Chapter 5 Flashcards

1
Q

How does COSO define Internal Control?

A

a process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance.

2
Q

Who is responsible for maintaining effective internal controls?

A

Management

3
Q

What is the auditor required to do in terms of the client’s internal controls?

A

Gain an understanding of the client’s internal controls related to financial reporting

4
Q

What is the purpose of the assessment of inherent risk for the auditor?

A

Gives the auditor a basis for planning the nature, timing, and the extent of substantive procedures (do the auditors want to rely on the controls?)

5
Q

What are substantive procedures?

A

Procedures to address detection risk

6
Q

Less Reliance on Internal Control (Higher CR, Lower DR)

Nature

A

More effective tests

7
Q

Less Reliance on Internal Control (Higher CR, Lower DR)

Timing

A

More testing at year-end

8
Q

Less Reliance on Internal Control (Higher CR, Lower DR)

Extent

A

More tests

9
Q

More Reliance on Internal Control (Lower CR, Higher DR)

Nature

A

Less effective tests

10
Q

More Reliance on Internal Control (Lower CR, Higher DR)

Timing

A

More testing at interim

11
Q

More Reliance on Internal Control (Lower CR, Higher DR)

Extent

A

Fewer tests

12
Q

If you gain an understanding that control risk is 50%, if you want to rely on that, you have to test the controls, to…

A

validate that the control risk really is 50%

13
Q

If my understanding is 50% control risk, but you don’t want to rely on that, you can…

A

assess control risk higher

14
Q

If my understanding is 50% control risk, but you start testing and they are failing…

A

Adjust risk lower

15
Q

What is COSO?

A

An internal control framework

It is NOT required by law, but the SEC noted it as a possible framework for use by companies to evaluate the effectiveness of internal controls over financial reporting

The only framework that the SEC said was appropriate to follow (Not actually required but many companies adopted because it was the only framework that the SEC “approved.”)

16
Q

What are the 3 types of internal control?

A
  1. Financial reporting
  2. Regulatory compliance
  3. Operations
17
Q

What are the five components of internal control?

A
  1. Control environment
  2. Risk assessment
  3. Control activities
  4. Communication
  5. Monitoring
18
Q

COSO defines internal control as the processes in place to provide reasonable assurance of:

A
  1. Reliability of financial reporting
  2. Compliance with laws and regulations
  3. Effectiveness and efficiency of operations
19
Q

Strictly speaking, external auditors focus on which of these?

  1. Reliability of financial reporting
  2. Compliance with laws and regulations
  3. Effectiveness and efficiency of operations
A

The first category of reasonable assurance

“Reliability of financial reporting”

20
Q

Audited pipeline company: chemicals/oil through pipe. Pipeline had a sensor – measured every mile (what was going through the pipe). Primary reason for the sensor: operations (efficiency, bandwidth, etc.); also used from a compliance perspective (if there is a leak – regulations); also related to revenue recognition. Auditors were concerned how well the sensors worked…

A

In the end, as an auditor you care about how controls relate to financial reporting – but that doesn’t mean that the controls won’t ever have other implications.

21
Q

What 5 principles relate to the control environment?

A

Principle 1: The organization demonstrates a commitment to integrity and ethical values.
Principle 2: The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.
Principle 3: Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.
Principle 4: The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.
Principle 5: The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives.

22
Q

Control Environment

A

Set of standards, processes, and structures that provide the basis for carrying out internal control across the organization.

Board of directors and senior management set the “tone at the top” of an organization, influencing the control consciousness of its people.

23
Q

What is the foundational component for COSO?

A

Control Environment

24
Q

Because control environment is the foundation for all other components, the auditor must…

A

obtain a detailed understanding of the control environment and document that understanding.

25
Q

Risk Assessment Principles

A

Principle 6: The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.
Principle 7: The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.
Principle 8: The organization considers the potential for fraud in assessing risks to the achievement of objectives.
Principle 9: The organization identifies and assesses changes that could significantly impact the system of internal control.

26
Q

COSO Risk Assessment

A

Management’s identification and analysis of relevant risks related to the achievement of its objectives.

