Audit #3 Flashcards

1
Q

What are the three primary objectives of a system of internal controls?

A
  • Accurate & reliable financial reporting (attest audit)
  • Compliance with applicable laws and regulations (compliance audit)
  • Efficient and effective operations (operational audit)
2
Q

True or False

Internal Controls are evaluated at the entity level?

A

True

3
Q

True or False

Internal Controls are evaluated at the assertion level?

A

True

4
Q

Financial Statement assertions can be broken down into 3 categories, what are they?

A

Events & Transactions (Income Statement)

Account Balances (Balance Sheet)

Presentation & Disclosure

5
Q

What are the relevant assertions that management makes on the financial statements?

A

Events & Transactions - Completeness, Cut-off, Accuracy, Classification, Occurrence.

Account Balances - Rights & Obligations, Allocations & Valuation, Completeness, Existence. (RACE)

Presentation of the F/S & Disclosures - Rights & Obligations, Accuracy & Valuation, Completeness, Occurrence, Understandability & Classification.

6
Q

What are the 6 management assertions about the financial statements?

A
  1. Understandability & Classification
  2. Presentation & Disclosure
  3. Existence & Occurrence
  4. Rights & Obligation
  5. Completeness & Cutoff
  6. Valuation Allocation & Accuracy
7
Q

What is COSO?

A

COSO is a framework used to benchmark internal controls

8
Q

COSO defines 5 components of I/C (CRIME)

A
  1. Control Environment
  2. Risk Assessment
  3. Control Activities
  4. Information and Communication
  5. Monitoring
9
Q

Who establishes the Control Environment in a company?

A

The Control Environment is established by the management of a company.

10
Q

What factors are included as part of COSO component 1 - Control Environment (CHOPPER)

A

Commitment to Competence

Human Resource Policies & Practices

Organizational Structure

Participation of those charged with governance

Philosophy of management & management operating style

Ethical values & integrity

Responsibility assignment

11
Q

COSO (CRIME)

Risk Assessment

A

Every organization faces risks, meaning that various factors, internal or external, could potentially prevent them from reaching their objectives. Organizations perform risk assessments to ensure that they only take necessary and acceptable risks.

12
Q

What are the four principles related to COSO - Risk Assessment

A
  1. Specify Suitable Objectives
  2. Identify & Analyze Risk
  3. Assess Fraud Risk
  4. Identify & Analyze Significant Change
13
Q

COSO (CRIME)

Control Environment

A

To ensure that all parts of the organization are adhering to standard practices, controls should be established across the enterprise environment. Management oversees and enforces a set of rules and procedures adopted from the COSO framework.

14
Q

What are the five principles related to COSO - Control Environment

A
  1. Demonstrate commitment to integrity and ethical values
  2. Exercise their oversight responsibility
  3. Established Structure, Authority, and Responsibility
  4. Demonstrates Commitment to Competence
  5. Enforce Accountability
15
Q

Entity Level Controls - Should provide a foundation for overall I/C structure. Entity Level Controls Should include what:

A
  1. Mission Statement
  2. Code of Conduct
  3. Organization Chart & Job Description
  4. Behavior of Management & Executives
16
Q

COSO (CRIME)

Control Activities

A

Control activities are the steps taken to help mitigate risk across an organization. The COSO framework helps organizations make sure that all activities carried out by employees are beneficial to the company’s goals and don’t involve any unnecessary risk.

17
Q

What are some of the control activities that ensure management directives are carried out? (PIPS-ARCC)

A
  1. Performance Review
  2. Information Processing
  3. Physical Controls
  4. Segregation of Duties
  • Authorization
  • Recording
  • Custody
  • Comparing
18
Q

What are the five principles related to COSO - Control Activities

A
  1. Select & Develop Control Activities
  2. Select & Develop General Controls over Technology
  3. Deploy Controls through policies & procedures
19
Q

COSO (CRIME)

Information & Communication

A

Communication, whether internal or external, is a daily occurrence for any organization. COSO provides controls to help organizations ensure that their communications follow best practices and contribute to achieving objectives.

Controls help prevent information from being shared inappropriately. Depending on the type and purpose of communication, different controls and rules may be used.

20
Q

What are the three principles related to COSO - Information & Communication

A
  1. Use relevant information
  2. Communicate internally
  3. Communicate externally
21
Q

COSO (CRIME)

Monitoring

A

All internal control systems must be monitored regularly to verify that controls are functioning properly. This can be done in the form of internal audits, which gather information that regulators and management can evaluate. This ongoing evaluation yields reports that reach the board of directors. Combined with external financial reports, this helps reduce the risk of fraud and achieve investor confidence.

