Internal Control

Question 1

If Internal Control is poor and a company’s accounting practices are sloppy - which risk is higher?

Answer 1

Control risk increases with poor Internal Controls and sloppy accounting practices.

Question 2

If Internal Control is poor - what is the effect on the audit?

Answer 2

Auditor will need to perform more testing and dig deeper into accounts in order to arrive at an opinion regarding the financial statements.

Question 3

What does Internal Control provide reasonable assurance for?

Answer 3

Internal control provides reasonable assurance that

Material misstatements will be prevented

Reliability/integrity of financial statements will be preserved

Assets are protected against misuse

Question 4

What is required in an examination of Internal Control under Sarbanes-Oxley?

Answer 4

CEO/CFO must disclose Internal Control deficiencies

Management must provide assessment of Internal Control

Management must certify Financial Statements

Question 5

What is the relationship between Internal Control and Substantive Testing?

Answer 5

Inverse Relationship

Stronger Internal Controls - Less Testing Needed

Weaker Internal Controls - More Testing Needed

Question 6

What are the 3 objectives of Internal Control?

Answer 6

Reliability of Financial Reporting

Operational Efficiency/Effectiveness

Compliance with Law and Regulations

Question 7

What are the 5 components of Internal Control?

Answer 7

Control Environment

Risk Assessment

Information and Communication

Monitoring

Control Activities

Question 8

What is the purpose for a Control Environment assessment?

Answer 8

Sets tone for the entire company

Question 9

What are the components of the Control Environment?

Answer 9

Integrity/Ethics of Management
Competence of Management
Organizational Structure
Human Resource Policies
Assignment of Authority/Responsibility
Management’s Style (riskier with a dominant/aggressive individual)
Board/Audit Committee involvement

Question 10

What does an auditor’s assessment of Detection Risk determine?

Answer 10

Detection Risk determines nature- timing- and extent of audit procedures.

Question 11

What determines the acceptable level of Detection Risk?

Answer 11

Risk of material misstatement determines acceptable level of Detection Risk

Question 12

What items could increase the risk of material misstatement?

Answer 12

Rapid growth in the company.

The methods management uses to identify risk- estimate its significance and assess the likelihood of occurrence

Major changes to operations- personnel- systems- IT- products- corporate organization- and foreign operations.

Question 13

What happens when Control Risk is assessed to be at the maximum level?

Answer 13

No Internal Control testing is performed.

All audit procedures are increased in intensity to compensate for increased risk.

Question 14

What happens when Control Risk is below the maximum level?

Answer 14

Auditor tests Internal Controls.

Auditor evaluates Control Risk based on tests

Auditor adjusts substantive tests accordingly

Weaker Internal Control - More substantive tests

Stronger Internal Control - Less substantive tests

Question 15

Describe some common examples of Control Activities.

Answer 15

Performance Reviews

Information Processing

Physical Controls

Segregation of Duties

Question 16

What should an auditor understand with respect to Information and Communication on an audit?

Answer 16

Understand Client’s

Major transaction classes
Transaction initiation
Support records/documents
Transaction processing
Financial Statement internal reporting process
Financial Statement external reporting process

Question 17

How must an auditor document understanding of Internal Control?

Answer 17

Through written documentation such as Internal Control memos- flowcharts- and questionnaires

Question 18

What questions should be asked to determine the risk of material misstatement?

Answer 18

Were all transactions recorded?
Were they timely?
Measured appropriately?
Recorded in correct period?
Presented and disclosed properly?
Did Management communicate their responsibilities?

Question 19

What is the purpose of testing Internal Controls?

Answer 19

Auditor needs reasonable assurance that controls are functioning as designed and effective

Internal Control Testing should be strong as (IRON) so that nothing gets past them

Inquiry - Interview company personnel
Re-performance - Can it be replicated?
Observation - Watch the control be applied
INspection - Dig into the details/documents

If results are as expected- substantive procedures do not need to be adjusted

Question 20

When can controls tested by an auditor in a prior year be used in the current year’s audit assessment?

Answer 20

Controls tested by auditor in a prior year can be used in the current year’s audit assuming they are re-tested every third year

Exception If the control has changed since the last audit

Question 21

What happens if Internal Controls are deficient?

Answer 21

Control Risk increases

Scope of substantive procedures increases

Detection Risk decreases

Material Weakness - Reasonable possibility that a material misstatement in Financial Statements would not be found- more than a remote chance of occurrence

Question 22

What is a Material Weakness?

What type of opinion on Internal Controls?

Answer 22

Reasonable possibility exists that a material misstatement in Financial Statements would not be found- and has more than a remote chance of occurrence.

Adverse Opinion

Question 23

What does Tracing test?

