Which of the following factors would most likely be considered an inherent limitation to an entity’s internal control?
Human judgment in the decision making process. (Human judgment is faulty, and controls may fail because of simple error or mistake. For example, design changes for an automated order entry system may be faulty because the designers did not understand the system or because programmers did not correctly code the design changes. Errors also may arise when automated reports are misinterpreted by users. Furthermore, manual or automated controls can be circumvented by collusion, and management may inappropriately override internal control.)
An auditor uses the knowledge provided by the understanding of the system of internal control and the assessed risks of material misstatement primarily to
Determine the nature, timing, and extent of substantive procedures for financial statement assertions. (The auditor is required to obtain an understanding of the entity and its environment, including its system of internal control, to assess the risks of material misstatement of the financial statements, whether due to fraud or error, to provide a basis for responding to the assessed RMMs. Regardless of the assessed RMMs, the auditor performs substantive procedures for all relevant assertions for material classes of transactions, account balances, and disclosures. Moreover, the auditor designs and performs further audit procedures whose nature, timing, and extent respond to the assessed RMMs at the relevant assertion level.)
Which of the following statements is correct regarding internal control?
An inherent limitation of internal control is that controls can be circumvented by management override. (Because of its inherent limitations, internal control can be designed and implemented to provide only reasonable assurance that the entity’s objectives are met. Human judgment is faulty, and controls may fail because of human error. Furthermore, manual or automated controls can be circumvented by collusion, and management may inappropriately override internal control.)
An entity should consider the cost of a control in relationship to the risk. Which of the following controls best reflects this philosophy for a large dollar investment in heavy machine tools?
Imprinting a controlled identification number on each tool. (A controlled identification number on each tool and periodic checking allow for an effective control at reasonable cost.)
In an audit of financial statements, an auditor’s primary consideration regarding an internal control is whether the control
Affects management’s financial statement assertions. (Assertions are management representations embodied in the financial statements. They are used by the auditor to consider the different potential misstatements. A relevant assertion has a reasonable possibility of containing a misstatement that could cause a material misstatement(s) of the financial statements. Thus, a relevant assertion has a meaningful bearing on whether the account is fairly stated. Tests of controls are designed to evaluate the operating effectiveness of controls in preventing, or detecting and correcting, material misstatements at the assertion level. They should be performed when (1) the auditor’s assessment of the RMMs at the relevant assertion level includes an expectation of the operating effectiveness of controls or (2) substantive procedures alone do not provide sufficient appropriate evidence at the relevant assertion level. Thus, the auditor is primarily concerned with whether a control affects relevant financial statement assertions.)
An auditor is evaluating a client’s internal controls. Which of the following situations would be the most difficult internal control issue for an auditor to detect?
Two employees, who work in different departments, are circumventing an internal control. (Because of its inherent limitations, internal control can provide only reasonable assurance that the entity’s objectives are met. Thus, manual or automated controls can be circumvented by collusion of two or more people or by management override (AU-C 315). Fraud perpetrated by collusion may be difficult to detect because of schemes designed to conceal it.)
Which of the following factors most likely would be considered an inherent limitation to an entity’s internal control?
Collusion of employees in circumventing internal controls. (Because of the inherent limitations of internal control, it can be designed and operated to provide only reasonable assurance that the entity’s objectives are met. For example, human judgment is faulty, and controls may fail because of human error. Manual or automated controls may be circumvented by collusion, and management may inappropriately override internal control. Furthermore, custom, culture, the corporate governance system, and an effective control environment are not absolute deterrents to fraud.)
Which of the following situations represents a limitation, rather than a failure, of internal control?
A purchasing employee and an outside vendor participate in a kickback scheme. (Because of the inherent limitations of internal control, it can be designed to provide only reasonable assurance that the entity’s objectives are met. For example, (1) controls may fail because of human error, (2) management may override controls inappropriately, or (3) manual or automated controls may be circumvented by collusion (e.g., a kickback scheme involving a purchasing employee and an outside vendor).)
