Internal Control

Question 1

If Internal Control is poor and a company’s accounting practices are sloppy - which risk is higher?

Answer 1

Control risk increases with poor Internal Controls and sloppy accounting practices.

Question 2

If Internal Control is poor - what is the effect on the audit?

Answer 2

Auditor will need to perform more testing and dig deeper into accounts in order to arrive at an opinion regarding the financial statements.

Question 3

What does Internal Control provide reasonable assurance for?

Answer 3

Internal control provides reasonable assurance that:

Material misstatements will be prevented or detected

Reliability/integrity of financial statements will be preserved

Assets are protected against misuse

Question 4

What is required in an audit of Internal Control under Sarbanes-Oxley?

Answer 4

Management must provide its assessment of Internal Control

auditor is required to audit internal control and express an opinion on the effectiveness of IC

Question 5

What are the 3 objectives of Internal Control?

Answer 5

Reliability of Financial Reporting

Operational Efficiency/Effectiveness

Compliance with Law and Regulations

Question 6

What are the 5 components of Internal Control?

Answer 6

Control Activties

Risk Assessment

Information and Communication

Monitoring

Control Environment

Question 7

What is the purpose for a Control Environment assessment?

Answer 7

Sets tone for the entire company

Establishes the overall attitude, awareness and actions

Question 8

What are the components of the Control Environment?

Answer 8

Philisophy of Mgt
Humaran resources
Reporting capabilities/competencies
Authoirity and responsibility
Structure of the organization
Ethical values and integrity
Directors (Board of) participation

Question 9

What happens when Control Risk is assessed to be at the maximum level?

Answer 9

Controls not operating effectively
RMM is increased
Internal Control not tested
Extensive substantive testing at year end

Question 10

What happens when Control Risk is below the maximum level?

Answer 10

Auditor tests Internal Controls.

Auditor evaluates Control Risk based on tests

Auditor adjusts substantive tests accordingly

Weaker Internal Control - More substantive tests

Stronger Internal Control - Less substantive tests

Question 11

Describe some common examples of Control Activities.

Answer 11

Performance Reviews

Information Processing

Physical Controls

Segregation of Duties

Question 12

What should an auditor understand with respect to Information and Communication on an audit?

Answer 12

How the company records, processes, summarizes, and reports financial data through:

• effective information systems
• identify and record all valid transactions
• in the proper time period
• at the proper amounts

Question 13

How must an auditor document understanding of Internal Control?

Answer 13

Through written documentation such as Internal Control memos- flowcharts- and questionnaires

Question 14

What is the purpose of testing Internal Controls?

Answer 14

Auditor needs reasonable assurance that controls are functioning as designed and are effective

Question 15

How often should controls be tested?

Answer 15

Controls should be tested at least every 3 years, if there have been no changes

If a control has changed from prior year, it should be tested in the current year audit

Controls mitigating significant risk should be tested annually

PCAOB does not permit rotational testing

Question 16

What happens if Internal Controls are deficient?

Answer 16

Control Risk increases

Scope of substantive procedures increases

Detection Risk decreases

Material Weakness - Reasonable possibility that a material misstatement in Financial Statements would not be found- more than a remote chance of occurrence

Question 17

What does Tracing test?

Answer 17

Tests Completeness

Starts with source document and traces forward to the journal entry.

Question 18

What does Vouching test?

Answer 18

Tests Existence.

Starts with a journal entry and searches for a voucher or source document to support the entry.

Question 19

What activities should be segregated?

Answer 19

authorization
bookkeeping
custody

Question 20

With respect to custody of assets - how should duties be segregated?

Answer 20

Employees who have custody of assets should not also RECORD those assets

Someone in charge of petty cash should not also control the petty cash records

Treasury Department (custodians) should NOT have record keeping duties

They control assets and should not be able to adjust any recording of those assets

Question 21

What are the limitations on internal control?

Answer 21

mistakes/human error/bad judgement

management override

collusion

Question 22

What is a Material Weakness?

Answer 22

a deficiency or combination of deficiencies such that there is a reasonable possibility that a material misstatement will not be prevented or detected on a timely basis

a material weakness must be reported to the audit committee in writing

must continue to report until resolved

report if found, no need to actively search for

should be reported before report date release, but no later than 60 days after release date

can result in an adverse opinion (in a report on internal control)

Question 23

What is a Significant Deficiency?

Answer 23

a deficiency or combination of deficiencies less severe than a material weakness but important enough to merit attention by the audit committee (more than remote likelihood of material misstatement)

significant deficiencies must be reported to senior management in writing

must continue to report until resolved

report if found, no need to actively search for

should be reported before report date release, but no later than 60 days after release date

Question 24

What is a Control Deficiency?

Answer 24

the design or operation of a control does not allow the prevention or detection of a misstatement on a timely basis

Question 25

What must an auditor ask if using the work of third parties?

Answer 25

Are they competent?

Are they objective?

Question 26

What must an auditor understand with respect to internal auditors?

Answer 26

Auditor needs to understand the role of Internal Auditors within the organization because their work affects the audit plan

Responsibility for judgments about materiality or appropriateness of entries or estimates cannot be shared with third parties like Internal Auditors

Internal Auditors should be asked to do some of the legwork like preparing schedules or running reports

They should not be asked to make any decisions or judgments

Question 27

What is required in an examination of Internal Control under Sarbanes-Oxley?

Answer 27

CEO/CFO must disclose deficiencies

Management must provide assessment of Internal Controls

Management must certify Financial Statements

Question 28

What is the purpose of testing Internal Controls?

Answer 28

Auditor needs reasonable assurance that controls are functioning as designed and effective

Internal Control Testing should be strong as (IRON) so that nothing gets past them

Inquiry - Interview company personnel
Re-performance - Can it be replicated?
Observation - Watch the control be applied
INspection - Dig into the details/documents

If results are as expected - substantive procedures do not need to be adjusted

Question 29

What is the hierarchy of source docuemnts in the purchasing cycle?

Answer 29

purchase requisition
purchase order
receiving report
vendor invoice
voucher
check
purchasing journal

Question 30

What is the hierarchy of source docuemtns in the sales cycle?

Answer 30

sales oder
bill of lading
sales invoice
sales journal

Question 31

According to PCAOB, when will a control deficiency = significant deficiency?

Answer 31

weak controls over:

• the selection and application of accounting principles that in conformity with gasp
• anti fraud programs and controls
• non routine and nonsystematic transactions
• period-ending financial reporting process