QB Chapter 5: Internal Control Flashcards

1
Q

ISA (UK) 315, Identifying and Assessing the Risks of Material Misstatement Through
Understanding of the Entity and Its Environment states that an internal control system in an
organisation consists of five components: the control environment, the entity’s risk
assessment process, the information system, control activities and monitoring of controls.
For each of the following examples, select the component which it illustrates.
The process of preparing the financial statements
A Control environment
B Information system
C Control activities
Locking the inventory storeroom
D Control environment
E Information system
F Control activities

A

B,F The process of preparing the financial statements forms part of the information
processing system.
Locking the inventory storeroom is a specific control activity.
None of the above relate to the control environment, which refers to the management
style and philosophy towards controls.

2
Q

In each of the following three cases, select whether control risk is higher or lower than
normal.
The company has an established and well-resourced internal audit function.
A Control risk is higher than normal
B Control risk is lower than normal
The company has a history of reviewing financial performance on a regular basis at board
level.
C Control risk is higher than normal
D Control risk is lower than normal
Purchase invoices are not authorised before payment.
E Control risk is higher than normal
F Control risk is lower than normal

A

B,D,E
Control risk is lower than normal (ie, internal controls are stronger) where the company
has an established internal audit function (which strengthens the control environment
by monitoring the adequacy and effectiveness of the controls in place) and where the
board has a track record of performance review, monitoring and investigating
deviations from expected performance. Control risk is higher than normal where
purchase invoices are not authorised (control deficiency).

3
Q

Which three of the following statements about audit committees are correct?
A At least 50% of the members of an audit committee must be non-executive directors
B Listed companies are required to have an audit committee
C Audit committees are considered to be good practice for all large companies
D If a company has an internal audit function, the chief internal auditor should sit on the
audit committee
E Audit committees are an important aspect of a company’s control environment

A

B,C,E
Option A is incorrect as all members of an audit committee must be non-executive
directors. Option D therefore is also incorrect. The chief internal auditor does not sit on
the audit committee, but should ideally report directly to this committee.

4
Q

According to ISA (UK) 315, Identifying and Assessing the Risks of Material Misstatement
Through Understanding of the Entity and Its Environment, which three of the following are
aspects of an entity’s control environment?
A The attitude of the directors to internal controls
B The attitude of staff to internal controls
C The awareness of internal control issues in the company
D The actions of senior management in relation to internal controls

A

A,C,D
Option B is not correct as it is the attitude of management and senior staff that will
shape the entity’s control environment and not that of the ordinary staff.

5
Q
For each of the following internal controls, which is the principal limitation?
The preparation of a bank reconciliation
A Human error
B Collusion
Segregation of duties in a sales system
C Human error
D Collusion
A

A,D For the preparation of reconciliations where calculations are involved, the inherent
limitation is that these reconciliations are susceptible to human error. Even where
duties are segregated, this control can be overridden by the collusion of the parties
involved.

6
Q

Which one of the following is not part of an entity’s risk assessment process?
A Identify relevant business risks
B Estimate the impact of risks
C Assess the likelihood of occurrence
D Decide upon actions to manage the risks
E Report the process to the auditors

A

E Reporting the process to the auditors is part of the external audit process and not part
of the internal risk assessment process.

7
Q

For each of the following statements about the information system in a company, select
whether they are true or false.
The information system comprises only the IT system of a company.
A True
B False
The information system includes the process of preparing the financial statements, such as
the production of journals.
C True
D False

A

B,C The information system comprises all the information (be it in hardcopy or electronic
form) that flows into the financial statements and does include the whole process of
financial statement preparation.

8
Q

The following are examples of internal controls which operate at Badweather plc.
For each example, select the type of control activity which it illustrates.
The financial controller counts petty cash on a monthly basis.
A Authorisation
B Information processing
C Physical control
There are two keys to the locked finance department safe: one held by the finance director
and the other by the managing director.
D Authorisation
E Information processing
F Physical control

A

C,F Both are physical controls.