The objective of the auditor is to identify and assess the risks of material misstatement (RMMs). The auditor therefore identifies and assesses RMMs
At the financial statement and relevant assertion levels. (The objective of the auditor is to identify and assess the RMMs, whether due to fraud or error, at the financial statement and relevant assertion levels. This objective is achieved through understanding the entity and its environment, including the entity’s internal control, to provide a basis for designing and implementing responses to the assessed RMMs. A relevant assertion has a reasonable possibility of containing a misstatement that could cause material misstatement(s) of the financial statements. Thus, a relevant assertion has a meaningful bearing on whether the account is fairly stated.)
Which of the following most likely would not be considered an inherent limitation of the potential effectiveness of an entity’s system of internal control?
Incompatible duties. (A system of internal control has inherent limitations. The performance of incompatible duties, however, is a failure to assign different people the functions of authorization, recording, and asset custody, not an inevitable limitation of a system of internal control. Segregation of duties is a category of control activities.)
Which of the following best describes an inherent limitation that should be recognized by an auditor when considering the potential effectiveness of internal control?
Controls, whether manual or automated, whose effectiveness depends on segregation of duties can be circumvented by collusion. (One of the inherent limitations of internal control is that it can be circumvented by collusion among persons both within and outside the entity. Thus, a control based on segregation of duties will be ineffective if a person in a position to commit fraud colludes with a person who can conceal it.)
Internal control can provide only reasonable assurance of achieving an entity’s control objectives. The likelihood of achieving those objectives is affected by which limitation inherent to a system of internal control?
The cost of internal control should not exceed its benefits. (The cost of an entity’s internal control should not exceed the benefits that are expected to be derived. Although the cost-benefit relationship is a primary criterion that should be considered in designing internal control, the precise measurement of costs and benefits usually is not possible.)
According to COSO, which of the following must be established prior to the risk assessment process?
Entity-level objectives. (According to COSO, the entity-level objectives must be clearly defined prior to the risk assessment process because they are the framework against which risks are identified and evaluated. Establishing these objectives ensures that all subsequent risk considerations are consistent with the organization’s strategic vision.)
Which of the following factors represents an inherent limitation of internal control?
Mistakes resulting from human error. (Inherent limitations of internal control include reasonable assurance, human error, collusion, management override, fraud, and cost-benefit consideration.)
Manual controls would most likely be more suitable than automated controls for which of the following?
Large, unusual, or nonrecurring transactions. (Manual controls may be more suitable where judgment and discretion are required, such as (1) for large, unusual, or nonrecurring transactions; (2) for circumstances where misstatements are difficult to define, anticipate, or predict; (3) in changing circumstances that require a control response outside the scope of an existing automated control; and (4) in monitoring the effectiveness of automated controls.)
Which of the following is a component part of the COSO’s internal control framework?
Information systems. (According to the COSO, an entity’s internal control has five components: (1) the control environment, (2) risk assessment process, (3) control activities, (4) information systems, and (5) monitoring. The control environment sets the tone of an organization, influences control consciousness, and provides a foundation for the other components. Risk assessment is the identification, analysis, and management of risks relevant to achievement of objectives. Control activities help ensure that management directives are executed. The information system consists of (1) physical and hardware components, (2) software, (3) people, (4) procedures, and (5) data. Monitoring assesses the performance of internal control over time.)
Which of the following items is an example of an inherent limitation in an internal control system?
Human error in decision making. (Because of its inherent limitations, internal control can be designed and operated to provide only reasonable assurance that the entity’s objectives are met. Thus, (1) human judgment is faulty, (2) controls may fail because of human error, (3) manual or automated controls can be circumvented by collusion, and (4) management may inappropriately override internal control. Moreover, custom, culture, the corporate governance system, and an effective control environment are not absolute deterrents to fraud. For example, if the nature of management incentives increases the RMMs, the effectiveness of controls may be reduced. A factor that is an inherent limitation of an audit as well as internal control is the need to balance benefit and cost. Although the ability to provide only reasonable assurance is a primary design criterion for internal control, the precise measurement of costs and benefits is not feasible. However, costs should not exceed the benefits of control. Thus, the cost constraint limits internal control.)
