Chapter 5: Risk Assessment: Internal Control Evaluation Flashcards
COSO internal control categories include _____ and _____ of operations.
effectiveness; efficiency
What are the 3 main objectives of the COSO Framework?
- reliability of financial reporting
- effectiveness and efficiency of operations
- compliance with applicable laws and regulations
What does Section 302 of SOX do?
stipulates criminal penalties for CEOs and CFOs if they issue materially misleading financial statements
Section 302 of SOX requires….
- managers to be responsible for establishing a control environment
- management to assess the risks it wishes to control
- management to be responsible for monitoring and maintaining control activities
The assessment of risk of material misstatement at the assertion level is completed to give the audit team a basis for planning the audit and determining the ____, ____, and ____ of further audit procedures to be conducted for the financial statement audit.
nature, timing, extent
When would the audit team likely use substantive tests of detail designed to obtain evidence (nature), at or near the entity’s fiscal year-end (timing), with large sample sizes (extent)? When the control risk is high or low?
When control risk is assessed as high
When would the audit team likely use substantive analytical procedures to obtain evidence (nature), at an interim date before the entity’s fiscal year-end (timing), with much smaller sample sizes (extent)?
When control risk is assessed as low
The audit team must adjust the substantive procedures accordingly in order to obtain enough evidence to mitigate the risk of material misstatements to a low level for the relevant assertions being tested if the assessment of control risk is ______.
moderate
What are the 5 components of the COSO framework?
- control environment
- risk assessment
- control activities
- monitoring
- information and communication
They work in an integrated manner
The COSO definition states that internal control is designed to provide _____ _____ regarding the achievement of objectives in three categories.
reasonable assurance
Integrity, ethical values and competence of the entity’s people are all ______ ______ factors.
control environment
Each member of the audit committee must be financially ____ and one member must be a financial _____.
literate, expert
All entities recognize the need for a formalized process to identify, assess and manage factors, events and conditions, known as _____ _____, that can prevent the organization from achieving its objectives.
business risk
The foundation for all other components of internal control is the _____ _____.
control environment
The risk assessment element of the COSO framework is ____ responsibility.
management’s
In a well-functioning internal control system, once the risks to management’s objectives have been identified, ____ are established to eliminate, mitigate, or compensate for the risks.
internal control activities
In some sense, all controls can be thought of as ____ controls.
preventative
The possibility of being caught by a detective control might prevent someone from committing an error or fraud.
Duties that should be separated are the _____ to execute transactions, _____ transactions, ____ of assets involved in the transactions and periodic ____ of existing assets to recorded amounts.
- authorization
- recording
- custody
- reconciliation
COSO developed a(n) ____ framework to facilitate the assessment and mitigation of business risks a company faces.
enterprise risk management
The professional standards require the auditor to gain an understanding of the client’s risk assessment process related to ______.
- financial reporting risks
- fraud risk
But all business risks are still important
Specific actions a client’s management and employees take to help ensure management’s directives are carried out are called?
control activities
Professional standards recognize that to make effective decisions, managers must have access to _______, ______, and _____ information.
- timely
- reliable
- relevant
T/F: When gaining an understanding of internal controls, assertions should always be considered whether or not they are relevant
False
T/F: When gaining an understanding of internal controls, assertions should only be considered if they are relevant
True
Obtaining an understanding of the information system relevant to financial reporting includes understanding… (2).
- how the information system captures events and conditions other than transactions significant to the financial statements
- the nature of the underlying accounting records, information and accounting used to execute a transaction
For all relevant assertions for each significant account and disclosure, the audit team begins by examining ____ ____ controls that are pervasive to the internal control system and reliability of the financial statements as a whole.
entity level
An employee knowingly doing something to bypass the internal control system is performing….
deliberate circumvention
The audit team identifies ___ ___ controls that pertain to specific classes of entries, account balances and disclosures.
transaction-level
Professional auditing standards recognize the cost of controls should not exceed the benefits expected from the controls, which is the concept of ____ ____.
reasonable assurance
Whether the controls over financial reporting, if operating as they should, would be expected to prevent or detect errors or fraud that could result in a material misstatement in the financial statements is determined by ____ _____.
design effectiveness
Gaining an understanding of internal controls should start by identifying ____ accounts and disclosures and their __ _____.
significant; relevant assertions
Controls that are pervasive to the internal control system and the reliability of the financial statements as a whole are called ____-level transactions.
entity
Common monitoring controls include which of the following:
- external auditor inquiries of internal auditors and the audit committee
- supervisory review of controls
- periodic evaluation of controls by internal audit
- self-assessments by boards regarding the effectiveness of their oversight
- supervisory review of controls
- periodic evaluation of controls by internal audit
- self-assessments by boards regarding the effectiveness of their oversight
audit committee inquiries of internal and external auditors
Whether a control is working as designed and whether the person performing the control has the authority and qualifications to perform the control is referred to as _____ _____.
operating effectiveness
Using an automated test procedure designed to test all items in a population as a means to identify a violation of control activities is an example of ____ testing.
exception
What is the purpose of exception testing?
to identify a violation of a particular control activity through use of an automated test procedure designed to test all items in a population.
An account’s significance is based on its ____ risk.
inherent
Once items have been selected for testing, what are the four methods of testing controls?
- inquiry
- observation
- document examination
- reperformance
When testing controls, the audit team often uses ____ about the existence of the activity and then corroborates the evidence by observing that the control activities are actually being performed.
inquiry