9
Q

The following are examples of internal controls which operate at Castle Ltd.
For each example, select the type of control activity which it illustrates.
The financial controller reconciles the receivables ledger to the receivables ledger control
account monthly.
A Performance review
B Information processing
C Segregation of duties
The receivables ledger clerk posts invoices to the receivables ledger. The cash book clerk
posts cash receipts to the receivables ledger.
D Performance review
E Information processing
F Segregation of duties

A

B,F Reconciliations are information processing as they are undertaken to check the
completeness and accuracy of information. Having separate clerks recording sales
invoices and posting cash receipts in the sales ledger reduces the risk of fraud and
error (is therefore a segregation of duties control).

10
Q

The following are examples of computer controls which operate at Goody plc.
For each example, select the type of computer control which it illustrates.
Storing extra copies of programs and data files off-site
A General
B Application
Programmes to check data fields on input transactions
C General
D Application
Manual checks to ensure that input data were authorised
E General
F Application

A

A,D,F
Option A is a general control as it supports the effective functioning of application
controls. Options D and F are correct as they relate specifically to the processing of
individual applications.

11
Q

Which one of the following would be the simplest way of recording a straightforward
system not subject to a great deal of change annually?
A Flowchart
B Narrative notes
C Questionnaire
D Family tree

A

B Narrative notes would be the simplest way of recording a straightforward system that
is not subject to a great amount of change annually. It is, however, the least
effective way in terms of readily identifying the system in operation and the
deficiencies of the system.

12
Q

Which three of the following would be the best sources of information about a company’s
systems?
A The company’s procedures manual
B The internal audit function’s system notes
C The prior year audit file
D Inquiries made of company staff
E The company’s website

A

A,B,D
Option C is not correct as while the prior year audit file will be useful, the system may
have changed in the intervening period. The company’s website is very unlikely to
contain details on the internal control system. SAMPLE PAPER

13
Q

Most entities make use of IT systems for financial reporting and operational purposes.
Controls operating in an IT environment can be split into general controls and application
controls.
Which one of the following is an application control?
A Training staff in new IT procedures
B Taking back-up copies of programs
C Maintenance agreements over IT equipment
D Cyclical reviews of all master files

A

D Cyclical reviews of the master files are an application control. The remainder of the
options available are general controls.

14
Q

Which two of the following represent inherent limitations of a system of internal controls?
A Lack of controls over the purchases system
B Lack of understanding of the purposes of controls
C Lack of staff to ensure segregation of duties
D The possibility that staff members will collude in fraud

A

B,D Options A and C are incorrect as they are control deficiencies, rather than inherent
limitations of an internal control system as such.

15
Q

Which two of the following are authorisation control activities?
A A bank reconciliation signed by the finance director
B A cheque payment run approved by the finance director
C An appraisal of the sales ledger clerk by the finance director
D A trial balance compiled by the finance director

A

A,B Appraising the sales ledger constitutes performance review, and compiling the trial
balance is an information processing control activity.

16
Q

With regards to internal control systems in small entities, select whether each of the
following statements is true or false.
Smaller companies are more likely to be successful in the implementation of segregation of
duties controls.
A True
B False
Management override is more likely to take place in smaller companies.
C True
D False

A

B,C Small companies are less likely to be successful in the implementation of segregation
of duties controls due to the limited number of employees available to segregate
specific tasks within the various cycles. Given the limited number of staff in small
companies and the dominance of management, controls are more likely to be
overridden in smaller companies than larger ones.

17
Q

ISA (UK) 315 states that an internal control system in an organisation consists of five
components: the control environment, the entity’s risk assessment process, the information
system, control activities and monitoring of controls.
For each of the following examples, select the component which it illustrates.
Training programme for all staff
A Control environment
B Control activity
C Monitoring of controls
Review of actual performance against budget
D Control environment
E Control activity
F Monitoring of controls

A

A,E Training programme for all staff is part of the control environment. Review of actual
performance versus budget is a control activity.

