Chapter 7 Internal Control

True/False Questions

1. Internal control is concerned with the reliability of financial information.

Answer: True Difficulty: Easy

2. The Foreign Corrupt Practices Act prohibits bribes to foreign corporate officials to
obtain business.

Answer: False Difficulty: Hard

3. Incompatible duties exist when an employee is in a position to perpetrate and conceal

errors or fraud.

Answer: True Difficulty: Easy

4. Internal auditors should preferably report to the chief accounting officer of the
company.

Answer: False Difficulty: Medium

5. Well-designed internal control will prevent fraud by top management.

Answer: False Difficulty: Medium

6. CPA firms may use written narratives to describe internal control in their audit
working papers.

Answer: True Difficulty: Easy

7. The communication of reportable conditions about a client's internal control should be

addressed only to senior management of the company.

Answer: False Difficulty: Medium

8. If the auditors' assessment of the design of internal control reveals that it cannot be
relied upon, the auditors are not required to prepare any documentation of internal
control for their working papers.

Answer: False Difficulty: Medium

Whittington/Pany, Principles of Auditing and Other Assurance Services, Fourteenth Edition 95

Chapter 7 Internal Control

9. The relatively low number of types of transactions incurred by small firms makes the
segregation of duties impossible.

Answer: False Difficulty: Easy

10. CPAs are required to assess the operating effectiveness of most significant accounting
oriented controls.

Answer: False Difficulty: Medium

Multiple Choice Questions

11. Which of the following matters would an auditor most likely consider to be a
reportable condition to be communicated to the audit committee?
A) Management's failure to renegotiate unfavorable long-term purchase
commitments.
B) Recurring operating losses that may indicate going concern problems.
C) Evidence of a lack of objectivity by those responsible for accounting decisions.
D) Management's current plans to reduce its ownership equity in the entity.

Answer: C Difficulty: Medium Source: AICPA

12. In assessing the objectivity of a client's internal auditors, the CPA would be most
likely to consider internal auditor.
A) Education levels.
B) Experience.
C) Organizational status within the company.
D) Training and supervisory skills.

Answer: C Difficulty: Medium

13. What needs to be documented when control risk is assessed below the maximum
level?
Understanding of IC Assessed Level Basis for Assessment
A) Yes Yes Yes
B) Yes Yes No
C) Yes No Yes
D) Yes No No

Answer: C Difficulty: Hard

96 Whittington/Pany, Principles of Auditing and Other Assurance Services, Fourteenth Edition

Chapter 7 Internal Control

14. After obtaining an understanding of internal control and arriving at a planned assessed
level of control risk, an auditor decided to perform tests of controls. The auditor most
likely decided that:
A) Additional evidence to support a reduction in the assessed level of control risk is
not available.
B) An increase in the assessed level of control risk is justified for certain financial
statement assertions.
C) It would be efficient to perform tests of controls that would result in a reduction in
planned substantive tests.
D) There were many internal control deficiencies that would allow misstatements to
enter the accounting system.

Answer: C Difficulty: Hard Source: AICPA

15. Which of the following is least likely to be evidence on operating effectiveness?

A) Cancelled supporting documents.
B) Confirmations of accounts receivable.
C) Records documenting usage of computer programs.
D) Signatures on authorization forms.

Answer: B Difficulty: Hard

16. Which of the following is not ordinarily a procedure for documenting an auditor's
understanding of internal control for planning purposes?
A) Checklist.
B) Flowchart.
C) Questionnaire.
D) Confirmation.

Answer: D Difficulty: Easy

17. Tests of controls do not ordinarily address:

A) By whom a control was applied.
B) How a control was applied.
C) The consistency with which a control was applied.
D) The cost effectiveness of the way a control was applied.

