II. Internal Control - Concepts and Standards - Evaluating Internal Control

Question 1

What should the auditor do if Internal Controls are ineffective?

What happens if it was effective?

Answer 1

• the auditor would assess control risk at the maximum level and perform a wholly substantive approach.
• auditor should consider the possibility of assessing the control risk at less than the maximum level, which leads to considering any cost-benefit issues involved in adopting a reliant strategy.
  • If so the auditor would have to perform test of controls to evaluate the Operating Effectiveness of those Internal Controls

After, choose max or low level of control risk, the auditor would prepare a written “Audit Plan” to achieve an appropriate level of detection risk, while considering material misstatement = (IR + CR)

Question 2

Who is primarily responsible for the design and implementation of internal control?

Answer 2

The design and implementation of internal control is a management function (not the auditor’s responsibility!)

Note: Management makes the decision that effectively determines the effective or ineffectiveness of internal controls.

Question 3

What does “Reasonable Assurance” Recognizes?

Answer 3

“Cost-benefit” considerations,

Note: The Costs of the control policy should not outweigh the benefits from it.

• Mistakes may occur dues to misunderstandings, misjudgements, or fatigue
• Breakdowns occurs from collusion or management overrides of internal controls

Question 4

Assessing control risk at below the maximum level most likely would involve

Answer 4

Identifying specific internal control structure policies and procedures relevant to specific assertions.

Note: In order to assess control risk below maximum, the auditor must collect evidence to support the reduction. Collecting such evidence involves identifying specific internal controls relevant to specific assertions and then performing tests of controls to evaluate the effectiveness of the controls.

Question 5

Control risk should be assessed in terms of

Answer 5

Financial statement assertions.

Note: The auditor assesses control risk for the assertions present in the financial statements. Such assertions may be found in the account balance, transaction class, or disclosure components. Based on the understanding of internal control and the control risk assessments, the auditor determines the nature, timing, and extent of the auditing procedures to be performed.

Question 6

After obtaining an understanding of the internal control structure and assessing control risk of an entity, an auditor decided not to perform tests of controls.

The auditor most likely decided that

Answer 6

It would be inefficient to perform tests of controls that would result in a reduction in planned substantive tests.

Note: There is always a cost-benefit trade-off in testing controls. The auditor tests controls in order to rely on them and to reduce substantive testing. If testing controls won’t reduce substantive testing sufficiently (i.e., enough to offset the cost of testing controls), the auditor will opt not to test controls. In other words, it would be inefficient to perform the tests of controls.

Question 7

Which of the following statements about internal control structure is correct?

Answer 7

The cost-benefit relationship is a primary criterion that should be considered in designing an internal control structure.

Note: A primary criterion of any system of internal control is the cost-benefit relationship. The cost of an entity’s internal control should not exceed the benefits to be derived.

Question 8

What would be considered an inherent limitation of the potential effectiveness of an entity’s internal control structure?

Answer 8

These include:

The fallibility of human judgment and

performance and

the possibility of collusion or

management override.

Question 9

Which of the following auditor concerns could most likely be so serious that the auditor concludes that a financial statement audit cannot be conducted?

Answer 9

The integrity of the entity’s management is suspect.

Note: The auditor would decide that an audit could not be conducted if management integrity were questioned. “Management integrity” is such a critical component of an effective internal control environment that the suspected lack thereof would be cause for the auditor to withdraw from the engagement.

Question 10

After assessing control risk at below the maximum level, an auditor desires to seek a further reduction in the assessed level of control risk. At this time, the auditor would consider whether

Answer 10

Additional evidential matter sufficient to support a further reduction is likely to be available.

Note:

• If the auditor desires to further reduce the assessed level of control risk, he/she must first consider whether additional evidence will be available to support such a reduction.
• The auditor must also consider whether it would be efficient (cost-effective) to collect such evidence.​

Question 11

Which of the following statements is correct concerning an auditor’s assessment of control risk?

Answer 11

Assessing control risk may be performed concurrently during an audit with obtaining an understanding of the entity’s internal control structure.

Note: Understanding internal control and assessing control risk are steps that may be performed concurrently in an audit. The evidence collected to achieve one objective may also be used for the other objective.

For example, inquiries and information gathered about management’s use of budgets in order to understand the control environment may also be used as a test of control over the effectiveness and operation of the budgeting control.

Question 12

When assessing control risk at below the maximum level, an auditor is required to document the auditor’s understanding of the

I. Entity’s control activities that help ensure management directives are carried out.

II. Entity’s control environment factors that help the auditor plan the engagement.

Answer 12

Both I and II.

Control activities and control environmental factors are both components of the internal control system. As a result, they would both be documented.

