Internal Control Flashcards

1
Q

What is internal control?

A

A process designed to provide reasonable assurance that objectives are met

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

What are the five components of internal control?

A
Control activities
Risk assessment
Information and communication systems
Monitoring
Environment
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

What are control activities?

A

Activities/processes taken to reduce risk, as decided by management

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

What are some common control activities?

A

Performance reviews

Information processing (verifying transaction info)

Physical controls

Segregation of duties

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

What is risk assessment?

A

The entity’s (not the auditor’s) analysis of risks

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

What is monitoring?

A

Evaluating the internal control system’s effectiveness over time (and making certain corrections)

It is necessary, since internal controls tend to fail over time

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

What is the control environment?

A

The general “atmosphere” for controls, consisting of attitudes within mgmt and personnel to excellence and integrity

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

Is it necessary for an entity to have all five components of internal control?

A

No – the framework is helpful for the auditor’s evaluation, not necessarily a description for all entities

Also, the auditor’s main job is testing effectiveness, not categorizing

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

Should the auditor evaluate all of an entity’s internal control systems?

A

No, only controls relevant to the financial statements (and only ones with significant risks)

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

What are some examples of irrelevant controls?

A

Controls to ensure compliance with safety regulations

Controls to set an optimal price on a product

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

What is an important consideration when evaluating controls?

A

Some controls will have overlapping purposes – both financial reporting and operations (e.g. a lockbox for collecting payments)

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

What are the two parts of understanding a control?

A

Design – whether it prevents/detects misstatements

Implementation – whether it is actually being used

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

What are some procedures for assessing the design and implementation of controls?

A

Inquiries

Observing the applications of controls

Inspecting documents

Tracing transactions through the information system

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

What should the auditor document regarding internal control?

A

(1) Key elements of the five components
(2) Sources
(3) Risk assessment procedures that were performed

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

What are different ways to document an entity’s internal control?

A

Flowchart

Questionnaire

Narrative/memorandum

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

What are the advantages and disadvantages of a flowchart?

A

Advantages:

  • very clear
  • hard to overlook things
  • requires complete understanding to create

Disadvantages:
-more time-consuming to create

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
17
Q

What is the questionnaire approach to documenting internal control?

A

Simply listing questions to be answered

E.g. “Are the subsidiary ledgers frequently balanced with the control accounts?”
“Are these two duties properly segregated?”

18
Q

What are the advantages and disadvantages of a questionnaire?

A

Advantages:

  • easy to create
  • requires listed issues to be covered
  • weaknesses are obvious (“no”)

Disadvantages:
-can be too general

19
Q

What is the narrative approach, and what are its advantages and disadvantages?

A

Simply writing out what the system is

Advantages:

  • unique to each engagement
  • requires good understanding to create

Disadvantages:

  • takes a long time
  • lacks safeguards if auditor overlooks something
20
Q

When should the auditor perform tests of controls?

A

Either:

  • when his risk assessment includes an assessment of controls’ effectiveness
  • when substantive procedures alone don’t reduce detection risk enough
21
Q

What is the difference between risk assessment procedures on controls and tests of controls?

A

In risk assessment procedures, the auditor evaluates control design and implementation

In tests of controls, he tests effectiveness

These can sometimes be performed simultaneously

22
Q

What are some tests for the operating effectiveness of controls?

A

Generally the same as for testing design and implementation of controls:

  • inquiries
  • inspection of documents
  • observation of control’s application
  • reperformance of control by auditor
23
Q

What is important to know regarding the different kinds of tests for controls’ operating effectiveness?

A

Combinations of them should be used

E.g., inquiries alone are insufficient

24
Q

How do the results of substantive procedures bear on the effectiveness of controls?

A

A lack of misstatement does not mean controls are effective, but misstatements might mean that controls are ineffective

Any misstatements found by the auditor but not the entity are significant deficiencies

25
Q

What should an auditor test for controls’ operating effectiveness if he plans to rely on prior period evidence?

A

If controls have changed, they need to be tested

If not, they should be tested at least once per three years (though more frequently the more crucial the control is)

26
Q

How should auditors treat prior evidence for the effectiveness of controls that mitigate significant risk?

A

They should consider it but not rely upon it

It should be tested even if the control is unchanged from the prior period

27
Q

What qualifies as a deficiency in the design of an internal control?

A

Not merely whether a control would not detect a misstatement if operating properly, but also if a control is missing

Distinguished from a deficiency in operation, which occurs when a control does not operate as designed

28
Q

For controls, what is the difference between a material weakness and a significant deficiency?

A

Material weakness = reasonable possibility that control will lead to material misstatement

Significant deficiency = not as bad, but still requires attention

29
Q

What should the auditor do if there are multiple significant deficiencies for a control?

A

Determine whether they, in aggregate, are a material weakness

30
Q

What is a compensating control?

A

A control that limits the extent of a deficiency

31
Q

What control deficiencies should be reported to management and TCWG?

A

All significant deficiencies and material weaknesses, including ones previously mentioned but not yet fixed

Must be in writing

32
Q

When should control deficiencies be reported to management and TCWG?

A

Issuers must do this before the audit report is issued on the financial statements
-Otherwise, the latest is within 60 days of the report release date

Some deficiencies should be communicated during the audit, though not necessarily in writing

33
Q

What is the report release date?

A

When the auditor grants permission for the entity to use the audit report for their financials

34
Q

What should be included in the auditor’s written communication for control deficiencies?

A

(1) that the auditor aims to express an opinion on the financials, not on controls per se
(2) a definition of “significant deficiency” and “material weakness”
(3) that the auditor did not aim to uncover all SDs and MWs
(4) a clear distinction between deficiencies identified as SDs and MWs
(5) that the communication is intended only for the specified parties

35
Q

For communication on control deficiencies, what should the auditor say if he finds no significant deficiencies or material weaknesses?

A

He can make a communication stating that no material weaknesses were found, but not one stating that no significant deficiencies were found

36
Q

What are five objectives for an internal control system?

A

(1) Authorization
(2) Validity (e.g. whether a transaction has occurred)
(3) Recording
(4) Tracking assets
(5) Custody of assets/limited access

37
Q

What subsidiary objectives comprise the objective of proper recording?

A

(i) Completeness
(ii) Valuation
(iii) Classification
(iv) Timing

38
Q

What duties should be segregated for the processing of a transaction?

A
  • authorization
  • record keeping
  • custody
39
Q

What enables documents to be tracked through the control system?

A

Prenumbering them

40
Q

What are some common types of transaction cycles?

A

(a) Sales-Receivables-Cash Receipts
(b) Purchases-Payables-Cash Disbursements
(c) Inventory & Production
(d) Personnel & Payroll
(e) Property, Plant, & Equipment

It helps to apply internal control objectives within these groups