Chapter 12: Assessing Control Risk and Reporting on Internal Controls Flashcards

1
Q

When the auditor attempts to understand the operation of the accounting system by tracing a few transactions through the accounting system, the auditor is said to be

A) tracing.

B) vouching.

C) performing a walkthrough.

D) testing controls.

A

C) performing a walkthrough.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

For financial statement audits, auditors need to understand controls that are relevant to the audit in order to

A) identify and assess the risks of material misstatements.

B) perform preliminary analytical procedures.

C) detect fraud.

D) assess inherent risk.

A

A) identify and assess the risks of material misstatements.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

Narratives, flowcharts, and internal control questionnaires are three common methods of

A) testing the internal controls.

B) documenting the auditor’s understanding of internal controls.

C) designing the audit manual and procedures.

D) documenting the auditor’s understanding of a client’s organizational structure.

A

B) documenting the auditor’s understanding of internal controls.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

When dealing with the documentation of internal control,

A) in a narrative, most questions simply require a “yes” or “no” response.

B) questionnaires offer useful checklists to remind the auditor of the many different types of internal controls that should exist.

C) questionnaires and flowcharts should not be used together.

D) flowcharts fail to show the segregation of duties in the company.

A

B) questionnaires offer useful checklists to remind the auditor of the many different types of internal controls that should exist.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

Which type of evidence is notused by the auditor to obtain an understanding of the design and implementation of internal control?

A) inquiry

B) observation

C) confirmation

D) inspection

A

C) confirmation

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

Walkthroughs combine observation, inspection, and inquiry to assure that the controls designed by management have been implemented.

TRUE OR FALSE

A

TRUE

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

A narrative should describe the disposition of every document and record in the system.

TRUE OR FALSE

A

TRUE

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

Flowcharts are harder to read and update than narratives.

TRUE OR FALSE

A

FALSE

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

When documenting their understanding of a client’s internal controls, auditors are required to use narratives.

TRUE OR FALSE

A

FALSE

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

When making a preliminary assessment of control risk, the starting point for most auditors is

A) IT assessment controls.

B) assessment of entity level controls.

C) transaction-related controls.

D) fraud controls.

A

B) assessment of entity level controls.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

You are performing the audit of internal control for Clifton Company. Which of the following would represent a material weakness in internal control?

A) The company’s audit committee has experienced unusual turnover of members.

B) The company’s CFO was indicted for embezzling from the company.

C) Bank reconciliations are done monthly.

D) The CEO retired after twenty years of service to the company.

A

B) The company’s CFO was indicted for embezzling from the company.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

The employee in charge of authorizing credit to the company’s customers does notfully understand the concept of credit risk. This lack of knowledge would

A) constitute a deficiency in operation of internal controls.

B) constitute a deficiency in design of internal controls.

C) constitute a deficiency of management.

D) not constitute a deficiency.

A

A) constitute a deficiency in operation of internal controls.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

When assessing whether the financial statements are auditable, the auditor must consider

A) that the integrity of management and the adequacy of accounting records are the two primary factors determining auditability.

B) that the integrity of management and the adequacy of risk management are the two primary factors determining auditability.

C) that if all of the transaction information is available only in electronic form without a visible audit trail, the company cannot be audited.

D) the control risk before determining if the entity is auditable.

A

A) that the integrity of management and the adequacy of accounting records are the two primary factors determining auditability.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

Once auditors determine that entity level controls are designed and placed in the operation, they

A) make a preliminary assessment for each transaction-related audit objective for each major type of transaction.

B) make a preliminary assessment of control risk.

C) obtain an understanding of the design and implementation of internal control.

D) prepare audit documentation in order to express their opinion on the company’s internal control system.

A

A) make a preliminary assessment for each transaction-related audit objective for each major type of transaction.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

Which of the following is the correct definition of “control deficiency”?

A) A control deficiency exists if the design or operation of controls does not permit company personnel to prevent or detect misstatements on a timely basis.

B) A control deficiency exists if one or more deficiencies exist that adversely affect a company’s ability to prepare external financial statements reliably.

C) A control deficiency exists if the design or operation of controls results in a more than remote likelihood that controls will not prevent or detect misstatements.

D) A control deficiency exists if the design or operation of controls results in a more than probable likelihood that controls will prevent or detect misstatements.

A

A) A control deficiency exists if the design or operation of controls does not permit company personnel to prevent or detect misstatements on a timely basis.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

Which deficiency exists if a necessary control is missing or not properly implemented?

A) control

B) significant

C) design

D) operating

A

C) design

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
17
Q

The auditor should identify and include only ________ controls since they will be sufficient to achieve the transaction-related audit objectives and will also provide audit efficiency.

A) key

B) significant

C) material

D) compensating

A

A) key

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
18
Q

When identifying audit objectives and existing controls,

A) audit objectives are identified for classes of transactions, account balances, and presentation and disclosure.

