing, and output are unlikely to permit the auditor to rely on controls.
Which of the following constitutes a potential risk associated with the use of information technology in an entity’s internal control structure?
Unauthorized changes to systems.
Use of IT creates specific risks to internal control. They include unauthorized (1) access to data (e.g., recording of unauthorized, inaccurate, or nonexistent transactions), (2) changes in data, and (3) changes in systems or programs.
First Federal S&L has an online, real-time system, with terminals installed in all of its branches. This system will not accept a customer’s cash withdrawal instruction in excess of $1,000 without the use of a “terminal audit key.” After the transaction is authorized by a supervisor, the bank teller then processes the transaction with the audit key. This control can be strengthened by
Online recording of the transaction on an audit override sheet.
Control over large cash withdrawals can be improved further by separately recording these transactions. The additional documentation provides an audit trail that the auditor may follow to determine whether the special procedures have been followed.
Which of the following best describes an inherent limitation that should be recognized by an auditor when considering the potential effectiveness of internal control?
Controls, whether manual or automated, whose effectiveness depends on segregation of duties can be circumvented by collusion.
One of the inherent limitations of internal control is that it can be circumvented by collusion among persons both within and outside the entity. Thus, a control based on segregation of duties will be ineffective if a person in a position to commit fraud colludes with a person who can conceal it.
Which of the following factors is most relevant when an auditor considers the client’s organizational structure in the context of the risks of material misstatement?
The suitability of the client’s lines of reporting.
Lines of reporting can determine the ability of management or other employees to circumvent implemented controls. Reporting lines are part of the organizational structure and affect the auditor’s assessment of the RMMs.
One of the major problems in a computer system is that incompatible functions may be performed by the same individual. One compensating control is the use of
A computer access log.
A computer (console) access log is a record of computer and software usage usually produced by the operating system. Proper monitoring of the log is a compensating control for the lack of segregation of duties. For example, the log should list operator interventions.
In order to obtain an initial understanding of internal control sufficient to assess the risk of material misstatement of the financial statements, an auditor would most likely perform which of the following procedures?
Risk-assessment procedures to evaluate the design of relevant controls.
In all audits, the auditor should obtain an understanding of the components of internal control to identify and assess the RMMs and to design further audit procedures. An understanding is obtained by performing risk assessment procedures to evaluate the design of controls relevant to the audit and determine whether they have been implemented. Risk assessment procedures performed to obtain evidence about the design and implementation of relevant controls include (1) inquiries, (2) observation of the application of specific controls, (3) inspection of documents and reports, and (4) tracing transactions. Inquiries alone are not sufficient.
Which of the following components of internal control includes development and use of training policies that communicate prospective roles and responsibilities to employees?
Control environment.
The control environment sets the tone of an organization. It includes human resource policies and practices relative to hiring, orientation, training, evaluating, counseling, promoting, compensating, and remedial actions.