Internal Control Flashcards
What is internal control?
Provides reasonable assurance that
- ) Material misstatements will be prevented
- ) reliability and integrity of F/S will be preserved
- ) Assets are protected against misuse.
Examination of I/C is required by mgmt under?
Sarbanes-Oxley
Under Sarbanes-Oxley what must management do?
- ) CEO/CFO must disclose deficiencies
- ) Mgmt must assess I/C
- ) Mgmt must certify F/S
What type of relationship does I/C have with Substantive Testing?
An inverse relationship
Stronger I/C =
Less testing needed
Weaker I/C =
More testing needed
What are the 3 objectives of I/C?
- ) Reliability of Financial Reporting
- ) Operational efficiency/effectiveness
- ) Compliance with Law and Regulations
What are the 5 components of I/C?
- ) Control environment
- ) Risk assessment
- ) Control activities
- ) Information and communication
- ) Monitoring
What does the control environment assessment do?
Sets tone for the entire company
What are the 8 questions that the control environment assessment should address?
- ) How are mgmt’s integrity/ethics
- ) Is mgmt competent
- ) Healthy organizational structure
- ) Appropriate HR policies
- ) Authority/responsibility assignments
- ) What is mgmt’s style
- ) Is mgmt agressive
- ) Are the Board/Audit Committee actively involved
What is the risk of material misstatement? (RMM)
determines acceptable level of detection risk
What is detection risk? (DR)
Detection risk determines the nature, timing, and extent of audit procedures
What type of growth is considered risky?
Rapid
What are 3 risk assessment questions to ask about mgmt?
How does mgmt:
- ) Identify risks
- ) Estimate significance
- ) Assess occurrence likelihood
When performing a risk assessment what are the major changes that need to be addressed?
- ) operations
- ) personnel
- ) systems
- ) IT
- ) products
- ) corporate organization
- ) foreign ops
What type of I/C testing is performed when control risk is assessed at maximum?
None
What types of procedures are performed when control risk is assessed below maximum?
- ) tests I/C
- ) evaluates control risk based on tests
- ) adjusts substantive tests accordingly
What are 4 types of control activities?
- ) performance reviews
- ) information processing
- ) physical controls
- ) segregation of duties
When it comes to information and communication what are 6 things an auditor needs to understand?
- ) major transaction classes
- ) transaction initiation
- ) support records/documents
- ) transaction processing
- ) financial statement internal reporting process
- ) financial statement external reporting process
How can an auditor document I/C?
- ) memo
- ) flowchart
- ) questionnaires
Understanding I/C allows the auditor to determine what?
The nature, timing and extent of planned audit procedures.
What are 6 risks associated with material misstatements?
- ) were all transactions recorded
- ) were they recorded timely
- ) were they measured appropriately
- ) were they recorded in the correct period
- ) were they presented and disclosed properly
- ) did mgmt communicate their responsibilities
I/C should be IRON strong. What does IRON stand for?
I - inquiry: interview co personnel
R - re-performance: can it be replicated
O - observation: watch the control being applied
N - inspection: dig into the details/documents
Substantive procedures should not need to be adjusted if the results of I/C testing are?
as expected
If internal controls are deficient:
- ) Control risk increases
- ) Substantive tests increase
- ) Detection risk decreases
- ) a more than remote chance that a material misstatement in F/S would not be found
What does tracing test?
Tests completeness.
Starts with the source document and traces forward to journal entry
What does vouching test?
Tests existence.
Starts with journal entry and searches for a voucher or source document to support the entry
What does T before V and C before E mean?
Tracing = Completeness Vouching = Existence
What are 3 limitations of I/C?
- ) controls can’t stop collusion or bad judgement
- ) Mgmt can override controls
- ) cost vs benefit
How are material weaknesses reported?
- ) reasonable possibility that controls will not prevent a material misstatement
- ) written report required; can issue a report with no material weaknesses
- ) previous weaknesses that still exist should be reported again
- ) should be reported no later than 60 days after audit report release date
- ) If one or more material weaknesses is uncorrected at year-end and adverse opinion on I/C must be given
How are significant deficiencies reported?
- ) adversely affects company’s ability to report F/S in accordance with GAAP
- ) important enough to merit attention by those responsible for oversight of the company’s financial reporting
- ) written report to mgmt required: cannot issue a report with no significant deficiencies
- ) previous deficiencies reported that still exist should be reported again
- ) should be reported not later than 60 days after audit repot release date
What is a control deficiency?
- ) a control is not operating as intended
2. ) written report to mgmt is not required
When using the work of a third party (internal auditor) you should determine if they are:
- ) competent
2. ) objective
An internal auditor reporting to the audit committee is:
More objective and reliable
An internal auditor reporting to a manager is:
Less objective and reliable
