CHAPTER 1: AUDITING AND INTERNAL CONTROL Flashcards
(89 cards)
1
Q
Corporate management (including the CEO) must certify monthly and annually their organization’s internal controls over financial reporting
A
FALSE
2
Q
Both the SEC and the PCAOB require management to use the COBIT framework for assessing internal control adequacy.
A
FALSE
3
Q
Both the SEC and the PCAOB require management to use the COSO framework for assessing internal control adequacy.
A
FALSE
4
Q
A qualified opinion on management’s assessment of internal controls over the financial reporting system necessitates a qualified opinion on the financial statements?
A
FALSE
5
Q
The same internal control objectives apply to manual and computer-based information systems.
A
TRUE
6
Q
The external auditor is responsible for establishing and maintaining the internal control system.
A
FALSE
7
Q
Segregation of duties is an example of an internal control procedure.
A
TRUE
8
Q
Preventive controls are passive techniques designed to reduce fraud.
A
TRUE
9
Q
The Sarbanes-Oxley Act requires only that a firm keep good records.
A
FALSE
10
Q
A key modifying assumption in internal control is that the internal control system is the responsibility of management.
A
TRUE
11
Q
While the Sarbanes-Oxley Act prohibits auditors from providing non-accounting services to their audit clients, they are not prohibited from performing such services for non-audit clients or privately held companies.
A
TRUE
12
Q
The Sarbanes-Oxley Act requires the audit committee to hire and oversee the external auditors.
A
TRUE
13
Q
Section 404 requires that corporate management(including the CEO) certify their organization’s internal controls on a quarterly and annual basis.
A
FALSE
14
Q
Section 302 requires the management of public companies to assess and formally report on the effectiveness of their organization’s internal controls.
A
FALSE
15
Q
Application controls apply to a wide range of exposures that threaten the integrity of all programs processed within the computer environment.
A
FALSE
16
Q
IT auditing is a small part of most external and internal audits
A
FALSE
17
Q
Advisory services is an emerging field that goes beyond the auditor’s traditional attestation function
A
TRUE
18
Q
An IT auditor expresses an opinion on the fairness of the financial statements.
A
FALSE
19
Q
External auditing is an independent appraisal function established within an organization to examine and evaluate its activities as a service to the organization.
A
FALSE
20
Q
External auditors can cooperate with and use evidence gathered by internal audit departments that are organizationally independent and that report to the Audit Committee of the Board of Directors.
A
TRUE
21
Q
Tests of controls determine whether the data base contents fairly reflect the organization’s transactions.
A
FALSE
22
Q
Audit risk is the probability that the auditor will render an unqualified opinion on financial statements that are materially misstated.
A
TRUE
23
Q
A strong internal control system will reduce the amount of substantive testing that must be performed.
A
TRUE
24
Q
Substantive testing techniques provide information about the accuracy and completeness of an application’s processes.
A
FALSE
25
The concept of reasonable assurance suggests that?
a. the cost of an internal control should be less than the benefit it provides
b. a well-designed system of internal controls will detect all fraudulent activity
c. the objectives achieved by an internal control system vary depending on the data processing method
d. the effectiveness of internal controls is a function of the industry environment
a. the cost of an internal control should be less than the benefit it provides
26
Which of the following is not a limitation of the internal control system?
a. errors are made due to employee fatigue
b. fraud occurs because of collusion between two employees
c. the industry is inherently risky
d. management instructs the bookkeeper to make fraudulent journal entries
c. the industry is inherently risky
27
The most cost-effective type of internal control is
a. preventive control
b. accounting control
c. detective control
d. corrective control
a. preventive control
28
Which of the following is a preventive control?
a. credit check before approving a sale on account
b. bank reconciliation
c. physical inventory count
d. comparing the accounts receivable subsidiary ledger to the control account
a. credit check before approving a sale on account
29
A well-designed purchase order is an example of a?
a. preventive control
b. detective control
c. corrective control
d. none of the above
a. preventive control
30
A physical inventory count is an example of a
a. preventive control
b. detective control
c. corrective control
d. Feed-forward control
b. detective control
31
The bank reconciliation uncovered a transposition error in the books. This is an example of a?
a.preventive control
b.detective control
c. corrective control
d.none of the above
b.detective control
32
Which of the following is not an element of the internal control environment?
a. management philosophy and operating style
b. organizational structure of the firm
c. well-designed documents and records
d. the functioning of the board of directors and the audit committee
c. well-designed documents and records
33
Which of the following suggests a weakness in the internal control environment?