22
Q

What are the two principles related to COSO - Monitoring

A
  1. Conduct Ongoing and Separate Evaluation
  2. Evaluate and Communicate Deficiencies
23
Q

What are the inherent limitations of I/C?

A
  1. Collusion
  2. Management Override
  3. Poor Human Judgement - Errors
24
Q

AU-C 315 - What steps must an auditor perform to obtain and apply an understanding of I/C?

A
  1. Obtain an understanding of the design of all 5 components of an entity I/C (CRIME) through the performance of risk assessment procedures.
  2. Document the understanding of I/C
  3. Assess RMM
  4. Develop an Audit Strategy to either:
    1. Not Rely
    2. Rely - TOC
  5. Reassess RMM and evaluate results
  6. Document conclusion and develop or revise audit program for further audit procedures
25
Q

In developing an understanding of the entity and its control environment the auditor is required to perform a Risk Assessment to understand the risk. What risk assessment procedures?

A
  1. Analytical Procedures
  2. Inquiry
  3. Inspection
  4. Observation
    5.
26
Q

What is the difference between a SOC 1 Report Type 1 vs Type 2 report?

A

Type 1 reports on the fairness of the presentation of management's description of the service organization's system and the suitability of the design.

Type 2 reports on the fairness of the presentation of management's description of the service organization's system and the suitability of the design and operating effectiveness.

27
Q

What are some of the techniques an auditor can take to document an understanding of I/C?

A
  1. Internal Questionnaire
  2. Flowcharts, Diagrams & Narratives
28
Q

Internal Control Questionnaire (PIPS-ARCC)

A
  1. Performance Review - Are there written department policies and procedures? Are unusual or incomplete transactions investigated?
  2. Information Technology - Are there controls that prevent the processing of IT unless certain criteria are met, such as the matching of certain documentation before recording a sale? Are there IT general controls that relate to the overall operation of the system, including the structure of the organization and access to information? Are application controls that relate to specific functions
  3. Physical Controls
  4. Segregation of Duties - Authorization, Custody, Recording, Comparison
29
Q

What are some factors that might increase the risk that the F/S are materially misstated?

A
  1. Competency of management
  2. Ability to develop estimates
  3. Management's aggressiveness
  4. Economy
  5. Financing requirements by the entity
    6.
30
Q

To test the effectiveness of the design and operation of a control, the auditor must consider:

A

How the control was applied.

The consistency with which it was applied, and

By whom it was applied

31
Q

What is the difference between IT General Controls & Application Controls?

A
  1. IT General Controls - These relate to the overall integrity of the system. Controls include IT governance policies, procedures, and practices (tasks and activities) established by management to provide reasonable assurance that specific objectives will be achieved.
  2. Application Controls - These are the policies, procedures, and activities designed to provide reasonable assurance that objectives relevant to a given automated solution (application) are achieved. They are designed to ensure that an individual computer application program performs properly, accepting authorized input, processing it correctly, and generating appropriate output.
32
Q

Entity Level Controls Include?

A
  • Mission Statement
  • Code of Conduct
  • Organization Structure
  • Tone at the top
33
Q

IT General Controls include?

A
  • IT Governance
  • Login Access controls
  • Change controls
  • Physical security
  • Business resilience planning
34
Q

Application Controls

A
  • Input controls
  • Processing Controls
  • Output Controls
35
Q

Business Process and its control activities are easier to recall when remembering that there is a (SACREd-MAPP) to every process and its components (previously discussed). What does (SACREd-MAPP) mnemonic stand for?

A
  1. Start (initiation) of transaction/event
  2. Authorize transaction/event
  3. Complete (execute) transaction/event in accordance with policies/procedures
  4. Record transaction/event
  5. Evaluate defence (verify)
    1. Matching Documents
    2. Authoritative Signatures
    3. Pre-numbered documents
    4. Periodic reconciliation
36
Q

The revenue cycle generally consists of 6 business processes, which can be grouped into 3 main categories. What are they?

A
  1. Sales Order
    1. Credit Check
    2. Shipping
    3. Billing
  2. Sales Return
  3. Collection
37
Q

The spending cycle of a business can generally be broken down into the following 6 business processes and grouped into 3 main categories. What are they?

A
  1. Purchase Order
    1. Receiving
    2. Inventory Control
    3. Accounts Payable
  2. Purchase Returns
  3. Cash Disbursements