Question 13

The _ultimate purpose of assessing control ris_k is to contribute to the auditor’s evaluation of the

Answer 13

Risk that material misstatements exist in the financial statements.

Note: Assessing control risk and inherent risk helps the auditor identify where misstatements might exist; the auditor then performs auditing procedures to detect those misstatements.​

Question 14

*** After obtaining an understanding of the internal control structure and assessing control risk, an auditor decided to perform tests of controls. The auditor most likely decided that

Answer 14

It would be efficient to perform tests of controls that would result in a reduction in planned substantive tests.

Note:

• if it is believed that such performance will result in a reduction in planned substantive tests.
• If the performance of tests of controls would not result in a reduction in substantive testing,
  
  • completing tests of controls would be inefficient and therefore should not be performed.
• If there were a lot of internal control weakness the auditor would not perform more test of controls
• Additional evidence is needed to support further reduction in control risk

Question 15

What are some facts on control risks?

Answer 15

• Assessing control risk and obtaining an understanding of an entity’s internal control structure may be performed concurrently.
• When control risk is at the maximum level, an auditor is required to document the basis for that assessment.
• Substantive testing cannot be eliminated through a lowered assessment of control risk. The auditor must perform substantive tests for significant account balances and transaction classes.
• When assessing control risk, the auditor may consider evidence obtained in prior audits about the operation of controls.
  
  • In evaluating the use of such evidence, the auditor should consider the significance of the assertion involved, the specific controls evaluated previously, the degree to which the effective design and operation of those controls were evaluated, the results of previous tests of controls, and other evidential matter obtained about controls during the audit.

Question 16

An auditor is evaluating a client’s internal controls. Which of the following situations would be the most difficult internal control issue for an auditor to detect?

Answer 16

An intentional circumvention of controls associated with collusion involving employees in different departments would be particularly difficult to detect.

Question 17

The auditor should perform tests of controls of

Answer 17

tests of controls are only performed on controls that the auditor plans to consider is assessing the risk of material misstatement.

Note:

Performance of tests of controls on these controls may reduce the scope of substantive procedures needed.

Question 18

Types of test of controls:

Answer 18

• An auditor interviews and observes appropriate personnel to determine segregation of duties.
• Examine signatures on checks.
• Records documenting usage of computer programs.
• Canceled supporting documents.
• Signatures on authorization forms.

Question 19

statements about internal control:

Answer 19

• No one person should be responsible for the custodial responsibility and the recording responsibility for an asset.
• Transactions must be properly authorized before such transactions are processed.
• Because of the cost/benefit relationship, a client may apply controls on a test basis.

Question 20

What is always required on a particular audit of a nonissuer (nonpublic) company

Answer 20

Risk assessment procedures.

Substantive procedures.

Analytical procedures.

Note:

Tests of controls are only required when the auditor relies on the controls or substantive tests alone are not sufficient to audit particular assertions.

Question 21

Control risk should be assessed in terms of

Answer 21

Financial statement assertions.

Question 22

In obtaining an understanding of an entity’s internal control, an auditor is required to obtain knowledge about the

Operating effectiveness
of controls

Design of
controls

Answer 22

No

Yes

Note:

the auditor should perform procedures to provide sufficient knowledge of the design of the relevant controls and whether they have been implemented. Information on operating effectiveness need not be obtained unless control risk is to be assessed at a level below the maximum.

Question 23

Concerning current audit use of audit evidence about the operating effectiveness of controls obtained in prior year audits, the auditor generally may

Answer 23

Use such evidence, but should test related controls at least every third year.

Note:

professional standards allow use of such evidence if the related controls are tested at least every third year.

Question 24

For certain controls, such as segregation of duties, documentary evidence may not exist. An auditor would most likely test the procedures by

Answer 24

Observation and inquiry.

Note:

auditing procedures suggests that when no audit trail exists an auditor should use the observation and inquiry techniques.

Question 25

When an auditor discovered that certain control activities were ineffective, the auditor most likely would increase the

Answer 25

Extent of tests of details.

note:

an increase in the extent of tests of details (a type of substantive test) will decrease detection risk, which is appropriate because of the increase in control risk.

Question 26

Least likely to be considered by an auditor considering engagement of an information technology (IT) specialist on an audit?

Answer 26

Requirements to assess going concern status.

Note:

Assess going concern status remains the same on all audits, and thus does not directly affect engagement of an IT specialist.

Question 27

An auditor is concerned about a policy of management override as a limitation of internal control. Which of the following tests would best assess the validity of the auditor’s concern?

Answer 27

Verifying that approved spending limits are not exceeded.

Note:

management override often evidences itself through exceeding approved spending limits—thus, finding that those limits have not been exceeded provides some evidence that at least that form of management override did not occur.

