Evaluating Internal Control

Question 1

In obtaining an understanding of an entity’s internal control relevant to audit planning, an auditor is required to obtain knowledge about the

Design of the controls pertaining to internal control components.

Effectiveness of controls that have been implemented.

Consistency with which controls are currently being applied.

Controls related to each principal transaction class and account balance.

Answer 1

Design of the controls pertaining to internal control components.

The requirement is to identify the knowledge that an auditor must obtain when obtaining an understanding of an entity’s internal control sufficient for audit planning. Answer (a) is correct because an auditor must obtain an understanding that includes knowledge about the design of relevant controls and records and whether the client has placed those controls in operation. Answers (b) and (c) are incorrect because auditors may choose not to obtain information on operating effectiveness of controls and their consistency of application. Answer (d) is incorrect because there is no such explicit requirement relating to controls; see AU-C 315 for the necessary understanding of internal control.

Question 2

When an auditor discovered that certain control activities were ineffective, the auditor most likely would increase the

Level of detection risk.
Extent of tests of details.
Level of inherent risk.
Extent of tests of controls.

Answer 2

Extent of tests of details.

This answer is correct because an increase in the extent of tests of details (a type of substantive test) will decrease detection risk, which is appropriate because of the increase in control risk.

Question 3

After obtaining an understanding of internal control and assessing control risk of an entity, an auditor decided not to perform tests of controls. The auditor most likely decided that

The available audit evidence obtained through tests of controls would not support an increased level of control risk.

A reduction in the assessed level of control risk is justified for certain financial statement assertions.

It would be inefficient to perform tests of controls that would result in a reduction in planned substantive tests.

The assessed level of inherent risk exceeded the assessed level of control risk.

Answer 3

It would be inefficient to perform tests of controls that would result in a reduction in planned substantive tests.

This answer is correct because an auditor may conclude that it is inefficient to obtain additional audit evidence through tests of controls and may use the assessed level of control risk to plan the substantive tests for those assertions.

Question 4

The objective of tests of details of transactions performed as tests of controls is to

Monitor the design and use of entity documents such as prenumbered shipping forms.

Determine whether controls have been implemented.

Detect material misstatements in the account balances of the financial statements.

Evaluate whether controls operated effectively.

Answer 4

Evaluate whether controls operated effectively.

The requirement is to identify the objective of tests of details of transactions performed as tests of controls. Answer (d) is correct because the purpose of tests of controls is to evaluate whether internal control operates effectively. Answer (a) is incorrect because while monitoring the design and use of entity documents may be viewed as a test of controls, it is not the objective. Answer (b) is incorrect because determining whether internal control is implemented is not directly related to tests of controls; see AU-C 315 for the distinction between “implemented” and “operating effectiveness.” Answer (c) is incorrect because substantive tests, not tests of controls, are focused on detection of material mis-statements in the account balances of the financial statements.

Question 5

An independent auditor has concluded that the client’s records, procedures, and representation can be relied upon based on tests made during the year when internal control was found to be effective. The auditor should test the records, procedures, and representations again at year-end if

Inquiries and observations lead the auditor to believe that conditions have changed significantly.

Comparisons of year-end balances with balances at prior dates revealed significant fluctuations.

Unusual transactions occurred subsequent to the completion of the interim audit work.

Client records are in a condition that facilitates effective and efficient testing.

Answer 5

Inquiries and observations lead the auditor to believe that conditions have changed significantly.

This answer is correct because auditors should retest records and transactions if year-end inquiries and observations lead the auditor to believe conditions have changed significantly.

Question 6

For certain controls, such as segregation of duties, documentary evidence may not exist. An auditor would most likely test the procedures by

Reperformance and corroboration.

Observation and inquiry.

Inspection and vouching.

Confirmation and recomputation.

Answer 6

Observation and inquiry.

This answer is correct because auditing procedures suggests that when no audit trail exists an auditor should use the observation and inquiry techniques.

Question 7

Which of the following represents an inherent limitation of internal controls?

Bank reconciliations are not performed on a timely basis.

