A3-7 Flashcards Preview

AUD BECKER MCQ > A3-7 > Flashcards

Flashcards in A3-7 Deck (57)
1

Which of the following procedures most likely would provide an auditor with evidence about whether an entity's internal control activities are suitably designed to prevent or detect material misstatements?

a.

Performing analytical procedures using data aggregated at a high level.

b.

Reperforming the activities for a sample of transactions.

c.

Vouching a sample of transactions directly related to the activities.

d.

Observing the entity's personnel applying the activities.

Choice "d" is correct. Observation and inspection may be used to evaluate the design of controls. Observation of entity personnel applying control activities is a procedure that would likely provide evidence about the design of the activities.

Choice "b" is incorrect. Reperforming control activities provides the auditor with evidence about the operating effectiveness of specific control activities, not the design effectiveness.

Choice "a" is incorrect. Analytical procedures would not provide the auditor with evidence about the design of specific control activities.

Choice "c" is incorrect. Vouching a sample of transactions directly related to control activities would not provide the auditor with evidence about the design of specific control activities.

2

Management philosophy and operating style most likely would have a significant influence on an entity's control environment when:

a.

Those charged with governance actively oversee the financial reporting process.

b.

Management is dominated by one individual.

c.

The internal auditor reports directly to management.

d.

Accurate management job descriptions delineate specific duties.

Choice "b" is correct. Management philosophy and operating style encompass a broad range of characteristics. Such characteristics may include the following: management's approach to taking and monitoring business risks, management's attitudes and actions toward financial reporting, and management's attitudes toward information processing and accounting functions and personnel. These characteristics are more likely to have a significant influence on the control environment when management is dominated by one individual, since there will be few alternative viewpoints presented.

Choice "c" is incorrect. The internal audit function is part of the monitoring component of internal control, not part of the control environment. If the internal auditor reports directly to management, this would reduce his or her objectivity and perhaps make the monitoring function less effective, but it would have minimal impact on the control environment. 

Choice "d" is incorrect. Accurate management job descriptions would not change the influence that management philosophy and operating style have on the entity's control environment.

Choice "a" is incorrect. The involvement of those charged with governance in the reporting process would tend to moderate or offset the influence that management philosophy and operating style have on the entity's control environment.

3

The overall attitude and awareness of those charged with governance (i.e., an entity's board of directors) concerning the importance of internal control usually is reflected in its:

a.

Computer-based controls.

b.

System of segregation of duties.

c.

Control environment.

d.

Safeguards over access to assets.

Choice "c" is correct. The control environment reflects the overall attitude, awareness and actions of those charged with governance (i.e., the board of directors, management, owners, and others) concerning the importance of control and its emphasis in the entity.

Choice "a" is incorrect. Computer-based controls are a control activity. The overall attitude and awareness of those charged with governance is not a control activity.

Choice "b" is incorrect. A system of segregation of duties is a control activity. The overall attitude and awareness of those charged with governance is not a control activity.

Choice "d" is incorrect. Safeguards over access to assets is a control activity. The overall attitude and awareness of those charged with governance is not a control activity.

4

In an audit of financial statements, an auditor's primary consideration regarding internal control is whether the control:

a.

Affects management's financial statement assertions.

b.

Provides adequate safeguards over access to assets.

c.

Enhances management's decision-making processes.

d.

Reflects management's philosophy and operating style.

Choice "a" is correct. Assessing control risk is the process of evaluating the effectiveness of an entity's internal control in preventing or detecting material misstatements in the financial statements.

Choice "d" is incorrect. Management's philosophy and operating style are considered a part of the control environment. They are not the primary consideration in evaluating internal control.

Choice "b" is incorrect. Providing adequate safeguards over access to assets is a type of control activity, but it is not the auditor's primary consideration regarding internal control.

Choice "c" is incorrect. Policies and procedures concerning the effectiveness, economy, and efficiency of certain management decision-making processes are not relevant to the auditor's consideration of internal control.

5

When obtaining an understanding of an entity's internal controls, an auditor should concentrate on the substance of the controls rather than their form because:

a.

The procedures may be so inappropriate that no reliance is contemplated by the auditor.

b.

Management may implement procedures whose costs exceed their benefits.

c.

Management may establish appropriate procedures but not enforce compliance with them.

d.

The procedures may be operating effectively but may not be documented.


Explanation

Choice "c" is correct. "Substance over form" concerns relate to controls that appear on the surface to exist but in reality are not operating effectively. When obtaining an understanding of a client's internal controls, an auditor should concentrate on the substance of controls rather than the form because even when appropriate procedures are established, management may not enforce compliance.

Choice "d" is incorrect. "Substance over form" concerns relate to controls that appear on the surface to exist but in reality are not operating effectively. Procedures that are operating effectively, even if they are not documented, do not illustrate this situation.

Choice "a" is incorrect. The auditor should first obtain an understanding of the controls in order to determine whether the controls are appropriate or inappropriate. The auditor would not focus at all on controls deemed to be inappropriate.

Choice "b" is incorrect. While the cost-benefit of internal control is of concern to management in the design of the system, it plays no role in the auditor's attempt to gain an understanding of internal controls.

6

When an auditor is to conduct an audit of a service organization, what considerations should the auditor make in the planning stages regarding internal controls of the organization?

a.

The auditor should obtain an understanding of the entity's internal controls after performing substantive procedures.

b.

The auditor should assess the control risk before obtaining an understanding of internal controls.

c.

The auditor should obtain an understanding of the effect of the user organization upon the service organization.

d.

The auditor should be engaged to perform agreed-upon procedures.

Choice "c" is correct. In some situations, the controls at a service organization are designed under the assumption that there will be certain complementary controls implemented by user organizations. These complementary controls should be included in the description of controls. The service auditor should obtain an understanding of such situations, in order to evaluate whether the complementary controls are necessary to achieve stated control objectives.

Choice "b" is incorrect. The auditor would need to understand controls before assessing their operating effectiveness.

Choice "a" is incorrect. Substantive procedures are not performed by a service auditor, who is either reporting on controls placed in operation, or on controls placed in operation and their operating effectiveness. Remember that a service auditor's engagement is not the same as an audit of financial statements.

Choice "d" is incorrect. Although a service auditor's engagement differs from an audit of financial statements, it is performed in accordance with the general standards as well as the relevant fieldwork and reporting standards. It is not considered to be an agreed-upon procedures engagement, as the auditor has not been engaged by the service organization to issue a report of findings based on specific, agreed-upon procedures.

