A company's AIS records all sales orders that are entered, but some customer calls are never entered into the system. Which assertion is violated?
Completeness
A clerk records a sale using the correct quantity and price, but assigns it to the wrong customer account. Which assertion is violated?
Accuracy / Classification
Which assertion is most directly concerned with whether a recorded transaction actually happened?
Validity / Existence
A sales manager pressures staff to hold December sales open in the system until January shipments occur. Which assertion is at risk?
Cutoff
Which of the following is NOT a financial reporting assertion used to evaluate processing controls?
Authorization
A system requires manager approval before payments are released, but errors still occasionally occur due to incorrect approvals. Which type of control is this approval process?
Preventative
A report identifies differences between quantities shipped and quantities billed but does not correct them. What type of control is this?
Detective
Why is it unusual to have a detective control without a corrective control?
Errors identified would remain uncorrected
Insurance is classified as a corrective control rather than a detective control because it:
Reduces losses after they occur
Which statement best reflects the fundamental purpose of internal control?
Ensure organizational objectives are met
In the segregation of duties framework used in class, which role evaluates whether primary authorization is being performed effectively?
Secondary authorizer
Which role is primarily responsible for identifying and responding to losses caused by people with custody of assets?
Primary authorizer
An employee both receives inventory and records inventory transactions. Which risk is introduced?
Ability to both perpetrate and conceal errors
A person who approves sales orders also approves shipments. From a segregation of duties perspective, this arrangement is acceptable.
TRUE
A person who handles cash receipts also handles inventory. From a segregation of duties perspective, this arrangement is acceptable.
TRUE
Which principle best explains why segregation of duties is required?
No one should be able to both commit and conceal errors
In a fully computerized system, segregation of duties is primarily enforced through:
Access controls and authentication
Which of the following is an IT general control rather than an application control?
Restricting access to production programs
Why are "super-user" IDs considered a significant control weakness?
They bypass segregation of duties
A payroll system flags any paycheck exceeding $10,000 for review after processing. This control is best classified as:
Detective
Expected loss in a risk assessment represents:
The average loss per unit of time
In the risk assessment process, which step must be completed first?
Identify threats
Why does automation not eliminate the need for segregation of duties?
Programming and access can still be misused
Matching shipping documents to sales invoices primarily addresses which assertion?
Validity / Existence
A system requires manager approval before a credit memo can be issued. Which type of
Preventive
Auditing standards for publicly listed firms are set by the:
PCAOB
In the segregation of duties framework, which role is primarily responsible to evaluate whether the primary authorizer is doing their job effectively?
Secondary Authorizer
In the segregation of duties framework, which role is primarily responsible to identify and act on losses arising from the actions of people with custody of assets?
Primary Authorizer
The following are the elements of control systems in general:
Sensor, objective, feedback signal/mechanism
An employee who opens mail which includes customer payments steals cash and changes the cash receipts listing to cover up theft. Segregation of which duties would prevent this:
Custody and reconciliation
A person who reviews and approves sales orders also reviews and approves shipments. From a segregation of duties perspective, this is OK.
TRUE
Most fundamentally, the purpose of control is to ensure:
Organizational objectives are met
A person who handles inventory also handles cash. From a segregation of duties perspective, this is OK.
TRUE
In the risk assessment, the potential dollar loss that could Expected loss:
Exposure (expected loss= average; per unit of time)
Publicly listed firms must report on the ________ of internal control over _________
effectiveness, financial reporting
In the risk assessment process, the first step is to:
Identify the threats the organization is facing
Management and auditors must report on internal control: NOT "All of the other answers"
A person who receives inventory purchases also writes off A/R. From a segregation of duties perspective, this is OK.
TRUE
Which of the following is not one of the five elements of the COSO framework?
All the other answers are elements of the COSO framework
The COSO framework is specifically required by:
None of the other answers (none of them)
The SoD framework presented in class and article requires which 3 duties be performed by separate individuals?
Secondary authorization, asset custody, and reconciliation
Sales orders created by salespeople in the field without customer credit history are sent to the Credit Manager to approve credit for the sale, then are sent to the warehouse clerk who ships them. NO other personnel are involved. From a SoD perspective, this is OK.
FALSE
In the SoD framework, which role is primarily responsible to make sure the person who records the transactions is doing this effectively, if the recorder also handles assets?