18
Q

For each of the following statements, select whether they are true or false in respect of the
limitations of a system of internal control.
The cost of implementing controls may be more expensive than the cost of any potential
risk arising.
A True
B False
The effectiveness of many controls relies on the integrity of those applying them.
C True
D False
Internal controls are only applied to material items.
E True
F False
Standard controls may not be designed to deal with unusual transactions.
G True
H False

A

A,C,F,G
Option F is the only false item in the question as internal controls should be applied
equally to all transactions, whether material or not.

19
Q

For each of the following statements, select whether they are true or false in respect of
business risk.
Business risk is the risk inherent to the company in its operations.
A True
B False
Business risk is of no relevance to the auditor. The auditor is only concerned with audit risk.
C True
D False
Management are responsible for identifying and controlling business risks.
E True
F False

A

A,D,E
Business risk is of relevance to the auditor as business risks may impact on the financial
statements. Management are responsible for identifying and controlling business risks
although the auditor will assess business risk as part of the audit.

20
Q

One of the five elements of internal control is monitoring of controls.
Which two of the following are activities which would be used to monitor controls?
A Management’s review of whether bank reconciliations are being prepared on a timely
basis
B Internal auditors’ evaluation of whether the sales team are following company policy
regarding customer discounts
C Authorisation of purchase invoices before they are paid
D Authorisation of purchase orders by the department manager

A

A,B Options C and D are specific control activities (relating to authorisation).

21
Q

The following are examples of internal controls which operate at Elm plc.
For each example, select the type of control activity which it illustrates.
The financial controller reconciles the payables ledger to the payables ledger control
account on a monthly basis.
A Performance review
B Information processing
The payables ledger clerk posts invoices to the payables ledger. The cash book clerk posts
cash receipts to the payables ledger.
C Segregation of duties
D Performance review

A

B,C Information processing, segregation of duties.

Reasoning as per question 9 of this chapter.

22
Q

The following are examples of computer controls which operate in the payroll system at
Dobson Ltd.
For each example, select the type of computer control which it illustrates.
Password protection limiting access to data
A General
B Application
Range checks on payroll processing
C General
D Application
Manual checks to ensure that timesheets are authorised before details are processed
E General
F Application

A

A,D,F
Password protection constitutes a general control. The remaining controls are
application controls.

23
Q

The following are examples of computer controls which operate in the payroll system at
Dobson Ltd.
For each example, select the type of computer control which it illustrates.
Password protection limiting access to data
A General
B Application
Range checks on payroll processing
C General
D Application
Manual checks to ensure that timesheets are authorised before details are processed
E General
F Application

A

A,B,D

Procedures for resubmission of rejected data are an application control.

24
Q

Peach plc is a large organisation with a complex accounting and information system. Critical
to an understanding of the system are the reporting lines and relationships between different
departments.
In this situation which one of the following methods is most likely to be used by the auditor
to record the system of document flow?
A Narrative notes
B Flowcharts
C Questionnaires
D Organisational charts

A

B Narrative notes are more suitable for smaller businesses. Questionnaires do not show
relationships and reporting lines as clearly. Although the organisational chart would
show the structure of the organisation and general reporting lines, it would not
document the system in operation.

25
Q

In each of the following three cases, select whether control risk is higher or lower than
normal.
The payables ledger is not regularly reconciled to the payables ledger control account.
A Control risk is higher than normal
B Control risk is lower than normal
Management often override internal controls.
C Control risk is higher than normal
D Control risk is lower than normal
Entry to the inventory storeroom is only for authorised personnel.
E Control risk is higher than normal
F Control risk is lower than normal

A

A,C,F
A lack of regular reconciliations and management overriding internal controls lead to
an increase in control risk (higher than normal). The safeguarding of the physical
security of the inventories is a strength which renders control risk lower than normal.

