Internal Control Flashcards

1
Q

How does the auditor assess the risk of material misstatement of the financial statements, whether due to error or fraud, and design the nature, timing, and extent of further audit procedures?

A

By obtaining a sufficient understanding of the entity and the environment, including its internal control.

2
Q

What are the objectives of internal controls and which one is the primary interest of the outside auditor?

A

Accurate & reliable financial reporting <– primary interest

Compliance with laws and regulations

Effectiveness and efficiency of operations

(ACE)

3
Q

5 Components of Internal Control under the COSO Framework

A
  1. Control activities (PIPS)
  2. Risk Assessment by the entity
  3. Information Systems and Communication
  4. Monitoring
  5. Control Environment (CHOPPER)

(CRIME)

4
Q

What control activities is the auditor interested in?

A

Whether the management does:

  • Performance Reviews - CRAFT
  • Information processing - general vs. application controls
  • Physical controls - access to assets
  • Segregation of Duties (ARCCS)

(PIPS) for C in CRIME

5
Q

What does an entity’s risk assessment for financial reporting purposes focus on and what factors does the risk assessment include?

A

Focuses on the identification, analysis, and management of risks relevant to the preparation of F/S that are fairly presented in conformity with GAAP

Includes risks that affect the entity’s ability to properly record, process, summarize, and report financial data.

Include external and internal factors such as:

  • changes in operations
  • new personnel
  • new/upgraded IT
  • rapid growth, new technology
  • new lines of business, products or activities
  • restructurings
  • foreign operations
  • accounting pronouncements

NOTE: Risk Assessments are NOT the same activities as Monitoring. They are two distinct activities. Do not confuse the two.

6
Q

An entity’s ongoing monitoring activities often include

  • Periodic audits by the audit committee
  • Reviewing the purchasing function
  • The audit of the annual financial statements
  • Control risk assessment in conjunction with quarterly reviews
A

Reviewing the purchasing function

Audit committees do not do periodic audits. Audit committees hire an external auditor to do these audits. Same for annual financial statements.

Control risk assessment has nothing to do with ongoing monitoring activities. They are two distinct activities: CRIME

7
Q

What elements or factors should the auditor look for when obtaining an understanding of an entity’s internal control structure?

What techniques or procedures can the auditor use for obtaining the understanding to assess control risk?

A

CRIME + PIIO

NOTE: P = Prior Audits

8
Q

What is management’s objective of monitoring controls?

A

Because management is responsible for establishing and maintaining internal control, management monitors controls to ensure that they are operating as intended and that they are modified as appropriate for changes in conditions.

9
Q

How are an entity’s risk assessment and monitoring activities different?

A

An entity’s risk assessment = a process that identifies, analyzes, and manages risks relevant to the preparation of F/S that are fairly presented in conformity with GAAP.

Monitoring = a process that assesses the quality of internal control performance over time.

10
Q

What does an entity’s information system consist of?

A

Methods and records used to record, process, summarize, and report the company’s transactions and to maintain accountability for the related accounts.

11
Q

What are the control factors in an organization’s environment?

A

Commitment to competence

Human resource policies & practices that enforce training of employees and new hires

Organizational structure - the simpler, the easier to DIM the I/C

Participation of those charged with Governance - audit committee actively monitors the internal audit function*

Philosophy of management & operating style - tone at the top

Ethical values & integrity

Responsibility is assigned to different employees to ensure segregation of duties

CHOPPER

*Note - the audit committee does not do the audits themselves. They check in with the internal audit to put pressure on management to be more attentive.

12
Q

What steps does the auditor take to obtain an understanding of the internal control structure?

A
  1. Perform risk assessment procedures (CRIME + PIIO): What controls are implemented?
  2. Document the understanding of I/C through FIND
  3. Assess the RMM to decide whether the controls are expected to operate effectively
  4. Perform Test of Controls on the controls that are implemented to see if they are operating effectively (test the cycles for ARCC’s by doing RIIO)
  5. Reassess RMM to determine DR - to decide how much substantive testing to do
  6. Document conclusions
13
Q

When can an auditor avoid testing a control?

