II. Internal Control - Concepts and Standards - Assessing Control Risk Under AICPA Standards

Question 1

What is the primary guidance applicable to the auditor consideration of Internal Control?

What is Internal Control?

Answer 1

1. Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement.
2. Performing Audit Procedures in Response to Assessed Risks and Evaluating the Audit Evidence Obtained

is effected by those charged with governance, management, and other personnel—that is designed to provide reasonable assurance about the achievement of the entity’s objectives with regard to:

1. reliability of financial reporting, (applies to auditors as well)
2. effectiveness and efficiency of operations, and
3. compliance with applicable laws and regulations.

Note:

Mgmt when developing Internal control they must have all these three objectives in mind.

Question 2

Internal control consists of five interrelated components, what are they and give a brief description of them and its components.

Answer 2

Control environment - policies and procedures that determine the overall control consciousness of the entity, sometimes called “the tone at the top.”

7 Elements:

• Communication and enforcement of integrity and ethical value
• Commitment to competence
• Participation of those charged with governance (including their interaction with internal and external auditors)
• Management’s philosophy and operating style
• The entity’s organizational structure
• The entity’s assignment of authority and responsibility (including internal reporting relationships)
• Human resource policies and practices

Risk assessment - the policies and procedures involving the identification, prioritization, and analysis of relevant risks as a basis for managing those risks.

Information and communication systems— The policies and procedures related to the identification, capture, and exchange of information in a form and time frame that enable people to carry out their responsibilities.​

Control activities - The policies and procedures that help ensure that management directives are carried out, especially those related to:

(SCARE)

• S - Segregation of duties (or “Separation of Duties)
  
  • Diff. Department (Accounting, Access, and Authorization)
• C - Controls (Physical Controls)
• A - Authorization,
• R- Reviews (Performance Review)
• E - EDP/IT (Information processing)

Monitoring - The policies and procedures involving the ongoing assessment of the quality of internal control effectiveness over time.​

Question 3

The AU section focuses on the auditor’s requirements related to:

Answer 3

• Risk assessment procedures - obtain an understanding of the entity and its environment, including its internal control
  
  • Inquiries of Management and Others
  • Observation and Inspection
  • Analytical Procedures
  • Review Information
  • Discussion among Audit Team Members
    
    • Key members should be involved in the discussion
    • The objective of this discussion
    • The discussion should include critical issues
• Understanding the entity and its environment, including its internal control
• Assessing the risks of material misstatement
• Documentation

Question 4

Understanding the Entity and Its Environment consist of understanding what 5 things?

Answer 4

(1) industry, regulatory, and other external factors;
(2) nature of the entity; (operation, ownership, etc.)
(3) objectives and strategies and related business risks that may cause a material misstatement of the financial statements;
(4) measurement and review of the entity’s financial performance - these factors might increase the risks of material misstatement
(5) Internal controls relevant to the audit

Question 5

What are the Documentation Requirements when assessing control risk?

Answer 5

• Discussion among audit team about the risk of material misstatement and of material fraud and the appropriateness of the financial reporting framework (including any decision of how and when it occurred)
• Key Elements of understanding obtained from the entity, its environment, and I/C (including risk assessment procedure performed)
• Assess the Risk of Material Misstatement (Both at F/S level) and as well as relevant assertion level
• Any significant risk that we identified or the relevant controls that we obtained in understanding whether those controls effectively mitigated the significant risks

Question 6

Management’s attitude toward aggressive financial reporting and its emphasis on meeting projected profit goals most likely would significantly influence an entity’s control environment when

Answer 6

If management is dominated by one individual who is also a shareholder, the opportunity is present for management’s attitude toward financial reporting to significantly influence an entity’s control environment.

Question 7

Which of the following elements of an entity’s internal control structure includes the development of personnel manuals documenting employee promotion and training policies?

Answer 7

Control environment.

Note: The control environment sets the tone of an organization, influencing the control consciousness of its people. It includes the following factors: integrity and ethical values, commitment to competence, board of directors or audit committee participation, management’s philosophy and operating style, organizational structure, assignment of authority and responsibility, and human resource policies and practices.

The development of personnel manuals documenting employee promotion and training policies is a component of human resource policies and practice.)

Question 8

After obtaining an understanding of an entity’s internal control structure, an auditor “may assess control risk at the maximum level” for some assertions of the auditor

Answer 8

Believes the internal control policies and procedures are unlikely to be effective.

Note: auditor’s identification of internal controls that are likely to prevent material misstatements would be more likely to result in a reduced control risk assessment rather than assessment at maximum.

Question 9

For certain controls, such as segregation of duties, documentary evidence may not exist.

An auditor would most likely test the procedures by

Answer 9

Segregation of duties and similar controls which lack documentation of their functioning are best tested through observation and inquiry.

Question 10

An auditor should obtain sufficient knowledge of an entity’s accounting system to understand the

Answer 10

Process used to prepare significant accounting estimates.

