9 - II: Internal control

Question 1

How should the auditor obtain an initial understanding of internal control?

Answer 1

Through inquiry of appropriate personnel, observation, review of audit documentation.

Question 2

What is transaction cycle? Examples?

Answer 2

A group of essentially same type of transactions.

Revenue/receipts, expenditures/disbursement, payroll..

Question 3

How is the transaction cycle related to audits?

Answer 3

Control risk is constant within the transaction cycle. It’s the highest level of aggregation about which meaningful generalizations of control risk can be made.

Question 4

What are 3 basic ways to document the understanding of internal control?

Answer 4

1. Flowcharts.
2. Internal control questionnaires (ICQs).
3. Narrative write-up (written memo).

Question 5

What are advantages and disadvantages of flowcharts? Meaning of specific symbols?

Answer 5

A systematic approach that prevents overlook important considerations, fairly easy to review/understand/update. Tailored to client specific.

Tedious/time consuming. Might miss deficiencies by too much details.

Square: computer operation/process. Square w/wave bottom: document. Square with narrowed bottom: manual operation (off-line). Diamond: decision point. Triangle point down: Off-line storage (filing).

Question 6

What are advantages and disadvantages of ICQs?

Answer 6

Can be prepared in advance - prevent missing important questions. No answer indicates deficiency - easy.

Generic questionnaires not tailored to client - irrelevant questions can be included. Client could inaccurately answer intentionally/unintentionally.

Question 7

What are advantages and disadvantages of narrative write-ups?

Answer 7

can be tailored to client. can be as detailed or general. easy to prepare.

Relatively easy to overlook important considerations because analysis is fairly unstructured.

Question 8

What is walkthrough?

Answer 8

The auditor takes a few transactions to trace them through the client’s accounting system to get some feedback as to whether the auditor has accurately understood/documented the way the client is processing transactions.

Question 9

Is walkthrough evidence or test of controls?

Answer 9

No.

Question 10

What is a type of control: compensating?

Answer 10

Supplements a basic underlying control.

Question 11

What is a type of control: preventive?

Answer 11

Prevents erros or fraud from occurring.

Question 12

What is batch processing?

Answer 12

Transactions that are processed by type.

Question 13

What is the purpose of obtaining sufficient knowledge of an entity’s information system?

Answer 13

To understand the financial reporting process used to prepare the entity’s F/S, including significant accounting estimates/disclosures.

Question 14

What are 4 steps of evaluating internal control?

Answer 14

1. Preliminary evaluation of internal control.
2. Perform test of controls.
3. Reevaluate planned reliance based on the results of test of controls.
4. Develop a detailed audit plan.

Question 15

What is the first stage of preliminary evaluation?

Answer 15

Consider whether reliance on certain specific internal control strength is appropriate. Consider the apparent adequacy of controls regarding design effectiveness.

Question 16

What should the auditor do if internal control is perceived to be ineffective?

Answer 16

Assess the control risk at the maximum level (no reliance) and perform a wholly substantive audit approach by;

• considering the possible types of errors/problems that could occur.
• considering the kinds of procedures that would prevent/detect those.
• determine whether such control is in place.
• evaluate implications of any identified weaknesses.

Question 17

If internal control is perceived effective?

Answer 17

Perform tests of control to evaluate the operating effectiveness of control. Consider cost-benefit issues.

Question 18

What is the purpose of test of controls?

Answer 18

To verify the controls that looked good on paper (design effectiveness) were actually working as intended through the period (operating effectiveness).

Question 19

What is the purpose of considering internal control?

Answer 19

To design an audit plan to achieve an appropriate level of detection risk.

Question 20

Who is responsible for internal control?

Answer 20

Management.

Question 21

What are 3 basic inherent limitations of internal control?

Answer 21

1. Cost-benefit considerations.
2. Mistakes due to misunderstanding, misjudgments, carelessness, fatigue, etc.
3. Segregation of duty may break down due to collusion (a conspiracy among employees/management to circumvent internal controls) or management override.

Question 22

At the very beginning stage of initial review of I/C, if I/C is not adequate to audit, what must the auditor do?

Answer 22

Disclaim an opinion or withdraw from the audit.

Question 23

When the auditor determines that I/C effective, but cost > benefit, what should he do?

Answer 23

No reliance. Perform a wholly substantive audit approach.

Question 24

When is test of control required?

