Documenti di Didattica
Documenti di Professioni
Documenti di Cultura
Chapter 05
Risk Assessment: Internal Control Evaluation
Multiple Choice Questions
3. A set of characteristics that helps to define a seriousness about employees' attitudes about
the control activities in a company is referred to as
A. Management assertions.
B. The control environment.
C. Control risk assessment.
D. Functional responsibilities.
4. Control activities intended to ensure that transactions are recorded in the right period are
designed to achieve the ASB assertion of
A. Occurrence.
B. Accuracy.
C. Valuation or allocation.
D. Cutoff.
5-1
5. Sound internal control can described as separating all of the following duties and
responsibilities except for
A. Transaction authorization.
B. Recordkeeping.
C. Custody of, or direct access to, assets.
D. Hiring of employees.
6. After obtaining an understanding of the entity's internal control and assessing control risk,
an auditor of a non public company decided not to perform additional tests of controls. The
auditor most likely concluded that the
A. Additional evidence to support a further reduction in control risk was not cost beneficial.
B. Assessed level of inherent risk exceeded the assessed level of control risk.
C. Internal control structure was properly designed and justifiably may be relied on.
D. Evidence obtainable through tests of controls would not support an increased level of
control risk.
7. Regardless of the assessed level of control risk, an auditor of a non public company would
perform some
A. Tests of controls to determine the effectiveness of internal control policies.
B. Analytical procedures to verify the design of internal control activities.
C. Substantive tests to restrict detection risk for significant transaction classes.
D. Dual purpose tests to evaluate both the risk of monetary misstatement and preliminary
control risk.
5-2
13. A sales clerk enters a customer's six-number customer account. The computer program
uses the first five numbers to calculate a sixth number. This resulting number is then
compared to the sixth number entered by the sales clerk. This is an example of a
A. A valid character test.
B. Missing data test.
C. Reasonableness test.
D. Check digit.
5-3
14. Which of the following is the least important audit reason for the auditor's obtaining an
understanding of a company's internal control?
A. To serve as a basis for constructive suggestions.
B. To plan subsequent substantive tests.
C. To identify types of potential misstatements.
D. To consider factors that affect the risk of material misstatement.
16. Which of the following client internal control activities is not usually performed in the
treasurer's department?
A. Verifying the accuracy of checks and vouchers.
B. Controlling the mailing of checks to vendors.
C. Approving vendors' invoices for payment.
D. Canceling payment vouchers when paid.
17. Which of the following audit procedures most likely would provide an auditor with the
most assurance about the effectiveness of the operation of an entity's internal control?
A. Confirmation with outside parties.
B. Inquiry of client personnel.
C. Successful re-performance of the control procedure.
D. Observation of client personnel.
5-4
19. After obtaining an understanding of a client's financial reporting control activities, the
auditor would next
A. Test the client's control activities.
B. Assess the control risk.
C. Document the understanding obtained.
D. Plan the remainder of the audit work.
20. If auditors assess control risk at the maximum level, they will tend to
A. Perform a great deal of additional tests of controls.
B. Perform a great deal of substantive testing during the audit.
C. Perform substantive tests at an interim date.
D. Perform more audit procedures using internal evidence.
21. The ultimate purpose of assessing control risk is to contribute to the auditor's evaluation of
the
A. Factors that raise doubts about the auditability of the financial statements.
B. Operating effectiveness of internal control policies and procedures.
C. Risk that material misstatements exist in the financial statements.
D. Possibility that the nature and extent of substantive tests may be reduced.
22. When the audit team increases the planned assessed level of control risk because certain
control activities were determined to be ineffective, the audit team would most likely increase
the
A. Extent of tests of details.
B. Level of inherent risk.
C. Extent of tests of controls.
D. Level of detection risk.
23. In computer systems, the information technology general controls (ITGC) would not
include
A. Processing control activities.
B. Separation of various computer system functions.
C. Documentation of the data processing system.
D. Control over physical access to computer hardware.
5-5
24. When auditing financial statements of a private company, the minimum work an auditor
must perform in connection with a company's internal control is best described by which of
the following statements:
A. Perform exhaustive tests of accounting controls and evaluate the company's control system
effectiveness.
B. Determine whether the company's control policies are designed well enough to prevent
material errors.
C. Prepare auditing working papers documenting the understanding of the company's internal
control.
D. Design procedures to search for significant deficiencies in the actual operation of the
company's internal control.
26. If a control total were to be computed on each of the following data items, which would
best be identified as a hash total for a payroll IS application?
A. Hours worked.
B. Total debits and total credits.
C. Net pay.
D. Department numbers.
5-6
27. Generally accepted auditing standards (GAAS) give auditors considerable discretion to
decide the amount of work required to satisfy auditing standards guiding internal control
evaluation and related audit planning. Which of the descriptions below best expresses the
minimum amount of work permitted by GAAS for nonpublic companies?
A. Do not obtain an understanding of client environment, accounting, or control activities. Do
not document the decision to assess control risk at maximum. Perform 100% substantive audit
on all financial statement transactions and balances.
B. Obtain an understanding of client environment, accounting, and control activities.
Document the decision to assess control risk at maximum. Perform an extensive but not 100%
substantive audit on financial statement transactions and balances.
C. Obtain an understanding of client environment, accounting, and control activities, and
perform detail tests of controls. Document the decision to assess control risk below the
maximum. Perform restricted substantive audit on financial statement transactions and
balances, considering the control risk assessment.
D. Obtain an understanding of client environment, accounting, and control activities, and
perform detail tests of controls. Document the decision to assess control risk at zero. Perform
no substantive audit on financial statement transactions and balances, since zero control risk
means that no errors or fraud can reach the accounts.
28. Proper separation of duties reduces the opportunities to allow persons to be in positions to
both
A. Journalize entries and prepare financial statements.
B. Record cash receipts and cash disbursements.
C. Establish internal controls and authorize transactions.
D. Perpetuate and conceal errors and fraud.
5-7
30. Which of the following is a step in an auditor's decision to assess control risk at below the
maximum?
A. Apply analytical procedures to both financial data and nonfinancial information to detect
conditions that may indicate weak controls.
B. Perform tests of details of transactions and account balances to identify potential errors and
fraud.
C. Identify specific internal control policies and activities that are likely to detect or prevent
material misstatements.
D. Document that the additional audit effort to perform tests of controls exceeds the potential
reduction in substantive testing.
31. Which of the following is not an objective of internal controls over financial reporting as
defined by the Sarbanes-Oxley Act?
A. Policies and procedures that pertain to the maintenance of records that in reasonable detail
accurately and fairly reflect the transactions and dispositions of the assets of the registrant.
B. Policies and procedures that provide reasonable assurance that transactions are recorded as
necessary to permit preparation of financial statements in accordance with generally accepted
accounting principles, and receipts and expenditures of the registrant are being made only in
accordance with authorizations of management and directors of the registrant.
C. Policies and procedures that provide reasonable assurance regarding the compliance with
applicable laws and regulations.
D. Policies and procedures that provide reasonable assurance regarding prevention or timely
detection of unauthorized acquisition, use or disposition of the registrant's assets that could
have a material effect on the financial statements.
32. Which of the following most likely would not be considered an inherent limitation of the
potential effectiveness of an entity's internal controls?