Which of the following is an inherent limitation of internal control?
Collusion. (Two or more people may collude, or management may override internal control.)
Which of the following are considered control environment elements?
Detection Risk No | Commitment Yes |
For the audit of a nonissuer, the primary objective of procedures performed to obtain an understanding of internal control is to provide an auditor with
Knowledge necessary to plan the audit.
It is important for the auditor to consider the competence of the audit client’s employees, because their competence bears directly and importantly upon the
Achievement of the objectives of internal control. (The control environment is the foundation of internal control. A commitment to competence is one of the factors in the control environment.)
Which of the following are considered control environment factors?
Detection Risk No | Human Resources Policies and Practices Yes |
The control environment may decrease the effectiveness of control activities when
Management has substantial incentives for meeting earnings projections. (The control environment may reduce the effectiveness of other components of internal control. For example, when the nature of management incentives increases the risks of material misstatement of financial statements, the effectiveness of control activities may be reduced.)
Which of the following would an auditor most likely consider in evaluating the control environment of an audit client?
Management’s operating style. (The control environment is the foundation for the other components of internal control. It provides discipline and structure and sets the tone of the organization. The evaluation of the design of the control environment includes such factors as management’s philosophy and operating style. They relate to management’s approach to taking and managing business risks. They also relate to management’s attitudes and actions toward (1) financial reporting, (2) information processing, (3) accounting functions, and (4) personnel.)
Which of the following is a component of internal control?
Risk assessment (Internal control has five components: (1) the control environment, (2) risk assessment process, (3) control activities, (4) information systems, and (5) monitoring of controls. The control environment sets the tone of an organization, influences control consciousness, and provides a foundation for the other components. The risk assessment process is the identification, analysis, and management of risks relevant to achievement of objectives. Control activities help ensure that management directives are executed. The information system, including the related business processes relevant to financial reporting and communication, consists of (1) physical and hardware components, (2) software, (3) people, (4) procedures, and (5) data. Monitoring assesses the performance of internal control over time (AU 315).)
An auditor most likely requires an understanding of IT in an attest engagement to
Determine the effect of IT on the audit. (IT skills may be required to (1) determine the effect of IT on the audit, (2) understand IT controls, and (3) design and perform tests of IT controls and substantive procedures.)
Which of the following factors is most relevant when an auditor considers the client’s organizational structure in the context of the risks of material misstatement?
The suitability of the client’s lines of reporting. (Lines of reporting can determine the ability of management or other employees to circumvent implemented controls. Reporting lines are part of the organizational structure and affect the auditor’s assessment of the RMMs.)
In planning an audit, the auditor’s knowledge about the design of relevant internal control activities should be used to
Identify the types of potential misstatements that could occur.
(An auditor must (1) evaluate the design of relevant controls and (2) determine whether they have been implemented. This knowledge is used to (1) identify the types of potential misstatements, (2) identify the factors that affect the risks of material misstatements, and (3) design further audit procedures.)
In obtaining an understanding of the system of internal control in a financial statement audit, an auditor is not obligated to
Search for significant deficiencies in the operation of internal control.
In all audits, the auditor should obtain an understanding of each of the five components of internal control sufficient to plan the audit. An understanding is obtained by performing risk assessment procedures to evaluate the design of controls relevant to the audit and to determine whether they have been implemented. In addition, the auditor should obtain and document the understanding of the entity’s internal control components. In an audit, however, the auditor is not obligated to search for significant deficiencies or material weaknesses (AU-C 265). The auditor must nevertheless determine whether deficiencies have been identified.