Reconciler
Auditing standards for publicly listed firms in the United States are set by the:
PCAOB
Which assertion addresses whether all transactions that occurred are recorded in the AIS?
Completeness
A sale is recorded for a transaction that never actually occurred. Which assertion is violated?
Validity / Existence
A transaction is recorded in the wrong accounting period. Which assertion is violated?
Cutoff
Which of the following is NOT one of the financial reporting assertions discussed in class?
Authorization
Which type of control is designed to stop errors or fraud before they occur?
Preventive
A report that flags unusually large transactions after processing is an example of a:
Detective control
Which control fixes an error that has already been detected?
Corrective
Insurance is considered which type of control?
Corrective only
Which of the following best describes the fundamental purpose of internal control?
Ensure organizational objectives are met
In the segregation of duties framework, which role is primarily responsible for evaluating whether the primary authorizer is doing their job effectively?
Secondary authorizer
Which role is primarily responsible for identifying and acting on losses caused by people with custody of assets?
Primary authorizer
An employee opens mail, steals customer payments, and alters the cash receipts listing to conceal the theft. Segregation of which duties would prevent this?
Custody and reconciliation
A person who approves sales orders also approves shipments. From a segregation of duties perspective, this is acceptable.
TRUE
A person who handles inventory also handles cash receipts. From a segregation of duties perspective, this is acceptable.
TRUE
Which of the following is a primary objective of segregation of duties?
Prevent one person from both committing and concealing errors or fraud
In a computerized environment, segregation of duties is primarily enforced through:
Access controls and authentication
Which of the following is an IT general control?
Restricting access to production programs
Why are "super-user IDs" considered a control risk?
They bypass segregation of duties
A payroll system flags any paycheck over $10,000 for review after processing. This is an example of a:
Detective control
Expected loss in a risk assessment refers to:
Average loss per unit of time
In the risk assessment process, what is the first step management should perform?
Identify threats
Which of the following best explains why automation does not eliminate the need for controls?
Programming errors and access misuse can still occur
Which assertion is most directly addressed by matching shipping documents to sales invoices?
Validity / Existence
A system requires manager approval before issuing a credit memo. This is an example of a:
Preventive control
An employee should not be in a position to both
1) Perpetrate
2) Conceal
What is the control approach?
When everything done is seen by another person
What is the manual approach?
At least three people involved in the smallest orgs, five in others
Internal controls: ROW 1
Custody and recording
Internal controls: ROW 2
Primary authorization, recoding, reconciliation, recording of rec
Internal controls: ROW 3
Second set of eyes, reconciliation of record of primary authorization, authorization of rec
How to enforce SoD with computers?
1) Unique user IDs with limited access
2) Authentication (passwords, token/cards, biometrics)
Control activities
- Use AIS to ensure its integrity so you can believe it
- Processing controls
- SOD
- Processing/input controls
SoD
1) Custody of assets/recording
2) Primary authorization/reconciliation
3) Secondary authorization
4) Secondary authorization of access controls
For the SOX internal control report, or to gain assurance on these processes for the regular FS audit, we must apply these assertions to the processes that generate financial statement numbers and text
Assertions per PCAOB audit standard 5
1) Completeness
2) Accuracy/valuation/allocation/classification
3) Validity/existence/occurrence/cutoff/rights and obligations
4) Presentation and disclosure
Completeness:
a) Are all transactions that occurred recorded in the AIS?
- Do we have a filled out order for every call
b) Are all information fields recorded
- Could individual field be missed
c) Did we receive all the orders that we should have?
- Were there orders that should have come in but did not
Accuracy
Is the transaction recorded at the right values?
- How could sales orders be recorded at wrong quantities or wrong sales amount
- Are there other important fields on the order that could be captured inaccurately
Validity/existence/occurrence
a) V/E/O: Is the recorded transaction real?
- Is there a way to create orders that do not really exist
b) C: Is the recorded transaction properly dated?
- Could we transfer orders to a different period
Control types:
Preventive:
- Before the fact - real time
- Get approval before payment
Detective
- Finds it - this is after error has occurred
- DO NOT FIX THE ERROR - just identify
- Batch controls, report of transactions > 50,000
Corrective:
- Fixes what is found by a DETECTIVE control
Unusual to have a detective control without a corrective, and vice versa
How to apply assertions
1) Take one process
2) Ask what can go wrong
3) Identify threats
4) Design controls
- Prevent
- Detect
- Correct