Internal Control

Question 1

If Internal Control is poor and a company’s accounting practices are sloppy - which risk is higher?

Answer 1

Control risk increases with poor Internal Controls and sloppy accounting practices.

Question 2

If Internal Control is poor - what is the effect on the audit?

Answer 2

Auditor will need to perform more testing and dig deeper into accounts in order to arrive at an opinion regarding the financial statements.

High risk
Don’t perform test of controls (unless heavy use of IT)
Lots of substantive testing

Question 3

What does Internal Control provide reasonable assurance for?

Answer 3

Internal control provides reasonable assurance that

Material misstatements will be prevented

Reliability/integrity of financial statements will be preserved

Assets are protected against misuse

Question 4

What is required in an examination of Internal Control under Sarbanes-Oxley?

Answer 4

CEO/CFO must disclose Internal Control deficiencies

Management must provide assessment of Internal Control

Management must certify Financial Statements

Question 5

What is the relationship between Internal Control and Substantive Testing?

Answer 5

Inverse Relationship
Stronger Internal Controls - Less Testing Needed (but never eliminated completely)
Weaker Internal Controls - More Testing Needed

Question 6

What are the 3 objectives of Internal Control?

Answer 6

Reliability of Financial Reporting

Operational Efficiency/Effectiveness

Compliance with Law and Regulations

Question 7

What are the 5 components of Internal Control?

Answer 7

"CRIME"
Control Environment
Risk Assessment
Information and Communication
Monitoring
Existing Control Activities

Question 8

What is the purpose for a Control Environment assessment?

Answer 8

Sets tone for the entire company

Question 9

What are the components of the Control Environment?

Answer 9

1) Integrity/Ethics of Management
2) Competence of Management
3) Organizational Structure
4) Human Resource Policies
5) Assignment of authority, responsibility, and accountability
6) Management’s Philosophy & Style (riskier with a dominant/aggressive individual)
7) Governance (board/audit committee) involvement

Question 10

What does an auditor’s assessment of Detection Risk determine?

Answer 10

Detection Risk determines nature- timing- and extent of audit procedures.

Question 11

What determines the acceptable level of Detection Risk?

Answer 11

Risk of material misstatement determines acceptable level of Detection Risk

Question 12

What items could increase the risk of material misstatement?

Answer 12

Rapid growth in the company.
The methods management uses to identify risk- estimate its significance and assess the likelihood of occurrence
Major changes to operations- personnel- systems- IT- products- corporate organization- and foreign operations.

Question 13

What happens when Control Risk is assessed to be at the maximum level?

Answer 13

No Internal Control testing is performed.All audit procedures are increased in intensity to compensate for increased risk.

Question 14

What happens when Control Risk is below the maximum level?

Answer 14

Auditor tests Internal Controls.
Auditor evaluates Control Risk based on tests
Auditor adjusts substantive tests accordingly
Weaker Internal Control - More substantive tests
Stronger Internal Control - Less substantive tests

Question 15

Describe some common examples of Control Activities.

Answer 15

“PAID TIPS”

Pre-numbered documents
Authorization of transactions 
Independent Checks
Documentation
Timely Performance Reviews
Information Processing
Physical Controls
Segregation of Duties

Question 16

What should an auditor understand with respect to Information and Communication on an audit?

Answer 16

Understand Client’s

Major transaction classes
Transaction initiation
Support records/documents
Transaction processing
Financial Statement internal reporting process
Financial Statement external reporting process

Question 17

What questions should be asked to determine the risk of material misstatement?

Answer 17

Were all transactions recorded?
Were they timely?
Measured appropriately?
Recorded in correct period?
Presented and disclosed properly?
Did Management communicate their responsibilities?

Question 18

What is the purpose of testing Internal Controls?

Answer 18

Auditor needs reasonable assurance that controls are functioning as designed and effective

Internal Control Testing should be strong as (IRON) so that nothing gets past them

Inquiry - Interview company personnel

Walkthroughs:
Re-performance - Can it be replicated?
Observation - Watch the control be applied
INspection - Dig into the details/documentsIf results are as expected- substantive procedures do not need to be adjusted

Question 19

When can controls tested by an auditor in a prior year be used in the current year’s audit assessment?

Answer 19

Controls tested by auditor in a prior year can be used in the current year’s audit assuming they are re-tested every third year

Exception If the control has changed since the last audit

Question 20

What happens if Internal Controls are deficient?

Answer 20

Control Risk increases

Scope of substantive procedures increases

Detection Risk decreases

Material Weakness - Reasonable possibility that a material misstatement in Financial Statements would not be found- more than a remote chance of occurrence

Question 21

What is a Material Weakness?

