Chapter 6

Question 1

Proper segregation of duties reduces the opportunities to allow persons to be in positions to both:

Answer 1

Perpetrate and conceal errors and fraud

Question 2

Which of the following is not a component of an entity’s internal control?

Answer 2

Control risk

Question 3

The overall attitude and awareness of an entity’s board of directors concerning the importance of internal control usually is reflected in its

Answer 3

Control environment

Question 4

In an audit of financial statements, an auditor’s primary consideration regarding an internal control policy or procedure is whether the policy or procedure

Answer 4

Affects management’s financial statement assertions

Question 5

Which of the following situations most likely could lead to an embezzlement scheme?

Answer 5

Access to blank checks and signature plates is restricted to the cash disbursements bookkeeper who personally reconciles the monthly bank statement

Question 6

Which of the following factors is most relevant when an auditor considers the client’s organizational structure in the context of control risk?

Answer 6

The suitability of the client’s lines of reporting

Question 7

Which of the following most likely would not be considered an inherent limitation of the potential effectiveness of an entity’s internal control?

Answer 7

Incompatible duties

Question 8

In obtaining an understanding of an entity’s internal control in a financial statement audit, an auditor is not obligated to

Answer 8

Search for significant deficiencies in the operation of the entity’s internal control

Question 9

When obtaining an understanding of an entity’s internal control, an auditor should concentrate on the
implementation of the procedures because

Answer 9

Management may establish appropriate procedures but not enforce compliance with them.

Question 10

When considering internal control, an auditor should be aware of the concept of reasonable assurance, which recognizes that

Answer 10

The cost of an entity’s internal control should not exceed the benefits expected to be derived.

Question 11

Which of the following procedures most likely would provide an auditor with evidence about whether an entity’s internal control activities are suitably designed to prevent or detect material misstatements?

Answer 11

Observing the entity’s personnel applying the activities

Question 12

An auditor is concerned about a policy of management override as a limitation of internal control. Which of the following tests would best assess the validity of the auditor’s concern?

Answer 12

Verifying that approved spending limits are not exceeded

Question 13

Which of the following best describes what an auditor should do when control risk is assessed at the maximum level for an assertion?

Answer 13

Communicate the control weakness to management, and perform more extensive substantive tests over the asertion.

Question 14

Which of the following types of evidence would an auditor most likely examine to determine whether internal control policies and procedures are operating as designed?

Answer 14

Client records documenting approvals over transactions in the revenue cycle

Question 15

Audit evidence concerning limited access to assets is best obtained by

Answer 15

Observe the control being implemented.

Question 16

Which of the following statements is correct concerning the use of prior audit evidence regarding operating effectiveness of internal controls?

Answer 16

If the auditor uses prior audit evidence for several controls, the auditor should test a sufficient portion of them in each audit so that each is tested every third year.

Question 17

After testing a “non-issuer” client’s internal controls, an auditor discovers what he determines to be a material weakness in the client’s internal controls. Under these circumstances the auditor most likely would

Answer 17

Increase the assessment of control risk as well as the extent of related substantive tests

Question 18

Which is true regarding significant deficiencies and material weaknesses in an audit of financial statements?

Answer 18

Auditors must communicate them to management and those charged with governance.

Question 19

Which of the following factors should an auditor consider in evaluating the severity of a deficiency in internal control to determine if it should be communicated to the proper persons?

Answer 19

I. Magnitude of the potential misstatement
II. Likelihood of the misstatement

Question 20

An auditor’s primary consideration regarding an entity’s internal controls is whether they:

Answer 20

affect the financial statement assertions.

Question 21

Which of the following statements about internal control is correct?

Answer 21

The cost-benefit relationship is a primary criterion that should be considered in designing an internal control system.

Question 22

Internal control is a process designed to provide reasonable assurance regarding the achievement of which objective?

Answer 22

effectiveness and efficiency of operations

reliability of financial reporting

compliance with applicable laws and regulations

Question 23

Monitoring is a major component of the COSO Internal Control—Integrated Framework. Which of the following is not correct in how the company can implement the monitoring component?

Answer 23

The independent auditor can serve as part of the entity’s control environment and continuous monitoring.

Question 24

After obtaining an understanding of an entity’s internal control system, an auditor may set control risk at high for some assertions because the auditor:

Answer 24

believes the internal controls are unlikely to be effective.

Question 25

Regardless of the assessed level of control risk, an auditor would perform some:

Answer 25

substantive procedures to restrict detection risk for significant transaction classes.

Question 26

Assessing control risk below high involves all of the following except:

Answer 26

concluding that controls are ineffective.

Question 27

Which of the following audit techniques would most likely provide an auditor with the least assurance about the effectiveness of the operation of a control?

Answer 27

inquiry of entity personnel

Question 28

The highest-quality and most reliable audit evidence that segregation of duties is properly implemented is obtained by:

Answer 28

observation by the auditor of the employees performing control activities.

Question 29

SOC 1, Type 2 reports issued by the service organization’s auditor typically:

Answer 29

assess whether the service organization’s controls are suitably designed and operating effectively.