7

Proper segregation of duties reduces the opportunities to allow any employee to be in a position to both:

a.

Monitor internal controls and evaluate whether the controls are operating as intended.

b.

Adopt new accounting pronouncements and authorize the recording of transactions.

c.

Journalize cash receipts and disbursements and prepare the financial statements.

d.

Record and conceal fraudulent transactions in the normal course of assigned tasks.

Choice "d" is correct. Proper segregation of duties reduces the opportunities for any individual to both perpetrate and conceal errors or fraud.

Choice "c" is incorrect. Proper segregation of duties typically involves assigning different people the responsibilities of authorizing transactions, recording transactions, and maintaining custody of the related assets. Since journalizing cash receipts and disbursements and preparing the financial statements are both recordkeeping functions, this would not be a violation of proper segregation of duties.

Choice "a" is incorrect. Monitoring internal controls and evaluating whether those controls are operating as intended would properly be performed by one person. Combining these functions does not violate the concept of proper segregation of duties, since it does not encompass an inappropriate combination of authorization, recordkeeping, and custodial functions.

Choice "b" is incorrect. Proper segregation of duties typically involves assigning different people the responsibilities of authorizing transactions, recording transactions, and maintaining custody of the related assets. Since adopting new accounting pronouncements and authorizing the recording of transactions are both authorization functions, this would not be a violation of proper segregation of duties.

8

Management's emphasis on meeting projected profit goals most likely would significantly influence an entity's control environment when:

a.

External policies established by parties outside the entity affect accounting policies.

b.

Internal auditors have direct access to the entity's board of directors.

c.

A significant portion of management compensation is represented by stock options.

d.

Those charged with governance are active in overseeing the entity's financial reporting policies.

Choice "c" is correct. Management's emphasis on meeting projected profit goals would significantly influence an entity's control environment when a significant portion of management compensation is represented by stock options, because management would then have a personal interest that might be at odds with accurate financial reporting.

Choice "b" is incorrect. An effective internal audit function would tend to moderate management's emphasis on meeting projected profit goals, and would therefore tend to dampen the effect on the control environment.

Choice "a" is incorrect. External policies established by outside parties would tend to moderate management's emphasis on meeting projected profit goals, and would therefore tend to dampen the effect on the control environment.

Choice "d" is incorrect. Active participation of those charged with governance would tend to moderate management's emphasis on meeting projected profit goals, and would therefore tend to dampen the effect on the control environment.

9

Which of the following components (elements) of an entity's internal control includes the development of personnel manuals documenting employee promotion and training policies?

a.

Information and communication system.

b.

Monitoring.

c.

Quality control system.

d.

Control environment.

Choice "d" is correct. The control environment element of an entity's internal control relates to the tone of the organization, which includes human resource policies and practices.

Choice "b" is incorrect. Monitoring activities assess the quality of internal control performance over time. 

Choice "a" is incorrect. The information and communication system relates to the identification, capture, and exchange of information.

Choice "c" is incorrect. A quality control system is not a component of an entity's internal control.

10

Which of the following statements about internal control is correct?

a.

The cost-benefit relationship is a primary criterion that should be considered in designing internal control.

b.

Properly maintained internal control reasonably ensures that collusion among employees cannot occur.

c.

Exceptionally strong internal control is enough for the auditor to eliminate substantive tests on a significant account balance.

d.

The establishment and maintenance of internal control is an important responsibility of the internal auditor.

Choice "a" is correct. The concept of reasonable assurance recognizes that the cost of an entity's internal control should not exceed the benefits that are expected to be derived. The cost-benefit relationship is a primary criterion that should be considered in designing internal control.

Choice "b" is incorrect. Even a properly maintained system of internal control is unable to reasonably ensure that collusion among employees cannot occur.

Choice "d" is incorrect. Establishing and maintaining internal control is the responsibility of management -- not the internal auditor.

Choice "c" is incorrect. An exceptionally strong internal control that has been tested and can be relied upon by the auditor will allow the auditor to reduce (but not eliminate) substantive tests on significant account balances.

11

An auditor uses the knowledge provided by the understanding of internal control and the final assessed risk of material misstatement primarily to determine the nature, timing, and extent of the:

a.

Attribute tests.

b.

Substantive tests.

c.

Tests of controls.

d.

Compliance tests.

Choice "b" is correct. An auditor uses the knowledge provided by the understanding of internal control and the final assessed risk of material misstatement primarily to determine the nature, timing, and extent of the substantive tests to be performed.

Choices "a", "d", and "c" are incorrect. Attribute tests, compliance tests, and tests of controls are all tests that assist the auditor in assessing control risk and determining the final assessed risk of material misstatement, not the other way around.

12

The ultimate purpose of assessing control risk is to contribute to the auditor's evaluation of the:

a.

Possibility that the nature and extent of substantive tests may be reduced.

b.

Factors that raise doubts about the auditability of the financial statements.

c.

Risk that material misstatements exist in the financial statements.

d.

Operating effectiveness of internal control activities.

Choice "c" is correct. The ultimate purpose of assessing control risk is to contribute to the auditor's evaluation of the risk that material misstatements exist in the financial statements.

Choice "b" is incorrect. Sometimes risk assessment procedures may raise doubts about the auditability of the financial statements, but this is not the ultimate purpose of assessing control risk.

Choice "d" is incorrect. The auditor is required to obtain knowledge about the operating effectiveness of internal controls, if his or her risk assessment is based on the effective operation of controls. Obtaining such knowledge, however, is not the ultimate purpose of assessing control risk.

Choice "a" is incorrect. Although the nature and extent of substantive tests may be reduced based on the results of the control risk assessment, this is not the ultimate purpose of assessing control risk.

13

In obtaining an understanding of an entity's internal control, an auditor is required to obtain knowledge about the:

~Operating effectiveness of controls
~Design of controls
a.

No

Yes

b.

Yes

No

c.

Yes

Yes

d.

No

No

Choice "a" is correct. No - Yes. In obtaining an understanding of an entity's internal control, an auditor is required to obtain knowledge about the design of controls and whether they have been implemented. The auditor is not required to obtain knowledge about the "operating effectiveness of controls" as part of obtaining an understanding of internal control.

Choices "c", "b", and "d" are incorrect, per the above explanation.

14

Internal control includes which of the following components:

~Control Environment

~Monitoring

~Information and Communication Systems

~Risk Assessment
a.

