Audit Internal Control

Question 1

COSO Internal Control Framework’

Answer 1

Control Environment
Risk Assessment
Control Activities
Information and Communication
Monitoring

Question 2

What types of documentation are allowed for internal controls?

Answer 2

• Flowchart
• Narrative
• Questionnaire

Question 3

4 Steps in Carrying Out Tests of Control

Answer 3

1. Anticipate what material misstatements might arise
2. Learn the design of the system (memo, flowchart, questionnaire)
3. Look for specific control procedures that would prevent/detect
4. Make certain that those specific control procedures are operating effectively as designed

Question 4

How can the auditor test significant controls?

Answer 4

• Inquiry - talk to employees
• Re-performance - see if same results are achieved
• Observation - observe employee performing duties
• Inspection - look for physical proof (initials, etc.)

Question 5

What happens if a control passes the auditor’s test?

Answer 5

The auditor may be able to do less substantive testing than originally planned.

Lower control risk =

Able to increase detection risk

Auditor may be able to substitute analytical procedures for certain tests of details and balances.

Question 6

How do you test for segregation of duties?

Answer 6

Observation and inquiry.

Question 7

If an auditor wishes to perform a test of controls over a procedure that leaves NO audit trail, then the auditor must ______ and ______ to test the control.

Answer 7

Observation and inquiry.

can’t re-perform, can’t inspect

Question 8

When an entity transmits, processes, maintains or accesses a significant amount of information electronically, factors may make it impractical/impossible to reduce detection risk to an acceptable level through substantive testing alone. What should be done in this case?

Answer 8

Tests of control should be performed to address the insufficient paper-based audit eviddence.

Question 9

What audit technique is most likely to provide an auditor with the MOST assurance about the effectiveness of the operation of an internal control?

Answer 9

Observation of client personnel (better than just inquiring)

Question 10

When are manual controls more suitable?

Answer 10

When judgement and discretion are required such as:

• Large/Unusual or non-recurring transactions
• Changes in circumstances that require changes in controls.

Question 11

What are the cons of manual controls?

Answer 11

• can be ignored
• can be overridden
• subject to human error
• less consistent than automated controls

Question 12

When are automated controls suitable?

Answer 12

High volume or recurring transactions

Question 13

What are General Controls?

Answer 13

General Controls are policies and procedures that relate to the proper operation of the entire information system.

• Passwords
• Backup/Recovery
• Administrative rights to the network

Need to segregate duties between system analyst/software development and system maintenance and computer operations.

Question 14

What are Application Controls?

Answer 14

Relate to the processing of individual transactions

Help to ensure that transactions are authorized, accurately processed, reported

Include interfaces, e-commerce, manual follow-ups of exception reports.

Question 15

What are some IT risks?

Answer 15

• Unauthorized changes to data/systems/programs
• Failure to make required changes to data
• Inappropriate manual intervention
• Potential loss of data

Question 16

What is meant by “inherent limitations” in internal control?

Answer 16

Limitations that are built-in an cannot be entirely prevented.

Question 17

Can we use an internal auditor to assist in audit procedures?

Answer 17

Yes, so long as they are objective, competent, and the procedure does not require professional judgement

Question 18

Do we mention the use of a specialist in the audit report?

Answer 18

If the findings of the specialist do not lead to any change in the audit report, there is NO NEED to mention the use of the specialist in the audit report. It is IMPLIED that the auditor will use a specialist if needed.

If findings of the specialist DID RESULT in the working of the audit report, the auditor can mention the work of the specialist.

Question 19

Does the auditor need to perform substantive procedures to verify the specialist’s assumptions?

Answer 19

NO, they only need to obtain an understanding of the methods and assumptions used by the specialist

Question 20

Is it allowable to use a specialist who has a contractual relationship with the client?

Answer 20

May be acceptable under certain circumstances. Auditor need to assess the specialist’s objectivity.

Question 21

If the auditor uses the internal auditors for help with audit procedures, do they share responsibility for the audit opinion with the internal auditors?

Answer 21

NO, the audit opinion is strictly the responsibility of the external auditors.

Question 22

The auditor should prepare a written audit plan that specifies the nature, timing, and extent of further audit procedures to be performed. Further audit procedures may involve which of the following?

I. Test of Controls

II. Substantive procedures

Answer 22

BOTH

Question 23

TRUE OR FALSE:

Obtaining an understanding of an entity’s internal controls over financial reporting involves evaluating the design of relevant controls and determining whether they have been placed into operation.

Answer 23

TRUE

Question 24

What are advantages of internal control questionnaires OVERflowcharts?

Answer 24

• May be prepared in advance for clients in various industry categories
• Deficiencies are more easily identified

Question 25

According to Sarbanes, it is unlawful for a member of an audit engagement team to accept employment as CEO, CFO, CAO, or controller of an audit client that files reports with the SEC during the ___ period preceding the date of the start of the audit.

Answer 25

1 year

Question 26

The ultimate purpose of assessing control risk in an audit of f/s for a non-issuer is to:

Answer 26

Contribute to the auditor’s evaluation of the risk that material misstatements exist in financial statement assertions.

Question 27

In an audit of f/s, what is the auditor’s PRIMARY consideration regarding an internal control?

Answer 27

Whether the controls affect management’s financial statement assertions.

Question 28

A procedure designed wherein a “no” answer is usually designed to indicate a control weakness.

Answer 28

Questionairre

Question 29

What represents the highest level of aggregation about which meaningful generalizations of control risk can be made?

Answer 29

A Transaction cycle

In the revenue cycle for example, each transaction is captured, processed, and recorded subject to the same set of internal control policies and procedures.

Question 30

The auditor may select a few transactions to trace them through the client’s accounting system. This is known as a ______ and the purpose is to determine whether the auditor understands the client’s system.

Answer 30

The auditor may select a few transactions to trace them through the client’s accounting system. This is known as a WALKTHROUGH and the purpose is to determine whether the auditor understands the client’s system.

Question 31

Should an auditor consider evidence obtained in prior audits about the operation of control procedures?

Answer 31

YES