Answer: D Difficulty: Hard

Whittington/Pany, Principles of Auditing and Other Assurance Services, Fourteenth Edition 97

Chapter 7 Internal Control

18. Which is most likely when the assessed level of control risk increases?
A) Change from performing substantive tests at year-end to an interim date.
B) Perform substantive tests directed inside the entity rather than tests directed
toward parties outside the entity.
C) Use the maximum number of dual purpose tests.
D) Use a larger sample size for substantive tests.

Answer: D Difficulty: Medium

19. Which is correct concerning a CPA's communication of control related matters to the
audit committee?
A) Material weaknesses, and not reportable conditions must be communicated.
B) Reportable conditions must be communicated, and the auditor must indicate
whether they are also material weaknesses.
C) Reportable conditions must be communicated, and the auditor need not indicate
whether they are also material weaknesses.
D) The CPA only needs to communicate material weaknesses that do not qualify as
reportable conditions.

Answer: C Difficulty: Medium

20. A client's internal control appears strong, but the CPA has chosen not to test it. The
planned assessed level of control risk is at what level?
A) Zero.
B) Low.
C) Moderate.
D) Maximum.

Answer: D Difficulty: Hard

21. Which of the following would be least likely to be regarded as a test of a control?
A) Tests of the additions to property by physical inspection.
B) Tests of the signatures on cancelled checks to the authorized check signer list.
C) Tests of signatures on purchase orders.
D) Recalculation of payroll deductions.

Answer: A Difficulty: Hard

98 Whittington/Pany, Principles of Auditing and Other Assurance Services, Fourteenth Edition

Chapter 7 Internal Control

22. Which of the following is not considered one of the five major components of internal
control?
A) Risk assessment.
B) Segregation of duties.
C) Control activities.
D) Monitoring.

Answer: B Difficulty: Medium

23. Which of the following statements is correct concerning the auditors' understanding of
internal control needed by auditors to plan the audit?
A) The auditors must understand the information system, not the accounting system.
B) The auditors must understand monitoring and all preliminary accounting controls.
C) The auditors must understand the control environment, the information system,
and must use judgment as to the control activities which must be considered.
D) The auditors must understand the control environment, risk assessment, and all
control activities.

Answer: C Difficulty: Hard

24. The effectiveness of controls is not generally tested by:

A) Inspection of documents and reports.
B) Performance of analytical procedures.
C) Observation of the application of accounting policies and procedures.
D) Inquiries of appropriate client personnel.

Answer: B Difficulty: Medium

25. On financial statement audits, it is required that the auditor obtain an understanding of
internal control, including:
A) Its operating effectiveness.
B) Whether it has been placed in operation.
C) Performing tests of controls for all material controls.
D) Its ability to provide reasonable assurance.

Answer: B Difficulty: Medium

Whittington/Pany, Principles of Auditing and Other Assurance Services, Fourteenth Edition 99

Chapter 7 Internal Control

26. Which of the following would be of least interest to the auditors in considering
internal control?
A) Procedures that are concerned with the decision processes leading to
management's authorization of transactions.
B) Procedures restricting access to assets.
C) Procedures related to recording transactions.
D) Policies concerning the reconciliation of accounting records to existing assets.

Answer: A Difficulty: Medium

27. This organization developed a set of criteria that provide management with a basis to
evaluate controls not only over financial reporting, but also over the effectiveness and
efficiency of operations and compliance with laws and regulations:
A) Foreign Corrupt Practices Corporation.
B) Committee of Sponsoring Organizations.
C) Cohen Commission.
D) Financial Accounting Standards Board.

Answer: B Difficulty: Medium

28. Which statement is correct concerning the definition of internal control developed by
the Committee of Sponsoring Organizations (COSO)?
A) Its applicability is largely limited to internal auditing applications.
B) It is recognized in the Statements on Auditing Standards.
C) It emphasizes the effectiveness and efficiency of operations over the reliability of
financial reporting.
D) It suggests that it is important to view internal control as an end product as
contrasted to a process or means to obtain an end.

