SU 05: Internal Control Concept and Information Technology

Question 1

Primary objective for procedures to obtain an understanding of internal control is to provide auditor

Answer 1

Knowledge necessary for audit planning. The second standard of field work states, the auditor must obtain a sufficient understanding of entity and its environment including its internal control to assess RMM of f/s whether due to error or fraud and to design the nature, timing, and extent of further audit procedures

Question 2

In an audit of f/s an auditor primary consideration of internal control is whether the control
A reflects management philosophy and operating style
B affect management f/s assertions

Answer 2

B, an auditor primary concern is whether a specific control affects relevant f/s assertions. Much of the audit work required to form an opinion consists of gathering evidence about relevant assertions in the f/s. These assertions are management representation embodied in component of f/s (au 326). Controls relevant to an audit pertain to the preparation of f/s that are fairly presented in conformity with GAAP (au 314)

Question 3

In obtaining understanding of controls that are relevant to audit planning an auditor is required to obtain knowledge
A design of controls included in internal control components
B effectiveness of internal controls implemented
C consistency to control is applied

Answer 3

A, in all audits the auditor should obtain an understanding of each of the 5 components of internal control sufficient to plan the audit. Sufficient understanding is obtained by performing procedures to understand design of controls and determining whether they have been implemented

Question 4

In planning an audit certain accounts an auditor may conclude specific procedures used to obtain an understanding of an entity internal control need not be included because of the auditor judgment of materiality and assessment of

Answer 4

Inherent risk, the nature, timing, and extent of procedures performed to obtain an understanding vary with size and complexity of the entity, the auditor prior experience with entity, the nature and extent of changes in systems and operations and the entity’s documentation of specific controls. The auditor assessment of inherent risk and judgement about materiality and disclosure affect nature and timing and procedures performed. Thus if account has a low assessed level of inherent risk and amounts involved are not material, specific procedures for obtaining understanding might be omitted

Question 5

1.) Auditor preforms tests of controls

Answer 5

a. B, describes what is done when the auditor has an expectation of the operating effectiveness of controls – The auditor tests controls when (a) their risk assessment is based on the expectation of the operating effectiveness of controls, or (b) substantive procedures alone do not provide sufficient appropriate evidence at the relevant assertion level.

Question 6

2.) The auditor prepares flowcharts, narratives, questionnaires, or other materials

Answer 6

a. C, describes the documentation of the understanding of the entity and its environment, including internal control, and assessment of RMM – The auditor documents among other things, the understanding of the entity and its environment, including internal control. This documentation extends to the five components of internal control. Also, documented are (a) the sources of information, (b) the risk assessment procedures, (c) the assessment of RMM, (d) the basis of the assessments (e) the risks identified and related controls evaluated. Flowcharts, questionnaires, decision tables, checklists, and narratives are among the possible forms of documentation.

Question 7

3.) The auditor considers the factors affecting the RMM

Answer 7

a. A, Describe the reason for the auditor to obtain an understanding of the entity and its environment, including internal control and assessment of RMM – The auditor should obtain an understanding of the components of internal control to assess RMM, whether due to error or fraud, and design further audit procedures. This knowledge should be used to (a) determine the types of potential misstatement, (b) considers factors affecting the RMM, (c) design of tests of controls (if applicable), and (d) design of substantive procedures.

Question 8

4.) The auditor performs risk assessment procedures to test operating effectiveness of controls

Answer 8

a. D, describe a procedure that is not performed – Risk assessment procedures are performed to obtain an understanding of the entity and its environment, including internal control. Test of controls evaluate the operating effectiveness

Question 9

5.) The auditor designs substantive procedures

Answer 9

a. A, Describe the reason for the auditor to obtain an understanding of the entity and its environment, including internal control. – The auditor should obtain an understanding of the components of internal control to assess RMM, whether due to error or fraud, and design further audit procedures. This knowledge should be used to (a) determine the types of potential misstatement, (b) considers factors affecting the RMM, (c) design of tests of controls (if applicable), and (d) design of substantive procedures.

Question 10

6.) The auditor documents the assessed RMM but not basis for the assessment

Answer 10

a. D, describe a procedure that is not performed – The auditor documents (a) assessed RMM at f/s and relevant assertion levels and (b) basis for assessment

Question 11

7.) The auditor records the control evaluated

Answer 11

a. C, describes the documentation of the understanding of the entity and its environment, including internal control, and assessment of RMM – The auditor documents the risk identified and the related controls evaluated.

Question 12

8.) The auditor considers whether substantive procedures alone do not provide sufficient appropriate evidence at the relevant assertion level.

Answer 12

a. B, describes what is done when the auditor has an expectation of the operating effectiveness of controls – The auditor tests controls when (a) their risk assessment is based on the expectation of the operating effectiveness of controls, or (b) substantive procedures alone do not provide sufficient appropriate evidence at the relevant assertion level.

