Chapter 05 - Risk Assessment: Internal Control Evaluation

Multiple Choice Questions

1. An audit team's responsibility would not include
A. Designing client's internal controls.
B. Documentation of understanding of a client's internal controls.
C. Communicating internal control deficiencies.
D. Assessing the effectiveness of a client's internal controls.

2. The appropriate separation of duties does not include
A. Authorization to execute transactions.
B. Recording of transactions.
C. Custody of assets involved in the transactions.
D. Data preparation.

3. A set of characteristics that helps to define a seriousness about employees' attitudes about
the control activities in a company is referred to as
A. Management assertions.
B. The control environment.
C. Control risk assessment.
D. Functional responsibilities.

4. Control activities intended to ensure that transactions are recorded in the right period are
designed to achieve the ASB assertion of
A. Occurrence.
B. Accuracy.
C. Valuation or allocation.
D. Cutoff.

5. Sound internal control can be described as separating all of the following duties and
responsibilities except for
A. Transaction authorization.
B. Recordkeeping.
C. Custody of, or direct access to, assets.
D. Hiring of employees.

6. After obtaining an understanding of the entity's internal control and assessing control risk,
an auditor of a non public company decided not to perform additional tests of controls. The
auditor most likely concluded that the
A. Additional evidence to support a further reduction in control risk was not cost beneficial.
B. Assessed level of inherent risk exceeded the assessed level of control risk.
C. Internal control structure was properly designed and justifiably may be relied on.
D. Evidence obtainable through tests of controls would not support an increased level of
control risk.

7. Regardless of the assessed level of control risk, an auditor of a non public company would
perform some
A. Tests of controls to determine the effectiveness of internal control policies.
B. Analytical procedures to verify the design of internal control activities.
C. Substantive tests to restrict detection risk for significant transaction classes.
D. Dual purpose tests to evaluate both the risk of monetary misstatement and preliminary
control risk.

8. The "obtaining an understanding" work phase (Phase 1) of internal control evaluation
would not give auditors an overall acquaintance with the client's
A. Control environment.
B. Information and communication system.
C. Control activity effectiveness.
D. Monitoring activities.

9. Which of the following is an Information Technology General Control?
A. Check digit.
B. Run-to-run totals.
C. Distribution of computerized output.
D. Separation of duties in the IT department.

10. Control strengths and weaknesses should be documented in audit documentation,
sometimes called
A. Questionnaires, narratives, and flowcharts.
B. Bridge working papers.
C. Communications of significant deficiencies.
D. Internal control letters.

11. The internal control in small business is highly dependent on the
A. Separation of functional responsibilities.
B. Complexity of the client's internal controls.
C. Owner-manager's competence, ethics and integrity.
D. Bonding of employees.

12. Which of the following is not an input control activity?
A. Reasonableness tests.
B. Record counts.
C. Financial totals.
D. Hash totals.

13. A sales clerk enters a customer's six-number customer account. The computer program
uses the first five numbers to calculate a sixth number. This resulting number is then
compared to the sixth number entered by the sales clerk. This is an example of a
A. Valid character test.
B. Missing data test.
C. Reasonableness test.
D. Check digit.

14. Which of the following is the least important audit reason for the auditor's obtaining an
understanding of a company's internal control?
A. To serve as a basis for constructive suggestions.
B. To plan subsequent substantive tests.
C. To identify types of potential misstatements.
D. To consider factors that affect the risk of material misstatement.

15. Tracing bills of lading to sales invoices provides evidence that
A. Shipments to customers were invoiced.
B. Shipments to customers were recorded as sales.
C. Recorded sales were shipped.
D. Invoiced sales were recorded as sales.

16. Which of the following client internal control activities is not usually performed in the
treasurer's department?
A. Verifying the accuracy of checks and vouchers.
B. Controlling the mailing of checks to vendors.
C. Approving vendors' invoices for payment.
D. Canceling payment vouchers when paid.

17. Which of the following audit procedures most likely would provide an auditor with the
most assurance about the effectiveness of the operation of an entity's internal control?
A. Confirmation with outside parties.
B. Inquiry of client personnel.
C. Successful re-performance of the control procedure.
D. Observation of client personnel.

18. When obtaining an understanding of an entity's internal control in a financial statement
audit, an auditor is not obligated to
A. Determine whether the control activities have been placed in operation.
B. Perform procedures to understand the design of the internal control system.
C. Document the understanding of the company's internal control system.
D. Search for significant deficiencies in the operation of the internal control system.

19. After obtaining an understanding of a client's financial reporting control activities, the
auditor would next
A. Test the client's control activities.
B. Assess the control risk.
C. Document the understanding obtained.
D. Plan the remainder of the audit work.

20. If auditors assess control risk at the maximum level, they will tend to
A. Perform a great deal of additional tests of controls.
B. Perform a great deal of substantive testing during the audit.
C. Perform substantive tests at an interim date.
D. Perform more audit procedures using internal evidence.

21. The ultimate purpose of assessing control risk is to contribute to the auditor's evaluation of
the
A. Factors that raise doubts about the auditability of the financial statements.
B. Operating effectiveness of internal control policies and procedures.
C. Risk that material misstatements exist in the financial statements.
D. Possibility that the nature and extent of substantive tests may be reduced.

22. When the audit team increases the planned assessed level of control risk because certain
control activities were determined to be ineffective, the audit team would most likely increase
the
A. Extent of tests of details.
B. Level of inherent risk.
C. Extent of tests of controls.
D. Level of detection risk.

23. In computer systems, the information technology general controls (ITGC) would not
include
A. Processing control activities.
B. Separation of various computer system functions.
C. Documentation of the data processing system.
D. Control over physical access to computer hardware.

24. When auditing financial statements of a private company, the minimum work an auditor
must perform in connection with a company's internal control is best described by which of
the following statements:
A. Perform exhaustive tests of accounting controls and evaluate the company's control system
effectiveness.
B. Determine whether the company's control policies are designed well enough to prevent
material errors.
C. Prepare auditing working papers documenting the understanding of the company's internal
control.
D. Design procedures to search for significant deficiencies in the actual operation of the
company's internal control.

25. Which of the following would likely be classified as a material weakness?
A. Absence of appropriate separation of duties.
B. Absence of appropriate reviews and approvals of transactions.
C. Evidence of failure of control activities.
D. Ineffective oversight of the financial reporting process by the company's audit committee.

26. If a control total were to be computed on each of the following data items, which would
best be identified as a hash total for a payroll IS application?
A. Hours worked.
B. Total debits and total credits.
C. Net pay.
D. Department numbers.

27. Generally accepted auditing standards (GAAS) give auditors considerable discretion to
decide the amount of work required to satisfy auditing standards guiding internal control
evaluation and related audit planning. Which of the descriptions below best expresses the
minimum amount of work permitted by GAAS for nonpublic companies?
A. Do not obtain an understanding of client environment, accounting, or control activities. Do
not document the decision to assess control risk at maximum. Perform 100% substantive audit
on all financial statement transactions and balances.
B. Obtain an understanding of client environment, accounting, and control activities.
Document the decision to assess control risk at maximum. Perform an extensive but not 100%
substantive audit on financial statement transactions and balances.
C. Obtain an understanding of client environment, accounting, and control activities, and
perform detail tests of controls. Document the decision to assess control risk below the
maximum. Perform restricted substantive audit on financial statement transactions and
balances, considering the control risk assessment.
D. Obtain an understanding of client environment, accounting, and control activities, and
perform detail tests of controls. Document the decision to assess control risk at zero. Perform
no substantive audit on financial statement transactions and balances, since zero control risk
means that no errors or fraud can reach the accounts.

28. Proper separation of duties reduces the opportunities to allow persons to be in positions to
both
A. Journalize entries and prepare financial statements.
B. Record cash receipts and cash disbursements.
C. Establish internal controls and authorize transactions.
D. Perpetuate and conceal errors and fraud.

29. In an audit of financial statements, an auditor's primary consideration regarding an
internal control policy or activity is whether the policy or activity
A. Reflects management's philosophy and operating style.
B. Affects management's financial statement assertions.
C. Provides adequate safeguards over access to assets.
D. Enhances management's decision making processes.

30. Which of the following is a step in an auditor's decision to assess control risk at below the
maximum?
A. Apply analytical procedures to both financial data and nonfinancial information to detect
conditions that may indicate weak controls.
B. Perform tests of details of transactions and account balances to identify potential errors and
fraud.
C. Identify specific internal control policies and activities that are likely to detect or prevent
material misstatements.
D. Document that the additional audit effort to perform tests of controls exceeds the potential
reduction in substantive testing.

31. Which of the following is not an objective of internal controls over financial reporting as
defined by the Sarbanes-Oxley Act?
A. Policies and procedures that pertain to the maintenance of records that in reasonable detail
accurately and fairly reflect the transactions and dispositions of the assets of the registrant.
B. Policies and procedures that provide reasonable assurance that transactions are recorded as
necessary to permit preparation of financial statements in accordance with generally accepted
accounting principles, and receipts and expenditures of the registrant are being made only in
accordance with authorizations of management and directors of the registrant.
C. Policies and procedures that provide reasonable assurance regarding the compliance with
applicable laws and regulations.
D. Policies and procedures that provide reasonable assurance regarding prevention or timely
detection of unauthorized acquisition, use or disposition of the registrant's assets that could
have a material effect on the financial statements.

32. Which of the following most likely would not be considered an inherent limitation of the
potential effectiveness of an entity's internal controls?
A. Incompatible duties.
B. Management override.
C. Mistakes in judgment.
D. Collusion among employees.

33. As part of understanding the internal control, an auditor is not required to
A. Consider factors that affect the risk of material misstatement.
B. Ascertain whether internal control policies and activities have been placed in operation.
C. Identify the types of potential misstatements that can occur.
D. Obtain knowledge about the operating effectiveness of the client's internal control
activities.