Yes

Yes

Yes

Yes

b.

No

Yes

No

No

c.

No

No

Yes

Yes

d.

Yes

No

No

Yes

Choice "a" is correct. Yes - Yes - Yes - Yes. In addition, "control activities" rounds out the five components of internal control.

Choices "d", "c", and "b" are incorrect, per the above.

15

The responsibility to establish, maintain and monitor internal controls is that of the entity's:

a.

Management.

b.

Internal auditor.

c.

External auditor.

d.

Accounting department.

Choice "a" is correct. The entity's management is responsible for establishing, maintaining, and monitoring the entity's internal controls, considering whether those controls are operating as intended, and modifying controls as conditions change.

Choice "d" is incorrect. The accounting department is not responsible for establishing, maintaining, and monitoring internal controls.

Choice "b" is incorrect. The internal auditors contribute to the monitoring of the entity's activities, but are not responsible for establishing or maintaining them.

Choice "c" is incorrect. The (external) auditor is required to obtain sufficient knowledge of internal control, but is not responsible for establishing, maintaining, and/or monitoring internal control.

16

Internal control is relevant to:

I.

An entire entity.

II.

An entity's operating units.

III.

An entity's business functions.

a.

I only.

b.

II only.

c.

I, II, and III.

d.

III only.

Choice "c" is correct. Internal control is relevant to the entity, its operating units, and its business functions.

Choices "a", "b", and "d" are incorrect. Internal control is relevant to all parts of the entity, although not all controls may be relevant to a financial statement audit.

17

Which of the following is necessary in a financial statement audit?

a.

An understanding of internal control relevant to each of an entity's business functions.

b.

An understanding of internal control relevant to an entity's compliance objective.

c.

An understanding of internal control relevant to each of an entity's operating units.

d.

An understanding of internal control relevant to an entity's financial reporting objective.

Choice "d" is correct. An understanding of internal control relevant to an entity's financial reporting objective is necessary as part of audit planning.

Choices "c" and "a" are incorrect. An understanding of internal control relevant to each of an entity's operating units and business functions may not always be necessary.

Choice "b" is incorrect. Not all compliance objectives are relevant to an audit, since some are not related to financial reporting.

18

Which of the following controls is least likely to be relevant to a financial statement audit?

a.

Use of computer passwords to limit access to data files.

b.

Policies that relate to compliance with income tax regulations.

c.

Procedures that prevent the excess use of materials in production.

d.

Generation of production statistics used to evaluate variances.

Choice "c" is correct. Procedures to reduce inefficiency on the production line relate to operational objectives, and not necessarily to financial reporting objectives.

Choices "b", "a", and "d" are incorrect. Compliance with income tax regulations, use of passwords to limit data access, and generation of reports to facilitate variance analysis are all important controls related to financial reporting.

19

An auditor's primary consideration in evaluating controls is whether specific controls:

a.

Reduce detection risk to a sufficiently low level.

b.

Affect financial statement assertions.

c.

Can be classified into one of the five internal control components.

d.

Improve the efficiency of the client's operations.

Choice "b" is correct. An auditor's primary consideration in evaluating controls is whether specific controls affect financial statement assertions, since ultimately the auditor must render an opinion on whether those assertions are fairly stated.

Choice "c" is incorrect. The five components of internal control provide a useful framework for the auditor to evaluate the impact of such controls on an audit, but such classification is not the auditor's primary consideration.

Choice "d" is incorrect. Although a proper system of internal control may improve the client's operational efficiency, it is not a primary consideration for the auditor.

Choice "a" is incorrect. The auditor controls detection risk by varying the nature, timing, and extent of substantive tests. Whether or not a proper system of controls is in place affects control risk, not detection risk.

20

If a budgetary reporting system provides adequate reports, but the reports are not analyzed and acted upon:

a.

The control has been implemented and is operating effectively.

b.

The control has been implemented but is not operating effectively.

c.

The control has not been implemented and is not operating effectively.

d.

The control has not been implemented but is operating effectively.

Choice "b" is correct. The fact that budgetary reports are being generated indicates that the control has been implemented. The control, however, does not provide any assurance regarding achievement of the entity's objectives, since the report is not being analyzed or acted upon. Accordingly, the control is not operating effectively.

Choices "a", "c", and "d" are incorrect. The control has been implemented but is not operating effectively per the explanation above.

21

In obtaining an understanding of a manufacturing entity's internal control concerning inventory balances, an auditor most likely would:

a.

Review the entity's descriptions of inventory controls.

b.

Analyze monthly production reports to identify variances and unusual transactions.

c.

Analyze inventory turnover statistics to identify slow-moving and obsolete items.

d.

Perform test counts of inventory during the entity's physical count.

Choice "a" is correct. In obtaining an understanding of a manufacturing entity's internal control concerning inventory balances, an auditor would most likely review the entity's descriptions of inventory controls.

Choice "d" is incorrect. Performing test counts of inventory during the entity's physical count is a substantive procedure performed after obtaining an understanding of internal control.

Choice "c" is incorrect. Analyzing inventory turnover statistics to identify slow-moving and obsolete items is a substantive procedure performed after obtaining an understanding of internal control.

Choice "b" is incorrect. Analyzing monthly production reports to identify variances and unusual transactions is a substantive procedure performed after obtaining an understanding of internal control.

22

Which of the following services performed by another entity would not be considered to be part of the client's information system?

a.

Initiation of the client's weekly payroll transactions by a payroll processing organization.

b.

Sale (specifically authorized by the client) of investment securities by an external broker.

c.

Processing of the client's accounting transactions by an electronic data processing service center.

d.

Preparation of the client's financial statements by an outside accounting organization.

Choice "b" is correct. Services performed by another organization are not considered to be part of the client's information system if the services provided are limited to executing transactions that are specifically authorized by the client.

Choice "c" is incorrect. A service organization's services are part of an entity's information system if they affect any of the following: How the entity's transactions are initiated; the accounting records, supporting information, and specific accounts in the financial statements involved in the processing and reporting of the entity's transactions; the accounting processing involved from the initiation of transactions to their inclusion in the financial statements, including electronic means used to transmit, process, maintain, and access information; and the financial reporting process used to prepare the entity's financial statements, including significant accounting estimates and disclosures.

Choice "d" is incorrect. As described more fully above, a service organization's services are part of an entity's information system if they affect the initiation, processing, or reporting of the entity's transactions.