A. Incompatible duties.
B. Management override.
C. Mistakes in judgment.
D. Collusion among employees.
5-8
34. The primary objective of procedures performed to obtain an understanding of the entity's
internal control is to provide an auditor with
A. Knowledge necessary for audit planning.
B. Evidential matter to use in assessing inherent risk.
C. A basis for modifying tests of controls.
D. An evaluation of the consistency of application of management's policies.
35. The overall attitude and awareness of an entity's board of directors concerning the
importance of the client's internal control usually is reflected in its
A. Computer-based control activities.
B. System of separation of duties.
C. Control environment.
D. Safeguards over access to assets.
36. After obtaining an understanding of the internal controls and assessing control risk on the
audit of a non public company, an auditor decided to perform tests of controls. The auditor
most likely decided that
A. It would be efficient to perform tests of controls that would result in a reduction in planned
substantive tests.
B. Additional evidence to support a further reduction in control risk is not available.
C. An increase in the assessed level of control risk is justified for certain financial statement
assertions.
D. There were many internal control weaknesses that could allow errors to enter the
accounting system.
5-9
37. In an audit of financial statements of a non public company in accordance with generally
accepted auditing standards, an auditor is required to
A. Document the auditor's understanding of the entity's internal control.
B. Search for significant deficiencies in the operation of the internal controls.
C. Perform tests of controls to evaluate the effectiveness of the entity's accounting system.
D. Determine whether control activities are suitably designed to prevent or detect material
misstatements.
38. In testing control activities, an auditor ordinarily selects from a variety of techniques,
including
A. Inquiry and analytical procedures.
B. Reperformance and observation.
C. Comparison and confirmation.
D. Inspection and verification.
39. Assessing control risk at below the maximum level most likely would involve
A. Performing more extensive substantive tests with larger sample sizes than originally
planned.
B. Reducing inherent risk for most of the assertions relevant to significant account balances.
C. Changing the timing of substantive tests by omitting interim-date testing and performing
the tests at year end.
D. Identifying specific internal control structure policies and procedures relevant to specific
assertions.
40. A report on internal control effectiveness by the management team of public companies is
required by
A. The Sarbanes-Oxley Act of 2002.
B. The PCAOB.
C. The AICPA.
D. Only auditors are required to report on internal control effectiveness.
5-10
41. Management's report on internal controls must include each of the following except
A. A statement that management is responsible for establishing and maintaining adequate
internal control over financial reporting.
B. A statement identifying the framework management uses to evaluate the effectiveness of
the company's internal control.
C. A statement providing management's assessment of the effectiveness of the company's
internal control.
D. A statement providing management's evaluation of the company's control environment.
42. Which of the following areas can external auditors rely on internal auditors' work in
auditing internal controls?
A. Evaluation of the auditing environment.
B. Limited documentation and testing of internal control activities.
C. All testing of the operating effectiveness of internal control activities.
D. As the principle evidence for the external auditors' opinion.
44. The primary purpose for obtaining an understanding of a non public audit client's internal
control is to
Refer To: 05-43
A. Provide a basis for making constructive suggestions in a management letter.
B. Determine the nature, timing, and extent of tests to be performed in the audit.
C. Obtain sufficient appropriate audit evidence to afford a reasonable basis for an opinion on
the financial statements under examination.
D. Provide information for a communication of internal control-related matters to
management.
5-11
5-12
49. In most audits of large entities, control risk assessment contributes to audit efficiency,
which means that
Refer To: 05-43
A. The cost of substantive procedures will exceed the cost of control evaluation work.
B. Auditors will be able to reduce the cost of substantive procedures by an amount more than
the control evaluation costs.
C. The cost of control evaluation work will exceed the cost of substantive procedures.
D. Auditors will be able to reduce the cost of substantive procedures by an amount less than
the cost of tests of controls.
50. Which of the following is a device designed to help the audit team obtain evidence about
the accounting and control activities of an audit client?
Refer To: 05-43
A. A narrative memorandum describing the control system.
B. An internal control questionnaire.
C. A flowchart of the documents and procedures used by the company.
D. All of the above.
5-13
54. When planning an audit of internal controls under AS 5, the audit team should
Refer To: 05-43
A. Identify significant accounts, locations, and assertions.
B. Conduct a walkthrough of the internal control process.
C. Make inquiries of employees regarding the existence of control activities.
D. Re-perform control activities performed by client employees to determine their
effectiveness.
56. Totals of amounts in computer-recorded data fields that are not usually added but are used
only for data processing control purposes are called
Refer To: 05-43
A. Record totals.
B. Hash totals.
C. Processing data totals.
D. Field totals.
5-14
57. Which of the following does not accurately summarize auditors' requirements regarding
internal control?
5-15
61. Which of the following would probably not be considered an indication of a material
weakness?
Refer To: 05-43
A. Evidence of a material misstatement.
B. Ineffective oversight by the audit committee.
C. An immaterial fraud committed by senior management.
D. Overproduction by the manufacturing plant.
62. Which report would not be appropriate for a public accounting firm to provide on
financial reporting controls?
Refer To: 05-43
A. Unqualifiedno material weaknesses found.
B. Disclaimer of opinionunable to perform all necessary procedures.
C. Disclaimer of opinionsignificant deficiencies exist.
D. Adversematerial weaknesses exist.
63. The purpose of separating the duties of hiring personnel and distributing payroll checks is
to separate the
Refer To: 05-43
A. Authorization of transactions from the custody of related assets.
B. Operational responsibility from the record-keeping responsibility.
C. Human resources function from the controllership function.
D. Administrative controls from the internal accounting controls.
5-16
64. Which of the following statements is not true with respect to the auditors' report on
internal control over financial reporting?
Refer To: 05-43
A. The report will be dated as of the balance sheet date.
B. The report will express an opinion on the effectiveness of internal control over financial
reporting.
C. If one or more material weaknesses exist, the auditor will issue an adverse opinion.
D. The report may be presented with the report on the entity's financial statements as a
combined report.
65. If the auditors encounter a significant scope limitation in evaluating a public company's
internal control over financial reporting, which of the following types of opinions on the
effectiveness of the company's internal control over financial reporting would be appropriate?
Refer To: 05-43
A. Unqualified opinion or adverse opinion.
B. Qualified opinion or adverse opinion.
C. Unqualified opinion or disclaimer of opinion.
D. Disclaimer of opinion.
66. Which of the following information would be included in the introductory paragraph of
the auditors' report on internal control over financial reporting if the report is presented
separately from the auditors' report on the entity's financial statements?
Refer To: 05-43
A. The fact that the auditors conducted an audit of the entity's financial statements.
B. The definition of a material weakness in internal control over financial reporting.
C. Statements identifying the responsibility of the auditors and management for internal
control over financial reporting.
D. A reference to the auditors' report and opinion on the entity's financial statements.
5-17
67. Which of the following is not one of COSO's objectives for internal controls?
A. Efficiency and effectiveness of operations.
B. Reliability of financial reporting.
C. Maximization of profit.
D. Compliance with applicable laws and regulations.
68. Which of the following is not one of the elements of the control environment?
A. Process for recording transactions and preparing financial statements.
B. Presence of an internal auditing function.
C. A company's organizational structure.
D. Methods of assigning authority and responsibility.
70. An edit test that checks data fields to see if any are blank when they must contain data is
called a
A. Valid sign test.
B. Missing data test.
C. Limit test.
D. Valid character test.
71. An action taken to prevent, detect, and correct errors and frauds in transactions is referred
to as a
A. Control objective.
B. Risk assessment.
C. Dual-purpose test.
D. Control activity.
5-18
72. Accounting for the numerical sequence of shipping documents is a control procedure
designed to achieve the internal control objective of
A. Validity.
B. Completeness.
C. Accounting.
D. Accuracy.
73. Auditors obtain an understanding of the internal control through all of the following,
except
A. Previous experience with the company.
B. Responses to inquiries directed to client personnel.
C. A substantive testing audit plan.
D. A "walk-through" of one or more transactions.
74. The most efficient means of gathering evidence about the internal control is to conduct a
formal interview with knowledgeable managers and
A. Write a narrative description of each important control.
B. Prepare a flowchart illustrating the internal control.
C. Prepare a well indexed file of audit documentation.
D. Use an internal control questionnaire.
76. A computerized accounting system would not include which of the following among the
processing control activities?