26
Q
Which two of the following are reasons why organisations need to have effective systems of
control?
To help the organisation in:
A minimising business risks
B maximising its profitability
C managing its assets and liabilities
D cutting down the time needed for the audit
E complying with laws and regulations
A

A,E Minimising business risks and complying with laws and regulations are the primary
reasons why organisations need effective systems of control. The others may result
from that effective internal control system. SAMPLE PAPER

27
Q

An effective system of internal control requires segregation of basic functions.
Which three of the following functions should ideally be segregated?
A Authorisation of transactions
B Preparation of financial statements
C Custody or handling of assets
D Budgetary control
E Recording of transactions

A

A,C,E
Authorisation of transactions, custody or handling of assets and recording of
transactions are the three functions which should ideally be separated such that no one
person can initiate the transaction, record that transaction in the accounting records
and have custody of assets which arise from that transaction. For fraud to take place,
with such segregation of duties, there would have to be significant collusion. Preparing
financial statements is a function which follows from the recording of transactions and
effective budgetary control can only take place once there is confidence in the
integrity of data coming from effective internal control systems. SAMPLE PAPER

28
Q

An audit committee is a committee with responsibility for audit-related matters.
Which one of the following could be members of an effective audit committee?
A Executive directors only
B Non-executive directors only
C Non-executive directors and internal auditors
D Non-executive directors and external auditors

A

B An audit committee is made up of non-executive directors only. SAMPLE PAPER

29
Q

ISA (UK) 315, Identifying and Assessing the Risks of Material Misstatement Through
Understanding of the Entity and Its Environment states that an internal control system in an
organisation consists of five components: the control environment, the entity’s risk
assessment process, the information system, control activities and monitoring of controls.
For each of the following examples, select which component is illustrated.
The entity’s organisational structure
A Control environment
B Control activity
C Monitoring of controls
Review by management of monthly bank reconciliations
D Control environment
E Control activity
F Monitoring of controls

A

A,F The entity’s organisational structure is part of the entity’s control environment.
Monitoring of controls involves a review of the effectiveness of controls and whether
they need improving – hence a review by management of monthly bank reconciliations
is part of that monitoring system. SAMPLE PAPER

30
Q

The following are examples of internal controls which operate at Fairweather plc. In each
example select which control activity is illustrated.
The financial accountant signs the bank reconciliation, which was prepared by a member of
his staff.
A Authorisation
B Performance review
The finance director compares monthly expenditure on consumables to budgeted
expenditure.
C Authorisation
D Performance review

A

A,D Authorisation showing that the accountant has reviewed the reconciliation.
Performance review includes reviews and analyses of actual performance against
budgets (as here), forecasts and prior period performance. SAMPLE PAPER

31
Q

Most entities make use of IT systems for financial reporting and operational purposes.
Controls operating in an IT environment can be split into general controls and application
controls.
Which one of the following is an application control?
A Use of passwords
B Testing of new systems
C Authorisation of data for input
D Disaster recovery plan

A

C Application controls apply to the processing of individual applications (eg, sales,
purchases, inventory), hence authorisation of data for input (say of purchase orders) is
the application control. The remaining options are general controls, which relate to
many applications and support the operation of the whole IT environment.
SAMPLE PAPER

32
Q

Which two of the following reduce password effectiveness?
A Frequent changes of passwords
B User selection of passwords
C Automatic disconnection after failed attempts to access system
D Disciplinary offence if passwords revealed
E Displaying the password on screen

A

B,E User selection of passwords and displaying the password on screen would reduce
password effectiveness. The existence of frequent changes of passwords, automatic
disconnection after failed attempts and disciplinary offences if passwords are revealed
would all increase password effectiveness. SAMPLE PAPER

33
Q

ISA (UK) 315, Identifying and Assessing the Risks of Material Misstatement Through
Understanding of the Entity and Its Environment states that an internal control system in an
organisation consists of five components: the control environment, the entity’s risk
assessment process, the information system, control activities and monitoring of controls.
For each of the following examples, select which component is illustrated.
The entity’s internal audit function
A Control environment
B Control activity
C Monitoring of controls
The audit committee
D Control environment
E Control activity
F Monitoring of controls

A

C,D The internal audit function monitors controls that are already in operation.
The audit committee is part of the control environment as it contributes to the status of
internal controls within an organisation.