Why? An auditor is concerned about the information system and related controls which are relevant to financial reporting.

note: this closely relates with the financial reportings.

Question 11

Which of the following is the best way to compensate for the lack of adequate segregation of duties in a small organization?

Answer 11

Allowing for greater management oversight of incompatible activities.

Note: closer management oversight directed specifically at such incompatible activities would be an effective approach in mitigating the risks involved.

Question 12

In obtaining an understanding of an entity’s internal control structure in a financial statement audit, an auditor is obligated to

Answer 12

• Determine whether the control procedures have been placed in operation.
• Perform procedures to understand the design of the internal control structure policies.
• Document the understanding of the entity’s internal control structure elements.

Question 13

In obtaining an understanding of an entity’s internal control structure policies and procedures that are relevant to audit planning, an auditor is required to obtain knowledge about the

Answer 13

Design of the policies and procedures pertaining to the internal control structure elements.

Note: only those internal controls which impact the financial statements are to be considered.

Question 14

Which of the following actions should the auditor take in response to discovering a deviation from the prescribed control procedure?

Answer 14

Make inquiries to understand the potential consequence of the deviation.

Note: the auditor should evaluate the significance of the potential effects associated with the deficiency. It would be appropriate to make inquiry of management and other client personnel in evaluating the potential effect of such a control deficiency.

Question 15

Which of the following audit techniques most likely would provide an auditor with the most assurance about the effectiveness of the operation of an internal control procedure?

Answer 15

Observation of client personnel is the best evidence about the effectiveness of operation of an internal control

Question 16

When considering the internal control structure, an auditor should be aware of the concept of reasonable assurance, which recognizes that

Answer 16

The cost of an entity’s internal control structure should not exceed the benefits expected to be derived.

Note: Internal control can provide only reasonable assurance as a limiting factor is the cost/benefit ratio. The cost of an entity’s internal control should not exceed the benefits derived therefrom.​

Question 17

Procedures is likely to be performed as a part of obtaining an understanding during an audit engagement of a new audit client previously audited by another CPA?

Answer 17

Communication with the predecessor auditor.

Performing analytical procedures.

Considering internal control.

Question 18

Example of an inherent limitation in an internal control system

Answer 18

Human judgment is an inherent limitation since that judgment can be faulty and result in a breakdown in internal control because of human error;

additional inherent limitations of internal control include:

(1) collusion of two or more people and
(2) inappropriate management override of internal control.

Question 19

Auditor most likely consider in evaluating the control environment of an audit client?

Answer 19

Management’s operating style is a part of the control environment and it is considered by auditors.

Question 20

What is ordinarily considered a factor indicative of increased financial reporting risk when an auditor is considering a client’s risk assessment policies?

Answer 20

rapid growth of the organization is considered a risk factor when considering a client’s risk assessment policies.

Note: risk factors do not necessarily indicate misstated financial statements, they are simply factors that have often been present in the past when misstatements have been identified.

Question 21

Obtaining an understanding of an internal control involves evaluating the design of the control and determining whether the control has been

Answer 21

Implemented.

Question 22

When an auditor considers a client’s internal control, control activities ordinarily relate to performance reviews, information processing, segregation of duties and

Answer 22

Physical controls.

note: control activities include performance reviews, information processing, physical controls, and segregation of duties.

Question 23

What nonfinancial information would an auditor most likely consider in performing analytical procedures during risk assessment?

Answer 23

Square footage of selling space may be used in considering the overall reasonableness of sales.

Question 24

An entity’s ongoing monitoring activities often include

Answer 24

Reviewing the purchasing function.

Note:

Ongoing monitoring - involves assessing the design and operation of controls on a timely basis and taking necessary corrective actions and such an approach may be followed in reviewing the purchasing function.

Question 25

Foreign Corrupt Practices Act

Answer 25

Every publicly held company must devise, document, and maintain internal control sufficient to provide reasonable assurances that internal control objectives are met.

Question 26

The overall attitude and awareness of an entity’s board of directors concerning the importance of internal control usually is reflected in its

Answer 26

control environment

Question 27

Analytical procedures most likely would be used during the risk assessment stage of an audit?

Answer 27

comparing current year to prior-year sales volumes is an analytical procedure and because analytical procedures in risk assessment often use such aggregated data.

Question 28

In assessing control risk, an auditor ordinarily selects from a variety of techniques, including

Answer 28

Tests of controls include inquiries of appropriate entity personnel, inspection of documents and reports, observation of the application of the policy or procedure, and reperformance of the application of the policy or procedure.

Note:

auditors are ultimately concerned with the existence of material misstatements in the financial statements.

Question 29

To help plan the nature, timing, and extent of substantive auditing procedures, preliminary analytical procedures should focus on

Answer 29

enhancing the auditor’s understanding of the client’s business and events that have occurred since the last audit date, and on identifying areas that may represent specific risks relevant to the audit.