Answer 21

• Worst
• Reasonable possibility exists that a material misstatement in Financial Statements would not be prevented, or detected and corrected and has more than a remote chance of occurrence.
• Not present in ISA’s

Question 22

What activities represent Segregation of Duties?

Answer 22

Non-compatible duties performed by separate individuals- such as

Authorization of asset disbursement vs. Recording of Assets vs. Custody of assets

If supporting audit evidence doesn’t exit - use Observation and Inquiry

Accounting should be segregated from Production

Question 23

What are the limitations on Control Activities?

Answer 23

Controls can’t stop collusion or bad judgment
Management can override controls
Cost vs. Benefit relationship of Internal Control

Question 24

What is required if a Material Weakness is identified?

Answer 24

A written report to management is required.

Report declaring that no material weaknesses were found is allowed

Previous weaknesses reported that still exist should be reported again

Should be reported no later than 60 days after audit report release date

If one or more material weaknesses is uncorrected at year-end- an Adverse Opinion on Internal Control must be given

Question 25

What is the effect of a Significant Deficiency? What is it?

Answer 25

• A significant deficiency adversely affects a company’s ability to report in the financial statements according to GAAP. A significant deficiency is a more than a remote likelihood of material misstatement by more than an inconsequential amount
• Bad (less severe than material weakness)

Question 26

What must occur if a Significant Deficiency is identified?

Answer 26

If a Significant Deficiency is identified- a written report to management required

Report declaring that no significant deficiencies exist is not allowed

Previous deficiencies reported that still exist should be reported again

Should be reported no later than 60 days after the audit report release date

Question 27

What is a Control Deficiency?

Answer 27

• A control is not operating as intended
• Least severe
• Control does not allow to prevent, detect and correct misstatements on a timely basis
• Deficiency in design: existing control does not achieve desired objective
• Deficiency in operation: properly designed - does not operate as designed or performed by an inappr

Question 28

What must an auditor ask if using the work of third parties?

Answer 28

Are they competent?

Are they objective?

Question 29

What must an auditor understand with respect to internal auditors?

Answer 29

Auditor needs to understand the role of Internal Auditors within the organization because their work affects the audit plan

Responsibility for judgments about materiality or appropriateness of entries or estimates cannot be shared with third parties like Internal Auditors

Internal Auditors should be asked to do some of the legwork like preparing schedules or running reports

They should not be asked to make any decisions or judgments

Question 30

What is required in an examination of Internal Control under Sarbanes-Oxley?

Answer 30

CEO/CFO must disclose deficiencies

Management must provide assessment of Internal Controls

Management must certify Financial Statements

Question 31

What is the relationship between Internal Control and Substantive Testing?

Answer 31

Has inverse relationship

Stronger Internal Control results in LESS substantive testing

Weaker Internal Control leads to MORE substantive testing

Question 32

What happens when Control Risk is below the maximum level?

Answer 32

Auditor tests Internal Controls.

Auditor evaluates Control Risk based on tests

Auditor adjusts substantive tests accordingly

Weaker Internal Control - More substantive tests

Stronger Internal Control - Less substantive tests

Question 33

What should an auditor understand with respect to Information and Communication on an audit?

Answer 33

Understand Client’s

Major transaction classes
Transaction initiation
Support records/documents
Transaction processing
Financial Statement internal reporting process
Financial Statement external communication process

Question 34

How must an auditor document understanding of Internal Control?

Answer 34

“FIND”
Flowcharts
Internal control questionnaires/checklists
Narrative
Documentation from client (organizational charts, manuals)

Question 35

What is the purpose of testing Internal Controls?

Answer 35

Auditor needs reasonable assurance that controls are functioning as designed and effective

Internal Control Testing should be strong as (IRON) so that nothing gets past them

Inquiry - Interview company personnel
Re-performance - Can it be replicated?
Observation - Watch the control be applied
INspection - Dig into the details/documents

If results are as expected - substantive procedures do not need to be adjusted

Question 36

What is risk assessment?

Answer 36

Identification & analysis of financial reporting risks by management to achieve it’s objectives.

Common examples include:

• Change in environment
• New personnel
• Change in information systems
• Rapid expansion
• New technology
• New business models, activities, products
• Corporate restructuring
• Foreign operations
• Change in accounting principles

Question 37

What is the process of Monitoring?

Answer 37

Assessing the quality of internal control performance over time by assessing the design & operation of controls. It is the responsibility of management.