Answer 24

When the auditor relies on the control or substantive tests alone are not sufficient to audit particular assertions.

Question 25

What must the auditor obtain knowledge about when understanding an entity’s I/C?

Answer 25

Design controls.

Question 26

How is test of control performed?

Answer 26

Select a sample of transactions and verify that the control procedures of interest were performed.

Question 27

Control risk should be assessed in terms of what?

Answer 27

F/S assertions.

Question 28

AICPA: what are 2 responsibilities of the auditor?

Answer 28

1. Understanding the entity and its environment and assessing the risks of material misstatement.
2. Performing Audit Procedures in response to assessed risks and evaluating the audit evidence obtained.

Question 29

AICPA: What are 3 key objectives of I/C?

Answer 29

1. Reliability of financial reporting.
2. Effectiveness and efficiency of operations.
3. Compliance with applicable laws and regulations.

Question 30

AICPA: What are 5 interrelated components of I/C?

Answer 30

1. Control environment.
2. Risk assessment.
3. Information and communication systems.
4. Control activities.
5. Monitoring.

Question 31

What is control environment?

Answer 31

Policies/procedures to establish the overall control consciousness of the organization (the tone at the top).

Question 32

What are the 7 elements of control environment?

Answer 32

1. Communication/enforcement of ethical values.
2. Commitment to competence.
3. Participation by those charged w/ governance.
4. Management’s philosophy/operating style.
5. Organizational structure.
6. Assignment of authority/responsibility.
7. HR policies/practices.

Question 33

What is risk assessment?

Answer 33

Policies/procedures to identify/analyze relevant risks/prioritize them so they can be effectively managed.

Question 34

What is control activities?

Answer 34

Policies/procedures to provide reasonable assurance that management’s specific objectives will be achieved.

Question 35

What are 5 control activities? (SCARE).

Answer 35

Segregation of duties.
Controls (physical controls).
Authorization.
Review of performance.
EDP/IT (information processing).

Question 36

What are 3 functions of segregation of duties (CAR)? What is 4th duty?

Answer 36

Authorization (execution).
Access (custody).
Accounting (record-keeping).

Reconciliation.

Question 37

What is information/communication?

Answer 37

Policies/procedures to identify, capture, exchange relevant information in a form and time frame that enables personnel to meet their responsibilities.

Question 38

What is monitoring?

Answer 38

Policies/procedures to assess the effectiveness of I/C over time.

Question 39

AICPA: What are 5 risk assessment procedures?

Answer 39

1. Inquiries of management/others.
2. Observation/inspection of document etc.
3. Analytical procedure performed in planning.
4. Review of info obtained in prior period.
5. Discussion among audit team members about the RMM.(key members should be involved to understand the potential for material misstatement in areas, discuss areas of sig audit risk, potential for management override, susceptibility of fraud).

Question 40

AICPA: what is significant risks?

Answer 40

In the auditor’s judgment, requires special audit consideration.

Question 41

What are situations that are fraud risk?

Answer 41

Complexity of transactions, pertain to related parties, involve subjective measurements, unusual transactions.

Question 42

What must the auditor do when identifying sig risks?

Answer 42

Obtain an understanding of relevant controls and evaluate whether controls mitigate the risks.

Question 43

What are 5 elements of understanding the entity and its environment?

Answer 43

1. Industry, regulatory, and other external factors.
2. Nature of the entity (operations, ownerships, etc).
3. Objectives, strategies, and related business risks that may cause material misstatements.
4. Measurement and review of the entity’s financial performance measures (these may increase the risks of material misstatement).
5. I/C relevant to the audit.

Question 44

Can segregation of duties prevent fraud?

Answer 44

No. collusion, management override.

Question 45

Is the auditor obligated to search for significant deficiencies?

Answer 45

No.

Question 46

What is the concept of reasonable assurance related to I/C structure?

Answer 46

Cost benefit concept.

Question 47

When “overall response” (substantive) at F/S level is required, what kind of procedures are needed to perform an audit?

Answer 47

Assign more experienced staff. 
Provide closer supervision.
Use specialists.
Use more unpredictable audit procedures.
Determine whether to use "substantive approach" or "a combined approach" (both test of controls/substantive procedures).

Question 48

When response to the risks of material misstatement is at the relevant assertion level, what response is needed?

Answer 48

Make decisions about the nature, timing, and extent of further procedures (test of control, substantive procedures.