a. the firm has an up-to-date organizational chart
b. monthly reports comparing actual performance tobudget are distributed to managers
c. performance evaluations are prepared every three years
d. the audit committee meets quarterly with the external auditors
c. performance evaluations are prepared every three years
34
Which of the following indicates a strong internal control environment?
a. the internal audit group reports to the audit committee of the board of directors
b. there is no segregation of duties between organization functions
c. there are questions about the integrity of management
d. adverse business conditions exist in the industry
a. the internal audit group reports to the audit committee of the board of directors
35
According to COSO, an effective accounting system performs all of the following except?
a. identifies and records all valid financial transactions
b. records financial transactions in the appropriate accounting period
c. separates the duties of data entry and report generation
d. records all financial transactions promptly
c. separates the duties of data entry and report generation
36
Which of the following is the best reason to separate duties in a manual system?
a. to avoid collusion between the programmer and the computer operator
b. to ensure that supervision is not required
c. to prevent the record keeper from authorizing transactions
d. to enable the firm to function more efficiently
c. to prevent the record keeper from authorizing transactions
37
Which of the following is not an internal control procedure?
a. authorization
b. management’s operating style
c. independent verification
d. accounting records
b. management’s operating style
38
The decision to extend credit beyond the normal credit limit is an example of?
a.independent verification
b. authorization
c.segregation of functions
d.supervision
b. authorization
39
When duties cannot be segregated, the most important internal control procedure is?
a. supervision
b. independent verification
c. access controls
d. accounting records
a. supervision
40
An accounting system that maintains an adequate audit trail is implementing which internal control procedure?
a. access controls
b. segregation of functions
c. independent verification
d. accounting records
d. accounting records
41
The importance to the accounting profession of the Sarbanes-Oxely Act is that?
a. bribery will be eliminated
b. management will not override the company’s internal controls
c. management are required to certify their internalcontrol system
d. firms will not be exposed to lawsuits
c. management are required to certify their internalcontrol system
42
The board of directors consists entirely of personal friends of the chief executive officer. This indicates a weakness in?
a. the accounting system
b. the control environment
c. control procedures
d. this is not a weakness
b. the control environment
43
The office manager forgot to record in the accounting records the daily bank deposit. Which control procedure would most likely prevent or detect this error?
a. segregation of duties
b. independent verification
c. accounting records
d. supervision
b. independent verification
44
Control activities under SAS 109/COSO include?
a. IT Controls, preventative controls, and Corrective controls
b. physical controls, preventative controls, and corrective controls.
c. general controls, application controls, and physical controls.
d. transaction authorizations, segregation of duties, and risk assessment
c. general controls, application controls, and physical controls.
45
Internal control systems have limitations. These includeall of the following except?
a. possibility of honest error
b. circumvention
c. management override
d. stability of system
d. stability of system
46
Management can expect various benefits to follow from implementing a system of strong internal control. Which of the following benefits is least likely to occur?
a. reduced cost of an external audit.
b. prevents employee collusion to commit fraud.
c. availability of reliable data for decision-making purposes.
d. some assurance of compliance with the Foreign Corrupt Practices Act of 1977.e. some assurance that important documents and records are protected.
b. prevents employee collusion to commit fraud.
47
Which of the following situations is not a segregation ofduties violation?
a. The treasurer has the authority to sign checks but gives the signature block to the assistant treasurer to run the check-signing machine.
b. The warehouse clerk, who has the custodial responsibility over inventory in the warehouse, selects the vendor and authorizes purchases when inventories are low.
c. The sales manager has the responsibility to approve credit and the authority to write off accounts.
d. The department time clerk is given the undistributed payroll checks to mail to absent employees.
e. The accounting clerk who shares the record keeping responsibility for the accounts receivable subsidiary ledger performs the monthly reconciliation of the subsidiary ledger and the control account
b. The warehouse clerk, who has the custodial responsibility over inventory in the warehouse, selects the vendor and authorizes purchases when inventories are low.
48
Which concept is not an integral part of an audit?
a. evaluating internal controls
b. preparing financial statements
c. expressing an opinion
d. analyzing financial data
b. preparing financial statements
49
Which statement is not true?
a. Auditors must maintain independence.
b.IT auditors attest to the integrity of the computer system.
c.IT auditing is independent of the general financial audit.
d.IT auditing can be performed by both external and internal auditors.
c.IT auditing is independent of the general financial audit.
