5.4 Flashcards
An advantage of using systems flowcharts to document information about internal control instead of using internal control questionnaires is that systems flowcharts
Provide a visual depiction of clients’ activities.
Systems flowcharts provide a visual representation of a series of sequential processes, that is, of a flow of documents, data, and operations. In many instances, a flowchart is preferable to a questionnaire because a picture is usually more easily comprehended.
An auditor would most likely be concerned with controls that provide reasonable assurance about the
Entity’s ability to initiate, authorize, record, process, and report financial data.
The information system relevant to financial reporting objectives, which includes the accounting system, consists of the procedures, whether automated or manual, and records established to initiate, authorize, record, process, and report entity transactions (as well as events and conditions) and to maintain accountability for the related assets, liabilities, and equity (AU-C 315).
Which of the following factors is most likely to affect the extent of the documentation of the auditor’s understanding of a client’s system of internal controls?
The degree to which information technology is used in the accounting function.
As internal control becomes more sophisticated, the documentation becomes more complex and extensive.
The normal sequence of documents and operations on a well-prepared systems flowchart is
Top to bottom and left to right.
The direction of flow in the normal sequence of documents and operations on a well-prepared systems flowchart is from top to bottom and from left to right.
A client is concerned that a power outage or disaster could impair the computer hardware’s ability to function as designed. The client desires off-site backup hardware facilities that are fully configured and ready to operate within several hours. The client most likely should consider a
Hot site.
A hot site is a service facility that is fully operational and is promptly available in the case of a power outage or disaster.
An entity should consider the cost of a control in relationship to the risk. Which of the following controls best reflects this philosophy for a large dollar investment in heavy machine tools?
Imprinting a controlled identification number on each tool.
A controlled identification number on each tool and periodic checking allow for an effective control at reasonable cost.
The auditor should document the understanding of internal control. For example, a narrative memorandum may be used to
Provide a written description of the process and flow of documents and of the control points.
An auditor should prepare documentation of internal control during an audit. Examples of an auditor’s documentation include flowcharts, narrative memoranda, questionnaires, and decision tables. A narrative memorandum is a written description of the process and flow of documents and of the control points. For an information system that makes little use of IT or that processes few transactions, documentation in the form of a memorandum may suffice.
First Federal S&L has an online, real-time system, with terminals installed in all of its branches. This system will not accept a customer’s cash withdrawal instruction in excess of $1,000 without the use of a “terminal audit key.” After the transaction is authorized by a supervisor, the bank teller then processes the transaction with the audit key. This control can be strengthened by
Online recording of the transaction on an audit override sheet.
Control over large cash withdrawals can be improved further by separately recording these transactions. The additional documentation provides an audit trail that the auditor may follow to determine whether the special procedures have been followed.
If a control total were to be computed on each of the following data items, which would best be identified as a hash total for a payroll computer application?
Department numbers.
The three types of control totals are record counts, financial (amount) totals, and hash totals. Record counts establish the number of source documents and reconcile it to the number of output records. Financial (amount) totals compute dollar or amount totals from source documents (e.g., the total dollar amount of invoices processed) and reconcile them with the output records. Hash totals add numbers on input documents that are not normally added (e.g., department numbers for payroll processing) and reconcile them with output records.
So that the essential control features of a client’s computer system can be identified and evaluated, the auditor of a nonissuer must, at a minimum, have
A sufficient understanding of the entire computer system.
The audit should be performed by a person having adequate technical training and proficiency as an auditor. That auditor is required to obtain a sufficient understanding of internal control to plan the audit and determine the nature, timing, and extent of tests to be performed. Hence, the auditor should have the training and proficiency that are necessary to understand controls relevant to the computer system.
The online data entry control called preformatting is
The display of a document with blanks for data items to be entered by the terminal operator.
To avoid data entry errors in online systems, a preformatted screen approach may be used. It is a screen prompting approach that involves the display on a monitor of a set of boxes for entry of specified data items. The format may even be in the form of a copy of a transaction document. This technique is best suited to conversion of data from a source document.
Misstatements in a batch computer system caused by incorrect programs or data may not be detected immediately because
There are time delays in processing transactions in a batch system.
Transactions in a batch computer system are grouped together, or batched, prior to processing. Batches may be processed daily, weekly, or even monthly. Thus, considerable time may elapse between the initiation of the transaction and the discovery of an error.
Control activities constitute one of the five components of internal control described in the COSO model. Control activities do not encompass
An internal auditing function.
The COSO model describes control activities as policies and procedures that help ensure that management directives are carried out. They are intended to ensure that necessary actions are taken to address risks to achieve the entity’s objectives. Control activities have various objectives and are applied at various organizational and functional levels. However, an internal auditing function is part of the monitoring component.
Which of the following is a component of internal control?
Risk assessment.
Internal control has five components: (1) the control environment, (2) risk assessment process, (3) control activities, (4) information systems, and (5) monitoring of controls. The control environment sets the tone of an organization, influences control consciousness, and provides a foundation for the other components. The risk assessment process is the identification, analysis, and management of risks relevant to achievement of objectives. Control activities help ensure that management directives are executed. The information system, including the related business processes relevant to financial reporting and communication, consists of (1) physical and hardware components, (2) software, (3) people, (4) procedures, and (5) data. Monitoring assesses the performance of internal control over time (AU 315).
Although substantive tests may support the accuracy of underlying information used in monitoring, these tests may provide no affirmative evidence of the effectiveness of monitoring controls because
The information used in monitoring may be accurate even though it is subject to ineffective control.
When obtaining an understanding of each of the five components of internal control (including monitoring), the auditor must perform procedures to understand the design of relevant controls and must determine whether controls have been implemented. If (s)he intends to rely on the controls, (s)he must also determine their effectiveness. However, when controls based on monitoring leave no audit trail (for example, documentation of design or operation), evidence about effectiveness of design or operation may be obtained only by inquiries, observations, and computer-assisted audit methods. Moreover, substantive procedures likewise may provide no affirmative evidence of the effectiveness of monitoring controls because the information may be accurate even though controls over its creation are ineffective. Thus, the ineffectiveness of monitoring would not be revealed by substantive procedures unless the detection of material misstatements resulted in performance of additional audit procedures directed at the controls.