IC- Concepts and Standards

Question 1

List the advantages of narratives (memos) to document the auditor’s understanding of internal controls.

Answer 1

1-Tailored to client;
2-Can be as detailed or as general as desired;
3-Easy to prepare;
4-Easy to read.

Question 2

What is the purpose of performing a walkthrough?

Answer 2

Obtain some feedback as to whether the way the auditor has understood (and documented) the entity’s internal controls is consistent with the way the entity is actually processing such transactions.

Question 3

List the disadvantages of narratives (memos) to document the auditor’s understanding of internal controls.

Answer 3

• Writing such a memo is rather unstructured, lacking a systematic approach;
• It may be rather easy to overlook relevant internal control issues.

Question 4

Identify 3 ways auditors might document their understanding of internal controls?

Answer 4

• Flowcharts of transaction cycles;
• Internal control questionnaires;
• Narrative write-ups (memos).

Question 5

Identify 2 reasons for assessing control risk at the maximum level.

Answer 5

1-The auditor believes that the design of internal control is ineffective; or
2-The auditor believes that reliance on internal control (and performing applicable tests of control) is not an efficient audit strategy compared to a wholly substantive audit approach.

Question 6

When should the auditor assess the design effectiveness of internal control?

Answer 6

In planning every audit under GAAS, as a basis for determining the nature, timing, and extent of further audit procedures.

Question 7

When should the auditor assess the operating effectiveness of internal control?

Answer 7

Whenever the auditor contemplates a reliance strategy (which means the same thing as “assessing control risk at less than the maximum level”) and only after performing the appropriate tests of control.

Question 8

What are some inherent limitations of internal controls?

Answer 8

• Faulty human judgement
• human error
• collusion by two or more people
• inappropriate management override of controls

Question 9

Definition of substantive procedures and what they comprise?

Answer 9

An audit procedure designed to detect MM at the assertion level. They comprise:
Tests of details (transactions, account balances,etc)
Substantive analytical procedures (analytical procedures required at the start and review, while substantive procedures during the audit use professional judgement)

Question 10

List some examples of appropriate responses by the auditor to risks of material misstatement at the financial statement level.

Answer 10

Assign more experienced staff to the engagement;
Provide closer supervision;
Use specialists;
Use more unpredictable audit procedures.

Question 11

What are the 3 different types of audit procedures?

Answer 11

Risk assessment procedures
Tests of control
Substantive procedures

Question 12

Define “significant deficiency.”

Answer 12

A deficiency (or combination of deficiencies) in internal control that is less severe than a material weakness, yet important enough to merit attention by those charged with governance.

Question 13

What is meant by the term deficiency in design?

Answer 13

When a control necessary to meet the control objective is missing, or when the control objective is not always met, even if the control operates as designed.

Question 14

Define material weakness.

Answer 14

A deficiency (or combination of deficiencies) in internal control such that there is a reasonable possibility that a material misstatement of the entity’s financial statements will not be prevented or detected and corrected on a timely basis.

Question 15

Describe the timing of the required communication of significant deficiencies in internal control.

Answer 15

Under AICPA professional standards, written communication is required no later than 60 days after the audit report release date (including matters communicated orally during the audit).

Question 16

What is meant by the term deficiency in operation?

Answer 16

When a properly designed control does not operate as designed, or when the person performing the control does not have the authority or competence to effectively perform the control.

Question 17

When using the work of the internal audit function to obtain audit evidence, what three matters should the external auditor evaluate?

Answer 17

1-Objectivity—the internal audit function’s organizational status and the objectivity of the internal auditors;
2-Competence of the internal auditors; and
3-Whether the internal audit function applies a “systematic and disciplined approach, including quality control.”

Question 18

Objective of AU-C 315, Understanding the Entity and Its Environment

Answer 18

To identify/assess the RMM, whether due to fraud or error, at the FS/assertion level through understanding entity and environment, including the entity’s IC, thereby providing a basis for designing/implementing responses to the assessed RMM

Question 19

What are the 3 primary objectives of system of IC at the entity level?

