Internal Control

Question 2

If Internal Control is poor and a company’s accounting practices are sloppy - which risk is higher?

Answer 2

Control risk increases with poor Internal Controls and sloppy accounting practices.

Question 3

If Internal Control is poor - what is the effect on the audit?

Answer 3

Auditor will need to perform more testing and dig deeper into accounts in order to arrive at an opinion regarding the financial statements.

Question 4

What does Internal Control provide reasonable assurance for?

Answer 4

Internal control provides reasonable assurance that Material misstatements will be prevented Reliability/integrity of financial statements will be preserved Assets are protected against misuse

Question 5

What is required in an examination of Internal Control under Sarbanes-Oxley?

Answer 5

CEO/CFO must disclose Internal Control deficiencies Management must provide assessment of Internal Control Management must certify Financial Statements

Question 6

What is the relationship between Internal Control and Substantive Testing?

Answer 6

Inverse Relationship Stronger Internal Controls - Less Testing Needed Weaker Internal Controls - More Testing Needed

Question 7

What are the 3 objectives of Internal Control?

Answer 7

Reliability of Financial Reporting Operational Efficiency/Effectiveness Compliance with Law and Regulations

Question 8

What are the 5 components of Internal Control?

Answer 8

Control Environment Risk Assessment Information and Communication Monitoring Control Activities

Question 9

What is the purpose for a Control Environment assessment?

Answer 9

Sets tone for the entire company

Question 10

What are the components of the Control Environment?

Answer 10

Integrity/Ethics of Management Competence of Management Organizational Structure Human Resource Policies Assignment of Authority/Responsibility Management’s Style (riskier with a dominant/aggressive individual) Board/Audit Committee involvement

Question 11

What does an auditor’s assessment of Detection Risk determine?

Answer 11

Detection Risk determines nature- timing- and extent of audit procedures.

Question 12

What determines the acceptable level of Detection Risk?

Answer 12

Risk of material misstatement determines acceptable level of Detection Risk

Question 13

What items could increase the risk of material misstatement?

Answer 13

Rapid growth in the company. The methods management uses to identify risk- estimate its significance and assess the likelihood of occurrence Major changes to operations- personnel- systems- IT- products- corporate organization- and foreign operations.

Question 14

What happens when Control Risk is assessed to be at the maximum level?

Answer 14

No Internal Control testing is performed. All audit procedures are increased in intensity to compensate for increased risk.

Question 15

What happens when Control Risk is below the maximum level?

Answer 15

Auditor tests Internal Controls. Auditor evaluates Control Risk based on tests Auditor adjusts substantive tests accordingly Weaker Internal Control - More substantive tests Stronger Internal Control - Less substantive tests

Question 16

Describe some common examples of Control Activities.

Answer 16

Performance Reviews Information Processing Physical Controls Segregation of Duties

Question 17

What should an auditor understand with respect to Information and Communication on an audit?

Answer 17

Understand Client’s Major transaction classes Transaction initiation Support records/documents Transaction processing Financial Statement internal reporting process Financial Statement external reporting process

Question 18

How must an auditor document understanding of Internal Control?

Answer 18

Through written documentation such as Internal Control memos- flowcharts- and questionnaires

Question 19

What questions should be asked to determine the risk of material misstatement?

Answer 19

Were all transactions recorded? Were they timely? Measured appropriately? Recorded in correct period? Presented and disclosed properly? Did Management communicate their responsibilities?

Question 20

What is the purpose of testing Internal Controls?

Answer 20

Auditor needs reasonable assurance that controls are functioning as designed and effective Internal Control Testing should be strong as (IRON) so that nothing gets past them Inquiry - Interview company personnel Re-performance - Can it be replicated? Observation - Watch the control be applied INspection - Dig into the details/documents If results are as expected- substantive procedures do not need to be adjusted

Question 21

When can controls tested by an auditor in a prior year be used in the current year’s audit assessment?

Answer 21

Controls tested by auditor in a prior year can be used in the current year’s audit assuming they are re-tested every third year Exception If the control has changed since the last audit

Question 22

What happens if Internal Controls are deficient?

Answer 22

Control Risk increases Scope of substantive procedures increases Detection Risk decreases Material Weakness - Reasonable possibility that a material misstatement in Financial Statements would not be found- more than a remote chance of occurrence

Question 23

What is a Material Weakness?

Answer 23

Reasonable possibility exists that a material misstatement in Financial Statements would not be found- and has more than a remote chance of occurrence.

Question 24

What does Tracing test?

Answer 24

Tests Completeness Starts with source document and traces forward to the journal entry.

Question 25

What does Vouching test?

