Chapter 7

Question 1

What are internal controls defined as?

Answer 1

policies and procedures put in place by management to help the entity achieve objectives with regards too

Reliability of financial reporting
Effectiveness and efficiency of operations
Compliance with applicable laws and regulations

Question 2

If the auditor choses the combined audit strategy do they need to look into the internal controls?

Answer 2

Yes, regardless of the audit strategy auditors are required to obtain and document their understanding of the entity’s internal controls

Question 3

If the auditor choses the substantive audit strategy do they need to look into internal controls?

Answer 3

Yes, regardless of the audit strategy auditors are required to obtain and document their understanding of the entity’s internal controls

Question 4

Do internal controls provide an absolute assurance that FS are fairly stated?

Answer 4

No, but they provide a reasonable assurance (due to their inherent limitations)

Question 5

What are some of the inherent limitations internal controls include?

Answer 5

Human error & carelessness
Collusion by 2 or more to override circumvent control
Control within software being overridden or disabled
Unusual transactions fall outside of the entity’s control activities

Question 6

What are the levels that internal controls are broken down into?

Answer 6

Entity level controls - widespread and impacts all processes in the entity
Transaction level controls - only impact specific class of transactions

Question 7

What do entity level controls impact?

Answer 7

widespread and impacts all processes in the entity

Question 8

What do transaction level controls affect?

Answer 8

only impact specific class of transactions

Question 9

What are entity level controls often used for and not used for?

Answer 9

Entity level controls are typically used for auditors to gain an understanding and identify risks to assess RMM & fraud

Entity level controls are rarely tested

Question 10

What 5 components does entity-level controls consist of? (CRIME)

Answer 10

C - control environment
R - risk assessment process
I - information systems & communication
M - monitoring controls
E - existing control activities

Question 11

What does the control environment for entity-level controls?

Answer 11

sets the foundation for effective internal controls

Auditor assesses to see if there is a culture of integrity, ethical behaviour, and accountability

Question 12

What is the “risk assessment process” component of entity-level controls?

Answer 12

Responsible for identifying business risks that face the entity (

Helps auditor identify and assess RMM

Question 13

What is the “information systems & communication” component of entity-level controls?

Answer 13

Entity’s policies an procedures to capture, exchange and communicate information needed to conduct the entity’s operations

Auditors are most interested in systems and controls for FS preparation

Question 14

What is the “existing control activities” component of entity-level controls?

Answer 14

entity’s policies and procedures that help carry out management directives

ex: performance reviews, authorization controls, physical controls, segregation of incompatible duties

Question 15

What is the “monitoring controls” component of entity-level controls?

Answer 15

entities policies sand procedures to assess if controls are operating as intended and whether any changes are required

Question 16

Transaction level controls have two aspects to it, what are they?

Answer 16

Preventive controls - prevent errors (applied to individual transactions)
Detective controls - detect errors (applied after transactions have been processed)

Question 17

What are the types of controls that affect the processing of individual transactions? (MAID)

Answer 17

M - manual controls
A - automated controls
I - IT-department manual controls
D - IG general controls (ITGCs)

MAID - keeping transactions clean and under control

Question 18

What are manual controls? (processing individual transactions, MAID)

Answer 18

do not rely on the entities IT applications (review of bank reconciliation)

Question 19

What are automated controls? (processing individual transactions, MAID)

Answer 19

controls that rely on the entities IT applications (edit and sequence checks)

Question 20

What are IT department manual controls? (processing individual transactions, MAID)

Answer 20

manual controls that are dependent on the entity’s IT application for some part

ex: management relying on computer generated report to identify variances

Question 21

What are IT general controls (ITGCs)?
(processing individual transactions, MAID)

Answer 21

high level controls over an entity’s IT environment that help ensure the proper functioning of:
automated controls
IT dependent manual controls

Question 22

What must a auditor document & understand regardless of the audit plan?

Answer 22

The entity’s internal control regardless of whether they will be tested or not

Question 23

What do walkthroughs involve?

Answer 23

following a transaction through the entire cycle, from reporting to the general ledger and settlement

Question 24

What impacts the selecting and testing of controls?

Answer 24

Influenced by the frequency of control and level of assurance (limited or reasonable).

Auditors try to focus on testing key controls for each assertion that prevent/detect material misstatements

Question 25

What are techniques for testing controls? (4 - RIIO)

Answer 25

R - re-performance I - Inspection (physical evidence) I - inquiry O - observation

Question 26

What is the re-performance testing control technique? (RIIO)

Answer 26

auditor re-does the control to see if it works

Question 27

What is the inspection testing control technique? (RIIO)

Answer 27

Auditor checks documents for proof that the control was done

Question 28

What is the Inquiry testing control technique? (RIIO)

Answer 28

asks people how the control is done or monitored

Question 29

What is the observation testing control technique? (RIIO)

Answer 29

Auditor watches how the control is being performed in real time

Question 30

What is the most reliable form of evidence out of the testing control techniques? (RIIO)

Answer 30

Re-performance, as the auditor gets direct evidence to assess if a control is operating effectively

Question 31

How do auditors assess the results of testing the controls?

Answer 31

If the controls work as expected: auditor keeps original audit strategy If controls don't work as expected: auditor increases the control risk and do more substantive testing

Question 32

How does an auditor know whether to extend the testing of controls if deviations are identified?

Answer 32

Professional judgement

Question 33

How does documenting the testing process come into play, what must be followed?

Answer 33

The auditor needs to document the controls that are selected for testing, the tests performed, and the results of the tests (including deviations). Must be sufficient documentation to allow another auditor to review and re-perform the testing if necessary.

Question 34

What does the management letter contain?

Answer 34

Formally report internal control weaknesses Recommendations for fixing the issues Auditors now often report all weaknesses rather than only the significant ones Auditors follow up to check if previously reported weaknesses have been correceted