Answer 19

[ACE] in the hole:
Accurate and reliable financial reporting
Compliance w/ applicable laws/regulations
Efficient and effective operations

Question 20

Events and Transactions (5 assertions):

Answer 20

[CPA-CO] I/S
Completeness
Period cutoff
Accuracy
Classification
Occurrence

Question 21

Account Balances (4 assertions):

Answer 21

[RACE] B/S
Rights and Obligations
Allocation and Valuation
Completeness
Existence

Question 22

Presentation (5 assertions):

Answer 22

[RACOU-n] Notes
Rights and Obligations
Accuracy and Valuation
Completeness
Occurrence
Understandably and Classification

Question 23

As far as IC, Mngmt is responsible for the …

Answer 23

[DIM]
Development, Implementation, and Maintenance of IC, while the auditor seeks reasonable assurance that IC are achieving objectives (ACE)

Question 24

5 components of IC

Answer 24

[CRIME]
control Environment- “tone at the top” [CHOPPER]
Risk assessment- internal and external
Control activities- policies/procedures carried out [PIPS, ARCC-S]
Information and communication
Monitoring controls/if they are effective

Question 25

Control Environment

Answer 25

[CHOPPER] Foundation for all other components
Commitment to competence
HR policies/practices 
Organizational structure
Participation of TCWG
Philosophy of mngmt/operating style
Ethical values/integrity
Responsibility assignment

Question 26

Control Activities

Answer 26

[PIPS]
Performance reviews- controls evaluate performance against a criteria
Information processing- controls that prevent processing of info unless criteria are met
Physical controls- limit access to assets
Segregation of duties [ARCC-S Authorization, Recording, Custody, Comparisons, Segregate all of these

Question 27

Risk Assessment

Answer 27

The entity’s, not the auditors done during planning. Obtain understanding about whether entity has process for identifying, est the sig., assessing likelihood of occurrence, and actions taken.

• If has process, then understand what failed (MW or SD?)
• If no process, does the absence represent a SD or MW?

Question 28

Steps to understanding of entity’s IC structure:

Answer 28

1. Obtain understanding of all 5 components [CRIME] through risk assessment procedures (form? [AIIO] is risk assessment procedures: AP, Inquiries, Inspection, Observation)
2. Document the understanding of IC [FIND]: Flowchart, ICQ, Narrative, Decision tree
3. Assessing RMM (No rely=high RMM=more sub testing; Yes rely=low RMM=combined approach)
4. Tests of controls (public issuers must perform)- test operating effectiveness through [RIIO]: Reperformance, Inspection, Inquiry, Observation (most effective)
5. Reassess RMM to determine DR- based on results of #4, modify sub procedures; Rely high, CR low, DR high, Sub low.
6. Document basis for conclusions- must document assessment of RMM, basis for assessment, sig risks identified, risks that req ToC to obtain suff evidence.

Question 29

DR in equation form

Answer 29

RMM x DR=AR

or.. AR/RMM = DR

Question 30

What are the internal control inherent limitations

Answer 30

[COCO]
Collusion
Override by management
Competence/human error
Obsolescence 
* Reasonable assurance and cost/benefit factor

Question 31

List managements assertions

Answer 31

[U-PERCV]
Understandability and classification
Presentation and disclosure
Existence or occurrence
Rights and obligations
Completeness and cutoff
Valuation, allocation and accuracy

Question 32

The acceptable level of detection risk is inversely related to the…

Answer 32

Assurance provided by substantive tests.

* DR is the risk of overlooking a mistake, as sub testing increases DR decreases a

Question 33

What opinion is expressed when there is a material weakness on effectiveness of IC report for an integrated audit of a nonissuer?

Answer 33

Adverse

Question 34

Diff between information processing controls and segregation of duties?

Answer 34

Info processing is designed to prevent certain information from being processed, in the form of fulfilling a sales order, without adhering to a specific control, obtaining credit approval.
Segregation of duties involves making certain that the same parties are not responsible for two or more of functions involving ARCC-s

Question 35

What type of work does internal auditor perform?

Answer 35

AU-C 610
Procedures to obtain understanding of the entity
Procedures when assigning risk
Substantive procedures

Question 36

What are the risk assessment procedures?

Answer 36

[AIIO]
AP
Inquiries
Inspection
Observation of applicable controls

Question 37

How to document the understanding of IC?

Answer 37

[FIND]
Flowcharts
IC questionnaire
Narrative or memo
Decision tree

Question 38

How to test of controls?

Answer 38

Test cycles for ARCC-s by doing RIIO (reperformance, inspection, inquiry, observation)
PCAOB has to do this
Test operating effectiveness of design (substance, not form)

Question 39

For an issuer (public) company audit of internal control, walkthroughs provide the auditor with primary evidence to

Answer 39

Evaluate the effectiveness of the design of controls and confirm whether controls have been implemented.