34. The primary objective of procedures performed to obtain an understanding of the entity's
internal control is to provide an auditor with
A. Knowledge necessary for audit planning.
B. Evidential matter to use in assessing inherent risk.
C. A basis for modifying tests of controls.
D. An evaluation of the consistency of application of management's policies.

35. The overall attitude and awareness of an entity's board of directors concerning the
importance of the client's internal control usually is reflected in its
A. Computer-based control activities.
B. System of separation of duties.
C. Control environment.
D. Safeguards over access to assets.

36. After obtaining an understanding of the internal controls and assessing control risk on the
audit of a non public company, an auditor decided to perform tests of controls. The auditor
most likely decided that
A. It would be efficient to perform tests of controls that would result in a reduction in planned
substantive tests.
B. Additional evidence to support a further reduction in control risk is not available.
C. An increase in the assessed level of control risk is justified for certain financial statement
assertions.
D. There were many internal control weaknesses that could allow errors to enter the
accounting system.

37. In an audit of financial statements of a non public company in accordance with generally
accepted auditing standards, an auditor is required to
A. Document the auditor's understanding of the entity's internal control.
B. Search for significant deficiencies in the operation of the internal controls.
C. Perform tests of controls to evaluate the effectiveness of the entity's accounting system.
D. Determine whether control activities are suitably designed to prevent or detect material
misstatements.

38. In testing control activities, an auditor ordinarily selects from a variety of techniques,
including
A. Inquiry and analytical procedures.
B. Reperformance and observation.
C. Comparison and confirmation.
D. Inspection and verification.

39. Assessing control risk at below the maximum level most likely would involve
A. Performing more extensive substantive tests with larger sample sizes than originally
planned.
B. Reducing inherent risk for most of the assertions relevant to significant account balances.
C. Changing the timing of substantive tests by omitting interim-date testing and performing
the tests at year end.
D. Identifying specific internal control structure policies and procedures relevant to specific
assertions.

40. A report on internal control effectiveness by the management team of public companies is
required by
A. The Sarbanes-Oxley Act of 2002.
B. The PCAOB.
C. The AICPA.
D. Only auditors are required to report on internal control effectiveness.

41. Management's report on internal controls must include each of the following except
A. A statement that management is responsible for establishing and maintaining adequate
internal control over financial reporting.
B. A statement identifying the framework management uses to evaluate the effectiveness of
the company's internal control.
C. A statement providing management's assessment of the effectiveness of the company's
internal control.
D. A statement providing management's evaluation of the company's control environment.

42. In which of the following areas can external auditors rely on internal auditors' work in
auditing internal controls?
A. Evaluation of the auditing environment.
B. Limited documentation and testing of internal control activities.
C. All testing of the operating effectiveness of internal control activities.
D. As the principal evidence for the external auditors' opinion.

43. The most important fundamental component of an entity's internal control is
A. Effectiveness and efficiency of operations.
B. People who operate the control system.
C. Reliability of financial reporting.
D. Compliance with applicable laws and regulations.

44. The primary purpose for obtaining an understanding of a non public audit client's internal
control is to
A. Provide a basis for making constructive suggestions in a management letter.
B. Determine the nature, timing, and extent of tests to be performed in the audit.
C. Obtain sufficient appropriate audit evidence to afford a reasonable basis for an opinion on
the financial statements under examination.
D. Provide information for a communication of internal control-related matters to
management.

45. Effectiveness of audit procedures would be reduced by
A. Selecting larger sample sizes for audit.
B. Performing audit procedures at the fiscal year-end date, as opposed to the interim period.
C. Deciding to obtain external evidence instead of internal evidence.
D. Performing procedures during the interim period, as opposed to at the fiscal year-end date.

46. Financial totals can be used for
A. Input controls.
B. Processing controls.
C. Output controls.
D. All of the above.

47. Which of the following is an application control?
A. Locked doors to the central server.
B. Change controls over new programs.
C. Backup controls.
D. An output control department that ensures that reports go to authorized recipients.

48. Which of the following is a preventive control?
A. A reconciliation of a bank account.
B. Internal auditors recalculating a sample of payroll entries.
C. Separation of duties between the payroll and personnel departments.
D. Use of hash totals for the payroll input sheet.

49. In most audits of large entities, control risk assessment contributes to audit efficiency,
which means that
A. The cost of substantive procedures will exceed the cost of control evaluation work.
B. Auditors will be able to reduce the cost of substantive procedures by an amount more than
the control evaluation costs.
C. The cost of control evaluation work will exceed the cost of substantive procedures.
D. Auditors will be able to reduce the cost of substantive procedures by an amount less than
the cost of tests of controls.

50. Which of the following is a device designed to help the audit team obtain evidence about
the accounting and control activities of an audit client?
A. A narrative memorandum describing the control system.
B. An internal control questionnaire.
C. A flowchart of the documents and procedures used by the company.
D. All of the above.

51. A bridge workpaper shows the connection between
A. Control evaluation findings and subsequent audit procedures.
B. Management objectives and accounting system procedures.
C. Management objectives and entity control activities.
D. Financial statement assertions and tests of controls.

52. Tests of controls in a GAAS audit are required for
A. Obtaining evidence about the financial statement assertions.
B. Accomplishing control over the occurrence of recorded transactions.
C. Applying analytical procedures to financial statement balances.
D. Obtaining evidence about the operating effectiveness of client control activities.

53. A client's financial control activity is
A. An action taken by auditors to obtain evidence.
B. An action taken by client personnel for the purpose of preventing, detecting, and correcting
errors and frauds in transactions to eliminate or mitigate risks identified by the company.
C. A method for recording, summarizing, and reporting financial information.
D. The functioning of the board of directors in support of its audit committee.

54. When planning an audit of internal controls under AS 5, the audit team should
A. Identify significant accounts, locations, and assertions.
B. Conduct a walkthrough of the internal control process.
C. Make inquiries of employees regarding the existence of control activities.
D. Re-perform control activities performed by client employees to determine their
effectiveness.

55. A material weakness is a situation in which
A. It is probable that an immaterial financial statement misstatement would not be detected on
a timely basis.
B. There is a remote likelihood that a material misstatement would be detected on a timely
basis.
C. It is reasonably possible that a material misstatement would not be detected on a timely
basis.
D. It is reasonably possible that an immaterial misstatement would not be detected on a timely
basis.

56. Totals of amounts in computer-recorded data fields that are not usually added but are used
only for data processing control purposes are called
A. Record totals.
B. Hash totals.
C. Processing data totals.
D. Field totals.

57. Which of the following does not accurately summarize auditors' requirements regarding
internal control?
A. Option A
B. Option B
C. Option C
D. Option D

58. AS 5 requires auditors of public companies to audit internal controls over
A. Operations.
B. Compliance with regulations.
C. Financial reporting.
D. All of the above.

59. AS 5 requires auditors of public companies to report on:
A. Option A
B. Option B
C. Option C
D. Option D

60. AS 5 requires auditors to test
A. Operating effectiveness only.
B. Design effectiveness only.
C. Both operating and design effectiveness.
D. Neither operating nor design effectiveness.

61. Which of the following would probably not be considered an indication of a material
weakness?
A. Evidence of a material misstatement.
B. Ineffective oversight by the audit committee.
C. An immaterial fraud committed by senior management.
D. Overproduction by the manufacturing plant.

62. Which report would not be appropriate for a public accounting firm to provide on
financial reporting controls?
A. Unqualified - no material weaknesses found.
B. Disclaimer of opinion - unable to perform all necessary procedures.
C. Disclaimer of opinion - significant deficiencies exist.
D. Adverse - material weaknesses exist.

63. The purpose of separating the duties of hiring personnel and distributing payroll checks is
to separate the
A. Authorization of transactions from the custody of related assets.
B. Operational responsibility from the record-keeping responsibility.
C. Human resources function from the controllership function.
D. Administrative controls from the internal accounting controls.

64. Which of the following statements is not true with respect to the auditors' report on
internal control over financial reporting?
A. The report will be dated as of the balance sheet date.
B. The report will express an opinion on the effectiveness of internal control over financial
reporting.
C. If one or more material weaknesses exist, the auditor will issue an adverse opinion.
D. The report may be presented with the report on the entity's financial statements as a
combined report.

65. If the auditors encounter a significant scope limitation in evaluating a public company's
internal control over financial reporting, which of the following types of opinions on the
effectiveness of the company's internal control over financial reporting would be appropriate?
A. Unqualified opinion or adverse opinion.
B. Qualified opinion or adverse opinion.
C. Unqualified opinion or disclaimer of opinion.
D. Disclaimer of opinion.

66. Which of the following information would be included in the introductory paragraph of
the auditors' report on internal control over financial reporting if the report is presented
separately from the auditors' report on the entity's financial statements?
A. The fact that the auditors conducted an audit of the entity's financial statements.
B. The definition of a material weakness in internal control over financial reporting.
C. Statements identifying the responsibility of the auditors and management for internal
control over financial reporting.
D. A reference to the auditors' report and opinion on the entity's financial statements.

Question also found in Study Guide

67. Which of the following is not one of COSO's objectives for internal controls?
A. Efficiency and effectiveness of operations.
B. Reliability of financial reporting.
C. Maximization of profit.
D. Compliance with applicable laws and regulations.

68. Which of the following is not one of the elements of the control environment?
A. Process for recording transactions and preparing financial statements.
B. Presence of an internal auditing function.
C. A company's organizational structure.
D. Methods of assigning authority and responsibility.

69. Which of the following would not be considered a control activity?
A. Assessment of control risk
B. Performance reviews
C. Physical controls
D. Information processing controls

70. An edit test that checks data fields to see if any are blank when they must contain data is
called a
A. Valid sign test.
B. Missing data test.
C. Limit test.
D. Valid character test.