Answer 25

Tests Existence. Starts with a journal entry and searches for a voucher or source document to support the entry.

Question 26

What activities represent Segregation of Duties?

Answer 26

Non-compatible duties performed by separate individuals- such as Authorization of asset disbursement vs. Recording of Assets vs. Custody of assets If supporting audit evidence doesn’t exit - use Observation and Inquiry Accounting should be segregated from Production

Question 27

With respect to signing checks - how are duties segregated?

Answer 27

Employees who prepare vouchers/invoices should not also have the authority to SIGN CHECKS Tip - Remember this as an underlying theme with Segregation of Duties. The authority to make a payment should not also lie in the hands of those creating invoices/vouchers. Why? People commit fraud by setting up fake companies and basically paying themselves

Question 28

With respect to custody of assets - how should duties be segregated?

Answer 28

Employees who have custody of assets should not also RECORD those assets Someone in charge of petty cash should not also control the petty cash records Treasury Department (custodians) should NOT have record keeping duties They control assets and should not be able to adjust any recording of those assets

Question 29

What are the limitations on Control Activities?

Answer 29

Controls can’t stop collusion or bad judgment Management can override controls Cost vs. Benefit relationship of Internal Control

Question 30

What is required if a Material Weakness is identified?

Answer 30

A written report to management is required. Report declaring that no material weaknesses were found is allowed Previous weaknesses reported that still exist should be reported again Should be reported no later than 60 days after audit report release date If one or more material weaknesses is uncorrected at year-end- an Adverse Opinion on Internal Control must be given

Question 31

What is the effect of a Significant Deficiency? What is it?

Answer 31

A significant deficiency adversely affects a company’s ability to report in the financial statements according to GAAP. A significant deficiency is a more than a remote likelihood of material misstatement by more than an inconsequential amount

Question 32

What must occur if a Significant Deficiency is identified?

Answer 32

If a Significant Deficiency is identified- a written report to management required Report declaring that no significant deficiencies exist is not allowed Previous deficiencies reported that still exist should be reported again Should be reported no later than 60 days after the audit report release date

Question 33

What is a Control Deficiency?

Answer 33

A control is not operating as intended.

Question 34

What must an auditor ask if using the work of third parties?

Answer 34

Are they competent? Are they objective?

Question 35

What must an auditor understand with respect to internal auditors?

Answer 35

Auditor needs to understand the role of Internal Auditors within the organization because their work affects the audit plan Responsibility for judgments about materiality or appropriateness of entries or estimates cannot be shared with third parties like Internal Auditors Internal Auditors should be asked to do some of the legwork like preparing schedules or running reports They should not be asked to make any decisions or judgments

Question 36

What is required in an examination of Internal Control under Sarbanes-Oxley?

Answer 36

CEO/CFO must disclose deficiencies Management must provide assessment of Internal Controls Management must certify Financial Statements

Question 37

What is the relationship between Internal Control and Substantive Testing?

Answer 37

Has inverse relationship Stronger Internal Control results in LESS substantive testing Weaker Internal Control leads to MORE substantive testing

Question 38

What are the three objectives of Internal Control?

Answer 38

Reliability of Financial Reporting Operational Efficiency/Effectiveness Compliance with Law and Regulations

Question 39

What are the five components of Internal Control?

Answer 39

Control Activities Risk Assessment Information and Communications Monitoring Control Environment

Question 40

What are the components of the Control Environment?

Answer 40

Integrity/Ethics of Management Competence of Management Organizational Structure Human Resources Policies Assignment of Authority/Responsibility Management’s Style (riskier with a dominant/aggressive individual) Board/Audit Committee involvement

Question 41

What happens when Control Risk is below the maximum level?

Answer 41

Auditor tests Internal Controls. Auditor evaluates Control Risk based on tests Auditor adjusts substantive tests accordingly Weaker Internal Control - More substantive tests Stronger Internal Control - Less substantive tests

Question 42

What should an auditor understand with respect to Information and Communication on an audit?

Answer 42

Understand Client’s Major transaction classes Transaction initiation Support records/documents Transaction processing Financial Statement internal reporting process Financial Statement external communication process

Question 43

How must an auditor document understanding of Internal Control?

Answer 43

Auditor must document understanding of Internal Control via Memos - Flowcharts - Questionnaires

Question 44

What is the purpose of testing Internal Controls?

Answer 44

Auditor needs reasonable assurance that controls are functioning as designed and effective Internal Control Testing should be strong as (IRON) so that nothing gets past them Inquiry - Interview company personnel Re-performance - Can it be replicated? Observation - Watch the control be applied INspection - Dig into the details/documents If results are as expected - substantive procedures do not need to be adjusted