Ch 10 - Internal Control, Control Risk and Section 404 Audits Flashcards Preview

Flashcards in Ch 10 - Internal Control, Control Risk and Section 404 Audits Deck (46):

a measure of the auditor's expectation that internal controls will neither prevent material misstatements from occurring nor detect and correct them if they have occurred; is assessed for each transaction-related audit objective in a cycle or class of transactions

Assessment of control risk


a control elsewhere in the system that offsets the absence of a key control

Compensating control


A cooperative effort among employees to steal assets or misstate records



Policies and procedures, in addition to those included in the other four components of internal control, that help ensure that necessary actions are taken to address risks in the achievement of the entity's objectives.

Control activities


What are the five control activities?


1) Adequate separation of duties
2) Proper authorization of transactions and activities
3) Adequate documents and records
4) Physical control over assets and records
5) Independent checks on performance


A deficiency in the design or operation of controls that does not permit company personnel to prevent or detect and correct misstatements on a timely basis.

Control deficiency


The actions, policies and procedures that reflect the overall attitudes of top management, directors, and owners of an entity about internal control and its importance to the entity.

Control environment


A methodology used to help the auditor assess control risk by matching key internal controls and internal control deficiencies with transaction-related audit objectives.

Control risk matrix


Controls that have a pervasive effect on the entity's system of internal control

Entity-level controls


A diagrammatic representation of the client's documents and records and the sequence in which they are processed.



company-wide policies for the approval of all transactions within stated limits.

General authorization


Internal control activities designed for the continuous internal verification of other controls.

Independent checks


the set of manual and/or computerized procedures that initiates, records, processes, and reports an entity's transactions and maintains accountability for the related assets.

Information and communication


a process designed to provide reasonable assurance regarding the achievement of management's objectives.

Internal control


a series of questions about the controls in each audit area used as a means of indicating to the auditor aspects of internal control that may be inadequate.

Internal control questionnaire


controls that are expected to have the greatest effect on meeting the transaction-related audit objectives

key controls


an optional letter written by the auditor to a client's management containing the auditor's recommendations for improving any aspect of the client's business.

management letter


a significant deficiency in internal control that, by itself, or in combination with other significant deficiencies, results in a reasonable possibility that a material misstatement of the financial statements will not be prevented or detected

material weakness


management's ongoing and periodic assessment of the quality of internal control performance to determine that controls are operating as intended and are modified when needed



a written description of a client's internal controls, including the origin, processing and disposition of documents and records, and the relevant control procedures.



procedures used by the auditor to gather evidence about the design and implementation of specific controls

procedures to obtain an understanding


management's identification and analysis of risks relevant to the preparation of financial statements in accordance with an applicable accounting framework

risk assessment


separation of the following activities in an organization:
(1) custody of the assets from accounting,
(2) authorization from custody of assets,
(3) operational responsibility from record keeping, and
(4) IT duties from outside users of IT

Separation of duties


one or more control deficiencies that are less severe than a material weakness, but important enough to merit attention by those responsible for oversight of the company's financial reporting

significant deficiency


risks the auditor believes require special audit consideration; the auditor is required to test the operating effectiveness of controls that mitigate these risks in the current year audit if control risk is to be assessed below the maximum

significant risks


case-by-case approval of transactions not covered by company-wide policies

specific authorization


audit procedures to test the operating effectiveness of controls in support of reduced assessed control risk

test of controls


the person(s) with responsibility for overseeing the strategic direction of the entity and its obligations related to the accountability of the entity, including overseeing the financial reporting and disclosure process

those charged with governance


the tracing of selected transactions through the accounting system to determine that controls are in place.



What are the typical three broad objectives of management in designing an effective control system?

(1) reliability of financial reporting,
(2) effectiveness and efficiency of operations, and
(3) compliance with applicable laws and regulations.


What does Section 404 of SOX require?

management to assess and report on the effectiveness of internal control over financial reporting.


What is COSO?

Committee of Sponsoring Organizations of the Treadway Commission Integrated Framework.

Most widely accepted internal control framework in the US


What are the five components COSO describes that management designs and implements to provide reasonable assurance?


1) Control environment
2) Risk assessment
3) Control activities
4) Information and communication
5) Monitoring


What are the four phases of assessing internal control?

1) Obtain and document understanding of internal control design and operation

2) Assess control risk

3) Design, perform, and evaluate tests of controls

4) Decide planned detection risk and substantive tests


What are three methods to document internal control?

1) narrative
2) flowchart
3) internal control questionnaire


What are five steps to identify deficiencies and weaknesses in internal control?

1) Identify existing controls
2) Identify the absence of key controls
3) Consider the possibility of compensating controls
4) Decide whether there is a significant deficiency or material weakness
5) Determine potential misstatements


The auditor must _____ significant deficiencies and material weaknesses in ________ to those charged with governance as soon as the auditor becomes aware of their existence.



Which of the following situations is not considered a scope limitation?

A. Management issues a partial representation.
B. Management issues a written representation covering all required statements.
C. Management refuses to furnish a written representation.
D. The auditor fails to obtain a written representation from management.

B. Management issues a written representation covering all required statements.


Which of the following represents the risk that the auditor expresses an inappropriate audit opinion when the financial statements are materially misstated, i.e., the financial statements are not presented fairly in conformity with the applicable financial reporting framework?

A. Inherent risk
B. Audit risk
C. Control risk
D. Detection risk

B. Audit risk


According to AS 16, the auditor should include which one of the following matters in the engagement letter?

A. Anticipated audit completion date
B. Expected audit opinion to be issued
C. Management's responsibilities
D. Prior year audit results

C. Management's responsibilities


If the auditor is unable to obtain appropriate written representation from management, the auditor should consider this a(n):

A. inherent risk.
B. internal control failure.
C. material weakness.
D. scope limitation.

D. scope limitation.


What strategy is best described as “relying on automated controls in future years, given that adequate general computer controls are maintained”?

A. Application control testing
B. AS 5
C. Benchmarking

C. Benchmarking


Which of the following is not a goal of a walkthrough?

A. Determine whether any control failures are assessed as a material weakness

B. Determine whether controls are designed effectively

C. Gain a deeper understanding of a transaction

D. Identify whether any necessary controls are missing

A. Determine whether any control failures are assessed as a material weakness


An auditor's report on the audit of internal control over financial reporting should state that it was conducted in accordance with the standards of the:

A. American Institute of Certified Public Accountants.

B. Financial Accounting Standards Board.

C. Public Company Accounting Oversight Board (United States).

D. Securities and Exchange Commission.

C. Public Company Accounting Oversight Board (United States).


When should the auditor issue a report disclaiming an opinion on internal control over financial reporting?

A. After completing the entire audit

B. As soon as a conclusion is reached that a scope limitation exists

C. At the normally scheduled audit completion date

D. Once the auditor has any indication that a scope limitation may exist

B. As soon as a conclusion is reached that a scope limitation exists


What are four types of procedures auditors are likely to use to support the operating effectiveness of internal controls?

1) Inquiries of client personnel
2) Examine documents, records, and reports
3) Observe control-related activities
4) Reperform client procedures