71. An action taken to prevent, detect, and correct errors and frauds in transactions is referred
to as a
A. Control objective.
B. Risk assessment.
C. Dual-purpose test.
D. Control activity.

72. Accounting for the numerical sequence of shipping documents is a control procedure
designed to achieve the internal control objective of
A. Validity.
B. Completeness.
C. Accounting.
D. Accuracy.

73. Auditors obtain an understanding of the internal control through all of the following,
except
A. Previous experience with the company.
B. Responses to inquiries directed to client personnel.
C. A substantive testing audit plan.
D. A "walk-through" of one or more transactions.

74. The most efficient means of gathering evidence about the internal control is to conduct a
formal interview with knowledgeable managers and
A. Write a narrative description of each important control.
B. Prepare a flowchart illustrating the internal control.
C. Prepare a well indexed file of audit documentation.
D. Use an internal control questionnaire.

75. The five internal control components do not include
A. Control activities.
B. Risk assessment.
C. Monitoring.
D. Control risk.

76. A computerized accounting system would not include which of the following among the
processing control activities?
A. Limit and reasonableness tests.
B. File and operator controls.
C. Master file changes.
D. Run-to-run total.

77. Significant deficiencies are defined as conditions that
A. Could adversely affect the organization's ability to initiate, record, process, and report
financial data in the financial statements.
B. Results in a reasonable possibility that a material misstatement exists in financial
statements.
C. Exists when the design or operation of a control does not allow the company's management
or employees to detect or prevent misstatements in a timely fashion.
D. Relates to either a necessary control that is missing or an existing control that is so poorly
designed that it fails to satisfy the control's objective.

78. AS 5 requires the audit team to do all the following except
A. Evaluate the severity of each control deficiency that comes to his or her attention.
B. Document the process used to determine significant accounts and disclosures and major
classes of transactions.
C. Test all internal controls in the company.
D. AS 5 requires all the above.

Matching Questions

79. Below are the nine ASB management assertions.

1. Classification
2. Occurrence
3. Accuracy
4. Allocation or valuation
5. Completeness

Match shipping documents with sales invoices before a sale is recorded. ____
Balance total of individual customers' receivables with the control account. ____
Sales manager approves taking discounts. ____
Computer check for billing the quantity shipped, list price, and total. ____
Account for numerical sequence of pre-numbered shipping documents. ____

80. For each of the descriptions below, match the correct control, A to G.

1. sequence tests
2. limit/reasonableness tests
3. check digit
4. missing data tests
5. valid sign test

Programmed tests to ensure that illogical conditions do not occur. ____
Test that checks data fields for appropriate plus or minus. ____
Test that checks data fields to see if any are blank. ____
An extra number tagged on to the end of a basic identification. ____
Test that can check for missing documents in a prenumbered series. ____

True / False Questions

Question also Found in Study Guide

81. The primary reason for conducting an evaluation of a company's internal control is to
provide a basis for communicating significant deficiencies.
True False

82. The audit task of control risk assessment involves finding out what the company does to
prevent, detect, and correct errors and fraud.
True False

83. The audit team is responsible for the client's internal control.
True False

84. The attitudes of managers and directors are probably the most pervasive influences on the
control environment.
True False

85. The most important feature of an internal control system is the people who make the
system work.
True False

86. A control activity is an action taken to prevent, detect, and correct errors and frauds in
transactions.
True False

87. The COSO report indicates that internal control should be considered a process, not an
end in itself.
True False

88. Auditors of public companies do not need to determine the quality of a client's internal
control; they only need to know enough to plan the audit work.
True False

89. The primary reason to evaluate internal control is to formulate constructive suggestions
for improvement.
True False

90. The most efficient means of gathering evidence about a client's internal control is to
prepare a flowchart of the system.
True False

91. The strengths and weaknesses of a control system should be documented in bridge
working papers connecting the control evaluation to subsequent audit procedures.
True False

92. Auditors do not need to perform tests of controls audit procedures on internal control
weaknesses just to prove the weaknesses actually exist.
True False

93. To reduce the final control risk assessment to a low level, auditors need only to determine
the required degree of compliance with the control policies and procedures.
True False

94. Auditors perform tests of control activities to determine how the company's controls
actually functioned during the period under audit.
True False

95. Control systems generally provide absolute assurance that the objectives of internal
control are satisfied.
True False

96. Dual-purpose audit tests are procedures that produce both control and substantive
evidence.
True False

97. The key person in the internal control system of a small business is the independent
auditor.
True False

98. Evaluation of internal control systems on a nonpublic entity should not be subject to
cost/benefit considerations.
True False

99. Tests of controls consist of procedures designed to produce evidence of how effectively
the client's controls work in practice.
True False

100. Auditors can stop the assessment of control risk for nonpublic entities for either
effectiveness or efficiency reasons.
True False

101. PCAOB Auditing Standard No. 5 only applies to public companies.


True False

102. The auditor's opinion on internal control under AS 5 relates only to controls existing at
the end of the year.
True False

103. Auditors should begin their evaluation of internal controls over financial reporting on a
bottom-up basis, starting with the account level assertion and working up to entity-level
controls.
True False

Fill in the Blank Questions

Questions also Found in Study Guide

104. _____________________________ _____________________________ are the set of
policies and procedures that are designed to ensure that transactions are recorded properly.
________________________________________

105. _____________________________ _____________________________ in internal
control are matters the auditors believe should be communicated to the clients' audit
committee.
________________________________________

106. The audit team is responsible for designing an evaluation of
_____________________________ internal control systems, and
_____________________________ the control _____________________________ of that
system.
________________________________________

107. The COSO report identifies the objectives to be achieved by internal control as (1)
effectiveness and efficiency of _____________________________, (2) reliability of
_____________________________ _____________________________, and (3) compliance
with _____________________________ and _____________________________.
________________________________________

108. _____________________________ _____________________________ are specific
actions taken by a client's management and employees to help ensure that management
directives are carried out.
________________________________________

109. _____________________________ _____________________________ to assets and
important records, documents, and blank forms should be limited to authorized personnel only
in a well controlled company.
________________________________________

110. Internal control systems generally provide _____________________________ assurance
that the objectives of internal control are satisfied.
________________________________________

111. In connection with control activities used in a client's internal control system, a
_____________________________ _____________________________ is a tally of the
number of transactions submitted at a particular time and it is used to determine whether the
proper number was processed in a data conversion or computer accounting application.
________________________________________

112. Control activities in a computerized accounting system may be classified into two types:
_____________________________ controls and _____________________________
controls.
________________________________________

113. Significant deficiencies in internal control also include the more serious condition called
a _____________________________ _____________________________.
________________________________________

114. To reduce the control risk level to a low level, auditors must determine (1) the
_____________________________ _____________________________ of company
compliance with control policies, and (2) the _____________________________
_____________________________ of company compliance.
________________________________________

115. Auditors perform _____________________________
_____________________________ _____________________________ to determine how
well the company's controls actually functioned during the period under audit.
________________________________________

116. The concept of _____________________________ _____________________________
recognizes that the cost of an entity's internal control should not exceed the benefits that are
expected to be derived.
________________________________________

117. In gathering evidence about the client's internal control, auditors may use a(n)
_____________________________ _____________________________
_____________________________, which is a checklist of internal control related
questions.
________________________________________

118. _____________________________ _____________________________
_____________________________ reduce opportunities for a person to be in a position to
perpetrate and conceal errors and frauds when performing their normal duties.
________________________________________

119. A(n) _____________________________ _____________________________
_____________________________ is a single procedure that produces both control and
substantive evidence.
________________________________________

120. A(n) _____________________________ _____________________________ is an extra
number, precisely calculated, that is tagged onto the end of a basic identification number such
as an employee number.
________________________________________

121. Computerized checks to see whether data values exceed or fall below some
predetermined limit are called limit or _____________________________
_____________________________.
________________________________________

122. Techniques used to check errors in accounting data in computer based accounting
systems can be categorized as _____________________________
_____________________________, _____________________________
_____________________________, and _____________________________
_____________________________.
________________________________________

123. A material weakness results in a _____________________________
_____________________________ that a _____________________________
_____________________________ would not be prevented or detected on a timely basis.
________________________________________

Essay Questions

124. What is the difference between an information technology general control and an
information technology application control?

125. What is the difference between an internal control's design effectiveness and its
operating effectiveness?

126. List several elements of a company's control environment.

127. List and explain briefly the phases of an internal control evaluation.

128. What are some of the problems in establishing an internal control system in small
business?

129. The Sunny Company is computerizing its accounting function. It would like to separate
the duties of the systems analyst, programmer, and computer operator by hiring three different
people for these jobs. However, they can only afford to hire two people.
Required: A. Briefly describe the functions of the systems analyst, programmer, and computer
operator.
B. If Sunny Company can afford only two positions, which two of the three would you
combine into one job? Explain.

130. Explain the different opinions that auditors can issue for an entity's internal control over
financial reporting.

131. Auditors are required to obtain a sufficient understanding of an entity's internal control.
This understanding is required by the performance principle of GAAS.
Required: A. What are some of the goals (purposes) for conducting an evaluation of an
entity's internal control?
B. What audit work is required for an auditor to assess control risk below the "maximum"
level?
C. Should auditors always try to obtain enough evidence to assess control risk below the
"maximum" level? Explain.

132. What are the six steps auditors of public companies should use to audit internal control
over financial reporting (ICOFR)?

133. What constitutes a material weakness?

134. What is the difference between a significant deficiency and a material weakness?

Question is also Found in Study Guide

135. Each of the five cases illustrates specific control activities from a client's revenue cycle
(accounts receivable/sales). For each of the procedures, (a) identify which management
assertions apply, and (b) what potential category of errors and frauds can be prevented.