Question 30

Significant deficiencies are matters that come to an auditor’s attention that should be communicated to an entity’s audit committee because they represent:

Answer 30

significant deficiencies in the design or operation of the internal control.

Question 31

An auditor anticipates assessing control risk at a low level in an IT environment. Under these circumstances, on which of the following controls would the auditor initially focus?

Answer 31

general controls

Question 32

An auditor’s flowchart of an entity’s accounting system is a diagrammatic representation that depicts the auditor’s:

Answer 32

understanding of the system.

Question 33

Types of Controls

In all accounting systems, a variety of controls must be designed to accomplish the organization’s control objectives.

Internal controls vary significantly between organizations–depending on attributes like organization size, nature of operations, and objectives. In all systems, however, a variety of controls needs to be designed to accomplish the organization’s objectives. Controls are classified as preventive, detective, or corrective.

Answer 33

Preventative control- segregation of duties

Detective control-a req. to prepare bank reconciliations

Corrective control- maintaining backups of data

Question 34

1. Segregation of duties is a control aimed at __________ misstatement.
2. The requirement to __________ journal entries is an example of a preventive control.
3. The goal to find a misstatement that has already been made is a type of __________ control.
4. Preparing bank __________ can help detect misstatements that have been made.
5. __________ controls come into play when a misstatement is found.

Answer 34

preventing- because Segregation of duties is a preventive control created to avoid misstatement.

approve- because Approving journal entries helps prevent misstatement in financial statements.

detective- Detective controls detect misstatements that have already been made.

reconciliations- Bank reconciliations are a type of detective control.

corrective- Corrective controls correct a misstatement that has been found.

Question 35

Control Environment Principles

The control environment, often referred to as “tone at the top”, sets the tone of an organization by influencing the control awareness of the people within the organization.

The control environment can be viewed as the foundation for all the other facets of internal control.

Answer 35

Commitment to Integrity and Ethical Values- a clearly articulated statement of ethical values

Effective Board of Directors- the extent of independence of this group is critical

Effective Organizational Structure- a well designed structure provides a basis for planning, directing,and controlling operations

Attracting, Developing, and Retaining Competent Employees- mgmt is committed to hiring employees with appropriate levels of education, experience, and evidence of integrity and ethical behavior

Individual Accountability- the org must hold individuals accountable for their internal control responsibilities

Question 36

1. __________ should develop a statement of ethical values.
2. If employees lack __________, they may be ineffective in performing their duties.
3. Organizational structure provides a basis for planning, directing, and controlling __________.
4. The audit committee should be composed of directors who are not __________ of the organization.
5. To enhance the control environment, management develops job __________.

Answer 36

senior management- A statement of values by senior management helps establish the control environment.

skills-Employees must have appropriate skills to properly perform their duties.

operations- A strong organizational structure helps to best control operations.

employees- To be independent, the audit committee needs to not be comprised of employees.

descriptions- Job descriptions help define objectives.

Question 37

Service Organization Reports

Service organizations need to have their controls reviewed by auditors. For example, service organizations that provide data processing services to various clients need to have their controls reviewed by auditors so that the client’s auditors can satisfy themselves that control is being adequately maintained relative to the processing of client data by an external source.

Often service organizations have their auditors, called service auditors, study their systems of internal control and issue a service auditor’s report.

Answer 37

Type 1 Report- report that documents a service org’s controls and docs their sustainability

Type 2 Report- report that documents a service org’s controls and docs their sustainability and effectiveness

Service Organization- perform at a processing/computer/IT services, like payroll processing, for various clients

Service Auditors- auditors selected by a service org to assess systems

Question 38

1. A Type __________ report assesses the controls and their suitability.
2. A Type __________ report assesses the controls, their suitability, and effectiveness.
3. __________ auditors are the auditors of a service organization.
4. There are __________ types of reports that auditors of service organizations (service auditors) can provide.
5. Type 2 reports address operating _____________; Type 1 reports do not.

Answer 38

1

2

service

two

effectiveness

Question 39

Risks and Controls in an IT Environment

The nature of the client’s IT system will affect the risks that management must confront in designing controls for the system. In assessing the risks of material misstatement, the auditors should identify these risks and evaluate the effectiveness of the related controls in mitigating those risks.

Auditors assess the risks of material misstatements by using all the audit evidence obtained on the client and its environment, including its internal control. When assessing the risks of material misstatement, the auditors should identify these risks and evaluate the effectiveness of the related controls in mitigating those risks in an IT environment.

Answer 39

Physical and user controls- destruction of infrastructure or data

Controls over access and backup copies-unauthorized changes

Program and user controls- destruction of data

Firewalls and password systems- introduction of unauthorized data or programs

Physical controls over terminals and testing of user programs and applications- unauthorized access to data or programs

Question 40

1. __________ may be used to mitigate the risk of unauthorized access in computer operations.
2. __________ may be used to mitigate the risk of unauthorized changes to computer programs.
3. Backup copies may be used to mitigate the risk of __________.
4. __________ may be used to mitigate the risk of viruses in electronic commerce.
5. __________ may be used to mitigate unauthorized access to programs.

Answer 40

physical controls

controls over access

destruction of data

firewalls

password systems