The CEO can request a check with no purchase order.

Customer credit checks are not performed.

Shipping documents are not matched to sales invoices.

Answer 7

The CEO can request a check with no purchase order.

This answer is correct because internal control is ordinarily subject to management override of controls—here requesting a check without adequate support. Such a situation is very difficult to control due to management’s authority.

Question 8

Tests of controls are performed in order to determine whether

Controls are functioning as designed.

Necessary controls are absent.

Incompatible functions exist.

Material dollar errors exist.

Answer 8

Controls are functioning as designed.

This answer is correct because the purpose of tests of controls is to provide reasonable assurance that the internal control procedures are designed and operating effectively.

Question 9

Which of the following is not a step in an auditor’s decision to conclude that controls operate effectively?

Evaluate the effectiveness of the controls with tests of controls.

Obtain an understanding of the entity’s accounting system and control environment.

Perform tests of details of transactions to detect material misstatements in the financial statements.

Consider whether controls can have a pervasive effect on financial assertions.

Answer 9

Perform tests of details of transactions to detect material misstatements in the financial statements.

This answer is correct because performing tests of details of transactions to detect material misstatements pertains more directly to detection risk rather than inherent or control risk.

Question 10

Which of the following is ordinarily considered a test of a control?

Send confirmation letters to banks.

Count and list cash on hand.

Examine signatures on checks.

Test the clerical accuracy of inventory listings as of the balance sheet date.

Answer 10

Examine signatures on checks.

This answer is correct because tests of controls are directed toward the effectiveness of the design or operation of controls. In this case the control procedure is to determine that only authorized persons sign checks.

cash count is a test of transactions and balances which is a substantive test rather than a test of a control.

testing the clerical accuracy of inventory listings as of the balance sheet date is primarily a substantive test to determine whether inventory listings are accurately compiled.

Question 11

Which of the following most likely would not be considered an inherent limitation of the potential effectiveness of an entity’s internal control?

Incompatible duties.
Management override.
Mistakes in judgment.
Collusion among employees.

Answer 11

Incompatible duties.

The requirement is to identify the reply that most likely would not be considered an inherent limitation of the potential effectiveness of an entity’s internal control. Answer (a) is correct because incompatible duties may generally be divided among individuals in such a manner as to control the problem. Answers (b), (c), and (d) are all incorrect because management override, mistakes of judgment, and collusion among employees are all inherent limitations of internal control.

Question 12

When tests of controls reveal that controls are not operating as anticipated, it is most likely that the assessed level of the risk of material misstatement will

Be less than the planned level.

Equal the planned level.

Be greater than the planned level.

Be less than the actual level.

Answer 12

Be greater than the planned level.

This answer is correct because when controls are not operating as anticipated the risk of material misstatement will be greater than the planned assessed level of control risk.

Question 13

Which of the following would be least likely to be included in an auditor’s tests of controls?

Inspection.
Observation.
Inquiry.
Confirmation.

Answer 13

Confirmation.

This answer is correct because tests of controls provide reasonable assurance that prescribed control procedures are being followed. Confirmation is used primarily to substantiate the existence of an account balance and, therefore, is considered a substantive test.

Question 14

The auditor should perform tests of controls of

Those controls that the auditor plans to use to support a conclusion that controls operate effectively.

Those controls in which significant deficiencies were identified.

Those controls that have a material effect upon the financial statement balances.

A random sample of the controls that were reviewed.

Answer 14

auditor plans to use to support a conclusion that controls operate effectively.

This answer is correct because tests of controls are only performed on controls that the auditor plans to consider is assessing the risk of material misstatement. Performance of tests of controls on these controls may reduce the scope of substantive procedures needed.

Question 15

Which of the following is a basic tool used by the auditor to control the audit work and review the progress of the audit?

Time and expense summary.
Engagement letter.
Progress flowchart.
Audit plan.

Answer 15

Audit plan.

This answer is correct because the audit plan aids in instructing assistants in the work and includes audit procedures to accomplish the objectives of the examination. Thus, it allows the auditor to control the audit work and to review the progress of the audit.