Choice "a" is incorrect. As described more fully above, a service organization's services are part of an entity's information system if they affect the initiation, processing, or reporting of the entity's transactions.

23

Which of the following is an inherent limitation in internal control?

a.

Faulty human judgment.

b.

Lack of an audit committee.

c.

Lack of segregation of duties.

d.

Incompatible duties.


Explanation

Choice "a" is correct. Inherent limitations in internal control are limitations that exist despite implementation of appropriate controls. For example, faulty human judgment may result in errors in the design or use of internal controls.

Choice "d" is incorrect. Assigning incompatible duties to a particular individual indicates a missing control, rather than an inherent limitation in internal control.

Choice "c" is incorrect. Lack of segregation of duties indicates a missing control, rather than an inherent limitation in internal control.

Choice "b" is incorrect. Lack of an audit committee indicates a missing control, rather than an inherent limitation in internal control.

24

The ultimate purpose of assessing control risk is to contribute to the auditor's evaluation of the risk that:

a.

Specific internal control activities are not operating as designed.

b.

The collective effect of the control environment may not achieve the control objectives.

c.

Material misstatements may exist in the financial statements.

d.

Tests of controls may fail to identify activities relevant to assertions.

Choice "c" is correct. The auditor's ultimate purpose of assessing control risk is to evaluate the risk of financial statement misstatement.

Choice "a" is incorrect. The auditor's evaluation of whether or not specific internal control activities are operating as designed is part of his/her assessment of control risk; however, the ultimate purpose of making this assessment is to evaluate the risk of financial statement misstatement.

Choice "b" is incorrect. The auditor's evaluation of the collective effect of the control environment is part of his/her assessment of control risk; however, the ultimate purpose of making this assessment is to evaluate the risk of financial statement misstatement.

Choice "d" is incorrect. Tests of controls are not used to identify activities relevant to assertions. Tests of controls are used to evaluate the operating effectiveness of internal control in preventing or detecting material misstatements.

25

Which of the following represents an inherent limitation of internal controls?

a.

The CEO can request a check with no purchase order.

b.

Customer credit checks are not performed.

c.

Shipping documents are not matched to sales invoices.

d.

Bank reconciliations are not performed on a timely basis.

Choice "a" is correct. An inherent limitation of internal control exists when, although good controls are instituted, management can override those controls. When the CEO requests a check with no purchase order, this is an example of management override. 

Choice "d" is incorrect. An inherent limitation of internal control is a limitation that prevents seemingly good controls from working. Failure to institute proper controls, such as not requiring timely bank reconciliations, is not an inherent limitation of internal control. 

Choice "b" is incorrect. An inherent limitation of internal control is a limitation that prevents seemingly good controls from working. Failure to institute proper controls, such as not requiring customer credit checks, is not an inherent limitation of internal control. 

Choice "c" is incorrect. An inherent limitation of internal control is a limitation that prevents seemingly good controls from working. Failure to institute proper controls, such as not requiring matching of shipping documents and sales invoices, is not an inherent limitation of internal control.

26

Which of the following factors is most relevant when an auditor considers the client's organizational structure in the context of control risk?

a.

The suitability of the client's lines of reporting.

b.

Management's attitude toward information processing and accounting departments.

c.

Physical proximity of the accounting function to upper management.

d.

The organization's recruiting and hiring practices.

Choice "a" is correct. The suitability of the client's lines of reporting is an important part of the organizational structure, which in turn is a key component of the control environment. Since the control environment has a pervasive effect on the auditor's risk assessment, consideration of the suitability of the client's lines of reporting is quite relevant in evaluating control risk.

Choice "b" is incorrect. Management's attitude toward the information processing and accounting departments may have some impact on the auditor's assessment of control risk (especially if management tends to override controls), but it is not particularly relevant with respect to consideration of the client's organizational structure.

Choice "d" is incorrect. The organization's recruiting and hiring practices are not particularly relevant with respect to consideration of the client's organizational structure.

Choice "c" is incorrect. The physical proximity of the accounting function to upper management is not particularly relevant with respect to consideration of the client's organizational structure, especially since electronic communications are commonly used.

27

An auditor is auditing a mutual fund company that uses a transfer agent to handle accounting for shareholders. Which of the following actions by the auditor would be most efficient for obtaining information about the transfer agent's internal controls?

a.

Review prior-year workpapers to determine whether the number of transactions processed by the agent has materially increased.

b.

Perform an audit on the internal control function of the agent.

c.

Perform tests of controls on a sample of the audited firm's transactions through the agent.

d.

Review reports on internal control placed in operation and its operating effectiveness produced by the agent's own auditor.

Choice "d" is correct. Reports on internal control placed in operation and its operating effectiveness produced by the agent's own auditor would be an efficient means of obtaining information about the transfer agent's internal controls.

Choice "a" is incorrect. Whether or not the number of transactions processed by the agent has materially increased (or decreased) is not relevant to obtaining information about the transfer agent’s internal controls.

Choice "b" is incorrect. Although performing an audit on the internal control function of the transfer agent would provide information about the transfer agent's internal controls, this would not be as efficient as reviewing the reports from the agent’s own auditor.

Choice "c" is incorrect. Performing tests of controls on a sample of the audited firm's transactions through the transfer agent would provide some information about the transfer agent's internal controls, but this would not be as efficient as reviewing the reports from the agent’s own auditor.

28

Which of the following is an inherent limitation of internal controls?

a.

Employee peer review.

b.

Judgmental sampling.

c.

Segregation of duties.

d.

Collusion.

Choice "d" is correct. Inherent limitations of internal control include collusion, human error, and management override.

Choice "b" is incorrect. Sampling is used in most audit applications, since it is generally not feasible to examine 100% of a population, but this is not an inherent limitation of internal control.

Choice "c" is incorrect. Segregation of duties may be difficult to achieve in a small entity, and this can be viewed as an inherent limitation in internal control for such entities. However, this question does not mention the size of the entity, and generally speaking, segregation of duties is a control activity, not an inherent limitation of internal control.

Choice "a" is incorrect. Peer review is a form of monitoring, which is a control activity, not an inherent limitation of internal control.

29

An auditor should obtain sufficient knowledge of an entity's information system relevant to financial reporting to understand the:

a.

Policies used to detect the concealment of fraud.

b.

Procedures used to assure proper authorization of transactions.

c.

