Chapter 5 -- Internal Control Concepts and Information Technology Flashcards by MARY SPURR

Section 5.1: Introduction to Internal Control

When are tests of controls performed?

The auditor’s assessment of RMM’s at the assertion level includes an expectation of the operating effectiveness of the controls.
or
Substantitive testing alone does not provide sufficient appropriate evidence at the relevant assertion level.

How well did you know this?

Not at all

Perfectly

Section 5.1: Introduction to Internal Control

What is the purpose of tests of control?

Tests of controls are designed to evaluation the operating effectiveness of controls in preventing, detecting and correcting material misstatements at the assertion level determined by management.

How well did you know this?

Not at all

Perfectly

Section 5.1: Introduction to Internal Control

What is the process an auditor would use to understand internal control?

Determine whether the relevant controls are capable of preventing, or detecting and correcting, material misstatements and have been implemented.
Assess the risks of material misstatement.
Design further audit procedures.
Evaluate the operating effectiveness of relevant controls.

How well did you know this?

Not at all

Perfectly

Section 5.1: Introduction to Internal Control

What are examples of inherent controls?

Cost contraints
Human Error
Management Override
Collusion

How well did you know this?

Not at all

Perfectly

Section 5.1: Introduction to Internal Control

What are some examples that would increase control risk?

New personnel
Rapid Growth
Corporate Restructurings

How well did you know this?

Not at all

Perfectly

Section 5.1: Introduction to Internal Control

What are some examples that would decrease control risk?

Segregation of duties
Physical controls

How well did you know this?

Not at all

Perfectly

Section 5.1: Introduction to Internal Control

What is one of the primary criteria in designing internal controls?

Cost-Benefit Relationship. The cost of internal control should not exceed its benefit.

How well did you know this?

Not at all

Perfectly

Section 5.1: Introduction to Internal Control

What are the components of internal control?

“CRIME”
Control Activities
Risk Management
Information Systems and Communication
Monitoring
Environment of controls

How well did you know this?

Not at all

Perfectly

Section 5.1: Introduction to Internal Control

Why would a substantive test not provide affirmative evidence of the effectiveness of monitoring controls?

Monitoring controls do not leave an audit trail about the effectiveness of the operation.
The ineffectiveness in the substantive test would not be discovered unless additional procedures were performed.
The records may also be accurate even though they are maintained by a person who performs incompatible functions.

How well did you know this?

Not at all

Perfectly

Section 5.2: Internal Control Components

What is included in the Control Activities component when part of internal control?

“The Activities of People Performing Is Always Special.”
Control activities are the policies and procedures that help ensure that management directives are carried out.
* Performance reviews that compare the actual performance with budgeted, or prior, performance.
* Physical controls
* Information processing
* Authorization
* Segregation of duties.

How well did you know this?

Not at all

Perfectly

Section 5.2: Internal Control Components

What is included in the Information Systems when part of internal control?

The accounting system
Automated or manual procedures
Procedures that are recorded to initiate, authorize, record, process and report transactions.
Maintain accountability

How well did you know this?

Not at all

Perfectly

Section 5.2: Internal Control Components

What is included in the Control Environment Component when part of internal control?

Control environment is the foundation for all other control components
“The Environment when People Integrate On Monday Again will be Chaotic Hell.”
* Participation of those charged with governance
* Integrity and ethical values
* Organizational structure
* Management’s philosophy and operating style
* Assignment of authority and responsibility
* Commitment to Competence
* Human resource policies and practices

How well did you know this?

Not at all

Perfectly

Section 5.2: Internal Control Components

What is included in the Risk Management Component when part of internal control?

The risk assessment process is the identification, analysis, and management of risks relevant to achievement of objectives.

Lines of reporting can have an impact on the ability of management and other employees to circumvent implemented controls.
Addressing policies over significant risk management practices.

How well did you know this?