A
  • When the control is expected to not operate effectively because the control appears to be inadequate / ineffective / weak (Control Risk is at Maximum)
  • When performing the substantive procedures is more cost effective than performing test of controls (cost of ToC < Benefit)

This is the SUBSTANTIVE approach

14
Q

Can the auditor skip substantive testing if a control appears to be effective?

A

NO, the auditor still has to perform substantive testing in conjunction with the test of controls. All the auditor has to do is decrease the scope of the substantive procedures, not eliminate these procedures. This is the COMBINED approach.

No audit is ever performed without any substantive testing of details. Therefore, we never, ever eliminate substantive testing from our audit.

15
Q

What is the objective of a test of control?

A

To evaluate the operating effectiveness of a control after the auditor’s risk assessment presumes the control to be effective.

16
Q

What is the difference between risk assessment procedures on the entity’s internal control structure and a test on the entity’s internal control?

A

Risk assessment procedures on the entity’s internal control structure = aid the auditor in evaluating whether the control has been suitably designed and implemented

(the control actually exists and is presumed to work)

Test of control = aids the auditor in evaluating whether the control is operating effectively and is only done after risk assessment shows the control was implemented.

(the control actually works or fails)

17
Q

Techniques for documenting the auditor’s understanding of internal control.

A

Flowchart - visual depiction of the structure

Internal Control Questionnaire (ICQ) - Each question is designed to identify a potentially useful I/C element that might be relied upon if it is operating effectively. (MOST popular b/c most structured and easiest for inexperienced auditors to use)

Narrative or Memorandum - detailed written description of the structure

Decision table/tree - depicts the logic of an operation or process, uses Yes/No questions, ad hoc queries, LIMITED use, need to use in conjunction with other documentation

FIND

18
Q

What is the benefit of obtaining an understanding of an entity’s internal control structure and what is the auditor primarily focused on?

A

To identify which controls to rely on in order to reduce the risk of misstatements (Control Risk) and ultimately, reduce substantive testing.

The auditor is primarily focused on identifying those controls that are implemented while obtaining this understanding of the internal control structure.

(Operating effectiveness of the control comes after the understanding.)

19
Q

Can a test of details be performed as a test of a control? Why or why not?

A

YES, the test of details evaluates whether a control operated effectively because:

  • If the test of details shows the account balance is correct, this indicates the controls must be operating effectively.

(Balance is correct = control is working)

  • If the test of details shows the account balance is misstated, this indicates the controls are not operating effectively as they should be.

(Balance is misstated = control failed)

20
Q

The objective of tests of details of transactions performed as tests of controls is to

  • Monitor the design and use of entity documents such as prenumbered shipping forms.
  • Determine whether internal controls have been implemented.
  • Detect material misstatements in the account balances of the financial statements.
  • Evaluate whether internal controls operated effectively.
A

Evaluate whether internal controls operated effectively.

Recall that tests of details of transactions examine the actual amounts and if tests of details show that the transactions’ amounts are misstated, then it shows the control is not working as expected. Conversely, if the amounts are correct, then it shows the control operated effectively as expected.

21
Q

What is the objective of the tests of details of transactions, balances, and disclosures?

A

Verifying the account balances, the transactions, and disclosures and that these details are the source of the account balances.

Used for testing a control AND substantive testing (Concurrent or dual-purpose testing)

NO audit is performed without including substantive tests of details.

Can be used for testing a control by identifying whether the account balance or transactional amounts are misstated. If misstated, indicates control failed to operate effectively.

22
Q

What are the inherent limitations of an entity’s internal control structure regardless of its strength?

A

Collusion - employees conspire together

Override by management - recall this must always be addressed in a fraud risk assessment because it is inherent. Even the most effective I/C structure cannot prevent intentional misbehavior by management

Competence - mistakes happen

Obsolescence - since a company’s operations or size can change at any point

(COCO)

23
Q

Can a test of details (substantive testing) be done concurrently with test of controls?

A

YES, this is known as the dual-purpose test in audit sampling.