Safeguards used to limit access to computer facilities.

d.

Process used to prepare significant accounting estimates.

Choice "d" is correct. The auditor should obtain sufficient knowledge of the client's information system relevant to financial reporting to understand the types of transactions processed, and how the transactions are initiated, recorded and summarized. Included in the information system relevant to financial reporting is the preparation of significant accounting estimates.

Choice "c" is incorrect. An entity's information system supports the identification, capture, and exchange of information. Understanding the information system would not necessarily help the auditor to understand the safeguards used to limit access to computer facilities.

Choice "b" is incorrect. An entity's information system supports the identification, capture, and exchange of information. Understanding the information system would not necessarily help the auditor to understand the procedures used to assure proper authorization.

Choice "a" is incorrect. An entity's information system supports the identification, capture, and exchange of information. Understanding the information system would not necessarily help the auditor to understand the policies used to detect the concealment of fraud.

30

In obtaining an understanding of the entity and its environment, including its internal control, an auditor is required to obtain knowledge about the:

a.

Consistency with which the internal controls are currently being applied.

b.

Effectiveness of the internal controls that have been placed in operation.

c.

Design of relevant internal controls pertaining to financial reporting in each of the five internal control components.

d.

Controls related to each principal transaction class and account balance.

Choice "c" is correct. In every audit, the auditor should obtain a sufficient understanding of the design of relevant internal controls pertaining to financial reporting in each of the five internal control components.

Choice "b" is incorrect. The auditor is not required, as a part of obtaining an understanding of the entity and its environment (including its internal control), to determine whether internal controls are operating effectively.

Choice "a" is incorrect. The auditor is not required, as a part of obtaining an understanding of the entity and its environment (including its internal control), to determine the consistency with which a control is applied.

Choice "d" is incorrect. Audit planning does not require an understanding of the controls related to each account balance, transaction class, and disclosure component in the financial statements. For certain items, a primarily substantive approach may be used instead.

31

An auditor should obtain sufficient knowledge of an entity's information system relevant to financial reporting to understand the:

a.

Safeguards used to limit access to computer facilities.

b.

Policies used to detect the concealment of irregularities.

c.

Process used to prepare significant accounting estimates.

d.

Procedures used to assure proper authorization of transactions.

Choice "c" is correct. An auditor is responsible for evaluating the reasonableness of significant accounting estimates made by management. An entity's information system may affect the quality of such estimates and therefore should be considered by the auditor.

Choices "a", "d", and "b" are incorrect. Control activities such as those designed to limit access, ensure proper authorization, and discover fraud are not directly related to the information system relevant to financial reporting.

32

Which of the following types of evidence would an auditor most likely examine to determine whether internal controls are operating as designed?

a.

Client records documenting the use of EDP programs.

b.

Confirmations of receivables verifying account balances.

c.

Gross margin information regarding the client's industry.

d.

Anticipated results documented in budgets or forecasts.

Choice "a" is correct. Client records documenting the use of EDP programs would be a relevant item for an auditor to examine while determining if internal control is operating as designed.

Choice "c" is incorrect. Industry gross margin information is evidence an auditor would examine while performing analytical procedures. Analytical procedures may be used as substantive tests, since they deal with dollar amounts rather than controls.

Choice "b" is incorrect. Confirmation of receivables is evidence an auditor would examine while performing substantive tests, since they deal with dollar amounts rather than controls.

Choice "d" is incorrect. Budgets and forecasts are evidence an auditor would examine while performing analytical procedures (comparison of expected results to actual). Analytical procedures may be used as substantive tests, since they deal with dollar amounts rather than controls.

33

Which of the following are considered control environment factors?

~Detection risk
~Human resource policies and practices
a.

No

No

b.

Yes

Yes

c.

No

Yes

d.

Yes

No

Choice "c" is correct. The control environment represents the collective effect of various factors on establishing, enhancing, or mitigating the effectiveness of specific policies and procedures. Such factors include management's philosophy and operating style, the entity's organizational structure, the participation of those charged with governance, methods of assigning authority and responsibility, and human resource policies and practices.

Choices "b", "d", and "a" are incorrect, based on the above explanation.

34

In planning an audit, the auditor's knowledge about the design of relevant internal controls should be used to:

a.

Identify the types of potential misstatements that could occur.

b.

Document the assessed level of control risk.

c.

Determine whether controls have been circumvented by collusion.

d.

Assess the operational efficiency of internal control.

Choice "a" is correct. Knowledge about the design and implementation of relevant internal controls should be used to identify types of misstatements that could occur.

Choice "d" is incorrect. The operating efficiency of a control is not significant to the auditor; the auditor is concerned with operating effectiveness. Also, the auditor is not required to assess operating effectiveness during the planning stage of the audit.

Choice "c" is incorrect. Determining whether a control has been circumvented by collusion is not a normal part of the audit planning process.

Choice "b" is incorrect. Assessment of control risk (and documentation of that assessment) must be based on tests of controls, and not solely on knowledge about the design of controls.

35

An advantage of using systems flowcharts to document information about internal control instead of using internal control questionnaires is that systems flowcharts:

a.

Provide a visual depiction of client's activities.

b.

Identify internal control weaknesses more prominently.

c.

Indicate whether control activities are operating effectively.

d.

Reduce the need to observe client's employees performing routine tasks.

Choice "a" is correct. An advantage of using systems flowcharts to document internal information is that flowcharts provide a visual depiction of clients' activities.

Choice "b" is incorrect. Identification of internal control weaknesses requires the understanding, testing, and evaluation of controls. Either flowcharts or questionnaires can be used to obtain an understanding of internal control for this purpose.

Choice "c" is incorrect. Determining whether control activities are operating effectively requires tests of controls, and generally cannot be determined based on a flowchart or a questionnaire.

Choice "d" is incorrect. Observing tasks being performed (routine or otherwise) are tests of controls. The need to perform tests of controls is not affected by the form of audit documentation selected.

36

Which of the following factors is most likely to affect the extent of the documentation of the auditor's understanding of a client's system of internal controls?

a.

The degree to which the auditor intends to use internal audit personnel to perform substantive tests.

b.

The relationship between management, the board of directors, and external stakeholders.

c.

The degree to which information technology is used in the accounting function.

d.

The industry and the business and regulatory environments in which the client operates.

Choice "c" is correct. The more complex the IT system, the more extensive the documentation (such as flowcharts, narratives, questionnaires, decision tables, etc.). The less complex the IT system, more limited documentation, such as a memorandum, may be sufficient.