Question 16

Which of the following would be least likely to suggest to an auditor that the client’s management may have overridden internal control?

There are numerous delays in preparing timely internal financial reports.

Management does not correct internal control weaknesses that it knows about.

Differences are always disclosed on a computer exception report.

There have been two new controllers this year.

Answer 16

Differences are always disclosed on a computer exception report.

This answer is correct because differences are expected to be disclosed on a computer exception report; disclosing these differences is the primary purpose of the report. Thus, this would not indicate that there are problems in the client’s internal control.

Question 17

In which of the following circumstances is the performance of tests of controls least likely?

The auditor’s risk assessment includes an expectation of operating effectiveness of controls.

Substantive procedures alone do not provide sufficient audit evidence.

The planned level of the risk of material misstatement is at the maximum level.

Performance of tests of controls appears cost effective.

Answer 17

The planned level of the risk of material misstatement is at the maximum level.

This answer is correct because when the planned level of the risk of material misstatement is at the maximum level, no tests of controls are performed.

Question 18

When considering internal control, an auditor should be aware of the concept of reasonable assurance, which recognizes that

Internal control may be ineffective due to mistakes in judgment and personal carelessness.

Adequate safeguards over access to assets and records should permit an entity to maintain proper accountability.

Establishing and maintaining internal control is an important responsibility of management.

The cost of an entity’s internal control should not exceed the benefits expected to be derived.

Answer 18

The cost of an entity’s internal control should not exceed the benefits expected to be derived.

The requirement is to identify the meaning of the concept of reasonable assurance. Answer (d) is correct because reasonable assurance recognizes that the cost of internal control should not exceed the benefits expected to be derived.

Question 19

Which of the following statements best describes why an auditor would use only substantive procedures to evaluate specific relevant assertion and risks?

The relevant internal control components are not well documented.

The internal auditor already has tested the relevant controls and found them effective.

Testing the operating effectiveness of the relevant controls would not be efficient.

The cost of substantive procedures will exceed the cost of testing the relevant controls.

Answer 19

Testing the operating effectiveness of the relevant controls would not be efficient.

This is correct because auditors attempt to perform the audit in a cost-effective manner, and when the use of tests of controls to address operating effectiveness is not efficient, such procedures will not be performed.

Question 20

An auditor is concerned about a policy of management override as a limitation of internal control.

Which of the following tests would best assess the validity of the auditor’s concern?

Matching purchase orders to accounts payable.

Verifying that approved spending limits are not exceeded.

Tracing sales orders to the revenue account.
Reviewing minutes of board meetings.

Answer 20

Verifying that approved spending limits are not exceeded.

This answer is correct because management override often evidences itself through exceeding approved spending limits—thus, finding that those limits have not been exceeded provides some evidence that at least that form of management override did not occur.

Question 21

Which of the following is required documentation in an audit in accordance with generally accepted auditing standards?

All audit findings.

A flowchart depicting the segregation of duties and authorization of transactions.

An audit plan.

A memorandum setting forth details on every change made during the audit engagement to the overall audit strategy.

Answer 21

An audit plan.

This answer is correct because auditors should develop and document an audit plan that presents the nature, timing, and extent of audit procedures.

Question 22

Which of the following is an inherent limitation in internal control?
Incompatible duties.
Lack of segregation of duties.
Faulty human judgment.
Lack of an audit committee.

Answer 22

Faulty human judgment

This answer is correct because even the best controls may fail if they rely upon human judgment, and that judgment is faulty.

Question 23

Which of the following is a step in an auditor’s decision to assess the risk of material misstatement at a low level by relying on controls?

Apply analytical procedures to both financial data and nonfinancial information to detect conditions that may indicate weak controls.

Perform tests of details of transactions and account balances to identify potential errors and irregularities.

Identify specific controls that are likely to detect or prevent material misstatements.

Document that the additional audit effort to perform tests of controls exceeds the potential reduction in substantive testing.

Answer 23

Identify specific controls that are likely to detect or prevent material misstatements.