Chapter 05 Risk Assessment: Internal Control Evaluation Answer Key

Multiple Choice Questions

1. An audit team's responsibility would not include


A. Designing client's internal controls.
B. Documentation of understanding of a client's internal controls.
C. Communicating internal control deficiencies.
D. Assessing the effectiveness of a client's internal controls.
Original

AACSB: Analytic
AICPA BB: Legal
AICPA FN: Research
Bloom's: Knowledge
Difficulty: Medium

2. The appropriate separation of duties does not include


A. Authorization to execute transactions.
B. Recording of transactions.
C. Custody of assets involved in the transactions.
D. Data preparation.
Original

AACSB: Analytic
AICPA BB: Legal
AICPA FN: Research
Bloom's: Knowledge
Difficulty: Easy

3. A set of characteristics that helps to define a seriousness about employees' attitudes about
the control activities in a company is referred to as
A. Management assertions.
B. The control environment.
C. Control risk assessment.
D. Functional responsibilities.
Original

AACSB: Analytic
AICPA BB: Legal
AICPA FN: Research
Bloom's: Knowledge
Difficulty: Easy

4. Control activities intended to ensure that transactions are recorded in the right period are
designed to achieve the ASB assertion of
A. Occurrence.
B. Accuracy.
C. Valuation or allocation.
D. Cutoff.
Original

AACSB: Analytic
AICPA BB: Legal
AICPA FN: Research
Bloom's: Knowledge
Difficulty: Easy

5. Sound internal control can be described as separating all of the following duties and
responsibilities except for
A. Transaction authorization.
B. Recordkeeping.
C. Custody of, or direct access to, assets.
D. Hiring of employees.
Original

AACSB: Analytic
AICPA BB: Legal
AICPA FN: Research
Bloom's: Knowledge
Difficulty: Medium

6. After obtaining an understanding of the entity's internal control and assessing control risk,
an auditor of a non public company decided not to perform additional tests of controls. The
auditor most likely concluded that the
A. Additional evidence to support a further reduction in control risk was not cost beneficial.
B. Assessed level of inherent risk exceeded the assessed level of control risk.
C. Internal control structure was properly designed and justifiably may be relied on.
D. Evidence obtainable through tests of controls would not support an increased level of
control risk.
AICPA

AACSB: Analytic
AICPA BB: Resource Management
AICPA FN: Risk Analysis
Bloom's: Application
Difficulty: Hard

7. Regardless of the assessed level of control risk, an auditor of a non public company would
perform some
A. Tests of controls to determine the effectiveness of internal control policies.
B. Analytical procedures to verify the design of internal control activities.
C. Substantive tests to restrict detection risk for significant transaction classes.
D. Dual purpose tests to evaluate both the risk of monetary misstatement and preliminary
control risk.
AICPA

AACSB: Analytic
AICPA BB: Legal
AICPA FN: Risk Analysis
Bloom's: Knowledge
Difficulty: Hard

8. The "obtaining an understanding" work phase (Phase 1) of internal control evaluation
would not give auditors an overall acquaintance with the client's
A. Control environment.
B. Information and communication system.
C. Control activity effectiveness.
D. Monitoring activities.
Original

AACSB: Analytic
AICPA BB: Legal
AICPA FN: Research
Bloom's: Knowledge
Difficulty: Medium

9. Which of the following is an Information Technology General Control?


A. Check digit.
B. Run-to-run totals.
C. Distribution of computerized output.
D. Separation of duties in the IT department.
Original

AACSB: Technology
AICPA BB: Leveraging Technology
AICPA FN: Leveraging Technology
Bloom's: Knowledge
Difficulty: Easy

10. Control strengths and weaknesses should be documented in audit documentation,
sometimes called
A. Questionnaires, narratives, and flowcharts.
B. Bridge working papers.
C. Communications of significant deficiencies.
D. Internal control letters.
Original

AACSB: Analytic
AICPA BB: Legal
AICPA FN: Research
Bloom's: Knowledge
Difficulty: Medium

11. The internal control in small business is highly dependent on the


A. Separation of functional responsibilities.
B. Complexity of the client's internal controls.
C. Owner-manager's competence, ethics and integrity.
D. Bonding of employees.
Original

AACSB: Analytic
AICPA BB: Legal
AICPA FN: Risk Analysis
Bloom's: Knowledge
Difficulty: Medium

12. Which of the following is not an input control activity?


A. Reasonableness tests.
B. Record counts.
C. Financial totals.
D. Hash totals.
Original

AACSB: Technology
AICPA BB: Leveraging Technology
AICPA FN: Leveraging Technology
Bloom's: Knowledge
Difficulty: Medium

13. A sales clerk enters a customer's six-number customer account. The computer program
uses the first five numbers to calculate a sixth number. This resulting number is then
compared to the sixth number entered by the sales clerk. This is an example of a
A. A valid character test.
B. Missing data test.
C. Reasonableness test.
D. Check digit.
Original

AACSB: Technology
AICPA BB: Leveraging Technology
AICPA FN: Leveraging Technology
Bloom's: Knowledge
Difficulty: Medium

14. Which of the following is the least important audit reason for the auditor's obtaining an
understanding of a company's internal control?
A. To serve as a basis for constructive suggestions.
B. To plan subsequent substantive tests.
C. To identify types of potential misstatements.
D. To consider factors that affect the risk of material misstatement.
Original

AACSB: Analytic
AICPA BB: Legal
AICPA FN: Risk Analysis
Bloom's: Comprehension
Difficulty: Medium

15. Tracing bills of lading to sales invoices provides evidence that


A. Shipments to customers were invoiced.
B. Shipments to customers were recorded as sales.
C. Recorded sales were shipped.
D. Invoiced sales were recorded as sales.
Original

AACSB: Analytic
AICPA BB: Critical Thinking
AICPA FN: Decision Making
Bloom's: Knowledge
Difficulty: Medium

16. Which of the following client internal control activities is not usually performed in the
treasurer's department?
A. Verifying the accuracy of checks and vouchers.
B. Controlling the mailing of checks to vendors.
C. Approving vendors' invoices for payment.
D. Canceling payment vouchers when paid.
Original

AACSB: Analytic
AICPA BB: Legal
AICPA FN: Research
Bloom's: Application
Difficulty: Medium

17. Which of the following audit procedures most likely would provide an auditor with the
most assurance about the effectiveness of the operation of an entity's internal control?
A. Confirmation with outside parties.
B. Inquiry of client personnel.
C. Successful re-performance of the control procedure.
D. Observation of client personnel.
Original

AACSB: Analytic
AICPA BB: Legal
AICPA FN: Research
Bloom's: Knowledge
Difficulty: Medium

18. When obtaining an understanding of an entity's internal control in a financial statement
audit, an auditor is not obligated to
A. Determine whether the control activities have been placed in operation.
B. Perform procedures to understand the design of the internal control system.
C. Document the understanding of the company's internal control system.
D. Search for significant deficiencies in the operation of the internal control system.
Original

AACSB: Analytic
AICPA BB: Legal
AICPA FN: Research
Bloom's: Knowledge
Difficulty: Medium

19. After obtaining an understanding of a client's financial reporting control activities, the
auditor would next
A. Test the client's control activities.
B. Assess the control risk.
C. Document the understanding obtained.
D. Plan the remainder of the audit work.
Original

AACSB: Analytic
AICPA BB: Legal
AICPA FN: Research
Bloom's: Knowledge
Difficulty: Easy

20. If auditors assess control risk at the maximum level, they will tend to
A. Perform a great deal of additional tests of controls.
B. Perform a great deal of substantive testing during the audit.
C. Perform substantive tests at an interim date.
D. Perform more audit procedures using internal evidence.
Original

AACSB: Analytic
AICPA BB: Legal
AICPA FN: Risk Analysis
Bloom's: Application
Difficulty: Easy

21. The ultimate purpose of assessing control risk is to contribute to the auditor's evaluation of
the
A. Factors that raise doubts about the auditability of the financial statements.
B. Operating effectiveness of internal control policies and procedures.
C. Risk that material misstatements exist in the financial statements.
D. Possibility that the nature and extent of substantive tests may be reduced.
AICPA

AACSB: Analytic
AICPA BB: Legal
AICPA FN: Risk Analysis
Bloom's: Knowledge
Difficulty: Medium

22. When the audit team increases the planned assessed level of control risk because certain
control activities were determined to be ineffective, the audit team would most likely increase
the
A. Extent of tests of details.
B. Level of inherent risk.
C. Extent of tests of controls.
D. Level of detection risk.
AICPA

AACSB: Analytic
AICPA BB: Legal
AICPA FN: Risk Analysis
Bloom's: Application
Difficulty: Medium

23. In computer systems, the information technology general controls (ITGC) would not
include
A. Processing control activities.
B. Separation of various computer system functions.
C. Documentation of the data processing system.
D. Control over physical access to computer hardware.
Original

AACSB: Technology
AICPA BB: Leveraging Technology
AICPA FN: Leveraging Technology
Bloom's: Knowledge
Difficulty: Medium

24. When auditing financial statements of a private company, the minimum work an auditor
must perform in connection with a company's internal control is best described by which of
the following statements:
A. Perform exhaustive tests of accounting controls and evaluate the company's control system
effectiveness.
B. Determine whether the company's control policies are designed well enough to prevent
material errors.
C. Prepare auditing working papers documenting the understanding of the company's internal
control.
D. Design procedures to search for significant deficiencies in the actual operation of the
company's internal control.
AICPA

AACSB: Analytic
AICPA BB: Legal
AICPA FN: Research
Bloom's: Knowledge
Difficulty: Hard