27
Q

Is COSO Risk Assessment the same as the Auditor’s Risk Assessment?

A

NO!

28
Q

What does management look at during risk assessment?

A

What are my strategic goals?
What are risks in achieving these goals?

29
Q

Control Activity Principles

A

Principle 10: The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.
Principle 11: The organization selects and develops general control activities over technology to support the achievement of objectives.
Principle 12: The organization deploys control activities through policies that establish what is expected and procedures that put policies into action.

30
Q

What are control activities?

A

The policies and procedures that help ensure management directives are carried out

The “guts” of the internal control system

31
Q

When auditors get to control activities they have to…

A

map controls to an assertion

32
Q

What are examples of control activities?

A
  1. Segregation of duties (e.g., separating authorization, physical transfer, and recording)
  2. Approval and co-signing requirements
  3. Documentation trails and prenumbered sequence controls
  4. Restricted physical access
  5. Reconciliations and independent cross-checks
33
Q

What assertion is supported by the information processing control?

Purchase orders must be authorized by purchasing department before any purchase is made.

A

Occurrence

34
Q

What assertion is supported by the information processing control?

All invoices received from vendors for payment must be matched to receiving report and purchase order to ensure that the quantity billed agrees with the quantity ordered and received at previously agreed-upon prices.

A

Accuracy (valuation or allocation)

Completeness and existence deal with direction of things (should it be in the report and it isn’t? and vice versa)

“Agreeing quantity and amounts” – hard to find a direction… valuation

35
Q

What assertion is supported by the information processing control?

Prenumbered documents (checks, purchase orders, and receiving reports) must be used and accounted for to ensure that all transactions have been recorded.

A

Completeness

Checkbook, checks numbered sequentially… helps you see that everything’s been recorded

36
Q

Information and Communication Principles

A

Principle 13: The organization obtains or generates and uses relevant, quality information to support the functioning of internal control.
Principle 14: The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.
Principle 15: The organization communicates with external parties regarding matters affecting the functioning of internal control.

37
Q

Information and Communication

A

Controls related to how the organization communicates to support the proper functioning of internal controls.

This includes controls over the quality of the information used within communication.

38
Q

Can auditors rely on information produced by the company’s information system?

A

Auditors cannot blindly rely on information produced by the company’s information system.

39
Q

Monitoring Principles

A

Principle 16: The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.
Principle 17: The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.

40
Q

Monitoring

A

Management’s process that assesses the quality of the internal control’s performance over time

41
Q

Monitoring Examples

A

Periodic evaluation by internal audit
Supervisory review of controls
Follow-up of reporting errors
Follow up of customer complaints
Audit committee inquiries

42
Q

What is monitoring essentially?

A

Controls over controls

43
Q

Audit committee is typically considered part of the control environment; however, audit committee INQUIRIES are…

A

monitoring

44
Q

What are the limitations of internal control?

A

Human error
Collusion
Management override
Cost/benefit analysis

45
Q

Cost/benefit analysis of internal control

A

There is often a trade-off between the cost and the effectiveness of internal controls.

The concept of reasonable assurance recognizes that the cost of an entity’s internal control should not exceed the benefits that are expected to be derived.

46
Q

What type of controls are typically viewed to be more reliable?

A

Automated controls

47
Q

Management override

A

CFO should have access to override certain controls – enabled to commit fraud if she wanted to

48
Q

How do you develop an understanding of internal control?

A
  1. Evaluating the design of controls
  2. Determining if the controls have been implemented
49
Q

After auditors have developed an understanding of internal controls, what is the next step?

A

Document the understanding of internal control

50
Q

After documenting the understanding of internal control, what is the next question that should be considered by the auditor?

A

Does the auditor intend to rely on controls?

51
Q

If the auditor intends to rely on controls what is the path of the “reliance strategy”?

A
  1. Plan and perform tests of controls
  2. Set control risk based on tests of controls
  3. If the achieved level of control risk does NOT support the level of control risk, revise the planned level of substantive procedures, and then document the level of control risk.
  4. If the achieved level of control risk supports the level of control risk, document the level of control risk
  5. Perform the substantive procedures based on level of assessed control risk
52
Q

If the auditor intends to rely on controls what is the path of the “substantive strategy”?