Choice "d" is incorrect. The industry and the business and regulatory environments in which the client operates are separate from a clients system of internal controls.

Choice "b" is incorrect. The relationship between management, the board of directors, and external stakeholders would be part of the auditor's general understanding of the entity and its environment and would not affect the extent of internal control documentation.

Choice "a" is incorrect. The degree to which the auditor intends to use internal audit personnel to perform substantive tests does not impact the documentation of the auditor's understanding of a client's system of internal controls.

37

Green, CPA, is auditing the financial statements of Ajax Co. Ajax uses the DP Service Center to process its payroll. DP's financial statements are audited by Blue, CPA, who recently issued a report on DP's policies and procedures regarding the processing of other entity's transactions. In considering whether Blue's report is satisfactory for Green's purposes, Green should:

a.

Assess control risk at the maximum level.

b.

Make inquiries concerning Blue's professional reputation.

c.

Perform tests of controls at the DP Service Center.

d.

Review the audit programs followed by Blue.

Choice "b" is correct. In considering whether the service auditor's (Blue, CPA) report is satisfactory for the user auditor (Green, CPA); the user auditor should make inquiries concerning the service auditor's reputation. 

Choice "a" is incorrect. Green would assess control risk only after considering the combined evidence provided by the service auditor's report and the user auditor's own procedures and other factors. The assessment of control risk is irrelevant in Green's consideration as to whether the service auditor's (Blue, CPA) report is satisfactory for Green. 

Choice "d" is incorrect. The user auditor (Green, CPA) has access to the report issued by the service auditor (Blue, CPA), but would not have access to the audit programs followed by the service auditor.

Choice "c" is incorrect. Green, CPA has been hired to audit the financial statements of Ajax Co. and therefore may test Ajax's controls. Green has not been hired to audit DP Service Center and therefore cannot test DP's controls. The only information Green has related to DP's controls is the report issued by Blue, CPA. In considering whether the service auditor's (Blue, CPA) report is satisfactory for the user auditor (Green, CPA); the user auditor should make inquiries concerning the service auditor's reputation.

38

Which of the following procedures is considered a test of controls?

a.

An auditor reviews the audit workpapers to ensure proper sign-off.

b.

An auditor reviews the entity's check register for unrecorded liabilities.

c.

An auditor evaluates whether a general journal entry was recorded at the proper amount.

d.

An auditor interviews and observes appropriate personnel to determine segregation of duties.

Choice "d" is correct. Interviewing and observing appropriate personnel to determine segregation of duties is a test of controls. Segregation of duties is a subcomponent of the control activities component of internal control.

Choice "b" is incorrect. An auditor's review of the entity's check register for unrecorded liabilities is a substantive test.

Choice "c" is incorrect. An auditor's evaluation as to whether a journal entry was recorded at the proper amount is a substantive test.

Choice "a" is incorrect. An auditor's review of the audit workpapers to ensure proper sign-off is not a test of the client's controls, but rather a procedure that provides quality control that the audit was adequately performed.

39

An auditor is concerned about a policy of management override as a limitation of internal control. Which of the following tests would best assess the validity of the auditor's concern?

a.

Matching purchase orders to accounts payable.

b.

Verifying that approved spending limits are not exceeded.

c.

Tracing sales orders to the revenue account.

d.

Reviewing minutes of board meetings.

Choice "b" is correct. If spending limits are exceeded, then this would be evidence that the spending limit control was violated and that management overrode internal control.

Choice "a" is incorrect. Matching purchase orders to accounts payable does not provide evidence regarding management override of internal control.

Choice "c" is incorrect. Tracing sales orders to the revenue account provides evidence concerning the completeness assertion of the revenue account and does not provide evidence of management override of internal control.

Choice "d" is incorrect. Reviewing minutes of board meetings provides information about major issues regarding the entity, such as mergers, but does not provide evidence regarding management override of internal control.

40

In which of the following circumstances would an auditor expect to find that an entity implemented automated controls to reduce risks of misstatement?

a.

When misstatements are difficult to define.

b.

When transactions are high-volume and recurring.

c.

When large, unusual, or nonrecurring transactions require judgment.

d.

When errors are difficult to predict.

Choice "b" is correct. Automated controls are more suitable than manual controls where transactions are high-volume and recurring.

Choice "d" is incorrect. Manual controls are more appropriate when errors are difficult to predict.

Choice "a" is incorrect. Manual controls are more appropriate when misstatements are difficult to define.

Choice "c" is incorrect. Manual controls are more appropriate when there are large, unusual, or nonrecurring transactions that require judgment.

41

An auditor has identified the controller's review of the bank reconciliation as a control to test. In connection with this test, the auditor interviews the controller to understand the specific data reviewed on the reconciliation. In addition, the auditor verifies that the bank reconciliation is properly prepared by the accountant and reviewed by the controller as evidenced by their respective sign-offs. Which of the following types of audit procedures do these actions illustrate?

a.

Observation and inspection of records.

b.

Confirmation and reperformance.

c.

Analytical procedures and reperformance.

d.

Inquiry and inspection of records.

Choice "d" is correct. The act of interviewing the controller and verifying the proper preparation of a bank reconciliation by reviewing the sign off is most closely related to the procedures of inquiry and inspection of records.

Choices "a", "b", and "c" are incorrect per the above explanation.

42

Which of the following is not a component of internal control?

a.

Control activities.

b.

Monitoring.

c.

Control environment.

d.

Inherent risk.

Choice "d" is correct. The five components of internal control are:

Control Environment: the overall tone of the organization.

Risk Assessment: management's identification of risk.

Information and Communication Systems: a means of recording transactions and communicating responsibilities.

Monitoring: assessment of internal control performance over time.

Existing Control Activities: control policies and procedures.

Choices "c", "a", and "b" are incorrect per the above explanation.

43

Each of the following types of controls is considered to be an entity-level control,except those:

a.

Regarding the company's annual stockholder meeting.

b.

Pertaining to the company's risk assessment process.

c.

Relating to the control environment.

d.

Addressing policies over significant risk management practices.

Choice "a" is correct. Entity level controls include controls related to the control environment, the risk assessment process, and the policies over risk management practices. Controls regarding the company's annual stockholder meeting are controls related to a specific event, rather than the entity as a whole.

Choices "c", "b", and "d" are incorrect, based on the above explanation.