Question 38

What are the two types of information processing controls?

Answer 38

General controls - apply to processing throughout company and related to many applications and operation of information sytem
Application controls - apply to processing of individual transactions and help ensure that transactions occurred are authorized and accurately processed.

Question 39

What can be done to maintain physical controls for safeguarding assets?

Answer 39

1) Physical segregation & security of assets
2) Authorized access
3) Periodic counting & inspection

Related to financial reporting objectives and operations objectives

NOT related to compliance objectives

Question 40

What are preventive controls?

Answer 40

Applied before processing activity; provide reasonable assurance that only valid transactions are recognized, approved, and submitted for processing.

Question 41

What are detective controls?

Answer 41

Applied after processing activity; provide reasonable assurance that errors or irregularities are discovered and corrected on a timely basis.

Question 42

What are flowcharts and how do they assist the auditor?

Answer 42

Flowcharts depict the auditor’s understanding of internal control

They show a flow of processes & documents

1) System flowcharts - show origin, processing, and disposition of a document
2) Program flowcharts - document logic & existing flow of a computer program

Question 43

How do internal control questionnaires assist auditors?

Answer 43

They are used for each assertion of management

List of questions with yes and no answers. No answers require explanations

Question 44

What are narratives?

Answer 44

Narratives are written versions of flowcharts and are more appropriate for less complex structures. It is hard to see weaknesses in internal control.

Question 45

What are the limitations of internal control?

Answer 45

1) Management override of internal control
2) Human error
3) Deliberate circumvention of controls by collusion
4) Segregation of duties difficult for small companies

Question 46

What types of reports exist for service auditors?

Answer 46

Type 1 - Design of controls

Type 2 - Design and operating effectiveness of controls

Question 47

What types of reports exist for user auditors?

Answer 47

Type 1 - Understanding of controls

Type 2 - Design, implementaiton, and operating effectiveness of a service organization’s controls

Question 48

What is the nature of an audit procedure?

Answer 48

Purpose - test of control vs. substantive testing

Type - Inquiry, Reperformance, Observation, Inspection, Confirmation, Analytical procedure, Recalculation (IRON CAR)

Question 49

What is the extent of an audit procedure?

Answer 49

Scope; quantity to be performed

Question 50

What is the timing of an audit procedure?

Answer 50

interim date (strong) vs. period end (weak)

Do interim testing if:

• Internal control is strong
• Amounts are reasonable predictable
• Little activity

Consider incremental audit risk before applying substantive tests at an interim period

Question 51

When are test of controls performed?

Answer 51

1) When controls are operating effectively
2) Extensive use of IT

Not required to evaluate operating effectiveness as part of design & understanding of internal control

Question 52

What is the hierarchy for type of test to be performed to obtain evidence? (Used for test of controls)

Answer 52

“RIO - I”

1) Re-performance (operating effectiveness)
2) Inspecting Documentation (design effectiveness)
3) Observation (design effectiveness)
4) Inquiry (design effectiveness)

Question 53

What is substantive testing?

Answer 53

• Required for each transaction, account balance, disclosure

- Two types: tests of details and analytical procedures (test account balances)

Question 54

What is an auditor’s primary consideration in evaluation controls?

Answer 54

If specific controls affect financial statement assertions

Question 55

What are the 3 internal control PLANNING objectives?

Answer 55

1) Identify types of potential misstatements
2) Consider factors that affect the risk of material misstatement
3) Design effective substantive tests

Question 56

What are some indicators of material weakness?

Answer 56

1) Identification of any level of fraud
2) Restatement of previously issued F?S
3) Identification of material weakness by auditor that would not have been detected by internal control
4) Ineffective oversight by those charges with governance

Question 57

What is design effectiveness of controls?

Answer 57

Controls satisfy company objectives and can effectively prevent or detect (and correct) material misstatements.
Ex: Walkthroughs - Inquiry, Observation, Inspection of documentation

Question 58

What is operating effectiveness of controls?

Answer 58

Whether controls are operating as designed and whether the persons implementing the controls are qualified to implement them effectively. Ex: Reperformance

Question 59

What two functions should an employee not perform to ensure segregation of duties?

Answer 59

Recording & Concealing transactions

Question 60

What is the most important consideration of management in regards to internal control?

Answer 60

Cost vs. Benefit relationship of Internal Control

Question 61

What information would raise questions about potential illegal acts?

Answer 61

Large payments made to:

1) Cash
2) Bearer bonds
3) Purchase cashier’s checks
4) Transfer funds to numbered accounts