The auditor observes client employees while obtaining an understanding of internal control to
To obtain the understanding of relevant controls, the auditor evaluates their design and determines whether they have been implemented. These procedures include observation of the application of specific controls, tracing transactions, inspection of documents and reports, and inquiries of appropriate client personnel. But inquiry alone is insufficient (AU-C 315). Certain organizational controls (e.g., segregation of functional responsibilities) do not leave an audit trail, which may require auditor observation of client personnel.
Which of the following procedures most likely will provide an auditor with sufficient evidence about whether an entity’s controls are suitably designed and have been implemented to prevent, or detect and correct, material misstatements?
Observing the entity’s personnel applying the controls.
AU-C 315 states that risk assessment procedures to obtain audit evidence about the design and implementation of relevant controls may include (1) inquiry of entity personnel, (2) observing the application of specific controls, (3) inspecting documents and reports, and (4) tracing transactions through the information system relevant to financial reporting. Inquiry alone is not sufficient to evaluate the design of a control relevant to an audit and to determine whether it has been implemented.
Which of the following statements regarding auditor documentation of the understanding of the client’s internal control components obtained to plan the audit is correct?
No one particular form of documentation is necessary, and the extent of documentation may vary.
In accordance with the documentation requirements in AU-C 315, the auditor should document such matters as (1) discussions among the engagement team; (2) the understanding of the entity and its environment, including each internal control component, sources of information, and the risk assessment procedures; (3) the risk assessments; and (4) risks requiring special audit consideration. The form and extent of documentation vary with (1) the nature, size, and complexity of the entity and its controls; (2) the availability of information; and (3) the audit methods and technology used (AU-C 315).
Which of the following factors are included in an entity’s control environment?
Audit Committee Participation Yes | Integrity and Ethical Values Yes | Organizational Structure Yes |
The control environment is the foundation for all other control components. It provides discipline and structure, sets the tone of the organization, and influences the control consciousness of employees. Its components include (1) participation of those charged with governance, (2) integrity and ethical values, (3) organizational structure, (4) management’s philosophy and operating style, (5) assignment of authority and responsibility, (6) human resource policies and practices, and (7) commitment to competence.
Which of the following is not a medium that can normally be used by an auditor to record information concerning internal control?
Procedures manual.
A procedures manual is one source of information about the client’s internal control. However, the auditor normally does not prepare this manual and record information in it. The accounting procedures manual is a client document that explains the client’s accounting system and how to implement it.
Transaction authorization within an organization may be either specific or general. An example of specific transaction authorization is the
Approval of a detailed construction budget for a warehouse.
A specific transaction authorization is applicable to a unique decision. A general authorization establishes criteria and authorizes the routine making of decisions subject to the criteria. Approving a detailed construction budget for a warehouse is a one-time decision.
An auditor is concerned with controls designed to safeguard assets that are relevant to the reliability of financial reporting. Adequate safeguards over access to and use of assets means protection from
Losses arising from access by unauthorized persons.
A management objective implicit in internal control is that access to assets be permitted only in accordance with management’s authorization. However, elimination of access is not feasible because access to assets is necessary in normal business operations. The extent of access is determined by the nature of the assets and their susceptibility to loss through fraud and error. Authorization of access involves limitations on both physical access and indirect access.
The auditor should document the understanding of internal control. For example, a narrative memorandum may be used to
Provide a written description of the process and flow of documents and of the control points.
An auditor should prepare documentation of internal control during an audit. Examples of an auditor’s documentation include flowcharts, narrative memoranda, questionnaires, and decision tables. A narrative memorandum is a written description of the process and flow of documents and of the control points. For an information system that makes little use of IT or that processes few transactions, documentation in the form of a memorandum may suffice.
Which of the following activities by small business clients best demonstrates management integrity in the absence of a written code of conduct?
Emphasizing ethical behavior through oral communication and management example.
Audit evidence for elements of the control environment of a small business client may not be documented, especially when management communication with other employees is informal but effective. Thus, a small business may not have a written code of conduct. However, it may have a culture emphasizing integrity and ethical behavior by means of oral communication and management example.