B) the auditor identifies controls to satisfy each objective.

C) it is helpful for the auditor to use the five control activities as reminders of controls.

D) all of the above

A

D) all of the above

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
19
Q

A(n) ________ control is a control elsewhere in the system that offsets the absence of a key control.

A) significant

B) alternate

C) design

D) compensating

A

D) compensating

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
20
Q

A ________ exists if one or more control deficiencies exist that are less severe than a material weakness, but are important enough to merit attention by those responsible for oversight of the company’s financial reporting.

A) potential misstatement

B) significant weakness

C) significant deficiency

D) fraud symptom

A

C) significant deficiency

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
21
Q

A five-step approach can be used to identify deficiencies, significant deficiencies, and material weaknesses. The first step in this approach is

A) identify the absence of key controls.

B) consider the possibility of compensating controls.

C) determine potential misstatements that could result.

D) identify existing controls.

A

D) identify existing controls.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
22
Q

When assessing control risk,

A) many auditors use actuarial tables to assist in the control risk assessment process.

B) each control can be used to satisfy only one audit objective.

C) many auditors use a control risk matrix to assist in the control risk assessment process.

D) all controls, including key controls, should be considered.

A

C) many auditors use a control risk matrix to assist in the control risk assessment process.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
23
Q

When a compensating control exists, the absence of a key control

A) is no longer a concern because there is no longer a significant deficiency or material weakness.

B) is still a major concern to the auditor.

C) could cause a material loss, so it must be tested using substantive procedures.

D) is magnified and must be removed from the sampling process and examined in its entirety.

A

A) is no longer a concern because there is no longer a significant deficiency or material weakness.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
24
Q

The assessment of control risk is the measure of the auditor’s expectation that internal controls will prevent material misstatements from occurring or detect and correct them if they have occurred.

TRUE OR FALSE

A

TRUE

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
25
Q

Key controls are notsufficient to achieve the transaction-related audit objectives.

TRUE OR FALSE

A

FALSE

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
26
Q

A design deficiency exists if the person performing the control is notqualified.

TRUE OR FALSE

A

FALSE

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
27
Q

A significant internal control deficiency is always considered a material weakness.

TRUE OR FALSE

A

FALSE

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
28
Q

In some cases, management can correct deficiencies and material weaknesses before the auditor does significant testing, which may permit a reduction in control risk.

TRUE OR FALSE

A

TRUE

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
29
Q

If the results of tests of controls support the design and operations of controls as expected, the auditor uses ________ control risk as the preliminary assessment.

A) a lower

B) the same

C) a higher

D) either a lower or higher

A

B) the same

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
30
Q

An auditor is likely to use four types of procedures to support the operating effectiveness of internal controls. Which of the following would generally notbe used?

A) make inquiries of appropriate client personnel

B) examine documents, records, and reports

C) reperform client procedures

D) inspect design documents

A

D) inspect design documents

31
Q

Which of the following represents a correct statement regarding internal control testing?

A) When auditors plan to use evidence about the operating effectiveness of internal control contained in prior audits, auditing standards require tests of the controls’ effectiveness at least every other year.

B) The greater the risk, the less audit evidence the auditor should obtain that controls are operating effectively.

C) The auditor uses control risk assessment and results of tests of controls to determine planned detection risk and the related substantive tests for the financial statement audit.

D) Testing of internal controls can only be performed by the auditor at the end of the fiscal year.

A

C) The auditor uses control risk assessment and results of tests of controls to determine planned detection risk and the related substantive tests for the financial statement audit.

32
Q

An auditor traces the sales prices to the authorized price list in effect at the date of the transaction. Which of the following procedures has the auditor performed?

A) inquiry

B) observation

C) reperformance

D) examination

A

C) reperformance

33
Q

Tests of controls

A) are the procedures used to test the effectiveness of controls in support of a reduced assessed control risk.

B) are used to support the ending balances in the balance sheet and income statement accounts.

C) are performed at the end of the audit.

D) are designed to detect fraud.

A

A) are the procedures used to test the effectiveness of controls in support of a reduced assessed control risk.

34
Q

Which of the following is an accurate statement relating to the extent of procedures?

A) If an auditor wants a lower assessed control risk than the preliminary assessed control risk, the number of controls tested increases while the extent of the tests for each control decrease.

B) The extent of testing depends on the frequency of the operation of the controls.

C) All controls must be tested only at year-end.

D) The frequency of testing is the same for both manual and computer controls.

A

B) The extent of testing depends on the frequency of the operation of the controls.

35
Q

When testing manual or automated controls,

A) automated controls are always subject to random error or manipulation.

B) automated controls cannot be altered by making a change to the software application.

C) when there are effective general controls and automated application controls, the auditor will need to select a larger sample size of transactions to verify.