Question 49

What does test of controls determine? When is it appropriate to use test of controls?

Answer 49

The operating effectiveness of controls.
When the risk assessment includes an “expectation of the operating effectiveness” of controls (relying on certain specific controls: accept somewhat higher risk - assessment must be accurate).
When wholly substantive approach is not sufficient.

Question 50

An audit is an interactive process. What should the auditor do to maintain this?

Answer 50

Evaluate whether the assessments of RMM at the relevant assertion level remain appropriate.
Consider all relevant audit evidence (whether it corroborates or contradicts the F/S assertions).

Question 51

What must be documented regarding procedures? (4)

Answer 51

1. The auditor’s over all response to address RMM at the F/S level and nature, timing, extent of further audit procedures performed.
2. The linkage of those procedures w/ the assessed RMM at the relevant assertion level.
3. The result of audit procedures.
4. That the F/S agree or reconcile with the underlying accounting records.

Question 52

How frequently must an auditor test controls which was effective in past years?

Answer 52

At least every third audit.

Question 53

How can an auditor compensate for a weakness in internal control?

Answer 53

By increasing the extent of analytical procedures.

Question 54

When evidence is available only in electronic form, what may be the best and most effective course of action?

Answer 54

Use generalized audit software to extract evidence.

Question 55

What is the auditor’s fundamental responsibility to communicate?

Answer 55

Any identified material weaknesses and significant deficiencies either in the design or operation of internal control.

Question 56

What are keys to the definition of significant deficiencies?

Answer 56

Less severe than a material weakness.

Important enough to merit attention by those charged with governance.

Question 57

What are keys to the definition of material weakness?

Answer 57

A reasonable possibility that a material misstatement of the entity’s F/S will not be prevented or detected and corrected on a timely basis.

Question 58

When the auditor identifies significant deficiencies and material weaknesses, what must he/her do?

Answer 58

Must communicate in writing to management/those charged w/ governance.

Question 59

How should an auditor communicate lesser matters?

Answer 59

Either verbally or in writing.

Question 60

When must the auditor communicate significant deficiencies and material weaknesses?

Answer 60

No later than 60 days following the report release date - - the report is permitted to use (sooner is preferred).

Question 61

Should the byproducts of audit be restricted?

Answer 61

Yes, restricted distribution.

Question 62

How is material weakness determined?

Answer 62

by whether there is more than a remote likelihood of a material loss occurring due to the control deficiency

Question 63

Must the auditor communicate sig deficiencies and material weakness separately?

Answer 63

Yes.

Question 64

A control deficiency that is more than a significant deficiency is most likely to result in what form of audit opinion relating to internal control?

Answer 64

Adverse.

Question 65

What are factors must be considered when evaluating deficiencies?

Answer 65

The entity’s size, complexity, nature and diversity of business activities.

Question 66

Internal audit function: what is its performance? What is the objective?

Answer 66

Assurance and consulting activities.
To evaluate and improve the effectiveness of the entity’s governance, risk management, and internal control processes (GRC functions).

Question 67

What are 2 ways for the auditor to use internal audit function (I/A)?

Answer 67

1. To obtain audit evidence by substituting I/A’s work.

2. To provide direct assistance.

Question 68

What are 3 requirements must the auditor verify when using I/A’s evidence?

Answer 68

1. Objectivity of I/A - organizational status, policies, procedures.
2. Competence - education, experience, certification.
3. Systematic/disciplined approach - formal structured approach, including quality control.

Question 69

What are verification procedures the auditor should perform when using I/A’s evidence? (3)

Answer 69

1. Read I/A function’s report related to planned use.
2. Perform procedures to evaluate I/A’s planning, performance, review, documentation, validity/appropriateness of the conclusion.
3. Reperform some of the I/A’s work that is to be used.

Question 70

Who must make all the sig judgments about the audit?

Answer 70

The external auditor.

Question 71

What are 2 requirements when using I/A as direct assistance?

Answer 71

1. Objectivity.

2. Competence.

Question 72

What are 3 audit procedures when using I/A as direct assistance?

Answer 72

1. Obtain written acknowledgment from management that I/A is free to follow the external auditor without interference.
2. Appropriately direct, supervise, and review I/A’s work.
3. Test some of the work performed by the I/A’s accuracy.

Question 73

When using I/A or its work, is there any division of responsibility? Should the auditor mention the use of I/A?

Answer 73

No to both.