50
Typically, internal auditors perform all of the following tasks except?
a.IT audits
b. evaluation of operational efficiency
c. review of compliance with legal obligations
d. internal auditors perform all of the above task
d. internal auditors perform all of the above task
51
The fundamental difference between internal and external auditing is that?
a. internal auditors represent the interests of the organization and external auditors represent outsiders.
b. internal auditors perform IT audits and external auditors perform financial statement audits.
c. internal auditors focus on financial statement audits and external auditors focus on operational audits and financial statement audits.
d. external auditors assist internal auditors but internal auditors cannot assist external auditors.
a. internal auditors represent the interests of the organization and external auditors represent outsiders.
52
Internal auditors assist external auditors with financial audits to?
a. reduce audit fees
b. ensure independence
c. represent the interests of management
d. the statement is not true; internal auditors are not permitted to assist external auditors with financial audits.
a. reduce audit fees
53
Which statement is not correct?
a. Auditors gather evidence using tests of controls and substantive tests.
b. The most important element in determining the level of materiality is the mathematical formula.
c. Auditors express an opinion in their audit report.
d. Auditors compare evidence to established criteria.
b. The most important element in determining the level of materiality is the mathematical formula.
54
All of the following are steps in an IT audit except?
a. substantive testing
b. tests of controls
c. post-audit testing
d. audit planning
c. post-audit testing
55
When planning the audit, information is gathered by allof the following methods except?
a. completing questionnaires
b. interviewing management
c. observing activities
d. confirming accounts receivable
d. confirming accounts receivable
56
Substantive tests include?
a. examining the safety deposit box for stock certificates
b. reviewing systems documentation
c. completing questionnaires
d. observation
a. examining the safety deposit box for stock certificates
57
Tests of controls include?
a. confirming accounts receivable
b. counting inventory
c.completing questionnaires
d. counting cash
c.completing questionnaires
58
All of the following are components of audit risk except?
a. control risk
b. legal risk
c. detection risk
d. inherent risk
b. legal risk
59
Control risk is?
a. the probability that the auditor will render an unqualified opinion on financial statements that are materially misstated
b. associated with the unique characteristics of the business or industry of the client
c. the likelihood that the control structure is flawed because controls are either absent or inadequate to prevent or detect errors in the accounts
d. the risk that auditors are willing to take that errors not detected or prevented by the control structure will also not be detected by the auditor
c. the likelihood that the control structure is flawed because controls are either absent or inadequate to prevent or detect errors in the accounts
60
Which of the following is true?
a. In the CBIS environment, auditors gather evidence relating only to the contents of databases, not the reliability of the computer system.
b. Conducting an audit is a systematic and logical process that applies to all forms of information systems.
c. Substantive tests establish whether internal controls are functioning properly.
d. IT auditors prepare the audit report if the system is computerized
b. Conducting an audit is a systematic and logical process that applies to all forms of information systems.
61
Inherent risk?
a. exists because all control structures are flawed in some ways.
b. is the likelihood that material misstatements exist in the financial statements of the firm.
c. is associated with the unique characteristics of the business or industry of the client.
d. is the likelihood that the auditor will not find material misstatements.
c. is associated with the unique characteristics of the business or industry of the client.
62
Attestation services require all of the following except?
a. written assertions and a practitioner’s written report
b. the engagement is designed to conduct risk assessment of the client’s systems to verify their degree of SOX compliance
c. the formal establishment of measurements criteria
d. the engagement is limited to examination, review,and application of agreed-upon procedures
b. the engagement is designed to conduct risk assessment of the client’s systems to verify their degree of SOX compliance
63
The financial statements of an organization reflect a set of management assertions about the financial health of the business. All of the following describe types of assertions except?
a. that all of the assets and equities on the balance sheet exist
b. that all employees are properly trained to carry out their assigned duties
c. that all transactions on the income statement actually occurred
d. that all allocated amounts such as depreciation are calculated on a systematic and rational basis
b. that all employees are properly trained to carry out their assigned duties
64
Which of the following is NOT an implication of section 302 of the Sarbanes-Oxley Act?
a. Auditors must determine, whether changes in internal control has, or is likely to, materially affect internal control over financial reporting.
b. Auditors must interview management regarding significant changes in the design or operation of internal control that occurred since the last audit.
c. Corporate management (including the CEO) must certify monthly and annually their organization’s internal controls over financial reporting.
d. Management must disclose any material changes in the company’s internal controls that have occurred during the most recent fiscal quarter
c. Corporate management (including the CEO) must certify monthly and annually their organization’s internal controls over financial reporting.