44

When a service organization provides services that affect the initiation, execution, processing, or reporting of a user company's transactions, those services are:

a.

Considered to be part of the user company's control environment.

b.

Considered to be part of the user company's information system.

c.

Not considered to be part of the user company's internal control.

d.

Considered to be part of the user company's control activities.

 

Choice "b" is correct. When a service organization provides services that affect the initiation, execution, processing, or reporting of a user company's transactions, those services are considered to be part of the user company's information system.

Choices "a", "d", and "c" are incorrect per the above explanation.

45

An auditor determines that there is a high level of control risk surrounding the revenue cycle. Which situation is most likely to have given rise to this assessment?

a.

The sales manager does not enforce the client's stated policies regarding authorization and approval of sales transactions.

b.

The sales clerk is a newly hired, recent college graduate, with no previous experience in sales.

c.

A related party sale is identified which has not been properly disclosed in the financial statements.

d.

The auditor discovers a sale that was recorded in the current year although title did not pass until the subsequent year.

Choice "a" is correct. Management override of internal control policies and procedures might cause the auditor to assess control risk as high.

Choices "c" and "d" are incorrect. Identifying an omission or error in the financial statements would certainly cause the auditor to consider whether controls were operating effectively, but a single error alone is not likely to cause the auditor to assess control risk as high.

Choice "b" is incorrect. The sales clerk's inexperience alone is not likely to cause the auditor to assess control risk as high.

46

Which of the following is not a possible reason why a properly designed system of internal control may fail to prevent or detect fraud?

a.

Collusion by two or more individuals may be used to circumvent controls.

b.

Human error may result in an inappropriate application of controls.

c.

Inadequate segregation of duties may allow one person to both perpetrate and conceal fraudulent activity.

d.

Management may override controls through its attitude and actions.

Choice "c" is correct. Inadequate segregation of duties implies that the system of internal control was not properly designed.

Choice "a" is incorrect. Collusion can be used to circumvent properly designed controls.

Choice "b" is incorrect. Human error may result in an inappropriate application of properly designed controls.

Choice "d" is incorrect. Management's attitude and actions may result in the override of a properly designed system of internal control.

47

Obtaining an understanding of an internal control involves evaluating the design of the control and determining whether the control has been:

a.

Authorized.

b.

Tested.

c.

Implemented.

d.

Monitored.

Choice "c" is correct. When evaluating a client's internal controls, the auditor must first obtain an understanding of the design of the controls and then determine if the controls have been implemented.

Choice "a" is incorrect. It is assumed that the design of the internal control has been authorized by client management.

Choice "b" is incorrect. Testing internal controls is not part of the understanding phase of internal control.

Choice "d" is incorrect. Monitoring the ongoing effectiveness of internal controls is not part of the understanding phase of internal control and is the responsibility of client management.

48

Which of the following is the best way to compensate for the lack of adequate segregation of duties in a small organization?

a.

Replacing personnel every three or four years.

b.

Disclosing lack of segregation of duties to the external auditors during the annual review.

c.

Requiring accountants to pass a yearly background check.

d.

Allowing for greater management oversight of incompatible activities

Choice "d" is correct. The best compensating control for the lack of segregation of duties in smaller organizations is to have more management oversight of incompatible functions.

Choice "b" is incorrect. While disclosing the matter to external auditors is prudent, it does not help as a compensating control.

Choice "a" is incorrect. Replacing personnel every three to four years does not eliminate the lack of segregation of duties in smaller organizations because this is an ongoing issue.

Choice "c" is incorrect. Performing accountants' background checks does not help the lack of segregation of duties in smaller organizations.

49

Which of the following procedures should a user auditor include in the audit plan to create the most efficient audit when an audit client uses a service organization for several processes?

a.

Audit the service organization's controls, assess risk, and prepare the audit plan.

b.

Review the service auditor's report and outline the accounting system in a memo to the working papers.

c.

Audit the service organization's controls to test the work of the service auditor.

d.

Review the service auditor's report on controls placed in operation.

Choice "d" is correct. Reviewing the service auditor's report on controls placed in operation would be the most efficient procedure when an audit client uses a service organization for several processes.

Choice "b" is incorrect. Although the user auditor may review the service auditor's report and outline the accounting system in a memo to the working papers, this would not be as efficient as just reviewing the service auditor's report.

Choice "a" is incorrect. Although the user auditor may contact the service organization to request to audit the service organization's controls, this would not be as efficient as reviewing the service auditor's report.

Choice "c" is incorrect. While the user auditor may supplement his or her understanding of the service auditor's procedures and conclusions by discussing with the service auditor the scope and results of the service auditor's work, this would not be as efficient as just reviewing the service auditor's report.

50

Which of the following is a factor in the control environment?

a.

Segregation of duties.

b.

Information processing.

c.

Management's philosophy and operating style.

d.

Performance reviews.

Choice "c" is correct. The COSO framework for internal control consists of five interrelated components. Management's philosophy and operating style is a factor in the control environment. The control environment sets the tone of the organization and originates with management and those charged with governance.

Choice "a" is incorrect. Segregation of duties is a factor of control activities. Control activities is another component of the COSO framework, and consists of control policies and procedures.

Choice "b" is incorrect. Information processing is a factor of information and communication.

Choice "d" is incorrect. Performance reviews is a factor of control activities.

51

Which of the following items is an example of an inherent limitation in an internal control system?

a.

Understaffed internal audit functions.

b.

Ineffective board of directors.

c.

Segregation of employee duties.

d.

Human error in decision making.

Choice "d" is correct. Human error in decision making is an example of inherent limitation in an internal control system. Internal control, no matter how effective, has inherent limitations. Inherent limitations in internal control recognize the realities that human judgment in decision making can be faulty and that breakdowns in internal control can occur because of human error. These limitations in internal control prevent auditors from providing absolute assurance about an internal control system.

Choice "c" is incorrect. Segregation of duties is not an inherent limitation in an internal control system. For example, smaller entities often have fewer employees, which may limit the extent to which segregation of duties is practicable. However, for key areas, even in a very small entity, it can be practicable to implement some degree of segregation of duties or other form of unsophisticated but effective controls. In addition, in a small owner-managed entity, the owner-manager may be able to exercise more effective oversight than in a larger entity. This oversight may compensate for the generally more limited opportunities for segregation of duties.