25. Which of the following would likely be classified as a material weakness?


A. Absence of appropriate separation of duties.
B. Absence of appropriate reviews and approvals of transactions.
C. Evidence of failure of control activities.
D. Ineffective oversight of the financial reporting process by the company's audit committee.
Original

AACSB: Analytic
AICPA BB: Legal
AICPA FN: Risk Analysis
Bloom's: Application
Difficulty: Hard

26. If a control total were to be computed on each of the following data items, which would
best be identified as a hash total for a payroll IS application?
A. Hours worked.
B. Total debits and total credits.
C. Net pay.
D. Department numbers.
AICPA

AACSB: Technology
AICPA BB: Leveraging Technology
AICPA FN: Leveraging Technology
Bloom's: Knowledge
Difficulty: Medium

27. Generally accepted auditing standards (GAAS) give auditors considerable discretion to
decide the amount of work required to satisfy auditing standards guiding internal control
evaluation and related audit planning. Which of the descriptions below best expresses the
minimum amount of work permitted by GAAS for nonpublic companies?
A. Do not obtain an understanding of client environment, accounting, or control activities. Do
not document the decision to assess control risk at maximum. Perform 100% substantive audit
on all financial statement transactions and balances.
B. Obtain an understanding of client environment, accounting, and control activities.
Document the decision to assess control risk at maximum. Perform an extensive but not 100%
substantive audit on financial statement transactions and balances.
C. Obtain an understanding of client environment, accounting, and control activities, and
perform detail tests of controls. Document the decision to assess control risk below the
maximum. Perform restricted substantive audit on financial statement transactions and
balances, considering the control risk assessment.
D. Obtain an understanding of client environment, accounting, and control activities, and
perform detail tests of controls. Document the decision to assess control risk at zero. Perform
no substantive audit on financial statement transactions and balances, since zero control risk
means that no errors or fraud can reach the accounts.
Original

AACSB: Analytic
AICPA BB: Legal
AICPA FN: Risk Analysis
Bloom's: Application
Difficulty: Medium

28. Proper separation of duties reduces the opportunities to allow persons to be in positions to
both
A. Journalize entries and prepare financial statements.
B. Record cash receipts and cash disbursements.
C. Establish internal controls and authorize transactions.
D. Perpetuate and conceal errors and fraud.
AICPA

AACSB: Analytic
AICPA BB: Legal
AICPA FN: Research
Bloom's: Knowledge
Difficulty: Medium

29. In an audit of financial statements, an auditor's primary consideration regarding an
internal control policy or activity is whether the policy or activity
A. Reflects management's philosophy and operating style.
B. Affects management's financial statement assertions.
C. Provides adequate safeguards over access to assets.
D. Enhances management's decision making processes.
AICPA

AACSB: Analytic
AICPA BB: Legal
AICPA FN: Research
Bloom's: Knowledge
Difficulty: Hard

30. Which of the following is a step in an auditor's decision to assess control risk at below the
maximum?
A. Apply analytical procedures to both financial data and nonfinancial information to detect
conditions that may indicate weak controls.
B. Perform tests of details of transactions and account balances to identify potential errors and
fraud.
C. Identify specific internal control policies and activities that are likely to detect or prevent
material misstatements.
D. Document that the additional audit effort to perform tests of controls exceeds the potential
reduction in substantive testing.
AICPA

AACSB: Analytic
AICPA BB: Legal
AICPA FN: Risk Analysis
Bloom's: Knowledge
Difficulty: Hard

31. Which of the following is not an objective of internal controls over financial reporting as
defined by the Sarbanes-Oxley Act?
A. Policies and procedures that pertain to the maintenance of records that in reasonable detail
accurately and fairly reflect the transactions and dispositions of the assets of the registrant.
B. Policies and procedures that provide reasonable assurance that transactions are recorded as
necessary to permit preparation of financial statements in accordance with generally accepted
accounting principles, and receipts and expenditures of the registrant are being made only in
accordance with authorizations of management and directors of the registrant.
C. Policies and procedures that provide reasonable assurance regarding the compliance with
applicable laws and regulations.
D. Policies and procedures that provide reasonable assurance regarding prevention or timely
detection of unauthorized acquisition, use or disposition of the registrant's assets that could
have a material effect on the financial statements.
AICPA

AACSB: Analytic
AICPA BB: Legal
AICPA FN: Research
Bloom's: Knowledge
Difficulty: Medium

32. Which of the following most likely would not be considered an inherent limitation of the
potential effectiveness of an entity's internal controls?
A. Incompatible duties.
B. Management override.
C. Mistakes in judgment.
D. Collusion among employees.
AICPA

AACSB: Analytic
AICPA BB: Legal
AICPA FN: Research
Bloom's: Comprehension
Difficulty: Hard

33. As part of understanding the internal control, an auditor is not required to


A. Consider factors that affect the risk of material misstatement.
B. Ascertain whether internal control policies and activities have been placed in operation.
C. Identify the types of potential misstatements that can occur.
D. Obtain knowledge about the operating effectiveness of the client's internal control
activities.
AICPA

AACSB: Analytic
AICPA BB: Legal
AICPA FN: Research
Bloom's: Knowledge
Difficulty: Medium

34. The primary objective of procedures performed to obtain an understanding of the entity's
internal control is to provide an auditor with
A. Knowledge necessary for audit planning.
B. Evidential matter to use in assessing inherent risk.
C. A basis for modifying tests of controls.
D. An evaluation of the consistency of application of management's policies.
AICPA

AACSB: Analytic
AICPA BB: Legal
AICPA FN: Research
Bloom's: Knowledge
Difficulty: Medium

35. The overall attitude and awareness of an entity's board of directors concerning the
importance of the client's internal control usually is reflected in its
A. Computer-based control activities.
B. System of separation of duties.
C. Control environment.
D. Safeguards over access to assets.
AICPA

AACSB: Analytic
AICPA BB: Legal
AICPA FN: Research
Bloom's: Knowledge
Difficulty: Easy

36. After obtaining an understanding of the internal controls and assessing control risk on the
audit of a non public company, an auditor decided to perform tests of controls. The auditor
most likely decided that
A. It would be efficient to perform tests of controls that would result in a reduction in planned
substantive tests.
B. Additional evidence to support a further reduction in control risk is not available.
C. An increase in the assessed level of control risk is justified for certain financial statement
assertions.
D. There were many internal control weaknesses that could allow errors to enter the
accounting system.
AICPA

AACSB: Analytic
AICPA BB: Critical Thinking
AICPA FN: Risk Analysis
Bloom's: Application
Difficulty: Medium

37. In an audit of financial statements of a non public company in accordance with generally
accepted auditing standards, an auditor is required to
A. Document the auditor's understanding of the entity's internal control.
B. Search for significant deficiencies in the operation of the internal controls.
C. Perform tests of controls to evaluate the effectiveness of the entity's accounting system.
D. Determine whether control activities are suitably designed to prevent or detect material
misstatements.
AICPA

AACSB: Analytic
AICPA BB: Legal
AICPA FN: Research
Bloom's: Knowledge
Difficulty: Medium

38. In testing control activities, an auditor ordinarily selects from a variety of techniques,
including
A. Inquiry and analytical procedures.
B. Reperformance and observation.
C. Comparison and confirmation.
D. Inspection and verification.
Original

AACSB: Analytic
AICPA BB: Legal
AICPA FN: Research
Bloom's: Knowledge
Difficulty: Medium

39. Assessing control risk at below the maximum level most likely would involve
A. Performing more extensive substantive tests with larger sample sizes than originally
planned.
B. Reducing inherent risk for most of the assertions relevant to significant account balances.
C. Changing the timing of substantive tests by omitting interim-date testing and performing
the tests at year end.
D. Identifying specific internal control structure policies and procedures relevant to specific
assertions.
AICPA

AACSB: Analytic
AICPA BB: Critical Thinking
AICPA FN: Risk Analysis
Bloom's: Comprehension
Difficulty: Hard

40. A report on internal control effectiveness by the management team of public companies is
required by
A. The Sarbanes-Oxley Act of 2002.
B. The PCAOB.
C. The AICPA.
D. Only auditors are required to report on internal control effectiveness.
Original

AACSB: Analytic
AICPA BB: Legal
AICPA FN: Research
Bloom's: Knowledge
Difficulty: Medium

41. Management's report on internal controls must include each of the following except
A. A statement that management is responsible for establishing and maintaining adequate
internal control over financial reporting.
B. A statement identifying the framework management uses to evaluate the effectiveness of
the company's internal control.
C. A statement providing management's assessment of the effectiveness of the company's
internal control.
D. A statement providing management's evaluation of the company's control environment.
Original

AACSB: Analytic
AICPA BB: Legal
AICPA FN: Research
Bloom's: Communication
Difficulty: Medium

42. In which of the following areas can external auditors rely on internal auditors' work in
auditing internal controls?
A. Evaluation of the auditing environment.
B. Limited documentation and testing of internal control activities.
C. All testing of the operating effectiveness of internal control activities.
D. As the principal evidence for the external auditors' opinion.
Original

AACSB: Analytic
AICPA BB: Legal
AICPA FN: Research
Bloom's: Application
Difficulty: Medium

43. The most important fundamental component of an entity's internal control is
A. Effectiveness and efficiency of operations.
B. People who operate the control system.
C. Reliability of financial reporting.
D. Compliance with applicable laws and regulations.
Original

AACSB: Analytic
AICPA BB: Legal
AICPA FN: Research
Bloom's: Knowledge
Difficulty: Easy

44. The primary purpose for obtaining an understanding of a nonpublic audit client's internal
control is to
A. Provide a basis for making constructive suggestions in a management letter.
B. Determine the nature, timing, and extent of tests to be performed in the audit.
C. Obtain sufficient appropriate audit evidence to afford a reasonable basis for an opinion on
the financial statements under examination.
D. Provide information for a communication of internal control-related matters to
management.
Original