Not at all

Perfectly

Section 5.2: Internal Control Components

What is included in the Monitoring Component when part of internal control?

Monitoring is management’s timely assessment of internal control and the taking of corrective action so that controls operate as intended and are modified for changes in conditions.

Ongoing activities built into normal recurring actions such as supervision, possibly combined with separate evaluations.
The actions of internal auditors
Consideration of communications from external parties.

How well did you know this?

Not at all

Perfectly

Section 5.2: Internal Control Components

What is the difference between Specific and General Transaction Authorization?

A specific transaction authorization pertains to a unique decision.
A general transaction authorization establishes criteria and authorizes the routine making of decisions subject to the criteria.

How well did you know this?

Not at all

Perfectly

Section 5.3: Understanding Internal Control

What is the logical order for an auditor to obtain internal control?

Understanding of internal control
Tests of controls determine the operating effectiveness of the controls
Substantive procedures for all relevant assertions.

How well did you know this?

Not at all

Perfectly

Section 5.3: Understanding Internal Control

What type of impact does the operating effectiveness of internal control have on an audit?

Operating effectiveness has an impact on the nature, timing and extent of the substantive procedures being performed.

How well did you know this?

Not at all

Perfectly

Section 5.3: Understanding Internal Control

What is the objective of an auditor understanding internal control?

Understanding of internal control to evaluate the design of relevant controls and determine if they have been implemented.
Knowledge about the design and implementation of relevant internal controls should be used to identify types of misstatements that could occur
The auditor is interested in the design of the control and whether the control has been placed into operation at the entity

Section 5.3: Understanding Internal Control

What is not included in an auditor’s understanding of an entity’s internal control?

The auditor is not attempting to determine whether the control is effective
The auditor’s understanding is not established to design risk assessment procedures
Analtyical procedures are not used to demonstrate an auditor’s understanding of the client’s internal control
The auditor does not search for significant deficiencies

Section 5.3: Understanding Internal Control

What are the steps in performing risk assessment procedures to evaluate the design of relevant controls and determine if they have been implemented?

Determine whether the relevant controls are capable of preventing, or detecting and correcting, material misstatements and have been implemented
Assess the risks of material misstatement
Design further audit procedures
Evaluate the operating effectiveness of relevant controls.

Section 5.3: Understanding Internal Control

What areas of an entity’s information system should an auditor should obtain an understanding of?

Class of significant transactions
Ways those transactions are initiated, authorized, recorded, processed, corrected, transferred to the general ledger and reported.
The accounting records, either manual or electronic
How non-transactional significant events and conditions are captured
The financial reporting process used to prepare the entity’s financial statements, which includes significant disclosures
Controls over journal entries

Section 5.3: Understanding Internal Control

Why is maintenance of a control relevant in auditing?

Maintenance of a control is relevant because it is needed to confirm that the control over the assertion is working.

Section 5.3: Understanding Internal Control

What is the purpose of an auditor understanding an entity’s information technology system?

An auditor requires an understanding of IT to
* Determine the effect of IT on the audit
* Understand IT controls
* Design and perform tests of IT controls and substantive procedures.

Section 5.3: Understanding Internal Control

What is the purpose of an auditor having to obtain an understanding of internal control?

The understanding of internal control is used to:
* Identify the types of potential misstatements
* Consider factors that affect the RMMs
* Design tests of controls if needed
* Design substantive procedures

# Section 5.3: Understanding Internal Control What should be included in the documentation for the understanding of an entity's internal control when performing an audit in accordance with GAAS?

* The understanding of the entity and its environment and the components of internal control * The sources of information regarding the understanding * The risk assessment procedures performed

# Section 5.3: Understanding Internal Control What should the auditor document?

* Discussions among the engagement team * The understanding of an entity's internal control * The risk assessments * Risks requiring special audit consideration

# Section 5.3: Understanding Internal Control Why does the form and extent of audit documenation vary?

The form and extent of the documentation may vary due to the: * Nature, size and complexity of the entity and its controls * The availability of information * The audit methods and technology used.