A. Limit and reasonableness tests.
B. File and operator controls.
C. Master file changes.
D. Run-to-run total.
5-19
Matching Questions
1. Classification
2. Occurrence
3. Accuracy
4. Allocation or
valuation
5. Completeness
5-20
____
____
____
____
____
80. For each of the descriptions below, match the correct control, A to G.
1. sequence tests
2. limit/reasonableness
tests
3. check digit
4. missing data tests
5. valid sign test
____
____
____
____
____
81. The primary reason for conducting an evaluation of a company's internal control is to
provide a basis for communicating significant deficiencies.
True False
82. The audit task of control risk assessment involves finding out what the company does to
prevent, detect, and correct errors and fraud.
True False
83. The audit team is responsible for the client's internal control.
True False
84. The attitudes of managers and directors are probably the most pervasive influences on the
control environment.
True False
5-21
85. The most important feature of an internal control system is the people who make the
system work.
True False
86. A control activity is an action taken to prevent, detect, and correct errors and frauds in
transactions.
True False
87. The COSO report indicates that internal control should be considered a process, not an
end in itself.
True False
88. Auditors of public companies do not need to determine the quality of a client's internal
control; they only need to know enough to plan the audit work.
True False
89. The primary reason to evaluate internal control is to formulate constructive suggestions
for improvement.
True False
90. The most efficient means of gathering evidence about a client's internal control is to
prepare a flowchart of the system.
True False
91. The strengths and weaknesses of a control system should be documented in bridge
working papers connecting the control evaluation to subsequent audit procedures.
True False
5-22
92. Auditors do not need to perform tests of controls audit procedures on internal control
weaknesses just to prove the weaknesses actually exist.
True False
93. To reduce the final control risk assessment to a low level, auditors need only to determine
the required degree of compliance with the control policies and procedures.
True False
94. Auditors perform tests of control activities to determine how the company's controls
actually functioned during the period under audit.
True False
95. Control systems generally provide absolute assurance that the objectives of internal
control are satisfied.
True False
96. Dual-purpose audit tests are procedures that produce both control and substantive
evidence.
True False
97. The key person in the internal control system of a small business is the independent
auditor.
True False
98. Evaluation of internal control systems on a nonpublic entity should not be subject to cost/
benefit considerations.
True False
5-23
99. Tests of controls consist of procedures designed to produce evidence of how effectively
the client's controls work in practice.
True False
100. Auditors can stop the assessment of control risk for nonpublic entities for either
effectiveness or efficiency reasons.
True False
102. The auditor's opinion on internal control under AS 5 relates only to controls existing at
the end of the year.
True False
103. Auditors should begin their evaluation of internal controls over financial reporting on a
bottom-up basisstarting with the account level assertion and working up to entity-level
controls.
True False
5-24
107. The COSO report identifies the objectives to be achieved by internal control as (1)
effectiveness and efficiency of _____________________________, (2) reliability of
_____________________________ _____________________________, and (3) compliance
with _____________________________ and _____________________________.
________________________________________
5-25
111. In connection with control activities used in a client's internal control system, a
_____________________________ _____________________________ is a tally of the
number of transactions submitted at a particular time and it is used to determine whether the
proper number was processed in a data conversion or computer accounting application.
________________________________________
112. Control activities in a computerized accounting system may be classified into two types-_____________________________ controls and _____________________________
controls.
________________________________________
113. Significant deficiencies in internal control also include the more serious condition called
a _____________________________ _____________________________.
________________________________________
114. To reduce the control risk level to a low level, auditors must determine (1) the
_____________________________ _____________________________ of company
compliance with control policies, and (2) the _____________________________
_____________________________ of company compliance.
________________________________________
5-26
117. In gathering evidence about the client's internal control, auditors may use a (n)
_____________________________ _____________________________
_____________________________, which is a checklist of internal control related
questions.
________________________________________
121. Computerized checks to see whether data values exceed or fall below some
predetermined limit are called limit or _____________________________
_____________________________.
________________________________________
122. Techniques used to check errors in accounting data in computer based accounting
systems can be categorized as _____________________________
_____________________________, _____________________________
_____________________________, and _____________________________
_____________________________.
________________________________________
5-27
Essay Questions
124. What is the difference between an information technology general control and an
information technology application control?
125. What is the difference between an internal control's design effectiveness and its
operating effectiveness?
5-28
127. List and explain briefly the phases of an internal control evaluation.
128. What are some of the problems in establishing an internal control system in small
business?
129. The Sunny Company is computerizing its accounting function. It would like to separate
the duties of the systems analyst, programmer, and computer operator by hiring three different
people for these jobs. However, they can only afford to hire two people.
Required: A. Briefly describe the functions of the systems analyst, programmer, and computer
operator.
B. If Sunny Company can afford only two positions, which two of the three would you
combine into one job? Explain.
5-29
130. Explain the different opinions that auditors can issue for an entity's internal control over
financial reporting.
131. Auditors are required to obtain a sufficient understanding of an entity's internal control.
This understanding is required by the performance principle of GAAS.
Required: A. What are some of the goals (purposes) for conducting an evaluation of an
entity's internal control?
B. What audit work is required for an auditor to assess control risk below the "maximum"
level?
C. Should auditors always try to obtain enough evidence to assess control risk below the
"maximum" level? Explain.
132. What are the six steps auditors of public companies should use to audit internal control
over financial reporting (ICOFR)?
5-30
134. What is the difference between a significant deficiency and a material weakness?
5-31
135. Each of the five cases illustrates specific control activities from a client's revenue cycle
(accounts receivable/sales). For each of the procedures, (a) identify which management
assertions apply, and (b) what potential category of errors and frauds can be prevented.
5-32
AACSB: Analytic
AICPA BB: Legal
AICPA FN: Research
Bloom's: Knowledge
Difficulty: Medium
AACSB: Analytic
AICPA BB: Legal
AICPA FN: Research
Bloom's: Knowledge
Difficulty: Easy
5-33
3. A set of characteristics that helps to define a seriousness about employees' attitudes about
the control activities in a company is referred to as
A. Management assertions.
B. The control environment.
C. Control risk assessment.
D. Functional responsibilities.
Original
AACSB: Analytic
AICPA BB: Legal
AICPA FN: Research
Bloom's: Knowledge
Difficulty: Easy
4. Control activities intended to ensure that transactions are recorded in the right period are
designed to achieve the ASB assertion of
A. Occurrence.
B. Accuracy.
C. Valuation or allocation.
D. Cutoff.
Original
AACSB: Analytic
AICPA BB: Legal
AICPA FN: Research
Bloom's: Knowledge
Difficulty: Easy
5-34
5. Sound internal control can described as separating all of the following duties and
responsibilities except for
A. Transaction authorization.
B. Recordkeeping.
C. Custody of, or direct access to, assets.
D. Hiring of employees.
Original
AACSB: Analytic
AICPA BB: Legal
AICPA FN: Research
Bloom's: Knowledge
Difficulty: Medium
6. After obtaining an understanding of the entity's internal control and assessing control risk,
an auditor of a non public company decided not to perform additional tests of controls. The
auditor most likely concluded that the
A. Additional evidence to support a further reduction in control risk was not cost beneficial.
B. Assessed level of inherent risk exceeded the assessed level of control risk.
C. Internal control structure was properly designed and justifiably may be relied on.
D. Evidence obtainable through tests of controls would not support an increased level of
control risk.