AACSB: Analytic
AICPA BB: Legal
AICPA FN: Research
Bloom's: Knowledge
Difficulty: Medium

45. Effectiveness of audit procedures would be reduced by
A. Selecting larger sample sizes for audit.
B. Performing audit procedures at the fiscal year-end date, as opposed to the interim period.
C. Deciding to obtain external evidence instead of internal evidence.
D. Performing procedures during the interim period, as opposed to at the fiscal year-end date.
Original

AACSB: Analytic
AICPA BB: Legal
AICPA FN: Research
Bloom's: Application
Difficulty: Easy

46. Financial totals can be used for
A. Input controls.
B. Processing controls.
C. Output controls.
D. All of the above.
Original

AACSB: Technology
AICPA BB: Leveraging Technology
AICPA FN: Leveraging Technology
Bloom's: Knowledge
Difficulty: Medium

47. Which of the following is an application control?
A. Locked doors to the central server.
B. Change controls over new programs.
C. Backup controls.
D. An output control department that ensures that reports go to authorized recipients.
Original

AACSB: Technology
AICPA BB: Leveraging Technology
AICPA FN: Leveraging Technology
Bloom's: Application
Difficulty: Medium

48. Which of the following is a preventive control?
A. A reconciliation of a bank account.
B. Internal auditors recalculating a sample of payroll entries.
C. Separation of duties between the payroll and personnel departments.
D. Use of hash totals for the payroll input sheet.
Original

AACSB: Analytic
AICPA BB: Legal
AICPA FN: Research
Bloom's: Knowledge
Difficulty: Easy

49. In most audits of large entities, control risk assessment contributes to audit efficiency,
which means that
A. The cost of substantive procedures will exceed the cost of control evaluation work.
B. Auditors will be able to reduce the cost of substantive procedures by an amount more than
the control evaluation costs.
C. The cost of control evaluation work will exceed the cost of substantive procedures.
D. Auditors will be able to reduce the cost of substantive procedures by an amount less than
the cost of tests of controls.
Original

AACSB: Analytic
AICPA BB: Resource Management
AICPA FN: Risk Analysis
Bloom's: Application
Difficulty: Medium

50. Which of the following is a device designed to help the audit team obtain evidence about
the accounting and control activities of an audit client?
A. A narrative memorandum describing the control system.
B. An internal control questionnaire.
C. A flowchart of the documents and procedures used by the company.
D. All of the above.
Original

AACSB: Analytic
AICPA BB: Legal
AICPA FN: Risk Analysis
Bloom's: Knowledge
Difficulty: Easy

51. A bridge workpaper shows the connection between
A. Control evaluation findings and subsequent audit procedures.
B. Management objectives and accounting system procedures.
C. Management objectives and entity control activities.
D. Financial statement assertions and tests of controls.
Original

AACSB: Analytic
AICPA BB: Legal
AICPA FN: Risk Analysis
Bloom's: Knowledge
Difficulty: Medium

52. Tests of controls in a GAAS audit are required for
A. Obtaining evidence about the financial statement assertions.
B. Accomplishing control over the occurrence of recorded transactions.
C. Applying analytical procedures to financial statement balances.
D. Obtaining evidence about the operating effectiveness of client control activities.
Original

AACSB: Analytic
AICPA BB: Legal
AICPA FN: Research
Bloom's: Knowledge
Difficulty: Easy

53. A client's financial control activity is
A. An action taken by auditors to obtain evidence.
B. An action taken by client personnel for the purpose of preventing, detecting, and correcting
errors and frauds in transactions to eliminate or mitigate risks identified by the company.
C. A method for recording, summarizing, and reporting financial information.
D. The functioning of the board of directors in support of its audit committee.
Original

AACSB: Analytic
AICPA BB: Legal
AICPA FN: Research
Bloom's: Knowledge
Difficulty: Medium

54. When planning an audit of internal controls under AS 5, the audit team should
A. Identify significant accounts, locations, and assertions.
B. Conduct a walkthrough of the internal control process.
C. Make inquiries of employees regarding the existence of control activities.
D. Re-perform control activities performed by client employees to determine their
effectiveness.
Original

AACSB: Analytic
AICPA BB: Legal
AICPA FN: Research
Bloom's: Knowledge
Difficulty: Medium

55. A material weakness is a situation in which
A. It is probable that an immaterial financial statement misstatement would not be detected on
a timely basis.
B. There is a remote likelihood that a material misstatement would be detected on a timely
basis.
C. It is reasonably possible that a material misstatement would not be detected on a timely
basis.
D. It is reasonably possible that an immaterial misstatement would not be detected on a timely
basis.
Original

AACSB: Analytic
AICPA BB: Legal
AICPA FN: Risk Analysis
Bloom's: Knowledge
Difficulty: Medium

56. Totals of amounts in computer-recorded data fields that are not usually added but are used
only for data processing control purposes are called
A. Record totals.
B. Hash totals.
C. Processing data totals.
D. Field totals.
Original

AACSB: Technology
AICPA BB: Leveraging Technology
AICPA FN: Leveraging Technology
Bloom's: Knowledge
Difficulty: Hard

57. Which of the following does not accurately summarize auditors' requirements regarding
internal control?
A. Option A
B. Option B
C. Option C
D. Option D
Original

AACSB: Analytic
AICPA BB: Legal
AICPA FN: Research
Bloom's: Knowledge
Difficulty: Hard

58. AS 5 requires auditors of public companies to audit internal controls over
A. Operations.
B. Compliance with regulations.
C. Financial reporting.
D. All of the above.
Original

AACSB: Analytic
AICPA BB: Legal
AICPA FN: Research
Bloom's: Knowledge
Difficulty: Easy

59. AS 5 requires auditors of public companies to report on:
A. Option A
B. Option B
C. Option C
D. Option D
Original

AACSB: Communication
AICPA BB: Legal
AICPA FN: Research
Bloom's: Knowledge
Difficulty: Medium

60. AS 5 requires auditors to test
A. Operating effectiveness only.
B. Design effectiveness only.
C. Both operating and design effectiveness.
D. Neither operating nor design effectiveness.
Original

AACSB: Analytic
AICPA BB: Legal
AICPA FN: Research
Bloom's: Knowledge
Difficulty: Easy

61. Which of the following would probably not be considered an indication of a material
weakness?
A. Evidence of a material misstatement.
B. Ineffective oversight by the audit committee.
C. An immaterial fraud committed by senior management.
D. Overproduction by the manufacturing plant.
Original

AACSB: Analytic
AICPA BB: Legal
AICPA FN: Risk Analysis
Bloom's: Comprehension
Difficulty: Medium

62. Which report would not be appropriate for a public accounting firm to provide on
financial reporting controls?
A. Unqualified - no material weaknesses found.
B. Disclaimer of opinion - unable to perform all necessary procedures.
C. Disclaimer of opinion - significant deficiencies exist.
D. Adverse - material weaknesses exist.
Original

AACSB: Communication
AICPA BB: Legal
AICPA FN: Research
Bloom's: Knowledge
Difficulty: Easy

63. The purpose of separating the duties of hiring personnel and distributing payroll checks is
to separate the
A. Authorization of transactions from the custody of related assets.
B. Operational responsibility from the record-keeping responsibility.
C. Human resources function from the controllership function.
D. Administrative controls from the internal accounting controls.
AICPA adapted

AACSB: Analytic
AICPA BB: Legal
AICPA FN: Risk Analysis
Bloom's: Application
Difficulty: Easy

64. Which of the following statements is not true with respect to the auditors' report on
internal control over financial reporting?
A. The report will be dated as of the balance sheet date.
B. The report will express an opinion on the effectiveness of internal control over financial
reporting.
C. If one or more material weaknesses exist, the auditor will issue an adverse opinion.
D. The report may be presented with the report on the entity's financial statements as a
combined report.
Original

AACSB: Communication
AICPA BB: Legal
AICPA FN: Research
Bloom's: Knowledge
Difficulty: Hard

65. If the auditors encounter a significant scope limitation in evaluating a public company's
internal control over financial reporting, which of the following types of opinions on the
effectiveness of the company's internal control over financial reporting would be appropriate?
A. Unqualified opinion or adverse opinion.
B. Qualified opinion or adverse opinion.
C. Unqualified opinion or disclaimer of opinion.
D. Disclaimer of opinion.
Original

AACSB: Communication
AICPA BB: Legal
AICPA FN: Research
Bloom's: Application
Difficulty: Medium

66. Which of the following information would be included in the introductory paragraph of
the auditors' report on internal control over financial reporting if the report is presented
separately from the auditors' report on the entity's financial statements?
A. The fact that the auditors conducted an audit of the entity's financial statements.
B. The definition of a material weakness in internal control over financial reporting.
C. Statements identifying the responsibility of the auditors and management for internal
control over financial reporting.
D. A reference to the auditors' report and opinion on the entity's financial statements.
Original

AACSB: Communication
AICPA BB: Legal
AICPA FN: Research
Bloom's: Knowledge
Difficulty: Hard

Question also found in Study Guide

67. Which of the following is not one of COSO's objectives for internal controls?
A. Efficiency and effectiveness of operations.
B. Reliability of financial reporting.
C. Maximization of profit.
D. Compliance with applicable laws and regulations.
Original

AACSB: Analytic
AICPA BB: Legal
AICPA FN: Research
Bloom's: Knowledge
Difficulty: Easy

68. Which of the following is not one of the elements of the control environment?
A. Process for recording transactions and preparing financial statements.
B. Presence of an internal auditing function.
C. A company's organizational structure.
D. Methods of assigning authority and responsibility.
Original