Question 28

In assessing control risk, an auditor ordinarily selects from a variety of techniques, including

Answer 28

Tests of controls directed toward effectiveness or operation of a control would ordinarily include inquiries, inspections of documents, observation, and reperformance of the application of a control. Thus, both reperformance and observation are used by an auditor to assess control risk.

Question 29

After obtaining an understanding of internal control and assessing control risk of an entity, an auditor decided not to perform tests of controls. The auditor most likely decided that

Answer 29

It would be inefficient to perform tests of controls that would result in a reduction in planned substantive tests.

Question 30

An auditor assesses control risk because it

Answer 30

Affects the level of detection risk that the auditor may accept.

note:

An auditor uses the assessed levels of control and inherent risk to establish the level of detection risk that the auditor may accept.

Question 31

Which of the following statements best describes why an auditor would use only substantive procedures to evaluate specific relevant assertion and risks?

Answer 31

Testing the operating effectiveness of the relevant controls would not be efficient.

Note:

auditors attempt to perform the audit in a cost-effective manner, and when the use of tests of controls to address operating effectiveness is not efficient, such procedures will not be performed.

Question 32

Which of the following is an inherent limitation of internal controls?

Answer 32

Collusion between employees may neutralize the effects of a segregation of duties.

Question 33

What auditor’s decision to assess control risk a below the maximutm?

Answer 33

Identify specific internal control policies and procedures that are likely to detect or prevent material misstatements.

Question 34

After obtaining an understanding of the internal control structure and assessing control risk, an auditor decided not to perform additional tests of controls.

The auditor most likely concluded that the

Answer 34

additional tests of controls would be performed only if such performance were considered cost beneficial. The cost of obtaining the additional evidence must be less than the benefits to be derived from the related reduction in substantive testing.

Question 35

Before assessing control risk at a level lower than the maximum, the auditor obtains reasonable assurance that controls are in use and operating effectively. This assurance is most likely obtained in part by

Answer 35

Inspection of documents is a form of a test of controls, and such tests are used to obtain reasonable assurance that controls are in use and operating effectively.

Question 36

In designing written audit plans, an auditor should establish specific audit objectives that relate primarily to the

Answer 36

Financial statement assertions.

Note:

This answer is correct because in obtaining audit evidence to support financial statement assertions, the auditor develops specific audit objectives in light of those assertions.

a

Question 37

Inherent limitation in internal control

Answer 37

Even the best controls may fail if they rely upon human judgment, and that judgment is faulty.

Question 38

An auditor observed that a client mails monthly statements to customers. Subsequently, the auditor reviewed evidence of follow-up on the errors reported by the customers.

This test of controls most likely was performed to support management’s financial statement assertion(s) of

Presentation and disclosure

Rights and obligations

Answer 38

No

Yes

The auditor’s test of controls thus provides evidence to support the assertion of rights and obligations. It does not address presentation and disclosure.

Question 39

Which of the following strategies would a CPA most likely consider in auditing an entity that processes most of its financial data only in electronic form, such as a paperless system?

Answer 39

Continuous monitoring and analysis of transaction processing with an embedded audit module.

note:

continuous monitoring and analysis of transaction processing with an embedded audit module might provide an effective way of auditing these processes

Question 40

Which of the following represents an inherent limitation of internal controls?

Answer 40

The CEO can request a check with no purchase order.

Note:

internal control is ordinarily subject to management override of controls—here requesting a check without adequate support. Such a situation is very difficult to control due to management’s authority.

Question 41

Not a step in an auditor’s decision to conclude that controls operate effectively

What are the steps to conclude that controls are operating effectively?

Answer 41

Perform tests of details of transactions to detect material misstatements in the financial statements.

Note:

performing tests of details of transactions to detect material misstatements pertains more directly to detection risk rather than inherent or control risk.

The steps:

Evaluate the effectiveness of the controls with tests of controls.

Obtain an understanding of the entity’s accounting system and control environment.

Consider whether controls can have a pervasive effect on financial assertions.

Question 42

When considering internal control to determine whether the necessary procedures are designed and operating effectively, an auditor should

Answer 42

Perform tests of controls.

Note:

used to provide reasonable assurance that the accounting control procedures on which the auditor intends to rely are being followed as prescribed.

Question 43

Assessing control risk at a low level involves

Answer 43

(1) identifying specific controls relevant to specific assertions that are likely to prevent or detect material misstatements in those assertions, and

(2) performing tests of controls to evaluate the effectiveness of such controls.

Question 44

After obtaining an understanding of internal control and assessing the risk of material misstatement, an auditor decided to perform tests of controls. The auditor most likely decided that

Answer 44

It would be efficient to perform tests of controls that would result in a reduction in planned substantive tests.

note:

Tests of controls will be performed when they are expected to result in a cost effective reduction in planned substantive tests.

