Internal Control

Question 1

What is internal control?

Answer 1

A process designed to provide reasonable assurance that objectives are met

Question 2

What are the five components of internal control?

Answer 2

Control activities
Risk assessment
Information and communication systems
Monitoring
Environment

Question 3

What are control activities?

Answer 3

Activities/processes taken to reduce risk, as decided by management

Question 4

What are some common control activities?

Answer 4

Performance reviews

Information processing (verifying transaction info)

Physical controls

Segregation of duties

Question 5

What is risk assessment?

Answer 5

The entity’s (not the auditor’s) analysis of risks

Question 6

What is monitoring?

Answer 6

Evaluating the internal control system’s effectiveness over time (and making certain corrections)

It is necessary, since internal controls tend to fail over time

Question 7

What is the control environment?

Answer 7

The general “atmosphere” for controls, consisting of attitudes within mgmt and personnel to excellence and integrity

Question 8

Is it necessary for an entity to have all five components of internal control?

Answer 8

No – the framework is helpful for the auditor’s evaluation, not necessarily a description for all entities

Also, the auditor’s main job is testing effectiveness, not categorizing

Question 9

Should the auditor evaluate all of an entity’s internal control systems?

Answer 9

No, only controls relevant to the financial statements (and only ones with significant risks)

Question 10

What are some examples of irrelevant controls?

Answer 10

Controls to ensure compliance with safety regulations

Controls to set an optimal price on a product

Question 11

What is an important consideration when evaluating controls?

Answer 11

Some controls will have overlapping purposes – both financial reporting and operations (e.g. a lockbox for collecting payments)

Question 12

What are the two parts of understanding a control?

Answer 12

Design – whether it prevents/detects misstatements

Implementation – whether it is actually being used

Question 13

What are some procedures for assessing the design and implementation of controls?

Answer 13

Inquiries

Observing the applications of controls

Inspecting documents

Tracing transactions through the information system

Question 14

What should the auditor document regarding internal control?

Answer 14

(1) Key elements of the five components
(2) Sources
(3) Risk assessment procedures that were performed

Question 15

What are different ways to document an entity’s internal control?

Answer 15

Flowchart

Questionnaire

Narrative/memorandum

Question 16

What are the advantages and disadvantages of a flowchart?

Answer 16

Advantages:

• very clear
• hard to overlook things
• requires complete understanding to create

Disadvantages:
-more time-consuming to create

Question 17

What is the questionnaire approach to documenting internal control?

Answer 17

Simply listing questions to be answered

E.g. “Are the subsidiary ledgers frequently balanced with the control accounts?”
“Are these two duties properly segregated?”

Question 18

What are the advantages and disadvantages of a questionnaire?

Answer 18

Advantages:

• easy to create
• requires listed issues to be covered
• weaknesses are obvious (“no”)

Disadvantages:
-can be too general

Question 19

What is the narrative approach, and what are its advantages and disadvantages?

Answer 19

Simply writing out what the system is

Advantages:

• unique to each engagement
• requires good understanding to create

Disadvantages:

• takes a long time
• lacks safeguards if auditor overlooks something

Question 20

When should the auditor perform tests of controls?

Answer 20

Either:

• when his risk assessment includes an assessment of controls’ effectiveness
• when substantive procedures alone don’t reduce detection risk enough

Question 21

What is the difference between risk assessment procedures on controls and tests of controls?

Answer 21

In risk assessment procedures, the auditor evaluates control design and implementation

In tests of controls, he tests effectiveness

These can sometimes be performed simultaneously

Question 22

What are some tests for the operating effectiveness of controls?

Answer 22

Generally the same as for testing design and implementation of controls:

• inquiries
• inspection of documents
• observation of control’s application
• reperformance of control by auditor

Question 23

What is important to know regarding the different kinds of tests for controls’ operating effectiveness?

Answer 23

Combinations of them should be used

E.g., inquiries alone are insufficient

Question 24

How do the results of substantive procedures bear on the effectiveness of controls?

Answer 24

A lack of misstatement does not mean controls are effective, but misstatements might mean that controls are ineffective

Any misstatements found by the auditor but not the entity are significant deficiencies

Question 25

What should an auditor test for controls' operating effectiveness if he plans to rely on prior period evidence?

Answer 25

If controls have changed, they need to be tested If not, they should be tested at least once per three years (though more frequently the more crucial the control is)

Question 26

How should auditors treat prior evidence for the effectiveness of controls that mitigate significant risk?

Answer 26

They should consider it but not rely upon it It should be tested even if the control is unchanged from the prior period

Question 27

What qualifies as a deficiency in the design of an internal control?

Answer 27

Not merely whether a control would not detect a misstatement if operating properly, but also if a control is missing Distinguished from a deficiency in operation, which occurs when a control does not operate as designed

Question 28

For controls, what is the difference between a material weakness and a significant deficiency?

Answer 28

Material weakness = reasonable possibility that control will lead to material misstatement Significant deficiency = not as bad, but still requires attention

Question 29

What should the auditor do if there are multiple significant deficiencies for a control?

Answer 29

Determine whether they, in aggregate, are a material weakness

Question 30

What is a compensating control?

Answer 30

A control that limits the extent of a deficiency

Question 31

What control deficiencies should be reported to management and TCWG?

Answer 31

All significant deficiencies and material weaknesses, including ones previously mentioned but not yet fixed Must be in writing

Question 32

When should control deficiencies be reported to management and TCWG?

Answer 32

Issuers must do this before the audit report is issued on the financial statements -Otherwise, the latest is within 60 days of the report release date Some deficiencies should be communicated during the audit, though not necessarily in writing

Question 33

What is the report release date?

Answer 33

When the auditor grants permission for the entity to use the audit report for their financials

Question 34

What should be included in the auditor's written communication for control deficiencies?

Answer 34

(1) that the auditor aims to express an opinion on the financials, not on controls per se (2) a definition of "significant deficiency" and "material weakness" (3) that the auditor did not aim to uncover all SDs and MWs (4) a clear distinction between deficiencies identified as SDs and MWs (5) that the communication is intended only for the specified parties

Question 35

For communication on control deficiencies, what should the auditor say if he finds no significant deficiencies or material weaknesses?

Answer 35

He can make a communication stating that no material weaknesses were found, but not one stating that no significant deficiencies were found

Question 36

What are five objectives for an internal control system?

Answer 36

(1) Authorization (2) Validity (e.g. whether a transaction has occurred) (3) Recording (4) Tracking assets (5) Custody of assets/limited access

Question 37

What subsidiary objectives comprise the objective of proper recording?

Answer 37

(i) Completeness (ii) Valuation (iii) Classification (iv) Timing

Question 38

What duties should be segregated for the processing of a transaction?

Answer 38

- authorization - record keeping - custody

Question 39

What enables documents to be tracked through the control system?

Answer 39

Prenumbering them

Question 40

What are some common types of transaction cycles?

Answer 40

(a) Sales-Receivables-Cash Receipts (b) Purchases-Payables-Cash Disbursements (c) Inventory & Production (d) Personnel & Payroll (e) Property, Plant, & Equipment It helps to apply internal control objectives within these groups