AACSB: Analytic
AICPA BB: Legal
AICPA FN: Research
Bloom's: Knowledge
Difficulty: Medium

69. Which of the following would not be considered a control activity?
A. Assessment of control risk
B. Performance reviews
C. Physical controls
D. Information processing controls
Original

AACSB: Analytic
AICPA BB: Legal
AICPA FN: Research
Bloom's: Knowledge
Difficulty: Medium

70. An edit test that checks data fields to see if any are blank when they must contain data is
called a
A. Valid sign test.
B. Missing data test.
C. Limit test.
D. Valid character test.
Original

AACSB: Technology
AICPA BB: Leveraging Technology
AICPA FN: Leveraging Technology
Bloom's: Knowledge
Difficulty: Medium

71. An action taken to prevent, detect, and correct errors and frauds in transactions is referred
to as a
A. Control objective.
B. Risk assessment.
C. Dual-purpose test.
D. Control activity.
Original

AACSB: Analytic
AICPA BB: Legal
AICPA FN: Research
Bloom's: Knowledge
Difficulty: Easy

72. Accounting for the numerical sequence of shipping documents is a control procedure
designed to achieve the internal control objective of
A. Validity.
B. Completeness.
C. Accounting.
D. Accuracy.
Original

AACSB: Analytic
AICPA BB: Legal
AICPA FN: Research
Bloom's: Comprehension
Difficulty: Easy

73. Auditors obtain an understanding of the internal control through all of the following,
except
A. Previous experience with the company.
B. Responses to inquiries directed to client personnel.
C. A substantive testing audit plan.
D. A "walk-through" of one or more transactions.
Original

AACSB: Analytic
AICPA BB: Legal
AICPA FN: Research
Bloom's: Application
Difficulty: Medium

74. The most efficient means of gathering evidence about the internal control is to conduct a
formal interview with knowledgeable managers and
A. Write a narrative description of each important control.
B. Prepare a flowchart illustrating the internal control.
C. Prepare a well-indexed file of audit documentation.
D. Use an internal control questionnaire.
Original

AACSB: Analytic
AICPA BB: Legal
AICPA FN: Research
Bloom's: Application
Difficulty: Medium

75. The five internal control components do not include
A. Control activities.
B. Risk assessment.
C. Monitoring.
D. Control risk.
Original

AACSB: Analytic
AICPA BB: Legal
AICPA FN: Research
Bloom's: Knowledge
Difficulty: Easy

76. A computerized accounting system would not include which of the following among the
processing control activities?
A. Limit and reasonableness tests.
B. File and operator controls.
C. Master file changes.
D. Run-to-run total.
Original

AACSB: Technology
AICPA BB: Leveraging Technology
AICPA FN: Leveraging Technology
Bloom's: Knowledge
Difficulty: Medium

77. Significant deficiencies are defined as conditions that
A. Could adversely affect the organization's ability to initiate, record, process, and report
financial data in the financial statements.
B. Result in a reasonable possibility that a material misstatement exists in financial
statements.
C. Exist when the design or operation of a control does not allow the company's management
or employees to detect or prevent misstatements in a timely fashion.
D. Relate to either a necessary control that is missing or an existing control that is so poorly
designed that it fails to satisfy the control's objective.
Original

AACSB: Analytic
AICPA BB: Legal
AICPA FN: Research
Bloom's: Knowledge
Difficulty: Medium

78. AS 5 requires the audit team to do all the following except
A. Evaluate the severity of each control deficiency that comes to his or her attention.
B. Document the process used to determine significant accounts and disclosures and major
classes of transactions.
C. Test all internal controls in the company.
D. AS 5 requires all the above.
Original

AACSB: Analytic
AICPA BB: Legal
AICPA FN: Research
Bloom's: Knowledge
Difficulty: Medium

Matching Questions

79. Below are the nine ASB management assertions.

1. Classification
2. Occurrence
3. Accuracy
4. Allocation or valuation
5. Completeness

Match shipping documents with sales invoices before a sale is recorded.
2 (Occurrence)

Balance total of individual customers' receivables with the control account.
1 (Classification)

Sales manager approves taking discounts.
4 (Allocation or valuation)

Computer check for billing the quantity shipped, list price, and total.
3 (Accuracy)

Account for numerical sequence of pre-numbered shipping documents.
5 (Completeness)

AACSB: Analytic
AICPA BB: Critical Thinking
AICPA FN: Risk Analysis
Bloom's: Application
Difficulty: Hard

80. For each of the descriptions below, match the correct control, A to G.

1. sequence tests
2. limit/reasonableness tests
3. check digit
4. missing data tests
5. valid sign test

Programmed tests to ensure that illogical conditions do not occur.
2 (limit/reasonableness tests)

Test that checks data fields for appropriate plus or minus.
5 (valid sign test)

Test that checks data fields to see if any are blank.
4 (missing data tests)

An extra number tagged on to the end of a basic identification.
3 (check digit)

Test that can check for missing documents in a prenumbered series.
1 (sequence tests)

AACSB: Technology
AICPA BB: Leveraging Technology
AICPA FN: Leveraging Technology
Bloom's: Application
Difficulty: Hard

True / False Questions

Question also Found in Study Guide

81. The primary reason for conducting an evaluation of a company's internal control is to
provide a basis for communicating significant deficiencies.
FALSE

82. The audit task of control risk assessment involves finding out what the company does to
prevent, detect, and correct errors and fraud.
TRUE

83. The audit team is responsible for the client's internal control.
FALSE

84. The attitudes of managers and directors are probably the most pervasive influences on the
control environment.
TRUE

85. The most important feature of an internal control system is the people who make the
system work.
TRUE

86. A control activity is an action taken to prevent, detect, and correct errors and frauds in
transactions.
TRUE

87. The COSO report indicates that internal control should be considered a process, not an
end in itself.
TRUE

88. Auditors of public companies do not need to determine the quality of a client's internal
control; they only need to know enough to plan the audit work.
FALSE

89. The primary reason to evaluate internal control is to formulate constructive suggestions
for improvement.
FALSE

90. The most efficient means of gathering evidence about a client's internal control is to
prepare a flowchart of the system.
FALSE

91. The strengths and weaknesses of a control system should be documented in bridge
working papers connecting the control evaluation to subsequent audit procedures.
TRUE

92. Auditors do not need to perform tests of controls audit procedures on internal control
weaknesses just to prove the weaknesses actually exist.
TRUE

93. To reduce the final control risk assessment to a low level, auditors need only to determine
the required degree of compliance with the control policies and procedures.
FALSE

94. Auditors perform tests of control activities to determine how the company's controls
actually functioned during the period under audit.
TRUE

95. Control systems generally provide absolute assurance that the objectives of internal
control are satisfied.
FALSE

96. Dual-purpose audit tests are procedures that produce both control and substantive
evidence.
TRUE

97. The key person in the internal control system of a small business is the independent
auditor.
FALSE

98. Evaluation of internal control systems on a nonpublic entity should not be subject to
cost/benefit considerations.
FALSE

99. Tests of controls consist of procedures designed to produce evidence of how effectively
the client's controls work in practice.
TRUE

100. Auditors can stop the assessment of control risk for nonpublic entities for either
effectiveness or efficiency reasons.
TRUE

101. PCAOB Auditing Standard No. 5 only applies to public companies.
TRUE

102. The auditor's opinion on internal control under AS 5 relates only to controls existing at
the end of the year.
TRUE

103. Auditors should begin their evaluation of internal controls over financial reporting on a
bottom-up basis, starting with the account level assertion and working up to entity-level
controls.
FALSE

Fill in the Blank Questions

Questions also Found in Study Guide

104. _____________________________ _____________________________ are the set of
policies and procedures that are designed to ensure that transactions are recorded properly.
Control activities

105. _____________________________ _____________________________ in internal
control are matters the auditors believe should be communicated to the client's audit
committee.
Significant deficiencies

106. The audit team is responsible for designing an evaluation of
_____________________________ internal control systems, and
_____________________________ the control _____________________________ of that
system.
existing, assessing, risk

107. The COSO report identifies the objectives to be achieved by internal control as (1)
effectiveness and efficiency of _____________________________, (2) reliability of
_____________________________ _____________________________, and (3) compliance
with _____________________________ and _____________________________.
operations, financial reporting, laws, regulations

108. _____________________________ _____________________________ are specific
actions taken by a client's management and employees to help ensure that management
directives are carried out.
Control activities

109. _____________________________ _____________________________ to assets and
important records, documents, and blank forms should be limited to authorized personnel only
in a well-controlled company.
Physical access

110. Internal control systems generally provide _____________________________ assurance
that the objectives of internal control are satisfied.
reasonable

111. In connection with control activities used in a client's internal control system, a
_____________________________ _____________________________ is a tally of the
number of transactions submitted at a particular time and it is used to determine whether the
proper number was processed in a data conversion or computer accounting application.
record count

112. Control activities in a computerized accounting system may be classified into two types:
_____________________________ controls and _____________________________
controls.
general, application

113. Significant deficiencies in internal control also include the more serious condition called
a _____________________________ _____________________________.
material weakness

114. To reduce the control risk level to a low level, auditors must determine (1) the
_____________________________ _____________________________ of company
compliance with control policies, and (2) the _____________________________
_____________________________ of company compliance.
required degree, actual degree

115. Auditors perform _____________________________
_____________________________ _____________________________ to determine how
well the company's controls actually functioned during the period under audit.
tests of controls

116. The concept of _____________________________ _____________________________
recognizes that the cost of an entity's internal control should not exceed the benefits that are
expected to be derived.
reasonable assurance

117. In gathering evidence about the client's internal control, auditors may use a(n)
_____________________________ _____________________________
_____________________________, which is a checklist of internal control-related
questions.
internal control questionnaire

118. _____________________________ _____________________________
_____________________________ reduce opportunities for a person to be in a position to
perpetrate and conceal errors and frauds when performing their normal duties.
Separation of duties

119. A(n) _____________________________ _____________________________
_____________________________ is a single procedure that produces both control and
substantive evidence.
dual-purpose test

120. A(n) _____________________________ _____________________________ is an extra
number, precisely calculated, that is tagged onto the end of a basic identification number such
as an employee number.
check digit

121. Computerized checks to see whether data values exceed or fall below some
predetermined limit are called limit or _____________________________
_____________________________.
reasonableness tests

122. Techniques used to check errors in accounting data in computer-based accounting
systems can be categorized as _____________________________
_____________________________, _____________________________
_____________________________, and _____________________________
_____________________________.
input controls, processing controls, output controls

123. A material weakness results in a _____________________________
_____________________________ that a _____________________________
_____________________________ would not be prevented or detected on a timely basis.
reasonable possibility, material misstatement

Essay Questions

124. What is the difference between an information technology general control and an
information technology application control?
An information technology general control is used to help control the entire computing
environment for an organization. For example, most organizations require password access to
log into the computing environment. An information technology application control is a
computerized control procedure that is designed to accomplish some type of control objective
within a company's overall system of internal control. For example, a company's accounts
receivable system may have an application control that automatically checks a customer's
credit limit before a new sales order is approved. In order to function properly, an information
technology application control is dependent on effective information technology general
controls.

