Internal Control Flashcards

1
Q

If Internal Control is poor and a company’s accounting practices are sloppy, which risk is higher?

A

Control risk increases with poor Internal Controls and sloppy accounting practices.

2
Q

If Internal Control is poor, what is the effect on the audit?

A

Auditor will need to perform more testing and dig deeper into accounts in order to arrive at an opinion regarding the financial statements.

High risk
Don’t perform tests of controls (unless heavy use of IT)
Lots of substantive testing

3
Q

What does Internal Control provide reasonable assurance for?

A

Internal control provides reasonable assurance that

Material misstatements will be prevented

Reliability/integrity of financial statements will be preserved

Assets are protected against misuse

4
Q

What is required in an examination of Internal Control under Sarbanes-Oxley?

A

CEO/CFO must disclose Internal Control deficiencies

Management must provide assessment of Internal Control

Management must certify Financial Statements

5
Q

What is the relationship between Internal Control and Substantive Testing?

A

Inverse Relationship
Stronger Internal Controls - Less Testing Needed (but never eliminated completely)
Weaker Internal Controls - More Testing Needed

6
Q

What are the 3 objectives of Internal Control?

A

Reliability of Financial Reporting

Operational Efficiency/Effectiveness

Compliance with Law and Regulations

7
Q

What are the 5 components of Internal Control?

A
"CRIME"
Control Environment
Risk Assessment
Information and Communication
Monitoring
Existing Control Activities
8
Q

What is the purpose for a Control Environment assessment?

A

Sets tone for the entire company

9
Q

What are the components of the Control Environment?

A

1) Integrity/Ethics of Management
2) Competence of Management
3) Organizational Structure
4) Human Resource Policies
5) Assignment of authority, responsibility, and accountability
6) Management’s Philosophy & Style (riskier with a dominant/aggressive individual)
7) Governance (board/audit committee) involvement

10
Q

What does an auditor’s assessment of Detection Risk determine?

A

Detection Risk determines nature, timing, and extent of audit procedures.

11
Q

What determines the acceptable level of Detection Risk?

A

Risk of material misstatement determines acceptable level of Detection Risk

12
Q

What items could increase the risk of material misstatement?

A

Rapid growth in the company.
The methods management uses to identify risk, estimate its significance and assess the likelihood of occurrence
Major changes to operations, personnel, systems, IT, products, corporate organization, and foreign operations.

13
Q

What happens when Control Risk is assessed to be at the maximum level?

A

No Internal Control testing is performed. All audit procedures are increased in intensity to compensate for increased risk.

14
Q

What happens when Control Risk is below the maximum level?

A

Auditor tests Internal Controls.
Auditor evaluates Control Risk based on tests
Auditor adjusts substantive tests accordingly
Weaker Internal Control - More substantive tests
Stronger Internal Control - Less substantive tests

15
Q

Describe some common examples of Control Activities.

A

“PAID TIPS”

Pre-numbered documents
Authorization of transactions 
Independent Checks
Documentation
Timely Performance Reviews
Information Processing
Physical Controls
Segregation of Duties
16
Q

What should an auditor understand with respect to Information and Communication on an audit?

A

Understand Client’s

Major transaction classes
Transaction initiation
Support records/documents
Transaction processing
Financial Statement internal reporting process
Financial Statement external reporting process

17
Q

What questions should be asked to determine the risk of material misstatement?

A

Were all transactions recorded?
Were they timely?
Measured appropriately?
Recorded in correct period?
Presented and disclosed properly?
Did Management communicate their responsibilities?

18
Q

What is the purpose of testing Internal Controls?

A

Auditor needs reasonable assurance that controls are functioning as designed and effective

Internal Control Testing should be as strong as (IRON) so that nothing gets past them

Inquiry - Interview company personnel

Walkthroughs:
Re-performance - Can it be replicated?
Observation - Watch the control be applied
INspection - Dig into the details/documents

If results are as expected, substantive procedures do not need to be adjusted

19
Q

When can controls tested by an auditor in a prior year be used in the current year’s audit assessment?

A

Controls tested by auditor in a prior year can be used in the current year’s audit assuming they are re-tested every third year

Exception: if the control has changed since the last audit

20
Q

What happens if Internal Controls are deficient?

A

Control Risk increases

Scope of substantive procedures increases

Detection Risk decreases

Material Weakness - Reasonable possibility that a material misstatement in Financial Statements would not be found; more than a remote chance of occurrence

21
Q

What is a Material Weakness?