D) the extent of testing depends on whether it is a manual or automated control.

A

D) the extent of testing depends on whether it is a manual or automated control.

36
Q

Which of the following is true regarding the relationship between tests of controls and procedures to obtain an understanding?

A) In obtaining an understanding of internal control, the procedures to obtain an understanding are applied to all controls identified during that phase.

B) Tests of controls are applied only when the assessed control risk has not been satisfied by the procedures to obtain an understanding.

C) Procedures to obtain an understanding are performed only on one or a few transactions.

D) All of the above are correct.

A

D) All of the above are correct.

37
Q

When a client uses a service center for processing transactions,

A) the auditor can assume that the controls are adequate because it is an independent enterprise.

B) auditing standards require the auditor to test the service center’s controls if the service center application involves processing significant financial data.

C) and the user auditor decides to rely on the service auditor’s report, the user audit must make reference to the report of the service auditor in the opinion on the user organization’s financial statements.

D) none of the above

A

B) auditing standards require the auditor to test the service center’s controls if the service center application involves processing significant financial data.

38
Q

In evaluating the operational effectiveness of internal controls, the auditor is likely to use four types of audit procedures. List the procedures below.

A
  • Make inquiries of appropriate client personnel.
  • Examine documents, records, and reports.
  • Observe control-related activities.
  • Reperform client procedures.
39
Q

The procedures to obtain an understanding of internal control are only applied when the assessed control risk is high.

TRUE OR FALSE

A

FALSE

40
Q

Controls that are applied throughout the accounting period must be tested both at an interim date and then again on the balance sheet date.

TRUE OR FALSE

A

FALSE

41
Q

When there are a number of controls tested in prior audits that have notbeen changed, auditing standard require auditors to test some of those controls each year to ensure there is a rotation of controls testing throughout the three-year period.

TRUE OR FALSE

A

TRUE

42
Q

Which of the following is a correct statement?

A) The auditor uses the control risk assessment and results of tests of controls to determine planned detection risk.

B) The auditor links the inherent risk assessments to the balance-related audit objectives.

C) The audit risk model is used determine the level of audit risk.

D) All of the above are correct statements.

A

A) The auditor uses the control risk assessment and results of tests of controls to determine planned detection risk.

43
Q

The auditor assesses control risk for each related audit objective and supports control risk assessments with tests of controls.

TRUE OR FALSE

A

TRUE

44
Q

How must significant deficiencies and material weaknesses be communicated to those charged with governance?

A) Either oral or written communication is acceptable.

B) Oral communication is required.

C) Written communication is required.

D) Written communication is required for material weaknesses, but oral communication is allowed for significant deficiencies.

A

C) Written communication is required.

45
Q

Auditors often identify less significant internal control-related issues, as well as opportunities for the client to make operational improvements in the

A) adverse opinion.

B) Section 404 report.

C) management letter.

D) Type 1 report.

A

C) management letter.

46
Q

The auditor will issue an unqualified opinion on internal control over financial reporting when

A) there are no identified material weaknesses as of the end of the fiscal year.

B) there have been no restrictions on the scope of the auditor’s work.

C) both a and b

D) either a or b

A

C) both a and b

47
Q

What type of report is issued when one or more material internal control weaknesses exist?

A) unqualified opinion

B) disclaimer of opinion

C) adverse opinion

D) qualified opinion

A

C) adverse opinion

48
Q

Which of the following is true regarding the auditor’s opinion on the effectiveness of internal control?

A) The auditor is attesting to the effectiveness of internal controls as of the end of the fiscal year.

B) If the client remedies a material weakness before the end of the fiscal year, the auditor must still issue a qualified opinion or a disclaimer of opinion.

C) A scope limitation requires the auditor to issues an adverse opinion.

D) Section 404 requires that the auditor design the audit to detect all deficiencies in internal control.

A

A) The auditor is attesting to the effectiveness of internal controls as of the end of the fiscal year.

49
Q

When determining what type of report to issue on internal control under Section 404,

A) an adverse opinion on internal control must be given if any weaknesses in a key internal control is discovered.

B) a scope limitation requires the auditor to disclaim an opinion on internal controls.

C) if the auditor gives a qualified opinion on the financial statements, they must give a qualified opinion on internal controls.

D) a scope limitation requires the auditor to express a qualified opinion or a disclaimer of opinion on internal controls.

A

D) a scope limitation requires the auditor to express a qualified opinion or a disclaimer of opinion on internal controls.

50
Q

The scope of the auditor’s report on internal control is limited to obtaining reasonable assurance that significant weaknesses in internal control are identified.

TRUE OR FALSE

A

FALSE

51
Q

To issue an unqualified opinion on internal control over financial reporting, there must be no identified material weaknesses and no restrictions on the scope of the audit.