Answer: B Difficulty: Hard

29. The definition of internal control developed by the Committee of Sponsoring

Organizations (COSO) includes the reliability of financial reporting, the effectiveness
and efficiency of operations, and:
A) Compliance with applicable laws and regulations.
B) Effectiveness of prevention of fraudulent occurrences.
C) Safeguarding of entity assets.
D) Incorporation of ethical business practice standards.

Answer: A Difficulty: Medium

100 Whittington/Pany, Principles of Auditing and Other Assurance Services, Fourteenth Edition
Chapter 7 Internal Control

30. Which statement is correct concerning the relevance of various types of controls to a
financial statement audit?
A) An auditor may ordinarily ignore a consideration of controls when a substantive
audit approach is used.
B) Controls over the reliability of financial reporting are ordinarily most directly
relevant to an audit, but other controls may also be relevant.
C) Controls over safeguarding assets and liabilities are of primary importance, while
controls over the reliability of financial reporting may also be relevant.
D) All controls are ordinarily relevant to an audit.

Answer: B Difficulty: Hard

31. Which of the following is not a component of the control environment?

A) Integrity and ethical values.
B) Risk assessment
C) Commitment to competence.
D) Organizational structure.

Answer: B Difficulty: Medium

32. Which of the following is not ordinarily considered a factor indicative of increased
financial reporting risk when an auditor is considering a client's risk assessment
policies?
A) Commissioned sales personnel.
B) Implementation of a new information system.
C) Rapid growth of the organization.
D) Corporate restructuring.

Answer: A Difficulty: Hard

33. The Sarbanes-Oxley Act of 2002 requires that the audit committee:
A) Annually reassess control risk using information from the CPA firm.
B) Be directly responsible for the appointment, compensation and oversight of the
work of the CPA firm.
C) Require that the company’s CPA firm rotate the partner in charge of the audit.
D) Review the level of management compensation.

Answer: B Difficulty: Medium

Whittington/Pany, Principles of Auditing and Other Assurance Services, Fourteenth Edition 101
Chapter 7 Internal Control

34. When tests of controls reveal that controls are operating as anticipated, it is most likely
that the assessed level of control risk will:
A) Be less than the planned assessed level of control risk.
B) Equal the planned assessed level of control risk.
C) Equal the actual control risk.
D) Be less than the actual control risk.

Answer: B Difficulty: Hard

35. Under which circumstance is it likely that the extent of substantive procedures will be
expanded beyond that anticipated in the audit plan?
A) The auditors have determined that controls have been placed in operation but, in
accordance with the audit plan, have performed no tests of controls.
B) Certain controls do not leave a trail of documentary evidence.
C) Deviation rates were greater than zero and approached anticipated levels.
D) The operating effectiveness of certain controls was found to be less than expected,
although no material misstatements were identified.

Answer: D Difficulty: Hard

36. The provisions of the Foreign Corrupt Practices Act apply to:
A) All U.S. corporations.
B) All U.S. corporations that engage in foreign operations.
C) All corporations that must file under the Securities Exchange Act of 1934.
D) All U.S. partnerships and corporations.

Answer: C Difficulty: Medium

37. If the auditors do not perform tests of controls for certain assertions:
A) They have performed a substandard audit.
B) They are not required to communicate reportable conditions relating to those
accounts to management and the board of directors.
C) They must issue a qualified opinion.
D) They must assess control risk at the maximum level for those assertions.

Answer: D Difficulty: Medium

102 Whittington/Pany, Principles of Auditing and Other Assurance Services, Fourteenth Edition
Chapter 7 Internal Control

38. During financial statement audits, the auditors' consideration of their clients' internal
control is integral to both assessing control risk and to:
A) Assessing inherent risk.
B) Planning the audit.
C) Assessing compliance with the Foreign Corrupt Practices Act.
D) Providing a reasonable basis for an opinion on compliance with applicable laws.

