Chapter 9

Question 1

CAS 315 requires all five components of _____ internal control to be addressed and understood

Answer 1

COSO framework

Question 2

what are the five components of COSO?

Answer 2

1. control environment
2. risk assessment
3. control activities
4. information and communication
5. monitoring

Question 3

auditor uses his understanding of COSO to

Answer 3

identify potential errors or fraud and other irregularities that can increase risk material misstatement

Question 4

the risk of material misstatement must be monitored at both

Answer 4

overall financial statement level and assertion level

Question 5

once potential errors or fraud risks are identified

Answer 5

use to design the audit procedure to respond to the risks

Question 6

items to understand information system and communication (7)

Answer 6

1. financial reporting process (accounting estimates and disclosures)
2. nature and details of procedures
3. controls surrounding journal entries
4. major classes of transactions of entity
5. how transactions initiate and recorded
6. accounting records exist and nature
7. how information system get other events significant to fin. statements

Question 7

methods to document understanding of control activities (3)

Answer 7

1. narrative
2. flowchart
3. internal control questionnaire

Question 8

def: narrative

Answer 8

written description of internal controls

Question 9

what elements are included in narrative (4)

Answer 9

1. origin
2. processing
3. disposition of documents and records
4. relevant control activities

Question 10

def: flowchart

Answer 10

diagrammatic representation of client’s documents and records and sequence in which processed

Question 11

def: internal control questionnaire

Answer 11

series of questions about controls in each audit area

Question 12

if questions in questionnaire are answered no?

Answer 12

failure of internal control so completeness objective not completed

Question 13

how to evaluate if controls have been implemented

Answer 13

1. consider if the control when in operation would achieve this objective
2. is the control implemented
3. is it carried out by appropriately qualified persons

Question 14

methods to evaluate implementation of controls (6)

Answer 14

1. previous experience with entity
2. make inquiries of client personnel
3. examine doc and records
4. observe activities and operations
5. walk through of accounting system or transaction
6. assess control risk

Question 15

before making preliminary assessment of control risk for each class of transactions

Answer 15

must see if entity is auditable

Question 16

3 criteria for auditable entity

Answer 16

1. management lacks integrity
2. accounting records are deficient (lack evidence)
3. complex IT environments (must have skills)

Question 17

how to assess control risk at assertion level

Answer 17

control risk matrix

Question 18

Def: control risk matrix

Answer 18

method used to help auditor assess control risk by matching key internal controls and internal control weaknesses with transaction related audit objectives

Question 19

purpose of control risk matrix

Answer 19

provide a convenient way of organizing control risk for each assertion and related audit objective

Question 20

process of assessing control risk with matrix

Answer 20

1. identify audit objectives (assertions)
2. identify specific relevant controls
3. associate controls with objective (assertion)
4. identify and evaluate control deficiencies, significant deficiencies and material weaknesses

Question 21

a C in control matrix means

Answer 21

affects the objective listed at the top

Question 22

a D in control matrix means

Answer 22

deficiency

Question 23

a lot of Ds means

Answer 23

increase in control risk depending on importance of deficiency

Question 24

three levels of absence of internal controls (CAS 265)

Answer 24

1. control deficiency
2. significant deficiency
3. material weakness

Question 25

def: control deficiency

Answer 25

design or operation of controls does not detect and correct misstatements in timely manner

Question 26

def: significant deficiency

Answer 26

one or more control deficiencies exist that are less severe than material weakness

Question 27

def: material weakness

Answer 27

significant deficiency results in reasonable possibility that internal control will not prevent or detect material financial misstatements on timely basis

Question 28

five step approach to identify significant and/or material internal control weaknesses

Answer 28

1. identify existing controls
2. identify absence of key controls
3. possibility of compensating or mitigating controls
4. significant deficiency or material weakness
5. potential material misstatements that could result

Question 29

def: test of controls

Answer 29

procedures to test effectiveness of controls in support of reduced assessed control risk

Question 30

five types of audit procedures to support operation of key internal controls

Answer 30

1. inquiries of appropriate entity personnel
2. inspect documents, records and reports
3. observe control-related activities
4. test data
5. re-perform client procedures

Question 31

def: procedures to obtain an understanding of internal controls

Answer 31

are applied to all controls identified while test of controls when assessed control risk has not been satisfied by procedure

Question 32

CAS 402 requires auditor to consider the need to understand service center’s controls if

Answer 32

they process significant financial data

Question 33

name for auditors who issue reports on the internal control of service orgs

Answer 33

service auditors

Question 34

Type 1 report

Answer 34

management description of a service organization’s system and suitability of the design of controls

Question 35

type 2 report

Answer 35

type 1 + operating effectiveness of controls

Question 36

tests of controls are more ________ than substantive procedures in certain situations

Answer 36

cost efficient

Question 37

in highly automated systems, the auditor has to

Answer 37

rely on internal controls

Question 38

if the auditor relies on internal controls

Answer 38

they must be tested

Question 39

if risk with simple IT system the IT specialist can (5)

Answer 39

1. assist in documenting and assessing IT control environment
2. test general controls
3. document and assess key automated controls
4. develop CAATs to test controls and perform substantive tests
5. evaluate weaknesses and develop recommendations

Question 40

audit in more complex IT environments

Answer 40

through the computer by testing automated internal controls and account balances electronically (since general controls exists)

Question 41

3 approaches to test effectiveness of automated controls when audit through computer

Answer 41

1. test data approach
2. parallel simulation
3. embedded audit module approach

Question 42

def: test data approach

Answer 42

use auditor’s test data to determine whether the client’s computer program correctly processes valid and invalid transactions

Question 43

when using a test data approach, auditors have three main considerations

Answer 43

1. test data should include all relevant conditions that the auditor wants tested
2. application programs used by auditor must be the same as those used by client throughout the year
3. test data must be eliminated from client’s records

Question 44

def: parallel simulation testing

Answer 44

auditor use of audit software to replicate some part of a client’s application system

Question 45

auditors commonly do parallel simulation testing with

Answer 45

GAS (generalized audit software)

Question 46

GAS provide

Answer 46

data retrieval, data manipulation and reporting capabilities oriented to needs of auditor

Question 47

def: embedded audit module approach

Answer 47

audit transactions processed by IT where auditor embeds a module in client’s app software to identify transactions with characteristics of interest to the auditor

Question 48

purpose of embedded audit module

Answer 48

analyze these transactions on a real-time, continuous basis as client transactions are processed

Question 49

when the auditor finds significant control deficiencies he must

Answer 49

communicate in writing to the audit committee or equivalent

Question 50

when must a report on internal controls be given to management AND board of directors

Answer 50

if it has significant impacts on financial statements

Question 51

how must it be reported to management and board of directors

Answer 51

internal control letter

Question 52

the description of internal control deficiency and recommendation is usually included

Answer 52

in a year end report or internal control letter to the audit committee

Question 53

def: management letter

Answer 53

auditor’s written communication to management to point out less significant weaknesses in internal controls and possibilities to improve operations

Question 54

difference between internal control audit and financial statements audit

Answer 54

IC: perform tests of control for ALL significant account balances, transactions and disclosures and related assertions while in financial statement audit they might or might not. only the controls that the auditor plans to rely on must be tested

Question 55

in a financial statement audit the auditor is providing

Answer 55

assurance over financial statements and not internal controls