# Section 5.4: Flowcharting Why are flowcharts useful?

* Flowcharts are useful for systems development * For understanding, evaluating and documenting an entity's internal control

# Section 5.4: Flowcharting What is a systems flowchart?

A system flowchart is a diagram of the documents and procedures of the entity's accounting process of the client's organization.

# Section 5.5: Internal Control and Information Technology What are the three types of control totals?

* Record Counts: Record counts establish the number of source documents and reconcile it to the number of output records. * Financial (Amounts): Compute dollar or amount totals from source documents and reconciles the data with an output record. * Hash Totals: Numbers are added on input documents that are not normally added.

# Section 5.5: Internal Control and Information Technology What is a hash total?

A hash total is the total number of invoices processed. Example: Invoices 201, 202, 203 and 204 were processed. The hash total would be 810 (201+202+203+204)

# Section 5.5: Internal Control and Information Technology What difficulty could the auditor experience because electronic evidence may not be retrievable after a specific period?

The timing of control and substantive tests.

# Section 5.5: Internal Control and Information Technology What is the purpose of the computer exception report?

* The exception reporting system highlights abnormal conditions and allows the auditor to focus on problem areas. * Exception reports, also called error listings, suspense listings, and edit reports indicate the errors discovered by the controls. * They permit the auditor to evaluate the effectiveness with which errors are investigated and corrected and the corrected transactions resubmitted.

# Section 5.5: Internal Control and Information Technology What strategy would an auditor most likely consider in auditing an entity that processes most of its financial data only in electronic form?

Continuous monitoring and analysis of transaction processing with an embedded audit module.

# Section 5.5: Internal Control and Information Technology What are general controls?

* General controls are policies and procedures that relate to many applications * Support the effective functioning of application controls by helping to ensure the continued proper operation of information systems * Controls for documenting and approving programs and changes to programs

# Section 5.5: Internal Control and Information Technology What information systems are included in General Controls?

* Data center and network operations * Systems software acquisition and maintenance * Access security * Application system acquisition, development, and maintenance * Controls for documenting and approving programs and changes to programs.

# Section 5.5: Internal Control and Information Technology What types of controsl are included in General Controls?

* Controls for documenting and approving programs and changes to programs. * Controls over operations to ensure efficient and effective operations of the computer activity * The procedures for acquiring, developing, testing, documenting, and approving systems or programs and changes thereto * Controls over access to equipment and data files * Other data and procedural controls affecting overall computer operations.

# Section 5.5: Internal Control and Information Technology What is tagging and tracing?

* Tagging and tracing describes the selection of specific transactions to which an indicator is attached at input. * A computer trail of all relevant processing steps of these tagged transactions in the application system can be printed or stored in a computer file for auditor evaluation.

# Section 5.5: Internal Control and Information Technology What is the difference between computer processing and manual processing?

* Computer processing virtually eliminates the occurrence of computation errors that may occur during manually processing. * However, if the program contains an error, than all of the transactions will be incorrect.

# Section 5.5: Internal Control and Information Technology What are the various types of checks in input control of data processing?

* Field checks * Financial totals * Hash totals * Reasonableness * Limit or range checks * Record counts * Check digits * Sequence checks * Sign checks * Validity checks.

# Section 5.5: Internal Control and Information Technology What is a record count?

A record count establishes the number of source documents and reconciles it to the number of records. Example: Four invoices were processed, so the record count will be 4.

# Section 5.5: Internal Control and Information Technology What is a validity check?

Validity checks test identification numbers or transaction codes by comparison with items that already known to be correct or authorized.

# Section 5.5: Internal Control and Information Technology How much understanding should an auditor have regarding a client's computer system?

* The auditor should obtain a sufficient understanding. * The auditor should have the training and proficiency that are necessary to understand controls relevant to the computer system.