A
  1. Set control risk at the maximum
  2. Document the level of control risk
  3. Perform substantive procedures based on level of assessed control risk
53
Q

Substantive Strategy

After obtaining an understanding of internal control, an auditor may choose to follow a substantive strategy and set control risk at high for some or all assertions because of one or all of the following factors:

A
  1. Controls do not pertain to an assertion
  2. Controls are likely to be assessed as ineffective
  3. Testing the effectiveness of controls is inefficient
54
Q

Reliance Strategy

After obtaining an understanding of internal control, an auditor may want to rely on a control to allow for an increased detection risk (i.e., to not have to gain as much assurance from substantive procedures).

A

If the auditor plans to rely on a control, they must assess control risk by testing the control to validate it is designed appropriately and operating effectively.

55
Q

Integrated Audit

A

the auditor provides an opinion on the effectiveness of a company’s internal controls AND on the fairness of a company’s financial statements

SOX requires this for some companies

56
Q

SOX Section 404a applies to…

A

all issuers (public companies)

57
Q

SOX section 404b applies to…

A

accelerated filers

58
Q

Who established the PCAOB?

A

SOX

59
Q

What does the PCAOB do?

A

Oversees public company auditors

60
Q

What does SOX 404a outline?

A

Management must…
1. report the results from its own tests of the company’s internal control over financial reporting (ICFR), identifying any deficiencies.
2. accept responsibility for internal controls
3. evaluate the effectiveness of ICFR using a suitable control criteria
4. support the evaluation with sufficient evidence, including documentation

61
Q

Where is management’s ICFR opinion included?

A

Its annual report (10-K)

62
Q

What kind of opinion is management’s opinion over the effectiveness of ICFR?

A

“As of” the fiscal year end

63
Q

What does SOX 404b outline?

A

ONLY applies to “accelerated filers”
Drawing on management’s findings and the auditor’s own tests, the external auditor must independently assess and report on the effectiveness of ICFR as of the fiscal year end. (integrated audit)

64
Q

Large Accelerated Filers

A

(>$700 million in market capitalization) have to file their annual report within 60 days of year-end

65
Q

Accelerated Filers

A

(>$75 million in market capitalization) have to file their annual report within 75 days of year-end

66
Q

Non-Accelerated Filers

A

(<$75 million in market capitalization) have to file their annual report within 90 days of year-end

67
Q

404b: What happens if the auditor finds a deficiency in ICFR? “All Deficiencies”

Discuss with management?
Report to audit committee?
Adverse external opinion on internal control?

A

Discuss with management: YES
Report to audit committee: NO
Adverse external opinion on internal control: NO

68
Q

404b: What happens if the auditor finds a deficiency in ICFR? “Significant Deficiencies”

Discuss with management?
Report to audit committee?
Adverse external opinion on internal control?

A

Discuss with management: YES
Report to audit committee: YES
Adverse external opinion on internal control: NO

69
Q

404b: What happens if the auditor finds a deficiency in ICFR? “Material Weakness”

Discuss with management?
Report to audit committee?
Adverse external opinion on internal control?

A

Discuss with management: YES
Report to audit committee: YES
Adverse external opinion on internal control: YES

70
Q

There are three levels of deficiencies, which is the most severe?

A

Material weakness
Adverse opinion and you must tell everyone

71
Q

Material Weakness

A

a deficiency, or a combination of deficiencies, in internal control over financial reporting, such that there is a reasonable possibility that a material misstatement of the company’s annual or interim financial statements will not be prevented or detected on a timely basis.

72
Q

Significant Deficiency

A

a deficiency, or a combination of deficiencies, in internal control over financial reporting that is less severe than a material weakness, yet important enough to merit attention by the audit committee.

73
Q

Deficiency

A

A deficiency in internal control over financial reporting exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements on a timely basis.

