Internal Control Flashcards Preview

AUD > Internal Control > Flashcards

Flashcards in Internal Control Deck (40)

What is internal control?

A process designed to provide reasonable assurance that objectives are met


What are the five components of internal control?

Control activities
Risk assessment
Information and communication systems


What are control activities?

Activities/processes taken to reduce risk, as decided by management


What are some common control activities?

Performance reviews

Information processing (verifying transaction info)

Physical controls

Segregation of duties


What is risk assessment?

The entity's (not the auditor's) analysis of risks


What is monitoring?

Evaluating the internal control system's effectiveness over time (and making certain corrections)

It is necessary, since internal controls tend to fail over time


What is the control environment?

The general "atmosphere" for controls, consisting of attitudes within mgmt and personnel to excellence and integrity


Is it necessary for an entity to have all five components of internal control?

No -- the framework is helpful for the auditor's evaluation, not necessarily a description for all entities

Also, the auditor's main job is testing effectiveness, not categorizing


Should the auditor evaluate all of an entity's internal control systems?

No, only controls relevant to the financial statements (and only ones with significant risks)


What are some examples of irrelevant controls?

Controls to ensure compliance with safety regulations

Controls to set an optimal price on a product


What is an important consideration when evaluating controls?

Some controls will have overlapping purposes -- both financial reporting and operations (e.g. a lockbox for collecting payments)


What are the two parts of understanding a control?

Design -- whether it prevents/detects misstatements

Implementation -- whether it is actually being used


What are some procedures for assessing the design and implementation of controls?


Observing the applications of controls

Inspecting documents

Tracing transactions through the information system


What should the auditor document regarding internal control?

(1) Key elements of the five components
(2) Sources
(3) Risk assessment procedures that were performed


What are different ways to document an entity's internal control?





What are the advantages and disadvantages of a flowchart?

-very clear
-hard to overlook things
-requires complete understanding to create

-more time-consuming to create


What is the questionnaire approach to documenting internal control?

Simply listing questions to be answered

E.g. "Are the subsidiary ledgers frequently balanced with the control accounts?"
"Are these two duties properly segregated?"


What are the advantages and disadvantages of a questionnaire?

-easy to create
-requires listed issues to be covered
-weaknesses are obvious ("no")

-can be too general


What is the narrative approach, and what are its advantages and disadvantages?

Simply writing out what the system is

-unique to each engagement
-requires good understanding to create

-takes a long time
-lacks safeguards if auditor overlooks something


When should the auditor perform tests of controls?

-when his risk assessment includes an assessment of controls' effectiveness
-when substantive procedures alone don't reduce detection risk enough


What is the difference between risk assessment procedures on controls and tests of controls?

In risk assessment procedures, the auditor evaluates control design and implementation

In tests of controls, he tests effectiveness

These can sometimes be performed simultaneously


What are some tests for the operating effectiveness of controls?

Generally the same as for testing design and implementation of controls:
-inspection of documents
-observation of control's application
-reperformance of control by auditor


What is important to know regarding the different kinds of tests for controls' operating effectiveness?

Combinations of them should be used

E.g., inquiries alone are insufficient


How do the results of substantive procedures bear on the effectiveness of controls?

A lack of misstatement does not mean controls are effective, but misstatements might mean that controls are ineffective

Any misstatements found by the auditor but not the entity are significant deficiencies


What should an auditor test for controls' operating effectiveness if he plans to rely on prior period evidence?

If controls have changed, they need to be tested

If not, they should be tested at least once per three years (though more frequently the more crucial the control is)


How should auditors treat prior evidence for the effectiveness of controls that mitigate significant risk?

They should consider it but not rely upon it

It should be tested even if the control is unchanged from the prior period


What qualifies as a deficiency in the design of an internal control?

Not merely whether a control would not detect a misstatement if operating properly, but also if a control is missing

Distinguished from a deficiency in operation, which occurs when a control does not operate as designed


For controls, what is the difference between a material weakness and a significant deficiency?

Material weakness = reasonable possibility that control will lead to material misstatement

Significant deficiency = not as bad, but still requires attention


What should the auditor do if there are multiple significant deficiencies for a control?

Determine whether they, in aggregate, are a material weakness


What is a compensating control?

A control that limits the extent of a deficiency


What control deficiencies should be reported to management and TCWG?

All significant deficiencies and material weaknesses, including ones previously mentioned but not yet fixed

Must be in writing


When should control deficiencies be reported to management and TCWG?

Issuers must do this before the audit report is issued on the financial statements
-Otherwise, the latest is within 60 days of the report release date

Some deficiencies should be communicated during the audit, though not necessarily in writing


What is the report release date?

When the auditor grants permission for the entity to use the audit report for their financials


What should be included in the auditor's written communication for control deficiencies?

(1) that the auditor aims to express an opinion on the financials, not on controls per se
(2) a definition of "significant deficiency" and "material weakness"
(3) that the auditor did not aim to uncover all SDs and MWs
(4) a clear distinction between deficiencies identified as SDs and MWs
(5) that the communication is intended only for the specified parties


For communication on control deficiencies, what should the auditor say if he finds no significant deficiencies or material weaknesses?

He can make a communication stating that no material weaknesses were found, but not one stating that no significant deficiencies were found


What are five objectives for an internal control system?

(1) Authorization
(2) Validity (e.g. whether a transaction has occurred)
(3) Recording
(4) Tracking assets
(5) Custody of assets/limited access


What subsidiary objectives comprise the objective of proper recording?

(i) Completeness
(ii) Valuation
(iii) Classification
(iv) Timing


What duties should be segregated for the processing of a transaction?

-record keeping


What enables documents to be tracked through the control system?

Prenumbering them


What are some common types of transaction cycles?

(a) Sales-Receivables-Cash Receipts
(b) Purchases-Payables-Cash Disbursements
(c) Inventory & Production
(d) Personnel & Payroll
(e) Property, Plant, & Equipment

It helps to apply internal control objectives within these groups