Question 30

Primary purpose of performing analytical procedures as risk assessment procedures is to identify the existence of

Answer 30

Unusual transactions and events.

Question 31

Analytical procedures used in risk assessment for an audit should focus on identifying

Answer 31

Areas that may represent specific risks relevant to the audit.

Question 32

An inherent limitation to internal control is the fact that controls can be circumvented by

Answer 32

management override.

Question 33

To obtain audit evidence about control risk, an auditor selects tests from a variety of techniques including

Answer 33

inquiries of appropriate personnel, inspection of documents and records, observation of the application of controls, and reperformance of the application of the policy or procedure.

Question 34

Analytical procedures performed during the risk assessment phase of an audit should focus on

Answer 34

(1) enhancing the auditor’s understanding of the client’s business and the transactions and events that have occurred since the last audit date, and

(2) identifying areas that may represent specific risks relevant to the audit.

Question 35

Which of the following is an analytical procedure that an auditor most likely would perform when performing the risk assessment of an audit?

Answer 35

Comparing current year balances to budgeted balances.

note: current year balances to budgeted balances will help the auditor in identifying areas to which to devote additional audit attention.

Question 36

The use of fidelity bonds protects a company from embezzlement losses and also

Answer 36

Minimizes the possibility of employing persons with dubious records in positions of trust.

Note: bonding companies will typically investigate the backgrounds of new employees.

Question 37

Analytical procedures used during risk assessment in an audit should focus on

Answer 37

may enhance the auditor’s understanding of the client’s business and significant transactions and events that have occurred since the prior audit and also may help to identify the existence of unusual transactions or events and amounts, ratios, and trends that might indicate matters that have audit implications.

Question 38

Likely to be considered a risk assessment procedure?

Answer 38

• Analytical procedures.
• Inspection of documents.
• Observation of the performance of certain accounting procedures.

Question 39

An auditor assesses control risk because it

Answer 39

Affects the level of detection risk that the auditor may accept.

Question 40

Which of the following factors is most relevant when an auditor considers the client’s organizational structure in the context of control risk?

Answer 40

The suitability of the client’s lines of reporting.

Note: are necessary to prepare financial statements that follow GAAP.

Question 41

In order to obtain an initial understanding of internal control sufficient to assess the risk of material misstatement of the financial statements, an auditor would most likely perform which of the following procedures?

Answer 41

Risk-assessment procedures to evaluate the design of relevant controls.

Note:

risk assessment procedures are performed to assess the risk of material misstatement throughout the financial statements.

Question 42

Which of the following is the best way to compensate for the lack of adequate segregation of duties in a small organization?

Answer 42

Allowing for greater management oversight of incompatible activities.

Note: management’s oversight of the activities may either prevent or detect improper activities.

Question 43

factors are included in an entity’s control environment

Answer 43

The audit committee, integrity and ethical values, and organization structure are all included.

Question 44

An auditor reviews a client’s accounting policies and procedures when considering which of the following planning matters?

Answer 44

Understanding of the client’s operations and business.

Question 45

likely affect the extent of the auditor’s consideration of the client’s internal control?

Answer 45

The amount of time budgeted to complete the engagement.

The nature of specific relevant controls.

The auditor’s prior experience with client operations.

Question 46

auditor’s assessment of control

Answer 46

AU-C 315 indicates that assessing control risk may be performed concurrently during an audit with obtaining an understanding of internal control.

Question 47

Correct concerning analytical procedures used during risk assessment in an audit engagement?

Answer 47

They usually use financial and nonfinancial data aggregated at a high level.

—often, both financial and nonfinancial information.

Question 48

component of internal control

Answer 48

(1) the control environment,
(2) control activities,
(3) the information system relevant to financial reporting and
(4) the monitoring of controls.
(5) Risk Assessment

Question 49

CPA most likely perform during the risk assessment phase of a financial statement audit?

Answer 49

Compare financial information with nonfinancial operating data.

Note: analytical procedures often include a comparison of financial information with nonfinancial operating data and because analytical procedures must be performed during risk assessment.

Question 50

While obtaining an understanding of a client’s risk assessment policies, an auditor ordinarily considers how management

Answer 50

Auditor should obtain sufficient knowledge of the entity’s risk assessment process to understand how management considers risks relevant to financial reporting objectives and decide about actions to address those risks

Question 51

When performing analytical procedures during the risk assessment of an audit, the auditor most likely would develop expectations by reviewing which of the following sources of information?

Answer 51

Unaudited information from internal quarterly reports.

Question 52

As a result of analytical procedures, the independent auditor determines that the gross profit percentage has declined from 30% in the preceding year to 20% in the current year. The auditor should

Answer 52

Consider the possibility of a misstatement in the financial statements

Note: significant fluctuation in the gross profit percentage might be indicative of a misstatement and, therefore, the auditor should consider the possibility of a misstatement in the financial statements.