AICPA
AACSB: Analytic
AICPA BB: Resource Management
AICPA FN: Risk Analysis
Bloom's: Application
Difficulty: Hard
5-35
7. Regardless of the assessed level of control risk, an auditor of a non public company would
perform some
A. Tests of controls to determine the effectiveness of internal control policies.
B. Analytical procedures to verify the design of internal control activities.
C. Substantive tests to restrict detection risk for significant transaction classes.
D. Dual purpose tests to evaluate both the risk of monetary misstatement and preliminary
control risk.
AICPA
AACSB: Analytic
AICPA BB: Legal
AICPA FN: Risk Analysis
Bloom's: Knowledge
Difficulty: Hard
AACSB: Analytic
AICPA BB: Legal
AICPA FN: Research
Bloom's: Knowledge
Difficulty: Medium
5-36
AACSB: Technology
AICPA BB: Leveraging Technology
AICPA FN: Leveraging Technology
Bloom's: Knowledge
Difficulty: Easy
AACSB: Analytic
AICPA BB: Legal
AICPA FN: Research
Bloom's: Knowledge
Difficulty: Medium
AACSB: Analytic
AICPA BB: Legal
AICPA FN: Risk Analysis
Bloom's: Knowledge
Difficulty: Medium
5-37
AACSB: Technology
AICPA BB: Leveraging Technology
AICPA FN: Leveraging Technology
Bloom's: Knowledge
Difficulty: Medium
13. A sales clerk enters a customer's six-number customer account. The computer program
uses the first five numbers to calculate a sixth number. This resulting number is then
compared to the sixth number entered by the sales clerk. This is an example of a
A. A valid character test.
B. Missing data test.
C. Reasonableness test.
D. Check digit.
Original
AACSB: Technology
AICPA BB: Leveraging Technology
AICPA FN: Leveraging Technology
Bloom's: Knowledge
Difficulty: Medium
5-38
14. Which of the following is the least important audit reason for the auditor's obtaining an
understanding of a company's internal control?
A. To serve as a basis for constructive suggestions.
B. To plan subsequent substantive tests.
C. To identify types of potential misstatements.
D. To consider factors that affect the risk of material misstatement.
Original
AACSB: Analytic
AICPA BB: Legal
AICPA FN: Risk Analysis
Bloom's: Comprehension
Difficulty: Medium
AACSB: Analytic
AICPA BB: Critical Thinking
AICPA FN: Decision Making
Bloom's: Knowledge
Difficulty: Medium
5-39
16. Which of the following client internal control activities is not usually performed in the
treasurer's department?
A. Verifying the accuracy of checks and vouchers.
B. Controlling the mailing of checks to vendors.
C. Approving vendors' invoices for payment.
D. Canceling payment vouchers when paid.
Original
AACSB: Analytic
AICPA BB: Legal
AICPA FN: Research
Bloom's: Application
Difficulty: Medium
17. Which of the following audit procedures most likely would provide an auditor with the
most assurance about the effectiveness of the operation of an entity's internal control?
A. Confirmation with outside parties.
B. Inquiry of client personnel.
C. Successful re-performance of the control procedure.
D. Observation of client personnel.
Original
AACSB: Analytic
AICPA BB: Legal
AICPA FN: Research
Bloom's: Knowledge
Difficulty: Medium
5-40
AACSB: Analytic
AICPA BB: Legal
AICPA FN: Research
Bloom's: Knowledge
Difficulty: Medium
19. After obtaining an understanding of a client's financial reporting control activities, the
auditor would next
A. Test the client's control activities.
B. Assess the control risk.
C. Document the understanding obtained.
D. Plan the remainder of the audit work.
Original
AACSB: Analytic
AICPA BB: Legal
AICPA FN: Research
Bloom's: Knowledge
Difficulty: Easy
5-41
20. If auditors assess control risk at the maximum level, they will tend to
A. Perform a great deal of additional tests of controls.
B. Perform a great deal of substantive testing during the audit.
C. Perform substantive tests at an interim date.
D. Perform more audit procedures using internal evidence.
Original
AACSB: Analytic
AICPA BB: Legal
AICPA FN: Risk Analysis
Bloom's: Application
Difficulty: Easy
21. The ultimate purpose of assessing control risk is to contribute to the auditor's evaluation of
the
A. Factors that raise doubts about the auditability of the financial statements.
B. Operating effectiveness of internal control policies and procedures.
C. Risk that material misstatements exist in the financial statements.
D. Possibility that the nature and extent of substantive tests may be reduced.
AICPA
AACSB: Analytic
AICPA BB: Legal
AICPA FN: Risk Analysis
Bloom's: Knowledge
Difficulty: Medium
5-42
22. When the audit team increases the planned assessed level of control risk because certain
control activities were determined to be ineffective, the audit team would most likely increase
the
A. Extent of tests of details.
B. Level of inherent risk.
C. Extent of tests of controls.
D. Level of detection risk.
AICPA
AACSB: Analytic
AICPA BB: Legal
AICPA FN: Risk Analysis
Bloom's: Application
Difficulty: Medium
23. In computer systems, the information technology general controls (ITGC) would not
include
A. Processing control activities.
B. Separation of various computer system functions.
C. Documentation of the data processing system.
D. Control over physical access to computer hardware.
Original
AACSB: Technology
AICPA BB: Leveraging Technology
AICPA FN: Leveraging Technology
Bloom's: Knowledge
Difficulty: Medium
5-43
24. When auditing financial statements of a private company, the minimum work an auditor
must perform in connection with a company's internal control is best described by which of
the following statements:
A. Perform exhaustive tests of accounting controls and evaluate the company's control system
effectiveness.
B. Determine whether the company's control policies are designed well enough to prevent
material errors.
C. Prepare auditing working papers documenting the understanding of the company's internal
control.
D. Design procedures to search for significant deficiencies in the actual operation of the
company's internal control.
AICPA
AACSB: Analytic
AICPA BB: Legal
AICPA FN: Research
Bloom's: Knowledge
Difficulty: Hard
AACSB: Analytic
AICPA BB: Legal
AICPA FN: Risk Analysis
Bloom's: Application
Difficulty: Hard
5-44
26. If a control total were to be computed on each of the following data items, which would
best be identified as a hash total for a payroll IS application?
A. Hours worked.
B. Total debits and total credits.
C. Net pay.
D. Department numbers.
AICPA
AACSB: Technology
AICPA BB: Leveraging Technology
AICPA FN: Leveraging Technology
Bloom's: Knowledge
Difficulty: Medium
27. Generally accepted auditing standards (GAAS) give auditors considerable discretion to
decide the amount of work required to satisfy auditing standards guiding internal control
evaluation and related audit planning. Which of the descriptions below best expresses the
minimum amount of work permitted by GAAS for nonpublic companies?
A. Do not obtain an understanding of client environment, accounting, or control activities. Do
not document the decision to assess control risk at maximum. Perform 100% substantive audit
on all financial statement transactions and balances.
B. Obtain an understanding of client environment, accounting, and control activities.
Document the decision to assess control risk at maximum. Perform an extensive but not 100%
substantive audit on financial statement transactions and balances.
C. Obtain an understanding of client environment, accounting, and control activities, and
perform detail tests of controls. Document the decision to assess control risk below the
maximum. Perform restricted substantive audit on financial statement transactions and
balances, considering the control risk assessment.