24
Q

Describe a scenario of how a dual-purpose test is used for testing a control.

A

ABC Co is to be audited by your firm.

You chose to focus on credit sales transactions, so you inquire of the client about the following:

Do you sell goods on credit? – answer == Yes
Do you check consumer credit before you approve credit sales? – answer == yes
Do you have a department that verifies credit? – answer == yes
Do you mark the documents verified to show that credit was checked? – answer == yes

Based on the results of the risk assessment procedure (Inquiry), you conclude that controls have been properly designed and implemented as it relates to credit sales. Accordingly, you assess the control risk below maximum for credit sales - meaning you presume the control works. You also document this understanding in the risk assessment.

Next, you need to verify that control risk (or RMM) is actually below maximum for misstatement of the client’s credit sales by determining whether the control operated as expected. This is the test of controls phase. You:

Take a sample of the client’s credit sale transactions.

Vouch the transactions to the approval documents ► Test of Details because we verify the details of the credit sales (transactions) to the approval documents.

Inspect the approval documents to see if the sales were approved as appropriate. ► **Test of Details because we test the details of the approval documents AND Test of Controls because we test to see whether the control worked as presumed (operational effectiveness).**

25
Q

What are the four procedures for testing a control?

A

Reperformance - Reenact the process under the control

Inspection - documentary evidence

Inquiry - ask client personnel involved in controls to state how effectively controls were enforced

Observation - watch client personnel perform their regular functions to see if they follow the controls that were designed and implemented. (MOST powerful evidence)

(RIIO)

26
Q

How often should a continuing client’s internal controls be tested for operating effectiveness?

A

**Once in every third year** to ensure controls operated effectively

27
Q

If the auditor plans to use audit evidence about the operating effectiveness of controls obtained in prior audits and the controls have not changed since they were last tested, then what must the auditor do?

A

Test these controls once every third year to ensure they operated effectively.

28
Q

If an auditor finds significant deficiencies or material weaknesses in an audit engagement on a non-issuer client, then how should they be communicated?

A

Communicate all significant and material weaknesses to management and those charged with governance in a Letter of Recommendation (in writing) by the report release date, but NLT 60 days after report release.

Note that identifying such deficiencies is not an objective of the audit of a non-issuer’s financial statements. The auditor is still required to notify management and those charged with governance in writing of any significant deficiencies or material weaknesses that happen to come to the auditor’s attention during the engagement.

29
Q

Is the auditor required to re-communicate significant deficiencies and material weaknesses to the client if they have not been resolved?

A

Yes, the auditor must re-communicate these findings to the client.

30
Q

How are control deficiencies in audit or attestation engagements for non-issuers and issuers similar or dissimilar?

A

For non-issuers, a control deficiency is where the operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect and correct misstatements on a timely basis.

For issuers, a control deficiency is where the operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements on a timely basis.

31
Q
A
32
Q

At what level should the auditor assess the risks of material misstatement?

A

At the financial statement and relevant assertion levels

33
Q

Why does the auditor care about the internal control structure?

A

The internal control structure relates to whether the assertions relevant to the financial statements are CORRECT, and therefore the auditor may rely on internal controls relevant to these assertions.

The assertions that we care about are the ones that are likely to prevent or detect material misstatements.

34
Q

What does the auditor need to consider to assess the risk of material misstatement and determine which controls to test?

A

Identify the risks.

Relate the identified risks to the types of potential misstatements that could occur at the relevant assertion level.

Consider whether the risks are so significant that they could result in a material misstatement of the financial statements.

Consider the likelihood that the identified risks could result in material misstatements on the financial statements.

35
Q

When does the auditor make the final assessment of the risk of material misstatement to the relevant financial statements and assertions?

How does the auditor respond to the final assessment of the risk of material misstatement?

A

After the auditor has obtained an understanding of the internal control structure on which controls are implemented and tested the implemented controls for operational effectiveness.

The auditor then uses these results, which are the final assessment, to modify the audit program by increasing/decreasing substantive testing needed to obtain sufficient appropriate audit evidence.

