Ch 7 - internal controls

Question 1

Process, affected by the entity’s board of directors, management and other personnel designed to provide reasonable assurance regarding the achievement of objectives in the following categories

Answer 1

Internal controls

Question 2

A process designed by, or under the supervision of, the company’s principal executive and principal financial officers, or persons performing similar functions, and affected by the company’s board of directors, management, and other personnel, to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with GAAP

Answer 2

Internal Controls over Financial Reporting (ICFRs)

*related to the goal of reliable financial reporting

Question 3

Auditors are primarily concerned with…

Answer 3

Internal Controls Over Financial Reporting (ICFRs)

Question 4

An industry advocacy group that does a lot of things, including writing guidance for what makes for good controls.

Answer 4

COSO

Question 5

COSO 5-part framework:

Answer 5

1. Control environment
2. Management’s risk assessment
3. Accounting information system
4. Control activities
5. Monitoring

Question 6

Everything around the internal controls that influence their effectiveness (e.g., company culture, the competency of employees, etc.)

Answer 6

Control Environment

Question 7

Annual process where the client goes through and inventories their key risks, and the internal controls over them.

Answer 7

Management’s Risk Assessment

Question 8

The strength / quality of the system that houses the financial statements. This is particularly relevant to the goal of reliable financial reporting.

Answer 8

Accounting Information System

Question 9

The actual controls themselves, like approval requirements, locking up goods etc.

Answer 9

Control Activities

Question 10

Some sort of system for checking that the controls are “working properly”. This is often done with periodic testing by the client (often annually as part of Management’s Risk Assessment).

Answer 10

Monitoring

Question 11

3 Types of control activities:

Answer 11

ARC acronym:
1. Authorization
2. Recording
3. Custody (physical holding)

Question 12

T/F: no one person can be responsible for more than one ARC duty.

Answer 12

True; causes an issue of segregation of duties if one person has multiple of these as their responsibility

Question 13

T/F: The larger the firm, the harder it is going to be to fully separate the duties

Answer 13

False; smaller firms have a more difficult time separating duties because there are less employees, making smaller firms riskier

Question 14

Internal Controls break down for 2 reasons:

Answer 14

1. Collusion - Two or more people working together to circumvent controls
2. Management override of ICs - A manager has the authority/ability to do things normally disallowed by the internal controls (can do every duty)

Question 15

T/F: Control Risk is integral to understanding the Risk of Material Misstatement

Answer 15

True; inherent and control risks make up the total risk of material misstatement

Question 16

2 Audit procedures used to check if controls are implemented correctly:

Answer 16

1. Inquiries
2. Observation

Question 17

The control is being done all the time and people have not found a way of circumventing the control. Higher standard than implemented

Answer 17

Operating effectively

AICPA term

Question 18

The control is actually being done some of the time.

Answer 18

Implementation/ implemented

AICPA term

Question 19

Determining whether the company’s controls, if they are operated as prescribed by persons possessing the necessary authority and competence to perform the control effectively, satisfy the company’s control objectives and can effectively prevent or detect errors or fraud that could result in material misstatements in the financial statements

Answer 19

Design effectiveness

PCAOB term (more detailed than implemented)

Question 20

If Control Risk is medium or low, we can use this as a justification for less audit work later on. The phrase is known as…

Answer 20

“relying on the internal controls”

Question 21

If control risk is lower, detection risk is _______

Answer 21

higher

Question 22

If the auditor is going to rely on the Internal Controls, they must test them for…

Answer 22

Operating effectiveness

• control is operating as designed
• person performing the control has the authority and competence to

Question 23

3 Audit procedures used to test for operative effectiveness?

Answer 23

1. Inspections
2. Observations (thorough)
3. Reperformance

Question 24

T/F: Public Companies in the US must get an annual audit of Internal Controls which tests ICFRs for Operating Effectiveness.

Answer 24

True; required by SOX

Question 25

T/F: An integrated audit focuses on all ICFRs.

Answer 25

False; only focuses on material ICFRs

Question 26

2 Types of ICFR opinions:

Answer 26

1. Unqualified opinion: given if there are zero “Material Weaknesses in ICFRs” as of the end of the year. 2. Adverse opinion: given when there are one or more Material Weaknesses in ICFR as of the end of the year.

Question 27

A deficiency, or a combination of deficiencies, in internal control over financial reporting, such that there is a reasonable possibility that a material misstatement of the company's annual or interim financial statements will not be prevented or detected on a timely basis.

Answer 27

Material weakness

Question 28

T/F: Control Risk accounts for how the Controls functioned all year long, while ICFR opinion is only based on material weaknesses at the last day of the period.

Answer 28

True; companies can fix their ICFR opinion up until 12/31

Question 29

T/F: A client cannot get an unqualified opinion on ICFR if their control risk is high

Answer 29

False; control risk can be high even though the firm got an unqualified opinion

Question 30

T/F: The SEC will not allow a client to file an Adverse ICFR Opinion.

Answer 30

False; the SEC does allow adverse opinions for ICFRs

Question 31

The actual, unknown, risk that a material misstatement could occur in an assertion and will not be prevented or detected on a timely basis by an entity's ICs.

Answer 31

Actual Control Risk (ACR)

Question 32

Why is actual control risk unknown?

Answer 32

because the audit is based on a sample and never tests every instance of all ICs.

Question 33

The level of Control Risk the auditor is planning on using in their Audit Risk Model (to determine the nature, timing and extent of audit procedures) in the earliest stages of the audit.

Answer 33

Planned Assessed Level of Control Risk (PALCR)

Question 34

if PALCR = “lower than the maximum level”, that means...

Answer 34

the auditor is planning on “relying on Internal Controls” and, therefore, must test them for Operating Effectiveness.

Question 35

The level of Control Risk really used in the Audit Risk Model for determining the nature, timing and extent of Substantive Procedures.

Answer 35

Assessed Level of Control Risk (ALCR)

Question 36

If no tests of controls are performed, _______ MUST BE at the maximum level.

Answer 36

Assessed Level of Control Risk (ALCR)

Question 37

T/F: Frequently, the PALCR and ALCR are NOT the same

Answer 37

True

Question 38

If controls operate as effectively as expected, then PALCR = __________

Answer 38

ALCR

Question 39

A deficiency, or a combination of deficiencies, in internal control over financial reporting, that is less severe than a material weakness yet important enough to merit attention by those responsible for oversight of the company's financial reporting.

Answer 39

Significant deficiency

Question 40

Exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements on a timely basis.”

Answer 40

Deficiency (less than significant)