D. Obtain an understanding of client environment, accounting, and control activities, and
perform detail tests of controls. Document the decision to assess control risk at zero. Perform
no substantive audit on financial statement transactions and balances, since zero control risk
means that no errors or fraud can reach the accounts.
Original
AACSB: Analytic
AICPA BB: Legal
AICPA FN: Risk Analysis
Bloom's: Application
Difficulty: Medium
5-45
28. Proper separation of duties reduces the opportunities to allow persons to be in positions to
both
A. Journalize entries and prepare financial statements.
B. Record cash receipts and cash disbursements.
C. Establish internal controls and authorize transactions.
D. Perpetuate and conceal errors and fraud.
AICPA
AACSB: Analytic
AICPA BB: Legal
AICPA FN: Research
Bloom's: Knowledge
Difficulty: Medium
AACSB: Analytic
AICPA BB: Legal
AICPA FN: Research
Bloom's: Knowledge
Difficulty: Hard
5-46
30. Which of the following is a step in an auditor's decision to assess control risk at below the
maximum?
A. Apply analytical procedures to both financial data and nonfinancial information to detect
conditions that may indicate weak controls.
B. Perform tests of details of transactions and account balances to identify potential errors and
fraud.
C. Identify specific internal control policies and activities that are likely to detect or prevent
material misstatements.
D. Document that the additional audit effort to perform tests of controls exceeds the potential
reduction in substantive testing.
AICPA
AACSB: Analytic
AICPA BB: Legal
AICPA FN: Risk Analysis
Bloom's: Knowledge
Difficulty: Hard
31. Which of the following is not an objective of internal controls over financial reporting as
defined by the Sarbanes-Oxley Act?
A. Policies and procedures that pertain to the maintenance of records that in reasonable detail
accurately and fairly reflect the transactions and dispositions of the assets of the registrant.
B. Policies and procedures that provide reasonable assurance that transactions are recorded as
necessary to permit preparation of financial statements in accordance with generally accepted
accounting principles, and receipts and expenditures of the registrant are being made only in
accordance with authorizations of management and directors of the registrant.
C. Policies and procedures that provide reasonable assurance regarding the compliance with
applicable laws and regulations.
D. Policies and procedures that provide reasonable assurance regarding prevention or timely
detection of unauthorized acquisition, use or disposition of the registrant's assets that could
have a material effect on the financial statements.
AICPA
AACSB: Analytic
AICPA BB: Legal
AICPA FN: Research
Bloom's: Knowledge
Difficulty: Medium
5-47
32. Which of the following most likely would not be considered an inherent limitation of the
potential effectiveness of an entity's internal controls?
A. Incompatible duties.
B. Management override.
C. Mistakes in judgment.
D. Collusion among employees.
AICPA
AACSB: Analytic
AICPA BB: Legal
AICPA FN: Research
Bloom's: Comprehension
Difficulty: Hard
AACSB: Analytic
AICPA BB: Legal
AICPA FN: Research
Bloom's: Knowledge
Difficulty: Medium
5-48
34. The primary objective of procedures performed to obtain an understanding of the entity's
internal control is to provide an auditor with
A. Knowledge necessary for audit planning.
B. Evidential matter to use in assessing inherent risk.
C. A basis for modifying tests of controls.
D. An evaluation of the consistency of application of management's policies.
AICPA
AACSB: Analytic
AICPA BB: Legal
AICPA FN: Research
Bloom's: Knowledge
Difficulty: Medium
35. The overall attitude and awareness of an entity's board of directors concerning the
importance of the client's internal control usually is reflected in its
A. Computer-based control activities.
B. System of separation of duties.
C. Control environment.
D. Safeguards over access to assets.
AICPA
AACSB: Analytic
AICPA BB: Legal
AICPA FN: Research
Bloom's: Knowledge
Difficulty: Easy
5-49
36. After obtaining an understanding of the internal controls and assessing control risk on the
audit of a non public company, an auditor decided to perform tests of controls. The auditor
most likely decided that
A. It would be efficient to perform tests of controls that would result in a reduction in planned
substantive tests.
B. Additional evidence to support a further reduction in control risk is not available.
C. An increase in the assessed level of control risk is justified for certain financial statement
assertions.
D. There were many internal control weaknesses that could allow errors to enter the
accounting system.
AICPA
AACSB: Analytic
AICPA BB: Critical Thinking
AICPA FN: Risk Analysis
Bloom's: Application
Difficulty: Medium
37. In an audit of financial statements of a non public company in accordance with generally
accepted auditing standards, an auditor is required to
A. Document the auditor's understanding of the entity's internal control.
B. Search for significant deficiencies in the operation of the internal controls.
C. Perform tests of controls to evaluate the effectiveness of the entity's accounting system.
D. Determine whether control activities are suitably designed to prevent or detect material
misstatements.
AICPA
AACSB: Analytic
AICPA BB: Legal
AICPA FN: Research
Bloom's: Knowledge
Difficulty: Medium
5-50
38. In testing control activities, an auditor ordinarily selects from a variety of techniques,
including
A. Inquiry and analytical procedures.
B. Reperformance and observation.
C. Comparison and confirmation.
D. Inspection and verification.
Original
AACSB: Analytic
AICPA BB: Legal
AICPA FN: Research
Bloom's: Knowledge
Difficulty: Medium
39. Assessing control risk at below the maximum level most likely would involve
A. Performing more extensive substantive tests with larger sample sizes than originally
planned.
B. Reducing inherent risk for most of the assertions relevant to significant account balances.
C. Changing the timing of substantive tests by omitting interim-date testing and performing
the tests at year end.
D. Identifying specific internal control structure policies and procedures relevant to specific
assertions.
AICPA
AACSB: Analytic
AICPA BB: Critical Thinking
AICPA FN: Risk Analysis
Bloom's: Comprehension
Difficulty: Hard
5-51
40. A report on internal control effectiveness by the management team of public companies is
required by
A. The Sarbanes-Oxley Act of 2002.
B. The PCAOB.
C. The AICPA.
D. Only auditors are required to report on internal control effectiveness.
Original
AACSB: Analytic
AICPA BB: Legal
AICPA FN: Research
Bloom's: Knowledge
Difficulty: Medium
41. Management's report on internal controls must include each of the following except
A. A statement that management is responsible for establishing and maintaining adequate
internal control over financial reporting.
B. A statement identifying the framework management uses to evaluate the effectiveness of
the company's internal control.
C. A statement providing management's assessment of the effectiveness of the company's
internal control.
D. A statement providing management's evaluation of the company's control environment.
Original
AACSB: Analytic
AICPA BB: Legal
AICPA FN: Research
Bloom's: Communication
Difficulty: Medium
5-52
42. Which of the following areas can external auditors rely on internal auditors' work in
auditing internal controls?
A. Evaluation of the auditing environment.
B. Limited documentation and testing of internal control activities.
C. All testing of the operating effectiveness of internal control activities.
D. As the principle evidence for the external auditors' opinion.
Original
AACSB: Analytic
AICPA BB: Legal
AICPA FN: Research
Bloom's: Application
Difficulty: Medium
AACSB: Analytic
AICPA BB: Legal
AICPA FN: Research
Bloom's: Knowledge
Difficulty: Easy
5-53
44. The primary purpose for obtaining an understanding of a non public audit client's internal
control is to
Refer To: 05-43
A. Provide a basis for making constructive suggestions in a management letter.
B. Determine the nature, timing, and extent of tests to be performed in the audit.
C. Obtain sufficient appropriate audit evidence to afford a reasonable basis for an opinion on
the financial statements under examination.