65
List the four broad objectives of the internal control system?
safeguard assets
ensure the accuracy and reliability of accounting records
promote organizational efficiency
comply with management’s policies and procedures
66
Explain the purpose of the PCAOB.
The PCAOB is empowered to set auditing, quality control, and ethics standards; to inspect registered accounting firms; to conduct investigations; and to take disciplinary actions.
67
What are the five internal control components described in the COSO framework?
the control environment
risk assessment
information and communication
monitoring
control activities
68
What are management responsibilities under section 302 and 404?
Section 302 requires that corporate management(including the CEO) certify their organization’s internal controls on a quarterly and annual basis.
Section 404 requires the management of public companies to assess and formally report on the effectiveness of their organization’s internal controls.
69
authorizing a credit sale
Preventive
70
preparing a bank reconciliation
Detective
71
locking the warehouse
Preventive
72
preparing a trial balance
Detective
73
counting inventory
Detective
74
A clerk reorders 250 items when the inventory falls below 25 items. This is an example of?
General authorization
75
The internal audit department recalculates payroll for several employees each pay period. This is an example of?
Independent verification
76
Locking petty cash in a safe is an example of?
Access controls
77
Approving a price reduction because goods are damaged is an example of ?
Specific authorization
78
Using cameras to monitor the activities of cashiers is an example of ?
Supervision
79
Not permitting the computer programmer to enter the computer room is an example of?
Segregation of duties
80
Sequentially numbering all sales invoices is an example of?
Accounting records
81
Both the SEC and the PCAOB have expressed an opinion as which internal control framework an organization should use to comply with SOX legislation. Explain.
Both the SEC and PCAOB endorse the COSO framework but any framework can be used that encompasses all of the COSO’s general themes.
82
COSO identifies two broad groupings of information system controls. What are they?
General; Application
83
The Sarbanes-Oxley Act contains many sections. Which sections are the focus of this chapter?
The chapter concentrates on internal control and audit responsibilities pursuant to Sections 302 and404.
84
What are the objectives of application controls?
The objectives of application controls are to ensure the validity, completeness, and accuracy financial transactions.
85
Define general controls.
General controls apply to all systems. They are not application specific. General controls include controls over IT governance, the IT infrastructure, security and access to operating systems and databases, application acquisition and development, and program changes.
86
Discuss the key features of Section 302 of the Sarbanes-Oxley Act.
Section 302 requires corporate management(including the chief executive officer [CEO]) to certify financial and other information contained in the organization’s quarterly and annual reports. The rule also requires them to certify the internal controls over financial reporting. The certifying officers are required to have designed internal controls, or to have caused such controls to be designed, and to provide reasonable assurance as to the reliability of the financial reporting process. Furthermore, they must disclose any material changes in the company’s internal controls that have occurred during the most recent fiscal quarter
87
Explain the relationship between internal controls and substantive testing.
The stronger the internal controls, the less substantive testing must be performed.
88
Distinguish between errors and irregularities. Which do you think concern the auditors the most?
Errors are unintentional mistakes; while irregularities are intentional misrepresentations to perpetrate a fraud or mislead the users of financial statements.
Errors are a concern if they are numerous or sizable enough to cause the financial statements to be materially misstated. Processes which involve human actions will contain some amount of human error. Computer processes should only contain errors if the programs are erroneous, or if systems operating procedures are not being closely and competently followed.
Errors are typically much easier to uncover than misrepresentations, thus auditors typically are more concerned whether they have uncovered any and all irregularities
89
Distinguish between inherent risk and control risk. How do internal controls and detection risk fit in?
Inherent risk is associated with the unique characteristics of the business or industry of the client. Firms in declining industries are considered to have more inherent risk than firms in stable or thriving industries.
Control risk is the likelihood that the control structure is flawed because internal controls are either absent or inadequate to prevent or detect errors in the accounts.
Internal controls may be present in firms with inherent risk, yet the financial statements may be materially misstated due to circumstances outside the control of the firm, such as a customer with unpaid bills on the verge of bankruptcy.
Detection risk is the risk that auditors are willing to accept that errors are not detected or prevented by the control structure. Typically, detection risk will be lower for firms with higher inherent risk and control risk.