Answer: B Difficulty: Easy

39. Which of the following comes closest to outlining the auditors' responsibility for
considering internal control in all financial statement audits?
A) An understanding of the control environment, information and communication,
risk assessment and monitoring is necessary; an understanding of control activities
is only necessary for areas in which the auditor is performing tests of controls.
B) The auditor must obtain an understanding of each of the five internal control
components sufficient to plan the audit.
C) When tests of controls have been performed, control risk must be assessed at a
level less than the maximum.
D) An understanding of the control environment is necessary, but no understanding of
the other components is necessary unless control risk is to be assessed at a level
less than the maximum.

Answer: B Difficulty: Medium

40. In the consideration of internal control, the effectiveness of the design of controls is
tested by:
A) Flowcharts.
B) Tests of controls.
C) Substantive tests.
D) Decision tables.

Answer: B Difficulty: Easy

41. A significant deficiency in the design or functioning of internal control that could
adversely affect an organization's ability to record, process, summarize, and report
financial date is referred to as a(an):
A) Material weakness in internal control.
B) Inherent limitation of internal control.
C) Management override.
D) Reportable condition.

Answer: D Difficulty: Medium

Whittington/Pany, Principles of Auditing and Other Assurance Services, Fourteenth Edition 103
Chapter 7 Internal Control

42. For good internal control, which of the following functions should not be assigned to
the company's accounting department?
A) Reconciling accounting records with existing assets.
B) Recording financial transactions.
C) Signing payroll checks.
D) Preparing financial reports.

Answer: C Difficulty: Medium

43. Which of the following is not a responsibility that should be assigned to a company's
internal audit department?
A) Evaluating internal control.
B) Approving disbursements.
C) Reporting on the effectiveness of operating segments.
D) Investigating potential merger candidates.

Answer: B Difficulty: Hard

44. Which of the following is true about the auditors' consideration of internal control?
A) The auditors must assess control risk at a level lower than the maximum.
B) The auditors must prepare a flowchart description of internal control for their
working papers.
C) The auditors must obtain an understanding of the steps in processing major types
of transactions.
D) The auditors must perform tests of controls.

Answer: C Difficulty: Medium

45. Which of the following is an advantage of describing internal control through the use
of a standardized questionnaire?
A) Questionnaires highlight weaknesses in the system.
B) Questionnaires are more flexible than other methods of describing internal control.
C) Questionnaires usually identify situations in which internal control weaknesses are
compensated for by other strengths in the system.
D) Questionnaires provide a clearer and more specific portrayal of a client's system
than other methods of describing internal control.

Answer: A Difficulty: Medium

104 Whittington/Pany, Principles of Auditing and Other Assurance Services, Fourteenth Edition
Chapter 7 Internal Control

46. Which of the following is not a factor that is considered in evaluating a client's overall
control environment?
A) The organizational structure.
B) The information system.
C) Management philosophy and operating style.
D) Board of directors.

Answer: B Difficulty: Medium

47. Which of the following would be least likely to be considered a benefit of effective
internal control?
A) Eliminating all employee fraud.
B) Restricting access to assets.
C) Detecting ineffectiveness.
D) Ensuring authorization of transactions.

Answer: A Difficulty: Medium

48. After documenting the client's prescribed internal control, the auditors will often
perform a walk-through of each transaction cycle. An objective of a walk-through is
to:
A) Verify that the controls have been placed in operation.
B) Replace tests of controls.
C) Evaluate the major strengths and weaknesses in the client's structure.
D) Identify weaknesses to be communicated to management in the management letter.

Answer: A Difficulty: Medium

49. The major components of internal control include all of the following, except:
A) Risk assessment.
B) The control environment.
C) Internal auditing.
D) Control activities.

Answer: C Difficulty: Medium

Whittington/Pany, Principles of Auditing and Other Assurance Services, Fourteenth Edition 105
Chapter 7 Internal Control

50. Which of the following is correct with respect to internal control related matters
discovered during an audit?
A) Auditors must communicate and identify as such all material weaknesses in
internal control.
B) All material weaknesses in internal control are also reportable conditions.
C) All such matters must be communicated to the audit committee and regulatory
agencies.
D) Auditors must re-communicate all prior year matters which were not corrected.