D. Provide information for a communication of internal control-related matters to
management.
Original
AACSB: Analytic
AICPA BB: Legal
AICPA FN: Research
Bloom's: Knowledge
Difficulty: Medium
AACSB: Analytic
AICPA BB: Legal
AICPA FN: Research
Bloom's: Application
Difficulty: Easy
5-54
AACSB: Technology
AICPA BB: Leveraging Technology
AICPA FN: Leveraging Technology
Bloom's: Knowledge
Difficulty: Medium
AACSB: Technology
AICPA BB: Leveraging Technology
AICPA FN: Leveraging Technology
Bloom's: Application
Difficulty: Medium
5-55
AACSB: Analytic
AICPA BB: Legal
AICPA FN: Research
Bloom's: Knowledge
Difficulty: Easy
49. In most audits of large entities, control risk assessment contributes to audit efficiency,
which means that
Refer To: 05-43
A. The cost of substantive procedures will exceed the cost of control evaluation work.
B. Auditors will be able to reduce the cost of substantive procedures by an amount more than
the control evaluation costs.
C. The cost of control evaluation work will exceed the cost of substantive procedures.
D. Auditors will be able to reduce the cost of substantive procedures by an amount less than
the cost of tests of controls.
Original
AACSB: Analytic
AICPA BB: Resource Management
AICPA FN: Risk Analysis
Bloom's: Application
Difficulty: Medium
5-56
50. Which of the following is a device designed to help the audit team obtain evidence about
the accounting and control activities of an audit client?
Refer To: 05-43
A. A narrative memorandum describing the control system.
B. An internal control questionnaire.
C. A flowchart of the documents and procedures used by the company.
D. All of the above.
Original
AACSB: Analytic
AICPA BB: Legal
AICPA FN: Risk Analysis
Bloom's: Knowledge
Difficulty: Easy
AACSB: Analytic
AICPA BB: Legal
AICPA FN: Risk Analysis
Bloom's: Knowledge
Difficulty: Medium
5-57
AACSB: Analytic
AICPA BB: Legal
AICPA FN: Research
Bloom's: Knowledge
Difficulty: Easy
AACSB: Analytic
AICPA BB: Legal
AICPA FN: Research
Bloom's: Knowledge
Difficulty: Medium
5-58
54. When planning an audit of internal controls under AS 5, the audit team should
Refer To: 05-43
A. Identify significant accounts, locations, and assertions.
B. Conduct a walkthrough of the internal control process.
C. Make inquiries of employees regarding the existence of control activities.
D. Re-perform control activities performed by client employees to determine their
effectiveness.
Original
AACSB: Analytic
AICPA BB: Legal
AICPA FN: Research
Bloom's: Knowledge
Difficulty: Medium
AACSB: Analytic
AICPA BB: Legal
AICPA FN: Risk Analysis
Bloom's: Knowledge
Difficulty: Medium
5-59
56. Totals of amounts in computer-recorded data fields that are not usually added but are used
only for data processing control purposes are called
Refer To: 05-43
A. Record totals.
B. Hash totals.
C. Processing data totals.
D. Field totals.
Original
AACSB: Technology
AICPA BB: Leveraging Technology
AICPA FN: Leveraging Technology
Bloom's: Knowledge
Difficulty: Hard
57. Which of the following does not accurately summarize auditors' requirements regarding
internal control?
AACSB: Analytic
AICPA BB: Legal
AICPA FN: Research
Bloom's: Knowledge
Difficulty: Hard
5-60
AACSB: Analytic
AICPA BB: Legal
AICPA FN: Research
Bloom's: Knowledge
Difficulty: Easy
AACSB: Communication
AICPA BB: Legal
AICPA FN: Research
Bloom's: Knowledge
Difficulty: Medium
5-61
AACSB: Analytic
AICPA BB: Legal
AICPA FN: Research
Bloom's: Knowledge
Difficulty: Easy
61. Which of the following would probably not be considered an indication of a material
weakness?
Refer To: 05-43
A. Evidence of a material misstatement.
B. Ineffective oversight by the audit committee.
C. An immaterial fraud committed by senior management.
D. Overproduction by the manufacturing plant.
Original
AACSB: Analytic
AICPA BB: Legal
AICPA FN: Risk Analysis
Bloom's: Comprehension
Difficulty: Medium
5-62
62. Which report would not be appropriate for a public accounting firm to provide on
financial reporting controls?
Refer To: 05-43
A. Unqualifiedno material weaknesses found.
B. Disclaimer of opinionunable to perform all necessary procedures.
C. Disclaimer of opinionsignificant deficiencies exist.
D. Adversematerial weaknesses exist.
Original
AACSB: Communication
AICPA BB: Legal
AICPA FN: Research
Bloom's: Knowledge
Difficulty: Easy
63. The purpose of separating the duties of hiring personnel and distributing payroll checks is
to separate the
Refer To: 05-43
A. Authorization of transactions from the custody of related assets.
B. Operational responsibility from the record-keeping responsibility.
C. Human resources function from the controllership function.
D. Administrative controls from the internal accounting controls.
AICPA adapted
AACSB: Analytic
AICPA BB: Legal
AICPA FN: Risk Analysis
Bloom's: Application
Difficulty: Easy
5-63
64. Which of the following statements is not true with respect to the auditors' report on
internal control over financial reporting?
Refer To: 05-43
A. The report will be dated as of the balance sheet date.
B. The report will express an opinion on the effectiveness of internal control over financial
reporting.
C. If one or more material weaknesses exist, the auditor will issue an adverse opinion.
D. The report may be presented with the report on the entity's financial statements as a
combined report.
Original
AACSB: Communication
AICPA BB: Legal
AICPA FN: Research
Bloom's: Knowledge
Difficulty: Hard
65. If the auditors encounter a significant scope limitation in evaluating a public company's
internal control over financial reporting, which of the following types of opinions on the
effectiveness of the company's internal control over financial reporting would be appropriate?
Refer To: 05-43
A. Unqualified opinion or adverse opinion.
B. Qualified opinion or adverse opinion.
C. Unqualified opinion or disclaimer of opinion.
D. Disclaimer of opinion.
Original
AACSB: Communication
AICPA BB: Legal
AICPA FN: Research
Bloom's: Application
Difficulty: Medium
5-64
66. Which of the following information would be included in the introductory paragraph of
the auditors' report on internal control over financial reporting if the report is presented
separately from the auditors' report on the entity's financial statements?
Refer To: 05-43
A. The fact that the auditors conducted an audit of the entity's financial statements.
B. The definition of a material weakness in internal control over financial reporting.
C. Statements identifying the responsibility of the auditors and management for internal
control over financial reporting.