Question 13

9.) The auditor applies limited substantive procedures to determine whether the control is operating effectively

Answer 13

a. D, describe a procedure that is not performed – the auditor performs substantive procedures to detect material misstatements. The auditor tests controls to determine their operating effectiveness

Question 14

10.) The auditor identifies the types of potential misstatement

Answer 14

a. A, Describe the reason for the auditor to obtain an understanding of the entity and its environment, including internal control. – The auditor should obtain an understanding of the components of internal control to assess RMM, whether due to error or fraud, and design further audit procedures. This knowledge should be used to (a) determine the types of potential misstatement, (b) considers factors affecting the RMM, (c) design of tests of controls (if applicable), and (d) design of substantive procedures.

Question 15

The internal control process is designed to provide reasonable assurance about these objectives

Answer 15

1. ) Reliability of Financial Reporting
2. ) Effectiveness and Efficiency of Operations
3. ) Compliance with Laws and Regs

Question 16

Components of Internal Control

Answer 16

1. ) Control Activities
2. ) Risk Assessment
3. ) Information and Communication Systems
4. ) Monitoring
5. ) Control Environment

Question 17

Control Activities Include

Answer 17

Performance Reviews
Information Processing
Physical Controls
Segregation of Duties

Question 18

Understanding Internal Control is used to

Answer 18

Identify types of misstatements
Design test of controls, when applicable
Design substantive tests

Question 19

Duties Requiring Segregation

Answer 19

Authorization, Recording, Custody

Question 20

Risk Assessment Circumstances

Answer 20

• Changes in operating environment
• New personnel
• New information systems
• Rapid growth
• New technology
• New lines, products, or activities
• Corporate restructuring
• Foreign operations
• Accounting pronouncements

Question 21

Entity Risk Assessment

Answer 21

designed to identify, analyze, and manage risks that affect entity’s objectives

Question 22

Auditor Risk Assessment

Answer 22

involves assessment of inherent risk and control risk to evaluate likelihood of material
misstatements occurring in financial statements

Question 23

Control Environment

Answer 23

• Integrity and ethical values
• Commitment to competence
• Human resource policies and practices
• Assignment of authority and responsibility
• Management’s philosophy and operating style
• Board of directors or audit committee participation
• Organizational structure

Question 24

Risk Assessment Procedures for Internal Control

Answer 24

• Inquiries of management and others within the entity
• Observing the application of specific controls
• Inspecting documents and records
• Tracing transactions through the information system

Question 25

Control risk may be set at the maximum level for some or all assertions

Answer 25

• The auditor does not intend to rely on internal control in relation to those assertions
• Tests of controls will not be performed

Question 26

Control risk may be set below maximum for some or all assertions

Answer 26

• The auditor must verify the effectiveness of internal control so that it can be relied upon
• Tests of controls will be performed

Question 27

Assessing control risk below maximum involves two components

Answer 27

1) Identify controls that will prevent or detect material misstatements in specific assertions
2) Perform tests of control to evaluate the effectiveness of the controls identified

Question 28

Tests of controls include

Answer 28

• Inquiry—Asking questions of appropriate personnel such as inquiring about the procedure
followed when merchandise is received
• Inspection—Looking at documentary evidence such as inspecting paid invoices to make
certain they have been cancelled to avoid double payment
• Observation—Watching client employees as they perform such as observing employees
receiving and recording purchases of merchandise to determine if there is proper segregation
of duties
• Reperformance—Repeating procedures performed by client employees such as recounting
inventories or recalculating invoice amounts

Question 29

The auditor should obtain an understanding of the information system

Answer 29

1) the classes of significant transactions; (2) the ways those transactions are initiated, authorized, recorded, processed, corrected, transferred to the general ledger, and reported; (3) the accounting records, whether electronic or manual; (4) how significant events and conditions other than transactions are captured; (5) the financial reporting process used to prepare the entity’s financial statements, including significant accounting estimates and disclosures; and (6) controls over journal entries

Question 30

Decision tables differ from program flowcharts in that decision tables emphasize

Answer 30

A decision table identifies the contingencies considered in the description of a problem and the appropriate actions to be taken relative to those contingencies. Decision tables are logic diagrams presented in matrix form. Unlike flowcharts, they do not present the sequence of the actions described.

Question 31

A field check.

Answer 31

A field check tests the characters to verify they are of the appropriate type for that field.

Question 32

An access log.

Answer 32

Access logs are designed to prevent improper use or manipulation of data files.

Question 33

A validity check

Answer 33

A validity check tests the relationships among input items and other parts of the system, e.g., that customer 1272 on the sales order is included in the customer file.

Question 34

Employee misses keying in PO number what control wold detect this error

Answer 34

Completeness test - an interactive program designed to notify the user to enter the number before accepting the report.