Internal Control Flashcards Preview

Flashcards in Internal Control Deck (40)
1

What is internal control?

A process designed to provide reasonable assurance that objectives are met

2

What are the five components of internal control?

Control activities
Risk assessment
Information and communication systems
Monitoring
Environment

3

What are control activities?

Activities/processes taken to reduce risk, as decided by management

4

What are some common control activities?

Performance reviews

Information processing (verifying transaction info)

Physical controls

Segregation of duties

5

What is risk assessment?

The entity's (not the auditor's) analysis of risks

6

What is monitoring?

Evaluating the internal control system's effectiveness over time (and making certain corrections)

It is necessary, since internal controls tend to fail over time

7

What is the control environment?

The general "atmosphere" for controls, consisting of the attitudes of management and personnel toward excellence and integrity

8

Is it necessary for an entity to have all five components of internal control?

No -- the framework is helpful for the auditor's evaluation, not necessarily a description for all entities

Also, the auditor's main job is testing effectiveness, not categorizing

9

Should the auditor evaluate all of an entity's internal control systems?

No, only controls relevant to the financial statements (and only ones with significant risks)

10

What are some examples of irrelevant controls?

Controls to ensure compliance with safety regulations

Controls to set an optimal price on a product

11

What is an important consideration when evaluating controls?

Some controls will have overlapping purposes -- both financial reporting and operations (e.g. a lockbox for collecting payments)

12

What are the two parts of understanding a control?

Design -- whether it prevents/detects misstatements

Implementation -- whether it is actually being used

13

What are some procedures for assessing the design and implementation of controls?

Inquiries

Observing the applications of controls

Inspecting documents

Tracing transactions through the information system

14

What should the auditor document regarding internal control?

(1) Key elements of the five components
(2) Sources
(3) Risk assessment procedures that were performed

15

What are different ways to document an entity's internal control?

Flowchart

Questionnaire

Narrative/memorandum

16

What are the advantages and disadvantages of a flowchart?

Advantages:
-very clear
-hard to overlook things
-requires complete understanding to create

Disadvantages:
-more time-consuming to create

17

What is the questionnaire approach to documenting internal control?

Simply listing questions to be answered

E.g. "Are the subsidiary ledgers frequently balanced with the control accounts?"
"Are these two duties properly segregated?"

18

What are the advantages and disadvantages of a questionnaire?

Advantages:
-easy to create
-requires listed issues to be covered
-weaknesses are obvious ("no")

Disadvantages:
-can be too general

19

What is the narrative approach, and what are its advantages and disadvantages?

Simply writing out what the system is

Advantages:
-unique to each engagement
-requires good understanding to create

Disadvantages:
-takes a long time
-lacks safeguards if auditor overlooks something

20

When should the auditor perform tests of controls?

Either:
-when his risk assessment includes an assessment of controls' effectiveness
-when substantive procedures alone don't reduce detection risk enough

21

What is the difference between risk assessment procedures on controls and tests of controls?

In risk assessment procedures, the auditor evaluates control design and implementation

In tests of controls, he tests effectiveness

These can sometimes be performed simultaneously

22

What are some tests for the operating effectiveness of controls?

Generally the same as for testing design and implementation of controls:
-inquiries
-inspection of documents
-observation of control's application
-reperformance of control by auditor

23

What is important to know regarding the different kinds of tests for controls' operating effectiveness?

Combinations of them should be used

E.g., inquiries alone are insufficient

24

How do the results of substantive procedures bear on the effectiveness of controls?

A lack of misstatement does not mean controls are effective, but misstatements might mean that controls are ineffective

Any misstatements found by the auditor but not the entity are significant deficiencies

25

What should an auditor test for controls' operating effectiveness if he plans to rely on prior period evidence?

If controls have changed, they need to be tested

If not, they should be tested at least once per three years (though more frequently the more crucial the control is)

26

How should auditors treat prior evidence for the effectiveness of controls that mitigate significant risk?

They should consider it but not rely upon it

It should be tested even if the control is unchanged from the prior period

27

What qualifies as a deficiency in the design of an internal control?

Not merely whether a control would not detect a misstatement if operating properly, but also if a control is missing

Distinguished from a deficiency in operation, which occurs when a control does not operate as designed

28

For controls, what is the difference between a material weakness and a significant deficiency?

Material weakness = reasonable possibility that control will lead to material misstatement

Significant deficiency = not as bad, but still requires attention

29

What should the auditor do if there are multiple significant deficiencies for a control?

Determine whether they, in aggregate, are a material weakness

30

What is a compensating control?

A control that limits the extent of a deficiency

31

What control deficiencies should be reported to management and TCWG?

All significant deficiencies and material weaknesses, including ones previously mentioned but not yet fixed

Must be in writing

32

When should control deficiencies be reported to management and TCWG?

Issuers must do this before the audit report is issued on the financial statements
-Otherwise, the latest is within 60 days of the report release date

Some deficiencies should be communicated during the audit, though not necessarily in writing

33

What is the report release date?

When the auditor grants permission for the entity to use the audit report for their financials

34

What should be included in the auditor's written communication for control deficiencies?

(1) that the auditor aims to express an opinion on the financials, not on controls per se
(2) a definition of "significant deficiency" and "material weakness"
(3) that the auditor did not aim to uncover all SDs and MWs
(4) a clear distinction between deficiencies identified as SDs and MWs
(5) that the communication is intended only for the specified parties

35

For communication on control deficiencies, what should the auditor say if he finds no significant deficiencies or material weaknesses?

He can make a communication stating that no material weaknesses were found, but not one stating that no significant deficiencies were found

36

What are five objectives for an internal control system?

(1) Authorization
(2) Validity (e.g. whether a transaction has occurred)
(3) Recording
(4) Tracking assets
(5) Custody of assets/limited access

37

What subsidiary objectives comprise the objective of proper recording?

(i) Completeness
(ii) Valuation
(iii) Classification
(iv) Timing

38

What duties should be segregated for the processing of a transaction?

-authorization
-record keeping
-custody

39

What enables documents to be tracked through the control system?

Prenumbering them

40

What are some common types of transaction cycles?

(a) Sales-Receivables-Cash Receipts
(b) Purchases-Payables-Cash Disbursements
(c) Inventory & Production
(d) Personnel & Payroll
(e) Property, Plant, & Equipment

It helps to apply internal control objectives within these groups