Answer: B Difficulty: Hard

51. After considering the client's internal control the auditors have concluded that it is
well designed and is functioning as anticipated. Under these circumstances the
auditors would most likely:
A) Cease to perform further substantive tests.
B) Reduce substantive tests in areas where the internal control was found to be
effective.
C) Increase the extent of anticipated analytical procedures.
D) Perform all tests of controls to the extent outlined in the preplanned audit program.

Answer: B Difficulty: Easy Source: AICPA

52. The use of fidelity bonds protects a company from embezzlement loses and also:
A) Minimizes the possibility of employing persons with dubious records in positions
of trust.
B) Reduces the company's need to obtain expensive business interruption insurance.
C) Allows the company to substitute the fidelity bonds for various parts of internal
control.
D) Protects employees who made unintentional errors from possible monetary
damages resulting from such errors.

Answer: A Difficulty: Medium Source: AICPA

53. The independent auditors might consider the procedures performed by the internal
auditors because:
A) They are employees whose work must be reviewed during substantive testing.
B) They are employees whose work might affect the independent auditors’ work.
C) Their work impacts upon the cost/benefit tradeoff in evaluating inherent
limitations.
D) Their degree of independence may be inferred by the nature of their work.

Answer: B Difficulty: Medium Source: AICPA

106 Whittington/Pany, Principles of Auditing and Other Assurance Services, Fourteenth Edition
Chapter 7 Internal Control

54. In the consideration of internal control the operating effectiveness of controls is tested
by:
A) Flowcharts.
B) Tests of controls.
C) Substantive tests.
D) Decision tables.

Answer: B Difficulty: Easy Source: AICPA

55. The auditors who become aware of an internal control reportable condition are
required to communicate this to the:
A) Audit committee and client's legal counsel.
B) Board of directors and internal auditors.
C) Audit committee.
D) Internal auditors and senior management.

Answer: C Difficulty: Medium Source: AICPA

56. In general, a material internal control weakness may be defined as a condition in

which material misstatements due to errors or fraud would ordinarily not be detected
within a timely period by:
A) An auditor during the normal assessment of the system of internal control.
B) A controller when reconciling accounts in the general ledger.
C) Employees in the normal course of performing their assigned functions.
D) The chief financial officer when reviewing interim financial statements.

Answer: C Difficulty: Easy Source: AICPA

57. To provide for the greatest degree of independence in performing internal auditing
functions, an internal auditor most likely should report to the:
A) Financial vice-president.
B) Corporate controller.
C) Board of directors.
D) Corporate stockholders.

Answer: C Difficulty: Medium Source: AICPA

Whittington/Pany, Principles of Auditing and Other Assurance Services, Fourteenth Edition 107
Chapter 7 Internal Control

58. Well-designed internal control that is functioning effectively is most likely to detect an
fraud arising from:
A) The fraudulent action of several employees.
B) The fraudulent action of an individual employee.
C) Informal deviations from the official organization chart.
D) Management fraud.

Answer: B Difficulty: Medium Source: AICPA

59. The program flowcharting symbol representing a decision is a:

A) Triangle.
B) Circle.
C) Rectangle.
D) Diamond.

Answer: D Difficulty: Medium Source: AICPA

60. Controls are not designed to provide assurance that:

A) Transactions are executed in accordance with management's authorization.
B) Fraud will be eliminated.
C) Access to assets is permitted only in accordance with management's authorization.
D) The recorded accountability for assets is compared with the existing assets at
reasonable intervals.

Answer: B Difficulty: Medium Source: AICPA

61. The scope of substantive tests as compared to the scope of tests of controls generally
vary:
A) In a parallel manner.
B) Inversely.
C) Directly.
D) Equally.

