SU 06 Internal Control

Question 1

What are an auditors options as their response to assessed risk?

Answer 1

• Tests of controls
• Substantive Procedures

Question 2

What do tests of controls consist of

Answer 2

• assessing controls over processes
• assessing the control environment overall
• assessing the operating effectiveness of controls

Question 3

What affects the operating effectiveness of internal controls

Answer 3

Overall their value in reducing RMM

• are they designed well
• are they implemented and operating properly

Question 4

What are substantive procedures

Answer 4

audit procedures designed to produce evidence that may be used in court

Question 5

What circumstances may indicate increased risk

Answer 5

• changes in overall operating environment
• new personnel
• new/ revamped IT
• rapid growth
• new technology
• new business models-products-activities
• corporate restructuring
• expanded foreign operations
• new accounting pronouncements
• new

Question 6

Is an auditor required to assess internal controls?

Answer 6

Yes - part of SOX

Question 7

Internal control components

Answer 7

C.R.I.M.E

• Control activities
• Risk assessment
• Information and communication systems
• Monitoring
• Environment (control environment)

Question 8

Who is responsible for internal controls

Answer 8

Client management / governance

Question 9

What is the auditor’s responsibility in regard to internal controls

Answer 9

have the responsibility for assessing their existence/ management assertions about them

Question 10

Control activities include

Answer 10

• performance reviews
• general vs application controls
• physical controls
• segregation of duties

Question 11

Which duties must be segregated

Answer 11

authorization from recording from custody

Question 12

what is the difference between general and application controls

Answer 12

• General controls are over the whole system - controls at the business level
• application controls are built into specific applications

Question 13

Objectives of internal controls

Answer 13

1) to prevent or detect financial statement misstatements
2) to control operational objectives
3) to control compliance objectives

Question 14

Limitations of internal controls

Answer 14

• human judgement is faulty
• collusion may circumvent controls
• management may override controls
• impossible to create perfect controls (esp not at reasonable cost)

Question 15

Levels of internal controls

Answer 15

• entity level (general and application controls)
• transaction/ assertion level controls (address specific FS issues)

Question 16

What might transaction/ assertion controls address

Answer 16

• CAPE CROC asssertions
• transactions and account balances
• IS & BS balances

Question 17

Types of entity-level controls

Answer 17

• organizational structure
• clear assignment of authority and responsibility
• adequate segregation of duties
• IT planning in alignment with business strategy
• compliance with licensing , laws, and regulations

Question 18

Classes of internal controls

Answer 18

• Automated vs Manual

Question 19

classes of automated controls

Answer 19

• IT General Controls (ITGC)
• IT Application controls
• IT-dependent manual controls

Question 20

Types of IT General Controls

Answer 20

• data center & network
• system software acquisition, change, and maintenance
• program change
• access
• application system acquisition, development, & maintenance

Question 21

Preventive controls

Answer 21

• designed to stop errors before they occur
• often generate error messages/ alerts
• leave no documentary trail?
• informed by “WCGWs”

Question 22

WCGSs

Answer 22

What can go wrong

Question 23

Detective controls

Answer 23

Designed to catch fraud or errors after functions or transactions occur
- also informed by WCGWs
- important they can detect & intervene in a timely manner
- often use IT application controls for detection
- often built in as a post-processing procedure
- can be applied to each transaction or to batches

Question 24

Preventive vs detective control

Answer 24

• preventive more frequent, more dependent than IT, but also generally more cost effective
• preventive produces less evidence than detective
• auditors tend to focus on detective due to the larger amount of evidence

Question 25

Internal control functionalities

Answer 25

may be:
- complementary
- redundant
- compensation

Question 26

Complementary internal controls

Answer 26

Two or more controls working together for the same objective

Question 27

Redundant internal controls

Answer 27

two or more controls working separately for the same objective

Question 28

Compensating internal controls

Answer 28

One control works to offset the lack of / weakness in another control

Question 29

Types of tests of controls

Answer 29

inquiry (never sufficient alone)
inspection
observation
re-performance

Question 30

Benchmarking as a test of controls

Answer 30

comparing current results with previous audit results

Question 31

Service organizations

Answer 31

Organization that provides services to the client such that the service org’s services and controls are part of the client’s information system and relevant to financial reporting

Question 32

Type 1 service auditor’s report

Answer 32

reports on controls implemented

opinion only on the the description of controls and suitability of the design to the environment

Question 33

Type 2 service auditor’s report

Answer 33

Report on controls implemented AND test of operating effectiveness of internal controls

Question 34

Are service auditor’s reports ever referred to in audit reports?

Answer 34

NEVER in an unmodified opinion (do not relieve auditor of liability)

may be referenced in modification of opinion but must indicate reference does not reduce liability

Question 35

Risk assessment for service organizations

Answer 35

• must assess the degree of interaction between the service org and client (user) High = user initiates all processes, low = service org initiates, processes transactions independently
• must get written representations from service org’s management

Question 36

Requirement for management documentation of IC

Answer 36

must provide a written assessment

Question 37

Requirement for auditor response to IC

Answer 37

Must issue opinion on:
- management assessment of IC
- Actual effectiveness of IC

Must also communicate to management any material weaknesses and significant deficiencies discovered in the course of the audit

Question 38

Significant deficiencies

Answer 38

Issues with internal controls that do not rise to the level of materiality

Question 39

Internal control risks in IT

Answer 39

• system availability
• volatile transaction trails
• lack/ decrease in human involvement
• uniform processing (errors repeated)
• unauthorized access
• data vulnerability
• reduction in segregation of duties

Question 40

Major types of application IT controls

Answer 40

• input controls
• processing controls
• output controls

Question 41

When does data analytics outperform sampling

Answer 41

• when appropriate data is available, relatively clean and doesn’t require significant manipulation to be usable
• when the population is large
• when the auditor has a good understanding of the underlying business processes

Question 42

Why does the XBRL requirement increase IC issues

Answer 42

• increased outsourcing for programming
• new software/ programming –> potential errors
• additional data manipulation
• requires additional control tests/ disclosures

Question 43

Ways to document internal control assessments

Answer 43

• systems flowcharts
• questionnaires
• narrative memoranda
• decision tables
• checklists of procedures
• data analytics

Question 44

System flowchart

Answer 44

overview of inputs, processes, outputs

Question 45

Program flowchart

Answer 45

specific steps in computer programs

Question 46

Document flowchart

Answer 46

tracks flow of documents through an entity

Question 47

Management letter

Answer 47

prepared by the audit team
provided to board of directors
includes required internal control assessment
lists significant deficiencies and material weaknesses