This answer is correct because assessing the risk of material misstatement below the maximum based on controls involves (1) identifying specific controls relevant to specific assertions, and (2) performing tests of controls to evaluate their effectiveness.

Question 24

Concerning current audit use of audit evidence about the operating effectiveness of controls obtained in prior year audits, the auditor generally may

Use such evidence, but should test related controls at least every third year.

Not use such evidence in the current audit.

Use such evidence, but only for immaterial accounts.

Only use such evidence for controls that have been implemented for a period of at least five years.

Answer 24

Use such evidence, but should test related controls at least every third year.

This answer is correct because the professional standards allow use of such evidence if the related controls are tested at least every third year.

Question 25

Which of the following strategies would a CPA most likely consider in auditing an entity that processes most of its financial data only in electronic form, such as a paperless system?

Continuous monitoring and analysis of transaction processing with an embedded audit module.

Increased reliance on internal control activities that emphasize the segregation of duties.

Verification of encrypted digital certificates used to monitor the authorization of transactions.

Extensive testing of firewall boundaries that restrict the recording of outside network traffic.

Answer 25

Continuous monitoring and analysis of transaction processing with an embedded audit module.

The requirement is to identify a strategy that a CPA most likely would consider in auditing an entity that processes most of its financial data only in electronic form. Answer (a) is correct because continuous monitoring and analysis of transaction processing with an embedded audit module might provide an effective way of auditing these processes—although some question exists as to how many embedded audit modules CPAs have actually used in practice. Answer (b) is incorrect because there may well be a decrease in reliance on internal control activities that emphasize this segregation of duties since so many controls are in the hardware and software of the application. Answer (c) is incorrect because digital certificates deal with electronic commerce between companies, a topic not directly addressed by this question, and because such certificates provide limited evidence on authorization. Answer (d) is incorrect because while firewalls do control network traffic, this is not the most significant factor in the audit of electronic form financial data.

Question 26

Evidence concerning the proper segregation of duties for receiving and depositing cash receipts ordinarily is obtained by

Completing an internal control questionnaire that describes the control activities.

Observing the employees who are performing the control activities.

Performing substantive tests to verify the details of the bank balance.

Preparing a flow chart of the duties performed and the entity’s available personnel.

Answer 26

Observing the employees who are performing the control activities.

This answer is correct because observation of the employees performing the activities will provide the auditor with such evidence.

Question 27

A client maintains a large data center where access is limited to authorized employees. How may an auditor best determine the effectiveness of this control activity?

Inspect the policy manual establishing this control activity.

Ask the chief technology officer about known problems.

Observe whether the data center is monitored.

Obtain a list of current data center employees.

Answer 27

Observe whether the data center is monitored.

This answer is correct because observing whether the data center is monitored will provide the auditor with such evidence.

Question 28

Which of the following audit techniques ordinarily would provide an auditor with the least assurance about the operating effectiveness of an internal control activity?

Inquiry of client personnel.

Inspection of documents and reports.

Observation of client personnel.

Preparation of system flowcharts.

Answer 28

Preparation of system flowcharts.

This answer is correct because while auditors may use system flowcharts to document internal control and find weaknesses in the design of internal control, such flowcharts do not reveal whether the controls are operating effectively.

Question 29

Which of the following is an inherent limitation of internal controls?

Judgmental sampling.
Collusion.
Segregation of duties.
Employee peer review.

Answer 29

Collusion.

This answer is correct because collusion between employees may neutralize the effects of a segregation of duties.

Question 30

Assessing control risk at a low level most likely would involve

Performing more extensive substantive tests with larger sample sizes than originally planned.

Reducing inherent risk for most of the assertions relevant to significant account balances.

Changing the timing of substantive tests by omitting interim-date testing and performing the tests at year-end.

Identifying specific controls relevant to specific assertions.

Answer 30

Identifying specific controls relevant to specific assertions.