Answer: B Difficulty: Medium Source: AICPA

108 Whittington/Pany, Principles of Auditing and Other Assurance Services, Fourteenth Edition
Chapter 7 Internal Control

62. A primary purpose of the auditor's consideration of internal control is to provide a

basis for:
A) Determining whether procedures and records that are concerned with the
safeguarding of assets are reliable.
B) Constructive suggestions to clients concerning improvements in internal control.
C) Determining the nature, extent, and timing of audit tests to be applied.
D) The expression of an opinion on compliance with laws and regulations.

Answer: C Difficulty: Medium Source: AICPA

63. Which of the following audit tests would be regarded as a test of a control?
A) Tests of the specific items making up the balance in a given general ledger
account.
B) Tests confirming receivables.
C) Tests of the signatures on canceled checks to board of director's authorizations.
D) Tests of the additions to property, plant, and equipment by physical inspection.

Answer: C Difficulty: Medium Source: AICPA

64. If the independent auditors decide that the work performed by the internal auditors
may have a bearing on their own procedures, they should consider the internal
auditors’:
A) Competence and objectivity.
B) Efficiency and experience.
C) Independence and review skills.
D) Training and supervisory skills.

Answer: A Difficulty: Medium Source: AICPA

65. In the consideration of internal control, the auditor is basically concerned that it
provides reasonable assurance that:
A) Management can not override the system.
B) Operational efficiency has been achieved in accordance with management plans.
C) Misstatements have been prevented or detected.
D) Controls have not been circumvented by collusion.

Answer: C Difficulty: Medium Source: AICPA

Whittington/Pany, Principles of Auditing and Other Assurance Services, Fourteenth Edition 109
Chapter 7 Internal Control

66. Which of the following is intended to detect deviations from prescribed controls?
A) Substantive tests specified by a standardized audit program.
B) Tests of controls designed specifically for the client.
C) Analytical procedures as designed in the industry audit guide.
D) Computerized analytical procedures tailored for the configuration of the computer
equipment in use.

Answer: B Difficulty: Medium Source: AICPA

67. An auditor's purpose for performing tests of controls is to provide reasonable

assurance that:
A) Controls are operating effectively.
B) The risk that the auditor may unknowingly fail to modify the opinion on the
financial statements is minimized.
C) Transactions are executed in accordance with management's authorization and
access to assets is limited by a segregation of functions.
D) Transactions are recorded as necessary to permit the preparation of the financial
statements in conformity with generally accepted accounting principles.

Answer: A Difficulty: Medium Source: AICPA

68. Of the following statements about internal control, which one is not valid?
A) No one person should be responsible for the custodial responsibility and the
recording responsibility for an asset.
B) Transactions must be properly authorized before such transactions are processed.
C) Because of the cost/benefit relationship, a client may apply control procedures on
a test basis.
D) Control activities reasonably insure that collusion among employees can not occur.

Answer: D Difficulty: Easy Source: AICPA

69. Tests of controls are performed in order to determine whether:

A) Controls are functioning as designed.
B) Necessary controls are absent.
C) Incompatible functions exist.
D) Material dollar errors exist.

Answer: A Difficulty: Easy Source: AICPA

110 Whittington/Pany, Principles of Auditing and Other Assurance Services, Fourteenth Edition
Chapter 7 Internal Control

70. Tests of controls are most likely to be performed when:

A) Controls seem weak and must be properly documented.
B) Inadequate substantive tests exist to restrict audit risk to an acceptable level.
C) The auditor wishes to assess control risk at the maximum.
D) The client’s control environment appears strong.

Answer: B Difficulty: Hard

71. Which of the following statements is correct concerning the auditor's required
communication of internal control reportable conditions?
A) If the auditor does not become aware of an reportable conditions during the
examination, that fact must be communicated.
B) Reportable conditions reported at interim dates should be tested for correction
before completion of the engagement.
C) Although written communication is preferable, the auditor may orally
communicate the findings.
D) Reportable conditions reported at interim dates must be repeated in the
communication at the completion of the engagement.

