Internal Control

Question 1

What is the primary goal of COSO?

Answer 1

Provide guidance and frameworks for enterprise risk management, internal control, and fraud deterrence.

Question 2

Who are COSO members?

Answer 2

AICPA
American Accounting Association (AAA)
Financial Executives International (FEI)
Institute of Internal Auditors (IIA)
Institute of Management Accountants (IMA)

Question 3

What are the objectives of internal control?

Answer 3

Ensure effective and efficient operations
Accurate and reliable financial reporting
Compliance with laws and regulations

Question 4

What are the components of internal control?

Answer 4

Control environment
Risk assessment
Information and communication
Monitoring
Control activities

Question 5

Control Environment

Answer 5

Demonstrate commitment to integrity and ethics
Board of directors exercise oversight responsibility
Establish structure, authority & responsibility
Demonstrates commitment to competence
Enforces accountability

Question 6

Risk Assessment

Answer 6

Specifies suitable objectives
Identifies and analyzes risk
Assesses fraud risk
Identifies and analyzes significant change

Question 7

Information and Communication Systems

Answer 7

Uses relevant information
Communicates internally
Communicates externally

Question 8

Monitoring

Answer 8

Conducts ongoing and/or separate evaluations

Question 9

Control Activities

Answer 9

Selects and develops control activities
Selected and develops general controls over technology
Deploys control activities through policies and procedures

Question 10

Segregation of Duties

Answer 10

Custody
Authorization
Recording
Reconciliation

Question 11

What are the limitations of internal control?

Answer 11

Competence
Collusion
Override by management
Obsolescence
Cost constraints

Question 12

What is a control deficiency?

Answer 12

Exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements on a timely basis.

Question 13

What is a significant deficiency?

Answer 13

A deficiency, or a combination of deficiencies, in internal control over financial reporting that is less severe than a material weakness yet important enough to merit attention of those charged with governance and management.

Question 14

What is a material weakness?

Answer 14

A deficiency, or a combination of deficiencies, in internal control involving financial reporting, such that there is a reasonable possibility that a material misstatement exists.

Question 15

What are the types of control?

Answer 15

Preventative
Detective
Corrective
Directive
Compensating

Question 16

When is an auditor required to perform test of controls?

Answer 16

On audits of issuers. Audits of non-issuers does not require a test of controls, it’s optional.

Question 17

When is an auditor required to opine on a client’s financial statements?

Answer 17

On audits of issuers & non-issuers.

Question 18

When is an auditor required to perform substantive procedures?

Answer 18

On audits of issuers & non-issuers.

Question 19

In assessing inherent risk, the auditor obtains an understanding…

Answer 19

of the entity and its environment

Question 20

In assessing control risk, the auditor obtains an understanding…

Answer 20

of the entity’s internal control

Question 21

What should the auditor consider when obtaining an understanding of the entity and its environment?

Answer 21

Objectives & strategies
Financial performance
External environment
Nature of operations
Ownership and governance
Investments
Financing structure
Accounting policies

Question 22

How should the auditor obtain an understanding of the entity and its environment?

Answer 22

Analytical procedures
Inquiries
Inspection

Question 23

What should the auditor consider when obtaining an understanding of the entity’s internal control?

Answer 23

Evaluate design of I/C
Assess implementation of I/C

Question 24

How should the auditor obtain an understanding of the entity’s internal control?

Answer 24

Inquiries
Walkthroughs
Inspection
Observation

Question 25

What is the top down approach (obtain an understanding of the entity’s internal control)?

Answer 25

Step 1: assess risk at financial statement level / entity level
Step 2: evaluate risk at account balances, transactions, & disclosures level
Step 3: evaluate risk at assertion level

Question 26

What are the key elements of internal control to document?

Answer 26

Each of the I/C components
Any significant risks identified and related I/C

Question 27

What are the types of documentation forms for internal control?

Answer 27

Flowcharts
Internal Control Questionnaire (ICQ)
Narratives
Decision tree

Question 28

What is risk of material misstatement?

Answer 28

RMM = IR x CR
Risk of material misstatement = Inherent risk x Control risk

Question 29

What are the steps to assess RMM?

Answer 29

Identify risks
Consider the likelihood of identified risks
Consider the magnitude of the impact on FS
Determine if identified risks are significant

Question 30

What are the steps of the Non-Control Reliance Approach?

Answer 30

Improper design & implementation of controls > Controls are not designed properly and therefore not operating effectively > do not perform test of operating effectiveness of internal controls

Question 31

What are the NET of the audit procedures of the Non-Control Reliance Approach?

Answer 31

Improper design & implementation of controls > Controls are not designed properly and therefore not operating effectively > do not perform test of operating effectiveness of internal controls.
Assess CR at maximum > RMM is high > DR is low > increase NET of audit procedures

Question 32

What are the steps of the Control Reliance Approach?

Answer 32

Proper design & implementation of internal controls > controls are designed properly and therefore could be operating effectively > perform test of operating effectiveness of internal controls

Question 33

What are the steps of the Control Reliance Approach?

Answer 33

Proper design & implementation of internal controls > controls are designed properly and therefore could be operating effectively > perform test of operating effectiveness of internal controls

Question 34

What are the NET of the audit procedures of the Control Reliance Approach, when controls are not operating?

Answer 34

Proper design & implementation of internal controls > controls are designed properly and therefore could be operating effectively > perform test of operating effectiveness of internal controls
Controls are not operating > assess CR at maximum > RMM is high > DR is low > increase NET of audit procedures

Question 35

What is the nature of test of controls?