Assessing control risk at a low level involves (1) identifying specific controls relevant to specific assertions that are likely to prevent or detect material misstatements in those assertions, and (2) performing tests of controls to evaluate the effectiveness of such controls. Answer (a) is incorrect because assessing control risk at a low level may lead to less extensive, not more extensive substantive tests. Answer (b) is incorrect because the actual level of inherent risk is not affected by the level of control risk. Also, one would not expect a change in the assessed level of control risk to result in a change in the assessed level of inherent risk. Answer (c) is incorrect because assessing control risk at a low level may lead to interim-date substantive testing rather than year-end testing.

Question 31

Those procedures specifically outlined in an audit program are primarily designed to:

Prevent litigations.
Detect all misstatements due to errors or fraud.
Test internal structures.
Gather evidence.

Answer 31

Gather evidence.

This answer is correct because audit procedures are primarily designed to gather audit evidence which forms the basis for the auditor’s opinion. Completion of the audit program and any additional audit procedures should provide sufficient competent audit evidence for an opinion on the financial statements as required by the third standard of fieldwork.

Question 32

In designing written audit plans, an auditor should establish specific audit objectives that relate primarily to the

Timing of audit procedures.

Cost-benefit of gathering audit evidence.

Selected audit techniques.

Financial statement assertions.

Answer 32

Financial statement assertions.

This answer is correct because in obtaining audit evidence to support financial statement assertions, the auditor develops specific audit objectives in light of those assertions.

Question 33

Which of the following procedures is considered a test of controls?

An auditor reviews the entity’s check register for unrecorded liabilities.

An auditor evaluates whether a general journal entry was recorded at the proper amount.

An auditor interviews and observes appropriate personnel to determine segregation of duties.

An auditor reviews the audit workpapers to ensure proper sign-off.

Answer 33

An auditor interviews and observes appropriate personnel to determine segregation of duties.

This answer is correct because the professional standards indicate that tests of controls involve inquiry (interviews), inspection, observation, and reperformance.

Question 34

Of the following statements about internal control, which one is not valid?

No one person should be responsible for the custodial responsibility and the recording responsibility for an asset.

Transactions must be properly authorized before such transactions are processed.

Because of the cost/benefit relationship, a client may apply controls on a test basis.

Controls reasonably ensure that collusion among employees cannot occur.

Answer 34

Controls reasonably ensure that collusion among employees cannot occur.

This answer is correct because controls whose effectiveness depends on segregation of duties cannot be relied upon to ensure that collusion among employees will not occur. Segregation of employees may be circumvented by collusion.

Question 35

The auditor is examining copies of sales invoices only for the initials of the person responsible for checking the extensions. This is an example of a:

Test of a control.
Substantive test.
Dual-purpose test.
Test of balances.

Answer 35

Test of a control.

This answer is correct because tests of controls are used to test the effectiveness of the design or operation of a control. The auditor’s examination of sales invoices for specific initials would be an example of a procedure which provides assurance concerning the effectiveness of the operation of a control.

Question 36

When considering internal control to determine whether the necessary procedures are designed and operating effectively, an auditor should

Develop questionnaires and checklists.

Perform tests of controls.

Perform analytical procedures.

Perform substantive tests.

Answer 36

Perform tests of controls.

This answer is correct because a preliminary review is first made and then tests of controls are used to provide reasonable assurance that the accounting control procedures on which the auditor intends to rely are being followed as prescribed.

Question 37

Which of the following factors would most likely be considered an inherent limitation to an entity’s internal control?

The complexity of the information processing system.

Human judgment in the decision-making process.

The ineffectiveness of the board of directors.

The lack of management incentives to improve the control environment.

Answer 37

Human judgment in the decision-making process.

This answer is correct because faulty human judgment (1) may result in a variety of improperly recorded transactions and (2) is inherent in that it cannot be completely controlled

Question 38

When an auditor plans to rely on controls that have changed since they were last tested, which of the following courses of action would be most appropriate?

Test the operating effectiveness of such controls in the current audit.

Document that reliance and proceed with the original audit strategy.

Inquire of management as to the effectiveness of the controls.

Report the reliance in the report on internal control.