Choice "b" is incorrect. An ineffective board of directors is not an inherent limitation of internal control. An ineffective board of directors can be remediated in various ways, such as by recruiting new directors or educating the board of directors on effective governance practices.

Choice "a" is incorrect. Understaffed internal audit functions are not an inherent limitation of internal control. Understaffed internal audit functions may be remediated by hiring more internal auditors.

52

Which of the following would an auditor most likely consider in evaluating the control environment of an audit client?

a.

Management reviews of monthly financial statements.

b.

Overall employee satisfaction with assigned duties.

c.

The number of CPAs in the accounting department.

d.

Management's operating style.

Choice "d" is correct. An auditor most likely would consider the management's operating style when evaluating the control environment of an audit client. The management's philosophy and operating style include the management's approach to taking and managing business risks, attitudes and actions toward financial reporting, and attitudes toward information processing and accounting functions and personnel.

Choice "b" is incorrect. Overall employee satisfaction is not likely to be considered in evaluating the control environment. Control environment focuses primarily on the governance and management functions.

Choice "c" is incorrect. The specific number of CPAs in the accounting department would most likely not be considered in evaluating the control environment. Control environment focuses primarily on the governance and management functions.

Choice "a" is incorrect. Management reviews of monthly financial statements would most likely be considered in evaluating control activities rather than control environment.

53

Which of the following is a component of internal control?

a.

Risk assessment.

b.

Operating effectiveness.

c.

Organizational structure.

d.

Financial reporting.

Choice "a" is correct. Risk assessment is a component of internal control. The other four components of internal control are control environment, information and communications systems, monitoring, and existing control activities.

Choice "d" is incorrect. Reliability of financial reporting is an entity objective, not a component of internal control. The components of internal control represent the means used by an entity to help achieve its objectives.

Choice "b" is incorrect. Effectiveness and efficiency of operations is an entity objective, not a component of internal control. The components of internal control represent the means used by an entity to help achieve its objectives.

Choice "c" is incorrect. Organizational structure is not a component of internal control. Internal control has five interrelated components: control environment, risk assessment, information and communication systems, monitoring, and existing control activities. Organizational structure is a factor of the control environment.

54

In order to obtain an initial understanding of internal control sufficient to assess the risk of material misstatement of the financial statements, an auditor would most likely perform which of the following procedures?

a.

Risk-assessment procedures to evaluate the design of relevant controls.

b.

Tests of key controls to determine whether they are effective.

c.

Expanded substantive testing to identify relevant controls.

d.

Analytical procedures to determine the need for specific controls.

Choice "a" is correct. An auditor would most likely perform risk-assessment procedures to evaluate the design of relevant controls when obtaining an initial understanding of internal control sufficient to assess the risk of material misstatement of the financial statements.

Choice "b" is incorrect. An auditor is not required to evaluate operating effectiveness as part of understanding internal control. Tests of controls are performed when the auditor's risk assessment is based on the assumption that controls are operating effectively or when substantive procedures alone are insufficient (e.g., when the entity makes extensive use of information technology).

Choice "c" is incorrect. Substantive testing is typically not utilized to identify relevant controls. Substantive testing is an audit procedure designed to detect material misstatements. Auditors typically will assess the risk of material misstatement, which includes obtaining an understanding of internal control, and then will determine the nature, extent, and timing of substantive procedures.

Choice "d" is incorrect. Analytical procedures typically do not help determine the need for specific controls. Procedures used to obtain an understanding of internal control sufficient to assess the risk of material misstatement include inquiry of entity personnel, observation of the application of controls, inspection of documents and reports, observation of the entity's premises and plant facilities, and walkthroughs.

55

Management's attitude toward aggressive financial reporting and its emphasis on meeting projected profit goals most likely would significantly influence an entity's control environment when:

a.

External policies established by parties outside the entity affect its accounting practices.

b.

Internal auditors have direct access to the board of directors and the entity's management.

c.

Those charged with governance are active in overseeing the entity's financial reporting policies.

d.

Management is dominated by one individual who is also a shareholder.

Choice "d" is correct. When management is dominated by one individual who is also a shareholder, there may be an opportunity for management to override control procedures.

Choice "a" is incorrect. Influence of external parties serves an oversight role that strengthens the control environment and minimizes the effect of management's attitude.

Choice "b" is incorrect. Existence of internal auditors with direct access to the board of directors strengthens the control environment and lessens the effect of management's attitude.

Choice "c" is incorrect. Active participation of those charged with governance serves an oversight role that strengthens the control environment and lessens the effect of management's attitude.

56

Which of the following statements is correct regarding internal control?

a.

A well-designed and operated internal control environment should detect collusion perpetrated by two people.

b.

Internal control is a necessary business function and should be designed and operated to detect all errors and fraud.

c.

A well-designed internal control environment ensures the achievement of an entity's control objectives.

d.

An inherent limitation to internal control is the fact that controls can be circumvented by management override.

Choice "d" is correct. Since management generally has the authority to implement and assign responsibilities under the internal controls, they will generally also have the ability to circumvent those internal controls. This is an inherent limitation of internal control.

Choice "c" is incorrect. Although the design of an internal control system is important, it needs to be paired with the proper implementation and monitoring, and even then cannot ensure that the entity's internal control objectives will be met.

Choice "a" is incorrect. Internal control structures generally rely in some manner on segregation of duties. Because of this, collusion by two or more people can generally destroy this segregation of duties and thus potentially cause circumvention of the internal controls that may not be immediately detected.

Choice "b" is incorrect. No internal control system can guarantee the detection of all errors and fraud. The purpose of an internal control system is to significantly reduce the likelihood that errors or fraud will be committed and go undetected.

57

The audit plan usually cannot be finalized until the:

a.

Consideration of the entity's internal control has been completed.

b.

Search for unrecorded liabilities has been performed and documented.

c.

Significant deficiencies in internal control have been communicated to those charged with governance.

d.

Representation letter has been signed by the client.

Choice "a" is correct. The auditor should obtain a sufficient understanding of the entity and its environment, including its internal control, to plan the audit of the entity's financial statements.

Choice "d" is incorrect. The representation letter is not obtained until the end of the audit.

Choice "c" is incorrect. Informing those charged with governance of significant deficiencies in internal control generally occurs during or at the completion of the audit. It is not required before completion of the audit plan.

Choice "b" is incorrect. The search for unrecorded liabilities typically takes places after year-end, while the audit plan is prepared during planning. Information obtained from the search is not needed to finalize the audit plan.