TRUE OR FALSE

A

TRUE

52
Q

It is generally possible for small companies to have all of the following exceptfor

A) adequate documents and records.

B) physical controls over assets.

C) competent, trustworthy personnel.

D) internal auditors.

A

D) internal auditors.

53
Q

The auditor designs and performs a combination of tests of controls and substantive procedures to obtain reasonable assurance that the financial statements are fairly stated when control risk

A) is assessed above the maximum.

B) is assessed below the maximum.

C) cannot be assessed.

D) none of the above

A

B) is assessed below the maximum.

54
Q

Which of the following may represent the biggest challenge smaller public companies and nonpublic companies face in implementing effective internal control?

A) a lack of competent, trustworthy personnel

B) no clear lines of authority

C) no adequate separation of duties

D) a lack of adequate documents and records

A

C) no adequate separation of duties

55
Q

Which of the following is most correct for audits of non-public companies?

A) An audit of internal control is required.

B) An audit of internal control is not required.

C) An audit of the design of internal controls is required.

D) An audit of the operational effectiveness of internal controls is required.

A

B) An audit of internal control is not required.

56
Q

If, when obtaining an understanding of control activities of a relatively small client, the auditor identified no control activities, the auditor would probably set a high assessment of control risk.

TRUE OR FALSE

A

TRUE

57
Q

The auditor obtains a sufficient understanding of internal control to assess the risk of material misstatement at the overall financial statement level and at the relevant assertion level.

TRUE OR FALSE

A

TRUE

58
Q

The procedures used to gain an understanding of internal control do notvary from client to client.

TRUE OR FALSE

A

FALSE

59
Q

In an audit of a nonpublic company, the less control risk there is, the smaller the amount of planned substantive evidence that is required.

TRUE OR FALSE

A

TRUE

60
Q

The assessment of control risk does notimpact the testing of controls.

TRUE OR FALSE

A

FALSE

61
Q

A company’s size should have no impact on the nature of internal control and the controls that are implemented.

TRUE OR FALSE

A

FALSE

62
Q

Control risk is generally set at minimum for most private companies.

TRUE OR FALSE

A

FALSE

63
Q

The auditor’s objective in determining whether the client’s computer program correctly processes valid and invalid transactions is accomplished through the

A) test data approach.

B) generalized audit software approach.

C) microcomputer-aided auditing approach.

D) generally accepted auditing standards.

A

A) test data approach.

64
Q

When using the test data approach,

A) auditors process test data supplied by the client.

B) auditors often obtain assistance from a computer audit specialist.

C) the tests must be performed at the end of the year.

D) the test data must remain in the client’s records.

A

B) auditors often obtain assistance from a computer audit specialist.

65
Q

Which of the following is notseen as an advantage to using generalized audit software (GAS)?

A) Auditors can learn the software in a short period of time.

B) It can be applied to a variety of clients after detailed customization.

C) It can be applied to a variety of clients with minimal adjustments to the software.

D) It greatly accelerates audit testing over manual procedures.

A

B) It can be applied to a variety of clients after detailed customization.

66
Q

When using the test data approach,

A) test data should include data that the client’s system should accept or reject.

B) application programs tested by the auditor’s test data must be different from those used by the client throughout the year.

C) select data may remain in the client system after testing.

D) None of the above statements is correct.

A

A) test data should include data that the client’s system should accept or reject.

67
Q

Auditing by testing automated internal controls and account balances electronically, generally because effective general controls exist, is known as

A) auditing through the computer.

B) auditing around the computer.

C) embedded audit module approach.

D) parallel simulation testing.

A

A) auditing through the computer.

68
Q

Which of the following computer-assisted auditing techniques inserts an audit module in the client’s application system to identify specific types of transactions?

A) parallel simulation testing

B) test data approach

C) embedded audit module

D) generalized audit software testing

A

C) embedded audit module

69
Q

Which of the following best describes the test data approach?

A) Auditors process their own test data using the client’s computer system and application program.

B) Auditors process their own test data using their own computers that simulate the client’s computer system.

C) Auditors use auditor-controlled software to do the same operations that the client’s software does, using the same data files.

D) Auditors use client-controlled software to do the same operations that the client’s software does, using auditor created data files.

A

A) Auditors process their own test data using the client’s computer system and application program.

70
Q

The embedded audit module approach requires the auditor to insert an audit module in the client’s application system to identify specific types of transactions.

TRUE OR FALSE

A

TRUE

71
Q

The objective of the test data approach is to determine whether the client’s computer programs can correctly process valid and invalid transactions.

TRUE OR FALSE

A

TRUE

72
Q

Parallel simulation is used primarily to test internal controls over the client’s IT systems, whereas the test data approach is used primarily for substantive testing.

TRUE OR FALSE

A

FALSE

73
Q

Generalized audit software is used to test automated controls.

TRUE OR FALSE

A

TRUE