Answer 38

Test the operating effectiveness of such controls in the current audit.

This answer is correct because the professional standards require that when the auditor plans to rely on controls that have changed since they were last tested, the auditor should test the operating effectiveness of such controls in the current audit.

Question 39

An auditor generally tests the segregation of duties related to inventory by

Personal inquiry and observation.

Test counts and cutoff procedures.

Analytical procedures and invoice recomputation.

Document inspection and reconciliation.

Answer 39

Personal inquiry and observation.

The requirement is to identify the appropriate procedures for testing the segregation of duties related to inventory. Answer (a) is correct because AU-C 315 suggests that when no audit trail exists (as is often the case for the segregation of duties) an auditor should use the observation and inquiry techniques.

Question 40

Audit plans should be designed so that:

Most of the required procedures can be performed as interim work.

Inherent risk is assessed at a sufficiently low level.

The auditor can make constructive suggestions to management.

The audit evidence gathered supports the auditor’s conclusions.

Answer 40

The audit evidence gathered supports the auditor’s conclusions.

This answer is correct because an audit plan should be designed so that the audit evidence gathered supports the auditor’s conclusions.

Question 41

The ultimate purpose of assessing control risk is to contribute to the auditor’s evaluation of the

Factors that raise doubts about the auditability of the financial statements.

Operating effectiveness of internal control policies and procedures.

Risk that material misstatements exist in the financial statements.

Possibility that the nature and extent of substantive tests may be reduced.

Answer 41

Risk that material misstatements exist in the financial statements.

Correct! The ultimate purpose of assessing control risk is to contribute to the auditor’s evaluation of the risk that material misstatements exist in the financial statements. Assessing control risk and inherent risk helps the auditor identify where misstatements might exist; the auditor then performs auditing procedures to detect those misstatements.

Question 42

Control risk should be assessed in terms of:

Specific control procedures.
Types of potential irregularities.
Financial statement assertions.
Control environment factors.

Answer 42

Financial statement assertions.

Correct! The auditor assesses control risk for the assertions present in the financial statements. Such assertions may be found in the account balance, transaction class, or disclosure components. Based on the understanding of internal control and the control risk assessments, the auditor determines the nature, timing, and extent of the auditing procedures to be performed.

Question 43

An auditor is evaluating a client’s internal controls. Which of the following situations would be the most difficult internal control issue for an auditor to detect?

The accounting staff neglects the control, due to increased transactions to be processed.

The technology department writes a program that does not properly implement the control, due to a lack of understanding.

Two employees, who work in different departments, are circumventing an internal control.

Someone erroneously disables edit checks in a software program designed to identify control exceptions.

Answer 43

Two employees, who work in different departments, are circumventing an internal control.

Correct! An intentional circumvention of controls associated with collusion involving employees in different departments would be particularly difficult to detect.

Question 44

After obtaining an understanding of the internal control structure and assessing control risk of an entity, an auditor decided not to perform tests of controls.
The auditor most likely decided that

The available evidential matter obtained through tests of controls would not support an increased level of control risk.

A reduction in the assessed level of control risk is justified for certain financial statement assertions.

It would be inefficient to perform tests of controls that would not result in a reduction in planned substantive tests.

The assessed level of inherent risk exceeded the assessed level of control risk.

Answer 44

It would be inefficient to perform tests of controls that would not result in a reduction in planned substantive tests.

Correct! There is always a cost-benefit trade-off in testing controls. The auditor tests controls in order to rely on them and to reduce substantive testing. If testing controls won’t reduce substantive testing sufficiently (i.e., enough to offset the cost of testing controls), the auditor will opt not to test controls. In other words, it would be inefficient to perform the tests of controls.

Question 45

Which of the following is a step in an auditor’s decision to assess control risk at below the maximum?

Apply analytical procedures to both financial data and nonfinancial information to detect conditions that may indicate weak controls.

Perform tests of details of transactions and account balances to identify potential errors and irregularities.

Identify specific internal control policies and procedures that are likely to detect or prevent material misstatements.