A
  • Worst
  • Reasonable possibility exists that a material misstatement in Financial Statements would not be prevented, or detected and corrected and has more than a remote chance of occurrence.
  • Not present in ISAs
22
Q

What activities represent Segregation of Duties?

A

Non-compatible duties performed by separate individuals, such as

Authorization of asset disbursement vs. Recording of Assets vs. Custody of assets

If supporting audit evidence doesn’t exist, use Observation and Inquiry

Accounting should be segregated from Production

23
Q

What are the limitations on Control Activities?

A

Controls can’t stop collusion or bad judgment
Management can override controls
Cost vs. Benefit relationship of Internal Control

24
Q

What is required if a Material Weakness is identified?

A

A written report to management is required.

Report declaring that no material weaknesses were found is allowed

Previous weaknesses reported that still exist should be reported again

Should be reported no later than 60 days after audit report release date

If one or more material weaknesses are uncorrected at year-end, an Adverse Opinion on Internal Control must be given

25
Q

What is the effect of a Significant Deficiency? What is it?

A
  • A significant deficiency adversely affects a company’s ability to report in the financial statements according to GAAP. A significant deficiency is more than a remote likelihood of material misstatement by more than an inconsequential amount
  • Bad (less severe than material weakness)
26
Q

What must occur if a Significant Deficiency is identified?

A

If a Significant Deficiency is identified, a written report to management is required

Report declaring that no significant deficiencies exist is not allowed

Previous deficiencies reported that still exist should be reported again

Should be reported no later than 60 days after the audit report release date

27
Q

What is a Control Deficiency?

A
  • A control is not operating as intended
  • Least severe
  • Control does not allow misstatements to be prevented, or detected and corrected, on a timely basis
  • Deficiency in design: existing control does not achieve desired objective
  • Deficiency in operation: properly designed - does not operate as designed or performed by an inappr
28
Q

What must an auditor ask if using the work of third parties?

A

Are they competent?

Are they objective?

29
Q

What must an auditor understand with respect to internal auditors?

A

Auditor needs to understand the role of Internal Auditors within the organization because their work affects the audit plan

Responsibility for judgments about materiality or appropriateness of entries or estimates cannot be shared with third parties like Internal Auditors

Internal Auditors should be asked to do some of the legwork like preparing schedules or running reports

They should not be asked to make any decisions or judgments

30
Q

What is required in an examination of Internal Control under Sarbanes-Oxley?

A

CEO/CFO must disclose deficiencies

Management must provide assessment of Internal Controls

Management must certify Financial Statements

31
Q

What is the relationship between Internal Control and Substantive Testing?

A

Has inverse relationship

Stronger Internal Control results in LESS substantive testing

Weaker Internal Control leads to MORE substantive testing

32
Q

What happens when Control Risk is below the maximum level?

A

Auditor tests Internal Controls.

Auditor evaluates Control Risk based on tests

Auditor adjusts substantive tests accordingly

Weaker Internal Control - More substantive tests

Stronger Internal Control - Less substantive tests

33
Q

What should an auditor understand with respect to Information and Communication on an audit?

A

Understand Client’s

Major transaction classes
Transaction initiation
Support records/documents
Transaction processing
Financial Statement internal reporting process
Financial Statement external communication process

34
Q

How must an auditor document understanding of Internal Control?

A

“FIND”
Flowcharts
Internal control questionnaires/checklists
Narrative
Documentation from client (organizational charts, manuals)

35
Q

What is the purpose of testing Internal Controls?

A

Auditor needs reasonable assurance that controls are functioning as designed and effective

Internal Control Testing should be as strong as (IRON) so that nothing gets past them

Inquiry - Interview company personnel
Re-performance - Can it be replicated?
Observation - Watch the control be applied
INspection - Dig into the details/documents

If results are as expected - substantive procedures do not need to be adjusted

36
Q

What is risk assessment?

A

Identification & analysis of financial reporting risks by management to achieve its objectives.

Common examples include:

  • Change in environment
  • New personnel
  • Change in information systems
  • Rapid expansion
  • New technology
  • New business models, activities, products
  • Corporate restructuring
  • Foreign operations
  • Change in accounting principles
37
Q

What is the process of Monitoring?