Question 45

In which of the following circumstances is the performance of tests of controls least likely?

Answer 45

when the planned level of the risk of material misstatement is at the maximum level = no tests of controls are performed.

Question 46

Those procedures specifically outlined in an audit program are primarily designed to

Answer 46

gather audit evidence which forms the basis for the auditor’s opinion.

Note:

Completion of the audit program and any additional audit procedures should provide sufficient competent audit evidence for an opinion on the financial statements as required by the third standard of fieldwork.

Question 47

Assessing the risk of material misstatement below the maximum based on controls involves

Answer 47

(1) identifying specific controls relevant to specific assertions, and
(2) performing tests of controls to evaluate their effectiveness.

Question 48

An auditor uses the assessed level of control risk to

Answer 48

Determine the acceptable level of detection risk for financial statement assertions.

Question 49

Example of test of controls

Answer 49

Auditor is examining copies of sales invoices only for the initials of the person responsible for checking the extensions.

Inspection.

Observation.

Inquiry.

Note:

Tests of controls are used to test the effectiveness of the design or operation of a control.

Question 50

likely to suggest to an auditor that the client’s management may have overridden internal control?

Answer 50

• There are numerous delays in preparing timely internal financial reports.
• Management does not correct internal control weaknesses that it knows about.
• There have been two new controllers this year.

Question 51

Auditing by testing the input and output of a computer system instead of the computer program itself will

Answer 51

Not detect program errors which do not show up in the output sampled.

note:

not reflected on the output will be missed. Thus, if a “loop” in a program is not used in one application, it is not tested.

Question 52

**Basic tool used by the auditor to control the audit work and review the progress of the audit?

Answer 52

Audit plan

Note:

• Audit plan aids in instructing assistants in the work and includes audit procedures to accomplish the objectives of the examination. Thus, it allows the auditor to control the audit work and to review the progress of the audit.
• An audit plan should be designed so that the audit evidence gathered supports the auditor’s conclusions.

Question 53

When considering internal control, an auditor should be aware of the concept of reasonable assurance, which recognizes that

Answer 53

The cost of an entity’s internal control should not exceed the benefits expected to be derived.

Remember: because reasonable assurance recognizes that the cost of internal control should not exceed the benefits expected to be derived.

Question 54

Evidence concerning the proper segregation of duties for receiving and depositing cash receipts ordinarily is obtained by

Answer 54

Observation of the employees performing the activities will provide the auditor with such evidence.

Question 55

Which of the following audit techniques ordinarily would provide an auditor with the least assurance about the operating effectiveness of an internal control activity?

Answer 55

Preparation of system flowcharts.

note:

While auditors may use system flowcharts to document internal control and find weaknesses in the design of internal control, such flowcharts do not reveal whether the controls are operating effectively.

Question 56

When an auditor plans to rely on controls that have changed since they were last tested, which of the following courses of action would be most appropriate?

Answer 56

the auditor should test the operating effectiveness of such controls in the current audit.

Question 57

Auditors should retest records and transactions if year-end inquiries and observations lead the auditor to believe conditions have

Answer 57

changed significantly.

Question 58

In obtaining an understanding of an entity’s internal control relevant to audit planning, an auditor is required to obtain knowledge about the

Answer 58

Design of the controls pertaining to internal control components.

Question 59

After assessing control risk, an auditor desires to seek a further reduction in the assessed level of control risk. At this time, the auditor would consider whether

Answer 59

Additional audit evidence sufficient to support a further reduction is likely to be available.

Question 60

An auditor generally tests the segregation of duties related to inventory by

Answer 60

Personal inquiry and observation.

Note:

AU-C 315 suggests that when no audit trail exists (as is often the case for the segregation of duties) an auditor should use the observation and inquiry techniques.

Question 61

Required documentation in an audit in accordance with generally accepted auditing standards?

Answer 61

An audit plan.

Note:

auditors should develop and document an audit plan that presents the nature, timing, and extent of audit procedures.

Question 62

Considered an inherent limitation of the potential effectiveness of an entity’s internal control?

Answer 62

• Management override.
• Mistakes in judgment.
• Collusion among employees.

Note: among employees are all inherent limitations of internal control.

Question 63

When tests of controls reveal that controls are not operating as anticipated, it is most likely that the assessed level of the risk of material misstatement will

Answer 63

Be greater than the planned level.

Question 64

What types of evidence would an auditor most likely examine to determine whether controls are operating as designed?

Answer 64

Inspection of client records documenting the use of computer programs will provide evidence to help the auditor evaluate the effectiveness of the design and operation of internal control; the client’s control over use of its computer programs in this case is documentation of the use of the programs.