74
Q

Factors auditors use to distinguish a material weakness from a significant deficiency

A

Does the weakness involve the control environment?
Does the weakness repeat regularly?
What is the magnitude?
Does the weakness pertain to a complex and/or subjective process?
Does the weakness involve oversight processes?
Are there any compensating controls?
Has management taken actions to remediate the weakness?
Did the weakness result in an actual material error that had to be corrected?

75
Q

Remediation

A

Because ICFR opinions are as of the fiscal year-end, remediation may result in no need to disclose a material weakness.

76
Q

If the auditor detects material weaknesses in internal control as part of the interim audit procedures, the client can sometimes ____________ the problem and avoid negative reporting consequences.

A

remediate, or fix

77
Q

When must remediation be completed and tested before?

A

The balance sheet date (before year end)

78
Q

What are the 3 types of internal control opinions?

A
  1. Unqualified opinion
  2. Adverse opinion
  3. Scope limitation
79
Q

Unqualified opinion

A

The entity’s internal control is designed and operating effectively (no material weakness)

80
Q

Adverse Opinion

A

Required if material weakness is identified

81
Q

Scope Limitation

A

A serious scope limitation requires the auditor to disclaim an opinion

82
Q

Is there such a thing as a qualified internal control opinion?

A

NO!!

83
Q

What are the scope differences between an Integrated Audit (404b) and a Financial Statement Only Audit?

A

Integrated Audit (404b): Test each relevant control activity each year (all)

Financial Statement Audit: Test relevant control activities if relying on them

84
Q

What are the reporting differences between an Integrated Audit (404b) and a Financial Statement Only Audit?

A

Integrated Audit (404b): Opinion on the effectiveness of internal control

Financial Statement Audit: No opinion on internal control

85
Q

What are the timing differences between an Integrated Audit (404b) and a Financial Statement Only Audit?

A

Integrated Audit (404b): Evaluate effectiveness of internal control AS OF the fiscal year end (also need to evaluate throughout the year for the associated financial statement audit)

Financial Statement Audit: Evaluate effectiveness of internal control (where relying) throughout the fiscal year

86
Q

AICPA governs

A

Private companies

87
Q

AICPA rules relating to internal controls

A

Auditors must communicate known significant deficiencies and material weaknesses in internal control to management and to the entity’s governance body (e.g., audit committee, school board, etc.).

88
Q

Under AICPA rules is the auditor required to search for control deficiencies?

A

NO, but the auditor is required to evaluate and communicate deficiencies that have been identified over the normal course of an audit

89
Q

SOC 1

A

Report on Controls at a Service Organization Relevant to User Entities’ Internal Control over Financial Reporting (internal control over an outsourced service)

90
Q

What are the two types of SOC 1s?

A

Type 1: Only covers the design of ICFR at the service organization
Type 2: Covers the design AND effectiveness of ICFR at the service organization

91
Q

If the auditor detects a material weakness in internal control over financial reporting, does this imply material misstatements in account balances?

A

Not necessarily, but there is a reasonable possibility that there may be a material misstatement.

92
Q

If the auditor detects a material misstatement in an account balance, does this imply a material weakness in internal control over financial reporting?

A

Yes, because management didn’t catch it before the auditor. If you find the material misstatement, then you found the misstatement (you are past the threshold). Typically if you have a material misstatement it is almost always because you had an internal control issue.

93
Q

Why might disclosed material weaknesses almost always have a related material misstatement?

A

Market reacts negatively to material weaknesses. CEO argues that there is not a material weakness because of the “reasonable possibility.” Management and Auditor argue over when you are going to put your foot down and when you are not. It is a REALLY hard thing for an auditor to say there is a material weakness when there is not a related material misstatement.

94
Q

The integrated audit report for an accelerated filer must include…

A

the auditor’s opinion on the fair presentation of the financial statements as well as the auditor’s assessment of internal control over financial reporting.

95
Q

Can a company receive a clean opinion on its financial statements but an adverse opinion on internal controls?

A

Yes. The company can have bad controls and still have a clean opinion. The SEC requires “fairly presented” financial statements.

96
Q

Can an auditor of an accelerated filer assess CR at its maximum (e.g., 1)?

A

Yes, but they have to assess it as such… they can’t just set it as such