Comprehensive Reviewer in Auditing and Assurance Principles
55 B | An audit is conducted to check if statements are in accordance with the financial standards and does not necessarily mean accuracy.
56 | Fraudulent financial reporting usually has to do with overstating revenues and assets.
57 D | This increases control risk.
58 B | All of the choices provided pertain to req misstated financial statements; poor internal control structure, however, does not necessarily mean the financial statement is materially misstated.
59 A | Low employee turnover means that the business is acting normal.
60 A | Most likely an error in management but does not necessarily mean the financial statement is incorrect.

CHAPTER 5:
STUDY AND EVALUATION OF INTERNAL CONTROLS

AUDITING STANDARD REFERENCE(S):
PSA 315 (Revised) - Identifying and Assessing the Risks of Material Misstatements through Understanding the Entity and its Environment
PSA 265 - Communicating Deficiencies in Internal Control to Those Charged with Governance and Management

> The next stage is to analyze the level of control risk after the auditor has determined the target level of audit risk and assessed the level of inherent risk.
  * Control risk is the process of analyzing an entity's internal control in terms of how it prevents or detects major misstatements in the financial statements, as well as its design and operational effectiveness. As a result of a series of events, a conclusion has been reached.

Definition of Internal Control
> The process devised, implemented, and maintained by those charged with governance, management, and other personnel in order to provide reasonable assurance that an entity's objectives will be met.

Nature of Internal Control
> When a company is small, its owner or management can do or oversee all of its functions individually. However, as the company grows, it becomes vital to assign personnel functional duties. After that, measures must be put in place to allow employees' performance to be monitored and ensure that they are executing their obligations as intended.

PSA 315 states that:
Internal control is a process designed and effected by those charged with governance, management and other personnel to provide reasonable assurance about the achievement of the entity's objectives with regard to reliability of financial reporting, effectiveness and efficiency of operations and compliance with applicable laws and regulations.

This description encapsulates four key concepts:
> Internal control is a process.
  Internal control is a tool for attaining the organization's goals, not an end in itself.
> Internal control is effected by those charged with governance, management and other personnel.
  People at all levels of the organization are responsible for internal control, which includes management, those charged with governance, and staff personnel:
  ✓ Management - to aid in the achievement of the entity's objectives by designing, implementing, and maintaining internal control.
  ✓ Those charged with governance - through management's control, to assure the integrity of accounting and financial reporting systems.
  ✓ Staff personnel - must carry out their individual responsibilities in order to achieve the entity's goals.
> Internal control can be expected to provide reasonable assurance of achieving the entity's objectives.
  + This is due to inherent limitations of any system of internal control: although internal control is designed to prevent, detect and correct problems, an effective internal control can only minimize but not eliminate material misstatements, whether due to fraud or error.
  + Inherent limitations commonly include:
    ✓ Management overriding the internal control.
    ✓ Circumvention of internal controls through the collusion among employees.
    ✓ The cost-benefit relationship is a primary criterion in designing internal control, that is, the cost of a control should not exceed its expected benefits. This is known as the concept of reasonable assurance.
    ✓ Most internal controls tend to be directed at routine transactions rather than non-routine transactions.
    ✓ The potential for human error due to carelessness, distraction, mistakes of judgment and the misunderstanding of instructions. Human error may include errors in the design or use of automated controls.
    ✓ The possibility that procedures may become inadequate due to changes in conditions, and compliance with procedures may deteriorate.
    ✓ Segregation of duties may be difficult to achieve in a small entity.
> Internal control is designed to help achieve the entity's objectives.
  Internal control is focused on achieving the objective of the organization. These objectives are categorized as follows: (F.O.C.)
  ✓ Financial reporting objective
    - This objective relates to reliability of financial reporting.
    - The auditor is solely interested in those policies and procedures within the accounting and internal control systems that are significant in the financial statement assertions. Therefore, the objective that is most relevant to the audit is the financial reporting objective.
  ✓ Operational effectiveness objective - this objective is intended to enhance effectiveness and efficiency of operations.
  ✓ Compliance objective - this objective relates to the entity's compliance with applicable laws and regulations.

NOTE:
> Operational and compliance objectives may be relevant to the audit only if they are related to data that the auditor examines in order to verify the credibility of certain financial statement assertions.
> There is a direct relationship between the entity's objectives and the internal control it implements to provide reasonable assurance about their achievement. Both the entity's objectives and controls relate to financial reporting, operations and compliance.
> For instance, those controls pertaining to detecting non-compliance with laws and regulations that may have a direct and material effect on the financial statements, such as controls over compliance with income tax laws and regulations used to determine the income tax provisions, may be relevant.

Classification of internal control
> According to objectives:
  * Financial reporting controls
    ✓ Controls to achieve reliability of financial reporting objective.
  * Operational effectiveness controls
    ✓ Controls to achieve operational effectiveness objective.
  * Compliance controls
    ✓ Controls to achieve compliance objective.
> According to functions:
  * Preventive controls
    ✓ To deter problems before they arise, which include:
      + Segregation of employee duties.
      + Control of physical access to assets, facilities and information.
  * Detective controls
    ✓ To discover problems as they arise, which include:
      + Preparing bank reconciliation
      + Preparing monthly trial balance
  * Corrective controls
    ✓ To remedy problems discovered with detective controls, which include:
      + Maintaining backup copies of transactions and master files.

Benefits of strong internal control:
✓ Reduced cost of an external audit
✓ Availability of reliable data for decision-making purposes
✓ Protection of important documents and records
✓ Assurance of compliance with applicable laws and regulations

Internal control objective relevant to the audit
> Not all of an entity's objectives and internal controls are relevant to the auditor's risk assessment:
  * Relevant to the auditor
    ✓ Financial reporting objective
      Reasons:
      + It is relevant to the financial statement assertions
      + Pertains to the management of risk that may give rise to material misstatement to financial statements
  * May be relevant to the auditor
    ✓ Operational and compliance objectives are not usually relevant to the audit but may be relevant to the auditor only if they relate to data the auditor evaluates to determine the reliability of some financial statement assertions.
    ✓ Examples of operational controls that are not normally relevant to the audit: production and staff scheduling, quality control, and employee compliance with health and safety requirements. However, these may be relevant to the audit if:
      + The information produced is used to develop an analytical procedure such as:
        - Controls pertaining to non-financial data that the auditor uses in analytical procedures, such as production statistics.
        - Controls pertaining to detecting non-compliance with laws and regulations that may have a direct and material effect on the financial statements, such as controls over compliance with income tax laws and regulations used to determine the income tax provision.
      + The information is required for disclosure in the financial statements such as:
        - Controls to ensure the accuracy of such data to produce statistics that were used as a basis for an analytical procedure.
        - Controls for detecting and reporting on non-compliance with certain laws and regulations that have a direct and material effect on the financial statements.

NOTE:
> Controls related to the safeguarding of assets often relate to both operations and financial reporting objectives.
> The auditor would generally consider only those controls related to financial reporting, such as controls that limit access to the programs used to process cash disbursements.

Components of Internal Control
> The interrelated components of internal control represent the means used by an entity to help achieve its objectives. (C.R.I.M.E.)
  * Control Environment
    ✓ Sets the overall tone of the company.
    ✓ The control environment encompasses management's and those in charge of governance's attitudes, awareness, and actions in relation to the entity's internal control and its significance.
    ✓ The control environment also encompasses governance and management functions, and it sets the tone for an organization through influencing people's control awareness. It provides discipline and structure and serves as the foundation for effective internal control.
    ✓ Factors involved in the control environment include:
      - Integrity and Ethical Values
        + The entity should establish ethical standards. Ethical standards influence the effectiveness of the design, administration and monitoring of controls.
        + Active participation of those charged with governance through assignment of audit committee in overseeing financial reporting policies and practices of the entity.
      - Management philosophy and operating cycle
        + Management's approach to taking and managing business risks, attitudes and actions toward financial reporting, and attitudes toward information processing and accounting functions and personnel.
      - Assignment of authority and responsibility
        + How authority and responsibility for operating activities are assigned and how reporting relationships and authorization hierarchies are established.
        + Appropriate methods of assigning responsibility must be implemented to avoid incompatible functions and to minimize the possibility of errors because of too much work load assigned to an employee.
      - Commitment to competence
        + Management's consideration of the competence levels for particular jobs and how those levels translate into requisite skills and knowledge.
        + Competence is the knowledge and skills necessary to accomplish tasks that define the individual's job.
      - Personnel or Human resource policies and procedures
        + The entity must implement appropriate policies for recruitment/hiring, orientation, training, evaluating, counseling, promoting, compensating, and remedial actions because the competence of the entity's employees will bear directly on the effectiveness of the entity's internal control.
      - Organizational structure
        + The framework within which an entity's activities for achieving its objectives are planned, executed, controlled and reviewed.
        + Establishing a relevant organizational structure includes considering key areas of authority and responsibility and appropriate lines of reporting.
        + The appropriateness of an entity's organizational structure depends, in part, on its size and the nature of its activities.
  * Risk Assessment
    ✓ The business objectives of the entity cannot be met without some risk.
    ✓ The risk that an entity's business objectives will not be met as a result of internal and external variables such as technology advancements, changes in client demand, and other economic shifts is referred to as business risk.
    ✓ Each entity must be aware of the risks it faces. Management should establish policies and procedures for identifying and analyzing risks to the entity's business, as well as taking appropriate action to mitigate those risks. The auditor is solely concerned with risks that are relevant to the preparation of reliable financial statements for auditing purposes.
    ✓ Matters the auditor should consider are how management:
      - Identifies business risks (inherent and residual risks) relevant to financial reporting;
      - Estimates the significance of the risks;
      - Assesses the likelihood of their occurrence; and
      - Decides upon actions to manage them.
  * Information and Communication System
    ✓ Timely information and communication are required for effective internal control.
    ✓ Communication involves providing an understanding of individual roles and responsibilities pertaining to internal control over financial reporting. Communication may take such forms as policy manuals and financial reporting manuals. Open communication channels help ensure that exceptions are reported and acted on.
    ✓ Accounting system means the series of tasks and records of an entity by which transactions are processed as a means of maintaining financial records. The tasks identify, assemble, analyze, calculate, classify, record, summarize and report transactions and other events.
    ✓ The procedures and records established to initiate, record, process, and report entity transactions (as well as events and conditions), as well as maintain accountability for the related assets and liabilities, make up the information system relevant to financial reporting objectives, which includes the financial reporting system.
    ✓ The auditor shall obtain an understanding of the information system, including the related business processes, relevant to financial reporting, including the following areas:
      - The classes of transactions in the entity's operations that are significant to the financial statements;
      - The procedures, within both information technology (IT) and manual systems, by which those transactions are initiated, recorded, processed, corrected as necessary, transferred to the general ledger and reported in the financial statements;
      - The related accounting records, supporting information and specific accounts in the financial statements that are used to initiate, record, process and report transactions; this includes the correction of incorrect information and how information is transferred to the general ledger. The records may be in either manual or electronic form;
      - How the information system captures events and conditions, other than transactions, that are significant to the financial statements;
      - The financial reporting process used to prepare the entity's financial statements, including significant accounting estimates and disclosures; and
      - Controls surrounding journal entries, including non-standard journal entries used to record non-recurring, unusual transactions or adjustments.
  * Monitoring the Controls
    ✓ Refers to the process that assesses the quality of internal control performance on an ongoing basis. Management's monitoring of controls includes considering whether they are operating as intended and that they are modified as appropriate for changes in conditions.
    ✓ Monitoring assesses the effectiveness of the internal control's performance over time. The objective is to ensure the controls are working properly and, if not, to take necessary corrective actions. Management accomplishes monitoring of controls through ongoing activities, separate evaluations or a combination of the two.
    ✓ Management's monitoring activities may also include using information from external parties such as complaints from customers or comments from regulatory bodies that may indicate problems, highlight areas in need of improvement, or require communications relating to internal control from external auditors.
  * Existing Control Activities
    ✓ Control activities are the policies and procedures that help ensure management's directives are carried out and that necessary steps to address risks are taken. Control activities address risks that if not mitigated would threaten the achievement of the entity's objectives.
    ✓ The auditor should obtain a sufficient understanding of control activities to assess the risks of material misstatement at the assertion level and to design further audit procedures responsive to assessed risks.
    ✓ Categories of specific control activities that may be relevant to an audit are as follows: (P.I.P.S.)
      - Performance reviews - includes review of the following:
        + Reviews and analyses of actual performance versus budgets, forecasts, and prior period performance.
        + Relating different sets of data to one another, together with analyses of the relationships and investigative and corrective actions (for example, the management of a sports team might use attendance data to ascertain the reasonableness of ticket sales).
        + Comparing internal data with external sources of information, and
        + Review of functional or activity performance (for example, sales reports, receivable reports, etc., may be used to analyze performance and to identify errors).
      - Information processing controls - ensure that transactions are valid, properly authorized, and completely and accurately recorded.
        + Application controls - controls which apply to the processing of individual applications. Examples of application controls:
          ✓ Checking the arithmetical accuracy of records
          ✓ Maintaining and reviewing accounts and trial balance
          ✓ Automated controls such as edit checks of input data and numerical sequence checks
          ✓ Manual follow-up of exception reports
          ✓ Controls surrounding receivables
          ✓ Controls surrounding payroll
        + General controls - controls that relate to many applications and support the effective functioning of application controls by helping to ensure the continued proper operation of information systems. General controls apply to information processing throughout the company. Examples of general controls:
          ✓ Program change controls
          ✓ Controls that restrict access to programs or data
          ✓ Controls over the implementation of new releases of packaged software applications
          ✓ Controls over system software that restrict access to or monitor the use of system utilities that could change financial data or records without leaving an audit trail
          ✓ Controls over data center/network
      - Physical controls - physical controls for safeguarding assets involve security devices and limited access to programs and to restricted areas, including computer facilities.
        + Physical segregation and security of assets including adequate safeguards such as secured facilities over access to assets and records. Examples of physical controls:
          ✓ Protective or security devices
          ✓ Bonded or independent custodians
          ✓ Physical security of assets:
            o Cash - placed in cash boxes, vault or safe deposit boxes
            o Cash - deposited in a bank
            o Inventory - placed in a warehouse
            o PPE items - tagged with non-movable labels
        + Authorization for access to computer programs and data files (for example, requiring password prior to access)
        + Authorized access to assets and records (such as through the use of computer access codes, prenumbered forms, and required signatures on documents for the removal or disposition of assets)
        + Required signatures on documents for the removal or disposition of assets
        + Periodic counting and comparison with amounts shown on control records such as:
          ✓ Comparing the results of cash, security and inventory counts with accounting records
          ✓ Reconciliations
        + The extent to which physical controls intended to prevent theft of assets are relevant to the reliability of financial statement preparation, and therefore the audit, depends on circumstances such as when assets are highly susceptible to misappropriation.
      - Segregation of duties - involves ensuring that individuals do not perform incompatible duties. Duties should be segregated such that the work of one individual provides a crosscheck on the work of another individual.
        + A proper segregation of duties (or incompatible functions) requires that one person should not be responsible for all phases of a transaction. It requires assigning different people the responsibilities of: (C.A.R.E.)
          o Custodianship of assets
          o Authorization of transactions
          o Record of transactions
          o Execution of transactions
        + Segregation of duties is intended to reduce the opportunities to allow any person to be in a position to both perpetrate and conceal errors or fraud in the normal course of the person's duties.
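
An added example, not part of the original text: a sketch of how the C.A.R.E. segregation described above can be checked automatically, first against access rights and then against what was actually done in a transaction log. The user names, process names, record layout and sample data are all constructed for illustration.

```python
from collections import defaultdict
from itertools import combinations

# The four duties the text says must be assigned to different people (C.A.R.E.).
CARE_DUTIES = ("custody", "authorization", "recording", "execution")


def entitlement_conflicts(grants):
    """Return {(user, process): [duty pairs]} for every user whose access
    rights cover two or more C.A.R.E. duties within the same process."""
    held = defaultdict(set)
    for user, process, duty in grants:
        if duty not in CARE_DUTIES:
            raise ValueError(f"unknown duty {duty!r}")
        held[(user, process)].add(duty)
    return {
        key: list(combinations(sorted(duties, key=CARE_DUTIES.index), 2))
        for key, duties in held.items()
        if len(duties) > 1
    }


def transaction_conflicts(transactions):
    """Return [(txn_id, person, duties)] where one person actually performed
    more than one phase of the same transaction."""
    findings = []
    for txn in transactions:
        by_person = defaultdict(list)
        for duty in CARE_DUTIES:
            person = txn.get(duty)
            if person:  # phases with no recorded actor are handled separately
                by_person[person].append(duty)
        for person, duties in sorted(by_person.items()):
            if len(duties) > 1:
                findings.append((txn["id"], person, tuple(duties)))
    return findings


def missing_actors(transactions):
    """Return [(txn_id, duties)] for transactions where a phase has no
    recorded actor, i.e. the phase left no audit trail to test."""
    findings = []
    for txn in transactions:
        gaps = tuple(d for d in CARE_DUTIES if not txn.get(d))
        if gaps:
            findings.append((txn["id"], gaps))
    return findings


# Constructed sample data: (user, process, duty) access grants.
GRANTS = [
    ("alice", "cash_disbursements", "authorization"),
    ("bob", "cash_disbursements", "recording"),
    ("bob", "cash_disbursements", "custody"),
    ("carol", "cash_disbursements", "execution"),
    ("bob", "payroll", "recording"),
    ("dave", "payroll", "authorization"),
    ("dave", "payroll", "execution"),
]

# Constructed sample data: who performed each phase of four disbursements.
TRANSACTIONS = [
    {"id": "CD-1001", "custody": "bob", "authorization": "alice",
     "recording": "erin", "execution": "carol"},
    {"id": "CD-1002", "custody": "bob", "authorization": "alice",
     "recording": "bob", "execution": "carol"},
    {"id": "CD-1003", "custody": "bob", "authorization": "carol",
     "recording": "erin", "execution": "carol"},
    {"id": "CD-1004", "custody": "bob", "authorization": None,
     "recording": "erin", "execution": "carol"},
]

if __name__ == "__main__":
    for (user, process), pairs in entitlement_conflicts(GRANTS).items():
        print(f"access: {user} holds incompatible duties in {process}: {pairs}")
    for txn_id, person, duties in transaction_conflicts(TRANSACTIONS):
        print(f"activity: {txn_id}: {person} performed {', '.join(duties)}")
    for txn_id, gaps in missing_actors(TRANSACTIONS):
        print(f"trail: {txn_id}: no actor recorded for {', '.join(gaps)}")
```

The access check shows who could both perpetrate and conceal an error; the activity check shows where that happened in practice, including cases the access listing would not reveal.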

Internal Control in Smaller Entities
> In smaller entities there are often few employees, which can limit the extent to which segregation of duties is practicable and the paper trail of documentation available. But internal control still exists.
> In smaller entities, the control environment (management's commitment to ethics and competence, attitude toward control, and their day-to-day actions) will be very important to evaluate. This will involve assessing the behavior, attitudes, and actions of management.
> The presence of a highly involved owner-manager can be both an internal control strength and an internal control weakness. The strength is that the person (assuming his or her competence) will be knowledgeable about all aspects of operations and that it is highly unlikely material errors will be missed. The weakness is that the person is also in a good position to override internal controls.

Effect of Information Technology on Internal Control
> An entity's use of information technology may affect any of the five components of internal control:
  + Management's failure to appropriately address IT risks may negatively impact the control environment.
  + The use of IT may enhance an entity's risk assessment by providing more timely information.
  + Many information and communication systems make extensive use of IT, and the way in which IT is used often affects an entity's internal control.
  + Much of the information used in monitoring is provided by IT, and therefore, the accuracy of the IT system is crucial.
  + The use of IT may affect the way in which existing control activities are implemented. Also, the effectiveness of user controls may depend upon the accuracy of information provided to the user by IT systems.
> Manual vs. Automated Controls
  + Manual controls may be more appropriate than automated controls in situations where judgment and discretion are required, such as circumstances in which misstatements are difficult to define, anticipate, or predict.
  + Manual controls, however, may pose additional risks because they can be more easily ignored or overridden, they are subject to human error, and they are less consistent than automated controls.
> Testing Automated Controls
  + When testing automated controls, the auditor needs to identify and test not just specific application controls but relevant general controls on which the application controls depend.
  + In a manual system, manual controls such as approvals, reviews, and reconciliations are used. In an automated system using information technology, both manual and automated controls may be used; however, even manual controls may be dependent to some extent on the effective functioning of IT.
> IT Benefits
  + IT is used by an entity to improve the efficiency and effectiveness of its internal control. The auditor should consider the effect of such benefits as part of assessing internal control. Benefits may include:
    ✓ The ability to process large volumes of transactions and data accurately and consistently.
    ✓ Improved timeliness and availability of information.
    ✓ Facilitation of data analysis and performance monitoring.
    ✓ Reduction in the risk that controls will be circumvented.
    ✓ Enhanced segregation of duties through effective implementation of security controls.
> IT Risks
  + The use of IT may also create additional internal control risks. The auditor must evaluate the entity's use of IT to determine whether and to what extent the following risks exist:
    ✓ Potential reliance on inaccurate systems.
    ✓ Unauthorized access to data, which may result in loss of data and/or data inaccuracies.
    ✓ Unauthorized changes to data, systems, or programs.
    ✓ Failure to make required changes or updates to systems or programs.

> Involves study and evaluation of internal control
> Reasons/purpose of the auditor's study and evaluation of internal control:
  + Primary: to provide a basis for planning the audit to determine the nature, timing, and extent of audit procedures
  + Secondary: to provide a basis for constructive suggestions to management about improvements in internal control structure
> Steps in consideration of internal control:
  + Obtain sufficient understanding of the internal control relevant to the audit
    - Involves obtaining understanding of the design and operation of internal control relevant to the audit.
    - The auditor should use the understanding of the five components of internal control sufficient to evaluate the design and determine if the control has been implemented.
    - While the five components of internal control provide a useful framework for identifying and evaluating controls, the auditor should be more concerned with whether and how a specific control prevents, or detects and corrects, material misstatements, than with the classification of controls into categories.
    - Internal control is relevant to the entire entity and each of the five components of internal control may affect any of the three entity objectives, but not all of an entity's objectives and related controls are relevant to the audit. Generally, those controls that pertain to financial reporting objective are most relevant to the audit; it is primarily those controls that the auditor must consider and understand. The auditor need not assess all controls related to financial reporting, but rather applies professional judgment in determining which controls to assess.
    + Evaluate the design of relevant control
      o Involves determining whether the control, individually or in combination with other controls, is capable of effectively preventing or detecting and correcting material misstatements
      o Major emphasis in the design of effective control includes:
        ✓ Assets are properly protected
        ✓ Duties are segregated
        ✓ Transactions are authorized
    + Determine whether the control has been implemented
      o Whether the control is placed in operation; a control has been implemented if the control exists and is being used by the entity.
      o Procedures to obtain evidence about the design and implementation of controls:
        * Inquiry of entity personnel (inquiry alone is not sufficient).
        * Inspecting documents and records.
        * Observing of application of specific controls.
        * Performing a "walk-through" test - tracing a transaction through the accounting system, from initial recording to presentation in the financial statements.
    NOTE:
    The understanding of internal control is used by the auditor to:
    > Identify types of potential misstatements that can occur
    > Consider factors that affect the risks of material misstatements
    > Determine the nature, timing, and extent of audit procedures
  + Perform preliminary assessment of control risk
    - The assessment of control risk is based on understanding of internal control.
    + Assess control risk at a high level:
      o If internal control is poor or not effective, or
      o If it is inefficient to rely on internal control (inefficient to perform tests of controls)
    NOTE:
    Auditor's response if control risk is assessed at a high/maximum level:
    > Skip or do not perform tests of controls
    > Rely primarily on substantive tests
    + Assess control risk at less than high level:
      o If internal control is effective or reliable, and
      o If it is inefficient to obtain evidence to justify the assessment of control risk at less than high level
    NOTE:
    > Even if the internal control is effective, the auditor should assess control risk at a high level if it is inefficient to obtain evidence to justify the assessment of control risk at less than high level.
    > The PSA requires the auditor to document the basis, which is the evidence to justify the assessment of control risk at less than high level.
    Auditor's response if control risk is assessed at less than high/maximum level:
    > Perform tests of controls - to confirm operating effectiveness of controls.
  + Perform tests of controls
    * Tests of controls are performed when the auditor plans to rely on internal control; the auditor will only test those controls that he plans to rely upon (controls that are likely to prevent or detect and correct material misstatement relevant to the financial statements).
    NOTE:
    > Tests performed to test the operating effectiveness (as to design and operation) of internal controls that are likely to detect or prevent material misstatements in support of a reduced assessed level of control risk. Thus, tests of controls are performed to substantiate a reduced assessed level of control risk.
    > Tests performed confirm that the controls tested are working effectively.
    > Unlike substantive tests of details, tests of controls are not a required audit procedure.
    > The greater the reliance the auditor plans to place on internal controls, the more extensive the tests of those controls that need to be performed.
    > Tests of controls generally consist of one (or a combination) of the following evidence gathering techniques:
      + Inquiry
      + Observation
      + Inspection
      + Reperformance
    > Results of tests of controls do not confirm effectiveness of controls:
      ✓ the auditor should revise the preliminary assessment of control risk from less than high to high level
      ✓ the auditor should also make the necessary revision on the overall audit strategy, audit plan and preliminary audit program.
    > Results of tests of controls confirm effectiveness of controls:
      ✓ the auditor may rely on entity's internal control and decrease substantive testing.
  + Documentation of the understanding of accounting and internal control systems
    - Form of documentation may vary, wherein one form or a combination of forms of documentation may be used at the same time.
    - Forms of documentation include:
      + Internal control questionnaire
        o Consists of a list of questions on internal control to be answered by "Yes" or "No" response. A negative response is designed to draw attention to a possible weakness in internal control. Written explanations are required for "No" answers.
      + Flowcharts
        o A pictorial/symbolic diagram depicting the operation of a program/system or the sequential flow of authority, processes, transactions and documents. The use of standard symbols makes flowcharts easy to understand.
        o Systems flowcharts
          - Used to evaluate internal control because it shows the origin of each document in the system, its subsequent processing, and its final disposition.
        o IT flowcharts
          - Used in evaluating the internal control in an automated/computerized accounting environment.
          - The auditor can use these flowcharts to evaluate both the flow of the program and the internal controls related to the IT function in general.
      + Internal control checklists
        o A detailed listing of ideal control measures (the auditor tick marks the controls adopted by the client).
191Comprehensive Reatewer tn Auditing and
Aaaccance Prtaciples
Narrative memoranda it
on Witton version of a flowchart. It is a description y
the auditor's understanding of the system of inteing,
control. Note that flowcharts are more appropriate fy,
documenting complex control structures, while writes
narratives are more appropriate for less compe,
structures.
+ Decision trees ortables :
© Decision trees : i
are graphic illustrations that depict the logic of ay
operation or process.’ They generally empig
questions with "Yes" or "No" answers, which dire
the user to the next relevant questions.
© Decision tables 2a
® are graphic illustrations that depict the logici
relationships of a system in’ table form. Bon
approaches document the auditor's understanding
of a process.
Documentation of the assessed level of control risk
= If the control risk is assessed at a high level, the auditor should
document his conclusion that control risk is at a high level.
= If the control risk is assessed at less than high level, the auditor
should document:
= His conclusion that control risk is at less than high level, and
= The basis for that assessment — results of tests of controls
confirming the assessment of control risk at below
high/maximum level.
Communicating with those charged with governance and management
> The auditor should communicate audit matters of governance interest
arising from the audit of financial statements with those charged with
governance of an entity.
> Governance refers to the role of persons entrusted with the supervision,
control and direction of an entity. Those charged with governance
ordinarily are accountable for ensuring that the entity achieves its
objectives, financial reporting, and reporting to interested parties.
> Reportable conditions are significant deficiencies/weaknesses in
the design or operation of the internal control which have come to the
auditor's attention that should be reported to the appropriate level of
management such as the highest official of the company or those
charged with governance (usually to the entity's audit committee of
the board of directors) in writing, in a formal management letter
(the by-product of the audit engagement) at the earliest opportunity
so that appropriate corrective actions may be taken as soon as
possible.
> A deficiency may be of such magnitude as to be considered a material
weakness in internal control. A material internal control
weakness is a condition in which material errors or fraud would
ordinarily not be detected within a timely period by employees in the
normal course of performing their assigned functions.
Opinion on entity's internal control:
> Consideration of internal control in financial statement audit is not
sufficient to express an opinion on an entity's controls because only
those controls on which an auditor intends to rely are reviewed, tested,
and evaluated.
> The auditor is not required to identify or search for internal control
weaknesses.
Internal control weaknesses
Examples of significant weaknesses in internal control include:
> Weak control environment (such as ineffective oversight, poor attitude
toward internal control, or instances found of management override or
fraud).
> Weaknesses in IT general controls.
> Significant business risks that have not been addressed by policies,
procedures or internal controls.
> Inadequate policies and procedures in place for:
+ Appropriately assessing and applying accounting principles
+ Determining accounting estimates and assessing their
reasonableness
+ Preparing the financial statements and the disclosures
required, and
+ Safeguarding assets
> Significant internal control activities or application controls not operating
as designed, not applied consistently by appropriate individuals, or not
monitored by appropriate individuals.
> Significant deficiencies previously communicated to management or
those charged with governance that remain uncorrected after a
reasonable period of time.
EXERCISES
\f Internal Control
1. Which of the following is the most accurate?
A. An auditor would most likely be concerned with internal control
policies and procedures that provide reasonable assurance about the
efficiency of management's decision-making process
B. An auditor would most likely be concerned with internal control
policies and procedures that provide reasonable assurance about the
entity's ability to process and summarize financial data
C. An auditor would most likely be concerned with internal control
policies and procedures that provide reasonable assurance about the
appropriate prices the entity should charge for its products
D. An auditor would most likely be concerned with internal control
policies and procedures that provide reasonable assurance about the
methods of assigning production tasks to employees
2. When it comes to an audit of financial statements, the primary
consideration of an auditor regarding an internal control activity is
whether the control
A. Helps in the management's decision-making process
B. Mirrors management's philosophy and operating style
C. Has an effect on the management's financial statement assertions
D. Provides sufficient safeguards over access to assets
3. Which of the following objectives of internal control would be most
relevant to the audit?
A. Operational objective
B. Compliance objective
C. Administrative control objective
D. Financial reporting objective
4. Who is responsible for establishing and maintaining internal control
system?
A. Management and those charged with governance
B. The controller or the treasurer
C. The external auditors
D. The internal auditors
5. Which of the following pertains to the fundamental purpose of an internal
control?
A. To encourage compliance with organization objectives
B. To ensure the accuracy, reliability, and timeliness of information
C. To safeguard the resources of the organization
D. To provide reasonable assurance that the objectives of the
organization are achieved
6. All of the following are part of the three primary objectives of effective
internal control except:
A. Reliability of financial reporting
B. Efficiency and effectiveness of operations
C. Compliance with laws and regulations
D. Each of the above options is a secondary objective of effective internal
control
7. An act of two or more employees to steal assets or misstate records is
known as
A. A control deficiency
B. Collusion
C. A material weakness
D. Any of the above
8. Which statement is true about relevance of various types of controls to a
financial audit?
A. Controls over the safeguards of assets and liabilities are critical, but
controls over the accuracy of financial reporting may also be
necessary.
B. When taking a substantive auditor approach, an auditor may typically
overlook a consideration of controls.
C. Financial reporting controls are usually the most directly relevant to
an audit, but other controls may also be important.
D. All controls are ordinarily relevant to an audit
9. Which of the following is not one of the three primary objectives of
effective internal control?
A. Reliability of financial reporting
B. Assurance of zero business risk
C. Efficiency and effectiveness of operations
D. Compliance with laws and regulations
10. Which of the following is not typically one of the management's concerns
in designing effective internal controls?
A. Generating profits from operations
B. Designing the most effective internal control possible no matter how
much it will cost
C. Complying with applicable laws and regulations
D. Generating fairly stated financial statements
11. Internal control should be designed to provide reasonable assurance that
A. Employees will prevent or discover material errors or fraud in the
course of their assigned duties and correct them in a timely manner.
B. The direction and control of management's performance is provided
by the internal auditing department in a cost-effective and effective
manner.
C. Management's planning, organizing, and directing processes are
properly evaluated
D. Employee collusion has not been used to thwart management's
intentions.
12. In performing an audit of financial statements, it is required that the
auditor should obtain a sufficient knowledge of a client's business and
industry to
A. Develop a professional skepticism when it comes to management's
financial statement assertions.
B. Make suggestions for improvements to the client's internal control
system.
C. Understand the events and transactions that may have an impact
on the client's financial statements
D. Examine if the aggregate of known misstatements results in the
financial statements being materially misstated as a whole.
13. Which of the following fraudulent actions is most likely to be perpetrated
as a result of the revenue cycle's lack of adequate internal controls?
A. The failure to prepare shipping documents may cause an
overstatement of inventory balances.
B. Fictitious transactions may be documented, resulting in revenue
understatement and receivables overstatement.
C. Claim received from customers for goods returned may be
intentionally recorded in other customer's accounts.
D. Authorization of credit memos by cash-handling workers may allow
for cash embezzlement.
14. The financial statements must be prepared and presented in a fair and
accurate manner by the entity's management. Its responsibility includes
the following, except
A. Designing, implementing, and maintaining internal control related
to the preparation and presentation of financial statements.
B. Selecting and applying appropriate accounting policies.
C. Assessing the risks of material misstatement of the financial
statements.
D. Making accounting estimates that are reasonable in the
circumstances.
15. Which of the following statements best expresses the objective of the
traditional audit of financial statements?
A. To assure adoption of sound accounting policies and the
establishment and maintenance of internal control.
B. To express an opinion on the fairness with which the statements
present financial position, financial performance, and cash flows in
accordance with Philippine Financial Reporting Standards.
C. To express an opinion on the accuracy with which the statements
present financial position, financial performance, and cash flows in
accordance with Philippine Financial Reporting Standards.
D. To make suggestions as to the form or content of the financial
statements or to draft them in whole or in part.
16. It is critical for the auditor to assess the audit client's employees'
competency since their competence has a direct and significant
impact on the audit client's results through
A. The comparison of recorded accountability with assets
B. The cost-benefit relationship of internal control
C. The timing of the tests to be performed
D. The achievement of the objectives of internal control
17. An adequate system of internal controls is most likely to detect a fraud
perpetrated by
A. Group of managers in collusion
B. Group of employees in collusion
C. Single employee
D. Single manager
18. Which of the following components of an entity's internal control
includes the creation and implementation of training policies that
inform employees about their future duties and responsibilities?
A. Control activities
B. Monitoring of controls
C. Control environment
D. Information and communication
19. An entity's internal control system contains manual elements and
often contains automated elements. Manual elements in internal
control may be less reliable than automated elements because of the
reason that
A. Manual control elements are more readily bypassed, disregarded,
or overridden, and they are also more prone to simple errors and
mistakes.
B. Manual control elements facilitate the additional analysis of
information
C. Consistency of application of manual control elements can always
be assumed
D. Manual control elements include relying on systems or programs
that process data incorrectly, process incorrect dates, or both.
20. The following are components of internal control
A. Control activities
B. The entity's risk assessment process
C. Control environment
D. Business risk
f Internal
21. Which of the following is true with respect to separation of duties?
A. It is desirable to prevent employees who authorize transactions from
having custody of related assets
B. Employees should not be in charge of assets both temporarily and
permanently.
C. Allowing an employee to open cash receipts and record them is
permissible.
D. None of the above is correct
22. The most significant type of protective measure for safeguarding assets
and records is
A. Proper authorization of transactions
B. Adequate separation of duties among personnel
C. Adequate documentation
D. The use of physical precautions
23. Which of the following most accurately reflects the entity's risk
management process?
A. Entity's assessment of audit risks affecting the financial statements
B. The process through which an entity identifies business risks that are
important to financial reporting objectives and decides what actions
to take to address those risks.
C. Entity's process of evaluating the risks of misstatements due to fraud
D. The entity's evaluation of the risks that internal controls would fail to
detect financial statement misstatements
24. Which of the following deal with ongoing assessment of the quality of
internal control by management?
A. Management activities
B. Quality control activities
C. Monitoring activities
D. Oversight activities
25. An entity's ongoing monitoring activities often include
A. Periodic audits by the audit committee
B. The audit of the annual financial statements
C. Control risk assessment in conjunction with quarterly reviews
D. Reviewing the purchasing function
26. The policies and procedures that help ensure that management directives
are carried out are referred to as the:
A. Control environment
B. Information system
C. Control activities
D. Monitoring of controls
27. All of the following are specific control activities that are relevant to a
financial statement audit except:
A. Performance reviews
B. Physical controls
C. Monitoring
D. Segregation of duties
28. Proper segregation of functional responsibilities in an effective structure
of internal control calls for separation of the functions of
A. Custody, execution and reporting
B. Authorization, payment, and recording
C. Authorization, execution, and payment
D. Authorization, recording, and custody
29. Which of the following activities has the least chance of improving a
company's internal control?
A. Separating accounting from other financial operations
B. Maintaining insurance for fire and theft
C. Carefully selecting and training employees
D. Fixing responsibility for the performance of employee duties
30. Which of the following best describes the purpose of control activities?
A. The actions, policies, and procedures that reflect the overall attitudes
of management
B. The identification and analysis of risks relevant to the preparation of
financial statements
C. Activities that deal with the ongoing assessment of the quality of
internal control by management
D. The policies and procedures that help ensure that necessary actions
are taken in order to achieve the entity's objectives
31. An auditor opted to conduct control tests after learning about the internal
control structure and assessing control risk. The auditor most likely
decided that
A. There is insufficient data to support additional reductions in control
risk.
B. For certain financial statement assertions, an increase in the
assessed level of control risk is justified.
C. It would be more efficient to conduct control tests that would result
in fewer substantive tests being conducted.
D. There were numerous flaws in internal controls that might have
allowed errors to enter the accounting system.
32. An auditor has decided that a client's existing internal controls are well
designed and performing as intended after analyzing and evaluating
them. Under these circumstances, the auditor would most likely
A. Conduct additional control tests as specified in the audit program.
B. Set the direction risk higher than it would be in the case of weak
internal control.
C. Determine the control policies and procedures that should prevent
or detect mistakes and fraud.
D. Set the direction risk at a lower level than it would be in the case of
a lack of internal control.
33. Which of the following statements concerning walkthrough tests is
incorrect?
A. Tracing a few transactions through accounting systems is required.
B. This approach could be used in test of control
C. This technique is used to assess if the controls are in place.
D. The nature and scope of the walk-through
34. The auditor's understanding of the entity's accounting and internal
control systems is usually gained through past experience with the entity.
In addition, the auditor may perform the following procedures, except
A. Inquiries of relevant management, supervisory, and other people at
various organizational levels within the entity, as well as citations to
paperwork, job descriptions, and flow charts.
B. Internal control processes must be re-performed.
C. Inspecting the accounting and internal control system's documents
and records
D. Observation of the entity's activities and operations, including
computer operations organization, management people, and
transaction processing nature.
35. When obtaining knowledge of the entity's accounting and internal control
systems, an auditor is least likely to do which of the following?
A. Inquiries of appropriate personnel
B. Performing analytical review procedures
C. Inspection of documents and records
D. Observation of the entity's activities and operations
36. Subsequent to the consideration of internal control, an auditor might
decide to
A. Limit the scope of control testing in areas where internal control is
strong.
B. In areas where internal control is strong, expand the scope of control
and substantive tests.
C. In areas where internal control is lacking, expand the scope of
substantive testing.
D. In regions where internal control is strong, reduce the scope of both
substantive and control tests.
37. Which of the following audit tests would be regarded as a test of controls?
A. A comparison of inventory pricing to bills from vendors
B. Verification of signatures on canceled checks for authorizations from
the board of directors
C. Physical inspections of the additions to property, plant, and
equipment
D. Examine the specific things that make up a general ledger account's
balance.
38. The auditor may elect to conduct some control tests during an interim
visit prior to the period's end. The auditor, on the other hand, cannot rely
on the results of such a test without contemplating the need for additional
audit evidence for the remainder of the period. Factors to be considered
in deciding whether to perform tests of controls for the remaining period
would not include
A. Have there been any changes to the accounting and internal control
systems during the interim?
B. The outcome of the substantive tests
C. The interim tests' findings
D. The amount of time left in the current period
39. The approach of tests of control is heading toward the controls
A. Efficiency
B. Efficiency and effectiveness
C. Cost benefit ratio
D. Effectiveness
40. According to the requirement of PSA 330, how often should an auditor
assess the operational efficacy of controls that appear to work as they
did in previous years and on which the auditor desires to depend this
year?
A. At least every third audit
B. Monthly
C. Each audit
D. At least every second audit
41. Prior to the assessment of control risk at a level lower than the maximum,
the auditor is able to get reasonable assurance that controls are in place
and functioning properly. The assurance is most likely obtained in part by
A. Inspection of documents
B. Preparing flowcharts
C. Performing substantive tests
D. Analyzing tests of threads and ratios
42. An auditor commonly tests the segregation of duties in connection with
the inventory through
A. Analytical procedures and invoice recalculation
B. Document inspection and reconciliation
C. Personal inquiry and observation
D. Test counts and cutoff procedures
43. An auditor found that the controls are well designed and functioning as
expected after studying and evaluating the client's internal control
system. Under these circumstances the auditor would most likely
A. Increase the extent of planned analytical review procedures
B. Cease to perform further substantive tests
C. Not increase the extent of predetermined substantive tests
D. Carry out all control tests to the extent specified in the audit program
44. Subsequent to the obtaining of sufficient understanding of the entity's
accounting and internal control systems, the auditor should make a
preliminary assessment of
A. Audit risk
B. Inherent risk
C. Detection risk
D. Control risk
45. Which of the following is not a typical medium for an auditor to keep
track of information on a client's internal control policies and procedures?
A. Questionnaire
B. Narrative memorandum
C. Flowchart
D. Procedure manual
46. The auditor observes client employees while obtaining an understanding
of the internal control structure so that he can
A. Update information contained in the organization and procedure
manuals
B. Become familiar with the control structure's design and
implementation of applicable policies, procedures, and records.
C. Prepare a flowchart
D. Determine the extent of compliance with quality control standards
47. Which statement about the auditor's documentation of the client's
internal control framework is correct?
A. Documentation must include flow charts
B. Although documentation is desirable, it is not required.
C. No particular form of documentation is necessary, and the extent of
documentation may vary
D. Documentation must include procedural write-ups
48. The auditor might follow multiple transactions through the control
process to get a better knowledge of the internal control structure. The
primary purpose of this task is to
A. Determine the effectiveness of the control procedures
B. Determine whether the controls have been placed in operation
C. Replace substantive tests
D. Detect fraud done by the management
49. Which of the following refers to the conclusion reached as a result of
assessing control?
A. Assurance provided by internal control structure
B. Determined level of acceptable detection risk
C. Assessed level of control risk
D. Product of the understanding of internal control
50. The reason why an auditor assesses control risk is because it
A. Has an impact on the level of detection risk that the auditor is willing
to take.
B. Is relevant to the auditor's understanding of the control environment
C. Assures that the auditor's materiality levels are not excessive.
D. Indicates to the auditor where inherent risk may be the greatest
n_of iI Cor >
51. The best way to normally gain audit evidence concerning proper
segregation of duties is through:
A. Inquiries about the employee who implements control methods
among coworkers.
B. Preparation of a flowchart of duties performed and available
personnel
C. Direct personal observation of the employee who performs control
procedures
D. Inspection of third-party documents containing the initials of who
applied control procedures
52. The auditor concludes that there are no major internal accounting control
shortcomings based on an interim assessment and review. The records
and procedures would most likely be tested again at year-end if
A. The auditor's inquiries and observations lead him to assume that
circumstances have changed.
B. Compliance tests were not performed by the internal auditor during
the remaining period
C. The internal accounting control system provides a foundation on
which to rely in order to reduce the scope of substantive testing.
D. The auditor used non-statistical sampling during the interim period
compliance testing
53. The majority of a company's audits are performed by the same CPA firm
every year. Except for early engagements, the auditor enters the audit
with a wealth of information on previous years' internal controls. Because
systems and controls usually do not change often
A. The auditor can skip the evaluation of this area on repeat
engagements
B. It eases the burden on the auditor's requirement to do a complete
study of the controls this year
C. It is sufficient for the auditor to simply ask the client if the controls
have changed from the previous year.
D. This data can be updated and applied to the audit for the current
year.
54. When the auditor estimates control risk at a high level, which of the
following is correct?
A. The auditor should perform tests of controls
B. The auditor should document his conclusion that control risk is at a
high level
C. The auditor need not document his understanding of internal control
D. The auditor should keep track of the facts that led to his conclusion.
55. If the auditor desires to further lower the assessed degree of control risk
connected to plant asset transactions after gaining an initial grasp of a
client's internal control, the auditor should next
A. Conduct in-depth analyses of plant asset balances.
B. Verify that current-year additions are physically present.
C. Fill out the internal accounting control questionnaire's plant asset
section.
D. Further test those internal control procedures relating to processing
and recording plant asset transactions
56. An auditor uses the knowledge provided by the understanding of internal
control and the final assessed level of control risk primarily to determine
the nature, timing, and extent of the
A. Substantive tests
B. Attribute tests
C. Tests of controls
D. Compliance tests
57. Control testing is applied in order to know whether or not
A. Incompatible functions exist.
B. The assessed level of control risk can be reduced.
C. Necessary controls are absent.
D. Material peso errors exist.
58. What is the objective of tests of details of transactions performed as tests
of controls?
A. To monitor the design and use of entity documents such as
prenumbered shipping form.
B. To evaluate whether controls operated effectively.
C. To determine whether controls have been placed in operation.
D. To direct material misstatements in the account balances of the
financial statements.
59. Which of the following is true?
A. Tests of controls are designed to obtain evidence to support the
auditor's assessment of control risk at a high level.
B. Tests of controls are designed to obtain evidence to support the
auditor's assessment of control risk at zero level.
C. Tests of controls are designed to obtain evidence to support the
auditor's assessment of control risk at the maximum level.
D. Tests of controls are designed to obtain evidence to support the
auditor's assessment of control risk at less than high level.
60. Which of the following statements regarding tests of controls is true?
A. Control test deviations are significant only if they occur in significant
patterns never before seen by the auditor.
B. Tests of controls must be performed on each audit.
C. If the auditor plans to rely on the client's controls, the controls must
be tested.
D. All of the above are correct.
61. The auditor would most likely assess control risk at a high level when
A. The entity's accounting and internal control systems are not reliable.
B. The auditor wants to rely on the accounting and internal control
systems of the company.
C. It would be efficient to perform test of control.
D. The auditor wants to restrict substantive tests.
62. The main emphasis by auditors is on controls over:
A. Account balances.
B. Classes of transactions.
C. Both A and B because they are equally important.
D. Both A and B because they vary from client to client.
63. When obtaining audit evidence regarding the effective operation of
internal controls, the auditor considers all of the following except one,
which is it?
A. How they were applied.
B. By whom they were applied.
C. Why they were applied.
D. The consistency with which they were applied during the period.
64. Which of the following may or may not be required during a company's
audit?
A. Substantive procedures
B. Risk assessment procedures
C. Tests of controls
D. Analytical procedures
65. Control risk should be assessed by
A. Control environment factors
B. Specific controls
C. Types of potential factors
D. Financial statement assertions
66. Following the assessment of control risk, an auditor wishes to reduce the
degree of control risk further. At this time, the auditor would consider
whether
A. The entity's controls pertain to any financial statement assertions.
B. It would be efficient to obtain an understanding of the entity's
information system.
C. There is likely to be additional audit evidence available to support a
further reduction.
D. The entity's controls have been implemented.
67. Which of the following strategies is not appropriate for gaining
knowledge about internal controls?
A. Examine documents and records.
B. Read industry trade magazines.
C. Observe client activities and operations.
D. Make inquiries of the client's personnel.
68. The auditor acquires a reasonable degree of assurance that the internal
control procedures are in use and operating as designed before relying
on the system of internal control. The auditor obtains this assurance by
performing planned
A. Transaction tests
B. Tests of trends and ratios
C. Substantive tests
D. Tests of controls
69. Which of the following is a phase in an auditor's decision to evaluate
control risk at a lower level than high?
A. Determine which internal control policies and procedures are most
likely to identify or avoid material misstatements.
B. Document that the additional audit effort to perform tests of controls
exceeds the potential reduction in substantive testing.
C. Use analytical processes on both financial and non-financial data to
identify conditions that could suggest a lack of controls.
D. Perform tests of details of transactions and accounts balances, to
identify potential errors and fraud.
70. Tests of controls do not include:
A. Inspection of documentary support for transactions evidencing
authorization.
B. Analytical procedures involving comparison of operating expenses
with budgeted amounts.
C. Reperformance of internal control procedures.
D. Inquiries about, and observation of, internal controls which leave no
audit trail.
. To obtain evidential matter about control risk, an auditor selects test from
a variety of techniques including
‘A. Analytical procedures
B. Calculation
Cc. Inquiry
D. Confirmation
72. When the auditor finds that there are missing controls in an area of the
accounting system, the audit program in that area would be modified in
such a way as to
A. Cause the issuance of a qualified or adverse opinion.
B. Eliminate the need for a test of controls.
C. Increase the amount of tests of controls.
D. Increase the reliance on tests of controls.
73. Documentary proof may not exist for certain controls, such as
segregation of duties. An auditor would most likely test the procedures by
A. Reperformance and corroboration.
B. Observation and inquiry.
C. Inspection and vouching.
D. Confirmation and re-computation.
74. After reviewing a client's internal control, an auditor has found that the
system is well designed and is performing as planned. Under these
circumstances, the auditor would most likely
A. Cease to perform further substantive tests.
B. Increase the extent of anticipated analytical procedures.
C. Carry out all control tests to the extent specified in the audit
program.
D. Not increase the extent of planned substantive tests.
75. Extended performance of tests of controls is most likely to occur when
A. The auditor is doing a "fraud audit".
B. Controls are ineffective and assessed control risk is high.
C. It is a first-year audit.
D. Controls are effective and assessed control risk is low.
76. To support the operational efficacy of internal controls, an auditor is likely
to apply four types of procedures. Which of the following would generally
NOT be used?
A. Examine documents, records, and reports.
B. Reperform client procedures.
C. Inspect the design of documents.
D. Make inquiries of appropriate client personnel.
77. A public company's material shortcomings in internal control must be
reported in writing to which of the following?
A. Members of management who are responsible for the related area of
the company.
B. Audit committee of the company's board of directors.
C. The PICPA.
D. The SEC.
78. When a compensating control is present, the absence of a key control:
A. Could cause a material loss, so it must be tested using substantive
procedures.
B. Is no longer a concern because there is no longer a significant
deficiency or material weakness.
C. Is still a major concern to the auditor.
D. Is magnified and must be removed from the sampling process and
examined in its entirety.
79. If an auditor determines that some control activities are ineffective, he or
she may increase the assessed degree of control risk. The auditor would
most likely increase the
A. Extent of tests of controls.
B. Level of detection risk.
C. Extent of tests of details.
D. Level of inherent risk.
80. The reason why an auditor uses the knowledge provided by the
understanding of internal control and the assessed level of the risk of
material misstatement is to primarily
A. Determine whether procedures and records concerning the
safeguarding of assets are reliable.
B. Determine the nature, timing and extent of substantive tests for
financial statement assertions.
C. Determine whether the chances of someone bothering to commit
and conceal fraud are minimized.
D. Adjust the original estimations of inherent risk and preliminary
materiality judgments.
81. Which of the following statements concerning control risk is true?
A. Control risk assessment and understanding of an entity's internal
control system can be done at the same time.
B. When control risk is at a high level, an auditor is required to
document the basis for that assessment.
C. Control risk may be deemed low enough to obviate the need for
comprehensive assessment for key transaction classes.
D. An auditor should not consider evidence gathered from previous
audits about the operation of control procedures when evaluating
control risk.
82. In general, a material weakness in internal control may be defined as a
condition in which material errors or irregularities may occur and not be
detected within a timely period by
A. Employees in the normal course of performing their assigned
functions.
B. Outside consultants who issue a special-purpose report on internal
control structure.
C. An independent auditor during tests of controls.
D. Management when reviewing interim financial statements and
reconciling account balances.
83. All of the following are performed by the auditor using his knowledge of
accounting and internal control systems, as well as assessments of
inherent and control risks except:
A. Design appropriate audit procedures.
B. Evaluate the effectiveness of the accounting and control systems.
C. Identify the types of misstatements that could occur.
D. Consider factors that affect the risk of material misstatements.
84. When the auditor attempts to understand the operation of the accounting
system by tracing a few transactions through the accounting system, the
auditor is said to be:
A. Performing a walk-through
B. Tracing
C. Vouching
D. Testing controls
85. Which of the following is not part of a company's internal control system?
A. Information and communication.
B. Control risk.
C. The control environment.
D. Risk assessment.
86. In a public firm, which of the following is in charge of developing internal
controls?
A. Management and auditors.
B. Committee on Sponsoring Organizations.
C. Management.
D. Financial statement auditors.
87. The auditor's study of a public company's internal control is:
A. Recommended by the PICPA.
B. Required by GAAS.
C. Required by PICAP.
D. Required by the Sarbanes-Oxley Act.
88. The auditor's study of a private company's internal control is:
A. Recommended by the PICPA.
B. Required by GAAS.
C. Required by PICAP.
D. Required by the Sarbanes-Oxley Act.
89. Which of management's concerns about implementing internal controls
is most important to the auditor?
A. Efficiency of operations.
B. Compliance with applicable laws and regulations.
C. Reliability of financial reporting.
D. Effectiveness of operations.
90. When an auditor tries to figure out how the accounting system works by
tracking a few transactions across the system, the auditor is said to be:
A. Tracing.
B. Performing a walk-through.
C. Testing controls.
D. Vouching.
91. Internal control procedures are strengthened when the quantity of
merchandise ordered is omitted from the copy of the purchase order sent
to the
A. Purchasing agent.
B. Accounts payable department.
C. Receiving department.
D. Department that initiated the requisition.
92. An auditor would consider internal control over a client's payroll
procedures to be ineffective if the payroll department supervisor is
responsible for
A. Updating employee earnings records.
B. Hiring subordinate payroll department employees.
C. Applying pay rates to time tickets.
D. Having custody over unclaimed paychecks.
93. In obtaining an understanding of a manufacturing entity's internal control
concerning inventory balances, an auditor most likely would
A. Perform test counts of inventory during the entity's physical count.
B. Analyze inventory turnover statistics to identify slow-moving and
obsolete items.
C. Review the entity's descriptions of inventory policies and procedures.
D. Analyze monthly production reports to identify variances and unusual
transactions.
94. The auditor who becomes aware of a reportable condition in internal
control is required to communicate this to the
A. Senior management and board of directors.
B. Board of directors and internal auditors.
C. Internal auditors and senior management.
D. Audit committee or its equivalent.
95. After obtaining an understanding of internal control and assessing control
risk, an auditor decides to perform tests of controls. The auditor most
likely decided that
A. It would be efficient to perform tests of controls that would result in
a reduction in planned substantive tests.
B. There were many internal control structure weaknesses that could
allow errors in the accounting systems.
C. Additional evidence to support a further reduction in control risk is
not available.
D. An increase in the assessed level of control risk is justified for certain
financial statement assertions.
96. When management is evaluating the design of internal control,
management evaluates whether the control can do all but which of the
following?
A. Correct material misstatements.
B. Prevent material misstatements.
C. Detect material misstatements.
D. None of the above is correct.
97. One of the components of internal control that an independent auditor
must come to understand about each audit client is "information and
communication." What is meant by this term?
A. The ability of the management of the company to communicate its
priorities to the appropriate staff levels within the organization.
B. The ability of the accounting system to generate reliable information
and convey it in a timely manner to those parties within the
organization that needs it.
C. The ability of employees in a company to warn the independent
auditor of fraudulent actions within the organization.
D. The ability of the internal auditor to communicate information about
the various systems to people within the organization at an
appropriate level of authority.
98. A CPA firm is beginning the audit of Panny Corporation. One of the staff
auditors has been assigned to gain and then document her understanding
of the internal controls designed to be in place in the company's payroll
system. At the end of the day, the staff auditor has created a series of
flowcharts, questionnaires, and narrative descriptions based on the
understanding she has obtained. Which of the following is correct?
A. The questionnaire approach is preferred.
B. The flowchart approach is preferred.
C. She was correct in using all three of these techniques to fulfill this
assignment.
D. She only needed to use one of these techniques.
99. Jane David is employed by Crossline Corporation and earns P30 per hour.
She usually works 28 hours per week but always claims to the firm that
she works 32 hours per week in order to obtain additional pay. Which of
the internal control activities listed below is most likely to prevent this
type of theft?
A. The company's payroll program is tested each month with test data
to ensure that it operates properly.
B. A separate paymaster delivers the checks each pay period to Jane
David after verifying her identity.
C. The supervisor for Jane David must review her time sheet each
period and indicate approval.
D. Any paychecks that are printed but not picked up must be turned
over to an independent group for subsequent handling.
100. An auditor uses the assessed level of control risk to
A. Determine the acceptable level of detection risk for financial
statement assertions.
B. Evaluate the effectiveness of the entity's internal control policies and
procedures.
C. Identify transactions and account balances where inherent risk is at
the maximum.
D. Indicate whether materiality thresholds for planning and evaluation
purposes are sufficiently high.
SUGGESTED KEY ANSWERS AND EXPLANATIONS TO MULTIPLE CHOICE QUESTIONS
TT % [Le Si, ¢ 71 e4
2[-¢ 27|_¢ 5s2| A 7h
31D 26 | _D 53{D 74
4[_A 29| 8B 54D 79\~e>
5| D 30 | “D 55| D 80-67
Gar) 31] ¢ 56[ A sila
7B. 32| 8 s7| 8 82| A
eic 33|_D 58{ 8 83/87
o| 8 34[_B 59D ~84| A”
io| 8B 35|_8 60 | C 85 |B
1i|[—A 36|.C 61] A 861
32]_¢ 37 |B 62{.D | |_87| D
13 | D 38] B 63 | C 88 |B]
14{ C 39|'D 64|_ C 89 | ¢
15| B 40 [A 65| D 90 |B
16] 0 ~41| A 66 | C ic
oe fare 42] C 67 |B 92D
ig] C 43|_C 68| D 93| Cc
i9|_A 44|_p | | 69] A 94 [7D
20|D 45|_D 70 |B 35 [A
2|_A_| [46] 8 7i{ Cc 96] A
22| b-| | 47] 8 72| 8 97 |B
23 |B 48 | B 73| B 98] D |
24[ 49{¢ 74{D_| gol c
25| 0 sol A 7a) too [A
Key Answer | Explanation
The internal control policies and procedures should
highlight the effect on the preparation of financial
statement through the availability of accurate financial
data.
;———~T When it comes to an audit of finang:
/| primary consideration of an audi RemeN, bid
internal control activity j .
T the control h:
effect in the management's ‘ las an |
assertions. Auditors ‘must vor panel
S40 A
aoe
4 A
2 Peary
| The auditor aneGky- GUSSET Ea |
luditor directly obtaining information from
—t__| I a
The substantive tests are increased or reduced
depending on the results of the test of controls. Since
the tests of controls are meant to be performed before
the substantive tests, the outcome of the substantive
tests should have no bearing on whether or not the test
of controls should be performed.
Tests of controls determine whether control risk is high
or low. Control risk only pertains to the internal controls'
effectiveness.
Only applicable if there have been no significant
changes to the internal control system.
four that refers to the testing of internal controls. B
refers to preparation of working papers and obtaining
knowledge about the business. C refers to substantive
testing. D refers to analytical procedures.
Employees is the easiest and most common method d
idence. A/B/D have no way of detecting fF
| Inn of duties is being followed. %
Observation is one of the best ways to ensure that all
implemented internal control procedures are being
followed.
The auditor must assess if control risk is at high or
maximum level, and if control risk is less than high or
below maximum level. If it is high or at maximum level,
no test of controls will be necessary.
are the most common and effective ways of
documenting the client's internal controls.
While the form of documentation has not been
prescribed by any standards, the extent of
documentation required still depends on whether control
risk was assessed at a high level or not.
This is called a walk-through procedure.
When the auditor determines that control risk is at a
high or maximum level, he is required to document the
facts that led to the basis for the control assessment.
If the auditor wants to further lower the control risk,
he/she has to obtain more evidence regarding the
operating effectiveness of the internal controls.
A/C refer to assessing the internal controls to be
ineffective. This assessment does not need evidence
and relies on the professional judgement of the auditor.
B is wrong since auditors cannot assess a control risk
to be 0; it can only be minimized, not eliminated.
Control risk is assessed to be at a high or maximum
level if the auditor deems them unreliable.
Auditors emphasize internal control over classes of
transactions rather than account balances because the
accuracy of accounting system outputs (account
balances) depends heavily on the accuracy of inputs
and processing (transactions).
The auditor should establish why the controls were
made when he/she was obtaining an understanding of
the internal controls, not during the test of controls.
219deemed high itor, there
trol risk was igh by the auditor,
tbe no need to conduct a test of controls.
is used to gain an understanding of the business, not
the internal controls.
B refers to a cost benefit analysis on why a test of
controls is unnecessary. C refers to analytical
procedures. D refers to substantive testing. Only A
refers to test of controls, which is necessary to evaluate
control risk at less than a high level.
A/C/D are all procedures that can be done during a test
of controls. B is better performed as a substitute for
substantive testing.
7fo]0 are applicable as procedures for substantive
A is wrong as a lack of controls does not necessarily
mean that a material misstatement exists. Only when
alternative procedures cannot be performed would the
auditor's opinion change. C/D are impossible to perform
without pre-existing controls in place.
Tests of controls are only conducted when the auditor
assesses the control risk to be below high level.
Otherwise, test of controls will be unnecessary, and the
auditor will go straight to substantive testing.
The design of the documents has no bearing on the
internal control system of the client.
The audit committee would be the one charged with
the management and maintenance of the internal
control of the client.
The compensating control would make up for the
weaknesses of not having a key internal control.
Control risk is high and therefore detection risk is low.
This means that the auditor must use more effective
substantive tests, expanding the scope of substantive
testing. See 32 for the audit risk formula.
B is wrong because no documentation is necessary if
control risk is high. C is wrong because substantive
tests are still necessary, even if control risk is low. D is
wrong because the auditor can consider previous audit
evidence about the client's internal controls if there are
no significant changes.
Internal controls are designed around the normal
operations of a business. They are not intended to
catch misstatements from abnormal operations.
A/C/D are referring to obtaining an understanding of
the client's internal controls. B is only done when the
auditor is conducting a test of controls, which occurs
after A/C/D.
In a walk-through, the auditor selects one or a few
documents of a transaction type and traces them from
initiation through the entire accounting process. Walk-
through conveniently combines observation,
documentation, and inquiry.
This forces the receiving department to conduct a
physical count of goods received instead of relying on
the amount stated in the document.
An auditor is required to obtain an understanding of a
client's internal control structure. Reviewing policies
and procedures manuals that describe a client system
such as inventory and the related controls is a standard
audit step in obtaining that understanding.
The audit committee is the appropriate recipient of
communication regarding internal control related
matters.
Auditing authoritative sources state that after obtaining
an understanding of internal control, the auditor
considers if it is sufficient to perform tests of controls
that would result in a reduction in planned substantive
tests.
Controls are designed to prevent and detect errors;
corrections of errors involve human intervention.
Internal control includes any policies and procedures
within the company designed to ensure that the
accounting systems are functioning effectively as
designed by the management of the company. One
general goal is to make sure that the information
produced by the accounting system is reliable and
‘appropriate decisions. In looking at a particular
and its internal control, the auditor evaluates th
to generate information and then communica
parties who can make use of it,
98 D
The auditor's goal was to establish her understanding
of the design of the controls that were supposed to be
in place in this payroll system. All three of the
techniques (questionnaire, flowchart, or narrative)
accomplish this purpose successfully. Therefore, only
one is necessary although sometimes the techniques
are grouped together if the system is particularly
complex.
99 C
Each of these four is an internal control activity
frequently found in a company's payroll
system. However, they are each designed to prevent
or discover frauds of a specific type. Here, the
problem is extra hours claimed by an employee so that
unearned money can be received. Test data is used
to verify that the payroll program is working as
intended. The paymaster hands out cheques to make
certain that checks are being prepared for actual
individuals who work for the company. That is also
the case for following up on checks that are not claimed
at the appropriate time. The approval by the
supervisor is correct here because the supervisor is the
person most likely to know how many hours the
employee actually did work. That person is in a
position to verify that the number of hours listed is
correct.
CHAPTER 6:
SUBSTANTIVE TESTING PROCEDURES
AUDITING STANDARD REFERENCE(S):
PSA 500 - Audit Evidence
PSA 501 - Audit Evidence - Specific Considerations for Selected Items
PSA 505 - External Confirmations
PSA 520 - Analytical Procedures
PSA 540 (Revised) - Auditing Accounting Estimates, including Fair Value
Estimates and Related Disclosures
uct
The auditor performs substantive tests to decrease the amount of detection risk
to an acceptable low level after considering inherent risk and control risk.
Substantive Test
> Audit procedures designed to detect material misstatements at the
assertion level.
> Substantive procedures used by auditors could be either tests of details
or substantive analytical processes.
> The auditor's judgment on the expected effectiveness and efficiency of
the available audit procedures to reduce audit risk to an acceptable level
is used to determine which audit procedures to execute, including
whether to utilize substantive analytical processes.
> Placed to detect material peso/monetary errors or fraud. Gather evidence
in respect to all material classes of transactions, account balances, and
disclosures.
> Supports the validity of management's assertions regarding the financial
statements. Thus, substantive procedures are frequently referred to as
validation procedures because they provide evidence about the existence
of misstatement.
Substantive procedures are mandatory:
> Substantive procedures are required for all relevant assertions relating to
each material class of transactions, account balance, and disclosure,
regardless of the assessed risks of material misstatement. This
requirement reflects the fact that:
* Because the auditor's risk assessment is subjective, it may not
identify all risks of material misstatement.
* There are inherent limitations to internal control; and