Answer: C Difficulty: Hard Source: AICPA

Whittington/Pany, Principles of Auditing and Other Assurance Services, Fourteenth Edition 111
Chapter 7 Internal Control

Essay Questions

72. Independent auditors should consider the work of internal auditors in their assessment
of control risk.
a. Are internal auditors independent of management? Explain.
b. What is the difference between the primary objective of the independent auditors
and that of internal auditors? Explain.
c. Discuss the factors that should be considered by the independent auditors in
deciding how much, if any, reliance should be placed on the work of the internal
auditors.

Difficulty: Hard

Answer:
a. No. However, internal auditors may achieve independence from departments they
evaluate by reporting to a senior officer or the board of directors.
b. The independent auditors' objective is to express an opinion on the client's
financial statements. The internal auditors' primary objective is to aid
management in achieving the most efficient and effective administration of the
business.
c. In deciding the degree of reliance to be placed on the work of the internal auditors,
the independent auditors should consider the competence and objectivity of the
internal auditors, and evaluate their work.

73. Auditors are required to consider a client's internal control.

a. Describe the two purposes of the auditors' consideration of a client's internal
control.
b. Even the best internal control has certain limitations. List three of those
limitations.

Difficulty: Medium

Answer:
a. The auditors' consideration of their clients' internal control is integral to both (1)
the planning of the audit and (2) the assessing of control risk.
b. The limitations of internal control include (only three required):
 Carelessness.
 Misunderstanding of instructions.
 Top management may override the system
 Collusion among employees may circumvent controls dependent upon
segregation of duties.
 Cost considerations often limit the effectiveness of the design of the
structure.

112 Whittington/Pany, Principles of Auditing and Other Assurance Services, Fourteenth Edition
Chapter 7 Internal Control

74. When considering a client's internal control, the auditors focus on its various
characteristics. For each of the following characteristics indicate the auditors'
responsibility under in generally accepted auditing standards and the procedures used
to meet that responsibility.
a. The design of internal control.
b. Controls placed in operation.
c. The operating effectiveness of controls.

Difficulty: Medium

Answer:
a. The auditors have a responsibility to obtain an understanding of internal control
that is sufficient to plan the audit. An understanding of the design of the structure
is obtained by inspecting control manuals, organization charts, and job
descriptions, and by interviewing client personnel.
b. The auditors have a responsibility to determine whether internal control policies
and procedures are placed in operation in every audit. The auditors may determine
whether the controls have been placed in operation by observation, inspection, and
inquiry. Walk-through tests may also be used.
c. The auditors have a responsibility to determine the operating effectiveness of
controls that provide the basis for the auditors' assessment of control risk at levels
below the maximum. The auditors use observation, inspection, inquiry, and
reperformance to test the operating effectiveness of controls.

Whittington/Pany, Principles of Auditing and Other Assurance Services, Fourteenth Edition 113
Chapter 7 Internal Control

75. Assume that you have assessed inherent risk for an audit area at a very high level.
While obtaining an understanding of internal control, you have determined that it
appears to be very strong. Nonetheless, due to the large number of transactions
involved, you have chosen not to test controls in the area.
a. At what level will the planned assessed level of control risk be established?
b. Describe the scope of tests of controls that will be performed.
c. At what level will the assessed level of control risk be established?
d. What must be documented in the working papers relating to internal control?
e. At what level will detection risk be established?
f. Describe the required scope of substantive tests, if any. Make certain to discuss
details of likely nature, timing and extent.

Difficulty: Hard

Answer:
a. Maximum, High or Highest.
b. None will be performed (because control risk is being assessed at the maximum
level).
c. Maximum, High or Highest
d. Control risk assessed at maximum (or high or highest) level. The auditor need not
document the reason for assessing control risk at the maximum (we delete points
from scores of students who state that the auditor needs to document the reason).
e. Minimum, low, or lowest
f. Nature--External sources rather than internal Timing--Year-end testing rather than
interim testing. Extent--Greatest extent

114 Whittington/Pany, Principles of Auditing and Other Assurance Services, Fourteenth Edition