Answer 23

Tests Completeness

Starts with source document and traces forward to the journal entry.

Question 24

What does Vouching test?

Answer 24

Tests Existence.

Starts with a journal entry and searches for a voucher or source document to support the entry.

Question 25

What activities represent Segregation of Duties?

Answer 25

Non-compatible duties performed by separate individuals- such as Authorization of asset disbursement vs. Recording of Assets vs. Custody of assets If supporting audit evidence doesn't exit - use Observation and Inquiry Accounting should be segregated from Production

Question 26

With respect to signing checks - how are duties segregated?

Answer 26

Employees who prepare vouchers/invoices should not also have the authority to SIGN CHECKS Tip - Remember this as an underlying theme with Segregation of Duties. The authority to make a payment should not also lie in the hands of those creating invoices/vouchers. Why? People commit fraud by setting up fake companies and basically paying themselves

Question 27

With respect to custody of assets - how should duties be segregated?

Answer 27

Employees who have custody of assets should not also RECORD those assets Someone in charge of petty cash should not also control the petty cash records Treasury Department (custodians) should NOT have record keeping duties They control assets and should not be able to adjust any recording of those assets

Question 28

What are the limitations on Control Activities?

Answer 28

Controls can't stop collusion or bad judgment Management can override controls Cost vs. Benefit relationship of Internal Control

Question 29

What is required if a Material Weakness is identified?

Answer 29

A written report to management is required. Report declaring that no material weaknesses were found is allowed Previous weaknesses reported that still exist should be reported again Should be reported no later than 60 days after audit report release date If one or more material weaknesses is uncorrected at year-end- an Adverse Opinion on Internal Control must be given

Question 30

What is the effect of a Significant Deficiency? What is it?

Answer 30

A significant deficiency adversely affects a company's ability to report in the financial statements according to GAAP. A significant deficiency is a more than a remote likelihood of material misstatement by more than an inconsequential amount

Question 31

What must occur if a Significant Deficiency is identified?

Answer 31

If a Significant Deficiency is identified- a written report to management required Report declaring that no significant deficiencies exist is not allowed Previous deficiencies reported that still exist should be reported again Should be reported no later than 60 days after the audit report release date

Question 32

What is a Control Deficiency?

Answer 32

A control is not operating as intended.

Question 33

What must an auditor ask if using the work of third parties?

Answer 33

Are they competent? Are they objective?

Question 34

What must an auditor understand with respect to internal auditors?

Answer 34

Auditor needs to understand the role of Internal Auditors within the organization because their work affects the audit plan Responsibility for judgments about materiality or appropriateness of entries or estimates cannot be shared with third parties like Internal Auditors Internal Auditors should be asked to do some of the legwork like preparing schedules or running reports They should not be asked to make any decisions or judgments

Question 35

What is required in an examination of Internal Control under Sarbanes-Oxley?

Answer 35

CEO/CFO must disclose deficiencies Management must provide assessment of Internal Controls Management must certify Financial Statements

Question 36

What is the relationship between Internal Control and Substantive Testing?

Answer 36

Has inverse relationship Stronger Internal Control results in LESS substantive testing Weaker Internal Control leads to MORE substantive testing

Question 37

What are the three objectives of Internal Control?

Answer 37

Reliability of Financial Reporting Operational Efficiency/Effectiveness Compliance with Law and Regulations

Question 38

What are the five components of Internal Control?

Answer 38

Control Activities Risk Assessment Information and Communications Monitoring Control Environment

Question 39

What are the components of the Control Environment?

Answer 39

Integrity/Ethics of Management Competence of Management Organizational Structure Human Resources Policies Assignment of Authority/Responsibility Management's Style (riskier with a dominant/aggressive individual) Board/Audit Committee involvement

Question 40

What happens when Control Risk is below the maximum level?

Answer 40

Auditor tests Internal Controls. Auditor evaluates Control Risk based on tests Auditor adjusts substantive tests accordingly Weaker Internal Control - More substantive tests Stronger Internal Control - Less substantive tests

Question 41

What should an auditor understand with respect to Information and Communication on an audit?

Answer 41

Understand Client's Major transaction classes Transaction initiation Support records/documents Transaction processing Financial Statement internal reporting process Financial Statement external communication process

Question 42

How must an auditor document understanding of Internal Control?

Answer 42

Auditor must document understanding of Internal Control via Memos - Flowcharts - Questionnaires

Question 43

What is the purpose of testing Internal Controls?