36
Q

What is the objective of the preliminary assessment of control risk and inherent risk (RMM) and what is it usually based on?

A

We assess RMM to set the level of DR that we are willing to accept. (NOTE - Auditor controls DR)

The preliminary assessment of RMM is usually based on prior experience with the client or predecessors’ audits.

37
Q

Under SOX, what is management of an entity responsible for?

A
  • Maintaining effective I/C
  • Disclosing all significant I/C deficiencies to the issuer’s auditors and audit committee
  • Reporting any fraud (even immaterial) involving management or employees having a role in I/C
38
Q

Can management refuse to address a deficiency in the internal control system?

A

Yes, so long as it is aware that the deficiency exists and can justify that the costs of addressing it outweigh the benefits

39
Q

True/False:

When an auditor identifies a significant deficiency or a material weakness in the client’s internal control system and management was previously notified of the issues, but justified that the cost of remedying the issues outweighs the benefits. The auditor must obtain a written representation from management for its cost-benefit justifications.

A

FALSE - the auditor does NOT obtain a written representation from management for its cost-benefit justifications because it was already known to management and the client.

40
Q

Who is most likely to commit fraudulent financial statements?

A

Management because it is often in a position where it can override controls in order to commit financial-statement fraud.

41
Q

What does the auditor test for on every audit under SAS 99 (AU 316)?

A

Override by management (COCO) because that is where financial statement fraud is most likely to be found

42
Q

What are the reasons for an audit not being able to detect a material misstatement despite being properly planned and performed?

A
  • Fraud is often concealed very well through collusion or falsified documents (COCO)
  • An auditor’s professional judgment can’t always identify every possible fraud risk factor. (We’re humans, too)
43
Q

Controls that Prevent vs. Detect and Correct

A

Controls that **Prevent** misstatements before they occur are most effective, but more $$ to implement

Controls that **Detect and Correct** misstatements after they occur are least effective, but cheaper to implement (could be too late)

44
Q

Cashier vs. Cash Receipts Clerk

(Revenue Cycle)

A

Cashier - Receives cash and checks then deposits funds at the bank (Custody)

Cash Receipts Clerk - Receives Remittance list and posts to cash receipts journal (Recording)

45
Q

How do the cashier and cash receipts clerk get what they need in order to perform their duties?

A

The mail room clerk/receptionist **opens the mail that has the checks/cash and remittance advices; prepares a remittance listing (“prelist”), then delivers the cash/checks to the cashier and remittance to the cash receipts clerk.**

This ensures that the cash receipts clerk does not touch the cash/checks and that the cashier does not steal the cash/checks when depositing at the bank.

46
Q

What method can a company use to eliminate employees’ handling of cash and checks in the revenue cycle?

A

By directing customers to submit their payments directly to a bank lockbox instead of to the company itself.

47
Q

What must the purchasing clerk do when placing an order? What follows after the order is placed?

A

Prepare the Purchase Order and submit to the vendor

Send additional copies of the PO to Receiving to allow it to receive the goods AND to Payables to allow it to do comparisons later.

Note - the copy of the PO sent to Receiving does NOT include quantities for goods ordered to allow for an independent count of goods received, which is submitted as a Receiving Report. The report is sent to Payables for comparison with the PO.

Payables clerk compares the PO and receiving report with vendor invoice to ensure they agree before preparing a payment voucher.

48
Q

Who usually prepares the check for payment for purchases?

A

Usually by a clerk in the treasury department who does not have signature authority.

The clerk provides an unsigned check with payment voucher and supporting documents to the treasurer for signature.

49
Q

Who has authority to sign checks for payments, issue credit memos, and bad debt write-offs?

A

Treasurer signs the check for payment and immediately cancels the supporting documents (voids), issues credit memos, and bad debt write-offs.

50
Q

What should the treasurer do when s/he receives an unsigned check?

A

Make sure the check agrees with the voucher and supporting documents (receiving report, purchase order, vendor invoice, requisition)

Sign the check and seal in envelope and arrange for mail

Immediately cancel or void the supporting docs to avoid duplication