Answer 35

See how controls were applied at relevant times during the period under audit
See the consistency with which controls were applied
See by whom or by what means they were applied

Question 36

When should you have a smaller sample size or less frequent testing, assuming there have been no changes to the system?

Answer 36

When the controls are automated

Question 37

When should you have a larger sample size and more frequent testing due to higher susceptibility to inconsistency and errors?

Answer 37

When controls are manual

Question 38

When controls are tested during interim and there are significant changes in control, how much testing should be done?

Answer 38

Additional testing should be done

Question 39

When controls are tested during interim and there are no significant changes in control, how much testing should be done?

Answer 39

No additional testing should be done

Question 40

When there are changes in controls and controls were tested during the previous year audit of a non-issuer, what testing should be done?

Answer 40

The controls should be tested again in the current year

Question 41

When there are no changes in controls and controls were tested during the previous year audit of a non-issuer, what testing should be done

Answer 41

If no significant changes have occurred, the controls should be tested at least once every third year.

Question 42

Are auditors of issuers required to test controls each year?

Answer 42

Yes

Question 43

What are the procedures for test of controls to determine operating effectiveness?

Answer 43

Reperformance
Inquiry
Inspection
Observation

Question 44

What are the major transaction cycles?

Answer 44

Revenue
Cash receipts
Expenditure
Inventory
Personnel & payroll

Question 45

What is a design deficiency?

Answer 45

The control is not designed properly

Question 46

What is an operating deficiency?

Answer 46

The control is designed properly but doesn’t work

Question 47

What are the levels of deficiency?

Answer 47

Low - control deficiency
Medium - significant deficiency
High - material weakness

Question 48

Is communication of a control deficiency required in the audit of financial statements of a non-issuer?

Answer 48

No communication is required to management of TCWG

Question 49

Is communication of a control deficiency required in the audit of financial statements & internal control of a non-issuer?

Answer 49

Communication is required to management within 60 days of the audit report release date, in writing or orally.
No communication is required to TCWG

Question 50

Is communication of a control deficiency required in the audit of financial statements & internal control of an issuer?

Answer 50

Communication is required to management by the audit report release date in writing or orally.
No communication is required to TCWG

Question 51

Is communication of a significant deficiency required in the audit of financial statements of a non-issuer?

Answer 51

Communication is required to management & TCWG within 60 days of the audit report release date, in writing or orally.

Question 52

Is communication of a significant deficiency required in the audit of financial statements & internal control of a non-issuer?

Answer 52

Communication is required to management & TCWG by the audit report release date in writing.

Question 53

Is communication of a significant deficiency required in the audit of financial statements & internal control of an issuer?

Answer 53

Communication is required to management & TCWG by the audit report release date in writing.

Question 54

Is communication of a material weakness required in the audit of financial statements of a non-issuer?

Answer 54

Communication is required to management & TCWG within 60 days of the audit report release date, in writing or orally.

Question 55

Is communication of a significant deficiency required in the audit of financial statements & internal control of a non-issuer?

Answer 55

Communication is required to management & TCWG by the audit report release date in writing.

Question 56

Is communication of a material weakness required in the audit of financial statements & internal control of an issuer?

Answer 56

Communication is required to management & TCWG by the audit report release date in writing.

Question 57

What is an example of a service organization?

Answer 57

IT services
Cloud computing
Payroll processing
Data center management
Application hosting

Question 58

What is a SOC 1 report?

Answer 58

Report on controls related to financial reporting at the service organization

Question 59

What is a SOC 2 report?

Answer 59

Restricted use report on controls related to the AICPA’s 5 Trust Service Categories (security, availability, processing integrity, confidentiality, and privacy) at the service organization

Question 60

What is a SOC 3 report?

Answer 60

General use report on controls related to the AICPA’s 5 Trust Service Categories (security, availability, processing integrity, confidentiality, and privacy) at the service organization

Question 61

What is the focus of a SOC 1 Type 1 report?

Answer 61

Design of internal controls

Question 62

What is the focus of a SOC 1 Type 2 report?

Answer 62

Design and operating effectiveness of internal control

Question 63

What does a SOC 1 Type 1 report assess?

Answer 63

Assess the suitability and effectiveness of the controls in place at the service organization.

Question 64

What does a SOC 1 Type 2 report assess?

Answer 64

Assess the suitability and effectives of the controls, and how they are operating in practice

Question 65

What is the timeframe of a SOC 1 Type 1 report?

Answer 65

Specific point in time

Question 66

What is the timeframe of a SOC 1 Type 2 report?

Answer 66

Over a period of time

Question 67

What does a SOC 2 Type 1 report focus on?

Answer 67

Design of internal controls related to the security, availability, confidentiality, privacy, and integrity of systems.

Question 68

What does a SOC 2 Type 2 report focus on?

Answer 68

Design and operating effectiveness of internal controls related to the security, availability, confidentiality, privacy, and integrity of systems.

Question 69

What does a SOC 2 Type 1 report assess?

Answer 69

Assesses the suitability and effectiveness of controls in place at the service organization.

Question 70

What does a SOC 2 Type 2 report assess?

Answer 70

Assess the suitability and the effectiveness of the controls, and how they are operating in practice.

Question 71

What is the timeframe of a SOC 2 Type 1 report?

Answer 71

Specific point in time

Question 72

What is the timeframe of a SOC 2 Type 2 report?

Answer 72

Over a period of time