Answer 43

Auditor needs reasonable assurance that controls are functioning as designed and effective Internal Control Testing should be strong as (IRON) so that nothing gets past them Inquiry - Interview company personnel Re-performance - Can it be replicated? Observation - Watch the control be applied INspection - Dig into the details/documents If results are as expected - substantive procedures do not need to be adjusted

Question 44

How to assess risk

Answer 44

Analytical procedures Inquiry Inspection of documents Observation

Question 45

Characteristics of documents in "cycles" for IC

Answer 45

Pre-printed, Pre-numbered, numerically controlled

Question 46

Order of components of IC

Answer 46

Control Environment, Risk Assessment, Control Activitites, Information & Communication, Monitoring

Question 47

Financial Statement Audit (Non-Issuer) VS PCAOB (Issuer); | Which periods do you look at?

Answer 47

Entire Period As a point in time

Question 48

Name examples of a company-level control Name an example of a control activity over a specific type of transaction

Answer 48

Monitoring, mgmt risk assessment process, controls over the drafting of financial statements Segregation of duties

Question 49

Where do internal auditors report to?

Answer 49

They report to the audit committee instead of top management since it is more likely that the internal auditor will be able to objectively perform the function If not, RMM will increase

Question 50

What is the responsibility of the payroll department?

Answer 50

The calculate the pay for employees NOT to distribute checks!!!

Question 51

What is a bill of lading?

Answer 51

Supports the amoount received

Question 52

What is a PO?

Answer 52

Evidence that the goods received were ordered

Question 53

What does tracing test? What does vouching test?

Answer 53

Tests completeness, and detects understatements Test existence, and detects overstatements

Question 54

What do you do as an independent auditor when a service auditor performs an audit?

Answer 54

Inquire about the service auditor's professional reputation DO NOT audit their work, or review their audit programs

Question 55

Significance of inherent limitations for attestation engagement and PCAOB audit

Answer 55

May not prevent or detect misstatements Also may not project into future

Question 56

How to date attestation engagement VS PCAOB audit

Answer 56

Period of time / Specific date Specific date

Question 57

How can you measure an internal auditor's objectivity?

Answer 57

By looking at who they report to Reviewing recommedations made in their reports

Question 58

How does scope, procedures, and purpose of the examination of Internal Control VS assessment of RMM differ

Answer 58

IC is more extensive because requires more tests on IC Same IC is to express an opinion; Assess RMM is to determine the nature, timing, and extent of sub testing

Question 59

What are the distribution of internal controls are restricted to who?

Answer 59

Management, and those who are in charge of governance

Question 60

Name the 3 types of Internal Control Reports

Answer 60

GAAS financial statement audit, AICPA attestation engagement, PCAOB audit

Question 61

SIMS IC example a) if wrong account b) to check if posted in an account c) if customer checks are being misappropriated and before getting to cashier d) if customer check are being misappropriated and got to cashier

Answer 61

a) confirm b) compare amounts AR and amounts amounts of invoices c) confirm with customer because it will show overstatement d) compare AR with validated deposit slip

Question 62

For internal control reports, who do you have to communicate control deficiencies too for an FS audit, Attestation Engagement, and a PCAOB audit? Pg. 4-23

Answer 62

Just management for all 3

Question 63

If you report on Internal Control, what does it mean?

Answer 63

They hired you to give an opinion on internal control, therefore it is considered an attestation engagement or a PCAOB audit

Question 64

What do you NOT do to assure that all billed sales are correctly posted to accounts receivable ledger

Answer 64

Dont reconcile to daily ledger Compare sales to daily postings of AR

Question 65

A department that should be charge in writing off bad debt should be independent of?

Answer 65

Sales, credit, and recordkeeping

Question 66

What is included in an internal control questionnaire? | Pg. 4-21

Answer 66

``` P Physical Control R Recording A Authorization I Independent checks S Segregation of duties E Evaluate performance ```

Question 67

SIM IC: Segregation of Duties a) When a sales clerk prepares a sales order without shipping advice, is it appropriate? b) What role in ARCCs should the sales clerk be?

Answer 67

a) Yes because shipping advice should be made when goods are shipped b) Authorization

Question 68

What is a good control for maintaining proper custody of a security? What is not a good control?

Answer 68

Investment ledger are periodically compared with the contents of a safety deposit box by independent auditor Access to sercurities in the safe deposit box limited to only ONE person; it should be 2

Question 69

Does matters that must be communicated with those in charge of governance have to be written? (DISAPPROVE)

Answer 69

No, it can be oral or written

Question 70

What is important with tracing and vouching?

Answer 70

Dont go from journal to ledger!!!

Question 71

What is a good safeguard for marketable securities?

Answer 71

Two company officials would have joint controls of the securities, which would be kept in a bank safe-deposit box

Question 72

If you obtain credit approval, which assertion does it cover?

Answer 72

Valuation

Question 73

What is the cashier's responsibility?

Answer 73

Everything to do with cash receipts