Document that the additional audit effort to perform tests of controls exceeds the potential reduction in substantive testing.

Answer 45

Identify specific internal control policies and procedures that are likely to detect or prevent material misstatements.

Correct! An auditor’s assessment of control risk at below the maximum requires identification of specific internal controls that are likely to detect or prevent material misstatements and the testing of those controls.

Question 46

An auditor assesses control risk because it:

Is relevant to the auditor’s understanding of the control environment.

Provides assurance that the auditor’s materiality levels are appropriate.

Indicates to the auditor where inherent risk may be the greatest.

Affects the level of detection risk that the auditor may accept.

Answer 46

Affects the level of detection risk that the auditor may accept.

Correct! An auditor uses the assessed levels of control and inherent risk to establish the level of detection risk that the auditor may accept.

Question 47

After obtaining an understanding of the internal control structure and assessing control risk, an auditor decided not to perform additional tests of controls. The auditor most likely concluded that the:

Additional evidence to support a further reduction in control risk was not cost beneficial to obtain.

Assessed level of inherent risk exceeded the assessed level of control risk.

Internal control structure was properly designed and justifiably may be relied on.

Evidence obtainable through tests of controls would not support an increased level of control risk.

Answer 47

Additional evidence to support a further reduction in control risk was not cost beneficial to obtain.

Correct! The performance of additional tests of controls would be performed only if such performance were considered cost beneficial. The cost of obtaining the additional evidence must be less than the benefits to be derived from the related reduction in substantive testing.

Question 48

Which of the following statements about internal control structure is correct?

A properly maintained internal control structure reasonably ensures that collusion among employees cannot occur.

The establishment and maintenance of the internal control structure are important responsibilities of the internal auditor.

An exceptionally strong internal control structure is enough for the auditor to eliminate substantive tests on a significant account balance.

The cost-benefit relationship is a primary criterion that should be considered in designing an internal control structure.

Answer 48

The cost-benefit relationship is a primary criterion that should be considered in designing an internal control structure.

Correct! A primary criterion of any system of internal control is the cost-benefit relationship. The cost of an entity’s internal control should not exceed the benefits to be derived.

Question 49

Which of the following auditor concerns could most likely be so serious that the auditor concludes that a financial statement audit cannot be conducted?

The entity has no formal written code of conduct.

The integrity of the entity’s management is suspect.

Procedures requiring segregation of duties are subject to management override.

Management fails to modify prescribed controls for changes in conditions

Answer 49

The integrity of the entity’s management is suspect.

Correct! The auditor would decide that an audit could not be conducted if management integrity were questioned. Management integrity is such a critical component of an effective internal control environment that the suspected lack thereof would be cause for the auditor to withdraw from the engagement.

Question 50

After assessing control risk at below the maximum level, an auditor desires to seek a further reduction in the assessed level of control risk. At this time, the auditor would consider whether

It would be efficient to obtain an understanding of the entity’s accounting system.

The entity’s internal control structure polices and procedures have been placed in operation.

The entity’s internal control structure polices and procedures pertain to any financial statement assertions.

Additional evidential matter sufficient to support a further reduction is likely to be available.

Answer 50

Additional evidential matter sufficient to support a further reduction is likely to be available.

Correct! If the auditor desires to further reduce the assessed level of control risk, he/she must first consider whether additional evidence will be available to support such a reduction. The auditor must also consider whether it would be efficient (cost-effective) to collect such evidence.

Question 51

An auditor observed that a client mails monthly statements to customers. Subsequently, the auditor reviewed evidence of follow-up on the errors reported by the customers.

This test of controls most likely was performed to support management’s financial statement assertion(s) of

Presentation and disclosure
Rights and obligations
Yes     Yes
Yes     No
No      Yes
No       No

Answer 51

No Yes

Correct! Follow-up on errors reported by customers provides evidence that the customers exist and that the receivables are valid (i.e., that the client has the rights to the assets). The auditor’s test of controls thus provides evidence to support the assertion of rights and obligations. It does not address presentation and disclosure.