D. A reference to the auditors' report and opinion on the entity's financial statements.
Original
AACSB: Communication
AICPA BB: Legal
AICPA FN: Research
Bloom's: Knowledge
Difficulty: Hard
67. Which of the following is not one of COSO's objectives for internal controls?
A. Efficiency and effectiveness of operations.
B. Reliability of financial reporting.
C. Maximization of profit.
D. Compliance with applicable laws and regulations.
Original
AACSB: Analytic
AICPA BB: Legal
AICPA FN: Research
Bloom's: Knowledge
Difficulty: Easy
5-65
68. Which of the following is not one of the elements of the control environment?
A. Process for recording transactions and preparing financial statements.
B. Presence of an internal auditing function.
C. A company's organizational structure.
D. Methods of assigning authority and responsibility.
Original
AACSB: Analytic
AICPA BB: Legal
AICPA FN: Research
Bloom's: Knowledge
Difficulty: Medium
AACSB: Analytic
AICPA BB: Legal
AICPA FN: Research
Bloom's: Knowledge
Difficulty: Medium
70. An edit test that checks data fields to see if any are blank when they must contain data is
called a
A. Valid sign test.
B. Missing data test.
C. Limit test.
D. Valid character test.
Original
AACSB: Technology
AICPA BB: Leveraging Technology
AICPA FN: Leveraging Technology
Bloom's: Knowledge
Difficulty: Medium
5-66
71. An action taken to prevent, detect, and correct errors and frauds in transactions is referred
to as a
A. Control objective.
B. Risk assessment.
C. Dual-purpose test.
D. Control activity.
Original
AACSB: Analytic
AICPA BB: Legal
AICPA FN: Research
Bloom's: Knowledge
Difficulty: Easy
72. Accounting for the numerical sequence of shipping documents is a control procedure
designed to achieve the internal control objective of
A. Validity.
B. Completeness.
C. Accounting.
D. Accuracy.
Original
AACSB: Analytic
AICPA BB: Legal
AICPA FN: Research
Bloom's: Comprehension
Difficulty: Easy
5-67
73. Auditors obtain an understanding of the internal control through all of the following,
except
A. Previous experience with the company.
B. Responses to inquiries directed to client personnel.
C. A substantive testing audit plan.
D. A "walk-through" of one or more transactions.
Original
AACSB: Analytic
AICPA BB: Legal
AICPA FN: Research
Bloom's: Application
Difficulty: Medium
74. The most efficient means of gathering evidence about the internal control is to conduct a
formal interview with knowledgeable managers and
A. Write a narrative description of each important control.
B. Prepare a flowchart illustrating the internal control.
C. Prepare a well indexed file of audit documentation.
D. Use an internal control questionnaire.
Original
AACSB: Analytic
AICPA BB: Legal
AICPA FN: Research
Bloom's: Application
Difficulty: Medium
5-68
AACSB: Analytic
AICPA BB: Legal
AICPA FN: Research
Bloom's: Knowledge
Difficulty: Easy
76. A computerized accounting system would not include which of the following among the
processing control activities?
A. Limit and reasonableness tests.
B. File and operator controls.
C. Master file changes.
D. Run-to-run total.
Original
AACSB: Technology
AICPA BB: Leveraging Technology
AICPA FN: Leveraging Technology
Bloom's: Knowledge
Difficulty: Medium
5-69
AACSB: Analytic
AICPA BB: Legal
AICPA FN: Research
Bloom's: Knowledge
Difficulty: Medium
AACSB: Analytic
AICPA BB: Legal
AICPA FN: Research
Bloom's: Knowledge
Difficulty: Medium
Matching Questions
5-70
1. Classification
2. Occurrence
3. Accuracy
4. Allocation or
valuation
5. Completeness
2
1
4
3
5
AACSB: Analytic
AICPA BB: Critical Thinking
AICPA FN: Risk Analysis
Bloom's: Application
Difficulty: Hard
80. For each of the descriptions below, match the correct control, A to G.
1. sequence tests
2. limit/reasonableness
tests
3. check digit
4. missing data tests
5. valid sign test
AACSB: Technology
AICPA BB: Leveraging Technology
AICPA FN: Leveraging Technology
Bloom's: Application
Difficulty: Hard
5-71
2
5
4
3
1
81. The primary reason for conducting an evaluation of a company's internal control is to
provide a basis for communicating significant deficiencies.
FALSE
82. The audit task of control risk assessment involves finding out what the company does to
prevent, detect, and correct errors and fraud.
TRUE
83. The audit team is responsible for the client's internal control.
FALSE
84. The attitudes of managers and directors are probably the most pervasive influences on the
control environment.
TRUE
85. The most important feature of an internal control system is the people who make the
system work.
TRUE
86. A control activity is an action taken to prevent, detect, and correct errors and frauds in
transactions.
TRUE
87. The COSO report indicates that internal control should be considered a process, not an
end in itself.
TRUE
5-72
88. Auditors of public companies do not need to determine the quality of a client's internal
control; they only need to know enough to plan the audit work.
FALSE
89. The primary reason to evaluate internal control is to formulate constructive suggestions
for improvement.
FALSE
90. The most efficient means of gathering evidence about a client's internal control is to
prepare a flowchart of the system.
FALSE
91. The strengths and weaknesses of a control system should be documented in bridge
working papers connecting the control evaluation to subsequent audit procedures.
TRUE
92. Auditors do not need to perform tests of controls audit procedures on internal control
weaknesses just to prove the weaknesses actually exist.
TRUE
93. To reduce the final control risk assessment to a low level, auditors need only to determine
the required degree of compliance with the control policies and procedures.
FALSE
94. Auditors perform tests of control activities to determine how the company's controls
actually functioned during the period under audit.
TRUE
5-73
95. Control systems generally provide absolute assurance that the objectives of internal
control are satisfied.
FALSE
96. Dual-purpose audit tests are procedures that produce both control and substantive
evidence.
TRUE
97. The key person in the internal control system of a small business is the independent
auditor.
FALSE
98. Evaluation of internal control systems on a nonpublic entity should not be subject to cost/
benefit considerations.
FALSE
99. Tests of controls consist of procedures designed to produce evidence of how effectively
the client's controls work in practice.
TRUE
100. Auditors can stop the assessment of control risk for nonpublic entities for either
effectiveness or efficiency reasons.
TRUE
5-74
102. The auditor's opinion on internal control under AS 5 relates only to controls existing at
the end of the year.
TRUE
103. Auditors should begin their evaluation of internal controls over financial reporting on a
bottom-up basisstarting with the account level assertion and working up to entity-level
controls.
FALSE
5-75
107. The COSO report identifies the objectives to be achieved by internal control as (1)
effectiveness and efficiency of _____________________________, (2) reliability of
_____________________________ _____________________________, and (3) compliance
with _____________________________ and _____________________________.
operations, financial reporting, laws, regulations
111. In connection with control activities used in a client's internal control system, a
_____________________________ _____________________________ is a tally of the
number of transactions submitted at a particular time and it is used to determine whether the
proper number was processed in a data conversion or computer accounting application.
record count
112. Control activities in a computerized accounting system may be classified into two types-_____________________________ controls and _____________________________
controls.
general, application
5-76
113. Significant deficiencies in internal control also include the more serious condition called
a _____________________________ _____________________________.
material weakness
114. To reduce the control risk level to a low level, auditors must determine (1) the
_____________________________ _____________________________ of company
compliance with control policies, and (2) the _____________________________
_____________________________ of company compliance.
required degree, actual degree
117. In gathering evidence about the client's internal control, auditors may use a (n)
_____________________________ _____________________________
_____________________________, which is a checklist of internal control related
questions.
internal control questionnaire
5-77
121. Computerized checks to see whether data values exceed or fall below some
predetermined limit are called limit or _____________________________
_____________________________.
reasonableness tests
122. Techniques used to check errors in accounting data in computer based accounting
systems can be categorized as _____________________________
_____________________________, _____________________________
_____________________________, and _____________________________
_____________________________.
input controls, processing controls, output controls
Essay Questions
5-78
124. What is the difference between an information technology general control and an
information technology application control?
An information technology general control is used to help control the entire computing
environment for an organization. For example, most organizations require password access to
log into the computing environment. An information technology application control is a
computerized control procedure that is designed to accomplish some type of control objective
within a company's overall system of internal control. For example, a company's accounts
receivable system may have an application control that automatically checks a customer's
credit limit before a new sales order is approved. In order to function properly, an information
technology application level technology control is dependent on effective information
technology general controls.