A

Assessing the quality of internal control performance over time by assessing the design & operation of controls. It is the responsibility of management.

38
Q

What are the two types of information processing controls?

A

General controls - apply to processing throughout the company and relate to many applications and the operation of the information system
Application controls - apply to processing of individual transactions and help ensure that transactions occurred are authorized and accurately processed.

39
Q

What can be done to maintain physical controls for safeguarding assets?

A

1) Physical segregation & security of assets
2) Authorized access
3) Periodic counting & inspection

Related to financial reporting objectives and operations objectives

NOT related to compliance objectives

40
Q

What are preventive controls?

A

Applied before processing activity; provide reasonable assurance that only valid transactions are recognized, approved, and submitted for processing.

41
Q

What are detective controls?

A

Applied after processing activity; provide reasonable assurance that errors or irregularities are discovered and corrected on a timely basis.

42
Q

What are flowcharts and how do they assist the auditor?

A

Flowcharts depict the auditor’s understanding of internal control

They show a flow of processes & documents

1) System flowcharts - show origin, processing, and disposition of a document
2) Program flowcharts - document logic & existing flow of a computer program

43
Q

How do internal control questionnaires assist auditors?

A

They are used for each assertion of management

List of questions with yes and no answers. No answers require explanations

44
Q

What are narratives?

A

Narratives are written versions of flowcharts and are more appropriate for less complex structures. It is hard to see weaknesses in internal control.

45
Q

What are the limitations of internal control?

A

1) Management override of internal control
2) Human error
3) Deliberate circumvention of controls by collusion
4) Segregation of duties difficult for small companies

46
Q

What types of reports exist for service auditors?

A

Type 1 - Design of controls

Type 2 - Design and operating effectiveness of controls

47
Q

What types of reports exist for user auditors?

A

Type 1 - Understanding of controls

Type 2 - Design, implementation, and operating effectiveness of a service organization’s controls

48
Q

What is the nature of an audit procedure?

A

Purpose - test of control vs. substantive testing

Type - Inquiry, Reperformance, Observation, Inspection, Confirmation, Analytical procedure, Recalculation (IRON CAR)

49
Q

What is the extent of an audit procedure?

A

Scope; quantity to be performed

50
Q

What is the timing of an audit procedure?

A

interim date (strong) vs. period end (weak)

Do interim testing if:

  • Internal control is strong
  • Amounts are reasonably predictable
  • Little activity

Consider incremental audit risk before applying substantive tests at an interim period

51
Q

When are tests of controls performed?

A

1) When controls are operating effectively
2) Extensive use of IT

Not required to evaluate operating effectiveness as part of design & understanding of internal control

52
Q

What is the hierarchy for type of test to be performed to obtain evidence? (Used for test of controls)

A

“RIO - I”

1) Re-performance (operating effectiveness)
2) Inspecting Documentation (design effectiveness)
3) Observation (design effectiveness)
4) Inquiry (design effectiveness)

53
Q

What is substantive testing?

A
  • Required for each transaction, account balance, disclosure
  • Two types: tests of details and analytical procedures (test account balances)

54
Q

What is an auditor’s primary consideration in evaluating controls?

A

If specific controls affect financial statement assertions

55
Q

What are the 3 internal control PLANNING objectives?

A

1) Identify types of potential misstatements
2) Consider factors that affect the risk of material misstatement
3) Design effective substantive tests

56
Q

What are some indicators of material weakness?

A

1) Identification of any level of fraud
2) Restatement of previously issued F/S
3) Identification of material weakness by auditor that would not have been detected by internal control
4) Ineffective oversight by those charged with governance

57
Q

What is design effectiveness of controls?

A

Controls satisfy company objectives and can effectively prevent or detect (and correct) material misstatements.
Ex: Walkthroughs - Inquiry, Observation, Inspection of documentation

58
Q

What is operating effectiveness of controls?

A

Whether controls are operating as designed and whether the persons implementing the controls are qualified to implement them effectively. Ex: Reperformance

59
Q

What two functions should an employee not perform to ensure segregation of duties?

A

Recording & Concealing transactions

60
Q

What is the most important consideration of management in regards to internal control?

A

Cost vs. Benefit relationship of Internal Control

61
Q

What information would raise questions about potential illegal acts?

A

Large payments made to:

1) Cash
2) Bearer bonds
3) Purchase cashier’s checks
4) Transfer funds to numbered accounts