Question 52

Which of the following statements is correct concerning an auditor’s assessment of control risk?

Assessing control risk may be performed concurrently during an audit with obtaining an understanding of the entity’s internal control structure.

Evidence about the operation of control procedures in prior audits may not be considered during the current year’s assessment of control risk.

The basis for an auditor’s conclusions about the assessed level of control risk need not be documented unless control risk is assessed at the maximum level.

The lower the assessed level of control risk, the less assurance the evidence must provide that the control procedures are operating effectively.

Answer 52

Assessing control risk may be performed concurrently during an audit with obtaining an understanding of the entity’s internal control structure.

Correct! Understanding internal control and assessing control risk are steps that may be performed concurrently in an audit. The evidence collected to achieve one objective may also be used for the other objective. For example, inquiries and information gathered about management’s use of budgets in order to understand the control environment may also be used as a test of control over the effectiveness and operation of the budgeting control.

Question 53

When assessing control risk at below the maximum level, an auditor is required to document the auditor’s understanding of the

I. Entity’s control activities that help ensure management directives are carried out.

II. Entity’s control environment factors that help the auditor plan the engagement.

I only.
II only.
Both I and II.
Neither I nor II.

Answer 53

Both I and II.

Correct! The auditor is always required to obtain a sufficient understanding of the internal control system in order to plan the audit. This understanding must be documented, regardless of the level at which control risk is to be assessed. Control activities and control environment factors are both components of the internal control system. As a result, they would both be documented.

Question 54

After obtaining an understanding of the internal control structure and assessing control risk, an auditor decided to perform tests of controls. The auditor most likely decided that

It would be efficient to perform tests of controls that would result in a reduction in planned substantive tests.

Additional evidence to support a further reduction in control risk is not available.

An increase in the assessed level of control risk is justified for certain financial statement assertions.

There were many internal control structure weaknesses that could allow errors to enter the accounting system.

Answer 54

It would be efficient to perform tests of controls that would result in a reduction in planned substantive tests.

Correct! After obtaining an understanding of internal control and assessing control risk, an auditor will perform tests of controls, if it is believed that such performance will result in a reduction in planned substantive tests. If the performance of tests of controls would not result in a reduction in substantive testing, completing tests of controls would be inefficient and therefore should not be performed.

Question 55

Which of the following statements concerning control risk is correct?

Assessing control risk and obtaining an understanding of an entity’s internal control structure may be performed concurrently.

When control risk is at the maximum level, an auditor is not required to document the basis for that assessment.

Control risk may be assessed sufficiently low to eliminate substantive testing for significant transaction classes.

When assessing control risk, an auditor should not consider evidence obtained in prior audits about the operation of control procedures.

Answer 55

Assessing control risk and obtaining an understanding of an entity’s internal control structure may be performed concurrently.

Correct! Gaining an understanding of internal control and assessing control risk may be performed concurrently. Procedures performed to obtain an understanding of internal control may also be used to gather the evidence needed to assess control risk.

Question 56

An auditor uses the assessed level of control risk to

Evaluate the effectiveness of the entity’s internal control policies and procedures.

Identify transactions and account balances where inherent risk is at the maximum.

Indicate whether materiality thresholds for planning and evaluation purposes are sufficiently high.

Determine the acceptable level of detection risk for financial statement assertions.

Answer 56

Determine the acceptable level of detection risk for financial statement assertions.

Correct! The auditor assesses control risk (the risk that the internal control structure will not prevent or detect a material misstatement) and inherent risk (the risk of a material misstatement occurring) in order to determine the acceptable level of detection risk.

Question 57

In assessing control risk, an auditor ordinarily selects from a variety of techniques, including:

Inquiry and analytical procedures.

Reperformance and observation.

Comparison and confirmation.

Inspection and verification.

Answer 57

Reperformance and observation.

Correct! Tests of controls directed toward effectiveness or operation of a control would ordinarily include inquiries, inspections of documents, observation, and reperformance of the application of a control. Thus, both reperformance and observation are used by an auditor to assess control risk.