AACSB: Technology
AICPA BB: Leveraging Technology
AICPA FN: Leveraging Technology
Bloom's: Knowledge
Difficulty: Medium

125. What is the difference between an internal control's design effectiveness and its
operating effectiveness?
Design effectiveness determines whether the controls over financial reporting, if operating
effectively, would be expected to prevent or detect errors or fraud that could result in a
material financial misstatement. Operating effectiveness is whether the control is operating
as designed and whether the person performing the control possesses the necessary authority
and qualifications to perform the control effectively.

AACSB: Analytic
AICPA BB: Legal
AICPA FN: Research
Bloom's: Knowledge
Difficulty: Medium

126. List several elements of a company's control environment.
Some of the elements of a control environment include:
* Management's philosophy and operating style.
* Company organization structure.
* Functioning of the board of directors, particularly its audit committee.
* Methods of assigning authority and responsibility.
* Management's monitoring methods, including internal auditing.
* Personnel policies and practices.
* External influences.

AACSB: Analytic
AICPA BB: Legal
AICPA FN: Research
Bloom's: Knowledge
Difficulty: Medium

127. List and explain briefly the phases of an internal control evaluation.
Phase 1: Understanding and documenting the client's internal control structure. This phase
includes a general knowledge of the control environment, including the identification of entity
level controls. In addition, the auditor should gain an understanding of the flow of
transactions through the accounting system and document this understanding using a
questionnaire, narrative descriptions and perhaps flowcharts.
Phase 2: Assessing the control risk on a preliminary basis. At this point of the process, the
strengths and weaknesses of the system are analyzed and should be documented in a bridge
workpaper. A preliminary assessment of internal controls is completed. At this point, a
decision is made as to which controls are going to be tested and a required degree of
compliance is determined.
Phase 3: Performing tests of controls audit procedures and reassessing control risk. When the
audit team determines that a specific control activity could have a significant effect in
reducing control risk to a low level for a specific assertion, they perform tests of that control
activity to obtain specific audit evidence about the effectiveness of the design or operation of
that control activity. At this point, the actual degree of compliance is compared with the
required degree of compliance. The audit team then must determine the final assessment of
control risk and then determine whether any changes to the substantive testing plan must be
made.

AACSB: Analytic
AICPA BB: Legal
AICPA FN: Risk Analysis
Bloom's: Comprehension
Difficulty: Medium

128. What are some of the problems in establishing an internal control system in a small
business?
Internal control problems in a small business would include:
A. Separation of functional responsibilities would be difficult because of the small number of
employees.
B. The owner-manager has to assume a greater role to oversee and supervise authorization,
recordkeeping, and custodial functions.
C. The owner-manager must be diligent, competent, and have a high degree of integrity.

AACSB: Analytic
AICPA BB: Critical Thinking
AICPA FN: Risk Analysis
Bloom's: Application
Difficulty: Medium

129. The Sunny Company is computerizing its accounting function. It would like to separate
the duties of the systems analyst, programmer, and computer operator by hiring three different
people for these jobs. However, they can only afford to hire two people.
Required: A. Briefly describe the functions of the systems analyst, programmer, and computer
operator.
B. If Sunny Company can afford only two positions, which two of the three would you
combine into one job? Explain.
A. A systems analyst evaluates the existing system and designs new or improved data
processing. This includes outlining the system and providing guidelines for the programmer.
The programmer flowcharts, codes, and documents the application. The computer operator
operates the computer based on written instructions.
B. It would be best to combine the functions of the systems analyst and programmer. The
programmer has intimate knowledge of the program. The programmer could write code that
could be used during computer operations to manipulate data or assets for his or her benefit.
Therefore, the worst situation would be to combine the functions of the programmer and
computer operator. Another possibility would be to combine the responsibilities of the
systems analyst and computer operator. Though this may not be as severe a problem, the
systems analyst may still have special knowledge about the program and programming.

AACSB: Technology
AICPA BB: Leveraging Technology
AICPA FN: Leveraging Technology
Bloom's: Application
Difficulty: Hard

130. Explain the different opinions that auditors can issue for an entity's internal control over
financial reporting.
Auditors can issue the following opinions for an audit of an entity's internal control over
financial reporting:
Unqualified. No material weaknesses exist.
Disclaimer. The audit team cannot perform all of the procedures considered necessary and
therefore cannot issue an opinion.
Adverse opinion. One or more material weaknesses exist.

AACSB: Communication
AICPA BB: Legal
AICPA FN: Research
Bloom's: Knowledge
Difficulty: Medium

131. Auditors are required to obtain a sufficient understanding of an entity's internal control.
This understanding is required by the performance principle of GAAS.
Required: A. What are some of the goals (purposes) for conducting an evaluation of an
entity's internal control?
B. What audit work is required for an auditor to assess control risk below the "maximum"
level?
C. Should auditors always try to obtain enough evidence to assess control risk below the
"maximum" level? Explain.
A. The audit team has two primary reasons for conducting an evaluation of an entity's internal
control. First, Sarbanes-Oxley requires an audit of the effectiveness of internal control that is
an integrated part of the financial statement audit for publicly traded companies. The second
reason for evaluating an entity's internal control is to comply with the performance principle
of GAAS: To assess the risk of material misstatement to give the auditors a basis for planning
the audit and determining the nature, timing, and extent of audit procedures for the
substantive audit plan. The audit team assesses control risk.
B. If auditors assess control risk as "maximum" or 100 percent (i.e., poor control), they will
tend to perform a great deal of substantive procedures with large sample sizes (extent), at or
near the entity's fiscal year end (timing), using procedures designed to obtain high-quality
external evidence (nature). On the other hand, if auditors assess control risk as "low," usually
around 10 to 20 percent (i.e., effective control), they can perform fewer substantive
procedures with smaller sample sizes (extent), at an interim date before the entity's fiscal year
end (timing), using a mixture of procedures designed to obtain high-quality external evidence
and lower-quality internal evidence (nature). Of course, auditors may assess control risk
between "low" and "maximum" (e.g., "moderate," "high," or "slightly below maximum") and
adjust the substantive procedures accordingly.
C. No. There may be occasions when the audit team chooses to test everything substantively
rather than relying on internal controls to reduce substantive testing. For example, for fixed
assets, there are usually a small number of very material transactions. Testing controls would
not be efficient if the audit team is going to examine every transaction anyway.

AACSB: Analytic
AICPA BB: Critical Thinking
AICPA FN: Risk Analysis
Bloom's: Application
Difficulty: Hard

132. What are the six steps auditors of public companies should use to audit internal control
over financial reporting (ICOFR)?
1. Planning the engagement
2. Using a top-down approach to gain an understanding
3. Testing controls
4. Evaluating control deficiencies
5. Wrapping up: forming an opinion on the effectiveness of internal control over financial
reporting
6. Reporting on internal control

AACSB: Analytic
AICPA BB: Legal
AICPA FN: Research
Bloom's: Knowledge
Difficulty: Medium

133. What constitutes a material weakness?


A material weakness in internal control is defined as a deficiency, or combination of
deficiencies, that results in a reasonable possibility that a material misstatement would not be
prevented or detected on a timely basis. The following circumstances should be regarded as
strong indicators that a material weakness exists:
Restatement of previously issued financial statements to reflect the correction of a
misstatement.
Evidence of material misstatements (caught by the audit team) that were not prevented or
detected by the client's internal controls.
Ineffective oversight of the financial reporting process by the entity's audit committee.
Indication of fraud (either material or immaterial) by senior management.

AACSB: Analytic
AICPA BB: Legal
AICPA FN: Research
Bloom's: Knowledge
Difficulty: Medium

134. What is the difference between a significant deficiency and a material weakness?
The difference between a significant deficiency and a material weakness is the (1) likelihood
and (2) materiality that a potential (or actual) misstatement would not be detected on a timely
basis.

AACSB: Analytic
AICPA BB: Legal
AICPA FN: Research
Bloom's: Knowledge
Difficulty: Medium

Question is also Found in Study Guide

135. Each of the five cases illustrates specific control activities from a client's revenue cycle
(accounts receivable/sales). For each of the procedures, (a) identify which management
assertions apply, and (b) what potential category of errors and frauds can be prevented.

AACSB: Analytic
AICPA BB: Critical Thinking
AICPA FN: Risk Analysis
Bloom's: Application
Difficulty: Hard