34
Q

For each of the following internal controls, which is the principal limitation?
The preparation of an accounts payable reconciliation
A Human error
B Collusion
Authorisation of new starters in a wages system in which duties are segregated
C Human error
D Collusion

A

A,D For the preparation of reconciliations where calculations are involved, the inherent
limitation is that these reconciliations are susceptible to human error.
Even where duties are segregated, this control can be overridden by the collusion of
the parties involved.

35
Q

For each of the following statements about audit committees, select whether the statement
is true or false.
Audit committees are responsible for recommending the appointment of the external
auditor
A True
B False
One of the roles of the audit committee is to review the integrity of formal announcements
relating to the company’s performance
C True
D False

A

A,C The external auditor is appointed by shareholders, but the audit committee makes
recommendations in relation to this.
The audit committee reviews the integrity of the financial statements of the company
and formal announcements relating to the company’s p

36
Q

Which two of the following are controls over input completeness?
A Document counts
B Manual check to ensure input was by authorised personnel
C Screen warning to prevent logout before processing is complete
D Programmed matching of input to an expected input control file

A

A,D All options are examples of application controls. Document counts ensure that the
expected number of documents is submitted, and hence that the documents are
complete.
A manual check to ensure input was by authorised personnel is a control over input
authorisation, not completeness.
A screen warning to prevent logout before processing is complete is a control over
input processing.
A programmed matching of input to an expected input control file is a control over
input completeness (this is similar in principle to a document count).

37
Q

For each of the following internal controls, select whether a preventive or a detective
control is being described.
Segregation of duties between raising and authorisation of purchase orders
A Preventive
B Detective
Monthly reconciliation of payables ledger with supplier statements
C Preventive
D Detective
Restricting users to read-only access of key folders on internal network
E Preventive
F Detective

A

A,D,E
Segregation of duties is a preventive control here because its aim is to prevent
unauthorised purchases from being made.
Reconciliation of the payables ledger with supplier statements aims to detect any
misstatements that have already been made – it is therefore a detective control.
Restricting users to read-only access of key folders on internal network aims to prevent
unauthorised changes being made to the files in these folders.

38
Q

The following are examples of computer controls which operate at Mesa plc.
For each example, select the type of computer control which it illustrates.
Approval of new applications by a sample of users and by management
A General
B Application
Virus checks on software on employees’ computers
C General
D Application
A check that all data entered in a field contains the correct number of digits
E General
F Application

A

A,C,F
Approval of applications by a sample of users and by management is a general control
related to the development of computer applications.
Virus checks on software on employees’ computers is a general control.
A check that all data entered in a field contains the correct number of digits is an
application control, since it relates to a particular field in a particular application.

39
Q

One of the emerging operational issues that internal auditors need to be involved with is
cyber security (defined as the protection of systems, networks and data in cyberspace).
Which three of the following internal audit activities are most likely to feature in relation to
an entity’s cyber security?
A Reviewing the password protocols in place for employees with access to information
systems
B Testing the operating effectiveness of an entity’s firewall and anti-virus software
C Monitoring the entity’s website for signs of unauthorised modification
D Comparing the costs and benefits of the entity’s online social media presence

A

A,B,C
Cyber security is all about protecting data, systems and networks – firewalls and
password protocols address this at source, while monitoring the website helps to
identify any instances of breaches from other means.
Appraising the success or otherwise of an online social media presence does operate
in the same cyber context, but is more commercial than security driven.