AACSB: Technology
AICPA BB: Leveraging Technology
AICPA FN: Leveraging Technology
Bloom's: Knowledge
Difficulty: Medium
125. What is the difference between an internal control's design effectiveness and its
operating effectiveness?
Design effectiveness determines whether the controls over financial reporting, if operating
effectively, would be expected to prevent or detect errors or fraud that could result in a
material financial misstatement. Operating effectiveness is whether the control is operating
as designed and whether the person performing the control possesses the necessary authority
and qualifications to perform the control effectively.
AACSB: Analytic
AICPA BB: Legal
AICPA FN: Research
Bloom's: Knowledge
Difficulty: Medium
5-79
AACSB: Analytic
AICPA BB: Legal
AICPA FN: Research
Bloom's: Knowledge
Difficulty: Medium
127. List and explain briefly the phases of an internal control evaluation.
Phase 1: Understanding and document the client's internal control structure. This phase
includes a general knowledge of the control environment, including the identification of entity
level controls. In addition, the auditor should gain an understanding of the flow of
transactions through the accounting system and document this understanding using a
questionnaire, narrative descriptions and perhaps flowcharts.
Phase 2: Assessing the control risk on a preliminary basis. At this point of the process, the
strengths and weaknesses of the system are analyzed and should be documented in a bridge
workpaper. A preliminary assessment of internal controls is completed. At this point, a
decision is made as to which controls are going tested and a required degree of compliance is
determined.
Phase 3: Performing tests of controls audit procedures and reassess control risk. When the
audit team determines that a specific control activity could have a significant effect in
reducing control risk to a low level for a specific assertion, they perform test of that control
activity to obtain specific audit evidence about the effectiveness of the design or operation of
that control activity. At this point, the actual degree of compliance is compared with the
required degree of compliance. The audit team then must determine the final assessment of
control risk and then determine whether any changes to the substantive testing plan must be
made.
AACSB: Analytic
AICPA BB: Legal
AICPA FN: Risk Analysis
Bloom's: Comprehension
Difficulty: Medium
5-80
128. What are some of the problems in establishing an internal control system in small
business?
Internal control problems in small business would include:
A. Separation of functional responsibilities would be difficult because of the small number of
employees.
B. The owner manager has to assume a greater role to oversee and supervise authorization,
recordkeeping, and custodial functions.
C. The owner manager must be diligent, competent, and have a high degree of integrity.
AACSB: Analytic
AICPA BB: Critical Thinking
AICPA FN: Risk Analysis
Bloom's: Application
Difficulty: Medium
129. The Sunny Company is computerizing its accounting function. It would like to separate
the duties of the systems analyst, programmer, and computer operator by hiring three different
people for these jobs. However, they can only afford to hire two people.
Required: A. Briefly describe the functions of the systems analyst, programmer, and computer
operator.
B. If Sunny Company can afford only two positions, which two of the three would you
combine into one job? Explain.
A. A systems analyst evaluates the existing system and designs new or improved data
processing. This includes outlining the system and providing guidelines for the programmer.
The programmer flowcharts, codes, and documents the application. The computer operator
operates the computer based on written instructions.
B. It would be best to combine the functions of the systems analyst and programmer. The
programmer has intimate knowledge of the program. The programmer could write code that
could be used during computer operations to manipulate data or assets for his or her benefit.
Therefore, the worst situation would be to combine the functions of the programmer and
computer operator. Another possibility would be to combine the responsibilities of the
systems analyst and computer operator. Though this may not be as severe a problem, the
systems analyst may still have special knowledge about the program and programming.
AACSB: Technology
AICPA BB: Leveraging Technology
AICPA FN: Leveraging Technology
Bloom's: Application
Difficulty: Hard
5-81
130. Explain the different opinions that auditors can issue for an entity's internal control over
financial reporting.
Auditors can issue the following opinions for an audit of an entity's internal control over
financial reporting:
Unqualified. No material weaknesses exist.
Disclaimer. The audit team cannot perform all of the procedures considered necessary and
therefore cannot issue an opinion.
Adverse opinion. One or more material weaknesses exist.
AACSB: Communication
AICPA BB: Legal
AICPA FN: Research
Bloom's: Knowledge
Difficulty: Medium
5-82
131. Auditors are required to obtain a sufficient understanding of an entity's internal control.
This understanding is required by the performance principle of GAAS.
Required: A. What are some of the goals (purposes) for conducting an evaluation of an
entity's internal control?
B. What audit work is required for an auditor to assess control risk below the "maximum"
level?
C. Should auditors always try to obtain enough evidence to assess control risk below the
"maximum" level? Explain.
A. The audit team has two primary reasons for conducting an evaluation of an entity's internal
control. First, Sarbanes-Oxley requires an audit of the effectiveness of internal control that is
an integrated part of the financial statement audit for publicly traded companies. The second
reason for evaluating an entity's internal control is to comply with the performance principle
of GAAS: To assess the risk of material misstatement to give the auditors a basis for planning
the audit and determining the nature, timing, and extent of audit procedures for the
substantive audit plan. The audit team assesses control risk.
B. If auditors assess control risk as "maximum" or 100 percent (i.e., poor control), they will
tend to perform a great deal of substantive procedures with large sample sizes (extent), at or
near the entity's fiscal year end (timing), using procedures designed to obtain high-quality
external evidence (nature). On the other hand, if auditors assess control risk as "low," usually
around 10 to 20 percent (i.e., effective control), they can perform fewer substantive
procedures with smaller sample sizes (extent), at an interim date before the entity's fiscal year
end (timing), using a mixture of procedures designed to obtain high-quality external evidence
and lower-quality internal evidence (nature). Of course, auditors may assess control risk
between "low" and "maximum" (e.g., "moderate," "high," or "slightly below maximum") and
adjust the substantive procedures accordingly.
C. No. here may be occasions when the audit team chooses to test everything substantively
rather than relying on internal controls to reduce substantive testing. For example, for fixed
assets, there are usually a small number of very material transactions. Testing controls would
not be efficient if the audit team is going to examine every transaction anyway.
AACSB: Analytic
AICPA BB: Critical Thinking
AICPA FN: Risk Analysis
Bloom's: Application
Difficulty: Hard
5-83
132. What are the six steps auditors of public companies should use to audit internal control
over financial reporting (ICOFR)?
1. Planning the engagement
2. Using a top-down approach to gain an understanding
3. Testing controls
4. Evaluating control deficiencies
5. Wrapping up: forming an opinion on the effectiveness of internal control over financial
reporting
6. Reporting on internal control
AACSB: Analytic
AICPA BB: Legal
AICPA FN: Research
Bloom's: Knowledge
Difficulty: Medium
AACSB: Analytic
AICPA BB: Legal
AICPA FN: Research
Bloom's: Knowledge
Difficulty: Medium
5-84
134. What is the difference between a significant deficiency and a material weakness?
The difference between a significant deficiency and a material weakness is the (1) likelihood
and (2) materiality that a potential (or actual) misstatement would not be detected on a timely
basis.
AACSB: Analytic
AICPA BB: Legal
AICPA FN: Research
Bloom's: Knowledge
Difficulty: Medium
5-85
135. Each of the five cases illustrates specific control activities from a client's revenue cycle
(accounts receivable/sales). For each of the procedures, (a) identify which management
assertions apply, and (b) what potential category of errors and frauds can be prevented.
AACSB: Analytic
AICPA BB: Critical Thinking
AICPA FN: Risk Analysis
Bloom's: Application
Difficulty: Hard
5-86